Radio Frequency Interference Requirements This device is restricted to indoor use due to its operation in the 2.4 GHz frequency range. FCC requires this product to be used indoors in 2.4 GHz the frequency range to reduce the potential for harmful interference to co-channel Mobile Satellite systems. Regulatory Compliance Information This device is restricted to indoor use due to reduce the potential for harmful interference to co-channel Mobile Satellite and Radar Systems.
Canadian Department of Communications Compliance Statement
This Class B Digital apparatus (ME103 802.11b ProSafe Wireless Access Point) meets all the requirements of the Canadian Interference Causing Equipment Regulations.
Cet appareil numerique del la classe B respect les exigences du Regalement sur le material broilleur du Canada. This device comples with Class B limits of Industry of Canada. Operation is subject to the following two conditions:
1. This device may not cause harmful interference.
This device must accept any interference received, including interference that may cause undesired operation.
The device is certified to the requirements of RSS-139-1 and RSS-210 for 2.4 GHz spread spectrum devices. The use of this device in a system operating either partially or completely outdoors may require the user to obtain a license for the system according to the Canadian regulations. For further information, contact your local Industry Canada office. EN Declaration of Conformance This is to certify that the ME103 802.11b ProSafe Wireless Access Point is shielded against the generation of radio interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is declared by the application of EN Class B (CISPR 22).
CE Declaration of Conformity
For the following equipment: ME103 802.11b ProSafe Wireless Access Point

0470 !

is herewith confirmed to comply with the requirements set out in the Council Directive on the Approximation of the Laws of the Member States relating to Electromagnetic Compatibility (89/336/EEC), Low-voltage Directive (73/23/EEC) and the Amendment Directive (93/68/EEC), the procedures given in European Council Directive 99/5/EC and 89/3360EEC. The equipment was passed. The test was performed according to the following European standards:
EN 301489-1 V1.2.1 (2000-08) EN 301 489-17 V1.1.1 (2000-09) EN 55022: 1988 Class B EN 61000-3-2: 2000 EN 6100-3-3: 1995 EN 55024: 1998 (IEC 61000-4-5:1995, IEC 61000-4-3:1995, IEC 61000-4-4;1995, IEC 61000-4-5:1995, IEC 61000-4-6:1996, IEC 61000-4-8:1993, IEC 61000-4-11:1994)

1-viii August 2003

Chapter 2 Introduction
This chapter introduces the NETGEAR ME103 802.11b ProSafe Wireless Access Point. Minimal prerequisites for installation are presented in System Requirements on page 2-5.
About the ME103 802.11b ProSafe Wireless Access Point
The ME103 802.11b ProSafe Wireless Access Point is the basic building block of a wireless LAN infrastructure. It provides connectivity between Ethernet wired networks and radio-equipped wireless notebook systems, desktop systems, print servers, and other devices. The ME103 provides wireless connectivity to multiple wireless network devices within a fixed range or area of coverage, interacting with a wireless network interface card (NIC) via an antenna. Typically, an individual in-building access point provides a maximum connectivity area with about a 300 foot radius. The ME103 802.11b ProSafe Wireless Access Point can support a small group of users in a range of several hundred feet. Most access points are rated between 30-70 users simultaneously. The ME103 802.11b ProSafe Wireless Access Point acts as a bridge between the wired LAN and wireless clients. Connecting multiple ME103 Access Points via a wired Ethernet backbone can further lengthen the wireless network coverage. As a mobile computing device moves out of the range of one access point, it moves into the range of another. As a result, wireless clients can freely roam from one Access Point to another and still maintain seamless connection to the network. The auto-sensing capability of the ME103 802.11b ProSafe Wireless Access Point allows packet transmission at up to 11Mbps, or at reduced speeds to compensate for distance or electromagnetic noise interference.

Introduction August 2003

Key Features
The ME103 Access Point is easy-to-use and provides solid wireless and networking support. Supported Standards and Conventions The following standards and conventions are supported: Standards Compliant. The Wireless Access Point complies with the IEEE 802.11b (DSSS) and IEEE 802.1x specifications for Wireless LANs. 802.1x Support. Support for 802.1x mode is included, providing for the industrial-strength wireless security of 802.1x authentication and authorization. Radius Client Support. The Wireless Access Point can log in to your existing Radius server (as a Radius client). WEP support. Support for WEP is included. Both 64-bit and 128-bit keys are supported. Dynamic WEP key Support. In 802.1x mode, fixed or Dynamic WEP (Wired Equivalent Privacy) keys can be used. Dynamic key exchange can be used when deploying 802.1x EAP-TLS. DHCP Client Support. DHCP provides a dynamic IP address to PCs and other devices upon request. The ME103 can act as a client and obtain information from your DHPC server. NAT & WINS Support. Support for both NetBIOS broadcast and WINS (Windows Internet Naming Service) allows the ME103 to easily fit into your existing Windows network. SNMP Support. Support for Simple Network Management Protocol (SNMP) Management Information Base (MIB) management. Key Features The NETGEAR ME103 provides solid functionality, including these features: Multiple Operating Modes Wireless Access Point. Operates as a standard 802.11b or 802.11x Access Point. Point-to-Point Bridge. In this mode, the ME103 only communicates with another bridge-mode wireless station. You must enter the MAC address (physical address) of the other bridge-mode wireless station in the field provided. WEP should be used to protect this communication. Point-to-Multi-Point Bridge. Select this only if this ME103 is the Master for a group of bridge-mode wireless stations. The other bridge-mode wireless stations must be set to Point-to-Point Bridge mode, using this ME103's MAC address. They then send all traffic to this Master, rather than communicate directly with each other. WEP should be used to protect this traffic.

ProSafeWireless Access Point
Wireless Data Security Options Range: Up to 500 Feet
1) Open System: Easy but no security 2) MAC Access List: No data security 3) WEP: Security but some vulnerabilities 4) 802.1x: Secure
Figure 3-1: ME103 wireless data security options
There are several ways you can enhance the security of your wireless network: Restrict Access Based on MAC address. You can restrict access to only trusted PCs so that unknown PCs cannot wirelessly connect to the ME103. MAC address filtering adds an obstacle against unwanted access to your network, but the data broadcast over the wireless link is fully exposed. Turn Off the Broadcast of the Wireless Network Name (SSID). If you disable broadcast of the SSID, only devices that have the correct SSID can connect. This nullifies the wireless network discovery feature of some products such as Windows XP, but the data is still fully exposed to a determined snoop using specialized test equipment like wireless sniffers. Use WEP. Wired Equivalent Privacy (WEP) data encryption provides data security. WEP Shared Key authentication and WEP data encryption will block all but the most determined eavesdropper. Implement 802.1x. IEEE 802.1x provides very strong security. Although it can use the same data encryption scheme as WEP, it enables stronger authentication as well as the ability to dynamically vary the encryption keys.
Installing the ME103 802.11b ProSafe Wireless Access Point
Before installing the ME103 802.11b ProSafe Wireless Access Point, you should make sure that your Ethernet network is up and working. You will be connecting the access point to the Ethernet network so that computers with 802.11b or 802.11g wireless adapters will be able to communicate with computers on the Ethernet network. In order for this to work correctly, verify that you have met all of the system requirements, shown on page 2-5.
1 SET UP THE ME103 ACCESS POINT 1 SET UP THE ME103 ACCESS POINT
Tip: Before mounting the ME103 in a high location, first set up and test the ME103 to verify wireless network connectivity.

a. b. c.

Prepare a PC with an Ethernet adapter. If this PC is already part of your network, record its TCP/IP configuration settings. Configure the PC with a static IP address of 192.168.0.210 and 255.255.255.0 for the Subnet Mask. Connect an Ethernet cable from the ME103 to the PC (A).

4 VERIFY WIRELESS CONNECTIVITY
Using a computer with an 802.11b or 802.11g wireless adapter with the correct wireless settings needed to connect to the ME103 (SSID, WEP, MAC ACL, 802.1x, etc.), verify connectivity by using a browser such as Netscape or Internet Explorer to browse the Internet, or check for file and printer access on your network. Note: If you are unable to connect, see Chapter 6, Troubleshooting.

3-7 August 2003

How to Log In to the ME103 Using Its Default NetBIOS Name
The ME103 802.11b ProSafe Wireless Access Point can be configured remotely from Microsoft Internet Explorer browser version 5.0 or above, or Netscape Navigator web browser version 4.78 or above. You can connect to the ME103 by using its default NetBIOS name or its default IP address. The instructions for connecting using the default NetBIOS name are below. The instructions for connecting using the default IP address follow this section. Determine the NetBIOS name of your access point. To find the NetBIOS name, refer to the labels on the bottom of your access point. The access point NetBIOS name is on the label on the bottom of the unit and looks like NETGEAR123456, where 123456 is the last 6 digits of the access points MAC address. Note: If the computer you are using to connect to the ME103 is on a different subnet, you will not be able to connect via its NetBIOS name unless there is a WINS server on you LAN. 2. Open a Web browser such as Internet Explorer or Netscape Navigator. 3. Log in to the ME103 using the NetBIOS name you found on the bottom of the unit. In this example, you see NETGEAR123456 in the browser address or location box. There is no space between NETGEAR and the 6 digits of the access point name.You do not need to include www or http://.
Figure 3-4: Example ME103 NetBIOS name in browser address bar 4.
A login window like the one shown below opens:
Figure 3-5: Login window Basic Installation and Configuration August 2003 3-8
Enter the default user name of admin and the default password of password.
Figure 3-6: Login result: ME103 home page
The Web browser will then display the ME103 home page.

3-9 August 2003

1. 3-17 August 2003 Basic Installation and Configuration
Automatic - enter a word or group of printable characters in the Passphrase box and click the Generate button. The four key boxes will be automatically populated with key values. Manual - enter ten hexadecimal digits (any combination of 0-9, a-f, or A-F) Select which of the four keys will be active. See Overview of WEP Parameters on page B-5 for a full explanation of each of these options, as defined by the IEEE 802.11 wireless communication standard. 5. Click Apply to save your settings.
Note: If you use a wireless PC to configure WEP settings, you will be disconnected when you click Apply. Reconfigure your wireless adapter to match the new settings or access the wireless access point from a wired PC to make any further changes.
Using the Basic IP Settings Options
The Basic IP Settings menu is under the Basic heading of the main menu. Use this menu to configure DHCP, static IP, access point NetBIOS name, WINS, and SNMP settings.
Figure 3-11: Basic IP Settings Menu
The IP Address Source The wireless access point is shipped preconfigured to use a private IP address on the LAN side, and to act as a DHCP client. If the wireless access point does not find a DHCP server on the Ethernet LAN, it defaults to this IP configuration: IP Address 192.168.0.224 IP Subnet Mask 255.255.255.0 Gateway 0.0.0.0 Primary DNS blank Secondary DNS blank
If your network has a requirement to use a different IP addressing scheme, you can make those changes in this menu. These settings are only required if the Use this IP address radio button is chosen. Remember to click Apply to save your changes. Access Point Name (NetBIOS) Enter a new name for the wireless access point and click Apply to save your changes. Enable EWINS This allows your wirelessly connected PCs to browse the remote network using the Windows Network Neighborhood feature. Select this check box, enter the WINS Server name or IP address, and click Apply to save your changes. SNMP Management This allows your take advantage of the management features supported in the ME103 MIBs.

3-19 August 2003

Chapter 4 Maintenance
This chapter describes how to use the management features of your ME103 802.11b ProSafe Wireless Access Point. These features can be found by clicking on the Maintenance heading in the Main Menu of the browser interface.
Viewing General, Log, Station, and Statistical Information

Obtain the certificate which includes the public key from a Certificate Authority (CA). Install this certificate in the Windows Root Certificate Store. After installing the certificate on the Windows client, switch from the wired Ethernet connection to the wireless adapter.
Verify that the Use Windows to configure my wireless network settings check box is selected in the Windows XP Network Connections wireless adapter properties dialog box Wireless Networks tab page.
Figure 5-2: Windows XP wireless adapter configuration utility

5-4 August 2003

Reference Manual for the ME103 802.11b ProSafe Wireless Access Point c.
Select the wireless network to which you will connect (NETGEAR in the screen above), and click the Configure button to display the Wireless network properties dialog box shown below.
Figure 5-3: Configure a Windows XP wireless adapter association d. e.
Select only the Data encryption (WEP enabled) check box. Click the Authentication tab to display the screen below.
Figure 5-4: Configure a Windows XP wireless adapter for EAP-TLS f.
Configure the wireless adapter to enable 802.1x authentication by selecting the Enable IEEE 802.1x authentication for this network check box. g. Click OK to apply the settings to your wireless adapter. h. The first time you establish the EAP-TLS wireless session from a client workstation, Windows will prompt you to verify that the certificate it found is the correct one.
Note: During the authentication processes, there is a session timeout. If either the authenticator or the client does not respond with the proper data to the other side in 30 seconds, the authentication fails. If this happens, you should physically remove the wireless adapter from your computer, and re-insert it to start the authentication again. In addition, if the ME103 is rebooted, you should physically remove the wireless adapter from your computer and re-insert it to start the authentication again.
4. View the ME103 log and check the connection To check the connection, you can initiate a request from a wireless device to the network. Use the ME103 Activity Log to monitor the initiation of the 802.1x wireless session.
Figure 5-5: Information Activity Log for starting a 802.1x wireless connection
The simplest method is to ping the LAN IP address of another computer on the Ethernet LAN.
From a wireless PC, on the Windows taskbar click the Start button, then click Run. Type ping -t 192.168.0.1 , and click OK.
Figure 5-6: Running a Ping test from Windows c.
This command causes a continuous ping to be sent. Between several seconds to two minutes, the ping response should change from timed out to reply.

5-6 August 2003

Figure 5-7: Ping test results
At this point the connection is established and your wireless connection is working.
Understanding Advanced Wireless Settings

Worldwide Mode Broadcast Wireless Network Name (SSID) Wireless Separation Basic Rate

Parameters RTS Threshold

Fragmentation Length Beacon Interval Preamble Type Antenna Selection

Output Power Level

Configuring Wireless Operating Modes
The ME103 802.11b ProSafe Wireless Access Point lets you build large bridged wireless networks. Examples of wireless bridged configurations are: Client Access Point to Access Point. Point-to-Point Bridge. Multi-point bridging. These features are discussed below.
How to Configure a ME103 as a Point-to-Point Bridge
ME103 in Point-to-Point Bridge Mode

Router

Hub or Switch

192.168.0.1

LAN Segment 1
Figure 5-9: Point-to-Point Bridge

LAN Segment 2

Configure the ME103 (AP1) on LAN Segment 1 in Point-to-Point Bridge mode. 2. Configure the ME103 (AP2) on LAN Segment 2 in Point-to-Point Bridge mode. AP1 must have AP2s MAC address in its Remote MAC Address field and AP2 must have AP1s MAC address in its Remote MAC Address field. 3. Configure and verify the following parameters for both access points: Verify that the LAN network configuration of the ME103 Access Points both are configured to operate in the same LAN network address range as the LAN devices Both use the same ESSID, Channel, authentication mode, if any, and security settings if security is in use.
1. 5-10 August 2003 Advanced Configuration
Verify connectivity across the LAN 1 and LAN 2. A PC on either LAN segment should be able to connect to the Internet or share files and printers of any other PCs or servers connected to LAN Segment 1 or LAN Segment 2.
How to Configure Multi-Point Wireless Bridging
"Master" ME103 in Point-to-Multi-Point Bridge Mode

LAN Segment 3

Figure 5-10: Multi-Point bridging 1.
Configure the Operating Mode of the ME103 Access Points. ME103 (AP1) on LAN Segment 1 in Point-to-Point Bridge mode with the Remote MAC Address of AP2. Because it is in the central location, configure ME103 (AP2) on LAN Segment 2 in Point-to-Multi-Point Bridge mode. No MAC address is required because it will respond to Point-to-Point APs which are configured communicating to it. Configure the ME103 (AP3) on LAN 3 in Point-to-Point Bridge mode with the Remote MAC Address of AP2.
Verify the following parameters for all access points: Verify that the LAN network configuration the ME103 Access Points are configured to operate in the same LAN network address range as the LAN devices Only one AP is configured in Point-to-Multi-Point Bridge mode, and all the others are in Point-to-Point Bridge mode.

All APs must be on the same LAN. That is, all the APs LAN IP address must be in the same network. If using DHCP, all ME103 Access Points should be set to Obtain an IP address automatically (DHCP Client) in the IP Address Source portion of the Basic IP Settings menu. All ME103 Access Points use the same SSID, Channel, authentication mode, if any, and encryption in use. All Point-to-Point APs must have AP2s MAC address in its Remote AP MAC address field.
Verify connectivity across the LANs. A PC on any LAN segment should be able to connect to the Internet or share files and printers with any other PCs or servers connected to any of the three LAN segments. Wireless stations will not be able to connect to the ME103 Access Points in the illustration above. If you require warless stations to access any lan segment, you can additional ME103 Access Points configured in Wireless Access Point mode to any LAN segment.
Note: You can extend this multi-point bridging by adding additional ME103s configured in Point-to-Point mode for each additional LAN segment. Furthermore, you can extend the range of the wireless network with NETGEAR wireless antenna accessories.

5-12 August 2003

Antenna Installation
The ME103 comes with two removable 2-dBi antenna. Two antennae provide what is called space diversity, which helps to combat the addition of electromagnetic waves in the space where the unit is installed. This effect is called multipath fading. Multipath fading is generated by the multiple reflections of electromagnetic waves in an office due to walls, ceiling, floors, partitions, doors, metallic polls, cubicles, etc. and the motion of people and objects. The benefits of two antennae are evident when there is distance or obstructions in the line of sight between the ME103 and the clients. When only one antenna is used, a degradation of up to 50% of data throughput can be noticed in several spots of the coverage and also at the fringes of the range. The two 2dBi antenna are dipole and use vertical polarization. They provide an optimal radiation pattern in the plane perpendicular to their direction. When oriented vertically, they provide a optimal range in the horizontal plane (horizontal donut shaped signals). If the office is small and on multiple floors, it is advised to put the antenna flat so that the maximum coverage is vertical rather than horizontal. When the office is an odd shape, NETGEAR advises you to do some orientation trials. For applications requiring more range, wireless accessories can be used such as external antennae and bi-directional booster(s). The first optional update is replacing the two 2dBi antennae by two 5-7dBi dipole antennae. Simply turn the ME103 off, unscrew the two antenna, and screw on the new ones. Be sure to use antenna with a reversed SMA connector. Another solution is to relocate the antenna(e) with an RF cable to an optimal spot such as a ceiling, high on a wall, etc. One typical application is to locate the ME103 is in a secure location like a data center. Two external antenna are placed outside the room, for example on the ceiling, and connected with RF cables to the ME103. Another application is two external directional antennae, one pointing to one side of the building, and the other to the other side. Be aware of the loss in the cable. If the cable is too long and used with a medium gain antenna, the gain from placing the antenna in good spot may be reduced or eliminated. Only high gain antenna (more than 10dBi) should be used with a long cable such as 5 or 10m. To cope with this inherent limitation, NETGEAR also provides bi-directional booster. This component amplifies the RF signal in transmit mode and in receive mode. It automatically switches itself to the receive or transmit mode. The booster is placed very close to the antenna and provides an outstanding output RF power of 500mW or 27dBm. It also includes a low noise amplifier for the receive path of 10dB gain minimum. The antenna and booster can be connected with a cable as long as 10 to 15m from the ME103 without any performance reduction.

Note that ME103 diversity is provided only in receive mode, not in transmit mode. The Primary RF port provides transmit and receive. The Secondary RF port provides receive mode only. Therefore passive components such as external antennae can be connected to either Primary or Secondary ME103 RF ports. However, an active device such as bi-directional booster has to be used on the Primary RF port only. If using one booster on each Primary and Secondary RF port, the one connected to the Secondary will boost only the receive signals.
Blank Configuration Worksheet
EAP-TLS Configuration Worksheet
EAP-TLS 802.1x Security Settings WEP Encryption Key Length:
RADIUS Port: RADIUS Shared Key:

Network

LAN IP Network Address

Subnet Mask

Gateway IP (LAN IP Address)

5-14 August 2003

Chapter 6 Troubleshooting
This chapter provides information about troubleshooting your ME103 802.11b ProSafe Wireless Access Point. After each problem description, instructions are given to help you diagnose and solve the problem. For the common problems listed, go to the section indicated. Is the ME103 on? Have I connected the wireless access point correctly? Go to Installing the ME103 802.11b ProSafe Wireless Access Point on page 3-5. I cannot remember the wireless access points configuration password. Go to Changing the Administrator Password on page 4-10.
Note: For up-to-date ME103 installation details and troubleshooting guidance visit www.NETGEAR.com.
If you have trouble setting up your ME103, check the tips below.
No lights are lit on the access point.
It takes a few seconds for the power indicator to light up. Wait a minute and check the power light status on the access point.
If the access point has no power. Make sure the power cord is connected to the access point. Make sure the power adapter is connected to a functioning power outlet. If it is in a power strip, make sure the power strip is turned on. If it is plugged directly into the wall, verify that it is not a switched outlet. Make sure you are using the correct NETGEAR power adapter supplied with your access point.
Troubleshooting August 2003
The Wireless LAN activity light does not light up.
The access points antennae are not working. If the Wireless LAN activity light stays off, disconnect the adapter from its power source and then plug it in again. Make sure the antennas are tightly connected to the ME103. Contact NETGEAR if the Wireless LAN activity light remains off.
The LAN light is not lit.
There is a hardware connection problem.Check these items: Make sure the cable connectors are securely plugged in at the access point and the network device (hub, switch, or router). A switch, hub, or router must be installed between the access point and the Ethernet LAN or broadband modem. Make sure the connected device is turned on. Be sure the correct cable is used. Use a standard Category 5 Ethernet patch cable. If the network device has Auto Uplink (MDI/MDIX) ports, you can use either a cross-over cable or a normal patch cable.

I cannot access the Internet or the LAN with a wireless capable computer.
There is a configuration problem.Check these items: You may not have restarted the computer with the wireless adapter to have TCP/IP changes take effect. Restart the computer. The computer with the wireless adapter may not have the correct TCP/IP settings to communicate with the network. Restart the computer and check that TCP/IP is set up properly for that network. The usual setting for Windows the Network Properties is set to Obtain an IP address automatically. The access points default values may not work with your network. Check the access point default configuration against the configuration of other devices in your network.

6-2 August 2003

Troubleshooting
I am using EAP-TLS security but get disconnected.
With 802.1x, occasionally, sporadic wireless communications interference might cause the encryption key to get dropped. This is not a breach of security. However, if so, your wireless client can be disconnected from the ME103. Perform these steps:
Simply disable and then enable the wireless NIC from the Windows Control Panel in the Network connections section, or from the windows system tray on the lower right of the Windows task bar at the bottom of your screen.
Upon restarting your wireless adapter, the ME103 will re-authenticate you and establish a new wireless connection.
I cannot connect to the ME103 to configure it.
Check these items: The ME103 is properly installed, LAN connections are OK, and it is powered on. Check that the LAN port LED is green to verify that the Ethernet connection is OK. If you are using the NetBIOS name of the ME103 to connect, ensure that your PC and the ME103 are on the same network segment or that there is a WINS server on your network. If your PC is set to Obtain an IP Address automatically (DHCP client), restart it. If your PC uses a Fixed (Static) IP address, ensure that it is using an IP Address in the range of the ME103. The ME103 default IP Address is 192.168.0.224 and the default Subnet Mask is 255.255.255.0. If you are not sure about these settings, follow the instructions for Installing the ME103 802.11b ProSafe Wireless Access Point on page 3-5.

C-2 Network, Routing, Firewall, and Cabling Basics August 2003

Class A

Network Class B

Class C

Figure 6-3: Three Main Address Classes
The five address classes are: Class A Class A addresses can have up to 16,777,214 hosts on a single network. They use an eight-bit network number and a 24-bit node number. Class A addresses are in this range:

1.x.x.x to 126.x.x.x.

Class B Class B addresses can have up to 65,354 hosts on a network. A Class B address uses a 16-bit network number and a 16-bit node number. Class B addresses are in this range:
128.1.x.x to 191.254.x.x.
Class C Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range:
192.0.1.x to 223.255.254.x.
Class D Class D addresses are used for multicasts (messages sent to many hosts). Class D addresses are in this range:
224.0.0.0 to 239.255.255.255.
Class E Class E addresses are for experimental use.
This addressing structure allows IP addresses to uniquely identify each physical network and each node on each physical network. For each unique value of the network portion of the address, the base address of the range (host address of all zeros) is known as the network address and is not usually assigned to a host. Also, the top address of the range (host address of all ones) is not assigned, but is used as the broadcast address for simultaneously sending a packet to all hosts with the same network address.

Netmask

In each of the address classes previously described, the size of the two parts (network address and host address) is implied by the class. This partitioning scheme can also be expressed by a netmask associated with the IP address. A netmask is a 32-bit quantity that, when logically combined (using an AND operator) with an IP address, yields the network address. For instance, the netmasks for Class A, B, and C addresses are 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively. For example, the address 192.168.170.237 is a Class C IP address whose network portion is the upper 24 bits. When combined (using an AND operator) with the Class C netmask, as shown here, only the network portion of the address remains:

(192.168.170.237)

combined with:

(255.255.255.0)

Equals:

(192.168.170.0)

As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a backward slash (/), as /n. In the example, the address could be written as 192.168.170.237/24, indicating that the netmask is 24 ones followed by 8 zeros.

The following figure illustrates a single IP address operation.
Private IP addresses assigned by user
IP addresses assigned by ISP 192.168.0.2

192.168.0.3

172.21.15.105 Internet

192.168.0.4

192.168.0.5
Figure 6-5: Single IP Address Operation Using NAT

7786EA

This scheme offers the additional benefit of firewall-like protection because the internal LAN addresses are not available to the Internet through the translated connection. All incoming inquiries are filtered out by the router. This filtering can prevent intruders from probing your system. However, using port forwarding, you can allow one PC (for example, a Web server) on your local network to be accessible to outside users. For more information about IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT).

IP Configuration by DHCP

When an IP-based local area network is installed, each PC must be configured with an IP address. If the PCs need to access the Internet, they should also be configured with a gateway address and one or more DNS server addresses. As an alternative to manual configuration, there is a method by which each PC on the network can automatically obtain this configuration information. A device on the network may act as a Dynamic Host Configuration Protocol (DHCP) server. The DHCP server stores a list or pool of IP addresses, along with other information (such as gateway and DNS addresses) that it may assign to the other devices on the network. The ME103 Access Point has the capacity to act as a DHCP server.
C-8 Network, Routing, Firewall, and Cabling Basics August 2003
The ME103 Access Point also functions as a DHCP client when connecting to the ISP. The firewall can automatically obtain an IP address, subnet mask, DNS server addresses, and a gateway address if the ISP provides this information by DHCP.

Domain Name Server

Many of the resources on the Internet can be addressed by simple descriptive names such as www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive name must be translated to an IP address in order for a user to actually contact the resource. Just as a telephone directory maps names to phone numbers, or as an ARP table maps IP addresses to MAC addresses, a domain name system (DNS) server maps descriptive names of network resources to IP addresses. When a PC accesses a resource by its descriptive name, it first contacts a DNS server to obtain the IP address of the resource. The PC sends the desired message using the IP address. Many large organizations, such as ISPs, maintain their own DNS servers and allow their customers to use the servers to look up addresses.

To check your PCs TCP/IP configuration:
On the Windows taskbar, click the Start button, and then click Run. The Run window opens.
Type cmd and then click OK. A command window opens
Type ipconfig /all Your IP Configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: The IP address is between 192.168.0.2 and 192.168.0.254 The subnet mask is 255.255.255.0 The default gateway is 192.168.0.1

Type exit

D-12 August 2003

Glossary

Use the list below to find definitions for technical terms used in this manual.

10BASE-T

IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring.

100BASE-Tx

IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring.

802.1x

802.1x defines port-based, network access control used to provide authenticated network access and automated data encryption key management. The IEEE 802.1x draft standard offers an effective framework for authenticating and controlling user traffic to a protected network, as well as dynamically varying encryption keys. 802.1x uses a protocol called EAP (Extensible Authentication Protocol) and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication. For details on EAP specifically, refer to IETF's RFC 2284.
IEEE specification for wireless networking at 11 Mbps using direct-sequence spread-spectrum (DSSS) technology and operating in the unlicensed radio spectrum at 2.5GHz.

802.11g

A soon to be ratified IEEE specification for wireless networking at 54 Mbps using direct-sequence spread-spectrum (DSSS) technology and operating in the unlicensed radio spectrum at 2.5GHz. 802.11g is backwards compatible with 802.11b.
Short for asymmetric digital subscriber line, a technology that allows data to be sent over existing copper telephone lines at data rates of from 1.5 to 9 Mbps when receiving data (known as the downstream rate) and from 16 to 640 Kbps when sending data (known as the upstream rate). ADSL requires a special ADSL modem. ADSL is growing in popularity as more areas around the world gain access.

Denial of Service Attack....B-11 Ethernet Cabling.... B-12 Uplink Switches, Crossover Cables, and MDI/MDIX Switching.. B-12 Cable Quality.... B-13 Appendix D Preparing Your PCs for Network Access Preparing Your Computers for TCP/IP Networking.. C-1 Configuring Windows 98 and Me for TCP/IP Networking... C-1 Install or Verify Windows Networking Components.. C-1 Enabling DHCP to Automatically Configure TCP/IP Settings.. C-3 Selecting Windows Internet Access Method... C-5 Verifying TCP/IP Properties... C-5 Configuring Windows 2000 or XP for TCP/IP Networking.. C-6 Install or Verify Windows Networking Components.. C-6 DHCP Configuration of TCP/IP in Windows XP.. C-7 DHCP Configuration of TCP/IP in Windows 2000.. C-9 Verifying TCP/IP Properties for Windows XP or 2000.. C-11 Glossary Index

Preface About This Guide

Thank you for purchasing the NETGEAR ME103 Access Point.

Audience

This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, and wireless technologies tutorial information is provided in the Appendices.
Typographical Conventions
This guide uses the following typographical conventions:

Table 1.

italics bold times roman Internet Protocol (IP) courier font [Enter] [Ctrl]+C
Typographical conventions
Emphasis. User input. First time an abbreviated term is used. Screen text, user-typed command-line entries. Named keys in text are shown enclosed in square brackets. The notation [Enter] is used for the Enter key and the Return key. Two or more keys that must be pressed simultaneously are shown in text linked with a plus (+) sign. DOS file and directory names.

SMALL CAPS

Special Message Formats
This guide uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.

About This Guide

Chapter 1 Introduction
This chapter introduces the NETGEAR ME103 802.11b ProSafe Wireless Access Point. Minimal prerequisites for installation are presented in System Requirements on page 1-4.
About the ME103 802.11b ProSafe Wireless Access Point
The ME103 802.11b ProSafe Wireless Access Point is the basic building block of a wireless LAN infrastructure. It provides connectivity between Ethernet wired networks and radio-equipped wireless notebook systems, desktop systems, print servers, and other devices. The ME103 provides wireless connectivity to multiple wireless network devices within a fixed range or area of coverage, interacting with a wireless network interface card (NIC) via an antenna. Typically, an individual in-building access point provides a maximum connectivity area with about a 300 foot radius. The ME103 802.11b ProSafe Wireless Access Point can support a small group of users in a range of several hundred feet. Most access points are rated between 30-70 users simultaneously. The ME103 802.11b ProSafe Wireless Access Point acts as a bridge between the wired LAN and wireless clients. Connecting multiple ME103 Access Point via a wired Ethernet backbone can further lengthen the wireless network coverage. As a mobile computing device moves out of the range of one access point, it moves into the range of another. As a result, wireless clients can freely roam from one Access Point to another and still maintain seamless connection to the network. The auto-sensing capability of the ME103 802.11b ProSafe Wireless Access Point allows packet transmission at up to 11Mbps, or at reduced speeds to compensate for distance or electromagnetic noise interference.

The ME103 Access Point connects to your LAN via twisted-pair Category 5 Ethernet cable with RJ-45 connectors.
Note: The power adapter and cord shipped with the ME103 limits the distance from an AC outlet. To overcome this, consider using NETGEARs POE101 Power Over Ethernet Adapter with a Cat 5 Ethernet cable like the one included with your ME103. This adapter sends DC power through an Ethernet cable to enable you to power an access point in a remote location up to 328 feet away.

Default Factory Settings

When you first receive your ME103, the default factory settings will be set as shown below. You can restore these defaults with the Factory Default Restore switch on the rear panel see ME103 Wireless Access Point Rear Panel on page 1-7.
FEATURE User Name (case sensitive) Password (case sensitive) Access Point Name DHCP IP Configuration (if DHCP server is unavailable) FACTORY DEFAULT SETTINGS admin password netgearxxxxxx where xxxxxx are the last six digits of the wireless access point's MAC address DHCP client IP Address: 192.168.0.224 Subnet Mask: 255.255.255.0 Gateway: 0.0.0.0 Primary DNS Server: 0.0.0.0 Secondary DNS Server: 0.0.0.0 NETGEAR 11 Open System Disabled Disabled
Network Name (SSID) 802.11b Radio Frequency Channel Authentication Type WEP 802.1x
Understanding ME103 Wireless Security Options
Unlike wired network data, your wireless data transmissions can be received well beyond your walls by anyone with a compatible adapter. For this reason, use the security features of your wireless equipment. The ME103 Access Point provides highly effective security features which are covered in detail in this chapter. Deploy the security features appropriate to your needs.
Wireless Data Security Options Range: Up to 500 Feet
ProSafeWireless Access Point
1) Open System: Easy but no security 2) MAC Access List: No data security 3) WEP: Security but some vulnerabilities 4) 802.1x: Secure
Figure 2-1: ME103 wireless data security options
There are several ways you can enhance the security of you wireless network. Restrict Access Based on MAC address. You can restrict access to only trusted PCs so that unknown PCs cannot wirelessly connect to the ME103. MAC address filtering adds an obstacle against unwanted access to your network, but the data broadcast over the wireless link is fully exposed. Turn Off the Broadcast of the Wireless Network Name (SSID). If you disable broadcast of the SSID, only devices that have the correct SSID can connect. This nullifies the wireless network discovery feature of some products such as Windows XP, but the data is still fully exposed to a determined snoop using specialized test equipment like wireless sniffers. Use WEP. Wired Equivalent Privacy (WEP) data encryption provides data security. WEP Shared Key authentication and WEP data encryption will block all but the most determined eavesdropper. Implement 802.1x. IEEE 802.1x provides very strong security. Although it can use the same data encryption scheme as WEP, it enables stronger authentication as well as the ability to dynamically vary the encryption keys.

Understanding WEP Authentication and Data Encryption
Restricting wireless access to your network prevents intruders from connecting to your network. However, the wireless data transmissions are still vulnerable to snooping. Using the WEB data encryption settings described below will prevent a determined intruder from eavesdropping on your wireless data communications. Also, if you are using the Internet for such activities as purchases or banking, those Internet sites use another level of highly secure encryption called SSL. You can tell if a web site is using SSL because the web address begins with HTTPS rather than HTTP. Authentication Scheme Selection The ME103 lets you select the following WEP wireless authentication schemes. Automatic. Open System. Shared key.
Note: The authentication scheme is separate from the data encryption. You can
choose an authentication scheme which requires a shared key but still leave the data transmissions unencrypted. If you require strong security, use the 802.1x RADIUS authentication with EAP-TLS encryption settings as explained in
Configuring Advanced Security 802.1x Options on page 4-1.
Be sure to set your wireless adapters according to whatever authentication and data encryption scheme you choose for the ME103 Access Point. Please refer to Authentication and WEP on page B-2 for a full explanation of each of these options, as defined by the IEEE 802.11 wireless communication standard. Data Encryption Choices Choose the encryption key length from the drop-down list. Please refer to Overview of WEP Parameters on page B-5 for a full explanation of each of these options, as defined by the IEEE 802.11 wireless communication standard. The key length choices are 64-bit or 128-bit. If WEP is enabled, you can manually or automatically program the four data encryption keys. These values must be identical on all PCs and access points in your network. There are two methods for creating WEP encryption keys: Passphrase. Enter a word or group of printable characters in the Passphrase box and click the Generate button. These characters are case sensitive. Manual. For 64-bit WEP, enter 10 hexadecimal digits (any combination of 0-9, a-f, or A-F). For 128-bit WEP, enter 26 hexadecimal digits (any combination of 0-9, a-f, or A-F). These values are not case sensitive.
Before You Change the SSID and WEP Settings
Before customizing your wireless settings, print this form and record the following information. If you are working with an existing wireless network, the person who set up or is responsible for the network will be able to provide this information. Otherwise, you will choose the settings for your wireless network. Either way, record the settings for your wireless network in the spaces below. Network Name (SSID): ______________________________ The Service Set Identification (SSID), called the wireless network name in Windows XP, identifies the wireless network. You may use up to 32 alphanumeric characters. Record your customized SSID on the line below. The SSID is case sensitive. Note: The SSID in the wireless access point is the SSID you configure in the wireless adapter card. In some configuration utilities (such as in Windows XP), the term wireless network name is used instead of SSID. For the access point and wireless nodes to communicate with each other, all must be configured with the same SSID. Authentication. Circle one: Automatic, Open System, or Shared Key. Authentication is unrelated to encryption of transmissions. Shared Key provides more network access security. Note: If you select shared key, the other devices in the network will not connect unless they are set to Shared Key as well and are configured with the correct key. WEP Encryption key size. Choose one: 64 or 128 bit. 128-bit provides stronger data security. Data Encryption (WEP) Keys. There are two methods for creating WEP data encryption keys. Whichever method you use, record the key values in the spaces below. Passphrase method. ______________________________ These characters are case sensitive. Enter a word or group of printable characters. When you enter the Passphrase and click the Generate button on the ME103, the keys will be generated. Manual method. These values are not case sensitive. For 64-bit WEP, enter 10 hex digits (any combination of 0-9 or a-f). For 128-bit WEP, enter 26 hex digits. Key 1: ___________________________________ Key 2: ___________________________________ Key 3: ___________________________________ Key 4: ___________________________________ Use the procedures described in the following sections to configure the ME103. Store this information in a safe place.

Note: When configuring the ME103 from a wireless PC whose MAC address is not in the access control list, if you select Turn Access Control On, you will lose your wireless connection when you click on Apply. You must then access the wireless access point from a wired PC or from a wireless PC which is on the access control list to make any further changes.
From the Wireless Settings menu, click the Setup Access List button to display the Wireless Access menu shown below.
Figure 2-8: Wireless Card Access List Setup 3.
Click Add to add a wireless device to the wireless access control list. The Wireless Adapter Access Setup menu displays.
Users Guide for the ME103 802.11b ProSafe Wireless Access Point 4. 5.
Click the Turn Access Control On check box. Then, either select from the list of available wireless cards the ME103 has found in your area, or enter the MAC address and device name for a device you plan to use. You can usually find the MAC address printed on the wireless adapter. Tip: You can copy and paste the MAC addresses from the ME103s Station List menu into the MAC Address box of this menu. To do this, configure each wireless PC to obtain a wireless link to the ME103. The PC should then appear in the Station List menu. Tip: You can import a list of MAC addresses from saved a Netgear ME102 access point access control list. Or, you can produce a list in a text file where each line is a single MAC address. The following formats are accepted. For example the MAC address is 34 aa bb cc 001234aabbcc 34 aa bb cc 00-12-34-aa-bb-cc 00:12:34:aa:bb:cc Only one MAC address per line is allowed. The valid characters are 0 to 9 and a, b, c, d, e, and f. The valid separators are those shown above. An invalid character will cause the line to be ignored.
Click Add to add this wireless device to the access list. Repeat these steps for each additional device you wish to add to the list. Be sure to click Apply to save your wireless access control list settings.
Now, only devices on this list will be allowed to wirelessly connect to the ME103.

How to Configure WEP

To configure WEP data encryption, follow these steps: Log in to the ME103 using the NetBIOS name printed on the bottom of the unit or at its default address of http://192.168.0.224 or at whatever IP address the unit is currently configured with its default user name of admin and default password of password, or using whatever LAN address and password you have set up. 2. Click the Wireless Settings link in the Basic section of the main menu of the ME103. 3. From the Wireless Settings menu drop-down list, select 64- or 128-bit encryption. 4. You can manually or automatically program the four data encryption keys. These values must be identical on all PCs and Access Points in your network.

Note: If you change the LAN IP address of the wireless access point while connected through the browser, you will be disconnected. You may need to restart your computer for the new IP address setting to take effect.
Access Point Name (NetBIOS) Enter a new name for the wireless access point and click Apply save your changes. Enable EWINS This allows your wirelessly connected PCs to browse that remote network using the Windows Network Neighborhood feature. Click this check box, enter the WINS Server name or IP address and click Apply to save your changes.

Chapter 3 Management

This chapter describes how to use the management features of your ME103 802.11b ProSafe Wireless Access Point. These features can be found by clicking on the Maintenance heading in the Main Menu of the browser interface.
Viewing General, Log, Station, and Statistical Information
The General information screen provides a summary of the current ME103 configuration settings. From the main Menu of the browser interface, click on General to view the System Status screen, shown below.
Figure 3-1: Wireless Access Point Status screen
This screen shows the following parameters:

Management

Table 3-1.
General Information Fields

Description

Access Point Information Access Point Name The default name may be changed if desired. Note: In 802.1x mode, this name is used as the Client Login Name for the RADIUS Server. This field displays the Media Access Control address (MAC address) of the wireless access points Ethernet port. This will display the domain or region for which the wireless access point is licensed for use. It may not be legal to operate this wireless access point in a region other than one of those identified in this field. The version of the firmware currently installed. These parameters apply to the Local ME103 firewall. The IP address of the wireless access point. The subnet mask for the wireless access point. The default gateway for the wireless access point communicates. Automatic (DHCP Client) indicates that the current IP address was obtained from a DHCP server on your network. These parameters apply to the target remote ME103 firewall, VPN gateway. or VPN client. This field displays the wireless network name (SSID) being used by the wireless port of the wireless access point. The default is NETGEAR. Identifies if the channel the wireless port is using. 11 is the default channel setting. See Wireless Channels on page B-7 for the frequencies used on each channel. This field identifies the operating mode of the ME103.

Upgrading the Wireless Access Point Software
Note: When uploading software to the ME103 Access Point, it is important not to interrupt the Web browser by closing the window, clicking a link, or loading a new page. If the browser is interrupted, the upload may fail, corrupt the software, and render the ME103 completely inoperable. Note: You cannot perform the firmware upgrade from a workstation connected to the ME103 via a wireless link. The firmware upgrade must be performed via a workstation connected to the ME103 via the Ethernet LAN interface. The software of the ME103 Access Point is stored in FLASH memory, and can be upgraded as new software is released by NETGEAR. Upgrade files can be downloaded from Netgear's website. If the upgrade file is compressed (.ZIP file), you must first extract the image (.IMG) file before sending it to the wireless access point. The upgrade file can be sent using your browser. Note: The Web browser used to upload new firmware into the ME103 Access Point must support HTTP uploads, such as Microsoft Internet Explorer or Netscape Navigator 4.0 or above.
Download the new software file from NETGEAR, save it to your hard disk, and unzip it.
Figure 3-5: ME103 Upgrade menu 2. 3.
From the main menu Management section, click the Upgrade Firmware link to display the screen above. In the Upgrade Firmware menu, click the Browse button and browse to the location of the image (.IMG) upgrade file.
Click Upload. When the upload is complete, your wireless access point will automatically restart. The upgrade process will typically take about one minute.
In some cases, you may need to reconfigure the wireless access point after upgrading.
Configuration File Management
The configuration settings of the ME103 Access Point are stored in the wireless access point in a configuration file. This file can be saved (backed up) to a users PC, retrieved (restored) from the users PC, or cleared to factory default settings. From the main menu Management heading, click the Backup/Restore Settings link to bring up the menu shown below.
Figure 3-6: Settings Backup menu
Three options are available, and are described in the following sections.

Network ME103

LAN IP Network Address 192.168.0.2
Subnet Mask 255.255.255.0
Gateway IP (LAN IP Address) 192.168.0.1
1. Configure the RADIUS server to use the 802.1x settings in the worksheet above.
Add the ME103 to the RADIUS server with either its IP address or the NetBIOS name. Configure the shared key so that the RADIUS server allows the ME103 to log in. Log in to the ME103 using the NetBIOS name printed on the bottom of the unit or at its default address of http://192.168.0.224 or at the current IP address of the unit. Use the default user name of admin and password of password. Click the Security Settings link in the Advanced section of the main menu to display the menu shown below.
2. Configure the ME103 802.1x EAP-MD5 parameters.
Figure 4-1: Advanced Security Settings EAP-MD5 Menu Advanced Configuration 4-3
Note: You may find it more convenient to perform this procedure from a LAN connected computer rather than over a wireless link. Because this procedure will change the ME103s data encryption settings, all wireless connections will be disconnected.
Fill in the settings from the worksheet as illustrated above. Click Apply.
Note: The idle timeout on the ME103 is 10 minutes. If there is no traffic for 10 minutes, the 802.1x supplicant (wireless client) will be automatically disconnected.
3. Configure the PCs on network to use the 802.1x and WEP settings you just applied to the ME103. Note: At this time, only Windows XP includes built-in support for 802.1x. Windows 2000 can support 802.1x with the appropriate SP4 patch. There are also third party client software packages which will provide 802.1x support for a variety of Windows, Macintosh, Unix, and Linux clients. The information below is only an example of one of many possible scenarios you may encounter when deploying 802.1x. Netgear does not support Windows or third party software.
Verify that the Use Windows to configure my wireless network settings check box is checked in the Windows XP Network Connections wireless adapter properties dialog box Wireless Networks tab page.
Figure 4-2: Windows XP wireless adapter configuration utility
Users Guide for the ME103 802.11b ProSafe Wireless Access Point b.
Select the wireless network to which you will connect (NETGEAR in the screen above), and click the Configure button to display the dialog box shown below.
Figure 4-3: Configure a Windows XP wireless adapter association c.
Check the Data encryption (WEP enabled) and Network Authentication (Shared mode) check boxes and enter key # 1 from the ME103 Advanced Wireless Security generate keys from Passphrase Key 1 results field in the Network key and Confirm network key fields. Click the Authentication tab to display the screen below.

Network Name: Extended Service Set Identification (ESSID)
The Extended Service Set Identification (ESSID) is one of two types of Service Set Identification (SSID). In an ad hoc wireless network with no access points, the Basic Service Set Identification (BSSID) is used. In an infrastructure wireless network that includes an access point, the ESSID is used, but may still be referred to as SSID. An SSID is a thirty-two character (maximum) alphanumeric key identifying the name of the wireless local area network. Some vendors refer to the SSID as network name. For the wireless devices in a network to communicate with each other, all devices must be configured with the same SSID.

Authentication and WEP

The absence of a physical connection between nodes makes the wireless links vulnerable to eavesdropping and information theft. To provide a certain level of security, the IEEE 802.11 standard has defined two types of authentication methods, Open System and Shared Key. With Open System authentication, a wireless PC can join any network and receive any messages that are not encrypted. With Shared Key authentication, only those PCs that possess the correct authentication key can join the network. By default, IEEE 802.11 wireless devices operate in an Open System network. Wired Equivalent Privacy (WEP) data encryption is used when the wireless devices are configured to operate in Shared Key authentication mode. There are two shared key methods implemented in most commercially available products, 64-bit and 128-bit WEP data encryption.
B-2 Wireless Networking Basics

802.11 Authentication

The 802.11 standard defines several services that govern how two 802.11 devices communicate. The following events must occur before an 802.11 Station can communicate with an Ethernet network through an access point such as the one built in to the ME103:

1. 2. 3. 4. 5. 6. 7. 8.

Turn on the wireless station. The station listens for messages from any access points that are in range. The station finds a message from an access point that has a matching SSID. The station sends an authentication request to the access point. The access point authenticates the station. The station sends an association request to the access point. The access point associates with the station. The station can now communicate with the Ethernet network through the access point.
An access point must authenticate a station before the station can associate with the access point or communicate with the network. The IEEE 802.11 standard defines two types of authentication: Open System and Shared Key. Open System Authentication allows any device to join the network, assuming that the device SSID matches the access point SSID. Alternatively, the device can use the ANY SSID option to associate with any available Access Point within range, regardless of its SSID. Shared Key Authentication requires that the station and the access point have the same WEP Key to authenticate. These two authentication procedures are described below.

Appendix C Network, Routing, Firewall, and Cabling Basics
This chapter provides an overview of IP networks, routing, and wireless networking. As you read this document, you may be directed to various RFC documents for further information. An RFC is a Request For Comment (RFC) published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet. The RFC documents outline and define the standard protocols and procedures for the Internet. The documents are listed on the World Wide Web at www.ietf.org and are mirrored and indexed at many other sites worldwide.

Basic Router Concepts

Large amounts of bandwidth can be provided easily and relatively inexpensively in a local area network (LAN). However, providing high bandwidth between a local network and the Internet can be very expensive. Because of this expense, Internet access is usually provided by a slower-speed wide-area network (WAN) link such as a cable or DSL modem. In order to make the best use of the slower WAN link, a mechanism must be in place for selecting and transmitting only the data traffic meant for the Internet. The function of selecting and forwarding this data is performed by a router.
Network, Routing, Firewall, and Cabling Basics

What is a Router?

A router is a device that forwards traffic between networks based on network layer information in the data and on routing tables maintained by the router. In these routing tables, a router builds up a logical picture of the overall network by gathering and exchanging information with other routers in the network. Using this information, the router chooses the best path for forwarding network traffic. Routers vary in performance and scale, number of routing protocols supported, and types of physical WAN connection they support. The ME103 802.11b ProSafe Wireless Access Point is a small office router that routes the IP protocol over a single-user broadband connection.
IP Addresses and the Internet
Because TCP/IP networks are interconnected across the world, every machine on the Internet must have a unique address to make sure that transmitted data reaches the correct destination. Blocks of addresses are assigned to organizations by the Internet Assigned Numbers Authority (IANA). Individual users and small organizations may obtain their addresses either from the IANA or from an Internet service provider (ISP). You can contact IANA at www.iana.org. The Internet Protocol (IP) uses a 32-bit address structure. The address is usually written in dot notation (also called dotted-decimal notation), in which each group of eight bits is written in decimal form, separated by decimal points. For example, the following binary address: is normally written as: 195.34.12.7 The latter version is easier to remember and easier to enter into your computer. In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host node or station on the network. The dividing point may vary depending on the address range and the application. There are five standard classes of IP addresses. These address classes have different ways of determining the network and host sections of the address, allowing for different numbers of hosts on a network. Each address type begins with a unique bit pattern, which is used by the TCP/IP software to identify the address class. After the address class has been determined, the software can correctly identify the host section of the address. The follow figure shows the three main address classes, including network and host sections of the address for each address type.

Internet Security and Firewalls
When your LAN connects to the Internet through a router, an opportunity is created for outsiders to access or disrupt your network. A NAT router provides some protection because by the very nature of the process, the network behind the router is shielded from access by outsiders on the Internet. However, there are methods by which a determined hacker can possibly obtain information about your network or at the least can disrupt your Internet access. A greater degree of protection is provided by a firewall router.

What is a Firewall?

A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack. Several known types of intrusion or attack can be recognized when they occur. When an incident is detected, the firewall can log details of the attempt, and can optionally send email to an administrator notifying them of the incident. Using information from the log, the administrator can take action with the ISP of the hacker. In some types of intrusions, the firewall can fend off the hacker by discarding all further packets from the hackers IP address for a period of time.
Stateful Packet Inspection
Unlike simple Internet sharing routers, a firewall uses a process called stateful packet inspection to ensure secure firewall filtering to protect your network from attacks and intrusions. Since user-level applications such as FTP and Web browsers can create complex patterns of network traffic, it is necessary for the firewall to analyze groups of network connection states. Using Stateful Packet Inspection, an incoming packet is intercepted at the network layer and then analyzed for state-related information associated with all network connections. A central cache within the firewall keeps track of the state information associated with all network connections. All traffic passing through the firewall is analyzed against the state of these connections in order to determine whether or not it will be allowed to pass through or rejected.

Denial of Service Attack

A hacker may be able to prevent your network from operating or communicating by launching a Denial of Service (DoS) attack. The method used for such an attack can be as simple as merely flooding your site with more requests than it can handle. A more sophisticated attack may attempt to exploit some weakness in the operating system used by your router or gateway. Some operating systems can be disrupted by simply sending a packet with incorrect length information.

Ethernet Cabling

Although Ethernet networks originally used thick or thin coaxial cable, most installations currently use unshielded twisted pair (UTP) cabling. The UTP cable contains eight conductors, arranged in four twisted pairs, and terminated with an RJ45 type connector. A normal straight-through UTP Ethernet cable follows the EIA568B standard wiring and pinout as described in Table 5-1.

Table 5-1.

Pin 7 8
UTP Ethernet cable wiring, straight-through
Signal Transmit (Tx) + Transmit (Tx) Receive (Rx) +
Wire color Orange/White Orange Green/White Blue Blue/White Green Brown/White Brown

Receive (Rx) -

Uplink Switches, Crossover Cables, and MDI/MDIX Switching
In the wiring table above, the concept of transmit and receive are from the perspective of the PC, which is wired as Media Dependant Interface (MDI). In this wiring, the PC transmits on pins 1 and 2. At the hub, the perspective is reversed, and the hub receives on pins 1 and 2. This wiring is referred to as Media Dependant Interface - Crossover (MDI-X). When connecting a PC to a PC, or a hub port to another hub port, the transmit pair must be exchanged with the receive pair. This exchange is done by one of two mechanisms. Most hubs provide an Uplink switch which will exchange the pairs on one port, allowing that port to be connected to another hub using a normal Ethernet cable. The second method is to use a crossover cable, which is a special cable in which the transmit and receive pairs are exchanged at one of the two cable connectors. Crossover cables are often unmarked as such, and must be identified by comparing the two connectors. Since the cable connectors are clear plastic, it is easy to place them side by side and view the order of the wire colors on each. On a straight-through cable, the color order will be the same on both connectors. On a crossover cable, the orange and blue pairs will be exchanged from one connector to the other.
The ME103 Access Point incorporates Auto UplinkTM technology (also called MDI/MDIX). The Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection (e.g. connecting to a PC) or an uplink connection (e.g. connecting to a router, switch, or hub). That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto UplinkTM will accommodate either type of cable to make the right connection.

Cable Quality

A twisted pair Ethernet network operating at 10 Mbits/second (10BASE-T) will often tolerate low quality cables, but at 100 Mbits/second (10BASE-Tx) the cable must be rated as Category 5, or Cat 5 or Cat V, by the Electronic Industry Association (EIA). This rating will be printed on the cable jacket. A Category 5 cable will meet specified requirements regarding loss and crosstalk. In addition, there are restrictions on maximum cable length for both 10 and 100 Mbits/second networks.

Type exit

Glossary
Use the list below to find definitions for technical terms used in this manual.

10BASE-T

IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring.

100BASE-Tx

IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring.

802.1x

802.1x defines port-based, network access control used to provide authenticated network access and automated data encryption key management. The IEEE 802.1x draft standard offers an effective framework for authenticating and controlling user traffic to a protected network, as well as dynamically varying encryption keys. 802.1x uses a protocol called EAP (Extensible Authentication Protocol) and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication. For details on EAP specifically, refer to IETF's RFC 2284.
IEEE specification for wireless networking at 11 Mbps using direct-sequence spread-spectrum (DSSS) technology and operating in the unlicensed radio spectrum at 2.5GHz.

802.11g

A soon to be ratified IEEE specification for wireless networking at 54 Mbps using direct-sequence spread-spectrum (DSSS) technology and operating in the unlicensed radio spectrum at 2.5GHz. 802.11g is backwards compatible with 802.11b.
Short for asymmetric digital subscriber line, a technology that allows data to be sent over existing copper telephone lines at data rates of from 1.5 to 9 Mbps when receiving data (known as the downstream rate) and from 16 to 640 Kbps when sending data (known as the upstream rate). ADSL requires a special ADSL modem. ADSL is growing in popularity as more areas around the world gain access.

Auto Uplink

Auto UplinkTM technology (also called MDI/MDIX) eliminates the need to worry about crossover vs. straight-through Ethernet cables. Auto UplinkTM will accommodate either type of cable to make the right connection.
A Certificate Authority is a trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs.
Category 5 unshielded twisted pair (UTP) cabling. An Ethernet network operating at 10 Mbits/second (10BASE-T) will often tolerate low quality cables, but at 100 Mbits/second (10BASE-Tx) the cable must be rated as Category 5, or Cat 5 or Cat V, by the Electronic Industry Association (EIA). This rating will be printed on the cable jacket. Cat 5 cable contains eight conductors, arranged in four twisted pairs, and terminated with an RJ45 type connector. In addition, there are restrictions on maximum cable length for both 10 and 100 Mbits/second networks.