6 Enabling Radios & MIMO Operation

Aclara 5900 Series nodes ship with one 900 MHz radio and one radio capable of operation on 2.4, 4.9, or 5 GHz. This multi-band radio can be upgraded to 802.11n (MIMO operation), if desired. (The 900 MHz radio does not support MIMO.) Firetide HotPort 7000 Series nodes used as part of the STAR system can be ordered with a single 900 MHz radio, or a dual radio configuration similar to the Aclara 5900.
HotView Pro Software Operation

Figure 5.47 Selecting Nodes to Upgrade
The left side of the screen shows the nodes that have already been upgraded. The right side shows nodes available for upgrade. To upgrade a node on the right, select it and click on Add. If the node you wish to upgrade does not appear, cancel and troubleshoot the problem. A node must be connected to be upgraded.

Figure 5.48 Ready for Upgrade
The nodes to be upgraded have been added to the left side. Click Save.
7 Keeping the Mesh Secure

By default, a Firetide mesh is open; this makes initial configuration easy. Most applications, however, will want a higher level of security. Firetide offers a number of features that allow you to implement various levels of security. These security features fall into three categories:
• Radio security
• Mesh connection security
• User security

Firetide HotPort 7000 Series nodes are FIPS 140 compliant.
Radio Security

Figure 6.49 Enabling Radio Encryption
Over-the-air traffic should be encrypted using the built-in 256-bit AES encryption engine. Select either hex or ASCII key formats, and enter the key string. The encryption is performed in hardware, and there is no measurable performance impact.

Figure 6.
Mesh Connection Security

Mesh Connection security covers all of the available techniques used to prevent an intruder from either adding a node to the mesh, or making a wired Ethernet connection to an existing mesh node. There are several facets to mesh intrusion prevention. These are:

Blocking Unauthorized Nodes
In even the simplest, low-security applications, you should always change the basic mesh parameters: mesh ID number, mesh name, mesh IP address, and mesh ESSID.
Limiting Unauthorized Connections

It is possible for unauthorized users to attach equipment to the existing mesh. There are two steps you can take to prevent this:
• Disable unused Ethernet ports.
• Create an automatic alarm/e-mail alert if an Ethernet port is tampered with.

Figure 6.53 Active and Disabled Ethernet Ports
The icon on the left shows an outdoor node with one port in use (green) and two active, but unused ports (yellow).
MAC Address Filtering

MAC Address Filtering is a powerful but dangerous tool. It simply blocks all Ethernet frames from traversing the mesh, except those which have a permitted source MAC address. It is critical to make sure that ALL necessary MAC addresses are added to the list; in particular the MAC address of the HotView Pro server and/or any intervening switches, routers, or other equipment.
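
One way to check a planned filter list before enabling it, so that the HotView Pro server and intervening equipment are not locked out. This is an added example, not part of the original manual or of HotView Pro; the function names, device names and MAC addresses are constructed for illustration, and the list is assumed to be kept as plain text outside the product.

```python
import re

def normalize_mac(text):
    """Return a MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[:\-.\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def is_unicast(mac):
    # The I/G bit (lowest bit of the first octet) is 0 for unicast addresses.
    return int(mac[:2], 16) & 1 == 0

def audit_allowlist(allowlist, required):
    """Compare a planned filter list with the devices that must cross the mesh.

    allowlist: MAC strings as they would be entered in the filter
    required:  dict of device name -> MAC string
    Returns (missing, invalid): required devices absent from the list, and
    entries that are malformed or can never appear as a source MAC.
    """
    allowed, invalid = set(), []
    for entry in allowlist:
        try:
            mac = normalize_mac(entry)
        except ValueError:
            invalid.append(entry)
            continue
        if is_unicast(mac):
            allowed.add(mac)
        else:
            invalid.append(entry)  # group addresses are never a source MAC
    missing = sorted(name for name, mac in required.items()
                     if normalize_mac(mac) not in allowed)
    return missing, invalid

# Constructed sample data (locally administered addresses, not real devices).
ALLOWLIST = ["02:AA:BB:00:00:10", "02aa.bb00.0020",
             "01-00-5E-00-00-01", "02:AA:BB:00:00"]
REQUIRED = {
    "hotview-pro-server": "02-aa-bb-00-00-10",
    "core-switch": "02:AA:BB:00:00:20",
    "edge-router": "02:AA:BB:00:00:30",
}

if __name__ == "__main__":
    missing, invalid = audit_allowlist(ALLOWLIST, REQUIRED)
    print("would be blocked:", missing)
    print("unusable entries:", invalid)
```
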
User Security

Figure 6.56 Mesh Login Credential - Mesh
HotView Pro connects to the mesh using the mesh’s User Account login credential, shown here. You should change the Read/Write user name and password. The default values are admin and firetide.

Figure 6.57 Mesh Login Credential - HotView Pro Server
After changing the mesh login credential on the mesh itself, you must tell HotView Pro what the new credential is.
Defining Human Users

Human users of HotView Pro are defined as part of HotView Pro Server Configuration. Two default users are pre-defined, hv_admin and hv_guest. The default user hv_admin has full privileges on all meshes and system administration privileges; the default user hv_guest is read-only. There are three assignable privileges for each user:
• Server Configuration: Granting this privilege allows the user to configure the HotView Pro Server, and add other users.
Figure 6.59 User Lockout
In high-security mode, you can specify a maximum number of login attempts. Exceeding this level will lock the user out. The user will remain locked out for the lockout period. If this is set to 0, the user will be locked out until he is manually unlocked.

Figure 6.60 Remote Access User Configuration
HotView Pro allows remote access via telnet or SSH to each node in the mesh. The access credentials for this should be either disabled or changed.
8 Configuring an Ethernet Direct Connection

An Ethernet Direct connection is a wired connection between two nodes in the same mesh. (There can be wired connections between meshes, but these are not Ethernet Direct.) Ethernet Direct is commonly used between nodes that are relatively close together, but may not be in RF contact. Typically this occurs with nodes which are mounted on a building roof or tower, and use directional antennas to cover the landscape.
Figure 7.62 Far-End Tunnel Endpoint
At the top of the window, select the blue text - this is the first tunnel endpoint. It will highlight, as shown. Click on mirror. The IP addresses at the bottom fill in, but are reversed for near and far ends. Select the node for the other end of the tunnel, and select the port. Next, fill in the subnet mask and default gateway, then click add again.
Figure 7.63 Completed Tunnel
When you have completed the data entry for both ends of the tunnel, and clicked Add, the tunnel text will turn green. It is now time to click Save. It is also time to complete the wired connection between the two nodes. Make sure you complete the wired connection to the ports shown in the Ethernet Direct tunnel listing.

Figure 7.
Tearing Down an Ethernet Direct Connection

If the Ethernet Direct connection is not needed, it can easily be removed. Simply go to the Ethernet Direct setup window via the Mesh menu, select the tunnel to be removed, and click on Remove. You will see a warning message.

Figure 7.65 Ethernet Direct Port Disable Warning
When you tear down an Ethernet Direct connection, the ports involved will be disabled. Remove the wired connection, if you have not done so already.
9 Creating Gateway Groups

Gateway groups provide redundant, load-balancing connections between a wireless mesh and the wired infrastructure. There are two key elements in a Gateway Group: the Gateway Interface nodes and the Gateway Server. The Gateway Interface nodes act as the gateways between the wireless world and the wired world. There are at least two, for redundancy, and there can be as many as eight. Gateway interface nodes are 5900 series nodes.
Steps to Create a Gateway Group

There are seven basic steps involved in creating a Gateway Group.

Figure 8.68 Creating a Gateway Server Node
Right-click on the node you wish to re-configure, and select the Configure this node as a Gateway Server...

1. Use the Import Mesh Configuration command to make a current copy of the mesh configuration for the mesh to which you are adding the Gateway Group.
2.
Step 3: Tell the New Gateway Server Node Which Mesh it is the Gateway Server For

Use the Apply Saved Mesh Configuration command to do this. Note: it is a common error to skip this step; the Gateway Group will not work if you have not done this. Note that this will change the Mesh IP address; you will need to log out of the mesh, and then add the mesh back at the new address.
Step 5: Manually Configure the First Gateway Interface Node

Log out of the one-node Gateway Server “mesh”, and physically disconnect from it. Physically connect to the original mesh again. Use the Add Mesh command to re-connect to it.

Figure 8.72 Gateway Interface Settings
Right-click on one of the nodes that will be a Gateway Interface node, but is NOT the current head node.
Step 7: Gateway Server Configures the Gateway Interface Nodes

Now that the Gateway Server is in communication with the mesh, it can automatically configure other Gateway Interface nodes. To tell it to do so, right-click on the Gateway Server node and bring up the Gateway Server Configuration window. Note that one of the Gateway Interfaces is already configured, but the others are not.

Figure 8.
10 Multicast

Multicast is a layer-3 protocol widely used for audio and video distribution. It is also used for various zero-configuration protocols, such as Bonjour. Multicast, while a layer-3 protocol, also affects layer 2, because it uses a special range of Ethernet MAC addresses. Certain characteristics of the 802.
Creating a Multicast Group

First, determine which Multicast IP addresses will be in use on the mesh. It is possible to configure the system to allow all Multicast, but this may not give the same performance if there is ‘random’ Multicast traffic present. You should also identify the nodes which represent the source of the Multicast traffic (typically the camera nodes) and the destination (usually the head node or the Gateway Interface nodes).

Figure 9.
Figure 9.80 Completed Multicast Groups
Here, three Multicast groups have been defined.

Allowing All Multicast

You can also allow all Multicast traffic to or from either all nodes, or a subset thereof. This is recommended only if you do not know what the Multicast IP address groups will be.

Figure 9.81 Allowing All Multicast Traffic
This can include all nodes, or a selected subset.
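
When listing the Multicast IP addresses that will be in use, it helps to see the Ethernet MAC address each one maps to, since several IP groups share one MAC. The following is an added example, not part of the original manual: it uses the standard IPv4 multicast-to-MAC mapping (01:00:5e plus the low 23 bits of the group address) and says nothing about how the mesh itself matches groups; the planned group list is constructed.

```python
import ipaddress
from collections import defaultdict

MULTICAST = ipaddress.ip_network("224.0.0.0/4")
# Link-local control block that holds 224.0.0.1 (All Hosts), 224.0.0.2 (All Routers).
LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")

def multicast_mac(group):
    """Map an IPv4 multicast group to its Ethernet MAC address."""
    ip = ipaddress.ip_address(group)
    if ip.version != 4 or ip not in MULTICAST:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(ip) & 0x7FFFFF           # only 23 of the 28 group bits survive
    mac = (0x01005E << 24) | low23
    return ":".join(f"{(mac >> s) & 0xFF:02x}" for s in range(40, -8, -8))

def review_groups(groups):
    """Return (reserved, collisions) for a planned list of group addresses.

    reserved:   groups that fall inside 224.0.0.0/24
    collisions: MAC -> groups, for every MAC shared by more than one group
    """
    by_mac = defaultdict(list)
    reserved = []
    for g in groups:
        by_mac[multicast_mac(g)].append(g)
        if ipaddress.ip_address(g) in LOCAL_CONTROL:
            reserved.append(g)
    collisions = {m: gs for m, gs in by_mac.items() if len(gs) > 1}
    return reserved, collisions

# Constructed plan: two camera groups that differ only in a bit the MAC drops.
PLANNED = ["239.1.1.10", "239.129.1.10", "224.0.0.1", "239.2.2.20"]

if __name__ == "__main__":
    reserved, collisions = review_groups(PLANNED)
    for g in PLANNED:
        print(f"{g:15s} -> {multicast_mac(g)}")
    print("reserved groups:", reserved)
    print("shared MACs:", collisions)
```
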
Figure 9.82 Reserved Addresses
These tables show the reserved addresses used for various Multicast functions and Ethernet MAC addresses. This information may be of use in troubleshooting Multicast problems.

IP Address    Reserved Function
224.0.0.0     Base address (reserved)
224.0.0.1     All Hosts multicast group addresses all hosts on the same network segment.
224.0.0.2     All Routers multicast group addresses all routers on the same network segment.
224.0.0.
11 VLANs

Virtual LANs are created to provide segmentation and isolation services that would otherwise be implemented using physically-distinct Ethernet switches, with routers as the sole interconnect between LAN segments. Figure 10.83 shows three subnets, each isolated by virtue of being on its own switch. A router interconnects them. This provides the desired traffic isolation and security, but it is inflexible because it is implemented in hardware.

Router provides layer-3 connectivity
Subnet 192.
VLAN Terminology

Most common computer equipment is not VLAN-aware; that is, it is not capable of generating VLAN-tagged traffic. This untagged traffic gets a tag added to it by the Ethernet switch. Access Points are one of the varieties of network equipment which can create tagged traffic. One of the most common uses of VLANs is to isolate 802.11 wireless APs from each other, especially if the APs serve different classes of users.
Implementing VLANs

VLAN implementation on a Firetide mesh should begin by determining the following key parameters of the overall network VLAN implementation.
• Are end-point devices VLAN-aware?
• Will you need to carry trunked VLAN traffic across the mesh?
• Will you need wired ports on the mesh capable of handling both VLAN trunks and untagged traffic? (These are called hybrid ports.
VLAN Trunks

A VLAN trunk is simply a connection between two switches that carries multiple VLANs. To create a trunk, select the VLANs command from the Mesh menu, and click on Edit VLAN Trunks...

Figure 10.89 Editing VLANs and VLAN Trunks
Use this window to view VLANs and VLAN trunks. A VLAN trunk port will only accept tagged traffic. Untagged traffic will be blocked.
Figure 10.91 Configuring a VLAN Trunk
Here, a trunk port has been configured on one node, and a second trunk port is about to be set up.

Hybrid Ports

If your network design requires that you handle both tagged and untagged traffic on a port, you must configure that port as a Hybrid Port.

Figure 10.92 Hybrid VLAN Configuration
Here, port 2, which is already a trunk port, is being enabled for hybrid VLAN operation.
Appendix A Regulatory Information

FCC Class A Notice
Aclara devices comply with Part 15 of the FCC Rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operation.

FCC Part 15 Note
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules.
Installation
Antenna(s) for this unit must be installed by a qualified professional. Operation of the unit with non-approved antennas is a violation of U.S. FCC Rules, Part 15.203(c), Code of Federal Regulations, Title 47.

Canadian Compliance Statement
This Class A Digital apparatus meets all the requirements of the Canadian Interference-Causing Equipment Regulations.
Distance
You must determine if there are any transmitting elements (i.e., any Aclara product) within 35 km of any TDWR system. Refer to Table 11.2 for a list of TDWR installations in the US. If there are, you should register the installation.

Registration
A voluntary WISPA-sponsored database has been developed that allows registration of devices within 35 km of any TDWR location (see http://www.spectrumbridge.com/udia/home.aspx).
Table 11.2 TDWR Installations
This list is current as of August 2011. Elevation and antenna height shown in feet. Refer to www.fcc.gov for the most current version.
Revision History

Revision    Date    Notes
1.