BelAir100

BelAir100

User Guide

Release: 6.0
Document Date: June 30, 2006
Document Number: BDTM10001-A05
Document Status: Standard
Security Status: Confidential
Customer Support: 613-254-7070
1-877-BelAir1 (235-2471)
[email protected]
© Copyright 2006 by BelAir Networks.
The information contained in this document is confidential and proprietary to BelAir Networks. Errors and Omissions Excepted.
Specification may be subject to change. All trademarks are the property of their respective owners.

Page 1 of 147
BelAir100 User Guide Contents

Contents
About This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
BelAir100 Wireless Multi-service Node . . . . . . . . . . . . . . . . . . . . . 4
System Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
BelAir100 Configuration Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 8
Command Line Interface Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
User Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Common Radio Module Configuration Commands . . . . . . . . . . . 32
Access Radio Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Backhaul Link Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Wireless Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Managing Access Radio SSIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Layer 2 Network Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Using Layer 2 Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Quality of Service Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
BelAir100 Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Performing a Software Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
BelAir100 Network Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
For More Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Definitions and Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Appendix A: Node Configuration Sheets . . . . . . . . . . . . . . . . . . 126
Appendix B: BelAir100 Factory Defaults . . . . . . . . . . . . . . . . . . 129
Appendix C: Connecting to the Ethernet Interface . . . . . . . . . . 136
Detailed Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

June 30, 2006 Confidential Page 2 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide About This Document

About This Document

This document provides the information you need to install and configure the
BelAir100, and the procedures for using the BelAir100 Command Line
Interface (CLI).
This document may contain alternate references to the product. Table 1 shows
possible synonyms to the product name.
Table 1: Product Name Synonyms

Product Name Synonym

BelAir200 BA200
BelAir100 BA100
BelAir100S BA100S
BelAir100C BA100, BA100C
BelAir50C BA50, BA50C
BelAir50S BA50S

Typographical This document uses the following typographical conventions:

Conventions • Text in < > indicates a parameter required as input for a CLI command;
for example, < IP address >
• Text in [ ] indicates optional parameters for a CLI command.
• Text in { } refers to a list of possible entries with | as the separator.
• Parameters in ( ) indicate that at least one of the parameters must entered.
• For radio mode commands, the <n> parameter, as in brm<n>, specifies the
particular radio that the command applies to.

Related The following titles are BelAir reference documents:

Documentation • BelAir Products Deployment Guidelines
• BelAir100 System Command Line Interface Guide
• BelAir100 Radio Command Line Interface Guide
• BelAir Products Web Interface Guide

June 30, 2006 Confidential Page 3 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide BelAir100 Wireless Multi-service Node

BelAir100 Wireless Multi-service Node

BelAir Networks offers the industry’s most comprehensive portfolio of
wireless mesh products ensuring exceptional flexibility in the design and
future-proof growth of your network. BelAir wireless mesh products support a
full range of coverage options from high-speed Internet access and other data
services through to high capacity, high performance networks delivering video,
wireline-quality voice, tiered business services and cellular backhaul.
The BelAir100 Wireless Multi-service Node is the industry’s highest
performance and most flexible dual-radio wireless mesh node. Available in both
multiple point to point, and point to multipoint (BelAir100C) backhaul variants,
the BelAir100 is equally at home in high capacity, high performance networks
and low-cost hotzones. It can be deployed as a standalone device providing
indoor or outdoor coverage or as part of a larger mesh with any combination
of BelAir200, BelAir100, BelAir100C, BelAir100S, BelAir50C, and BelAir50S, all
seamlessly managed by BelAir BelView NMS.
The modular BelAir100 features an attractive, rugged outdoor enclosure, a 100
Mbps Ethernet electrical or optical line interface, one access antenna and one
backhaul antenna. BelAir100 nodes are available in multiple configurations and
can be pole or wall mounted. Backup power supply and a high performance
network processing core complete with an open embedded software
environment are standard.
Figure 1: BelAir100

June 30, 2006 Confidential Page 4 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide System Overview

System Overview
The BelAir100 can operate as a standalone device, or participate in a BelAir
Networks multiple point-to-point mesh as an edge node or to terminate the
mesh where the full functionality of the BelAir200 is not required.
A typical BelAir100 configuration will include one access radio and one
backhaul radio using the integral antennas.
In this configuration, the BelAir100 unit provides access to mobile users
through 802.11b or 802.11g radio links at 2.4 GHz, or through 802.11a radio
links at 5 GHz. As shown in Figure 2, the typical deployment scenario is to use
both BelAir100 units and BelAir200 units to illuminate a building from the
outside to provide coverage throughout the building. The BelAir100 can also
provide outdoor coverage and act as a mesh portal for a cluster of BelAir50C
or BelAir50S nodes.
Figure 2: Access Radio Coverage

Alternatively, the BelAir100 can also be configured to use two backhaul radios.
In this configuration, the BelAir100 provides wireless backhaul between nodes
using 5 GHz 802.11a links.

June 30, 2006 Confidential Page 5 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide System Overview

Hardware Figure 3 shows the relationship between the main BelAir100 hardware
modules.
Description
Figure 3: BelAir100 Hardware Module Block Diagram

Radome EMC Enclosure Radome

Radio Radio
Module Module
LPM

PSU

Ethernet 90-264 V Battery

100Base-TX
100Base-FX

Note: Either Radio Module can be an access radio or a backhaul radio.

The BelAir100 consists of the following modules:

• up to one access radio using an enhanced performance 802.11b, 802.11g or
802.11a link
The access radio provides user traffic wireless access to the BelAir100
• up to two backhaul radios using enhanced performance 802.11a links
The backhaul radios provide backhaul links for the radio mesh.
• one Line and Power Module (LPM) providing a wireline interface to the
Internet. Two types of LPM are available:
—The electrical LPM provides a 10/100 Base-TX Ethernet interface.
—The optical LPM provides a 100Base-FX Fast Ethernet interface.
• internal access and backhaul antennas as required
• one Power Supply Unit (PSU)

June 30, 2006 Confidential Page 6 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide System Overview

• one battery and charger

• one environmental enclosure with radomes
• an external connector field
In a BelAir100, one of the radio modules is also responsible for centralized
control of the unit, including packet forwarding and all OAM tasks.

BelAir100 Layer 2 At the layer 2 (data-link) layer, the BelAir100 acts as a bridge and layer 2 switch.
See Figure 4.
View
The layer 2 switch ports are connected to the BelAir100 input/output devices,
such as the access radio and backhaul radios. The BelAir100 layer 2 switch
forwards layer 2 frames to the output of one or multiple ports based on the
information contained in the frame header.
Figure 4: BelAir100 Layer 2 View, Typical Configuration

Wireless
Access
Point

Backhaul and
Mesh Links BelAir100 - Layer 2

access radio eth0

(ARM1)
LPM
backhaul radio
eth1
Layer 2 switch
(BRM1)

Line Interface

June 30, 2006 Confidential Page 7 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide BelAir100 Configuration Interfaces

BelAir100 Configuration Interfaces

The BelAir100 can be accessed and configured using the following configuration
interfaces:
• the command line interface (CLI)
• the SNMP interface
• the Web interface (using either HTTPS or HTTP)
All three interfaces (Web, CLI and SNMP) have the same public IP address. All
three also access the same BelAir100 node database. That means that changes
made with one interface are seen immediately through the other interfaces.
When a BelAir100 is shipped from the factory, only the CLI, the HTTP and the
HTTPS interfaces are enabled. You can use these interfaces to configure the
system’s IP networking parameters and enable other interfaces such as SNMP.

Command Line The CLI allows you to configure and display all the parameters of a BelAir100
unit, including:
Interface
• system parameters
• system configuration and status
• radio module configuration and status
• user accounts
• BelAir100 traffic statistics
• layer 2 functionality, such as those related to bridging and VLANs
• alarm system configuration and alarms history
For a description of basic CLI commands and tasks see “Command Line
Interface Basics” on page 12.

BelAir100 SNMP The Simple Network Management Protocol (SNMP) provides a means of
communication between SNMP managers and SNMP agents. The SNMP
Interface manager is typically a part of a network management system (NMS) such as HP
OpenView, while the BelAir100 provides the services of an SNMP agent.
Configuring the BelAir100 SNMP agent means configuring the SNMP
community names and trap destinations to establish a relationship between the
manager and the agent.

June 30, 2006 Confidential Page 8 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide BelAir100 Configuration Interfaces

The BelAir100 SNMP agent contains Management Information Base (MIB)

variables. A manager can query an agent for the value of MIB variables, or
request the agent to change the value of a MIB variable.
The BelAir100 SNMP agent can send unsolicited messages, called traps, to an
SNMP manager. Traps are messages alerting the SNMP manager of a condition
on the network node.
To configure the SNMP interface from the CLI, you must either enter the
SNMP mode using the command cd /snmp, or preface each command with
/snmp.
To use the BelAir100 SNMP agent, you must:
1 Start the SNMP agent.
2 Create SNMP Community Names.
3 Create SNMP Trap Destinations.
The SNMP community names and trap destinations can be created through
either the CLI or the Web interface. The SNMP CLI commands are described
in detail in the BelAir100 System Command Line Interface Guide.

Integrating the In addition to providing support for the SNMP MIBs described in Table 2, BelAir
BelAir100 with a Networks provides a number of enterprise MIB definitions that you can
Pre-deployed NMS integrate with your Network Management System (NMS). Table 3 on page 9
describes the BelAir100 SNMP MIBs. A copy of the BelAir100 SNMP MIBs is
available from the BelAir Networks online support center at:
www.belairnetworks.com/support/index.cfm.

Table 2: Standard SNMP MIBs

File Name Description

SNMPv2-MIB.mib implements RFC1907

IF-MIB.mib implements RFC2863
IEEE802dot11-MIB.mib IEEE MIB to manage 802.11 devices

Table 3: BelAir Enterprise MIBs

File Name Description

BELAIR-SMI.mib defines BelAir top level OID tree

BELAIR-TC.mib defines BelAir data types

June 30, 2006 Confidential Page 9 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide BelAir100 Configuration Interfaces

Table 3: BelAir Enterprise MIBs (Continued)

File Name Description

BELAIR-PRODUCTS.mib defines product object IDs

BELAIR-SYSTEM.mib defines basic OAM features such as software
download, temperature and BelAir alarms
BELAIR-IP.mib defines BelAir IP data types
BELAIR-MESH.mib defines BelAir multipoint-to-multipoint data
types
BELAIR-IEEE802DOT11.mib defines features that are not supported by
the standard IEEE802.11 MIB

The procedure for importing the SNMP MIB definition files depends on the
deployed NMS platform. Refer to your NMS platform documentation for
details.

BelAir100 Web Refer to the BelAir100 Web Interface Guide for details on accessing and using
this interface.
Interface
Supported Web BelAir Networks has verified that the BelAir100 Web interface operates
Browsers and Platforms correctly with the following web browsers:
• Microsoft Internet Explorer version 5.0, or later
• Netscape Navigator version 6.0, or later

Accessing the Web You can access the Web interface using either secure HTTP (HTTPS) or HTTP.
Interface Both HTTP and HTTPS are enabled when each BelAir100 node is shipped.
Note: By default, the BelAir100 Web interface has an associated time-out
value. If the interface is inactive for 30 minutes, then you are
disconnected from the interface. To reconnect to the interface, you
need to log in again. See BelAir100 System Command Line Interface
Guide to alter this default period.

June 30, 2006 Confidential Page 10 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide BelAir100 Configuration Interfaces

Accessing the System To log in to the BelAir100 Web interface and access the main page using HTTPS
Page with Secure HTTP or HTTP, do the following steps:
or with HTTP
1 Open your Web browser and specify the IP address of the BelAir100 node
you want to access.
The default IP address of each BelAir100 node is: 10.1.1.10.
A Login page is displayed.
2 Enter a valid user name, such as root, and a valid password.
Note:The specified password is case sensitive.
If successful, the BelAir100 Web interface System page is displayed.

June 30, 2006 Confidential Page 11 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Command Line Interface Basics

Command Line Interface Basics

Use this chapter to familiarize yourself with basic CLI tasks, including:
• “Connecting to the BelAir100” on page 12
• “Starting a CLI Session” on page 13
• “Command Modes ” on page 14
• “Abbreviating Commands ” on page 15
• “Command History” on page 16
• “Special CLI Keys ” on page 16
• “Help Command” on page 16
• “Terminating your CLI Session ” on page 18
In addition, “Saving and Restoring the BelAir100 Configuration” on page 29
contains a detailed procedure on how to do that task.

Connecting to the You can connect to the BelAir100 default address using one of the following
methods:
BelAir100
• through the BelAir100 radio interface
• by connecting directly to the Ethernet port on the BelAir100
CAUTION! Do not connect the BelAir100 to an operational data network before you
configure its desired IP network parameters. This may cause traffic disruptions
due to potentially duplicated IP addresses.
In all cases, the BelAir100 unit must connect to an isolated LAN, or to a
desktop or laptop PC configured to communicate on the same IP sub-network
as the BelAir100.

Using the Radio Interface

Use a desktop or laptop PC equipped with a wireless 802.11a, 802.11b or
802.11g compliant interface as required, configured with a static IP address on
the same subnet as the default OAM IP address (for example, 10.1.1.1/24). For
the required configuration procedure, refer to your PC and wireless interface
configuration manuals or contact your network administrator. The PC will
connect to the BelAir100 through the radio interface.

June 30, 2006 Confidential Page 12 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Command Line Interface Basics

Connecting to the Ethernet Port

The connection method varies depending on whether your unit has an
electrical or optical Ethernet interface:
• If your unit is equipped with an electrical Ethernet interface, use a
cross-connect RJ45 cable to connect the Ethernet port of the unit.
• If your unit is equipped with an optical Ethernet interface, connect to the
unit through a media converter. Use a single mode fiber cable with a dual LC
connector at one end to connect to the Ethernet port of the unit. The
other end of the cable needs to connect to the media converter. Consult
your media converter documentation to identify the appropriate type of
connector.
For a detailed procedure, refer to “Connecting to the Ethernet Interface” on
page 136.

Starting a CLI Start a Telnet or secure shell (ssh) client and connect to the BelAir100 IP
address. Each BelAir100 can have up to eight simultaneous Telnet or ssh
Session sessions. If you are configuring the BelAir100 for the first time, you must use
the BelAir100 default IP address (10.1.1.10). The BelAir100 prompts you for
your user name and password.
The default super-user account is “root”. The default password is “admin123”.
If the login is successful, the BelAir100 prompt is displayed. The default prompt
is “#”, if you login as root. Otherwise, the default prompt string is “>”.
Note 1: The terminal session locks after four unsuccessful login attempts. To
unlock the terminal session, you must enter the super-user password.
Note 2: BelAir100 CLI commands are not case sensitive (uppercase and
lowercase characters are equivalent). However, some command
parameters are case sensitive. For example, passwords and any Service
Set Identifier (SSID) supplied with the radio commands are case
sensitive. Also, all parameters of the syscmd commands are case
sensitive.

SSH Session Example of Initial Login

With secure shell, the system prompts you twice for your password.
ssh -l root 10.1.1.10
[email protected]'s password:
BelAir Backhaul and Access Wireless Router
BelAir User: root

June 30, 2006 Confidential Page 13 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Command Line Interface Basics

Password:
/#

Telnet Session Example of Initial Login

With Telnet, the system prompts you only once for your password.
telnet 10.1.1.10
BelAir Backhaul and Access Wireless Router
BelAir User: root
Password:
/#

Command Modes The BelAir100 CLI has different configuration “modes”. The available
commands depend on the selected mode. Their list can be displayed using the
help command. Table 4 on page 14 describes the modes that are supported.
Table 4: Command Line Interface Modes

Mode Description
“root” mode (/) The top or root level of the CLI commands. Mostly display
(show) commands.

Administration

SYSTEM System and node configuration and administration

SNMP Configure the Simple Network Management Protocol
(SNMP) parameters
SYSLOG Configure the destination of SYSLOG messages
SSL Configure Secure Socket Layer (SSL) parameters
SSH Configure Secure Shell (SSH) parameters
IP Configure BelAir100 IP parameters
QOS Configure Quality of Service (QoS) parameters

Wireless

June 30, 2006 Confidential Page 14 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Command Line Interface Basics

Table 4: Command Line Interface Modes (Continued)

Mode Description

RADIO Configure the BelAir100 backhaul and access radios.

Configure the mesh portal settings if the BelAir100 is a

portal to a mesh cluster.

Use the mode command to display all the available modes. For a description of
additional modes, see:
• BelAir100 System Command Line Interface Guide
• BelAir100 Radio Command Line Interface Guide
Users can move between modes with the cd command. For instance, you can
move from the radio mode to the system mode using the command:
/radio# cd /system
/system#

Note 1: The prompt changes to match the current mode.

Note 2: Access to a mode is only allowed if the user has sufficient privileges to
execute commands in that mode. For additional details see “User
Privilege Levels” on page 19.
When a given mode is enabled, only the commands pertaining to that mode are
available. The list of available commands can be obtained by entering the help
command.
Users may execute commands from other modes than the current one, by
prefixing the desired command with the slash character ‘/’ followed by the
mode’s name. For instance, entering:
/system# /snmp/snmp-community 4 community-name snmpcom4 ipaddr 0.0.0.0 privilege
readonly

executes a command from the snmp mode while in the system mode.

Abbreviating You must enter only enough characters for the CLI to recognize the command
as unique.
Commands
The following example shows how to enter the root mode command show
system config:
/# sh syst c

June 30, 2006 Confidential Page 15 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Command Line Interface Basics

Command You can use the history command to display a list of the last ten commands that
you have typed.
History
Example
/# history
22 /snmp/snmp-community 4 community-name belairmgmt
ipaddr 0.0.0.0 privilege readwrite
23 cd /system
24 show sessions
25 cd /snmp
26 show snmp-community config
27 cd /radio
28 help
29 cd /
30 whoami
31 show user

Special CLI Keys Command Completion

You can ask the CLI to complete a partially typed command by pressing the tab
key. If the command cannot be completed unambiguously, the CLI presents you
with a list of possible completions. For instance, entering:
/# /show snmp- {tab}
produces the following output:
Available commands :
[Syntax] : show snmp-community config
[Syntax] : show snmp-trap config

Execution of the Last Typed Command

You may repeat the last command, by entering the “!” key twice, followed by
carriage return.

Executing the Previous Commands

You may browse through the command history by using the up and down arrow
keys of a VT100 or compatible terminal. You can also execute a certain
command from the command history by entering the “!” key, followed by the
command number (as displayed in the history command output) and carriage
return.

Help Command help [<command>]

This command displays help for:
• a particular command available in the current mode
• a list of commands available in the current mode

June 30, 2006 Confidential Page 16 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Command Line Interface Basics

• a list of commands starting with the given keyword in the current mode
You can use "?" as an alternative for the word "help".
When "help" or "?" is typed in the required mode, all commands present in that
mode as well as all general commands are listed.

Example
/system# help
show version
show alarms <number of alarms>
[type {all|dcom|eqpt|sw|qos|env|secu|sys}]
[severity {all|critical|major|minor|warning|info}]
show alarm history <number of entries>
[type {all|dcom|eqpt|sw|qos|env|secu|sys}]
[severity {all|critical|major|minor|warning|info}]
[<start_idx>]
set alarm type mask {all|dcom|eqpt|sw|qos|env|secu|sys}
set alarm severity mask {all|critical|major|minor|warning|info}
show alarm mask
show phyinv
show temperature internal
show temperature limit upper
show temperature limit lower
show battery present
show battery voltage

When a keyword is typed, all possible commands starting from that keyword
are displayed.

Example
/system# help system
[Syntax] : system [switch <name>] [contact <firm>] [location <place>]
Description : configures system parameters
[Syntax] : system [default-ipaddr <ip addr>] [subnet-mask < mask >]
[default-interface <name>]
Description : configures system parameters

When help is needed for a specific command, enter the command within
quotes along with the word help.

Example
/system# help "reboot"
[Syntax] : reboot [{force}]
Description : Directs the node to reboot.

When an abbreviation is used in the help string, all matching commands are
listed with the description.

June 30, 2006 Confidential Page 17 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Command Line Interface Basics

Example
/system# help "reb"
[Syntax] : reboot [{force}]
Description : Directs the node to reboot.

Terminating your You can terminate your own CLI session at any time by entering the exit
command.
CLI Session

June 30, 2006 Confidential Page 18 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide User Administration

User Administration
For full details on user administration functions, see the BelAir100 System
Command Line Interface Guide.

User Privilege User accounts on the BelAir100 can be assigned the following three privilege
levels:
Levels
• An observer user can execute only the following commands:
—most show commands
—the help and ? commands
—the passwd command
—the clear and exit commands
—the cd and mode commands
—the history command
—the whoami command
—the ping command
• A normal user can execute any CLI command, except those reserved for
the super-user.
• The super-user can execute any CLI command. CLI Commands for the
following functions are reserved for the super-user:
—user administration
—session access and control
—SNMP setup and configuring SNMP access
—first time configuration (country code and unit’s IP settings)
—remote backup and restore of the configuration database, including
reboot and all syscmds commands
—software upgrade
—all SSH, all SSL and most SYSLOG commands
—debug commands
Each unit can have any number of observer users and normal users, but only
one super-user account, called root.

June 30, 2006 Confidential Page 19 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide User Administration

Adding User adduser <user-name> -p <passwd> [-d <mode>] [-g <group>]

Accounts This command is only available if you are logged in as root.

This command creates a new user account. The mode parameter sets the
command mode that a user accesses when they log in. If unspecified, it defaults
to a slash (/) so the user begins their session in root mode. Users with observer
privileges must start their sessions in root mode.
The group parameter specifies the user account’s privilege level. It can be
OBSERVER or NORMAL. If unspecified, the user account has observer
privileges.
To use this command, you must be in root mode.
Note 1: The specified password is case sensitive and must be at least six
characters long.
Note 2: The specified group is case sensitive.
If you use a RADIUS server to authenticate users as they login, you must
specify the user’s privilege level in the RADIUS Reply-Message field. Specifically,
the Reply-Message field must contain in plain text one of the following: root,
NORMAL or OBSERVER. These entries in RADIUS are case sensitive, so make
sure the user privilege levels are entered exactly as specified. If the privilege
levels are unspecified in RADIUS, then the BelAir100 provides the user with
observer privileges.

Example
/# adduser testuser -p userpwd - d system

Deleting User deluser <user-name>

Accounts This command is only available if you are logged in as root.

This command deletes a user account. The default login, “root”, cannot be
deleted.
To use this command, you must be in root mode.

Example
/# deluser xyz

Modifying User moduser <user-name> [-p <passwd>] [-d <mode>] [-g <group>]

Accounts This command is only available if you are logged in as root.

June 30, 2006 Confidential Page 20 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide User Administration

This command modifies the parameters of a user account.

The mode parameter sets the command mode that a user accesses when they
log in. If unspecified, it defaults to a slash (/) so the user begins their session in
root mode. Users with observer privileges must start their sessions in root
mode.
The group parameter specifies the user account’s privilege level. It can be
OBSERVER or NORMAL. If unspecified, the user account has observer
privileges. The group parameter does not apply to changes to the root account.
To use this command, you must be in root mode.
Note 1: The specified password is case sensitive and must be at least six
characters long. Changes the super-user account require that you
provide the super-user password.
Note 2: The specified group is case sensitive.

Example
In the following example, the user guest begins their session in radio mode and
their password is changed to “guest123”.
/# moduser guest –p guest123 –d radio

Displaying the show user

Available User This command is only available if you are logged in as root.
Accounts This command lists all valid user accounts, the mode in which they start their
session and their maximum privilege level. For example, under Groups, normal
users display NORMAL OBSERVER while the root account displays root
NORMAL OBSERVER.
This is a common command that can be used while in any mode.

Example
/# show user
USER MODE GROUPS
root / root NORMAL OBSERVER
user1 / OBSERVER
user2 / OBSERVER
user3 RADIO NORMAL OBSERVER

June 30, 2006 Confidential Page 21 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide User Administration

Changing Your You can change your current password with the passwd command. You will be
first asked to enter your old password. Then you must enter your new
Password password twice, to verify that you have typed it correctly.
Note: The specified password is case sensitive and must be at least six
characters long.

Configuring You can use a RADIUS server to authenticate users as they login to their
accounts.
Authentication
for User
Accounts
Selecting the authentication login {local|radius}
authentication mode
This command is only available if you are logged in as root.
This command determines how the BelAir100 authenticates users.
The local setting means that the BelAir100 uses the locally stored password and
user account information to authenticate the user. This is the default setting.
The radius setting means that the BelAir100 uses a RADIUS server to
authenticate the user.
To use this command, you must be in system mode.

Example
authentication login radius

Adding RADIUS Servers add radius-server <IP address> <port> <shared secret>
[interface <NAS IP address>] [timeout <seconds>]
This command is only available if you are logged in as root.
This command specifies a RADIUS server that you can use to authenticate
users. Up to five servers can be defined in a list. By default, the first server in
the list is used. If the first server is not available, then the second server is used.
This continues for every server on the list.
To use this command, you must be in system mode.
The IP address parameter specifies the IP address of the RADIUS server.
The port parameter specifies the UDP port number of the RADIUS server
(typically 1812).

June 30, 2006 Confidential Page 22 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide User Administration

The shared secret parameter specifies the password for access to the RADIUS
server.
The NAS IP address parameter specifies the Network Access Server (NAS) IP
address for the BelAir100 RADIUS client. It is used when the unit is configured
with multiple IP interfaces and matches the interface used to communicate with
the given RADIUS server. The default value is the IP address of the unit’s
management interface, which is usually VLAN1.
Note: The NAS IP address parameter is entered statically with this command.
If the VLAN IP addresses are determined dynamically with a DHCP
server, then an updated VLAN IP address is not automatically reflected
into the NAS IP address parameter.
The timeout parameter specifies the interval (in seconds) after which the
RADIUS client considers that the remote server has timed out if a reply is not
received. The default value is 10 seconds.
Note: Make sure the user’s privilege level are correctly specified in the
RADIUS Reply-Message field. Refer to “Adding User Accounts” on
page 20.

Examples
add radius-server 172.16.1.25 1812 ”radius-shared-secret”
interface 10.1.1.2

Deleting RADIUS del radius-server <ip address> <port>

Servers This command is only available if you are logged in as root.
This command deletes the specified RADIUS server from the server list.
To use this command, you must be in system mode.

Example
del radius-server 172.16.1.25

Displaying the show authentication login

Authentication Mode
and RADIUS Servers This command is only available if you are logged in as root.
This command displays the method currently used by the BelAir100 to
authenticate users.
To use this command, you must be in system mode.

June 30, 2006 Confidential Page 23 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide User Administration

Example
/system# show authentication login
Authentication Login is radius
Radius Authentication server table
-------------------------------------
Index : 1
Radius Server Address : 10.1.1.2
UDP port number : 1812
Radius Client Address : 0.0.0.0
Timeout : 10
--------------------------------------------

June 30, 2006 Confidential Page 24 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide System Settings

System Settings
This chapter contains procedures for managing BelAir100 parameters as
follows:
• “Displaying the BelAir100 Node and IP Parameters” on page 25
• “Configuring the BelAir100 System Parameters” on page 25
• “Configuring the System IP Parameters” on page 26
• “Configuring the System Date and Time” on page 27
• “Displaying Inventory and Status Parameters” on page 28
• “Saving and Restoring the BelAir100 Configuration” on page 29
For full details on system settings, see the BelAir100 System Command Line
Interface Guide.

Displaying the show system configuration

BelAir100 Node This command displays the system’s configuration. To use this command you
must be in system mode.
and IP Parameters
Example
/# show system configuration
BelAir System configuration
--------------------------
Software version : BA50c 4.1.0
Default IP Addr Config Mode : Manual
Switch name :
Switch Contact :
Switch Location :
Switch base MAC address : 00:0d:67:00:00:48
Default IP Address : 10.1.1.10
Subnet Mask : 255.255.255.0
Effective IP Address : 10.1.1.10
Default Interface Name : eth0
Logging Option : Console

Configuring the system [switch <name>] [contact <firm>] [location <place>]

BelAir100 System This command configures the system parameters such as switch name, switch
contact information and physical switch location. To use this command you
Parameters must be in system mode.

June 30, 2006 Confidential Page 25 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide System Settings

Example
The following example sets the system name to BA200-A, the contact
information to BelAirNetworks and its location to PoleNumber1.
cd /system
system switch BA200-A contact BelAirNetworks location PoleNumber1

Configuring the You can configure a static IP address and subnet mask, as well as static IP
routes. To configure dynamic IP addressing, see the BelAir100 System
System IP Command Line Interface Guide.
Parameters
Setting a Static IP system [default-ipaddr <ip addr>][subnet-mask < mask >]
Address and Subnet [default-interface <name>]
Mask This command is only available if you are logged in as root.
This command configures the system parameters such as default IP address,
subnet mask and default interface.
The BelAir100 uses internal IP addresses in the range of 192.168.1.x,
192.168.2.x and 192.168.3.x. As a result, users should not configure the
BelAir100 to use any IP addresses within these ranges.
To use this command you must be in system mode.

Example
/#cd system
/system# system default-ipaddr 10.6.4.135 subnet-mask
255.255.255.0 default-interface eth1

Displaying the Static IP By default, the routing tables are configured to allow the BelAir100 to
Routing Tables communicate with IP hosts on the same sub-network.
To display the static IP routing tables, use the following root (/) mode
command:
show route

Configuring the Static IP If you need to reach the management interface of your unit from other
Routing Tables sub-networks, you must obtain the IP address of your network gateway from
your administrator and add the appropriate routes.
Extra static IP routes can be added from the ip mode with the following
command:
ip route add <dest ip addr> <dest mask> gw <gateway>
<dest mask> is the destination subnet mask.
<gateway> is the IP address of network gateway.

June 30, 2006 Confidential Page 26 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide System Settings

Configuring the You can manage the system date and time from the system mode. The system
date and time can be configured:
System Date and
Time • manually
• using a Simple Network Time Protocol (SNTP) server

Displaying System Date show date

and Time This command displays the current date and time. To use this command you
must be in system mode.

Example
/#cd system
/system# show date
Current date: 2004-02-10 06:52:20

Manual Date set date YYYY-MM-DD

Configuration This command sets the current date. The value must be formatted as follows:
• YYYY is the year
• MM is the month
• DD is the date
You must enter the exact date format as specified; that is, four digits for the
year and two digits for the month and day.

Example
/#cd system
/system# set date 2004-02-10

Manual Time set time hh:mm:ss

Configuration This command sets the current time. The value must be formatted as follows:
• hh specifies the hour
• mm specifies the minutes
• ss specifies the seconds
You must enter the exact time format as specified; that is two digits for the
hour, minutes and seconds.

Example
/#cd system
/system# set time 06:50:00

June 30, 2006 Confidential Page 27 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide System Settings

Obtaining Time from a The BelAir100 supports the Simple Network Time Protocol (SNTP) by
Time Server providing an SNTP client that can synchronize the unit date and time with any
SNTP compatible external time server.

Displaying the IP Address of the External SNTP Server

show sntp ip address
This command displays the value of the SNTP server IP address.

Example
/#cd system
/system# show sntp ip address

Configuring the IP Address of the External SNTP Server

set sntp ip address <ip address>
This command lets you set the IP address of the external SNTP server.

Example
/#cd system
/system# set sntp ip address 10.1.1.2

Enabling and Disabling Time Synchronization

set sntp {enable|disable}
This command enables or disables the SNTP client. When the SNTP client is
enabled, the BelAir100’s clock is reset to use Universal Time (UTC).

Example
/#cd system
/system# set sntp enable

Displaying You can display the inventory and status parameters from system mode.
Inventory and
Status Parameters
Displaying Unit show phyinv
Inventory Information To use this command you must be in system mode. This command displays the
manufacturing parameters (name, serial number and part version numbers) of
the equipment parts contained in a unit.

Displaying BelAir100 show temperature internal

Status Parameters show temperature limit upper

June 30, 2006 Confidential Page 28 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide System Settings

show temperature limit lower

show battery present
show battery voltage
These commands display the unit’s current internal temperature (in degrees
Celsius), whether a battery is present and the battery’s current voltage. To use
these commands you must be in system mode.

Example 1
/#cd system
/system# show temperature internal
36

Example 2
/#cd system
/system# show temperature limit upper
85

Saving and To save changes from the system defaults, the following options are available:
Restoring the • Save each of the system and radio module parameters to local files. These
BelAir100 are applied after reboot and can restore the configuration. Refer to:
Configuration —“Local Back Up of the Configuration Database” on page 29
—“Saving and Restoring Node Configuration Parameters” on page 29
• Create a backup of the configuration database and store it remotely on a
TFTP server. This option consists of aggregating all of the local configuration
files, and other critical system files. The aggregate file is then moved to a
remote location. The system can then be restored from this remote backup
file. Refer to “Remote Back Up and Restore of the Configuration Database”
on page 30.

Local Back Up of the The following command is available from any mode and saves the entire
Configuration Database configuration database (including the system and radio module configuration) to
persistent storage. The stored configuration is automatically applied at the next
reboot.
config-save

Saving and Restoring save node_config

Node Configuration
Parameters restore node_config

June 30, 2006 Confidential Page 29 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide System Settings

These commands save and restore the country of operation, the alarm type
mask and the alarm severity mask to persistent storage. The parameters are
automatically activated the next time the system reboots.
Note: To restore the node parameters, you must be logged in as root.

Example 1
/#cd system
/system# save node_config

Example 2
/#cd system
/system# restore node_config

Remote Back Up and To provide support for business continuity after a catastrophic event, the
Restore of the configuration data of a BelAir100 unit can be:
Configuration Database • backed up and saved to a remote server
• restored from a previously backed up copy
You can use either TFTP or FTP to communicate with the remote server. By
default, TFTP is used.

Remote Backup of Configuration Data

To save your configuration data to external storage, you must:
1 Save your current configuration:
config-save
2 Upload the backup copy to a remote server:
config-save backup remoteip <ipaddr> remotefile <name>
[{tftp|ftp [user <usrname> password <pword>]}]]
Both of the previous steps are combined by using the following command:
config-save active remoteip <ipaddr> remotefile <name>
[{tftp|ftp [user <usrname> password <pword>]}]]

For example:
config-save active remoteip 10.1.1.1 remotefile Node100.backup.2.0.0.20_2004_04_12

If you specify FTP, you can also specify the user name and password. The default
FTP user name is anonymous and the default FTP password is root@<nodeip>,
where <nodeip> is the IP address of node making the request. If you do not
use the default FTP username, the FTP server must be configured to accept
your username and password. Refer to the BelAir100 System Command Line
Interface Guide for a complete description of the config-save command.

June 30, 2006 Confidential Page 30 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide System Settings

Note: The remote server must be configured to allow file uploads. By default,
most TFTP or FTP servers disallow file uploads.

Restoring Configuration Data from a Backup Copy

To restore the configuration data from a remote server, you must:
1 Login to the unit as root.
2 Download a previous configuration back up copy from a remote server
using the following command:
config-restore remoteip <ipaddr> remotefile <name>
[{tftp|ftp [user <usrname> password <pword>]}]]
[force]

The config-restore command is available from any mode.

You can use either TFTP or FTP to communicate with the remote server. By
default, TFTP is used. If you specify FTP, you can also specify the user name
and password. The default FTP user name is anonymous and the default FTP
password is root@<nodeip>, where <nodeip> is the IP address of node
making the request. If you do not use the default FTP username, the FTP
server must be configured to accept your username and password.
You can use a backup copy that was created with a different version of
software than the current software installed on the unit. To do so, use the
config-restore command with the force option. If you use the force option,
then you must do step 4 on page 31 after you reboot the system.
3 Reboot the unit for the new configuration to take effect:
cd /system
reboot
4 If you used the force option, thoroughly verify the restored configuration.
The configuration database in a software release may be structurally
different than in other releases. Because of this, some of the restored
configuration parameters may not be applied, or applied incorrectly. BelAir
Networks strongly recommends that you fully verify the configuration and
operation of the unit before you proceed any further and save the restored
configuration.
5 Use the config-save command to save the restored configuration.
For example:
config-restore remoteip 10.1.1.1 remotefile Node100.backup.1.2.3.20_2004_04_12
cd /system
reboot
config-save

June 30, 2006 Confidential Page 31 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Common Radio Module Configuration Commands

Common Radio Module Configuration Commands

This chapter describes how to display and configure radio parameters that are
common to both access radios and backhaul radios, including:
• “Radio Mode or Disabling a Radio” on page 35
• “Antenna Type” on page 36
• “Channel Number” on page 37
• “Transmission Power Level” on page 38
• “Dynamic Frequency Selection” on page 39
All CLI commands described in this chapter are available in radio mode.
To configure parameters that are specific to access radios, see “Access Radio
Configuration” on page 40.
To configure parameters that are specific to backhaul radios, including the
different types of backhaul links, see “Backhaul Link Configuration” on page 46.
Other aspects of radio configuration and operation are described in:
• “Wireless Security” on page 59
• “Managing Access Radio SSIDs” on page 76
For full details on radio module configuration, see the BelAir100 Radio
Command Line Interface Guide.

Displaying the You can display the configured parameters of a radio module using radio mode
show commands.
Radio
Configuration The following show commands are the ones used most often:
show {arm<n>|brm<n>} config
show brm<n> status
show {arm<n>|brm<n>} mac-address
show {arm<n>|brm<n>} mac configuration
The following sections describes each of these commands in more detail.

Displaying All show {arm<n>|brm<n>} config

Configuration
Parameters This command displays the configuration of a radio.

June 30, 2006 Confidential Page 32 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Common Radio Module Configuration Commands

Example 1
/# cd radio
/radio# show arm1 config
mode : enable [ap]
Channel : 3
Privacy : enabled
Rx Antenna : main
Antenna Diversity : disabled
TX antenna type : 3 (8 dbi)
Tx Power : 27 dBm
Profile : Mixed B/G
SSID Information
--------------------------------------------------
id vlan type mb wb sp security acl ssid
-- ---- ---- -- -- -- -------- --- ------------
1 620 normal * * . wpa-psk . BRM3-Mesh1
2 -- suppress . . . wep . BRM3-Mesh1_man
==================================================
For SSID information in the previous example, encryption settings are displayed
as follows:
• a dot ( . ) means that the encryption setting is disabled for that particular
SSID
• the word yes means that the encryption setting is enabled for that particular
SSID
• a dash ( - ) means that information is not available

Example 2
/# cd radio
/radio# show brm1 config

Radio State : enable

Channel : 149
Link Identifier : BRM3-Trial
Link Topology : Star SS
Link Provisioned : 1
Privacy : disabled (key:)
Antenna : external (0.00dBi)
Link Distance : 2 kms
TPC State : enabled
Tx Power : 20.00dBm (step=1)
DFS State : enabled
Secondary DFS Channel : 0

Backhaul Radio show brm<n> status

Operational Information This command applies only to radios with part numbers B2CC001AA,
B2CC001AB, B2CC034AA and B2CC034AB. It displays operational
information of a backhaul radio.

June 30, 2006 Confidential Page 33 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Common Radio Module Configuration Commands

Example 1
The following example shows a typical output when the backhaul link is
operational.
/# cd radio
/radio# show brm1 status
Local Node Information
======================
Link state : up
Current active channel : 56
Local RSSI : -78 dbm
BRM MAC address : 00:0d:67:00:03:a3
Tx power state : low
Tx power level : 8 dBm
Country : UNITED STATES
TPC admin state : disabled
DFS admin state : enabled

channel DFS radar radar holdoff-time

required type detected remaining
------------------ --------- --------- ---------- ------------
056 ( primary ) no unknown no n/a
056 (secondary) no unknown no n/a

Remote Node Information

=======================
Last heard from : 0 secs ago
Remote Radio
RSSI : 0 dBm
Antenna type : external
Module : brm1
MAC address : 00:0d:67:ff:ff:ff
Remote Node
Name :
Location :
MAC address : 00:00:00:00:00:00
SwVersion : 3.2.0.2005.06.2

Example 2
The following example shows a typical output when the backhaul link is not
operational.
/# cd radio
/radio# show brm1 status
Local Node Information
======================
Link state : down
Current active channel : 148
BRM MAC address : 00:0d:67:00:1e:12
Tx power state : high
Tx power level : 17 dBm
Country : UNITED STATES
TPC admin state : enabled
DFS admin state : enabled

June 30, 2006 Confidential Page 34 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Common Radio Module Configuration Commands

channel DFS radar radar holdoff-time

required type detected remaining
------------------ --------- --------- ---------- ------------
148 ( primary ) no unknown no n/a
148 (secondary) no unknown no n/a

==== No associated BRM ====

Displaying the MAC show {arm<n>|brm<n>} mac-address

Address This command displays the MAC address of a backhaul radio or an access radio.

Example
/# cd radio
/radio# show arm1 mac-address
00:0d:67:00:00:0a

Displaying All MAC show {arm<n>|brm<n>} mac configuration

Configuration This command displays the MAC layer configuration of a backhaul radio or an
Parameters
access radio.

Example
/# cd radio
/radio# show arm1 mac configuration
rts threshold : 2347
fragment threshold : 2346
short retries : 8
long retries : 4
auth-response timeout : 500
assoc-response timeout : 500

Radio Mode or show {arm<n>|brm<n>} mode

Disabling a Radio set {arm<n>|brm<n>} radio-state {enable|disable}
set brm<n> mode {ap|client|disable}
set arm<n> mode {ap|disable}
The show command displays the operating mode of a radio module.
The set {arm<n>|brm<n>} radio-state command applies only to radios with
part number B2CC033AA. The default setting is disable, meaning that the radio
is switched off.
The set brm<n> mode command applies only to radios with part numbers
B2CC001AA, B2CC001AB, B2CC034AA and B2CC034AB. It configures the
radio to act either as an Access Point (AP) or client. The default setting is
disable, meaning that the backhaul radio is switched off.

June 30, 2006 Confidential Page 35 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Common Radio Module Configuration Commands

The set arm <n> mode command applies only to radios with part numbers
B2CC000AA, B2CC000AB, B2CC011AA, B2CC011AA, B2CC043AA. If
switched on, the access radio must be configured as an Access Point. If set to
disable, the access radio is switched off.

Antenna Type show {arm<n>|brm<n>} antenna-type

set {arm<n>|brm<n>} antenna-type <type>
These commands are only available if your unit contains a radio with part
numbers B2CC011AA, B2CC011AB, B2CC043AA or B2CC033AA. Use the
/system/show phyinv command to display the radio’s part number.
These commands let you manage the type of antenna installed with your unit.
Each antenna type has an associated antenna gain.
For the show command, the output displays the current and possible antenna
types, the associated antenna gain (in dBi) for each type and the maximum
allowable transmit power for that antenna. The displayed values vary depending
on the country of operation.
For the set command, you must set the antenna type to match the gain of the
antenna installed in your unit. Use the show command to determine valid
values for <type>. For all countries except Korea, the default access antenna
type is for an antenna gain of 8 dBi. For Korea, the default access antenna type
is for an antenna gain of 6 dBi.
CAUTION! Improper setting of the antenna type may exceed regulatory requirements and
void the operator’s right to operate the radio equipment.

Example
/# cd radio
/radio# show arm1 antenna-type
Antenna : External
Antenna Type : 0
Antenna Gain : 0.00dBi
TYPE GAIN State
---- ---- -----
1 4.00 --
2 7.00 --
3 9.00 --
4 10.00 --
5 10.25 --
6 10.50 --
7 12.00 --
8 13.50 --
9 15.00 --
10 23.00 --

June 30, 2006 Confidential Page 36 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Common Radio Module Configuration Commands

Channel Number show {arm<n>|brm<n>} channel

set {arm<n>|brm<n>} channel <channel_num> [secondary <channel_num2>]
The show command displays the channel number used by a radio. Where
applicable, it also shows the secondary channel number that is used for
Dynamic Frequency Selection (DFS).
The set command let you specify the channel number for a backhaul radio or an
access radio. Valid channel settings depend on your country of operation.
The secondary parameter sets an optional secondary channel for use with
Dynamic Frequency Selection (DFS). The default value is 0, instructing DFS to
operate as if the secondary channel is the same as the primary channel. If you
change the channel number from the default value and if you do not specify a
secondary channel, then your secondary channel is set to be the same as your
primary channel. DFS behaves the same way regardless of whether your
secondary channel is the same as the primary channel or whether your
secondary channel is 0. Refer to your RF plan and site survey to determine if
you need to set a secondary channel other than 0 or your primary channel.
Note: After you change the channel number for the access radio, BelAir
Networks recommends that you save your configuration and reboot
the access radio. Rebooting the access radio will disrupt access traffic
for approximately 20 seconds.
See also:
• “Dynamic Frequency Selection” on page 39
• the BelAir Products Deployment Guidelines.
Example 1
/radio# show arm1 channel
6

Example 2
/# cd radio
/radio# set brm1 channel 52 secondary 149

Example 3
/radio# show brm1 channel
48 (secondary 149)

June 30, 2006 Confidential Page 37 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Common Radio Module Configuration Commands

Transmission show {arm<n>|brm<n>} tx power

Power Level set {arm<n>|brm<n>} tx power <value>

The show command displays the current transmission power value as well as
the possible values for a backhaul radio or an access radio. If your unit contains
a radio with part numbers B2CC011AA, B2CC011AB, B2CC043AA or
B2CC033AA, then the output of this command displays power settings that are
adjusted to account for your country of operation, channel in use, and type of
antenna that is installed.
The set command sets the transmission power for a backhaul radio or an
access radio. If your unit contains a radio with part numbers B2CC011AA,
B2CC011AB, B2CC043AA or B2CC033AA, then the range of <value> is
limited to be valid for your country of operation, physical channel in use, and
type of antenna that is installed. The default setting is to have the radio transmit
at maximum power.
Use the /system/show phyinv command to display the radio’s part number.
Note: After you change the transmission power for the access radio, BelAir
Networks recommends that you save your configuration and reboot it.
Rebooting the access radio will disrupt access traffic for approximately
20 seconds.
See also “Antenna Type” on page 36.

Example
The following command displays possible transmit power settings for an access
radio with part numbers B2CC011AA, B2CC011AB or B2CC043AA:
/# cd radio
/radio# show arm1 tx power
TX antenna : 2
Channel : 5
Country : US
Index Power(dBm) State
----- ---------- --------
1 26 --
2 25 --
3 23 --
4 21 --
5 19 current
6 17 --
7 15 --
8 13 --

June 30, 2006 Confidential Page 38 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Common Radio Module Configuration Commands

Dynamic show {arm<n>|brm<n>} dfs

Frequency set {arm<n>|brm<n>} dfs {enabled|disabled}

Selection These commands let you manage the Dynamic Frequency Selection (DFS)
feature. The set command is only available if you are logged in as root.
These commands apply only if your unit contains a radio with part numbers
B2CC034AA, B2CC034AB or B2CC033AA. Use the /system/show phyinv
command to display the radio’s part number.
Dynamic Frequency Selection (DFS) is a regulatory requirement in some
jurisdictions. It is normally set automatically when specifying the country of
operation.
The show command displays various parameters associated with DFS. The
default value of the secondary channel is 0, instructing DFS to operate as if the
secondary channel is the same as the primary channel.
The set command suppresses any use of DFS by the set country
<country_code> command. When disabled with this command, DFS remains
disabled for all radio channels until re-enabled by this command.
CAUTION! Improper setting of DFS may exceed regulatory requirements and void the
operator’s right to operate the radio equipment.
For details on specify the country of operation, see:
• BelAir100 Installation Guide
• BelAir100 System Command Line Interface Guide

Example 1
/radio# show brm1 dfs
DFS admin state: enabled
Current channel: 161
CHANNEL DFS radar radar elapsed
required type detected time
------- --------- --------- -------- -----------
161 ( primary ) yes fcc no 15 min
055 (secondary) no fcc no n/a

Example 2
/# cd radio
/radio# set brm1 dfs disabled

June 30, 2006 Confidential Page 39 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Access Radio Configuration

Access Radio Configuration

This chapter describes how to display and configure radio parameters that are
specific to access radios, including:
• “Client Information” on page 40
• “Access Radio Transmission Rates” on page 43
Other aspects of radio configuration and operation are described in:
• “Wireless Security” on page 59
• “Managing Access Radio SSIDs” on page 76
All CLI commands described in this chapter are available in radio mode.
To configure parameters that are specific to backhaul radios, including the
different types of backhaul links, see “Backhaul Link Configuration” on page 46.
To configure parameters that are common to both access radios and backhaul
radios, see “Common Radio Module Configuration Commands” on page 32.
For full details on radio module configuration, see the BelAir100 Radio
Command Line Interface Guide.

Client You can display information about the clients that are associated, or that were
recently associated to the AP.
Information
Displaying the Number show arm<n> client associated [ssidx <ssid_index>]
of Associated Clients This command displays the list of associated wireless clients for a given SSID. If
no SSID is specified, the displayed list shows all associated clients and their
SSID.
The ssid_index parameter must be a valid SSID index. The default value is 1.
Table 5 explains the various fields in the resultant output.

Table 5: Output Field Descriptions

Field Description

IP Client's IP address. (s) indicates static IP addressing

identity 802.1X client identity. Present for dot1x or WPA SSIDs

June 30, 2006 Confidential Page 40 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Access Radio Configuration

Table 5: Output Field Descriptions (Continued)

Field Description

auth Authentication state of the client

unauth default or initial state
auth client is authorized for Open or WEP privacy
eapAuth client is authorized for dot1x, WPA1 or WPA2
privacy
pskErr Possible wrong WPAPSK key configured on client
radto For dot1x, WPA1 or WPA2. Problems connecting to
radius server, possibly because of a network problem.
cltto For dot1x, WPA1 or WPA2. Problems sending EAP
packets to client.

June 30, 2006 Confidential Page 41 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Access Radio Configuration

Table 5: Output Field Descriptions (Continued)

Field Description
dhcp Client DHCP state (applicable only if client uses dynamic IP addressing)

init Client has just connected and has not yet started a DHCP
sequence

disc Client has sent a DHCP Discover message and is waiting for a
DHCP Offer message to get its IP address.
(Applicable only if client does not already have a valid IP address.
Otherwise client sends DHCP Request message.)

offer Server has responded to the DHCP Discover message with a

DHCP Offer message. This packet tells the client its IP address.
The client should then send a DHCP Request message to verify
the IP address.

req Client has sent the DHCP Request message to the server and is
waiting for a a DHCP Ack message to confirm the assigned IP
address.

decl Server has declined the client’s DHCP request. Verify the server
settings.

ack Client has sent a DHCP Request message and the server has
confirmed the assigned IP address.
(Considered a DHCP complete state.)

nack Server has responded to the client’s DHCP request with a DHCP
Nack message. Verify the server settings.

relse Client has sent a DHCP Release message.

inform Client has sent a DHCP Inform message. Depending on the

server, the server may respond with a DHCP Ack message.
(Considered a DHCP complete state.)

arpRes Client has gone through one of the DHCP state transitions and
replied to an ARP request for its IP address.
(Considered a DHCP complete state.)

Depending on the server configuration, if a client moves to a different subnet, it

may need to timeout the current IP address (approx. 30 seconds) and then
restart the DHCP sequence. During this process the client may use the
standard default IP address for Microsoft Windows (169.254.X.X).

June 30, 2006 Confidential Page 42 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Access Radio Configuration

Example
/# cd radio
/radio# show arm1 client associated
Total associated clients : 2

id ss vlan mac addr IP identity rssi auth dhcp

--- -- ---- ----------------- ------------------ ---------- ---- ------- ------
12 2 500 00:0D:88:EF:B2:3D 10.1.50.108 mrussell -61 eapAuth arpRes
11 2 500 00:0D:88:EF:B2:3E 10.1.60.108(s) anonymous -62 eapAuth arpRes

Displaying the Client show arm<n> client <1|2|...|2007> details

Details
This command displays the details of a wireless client that is associated or was
recently associated with the AP. You determine the client number
<1|2|...|2007> by first using the show arm<n> client associated command.
In the resulting output, the age parameter shows the time since the access
radio last received a data frame from the client and the state parameter shows
authenticated (2) if the client is no longer associated.

Example
/# cd radio
/radio# show arm1 client 35 details
id : 35
address : 00:40:96:38:2e:03
state : associated (5)
age : 594 secs
rssi : -82 dBm

Access Radio If your unit contains a radio with part numbers B2CC011AA, B2CC011AB or
B2CC043AA, then you can customize the following:
Transmission
• whether the radio uses 802.11b rates, 802.11g rates or both
Rates
• some of the settings for the rates that are used
Use the /system/show phyinv command to display the radio’s part number.
If your unit contains a radio with part number B2CC033AA, then it is providing
802.11a radio links and the data transfer rates cannot be changed.

June 30, 2006 Confidential Page 43 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Access Radio Configuration

Access Radio Profile show arm<n> profile

set arm<n> profile {b|g|mixed}
These commands let you manage whether the radio uses 802.11b rates,
802.11g rates or both. Table 6 describes the specific rates that are available for
each setting.

Table 6: Access Radio Profile Settings

802.11b Settings 802.11b Settings Mixed (802.11b and g)

Rate (Mb/s) Rate (Mb/s) Rate (Mb/s)

1 basic 1 basic 1 basic

2 basic 2 basic 2 basic
5.5 basic 5.5 basic 5.5 basic
11 basic 6 basic 6 non-basic
11 basic 11 basic
12 basic 12 non-basic
18 non-basic 18 non-basic
24 basic 24 non-basic
35 non-basic 35 non-basic
48 non-basic 48 non-basic
54 non-basic 54 non-basic

Example 1
/# cd radio
/radio# show arm1 profile
Profile: B-only

Example 2
/# cd radio
/radio# show arm1 profile
Profile: Mixed

June 30, 2006 Confidential Page 44 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Access Radio Configuration

Access Radio Rates show arm<n> rates

set arm<n> rates {default|range|throughput|custom “<rates>”}
These commands allow you to customize the radio rate settings listed
previously.
The default setting resets the radio rate settings to match those listed
previously.
The range setting optimizes the radio rate settings such that clients can
associate with the access radio from a greater distance. The lowest rate
becomes basic and all other rates become non-basic.
The throughput setting optimizes the radio rate settings such that clients that
associate with the access radio have the greatest throughput. All rates becomes
basic.
The custom “<rates>” setting allows you to customize the radio rate settings
listed previously. The <rates> parameter is a comma separated list of rates. If a
rate is excluded from the list, then that rate is disabled and the radio cannot
operate at that rate. You can also specify a rate with -basic. Rates that are
specified without -basic automatically become non-basic. When specifying the
<rates> parameter, make sure that you:
• use quotation marks to enclose the list
• do not put a space after the comma delimiter

Example - Customizing the Rate Setting

The following command sets the 1 Mb/s rate as basic, sets the 2 Mb/s rate as
non-basic, disables the 5.5 Mb/s rate and sets the 11 Mb/s rate as non-basic.
/radio# set arm1 rates custom “1-basic,2,11”

June 30, 2006 Confidential Page 45 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Backhaul Link Configuration

Backhaul Link Configuration

This chapter describes the different types of backhaul links that are available for
the BelAir100. It also shows you how to display and configure radio parameters
that are specific to the backhaul links, including:
• “Backhaul Radio Service Set Identifiers” on page 48
• “Backhaul Transmission Power Control” on page 48
• “5 GHz P-to-P Links” on page 49
• “2.4 GHz MP-to-MP Links” on page 50
• “5 GHz MP-to-MP Links” on page 50
• “5 GHz P-to-MP Links” on page 50
• “Additional MP-to-MP Link Commands” on page 51
• “Associated and Peer Backhaul Radio MAC Addresses ” on page 56
All CLI commands described in this chapter are available in radio mode.
Other aspects of radio configuration and operation are described in:
• “Wireless Security” on page 59
• “Managing Access Radio SSIDs” on page 76
To configure parameters that are specific to access radios, see “Access Radio
Configuration” on page 40.
To configure parameters that are common to both access radios and backhaul
radios, see “Common Radio Module Configuration Commands” on page 32.
For full details on radio module configuration, see the BelAir100 Radio
Command Line Interface Guide.

Backhaul Link The BelAir100 can be configured with the following types of links to form a
mesh for backhaul traffic:
Types
• 5 GHz multiple point-to-point (P-to-P)—Any BelAir node containing a radio
with part numbers B2CC001AA, B2CC001AB, B2CC034AA, B2CC034AB
or B2CC033AA can provide P-to-P backhaul links.
• 2.4 GHz multipoint-to-multipoint (MP-to-MP)—To create these types of
links, the BelAir node must contain a radio with part numbers B2CC011AA,

June 30, 2006 Confidential Page 46 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Backhaul Link Configuration

B2CC011AB or B2CC043AA. MP-to-MP links allow you to create a full

mesh topology with up to eight BelAir nodes forming a cluster. Typically, a
mesh cluster contains up to seven BelAir50C nodes and a mesh portal that
can be any BelAir node. The mesh portal connects the cluster to the rest of
the network.
A BelAir50C mesh portal uses its Ethernet LPM connection to route traffic
to the rest of the network.
A BelAir50S mesh portal uses its DOCSIS module connection to route
traffic to the rest of the network.
A BelAir200, BelAir100, BelAir100C or BelAir100S mesh portal can use a
variety of ways to route traffic to the rest of the network depending on how
it is equipped:
—It can use a 5 GHz P-to-P, point-to-multipoint (P-to-MP), or MP-to-MP
backhaul link.
—It can use an Ethernet or DOCIS connection.
• 5 GHz multipoint-to-multipoint (MP-to-MP)—To create these types of links,
the BelAir node must contain a radio with part number B2CC033AA.
MP-to-MP links allow you to create a full mesh topology with up to eight
BelAir nodes forming a cluster. Typically, a mesh cluster contains up to seven
BelAir nodes and a mesh portal that can be a BelAir200, BelAir100,
BelAir100C or BelAir100S node. The mesh portal connects the cluster to
the rest of the network
A BelAir200, BelAir100, BelAir100C or BelAir100S mesh portal can use a
variety of ways to route traffic to the rest of the network depending on how
it is equipped:
—It can use a 5 GHz P-to-P, point-to-multipoint (P-to-MP), or MP-to-MP
backhaul link.
—It can use an Ethernet or DOCIS connection.
• 5 GHz point-to-multipoint (P-to-MP)—To create these types of links, the
BelAir node must contain a radio with part number B2CC033AA. P-to-MP
links allow you to create a star topology with one base station in the middle
connecting up to eight subscriber stations. Typically, P-to-MP links are used
to connect several mesh portals, and their clusters, to the rest of the
network.
Use the /system/show phyinv command to display the radio’s part number and
determine the type of radio you have.

June 30, 2006 Confidential Page 47 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Backhaul Link Configuration

Backhaul Radio show brm<n> ssid

Service Set set brm<n> ssid <ssid_string>

These commands do not apply to radios with part number B2CC033AA. They
Identifiers let you manage the Service Set Identifier (SSID) for a backhaul radio. The SSID
is a unique identifier that wireless networking devices use to establish and
maintain wireless connectivity. SSIDs are case sensitive and can contain up to 32
alphanumeric characters.
Note: The specified SSID is case sensitive.

Example
/# cd radio
/radio# set brm1 ssid BelAirNetworks

Backhaul show brm<n> tpc

Transmission set brm<n> tpc {enabled|disabled}

These commands let you manage backhaul Transmission Power Control (TPC).
Power Control The set command is only available if you are logged in as root.
This command applies only if your unit contains a radio with part numbers
B2CC034AA or B2CC034AB or B3CC033AA. Use the /system/show phyinv
command to display the radio’s part number.
TPC that automatically adjusts the transmit power of a backhaul radio based on
communications with the backhaul radio at the other end of a link.
The backhaul radio transmit power operates at two levels: 6 dBm and 14 dBm.
With TPC, if one end of a link detects that the signal strength is below
-65 dBm, then it can request the transmitting backhaul radio to increase its
transmit power to 14 dBm. Similarly, if the signal strength is above -50 dBm,
then the transmitting backhaul radio is requested to decrease its transmit
power to 6 dBm.

Example 1
/# cd radio
/radio# show brm1 tpc
TPC admin state : enabled
TPC operation state : up
Link : associated
Channel : 64
Country : Canada
TPC tx power state : high
Tx power level : 14 dBm
Local rssi : -39 dbm
Peer rssi : -30 dbm

June 30, 2006 Confidential Page 48 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Backhaul Link Configuration

Example 2
/# cd radio
/radio# set brm1 tpc enabled

5 GHz P-to-P The commands that you use depend on the type of radio that you are using.
Use the /system/show phyinv command to display the radio’s part number.
Links
Backhaul Radios with Part Number B2CC033AA
This type of radio can form backhaul links only with other radios with the same
part number. As well, the radios do not need to have a Client and Access Point
relationship. However, the radio’s topology must be set to p2p.
With these types of radios, a wireless backhaul link (or association) can be
established between two backhaul radios if all the following conditions are met:
• Both are configured on the same channel. Refer to “Channel Number” on
page 37 for the appropriate command.
• Both are configured with the same link identifier.
The following command configures the radio for a basic 5 GHz (P-to-P) link
topology without privacy.
set brm<n> link identifier <lnk_id> topology p2p
The <link_id> parameter is case sensitive and can be up to 32 alphanumeric
characters. For P-to-P links, BelAir Networks recommends that the link
identifier describes the link; that is, the nodes it connects.

All Other Backhaul Radios

These types of radios have part numbers B2CC001AA, B2CC001AB,
B2CC034AA and B2CC034AB. They can form P-to-P backhaul links with any
other 5 GHz BelAir radio except those with part number B2CC033AA.
A wireless backhaul link (or association) can only be established between two
backhaul radios if all the following conditions are met:
• One of them is in Client mode and the other in Access Point (AP) mode.
Refer to “Radio Mode or Disabling a Radio” on page 35 for the appropriate
command.
• Both are configured on the same channel. Refer to “Channel Number” on
page 37 for the appropriate command.
• Both are configured with the same SSID. Refer to “Backhaul Radio Service
Set Identifiers” on page 48 for the appropriate command.

June 30, 2006 Confidential Page 49 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Backhaul Link Configuration

2.4 GHz set arm<n> link identifier <lnk_id> topology mesh

MP-to-MP Links This command lets you manage the configuration of a 2.4 GHz MP-to-MP
backhaul link.
The <link_id> parameter is case sensitive and can be up to 32 alphanumeric
characters. For MP-to-MP links, the link identifier is also known as a mesh
identifier. It is the same for all members of a particular mesh cluster.

Example
/radio# set arm1 link topology mesh identifier BelAir-mesh

5 GHz MP-to-MP set {arm<n>|brm<n>} link identifier <lnk_id> topology mesh

Links This command lets you manage the configuration of a 5 GHz MP-to-MP
backhaul link.
The <link_id> parameter is case sensitive and can be up to 32 alphanumeric
characters. For MP-to-MP links, the link identifier is also known as a mesh
identifier. It is the same for all members of a particular mesh cluster.

Example
/radio# set brm1 link topology mesh identifier BelAir-mesh

5 GHz P-to-MP set {arm<n>|brm<n>} link [identifier <lnk_id>]

topology star role{bs|ss} index <lnk_idx>}
Links This command lets you manage the configuration of a 5 GHz P-to-MP backhaul
link.
The <lnk_id> parameter is case sensitive and can be up to 32 alphanumeric
characters. It is the same for all members of the star topology.
The node’s role can be a base station (bs) or a subscriber station (ss). A base
station can support up to eight subscriber stations.
The <lnk_idx> parameter identifies individual links in the star topology. It
ranges from 1 to 8.

Example
/radio# set brm1 link topology star role bs index 1,2,3,7
Link index provisioning successful

June 30, 2006 Confidential Page 50 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Backhaul Link Configuration

Additional The following sections describe additional commands for both a 2.4 GHz mesh
cluster or a 5 GHz mesh cluster.
MP-to-MP Link
Commands
Displaying MP Link show {arm<n>|brm<n>} link
Information [{config|detail|provisioned|statistics [<lnk_id>]}]
This command lets you display the current settings of various parameters for
2.4 GHz MP-to-MP, 5 GHz MP-to-MP or 5 GHz P-to-MP links.
The <lnk_id> parameter applies only to P-to-MP links. It identifies the specific
link that the commands applies to.

Example 1
/radio# show arm1 link config
Link Identifier : BelAir Networks Mesh
Link Topology : Mesh (enabled)
Portal State : no
Isolate RSTP : yes
Privacy : enabled (key:1234567890abcdef)

Example 2
/radio# show arm1 link detail
Link Identifier : BelAir Networks Mesh
Link Topology : Mesh (enabled)
Portal State : no
Isolate RSTP : yes
Privacy : enabled (key:1234567890abcdef)
Link RadioMAC State RSSI Radio NodeIP Rx Pkts Tx Pkts
---- ----------------- ----- ---- ----- --------------- ----------- -----------
1 00:0d:67:00:4c:9e fwd -38 arm1 10.1.3.101 223139 97301

Example 3
/radio# show brm1 link provisioned
Current link provisioned : 1, 2, 3, 7

Example 4
/radio# show brm1 link statistics
Link RadioMac Rx_Pkts Tx_Pkts Rx_Bytes Tx_Bytes Rx_Errs Tx_Errs
---- -------- ------- ------- -------- -------- ------- -------
1 00:0d:67:00:43:e7 4051 6301 127885 235458 0 0

Enabling or Disabling set {arm<n>|brm<n>} mesh-state {disable|enable}

MP Functionality This command applies to radios with part numbers B2CC011AA, B2CC011AB,
B2CC043AA or B2CC033AA. It lets you enable or disable 2.4 GHz or 5 GHz
MP-to-MP functionality for those radios. The default setting is enable.

Example
/radio# set arm1 mesh-state disable

June 30, 2006 Confidential Page 51 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Backhaul Link Configuration

Managing Bandwidth show {arm<n>|brm<n>} traffic-limit

set {arm<n>|brm<n>} traffic-limit <max_rate>
These commands let you manage the rate at which the specified radio can
transmit traffic. The goal is to equalize traffic between radios in a mesh cluster.
The max_rate parameter is specified in kBits/s. Typically, it is set between 1000
and 4000 kBits/s. By default, the traffic limit is set to 0, meaning it is disabled.
The maximum traffic rate applies to both the radio’s access traffic and its
backhaul traffic through the mesh links. It also applies to all clients that are
associated to the radio.
Note: Although this command may be used on any BelAir unit with the proper
hardware, it is intended for use mainly on units that are part of a mesh
cluster.

Example
/radio# show arm1 traffic-limit
Radio traffic limit is 4000 kBit/s

Displaying the Mesh show {arm<n>|brm<n>} mesh-topology

Topology This command displays the operating parameters of the node you are currently
accessing and all the links connected to it. The output consists of three areas, as
follows:
• a list of operating parameters of the node you are currently accessing
• a list of mesh points
• a link matrix
The list of mesh points identifies the node you are currently accessing with an
asterisk. It is always the first mesh point that is listed. The mesh portal is
identified with a p.
The link matrix displays the RSSI value of each link in dBm as seen from each
end. RSTP forwarding is identified with an asterisk. The following example
illustrates and explains the output.

Example
/radio# show arm1 mesh-topology
Link Identifier : PVStn5_Ba50Mesh
Link Topology : Mesh (enabled)
Portal State : no
Isolate RSTP : yes
Privacy : enabled (key:1234567890abcdef)

June 30, 2006 Confidential Page 52 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Backhaul Link Configuration

Link Active : 1

MP RadioMAC Radio NodeMac NodeIP

-- -------- ----- -------- ------
1 00:0d:67:00:33:c5* arm1 00:0d:67:00:33:c4 10.1.3.131
2 00:0d:67:00:33:e5 arm1 00:0d:67:00:33:e4 10.1.3.132
3 00:0d:67:00:4c:9ep arm1 00:0d:67:00:0e:90 10.1.3.101

Link Matrix
1 2 3
------+------+------+
1| | -67* | -53* |
|------+------+------+
2| -65* | | -68 |
|------+------+------+
3| -50* | -71* | |
|------+------+------+

Note: rows list originating nodes [value=avg RSSI] [*=RSTP forwarding]

In the previous example, you are currently accessing the node with a MAC
address of 00:0d:67:00:33:c4. Your node contains a radio module with a MAC
address of 00:0d:67:00:33:c5 that is forming a multipoint mesh with two other
radio modules.
The link matrix displays the RSSI value as seen from each end. Row 1 column 2
shows -67 meaning that according to Node 1, the link to Node 2 has an RSSI
value of -67 dBm. Row 2 column 1 shows -65 meaning that according to
Node 2, the link to Node 1 has an RSSI value of -65 dBm. A slight variance in
the RSSI value, as seen from both ends, is normal because one radio receiver
may be slightly more sensitive than the other, or the associated antenna gain
may be slightly different.

Managing the Mesh show {arm<n>|brm<n>} blacklist

Blacklist add {arm<n>|brm<n>} blacklist <mesh_pt_MAC_add>
delete {arm<n>|brm<n>} blacklist <mesh_pt_MAC_add>
These commands allow you to control whether or not a link is used between
two mesh points. To blacklist a link, you need to log in to both ends of the link
and put the radio of other node on the local blacklist. For example, to prevent
the use of a link between node A and B, you need to:
1 Log in to node A and add to its blacklist the MAC address of node B radio.
2 Log in to node B and add to its blacklist the MAC address of node A radio.
The MAC addresses of the node radios can be determined with the show
{arm<n>|brm<n>} mesh-topology command.

June 30, 2006 Confidential Page 53 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Backhaul Link Configuration

Typically, these commands are used to disable an unstable link. This behavior
may occur when either radio at each end of the link is operating at the limit of
its sensitivity.
As well, these commands can be used to disable a particular link if the RF plan
for the cluster predicts low RSSI values for it.

Example
/radio# show arm1 blacklist
1 00-0d-67-00-2a-80

Doing a Mesh Survey show {arm<n>|brm<n>} mesh-survey

This command allows you to troubleshoot potential mesh configuration
problems. It displays a list of all visible mesh points (excluding those which are
already part of the same mesh as the local mesh point). The output can include
nodes that are configured with:
• the local mesh point’s current mesh or link identifier, but with a different
channel
• the local mesh point’s previously saved mesh or link identifier, either on the
same or different channel
• either the current or previously saved mesh or link identifier, on either the
same or different channel, but with a different encryption scheme
The output may show undef as the type of privacy, meaning that the node
cannot determine the type of privacy used by that link. Link age is also displayed
as follows:
• N, meaning that the link is not aging
• Y, meaning that the link is aged
• S, meaning that the link aging data is not current

Example
show arm1 mesh-survey
12345678
RadioMac CH Priv RSSI TOP Role LinkIdx Age LinkIdentifier
-------- -- ---- ---- --- ---- -------- --- --------------
00:12:88:de:2c:01 6 undef-75 p2p -- -------- N
00:0d:67:00:75:c8 3 aes -48 mesh -- -------- N BelAirNetworks MESH
00:12:88:de:0a:09 6 undef-61 mesh -- -------- N
00:0d:67:00:33:db 3 aes -68 mesh -- -------- N BelAirNetworks MESH
00:11:95:38:3d:83 6 undef-74 p2p -- -------- N
00:13:10:77:74:99 6 undef-73 mesh -- -------- N

June 30, 2006 Confidential Page 54 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Backhaul Link Configuration

00:12:88:de:14:d1 6 undef-61 mesh -- -------- N

00:12:88:de:07:01 6 undef-62 p2p -- -------- N

Mesh Portal Attribute set {arm<n>|brm<n>} mesh-portal {yes|no}

This command establishes whether the member of the mesh cluster is a mesh
portal or not. The default value is no, meaning that the member of the mesh
cluster is not a mesh portal.
CAUTION! BelAir Networks strongly recommends that each mesh cluster has only one
mesh portal.

Managing RSTP BPDUs rstp isolate {arm<n>|brm<n>}

no rstp isolate {arm<n>|brm<n>}
These commands control whether or not RSTP BPDUs are sent and received
through the LPM Ethernet port of the BelAir100 node. The default setting is to
isolate the node; that is, it does not send or receive RSTP BPDUs.
BelAir Networks recommends that you do not change this setting unless
advised to do so by BelAir Networks technical support staff. An improper
settings of this parameter may result in subsequent RSTP topology issues.

Managing the Mesh show {arm<n>|brm<n>} mesh-accept

Accept List accept {arm<n>|brm<n>} mesh
For a 2.4 GHz mesh cluster, you can use these commands only with the mesh
portal. For a 5 GHz mesh cluster, you can used these commands with any
member of a multipoint-to-multipoint mesh.
The accept command puts into persistent storage a snapshot of the cluster
topology. The node then issues an alarm if it detects any deviation in the
topology from that snapshot. For example, the mesh portal would issue an
alarm if a member of the cluster becomes unreachable, or if an unexpected new
member is added to the topology.
The show command lists the MAC addresses of the nodes that are in the mesh
Accept list.

Example 1
/radio# accept arm1 mesh
These remote mesh points have been accepted:
00:0d:67:00:2d:7d
00:0d:67:00:2d:c0
00:0d:67:00:1f:4a
00:0d:67:00:01:05

June 30, 2006 Confidential Page 55 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Backhaul Link Configuration

00:0d:67:00:2d:af
00:0d:67:00:14:87
Number of accepted remote mesh points: 6

Example 2
/radio# show arm1 mesh-accepted
These remote mesh points have been accepted:
00:0d:67:00:2d:7d
00:0d:67:00:2d:c0
00:0d:67:00:1f:4a
00:0d:67:00:01:05
00:0d:67:00:2d:af
00:0d:67:00:14:87
Number of accepted remote mesh points: 6

Associated and This feature applies only to radios with part numbers B2CC001AA,
B2CC001AB, B2CC034AA and B2CC034AB. It allows you to control which
Peer Backhaul nodes establish backhaul links in a point-to-point mesh configuration.
Radio MAC
The associated backhaul radio MAC address is the MAC address of the remote
Addresses backhaul radio of an established backhaul link. Its default value is null
(00:00:00:00:00:00), indicating no established link. It is dynamically set when the
backhaul radio associates itself with another backhaul radio with matching SSID,
physical channel and complementary mode.
The currently associated backhaul radio MAC address can be displayed with the
following command:
show brm<n> associated mac address

The peer MAC address is the MAC address of the desired remote backhaul
radio to which the local backhaul radio should associate. Its default value is also
null (00:00:00:00:00:00) and can be set in two ways:
• accept the currently associated backhaul radio MAC address
• statically configure the desired backhaul radio MAC address

Accepting the Currently To accept the currently associated backhaul radio as the desired peer backhaul
Associated Backhaul radio, use the following command:
Radio
accept brm<n> associated mac address

June 30, 2006 Confidential Page 56 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Backhaul Link Configuration

This command copies the value of the currently associated backhaul radio MAC
address to the peer MAC address.

Statically Configuring The peer backhaul radio MAC address can be set with the desired remote
the Peer Backhaul Radio backhaul radio’s MAC address with the following command:
MAC Address
set brm<n> peer mac address <mac address>

Example
/radio# set brm1 peer mac address 00:0d:67:00:21:8f

The backhaul radio can only associate itself with a remote backhaul radio with
the specified MAC address.

Discarding the If the backhaul radio has associated itself with an undesired backhaul radio, the
Associated Backhaul current associated backhaul radio MAC address can be discarded, so that the
Radio MAC Address pre-configured peer can become associated. To do so, use the following
command:
discard brm<n> associated mac address

Example
/radio# discard brm1 associated mac address
/radio# show associated mac address
00:00:00:00:00:00

Changing the Peer To change the value of the peer backhaul radio MAC address, use the following
Backhaul Radio MAC command:
Address
discard brm<n> peer mac address
This command sets the desired peer backhaul radio MAC address to null and
also discards the associated backhaul radio MAC address, dis-associating any
existing link.
After discarding the peer MAC address, any remote backhaul radio
appropriately configured (with matching SSID, physical channel, and
complementary mode) can associate with the local backhaul radio. To prevent
this, set the peer MAC address with the desired remote backhaul radio’s
address as shown previously.

June 30, 2006 Confidential Page 57 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Backhaul Link Configuration

Example – Associated The following example shows a typical sequence of commands to force a
and Peer Backhaul backhaul radio association with a different remote node:
Radio MAC Addresses
Example
# Previous desired peer MAC address
/radio# show brm1 peer mac address
00:0d:67:00:11:6c
/radio# show brm1 associated mac address
00:0d:67:00:11:6c
# Break the existing association (backhaul link)
/radio# discard brm1 peer mac address
/radio# show brm1 peer mac address
00:00:00:00:00:00
/radio# show brm1 associated mac address
00:00:00:00:00:00
# A few seconds later, another BRM becomes associated
/radio# show brm1 associated mac address
00:0d:67:00:21:8f
# Accept the new associated BRM; copy the contents of its MAC
# address to the peer MAC address
/radio# accept brm1 associated mac address
/radio# show brm1 peer mac address
00:0d:67:00:21:8f
# Saves configuration (with new peer MAC address)
/radio# config-save

June 30, 2006 Confidential Page 58 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Wireless Security

Wireless Security
This chapter describes how you can set up security to encrypt your wireless
transmissions so that your data cannot be deciphered if it is intercepted, and to
prevent access to the network by unauthorized clients. The following topics are
covered:
• “Configuring Security for Wireless Clients” on page 59
• “Configuring Security for Backhaul Links” on page 69
• “Controlling Inter-client Communication” on page 71
• “Detecting Rogue Access Points” on page 74
For full details on radio module security configuration, see the BelAir100 Radio
Command Line Interface Guide.

Configuring The BelAir100 has several options for wireless authentication and data
encryption. The method that you use depends on your security needs and your
Security for network configuration.
Wireless Clients If multiple SSIDs are configured, each SSID can be configured with its own
security options.
The authentication options are:
• instruct the Access Point to connect to a Remote Authentication Dial In
User Service (RADIUS) server in your network that keeps a list of accepted
clients. RADIUS is a standard for user authentication.
For this option, you need a RADIUS server. Multiple BelAir100 units can
share the information from the same RADIUS server.
• use a pre-shared key. This is a simpler authentication option, but more
difficult to maintain because pre-shared keys must be distributed to all
users.
You can also create a list of accepted clients; that is, an Access Control List
(ACL). This option is best suited for small networks.
The encryption options are:
• Wired Equivalent Privacy (WEP). This is a basic encryption scheme.
• Temporal Key Integrity Protocol (TKIP). This is an more advanced
encryption scheme.
• Advance Encryption Standard (AES). This is the strongest encryption
scheme.

June 30, 2006 Confidential Page 59 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Wireless Security

Table 7 shows which CLI commands to use to implement the various

encryption and authentication options combinations.

Table 7: Implementing Combinations of Encryption and Authentication Options

Authentication Option
Encryption
Option Pre-shared key RADIUS 802.1X (EAP)

WEP WEP PSK dot1x

(See “Pre-Shared Key WEP Encryption” on (See “802.1X Authentication with WEP
page 61.) Encryption” on page 64.)
TKIP Wi-Fi Protected Access (WPA1) PSK Wi-Fi Protected Access (WPA1) EAP
(See “WPA1 Authentication” on page 66.) (See “WPA1 Authentication” on page 66.)
AES Wi-Fi Protected Access (WPA2) PSK Wi-Fi Protected Access (WPA2) EAP
(See “WPA2 Authentication” on page 67.) (See “WPA2 Authentication” on page 67.)

Note 1: The WPA2 encryption option is only available if your unit contains a
radio with part numbers B2CC011AA, B2CC011AB, B2CC043AA or
B2CC033AA. Use the /system/show phyinv command to display the
radio’s part number.
Note 2: Some configuration commands take longer than others to be applied
to a radio module. For example, it can take up to 40 seconds per SSID
for a WPA1 PSK configuration to be applied to an access radio. The
delay varies depending on the amount of computing resources
required to implement the configuration.
For small networks, you can use WEP or WPA1. For large networks, you can
use dot1x, WPA1 or WPA2 in combination with a RADIUS server. Because it
uses the TKIP mechanism for encryption, WPA1 provides much stronger
security than WEP or dot1x. WPA2 provides the strongest level of protection
because it uses the AES encryption.
CAUTION! dot1x, WPA1 or WPA2 can only be used with wireless clients that support
these standards (both the operating system and the network card). For clients
that only support WEP, select a combination with WEP.
Note: A network is as secure as its weakest link. If WEP is enabled, the overall
level of network security will be that of WEP.
To execute the commands described in this section, you must be in radio
mode.

June 30, 2006 Confidential Page 60 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Wireless Security

Pre-Shared Key WEP show arm<n> wep-encryption [ssidx <ssid_index>]

Encryption set arm<n> wep-encryption psk <key> {enabled|disabled}
[ssidx <ssid_index>]
set arm<n> wep-encryption disabled [ssidx <ssid_index>]
These commands let you manage WEP encryption with a pre-shared key. The
pre-shared key consists of exactly 5 or 13 bytes (for 40 or 104 bit encryption,
respectively). The pre-shared key can be specified as a hexadecimal or ASCII
string and must not contain the following characters:
• exclamation mark (!)
• bar (|)
• semicolon (;)
• question mark (?)
• double quotation mark (“)
When disabling WEP encryption, key index 1 is used by default.
The ssid_index parameter must be a valid SSID index. The default value is 1.

Example 1
/# cd radio
/radio# show arm1 wep-encryption
wep psk key : <0x0102030405>
state : disabled

Example 2
/# cd radio
/radio# set arm1 wep-encryption psk 0x0123456789 enabled

Example 3
/# cd radio
/radio# set arm1 wep-encryption disabled

Managing RADIUS You can only use the 802.1X with RADIUS and the WPA1 with RADIUS access
Servers control methods when at least one RADIUS server is configured.
All access-request packets include the service type attribute which is set to a
value of 2.
RADIUS packets include a specific NAS port number representing the physical
port of the access radio.

June 30, 2006 Confidential Page 61 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Wireless Security

Showing, Adding and Deleting RADIUS Servers

show arm<n> radius-server
add arm<n> radius-server <ip address> <port>
( [rac-port <radius_acc_port>] <shared secret>
[interface <NAS IP address>] [{default|timeout <seconds>}
[ssidx <SSID_index>] )
del arm<n> radius-server <ip address> <port> [ssidx
<ssid_index>]
You can configure more than one RADIUS server for each node and for each
SSID. These commands let you manage the RADIUS server list. By default, the
first server in the list is used. If the first server is not available, then the second
server is used. This continues for every server on the list.
Note: The syntax statement for the set command contains parentheses ( )
enclosing optional parameters (for example, interface or ssidx) and one
mandatory parameter (<shared secret>). When you use this command,
you must specify <shared secret> and at least one of the optional
parameters.
If you add a RADIUS server for a specific SSID, that SSID must be created first.
The ip address parameter specifies the IP address of the RADIUS server.
The port parameter specifies the UDP port number of the RADIUS server
(typically 1812).
The shared secret parameter specifies the password for access to the RADIUS
server.
The NAS IP address parameter specifies the Network Access Server (NAS) IP
address for the BelAir100 RADIUS client. It is used when the unit is configured
with multiple IP interfaces and matches the interface used to communicate with
the given RADIUS server. The default value is the IP address of the unit’s
management interface, which is usually VLAN1.
Note: The NAS IP address parameter is entered statically with this command.
If the VLAN IP addresses are determined dynamically with a DHCP
server, then an updated VLAN IP address is not automatically reflected
into the NAS IP address parameter.
The timeout parameter specifies the interval (in seconds) after which the
RADIUS client considers that the remote server has timed out if a reply is not
received. The default value is 10 seconds.
If the default keyword is specified, then the command uses the default values for
NAS IP address and timeout. Otherwise, you must specify at least one
non-default value for these parameters.

June 30, 2006 Confidential Page 62 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Wireless Security

The radius_acc_port parameter specifies the port number for RADIUS

accounting data. The default value is 1813.
The ssid_index parameter must be a valid SSID index. The default value is 1.

Example 1
/# cd radio
/radio# add arm1 radius-server 172.16.1.20 1812
”radius-shared-secret” default

Example 2
/# cd radio
/radio# add arm1 radius-server 172.16.1.20 1812
”radius-shared-secret” interface 10.1.1.2

Example 3
/# cd radio
/radio# del arm1 radius-server 172.16.1.20 1812

Enabling or Disabling RADIUS Accounting

set arm<n> radius-accounting {enable|disable}
[ssidx <ssid_index>]
By default RADIUS accounting is disabled.

Setting and Displaying the RADIUS Re-authentication Time

show arm<n> radius-reauth-time [ssidx <ssid_index>]
set arm<n> radius-reauth-time <seconds> [ssidx <ssid_index>]
These commands let you manage the RADIUS re-authentication time.
You can set a RADIUS re-authentication time. This forces the BelAir100 to
check all connected clients with the RADIUS server (that is, make sure they are
still allowed to access the network) at the specified interval. You only need to
configure this parameter if it is not specified on the RADIUS server.
The ssid_index parameter must be a valid SSID index. The default value is 1.
Setting the interval to zero disables this feature. The maximum interval time is
2147483647. If you enter a higher number, the value is set to its maximum.

Example 1
/# cd radio
/radio# show arm1 radius-reauth-time
Re-authorization time interval: 3600 seconds

June 30, 2006 Confidential Page 63 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Wireless Security

Example 2
/# cd radio
/radio# set arm1 radius-reauth-time 3

Setting and Displaying the Network Access Server Identifier

show arm<n> radius-nas-identifier [ssidx <ssid_index>]
set arm<n> radius-nas-identifier <name> [ssidx <ssid_index>]
These commands let you manage the RADIUS Network Access Server (NAS)
identifier. The <name> parameter specifies the new identifier. The default value
is the switch name as set with the /system/system switch <name> command.

Enabling or Disabling Station ID Formatting

show arm<n> radius-station-id-unformatting [ssidx <ssid_index>]
set arm<n> radius-station-id-unformatting {enable|disable}
[ssidx <ssid_index>]
These commands let you manage RADIUS station ID formatting. By default the
called-station-ID and the calling-station-ID fields are formatted to include SSID
information to the provided MAC address.

Including an Accounting Session Identifier in Access-request Packets

show arm<n> radius-account-session-id [ssidx <ssid_index>]
set arm<n> radius-account-session-id {enable|disable}
[ssidx <ssid_index>]
These commands let you manage whether to include or not an accounting
session identifier in access-request packets. The session identifier is
automatically generated by the system.

802.1X Authentication show arm<n> dot1x [ssidx <ssid_index>]

with WEP Encryption set arm<n> dot1x ( [wepkey {psk|bits40|bits104}]
[rekey {no|kpackets <count>|seconds <seconds>}]
[ssidx <ssid_index>] ) {enabled|disabled}
These commands let you to manage 802.1X authentication.
Note: The syntax statement for the set command contains parentheses ( )
enclosing optional parameters (wepkey, rekey or ssidx). When you use
this command, you must specify at least one of these optional
parameters. For example, to enable 802.1X authentication, you specify
set arm<n> dot1x, at least one of the optional parameters, and then
enabled.
If wepkey is set to psk, the specified key for pre-shared WEP key encryption is
used. (The command fails if pre-shared WEP key encryption is not turned on.)

June 30, 2006 Confidential Page 64 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Wireless Security

If WEPKEY is set to bits40 or bits104, the keys are automatically obtained

(either 40 or 104 bits). All wireless clients must support 104-bit keys, in case a
104-bit key is used.
CAUTION! You must disable PSK WEP encryption if you want to use an option other than
PSK.
The rekey parameter allows you to specify Group Key Rekey options to
improve security. These options allow you to specify that a new group key (the
key that is used for communication between the access radio and a group of
clients) must be generated at regular intervals.
If rekey is set to no, then the group key is not changed. This is the default when
802.1X is enabled. If rekey is set to n seconds, the group key is changed after
that time period. If rekey is set to n kpackets, the group key is changed after
that many thousand packets.
The ssid_index parameter must be a valid SSID index. The default value is 1.

Example 1
/# cd radio
/radio# show arm1 dot1x
dot1x wepkey : bits104
rekey method : no
state : disabled

Example 2
/# cd radio
/radio# set arm1 dot1x wepkey bits104 rekey kpackets 1000 enabled

Additional Considerations
If 802.1X is already enabled, entering the set dot1x command only changes the
specified parameter.
For instance, if you have entered the following command:
set arm1 dot1x wepkey bits104 rekey kpackets 1000 enabled
The following set dot1x command only changes the re-key method to once
every 100 seconds, without making any other changes.
set arm1 dot1x rekey seconds 100 enabled

June 30, 2006 Confidential Page 65 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Wireless Security

WPA1 Authentication show arm<n> wpa1 [ssidx <ssid_index>]

set arm<n> wpa1 ( [{eap|psk <secret string>}]
[rekey {no|kpackets <count>|seconds <seconds>}]
[update {yes|no}] [ssidx <ssid_index>]
{enabled|disabled} )
These commands let you to manage WPA1 authentication.
Note: The syntax statement for the set command contains parentheses ( )
enclosing several parameters (for example, rekey, update or ssidx).
When you use this command, you must specify at least one of these
parameters and you must specify either enabled or disabled.
You can use WPA1 with a pre-shared key. This is suitable, but not
recommended for small networks. The pre-shared key must be between 8 and
63 bytes long. The longer the key, the more secure the connection. The
pre-shared key can be specified as a hexadecimal or ASCII string and must not
contain the following characters:
• exclamation mark (!)
• bar (|)
• semicolon (;)
• question mark (?)
• double quotation mark (“)
You can also use WPA1 with a RADIUS server by specifying eap instead of a
pre-shared key. In this case, at least one RADIUS server must be
pre-configured.
The rekey parameter allows you to specify Group Key Rekey options to
improve security. These options allow you to specify that a new group key (the
key that is used for communication between the access radio and a group of
clients) must be generated at regular intervals.
If rekey is set to no, then the group key is not changed. This is the default when
WPA1 is enabled. If rekey is set to n seconds, the group key is changed after
that time period. If rekey is set to n kpackets, the group key is changed after
that many thousand packets.
If update is set to yes, the group key changes immediately when one client
leaves the network. The default is no.
The ssid_index parameter must be a valid SSID index. The default value is 1.
CAUTION! Re-keying is disabled when WEP is selected.

June 30, 2006 Confidential Page 66 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Wireless Security

Example
/# cd radio
/radio# show arm1 wpa1 ssidx 15
wpa1 authen : eap
wpa1 psk key : undef
rekey method : no
update : disabled
state : enabled

Additional Considerations
Make sure to set an access radio SSID other than the default before enabling
WPA1. The BelAir100 unit combines the password phrase with your network’s
SSID to create the WPA1 key.
If WPA1 is already enabled, entering the set wpa1 command only changes the
specified parameter.
For instance, if you have entered the following command:
set arm1 wpa1 eap rekey kpackets 1000 enabled
The following set wpa1 command only sets the update parameter to yes,
without making any other changes.
set arm1 wpa1 update yes enabled

WPA2 Authentication show arm<n> wpa2 [ssidx <ssid_index>]

set arm<n> wpa2 ( [{eap|psk <secret string>}]
[ssidx <ssid_index>] ) {enabled|disabled}
These commands let you manage WPA2 authentication. It is only available if
your unit contains a radio with part numbers B2CC011AA, B2CC011AB,
B2CC043AA or B2CC033AA. Use the /system/show phyinv command to
display the radio’s part number.
Note: The syntax statement for the set command contains parentheses ( )
enclosing several parameters (for example, ssidx). When you use this
command, you must specify at least one of these parameters.
You can use WPA2 with a pre-shared key. This is suitable, but not
recommended for small networks. The pre-shared key must be between 8 and
63 bytes long. The longer the key, the more secure the connection. The
pre-shared key can be specified as a hexadecimal or ASCII string and must not
contain the following characters:
• exclamation mark (!)
• bar (|)

June 30, 2006 Confidential Page 67 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Wireless Security

• semicolon (;)
• question mark (?)
• double quotation mark (“)
You can also use WPA2 with a RADIUS server by specifying eap instead of a
pre-shared key. In this case, at least one RADIUS server must be
pre-configured.
The ssid_index parameter must be a valid SSID index. The default value is 1.

Example
/# cd radio
/radio# show arm1 wpa2
wpa2 authen : eap
wpa2 psk key : undef
state : enabled

Additional Considerations
Make sure to set an access radio SSID other than the default before enabling
WPA2. The BelAir100 unit combines the password phrase with your network’s
SSID to create the WPA2 key.

Wireless Client Access You should only use this option as an extra security measure if:
Control List
• you cannot or prefer not to set up a RADIUS server
• your network provides access to network clients which do not support
802.1X/WPA authentication
In both cases, it is recommended that you enable pre-shared key encryption
(WEP, WPA1 or WPA2).
show arm<n> acl [ssidx <ssid_index>]
add arm<n> acl mac-addr <mac-address> [ssidx <ssid_index>]
del arm<n> acl mac-addr <mac-address> [ssidx <ssid_index>]
set arm<n> acl {enabled|disabled} [ssidx <ssid_index>]
These commands let you manage the current access control list.
You can create a local list of clients (an ACL) that have access to the network.
All other clients are denied access. Clients are identified by the MAC address of
their network card. If you have multiple BelAir100 units in your network, you
need to create this list for every Access Point.

June 30, 2006 Confidential Page 68 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Wireless Security

Typically, you enable ACL mode only after you have added all the desired MAC
addresses to the control list.
Note: This is a different list than the secure port mode access list.
CAUTION! When used with multiple SSIDs, this method affects wireless clients attempting
to associate with any of the SSIDs.
The ssid_index parameter must be a valid SSID index. The default value is 1.

Example
/# cd radio
/radio# add arm1 acl mac-addr 00:0D:87:00:11:22

MAC Authorization show {arm<n>|brm<n>} mac auth-response-time-out

Response Timeout set {arm<n>|brm<n>} mac auth-response-time-out <time-out>
These commands let you manage authentication response time-out value of a
backhaul radio or an access radio. The authentication response time-out is the
amount of time to wait for the next frame in the IEEE 802.11 authentication
sequence.
The time-out parameter has a range of 0 to 2147483647 and is specified in
“time units”. One time unit is 1024 microseconds.

Example 1
/# cd radio
/radio# show brm1 mac auth-response-time-out
500

Example 2
/# cd radio
/radio# set brm1 mac auth-response-time-out 3000

Configuring This section describes how to configure wireless encryption for the various
types of backhaul links
Security for
Backhaul Links The commands that you use depend on the type of radio that you have. Use
the /system/show phyinv command to display the radio’s part number.

Radios with Part set {arm<n>|brm<n>} link privacy {enabled|disabled}

Number B2CC033AA [key <secret_string>]
The privacy setting determines the whether AES privacy is used or not.

June 30, 2006 Confidential Page 69 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Wireless Security

The pre-shared key must be exactly 32 bytes long (16 characters). The
pre-shared key can be specified as a hexadecimal or ASCII string and must not
contain the following characters:
• exclamation mark (!)
• bar (|)
• semicolon (;)
• question mark (?)
• double quotation mark (“)

Example
set brm1 link privacy enabled key 123456789qwertyu

All Other Backhaul Backhaul Radio Encryption Keys

Radios set brm<n> key <type>,<key>
These commands let you manage the encryption key for a specific backhaul
radio. Each backhaul radio can have a different encryption key. However, the
backhaul radios at both ends of a link must use the same key type and value.
The type can be either WEP or TKIP.
If you use the WEP type, the key must be a string of either exactly 5 ASCII
characters (for 40/64 bit encryption) or exactly 13 ASCII characters (for 104/
128 bit encryption). You can only use the following ASCII characters for a
backhaul radio WEP key:
• 0 to 9
• a to z
• A to Z
If you use TKIP encryption type, the key must be a string of exactly 16 ASCII
characters. Any ASCII character can be used for a backhaul radio TKIP key.

Example
/# cd radio
/radio# set brm1 key WEP,abcdefg012345

Backhaul Radio Privacy Status

show brm<n> privacy status
set brm<n> privacy {enabled|disabled}
These commands let you manage privacy (encryption and authentication
mechanisms) for a backhaul radio.

June 30, 2006 Confidential Page 70 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Wireless Security

Example 1
/# cd radio
/radio# show brm1 privacy status
enabled

Example 2
/# cd radio
/radio# set brm1 privacy enabled

Controlling By default, wireless clients associated to an access radio can communicate to

one another (assuming they are able to determine the IP addresses of their
Inter-client peer wireless clients).
Communication
For security reasons in a public network environment, it may be desirable to
block inter-client communications.
CAUTION! Provisioning the inter-client communication control can affect the wireless
clients associated with all the SSIDs of that BelAir100 unit.
To prevent communications between associated wireless clients and still allow
them to connect to the Internet, you need to:
1 Determine the MAC address of the Internet gateway(s) or router(s) in your
network.
2 Disable wireless bridging for each of the access radios in your network.
3 Disable inter-AP wireless client communications:
a Add the previously determined gateway MAC address or addresses to the
access radio’s white list. This allows wireless clients to communicate with
the Internet. The white list typically contains the MAC address of the
gateway interfaces.
b Enable secure port mode for each of the access radios in your network.
If your unit contains a radio with part numbers B2CC011AA, B2CC011AB,
B2CC043AA or B2CC033AA, then you can control inter-client communication
individually for each SSID configured on that access radio. Use the /system/
show phyinv command to display the radio’s part number.
Determining the MAC Determining the MAC address of your Internet gateway(s) depends on the type
Address of the Internet of equipment you are using. Refer to your equipment’s User Manual for the
gateway specific details.
You will need the MAC address of your gateways later to provision the white
list of the access radios configured in secure port mode.

June 30, 2006 Confidential Page 71 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Wireless Security

Disabling or Enabling show arm<n> wireless-bridge [ssidx <ssid_index>]

Access Radio Wireless set arm<n> wireless-bridge {enabled|disabled}
Bridging [ssidx <ssid_index>]
These commands let you manage wireless bridging.
The [ssidx <ssid_index>] parameter applies only if your unit contains a radio
with part numbers B2CC011AA, B2CC011AB, B2CC043AA or B2CC033AA.
(Use the /system/show phyinv command to display the radio’s part number.)
The ssid_index parameter must be a valid SSID index. The default value is 1.
Disabling the wireless bridging for an access radio prevents wireless clients
associated to that particular access radio from communicate with one another.
It does not prevent a wireless client associated with one access radio
(ARM “A”) from communicating with a wireless client associated with another
access radio (ARM “B”). The secure port mode prevents this.
By default, wireless bridging is enabled.

Example 1
/# cd radio
/radio# show arm1 wireless-bridge
enabled

Example 2
/# cd radio
/radio# set arm1 wireless-bridge disabled

Disabling Inter-AP Disabling inter-AP wireless client communications involves setting up an access
Wireless Client radio white list and secure port mode for each access radio.
Communication
Managing the Access Radio White List
show arm<n> secure-mac-addresses [ssidx <ssid_index>]
add arm<n> secure-mac-address <mac address> [ssidx <ssid_index>]
del arm<n> secure-mac-address <mac address> [ssidx <ssid_index>]
These commands let you manage an access radio’s white list.
The [ssidx <ssid_index>] parameter applies only if your unit contains a radio
with part numbers B2CC011AA, B2CC011AB, B2CC043AA or B2CC033AA.
(Use the /system/show phyinv command to display the radio’s part number.)
The ssid_index parameter must be a valid SSID index. The default value is 1.
When configured in secure port mode, the access radio forwards to the
associated wireless clients only those Layer 2 (Ethernet) frames for which the

June 30, 2006 Confidential Page 72 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Wireless Security

source MAC address matches one of the MAC addresses in its white list. The
white list can contain up to 32 MAC addresses.
In effect, while in this mode the access radio acts as a firewall for all Layer 2
frames arriving from inside the network for the wireless clients. The access
radio white list should only contain the MAC addresses of the gateway
interfaces. Thus, wireless clients associated to other access radios in the
network are prevented from communicating with locally associated clients.
Note: The white list is different from the access control list for wireless
clients. An access control list lets only certain wireless clients associate
with an access radio. The white list controls data forwarding to the
wireless clients from remote entities in the network.
The content of the white list takes effect only when the access radio secure
port mode is enabled.

Example
/# cd radio
/radio# add arm1 secure-mac-address 00:0d:c7:a0:11:23

Managing the Access Radio Secure Port Mode

show arm<n> secure-port [ssidx <ssid_index>]
set arm<n> secure-port {enabled|disabled} [ssidx <ssid_index>]
These commands let you manage access radio secure port mode.
The [ssidx <ssid_index>] parameter applies only if your unit contains a radio
with part numbers B2CC011AA, B2CC011AB, B2CC043AA or B2CC033AA.
(Use the /system/show phyinv command to display the radio’s part number.)
The ssid_index parameter must be a valid SSID index. The default value is 1.
To prevent wireless clients associated with different access radios from
communicating with each other, you must enable the secure port mode on each
of the access radios in your network.
By default, the secure port mode is disabled.
Note: Typically, you provision the white list before enabling the secure port
mode. This ensures that wireless clients that are already associated do
not lose their connection to the Internet.

Example 1
/# cd radio
/radio# show arm1 secure-port
disabled

June 30, 2006 Confidential Page 73 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Wireless Security

Example 2
/# cd radio
/radio# set arm1 secure-port enabled

Detecting Rogue Rogue access points may be installed on a corporate network by employees
using low-cost equipment they purchased themselves. The rogue access points
Access Points are often installed inside the corporate firewall with even the most basic
security settings disabled, thus creating the potential for network security
breaches. A rogue device may also be connected to a totally separate wired
network that happens to be near corporate facilities but is still accessible to
client devices within the enterprise.
For public networks, numerous Wi-Fi networks may exist “underneath” the
public network, being in or near the coverage area.
In some cases, a rogue access point may present a security concern. In all cases,
rogue access points are a source of interference and capacity degradation for
the network being deployed.
The following commands assist you in detecting unauthorized “rogue” wireless
access points:
show arm<n> rogue-ap
show brm<n> rf_survey
These commands display several information items for every access point
“visible” to a BelAir100’s radio using a particular channel. The displayed
information can help you identify and locate rogue access points. The displayed
information includes the following information about the detected access
points:
• the access point’s MAC address
• the channel number it is using
• its SSID
• the Remote Signal Strength Indication (RSSI) of the link in dBm
• the age of the association (number of seconds since last signal was received
from the MAC address)
• the BSS configuration type, either infra (for infrastructure) or adhoc
• whether privacy is enabled or not
Note: This command may not detect rogue access points that use a channel
that is different than the radio’s channel. You can choose to change the
radio’s channel and repeat this command to detect all possible rogue
access points. However, changing a radio’s channel is service affecting

June 30, 2006 Confidential Page 74 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Wireless Security

and could disrupt client access. See “Channel Number” on page 37 for
the command to changing a radio’s channel.

Example
cd /radio
/radio# show arm1 rogue-ap
MAC CH RSSI(dBm) AGE(s) BSSTYPE PRIVACY SSID
------------------ -- --------- ------ ------- ------- ----------
00:0d:67:00:03:e1 1 -61 2 infra yes abc_ltd
00:0d:67:00:02:fe 4 -52 3 infra yes abc_ltd
00:07:85:B3:73:94 6 -90 11 infra no tsunami
00:0d:67:00:00:93 8 -65 0 infra yes abc_ltd
01:0d:67:00:01:21 11 -45 0 infra yes abc_ltd

In the previous example, four of the devices visible to the access radio have
SSIDs abc_ltd indicating the network being deployed with BelAir equipment. A
fifth device has an SSID tsunami, indicating a potential rogue access point. By
examining the MAC address, you can interpret that the rogue is a Cisco access
point. The rogue is transmitting on (the usual default) channel 6 with no
encryption and has a fairly low RSSI. This rogue is located within the field of
view of the BelAir100 that is performing the rogue query. The rogue likely
interferes most with the BelAir nodes for ABC Ltd deployed on channels 4
and 8.

June 30, 2006 Confidential Page 75 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Managing Access Radio SSIDs

Managing Access Radio SSIDs

Each access radio supports up to 16 SSIDs. If associated clients use different
SSIDs, then the BelAir100 can use the SSID to direct traffic to different VLANs.
You can also enable a Basic SSID (BSSID) for up to eight SSIDs. The BSSID has
the same format at a MAC address. By enabling a BSSID, you are effectively
creating a virtual AP for the associated clients that use that SSID.
Note: To maximize multipoint-to-multipoint mesh performance, BelAir
Networks recommends that you do not enable BSSIDs on BelAir50C
and BelAir50S platforms.
To manage client association, the access radio periodically emits a beacon
dataframe. The following SSID types are available, based on their effect on the
beacon dataframe:
• A public SSID means that the SSID information element is present in the
beacon dataframe, has a length and a value.
• A private SSID means that there is no beacon dataframe. Instead, the
association is managed through a client’s probe and response dataframe
session.
SSID 1 is usually a public SSID, but its behavior can be configured. All other
SSIDs are always private. SSID 1 also always has an enabled BSSID.
Finally, you can use the commands described in this chapter to map an SSID to
a VLAN.

Adding or set arm<n> ssid <ssid_string>

[ssidx <ssid_index>] [vlan <vlan_ID>]
Modifying an SSID set arm<n> ssid <ssid_string> {normal|suppress|broadcast}
[ssidx <ssid_index>] [vlan <vlan_ID>]
These commands add or modify the access radio SSID with the given index
number.
The ssid_string parameter is the SSID setting. SSIDs are case sensitive and can
contain up to 32 alphanumeric characters.
The ssid_index parameter is an integer from 1 to 16. The default value is 1.
The vlan_id parameter, if present, specifies that traffic for all wireless clients
associated to the BelAir100 unit with the given SSID be directed to the
specified VLAN. The VLAN ID is an integer from 1 to 2815. If no VLAN is
specified, traffic from the wireless clients corresponding to that SSID is passed
through the access radio without change.

June 30, 2006 Confidential Page 76 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Managing Access Radio SSIDs

CAUTION! Before using this command on a BelAir100, you must configure the BelAir200
VLAN subsystems with the same VLAN ID as specified by this command. Refer
to the BelAir200 User Guide for instructions on configuring VLAN subsystems.
All traffic from the specified client is discarded by the BelAir200 if the mapped
VLAN is not previously configured.
The normal, broadcast or suppressed setting applies only to SSID 1. SSIDs 2 to
16 can only be suppressed.
Note: Configuring multiple normal or broadcast SSIDs increases the number
of beacon data frames sent by the unit.
For all access radios except those with part numbers B2CC000AA or
B2CC000AB:
• The normal setting is the default for SSID 1. The normal SSID type is the
same as broadcast.
• A broadcast setting means that the access radio does respond to a
broadcast probe request and that SSID information element is present in the
beacon dataframe.
Note: Because normal and broadcast are considered the same, any display
of the SSID type shows normal.
• A suppress setting means that the access radio does not respond to a
broadcast probe request and that SSID information element is present in the
beacon dataframe, but has a length of 0 and a null value.
If you have a radio with part number B2CC000AA or B2CC000AB:
• The normal setting is the default for SSID1 and means the SSID type is
neither suppressed nor broadcast.
• A broadcast setting means that the access radio does respond to a
broadcast probe request and that SSID information element is present in the
beacon dataframe, but has a length of 0 and a null value.
• A suppress setting means that the access radio does not respond to a
broadcast probe request and that the SSID information element is removed
from the beacon dataframe.
Note 1: The set arm<n> ssid <ssid_string> command sets the value of SSID 1
without mapping it to a VLAN.
Note 2: After you set or change an SSID for the access radio, BelAir Networks
recommends that you save your configuration and reboot it. Rebooting
the access radio will disrupt access traffic for approximately
20 seconds.

June 30, 2006 Confidential Page 77 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Managing Access Radio SSIDs

Managing Basic set arm<n> mbssid [ssidx <ssid_index>] {enabled|disabled}

SSIDs show arm<n> mbssid

These commands apply to all access radios except those with part numbers
B2CC000AA or B2CC000AB. Use the /system/show phyinv command to
display the radio’s part number.
These commands enable or disable a BSSID for a particular access radio SSID.
The ssid_string parameter is an integer from 1 to 16. The default value is 1.
The BSSID is automatically generated and has the same format at a MAC
address. The BSSID for SSID 1 is the primary BSSID and cannot be disabled.
The primary BSSID is usually the unit’s MAC address.
Additional BSSIDs are usually generated based on data embedded on the radio
during manufacturing. If the embedded data is unavailable, then the additional
BSSID are generated by incrementing the third least significant byte of the
primary BSSID. For example, if the primary BSSID is 00:0D:67:00:12:34, then
the second BSSID is 00:0D:67:01:12:34 and the third BSSID is
00:0D:67:02:12:34.

Configuring a Suppressed SSID with a BSSID

Do the following steps:
1 If necessary, configure the SSID with the following command:
set arm<n> ssid <ssid_string>
[ssidx <ssid_index>] [vlan <vlan_ID>]
2 Enable the BSSID with the following command:
set arm<n> mbssid [ssidx <ssid_index>] enabled
This command automatically sets the SSID to normal.
3 Change the SSID to suppressed with the following command:
set arm<n> ssid <ssid_string> suppress
[ssidx <ssid_index>] [vlan <vlan_ID>]

Deleting a SSID del arm<n> ssid ssidx <ssid_index>

<ssid_index> is an integer from 1 to 16. The default value is 1.
Note: SSID 1 cannot be deleted.

Displaying the List show arm<n> ssid

of Available SSIDs Example

cd /radio
/radio# show arm1 ssid
id vlan type ssid

June 30, 2006 Confidential Page 78 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Managing Access Radio SSIDs

-- ---- ---- ----

1 100 normal BelAir_1
2 300 normal BelAir_2
3 - normal BelAir_3

Displaying the List show arm<n> client associated [ssidx <ssid_index>]

of Associated This command displays the list of associated wireless clients for a given SSID. If
no SSID is specified, the displayed list shows all associated clients and their
Clients for a SSID.
Given Access
The ssid_index parameter must be a valid SSID index. The default value is 1.
Radio SSID
Table 8 explains the various fields in the resultant output.

Table 8: Output Field Descriptions

Field Description

IP Client's IP address. (s) indicates static IP addressing

identity 802.1X client identity. Present for dot1x or WPA SSIDs
auth Authentication state of the client
unauth default or initial state
auth client is authorized for Open or WEP privacy
eapAuth client is authorized for dot1x, WPA1 or WPA2
privacy
pskErr Possible wrong WPAPSK key configured on client
radto For dot1x, WPA1 or WPA2. Problems connecting to
radius server, possibly because of a network problem.
cltto For dot1x, WPA1 or WPA2. Problems sending EAP
packets to client.

June 30, 2006 Confidential Page 79 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Managing Access Radio SSIDs

Table 8: Output Field Descriptions (Continued)

Field Description
dhcp Client DHCP state (applicable only if client uses dynamic IP addressing)

init Client has just connected and has not yet started a DHCP
sequence

disc Client has sent a DHCP Discover message and is waiting for a
DHCP Offer message to get its IP address.
(Applicable only if client does not already have a valid IP address.
Otherwise client sends DHCP Request message.)

offer Server has responded to the DHCP Discover message with a

DHCP Offer message. This packet tells the client its IP address.
The client should then send a DHCP Request message to verify
the IP address.

req Client has sent the DHCP Request message to the server and is
waiting for a a DHCP Ack message to confirm the assigned IP
address.

decl Server has declined the client’s DHCP request. Verify the server
settings.

ack Client has sent a DHCP Request message and the server has
confirmed the assigned IP address.
(Considered a DHCP complete state.)

nack Server has responded to the client’s DHCP request with a DHCP
Nack message. Verify the server settings.

relse Client has sent a DHCP Release message.

inform Client has sent a DHCP Inform message. Depending on the

server, the server may respond with a DHCP Ack message.
(Considered a DHCP complete state.)

arpRes Client has gone through one of the DHCP state transitions and
replied to an ARP request for its IP address.
(Considered a DHCP complete state.)

Depending on the server configuration, if a client moves to a different subnet, it

may need to timeout the current IP address (approx. 30 seconds) and then
restart the DHCP sequence. During this process the client may use the
standard default IP address for Microsoft Windows (169.254.X.X).

June 30, 2006 Confidential Page 80 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Managing Access Radio SSIDs

Example
/# cd radio
/radio# show arm1 client associated
Total associated clients : 2

id ss vlan mac addr IP identity rssi auth dhcp

--- -- ---- ----------------- ------------------ ---------- ---- ------- ------
12 2 500 00:0D:88:EF:B2:3D 10.1.50.108 mrussell -61 eapAuth arpRes
11 2 500 00:0D:88:EF:B2:3E 10.1.60.108(s) anonymous -62 eapAuth arpRes

June 30, 2006 Confidential Page 81 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Layer 2 Network Configuration

Layer 2 Network Configuration

The BelAir100 behaves as a layer 2 switch and transparent bridge without the
need to configure any software features. However, to control and manage the
traffic inherent in a bridge (for example, broadcast and flooding), you can
invoke layer 2 features, such as Virtual LANs (VLANs), that divide traffic among
several sets of users and restrict broadcast to the respective VLANs.
In addition you can create layer 2 tunnels between a BelAir100 and one or
more gateway routers to a core network.
See the following sections for a description of these layer 2 features:
• “BelAir100 Layer 2 Switch Port Assignment” on page 82
• “Using Layer 2 Bridging” on page 82
• “Using Virtual LANs” on page 83
• “Managing Egress Node Traffic” on page 85
• “Using Layer 2 Tunnels” on page 87

BelAir100 Layer 2 The following command displays the port assignment and status of the layer 2
switch:
Switch Port
Assignment show interface config all

Example
/# show interface config all
Index Name Module IfaceType MTU AdminStat OperStat EncapType
----------------------------------------------------------------------------
Physical:
----------------------------------------------------------------------------
1 eth0 ARM 802.11 1500 Up Up Ethernet V2
2 eth1 BRM1 802.11 1500 Up Up Ethernet V2
5 eth4 LIM ENET 1500 Up Up Ethernet V2
----------------------------------------------------------------------------
Logical:
----------------------------------------------------------------------------
9 default Logical L3IPVLAN 1500 Up Up Ethernet V2
10 vlan44 Logical L3IPVLAN 1500 Up Up Ethernet V2
11 vlan4 Logical L3IPVLAN 1500 Up Up Ethernet V2

Note that the logical interface named default corresponds to the unit
management interface. Typically, you should never disable this interface.

Using Layer 2 The BelAir100 behaves as a layer 2 switch and transparent bridge where the
traffic from any port can be switched to any other port.
Bridging

June 30, 2006 Confidential Page 82 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Layer 2 Network Configuration

There are no CLI commands for the BelAir100 bridge functions.

Note: Clients that associate with the BelAir100 are not allowed to operate as
a bridge. This is to prevent issues associated with network loops. The
BelAir100 will automatically disassociate without warning from any
client that is detected as behaving as a bridge; that is, sending
spanning-tree BPDUs. However, clients are allowed to operate as
router to allow features such as sharing a wireless Internet connection.
For this type of operation, BelAir Networks recommends that the
computer with the wireless connection to the BelAir100 have its
operating system configured to act as a router. For example, Microsoft
Windows XP offers the Internet Sharing function.

Using Virtual A virtual LAN (VLAN) refers to a group of devices that communicate with each
other as if they were on the same physical LAN. VLANs have the following
LANs benefits:
• You can control traffic by excluding broadcast traffic from the VLAN, and
including only those devices that must communicate with each other
• You can provide security by forcing traffic between VLANs through a routing
device.
For the BelAir100, an unlimited number of VLANs can be created for client
traffic. Up to four management VLANs can be configured. VLANs can be
implemented based on client SSID, as described in “Managing Access Radio
SSIDs” on page 76.
CAUTION! Before assigning client SSID traffic to a VLAN on a BelAir100, you must
configure a BelAir200 VLAN subsystem with the same VLAN ID as specified on
the BelAir100. All traffic from the specified client is discarded by the BelAir200
if the mapped VLAN is not previously configured.
Data packets from the client are tagged for the appropriate VLAN by the access
radio. If the client traffic is bridged to a port with a backhaul radio that sends
the traffic to a BelAir200, then the BelAir200 segregates the traffic onto the
appropriate VLAN based on the tag. If the client traffic is bridged to the LPM
port, then the LPM sends the traffic onto the Ethernet connection without
removing the tag. This is different than the case of the BelAir200, where you
can choose to have the tag removed before the traffic is sent onto the Ethernet
connection.

June 30, 2006 Confidential Page 83 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Layer 2 Network Configuration

Configuring the IP You can set the IP address associated with a VLAN with the following
Address of a VLAN commands:
cd /ip
/ip# ip config set <ip address> netmask <subnet mask> vlan <1-2815>

or
cd /ip
/ip# ip config dynamic vlan <1-2815>

The ip config set command configures a static IP address. If you use the ip config
dynamic command, a Dynamic Host Configuration Protocol (DHCP) server
provides the IP address. If the specified VLAN does not previously exist, then it
is created.
CAUTION! If you create a new VLAN with this command, then, you must configure a
BelAir200 VLAN subsystem with the same VLAN ID as specified on the
BelAir100. All traffic from the specified client is discarded by the BelAir200 if
the mapped VLAN is not previously configured.
Note: DHCP servers usually have the ability to assign a default route to
DHCP clients. BelAir Networks recommends that you configure your
DHCP server to not supply any default routes. This avoids the
possibility of the DHCP server providing two different default routes to
two different IP interfaces on the same BelAir platform (for example, a
management IP interface and a VLAN IP interface). To configure a
default route, use instead the ip route add command available while in
ip mode.
If you use a DHCP server, you can use the following command to renew the IP
address:
cd /ip
/ip# ip config vlan <1-2815> renew-ip

You can remove a previously created VLAN with the following command:
cd /ip
/ip# ip config del vlan <1-2815>

You can display the current VLAN IP settings with the following command:
cd /
/# show ip config [vlan <1-2815>]

If you do not specify a VLAN, then information is displayed about all VLANs.

June 30, 2006 Confidential Page 84 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Layer 2 Network Configuration

Example
cd /
/# show ip config

Vlan Address Netmask Broadcast Alloc_Type

----- --------------- --------------- --------------- ------------
101 10.10.1.1 255.255.255.0 10.10.1.255 static
107 142.168.2.240 255.255.255.0 142.168.255.255 dynamic
108 18.18.1.1 255.255.255.0 18.18.1.255 static
132 132.168.2.239 255.255.255.0 132.168.255.255 dynamic

Managing Egress In a BelAir network, the LPM port of a node can act as an egress point for the
backhaul traffic of many other nodes. The other nodes may be connected to
Node Traffic the egress node through point-to-point, point-to-multipoint or
multipoint-to-multipoint links.

VLAN Conversion show egress pvid

set egress pvid {<vlan_id>|untagged}
To use these commands, you must be in system mode.
The set command is only available if you are logged in as root.
These commands let you convert the VLAN tagging of traffic entering or
leaving the LPM port of an egress node. If you specify a VLAN ID, untagged
VLAN packets coming from the LPM port of an egress node are converted to
tagged packets with the specified VLAN ID. Similarly, packets that are tagged
with the specified VLAN ID are sent to the LPM port of the egress node as
untagged VLAN packets.
If you specify the keyword untagged instead of VLAN ID, then packets are not
converted as they enter or leave the LPM port of the egress node. The default
setting is untagged.

VLAN Filtering show egress

add egress vlan {<vlan_id>|untagged}
delete egress vlan {<vlan_id>|untagged}
To use these commands, you must be in system mode.
The add and delete commands are only available if you are logged in as root.
You can create a list containing up to four VLAN IDs to control which traffic
enters or leaves the LPM port of an egress node. Only packets that are tagged
with a VLAN ID in the list are allowed to enter or leave the LPM port of the
egress node.

June 30, 2006 Confidential Page 85 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Layer 2 Network Configuration

These commands let you manage list of VLAN IDs. By default, the list is empty
meaning that all traffic is allowed to enter or leave the LPM port of the egress
node. If you add a VLAN ID to the list, then only traffic belonging to that VLAN
can enter or leave the LPLM port of the egress node. If you add the keyword
untagged to the list, then only untagged traffic can enter or leave the LPLM port
of the egress node.

June 30, 2006 Confidential Page 86 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Using Layer 2 Tunnels

Using Layer 2 Tunnels

Layer 2 tunnels use the Layer 2 Tunneling Protocol (L2TP), version 2, to provide
the following benefits:
• provides a bi-directional communication path between the BelAir100 and a
central router. The path is unaffected by the size, topology and complexity
of the layer 2 and layer 3 access network between them.
• ensures efficient handling of mobile client MAC addresses, especially for
customers using DOCSIS technology in their access network
Figure 5 shows how wireless mobility is implemented with L2TP. When a
wireless client transmits an 802.11 frame, the BelAir Access Point (AP)
converts it to an Ethernet frame with VLAN information, encapsulates it within
an IP packet and then sends the packet to a Tunnel End Point (TEP). The TEP is
usually part of a network central router. The BelAir implementation of Layer 2
tunnels currently operates with a Cisco 7200 router or equivalent.
Figure 5: Wireless Mobility using L2TP
Mobile wireless client
device going from BelAir Access Points (APs)
one AP to another

BelAir Access Points (APs)

June 30, 2006 Confidential Page 87 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Using Layer 2 Tunnels

The TEP strips off the encapsulation data to reveal the original Ethernet frame
exactly as sent by the AP. The TEP delivers the Ethernet frame to a
VLAN-aware Ethernet switch. The switch applies normal Ethernet forwarding
rules to send it to a gateway router with one router port per subnet. The
gateway router switches the Ethernet frame to the appropriate outgoing router
port.
For packets moving in the other direction to the wireless client, the gateway
router applies to IP traffic an Ethernet header with the client’s MAC address as
the destination. The VLAN switch forwards this packet to the interface on
which it last saw the client’s MAC address, which is the interface connected to
the tunnel. The TEP receives the frame and encapsulates it in an IP packet.
When the AP receives the packet it strips off the encapsulation data, converts
the resulting Ethernet frame to an 802.11frame, and then transmits it to the
wireless client.
When a mobile wireless client moves to a new AP, its traffic travels through a
different Layer 2 tunnel. The traffic is encapsulated and sent to TEP as before.
The VLAN-aware Ethernet switch then updates its MAC address table as
required with the information for the wireless client’s new AP. Any subsequent
frames sent to the wireless client are then forwarded to the new AP.
Each BelAir AP can have up to five tunnels to one or more TEPs. The end
points of a layer 2 tunnel are identified by their IP addresses. The IP address of
the BelAir tunnel end point can be the IP address of the unit’s management
interface, or any IP address associated with a VLAN. The BelAir IP addresses
can be set manually or through the Dynamic Host Configuration Protocol
(DHCP).
Each tunnel can carry traffic belonging to any group of configured VLANs.

Configuring the The following tasks can be done:

BelAir Node for • “Displaying Tunnel Configuration and Status” on page 89
Layer 2 Tunneling • “Starting and Stopping Layer 2 Tunneling” on page 89
• “Adding and Removing Layer 2 Tunnels” on page 89
• “Mapping User Traffic” on page 90
Layer 2 tunnel CLI commands are available in system mode.

June 30, 2006 Confidential Page 88 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Using Layer 2 Tunnels

Displaying Tunnel show tunnels

Configuration and This command displays the current tunnel configuration and status.
Status
Example
cd /system
/system# show tunnels
Tunnel server is running, IP address 10.1.1.33

Num Remote IP Name Stat

===== ================ ==================== ====

1 10.1.1.2 bridge2 UP
2 10.1.1.2 bridge1 UP
VLAN map: 1500
3 N/C
4 N/C
5 N/C

Starting and Stopping tunnel start [interface-vlan <VLAN_ID>] mode [local|egress]

Layer 2 Tunneling tunnel stop
The tunnel start command begins tunneling operation. If the VLAN interface is
not specified, the unit’s management IP address is used to identify the local
tunnel end point. IP addresses may be manually configured or obtained by
DHCP.
If a VLAN interface is specified, it must be previously configured. Refer to
“Using Virtual LANs” on page 83.
The mode parameter is used when the unit is connected to other units through
backhaul links. In this case, you may want the unit to act as an egress point and
put access traffic from itself and the other nodes into the tunnel. Use local
mode when the BelAir unit puts only its own access traffic into the tunnel. Use
egress mode when the BelAir unit puts its own access traffic and that of many
other units into the tunnel.
The tunnel stop command stops all tunnel forwarding.

Adding and Removing tunnel add <index> ip <peer_IP_address> name <stn_name>

Layer 2 Tunnels tunnel del <index>
The tunnel add command creates a new tunnel to be terminated at the
specified peer IP address, which is usually the network central router. You can

June 30, 2006 Confidential Page 89 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Using Layer 2 Tunnels

create multiple tunnels to the same peer or to different peers. Each tunnel
carries just one L2TP session.
The <index> parameter is used for easy reference when using other
commands. It can be displayed with the show tunnels command.
The <stn_name> parameter can be any series of 18 alphanumeric ASCII
characters. L2TP protocol provides the <stn_name> parameter to the other
end point so it can identify different tunnels coming from the same IP address.
The tunnel del command removes the specified tunnel. After using this
command, user data mapped to this tunnel is dropped instead of forwarded.

Mapping User Traffic tunnel map-vlan [untagged|<VLAN ID>] to <index>

tunnel unmap-vlan [untagged|<VLAN ID>]
The tunnel map-vlan command instructs the node to forward traffic to the
specified tunnel. You can specify either traffic associated with a specific VLAN
or traffic that is not tagged for any VLAN. All packets that meet this criteria
received by any of the node’s radios are forwarded through the tunnel. If the
tunnel is not configured or not active, all corresponding packets are dropped.
If you specify untagged traffic, then the tunnel interface itself must be associated
with a VLAN. Refer to “Starting and Stopping Layer 2 Tunneling” on page 89.
The tunnel unmap-vlan command removes the tunnel mapping entry. After this
command, the specified packets are then forwarded as if the tunnel does not
exist.

Configuring the The specific configuration tasks and commands for the network central router
vary, depending on the type of router that is installed.
Network Central
Router for Refer to the Tunnel Mobility Application Note, available at
www.support.belairnetworks.com for guidance on configuring the Cisco 7200
Layer 2 Tunneling router.

June 30, 2006 Confidential Page 90 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Quality of Service Settings

Quality of Service Settings

BelAir nodes work in conjunction with one another to allow you to separate
and prioritize traffic. Each BelAir200 node can inspect incoming traffic and
prioritize traffic into four priority queues.
The commands described in this section apply strictly to the BelAir unit that
you are currently logged on to. You must repeat them on each related BelAir
unit. For example, when specifying that particular VLAN traffic has a particular
priority, you must execute the associated commands on each possible BelAir
unit in the path of that VLAN.

Prioritization Each BelAir node supports four traffic priority queues, numbered 0 to 3.
Queue 3 has the highest priority while queue 0 has the lowest priority. Table 9
describes each queue.

Table 9: Traffic Priority Queues

Queue
Description
Number

0 Background traffic
1 Best effort traffic

Use this queue for traffic that does not require QoS features,
such as most data traffic
2 Video traffic

Use this queue for high priority traffic such as video or “gold
service” customer traffic

Note: Mesh cluster control traffic also uses priority queue 2.

3 Voice traffic

Use this queue for SVP or other voice applications

All traffic that is not associated to a VLAN has priority 1. This means that until
you create VLANs, all traffic has priority 1.

June 30, 2006 Confidential Page 91 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Quality of Service Settings

Once VLANs have been created, you configure the node traffic to have different
priorities based on User Priority bits (0 to 7) or VLAN IDs.

Prioritizing Traffic map up <0-7> to queue <0-3>

Based on User To use this command, you must be in qos mode.

Priority Bits This command instructs the BelAir100 to process packets with the specified
User Priority value, regardless of the VLAN ID, to the specified priority queue.
Note: Settings made with the map vlan command have precedence over
settings made with this command.
Table 10 shows how User Priority values are processed to priority queues by
default.
Table 10: User Priority Value to Priority Queue Processing

User Priority Value Priority Queue to which it is processed

0 1
1 0
2 0
3 1
4 2
5 2
6 3
7 3

To unmap a previously set priority, use the map up command to map that
priority back to the default priority queue as shown in Table 10.

Prioritizing Traffic map vlan id <1-2815> to queue <0-3>

using VLAN IDs no map vlan id <1-2815>

To use these commands, you must be in qos mode.

June 30, 2006 Confidential Page 92 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Quality of Service Settings

The map vlan command instructs the BelAir100 to process packets from the
specified VLAN to the specified priority queue. The no map vlan id command
removes a VLAN ID to priority map.
Note: Settings made with this command have precedence over settings made
with the map up command.

Enabling or set arm<n> wmm {enable|disable}

Disabling To use these commands you must be in radio mode.

Wireless Wireless Multi-media is normally enabled. When enabled, the access point
Multi-media communicates with a WMM enabled wireless client using WMM features as
described in “Managing the QoS Priority Scheme” on page 93 and “Managing
the QoS Mapping Scheme” on page 93.
When disabled, the access point ignores requests for WMM communications
from wireless clients and instead uses traditional non-WMM features to
communicate with them.

Managing the QoS set {arm<n>|brm<n>} qosschedule {edca|spq|lspq}

Priority Scheme show {arm<n>|brm<n>} qosschedule
To use these commands, you must be in radio mode.
These commands apply only if your unit contains a radio with part numbers
B2CC011AA, B2CC011AB, B2CC043AA or B2CC033AA. (Use the /system/
show phyinv command to display the radio’s part number.)
The show command displays the current QoS priority setting.
The set command let you decide which priority setting to use.
Selecting edca means that the BelAir node uses Enhanced Distributed Channel
Access (EDCA) priority queuing., including support for transmit opportunities
(TXOP). EDCA and TXOP are part of the Wi-Fi Multimedia (WMM)
specification. Selecting spq means that the BelAir node uses strict priority
queueing. Selecting lspq means that the BelAir node uses legacy strict priority
queueing.
By default, QoS priority scheme is edca.

Managing the QoS set {arm<n>|brm<n>} qosmapping {up|dscp|both}

Mapping Scheme show {arm<n>|brm<n>} qosmapping
To use these commands, you must be in radio mode.

June 30, 2006 Confidential Page 93 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Quality of Service Settings

These commands apply only if your unit contains a radio with part numbers
B2CC011AA, B2CC011AB, B2CC043AA or B2CC033AA. (Use the /system/
show phyinv command to display the radio’s part number.)
The show command displays the current QoS mapping setting.
The set command let you decide how traffic is processed to the four BelAir
priority queues depending on the values of the User Priority (UP) field or the
Differentiated Services Code Point (DSCP) field in the client traffic fields.
Selecting up means that traffic is sent to the four BelAir priority queues based
on the UP field value. Selecting dscp means that traffic is sent to the four BelAir
priority queues based on the DSCP field value. Selecting both means that traffic
is sent to the four BelAir priority queues based on the highest priority value of
either the UP field or the DSCP field. By default, QoS mapping is set to both.
Table 11 shows the mapping of the UP value and the DSCP value to the priority
queue.
Table 11: UP and DSCP Value to Priority Queue Processing

UP Value DSCP Value Priority Queue to which it is processed

0 0 (0x0) 1
1 32 (0x20) 0
2 64 (0x40) 0
3 96 (0x60) 1
4 128 (0x80) 2
5 160 (0xA0) 2
6 192 (0xC0) 3
7 224 (0xE0) 3

Resetting the QoS set qos default

Configuration To use this command, you must be in qos mode.

This command returns the QoS configuration to factory default settings.
User Priority prioritizing returns to the default settings shown in Table 10 on
page 92.

June 30, 2006 Confidential Page 94 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Quality of Service Settings

Resetting the QoS set vlan id <1-2815> qos default

Configuration for To use this command, you must be in qos mode.
a VLAN This command resets any QoS configuration made for a particular VLAN. After
this command is executed, the packets with the specified VLAN ID are no
longer prioritized and are transmitted transparently.

Displaying a show qos config

Summary of QoS To use this command, you must be in qos mode.

Settings This command displays a summary of all current QOS settings, including:
• the Spectralink Voice Priority (SVP) classification settings, if applicable
• how User Priority bits are currently mapped to the priority queues

Example
cd /qos
/qos# show qos config

Qos Global Configuration

------------------------
Qos Status : Enabled
SVP Status : Enabled

Qos Global UP to Queue Mapping

---------------------------------
UP Value : 0 -- Queue : 1
UP Value : 1 -- Queue : 0
UP Value : 2 -- Queue : 0
UP Value : 3 -- Queue : 1
UP Value : 4 -- Queue : 2
UP Value : 5 -- Queue : 2
UP Value : 6 -- Queue : 3
UP Value : 7 -- Queue : 3

Displaying the show vlan {all|vlan id <1-2815>} qos config

VLAN QoS To use this command, you must be in qos mode.

Settings The show vlan qos config command displays a summary of the QoS settings
that are based on VLAN IDs. See “Prioritizing Traffic using VLAN IDs” on
page 92.

Example
cd /qos
/qos# show vlan id 100 qos config

June 30, 2006 Confidential Page 95 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Quality of Service Settings

Qos Vlan Id Configuration

------------------------
Vlan Id : 100
Vlan Qos Status : Enabled
User Priority : 4
Queue Map : 3

Displaying the show qos user priority map

Prioritization To use this command, you must be in qos mode.

Settings The show qos user priority map command displays how User Priority bits are
currently mapped to the priority queues.

Example
cd /qos
/qos# show qos user priority map
Qos Global UP to Queue Mapping
---------------------------------
UP Value : 0 -- Queue : 0
UP Value : 1 -- Queue : 1
UP Value : 2 -- Queue : 1
UP Value : 3 -- Queue : 1
UP Value : 4 -- Queue : 1
UP Value : 5 -- Queue : 1
UP Value : 6 -- Queue : 2
UP Value : 7 -- Queue : 3

June 30, 2006 Confidential Page 96 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide BelAir100 Statistics

BelAir100 Statistics
The BelAir100 collects a large number of statistical information which can help
you determine the state of your wireless network, as well as pinpoint any
potential source of troubles (as, for instance, congested links or repeated
attempts to gain unauthorized access to the network).
This section summarizes BelAir100 radio statistics. For further details, refer to
the BelAir100 Radio Command Line Interface Guide.

Radio Statistics
Wireless show {arm<n>|brm<n>} mac statistics
Communication This command displays the MAC statistics of a backhaul radio or an access
Statistics
radio.

Example
/# cd radio
/radio# show arm1 mac statistics
transmit fragment count : 627
multicast transmit fragment count : 203
failed count : 1552
retry count : 0
multiple retry count : 424
frame duplicate count : 0
rts success count : 0
rts failure count : 0
ack failure count : 1552
received fragment count : 0
multicast received fragment count : 0
fcs error count : 762
transmit frame count : 424
received frame count : 0
wep undecryptable count : 0

Wireless Security show {arm<n>|brm<n>} privacy statistics

Statistics This command displays a summary of the privacy statistics of a radio.

Example
/# cd radio
/radio# show arm1 privacy statistics
xmit rejected : 0
plain rejected : 0
encrypted rejected : 0
nokey rejected : 0

June 30, 2006 Confidential Page 97 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Performing a Software Upgrade

Performing a Software Upgrade

This section instructs you how to upgrade a BelAir100 unit by downloading a
new software load from a remote server. The procedures in this section
assume the following:
• You have connected to the BelAir100.
• You have started a Command Line Interface (CLI) session and you have
logged in as root. When you need to login again, such as after a reboot, use
the root user account so you have access to all the required commands.
• You are familiar with the operation of the CLI.
• You are familiar with the operation of the config-save command. Refer to
“Saving and Restoring the BelAir100 Configuration” on page 29 for details.
CAUTION! Make sure to read and understand the entire upgrade procedure described in
this section before attempting to upgrade a unit. An improper upgrade could
result in a unit becoming inoperable and isolated from the network.
CAUTION! A unit’s configuration database in one release can be structurally different than
in other releases. For example, the configuration database in Release 6.0 is
structurally different than in previous releases. Because of this, downgrading a
software load from Release 6.0 to the previous release requires much effort.
BelAir Networks strongly recommends that you fully verify the configuration
and operation of an upgraded unit before you commit the new load to replace
the old load and configuration. The upgrade process in this document contains
guidelines to help you verify a unit.
For instructions on how to downgrade a unit, contact BelAir Networks.

Upgrade Process An operator logged in as root can upgrade a BelAir100 unit by downloading a
new software load from a remote server. You can use either TFTP or FTP to
Overview communicate with the remote server. You must ensure that the server is
running at an accessible IP address. For redundancy purposes, BelAir100 units
store two copies of the software load in two application banks: banks A and B.
The active software load is the software load that is currently running. The
standby software load is the software load in the alternate application bank.
Either bank A or bank B may be active at a given time. See Figure 6 on page 99.

June 30, 2006 Confidential Page 98 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Performing a Software Upgrade

Figure 6: Active and Standby Software Loads

BelAir Unit
Active
Software Load

Pointer to software
load for next restart

A B
Active Standby
Software Load Software Load

Under normal operating conditions, the contents of the two software load
banks are identical. During a software upgrade, the new software load is copied
into the standby bank at the time of the upgrade.
A software upgrade consists of the following steps:
1 Ensure the current configuration is saved. Refer to “Saving and Restoring the
BelAir100 Configuration” on page 29.
2 Determine what software load is active (A or B). The new software load will
overwrite the standby bank.
3 Download the new software load. The new software load is downloaded to
the standby software load bank. If A is active, then the new software load is
downloaded to bank B. If B is active, then the new software load is
downloaded to bank A.
4 Verify the new software downloaded successfully.
5 Activate the new software load from the standby software load bank
(containing the new load) by rebooting the node. The new load is promoted
to active and the formerly active software load bank becomes standby.
6 Verify the configuration and operation of the unit operating with the new
software load
7 Commit the load (copy the newly activated load to the standby software
load bank).
Note: Any configuration changes that you make before you commit the new
software load are lost if you back out of the upgrade.

June 30, 2006 Confidential Page 99 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Performing a Software Upgrade

CAUTION! Do not change or save the node configuration while upgrading the system.
CAUTION! It is always possible to downgrade a committed software load to an older
release. However, while the existing configuration data is saved (upgraded)
during a software upgrade, the existing configuration data could be lost (erased)
during a software downgrade. BelAir Networks recommends that you save and
remotely store the current existing configuration database in case you choose
to downgrade a software load. For instructions on how to downgrade a unit,
contact BelAir Networks.

Displaying the The active software load can be displayed with the following command:
Active and Next cd /system
show active load
Software Loads The software load that is activated at the next reboot can be displayed with the
following command:
cd /system
show next load

Downloading a You can download a new software image from a remote server with the
following command:
New Software
Load cd /system
upgrade load remoteip <serverIPaddress>
remotepath <serverSubDir>
[{tftp|ftp [user <usrname> password <pword>]}]]
Note: This command is only available if you are logged in as root.
The command copies the new software load into the standby software load
bank and sets the new load as the next active load. See Figure 7.
By default, the upgrade load command uses TFTP. If you specify FTP, you can
also specify the user name and password. The default FTP user name is
anonymous and the default FTP password is root@<nodeip>, where
<nodeip> is the IP address of node making the request. If you do not use the
default FTP username, the FTP server must be configured to accept your
username and password.
CAUTION! Once it begins, the upgrade process cannot be interrupted or terminated by the
user with the current CLI session. See “Canceling a Software Upgrade” on
page 101.

June 30, 2006 Confidential Page 100 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Performing a Software Upgrade

Canceling a To cancel the upgrade process:

Software Upgrade 1 Start another CLI session to the BelAir100 being upgraded and log in as in
as root.
2 Issue the following command:
cd /system
cancel upgrade
3 When requested, confirm your intent.
If you confirm that you want to cancel the software upgrade, a message
appears in the other CLI session informing it’s user that the upgrade has
been cancelled.
This command stops the transfer of the new software load into the standby
software load bank. If you reboot the node, the software in the active software
load bank is used. See Figure 7.
CAUTION! Because the software upgrade process was interrupted, the software in the
standby software load bank may no longer be suitable to reboot the system. Do
not set it to be the next active load unless you first commit the current active
software load, or complete a new software upgrade.
Figure 7: Software Upgrade Step 3 - Downloading the New Software Load

BelAir Unit
Active
Software Load

Pointer to software
load for next restart

External
TFTP
A B Server
Software
Active Standby Download
Software Load Software Load

Verifying a Verify that the new software downloaded successfully with the following
command:
Successful
Download cd /system
show loads

June 30, 2006 Confidential Page 101 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Performing a Software Upgrade

If there are any issues with the downloaded software, perform the download
again.
Note: All software prior to Release 3.2 does not recognize the load ID tags
for software subsequent to Release 4.0. This means that if you upgrade
from Release 3.2 (or earlier software) to Release 4.0 (or later
software), the show loads command does not return results for the
new load until you activate the new load with the reboot command.
Once you activate the new load, the show loads command displays
results for both the new and old software loads.

Activating a To activate a software load, reboot the system, with the reboot command. The
reboot command is only available if you are logged in as root.
Software Load
This command forces the unit to execute with the new load and completes the
activation process.
Note: Rebooting a unit as part of a software upgrade can take significantly
longer, up to 20 minutes, depending on the unit’s configuration.

Verifying the New BelAir Networks recommends that you fully verify the configuration and
operation of an upgraded unit before you commit the new load. Use the
Software Load following steps as guidelines.
1 Fully verify the unit’s configuration and operation.
2 If required, adjust any settings and save the new configuration.
3 Reboot the unit and verify that all changes take effect.
If you observe any issues, follow the steps in “Backing Out from a Software
Upgrade” on page 103.

Committing a Once you have activated the unit with new software load, you can commit it
with the following command:
New Software
Load cd /system
commit load

Note: This command is only available if you are logged in as root.

See Figure 8.
CAUTION! This command copies the contents of the active software bank to the standby
bank. For example, if the active software bank is A, its contents overwrite those
of bank B. Backing out is no longer possible after the new software load has

June 30, 2006 Confidential Page 102 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Performing a Software Upgrade

been committed. After the new software load has been committed, you can no
longer back out of the upgrade; but you can downgrade the unit. For
instructions on how to downgrade a unit, contact BelAir Networks.
Figure 8: Software Upgrade Step 7 - Commit the Software Load

BelAir Unit
Active
Software Load

Pointer to software
load for next restart

A B
Standby Active
Software Load Software Load

Commit: Overwrite old software

load in the standby bank

The commit command copies the system software and the configuration
database to the adjacent bank at the time of execution. However, changes to
the active load’s configuration after the commit command is executed are not
automatically stored in the standby bank. To keep both banks synchronized, you
must use the commit command after every configuration change of the active
load.

Backing Out from It is possible to back out from a software upgrade in case its effects are
undesired, but only if the new software load has not been committed. See
a Software Figure 9 on page 104.
Upgrade

June 30, 2006 Confidential Page 103 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Performing a Software Upgrade

Figure 9: Backing Out from an Uncommitted Software Upgrade

BelAir Unit
Active
Software Load

Pointer to software
load for next restart

Activate old
software load

A B
Old New
Software Load Software Load

Backout: Overwrite new software

load with old software load

When you back out of a software upgrade, the old load overwrites the new
software load.
Note: The commands described in this procedure are only available if you are
logged in as root.
To back out from an upgrade, do the following steps:
1 Determine which bank has the old software load with the following
command:
cd /system
show loads
2 Set the old software load to be the next active load with the following
command:
cd /system
set next load {A|B}
If you have just upgraded the software, you must set the unit to reboot with
the currently standby load. For example, if the old software load is in
bank A, as shown inFigure 9, and the new software load is in bank B, then
you must activate bank A with the following command:
set next load A

June 30, 2006 Confidential Page 104 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Performing a Software Upgrade

3 Reboot the system, with the reboot command.

Note: Rebooting a unit as part of a software upgrade can take significantly
longer, up to 20 minutes, depending on the unit’s configuration.
4 Run the commit command.
Running the commit command is not necessary if the system is already
executing the old software load (because you have decided, for example, to
back-out of the upgrade before activating the new load). In this case, the
content of the old software load (which is active) overwrites the contents of
the new undesired software load.

Displaying the The status of the software upgrade process can be displayed with the following
command:
Status of the
Software Upgrade cd /system
show upgrade status

June 30, 2006 Confidential Page 105 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide BelAir100 Network Example

BelAir100 Network Example

The example described by this chapter uses several commands that require
super-user privilege level. Because of this, the example assumes that you log in
to each unit as root.
Also, the example described by this chapter assumes that the backhaul radios
not have part number B2CC033AA. Backhaul radios with part number
B2CC033AA require different configuration parameters. Refer to “5 GHz
P-to-P Links” on page 49 for details.
Consider the case of the simple network in Figure 10.
Figure 10: Simple BelAir200 and BelAir100 Network Configuration

Switch and Pubic

BA200-A Access Control
172.16.100.1
BRM1 Gateway
Mode: AP LIM
MAC address:
00:0d:67:00:0A:01

BRM1
Mode: Client
MAC address:
BA100-A
172.16.100.3
00:0d:67:00:0B:01
BA200-B
172.16.100.2
BRM2 BRM1
Mode: AP Mode: Client
MAC address: MAC address: Configuration
00:0d:67:00:0B:02 00:0d:67:00:0C:01 Terminal

To configure the network, you first need to configure the IP parameters for
each BelAir200 unit and the BelAir100 unit, as described in section
“Configuration of IP Parameters” on page 107. At this stage, you should also
determine the MAC addresses of the backhaul radios. You will need this piece
of information to configure the backhaul radio links.
The next step is to configure each unit’s country of operation, which in this
case is Canada. Then, you must configure the radio modules and finally, for the
BelAir200 units in the network, the layer 2 networking. After these latter steps,
the network is ready to carry traffic.

June 30, 2006 Confidential Page 106 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide BelAir100 Network Example

Configuration of As shown in Figure 10, all units are assigned static IP addresses, namely
172.16.100.1 for BA200-A, 172.16.100.2 for BA200-B and 172.16.1.3 for
IP Parameters BA100-A.
Start a secure CLI session to BA200-A, using the default IP address (10.1.1.10).
Login as root, and change the default root password, using the passwd
command.
Note: The specified password is case sensitive and must be at least six
characters long.
Determine the MAC address of the radio modules:
/radio/show brm1 mac-address
00:0d:67:00:0A:01
If two client mode backhaul radios attempt to associate with the same AP
mode backhaul radio, you can tell which is the desired one based on the
received remote-end MAC address.
Lastly, change the IP settings; that is, the IP address and the static routing tables,
if needed:
cd /system
system default-ipaddr 172.16.100.1 subnet-mask 255.255.255.0

Reboot for the IP settings to take effect:

reboot

You must execute similar procedures for each of the other units: BA200-B and
BA100-A.

Configuring the After rebooting, login again to each unit, using the new root password.
Remaining Execute the configuration commands listed in the following subsections. There
Parameters is one subsection for each unit in the network. The commands configure the
backhaul radio links using channels 53 and 61.
It is essential that the radio module pair (client and AP mode) at the two ends
of a backhaul link be configured with the same SSID and with the same security
and privacy parameters.
Configuring different backhaul links with unique SSIDs prevents undesired
associations and potential connectivity problems. Refer to the BelAir Products
Deployment Guidelines for more details.

June 30, 2006 Confidential Page 107 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide BelAir100 Network Example

Configuration 1 Configure the country of operation:

Commands for cd /system
BA200-A /system# set country ca
/system# save node_config
/system# reboot
2 Configure the wireless parameters, starting with the access radio SSID and
privacy:
cd /radio
/radio# set arm1 ssid BA200-A-1 ssidx 1 vlan 230
/radio# set arm1 wep-encryption psk 3132333435 enabled ssidx 1
/radio# config-save
3 Configure the backhaul radio, namely, the BA200-A end of the A-B link:
cd /radio
/radio# set brm1 channel 53
/radio# set brm1 mode ap
/radio# set brm1 ssid AB-SSID
4 Change the factory encryption key for backhaul with your own. You must
use the same key at both ends of a link.
/radio# set brm1 key wep,abcdefg012345
5 Enable backhaul privacy:
/radio# set brm1 privacy enabled
Bridge functionality is automatically enabled, so you do not need to enter
bridge commands. Also, the Spanning Tree Protocol is not required because
there are no loops in this network.

Configuration 1 Configure the country of operation:

Commands for cd /system
BA200-B /system# set country ca
/system# save node_config
/system# reboot
2 Configure the SSID and privacy for the access radio:
cd /radio
/radio# set arm1 ssid BA200-B-1 ssidx 1 vlan 230
/radio# set arm1 wep-encryption psk 3132333435 enabled ssidx 1
/radio# config-save
3 Configure BRM1, namely, the BA200-B end of the A-B link:
cd /radio
/radio# set brm1 channel 53
/radio# set brm1 mode client
/radio# set brm1 ssid AB-SSID
4 Change the factory encryption key for backhaul with your own. You must
use the same key at both ends of a link.
/radio# set brm1 key wep,abcdefg012345
5 Enable backhaul privacy:
/radio# set brm1 privacy enabled

June 30, 2006 Confidential Page 108 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide BelAir100 Network Example

6 Configure BRM2, namely, the BA200 end of the BA200B-BA100A link:

/radio# set BRM2 channel 61
/radio# set BRM2 mode ap
/radio# set BRM2 ssid BA200B-BA100A-SSID
7 Change the factory encryption key for backhaul with your own. You must
use the same key at both ends of a link.
/radio# set BRM2 key tkip,123456789qwertyu
8 Enable backhaul privacy:
/radio# set BRM2 privacy enabled
Bridge functionality is automatically enabled, so you do not need to enter
bridge commands. Also, the Spanning Tree Protocol is not required because
there are no loops in this network.

Configuration 1 Configure the country of operation:

Commands for cd /system
BA100-A /system# set country ca
/system# save node_config
/system# reboot
2 Configure the SSID and privacy for the access radio
cd /radio
/radio# set arm1 ssid BA100-A-1 ssidx 1 vlan 230
/radio# set arm1 wep-encryption psk 3132333435 enabled ssidx 1
/radio# config-save
3 Configure the backhaul radio, namely, the BA100 end of the
BA200B-BA100A link
cd /radio
/radio# set brm1 channel 61
/radio# set brm1 mode client
/radio# set brm1 ssid BA200B-BA100A-SSID
4 Change the factory encryption key for backhaul with your own. You must
use the same key at both ends of a link:
/radio# set brm1 key tkip,123456789qwertyu
5 Enable backhaul privacy:
/radio# set brm1 privacy enabled

Additional Backhaul Once the backhaul links become operational, you can configure Associated and
Configuration Options Peer backhaul radio MAC address functions as an additional measure to control
which nodes establish backhaul links. Refer to “Associated and Peer Backhaul
Radio MAC Addresses ” on page 56.

June 30, 2006 Confidential Page 109 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide For More Information

For More Information

BelAir Networks documentation is modular and organized to be of best use to
you during the logical process of setting up a network of BelAir devices.
Use the documents as outlined in the following sections.

Getting Started
Table 12: More Information — Getting Started

When you are: Use these documents:

• Planning a new implementation BelAir Products Deployment

Guidelines
• Determining how many units you
will need to deploy
• Determining the location of each
unit
• Determining and installing the
support infrastructure (unit
mounting structures, cabling, etc.)
• Infrastructure requirements BelAir100 Installation Guide
• Pre-configuring the BelAir units
• Installing BelAir units
• Problem-solving on the site
• Mounting BelAir units
• Setting up the network, security BelAir100 User Guide
and OAM
• Using CLI to establish the network

June 30, 2006 Confidential Page 110 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide For More Information

Working Out
Table 13: More Information — Working Out Details
Details
When you are: Use these documents:

• Becoming accustomed to the BelAir Products Web Interface

BelAir100 web interface Guide
• Becoming accustomed to the BelAir100 System CLI Guide
BelAir100 SNMP interface
• Using CLI, the web interface or BelAir100 System CLI Guide
SNMP-type interfaces to configure
the BelAir100 unit
• Looking up BelAir100 System
configuration details:
—Access interfaces (SNMP, SSL,
SSH)
—Traffic interfaces (Ethernet)
—System logs
—statistics
• Using CLI, the web interface or BelAir100 Radio CLI Guide
SNMP-type interfaces to configure
the radios
• Looking up BelAir100 radio
configuration details
• Using CLI, the web interface or BelAir100 User Guide
SNMP for Layer 2 networking
• Looking up BelAir100 Layer 2
network configuration details

June 30, 2006 Confidential Page 111 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide For More Information

On the Road and

Table 14: More Information — On the Road and in the Field
in the Field
When you are: Use these documents:

• In the field deploying a BelAir100 “Technical Support” chapters found

network at the end of every BelAir technical
• Troubleshooting and in need of document
technical support

June 30, 2006 Confidential Page 112 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Technical Support

Technical Support
This section provides direction should you have questions about your
BelAir100 unit.

Support In general, BelAir Networks recommends that you do the following steps to
seek the information you want:
Resources
1 If this document has a troubleshooting section, refer to it and to the
troubleshooting section in the User Guide to see if it describes your
situation. If it does, do the provided corrective actions.
2 If the troubleshooting section does not cover your situation, contact your
BelAir Networks product representative
3 If you still need assistance, use the BelAir Networks online support center
at www.support.belairnetworks.com
4 Finally, if your issue is not resolved, contact BelAir Networks:
—613-254-7070
—1-877-BelAir1 (235-2471)
—[email protected]

Warranty and To review BelAir’s product warranty, refer to the chapter called “Warranty and
Limitations” in the Installation Guide.
Limitations

Troubleshooting The BelAir100 provides the following tools to determine the source of your
network problems:
• the alarm and event reporting subsystem (see “Alarm and Event Reporting”
on page 113 and “Alarm Definitions” on page 117)
• SNMP traps, that are created for some events (see the BelAir100 System
Command Line Interface Guide)
• statistics information available while in radio mode
• the SYSLOG subsystem (see “Using SYSLOG” on page 121)

Alarm and Event The BelAir100 alarm and event reporting subsystem monitors both active
alarms and alarm history. Active alarms are stored in system memory and are
Reporting

June 30, 2006 Confidential Page 113 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Technical Support

not persistent. The BelAir100 maintains the history of the last 10 000 reported
alarms. The alarm history is persistent during normal operation.
The alarm and event subsystem is accessible in system mode, where you can:
• display active alarms, filtered by alarm type and severity level
• display the alarm history, filtered by alarm type and severity level
• determine which alarm types and alarm severities generate SYSLOG and
SNMP trap notifications

Alarm Types and Table 15 shows the types of alarms that the BelAir100 can generate.
Severity
Table 15: BelAir100 Alarm Types

Type Description

dcom data communication

eqpt equipment (for instance, equipment failures)
sw software (software errors)
qos quality of service
env environment (for instance, temperature too low or
too high)
secu security
sys system

The BelAir100 can produce alarms with the following severity: critical, major,
minor, warning and information.

Displaying Active show alarms <max_num_of_alarms>

Alarms [type {all|dcomm|eqpt|sw|qos|env|secu|sys}]
[severity {all|critical|major|minor|warning|info}]
This command allows you to display up to “N” active alarms, filtered by alarm
type or alarm severity. If the alarm severity is to be specified, then the alarm
type must also be specified, but can be specified as all if no filtering by type is
desired.
The type and severity specifications can have multiple values separated by a
vertical bar. For example, specifying type dcom|eqpt|env shows all data
communications, equipment and environment alarms.

June 30, 2006 Confidential Page 114 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Technical Support

In the active alarm display:

• The Id field indicates the log index number.
• The Ignored field indicates whether or not a SYSLOG and SNMP trap
notification was sent for this item. See “Setting the Alarm Type Mask” on
page 116 and “Setting the Alarm Severity Mask” on page 117.

Example
In the following example, only one alarm is displayed because only one alarm
was active at the time the command was issued.
/# system/show alarms 20
Displaying 1 active alarms of 1 total:
Id Date/Time (UTC) Severity Status Ignored Entity Type Description
----------------------------------------------------------------------------------------------
0 2004-11-05 19:16:06 critical Set No brm1 dcom Link Down

Displaying the Alarm show alarm history <max_num_of_alarms>

History [type {all|dcomm|eqpt|sw|qos|env|secu|sys}]
[severity {all|critical|major|minor|warning|info}]
[<log_idx>]
This command allows you to display up to the last “N” reported alarms, filtered
by alarm type or alarm severity. If the alarm severity is to be specified, then the
alarm type must also be specified, but can be specified as all if no filtering by
type is desired.
The type and severity specifications can have multiple values separated by a
vertical bar. For example, specifying type dcom|eqpt|env shows all data
communications, equipment and environment alarms.
The <log_idx> parameter specifies the most recent alarm log to display. It
defaults to the last index generated.
In the alarm history display:
• The Id field indicates the log index number.
• The Ignored field indicates whether or not a notification (through SYSLOG
or through SNMP traps) was sent for this item. See “Setting the Alarm Type
Mask” on page 116 and “Setting the Alarm Severity Mask” on page 117.
The <max_num_of_alarm> parameter cannot be greater than 200. To display
alarms that occurred previous to that, note the log index number of the last

June 30, 2006 Confidential Page 115 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Technical Support

displayed alarm and re-issue the show alarm history command with the
appropriate <log_idx> parameter. See the following examples.

Example 1
The following example displays the five most recent alarms.
/# system/show alarm history 5
Displaying 5 alarm history entries:
Id Date/Time (UTC) Severity Status Ignored Entity Type Description
------------------------------------------------------------------------------------------------
9 2006-01-23 19:40:43 minor Clr No scm eqpt SNTP server not available
8 2006-01-23 19:39:20 critical Clr No brm3 dcom Link Down
7 2006-01-23 19:39:06 critical Set No brm3 dcom Link Down
6 2006-01-23 19:38:00 critical Clr No brm2 dcom Link Down
5 2006-01-23 19:37:45 critical Set No brm2 dcom Link Down

Example 2
The following example displays the next two most recent alarms.
/# system/show alarm history 2 type all severity all 4
Displaying 5 alarm history entries:
Id Date/Time (UTC) Severity Status Ignored Entity Type Description
------------------------------------------------------------------------------------------------
4 2006-01-23 19:36:54 minor Set No scm eqpt SNTP server not available
3 2006-01-23 19:36:29 warning Set No brm3 eqpt Battery missing

Example 3
In the following example, only two alarms are displayed because only two
alarms were active at the time the command was issued.
/# system/show alarm history 20
Displaying 2 alarm history entries:
Id Date/Time (UTC) Severity Status Ignored Entity Type Description
----------------------------------------------------------------------------------------------
1 2004-11-08 14:04:43 critical Set No brm3 dcom Link Down
0 2004-11-05 19:16:06 critical Set No brm1 dcom Link Down

Setting the Alarm Type set alarm type mask {all|dcomm|eqpt|sw|qos|env|secu|sys}

Mask This command allows you to set which alarm types generate SYSLOG and
SNMP trap notifications. The default setting is for all alarm types to generate
notifications.

June 30, 2006 Confidential Page 116 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Technical Support

Specifying a value in the mask enables notifications for that type. Mask
specifications can have multiple values separated by a vertical bar. For example,
specifying mask dcom|eqpt|env means that all data communications,
equipment and environment alarms generate SYSLOG and SNMP trap
notifications, provided they are not blocked by the alarm severity mask.

Setting the Alarm set alarm severity mask {all|critical|major|minor|warning|info}

Severity Mask This command allows you to set which alarm severities generate SYSLOG and
SNMP trap notifications. The default setting is for all alarm severities to
generate notifications.
Specifying a value in the mask enables notifications for that severity. Mask
specifications can have multiple values separated by a vertical bar. For example,
specifying mask critical|major|minor means that all critical, major and minor
alarms generate SYSLOG and SNMP trap notifications, provided they are not
blocked by the alarm type mask.

Displaying the Alarm show alarm mask

Mask This command displays the current alarm type and severity masks.
In the displayed masks, any alarm type or severity followed by (1) generates a
SYSLOG and SNMP trap notification. Any alarm type or severity followed by (0)
does not generate a SYSLOG and SNMP trap notification.

Example
/# system/show alarm mask
Alarm masks (enabled if set)
Alarm Notification type mask: dcom(1), eqpt(1), sw(1), qos(1), env(1), secu(1), sys(1)
Alarm severity mask: critical(1), major(1), minor(1), warning(1), info(1)

Alarm Definitions Table 16 describes the alarms that are displayed by the BelAir user interface.

Table 16: BelAir User Interface Alarms

Id Alarm Description

1 Text: Temperature above high temperature threshold

Trigger condition: Internal temperature is above 85 degree C.
Severity: Major

June 30, 2006 Confidential Page 117 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Technical Support

Table 16: BelAir User Interface Alarms (Continued)

Id Alarm Description

2 Text: Temperature below low temperature threshold

Trigger condition: Internal temperature is below -40 degree C.
Severity: Major
3 Text: Temperature sensor malfunction
Trigger condition: System cannot read the temperature sensor.
Severity: Major
6 Text: SNTP server not available
Trigger condition: System has lost contact with the SNTP server.
Severity: Minor
7 Text: Software download in progress
Trigger condition: User entered the upgrade command to start
software upgrade.
Severity: Warning
8 Text: Software download failed
Trigger condition: A software download operation has failed.
Severity: Warning
12 Text: System management software started
Trigger condition: Management software has successfully started up.
Severity: Info
15 Text: Link Down
Trigger condition: Lost backhaul link connectivity.
Severity: Critical

June 30, 2006 Confidential Page 118 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Technical Support

Table 16: BelAir User Interface Alarms (Continued)

Id Alarm Description

20 Text: Battery active. Main power failure.

Trigger condition: Lost main power and switched to battery operation.
Severity: Critical
21 Text: Battery missing.
Trigger condition: Battery is not present.
Severity: Warning
22 Text: Battery charging, voltage low.
Trigger condition: Low battery voltage detected while main power is
still active.
Severity: Minor
23 Text: Battery active, voltage low.
Trigger condition: Low battery voltage detected and main power has
failed.
Severity: Major
24 Text: Battery charging, voltage critically low.
Trigger condition: Battery voltage has dropped below critical level
while main power is still active.
Severity: Minor
25 Text: Battery active, voltage critically low.
Trigger condition: Battery voltage has dropped below critical level and
main power has failed.
Severity: Critical
30 Text: T1 <n> LOS (loss of signal)
Trigger condition: Detected lost of signal from the <n> T1 interface.
Severity: Major

June 30, 2006 Confidential Page 119 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Technical Support

Table 16: BelAir User Interface Alarms (Continued)

Id Alarm Description

31 Text: T1 <n> AIS (alarm indication signal)

Trigger condition: Detected an AIS signal from the <n> T1 interface.
Severity: Major
32 Text: T1 <n> LOF (loss of frame)
Trigger condition: Detected lost of frame from the <n> T1 interface.
Severity: Major
33 Text: T1 <n> RAI (remote alarm indication)
Trigger condition: Detect an RAI signal from the <n> T1 interface.
Severity: Major
34 Text: T1 %d RED (link failure)
Trigger condition: Any of the LOS, LOF, AIS or RAI condition
detected.
Severity: Major
46 Text: Mesh link down
Trigger condition: One of the links in the multipoint-to-multipoint
topology has lost connectivity.
Severity: Info
49 Text: Manual reboot.
Trigger condition: User entered card reboot command (instead of a
node reboot command).
Severity: Info
50 Text: Admin down.
Trigger condition: User has set card to admin down state.
Severity: Info

June 30, 2006 Confidential Page 120 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Technical Support

Table 16: BelAir User Interface Alarms (Continued)

Id Alarm Description

51 Text: Communication failure.

Trigger condition: System has lost communication with a card.
Severity: Critical
52 Text: Link down.
Trigger condition: One of the links in the star topology has lost
connectivity.
Severity: Critical
53 Text: Link down.
Trigger condition: One of the links in the point-to-point topology has
lost connectivity.
Severity: Critical
59 Text: Interface down.
Trigger condition: Cable modem interface fails to respond.
Severity: Critical

Using SYSLOG In addition to the alarm subsystem, the BelAir100 can generate other event
notifications. With the System Log (SYSLOG) functions you can:
• send the event notifications to a remote server
• have them displayed on a CLI session as they occur
• filter the severity of the events that are logged
For full details on the SYSLOG functions, see the BelAir100 System Command
Line Interface Guide.

Displaying the SYSLOG show syslog config

Configuration
This command displays the SYSLOG configuration.

Example
/# show syslog config

June 30, 2006 Confidential Page 121 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Technical Support

System Log Information

----------------------
Log Status : Enable
Monitor Logging : Enable
Log Server IP : None
Log Levels: critical

Configuring the logserver <ip address>

SYSLOG Server IP This command is only available if you are logged in as root.
Address
This command sets the SYSLOG server IP address for remote logging. Only
one server can be defined at a time. If a different IP address was configured
before, this command closes the previous connection.

Example
/#cd syslog
/syslog# logserver 10.6.4.52

Sending SYSLOG monitor logging {enable|disable}

Messages to a CLI This command is only available if you are logged in as root.
Session
This command instructs the BelAir100 to send SYSLOG messages to the
current CLI session for display as they are generated. If you continue to use the
current CLI session, the SYSLOG messages are interleaved with regular
command input and output.
This command affects only the current CLI session. A new CLI session does not
have this option enabled. This feature allows the SYSLOG messages to be
displayed in one CLI session while another CLI session is used for regular
command input and output.
Enabling this feature disables the normal CLI session inactivity timer. The CLI
session remains open until this feature is explicitly disabled.

Example
/#cd syslog
/syslog# monitor logging enable

Configuring the Log loglevel {debug|info|notice|warn|error|

Level critical|alert|emerg}
This command is only available if you are logged in as root.
This command defines the maximum severity level for messages to be sent to
the remote SYSLOG server or the CLI session. (See “Configuring the SYSLOG
Server IP Address” on page 122 and “Sending SYSLOG Messages to a CLI
Session” on page 122.)

June 30, 2006 Confidential Page 122 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Technical Support

This command restricts logging to messages at the specified level and below (in
the sequence of appearance in the command).
Note: The SYSLOG message severity levels are separate and distinct from the
alarm severity levels.

Example
/#cd syslog
/syslog# loglevel error
In the preceding example, after the command is issued, the unit generates
error, critical, alert and emerg messages.

Enabling or Disabling logging {enable|disable}

Logging
This command is only available if you are logged in as root.
This command enables or disables the logging feature. Once enabled, the
BelAir100 sends the specified SYSLOG messages to the remote SYSLOG
server if an IP address has been configured and to the CLI session if configured
to do so.

Example
/#cd syslog
/syslog# logging enable

June 30, 2006 Confidential Page 123 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Definitions and Acronyms

Definitions and Acronyms

ACL Access Control List
ARM Access Radio Module
ASM Antenna Selection Module
Access point A wireless LAN data transceiver that uses radio waves to provide connectivity
services to a network
Beacon A protocol packet that signals the availability and presence of a wireless device
BID Bridge identifier used in spanning-tree calculations
BPDU Bridge protocol data unit. When the spanning tree protocol is enabled, bridges
send and receive spanning-tree frames, called BPDUs, at regular intervals and
use the frames to maintain a loop-free network.
BRM Backhaul Radio Module
BSS Basic Service Set: A set of 802.11-compliant stations that operate as a fully
connected wireless network
CIST Common and Internal Spanning Tree
Client A device that uses the services of a wireless access point to connect to a
network
CLI Command Line Interface
DHCP Dynamic Host Configuration Protocol
IP Internet Protocol
IP address The Internet Protocol (IP) address of a station. Expressed in dotted notation,
for instance, 10.21.1.14
IP subnet mask The number used to identify the IP sub-network.
LAN Local Area Network
LPM Line and Power Module
MAC Address Media Access Control address. A unique 48-bit number used in Ethernet data
packets to identify an Ethernet device.
MIB SNMP Management Information Base
MPDU MAC Protocol Data Unit
NAS Network Access Server

June 30, 2006 Confidential Page 124 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Definitions and Acronyms

OAM Operations, Administration and Maintenance

OUI Organizationally Unique Identifier (first 3 bytes of a MAC address)
QoS Quality of Service
PDU Protocol Data Unit
RADIUS Remote Authentication Dial-In User Service. An Internet protocol (RFC 2138)
for carrying dial-in users' authentication information and configuration
information between a shared, centralized authentication server (the RADIUS
server) and a network access server (the RADIUS client) that needs to
authenticate the users of its network access ports
RRD Route Re-Distribution
RTM Routing Table Manager
SNMP Simple Network Management Protocol
SNTP Simple Network Time Protocol
SSID Service Set Identifier (also referred to as Network Name or Id). A unique
identifier used to identify a radio network and which stations must use to be
able to communicate with each other or to an access point
TKIP Temporal Key Integrity Protocol, an optional IEEE 802.11 function that offers
frame transmission privacy. Like WEP, it is based on RC4 encryption. It
generates new encryption keys for every 10 kilobytes of data transmitted.
VLAN Virtual Local Area Network
WEP Wired Equivalent Privacy, an optional IEEE 802.11 function that offers frame
transmission privacy. The Wired Equivalent Privacy generates secret shared
encryption keys that both source and destination stations can use to alter frame
bits to avoid disclosure to eavesdroppers.
WPA Wi-Fi Protected Access

June 30, 2006 Confidential Page 125 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Node Configuration Sheets

Appendix A: Node Configuration Sheets

You can use this sample worksheet to document the basic configuration of a
BelAir100 unit. Store your worksheets in a secure location because they
contain sensitive information (super-user password and privacy keys).

Unit part number (located on the sticker affixed to the unit):__________________________

Unit serial number (located on the sticker affixed to the unit):__________________________

Super-user password: ____________________________

System Name: ______________ Location: ____________ Contact: _______________

Base MAC Address: ______________

IP Address: _____________Subnet:______________ Gateway: ______________

Client to VLAN mapping Y or N

Mesh Settings (for mesh portal only)

Mesh Ch#: ________
Mesh ID: _____________________
Mesh Privacy Type: __________Key: __________________________

June 30, 2006 Confidential Page 126 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Node Configuration Sheets

Access Radio

ARM1 (if equipped) Phys. Ch# ________

Privacy Setting Table (optional)
WEP WPA1/2 PSK
SSID ACL RADIUS Server List 802.1X WPA1/2
(5 or 13 bytes) (8 to 63 bytes)

1. ________________ Y or N 1. ________________ ______________ Y or N Y or N ______________

2. ________________
3. ________________
4. ________________

2. ________________ Y or N 1. ________________ ______________ Y or N Y or N ______________

2. ________________
3. ________________
4. ________________

3. ________________ Y or N 1. ________________ ______________ Y or N Y or N ______________

2. ________________
3. ________________
4. ________________

4. ________________ Y or N 1. ________________ ______________ Y or N Y or N ______________

2. ________________
3. ________________
4. ________________

5. ________________ Y or N 1. ________________ ______________ Y or N Y or N ______________

2. ________________
3. ________________
4. ________________

6. ________________ Y or N 1. ________________ ______________ Y or N Y or N ______________

2. ________________
3. ________________
4. ________________

7. ________________ Y or N 1. ________________ ______________ Y or N Y or N ______________

2. ________________
3. ________________
4. ________________

. . . . . . .
. . . . . . .
. . . . . . .

16. _______________ Y or N 1. ________________ ______________ Y or N Y or N ______________

2. ________________
3. ________________
4. ________________

June 30, 2006 Confidential Page 127 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Node Configuration Sheets

Backhaul Radio
BRM1 (if equipped) SSID: ____________________________ Phys. Ch#__________
Key Id Type (Wep or TKIP) Key Value (5 or 13 ASCII characters if WEP, or 16 ASCII characters if TKIP)

1 ____________________ _____________________________________________________________________

BRM2 (if equipped) SSID: ____________________________ Phys. Ch#__________

Key Id Type (Wep or TKIP) Key Value (5 or 13 ASCII characters if WEP, or 16 ASCII characters if TKIP)

1 ____________________ _____________________________________________________________________

June 30, 2006 Confidential Page 128 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide BelAir100 Factory Defaults

Appendix B: BelAir100 Factory Defaults

This appendix does the following:
• shows you how to reset a BelAir100 configuration to its factory default
settings
• describes the factory default settings for the BelAir100

Resetting a You can reset the configuration of a BelAir100 to the factory default settings by
using a CLI command or a Reset Dongle. See Figure 11 on page 130.
BelAir100
Configuration to Typically, you would perform this procedure only when all other methods of
changing the unit’s configuration have failed. The Reset Dongle is used when
Factory Defaults there is no way of communicating to the unit.

Resetting to Factory If you are logged in as root and have access to system commands, you can reset
Defaults with a CLI the unit to the factory defaults.
Command
CAUTION! By performing the following procedure, all local configuration data will be
replaced by default factory settings. You will not be able to recover any local
configuration data.
CAUTION! You may not able to reestablish connectivity to a remotely located unit after you
execute this procedure.
Use the following command sequence:
cd /system
syscmd restoreDefaultConfig
reboot

Note: The parameters of the syscmd command are case sensitive.

Resetting to Factory Figure 11 on page 130 shows a Reset Dongle. It is provided with every
Defaults with a Reset BelAir100 unit that is shipped from the factory.
Dongle

June 30, 2006 Confidential Page 129 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide BelAir100 Factory Defaults

Figure 11: Reset Dongle

To perform this procedure, you need physical access to the unit.

CAUTION! By performing the following procedure, all local configuration data will be
replaced by default factory settings. You will not be able to recover any local
configuration data.
To reset the BelAir100 configuration to factory defaults, do the following steps:
1 Ensure that the unit to be reset has been powered up at least 5 minutes.
2 With a Phillips screwdriver, remove the plastic cover of the BelAir100. See
Figure 12 on page 131.
There are two screws. Keep these screws because you will use them later.

June 30, 2006 Confidential Page 130 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide BelAir100 Factory Defaults

Figure 12: Removing Cover from a BelAir100

3 Plug the Reset Dongle into the unit battery connector jack. See Figure 13.
Figure 13: Installing a Reset Dongle

4 Wait until the power indicator LED turns from green to amber, indicating
that the unit is rebooting. Once the LED turns amber, remove the Reset
Dongle.
The default factory default configuration is activated after the reboot.
5 Re-install the cover removed in step 2 using the appropriate screws.

June 30, 2006 Confidential Page 131 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide BelAir100 Factory Defaults

Factory Defaults The following sections describe the default factory settings for a BelAir100 unit.
Settings
Default Node
Configuration Table 17: Default OAM IP Addressing

Parameter Setting

management IP address 10.1.1.10/24, Static

sub-network mask 255.255.255.0
management interface VLAN1

Table 18: Default Country of Operation

Parameter Setting

country us

Table 19: Default System Identification

Parameter Setting

system name none

system location none
system contact none

Table 20: Default Services

Parameter Setting

HTTP server enabled

secure HTTP server enabled
Telnet server enabled, port 23
SSH server enabled, port 22
SNMP server enabled
SNMP community names and trap destinations none

June 30, 2006 Confidential Page 132 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide BelAir100 Factory Defaults

Table 20: Default Services (Continued)

Parameter Setting

remote SYSLOG server none

Default Radio Module

Configuration Table 21: Default Mesh Settings (if equipped)

Parameter Setting

channel 11
mesh identifier BelAirNetworks
privacy disabled
encryption key 0x00000000000000000000000000000000
mesh point type multipoint
mesh portal no
traffic limit disabled

Table 22: Default ARM Settings (if equipped)

Parameter Setting

physical channel number 11

receive antenna in use main
receive antenna diversity disabled
transmit power level 27 dBm
beacon period 100 milliseconds
RTS threshold 2347
fragmentation threshold 2346
short retries 8
(traffic priority queues 0 to 2)
long retries 4
(traffic priority queues 0 to 2)

June 30, 2006 Confidential Page 133 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide BelAir100 Factory Defaults

Table 22: Default ARM Settings (if equipped) (Continued)

Parameter Setting

short retries (traffic priority queue 3) 3

long retries (traffic priority queue 3) 3
authentication response timeout 1000 milliseconds
association response timeout 500 milliseconds
communication disabled
wireless bridge enabled
secure port disabled
privacy disabled (no encryption)
MSSID disabled
SSID 1 BelAir Networks Access Radio

Table 23: Default BRM Settings

Parameter Setting
mode disabled
physical channel number
BRM1(if equipped) 54 (prim. channel), 0 (sec. channel)
BRM2 (if equipped) 66 (prim. channel), 0 (sec. channel)
SSID
BRM1(if equipped) BelAir Backhaul Radio 1
BRM2 (if equipped) BelAir Backhaul Radio 2
privacy disabled (no encryption)
antenna selection external
peer MAC provisioned 00:00:00:00:00:00
link distance 1 km
TPC admin state disabled
DFS disabled
communications enabled

June 30, 2006 Confidential Page 134 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide BelAir100 Factory Defaults

Table 23: Default BRM Settings (Continued)

Parameter Setting
beacon period 100 milliseconds
RTS threshold 2347
fragmentation threshold 2346
short retries 8
long retries 4
authentication response timeout 500 milliseconds
association response timeout 500 milliseconds

Table 24: BRM Default Key Settings

Key Number Type Key Value (ASCII String)

1 WEP 1234567890123

Default QoS Settings

Table 25: Default QoS Settings

Parameter Setting

Prioritization based on UP bits UP 1 and 2 to queue 0 (lowest priority)

UP 0 and 3 to queue 1
UP 4 and 5 to queue 2
UP 6 and 7 to queue 3 (highest priority)

Default Layer 2 Settings

Table 26: Default Layer 2 Settings

Parameter Setting

bridging enabled
VLANs
default VLAN for untagged traffic ID 1
no other VLAN tags are configured

June 30, 2006 Confidential Page 135 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Connecting to the Ethernet Interface

Appendix C: Connecting to the Ethernet Interface

This appendix describes the connection method to use if you can not connect
to the BelAir100 unit through its radio modules, as when you are configuring
the unit for the first time.
The connection method varies depending on whether your unit is equipped
with an electrical or optical Ethernet interface.

Configuration The configuration terminal can be a desktop or laptop PC configured to

communicate on the same IP sub-network as the BelAir100.
Terminal Set-up

Required You need a no. 2 Phillips screwdriver to access the unit’s connectors.
Equipment If your unit is equipped with an electrical Ethernet interface, you need a
cross-connect RJ45 Ethernet cable. If your unit is equipped with an optical
Ethernet interface, you need:
• a media converter; such as the McBasic TX/FX from IMC Networks
• a single mode fiber cable with dual-LC connector at one end and a
connector at the other end suitable for your media converter
Refer to Figure 14.
Figure 14: Typical Required Equipment for an Optical Ethernet interface

June 30, 2006 Confidential Page 136 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Connecting to the Ethernet Interface

Connection To connect to the unit’s Ethernet port, do the following steps:

Procedure 1 Access the Ethernet port of the unit by removing the unit’s cover. Set aside
the screws and washers for use later. A no. 2 Phillips screwdriver is
required.
Figure 15: BelAir100 Connector Field

AC Power Ethernet
Connector Connector

Battery
Connector

2 Carefully remove the protective cover from the unit’s Ethernet port.
3 Make the Ethernet connection.
If your unit has an electrical Ethernet interface, plug one end of the RJ45
Ethernet cable into the BelAir100’s Ethernet port and the other end into
your configuration terminal.
If your unit has an optical Ethernet interface refer to Figure 16 and do the
following sub-steps:
a Carefully remove all caps and dust covers protecting the ends of the dual
LC connector on the optical cable.
b Remove the cover protecting BelAir100 optical Ethernet port.
c Remove the dust protector on the BelAir100 dual LC connector.
d To avoid an electrostatic discharge while connecting the optical cable,
touch the metal base of the unit.
e Carefully insert the optical cable’s dual LC connector into the BelAir100’s
optical Ethernet port.
f Connect the other end of the optical cable to the media converter.
g Connect your configuration terminal to the media converter.

June 30, 2006 Confidential Page 137 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Connecting to the Ethernet Interface

Figure 16: Connection Setup for BelAir100 with an Optical Ethernet Interface

100 BASE-TX 100 BASE-FX

Media
Converter
BelAir100
Configuration
Terminal

June 30, 2006 Confidential Page 138 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Detailed Table of Contents

Detailed Table of Contents

About This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Typographical Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3

BelAir100 Wireless Multi-service Node . . . . . . . . . . . . . . . . . . . . 4

System Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Hardware Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
BelAir100 Layer 2 View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7

BelAir100 Configuration Interfaces . . . . . . . . . . . . . . . . . . . . . . . . 8

Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
BelAir100 SNMP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Integrating the BelAir100 with a Pre-deployed NMS . . . . . . . .9
BelAir100 Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Supported Web Browsers and Platforms . . . . . . . . . . . . . . . .10
Accessing the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . .10
Accessing the System Page with Secure HTTP or with HTTP 11

Command Line Interface Basics . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Connecting to the BelAir100 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Starting a CLI Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Abbreviating Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Command History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Special CLI Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Help Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Terminating your CLI Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18

User Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
User Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Adding User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Deleting User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Modifying User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Displaying the Available User Accounts . . . . . . . . . . . . . . . . . . . . . . . .21

June 30, 2006 Confidential Page 139 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Detailed Table of Contents

Changing Your Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

Configuring Authentication for User Accounts . . . . . . . . . . . . . . . . . .22
Selecting the authentication mode . . . . . . . . . . . . . . . . . . . . . .22
Adding RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Deleting RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Displaying the Authentication Mode and RADIUS Servers . .23

System Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Displaying the BelAir100 Node and IP Parameters . . . . . . . . . . . . . . .25
Configuring the BelAir100 System Parameters . . . . . . . . . . . . . . . . . .25
Configuring the System IP Parameters . . . . . . . . . . . . . . . . . . . . . . . . .26
Setting a Static IP Address and Subnet Mask . . . . . . . . . . . . . .26
Displaying the Static IP Routing Tables . . . . . . . . . . . . . . . . . .26
Configuring the Static IP Routing Tables . . . . . . . . . . . . . . . . .26
Configuring the System Date and Time . . . . . . . . . . . . . . . . . . . . . . . .27
Displaying System Date and Time . . . . . . . . . . . . . . . . . . . . . .27
Manual Date Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Manual Time Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Obtaining Time from a Time Server . . . . . . . . . . . . . . . . . . . .28
Displaying Inventory and Status Parameters . . . . . . . . . . . . . . . . . . . .28
Displaying Unit Inventory Information . . . . . . . . . . . . . . . . . . .28
Displaying BelAir100 Status Parameters . . . . . . . . . . . . . . . . .28
Saving and Restoring the BelAir100 Configuration . . . . . . . . . . . . . . .29
Local Back Up of the Configuration Database . . . . . . . . . . . .29
Saving and Restoring Node Configuration Parameters . . . . . .29
Remote Back Up and Restore of the Configuration Database 30

Common Radio Module Configuration Commands . . . . . . . . . . 32

Displaying the Radio Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Displaying All Configuration Parameters . . . . . . . . . . . . . . . . .32
Backhaul Radio Operational Information . . . . . . . . . . . . . . . . .33
Displaying the MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . .35
Displaying All MAC Configuration Parameters . . . . . . . . . . . .35
Radio Mode or Disabling a Radio . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Antenna Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Channel Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37

June 30, 2006 Confidential Page 140 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Detailed Table of Contents

Transmission Power Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38

Dynamic Frequency Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39

Access Radio Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Client Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Displaying the Number of Associated Clients . . . . . . . . . . . . .40
Displaying the Client Details . . . . . . . . . . . . . . . . . . . . . . . . . .43
Access Radio Transmission Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Access Radio Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Access Radio Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45

Backhaul Link Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Backhaul Link Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Backhaul Radio Service Set Identifiers . . . . . . . . . . . . . . . . . . . . . . . . .48
Backhaul Transmission Power Control . . . . . . . . . . . . . . . . . . . . . . . .48
5 GHz P-to-P Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
2.4 GHz MP-to-MP Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
5 GHz MP-to-MP Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
5 GHz P-to-MP Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Additional MP-to-MP Link Commands . . . . . . . . . . . . . . . . . . . . . . . .51
Displaying MP Link Information . . . . . . . . . . . . . . . . . . . . . . . .51
Enabling or Disabling MP Functionality . . . . . . . . . . . . . . . . . .51
Managing Bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Displaying the Mesh Topology . . . . . . . . . . . . . . . . . . . . . . . . .52
Managing the Mesh Blacklist . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Doing a Mesh Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Mesh Portal Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Managing RSTP BPDUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Managing the Mesh Accept List . . . . . . . . . . . . . . . . . . . . . . . .55
Associated and Peer Backhaul Radio MAC Addresses . . . . . . . . . . . .56
Accepting the Currently Associated Backhaul Radio . . . . . . .56
Statically Configuring the Peer Backhaul Radio MAC Address 57
Discarding the Associated Backhaul Radio MAC Address . . .57
Changing the Peer Backhaul Radio MAC Address . . . . . . . . .57
Example – Associated and Peer Backhaul Radio MAC Addresses
58

June 30, 2006 Confidential Page 141 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Detailed Table of Contents

Wireless Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Configuring Security for Wireless Clients . . . . . . . . . . . . . . . . . . . . . .59
Pre-Shared Key WEP Encryption . . . . . . . . . . . . . . . . . . . . . . .61
Managing RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
802.1X Authentication with WEP Encryption . . . . . . . . . . . . .64
WPA1 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
WPA2 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Wireless Client Access Control List . . . . . . . . . . . . . . . . . . . .68
MAC Authorization Response Timeout . . . . . . . . . . . . . . . . .69
Configuring Security for Backhaul Links . . . . . . . . . . . . . . . . . . . . . . .69
Radios with Part Number B2CC033AA . . . . . . . . . . . . . . . . .69
All Other Backhaul Radios . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Controlling Inter-client Communication . . . . . . . . . . . . . . . . . . . . . . .71
Determining the MAC Address of the Internet gateway . . . .71
Disabling or Enabling Access Radio Wireless Bridging . . . . . .72
Disabling Inter-AP Wireless Client Communication . . . . . . . .72
Detecting Rogue Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74

Managing Access Radio SSIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Adding or Modifying an SSID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Managing Basic SSIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Deleting a SSID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Displaying the List of Available SSIDs . . . . . . . . . . . . . . . . . . . . . . . . . .78
Displaying the List of Associated Clients for a Given Access Radio SSID
79

Layer 2 Network Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . 82

BelAir100 Layer 2 Switch Port Assignment . . . . . . . . . . . . . . . . . . . . .82
Using Layer 2 Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Using Virtual LANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Configuring the IP Address of a VLAN . . . . . . . . . . . . . . . . . .84
Managing Egress Node Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
VLAN Conversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
VLAN Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85

June 30, 2006 Confidential Page 142 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Detailed Table of Contents

Using Layer 2 Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Configuring the BelAir Node for Layer 2 Tunneling . . . . . . . . . . . . . .88
Displaying Tunnel Configuration and Status . . . . . . . . . . . . . .89
Starting and Stopping Layer 2 Tunneling . . . . . . . . . . . . . . . . .89
Adding and Removing Layer 2 Tunnels . . . . . . . . . . . . . . . . . .89
Mapping User Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Configuring the Network Central Router for Layer 2 Tunneling . . . .90

Quality of Service Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Prioritizing Traffic Based on User Priority Bits . . . . . . . . . . . . . . . . . .92
Prioritizing Traffic using VLAN IDs . . . . . . . . . . . . . . . . . . . . . . . . . . .92
Enabling or Disabling Wireless Multi-media . . . . . . . . . . . . . . . . . . . .93
Managing the QoS Priority Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Managing the QoS Mapping Scheme . . . . . . . . . . . . . . . . . . . . . . . . . .93
Resetting the QoS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Resetting the QoS Configuration for a VLAN . . . . . . . . . . . . . . . . . . .95
Displaying a Summary of QoS Settings . . . . . . . . . . . . . . . . . . . . . . . .95
Displaying the VLAN QoS Settings . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Displaying the Prioritization Settings . . . . . . . . . . . . . . . . . . . . . . . . . .96

BelAir100 Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Radio Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Wireless Communication Statistics . . . . . . . . . . . . . . . . . . . . .97
Wireless Security Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . .97

Performing a Software Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Upgrade Process Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Downloading a New Software Load . . . . . . . . . . . . . . . . . . . . . . . . .100
Canceling a Software Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Activating a Software Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Committing a New Software Load . . . . . . . . . . . . . . . . . . . . . . . . . .102
Backing Out from a Software Upgrade . . . . . . . . . . . . . . . . . . . . . . .103
Displaying the Status of the Software Upgrade . . . . . . . . . . . . . . . . .105

BelAir100 Network Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Configuration of IP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107

June 30, 2006 Confidential Page 143 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Detailed Table of Contents

Configuring the Remaining Parameters . . . . . . . . . . . . . . . . . . . . . . .107

Configuration Commands for BA200-A . . . . . . . . . . . . . . . .108
Configuration Commands for BA200-B . . . . . . . . . . . . . . . .108
Configuration Commands for BA100-A . . . . . . . . . . . . . . . .109
Additional Backhaul Configuration Options . . . . . . . . . . . . .109

For More Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Working Out Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
On the Road and in the Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112

Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Support Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Warranty and Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Alarm and Event Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Alarm Types and Severity . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Displaying Active Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Displaying the Alarm History . . . . . . . . . . . . . . . . . . . . . . . . .115
Setting the Alarm Type Mask . . . . . . . . . . . . . . . . . . . . . . . . .116
Setting the Alarm Severity Mask . . . . . . . . . . . . . . . . . . . . . .117
Displaying the Alarm Mask . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Alarm Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Using SYSLOG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
Displaying the SYSLOG Configuration . . . . . . . . . . . . . . . . .121
Configuring the SYSLOG Server IP Address . . . . . . . . . . . . .122
Sending SYSLOG Messages to a CLI Session . . . . . . . . . . . . .122
Configuring the Log Level . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Enabling or Disabling Logging . . . . . . . . . . . . . . . . . . . . . . . . .123

Definitions and Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Appendix A: Node Configuration Sheets . . . . . . . . . . . . . . . . . . 126

Appendix B: BelAir100 Factory Defaults . . . . . . . . . . . . . . . . . . 129

Resetting a BelAir100 Configuration to Factory Defaults . . . . . . . . .129
Resetting to Factory Defaults with a CLI Command . . . . . .129

June 30, 2006 Confidential Page 144 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Detailed Table of Contents

Resetting to Factory Defaults with a Reset Dongle . . . . . . .129

Factory Defaults Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Default Node Configuration . . . . . . . . . . . . . . . . . . . . . . . . .132
Default Radio Module Configuration . . . . . . . . . . . . . . . . . . .133
Default QoS Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Default Layer 2 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . .135

Appendix C: Connecting to the Ethernet Interface . . . . . . . . . . 136

Configuration Terminal Set-up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Required Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Connection Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137

Detailed Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

List of Figures

Figure 1: BelAir100 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
Figure 2: Access Radio Coverage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
Figure 3: BelAir100 Hardware Module Block Diagram . . . . . . . . . . . . . . . . . . .6
Figure 4: BelAir100 Layer 2 View, Typical Configuration . . . . . . . . . . . . . . . . .7
Figure 5: Wireless Mobility using L2TP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Figure 6: Active and Standby Software Loads . . . . . . . . . . . . . . . . . . . . . . . . .99
Figure 7: Software Upgrade Step 3 - Downloading the New Software Load 101
Figure 8: Software Upgrade Step 7 - Commit the Software Load . . . . . . . .103
Figure 9: Backing Out from an Uncommitted Software Upgrade . . . . . . . . .104
Figure 10: Simple BelAir200 and BelAir100 Network Configuration . . . . . .106
Figure 11: Reset Dongle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Figure 12: Removing Cover from a BelAir100 . . . . . . . . . . . . . . . . . . . . . . .131
Figure 13: Installing a Reset Dongle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Figure 14: Typical Required Equipment for an Optical Ethernet interface . .136
Figure 15: BelAir100 Connector Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Figure 16: Connection Setup for BelAir100 with an Optical Ethernet Interface
138

List of Tables

Table 1: Product Name Synonyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3

Table 2: Standard SNMP MIBs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

June 30, 2006 Confidential Page 145 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide Detailed Table of Contents

Table 3: BelAir Enterprise MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

Table 4: Command Line Interface Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Table 5: Output Field Descriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Table 6: Access Radio Profile Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Table 7: Implementing Combinations of Encryption and Authentication Options
60
Table 8: Output Field Descriptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Table 9: Traffic Priority Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Table 10: User Priority Value to Priority Queue Processing . . . . . . . . . . . . . .92
Table 11: UP and DSCP Value to Priority Queue Processing . . . . . . . . . . . . .94
Table 12: More Information — Getting Started. . . . . . . . . . . . . . . . . . . . . . .110
Table 13: More Information — Working Out Details . . . . . . . . . . . . . . . . . .111
Table 14: More Information — On the Road and in the Field. . . . . . . . . . . .112
Table 15: BelAir100 Alarm Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Table 16: BelAir User Interface Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Table 17: Default OAM IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Table 18: Default Country of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Table 19: Default System Identification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Table 20: Default Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Table 21: Default Mesh Settings (if equipped) . . . . . . . . . . . . . . . . . . . . . . . .133
Table 22: Default ARM Settings (if equipped). . . . . . . . . . . . . . . . . . . . . . . . .133
Table 23: Default BRM Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134
Table 24: BRM Default Key Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Table 25: Default QoS Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Table 26: Default Layer 2 Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135

June 30, 2006 Confidential Page 146 of 147

Document Number BDTM10001-A05 Standard
BelAir100 User Guide

BelAir Networks Inc. General Information Sales Visit us on the web at:
603 March Road [email protected] [email protected]
Kanata, Ontario www.belairnetworks.com
Canada Technical Support
K2K 2M5 [email protected]

1-877-BelAir1 (235-2471)
613-254-7070

June 30, 2006 Confidential Page 147 of 147

Document Number BDTM10001-A05 Standard

147