 

Introduction

External design and hardware

Firmware upgrade

Web-interface

Wireless controller

Command line

Testing

Conclusion

Introduction

Our laboratory's site usually carries reviews of specific network equipment: particular devices and models. Occasionally you can find articles on a technology without reference to any manufacturer. Today, however, we want to step a little outside the usual framework and review a wireless solution from Zyxel that includes several components. In fairness, we did not limit ourselves to any “turnkey solution”; instead, we decided to consider several devices working both separately and in conjunction with each other.

Two types of equipment make a wireless network work: access points and wireless controllers. The supporting wired infrastructure could also be included here, but this time we decided not to touch on it. We had two access points, the Zyxel NWA5123-AC and the WAC6103D-I, as well as the Zyxel ZyWALL 310 hardware firewall, which served as the controller.

So let's get started!

External design and hardware

The Zyxel NWA5123-AC access point has a white plastic case measuring 130x130x55 mm and weighing only 300 g. The top panel carries the vendor name and an LED that displays the status of the device.

The console port, the Gigabit Ethernet interface, the connector for connecting an external power adaptor, a sticker with brief information about the device, the ventilation grate, and the system for fixing the access point to the wall or ceiling are located on the bottom panel.

The NWA5123-AC model can be powered by an AC adapter (supplied), or via PoE. Power consumption of the device is 9 watts.

Two green textolite boards, one of which serves as a wireless module, make up the electronics of the Zyxel NWA5123-AC access point. Unfortunately, almost all the components of interest to us are hidden under protective shields. Only the Texas Instruments TPS23756 PoE controller and two Macronix 25L12835F flash memory modules, 16 MBytes each, are visible.

The Zyxel WAC6103D-I access point is made in a white plastic case, the dimensions of which are 204x192x35 mm with a mass of 445 g. This model can be called really thin.

On the top panel there are lights indicating the status of the device as a whole, as well as wired and wireless interfaces.

A ventilation grate occupies a significant portion of the lower surface of the access point. Also here are small stickers with brief information about the model and a special mount that allows you to place the access point on the wall or under the ceiling. In a small recess there are two Gigabit Ethernet ports, a hardware switch that selects the method of placement, a Reset button that resets user settings, and a console port. The access point is powered only via Power over Ethernet; no other power supply is provided for. Power consumption is 12.48 watts.

The hardware platform is a single green textolite board with the main elements located on one side. Unfortunately, almost all chips are hidden under protective shields. Only the Micron Technologies 29F2G08ABAEA flash memory module, which is 256 MByte, and the Texas Instruments TPS23756 PoE controller are visible.

We will not analyze the hardware features of the ZyWALL 310 firewall here, since in this case the device acts only as an example of network equipment that can be assigned the role of a wireless controller. The only thing that confuses us a bit is that, among the large list of devices that support the WLC role, we did not find any models with two power supplies. It seems to us that corporate products designed to work in large networks should have this option.

Firmware upgrade

Access points of the NWA5123-AC and WAC6103D-I models can operate in one of two modes: standalone or managed by a wireless controller. When working in a standalone mode, the firmware is updated using the “Firmware Package” tab of the “File Manager” item in the “MAINTENANCE” menu. The whole process takes about five minutes and does not require any specialized qualifications from the user.

You can make sure that the firmware has been updated successfully using the “DASHBOARD” menu.

A corporate wireless network cannot do without a controller. When access points operate in managed mode, their software is also updated using the controller. However, before turning to centralized firmware upgrades on access points, we would like to look at the procedure for changing the firmware on the controller itself. In our case, the WLC functions were assigned to the Zyxel ZyWALL 310 firewall, so that is what we will update. Updating the controller is necessary not only to add new options, but also to expand the list of supported access points.

The ZyWALL 310 firmware is upgraded using the “Firmware Management” tab in the “File Manager” item of the “SERVICE” menu. The whole process takes about five minutes (without taking into account the time required to download a file with a new firmware from the Internet) and does not require any specialized training from the administrator.

In fairness, it is worth noting that the ZyWALL 310 can be updated not only in semi-automatic mode, but also fully automatically (on a schedule).

After the software of the controller itself has been updated, you can refer to the “Firmware” tab of the “Manage Access Points” item of the “Wireless Network” group of the “CONFIGURATION” menu to update the firmware on all managed access points. For the wireless network to work properly, all managed access points must have the same firmware version. If there are discrepancies in the installed firmware, the controller will automatically update or downgrade the firmware version.

It is also worth noting that Zyxel offers the ZAC utility - Zyxel AP Configurator, which allows you to automate some routine processes of servicing several access points in a network without a controller.

So, the latest firmware is installed on the controller and the access points. Now we will find out what options are available to the network administrator when the access points operate in standalone mode and under the control of the wireless controller.

Web-interface

You can access the Zyxel NWA5123-AC access point web interface using any modern browser. Access is via HTTPS. The default address is 192.168.1.2. To log in, you must enter the username and password; the defaults are admin/1234. We will not consider in detail all the features of the device web interface; however, we will dwell on the most interesting ones.

 

After entering the correct credentials, the user gets to the start page of the device (menu “Dashboard”), which contains information about the access point itself, the operating system and network interfaces. The administrator can optionally enable or disable the display of this or that information.

 

Using the “Network Status” item of the “Monitor” menu, the administrator can obtain information about the operation parameters of the network interfaces of the access point, as well as view statistical data.  

 

 

Using the items of the “Wireless” group of the “Monitor” menu, the administrator can view information on the operation of wireless modules for both frequency bands; find out which wireless clients are connected; examine existing WDS connections; and also display a list of suspicious access points.  

 

 

 

 

 

 

The Log item contains log information about the operation of the NWA5123-AC model.

 

IP parameters are managed using the “Network” item of the “Configuration” menu. It is worth noting that the NWA5123-AC supports not only IPv4, but also IPv6. In addition, here you can choose how to discover a wireless controller.   

 

 

 

When access points are managed by a WLC, almost all parameters of their operation are set through it. When access points operate standalone, however, the wireless parameters are managed using the “Wireless” group items in the “Configuration” menu. Here, for each of the frequency ranges, the administrator can select the device operation mode (access point, monitoring mode, root access point or repeater), select a radio module profile, specify the maximum transmitted power, configure load balancing parameters on access points, and select an available radio channel.

 

 

 

 

 

Management of user accounts with access to the management interface of the access point itself is performed using the “User” item of the “Object” group of the “Configuration” menu.

 

 

 

To change and create profiles of wireless modules, you must refer to the “AP Profile” item of the same group.

 

 

 

 

 

 

 

 

 

The management of the device operation profiles in the monitoring mode is performed using the “MON Profile” item.

 

 

WDS profile settings are collected in the same section of the “Object” group.  

 

 

The “Certificate” item is intended for managing your own and trusted certificates.

 

 

 

You can change the name of the access point, set the date and time on the device, as well as control the operation parameters of the HTTP(S), SSH, Telnet, FTP and SNMP protocols using the items in the System group.

 

 

 

 

 

 

 

To change the settings for saving and sending log information, you must refer to the items in the “Log & Report” group. The “Diagnostics” item of the “Maintenance” menu is responsible for selecting the stored information.

 

 

 

 

You can change the configuration files, update the firmware, and start the script execution using the tabs of the “File Manager” item in the “Maintenance” menu.

 

 

 

If necessary, the administrator can turn off the indicator light located on the device; the corresponding setting is available in the “LEDs” item of the same menu.

 

Shutting down and rebooting the NWA5123-AC model is performed using the “Maintenance” menu items of the same name. It is worth noting that the vendor strongly recommends that you programmatically turn off access points before turning off the power supply to them.  

 

 

 

After this section had been completed, we discovered a new version of the firmware on the manufacturer’s website, in which the page design has been significantly reworked, but the essence has remained the same.

 

In conclusion, it is worth noting that the web interface of access points may differ slightly due to the difference in the set of supported functions. For example, the model WAC6103D-I has a hardware switch that allows you to choose the location of the access point: on the wall or on the ceiling. The corresponding setting is also present in the web interface of the model under discussion (tab “Antenna Switch” of the sub-item “Antenna” of the menu “MAINTENANCE”).

 

This concludes our study of the web interface capabilities of Zyxel access points operating in standalone mode; we now proceed to the web interface of the ZyWALL 310 based wireless controller.

Wireless controller

Zyxel access points can operate in two modes: standalone, that is, independently, without a controller, and with centralized control using a wireless controller. The corresponding setting is available in the “AC Discovery” tab of the “Network” item of the “CONFIGURATION” menu.

The administrator can either completely abandon the use of the wireless controller, or specify it manually (primary and backup). An automatic search for a controller on the network is also allowed; in this case, the access point periodically broadcasts the CAPWAP control Discovery Request messages. An example of such a message is presented below.

At our disposal was the Zyxel ZyWALL 310 hardware firewall, which can take on the role of a wireless controller in the network. We will not consider any features of this device other than those directly related to the management of wireless devices.

The “Wireless Network” group of the “MONITORING” menu allows the administrator to get information about access points detected (both trusted and non-trusted), the number of connected client devices, operation parameters of wireless interfaces, configured SSIDs.     

The latest firmware versions allow you to create a mesh network based on existing access points; you can view the relevant information using the “ZyMesh” item of the same group.

If necessary, the administrator can get access to the log information stored on each individual point from the controller, for which you will need to refer to the “Wireless Log” tab of the “Log” item in the “MONITORING” menu.

The connected wireless equipment is controlled using the items of the “Wireless Network” group in the “CONFIGURATION” menu. For example, using the “Controller” item, the administrator can select the country code in which the wireless network is being deployed, as well as specify the method of registering access points on the controller.

The “List of Managed Access Points” tab in the “Access Point Management” item allows you to edit certain parameters of each access point, reboot equipment, start dynamic channel selection (DCS - Dynamic Channel Selection), turn on or off the LEDs on the front panel of the access point. Using the controller, it is allowed to redefine the parameters of the transmitter power of each of the points, the SSID value, the VLAN settings and the physical port, as well as the operating parameters of the indicator lights.

Here it is worth noting that access points can operate in one of the following modes: Access Point Mode, Monitoring Mode, Root AP, and Repeater. The latter two are used in building ZyMesh networks. Access points that have a wired connection to the controller should work in the Root AP mode; for those that do not have direct access to the wired part of the network, select the Repeater mode.

The “Access Point Policy” tab is used to change the parameters of the wireless controller's detection by the access point, as well as the method for updating the firmware on the equipment under control.

Managing a large number of access points will be much more convenient if you pre-group them. The corresponding setting is available in the “Access Point Group” tab.

The choice of firmware, under the control of which the access points operate, is made using the “Firmware” tab. All controlled access points must have the same firmware version so that the controller can manage them. Unfortunately, the administrator does not have the ability to manually upload a new firmware for a particular access point to the controller, since firmware download is supported only in automatic mode and from the vendor’s website.

Lists of illegal and trusted access points are managed using the Monitoring Profiles item.

In the event of an access point failure, the wireless controller can automatically change the operating parameters of the remaining devices so as to restore the wireless coverage of the problem area. This option is controlled by the “Auto Healing” item.

To control the Ekahau RTLS (Real Time Location Service) positioning system, you need to refer to the same item.

In conclusion, we add that in order to manage ZyMesh networks, you need to refer to the “ZyMesh Profile” item of the “Object” group of the “CONFIGURATION” menu, and to manage the wireless profiles you will have to use the “Access Point Profiles” item of the same group.   

A nice feature that we found when setting up a security profile was support for fast roaming within the IEEE 802.11r standard.

Finally, we want to draw one obvious conclusion: some options can be changed both when the access point operates in standalone mode and when it is under the control of the controller. The choice of SSID or wireless channel is an example. However, a number of functions appear only with centralized control. These features include the Auto Healing option, which allows neighboring access points to try to replace a failed device.

This concludes our brief review of the capabilities for managing a wireless network using a controller; we now proceed to the capabilities of the command line interface.

Command line

Enabling/disabling access to the device command line is performed using the “SSH” and “TELNET” sub-items in the “CONFIGURATION” menu of the web interface. SSH access is enabled by default, while support for the Telnet protocol is usually disabled for security reasons.

It is also worth noting that the administrator can view the commands that will be added to the device configuration after the changes are applied.

To gain access to the device command line, you must enter a login and password.

***************** Warning **********************
* *
* Telnet service is not a secure service!! *
* Please use SSH service for remote management *
* *
************************************************
Welcome to WAC6100
Username: admin
Password:
Bad terminal type: "ansi". Will assume vt100.
Router>
apply
atse
clear
configure
copy
daily-report
debug
delete
diag Diagnostic
diaginfo
dir
disable
enable
exit
htm
interface
no
nslookup
packet-trace
ping
ping6
psm
reboot
release
rename
renew
run
setenv
show
shutdown
sshcon
telnet
test
tracepath
tracepath6
traceroute
traceroute6
wlan-report
write
Router>

The command line of the Zyxel access points is very similar to the Cisco CLI, so network administrators who are familiar with that vendor's hardware will have no difficulty in understanding the Zyxel command interpreter. The only thing that confused us at the beginning was the impossibility of using abbreviated versions of commands, but you quickly get used to it, especially since a command is completed automatically when you press the Tab key.

Router> ena
% Command not found
retval = -1
ERROR: Parse error/command not found!
Router> enable

We will not examine in detail all the features of the command line of Zyxel wireless equipment, however, a few frequently used commands will be considered.

Using the show interface all call, you can get information about which network interfaces the device has and what their status is.

Router# show interface all
No. Name Status IP Address Mask IP Assignment
===============================================================================
2 lan Up 192.168.1.21 255.255.255.0 Static
3 wlan-1 n/a n/a n/a n/a
4 wlan-1-1 Up 0.0.0.0 0.0.0.0 static

The show capwap command options allow the administrator to examine the communication status of the access point with the wireless controller.

Router# show capwap
ap
bridge
fw-updating
vlan
Router# show capwap ap
ac-ip
discovery-type
idle
info
Router# show capwap ap info
;
|
Router# show capwap ap info
 AC-IP 192.168.1.255
 Fallback Disable
 Fallback Interval 0
 Discovery type Broadcast
 SM-State DISC(2)
 msg-buf-usage 0/10 (Usage/Max)
 capwap-version 10003
 Radio Number 2/4 (Usage/Max)
 BSS Number 8/8 (Usage/Max)
 IANA ID 037a
 Description

The show cpu status command provides information about the average CPU utilization of the access point, while you will have to use the show system uptime call to view the time elapsed since the last power up.

Router# show cpu status
CPU utilization: 1 %
CPU utilization for 1 min: 1 %
CPU utilization for 5 min: 2 %
Router# show system uptime
system uptime: 00:39:20

If the device is busy searching for rogue access points, then information about the operation of this mechanism can be obtained using the show rogue-ap detection info command.

Router# show rogue-ap
containment
detection
Router# show rogue-ap detection
info
list
monitoring
status
Router# show rogue-ap detection info
;
|
Router# show rogue-ap detection info
rogue ap: 0
friendly ap: 0
adhoc: 0
unclassified ap: 0

The current configuration of the access point can be obtained using the show running-config command. Only a small part of the configuration is provided below.

Router# show running-config
!
!
hybrid-mode standalone
!
hardware-watchdog-timer 10
!
software-watchdog-timer 300
!
interface-name ge1 ge1
!
interface-name br0 lan
!

The device serial number can be obtained remotely from the output of the show serial-number command. When identifying a specific access point on site, the led_locator command may also be useful; it turns on a special LED on the front panel of the device.

Router# show serial-number
serial number: S172L16141905
Router(config)# led_locator
blink-timer
off
on
Router(config)# led_locator blink-timer
<1..60>
Router(config)# led_locator blink-timer
Router(config)# show led_locator status
Locator LED Status : ON
Locator LED Time : 1
Locator LED Time Lease: 367

The show socket command will help determine the open ports and sessions.

Router# show socket open
No. Proto Local_Address Foreign_Address State
===============================================================================
1 tcp 127.0.0.1:6379 127.0.0.1:40195 ESTABLISHED
2 tcp 127.0.0.1:40196 127.0.0.1:6379 ESTABLISHED
3 tcp 127.0.0.1:40195 127.0.0.1:6379 ESTABLISHED
4 tcp 192.168.1.21:23 192.168.1.120:59163 ESTABLISHED
5 tcp 127.0.0.1:6379 127.0.0.1:40196 ESTABLISHED
6 tcp 127.0.0.1:6379 127.0.0.1:40193 ESTABLISHED
7 tcp 127.0.0.1:40193 127.0.0.1:6379 ESTABLISHED
8 udp 0.0.0.0:161 0.0.0.0:0
9 udp 0.0.0.0:43605 0.0.0.0:0
Router# show socket listen
No. Proto Local_Address Foreign_Address State
===============================================================================
1 tcp 0.0.0.0:80 0.0.0.0:0 LISTEN
2 tcp 127.0.0.1:50000 0.0.0.0:0 LISTEN
3 tcp 0.0.0.0:21 0.0.0.0:0 LISTEN
4 tcp 0.0.0.0:22 0.0.0.0:0 LISTEN
5 tcp 0.0.0.0:443 0.0.0.0:0 LISTEN
6 tcp 127.0.0.1:60000 0.0.0.0:0 LISTEN
7 tcp 127.0.0.1:60001 0.0.0.0:0 LISTEN
8 tcp 127.0.0.1:60002 0.0.0.0:0 LISTEN
9 tcp 127.0.0.1:60003 0.0.0.0:0 LISTEN
10 tcp 127.0.0.1:6379 0.0.0.0:0 LISTEN

Information about the access point model and firmware is provided by the show version command.

Router# show version
Zyxel Communications Corp.
model : WAC6103D-I
firmware version: V5.10(AAXH.2)
BM version : V2.3
build date : 2017-10-02 05:59:08

Information on the operation of the wireless module can be obtained using the options of the show wlan command.

Router# show wlan
<slot1,...>
all Everything
channels
country-code
radio
Router# show wlan all
;
|
Router# show wlan all
slot: slot1
 card: none
 Role: ap
 Profile: default
 SSID_profile_1: default
 SSID_profile_2:
 SSID_profile_3:
 SSID_profile_4:
 SSID_profile_5:
 SSID_profile_6:
 SSID_profile_7:
 SSID_profile_8:
 SLOT_1_Output_power: 30dBm
 Activate: yes
 WDS_Role: none
 WDS_Profile: default
 WDS_uplink: auto
 Antenna_Type: ceiling
slot: slot2
 card: none
 Role: ap
 Profile: default2
 SSID_profile_1: default
 SSID_profile_2:
 SSID_profile_3:
 SSID_profile_4:
 SSID_profile_5:
 SSID_profile_6:
 SSID_profile_7:
 SSID_profile_8:
 SLOT_2_Output_power: 30dBm
 Activate: no
 WDS_Role: none
 WDS_Profile: default
 WDS_uplink: auto
 Antenna_Type: ceiling
Router# show wlan country-code
;
|
Router# show wlan country-code
Default Country Code : ED
Router# show wlan radio
% (after 'radio'): Parse error
retval = -1
ERROR: Parse error/command not found!
Router# show wlan radio
macaddr
Router# show wlan radio macaddr
;
|
Router# show wlan radio macaddr
slot1: B8:EC:A3:AC:5C:1A
slot2: B8:EC:A3:AC:5C:1B
Router# show wlan channels
11A
11G
Router# show wlan channels 11
11A 11G
Router# show wlan channels 11A
;
cw
|
Router# show wlan channels 11A
Available Channels: ED
No. Channel string
===============================================================================
1 36 36
2 40 40
3 44 44
4 48 48
5 52 52 - (DFS)
6 56 56 - (DFS)
7 60 60 - (DFS)
8 64 64 - (DFS)
9 100 100 - (DFS)
10 104 104 - (DFS)
11 108 108 - (DFS)
12 112 112 - (DFS)
13 116 116 - (DFS)
14 120 120 - (DFS)
15 124 124 - (DFS)
16 128 128 - (DFS)
17 132 132 - (DFS)
18 136 136 - (DFS)
19 140 140 - (DFS)
Router#

A complete list of ‘show’ commands is presented below.

Router# show
aaa
address-object
address-object-match
address6-object
antenna
app-watch-dog
apply
arp-table
arpseal
boot
bridge
ca
capwap
clock
comport
console Console
contingency-access
cpu
daily-report
dcs
description
dhcp6
diag-info
diaginfo
disk
dual-image
extension-slot
force-auth
fqdn
hardware-watchdog-timer
hybrid-mode
interface
interface-name
ip
ipv6
language
led
led_locator
led_suppress
load-balancing
lockout-users
logging
mac
manager
mem
ntp
object-group
periodically-collect-data
port
power
radius-server
ram-size
reference
report
rogue-ap
rtls
running-config
serial-number
session
slide-switch
snmp
snmp-server
socket
software-watchdog-timer
speed-test
sshcon
system
username
users
version
vlan
vrpt
web-auth
wireless-hal
wlan
wlan-l2isolation-profile
wlan-macfilter-profile
wlan-monitor-profile
wlan-monitor-profile-by-slot
wlan-radio-profile
wlan-radio-profile-by-slot
wlan-security-profile
wlan-ssid-profile
wlan-wds-profile
zon
zymesh-profile

Zyxel office access points can operate in one of two modes: standalone and managed by a wireless controller. Switching between modes is done with the hybrid-mode command in global configuration mode. After changing the mode, the device will automatically reboot.

Router(config)# hybrid-mode
managed
standalone

As we mentioned earlier, the Zyxel WAC6103D-I wireless access point has a software and hardware switch that allows you to explicitly specify the type of device placement: on the wall or on the ceiling. Management of this switch, obviously, can be done not only using the web interface.

Router(config)# antenna
config
sw-control
Router(config)# antenna sw-control
enable
Router(config)# antenna sw-control enable
;
|
Router(config)# antenna sw-control enable
Router(config)# antenna config
slot1
slot2
Router(config)# antenna config s
slot1 slot2
Router(config)# antenna config slot
slot1
slot2
Router(config)# antenna config slot1
chain3
Router(config)# antenna config slot1 chain3
ceiling
wall
Router(config)# antenna config slot1 chain3 wall
;
|
Router(config)# antenna config slot1 chain3 wall

To conclude our brief overview of the command line capabilities of the Zyxel wireless terminal equipment, we would like to point out two obvious commands: reboot — reboot the device; copy running-config startup-config — saves the changes made by the administrator.

Testing

Traditionally, we begin this section by measuring the device boot time, that is, the interval from the moment the equipment is powered up until the first ICMP echo reply is received. The Zyxel NWA5123-AC access point boots in 65 seconds, while the WAC6103D-I takes a little longer: 68 seconds. We consider this a good result. We also decided to find out how long it takes the access points not only to boot, but also to register successfully on the controller. We tracked the registration of access points using the “Access Points List” tab of the “Access Points” item of the “Wireless Network” group of the “MONITORING” menu. The NWA5123-AC model takes approximately 95 seconds to boot and register with the wireless controller. The WAC6103D-I needs about 105 seconds for the same operation. Thus, searching for the controller and registering on it takes approximately 30-40 additional seconds. In our opinion, this is quite a decent result.

Zyxel wireless equipment supports mesh networks (the ZyMesh feature). We decided to find out how long it would take an NWA5123-AC access point to boot and connect to an existing wireless network based on the ZyWALL 310 controller and the WAC6103D-I root access point. The whole process of booting and association took approximately 101 seconds (measured by the access point state in the web interface of the controller); thus connecting to the existing ZyMesh network over one hop takes about 6 seconds.

The time it takes to boot the wireless controller will depend on which particular device plays the role of the WLC on the network. At our disposal was the hardware firewall Zyxel ZyWALL 310, which in our tests was assigned the role of controller. In our case, the ZyWALL 310 model booted in 115 seconds (of course, we understand that the indicated time depends on the firmware version and activated services).

The next, no less traditional test is a device security check, conducted with the help of a network security scanner Positive Technologies XSpider 7.8. When scanning both access points, five open ports were detected: UDP-161 (SNMP), TCP-443 (HTTPS), TCP-22 (SSH), TCP-21 (FTP) and TCP-80 (HTTP). In both cases, the network security scanner detected well-known credentials for the SNMP protocol. To the credit of the vendor, it is worth noting that the administrator is notified of this each time on connecting to the AP web interface.

What really raises concern, however, is also related to SNMP support: suspected multiple vulnerabilities in protocol implementations. The standard recommendation in this case is to disable support for version 1 of the SNMP protocol.
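The scan result above can be cross-checked against the access point's own show socket output from the Command line section. The following is an added example, not part of the original review: it parses that listing, drops loopback-only sockets and sorts the rest into cleartext and encrypted management services. The port-to-service map and all function names are assumptions of this sketch.

```python
import ipaddress
import re

# Services the review names on these ports. SNMP is listed as cleartext
# because v1/v2c community strings cross the network unencrypted.
CLEARTEXT = {21: "FTP", 23: "Telnet", 80: "HTTP", 161: "SNMP"}
ENCRYPTED = {22: "SSH", 443: "HTTPS"}

# Rows copied from the review's WAC6103D-I "show socket" listings
# (separator lines dropped, loopback rows abridged).
SAMPLE = """\
Router# show socket open
No. Proto Local_Address Foreign_Address State
1 tcp 127.0.0.1:6379 127.0.0.1:40195 ESTABLISHED
4 tcp 192.168.1.21:23 192.168.1.120:59163 ESTABLISHED
8 udp 0.0.0.0:161 0.0.0.0:0
9 udp 0.0.0.0:43605 0.0.0.0:0
Router# show socket listen
No. Proto Local_Address Foreign_Address State
1 tcp 0.0.0.0:80 0.0.0.0:0 LISTEN
2 tcp 127.0.0.1:50000 0.0.0.0:0 LISTEN
3 tcp 0.0.0.0:21 0.0.0.0:0 LISTEN
4 tcp 0.0.0.0:22 0.0.0.0:0 LISTEN
5 tcp 0.0.0.0:443 0.0.0.0:0 LISTEN
10 tcp 127.0.0.1:6379 0.0.0.0:0 LISTEN
"""

# Ports the review's scanner reported as open on both access points.
SCANNER_PORTS = {("udp", 161), ("tcp", 443), ("tcp", 22), ("tcp", 21), ("tcp", 80)}

ROW = re.compile(
    r"^\s*\d+\s+(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)(?:\s+([A-Z_]+))?\s*$"
)


def parse_sockets(text):
    """Return one dict per socket row; prompts, headers and rulers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, lip, lport, rip, rport, state = m.groups()
            rows.append({"proto": proto, "local_ip": ipaddress.ip_address(lip),
                         "local_port": int(lport), "peer": f"{rip}:{rport}",
                         "state": state or ""})
    return rows


def classify(port):
    """Map a local port to (kind, service) using the tables above."""
    if port in CLEARTEXT:
        return "cleartext", CLEARTEXT[port]
    if port in ENCRYPTED:
        return "encrypted", ENCRYPTED[port]
    return "unknown", "?"


def network_exposure(rows):
    """Sockets reachable from the network: non-loopback listeners, unconnected
    UDP sockets, and established sessions to a known management port."""
    findings = []
    for r in rows:
        if r["local_ip"].is_loopback:
            continue  # e.g. 127.0.0.1:6379 is reachable only on the device itself
        kind, service = classify(r["local_port"])
        if r["state"] == "LISTEN" or (r["proto"] == "udp" and not r["state"]):
            what = "listener"
        elif r["state"] == "ESTABLISHED" and kind != "unknown":
            what = "session from " + r["peer"]
        else:
            continue
        findings.append((r["proto"], r["local_port"], service, kind, what))
    return sorted(set(findings), key=lambda f: (f[1], f[0]))


def not_in_scan(findings, scanned):
    """Reachable (proto, port) pairs the device reports but the scan did not."""
    return sorted({(f[0], f[1]) for f in findings} - set(scanned),
                  key=lambda p: p[1])


if __name__ == "__main__":
    found = network_exposure(parse_sockets(SAMPLE))
    for proto, port, service, kind, what in found:
        print(f"{proto}/{port:<5} {service:<7} {kind:<9} {what}")
    print("not in scanner report:", not_in_scan(found, SCANNER_PORTS))
```
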

Both of our access points (models NWA5123-AC and WAC6103D-I) allow you to specify the IP address of the main and backup controllers explicitly. This feature will be useful in a situation when the control interface of the access points and the wireless controller are located in different network segments, different IP subnets. We decided to test the functionality of this option, so we installed a router between the access points and the controller, and then set the controller address for one of them.

Testing has shown that the access point has successfully registered to the controller.

Obviously, this solution cannot be called scalable, since the administrator would have to configure each access point manually. Fortunately, there is an industry solution, which we also decided to test. Its essence is to tell the access points the controller address using DHCP. We captured the DHCP Discover message sent by the device and found option 138 (CAPWAP Access Controllers) in the list of requested options.

We added the appropriate setting to our test DHCP server configuration and rebooted the access point.

switch#sho run | sec dhcp
ip dhcp excluded-address 192.168.20.1 192.168.20.199
ip dhcp pool test2
network 192.168.20.0 255.255.255.0
default-router 192.168.20.10
dns-server 8.8.8.8
option 138 ip 192.168.1.1

The second access point also registered to the wireless controller successfully.
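The option 138 exchange described above, as an added example that is not part of the original review: it walks the options field of a DHCP message, checks whether the client asked for option 138, decodes the controller addresses a server returned, and compares them with the controllers the administrator expects. The byte strings are constructed for illustration; 192.168.20.77 and the function names are assumptions.

```python
import ipaddress

OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_PARAM_REQUEST, OPT_CAPWAP_AC = 53, 55, 138


def parse_options(data):
    """Walk the code/length/value options that follow the DHCP magic cookie."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        i += 1
        if code == OPT_PAD:
            continue
        if code == OPT_END:
            return opts
        if i >= len(data):
            raise ValueError(f"option {code}: missing length byte")
        length = data[i]
        value = data[i + 1:i + 1 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: value truncated")
        # A repeated code is concatenated (long-option handling, RFC 3396).
        opts[code] = opts.get(code, b"") + value
        i += 1 + length
    raise ValueError("options field has no End (255) marker")


def requests_capwap(opts):
    """True if the client's Parameter Request List (55) asks for option 138."""
    return OPT_CAPWAP_AC in opts.get(OPT_PARAM_REQUEST, b"")


def capwap_controllers(opts):
    """Decode option 138: a packed list of 4-byte IPv4 controller addresses."""
    raw = opts.get(OPT_CAPWAP_AC, b"")
    if len(raw) % 4:
        raise ValueError("option 138 length is not a multiple of 4")
    return [ipaddress.IPv4Address(raw[i:i + 4]) for i in range(0, len(raw), 4)]


def unexpected_controllers(opts, allowed):
    """Controller addresses in the reply that are not on the expected list."""
    allowed = {ipaddress.IPv4Address(a) for a in allowed}
    return [ip for ip in capwap_controllers(opts) if ip not in allowed]


def opt(code, value):
    """Build one option for the constructed samples below."""
    return bytes([code, len(value)]) + value


def ip4(text):
    return ipaddress.IPv4Address(text).packed


# Constructed Discover: message type 1, request list that includes 138.
DISCOVER = opt(53, b"\x01") + opt(55, bytes([1, 3, 6, 15, 138])) + b"\xff"

# Constructed Offer matching the review's pool "test2".
OFFER = (opt(53, b"\x02") + opt(3, ip4("192.168.20.10")) +
         opt(6, ip4("8.8.8.8")) + opt(138, ip4("192.168.1.1")) + b"\xff")

# Constructed Offer that also carries an address nobody configured.
OFFER_EXTRA = (opt(53, b"\x02") +
               opt(138, ip4("192.168.1.1") + ip4("192.168.20.77")) + b"\xff")

if __name__ == "__main__":
    print("AP requests option 138:", requests_capwap(parse_options(DISCOVER)))
    for name, raw in (("OFFER", OFFER), ("OFFER_EXTRA", OFFER_EXTRA)):
        o = parse_options(raw)
        print(name, [str(a) for a in capwap_controllers(o)],
              "unexpected:", [str(a) for a in
                              unexpected_controllers(o, ["192.168.1.1"])])
```
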

One of the differences between the access points tested in our laboratory is the presence of an external power supply. The NWA5123-AC model has an external power adapter, whereas for the WAC6103D-I model its use is not provided for in principle. Regardless of the model, both devices can be powered using PoE technology, which requires either special injectors or a switch that supports the corresponding technology. A more scalable solution, obviously, is the use of switches supporting the IEEE 802.3af-2003 and IEEE 802.3at-2009 standards. The listing below provides information on the power consumption of both access points with light user traffic.

switch#sho lldp neighbors
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID Local Intf Hold-time Capability Port ID
nwa5123-ac Gi1/0/3 120 B,W,R 1
wac6103d-i Gi1/0/5 120 B,W,R 1
Total entries displayed: 2
switch#sho power inline
Module   Available     Used     Remaining
          (Watts)     (Watts)    (Watts)
------   ---------   --------   ---------
1           240.0       30.8       209.2
Interface Admin  Oper       Power   Device              Class Max
                            (Watts)
--------- ------ ---------- ------- ------------------- ----- ----
Gi1/0/1   auto   off        0.0     n/a                 n/a   30.0
Gi1/0/2   auto   off        0.0     n/a                 n/a   30.0
Gi1/0/3   auto   on         15.4    Ieee PD             0     30.0
Gi1/0/4   auto   off        0.0     n/a                 n/a   30.0
Gi1/0/5   auto   on         15.4    Ieee PD             4     30.0
Gi1/0/6   auto   off        0.0     n/a                 n/a   30.0
Te1/0/7   auto   off        0.0     n/a                 n/a   30.0
Te1/0/8   auto   off        0.0     n/a                 n/a   30.0
switch#sho power inline gi1/0/3 de
Interface: Gi1/0/3
Inline Power Mode: auto
Operational status: on
Device Detected: yes
Device Type: Ieee PD
IEEE Class: 0
Discovery mechanism used/configured: Unknown
Police: off
Power Allocated
Admin Value: 30.0
Power drawn from the source: 15.4
Power available to the device: 15.4
Actual consumption
Measured at the port: 3.2
Maximum Power drawn by the device since powered on: 4.5
Absent Counter: 0
Over Current Counter: 0
Short Current Counter: 0
Invalid Signature Counter: 0
Power Denied Counter: 0
Power Negotiation Used: None
LLDP Power Negotiation --Sent to PD-- --Rcvd from PD--
Power Type: - -
Power Source: - -
Power Priority: - -
Requested Power(W): - -
Allocated Power(W): - -
Four-Pair PoE Supported: No
Spare Pair Power Enabled: No
Four-Pair PD Architecture: N/A
switch#
switch#sho power inline gi1/0/5 de
Interface: Gi1/0/5
Inline Power Mode: auto
Operational status: on
Device Detected: yes
Device Type: Ieee PD
IEEE Class: 4
Discovery mechanism used/configured: Unknown
Police: off
Power Allocated
Admin Value: 30.0
Power drawn from the source: 15.4
Power available to the device: 15.4
Actual consumption
Measured at the port: 4.3
Maximum Power drawn by the device since powered on: 5.2
Absent Counter: 0
Over Current Counter: 0
Short Current Counter: 0
Invalid Signature Counter: 0
Power Denied Counter: 0
Power Negotiation Used: None
LLDP Power Negotiation --Sent to PD-- --Rcvd from PD--
Power Type: - -
Power Source: - -
Power Priority: - -
Requested Power(W): - -
Allocated Power(W): - -
Four-Pair PoE Supported: No
Spare Pair Power Enabled: No
Four-Pair PD Architecture: N/A
switch#

We also decided to measure the case temperature of the access points under a light network load. The case temperature of the NWA5123-AC model was 35°C, while that of the WAC6103D-I was 36°C, at an average room temperature of about 25°C. We consider these readings normal.

In addition to functionality tests, we would like to provide our readers with the results of performance tests of the access points, which form the basis of any wireless network. But first, we must list the main parameters of our test bench.

Component  PC                           Laptop
MB         ASUS Maximus VIII Extreme    ASUS M60J
CPU        Intel Core i7 7700K 4 GHz    Intel Core i7 720QM 1.6 GHz
RAM        DDR4-2133 Samsung 64 GBytes  DDR3 PC3-10700 SEC 16 GBytes
NIC        Intel PRO/1000 PT,           Atheros AR8131,
           ASUS PCE-AC88                Zyxel NWD6605
OS         Windows 7 x64 SP1 Rus        Windows 7 x64 SP1 Rus

We started our measurements with the NWA5123-AC model, using the ASUS PCE-AC88 wireless network card as a client. Measurements were made for both frequency ranges for one, five, and fifteen simultaneous TCP connections. As a test tool, we used the JPerf utility version 2.0.2.   

We also carried out similar tests for the WAC6103D-I model.

We repeated the performance measurement of the access point WAC6103D-I, but this time we used a USB network interface card, the Zyxel NWD6605, as a wireless client. The measurement results are presented in the diagrams below.

Let us now return to the functionality tests and check how the system operates when traffic is switched by the controller or locally. Recall that with local switching, the access point sends user data directly to the virtual network (VLAN) that corresponds to the user's SSID. Otherwise, the AP encapsulates all the data in CAPWAP and sends it to the controller, which then forwards the frames to the desired virtual network. But first, we create the appropriate SSID. Using the “SSID” tab of the “Access Point Profiles” item in the “Object” group, you need to create a security profile and then bind it to the SSID profile.

Please note that the switching mode is selected using the "Transfer Mode" option when creating an SSID profile.

We decided to schematically depict the traffic path during local switching.

The next step to be performed is to associate the SSID profile with a group of access points and add the necessary points to the group. The corresponding setting is available in the “Access Point Group” tab of the “Access Point Management” item in the “Wireless Network” group of the “CONFIGURATION” menu.

If all settings have been made correctly, a new SSID will appear in the list of available networks.

So, we are ready to carry out a test connection of the wireless client. The access points are connected to the Gi1/0/3 and Gi1/0/5 ports of the switch, while the ZyWALL 310 is connected to the Gi1/0/2 interface. The SSID fox corresponds to a virtual network with VID 30. On our test L3 switch, we created an SVI corresponding to VLAN 30.

switch#sho vla bri
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/1, Gi1/0/4, Gi1/0/6, Te1/0/7, Te1/0/8, Te1/0/1, Te1/0/2
20 test active
30 SSID_fox active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
switch#sho lldp ne
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID Local Intf Hold-time Capability Port ID
nwa5123-ac Gi1/0/3 120 B,W,R 1
wac6103d-i Gi1/0/5 120 B,W,R 1
Total entries displayed: 2
switch#sho int tru
Port Mode Encapsulation Status Native vlan
Gi1/0/2 on 802.1q trunking 1
Gi1/0/3 on 802.1q trunking 1
Gi1/0/5 on 802.1q trunking 1
Port Vlans allowed on trunk
Gi1/0/2 1-4094
Gi1/0/3 1-4094
Gi1/0/5 1-4094
Port Vlans allowed and active in management domain
Gi1/0/2 1,20,30
Gi1/0/3 1,20,30
Gi1/0/5 1,20,30
Port Vlans in spanning tree forwarding state and not pruned
Gi1/0/2 1,20,30
Gi1/0/3 1,20,30
Gi1/0/5 1,20,30
switch#sho ip int bri | e unas
Interface IP-Address OK? Method Status Protocol
Vlan1 192.168.1.10 YES NVRAM up up
Vlan20 192.168.20.10 YES NVRAM up up
Vlan30 192.168.30.10 YES manual up up
switch#sho ip dhcp pool SSID_fox
Pool SSID_fox :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 0
Excluded addresses : 199
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased/Excluded/Total
192.168.30.200 192.168.30.1 - 192.168.30.254 0 / 199 / 254

The test will be considered successful if the wireless client gains access to VLAN 30 and the client's MAC address is discovered on the port to which one of the access points is connected.

So, we have connected to the detected fox SSID.

We make sure the switch SVI is reachable from the client.

C:\>ping 192.168.30.10
Pinging 192.168.30.10 with 32 bytes of data:
Reply from 192.168.30.10: bytes=32 time=4ms TTL=255
Reply from 192.168.30.10: bytes=32 time=3ms TTL=255
Reply from 192.168.30.10: bytes=32 time=3ms TTL=255
Reply from 192.168.30.10: bytes=32 time=3ms TTL=255
Ping statistics for 192.168.30.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 3ms, Maximum = 4ms, Average = 3ms

Now we verify that the client’s MAC address is visible through the corresponding switch interface.

switch#sho mac address-table dy vla 30
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
30 240a.6449.70af DYNAMIC Gi1/0/3
Total Mac Addresses for this criterion: 1

As an additional check, we see that the wireless client obtained the IP parameters dynamically using a DHCP pool configured on our test L3 switch.

C:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : FOX
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Wireless LAN adapter Беспроводное сетевое соединение 5:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom 802.11ac Network Adapter
Physical Address. . . . . . . . . : 24-0A-64-49-70-AF
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a861:9ebc:9e29:2e4e%38(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.30.200(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 25 декабря 2017 г. 2:05:19
Lease Expires . . . . . . . . . . : 26 декабря 2017 г. 2:13:31
Default Gateway . . . . . . . . . : 192.168.30.10
DHCP Server . . . . . . . . . . . : 192.168.30.1
DHCPv6 IAID . . . . . . . . . . . : 707005028
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-F9-D5-EB-90-E6-BA-97-A9-30
DNS Servers . . . . . . . . . . . : 2001:470:1f1d:d01::1
8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled

Now we turn off our test wireless client and reconfigure our network so that the access point forwards all traffic through the tunnel to the wireless controller. It is worth noting, however, that in this case the VLAN corresponding to our SSID must be pre-created on the ZyWALL 310.

We also decided to provide our readers with a data path map for sending traffic through a wireless controller.

We will now verify that the switch SVI is reachable from the client.

C:\>ping 192.168.30.10
Pinging 192.168.30.10 with 32 bytes of data:
Reply from 192.168.30.10: bytes=32 time=1ms TTL=255
Reply from 192.168.30.10: bytes=32 time=3ms TTL=255
Reply from 192.168.30.10: bytes=32 time=3ms TTL=255
Reply from 192.168.30.10: bytes=32 time=2ms TTL=255
Ping statistics for 192.168.30.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms

In addition, for the test to be considered completely successful, we need to find the client's MAC address on the switch interface to which the wireless controller is connected.

switch#sho mac address-table | i 240a.6449.70af
30 240a.6449.70af DYNAMIC Gi1/0/2

The experimental results convincingly show that Zyxel’s wireless networking solution successfully handles both local switching and user data transmission through the controller. In the latter case, the administrator has additional options for filtering user traffic; for example, it can be subjected to anti-virus scanning.
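
Since only tunnelled traffic passes through the firewall's filters, the MAC-table check used in both tests is worth scripting so that an SSID expected to be inspected is not silently switched locally. The following Python code is an added example, not part of the original review: it parses the switch output and reports which data path a client is on. The port roles, client MAC address and switch output are taken from the listings above; the function names and the returned labels are assumptions of this example.

```python
import re

AP_PORTS = {"Gi1/0/3", "Gi1/0/5"}   # access point ports in this review
CONTROLLER_PORTS = {"Gi1/0/2"}      # ZyWALL 310 port in this review

# Switch output copied from the two listings in this section.
LOCAL_OUTPUT = """\
Vlan Mac Address Type Ports
---- ----------- -------- -----
30 240a.6449.70af DYNAMIC Gi1/0/3
Total Mac Addresses for this criterion: 1
"""
TUNNEL_OUTPUT = "30 240a.6449.70af DYNAMIC Gi1/0/2\n"

# vlan, dotted MAC, entry type, port; header and summary lines do not match.
ROW = re.compile(
    r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I)

def normalize_mac(mac):
    """Accept 24-0A-64-49-70-AF, 24:0a:64:49:70:af or 240a.6449.70af."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples from 'show mac address-table'."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append((int(vlan), normalize_mac(mac), kind.upper(), port))
    return entries

def data_path(text, client_mac, vlan):
    """Classify where the switch learned the client: AP port or controller."""
    want = normalize_mac(client_mac)
    ports = {p for v, m, _, p in parse_mac_table(text) if m == want and v == vlan}
    if not ports:
        return "not-learned"
    if ports <= CONTROLLER_PORTS:
        return "tunnel"      # frames arrive de-encapsulated from the controller
    if ports <= AP_PORTS:
        return "local"       # the access point bridges straight into the VLAN
    return "unexpected"      # mixed or unknown ports: investigate

if __name__ == "__main__":
    print(data_path(LOCAL_OUTPUT, "24-0A-64-49-70-AF", 30))
    print(data_path(TUNNEL_OUTPUT, "24-0A-64-49-70-AF", 30))
```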

This concludes our testing of the wireless solution based on Zyxel equipment, and we proceed to the summary.

Conclusion

In general, we were pleased with the solution for the organization of wireless networks offered by Zyxel. The solution we tested included two access points, the NWA5123-AC and WAC6103D-I models, as well as a wireless controller based on the ZyWALL 310 firewall. Judging by the changes made to the firmware of the controllers and access points, Zyxel is actively developing this direction, so, it seems to us, we should expect even greater improvements and innovations in the near future.

Supporting the wireless controller functions in firewalls and other Zyxel security devices is, it seems to us, a good idea, since in this case administrators can filter even local traffic (when traffic is switched by a controller/firewall).

The strengths of the individual models and of the solution as a whole include the following:

  • mesh support;
  • powering the access points using PoE;
  • support for 802.11r fast roaming;
  • a wide range of access point models;
  • the ability to assign the functions of a wireless controller not only to specialized devices, but, for example, to firewalls;
  • support of local switching by the access point, or the ability to send user data to the controller using CAPWAP;
  • automatic firmware updates;
  • support for multiple wireless controllers at the same time;
  • the ability to search for rogue access points in the controlled area;
  • the presence of several methods of authentication and billing of wireless clients;
  • the ability to automate some routine processes of managing access points without using a controller;
  • availability of software tools that simplify the process of planning a wireless network and its monitoring.

Unfortunately, we must also point out the defects we discovered:

  • not all wireless controllers currently support all access point models (this is planned to be corrected);
  • wrong time zones (fixed in the latest firmware versions);
  • suspected vulnerabilities in the implementation of the SNMPv1 protocol;
  • not the highest data transfer rate in the wireless segment.

We would like to briefly explain the last item in the list. The results of testing wireless networks depend on many factors: the configuration of the room, the channel used, the presence of other wireless networks, and interference not related to Wi-Fi.

At the time of writing this review, the average price of the NWA5123-AC access point in the German-speaking countries of Europe, according to the Geizhals Preisvergleich website, was about 130 euro, while the WAC6103D-I model cost 250 euro and above. The price of the ZyWALL 310 firewall started at 700 euro, excluding additional licenses.
