Cambium PMP 450 Configuration and User Guide: System Release 12.0.2


PMP 450 module essential information

Default IP Address for Management GUI Access: 169.254.1.1
Default Administrator Username: admin
Default Administrator Password: (no password)
Software Upgrade Procedure: See Updating the software version and using CNUT in the PMP 450 Configuration and User Guide

Resetting to Factory Defaults (2 options)

1. On the radio GUI, navigate to Configuration, Unit Settings and select Set to Factory Defaults

OR

2. On the radio GUI, navigate to Configuration, Unit Settings and enable and save option Set to Factory Defaults Upon Default Plug Detection. When the unit is powered on with a default/override plug (see section Acquiring the Override Plug in the PMP 450 Configuration and User Guide) the radio will be returned to its factory default settings.

pmp-0050 (January 2013)

Accuracy
While reasonable efforts have been made to assure the accuracy of this document, Cambium Networks assumes
no liability resulting from any inaccuracies or omissions in this document, or from use of the information obtained
herein. Cambium reserves the right to make changes to any products described herein to improve reliability,
function, or design, and reserves the right to revise this document and to make changes from time to time in
content hereof with no obligation to notify any person of revisions or changes. Cambium does not assume any
liability arising out of the application or use of any product, software, or circuit described herein; neither does it
convey license under its patent rights or the rights of others. It is possible that this publication may contain
references to, or information about Cambium products (machines and programs), programming, or services that
are not announced in your country. Such references or information must not be construed to mean that Cambium
intends to announce such Cambium products, programming, or services in your country.

Copyrights
This document, Cambium products, and 3rd Party Software products described in this document may include or
describe copyrighted Cambium and other 3rd Party supplied computer programs stored in semiconductor
memories or other media. Laws in the United States and other countries preserve for Cambium, its licensors, and
other 3rd Party supplied software certain exclusive rights for copyrighted material, including the exclusive right to
copy, reproduce in any form, distribute and make derivative works of the copyrighted material. Accordingly, any
copyrighted material of Cambium, its licensors, or the 3rd Party software supplied material contained in the
Cambium products described in this document may not be copied, reproduced, reverse engineered, distributed,
merged or modified in any manner without the express written permission of Cambium. Furthermore, the
purchase of Cambium products shall not be deemed to grant either directly or by implication, estoppel, or
otherwise, any license under the copyrights, patents or patent applications of Cambium or other 3rd Party supplied
software, except for the normal non-exclusive, royalty free license to use that arises by operation of law in the sale
of a product.

Restrictions
Software and documentation are copyrighted materials. Making unauthorized copies is prohibited by law. No part
of the software or documentation may be reproduced, transmitted, transcribed, stored in a retrieval system, or
translated into any language or computer language, in any form or by any means, without prior written permission
of Cambium.

License Agreements
The software described in this document is the property of Cambium and its licensors. It is furnished by express
license agreement only and may be used only in accordance with the terms of such an agreement.

High Risk Materials


Components, units, or 3rd Party products used in the product described herein are NOT fault-tolerant and are
NOT designed, manufactured, or intended for use as on-line control equipment in the following hazardous
environments requiring fail-safe controls: the operation of Nuclear Facilities, Aircraft Navigation or Aircraft
Communication Systems, Air Traffic Control, Life Support, or Weapons Systems (High Risk Activities).
Cambium and its supplier(s) specifically disclaim any expressed or implied warranty of fitness for such High Risk
Activities.
© 2012 Cambium Networks, Inc. All Rights Reserved.

Safety and regulatory information


This section describes important safety and regulatory guidelines that must be observed by personnel
installing or operating PMP 450 equipment.

Important safety information


To prevent loss of life or physical injury, observe the safety guidelines in this section.

Power lines
Exercise extreme care when working near power lines.

Working at heights
Exercise extreme care when working at heights.

Grounding and protective earth


PMP 450 units must be properly grounded to protect against lightning. It is the user's responsibility to
install the equipment in accordance with national regulations. In the USA, follow Section 810 of the
National Electric Code, ANSI/NFPA No.70-1984 (USA). In Canada, follow Section 54 of the Canadian
Electrical Code. These codes describe correct installation procedures for grounding the outdoor unit, mast,
lead-in wire and discharge unit, size of grounding conductors and connection requirements for grounding
electrodes. Other regulations may apply in different countries and therefore it is recommended that
installation of the outdoor unit be contracted to a professional installer.

Powering down before servicing


Always power down and unplug the equipment before servicing.

Primary disconnect device


The AP or SM unit's power supply is the primary disconnect device.

External cables
Safety may be compromised if outdoor rated cables are not used for connections that will be exposed to the
outdoor environment.

RF exposure near the antenna


Radio frequency (RF) fields will be present close to the antenna when the transmitter is on. Always turn off
the power to the PMP 450 unit before undertaking maintenance activities in front of the antenna.

Minimum separation distances


Install the AP/SM so as to provide and maintain the minimum separation distances from all persons.
The minimum separation distances for each frequency variant are specified in the PMP 450 Planning
Guide.

Important regulatory information


The PMP 450 product is certified as an unlicensed device in frequency bands where it is not allowed to
cause interference to licensed services (called primary users of the bands).

Radar avoidance
In countries where radar systems are the primary band users, the regulators have mandated special
requirements to protect these systems from interference caused by unlicensed devices. Unlicensed devices
must detect and avoid co-channel operation with radar systems.
Installers and users must meet all local regulatory requirements for radar detection. To meet these
requirements, users must set the correct region code during commissioning of the PMP 450. If this is not
done, installers and users may be liable to civil and criminal penalties.
Contact the Cambium helpdesk if more guidance is required.

USA and Canada specific information


The USA Federal Communications Commission (FCC) has asked manufacturers to implement special
features to prevent interference to radar systems that operate in the 5250-5350 and 5470-5725 MHz bands.
These features must be implemented in all products able to operate outdoors in the UNII band. The use of
the 5600-5650 MHz band is prohibited, even with detect-and-avoid functionality implemented.
Manufacturers must ensure that such radio products cannot be configured to operate outside of FCC rules;
specifically it must not be possible to disable or modify the radar protection functions that have been
demonstrated to the FCC.
In order to comply with these FCC requirements, Cambium supplies variants of the PMP 450 for operation
in the USA or Canada. These variants are only allowed to operate with region codes that comply with
FCC/IC rule.

Contents
PMP 450 module essential information
Safety and regulatory information
  Important safety information
  Important regulatory information
About This Configuration and User Guide
  General information
    Version information
    Contacting Cambium Networks
Chapter 1: Configuration and alignment
  Preparing for configuration and alignment
    Safety precautions during configuration and alignment
  Task 1: Connecting to the unit
    Configuring the management PC
    Connecting to the PC and powering up
    Logging into the web interface
  Task 2: Configuring IP and Ethernet interfaces
    Configuring the AP IP interface
    NAT, DHCP Server, DHCP Client, and DMZ in SM
    Configuring the SM IP interface with NAT disabled
    Configuring the SM IP interface with NAT enabled
    NAT tab of the SM with NAT disabled
    NAT tab of the SM with NAT enabled
    Reconnecting to the management PC
    VLAN Tab of the AP
    VLAN Membership Tab of the AP
    VLAN Tab of the SM
    VLAN Membership Tab of the SM
    PPPoE Tab of the SM
    NAT Port Mapping Tab of the SM
  Task 3: Upgrading the software version and using CNUT
    Checking the installed software version
    Upgrading to a new software version
  Task 4: Configuring General and Unit settings
    General Tab of the AP
    Unit Settings Tab of the AP
    General Tab of the SM
    Unit Settings Tab of the SM
    Time tab of the AP
  Task 5: Configuring security
    Isolating APs from the internet
    Encrypting radio transmissions
    Managing module access by passwords
    Requiring SM Authentication
    Filtering protocols and ports
    Encrypting downlink broadcasts
    Isolating SMs
    Filtering management through Ethernet
    Allowing management only from specified IP addresses
    Configuring management IP by DHCP
    Restricting radio Telnet access over the RF interface
    Security Tab of the AP
    Protocol Filtering tab of the AP
    Port configuration tab of the AP
    Security Tab of the SM
    Protocol Filtering Tab of the SM
    Port configuration tab of the SM
  Task 6: Configuring radio parameters
  Task 7: Setting up SNMP agent
    SNMP Tab of the AP
    SNMP Tab of the SM
  Task 8: Configuring syslog
    Configuring AP system logging (syslog)
    Configuring SM system logging (syslog)
  Task 9: Configuring remote access
    Configuring SM IP over-the-air access
    Accessing SM over-the-air by LUID
  Task 10: Monitoring the AP-SM Link
    Monitoring the AP-SM Link
  Task 11: Configuring quality of service
    Maximum Information Rate (MIR) Parameters
    Token Bucket Algorithm
    MIR Data Entry Checking
    Bandwidth from the SM Perspective
    Interaction of Burst Allocation and Sustained Data Rate Settings
    High-priority Bandwidth
    Traffic Scheduling
    Setting the Configuration Source
    Quality of Service (QoS) Tab of the AP
    DiffServ Tab of the AP
    Quality of Service (QoS) Tab of the SM
    DiffServ Tab of the SM
  Task 12: Configuring a RADIUS server
    Understanding RADIUS for PMP 450
    Choosing Authentication Mode and Configuring for Authentication Servers - AP
    SM Authentication Mode - Require RADIUS or Follow AP
    Handling Certificates
    Configuring your RADIUS servers for SM authentication
    Assigning SM management IP addressing via RADIUS
    Configuring your RADIUS server for SM configuration
    Using RADIUS for centralized AP and SM user name and password management
    RADIUS Device Data Accounting
    RADIUS Device Re-Authentication
    RADIUS Attribute Framed-IP-Address
Appendix A: Glossary

List of Figures
Figure 1 NAT disabled implementation
Figure 2 NAT with DHCP client and DHCP server implementation
Figure 3 NAT with DHCP client implementation
Figure 4 NAT with DHCP server implementation
Figure 5 NAT without DHCP implementation
Figure 6 IP tab of the SM with NAT disabled
Figure 7 IP tab of SM with NAT enabled
Figure 8 NAT tab of the SM with NAT disabled
Figure 9 NAT tab of the SM with NAT enabled
Figure 10 VLAN tab of the AP
Figure 11 VLAN Membership tab of the AP
Figure 12 VLAN tab of the SM
Figure 13 VLAN Membership tab of the SM
Figure 14 Unit Settings tab of the AP
Figure 15 General tab of the SM
Figure 16 Unit Settings tab of the SM
Figure 17 Time tab of the AP
Figure 18 General Status tab view for GUEST-level account
Figure 19 SM Add User tab
Figure 20 Delete User tab of the SM
Figure 21 RJ-11 pinout for the override plug
Figure 22 Categorical protocol filtering
Figure 23 Ports filtered per protocol selection
Figure 24 RF Telnet Access Restrictions (orange) and Flow through (green)
Figure 25 RF Telnet Access Restriction (orange) and Potential Security Hole (green)
Figure 26 Security tab of the AP
Figure 27 Security tab of the SM
Figure 28 Port Configuration tab of the SM
Figure 29 Radio tab of the AP
Figure 30 SNMP tab of the AP
Figure 31 SNMP tab of the SM
Figure 32 AP Syslog Configuration page
Figure 33 SM Syslog Configuration page
Figure 34 SM IP Configuration page
Figure 35 AP Session Status page
Figure 36 AP Remote Subscribers page
Figure 37 AP Session Status page
Figure 38 Uplink and downlink rate caps adjusted to apply aggregate cap
Figure 39 Uplink and downlink rate cap adjustment example
Figure 40 Quality of Service (QoS) tab of the AP
Figure 41 Diffserv tab of the AP
Figure 42 Quality of Service (QoS) tab of the SM
Figure 43 Diffserv tab of the SM
Figure 44 Security tab of the AP
Figure 45 Security tab of the SM
Figure 46 SM Certificate Management
Figure 47 User Authentication tab of the AP
Figure 48 User Authentication tab of the SM

List of Tables
Table 1 IP interface attributes
Table 2 SM with NAT disabled - IP attributes
Table 3 SM with NAT enabled - IP attributes
Table 4 SM with NAT disabled - NAT attributes
Table 5 SM with NAT enabled - NAT attributes
Table 6 SM DNS Options with NAT Enabled
Table 7 AP VLAN tab attributes
Table 8 Q-in-Q Ethernet frame
Table 9 AP VLAN Membership attributes
Table 10 SM VLAN attributes
Table 11 SM VLAN Membership attributes
Table 12 PPPoE tab of the SM
Table 13 SM PPPoE attributes
Table 14 NAT Port Mapping tab of the SM
Table 15 SM NAT Port Mapping attributes
Table 16 General tab of the AP
Table 17 AP General Configuration attributes
Table 18 AP Unit Settings attributes
Table 19 SM General Configuration attributes
Table 20 SM Unit Settings attributes
Table 21 AP Time attributes
Table 22 AP Security attributes
Table 23 Protocol Filtering tab of the AP
Table 24 AP Protocol Filtering attributes
Table 25 Port configuration tab of the AP
Table 26 AP Port Configuration attributes
Table 27 SM Security attributes
Table 28 Protocol Filtering tab of the SM ...................................................................................................... 1-76
Table 29 SM Protocol Filtering attributes....................................................................................................... 1-77
Table 30 SM Port Configuration attributes ..................................................................................................... 1-78
Table 31 AP Radio attributes .......................................................................................................................... 1-80
Table 32 Radio tab of SM ............................................................................................................................... 1-83
Table 33 SM Radio attributes ......................................................................................................................... 1-83
Table 34 AP SNMP attributes ........................................................................................................................ 1-88
Table 35 SM SNMP attributes ........................................................................................................................ 1-91
Table 36 Syslog Configuration attributes ....................................................................................................... 1-94
Table 37 Syslog Configuration attributes ....................................................................................................... 1-94
Table 38 Characteristics of traffic scheduling ............................................................................................... 1-102
1-6

pmp-0050 (January 2013)

PMP 450 module essential information

Safety and regulatory information

Table 39 Recommended combined settings for typical operations................................................................ 1-103


Table 40 Where feature values are obtained for an SM with authentication required ................................... 1-104
Table 41 Where feature values are obtained for an SM with authentication disabled ................................... 1-104
Table 42 AP QoS attributes .......................................................................................................................... 1-105
Table 43 AP Diffserv attributes .................................................................................................................... 1-107
Table 44 SM Quality of Service attributes.................................................................................................... 1-108
Table 45 SM Diffserv attributes ................................................................................................................... 1-111
Table 46 RADIUS Vendor Specific Attributes (VSAs) ............................................................................... 1-120
Table 47 AP User Authentication and Access Tracking attributes ............................................................... 1-123
Table 48 SM User Authentication and Access Tracking attributes .............................................................. 1-125
Table 49 Device data accounting RADIUS attributes .................................................................................. 1-126
Table 50 RADIUS accounting messages configuration................................................................................ 1-128
Table 51 Device re-authentication configuration .......................................................................................... 1-129

pmp-0050 (January 2013)

1-7


About This Configuration and User Guide


This guide describes the configuration of the Cambium PMP 450 Series of point-to-multipoint
wireless equipment deployment. It is intended for use by the system administrator.
After the initial general and legal information, the guide begins with a set of tasks to complete a basic
configuration of the equipment. Once this configuration is complete, the units are ready for
deployment. Advanced configuration, also defined in this document, may be initiated at the
operator's discretion.

General information
Version information
The following shows the issue status of this document since it was first released:
Issue      Date of issue     Remarks
001v000    September 2012    System Release 12.0
002v000    November 2012     Updated for System Release 12.0.1
003v000    January 2013      Updated for System Release 12.0.2

Contacting Cambium Networks


PMP support website: http://www.cambiumnetworks.com/support
Cambium main website: http://www.cambiumnetworks.com/
Sales enquiries: solutions@cambiumnetworks.com
Email support: support@cambiumnetworks.com
Telephone numbers:
For full list of Cambium support telephone numbers, see:
http://www.cambiumnetworks.com/support/technical.php
Address:
Cambium Networks
3800 Golf Road, Suite 360
Rolling Meadows, IL 60008

Purpose
Cambium Networks Point-To-Multipoint (PMP) documents are intended to instruct and assist
personnel in the operation, installation and maintenance of the Cambium PMP equipment and
ancillary devices. It is recommended that all personnel engaged in such activities be properly trained.
Cambium disclaims all liability whatsoever, implied or express, for any risk of damage, loss or
reduction in system performance arising directly or indirectly out of the failure of the customer, or
anyone acting on the customer's behalf, to abide by the instructions, system parameters, or
recommendations made in this document.

Cross references
References to external publications are shown in italics. Other cross references, emphasized in blue
text in electronic versions, are active links to the references.
This document is divided into numbered chapters that are divided into sections. Sections are not
numbered, but are individually named at the top of each page, and are listed in the table of contents.

Feedback
We appreciate feedback from the users of our documents. This includes feedback on the structure,
content, accuracy, or completeness of our documents. Send feedback to email support (see
Contacting Cambium Networks).

Problems and warranty


Reporting problems
If any problems are encountered when installing or operating this equipment, follow this procedure to
investigate and report:
1. Search this document and the software release notes of supported releases.
2. Visit the support website: http://www.cambiumnetworks.com/support/pmp/software/index.php
3. Ask for assistance from the Cambium product supplier.
4. Gather information from affected units such as:
      The IP addresses and MAC addresses.
      The software releases.
      The configuration of software features.
      Any available diagnostic downloads.
      CNUT Support Capture Tool information
5. Escalate the problem by emailing or telephoning support.

See Contacting Cambium Networks for URLs, email addresses and telephone numbers.

Repair and service


If unit failure is suspected, obtain details of the Return Material Authorization (RMA) process from
the support website.

Warranty
Cambium's standard hardware warranty is for one (1) year from date of shipment from Cambium or a
Cambium distributor. Cambium warrants that hardware will conform to the relevant published
specifications and will be free from material defects in material and workmanship under normal use
and service. Cambium shall within this time, at its own option, either repair or replace the defective
product within thirty (30) days of receipt of the defective product. Repaired or replaced product will
be subject to the original warranty period but not less than thirty (30) days.
To register PMP products or activate warranties, visit the support website.
Extended warranties are available for PMP products. For warranty assistance, contact the reseller or
distributor.

Using non-Cambium parts for repair could damage the equipment or void warranty. Contact
Cambium for service and repair instructions.

Portions of Cambium equipment may be damaged from exposure to electrostatic discharge. Use
precautions to prevent damage.

Security advice
Cambium Networks systems and equipment provide security parameters that can be configured by the
operator based on their particular operating environment. Cambium recommends setting and using
these parameters following industry recognized security practices. Security aspects to be considered
are protecting the confidentiality, integrity, and availability of information and assets. Assets include
the ability to communicate, information about the nature of the communications, and information
about the parties involved.
In certain instances Cambium makes specific recommendations regarding security practices. However,
the implementation of these recommendations and final responsibility for the security of the system
lie with the operator of the system.

Warnings, cautions, and notes


The following describes how warnings and cautions are used in this document and in all documents of
the Cambium Networks document set.

Warnings
Warnings precede instructions that contain potentially hazardous situations. Warnings are used to alert
the reader to possible hazards that could cause loss of life or physical injury. A warning has the
following format:

Warning text and consequence for not following the instructions in the warning.

Cautions
Cautions precede instructions and are used when there is a possibility of damage to systems, software,
or individual items of equipment within a system. However, this damage presents no danger to
personnel. A caution has the following format:

Caution text and consequence for not following the instructions in the caution.

Notes
A note means that there is a possibility of an undesirable situation or provides additional information
to help the reader understand a topic or concept. A note has the following format:

Note text.

Chapter 1: Configuration and alignment


This chapter describes all configuration and alignment tasks that are performed when a PMP 450 link is
deployed.
Observe the precautions in Preparing for configuration and alignment.
This section is divided into several tasks, including:

Task 1: Connecting to the unit
Task 2: Configuring IP and Ethernet interfaces
Task 3: Upgrading the software version and using CNUT
Task 4: Configuring General and Unit settings
Task 5: Configuring security
Task 6: Configuring radio parameters
Task 7: Setting up SNMP agent
Task 8: Configuring syslog
Task 9: Configuring remote access
Task 10: Monitoring the AP-SM Link
Task 11: Configuring quality of service
Task 12: Configuring a RADIUS server

Preparing for configuration and alignment


This section describes the checks to be performed before proceeding with unit configuration and antenna
alignment.

Safety precautions during configuration and alignment


All national and local safety standards must be followed while configuring the units and aligning the
antennas.

Ensure that personnel are not exposed to unsafe levels of RF energy. The units start to radiate as
soon as they are powered up.
Observe the following guidelines:

Never work in front of the antenna when the AP or SM is powered.

Always power down the AP or SM before connecting or disconnecting the drop cable from the unit.

Task 1: Connecting to the unit


This task consists of the following procedures:

Configuring the management PC
Connecting to the PC and powering up
Logging into the web interface

Configuring the management PC


To configure the local management PC to communicate with the PMP 450 AP or SM, proceed as follows:
Procedure 1 Configuring the management PC
1. Select Properties for the Ethernet port.
2. Select the Internet Protocol (TCP/IP) item (in Windows 7, this item is called Internet Protocol
   Version 4 (TCP/IPv4)).
3. Click on Properties.
4. Enter an IP address that is valid for the 169.254.X.X network, avoiding 169.254.0.0,
   169.254.1.1 and 169.254.1.2. A good example is 169.254.1.3.
5. Enter a subnet mask of 255.255.255.0.
6. Leave the default gateway blank.

Connecting to the PC and powering up


To connect the PMP 450 AP or SM to the PC and power up the unit, proceed as follows:
Procedure 2 Connecting to the PC and powering up
1. Check that the AP or SM and the associated power supply are correctly connected.
2. Connect the PC Ethernet port to the LAN port of the power supply using a standard (not crossed)
   Ethernet cable.
3. Apply power to the radio power supply. The green Power LED should illuminate continuously.

Logging into the web interface (AP or SM)


To log into the AP or SM web interface as a system administrator, proceed as follows:
Procedure 3 Logging into the web interface (AP or SM)
1. Start the web browser from the management PC.
2. Type the IP address of the unit into the address bar. The factory default IP address is
   169.254.1.1. Press ENTER. The web interface General Status page is displayed:
   Figure 1 AP General Status page, GUEST user example
3. Log in with the default administrator username (admin) and password (admin).
   Figure 2 AP General Status page, ADMINISTRATOR user example

Task 2: Configuring IP and Ethernet interfaces


This task consists of the following sections:

Configuring the AP IP interface
NAT, DHCP Server, DHCP Client, and DMZ in SM
Configuring the SM IP interface with NAT disabled
Configuring the SM IP interface with NAT enabled
NAT tab of the SM with NAT disabled
NAT tab of the SM with NAT enabled
Reconnecting to the management PC

Configuring the AP IP interface


The IP interface allows users to connect to the PMP 450 web interface, either from a locally connected
computer or from a management network.
To configure the IP interface, proceed as follows:
Procedure 4 Configuring the AP IP interface
1. Select menu option Configuration, IP. The LAN configuration page is displayed.
2. Update IP Address, Subnet Mask and Gateway IP Address to meet network requirements (as
   specified by the network administrator).
3. Review the other IP interface attributes and update them, if required (Table 1).
4. Select Save. The Reboot Required message is displayed.
5. Select Reboot.

Table 1 IP interface attributes

Attribute: IP Address
Meaning: Internet protocol (IP) address. This address is used by the family of Internet
protocols to uniquely identify this unit on a network.

Attribute: Subnet Mask
Meaning: Defines the address range of the connected IP network.

Attribute: Gateway IP Address
Meaning: The IP address of a computer on the current network that acts as a gateway. A
gateway acts as an entrance and exit to packets from and to other networks.

Attribute: DHCP state
Meaning: If Enabled is selected, the DHCP server automatically assigns the IP
configuration (IP address, subnet mask, and gateway IP address) and the values
of those individual parameters (above) are not used. The setting of this DHCP
state parameter is also viewable, but not settable, in the Network Interface tab of
the Home page.

Attribute: DNS IP Address
Meaning: Canopy devices allow for configuration of a preferred and alternate DNS server
IP address either automatically or manually. Devices must set DNS server IP
address manually when DHCP is disabled for the management interface of the
device. DNS servers may be configured automatically from the DHCP response
when DHCP is enabled for the management interface of the device. Optionally
devices may be configured to set the DNS server IP address manually when
DHCP is enabled for the management interface. The default DNS IP addresses
are 0.0.0.0 when configured manually.

Attribute: Preferred DNS Server
Meaning: The first address used for DNS resolution.

Attribute: Alternate DNS Server
Meaning: Upon failure to reach the Preferred DNS server, the Alternate DNS Server is
used.

Attribute: Domain Name
Meaning: The operator's management domain name may be configured for DNS. The
domain name configuration can be used for configuration of the servers in the
operator's network. The default domain name is example.com, and is only used
if configured as such.

Attribute: LAN2 Network Interface Configuration (Radio Private Interface) IP Address
Meaning: It is recommended to not change this parameter from the default AP private IP
address of 192.168.101.1. A /24 CIDR subnet is used to communicate with each
of the SMs that are registered. The AP uses a combination of the private IP and
the LUID (logical unit ID) of the SM.
For example, if an SM is the first to register in an AP, and another SM registers
later, then the AP whose Private IP address is 192.168.101.1 uses the following
SM Private IP addresses to communicate to each:

SM                      LUID    Private IP
First SM registered             192.168.101.2
Second SM registered            192.168.101.3

NAT, DHCP Server, DHCP Client, and DMZ in SM


The system provides NAT (network address translation) for SMs in the following combinations of NAT
and DHCP (Dynamic Host Configuration Protocol):

NAT Disabled

NAT with DHCP Client (DHCP selected as the Connection Type of the WAN interface) and DHCP
Server

NAT with DHCP Client (DHCP selected as the Connection Type of the WAN interface)

NAT with DHCP Server

NAT without DHCP

NAT
NAT isolates devices connected to the Ethernet/wired side of an SM from being seen directly from the
wireless side of the SM. With NAT enabled, the SM has an IP address for transport traffic (separate from
its address for management), terminates transport traffic, and allows you to assign a range of IP addresses
to devices that are connected to the Ethernet/wired side of the SM.
In the Cambium system, NAT supports many protocols, including HTTP, ICMP (Internet Control Message
Protocol), and FTP (File Transfer Protocol). For virtual private network (VPN) implementation, L2TP
over IPSec (Layer 2 Tunneling Protocol over IP Security) and PPTP (Point to Point Tunneling Protocol) are
supported.

DHCP
DHCP enables a device to be assigned a new IP address and TCP/IP parameters, including a default
gateway, whenever the device reboots. Thus DHCP reduces configuration time, conserves IP addresses,
and allows modules to be moved to a different network within the Cambium system.
In conjunction with the NAT features, each SM provides:

a DHCP server that assigns IP addresses to computers connected to the SM by Ethernet protocol.

a DHCP client that receives an IP address for the SM from a network DHCP server.

DMZ
In conjunction with the NAT features, a DMZ (demilitarized zone) allows the assignment of one IP address
behind the SM for a device to logically exist outside the firewall and receive network traffic. The first three
octets of this IP address must be identical to the first three octets of the NAT private IP address.

NAT Disabled
The NAT Disabled implementation is illustrated in Figure 1.
Figure 3 NAT disabled implementation

NAT with DHCP Client and DHCP Server


Figure 4 NAT with DHCP client and DHCP server implementation

NAT with DHCP Client


Figure 5 NAT with DHCP client implementation

NAT with DHCP Server


Figure 6 NAT with DHCP server implementation

NAT without DHCP


Figure 7 NAT without DHCP implementation

NAT and VPNs


VPN technology provides the benefits of a private network during communication over a public network.
One typical use of a VPN is to connect remote employees, who are at home or in a different city, to their
corporate network over the public Internet. Any of several VPN implementation schemes is possible. By
design, NAT translates or changes addresses, and thus interferes with a VPN that is not specifically
supported by a given NAT implementation.
With NAT enabled, SMs support L2TP over IPSec (Layer 2 Tunneling Protocol over IP Security) VPNs
and PPTP (Point to Point Tunneling Protocol) VPNs. With NAT disabled, SMs support all types of VPNs.

Configuring the SM IP interface with NAT disabled


Figure 8 IP tab of the SM with NAT disabled

In the IP tab of an SM with NAT disabled, you may set the following parameters.

Table 2 SM with NAT disabled - IP attributes

Attribute: LAN1 Network Interface Configuration, IP Address
Meaning: Enter the non-routable IP address to associate with the Ethernet
connection on this SM. (The default IP address from the factory is
169.254.1.1.) If you set and then forget this parameter, then you must
both:
    physically access the module.
    use an override plug to electronically access the module
    configuration parameters at 169.254.1.1. See Overriding Forgotten
    IP Addresses or Passwords on AP.
Note or print the IP settings from this page. Ensure that you can
readily associate these IP settings both with the module and with
the other data that you store about the module.

Attribute: LAN1 Network Interface Configuration, Network Accessibility
Meaning: Specify whether the IP address of the SM should be visible to only a
device connected to the SM by Ethernet (Local) or should be visible to
the AP as well (Public).

Attribute: LAN1 Network Interface Configuration, Subnet Mask
Meaning: Enter an appropriate subnet mask for the SM to communicate on the
network. The default subnet mask is 255.255.0.0.

Attribute: LAN1 Network Interface Configuration, Gateway IP Address
Meaning: Enter the appropriate gateway for the SM to communicate with the
network. The default gateway is 169.254.0.0.

Attribute: LAN1 Network Interface Configuration, DHCP state
Meaning: If you select Enabled, the DHCP server automatically assigns the IP
configuration (IP address, subnet mask, and gateway IP address) and the
values of those individual parameters (above) are not used. The setting
of this DHCP state parameter is also viewable, but not settable, in the
Network Interface tab of the Home page.
In this tab, DHCP State is settable only if the Network Accessibility
parameter in the IP tab is set to Public. This parameter is also settable in
the NAT tab of the Configuration web page, but only when NAT is
enabled.
If the DHCP state parameter is set to Enabled in the Configuration =>
IP tab of the SM, do not check the BootpClient option for Packet
Filter Types in its Protocol Filtering tab, because doing so would block
the DHCP request. (Filters apply to all packets that leave the SM via its
RF interface, including those that the SM itself generates.) If you want
to keep DHCP enabled and avoid the blocking scenario, select the
Bootp Server option instead. This will result in responses being
appropriately filtered and discarded.

Attribute: LAN1 Network Interface Configuration, DNS IP Address
Meaning: Canopy devices allow for configuration of a preferred and alternate
DNS server IP address either automatically or manually. Devices must
set DNS server IP address manually when DHCP is disabled for the
management interface of the device. DNS servers may be configured
automatically from the DHCP response when DHCP is enabled for the
management interface of the device. Optionally devices may be
configured to set the DNS server IP address manually when DHCP is
enabled for the management interface. The default DNS IP addresses
are 0.0.0.0 when configured manually.

Attribute: LAN1 Network Interface Configuration, Preferred DNS Server
Meaning: The first DNS server used for DNS resolution.

Attribute: LAN1 Network Interface Configuration, Alternate DNS Server
Meaning: The second DNS server used for DNS resolution.

Attribute: LAN1 Network Interface Configuration, Domain Name
Meaning: The operator's management domain name may be configured for DNS.
The domain name configuration can be used for configuration of the
servers in the operator's network. The default domain name is
example.com, and is only used if configured as such.

Configuring the SM IP interface with NAT enabled


Figure 9 IP tab of SM with NAT enabled

In the IP tab of an SM with NAT enabled, you may set the following parameters.
Table 3 SM with NAT enabled - IP attributes

Attribute: NAT Network Interface Configuration, IP Address
Meaning: Assign an IP address for SM management through Ethernet access to
the SM. Set only the first three bytes. The last byte is permanently set to
1. This address becomes the base for the range of DHCP-assigned
addresses.

Attribute: NAT Network Interface Configuration, Subnet Mask
Meaning: Assign a subnet mask of 255.255.255.0 or a more restrictive subnet
mask. Set only the last byte of this subnet mask. Each of the first three
bytes is permanently set to 255.

NAT tab of the SM with NAT disabled


Figure 10 NAT tab of the SM with NAT disabled

In the NAT tab of an SM with NAT disabled, you may set the following parameters.
Table 4 SM with NAT disabled - NAT attributes

Attribute: NAT Enable/Disable
Meaning: This parameter enables or disables the Network Address Translation
(NAT) feature for the SM. NAT isolates devices connected to the
Ethernet/wired side of an SM from being seen directly from the wireless
side of the SM. With NAT enabled, the SM has an IP address for
transport traffic separate from its address for management, terminates
transport traffic, and allows you to assign a range of IP addresses to
devices that are connected to the Ethernet/wired side of the SM.
When NAT is enabled, VLANs are not supported on the wired side of
that SM. You can enable NAT in SMs within a sector where VLAN is
enabled in the AP, but this may constrain network design.

Attribute: WAN Interface, Connection Type
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: WAN Interface, IP Address
Meaning: This field displays the IP address for the SM. DHCP Server will not
automatically assign this address when NAT is disabled.

Attribute: WAN Interface, Subnet Mask
Meaning: This field displays the subnet mask for the SM. DHCP Server will not
automatically assign this address when NAT is disabled.

Attribute: WAN Interface, Gateway IP Address
Meaning: This field displays the gateway IP address for the SM. DHCP Server
will not automatically assign this address when NAT is disabled.

Attribute: WAN Interface, Reply to Ping on WAN Interface
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: LAN Interface, IP Address
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: LAN Interface, Subnet Mask
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: LAN Interface, DMZ Enable
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: LAN Interface, DMZ IP Address
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: LAN DHCP Server, DHCP Server Enable/Disable
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: LAN DHCP Server, DHCP Server Lease Timeout
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: LAN DHCP Server, DHCP Start IP
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: LAN DHCP Server, Number of IPs to Lease
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: LAN DHCP Server, DNS Server Proxy
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: LAN DHCP Server, DNS IP Address
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: LAN DHCP Server, Preferred DNS IP Address
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: LAN DHCP Server, Alternate DNS IP Address
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: Remote Configuration Interface, Interface Enable/Disable
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: Remote Configuration Interface, Connection Type
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: Remote Configuration Interface, IP Address
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: Remote Configuration Interface, Subnet Mask
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: Remote Configuration Interface, Gateway IP Address
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: Remote Configuration Interface, DNS IP Address
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: Remote Configuration Interface, Preferred DNS Server
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: Remote Connection Interface, Alternate DNS Server
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: Remote Connection Interface, Domain Name
Meaning: This parameter is not configurable when NAT is disabled.

Attribute: NAT Protocol Parameters, ARP Cache Timeout
Meaning: If a router upstream has an ARP cache of longer duration (as some use
30 minutes), enter a value of longer duration than the router ARP cache.
The default value of this field is 20 minutes.

Attribute: NAT Protocol Parameters, TCP Session Garbage Timeout
Meaning: Where a large network exists behind the SM, you can set this parameter
to lower than the default value of 120 minutes. This action makes
additional resources available for greater traffic than the default value
accommodates.

Attribute: NAT Protocol Parameters, UDP Session Garbage Timeout
Meaning: You may adjust this parameter in the range of 1 to 1440 minutes, based
on network performance. The default value of this parameter is 4
minutes.


NAT tab of the SM with NAT enabled


Figure 11 NAT tab of the SM with NAT enabled


In the NAT tab of an SM with NAT enabled, you may set the following parameters.
Table 5 SM with NAT enabled - NAT attributes
Attribute

Meaning

NAT Enable/Disable

This parameter enables or disables the Network Address Translation
(NAT) feature for the SM. NAT isolates devices connected to the
Ethernet/wired side of an SM from being seen directly from the
wireless side of the SM. With NAT enabled, the SM has an IP address
for transport traffic separate from its address for management,
terminates transport traffic, and allows you to assign a range of IP
addresses to devices that are connected to the Ethernet/wired side of the
SM.
When NAT is enabled, VLANs are not supported on the wired side of
that SM. You can enable NAT in SMs within a sector where VLAN is
enabled in the AP, but this may constrain network design.

WAN Interface

The WAN interface is the RF-side address for transport traffic.

WAN Interface, Connection Type

This parameter may be set to
Static IP: when this is the selection, the following three parameters
(IP Address, Subnet Mask, and Gateway IP Address) must all be
properly populated.
DHCP: when this is the selection, the information from the DHCP
server configures the interface.
PPPoE: when this is the selection, the information from the PPPoE
server configures the interface.


WAN Interface, Subnet Mask

If Static IP is set as the Connection Type of the WAN interface, then
this parameter configures the subnet mask of the SM for RF transport
traffic.

WAN Interface, Gateway IP Address

If Static IP is set as the Connection Type of the WAN interface, then
this parameter configures the gateway IP address for the SM for RF
transport traffic.

WAN Interface, Reply to Ping on WAN Interface

By default, the radio interface does not respond to pings. If you use a
management system (such as WM) that will occasionally ping the SM,
set this parameter to Enabled.

LAN Interface

The LAN interface is both the management access through the Ethernet
port and the Ethernet-side address for transport traffic. When NAT is
enabled, this interface is redundantly shown as the NAT Network
Interface Configuration on the IP tab of the Configuration web page
in the SM.

LAN Interface, IP Address

Assign an IP address for SM management through Ethernet access to
the SM. This address becomes the base for the range of DHCP-assigned
addresses.


LAN Interface, Subnet Mask

Assign a subnet mask of 255.255.255.0 or a more restrictive subnet
mask. Set only the last byte of this subnet mask. Each of the first three
bytes is permanently set to 255.

LAN Interface, DMZ Enable

Either enable or disable DMZ for this SM.

LAN Interface, DMZ IP Address

If you enable DMZ in the parameter above, set the last byte of the
DMZ host IP address to use for this SM when DMZ is enabled. Only
one such address is allowed. The first three bytes are identical to those
of the NAT private IP address. Ensure that the device that should
receive network traffic behind this SM is assigned this address.
The system provides a warning if you enter an address within the range
that DHCP can assign.

LAN DHCP Server

This is the server (in the SM) that provides an IP address to the device
connected to the Ethernet port of the SM.

LAN DHCP Server, DHCP Server Enable/Disable

Select either
Enabled to
o allow this SM to assign IP addresses, subnet masks, and gateway
  IP addresses to attached devices.
o assign a start address for DHCP.
o designate how many IP addresses may be temporarily used
  (leased).
Disabled to disallow the SM to assign addresses to attached devices.

LAN DHCP Server, DHCP Server Lease Timeout

Based on network performance, enter the number of days between
when the DHCP server assigns an IP address and when that address
expires. The range of values for this parameter is 1 to 30 days. The
default value is 30 days.

LAN DHCP Server, DHCP Start IP

If you will be enabling DHCP Server below, set the last byte of the
starting IP address that the DHCP server will assign. The first three
bytes are identical to those of the NAT private IP address.

LAN DHCP Server, Number of IPs to Lease

Enter how many IP addresses the DHCP server is allowed to assign.
The default value is 50 addresses.

LAN DHCP Server, DNS Server Proxy

This parameter enables or disables advertisement of the SM as the DNS
server. On initial boot up of an SM with the NAT WAN interface
configured as DHCP or PPPoE, the SM module will not immediately
have DNS information. With DNS Server Proxy disabled, the clients
will renew their lease about every minute until the SM has the DNS
information to give out. At this point the SM will go to the full
configured lease time period which is 30 days by default. With DNS
Server Proxy enabled, the SM will give out full term leases with its
NAT LAN IP as the DNS server.


LAN DHCP Server, DNS IP Address

Select either
Obtain Automatically to allow the system to set the IP address of the
DNS server.
Set Manually to enable yourself to set both a preferred and an alternate
DNS IP address.

LAN DHCP Server, Preferred DNS IP Address

Enter the preferred DNS IP address to use when the DNS IP Address
parameter is set to Set Manually.

LAN DHCP Server, Alternate DNS IP Address

Enter the DNS IP address to use when the DNS IP Address parameter
is set to Set Manually and no response is received from the preferred
DNS IP address.

Remote Configuration Interface, Interface Enable/Disable

If you want over-the-air management capability for the SM, select
Enabled. If you want to limit management of the SM to its Ethernet
interface, select Disabled.

Remote Configuration Interface

The Remote Configuration interface is the RF-side address for
management by an EMS or NMS (WM, for example).

Remote Configuration Interface, Interface Enable/Disable

When this interface is Disabled, the SM is not directly accessible by IP
address, and management access is only through either
o the LAN (Ethernet) interface
o a link from an AP web page into the WAN (RF-side) interface.
When this interface is Enabled, you can configure management access
through either
o a Static IP address
o an IP address that DHCP provides for the WAN interface.

Remote Configuration Interface, Connection Type

This parameter may be set to
Static IP: when this is the selection, the following three parameters
(IP Address, Subnet Mask, and Gateway IP Address) must all be
properly populated.
DHCP: when this is the selection, the information from the DHCP
server configures the interface.


Remote Configuration Interface, IP Address

If Static IP is set as the Connection Type of the WAN interface, then
this parameter configures the IP address of the SM for RF management
traffic.

Remote Configuration Interface, Subnet Mask

If Static IP is set as the Connection Type of the WAN interface, then
this parameter configures the subnet mask of the SM for RF
management traffic.


Remote Configuration Interface, Gateway IP Address

If Static IP is set as the Connection Type of the WAN interface, then
this parameter configures the gateway IP address for the SM for RF
management traffic.
Note or print the IP settings from this page. Ensure that you can readily
associate these IP settings both with the module and with the other data
that you store about the module.

Remote Configuration Interface, DNS IP Address

Select either
Obtain Automatically to allow the system to set the IP address of the
DNS server.
Set Manually to enable yourself to set both a preferred and an alternate
DNS IP address.

Remote Configuration Interface, Preferred DNS Server

Enter the preferred DNS IP address to use when the DNS IP Address
parameter is set to Set Manually.

Remote Configuration Interface, Alternate DNS Server

Enter the DNS IP address to use when the DNS IP Address parameter
is set to Set Manually and no response is received from the preferred
DNS IP address.

Remote Configuration Interface, Domain Name

Domain Name to use for management DNS configuration. This
domain name may be concatenated to DNS names configured for
the remote configuration interface.

NAT Protocol Parameters, ARP Cache Timeout

If a router upstream has an ARP cache of longer duration (as some use
30 minutes), enter a value of longer duration than the router ARP
cache. The default value of this field is 20 minutes.

NAT Protocol Parameters, TCP Session Garbage Timeout

Where a large network exists behind the SM, you can set this parameter
to lower than the default value of 120 minutes. This action makes
additional resources available for greater traffic than the default value
accommodates.

NAT Protocol Parameters, UDP Session Garbage Timeout

You may adjust this parameter in the range of 1 to 1440 minutes, based
on network performance. The default value of this parameter is 4
minutes.
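
The LAN Interface, DMZ IP Address and LAN DHCP Server rows of Table 5 constrain each other: the DMZ host, the DHCP pool and the SM's own LAN address all share the first three bytes and differ only in the last. The following check is an added example, not Cambium code; the function and parameter names are hypothetical, the addresses are constructed, and it assumes the pool is a contiguous run starting at DHCP Start IP.

```python
import ipaddress


def check_nat_lan(lan_ip, mask_last_byte, dhcp_start, num_leases,
                  dmz_enabled=False, dmz_last_byte=None):
    """Return a list of findings for one SM's NAT LAN settings (empty = clean).

    lan_ip          LAN Interface, IP Address (base for DHCP and DMZ addresses)
    mask_last_byte  last byte of LAN Interface, Subnet Mask (first three are 255)
    dhcp_start      last byte of DHCP Start IP
    num_leases      Number of IPs to Lease (guide default: 50)
    dmz_last_byte   last byte of DMZ IP Address, used only when DMZ is enabled
    """
    try:
        lan = ipaddress.IPv4Address(lan_ip)
        net = ipaddress.IPv4Network(
            f"{lan_ip}/255.255.255.{mask_last_byte}", strict=False)
    except ValueError as exc:
        return [f"invalid LAN address or subnet mask: {exc}"]

    findings = []
    lan_byte = int(lan) & 0xFF
    # Last bytes of every usable host address in the LAN subnet.
    usable = {int(host) & 0xFF for host in net.hosts()}

    # Assumption: the pool is dhcp_start .. dhcp_start + num_leases - 1.
    pool_end = dhcp_start + num_leases - 1
    if pool_end > 255:
        findings.append(f"DHCP pool runs past .255 (would end at .{pool_end})")
        pool_end = 255
    pool = range(dhcp_start, pool_end + 1)

    outside = [b for b in pool if b not in usable]
    if outside:
        findings.append(
            f"DHCP pool leaves the subnet {net}: last bytes "
            f"{outside[0]}-{outside[-1]} are not usable host addresses")
    if lan_byte in pool:
        findings.append("DHCP pool includes the SM's own LAN address")

    if dmz_enabled:
        if dmz_last_byte is None:
            findings.append("DMZ is enabled but no DMZ IP Address is set")
        else:
            if dmz_last_byte in pool:
                # The condition the guide says the GUI warns about: a DHCP
                # client could be leased the address that receives DMZ traffic.
                findings.append(
                    f"DMZ host .{dmz_last_byte} is inside the DHCP pool "
                    f".{pool[0]}-.{pool[-1]}")
            if dmz_last_byte not in usable:
                findings.append(
                    f"DMZ host .{dmz_last_byte} is not a usable address in {net}")
            if dmz_last_byte == lan_byte:
                findings.append("DMZ host uses the SM's own LAN address")
    return findings


if __name__ == "__main__":
    # Constructed settings: DMZ host .10 collides with pool .2-.51.
    for finding in check_nat_lan("192.168.1.1", 0, 2, 50,
                                 dmz_enabled=True, dmz_last_byte=10):
        print(finding)
```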

SM NAT DNS Considerations


SM DNS behavior is different depending on the accessibility of the SM. When NAT is enabled the DNS
configuration that is discussed in this document is tied to the RF Remote Configuration Interface, which
must be enabled to utilize DNS Client functionality. Note that the WAN DNS settings when NAT is
enabled are unchanged with the addition of the management DNS feature discussed in this document.


Table 6 SM DNS Options with NAT Enabled

NAT Configuration | Management Interface Accessibility         | DHCP Status   | DNS Status
NAT Enabled       | RF Remote Configuration Interface Disabled | N/A           | DNS Disabled
NAT Enabled       | RF Remote Configuration Interface Enabled  | DHCP Disabled | DNS Static Configuration
NAT Enabled       | RF Remote Configuration Interface Enabled  | DHCP Enabled  | DNS from DHCP or DNS Static Configuration

Reconnecting to the management PC


If the IP Address, Subnet Mask and Gateway IP Address of the unit have been updated to meet network
requirements, then reconfigure the local management PC to use an IP address that is valid for the network.
Refer to Configuring the management PC on page 1-3.
When the unit has rebooted, log in using the new IP address. Refer to Logging into the web interface on
page 1-5.


VLAN Tab of the AP


Figure 12 VLAN tab of the AP


In the VLAN tab of the AP, you may set the following parameters.
Table 7 AP VLAN tab attributes
Attribute

Meaning

VLAN

Specify whether VLAN functionality for the AP and all linked SMs should
(Enabled) or should not (Disabled) be allowed. The default value is
Disabled.

Always use Local VLAN Config

Enable this option before you reboot this AP as an SM to use it to perform
spectrum analysis. After the spectrum analysis is completed and before
you reboot this module as an AP, disable this option.

Allow Frame Types

Select the type of arriving frames that the AP should tag, using the VID
that is stored in the Untagged Ingress VID parameter. The default value is
All Frames.

Dynamic Learning

Specify whether the AP should (Enabled) or should not (Disabled) add
the VLAN IDs (VIDs) of upstream frames to the VID table. (The AP
passes frames with VIDs that are stored in the table both upstream and
downstream.) The default value is Enabled.

VLAN Aging Timeout

Specify how long the AP should keep dynamically learned VIDs. The
range of values is 5 to 1440 (minutes). The default value is 25 (minutes).

VIDs that you enter for the Management VID and VLAN
Membership parameters do not time out.


Management VID

Enter the VID that the operator wishes to use to communicate with the
module manager. The range of values is 1 to 4095. The default value is 1.

SM Management VID Passthrough

Specify whether to allow the SM (Enable) or the AP (Disable) to control
the VLAN settings of the SM. The default value is Enable.


QinQ EtherType

Modules can be configured with 802.1ad Q-in-Q DVLAN (Double-VLAN) tagging, which is a way for an operator to put an 802.1Q VLAN
inside of an 802.1ad VLAN. A nested VLAN, which is the original
802.1Q tag and a new second 802.1ad tag, allows for bridging of VLAN
traffic across a network and segregates the broadcast domains of 802.1Q
VLANs. Q-in-Q can be used with PPPoE and/or NAT.
The 802.1ad standard defines the S-VLAN as the Service Provider VLAN
and the C-VLAN as the customer VLAN. The radio software does 2 layer
Q-in-Q whereby the C-VLAN is the 802.1Q tag and the S-VLAN is the
second layer Q tag as shown below:
Table 8: Q-in-Q Ethernet frame
Ethernet Header | S-VLAN EthType 0x88a8 | C-VLAN EthType 0x8100 | IP Data EthType 0x0800

The 802.1ad S-VLAN is the outer VLAN that is configurable on the
Configuration => VLAN web page of the AP. The Q-in-Q EtherType
parameter is configured with a default EtherType of 0x88a8 in addition to
four alternate EtherTypes that can be configured to aid in interoperability
with existing networks that use a different EtherType than the default.
The C-VLAN is the inner VLAN tag, which is the same as 802.1Q. As a
top level concept, this operates on the outermost tag at any given time,
either pushing a tag on or popping a tag off. This means packets will
at most transition from an 802.1Q frame to an 802.1ad frame (with a tag
pushed on) or an untagged 802.1 frame (with the tag popped off).
Similarly, for an 802.1ad frame, this can only transition from an 802.1ad
frame to an 802.1Q frame (with the tag popped off) since the radio
software only supports 2 levels of tags.

Active Configuration

When VLAN is enabled in the AP, the Active Configuration block
provides the following details as read-only information in this tab. In the
Cambium fixed wireless broadband IP network, each device of any type is
automatically a permanent member of VID 1. This facilitates deployment
of devices that have VLAN enabled with those that do not.

Port VID

This is the VID that the AP will use for tagging frames of the type
specified by Allow Frame Types.

Management VID

This is the value of the parameter of the same name, configured above.

SM Management VID PassThrough

This is the value of the parameter of the same name, configured above.

Dynamic Aging Timeout

This is the value of the VLAN Aging Timeout parameter configured
above.

Allow Learning

Yes is displayed if the value of the Dynamic Learning parameter above is
Enabled. No is displayed if the value of Dynamic Learning is Disabled.


Allow Frame Type

This displays the selection that was made from the drop-down list at the
Allow Frame Types parameter above.

Current VID Member Set, VID Number

This column lists the ID numbers of the VLANs in which this module is a
member, whether through assignment or through dynamic learning.

Current VID Member Set, Type

For each VID number in the first column, the entry in this column
correlates the way in which the module became and continues to be a
member:
Permanent: This indicates that the module was assigned the VID number
through direct configuration by the operator.
Dynamic: This indicates that the module adopted the VID number
through enabled dynamic learning, when a tagged packet from an SM
behind it in the network, or from a customer equipment that is behind the
SM in this case, was read.

Current VID Member Set, Age

For each VID number in the first column of the table, the entry in this
column reflects whether or when the VID number will time out:
for Permanent type: the number will never time out, and this is
indicated by the digit 0.
for Dynamic type: the Age reflects what is configured in the VLAN
Aging Timeout parameter in the Configuration => VLAN tab of the
AP or reflects a fewer number of minutes that represents the
difference between what was configured and what has elapsed since
the VID was learned. Each minute, the Age decreases by one until, at
zero, the AP deletes the learned VID, but can learn it again from packets
sent by elements that are beneath it in the network.

Values in this Active Configuration block can differ from attempted
values in configurations:
o A VLAN profile administered by RADIUS is capable of overriding
  any configured VLAN value, if the Configuration Source parameter
  in the AP is set to Authentication Server.
o The AP itself can override the value that the SM has configured for
  SM Management VID Pass-Through.
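
The QinQ EtherType row of Table 7 describes the frame layout of Table 8 and the rule that the radio only pushes or pops the outermost tag, to a maximum of 2 tags. The following sketch is an added example, not Cambium code: it parses that tag stack and shows that a frame whose outer EtherType differs from the configured one is not recognised as tagged at all. All function names are hypothetical, the sample frame is constructed, and 0x9100 stands in for an alternate EtherType (it is not taken from the guide).

```python
import struct

S_TAG_DEFAULT = 0x88A8  # default Q-in-Q EtherType (S-VLAN), Table 8
C_TAG = 0x8100          # 802.1Q EtherType (C-VLAN), Table 8
IPV4 = 0x0800           # payload EtherType shown in Table 8
MAX_TAGS = 2            # the guide: the radio software supports 2 levels of tags

# Constructed sample: untagged frame with made-up MAC addresses and payload.
SAMPLE_UNTAGGED = (bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
                   + struct.pack("!H", IPV4) + b"constructed-payload")


def parse_tags(frame, s_ethertype=S_TAG_DEFAULT):
    """Return ([(tpid, vid), ...] outermost first, payload EtherType)."""
    tags, off = [], 12  # skip destination and source MAC
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (s_ethertype, C_TAG):
            return tags, etype
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF))  # low 12 bits of the TCI are the VID
        off += 4


def push_tag(frame, vid, s_ethertype=S_TAG_DEFAULT):
    """Push one tag on the outside: a C-tag on an untagged frame, else an S-tag."""
    if not 1 <= vid <= 4095:  # VID range as stated in the guide
        raise ValueError("VID out of range")
    tags, _ = parse_tags(frame, s_ethertype)
    if len(tags) >= MAX_TAGS:
        raise ValueError("frame already carries 2 tags")
    tpid = C_TAG if not tags else s_ethertype
    return frame[:12] + struct.pack("!HH", tpid, vid) + frame[12:]


def pop_tag(frame, s_ethertype=S_TAG_DEFAULT):
    """Remove the outermost tag."""
    tags, _ = parse_tags(frame, s_ethertype)
    if not tags:
        raise ValueError("no tag to pop")
    return frame[:12] + frame[16:]


def frame_kind(frame, s_ethertype=S_TAG_DEFAULT):
    """Classify a frame as untagged, 802.1Q or 802.1ad by its tag stack."""
    tags, _ = parse_tags(frame, s_ethertype)
    if not tags:
        return "untagged"
    if len(tags) == 1 and tags[0][0] == C_TAG:
        return "802.1Q"
    return "802.1ad"


if __name__ == "__main__":
    q = push_tag(SAMPLE_UNTAGGED, 100)   # untagged -> 802.1Q
    qq = push_tag(q, 800)                # 802.1Q   -> 802.1ad
    print(frame_kind(q), frame_kind(qq), parse_tags(qq))
    # Outer tag written with an alternate EtherType, read with the default:
    alt = push_tag(q, 800, s_ethertype=0x9100)
    print(frame_kind(alt), parse_tags(alt))
```

When the outer EtherType on the wire and the configured QinQ EtherType disagree, the S-tag is read as an unknown payload type, so neither VID is seen; that is the interoperability case the alternate EtherTypes exist for.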


VLAN Membership Tab of the AP


Figure 13 VLAN Membership tab of the AP

You may set the VLAN Membership tab parameter as follows.


Table 9 AP VLAN Membership attributes
Attribute

Meaning

VLAN Membership Table Configuration

For each VLAN in which you want the AP to be a member, enter
the VLAN ID and then click the Add Member button. Similarly,
for any VLAN in which you want the AP to no longer be a
member, enter the VLAN ID and then click the Remove Member
button.


VLAN Tab of the SM


Figure 14 VLAN tab of the SM

In the VLAN tab of an SM, you may set the following parameters.


Table 10 SM VLAN attributes


Attribute

Meaning

VLAN Port Type

By default this will be simply Q, indicating that it is to operate in the
existing manner. The other option is Q-in-Q, which indicates that it should
be adding and removing the S-Tag, and adding a C-Tag if necessary for
untagged packets. The VLAN Port type corresponds to the Ethernet port of
the SM. Currently, the internal management interfaces will always operate
as Q ports.

Accept QinQ Frames

This option is valid for the Q-in-Q port so that the user may force blocking
of existing 802.1ad Q-in-Q frames. This way, only untagged or single
tagged packets will come in and out of the Ethernet interface. If a Q-in-Q
frame is about to ingress or egress the Ethernet interface and this is disabled,
it will be dropped and a filter entry will show up on the VLAN Statistics
page as DVLAN Egress or DVLAN Ingress.

Allow Frame Types

Select the type of arriving frames that the SM should tag, using the VID
that is stored in the Untagged Ingress VID parameter. The default value is
All Frames.
Tagged Frames Only: The SM will only tag incoming VLAN-tagged
frames
Untagged Frames Only: The SM will only tag incoming untagged frames

Dynamic Learning

Specify whether the SM should (Enable) or should not (Disable) add the
VIDs of upstream frames (that enter the SM through the wired Ethernet
interface) to the VID table. The default value is Enable.

VLAN Aging Timeout

Specify how long the SM should keep dynamically learned VIDs. The
range of values is 5 to 1440 (minutes). The default value is 25 (minutes).

VIDs that you enter for the Untagged Ingress VID and Management
VID parameters do not time out.

Management VID

Enter the VID that the SM should share with the AP. The range of values
is 1 to 4095. The default value is 1.

SM Management VID Passthrough

Specify whether to allow the SM (Enable) or the AP (Disable) to control
the VLAN settings of this SM. The default value is Enable.

When VLAN is enabled in the AP to whom this SM is registered, the
Active Configuration block provides the following details as read-only
information in this tab. In the Cambium fixed wireless broadband IP
network, each device of any type is automatically a permanent member of
VID 1. This facilitates deployment of devices that have VLAN enabled
with those that do not.


Default Port VID

This is the VID that will be used for untagged frames and will correspond
to the Q-Tag for 802.1Q frames (if VLAN Port Type is Q), or the C-Tag
for 802.1ad frames (if the VLAN Port Type is Q-in-Q).

Port VID MAC Address Mapping

These parameters allow operators to place specific devices onto different
VLANs (802.1Q tag or 802.1ad C-tag) based on the source MAC address
of the packet. If the MAC address entry is 00-00-00-00-00-00 then that
entry is not used. If a packet arrives at the SM that is sourced from a
device whose MAC address is in the table, then the corresponding VID
will be used for that frame's Q-tag (Q port) or C-tag (Q-in-Q port). If
there is no match, then the Default Port VID will be used. This table is
also used in the downstream direction for removal of the tag based on the
destination MAC address so that an untagged (for Q port) or Q-Tagged
(for Q-in-Q port) frame is delivered to the end device. You may use
wildcards for the non-OUI (Organizationally Unique Identifier) portion
of the MAC address, which is the last 3 bytes. MAC addresses contain 6
bytes, the first 3 of which are the OUI of the vendor that manufactured
the device and the last 3 are unique to that vendor OUI. If you want to
cover all devices from a known vendor's OUI, you would specify 0xFF
for the remaining 3 bytes. So, for example, if you wanted all devices
from a specific vendor with an OUI of 00-95-5b (which is a Netgear
OUI) to be on the same VID of 800, you would specify an entry with
MAC address 00-95-5b-ff-ff-ff. Then, any device underneath of the SM
with MAC addresses starting with 00-95-5b will be put on VLAN 800.

Provider VID

The provider VID is used for the S-tag. It is only used if the Port Type
is Q-in-Q and will always be used for the S-tag. If an existing 802.1Q
frame arrives, the Provider VID is what will be used for adding and
removing of the outer S-tag. If an untagged frame arrives to a Q-in-Q
port, then the Provider VID will be the S-tag and the Default Port VID
(or Port VID MAC Address Mapping, if valid) will be used for the C-tag.

Active Configuration, Default Port VID

This is the value of the parameter of the same name, configured above.

Active Configuration, MAC Address VID Map

This is the listing of the MAC address VIDs configured in Port VID MAC
Address Mapping.

Active Configuration, Management VID

This is the value of the parameter of the same name, configured above.

Active Configuration, SM Management VID PassThrough

This is the value of the parameter of the same name, configured above.

Active Configuration, Dynamic Aging Timeout

This is the value of the VLAN Aging Timeout parameter configured
above.


Active Configuration, Allow Learning

Yes is displayed if the value of the Dynamic Learning parameter above is
Enabled. No is displayed if the value of Dynamic Learning is Disabled.

Active Configuration, Allow Frame Type

This displays the selection that was made from the drop-down list at the
Allow Frame Types parameter above.

Active Configuration, QinQ

This is set to Enabled if VLAN Port Type is set to QinQ, and is set to
Disabled if VLAN Port Type is set to Q.

Active Configuration, QinQ EthType

This is the value of the QinQ EtherType configured in the AP.

Active Configuration, Allow QinQ Tagged Frames

This is the value of Accept QinQ Frames, configured above.

Active Configuration, Current VID Member Set, VID Number

This column lists the ID numbers of the VLANs in which this module is a
member, whether through assignment or through dynamic learning.

Active Configuration, Current VID Member Set, Type

For each VID number in the first column, the entry in this column
correlates the way in which the module became and continues to be a
member:
Permanent: This indicates that the module was assigned the VID number
through direct configuration by the operator.
Dynamic: This indicates that the module adopted the VID number
through enabled dynamic learning, when a tagged packet from an SM
behind it in the network, or from a customer equipment that is behind the
SM in this case, was read.

Active Configuration, Current VID Member Set, Age

For each VID number in the first column of the table, the entry in this
column reflects whether or when the VID number will time out:
for Permanent type: the number will never time out, and this is indicated
by the digit 0.
for Dynamic type: the Age reflects what is configured in the VLAN
Aging Timeout parameter in the Configuration => VLAN tab of the AP or
reflects a fewer number of minutes that represents the difference between
what was configured and what has elapsed since the VID was learned.
Each minute, the Age decreases by one until, at zero, the AP deletes the
learned VID, but can learn it again from packets sent by elements that are
beneath it in the network.

Values in this Active Configuration block can differ from attempted
values in configurations:
The AP can override the value that the SM has configured for SM
Management VID Pass-Through.
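
The Accept QinQ Frames, Default Port VID, Port VID MAC Address Mapping and Provider VID rows of Table 10 together decide which tags a frame entering the SM's Ethernet port ends up with. The following model is an added example, not Cambium code: function names and the configuration layout are hypothetical, and only OUI 00-95-5b with VID 800 comes from the guide. It assumes the first matching table entry wins, that only a full ff-ff-ff suffix is a wildcard, and that already-tagged frames keep their existing C-tag, none of which the guide states.

```python
ZERO_MAC = bytes(6)          # 00-00-00-00-00-00: the guide says this entry is not used
WILDCARD = b"\xff\xff\xff"   # ff-ff-ff in the non-OUI bytes covers a whole OUI

# Constructed configuration; only the 00-95-5b / VID 800 entry is from the guide.
SAMPLE_CFG = {
    "port_type": "Q-in-Q",        # VLAN Port Type: "Q" or "Q-in-Q"
    "accept_qinq": False,         # Accept QinQ Frames
    "default_port_vid": 1,        # Default Port VID
    "provider_vid": 500,          # Provider VID (S-tag), constructed value
    "mac_map": [                  # Port VID MAC Address Mapping
        ("00-00-00-00-00-00", 900),   # unused slot
        ("00-95-5b-ff-ff-ff", 800),   # every device with OUI 00-95-5b
    ],
}


def parse_mac(text):
    """Parse 'aa-bb-cc-dd-ee-ff' (or ':' separated) into 6 bytes."""
    parts = text.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in parts)


def entry_matches(entry_mac, src_mac):
    """True if a mapping-table entry applies to this source MAC."""
    entry, src = parse_mac(entry_mac), parse_mac(src_mac)
    if entry == ZERO_MAC:
        return False                      # all-zero entries are not used
    if entry[:3] != src[:3]:
        return False                      # the OUI must match exactly
    # Assumption: partial wildcards are not modelled, only ff-ff-ff.
    return entry[3:] == WILDCARD or entry[3:] == src[3:]


def select_vid(src_mac, mac_map, default_port_vid):
    """VID for an untagged frame: mapped VID if the source MAC matches, else default."""
    for entry_mac, vid in mac_map:        # assumption: first match wins
        if entry_matches(entry_mac, src_mac):
            return vid
    return default_port_vid


def ingress_decision(src_mac, arriving_vids, cfg):
    """Decide the tags for a frame entering the Ethernet port.

    arriving_vids: () untagged, (c_vid,) 802.1Q, (s_vid, c_vid) Q-in-Q.
    Returns ("forward", s_vid_or_None, c_vid) or ("drop", filter_name).
    """
    qinq_port = cfg["port_type"] == "Q-in-Q"
    if len(arriving_vids) == 2:
        if qinq_port and not cfg["accept_qinq"]:
            return ("drop", "DVLAN Ingress")   # counter named in the guide
        # Assumption: an accepted double-tagged frame keeps both tags.
        return ("forward", arriving_vids[0], arriving_vids[1])
    if arriving_vids:
        c_vid = arriving_vids[0]               # assumption: existing C-tag is kept
    else:
        c_vid = select_vid(src_mac, cfg["mac_map"], cfg["default_port_vid"])
    s_vid = cfg["provider_vid"] if qinq_port else None
    return ("forward", s_vid, c_vid)


if __name__ == "__main__":
    for mac, vids in [("00-95-5b-12-34-56", ()), ("00-11-22-33-44-55", (42,)),
                      ("00-11-22-33-44-55", (7, 42))]:
        print(mac, vids, "->", ingress_decision(mac, vids, SAMPLE_CFG))
```

Because the table keys on the source MAC address, which the attached device sets, treat the resulting VLAN placement as traffic steering rather than as an access control.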

VLAN Membership Tab of the SM


Figure 15 VLAN Membership tab of the SM

In the VLAN Membership tab, you may set the following parameter.
Table 11 SM VLAN Membership attributes
Attribute

Meaning

VLAN Membership Table Configuration

For each VLAN in which you want the AP to be a member, enter the
VLAN ID and then click the Add Member button. Similarly, for any
VLAN in which you want the AP to no longer be a member, enter the
VLAN ID and then click the Remove Member button.

PPPoE Tab of the SM


Table 12 PPPoE tab of the SM


Point-to-Point Protocol over Ethernet (PPPoE) is a protocol that encapsulates PPP frames inside Ethernet
frames (at Ethernet speeds). Benefits to the network operator may include

Access control

Service monitoring

Generation of statistics about activities of the customer

Re-use of infrastructure and operational practices by operators who already use PPP for other networks

PPPoE options are configurable for the SM only, and the AP indicates whether or not PPPoE is enabled for
a specific subscriber.
When PPPoE is enabled, once the RF session comes up between the SM and the AP, the SM will
immediately attempt to connect to the PPPoE Server. You can monitor the status of this by viewing the
PPPoE Session Log in the Logs section (Administrator only). Every time the RF session comes up, the SM
will check the status of the link and if it is down, the SM will attempt to redial the link if necessary
depending on the Timer Type. Also, on the Configuration page, the user may Connect or Disconnect the
session manually. This can be used to override the session to force a manual disconnect and/or reconnect if
there is a problem with the session.
In order to enable PPPoE, NAT MUST be enabled on the SM, and Translation Bridging MUST be
disabled on the AP. These items will be strictly enforced for you when you are trying to enable PPPoE. A
message will indicate any prerequisites not being met. Also, the NAT Public IP DHCP client cannot be
enabled. This is because the NAT Public IP will be received through the IPCP process of the PPPoE
discovery stages.
The pre-requisites required are:

NAT MUST be enabled on the SM
o NAT DHCP Client will be disabled automatically. The NAT public IP will be received from the
  PPPoE Server.
o NAT Public Network Interface Configuration will not be used and should be left to defaults. Also
  NAT Public IP DHCP will be disabled if it is enabled.

Translation Bridging MUST be DISABLED on the AP
o This will only be determined if the SM is in session since the SM won't know the AP
  configuration otherwise. If the SM is not in session, PPPoE can be enabled but if the SM goes
  into session to a Translation Bridge-enabled AP, then PPPoE will not be enabled.

The following PPPoE configuration parameters are available:


Table 13 SM PPPoE attributes
Attribute

Meaning

Access Concentrator

An optional entry to set a specific access concentrator to connect to for the
PPPoE session. If this is blank, the SM will accept the first access concentrator
which matches the service name (if specified). This is limited to 32 characters.

Service Name

An optional entry to set a specific service name to connect to for the PPPoE
session. If this is left blank the SM will accept the first service option that
comes back from the access concentrator specified above, if any. This is
limited to 32 characters.


Authentication Type

None means that no PPPoE authentication will be implemented.
CHAP/PAP means that CHAP authentication will be attempted first, then PAP
authentication. The same password is used for both types.

User Name

This is the CHAP/PAP user name that will be used if CHAP/PAP
authentication is selected. If None is selected for authentication then this field
is unused. This is limited to 32 characters.

Password

This is the CHAP/PAP password that will be used if PAP authentication is
selected. If None is selected for authentication then this field is unused. This is
limited to 32 characters.

MTU

Use MTU Received from PPPoE Server causes the SM to use the MRU of
the PPPoE server received in LCP as the MTU for the PPPoE link.
Use User Defined MTU allows the operator to specify an MTU value to use to
override any MTU that may be determined in the LCP phase of PPPoE session
setup. If this is selected, the user will be able to enter an MTU value up to
1492. However, if the MTU determined in LCP negotiations is less than this
user-specified value, the SM will use the smaller value as its MTU for the
PPPoE link.

Timer Type

Keep Alive is the default timer type. This timer will enable a keepalive that
will check the status of the link periodically. The user can set a keepalive
period. If no data is seen from the PPPoE server for that period, the link will be
taken down and a reconnection attempt will be started. For marginal links, the
keep alive timer can be useful so that the session will stay alive over periodic
dropouts. The keepalive timer should be set such that the session can outlast
any session drop. Some PPPoE servers have a session check timer of their
own, so the timeouts of the server and the SM should be in sync so that neither
side drops the session prematurely.
Idle Timeout enables an idle timer that will check the usage of the link from
the customer side. If there is no data seen from the customer for the idle
timeout period, the PPPoE session will be dropped. Once data starts flowing
from the customer again, the session will be started up again. This timer is
useful for users who may not be using the connection frequently. If the session
is idle for long periods of time, this timer will allow the resources used by the
session to be returned to the server. Once the connection is used again by the
customer, the link will be reestablished automatically.

Timer Period

The length in seconds of the PPPoE keepalive timer.

TCP MSS Clamping

If this is enabled, then the SM will alter TCP SYN and SYN-ACK packets by
changing the Maximum Segment Size to be compatible with the current MTU
of the PPPoE link. This way, the user does not have to worry about MTU on
the client side for TCP packets. The MSS will be set to the current MTU - 40
(20 bytes for IP headers and 20 bytes for TCP headers). This will cause the
application on the client side to not send any TCP packets larger than the MTU.
If the network is exhibiting large packet loss, try enabling this option. This
may not be an option on the PPPoE server itself. The SM will NOT reassemble
IP fragments, so if the MTUs are incorrect on the end stations, then MSS
clamping will solve the problem for TCP connections.
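
The MTU and TCP MSS Clamping attributes above, worked through on a constructed TCP SYN. This is an added example, not code from the guide or from the SM firmware; the sample addresses, ports and the build_segment helper are assumptions, and the sketch assumes the MSS is only ever lowered, never raised.

```python
import struct

IP_TCP_OVERHEAD = 40    # 20 bytes of IP header + 20 bytes of TCP header, per the guide
MAX_USER_MTU = 1492     # largest User Defined MTU the guide allows
SYN = 0x02              # flag bit set on both SYN and SYN-ACK


def effective_mtu(lcp_mru, user_mtu=None):
    """MTU of the PPPoE link: the LCP value, or the smaller of it and the user value."""
    if user_mtu is None:                      # "Use MTU Received from PPPoE Server"
        return lcp_mru
    if not 0 < user_mtu <= MAX_USER_MTU:      # "Use User Defined MTU"
        raise ValueError("user-defined MTU must be in 1..1492")
    return min(user_mtu, lcp_mru)


def tcp_checksum(src_ip, dst_ip, segment):
    """Internet checksum over the IPv4 pseudo-header plus the TCP segment."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mss_offset(segment):
    """Offset of the 16-bit MSS value in a SYN or SYN-ACK, or None if absent."""
    if len(segment) < 20 or not segment[13] & SYN:
        return None
    end = min((segment[12] >> 4) * 4, len(segment))
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                         # End of Option List
            return None
        if kind == 1:                         # NOP is a single byte
            i += 1
            continue
        if i + 1 >= end:
            return None
        length = segment[i + 1]
        if length < 2 or i + length > end:    # malformed option: change nothing
            return None
        if kind == 2 and length == 4:         # Maximum Segment Size
            return i + 2
        i += length
    return None


def read_mss(segment):
    off = mss_offset(segment)
    return None if off is None else struct.unpack_from("!H", segment, off)[0]


def clamp_mss(src_ip, dst_ip, segment, mtu):
    """Lower the advertised MSS to mtu - 40 and repair the TCP checksum."""
    off = mss_offset(segment)
    limit = mtu - IP_TCP_OVERHEAD
    if off is None or read_mss(segment) <= limit:
        return segment
    seg = bytearray(segment)
    struct.pack_into("!H", seg, off, limit)
    seg[16:18] = b"\x00\x00"                  # checksum field is zero while summing
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


def build_segment(src_ip, dst_ip, flags, mss):
    """Constructed sample: TCP header plus MSS, NOP, NOP, SACK-permitted options."""
    options = struct.pack("!BBH", 2, 4, mss) + bytes([1, 1, 4, 2])
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 7 << 4, flags, 65535, 0, 0)
    seg = bytearray(header + options)
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


CLIENT = bytes([192, 168, 1, 10])             # constructed addresses
SERVER = bytes([203, 0, 113, 5])

if __name__ == "__main__":
    mtu = effective_mtu(lcp_mru=1492, user_mtu=1400)
    syn = build_segment(CLIENT, SERVER, SYN, 1460)
    out = clamp_mss(CLIENT, SERVER, syn, mtu)
    print(mtu, read_mss(syn), read_mss(out), tcp_checksum(CLIENT, SERVER, out))
```

A checksum of 0 over the rewritten segment confirms the receiver will accept it; a clamp that edits the option without repairing the checksum causes the SYN to be dropped.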

NAT Port Mapping Tab of the SM


An example of the NAT Port Mapping tab in an SM is displayed below.
Table 14 NAT Port Mapping tab of the SM

In the NAT Port Mapping tab of the SM, you may set the following parameters.
Table 15 SM NAT Port Mapping attributes
Attribute

Meaning

Port Map 1 to 10

Separate parameters allow you to distinguish NAT ports from each other
by assigning a unique combination of port number, protocol for traffic
through the port, and IP address for access to the port.

Task 3: Upgrading the software version and using CNUT
This task consists of the following procedures:

Checking the installed software version on page 1-38

Upgrading to a new software version on page 1-39

If the link is operational, ensure that the remote end of the link is upgraded first using the wireless
connection, and then the local end can be upgraded. Otherwise, the remote end may not be accessible.
Always refer to the software release notes before upgrading system software. The release notes are
available at:
http://www.cambiumnetworks.com/support/pmp/software/index.php?tag=pmp450

Checking the installed software version


To check the installed software version, proceed as follows:
Procedure 5 Checking the installed software version

Select Home menu tab General.

Note the installed Software Version (near the top of the page):

Go to the support website (see Contacting Cambium Networks on page ix) and find Point-to-Multipoint
software updates. Check that the latest PMP 450 software version (for example 13.0) is the same as the
installed Software Version.

If the software needs to be upgraded to the latest version, perform Upgrading to a new software version
on page 1-39.

Upgrading to a new software version


PMP 450 modules are upgraded using the Canopy Network Updater Tool (CNUT version 4.1). The
Canopy Network Updater Tool (CNUT) manages and automates the software and firmware upgrade
process for a Canopy radio, CMMmicro, or CMM4 (but not its 14-port switch) across the network. This
eliminates the need for an administrator to visit each radio in the network (or each AP while using the
Autoupdate feature) to upgrade the modules.
This section includes an example of updating a single unit before deployment. System-wide upgrading
procedures may be found in the CNUT Online Help manual, which can be found on the Cambium support
website (see Contacting Cambium Networks on page ix).

CNUT functions
The Canopy Network Updater Tool

automatically discovers all network elements

executes a UDP command that initiates and terminates the Autoupdate mode within APs. This
command is both secure and convenient:
o For security, the AP accepts this command from only the IP address that you specify in the
Configuration page of the AP.
o For convenience, Network Updater automatically sets this Configuration parameter in the APs to
the IP address of the Network Updater server when the server performs any of the update
commands.

allows you to choose among updating
o your entire network.
o only elements that you select.
o only network branches that you select.

provides a Script Engine that you can use with any script that
o you define.
o Cambium supplies.

configurability of any of the following to be the file server for image files:
o The AP, for traditional file serving via UDP commands and monitoring via UDP messaging.
o CNUT HTTP Server, for upgrading via SNMP commands and monitoring via SNMP messaging.
This also supports an option to either set the image order specifically for this file server or to allow
the AP to determine the order.
o Local TFTP Server, for traditional file serving via UDP commands and monitoring via UDP
messaging. This supports setting the number of simultaneous image transfers per AP.

the capability to launch a test of connectivity and operational status of the local HTTP and TFTP file
servers

an interface that supports efficient specification of the proper IP address for the local file server(s)
where Network Updater resides on a multi-homed computer

an md5 checksum calculator utility for identifying corruption of downloaded image files before
Network Updater is set to apply them.

Network element groups


With the Canopy Network Updater Tool, you can identify element groups composed of network elements
that you select. Identifying these element groups

organizes the display of elements (for example, by region or by AP cluster).

allows you to
o perform an operation on all elements in the group simultaneously.
o set group-level defaults for ftp password access and SNMP Community String (defaults that can
be overridden in an individual element when necessary).

Network layers
A typical network contains multiple layers of elements, with each layer farther from the Point of Presence.
For example, SMs are behind an AP and thus, in this context, at a lower layer than the AP. Correctly
portraying these layers in Network Updater is essential so that Network Updater can perform radio and AP
cluster upgrades in an appropriate order.

Correct layer information ensures that Network Updater does not command an AP that is behind another
AP/SM pair (such as in a remote AP installation) to perform an upgrade at the same time as the SM that
is feeding the AP. If this occurs, then the remote AP loses network connection during the upgrade (when
the SM in front of the AP completes its upgrade and reboots).
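
The layer ordering described above, as an added example that is not CNUT's own code or algorithm: it derives layers from a constructed topology, produces upgrade waves with the most remote elements first, and flags a plan that would upgrade a feeding element at the same time as, or before, an element behind it. The element names and the feeds mapping are assumptions.

```python
def layers(feeds):
    """Map each element to its distance from the Point of Presence.

    feeds[x] is the element that x reaches the network through, or None
    when x is wired toward the Point of Presence.
    """
    depth = {}
    for start in feeds:
        path = []
        node = start
        while node is not None and node not in depth:
            if node in path:
                raise ValueError("loop in topology at %r" % node)
            if node not in feeds:
                raise ValueError("unknown upstream element %r" % node)
            path.append(node)
            node = feeds[node]
        base = -1 if node is None else depth[node]
        for offset, element in enumerate(reversed(path), start=1):
            depth[element] = base + offset
    return depth


def upgrade_waves(feeds):
    """Group elements by layer, farthest layer first."""
    waves = {}
    for element, d in layers(feeds).items():
        waves.setdefault(d, []).append(element)
    return [sorted(waves[d]) for d in sorted(waves, reverse=True)]


def upstream(feeds, element):
    """Every element between this one and the Point of Presence."""
    chain = []
    node = feeds[element]
    while node is not None:
        chain.append(node)
        node = feeds[node]
    return chain


def conflicts(feeds, plan):
    """(element, feeder) pairs where the feeder is upgraded in the same wave
    as, or an earlier wave than, an element that depends on it."""
    layers(feeds)                             # validates the topology first
    when = {e: i for i, wave in enumerate(plan) for e in wave}
    bad = []
    for element in when:
        for feeder in upstream(feeds, element):
            if feeder in when and when[feeder] <= when[element]:
                bad.append((element, feeder))
    return sorted(bad)


# Constructed topology: a remote AP installation behind SM-1.
FEEDS = {
    "AP-1": None,
    "SM-1": "AP-1",
    "SM-2": "AP-1",
    "RemoteAP-1": "SM-1",
    "SM-3": "RemoteAP-1",
}

# A plan grouped by element type instead of by layer (all SMs, then all APs).
BY_TYPE = [["SM-1", "SM-2", "SM-3"], ["AP-1", "RemoteAP-1"]]

if __name__ == "__main__":
    print(upgrade_waves(FEEDS))
    print(conflicts(FEEDS, BY_TYPE))
```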

Script engine
Script Engine is the capability in Network Updater that executes any user-defined script against any
network element or element group. This capability is useful for network management, especially for scripts
that you repetitively execute across your network.
The Autodiscovery capability in Network Updater finds all of your network elements. This comprehensive
discovery

ensures that, when you intend to execute a script against all elements, the script is indeed executed
against all elements.

maintains master lists of elements (element groups) against which you selectively execute scripts.

The following scripts are included with CNUT:

Gather Customer Support Information

Set Access Point Authentication Mode

Set Autoupdate Address on APs

Set SNMP Accessibility

Reset Unit

Software dependencies for CNUT


CNUT functionality requires

one of the following operating systems


o Windows 2000
o Windows Server 2003
o Windows 7
o Windows XP or XP Professional
o Red Hat Enterprise Linux (32-bit) Version 4 or 5

Java Runtime Version 2.0 or later (installed by the CNUT installation tool)

CNUT download
CNUT can be downloaded together with each system release that supports CNUT. Software for these
system releases is available from
http://www.cambiumnetworks.com/support/planning/index.php?cat=3&type=1
as either

a .zip file for use without the CNUT application.

a .pkg file that the CNUT application can open.

Upgrading a module prior to deployment


To upgrade to a new software version, proceed as follows:
Procedure 6 Upgrading a module prior to deployment
1. Go to the support website (see Contacting Cambium Networks on page ix) and find Point-to-Multipoint
software updates. Download and save the required software image (for example
CANOPY120BUILDOFFICIAL_DES.pkg3).

2. Start CNUT.

3. If you don't start up with a blank new network file in CNUT, then open a new network file with the New
Network Archive operation (located at File, New Network).

4. Enter a new network element to the empty network tree using the Add Elements to Network Root
operation (located at Edit, Add Elements to Network Root).

5. In the Add Elements dialogue, select a type of Access Point or Subscriber Module and enter the IP
address of 169.254.1.1.

6. Make sure that the proper Installation Package is active with the Package Manager dialogue (located at
Update, Manage Packages).

7. To verify connectivity with the radio, perform a Refresh, Discover Entire Network operation (located at
View, Refresh/Discover Entire Network). You should see the details columns for the new element
filled in with ESN and software version information.

8. Initiate the upgrade of the radio using Update Entire Network Root operation (located at Update,
Update Entire Network Root). When this operation finishes, the radio is done being upgraded.

Task 4: Configuring General and Unit settings


General Tab of the AP
Table 16 General tab of the AP

The General tab of the AP contains many of the configurable parameters that define how the AP and the
SMs in the sector operate.
Table 17 AP General Configuration attributes
Attribute

Meaning

Device Setting

You can temporarily transform an AP into an SM and thereby use the spectrum
analyzer functionality. Otherwise, the selection for this parameter is AP.

Link Speeds

From the drop-down list of options, select the type of link speed for the
Ethernet connection. The default for this parameter is that all speeds are
selected: Auto 100F/100H/10F/10H. In this setting, the two ends of the link
automatically negotiate with each other whether the speed that they will use is
10 Mbps or 100 Mbps and whether the Ethernet traffic will be full duplex or
half duplex. However, Ethernet links work best when either:

both ends are set to the same forced selection

both ends are set to auto-negotiate and both have capability in at least one
common speed and traffic type combination.

Configuration Source

See Setting the Configuration Source on page 1-103.

Sync Input

Specify the type of synchronization for this AP to use:


Select Sync to Received Signal (Power Port) to set this AP to receive sync
from a connected CMMmicro or CMM4.
Select Sync to Received Signal (Timing Port) to set this AP to receive sync
from a connected CMM2, an AP in the cluster, or an SM.
Select Generate Sync Signal where the AP does not receive sync, and no
other AP is active within the link range.
Select Sync to iGPS to set this AP to receive sync from its internal GPS
module.

Region

From the drop-down list, select the region in which the radio is operating.

Country

From the drop-down list, select the country in which the radio is operating.
Unlike selections in other parameters, your Country selection requires a
Save Changes and a Reboot cycle before it will force the context-sensitive
GUI to display related options (for example, Alternate Frequency Carrier 1
and 2 in the Configuration => Radio tab).
PMP 450 equipment shipped to the United States is locked to a Region Code
setting of United States. Units shipped to regions other than the United
States must be configured with the corresponding Region Code to comply with
local regulatory requirements.
Country Code settings affect the radios in the following ways:

Maximum transmit power limiting (based on radio transmitter power plus
configured antenna gain)

DFS operation is enabled based on the configured region code, if
applicable

For more information on how transmit power limiting and DFS are
implemented for each country, see the PMP 450 Planning Guide.

Webpage Auto Update

Enter the frequency (in seconds) for the web browser to automatically refresh
the web-based interface. The default setting is 0. The 0 setting causes the
web-based interface to never be automatically refreshed.

Bridge Entry Timeout

Specify the appropriate bridge timeout for correct network operation with the
existing network infrastructure. The Bridge Entry Timeout should be a longer
period than the ARP (Address Resolution Protocol) cache timeout of the router
that feeds the network.

An inappropriately low Bridge Entry Timeout setting may lead to
temporary loss of communication with some end users.

Translation Bridging

Optionally, you can configure the AP to change the source MAC address in
every packet it receives from its SMs to the MAC address of the SM that
bridged the packet, before forwarding the packet toward the public network. If
you do, then

not more than 10 IP devices at any time are valid to send data to
the AP from behind the SM.

the AP populates the Translation Table tab of its Statistics web
page, displaying the MAC address and IP address of all the valid
connected devices.

each entry in the Translation Table is associated with the number
of minutes that have elapsed since the last packet transfer
between the connected device and the SM.

if 10 are connected, and another attempts to connect
o and no Translation Table entry is older than 255 minutes, the
attempt is ignored.
o and an entry is older than 255 minutes, the oldest entry is
removed and the attempt is successful.

the Send Untranslated ARP parameter in the General tab of the
Configuration page can be
o disabled, so that the AP will overwrite the MAC address in
Address Resolution Protocol (ARP) packets before
forwarding them.
o enabled, so that the AP will forward ARP packets regardless
of whether it has overwritten the MAC address.

When this feature is disabled, the setting of the Send Untranslated ARP
parameter has no effect, because all packets are forwarded untranslated (with
the source MAC address intact).

Send Untranslated ARP

If the Translation Bridging parameter is set to Enabled, then the Send
Untranslated ARP parameter can be
o disabled, so that the AP will overwrite the MAC address in Address Resolution
Protocol (ARP) packets before forwarding them.
o enabled, so that the AP will forward ARP packets regardless of whether it has
overwritten the MAC address.
If the Translation Bridging parameter is set to Disabled, then the Send
Untranslated ARP parameter has no effect.

SM Isolation

Prevent or allow SM-to-SM communication by selecting from the following
drop-down menu items:
Disable SM Isolation (the default selection). This allows full communication
between SMs.
Block SM Packets from being forwarded. This prevents both
multicast/broadcast and unicast SM-to-SM communication.
Block and Forward SM Packets to Backbone. This not only prevents
multicast/broadcast and unicast SM-to-SM communication but also sends the
packets, which otherwise would have been handled SM to SM, through the
Ethernet port of the AP.

Update Application Address

Enter the address of the server to access for software updates on this AP and
registered SMs.

Prioritize TCP ACK

To reduce the likelihood of TCP acknowledgement packets being dropped, set
this parameter to Enabled. This can improve throughput that the end user
perceives during transient periods of congestion on the link that is carrying
acknowledgements.

Multicast Destination Address

Using Link Layer Discovery Protocol (LLDP), a module exchanges multicast
addresses with the device to which it is wired on the Ethernet interface.
Although some switches (CMMmicro, for example) do not pass LLDP
addresses upward in the network, a radio can pass it as the value of the
Multicast Destination Address parameter value in the connected device that
has it populated.
In this way, an SM can report to WM, for example, the multicast address of a
connected remote AP, and thus allow Wireless Manager to discover that AP.
To allow this, set the message mode in the remote AP to LLDP Multicast. The
SM will pass this address in broadcast mode, and the CMMmicro will pass the
address upward in the network, since it does not discard addresses that it
receives in broadcast mode.
Where the AP is not behind another device, the Broadcast mode will allow
discovery of the AP.

DHCP Relay Agent

The AP may act as a DHCP relay for SMs and CPEs underneath it. The AP
will make use of the DHCP Option 82 (DHCP Relay Agent Information) from
RFC 3046 when performing relay functions. The AP offers two types of
DHCP relay functionality:
Full Relay Information. Configuring the DHCP Full Relay Operation will
take broadcast DHCP packets and send them to a Unicast server in unicast
mode. This way the DHCP requests and replies can be routed like any other
UDP packet.
Only Insert Option 82. This option leaves the DHCP request on its broadcast
domain as opposed to DHCP Full Relay Operation which will turn it into a
unicast packet.
In order to accommodate setting up pools or classes for different VLANs, the
Option 82 field will include information to tell the server what VLAN the
client is on.

DHCP Server (Name or IP Address)

The DHCP relay server may be either a DNS name or a static IP address in
dotted decimal notation. Additionally the management DNS domain name may
be toggled such that the name of the DHCP relay server only needs to be
specified and the DNS domain name is automatically appended to that name.
The default DHCP relay server address is 255.255.255.255 with the
appending of the DNS domain name disabled.

Coordinates

Physical radio location data may be configured via the Latitude, Longitude,
and Height fields.
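
The Translation Bridging attribute in Table 17 describes a 10-entry table with a 255-minute staleness rule. The model below is an added example, not Cambium code; it assumes one table per SM and uses constructed MAC and IP addresses. It is useful when diagnosing why an eleventh device behind an SM is silently ignored.

```python
class TranslationTable:
    """Model of the Translation Table slots for the devices behind one SM."""

    MAX_DEVICES = 10        # "not more than 10 IP devices at any time"
    STALE_AFTER_MIN = 255   # an entry must be older than this to be replaced

    def __init__(self):
        self._entries = {}  # device MAC -> [IP, minute of last packet]

    def packet(self, mac, ip, now_min):
        """Record a packet from a device; return True if the device is valid."""
        if mac in self._entries:
            self._entries[mac] = [ip, now_min]     # refresh resets the age
            return True
        if len(self._entries) >= self.MAX_DEVICES:
            oldest = min(self._entries, key=lambda m: self._entries[m][1])
            age = now_min - self._entries[oldest][1]
            if age <= self.STALE_AFTER_MIN:
                return False                       # attempt is ignored
            del self._entries[oldest]              # oldest entry is removed
        self._entries[mac] = [ip, now_min]
        return True

    def rows(self, now_min):
        """(MAC, IP, age in minutes) for each valid device, as the tab shows."""
        return sorted((mac, ip, now_min - seen)
                      for mac, (ip, seen) in self._entries.items())


def demo():
    """Constructed timeline: ten devices, then an eleventh that keeps trying."""
    table = TranslationTable()
    for n in range(10):
        table.packet("00:00:5e:00:53:%02x" % n, "192.168.0.%d" % (n + 10), 0)
    newcomer = ("00:00:5e:00:53:ff", "192.168.0.99")
    results = []
    for minute in (100, 255, 256):
        # Devices 1..9 keep talking; device 0 has been silent since minute 0.
        for n in range(1, 10):
            table.packet("00:00:5e:00:53:%02x" % n, "192.168.0.%d" % (n + 10), minute)
        results.append((minute, table.packet(*newcomer, now_min=minute)))
    return table, results


if __name__ == "__main__":
    table, results = demo()
    print(results)
    for row in table.rows(256):
        print(row)
```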

Unit Settings Tab of the AP


Figure 16 Unit Settings tab of the AP

The Unit Settings tab of the AP contains an option for how the AP should react when it detects a connected
override plug. You may set this option as follows.
Table 18 AP Unit Settings attributes
Attribute

Meaning

Set to Factory Defaults Upon Default Plug Detection

If Enabled is checked, then an override/default plug functions as a default
plug. When the module is rebooted with the plug inserted, it can be accessed at
the IP address 169.254.1.1 and no password, and all parameter values are reset
to defaults. A subscriber, technician, or other person who gains physical access
to the module and uses an override/default plug cannot see or learn the settings
that were previously configured in it. When the module is later rebooted with
no plug inserted, the module uses the new values for any parameters that were
changed and the default values for any that were not.
If Disabled is checked, then an override/default plug functions as an override
plug. When the module is rebooted with the plug inserted, it can be accessed at
the IP address 169.254.1.1 and no password, and all previously configured
parameter values remain and are displayed. A subscriber, technician, or other
person who gains physical access to the module and uses an override/default
plug can see and learn the settings. When the module is later rebooted with no
plug inserted, the module uses the new values for any parameters that were
changed and the previous values for any that were not.
See Overriding Forgotten IP Addresses or Passwords on AP on Page 1-58.

Undo Unit-Wide Saved Changes

When you click this button, any changes that you made in any tab but did not
commit by a reboot of the module are undone.

Set to Factory Defaults

When you click this button, all configurable parameters on all tabs are reset to
the factory settings.

General Tab of the SM


Figure 17 General tab of the SM

In the General tab of the SM, you may set the following parameters.
Table 19 SM General Configuration attributes
Attribute

Meaning

Link Speeds

From the drop-down list of options, select the type of link speed for the
Ethernet connection. The default for this parameter is that all speeds are
selected. The recommended setting is a single speed selection for all
APs and SMs in the operator network.

Ethernet Link Enable/Disable

Specify whether to enable or disable Ethernet/802.3 connectivity on the
wired port of the SM. This parameter has no effect on the wireless link.
When you select Enable, this feature allows traffic on the
Ethernet/802.3 port. This is the factory default state of the port. When
you select Disable, this feature prevents traffic on the port. Typical
cases of when you may want to select Disable include:
The subscriber is delinquent with payment(s).
You suspect that the subscriber is sending or flooding undesired
broadcast packets into the network, such as when
a virus is present in the subscriber's computing device.
the subscriber's home router is improperly configured.

Region

This parameter allows you to set the region in which the radio will
operate.
The SM radio automatically inherits the Region type of the master. This
behavior ignores the value of the Region parameter in the SM, even
when the value is None. Nevertheless, since future system software
releases may read the value in order to configure some other region-sensitive
feature(s), this parameter should always be set to the value
that corresponds to the local region.

Country

This parameter allows you to set the country in which the radio will
operate.
The SM radio automatically inherits the Country Code type of the
master. This behavior ignores the value of the Country parameter in
the SM, even when the value is None. Nevertheless, since future
system software releases may read the value in order to configure some
other region-sensitive feature(s), this parameter should always be set to
the value that corresponds to the local region.
PMP 450 equipment shipped to the United States is locked to a Region
Code setting of United States. Units shipped to regions other than
the United States must be configured with the corresponding Region
Code to comply with local regulatory requirements.

Webpage Auto Update

Enter the frequency (in seconds) for the web browser to automatically
refresh the web-based interface. The default setting is 0. The 0 setting
causes the web-based interface to never be automatically refreshed.

Bridge Entry Timeout

Specify the appropriate bridge timeout for correct network operation
with the existing network infrastructure. Timeout occurs when the AP
encounters no activity with the SM (whose MAC address is the bridge
entry) within the interval that this parameter specifies. The Bridge
Entry Timeout should be a longer period than the ARP (Address
Resolution Protocol) cache timeout of the router that feeds the network.

This parameter governs the timeout interval, even if a router in the
system has a longer timeout interval. The default value of this field
is 25 minutes.
An inappropriately low Bridge Entry Timeout setting may lead to
temporary loss of communication with some end users.

Frame Timing Pulse Gated

If this SM extends the sync pulse to a BH master or an AP, select either
Enable: If this SM loses sync from the AP, then do not propagate a
sync pulse to the BH timing master or other AP. This setting prevents
interference in the event that the SM loses sync.
Disable: If this SM loses sync from the AP, then propagate the sync
pulse to the BH timing master or other AP.

Multicast Destination Address

Using Link Layer Discovery Protocol (LLDP), a module exchanges
multicast addresses with the device to which it is wired on the Ethernet
interface. Although some switches (CMMmicro, for example) do not
pass LLDP addresses upward in the network, a radio can pass it as the
value of the Multicast Destination Address parameter value in the
connected device that has it populated.
In this way, an SM can report to WM, for example, the multicast
address of a connected remote AP, and thus allow Wireless Manager to
discover that AP. To allow this, set the message mode in the remote AP
to LLDP Multicast. Set this parameter in the SM to Broadcast. The
SM will pass this address in broadcast mode, and the CMMmicro will
pass the address upward in the network, since it does not discard
addresses that it receives in broadcast mode.
Where the AP is not behind another device, the Broadcast mode will
allow discovery of the AP.

Coordinates

Physical radio location data may be configured via the Latitude,
Longitude, and Height fields.

Unit Settings Tab of the SM


Figure 18 Unit Settings tab of the SM

The Unit Settings tab of the SM contains an option for how the SM should react when it detects a
connected override plug. You may set this option as follows.
Table 20 SM Unit Settings attributes
Attribute

Meaning

Set to Factory Defaults Upon Default Plug Detection

If Enabled is checked, then an override/default plug functions as a default
plug. When the module is rebooted with the plug inserted, it can be accessed at
the IP address 169.254.1.1 and no password, and all parameter values are reset
to defaults. A subscriber, technician, or other person who gains physical access
to the module and uses an override/default plug cannot see or learn the settings
that were previously configured in it. When the module is later rebooted with
no plug inserted, the module uses the new values for any parameters that were
changed and the default values for any that were not.
If Disabled is checked, then an override/default plug functions as an override
plug. When the module is rebooted with the plug inserted, it can be accessed at
the IP address 169.254.1.1 and no password, and all previously configured
parameter values remain and are displayed. A subscriber, technician, or other
person who gains physical access to the module and uses an override/default
plug can see and learn the settings. When the module is later rebooted with no
plug inserted, the module uses the new values for any parameters that were
changed and the previous values for any that were not.
See Overriding Forgotten IP Addresses or Passwords on AP on Page 1-58.

LED Panel Mode

Revised Mode is reserved for 900 MHz indoor SM units.
Legacy Mode configures the radio to operate with standard LED behavior (see
section SM Interfaces in the PMP 450 Planning Guide or in the PMP 450
Installation Guide).

Undo Unit-Wide Saved Changes

When you click this button, any changes that you made in any tab but did not
commit by a reboot of the module are undone.

Set to Factory Defaults

When you click this button, all configurable parameters on all tabs are reset to
the factory settings.

Time tab of the AP


Figure 19 Time tab of the AP

You may set the time parameters as follows:


Table 21 AP Time attributes
Attribute

Meaning

NTP Server (Name or IP


Address)

The management DNS domain name may be toggled such that the name of the
NTP server only needs to be specified and the DNS domain name is
automatically appended to that name.

pmp-0050 (January 2013)

1-53

PMP 450 Configuration and User Guide

Task 4: Configuring General and Unit settings

Attribute

Meaning

NTP Server 1 (Name or IP


Address)

To have each log in the AP correlated to a meaningful time and date, either a
reliable network element must pass time and date to the AP or you must set the
time and date whenever a power cycle of the AP has occurred. A network
element passes time and date in any of the following scenarios:

NTP Server 2 (Name or IP


Address)
NTP Server 3 (Name or IP
Address)

A connected CMM2 or CMM4 passes time and date (GPS time and date,
if received).

A connected CMMmicro passes the time and date (GPS time and date, if
received), but only if both the CMMmicro is operating on CMMmicro
Release 2.1 or later release. (These releases include NTP server
functionality.)

A separate NTP server is addressable from the AP.

If the AP should obtain time and date from a CMMmicro, CMM4, or a


separate NTP server, enter the IP address or DNS name of the CMM or NTP
server on this tab. To force the AP to obtain time and date before the first (or
next) 15-minute interval query of the NTP server, click Get Time through
NTP.
The polling of the NTP servers is done in a sequential fashion, and the polling
status of each server is displayed in the NTP Update Log section of the Time
Configuration page. An entry of 0.0.0.0 in any of the NTP Server fields
indicates an unused server configuration.


NTP Server(s) in Use

Lists the IP addresses of servers used for NTP retrieval.

Time Zone

The Time Zone option may be used to offset the received NTP time to match
the operator's local time zone. When set on the AP, the offset will be set for
the entire sector (SMs will be notified of the current Time Zone upon initial
registration). If a Time Zone change is applied, the SMs will be notified of the
change in a best-effort fashion, meaning some SMs may not pick up the change
until the next re-registration. Time Zone changes are noted in the Event Log
of the AP and SM.

System Time

The current time used by the system.

Last NTP Time Update

The last time that the system time was set via NTP.

Time

This field may be used to manually set the system time of the radio.

Date

This field may be used to manually set the system date of the radio.


Task 5: Configuring security


Perform this task to configure the PMP 450 system in accordance with the network operator's security
policy. Choose from the following procedures:

Isolating APs from the internet on page 1-55: to ensure that APs are properly secured from external
networks

Encrypting radio transmissions on page 1-56: to configure the unit to operate with AES or DES
wireless link security

Managing module access by passwords on page 1-56: to set up the AP to require SMs to authenticate
via the AP, WM, or RADIUS server

Filtering protocols and ports on page 1-60: to filter (block) specified protocols and ports from leaving
the system

Requiring SM Authentication on page 1-60: to configure the network to only allow registration to
authenticated SMs

Encrypting downlink broadcasts on page 1-63: to encrypt downlink broadcast transmissions such as
ARP and NetBIOS

Isolating SMs on page 1-63: to prevent SMs in the same sector from directly communicating with
each other

Filtering management through Ethernet on page 1-63: to prevent management access to the SM via the
radio's Ethernet port

Allowing management only from specified IP addresses on page 1-64: to only allow radio
management interface access from specified IP addresses

Configuring management IP by DHCP on page 1-64: to allow the radio's management IP address to
be assigned by a network DHCP server

Restricting radio Telnet access over the RF interface on page 1-64: to restrict Telnet access to the AP

Isolating APs from the internet


Ensure that the IP addresses of the APs in your network

are not routable over the Internet.

do not share the subnet of the IP address of your user.

RFC 1918, Address Allocation for Private Subnets, reserves for private IP networks three blocks of IP
addresses that are not routable over the Internet:

/8 subnets have one reserved network, 10.0.0.0 to 10.255.255.255.

/16 subnets have 16 reserved networks, 172.16.0.0 to 172.31.255.255.

/24 subnets have 256 reserved networks, 192.168.0.0 to 192.168.255.255.
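An added example (not from the Cambium guide): a Python check of a list of AP management addresses against the two rules above. The AP addresses and subscriber subnets are constructed sample values, and the finding codes are names chosen for this example; 169.254.1.1 is the factory-default address this guide gives.

```python
import ipaddress

# The three private blocks listed above, in CIDR form.
RFC1918_BLOCKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
# Factory-default management address given in this guide.
FACTORY_DEFAULT_IP = ipaddress.ip_address("169.254.1.1")


def audit_ap_addresses(ap_addresses, subscriber_subnets):
    """Return {address: [finding codes]} for every AP address that breaks a rule.

    Rule 1: the address must sit inside an RFC 1918 block.
    Rule 2: the address must not fall inside any subscriber (user) subnet.
    """
    subnets = [ipaddress.ip_network(s, strict=False) for s in subscriber_subnets]
    report = {}
    for raw in ap_addresses:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            report[raw] = ["UNPARSEABLE"]
            continue
        problems = []
        if ip == FACTORY_DEFAULT_IP:
            # Link-local, so not Internet-routable, but the unit was never readdressed.
            problems.append("FACTORY_DEFAULT_IP")
        elif not any(ip in block for block in RFC1918_BLOCKS):
            problems.append("NOT_RFC1918")
        problems += ["SHARES_SUBNET " + str(s) for s in subnets if ip in s]
        if problems:
            report[raw] = problems
    return report


# Constructed sample inventory (not real deployment data).
AP_ADDRESSES = [
    "10.20.0.11",    # private, separate from subscribers
    "172.32.5.1",    # just outside 172.16.0.0 to 172.31.255.255
    "192.168.10.5",  # private, but inside a subscriber subnet
    "169.254.1.1",   # factory default
    "203.0.113.9",   # documentation range, not private
    "10.20.0.300",   # typo in the inventory
]
SUBSCRIBER_SUBNETS = ["192.168.10.0/24", "100.64.0.0/10"]

if __name__ == "__main__":
    for address, problems in audit_ap_addresses(AP_ADDRESSES, SUBSCRIBER_SUBNETS).items():
        print(address, ", ".join(problems))
```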


Encrypting radio transmissions


Cambium fixed wireless broadband IP systems employ the following form of encryption for security of the
wireless link:

DES (Data Encryption Standard), an over-the-air link option that uses secret
56-bit keys and 8 parity bits.

DES Encryption
Standard modules provide DES encryption. DES performs a series of bit permutations, substitutions, and
recombination operations on blocks of data. DES Encryption does not affect the performance or throughput
of the system.

Managing module access by passwords


Adding a User for Access to a Module
From the factory, each module has a preconfigured administrator-level account in the name root, which
initially requires no associated password. This is the same root account that you may have used for access
to the module by ftp. When you upgrade a module:

an account is created in the name admin.

both admin and root inherit the password that was previously used for access to the module:
o the Full Access password, if one was set.
o the Display-Only Access password, if one was set and no Full Access password was set.

Each module supports four or fewer user accounts, regardless of account levels. The available levels are

ADMINISTRATOR, who has full read and write permissions. This is the level of the root and
admin users, as well as any other administrator accounts that one of them creates.

INSTALLER, who has permissions identical to those of ADMINISTRATOR except that the installer
cannot add or delete users or change the password of any other user.

TECHNICIAN, who has permissions to modify basic radio parameters and view informational web
pages.

GUEST, who has no write permissions and only a limited view of General Status tab.

From the factory default state, configure passwords for both the root and admin account at the
ADMINISTRATOR permission level, using the Account, Change Users Password tab. (If you configure
only one of these, then the other will still require no password for access into it and thus remain a security
risk.) If you are intent on configuring only one of them, delete the admin account. The root account is
the only account that CNUT uses to update the module.


Figure 20 General Status tab view for GUEST-level account

Figure 21 SM Add User tab


After a password has been set for any ADMINISTRATOR-level account, initial access to the module GUI
opens the view of GUEST level.

Deleting a User from Access to a Module


The Account => Delete User tab provides a drop-down list of configured users from which to select the
user you want to delete.
Figure 22 Delete User tab of the SM

Accounts that cannot be deleted are

the current user's own account.

the last remaining account of ADMINISTRATOR level.

Overriding Forgotten IP Addresses or Passwords on AP and SM


A small adjunctive product allows you to temporarily override some AP/SM settings and thereby regain
control of the module. This override plug is needed for access to the module in any of the following cases:

You have forgotten either


o the IP address assigned to the module.
o the password that provides access to the module.

The module has been locked by the No Remote Access feature.

You want local access to a module that has had the 802.3 link disabled in the Configuration page.

You can configure the module such that, when it senses the override plug, it responds by either

resetting the LAN1 IP address to 169.254.1.1, allowing access through the default configuration
without changing the configuration, whereupon you will be able to view and reset any non-default
values as you wish.

resetting all configurable parameters to their factory default values.

Acquiring the Override Plug


You can either purchase or fabricate an override plug as follows. To purchase an override plug for a
nominal fee, order the plug at http://www.best-tronics.com. To fabricate an override plug, perform the
following steps.


Procedure 7 Constructing an override plug

1. Install an RJ-11 6-pin connector onto a 6-inch length of CAT 5 cable.

2. Pin out all 6 pins.

3. Short (solder together) Pins 4 and 6 on the other end. Do not connect any other wires to anything.

Figure 23 RJ-11 pinout for the override plug

Pin 1    white / orange    Pin 1
Pin 2    white / green     Pin 2
Pin 3    white / blue      Pin 3
Pin 4    green             Pin 6
Pin 5    blue              Pin 5
Pin 6    orange            Pin 4

Using the Override Plug

While the override plug is connected to a module, the module can neither register nor allow registration of
another module.

To regain access to the module, perform the following steps.


Procedure 8 Using the override plug

1. Insert the override plug into the RJ-11 GPS utility port of the module.

2. Power cycle by removing, then re-inserting, the Ethernet cable.

   RESULT: The module boots with the default IP address of 169.254.1.1, password fields blank, and all
   other configuration values as previously set.

3. Wait approximately 30 seconds for the boot to complete.

4. Remove the override plug.

5. Set passwords and IP address as desired.

6. Change configuration values if desired.

7. Click the Save Changes button.

8. Click the Reboot button.


Requiring SM Authentication
Through the use of a shared AP key, or an external RADIUS (Remote Authentication Dial In User Service)
server, you can enhance network security by requiring SMs to authenticate when they register.
For descriptions of each of the configurable security parameters on the AP, see section Security Tab of the
AP on page 1-67. For descriptions of each of the configurable security parameters on the SM, see section
Security Tab of the SM on page 1-72.
Operators may use the AP's Authentication Mode field to select from among the following authentication
modes:

Disabled - the AP requires no SMs to authenticate.

Authentication Server - the AP requires any SM that attempts registration to be authenticated in
Wireless Manager before registration.

AP PreShared Key - The AP acts as the authentication server to its SMs and will make use of a
user-configurable pre-shared authentication key. The operator enters this key on both the AP and all SMs
desired to register to that AP. There is also an option of leaving the AP and SMs at their default setting
of using the Default Key. Due to the nature of the authentication operation, if you want to set a
specific authentication key, then you MUST configure the key on all of the SMs and reboot them
BEFORE enabling the key and option on the AP. Otherwise, if you configure the AP first, none of the
SMs will be able to register.

RADIUS AAA - When RADIUS AAA is selected, up to 3 Authentication Server (RADIUS Server) IP
addresses and Shared Secrets can be configured. The IP address(es) configured here must match the IP
address(es) of the RADIUS server(s). The shared secret(s) configured here must match the shared
secret(s) configured in the RADIUS server(s). Servers 2 and 3 are meant for backup and reliability, not
for splitting the database. If Server 1 doesn't respond, Server 2 is tried, and then Server 3. If Server 1
rejects authentication, the SM is denied entry to the network, and the remaining servers are not
tried. For more information on configuring the PMP 450 network to utilize a RADIUS server, see
section Task 12: Configuring a RADIUS server on page 1-112.

Filtering protocols and ports


You can filter (block) specified protocols and ports from leaving the AP and SM and entering the network.
This protects the network from both intended and inadvertent packet loading or probing by network users.
By keeping the specified protocols or ports off the network, this feature also provides a level of protection
to users from each other.
Protocol and port filtering is set per AP/SM. Except for filtering of SNMP ports, filtering occurs as packets
leave the AP/SM. If an SM is configured to filter SNMP, then SNMP packets are blocked from entering the
SM and, thereby, from interacting with the SNMP portion of the protocol stack on the SM.

Port Filtering with NAT Enabled


Where NAT is enabled, you can filter only the three user-defined ports. The following are example
situations in which you can configure port filtering where NAT is enabled.


To block a subscriber from using FTP, you can filter Ports 20 and 21 (the FTP ports) for both the TCP
and UDP protocols.


To block a subscriber from access to SNMP, you can filter Ports 161 and 162 (the SNMP ports) for
both the TCP and UDP protocols.

In only the SNMP case, filtering occurs before the packet interacts with the protocol stack.

Protocol and Port Filtering with NAT Disabled


Where NAT is disabled, you can filter both protocols and the three user-defined ports. Using the check
boxes on the interface, you can either

allow all protocols except those that you wish to block.

block all protocols except those that you wish to allow.

You can allow or block any of the following protocols:

PPPoE (Point to Point Protocol over Ethernet)

Any or all of the following IPv4 (Internet Protocol version 4) protocols:


o SMB (Network Neighborhood)
o SNMP
o Up to 3 user-defined ports
o All other IPv4 traffic

Uplink Broadcast

ARP (Address Resolution Protocol)

All others


Figure 24 Categorical protocol filtering
[Diagram of the filter categories: BootP Server, BootP Client, IPv4 Multicast, SNMP, All Other IPv4,
SMB, User Defined Port 1, User Defined Port 2, User Defined Port 3, ARP, PPPoE, All Others]

The following are example situations in which you can configure protocol filtering where NAT is disabled:

If you block a subscriber from only PPPoE and SNMP, then the subscriber retains access to all other
protocols and all ports.

If you block PPPoE, IPv4, and Uplink Broadcast, and you also check the
All others selection, then only Address Resolution Protocol is not filtered.

Further information is provided under Protocol Filtering Tab of the SM on Page 1-76.

Figure 25 Ports filtered per protocol selection

Protocol Selected    Port Filtered (Blocked)

SMB                  Destination Ports 137 TCP and UDP, 138 UDP, 139 TCP, 445 TCP
SNMP                 Destination Ports 161 TCP and UDP, 162 TCP and UDP
Bootp Client         Source Port 68 UDP
Bootp Server         Source Port 67 UDP
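An added example (not from the Cambium guide): a Python model of the port table above that reports which selection, if any, blocks a given TCP or UDP packet. It covers only the port-based selections, the sample packets are constructed, and matching user-defined ports on the destination port is an assumption, since the guide does not say which side is matched.

```python
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    proto: str     # "tcp" or "udp"
    src_port: int
    dst_port: int


BOTH = frozenset({"tcp", "udp"})

# (side matched, port, protocols) per selection, from "Ports filtered per protocol selection".
FILTER_TABLE = {
    "SMB": [("dst", 137, BOTH), ("dst", 138, {"udp"}), ("dst", 139, {"tcp"}), ("dst", 445, {"tcp"})],
    "SNMP": [("dst", 161, BOTH), ("dst", 162, BOTH)],
    "Bootp Client": [("src", 68, {"udp"})],
    "Bootp Server": [("src", 67, {"udp"})],
}


def user_defined(port, tcp=False, udp=False):
    """Build one user-defined port rule (assumption: matched on destination port)."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    protos = {name for name, enabled in (("tcp", tcp), ("udp", udp)) if enabled}
    if not protos:
        raise ValueError("enable TCP and/or UDP for the port")
    return ("dst", port, protos)


def blocking_rule(packet, selected, user_ports=()) -> Optional[str]:
    """Return the name of the selection that blocks the packet, or None if it passes."""
    if len(user_ports) > 3:
        raise ValueError("only three user-defined ports are available")
    rules = []
    for name in sorted(selected):
        if name not in FILTER_TABLE:
            raise ValueError("not a port-based selection: %r" % name)
        rules += [(name, rule) for rule in FILTER_TABLE[name]]
    rules += [("User Defined Port %d" % i, rule) for i, rule in enumerate(user_ports, 1)]
    for name, (side, port, protos) in rules:
        seen = packet.dst_port if side == "dst" else packet.src_port
        if seen == port and packet.proto in protos:
            return name
    return None


def unfiltered(packets, selected, user_ports=()):
    """Packets from the list that no configured rule blocks."""
    return [p for p in packets if blocking_rule(p, selected, user_ports) is None]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("udp", 50000, 161),  # SNMP query
    Packet("tcp", 50001, 139),  # NetBIOS session
    Packet("tcp", 50002, 138),  # 138 is filtered for UDP only
    Packet("udp", 50003, 445),  # 445 is filtered for TCP only
    Packet("udp", 68, 67),      # DHCP/BootP client request
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", blocking_rule(p, {"SMB", "SNMP"}) or "passes")
```

The Bootp selections match on source port, so a client request (source 68) is caught by Bootp Client while a server reply (source 67) is caught only by Bootp Server.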


Encrypting downlink broadcasts


An AP can be enabled to encrypt downlink broadcast packets such as the following:

ARP

NetBIOS

broadcast packets containing video data on UDP.

The encryption used is DES for a DES-configured module, and AES for an AES-configured module.
Before the Encrypt Downlink Broadcast feature is enabled on the AP, air link security should be enabled on
the AP.

Isolating SMs
In an AP, you can prevent SMs in the sector from directly communicating with each other. In CMMmicro
Release 2.2 or later and the CMM4, you can prevent connected APs from directly communicating with
each other, which prevents SMs that are in different sectors of a cluster from communicating with each
other.
In the AP, the SM Isolation parameter is available in the General tab of the Configuration web page. In the
drop-down menu for that parameter, you can configure the SM Isolation feature by any of the following
selections:

Disable SM Isolation (the default selection). This allows full communication between SMs.

Block SM Packets from being forwarded. This prevents both multicast/broadcast and unicast SM-to-SM communication.

Block and Forward SM Packets to Backbone. This not only prevents multicast/broadcast and
unicast SM-to-SM communication but also sends the packets, which otherwise would have been
handled SM to SM, through the Ethernet port of the AP.

In the CMMmicro and the CMM4, SM isolation treatment is the result of how you choose to manage the
port-based VLAN feature of the embedded switch, where you can switch all traffic from any AP to an
uplink port that you specify. However, this is not packet level switching. It is not based on VLAN IDs. See
the VLAN Port Configuration parameter in the dedicated user guide that supports the CMM product that
you are deploying.

Filtering management through Ethernet


You can configure the SM to disallow any device that is connected to its Ethernet port from accessing the
IP address of the SM. If you set the Ethernet Access Control parameter to Enabled, then

no attempt to access the SM management interface (by http, SNMP, ftp, or tftp) through Ethernet can
succeed.

any attempt to access the SM management interface over the air (by IP address, presuming that LAN1
Network Interface Configuration, Network Accessibility is set to Public, or by link from the
Session Status or Remote Subscribers tab in the AP) is unaffected.


Allowing management only from specified IP addresses


The Security tab of the Configuration web page in the AP and SM includes the IP Access Control
parameter. You can specify one, two, or three IP addresses that should be allowed to access the
management interface (by http, SNMP, ftp, or tftp).
If you select

IP Access Filtering Disabled, then management access is allowed from any IP address, even if the
Allowed Source IP 1 to 3 parameters are populated.

IP Access Filtering Enabled, and specify at least one address in the Allowed Source IP 1 to 3
parameter, then management access is limited to the specified address(es). If you intend to use
Wireless Manager to manage the element, then you must ensure that the IP address of the Wireless
Manager server is listed here.

Configuring management IP by DHCP


The IP tab in the Configuration web page of every radio contains a LAN1 Network Interface
Configuration, DHCP State parameter that, if enabled, causes the IP configuration (IP address, subnet
mask, and gateway IP address) to be obtained through DHCP instead of the values of those individual
parameters. The setting of this DHCP state parameter is also viewable, but is not settable, in the Network
Interface tab of the Home page.
In the SM, this parameter is settable

in the NAT tab of the Configuration web page, but only if NAT is enabled.

in the IP tab of the Configuration web page, but only if the Network Accessibility parameter in the IP
tab is set to Public.

Restricting radio Telnet access over the RF interface


RF Telnet Access restricts Telnet access to the AP from a device situated below a network SM
(downstream from the AP). This is a security enhancement to restrict RF-interface sourced AP access
specifically to the LAN1 IP address and LAN2 IP address (Radio Private Address, typically
192.168.101.[LUID]). This restriction disallows unauthorized users from running Telnet commands on the
AP that can change AP configuration or modify network-critical components such as routing and ARP
tables.
The RF Telnet Access may be configured via the AP GUI or via SNMP commands, and RF Telnet Access
is set to Enabled by default. Once RF Telnet Access is set to Disabled, if there is a Telnet session
attempt to the AP originating from a device situated below the SM (or any downstream device), the attempt
will be dropped. This also includes Telnet session attempts originated from the SM's management
interface (if a user has initiated a Telnet session to an SM and attempts to Telnet from the SM to the AP).
In addition, if there are any active Telnet connections to the AP originating from a device situated below
the SM (or any downstream device), the connection will be dropped. This behavior should be considered if
system administrators use Telnet downstream from an AP (from a registered SM) to modify system
parameters.


Setting RF Telnet Access to Disabled does not affect devices situated above the AP from accessing the
AP via Telnet, including servers running the CNUT (Canopy Network Updater Tool) application. Also,
setting RF Telnet Access to Disabled does not affect any Telnet access into upstream devices (situated
above or adjacent to the AP) through the AP (see figure below).
The figure below depicts a user attempting two telnet sessions. One is targeted for the AP (orange) and one
is targeted for the network upstream from the AP (green). If RF Telnet Access is set to Disabled, the
Telnet attempt from the user to the AP will be blocked, but the attempt from the user to Network will be
allowed to pass through the Cambium network.
Figure 26 RF Telnet Access Restrictions (orange) and Flow through (green)

Key Security Considerations when using the RF Telnet Access Feature

To ensure that the network is fully protected from unauthorized AP Telnet sessions, the following topics
must be considered:

Securing AP Clusters
When working with a cluster of AP units, to eliminate potential security holes allowing Telnet access,
ensure that the RF Telnet Access parameter is set to Disabled for every AP in the cluster. In addition,
since users situated below the AP are able to pass Telnet sessions up through the SM and AP to the
upstream network (while AP RF Telnet Access is set to Disabled), ensure that all CMM3/CMM4 or other
networking equipment is secured with strong passwords. Otherwise, users may Telnet to the
CMM3/CMM4 or other networking equipment, and subsequently access network APs (see figure below)
via their Ethernet interfaces (since RF Telnet Access only prevents Telnet sessions originating from the
AP's wireless interface).


Figure 27 RF Telnet Access Restriction (orange) and Potential Security Hole (green)

As a common practice, AP administrator usernames and passwords should be secured with strong, non-default passwords.

Securing SNMP Access


Ensure that AP SNMP Community Strings are set to a string other than the radio default (Canopy). Also,
ensure that the SNMP accessing subnets are configured to prohibit unauthorized SNMP configuration of
the RF Telnet Access parameter.

Restricting AP RF Telnet Access


AP Telnet access via the RF interface may be configured in two ways: the AP GUI and SNMP.

Controlling RF Telnet Access via the AP GUI


To restrict all Telnet access to the AP via the RF interface from downstream devices, perform the following
procedure using the AP GUI:
Procedure 9 Restricting RF Telnet access

1. Log into the AP GUI using administrator credentials.

2. On the AP GUI, navigate to Configuration > Security.

3. Under GUI heading Telnet Access over RF Interface, set RF Telnet Access to Disabled.

4. Click the Save button.

Once the Save button is clicked, all RF Telnet Access to the AP from devices situated below the AP
will be blocked.


Security Tab of the AP


Figure 28 Security tab of the AP


In the Security tab of the AP, you may set the following parameters.
Table 22 AP Security attributes
Attribute

Meaning

Authentication Mode

Operators may use this field to select from among the following
authentication modes:
Disabled - the AP requires no SMs to authenticate.
Authentication Server - the AP requires any SM that attempts registration
to be authenticated in Wireless Manager before registration.
AP PreShared Key - The AP acts as the authentication server to its SMs and
will make use of a user-configurable pre-shared authentication key. The
operator enters this key on both the AP and all SMs desired to register to that
AP. There is also an option of leaving the AP and SMs at their default
setting of using the Default Key. Due to the nature of the authentication
operation, if you want to set a specific authentication key, then you MUST
configure the key on all of the SMs and reboot them BEFORE enabling the
key and option on the AP. Otherwise, if you configure the AP first, none of
the SMs will be able to register.
RADIUS AAA - When RADIUS AAA is selected, up to 3 Authentication
Server (RADIUS Server) IP addresses and Shared Secrets can be
configured. The IP address(es) configured here must match the IP
address(es) of the RADIUS server(s). The shared secret(s) configured here
must match the shared secret(s) configured in the RADIUS server(s).
Servers 2 and 3 are meant for backup and reliability, not for splitting the
database. If Server 1 doesn't respond, Server 2 is tried, and then Server 3. If
Server 1 rejects authentication, the SM is denied entry to the network, and
the remaining servers are not tried.

Authentication Server DNS Usage

The management DNS domain name may be toggled such that the name of
the authentication server only needs to be specified and the DNS domain
name is automatically appended to that name.

Authentication Server 1 to 5

Enter the IP address or server name of the authentication server (RADIUS or
WM) and the Shared Secret configured in the authentication server. When
Authentication Mode RADIUS AAA is selected, the default value of
Shared Secret is CanopySharedSecret. The Shared Secret may consist of
up to 32 ASCII characters.

Radius Port

This field allows the operator to configure a custom port for RADIUS server
communication. The default value is 1812.

Authentication Key

The authentication key is a 32-character hexadecimal string used when
Authentication Mode is set to AP PreShared Key. By default, this key is
set to 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.

Select Key

This option allows operators to choose which authentication key is used:
Use Key above means that the key specified in Authentication Key is used
for authentication.
Use Default Key means that a default key (based on the SM's MAC
address) will be used for authentication.


Encryption Setting

Specify the type of airlink security to apply to this AP. The encryption
setting must match the encryption setting of the SMs.
None provides no encryption on the air link.
DES (Data Encryption Standard): An over-the-air link encryption option that
uses secret 56-bit keys and 8 parity bits. DES performs a series of bit
permutations, substitutions, and recombination operations on blocks of data.
DES encryption does not affect the performance or throughput of the system.
AES (Advanced Encryption Standard): An over-the-air link encryption
option that uses the Rijndael algorithm and 128-bit keys to establish a higher
level of security than DES. AES products are certified as compliant with the
Federal Information Processing Standards (FIPS 197) in the U.S.A.

SM Display of AP Evaluation Data

You can use this field to suppress the display of data about this AP on the AP
Evaluation tab of the Tools page in all SMs that register.

Web, Telnet, FTP Session Timeout

Enter the expiry in seconds for remote management sessions via HTTP,
telnet, or ftp access to the AP.

IP Access Control

You can permit access to the AP from any IP address (IP Access Filtering
Disabled) or limit it to access from only one, two, or three IP addresses that
you specify (IP Access Filtering Enabled). If you select IP Access
Filtering Enabled, then you must populate at least one of the three Allowed
Source IP parameters or have no access permitted from any IP address.

Allowed Source IP 1 to 3

If you selected IP Access Filtering Enabled for the IP Access Control
parameter, then you must populate at least one of the three Allowed Source
IP parameters or have no access permitted to the AP from any IP address.
You may populate as many as all three.
If you selected IP Access Filtering Disabled for the IP Access Control
parameter, then no entries in this parameter are read, and access from all IP
addresses is permitted.

RF Telnet Access

RF Telnet Access restricts Telnet access to the AP from a device situated
below a network SM (downstream from the AP). This is a security
enhancement to restrict RF-interface sourced AP access specifically to the
LAN1 IP address and LAN2 IP address (Radio Private Address, typically
192.168.101.[LUID]). This restriction disallows unauthorized users from
running Telnet commands on the AP that can change AP configuration or
modify network-critical components such as routing and ARP tables.
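An added example (not from the Cambium guide, and not a Cambium tool): a Python audit of one AP's security settings against the defaults and rules stated in this task, covering the passwordless root and admin accounts, the Canopy community string, the CanopySharedSecret RADIUS secret, the all-F authentication key, IP Access Control and RF Telnet Access. The dictionary key names, finding codes and sample values are hypothetical; the guide defines no export format.

```python
import re

# Default values quoted in this guide.
DEFAULT_SNMP_COMMUNITY = "Canopy"
DEFAULT_RADIUS_SECRET = "CanopySharedSecret"
DEFAULT_AUTH_KEY = "F" * 32  # shown in the guide with a 0x prefix


def audit_ap(cfg):
    """Return sorted finding codes for one AP settings dict (key names are hypothetical)."""
    found = set()

    # root and admin both ship with no password; securing one leaves the other open.
    for user in ("root", "admin"):
        account = cfg["accounts"].get(user)
        if account is not None and not account["password_set"]:
            found.add("NO_PASSWORD_" + user.upper())

    mode = cfg["authentication_mode"]
    if mode == "Disabled":
        found.add("SM_AUTH_DISABLED")
    elif mode == "AP PreShared Key":
        key = cfg.get("authentication_key", "")
        key = key[2:] if key.lower().startswith("0x") else key
        if cfg.get("select_key") == "Use Default Key":
            found.add("PSK_DEFAULT_KEY_SELECTED")
        elif not re.fullmatch(r"[0-9A-Fa-f]{32}", key):
            found.add("PSK_NOT_32_HEX_CHARS")
        elif key.upper() == DEFAULT_AUTH_KEY:
            found.add("PSK_FACTORY_VALUE")
    elif mode == "RADIUS AAA":
        servers = cfg.get("authentication_servers", [])
        if not servers:
            found.add("RADIUS_NO_SERVER")
        for server in servers:
            secret = server["shared_secret"]
            if secret == DEFAULT_RADIUS_SECRET:
                found.add("RADIUS_DEFAULT_SECRET")
            if not secret or len(secret) > 32 or not secret.isascii():
                found.add("RADIUS_SECRET_INVALID")
    elif mode != "Authentication Server":
        found.add("UNKNOWN_AUTH_MODE")

    if cfg["encryption_setting"] == "None":
        found.add("AIRLINK_UNENCRYPTED")
    if cfg["snmp_community"] == DEFAULT_SNMP_COMMUNITY:
        found.add("SNMP_DEFAULT_COMMUNITY")

    # Filtering disabled: any source may manage the AP. Enabled with no address: nobody can.
    allowed = cfg.get("allowed_source_ips", [])
    if cfg["ip_access_control"] == "IP Access Filtering Disabled":
        found.add("MGMT_OPEN_TO_ANY_IP")
    elif not allowed:
        found.add("MGMT_NO_ALLOWED_SOURCE")
    elif len(allowed) > 3:
        found.add("MGMT_TOO_MANY_SOURCES")

    if cfg["rf_telnet_access"] == "Enabled":  # Enabled is the default
        found.add("RF_TELNET_ENABLED")
    return sorted(found)


# Constructed sample settings, not taken from a real radio.
SAMPLE_UNHARDENED = {
    "accounts": {"root": {"password_set": True}, "admin": {"password_set": False}},
    "authentication_mode": "AP PreShared Key",
    "select_key": "Use Key above",
    "authentication_key": "0x" + "F" * 32,
    "encryption_setting": "None",
    "snmp_community": "Canopy",
    "ip_access_control": "IP Access Filtering Enabled",
    "allowed_source_ips": [],
    "rf_telnet_access": "Enabled",
}
SAMPLE_HARDENED = {
    "accounts": {"root": {"password_set": True}},  # admin account deleted
    "authentication_mode": "RADIUS AAA",
    "authentication_servers": [{"address": "10.20.0.6", "shared_secret": "constructed-secret-01"}],
    "encryption_setting": "AES",
    "snmp_community": "constructed-community",
    "ip_access_control": "IP Access Filtering Enabled",
    "allowed_source_ips": ["10.20.0.5"],
    "rf_telnet_access": "Disabled",
}

if __name__ == "__main__":
    print(audit_ap(SAMPLE_UNHARDENED))
    print(audit_ap(SAMPLE_HARDENED))
```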


Protocol Filtering tab of the AP


Table 23 Protocol Filtering tab of the AP

In the Protocol Filtering tab of the AP, you may set the following parameters.
Table 24 AP Protocol Filtering attributes
Attribute

Meaning

Packet Filter Types

For any box selected, the Protocol and Port Filtering feature blocks the
associated protocol type.
To filter packets in any of the user-defined ports, you must do all of the
following:
Check the box for User Defined Port n (See Below) in the Packet Filter
Types section of this tab.
In the User Defined Port Filtering Configuration section of this tab:

provide a port number at Port #n.

enable TCP and/or UDP by clicking the associated radio button.

Filter Direction

Operators may choose to filter upstream (uplink) RF packets or downstream
(downlink) RF packets.

User Defined Port Filtering Configuration

You can specify ports for which to block subscriber access, regardless of
whether NAT is enabled.


Port configuration tab of the AP


PMP 450 devices support access to various communication protocols and only the ports required for these
protocols are available for access by external entities. Operators may change the port numbers for these
protocols via the radio GUI or SNMP.
Table 25 Port configuration tab of the AP

In the Port Configuration tab of the AP, you may set the following parameters.
Table 26 AP Port Configuration attributes
Attribute

Meaning

FTP Port

The listen port on the device used for FTP communication.

HTTP Port

The listen port on the device used for HTTP communication.

Radius Port

The destination port used by the device for RADIUS communication.

Radius Accounting Port

The destination port used by the device for RADIUS accounting
communication.

SNMP Port

The listen port on the device used for SNMP communication.

SNMP Trap Port

The destination port used by the device to which SNMP traps are sent.

Syslog Server Port

The destination port used by the device to which Syslog messaging is sent.


Security Tab of the SM


Figure 29 Security tab of the SM


In the Security tab of the SM, you may set the following parameters.
Table 27 SM Security attributes
Attribute

Meaning

Authentication Key

Only if the AP to which this SM will register requires authentication, specify
the key that the SM should use when authenticating. For alpha characters in
this hex key, use only upper case.

Select Key

The Use Default Key selection specifies the predetermined key for
authentication in Wireless Manager
The Use Key above selection specifies the 32-digit hexadecimal key that is
permanently stored on both the SM and the WM

Enforce Authentication

The SM may enforce authentication types of AAA and AP PreShared Key.
The SM will not finish the registration process if the AP is not using the
configured authentication method (and the SM will lock out the AP for 15
minutes).

Phase 1

The protocols supported for the Phase 1 (Outside Identity) phase of
authentication are EAPTTLS (Extensible Authentication Protocol Tunneled
Transport Layer Security) or MSCHAPv2 (Microsoft Challenge-Handshake
Authentication Protocol version 2).

Phase 2

Select the desired Phase 2 (Inside Identity) authentication protocol from the
Phase 2 options of PAP (Password Authentication Protocol), CHAP
(Challenge Handshake Authentication Protocol), and MSCHAP
(Microsoft's version of CHAP, version 2 is used). The protocol must be
consistent with the authentication protocol configured on the RADIUS
server.

Identity/Realm

If Realms are being used, select Enable Realm and configure an outer
identity in the Identity field and a Realm in the Realm field. These must
match the Phase 1/Outer Identity and Realm configured in the RADIUS
server. The default Identity is anonymous. The Identity can be up to 128
non-special (no diacritical markings) alphanumeric characters. The default
Realm is canopy.net. The Realm can also be up to 128 non-special
alphanumeric characters.

Configure an outer Identity in the Username field. This must match the
Phase 1/Outer Identity username configured in the RADIUS server. The
default Phase 1/Outer Identity Username is anonymous. The Username
can be up to 128 non-special (no diacritical markings) alphanumeric
characters.

Username

Enter a Username for the SM. This must match the username configured
for the SM on the RADIUS server. The default Username is the SM's
MAC address. The Username can be up to 128 non-special (no diacritical
markings) alphanumeric characters.


Password

Enter the desired password for the SM in the Password and Confirm
Password fields. The Password must match the password configured for
the SM on the RADIUS server. The default Password is password. The
Password can be up to 128 non-special (no diacritical markings)
alphanumeric characters.

Upload Certificate File

To upload a certificate manually to an SM, first load it in a known place on
your PC or network drive, then click on a Delete button on one of the
Certificate description blocks to delete a certificate to provide space for
your certificate. Click on Choose File, browse to the location of the
certificate, and click the Import Certificate button, and then reboot the
radio to use the new certificate.
When a certificate is in use, after the SM successfully registers to an AP,
an indication of In Use will appear in the description block of the
certificate being used.
The public certificates installed on the SMs are used with the private
certificate on the RADIUS server to provide a public/private key
encryption system.
Up to 2 certificates can be resident on an SM. An installed certificate can
be deleted by clicking the Delete button in the certificate's description
block on the Configuration > Security tab. To restore the 2 default
certificates, click the Use Default Certificates button in the RADIUS
Certificate Settings parameter block and reboot the radio.

Encryption Setting

Specify the type of airlink security to apply to this SM. The encryption
setting must match the encryption setting of the AP.
None provides no encryption on the air link.
DES (Data Encryption Standard): An over-the-air link encryption option that
uses secret 56-bit keys and 8 parity bits. DES performs a series of bit
permutations, substitutions, and recombination operations on blocks of data.
DES encryption does not affect the performance or throughput of the system.
AES (Advanced Encryption Standard): An over-the-air link encryption
option that uses the Rijndael algorithm and 128-bit keys to establish a higher
level of security than DES. AES products are certified as compliant with the
Federal Information Processing Standards (FIPS 197) in the U.S.A.

Web, Telnet, FTP Session Timeout

Enter the expiry in seconds for remote management sessions via HTTP,
telnet, or FTP access to the SM.

Ethernet Access

If you want to prevent any device that is connected to the Ethernet port of the
SM from accessing the management interface of the SM, select Ethernet
Access Disabled. This selection disables access through this port via HTTP
(the GUI), SNMP, telnet, FTP, and TFTP. With this selection, management
access is available through only the RF interface via either an IP address (if
Network Accessibility is set to Public on the SM) or the Session Status or
Remote Subscribers tab of the AP.

This setting does not prevent a device connected to the Ethernet port
from accessing the management interface of other SMs in the network.
To prevent this, use the IP Access Filtering Enabled selection in the IP
Access Control parameter of the SMs in the network. See IP Access
Control below.
If you want to allow management access through the Ethernet port, select
Ethernet Access Enabled. This is the factory default setting for this
parameter.

IP Access Control

You can permit access to the SM from any IP address (IP Access Filtering
Disabled) or limit it to access from only one, two, or three IP addresses that
you specify (IP Access Filtering Enabled). If you select IP Access
Filtering Enabled, then you must populate at least one of the three Allowed
Source IP parameters; otherwise no access is permitted from any IP address.

Allowed Source IP 1 to 3

If you selected IP Access Filtering Enabled for the IP Access Control
parameter, then you must populate at least one of the three Allowed Source
IP parameters; otherwise no access to the SM is permitted from any IP address.
You may populate as many as all three.
If you selected IP Access Filtering Disabled for the IP Access Control
parameter, then no entries in this parameter are read, and access from all IP
addresses is permitted.
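
The attributes in Table 27 can be checked mechanically before an SM is deployed. The following is an added example, not Cambium code: the dictionary keys are hypothetical names for the Security tab attributes, the value "Use Key above" and the severities are assumptions, and both sample configurations are constructed.

```python
import ipaddress
import re

# Authentication Key: 32 hex digits, alpha characters in upper case only.
KEY_RE = re.compile(r"[0-9A-F]{32}")
DEFAULT_RADIUS_PASSWORD = "password"   # default quoted in the guide


def audit_sm_security(cfg):
    """Return (severity, attribute, message) findings for one SM.

    The cfg keys are hypothetical names for the Security tab attributes.
    """
    findings = []

    def add(severity, attribute, message):
        findings.append((severity, attribute, message))

    # Select Key / Authentication Key
    if cfg.get("select_key") == "Use Default Key":
        add("high", "Select Key", "predetermined default key in use")
    elif not KEY_RE.fullmatch(cfg.get("authentication_key", "")):
        add("high", "Authentication Key",
            "expected 32 hex digits with upper-case letters only")

    # Enforce Authentication, and the RADIUS password used with AAA
    enforce = cfg.get("enforce_authentication")
    if enforce not in ("AAA", "AP Pre-sharedKey"):
        add("medium", "Enforce Authentication",
            "SM does not require the AP to use AAA or a pre-shared key")
    if enforce == "AAA" and cfg.get("password") == DEFAULT_RADIUS_PASSWORD:
        add("high", "Password", "default RADIUS password still configured")

    # Encryption Setting
    encryption = cfg.get("encryption", "None")
    if encryption == "None":
        add("high", "Encryption Setting", "no encryption on the air link")
    elif encryption == "DES":
        add("medium", "Encryption Setting",
            "56-bit DES selected; AES uses 128-bit keys")

    # Ethernet Access (Enabled is the factory default)
    if cfg.get("ethernet_access", "Enabled") == "Enabled":
        add("low", "Ethernet Access",
            "devices on the Ethernet port can reach the management interface")

    # IP Access Control and Allowed Source IP 1 to 3
    allowed = [a for a in cfg.get("allowed_source_ips", []) if a]
    if cfg.get("ip_access_filtering") != "Enabled":
        add("medium", "IP Access Control",
            "management access permitted from any IP address")
    else:
        if not allowed:
            add("high", "Allowed Source IP",
                "filtering enabled with no address: no access from any IP")
        if len(allowed) > 3:
            add("high", "Allowed Source IP", "at most three addresses")
        for value in allowed:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                add("high", "Allowed Source IP",
                    f"{value!r} is not an IP address")
    return findings


# Constructed sample configurations (not taken from a real radio).
WEAK_SM = {
    "select_key": "Use Key above",
    "authentication_key": "0123456789abcdef0123456789abcdef",  # lower case
    "enforce_authentication": "AAA",
    "password": "password",
    "encryption": "DES",
    "ethernet_access": "Enabled",
    "ip_access_filtering": "Enabled",
    "allowed_source_ips": ["", "", ""],
}
HARDENED_SM = {
    "select_key": "Use Key above",
    "authentication_key": "0123456789ABCDEF0123456789ABCDEF",  # placeholder
    "enforce_authentication": "AAA",
    "password": "Xq7mT2vLr9",                                  # placeholder
    "encryption": "AES",
    "ethernet_access": "Disabled",
    "ip_access_filtering": "Enabled",
    "allowed_source_ips": ["192.0.2.10"],   # documentation address
}

if __name__ == "__main__":
    for severity, attribute, message in audit_sm_security(WEAK_SM):
        print(f"{severity:6} {attribute}: {message}")
```

The constructed weak configuration shows the lock-out case from the table: IP Access Filtering Enabled with all three Allowed Source IP fields empty leaves no address able to manage the SM.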


Protocol Filtering Tab of the SM


Table 28 Protocol Filtering tab of the SM


In the Protocol Filtering tab of the SM, you may set the following parameters.
Table 29 SM Protocol Filtering attributes
Attribute

Meaning

Packet Filter Types

For any box selected, the Protocol and Port Filtering feature blocks the
associated protocol type.
To filter packets in any of the user-defined ports, you must do all of the
following:
Check the box for User Defined Port n (See Below) in the Packet Filter
Types section of this tab.
In the User Defined Port Filtering Configuration section of this tab:
  provide a port number at Port #n.
  enable TCP and/or UDP by clicking the associated radio button.
If the DHCP state parameter is set to Enabled in the Configuration => IP
tab of the SM, do not check the Bootp Client option for Packet Filter Types
in its Protocol Filtering tab, because doing so would block the DHCP request.
(Filters apply to all packets that leave the SM via its RF interface, including
those that the SM itself generates.) If you want to keep DHCP enabled and
avoid the blocking scenario, select the Bootp Server option instead. This will
result in responses being appropriately filtered and discarded.

User Defined Port Filtering Configuration

You can specify ports for which to block subscriber access, regardless of
whether NAT is enabled.

Port configuration tab of the SM


PMP 450 devices support access to various communication protocols and only the ports required for these
protocols are available for access by external entities. Operators may change the port numbers for these
protocols via the radio GUI or SNMP.
Figure 30 Port Configuration tab of the SM

In the Port Configuration tab of the SM, you may set the following parameters.


Table 30 SM Port Configuration attributes

Attribute

Meaning

FTP Port

The listen port on the device used for FTP communication.

HTTP Port

The listen port on the device used for HTTP communication.

SNMP Port

The listen port on the device used for SNMP communication.

SNMP Trap Port

The destination port used on the device to which SNMP traps are sent.


Task 6: Configuring radio parameters


Radio tab of the AP
Figure 31 Radio tab of the AP


The Radio tab of the AP contains some of the configurable parameters that define how the AP operates.
Table 31 AP Radio attributes
Attribute

Meaning

Radio Mode

(reserved for future Combo mode)

Frequency Band

Select the desired operating frequency band.

Frequency Carrier

Specify the frequency for the module to transmit. The default for this parameter is
None. For a list of channels in the band, see the drop-down list on the radio GUI.

Channel Bandwidth

The channel size used by the radio for RF transmission. The setting for the
channel bandwidth must match between the AP and the SM.

Cyclic Prefix

OFDM technology uses a cyclic prefix, where a portion of the end of a symbol
(slot) is repeated at the beginning of the symbol to allow multi-pathing to settle
before receiving the desired data. A 1/16 cyclic prefix means that for every 16
bits of throughput data transmitted, an additional bit is used.

Color Code

Specify a value from 0 to 254. For registration to occur, the color code of the SM
and the AP must match. Color code is not a security feature. Instead, color code is
a management feature, typically for assigning each sector a different color code.
Color code allows you to force an SM to register to only a specific AP, even
where the SM can communicate with multiple APs. The default setting for the
color code value is 0. This value matches only the color code of 0 (not all 255
color codes).

Signal to Noise Ratio Calculation

Enabling this parameter allows operators to use Signal-to-Noise calculations to
monitor link quality.
The Signal-to-Noise Ratio may be monitored on the AP's Session Status page,
Link Capacity Test page, and Link Status page.

Max Range

Enter a number of miles (or kilometers divided by 1.61, then rounded to an
integer) for the furthest distance from which an SM is allowed to register to this
AP. Do not set the distance to any greater number of miles. A greater distance
  does not increase the power of transmission from the AP.
  can reduce aggregate throughput.
Regardless of this distance, the SM must meet the minimum requirements for an
acceptable link. If the AP is in a cluster, then you must set this parameter on all
other APs in the cluster exactly the same, except as described in the NOTE
admonition below. The default value of this parameter is 2 miles (3.2 km).


Downlink Data

Specify the percentage of the aggregate throughput for the downlink (frames
transmitted from the AP to the subscriber). For example, if the aggregate (uplink
and downlink total) throughput on the AP is 90 Mb, then 75% specified for this
parameter allocates 67.5 Mb for the downlink and 22.5 Mb for the uplink. The
default for this parameter is 75%. This parameter must be set in the range of 15%
- 85%, otherwise the invalid input will not be accepted and the previously-entered
valid setting will be used.

You must set this parameter exactly the same for all APs in a cluster.

Control Slots

This field indicates the number of (reserved) control slots configured by the
operator. Control slots are half the size of data slots. The SM uses reserved
control slots and unused data slots for bandwidth requests.

The Control Slots parameter should be set to 4.


Transmitter Output Power

This value represents the combined power of the AP's two transmitters.
Nations and regions may regulate transmitter output power. For example
5.4/5.8-GHz modules are available as connectorized radios, which require
the operator to adjust power to ensure regulatory compliance.
The professional installer of the equipment has the responsibility to
  maintain awareness of applicable regulations.
  calculate the permissible transmitter output power for the module.
  confirm that the initial power setting is compliant with national or regional
  regulations.
  confirm that the power setting is compliant following any reset of the
  module to factory defaults.

External Gain

This value represents the amount of gain introduced by an external antenna.

Module Type                                                   Recommended Setting
OFDM connectorized with antenna that was purchased with it    17

Broadcast Repeat Count

The default is 2 repeats (in addition to the original broadcast packet, for a total of
3 packets sent for every one needed), and is settable to 1 or 0 repeats (2 or 1
packets for every broadcast).
ARQ (Automatic Repeat reQuest) is not present in downlink broadcast packets,
since it would cause unnecessary uplink traffic from every SM for each broadcast
packet. For successful transport without ARQ, the AP repeats downlink broadcast
packets. The SMs filter out all repeated broadcast packets and, thus, do not
transport further.
The default of 2 repeats is optimum for typical uses of the network as an internet
access system. In applications with heavy download broadcast such as video
distribution, overall throughput is significantly improved by setting the repeat
count to 1 or 0. This avoids flooding the downlink with repeat broadcast packets.

Subscriber Color Code Rescan (When not on a Primary Color Code)

This timer may be utilized to initiate SM rescans in order to register to an AP
configured with the SM's primary color code.
The time (in minutes) for a subscriber to rescan (if this AP is not configured with
the SM's primary color code). This timer will only fire once. If the Subscriber
Color Code Wait Period for Idle timer is configured with a nonzero value and
the Subscriber Color Code Rescan expires, the Subscriber Color Code Wait
Period for Idle will be started. If the Subscriber Color Code Wait Period for
Idle timer is configured with a zero value and the Subscriber Color Code
Rescan timer expires, the SM will immediately go into rescan mode.

Subscriber Color Code Wait Period for Idle

The time (in minutes) for a subscriber to rescan while idle (if this AP is not
configured with the SM's primary color code). This timer will fire periodic
events. The fired event determines if any RF unicast traffic (either inbound or
outbound) has occurred since the last event. If the results of the event determine
that no RF unicast traffic has occurred (SM is idle), then the subscriber will
rescan.

Installation Color Code

With this feature enabled on the AP and SM, operators may install and remotely
configure SMs without having to configure matching color codes between the
modules. While the SM is accessible for configuration from above the AP (for
remote provisioning) and below the SM (for local site provisioning), no user data
is passed over the radio link. SMs with Installation Color Code enabled will first
try any configured Color Code values, then will use the Installation Color
Code feature as a last resort to connect to the AP. The status of the Installation
Color Code can be viewed on the AP Eval web GUI page, and when the SM is
registered using the Installation Color Code the message "SM is registered via
ICC Bridging Disabled!" is displayed in red on every SM GUI page. The
Installation Color Code parameter is configurable without a radio reboot for both
the AP and SM. If an SM is registered via Installation Color Code and the feature
is then disabled, operators will need to reboot the SM or force it to reregister (i.e.
using the Rescan APs functionality on the AP Eval page).

SM Receive Target Level

Each SM's Transmitter Output Power is automatically set by the AP. The AP
monitors the received power from each SM, and adjusts each SM's Transmitter
Output Power so that the received power at the AP from that SM is not greater
than what is set in this field. This value represents a single-port power perceived on
the SM.


Radio tab of the SM


Table 32 Radio tab of SM

In the Radio tab of the SM, you may set the following parameters.
Table 33 SM Radio attributes
Attribute

Meaning

Frequency Band

Reserved for future Combo mode.

Custom Radio Frequency Scan Selection List

Check any frequency that you want the SM to scan for AP transmissions. The
frequency band of the SM affects what channels you should select.
If you select all frequencies that are listed in this field (default selections), then
the SM scans for a signal on any channel. If you select only one, then the SM
limits the scan to that channel.

Channel Bandwidth

The channel size used by the radio for RF transmission. The setting for the
channel bandwidth must match between the AP and the SM.


Color Code 1 to 10

Color code allows you to force the SM to register to only a specific AP, even
where the SM can communicate with multiple APs. For registration to occur, the
color code of the SM and the AP must match. Specify a value from 0 to 254.
Color code is not a security feature. Instead, color code is a management feature,
typically for assigning each sector a different color code. The default setting for
the color code value is 0. This value matches only the color code of 0 (not all 255
color codes).
SMs may be configured with up to 10 color codes. These color codes can be
tagged as Primary, Secondary, Tertiary, or Disable. When the SM is
scanning for APs, it will first attempt to register to an AP that matches one of the
SM's primary color codes. Failing that, the SM will continue scanning and
attempt to register to an AP that matches one of the SM's secondary color codes.
Failing that, the SM will continue scanning and attempt to register to an AP that
matches one of the SM's tertiary color codes. This is all done in the scanning
mode of the SM and will repeat until a registration has occurred.
Color codes in the same priority group are treated equally. For example, all APs
matching one of the SM's primary color codes are analyzed equally. Likewise,
this evaluation is done for the secondary and tertiary groups in order. The
analysis for selecting an AP within a priority group is based on various inputs,
including signal strength and number of SMs already registered to each AP.
The first color code in the configuration is the pre-Release 9.5 color code. Thus,
it is always a primary color code for legacy reasons.
The color codes can be disabled, with the exception of the first color code.

Installation Color Code

With this feature enabled on the AP and SM, operators may install and remotely
configure SMs without having to configure matching color codes between the
modules. While the SM is accessible for configuration from above the AP (for
remote provisioning) and below the SM (for local site provisioning), no user data
is passed over the radio link. SMs with Installation Color Code enabled will first
try any configured Color Code values, then will use the Installation Color
Code feature as a last resort to connect to the AP. The status of the Installation
Color Code can be viewed on the AP Eval web GUI page, and when the SM is
registered using the Installation Color Code the message "SM is registered via
ICC Bridging Disabled!" is displayed in red on every SM GUI page. The
Installation Color Code parameter is configurable without a radio reboot for both
the AP and SM. If an SM is registered via Installation Color Code and the feature
is then disabled, operators will need to reboot the SM or force it to reregister (i.e.
using the Rescan APs functionality on the AP Eval page).


Large VC data Q

Certain applications such as video surveillance cameras operate by sending bursts
of IP traffic upstream. Some systems will send short bursts of packets at over 50
Mbps and then be idle for some period of time and then send another burst of
data.
In order for the RF interface of a radio to accommodate these bursts of traffic,
there is a configurable parameter on SM radios to operate with a large input
queue at the radio's data VC. This large queue allows packets which arrive at a
rate greater than the radio link capacity to be stored in this deep queue until the
radio is ready to transmit them. The queue size has been optimized to allow large
packets to be stored just long enough so that there is always data available to be
transmitted, but not large enough to cause packets to sit in a queue for a second or
more.
Configuration of this parameter is shown on the Configuration => Radio web
page on the SM.
If an operator is experiencing packet loss in the uplink due to bursting IP traffic
and the overall traffic rate is less than or equal to the uplink capacity of the radio
system, then the large VC data Q should be enabled.

Signal to Noise Ratio Calculation

Enabling this parameter allows operators to use Signal-to-Noise calculations to
monitor link quality.
The Signal-to-Noise Ratio may be monitored on the SM's Home page, Link
Capacity Test page, and Link Status page.

External Gain

This value represents the amount of gain introduced by an external antenna.


Module Type

Recommended
Setting

OFDM integrated antenna with LENS

OFDM Integrated antenna with CLIP

OFDM integrated antenna with reflector dish

15


Task 7: Setting up SNMP agent


Operators may use SNMP commands to set configuration parameters and retrieve data from the AP and
SM modules. Also, if enabled, when an event occurs, the SNMP agent on the PMP 450 sends a trap to
whatever SNMP trap receivers have been configured.


SNMP Tab of the AP


Figure 32 SNMP tab of the AP


You may set the SNMP tab parameters as follows.


Table 34 AP SNMP attributes
Attribute

Meaning

SNMP Community String 1

Specify a control string that can allow a Network Management Station (NMS)
to access SNMP information. No spaces are allowed in this string. The default
string is Canopy.

SNMP Community String 1 Permissions

You can designate the SNMP Community String 1 to be the password for WM,
for example, to have read/write access to the module via SNMP, or for all SNMP
access to the module to be read only.

SNMP Community String 2 (Read Only)

Specify an additional control string that can allow a Network Management
Station (NMS) to read SNMP information. No spaces are allowed in this string.
The default string is Canopyro. This password will never authenticate a user or
an NMS to read/write access.
The Community String value is clear text and is readable by a packet monitor.
Additional security derives from the configuration of the Accessing Subnet,
Trap Address, and Permission parameters.

Accessing IP / Subnet Mask 1 to 10

Specify the addresses that are allowed to send SNMP requests to this AP. The
NMS has an address that is among these addresses (this subnet). You must enter
both
  The network IP address in the form xxx.xxx.xxx.xxx
  The CIDR (Classless Interdomain Routing) prefix length in the form /xx
For example:
  the /16 in 198.32.0.0/16 specifies a subnet mask of 255.255.0.0 (the first 16
  bits in the address range are identical among all members of the subnet).
  192.168.102.0 specifies that any device whose IP address is in the range
  192.168.102.0 to 192.168.102.254 can send SNMP requests to the AP,
  presuming that the device supplies the correct Community String value.
The default treatment is to allow all networks access. For more information on
CIDR, execute an Internet search on Classless Interdomain Routing. You are
allowed to specify as many as 10 different accessing IP address, subnet mask
combinations.

SNMP Trap Server DNS Usage

The management DNS domain name may be toggled such that only the name of the
trap server needs to be specified and the DNS domain name is automatically
appended to that name. The default SNMP trap server address for all 10
available servers is 0.0.0.0 with the appending of the DNS domain name
disabled.


Trap Address 1 to 10

Specify ten or fewer IP addresses (xxx.xxx.xxx.xxx) or DNS names to which
SNMP traps should be sent. Traps inform Wireless Manager or an NMS that
something has occurred. For example, trap information is sent
  after a reboot of the module.
  when an NMS attempts to access agent information but either
    supplied an inappropriate community string or SNMP version number.
    is associated with a subnet to which access is disallowed.

Trap Enable, Sync Status

If you want sync status traps (sync lost and sync regained) sent to Wireless
Manager or an NMS, select Enabled. If you want these traps suppressed, select
Disabled.

Trap Enable, Session Status

If you want session status traps sent to Wireless Manager or an NMS, select
Enabled.

Site Information Viewable to Guest Users

Operators can enable or disable site information from appearing when a user is in
GUEST account mode.

Site Name

Specify a string to associate with the physical module. This parameter is written
into the sysName SNMP MIB-II object and can be polled by Wireless Manager
or an NMS. The buffer size for this field is 128 characters.

Site Contact

Enter contact information for the module administrator. This parameter is written
into the sysContact SNMP MIB-II object and can be polled by Wireless Manager
or an NMS. The buffer size for this field is 128 characters.

Site Location

Enter information about the physical location of the module. This parameter is
written into the sysLocation SNMP MIB-II object and can be polled by Wireless
Manager or an NMS. The buffer size for this field is 128 characters.


SNMP Tab of the SM


Figure 33 SNMP tab of the SM


In the SNMP tab of the SM, you may set the following parameters.
Table 35 SM SNMP attributes
Attribute

Meaning

SNMP Community String 1

Specify a control string that can allow a Network Management Station (NMS)
to access SNMP information. No spaces are allowed in this string. The default
string is Canopy.

SNMP Community String 1 Permissions

You can designate the SNMP Community String 1 to be the password for WM,
for example, to have read/write access to the module via SNMP, or for all SNMP
access to the module to be read only.

SNMP Community String 2 (Read Only)

Specify an additional control string that can allow a Network Management
Station (NMS) to read SNMP information. No spaces are allowed in this string.
The default string is Canopy2. This password will never authenticate a user or an
NMS to read/write access.
The Community String value is clear text and is readable by a packet monitor.
Additional security derives from the configuration of the Accessing Subnet,
Trap Address, and Permission parameters.

Accessing IP / Subnet Mask 1 to 10

Specify the addresses that are allowed to send SNMP requests to this SM.
Wireless Manager or the NMS has an address that is among these addresses (this
subnet). You must enter both
  The network IP address in the form xxx.xxx.xxx.xxx
  The CIDR (Classless Interdomain Routing) prefix length in the form /xx
For example
  the /16 in 198.32.0.0/16 specifies a subnet mask of 255.255.0.0 (the first 16
  bits in the address range are identical among all members of the subnet).
  192.168.102.0 specifies that any device whose IP address is in the range
  192.168.102.0 to 192.168.102.254 can send SNMP requests to the SM,
  presuming that the device supplies the correct Community String value.
The default treatment is to allow all networks access (set to 0). For more
information on CIDR, execute an Internet search on Classless Interdomain
Routing. You are allowed to specify as many as 10 different accessing IP
address, subnet mask combinations.

RECOMMENDATION:
The subscriber can access the SM by changing the
subscriber device to the accessing subnet. This hazard exists
because the Community String and Accessing Subnet are
both visible parameters. To avoid this hazard, configure the
SM to filter (block) SNMP requests.


SNMP Trap Server DNS Usage

The management DNS domain name may be toggled such that only the name of the
trap server needs to be specified and the DNS domain name is automatically
appended to that name. The default SNMP trap server address for all 10
available servers is 0.0.0.0 with the appending of the DNS domain name
disabled.

Trap Address 1 to 10

Specify ten or fewer IP addresses (xxx.xxx.xxx.xxx) to which trap information
should be sent. Trap information informs Wireless Manager or an NMS that
something has occurred. For example, trap information is sent
  after a reboot of the module.
  when Wireless Manager or an NMS attempts to access agent information but
  either
    supplied an inappropriate community string or SNMP version number.
    is associated with a subnet to which access is disallowed.

Read Permissions

Select Read Only if you wish to disallow Wireless Manager or NMS SNMP
access to configurable parameters and read-only fields of the SM.

Site Information Viewable to Guest Users

Operators can enable or disable site information from appearing when a user is in
GUEST account mode.

Site Name

Specify a string to associate with the physical module. This parameter is written
into the sysName SNMP MIB-II object and can be polled by Wireless Manager
or an NMS. The buffer size for this field is 128 characters.

Site Contact

Enter contact information for the module administrator. This parameter is written
into the sysContact SNMP MIB-II object and can be polled by Wireless Manager
or an NMS. The buffer size for this field is 128 characters.

Site Location

Enter information about the physical location of the module. This parameter is
written into the sysLocation SNMP MIB-II object and can be polled by Wireless
Manager or an NMS. The buffer size for this field is 128 characters.
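
The access rules in the AP and SM SNMP tables (two community strings, up to 10 accessing subnets, allow-all by default) can be modelled to see what a given configuration actually permits. This is an added example, not Cambium code: the class, function and field names are hypothetical, the order of the subnet and community checks is an assumption, and the restricted configuration is constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Default community strings quoted in the guide's AP and SM tables.
DEFAULT_COMMUNITIES = {"Canopy", "Canopyro", "Canopy2"}


@dataclass
class SnmpAgentConfig:
    """Hypothetical container for the SNMP tab attributes."""
    community1: str = "Canopy"
    community1_read_write: bool = True       # Community String 1 Permissions
    community2: str = "Canopyro"             # always read only
    accessing: list = field(default_factory=list)  # "a.b.c.d/nn"; empty = all

    def networks(self):
        if len(self.accessing) > 10:
            raise ValueError("at most 10 accessing IP / subnet mask entries")
        return [ipaddress.ip_network(n, strict=False) for n in self.accessing]


def decide(cfg, source_ip, community, write=False):
    """Return (allowed, reason) for one SNMP request.

    Assumption: the subnet check runs before the community check; the guide
    does not state the order.
    """
    nets = cfg.networks()
    if nets and not any(ipaddress.ip_address(source_ip) in n for n in nets):
        return False, "subnet disallowed (trap sent)"
    if community == cfg.community1:
        if write and not cfg.community1_read_write:
            return False, "community string 1 is read only"
        return True, "community string 1"
    if community == cfg.community2:
        if write:
            return False, "community string 2 is read only"
        return True, "community string 2"
    return False, "inappropriate community string (trap sent)"


def audit(cfg):
    """List the weaknesses the guide itself points out."""
    issues = []
    for name in ("community1", "community2"):
        value = getattr(cfg, name)
        if value in DEFAULT_COMMUNITIES:
            issues.append(f"{name} is a documented default")
        if " " in value:
            issues.append(f"{name} contains a space")
    if not cfg.networks():
        issues.append("no accessing subnet: requests accepted from all networks")
    return issues


def prefix_to_mask(cidr):
    """198.32.0.0/16 -> 255.255.0.0, as in the guide's example."""
    return str(ipaddress.ip_network(cidr, strict=False).netmask)


# Constructed examples. 203.0.113.0/24 is reserved documentation space.
FACTORY = SnmpAgentConfig()
RESTRICTED = SnmpAgentConfig(
    community1="nms-rw-EXAMPLE",
    community2="nms-ro-EXAMPLE",
    accessing=["198.32.0.0/16"],
)

if __name__ == "__main__":
    print(audit(FACTORY))
    print(decide(FACTORY, "203.0.113.7", "Canopy", write=True))
    print(decide(RESTRICTED, "203.0.113.7", "nms-rw-EXAMPLE"))
    print(decide(RESTRICTED, "198.32.200.9", "nms-ro-EXAMPLE"))
```

With the restricted configuration, any device addressed inside 198.32.0.0/16 that presents a valid string is accepted, which is the hazard the RECOMMENDATION describes and why it advises filtering SNMP at the SM.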


Task 8: Configuring syslog


This task is only performed when system logging is required. Both the AP and the SM may be configured
to send system messages to a syslog server. An example of a syslog message that would be sent from a
radio is as follows:
<6>1 2011-05-13T12:28:31Z 169.245.1.1 - - - - BOM******System Startup******

By default syslog is disabled on all devices.
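
The sample message above follows the RFC 5424 layout (PRI, version, timestamp, hostname, four fields that are "-" when empty, then the message text). The parser below is an added example for a syslog collector, not Cambium code; the function and field names are hypothetical, and the only input is the sample line from this guide.

```python
import re
from datetime import datetime

SEVERITIES = ("emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug")

# HEADER fields, then STRUCTURED-DATA ("-" or one or more [..] elements in
# which "]" must be backslash-escaped), then the optional free-form MSG.
LINE_RE = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>[1-9]\d?)"
    r" (?P<timestamp>\S+) (?P<hostname>\S+) (?P<app>\S+)"
    r" (?P<procid>\S+) (?P<msgid>\S+)"
    r" (?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)"
    r"(?: (?P<msg>.*))?",
    re.DOTALL,
)


def _nil(value):
    """RFC 5424 writes an absent field as a single hyphen."""
    return None if value == "-" else value


def parse_syslog(line):
    """Parse one RFC 5424 line into a dict; raise ValueError if malformed."""
    m = LINE_RE.fullmatch(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])
    if pri > 191:                        # facility 23 * 8 + severity 7
        raise ValueError("PRI out of range")
    stamp = _nil(m["timestamp"])
    msg = m["msg"] or ""
    if msg.startswith("\ufeff"):         # strip a real UTF-8 byte order mark
        msg = msg[1:]
    return {
        "facility": pri >> 3,
        "severity": SEVERITIES[pri & 7],
        "version": int(m["version"]),
        # fromisoformat() before Python 3.11 does not accept a trailing "Z"
        "timestamp": (datetime.fromisoformat(stamp.replace("Z", "+00:00"))
                      if stamp else None),
        "hostname": _nil(m["hostname"]),
        "app": _nil(m["app"]),
        "procid": _nil(m["procid"]),
        "msgid": _nil(m["msgid"]),
        "structured_data": _nil(m["sd"]),
        "msg": msg,
    }


# The sample line printed in this guide. The guide shows the text "BOM" where
# RFC 5424 places the byte order mark, so it is kept as part of the message.
SAMPLE = ("<6>1 2011-05-13T12:28:31Z 169.245.1.1 - - - - "
          "BOM******System Startup******")

if __name__ == "__main__":
    for key, value in parse_syslog(SAMPLE).items():
        print(f"{key:16} {value}")
```

PRI 6 decodes to facility 0 with severity informational, so a collector that filters on severity needs to admit that level to see the radio's startup messages.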

Configuring AP system logging (syslog)


To configure system logging, select menu option Configuration, Syslog. The Syslog Configuration page is
displayed (Figure 32).
Figure 34 AP Syslog Configuration page


Table 36 Syslog Configuration attributes


Attribute

Meaning

Syslog DNS Server Usage

To configure the AP to append or not append the DNS server name to the syslog
server name.

Syslog Server

The dotted decimal or DNS name of the syslog server address.

Syslog Server Port

The syslog server port (default 514) to which syslog messaging is sent.

AP Syslog Transmit

When enabled, syslog messages will be sent from the AP.

SM Syslog Transmit

When enabled, allows all SMs in a sector to learn the syslog message transmission
setting (enabled or disabled) at registration. In order for the SM to use this
information from the AP, the SM must be configured to learn syslog settings from the
AP.

Configuring SM system logging (syslog)


To configure system logging, select menu option Configuration, Syslog. The Syslog Configuration page is
displayed (Figure 32).

Syslog will only work with SMs that have Network Accessibility set to Public.
Figure 35 SM Syslog Configuration page

Table 37 Syslog Configuration attributes

Attribute

Meaning

Syslog Transmission

The SM can choose to either learn its syslog configuration from the AP or to override
the AP's sector settings with its own settings. The ability to override the AP settings
lets an operator enable or disable syslog settings for individual SMs in a sector.


Task 9: Configuring remote access


Configuring SM IP over-the-air access
To access the SM management interface from a device situated above the AP, the SM's Network
Accessibility parameter (located in the web GUI at Configuration, IP) may be set to Public.
Figure 36 SM IP Configuration page


Accessing SM over-the-air by LUID


The SM may be accessed via the AP management GUI by navigating to either Home, Session Status or
Home, Remote Subscribers and clicking on the SM's hyperlink.

For example, to access the SM in Figure 35 click on LUID: 002 [0a-00-3e-a0-00-4b].


Figure 37 AP Session Status page

To access the SM in Figure 36 click on No Site Name [0a-00-3e-a0-00-4b] LUID: 002


Figure 38 AP Remote Subscribers page


Task 10: Monitoring the AP-SM Link


Monitoring the AP-SM Link
After the SM installer has configured the link, either an operator in the network office or the SM installer in
the field (if read access to the AP is available to the installer) should perform the following procedure. Who
is authorized and able to do this may depend on local operator password policy, management VLAN setup,
and operational practices.

To monitor the AP-SM link for performance, proceed as follows:


Procedure 10 Monitoring the AP-SM link
1. Access the web interface of the AP.

2. In the left-side menu of the AP interface, select Home.

3. Click the Session Status tab.

Figure 39 AP Session Status page

4. Find the Session Count line under the MAC address of the SM.

5. Check and note the values for Session Count, Reg Count, and Re-Reg Count.

Session Count: This field displays how many sessions the SM has had with the AP. Typically, this is
the sum of Reg Count and Re-Reg Count. However, the result of internal calculation may display
here as a value that slightly differs from the sum.

Reg Count: When an SM makes a registration request, the AP checks its local data to see whether it
considers the SM to be already registered. If the AP concludes that the SM is not, then the request
increments the value of this field.

Typically, a Re-Reg is the case where both

o an SM attempts to reregister for having lost communication with the AP.
o the AP has not yet observed the link to the SM as being down.

6. Briefly monitor these values, occasionally refreshing this page by clicking another tab and then the
Session Status tab again.

7. If these values are low (for example, 1, 1, and 0, respectively, meaning that the SM registered and started
a stable session once) and are not changing

o consider the installation successful.
o monitor these values from the network office over the next several hours and days.

8. If these values are greater than 1, 1, and 0, or they increase while you are monitoring them, troubleshoot
the link. (For example, use Receive Power Level for aiming and then use Link Tests to confirm
alignment.)


Task 11: Configuring quality of service


Maximum Information Rate (MIR) Parameters
Point-to-multipoint links use the following four MIR parameters for bandwidth management:

Sustained Uplink Data Rate (kbps)

Uplink Burst Allocation (kb)

Sustained Downlink Data Rate (kbps)

Downlink Burst Allocation (kb)

You can independently set each of these parameters per AP or per SM.

Token Bucket Algorithm


The software uses a token bucket algorithm that

stores credits (tokens) for the SM to spend on bandwidth for reception or transmission.

drains tokens during reception or transmission.

refills with tokens at the sustained rate set by the network operator.

For each token, the SM can send toward the network in the uplink (or the AP can send toward the SM in
the downlink) an equivalent number of kilobits. Two buckets determine the permitted throughput: one in
the SM for uplink and one in the AP for downlink.
The applicable set of Uplink Burst Allocation and Downlink Burst Allocation parameters determine the
number of tokens that can fill each bucket. When the SM transmits (or the AP transmits) a packet, the
equivalent number of tokens is removed from the uplink (or downlink) bucket.
Except when full, the bucket is continuously being refilled with tokens at rates that the applicable set of
Sustained Uplink Data Rate and Sustained Downlink Data Rate parameters specify. The bucket often
drains at a rate that is much faster than the sustained data rate but can refill at only the sustained data rate.
Thus, the effects of the allocation and rate parameters on packet delay are as follows:

the burst allocation affects how many kilobits are processed before packet delay is imposed.

the sustained data rate affects the packet delay that is imposed.


MIR Data Entry Checking


Uplink and downlink MIR is enforced as shown in Figure 38.

In these figures, entry refers to the setting in the data rate parameter, not the burst allocation parameter.
Figure 40 Uplink and downlink rate caps adjusted to apply aggregate cap

$$\text{uplink cap enforced} = \frac{\text{uplink entry} \times \text{aggregate cap for the SM}}{\text{uplink entry} + \text{downlink entry}}$$

$$\text{downlink cap enforced} = \frac{\text{downlink entry} \times \text{aggregate cap for the SM}}{\text{uplink entry} + \text{downlink entry}}$$

For example, in the SM, if you set the Sustained Uplink Data Rate parameter to 2,000 kbps and the
Sustained Downlink Data Rate parameter to 10,000 kbps, then the uplink and downlink MIR that will be
enforced for the SM can be calculated as shown in Figure 39.
Figure 41 Uplink and downlink rate cap adjustment example

$$\text{uplink cap enforced} = \frac{2{,}000\ \text{kbps} \times 7{,}000\ \text{kbps}}{2{,}000\ \text{kbps} + 10{,}000\ \text{kbps}} = 1{,}167\ \text{kbps}$$

$$\text{downlink cap enforced} = \frac{10{,}000\ \text{kbps} \times 7{,}000\ \text{kbps}}{2{,}000\ \text{kbps} + 10{,}000\ \text{kbps}} = 5{,}833\ \text{kbps}$$

In this example case, the derived 1,167-kbps uplink and 5,833-kbps downlink MIR sum to the fixed 7,000-kbps aggregate cap of the SM.

Bandwidth from the SM Perspective


In the SM, normal web browsing, e-mail, small file transfers, and short streaming video are rarely rate
limited with practical bandwidth management (QoS) settings. When the SM processes large downloads
such as software upgrades and long streaming video or a series of medium-size downloads, the bucket
rapidly drains, the burst limit is reached, and some packets are delayed. The subscriber experience is more
affected in cases where the traffic is more latency sensitive.


Interaction of Burst Allocation and Sustained Data Rate Settings
If the Burst Allocation is set to 1200 kb and the Sustained Data Rate is set to 128 kbps, a data burst of 1000
kb is transmitted at full speed because the Burst Allocation is set high enough. After the burst, the bucket
experiences a significant refill at the Sustained Data Rate. This configuration uses the advantage of the
settable Burst Allocation.
If both the Burst Allocation and the Sustained Data Rate are set to 128 kb, a burst is limited to the Burst
Allocation value. This configuration does not take advantage of the settable Burst Allocation.
If the Burst Allocation is set to 128 kb and the Sustained Data Rate is set to 256 kbps, the actual rate will be
the burst allocation (but in kbps). As above, this configuration does not take advantage of the settable Burst
Allocation.
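The token bucket described under Token Bucket Algorithm and the three settings cases above can be replayed in a short simulation. This is an added example, not the radio's firmware: the one-second refill interval is an assumption chosen because it reproduces the third case, and the 10,000-kbps link speed is a constructed value.

```python
def simulate(burst_kb, rate_kbps, offered_kb, link_kbps=10_000, tick_s=1.0):
    """Deliver offered_kb through a token bucket and report the timing.

    burst_kb   -- Burst Allocation: bucket capacity in kilobits
    rate_kbps  -- Sustained Data Rate: tokens credited per second
    link_kbps  -- constructed raw link speed at which a full bucket drains
    tick_s     -- assumed refill interval (the guide does not state one)
    """
    if burst_kb <= 0 or rate_kbps <= 0 or link_kbps <= 0 or offered_kb <= 0:
        raise ValueError("all parameters must be positive")

    tokens = float(burst_kb)        # the bucket starts full
    remaining = float(offered_kb)
    now = 0.0
    sent_before_stall = None        # kb delivered before tokens first ran out

    while True:
        # Within one interval the sender is limited by tokens, by the data
        # still queued, and by what the link can carry in that interval.
        sendable = min(tokens, remaining, link_kbps * tick_s)
        remaining -= sendable
        tokens -= sendable

        if remaining <= 0:
            finish = now + sendable / link_kbps
            if sent_before_stall is None:
                sent_before_stall = float(offered_kb)   # never stalled
            return {
                "finish_s": finish,
                "sent_before_stall_kb": sent_before_stall,
                "avg_kbps": offered_kb / finish,
            }

        if sent_before_stall is None and tokens <= 0:
            sent_before_stall = offered_kb - remaining

        # Wait for the next refill; the bucket never holds more than burst_kb.
        now += tick_s
        tokens = min(float(burst_kb), tokens + rate_kbps * tick_s)


# The three cases from the text, each offered the same 1000-kb burst.
CASES = {
    "burst 1200 kb, rate 128 kbps": (1200, 128),
    "burst 128 kb, rate 128 kbps": (128, 128),
    "burst 128 kb, rate 256 kbps": (128, 256),
}

if __name__ == "__main__":
    for label, (burst, rate) in CASES.items():
        r = simulate(burst, rate, offered_kb=1000)
        print(f"{label}: done in {r['finish_s']:.4f} s, "
              f"{r['sent_before_stall_kb']:.0f} kb before first delay")
```

Under these assumptions the first case finishes the burst without delay, while the second and third take the same time because the 128-kb bucket caps what each refill can add.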

High-priority Bandwidth
To support low-latency traffic such as VoIP (Voice over IP) or video, the system implements a high-priority
channel. This channel does not affect the inherent latencies in the system but allows high-priority
traffic to be immediately served. The high-priority pipe separates low-latency traffic from traffic that is
latency tolerant, such as standard web traffic and file downloads.

The number of channels available on the AP is reduced by the number of SMs configured for the high-priority
channel (each SM operating with high-priority enabled uses two channels (virtual circuits) instead
of one).

A module prioritizes traffic by

reading the Low Latency bit (Bit 3) in the IPv4 Type of Service (ToS) byte in a received packet. Bit 3
is set by a device outside the system.

reading the 802.1p field of the 802.1Q header in a received packet, where VLAN is enabled on the
module.

comparing the 6-bit Differentiated Services Code Point (DSCP) field in the ToS byte of a received
packet to a corresponding value in the Diffserv tab of the Configuration page of the module. A packet
contains no flag that indicates whether the encoding is for the Low Latency bit or the DSCP field. For
this reason, you must ensure that all elements in your trusted domain, including routers and endpoints,
set and read the ToS byte with the same scheme.
Modules monitor ToS bytes with DSCP fields, but with the following differences:

The 6-bit length of the field allows it to specify one of 64 service differentiations.

These correlate to 64 individual (CodePoint) parameters in the Diffserv tab of the Configuration
page.

Per RFC 2474, 3 of these 64 are preset and cannot be changed. (See
http://www.faqs.org/rfcs/rfc1902.html.)

For any or all of the remaining 61 CodePoint parameters, you can specify a value of
o 0 through 3 for low-priority handling.
o 4 through 7 for high-priority handling.

Ensure that your Differentiated Services domain boundary nodes mark any entering packet, as needed, so
that it specifies the appropriate Code Point for that traffic and domain. This prevents theft of service level.

An example of the Diffserv tab in the Configuration page and parameter descriptions are provided under
DiffServ Tab of the AP on Page 1-107. This tab and its rules are identical from module type to module
type. However, any of the 61 configurable Code Points can be set to a different value from module to
module, thus defining unique per-hop behavior for some traffic.
This tab in the AP sets the priorities for the various packets in the downstream (sent from the public
network). This tab in the SM sets the priorities for the various packets in the upstream (sent to the public
network).
Typically, some SMs attach to older devices that use the ToS byte as originally formatted, and others to
newer devices that use the DSCP field. The default values in the Diffserv tab allow your modules to
prioritize traffic from the older devices roughly the same as they traditionally have. However, these default
values may result in more high-priority traffic as DSCP fields from the newer devices are read and handled.
So, after making any changes in the Diffserv tab, carefully monitor the high-priority channel for high
packet rates

in SMs that you have identified as those to initially set and watch.

across your network when you have broadly implemented Code Point values, such as via SNMP.
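The ToS-byte handling described in this section can be checked offline before CodePoint values are rolled out. The following is an added example, not Cambium code. It reads one byte under both schemes, lists the CodePoints where the two readings pick different channels, and shows a boundary re-marking step. The table default of 0 for unset CodePoints, the trusted set and the sample header are assumptions or constructed values.

```python
FIXED = {0: 0, 48: 6, 56: 7}   # preset CodePoints named in this guide
LOW_LATENCY_BIT = 0x10         # "Bit 3" of the ToS byte, counting the most
                               # significant bit as bit 0 (RFC 791 numbering)


def build_table(overrides=None):
    """Return a CodePoint -> priority table (0..7) for all 64 CodePoints.

    Unset CodePoints default to 0 here; that default is an assumption,
    the guide does not list the radio's factory values.
    """
    table = {cp: 0 for cp in range(64)}
    table.update(FIXED)
    for cp, prio in (overrides or {}).items():
        if cp in FIXED:
            raise ValueError(f"CodePoint {cp} is fixed at priority {FIXED[cp]}")
        if not (0 <= cp <= 63 and 0 <= prio <= 7):
            raise ValueError(f"CodePoint {cp} / priority {prio} out of range")
        table[cp] = prio
    return table


def tos_from_ipv4(packet):
    """Return the ToS byte (second byte) of a raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[1]


def read_tos(tos):
    """Interpret one ToS byte under both schemes the guide describes."""
    return {"dscp": tos >> 2, "low_latency": bool(tos & LOW_LATENCY_BIT)}


def channel(tos, table):
    """Channel chosen by the DSCP table: priorities 4..7 are high."""
    return "high" if table[tos >> 2] >= 4 else "low"


def scheme_conflicts(table):
    """CodePoints where the Low Latency bit and the table disagree.

    These are the values that get different treatment depending on which
    scheme a device in the trusted domain uses to set or read the byte.
    """
    conflicts = []
    for dscp in range(64):
        legacy_high = bool((dscp << 2) & LOW_LATENCY_BIT)
        if legacy_high != (table[dscp] >= 4):
            conflicts.append(dscp)
    return conflicts


def remark_at_boundary(tos, trusted_codepoints):
    """Reset untrusted DSCP markings to 0 at the domain boundary.

    The two low-order bits lie outside the 6-bit DSCP field and are kept.
    """
    if (tos >> 2) in trusted_codepoints:
        return tos
    return tos & 0x03


# Constructed 20-byte IPv4 header with ToS 0xB8 (DSCP 46); checksum left at 0.
SAMPLE_HEADER = bytes.fromhex("45b800540000400040010000c0000201c0000202")

if __name__ == "__main__":
    table = build_table({46: 5})   # hypothetical operator choice
    tos = tos_from_ipv4(SAMPLE_HEADER)
    print(read_tos(tos), channel(tos, table))
    print("conflicting CodePoints:", scheme_conflicts(table))
    print("re-marked 0xE2 ->", hex(remark_at_boundary(0xE2, {46})))
```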

Traffic Scheduling
The characteristics of traffic scheduling in a sector are summarized in Table 38.
Table 38 Characteristics of traffic scheduling

| Category | Factor | Treatment |
|---|---|---|
| Throughput | Aggregate throughput, less additional overhead | 95 Mbps |
| Latency | Number of frames required for the scheduling process | |
| Latency | Round-trip latency | 6 ms |
| Latency | AP broadcast the download schedule | No |
| High-priority Channel | Allocation for uplink high-priority traffic on amount of high-priority traffic | Dynamic, based on amount of high-priority traffic |
| High-priority Channel | Allocation for downlink high-priority traffic on amount of high-priority traffic | Dynamic, based on amount of high-priority traffic |
| High-priority Channel | Order of transmission | Other high-priority; Other low-priority |
Power requirements affect the recommended maximums for power cord length feeding the CMMmicro or
CMM4. See the dedicated user guide that supports the CMM that you are deploying. However, the
requirements do not affect the maximums for the CMM2.
Packets that have a priority of 4 to 7 in either the DSCP or a VLAN 802.1p tag are automatically sent on
the high-priority channel, but only where the high-priority channel is enabled.

Setting the Configuration Source


The AP includes a Configuration Source parameter, which sets where SMs that register to the AP are
controlled for MIR, VLAN, and the high-priority channel as follows. The Configuration Source parameter
affects the source of:

all MIR settings:


o Sustained Uplink Data Rate
o Uplink Burst Allocation
o Sustained Downlink Data Rate
o Downlink Burst Allocation

all SM VLAN settings


o Dynamic Learning
o Allow Only Tagged Frames
o VLAN Aging Timeout
o Untagged Ingress VID
o Management VID
o VLAN Membership

the Hi Priority Channel setting

Table 39 Recommended combined settings for typical operations

| Most operators who use | should set this parameter | in this web page/tab | in the AP to |
|---|---|---|---|
| no authentication server | Authentication Mode | Configuration/Security | Disabled |
| no authentication server | Configuration Source | Configuration/General | SM |
| Wireless Manager (Authentication Server) | Authentication Mode | Configuration/Security | Authentication Server |
| Wireless Manager (Authentication Server) | Configuration Source | Configuration/General | Authentication Server |
| RADIUS AAA server | Authentication Mode | Configuration/Security | RADIUS AAA |
| RADIUS AAA server | Configuration Source | Configuration/General | Authentication Server |

Table 40 Where feature values are obtained for an SM with authentication required

| Configuration Source Setting in the AP | MIR Values | VLAN Values | High Priority Channel State |
|---|---|---|---|
| Authentication Server | Authentication Server | Authentication Server | Authentication Server |
| SM | SM | SM | SM |
| Authentication Server+SM | Authentication Server | Authentication Server, then SM | Authentication Server, then SM |

NOTES:
HPC represents the Hi Priority Channel (enable or disable).
Where Authentication Server, then SM is the indication, parameters for which Authentication Server does not send
values are obtained from the SM. This is the case where the Authentication Server is operating on an
Authentication Server release that did not support the feature. This is also the case where the feature
enable/disable flag in Authentication Server is set to disabled. The values are those previously set or, if none ever
were, then the default values.
Where Authentication Server is the indication, values in the SM are disregarded.
Where SM is the indication, values that Authentication Server sends for the SM are disregarded.

For any SM whose Authentication Mode parameter is not set to Authentication Required, the listed
settings are derived as shown:
Table 41 Where feature values are obtained for an SM with authentication disabled

| Configuration Source Setting in the AP | MIR Values | VLAN Values | High Priority Channel State |
|---|---|---|---|
| Authentication Server | AP | AP | AP |
| SM | SM | SM | SM |
| Authentication Server+SM | SM | SM | SM |

Quality of Service (QoS) Tab of the AP


Figure 42 Quality of Service (QoS) tab of the AP

In the Quality of Service (QoS) tab, you may set AP bandwidth parameters as follows.
Table 42 AP QoS attributes
Attribute

Meaning

Sustained Uplink Data Rate

Specify the rate that each SM registered to this AP is replenished with credits for
transmission. This default imposes no restriction on the uplink. See

Maximum Information Rate (MIR) Parameters on page 1-99

Interaction of Burst Allocation and Sustained Data Rate Settings on page 1-101

Configuration Source on page 1-43

Uplink Burst Allocation

Specify the maximum amount of data to allow each SM to transmit before being
recharged at the Sustained Uplink Data Rate with credits to transmit more. See

Maximum Information Rate (MIR) Parameters on page 1-99

Interaction of Burst Allocation and Sustained Data Rate Settings on page 1-101

Configuration Source on page 1-43

Sustained Downlink Data Rate

Specify the rate at which the AP should be replenished with credits (tokens) for
transmission to each of the SMs in its sector. This default imposes no restriction
on the uplink. See

Maximum Information Rate (MIR) Parameters on page 1-99

Interaction of Burst Allocation and Sustained Data Rate Settings on page 1-101

Configuration Source on page 1-43

Downlink Burst Allocation

Specify the maximum amount of data to allow the AP to transmit to any
registered SM before the AP is replenished with transmission credits at the
Sustained Downlink Data Rate. See

Maximum Information Rate (MIR) Parameters on page 1-99

Interaction of Burst Allocation and Sustained Data Rate Settings on page 1-101

Configuration Source on page 1-43

Priority Precedence

Allows operator to decide if 802.1p or DiffServ priority bits should be used first
when making priority decisions.

PPPoE Control Message Priority

Operators may configure the SM to utilize the high priority channel for PPPoE
control messages. Configuring the SM in this fashion can benefit the continuity
of PPPoE connections when there are issues with PPPoE sessions being dropped
in the network. This prioritization may be configured in the DiffServ tab in the
Configuration menu of the SM.

Prioritize TCP ACK

To reduce the likelihood of TCP acknowledgement packets being dropped, set
this parameter to Enabled. This can improve throughput that the end user
perceives during transient periods of congestion on the link that is carrying
acknowledgements.


DiffServ Tab of the AP


Figure 43 Diffserv tab of the AP

You may set the following Diffserv tab parameters.


Table 43 AP Diffserv attributes
Attribute

Meaning

CodePoint 1 through CodePoint 47, CodePoint 49 through CodePoint 55, CodePoint 57 through CodePoint 63

Priorities of 0 through 3 map to the low-priority channel; 4 through 7 to the high-priority
channel. The mappings are the same as 802.1p VLAN priorities.

Consistent with RFC 2474:
CodePoint 0 is predefined to a fixed priority value of 0 (low-priority channel).
CodePoint 48 is predefined to a fixed priority value of 6 (high-priority channel).
CodePoint 56 is predefined to a fixed priority value of 7 (high-priority channel).

You cannot change any of these three fixed priority values. Among the settable
parameters, the priority values (and therefore the handling of packets in the high-
or low-priority channel) are set in the AP for all downlinks within the sector and
in the SM for each uplink.

CodePoint Select

This represents the CodePoint Selection to be modified via Priority Select

Priority Select

The priority setting input for the CodePoint selected in CodePoint Select

Priority Precedence

Allows operator to decide if 802.1p or DiffServ priority bits should be used first
when making priority decisions.

PPPoE Control Message Priority

Operators may configure the AP to utilize the high priority channel for PPPoE
control messages. Configuring the AP in this fashion can benefit the continuity of
PPPoE connections when there are issues with PPPoE sessions being dropped in
the network. This prioritization may be configured in the DiffServ tab in the
Configuration menu of the AP.

Quality of Service (QoS) Tab of the SM


Figure 44 Quality of Service (QoS) tab of the SM

In the Quality of Service (QoS) tab of the SM, you may set the following parameters.
Table 44 SM Quality of Service attributes

Attribute

Meaning

Sustained Uplink Data Rate

Specify the rate that this SM is replenished with credits for transmission. This
default imposes no restriction on the uplink. See

Maximum Information Rate (MIR) Parameters on page 1-99

Interaction of Burst Allocation and Sustained Data Rate Settings on page 1-101

Configuration Source on page 1-43

Sustained Downlink Data Rate

Specify the rate at which the AP should be replenished with credits (tokens) for
transmission to this SM. This default imposes no restriction on the uplink. See

Maximum Information Rate (MIR) Parameters on page 1-99

Interaction of Burst Allocation and Sustained Data Rate Settings on page 1-101

Configuration Source on page 1-43

Uplink Burst Allocation

Specify the maximum amount of data to allow this SM to transmit before being
recharged at the Sustained Uplink Data Rate with credits to transmit more. See

Maximum Information Rate (MIR) Parameters on page 1-99

Interaction of Burst Allocation and Sustained Data Rate Settings on page 1-101

Configuration Source on page 1-43

Downlink Burst Allocation

Specify the maximum amount of data to allow the AP to transmit to this SM
before the AP is replenished at the Sustained Downlink Data Rate with
transmission credits. See

Maximum Information Rate (MIR) Parameters on page 1-99

Interaction of Burst Allocation and Sustained Data Rate Settings on page 1-101

Configuration Source on page 1-43

Hi Priority Channel

See

High-priority Bandwidth on page 1-101

Configuration Source on page 1-43

Priority Precedence

Allows operator to decide if 802.1p or DiffServ priority bits should be used first
when making priority decisions.

PPPoE Control Message Priority

Operators may configure the SM to utilize the high priority channel for PPPoE
control messages. Configuring the SM in this fashion can benefit the continuity
of PPPoE connections when there are issues with PPPoE sessions being dropped
in the network. This prioritization may be configured in the DiffServ tab in the
Configuration menu of the SM.

Prioritize TCP ACK

To reduce the likelihood of TCP acknowledgement packets being dropped, set
this parameter to Enabled. This can improve throughput that the end user
perceives during transient periods of congestion on the link that is carrying
acknowledgements.


DiffServ Tab of the SM


Figure 45 Diffserv tab of the SM


In the Diffserv tab of the SM, you may set the following parameters.
Table 45 SM Diffserv attributes
Attribute

Meaning

CodePoint 1 through CodePoint 47, CodePoint 49 through CodePoint 55, CodePoint 57 through CodePoint 63

Priorities of 0 through 3 map to the low-priority channel; 4 through 7 to the high-priority
channel. The mappings are the same as 802.1p VLAN priorities.

Consistent with RFC 2474:
CodePoint 0 is predefined to a fixed priority value of 0 (low-priority channel).
CodePoint 48 is predefined to a fixed priority value of 6 (high-priority channel).
CodePoint 56 is predefined to a fixed priority value of 7 (high-priority channel).

You cannot change any of these three fixed priority values. Among the settable
parameters, the priority values (and therefore the handling of packets in the high-
or low-priority channel) are set in the AP for all downlinks within the sector and
in the SM for each uplink.

CodePoint Select

This represents the CodePoint Selection to be modified via Priority Select

Priority Select

The priority setting input for the CodePoint selected in CodePoint Select

Priority Precedence

Allows operator to decide if 802.1p or DiffServ priority bits should be used first
when making priority decisions.

PPPoE Control Message Priority

Operators may configure the SM to utilize the high priority channel for PPPoE
control messages. Configuring the SM in this fashion can benefit the continuity
of PPPoE connections when there are issues with PPPoE sessions being dropped
in the network. This prioritization may be configured in the DiffServ tab in the
Configuration menu of the SM.


Task 12: Configuring a RADIUS server


Configuring a RADIUS server in a PMP 450 network is optional, but can provide added security, increase
ease of network management and provide usage-based billing data.

Understanding RADIUS for PMP 450


PMP 450 modules include support for the RADIUS (Remote Authentication Dial In User Service)
protocol supporting Authentication and Accounting.

RADIUS Functions
RADIUS protocol support provides the following functions:

SM Authentication allows only known SMs onto the network (blocking rogue SMs), and can be
configured to ensure SMs are connecting to a known network (preventing SMs from connecting to
rogue APs). RADIUS authentication is used for SMs, but is not used for APs.

SM Configuration: Configures authenticated SMs with MIR (Maximum Information Rate), CIR
(Committed Information Rate), High Priority, and VLAN (Virtual LAN) parameters from the RADIUS
server when an SM registers to an AP.

SM Accounting provides support for RADIUS accounting messages for usage-based billing. This
accounting includes indications for subscriber session establishment, subscriber session disconnection,
and bandwidth usage per session for each SM that connects to the AP.

Centralized AP and SM user name and password management allows AP and SM usernames
and access levels (Administrator, Installer, Technician) to be centrally administered in the RADIUS
server instead of on each radio and tracks access events (logon/logoff) for each username on the
RADIUS server. This accounting does not track and report specific configuration actions performed
on radios or pull statistics such as bit counts from the radios. Such functions require an Element
Management System (EMS) such as Cambium Networks Wireless Manager. This accounting is not
the ability to perform accounting functions on the subscriber/end user/customer account.

Framed IP allows operators to use a RADIUS server to assign management IP addressing to SM
modules (framed IP address).

Tested RADIUS Servers


The Canopy RADIUS implementation has been tested and is supported on

FreeRADIUS, Version 2.1.8

Aradial RADIUS, Version 5.1.12

Note, Aradial 5.3 has a bug that prevents remote device login, so doesn't support the user name and
password management feature.


Choosing Authentication Mode and Configuring for Authentication Servers - AP
On the AP's Configuration > Security tab, select the RADIUS AAA Authentication Mode. The
following describes the other Authentication Mode options for reference, and then the RADIUS AAA
option.

Disabled: Requires no authentication. Any SM (except an SM that itself has been configured to
require RADIUS authentication by enabling Enforce Authentication as described below) will be
allowed to register to the AP.

Authentication Server: Authentication Server in this instance refers to Wireless Manager in BAM-only
mode. Authentication will be required for an SM to register to the AP. Only SMs listed by
MAC address in the Wireless Manager database will be allowed to register to the AP.

AP Pre-Shared Key: Canopy offers a pre-shared key authentication option. In this case, an
identical key must be entered in the Authentication Key field on the AP's Configuration > Security
tab and in the Authentication Key field on each desired SM's Configuration > Security tab.

RADIUS AAA: To support RADIUS authentication of SMs, on the AP's Configuration > Security
tab select RADIUS AAA. Only properly configured SMs with a valid certificate will be allowed to
register to the AP.

When RADIUS AAA is selected, up to 3 Authentication Server (RADIUS Server) IP addresses and
Shared Secrets can be configured. The IP address(es) configured here must match the IP address(es) of
the RADIUS server(s). The shared secret(s) configured here must match the shared secret(s) configured
in the RADIUS server(s). Servers 2 and 3 are meant for backup and reliability, not splitting the database.
If Server 1 doesn't respond, Server 2 is tried, and then server 3. If Server 1 rejects authentication, the
SM is denied entry to the network, and does not progress trying the other servers.

The default IP address is 0.0.0.0. The default Shared Secret is CanopySharedSecret. The Shared Secret
can be up to 32 ASCII characters (no diacritical marks or ligatures, for example).
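The server-list rules and defaults above lend themselves to a pre-deployment check. The following is an added example, not Cambium code. The list-of-dicts representation of the AP's server entries is hypothetical, the addresses and secrets are constructed, and applying the "reject stops the search" rule to servers 2 and 3 is an assumption (the guide states it for Server 1).

```python
import ipaddress

DEFAULT_SECRET = "CanopySharedSecret"   # default stated in this guide
DEFAULT_IP = "0.0.0.0"                  # default stated in this guide
MAX_SERVERS = 3
MAX_SECRET_LEN = 32


def audit_servers(servers):
    """Return findings for an ordered list of {'ip': ..., 'secret': ...}.

    Entries still at the default address are treated as unused slots.
    """
    findings = []
    if len(servers) > MAX_SERVERS:
        findings.append(f"{len(servers)} servers listed; the AP accepts up to {MAX_SERVERS}")
    in_use = 0
    for n, entry in enumerate(servers, start=1):
        ip, secret = entry["ip"], entry["secret"]
        if ip == DEFAULT_IP:
            continue                      # slot not configured
        in_use += 1
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"server {n}: {ip!r} is not a valid IP address")
        if secret == DEFAULT_SECRET:
            findings.append(f"server {n}: shared secret is the factory default")
        elif not secret or not secret.isascii() or len(secret) > MAX_SECRET_LEN:
            findings.append(f"server {n}: shared secret must be 1..{MAX_SECRET_LEN} ASCII characters")
    if in_use == 0:
        findings.append("no RADIUS server configured")
    return findings


def authenticate(responses):
    """Model the AP's failover over per-server outcomes, in configured order.

    Each outcome is 'accept', 'reject', or None (no response). Returns
    (admitted, index_of_deciding_server); index is None if nobody answered.
    """
    for index, outcome in enumerate(responses[:MAX_SERVERS]):
        if outcome is None:
            continue                      # silent server: try the next one
        return outcome == "accept", index # first answer is final
    return False, None


if __name__ == "__main__":
    constructed = [
        {"ip": "192.0.2.10", "secret": DEFAULT_SECRET},
        {"ip": "192.0.2.11", "secret": "constructed-secret-for-demo"},
        {"ip": DEFAULT_IP, "secret": DEFAULT_SECRET},
    ]
    for finding in audit_servers(constructed):
        print("FINDING:", finding)
    print(authenticate([None, "accept", "reject"]))   # backup server admits
    print(authenticate(["reject", "accept"]))          # Server 1 rejection is final
```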


Figure 46 Security tab of the AP

SM Authentication Mode - Require RADIUS or Follow AP


If it is desired that an SM will only authenticate to an AP that is using RADIUS, on the SM's
Configuration > Security tab set Enforce Authentication to AAA. With this enabled, an SM will not
register to an AP that has any Authentication Mode other than RADIUS AAA selected.

If it is desired that an SM use the authentication method configured on the AP it is registering to, set
Enforce Authentication to Disabled. With Enforce Authentication disabled, an SM will attempt to
register using whichever Authentication Mode is configured on the AP it is attempting to register to.

Note, requiring SMs to use RADIUS by enabling Enforce Authentication avoids the security issue of
SMs possibly registering to rogue APs which have authentication disabled.


Figure 47 Security tab of the SM


SM - Phase 1 (Outside Identity) parameters and settings


The protocols supported for the Phase 1 (Outside Identity) phase of authentication are
eapttls (Extensible Authentication Protocol Tunneled Transport Layer Security) and eapMSChapV2
(Extensible Authentication Protocol Microsoft Challenge-Handshake Authentication Protocol).
Configure an outer Identity in the Username field. This must match the Phase 1/Outer Identity username
configured in the RADIUS server. The default Phase 1/Outer Identity Username is anonymous. The
Username can be up to 128 non-special (no diacritical markings) alphanumeric characters. If Realms are
being used in the RADIUS system (eapttls only), select Enable Realm and configure an outer identity in
the Identity field and a Realm in the Realm field. These must match the Phase 1/Outer Identity and Realm
configured in the RADIUS server. The default Identity is anonymous. The Identity can be up to 128
non-special (no diacritical markings) alphanumeric characters. The default Realm is canopy.net. The Realm
can also be up to 128 non-special alphanumeric characters.

SM - Phase 2 (Inside Identity) parameters and settings


If using eapttls for Phase 1 authentication, select the desired Phase 2 (Inside Identity) authentication
protocol from the Phase 2 options of PAP (Password Authentication Protocol), CHAP (Challenge
Handshake Authentication Protocol), and MSCHAPv2 (Microsoft's version of CHAP). The protocol
must be consistent with the authentication protocol configured on the RADIUS server. Enter a
Username for the SM. This must match the username configured for the SM on the RADIUS server.
The default Username is the SM's MAC address. The Username can be up to 128 non-special (no
diacritical markings) alphanumeric characters.
Enter the desired password for the SM in the Password and Confirm Password fields. The Password
must match the password configured for the SM on the RADIUS server. The default Password is
password. The Password can be up to 128 non-special (no diacritical markings) alphanumeric
characters.

Handling Certificates
Managing SM Certificates via the SM GUI
The default public Canopy certificates are loaded into SMs upon factory software installation. The
default certificates are not secure and are intended for use during lab and field trials as part of gaining
experience with the RADIUS functionalities or as an option during debug. For secure operation, an
operator will want to create or procure their own certificates. Resetting an SM to its factory defaults will
remove the current certificates and restore the default certificates.

Up to 2 certificates can be resident on an SM. An installed certificate can be deleted by clicking the
Delete button in the certificate's description block on the Configuration > Security tab. To restore the 2
default certificates, click the Use Default Certificates button in the RADIUS Certificate Settings
parameter block and reboot the radio.

To upload a certificate manually to an SM, first load it in a known place on your PC or network drive,
then click on a Delete button on one of the Certificate description blocks to delete a certificate to provide
space for your certificate. Click on Choose File, browse to the location of the certificate, and click the
Import Certificate button, and then reboot the radio to use the new certificate.

When a certificate is in use, after the SM successfully registers to an AP, an indication of In Use will
appear in the description block of the certificate being used.
The public certificates installed on the SMs are used with the private certificate on the RADIUS server
to provide a public/private key encryption system.
Figure 48 SM Certificate Management

Configuring your RADIUS servers for SM authentication


Your RADIUS server will need to be configured to use the following:

EAPTTLS or MSCHAPv2 as the Phase 1/Outer Identity protocol.

If Enable Realm is selected on the SM's Configuration > Security tab, then the same
Realm as appears there (or access to it).

The same Phase 2 (Inner Identity) protocol as configured on the SM's Configuration > Security tab
under Phase 2 options.

The username and password for each SM configured on each SM's Configuration > Security tab.

An IP address and NAS shared secret that is the same as the IP address and Shared Secret
configured on the AP's Configuration > Security tab for that RADIUS server.

A server private certificate, server key, and CA certificate that complement the public certificates
distributed to the SMs, as well as the Canopy dictionary file that defines Vendor Specific Attributes
(VSAs). Default certificate files and the dictionary file are available from the software site:
www.cambiumnetworks.com/support/pmp/software/ after entering your name, email address, and
either Customer Contract Number or the MAC address of a module covered under the 12 month
warranty.

Optionally, operators may configure the RADIUS server response messages (Accept or Reject) so that the
user has information as to why they have been rejected. The AP displays the RADIUS Authentication
Reply message strings in the Session Status list as part of each SM's information. The SM will show this
string (listed as Authentication Response on the SM GUI) on the main Status page in the Subscriber
Module Stats section.
(Note: Aradial AAA servers only support operator-configurable Authentication Accept responses, not
Authentication Reject responses.)

Assigning SM management IP addressing via RADIUS


Operators may use a RADIUS AAA server to assign management IP addressing to SM modules (framed IP
address). SMs now interpret attributes Framed-IP-Address, Framed-IP-Netmask, and Cambium-Canopy-Gateway
from RADIUS. The RADIUS dictionary file has been updated to include the Cambium-Canopy-Gateway
attribute and is available on the Cambium Software Support website.
In order for these attributes to be assigned and used by the SM, the following must be true:

The system is configured for AAA authentication

The SM is not configured for DHCP on its management interface. If DHCP is enabled and these
attributes are configured in the RADIUS server, the attributes will be ignored by the SM.

The SM management interface must be configured to be publicly accessible. If the SM is configured
to have local accessibility, the management interface will still be assigned the framed addressing, and
the SM will become publicly accessible via the assigned framed IP addressing.

When using these attributes, for the addressing to be implemented by the SM, operators must configure
Framed-IP-Address in RADIUS. If Framed-IP-Address is not configured but Framed-IP-Netmask
and/or Cambium-Canopy-Gateway is configured, the attributes will be ignored. In the case where only
the Framed-IP-Address is configured, Framed-IP-Netmask defaults to 255.255.0.0 (NAT disabled) /
255.255.255.0 (NAT enabled) and Cambium-Canopy-Gateway defaults to 0.0.0.0.

Configuring your RADIUS server for SM configuration


Table 46 lists Canopy Vendor Specific Attributes (VSAs) along with VSA numbers and other details.
The associated SM GUI page, tab, and parameter are listed to aid cross-referencing and understanding of
the VSAs.

A RADIUS dictionary file is available from the software site:
www.cambiumnetworks.com/support/pmp/software/

The RADIUS dictionary file defines the VSAs and their values and is usually imported into the
RADIUS server as part of server and database setup.

Table 46 RADIUS Vendor Specific Attributes (VSAs)


Name | Number | Type | Reqd | Value | SM GUI Page > Tab > Parameter | Default | Size
MS-MPPE-Send-Key | 26.311.16 | | | | | - |
MS-MPPE-Recv-Key | 26.311.17 | | | | | |
Cambium-Canopy-HPENABLE | 26.161.5 | integer | N | 0-disable, 1-enable | Configuration > Quality of Service > Hi Priority Channel | | 32 bits
Cambium-Canopy-ULBR | 26.161.6 | integer | N | 0-50000+ kbps | Configuration > Quality of Service > Sustained Uplink Data Rate | dependent on radio feature set | 32 bits
Cambium-Canopy-ULBL | 26.161.7 | integer | N | 0-50000+ kbps | Configuration > Quality of Service > Uplink Burst Allocation | dependent on radio feature set | 32 bits
Cambium-Canopy-DLBR | 26.161.8 | integer | N | 0-50000+ kbps | Configuration > Quality of Service > Sustained Downlink Data Rate | dependent on radio feature set | 32 bits
Cambium-Canopy-DLBL | 26.161.9 | integer | N | 0-50000+ kbps | Configuration > Quality of Service > Downlink Burst Allocation | dependent on radio feature set | 32 bits
Cambium-Canopy- | 26.161.14 | integer | N | 0-disable, 1-enable | Configuration > VLAN > Dynamic Learning | 1 | 32 bits
Cambium-Canopy-VLFRAMES | 26.161.15 | integer | N | 0-all, 1-tagged, 2-untagged | Configuration > VLAN > Allow Frame Types | 0 | 32 bits
Cambium-Canopy-VLIDSET | 26.161.16 | integer | N | VLAN Membership (1-4094) | Configuration > VLAN Membership | 0 | 32 bits
Cambium-Canopy-VLAGETO | 26.161.20 | integer | N | 5 - 1440 minutes | Configuration > VLAN > VLAN Aging Timeout | 25 mins | 32 bits
Cambium-Canopy-VLIGVID | 26.161.21 | integer | N | 1 - 4094 | Configuration > VLAN > Default Port VID | 1 | 32 bits
Cambium-Canopy-VLMGVID | 26.161.22 | integer | N | 1 - 4094 | Configuration > VLAN > Management VID | 1 | 32 bits
Cambium-Canopy-VLSMMGPASS | 26.161.23 | integer | N | 0-disable, 1-enable | Configuration > VLAN > SM Management VID Pass-through | | 32 bits
Cambium-Canopy-BCASTMIR | 26.161.24 | integer | N | 0-50000+ kbps, 0=disabled | Configuration > Quality of Service > Broadcast/Multicast Uplink Data Rate | dependent on radio feature set | 32 bits
Cambium-Canopy-Gateway | 26.161.25 | ipaddr | | | Configuration > IP > Gateway IP Address | 0.0.0.0 |
Cambium-Canopy-UserLevel | 26.161.50 | integer | N | 1-Technician, 2-Installer, 3-Administrator | Account > Add User > Level | | 32 bits

Note about VSA numbering:


26 connotes Vendor Specific Attribute, per RFC 2865
26.311 is Microsoft Vendor Code, per IANA
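
The 26.161.x numbering maps directly onto the wire format of a RADIUS Vendor-Specific attribute. The following decoder is an added example, not Cambium code: it walks an attribute list and names the Table 46 VSAs it finds, which is useful when checking what a server actually sends (for instance which UserLevel it grants). The sample bytes, the function names and the subset of rows used are constructed for illustration.

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type, the first field of 26.161.x
CANOPY_VENDOR = 161    # vendor code, the second field of 26.161.x in Table 46

# Vendor type (third field) -> (name, data type). Subset of Table 46.
CANOPY_VSAS = {
    5: ("Cambium-Canopy-HPENABLE", "integer"),
    6: ("Cambium-Canopy-ULBR", "integer"),
    7: ("Cambium-Canopy-ULBL", "integer"),
    8: ("Cambium-Canopy-DLBR", "integer"),
    9: ("Cambium-Canopy-DLBL", "integer"),
    21: ("Cambium-Canopy-VLIGVID", "integer"),
    22: ("Cambium-Canopy-VLMGVID", "integer"),
    25: ("Cambium-Canopy-Gateway", "ipaddr"),
    50: ("Cambium-Canopy-UserLevel", "integer"),
}
USER_LEVELS = {1: "Technician", 2: "Installer", 3: "Administrator"}


def encode_vsa(vendor_type, value, vendor=CANOPY_VENDOR):
    """Build one type-26 attribute carrying a single 4-byte sub-attribute."""
    if isinstance(value, str):                      # dotted-quad ipaddr
        payload = ipaddress.IPv4Address(value).packed
    else:                                           # 32-bit unsigned integer
        payload = struct.pack("!I", value)
    sub = bytes([vendor_type, 2 + len(payload)]) + payload
    body = struct.pack("!I", vendor) + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def decode_value(kind, raw):
    """Decode a sub-attribute value; unknown vendor types stay raw bytes."""
    if kind is None:
        return raw
    if len(raw) != 4:
        raise ValueError("integer and ipaddr values are 4 bytes (32 bits)")
    if kind == "ipaddr":
        return str(ipaddress.IPv4Address(raw))
    return struct.unpack("!I", raw)[0]


def split_tlvs(data, what):
    """Yield (type, value) pairs; each length byte counts its 2-byte header."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError(f"truncated {what} header")
        kind, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad {what} length")
        yield kind, data[pos + 2:pos + length]
        pos += length


def decode_canopy_vsas(attributes):
    """Return {name: value} for every 26.161.x VSA in a RADIUS attribute list."""
    found = {}
    for attr_type, value in split_tlvs(attributes, "attribute"):
        if attr_type != VENDOR_SPECIFIC:
            continue                                # e.g. User-Name
        if len(value) < 4:
            raise ValueError("vendor-specific attribute without vendor code")
        if struct.unpack("!I", value[:4])[0] != CANOPY_VENDOR:
            continue                                # e.g. 26.311 (Microsoft)
        for vendor_type, raw in split_tlvs(value[4:], "sub-attribute"):
            name, kind = CANOPY_VSAS.get(vendor_type,
                                         (f"26.161.{vendor_type}", None))
            found[name] = decode_value(kind, raw)
    return found


def granted_user_level(decoded):
    """Name of the management access level the reply grants, if any."""
    return USER_LEVELS.get(decoded.get("Cambium-Canopy-UserLevel"))


# Constructed sample: a User-Name attribute followed by five VSAs.
SAMPLE = (bytes([1, 6]) + b"sm01"
          + encode_vsa(6, 20000) + encode_vsa(8, 40000)
          + encode_vsa(25, "10.10.0.1") + encode_vsa(50, 3)
          + encode_vsa(14, 1))

if __name__ == "__main__":
    decoded = decode_canopy_vsas(SAMPLE)
    for name, value in decoded.items():
        print(name, value)
    print("user level:", granted_user_level(decoded))
```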

Using RADIUS for centralized AP and SM user name and password management
AP Technician/Installer/Administrator Authentication
To control technician, installer, and administrator access to the AP from a centralized RADIUS server:
1. Set Authentication Mode on the AP's Configuration > Security tab to RADIUS AAA.

2. Set User Authentication Mode on the AP's Account > User Authentication tab (the tab only appears
after the AP is set to RADIUS authentication) to Remote or Remote then Local.

Local: The local SM is checked for accounts. No centralized RADIUS
accounting (access control) is performed.

Remote: Authentication by the centralized RADIUS server is required to gain access to the
SM if the SM is registered to an AP that has RADIUS AAA Authentication Mode selected.
For up to 2 minutes a test pattern will be displayed until the server responds or times out.

Remote then Local: Authentication using the centralized RADIUS server is attempted. If the
server sends a reject message, then the setting of Allow Local Login after Reject from AAA
determines if the local user database is checked or not. If the configured servers do not respond
within 2 minutes, then the local user database is used. The successful login method is displayed
in the navigation column of the SM.

Either the same RADIUS server used for SM authentication can be used for user authentication and
accounting (access control), or a separate RADIUS accounting server can be used. Indicate your
network design under Authentication Server Settings in the AP's Security tab.
If separate accounting server(s) are used, configure the IP address(es) and Shared Secret(s) in the
Accounting Server fields. The default Shared Secret is CanopyAcctSecret. Up to 3 servers can be
used for redundancy. Servers 2 and 3 are meant for backup and reliability, not
splitting the database. If Server 1 doesn't respond, Server 2 is tried, and then Server 3. If Server 1 rejects
authentication, Server 2 is not tried.

Figure 49 User Authentication tab of the AP

Table 47 AP User Authentication and Access Tracking attributes


Attribute

Meaning

User Authentication Mode

Local: The local SM is checked for accounts. No centralized
RADIUS accounting (access control) is performed.
Remote: Authentication by the centralized RADIUS server is
required to gain access to the AP. For up to 2 minutes a test pattern will
be displayed until the server responds or times out.
Remote then Local: Authentication using the centralized RADIUS
server is attempted. If the server sends a reject message, then the setting
of Allow Local Login after Reject from AAA determines if the local
user database is checked or not. If the configured servers do not respond
within 2 minutes, then the local user database is used. The successful
login method is displayed in the navigation column of the AP.

User Authentication Method

The user authentication method employed by the radios is EAP-MD5.

Allow Local Login after Reject from AAA

If a user authentication is rejected from the AAA server, the user will be
allowed to login locally to the radio's management interface.

Radius Accounting Port

The destination port on the AAA server used for Radius accounting
communication.

Accounting Messages

disable: no accounting messages are sent to the RADIUS server
deviceAccess: accounting messages are sent to the RADIUS server
regarding device access (see Table 49).
dataUsage: accounting messages are sent to the RADIUS server
regarding data usage (see Table 49).

Accounting Data Usage Interval

The interval for which accounting data messages are sent from the radio to
the RADIUS server. If 0 is configured for this parameter, no data usage
messages are sent.

SM Re-authentication Interval

The interval for which the SM will re-authenticate to the RADIUS server.

SM Technician/Installer/Administrator Authentication
To control technician, installer, and administrator access to the SM from a centralized RADIUS
server:
1. Set Authentication Mode on the AP's Configuration > Security tab to RADIUS AAA
(RADIUS).

2. Set User Authentication Mode on the AP's Account > User Authentication and Access Tracking tab
(the tab only appears after the AP is set to AAA authentication) to Remote or Remote then Local.

3. Set User Authentication Mode on the SM's Account > User Authentication and Access Tracking tab
to Remote or Remote then Local.

Local: The local SM is checked for accounts. No centralized RADIUS
accounting (access control) is performed.

Remote: Authentication by the centralized RADIUS server is required to gain access to the
SM if the SM is registered to an AP that has RADIUS AAA Authentication Mode selected.
For up to 2 minutes a test pattern will be displayed until the server responds or times out.

Remote then Local: Authentication using the centralized RADIUS server is attempted. If the
server sends a reject message, then the setting of Allow Local Login after Reject from AAA
determines if the local user database is checked or not. If the configured servers do not respond
within 2 minutes, then the local user database is used. The successful login method is displayed
in the navigation column of the SM.

Note, remote access control is enabled only after the SM registers to an AP that has Authentication
Mode set to RADIUS AAA. Local access control will always be used before registration and will be
used after registration if the AP is not configured for RADIUS.
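
The login rules above (server failover, the three User Authentication Modes, Allow Local Login after Reject from AAA, and local access control before registration) can be modelled to see when the local user database still decides a login. This is an added example, not Cambium code; the function names are hypothetical, and the "unresolved" result for Remote mode when no server answers is an assumption, because the guide does not state that outcome.

```python
from itertools import product

ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"
MODES = ("Local", "Remote", "Remote then Local")


def query_servers(responses):
    """Try up to 3 servers in order.

    Only a missing response moves on to the next server; an accept or a
    reject from any server ends the search.
    """
    for number, response in enumerate(responses[:3], start=1):
        if response in (ACCEPT, REJECT):
            return response, number
    return TIMEOUT, None


def deciding_database(mode, responses, allow_local_after_reject=False,
                      radius_active=True):
    """Return (database, detail) for one login attempt.

    radius_active is False for an SM that is not yet registered, or that is
    registered to an AP without RADIUS AAA: local access control applies.
    """
    if mode not in MODES:
        raise ValueError(f"unknown User Authentication Mode: {mode!r}")
    if mode == "Local" or not radius_active:
        return "local", "local user database only"
    result, server = query_servers(responses)
    if result == ACCEPT:
        return "radius", f"accepted by server {server}"
    if result == REJECT:
        if mode == "Remote then Local" and allow_local_after_reject:
            return "local", f"rejected by server {server}, local login allowed"
        return "denied", f"rejected by server {server}"
    if mode == "Remote then Local":
        return "local", "no server responded within 2 minutes"
    # Assumption: the guide does not say what Remote mode does on timeout.
    return "unresolved", "no server responded"


def local_fallback_cases(mode, allow_local_after_reject):
    """All 3-server response combinations that end at the local database."""
    cases = []
    for responses in product((ACCEPT, REJECT, TIMEOUT), repeat=3):
        database, _ = deciding_database(mode, responses,
                                        allow_local_after_reject)
        if database == "local":
            cases.append(responses)
    return cases


if __name__ == "__main__":
    for mode in MODES:
        for allow in (False, True):
            count = len(local_fallback_cases(mode, allow))
            print(f"{mode:18} allow_local_after_reject={allow!s:5} "
                  f"-> local database decides in {count} of 27 cases")
```

In Remote then Local mode the local database is reached whenever every server is unreachable, whatever Allow Local Login after Reject from AAA is set to, so local accounts and passwords still need to be managed on radios that use RADIUS.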

Figure 50 User Authentication tab of the SM

Table 48 SM User Authentication and Access Tracking attributes


Attribute

Meaning

User Authentication Mode

Local: The local SM is checked for accounts. No centralized
RADIUS accounting (access control) is performed.
Remote: Authentication by the centralized RADIUS server is
required to gain access to the SM if the SM is registered to an AP that
has RADIUS AAA Authentication Mode selected. For up to 2 minutes
a test pattern will be displayed until the server responds or times out.
Remote then Local: Authentication using the centralized RADIUS
server is attempted. If the server sends a reject message, then the setting
of Allow Local Login after Reject from AAA determines if the local
user database is checked or not. If the configured servers do not respond
within 2 minutes, then the local user database is used. The successful
login method is displayed in the navigation column of the SM.

Allow Local Login after Reject from AAA

If a user authentication is rejected from the AAA server, the user will be
allowed to login locally to the radio's management interface.

Accounting Messages

disable: no accounting messages are sent to the RADIUS server
deviceAccess: accounting messages are sent to the RADIUS server
regarding device access (see Table 49).

Access Tracking
To track logon and logoff times on individual radios by technicians, installers, and administrators, on the
AP or SM's Account > User Authentication and Access Tracking tab under Accounting (Access
Tracking) set Accounting Messages to deviceAccess.

Device Access Tracking is enabled separately from User Authentication Mode. A given AP or
SM can be configured for both, either, or neither.

RADIUS Device Data Accounting


PMP 450 systems include support for RADIUS accounting messages for usage-based billing. This
accounting includes indications for subscriber session establishment, subscriber session disconnection, and
bandwidth usage per session for each SM that connects to the AP. The attributes included in the RADIUS
accounting messages are shown in the table below.

Table 49 Device data accounting RADIUS attributes


Sender | Message | Attribute | Value | Description
AP | Accounting-Request | Acct-Status-Type | 1 - Start | This message is sent every time an SM registers with an AP, and after the SM stats are cleared.
 | | Acct-Session-Id | Unique per AP session. Initial value is SM MAC, and increments after every start message sent of an in session SM. |
 | | Event-Timestamp | UTC time the event occurred on the AP |
AP | Accounting-Request | Acct-Status-Type | 2 - Stop | This message is sent every time an SM becomes unregistered with an AP, and when the SM stats are cleared.
 | | Acct-Session-Id | Unique per AP session. Initial value is SM MAC, and increments after every start message sent of an in session SM. |
 | | Acct-Input-Octets | Sum of the input octets received at the SM over regular data VC and the high priority data VC (if enabled). Will not include broadcast. |
 | | Acct-Output-Octets | Sum of the output octets sent from the SM over regular data VC and the high priority data VC (if enabled). |
 | | Acct-Input-Gigawords | Number of times the Acct-Input-Octets counter has wrapped around 2^32 over the course of the session |
 | | Acct-Output-Gigawords | Number of times the Acct-Output-Octets counter has wrapped around 2^32 over the course of the session |
 | | Acct-Input-Packets | Sum of unicast and multicast packets that are sent to a particular SM over the regular data VC and the high priority data VC (if enabled). It will not include broadcast. |
 | | Acct-Output-Packets | Sum of unicast and multicast packets that are sent from a particular SM over the regular data VC and the high priority data VC (if enabled). |
 | | Acct-Session-Time | Uptime of the SM session. |
 | | Acct-Terminate-Cause | Reason code for session termination |
AP | Accounting-Request | Acct-Status-Type | 3 - Interim-Update | This message is sent periodically per the operator configuration on the AP in seconds. Interim update counts are cumulative over the course of the session
 | | Acct-Session-Id | Unique per AP session. Initial value is SM MAC, and increments after every start message sent of an in session SM. |
 | | Acct-Input-Octets | Sum of the input octets sent to the SM over regular data VC and the high priority data VC (if enabled). Will not include broadcast. |
 | | Acct-Output-Octets | Sum of the output octets sent from the SM over regular data VC and the high priority data VC (if enabled). |
 | | Acct-Input-Gigawords | Number of times the Acct-Input-Octets counter has wrapped around 2^32 over the course of the session |
 | | Acct-Output-Gigawords | Number of times the Acct-Output-Octets counter has wrapped around 2^32 over the course of the session |
 | | Acct-Session-Time | Uptime of the SM session. |
 | | Acct-Input-Packets | Sum of unicast and multicast packets that are sent to a particular SM over the regular data VC and the high priority data VC (if enabled). It will not include broadcast. |
 | | Acct-Output-Packets | Sum of unicast and multicast packets that are sent from a particular SM over the regular data VC and the high priority data VC (if enabled). |

The data accounting configuration is located on the AP's Accounts > User Authentication and Access
Tracking GUI menu, and the AP's Authentication Mode must be set to Radius AAA for the menu to
appear. The accounting may be configured via the AP GUI as shown in the figures below. By default
accounting messages are not sent and the operator has the choice of configuring to send only Device
Access accounting messages (when a user logs in or out of the radio), only Data Usage messages, or both.
When Data Accounting is enabled, the operator must specify the interval of when the data accounting
messages are sent (0 disabled, or in the range of 30-10080 minutes). The default interval is 30 minutes.
Table 50 RADIUS accounting messages configuration

The data accounting message data is based on the SM statistics that the AP maintains, and these statistics
may be cleared on the AP by an operator. If an operator clears these messages and data accounting is
enabled, an accounting stop message is sent followed by an accounting start message to notify the AAA of
the change.
If an operator clears the VC statistics on the device through the management GUI, a RADIUS stop message
and data start message will be issued for each device affected. The start and stop messages will only be
sent once every 5 minutes, so if an operator clears these statistics multiple times within 5 minutes, only one
set of data stop/start messages will be sent. This may result in inaccurate data accumulation results.
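
On the server side, usage totals have to combine each 32-bit octet counter with its Gigawords counter, treat Interim-Update values as cumulative, and add up the separate sessions that a statistics clear creates. The following is an added example, not Cambium code, that does this over accounting records represented as dictionaries keyed by the Table 49 attribute names; the records, session IDs and function names are constructed for illustration.

```python
START, STOP, INTERIM = 1, 2, 3   # Acct-Status-Type values from Table 49


def total_octets(octets, gigawords=0):
    """Combine a 32-bit octet counter with its wrap count (Gigawords)."""
    if not 0 <= octets < 2 ** 32:
        raise ValueError("octet counter must fit in 32 bits")
    if gigawords < 0:
        raise ValueError("gigawords cannot be negative")
    return gigawords * 2 ** 32 + octets


def session_totals(records):
    """Return {Acct-Session-Id: {"in", "out", "stopped"}}.

    Interim-Update and Stop counters are cumulative for the session, so the
    largest value seen is kept. That also tolerates records that arrive out
    of order or more than once.
    """
    sessions = {}
    for rec in records:
        status = rec["Acct-Status-Type"]
        if status not in (START, STOP, INTERIM):
            raise ValueError(f"unexpected Acct-Status-Type {status}")
        entry = sessions.setdefault(rec["Acct-Session-Id"],
                                    {"in": 0, "out": 0, "stopped": False})
        if status == START:
            continue                      # Start carries no counters
        rx = total_octets(rec["Acct-Input-Octets"],
                          rec.get("Acct-Input-Gigawords", 0))
        tx = total_octets(rec["Acct-Output-Octets"],
                          rec.get("Acct-Output-Gigawords", 0))
        entry["in"] = max(entry["in"], rx)
        entry["out"] = max(entry["out"], tx)
        entry["stopped"] = entry["stopped"] or status == STOP
    return sessions


def usage_summary(records):
    """Sum usage over all sessions and list sessions still without a Stop."""
    sessions = session_totals(records)
    return {
        "in": sum(s["in"] for s in sessions.values()),
        "out": sum(s["out"] for s in sessions.values()),
        "open_sessions": sorted(sid for sid, s in sessions.items()
                                if not s["stopped"]),
    }


# Constructed records for one SM. The operator clears statistics after the
# first session, which produces a Stop followed by a Start with a new ID.
RECORDS = [
    {"Acct-Status-Type": START, "Acct-Session-Id": "0a003e450001"},
    {"Acct-Status-Type": INTERIM, "Acct-Session-Id": "0a003e450001",
     "Acct-Input-Octets": 4_000_000_000, "Acct-Input-Gigawords": 0,
     "Acct-Output-Octets": 300_000_000, "Acct-Output-Gigawords": 0},
    {"Acct-Status-Type": INTERIM, "Acct-Session-Id": "0a003e450001",
     "Acct-Input-Octets": 705_032_704, "Acct-Input-Gigawords": 1,
     "Acct-Output-Octets": 400_000_000, "Acct-Output-Gigawords": 0},
    {"Acct-Status-Type": STOP, "Acct-Session-Id": "0a003e450001",
     "Acct-Input-Octets": 1_205_032_704, "Acct-Input-Gigawords": 1,
     "Acct-Output-Octets": 450_000_000, "Acct-Output-Gigawords": 0},
    {"Acct-Status-Type": START, "Acct-Session-Id": "0a003e450002"},
    {"Acct-Status-Type": INTERIM, "Acct-Session-Id": "0a003e450002",
     "Acct-Input-Octets": 1_000, "Acct-Input-Gigawords": 0,
     "Acct-Output-Octets": 200, "Acct-Output-Gigawords": 0},
]

if __name__ == "__main__":
    print(usage_summary(RECORDS))
```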

RADIUS Device Re-Authentication


PMP 450 systems include support for periodic SM re-authentication in a network without requiring the SM
to re-register (and drop the session). The re-authentication may be configured to occur in the range of
every 30 minutes to weekly.
Table 51 Device re-authentication configuration

The re-authentication interval is only configurable on the AP. When this feature is enabled, each SM that
enters the network will re-authenticate each time the interval has expired without dropping the session. The
response that the SM receives from the AAA server upon re-authentication is one of the following:

Success: The SM will continue normal operation

Reject: The SM will de-register and will attempt network entry again after 1 minute and then if
rejected will attempt re-entry every 15 minutes

Timeout or other error: The SM will remain in session and attempt 5 times to re-authenticate with
the RADIUS-REQUEST message. If these attempts fail, then the SM will go out of session and
proceed to re-authenticate after 5 minutes, then every 15 minutes.

Although re-authentication is an independent feature, it was designed to work alongside the RADIUS
data usage accounting messages. If a user is over their data usage limit the network operator can reject the
user from staying in the network. Operators may configure the RADIUS Reply-Message attribute with an
applicable message (i.e. "Data Usage Limit Reached") that will be sent to the subscriber module and
displayed on the general page.

RADIUS Attribute Framed-IP-Address


Operators may now use a RADIUS AAA server to assign management IP addressing to SM modules
(framed IP address). SMs now interpret attributes Framed-IP-Address, Framed-IP-Netmask, and
Cambium-Canopy-Gateway from RADIUS. The RADIUS dictionary file has been updated to include the
Cambium-Canopy-Gateway attribute and is available on the Cambium Software Support website.
In order for these attributes to be assigned and used by the SM, the following must be true:

The Canopy system is configured for AAA authentication

The SM is not configured for DHCP on its management interface. If DHCP is enabled and these
attributes are configured in the RADIUS server, the attributes will be ignored by the SM.

The SM management interface must be configured to be publicly accessible. If the SM is configured
to have local accessibility, the management interface will still be assigned the framed addressing, and
the SM will become publicly accessible via the assigned framed IP addressing.

When using these attributes, for the addressing to be implemented by the SM, operators must configure
Framed-IP-Address in RADIUS. If Framed-IP-Address is not configured but Framed-IP-Netmask
and/or Cambium-Canopy-Gateway is configured, the attributes will be ignored. In the case where only
the Framed-IP-Address is configured, Framed-IP-Netmask defaults to 255.255.0.0 (NAT disabled) /
255.255.255.0 (NAT enabled) and Cambium-Canopy-Gateway defaults to 0.0.0.0.

Appendix A: Glossary

Term

Definition

10Base-T

Technology in Ethernet communications that can deliver 10 Mb of data across 328 feet
(100 meters) of CAT 5 cable.

169.254.0.0

Gateway IP address default in Cambium fixed wireless broadband IP network modules.

169.254.1.1

IP address default in Cambium fixed wireless broadband IP network modules.

255.255.0.0

Subnet mask default in Cambium fixed wireless broadband IP network modules and in
Microsoft and Apple operating systems.

802.3

An IEEE standard that defines the contents of frames that are transferred through
Ethernet connections. Each of these frames contains a preamble, the address to which
the frame is sent, the address that sends the frame, the length of the data to expect, the
data, and a checksum to validate that no contents were lost.

802.11

The IEEE standard for wireless local area networks.

802.15

The IEEE standard for wireless personal area networks.

Access Point
Cluster

Two to six Access Point Modules that together distribute network or Internet services
to a community of subscribers. Each Access Point Module covers a 60° or 90° sector.
This cluster covers as much as 360°. Also known as AP cluster.

Access Point
Module

Also known as AP. One module that distributes network or Internet services in a 60° or
90° sector.

ACT/4

Second-from-left LED in the module. In the operating mode, this LED is lit when data
activity is present on the Ethernet link.

Activate

To provide feature capability to a module, but not to enable (turn on) the feature in the
module. See also Enable.

Address Resolution
Protocol

Protocol defined in RFC 826 to allow a network element to correlate a host IP address
to the Ethernet address of the host. See http://www.faqs.org/rfcs/rfc826.html.

Aggregate
Throughput

The sum of the throughputs in the uplink and the downlink.

AP

Access Point Module. One module that distributes network or Internet services to
subscriber modules.

APs MIB

Management Information Base file that defines objects that are specific to the Access
Point Module. See also Management Information Base.

ARP

Address Resolution Protocol. A protocol defined in RFC 826 to allow a network
element to correlate a host IP address to the Ethernet address of the host. See
http://www.faqs.org/rfcs/rfc826.html.

ASN.1

Abstract Syntax Notation One language. The format of the text files that compose the
Management Information Base.

Attenuation

Reduction of signal strength caused by the travel from the transmitter to the receiver,
and caused by any object between. In the absence of objects between, a signal that has
a short wavelength experiences a high degree of attenuation nevertheless.

BER

Bit Error Rate. The ratio of incorrect data received to correct data received.

Bit Error Rate

Ratio of incorrect data received to correct data received.

Box MIB

Management Information Base file that defines module-level objects. See also
Management Information Base.

Bridge

Network element that uses the physical address (not the logical address) of another to
pass data. The bridge passes the data to either the destination address, if found in the
simple routing table, or to all network segments other than the one that transmitted the
data. Modules are Layer 2 bridges except that, where NAT is enabled for an SM, the
SM is a Layer 3 switch. Compare to Switch and Router, and see also NAT.

Bridge Entry
Timeout Field

Value that the operator sets as the maximum interval for no activity with another
module, whose MAC address is the Bridge Entry. This interval should be longer than
the ARP (Address Resolution Protocol) cache timeout of the router that feeds the
network.

Buckets

Theoretical data repositories that can be filled at preset rates or emptied when preset
conditions are experienced, such as when data is transferred.

Burst

Preset amount limit of data that may be continuously transferred.

C/I Ratio

Ratio of intended signal (carrier) to unintended signal (interference) received.

Carrier-to-interference Ratio

Ratio of intended reception to unintended reception.

CarSenseLost Field

This field displays how many carrier sense lost errors occurred on the Ethernet
controller.

CAT 5 Cable

Cable that delivers Ethernet communications from module to module. Later modules
auto-sense whether this cable is wired in a straight-through or crossover scheme.

CLIP

Cassegrain Lens for Improved Performance

Cluster
Management
Module

Module that provides power, GPS timing, and networking connections for an AP
cluster. Also known as CMM. If this CMM is connected to a Backhaul Module, then
this CMM is the central point of connectivity for the entire site.

CMM

Cluster Management Module. A module that provides power, GPS timing, and
networking connections for an Access Point cluster.

CodePoint

See DiffServ.

Color Code Field

Module parameter that identifies the other modules with which communication is
allowed. The range of values is 0 to 255. When set at 0, the Color Code does not
restrict communications with any other module.

Community String
Field

Control string that allows a network management station to access MIB information
about the module.

CPE

Customer premises equipment.

CRCError Field

This field displays how many CRC errors occurred on the Ethernet controller.

CRM

Customer relationship management system.

Data Encryption
Standard

Over-the-air link option that uses secret 56-bit keys and 8 parity bits. Data Encryption
Standard (DES) performs a series of bit permutations, substitutions, and recombination
operations on blocks of data.

Demilitarized Zone

Internet Protocol area outside of a firewall. Defined in RFC 2647. See
http://www.faqs.org/rfcs/rfc2647.html.

DES

Data Encryption Standard. An over-the-air link option that uses secret 56-bit keys and
8 parity bits. DES performs a series of bit permutations, substitutions, and
recombination operations on blocks of data.

Desensed

Received an undesired signal that was strong enough to make the module insensitive to
the desired signal.

DFS

See Dynamic Frequency Selection.

DHCP

Dynamic Host Configuration Protocol, defined in RFC 2131. Protocol that enables a
device to be assigned a new IP address and TCP/IP parameters, including a default
gateway, whenever the device reboots. Thus DHCP reduces configuration time,
conserves IP addresses, and allows modules to be moved to a different network within
the system. See http://www.faqs.org/rfcs/rfc2131.html. See also Static IP Address
Assignment.

DiffServ

Differentiated Services, consistent with RFC 2474. A byte in the type of service (TOS)
field of packets whose value correlates to the channel on which the packet should be
sent. The value is a numeric code point. Cambium modules map each of 64 code points
to values of 0 through 7. Three of these code points have fixed values, and the
remaining 61 are settable. Values of 0 through 3 map to the low-priority channel; 4
through 7 to the high-priority channel. The mappings are the same as 802.1p VLAN
priorities. (However, configuring DiffServ does not automatically enable the VLAN
feature.) Among the settable parameters, the values are set in the AP for all downlinks
within the sector and in the SM for each uplink.

Disable

To turn off a feature in the module after both the feature activation file has activated
the module to use the feature and the operator has enabled the feature in the module.
See also Activate and Enable.

DMZ

Demilitarized Zone as defined in RFC 2647. An Internet Protocol area outside of a
firewall. See http://www.faqs.org/rfcs/rfc2647.html.

Dynamic Frequency
Selection

A requirement in certain countries and regions for systems to detect
interference from other systems, notably radar systems, and to avoid co-channel
operation with these systems.

Dynamic Host
Configuration
Protocol

See DHCP.

Electronic Serial
Number

Hardware address that the factory assigns to the module for identification in the Data
Link layer interface of the Open Systems Interconnection system. This address serves
as an electronic serial number. Same as MAC Address.

Enable

To turn on a feature in the module after the feature activation file has activated the
module to use the feature. See also Activate.

ESN

Electronic Serial Number. The hardware address that the factory assigns to the module
for identification in the Data Link layer interface of the Open Systems Interconnection
system. This address serves as an electronic serial number. Same as MAC Address.

EthBusErr Field

This field displays how many Ethernet bus errors occurred on the Ethernet controller.

Ethernet Protocol

Any of several IEEE standards that define the contents of frames that are transferred
from one network element to another through Ethernet connections.

Fade Margin

The difference between strength of the received signal and the strength that the receiver
requires for maintaining a reliable link. A higher fade margin is characteristic of a more
reliable link. Standard operating margin.

FCC

Federal Communications Commission of the U.S.A.

Field-programmable
Gate Array

Array of logic, relational data, and wiring data that is factory programmed and can be
reprogrammed.

File Transfer
Protocol

Utility that transfers files through TCP (Transport Control Protocol) between
computing devices that do not operate on the same platform. Defined in RFC 959. See
http://www.faqs.org/rfcs/rfc959.html.

FPGA

Field-programmable Gate Array. An array of logic, relational data, and wiring data that
is factory programmed and can be reprogrammed.

Frame Timing Pulse
Gated Field

Toggle parameter that prevents or allows the module to continue to propagate GPS
sync timing when the module no longer receives the timing.

Free Space Path
Loss

Signal attenuation that is naturally caused by atmospheric conditions and by the
distance between the antenna and the receiver.

Fresnel Zone

Space in which no object should exist that can attenuate, diffract, or reflect a
transmitted signal before the signal reaches the target receiver.

FTP

File Transfer Protocol, defined in RFC 959. Utility that transfers files through TCP
(Transport Control Protocol) between computing devices that do not operate on the
same platform. See http://www.faqs.org/rfcs/rfc959.html.

Global Positioning
System

Network of satellites that provides absolute time to networks on earth, which use the
time signal to synchronize transmission and reception cycles (to avoid interference) and
to provide reference for troubleshooting activities.

GPS

Global Positioning System. A network of satellites that provides absolute time to
networks on earth, which use the time signal to synchronize transmission and reception
cycles (to avoid interference) and to provide reference for troubleshooting activities.

GPS/3

Third-from-left LED in the module. In the operating mode for an Access Point Module,
this LED is continuously lit as the module receives sync pulse. In the operating mode
for a Subscriber, this LED flashes on and off to indicate that the module is not
registered.

GUI

Graphical user interface.

High-priority
Channel

Channel that supports low-latency traffic (such as Voice over IP) over latency-tolerant
traffic (such as standard web traffic and file downloads). To recognize the latency
tolerance of traffic, this channel reads the IPv4 Type of Service DiffServ Code Point
(DSCP) bits. Enabling the high-priority channel reduces the maximum number of SMs
that can be served in the sector.

HTTP

Hypertext Transfer Protocol, used to make the Internet resources available on the
World Wide Web. Defined in RFC 2068. See http://www.faqs.org/rfcs/rfc2068.html.

ICMP

Internet Control Message Protocols defined in RFC 792, used to identify Internet
Protocol (IP)-level problems and to allow IP links to be tested. See
http://www.faqs.org/rfcs/rfc792.html.

iGPS

The PMP 450 Access Point contains an internal GPS receiver (iGPS) which may be
enabled to synchronize transmit and receive cycles among all network APs utilizing
GPS synchronization (via CMM, UGPS, or iGPS).

indiscards count
Field

How many inbound packets were discarded without errors that would have prevented
their delivery to a higher-layer protocol. (Some of these packets may have been
discarded to increase buffer space.)

inerrors count Field

How many inbound packets contained errors that prevented their delivery to a higher-layer protocol.

innucastpkts count
Field

How many inbound non-unicast (subnetwork-broadcast or subnetwork-multicast)
packets were delivered to a higher-layer protocol.

inoctets count Field

How many octets were received on the interface, including those that deliver framing
information.

Intel

A registered trademark of Intel Corporation.

inucastpkts count
Field

How many inbound subnetwork-unicast packets were delivered to a higher-layer
protocol.

inunknownprotos
count Field

How many inbound packets were discarded because of an unknown or unsupported
protocol.

IP

Internet Protocol defined in RFC 791. The Network Layer in the TCP/IP protocol
stack. This protocol is applied to addressing, routing, delivering, and re-assembling
data packets into the Data Link layer of the protocol stack. See
http://www.faqs.org/rfcs/rfc791.html.

IP Address

32-bit binary number that identifies a network element by both network and host. See
also Subnet Mask.

IPv4

Traditional version of Internet Protocol, which defines 32-bit fields for data
transmission.

ISM

Industrial, Scientific, and Medical Equipment radio frequency band, in the 900-MHz,
2.4-GHz, and 5.8-GHz ranges.

L2TP over IPSec

Level 2 Tunneling Protocol over IP Security. One of several virtual private network
(VPN) implementation schemes. Regardless of whether Subscriber Modules have the
Network Address Translation feature (NAT) enabled, they support VPNs that are based
on this protocol.

Late Collision Field

This field displays how many late collisions occurred on the Ethernet controller. A
normal collision occurs during the first 512 bits of the frame transmission. A collision
that occurs after the first 512 bits is considered a late collision. A late collision is a
serious network problem because the frame being transmitted is discarded. A late
collision is most commonly caused by a mismatch between duplex configurations at
the ends of a link segment.

Latency Tolerance

Acceptable tolerance for delay in the transfer of data to and from a module.

Line of Sight

Wireless path (not simply visual path) direct from module to module. The path that
results provides both ideal aim and an ideal Fresnel zone.

Linux

A registered trademark of Linus Torvalds.

LNK/5

Furthest left LED in the module. In the operating mode, this LED is continuously lit
when the Ethernet link is present. In the aiming mode for a Subscriber Module, this
LED is part of a bar graph that indicates the quality of the RF link.

Logical Unit ID

Final octet of the 4-octet IP address of the module.

LOS

Line of sight. The wireless path (not simply visual path) direct from module to module.
The path that results provides both ideal aim and an ideal Fresnel zone.

LUID

Logical Unit ID. The final octet of the 4-octet IP address of the module.

MAC Address

Media Access Control address. The hardware address that the factory assigns to the
module for identification in the Data Link layer interface of the Open Systems
Interconnection system. This address serves as an electronic serial number.

Management
Information Base

Space that allows a program (agent) in the network to relay information to a network
monitor about the status of defined variables (objects).

Maximum
Information Rate
(MIR)

The cap applied to the bandwidth of an SM or specified group of SMs. In the Cambium
implementation, this is controlled by the Sustained Uplink Data Rate, Uplink Burst
Allocation, Sustained Downlink Data Rate, and Downlink Burst Allocation parameters.

Media Access
Control Address

Hardware address that the factory assigns to the module for identification in the Data
Link layer interface of the Open Systems Interconnection system. This address serves
as an electronic serial number.

MIB

Management Information Base. Space that allows a program (agent) in the network to
relay information to a network monitor about the status of defined variables (objects).

MIR

See Maximum Information Rate.

NAT

Network Address Translation defined in RFC 1631. A scheme that isolates Subscriber
Modules from the Internet. See http://www.faqs.org/rfcs/rfc1631.html.

NEC

National Electrical Code. The set of national wiring standards that are enforced in the
U.S.A.

NetBIOS

Protocol defined in RFC 1001 and RFC 1002 to support an applications programming
interface in TCP/IP. This interface allows a computer to transmit and receive data with
another host computer on the network. RFC 1001 defines the concepts and methods.
RFC 1002 defines the detailed specifications. See
http://www.faqs.org/rfcs/rfc1001.html and http://www.faqs.org/rfcs/rfc1002.html.

Network Address
Translation

Scheme that defines the Access Point Module as a proxy server to isolate registered
Subscriber Modules from the Internet. Defined in RFC 1631. See
http://www.faqs.org/rfcs/rfc1631.html.

Network
Management
Station

See NMS.

NMS

Network Management Station. A monitor device that uses Simple Network
Management Protocol (SNMP) to control, gather, and report information about
predefined network variables (objects). See also Simple Network Management
Protocol.

Object

Network variable that is defined in the Management Information Base.

outdiscards count
Field

How many outbound packets were discarded without errors that would have prevented
their transmission. (Some of these packets may have been discarded to increase buffer
space.)

outerrors count
Field

How many outbound packets contained errors that prevented their transmission.

outnucastpkts count
Field

How many packets for which the higher-level protocols requested transmission to a
non-unicast (subnetwork-broadcast or subnetwork-multicast) address. The number
includes those that were discarded or not sent.

outoctets count
Field

How many octets were transmitted out of the interface, including those that deliver
framing information.

outucastpkts count
Field

How many packets for which the higher-level protocols requested transmission to a
subnetwork-unicast address. The number includes those that were discarded or not sent.

Override Plug

Device that enables the operator to regain control of a module that has been locked by
the No Remote Access feature, the 802.3 Link Disable feature, or a password or IP
address that cannot be recalled. This device can be either fabricated on site or ordered.

PMP

See Point-to-Multipoint Protocol.

Point-to-Multipoint
Protocol

Defined in RFC 2178, which specifies that data that originates from a central network
element can be received by all other network elements, but data that originates from a
non-central network element can be received by only the central network element. See
http://www.faqs.org/rfcs/rfc2178.html. Also referenced as PMP.

PPPoE

Point to Point Protocol over Ethernet. Supported on SMs for operators who use PPPoE
in other parts of their network and for operators who want to deploy PPPoE to realize
per-subscriber authentication, metrics, and usage control.

PPTP

Point to Point Tunneling Protocol. One of several virtual private network
implementations. Regardless of whether the Network Address Translation (NAT)
feature is enabled, Subscriber Modules support VPNs that are based on this protocol.

Protective Earth

Connection to earth (which has a charge of 0 volts). Also known as ground.

Proxy Server

Network computer that isolates another from the Internet. The proxy server
communicates for the other computer, and sends replies to only the appropriate
computer, which has an IP address that is not unique or not registered.

PTMP

See Point-to-Multipoint Protocol.

Quick Start

Interface page that requires minimal configuration for initial module operation.

Radio Signal
Strength Indicator

Relative measure of the strength of a received signal. An acceptable link displays a
Radio Signal Strength Indicator (RSSI) value of greater than 700.

Recharging

Resumed accumulation of data in available data space (buckets). See Buckets.

Red Hat

A registered trademark of Red Hat, Inc.

Reflection

Change of direction and reduction of amplitude of a signal that encounters an object
larger than the wavelength. Reflection may cause an additional copy of the wavelength
to arrive after the original, unobstructed wavelength arrives. This causes partial
cancellation of the signal and may render the link unacceptable. However, in some
instances where the direct signal cannot be received, the reflected copy may be
received and render an otherwise unacceptable link acceptable.

Region Code

A parameter that offers multiple fixed selections, each of which automatically
implements frequency band range restrictions for the selected region. Units shipped to
regions other than the United States must be configured with the corresponding Region
Code to comply with local regulatory requirements.

Registrations MIB

Management Information Base file that defines registrations for global items such as
product identities and product components. See also Management Information Base.

RetransLimitExp
Field

This field displays how many times the retransmit limit has expired.

RF

Radio frequency. How many times each second a cycle in the antenna occurs, from
positive to negative and back to positive amplitude.

RJ-11

Standard cable that is typically used for telephone line or modem connection.

RJ-45

Standard cable that is typically used for Ethernet connection. This cable may be wired
as straight-through or as crossover. Later modules auto-sense whether the cable is
straight-through or crossover.

Router

Network element that uses the logical (IP) address of another to pass data to only the
intended recipient. Compare to Switch and Bridge.

RPM

Red Hat Package Manager.

RSSI

Radio Signal Strength Indicator. A relative measure of the strength of a received signal.
An acceptable link displays an RSSI value of greater than 700.

RxBabErr Field

This field displays how many receiver babble errors occurred.

RxOverrun Field

This field displays how many receiver overrun errors occurred on the Ethernet
controller.

Secure Shell

A trademark of SSH Communications Security.

Self-interference

Interference with a module from another module in the same network.

SES/2

Third-from-right LED in the module. In the Access Point Module and Backhaul timing
master, this LED is unused. In the operating mode for a Subscriber Module or a
Backhaul timing slave, this LED flashes on and off to indicate that the module is not
registered. In the aiming mode for a Subscriber Module or a Backhaul timing slave,
this LED is part of a bar graph that indicates the quality of the RF link.

Simple Network
Management
Protocol

Standard that is used for communications between a program (agent) in the network
and a network management station (monitor). Defined in RFC 1157. See
http://www.faqs.org/rfcs/rfc1157.html.

SM

Customer premises equipment (CPE) device that extends network or Internet services
by communication with an Access Point Module or an Access Point cluster.

SM MIB

Management Information Base file that defines objects that are specific to the
Subscriber Module or Backhaul timing slave. See also Management Information Base.

SNMP

See Simple Network Management Protocol, defined in RFC 1157.

SNMP Trap

Capture of information that informs the network monitor through Simple Network
Management Protocol of a monitored occurrence in the module.

Static IP Address
Assignment

Assignment of Internet Protocol address that can be changed only manually. Thus static
IP address assignment requires more configuration time and consumes more of the
available IP addresses than DHCP address assignment does. RFC 2050 provides
guidelines for the static allocation of IP addresses. See
http://www.faqs.org/rfcs/rfc2050.html. See also DHCP.

su -

A command that opens a Linux operating system session for the user root.

Subnet Mask

32-bit binary number that filters an IP address to reveal what part identifies the network
and what part identifies the host. The number of subnet mask bits that are set to 1
indicates how many leading bits of the IP address identify the network. The number of
subnet mask bits that are set to 0 indicates how many trailing bits of the IP address identify
the host.

Subscriber Module

Customer premises equipment (CPE) device that extends network or Internet services
by communication with an Access Point Module or an Access Point cluster.

Sustained Data Rate

Preset rate limit of data transfer.

Switch

Network element that uses the port that is associated with the physical address of
another to pass data to only the intended recipient. Compare to Bridge and Router.

SYN/1

Second-from-right LED in the module. In the Access Point Module or in a registered
Subscriber, this LED is continuously lit to indicate the presence of sync. In the
operating mode for a Subscriber Module, this LED flashes on and off to indicate that the
module is not registered.

Sync

GPS (Global Positioning System) absolute time, which is passed from one module to
another. Sync enables timing that prevents modules from transmitting or receiving
interference. Sync also provides correlative time stamps for troubleshooting efforts.

TCP

Alternatively known as Transmission Control Protocol or Transport Control Protocol.
The Transport Layer in the TCP/IP protocol stack. This protocol is applied to assure
that data packets arrive at the target network element and to control the flow of data
through the Internet. Defined in RFC 793. See http://www.faqs.org/rfcs/rfc793.html.

TDD

Time Division Duplexing. Synchronized data transmission with some time slots
allocated to devices transmitting on the uplink and some to the device transmitting on
the downlink.

telnet

Utility that allows a client computer to update a server. A firewall can prevent the use
of the telnet utility to breach the security of the server. See
http://www.faqs.org/rfcs/rfc818.html, http://www.faqs.org/rfcs/rfc854.html and
http://www.faqs.org/rfcs/rfc855.html.

Textual
Conventions MIB

Management Information Base file that defines system-specific textual conventions.
See also Management Information Base.

Tokens

Theoretical amounts of data. See also Buckets.

TOS

8-bit field that prioritizes data in an IP transmission. See
http://www.faqs.org/rfcs/rfc1349.html.

TxUnderrun Field

This field displays how many transmission-underrun errors occurred on the Ethernet
controller.

UDP

User Datagram Protocol. A set of Network, Transport, and Session Layer protocols that
RFC 768 defines. These protocols include checksum and address information but do
not retransmit data or process any errors. See http://www.faqs.org/rfcs/rfc768.html.

udp

User-defined type of port.

U-NII

Unlicensed National Information Infrastructure radio frequency band, in the 5.1-GHz
through 5.8-GHz ranges.

VID

VLAN identifier. See also VLAN.

VLAN

Virtual local area network. An association of devices through software that contains
broadcast traffic, as routers would, but in the switch-level protocol.

VPN

Virtual private network for communication over a public network. One typical use is to
connect remote employees, who are at home or in a different city, to their corporate
network over the Internet. Any of several VPN implementation schemes is possible.
SMs support L2TP over IPSec (Level 2 Tunneling Protocol over IP Security) VPNs
and PPTP (Point to Point Tunneling Protocol) VPNs, regardless of whether the
Network Address Translation (NAT) feature is enabled.
