Access Point Features

The Intel® PRO/Wireless 2011B LAN Access Point includes features for different interface connections and network management. The access point:

MAC Layer Bridging

The access point listens to all packets on all interfaces and builds an address database using the unique IEEE 48-bit address (MAC address). An address in the database includes the interface media that the device uses to associate with the access point. The access point uses the database to forward packets from one interface to another. The bridge forwards packets addressed to unknown systems to the default interface, either Ethernet or Point-to-Point Protocol (PPP).

Each access point stores information about destinations and their interfaces to facilitate forwarding. When a user sends an Address Resolution Protocol (ARP) request packet, the access point forwards it over all enabled interfaces, including Ethernet, PPP, radio, and WLAP (Wireless LAN Access Point), except the one that received the request. When the ARP response packet arrives, the access point records the responding address and the receiving interface in its database. Using this information, the access point forwards any directed packet to the correct destination. The access point forwards any packet with an unknown destination to the default interface, normally Ethernet. Because ARP requests are flooded this way, every computer on every enabled interface sees them.

The access point removes from its database destinations or interfaces that have not been used for a specified amount of time. It refreshes an entry whenever it transmits data to or receives data from that destination or interface.
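The learning and aging behaviour described above, as an added example (not Intel firmware code): a learning bridge that floods broadcast and group-address frames to every enabled interface except the one they arrived on, sends unknown unicast frames to the default interface, and ages out entries that have gone silent. The 300-second aging value, the interface names, the MAC addresses in the demo, and the decision to drop an unknown unicast frame that arrives on the default interface itself are assumptions; the page gives none of these.

```python
"""Learning-bridge forwarding table with aging, modelled on the MAC-layer
bridging description.  Added illustration, not access point firmware."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
AGE_LIMIT_S = 300.0          # assumed aging interval; the page gives no figure


@dataclass
class Bridge:
    interfaces: tuple                        # enabled interfaces, e.g. ("ethernet", "radio", "ppp")
    default_iface: str = "ethernet"          # where unknown unicast goes
    table: dict = field(default_factory=dict)   # MAC -> (interface, last-seen time)

    def _learn(self, mac: str, iface: str, now: float) -> None:
        # every received frame (re)learns and refreshes its source address
        self.table[mac] = (iface, now)

    def _expire(self, now: float) -> None:
        stale = [m for m, (_, seen) in self.table.items() if now - seen > AGE_LIMIT_S]
        for m in stale:
            del self.table[m]

    def forward(self, src: str, dst: str, in_iface: str, now: float) -> list:
        """Return the list of interfaces the frame is transmitted on."""
        if in_iface not in self.interfaces:
            raise ValueError(f"unknown ingress interface {in_iface!r}")
        self._expire(now)
        self._learn(src, in_iface, now)
        first_octet = int(dst.split(":")[0], 16)
        if first_octet & 1:                  # broadcast or group address: flood all but ingress
            return [i for i in self.interfaces if i != in_iface]
        entry = self.table.get(dst)
        if entry is None:                    # unknown unicast: default interface
            # assumption: never send a frame back out the interface it came from
            return [] if in_iface == self.default_iface else [self.default_iface]
        out_iface = entry[0]
        return [] if out_iface == in_iface else [out_iface]   # same segment: filter


def demo() -> list:
    """Constructed traffic: ARP request from a radio client, reply from an Ethernet host."""
    b = Bridge(("ethernet", "radio", "ppp"))
    client, host = "00:a0:f8:11:22:33", "00:50:56:aa:bb:cc"   # constructed MACs
    steps = [
        b.forward(client, BROADCAST, "radio", 0.0),     # ARP request flooded
        b.forward(host, client, "ethernet", 1.0),       # ARP reply, host learned
        b.forward(client, host, "radio", 2.0),          # directed to Ethernet
        b.forward(client, host, "radio", 400.0),        # host aged out: default iface
    ]
    return steps


if __name__ == "__main__":
    print(demo())
```

The `demo()` result shows the four cases in order: flood, learned reply, directed forwarding, and the fallback to the default interface once the host entry has aged out.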

Filtering and Access Control

The access point can restrict which clients send data packets through it. Filters provide a measure of network security and improve performance by keeping broadcast and multicast packets off the radio network.

You can use the Access Control List (ACL) to specify MAC addresses for clients allowed to associate with the access point. This stops unlisted clients from associating, but because MAC addresses travel in the clear and can be changed in software, an ACL deters casual rather than deliberate unauthorized access; do not rely on it as the only control.

The access point also supports a list of disallowed destinations. To block communication with specific destinations, add to the list network devices that have no need to communicate with the access point or its clients.

Depending on the setting, the access point can keep a list of frame types that it forwards or discards. Type Filtering prevents specific frames from being processed by the access point. Filtering out unnecessary frames can improve performance by discarding certain broadcast frames from devices unimportant to the wireless LAN.

Auto Fallback to Wireless Mode

The access point supports an auto fallback to wireless mode if the wired Ethernet connection fails and the access point is in Wireless LAN Access Point (WLAP) Mode. The access point resets itself and, during initialization, attempts to associate with any other WLAP in the network. This allows the access point to communicate wirelessly with other access points.

To make this feature available, set the WLAP Mode in the RF Configuration screen to Link Required.

DHCP Support

The access point can use Dynamic Host Configuration Protocol (DHCP) to obtain a leased IP address and network configuration information from a DHCP server. It broadcasts a DHCP request and takes the network configuration and firmware filenames from the server's reply.

The access point can download the firmware file and an HTML file when a boot takes place. You can configure a DHCP or BOOTP server to transfer these two files when a DHCP request is made. Because the access point takes the filenames from whichever DHCP server answers, enable this only on a LAN where unauthorized DHCP servers are prevented. Use these DHCP options for the specific file or information to download:

If the access point receives a network configuration change or is not able to renew the IP address lease, it sends out an SNMP trap.

NOTE: Mobile IP is not available when DHCP is used. When configuring an access point and mobile device for Mobile IP, disable DHCP support.

Bridging Support

The access point PPP interface, accessible from the serial port at the rear of the access point, provides two types of bridging operations: Data-link and Internet Protocol.

Data-link bridging between two access points.

A network using a data-link bridge provides radio coverage by using a remote access point in a location geographically distant from the access point connected to the Ethernet network. The remote access point cannot provide an Ethernet connection to other access points. Computers associating with the remote access point transmit and receive from the Ethernet network through the PPP link.


Internet Protocol bridging between an access point and a computer. 

To establish an Internet Protocol bridge with an access point, use a computer running Telnet software with PPP and TCP/IP protocols. Using Telnet, a remote computer can connect to any access point on an Ethernet network, provided the data travels as IP packets.


PPP Bridging Considerations

With a PPP link, you can use a direct serial link or modem to extend a wired Ethernet network.

When in PPP mode, the access point automatically attempts to communicate with the other device using the Data-Link Bridging (DLB) protocol. An access point using DLB communicates on the MAC level, and receives and transmits Ethernet frames. If the other device does not support DLB, the access point attempts to communicate using Internet Protocol Control Protocol (IPCP). An access point using IPCP communicates on the IP level, and receives and transmits Internet Protocol (IP) packets.

The PPP implementation in the access point uses the Link Control Protocol (LCP) and Network Control Protocol (NCP). The access point database dynamically tracks computers and access points on the PPP interface.

Connecting two access points with a direct serial link requires a null-modem serial cable. Connecting two access points with modem devices requires straight-through cables between the access points and modems. Using modems requires a telephone line for as long as the link remains active.

When using a modem connection, one access point represents the originating access point and the other represents the answering access point. When using a PPP link, do not use the serial port to access the access point management screens. To access the management screens, you must establish a Telnet session with the access point. Telnet carries the whole session, including the password, unencrypted, so manage the access point only from a trusted network segment.

Cellular Coverage

The access point establishes an average communication range with clients called a Basic Service Set (BSS) or cell. When in a particular cell, the client associates and communicates with the access point of that cell. Each cell has a Basic Service Set Identifier (BSSID). In IEEE 802.11, the access point MAC address is the BSSID. The client recognizes the associated access point from its BSSID. Adding access points to a LAN establishes more cells in an environment, creating a wireless network using the same Extended Service Set Identifier (ESSID).

Access points with the same ESSID, also known as the Service Set Identifier (SSID) or Network Name, define a coverage area. To establish communication, the client searches for access points with a matching SSID and synchronizes with an access point. This allows clients within the coverage area to move about, or roam. As the client roams from cell to cell, it switches access points. The switch occurs when the client analyzes the reception quality at a location and chooses the access point to communicate with based on the best signal strength and the lowest client load.

You configure the SSID. A valid SSID is an alphanumeric, case-sensitive identifier up to 32 characters. All nodes within one LAN must use the same SSID to communicate on the same LAN. Multiple wireless LANs can coexist in a single environment if you assign a different SSID for each access point and the clients that communicate with the corresponding access points. The SSID is advertised in beacons and probe responses, so it separates networks but does not protect them.

Root Access Point and Association Process

By default, access points with Wireless LAN Access Point (WLAP) Mode enabled and within range of each other automatically associate and configure wireless operation parameters at power up. This association process determines the wireless connection viability and establishes the root access point and subsequently designated WLAPs.

Access points that are communicating wirelessly require the same settings for: 

The root access point maintains the wireless connection among WLAPs by sending out beacons and sending and receiving configuration Bridge Protocol Data Unit (BPDU) packets between each designated WLAP. The WLAP with the lowest WLAP ID becomes the root access point. A concatenation of the WLAP Priority value and the MAC address becomes the WLAP ID.

WLAPs associated with the root access point use the root access point channel, Delivery Traffic Indication Message (DTIM), and Traffic Indication Map (TIM) interval.

The following picture illustrates the root association process between access points. 

In this configuration, the Wireless LAN Access Point (WLAP) Priority value is the default, 8000 Hex. After concatenating this value to the MAC addresses of the access points, access point A on Ethernet I has the lowest WLAP ID (800000A0F800181A), making it the root access point. Access point C uses the Access point A channel, DTIM, and TIM interval.

If access point D on Ethernet II has data for a device on Ethernet I, it requires a bridge or a repeater. In this configuration, access point C functions as a repeater. To ensure transmission to devices on Ethernet I, access point D must use the access point A channel, DTIM, and TIM interval.

To manually designate access point B as the root access point, assign it a WLAP Priority value of 8000 and assign a higher WLAP Priority value to all other access points. The WLAP ID begins with the priority value, so the access point with the lowest priority value has the lowest WLAP ID regardless of its MAC address.
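The WLAP ID computation and root election as a worked example, added here rather than taken from the access point firmware. Access point A's MAC address (00:A0:F8:00:18:1A) is the one from the page; the other access point names and MAC addresses, and the priority value given to the non-root access points when B is designated manually, are constructed.

```python
"""Root WLAP election: WLAP ID = 16-bit WLAP Priority || 48-bit MAC, lowest wins.
Added example; only access point A's MAC address comes from the page."""

DEFAULT_PRIORITY = 0x8000           # factory default priority value
HEX_DIGITS = set("0123456789ABCDEF")


def wlap_id(priority: int, mac: str) -> str:
    """Concatenate the 4-hex-digit priority and the 12-hex-digit MAC address."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("WLAP Priority is a 16-bit value")
    mac_hex = mac.replace(":", "").replace("-", "").upper()
    if len(mac_hex) != 12 or set(mac_hex) - HEX_DIGITS:
        raise ValueError(f"bad MAC address {mac!r}")
    return f"{priority:04X}{mac_hex}"


def elect_root(aps: dict) -> str:
    """aps maps an access point name to (priority, mac); returns the root's name."""
    if not aps:
        raise ValueError("no access points in WLAP mode")
    return min(aps, key=lambda name: int(wlap_id(*aps[name]), 16))


def designate_root(aps: dict, chosen: str) -> dict:
    """Manual designation as the page describes: the chosen WLAP keeps 8000 hex,
    every other WLAP gets a higher priority value (8001 hex here, an assumption)."""
    if chosen not in aps:
        raise KeyError(chosen)
    return {name: (DEFAULT_PRIORITY if name == chosen else DEFAULT_PRIORITY + 1, mac)
            for name, (_, mac) in aps.items()}


# Constructed topology: A's MAC is from the page, the rest are made up.
ACCESS_POINTS = {
    "A": (DEFAULT_PRIORITY, "00:A0:F8:00:18:1A"),
    "B": (DEFAULT_PRIORITY, "00:A0:F8:00:18:2B"),
    "C": (DEFAULT_PRIORITY, "00:A0:F8:00:19:0C"),
    "D": (DEFAULT_PRIORITY, "00:A0:F8:00:20:0D"),
}

if __name__ == "__main__":
    for name, (prio, mac) in ACCESS_POINTS.items():
        print(name, wlap_id(prio, mac))
    print("root with defaults:", elect_root(ACCESS_POINTS))
    print("root with B designated:", elect_root(designate_root(ACCESS_POINTS, "B")))
```

With every priority at the default, the MAC address alone decides and A wins; after `designate_root(..., "B")` the priority field dominates the comparison and B becomes root even though its MAC address sorts after A's.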

Client Association Process

Access points recognize wireless clients when they associate with the access point. The access point keeps a list of the clients it services. Clients associate with an access point based on the following conditions:

Clients perform preemptive roaming by intermittently scanning for access points and associating with the best available access point. Before roaming and associating with access points, clients scan to collect access point statistics and determine the direct-sequence channel used by the access point.

Scanning is an intermittent process in which the wireless client sends out probe messages on all frequencies defined by the country code. The statistics enable a client to reassociate by synchronizing its frequency to the access point. The client continues communicating with that access point until it needs to switch cells or roam.

Clients perform full scans at power-up. In a full scan, a client uses a sequential set of channels as the scan range. For each channel in the range, the client tests for Clear Channel Assessment (CCA). When a transmission-free channel becomes available, the client broadcasts a probe with the Network Name (SSID) and the broadcast BSSID. An access point directed probe response generates a client acknowledgment (ACK) and the addition of the access point to the access point table with a proximity classification. An unsuccessful access point packet transmission generates another client probe on the same channel. If the client fails to receive a response within the time limit, it repeats the probe on the next channel in the sequence. This process continues through all channels in the range.

Clients perform partial scans at programmed intervals, when missing expected beacons or after excessive transmission retries. In a partial scan, the client scans access points classified as proximate on the access point table. For each channel, the client tests for CCA. The client broadcasts a probe with the Network Name (SSID) and broadcast BSSID when the channel is transmission free. It sends an ACK to a directed probe response from the access point and updates the access point table. If an access point packet transmission is unsuccessful, the client broadcasts another probe on the same channel. The client classifies an access point as out-of-range in the access point table if it fails to receive a probe response within the time limit. This process continues through all access points classified as proximate on the access point table.

A client can roam within a coverage area by switching access points. Roaming occurs if:

To begin association, a client selects the best available access point and adjusts to the access point direct-sequence channel. When associated, the access point begins forwarding any frames addressed to the client. Each frame contains fields for the current direct-sequence channel. The client uses these fields to resynchronize to the access point.

The scanning and association process continues for active clients. This process allows the client to choose the best network connection available by finding new access points and discarding out-of-range or deactivated access points.

Data Encryption

The Intel PRO/Wireless 2011B LAN uses the Wired Equivalent Privacy (WEP) encryption and decryption algorithm specified in Section 8 of the IEEE 802.11 wireless LAN standard. WEP is a symmetric cipher: the same key encrypts and decrypts, and it was intended to provide security equivalent to that of a wired network, hence the "Wired Equivalent" portion of the name. WEP does not meet that goal: its RC4 keystream repeats whenever the 24-bit initialization vector repeats, and published attacks (Fluhrer, Mantin and Shamir, 2001) recover the key from passively captured traffic. Treat it as a deterrent against casual eavesdropping, not as confidentiality.

The IEEE 802.11 standard defines two types of authentication, Open System and Shared Key:

To implement WEP on each access point, use either a 64-bit key or a 128-bit key. A 64-bit key consists of 10 hexadecimal digits in two 5-digit groups (40 secret bits), arrayed as follows.

	10111 21314

A 128-bit key consists of 26 hexadecimal digits in two 5-digit groups and four 4-digit groups (104 secret bits), arrayed as follows.

	10111 21314 1516 1718 191A 1B1C

The remaining 24 bits of either key size are the per-frame initialization vector (IV). The transmitter chooses the IV, sends it in the clear ahead of the encrypted frame body, and you cannot configure it.

NOTE: If you implement the shared key authentication mode, you must configure all access points and clients to use the same key. Shared key authentication also exposes a plaintext challenge and its encrypted response to any listener, which yields the keystream for that IV; it is no stronger than open system authentication with WEP encryption enabled.
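An added example, not part of the original page, that parses the grouped key layouts above into 5-byte and 13-byte secrets and then walks through WEP framing with a minimal RC4 and CRC-32 ICV implementation. The frame payloads and the IV are constructed; the last function shows what an eavesdropper learns from two frames sent under the same IV without knowing the key, which is why IV repetition matters.

```python
"""WEP key parsing and framing, with the IV-reuse weakness made visible.
Added illustration; the RC4/WEP code is a minimal reimplementation, not firmware."""
import struct
import zlib

KEY_SIZES = {5: "64-bit (40 secret bits)", 13: "128-bit (104 secret bits)"}


def parse_wep_key(groups: str) -> bytes:
    """Accept the grouped hex layout from the configuration screen, e.g. '10111 21314'."""
    hexstr = "".join(groups.split())
    if len(hexstr) not in (10, 26):
        raise ValueError("WEP key must be 10 or 26 hexadecimal digits")
    return bytes.fromhex(hexstr)


def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (IV || secret in WEP)."""
    s = list(range(256))
    j = 0
    for i in range(256):                                 # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                                   # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(data: bytes) -> bytes:
    # CRC-32 integrity check value, little-endian as on the air
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (in the clear) || RC4(IV||secret) XOR (plaintext || ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    if len(secret) not in KEY_SIZES:
        raise ValueError("secret must be 5 or 13 bytes")
    keystream = rc4(iv + secret, len(plaintext) + 4)
    body = bytes(a ^ b for a, b in zip(plaintext + _icv(plaintext), keystream))
    return iv + body


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    """Receiver side: strip the clear IV, undo RC4, verify the ICV."""
    iv, body = frame[:3], frame[3:]
    clear = bytes(a ^ b for a, b in zip(body, rc4(iv + secret, len(body))))
    plaintext, icv = clear[:-4], clear[-4:]
    if _icv(plaintext) != icv:
        raise ValueError("ICV check failed")
    return plaintext


def plaintext_xor_from_iv_reuse(frame1: bytes, frame2: bytes) -> bytes:
    """Attacker view: two frames under one IV share a keystream, so XORing the
    bodies cancels it and leaks P1 XOR P2 (and ICV1 XOR ICV2) without the key."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("IVs differ; this shortcut needs a reused IV")
    return bytes(a ^ b for a, b in zip(frame1[3:], frame2[3:]))


if __name__ == "__main__":
    key = parse_wep_key("10111 21314")                   # layout from the page
    iv = b"\x01\x02\x03"                                 # constructed, reused on purpose
    f1 = wep_encrypt(key, iv, b"GET /index.html ")
    f2 = wep_encrypt(key, iv, b"POST /login.cgi ")
    print("IV on the air:", f1[:3].hex())
    print("P1 xor P2 recovered:", plaintext_xor_from_iv_reuse(f1, f2)[:16].hex())
```

With only 2^24 IVs and no rule forcing them to be distinct, a busy cell repeats IVs within hours; the CRC-32 ICV is also linear, so it detects accidental damage but not deliberate bit flips made together with the matching ICV adjustment.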

Mobile IP

The Internet Protocol (IP) identifies the point of attachment to a network through the computer's IP address. Routers forward packets according to the destination address in the IP header, which encodes that point of attachment. If a wireless client roams across routers to another subnet, the following problems occur:

Mobile IP enables a wireless client to communicate on the network using its home IP address after changing its point of attachment to another subnet.

NOTE: Mobile IP does not work with addresses assigned dynamically through DHCP. To use the Mobile IP feature, the station must have a static IP address.  

Mobile IP is like giving a person who leaves home for an extended period a local post office forwarding address. When mail arrives for the individual, it is sent by the local post office to the current forwarding address (or care-of-address). Using this method, only the local post office requires notification of the forwarding address. While this example represents the general concept of Mobile IP operation and functionality, it does not represent the implementation of Mobile IP used.

Mobile IP Terms

A tunnel is the path taken by the original packet encapsulated within the payload portion of a second packet to a destination on the network.

A Home Agent is an access point acting as a router on the client's home network. The home agent intercepts packets sent to the client home address and tunnels the message to the client at its current location. This occurs if the client keeps its home agent informed of its current location on a foreign link.

A Foreign Agent is an access point acting as a router at the client's location on a foreign link. The foreign agent serves as the default router for packets sent out by the client connected on the same foreign link.

A care-of-address is the IP address used by the client visiting a foreign link. This address changes each time the client moves to another foreign link. It can also be viewed as an exit point of a tunnel between the client's home agent and the client itself.

Mobile IP Example

The following diagram illustrates Mobile IP:

When the client moves to an access point on another subnet, mobile IP allows it to continue to communicate as if it were on its original subnet.

Mobile IP Using MD5 Authentication

Security is important to mobile users. Enabling the Mobile-Home MD5 key option in the System Configuration menu configures a shared secret (the key) that the client and the access point use to authenticate the messages they exchange. The access point runs the MD5 algorithm over each message together with the key to produce a 16-byte checksum, the authenticator, and accepts a message only if the value the client sent matches. The key is used while the client visits a foreign subnet, and the client and access point must use the same key; if they don't, the access point refuses to become the Home Agent for the client. The maximum key length is 13 characters, and the access point allows all printable characters.

MD5 is a message-digest algorithm that takes an arbitrarily long message and computes a 16-byte (128-bit) digest version of the original message. The message digest is the authentication checksum of a message from a mobile client to an access point during the Home Agent registration process.

Because the authenticator depends on the shared key, the MD5 construction prevents an outside computer that does not hold the key from impersonating an authenticated client. You can think of the message-digest as a fingerprint of the original message that is computed using an algorithm; the probability of an outside entity reproducing it without the key is remote, provided the key is not guessable. An attacker who captures one registration exchange can test key guesses offline, so use the full 13 characters and pick them at random rather than choosing a word.
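The registration authenticator as an added example, not code from the access point. The registration request layout is a constructed RFC 2002-style Registration Request with no extensions, and the keyed-MD5 prefix+suffix construction (MD5 over key || message || key) is the RFC 2002 default, assumed here because the page does not say how the key and the message are combined. The home addresses, lifetime, identification value and keys are constructed; the last function shows why the 13-character limit should be used in full.

```python
"""Mobile IP Home Agent registration authenticator with a Mobile-Home MD5 key.
Added example; keyed-MD5 prefix+suffix mode is assumed (RFC 2002 default)."""
import hashlib
import hmac
import itertools
import struct

MAX_KEY_LEN = 13                         # limit stated on the page


def check_key(key: str) -> bytes:
    """Enforce the page's constraints: 1 to 13 printable characters."""
    if not 1 <= len(key) <= MAX_KEY_LEN:
        raise ValueError("Mobile-Home MD5 key is 1 to 13 characters")
    if not all(32 <= ord(c) <= 126 for c in key):
        raise ValueError("key must consist of printable ASCII characters")
    return key.encode("ascii")


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def registration_request(home_addr: str, home_agent: str, care_of: str,
                         lifetime: int, identification: int) -> bytes:
    """Constructed Registration Request: type 1, flags 0, lifetime, home address,
    home agent, care-of address, 64-bit identification (replay protection field)."""
    return struct.pack("!BBH4s4s4sQ", 1, 0, lifetime,
                       _ip(home_addr), _ip(home_agent), _ip(care_of), identification)


def authenticator(key: bytes, message: bytes) -> bytes:
    """16-byte authenticator: MD5(key || message || key), assumed prefix+suffix mode."""
    return hashlib.md5(key + message + key).digest()


def home_agent_accepts(ha_key: str, message: bytes, received: bytes) -> bool:
    """Home Agent side: recompute with its own key and compare in constant time.
    A mismatch means the access point refuses to act as Home Agent."""
    expected = authenticator(check_key(ha_key), message)
    return hmac.compare_digest(expected, received)


def guess_key_offline(message: bytes, received: bytes, alphabet: str, length: int):
    """Attacker with one captured request and its authenticator tests keys offline.
    Returns the recovered key, or None if it is not in the searched space."""
    for candidate in itertools.product(alphabet, repeat=length):
        key = "".join(candidate)
        if authenticator(key.encode("ascii"), message) == received:
            return key
    return None


if __name__ == "__main__":
    msg = registration_request("10.0.1.25", "10.0.1.1", "10.0.2.1", 1800, 0x0123456789ABCDEF)
    good = "Xk7#pQ2v!m9Lz"                          # constructed, full 13 characters
    auth = authenticator(check_key(good), msg)
    print("accepted with matching key:", home_agent_accepts(good, msg, auth))
    print("accepted with wrong key:   ", home_agent_accepts("Xk7#pQ2v!m9Lw", msg, auth))
    weak = authenticator(check_key("4711"), msg)    # constructed short numeric key
    print("short key recovered offline:", guess_key_offline(msg, weak, "0123456789", 4))
```

The constant-time comparison matters on the Home Agent side because the authenticator is compared on every registration; the offline search shows that a four-digit key falls to ten thousand MD5 evaluations, while a random 13-character printable key leaves roughly 95^13 candidates.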


Copyright© 2002 Intel Corporation. Legal Information