Copyright 2008-2012, Hangzhou H3C Technologies Co., Ltd. and its licensors
Preface
The H3C WX Series Access Controllers Web-Based Configuration Guide describes the web functions of
the WX series, such as quick start, web overview, wireless service configuration, security and
authentication related configurations, QoS configuration, and advanced settings.
NOTE:
Support of the H3C WX series access controllers for features may vary by device model. For the feature
matrixes, see the chapter Feature Matrixes.
The interface types and output information may vary by device model.
The grayed-out functions and parameters on the web interface are unavailable or not configurable.
This preface includes:
Audience
Conventions
Obtaining documentation
Technical support
Documentation feedback
Audience
This documentation is intended for:
Network planners
Conventions
This section describes the conventions used in this documentation set.
GUI conventions
Convention   Description
Boldface     Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>            Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention   Description
WARNING      An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION      An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT
NOTE
TIP
Category                                    Documents
Hardware specifications and installation    Marketing brochures
                                            Card manuals
                                            Installation guide
Software configuration                      Configuration guides
                                            Command references
                                            Web-based configuration guide
Operations and maintenance                  Release notes
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web
at http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] Provides the documentation released with the
software version.
Technical support
service@h3c.com
http://www.h3c.com
Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
Contents
Models of WX series access controllers 1
Typical network scenarios 2
Access controller network scenario 2
Access controller module network scenario 2
Wireless switch network scenario 3
Feature matrixes 4
Feature matrix for the WX5000 series 4
Feature matrix for the WX6000 series 5
Feature matrix for the WX3024E 8
Quick Start 9
Quick start wizard home page 9
Basic configuration 9
Admin configuration 10
IP configuration 11
Wireless configuration 12
RADIUS configuration 13
Portal configuration 15
Encryption configuration 16
AP configuration 17
Configuration summary 19
Web overview 20
Logging in to the Web interface 20
Logging out of the Web interface 21
Introduction to the Web interface 21
Web user level 22
Introduction to the Web-based NM functions 23
Common Web interface elements 35
Configuration guidelines 39
Troubleshooting Web browser 40
Failure to access the device through the Web interface 40
Summary 43
Device information 43
Device info 44
System resource state 44
Device interface information 44
Recent system logs 45
Displaying WLAN service 45
Displaying detailed information of WLAN service 45
Displaying statistics of WLAN service 48
Displaying connection history information of WLAN service 48
Displaying AP 49
Displaying WLAN service information of an AP 49
Displaying AP connection history information 49
Displaying AP radio information 50
Displaying AP detailed information 52
Displaying clients 57
License management 64
Configuring licenses 64
Adding a license 64
Displaying license information 65
Configuring enhanced licenses 65
Registering an enhanced license 65
Displaying registered enhanced licenses 66
Device basic information configuration 67
Configuring system name 67
Configuring Web idle timeout period 67
Device maintenance 69
Software upgrade 69
Rebooting the device 70
Generating the diagnostic information file 71
System time 73
Displaying the system time 73
Configuring the system time 73
Configuring the network time 74
System time configuration example 76
Configuration guidelines 77
Log management 78
Displaying syslog 78
Setting the log host 79
Setting buffer capacity and refresh interval 80
Configuration management 82
Backing up the configuration 82
Restoring the configuration 82
Saving the configuration 83
Initializing the configuration 84
File management 85
Displaying file list 85
Downloading a file 86
Uploading a file 86
Removing a file 86
Specifying the main boot file 86
Interface management 87
Interface management overview 87
Displaying interface information and statistics 87
Creating an interface 89
Modifying a Layer 2 interface 92
Modifying a Layer 3 interface 95
Interface management configuration example 97
Port mirroring 99
Introduction to port mirroring 99
Port mirroring configuration task list 100
Index 621
NOTE:
The WX6103 access controller supports EWPX1WCMB0
and EWPX1WCMD0 main control boards.
[Figure: network scenario diagram with Server, Switch, IP network, AP 1, AP 2, Client A, Client B]
[Figure: network scenario diagram with IP network, AP 1, AP 2, Client A, Client B]
Feature matrixes
In this document, Yes means a feature is supported, and No means not supported.

Feature matrix for the WX5000 series
Columns: Device: WX5002V2, WX5004; Module: LSWM1WCM10, LSWM1WCM20.

Device
  License management
    WX5002V2: Supports 32 concurrent APs by default, and can be extended to support 64 concurrent APs.
    WX5004: Supports 64 concurrent APs by default, and can be extended to support 256 concurrent APs.
    LSWM1WCM10: Supports 64 concurrent APs by default, and can be extended to support 256 concurrent APs.
    LSWM1WCM20: Supports 32 concurrent APs by default, and can be extended to support 128 concurrent APs.
  File management: CF Yes | CF Yes | CF Yes | Flash Yes
  Port mirroring: Yes | Yes | No | No
  Loopback test: Yes on GE interfaces | Yes on GE interfaces
Network
  IGMP Snooping
AP
Wireless Service
  Access service
Advanced settings / High availability
  AC hot backup: Yes | Yes | Yes | No | No
  1+1 AC backup: Yes | Yes | Yes | No
  Yes | Yes | Yes | No
  Stateful failover: Yes | Yes | Yes | No

Feature matrix for the WX6000 series
Columns: Device: WX6103; Module: LSQM1WCMB0, LSQM1WCMD0, LSBM1WCM2A0, LSRM1WCM2A1, LSRM1WCM3A1.

Device
  License management
    WX6103: EWPX1WCMB0 supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs. EWPX1WCMD0 supports 128 concurrent APs by default, and can be extended to support 1024 concurrent APs.
    LSQM1WCMB0: Supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs.
    LSQM1WCMD0: Supports 128 concurrent APs by default, and can be extended to support 1024 concurrent APs.
    LSBM1WCM2A0: Supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs.
    LSRM1WCM2A1: Supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs.
    LSRM1WCM3A1: Supports 128 concurrent APs by default, and can be extended to support 1024 concurrent APs.
  File management: CF and USB supported (all models)
  Port mirroring: No (all models)
  Loopback test: Internal loopback testing supported on XGE interfaces only (all models)
Network
  IGMP Snooping: The maximum number of multicast groups ranges from 1 to 256 and defaults to 256 (all models).
AP
  AP group (Licenses must be fully configured to reach the maximum number of group IDs)
    WX6103: On EWPX1WCMB0, the number of group IDs ranges from 1 to 640. On EWPX1WCMD0, the number of group IDs ranges from 1 to 1024.
    LSQM1WCMB0: The number of group IDs ranges from 1 to 640.
    LSQM1WCMD0: The number of group IDs ranges from 1 to 1024.
    LSBM1WCM2A0: The number of group IDs ranges from 1 to 640.
    LSRM1WCM2A1: The number of group IDs ranges from 1 to 640.
    LSRM1WCM3A1: The number of group IDs ranges from 1 to 1024.
Wireless Service
  Access service: The maximum number of associated users per SSID is 124 and defaults to 64 (all models).
Advanced settings / High availability
  AC backup: Yes (all models)
  Fast backup (Hello interval)
  1+1 AC backup: Yes (all models)
  Stateful failover: Yes (all models)

Feature matrix for the WX3024E
Column: WX3024E.

Device
  License management
  File management: Flash supported
  Port mirroring: No
  Loopback test
Network
  IGMP Snooping: The maximum number of multicast groups ranges from 1 to 64 and defaults to 64.
AP
Wireless Service
  Access service: The maximum number of associated users per SSID is 124, and defaults to 64.
Advanced settings / High availability
  AC backup: No | No
  1+1 AC backup: No
  Stateful failover: No
Quick Start
Quick start wizard home page
From the navigation tree, select Quick Start to enter the home page of the Quick Start wizard, as shown
in Figure 4.
Figure 4 Home page of the quick start wizard
Basic configuration
On the home page of the Quick Start wizard, click start to enter the basic configuration page, as shown
in Figure 5.
Specify the name of the current device. By default, the system name of the device is H3C.
Country/Region Code: Select the code of the country where you are. This field defines the radio frequency characteristics, such as the power and the total number of channels for frame transmission. Configure the country code correctly before configuring the device. If the Country Code field is grayed out, it cannot be modified.
Time Zone
Time
Admin configuration
On the basic configuration page, click Next to enter the admin configuration page, as shown in Figure
6.
Password: Specify the password that user Admin uses to log in to the device, in cipher text.
Confirm Password
IP configuration
On the Admin Configuration page, click Next to enter the IP configuration page, as shown in Figure 7.
IP Address: Specify the IP address of VLAN-interface 1. This IP address is used for logging in to the device. The default is 192.168.0.100.
Mask
Default Gateway
Wireless configuration
On the IP configuration page, click Next to enter the wireless configuration page, as shown in Figure 8.
Primary Service Authentication Type: Select the authentication type for the wireless service, which can be:
Wireless Service
Encrypt
RADIUS configuration
On the wireless configuration page, select User authentication (802.1X) or Portal for the Primary Service
Authentication Type field, and then click Next to enter the RADIUS configuration page, as shown
in Figure 9.
Select the type of the RADIUS server. Two types are available, standard and enhanced:
Enhanced: The RADIUS client (access device) and the RADIUS server exchange packets based on the specifications and packet format definitions of a private RADIUS protocol.
Standard: The RADIUS client (access device) and the RADIUS server exchange packets based on the specifications and packet format definitions of the standard RADIUS protocols (RFC 2138, RFC 2139, and the updates).
Authentication IP
Authentication Key
Accounting IP
Accounting Key
Portal configuration
On the wireless configuration page, select Portal for the Primary Service Authentication Type field, and
then click Next to enter the RADIUS configuration page. After you complete RADIUS configuration, click
Next to enter the portal configuration page, as shown in Figure 10.
Figure 10 Portal configuration page
Description
Server-name
Server-IP
Port
Redirect-URL
Method: Specify the portal authentication method to be used, which can be:
Direct authentication: The user directly obtains a public IP address through DHCP, and can access only the portal server and predefined free websites. After passing authentication, the user can access the network resources. The authentication process of direct authentication is simpler than that of re-DHCP authentication.
Re-DHCP authentication: Before authentication, the user can access only the portal server and predefined free websites. After passing authentication, the user is allocated a public IP address and can access the network resources.
Encryption configuration
On the wireless configuration page, select User authentication (802.1X) for Primary Service
Authentication Type and click Next to enter the encryption configuration page, as shown in Figure 11.
Figure 11 Encryption configuration page
Provide Key Automatically: Specify whether to use WEP keys provided automatically or to use static WEP keys.
WEP: Select the key type of the WEP encryption mechanism, which can be WEP40, WEP104, or WEP128.
Key ID: Select the WEP key index, which can be 1, 2, 3, or 4. Each number represents one of the four static keys of WEP. The selected key index will be used for frame encryption and decryption.
IMPORTANT:
If you select to enable Provide Key Automatically, only 1, 2, and 3 are available for the Key ID option.
Key Length: Select the key length.
When the key type is WEP40, the key length can be five alphanumeric characters or ten hexadecimal characters.
When the key type is WEP104, the key length can be 13 alphanumeric characters or 26 hexadecimal characters.
When the key type is WEP128, the key length can be 16 alphanumeric characters or 32 hexadecimal characters.
WEP Key
AP configuration
On the guest service configuration page, click Next to enter the AP configuration page, as shown
in Figure 12. You can configure an AP and click Add. You can configure multiple APs on the page. The
section at the bottom of the page displays all existing APs.
AP Name
Model
Serial ID: If the Auto box is not selected, you need to manually enter a serial ID. If the Auto box is selected, the AC automatically searches for the serial ID of the AP.
Country/Region Code: By default, no country/region code is configured for the AP and the AP uses the global country/region code (which is configured on the AC). If the country/region code is specified on this page, the AP uses this configuration. For information about the country/region code configured on the AC, see "Advanced settings."
Radio
Mode: Select the radio mode. The radio mode depends on the AP model.
Channel: Select the working channel. The channel list for the radio depends on the country/region code and radio mode, and varies with device models.
Auto: Specifies the automatic channel mode. With Auto specified, the AC evaluates the quality of channels in the wireless network, and selects the best channel as the working channel.
After the channel is changed, the power list is refreshed.
Power: Select the transmission power. The maximum power of the radio depends on the country/region code, working channel, AP model, radio mode, and antenna type. If 802.11n is specified as the radio mode, the maximum power of the radio also depends on the bandwidth mode.
Configuration summary
On the AP configuration page, click Next to enter the configuration summary page, as shown in Figure 13. The configuration summary page displays all configurations you have made. Click Finish to save your configurations.
Figure 13 Configuration summary page
Web overview
The device provides Web-based configuration interfaces for visual device management and
maintenance.
Figure 14 Web-based network management operating environment
Username: admin
Password: admin
1. Connect the Ethernet port of the device to the PC by using a crossover Ethernet cable. By default, all ports belong to VLAN 1.
2. Configure an IP address for the PC and make sure that the PC and the device can reach each other. For example, assign the PC an IP address (for example, 192.168.0.2) within the network segment 192.168.0.0/24 (except for 192.168.0.100).
3.
   a. The login page of the Web interface (see Figure 15) appears.
   b. Enter the username and password admin, and the verification code, select the language
   c. After you click Login, you will enter the following page. Select a country/region code from the Country/Region list, and click Apply.
The PC where you configure the device is not necessarily the Web-based network management terminal.
A Web-based network management terminal is a PC (or another terminal) used to log in to the Web
interface and is required to be reachable to the device.
After logging in to the Web interface, you can create a new user and configure the IP address of the
interface connecting the user and the device.
If you click the verification code displayed on the Web login page, you can get a new verification code.
Up to 24 users can concurrently log in to the device through the Web interface.
Introduction to the Web interface
Navigation area: Organizes the Web-based NM function menus in the form of a navigation tree, where you can select function menus as needed. The result is displayed in the body area. The Web network management functions not supported by the device are not displayed in the navigation area.
Body area: The area where you can configure and display a function.
Title area: On the left, displays the path of the current configuration interface in the navigation area; on the right, provides the Save button to quickly save the current configuration, the Help button to display the Web related help information, and the Logout button to log out of the Web interface.
Web user level
Visitor: Users of this level can perform the ping and traceroute operations, but they can neither access the device data nor configure the device.
Monitor: Users of this level can only access the device data but cannot configure the device.
Configure: Users of this level can access data from the device and configure the device, but they cannot upgrade the host software, add/delete/modify users, or back up/restore the application file.
Management: Users of this level can perform any operations for the device.
Introduction to the Web-based NM functions
[Table: Web-based NM functions, with columns Function menu, Description, and User level (Visitor, Monitor, Configure, or Management). The function menus, in the order they appear in the navigation tree:]
Quick Start
Summary: Device Info, Wireless Service, AP (including Reboot an AP), Client
License: License (including Add licenses), Enhanced License
Device: Basic (System Name), Maintenance (Software Upgrade, Reboot, Diagnostic Information), System Time (System Time, Net Time), Syslog (Loglist, Loghost, Log Setup), Configuration (Backup, Restore, Save, Initialize), File management, Interface, Port Mirroring (Summary, Add, Remove, Modify Port), Users (Summary, Super Password, Create, Modify, Remove, Switch To), SNMP (Setup: Configure SNMP; Community, Group, User, Trap, View), Loopback
Network: MAC (MAC, Setup), VLAN (VLAN, Port), ARP Management (ARP Table, Gratuitous ARP), ARP Anti-Attack (ARP Detection), Advanced Configuration, IGMP Snooping (Basic, Advance), IPv4 Routing (Summary, Create, Remove), IPv6 Routing (Summary, Create, Remove), DHCP (DHCP Server, DHCP Relay, DHCP Snooping), Service (DNS), Diagnostic Tools (IPv4 Ping, IPv6 Ping, Trace Route)
AP: AP Setup, Auto AP, AP Group
WLAN Service: Access Service, Mesh Service (Mesh Policy, Global Setup, Mesh Channel Optimize)
Roam: Roam Group, Roam Client
Radio: Radio, Rate, Channel Scan, Operation, Calibration Parameters (including Manual calibration), Radio Group, Antenna Switch
Authentication: 802.1X, Portal (Portal Server, Free Rule), AAA (Domain Setup, Authentication, Authorization, Accounting), RADIUS, Users (Local User, User Group, Guest, User Profile), Certificate Management (Entity, Domain, Certificate, CRL)
Security: WIDS (Rogue detection: AP Monitor, Rule List, Monitor Record, History Record; WIDS Setup; History Record; Statistics), Filter (Blacklist, White List), Authorized IP, User Isolation
QoS: Time Range (Summary, Add, Remove), ACL IPv4 (Summary, Add, Basic Setup, Advanced Setup, Link Setup, Remove), ACL IPv6 (Summary, Add, Basic Setup, Advanced Setup, Remove), Wireless QoS (Radio Statistics, Client Statistics, Bandwidth Guarantee), Line Rate, Port Priority, Trust Mode, Classifier (Summary; Add: Create a class; Setup; Remove), Behavior (Summary, Add, Setup, Remove), QoS Policy (Summary, Add, Setup, Remove), Port Policy (Summary, Setup, Remove), Service Policy
Advanced: Country/Region Code, AC Backup, Continuous Transmit, Load Balancing (Load Balance, Load Balance Group), AP (AP Module, Switch to fat AP), Wireless Location, Wireless Sniffer
High Reliability: Stateful Failover
Common Web interface elements
The buttons and icons of the Web interface have the following functions:
Bring the configuration on the current page into effect.
Cancel the configuration on the current page, and go to the corresponding display page or device information page.
Refresh the information on the current page.
Clear all statistics or items in a list.
Enter the page for adding an entry.
Delete entries on a list.
Select all the entries on a list or all ports on a device panel.
Clear all the entries on a list or all ports on a device panel.
Restore the values of all the entries on the current page to the default.
Typically located on a configuration procedure page of the configuration wizard, it allows you to save the configuration of the current configuration procedure (without bringing it into effect) and go to the page of the next configuration procedure.
Typically located on a configuration procedure page of the configuration wizard, it allows you to save the configuration of the current configuration procedure (without bringing it into effect) and return to the page of the previous configuration procedure.
Typically located on a configuration procedure page of the configuration wizard, it allows you to bring all configurations into effect.
Typically located in the Operation column of a display page, it allows you to enter the modify page of the corresponding entry to display or modify the configurations of the entry.
Typically located in the Operation column of a display page, it allows you to remove an entry.
Searching function
The Web interface provides you with the basic and advanced searching functions to display only the entries that match specific searching criteria.
Basic search: As shown in Figure 18, input the keyword in the text box above the list, select a search item from the list and click Search to display the entries that match the criteria. Figure 19 shows an example of searching for entries with 00e0 included in the MAC address.
Advanced search: As shown in Figure 18, you can click the Advanced Search link to open the advanced search page, as shown in Figure 20. Specify the search criteria, and click Apply to display the entries that match the criteria.
Take the ARP table shown in Figure 18 as an example. If you want to search for the ARP entries with 000f at the beginning of the MAC address, and IP address range being 192.168.1.50 to 192.168.1.59, follow these steps:
1. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 21, and click Apply. The ARP entries with 000f at the beginning of the MAC address are displayed.
2. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 22, and click Apply. The ARP entries with 000f at the beginning of the MAC address and IP address range 192.168.1.50 to 192.168.1.59 are displayed as shown in Figure 23.
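The two searches walked through above, as an added Python example that is not part of the H3C guide: it runs the basic search (keyword 00e0 anywhere in the MAC address) and the two-step advanced search (MAC prefix 000f, then the IP range 192.168.1.50 to 192.168.1.59) over a constructed ARP table. The entry fields, the sample rows and the function names are assumptions made for this example.

```python
"""Basic and advanced search over an ARP table, modelled on the Web
interface's search functions (added example, not H3C code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEntry:
    """One ARP table row; the field names are assumptions for this example."""
    ip: str
    mac: str   # colon-separated hex, as the device displays it
    vlan: int
    port: str


# Constructed sample ARP table (not captured from a real device).
ARP_TABLE = [
    ArpEntry("192.168.1.50", "00:0f:e2:11:22:33", 1, "GigabitEthernet1/0/1"),
    ArpEntry("192.168.1.55", "00:0f:e2:44:55:66", 1, "GigabitEthernet1/0/2"),
    ArpEntry("192.168.1.60", "00:0f:e2:77:88:99", 1, "GigabitEthernet1/0/3"),
    ArpEntry("192.168.1.52", "00:e0:fc:aa:bb:cc", 1, "GigabitEthernet1/0/4"),
    ArpEntry("10.0.0.7", "00:0f:e2:de:ad:01", 2, "GigabitEthernet1/0/5"),
]


def mac_hex(mac):
    """Reduce a MAC address to its 12 bare hex digits, so that a keyword
    such as '000f' matches '00:0f:...' whatever separator style is used."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def basic_search(entries, field, keyword):
    """Basic search: keep entries whose selected column contains the keyword
    (case-insensitive substring match), like the text box above the list."""
    kw = keyword.lower()
    matched = []
    for entry in entries:
        value = getattr(entry, field)
        haystack = mac_hex(value) if field == "mac" else str(value).lower()
        if kw in haystack:
            matched.append(entry)
    return matched


def advanced_search(entries, mac_prefix=None, ip_start=None, ip_end=None):
    """Advanced search: every criterion that is given must hold (logical AND).
    mac_prefix is anchored at the start of the MAC; ip_start and ip_end bound
    an inclusive IPv4 range. Criteria left as None are not applied."""
    prefix = mac_hex(mac_prefix) if mac_prefix else ""
    low = ipaddress.ip_address(ip_start) if ip_start else None
    high = ipaddress.ip_address(ip_end) if ip_end else None
    if low is not None and high is not None and low > high:
        raise ValueError("IP range start must not be greater than its end")
    matched = []
    for entry in entries:
        if prefix and not mac_hex(entry.mac).startswith(prefix):
            continue
        addr = ipaddress.ip_address(entry.ip)
        if low is not None and addr < low:
            continue
        if high is not None and addr > high:
            continue
        matched.append(entry)
    return matched


if __name__ == "__main__":
    # Figure 19: entries with 00e0 anywhere in the MAC address.
    print([e.ip for e in basic_search(ARP_TABLE, "mac", "00e0")])
    # Steps 1 and 2 of the advanced search described in the text.
    print([e.ip for e in advanced_search(ARP_TABLE, mac_prefix="000f")])
    print([e.ip for e in advanced_search(ARP_TABLE, mac_prefix="000f",
                                         ip_start="192.168.1.50",
                                         ip_end="192.168.1.59")])
```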
Sorting function
The Web interface provides basic sorting functions to display entries in a chosen order.
On a list page, you can click the blue heading item of each column to sort the entries based on the heading item you selected. After you click it, the heading item is displayed with an arrow beside it, as shown in Figure 24. The upward arrow indicates ascending order, and the downward arrow indicates descending order.
Figure 24 Basic sorting function example (based on IP address in the descending order)
Configuration guidelines
The Web-based configuration interface supports the operating systems Windows XP, Windows 2000, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Vista, Linux, and Mac OS.
The Web-based configuration interface supports the browsers Microsoft Internet Explorer 6.0 SP2 and higher, Mozilla Firefox 3.0 and higher, and Google Chrome 2.0.174.0 and higher.
The Web-based configuration interface does not support the Back, Next, and Refresh buttons. Using these buttons may result in abnormal display of Web pages.
The Windows firewall limits the number of TCP connections, so when you use IE to log in to the Web interface, you may sometimes be unable to open the Web interface. To avoid this problem, turn off the Windows firewall before login.
If the software version of the device changes, clear the cache data on the browser before logging in to the device through the Web interface; otherwise, the Web page content may not be displayed correctly.
Lists that support display by pages can show at most 20,000 entries.
Troubleshooting Web browser
Failure to access the device through the Web interface
Analysis
If you use Microsoft Internet Explorer, you can access the Web interface only when these functions are enabled: Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.
If you use Mozilla Firefox, you can access the Web interface only when JavaScript is enabled.
To enable these functions in Internet Explorer:
1. Open Internet Explorer, and then select Tools > Internet Options.
2. Click the Security tab, and then select a Web content zone to specify its security settings.
3.
4. As shown in Figure 26, enable these functions: Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.
5.
To enable JavaScript in Firefox:
1. Open the Firefox Web browser, and then select Tools > Options.
2. Click the Content tab, select Enable JavaScript, and click OK.
Summary
Device information
You can view the following information on the Device Info menu:
Device information
After logging in to the Web interface, you enter the Summary > Device Info page.
Figure 28 Device info page
If you select a specific refresh period (for example, 1 minute), the system periodically refreshes the
Device Info page according to the selected refresh period.
If you select Manual, you need to click Refresh to refresh the page.
Device info
Table 15 Field description
Device Name
Product Information
Device Location: To configure the device location information, select Device > SNMP > Setup; for more information, see "SNMP configuration."
Contact Information: Display the contact information for device maintenance. To configure the contact information, select Device > SNMP > Setup; for more information, see "SNMP configuration."
SerialNum
Software Version
Hardware Version
Bootrom Version
Running Time: Display the running time after the latest boot of the device.
System resource state
CPU Usage
Memory Usage: Display the real-time memory usage and the total memory size.
Temperature
Device interface information
Interface
IP Address/Mask
Status
NOTE:
For more information about device interfaces, click the More hyperlink under the Device Interface
Information area to enter the Device > Interface page to view and operate the interfaces. For more
information, see "Interface management."
Recent system logs
Time
Level
Description
NOTE:
For more information about system logs, click the More hyperlink under the Recent System Operation
Logs area to enter the Device > Syslog > Loglist page to view the logs. For more information, see "Log
management."
Displaying WLAN service
2. Click the specified WLAN service to view the detailed information, statistics, or connection history.
Description
SSID
Binding Interface
Authentication Method
SSID-hide
Forwarding mode:
Bridge Mode
The detailed information of WLAN service (crypto type) is as shown in Figure 30. For the description of
the fields in the detailed information, see Table 20.
Description
SSID
Binding Interface
Security IE
Authentication Method
SSID-hide
Cipher Suite
GTK Rekey
Forwarding mode:
Bridge Mode
Field
Description
Status of service template:
Displaying AP
Select Summary > AP from the navigation tree to enter the AP page, as shown in Figure 33. You can
display the WLAN service information, connection history, radio and detailed information of an AP by
clicking the tabs on the page.
NOTE:
The Noise Floor item in the table indicates the level of random electromagnetic noise present during wireless communication. In an environment with a high noise floor, you can improve the signal-to-noise ratio (SNR) by increasing the transmit power or reducing the noise floor.
The Service Type item in the table has two options: Access and Mesh.
Res Using Ratio represents the resource utilization of a radio within a certain period. For example, in a period of 10 seconds, if a radio has occupied the channel for five seconds, the resource utilization of the radio is 5 seconds divided by 10 seconds, that is, 50%.
Table 21 Field description
Field
Description
AP name
Radio Id
Radio ID.
Total Frames
Unicast Frames
Field
Description
Broadcast/Multicast Frames
Others
Discard Frames
Retry Count
Authentication Frames
Failed RTS
Successful RTS
Failed ACK
Association Frames
Total Frames
Unicast Frames
Broadcast/Multicast Frames
Fragmented Frames
FCS Failures
Authentication Frames
Duplicate Frames
Decryption Errors
Association Frames
Description
APID
AP System Name
Map Configuration
State
Idle: The AP is idle. If the Idle state persists, check the following: 1) If the
Config: The AC is delivering the configuration file to the fit AP, and the fit AP is collecting radio
information through the radio interface and reporting it to the AC. This state is an instantaneous state.
Up Time(hh:mm:ss)
Time for which the AP has been connected to the AC. NA indicates that the AP is not connected to the AC.
Model
AP model name.
Field
Description
Serial-ID
IP Address
H/W Version
S/W Version
Boot-Rom version
Description
Connection Type
Priority Level
AP connection priority.
Echo Interval(s)
Cir (Kbps)
Cbs (Bytes)
Jumboframe Threshold
Latest IP Address
No Reason: Other reasons.
Field
Description
Connection Count
Connection count between the AP and AC. This field is reset in one of the following situations:
AC is rebooted.
You re-configure an AP template after deleting the old one.
If you click Reboot on this page to reboot the AP, the connection count will not be reset.
AP Mode
Mode supported by the AP. Currently only the split MAC mode is supported.
AP operation mode
Portal Service
Device Detection
Interval at which the AP checks for clients that have dropped off the network without disassociating (for
example, because of a power failure or crash) and removes them.
If a client is idle for longer than the specified interval, that is, if the AP does not receive any data from
the client within the interval, the client is removed from the network.
Basic BSSID
Wireless Mode
Client Dot11n-only
Channel Band-width
Field
Description
802.11n protection modes:
HT protection mode
802.11n mode, but non-802.11n wireless devices exist within the coverage
of the AP.
associated with the AP and the wireless devices within the coverage of the
AP operate in 802.11n mode, and at least one 802.11n client operating in
20 MHz mode is associated with the radio of the AP.
A-MSDU
A-MPDU
Configured Channel
power is displayed.
If auto TPC is adopted, two values are displayed, with the first being the
maximum power, and the second auto (number), where number in the
brackets represents the actual power.
Interference (%)
Utilization (%)
Channel Health
Preamble Type
Radio Policy
Service Template
SSID
Port
Mesh Policy
Field
Description
ANI Support
11g Protection
Admin State
Physical State
Displaying clients
Select Summary > Client from the navigation tree to enter the page as shown in Figure 37. For the
description of the fields in the client information, see Table 23.
Figure 37 Displaying clients
Description
Refresh
Add to Blacklist
Add the selected client to the static blacklist, which you can display by
selecting Security > Filter from the navigation tree.
Reset Statistic
Disconnect
Description
MAC address
AID
uses the portal authentication method, the field does not display the
portal username of the client.
AP Name
Radio Id
SSID
BSSID
Port
VLAN
State
Wireless Mode
Field
Description
Channel Band-width
Not Supported.
Supported.
Whether the client supports short GI when its channel bandwidth is 40
MHz.
Not Supported.
Supported.
MCS supported by the client.
BLOCK ACK-TID 0
BLOCK ACK is negotiated based on QoS priority ID 0, in the direction shown:
OUT: Outbound direction.
IN: Inbound direction.
BOTH: Both directions.
BLOCK ACK-TID 1
BLOCK ACK is negotiated based on QoS priority ID 1, in the direction shown:
OUT: Outbound direction.
IN: Inbound direction.
BOTH: Both directions.
BLOCK ACK-TID 2
BLOCK ACK is negotiated based on QoS priority ID 2, in the direction shown:
OUT: Outbound direction.
IN: Inbound direction.
BOTH: Both directions.
BLOCK ACK-TID 3
BLOCK ACK is negotiated based on QoS priority ID 3, in the direction shown:
OUT: Outbound direction.
IN: Inbound direction.
BOTH: Both directions.
QoS Mode
Specifies how often the client wakes up to receive frames saved in the
AP and is expressed in units of beacon interval.
RSSI
Rx/Tx Rate
Client Type
Authentication Method
AKM Method
Field
Description
Displays either of the 4-way handshake states:
Roam Status
Roam Count
For inter-AC roaming, this field is reset after the client leaves the
mobility group to which the AC belongs.
Up Time
Time for which the client has been associated with the AP.
Description
AP Name
Radio Id
Radio ID.
SSID
BSSID
MAC Address
RSSI
Received signal strength indication. This value indicates the client signal
strength detected by the AP.
Transmitted Frames
Back Ground(Frames/Bytes)
Best Effort(Frames/Bytes)
Video(Frames/Bytes)
Voice(Frames/Bytes)
Received Frames
Discarded Frames
NOTE:
Statistics for the priority queues Back Ground, Best Effort, Video, and Voice can be collected only for a
QoS-capable client. On a client where QoS is not enabled, all traffic (including SVP packets) sent and received
falls into the Best Effort queue, so the queues reported may differ from the queues the client actually used.
Priority-queue statistics can be collected only from packets that carry the priority in 802.11e or WMM fields;
otherwise, statistics collection on the receiving end may fail.
Description
BSSID
Online-time
AC-IP-address
The IP address of the AC connected with the client. When the configured roaming
channel type is IPv6, the IPv6 address of the AC is displayed.
Description
No./MCS
Rate(Mbps)
TxCnt
RxCnt
Number of wireless ping frames that the radio interface received from the client.
RSSI
Received signal strength indication. This value indicates the client signal strength
detected by the AP.
Retries
RTT(ms)
License management
Configuring licenses
A license controls the maximum number of online APs. You can add a license on a device to increase the
maximum number of online APs that the device supports. However, the upper limit of online APs that a
device supports is restricted by its specification and varies by device model. For more information, see
"Feature matrixes."
Adding a license
CAUTION:
After adding a license, you must reboot the device to validate the license.
You can also increase the maximum number of online APs by adding an enhanced license. For more
information about enhanced license, see "Enhanced license management."
1.
Figure 42 License
2.
In the Add License area, configure the license information as described in Table 28.
3.
Click Add.
Description
License Key
Activation Key
2.
Description
default AP number
max AP number
current AP number
License Key
Activation Key
AP Number
2.
3.
4.
Click Add.
Description
Select the name of the feature to be registered.
For example, AP allows you to increase the number of APs.
Type the serial number of the license.
2.
3.
View the registered enhanced licenses at the lower part of the page.
Description
Feature Name
Serial Number
Remaining time of the license. After this time elapses, the license expires.
The value Forever means that the license is an official (permanent) version.
Number of APs that the license supports.
Set the system name of the device. The configured system name will be displayed on the top of the
navigation bar.
Set the idle timeout period for a logged-in user. The system logs an idle user off the Web interface after
the configured period for security purposes.
2.
3.
Click Apply.
2.
3.
4.
Click Apply.
Device maintenance
Software upgrade
A boot file, also known as the system software or device software, is the application file used to boot the
device. Software upgrade allows you to upload a target application file from the local host and set it as the
boot file to be used at the next reboot. You can also choose whether to reboot the device immediately to bring
the upgraded software into effect.
CAUTION:
A software upgrade takes some time. Avoid performing any operation on the Web interface during the
upgrading procedure. Otherwise, the upgrade operation may be interrupted.
You can keep the original file name or change it (without changing the extension) after you obtain the target
application file from the local host.
1.
2.
3.
Click Apply.
Description
File
Item
Description
File Type
Specify the type of the boot file for the next boot:
unavailable.
If you do not select the option, when a file with the same name
exists, the system prompts "The file has existed.", and you
cannot upgrade the software.
Specify whether to reboot the device to make the upgraded
software take effect after the application file is uploaded.
2.
3.
Clear the box before "Check whether the current configuration is saved in the next startup
configuration file" or keep it selected.
4.
Click Apply.
A confirmation dialog box appears.
5.
Click OK.
If you select the box before "Check whether the current configuration is saved in the next startup
configuration file", the system checks the configuration before rebooting the device. If the check
succeeds, the system reboots the device; if the check fails, the system displays a dialog box to
inform you that the current configuration and the saved configuration are inconsistent, and
does not reboot the device. In this case, you must save the current configuration manually
before you can reboot the device.
If you do not select the box, the system reboots the device directly.
2.
3.
4.
NOTE:
The generation of the diagnostic file will take a period of time. During this process, do not perform any
operation on the Web page.
To view this file after the diagnostic file is generated successfully, select Device > File Management, or
download this file to the local host. For more information, see "File management configuration."
System time
You need to configure a correct system time so that the device can work with other devices properly.
System time allows you to display and set the device system time on the Web interface.
The device supports setting system time through manual configuration and automatic synchronization of
NTP server time.
An administrator cannot keep time synchronized among all the devices within a network by changing the
system clock on each device, because this is a time-consuming task and cannot guarantee clock precision.
Defined in RFC 1305, the Network Time Protocol (NTP) synchronizes timekeeping among distributed
time servers and clients.
NTP can keep consistent timekeeping among all clock-dependent devices within the network and ensure
a high clock precision so that the devices can provide diverse applications based on consistent time.
2.
2.
3.
Modify the system time either in the System Time Configuration field, or through the calendar
page.
You can perform the following operations on the calendar page:
a. Click Today to set the current date on the calendar to the current system date of the local host,
Click Apply in the system time configuration page to save your configuration.
2.
3.
4.
Click Apply.
Description
Clock status
Local Reference Source
If the IP address of the local clock source is specified, the local clock is used as the reference clock,
and thus can provide time for other devices.
If the IP address of the local clock source is not specified, the local clock is not used as the reference
clock.
The stratum level of the local clock decides the precision of the local
clock. A higher value indicates a lower precision. A stratum 1 clock has
the highest precision, and a stratum 16 clock is not synchronized and
cannot be used as a reference clock.
Source Interface
Set the source interface for NTP messages.
Item
Description
Key 1
Key 2
Set the NTP authentication keys.
Enable NTP authentication on any system running NTP in a network with high security requirements. The
feature uses client-server key authentication: a client will not synchronize to a device that fails
authentication. Configure the same key ID and key string on the server and on the client.
ID is the ID of a key.
Key string is the character string used as the MD5 authentication key.
External Reference Source
NTP Server 1/Reference Key ID
NTP Server 2/Reference Key ID
You can configure two NTP servers. The clients will choose the optimal reference source.
TimeZone
IMPORTANT:
As shown in Figure 53, the local clock of Switch is set as the reference clock.
Configuring the AC
To configure Switch as the NTP server of AC:
1.
2.
3.
Enter 24 for the ID of key 1, and aNiceKey for the key string. Enter 1.0.1.12 in the NTP Server 1
box and 24 in the Reference Key ID box.
4.
Click Apply.
Configuration guidelines
A device can act as a server to synchronize the clock of other devices only after its clock has been
synchronized. If the clock of a server has a stratum level higher than or equal to that of a client's
clock, the client will not synchronize its clock to the server's.
The synchronization process takes a period of time. The clock status may be displayed as
unsynchronized after your configuration. In this case, you can refresh the page to view the clock
status later on.
If the system time of the NTP server is ahead of the system time of the device, and the difference
between them exceeds the Web idle time specified on the device, all online Web users are logged
out because of timeout.
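To make the key ID/key string and stratum rules above concrete, the following is an added example and not part of the H3C guide or of H3C software. It builds an NTPv3 request carrying the RFC 1305 symmetric-key (MD5) authenticator, verifies a reply against the configured key, and applies the stratum rule from the guidelines. It assumes a trusted-key table holding the key ID 24 and key string aNiceKey from the configuration example; the server reply is constructed inline so that the script runs offline without a real NTP server.

```python
"""Added example (not from the H3C guide): NTPv3 request with RFC 1305 MD5
authentication, reply verification, and the stratum rule from the guidelines.

Assumed: TRUSTED_KEYS mirrors the configuration example (ID 24, "aNiceKey").
The server reply used in __main__ is constructed, not captured."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48            # RFC 1305 header without the authenticator
AUTH_LEN = 4 + 16              # key ID + MD5 digest
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
UNSYNCHRONIZED = 16            # stratum 16: not synchronized, never a reference

# Assumed key table, taken from the configuration example above.
TRUSTED_KEYS = {24: b"aNiceKey"}


def to_ntp_timestamp(unix_seconds: float) -> int:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    secs = unix_seconds + NTP_EPOCH_OFFSET
    whole = int(secs)
    return (whole << 32) | int((secs - whole) * (1 << 32))


def build_packet(mode: int, stratum: int, transmit_unix: float) -> bytes:
    """48-byte NTPv3 header. Mode 3 = client request, mode 4 = server reply."""
    li_vn_mode = (0 << 6) | (3 << 3) | mode          # LI=0, VN=3
    header = struct.pack("!BBbbIII", li_vn_mode, stratum, 6, -20, 0, 0, 0)
    # Reference, originate and receive timestamps stay zero in this example;
    # only the transmit timestamp is filled in.
    stamps = struct.pack("!QQQQ", 0, 0, 0, to_ntp_timestamp(transmit_unix))
    return header + stamps


def authenticate(packet: bytes, key_id: int) -> bytes:
    """Append the RFC 1305 authenticator: key ID, then MD5(key || packet)."""
    digest = hashlib.md5(TRUSTED_KEYS[key_id] + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(message: bytes) -> bool:
    """Accept only messages whose authenticator matches a trusted key.

    A message without an authenticator, with an unknown key ID, or with a
    digest that does not match is rejected, which is what the NTP
    authentication feature does for a peer that fails authentication."""
    if len(message) != NTP_HEADER_LEN + AUTH_LEN:
        return False
    packet, trailer = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", trailer[:4])
    key = TRUSTED_KEYS.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + packet).digest()
    return hmac.compare_digest(expected, trailer[4:])   # constant-time compare


def stratum_of(message: bytes) -> int:
    return message[1]


def should_sync(server_stratum: int, client_stratum: int) -> bool:
    """Guideline: a client does not synchronize to a server whose stratum is
    higher than or equal to its own; stratum 16 is unsynchronized."""
    if server_stratum >= UNSYNCHRONIZED:
        return False
    return server_stratum < client_stratum


def clock_offset(t1: float, t2: float, t3: float, t4: float) -> float:
    """Standard NTP offset from originate (t1), receive (t2), transmit (t3)
    and destination (t4) times. If the offset exceeds the Web idle timeout,
    the guide warns that all online Web users are logged out."""
    return ((t2 - t1) + (t3 - t4)) / 2.0


if __name__ == "__main__":
    request = authenticate(build_packet(3, 0, 1_700_000_000.0), 24)
    # Constructed reply from a stratum-2 server signed with the same key.
    reply = authenticate(build_packet(4, 2, 1_700_000_000.5), 24)
    forged = reply[:-1] + bytes([reply[-1] ^ 0x01])    # one flipped digest byte
    print("request bytes:", len(request), "authenticated:", verify(request))
    print("reply authenticated:", verify(reply), "forged:", verify(forged))
    print("sync to stratum", stratum_of(reply), "?",
          should_sync(stratum_of(reply), UNSYNCHRONIZED))
```

Note that MD5 here is the keyed digest RFC 1305 specifies, not a general-purpose MAC; it protects integrity and origin only as far as the key string stays secret, so the key string deserves the same handling as any other shared secret.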
Log management
System logs contain a large amount of network and device information, including running status and
configuration changes. System logs are an important way for administrators to know network and device
status. With system logs, administrators can take corresponding actions against network problems and
security problems.
The system sends system logs to the following destinations:
Console
Monitor terminal, which is a user terminal that has login connections through the AUX, VTY, or TTY
user interface.
Log buffer
Loghost
Web interface
Displaying syslog
The Web interface provides search and sorting functions so that you can view syslogs conveniently.
To display syslog:
1.
TIP:
You can click Reset to clear all system logs saved in the log buffer on the Web interface.
You can click Refresh to manually refresh the page, or you can set the refresh interval on the Log Setup
page to enable the system to automatically refresh the page periodically. For more information, see
"Setting buffer capacity and refresh interval."
2.
Description
Time/Date
Source
Level
Digest
Description
2.
3.
4.
Click Apply.
Description
IPv4/Domain
IPv6
Loghost IP/Domain
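Once logs are sent to a loghost, the fields the Web log list shows (Time/Date, Source, Level, Digest, Description) have to be parsed out of each record there. The following is an added example, not from the H3C guide or from H3C software: a small UDP loghost that parses records in a Comware-style layout, `<PRI>Mon DD HH:MM:SS YYYY sysname %%10MODULE/LEVEL/DIGEST(l): text`, and flags bursts of the same event from one device. The layout is an assumption to check against your device's actual output, and every sample line is constructed.

```python
"""Added example (not from the H3C guide): parse Comware-style syslog records
into the Web log-list columns and flag repeated events.

Assumed record layout (check it against real device output):
    <PRI>Mon DD HH:MM:SS YYYY sysname %%10MODULE/LEVEL/DIGEST(l): text
All sample lines below are constructed for this example."""
import re
import socket
from collections import defaultdict, deque
from datetime import datetime, timedelta

SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notification", "informational", "debugging"]

RECORD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<time>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<host>\S+) "
    r"%%\d{2}(?P<module>[A-Za-z0-9_]+)/(?P<level>\d)/(?P<digest>[A-Za-z0-9_]+)"
    r"(?:\([a-z]\))?: "
    r"(?P<text>.*)$"
)


def parse_record(line: str):
    """Return a dict with the Web log-list columns, or None if the line does
    not match the assumed layout."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    level = int(m["level"])
    return {
        "time": datetime.strptime(" ".join(m["time"].split()), "%b %d %H:%M:%S %Y"),
        "source": m["host"],
        "module": m["module"],
        "level": level,
        "level_name": SEVERITY[level],
        "digest": m["digest"],
        "description": m["text"],
        # PRI carries an independent copy of the severity; a mismatch points
        # at a relay rewriting PRI or at a hand-crafted line.
        "facility": pri >> 3,
        "pri_matches_level": (pri & 7) == level,
    }


def find_bursts(records, threshold=3, window=timedelta(seconds=60)):
    """Return (source, digest) pairs seen at least `threshold` times within
    `window`, a first-pass detector for repeated failures."""
    seen = defaultdict(deque)
    flagged = set()
    for r in sorted(records, key=lambda r: r["time"]):
        key = (r["source"], r["digest"])
        q = seen[key]
        q.append(r["time"])
        while q and r["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key)
    return flagged


def serve(bind="0.0.0.0", port=514):
    """Run as the loghost configured under Device > Syslog > Loghost."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            data, (src, _) = s.recvfrom(4096)
            rec = parse_record(data.decode("utf-8", "replace"))
            if rec is None:
                print("unparsed from", src, ":", data[:80])
            else:
                print(rec["time"], rec["source"], rec["level_name"],
                      rec["digest"], rec["description"])


# Constructed sample records (not captured from a real device).
SAMPLE_LINES = [
    "<189>Oct  9 14:59:04 2012 AC %%10SHELL/5/SHELL_LOGIN(l): admin login from 10.1.1.50",
    "<188>Oct  9 14:59:10 2012 AC %%10SHELL/4/SHELL_LOGINFAIL(l): login failed from 10.1.1.99",
    "<188>Oct  9 14:59:20 2012 AC %%10SHELL/4/SHELL_LOGINFAIL(l): login failed from 10.1.1.99",
    "<188>Oct  9 14:59:31 2012 AC %%10SHELL/4/SHELL_LOGINFAIL(l): login failed from 10.1.1.99",
    "<190>Oct  9 15:00:00 2012 AC %%10IFNET/6/LINK_UPDOWN(l): GigabitEthernet1/0/1 link status is UP",
    "garbage that is not a syslog record",
]


def analyse(lines):
    records = [r for r in map(parse_record, lines) if r is not None]
    return records, find_bursts(records)


if __name__ == "__main__":
    recs, bursts = analyse(SAMPLE_LINES)
    for r in recs:
        print(r["time"], r["source"], r["level_name"], r["digest"], r["description"])
    print("bursts:", bursts)
```

Syslog over UDP carries no authentication, so `source` is whatever the sender wrote; use the log buffer on the device itself, or a separate transport, when a record must be trusted.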
2.
3.
4.
Click Apply.
Description
Buffer Capacity
Set the number of logs that can be stored in the log buffer of the Web interface.
Refresh Interval
Set the refresh period for the log information displayed on the Web interface.
You can select manual refresh or automatic refresh:
Configuration management
NOTE:
When backing up a configuration file, back up the configuration file with the extension .xml. Otherwise
some configuration information may not be restored in some cases (for example, when the configuration
is removed).
Open and view the configuration file (.cfg file or .xml file) for the next startup
Back up the configuration file (.cfg file or .xml file) for the next startup to the host of the current user
2.
3.
Upload the .cfg file on the host of the current user to the device for the next startup
Upload the .xml file on the host of the current user to the device for the next startup, and delete the
previous .xml configuration file that was used for the next startup
1.
2.
3.
4.
5.
Click Apply.
Fast
Click the Save button at the upper right of the auxiliary area, and you can save the configuration to the
configuration file.
Common
1.
2.
3.
Click Save Current Settings to save the current configuration to the configuration file.
2.
3.
File management
NOTE:
There are many types of storage media such as flash, compact flash (CF), and so on. Different devices
support different types of storage device. For more information, see "Feature matrixes."
The device saves useful files (such as the host software and configuration files) on the storage medium, and
provides the file management function so that users can manage those files conveniently and effectively.
2.
Select a disk from the Please select disk list on the top of the page.
3.
View the used space, free space and capacity of the disk at the right of the list.
4.
View all files saved in this disk (in the format of path + filename), file sizes, and the boot file types
(Main or Backup is displayed if the file is an application file, that is, with the extension of .bin
or .app).
Downloading a file
1.
2.
3.
Uploading a file
NOTE:
Uploading a file takes some time. H3C recommends that you not perform any operation on the Web interface
during the upload.
1.
2.
Select the disk to save the file in the Upload File box.
3.
4.
Click Apply.
Removing a file
1.
2.
3.
NOTE:
You can also remove a file by clicking the corresponding icon.
2.
Select the box to the left of an application file (with the extension of .bin or .app).
You can set one file at a time.
3.
Click Set as Main Boot File to set the main boot file to be used at the next startup.
Interface management
Interface management overview
An interface is the point of interaction or communication used for exchanging data between entities.
There are two types of interfaces: physical and logical. A physical interface refers to an interface that
physically exists as a hardware component. An example is Ethernet interfaces. A logical interface refers
to an interface that can implement data switching but does not exist physically. A logical interface must
be created manually. An example is VLAN interfaces.
You can use the interface management feature on the Web-based configuration interface to manage the
following types of interfaces.
Layer 2 Ethernet interface: Physical interface operating on the data link layer for forwarding Layer 2
protocol packets.
Management Ethernet interface: Physical interface operating on the network layer. You can configure IP
addresses for a management Ethernet interface. You can log in to the device through a management
Ethernet interface to manage the device.
Loopback interface: A loopback interface is a software-only virtual interface. The physical layer state
and link layer protocols of a loopback interface are always up unless the loopback interface is manually
shut down. You can enable routing protocols on a loopback interface, and a loopback interface can send
and receive routing protocol packets. When you assign an IPv4 address whose mask is not 32-bit, the
system automatically changes the mask into a 32-bit mask.
Null interface: A null interface is a completely software-based logical interface, and is always up.
However, you cannot use it to forward data packets or configure an IP address or link layer protocol on it.
With a null interface specified as the next hop of a static route to a specific network segment, any
packets routed to the network segment are dropped. The null interface provides a simpler way to filter
packets than an ACL. You can filter uninteresting traffic by routing it to a null interface instead of
applying an ACL.
VLAN interface: Virtual Layer 3 interface used for Layer 3 communications between VLANs. A VLAN interface
corresponds to a VLAN. You can assign an IP address to a VLAN interface and specify it as the gateway of
the corresponding VLAN to forward traffic destined for an IP network segment different from that of the
VLAN.
Virtual template (VT) interface: Template used for configuring virtual access (VA) interfaces.
With the interface management feature, you can view interface information, create/remove logical
interfaces, change interface status, and reset interface parameters.
2.
Click an interface name in the Name column to display the statistics of that interface.
The page for displaying interface statistics appears.
Creating an interface
1.
2.
Click Add.
The page for creating an interface appears.
3.
4.
Click Apply.
Description
Interface Name
VID
MTU
IMPORTANT:
Support for this configuration item depends on the interface type. All Layer 3 interfaces
support MTU.
Item
Description
TCP MSS
Set the TCP maximum segment size (MSS) for the interface. The TCP MSS value limits the payload of TCP
segments sent on the interface and so affects whether the IP packets carrying them must be fragmented
and reassembled.
IMPORTANT:
Support for this configuration item depends on the interface type. All Layer 3 interfaces
support MTU.
IP Config
Set the way for the interface to obtain an IP address, which can be:
None: Select this option if you do not want to assign an IP address to the interface.
Static Address: Select this option to manually assign an IP address and mask to the interface. If this
option is selected, you must set the IP Address and Mask fields.
DHCP: Select this option for the interface to obtain an IP address through DHCP automatically.
Unnumbered: Select this option to borrow the IP address of another interface on the same device for the
interface. If this option is selected, you must select the interface whose IP address you want to borrow
in the Unnumbered Interfaces list.
IMPORTANT:
Support for the way of obtaining an IP address depends on the interface type.
IP Address/Mask
After selecting the Static Address option for the IP Config configuration item, you
need to set the primary IP address and mask, and secondary IP addresses and
masks for the interface.
Secondary IP
Address/Mask
IMPORTANT:
device model.
Unnumbered Interface
If the Unnumbered option is selected as the way for the interface to obtain an IP
address, you must set the interface whose IP address is to be borrowed.
IPv6 Config
Set the way for the interface to obtain an IPv6 link-local address, which can be:
None: Select this option if you do not want to assign an IPv6 link-local address to the interface.
Auto: Select this option for the system to automatically assign an IPv6 link-local address to the
interface.
Manual: Select this option to manually assign an IPv6 link-local address to the interface. If this option
is selected, you must set the IPv6 Link Local Address field.
If the Manual option is selected as the way for the interface to obtain an IPv6 link-local address, you
must set an IPv6 link-local address for the interface.
2.
Click the
3.
Modify the information about the Layer 2 physical interface as described in Table 38.
4.
Click Apply.
Description
Port State
Enable or disable the interface.
In some cases, modification to the interface parameters does not take effect
immediately. You need to shut down and then bring up the interface to make the
modification work.
Item
Description
Speed
Set the transmission rate of the interface. Available options include:
10: 10 Mbps.
100: 100 Mbps.
1000: 1000 Mbps.
Auto: Auto-negotiation.
Auto 10: The auto-negotiation rate of the interface is 10 Mbps.
Auto 100: The auto-negotiation rate of the interface is 100 Mbps.
Auto 1000: The auto-negotiation rate of the interface is 1000 Mbps.
Auto 10 100: The auto-negotiation rate of the interface is 10 Mbps or 100 Mbps.
Auto 10 1000: The auto-negotiation rate of the interface is 10 Mbps or 1000 Mbps.
Auto 100 1000: The auto-negotiation rate of the interface is 100 Mbps or 1000 Mbps.
Duplex
Set the duplex mode of the interface. Available options include:
Auto: Auto-negotiation.
Full: Full duplex.
Half: Half duplex.
Link Type
Set the link type of the current interface, which can be access, hybrid, or trunk. For more information,
see Table 39.
IMPORTANT:
To change the link type of a port from trunk to hybrid or vice versa, you must first set its link type to
access.
PVID
Set the default VLAN ID of the hybrid or trunk port.
IMPORTANT:
The trunk ports at the two ends of a link must have the same PVID. Otherwise, frames of the default VLAN,
which cross the link untagged, are assigned to a different VLAN on each side.
Item
Description
MDI
Set the Medium Dependent Interface (MDI) mode for the interface.
Two types of Ethernet cables can be used to connect Ethernet devices: crossover cable and straight-through
cable. To accommodate these two types of cables, an Ethernet interface on the device can operate in one of
the following three MDI modes:
Across mode.
Normal mode.
Auto mode.
An Ethernet interface is composed of eight pins. By default, each pin has its particular role. For example,
pin 1 and pin 2 are used for transmitting signals; pin 3 and pin 6 are used for receiving signals. You can
change the pin roles by setting the MDI mode.
In across mode, the default pin roles are kept, that is, pin 1 and pin 2 for
transmitting signals, and pin 3 and pin 6 for receiving signals.
In auto mode, the pin roles are determined through auto negotiation.
In normal mode, pin 1 and pin 2 are used for receiving signals while pin 3 and
pin 6 are used for transmitting signals.
To enable normal communication, you should connect the local transmit pins to the
remote receive pins. Therefore, you should configure the MDI mode depending on
the cable types.
Generally, the auto mode is recommended. The other two modes are useful only
when the device cannot determine the cable types.
When straight-through cables are used, the local MDI mode must be different
from the remote MDI mode.
When crossover cables are used, the local MDI mode must be the same as the
remote MDI mode, or the MDI mode of at least one end must be set to auto.
Flow Control
After flow control is enabled on both ends, if there is traffic congestion on the device
on the local end, it sends information to notify the peer end to stop sending packets
temporarily; upon receiving the information, the peer end stops sending packets;
and vice versa. This is used to avoid packet loss.
IMPORTANT:
Flow control can be realized only when it is enabled on both ends.
Jumbo Frame
Item
Description
Set multicast suppression. You can suppress multicast traffic by percentage or by PPS
as follows:
Set unicast suppression. You can suppress unicast traffic by percentage or by PPS as
follows:
Ethernet interface per second. When this option is selected, you need to enter a
number in the box below.
Description
Access
An access port can belong to only one VLAN and is usually used to connect a user
device.
Hybrid
A hybrid port can be assigned to multiple VLANs to receive and send packets for
them and allows packets of multiple VLANs to pass through untagged.
Hybrid ports can be used to connect network devices, as well as user devices.
Trunk
A trunk port can be assigned to multiple VLANs to receive and send packets for them
but allows only packets of the default VLAN to pass through untagged.
Trunk ports are usually used to connect network devices.
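The tagging rules in Table 39 are easier to check as code. The following is an added example, not part of the H3C guide or of H3C software: it models how access, hybrid and trunk ports classify frames on ingress and tag them on egress, and shows what happens when the trunk ports at the two ends of a link have different PVIDs. Port names, VLAN IDs and frames are constructed, and the model deliberately ignores details such as MAC learning and priority-tagged frames.

```python
"""Added example (not from the H3C guide): a model of access/hybrid/trunk
port behaviour from Table 39, used to show the effect of a PVID mismatch
between the trunk ports on a link. All ports and VLAN IDs are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Set, Union

DROP = "drop"


@dataclass
class Port:
    name: str
    link_type: str                    # "access", "hybrid" or "trunk"
    pvid: int                         # default VLAN of the port
    permitted: Set[int] = field(default_factory=set)  # VLANs the port carries
    untagged: Set[int] = field(default_factory=set)   # hybrid: VLANs sent untagged

    def __post_init__(self):
        if self.link_type == "access":
            # An access port belongs to exactly one VLAN and never tags frames.
            self.permitted, self.untagged = {self.pvid}, {self.pvid}
        elif self.link_type == "trunk":
            # A trunk carries many VLANs but only the default VLAN leaves untagged.
            self.permitted.add(self.pvid)
            self.untagged = {self.pvid}
        elif self.link_type == "hybrid":
            # A hybrid port may send several VLANs untagged, always including the PVID.
            self.permitted.add(self.pvid)
            self.untagged.add(self.pvid)
        else:
            raise ValueError(f"unknown link type {self.link_type!r}")


def ingress(port: Port, tag: Optional[int]) -> Union[int, str]:
    """Classify a frame arriving on `port`: untagged frames are assigned the
    PVID; tagged frames are accepted only for permitted VLANs."""
    if tag is None:
        return port.pvid
    return tag if tag in port.permitted else DROP


def egress(port: Port, vlan: int) -> Union[int, None, str]:
    """How a frame of `vlan` leaves `port`: None = sent untagged,
    an int = sent with that 802.1Q tag, DROP = not forwarded."""
    if vlan not in port.permitted:
        return DROP
    return None if vlan in port.untagged else vlan


def forward(src: Port, vlan: int, dst: Port) -> Union[int, str]:
    """Send a frame of `vlan` out of `src` across a link into `dst` and return
    the VLAN it is classified into on the far side."""
    tag = egress(src, vlan)
    if tag == DROP:
        return DROP
    return ingress(dst, tag)


if __name__ == "__main__":
    # Mismatched PVIDs on a trunk link: VLAN 10 leaves A untagged and is
    # classified into VLAN 20 on B, silently crossing a VLAN boundary.
    a = Port("AC GE1/0/1", "trunk", pvid=10, permitted={10, 20, 30})
    b = Port("Switch GE1/0/24", "trunk", pvid=20, permitted={10, 20, 30})
    print("A(pvid 10) -> B(pvid 20), VLAN 10 arrives as", forward(a, 10, b))
    # Matching PVIDs keep the frame in VLAN 10; tagged VLANs are unaffected.
    c = Port("Switch GE1/0/23", "trunk", pvid=10, permitted={10, 20, 30})
    print("A(pvid 10) -> C(pvid 10), VLAN 10 arrives as", forward(a, 10, c))
    print("A -> B, VLAN 30 (tagged) arrives as", forward(a, 30, b))
    # An access port drops tagged frames for VLANs it does not belong to.
    u = Port("user port", "access", pvid=10)
    print("A -> access(10), VLAN 20 arrives as", forward(a, 20, u))
```

The PVID mismatch case is the practical reason behind the rule that trunk ports at both ends must share a PVID: nothing is dropped, the frame simply lands in the wrong VLAN, which is exactly the kind of silent boundary crossing a segmentation design relies on not happening.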
2.
Click the
3.
4.
Click Apply.
Description
Interface Type
Set the interface type, which can be Electrical port, Optical port, or None.
Interface Status
Display and set the interface status.
The display of Connected indicates that the current status of the interface is up and connected. You can
click Disable to shut down the interface.
The display of Not connected indicates that the current status of the interface is up but not connected.
You can click Disable to shut down the interface.
The display of Administratively Down indicates that the interface is shut down by the administrator. You
can click Enable to bring up the interface.
After you click Enable or Disable, the page displaying interface information appears.
IMPORTANT:
For an interface whose status cannot be changed, the Enable or Disable button is not
available.
Working Mode
Configuration procedure
1.
c.
d. Click Apply.
2.
c.
Select Vlan-interface from the Interface Name list, enter the interface ID 100, select the Static
Address option in the IP Config area, enter the IP address 10.1.1.2, and select 24
(255.255.255.0) from the Mask list.
d. Click Apply.
Port mirroring
NOTE:
There are two kinds of port mirroring: local port mirroring and remote port mirroring. Unless otherwise
specified, port mirroring described in this chapter all refers to local port mirroring.
Support for the port mirroring feature depends on the device model. For more information, see "Feature
matrixes."
Port mirroring is implemented through mirroring groups. The mirroring ports and the monitor port are in
the same mirroring group. With port mirroring enabled, the device copies packets passing through the
mirroring ports to the monitor port.
Remarks
Required.
2.
3.
4.
Click Apply.
Description
Mirroring Group ID
Type
2.
3.
Configure the port information for the mirroring group as described in Table 43.
4.
Click Apply.
The progress bar appears.
5.
Click Close after the progress bar prompts that the configuration is complete.
Description
Mirroring Group ID
Port Type
Item
Description
Stream Orientation
Set the direction of the traffic monitored by the monitor port of the mirroring group.
This configuration item is available when Mirror Port is selected in the Port Type list.
interface name
Configuration examples
Network requirements
As shown in Figure 73, the customer network is as described below:
Configure port mirroring to monitor the bidirectional traffic on GigabitEthernet 1/0/1 of AC on the
server.
To satisfy the above requirement through port mirroring, perform the following configuration on AC:
2.
Click Add.
The page for adding a mirroring group appears.
3.
Enter 1 for Mirroring Group ID and select Local in the Type list.
4.
Click Apply.
2.
Select 1 Local for Mirroring Group ID, select Mirror Port for Port Type, select both for Stream
Orientation, and select GigabitEthernet 1/0/1 from the interface name list.
3.
Click Apply.
The progress bar appears.
4.
Click Close after the progress bar prompts that the configuration is complete.
2.
Select 1 Local for Mirroring Group ID, select Monitor Port for Port Type, and select
GigabitEthernet 1/0/2 from the interface name list.
3.
Click Apply.
A progress bar appears.
4.
Click Close after the progress bar prompts that the configuration is complete.
Configuration guidelines
When you configure port mirroring, follow these guidelines:
Depending on the device model, you can assign these types of ports to a mirroring group as
mirroring ports: Layer 2 Ethernet, Layer 3 Ethernet, POS, CPOS, serial, and MP-group.
Depending on the device model, you can configure these types of ports as the monitor port: Layer
2 Ethernet, Layer 3 Ethernet, and tunnel.
To ensure normal operation of your device, do not enable STP, MSTP, or RSTP on the monitor port.
On some types of devices, you can configure a member port in link aggregation as the monitor
port.
You can configure multiple mirroring ports but only one monitor port for a mirroring group.
User management
In the user management part, you can perform the following configuration:
Create a local user, and set the password, access level, and service type for the user.
Set the super password for switching the current Web user level to the management level.
Switch the current Web user access level to the management level.
Creating a user
1.
2.
3.
4.
Click Apply.
Description
Username
Item
Description
Access Level
Set the access level for a user. Users of different levels can perform different operations.
Web user levels, from low to high, are visitor, monitor, configure, and management.
Visitor: Users of visitor level can perform the ping and traceroute operations, but they can neither
access the device data nor configure the device.
Monitor: Users of this level can only access the device data but cannot configure the device.
Configure: Users of this level can access data on the device and configure the device, but they cannot
upgrade the host software, add/delete/modify users, or back up/restore the application file.
Confirm Password
Enter the same password again. Otherwise, when you apply the configuration, the system prompts that the
two passwords entered are not consistent.
Service Type
Set the service type, including Web, FTP, and Telnet services. You must select one of
them.
2.
3.
4.
Click Apply.
Description
Create/Remove
Set the operation type:
Password
Confirm Password
Enter the same password again. Otherwise, when you apply the configuration, the system prompts that the
two passwords entered are not consistent.
Before switching, make sure that the super password is already configured. A user cannot switch to
the management level without a super password.
The access level switchover of a user is valid for the current login only. The access level configured
for the user is not changed. When the user logs in to the Web interface again, the access level of the
user is still the original level.
2.
3.
4.
Click Login.
SNMP configuration
SNMP overview
Simple Network Management Protocol (SNMP) offers the communication rules between a management
device and the managed devices on the network; it defines a series of messages, methods and syntaxes
to implement the access and management from the management device to the managed devices. SNMP
shields the physical differences between various devices and realizes automatic management of
products from different manufacturers.
An SNMP enabled network comprises the network management system (NMS) and agents.
The NMS manages agents by exchanging management information through SNMP. The NMS and
managed agents must use the same SNMP version.
SNMP agents support SNMPv1, SNMPv2c, and SNMPv3.
SNMPv1 uses a community name for authentication. The community name defines the relationship
between an SNMP NMS and an SNMP agent. SNMP packets whose community names do not
pass authentication on the device are simply discarded. A community name plays a role similar
to a password and can be used to control access from the NMS to the agent.
SNMPv2c also uses a community name for authentication. It is compatible with SNMPv1 and
extends its functions: SNMPv2c provides more operation modes such as GetBulk and
InformRequest, supports more data types such as Counter64, and provides various error codes,
so it can distinguish errors in more detail.
SNMPv3 offers authentication implemented with the User-Based Security Model (USM).
You can enable the authentication and privacy functions. Authentication verifies the validity
of the sender of a packet, preventing access by unauthorized users; privacy encrypts the
packets between the NMS and agents, preventing them from being intercepted.
With authentication and privacy, USM ensures more secure communication between the SNMP
NMS and the SNMP agent.
For more information about SNMP, see H3C WX Series Access Controllers Network Management and
Monitoring Configuration Guide.
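As an added example (not part of this guide and not H3C's software), the following Python code shows what makes the SNMPv3 USM described above stronger than a community name: the user's password is turned into a key (RFC 3414 appendix A.2) and then localized with the agent's engine ID, so every agent ends up with a different key, and each authenticated message carries a 12-byte HMAC tag that the receiver verifies. The function and variable names are this example's own; the test values come from RFC 3414 appendix A.3.

```python
import hashlib
import hmac

# RFC 3414, appendix A.2: the password is repeated to fill exactly 1 MiB,
# and that buffer is hashed to produce the user key Ku.
PASSWORD_EXPANSION = 1_048_576


def password_to_key(password: bytes, algorithm: str = "md5") -> bytes:
    """Ku = H(password repeated to 1 MiB), with H = MD5 or SHA-1 (RFC 3414 A.2)."""
    if not password:
        raise ValueError("empty password")
    repeated = password * (PASSWORD_EXPANSION // len(password) + 1)
    return hashlib.new(algorithm, repeated[:PASSWORD_EXPANSION]).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). The key is tied to one agent's engine ID,
    so a key recovered from one agent is useless against another agent."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def usm_localized_key(password: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    return localize_key(password_to_key(password, algorithm), engine_id, algorithm)


def auth_parameters(kul: bytes, whole_msg: bytes, algorithm: str = "md5") -> bytes:
    """msgAuthenticationParameters for HMAC-MD5-96 / HMAC-SHA-96: the HMAC over the
    whole message (with the 12-byte parameter field zeroed) truncated to 12 bytes."""
    return hmac.new(kul, whole_msg, algorithm).digest()[:12]


def verify_auth(kul: bytes, whole_msg: bytes, received_tag: bytes,
                algorithm: str = "md5") -> bool:
    """Constant-time comparison, as the agent does for an incoming authenticated PDU."""
    return hmac.compare_digest(auth_parameters(kul, whole_msg, algorithm), received_tag)


if __name__ == "__main__":
    # Values from RFC 3414 appendix A.3: password "maplesyrup", engine ID 00..02.
    engine_id = bytes.fromhex("000000000000000000000002")
    print("localized MD5 key:", usm_localized_key(b"maplesyrup", engine_id, "md5").hex())
    print("localized SHA key:", usm_localized_key(b"maplesyrup", engine_id, "sha1").hex())
```

A community name, by contrast, travels in cleartext in every SNMPv1/v2c packet and is all that is needed to pass the community check, which is why binding a view and an ACL to each community matters for v1/v2c deployments.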
Remarks
Required.
The SNMP agent function is disabled by default.
Enabling SNMP
IMPORTANT:
If SNMP agent is disabled, all SNMP agent-related configurations are
removed.
Task
Remarks
Optional.
After creating SNMP views, you can specify an SNMP view for an
SNMP group to limit the MIB objects that can be accessed by the
SNMP group.
Required.
Optional.
Allows you to configure that the agent can send SNMP traps to the
NMS, and configure information about the target host of the SNMP
traps.
By default, an agent is allowed to send SNMP traps to the NMS.
Optional.
Remarks
Required.
The SNMP agent function is disabled by default.
Enabling SNMP
IMPORTANT:
If SNMP agent is disabled, all SNMP agent-related configurations are
removed.
Optional.
After creating SNMP views, you can specify an SNMP view for an SNMP
group to limit the MIB objects that can be accessed by the SNMP group.
Required.
After creating an SNMP group, you can add SNMP users to the group
when creating the users. Therefore, you can realize centralized
management of users in the group through the management of the group.
Required.
Before creating an SNMP user, you need to create the SNMP group to
which the user belongs.
Optional.
Allows you to configure that the agent can send SNMP traps to the NMS,
and configure information about the target host of the SNMP traps
By default, an agent is allowed to send SNMP traps to the NMS.
Optional.
Enabling SNMP
1.
Figure 80 Set up
2.
Configure SNMP settings on the upper part of the page as described in Table 48.
3.
Click Apply.
Description
SNMP
Local Engine ID
Item
Description
Configure the maximum size of an SNMP packet that the agent can
receive/send.
Contact
Location
SNMP Version
2.
3.
Click Add.
The Add View window appears.
4.
5.
Click Apply.
The page in Figure 83 appears.
6.
7.
Click Add.
8.
Repeat steps 6 and 7 to add more rules for the SNMP view.
9.
Click Apply.
To cancel the view, click Cancel.
Description
View Name
Rule
Subtree Mask
2.
3.
Click the
4.
5.
Click Apply.
NOTE:
You can modify the rules of a view in the page you enter by clicking the
2.
3.
Click Add.
The Add SNMP Community page appears.
4.
5.
Click Apply.
Description
Community Name
Access Right
Read only: The NMS can perform read-only operations to the MIB objects
Read and write: The NMS can perform both read and write operations to
the MIB objects when it uses this community name to access the agent.
View
Specify the view associated with the community to limit the MIB objects that
can be accessed by the NMS.
ACL
Associate the community with a basic ACL to allow or prohibit the access to the
agent from the NMS with the specified source IP address.
2.
3.
Click Add.
The Add SNMP Group page appears.
4.
5.
Click Apply.
Description
Group Name
Security Level
Read View
Item
Description
Select the write view of the SNMP group.
Write View
Notify View
ACL
2.
3.
Click Add.
The Add SNMP User page appears.
4.
5.
Click Apply.
Description
User Name
Security Level
Group Name
Authentication Mode
Item
Description
Authentication Password
Privacy Mode
Privacy Password
The confirm privacy password must be the same as the privacy password.
ACL
Associate a basic ACL with the user to restrict the source IP address
of SNMP packets. You can permit or deny SNMP packets with a specific
source IP address, so as to permit or deny access to the agent by the
specified NMS using this user name.
2.
3.
4.
Click Apply.
5.
Click Add.
The page for adding a target host of SNMP traps appears.
6.
Configure the settings for the target host as described in Table 53.
7.
Click Apply.
Description
Destination IP Address
Set the destination IP address or domain. Select the IP address type, IPv4/Domain
or IPv6, and then type the corresponding IP address or domain in the field
according to the IP address type.
Security Name
Set the security name, which can be an SNMPv1 community name,
an SNMPv2c community name, or an SNMPv3 user name.
UDP Port
Set the UDP port number.
IMPORTANT:
The default port number is 162, which is the SNMP-specified port used
for receiving traps on the NMS. Generally (for example, when using iMC or MIB
Browser as the NMS), you can use the default port number. If you change
this parameter to another value, make sure that the configuration is the
same as that on the NMS.
Security Model
Select the security model, that is, the SNMP version, which must be
the same as that running on the NMS; otherwise, the NMS cannot
receive any trap.
Security Level
Set the authentication and privacy mode for SNMP traps when the
security model is v3. The available security levels are: no
authentication no privacy, authentication but no privacy, and
authentication and privacy.
d. Click Apply.
2.
Select the Included radio box, enter the MIB subtree OID interfaces, and click Add.
f. Click Apply.
3.
Enter group1 in the field of Group Name, select view1 from the Read View box, and select
view1 from the Write View box.
d. Click Apply.
4.
Enter user1 in the field of User Name and select group1 from the Group Name box.
d. Click Apply.
5.
Click Apply.
6.
enter the user name user1, and select v3 from the Security Model list.
c.
Click Apply.
SNMPv3 adopts a security mechanism of authentication and privacy. You must configure username and
security level. According to the configured security level, you must configure the related authentication
mode, authentication password, privacy mode, privacy password, and so on.
You must also configure the aging time and retry times. After these configurations, you can configure the
device as needed through the NMS. For more information about NMS configuration, see the manual
provided for NMS.
After the above configuration, an SNMP connection is established between the NMS and the agent.
The NMS can get and configure the values of some parameters on the agent through MIB nodes.
If an idle interface on the agent is shut down or brought up, the NMS receives trap information
sent by the agent.
Loopback
You can check whether an Ethernet port works normally by performing the Ethernet port loopback test,
during which the port cannot forward data packets normally.
Ethernet port loopback test can be an internal loopback test or an external loopback test.
In an internal loopback test, a self-loop is established in the switching chip to check whether there is
a chip failure related to the functions of the port.
In an external loopback test, a self-loop header is used on the port. Packets forwarded by the port
will be received by itself through the self-loop header. The external loopback test can be used to
check whether there is a hardware failure on the port.
Loopback operation
1.
2.
3.
Description
External
Internal
Set the loopback test type, which can be External or Internal.
Configuration guidelines
When you perform a loopback test, follow these guidelines:
You can perform an internal loopback test but not an external loopback test on a port that is
physically down, while you can perform neither test on a port that is manually shut down.
The system does not allow Rate, Duplex, Cable Type, and Port Status configuration on a port under
a loopback test.
An Ethernet port operates in full duplex mode when the loopback test is performed, and restores its
original duplex mode after the loopback test.
Overview
A device maintains a MAC address table for frame forwarding. Each entry in this table indicates the
MAC address of a connected device, to which interface this device is connected and to which VLAN the
interface belongs. A MAC address table consists of two types of entries: static and dynamic. Static
entries are manually configured and never age out. Dynamic entries can be manually configured or
dynamically learned and will age out.
When a frame arrives at a port, Port A for example, the device performs the following tasks:
1.
Checks the frame for the source MAC address (MAC-SOURCE for example).
2.
When receiving a frame destined for MAC-SOURCE, the device looks up the MAC address table and
forwards it from port A.
NOTE:
Dynamically learned MAC addresses cannot overwrite static MAC address entries, but the latter can
overwrite the former.
When forwarding a frame, the device adopts the following forwarding modes based on the MAC
address table:
Unicast mode: If an entry matching the destination MAC address exists, the device forwards the
frame directly from the sending port recorded in the entry.
Broadcast mode: If the device receives a frame with the destination address being all Fs, or no
entry matches the destination MAC address, the device broadcasts the frame to all the ports except
the receiving port.
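The forwarding behaviour just described, as an added Python model that is not code from this guide or from the device: a table keyed by (MAC address, VLAN), dynamic learning that cannot overwrite static entries while a static entry overwrites a dynamic one, aging of dynamic entries, and the unicast and broadcast forwarding modes. Port names, MAC addresses, timestamps and the aging time are constructed for the example; the rule that a frame whose destination sits on the receiving port is not sent back out is an assumption beyond the page.

```python
from dataclasses import dataclass

BROADCAST = "ffff-ffff-ffff"   # all-Fs destination, in the hhhh-hhhh-hhhh style used on the page


@dataclass
class MacEntry:
    port: str
    static: bool
    learned_at: float   # time of the last learning; unused for static entries


class MacTable:
    """Minimal model of the MAC address table described above, keyed by (MAC, VLAN)."""

    def __init__(self, aging_time=300.0):
        self.aging_time = aging_time          # seconds; None models the no-aging setting
        self.entries = {}                     # (mac, vlan) -> MacEntry

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        # Static entries are configured manually, never age, and overwrite dynamic ones.
        self.entries[(mac, vlan)] = MacEntry(port, True, 0.0)

    def learn(self, mac: str, vlan: int, port: str, now: float) -> bool:
        """Dynamic learning from a frame's source MAC. Returns False when a static
        entry already exists, because dynamic learning cannot overwrite it."""
        current = self.entries.get((mac, vlan))
        if current is not None and current.static:
            return False
        self.entries[(mac, vlan)] = MacEntry(port, False, now)
        return True

    def age(self, now: float) -> int:
        """Remove dynamic entries older than the aging time; returns how many."""
        if self.aging_time is None:
            return 0
        expired = [key for key, e in self.entries.items()
                   if not e.static and now - e.learned_at >= self.aging_time]
        for key in expired:
            del self.entries[key]
        return len(expired)

    def forward(self, src: str, dst: str, vlan: int, in_port: str,
                vlan_ports, now: float):
        """Process one frame: learn the source, then pick the egress ports.
        Unicast mode: a matching entry gives a single egress port.
        Broadcast mode: an all-Fs destination or no matching entry floods the frame
        to every port of the VLAN except the receiving port."""
        self.learn(src, vlan, in_port, now)
        entry = None if dst == BROADCAST else self.entries.get((dst, vlan))
        if entry is not None:
            # Assumption beyond the page: a frame whose destination is on the
            # receiving port is not sent back out, so no egress port is returned.
            return [] if entry.port == in_port else [entry.port]
        return [p for p in vlan_ports if p != in_port]
```

Running the scenario from the text (a frame from MAC-SOURCE arrives on Port A, then a frame destined for MAC-SOURCE arrives elsewhere) shows the first frame flooded and the second sent only to Port A.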
Figure (MAC address table): entries MAC A, MAC B, MAC C and MAC D; ports Port 1 and Port 2.
Select Network > MAC from the navigation tree. The system automatically displays the MAC tab,
which shows all the MAC address entries on the device, as shown in Figure 105.
2.
Click Add at the bottom to enter the page for creating MAC address entries, as shown in Figure
106.
3.
4.
Click Apply.
Description
MAC
Port
2.
Click the Setup tab to enter the page for setting the MAC address entry aging time, as shown
in Figure 107.
Figure 107 Setting the aging time for MAC address entries
3.
4.
Click Apply.
Description
No-aging
Aging time
Configuration procedure
1.
Enter MAC address 00e0-fc35-dc71, select static from the Type list, select 1 from the VLAN list,
and select GigabitEthernet1/0/1 from the Port list.
d. Click Apply.
VLAN configuration
Overview
Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect
(CSMA/CD) mechanism. As the medium is shared, collisions and excessive broadcasts are common on
an Ethernet. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into separate
VLANs. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all broadcast
traffic is contained within it, as shown in Figure 109.
Figure 109 A VLAN diagram (elements shown: VLAN 2, Switch A, Router, Switch B, VLAN 5)
You can implement VLANs based on a variety of criteria. The web interface, however, is available only
for port-based VLANs, which group VLAN members by port. A port forwards traffic for a VLAN only after
it is assigned to the VLAN.
For more information about VLAN, see H3C WX Series Access Controllers Layer 2 Configuration Guide.
Remarks
1.
Creating a VLAN
Required.
2.
Modifying a VLAN
Required.
3.
Modifying a port
Creating a VLAN
1.
Select Network > VLAN from the navigation tree. The system automatically selects the VLAN tab
and enters the page as shown in Figure 110.
TIP:
To easily configure a specific range of VLANs within a large number of VLANs, enter a VLAN range in the
VLAN Range field and click Select, and all undesired VLANs will be filtered out. If you click Remove, all
VLANs within this range will be deleted.
2.
Click Add to enter the page for creating a VLAN, as shown in Figure 111.
3.
4.
Click Apply.
Modifying a VLAN
1.
Select Network > VLAN from the navigation tree. The system automatically selects the VLAN tab
and enters the page as shown in Figure 110.
2.
Click the
icon of the VLAN you want to modify to enter the page as shown in Figure 112.
3.
Configure the description and port members for the VLAN as described in Table 57.
4.
Click Apply.
Description
ID
Description
By default, the description string of a VLAN is its VLAN ID, such as VLAN
0001.
Port
Untagged Member
Tagged Member
Not a Member
Find the port to be modified and select the Untagged Member, Tagged
Member, or Not a Member option for the port:
Untagged: Indicates that the port sends the traffic of the VLAN with the
VLAN tag removed.
Tagged: Indicates that the port sends the traffic of the VLAN without
removing the VLAN tag.
When you configure an access port as a tagged member of a VLAN, the link
type of the port is automatically changed into hybrid.
Modifying a port
1.
2.
Click the Port tab to enter the page as shown in Figure 113.
3.
Click the
icon for the port to be modified to enter the page as shown in Figure 114.
4.
5.
Click Apply.
Description
Port
Untagged Member
Tagged Member
Item
Description
Untagged
Tagged
Not a Member
Untagged: Indicates that the port sends the traffic of the VLAN with the VLAN
tag removed.
Tagged: Indicates that the port sends the traffic of the VLAN without removing
the VLAN tag.
IMPORTANT:
When you configure a trunk port as an untagged member of multiple VLANs in bulk, the link
type of the port is automatically changed into hybrid.
VLAN ID
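As an added example, not code from this guide or from the device: a Python model of the 802.1Q tagging behaviour behind the Untagged, Tagged and Not a Member options, using the hybrid port from the configuration example that follows (default VLAN 100 untagged, VLAN 2 and VLANs 6 through 50 tagged). The sample frame bytes, the Port class and the function names are constructed for the example.

```python
import struct

TPID = 0x8100   # 802.1Q tag protocol identifier


def tag_of(frame: bytes):
    """VLAN ID carried by the frame's 802.1Q tag, or None if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def insert_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag after the destination and source MAC addresses (first 12 bytes)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID out of range")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:] if tag_of(frame) is not None else frame


class Port:
    """A port-based VLAN member port. `pvid` is the default VLAN assigned to untagged
    ingress frames; `untagged` and `tagged` are the VLANs the port is a member of."""

    def __init__(self, name: str, pvid: int, untagged=(), tagged=()):
        self.name, self.pvid = name, pvid
        self.untagged, self.tagged = set(untagged), set(tagged)
        if self.untagged & self.tagged:
            raise ValueError("a VLAN is either tagged or untagged on a port, not both")

    def ingress(self, frame: bytes):
        """Classify an incoming frame: returns its VLAN ID, or None when the port is
        not a member of that VLAN and must drop the frame."""
        vid = tag_of(frame)
        if vid is None:
            vid = self.pvid
        return vid if vid in self.untagged or vid in self.tagged else None

    def egress(self, frame: bytes, vid: int):
        """Send a frame of VLAN `vid` out of this port. Untagged member: the tag is
        removed; tagged member: the tag is kept or inserted; not a member: dropped (None)."""
        if vid in self.untagged:
            return strip_tag(frame)
        if vid in self.tagged:
            return frame if tag_of(frame) == vid else insert_tag(strip_tag(frame), vid)
        return None


# Constructed sample frame: destination MAC, source MAC, EtherType IPv4, dummy payload.
SAMPLE_FRAME = (bytes.fromhex("00e0fc350001") + bytes.fromhex("00e0fc350002")
                + b"\x08\x00" + b"constructed payload")

# The hybrid port from the configuration example: default VLAN 100 untagged,
# VLAN 2 and VLANs 6 through 50 tagged.
GE1_0_1 = Port("GigabitEthernet1/0/1", pvid=100, untagged={100}, tagged={2, *range(6, 51)})
```

Untagged traffic entering GigabitEthernet1/0/1 is classified into VLAN 100 and leaves untagged, traffic of VLAN 7 leaves with a tag inserted, and VLAN 3 traffic is never sent out of the port.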
GigabitEthernet 1/0/1 on both devices are hybrid ports with VLAN 100 as their default VLAN.
Configure GigabitEthernet 1/0/1 to permit packets of VLAN 2, VLAN 6 through VLAN 50, and
VLAN 100 to pass through.
Configuring AC
1.
d. Click Apply.
2.
c.
Click the
d. Select the Untagged Member option for port GigabitEthernet 1/0/1, as shown in Figure 118.
e. Click Apply.
3.
Configure GigabitEthernet 1/0/1 as a tagged member of VLAN 2, and VLAN 6 through VLAN
50:
a. Select Network > VLAN from the navigation tree and then select the Port tab.
b. Click the
c.
Select the Tagged option, and enter VLAN IDs 2, 6-50, as shown in Figure 119.
d. Click Apply. A dialog box appears asking you to confirm the operation.
e. Click OK in the dialog box.
Configuring Switch
The configuration on Switch is similar to that on AC.
Configuration guidelines
When you configure VLAN, follow these guidelines:
Some VLANs are reserved for special purposes. You cannot manually create or remove them.
ARP configuration
Overview
Introduction to ARP
The Address Resolution Protocol (ARP) is used to resolve an IP address into an Ethernet MAC address (or
physical address).
In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding
MAC address.
For more information about ARP, see H3C WX Series Access Controllers Layer 3 Configuration Guide.
Determine whether its IP address is already used by another device. If the IP address is already used,
the device will be informed of the conflict by an ARP reply.
Select Network > ARP Management from the navigation tree to enter the default ARP Table page
shown in Figure 120.
2.
Click Add to enter the New Static ARP Entry page, as shown in Figure 121.
3.
4.
Click Apply.
Description
IP Address
MAC Address
Item
Description
Advanced Options
VLAN ID
Port
Enter a VLAN ID and specify a port for the static ARP entry.
IMPORTANT:
The VLAN ID must be the ID of the VLAN that has already been created,
and the port must belong to the VLAN. The corresponding VLAN interface
must have been created.
Select Network > ARP Management from the navigation tree to enter the default ARP Table page
shown in Figure 120.
2.
Click the Gratuitous ARP tab to enter the page shown in Figure 122.
3.
Description
Enable the device to send gratuitous ARP packets upon receiving ARP
requests from another network segment.
Enabled by default.
Disabled by default.
Configuration procedure
1.
d. Click Apply.
2.
Click Apply.
3.
On the page that appears, select Vlan-interface from the Interface Name list, and enter 100,
select the Static Address option for IP Config, enter 192.168.1.2 for IP Address, and select 24
(255.255.255.0) for Mask.
d. Click Apply.
4.
page.
b. Click Add.
c.
On the page that appears, enter 192.168.1.1 for IP Address, enter 00e0-fc01-0000 for MAC
Address, select the Advanced Options option, enter 100 for VLAN ID, and select
GigabitEthernet1/0/1 from the Port list.
d. Click Apply.
ARP detection
The ARP detection feature enables access devices to block ARP packets from unauthorized clients to
prevent user spoofing and gateway spoofing attacks.
ARP detection provides the following functions:
User validity check: The device compares the sender IP and MAC addresses of a received ARP
packet against the static IP source guard binding entries, DHCP snooping entries, 802.1X security
entries, or OUI MAC addresses. If no match is found, the ARP packet is discarded.
ARP packet validity check: The device does not check ARP packets received from an ARP trusted
port. Upon receiving an ARP packet from an ARP untrusted port, the device checks the ARP packet
based on source MAC address, destination MAC address, or source and destination IP addresses.
ARP packets that fail the check are discarded.
For more information about ARP detection, see H3C WX Series Access Controllers Security
Configuration Guide.
Select Network > ARP Anti-Attack from the navigation tree to enter the default ARP Detection page
shown in Figure 128.
2.
3.
Click Apply.
Description
Select VLANs on which ARP detection is to be enabled.
VLAN Settings
To add VLANs to the Enabled VLANs list box, select one or multiple VLANs from the
Disabled VLANs list box and click the << button.
To remove VLANs from the Enabled VLANs list box, select one or multiple VLANs from the
list box and click the >> button.
Item
Description
Select trusted ports and untrusted ports.
Trusted Ports
To add ports to the Trusted Ports list box, select one or multiple ports from the Untrusted
Ports list box and click the << button.
To remove ports from the Trusted Ports list box, select one or multiple ports from the list box
and click the >> button.
ARP Packet Validity Check
Select ARP packet validity check modes, including:
Discard the ARP packet whose sender MAC address is different from the source MAC
address in the Ethernet header.
Discard the ARP packet whose target MAC address is all 0s, all 1s, or inconsistent with
Discard the ARP request whose source IP address is all 0s, all 1s, or a multicast address,
and discard the ARP reply whose source and destination IP addresses are all 0s, all 1s,
or multicast addresses.
ARP packet validity check takes precedence over user validity check. If none of the above
is selected, the system does not check the validity of ARP packets.
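The two ARP detection checks above, as an added Python example that is not code from this guide or from the device: it parses a raw Ethernet/ARP frame, applies the three packet validity checks (which take precedence over the user validity check) and then matches the sender against a binding table. The frames, MAC and IP addresses, binding entries and port names are constructed. Because the page's third condition is cut off, comparing the ARP target MAC with the Ethernet destination MAC is an assumption, as is skipping the user validity check on trusted ports (the page states that only for the packet validity check).

```python
import struct

ETHERTYPE_ARP = 0x0806
ZERO_MAC, BCAST_MAC = b"\x00" * 6, b"\xff" * 6
REQUEST, REPLY = 1, 2


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Construct an Ethernet II + ARP (IPv4 over Ethernet) frame for the examples."""
    return (eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa))


def parse_arp(frame: bytes) -> dict:
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    oper, sha, spa, tha, tpa = struct.unpack("!6xH6s4s6s4s", frame[14:42])
    return dict(eth_dst=frame[:6], eth_src=frame[6:12],
                oper=oper, sha=sha, spa=spa, tha=tha, tpa=tpa)


def bad_ip(addr: bytes) -> bool:
    """All 0s, all 1s, or an IPv4 multicast address (224.0.0.0/4)."""
    return addr in (b"\x00" * 4, b"\xff" * 4) or (addr[0] & 0xF0) == 0xE0


def packet_validity_check(arp: dict, checks=("src_mac", "dst_mac", "ip")):
    """The three ARP packet validity checks from the table above. Returns the reason
    for the first failed check, or None if the packet passes."""
    if "src_mac" in checks and arp["sha"] != arp["eth_src"]:
        return "sender MAC differs from Ethernet source MAC"
    if "dst_mac" in checks and arp["oper"] == REPLY:
        # Assumption: the truncated condition on the page compares the ARP target MAC
        # with the Ethernet destination MAC (only replies carry a meaningful target MAC).
        if arp["tha"] in (ZERO_MAC, BCAST_MAC) or arp["tha"] != arp["eth_dst"]:
            return "target MAC is all 0s, all 1s, or differs from Ethernet destination MAC"
    if "ip" in checks:
        if arp["oper"] == REQUEST and bad_ip(arp["spa"]):
            return "request sender IP is all 0s, all 1s, or multicast"
        if arp["oper"] == REPLY and (bad_ip(arp["spa"]) or bad_ip(arp["tpa"])):
            return "reply sender or target IP is all 0s, all 1s, or multicast"
    return None


def user_validity_check(arp: dict, vlan: int, port: str, bindings: set):
    """Match the sender IP/MAC against binding entries (for example from IP source guard
    or DHCP snooping); `bindings` is a set of (ip, mac, vlan, port) tuples."""
    if (arp["spa"], arp["sha"], vlan, port) in bindings:
        return None
    return "sender not in binding entries"


def arp_detection(frame: bytes, vlan: int, port: str, trusted_ports: set, bindings: set):
    """Returns ("forward", None) or ("discard", reason). Trusted ports are not checked
    (assumption: neither check runs there); on untrusted ports the packet validity
    check runs first, then the user validity check."""
    if port in trusted_ports:
        return "forward", None
    arp = parse_arp(frame)
    reason = packet_validity_check(arp) or user_validity_check(arp, vlan, port, bindings)
    return ("discard", reason) if reason else ("forward", None)


# Constructed sample environment: one host with a binding entry, and a gateway.
HOST_MAC, HOST_IP = bytes.fromhex("00e0fc010001"), bytes([192, 168, 1, 10])
GW_MAC, GW_IP = bytes.fromhex("00e0fc010000"), bytes([192, 168, 1, 1])
BINDINGS = {(HOST_IP, HOST_MAC, 100, "GE1/0/2")}
TRUSTED = {"GE1/0/1"}
```

With this set-up a request from the bound host on GE1/0/2 is forwarded, a request whose ARP sender MAC does not match the Ethernet source MAC is discarded by the packet validity check, and a well-formed request from a host with no binding entry is discarded by the user validity check unless it arrives on the trusted uplink port.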
2.
Click the Advanced Configuration tab to enter the page shown in Figure 129.
3.
4.
Click Apply.
Description
Source MAC Address Attack Detection
Detection Mode
Select the detection mode for source MAC address based ARP attack
detection. The detection mode can be:
sourced from a MAC address if the number of ARP packets received from
the MAC address within five seconds exceeds the specified value.
The device only generates an alarm if the number of ARP packets sent
from a MAC address within five seconds exceeds the specified value.
Aging Time
Enter the aging time of the source MAC address based ARP attack detection
entries.
Threshold
Enter the threshold of source MAC address based ARP attack detection.
Protected MAC
Configuration
Add a protected MAC address in the following way:
1.
2.
3.
Click Add.
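The source MAC address based ARP attack detection just described, as an added Python example rather than code from this guide or from the device: ARP packets are counted per source MAC over a five-second window, and once the count exceeds the threshold a detection entry is created that either drops that MAC's ARP packets or only raises an alarm, until the entry ages out. The mode names "filter" and "monitor", the packet trace and the protected MAC address are this example's own.

```python
from collections import deque


class SourceMacArpDetector:
    """Source MAC address based ARP attack detection. Mode "filter" drops the ARP
    packets of a flagged MAC and raises an alarm; mode "monitor" only raises the
    alarm. Both names are this example's labels for the two behaviours in the table."""

    WINDOW = 5.0   # seconds, as stated on the page

    def __init__(self, threshold: int, mode: str = "filter",
                 aging_time: float = 300.0, protected_macs=()):
        if mode not in ("filter", "monitor"):
            raise ValueError("mode must be 'filter' or 'monitor'")
        self.threshold, self.mode, self.aging_time = threshold, mode, aging_time
        self.protected = set(protected_macs)   # never flagged, e.g. the gateway MAC
        self.recent = {}       # mac -> deque of packet timestamps inside the window
        self.entries = {}      # mac -> time the detection entry was created
        self.alarms = []       # (time, mac) log; a device would send a trap or log

    def _age(self, now: float) -> None:
        """Detection entries expire after the aging time; the MAC starts clean."""
        for mac in [m for m, t in self.entries.items() if now - t >= self.aging_time]:
            del self.entries[mac]
            self.recent.pop(mac, None)

    def observe(self, mac: str, now: float) -> str:
        """Account for one ARP packet from `mac` at time `now`; returns 'forward' or 'drop'."""
        self._age(now)
        if mac in self.protected:
            return "forward"
        if mac in self.entries:
            return "drop" if self.mode == "filter" else "forward"
        window = self.recent.setdefault(mac, deque())
        window.append(now)
        while window and now - window[0] > self.WINDOW:
            window.popleft()                     # keep only the last five seconds
        if len(window) > self.threshold:
            self.entries[mac] = now
            self.alarms.append((now, mac))
            return "drop" if self.mode == "filter" else "forward"
        return "forward"


def replay(detector: SourceMacArpDetector, packets) -> int:
    """Run a constructed trace of (time, source MAC) pairs; returns how many were dropped."""
    return sum(detector.observe(mac, t) == "drop" for t, mac in packets)


# Constructed traces: one MAC sending 40 ARP packets in 4 seconds, one sending 1 per second.
BURST = [(i * 0.1, "00e0-fc00-bad1") for i in range(40)]
STEADY = [(float(i), "00e0-fc00-0001") for i in range(60)]
```

With a threshold of 30, the burst trips the detector on its 31st packet: in filter mode the remaining ten packets are dropped and the MAC stays blocked until the entry ages out, in monitor mode everything is forwarded but one alarm is logged, and a MAC on the protected list is never flagged. The steady sender never has more than six packets in any five-second window and is left alone.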
IGMP snooping sends Layer 2 multicast packets to the intended receivers only. This mechanism provides
the following advantages:
For more information about IGMP snooping, see H3C WX Series Access Controllers IP Multicast
Configuration Guide.
Remarks
Enabling IGMP snooping globally
Required.
By default, IGMP snooping is disabled.
Required.
Enable IGMP snooping in the VLAN and configure the IGMP
snooping version and querier feature.
2.
Optional.
Configure the maximum number of multicast groups allowed and the
fast leave function for ports in the specified VLAN.
3.
IMPORTANT:
4.
Optional.
Select Network > IGMP snooping from the navigation tree to enter the basic configuration page
shown in Figure 132.
2.
Select Network > IGMP snooping from the navigation tree to enter the basic configuration page
shown in Figure 132.
2.
Click the icon corresponding to the VLAN to enter the page where you can configure IGMP snooping
in the VLAN, as shown in Figure 133.
3.
4.
Click Apply.
Description
VLAN ID
IGMP snooping
You can proceed with the subsequent configurations only if Enable is selected
here.
Version
By configuring an IGMP snooping version, you actually configure the versions
of IGMP messages that IGMP snooping can process.
IGMP snooping version 2 can process IGMPv1 and IGMPv2 messages, but
not IGMPv3 messages, which will be flooded in the VLAN.
With the function of dropping unknown multicast data enabled, the device
drops all the unknown multicast data received.
With the function of dropping unknown multicast data disabled, the device
floods unknown multicast data in the VLAN to which the unknown multicast
data belong.
Querier
Query interval
Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2.
Click the Advanced tab to enter the page shown in Figure 134.
3.
4.
Click Apply.
Description
Select the port on which advanced IGMP snooping features are to be configured.
Port
VLAN ID
After a port is selected, advanced features configured on this port are displayed at
the lower part of this page.
Specify a VLAN in which you can configure the fast leave function for the port or the
maximum number of multicast groups allowed on the port.
Group Limit
Configure the maximum number of multicast groups that the port can join.
With this feature, you can regulate multicast traffic on the port.
IMPORTANT:
When the number of multicast groups a port has joined reaches the configured
threshold, the system deletes all the forwarding entries persistent on that port from
the IGMP snooping forwarding table, and the hosts on this port must join the
multicast groups again.
Support for the maximum number of multicast groups that a port can join may
vary depending on your device model. For more information, see "Feature
matrixes."
Item
Description
Enable or disable the fast leave function for the port.
Fast Leave
With the fast leave function enabled on a port, the device, when receiving an IGMP
leave message on the port, immediately deletes that port from the outgoing port list
of the corresponding forwarding table entry. Then, when receiving IGMP
group-specific queries for that multicast group, the device will not forward them to
that port. In VLANs where only one host is attached to each port, the fast leave
function helps improve bandwidth and resource usage.
IMPORTANT:
If fast leave is enabled for a port to which more than one host is attached, when one
host leaves a multicast group, the other hosts listening to the same multicast group will
fail to receive multicast data.
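As an added Python model (not code from this guide or from the device) of the IGMP snooping behaviour in the tables above: member ports per group, the fast leave shortcut versus waiting for the group-specific query to go unanswered, the group limit that clears a port's entries, and the drop versus flood treatment of unknown multicast data. Port names and group addresses are constructed, and the point at which the limit clears the port (a join that would exceed the limit) is this example's reading of the IMPORTANT note.

```python
class IgmpSnoopingVlan:
    """IGMP snooping forwarding state for one VLAN: which member ports receive each
    group, plus the fast leave and group limit behaviour described above."""

    def __init__(self, vlan_id: int, ports, router_ports=(), drop_unknown: bool = False):
        self.vlan = vlan_id
        self.ports = list(ports)
        self.router_ports = set(router_ports)  # ports towards the querier / Layer 3 device
        self.drop_unknown = drop_unknown
        self.members = {}            # group -> set of member ports
        self.pending_leave = set()   # (group, port) pairs awaiting a group-specific query
        self.fast_leave = set()      # ports with fast leave enabled
        self.group_limit = {}        # port -> maximum number of groups

    def groups_on(self, port: str) -> int:
        return sum(port in ports for ports in self.members.values())

    def report(self, group: str, port: str) -> bool:
        """IGMP membership report from a host on `port`. Returns False when the port's
        group limit blocks the join; as the page says, the entries on that port are
        then removed and the hosts must join again."""
        self.pending_leave.discard((group, port))
        if port in self.members.get(group, ()):
            return True
        limit = self.group_limit.get(port)
        if limit is not None and self.groups_on(port) >= limit:
            for ports in self.members.values():
                ports.discard(port)
            return False
        self.members.setdefault(group, set()).add(port)
        return True

    def leave(self, group: str, port: str) -> None:
        """IGMP leave: with fast leave the port is removed at once; otherwise the device
        keeps forwarding until its group-specific queries go unanswered."""
        if port not in self.members.get(group, ()):
            return
        if port in self.fast_leave:
            self.members[group].discard(port)
        else:
            self.pending_leave.add((group, port))

    def query_timeout(self) -> None:
        """No report answered the group-specific queries: remove the pending ports."""
        for group, port in self.pending_leave:
            self.members.get(group, set()).discard(port)
        self.pending_leave.clear()

    def egress(self, group: str, in_port: str):
        """Ports that receive multicast data for `group` arriving on `in_port`."""
        if group in self.members:
            out = self.members[group] | self.router_ports
        elif self.drop_unknown:
            out = set()                    # unknown multicast data is dropped
        else:
            out = set(self.ports)          # unknown multicast data floods the VLAN
        return sorted(out - {in_port})
```

The model cannot show the IMPORTANT caveat directly (it tracks ports, not hosts), but it makes the trade-off visible: with fast leave the port stops receiving the group the moment any host leaves, without it the port keeps receiving until the query timeout.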
Select Network > IGMP snooping from the navigation tree to enter the basic configuration page
shown in Figure 132.
2.
Click the plus sign (+) in front of Show Entries to display IGMP snooping multicast entries, as shown
in Figure 135.
3.
Click the icon corresponding to an entry to display the detailed information of the entry, as
shown in Figure 136.
Description
VLAN ID
Source
Group
Router port
Member port
As shown in Figure 137, Router A connects to a multicast source (Source) through Ethernet 1/2, and
to AC through Ethernet 1/1.
The multicast source sends multicast data to group 224.1.1.1. Host A is a receiver of the multicast
group.
The function of dropping unknown multicast packets is enabled on AC to prevent AC from flooding
multicast packets in the VLAN if no corresponding Layer 2 forwarding entry exists.
The fast leave function is enabled for GigabitEthernet 1/0/2 on AC to improve bandwidth and
resource usage.
Configuring IP addresses
Configure the IP address for each interface, as shown in Figure 137. (Details not shown.)
Configuring Router A
Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet 1/1.
(Details not shown.)
Configuring the AC
1.
d. Click Apply.
2.
b. Select the Untagged Member option for GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2,
Click Apply.
3.
page.
Click Apply.
4.
Enable IGMP snooping and the function of dropping unknown multicast data on VLAN 1:
a. Click the
b. On the page that appears, select the Enable option for IGMP Snooping, select the 2 option for
Click Apply.
5.
b. Select GigabitEthernet 1/0/2 from the Port list, enter the VLAN ID 100, and select the Enable
c.
Click Apply.
Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2.
Click the plus sign (+) in front of Show Entries to view IGMP snooping multicast entries, as shown
in Figure 143.
3.
Click the
icon corresponding to the multicast entry to view information about this entry, as
shown in Figure 144. The page shows that GigabitEthernet 1/0/2 of AC is added to multicast
group 224.1.1.1.
Overview
Upon receiving a packet, a router determines the optimal route based on the destination address and
forwards the packet to the next router in the path. When the packet reaches the last router, it then
forwards the packet to the destination host. Routing provides the path information that guides the
forwarding of packets.
A router selects optimal routes from the routing table, and sends them to the forwarding information base
(FIB) table to guide packet forwarding. Each router maintains a routing table and a FIB table.
Static routes are manually configured. If a network's topology is simple, you only need to configure static
routes for the network to work properly. Static routes cannot adapt to network topology changes. If a fault
or a topological change occurs in the network, the network administrator must modify the static routes
manually.
For more information about routing table and static routing, see H3C WX Series Access Controllers Layer
3 Configuration Guide.
Description
Destination IP address and subnet mask of the IPv4 route.
Protocol that discovered the IPv4 route.
Preference value for the IPv4 route.
The smaller the number, the higher the preference.
Next Hop
Interface
Outgoing interface of the IPv4 route. Packets destined for the specified
network segment will be sent out the interface.
2.
Click the Create tab to enter the IPv4 static route configuration page, as shown in Figure 146.
3.
4.
Click Apply.
Description
Destination IP Address
Item
Description
Enter the mask of the destination IP address.
Mask
Preference
Next Hop
Interface
Description
Destination IP address and prefix length of the IPv6 route.
Protocol that discovered the IPv6 route.
Preference value for the IPv6 route.
The smaller the number, the higher the preference.
Next Hop
Interface
2.
Click the Create tab to enter the IPv6 static route configuration page, as shown in Figure 148.
3.
4.
Click Apply.
Description
Destination IP Address
Prefix Length
Preference
Next Hop
For example, specifying the same preference for multiple static routes
to the same destination enables load sharing on the routes, while
specifying different priorities for them enables route backup.
Enter the next hop address, in the same format as the destination IP
address.
Item
Description
Select the outgoing interface.
Interface
You can select any available Layer 3 interface, for example, a virtual
interface, of the device. If you select NULL 0, the destination IPv6
address is unreachable.
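As an added Python example that is not code from this guide or from the device, the following builds the FIB from a routing table by preference, as the Preference description above explains (lowest preference wins, equal preferences share the load, a worse route stays as backup), and then performs a longest-prefix lookup that treats a NULL 0 route as unreachable. The routes reuse the destinations and next hops from the static route configuration examples on this page; the interface names, the preference value 60 and the extra backup and load-sharing routes are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str    # network in prefix form, e.g. "1.1.2.0/24" or "1::/64"
    next_hop: str       # next hop address, same address family as the destination
    interface: str      # outgoing interface; "NULL 0" makes the destination unreachable
    preference: int     # smaller value = higher preference
    protocol: str = "Static"


def build_fib(routing_table):
    """Select the optimal routes for the FIB: for every destination keep only the routes
    with the lowest preference. Equal preference keeps several routes (load sharing);
    a route with a worse preference stays out of the FIB as a backup."""
    fib = {}
    for route in routing_table:
        net = ipaddress.ip_network(route.destination, strict=False)
        chosen = fib.get(net)
        if chosen is None or route.preference < chosen[0].preference:
            fib[net] = [route]
        elif route.preference == chosen[0].preference:
            fib[net].append(route)
    return fib


def lookup(fib, address: str):
    """Longest-prefix match of `address` in the FIB. Returns the usable routes (several
    when load sharing), or [] when nothing matches or the match points to NULL 0."""
    addr = ipaddress.ip_address(address)
    matches = [net for net in fib if net.version == addr.version and addr in net]
    if not matches:
        return []
    best = max(matches, key=lambda net: net.prefixlen)
    return [r for r in fib[best] if r.interface != "NULL 0"]


# Routes from the IPv4 example (Switch B and the AC) plus one constructed backup route.
SWITCH_B_TABLE = [
    Route("1.1.2.0/24", "1.1.4.1", "Vlan-interface200", 60),
    Route("1.1.3.0/24", "1.1.5.6", "Vlan-interface300", 60),
    Route("1.1.3.0/24", "1.1.5.7", "Vlan-interface300", 100),   # constructed backup
]
AC_TABLE = [Route("0.0.0.0/0", "1.1.5.5", "Vlan-interface300", 60)]
# Routes from the IPv6 example (Switch B and the AC default route).
IPV6_TABLE = [
    Route("1::/64", "4::1", "Vlan-interface200", 60),
    Route("3::/64", "5::1", "Vlan-interface300", 60),
    Route("::/0", "5::2", "Vlan-interface300", 60),
]
```

Removing the preference-60 route to 1.1.3.0/24 makes the preference-100 route take over (route backup); adding a second preference-60 route makes both appear in the FIB (load sharing); a NULL 0 route that is the longest match hides the default route for that prefix.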
Configuration outlines
1.
2.
On Switch B, configure one static route with Switch A as the next hop and the other with AC as the
next hop.
3.
Configuration procedure
1.
Configure a default route with the next hop address 1.1.4.2 on Switch A.
2.
Configure two static routes on Switch B: one with destination address 1.1.2.0/24 and next hop
address 1.1.4.1, and the other with destination address 1.1.3.0/24 and next hop address
1.1.5.6.
3.
Enter 0.0.0.0 for Destination IP Address, 0 for Mask, and 1.1.5.5 for Next Hop.
d. Click Apply.
2.
Ping Host B from Host A (assuming both hosts run Windows XP):
C:\Documents and Settings\Administrator>ping 1.1.3.2
Figure (network diagram for the IPv6 static route example): Host A 1::2/64, Host B 3::2/64, Switch A, Switch B, AC, AP; interfaces Vlan-int100 1::1/64, Vlan-int200 4::1/64, Vlan-int300 5::1/64 and 5::2/64, Vlan-int500 3::1/64.
Configuration outlines
1.
2.
On Switch B, configure one static route with Switch A as the next hop and the other with AC as the
next hop.
3.
Configuration procedure
1.
Configure a default route with the next hop address 4::2 on Switch A.
2.
Configure two static routes on Switch B: one with destination address 1::/64 and next hop
address 4::1, and the other with destination address 3::/64 and next hop address 5::1.
3.
Enter :: for Destination IP Address, select 0 for Prefix Length, and enter 5::2 for Next Hop.
d. Click Apply.
2.
time = 63 ms
time = 62 ms
time = 62 ms
time = 63 ms
time = 63 ms
Configuration guidelines
When you configure a static route, follow these guidelines:
1.
If you do not specify the preference when you configure a static route, the default preference is
used. Reconfiguration of the default preference applies only to newly created static routes.
Currently, the Web interface does not support configuration of the default preference.
2.
When you configure a static route, the static route does not take effect if you specify the next hop
address first and then configure it as the IP address of a local interface, such as an Ethernet
interface or a VLAN interface.
3.
If you want to specify a broadcast interface (such as an Ethernet interface, virtual template, or
VLAN interface) as the output interface, which may have multiple next hops, you must specify
the next hop at the same time.
DHCP overview
NOTE:
After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and
other configuration parameters from the DHCP server. This facilitates configuration and centralized
management. For more information about the DHCP client configuration, see "Interface management."
For more information about DHCP, see H3C WX Series Access Controllers Layer 3 Configuration Guide.
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration
information to network devices.
DHCP uses the client/server model. Figure 153 shows a typical DHCP application.
Figure 153 A typical DHCP application
A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on
another subnet through a DHCP relay agent.
Figure 154 DHCP relay agent application
NOTE:
The DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between
the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.
As a DHCP security feature, DHCP snooping can implement the following:
1.
2.
Untrusted: An untrusted port discards the DHCP-ACK or DHCP-OFFER messages received from
any DHCP server.
Remarks
Required.
1.
Enabling DHCP
2.
Step
Remarks
Optional.
With the DHCP server enabled on an interface, upon
receiving a client's request, the DHCP server will
assign an IP address from its address pool to the
DHCP client.
3.
IMPORTANT:
4.
Optional.
Enabling DHCP
1.
Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 155.
2.
Select the Enable option on the upper part of the page to enable DHCP globally.
Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 155.
2.
Select the Static option in the Address Pool field to view all static address pools.
3.
4.
5.
Click Apply.
Description
IP Pool Name
IP Address
Mask
Enter an IP address and select a subnet mask for the static address pool.
The IP address cannot be the IP address of any interface on the DHCP server.
Otherwise, an IP address conflict may occur and the bound client cannot obtain an
IP address correctly.
You can enter a mask length or a mask in dotted decimal notation.
Configure the client MAC address or the client ID for the static address pool.
IMPORTANT:
Client ID
The client ID must be identical to the ID of the client to be bound. Otherwise, the client
cannot obtain an IP address.
Enter the domain name suffix for the client.
With the suffix assigned, the client only needs to enter part of a domain name, and
the system adds the domain name suffix for name resolution.
Item
Description
Enter the gateway addresses for the client.
Gateway Address
A DHCP client that wants to access an external host needs to send requests to a
gateway. You can specify gateways in each address pool and the DHCP server will
assign gateway addresses while assigning an IP address to the client.
Up to eight gateways can be specified in a DHCP address pool, separated by
commas.
Enter the DNS server addresses for the client.
To allow the client to access a host on the Internet through DNS, you need to specify
a DNS server address.
Up to eight DNS servers can be specified in a DHCP address pool, separated by
commas.
Enter the WINS server addresses for the client.
If b-node is specified for the client, you do not need to specify any WINS server
address.
Up to eight WINS servers can be specified in a DHCP address pool, separated by
commas.
Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 155.
2.
Select the Dynamic option in the Address Pool field to view all dynamic address pools.
3.
4.
5.
Click Apply.
Description
IP Pool Name
IP Address
Mask
Lease
Duration
days/hours/minutes/seconds.
With the suffix assigned, the client only needs to enter part of a
domain name, and the system will add the domain name suffix
for name resolution.
Item
Description
Enter the gateway addresses for the client.
DHCP clients that want to access hosts outside the local subnet
request gateways to forward data. You can specify gateways in
each address pool for clients and the DHCP server will assign
gateway addresses while assigning an IP address to the client.
Gateway Address
To allow the client to access a host on the Internet via the host
name, you need to specify DNS server addresses.
Up to eight DNS servers can be specified in a DHCP address
pool, separated by commas.
Enter the WINS server addresses for the client.
If b-node is specified for the client, you do not need to specify any
WINS server address.
Up to eight WINS servers can be specified in a DHCP address
pool, separated by commas.
Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown
in Figure 155.
2.
Click the icon next to a specific interface to enter the page shown in Figure 158.
3.
4.
Click Apply.
Select Network > DHCP > DHCP Server from the navigation tree to enter the page, as shown
in Figure 155.
2.
Click Addresses in Use in the Address In Use field on the lowest part of the page to view
information about the IP address assigned from the address pool.
Description
IP Address
Assigned IP address.
Pool Name
Lease Expiration
Remarks
Enabling DHCP and configuring
advanced parameters for the
DHCP relay agent
Required.
Enable DHCP globally and configure advanced DHCP parameters.
By default, global DHCP is disabled.
Required.
2.
Step
Remarks
Required.
Enable the DHCP relay agent on an interface, and correlate the
interface with a DHCP server group.
With DHCP enabled, interfaces work in the DHCP server mode by
default.
IMPORTANT:
3.
An interface cannot serve as both the DHCP server and the DHCP
relay agent. The latest configuration takes effect.
Optional.
Create a static IP-to-MAC binding, and view static and dynamic
bindings.
4.
2.
Click the DHCP Relay tab to enter the page as shown in Figure 160.
3.
4.
Click Display Advanced Configuration to expand the advanced DHCP relay agent configuration
field, as shown in Figure 161.
5.
Configure the advanced DHCP relay agent parameters as described in Table 73.
6.
Click Apply. You must also click Apply for enabling the DHCP service.
Description
Enable or disable unauthorized DHCP server detection.
Unauthorized DHCP servers may exist on a network and reply to DHCP clients with wrong IP
addresses.
Unauthorized Server
Detect
With this feature enabled, upon receiving a DHCP request, the DHCP relay agent records the
IP address of any DHCP server that assigned an IP address to the DHCP client, together with
the receiving interface. The administrator can use this information to identify unauthorized
DHCP servers. The device records each DHCP server once; the administrator must identify
unauthorized DHCP servers from the log information. After the recorded DHCP server
information is cleared, the relay agent records server information again following this
mechanism.
Enable or disable periodic refresh of dynamic client entries, and set the refresh
interval.
Dynamic Bindings
Refresh
A DHCP client relinquishes its IP address by sending a DHCP-RELEASE unicast message to
the DHCP server through the DHCP relay agent. The relay agent simply forwards the message
to the DHCP server, so it does not remove the IP address from its dynamic client entries.
The periodic refresh of dynamic client entries feature solves this problem.
With this feature, the DHCP relay agent uses the IP address of a client and the MAC
address of the DHCP relay agent interface to periodically send a DHCP-REQUEST
message to the DHCP server.
Track Timer Interval
If the server returns a DHCP-ACK message or does not return any message within
a specified interval, the IP address is assignable now, and the DHCP relay agent ages out
the client entry.
If the server returns a DHCP-NAK message, the IP address is still in use, and the relay
agent does not age it out.
If the Auto option is selected, the refresh interval is calculated by the relay agent
according to the number of client entries.
2.
Click the DHCP Relay tab to enter the page as shown in Figure 160.
3.
In the Server Group field, click Add to enter the page as shown in Figure 162.
4.
5.
Click Apply.
Description
Enter the ID of a DHCP server group.
You can create up to 20 DHCP server groups.
Enter the IP address of a server in the DHCP server group.
IP Address
The server IP address cannot be on the same subnet as the IP address of the DHCP
relay agent. Otherwise, the client cannot obtain an IP address.
2.
Click the DHCP Relay tab to enter the page as shown in Figure 160.
3.
4.
5.
Click Apply.
Description
Interface Name
DHCP Relay
If the DHCP relay agent is disabled, the DHCP server is enabled on the
interface.
Enable or disable IP address check.
Server Group ID
With this function enabled, the DHCP relay agent checks whether a requesting
client's IP and MAC addresses match a binding (dynamic or static) on the
DHCP relay agent. If not, the client cannot access outside networks via the
DHCP relay agent. This prevents invalid IP address configuration.
Correlate the interface with a DHCP server group.
A DHCP server group can be correlated with multiple interfaces.
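The three relay-agent mechanisms described above (unauthorized server recording from Table 73, dynamic bindings refresh with its ACK/NAK/timeout outcomes, and the IP address check against dynamic and static bindings), modelled in Python as an added example. This is not H3C code: the class and field names are assumptions, and the IP and MAC addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Binding:
    """One IP-to-MAC binding held by the relay agent."""
    ip: str
    mac: str
    interface: str
    static: bool = False   # static bindings are never aged out by the refresh mechanism


class RelayAgent:
    """Model of the relay-agent state behind Table 73 and the IP address check.
    Constructed for illustration; names are assumptions, not H3C's."""

    def __init__(self, detect_unauthorized: bool = True, address_check: bool = True):
        self.detect_unauthorized = detect_unauthorized
        self.address_check = address_check
        self.bindings: Dict[str, Binding] = {}      # client IP -> binding
        self.server_records: Dict[str, str] = {}    # server IP -> interface the reply arrived on

    def add_static_binding(self, ip: str, mac: str, interface: str) -> None:
        self.bindings[ip] = Binding(ip, mac.lower(), interface, static=True)

    def on_server_ack(self, server_ip: str, interface: str, yiaddr: str, chaddr: str) -> bool:
        """Handle a DHCP-ACK relayed towards a client: learn the dynamic binding and,
        with Unauthorized Server Detect enabled, record the replying server once.
        Returns True when a new server record was written (what the log would show)."""
        current = self.bindings.get(yiaddr)
        if current is None or not current.static:
            self.bindings[yiaddr] = Binding(yiaddr, chaddr.lower(), interface)
        if self.detect_unauthorized and server_ip not in self.server_records:
            self.server_records[server_ip] = interface
            return True
        return False

    def clear_server_records(self) -> None:
        """After the records are cleared, servers are recorded again on their next replies."""
        self.server_records.clear()

    def refresh_entry(self, ip: str, server_reply: Optional[str]) -> str:
        """Dynamic Bindings Refresh: the relay has re-sent a DHCP-REQUEST for this entry
        (client IP plus the relay interface MAC); server_reply is 'ACK', 'NAK', or None
        when nothing came back within the Track Timer Interval."""
        entry = self.bindings.get(ip)
        if entry is None or entry.static:
            return "skipped"
        if server_reply == "NAK":          # server says the address is still in use
            return "kept"
        if server_reply in ("ACK", None):  # assignable again: age the entry out
            del self.bindings[ip]
            return "aged-out"
        raise ValueError(f"unexpected reply {server_reply!r}")

    def client_allowed(self, client_ip: str, client_mac: str) -> bool:
        """IP address check: traffic passes the relay only if IP and MAC match a binding."""
        if not self.address_check:
            return True
        entry = self.bindings.get(client_ip)
        return entry is not None and entry.mac == client_mac.lower()


def demo() -> dict:
    """Walk the three mechanisms over constructed sample events."""
    relay = RelayAgent()
    relay.add_static_binding("10.1.1.20", "00-11-22-33-44-55", "Vlan-interface1")
    # Two ACKs from the expected server 10.1.2.2 and one from an unknown server 10.1.2.99.
    new_records = [
        relay.on_server_ack("10.1.2.2", "Vlan-interface2", "10.1.1.10", "aa-bb-cc-dd-ee-01"),
        relay.on_server_ack("10.1.2.2", "Vlan-interface2", "10.1.1.11", "aa-bb-cc-dd-ee-02"),
        relay.on_server_ack("10.1.2.99", "Vlan-interface2", "10.1.1.12", "aa-bb-cc-dd-ee-03"),
    ]
    refresh = {
        "10.1.1.10": relay.refresh_entry("10.1.1.10", None),   # no answer: aged out
        "10.1.1.11": relay.refresh_entry("10.1.1.11", "NAK"),  # still in use: kept
        "10.1.1.20": relay.refresh_entry("10.1.1.20", "ACK"),  # static: never refreshed
    }
    checks = {
        "matching": relay.client_allowed("10.1.1.11", "AA-BB-CC-DD-EE-02"),
        "mismatch": relay.client_allowed("10.1.1.11", "aa-bb-cc-dd-ee-99"),
        "aged_out": relay.client_allowed("10.1.1.10", "aa-bb-cc-dd-ee-01"),
    }
    return {"new_records": new_records, "servers": dict(relay.server_records),
            "refresh": refresh, "checks": checks}


if __name__ == "__main__":
    print(demo())
```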
2.
Click the DHCP Relay tab to enter the page as shown in Figure 160.
3.
In the User Information field, click User Information to view static and dynamic bindings, as shown
in Figure 164.
4.
5.
6.
Click Apply.
Description
IP Address
MAC Address
Interface Name
IMPORTANT:
The interface of a static binding entry must be configured as a DHCP relay agent.
Otherwise, address entry conflicts may occur.
Remarks
Enabling DHCP snooping
Required.
By default, DHCP snooping is disabled.
Required.
Specify an interface as trusted and configure DHCP snooping to support
Option 82.
2.
3.
Optional.
Display clients' IP-to-MAC bindings recorded by DHCP snooping.
2.
Click the DHCP Snooping tab to enter the page as shown in Figure 166.
3.
2.
Click the DHCP Snooping tab to enter the page as shown in Figure 166.
3.
4.
5.
Click Apply.
Description
Interface Name
Interface State
Option 82 Support
Option 82 Strategy
2.
Click the DHCP Snooping tab to enter the page as shown in Figure 166.
3.
Click User Information to enter the DHCP snooping user information page, as shown in Figure
168.
4.
View clients' IP-to-MAC bindings recorded by DHCP snooping as described in Table 78.
Description
IP Address
This field displays the IP address assigned by the DHCP server to the client.
MAC Address
Type
Interface Name
This field displays the device interface to which the client is connected.
VLAN
Network diagram (recovered from figure): Host (DHCP client), AP (DHCP client), AC (DHCP server).
Configuration procedure
1.
Enable DHCP:
a. Select Network > DHCP from the navigation tree to enter the default DHCP Server page.
b. Select the Enable option for DHCP Service.
2.
Enable the DHCP server on VLAN-interface 2: (This operation can be omitted because the DHCP
server is enabled on the interface by default.)
a. In the Interface Config field, click the icon of VLAN-interface 2.
b. Click Apply.
3.
255.255.255.0 for Mask, enter 10 days 12 hours 0 minutes 0 seconds for Lease Duration, and
enter 10.1.1.1 for Gateway Address.
c. Click Apply.
Figure 172 Configuring a dynamic address pool for the DHCP server
Configuration procedure
NOTE:
Because the DHCP relay agent and server are on different subnets, you must configure a static route or
dynamic routing protocol so they can communicate.
1.
Enable DHCP:
a. Select Network > DHCP from the navigation tree.
b. Click the DHCP Relay tab.
c.
d. Click Apply.
2.
Click Apply.
3.
a. Click the icon of VLAN-interface 1.
b. Select the Enable option for DHCP Relay, and select 1 for Server Group ID.
c. Click Apply.
Figure 176 Enabling the DHCP relay agent on an interface and correlating it with a server group
Enable DHCP snooping on the AC and configure DHCP snooping to support Option 82. Configure
the handling strategy for DHCP requests containing Option 82 as replace.
Enable GigabitEthernet 1/0/2 to forward DHCP server responses; disable GigabitEthernet 1/0/1
from forwarding DHCP server responses.
Configure the AC to record clients' IP-to-MAC address bindings in DHCP-REQUEST messages and
DHCP-ACK messages received from a trusted port.
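The snooping behaviour from the NOTE earlier in this chapter (untrusted ports discard DHCP-OFFER and DHCP-ACK) together with the requirements of this example (Option 82 with the replace strategy, bindings recorded from DHCP-REQUEST and DHCP-ACK on a trusted port), modelled in Python as an added example. This is not H3C code: the Option 82 sub-option encoding and the keep/drop alternatives to replace are assumptions, and the MAC and IP addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# DHCP message types (RFC 2132 option 53 values)
DHCP_DISCOVER, DHCP_OFFER, DHCP_REQUEST, DHCP_ACK = 1, 2, 3, 5
SERVER_MESSAGES = {DHCP_OFFER, DHCP_ACK}   # legitimate only from the server side


@dataclass
class DhcpMessage:
    """Only the fields the snooping logic looks at (constructed, not a full DHCP parser)."""
    msg_type: int
    chaddr: str            # client hardware address
    ingress_port: str      # port the AC received the frame on
    vlan: int
    yiaddr: str = "0.0.0.0"
    lease: int = 0
    option82: Optional[bytes] = None   # raw Relay Agent Information option, if present


@dataclass
class SnoopingEntry:
    ip: str
    mac: str
    port: str
    vlan: int
    lease: int


def build_option82(port: str, vlan: int, remote_id: str) -> bytes:
    """Option 82 payload with sub-option 1 (circuit ID) and 2 (remote ID). The
    VLAN:port circuit-ID encoding is an assumption for this example, not H3C's format."""
    circuit = f"{vlan}:{port}".encode()
    remote = remote_id.encode()
    return bytes([1, len(circuit)]) + circuit + bytes([2, len(remote)]) + remote


class DhcpSnooping:
    def __init__(self, trusted_ports: Set[str], option82: bool = True,
                 strategy: str = "replace", remote_id: str = "AC"):
        self.trusted = set(trusted_ports)
        self.option82 = option82
        self.strategy = strategy      # "replace" per the page; "keep"/"drop" are assumed alternatives
        self.remote_id = remote_id
        self.pending: Dict[str, DhcpMessage] = {}      # chaddr -> last REQUEST (port/VLAN source)
        self.bindings: Dict[str, SnoopingEntry] = {}   # chaddr -> recorded IP-to-MAC binding

    def process(self, msg: DhcpMessage) -> str:
        """Return 'forward' or 'drop' and update state as the snooping device would."""
        if msg.msg_type in SERVER_MESSAGES:
            if msg.ingress_port not in self.trusted:
                return "drop"         # OFFER/ACK arriving on an untrusted port is discarded
            if msg.msg_type == DHCP_ACK:
                request = self.pending.pop(msg.chaddr, None)
                if request is not None:   # MAC/port/VLAN from the REQUEST, IP/lease from the ACK
                    self.bindings[msg.chaddr] = SnoopingEntry(
                        msg.yiaddr, msg.chaddr, request.ingress_port, request.vlan, msg.lease)
            return "forward"

        # Client-originated message
        if msg.msg_type == DHCP_REQUEST:
            self.pending[msg.chaddr] = msg
        if self.option82:
            own = build_option82(msg.ingress_port, msg.vlan, self.remote_id)
            if msg.option82 is None or self.strategy == "replace":
                msg.option82 = own
            elif self.strategy == "drop":
                return "drop"
            # "keep": leave the existing Option 82 untouched
        return "forward"


def demo():
    """GigabitEthernet1/0/2 is the trusted uplink; GigabitEthernet1/0/1 is the untrusted access port."""
    snoop = DhcpSnooping(trusted_ports={"GigabitEthernet1/0/2"})
    client = "aa-bb-cc-00-00-01"
    request = DhcpMessage(DHCP_REQUEST, client, "GigabitEthernet1/0/1", 2,
                          option82=b"\x01\x03bad")   # pre-existing Option 82, replaced by ours
    decisions: List[str] = [
        snoop.process(request),
        snoop.process(DhcpMessage(DHCP_OFFER, client, "GigabitEthernet1/0/1", 2, yiaddr="10.1.1.77")),
        snoop.process(DhcpMessage(DHCP_ACK, client, "GigabitEthernet1/0/2", 2,
                                  yiaddr="10.1.1.10", lease=86400)),
    ]
    return decisions, request.option82, dict(snoop.bindings)


if __name__ == "__main__":
    print(demo())
```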
Configuration procedure
1.
2.
Click Apply.
3.
Click Apply.
DNS configuration
Overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain
names into corresponding IP addresses. With DNS, you can use easy-to-remember domain names in
some applications and let the DNS server translate them into correct IP addresses.
There are two types of DNS services, static and dynamic. After a user specifies a name, the device checks
the local static name resolution table for an IP address. If no IP address is available, it contacts the DNS
server for dynamic name resolution, which takes more time than static name resolution. Therefore, some
frequently queried name-to-IP address mappings are stored in the local static name resolution table to
improve efficiency.
DNS proxy
A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server.
A DNS client considers the DNS proxy as the DNS server and sends a DNS request to the DNS proxy,
which forwards the request to the designated DNS server, and conveys the reply from the DNS server to
the client.
The DNS proxy simplifies network management. When the DNS server address is changed, you only
need to change the configuration on the DNS proxy instead of on each DNS client.
For more information about DNS, see H3C WX Series Access Controllers Layer 3 Configuration Guide.
Remarks
Required.
Remarks
1.
2.
3.
4.
Required.
This function is disabled by default.
Required.
Not configured by default.
Optional.
Not configured by default.
Optional.
Remarks
1.
2.
Required.
By default, the device is not a DNS proxy.
Required.
Not configured by default.
Select Network > DNS from the navigation tree to enter the default static domain name resolution
configuration page shown in Figure 181.
2.
3.
4.
Click Apply.
Description
Host Name
Configure the mapping between a host name and an IP address in the static domain
name table.
Host IP Address
Each host name corresponds to only one IP address. If you configure multiple IP
addresses for a host name, the last configured one takes effect.
2.
Click the Dynamic tab to enter the page shown in Figure 183.
3.
4.
Click Apply.
2.
Click the Dynamic tab to enter the page shown in Figure 183.
3.
4.
Click Apply.
2.
Click the Dynamic tab to enter the page shown in Figure 183.
3.
4.
5.
Click Apply.
2.
Click the Dynamic tab to enter the page shown in Figure 183.
3.
4.
5.
Click Apply.
2.
Click the Dynamic tab to enter the page shown in Figure 183.
3.
4.
Click Apply.
The AC serves as a DNS client and uses dynamic domain name resolution and the domain name suffix to
access the host with the domain name host.com and the IP address 3.1.1.1/16.
Figure 186 Network diagram
NOTE:
Before performing the following configuration, make sure that the AC and the host are reachable to
each other, and that the IP addresses of the interfaces are configured as shown in Figure 186.
This configuration may vary with DNS servers. The following configuration is performed on a PC
running Windows Server 2000.
2.
b. In the dialog box as shown in Figure 189, enter host name host and IP address 3.1.1.1.
c.
Configuring the AC
1.
Select the Enable option for Dynamic DNS, as shown in Figure 190.
d. Click Apply.
2.
Click Apply.
3.
Enter com for DNS Domain Name Suffix, as shown in Figure 192.
Click Apply.
Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page.
2.
3.
4.
Service management
Overview
The service management module provides the following types of services: FTP, Telnet, SSH, SFTP, HTTP,
and HTTPS. You can enable or disable the services as needed, which improves the performance and
security of the system and allows secure management of the device.
The service management module also lets you modify the HTTP and HTTPS port numbers and associate
the FTP, HTTP, or HTTPS service with an ACL, which reduces attacks on these services by unauthorized
users.
FTP service
The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client
over a TCP/IP network.
Telnet service
The Telnet protocol is an application layer protocol that provides remote login and virtual terminal
functions on the network.
SSH service
Secure Shell (SSH) offers an approach to securely logging in to a remote device. By encryption and
strong authentication, it protects devices against attacks such as IP spoofing and plain text password
interception.
SFTP service
The secure file transfer protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to
provide secure data transfer. The device can serve as the SFTP server, allowing a remote user to log in to
the SFTP server for secure file management and transfer. The device can also serve as an SFTP client,
enabling a user to log in from the device to a remote device for secure file transfer.
HTTP service
The Hypertext Transfer Protocol (HTTP) is used for transferring web page information across the Internet.
It is an application-layer protocol in the TCP/IP protocol suite.
You can log in to the device using the HTTP protocol with HTTP service enabled, accessing and
controlling the device with Web-based network management.
HTTPS service
Secure HTTP (HTTPS) refers to the HTTP protocol that supports the Secure Sockets Layer (SSL)
protocol.
The SSL protocol of HTTPS enhances the security of the device in the following ways:
Uses the SSL protocol to ensure that legitimate clients access the device securely and that
illegitimate clients are denied;
Encrypts the data exchanged between the HTTPS client and the device to ensure data security
and integrity, realizing secure management of the device;
Defines a certificate attribute-based access control policy for the device to control the access rights
of clients, further preventing attacks from illegitimate clients.
Select Network > Service from the navigation tree to enter the service management configuration
page, as shown in Figure 194.
2.
3.
Click Apply.
Description
Enable FTP
service
FTP
ACL
Telnet
Enable Telnet
service
SSH
Enable SSH
service
SFTP
Enable SFTP
service
Item
Description
Enable HTTP
service
HTTP
Port Number
You can view this configuration item by clicking the expanding button in
front of HTTP.
IMPORTANT:
When you modify a port, make sure that the port is not used by another service.
ACL
Enable HTTPS
service
Associate the HTTP service with an ACL. Only the clients that pass the ACL
filtering are permitted to use the HTTP service.
You can view this configuration item by clicking the expanding button in
front of HTTP.
Specify whether to enable the HTTPS service.
The HTTPS service is disabled by default.
Set the port number for HTTPS service.
Port Number
You can view this configuration item by clicking the expanding button in
front of HTTPS.
IMPORTANT:
When you modify a port, make sure that the port is not used by another service.
ACL
HTTPS
Associate the HTTPS service with an ACL. Only the clients that pass the ACL
filtering are permitted to use the HTTPS service.
You can view this configuration item by clicking the expanding button in
front of HTTPS.
Set the local certificate for the HTTPS service. The list displays certificate
subjects.
Certificate
You can configure the available PKI domains by selecting Authentication >
Certificate Management from the navigation tree at the left side of the
interface. For more information, see "Certificate management."
IMPORTANT:
The service management, portal authentication and local EAP service
modules always reference the same PKI domain. Changing the referenced
PKI domain in any of the three modules also changes that referenced in the
other two modules.
Diagnostic tools
Ping
You can use the ping function to check whether a device with a specified address is reachable, and to
examine network connectivity.
A successful execution of the ping command involves the following steps:
1.
The source device sends an ICMP echo request (ECHO-REQUEST) to the destination device.
2.
The destination device responds by sending an ICMP echo reply (ECHO-REPLY) to the source
device after receiving the ICMP echo request.
3.
The source device displays related statistics after receiving the reply.
The ping command can be applied to the destination's host name or IP address. If the destination's
host name is unknown, the prompt information is displayed.
If the source device does not receive an ICMP echo reply within the timeout time, it displays the
prompt information and the statistics during the ping operation. If the source device receives an
ICMP echo reply within the timeout time, it displays the number of bytes of the echo reply, the
message sequence number, Time to Live (TTL), the response time, and the statistics during the ping
operation. Statistics during the ping operation include number of packets sent, number of echo
reply messages received, percentage of messages not received, and the minimum, average, and
maximum response time.
Trace route
By using the trace route command, you can display the Layer 3 devices involved in delivering a packet
from source to destination. This function is useful for identification of failed node(s) in the event of network
failure.
The trace route command involves the following steps in its execution:
1.
The source device sends a packet with a TTL value of 1 to the destination device.
2.
The first hop (the Layer 3 device that first receives the packet) responds by sending a TTL-expired
ICMP message to the source, with its IP address encapsulated. In this way, the source device can
get the address of the first Layer 3 device.
3.
The source device sends a packet with a TTL value of 2 to the destination device.
4.
The second hop responds with a TTL-expired ICMP message, which gives the source device the
address of the second Layer 3 device.
5.
This process continues until the ultimate destination device is reached. In this way, the source
device can trace the addresses of all the Layer 3 devices involved to get to the destination device.
The traceroute command can be applied to the destination's host name or IP address. If the destination's
host name is unknown, the prompt information is displayed.
Ping operation
IPv4 ping operation
1.
Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page.
2.
Click the expansion button before Advanced Setup to display the configurations of the advanced
parameters of IPv4 ping operation, as shown in Figure 195.
3.
Enter the IPv4 address or host name of the destination device in the Destination IP address or host
name field.
4.
5.
6.
2.
3.
Expand Advanced Setup to display the configurations of the advanced parameters of IPv6 ping
operation, as shown in Figure 197.
4.
Enter the IPv6 address or host name of the destination device in the Destination IP address or host
name field.
5.
6.
7.
Select Diagnostic Tools > Trace Route from the navigation tree.
2.
Click the Trace Route tab to enter the Trace Route configuration page, as shown in Figure 199.
3.
4.
5.
AP configuration
The AP configuration module allows you to perform the following configurations:
Configure auto AP
Configure an AP group
AC-AP connection
An AP and an AC establish a tunnel connection based on UDP.
An AP uses a data tunnel to encapsulate data packets to be sent to the AC. These packets can be raw
802.11 packets or 802.11 to 802.3 translated packets. An AC provides a control tunnel to support remote
AP configuration and management, and WLAN and mobile management.
The AC can dynamically configure an AP based on the information provided by the administrator.
Auto AP
The auto AP feature allows an AP to automatically connect to an AC. When you deploy a wireless
network with many APs, the auto AP function avoids configuration of many AP serial IDs, thus simplifying
configuration.
AP group
Some wireless service providers need to control the access positions of clients. For example, as shown in
the figure below, to meet security or billing needs, it is required to connect wireless clients 1, 2 and 3 to
the wired network through APs 1, 2 and 3 respectively. To achieve this, you can configure an AP group
that the clients can be associated with and then apply the AP group in a user profile.
Figure 201 Client access control
Configuring an AP
Creating an AP
1.
2.
3.
4.
Click Apply.
Description
AP Name
AP name.
Model
AP model.
Auto: If selected, the AC automatically searches for the AP serial ID. This function is
used together with the auto AP function. For how to configure auto AP, see
"Configuring auto AP."
Serial ID
Configuring an AP
1.
2.
Click the icon corresponding to the target AP to enter the page for configuring an AP.
3.
4.
Click Apply.
Description
AP Name
Radio Number
Select the number of the radios on the AP. The value depends on the AP model.
Select the radio type, which can be one of the following values:
Radio Type
802.11a.
802.11b.
802.11g.
802.11n (2.4 GHz)
802.11n (5 GHz)
Auto: If selected, the AP serial ID is automatically found. This option is used together
with the auto AP function. For how to configure auto AP, see "Configuring auto AP."
Serial ID
Description
Item
Description
By default, no district code is configured for an AP, which uses the global district code.
An AP configured with a district code uses its own district code rather than the global
one. For how to configure the global district code, see "Advanced settings".
IMPORTANT:
District Code
Some ACs and fit APs use locked district codes. Which district code is used is determined as follows:
An AC's locked district code cannot be changed, and all managed fit APs whose
district codes are not locked must use the AC's locked district code.
A fit AP's locked district code cannot be changed and the fit AP can only use the
district code.
If an AC and a managed fit AP use different locked district codes, the fit AP uses its
own locked district code.
2.
Click the
3.
On the page that appears, expand Advanced Setup to enter the page for advanced AP setup.
4.
5.
Click Apply.
Description
AP connection priority.
AP Connection
Priority
Specify the AP connection priority on the AC. For more information, see "AP connection
priority configuration example." It can also be used together with the backup function.
For more information, see "Advanced settings."
Broadcast Probe
Configuration File
When local forwarding is enabled, you can use the configuration file to configure the
AP. For example, when you configure a user profile when local forwarding is enabled,
you must write the user profile, QoS policy, and ACL commands to the configuration
file, and download the configuration file to the AP.
IMPORTANT:
The commands in the configuration file must be in their complete form.
Set the maximum size of jumbo frames.
When this function is enabled, the AC can send frames whose size does not exceed the
maximum size to the AP.
By default, the AC cannot send jumbo frames to the AP.
Set the interval for sending echo requests.
AP Echo Interval
There is a keep-alive mechanism between the AP and AC to confirm whether the tunnel is
working. An AP periodically sends echo requests to an AC. The AC responds to echo requests
by sending echo responses, which indicate that the tunnel is up.
Set the client keep alive interval.
The keep-alive mechanism is used to detect clients segregated from the system due to
various reasons such as power failure or crash, and disconnect them from the AP.
By default, the client keep-alive functionality is disabled.
Maximum interval for which the link between the AP and a client can be idle.
Backup AC IPv4
Address
Backup AC IPv6
Address
AP CAR
Item
Description
Enable: Enables the remote AP function.
Disable: Disables the remote AP function.
By default, the remote AP function is disabled.
Remote AP
With this function enabled, when the tunnel between the AP and AC is terminated, the
AP automatically enables local forwarding (regardless of whether local forwarding is
configured on the AC) to provide wireless access for logged-in clients, but does not allow new
clients. When a tunnel is established between the AP and AC again, the AP
automatically switches to the centralized forwarding mode and logs off all clients on the
remote AP.
IMPORTANT:
If a tunnel has been established between the remote AP and AC, when the tunnel between
the AP and AC is terminated, the remote AP uses the backup tunnel to provide wireless
access for logged-in clients. For more information about AC backup, see "Advanced
settings."
CIR
CBS
By default, the CBS is the number of bytes transmitted in 500 ms at the rate of CIR. For
example, if CIR is 100, CBS is 50000 bits, or 6250 bytes, by default.
Configuring auto AP
Enabling auto AP
1.
2.
Description
Enable: Enables the auto AP function. You must also select Auto
from the Serial ID list on the AP setup page to use the auto AP
function.
Renaming an AP
1.
2.
3.
4.
Click Apply.
Description
Old AP Name
AP Rename
Select the AP Rename check box, and type the new AP name.
For the example of configuring auto AP, see "Access service configuration."
Batch switch
If you do not need to modify the automatically found AP names, you can select the AP Name box, and
then click Transmit All AP to complete auto AP setup.
Configuring an AP group
Creating an AP group
1.
2.
Click Add.
3.
Description
AP group ID.
AP Group ID
The value range varies with devices. For more information, see
"Feature matrixes."
Configuring an AP group
1.
2.
Click the icon corresponding to the target AP group to enter the page for configuring an AP
group.
3.
4.
Click Apply.
Description
AP Group ID
Description
added to the AP group, and click the > button in the AP List
area.
Exist AP List
To delete the selected APs from the AP group, select the APs
to be deleted in the Selected AP List, and click the < button.
Network diagram (recovered from figure): AC 1, Switch, AP, Client, AC 2.
Configuring AC 1
1.
2.
c.
Expand Advanced Setup to enter the page shown in Figure 210 and set the AP connection
priority to 6.
d. Click Apply.
Configuring AC 2
1.
2.
SSID
The service set identifier. A client scans all networks at first, and then selects a specific SSID to connect
to a specific wireless network.
Client access
A client access process involves three steps: active/passive scanning surrounding wireless services,
authentication, and association, as shown in Figure 211.
Scanning
Wireless clients can get the surrounding wireless network information in two ways, active scanning and
passive scanning. With active scanning, a wireless client actively sends probe requests during scanning,
and receives probe responses. With passive scanning, a wireless client listens to Beacon frames sent by
surrounding APs.
A wireless client usually uses both passive scanning and active scanning to get information about
surrounding wireless networks.
1.
Active scanning
When a wireless client operates, it periodically searches for (that is, scans) surrounding wireless
networks. Active scanning falls into two modes according to whether a specified SSID is carried in
a probe request.
Mode 1: A client sends a probe request without any SSID on supported channels to scan wireless
networks. APs that receive the probe request frame send a probe response frame. The client
associates with the AP with the strongest signal.
Active scanning figure (the probe request carries no SSID): the client sends a probe request (with no SSID); AP 1 (AC 1) and AP 2 (AC 2) each return a probe response.
Mode 2: When a wireless client is configured to access a specific wireless network or has already
been connected to a wireless network, the client periodically sends a probe request carrying the
specified SSID. When an AP that can provide the wireless service with the specified SSID receives
the probe request, it sends a probe response. This active scanning mode enables a client to access
a specified wireless network. The active scanning process is shown in Figure 213.
Figure 213 Active scanning (the probe request carries the specified SSID AP 1)
2. Passive scanning
Passive scanning is used by clients to discover surrounding wireless networks by listening to
the beacon frames periodically sent by an AP. All APs providing wireless services periodically
send beacon frames, so wireless clients can listen for beacon frames on the supported
channels to get information about surrounding wireless networks. A client uses passive scanning
when it wants to save battery power; VoIP clients typically adopt the passive scanning
mode. The passive scanning process is shown in Figure 214.
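The frame fields a wireless monitor looks at during these two scanning steps, as an added example that is not part of the guide: a small parser for beacon, probe request and probe response frames that reports whether a probe request is a mode 1 (wildcard SSID) or mode 2 (specific SSID) scan, and whether an advertised SSID requires encryption. The frames and MAC addresses below are constructed for the example; the frame layout, element ID and capability bit are from the 802.11 standard.

```python
import struct

# Constructed example, not code from the H3C guide: a minimal parser for the
# 802.11 management frames involved in scanning (beacon, probe request,
# probe response), used to tell the two active-scanning modes apart.

MGMT_SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}
SSID_ELEMENT_ID = 0
CAP_PRIVACY = 0x0010  # capability bit: data confidentiality (WEP/WPA/RSN) required


def mac_str(raw):
    """Render 6 raw bytes in the hhhh-hhhh-hhhh form used throughout the guide."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def parse_elements(body):
    """Walk the tagged (ID, length, value) parameters; reject truncated elements."""
    elements = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated element header")
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("element length exceeds frame body")
        elements[eid] = value
        i += 2 + length
    return elements


def parse_mgmt_frame(frame):
    """Parse a beacon/probe frame into its scanning-relevant fields."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 802.11 MAC header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in MGMT_SUBTYPES:
        raise ValueError("not a beacon/probe frame")
    info = {"subtype": MGMT_SUBTYPES[subtype], "dst": mac_str(frame[4:10]),
            "src": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22]),
            "privacy": None}
    body = frame[24:]
    if subtype in (5, 8):
        # Beacons and probe responses carry fixed fields before the elements:
        # timestamp (8 bytes), beacon interval (2), capability (2).
        if len(body) < 12:
            raise ValueError("missing fixed fields")
        _, _, capability = struct.unpack_from("<QHH", body, 0)
        info["privacy"] = bool(capability & CAP_PRIVACY)
        body = body[12:]
    elements = parse_elements(body)
    # A zero-length SSID element is the wildcard SSID (mode 1 probe).
    info["ssid"] = elements.get(SSID_ELEMENT_ID, b"").decode("utf-8", "replace")
    return info


def classify(frame):
    """Map a frame to the scanning step it belongs to."""
    f = parse_mgmt_frame(frame)
    if f["subtype"] == "probe-request":
        if f["ssid"] == "":
            return "active scanning, mode 1: wildcard probe request"
        return f"active scanning, mode 2: probe request for SSID {f['ssid']!r}"
    kind = "protected" if f["privacy"] else "open"
    return f"{f['subtype']} from {f['bssid']} advertising {kind} SSID {f['ssid']!r}"


def build_frame(subtype, src, dst, bssid, ssid, capability=0):
    """Constructed frames for the example (no real captures involved)."""
    fc = subtype << 4  # type 0 = management, protocol version 0
    header = struct.pack("<HH", fc, 0) + dst + src + bssid + struct.pack("<H", 0)
    fixed = struct.pack("<QHH", 0, 100, capability) if subtype in (5, 8) else b""
    ssid_bytes = ssid.encode()
    return header + fixed + bytes([SSID_ELEMENT_ID, len(ssid_bytes)]) + ssid_bytes


CLIENT = bytes.fromhex("00095bcfcce3")  # sample client MAC (constructed)
AP1 = bytes.fromhex("000fe20000a2")     # sample AP MAC (constructed)
BCAST = b"\xff" * 6

PROBE_WILDCARD = build_frame(4, CLIENT, BCAST, BCAST, "")
PROBE_DIRECTED = build_frame(4, CLIENT, BCAST, BCAST, "service1")
BEACON_OPEN = build_frame(8, AP1, BCAST, AP1, "service1")
BEACON_RSN = build_frame(8, AP1, BCAST, AP1, "dot1x", capability=0x0411)

if __name__ == "__main__":
    for fr in (PROBE_WILDCARD, PROBE_DIRECTED, BEACON_OPEN, BEACON_RSN):
        print(classify(fr))
```

The privacy bit only says that some encryption is required; which suite (WEP, TKIP or CCMP) is advertised lives in the WPA and RSN elements, which this parser leaves as raw bytes in the `elements` dictionary.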
Authentication
To secure wireless links, the wireless clients must be authenticated before accessing an AP. 802.11 links
define two authentication mechanisms: open system authentication and shared key authentication.
(Figure: open system authentication. The client sends an authentication request to the AP, which is managed by the AC, and the AP returns an authentication response.)
c. The client uses the shared key to encrypt the challenge and sends the result to the AP.
d. The AP uses the shared key to encrypt the same challenge and compares its result with the one received
from the client. If they are identical, the client passes the authentication. If not, the
authentication fails.
Association
A client that wants to access a wireless network via an AP must be associated with that AP. Once the
client chooses a compatible network with a specified SSID and authenticates to an AP, it sends an
association request frame to the AP. The AP sends an association response to the client and adds the
client's information to its database. At any time, a client can be associated with only one AP. An association
process is always initiated by the client, never by the AP.
1. WEP encryption
Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized
users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption (a stream
encryption algorithm) for confidentiality. WEP encryption falls into static and dynamic encryption
according to how a WEP key is generated.
2. TKIP encryption
Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has many
advantages over WEP, and provides more secure protection for WLAN as follows:
First, TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption,
TKIP encryption uses a 128-bit RC4 key, and increases the length of IVs from
24 bits to 48 bits.
Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP
replaces a single static key with a base key generated by an authentication server. TKIP
dynamic keys cannot be easily deciphered.
Third, TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the
MIC, the data may have been tampered with, and the system may be under attack. If two packets fail the MIC
within a certain period, the AP automatically takes countermeasures: it stops providing services for
a certain period to prevent attacks.
3. CCMP encryption
CTR with CBC-MAC protocol (CCMP) is based on the CCM of the AES encryption algorithm. CCM
combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the
integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The
AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly, CCMP
contains a dynamic key negotiation and management method, so that each wireless client can
dynamically negotiate a key suite, which can be updated periodically to further enhance the
security of the CCMP encryption mechanism. During the encryption process, CCMP uses a 48-bit
packet number (PN) to ensure that each encrypted packet uses a different PN, thus improving the
security to a certain extent.
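Two of the protections just described, the TKIP MIC failure countermeasures and the CCMP packet number, are checks the receiving side performs. The following is an added example (not the access controller's implementation) of both: a per-transmitter replay check that refuses any packet number at or below the last one accepted, and a MIC failure counter that stops service after two failures within a window. The 60-second window and hold-off are the 802.11i TKIP countermeasure values and are assumed here; the guide's TKIP CM Time setting is assumed to correspond to `cm_time`.

```python
# Added example (not from the H3C guide): receive-side checks behind the
# TKIP countermeasures and the CCMP packet number described above.

PN_MAX = (1 << 48) - 1  # the CCMP packet number is a 48-bit counter


class CcmpReplayCheck:
    """Track the highest PN accepted per (transmitter address, traffic ID).

    A receiver never accepts a PN at or below the last accepted one, so a
    captured frame that is re-injected later is discarded even though it
    still decrypts and passes its integrity check.
    """

    def __init__(self):
        self._last_pn = {}

    def accept(self, ta, tid, pn):
        if not 0 <= pn <= PN_MAX:
            raise ValueError("PN outside the 48-bit range")
        key = (ta, tid)
        if pn <= self._last_pn.get(key, -1):
            return False  # replay (or reordering): drop
        self._last_pn[key] = pn
        return True


class TkipMicCountermeasures:
    """Two MIC failures within `window` seconds start countermeasures: the
    service stops for `cm_time` seconds (both 60 s in 802.11i; assumed here)."""

    def __init__(self, window=60.0, cm_time=60.0):
        self.window = window
        self.cm_time = cm_time
        self._first_failure = None
        self._blocked_until = 0.0
        self.events = []  # (event, time) log for the operator

    def service_available(self, now):
        return now >= self._blocked_until

    def mic_failure(self, now):
        """Record a MIC failure at time `now`; return the action taken."""
        if not self.service_available(now):
            return "dropped-during-countermeasures"
        if self._first_failure is not None and now - self._first_failure <= self.window:
            # Second failure inside the window: stop service for cm_time.
            self._first_failure = None
            self._blocked_until = now + self.cm_time
            self.events.append(("countermeasures", now))
            return "countermeasures-started"
        self._first_failure = now
        self.events.append(("mic-failure", now))
        return "logged"


def simulate():
    """Constructed traffic: a PN sequence with replays, and MIC failures over time."""
    replay = CcmpReplayCheck()
    ta = "0009-5bcf-cce3"  # constructed transmitter address
    pn_results = [replay.accept(ta, 0, pn) for pn in (1, 2, 3, 2, 3, 4, 10, 5)]
    cm = TkipMicCountermeasures()
    mic_results = [cm.mic_failure(t) for t in (0.0, 100.0, 130.0, 150.0, 200.0)]
    return pn_results, mic_results


if __name__ == "__main__":
    pn, mic = simulate()
    print("PN accepted:", pn)
    print("MIC actions:", mic)
```

In `simulate`, packet numbers 2, 3 and 5 arrive after higher numbers and are dropped, and the failures at 100 s and 130 s fall inside one window, so service is withheld until 190 s. The PN state is kept per transmitter and traffic ID because each pair has its own counter; mixing them would let a replay from one queue be masked by progress on another.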
PSK authentication
To implement PSK authentication, the client and the authenticator must have the same shared key
configured. Otherwise, the client cannot pass pre-shared key (PSK) authentication.
2. 802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls accessing devices at
the port level. A device connected to an 802.1X-enabled port of a WLAN access control device
can access the resources on the WLAN only after passing authentication.
The administrators of access devices can select to use RADIUS or local authentication to cooperate
with 802.1X for authenticating users. For more information about remote/local 802.1X
authentication, see "802.1X configuration."
3. MAC authentication
MAC authentication provides a way for authenticating users based on ports and MAC addresses.
You can configure permitted MAC address lists to filter MAC addresses of clients. However, the
efficiency will be reduced when the number of clients increases. Therefore, MAC authentication is
applicable to environments without high security requirements, for example, SOHO and small
offices.
MAC authentication falls into two modes:
Local MAC authentication: In this mode, you configure a permitted MAC address list on the device.
If the MAC address of a client is not in the list, its access request is denied.
(Figure: local MAC authentication. The AC holds the permitted MAC address list 0009-5bcf-cce3, 0011-9548-4007 and 000f-e200-00a2; clients 0009-5bcf-cce3, 0011-9548-4007 and 001a-9228-2d3e reach the AC through the AP and an L2 switch, and only the first two are in the list.)
When a RADIUS server is used for MAC authentication, you can specify a domain for each wireless
service, and thus send MAC authentication information of different SSIDs to different remote RADIUS
servers.
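How the two MAC authentication modes decide on a client, as an added example (not the device's own logic): the permitted list from the figure above is canonicalized before matching, so the same address written with colons, hyphens, dots or no separators is treated identically, and in the RADIUS mode the authentication domain is chosen by SSID. The SSID-to-domain mapping, the domain name guest-radius, and the username format (the MAC address as 12 hex digits, matching the account created on the RADIUS server later in this guide) are assumptions for the example.

```python
import re

# Added example (not the H3C device's implementation): local and RADIUS-based
# MAC authentication decisions for one access controller.

_MAC_FORMS = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$"   # 00:09:5b:cf:cc:e3 or 00-09-5b-cf-cc-e3
    r"|^(?:[0-9a-f]{4}[-.]){2}[0-9a-f]{4}$"  # 0009-5bcf-cce3 (H3C form) or 0009.5bcf.cce3
    r"|^[0-9a-f]{12}$"                       # 00095bcfcce3
)


def normalize_mac(text):
    """Canonicalize any common MAC spelling to the guide's hhhh-hhhh-hhhh form."""
    s = text.strip().lower()
    if not _MAC_FORMS.match(s):
        raise ValueError(f"not a MAC address: {text!r}")
    h = re.sub(r"[^0-9a-f]", "", s)
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


class MacAuthPolicy:
    def __init__(self, permitted=(), ssid_domains=None, default_domain="system"):
        # Canonicalize at load time so a client cannot slip past the list by
        # presenting its address with different separators or letter case.
        self.permitted = {normalize_mac(m) for m in permitted}
        self.ssid_domains = dict(ssid_domains or {})
        self.default_domain = default_domain  # "system" is the guide's default domain

    def local_decision(self, client_mac):
        """Local MAC authentication: admit only addresses on the permitted list."""
        return "permit" if normalize_mac(client_mac) in self.permitted else "deny"

    def radius_request(self, client_mac, ssid):
        """RADIUS MAC authentication: domain selected per SSID, MAC used as the
        credentials (username/password format is an assumption of this example)."""
        digits = normalize_mac(client_mac).replace("-", "")
        return {
            "domain": self.ssid_domains.get(ssid, self.default_domain),
            "username": digits,
            "password": digits,
        }


# Permitted list from the figure; SSID-to-domain mapping constructed for the example.
PERMITTED = ["0009-5bcf-cce3", "0011-9548-4007", "000f-e200-00a2"]
SSID_DOMAINS = {"mac-auth": "system", "guest": "guest-radius"}
POLICY = MacAuthPolicy(PERMITTED, SSID_DOMAINS)


def evaluate(client_mac, ssid):
    """Return (local decision, RADIUS request) for one association attempt."""
    return POLICY.local_decision(client_mac), POLICY.radius_request(client_mac, ssid)


if __name__ == "__main__":
    for mac in ("0009-5bcf-cce3", "00:11:95:48:40:07", "001a-9228-2d3e"):
        print(mac, evaluate(mac, "mac-auth"))
```

Rejecting unparseable input rather than silently denying it is deliberate: a malformed address in a log line or a list entry is a configuration error the operator should see, not a quiet deny that hides the mistake.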
802.11n
As the next generation wireless LAN technology, 802.11n supports both 2.4GHz and 5GHz bands. It
provides higher throughput to customers by using the following methods:
1. Increasing bandwidth: 802.11n can bond two adjacent 20-MHz channels together to form a
40-MHz channel. During data forwarding, the two 20-MHz channels can work separately with
one acting as the primary channel and the other acting as the secondary channel, or work together
as a 40-MHz channel. This provides a simple way of doubling the data rate.
2.
Remarks
1.
Required.
2.
Required.
3.
Required.
4.
Required.
5.
Enabling a radio
Optional.
6.
Optional.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click Add.
3.
4. Click Apply.
Description
Set the Service Set Identifier (SSID), a case-sensitive string of 1 to 32
characters, which can include letters, digits, underlines, and spaces.
icon.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear type wireless service to enter the page for
configuring the wireless service.
3. Configure basic settings for the clear type wireless service as described in Table 89.
4. Click Apply.
Description
Wireless Service
VLAN (Untagged): Enter the ID of the VLAN whose packets are to be sent untagged. VLAN
(Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
Default VLAN: Set the default VLAN of a port. By default, the default VLAN of all ports is VLAN 1.
After you set the new default VLAN, VLAN 1 is the ID of the VLAN whose packets are to be sent untagged.
Delete VLAN: Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.
IMPORTANT:
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear type wireless service to enter the page for
configuring advanced settings for a clear type wireless service.
Figure 222 Advanced settings for the clear type wireless service
3. Configure advanced settings for the clear type wireless service as described in Table 90.
4. Click Apply.
Local Forwarding: Clients using the same SSID may belong to different VLANs. You can configure
a local forwarding VLAN when configuring a local forwarding policy.
Maximum number of clients of an SSID to be associated with the same radio of the AP.
IMPORTANT: When the number of clients of an SSID associated with the same radio of the AP
reaches the maximum, the SSID is automatically hidden.
Management Right: Web interface management right of online clients.
MAC VLAN: IMPORTANT: Before binding an AP radio to a VLAN (a step in enabling AP-based access
VLAN recognition), enable the MAC VLAN feature first.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear type wireless service to enter the page for
configuring security settings for the clear type wireless service.
3. Configure security settings for the clear type wireless service as described in Table 91.
4. Click Apply.
Authentication Type: For the clear type wireless service, you can select Open-System only.
mac-authentication: Perform MAC address authentication on users.
Max User
a. Configure mac-authentication
mac-authentication: MAC-based authentication is performed on access users.
Port Mode
Select Wireless Service > Access Service from the navigation tree,
click MAC Authentication List, and enter the MAC address of the
client.
Max User
MAC Authentication
Domain
b. Configure userlogin-secure/userlogin-secure-ext
userlogin-secure: Perform MAC-based 802.1X authentication for access users.
Port Mode
In this mode, multiple 802.1X authenticated users can access the port, but only
one user can be online.
Max User
Control the maximum number of users allowed to access the network through the
port.
Select an existing domain from the list.
The default domain is system. To create a domain, select Authentication > AAA from
the navigation tree, click the Domain Setup tab, and enter a new domain name in
the Domain Name field.
Mandatory Domain
The selected domain name applies to only the current wireless service, and all
clients accessing the wireless service use this domain for authentication,
authorization, and accounting.
Do not delete a domain name in use. Otherwise, the clients that access the
wireless service will be logged out.
Authentication Method
default, CHAP is used. CHAP transmits usernames in plain text and passwords
in cipher text over the network, so this method is safer.
Enable: Enable the online user handshake function so that the device can
Handshake
Item
Description
Enable: Enable the multicast trigger function of 802.1X to send multicast trigger
messages to the clients periodically for initiating authentication. By default, the
multicast trigger function is enabled.
IMPORTANT:
For a WLAN, the clients can actively initiate authentication, or the AP can discover
users and trigger authentication. Therefore, the ports do not need to send 802.1X
multicast trigger messages for initiating authentication periodically. H3C recommends
that you disable the multicast trigger function in a WLAN because the multicast trigger
messages consume bandwidth.
c.
Figure 226 Port security configuration page for the other four security modes
(mac-else-userlogin-secure is taken for example)
mac-else-userlogin-secure: This mode is the combination of
the mac-authentication and userlogin-secure modes, with MAC
authentication having a higher priority. Upon receiving a
non-802.1X frame, a port in this mode performs only MAC
authentication; upon receiving an 802.1X frame, the port
performs MAC authentication and then, if MAC authentication
fails, 802.1X authentication.
Port Mode
Select Wireless Service > Access Service from the navigation tree,
click MAC Authentication List, and enter the MAC address of the
client.
Max User
Mandatory Domain
Authentication Method
Enable: Enable the multicast trigger function of 802.1X to send
multicast trigger messages to the clients periodically for
initiating authentication. By default, the multicast trigger
function is enabled.
IMPORTANT:
For a WLAN, the clients can actively initiate authentication, or the AP
can discover users and trigger authentication. Therefore, the ports
do not need to send 802.1X multicast trigger messages periodically
for initiating authentication. H3C recommends that you disable the
multicast trigger function in a WLAN because the multicast trigger
messages consume bandwidth.
MAC Authentication
Domain
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target crypto type wireless service to enter the page for
configuring the wireless service.
3. Configure basic settings for the crypto type wireless service as described in Table 89.
4. Click Apply.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target crypto type wireless service to enter the page for
configuring the wireless service.
Figure 228 Advanced settings for the crypto type wireless service
3. Configure advanced settings for the crypto type wireless service as described in Table 95.
4. Click Apply.
Local Forwarding: Clients using the same SSID may belong to different VLANs. You can
configure a local forwarding VLAN when configuring a local forwarding policy.
Maximum number of clients of an SSID to be associated with the same radio of the AP.
IMPORTANT: When the number of clients of an SSID associated with the same radio of the AP
reaches the maximum, the SSID is automatically hidden.
TKIP CM Time
Management Right
IMPORTANT: Before you bind an AP radio to a VLAN (a step in enabling AP-based access
VLAN recognition), enable the MAC VLAN feature first.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target crypto type wireless service to enter the page for
configuring the crypto type wireless service.
Figure 229 Security settings for the crypto type wireless service
3. Configure security settings for the crypto type wireless service as described in Table 96.
4. Click Apply.
Authentication Type:
Open-System: No authentication. With this authentication mode enabled, all
the clients will pass the authentication.
Shared-Key: The two parties need to have the same shared key configured for
this authentication mode. You can select this option only when WEP encryption
mode is used.
IMPORTANT: WEP encryption can be used together with open system and shared-key
authentication.
key is used for both authentication and encryption. If the two parties do not use
the same key, the client cannot pass the authentication, and thus cannot access
the wireless network.
Item
Description
Cipher Suite: Encryption mechanisms supported by the wireless service, which can be:
AES-CCMP and TKIP: Indicates that you can select both CCMP and TKIP encryption.
Security IE: Wireless service type (IE information carried in the beacon or probe response
frame):
WPA and RSN: Indicates that you can select both WPA and RSN.
Encryption
IMPORTANT:
frames is negotiated between client and server. If the WEP default key is
configured, the WEP default key is used to encrypt multicast frames. If not, the
device randomly generates a multicast WEP key.
WEP
Key ID:
1: Key index 1.
2: Key index 2.
3: Key index 3.
4: Key index 4.
There are 4 static keys in WEP. The key index can be 1, 2, 3 or 4. The key
corresponding to the specified key index will be used for encrypting and
decrypting broadcast and multicast frames.
Key Length: Key length.
WEP Key
Item
Description
See Table 91.
Parameters such as authentication type and encryption type determine the port
mode. For more information, see Table 99.
Port Security: After you select the Cipher Suite option, the following three port security modes are
added:
psk: An access user must use the pre-shared key (PSK) that is pre-configured to
negotiate with the device. The access to the port is allowed only after the
negotiation succeeds.
Description
Port Mode
Max User
MAC Authentication
Item
Description
Domain: Select an existing domain from the list.
The default domain is system. To create a domain, select
Authentication > AAA from the navigation tree, click the Domain Setup
tab, and enter a new domain name in the Domain Name field.
b. Configure psk
Description
Port Mode: psk: An access user must use the pre-shared key (PSK) that is
pre-configured to negotiate with the device. The access to the port is
allowed only after the negotiation succeeds.
Max User
c. Configure userlogin-secure-ext
Port mode matrix (Table 99; only the recoverable cell content is listed)
Columns: Authentication mode, Encryption type, Security IE, WEP encryption/key ID, Port mode.
Service types: Clear, Crypto. Authentication modes: Open-System, Shared-Key, Open-System and Shared-Key. Other cell values: Unavailable, Selected, Unselected, Required.
WEP encryption/key ID cell values: WEP encryption is available, the key ID can be 2, 3, or 4; WEP encryption is required, the key ID can be 1, 2, or 3; WEP encryption is required, the key ID can be 1, 2, 3 or 4.
Port mode cell values: mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, userlogin-secure, userlogin-secure-ext, userlogin-secure-or-mac, userlogin-secure-or-mac-ext.
Select Wireless Service > Access Service from the navigation tree.
2.
3.
Click Enable.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target wireless service to enter the page for binding an AP
radio to a wireless service.
3.
4. Click Bind.
A configuration progress dialog box appears.
5.
Users with the same SSID but accessing through different APs can be assigned to different VLANs
based on their configurations.
For a user roaming between ACs, if the local AC does not have a VLAN-interface, the user needs
to use an HA in the AC group for forwarding packets to avoid packet loss.
Figure 234 Schematic diagram for WLAN support for AP-based access VLAN recognition
(Figure elements: RADIUS server; AC 1 acting as HA and AC 2 acting as FA, connected by an IACTP tunnel; AP 1, AP 2, AP 3 and AP 4; Client 1 in VLAN 3, shown roaming intra-AC and inter-AC; Client 2 in VLAN 2.)
As shown in Figure 234, Client 1 goes online through AP 1 and belongs to VLAN 3. When Client 1
roams within an AC or between ACs, Client 1 always belongs to VLAN 3. When Client 1 roams between
ACs, if FA, that is, AC 2, has VLAN-interface 3, AC 2 forwards packets from Client 1. Otherwise, packets
from Client 1 are sent to HA (AC 1) through the data tunnel and then HA forwards these packets.
Client 2 goes online through AP 4 and belongs to VLAN 2. That is, a client going online through a
different AP is assigned to a different VLAN.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target wireless service to enter the AP radio setup page, as
shown in Figure 233.
3.
4.
5. Click Bind.
Enabling a radio
1.
2.
3.
Click Enable.
A configuration progress dialog box appears.
4.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the specified clear-type wireless service to see its detailed information.
Description
SSID
Binding Interface
Authentication Method
SSID-hide
Select Wireless Service > Access Service from the navigation tree.
2.
Description
SSID
Binding Interface
Security IE
Authentication Method
SSID-hide
Cipher Suite
WEP Key: WEP key.
Field
Description
GTK Rekey
Bridge Mode
The AP provides clear type wireless access service with SSID service1.
Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select
the serial ID manual, and enter the serial ID of the AP.
d. Click Apply.
2.
On the page that appears, set the service name to service1 and select the wireless service type
clear.
d. Click Apply.
3.
4.
c. On the page that appears, select the box before ap with radio type 802.11n(2.4GHz).
d. Click Bind.
5.
Click Enable.
The client can successfully associate with the AP and access the WLAN network.
You can view the online clients on the page that you enter by selecting Summary > Client from the
navigation tree.
Configuration guidelines
Select a correct district code.
The AP provides a clear type wireless service with the SSID service1.
Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select
the serial ID auto, and click Apply.
2.
On the page that appears, set the service name to service1, select the wireless service type
clear, and click Apply.
3.
Click Enable.
4.
c. On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz), and
click Bind.
d. To view the AP status, select AP > AP Setup from the navigation tree. You can see that the AP
is in IDLE state.
Figure 250 AP status before auto AP is enabled
5. Enable auto AP:
a. Select AP > Auto AP from the navigation tree.
b. Select enable.
c. Click Apply.
6.
d. Click Apply.
e. To view the renamed AP, select AP > AP Setup from the navigation tree.
7.
Click Enable.
You can see that the AP is in the Run state on the page you enter by selecting AP > AP Setup from
the navigation tree.
The client can successfully associate with the AP and access the WLAN network.
You can view the online clients on the page that you enter by selecting Summary > Client from the
navigation tree.
Configuration guidelines
Follow these guidelines when you configure an auto AP:
Select the renamed AP (AP 1 in the example) rather than the auto AP (ap in the example) when
enabling the radio. If you enable the radio of the automatically found AP, the radios of all the
automatically found APs are enabled.
802.11gn is adopted to inter-work with the existing 802.11g network and protect the current
investment.
Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to 11nap, select the AP model WA22610E-AGN,
select the serial ID manual, enter the serial ID of the AP, and click Apply.
2.
3.
On the page that appears, set the service name to 11nservice, select the wireless service type
clear, and click Apply.
4.
Click Enable.
Bind an AP radio:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the
c.
d. Click Bind.
5.
Click Enable.
The client can successfully associate with the AP and access the WLAN network.
You can view the online clients on the page you enter by selecting Summary > Client from the
navigation tree.
In this example, 0014-6c8a-43ff is an 802.11g user, and 001c-f0bf-9c92 is an 802.11n user. Both of the
two users can access the WLAN network because there is no limit on the user type. If you enable client
802.11n only, only 001c-f0bf-9c92 can access the WLAN network.
Configuration guidelines
Follow these guidelines when you configure 802.11n:
Select Radio > Radio from the navigation tree, select the AP to be configured, and click the
corresponding icon to enter the page for configuring a radio. Then you can modify the 802.11n
parameters, including bandwidth mode, A-MPDU, A-MSDU, short GI, and whether 802.11n clients are allowed.
Select Radio > Rate from the navigation tree to set 802.11n rates.
Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select
the serial ID manual, enter the AP serial ID, and click Apply.
2.
On the page that appears, set the service name to psk, select the wireless service type crypto,
and click Apply.
3.
c. Select the Port Set box, and select psk from the Port Mode list.
d. Select pass-phrase from the Pre-shared Key list, and enter the key ID 12345678.
e. Click Apply.
4.
Click Enable.
5.
On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz) and
click Bind.
A configuration progress dialog box appears.
6.
Click Enable.
A configuration progress dialog box appears.
2.
Select the configured service in Choose a wireless network (PSK in this example).
3.
Click Connect.
4.
In the popup dialog box, enter the key (12345678 in this example), and then click Connect.
The client has the same pre-shared key (PSK) as the AP, so the client can associate with the AP.
The client can successfully associate with the AP and access the WLAN network.
You can view the online clients on the page you enter by selecting Summary > Client from the
navigation tree.
Configuring the AC
1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select
the serial ID manual, enter the AP serial ID, and click Apply.
2.
On the page that appears, set the service name to mac-auth, select the wireless service type
clear, and click Apply.
3.
Select the MAC Authentication box, and select system from the Domain list.
To create a domain, select Authentication > AAA from the navigation tree, click the Domain
Setup tab, and enter a domain name in the Domain Name field.
d. Click Apply.
4.
Click Enable.
5.
a. Select Wireless Service > Access Service from the navigation tree.
b. Click MAC Authentication List.
c. On the page that appears, add a local user in the MAC Address field. 0014-6c8a-43ff is used
in this example.
d. Click Add.
6.
On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz) and
click Bind.
A configuration progress dialog box appears.
7.
c. Click Enable.
A configuration progress dialog box appears.
2.
Select the configured service in Choose a wireless network (mac-auth in this example).
3.
Click Connect.
If the MAC address of the client is in the MAC address list, the client can pass the MAC
authentication and access the wireless network.
The client can successfully associate with the AP and access the WLAN network.
You can view the online clients on the page you enter by selecting Summary > Client.
Use the Intelligent Management Center (IMC) as the RADIUS server for authentication, authorization,
and accounting (AAA). On the RADIUS server, configure the client's username and password as
the MAC address of the client, and the shared key as expert. The IP address of the RADIUS server
is 10.18.1.88.
The IP address of the AC is 10.18.1.1. On the AC, configure the shared key for communication with
the RADIUS server as expert, and configure the AC to remove the domain name from a username
before sending it to the RADIUS server.
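The RADIUS exchange these requirements set up, as an added example (not H3C or IMC code): building an Access-Request with the domain suffix stripped from the username, the User-Password hidden with the shared key as RFC 2865 section 5.2 specifies, and a CHAP-Password value per section 5.3 for the CHAP method the 802.1X settings table above lists as the default. The shared key expert, the AC address 10.18.1.1 and the username 00146c8a43ff are taken from this section; the packet identifier, the request authenticator and the server-side decoding are constructed for the example.

```python
import hashlib
import ipaddress
import os
import struct

# Added example (not H3C's or IMC's code): a RADIUS Access-Request as the
# AC would send it to the server described above, plus the server-side
# decoding used to check it. Attribute layout follows RFC 2865.

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CHAP_PASSWORD, ATTR_NAS_IP = 1, 2, 3, 4


def strip_domain(username):
    """user@domain -> user (the AC option 'remove the domain name')."""
    return username.split("@", 1)[0]


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous chunk)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def unhide_password(hidden, secret, authenticator):
    """Server side of the same transform; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_password(ident, password, challenge):
    """RFC 2865 5.3 CHAP-Password value: Ident || MD5(Ident || secret || challenge).
    The password itself never crosses the network, only this digest."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def attribute(atype, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def build_access_request(username, password, secret, nas_ip, identifier=0, authenticator=None):
    """Code, Identifier, Length, 16-byte Request Authenticator, then attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (
        attribute(ATTR_USER_NAME, strip_domain(username).encode())
        + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + attribute(ATTR_NAS_IP, ipaddress.IPv4Address(nas_ip).packed)
    )
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet):
    """Decode header and attributes, validating the length fields as a server must."""
    code, ident, length = struct.unpack_from("!BBH", packet, 0)
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    authenticator = packet[4:20]
    attrs, i = {}, 20
    while i < length:
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return code, ident, authenticator, attrs


def roundtrip(username="00146c8a43ff@system", password="00146c8a43ff",
              secret=b"expert", nas_ip="10.18.1.1"):
    """Build a request and decode it as the server would; return what the server sees."""
    pkt = build_access_request(username, password, secret, nas_ip, identifier=7)
    code, ident, auth, attrs = parse_packet(pkt)
    return {
        "code": code,
        "identifier": ident,
        "username": attrs[ATTR_USER_NAME].decode(),
        "password": unhide_password(attrs[ATTR_USER_PASSWORD], secret, auth).decode(),
        "nas_ip": str(ipaddress.IPv4Address(attrs[ATTR_NAS_IP])),
    }


if __name__ == "__main__":
    print(roundtrip())
```

The User-Password transform is only as strong as the shared key and the randomness of the Request Authenticator, which is why the guide's short key expert is a lab value and why the AC-to-server path should itself be on a trusted network. The CHAP variant avoids sending even a hidden password, but requires the server to hold the cleartext password to recompute the digest.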
Configuring the AC
1.
2.
On the page that appears, add two servers in the RADIUS Server Configuration area, and
specify the key expert.
g. Click Apply.
3.
Configure AAA:
a. From the navigation tree, select Authentication > AAA.
b. Optional: On the Domain Setup tab, create a new ISP domain.
On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box,
select the authentication mode RADIUS, select the authentication scheme mac-auth from the
Name list, and click Apply.
A configuration progress dialog box appears.
Figure 278 Configuring the AAA authentication method for the ISP domain
e. On the Authorization tab, select the ISP domain system, select the LAN-access AuthZ box,
select the authorization mode RADIUS, select the authorization scheme mac-auth from the
Name list, and click Apply.
A configuration progress dialog box appears.
f.
Figure 279 Configuring the AAA authorization method for the ISP domain
g. On the Accounting tab, select the ISP domain system, select the Accounting Optional box, and
select Enable from the Accounting Optional list, select the LAN-access Accounting box, select
the accounting method RADIUS, select the accounting scheme mac-auth from the Name list,
and click Apply.
A configuration progress dialog box appears.
Figure 280 Configuring the AAA accounting method for the ISP domain
4.
Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select
the serial ID manual, enter the AP serial ID, and click Apply.
5.
On the page that appears, set the wireless service name to mac-auth, select the wireless
service type clear, and click Apply.
6.
Select the MAC Authentication box, and select system from the Domain list.
d. Click Apply.
7.
a. Select Wireless Service > Access Service from the navigation tree.
b. On the page that appears, select the mac-auth box.
c. Click Enable.
A configuration progress dialog box appears.
8.
d. Click Bind.
9.
c. Click Enable.
A configuration progress dialog box appears.
Click Add.
d. On the page that appears, add expert for Shared Key, add ports 1812 and 1813 for
Authentication Port and Accounting Port respectively, select LAN Access Service for Service
Type, select H3C for Access Device Type, select or manually add an access device with the IP
address 10.18.1.1, and click Apply.
2.
Add service.
a. Click the Service tab.
b. Select Access Service > Access Device from the navigation tree.
c. Click Add.
d. On the page that appears, set the service name to mac, keep the default values for other
3.
Add account.
a. Click the User tab.
b. Select User > All Access Users from the navigation tree.
c. Click Add.
d. On the page that appears, enter a username 00146c8a43ff, add an account and password
Click Add.
d. On the page that appears, enter 12345678 as the Shared Key, keep the default values for
other parameters, select or manually add the access device with the IP address 10.18.1.1,
and click Apply.
2.
Add service.
a. Click the Service tab.
b. Select User Access Manager > Service Configuration from the navigation tree.
c. Click Add.
d. On the page that appears, set the service name to mac, keep the default values for other
3.
Add an account.
a. Click the User tab.
b. Select User > All Access Users from the navigation tree to enter the user page.
c. Click Add.
d. On the page that appears, enter username 00146c8a43ff, set the account name and
password both to 00146c8a43ff, select the service mac, and click Apply.
During authentication, the user does not need to enter the username or password. After passing
MAC authentication, the client can associate with the AP and access the WLAN.
You can view the online clients on the page you enter by selecting Summary > Client from the
navigation tree.
Use the IMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username
as user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is
10.18.1.88.
On the AC, configure the shared key as expert, and configure the AC to remove the domain name
of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.
Configuring the AC
1.
2.
On the page that appears, add two servers in the RADIUS Server Configuration, and specify
the key expert.
list.
f.
Click Apply.
3.
Configure AAA
a. Select Authentication > AAA from the navigation tree.
b. Optional: On the Domain Setup tab, create a new ISP domain.
On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box,
select the authentication mode RADIUS, select the authentication scheme 802.1x from the
Name list, and click Apply.
Figure 295 Configuring the AAA authentication method for the ISP domain
d. On the Authorization tab, select the domain name system, select the LAN-access AuthZ box,
select the authorization mode RADIUS, select the authorization scheme 802.1x from the Name
list, and click Apply.
Figure 296 Configuring the AAA authorization method for the ISP domain
e. On the Accounting tab, select the ISP domain name system, select the Accounting Optional box
and then select Enable from the Accounting Optional list, select the LAN-access Accounting box,
select the accounting method RADIUS, select the accounting scheme 802.1x from the Name list,
and click Apply.
Figure 297 Configuring the AAA accounting method for the ISP domain
4.
Create an AP.
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c.
On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select
the serial ID manual, enter the AP serial ID, and click Apply.
5.
On the page that appears, set the service name to dot1x, select the wireless service type crypto,
and click Apply.
6.
Cipher Suite box, select AES-CCMP from the Cipher Suite list, and select WPA2 from the
Security IE list.
b. Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.
c.
Click Apply.
g. A progress dialog box appears. During the process, another dialog box appears asking you
7.
8.
d. Click Bind.
9.
Click Enable.
A configuration progress dialog box appears.
Click Add.
d. On the page that appears, enter the shared key expert, enter the authentication and
accounting ports 1812 and 1813, select LAN Access Service from the Service Type list, select
H3C from the Access Device Type list, select or manually add an access device with the IP
address 10.18.1.1, and click Apply.
Figure 304 Adding access device
2.
Add service.
a. Click the Service tab.
b. Select Access Service > Access Device from the navigation tree.
c.
Click Add.
d. On the page that appears, set the service name to dot1x, and set the Certificate Type to
EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN, and click Apply.
3.
Add account.
a. Click the User tab.
b. Select User > All Access Users from the navigation tree.
c.
Click Add.
d. On the page that appears, enter a username user, add an account user and password dot1x,
Click Add.
d. On the page that appears, enter 12345678 as the Shared Key, keep the default values for
other parameters, and select or manually add the access device with the IP address 10.18.1.1,
and click Apply.
Figure 307 Adding access device
2.
Add a service.
a. Click the Service tab.
b. Select User Access Manager > Service Configuration from the navigation tree.
c.
Click Add.
d. On the page that appears, set the service name to dot1x, and set the Certificate Type to
EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN, and click Apply.
3.
Add an account.
a. Click the User tab.
b. Select User > All Access Users from the navigation tree.
c.
Click Add.
d. On the page that appears, enter username user, set the account name to user and password
3.
In the Wireless Networks tab, select wireless network with the SSID dot1x, and then click
Properties.
The dot1x Properties window appears.
4.
In the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
5.
In the popup window, clear Validate server certificate, and click Configure.
NOTE:
Clearing Validate server certificate lets this example work without installing the RADIUS server's CA certificate on the client, but the client will then complete PEAP with any server that presents a certificate. In a production deployment, keep the option selected and install the CA certificate on the clients.
6.
In the popup dialog box, clear Automatically use my Windows logon name and password (and
domain if any).
After the user enters username user and password dot1x in the popup dialog box, the client can
associate with the AP and access the WLAN.
You can view the online clients on the page you enter by selecting Summary > Client.
Use the IMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username
as user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is
10.18.1.88.
On the AC, configure the shared key as expert, and configure the AC to remove the domain name
of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.
Configuration procedure
1.
2.
3.
Configure AAA:
See "Configure AAA."
4.
5.
On the page that appears, set the service name to dot1x, select the wireless service type crypto,
and click Apply.
6.
Select the Cipher Suite box, select CCMP from the Cipher Suite list, and select WPA2 from the
Security IE list.
d. Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.
e. Select system from the Mandatory Domain list.
f.
7.
8.
b. Click the
c.
On the page that appears, select the box of the AP with the radio mode 802.11n(2.4GHz)
and click Bind.
9.
10.
11.
2.
3.
Click Properties.
The Wireless Network window appears.
4.
Click Add.
5.
Click the Association tab, and enter dot1x in the Network name (SSID) field. Make sure that you
have selected The key is provided for me automatically.
6.
On the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
7.
In the popup window, clear Validate server certificate, and click Configure.
8.
In the popup dialog box, clear Automatically use my Windows logon name and password (and
domain if any), and then click OK.
After the user enters username user and password dot1x in the popup dialog box, the client can
associate with the AP and access the WLAN.
You can view the online clients on the page you enter by selecting Summary > Client.
Mesh overview
Basic concepts in WLAN mesh
Figure 321 Typical WLAN mesh network (an AC, an MPP, several MPs, several MAPs, and the clients served by the MAPs)
As shown in Figure 321, the concepts involved in WLAN mesh are described below.
Concept
Description
A device that controls and manages all the APs in the WLAN.
Mesh link
High performance/price ratio: In a mesh network, only the MPPs need to connect to a wired network. In this way, the dependency on the wired network is reduced to the minimum extent, and the investment in wired devices, cabling, and installation is greatly reduced.
Excellent scalability: In a mesh network, the APs can automatically discover each other and initiate wireless link setup. To add new APs to the mesh network, you just need to install the new APs and perform the related configurations on them.
Fast deployment: Since only the MPPs need to connect to a wired network, WLAN mesh greatly reduces the network deployment time.
Various application scenarios: The mesh network is applicable to enterprise, office, and campus networks, which are common application scenarios of traditional WLANs, and also to large-sized warehouse, port, MAN, railway transportation, and crisis communication networks.
High reliability: In a traditional WLAN, when the wired upstream link of an AP fails, all clients associated with the AP cannot access the WLAN. In a mesh network, by contrast, all APs are fully meshed. There are multiple available wireless links for a mesh AP to reach a portal node in the wired network, which effectively avoids single points of failure.
Deployment scenarios
This section covers deployment scenarios of WLAN mesh, which are in two categories: subway
networking and normal networking.
2.
3.
As shown in Figure 324, Radio 1 of MP 1 joins the mesh through the MPP. In this case, only Radio
1 can provide access for downstream MPs. Radio 2 cannot automatically access the mesh and
provide the mesh service.
Figure 324 Two radios on different meshes
If an MP supports three radios, you can configure Radio 1 as the uplink interface, Radio 2 as the
downlink interface, and Radio 3 as the multi-beam antenna. To utilize the dual-radio resources on
MPs, you can establish the network as shown in Figure 325. In such a network, when Radio 1 of
MP 1 accesses the mesh, Radio 2 on MP 1 also automatically joins the mesh. In this network, you
should apply the same mesh service to both Radio 1 and Radio 2. For more information, see
"Tri-radio mesh configuration example."
Figure 325 Two radios on the same mesh (the AC, an MPP with Radio 1, Radio 2 and Radio 3, and MP 1 and MP 2, each with Radio 1, Radio 2 and Radio 3)
The subway WLAN mesh deployment is based on the Mobile Link Switch Protocol (MLSP), which is used
for high-speed link switch with zero packet loss during train movement. New IEEE standard 802.11s is
adopted as the underlying protocol for link formation and communication between mobile radio (MR)
and wayside AP. Train MPs are not required to act as authenticators.
Active Link: Logical link through which all data communication from/to a train MP happens.
Dormant Link: Logical link over which no data transfer happens, but it satisfies all the criteria for
becoming an active link.
MLSP advantages
MLSP ensures that the link switch time is less than 30 ms.
MLSP works well even if the devices get saturated at high power level.
Operation of MLSP
MLSP establishes multiple links at any given time between a train MP and multiple rail MPs to provide link
redundancy, thus ensuring high performance and good robustness for the network.
The following parameters are considered by MLSP for link switch. Based on the deployment, all these
parameters are tunable to achieve best results.
Link formation RSSI/link hold RSSI: This is the minimum RSSI to allow a link to be formed and held. Therefore, the minimum RSSI must be ensured at any given point in the tunnel. Otherwise, the error rate can be very high.
Link switch margin: If the RSSI of the new link is greater than that of the current active link by the link switch margin, active link switch occurs. This mechanism is used to avoid frequent link switch.
Link hold time: An active link remains up within the link hold time, even if the link switch margin is reached. This mechanism is used to avoid frequent link switch.
Link saturation RSSI: This is the upper limit of RSSI on the active link. If the value is reached, link switch occurs.
2.
Active link switch will not happen within the link hold time, except under the following two conditions:
Condition 1: The active link RSSI exceeds the link saturation RSSI.
Condition 2: The active link RSSI is below the link hold RSSI.
3.
When the link hold timer expires, if no dormant link has an RSSI greater than the active link RSSI by the link switch margin, link switch will not happen.
4.
In normal scenarios, active link switch will happen when all of the following conditions are met:
The link hold timer expires.
The dormant link's RSSI is higher than the current active link's RSSI by the link switch margin.
The dormant link RSSI is not greater than the link saturation RSSI.
5.
Once the RSSI of the active and dormant links has gone below the link hold RSSI, the links should be broken. However, to ensure service availability in the worst case, if the active link RSSI has gone below the link hold RSSI and no dormant links exist, the active link is not broken.
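The rules above are a decision procedure over four tunable RSSI thresholds and one timer, and it is worth seeing them as code before tuning a mesh policy. The following Python is an added example, not H3C code: it implements link formation, rule 5 pruning and the active-link choice for one train MP, using the parameter names of the mesh policy items on this page. Which dormant link takes over in the two forced cases (saturated active link, active link below the link hold RSSI) is not specified above; this example assumes the strongest dormant link that is not itself saturated. The policy values and RSSI readings in the demo are constructed.

```python
"""MLSP active-link selection for a train MP, written from rules 2 to 5 above.
Added example, not H3C code; RSSI values are in dBm-style negative numbers."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MlspPolicy:
    link_formation_rssi: int   # minimum RSSI to form a link
    link_hold_rssi: int        # minimum RSSI to keep a link
    link_switch_margin: int    # dormant link must beat the active link by this much
    link_saturation_rssi: int  # upper RSSI limit on the active link


def can_form_link(policy, rssi):
    """A rail MP becomes a dormant link only at or above the link formation RSSI."""
    return rssi >= policy.link_formation_rssi


def prune_links(policy, active, dormant):
    """Rule 5: links below the link hold RSSI are broken, except that the active
    link survives when no dormant link exists to take over. Returns (active or
    None, surviving dormant links)."""
    _, rssi = active
    kept = {n: r for n, r in dormant.items() if r >= policy.link_hold_rssi}
    active_ok = rssi >= policy.link_hold_rssi or not kept
    return (active if active_ok else None), kept


def choose_active(policy, active, dormant, hold_timer_expired):
    """Return (link name, reason). active is (name, rssi); dormant maps name to rssi."""
    active, dormant = prune_links(policy, active, dormant)
    if active is None:  # rule 2, condition 2: the active link was lost
        return max(dormant, key=dormant.get), "active link below link hold RSSI"
    name, rssi = active
    if rssi > policy.link_saturation_rssi:  # rule 2, condition 1: switch regardless of timer
        unsaturated = {n: r for n, r in dormant.items() if r <= policy.link_saturation_rssi}
        if unsaturated:  # assumption: take the strongest link that is not itself saturated
            return max(unsaturated, key=unsaturated.get), "active link saturated"
    if not hold_timer_expired:  # rule 2: otherwise no switch within the hold time
        return name, "link hold timer running"
    # Rule 4: after the hold time, switch only to a dormant link that is better by the
    # switch margin and not above the saturation RSSI. Rule 3: no such link, no switch.
    candidates = {n: r for n, r in dormant.items()
                  if r >= rssi + policy.link_switch_margin and r <= policy.link_saturation_rssi}
    if not candidates:
        return name, "no dormant link exceeds the switch margin"
    return max(candidates, key=candidates.get), "dormant link better by switch margin"


if __name__ == "__main__":
    policy = MlspPolicy(link_formation_rssi=-80, link_hold_rssi=-85,
                        link_switch_margin=10, link_saturation_rssi=-30)
    # Constructed trace of a train passing rail MP 1 and approaching rail MP 2.
    for active, dormant, expired in [(("rail1", -60), {"rail2": -45}, False),
                                     (("rail1", -60), {"rail2": -45}, True),
                                     (("rail2", -25), {"rail1": -70}, False),
                                     (("rail2", -90), {}, True)]:
        print(active, dormant, "timer expired" if expired else "timer running",
              "->", choose_active(policy, active, dormant, expired))
```

A margin of 0 or a saturation RSSI above any realistic reading turns this into a pure "strongest link wins" policy, which is exactly the flapping the link hold time and link switch margin exist to prevent; tune them together.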
Select Wireless Service > Mesh Service from the navigation tree.
2.
3.
Click Add.
4.
5.
Click Apply.
Description
Select Wireless Service > Mesh Service from the navigation tree.
2.
3.
Click the
service.
icon corresponding to the target mesh service to enter the page for configuring mesh
4.
5.
Click Apply.
Description
Mesh Service
VLAN (Tagged): Enter the ID of the VLAN whose packets are to be sent tagged. VLAN (Tagged) indicates that the port sends the traffic of the VLAN without removing the VLAN tag.
VLAN (Untagged): Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
Default VLAN: Set the default VLAN. By default, the default VLAN of all ports is VLAN 1. After you set the new default VLAN, VLAN 1 is the ID of the VLAN whose packets are to be sent untagged.
Exclude VLAN: Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.
Mesh Route: Enable or disable the mesh route selection algorithm.
Security Configuration
Pass Phrase
Item
Description
Raw Key
Pre-shared Key
Select Wireless Service > Mesh Service from the navigation tree.
2.
Click the
3.
4.
Click Bind.
Select Wireless Service > Mesh Service from the navigation tree.
2.
Click the Mesh Service tab to enter the mesh service configuration page.
3.
4.
Click Enable.
Select Wireless Service > Mesh Service from the navigation tree.
2.
Click the Mesh Service tab to enter the mesh service configuration page.
3.
Description
Mesh ID
Binding Interface
MKD Service
Select Wireless Service > Mesh Service from the navigation tree.
2.
Click the Mesh Service tab to enter the mesh policy configuration page.
3.
Click Add.
4.
5.
Click Apply.
Description
Name of the created mesh policy.
Select Wireless Service > Mesh Service from the navigation tree.
2.
3.
Click the
page.
icon corresponding to the target mesh policy to enter the mesh policy configuration
4.
5.
Click Apply.
Description
Mesh Policy
Link establishment
Link hold time: An active link remains up within the link hold time, even if the link switch margin is reached. This mechanism is used to avoid frequent link switch.
Max links: Set the maximum number of links that an MP can form in a mesh network.
IMPORTANT:
When configuring mesh, if the number of mesh links configured on an AP is greater than 2, you need to configure the maximum links that an MP can form as needed.
Link formation/link hold RSSI: Set the link formation/link hold RSSI (received signal strength indicator).
Link switch margin: If the RSSI of the new link is greater than that of the current active link by the link switch margin, active link switch will happen. This mechanism is used to avoid frequent link switch.
Link saturation RSSI: Set the link saturation RSSI. This is the upper limit of RSSI on the active link. If the value is reached, the chipset is saturated and link switch will happen.
Role as authenticator
ratemode
is, the rate changes with the change of the RSSI of the current
radio.
Select the Proxy MAC Address option to specify the MAC address
of the peer device.
Proxy VLAN
Select Wireless Service > Mesh Service from the navigation tree.
2.
3.
Click the
4.
5.
Click Bind.
Select Wireless Service > Mesh Service from the navigation tree.
2.
Click the Mesh Policy tab to enter the mesh policy configuration page.
3.
Description
MP Policy Name
Mlsp
Authenticator Role
Max Links
Link rate-mode
Select Wireless Service > Mesh Service from the navigation tree.
2.
Click the Global Setup tab to enter the mesh global setup page.
3.
4.
Click Apply.
Description
Make sure the MAC address configured is unused and has the correct
MKD-ID
all mesh networks where the working channels of the radios are
automatically selected. With auto DFS enabled, an AC makes DFS
decisions at the calibrate interval automatically.
Select Wireless Service > Mesh Service from the navigation tree.
2.
Click the Global Setup tab to enter the mesh portal service configuration page.
3.
4.
Click Enable.
Manual
1.
2.
On the page that appears, select a specified channel from the Channel list.
3.
Click Apply.
NOTE:
Specify a working channel for the radios of the MAP and MPP, and the working channel on the radio of
the MAP should be consistent with that on the MPP.
Auto
Set the working channel mode on the MPP and MAP to auto so that the working channel is automatically
negotiated when a WDS link is established between the MPP and MAP.
NOTE:
If you configure the working channel mode of the radios of the MPP and MAP as auto, the automatically
selected working channel is a non-radar channel.
Enabling radio
1.
Select Radio > Radio from the navigation tree to enter the radio setup page.
2.
3.
Click Enable.
Select Wireless Service > Mesh Service from the navigation tree.
2.
Click
3.
4.
5.
Click Apply.
Description
The mesh feature supports three topologies. For more information, see "Mesh
network topologies." The mesh feature is implemented through configuration of
peer MAC addresses for each AP.
Sets the STP cost of the mesh link to the peer. If not configured, the STP cost is
automatically calculated by STP.
cos
You can view the cost of the mesh link on the page shown in Figure 345.
Mesh DFS
Displaying radio information
1.
Select Wireless Service > Mesh Service from the navigation tree.
2.
Click the Mesh Channel Optimize tab to enter the mesh optimization tab.
3.
Click the specified mesh network, and click the Radio Info tab to enter the page shown in Figure
346 to view radio information.
Select Wireless Service > Mesh Service from the navigation tree.
2.
Click the Mesh Channel Optimize tab to enter the mesh optimization tab.
3.
Click the mesh network, and then select the Channel Switch Info tab to enter the page shown
in Figure 347 to view the channel switching information.
NOTE:
If you select Auto or Close for dynamic channel selection on the Global Setup tab, when you enter the
Mesh Channel Optimize page, the Channel Optimize button is grayed out, meaning you cannot
perform the operation.
If you select manual DFS on the Global Setup tab, select mesh networks where DFS will be performed,
and then click Channel Optimize to complete DFS. In auto mode, DFS is performed at the calibration
interval; in manual mode, DFS is performed for once.
Description
AP
Radio
Chl(After/Before)
Date(yyyy-mm-dd)
Time(hh:mm:ss)
Select Wireless Service > Mesh Service from the navigation tree.
2.
Click the Mesh Link Info tab to enter the mesh link monitoring page.
You can monitor the mesh link status in real-time on the mesh link monitoring page.
Select Wireless Service > Mesh Service from the navigation tree.
2.
Click the Mesh Link Test tab to enter the mesh link test page.
3.
4.
Click Begin.
Establish a mesh link between the MPP and the MAP by following these steps:
Configure the MAP and MPP: Select AP > AP Setup from the navigation tree, and click Add to configure the MAP and MPP. For more information, see "Create an MAP and MPP."
Configure a mesh service: After creating a mesh service and configuring a pre-shared key, you can bind the mesh service to the AP and enable the mesh service. For more information, see "Create a mesh service."
Configure a mesh policy: A mesh policy exists by default. You can create a mesh policy and bind the mesh policy to an AP. For more information, see "(Optional) Configure a mesh policy."
Mesh global setup: Configure an MKD-ID (which exists by default), and enable mesh portal service for the MPP. For more information, see "Configure mesh service globally."
Configure the same working channel, and enable the radio. For more information, see "Configure the same working channel and enable the radio on the MAP and MPP."
2.
Configure 802.11g service on the MAP to enable the client to access the WLAN network.
(Network diagram: the AC, an MPP, and a MAP joined to the MPP over an 802.11a mesh link, with a client served by the MAP.)
Configuring the AC
1.
On the page that appears, set the AP name to map, select the AP model WA2620-AGN, select
the serial ID manual, enter the AP serial ID, and click Apply.
Click Add.
d. On the page that appears, set the mesh service name to outdoor and click Apply.
After completing mesh service configuration, you enter the page shown in Figure 353.
Figure 352 Creating a mesh service
Click Apply.
3.
icon corresponding to the mesh service outdoor to enter the page for binding an
AP radio to a mesh service.
c.
d. Click Bind.
4.
(Optional) Configure a mesh policy (by default, the default mesh policy default_mp_plcy already
exists.)
NOTE:
A mesh policy exists by default. You can create a mesh policy and bind the mesh policy to an AP as
needed. By default, the default_mp_plcy mesh policy is mapped to an AP.
6.
a. (Optional) Select Wireless Service > Mesh Service from the navigation tree, and click the
Global Setup tab to enter the mesh global setup page to set the MKD-ID (By default, the MKD-ID
exists.)
b. Select the MPP that has wired connectivity with the AC to enable mesh portal service.
c.
Click Enable.
7.
Configure the same working channel and enable the radio on the MAP and MPP:
a. Select Radio > Radio from the navigation tree.
b. Click the
icon corresponding to the target MAP to enter the radio setup page.
c.
d. Click Apply.
You can follow this step to configure the working channel for the MPP. Note that the working
channel of the radio on the MPP must be the same as that on the MAP.
8.
Enable radio:
a. Select Radio > Radio from the navigation tree.
b. Select the radio modes to be enabled for the MAP and MPP.
c.
Click Enable.
The mesh link between the MAP and the MPP has been established, and they can ping each other.
After 802.11n(2.4GHz) is configured on the MAP, the client can access the network through the
mesh link.
Configure WLAN mesh so that the train MP forms links with the rail MPs during movement; one of these links is the active link and all others are dormant links.
Subway WLAN mesh configuration is basically the same as normal WLAN mesh configuration. Note the
following guidelines when you configure subway WLAN mesh:
1.
2.
Set the value of maximum links that an MP can form in a mesh network (the default value is 2.).
For more information, see "Configuring a mesh policy."
Figure 359 Network diagram
Configuring the AC
Subway mesh configuration differs from normal WLAN mesh configuration in the mesh policy
configuration of rail APs and train APs. Other configurations are the same. For more information, see
"Configuring the AC."
(Network diagram: the AC and AP 1 through AP 5, with AP 1 as the central node peered to AP 2 through AP 5.)
Configuration considerations
Configure a peer MAC address for each radio interface. Configure the MAC addresses of AP 2
through AP 5 on AP 1, and configure the MAC address of AP 1 on AP 2 through AP 5.
Set the value of maximum links that an MP can form in a mesh network (The default value is 2. It
should be set to 4 in this example.). For more information, see "Configuring a mesh policy."
Configuring the AC
Mesh configuration is the same as normal WLAN mesh configuration. For more information, see
"Configuring the AC."
Configuration considerations
1.
On Radio 1 of the MPP, configure Radio 1 of MP 1 as the peer MAC address. Similarly,
configure Radio 1 of the MPP as the peer MAC address on MP 1. Perform the same operation
for Radio 2 of MP 1 and Radio 1 of MP 2.
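Both of these considerations come down to the same two checks on the peer MAC address plan: every entry must be reciprocated (if a radio on AP 1 lists AP 2, the radio on AP 2 must list AP 1 back, or the link never forms), and no radio may list more peers than the Max Links value of its mesh policy. The following Python is an added example, not H3C code, that builds the plan for the point-to-multipoint case (AP 1 peered with AP 2 through AP 5) and for the tri-radio chain (uplink radio paired with the downlink radio above it) and reports violations before the addresses are typed into the AC. The MAC addresses in the demo are constructed sample values.

```python
"""Peer MAC address plans for a mesh and the consistency checks to run before
applying them. Added example, not H3C code."""
from collections import defaultdict


def normalize_mac(mac):
    """Accept 000f-e27b-3d90, 00:0f:e2:7b:3d:90 or 000fe27b3d90; return the
    xxxx-xxxx-xxxx form used on the AC pages."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def star_peer_plan(hub_mac, spoke_macs):
    """Point-to-multipoint: the hub radio lists every spoke, each spoke lists only the hub."""
    hub = normalize_mac(hub_mac)
    plan = {hub: set()}
    for spoke in map(normalize_mac, spoke_macs):
        plan[hub].add(spoke)
        plan[spoke] = {hub}
    return plan


def pair_peer_plan(radio_pairs):
    """Tri-radio chain: each (uplink radio, downlink radio) pair peers with each
    other; a multi-hop chain is one pair per hop."""
    plan = defaultdict(set)
    for a, b in radio_pairs:
        a, b = normalize_mac(a), normalize_mac(b)
        plan[a].add(b)
        plan[b].add(a)
    return dict(plan)


def check_peer_plan(plan, max_links=2):
    """Return sorted problem strings; an empty list means the plan is consistent.
    Checks: a radio peering with itself, more peers than the mesh policy's Max
    Links (default 2), and one-sided entries that would leave a link unformed."""
    problems = []
    for radio, peers in plan.items():
        if radio in peers:
            problems.append(f"{radio}: lists itself as a peer")
        if len(peers) > max_links:
            problems.append(f"{radio}: {len(peers)} peers exceed max links {max_links}")
        for peer in peers:
            if radio not in plan.get(peer, ()):
                problems.append(f"{radio} -> {peer}: {peer} does not list {radio} back")
    return sorted(problems)


if __name__ == "__main__":
    # Constructed addresses: AP 1 is the hub, AP 2 to AP 5 are the spokes.
    star = star_peer_plan("000f-e200-0001", ["000f-e200-0002", "000f-e200-0003",
                                             "000f-e200-0004", "000f-e200-0005"])
    print("default Max Links 2:", check_peer_plan(star, 2))
    print("Max Links raised to 4:", check_peer_plan(star, 4))
    chain = pair_peer_plan([("000f-e200-0010", "000f-e200-0011"),   # MPP R1 <-> MP 1 R1
                            ("000f-e200-0012", "000f-e200-0013")])  # MP 1 R2 <-> MP 2 R1
    print("tri-radio chain:", check_peer_plan(chain, 2))
```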
2.
Configuration procedure
The mesh configuration here is similar to a common wireless mesh configuration. For more information,
see "Configuring the AC."
As shown in Figure 363, establish an 802.11a mesh link between the MAP and MPP. The working
channel is automatically selected.
Enable one-time DFS. After that, the AC performs DFS for the radios when certain trigger conditions
are met on the channel.
Configuration considerations
The mesh configuration in this example is similar to a common wireless mesh configuration. Note the
following guidelines:
Configure the working channel mode of the radios that provide mesh services as auto.
Do not configure any wireless service on radios that provide mesh services.
Configuration procedure
The mesh configuration is the same as the normal WLAN mesh configuration. For configuration
procedures, see "Normal WLAN mesh configuration example." Perform the following operations after
completing mesh configuration:
1.
On the page that appears, enter the calibration interval 3 and click OK.
2.
On the page that appears, select the Manual box for Dynamic Channel Select.
d. Click OK.
3.
Select Wireless Service > Mesh Service from the navigation tree.
2.
Click the Mesh Channel Optimize tab to enter the Mesh Channel Optimize tab.
3.
4.
2.
3.
Click Apply.
Description
Service status
IP type
Source address
Auth mode
Auth key
2.
3.
Click Add.
4.
Click Apply.
Description
Add the IP address of an AC to a roaming group.
IP address
IMPORTANT:
When you configure a roaming group, the roaming group name configured
for the ACs in the same roaming group must be the same.
Item
VLAN
Description
Configure the VLAN to which the roaming group member belongs.
This configuration item is optional.
NOTE:
The user profile configurations of the ACs in a roaming group must be the same. For more information,
see "User configuration."
The ACs in a roaming group cannot be configured as hot backup ACs.
By clicking a target client, you can view the detailed information and roaming information of the client.
The detailed information and roaming information of a client you can view by selecting Roam > Client
Information are the same as those you can view by selecting Summary > Client. For the related
information, see "Summary."
(Network diagram: the AC connected through an L2 switch to AP 1, BSSID 000f-e27b-3d90, and AP 2, BSSID 000f-e233-5500, both in VLAN 1, with a client roaming from AP 1 to AP 2.)
Configuring the AC
NOTE:
If remote authentication is required in the authentication mode you select, configure the RADIUS server.
For how to configure the RADIUS server, see "AAA configuration."
1.
On the page that appears, set the AP name to ap1, select the AP model WA2620-AGN, select
manual from the Serial ID list, enter the serial ID of the AP, and click Apply.
On the page that appears, set the service name to Roam, and click Apply.
NOTE:
For how to configure the authentication mode, see "Access service configuration." However, fast roaming
can be implemented only when the RSN+802.1X authentication mode is adopted.
3.
4.
Click Enable.
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the
icon corresponding to the wireless service Roam to enter the page for binding
AP radio.
c.
Select the box before ap1 with radio type 802.11n(2.4GHz), and the box before ap2 with
radio type 802.11n(2.4GHz).
d. Click Bind.
5.
and select the box before ap2 with the radio mode 802.11n(2.4GHz).
c.
Click Enable.
Click the desired client to view the roaming information of the client.
From the roaming information, you can see that the client accesses the WLAN through AP 1,
and the BSSID of AP 1 is 000f-e27b-3d90 (see Figure 374.).
d. Click Refresh.
On the page that appears, you can see that the client is connected to the WLAN through AP
2, and the BSSID of AP 2 is 000f-e233-5500.
Figure 375 Client status after intra-AC roaming
2.
Configuration guidelines
When you configure intra-AC roaming, the SSIDs of the two APs must be the same. The same wireless
service must be bound to the radios of the two APs in Bind AP radios to the wireless service.
Configuring AC 1 and AC 2
NOTE:
If remote authentication is required in the authentication mode you select, configure the RADIUS server.
For how to configure the RADIUS server, see "AAA configuration."
1.
NOTE:
For the configuration of authentication mode, see "Access service configuration." Fast roaming
supporting key caching can be implemented only when RSN+802.1X authentication is adopted.
2.
list, enter 192.168.1.100 for Source address, the IP address of AC 1, enter the IP address of
AC 2 in the member list, and click Add.
c.
Click Apply.
d. Create a roaming group on AC 2. The source address is the IP address of AC 2, and the
b. On AC 2, select Roam > Roam Group from the navigation tree, and you can see that the group
2.
View connection information about the client that is associated with the AP, and the Roam Status
field in the client detailed information:
a. Before roaming, select Summary > Client from the navigation tree on AC 1.
The client has roamed from AP 1 to AP 2, so no client information is displayed on the page.
c.
d. Select the Detail Information tab, and then click the desired client.
You will see that Inter-AC roam association is displayed in the Roam Status field, which
indicates that the client has roamed to AP 2.
Figure 382 Verifying inter-AC roaming
4.
Information tab, and click the desired client to view the roaming information of the client.
The roaming information in Figure 383 shows that the client connects to the WLAN through AP
1, and the BSSID of AP 1 is 000f-e27b-3d90.
b. Select Summary > Client, from the navigation tree on AC 2, select the Detail Information tab,
and click the desired client to view the roaming information of the client.
The roaming information in Figure 384 shows that the client connects to the WLAN through AP
2, and the BSSID of AP 2 is 000f-e233-5500.
Figure 384 Client status after intra-AC roaming
Configuration guidelines
Follow these guidelines when you configure inter-AC roaming:
The SSIDs and the authentication and encryption modes of two APs should be the same.
Radio configuration
Radio overview
Radio frequency (RF) refers to electrical signals that can propagate through space over long distances.
802.11b/g in the IEEE 802.11 standards operates at the 2.4 GHz band, 802.11a operates at the 5 GHz
band, and 802.11n operates at both the 2.4 GHz and 5 GHz bands. Radio frequency is allocated in
bands, each of which corresponds to a range of frequencies.
Retransmission: APs retransmit data if they do not receive ACK messages from the AC.
Radar signal detected on a working channel: The AC immediately notifies the AP to change its working channel.
If the first three conditions are met, the AC calculates the channel quality. The AP does not use the new
channel until the channel quality difference between the new and old channels exceeds the tolerance
level.
As shown in Figure 387, when AP 3 fails or goes offline, the other APs increase their transmission power
to cover the signal blackhole.
Radio setup
Configuring radio parameters
1.
2.
Click the
3.
Description
AP Name
Radio Unit
Radio Mode
Transmit Power
Channel
802.11n
bandwidth mode
client dot11n-only
If you select the client dot11n-only option, non-802.11n clients are prohibited
from access. If you want to provide access for all 802.11a/b/g clients, you
must disable this function.
Item
Description
Select the A-MSDU option to enable A-MSDU.
A-MSDU
Multiple MAC Service Data Units (MSDU) can be aggregated into a single
A-MSDU. This reduces the MAC header overhead and thus improves MAC
layer forwarding efficiency.
At present, only A-MSDUs can be received.
IMPORTANT:
When 802.11n radios are used in a mesh WLAN, ensure that they have the
same A-MSDU configuration.
Select the A-MPDU option to enable A-MPDU.
A-MPDU
802.11n introduces the A-MPDU frame format. By using only one PHY header,
each A-MPDU can accommodate multiple Message Protocol Data Units
(MPDUs) which have their PHY headers removed. This reduces the overhead in
transmission and the number of ACK frames to be used, and thus improves
network throughput.
IMPORTANT:
When 802.11n radios are used in a mesh WLAN, ensure that they have the
same A-MPDU configuration.
short GI
Select short GI to enable short GI. The 802.11a/g GI is 800 ns. You can configure a 400 ns short GI for 802.11n. The short GI increases the throughput by 10 percent.
4.
5.
6.
Click Apply.
Description
Preamble is a pattern of bits at the beginning of a frame so that the receiver
can sync up and be ready for the real data.
point and some legacy client devices. Therefore, you can select this option
to make legacy client devices support short preamble.
ANI
Adaptive Noise Immunity (ANI). After the ANI function is enabled, the device automatically adjusts the noise immunity level according to the surrounding signal environment to eliminate RF interference.
Enable: Enable ANI.
Disable: Disable ANI.
Fragment Threshold
Specify the maximum length of frames that can be transmitted without fragmentation. When the length of a frame exceeds the specified fragment threshold value, it is fragmented.
In a wireless network where error rate is high, you can decrease the
Beacon Interval
Interval for sending beacon frames. Beacon frames are transmitted at a regular
interval to allow mobile clients to join the network. Beacon frames are used for
a client to identify nearby APs or network control devices.
Item
Description
There are two data collision avoidance mechanisms, RTS/CTS and CTS-to-self.
RTS (CTS)
DTIM Period
Number of retransmission attempts for unicast frames larger than the RTS/CTS
threshold.
Interval for which a frame received by an AP can stay in the buffer memory.
Enabling a radio
1.
Select Radio > Radio from the navigation tree to enter the radio setup page.
2.
3.
Click Enable.
Select Radio > Radio from the navigation tree to enter the page as shown in Figure 391.
2.
3.
Select Radio > Radio from the navigation tree to enter the page as shown in Figure 392.
2.
3.
Select Radio > Rate from the navigation tree to enter the rate setting page.
2.
3.
Click Apply.
Description
Configure rates (in Mbps) for 802.11a.
By default:
802.11a
Item
Description
Configure rates (in Mbps) for 802.11g.
By default:
802.11g
802.11n data rates at 20 MHz channel bandwidth (Mbps)
MCS index   Spatial streams   Modulation   800 ns GI   400 ns GI
0           1                 BPSK         6.5         7.2
1           1                 QPSK         13.0        14.4
2           1                 QPSK         19.5        21.7
3           1                 16-QAM       26.0        28.9
4           1                 16-QAM       39.0        43.3
5           1                 64-QAM       52.0        57.8
6           1                 64-QAM       58.5        65.0
7           1                 64-QAM       65.0        72.2
8           2                 BPSK         13.0        14.4
9           2                 QPSK         26.0        28.9
10          2                 QPSK         39.0        43.3
11          2                 16-QAM       52.0        57.8
12          2                 16-QAM       78.0        86.7
13          2                 64-QAM       104.0       115.6
14          2                 64-QAM       117.0       130.0
15          2                 64-QAM       130.0       144.4

802.11n data rates at 40 MHz channel bandwidth (Mbps)
MCS index   Spatial streams   Modulation   800 ns GI   400 ns GI
0           1                 BPSK         13.5        15.0
1           1                 QPSK         27.0        30.0
2           1                 QPSK         40.5        45.0
3           1                 16-QAM       54.0        60.0
4           1                 16-QAM       81.0        90.0
5           1                 64-QAM       108.0       120.0
6           1                 64-QAM       121.5       135.0
7           1                 64-QAM       135.0       150.0
8           2                 BPSK         27.0        30.0
9           2                 QPSK         54.0        60.0
10          2                 QPSK         81.0        90.0
11          2                 16-QAM       108.0       120.0
12          2                 16-QAM       162.0       180.0
13          2                 64-QAM       216.0       240.0
14          2                 64-QAM       243.0       270.0
15          2                 64-QAM       270.0       300.0
For example, if you specify the maximum MCS index as 5 for mandatory rates, rates corresponding to
MCS indexes 0 through 5 are configured as 802.11n mandatory rates.
Mandatory rates must be supported by the AP and the clients that want to associate with the AP.
Supported rates allow some clients that support both mandatory and supported rates to choose
higher rates when communicating with the AP.
1. Select Radio > Rate from the navigation tree to enter the rate setting page.
2.
3. Click Apply.
Set the maximum MCS index for 802.11n mandatory rates.
IMPORTANT:
If you select the client dot11n-only option, you must configure the mandatory
maximum MCS.
Multicast MCS
Set the multicast MCS for 802.11n.
The multicast MCS is adopted only when all the clients use 802.11n. If a
non-802.11n client exists, multicast traffic is transmitted at a mandatory MCS data
rate.
IMPORTANT:
If you configure a multicast MCS index greater than the maximum MCS
index supported by the radio, the maximum MCS index is adopted.
When the multicast MCS takes effect, the corresponding data rates defined
for 20 MHz are adopted no matter whether the 802.11n radio operates in
40 MHz mode or in 20 MHz mode.
NOTE:
When 802.11n radios are used in a mesh WLAN, make sure that they have the same MCS configuration.
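The rates in the two 802.11n tables above follow from the PHY parameters (data subcarriers per channel width, coded bits per subcarrier, coding rate, and OFDM symbol time with the long or short guard interval). The following Python example is added here and is not part of the H3C guide; it recomputes both tables and applies the mandatory-rate and multicast-MCS rules stated above. The MCS-to-modulation mapping and the subcarrier and symbol-time constants are standard 802.11n values, not taken from this page.

```python
"""Recompute the 802.11n MCS rate tables and apply the guide's MCS rules.

rate (Mbps) = streams * bits_per_subcarrier * coding_rate * data_subcarriers / symbol_time_us
Results are rounded to one decimal, as the guide prints them.
"""
from fractions import Fraction

# Modulation, coded bits per subcarrier and coding rate for MCS 0-7 (one spatial stream);
# MCS 8-15 reuse the same scheme with two spatial streams. Standard 802.11n values.
_MCS_BASE = [
    ("BPSK", 1, Fraction(1, 2)),
    ("QPSK", 2, Fraction(1, 2)),
    ("QPSK", 2, Fraction(3, 4)),
    ("16-QAM", 4, Fraction(1, 2)),
    ("16-QAM", 4, Fraction(3, 4)),
    ("64-QAM", 6, Fraction(2, 3)),
    ("64-QAM", 6, Fraction(3, 4)),
    ("64-QAM", 6, Fraction(5, 6)),
]
DATA_SUBCARRIERS = {20: 52, 40: 108}   # HT20 / HT40 data subcarriers
SYMBOL_TIME_US = {800: 4.0, 400: 3.6}  # OFDM symbol time with 800 ns / 400 ns guard interval


def mcs_params(mcs):
    """Return (spatial streams, modulation, coded bits per subcarrier, coding rate)."""
    if not 0 <= mcs <= 15:
        raise ValueError("single- and dual-stream MCS indexes are 0-15")
    modulation, bits, rate = _MCS_BASE[mcs % 8]
    return mcs // 8 + 1, modulation, bits, rate


def mcs_rate_mbps(mcs, bandwidth_mhz=20, gi_ns=800):
    """Data rate in Mbps for an MCS index at the given channel width and guard interval."""
    streams, _, bits, rate = mcs_params(mcs)
    bits_per_symbol = streams * bits * rate * DATA_SUBCARRIERS[bandwidth_mhz]
    return round(float(bits_per_symbol) / SYMBOL_TIME_US[gi_ns], 1)


def mandatory_rates(max_mcs, bandwidth_mhz=20, gi_ns=800):
    """Rates that become mandatory when the maximum MCS index is set (indexes 0..max_mcs)."""
    return [mcs_rate_mbps(i, bandwidth_mhz, gi_ns) for i in range(max_mcs + 1)]


def multicast_rate(multicast_mcs, radio_max_mcs):
    """Multicast rate under the guide's rules: an index above the radio's maximum is
    clamped to that maximum, and the 20 MHz rate applies even in 40 MHz mode."""
    return mcs_rate_mbps(min(multicast_mcs, radio_max_mcs), 20)


def print_table(bandwidth_mhz):
    print(f"{bandwidth_mhz} MHz  MCS  streams  modulation  800ns GI  400ns GI")
    for mcs in range(16):
        streams, modulation, _, _ = mcs_params(mcs)
        long_gi = mcs_rate_mbps(mcs, bandwidth_mhz, 800)
        short_gi = mcs_rate_mbps(mcs, bandwidth_mhz, 400)
        print(f"        {mcs:>3}  {streams:>7}  {modulation:<10}  {long_gi:>8}  {short_gi:>8}")


if __name__ == "__main__":
    print_table(20)
    print_table(40)
    print("mandatory rates for max MCS 5:", mandatory_rates(5))
    print("multicast rate for MCS 15 on a radio limited to MCS 7:", multicast_rate(15, 7))
```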
1. Select Radio > Scan from the navigation tree to enter the page for setting channel scanning.
2.
3. Click Apply.
Scan Mode
Set the scan mode.
Auto: Legal channels with the scanning mode under country code are
scanned.
Scan Type
request. This scanning mode enables a client to discover APs more easily.
If you set active scanning for the AP, it is more likely to discover devices in the
WLAN.
Scan Interval
Set the scan report interval.
If an AP has the monitoring function, the scan report interval will affect whether
the scanning results can be processed in time and the frequency of message
exchanges. Therefore, you need to set the interval properly according to the
actual network conditions.
Configuring calibration
Parameter setting
1.
2.
3.
4. Click Apply.
NOTE:
Channel switching results in temporary service interruption, so use the dynamic channel adjustment
function with caution.
Table 120 Configuration items
Item
Description
Basic Setup
Calibration Interval
802.11g Protection Mode
RTS/CTS: Use RTS/CTS mode to implement 802.11g protection. Before
802.11n Protection Mode
or non-802.11n clients exist within the coverage of the AP, you need to
enable 802.11n protection.
Channel Setup
Before configuring channel adjustment, make sure that the AC adopts the auto channel
adjustment mode (for more information, see "Configuring radio parameters"). Otherwise,
channel adjustment does not work.
If you lock the channel first, and then enable channel adjustment (by selecting Dynamic
Channel Select), channel adjustment does not work because the channel is locked. Before
enabling channel adjustment, make sure that the channel is not locked.
If you enable channel adjustment and then lock the channel, the last selected channel is
locked.
For how to lock the channel, see "Locking the channel."
Dynamic Channel Select
Close: Disables the DFS function.
Auto: With auto DFS enabled, an AC performs DFS for a radio when
certain trigger conditions are met on the channel, and returns the result to
the AP after a calibration interval (the default calibration interval is 8
minutes, which can be set through the Calibration Interval option). After
that, the AC will make DFS decisions at the calibration interval
automatically.
Manual:
for the radio when certain trigger conditions are met on the channel, and
returns the result to the AP after a calibration interval. After that, if you
want the AC to perform DFS for the radio, you have to make this
configuration again.
IMPORTANT:
If you select the manual mode, click Calibration on the Calibration page every
time you perform channel calibration.
CRC Error Threshold
Channel Interference Threshold
Tolerance Factor
A new channel is selected when either the configured CRC error threshold or
interference threshold is exceeded on the current channel. However, the new
channel is not applied until the quality of the current channel is worse than
that of the new channel by the tolerance threshold.
Spectrum Management
Power Setup
If you lock the power first, and then enable power adjustment (by selecting Dynamic
Channel Select), power adjustment does not work because the power is locked. Therefore,
before enabling power adjustment, make sure that the power is not locked.
If you enable power adjustment and then lock the power, the last selected power is locked.
For how to lock the power, see "Locking the power."
Dynamic Power Select
If you select the manual mode, click Calibration on the Calibration page every
time you perform channel calibration.
Max Neighbor Count
Specify the maximum number of neighbors, which are managed by the same
AC.
Power Constraint
Set the power constraint for all 802.11a radios. After power constraint is set,
the transmission power of a client is the current transmission power minus the
configured power constraint value.
IMPORTANT:
Enable spectrum management before configuring the power constraint;
otherwise, the configuration does not take effect.
2.
3. Click Add.
The Radio Group page appears.
4.
5. Click Apply.
Group ID
Description
Channel Holddown Interval
Power Holddown Interval
Radio List
Select the target radios from the Radios Available area, and then click << to add them
Select the radios to be removed from the Radios Selected area, and then click >> to remove
them from the radio group.
Calibration operations
NOTE:
If RRM is not enabled, or the radio to be displayed works on a fixed channel, you can only view the work
channel and the power of the radio on the Operations tab in the Radio > Calibration page. Other
information such as interference observed and the number of neighbors is displayed when RRM is
enabled, that is, dynamic power selection or automatic dynamic frequency selection is enabled. For the
configuration of RRM parameters, see "Parameter setting."
2.
3. Click the desired radio to enter the page for displaying channel status.
Description
Channel No
Running channel.
Neighbor Num
Load (%)
Utilization (%)
Channel utilization.
Interference (%)
Radar Detect
2.
3. Click the desired radio to enter the page for displaying neighbor information.
Description
AP MAC Address
Channel No
Running channel.
Interference (%)
RSSI (dBm)
AP Type
2.
3. Click the desired radio to enter the page for displaying neighbor information.
Description
Radio
Basic BSSID
Chl
Channel on which the radio operates in case of the change of channel or power.
Power
Load
Load observed on the radio in percentage in case of the change of channel or power.
Util
Intf
PER
Retry
Reason
Reason for the change of channel or power, such as Interference, packets discarded,
retransmission, radar or coverage.
Date
Time
Antenna
1. Select Radio > Antenna to select an appropriate antenna for the corresponding radio.
2. Select the antenna type, Internal Antenna, or User-Default external antenna, for a specific radio
from the Antenna list.
3. Click Apply.
Configuration procedure
1.
2.
d. Click Apply.
3.
You can view the channel status on the Operation tab you enter by selecting Radio > Calibration
from the navigation tree.
After you perform manual channel calibration, the AC informs the AP of the adjusted channel after
a calibration interval.
You can view the detailed information, such as the specific reason for channel adjustment, on the
History Info tab you enter by selecting Radio > Calibration from the navigation tree, clicking
Operation, and then clicking History Info.
Configuration guidelines
If you select manual channel adjustment, click Channel Optimize on the Operation tab every time you
perform manual channel adjustment.
Configuration procedure
1.
2.
d. Click Apply.
You can view the power of each AP on the Operation tab you enter by selecting Radio > Calibration
from the navigation tree.
When AP 4 joins (the adjacency number becomes 3), the maximum number of neighbors reaches
the upper limit (3 by default), and the AC performs power adjustment after the calibration interval.
You can view the detailed information, such as decrease of the Tx power value, on the History Info
tab you enter by selecting Radio > Calibration from the navigation tree, selecting the Operation tab,
and then selecting History Info.
Configure automatic channel adjustment so that the AC can automatically switch the channel when
the signal quality on a channel is degraded to a certain level.
Configure automatic power adjustment so that the AC can automatically adjust the power when the
third neighbor is discovered (or in other words, when AP 4 joins) to avoid interference.
Add radio 2 of AP 1 and radio 2 of AP 2 to a radio group to prevent frequent channel or power
adjustments for the radios.
Configuration procedure
1.
2. Select Auto from the Dynamic Channel Select list, select Auto from the Dynamic Power Select list,
and click Apply.
3. Click Add.
d. On the page that appears, enter the channel holddown interval 20 and enter the power
Selected area.
f. Click Apply.
The working channel of radio 2 of AP 1 and that of radio 2 of AP 2 do not change within 20
minutes after each automatic channel adjustment.
The power of radio 2 of AP 1 and that of radio 2 of AP 2 do not change within 30 minutes after
each automatic power adjustment.
Configuring 802.1X
802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN
committee for the security of wireless LANs (WLANs). It has been widely used on Ethernet networks for
access control.
802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
You can also configure the port security feature to perform 802.1X. Port security combines and extends
802.1X and MAC authentication. It applies to a network, a WLAN, for example, that requires different
authentication methods for different users on a port. Port security is beyond the scope of this chapter. It
is described in Security Configuration Guide for the product.
802.1X architecture
802.1X operates in the client/server model. It comprises three entities: client (the supplicant), the network
access device (the authenticator), and the authentication server, as shown in Figure 410.
Figure 410 802.1X architecture (client, device, and authentication server)
The client is a user terminal seeking access to the LAN. It must have 802.1X software to authenticate
to the network access device.
The network access device authenticates the client to control access to the LAN. In a typical 802.1X
environment, the network access device uses an authentication server to perform authentication.
The authentication server is the entity that provides authentication services for the network access
device. It authenticates 802.1X clients by using the data sent from the network access device, and
returns the authentication results for the network access device to make access decisions. The
authentication server is typically a Remote Authentication Dial-in User Service (RADIUS) server. In a
small LAN, you can also use the network access device as the authentication server.
For more information about the 802.1X protocol, see H3C WX Series Access Controllers Security
Configuration Guide.
With port-based access control, once an 802.1X user passes authentication on a port, any
subsequent user can access the network through the port without authentication. When the
authenticated user logs off, all other users are logged off.
With MAC-based access control, each user is separately authenticated on a port. When a user logs
off, no other online users are affected.
Configuring 802.1X
Configuration prerequisites
Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users. For
more information, see "Configuring AAA" and "Configuring RADIUS."
If local authentication is used, create local user accounts on the access device and set the service
type to LAN-access.
If you want to use EAP relay when the RADIUS server does not support any EAP authentication
method or no RADIUS server is available, configure the EAP server function on your network access
device.
NOTE:
Configure 802.1X on a wired port. Wireless ports support only the port security feature, and the port
security is enabled by default on the wireless ports.
Required.
1.
2.
3. Select an authentication method for 802.1X users. Options include CHAP, PAP, and EAP.
CHAP: Sets the access device to perform EAP termination and use the CHAP to communicate
with the RADIUS server.
PAP: Sets the access device to perform EAP termination and use the PAP to communicate with
the RADIUS server.
EAP: Sets the access device to relay EAP packets, and supports any of the EAP authentication
methods to communicate with the RADIUS server.
NOTE:
When you configure EAP relay or EAP termination, consider the following factors:
Whether the RADIUS server supports EAP packets.
The authentication methods supported by the 802.1X client and the RADIUS server.
If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP
authentication initiated by an H3C iNode 802.1X client, you can use either EAP termination or EAP relay.
To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay.
4.
5.
6. Click Apply.
Quiet
Specify whether to enable the quiet timer.
The quiet timer enables the network access device to wait a period of time before it can
process any authentication request from a client that has failed an 802.1X authentication.
Quiet Period
Retry Times
TX Period
The timer starts when the device sends an EAP-Request/Identity packet to a client in
The timer also sets the interval at which the network device sends multicast
EAP-Request/Identity packets to detect clients that cannot actively request
authentication.
Handshake Period
The timer sets the interval at which the access device sends client handshake requests to
check the online status of a client that has passed authentication. If the device receives no
response after sending the maximum number of handshake requests, it considers that the
client has logged off. For information about how to enable the online user handshake
function, see "Configuring 802.1X on a port."
Re-Authentication Period
Set the periodic online user re-authentication timer.
The timer sets the interval at which the network device periodically re-authenticates online
802.1X users. The change to the periodic re-authentication timer applies to the users that
have been online only after the old timer expires. For information about how to enable
periodic online user re-authentication on a port, see "Configuring 802.1X on a port."
Supplicant Timeout Time
Set the client timeout timer.
Server Timeout Time
TIP:
You can set the client timeout timer to a high value in a low-performance network, and adjust the
server timeout timer to adapt to the performance of different authentication servers. In most cases,
the default settings are sufficient.
IMPORTANT:
Do not change the timer parameters of global 802.1X from their default values unless you have
determined that the changes would better the interaction process.
1. From the navigation tree, select Authentication > 802.1X to enter the page, as shown in Figure
411.
The Ports With 802.1X Enabled area shows the 802.1X configuration on ports.
2. Click Add.
3.
4. Click Apply.
Port
Select the port to be enabled with 802.1X authentication. Only 802.1X-disabled ports
are available.
NOTE:
802.1X is mutually exclusive with link aggregation group configuration on a port.
Port Control
Set the access control method for the port, which can be MAC Based or Port Based.
NOTE:
To use both 802.1X and portal authentication on a port, you must select MAC Based.
Port Authorization
Select the port authorization state for 802.1X.
Options include:
Auto: Places the port initially in unauthorized state to allow only EAPOL packets to
pass, and after a user passes authentication, sets the port in authorized state to allow
access to the network. You can use this option in most scenarios.
Max Number of Users
Enable Handshake
The online user handshake function checks the connectivity status of online 802.1X users.
The network access device sends handshake messages to online users at the interval
specified by the Handshake Period setting. If no response is received from an online user
after the maximum number of handshake attempts (set by the Retry Times setting) has
been made, the network access device sets the user in offline state. For information about
the timers, see Table 125.
NOTE:
If the network has 802.1X clients that cannot exchange handshake packets with the network
access device, disable the online user handshake function to prevent their connections from
being inappropriately torn down.
Enable Re-Authentication
Specify whether to enable periodic online user re-authentication on the port.
Periodic online user re-authentication tracks the connection status of online users and
updates the authorization attributes assigned by the server, such as the ACL, and VLAN.
The re-authentication interval is specified by the Re-Authentication Period setting in Table
125.
NOTE:
The periodic online user re-authentication timer can also be set by the authentication
server in the session-timeout attribute. The server-assigned timer overrides the timer
setting on the access device, and enables periodic online user re-authentication, even
if the function is not configured. Support for the server assignment of re-authentication
timer and the re-authentication timer configuration on the server vary with servers.
The VLAN assignment status must be consistent before and after re-authentication. If
the authentication server has assigned a VLAN before re-authentication, it must also
assign a VLAN at re-authentication. If the authentication server has assigned no VLAN
before re-authentication, it must not assign one at re-authentication. Violation of either
rule can cause the user to be logged off. The VLANs assigned to an online user before
and after re-authentication can be the same or different.
Guest VLAN
Specify an existing VLAN as the guest VLAN. For more information, see "Configuring an
802.1X guest VLAN."
Select the box to enable MAC-based VLAN.
NOTE:
Only hybrid ports support the feature.
Auth-Fail VLAN
Specify an existing VLAN as the Auth-Fail VLAN to accommodate users that have failed
802.1X authentication.
For more information, see "Configuring an Auth-Fail VLAN."
Configuration guidelines:
You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on
different ports can be different.
Assign different IDs to the default VLAN and the 802.1X guest VLAN on a port, so the port can
correctly process incoming VLAN-tagged traffic.
With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged
member. After the assignment, do not re-configure the port as a tagged member in the VLAN.
Use Table 127 when you configure multiple security features on a port.
Table 127 Relationships of the 802.1X guest VLAN and other security features
Feature
Relationship description
Only the 802.1X guest VLAN takes effect. A user that fails
MAC authentication will not be assigned to the MAC
authentication guest VLAN.
The 802.1X guest VLAN function has higher priority than the
block MAC action but lower priority than the shut down port
action of the port intrusion protection feature.
Configuration prerequisites:
Create the VLAN to be specified as the 802.1X guest VLAN.
If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger
at the command-line interface (CLI). (802.1X multicast trigger is enabled by default.)
If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid
port, enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as
an untagged member.
Configuration guidelines:
Assign different IDs to the default VLAN and the 802.1X Auth-Fail VLAN on a port, so the port can
correctly process incoming VLAN-tagged traffic.
Use Table 128 when you configure multiple security features on a port.
Table 128 Relationships of the 802.1X Auth-Fail VLAN with other features
Feature
Relationship description
Configuration prerequisites:
Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.
If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger.
(802.1X multicast trigger is enabled by default.)
If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid
port, enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an
untagged member.
Figure: portal system components are the authentication clients, the access device, the portal
server, and the authentication/accounting server.
1. When an unauthenticated user enters a website address in the address bar of the browser to
access the Internet, an HTTP request is created and sent to the access device, which redirects the
HTTP request to the web authentication homepage of the portal server. For extended portal
functions, authentication clients must run the portal client software.
2. On the authentication homepage/authentication dialog box, the user enters and submits the
authentication information, which the portal server then transfers to the access device.
3. Upon receipt of the authentication information, the access device communicates with the
authentication/accounting server for authentication and accounting.
4. After successful authentication, the access device checks whether there is a corresponding security
policy for the user. If not, it allows the user to access the Internet. Otherwise, the client
communicates with the access device and the security policy server for security check. If the client
passes security check, the security policy server authorizes the user to access the Internet
resources.
NOTE:
The web interface of the device supports configuring portal authentication only on Layer 3 interfaces. For
more information about portal authentication, see H3C WX Series Access Controllers Security
Configuration Guide.
The portal authentication-enabled interfaces of the access device are configured with valid IP
addresses or have obtained valid IP addresses through DHCP.
The portal server and the RADIUS server have been installed and configured properly. Local portal
authentication requires no independent portal server.
With re-DHCP authentication, the invalid IP address check function of DHCP relay is enabled on the
access device, and the DHCP server is installed and configured properly.
With RADIUS authentication, usernames and passwords of the users are configured on the RADIUS
server, and the RADIUS client configurations are performed on the access device. For information
about RADIUS client configuration, see "Configuring RADIUS."
To implement extended portal functions, install and configure IMC EAD, and make sure that the
ACLs configured on the access device correspond to those specified for the resources in the
quarantined area and for the restricted resources on the security policy server. For information
about security policy server configuration on the access device, see "Configuring RADIUS."
Step
Remarks
1.
Required.
2. Configuring advanced parameters for portal authentication
Optional.
Specify an auto redirection URL, set the time that the device must wait
before redirecting an authenticated user to the auto redirection URL,
and add web proxy server port numbers.
3.
Optional.
Configure a portal-free rule, specifying the source and destination
information for packet filtering.
TIP:
On the page shown in Figure 415, the portal service applied on a Layer 3 interface can be in either of the
following states:
Running: Portal authentication has taken effect on the interface.
Enabled: Portal authentication has been enabled on the interface but has not taken effect.
2.
3.
4. Click Apply.
Description
Interface
Portal Server
Select Server: Select an existing portal server from the Portal Server list.
New Server: If you select this option from the list, the portal server configuration area,
as shown in Figure 417, will be displayed at the lower part of the page. You can add
a remote portal server and apply the portal server to the interface. For detailed
configuration, see Table 130.
Enable Local Server: If you select this option from the list, the local portal service
configuration area, as shown in Figure 418, will be displayed at the lower part of the
page. You can configure the parameters for local portal service. For detailed
configuration, see Table 131.
Specify the portal authentication mode, which can be:
In re-DHCP portal authentication mode, a client is allowed to send out packets using
If the local portal server is used, you can configure the re-DHCP mode but it does not
take effect.
Auth Network IP
Network Mask
Specify the IP address and mask of the authentication subnet. This field is configurable
when you select the Layer3 mode (cross-subnet portal authentication).
By configuring an authentication subnet, you specify that only HTTP packets from users on
the authentication subnet can trigger portal authentication. If an unauthenticated user is
not on any authentication subnet, the access device discards all the user's HTTP packets
that do not match any portal-free rule.
IMPORTANT:
The authentication subnet in direct mode is any source IP address, and that in re-DHCP
mode is the private subnet to which the interface's private IP address belongs.
Authentication Domain
Specify the authentication domain for Layer 3 portal users.
After you specify an authentication domain on a Layer 3 interface, the device will use the
authentication domain for authentication, authorization, and accounting (AAA) of the
portal users on the interface, ignoring the domain names carried in the usernames. You
can specify different authentication domains for different interfaces as needed.
The available authentication domains are those specified on the page you enter by
selecting Authentication > AAA from the navigation tree. For more information, see
"Configuring AAA."
Description
Server Name
IP
Key
Enter the shared key to be used for communication between the device and the remote
portal server.
Port
URL
IMPORTANT:
Redirection URL supports domain name resolution; however, you must configure a
portal-free rule and add the DNS server address into the portal-free address range.
Description
Server Name
IP
Specify the IP address of the local portal server. You need to specify the IP address of
the interface where the local portal server is applied.
URL
Specify the URL for HTTP packets redirection, in the format
http://ip-address/portal/logon.htm or https://ip-address/portal/logon.htm
(depending on the protocol type).
By default, the IP address of the local portal server is used in the URL.
IMPORTANT:
To use the local portal server for stateful failover in a wireless environment, you must
specify the redirection URL, and the IP address of the URL must be the virtual IP
address of the VRRP group where the VRRP downlink resides.
URL redirection supports domain name resolution, but you need to configure a
portal-free rule and add the DNS server address into the portal-free address range.
Protocol
Specify the protocol to be used for authentication information exchange between the
local portal server and the client. It can be HTTP or HTTPS.
PKI Domain
Specify the PKI domain for HTTPS. This field is configurable when you select HTTPS.
The available PKI domains are those specified on the page you enter by selecting
Authentication > Certificate Management from the navigation tree. For more
information, see "Managing certificates."
IMPORTANT:
The service management, local portal authentication, and local EAP service modules
always reference the same PKI domain. Changing the referenced PKI domain in any of the
three modules will also change that referenced in the other two modules.
SSID Page Customization
Page File
Specify the authentication page files to be bound with SSIDs as required.
After you bind SSIDs with authentication page files, when a user accesses the portal
page, the local portal server pushes the authentication pages for the user according to
the SSID of the user login interface and the bound authentication page file.
By default, an SSID is not bound with any authentication page file. In this case, the
system pushes the default authentication pages.
You can edit an authentication page file as required and save it in the root directory or
the portal directory under the root directory of the access device. For rules of
customizing authentication pages, see "Customizing authentication pages."
2. Expand the Advanced area to show the advanced parameters for portal authentication.
3.
4. Click Apply.
Description
Add the web proxy server ports to allow HTTP requests proxied by the specified proxy
servers to trigger portal authentication. By default, only HTTP requests that are not
proxied can trigger portal authentication.
Different clients may have different web proxy configurations. To make sure that clients
using a web proxy can trigger portal authentication, you must first complete some other
relevant configurations. When the IMC portal server is used, you must first complete the
following configurations:
If the client does not specify the portal server's IP address as a proxy exception, ensure
the IP connectivity between the portal server and the web proxy server and perform
the following configurations on the IMC portal server:
Select NAT as the type of the IP group associated with the portal device.
If the client specifies the portal server's IP address as an exception of the web proxy
server, configure the IP group and port group to not support NAT.
IMPORTANT:
If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover
web proxy servers, add the port numbers of the web proxy servers on the device, and
configure portal-free rules to allow user packets destined for the IP address of the
WPAD server to pass without authentication.
If the web proxy server port 80 is added on the device, clients that do not use a proxy
server can trigger portal authentication only when they access a reachable host
enabled with the HTTP service.
Authorized ACLs to be assigned to users who have passed portal authentication must
contain a rule that permits the web proxy server's IP address. Otherwise, the user cannot
receive heartbeat packets from the remote portal server.
Redirection URL
Specify the auto redirection URL to which users will be automatically redirected after they
pass portal authentication.
Wait-Time
2.
3. Click Add.
The page for adding a new portal-free rule appears.
4.
5. Click Apply.
Description
Number
Source-interface
Source IP address
Mask
Source MAC
IMPORTANT:
If you configure both the source IP address and the source MAC address, make sure that
the mask of the specified source IP address is 255.255.255.255. Otherwise, the specified
source MAC address will not take effect.
Source-VLAN
Specify the source VLAN of the portal-free rule.
IMPORTANT:
If you configure both a source interface and a source VLAN for a portal-free rule, make
sure that the source interface is in the source VLAN. Otherwise, the portal-free rule will not
take effect.
Destination IP Address
Mask
Specify the destination IP address and mask of the portal-free rule.
Main authentication page: File name
Logon page: logon.htm
Logon success page: logonSuccess.htm
Logon failure page: logonFail.htm
Online page: online.htm
System busy page: busy.htm
Logoff success page: logoffSuccess.htm
NOTE:
Files other than the main page files can be given any name. File names and directory names are case insensitive.
Get requests are used to get the static files in the authentication pages and allow no recursion. For
example, if file Logon.htm includes contents that perform Get action on file ca.htm, file ca.htm
cannot include any reference to file Logon.htm.
Post requests are used when users submit usernames and passwords, log on to the system, and log
off the system.
An authentication page can have multiple forms, but there must be one and only one form whose
action is logon.cgi. Otherwise, user information cannot be sent to the local portal server.
The username attribute is fixed as PtUser, and the password attribute is fixed as PtPwd.
Attribute PtButton is required to indicate the action that the user requests, which can be Logon or
Logoff.
1. A logon Post request must contain PtUser, PtPwd, and PtButton attributes.
2. Authentication pages logon.htm and logonFail.htm must contain the logon Post request.
3. Authentication pages logonSuccess.htm and online.htm must contain the logoff Post request.
A set of authentication page files must be compressed into a standard zip file. The name of a zip
file can contain only letters, digits, and underscores. The zip file of the default authentication pages
must be saved with the name defaultfile.zip.
The set of authentication pages must be located in the root directory of the zip file.
Zip files can be transferred to the device through FTP or TFTP. The default authentication pages file
must be saved in the root directory of the device, and customized authentication files can be saved
in the root directory or in the portal directory under the root directory of the device.
The size of the zip file of each set of authentication pages, including the main authentication pages
and the page elements, must be no more than 500 KB.
The size of a single page, including the main authentication page and the page elements, must be
no more than 50 KB before being compressed.
Page elements can contain only static contents such as HTML, JS, CSS, and pictures.
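A checker for the packaging rules above, added here as an example; it is not part of the H3C guide or of the device software. It unpacks a set of authentication pages, confirms that the six main page files sit in the zip root, that each page which must carry a Post request has exactly one form posting to logon.cgi with the PtUser, PtPwd and PtButton fields the local portal server expects, and that the zip name and size limits hold. The page set it builds is constructed for the example; the whitelist of static file types and the decision to count only files referenced by src or href toward the 50 KB per-page limit are assumptions.

```python
import io
import re
import zipfile
from html.parser import HTMLParser

MAX_ZIP_BYTES = 500 * 1024      # one set of pages, compressed
MAX_PAGE_BYTES = 50 * 1024      # one page plus the elements it pulls in, uncompressed
MAIN_PAGES = {"logon.htm", "logonsuccess.htm", "logonfail.htm",
              "online.htm", "busy.htm", "logoffsuccess.htm"}
LOGON_PAGES = {"logon.htm", "logonfail.htm"}        # must carry the logon Post request
LOGOFF_PAGES = {"logonsuccess.htm", "online.htm"}   # must carry the logoff Post request
# Assumed whitelist: the guide only says HTML, JS, CSS and pictures are allowed.
STATIC_EXT = {"htm", "html", "js", "css", "gif", "jpg", "jpeg", "png", "bmp", "ico"}


class _PageScanner(HTMLParser):
    """Collects every form (action plus input names/values) and every local src/href."""

    def __init__(self):
        super().__init__()
        self.forms, self.refs, self._form = [], set(), None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", "").lower(), "fields": {}}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["fields"][a["name"]] = a.get("value", "")
        for key in ("src", "href"):
            if key in a and "://" not in a[key]:
                self.refs.add(a[key].lower().lstrip("./"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def check_page(name, html, sizes):
    """Apply the form and size rules to one main page; sizes maps lowercase member -> bytes."""
    errors = []
    scanner = _PageScanner()
    scanner.feed(html)
    total = sizes[name] + sum(sizes.get(ref, 0) for ref in scanner.refs)
    if total > MAX_PAGE_BYTES:
        errors.append(f"{name}: page plus elements is {total} bytes, limit is {MAX_PAGE_BYTES}")
    if name not in LOGON_PAGES | LOGOFF_PAGES:
        return errors
    cgi_forms = [f for f in scanner.forms if f["action"].endswith("logon.cgi")]
    if len(cgi_forms) != 1:
        errors.append(f"{name}: need exactly one form with action logon.cgi, found {len(cgi_forms)}")
        return errors
    fields = cgi_forms[0]["fields"]
    if name in LOGON_PAGES:
        missing = [f for f in ("PtUser", "PtPwd", "PtButton") if f not in fields]
        if missing:
            errors.append(f"{name}: logon form lacks {', '.join(missing)}")
        elif fields["PtButton"] != "Logon":
            errors.append(f"{name}: PtButton must be Logon, got {fields['PtButton']!r}")
    elif fields.get("PtButton") != "Logoff":
        errors.append(f"{name}: logoff form must carry PtButton=Logoff")
    return errors


def check_zip(zip_name, zip_bytes):
    """Return the list of rule violations; an empty list means the set is ready to upload."""
    errors = []
    if not re.fullmatch(r"[A-Za-z0-9_]+\.zip", zip_name):
        errors.append(f"{zip_name}: name may contain only letters, digits and underscores")
    if len(zip_bytes) > MAX_ZIP_BYTES:
        errors.append(f"{zip_name}: {len(zip_bytes)} bytes exceeds {MAX_ZIP_BYTES}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = {i.filename.lower(): i for i in zf.infolist() if not i.is_dir()}
        sizes = {n: i.file_size for n, i in members.items()}
        for n in sorted(members):
            if "/" in n:
                errors.append(f"{n}: pages must sit in the zip root, not in a subdirectory")
            elif n.rsplit(".", 1)[-1] not in STATIC_EXT:
                errors.append(f"{n}: not a static page element")
        for page in sorted(MAIN_PAGES - set(members)):
            errors.append(f"{page}: required main page missing")
        for page in sorted(MAIN_PAGES & set(members)):
            html = zf.read(members[page].filename).decode("utf-8", "replace")
            errors.extend(check_page(page, html, sizes))
    return errors


def build_sample_zip(break_rules=False):
    """Constructed minimal page set for this example, not the device's default pages.
    With break_rules=True it drops PtPwd from logon.htm and puts an element in a subdirectory."""
    logon_form = ('<form action="logon.cgi" method="post"><input name="PtUser">'
                  '<input type="password" name="PtPwd">'
                  '<input type="submit" name="PtButton" value="Logon"></form>')
    logoff_form = ('<form action="logon.cgi" method="post">'
                   '<input type="submit" name="PtButton" value="Logoff"></form>')
    head = '<html><head><script src="pt_private.js"></script></head><body>'
    pages = {
        "logon.htm": head + logon_form + "</body></html>",
        "logonFail.htm": head + logon_form + "</body></html>",
        "logonSuccess.htm": head + logoff_form + "</body></html>",
        "online.htm": head + logoff_form + "</body></html>",
        "busy.htm": "<html><body>The system is busy.</body></html>",
        "logoffSuccess.htm": "<html><body>Logged off.</body></html>",
        "pt_private.js": "// stand-in for the script the device provides\n",
    }
    if break_rules:
        pages["logon.htm"] = pages["logon.htm"].replace('<input type="password" name="PtPwd">', "")
        pages["img/logo.png"] = b"\x89PNG constructed"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, body in pages.items():
            zf.writestr(member, body)
    return buf.getvalue()
```

Run check_zip on the file before transferring it with FTP or TFTP; a set that passes still needs the real pt_private.js and the device-side binding to the SSID, which this check does not cover.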
Logging off a user who closes the logon success or online page
After a user passes authentication, the system pushes the logon success page logonSuccess.htm to the
user. If the user initiates another authentication through the logon page, the system pushes the online
page online.htm. You can configure the device to forcibly log off the user when the user closes either of
these two pages. To do so, add the following contents in logonSuccess.htm and online.htm:
1. Include the script file pt_private.js in the page header.
2. Call pt_init() in the onload event of the body element.
3. Return pt_unload() from the onbeforeunload event of the body element.
4. Call pt_submit() in the onsubmit event of the form whose action is logon.cgi.
The following is a script example; the added contents are the script include, the two body event handlers, and the form onsubmit handler:
<html>
<head>
<script type="text/javascript" language="javascript" src="pt_private.js"></script>
</head>
<body onload="pt_init();" onbeforeunload="return pt_unload();">
... ...
<form action=logon.cgi method = post onsubmit="pt_submit()">
... ...
</body>
</html>
2.
NOTE:
H3C recommends using browser IE 6.0 or later on the authentication clients.
Make sure that the browser of an authentication client permits pop-ups or permits pop-ups from the
access device. Otherwise, the user cannot log off by closing the logon success or online page and can
only click Cancel to return to the logon success or online page.
If a user refreshes the logon success or online page, or jumps to another web site from either of the
pages, the device also logs off the user.
If a user is using the Chrome browser, the device cannot log off the user when the user closes the logon
success or online page.
Configuration prerequisites
Complete the following tasks before you perform the portal configuration:
Configure IP addresses for the devices as shown in Figure 422 and make sure they can reach each
other.
Configure PKI domain test, and make sure that a local certificate and a CA certificate are obtained
successfully. For more information, see "Managing certificates."
Complete the editing of the authentication page files to be bound with the client SSID.
Configure the RADIUS server properly to provide authentication and accounting functions for users.
Configuring the AC
1.
b. Click Add.
c.
On the page that appears, enter the scheme name system, select the server type Extended, and
select Without domain name for Username Format.
address 1.1.1.2, the port number 1812, and the key expert, enter expert again in the Confirm
Key field, and click Apply.
The RADIUS server configuration page closes, and the RADIUS Server Configuration area on
the RADIUS scheme configuration page displays the authentication server you have just
configured.
f.
g. On the page that appears, select Primary Accounting as the server type, enter the IP address
1.1.1.2, the port number 1813, and the key expert, enter expert again in the Confirm Key field,
and click Apply.
The RADIUS server configuration page closes, and the RADIUS Server Configuration area on
the RADIUS scheme configuration page displays the accounting server you have just
configured.
h. Click Apply.
2.
Click Apply.
3.
Select the Default AuthN box and then select RADIUS as the authentication mode.
d. Select system from the Name list to use it as the authentication scheme
e. Click Apply.
Figure 425 Configuring the authentication method for the ISP domain
4.
Select system from the Name list to use it as the authorization scheme
d. Click Apply.
Figure 426 Configuring the authorization method for the ISP domain
5.
Select the Accounting Optional box, and then select Enable for this parameter.
d. Select the Default Accounting box and then select RADIUS as the accounting mode.
e. Select system from the Name list to use it as the accounting scheme
f.
Click Apply.
The configuration progress dialog box appears
Figure 427 Configuring the accounting method for the ISP domain
6.
Create an AP.
a. From the navigation tree, select AP > AP Setup.
b. Click Create.
c.
Click Apply.
7.
On the page that appears, enter the wireless service name abc, select clear as the wireless
service type, and click Apply.
The wireless service configuration page appears.
d. Enter 2 in the VLAN (Untagged) field, enter 2 in the Default VLAN field, and click Apply.
8.
9.
b. On the page that appears, select the box before ap1 with the radio mode of 802.11g.
c.
Click Bind.
A configuration progress dialog box appears.
10.
Enable radio.
a. From the navigation tree, select Radio > Radio.
b. Select the box before ap1 with the radio mode of 802.11g.
c.
Click Enable.
11.
Select interface Vlan-interface2, select Enable Local Server for Portal Server, select Direct as
the authentication method, select the authentication domain test, enter 192.168.1.1 as the
server IP address, select HTTPS as the protocol type, select test as the PKI domain, select the
box before Page Customization, and select the authentication page file ssid1.zip for SSID abc.
d. Click Apply.
12.
On the page that appears, enter the rule number 0, and select the source interface
GigabitEthernet1/0/1.
d. Click Apply.
Configuring AAA
The web interface supports configuring Internet Service Provider (ISP) domains and configuring AAA
methods for ISP domains.
AAA overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. It provides the following security functions:
Authorization: Grants different users different rights and controls their access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
Accounting: Records all network service usage information of users, including the service type, start time, and traffic. The accounting function not only provides the information required for charging, but also allows for network security surveillance.
AAA usually uses a client/server model. The client runs on the network access server (NAS) and the
server maintains user information centrally. In an AAA network, a NAS is a server for users but a client
for the AAA servers.
Figure 435 Network diagram for AAA
AAA can be implemented through multiple protocols. The device supports using RADIUS, the most
commonly used protocol in practice. For more information about RADIUS, see "Configuring RADIUS."
For more information about AAA and ISP, see H3C WA Series WLAN Access Points Security
Configuration Guide.
Configuring AAA
Configuration prerequisites
To deploy local authentication, configure local users on the access device as described in
"Configuring users."
Task: 1. Configuring an ISP domain
Remarks: Optional. Create ISP domains and specify one of them as the default ISP domain. By default, there is an ISP domain named system, which is the default ISP domain.
Task: 2. Configuring authentication methods for the ISP domain
Remarks: Optional. Configure authentication methods for various types of users. By default, all types of users use local authentication.
Task: 3. Configuring authorization methods for the ISP domain
Remarks: Optional. Specify the authorization methods for various types of users. By default, all types of users use local authorization.
Task: 4. Configuring accounting methods for the ISP domain
Remarks: Required. Specify the accounting methods for various types of users. By default, all types of users use local accounting.
2.
3.
Click Apply.
Item: Description
Domain Name: Enter the ISP domain name, which identifies the domain. You can enter a new domain name to create a domain, or specify an existing domain to change its status (whether it is the default domain).
Default Domain: Specify whether to use the ISP domain as the default domain.
2.
Click the Authentication tab to enter the authentication method configuration page.
3.
Configure authentication methods for different types of users in the domain, as described in Table
136.
4.
Click Apply.
A configuration progress dialog box appears.
5.
Item: Description
Select an ISP domain: Select the ISP domain for which you want to specify authentication methods.
Default AuthN (Name, Secondary Method): Configure the default authentication method and secondary authentication method for all types of users.
LAN access users (Name, Secondary Method): Configure the authentication method and secondary authentication method for LAN access users.
Login AuthN (Name, Secondary Method): Configure the authentication method and secondary authentication method for login users.
PPP users (Name, Secondary Method): Configure the authentication method and secondary authentication method for PPP users.
2.
Click the Authorization tab to enter the authorization method configuration page.
3.
Configure authorization methods for different types of users in the domain, as described in Table
137.
4.
Click Apply.
A configuration progress dialog box appears.
5.
Item: Description
Select an ISP domain: Select the ISP domain for which you want to specify authorization methods.
Default AuthZ (Name, Secondary Method): Configure the default authorization method and secondary authorization method for all types of users.
LAN access users (Name, Secondary Method): Configure the authorization method and secondary authorization method for LAN access users.
Login AuthZ (Name, Secondary Method): Configure the authorization method and secondary authorization method for login users.
PPP users (Name, Secondary Method): Configure the authorization method and secondary authorization method for PPP users.
Name: scheme to be used.
2.
Click the Accounting tab to enter the accounting method configuration page.
3.
Configure accounting methods for different types of users in the domain, as described in Table
138.
4.
Click Apply.
A configuration progress dialog box appears.
5.
Item: Description
Select an ISP domain: Select the ISP domain for which you want to specify accounting methods.
Accounting Optional: Specify whether to enable the accounting optional feature. With the feature enabled, a user who would otherwise be disconnected can keep using the network resources when no accounting server is available or communication with the current accounting server fails. If accounting for such a user fails, the device no longer sends real-time accounting updates for the user, so that session leaves no usage record; enable the feature only where keeping users online matters more than accounting for every session.
Default Accounting (Name, Secondary Method): Configure the default accounting method and secondary accounting method for all types of users.
LAN-access Accounting (Name, Secondary Method): Configure the accounting method and secondary accounting method for LAN access users.
Login users (Name, Secondary Method): Configure the accounting method and secondary accounting method for login users.
PPP users (Name, Secondary Method): Configure the accounting method and secondary accounting method for PPP users.
Configuration procedure
1.
Click Apply.
2.
Click Apply.
3.
Configure the ISP domain to use local authentication for login users:
a. Select Authentication > AAA from the navigation tree
b. Click the Authentication tab.
c.
d. Select the Login AuthN box and select the authentication method Local.
e. Click Apply.
4.
Configure the ISP domain to use local authorization for login users:
a. Select Authentication > AAA from the navigation tree.
b. Click the Authorization tab.
c.
d. Select the Login AuthZ box and select the authorization method Local.
e. Click Apply.
5.
Log in to the CLI, enable the Telnet service, and configure the AC to use AAA for Telnet users. Telnet carries the username and password in cleartext, so expose it only on a trusted management network.
<AC> system-view
[AC] telnet server enable
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme
[AC-ui-vty0-4] quit
6.
Telnet to the AC and enter the username telnet@test and password abcd. The login is then handled as a user in domain test, because the part after the @ selects the ISP domain.
Configuring RADIUS
RADIUS overview
The Remote Authentication Dial-In User Service (RADIUS) protocol implements Authentication,
Authorization, and Accounting (AAA). RADIUS uses the client/server model. It can protect networks
against unauthorized access and is often used in network environments where both high security and
remote user access are required. RADIUS defines the packet format and message transfer mechanism,
and uses UDP as the transport layer protocol for encapsulating RADIUS packets. It uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods, for example, Ethernet and ADSL.
RADIUS provides access authentication and authorization services, and its accounting function collects
and records network resource usage information.
For more information about AAA and RADIUS, see H3C WA Series WLAN Access Points Security
Configuration Guide.
2.
Click Add.
3.
4.
Item: Description
Server Type: Select the type of the RADIUS servers supported by the device, which can be:
Standard: Specifies the standard RADIUS server. That is, the RADIUS client and
this case, the RADIUS client and the RADIUS server communicate by using the proprietary RADIUS protocol and packet format.
Username Format
5.
Click the expand button before Advanced in the Common Configuration area to expand the
advanced configuration area.
6.
Item: Description
Authentication Key, Confirm Authentication Key, Accounting Key: Set the shared key for RADIUS authentication packets and that for RADIUS accounting packets.
RADIUS packets themselves are not encrypted. The RADIUS client and the RADIUS authentication/accounting server use the shared key with MD5 to hide the User-Password attribute and to compute the authenticator that lets each side check that a packet came from a holder of the same key. Only if the shared key of the client and that of the server are the same will the client and the server accept and respond to packets from each other. Treat the key like a password: use a long random value, and keep the short key expert from the configuration examples to the lab.
IMPORTANT:
The shared keys configured on the device must be consistent with those configured on the RADIUS servers.
The shared keys configured in the common configuration part are used only when no corresponding shared keys are configured in the RADIUS server configuration part.
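What the shared key actually protects, as an added example in Python that is not part of the guide: it hides a User-Password the way RFC 2865 section 5.2 specifies, then builds and checks the Response Authenticator of an Access-Accept, with the matching and a mismatching key. The Request Authenticator is fixed to a constructed value so the run is repeatable; a real client draws 16 random bytes per request. The key expert and the user usera are taken from the guide's own examples.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attribute(attr_type, value):
    """RADIUS attribute TLV: type, total length, value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        hidden += prev
    return hidden


def recover_password(hidden, secret, request_authenticator):
    """Server side inverse; with the wrong secret this yields garbage rather than an error."""
    clear, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(h ^ d for h, d in zip(block, digest))
        prev = block
    return clear.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_authenticator):
    """Client side: Code, Identifier, Length, Request Authenticator, then the attributes."""
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def build_response(code, identifier, attrs, request_authenticator, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_authenticator + attrs


def verify_response(packet, request_authenticator, secret):
    """Client side: recompute and compare in constant time. False means wrong key or tampering."""
    header, response_authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response_authenticator)


def demo():
    """Returns (accepted with the right key, accepted with a wrong key)."""
    secret = b"expert"                          # shared key from the guide's examples
    request_authenticator = bytes(range(16))    # constructed; real clients use 16 random bytes
    build_access_request(7, b"usera", b"1234", secret, request_authenticator)
    accept = build_response(ACCESS_ACCEPT, 7, b"", request_authenticator, secret)
    return (verify_response(accept, request_authenticator, secret),
            verify_response(accept, request_authenticator, b"wrong"))
```

A key mismatch therefore shows up as silently dropped responses on the device and as unreadable passwords on the server, never as an explicit error in the protocol; the IMPORTANT note above about keeping the keys consistent is the only defence.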
Quiet Time: Set the time the device keeps an unreachable RADIUS server in blocked state.
If you set the quiet time to 0, when the device needs to send an authentication or accounting request but finds that the current server is unreachable, it does not change the server's status that it maintains. It simply sends the request to the next server in active state. As a result, when the device needs to send a request of the same type for another user, it still tries to send the request to the server because the server is in active state.
You can use this parameter to control whether the device changes the status of an unreachable server. For example, if you determine that the primary server is unreachable because the device's port for connecting the server is temporarily out of service or the server is busy, you can set the time to 0 so that the device uses the primary server as much as possible.
Server Response Timeout: Set the RADIUS server response timeout time.
Request Transmission Attempts: Set the maximum number of RADIUS packet transmission attempts.
IMPORTANT:
The server response timeout time multiplied by the maximum number of RADIUS packet transmission attempts must not exceed 75. This product is also the longest a user waits on one unreachable server before the device turns to the next one, so keep it small.
Item: Description
Realtime Accounting Interval: Set the interval for sending real-time accounting information. The interval must be a multiple of 3.
Realtime Accounting Attempts: Set the maximum number of attempts for sending a real-time accounting request.
Specify the unit for data flows sent to the RADIUS server, which can be byte, kilo-byte, mega-byte, or giga-byte.
Specify the unit for data packets sent to the RADIUS server, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
After receiving an EAP packet, the access device enabled with the EAP offload function first converts the authentication information in the EAP packet into the corresponding RADIUS attributes through the local EAP server, encapsulates the EAP packet into a RADIUS request, and then sends the request to the RADIUS server for authentication. When the RADIUS server receives the request, it analyzes the carried authentication information, encapsulates the authentication result in a RADIUS packet, and then sends the packet to the local EAP server on the access device for subsequent interaction with the client.
Specify the IP address of the security policy server.
Specify the source IP address for the device to use in RADIUS packets sent to the RADIUS server.
In a stateful failover environment, the backup source IP address must be the source IP address that the remote device uses in RADIUS packets sent to the RADIUS server. Configuring the backup source IP address makes sure that the backup device can still receive the RADIUS packets sent by the RADIUS server when the master device fails. Because a RADIUS server identifies its clients by source IP address and shared key, both addresses must be registered on the server with the same key.
Buffer stop-accounting packets
Item: Description
Stop-Accounting Attempts: Set the maximum number of stop-accounting attempts. The maximum number of stop-accounting attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets.
Suppose that the RADIUS server response timeout period is three seconds, the maximum number of transmission attempts is five, and the maximum number of stop-accounting attempts is 20. For each stop-accounting request, if the device receives no response within three seconds, it retransmits the request. If it receives no response after retransmitting the request five times, it considers the stop-accounting attempt a failure, buffers the request, and makes another stop-accounting attempt. If 20 consecutive attempts fail, the device discards the request.
Send accounting-on packets: Enable or disable the accounting-on feature.
Accounting-On Interval: Set the interval for sending accounting-on packets. This field is configurable only when the Send accounting-on packets option is selected.
Accounting-On Attempts: Set the maximum number of accounting-on packet transmission attempts. This field is configurable only when the Send accounting-on packets option is selected.
Attribute Interpretation: Enable or disable the device to interpret the RADIUS class attribute as CAR parameters.
7.
In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration page.
8.
Configure a RADIUS server for the RADIUS scheme as described in Table 141.
9.
10.
Repeat step 7 through step 9 to add more RADIUS servers to the RADIUS scheme.
11.
Item: Description
Server Type: Select the type of the RADIUS server to be configured. Possible values include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server.
IP Address
Port
Key, Confirm Key: Specify the shared key for communication with the RADIUS server. If no shared key is specified here, the shared key specified in the common configuration part is used.
Configuration procedure
1.
Enter the scheme name system, select the server type Extended, and select the username format
Without domain name.
d. In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration
page.
e. Select the server type Primary Authentication, enter 10.1.1.1 as the IP address of the primary
authentication server, 1812 as the port number, and expert as the key, and click Apply to add
the primary authentication server to the scheme.
f.
In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration
page again.
g. Select Primary Accounting as the server type, enter 10.1.1.1 as the IP address of the primary
accounting server, enter the port number 1813, the key expert, and click Apply, as shown
in Figure 451.
The RADIUS scheme configuration page refreshes and the added servers appear in the server
list, as shown in Figure 452.
h. Click Apply to finish the scheme configuration.
2.
Click Apply.
3.
Select the Default AuthN box and then select the authentication mode RADIUS.
d. Select the RADIUS scheme system from the Name list to use it as the authentication scheme.
e. Click Apply.
4.
Select the Default AuthZ box and select the authorization mode RADIUS.
d. Select the RADIUS scheme system from the Name list to use it as the authorization scheme.
e. Click Apply.
5.
Configure an accounting method for the ISP domain, and enable accounting optional:
a. Click the Accounting tab.
b. Select the domain name bbb.
c.
d. Select the Default Accounting box and then select accounting mode RADIUS.
e. Select the RADIUS scheme system from the Name list to use it as the accounting scheme.
f.
Click Apply.
A configuration progress dialog box appears.
6.
Click Apply.
7.
Log in to the CLI, and configure the VTY user interfaces to use AAA for user access control.
<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme
[AC-ui-vty0-4] quit
Configuration guidelines
When you configure the RADIUS client, follow these guidelines:
If you remove the accounting server used for online users, the device cannot send real-time
accounting requests and stop-accounting messages for the users to the server, and the
stop-accounting messages are not buffered locally.
The status of RADIUS servers (blocked or active) determines which servers the device communicates with, or turns to, when the current servers are not available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as backups of the primary server. Generally, the device chooses servers based on these rules:
When the primary server is in active state, the device communicates with the primary server. If
the primary server fails, the device changes the state of the primary server to blocked, starts a
quiet timer for the server, and turns to a secondary server in active state (a secondary server
configured earlier has a higher priority). If the secondary server is unreachable, the device
changes the state of the secondary server to blocked, starts a quiet timer for the server, and
continues to check the next secondary server in active state. This search process continues until
the device finds an available secondary server or has checked all secondary servers in active
state. If the quiet timer of a server expires or an authentication or accounting response is
received from the server, the status of the server changes back to active automatically, but the
device does not check the server again during the authentication or accounting process. If no
server is found reachable during one search process, the device considers the authentication or
accounting attempt a failure.
Once the accounting process of a user starts, the device keeps sending the user's real-time
accounting requests and stop-accounting requests to the same accounting server. If you remove
the accounting server, real-time accounting requests and stop-accounting requests for the user
cannot be delivered to the server any more.
If you remove an authentication or accounting server in use, the communication of the device
with the server will soon time out, and the device will look for a server in active state from
scratch: it checks the primary server (if any) first and then the secondary servers in the order
they are configured.
When the primary server and secondary servers are all in blocked state, the device communicates with the primary server. If the primary server is available, its status changes to active. Otherwise, its status remains blocked.
If one server is in active state but all the others are in blocked state, the device only tries to
communicate with the server in active state, even if the server is unavailable.
After receiving an authentication/accounting response from a server, the device changes the
status of the server identified by the source IP address of the response to active if the current
status of the server is blocked.
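The selection rules above as a small simulator in Python, added here as an example and not the device's own code. Time is passed in as a number and reachability is a flag on each server, so the quiet timer, the quiet-time-0 behaviour, the all-blocked fallback and the timeout-times-attempts bound can be walked through without a network. Server names and parameter values are made up.

```python
ACTIVE, BLOCKED = "active", "blocked"


class RadiusServer:
    def __init__(self, name, primary=False, reachable=True):
        self.name, self.primary, self.reachable = name, primary, reachable
        self.state, self.quiet_until = ACTIVE, 0.0


class RadiusScheme:
    """Server selection as the guidelines describe it for one request type."""

    def __init__(self, servers, quiet_time, response_timeout, attempts):
        if response_timeout * attempts > 75:
            raise ValueError("response timeout x transmission attempts must not exceed 75")
        if sum(s.primary for s in servers) > 1:
            raise ValueError("only one primary server per request type")
        # Primary first, then secondaries in configured order (configured earlier = higher priority)
        self.servers = [s for s in servers if s.primary] + [s for s in servers if not s.primary]
        self.quiet_time = quiet_time

    def server(self, name):
        return next(s for s in self.servers if s.name == name)

    def state_of(self, name):
        return self.server(name).state

    def _expire_quiet_timers(self, now):
        for s in self.servers:
            if s.state == BLOCKED and now >= s.quiet_until:
                s.state = ACTIVE    # quiet timer expired: back to active without a probe

    def select(self, now):
        """Name of the server that answered the request, or None if the attempt fails."""
        self._expire_quiet_timers(now)
        candidates = [s for s in self.servers if s.state == ACTIVE]
        if not candidates:
            # All blocked: talk to the primary and re-activate it only if it answers
            primary = self.servers[0] if self.servers and self.servers[0].primary else None
            if primary is not None and primary.reachable:
                primary.state = ACTIVE
                return primary.name
            return None
        for s in candidates:
            if s.reachable:
                return s.name
            if self.quiet_time > 0:
                s.state, s.quiet_until = BLOCKED, now + self.quiet_time
            # quiet time 0: status is left unchanged, just try the next active server
        return None

    def on_response(self, name):
        """A response from a server (matched by source IP in reality) makes it active again."""
        s = self.server(name)
        if s.state == BLOCKED:
            s.state = ACTIVE
```

With a quiet time of 0 the primary is never marked blocked, so every new request pays the full timeout-times-attempts delay on it before falling back; that is the trade-off the Quiet Time description above is pointing at.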
It is a good practice to use the recommended real-time accounting intervals listed in Table 142.
Table 142 Recommended real-time accounting intervals
Number of users | Real-time accounting interval (minutes)
1 to 99 |
100 to 499 |
500 to 999 | 12
1000 or more | 15
Configuration procedure
1.
2.
3.
Click Apply.
Item: Description
Status: Enable or disable the EAP server. If the EAP server is enabled, the EAP authentication method and PKI domain configurations are required.
Item: Description
Available methods, Selected methods: Specify the EAP authentication methods.
When an EAP client and the local server communicate for EAP authentication, they first
negotiate the EAP authentication method to be used. During negotiation, the local
server prefers the authentication method with the highest priority from the EAP
authentication method list. If the client supports the authentication method, the
negotiation succeeds and they proceed with the authentication process. Otherwise, the
local server tries the one with the next highest priority until a supported one is found, or
if none of the authentication methods are found supported, the local server sends an
EAP-Failure packet to the client for notification of the authentication failure.
TIP:
You can select more than one authentication method. An authentication method
selected earlier has a higher priority.
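The negotiation as an added example in Python, not from the guide: it encodes the EAP header from RFC 3748, lets a simulated client accept a proposed type or answer with a Nak (type 3) listing the types it will use, and walks the local server's priority list until a method is accepted or an EAP-Failure is sent. The method priorities and the client's supported set are constructed for the example, and the type codes are the IANA EAP method types.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_NAK, TYPE_MD5_CHALLENGE, TYPE_TLS, TYPE_PEAP = 3, 4, 13, 25


def eap_packet(code, identifier, eap_type=None, data=b""):
    """RFC 3748 header: Code, Identifier, Length (whole packet), then Type and Type-Data if any."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet):
    """Return (code, identifier, type or None, type data); rejects a Length that lies."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 4:
        raise ValueError("bad EAP length")
    eap_type = packet[4] if length > 4 else None
    return code, identifier, eap_type, packet[5:]


def client_reply(request, supported):
    """Supplicant: accept the proposed method or Nak it with the list of types it will use."""
    _, identifier, eap_type, _ = parse_eap(request)
    if eap_type in supported:
        return eap_packet(EAP_RESPONSE, identifier, eap_type)   # method-specific data would follow
    return eap_packet(EAP_RESPONSE, identifier, TYPE_NAK, bytes(sorted(supported)))


def negotiate(server_methods, client_supported):
    """Local EAP server: propose methods in configured priority order (selected earlier = higher
    priority) until the client accepts one. Returns (method or None, last packet sent, rounds)."""
    identifier = 0
    for method in server_methods:
        identifier += 1
        request = eap_packet(EAP_REQUEST, identifier, method)
        response = client_reply(request, client_supported)
        code, rid, rtype, _ = parse_eap(response)
        if code != EAP_RESPONSE or rid != identifier:
            raise ValueError("response does not match the outstanding request")
        if rtype == method:
            return method, request, identifier   # agreed; the method's own exchange starts here
        if rtype != TYPE_NAK:
            raise ValueError("unexpected response type %r" % rtype)
    # Nothing on the server's list is supported by the client: report the failure
    return None, eap_packet(EAP_FAILURE, identifier), identifier
```

Because the server only ever moves down its own list, a client that supports nothing above MD5-Challenge silently ends up on the weakest method you left selected; trim the Selected methods list rather than relying on the client to refuse.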
PKI domain
The available PKI domains are those configured on the page you enter by selecting
Authentication > Certificate Management. For more information, see "Managing
certificates."
NOTE:
The service management, local portal authentication, and local EAP service modules
always reference the same PKI domain. Changing the referenced PKI domain in any of the
three modules will also change that referenced in the other two modules.
Configuration procedure
NOTE:
To implement local EAP authentication and authorization for 802.1X users, make sure that port security
is enabled and 802.1X authentication uses the EAP authentication mode.
To use the authentication method of EAP-TLS, configure the network properties of the connection and the
client certificate properly on the client.
For more information about how to configure PKI domain test, request a local certificate, and retrieve a CA certificate, see "Managing certificates."
1.
Enter the username usera and password 1234, and select the service type LAN-Access.
d. Click Apply.
2.
Configure the ISP domain system to use local authentication and local authorization.
The ISP domain system uses local authentication and local authorization by default. For the
configuration procedure, see "Configuring AAA."
3.
Enable the EAP server, configure the authentication method as TLS, and the PKI domain as test:
a. Select Authentication > Local EAP Server from the navigation tree.
b. Select Enabled for Status.
c.
Select TLS from the Available methods list and click << to add TLS to the Selected methods list.
4.
Click Apply.
5.
e. Click Apply.
6.
Select the Cipher Suite box, and then select AES-CCMP and TKIP (select a cipher suite according to your actual network requirements). Select WPA as the security IE. TKIP is a deprecated cipher with known weaknesses; unless legacy clients require it, select AES-CCMP only.
d. Click the expand button before Port Security to expand the configuration items.
e. Select the Port Set box and Select the port mode userlogin-secure-ext.
f.
Click Apply.
A configuration progress dialog box appears.
j.
When a dialog box appears asking for your confirmation to enable the EAP service, confirm
the operation to proceed.
7.
8.
Figure 466 Binding the radio mode with the wireless service
9.
Enable 802.11n(2.4GHz).
a. Select Radio > Radio from the navigation tree.
b. Select the AP of ap1 with the radio mode 802.11n(2.4GHz).
c.
Click Enable.
Configuring users
Overview
This module allows you to configure local users, user groups, guests, and user profiles.
Local user
A local user represents a set of user attributes configured on a device (such as the user password, user
type, service type, and authorization attribute), and is uniquely identified by the username. For a user
requesting a network service to pass local authentication, you must add an entry as required in the local
user database of the device. For more information about local authentication, see "Configuring AAA."
User group
A user group consists of a group of local users and has a set of local user attributes. You can configure
local user attributes for a user group to implement centralized management of user attributes for the local
users in the group. All local users in a user group inherit the user attributes of the group, but if you
configure user attributes for a local user, the settings of the local user take precedence over the settings
for the user group.
By default, every newly added local user belongs to a user group named system, which is automatically
created by the system.
Guest
A guest is a local user for specific applications. If Portal or LAN-access users need to access the network
temporarily, you can establish a guest account for them and control access of the users as required.
User profile
A user profile is a configuration template for saving predefined configurations. You can configure
different items such as Quality of Service (QoS) policy, rate limit, wireless service, and AP group for
different user profiles to accommodate different application scenarios.
When accessing the device, a user needs to be authenticated. During the authentication process, the
authentication server sends the user profile name to the device, which then enables the configurations in
the user profile. After the user passes the authentication and accesses the device, the device restricts the
user's access based on the configurations in the user profile. When the user logs out, the device
automatically disables the configurations in the user profile, removing the restrictions on the user as a
result. As the mechanism indicates, user profiles are for restricting online users' access. If no user is online
(no user is accessing the network, no user has passed authentication, or all users have logged out), user
profiles do not take effect.
With user profiles, you can:
Make use of system resources more granularly. For example, you can apply a QoS policy on a
per-user basis.
Restrict users' access rate more flexibly. For example, you can deploy traffic policing on a per-user
basis by defining a rate limit in user profiles.
Restrict users' access more specifically. For example, you can deploy user access control on a
per-wireless service basis by defining an SSID in user profiles. Or you can deploy user access
control on a per-AP basis by defining APs in the user profiles.
NOTE:
On the Local User tab, you can modify a guest user, but the user type changes to another one after your
modification.
Figure 468 Local user list
2.
Click Add.
The local user configuration page appears. On this page, you can create a local user of any type
except guest.
3.
4.
Click Apply.
Item: Description
Username
Password, Confirm: Specify a password for the local user and confirm the password. The two passwords must be identical.
IMPORTANT:
It is a good practice to specify a password with no leading spaces. The spaces will be ignored, but they count at the user login page.
Group: Select a user group for the local user. For information about user group configuration, see "Configuring a user group."
User Type: Specify the user type for the local user:
Common User.
Security Log Admin: Users of this type can only manage security log files through the web interface. Only users of this type can manage security log files.
Guest Admin: Users of this type can only manage guest accounts through the web interface. They log in to the Authentication > User > Guest page to add, modify, or delete a guest user.
Level: Select an authorization level for the local user, which can be Visitor, Monitor, Configure, or Management, in ascending order of priority. A local user has the rights of the specified level and all levels lower than the specified level (if any).
Visitor: A user of this level can perform ping and trace route operations but cannot read any data from the device or configure the device.
Monitor: A user of this level can read data from the device but cannot configure the device.
Configure: A user of this level can read data from the device and configure the device but cannot upgrade the device software, add/delete/modify users, or backup/restore configuration files.
Management: A user of this level can perform all operations except for security log file reading and management.
IMPORTANT:
This option is effective only for web, FTP, Telnet, and SSH users.
Service Type: Select the service types for the local user to use, including FTP, Telnet, PPP, Portal, LAN access (accessing through the Ethernet, such as 802.1X users), and SSH.
IMPORTANT:
If you do not specify any service type for a local user who uses local authentication, the user cannot pass authentication and cannot log in.
The service type of the guest administrator and security log administrator is web.
The service type of the guest administrator and security log administrator is Portal and LAN-Access.
Expiration time: When authenticating a local user with the expiration time argument configured, the access device checks whether the expiration time has elapsed. If not, the device permits the user to log in.
VLAN: Specify the VLAN to be authorized to the local user after the user passes authentication.
IMPORTANT:
This option is effective only for Portal and LAN-access users.
ACL: Specify the ACL to be used by the access device to restrict the access of the local user after the user passes authentication.
IMPORTANT:
This option is effective only for PPP, Portal, and LAN-access users.
User-profile: Specify the user profile for the local user.
IMPORTANT:
This option is effective only for PPP, Portal, and LAN-access users.
2.
Click the User Group tab to display the existing user groups.
3.
4.
5.
Click Apply.
Item: Description
Group-name
Level: Select an authorization level for the user group, which can be Visitor, Monitor, Configure, or Management, in ascending order of priority.
VLAN: Specify the VLAN to be authorized to a user in the user group after the user passes authentication.
ACL: Specify the ACL to be used by the access device to restrict the access of a user in the user group after the user passes authentication.
User-profile
Allow Guest Accounts
IMPORTANT:
User group system is an optional group of guest accounts by default, and cannot be modified.
Configuring a guest
Two categories of administrators can configure guests: guest administrators and administrators of the
management level.
NOTE:
For information about user type and authorization level, see Table 144.
2.
3.
4.
5.
Click Apply.
Item: Description
Create Users in a Batch
Username: Specify a name for the guest when users are not created in a batch.
User-name(prefix): Specify the username prefix and number for guests to be created in a batch. For example, if you specify the username prefix as abc and number as 50, 50 guests will be created, with the usernames abc0 through abc49.
Password, Confirm
Same as the Username: If you select this option, you do not need to enter the password and confirm password, and the guest password is the same as the username. If you do not select this option, you must enter the password and confirm password, and they must be the same.
IMPORTANT:
If the password starts with a space, the space will be omitted.
Group
ValidTime: When authenticating a local user with the valid time argument configured, the access device checks whether the valid time has elapsed. If not, the device permits the user to log in.
Log in to the AC as a guest administrator and select Authentication > User from the navigation tree.
The guest management page appears.
2.
3.
4.
Click Apply.
NOTE:
The guest accounts are also displayed in the local user list. You can click the icon
to edit the guest information and authorization attributes.
2.
Click the User Profile tab to display the existing user profiles.
3.
4.
5.
Click Apply.
The user profile configuration page appears.
6.
7.
Click Apply.
Item: Description
Userprofile name
Qos-out policy
Qos-in policy
limited-out rate
limited-in rate
Services permitted: Select the services in the Services list box and click the < button to add them to the Selected services list box. The available wireless services are those configured on the page you enter by selecting Wireless Service > Access Service. For more information, see "Access service configuration."
APs permitted: Specify the APs permitted in the user profile. Select the APs in the APs list box and click the < button to add them to the Selected APs list box. The available APs are those you configured on the page you enter by selecting AP > AP Group. For more information, see "AP configuration."
8.
From the page displaying the existing user profiles, select the option before the user profile to be
enabled.
9.
Click Enable.
NOTE:
By default, a newly added user profile is disabled.
A user profile takes effect and the authentication server notifies users of authentication results only after
the user profile is enabled. Therefore, if you do not enable the user profile, users using the user profile
will not be able to get online.
Only enabled user profiles can be referenced by users. Disabling a user profile logs out all users using
the user profile.
Enabled user profiles cannot be modified or removed. To modify or remove an enabled user profile, you
must disable it first.
Managing certificates
PKI overview
The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security
through public key technologies, and it is the most widely applied encryption mechanism currently.
H3C's PKI system provides certificate management for IP Security (IPsec), and Secure Sockets Layer (SSL).
PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt data. The key pair
consists of a private key and a public key. The private key must be kept secret but the public key needs
to be distributed. Data encrypted by one of the two keys can only be decrypted by the other.
A key problem of PKI is how to manage the public keys. Currently, PKI employs the digital certificate
mechanism to solve this problem. The digital certificate mechanism binds public keys to their owners,
helping distribute public keys in large networks securely.
With digital certificates, the PKI system provides network communication and e-commerce with security
services such as user authentication, data non-repudiation, data confidentiality, and data integrity.
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI
has a wide range of applications. Here are some application examples:
Web security: For Web security, two peers can establish a Secure Sockets Layer (SSL) connection
first for transparent and secure communications at the application layer. With PKI, SSL enables
encrypted communications between a browser and a server. Both the communication parties can
verify the identity of each other through digital certificates.
NOTE:
For more information about PKI, see Security Configuration Guide.
Configuring PKI
The system supports the following PKI certificate request modes:
Manual: In manual mode, you must retrieve a CA certificate, generate a local RSA key pair, and
submit a local certificate request for an entity.
Auto: In auto mode, an entity automatically requests a certificate through the Simple Certificate
Enrollment Protocol (SCEP) when it has no local certificate or the present certificate is about to
expire.
You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes
require different configurations.
Step: Remarks
1. Creating a PKI entity: Required. Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by entity.
The identity settings of an entity must be compliant to the CA certificate issue policy. Otherwise, the certificate request might be rejected.
2. Creating a PKI domain: Required. Create a PKI domain, setting the certificate request mode to Manual.
3. Generating an RSA key pair: Required. Generating an RSA key pair is an important step in certificate request. The key pair includes a public key and a private key. The private key is kept by the user, and the public key is transferred to the CA along with some other information.
IMPORTANT:
If a local certificate already exists, you must remove the certificate before generating a new key pair, so as to keep the consistency between the key pair and the local certificate.
4. Retrieving the CA certificate: Required. Certificate retrieval serves the following purposes: locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.
5. Requesting a local certificate: Required. When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in online mode or offline mode.
6. Destroying the RSA key pair: Optional. If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair. Otherwise, the certificate cannot be retrieved. Destroying the existing RSA key pair also destroys the corresponding local certificate.
7. Retrieving and displaying a certificate: Required if you request a certificate in offline mode. Retrieve an existing certificate and display its contents.
IMPORTANT:
If a local certificate already exists, you cannot perform the local certificate retrieval operation. This avoids a possible mismatch between the local certificate and registration information resulting from relevant changes. To retrieve a new local certificate, you must remove the CA certificate and local certificate first.
8. Retrieving and displaying a CRL: Optional. Retrieve a CRL and display its contents.
Step: Remarks
1. Creating a PKI entity: Required. Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by entity.
The identity settings of an entity must be compliant to the CA certificate issue policy. Otherwise, the certificate request might be rejected.
2. Creating a PKI domain: Required. Create a PKI domain, setting the certificate request mode to Auto.
3. Destroying the RSA key pair: Optional. If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair. Otherwise, the certificate cannot be retrieved. Destroying the existing RSA key pair also destroys the corresponding local certificate.
4. Retrieving and displaying a certificate: Optional. Retrieve an existing certificate and display its contents.
5. Retrieving and displaying a CRL: Optional. Retrieve a CRL and display its contents.
2.
3.
4.
Click Apply.
Item: Description
Entity Name
Common Name
IP Address
FQDN: An FQDN is a unique identifier of an entity on the network. It consists of a host name and a domain name and can be resolved to an IP address. For example, www.whatever.com is an FQDN, where www indicates the host name and whatever.com the domain name.
Country/Region Code
State
Locality
Organization
Organization Unit
2.
3.
4.
5.
Click Apply.
Item: Description
Domain Name
CA Identifier: An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility of certificate registration, distribution, revocation, and query. In offline mode, this item is optional. In other modes, this item is required.
Entity Name: Select the local PKI entity. When submitting a certificate request to a CA, an entity needs to show its identity information. Available PKI entities are those that have been configured.
Institution: Select the authority for certificate request.
Requesting URL: The entity will submit the certificate request to the server at this URL through the SCEP protocol. The SCEP protocol is intended for communication between an entity and an authentication authority. In offline mode, this item is optional. In other modes, this item is required.
IMPORTANT:
This item does not support domain name resolution.
LDAP IP, Port, Version: Enter the IP address, port number and version of the LDAP server. In a PKI system, the storage of certificates and CRLs is a crucial problem, which is usually addressed by deploying an LDAP server.
Request Mode: Select the online certificate request mode, which can be auto or manual.
Password Encrypt: Select this box to display the password in cipher text. This box is available only when the certificate request mode is set to Auto.
Password: Enter the password for certificate revocation. This item is available only when the certificate request mode is set to Auto.
Fingerprint Hash: Specify the fingerprint used for verifying the CA root certificate. After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity will reject the root certificate.
Fingerprint:
If you specify MD5 as the hash algorithm, enter an MD5 fingerprint. The fingerprint must be a string of 32 characters in hexadecimal notation.
If you specify SHA1 as the hash algorithm, enter an SHA1 fingerprint. The fingerprint must be a string of 40 characters in hexadecimal notation.
If you do not specify the fingerprint hash, do not enter any fingerprint. The entity will not verify the CA root certificate, and you yourself must make sure that the CA server is trusted.
IMPORTANT:
The fingerprint must be configured if you specify the certificate request mode as Auto. If you specify the certificate request mode as Manual, you can leave the fingerprint settings null. If you do not configure the fingerprint, the entity will not verify the CA root certificate and you yourself must make sure that the CA server is trusted.
Polling Count, Polling Interval: Set the polling interval and attempt limit for querying the certificate request status. After an entity makes a certificate request, the CA might need a long period of time if it verifies the certificate request in manual mode. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed.
Enable CRL Checking: Click this box to specify that CRL checking is required during certificate verification.
CRL Update Period: Enter the CRL update period, that is, the interval at which the PKI entity downloads the latest CRLs. This item is available when the Enable CRL Checking box is selected. By default, the CRL update period depends on the next update field in the CRL file.
CRL URL: Enter the URL of the CRL distribution point. This item is available when the Enable CRL Checking box is selected. When the URL of the CRL distribution point is not set, you should acquire the CA certificate and a local certificate, and then acquire a CRL through SCEP.
IMPORTANT:
This item does not support domain name resolution.
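The fingerprint check described above, written out as an added example (not code from the guide or the AC): the entity hashes the received root certificate, compares it with the fingerprint configured for the PKI domain, and accepts the CA unverified only when no fingerprint hash is configured. The certificate bytes are a constructed placeholder, not a real certificate.

```python
import hashlib
import hmac
from typing import Optional

# Hash algorithms the PKI domain form offers, with the fingerprint length each
# one requires in hexadecimal characters (MD5: 32, SHA1: 40).
FINGERPRINT_HASHES = {"md5": (hashlib.md5, 32), "sha1": (hashlib.sha1, 40)}

# Constructed stand-in for a DER-encoded CA root certificate. It is not a real
# certificate; the fingerprint logic only needs the raw content bytes.
SAMPLE_ROOT_CERT_DER = bytes.fromhex("308201a23082010ba003020102020101")


def certificate_fingerprint(der_bytes: bytes, algorithm: str) -> str:
    """Fingerprint as the guide defines it: the hash of the certificate content."""
    if algorithm not in FINGERPRINT_HASHES:
        raise ValueError(f"unsupported fingerprint hash: {algorithm}")
    constructor, _ = FINGERPRINT_HASHES[algorithm]
    return constructor(der_bytes).hexdigest()


def fingerprint_is_well_formed(algorithm: str, configured: str) -> bool:
    """Input rule from the form: MD5 needs 32 hex characters, SHA1 needs 40."""
    if algorithm not in FINGERPRINT_HASHES:
        return False
    _, expected_length = FINGERPRINT_HASHES[algorithm]
    if len(configured) != expected_length:
        return False
    return all(c in "0123456789abcdefABCDEF" for c in configured)


def verify_root_certificate(der_bytes: bytes, algorithm: Optional[str],
                            configured: Optional[str]) -> str:
    """Decide what the entity does with a root certificate received from the CA.

    Returns "unverified" when no fingerprint hash is configured (the entity
    accepts the CA without checking, so the operator must trust the server),
    "accepted" when the computed fingerprint matches, and "rejected" otherwise.
    """
    if algorithm is None or not configured:
        return "unverified"
    if not fingerprint_is_well_formed(algorithm, configured):
        raise ValueError("fingerprint length does not match the hash algorithm")
    actual = certificate_fingerprint(der_bytes, algorithm)
    # Constant-time comparison so timing does not reveal how many leading
    # digits of the configured fingerprint matched.
    if hmac.compare_digest(actual, configured.lower()):
        return "accepted"
    return "rejected"


if __name__ == "__main__":
    good = certificate_fingerprint(SAMPLE_ROOT_CERT_DER, "sha1")
    print("sha1 fingerprint:", good)
    print(verify_root_certificate(SAMPLE_ROOT_CERT_DER, "sha1", good))
    print(verify_root_certificate(SAMPLE_ROOT_CERT_DER, "sha1", "0" * 40))
    print(verify_root_certificate(SAMPLE_ROOT_CERT_DER, None, None))
```

Of the two algorithms the form offers, SHA1 is the stronger choice; the value to configure is whatever the CA operator publishes out of band for the root certificate.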
2.
3.
Click Create Key to enter RSA key pair parameter configuration page.
4.
5.
Click Apply.
2.
3.
4.
Click Apply to destroy the existing RSA key pair and the corresponding local certificate.
2.
3.
4.
5.
Click Apply.
Item: Description
Domain Name
Certificate Type
Enable Offline Mode: Click this box to retrieve a certificate in offline mode (that is, by an out-of-band means like FTP, disk, or email) and then import the certificate into the local PKI system.
Get File From Device, Get File From PC: Specify the path and name of the certificate file if you retrieve the certificate in offline mode. If the certificate file is saved on the device, select Get File From Device and then specify the file. If the certificate file is saved on a local PC, select Get File From PC and then specify the path to the file and select the partition of the device for saving the file.
Password: Enter the password for protecting the private key if you retrieve the certificate in offline mode. The password was specified when the certificate was exported.
6.
After retrieving a certificate, click View Cert corresponding to the certificate from the PKI certificates list to display the contents of the certificate.
2.
3.
4.
Item: Description
Domain Name
Password
Enable Offline Mode: Click this box to request a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email.
5.
Click Apply.
If you request the certificate in online mode, the system displays "Certificate request has been
submitted." Click OK. If you request the certificate in offline mode, the system displays the offline
certificate request information. You can submit the information to the CA by an out-of-band means.
2.
3.
4.
Click View CRL for the domain to display the contents of the CRL.
The AC submits a local certificate request to the CA server, which runs the RSA Keon software.
2.
3.
Configuring the AC
1.
2.
certificate request. The URL must be in the format of http://host:port/Issuing Jurisdiction ID,
where Issuing Jurisdiction ID is the hexadecimal string generated on the CA.
h. Select Manual as the certificate request mode.
i.
Click the expansion button before Advanced Configuration to display the advanced
configuration items.
j.
Click Apply.
The system displays "Fingerprint of the root certificate not specified. No root certificate
validation will occur. Continue?"
m. Click OK.
3.
4.
e. Click Apply.
5.
Click OK.
6.
Configuration guidelines
When you configure PKI, note the following guidelines:
Make sure the clocks of entities and the CA are synchronous. Otherwise, the validity period of
certificates will be abnormal.
The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the
PKI entity identity information in a certificate request goes beyond a certain limit, the server will not
respond to the certificate request.
The SCEP plug-in is required when you use the Windows Server as the CA. In this case, you need
to specify RA as the authority for certificate request when you configure the PKI domain.
The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case, you
need to specify CA as the authority for certificate request when you configure the PKI domain.
Rogue detection
Terminology
Rogue AP: An unauthorized or malicious access point on the network, such as an AP set up by an
employee, a misconfigured AP, a neighbor AP, or an AP operated by an attacker. Because it is not
authorized, any vulnerability in the AP gives an attacker a chance to compromise your network security.
Monitor AP: An AP that scans or listens to 802.11 frames to detect rogue devices in the network.
Ad hoc mode: A wireless client in ad-hoc mode can directly communicate with other stations
without support from any other device.
Monitor mode: In this mode, an AP scans all 802.11g frames in the WLAN, but cannot provide
WLAN services. As shown in Figure 499, AP 1 works as an access AP, and AP 2 works as a monitor
AP to listen to all 802.11g frames. AP 2 cannot provide wireless access services.
Hybrid mode: In this mode, an AP can both scan devices in the WLAN and provide WLAN data
services.
If the rogue device is a rogue AP, legal clients will not use the rogue AP to access the WLAN.
If the rogue device is an ad-hoc client, it is denied and ad-hoc clients cannot communicate with
each other.
Functionalities supported
The rogue detection feature supports the following functionalities:
Rogue AP detection
Flood attack
Spoofing attack
Weak IV attack
Probe requests
Weak IV detection
Wired Equivalent Privacy (WEP) uses an Initialization Vector (IV) to encrypt each frame. An IV and a key
are used to generate a key stream, and thus encryptions using the same key have different results. When
a WEP frame is sent, the IV used in encrypting the frame is also sent as part of the frame header.
However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all
frames, the shared secret key may be exposed to any potential attackers. When the shared secret key is
compromised, the attacker can access network resources.
Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a
weak IV is detected, it is immediately logged.
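To make the detection concrete, here is an added example (not the AC's code) of the check a monitor AP performs: it reads the 3-byte IV that precedes the WEP payload of each protected data frame, logs IVs in the well-known weak class (second byte 0xFF, first byte 3 to 15), and logs IV reuse by the same transmitter, which is how a fixed IV shows up. It assumes plain data frames with a 24-byte MAC header (no QoS field, no fourth address); the frames and MAC addresses are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# 802.11 frame-control fields used here: the type field (bits 2-3 of byte 0)
# and the Protected Frame flag (bit 6 of byte 1). Assumed: 24-byte MAC header.
TYPE_DATA = 2
PROTECTED_FLAG = 0x40
MAC_HEADER_LEN = 24


def parse_wep_iv(frame: bytes) -> Optional[Tuple[bytes, bytes, int]]:
    """Return (transmitter MAC, 3-byte IV, key id) for a WEP-protected data
    frame, or None for unprotected, non-data, or truncated frames."""
    if len(frame) < MAC_HEADER_LEN + 4:
        return None
    frame_type = (frame[0] >> 2) & 0x03
    if frame_type != TYPE_DATA or not (frame[1] & PROTECTED_FLAG):
        return None
    transmitter = frame[10:16]                          # Address 2
    iv = frame[MAC_HEADER_LEN:MAC_HEADER_LEN + 3]       # IV sent in the clear
    key_id = frame[MAC_HEADER_LEN + 3] >> 6             # top 2 bits of byte 4
    return transmitter, iv, key_id


def is_weak_iv(iv: bytes) -> bool:
    """Weak-IV class: second byte 0xFF with first byte 3..15, the IVs that
    leak information about the RC4 key bytes during key scheduling."""
    return iv[1] == 0xFF and 3 <= iv[0] <= 15


class WeakIVDetector:
    """Tracks IVs per transmitter; records weak IVs and IV reuse in a log."""

    def __init__(self) -> None:
        self.seen: Dict[bytes, Set[bytes]] = defaultdict(set)
        self.log: List[str] = []

    def inspect(self, frame: bytes) -> List[str]:
        parsed = parse_wep_iv(frame)
        if parsed is None:
            return []
        transmitter, iv, key_id = parsed
        findings = []
        if is_weak_iv(iv):
            findings.append("weak-iv")
        if iv in self.seen[transmitter]:
            findings.append("iv-reuse")       # fixed or repeating IV generation
        self.seen[transmitter].add(iv)
        for finding in findings:
            self.log.append(f"{finding} src={transmitter.hex('-')} "
                            f"iv={iv.hex()} keyid={key_id}")
        return findings


def make_wep_frame(transmitter: bytes, iv: bytes, key_id: int = 0) -> bytes:
    """Constructed WEP data frame: MAC header, IV, key-id byte, dummy payload."""
    header = bytes([0x08, PROTECTED_FLAG]) + b"\x00\x00"   # FC (data), duration
    header += b"\x00\x0f\xe2\x00\x00\x01"                  # addr1 (BSSID), constructed
    header += transmitter                                  # addr2 (transmitter)
    header += b"\xff\xff\xff\xff\xff\xff"                  # addr3 (destination)
    header += b"\x10\x00"                                  # sequence control
    return header + iv + bytes([key_id << 6]) + b"\x00" * 8


def run_sample_capture() -> List[str]:
    """Feed a small constructed capture through the detector; return its log."""
    station = b"\x00\x0f\xe2\x15\x15\x15"                  # constructed client MAC
    unprotected = bytearray(make_wep_frame(station, bytes([0x01, 0x02, 0x03])))
    unprotected[1] = 0x00                                  # Protected flag cleared
    frames = [
        make_wep_frame(station, bytes([0x12, 0x34, 0x56])),   # ordinary IV
        make_wep_frame(station, bytes([0x03, 0xFF, 0x10])),   # weak-class IV
        make_wep_frame(station, bytes([0x12, 0x34, 0x56])),   # IV reused
        bytes(unprotected),                                   # ignored
    ]
    detector = WeakIVDetector()
    for frame in frames:
        detector.inspect(frame)
    return detector.log
```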
White list: Contains the MAC addresses of all clients allowed to access the WLAN. If the white list
is used, only permitted clients can access the WLAN, and all frames from other clients will be
discarded.
Static blacklist: Contains the MAC addresses of clients forbidden to access the WLAN. This list is
manually configured.
Dynamic blacklist: Contains the MAC addresses of clients forbidden to access the WLAN. A client
is dynamically added to the list if it is considered to be sending attack frames, and stays there until
the timer of the entry expires. A dynamic blacklist can collaborate with ARP detection. When ARP
detection detects any attacks, the MAC addresses of attackers are added to the dynamic blacklist.
For more information about ARP detection, see "ARP attack defense configuration."
When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the
frame as follows:
1. If the source MAC address does not match any entry in the white list, the frame is dropped. If there
is a match, the frame is considered valid and will be further processed.
2. If no white list entries exist, the static and dynamic blacklists are searched.
3. If the source MAC address matches an entry in any of the two lists, the frame is dropped.
4. If there is no match, or no blacklist entries exist, the frame is considered valid and will be further
processed.
A static blacklist or white list configured on an AC applies to all APs connected to the AC, while a
dynamic blacklist applies to APs that receive attack frames.
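The four-step check above, together with the scoping rule just stated (white list and static blacklist apply to every AP on the AC, a dynamic blacklist entry only to the AP that saw the attack frames, and only until its lifetime expires), as an added example that is not the AC's code. MAC addresses use the notation the guide uses; the APs, clients and lifetime are constructed, and the clock is injectable so expiry can be exercised.

```python
import time
from typing import Callable, Dict, Set, Tuple


class ClientAccessControl:
    """White list, static blacklist and per-AP dynamic blacklist, consulted in
    the order the guide gives. lifetime is the dynamic entry lifetime in seconds."""

    def __init__(self, lifetime: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.white_list: Set[str] = set()            # applies to all APs
        self.static_blacklist: Set[str] = set()      # applies to all APs
        self._dynamic: Dict[Tuple[str, str], float] = {}   # (ap, mac) -> expiry
        self.lifetime = lifetime
        self.clock = clock

    def report_attack(self, ap: str, mac: str) -> None:
        """An AP detected attack frames from mac: add (or refresh) a dynamic
        entry scoped to that AP; the timer restarts on every new detection."""
        self._dynamic[(ap, mac)] = self.clock() + self.lifetime

    def _dynamic_hit(self, ap: str, mac: str) -> bool:
        expiry = self._dynamic.get((ap, mac))
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self._dynamic[(ap, mac)]     # lifetime elapsed: entry removed
            return False
        return True

    def check_frame(self, ap: str, src_mac: str) -> Tuple[str, str]:
        """Return ("accept" or "drop", reason) for a frame ap received from src_mac."""
        # Step 1: when a white list exists it is the only list consulted.
        if self.white_list:
            if src_mac in self.white_list:
                return "accept", "white list match"
            return "drop", "not in white list"
        # Steps 2 and 3: no white list, so search the static and dynamic blacklists.
        if src_mac in self.static_blacklist:
            return "drop", "static blacklist match"
        if self._dynamic_hit(ap, src_mac):
            return "drop", "dynamic blacklist match on this AP"
        # Step 4: no match (or no blacklist entries at all): the frame is valid.
        return "accept", "no blacklist match"


def network_diagram_scenario() -> Dict[str, str]:
    """Replay the three-AP scenario with constructed addresses and a manual clock."""
    now = [0.0]
    ctl = ClientAccessControl(lifetime=60.0, clock=lambda: now[0])
    client1, client2, client3 = "000f-e215-1515", "000f-e215-1530", "000f-e213-1235"
    results = {}
    ctl.static_blacklist.add(client2)                  # blocked on every AP
    results["client2@ap1"] = ctl.check_frame("ap1", client2)[0]
    results["client2@ap3"] = ctl.check_frame("ap3", client2)[0]
    ctl.report_attack("ap1", client1)                  # AP 1 saw attack frames
    results["client1@ap1"] = ctl.check_frame("ap1", client1)[0]
    results["client1@ap2"] = ctl.check_frame("ap2", client1)[0]   # still allowed
    now[0] = 61.0                                      # dynamic entry expires
    results["client1@ap1-later"] = ctl.check_frame("ap1", client1)[0]
    ctl.white_list.add(client1)                        # only Client 1 permitted
    results["client1@ap3"] = ctl.check_frame("ap3", client1)[0]
    results["client3@ap3"] = ctl.check_frame("ap3", client3)[0]
    return results
```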
Figure 502 Network diagram for WLAN client access control
In the topology above, three APs are connected to an AC. Configure white list and static blacklist
entries on the AC, which will send all the entries to the APs. If the MAC address of a station, Client
1 for example, is present in the blacklist, it cannot access any of the APs. If only Client 1 is present
in the white list, it can access any of the APs, and other clients cannot access any of the APs.
Enable the dynamic blacklist function on the AC. If AP 1 receives attack frames from Client 1, a dynamic
blacklist entry is generated in the blacklist, and Client 1 cannot associate with AP 1, but can
associate with AP 2 or AP 3. If AP 2 or AP 3 receives attack frames from Client 1, a new dynamic
blacklist entry is generated in the blacklist.
2.
3.
4.
Click Apply.
Item: Description
Work mode: Configure the AP operating mode:
In normal mode, an AP provides WLAN data services but does not perform scanning.
In monitor mode, an AP scans all 802.11g frames in the WLAN, but cannot provide WLAN services.
In hybrid mode, an AP can both scan devices in the WLAN and provide WLAN data services.
IMPORTANT:
When an AP has its operating mode changed from normal to monitor, it does not restart.
When an AP has its operating mode changed from monitor to normal, it restarts.
NOTE:
An AP operating in hybrid mode can provide WLAN data services as well as scanning devices in the
WLAN, so WLAN service configurations are needed.
An AP operating in monitor mode cannot provide WLAN data services, so WLAN service
configurations are not needed.
Figure: client classification flowchart. The checks run in order: is the client in the static attack list? Is it in the permitted MAC address list? Is the AP (BSSID) the client is associated with legal? The outcome is either Legal client (Friend) or Illegal client (Rogue).
2.
Click the Rule List tab to enter detection rule list configuration page.
3.
Item: Description
List Type:
MAC: You can add MAC addresses to be permitted after selecting this option.
Wireless Service: You can add SSIDs to be permitted after selecting this option.
4.
Select MAC from the list and click Add to enter the MAC address configuration page.
5.
6.
Click Apply.
Description
MAC
If you select this option, the MAC address table displays MAC addresses of the
current devices. Select the MAC addresses to be permitted.
The operation to add other types of lists is similar to the add operation of a MAC address list, and thus
the description is omitted.
2.
3.
4.
Click Apply.
Description
Unlaw Set: Allows you to take countermeasures against rogue devices
(including illegal APs and illegal clients).
Reverse Mode
Once a rogue device is detected, an entry for it is added to the monitor record and
the aging time starts. The aging time restarts if the device is detected again during
the time. When the aging time is reached, the entry is deleted from the monitor
record and added to the history record.
2.
Click the Monitor Record tab to enter the monitor record page.
Type: Description
r: Rogue device.
p: Permitted device.
a: Ad hoc device.
w: AP.
b: Wireless bridge.
c: Client.
2.
Click the History Record tab to enter the history record page.
Configuring WIDS
1.
2.
3.
Click Apply.
Description
If you select the option, flood attack detection is enabled.
It is disabled by default.
2.
Click the History Record tab to enter the history information page.
2.
2.
On the Blacklist tab, configure the dynamic blacklist as described in Table 158.
3.
Click Apply.
Description
Dynamic Blacklist
Lifetime
Configure the lifetime of the entries in the blacklist. When the lifetime of an entry
expires, the entry is removed from the blacklist.
NOTE:
At present, these attacks can be detected through a dynamic blacklist: Assoc-Flood, Reassoc-Flood,
Disassoc-Flood, ProbeReq-Flood, Action-Flood, Auth-Flood, Deauth-Flood and NullData-Flood.
2.
On the Blacklist tab, click Static to enter the static blacklist configuration page.
3.
4.
5.
Click Apply.
Description
MAC Address
Select MAC Address, and then add a MAC address to the static blacklist.
If you select the option, the table below lists the current existing clients. Select the
options of the clients to add their MAC addresses to the static blacklist.
2.
3.
Click Add.
4.
5.
Click Apply.
Description
MAC Address
Select MAC Address, and then add a MAC address to the white list.
If you select the option, the table below lists the current existing clients. Select the
options of the clients to add their MAC addresses to the white list.
AP 2 operates in monitor mode, and scans all 802.11g frames in the WLAN.
Client 1 (MAC address 000f-e215-1515), Client 2 (MAC address 000f-e215-1530), and Client 3
(MAC address 000f-e213-1235) are connected to AP 1. They are configured as friends.
Configuration procedure
1.
2.
On the page that appears, set the AP name to ap2, select the AP model WA2620-AGN, select
Manual and enter the serial ID of AP 2.
d. Click Apply.
Click Apply.
3.
Click Enable.
4.
d. Select Attacker, and click Add. Enter 000f-e220-405e in the MAC Address field and click
Apply.
5.
Select Static Rogue Device. This is because the MAC address of Client 4 is added manually to
the attacker list.
d. Click Apply.
Configuration guidelines
The radio must be disabled so that the AP operation mode can be changed.
If you configure more than one detection rule, you need to specify the rogue device types (AP, client,
bridge, and ad hoc) and the rule matching order. For more information, see "User isolation."
The wireless service configuration is needed for an AP operating in hybrid mode, and not needed
for an AP in monitor mode.
User isolation
User isolation overview
Without user isolation, all the devices in the same VLAN can access each other directly, which raises
security problems. User isolation solves this problem. When an AC configured with user
isolation receives unicast packets (broadcast packets and multicast packets in a VLAN are not isolated)
from a wireless client to another wireless client or a wired PC in the same VLAN, or from a wired PC to
a wireless client in the same VLAN, the AC determines whether to isolate the two devices according to
the configured list of permitted MAC addresses.
To avoid user isolation from affecting communications between users and the gateway, you can add the
MAC address of the gateway to the list of permitted MAC addresses.
User isolation both provides network services for users and isolates users, preventing them from
communicating at Layer 2 and thus ensuring service security.
If you add the MAC address of the gateway to the permitted MAC address list, Client A, Client B,
and Host A in the same VLAN are isolated, but they can access the Internet.
If you add the MAC address of a user (Client A, for example) to the permitted MAC address list,
Client A and Client B, and Client A and Host A can access each other directly, but Client B and Host
A cannot.
To enable all the users in the VLAN to access one another and the Internet, you need to add the MAC
address of the gateway and the MAC addresses of the users to the permitted MAC address list.
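The forwarding rule behind the two cases above, as an added example rather than the AC's own code: unicast within an isolated VLAN is delivered only when the source or the destination is on that VLAN's permitted MAC list, while broadcast and multicast are never isolated. MAC addresses are written the way the guide writes them; the VLAN and addresses are constructed.

```python
from typing import Dict, Set


def parse_mac(text: str) -> bytes:
    """Accept the AC's notation ("000f-e212-7788") as well as colon notation."""
    digits = text.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text}")
    return bytes.fromhex(digits)


def is_group_address(mac: bytes) -> bool:
    """Broadcast and multicast destinations have the I/G bit set in the first octet."""
    return bool(mac[0] & 0x01)


class UserIsolation:
    """Per-VLAN user isolation driven by a permitted MAC address list."""

    def __init__(self) -> None:
        self.permitted: Dict[int, Set[bytes]] = {}    # VLAN ID -> permitted MACs

    def enable(self, vlan: int) -> None:
        """Turn isolation on for a VLAN (with an empty permitted list)."""
        self.permitted.setdefault(vlan, set())

    def permit(self, vlan: int, mac: str) -> None:
        self.enable(vlan)
        self.permitted[vlan].add(parse_mac(mac))

    def forwards(self, vlan: int, src: str, dst: str) -> bool:
        """Whether the AC forwards a frame from src to dst inside the VLAN."""
        if vlan not in self.permitted:
            return True                     # isolation not configured here
        destination = parse_mac(dst)
        if is_group_address(destination):
            return True                     # broadcast and multicast are not isolated
        # Unicast passes only if one endpoint is on the permitted list.
        allowed = self.permitted[vlan]
        return parse_mac(src) in allowed or destination in allowed


def scenario_results() -> Dict[str, bool]:
    """The two cases from the text, in VLAN 2, with constructed addresses."""
    gateway, client_a, client_b, host_a = (
        "000f-e212-7788", "000f-e215-1515", "000f-e215-1530", "000f-e213-1235")
    iso = UserIsolation()
    iso.permit(2, gateway)                  # case 1: only the gateway permitted
    results = {
        "a->gateway": iso.forwards(2, client_a, gateway),
        "a->b (gateway permitted)": iso.forwards(2, client_a, client_b),
        "hosta->b (gateway permitted)": iso.forwards(2, host_a, client_b),
        "a->broadcast": iso.forwards(2, client_a, "ffff-ffff-ffff"),
    }
    iso.permit(2, client_a)                 # case 2: Client A also permitted
    results["a->b (client A permitted)"] = iso.forwards(2, client_a, client_b)
    results["a->hosta (client A permitted)"] = iso.forwards(2, client_a, host_a)
    results["b->hosta (client A permitted)"] = iso.forwards(2, client_b, host_a)
    return results
```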
2.
Click Add.
The page for configuring user isolation appears.
3.
4.
Click Apply.
Description
VLAN ID
Item
Description
Specify the MAC addresses to be permitted by the AC. For more information, see
"After user isolation is enabled."
AccessMAC
Configuration procedure
1.
2.
On the page that appears, enter the VLAN ID 2, add MAC address 000f-e212-7788 to the
permitted MAC address list, and click Apply.
Authorized IP
Overview
The authorized IP function is to associate the HTTP or Telnet service with an ACL to filter the requests of
clients. Only clients that pass the ACL filtering can access the device.
Configuring authorized IP
Before you configure authorized IP, you must create and configure the ACL. For ACL configuration, see
"QoS configuration."
1.
2.
3.
4.
Click Apply.
Item
Description
Telnet
IPv4 ACL: Select the IPv4 ACL to be associated with the Telnet service.
Available IPv4 ACLs are those configured on the page you enter by selecting
QoS > ACL IPv4.
IPv6 ACL: Available IPv6 ACLs are those configured on the page you enter by selecting
QoS > ACL IPv6.
Web (HTTP)
IPv4 ACL: Select the IPv4 ACL to be associated with the HTTP service.
Available IPv4 ACLs are those configured on the page you enter by selecting
QoS > ACL IPv4.
ACL overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on
criteria such as source IP address, destination IP address, and port number.
ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and
permits packets that match a permit rule. ACLs are also widely used by many modules, for example, QoS
and IP routing, for traffic identification.
ACLs fall into the following categories.
Category, ACL number, IP version, Match criteria
Basic ACLs: ACL number 2000 to 2999; IP version IPv4 and IPv6.
Advanced ACLs: ACL number 3000 to 3999; IP version IPv4 and IPv6.
Ethernet frame header ACLs: ACL number 4000 to 4999.
NOTE:
For more information about ACL, see ACL and QoS Configuration Guide.
QoS overview
Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to
meet customer needs. Generally, QoS does not focus on grading services precisely, but on improving
services under certain conditions.
On the Internet, QoS refers to the ability of the network to forward packets. The evaluation of the QoS
of a network can be based on different aspects because the network may provide various services.
Generally, QoS refers to the ability to provide improved service by solving core issues such as delay,
jitter, and packet loss ratio in the packet forwarding process.
packets can obtain completely depends on the time they arrive. This service is called "best-effort". It
delivers packets to their destinations as well as it can, without any guarantee for delay, jitter, packet
loss ratio, reliability, and so on.
This service policy is only suitable for applications insensitive to bandwidth and delay, such as WWW,
file transfer, and email.
Configuring an ACL
Recommended configuration procedures
Recommended IPv4 ACL configuration procedure
Step
Remarks
Optional.
1.
2.
3.
Required.
4.
5.
Remarks
Optional.
1.
2.
3.
Required.
4.
2.
Click the Add tab to enter the time range adding page.
3.
4.
Click Apply.
Item
Description
Periodic Time Range
Start Time
End Time: Set the end time of the periodic time range. The end time must be greater than the
start time.
Sun, Mon, Tue, Wed, Thu, Fri, and Sat: Select the day or days of the week on which the periodic
time range is valid. You can select any combination of the days of the week.
Absolute Time Range
From: Set the start time of the absolute time range. The time of the day is in the hh:mm format
(24-hour clock), and the date is in the MM/DD/YYYY format.
To: Set the end time of the absolute time range. The time of the day is in the hh:mm format
(24-hour clock), and the date is in the MM/DD/YYYY format. The end time must be greater than
the start time.
2.
Click the Add tab to enter the IPv4 ACL adding page, as shown in Figure 533.
3.
4.
Click Apply.
Description
ACL Number
Match Order
Config: Packets are compared against ACL rules in the order that the rules are
configured.
Auto: Packets are compared against ACL rules in the depth-first match order.
Description
2.
Click the Basic Setup tab to enter the rule configuration page for a basic IPv4 ACL, as shown
in Figure 534.
3.
4.
Click Add.
Description
Select the basic IPv4 ACL for which you want to configure rules.
Available ACLs are basic IPv4 ACLs.
Select the Rule ID option and enter a number for the rule.
If you do not specify the rule number, the system will assign one automatically.
Rule ID
IMPORTANT:
If the rule number you specify already exists, the following operations modify the
configuration of the rule.
Select the action to be performed for IPv4 packets matching the rule.
Action
Check Fragment
Check Logging
A log entry contains the ACL rule number, operation for the matched packets,
protocol that IP carries, source/destination address, source/destination port
number, and number of matched packets.
Source IP Address
Source Wildcard
Select the Source IP Address option and enter a source IPv4 address and source
wildcard, in dotted decimal notation.
Time Range
Select the time range during which the rule takes effect.
2.
Click the Advanced Setup tab to enter the rule configuration page for an advanced IPv4 ACL, as
shown in Figure 535.
3.
4.
Click Add.
Description
ACL
Item
Description
Select the Rule ID option and enter a number for the rule.
If you do not specify the rule number, the system will assign
one automatically.
Rule ID
IMPORTANT:
If the rule number you specify already exists, the following
operations modify the configuration of the rule.
Select the action to be performed for IPv4 packets matching
the rule.
Action
Logging
Source IP Address
IP Address Filter
Source Wildcard
Destination IP Address
Destination Wildcard
Protocol
ICMP Type
ICMP Message
ICMP Type
These items are available only when you select 1 ICMP from
the Protocol list.
ICMP Code
If you select Other from the ICMP Message list, you must enter
values in the ICMP Type and ICMP Code fields. Otherwise, the
two fields will take the default values, which cannot be
changed.
Item
Description
TCP Connection
Established
Operator
Source
Port
-
TCP/UDP Port
Operator
Port
Select this option to make the rule match packets used for
establishing and maintaining TCP connections.
These items are available only when you select 6 TCP from the
Protocol list.
Select the operators and enter the source port numbers and
destination port numbers as required.
These items are available only when you select 6 TCP or 17
UDP from the Protocol list.
Different operators have different configuration requirements
for the port number fields:
Destination
-
Precedence
Filter
Time Range
DSCP
TOS
Precedence
2.
Click the Link Setup tab to enter the rule configuration page for an Ethernet frame header IPv4 ACL,
as shown in Figure 536.
3.
Configure an Ethernet frame header IPv4 ACL rule, as described in Table 167.
4.
Click Add.
Description
ACL
Select the Ethernet frame header IPv4 ACL for which you want to configure
rules.
Available ACLs are Ethernet frame header IPv4 ACLs.
Select the Rule ID option and enter a number for the rule.
Rule ID
If you do not specify the rule number, the system will assign one
automatically.
IMPORTANT:
If the rule number you specify already exists, the following operations modify
the configuration of the rule.
Item
Description
Select the action to be performed for IPv4 packets matching the rule.
Action
Source MAC
Address
MAC
Address
Filter
Source Mask
Destination MAC
Address
Destination Mask
COS(802.1p priority)
LSAP Type
Select the Source MAC Address option and enter a source MAC address
and wildcard.
Select the Destination MAC Address option and enter a destination MAC
address and wildcard.
Specify the 802.1p priority for the rule.
Select the LSAP Type option and specify the DSAP and SSAP fields in the LLC
encapsulation by configuring the following items:
TIP:
You can select only one of the LSAP Type option and the Protocol Type option.
Type Filter
Protocol Type
Select the Protocol Type option and specify the link layer protocol type by
configuring the following items:
Protocol Mask
Time Range
Select the time range during which the rule takes effect.
2.
Click the Add tab to enter the IPv6 ACL adding page, as shown in Figure 537.
3.
4.
Click Apply.
Description
ACL Number
Match Order
Config: Packets are compared against ACL rules in the order the rules are
configured.
Auto: Packets are compared against ACL rules in the depth-first match order.
Description
2.
Click the Basic Setup tab to enter the rule configuration page for a basic IPv6 ACL, as shown
in Figure 538.
3.
Configure the basic IPv6 ACL rule information, as described in Table 169.
4.
Click Add.
Description
Select the basic IPv6 ACL for which you want to configure rules.
Available ACLs are basic IPv6 ACLs.
Select the Rule ID option and enter a number for the rule.
If you do not specify the rule number, the system will assign one automatically.
Rule ID
IMPORTANT:
If the rule number you specify already exists, the following operations modify the
configuration of the rule.
Select the operation to be performed for IPv6 packets matching the rule.
Operation
Check Fragment
Check Logging
A log entry contains the ACL rule number, operation for the matched packets,
protocol that IP carries, source/destination address, source/destination port
number, and number of matched packets.
Item
Description
Source IP Address
Select the Source IP Address option and enter a source IPv6 address and prefix
length.
Source Prefix
Time Range
The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight
16-bit long fields, each of which is expressed with two hexadecimal numbers and
separated from its neighboring fields by colon (:).
Select the time range during which the rule takes effect.
2.
Click the Advanced Setup tab to enter the rule configuration page for an advanced IPv6 ACL.
3.
Configure the advanced IPv6 ACL rule information, as described in Table 170.
4.
Click Add.
Description
Select the advanced IPv6 ACL for which you want to configure
rules.
Available ACLs are advanced IPv6 ACLs.
Select the Rule ID option and enter a number for the rule.
If you do not specify the rule number, the system will assign one
automatically.
Rule ID
IMPORTANT:
If the rule number you specify already exists, the following operations
modify the configuration of the rule.
Select the operation to be performed for IPv6 packets matching the
rule.
Operation
Check Fragment
If you do not select this option, the rule applies to all fragments and
non-fragments.
Select this option to keep a log of matched IPv6 packets.
A log entry contains the ACL rule number, operation for the
matched packets, protocol that IP carries, source/destination
address, source/destination port number, and number of matched
packets.
Check Logging
Source IP Address
Source Prefix
IP Address
Filter
Select the Source IP Address option and enter a source IPv6 address
and prefix length.
Destination IP Address
Destination Prefix
Protocol
ICMPv6
Type
ICMPv6 Type
These items are available only when you select 58 ICMPv6 from the
Protocol list.
If you select Other from the Named ICMPv6 Type list, you must enter
values in the ICMPv6 Type and ICMPv6 Code fields. Otherwise, the
two fields will take the default values, which cannot be changed.
ICMPv6 Code
TCP/UDP
Source
Operator
Select the operators and enter the source port numbers and
destination port numbers as required.
Item
Description
Port
To Port
Operator
Destination
Port
Port
Time Range
Select the time range during which the rule takes effect.
2.
Click the Setup tab to enter the line rate configuration page, as shown in Figure 540.
3.
4.
Click Apply.
Description
Select the types of interfaces to be configured with line rate.
The interface types available for selection depend on your device model.
Select Enable or Disable to enable or disable line rate on the specified port.
Select a direction in which the line rate is to be applied.
Direction
CIR
Set the committed information rate (CIR), the average traffic rate.
CBS
Set the committed burst size (CBS), number of bits that can be sent in each
interval.
Set the excess burst size (EBS).
EBS
Click the ports to be configured with line rate in the port list. You can select
one or more ports.
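The CIR/CBS line-rate (and CAR) behaviour described in the table above, as an added example that is not H3C code: a single-rate token bucket that passes packets within the committed rate and burst and discards the excess, plus a check of the CBS:CIR guideline given in this chapter's configuration guidelines. Units follow the page (CIR in kbps, CBS in bits); the class and function names and the sample traffic are constructed.

```python
# Added example (not H3C code): token-bucket model of line rate / CAR with CIR and CBS.

class TokenBucket:
    """Tokens (bits) accumulate at CIR and are capped at CBS; a packet passes only
    if the bucket holds enough tokens for its whole length."""

    def __init__(self, cir_kbps: float, cbs_bits: float):
        if cir_kbps <= 0 or cbs_bits <= 0:
            raise ValueError("CIR and CBS must be positive")
        self.cir_bps = cir_kbps * 1000.0
        self.cbs = float(cbs_bits)
        self.tokens = self.cbs      # bucket starts full: a burst of CBS bits can pass
        self.last = 0.0             # time (s) of the last refill

    def _refill(self, now: float) -> None:
        if now < self.last:
            raise ValueError("packet arrivals must be in time order")
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.cir_bps)
        self.last = now

    def police(self, now: float, size_bytes: int) -> str:
        """'pass' (green, within CIR/CBS) or 'discard' (red, excess) for one packet."""
        self._refill(now)
        need = size_bytes * 8
        if need <= self.tokens:
            self.tokens -= need
            return "pass"
        return "discard"            # the CAR action for red packets on this page


def police_trace(cir_kbps: float, cbs_bits: float, arrivals):
    """Run a list of (time_s, size_bytes) arrivals through one bucket."""
    bucket = TokenBucket(cir_kbps, cbs_bits)
    return [bucket.police(t, size) for t, size in arrivals]


def cbs_cir_ratio_ok(cir_kbps: float, cbs_bits: float) -> bool:
    """Configuration guideline in this chapter: the ratio of CBS to CIR (as the
    configured values) should be more than 100:16, or bursty traffic handling
    may be affected."""
    return cbs_bits * 16 > cir_kbps * 100


# Constructed sample: ten 1500-byte packets arriving at once, then one 100 ms later.
SAMPLE = [(0.0, 1500)] * 10 + [(0.1, 1500)]
```

With CIR 1000 kbps and CBS 64000 bits, the burst empties the bucket after five 1500-byte packets (60000 bits), the next five are discarded, and after 100 ms of refill the bucket is full again and the eleventh packet passes.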
If packet priority is trusted, the device uses the specified priority field of the incoming packet to look
up the priority mapping tables for the set of QoS priority parameters to assign to the packet. Note
that, if a received packet does not carry the specified priority field, the device uses the port priority
to look up the priority mapping tables for the set of QoS priority parameters to assign to the packet.
If port priority is trusted, the device uses the port priority rather than packet priority to look up the
priority mapping tables for the set of QoS priority parameters to assign to the packet.
In the first approach, you can configure a port to use the 802.1p or 802.11e priority carried in
received packets for priority mapping. This approach is supported for the WLAN-ESS interface in
addition to other types of interface.
In the second approach, more options are available. In addition, you can change port priority
(local precedence) of a port for priority mapping. This approach is not supported on the
WLAN-ESS interface.
Approach 1
1.
Select QoS > Trust Mode from the navigation tree to enter the priority trust mode configuration
page, as shown in Figure 541.
2.
Configure the priority trust mode of the interfaces, as described in Table 172.
3.
Click Apply.
Description
Select the type of the ports to be configured. The interface types available for
selection depend on your device model.
IMPORTANT:
If a WLAN-ESS interface in use has WLAN-DBSS interfaces created on it, its
priority cannot be modified. To modify the priority of the WLAN-ESS interface,
you must stop the service the interface provides (make the current users on the
interface offline).
Select the priority trust mode:
Trust Mode
Click the ports to be configured in the port list. You can select one or more
ports.
Approach 2
1.
Select QoS > Port Priority from the navigation tree to enter the page shown in Figure 542.
2.
Click the icon for a port to enter the page for configuring the priority and priority trust mode of
the port, as shown in Figure 543.
3.
4.
Click Apply.
Remarks
Interface Name
Priority
Local precedence is allocated by the device and has only local significance. A local
precedence value corresponds to an output queue. A packet with higher local
precedence is assigned to a higher priority output queue to be preferentially
scheduled.
Set the priority trust mode of the port:
Untrust: Uses the port priority rather than a packet priority value for priority
mapping.
Trust Mode
Class
Classes identify traffic.
A class is identified by a class name and contains some match criteria for identifying traffic. The
relationship between the criteria can be:
AND: A packet is considered to belong to a class only when the packet matches all the criteria in
the class.
OR: A packet is considered to belong to a class if it matches any of the criteria in the class.
Traffic behavior
A traffic behavior, identified by a name, defines a set of QoS actions for packets.
Policy
A policy associates a class with a traffic behavior to define what actions to take on which class of traffic.
You can define multiple class-traffic behavior associations in a policy.
You can apply a policy to a port to regulate traffic sent or received on the port. A QoS policy can be
applied to multiple ports, but in one direction (inbound or outbound) of a port, only one QoS policy can
be applied.
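The class, traffic behavior and policy objects described above, as an added example that is not H3C code: a class with AND/OR criteria (values inside one match rule are ORed, as the page states for DSCP, Dot1p and VLAN rules), a behavior that remarks or filters, a policy that associates them, and a port that accepts only one policy per direction. The field names, the assumption that the first matching class in configuration order is applied, and the sample packets are constructed.

```python
# Added example (not H3C code): class / traffic behavior / QoS policy model.
from dataclasses import dataclass, field


@dataclass
class Classifier:
    name: str
    operator: str                         # "and": all rules must match; "or": any one suffices
    criteria: dict = field(default_factory=dict)
    # criteria values: a set means "any of these values" (ORed); a scalar means exact match

    def matches(self, packet: dict) -> bool:
        if self.operator not in ("and", "or"):
            raise ValueError("operator must be 'and' or 'or'")
        results = []
        for key, wanted in self.criteria.items():
            value = packet.get(key)
            results.append(value in wanted if isinstance(wanted, (set, frozenset)) else value == wanted)
        if not results:
            return True                   # a class with no rule matches everything ("any")
        return all(results) if self.operator == "and" else any(results)


@dataclass
class Behavior:
    name: str
    actions: dict = field(default_factory=dict)   # e.g. {"remark_dscp": 46} or {"filter": "deny"}

    def apply(self, packet: dict) -> dict:
        out = dict(packet)
        if "remark_dscp" in self.actions:
            out["dscp"] = self.actions["remark_dscp"]
        if "remark_dot1p" in self.actions:
            out["dot1p"] = self.actions["remark_dot1p"]
        if self.actions.get("filter") == "deny":
            out["dropped"] = True
        return out


class Policy:
    def __init__(self, name: str):
        self.name = name
        self.entries = []                 # ordered class/behavior associations

    def associate(self, classifier: Classifier, behavior: Behavior) -> None:
        self.entries.append((classifier, behavior))

    def process(self, packet: dict):
        """Return (packet after actions, name of the matching class or None).
        Assumption: the first matching class in configuration order is applied."""
        for classifier, behavior in self.entries:
            if classifier.matches(packet):
                return behavior.apply(packet), classifier.name
        return dict(packet), None


class Port:
    """Only one QoS policy may be applied per direction of a port (rule on this page)."""

    def __init__(self, name: str):
        self.name = name
        self.policies = {}

    def apply_policy(self, policy: Policy, direction: str) -> None:
        if direction not in ("inbound", "outbound"):
            raise ValueError("direction must be 'inbound' or 'outbound'")
        if direction in self.policies:
            raise ValueError(f"{self.name} already has a {direction} policy")
        self.policies[direction] = policy


def duplicate_direction_rejected(port: Port, policy: Policy, direction: str) -> bool:
    try:
        port.apply_policy(policy, direction)
    except ValueError:
        return True
    return False


def build_sample_policy() -> Policy:
    """Constructed policy: voice in VLAN 10 (DSCP 46 or 34) is remarked to DSCP 46;
    anything in VLAN 99 is filtered (dropped)."""
    voice = Classifier("voice", "and", {"dscp": {46, 34}, "vlan": {10}})
    guest = Classifier("guest", "or", {"vlan": {99}})
    policy = Policy("policy1")
    policy.associate(voice, Behavior("mark_ef", {"remark_dscp": 46}))
    policy.associate(guest, Behavior("drop", {"filter": "deny"}))
    return policy
```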
Step
Remarks
1.
Adding a class
2.
3.
4.
5.
Adding a policy
Required.
Add a class and specify the operator of the class.
Required.
Configure match criteria for the class.
Required.
Add a traffic behavior.
Use either approach.
Configure various actions for the traffic behavior.
Required.
Add a policy.
Required.
6.
7.
Adding a class
1.
2.
Click the Add tab to enter the page for adding a class, as shown in Figure 544.
3.
4.
Click Add.
Description
Classifier Name
Operator
And: Specifies the relationship between the rules in a class as logic AND. The
device considers that a packet belongs to a class only when the packet matches all the
rules in the class.
Or: Specifies the relationship between the rules in a class as logic OR. The device
considers that a packet belongs to a class as long as the packet matches one of the
rules in the class.
2.
Click the Setup tab to enter the page for setting a class, as shown in Figure 545.
3.
4.
Click Apply.
A progress dialog box appears.
5.
Click Close on the progress dialog box when the progress dialog box prompts that the
configuration succeeds.
Description
Any
Item
Description
Define a rule to match DSCP values.
If multiple such rules are configured for a class, the new configuration does not
overwrite the previous one.
DSCP
You can configure up to eight DSCP values each time. If multiple identical DSCP
values are specified, the system considers them as one. The relationship
between different DSCP values is OR. After such configurations, all the DSCP
values are arranged in ascending order automatically.
Define a rule to match IP precedence values.
If multiple such rules are configured for a class, the new configuration does not
overwrite the previous one.
IP Precedence
Classifier
TIP:
This configuration item is not supported.
Define a rule to match inbound interfaces.
Inbound Interface
TIP:
This configuration item is not supported.
Define a rule to match a range of RTP ports.
Specify the start port in the from field and the end port in the to field.
RTP Port
TIP:
This configuration item is not supported.
Define a rule to match the service 802.1p precedence values.
If multiple such rules are configured for a class, the new configuration does not
overwrite the previous one.
Service 802.1p
You can configure up to eight Dot1p values each time. If multiple identical
Dot1p values are specified, the system considers them as one. The relationship
between different Dot1p values is OR. After such configurations, all the Dot1p
values are arranged in ascending order automatically.
TIP:
Dot1p
If multiple such rules are configured for a class, the new configuration does not
overwrite the previous one.
You can configure up to eight Dot1p values each time. If multiple identical
Dot1p values are specified, the system considers them as one. The relationship
between different Dot1p values is OR. After such configurations, all the Dot1p
values are arranged in ascending order automatically.
Item
Description
Define a rule to match a source MAC address.
Source MAC
If multiple such rules are configured for a class, the new configuration does not
overwrite the previous one.
A rule to match a source MAC address is significant only to Ethernet interfaces.
MAC
If multiple such rules are configured for a class, the new configuration does not
overwrite the previous one.
A rule to match a destination MAC address is significant only to Ethernet
interfaces.
Define a rule to match service VLAN IDs.
If multiple such rules are configured for a class, the new configuration does not
overwrite the previous one.
Service VLAN
You can configure multiple VLAN IDs each time. If the same VLAN ID is
specified multiple times, the system considers them as one. The relationship
between different VLAN IDs is logical OR. After such a configuration. You can
specify VLAN IDs in two ways:
Enter a range of VLAN IDs, such as 10-500. The number of VLAN IDs in the
range is not limited.
VLAN
Customer VLAN
You can configure multiple VLAN IDs each time. If the same VLAN ID is
specified multiple times, the system considers them as one. The relationship
between different VLAN IDs is logical OR. You can specify VLAN IDs in two
ways:
Enter a range of VLAN IDs, such as 10-500. The number of VLAN IDs in the
range is not limited.
ACL
ACL IPv4
ACL IPv6
2.
Click the Add tab to enter the page for adding a traffic behavior, as shown in Figure 546.
3.
4.
Click Add.
2.
Click the Setup tab to enter the page for setting a traffic behavior, as shown in Figure 547.
3.
4.
Click Apply.
A progress dialog box appears.
5.
Click Close on the progress dialog box when the progress dialog box prompts that the
configuration succeeds.
Description
Item
Description
Enable/Disable
CIR
Set the committed information rate (CIR), the average traffic rate.
CBS
Set the committed burst size (CBS), number of bits that can be sent
in each interval.
CAR
Discard
Red
Pass
IP Precedence
Dot1p
Remark
Select the Local Precedence option and then select the local
precedence value to be marked for packets in the following list.
Select Not Set to cancel the action of marking local precedence.
Configure the action of marking DSCP values for packets.
Select the DSCP option and then select the DSCP value to be marked
for packets in the following list. Select Not Set to cancel the action of
marking DSCP values.
DSCP
TIP:
This configuration item is not supported.
EF
Queue
Max Bandwidth
CBS
Percent
CBS-Ratio
Min Bandwidth
Percent
AF
WFQ
TIP:
These configuration items are not supported.
Item
Description
Configure the packet filtering action.
After selecting the Filter option, select one item in the following list:
Filter
Accounting
Adding a policy
1.
2.
Click the Add tab to enter the page for adding a policy, as shown in Figure 548.
3.
4.
Click Add.
2.
Click the Setup tab to enter the page for setting a policy, as shown in Figure 549.
3.
4.
Click Apply.
Description
Classifier Name
Behavior Name
2.
Click the Setup tab to enter the page for applying a policy to a port, as shown in Figure 550.
3.
Select a policy and apply the policy to the specified ports, as described in Table 178.
4.
Click Apply.
Description
Direction
Select QoS > Service Policy from the navigation tree to enter the service policy page shown
in Figure 551.
2.
Click the icon for a wireless service to enter the service policy setup page shown in Figure 551.
3.
4.
Click Apply.
Remarks
Wlan Service
Display the specified WLAN service to which you want to apply a QoS policy.
Inbound Policy
Apply the QoS policy to the packets received by the wireless service.
Outbound Policy
Apply the QoS policy to the packets sent by the wireless service.
Set the priority trust mode:
Trust Mode
QoS Priority
Add an ACL to prohibit the hosts from accessing the FTP server from 8:00 to 18:00 every day.
2.
3.
Apply the QoS policy in the inbound direction of the wireless service named service1.
Network diagram: Client 1, Client 2, AP 1, AP 2, L2 switch, AC, and FTP server (10.1.1.1/24).
Configuration procedure
NOTE:
Before performing the following configurations, make sure the AC has been configured with wireless
service service1. For more information about the wireless service configuration, see "Configuring access
services."
1.
Define a time range to cover the time range from 8:00 to 18:00 every day:
On the page as shown in Figure 554, enter the time range name test-time, select the Periodic
Time Range option, set the Start Time to 8:00 and the End Time to 18:00, and select the
options Sun through Sat.
d. Click Apply.
Figure 554 Defining a time range covering 8:00 to 18:00 every day
2.
d. Click Apply.
3.
enter rule ID 2.
c.
d. Select the Destination IP Address option, and enter IP address 10.1.1.1 and destination
wildcard 0.0.0.0.
e. Select test-time in the Time Range list.
f.
Click Add.
Figure 556 Defining an ACL rule for traffic to the FTP server
4.
Add a class:
a. Select QoS > Classifier from the navigation tree.
b. Click the Add tab.
c.
On the page as shown in Figure 557, enter the class name class1.
d. Click Add.
5.
Click Apply.
A progress dialog box appears.
d. Click Close on the progress dialog box when the progress dialog box prompts that the
configuration succeeds.
6.
On the page as shown in Figure 559, enter the behavior name behavior1.
d. Click Add.
7.
Click Apply.
A progress dialog box appears.
d. Click Close when the progress dialog box prompts that the configuration succeeds.
8.
Add a policy:
a. Select QoS > QoS Policy from the navigation tree.
b. Click the Add tab.
c.
On the page as shown in Figure 561, enter the policy name policy1.
d. Click Add.
9.
Click Apply.
10.
Apply the QoS policy in the inbound direction of the wireless service named service1:
a. Select QoS > Service Policy from the navigation tree.
b. Click the
c.
On the page as shown in Figure 563, select the Inbound Policy option, and select policy1 from
the following list.
d. Click Apply.
Figure 563 Applying the QoS policy in the inbound direction of WLAN service service1
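The ACL side of the configuration example above, as an added example that is not H3C code: a periodic time range (8:00 to 18:00, Sun through Sat), an IPv4 rule with wildcard masks (rule 2, destination 10.1.1.1, wildcard 0.0.0.0) and evaluation in the config or auto match order described in the ACL tables of this chapter. The data structures, the "deny" action on the rule, the "permit" result when no rule matches, and the way depth-first (auto) order is approximated by counting wildcard don't-care bits are constructed assumptions; the moments at which packets are evaluated are constructed too.

```python
# Added example (not H3C code): IPv4 ACL rule with wildcard mask and periodic time range.
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass
class TimeRange:
    """Periodic time range; days use Python weekday numbering (0 = Mon ... 6 = Sun)."""
    name: str
    start: time
    end: time
    days: frozenset

    def __post_init__(self):
        if self.end <= self.start:          # rule on this page: end must be greater than start
            raise ValueError("end time must be greater than start time")

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() < self.end


@dataclass
class Rule:
    rule_id: int
    action: str                             # "permit" or "deny"
    src: Optional[str] = None               # None = any address
    src_wildcard: str = "0.0.0.0"
    dst: Optional[str] = None
    dst_wildcard: str = "0.0.0.0"
    time_range: Optional[TimeRange] = None


def ip2int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return int.from_bytes(bytes(octets), "big")


def wildcard_match(addr: str, ref: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match, a 1 bit is don't-care
    (0.0.0.0 = exactly this host, 0.0.0.255 = the /24 containing ref)."""
    care = ~ip2int(wildcard) & 0xFFFFFFFF
    return (ip2int(addr) ^ ip2int(ref)) & care == 0


def rule_matches(rule: Rule, src: str, dst: str, now: datetime) -> bool:
    if rule.time_range is not None and not rule.time_range.active(now):
        return False
    if rule.src is not None and not wildcard_match(src, rule.src, rule.src_wildcard):
        return False
    if rule.dst is not None and not wildcard_match(dst, rule.dst, rule.dst_wildcard):
        return False
    return True


def _dont_care_bits(rule: Rule) -> int:
    """Assumed depth-first key: fewer wildcard 1-bits means a more specific rule."""
    return sum(32 if ref is None else bin(ip2int(wc)).count("1")
               for ref, wc in ((rule.src, rule.src_wildcard), (rule.dst, rule.dst_wildcard)))


def evaluate(rules, src, dst, now, match_order="config", default="permit"):
    """Return (action, rule_id). 'config' tries rules in configured (list) order;
    'auto' tries the most specific rule first. default applies when nothing matches."""
    ordered = list(rules) if match_order == "config" else sorted(rules, key=_dont_care_bits)
    for rule in ordered:
        if rule_matches(rule, src, dst, now):
            return rule.action, rule.rule_id
    return default, None


# Constructed reproduction of the chapter example: rule 2 denies traffic to the FTP
# server 10.1.1.1 during test-time (8:00 to 18:00 every day).
TEST_TIME = TimeRange("test-time", time(8, 0), time(18, 0), frozenset(range(7)))
ACL_3000 = [Rule(2, "deny", dst="10.1.1.1", dst_wildcard="0.0.0.0", time_range=TEST_TIME)]


def example_results():
    busy = datetime(2024, 1, 10, 9, 0)      # constructed: a Wednesday at 09:00
    evening = datetime(2024, 1, 10, 19, 0)  # constructed: same day at 19:00
    return {"ftp_in_range": evaluate(ACL_3000, "10.1.1.20", "10.1.1.1", busy),
            "ftp_out_of_range": evaluate(ACL_3000, "10.1.1.20", "10.1.1.1", evening),
            "other_host_in_range": evaluate(ACL_3000, "10.1.1.20", "10.1.1.2", busy)}


def match_order_demo():
    """Overlapping rules: config order hits the /24 rule first, auto the host rule."""
    rules = [Rule(1, "permit", dst="10.1.1.0", dst_wildcard="0.0.0.255"), Rule(2, "deny", dst="10.1.1.1")]
    now = datetime(2024, 1, 10, 9, 0)
    return (evaluate(rules, "10.1.1.20", "10.1.1.1", now, "config"),
            evaluate(rules, "10.1.1.20", "10.1.1.1", now, "auto"))


def rejects_reversed_time_range() -> bool:
    try:
        TimeRange("bad", time(18, 0), time(8, 0), frozenset(range(7)))
    except ValueError:
        return True
    return False
```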
Configuration guidelines
When you configure an ACL and QoS, follow these guidelines:
You cannot add an ACL rule with, or modify a rule to have, the same permit/deny statement as an
existing rule in the ACL.
You can only modify the existing rules of an ACL that uses the match order of config. When
modifying a rule of such an ACL, you may choose to change just some of the settings, in which case
the other settings remain the same.
When you configure line rate and traffic policing for a behavior, make sure the ratio of CBS to CIR
is more than 100:16. Otherwise, the handling for bursty traffic may be affected.
If an ACL is referenced by a QoS policy for defining traffic classification rules, the operation of the
QoS policy varies by interface (the definition of software/hardware interface varies with device
models). The specific process is as follows:
If the QoS policy is applied to a software interface and the referenced ACL rule is a deny
clause, the ACL rule does not take effect and packets go to the next classification rule.
If the QoS policy is applied to a hardware interface, packets matching the referenced ACL rule
are organized as a class and the behavior defined in the QoS policy applies to the class
regardless of whether the referenced ACL rule is a deny or permit clause.
If a QoS policy is applied in the outbound direction of a port, the QoS policy cannot influence local
packets. Local packets refer to the important protocol packets that maintain the normal operation of
the device. QoS must not process such packets to avoid packet drop. Commonly used local packets
are: link maintenance packets, ISIS packets, OSPF packets, RIP packets, BGP packets, LDP packets,
RSVP packets, and SSH packets and so on.
In a policy, a traffic behavior with EF configured cannot be associated with the default class,
and a traffic behavior with WFQ configured can only be associated with the default class.
In a policy, the total bandwidth assigned to the AF and EF classes cannot be greater than the
available bandwidth of the interface to which the policy applies; the total bandwidth
percentage assigned to the AF and EF classes cannot be greater than 100%.
In the same policy, the same bandwidth unit must be used to configure bandwidth for AF
classes and EF classes, either absolute bandwidth value or percent.
Terminology
WMM
WMM is a wireless QoS protocol designed to preferentially transmit packets with high priority, and
guarantees better QoS services for voice and video applications in a wireless network.
EDCA
Enhanced distributed channel access (EDCA) is a channel contention mechanism designed by WMM to
preferentially transmit packets with high priority and allocate more bandwidth to such packets.
AC
WMM uses access categories (ACs) for handling channel contentions. WMM assigns WLAN data into
four access categories: AC-VO (voice), AC-VI (video), AC-BE (best-effort), and AC-BK (background), in
the descending order of priority. Each access category uses an independent priority queue for
transmitting data. When contention occurs, WMM guarantees that a high-priority access category
preempts a low-priority access category.
CAC
Connection admission control (CAC) limits the number of clients that are using high-priority access
categories (AC-VO and AC-VI) to guarantee sufficient bandwidth for existing high-priority traffic.
U-APSD
Unscheduled automatic power-save delivery (U-APSD) is a new power saving mechanism defined by
WMM to enhance the power saving capability of clients.
SVP
SpectraLink voice priority (SVP) is a voice priority protocol designed by the SpectraLink company to
guarantee QoS for voice traffic.
data transmission. When the specified idle duration of the channel times out, APs or clients randomly
select a backoff slot within the contention window to perform backoff. The device that finishes backoff first
gets the channel. With 802.11, all devices have the same idle duration and contention window. They are
equal when contending for a channel. In WMM, this fair contention mechanism is changed.
EDCA parameters
WMM assigns data packets to four access categories. By allowing a high-priority access category to
have more channel contention opportunities than a low-priority access category, WMM offers different
service levels to access categories.
WMM defines a set of EDCA parameters for each access category, covering the following:
Arbitration inter-frame spacing number (AIFSN): Different from the 802.11 protocol, where the idle
duration (set using DIFS) is a constant value, WMM can define an idle duration per access category.
The idle duration increases as the AIFSN value increases (see Figure 564 for the AIFS durations).
Transmission opportunity limit (TXOPLimit): Indicates the maximum time for which a user can hold
a channel after a successful contention. The greater the TXOPLimit is, the longer the user can hold
the channel. The value 0 indicates that the user can send only one packet each time it holds the
channel.
Channel utilization-based admission policy: The AP calculates the total time that the existing
high-priority access categories occupy the channel in one second, and then calculates the time that
the requesting traffic will occupy the channel in one second. If the sum of the two values is smaller
than or equal to the maximum hold time of the channel, the client can use the requested access
category. Otherwise, the request is rejected.
Users-based admission policy: If the number of clients using high-priority access categories plus
the requesting clients is smaller than or equal to the maximum number of high-priority access
category clients, the request is accepted. Otherwise, the request is rejected. During calculation, a
client is counted once even if it is using both AC-VO and AC-VI.
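The two admission policies described above, as an added example that is not H3C code: a users-based policy that counts each client once even when it uses both AC-VO and AC-VI (the page's default, 20 users), and a channel-utilization policy that accepts a request only while the admitted medium time plus the requested medium time stays within the channel's maximum hold time. The class and method names, expressing the hold limit as a fraction of one second of medium time, and the sample requests are constructed.

```python
# Added example (not H3C code): CAC admission decisions for AC-VO and AC-VI requests.

HIGH_PRIORITY_ACS = ("AC-VO", "AC-VI")      # only these are subject to CAC
ONE_SECOND_US = 1_000_000


class CacAdmission:
    def __init__(self, policy="users", max_users=20, max_utilization=0.75):
        """policy 'users' (page default, 20 users) or 'channel'. max_utilization is the
        assumed share of one second of medium time that admitted VO/VI traffic may hold."""
        if policy not in ("users", "channel"):
            raise ValueError("policy must be 'users' or 'channel'")
        if max_users <= 0 or not 0 < max_utilization <= 1:
            raise ValueError("max_users must be positive and 0 < max_utilization <= 1")
        self.policy = policy
        self.max_users = max_users
        self.max_hold_us = max_utilization * ONE_SECOND_US
        self.admitted = {}                 # client -> {ac: medium_time_us per second}

    def admitted_clients(self):
        """Clients holding any high-priority AC; each counted once regardless of AC count."""
        return set(self.admitted)

    def used_medium_time_us(self, exclude=None):
        """Medium time per second already admitted, optionally excluding one (client, ac)."""
        return sum(t for client, acs in self.admitted.items() for ac, t in acs.items()
                   if (client, ac) != exclude)

    def request(self, client, ac, medium_time_us=0) -> bool:
        """Decide whether client may use access category ac; record it if admitted."""
        if ac not in HIGH_PRIORITY_ACS:
            return True                    # AC-BE and AC-BK are not admission controlled
        if self.policy == "users":
            if len(self.admitted_clients() | {client}) > self.max_users:
                return False
        else:
            used = self.used_medium_time_us(exclude=(client, ac))
            if used + medium_time_us > self.max_hold_us:
                return False
        self.admitted.setdefault(client, {})[ac] = medium_time_us
        return True

    def release(self, client) -> None:
        """Client left or downgraded: free its admitted categories."""
        self.admitted.pop(client, None)
```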
SVP service
SVP service implements differentiated treatment of SVP packets by mapping each SVP packet (IP protocol
number 119) to an access category, which corresponds to a transmit queue with certain priority.
ACK policy
WMM defines the following ACK policies:
No ACK: When the no acknowledgement (No ACK) policy is used, the recipient does not
acknowledge received packets during wireless packet exchange. This policy can improve
transmission efficiency in the environment where communication quality is fine and interference is
weak. However, in the environment where communication quality is poor, it can cause increased
packet loss and deteriorated communication quality.
Normal ACK: When the Normal ACK policy is used, the recipient acknowledges each received
unicast packet.
2.
3.
Click Enable.
2.
Click the icon in the Operation column for the desired AP to enter the page for mapping SVP
service to an access category, as shown in Figure 567.
3.
4.
Click Apply.
Description
AP Name
Item
Description
Radio
SVP Mapping
AC-VO.
AC-VI.
AC-BE.
AC-BK.
2.
Click the icon in the Operation column for the desired AP to enter the page for setting CAC
admission policy, as shown in Figure 568.
3.
4.
Click Apply.
Channel Utilization
Description
Users-based admission policy, or the maximum number of clients allowed to be
connected. A client is counted only once, even if it is using both AC-VO and AC-VI.
By default, the users-based admission policy applies, with the maximum number of
users being 20.
Channel utilization-based admission policy, or the rate of the medium time of the
accepted AC-VO and AC-VI traffic to the valid time during the unit time. The valid
time is the total time during which data is transmitted.
2.
Click the icon in the Operation column for the desired AP to enter the page for configuring
wireless QoS.
3.
4.
5.
Click Apply.
Description
AP Name
Radio
Priority type
AIFSN
TXOP Limit
ECWmin
ECWmax
No ACK
TXOP Limit
AIFSN
ECWmin
ECWmax
AC-BK
10
AC-BE
AC-VI
94
AC-VO
47
NOTE:
ECWmin cannot be greater than ECWmax.
On an AP operating in 802.11b radio mode, H3C recommends that you set the TXOP-Limit to 0, 0, 188,
and 102 for AC-BK, AC-BE, AC-VI, and AC-VO.
Click the icon in the Operation column for the desired AP to enter the page for configuring wireless QoS.
Click Apply.
Item / Description
AP Name
Radio
Priority type
AIFSN
TXOP Limit
ECWmin
ECWmax
CAC: AC-VO and AC-VI support CAC, which is disabled by default. This item is not available for AC-BE or AC-BK, because they do not support CAC.
Enable: Enables CAC.
Disable: Disables CAC.

Default EDCA parameters by access category:
AC-BK: ECWmax 10
AC-BE: ECWmax 10
AC-VI: TXOP Limit 94
AC-VO: TXOP Limit 47
NOTE:
ECWmin cannot be greater than ECWmax.
If all clients operate in 802.11b radio mode, set the TXOP Limit to 188 and 102 for AC-VI and AC-VO.
If some clients operate in 802.11b radio mode and some in 802.11g radio mode, H3C recommends the TXOP Limit parameters in Table 185.
Once you enable CAC for an access category, it is enabled automatically for all higher priority access
categories. For example, if you enable CAC for AC-VI, CAC is also enabled for AC-VO. However,
enabling CAC for AC-VO does not enable CAC for AC-VI.
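An added example, not from the guide or from H3C, that applies the rules above to an EDCA parameter set: it derives the contention window from ECWmin/ECWmax, the AIFS from AIFSN, the TXOP duration from the TXOP Limit, rejects ECWmin > ECWmax, flags TXOP Limits that differ from the 802.11b recommendation, and applies the CAC rule that enabling CAC for one access category enables it for all higher-priority ones. Assumptions not stated on the page: the SIFS and slot-time constants are the IEEE 802.11 values per PHY, a TXOP Limit counts units of 32 microseconds as in WMM, and AP_DEFAULTS is the standard WMM AP default parameter set.

```python
"""EDCA parameter checks, added example (not H3C code).

Assumed constants, not taken from the guide: SIFS/slot time per PHY are the
IEEE 802.11 values, a TXOP Limit is in units of 32 microseconds (WMM), and
AP_DEFAULTS is the standard WMM AP default parameter set.
"""
from dataclasses import dataclass

TXOP_UNIT_US = 32
# Assumed PHY timing: radio mode -> (SIFS us, slot time us)
PHY_TIMING = {"802.11b": (10, 20), "802.11g": (10, 9), "802.11a": (16, 9)}
# Access categories from lowest to highest priority
AC_ORDER = ("AC-BK", "AC-BE", "AC-VI", "AC-VO")
# TXOP Limits the guide recommends for an AP radio operating in 802.11b mode
TXOP_11B_RECOMMENDED = {"AC-BK": 0, "AC-BE": 0, "AC-VI": 188, "AC-VO": 102}


@dataclass(frozen=True)
class EDCA:
    ac: str
    aifsn: int
    ecwmin: int
    ecwmax: int
    txop_limit: int

    def cw_range(self):
        """Contention window bounds in slots: CW = 2^ECW - 1."""
        return (2 ** self.ecwmin - 1, 2 ** self.ecwmax - 1)

    def aifs_us(self, radio_mode):
        """Arbitration interframe space: SIFS + AIFSN * slot time."""
        sifs, slot = PHY_TIMING[radio_mode]
        return sifs + self.aifsn * slot

    def txop_us(self):
        """TXOP duration in microseconds; 0 means a single frame exchange."""
        return self.txop_limit * TXOP_UNIT_US


def validate(params, radio_mode):
    """Return the problems found; an empty list means the set passes."""
    problems = []
    for p in params:
        if p.ecwmin > p.ecwmax:  # the guide's hard rule
            problems.append(f"{p.ac}: ECWmin {p.ecwmin} > ECWmax {p.ecwmax}")
        if radio_mode == "802.11b" and p.txop_limit != TXOP_11B_RECOMMENDED[p.ac]:
            problems.append(f"{p.ac}: TXOP Limit {p.txop_limit}, recommended "
                            f"{TXOP_11B_RECOMMENDED[p.ac]} for 802.11b")
    return problems


def enable_cac(ac, enabled=frozenset()):
    """Enabling CAC for an AC also enables it for every higher-priority AC.
    Only AC-VI and AC-VO support CAC."""
    if ac not in ("AC-VI", "AC-VO"):
        raise ValueError(f"{ac} does not support CAC")
    return frozenset(enabled) | frozenset(AC_ORDER[AC_ORDER.index(ac):])


# Standard WMM AP defaults (assumed; not taken from the guide's table).
AP_DEFAULTS = [
    EDCA("AC-BK", 7, 4, 10, 0),
    EDCA("AC-BE", 3, 4, 6, 0),
    EDCA("AC-VI", 1, 3, 4, 94),
    EDCA("AC-VO", 1, 2, 3, 47),
]

if __name__ == "__main__":
    for p in AP_DEFAULTS:
        print(p.ac, "CW", p.cw_range(), "AIFS", p.aifs_us("802.11a"), "us",
              "TXOP", p.txop_us(), "us")
    print(validate(AP_DEFAULTS, "802.11b"))   # flags AC-VI and AC-VO
    print(sorted(enable_cac("AC-VI")))        # ['AC-VI', 'AC-VO']
```

With these units, the recommended 802.11b TXOP Limits of 188 and 102 correspond to 6.016 ms and 3.264 ms, twice the 802.11a/g values of 94 and 47, which is why the guide asks for the larger values when the radio or the clients run at 802.11b rates.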
Click the Radio Statistics tab to enter the page displaying radio statistics.
Field / Description
AP ID: AP ID.
AP Name: AP name.
Radio: Radio ID.
QoS mode: QoS mode.
Client accepted: Number of clients that have been admitted to access the radio, including the number of clients that have been admitted to the AC-VO and AC-VI queues.
Total request mediumtime(us): Total requested medium time, including that of the AC-VO and AC-VI queues.
Click the Client Statistics tab to enter the page displaying client statistics.
Field / Description
MAC address
SSID
QoS Mode
Max SP length
AC: Access category.
State: APSD attribute of an access category.
Assoc State: APSD attribute of the four access categories when a client accesses the AP.
Downgrade packets
Downgrade bytes
Discard packets
Discard bytes
Dynamic mode: Configure the total bandwidth shared by all clients in the same BSS. The rate limit of each client is the configured total rate divided by the number of online clients. For example, if the configured total rate is 10 Mbps and five clients are online, each client is limited to 2 Mbps.
Static mode: Configure the maximum bandwidth that each client in the BSS can use. For example, if the configured rate is 1 Mbps, each online client is limited to 1 Mbps. If the configured rate multiplied by the number of access clients exceeds the bandwidth available on the AP, no client actually gets the configured rate.
Select QoS > Wireless QoS from the navigation tree on the left.
Click Add in the Service-Based Configuration area to enter the page for setting wireless service-based client rate limits, as shown in Figure 573.
Click Apply.
Item / Description
Wireless Service
Direction
Mode: Set a rate limiting mode, static or dynamic.
Rate: If you select the static mode, Per-Client Rate is displayed, and the rate is the rate of each client. If you select the dynamic mode, Total Rate is displayed, and the rate is the total rate of all clients.
Select QoS > Wireless QoS from the navigation tree on the left.
Click Add in the Radio-Based Configuration area to enter the page for setting radio-based client rate limiting, as shown in Figure 573.
Click Apply.
Item / Description
Radio List: List of radios available. You can create rate limiting rules for one or multiple radios.
Direction: Traffic direction.
Rate: If you select the static mode, Per-Client Rate is displayed, and the rate is the rate of each client. If you select the dynamic mode, Total Rate is displayed, and the rate is the total rate of all clients.
Click the Bandwidth Guarantee tab to enter the page for configuring bandwidth guarantees, as shown in Figure 575.
Click Apply.
NOTE:
A change to the reference radio bandwidth does not take effect immediately on radios with the bandwidth guarantee function enabled. To make the change take effect, disable and then enable the radios.
Table 190 Configuration items
Item / Description
802.11a Mode, 802.11b Mode, 802.11g Mode, 802.11n Mode: Set the reference radio bandwidth for radios operating in that mode.
IMPORTANT:
Set the reference radio bandwidth slightly lower than the maximum available bandwidth.
Click Apply.
Item / Description
Guaranteed Bandwidth Percent (%)
1. Select QoS > Wireless QoS from the navigation tree on the left.
2. Click the Bandwidth Guarantee tab to enter the page for configuring bandwidth guarantee.
3. Select the AP and the corresponding radio mode for which you want to enable bandwidth guarantee on the list under the Bandwidth Guarantee title bar.
4. Click Enable.
Select QoS > Wireless QoS from the navigation tree on the left.
Click the specified radio unit of the AP on the list under the Bandwidth Guarantee title bar to view the wireless services bound to the radio unit and the guaranteed bandwidth setting for each wireless service.
Configure the AP, and establish a connection between the AC and the AP. For related configurations, see "Configuring access services." Follow the steps in the related configuration example to establish a connection between the AC and the AP.
As shown in Figure 580, select the AP to be configured on the list and click the icon in the Operation column to enter the page for configuring wireless QoS.
On the Client EDCA list, select the priority type (AC_VO, for example) to be modified, and click the icon for the priority type in the Operation column to enter the page for setting client EDCA parameters.
Click Apply.
Enable CAC for AC_VI in the same way. (Details not shown.)
Click the icon in the Operation column for the desired AP to enter the page for configuring wireless QoS.
Click Apply.
Click Add in the Service-Based Configuration area to enter the page for configuring wireless service-based rate limit settings for clients, as shown in Figure 584.
Click Apply.
Client1 and Client2 access the WLAN through the SSID named service1.
Check that traffic from Client1 is rate limited to around 128 kbps, and so is traffic from Client2.
Click Add in the Service-Based Configuration area to enter the page for configuring wireless service-based rate limit settings for clients, as shown in Figure 586.
Click Apply.
When only Client1 accesses the WLAN through SSID service2, its traffic can pass through at a rate as high as 8000 kbps.
When both Client1 and Client2 access the WLAN through SSID service2, their traffic flows can each pass through at a rate as high as 4000 kbps.
Click Bandwidth Guarantee to enter the page for configuring bandwidth guarantee, as shown in Figure 588.
Click Apply.
Click the icon in the Operation column for 802.11a to enter the page for setting guaranteed bandwidth, as shown in Figure 589.
Click Apply.
After you apply the guaranteed bandwidth settings, the page for enabling bandwidth guarantee appears, as shown in Figure 590.
Click Enable.
Send traffic from the AP to the three wireless clients at a total rate lower than 30000 kbps. The rate of traffic from the AP to the three wireless clients is not limited.
Send traffic at a rate higher than 6000 kbps from the AP to Client 1 and at a rate higher than 24000 kbps from the AP to Client 2. The total rate of traffic from the AP to the two wireless clients exceeds 30000 kbps. Because you have enabled bandwidth guarantee for wireless services research and office, the AP forwards traffic to Client 1 and Client 2 at 6000 kbps and 24000 kbps respectively, and limits the traffic to Client 3.
NOTE:
Guaranteed bandwidth in kbps = reference radio bandwidth × guaranteed bandwidth percent.
Set the reference radio bandwidth slightly lower than the available maximum bandwidth.
The guaranteed bandwidth configuration applies only to traffic from the AP to clients.
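The arithmetic behind static and dynamic client rate limiting (described earlier in this chapter) and the bandwidth guarantee verification above, as an added Python example that is not H3C code and not part of this guide. It assumes an allocation order in which guaranteed services are served first and unguaranteed traffic shares whatever is left; the guide states only the resulting rates.

```python
"""Client rate limits and downstream bandwidth guarantees, added example
(not H3C code). Rates are in kbps. The allocation order (guaranteed services
first, the remainder shared by the rest) is an assumption; the guide states
only the resulting rates."""


def per_client_limit_kbps(mode, rate_kbps, online_clients):
    """Static mode: every client may use rate_kbps.
    Dynamic mode: rate_kbps is the total, shared equally by online clients."""
    if online_clients <= 0:
        return 0
    if mode == "static":
        return rate_kbps
    if mode == "dynamic":
        return rate_kbps // online_clients
    raise ValueError(f"unknown rate limiting mode: {mode}")


def static_limit_is_enforceable(rate_kbps, online_clients, available_kbps):
    """In static mode the per-client limit times the number of clients must fit
    the AP's available bandwidth, or no client actually gets the configured rate."""
    return rate_kbps * online_clients <= available_kbps


def guaranteed_kbps(reference_kbps, percent):
    """Guaranteed bandwidth = reference radio bandwidth x percent."""
    return reference_kbps * percent // 100


def allocate_downstream(reference_kbps, guarantees, demands):
    """guarantees: service -> guaranteed percent; demands: service -> offered
    downstream load in kbps. Returns service -> forwarded rate in kbps."""
    if sum(guarantees.values()) > 100:
        raise ValueError("guaranteed percentages exceed 100%")
    if sum(demands.values()) <= reference_kbps:
        return dict(demands)                      # radio not saturated: no limiting
    alloc = {}
    for svc, pct in guarantees.items():           # guaranteed services are served first
        alloc[svc] = min(demands.get(svc, 0), guaranteed_kbps(reference_kbps, pct))
    leftover = reference_kbps - sum(alloc.values())
    others = [s for s in demands if s not in guarantees]
    other_demand = sum(demands[s] for s in others)
    for s in others:                              # the rest share what is left, pro rata
        share = leftover * demands[s] // other_demand if other_demand else 0
        alloc[s] = min(demands[s], share)
    return alloc


if __name__ == "__main__":
    # Values from the guide's examples
    print(per_client_limit_kbps("static", 128, 2))      # 128 each
    print(per_client_limit_kbps("dynamic", 8000, 2))    # 4000 each
    print(allocate_downstream(30000, {"research": 20, "office": 80},
                              {"research": 7000, "office": 25000, "client3": 5000}))
```

With guarantees summing to 100% and both guaranteed services saturated, unguaranteed traffic (Client 3 in the example) gets nothing, which is why the guide advises setting the reference radio bandwidth slightly below the real maximum: the guarantee is computed from the configured reference, not from what the radio can actually deliver.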
Advanced settings
Advanced settings overview
Country/Region code
Radio frequencies for countries and regions vary based on country regulations. A country/region code
determines characteristics such as frequency range, channel, and transmit power level. Configure the
valid country/region code for a WLAN device to meet the specific country regulations.
1+1 AC backup
NOTE:
Support for the 1+1 backup feature may vary depending on your device model. For more information, see
"Feature matrixes."
Dual-link backup
1. Dual links
Dual links allow for AC backup. An AP establishes links with two different ACs. The active AC provides services for the APs in the network and the standby AC provides backup service for the active AC. If the active AC fails, the standby AC takes over to provide services for the APs.
2. Using fast link fault detection, you can configure 1+1 fast backup (see "1+1 fast backup") to provide uninterrupted services.
3. Primary AC recovery
The primary AC mechanism makes sure that APs choose the primary AC in precedence as their active AC. When the primary AC goes down, the APs switch to the standby AC. As soon as the primary AC recovers, the APs automatically connect to it again.
AC 1 is the primary AC with the connection priority of 7, and it establishes a connection with the AP. AC 2 acts as the secondary AC. If AC 1 goes down, AC 2 takes over to provide services to the AP until AC 1 recovers. Once the primary AC is reachable again, the AP automatically establishes a connection with the primary AC. For more information about priority configuration, see "Configuring AP connection priority."
1+N AC backup
1+N AC backup allows one AC to operate as the backup for multiple ACs. The active ACs independently provide services for the APs that connect to them, and a single standby AC provides backup service for all of them. If an active AC goes down, the APs connecting to it detect the failure quickly and connect to the standby AC. As soon as the active AC recovers, the APs automatically connect to the original active AC again. This makes sure the standby AC operates as a dedicated backup for the active ACs. 1+N AC backup delivers high reliability and greatly reduces network construction cost.
Load-balancing modes
The AC supports two load balancing modes, session mode and traffic mode.
of sessions is 5 and the maximum session gap is 4. Then, Client 7 sends an association request to
AP 2. The maximum session threshold and session gap have been reached on AP 2, so it rejects
the request. At last, Client 7 associates with AP 1.
Figure 594 Network diagram for session-mode load balancing
Load-balancing methods
The AC supports AP-based load balancing and group-based load balancing.
AP version setting
A fit AP is a zero-configuration device. It can automatically discover an AC after power-on. To make sure
a fit AP can associate with an AC, their software versions must be consistent by default, which
complicates maintenance. This task allows you to designate the software version of an AP on the AC, so
that they can associate with each other even if their software versions are inconsistent.
Switching to fat AP
You can switch the working mode of an AP between the fit mode and the fat mode.
Wireless location
Wireless location is a technology to locate, track and monitor specified devices by using WiFi-based
Radio Frequency Identification (RFID) and sensors. With this function enabled, APs send Tag or MU
messages to an AeroScout Engine (referred to as AE hereinafter), which performs location calculation
and then sends the data to the graphics software. You can get the location information of the assets by
maps, forms, or reports. Meanwhile, the graphics software provides the search, alert and query functions
to facilitate your operations.
Wireless location can be applied to medical monitoring, asset management, and logistics, helping users
effectively manage and monitor assets.
Devices or sources to be located, which can be AeroScout Tags (small, portable RFIDs, usually attached to the assets to be located) or Mobile Units (MUs). MUs are wireless terminals or devices running 802.11. Tags and MUs send wireless messages periodically.
Location information receivers, for example, 802.11 APs, and AeroScout Exciters, which are standard-compliant tags that send wireless messages but do not collect location information.
Location systems, including the location server, the AE calculation software, and different types of graphics software.
NOTE:
For more information about monitor mode and hybrid mode, see "WLAN security configuration."
An AP operates in normal mode when it functions as a WLAN access point. For more information, see
"Configuring access services."
After these processes, the AP begins to collect Tag and MU messages.
Upon receiving Tag messages (suppose that the Tags mode has been configured on the AC, and the location server has notified the AP to report Tag messages), the AP checks the Tag messages, encapsulates those passing the check, and reports them to the location server. The AP encapsulates a Tag message by copying all the information (message header and payload inclusive) except the multicast address, and adding the BSSID, channel, timestamp, data rate, RSSI, SNR, and radio mode of the radio on which the Tag message was received.
Upon receiving MU messages (suppose that the MUs mode has been configured on the AC, and the location server has notified the AP to report MU messages), the AP checks the messages, encapsulates those that pass the check, and reports them to the location server. The AP encapsulates an MU message by copying its source address, Frame Control field, and Sequence Control field, and adding the BSSID, channel, timestamp, data rate, RSSI, SNR, and radio mode of the radio on which the MU message was received.
Wireless sniffer
In a wireless network, it is difficult to locate signal interference or packet collision by debugging
information or terminal display information of WLAN devices. To facilitate the troubleshooting, configure
an AP as a packet sniffer to listen to, capture, and record wireless packets. The sniffed packets are
recorded in the .dmp file for troubleshooting.
As shown in Figure 596, enable wireless sniffer on the Capture AP. The Capture AP can listen to the wireless packets in the network, including the packets from other APs, rogue APs, and clients. Administrators can download the .dmp file to the PC for further analysis.
Figure 596 Network diagram (nodes: Client, AP 1, AP 2, Switch, AC, Capture AP, Rogue AP, PDA, PC)
Band navigation
The 2.4 GHz band is often congested. Band navigation enables APs to accept dual-band (2.4 GHz and
5 GHz) clients on their 5 GHz radio, increasing overall network performance.
When band navigation is enabled, the AP directs clients to its 2.4 GHz or 5 GHz radio by following
these principles:
For a 2.4 GHz client, the AP associates with the client after rejecting it several times.
For a dual-band client, the AP directs the client to its 5 GHz radio.
For a 5 GHz client, the AP associates with the client on its 5 GHz radio.
The AP checks the RSSI of a dual-band client before directing the client to the 5 GHz radio. If the RSSI is lower than the configured RSSI threshold, the AP does not direct the client to the 5 GHz band.
If the number of clients on the 5 GHz radio reaches the upper limit, and the gap between the number of clients on the 5 GHz radio and that on the 2.4 GHz radio reaches the upper limit, the AP denies client association to the 5 GHz radio, and allows new clients to associate to the 2.4 GHz radio. If a client has been denied more than the maximum number of times on the 5 GHz radio, the AP considers that the client is unable to associate to any other AP, and allows the 5 GHz radio to accept the client.
Select Advanced > Country/Region Code from the navigation tree to enter the page for setting a country/region code.
Click Apply.
Item / Description
Country/Region Code: Select a country/region code. Configure the valid country/region code for a WLAN device to meet the country regulations. If the list is grayed out, the setting is preconfigured to meet the requirements of the target market and is locked. It cannot be changed.
If you do not specify a country/region code for an AP, the AP uses the global country/region code configured on this page. For how to specify the country/region code for an AP, see "Quick start." If an AP is configured with a country/region code, the AP uses its own country/region code.
Some ACs and fit APs have fixed country/region codes. Which code is used is determined as follows: An AC's fixed country/region code cannot be changed, and all managed fit APs whose country/region codes are not fixed must use the AC's fixed country/region code. A fit AP's fixed country/region code cannot be changed, and the fit AP can only use that code. If an AC and a managed fit AP have different fixed country/region codes, the fit AP uses its own fixed country/region code.
Click Apply.
Item / Description
AP Connection Priority

Configure an IP address and switch delay time for the backup AC as described in Table 194.
Click Apply.
Item / Description
IPv4
IPv6
Switch delay time: Delay time for the AP to switch from the primary AC to the backup AC.

Click Apply.
Item / Description
Hello Interval
VLAN ID: ID of the VLAN to which the port where the backup is performed belongs.
Backup Domain ID

Click the Status tab to enter the page as shown in Figure 601.
Field / Description
AP Name
Status
Vlan ID
Domain ID
Link State
Hello Interval

Click Apply.
Item / Description
AP Connection Priority

Click the icon.
Click Apply.
Select Advanced > Continuous Transmit from the navigation tree to enter the continuous transmitting mode configuration page.
Click the icon corresponding to the target radio to enter the page for configuring the transmission rate. The transmission rate varies with the radio mode.
When the radio mode is 802.11a/b/g, the page as shown in Figure 605 appears. Select a transmission rate from the list.
When the radio mode is 802.11n, the page as shown in Figure 606 appears. Select an MCS index value to specify the 802.11n transmission rate. For more information about MCS, see "Radio configuration."
Figure 606 Selecting an MCS index (802.11n)
Click Apply.
Select Advanced > Channel Busy Test from the navigation tree to enter the channel busy test configuration page.
Click the icon.
Item / Description
AP Name
Radio Unit
Radio Mode
NOTE:
During a channel busy test, the AP does not provide any WLAN services. All the connected clients are
disconnected.
Before the channel busy test completes, do not start another test for the same channel.
Configuration prerequisites
Before you configure load balancing, make sure:
The fast association function is disabled. By default, the fast association function is disabled. For
more information about fast association, see "Configuring access services."
Remarks
1. Required.
2. Required.
Use either approach.
4. Optional. This configuration takes effect for both AP-based load balancing and radio group based load balancing.
b. Select Session from the Loadbalance Mode list.
c. Click Apply.
Item / Description
Loadbalance Mode: Select Session. The function is disabled by default.
Threshold: Load balancing is carried out for a radio when the session threshold and the session gap threshold are reached.
Gap: Load balancing is carried out for a radio when the session threshold and the session gap threshold are reached.
b. Select Traffic from the Loadbalance Mode list.
c. Click Apply.
Item / Description
Loadbalance Mode: Select Traffic. The function is disabled by default.
Traffic: Load balancing is carried out for a radio when the traffic threshold and the traffic gap threshold are reached.
Gap: Load balancing is carried out for a radio when the traffic threshold and the traffic gap threshold (the traffic gap between the two APs) are reached.
NOTE:
If you select the traffic-mode load balancing, the maximum throughput of 802.11g/802.11a is 30 Mbps.
Click the Load Balance Group tab to enter the page for configuring a load balancing group.
Click Add.
Click Apply.
Item / Remarks
Group ID
Radio List: In the Radios Available area, select the target radios, and then click << to add them into the load balancing group. In the Radios Selected area, select the radios to be removed, and then click >> to remove them from the load balancing group.
Select Advanced > Load Balance from the navigation tree. See Figure 609.
Click Apply.
Item / Remarks
Max Denial Count: Maximum denial count of client association requests. If a client has been denied more than the specified maximum number of times, the AP considers that the client is unable to associate to any other AP and accepts the association request from the client.
RSSI Threshold: Load balancing RSSI threshold.
Configuring AP
Upgrading AP version
Click Apply.
Item / Description
AP Model
Software Version
Switching to fat AP
NOTE:
Before you switch the work mode, you must download the fat AP software to the AP.
Select Advanced > Wireless Location from the navigation tree to enter the page for displaying and configuring wireless location on an AC.
Click Apply.
Item / Description
Enable: Enables the wireless location function globally. The device begins to listen to packets when wireless location is enabled.
message multicast address, and dilution factor on the location server. These settings are notified to the APs through the configuration message. For more information about the location server and configuration parameters, see the location server manuals.
On the AC: Configure the AP mode settings, and enable the wireless location function.
When the configurations are correctly made, APs wait for the configuration message sent by the location server, and after receiving that message, start to receive and report Tag and MU messages.
Vendor Port: Set the listening port number for vendors. The port number must be the same as that defined in the AE.
Tag Mode: Select this option to enable the Tag report function on the radio (you also need to enable Tags mode on the AE).
MU Mode: Select this option to enable the MU report function on the radio (you also need to enable MUs mode on the AE).
An AP reports IP address change and device reboot events to the location server so that the location
server is able to respond in time. The AP reports a reboot message according to the IP address and port
information of the location server recorded in its flash.
The AP updates the data in the flash after receiving a configuration message. To protect the flash, the AP does not write to it immediately after receiving a configuration message, but waits for 10 minutes. If it receives another configuration message within those 10 minutes, the AP only updates the configuration information in the cache, and when the 10-minute timer expires, saves the cached information to the flash.
If the AP reboots within 10 minutes after receiving the first configuration message, and no configuration has been saved to the flash, it does not send a reboot message to the location server.
Select Advanced > Wireless Sniffer from the navigation tree to enter the wireless sniffer configuration page.
To enable the wireless sniffer function for a specified radio, click the icon.
Before you enable wireless sniffer, make sure the AP operates in normal mode and in run state. Wireless sniffer can be enabled for only one radio, and that radio must be configured with a fixed channel.
When you configure wireless sniffer, follow these guidelines:
While the Capture AP is capturing packets, if wireless sniffer is disabled on the radio, the Capture AP is deleted, the Capture AP is disconnected from the AC, or the number of captured packets reaches the upper limit, the sniffer operation stops and the packets are saved to the specified .dmp file. The default storage medium varies with device models.
You can click Stop to stop the wireless sniffer, and choose whether to save the packets to a CAP file. If not, no CAP file is generated.
NOTE:
Do not enable or run wireless services on the radio with wireless sniffer enabled. Disable all wireless services before enabling wireless sniffer.
Click Apply.
Item / Description
Capture Limit: The maximum number of packets that can be captured. Once the limit is exceeded, the device stops capturing packets.
IMPORTANT:
You cannot change the value while the device is capturing packets.
Filename: Name of the CAP file to which the packets are saved.
Configuration prerequisites
To enable band navigation to operate properly, make sure of the following:
The fast association function is disabled. By default, the fast association function is disabled. For more information about fast association, see "Configuring access services."
Band navigation is enabled for the AP. By default, band navigation is enabled for the AP.
The SSID is bound to the 2.4 GHz and 5 GHz radios of the AP.
Click Apply.
Item / Description
Band Navigation
Session Threshold and Gap: If the number of clients on the 5 GHz radio has reached the upper limit, and the gap between the number of clients on the 5 GHz radio and that on the 2.4 GHz radio has reached the upper limit, the AP denies client association to the 5 GHz radio, and allows new clients to associate to the 2.4 GHz radio. When band navigation is enabled, the value is 0 by default. To restore the default value 0, delete the configured number.
Max Denial Count: Maximum denial count of client association requests. If a client has been denied more than the maximum number of times on the 5 GHz radio, the AP considers that the client is unable to associate to any other AP, and allows the 5 GHz radio to accept the client. When band navigation is enabled, the value is 0 by default. To restore the default value 0, delete the configured number.
RSSI Threshold: Band navigation RSSI threshold. The AP checks the RSSI of a dual-band client before directing the client to the 5 GHz radio. If the RSSI is lower than the value, the AP does not direct the client to the 5 GHz band.
Aging Time: Client information aging time. The AP records the client information when a client tries to associate to it. If the AP receives a probe request or association request from the client before the aging time expires, the AP refreshes the client information and restarts the aging timer. If not, the AP removes the client information, and does not count the client during band navigation.
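The band navigation decision described above and in the overview, as an added Python example that is not H3C code and not part of this guide. It assumes RSSI is the non-negative value the AP reports (a larger number is a stronger signal), that a Session Threshold of 0 means no limit on the 5 GHz radio, and that timestamps are supplied by the caller. The guide's statement that a 2.4 GHz-only client is rejected several times before being accepted is not modelled, because the count is not given.

```python
"""Band navigation decision, added example (not H3C code).

Assumptions beyond the guide: RSSI is the non-negative value the AP reports
(larger means stronger), a Session Threshold of 0 means no limit on the 5 GHz
radio, and the caller supplies timestamps in seconds. The guide's rejection of
a 2.4 GHz-only client several times before accepting it is not modelled,
because the count is not given."""
from dataclasses import dataclass, field


@dataclass
class ClientRecord:
    bands: set                 # {"2.4"}, {"5"} or {"2.4", "5"}
    denials_5g: int = 0
    last_seen: float = 0.0


@dataclass
class BandNavigator:
    session_threshold: int = 0     # default 0: no upper limit on the 5 GHz radio
    gap: int = 0
    max_denial_count: int = 0
    rssi_threshold: int = 0
    aging_time: float = 300.0      # seconds a client record survives without requests
    clients_24: int = 0            # clients currently on the 2.4 GHz radio
    clients_5: int = 0             # clients currently on the 5 GHz radio
    records: dict = field(default_factory=dict)   # MAC -> ClientRecord

    def _expire(self, now):
        """Drop records that received no probe/association request within aging_time."""
        stale = [m for m, r in self.records.items() if now - r.last_seen > self.aging_time]
        for m in stale:
            del self.records[m]

    def see(self, mac, bands, now):
        """Record a probe or association request; restarts the aging timer."""
        self._expire(now)
        rec = self.records.get(mac)
        if rec is None:
            rec = self.records[mac] = ClientRecord(set(bands))
        rec.last_seen = now
        return rec

    def _5g_full(self):
        if self.session_threshold == 0:
            return False
        return (self.clients_5 >= self.session_threshold
                and self.clients_5 - self.clients_24 >= self.gap)

    def decide(self, mac, bands, rssi_5g, now):
        """Return "5g" or "2.4g": the radio that may accept this association attempt."""
        rec = self.see(mac, bands, now)
        if set(bands) == {"2.4"}:
            return "2.4g"
        if set(bands) == {"5"}:
            return "5g"
        # Dual-band client: prefer 5 GHz unless its signal there is too weak.
        if rssi_5g < self.rssi_threshold:
            return "2.4g"
        if self._5g_full():
            if rec.denials_5g > self.max_denial_count:
                return "5g"        # denied too often: assume no other AP can serve it
            rec.denials_5g += 1    # refuse 5 GHz; the client may join on 2.4 GHz
            return "2.4g"
        return "5g"


if __name__ == "__main__":
    nav = BandNavigator(session_threshold=2, gap=1, max_denial_count=1,
                        rssi_threshold=20, aging_time=60, clients_5=2)
    for t in range(3):   # a dual-band client retrying while 5 GHz is full
        print(t, nav.decide("00:11:22:33:44:55", {"2.4", "5"}, 50, t))
```

The aging timer matters for the denial count: once a record ages out, a returning client starts again at zero denials, so a long Aging Time lets a persistent dual-band client reach the Max Denial Count and land on 5 GHz, while a short one keeps steering it to 2.4 GHz.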
Assign a higher AP connection priority to AC 1 (6 in this example) to make sure the AP first establishes a connection with AC 1. In this way, AC 1 acts as the active AC.
When AC 1 recovers, no switchover to AC 1 occurs: AC 2 remains the active AC and AC 1 acts as the standby AC. This is because the AP connection priority on AC 1 is not the highest.
Configuring AC 1
Configure the AP to establish a connection between AC 1 and the AP. For more information about the configurations, see "Configuring access services."
Click Apply.
On the page that appears, set the IP address of the backup AC to 1.1.1.5 and select enable to enable the fast backup mode.
Click Apply.
Configuring AC 2
Leave the default value of the AP connection priority unchanged. (Details not shown.)
On the page that appears, set the IP address of the backup AC to 1.1.1.4 and select enable to enable the fast backup mode.
Click Apply.
When AC 1 operates properly, display the client status on AC 1 and AC 2. The client establishes a connection with the AP through AC 1, and AC 2 has backed up the client status.
a. On AC 1, select Summary > Client from the navigation tree.
b. Click the Detail Information tab.
c. Click the name of the specified client to view the detailed information of the client.
The information shows that the client is running and is connected to AC 1 through an active link.
Click the name of the specified client to view the detailed information of the client.
The information shows that the client is running and is connected to AC 2 through a standby link.
When AC 1 goes down, the standby AC, AC 2, detects the failure immediately through the heartbeat detection mechanism. AC 2 then takes over as the new active AC, providing services to the AP.
On AC 2 (the new active AC), display the AP status. (Details not shown.) The information shows that AC 2 has become the active AC.
On AC 2, display the client information. (Details not shown.) The value of the State field becomes Running, which indicates that the client is connected to AC 2 through an active link.
When AC 1 recovers, AC 2 still acts as the active AC and AC 1 becomes the standby AC. AC 1 establishes a backup link with the AP and backs up the client status.
Configuration guidelines
AC backup is independent of the access authentication method; however, the two ACs must use the same authentication method.
If either of the two active ACs goes down, AC 3 becomes the new active AC.
When the faulty AC recovers, the APs that connected to AC 3 automatically reconnect to the original active AC, because the AP connection priority on the active AC is the highest. In this way, AC 3 can always act as a dedicated standby AC providing backup services for AC 1 and AC 2.
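An added Python example, not H3C code and not from the guide, of how the AP-side AC selection described in the overview and in the two backup examples above behaves: the AP connects to the reachable AC with the highest AP connection priority, switches to the backup after the switch delay when the active AC fails, and switches back to a recovered AC only when that AC's priority is the highest value. Assumptions: the priority range is 0 to 7 with 7 the highest, and an AC on which nothing is configured has priority 0.

```python
"""AP-side AC selection with connection priorities, added example (not H3C
code). Assumptions: priorities range from 0 to 7, 7 being the highest; an AC
with nothing configured has priority 0."""
from dataclasses import dataclass, field

MAX_PRIORITY = 7   # assumed top of the range; a primary AC is set to this value


@dataclass
class AC:
    name: str
    priority: int = 0      # AP connection priority configured on this AC
    up: bool = True


@dataclass
class AP:
    acs: list                              # the ACs this AP knows (primary and backup)
    switch_delay_s: int = 0                # delay before switching to the backup AC
    active: AC = None
    events: list = field(default_factory=list)

    def _best_reachable(self):
        up = [ac for ac in self.acs if ac.up]
        return max(up, key=lambda ac: ac.priority, default=None)

    def connect(self):
        """Initial connection: the reachable AC with the highest priority wins."""
        self.active = self._best_reachable()
        self.events.append(f"connect {self.active.name if self.active else 'none'}")
        return self.active

    def on_failure(self, ac):
        """The given AC failed: if it was active, switch to the best remaining AC."""
        ac.up = False
        if self.active is ac:
            self.active = self._best_reachable()
            name = self.active.name if self.active else "none"
            self.events.append(f"switch to {name} after {self.switch_delay_s}s")
        return self.active

    def on_recovery(self, ac):
        """A failed AC is back. The AP switches back only if that AC is the
        primary AC, i.e. its connection priority is the highest value, or if
        the AP currently has no AC at all."""
        ac.up = True
        if self.active is None or (ac is not self.active and ac.priority == MAX_PRIORITY):
            self.active = ac
            self.events.append(f"switch back to {ac.name}")
        return self.active


if __name__ == "__main__":
    # Overview scenario: AC 1 priority 7, AC 2 default -> switch back after recovery
    ac1, ac2 = AC("AC 1", priority=7), AC("AC 2")
    ap = AP([ac1, ac2], switch_delay_s=5)
    ap.connect(); ap.on_failure(ac1); ap.on_recovery(ac1)
    print(ap.events)
    # 1+1 fast backup example: AC 1 priority 6 -> AC 2 stays active after recovery
    b1, b2 = AC("AC 1", priority=6), AC("AC 2")
    ap = AP([b1, b2])
    ap.connect(); ap.on_failure(b1); ap.on_recovery(b1)
    print(ap.events)
```

The two scenarios differ only in the priority configured on AC 1 (7 versus 6), which is exactly the difference between the overview's "primary AC recovery" behaviour and the 1+1 fast backup example, where AC 2 keeps the AP after AC 1 comes back. For the 1+N layout, each AP lists its own active AC with priority 7 plus the shared AC 3, so every AP drifts back to its original AC on recovery and AC 3 stays free as the dedicated standby.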
Configuring AC 1
Click Apply.
Configuring AC 2
Click the icon.
Click Apply.
k. Click Apply.
As shown in Figure 629, all APs operate in 802.11g mode. Client 1 is associated with AP 1. Client 2 through Client 6 are associated with AP 2.
Configure session-mode load balancing on the AC. The threshold, that is, the maximum number of sessions, is 5, and the session gap is 4.
Configuration procedure
c. Use the default values for Max Denial Count and RSSI Threshold.
d. Click Apply.
Configuration guidelines
An AP starts session-mode load balancing only when both the maximum number of sessions and the maximum session gap are reached.
As shown in Figure 631, all APs operate in 802.11g mode. Client 1 and Client 2 are associated with AP 1, and no client is associated with AP 2.
Configure traffic-mode load balancing on the AC. The traffic threshold is 3 Mbps, which corresponds to a threshold value of 10 in percentage, and the traffic gap is 12 Mbps, which corresponds to a traffic gap value of 40 in percentage.
Configuration procedure
40.
c. Use the default values for Max Denial Count and RSSI Threshold.
d. Click Apply.
Configuration guidelines
An AP starts traffic-mode load balancing only when both the maximum traffic threshold and the maximum traffic gap are reached.
As shown in Figure 633, all APs operate in 802.11g mode. Client 1 is associated with AP 1. Client 2 through Client 6 are associated with AP 2, and no client is associated with AP 3.
Configure session-mode load balancing on the AC. The maximum number of sessions is 5 and the maximum session gap is 4.
Figure 633 Network diagram (nodes: L2 Switch, AP 1, AP 2, AP 3, Client 1 through Client 7)
Configuration procedure
c. Use the default values for Max Denial Count and RSSI Threshold.
d. Click Apply.
Click Add.
d. On the page that appears, select ap1. radio 2 and ap2. radio 2 in the Radios Available area, click << to add them into the Radios Selected area, and click Apply.
Figure 635 Configuring a load balancing group
Radio 2 of AP 1 and radio 2 of AP 2 are in the same load balancing group, and the radio of AP 3 does not belong to any load balancing group. Because load balancing takes effect only on radios in a load balancing group, AP 3 does not take part in load balancing.
Assume Client 7 wants to associate with AP 2. The number of clients associated with radio 2 of AP 2 has reached 5 and the session gap between radio 2 of AP 2 and AP 1 has reached 4, so Client 7 is associated with AP 1.
As shown in Figure 636, all APs operate in 802.11g mode. Client 1 and Client 2 are associated with
AP 1, and no client is associated with AP 2 and AP 3.
Configure traffic-mode load balancing on the AC. The maximum traffic threshold is 10% and the
maximum traffic gap is 20%.
Traffic-mode load balancing is required on only radio 2 of AP 1 and radio 2 of AP 2. Therefore, add
them to a load balancing group.
Configuration procedure
1.
2.
c. Use the default values for Max Denial Count and RSSI Threshold.
d. Click Apply.
3.
Click Add.
d. On the page that appears, select ap1. radio 2 and ap2. radio 2 in the Radios Available area,
click << to add them into the Radios Selected area, and click Apply.
Figure 638 Configuring a load balancing group
Radio 2 of AP 1 and radio 2 of AP 2 are in the same load balancing group, and the radio of AP
3 does not belong to any load balancing group. Because load balancing takes effect on only
radios in a load balancing group, AP 3 does not take part in load balancing.
Assume Client 3 wants to associate with AP 1. Because the maximum traffic threshold and traffic
gap have been reached on radio 2 of AP 1, Client 3 is associated with AP 2.
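The admission rule that the session-mode (Figure 633) and traffic-mode (Figure 636) examples walk through, together with the guideline that a radio denies a client only when both the threshold and the gap are reached and that radios outside a load balancing group never take part, as an added Python simulation. This is constructed example code, not H3C's implementation: the Radio class, the 30 Mbps reference rate used to turn the page's Mbps figures into percentages, and the order in which a denied client tries the remaining radios are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Radio:
    name: str
    group: object = None          # load balancing group name; None = member of no group
    sessions: int = 0             # clients currently associated with this radio
    traffic_mbps: float = 0.0     # current traffic load of this radio

def _peers(radio, radios):
    """Radios in the same load balancing group as `radio`, itself included."""
    return [r for r in radios if radio.group is not None and r.group == radio.group]

def session_mode_denies(radio, radios, max_sessions=5, max_gap=4):
    """Deny only when BOTH the session limit and the gap to the lightest peer are reached."""
    peers = _peers(radio, radios)
    if not peers:                 # a radio outside any group never takes part
        return False
    gap = radio.sessions - min(r.sessions for r in peers)
    return radio.sessions >= max_sessions and gap >= max_gap

def traffic_mode_denies(radio, radios, threshold_pct=10, gap_pct=40, capacity_mbps=30.0):
    """Same rule on traffic, in percent of capacity_mbps (30 Mbps is inferred from the page's 3 Mbps = 10 % figure; an assumption)."""
    peers = _peers(radio, radios)
    if not peers:
        return False
    load = 100.0 * radio.traffic_mbps / capacity_mbps
    gap = load - min(100.0 * r.traffic_mbps / capacity_mbps for r in peers)
    return load >= threshold_pct and gap >= gap_pct

def associate(preferred, radios, denies):
    """Try the preferred radio first, then the other radios in list order (assumed client behaviour)."""
    for radio in [preferred] + [r for r in radios if r is not preferred]:
        if not denies(radio, radios):
            radio.sessions += 1
            return radio.name
    raise RuntimeError("no radio admitted the client")

def session_example():
    """Figure 633: 1 client on AP 1, 5 on AP 2, AP 3 in no group; Client 7 tries AP 2 first."""
    radios = [Radio("ap1 radio 2", "g1", sessions=1),
              Radio("ap2 radio 2", "g1", sessions=5), Radio("ap3 radio")]
    return associate(radios[1], radios, session_mode_denies)

def traffic_example():
    """Figure 636: AP 1 carries 12 Mbps with 2 clients, AP 2 idle, AP 3 in no group; threshold 10 %, gap 20 %."""
    radios = [Radio("ap1 radio 2", "g1", sessions=2, traffic_mbps=12.0),
              Radio("ap2 radio 2", "g1"), Radio("ap3 radio")]
    rule = lambda r, rs: traffic_mode_denies(r, rs, threshold_pct=10, gap_pct=20)
    return associate(radios[0], radios, rule)
```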
Network diagram (labels: Client, AP 1, AP 2, AP 3, AC, Switch, Rogue AP)
Configuring the AE
1.
Configure the IP addresses of AP 1, AP 2, and AP 3 on the AE, or select broadcast for the AE to
discover APs.
2.
Click Add.
3.
On the page that appears, enter the AP name ap1, select the model WA2620-AGN, select manual
from the Serial ID list, enter the AP serial ID in the field, and click Apply.
4.
5.
6.
7.
Click Apply.
Enabling 802.11n
1.
Select Radio > Radio from the navigation tree to enter the page for configuring radio.
2.
3.
Click Enable.
2.
On the page that appears, select Enable, and select the tag mode and MU mode for 802.11n (2.4
GHz).
3.
Click Apply.
Configuration guidelines
Before you enable the wireless location function, make sure that at least three APs operate in monitor
or hybrid mode, so that the APs can detect Tags and clients not associated with them and the AE can
perform the location calculation.
An AP monitors clients on different channels periodically. If the Tag message sending interval is
configured as 1 second, the AP scans and reports Tag messages every half a minute. If higher
location efficiency is required, you can set the Tag sending interval to the smallest value, 124
milliseconds.
Network diagram (labels: Client, PDA, PC, AP 1, AP 2, Capture AP, AC, Switch, Rogue AP)
Configuring Capture_AP
1.
2.
Click Add.
3.
On the page that appears, enter the AP name capture_ap, select the model WA2620-AGN, select
manual from the Serial ID list, enter the AP serial ID in the field, and click Apply.
4.
5.
Click the
6.
7.
Click Apply.
8.
9.
10.
Click Enable.
2.
On the page that appears, enter the capture limit 5000, enter the file name CapFile, and click
Apply.
3.
Click the icon corresponding to the target radio to enable wireless sniffer for the radio.
Capture AP captures wireless packets and saves them to a CAP file in the default storage
medium. Administrators can download the file to a PC and read the captured packets with
tools such as Ethereal.
When the total number of captured packets reaches the upper limit, Capture AP stops capturing
packets.
Configuring the AC
To enable band navigation to operate properly, make sure of the following:
The fast association function is disabled. By default, the fast association function is disabled.
Band navigation is enabled for the AP. By default, band navigation is enabled for the AP.
1.
Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click New.
c.
On the page that appears, enter the AP name ap1, select the model WA2620E-AGN, select
manual from the Serial ID list, and enter the AP serial ID in the field.
d. Click Apply.
2.
3.
On the page that appears, set the service name to band-navigation, select the wireless service
type Clear, and click Apply.
4.
Click Enable.
Click the icon for the wireless service band-navigation to enter the page for binding an AP radio.
c.
Select the boxes before ap1 with radio types 802.11n(2.4GHz) and 802.11n(5GHz).
d. Click Bind.
5.
6.
Click Enable.
Click Apply.
Overview
Introduction to stateful failover
Some customers require their wireless networks to be highly reliable to ensure continuous data
transmission. In Figure 652, deploying only one AC (even with high reliability) risks a single point of
failure and therefore cannot meet the requirement.
Figure 652 Network with one AC deployed
The stateful failover feature (supporting portal service) was introduced to meet the requirement. In Figure
653, two ACs that are enabled with stateful failover are deployed in the network. You need to specify a
VLAN on the two ACs as the backup VLAN, and add the interfaces between the ACs to the backup
VLAN. The backup VLAN is like a failover link, through which the two ACs exchange state negotiation
messages periodically. After the two ACs enter the synchronization state, they back up the service entries
of each other to make sure that the service entries on them are consistent. If one AC fails, the other AC,
which has already backed up the service information, can take over the services, thus avoiding service
interruption.
Silence: Indicates that the device has just started, or is transiting from synchronization state to
independence state.
Independence: Indicates that the silence timer has expired, but no failover link is established.
Synchronization: Indicates that the device has completed state negotiation with the other device
and is ready for data backup.
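A constructed Python model of the three states just listed, added here and not taken from the H3C software. The event order between the states (silence timer expiry, failover link up or down, negotiation complete) and the rule that backed-up service entries are accepted only in Synchronization are assumptions drawn from the definitions above, not documented behaviour; the silence timer length is a constructed value.

```python
SILENCE, INDEPENDENCE, SYNCHRONIZATION = "Silence", "Independence", "Synchronization"

class FailoverAC:
    """One AC's stateful failover state (constructed model). Assumed transitions, read from the
    state definitions: start -> Silence; silence timer expires with no failover link ->
    Independence; negotiation over the backup VLAN completes -> Synchronization;
    failover link lost while in Synchronization -> Silence (on the way back to Independence)."""

    def __init__(self, silence_timer=3):
        self.state = SILENCE
        self.silence_timer = silence_timer   # timer periods spent in Silence (constructed value)
        self.elapsed = 0
        self.link_up = False                 # failover link over the backup VLAN established?
        self.peer_entries = []               # service entries backed up from the other AC

    def tick(self):
        """One timer period passes."""
        self.elapsed += 1
        if self.state == SILENCE and not self.link_up and self.elapsed >= self.silence_timer:
            self.state = INDEPENDENCE
        return self.state

    def link_changed(self, up):
        """The failover link came up or went down."""
        self.link_up = up
        if not up and self.state == SYNCHRONIZATION:
            self.state, self.elapsed = SILENCE, 0
        return self.state

    def negotiation_done(self):
        """State negotiation with the other AC completed over the failover link."""
        if not self.link_up:
            raise RuntimeError("negotiation needs an established failover link")
        self.state = SYNCHRONIZATION
        return self.state

    def receive_backup(self, entry):
        """Accept a service entry from the peer only once in Synchronization."""
        if self.state != SYNCHRONIZATION:
            return False
        self.peer_entries.append(entry)
        return True

    def can_take_over(self):
        """A peer failure can be absorbed only if its entries were backed up beforehand."""
        return bool(self.peer_entries)
```

Before relying on a pair of ACs, the Current Status shown on the Stateful Failover page should read Synchronization; in any other state the standby AC holds no backed-up service entries.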
Select High reliability > Stateful Failover from the navigation tree to enter the stateful failover
configuration page, as shown in Figure 655.
2.
View the current stateful failover state at the lower part of the page as described in Table 209.
3.
Configure stateful failover parameters at the upper part of the page as described in Table 208.
4.
Click Apply.
Table 208 Stateful failover configuration items
Backup Type
Description: Unsupport Asymmetric Path. In this mode, sessions enter and leave the internal network through one device. The two devices work in the active/standby mode.
Support Asymmetric Path. In this mode, sessions enter and leave the internal network through different devices to achieve load sharing. The two devices work in the active/active mode.
An interface added to the backup VLAN can transmit other packets besides stateful failover packets.
Table 209 Stateful failover state
Current Status
Description
the ACs perform portal authentication through the IMC server. Configure stateful failover on AC 1 and
AC 2 so that when one AC fails, the other AC can take over portal and other services.
Figure 656 Network diagram
NOTE:
The portal group configuration on the two ACs must be consistent.
Configuring AC 1
1.
Click Apply.
2.
Click Apply.
3.
Type system for Scheme Name, select Extended for Server Type, and select Without domain
name for Username Format.
d. Click Add in the RADIUS Server Configuration field to enter the page as shown in Figure 659.
e. Select Primary Authentication for Server Type, specify an IPv4 address 8.1.1.16 and 1812 as
g. Click Apply.
h. Click Add in the RADIUS Server Configuration field to enter the page as shown in Figure 660.
i. Select Primary Accounting for Server Type, and specify an IPv4 address 8.1.1.16 and 1813 as
the port number.
j.
k. Click Apply.
l. After the configurations are complete, the RADIUS scheme configuration page is as shown
in Figure 661. Click Apply.
4.
Select RADIUS from the list, and system from the Name list.
d. Click Apply.
Figure 662 Configuring AAA authentication scheme for the ISP domain
5.
Select RADIUS from the list and system from the Name list.
d. Click Apply.
Figure 663 Configuring AAA authorization scheme for the ISP domain
6.
Select Enable from the list, and select the Default Accounting box.
d. Select RADIUS from the list and system from the Name list.
e. Click Apply.
Figure 664 Configuring AAA accounting scheme for the ISP domain
7.
b. Click Add.
c.
Select Vlan-interface1 from the Interface list, Add from the Portal Server list, and Direct from the
Method list, and select system for Authentication Domain.
d. Type newpt for Server Name, 8.1.1.16 for IP, expert for Key, 50100 for Port, and
8.
d. Click Apply.
9.
Configure portal to support stateful failover at the command line interface (CLI):
# Specify AC 1's device ID to be used in stateful failover mode as 1, and specify portal group 2
for interface VLAN-interface 1.
<AC1>system-view
[AC1]nas device-id 1
[AC1]interface Vlan-interface 1
[AC1-Vlan-interface1]portal backup-group 2
# Configure the virtual IP address of VRRP group 1 as 8.190.1.100, and specify the priority of AC
1 as 200. AC 2 uses the default priority.
[AC1-Vlan-interface1]vrrp vrid 1 virtual-ip 8.190.1.100
[AC1-Vlan-interface1]vrrp vrid 1 priority 200
# Configure the source IP address for portal packets as 8.190.1.100 (same as the AC's IP address
configured on the IMC server for portal authentication). This command is entered in the same
interface view, so the interface is left only afterwards.
[AC1-Vlan-interface1]portal nas-ip 8.190.1.100
[AC1-Vlan-interface1]quit
Configuring AC 2
The configuration on AC 2 is similar to that on AC 1 except that:
When you configure AC backup, specify AC 1's IP address as the backup AC address.
Configuration guidelines
When you configure stateful failover, follow these guidelines:
You must configure the 1+1 AC backup function to make sure that the traffic can automatically
switch to the other device if one device fails. For more information, see "Advanced settings."
To back up portal related information from the active device to the standby device, you must
configure portal to support stateful failover besides the configurations described in this chapter. For
more information, see WX Series Access Controllers Security Configuration Guide.
Stateful failover can be implemented only between two devices rather than among more than two
devices.