
H3C WX Series Access Controllers

Web-Based Configuration Guide

Hangzhou H3C Technologies Co., Ltd.


http://www.h3c.com
Software version: WX3000-CMW520-R3308 (WX3024E)
WX5004-CMW520-R2308 (WX5000 series)
WX6103-CMW520-R2308 (WX6000 series)
Document version: 6W106-20120824

Copyright 2008-2012, Hangzhou H3C Technologies Co., Ltd. and its licensors

All rights reserved


No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath,
Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN
are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Preface
The H3C WX Series Access Controllers Web-Based Configuration Guide describes the web functions of
the WX series, such as quick start, web overview, wireless service configuration, security and
authentication related configurations, QoS configuration, and advanced settings.
NOTE:
Support of the H3C WX series access controllers for features may vary by device model. For the feature
matrixes, see the chapter Feature Matrixes.
The interface types and output information may vary by device model.
The grayed-out functions and parameters on the web interface are unavailable or not configurable.
This preface includes:
Audience
Conventions
About the H3C WX Series documentation set
Obtaining documentation
Technical support
Documentation feedback

Audience
This documentation is intended for:
Network planners
Field technical support and servicing engineers
Network administrators working with the WX series

Conventions
This section describes the conventions used in this documentation set.

GUI conventions
| Convention | Description |
|---|---|
| Boldface | Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK. |
| > | Multi-level menus are separated by angle brackets. For example, File > Create > Folder. |

Symbols
| Convention | Description |
|---|---|
| WARNING | An alert that calls attention to important information that if not understood or followed can result in personal injury. |
| CAUTION | An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software. |
| IMPORTANT | An alert that calls attention to essential information. |
| NOTE | An alert that contains additional or supplementary information. |
| TIP | An alert that provides helpful information. |

Network topology icons
The following icons (icon images not reproduced in this text version) are used in network diagrams:
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, an access controller module, or a switching engine on a unified switch.
Represents an access point.
Represents a mesh access point.
Represents omnidirectional signals.
Represents directional signals.

Port numbering in examples


The port numbers in this document are for illustration only and might be unavailable on your device.

About the H3C WX Series documentation set
The H3C WX series documentation set includes:
| Category | Documents | Purposes |
|---|---|---|
| Product description and specifications | Marketing brochures | Describe product specifications and benefits. |
| Product description and specifications | Technology white papers | Provide an in-depth description of software features and technologies. |
| Hardware specifications and installation | Card manuals | Provide the hardware specifications of cards and describe how to install and remove the cards. |
| Hardware specifications and installation | Installation guide | Provides a complete guide to hardware installation and hardware specifications. |
| Software configuration | Getting started guide | Guides you through the main functions of your device, and describes how to install and log in to your device, perform basic configurations, maintain software, and troubleshoot your device. |
| Software configuration | Configuration guides | Describe software features and configuration procedures. |
| Software configuration | Command references | Provide a quick reference to all available commands. |
| Software configuration | Web-based configuration guide | Describes configuration procedures through the web interface. |
| Operations and maintenance | Release notes | Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading. |

Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web
at http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] Provides the documentation released with the
software version.

Technical support
service@h3c.com
http://www.h3c.com

Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.

Contents
Models of WX series access controllers 1
Typical network scenarios 2
Access controller network scenario 2
Access controller module network scenario 2
Wireless switch network scenario 3
Feature matrixes 4
Feature matrix for the WX5000 series 4
Feature matrix for the WX6000 series 5
Feature matrix for the WX3024E 8
Quick Start 9
Quick start wizard home page 9
Basic configuration 9
Admin configuration 10
IP configuration 11
Wireless configuration 12
RADIUS configuration 13
Portal configuration 15
Encryption configuration 16
AP configuration 17
Configuration summary 19
Web overview 20
Logging in to the Web interface 20
Logging out of the Web interface 21
Introduction to the Web interface 21
Web user level 22
Introduction to the Web-based NM functions 23
Common Web interface elements 35
Configuration guidelines 39
Troubleshooting Web browser 40
Failure to access the device through the Web interface 40
Summary 43
Device information 43
Device info 44
System resource state 44
Device interface information 44
Recent system logs 45
Displaying WLAN service 45
Displaying detailed information of WLAN service 45
Displaying statistics of WLAN service 48
Displaying connection history information of WLAN service 48
Displaying AP 49
Displaying WLAN service information of an AP 49
Displaying AP connection history information 49
Displaying AP radio information 50
Displaying AP detailed information 52
Displaying clients 57
Displaying client detailed information 57
Displaying client statistics 60
Displaying client roaming information 61
Displaying RF ping information 62

License management 64
Configuring licenses 64
Adding a license 64
Displaying license information 65
Configuring enhanced licenses 65
Registering an enhanced license 65
Displaying registered enhanced licenses 66
Device basic information configuration 67
Configuring system name 67
Configuring Web idle timeout period 67
Device maintenance 69
Software upgrade 69
Rebooting the device 70
Generating the diagnostic information file 71
System time 73
Displaying the system time 73
Configuring the system time 73
Configuring the network time 74
System time configuration example 76
Configuration guidelines 77
Log management 78
Displaying syslog 78
Setting the log host 79
Setting buffer capacity and refresh interval 80
Configuration management 82
Backing up the configuration 82
Restoring the configuration 82
Saving the configuration 83
Initializing the configuration 84
File management 85
Displaying file list 85
Downloading a file 86
Uploading a file 86
Removing a file 86
Specifying the main boot file 86
Interface management 87
Interface management overview 87
Displaying interface information and statistics 87
Creating an interface 89
Modifying a Layer 2 interface 92
Modifying a Layer 3 interface 95
Interface management configuration example 97
Port mirroring 99
Introduction to port mirroring 99
Port mirroring configuration task list 100
Adding a mirroring group 100
Configuring ports for a mirroring group 101
Configuration examples 102
Configuration guidelines 104

User management 105
Creating a user 105
Setting the super password 106
Switching the user access level to the management level 107
SNMP configuration 108
SNMP overview 108
SNMP configuration task list 108
Enabling SNMP 109
Configuring an SNMP view 111
Creating an SNMP view 111
Adding rules to an SNMP view 112
Configuring an SNMP community 113
Configuring an SNMP group 114
Configuring an SNMP user 116
Configuring SNMP trap function 118
Displaying SNMP packet statistics 119
SNMP configuration example 120
Loopback 126
Loopback operation 126
Configuration guidelines 127
MAC address configuration 128
Overview 128
Configuring a MAC address entry 129
Setting the aging time of MAC address entries 130
MAC address configuration example 131
VLAN configuration 133
Overview 133
Recommended configuration procedure 133
Creating a VLAN 133
Modifying a VLAN 134
Modifying a port 135
VLAN configuration examples 137
Configuration guidelines 140
ARP configuration 141
Overview 141
Introduction to ARP 141
Introduction to gratuitous ARP 141
Displaying ARP entries 141
Creating a static ARP entry 142
Removing ARP entries 143
Configuring gratuitous ARP 143
Static ARP configuration example 144
ARP attack protection configuration 148
ARP detection 148
Source MAC address based ARP attack detection 148
ARP active acknowledgement 148
ARP packet source MAC address consistency check 149
Configuring ARP detection 149
Configuring other ARP attack protection functions 150

IGMP snooping configuration 152
Overview 152
Recommended configuration procedure 153
Enabling IGMP snooping globally 153
Configuring IGMP snooping on a VLAN 154
Configuring IGMP snooping on a port 155
Displaying IGMP snooping multicast entry information 157
IGMP snooping configuration examples 158
IPv4 and IPv6 routing configuration 163
Overview 163
Displaying the IPv4 active route table 163
Creating an IPv4 static route 164
Displaying the IPv6 active route table 165
Creating an IPv6 static route 166
IPv4 static route configuration example 167
IPv6 static route configuration example 168
Configuration guidelines 170
DHCP overview 172
Introduction to DHCP snooping 172
Recommended configuration procedure (for DHCP server) 173
Enabling DHCP 174
Creating a static address pool for the DHCP server 175
Creating a dynamic address pool for the DHCP server 176
Enabling the DHCP server on an interface 178
Displaying information about assigned IP addresses 178
Recommended configuration procedure (for DHCP relay agent) 179
Enabling DHCP and configuring advanced parameters for the DHCP relay agent 180
Creating a DHCP server group 182
Enabling the DHCP relay agent on an interface 183
Configuring and displaying clients' IP-to-MAC bindings 184
Recommended configuration procedure (for DHCP snooping) 185
Enabling DHCP snooping 185
Configuring DHCP snooping functions on an interface 186
Displaying clients' IP-to-MAC bindings 187
DHCP server configuration example 188
DHCP relay agent configuration example 190
DHCP snooping configuration example 192
DNS configuration 195
Overview 195
Static domain name resolution 195
Dynamic domain name resolution 195
DNS proxy 195
Recommended configuration procedure 195
Configuring static name resolution table 195
Configuring dynamic domain name resolution 196
Configuring DNS proxy 196
Configuring static name resolution table 196
Configuring dynamic domain name resolution 197
Configuring DNS proxy 198
Adding a DNS server address 198
Adding a domain name suffix 199
Clearing dynamic DNS cache 199
DNS configuration example 199

Service management 204
Overview 204
Configuring service management 205
Diagnostic tools 207
Ping 207
Trace route 207
Ping operation 208
IPv4 ping operation 208
IPv6 ping operation 209
Trace route operation 211
AP configuration 213
AC-AP connection 213
Auto AP 213
AP group 213
Configuring an AP 214
Creating an AP 214
Configuring an AP 214
Configuring advanced settings 216
Configuring auto AP 218
Enabling auto AP 218
Renaming an AP 219
Batch switch 219
Configuring an AP group 220
Creating an AP group 220
Configuring an AP group 220
Applying the AP group 221
AP connection priority configuration example 221
Configuring access services 223
Access service overview 223
Terminology 223
Client access 223
WLAN data security 226
Client access authentication 227
802.11n 229
Configuring access service 230
Recommended configuration procedure 230
Creating a WLAN service 230
Configuring clear type wireless service 231
Configuring crypto type wireless service 240
Security parameter dependencies 247
Enabling a wireless service 247
Binding an AP radio to a wireless service 248
Enabling a radio 249
Displaying the detailed information of a wireless service 250
Wireless service configuration example 253
Auto AP configuration example 256
802.11n configuration example 261
WPA-PSK authentication configuration example 263
Local MAC authentication configuration example 268
Remote MAC authentication configuration example 273
Remote 802.1X authentication configuration example 284
Dynamic WEP encryption-802.1X authentication configuration example 297

Configuring mesh services 304
Mesh overview 304
Basic concepts in WLAN mesh 304
Advantages of WLAN mesh 305
Deployment scenarios 305
WLAN mesh security 308
Mobile link switch protocol 308
Mesh network topologies 310
Configuring mesh service 311
Configuring mesh service 311
Configuring a mesh policy 316
Mesh global setup 320
Configuring a working channel 321
Enabling radio 322
Configuring a peer MAC address 322
Mesh DFS 323
Displaying the mesh link status 325
Normal WLAN mesh configuration example 326
Subway WLAN mesh configuration example 330
Mesh point-to-multipoint configuration example 331
Tri-radio mesh configuration example 332
Mesh DFS configuration example 333
WLAN roaming configuration 336
Configuring WLAN roaming 336
Configuring a roaming group 336
Adding a group member 337
Displaying client information 338
WLAN roaming configuration examples 338
Intra-AC roaming configuration example 338
Inter-AC roaming configuration example 342
Radio configuration 347
Radio overview 347
WLAN RRM overview 347
Dynamic frequency selection 347
Transmit power control 348
Radio setup 350
Configuring radio parameters 350
Enabling a radio 354
Locking the channel 355
Locking the power 356
Configuring data transmit rates 356
Configuring 802.11a/802.11b/802.11g rates 356
Configuring 802.11n MCS 358
Configuring channel scanning 360
Configuring calibration 361
Parameter setting 361
Configuring a radio group 365
Calibration operations 367
Antenna 369
Manual channel adjustment configuration example 370
Automatic power adjustment configuration example 372
Radio group configuration example 373

Configuring 802.1X 377
802.1X architecture 377
Access control methods 377
Configuring 802.1X 378
Configuration prerequisites 378
Recommended configuration procedure 378
Configuring 802.1X globally 378
Configuring 802.1X on a port 381
Configuring portal authentication 385
Introduction to portal authentication 385
Configuring portal authentication 386
Configuration prerequisites 386
Recommended configuration procedure 386
Configuring the portal service 387
Configuring advanced parameters for portal authentication 391
Configuring a portal-free rule 392
Customizing authentication pages 394
Portal authentication configuration example 397
Configuring AAA 406
AAA overview 406
Configuring AAA 406
Configuration prerequisites 406
Recommended configuration procedure 407
Configuring an ISP domain 407
Configuring authentication methods for the ISP domain 408
Configuring authorization methods for the ISP domain 410
Configuring accounting methods for the ISP domain 412
AAA configuration example 414
Network requirements 414
Configuration procedure 415
Configuring RADIUS 419
RADIUS overview 419
Configuring a RADIUS scheme 419
RADIUS configuration example 425
Network requirements 425
Configuration procedure 425
Verifying the configuration 430
Configuration guidelines 430
Configuring the local EAP service 432
Configuration procedure 432
Local EAP service configuration example 433
Network requirements 433
Configuration procedure 434
Verifying the configuration 439
Configuring users 440
Overview 440
Configuring a local user 441
Configuring a user group 443
Configuring a guest 444
Configuring a user profile 447

Managing certificates 450
PKI overview 450
Configuring PKI 450
Recommended configuration procedure for manual request 451
Recommended configuration procedure for automatic request 452
Creating a PKI entity 453
Creating a PKI domain 454
Generating an RSA key pair 457
Destroying the RSA key pair 458
Retrieving and displaying a certificate 458
Requesting a local certificate 459
Retrieving and displaying a CRL 460
Certificate management configuration example 461
Configuration guidelines 466
WLAN security configuration 467
WLAN security overview 467
Terminology 467
WIDS attack detection 469
Blacklist and white list 470
Configuring rogue device detection 471
Recommended configuration procedure 471
Configuring AP operating mode 471
Configuring detection rules 472
Configuring detection rule lists 475
Enabling countermeasures and configuring aging time for detected rogue devices 476
Displaying monitor record 477
Displaying history record 478
Configuring WIDS 479
Configuring WIDS 479
Displaying history record 479
Displaying statistics information 480
Configuring the blacklist and white list functions 480
Configuring dynamic blacklist 481
Configuring static blacklist 481
Configuring white list 483
Rogue detection configuration example 484
User isolation 487
User isolation overview 487
Before user isolation is enabled 487
After user isolation is enabled 488
Configuring user isolation 488
Configuring user isolation 488
Displaying user isolation information 489
User isolation configuration example 489
Authorized IP 491
Overview 491
Configuring authorized IP 491
Configuring ACL and QoS 493
ACL overview 493
QoS overview 493
Configuring an ACL 494
Recommended configuration procedures 494
Adding a time range 495
Adding an IPv4 ACL 496
Configuring a rule for a basic IPv4 ACL 497
Configuring a rule for an advanced IPv4 ACL 498
Configuring a rule for an Ethernet frame header ACL 501
Adding an IPv6 ACL 503
Configuring a rule for a basic IPv6 ACL 504
Configuring a rule for an advanced IPv6 ACL 506
Configuring line rate 508
Configuring the priority trust mode of a port 509
Priority mapping overview 509
Configuring priority mapping 509
Configuring a QoS policy 512
Recommended QoS policy configuration procedure 512
Adding a class 513
Configuring classification rules 514
Adding a traffic behavior 517
Configuring actions for a traffic behavior 518
Adding a policy 521
Configuring classifier-behavior associations for the policy 521
Applying a policy to a port 522
Applying a QoS policy to a WLAN service 523
ACL and QoS configuration example 525
Network requirements 525
Configuration procedure 525
Verifying the configuration 534
Configuration guidelines 534

Configuring wireless QoS 536
Overview 536
Terminology 536
WMM protocol overview 536
Enabling wireless QoS 538
Setting the SVP service 539
Setting CAC admission policy 540
Setting radio EDCA parameters for APs 540
Setting client EDCA parameters for wireless clients 542
Displaying the radio statistics 543
Displaying the client statistics 544
Setting rate limiting 546
Setting wireless service-based client rate limiting 546
Setting radio-based client rate limiting 547
Configuring the bandwidth guarantee function 548
Setting the reference radio bandwidth 548
Setting guaranteed bandwidth percents 549
Enabling bandwidth guaranteeing 550
Displaying guaranteed bandwidth settings 551
CAC service configuration example 551
Network requirements 551
Configuring the wireless service 551
Configuring wireless QoS 551
Verifying the configuration 553
Wireless service-based static rate limiting configuration example 553
Network requirements 553
Configuring the wireless service 553
Configuring static rate limiting 553
Verifying the configuration 554
Wireless service-based dynamic rate limiting configuration example 554
Network requirements 554
Configuring the wireless service 555
Configuring dynamic rate limiting 555
Verifying the configuration 555
Bandwidth guarantee configuration example 555
Network requirements 555
Configuring the wireless services 556
Configuring bandwidth guaranteeing 556
Verifying the configuration 559

Advanced settings 560
Advanced settings overview 560
Country/Region code 560
1+1 AC backup 560
1+N AC backup 561
Continuous transmitting mode 562
Channel busy test 562
WLAN load balancing 562
AP version setting 564
Switching to fat AP 564
Wireless location 564
Wireless sniffer 566
Band navigation 566
Configuring WLAN advanced settings 567
Setting a country/region code 567
Configuring 1+1 AC backup 568
Configuring 1+N AC backup 571
Configuring continuous transmitting mode 573
Configuring a channel busy test 574
Configuring load balancing 576
Configuring AP 579
Configuring wireless location 580
Configuring wireless sniffer 582
Configuring band navigation 583
Advanced settings configuration examples 585
1+1 fast backup configuration example 585
1+N backup configuration example 590
AP-based session-mode load balancing configuration example 593
AP-based traffic-mode load balancing configuration example 595
Group-based session-mode load balancing configuration example 596
Group-based traffic-mode load balancing configuration example 598
Wireless location configuration example 601
Wireless sniffer configuration example 603
Band navigation configuration example 606
Configuring stateful failover 609
Overview 609
Introduction to stateful failover 609
Introduction to stateful failover states 610
Configuring stateful failover 610
Stateful failover configuration example 611
Configuration guidelines 619

Index 621

Models of WX series access controllers


H3C WX series access controllers include the WX3000E series wireless switches, and WX5000 and
WX6000 series access controllers. Table 1 shows the models of WX series.
Table 1 Models of WX series access controllers
| Product | Model |
|---|---|
| WX3000E series wireless switches | WX3024E wireless switch |
| WX5000 series access controllers | WX5002V2 access controller; WX5004 access controller; LSWM1WCM10 access controller module; LSWM1WCM20 access controller module |
| WX6000 series access controllers | WX6103 access controller; LSQM1WCMB0 access controller module; LSQM1WCMD0 access controller module; LSBM1WCM2A0 access controller module; LSRM1WCM2A1 access controller module; LSRM1WCM3A1 access controller module |

NOTE:
The WX6103 access controller supports EWPX1WCMB0 and EWPX1WCMD0 main control boards.

Typical network scenarios


Access controller network scenario
As shown in Figure 1, the AC connects to a Layer 2 or Layer 3 switch through GE1/0/1, the switch is
connected to APs directly or over an IP network, and clients access the network through the APs.
Figure 1 AC networking

Access controller module network scenario
As shown in Figure 2, the AC is installed on a Layer 2 or Layer 3 switch, the switch is connected to APs
directly or over an IP network, and clients access the network through the APs.
Figure 2 Access controller module networking
[Figure 2 (Scheme 2): access controller module in the switch, server, IP network, AP 1, AP 2, Client A, Client B]

Wireless switch network scenario
As shown in Figure 3, the wireless switch that has both AC and switch functions is connected to APs
directly or over an IP network, and clients access the network through the APs.
Figure 3 Unified switch networking diagram
[Figure 3 (Scheme 3): wireless switch, server, IP network, AP 1, AP 2, Client A, Client B]

Feature matrixes
In this document, Yes means a feature is supported, and No means not supported.

Feature matrix for the WX5000 series


NOTE:
The LSWM1WCM10 and LSWM1WCM20 access controller modules of the WX5000 series adopt the OAP architecture. They work as OAP cards to
exchange data and status and control information with the switch through their internal interfaces. Do not configure services such as QoS rate limiting and
802.1X authentication on XGE 1/0/1 of the LSWM1WCM10, and the logical aggregate interface BAGG1 formed by GE 1/0/1 and GE 1/0/2 of the
LSWM1WCM20.
Table 2 Feature matrix for the WX5000 series
| Module | Feature | WX5002V2 | WX5004 | LSWM1WCM10 | LSWM1WCM20 |
|---|---|---|---|---|---|
| Device | License management | Supports 32 concurrent APs by default, and can be extended to support 64 concurrent APs. | Supports 64 concurrent APs by default, and can be extended to support 256 concurrent APs. | Supports 64 concurrent APs by default, and can be extended to support 256 concurrent APs. | Supports 32 concurrent APs by default, and can be extended to support 128 concurrent APs. |
| Device | File management | CF: Yes | CF: Yes | CF: Yes | Flash: Yes |
| Device | Port mirroring | Yes | Yes | No | No |
| Device | Loopback test | Yes on GE interfaces | Yes on GE interfaces | Internal loopback testing: Yes on XGE interfaces only | Internal loopback testing: Yes on GE interfaces only |
| Network | IGMP snooping | The maximum number of multicast groups ranges from 1 to 256 and defaults to 256. | The maximum number of multicast groups ranges from 1 to 256 and defaults to 256. | The maximum number of multicast groups ranges from 1 to 256 and defaults to 256. | The maximum number of multicast groups ranges from 1 to 256 and defaults to 256. |
| AP | AP group (Licenses must be fully configured to reach the maximum number of group IDs) | The number of group IDs ranges from 1 to 64. | The number of group IDs ranges from 1 to 256. | The number of group IDs ranges from 1 to 256. | The number of group IDs ranges from 1 to 128. |
| Wireless Service | Access service | The maximum number of associated users per SSID is 124 and defaults to 64. | The maximum number of associated users per SSID is 124 and defaults to 64. | The maximum number of associated users per SSID is 124 and defaults to 64. | The maximum number of associated users per SSID is 124 and defaults to 64. |
| Advanced settings / High availability | AC hot backup | Yes | Yes | Yes | No |
| Advanced settings / High availability | Fast backup (Hello interval) | Yes (The hello interval ranges from 100 to 2000 and defaults to 2000.) | Yes (The hello interval ranges from 100 to 2000 and defaults to 2000.) | Yes (The hello interval ranges from 100 to 2000 and defaults to 2000.) | No |
| Advanced settings / High availability | 1+1 AC backup | Yes | Yes | Yes | No |
| Advanced settings / High availability | 1+1 fast backup | Yes | Yes | Yes | No |
| Advanced settings / High availability | Stateful failover | Yes | Yes | Yes | No |

Feature matrix for the WX6000 series


NOTE:
The switch interface board of the WX6103 adopts OAP architecture and is installed on the slot with purple paint at slot sides. The WX6103 supports
EWPX1WCMB0 and EWPX1WCMD0 main control boards. The switch interface board exchanges data, and state and control information with the main
control board through internal interfaces. Do not configure services such as QoS rate limiting and 802.1X authentication on the internal interfaces.
For configuration information about the switch interface board of the WX6103, see the H3C WX6103 Access Controller Switch Interface Board
Configuration Guide and H3C WX6103 Access Controller Switch Interface Board Command Reference.
The LSQM1WCMB0/LSQM1WCMD0/LSBM1WCM2A0/LSRM1WCM2A1/LSRM1WCM3A1 of the WX6000 series are OAP cards. Each OAP card is
installed on the expansion slot of the switch and exchanges data and status and control information with the switch through internal interfaces. Do not
configure services such as QoS rate limiting and 802.1X authentication on the internal interfaces.

Table 3 Feature matrix for the WX6000 series
| Module | Feature | WX6103 | LSQM1WCMB0 | LSQM1WCMD0 | LSBM1WCM2A0 | LSRM1WCM2A1 | LSRM1WCM3A1 |
|---|---|---|---|---|---|---|---|
| Device | License management | EWPX1WCMB0 supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs. EWPX1WCMD0 supports 128 concurrent APs by default, and can be extended to support 1024 concurrent APs. | Supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs. | Supports 128 concurrent APs by default, and can be extended to support 1024 concurrent APs. | Supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs. | Supports 128 concurrent APs by default, and can be extended to support 640 concurrent APs. | Supports 128 concurrent APs by default, and can be extended to support 1024 concurrent APs. |
| Device | File management | CF and USB supported | CF and USB supported | CF and USB supported | CF and USB supported | CF and USB supported | CF and USB supported |
| Device | Port mirroring | No | No | No | No | No | No |
| Device | Loopback test | Internal loopback testing supported on XGE interfaces only | Internal loopback testing supported on XGE interfaces only | Internal loopback testing supported on XGE interfaces only | Internal loopback testing supported on XGE interfaces only | Internal loopback testing supported on XGE interfaces only | Internal loopback testing supported on XGE interfaces only |
| Network | IGMP snooping | The maximum number of multicast groups ranges from 1 to 256 and defaults to 256. | The maximum number of multicast groups ranges from 1 to 256 and defaults to 256. | The maximum number of multicast groups ranges from 1 to 256 and defaults to 256. | The maximum number of multicast groups ranges from 1 to 256 and defaults to 256. | The maximum number of multicast groups ranges from 1 to 256 and defaults to 256. | The maximum number of multicast groups ranges from 1 to 256 and defaults to 256. |
| AP | AP group (Licenses must be fully configured to reach the maximum number of group IDs) | On EWPX1WCMB0, the number of group IDs ranges from 1 to 640. On EWPX1WCMD0, the number of group IDs ranges from 1 to 1024. | The number of group IDs ranges from 1 to 640. | The number of group IDs ranges from 1 to 1024. | The number of group IDs ranges from 1 to 640. | The number of group IDs ranges from 1 to 640. | The number of group IDs ranges from 1 to 1024. |
| Wireless Service | Access service | The maximum number of associated users per SSID is 124 and defaults to 64. | The maximum number of associated users per SSID is 124 and defaults to 64. | The maximum number of associated users per SSID is 124 and defaults to 64. | The maximum number of associated users per SSID is 124 and defaults to 64. | The maximum number of associated users per SSID is 124 and defaults to 64. | The maximum number of associated users per SSID is 124 and defaults to 64. |
| Advanced settings / High availability | AC backup | Yes | Yes | Yes | Yes | Yes | Yes |
| Advanced settings / High availability | Fast backup (Hello interval) | Yes (The hello interval ranges from 30 to 2000 and defaults to 2000.) | Yes (The hello interval ranges from 30 to 2000 and defaults to 2000.) | Yes (The hello interval ranges from 30 to 2000 and defaults to 2000.) | Yes (The hello interval ranges from 30 to 2000 and defaults to 2000.) | Yes (The hello interval ranges from 30 to 2000 and defaults to 2000.) | Yes (The hello interval ranges from 30 to 2000 and defaults to 2000.) |
| Advanced settings / High availability | 1+1 AC backup | Yes | Yes | Yes | Yes | Yes | Yes |
| Advanced settings / High availability | Stateful failover | Yes | Yes | Yes | Yes | Yes | Yes |

Feature matrix for the WX3024E


NOTE:
The access controller engine and switching engine of the WX3024E adopt the OAP architecture: the switching engine is integrated on the access controller engine. By default, you actually log in to the access controller engine when you log in to the switch. The GE 1/0/1 and GE 1/0/2 interfaces of the access controller engine form a logical interface BAGG1, and the GE1/0/29 and GE1/0/30 interfaces of the switching engine form a logical interface BAGG1. The two BAGG1 interfaces exchange data, status, and control information. Do not configure services such as QoS rate limiting and 802.1X authentication on these internal interfaces.
For configuration information about the switching engine of the WX3024E, see the H3C WX3024E Wireless Switch Switching Engine Configuration Guide and H3C WX3024E Wireless Switch Switching Engine Command Reference.

Table 4 Feature matrix for the WX3024E
Module / Feature: WX3024E
Device / License management: Supports 24 concurrent APs by default, and can be extended to support 60 concurrent APs.
Device / File management: Flash supported.
Device / Port mirroring: No.
Device / Loopback test: Internal loopback testing supported on GE interfaces only.
Network / IGMP Snooping: The maximum number of multicast groups ranges from 1 to 64 and defaults to 64.
AP / AP group (Licenses must be fully configured to reach the maximum number of group IDs): The number of group IDs ranges from 1 to 60.
Wireless Service / Access service: The maximum number of associated users per SSID is 124, and defaults to 64.
High availability / AC backup: No.
High availability / Fast backup (Hello interval): No.
High availability / 1+1 AC backup: No.
High availability / Stateful failover: No.

Quick Start
Quick start wizard home page
From the navigation tree, select Quick Start to enter the home page of the Quick Start wizard, as shown
in Figure 4.
Figure 4 Home page of the quick start wizard

Basic configuration
On the home page of the Quick Start wizard, click Start to enter the basic configuration page, as shown in Figure 5.

Figure 5 Basic configuration page

Table 5 Configuration items
System Name: Specify the name of the current device. By default, the system name of the device is H3C.
Country/Region Code: Select the code of the country where you are. This field defines the radio frequency characteristics such as the power and the total number of channels for frame transmission. Before configuring the device, you need to configure the country code correctly. If the Country Code field is grayed out, it cannot be modified.
Time Zone: Select a time zone for the system.
Time: Specify the current time and date.

Admin configuration
On the basic configuration page, click Next to enter the admin configuration page, as shown in Figure 6.

Figure 6 Admin configuration page

Table 6 Configuration items
Password: Specify the password for user Admin to use to log into the device, in cipher text.
Confirm Password: Enter the password again to confirm the password.

IP configuration
On the Admin Configuration page, click Next to enter the IP configuration page, as shown in Figure 7.

Figure 7 IP configuration page

Table 7 Configuration items
IP Address: Specify the IP address of VLAN-interface 1. This IP address is used for logging into the device. The default is 192.168.0.100.
Mask: Specify the IP address mask of VLAN-interface 1. By default, the mask is 24-bit long.
Default Gateway: Specify the IP address of the default gateway that connects the device to the network. By default, the IP address of the default gateway is not specified.

Wireless configuration
On the IP configuration page, click Next to enter the wireless configuration page, as shown in Figure 8.

Figure 8 Wireless configuration page

Table 8 Configuration items
Primary Service Authentication type: Select the authentication type for the wireless service, which can be:
  None: Performs no authentication.
  User authentication (802.1X): Performs 802.1X authentication.
  Portal: Performs Portal authentication.
Wireless Service: Specify the Service Set Identifier (SSID).
Encrypt: Select this box to go to the 7/13: Encryption Configuration step. By default, no encryption is performed. If this option is not selected, the 7/13: Encryption Configuration step is skipped.

RADIUS configuration
On the wireless configuration page, select User authentication (802.1X) or Portal for the Primary Service Authentication Type field, and then click Next to enter the RADIUS configuration page, as shown in Figure 9.

Figure 9 RADIUS configuration page

Table 9 Configuration items
Service Type: Select the type of the RADIUS server. Two types are available, extended and standard:
  extended: Specifies an extended RADIUS server, which is usually an IMC server. In this case, the RADIUS client (access device) and the RADIUS server exchange packets based on the specifications and packet format definitions of a private RADIUS protocol.
  standard: Specifies a standard RADIUS server. In this case, the RADIUS client (access device) and the RADIUS server exchange packets based on the specifications and packet format definitions of the standard RADIUS protocols (RFC 2138, RFC 2139, and the updates).
Authentication IP: Enter the IP address of the RADIUS authentication server.
Authentication UDP Port: Enter the port number of the RADIUS authentication server.
Authentication Key: Enter the shared key of the RADIUS authentication server.
Accounting IP: Enter the IP address of the RADIUS accounting server.
Accounting UDP Port: Enter the port number of the RADIUS accounting server.
Accounting Key: Enter the shared key of the RADIUS accounting server.

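The shared key entered in Table 9 is what ties the access device to its RADIUS server on the wire, following the standard RADIUS packet format the table cites. The following added example (not code from the H3C guide) builds an Access-Request as the RADIUS client would, hides the User-Password under the key, and checks a server reply's Response Authenticator under the same key; the user name, password, NAS address and key are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

# Packet codes and attribute types from the RADIUS standards (RFC 2138 / RFC 2865).
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Attribute TLV: Type(1) | Length(1, header included) | Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the attribute list that follows the 20-byte packet header."""
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding (RFC 2138 section 5.2): pad to a multiple of 16 and
    XOR each block with MD5(secret + previous block); the first block uses the
    Request Authenticator. This is keyed obfuscation, not strong encryption,
    which is why the shared key must be long, unique and kept private."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-zero multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drop the zero padding


def build_access_request(identifier: int, username: str, password: str, nas_ip: str,
                         secret: bytes, authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Build the Access-Request the access device (RADIUS client) sends.
    Returns the packet and the 16-byte Request Authenticator, which the client
    must keep in order to check the server's reply."""
    req_auth = os.urandom(16) if authenticator is None else authenticator
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def build_response(code: int, identifier: int, attrs: bytes,
                   request_authenticator: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator under the shared key.
    A reply that does not verify (wrong key, altered attributes, wrong length)
    is discarded, so an Access-Accept forged by a host without the key fails."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```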
Portal configuration
On the wireless configuration page, select Portal for the Primary Service Authentication Type field, and then click Next to enter the RADIUS configuration page. After you complete RADIUS configuration, click Next to enter the portal configuration page, as shown in Figure 10.

Figure 10 Portal configuration page

Table 10 Configuration items
Server-name: Specify the system name of the portal server.
Server-IP: Enter the IP address of the portal server.
Port: Enter the port number of the portal server.
Redirect-URL: Enter the URL of the portal authentication server.
Method: Specify the portal authentication method to be used, which can be:
  Direct: Before authentication, a user manually configures an IP address or directly obtains a public IP address through DHCP, and can access only the portal server and predefined free websites. After passing authentication, the user can access the network resources. The authentication process of direct authentication is simpler than that of re-DHCP authentication.
  Layer3: Layer 3 authentication is similar to direct authentication but allows Layer 3 forwarding devices to be present between the authentication client and the access device.
  Redhcp: Before authentication, a user gets a private IP address through DHCP and can access only the portal server and predefined free websites. After passing authentication, the user is allocated a public IP address and can access the network resources.

Encryption configuration
On the wireless configuration page, select User authentication (802.1X) for Primary Service Authentication Type and click Next to enter the encryption configuration page, as shown in Figure 11.

Figure 11 Encryption configuration page

Table 11 Configuration items
Provide Key Automatically: Specify whether to use WEP keys provided automatically or static WEP keys.
  Enable: Use WEP keys provided automatically.
  Disable: Use static WEP keys.
  By default, static WEP keys are used. After you select Enable, WEP104 is displayed for WEP.
  IMPORTANT: Automatically provided WEP keys must be used together with 802.1X authentication. Therefore, this option is available only after you select User authentication (802.1X) for Primary Service Authentication type on the wireless configuration page.
WEP: Select the key type of the WEP encryption mechanism, which can be WEP40, WEP104, or WEP128.
Key ID: Select the WEP key index, which can be 1, 2, 3, or 4. Each number represents one of the four static keys of WEP. The selected key index will be used for frame encryption and decryption.
  IMPORTANT: If you enable Provide Key Automatically, only 1, 2, and 3 are available for the Key ID option.
Key Length: Select the key length.
  When the key type is WEP40, the key length can be five alphanumeric characters or ten hexadecimal characters.
  When the key type is WEP104, the key length can be 13 alphanumeric characters or 26 hexadecimal characters.
  When the key type is WEP128, the key length can be 16 alphanumeric characters or 32 hexadecimal characters.
WEP Key: Enter the WEP key.

AP configuration
On the guest service configuration page, click Next to enter the AP configuration page, as shown in Figure 12. You can configure an AP and click Add. You can configure multiple APs on the page. The section at the bottom of the page displays all existing APs.

Figure 12 AP configuration page

Table 12 Configuration items
AP Name: Enter the name of the AP.
Model: Select the model of the AP.
Serial ID: Specify the serial ID of the AP.
  If the Auto box is not selected, you need to manually enter a serial ID.
  If the Auto box is selected, the AC automatically searches the serial ID of the AP. This option needs to cooperate with the auto AP function to implement automatic AP discovery so that the AP can connect with the AC automatically. If there are a large number of APs, the automatic AP discovery function can avoid repeated configuration of AP serial numbers. For how to configure auto AP, see "AP configuration."
Country/Region Code: Select a country/region code for the AP. By default, no country/region code is configured for the AP and the AP uses the global country/region code (which is configured on the AC). If the country/region code is specified on this page, the AP uses this configuration. For information about the country/region code configured on the AC, see "Advanced settings."
Radio: Radio unit of the AP.
Mode: Select the radio mode. The radio mode depends on the AP model.
Channel: Select the working channel. The channel list for the radio depends on the country/region code and radio mode, and varies with device models.
  Auto: Specifies the automatic channel mode. With Auto specified, the AC evaluates the quality of channels in the wireless network, and selects the best channel as the working channel.
  After the channel is changed, the power list is refreshed.
Power: Select the transmission power. The maximum power of the radio depends on the country/region code, working channel, AP model, radio mode, and antenna type. If 802.11n is specified as the radio mode, the maximum power of the radio also depends on the bandwidth mode.

Configuration summary
On the AP configuration page, click Next to enter the configuration summary page, as shown in Figure 13. The configuration summary page displays all configurations you have made. Click Finish to save your configurations.

Figure 13 Configuration summary page

Web overview
The device provides Web-based configuration interfaces for visual device management and
maintenance.
Figure 14 Web-based network management operating environment

Logging in to the Web interface

You can use the following default settings to log in to the Web interface through HTTP:
  Username: admin
  Password: admin
  IP address of VLAN-interface 1 of the device: 192.168.0.100

To log in to the Web interface of the device from a PC:
1. Connect the Ethernet port of the device to the PC by using a crossover Ethernet cable. By default, all ports belong to VLAN 1.
2. Configure an IP address for the PC and make sure that the PC and the device can reach each other. For example, assign the PC an IP address (for example, 192.168.0.2) within the network segment 192.168.0.0/24 (except for 192.168.0.100).
3. Open the browser and input the login information:
   a. Type http://192.168.0.100 in the address bar and press Enter. The login page of the Web interface (see Figure 15) appears.
   b. Enter the username and password admin, and the verification code, select the language (English and Chinese are supported at present), and click Login.

Figure 15 Login page of the Web interface

   c. After you click Login, you will enter the following page. Select a country/region code from the Country/Region list, and click Apply.

Figure 16 Selecting a country/region code

The PC where you configure the device is not necessarily the Web-based network management terminal. A Web-based network management terminal is a PC (or another terminal) used to log in to the Web interface and is required to be reachable to the device.
After logging in to the Web interface, you can create a new user and configure the IP address of the interface connecting the user and the device.
If you click the verification code displayed on the Web login page, you can get a new verification code.
Up to 24 users can concurrently log in to the device through the Web interface.

Logging out of the Web interface

As shown in Figure 17, click Logout in the upper-right corner of the Web interface to quit Web-based network management.
The system does not save the current configuration before you log out of the Web interface. H3C recommends that you save the current configuration before logout.
CAUTION:
A logged-in user cannot automatically log out by directly closing the browser.

Introduction to the Web interface

The Web interface comprises three parts: navigation tree, title area, and body area.

Figure 17 Web-based configuration interface
(1) Navigation area  (2) Body area  (3) Title area

Navigation area: Organizes the Web-based NM function menus in the form of a navigation tree, where you can select function menus as needed. The result is displayed in the body area. The Web network management functions not supported by the device are not displayed in the navigation area.
Body area: The area where you can configure and display a function.
Title area: On the left, displays the path of the current configuration interface in the navigation area; on the right, provides the Save button to quickly save the current configuration, the Help button to display the Web related help information, and the Logout button to log out of the Web interface.

Web user level

Web user levels, ranging from low to high, are visitor, monitor, configure, and management. A user with a higher level has all the operating rights of a user with a lower level.
Visitor: Users of this level can perform the ping and traceroute operations, but they can neither access the device data nor configure the device.
Monitor: Users of this level can only access the device data but cannot configure the device.
Configure: Users of this level can access data from the device and configure the device, but they cannot upgrade the host software, add/delete/modify users, or back up/restore the application file.
Management: Users of this level can perform any operations for the device.

Introduction to the Web-based NM functions

NOTE:
Support for the configuration items depends on the device model. For more information, see "Feature matrixes."
A user level in Table 13 indicates that users of this level or users of a higher level can perform the corresponding operations.
Table 13 Description for Web-based NM functions
Function menu: Description [User level]
Quick Start: Perform quick configuration of the device. [Configure]
Summary > Device Info: Display and refresh system resource state, device information, device interface information, and recent system operation logs. [Monitor]
Summary > Wireless Service: Display the information of the queried WLAN service, including the detailed information, statistics, and connection history. [Monitor]
Summary > AP: Display the information of the queried AP, including wireless service, connection history, radio, and detailed information. [Monitor]
Summary > AP: Reboot an AP. [Configure]
Summary > Client: Display the detailed information, statistics, and roaming information of the client. [Monitor]
Summary > Client: Clear statistics of the client, disconnect the connection, and add the client into the blacklist. [Configure]
License > License: Display license information. [Monitor]
License > License: Add licenses. [Configure]
License > Enhanced License: Display enhanced license information. [Monitor]
License > Enhanced License: Register enhanced licenses. [Configure]
Device > Basic > System Name: Display and configure the system name. [Configure]
Device > Basic > Web Idle Timeout: Display and configure the idle timeout period for a logged-in user. [Configure]
Device > Device Maintenance > Software Upgrade: Upload the file to be upgraded from the local host to upgrade the system software. [Management]
Device > Device Maintenance > Reboot: Reboot the device. [Management]

Device > Device Maintenance > Diagnostic Information: Generate a diagnostic information file, view the file, or save the file to the local host. [Management]
Device > System Time > System Time: Display the system date and time. [Monitor]
Device > System Time > System Time: Manually set the system time. [Configure]
Device > System Time > Net Time: Set local and external clock sources and system time zone. [Monitor]
Device > System Time > Net Time: Set the network time. [Configure]
Device > Syslog > Loglist: Display and refresh system logs. [Monitor]
Device > Syslog > Loglist: Clear system logs. [Configure]
Device > Syslog > Loghost: Display and configure the loghost. [Configure]
Device > Syslog > Log Setup: Display and configure the buffer capacity, and refresh interval for displaying system logs. [Configure]
Device > Configuration > Backup: Back up the configuration file for the next startup to the host of the current user. [Management]
Device > Configuration > Restore: Upload the configuration file on the host of the current user to the device for the next startup. [Management]
Device > Configuration > Save: Save the current configuration to the configuration file for the next startup. [Configure]
Device > Configuration > Initialize: Restore the system to factory defaults. [Configure]
Device > File management: Manage files on the device, including displaying file list, downloading a file, uploading a file, removing a file, and setting the main boot file. [Management]
Device > Interface: Display interface information and statistics. [Monitor]
Device > Interface: Create, modify, and delete an interface, and clear interface statistics. [Configure]
Device > Port Mirroring > Summary: Display the configuration information of a port mirroring group. [Monitor]
Device > Port Mirroring > Add: Create a port mirroring group. [Configure]
Device > Port Mirroring > Remove: Remove a port mirroring group. [Configure]
Device > Port Mirroring > Modify Port: Configure ports for a mirroring group. [Configure]
Device > Users > Summary: Display brief information of FTP and Telnet users. [Monitor]
Device > Users > Super Password: Configure the password for a lower-level user to switch from the current access level to the management level. [Management]
Device > Users > Create: Create an FTP or Telnet user. [Management]

Device > Users > Modify: Modify FTP or Telnet user information. [Management]
Device > Users > Remove: Remove an FTP or a Telnet user. [Management]
Device > Users > Switch To Management: Switch the current user level to the management level. [Monitor]
Device > SNMP > Setup: Display and refresh SNMP configuration and statistics information. [Monitor]
Device > SNMP > Setup: Configure SNMP. [Configure]
Device > SNMP > Community: Display SNMP community information. [Monitor]
Device > SNMP > Community: Create, modify, and delete an SNMP community. [Configure]
Device > SNMP > Group: Display SNMP group information. [Monitor]
Device > SNMP > Group: Create, modify, and delete an SNMP group. [Configure]
Device > SNMP > User: Display SNMP user information. [Monitor]
Device > SNMP > User: Create, modify, and delete an SNMP user. [Configure]
Device > SNMP > Trap: Display the status of the SNMP trap function and information about target hosts. [Monitor]
Device > SNMP > Trap: Enable or disable the SNMP trap function, or create, modify, and delete a target host. [Configure]
Device > SNMP > View: Display SNMP view information. [Monitor]
Device > SNMP > View: Create, modify, and delete an SNMP view. [Configure]
Device > Loopback: Perform the loopback test on Ethernet interfaces. [Configure]
Network > MAC > MAC: Display MAC address information. [Monitor]
Network > MAC > MAC: Create or remove MAC addresses. [Configure]
Network > MAC > Setup: Display and configure MAC address aging time. [Configure]
Network > VLAN > VLAN: Display all VLANs on the device and information about their member ports. [Monitor]
Network > VLAN > VLAN: Create, modify, and delete VLANs. [Configure]
Network > VLAN > Port: Display VLANs to which a port on the device belongs. [Monitor]
Network > VLAN > Port: Modify the VLANs to which a port belongs. [Configure]
Network > ARP Management > ARP Table: Display ARP table information. [Monitor]
Network > ARP Management > ARP Table: Add, modify, or delete an ARP entry. [Configure]

Network > ARP Management > Gratuitous ARP: Display configuration information of gratuitous ARP. [Monitor]
Network > ARP Management > Gratuitous ARP: Configure gratuitous ARP. [Configure]
Network > ARP Anti-Attack > ARP Detection: Display the configuration information of ARP detection. [Monitor]
Network > ARP Anti-Attack > ARP Detection: Configure ARP detection. [Configure]
Network > ARP Anti-Attack > Advanced Configuration: Display the configuration information of source MAC address based ARP attack detection, ARP active acknowledgement, and ARP packet source MAC address consistency check. [Monitor]
Network > ARP Anti-Attack > Advanced Configuration: Configure source MAC address based ARP attack detection, ARP active acknowledgement, and ARP packet source MAC address consistency check. [Configure]
Network > IGMP Snooping > Basic: Display global IGMP Snooping configuration information and the IGMP Snooping configuration information in a VLAN, and view the IGMP Snooping multicast entry information. [Monitor]
Network > IGMP Snooping > Basic: Configure IGMP Snooping globally and in a VLAN. [Configure]
Network > IGMP Snooping > Advance: Display the IGMP Snooping configuration information on a port. [Monitor]
Network > IGMP Snooping > Advance: Configure IGMP Snooping on a port. [Configure]
Network > IPv4 Routing > Summary: Display the IPv4 active route table. [Monitor]
Network > IPv4 Routing > Create: Create an IPv4 static route. [Configure]
Network > IPv4 Routing > Remove: Delete the selected IPv4 static routes. [Configure]
Network > IPv6 Routing > Summary: Display the IPv6 active route table. [Monitor]
Network > IPv6 Routing > Create: Create an IPv6 static route. [Configure]
Network > IPv6 Routing > Remove: Delete the selected IPv6 static routes. [Configure]
Network > DHCP > DHCP Server: Display the DHCP service status, the DHCP address pool information, the DHCP server status on an interface, and addresses in use. [Monitor]
Network > DHCP > DHCP Server: Set the DHCP service status, add, modify, or delete a DHCP address pool, and modify the DHCP server status on an interface. [Configure]

Network > DHCP > DHCP Relay: Display the status of a DHCP service and advanced configuration information of DHCP relay, display information of a DHCP group, and status of the DHCP relay agent on an interface, and view the DHCP relay user information. [Monitor]
Network > DHCP > DHCP Relay: Configure the status of a DHCP service and advanced configuration information of DHCP relay, add or delete a DHCP group, and modify the status of the DHCP relay agent on an interface. [Configure]
Network > DHCP > DHCP Snooping: Display the status of the DHCP Snooping function, and the trusted and untrusted attributes of a port, and view the DHCP Snooping user information. [Monitor]
Network > DHCP > DHCP Snooping: Configure the status of the DHCP Snooping function, and modify the trusted and untrusted attributes of a port. [Configure]
Network > DNS > Static: Display, create, modify, or delete a static host name-to-IP address mapping. [Configure]
Network > DNS > Dynamic: Display and configure related parameters for dynamic domain name resolution. Display, create, or delete an IP address and the domain name suffix. [Configure]
Network > Service: Display the states of the services: enabled or disabled. [Configure]
Network > Service: Specify whether to enable various services, and set related parameters. [Management]
Network > Diagnostic Tools > IPv4 Ping: Ping an IPv4 address or host and display the result. [Visitor]
Network > Diagnostic Tools > IPv6 Ping: Ping an IPv6 address or host and display the result. [Visitor]
Network > Diagnostic Tools > Trace Route: Perform trace route operations and display the result. [Visitor]
AP > AP Setup: Display AP-related information, including AP name, AP IP address, serial ID, model and status. [Monitor]
AP > AP Setup: Add an AP and modify the AP configuration. [Configure]
AP > Auto AP: Display auto AP information after auto AP is enabled, including AP name, model, serial ID and IP address. [Monitor]
AP > Auto AP: Enable auto AP. [Configure]

AP > AP Group: Display AP group information. [Monitor]
AP > AP Group: Create and configure an AP group. [Configure]
WLAN Service > Access Service: Display an access service, including security type, detailed information, service status and binding status. [Monitor]
WLAN Service > Access Service: Create and configure an access service, map an access service to an AP radio, and add a MAC authentication list. [Configure]
WLAN Service > Mesh Service: Display a mesh service, including its detailed information, status, and binding information. [Monitor]
WLAN Service > Mesh Service: Create and configure a mesh service, including security settings. [Configure]
WLAN Service > Mesh Policy: Display mesh policies. [Monitor]
WLAN Service > Mesh Policy: Create and configure a mesh policy. [Configure]
Mesh Service > Global Setup: Display mesh global setting, including basic setting, mesh DFS, and mesh portal service. [Monitor]
Mesh Service > Global Setup: Configure mesh global setting, including basic setting, mesh DFS, and mesh portal service. [Configure]
Mesh Service > Mesh Channel Optimize: Display radio information and channel switch information in a mesh network. [Monitor]
Mesh Service > Mesh Channel Optimize: Configure mesh channel optimization. [Configure]
Mesh Service > Mesh Link Info: Display mesh link status information. [Monitor]
Mesh Service > Mesh Link Info: Monitor mesh link status and refresh mesh link status information. [Configure]
Mesh Service > Mesh Link Test: Display mesh link test results. [Monitor]
Mesh Service > Mesh Link Test: Test mesh links and refresh mesh link test results. [Configure]
Roam > Roam Group: Display a roaming group and its members. [Monitor]
Roam > Roam Group: Configure a roaming group and add a group member. [Configure]
Roam > Roam Client: Display client information, including MAC address, BSSID, VLAN ID, home AC and roaming direction. [Monitor]
Radio > Radio: Display radio status, including radio mode and radio status. [Monitor]
Radio > Radio: Configure radio parameters, including 802.11n settings. [Configure]
Radio > Rate: Display rate settings. [Monitor]

Radio > Rate: Configure 802.11n rates, including MCS index. [Configure]
Radio > Channel Scan: Display channel scanning, including scanning mode, scanning type and scanning interval. [Monitor]
Radio > Channel Scan: Configure channel scanning, including scanning mode and scanning type. [Configure]
Radio > Operation: Display or refresh AP status, including channel status, neighbor information, and history information. [Monitor]
Radio > Operation: Manual calibration. [Configure]
Radio > Calibration Parameters: Display basic setup, channel setup and power setup. [Monitor]
Radio > Calibration Parameters: Configure channel calibration parameters. [Configure]
Radio > Radio Group: Display radio group configuration. [Monitor]
Radio > Radio Group: Configure a radio group. [Configure]
Radio > Antenna Switch: Configure the antenna of an AP. [Configure]
Authentication > 802.1X: Display the global 802.1X information and 802.1X information of a port. [Monitor]
Authentication > 802.1X: Display the global 802.1X features and 802.1X features of a port. [Configure]
Authentication > Portal > Portal Server: Display configuration information about the portal server and advanced parameters for portal authentication. [Monitor]
Authentication > Portal > Portal Server: Add and delete a portal server, and modify advanced parameters for portal authentication. [Configure]
Authentication > Portal > Free Rule: Display the portal-free rule configuration information. [Monitor]
Authentication > Portal > Free Rule: Add and delete a portal-free rule. [Configure]
AAA > Domain Setup: Display ISP domain configuration information. [Monitor]
AAA > Domain Setup: Add and remove ISP domains. [Management]
AAA > Authentication: Display the authentication method configuration information of an ISP domain. [Monitor]
AAA > Authentication: Specify authentication methods for an ISP domain. [Management]
AAA > Authorization: Display the authorization method configuration information of an ISP domain. [Monitor]

AAA > Authorization: Specify authorization methods for an ISP domain. [Management]
AAA > Accounting: Display the accounting method configuration information of an ISP domain. [Monitor]
AAA > Accounting: Specify accounting methods for an ISP domain. [Management]
AAA > RADIUS: Display and add, modify, and delete a RADIUS scheme. [Management]
AAA > Local EAP Server: Display the configuration information of the local EAP service. [Monitor]
AAA > Local EAP Server: Configure the local EAP service. [Configure]
Users > Local User: Display local users' configuration information. [Monitor]
Users > Local User: Add, modify, and remove local users. [Management]
Users > User Group: Display user groups' configuration information. [Monitor]
Users > User Group: Add, modify, and remove user groups. [Management]
Users > Guest: Display guest users' configuration information. [Monitor]
Users > Guest: Add, modify, and remove guest users. [Management]
Users > User Profile: Display user profile configuration information. [Monitor]
Users > User Profile: Add, modify, remove, enable, and disable user profiles. [Configure]
Certificate Management > Entity: Display information about PKI entities. [Monitor]
Certificate Management > Entity: Add, modify, and delete a PKI entity. [Configure]
Certificate Management > Domain: Display information about PKI domains. [Monitor]
Certificate Management > Domain: Add, modify, and delete a PKI domain. [Configure]
Certificate Management > Certificate: Display the certificate information of PKI domains and view the contents of a certificate. [Monitor]
Certificate Management > Certificate: Generate a key pair, destroy a key pair, retrieve a certificate, request a certificate, and delete a certificate. [Configure]
Certificate Management > CRL: Display the contents of the CRL. [Monitor]
Certificate Management > CRL: Receive the CRL of a domain. [Configure]

Security > Rogue detection > AP Monitor: Display AP operating mode. [Monitor]
Security > Rogue detection > AP Monitor: Configure AP operating mode. [Configure]
Security > Rogue detection > Rule List: Display list types for the rogue device detection and the detection rules. [Monitor]
Security > Rogue detection > Rule List: Configure list types for rogue device detection and the rules. [Configure]
Security > Rogue detection > Monitor Record: Display monitor record of rogue device detection. [Monitor]
Security > Rogue detection > Monitor Record: Clear monitor record of rogue device detection, and add rogue devices to blacklist. [Configure]
Security > Rogue detection > History Record: Display rogue device detection history. [Monitor]
Security > Rogue detection > History Record: Clear history of rogue device detection and add rogue devices to blacklist. [Configure]
Security > WIDS > WIDS Setup: Display IDS configuration. [Monitor]
Security > WIDS > WIDS Setup: Configure IDS detection, including flood attack detection, spoofing attack detection, and weak IV detection. [Configure]
Security > WIDS > History Record: Display IDS attack detection history. [Monitor]
Security > WIDS > History Record: Clear history record of IDS attack detection and add the detected devices that initiate attacks to blacklist. [Configure]
Security > WIDS > Statistics: Display statistics of IDS attack detection. [Monitor]
Security > WIDS > Statistics: Clear the statistics. [Configure]
Security > Filter > Blacklist: Display dynamic and static blacklists. [Monitor]
Security > Filter > Blacklist: Clear dynamic blacklist and static blacklist; enable dynamic blacklist; add entries to the static blacklist. [Configure]
Security > Filter > White List: Display white list. [Monitor]
Security > Filter > White List: Clear white list and add entries to the white list. [Configure]
Security > Authorized IP > Summary: Display the configurations of the authorized IP, the associated IPv4 ACL rule list, and the associated IPv6 ACL rule list. [Management]
Security > Authorized IP > Setup: Configure the authorized IP. [Configure]
Security > User Isolation: Display, add, modify, and remove user isolation configuration. [Management]

QoS > Time Range > Summary: Display time range configuration information. [Monitor]
QoS > Time Range > Add: Create a time range. [Configure]
QoS > Time Range > Remove: Delete a time range. [Configure]
QoS > ACL IPv4 > Summary: Display IPv4 ACL configuration information. [Monitor]
QoS > ACL IPv4 > Add: Create an IPv4 ACL. [Configure]
QoS > ACL IPv4 > Basic Setup: Configure a rule for a basic IPv4 ACL. [Configure]
QoS > ACL IPv4 > Advanced Setup: Configure a rule for an advanced IPv4 ACL. [Configure]
QoS > ACL IPv4 > Link Setup: Create a rule for an Ethernet frame header ACL. [Configure]
QoS > ACL IPv4 > Remove: Delete an IPv4 ACL or its rules. [Configure]
QoS > ACL IPv6 > Summary: Display IPv6 ACL configuration information. [Monitor]
QoS > ACL IPv6 > Add: Create an IPv6 ACL. [Configure]
QoS > ACL IPv6 > Basic Setup: Configure a rule for a basic IPv6 ACL. [Configure]
QoS > ACL IPv6 > Advanced Setup: Configure a rule for an advanced IPv6 ACL. [Configure]
QoS > ACL IPv6 > Remove: Delete an IPv6 ACL or its rules. [Configure]
QoS > Wireless QoS > Wireless QoS: Display wireless QoS, including SVP mapping, CAC admission policy, radio EDCA and client EDCA. [Monitor]
QoS > Wireless QoS > Wireless QoS: Configure wireless QoS, including SVP mapping, CAC admission policy, radio EDCA and client EDCA. [Configure]
QoS > Wireless QoS > Radio Statistics: Display radio statistics, including WMM status and detailed radio information. [Monitor]
QoS > Wireless QoS > Radio Statistics: Display radio statistics, including WMM status and detailed radio information, and clear the radio statistics. [Configure]
QoS > Wireless QoS > Client Statistics: Display client statistics, including WMM status and detailed client information. [Monitor]
QoS > Wireless QoS > Client Statistics: Display client statistics, including WMM status and detailed client information, and clear the client statistics. [Configure]
QoS > Wireless QoS > Client Rate Limit: Display the configured client rate limit information. [Monitor]

Function menu

Description

User level

Configure and modify client rate


limiting mode, direction and rate.

Configure

Display bandwidth settings for different


radio types.

Monitor

Configure bandwidth guarantee


settings.

Configure

Summary

Display line rate configuration


information.

Monitor

Setup

Configure the line rate.

Configure

Display the priority and trust mode of a


port.

Monitor

Modify the priority and trust mode of a


port.

Configure

Display priority trust mode


configuration information.

Management

Configure the priority trust mode.

Management

Summary

Display classifier configuration


information.

Monitor

Add

Create a class.

Configure

Setup

Configure the classification rules for a


class.

Configure

Remove

Delete a class or its classification rules.

Configure

Summary

Display traffic behavior configuration


information.

Monitor

Add

Create a traffic behavior.

Configure

Setup

Configure actions for a traffic


behavior.

Configure

Remove

Delete a traffic behavior.

Configure

Summary

Display QoS policy configuration


information.

Monitor

Add

Create a QoS policy.

Configure

Setup

Configure the classifier-behavior


associations for a QoS policy.

Configure

Remove

Delete a QoS policy or its


classifier-behavior associations.

Configure

Summary

Display the QoS policy applied to a


port.

Monitor

Setup

Apply a QoS policy to a port.

Configure

Remove

Remove the QoS policy from the port.

Configure

Display the QoS policy applied to a


WLAN-ESS port.

Monitor

Bandwidth
Guarantee

Line Rate

Port Priority

Trust Mode

Classifier

Behavior

QoS Policy

Port Policy

Service Policy

33

Function menu

Description

User level

Configure the QoS policy applied to a


WLAN-ESS port.

Configure

Display the country/region code.

Monitor

Modify the country/region code.

Configure

Display the address of the backup AC.

Monitor

Setup

Configure the address of the backup


AC.

Configure

Status

Display the status of the AC.

Monitor

Display the continuous transmitting


mode of an AP.

Monitor

Switch the continuous transmitting


mode of an AP.

Configure

Display channel busy rate test results.

Monitor

Test busy rate of channels, and output


test results.

Configure

Display the load balancing mode and


the current connection status.

Monitor

Configure the load balancing mode


and refresh the current connection
status.

Configure

Display load balancing group


configuration.

Monitor

Configure a load balancing group.

Configure

Display the AP version, including the


AP model and software version.

Monitor

Upgrade the software.

Configure

Display the model and IP address of the


AP.

Monitor

Switch to fat AP.

Configure

Display wireless location settings.

Monitor

Configure, enable, and disable


wireless location.

Configure

Display wireless sniffer configuration.

Monitor

Configure, enable, and disable


wireless sniffer parameters.

Configure

Country/Region Code

AC Backup

Continuous Transmit

Channel Busy Test

Advanced
Load Balance
Load
Balancing
Load Balance Group

AP Module
AP
Switch to fat AP

Wireless Location

Wireless Sniffer

34

Function menu

Description

User level

High
Reliability

Display stateful failover information.

Monitor

Modify stateful failover configuration.

Configure

Stateful Failover

Common Web interface elements


Common buttons and icons
Table 14 Common buttons and icons (the button images are not reproduced in this text; each line describes one button or icon)
Button and icon | Description
- Bring the configuration on the current page into effect.
- Cancel the configuration on the current page, and go to the corresponding display page or device information page.
- Refresh the information on the current page.
- Clear all statistics or items in a list.
- Enter the page for adding an entry.
- Delete entries on a list.
- Select all the entries on a list or all ports on a device panel.
- Clear all the entries on a list or all ports on a device panel.
- Restore the values of all the entries on the current page to the default.
- Typically located on a configuration procedure page of the configuration wizard; saves the configuration of the current procedure (without bringing it into effect) and goes to the page of the next procedure.
- Typically located on a configuration procedure page of the configuration wizard; saves the configuration of the current procedure (without bringing it into effect) and returns to the page of the previous procedure.
- Typically located on a configuration procedure page of the configuration wizard; brings all configurations into effect.
- Typically located in the Operation column of a display page; opens the modify page of the corresponding entry so that you can display or modify the configuration of the entry.
- Typically located in the Operation column of a display page; removes an entry.

Content display by pages


The Web interface can display contents by pages, as shown in Figure 18. You can set the number of
entries displayed per page, and view the contents on the first, previous, next, and last pages, or go to any
page that you want to check.

Figure 18 Content display by pages

Searching function
The Web interface provides basic and advanced search functions to display only the entries that match specific search criteria.

Basic search: As shown in Figure 18, enter the keyword in the text box above the list, select a search item from the list, and click Search to display the entries that match the criteria. Figure 19 shows an example of searching for entries whose MAC address contains 00e0.

Figure 19 Basic search function example


Advanced search: As shown in Figure 18, click the Advanced Search link to open the advanced search page, as shown in Figure 20. Specify the search criteria, and click Apply to display the entries that match the criteria.

Figure 20 Advanced search

Take the ARP table shown in Figure 18 as an example. To search for the ARP entries whose MAC address begins with 000f and whose IP address is in the range 192.168.1.50 to 192.168.1.59, follow these steps:

1. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 21, and click Apply. The ARP entries whose MAC address begins with 000f are displayed.

Figure 21 Advanced search function example (I)

2. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 22, and click Apply. The ARP entries whose MAC address begins with 000f and whose IP address is in the range 192.168.1.50 to 192.168.1.59 are displayed, as shown in Figure 23.


Figure 22 Advanced search function example (II)

Figure 23 Advanced search function example (III)
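The two searches above (a basic search for a substring of the MAC address, and an advanced search that combines a MAC prefix with an IP address range) can be reproduced offline over an exported ARP table. The following Python is an added example, not code from the guide or from H3C: the ARP entries, the function names, and the hyphenated MAC notation are assumptions made for the example. It goes slightly beyond the Web page in accepting MAC addresses and prefixes written with hyphens, colons, or no separator at all, and in rejecting an inverted IP range instead of silently returning nothing.

```python
import ipaddress
from typing import NamedTuple, Optional


class ArpEntry(NamedTuple):
    ip: str
    mac: str        # H3C display notation: xxxx-xxxx-xxxx
    vlan: int
    interface: str


# Constructed sample entries for the example; not output from a real device.
SAMPLE_ARP_TABLE = [
    ArpEntry("192.168.1.50", "000f-e200-0001", 1, "GigabitEthernet1/0/1"),
    ArpEntry("192.168.1.55", "000f-e200-0002", 1, "GigabitEthernet1/0/1"),
    ArpEntry("192.168.1.60", "000f-e200-0003", 1, "GigabitEthernet1/0/1"),
    ArpEntry("192.168.1.52", "00e0-fc12-3456", 1, "GigabitEthernet1/0/2"),
    ArpEntry("10.0.0.7", "000f-aaaa-bbbb", 10, "Vlan-interface10"),
]


def hex_digits(text: str) -> str:
    """Lower-case hex digits of a MAC (or MAC fragment) with separators removed,
    so that 000f-e200-0001, 00:0F:E2:00:00:01 and 000fe2000001 compare equal."""
    return "".join(ch for ch in text.lower() if ch in "0123456789abcdef")


def search_arp(entries, mac_prefix: Optional[str] = None, mac_contains: Optional[str] = None,
               ip_start: Optional[str] = None, ip_end: Optional[str] = None):
    """Return the entries that satisfy every criterion given (criteria are ANDed).

    mac_contains reproduces the basic search ('00e0 included in the MAC address');
    mac_prefix together with ip_start/ip_end reproduces the advanced search above.
    """
    lo = ipaddress.ip_address(ip_start) if ip_start else None
    hi = ipaddress.ip_address(ip_end) if ip_end else None
    if lo is not None and hi is not None and lo > hi:
        raise ValueError("ip_start must not be higher than ip_end")
    prefix = hex_digits(mac_prefix) if mac_prefix else ""
    needle = hex_digits(mac_contains) if mac_contains else ""

    matches = []
    for entry in entries:
        mac = hex_digits(entry.mac)
        if len(mac) != 12:
            raise ValueError(f"not a MAC address: {entry.mac!r}")
        if prefix and not mac.startswith(prefix):
            continue
        if needle and needle not in mac:
            continue
        addr = ipaddress.ip_address(entry.ip)   # IPv4 entries only, as in the ARP table
        if lo is not None and addr < lo:
            continue
        if hi is not None and addr > hi:
            continue
        matches.append(entry)
    return matches


if __name__ == "__main__":
    for e in search_arp(SAMPLE_ARP_TABLE, mac_prefix="000f",
                        ip_start="192.168.1.50", ip_end="192.168.1.59"):
        print(e.ip, e.mac, e.vlan, e.interface)
```

Matching is done on the separator-free hex string, so a substring search can also match across a hyphen in the displayed address; if you need the behaviour of matching only the displayed text, compare against entry.mac instead.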

Sorting function
The Web interface can display entries in a chosen order.
On a list page, click the blue heading of a column to sort the entries by that column. After you click, the heading is displayed with an arrow beside it, as shown in Figure 24. An upward arrow indicates ascending order, and a downward arrow indicates descending order.


Figure 24 Basic sorting function example (based on IP address in the descending order)

Configuration guidelines

- The Web-based configuration interface supports the operating systems Windows XP, Windows 2000, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Vista, Linux, and Mac OS.
- The Web-based configuration interface supports the browsers Microsoft Internet Explorer 6.0 SP2 and higher, Mozilla Firefox 3.0 and higher, and Google Chrome 2.0.174.0 and higher.
- The Web-based configuration interface does not support the browser's Back, Next, and Refresh buttons. Using these buttons may result in abnormal display of Web pages.
- The Windows firewall limits the number of TCP connections, so when you use IE to log in to the Web interface, you may sometimes be unable to open it. To avoid this problem, turn off the Windows firewall before login. Turning the firewall off removes protection from the whole host, so re-enable it as soon as you have finished, or instead allow only the connections to the device's management address through it.
- If the software version of the device changes, clear the browser cache before logging in to the device through the Web interface; otherwise, the Web page content may not be displayed correctly.
- A list that supports content display by pages can show at most 20,000 entries.


Troubleshooting Web browser


Failure to access the device through the Web interface
Symptom
You can ping the device successfully, and log in to the device through telnet. HTTP is enabled and the
operating system and browser version meet the Web interface requirements. However, you cannot
access the Web interface of the device.

Analysis

- If you use Microsoft Internet Explorer, you can access the Web interface only when these functions are enabled: Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.
- If you use Mozilla Firefox, you can access the Web interface only when JavaScript is enabled.

Configuring the Internet Explorer settings

1. Open Internet Explorer, and then select Tools > Internet Options.
2. Click the Security tab, and then select a Web content zone to specify its security settings. Apply the settings below to the zone that contains the device's management address (for example, Trusted sites) rather than to the Internet zone, so that ActiveX stays disabled for other sites.

Figure 25 Internet Explorer setting (I)

3. Click Custom Level. The Security Settings dialog box appears.
4. As shown in Figure 26, enable these functions: Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting.

Figure 26 Internet Explorer setting (II)

5. Click OK in the Security Settings dialog box.

Configuring Firefox Web browser settings

1. Open the Firefox Web browser, and then select Tools > Options.
2. Click the Content tab, select Enable JavaScript, and click OK.


Figure 27 Firefox Web browser setting


Summary
Device information
You can view the following information on the Device Info menu:

Device information

System resource state

Device interface information

Recent system logs (at most five)

After logging in to the Web interface, you enter the Summary > Device Info page.
Figure 28 Device info page

Select the refresh mode from the Refresh Period list.

If you select a specific refresh period (for example, 1 minute), the system periodically refreshes the
Device Info page according to the selected refresh period.

If you select Manual, you need to click Refresh to refresh the page.


Device info
Table 15 Field description
Field

Description

Device Name

Display the device model.

Product Information

Display the product information.


Device Location

Display the location of the device. To configure the device location information, select Device > SNMP > Setup; for more information, see "SNMP configuration."

Contact Information

Display the contact information for device maintenance. To configure the contact information, select Device > SNMP > Setup; for more information, see "SNMP configuration."

SerialNum

Display the serial number of the device.

Software Version

Display the software version of the device.

Hardware Version

Display the hardware version of the device.

Bootrom Version

Display the Boot ROM version of the device.

Running Time

Display the running time after the latest boot of the device.

System resource state


Table 16 Field description
Field

Description

CPU Usage

Display the real-time CPU usage.

Memory Usage

Display the real-time memory usage and the total memory size.

Temperature

Display the temperature of the device.

Device interface information


Table 17 Field description
Field

Description

Interface

Display interface name and interface number.

IP Address/Mask

Display the IP address and mask of an interface.


Status

Display the interface status, shown as an icon: the interface is up and connected; the interface is up but not connected; or the interface is down.


NOTE:
For more information about device interfaces, click the More hyperlink under the Device Interface
Information area to enter the Device > Interface page to view and operate the interfaces. For more
information, see "Interface management."

Recent system logs


Table 18 Field description
Field

Description

Time

Display the time when the system logs are generated.

Level

Display the level of the system logs.

Description

Display the contents of the system logs.

NOTE:
For more information about system logs, click the More hyperlink under the Recent System Operation
Logs area to enter the Device > Syslog > Loglist page to view the logs. For more information, see "Log
management."

Displaying WLAN service


1. Select Summary > Wireless Service from the navigation tree.
2. Click the specified WLAN service to view its detailed information, statistics, or connection history.

Displaying detailed information of WLAN service


The detailed information of WLAN service (clear type) is as shown in Figure 29. For the description of the
fields, see Table 19.


Figure 29 Display detailed information of WLAN service (clear type)

Table 19 Field description


Field

Description

Service Template Number

Service template number.

SSID

Service set identifier (SSID) for the ESS.

Binding Interface

Name of the interface bound with the service template.

Service Template Type

Service template type.


Authentication Method

Type of authentication used. A WLAN service of the clear type uses only open system authentication.

SSID-hide

- Disable: The SSID is advertised in beacon frames.
- Enable: The SSID is not advertised in beacon frames.

Bridge Mode

Forwarding mode:
- Local forwarding: The service template uses local forwarding.
- Remote forwarding: The service template uses AC remote forwarding.

Service Template Status

Status of the service template:
- Enable: WLAN service is enabled.
- Disable: WLAN service is disabled.

Maximum clients per BSS

Maximum number of associated clients per BSS.

The detailed information of WLAN service (crypto type) is as shown in Figure 30. For the description of
the fields in the detailed information, see Table 20.

Figure 30 Display detailed information of WLAN service (crypto type)

Table 20 Field description


Field

Description

Service Template Number

Service template number.

SSID

SSID for the ESS.

Binding Interface

Name of the interface bound with the service template.

Service Template Type

Service template type.

Security IE

Security IE: WPA or WPA2 (RSN)

Authentication Method

Authentication method: open system or shared key.

SSID-hide

- Disable: The SSID is advertised in beacon frames.
- Enable: The SSID is not advertised in beacon frames.

Cipher Suite

Cipher suite: AES-CCMP, TKIP, WEP40, WEP104, or WEP128.

TKIP Countermeasure Time(s)

TKIP countermeasure time in seconds.

PTK Life Time(s)

PTK lifetime in seconds.

GTK Rekey

GTK rekey configured.

GTK Rekey Method

GTK rekey method configured: packet based or time based.


Time for GTK rekey in seconds.

GTK Rekey Time(s)

If Time is selected, the GTK will be refreshed after a specified period


of time.

If Packet is selected, the GTK will be refreshed after a specified


number of packets are transmitted.

Forwarding mode:
Bridge Mode

Local forwardingUses local forwarding in the service template.


Remote forwardingUses AC remote forwarding in the service
template.

47

Field

Description
Status of service template:

Service Template Status

EnableEnables WLAN service.


DisableDisables WLAN service.

Maximum clients per BSS

Maximum number of associated clients per BSS.

Displaying statistics of WLAN service


The statistics of WLAN service are as shown in Figure 31.
Figure 31 Displaying WLAN service statistics

Displaying connection history information of WLAN service


The connection history information of WLAN service is as shown in Figure 32.


Figure 32 Displaying the connection history information of WLAN service

Displaying AP
Select Summary > AP from the navigation tree to enter the AP page, as shown in Figure 33. You can
display the WLAN service information, connection history, radio and detailed information of an AP by
clicking the tabs on the page.

Displaying WLAN service information of an AP


The WLAN service information of an AP is as shown in Figure 33.
Figure 33 Displaying WLAN service information

Displaying AP connection history information


The connection history information of an AP is as shown in Figure 34.


Figure 34 Displaying AP connection history information

Displaying AP radio information


Select Summary > AP from the navigation tree to enter the AP page, click the Radio tab on the page, and
click the name of the specified AP to view the radio statistics of an AP.
The radio statistics of an AP are as shown in Figure 35. For the description of the fields in the AP radio
statistics, see Table 21.


Figure 35 Displaying AP radio information

NOTE:
The Noise Floor item in the table indicates various random electromagnetic waves during the wireless
communication. For the environment with a high noise floor, you can improve the signal-to-noise ratio
(SNR) by increasing the transmit power or reducing the noise floor.
The Service Type item in the table has two options: Access and Mesh.
Res Using Ratio represents the resource utilization of a radio within a certain period. For example, in a
period of 10 seconds, if a radio has occupied the channel for five seconds, the resource utilization of the
radio is 5 seconds divided by 10 seconds: 50%.
Table 21 Field description
Field

Description

AP name

Access point name.

Radio Id

Radio ID.

Transmitted Frames Statistics

Statistics of transmitted frames.

Total Frames

Total number of frames transmitted, including probe response frames and beacon frames. Total Frames = Unicast Frames + Broadcast/Multicast Frames + Others.

Unicast Frames

Number of unicast frames transmitted, excluding probe response frames.

Broadcast/Multicast Frames

Number of broadcast or multicast frames transmitted, excluding beacon frames.

Others

Total number of other type of frames transmitted.

Discard Frames

Number of frames discarded.

Retry Count

Number of transmission retries.

Multiple Retry Count

Number of frames that have been retransmitted.

Authentication Frames

Number of authentication responses transmitted.

Failed RTS

Number of RTS failed during transmission.

Successful RTS

Number of RTS transmitted successfully.

Failed ACK

Number of transmitted frames for which no acknowledgement is


received.

Association Frames

Number of association responses transmitted.

Received Frames Statistics

Statistics of received frames.

Total Frames

Number of frames received.

Unicast Frames

Number of unicast frames received.

Broadcast/Multicast Frames

Number of broadcast or multicast frames received.

Fragmented Frames

Number of fragmented frames received.

FCS Failures

Number of frames dropped due to FCS failure.

Authentication Frames

Number of authentication requests received.

Duplicate Frames

Number of duplicate frames received.

Decryption Errors

Number of frames dropped due to decryption error.

Association Frames

Number of association requests received.

Displaying AP detailed information


Select Summary > AP from the navigation tree to enter the AP page, click the Detail tab on the page, and
click the name of the specified AP to view the detailed information of an AP.
The detailed information of an AP is as shown in Figure 36. For the description of the fields in the AP
detailed information, see Table 22.


Figure 36 Displaying AP detailed information

Table 22 Field description


Field

Description

APID

Access point identifier.

AP System Name

Access point name.

Map Configuration

Configuration file mapped to the AP.


State

Current state of the AP:
- ImageDownload: The AP is downloading the software image. If this state persists, check that the fit AP image saved on the AC matches the version the AC requires, and that the AP has enough flash space.
- Idle: The AP is idle. If this state persists: if the Latest IP Address and Tunnel Down Reason fields both show -NA-, the AP has never connected to the AC successfully; check the network cable, the power supply of the fit AP, and the AP serial number if it was entered manually. If those fields show other values, the AP has connected to the AC successfully before; see the Tunnel Down Reason field for the detailed reason.
- Run: The AP is operating; it has connected to the AC successfully.
- Config: The AC is delivering the configuration file to the fit AP, and the fit AP is collecting radio information through its radio interface and reporting it to the AC. This is a transient state.

Up Time(hh:mm:ss)

Time duration for which the AP has been connected to the AC. NA indicates
AP is not connected to the AC.

Model

AP model name.


Serial-ID

Serial ID of the AP.

IP Address

IP address of the AP.

H/W Version

Hardware version of the AP.

S/W Version

Software version of the AP.

Boot-Rom version

Boot ROM version of the AP.

Description

Description of the AP.

Connection Type

AP connection type: "Master" or "Backup"

Peer AC MAC Address

Peer AC MAC address in case of AC backup.

Priority Level

AP connection priority.

Echo Interval(s)

Interval for sending echo requests, in seconds.

Statistics report Interval(s)

Interval for sending statistics information messages, in seconds.

Cir (Kbps)

Committed information rate in kbps.

Cbs (Bytes)

Committed burst size in bytes.

Jumboframe Threshold

Threshold value of jumbo frames.

Transmitted control packets

Number of transmitted control packets.

Received control packets

Number of received control packets.

Transmitted data packets

Number of transmitted data packets.

Received data packets

Number of received data packets.

Configuration Failure Count

Count of configuration request message failures.

Last Failure Reason

Last configuration request failure reason.


Last Reboot Reason

Reason for the last reboot of the AP:
- Normal: The AP was powered off.
- Crash: The AP crashed; the crash information is needed for analysis.
- Tunnel Initiated: The reset wlan ap command was executed on the AC (in this case, Tunnel Down Reason shows Reset AP).
- Tunnel Link Failure: The fit AP rebooted abnormally because an error occurred while the AP was establishing a connection with the AC.

Latest IP Address

IP address the AP used the last time it connected to the AC.

Tunnel Down Reason

Reason the tunnel between the AC and the AP went down:
- Neighbor Dead Timer Expire: The AC did not receive an Echo request from the AP within three times the handshake interval.
- Response Timer Expire: The AC sent a control packet to the AP but did not receive a response within the specified waiting time.
- Reset AP: The AP was rebooted by a command executed on the AC.
- AP Config Change: The corresponding configurations were modified on the AC.
- No Reason: Other reasons.

Connection Count

Number of times the AP has connected to the AC. This field is reset when the AC is rebooted, or when you re-configure an AP template after deleting the old one. Clicking Reboot on this page to reboot the AP does not reset the count.

AP Mode

Mode supported by the AP. Currently only the split MAC mode is supported.

AP operation mode

Operation mode of AP. Currently Normal and Monitor modes are


supported.

Portal Service

Whether the portal service is enabled or not.

Device Detection

Whether device detection is enabled or not.

Maximum Number of Radios

Maximum number of radios supported by the AP.

Current Number of Radios

Number of radios in use on the AP.

Client Keep-alive Interval

Interval to detect clients segregated from the system due to various reasons
such as power failure or crash, and disconnect them from the AP.

Client Idle Interval(s)

If the client is idle for more than the specified interval, that is, if the AP does
not receive any data from the client within the specified interval, the client
will be removed from the network.

Broadcast-probe Reply Status

Whether the AP is enabled to respond to broadcast probe requests or not.

Basic BSSID

MAC address of the AP.

Current BSS Count

Number of BSSs connected with the AP.

Running Clients Count

Number of clients currently running.

Wireless Mode

Wireless mode: 802.11a, 802.11b, or 802.11g.

Client Dot11n-only

EnabledOnly 802.11n clients can be associated with the AP.


Disabled802.11a/b/g/n clients can be associated with the AP.

Channel Band-width

Channel bandwidth, 20 MHz or 40 MHz.


Secondary channel offset

Secondary channel information for 802.11n radio mode:
- SCA (Second Channel Above): The AP operates in 40 MHz bandwidth mode, and the secondary channel is above the primary channel.
- SCB (Second Channel Below): The AP operates in 40 MHz bandwidth mode, and the secondary channel is below the primary channel.
- SCN: The AP operates in 20 MHz bandwidth mode.

HT protection mode

802.11n protection mode:
- No protection mode (0): The clients associated with the AP and the wireless devices within the coverage of the AP all operate in 802.11n mode, and all the clients associated with the AP operate in either 40 MHz or 20 MHz mode.
- Non-member mode (1): The clients associated with the AP operate in 802.11n mode, but non-802.11n wireless devices exist within the coverage of the AP.
- 20 MHz mode (2): The radio mode of the AP is 40 MHz. The clients associated with the AP and the wireless devices within the coverage of the AP operate in 802.11n mode, and at least one 802.11n client operating in 20 MHz mode is associated with the radio of the AP.
- Non-HT mix mode (3): All situations other than the three above.


Short GI for 20MHz

Whether the AP supports short GI when it operates in 20 MHz mode.

Short GI for 40MHz

Whether the AP supports short GI when it operates in 40 MHz mode.

Mandatory MCS Set

Mandatory MCS for the AP.

Supported MCS Set

Supported MCS for the AP.

A-MSDU

Status of the A-MSDU function: enable or disable.

A-MPDU

Status of the A-MPDU function: enable or disable.


Configured Channel

Operating channel:
- If the channel is manually configured, the configured channel number is displayed.
- If the channel is automatically selected, auto(channel) is displayed, where channel is the optimal channel automatically selected by the AC.
If the AP operates in 802.11n radio mode and 40 MHz bandwidth mode, this field displays the primary channel.

Configured Power(dBm)

Transmit power of the radio:
- If one-time transmit power control is used, the configured transmit power is displayed.
- If auto TPC is used, two values are displayed: the maximum power, and auto(number), where number is the actual power.

Interference (%)

Interference observed on the operating channel, in percentage.

Channel Load (%)

Load observed on the operating channel, in percentage.

Utilization (%)

Utilization rate of the operating channel, in percentage.

Co-channel Neighbor Count

Number of neighbors found on the operating channel.

Channel Health

Status of the channel.

Preamble Type

Type of preamble that the AP can support: short or long.

Radio Policy

Radio policy used.

Service Template

Service template number.

SSID

SSID for the ESS.

Port

WLAN-DBSS interface associated with the service template.

Mesh Policy

Mesh policy adopted.



ANI Support

ANI (Adaptive Noise Immunity) status: enabled or disabled.

11g Protection

802.11g protection status: enable or disable.

Admin State

Administrative state of the radio.

Physical State

Physical state of the radio.

Operational Rates (Mbps)

Operational rates in Mbps.

Radar detected Channels

Channels on which radar signals are detected.
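Three of the fields in Table 22 are timing rules the AC applies to its APs and their clients: an Echo request must arrive within three times the echo interval or the tunnel is recorded as Neighbor Dead Timer Expire, a control packet must be answered within a waiting time or the reason is Response Timer Expire, and a client from which no data arrives within the Client Idle Interval is removed. The following Python is an added example, not code from the guide or from H3C; it replays a constructed event trace against those rules so you can see which AP or client a given timeline would drop. The event names, the AP and client identifiers, and the control-packet waiting time (the guide gives no value for it) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

DEAD_TIMER_MULTIPLIER = 3  # Table 22: dead timer = three times the AP's echo (handshake) interval


@dataclass
class ApTunnel:
    name: str
    echo_interval_s: int                            # the AP's Echo Interval(s)
    last_echo_s: Optional[float] = None             # when the AC last received an Echo request
    awaiting_reply_since_s: Optional[float] = None  # control packet sent, reply still outstanding
    reply_wait_s: int = 20                          # assumed waiting time; the guide gives no value


@dataclass
class ClientSession:
    mac: str
    idle_interval_s: int                            # Client Idle Interval(s)
    last_data_s: Optional[float] = None             # when the AP last received data from the client


def tunnel_down_reason(ap, now_s):
    """Return the Tunnel Down Reason the AC would record, or None while the tunnel is healthy.
    An AP that has never echoed has never connected (the page shows -NA-), so there is no reason."""
    if ap.last_echo_s is None:
        return None
    if now_s - ap.last_echo_s > DEAD_TIMER_MULTIPLIER * ap.echo_interval_s:
        return "Neighbor Dead Timer Expire"
    if ap.awaiting_reply_since_s is not None and now_s - ap.awaiting_reply_since_s > ap.reply_wait_s:
        return "Response Timer Expire"
    return None


def client_idle(client, now_s):
    """True when the AP has received no data from the client for longer than its idle interval."""
    return client.last_data_s is not None and now_s - client.last_data_s > client.idle_interval_s


def apply_events(aps, clients, events):
    """Replay a trace of (time_s, event, subject) tuples into the AP and client records.
    Events: 'echo' (Echo request from an AP), 'ctrl_sent' / 'ctrl_reply' (control packet sent
    to an AP and its reply), 'data' (data frame from a client). Unknown subjects are ignored."""
    for t, event, subject in sorted(events, key=lambda e: e[0]):
        if event == "echo" and subject in aps:
            aps[subject].last_echo_s = t
        elif event == "ctrl_sent" and subject in aps:
            aps[subject].awaiting_reply_since_s = t
        elif event == "ctrl_reply" and subject in aps:
            aps[subject].awaiting_reply_since_s = None
        elif event == "data" and subject in clients:
            clients[subject].last_data_s = t


def evaluate(aps, clients, now_s):
    """Return ({AP name: Tunnel Down Reason}, [idle client MACs]) as of now_s."""
    down = {}
    for name, ap in aps.items():
        reason = tunnel_down_reason(ap, now_s)
        if reason:
            down[name] = reason
    idle = [c.mac for c in clients.values() if client_idle(c, now_s)]
    return down, idle


# Constructed trace (not real AC output): ap2 stops sending Echo requests after t=0,
# ap3 never answers the control packet sent at t=20, and client 00e0-fc12-3456 goes quiet.
SAMPLE_APS = {name: ApTunnel(name, echo_interval_s=10) for name in ("ap1", "ap2", "ap3")}
SAMPLE_CLIENTS = {
    "00e0-fc12-3456": ClientSession("00e0-fc12-3456", idle_interval_s=20),
    "000f-e200-0001": ClientSession("000f-e200-0001", idle_interval_s=20),
}
SAMPLE_EVENTS = [
    (0, "echo", "ap1"), (0, "echo", "ap2"), (0, "echo", "ap3"),
    (5, "data", "00e0-fc12-3456"),
    (10, "echo", "ap1"), (10, "echo", "ap3"),
    (20, "echo", "ap1"), (20, "echo", "ap3"), (20, "ctrl_sent", "ap3"),
    (30, "echo", "ap1"), (30, "echo", "ap3"), (30, "data", "000f-e200-0001"),
    (40, "echo", "ap1"), (40, "echo", "ap3"),
]


def run_sample(now_s=45.0):
    """Replay the constructed trace and report what has timed out at now_s."""
    apply_events(SAMPLE_APS, SAMPLE_CLIENTS, SAMPLE_EVENTS)
    return evaluate(SAMPLE_APS, SAMPLE_CLIENTS, now_s)


if __name__ == "__main__":
    print(run_sample())
```

With the trace as constructed, at t=45 ap2 is reported as Neighbor Dead Timer Expire (45 s since its last echo, against a 30 s dead timer), ap3 as Response Timer Expire, and only the first client as idle; ap1 stays healthy because its last echo is 5 s old.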

Displaying clients
Select Summary > Client from the navigation tree to enter the page as shown in Figure 37. For the
description of the fields in the client information, see Table 23.
Figure 37 Displaying clients

Table 23 Field description


Field

Description

Refresh

Refresh the current page.

Add to Blacklist

Add the selected client to the static blacklist, which you can display by
selecting Security > Filter from the navigation tree.

Reset Statistic

Clear statistics of the specified client.

Disconnect

Log off the selected client.

Displaying client detailed information


Select Summary > Client from the navigation tree to enter the Client page, click the Detail Information tab
on the page, and click the name of the specified client to view the detailed information of the client.
The detailed information of a client is as shown in Figure 38. For the description of the fields in the client
detailed information, see Table 24.


Figure 38 Displaying client detailed information

Table 24 Field description


Field

Description

MAC address

MAC address of the client.

AID

Association ID of the client.


User Name

Username of the client. The field shows NA if the client uses plain-text authentication or an authentication method that does not require a username. The field does not apply to portal authentication: for a client that uses portal authentication, it does not show the portal username.

AP Name

Name of the AP.

Radio Id

Radio ID of the client.

SSID

SSID of the AP.

BSSID

BSSID of the AP.

Port

WLAN-DBSS interface associated with the client.

VLAN

VLAN to which the client belongs.

State

State of the client.


Backup indicates a backup client.

Power Save Mode

Client's power save mode: active or sleep.

Wireless Mode

Wireless mode, such as 802.11a, 802.11b, 802.11g, 802.11an, or 802.11gn.

Channel Band-width

Channel bandwidth, 20 MHz or 40 MHz.

SM Power Save Enable

SM Power Save lets a client keep one antenna active and the others asleep to save power.
- Enabled: SM Power Save is supported.
- Disabled: SM Power Save is not supported.

Short GI for 20MHz

Whether the client supports short GI when its channel bandwidth is 20 MHz: Supported or Not Supported.

Short GI for 40MHz

Whether the client supports short GI when its channel bandwidth is 40 MHz: Supported or Not Supported.

Support MCS Set

MCS supported by the client.

BLOCK ACK-TID 0

Block Ack negotiated for QoS priority (TID) 0: OUT (outbound direction), IN (inbound direction), or BOTH (both directions).

BLOCK ACK-TID 1

Block Ack negotiated for QoS priority (TID) 1: OUT (outbound direction), IN (inbound direction), or BOTH (both directions).

BLOCK ACK-TID 2

Block Ack negotiated for QoS priority (TID) 2: OUT (outbound direction), IN (inbound direction), or BOTH (both directions).

BLOCK ACK-TID 3

Block Ack negotiated for QoS priority (TID) 3: OUT (outbound direction), IN (inbound direction), or BOTH (both directions).

QoS Mode

Whether the AP supports the WMM function.

Listen Interval (Beacon Interval)

Specifies how often the client wakes up to receive frames saved in the
AP and is expressed in units of beacon interval.

RSSI

Received signal strength indication. This value indicates the client


signal strength detected by the AP.

Rx/Tx Rate

Represents the frame reception/transmission rate of the client,


including data, management, and control frames. For the AC + fit AP
mode, there is delay because Rx Rate is transmitted from AP to AC
periodically depending on the statistics interval.

Client Type

Client type such as RSN, WPA, or Pre-RSN.

Authentication Method

Authentication method such as open system or shared key.

AKM Method

AKM suite used, such as Dot1X or PSK.

59

Field

Description
Displays either of the 4-way handshake states:

4-Way Handshake State

IDLEDisplayed in initial state.


PTKSTARTDisplayed when the 4way handshake is initialized.
PTKNEGOTIATINGDisplayed after valid message 3 was sent.
PTKINITDONEDisplayed when the 4-way handshake is successful.

Displays the group key state:


Group Key State

IDLEDisplayed in initial state.


REKEYNEGOTIATEDisplayed after the AC sends the initial
message to the client.

REKEYESTABLISHEDDisplayed when re-keying is successful.


Encryption Cipher

Encryption password: clear or crypto.

Roam Status

Displays the roaming status: Normal or Fast Roaming.


Roaming count of the client, including intra-AC roaming and inter-AC
roaming.

Roam Count

For intra-AC roaming, this field is reset after the client is


de-associated with the AP connected to the AC.

For inter-AC roaming, this field is reset after the client leaves the
mobility group to which the AC belongs.

Up Time

Time for which the client has been associated with the AP.
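The 4-way handshake states in Table 24 are easier to interpret with a model of what drives them. The following is an added example, not code from the H3C guide or the AC's implementation: it classifies EAPOL-Key frames by their IEEE 802.11 Key Information bits and walks an authenticator through the page's IDLE, PTKSTART, PTKNEGOTIATING and PTKINITDONE states. The rule that out-of-order frames and frames with a failed MIC leave the state unchanged is this example's own modelling; the sample Key Information values are typical WPA2 captures, not taken from the page.

```python
"""Authenticator-side tracker for the 4-way handshake states listed above.

Added example, not code from the H3C guide. The state names IDLE, PTKSTART,
PTKNEGOTIATING and PTKINITDONE are the ones the page lists; the Key
Information bit layout is from IEEE 802.11 (RSN EAPOL-Key frames). The
decision to ignore out-of-order frames and frames with a bad MIC is this
example's own modelling, not a description of the AC's implementation.
"""

# EAPOL-Key "Key Information" field bits (IEEE 802.11).
KEY_TYPE_PAIRWISE = 1 << 3   # 1 = pairwise (PTK) handshake, 0 = group key
KEY_INSTALL = 1 << 6
KEY_ACK = 1 << 7
KEY_MIC = 1 << 8
KEY_SECURE = 1 << 9


def classify_message(key_info: int) -> int:
    """Return 1..4 for the 4-way handshake message the Key Information bits
    describe, or 0 for anything else (e.g. a group-key handshake frame)."""
    if not key_info & KEY_TYPE_PAIRWISE:
        return 0
    ack = bool(key_info & KEY_ACK)
    mic = bool(key_info & KEY_MIC)
    install = bool(key_info & KEY_INSTALL)
    secure = bool(key_info & KEY_SECURE)
    if ack and not mic:
        return 1            # AC -> client: ANonce, nothing to authenticate yet
    if mic and not ack and not secure and not install:
        return 2            # client -> AC: SNonce, first MIC
    if ack and mic and install and secure:
        return 3            # AC -> client: GTK, Install and Secure set
    if mic and secure and not ack and not install:
        return 4            # client -> AC: final confirmation
    return 0


class Authenticator4Way:
    """Tracks one client through IDLE -> PTKSTART -> PTKNEGOTIATING -> PTKINITDONE,
    the states the AC's client detail page displays."""

    def __init__(self) -> None:
        self.state = "IDLE"
        self.sent = []          # messages this side emitted (1 and 3)

    def start(self) -> str:
        """The AC sends message 1; the page shows PTKSTART once the handshake
        has been initiated."""
        self.sent.append(1)
        self.state = "PTKSTART"
        return self.state

    def receive(self, key_info: int, mic_valid: bool) -> str:
        """Process an EAPOL-Key frame from the client and return the new state.
        A frame that is out of order for the current state, or whose MIC did
        not verify, is dropped and the state is unchanged."""
        if not mic_valid:
            return self.state
        msg = classify_message(key_info)
        if self.state == "PTKSTART" and msg == 2:
            self.sent.append(3)            # valid message 2 -> send message 3
            self.state = "PTKNEGOTIATING"  # page: after valid message 3 was sent
        elif self.state == "PTKNEGOTIATING" and msg == 4:
            self.state = "PTKINITDONE"     # page: handshake successful
        return self.state


if __name__ == "__main__":
    # Key Information values typical of a WPA2-PSK (CCMP) capture (assumed sample).
    ac = Authenticator4Way()
    ac.start()
    print(ac.receive(0x010a, mic_valid=True))   # PTKNEGOTIATING
    print(ac.receive(0x030a, mic_valid=True))   # PTKINITDONE
```

A client stuck at PTKSTART on this page therefore means the AC never saw a valid message 2 (wrong PSK or a MIC failure); a client stuck at PTKNEGOTIATING means message 3 went out but message 4 never verified.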

Displaying client statistics


Select Summary > Client from the navigation tree to enter the Client page, click the Statistic Information
tab on the page, and click the name of the specified client to view the statistics of the client.
The statistics of a client is as shown in Figure 39. For the description of the fields in the client statistic
information, see Table 25.
Figure 39 Displaying client statistics

Table 25 Field description

AP Name: Name of the associated access point.
Radio Id: Radio ID.
SSID: SSID of the AP.
BSSID: BSSID of the AP.
MAC Address: MAC address of the client.
RSSI: Received signal strength indication. This value indicates the client signal strength detected by the AP.
Transmitted Frames: Number of transmitted frames.
Back Ground(Frames/Bytes): Statistics of background traffic, in frames and in bytes.
Best Effort(Frames/Bytes): Statistics of best effort traffic, in frames and in bytes.
Video(Frames/Bytes): Statistics of video traffic, in frames and in bytes.
Voice(Frames/Bytes): Statistics of voice traffic, in frames and in bytes.
Received Frames: Number of received frames.
Discarded Frames: Number of discarded frames.

NOTE:
Per-queue statistics (Back Ground, Best Effort, Video, and Voice) are collected only for clients with QoS enabled. On a client without QoS enabled, all traffic, SVP packets included, is sent and received in the Best Effort queue, so the queues recorded in the statistics may differ from the queues the traffic was actually sent in. Per-queue statistics can be collected only for the priorities carried in Dot11E (802.11e) or WMM packets; otherwise, statistics collection for priority queues on the receiving end may fail.

Displaying client roaming information


Select Summary > Client from the navigation tree to enter the Client page, click the Roam Information tab
on the page, and click the name of the specified client to view the roaming information of the client.
Client roaming information is as shown in Figure 40. For the detailed description of the fields in the client
roaming information, see Table 26.

Figure 40 Displaying client roaming information

Table 26 Field description

BSSID: BSSID of the AP associated with the client.
Online-time: Online time of the client.
AC-IP-address: IP address of the AC connected with the client. When the configured roaming channel type is IPv6, the IPv6 address of the AC is displayed.

Displaying RF ping information


Radio Frequency Ping (RF Ping) is a ping function performed on wireless links. This function enables you
to get the connection information between the AP and its associated clients, such as signal strength,
packet re-transmission attempts, and round trip time (RTT).
Select Summary > Client from the navigation tree to enter the Client page, click the Link Test Information
tab on the page, and click the name of the specified client to view the link test information of the client,
as shown in Figure 41. For the description of the fields in the client link test information, see Table 27.

Figure 41 Viewing link test information

Table 27 Field description

No./MCS: Rate number for a non-802.11n client, or MCS value for an 802.11n client.
Rate(Mbps): Rate at which the radio interface sends wireless ping frames.
TxCnt: Number of wireless ping frames that the radio interface sent.
RxCnt: Number of wireless ping frames that the radio interface received from the client.
RSSI: Received signal strength indication. This value indicates the client signal strength detected by the AP.
Retries: Total number of retransmitted ping frames.
RTT(ms): Round trip time.

License management
Configuring licenses
A license controls the maximum number of online APs. You can add a license on a device to increase the
maximum number of online APs that the device supports. However, the upper limit of online APs that a
device supports is restricted by its specification and varies by device model. For more information, see
"Feature matrixes."

Adding a license
CAUTION:
After adding a license, you must reboot the device for the license to take effect.
You can also increase the maximum number of online APs by adding an enhanced license. For more information about enhanced licenses, see "Enhanced license management."
1. Select Device > License from the navigation tree.
   The License page appears.
Figure 42 License
2. In the Add License area, configure the license information as described in Table 28.
3. Click Add.

Table 28 Configuration items

License Key: Enter the license key.
Activation Key: Enter the activation key for the license.

Displaying license information

1. Select Device > License from the navigation tree.
   The page in Figure 42 appears.
2. View the license information in the License area.

Table 29 Field description

default AP number: Maximum number of APs that the device supports by default.
max AP number: Upper limit of APs that the device supports.
current AP number: Maximum number of APs that the device currently supports.
License Key: License key of the license.
Activation Key: Activation key of the license.
AP Number: Number of APs that the license supports.

Configuring enhanced licenses


Some features of the device can be used only after you register them by using an enhanced license. The
enhanced license required for registration can be a beta version or an official version. A beta version has
a lifetime, and the features registered by using the version cannot be used any more after the version
expires. An official version, obtained by purchasing the features, provides the serial number for
registering the features and presents a description of the features.

Registering an enhanced license

CAUTION:
After registering an enhanced license, you must reboot the device for the newly added features to take effect.
You can also increase the number of allowed APs by adding a license. For more information about licenses, see "License management."
1. Select Device > License from the navigation tree.
2. Click the Enhanced License tab.
   The Enhanced License tab page appears.
Figure 43 Enhanced license
3. Configure enhanced license information as described in Table 30.
4. Click Add.

Table 30 Configuration items

Feature Name: Select the name of the feature to be registered. For example, AP allows you to increase the number of APs.
Serial Number: Type the serial number of the license.

Displaying registered enhanced licenses

1. Select Device > License from the navigation tree.
2. Click the Enhanced License tab.
   The page in Figure 43 appears.
3. View the registered enhanced licenses at the lower part of the page.

Table 31 Field description

Feature Name: Name of the registered feature.
Serial Number: Serial number of the license.
Available Time Left: Time left for the license. After the time elapses, the license expires. The value Forever means that the license is an official version.
AP Number: Number of APs that the license supports.

Device basic information configuration

The device basic information feature provides the following functions:
Set the system name of the device. The configured system name is displayed at the top of the navigation bar.
Set the idle timeout period for a logged-in user. After the configured period, the system logs an idle user off the Web interface for security purposes.

Configuring system name

1. Select Device > Basic from the navigation tree.
   The page for configuring the system name appears.
Figure 44 System name
2. Set the system name for the device.
3. Click Apply.

Configuring Web idle timeout period

1. Select Device > Basic from the navigation tree.
2. Click the Web Idle Timeout tab.
   The page for configuring the Web idle timeout period appears.
Figure 45 Configuring Web idle timeout period
3. Set the Web idle timeout period for a logged-in user.
4. Click Apply.

Device maintenance
Software upgrade
A boot file, also known as the system software or device software, is an application file used to boot the device. Software upgrade allows you to upload a target application file from the local host and set it as the boot file to be used at the next reboot. You can also choose whether to reboot the device to bring the upgraded software into effect.
CAUTION:
A software upgrade takes some time. Avoid performing any operation on the Web interface during the upgrade. Otherwise, the upgrade may be interrupted.
You can keep the original file name or change it (the extension must stay the same) after you get the target application file from the local host.
1. Select Device > Device Maintenance from the navigation tree.
   The software upgrade configuration page appears.
Figure 46 Software upgrade configuration page
2. Configure the software upgrade parameters as described in Table 32.
3. Click Apply.

Table 32 Configuration items

File: Specify the path of the local application file, which must have the extension .app or .bin.
File Type: Specify the type of the boot file for the next boot:
  Main: Boots the device.
  Backup: Boots the device when the main boot file is unavailable.
If a file with the same name already exists, overwrite it without any prompt: Specify whether to overwrite an existing file with the same name. If you do not select this option and a file with the same name exists, the system prompts "The file has existed." and you cannot upgrade the software.
Reboot after the upgrade is finished: Specify whether to reboot the device to make the upgraded software take effect after the application file is uploaded.

Rebooting the device

CAUTION:
Before rebooting the device, save the configuration. Otherwise, all unsaved configuration is lost after the device reboots.
Log in to the Web interface again after the device reboots.
1. Select Device > Device Maintenance from the navigation tree.
2. Click the Reboot tab.
   The reboot tab page appears.
Figure 47 Device reboot page
3. Clear the box before "Check whether the current configuration is saved in the next startup configuration file" or keep it selected.
4. Click Apply.
   A confirmation dialog box appears.
5. Click OK.
   If you select the box before "Check whether the current configuration is saved in the next startup configuration file", the system checks the configuration before rebooting the device. If the check succeeds, the system reboots the device. If the check fails, the system displays a dialog box informing you that the current configuration and the saved configuration are inconsistent, and does not reboot the device. In this case, you must save the current configuration manually before you can reboot the device.
   If you do not select the box, the system reboots the device directly.

Generating the diagnostic information file

Each functional module has its own running information, and generally you need to view the output information for each module one by one. To collect as much information as possible in one operation during daily maintenance or when a system failure occurs, the device supports generating diagnostic information. When you perform the diagnostic information generation operation, the system saves the running statistics of multiple functional modules to a file named default.diag, and you can then locate problems faster by checking this file.
To generate the diagnostic information file:
1. Select Device > Device Maintenance from the navigation tree.
2. Click the Diagnostic Information tab.
   The diagnostic information tab page appears.
Figure 48 Diagnostic information
3. Click Create Diagnostic Information File.
   The system begins to generate the diagnostic information file. After the file is generated, the page in Figure 49 appears.
Figure 49 The diagnostic information file is created
4. Click Click to Download.
   The File Download dialog box appears. You can choose to open the file or save it to the local host.

NOTE:
Generating the diagnostic file takes a period of time. During this process, do not perform any operation on the Web page.
To view the file after it is generated successfully, select Device > File Management, or download the file to the local host. For more information, see "File management configuration."

System time
You need to configure a correct system time so that the device can work with other devices properly. The System Time feature allows you to display and set the device system time on the Web interface.
The device supports setting the system time through manual configuration and through automatic synchronization with an NTP server.
An administrator cannot keep time synchronized among all the devices within a network by changing the system clock on each device, because this is a time-consuming task and cannot guarantee clock precision. Defined in RFC 1305, the Network Time Protocol (NTP) synchronizes timekeeping among distributed time servers and clients.
NTP keeps consistent timekeeping among all clock-dependent devices within the network and ensures high clock precision, so that the devices can provide diverse applications based on consistent time.

Displaying the system time

1. Select Device > System Time from the navigation tree.
   The page for configuring the system time appears.
Figure 50 System time page
2. View the current system time at the top of the page.

Configuring the system time

1. Select Device > System Time from the navigation tree.
   The page in Figure 50 appears.
2. Click the System Time Configuration field.
   The calendar page appears.
Figure 51 Calendar page
3. Modify the system time either in the System Time Configuration field or through the calendar page.
   You can perform the following operations on the calendar page:
   a. Click Today to set the date on the calendar to the current system date of the local host; the time remains unchanged.
   b. Set the year, month, date, and time, and then click OK.
4. Click Apply on the system time configuration page to save your configuration.

Configuring the network time

1. Select Device > System Time from the navigation tree.
2. Click Net Time.
   The network time page appears.
Figure 52 Network time
3. Configure system time parameters as described in Table 33.
4. Click Apply.

Table 33 Configuration items

Clock status: Displays the synchronization status of the system clock.
Local Reference Source: Set the IP address of the local clock source to 127.127.1.u, where u ranges from 0 to 3 and represents the NTP process ID.
  If the IP address of the local clock source is specified, the local clock is used as the reference clock and can provide time for other devices.
  If the IP address of the local clock source is not specified, the local clock is not used as the reference clock.
Stratum: Set the stratum level of the local clock. The stratum level decides the precision of the local clock: a higher value indicates a lower precision. A stratum 1 clock has the highest precision, and a stratum 16 clock is unsynchronized and cannot be used as a reference clock.
Source Interface: Set the source interface for NTP messages. If you do not want the IP address of a certain interface on the local device to become the destination address of response messages, specify the source interface for NTP messages, so that the source IP address in the NTP messages is the primary IP address of that interface. If the specified source interface is down, the source IP address of the NTP messages sent is the primary IP address of the outbound interface.
Key 1, Key 2: Set the NTP authentication keys. Enable NTP authentication on a system running NTP in a network with high security demands. The feature enhances network security by means of client-server key authentication, which prohibits a client from synchronizing with a device that has failed authentication. You can set two authentication keys, each composed of a key ID and a key string:
  ID: The ID of the key.
  Key string: The character string used as the MD5 authentication key.
External Reference Source (NTP Server 1/Reference Key ID, NTP Server 2/Reference Key ID): You can configure two NTP servers; the client chooses the optimal reference source. Specify the IP address of an NTP server, and configure the authentication key ID used for the association with that server. The device synchronizes its time to the NTP server only if the key the server uses is the same as the specified key.
  IMPORTANT: The IP address of an NTP server is a unicast address. It cannot be a broadcast or multicast address, or the IP address of the local clock source.
TimeZone: Set the time zone for the system.

System time configuration example

Network requirements
As shown in Figure 53, the local clock of Switch is set as the reference clock.
AC operates in client mode and uses Switch as the NTP server.
NTP authentication is configured on both AC and Switch.
Figure 53 Network diagram

Configuring the switch
Configure the local clock as the reference clock with a stratum of 2, and configure authentication with key ID 24 and the trusted key aNiceKey. (Details not shown.)

Configuring the AC
To configure Switch as the NTP server of AC:
1. Select Device > System Time from the navigation tree.
2. Click the Net Time tab.
   The Net Time tab page appears.
Figure 54 Configuring Switch as the NTP server of AC
3. Enter 24 for the ID of key 1 and aNiceKey for the key string. Enter 1.0.1.12 in the NTP Server 1 box and 24 in the Reference Key ID box.
4. Click Apply.

Verifying the configuration
After the above configuration, the current system time displayed on the System Time page is the same for AC and Switch.
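What the key ID and key string configured above actually do on the wire is shown by the following added example; it is not H3C code and does not describe the AC's implementation. It builds an NTP client packet, appends the RFC 1305 authenticator (the 32-bit key ID followed by MD5 over the key string concatenated with the packet), and verifies it the way a client with key 24 = aNiceKey would accept or refuse a server reply. The packet layout and authenticator follow RFC 1305 and RFC 5905; the key ID 24 and key aNiceKey are the page's values, the timestamp is a constructed sample, and nothing is sent to 1.0.1.12.

```python
"""NTP symmetric-key (MD5) authentication as used in the example above.

Added example, not H3C code. Key ID 24 and key string aNiceKey come from the
page; the 48-byte header layout and the authenticator (key ID + MD5(key ||
packet)) follow RFC 1305 / RFC 5905. Nothing is sent on the network.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
AUTH_LEN = 4 + 16                # 32-bit key ID + 128-bit MD5 digest
NTP_UNIX_OFFSET = 2208988800     # seconds from 1900-01-01 to 1970-01-01


def to_ntp_timestamp(unix_seconds: float) -> int:
    """Convert Unix time to a 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    fraction = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_UNIX_OFFSET) << 32) | fraction


def build_client_header(transmit_unix: float, version: int = 3) -> bytes:
    """48-byte NTP header in client mode (mode 3). The server echoes the
    transmit timestamp as the originate timestamp in its reply."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    header = struct.pack("!BBbb", li_vn_mode, 0, 6, -20)   # stratum, poll, precision
    header += struct.pack("!II", 0, 0) + b"\x00" * 4         # root delay/disp, ref id
    header += struct.pack("!QQQ", 0, 0, 0)                   # reference, originate, receive
    header += struct.pack("!Q", to_ntp_timestamp(transmit_unix))
    return header


def authenticate(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the RFC 1305 authenticator: key ID, then MD5(key || packet)."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(message: bytes, trusted_keys: dict) -> bool:
    """Accept only a message whose authenticator names a trusted key ID and
    whose digest matches. A packet with no authenticator, an unknown key ID,
    a different key string or a modified body is refused; this is what
    'prohibits a client from synchronizing with a device that has failed
    authentication' means at packet level."""
    if len(message) < NTP_HEADER_LEN + AUTH_LEN:
        return False
    body, auth = message[:-AUTH_LEN], message[-AUTH_LEN:]
    key_id = struct.unpack("!I", auth[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + body).digest()
    return hmac.compare_digest(expected, auth[4:])


if __name__ == "__main__":
    keys = {24: b"aNiceKey"}                         # the page's key 1
    request = authenticate(build_client_header(1345000000.5), 24, keys[24])
    print(len(request), verify(request, keys))       # 68 True
```

The digest is a plain MD5 over key and packet, not an HMAC, and RFC 8573 has since deprecated MD5 for NTP in favour of AES-CMAC; where a device offers only MD5, the key string is still the only thing standing between the client and a spoofed server, so choose a long random string rather than a word, and distribute it out of band.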

Configuration guidelines

A device can act as a server to synchronize the clock of other devices only after its clock has been
synchronized. If the clock of a server has a stratum level higher than or equal to that of a client's
clock, the client will not synchronize its clock to the server's.

The synchronization process takes a period of time. The clock status may be displayed as
unsynchronized after your configuration. In this case, you can refresh the page to view the clock
status later on.

If the system time of the NTP server is ahead of the system time of the device, and the difference
between them exceeds the Web idle time specified on the device, all online Web users are logged
out because of timeout.


Log management
System logs contain a large amount of network and device information, including running status and
configuration changes. System logs are an important way for administrators to know network and device
status. With system logs, administrators can take corresponding actions against network problems and
security problems.
The system sends system logs to the following destinations:

Console

Monitor terminal, which is a user terminal that has login connections through the AUX, VTY, or TTY
user interface.

Log buffer

Loghost

Web interface

Displaying syslog
The Web interface provides abundant search and sorting functions. You can view syslogs through the
Web interface conveniently.
To display syslog:
1.

Select Device > Syslog from the navigation tree.


The page for displaying syslog appears.

Figure 55 Displaying syslog

TIP:
You can click Reset to clear all system logs saved in the log buffer on the Web interface.
You can click Refresh to manually refresh the page, or set the refresh interval on the Log Setup page so that the system refreshes the page automatically and periodically. For more information, see "Setting buffer capacity and refresh interval."
2. View system logs.

Table 34 Field description

Time/Date: Time and date when the system log was generated.
Source: Module that generated the system log.
Level: Severity level of the system log. Messages are classified into eight levels by severity:
  Emergency: The system is unusable.
  Alert: Action must be taken immediately.
  Critical: Critical conditions.
  Error: Error conditions.
  Warning: Warning conditions.
  Notification: Normal but significant condition.
  Informational: Informational messages.
  Debug: Debug-level messages.
Digest: Brief description of the system log.
Description: Contents of the system log.
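The eight levels in Table 34 are the standard syslog severities 0 (Emergency) to 7 (Debug), and a loghost receiving the device's messages sees them encoded in the <PRI> prefix as facility * 8 + severity. The following added example (not H3C code) decodes that prefix, rejects malformed priorities, and filters a batch of lines down to those at Error or worse, which is the first thing a practitioner wants from a loghost. The sample lines are constructed in generic RFC 3164 layout and are not a claim about the exact message format the device emits.

```python
"""Decoding the severity of syslog messages a loghost receives from the device.

Added example, not code from the H3C guide. The eight severities, numbered 0
(Emergency) to 7 (Debug), are those of Table 34 and of RFC 3164 / RFC 5424,
where the <PRI> prefix equals facility * 8 + severity. The sample lines are
constructed here in generic RFC 3164 layout (assumed, not the device's exact
format).
"""
import re
from collections import Counter

SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notification", "Informational", "Debug"]

# "<PRI>" followed by the rest of the line; PRI must be 0..191 (facility <= 23).
_PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")

# Constructed sample input (assumed layout: <PRI>timestamp host tag: message).
SAMPLE_LOG = """\
<187>Aug 24 10:12:01 ac1 wlan: AP ap1 went down
<190>Aug 24 10:12:05 ac1 wlan: client associated with SSID corp
<188>Aug 24 10:12:07 ac1 shell: login failed for user admin from 10.0.0.5
<185>Aug 24 10:12:09 ac1 sys: CPU usage critical
<999>Aug 24 10:12:10 ac1 sys: bad priority value
not a syslog line at all
"""


def parse_line(line: str):
    """Return {'facility', 'severity', 'severity_name', 'message'} for a
    well-formed line, or None if the <PRI> prefix is missing or out of range."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "message": m.group("rest").strip(),
    }


def filter_by_severity(lines, max_severity: int):
    """Keep parsed records at or above the given severity threshold (a lower
    number is more severe): max_severity=3 keeps Emergency through Error."""
    records = (parse_line(line) for line in lines)
    return [r for r in records if r is not None and r["severity"] <= max_severity]


def severity_histogram(lines) -> Counter:
    """Count parsed records per severity name; unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["severity_name"]] += 1
    return counts


if __name__ == "__main__":
    for rec in filter_by_severity(SAMPLE_LOG.splitlines(), 3):
        print(rec["severity_name"], rec["message"])
```

Facility 23 in the samples is local7; a receiving loghost normally keys its alerting on the severity alone, and lines whose <PRI> does not parse should be kept for inspection rather than silently dropped, because a malformed prefix is itself worth noticing.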

Setting the log host

You can set the loghost on the Web interface so that the system outputs syslog messages to the log host. You can specify at most four different log hosts.
To set the log host:
1. Select Device > Syslog from the navigation tree.
2. Click the Loghost tab.
   The loghost configuration page appears.
Figure 56 Setting loghost
3. Configure the log host as described in Table 35.
4. Click Apply.

Table 35 Configuration items

IPv4/Domain, IPv6: Select whether the loghost is identified by an IPv4 address or domain name, or by an IPv6 address.
Loghost IP/Domain: Set the IPv4 address, domain name, or IPv6 address of the loghost.

Setting buffer capacity and refresh interval

1. Select Device > Syslog from the navigation tree.
2. Click the Log Setup tab.
   The syslog configuration page appears.
Figure 57 Syslog configuration page
3. Configure the buffer capacity and refresh interval as described in Table 36.
4. Click Apply.

Table 36 Configuration items

Buffer Capacity: Set the number of logs that can be stored in the log buffer of the Web interface.
Refresh Interval: Set the refresh period for the log information displayed on the Web interface. You can select manual or automatic refresh:
  Manual: Click Refresh to refresh the Web interface when displaying log information.
  Automatic: Refresh the Web interface every 1 minute, 5 minutes, or 10 minutes.

Configuration management
NOTE:
When backing up a configuration file, make sure you back up the configuration file with the extension .xml. Otherwise, some configuration information may not be restored in some cases (for example, when the configuration is removed).

Backing up the configuration

Configuration backup provides the following functions:
Open and view the configuration file (.cfg file or .xml file) for the next startup.
Back up the configuration file (.cfg file or .xml file) for the next startup to the host of the current user.
To back up the configuration:
1. Select Device > Configuration from the navigation tree.
   The page for backing up the configuration appears.
Figure 58 Backup configuration page
2. Click the upper Backup button.
   A file download dialog box appears. You can choose to view the .cfg file or save it locally.
3. Click the lower Backup button.
   A file download dialog box appears. You can choose to view the .xml file or save it locally.

Restoring the configuration

CAUTION:
The restored configuration file takes effect at the next device reboot.
Configuration restore provides the following functions:
Upload the .cfg file on the host of the current user to the device as the configuration file for the next startup.
Upload the .xml file on the host of the current user to the device as the configuration file for the next startup, and delete the previous .xml configuration file that was used for the next startup.
To restore the configuration:
1. Select Device > Configuration from the navigation tree.
2. Click the Restore tab.
   The page for restoring the configuration appears.
Figure 59 Configuration restore page
3. Click the upper Browse button.
   The file upload dialog box appears. Select the .cfg file to be uploaded.
4. Click the lower Browse button.
   The file upload dialog box appears. Select the .xml file to be uploaded.
5. Click Apply.

Saving the configuration

CAUTION:
Saving the configuration takes some time.
The system does not support saving the configuration for two or more users at the same time. If such a case occurs, the system prompts the later users to try again later.
The save configuration module saves the current configuration to the configuration file (.cfg file or .xml file) to be used at the next startup. You can save the configuration in one of the following ways:

Fast
Click the Save button at the upper right of the auxiliary area to save the configuration to the configuration file.

Figure 60 Saving configuration confirmation

Common
1. Select Device > Configuration from the navigation tree.
2. Click the Save tab.
   The page in Figure 60 appears.
3. Click Save Current Settings to save the current configuration to the configuration file.

Initializing the configuration

This operation restores the system to the factory defaults, deletes the current configuration file, and reboots the device.
To initialize the configuration:
1. Select Device > Configuration from the navigation tree.
2. Click the Initialize tab.
   The initialize confirmation page appears.
Figure 61 Initializing the configuration
3. Click Restore Factory-Default Settings to restore the system to the factory defaults.

File management
NOTE:
There are many types of storage media, such as flash and compact flash (CF). Different devices support different types of storage media. For more information, see "Feature matrixes."
The device saves useful files (such as the host software and configuration files) in the storage medium, and the file management function lets users manage those files conveniently and effectively.

Displaying file list

1. Select Device > File Management from the navigation tree.
   The file management page appears.
Figure 62 File management
2. Select a disk from the Please select disk list at the top of the page.
3. View the used space, free space, and capacity of the disk to the right of the list.
4. View all files saved on this disk (in the format path + filename), their sizes, and the boot file types (Main or Backup is displayed if the file is an application file, that is, a file with the extension .bin or .app).

Downloading a file
1. Select Device > File Management from the navigation tree.
   The page in Figure 62 appears.
2. Select a file from the list.
   You can select one file at a time.
3. Click Download File.
   The File Download dialog box appears. You can choose to open the file or save it to a specified path.

Uploading a file
NOTE:
Uploading a file takes some time. H3C recommends that you not perform any operation on the Web interface during the upload.
1. Select Device > File Management from the navigation tree.
   The page in Figure 62 appears.
2. Select the disk to save the file to in the Upload File box.
3. Click Browse to set the path and name of the file.
4. Click Apply.

Removing a file
1. Select Device > File Management from the navigation tree.
   The page in Figure 62 appears.
2. Select one or more files from the file list.
3. Click Remove File.

NOTE:
You can also remove a file by clicking the icon next to it in the file list.

Specifying the main boot file

1. Select Device > File Management from the navigation tree.
   The page in Figure 62 appears.
2. Select the box to the left of an application file (with the extension .bin or .app).
   You can set one file at a time.
3. Click Set as Main Boot File to set the main boot file to be used at the next startup.

Interface management
Interface management overview
An interface is the point of interaction or communication used for exchanging data between entities. There are two types of interfaces: physical and logical. A physical interface is an interface that physically exists as a hardware component, such as an Ethernet interface. A logical interface is an interface that can implement data switching but does not exist physically, such as a VLAN interface. A logical interface must be created manually.
You can use the interface management feature on the Web-based configuration interface to manage the following types of interfaces.

Layer 2 Ethernet interface: Physical interface operating on the data link layer for forwarding Layer 2 protocol packets.
Management Ethernet interface: Physical interface operating on the network layer. You can configure IP addresses for a management Ethernet interface and log in to the device through it to manage the device.
Loopback interface: A software-only virtual interface. The physical layer state and link layer protocols of a loopback interface are always up unless the loopback interface is manually shut down. You can enable routing protocols on a loopback interface, and a loopback interface can send and receive routing protocol packets. When you assign an IPv4 address whose mask is not 32-bit, the system automatically changes the mask to a 32-bit mask.
Null interface: A completely software-based logical interface that is always up. You cannot use it to forward data packets or configure an IP address or link layer protocol on it. With a null interface specified as the next hop of a static route to a specific network segment, any packets routed to that network segment are dropped. The null interface provides a simpler way to filter packets than an ACL: you can discard uninteresting traffic by routing it to a null interface instead of applying an ACL.
VLAN interface: Virtual Layer 3 interface used for Layer 3 communication between VLANs. A VLAN interface corresponds to a VLAN. You can assign an IP address to a VLAN interface and specify it as the gateway of the corresponding VLAN to forward traffic destined for an IP network segment different from that of the VLAN.
Virtual template (VT) interface: Template used for configuring virtual access (VA) interfaces.
Bridge-Aggregation interface (BAGG): Multiple Layer 2 Ethernet interfaces can be combined to form a Layer 2 aggregation group. The logical interface created for the group is called an aggregate interface.

With the interface management feature, you can view interface information, create and remove logical interfaces, change interface status, and reset interface parameters.

Displaying interface information and statistics

1. Select Device > Interface from the navigation tree.
   The interface management page appears. The page displays the interfaces' names, IP addresses, masks, and status.

Figure 63 Interface management page

2. Click an interface name in the Name column to display the statistics of that interface.
   The page for displaying interface statistics appears.

Figure 64 Statistics on an interface

Creating an interface

1. Select Device > Interface from the navigation tree.
   The page in Figure 63 appears.

2. Click Add.
   The page for creating an interface appears.

Figure 65 Creating an interface

3. Configure the interface as described in Table 37.

4. Click Apply.

Table 37 Configuration items

Interface Name
Set the type and number of a logical interface.

VID
If you are creating a Layer 3 Ethernet subinterface, set the VLANs associated with the subinterface. This parameter is available only for Layer 3 Ethernet subinterfaces.
IMPORTANT: Currently, this configuration item is not configurable because the device does not support Layer 3 Ethernet subinterfaces.

MTU
Set the maximum transmission unit (MTU) of the interface. The MTU value affects fragmentation and reassembly of IP packets.
IMPORTANT: Support for this configuration item depends on the interface type. All Layer 3 interfaces support MTU.

TCP MSS
Set the maximum segment size (MSS) for IP packets on the interface. The TCP MSS value affects fragmentation and reassembly of IP packets.
IMPORTANT: Support for this configuration item depends on the interface type. All Layer 3 interfaces support MTU.

IP Config
Set the way for the interface to obtain an IP address. Options include:
- None: Select this option if you do not want to assign an IP address to the interface.
- Static Address: Select this option to manually assign an IP address and mask to the interface. If this option is selected, you must set the IP Address and Mask fields.
- DHCP: Select this option for the interface to obtain an IP address through DHCP automatically.
- BOOTP: Select this option for the interface to obtain an IP address through BOOTP automatically.
- PPP Negotiate: Select this option for the interface to obtain an IP address through PPP negotiation.
- Unnumbered: Select this option to borrow the IP address of another interface on the same device for the interface. If this option is selected, you must select the interface whose IP address you want to borrow in the Unnumbered Interfaces list.
IMPORTANT: Support for the way of obtaining an IP address depends on the interface type.

IP Address/Mask
Secondary IP Address/Mask
After selecting the Static Address option for the IP Config configuration item, you need to set the primary IP address and mask, and secondary IP addresses and masks, for the interface.
The primary and secondary IP addresses cannot be 0.0.0.0.
For a loopback interface, the mask is fixed to 32 bits and is not configurable.
IMPORTANT: The number of secondary IP addresses supported by the device depends on the device model.

Unnumbered Interface
If the Unnumbered option is selected as the way for the interface to obtain an IP address, you must set the interface whose IP address is to be borrowed.

IPv6 Config
Set the way for the interface to obtain an IPv6 link-local address. Options include:
- None: Select this option if you do not want to assign an IPv6 link-local address to the interface.
- Auto: Select this option for the system to automatically assign an IPv6 link-local address to the interface.
- Manual: Select this option to manually assign an IPv6 link-local address to the interface. If this option is selected, you must set the IPv6 Link Local Address field.

IPv6 Link Local Address
If the Manual option is selected as the way for the interface to obtain an IPv6 link-local address, you must set an IPv6 link-local address for the interface.

Modifying a Layer 2 interface

1. Select Device > Interface from the navigation tree.
   The page in Figure 63 appears.

2. Click the icon corresponding to a Layer 2 interface.
   The page for modifying a Layer 2 interface appears.

Figure 66 Modifying a Layer 2 physical interface

3. Modify the information about the Layer 2 physical interface as described in Table 38.

4. Click Apply.

Table 38 Configuration items

Port State
Enable or disable the interface.
In some cases, a modification to the interface parameters does not take effect immediately. You need to shut down and then bring up the interface to make the modification take effect.

Speed
Set the transmission rate of the interface. Available options include:
- 10: 10 Mbps.
- 100: 100 Mbps.
- 1000: 1000 Mbps.
- Auto: Auto-negotiation.
- Auto 10: The auto-negotiation rate of the interface is 10 Mbps.
- Auto 100: The auto-negotiation rate of the interface is 100 Mbps.
- Auto 1000: The auto-negotiation rate of the interface is 1000 Mbps.
- Auto 10 100: The auto-negotiation rate of the interface is 10 Mbps or 100 Mbps.
- Auto 10 1000: The auto-negotiation rate of the interface is 10 Mbps or 1000 Mbps.
- Auto 100 1000: The auto-negotiation rate of the interface is 100 Mbps or 1000 Mbps.
- Auto 10 100 1000: The auto-negotiation rate of the interface is 10 Mbps, 100 Mbps, or 1000 Mbps.

Duplex
Set the duplex mode of the interface.
- Auto: Auto-negotiation.
- Full: Full duplex.
- Half: Half duplex.

Link Type
Set the link type of the current interface, which can be access, hybrid, or trunk. For more information, see Table 39.
IMPORTANT: To change the link type of a port from trunk to hybrid or vice versa, you must first set its link type to access.

PVID
Set the default VLAN ID of the hybrid or trunk port.
IMPORTANT: The trunk ports at the two ends of a link must have the same PVID.

MDI
Set the Medium Dependent Interface (MDI) mode for the interface.
Two types of Ethernet cables can be used to connect Ethernet devices: crossover cable and straight-through cable. To accommodate these two types of cables, an Ethernet interface on the device can operate in one of the following three MDI modes:
- Across mode.
- Normal mode.
- Auto mode.
An Ethernet interface is composed of eight pins. By default, each pin has its particular role. For example, pin 1 and pin 2 are used for transmitting signals, and pin 3 and pin 6 are used for receiving signals. You can change the pin roles by setting the MDI mode.
- In across mode, the default pin roles are kept, that is, pin 1 and pin 2 for transmitting signals, and pin 3 and pin 6 for receiving signals.
- In auto mode, the pin roles are determined through auto-negotiation.
- In normal mode, pin 1 and pin 2 are used for receiving signals, and pin 3 and pin 6 are used for transmitting signals.
To enable normal communication, the local transmit pins must be connected to the remote receive pins. Therefore, configure the MDI mode according to the cable type.
Generally, auto mode is recommended. The other two modes are useful only when the device cannot determine the cable type.
- When straight-through cables are used, the local MDI mode must be different from the remote MDI mode.
- When crossover cables are used, the local MDI mode must be the same as the remote MDI mode, or the MDI mode of at least one end must be set to auto.

Flow Control
Enable or disable flow control on the interface.
After flow control is enabled on both ends, if the local device experiences traffic congestion, it sends a message to notify the peer to stop sending packets temporarily; upon receiving the message, the peer stops sending packets, and vice versa. This avoids packet loss.
IMPORTANT: Flow control works only when it is enabled on both ends.

Jumbo Frame
Enable or disable the forwarding of jumbo frames.

Max MAC Count
Set the maximum number of MAC addresses the interface can learn. Available options include:
- User Defined: Select this option to set the limit manually.
- No Limited: Select this option to set no limit.

Broadcast Suppression
Set broadcast suppression. You can suppress broadcast traffic by percentage or by PPS as follows:
- ratio: Sets the maximum percentage of broadcast traffic to the total transmission capability of an Ethernet interface. When this option is selected, you need to enter a percentage in the box below.
- pps: Sets the maximum number of broadcast packets that can be forwarded on an Ethernet interface per second. When this option is selected, you need to enter a number in the box below.

Multicast Suppression
Set multicast suppression. You can suppress multicast traffic by percentage or by PPS as follows:
- ratio: Sets the maximum percentage of multicast traffic to the total transmission capability of an Ethernet interface. When this option is selected, you need to enter a percentage in the box below.
- pps: Sets the maximum number of multicast packets that can be forwarded on an Ethernet interface per second. When this option is selected, you need to enter a number in the box below.

Unicast Suppression
Set unicast suppression. You can suppress unicast traffic by percentage or by PPS as follows:
- ratio: Sets the maximum percentage of unicast traffic to the total transmission capability of an Ethernet interface. When this option is selected, you need to enter a percentage in the box below.
- pps: Sets the maximum number of unicast packets that can be forwarded on an Ethernet interface per second. When this option is selected, you need to enter a number in the box below.

Table 39 Link type description


Link type

Description

Access

An access port can belong to only one VLAN and is usually used to connect a user
device.

Hybrid

A hybrid port can be assigned to multiple VLANs to receive and send packets for
them and allows packets of multiple VLANs to pass through untagged.
Hybrid ports can be used to connect network devices, as well as user devices.

Trunk

A trunk port can be assigned to multiple VLANs to receive and send packets for them
but allows only packets of the default VLAN to pass through untagged.
Trunk ports are usually used to connect network devices.

Modifying a Layer 3 interface

1. Select Device > Interface from the navigation tree.
   The page in Figure 63 appears.

2. Click the icon corresponding to a Layer 3 interface.
   The page for modifying a Layer 3 interface appears.

Figure 67 Modifying a Layer 3 physical interface

3. Modify the information about the Layer 3 interface.
   The configuration items for modifying a Layer 3 interface are similar to those for creating an interface. Table 40 describes the configuration items specific to modifying a Layer 3 interface.

4. Click Apply.

Table 40 Configuration items

Interface Type
Set the interface type, which can be Electrical port, Optical port, or None.

Interface Status
Display and set the interface status.
- Connected indicates that the current status of the interface is up and connected. You can click Disable to shut down the interface.
- Not connected indicates that the current status of the interface is up but not connected. You can click Disable to shut down the interface.
- Administratively Down indicates that the interface has been shut down by the administrator. You can click Enable to bring up the interface.
After you click Enable or Disable, the page displaying interface information appears.
IMPORTANT: For an interface whose status cannot be changed, the Enable or Disable button is not available.

Working Mode
Set the interface to work in bridge mode or router mode.


Interface management configuration example

Network requirements
Create VLAN-interface 100 and specify its IP address as 10.1.1.2.

Configuration procedure
1. Create VLAN 100:
   a. Select Network > VLAN from the navigation tree.
      The VLAN tab page appears.
   b. Click Add.
      The page for creating VLANs appears.

Figure 68 Creating VLAN 100

   c. Enter VLAN ID 100.
   d. Click Apply.

2. Create VLAN-interface 100 and assign an IP address to it:
   a. Select Device > Interface from the navigation tree.
   b. Click Add.
      The page for creating an interface appears.

Figure 69 Creating VLAN-interface 100

   c. Select Vlan-interface from the Interface Name list, enter the interface ID 100, select the Static Address option in the IP Config area, enter the IP address 10.1.1.2, and select 24 (255.255.255.0) from the Mask list.
   d. Click Apply.

Port mirroring
NOTE:
There are two kinds of port mirroring: local port mirroring and remote port mirroring. Unless otherwise specified, port mirroring in this chapter refers to local port mirroring.
Support for the port mirroring feature depends on the device model. For more information, see "Feature matrixes."

Introduction to port mirroring

Port mirroring copies the packets passing through one or more ports (called mirroring ports) to a port (called the monitor port) on the local device. The monitor port is connected to a monitoring device. By analyzing the packets mirrored to the monitor port on the monitoring device, you can monitor the network and troubleshoot network problems.

Figure 70 A port mirroring implementation

Port mirroring is implemented through mirroring groups. The mirroring ports and the monitor port are in the same mirroring group. With port mirroring enabled, the device copies packets passing through the mirroring ports to the monitor port.

Port mirroring configuration task list

Table 41 Port mirroring configuration task list

Add a mirroring group
Required. For more information, see "Adding a mirroring group."
You need to select the mirroring group type Local in the Type list.

Configure the mirroring ports
Required. For more information, see "Configuring ports for a mirroring group."
During configuration, you need to select the port type Mirror Port.

Configure the monitor port
Required. For more information, see "Configuring ports for a mirroring group."
During configuration, you need to select the port type Monitor Port.

Adding a mirroring group

1. Select Device > Port Mirroring from the navigation tree.

2. Click the Add tab.
   The page for adding a mirroring group appears.

Figure 71 The page for adding a mirroring group

3. Configure the mirroring group as described in Table 42.

4. Click Apply.

Table 42 Configuration items

Mirroring Group ID
ID of the mirroring group to be added.

Type
Specify the type of the mirroring group to be added:
- Local: Adds a local mirroring group.

Configuring ports for a mirroring group

1. Select Device > Port Mirroring from the navigation tree.

2. Click the Modify Port tab.
   The page for configuring ports for a mirroring group appears.

Figure 72 The page for configuring ports for a mirroring group

3. Configure the port information for the mirroring group as described in Table 43.

4. Click Apply.
   The progress bar appears.

5. Click Close after the progress bar prompts that the configuration is complete.

Table 43 Configuration items

Mirroring Group ID
ID of the mirroring group to be configured.

Port Type
Set the type of the ports to be configured:
- Monitor Port: Configures the monitor port for the mirroring group.
- Mirror Port: Configures mirroring ports for the mirroring group.

Stream Orientation
Set the direction of the traffic monitored by the monitor port of the mirroring group. This configuration item is available only when Mirror Port is selected in the Port Type list.
- both: Mirrors both received and sent packets on the mirroring ports.
- inbound: Mirrors only packets received by the mirroring ports.
- outbound: Mirrors only packets sent by the mirroring ports.

interface name
Select the ports to be configured from the interface name list.

Configuration examples
Network requirements
As shown in Figure 73, the customer network is as follows:
- Packets from the AP access the AC through GigabitEthernet 1/0/1.
- The server is connected to GigabitEthernet 1/0/2 of the AC.
Configure port mirroring so that the bidirectional traffic on GigabitEthernet 1/0/1 of the AC can be monitored on the server.
To satisfy this requirement through port mirroring, perform the following configuration on the AC:
- Configure GigabitEthernet 1/0/1 of the AC as a mirroring port.
- Configure GigabitEthernet 1/0/2 of the AC as the monitor port.

Figure 73 Network diagram

Adding a mirroring group

1. Select Device > Port Mirroring from the navigation tree.

2. Click Add.
   The page for adding a mirroring group appears.

Figure 74 Adding a mirroring group

3. Enter 1 for Mirroring Group ID and select Local in the Type list.

4. Click Apply.

Configuring the mirroring ports

1. Click Modify Port.
   The page for configuring a mirroring port appears.

Figure 75 Configuring a mirroring port

2. Select 1 Local for Mirroring Group ID, select Mirror Port for Port Type, select both for Stream Orientation, and select GigabitEthernet 1/0/1 from the interface name list.

3. Click Apply.
   The progress bar appears.

4. Click Close after the progress bar prompts that the configuration is complete.

Configuring the monitor port

1. Click the Modify Port tab.
   The page for configuring the mirroring port appears.

Figure 76 Configuring the monitor port

2. Select 1 Local for Mirroring Group ID, select Monitor Port for Port Type, and select GigabitEthernet 1/0/2 from the interface name list.

3. Click Apply.
   A progress bar appears.

4. Click Close after the progress bar prompts that the configuration is complete.

Configuration guidelines
When you configure port mirroring, follow these guidelines:
- Depending on the device model, you can assign these types of ports to a mirroring group as mirroring ports: Layer 2 Ethernet, Layer 3 Ethernet, POS, CPOS, serial, and MP-group.
- Depending on the device model, you can configure these types of ports as the monitor port: Layer 2 Ethernet, Layer 3 Ethernet, and tunnel.
- To ensure normal operation of your device, do not enable STP, MSTP, or RSTP on the monitor port.
- On some types of devices, you can configure a member port of a link aggregation as the monitor port.
- Other restrictions on the monitor port depend on your device model.
- You can configure multiple mirroring ports but only one monitor port for a mirroring group.
- A port can be assigned to only one mirroring group.

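The guidelines above can be checked before a mirroring configuration is applied. The following script is an added example, not H3C code: it takes a constructed set of local mirroring groups (the field names "mirror" and "monitor" and the per-port spanning-tree flags are assumptions for the example) and reports every guideline the configuration breaks, namely a group without exactly one monitor port, a spanning-tree protocol enabled on a monitor port, and a port assigned to more than one mirroring group.

```python
"""Added example (not H3C code): validate mirroring groups against the
port mirroring configuration guidelines. Sample data is constructed."""

from collections import defaultdict

# Constructed sample: two local mirroring groups as they might be entered on
# the Modify Port page. "mirror" lists the mirroring ports, "monitor" is the
# single monitor port (None if none has been configured yet).
GROUPS = {
    1: {"mirror": ["GigabitEthernet1/0/1", "GigabitEthernet1/0/3"],
        "monitor": "GigabitEthernet1/0/2"},
    2: {"mirror": ["GigabitEthernet1/0/3"],
        "monitor": "GigabitEthernet1/0/4"},
}

# Constructed per-port attribute: whether STP/MSTP/RSTP is enabled on the port.
PORT_STP = {
    "GigabitEthernet1/0/1": True,
    "GigabitEthernet1/0/2": False,
    "GigabitEthernet1/0/3": True,
    "GigabitEthernet1/0/4": True,
}


def check_mirroring(groups, port_stp):
    """Return a list of guideline violations as strings (empty list = OK)."""
    problems = []
    membership = defaultdict(set)  # port name -> set of group IDs it belongs to

    for gid, cfg in groups.items():
        monitor = cfg.get("monitor")
        mirrors = cfg.get("mirror", [])

        # Each mirroring group has exactly one monitor port.
        if monitor is None:
            problems.append(f"group {gid}: no monitor port configured")
        else:
            membership[monitor].add(gid)
            # Spanning tree must not run on the monitor port.
            if port_stp.get(monitor, False):
                problems.append(
                    f"group {gid}: spanning tree enabled on monitor port {monitor}")

        # A group needs at least one mirroring port to be useful.
        if not mirrors:
            problems.append(f"group {gid}: no mirroring ports configured")
        for port in mirrors:
            membership[port].add(gid)

    # A port can be assigned to only one mirroring group.
    for port, gids in sorted(membership.items()):
        if len(gids) > 1:
            problems.append(f"{port} is assigned to groups {sorted(gids)}")

    return problems


if __name__ == "__main__":
    for line in check_mirroring(GROUPS, PORT_STP):
        print(line)
```

On the constructed data the check reports two problems: spanning tree is enabled on the monitor port of group 2, and GigabitEthernet1/0/3 is a mirroring port in both groups.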

User management
In the user management part, you can perform the following configuration:
- Create a local user, and set the password, access level, and service type for the user.
- Set the super password for switching the current Web user level to the management level.
- Switch the current Web user access level to the management level.

Creating a user
1. Select Device > Users from the navigation tree.

2. Click the Create tab.
   The page for creating local users appears.

Figure 77 Creating a user

3. Configure the user information as described in Table 44.

4. Click Apply.

Table 44 Configuration items

Username
Set the username for a user.

Access Level
Set the access level for a user. Users of different levels can perform different operations. Web user levels, from low to high, are visitor, monitor, configure, and management.
- Visitor: Users of this level can perform the ping and traceroute operations, but they can neither access the device data nor configure the device.
- Monitor: Users of this level can only access the device data but cannot configure the device.
- Configure: Users of this level can access data on the device and configure the device, but they cannot upgrade the host software, add/delete/modify users, or back up/restore the application file.
- Management: Users of this level can perform any operations on the device.

Password
Set the password for a user.

Confirm Password
Enter the same password again. Otherwise, when you apply the configuration, the system prompts that the two passwords entered are inconsistent.

Service Type
Set the service type, including Web, FTP, and Telnet services. You must select one of them.

Setting the super password

In this part, users of the management level can specify the password that a lower-level user must supply to switch from the current access level to the management level. If no such password is configured, the switchover fails.
To set the super password:
1. Select Device > Users from the navigation tree.

2. Click the Super Password tab.
   The super password configuration page appears.

Figure 78 Super password

3. Set the super password as described in Table 45.

4. Click Apply.

Table 45 Configuration items

Create/Remove
Set the operation type:
- Create: Configure or modify the super password.
- Remove: Remove the current super password.

Password
Set the password for a user to switch to the management level.

Confirm Password
Enter the same password again. Otherwise, when you apply the configuration, the system prompts that the two passwords entered are inconsistent.

Switching the user access level to the management level
This function allows a user to switch the current user level to the management level. Note the following:
- Before switching, make sure that the super password is already configured. A user cannot switch to the management level without a super password.
- The access level switchover of a user is valid for the current login only. The access level configured for the user is not changed. When the user logs in to the Web interface again, the access level of the user is still the original level.

To switch the user access level to the management level:

1. Select Device > Users from the navigation tree.

2. Click the Switch To Management tab.
   The access level switching page appears.

Figure 79 Switching to the management level

3. Enter the super password.

4. Click Login.

SNMP configuration
SNMP overview
Simple Network Management Protocol (SNMP) defines the communication rules between a management device and the managed devices on a network. It specifies a series of messages, methods, and syntaxes for the management device to access and manage the managed devices. SNMP shields the physical differences between devices and enables automatic management of products from different manufacturers.
An SNMP-enabled network comprises the network management system (NMS) and agents. The NMS manages agents by exchanging management information through SNMP. The NMS and managed agents must use the same SNMP version.
SNMP agents support SNMPv1, SNMPv2c, and SNMPv3.
- SNMPv1 uses community names for authentication. A community name defines the relationship between an SNMP NMS and an SNMP agent. SNMP packets with community names that do not pass authentication on the device are simply discarded. A community name plays a role similar to a password and can be used to control access from the NMS to the agent.
- SNMPv2c uses community names for authentication. Compatible with SNMPv1, it extends the functions of SNMPv1. SNMPv2c provides more operation types, such as GetBulk and InformRequest; it supports more data types, such as Counter64; and it provides more error codes, so that errors can be distinguished in more detail.
- SNMPv3 offers authentication implemented with the User-Based Security Model (USM). You can set the authentication and privacy functions. Authentication verifies the validity of the sender of SNMP packets, preventing access by illegal users; privacy encrypts packets between the NMS and agents, preventing the packets from being intercepted. USM provides more secure communication between the SNMP NMS and SNMP agent through authentication with privacy.

For more information about SNMP, see H3C WX Series Access Controllers Network Management and Monitoring Configuration Guide.

SNMP configuration task list

SNMPv1 or SNMPv2c configuration task list
Perform the tasks in Table 46 to configure SNMPv1 or SNMPv2c.
Table 46 SNMPv1 or SNMPv2c configuration task list

Enabling SNMP
Required. The SNMP agent function is disabled by default.
IMPORTANT: If the SNMP agent is disabled, all SNMP agent-related configurations are removed.

Configuring an SNMP view
Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.

Configuring an SNMP community
Required.

Configuring SNMP trap function
Optional. Allows you to configure whether the agent can send SNMP traps to the NMS, and to configure information about the target host of the SNMP traps.
By default, an agent is allowed to send SNMP traps to the NMS.

Displaying SNMP packet statistics
Optional.

SNMPv3 configuration task list

Perform the tasks in Table 47 to configure SNMPv3.
Table 47 SNMPv3 configuration task list

Enabling SNMP
Required. The SNMP agent function is disabled by default.
IMPORTANT: If the SNMP agent is disabled, all SNMP agent-related configurations are removed.

Configuring an SNMP view
Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.

Configuring an SNMP group
Required. After creating an SNMP group, you can add SNMP users to the group when creating the users, so that the users in the group can be managed centrally through the group.

Configuring an SNMP user
Required. Before creating an SNMP user, you need to create the SNMP group to which the user belongs.

Configuring SNMP trap function
Optional. Allows you to configure whether the agent can send SNMP traps to the NMS, and to configure information about the target host of the SNMP traps.
By default, an agent is allowed to send SNMP traps to the NMS.

Displaying SNMP packet statistics
Optional.

Enabling SNMP
1. Select Device > SNMP from the navigation tree.
   The SNMP configuration page appears.

Figure 80 Set up

2. Configure SNMP settings on the upper part of the page as described in Table 48.

3. Click Apply.

Table 48 Configuration items

SNMP
Specify whether to enable or disable SNMP.

Local Engine ID
Configure the local engine ID.
The validity of a user after it is created depends on the engine ID of the SNMP agent. If the engine ID at the time the user was created is not identical to the current engine ID, the user is invalid.

Maximum Packet Size
Configure the maximum size of an SNMP packet that the agent can receive or send.

Contact
Set a character string to describe the contact information for system maintenance.
If the device is faulty, the maintainer can contact the manufacturer according to the contact information of the device.

Location
Set a character string to describe the physical location of the device.

SNMP Version
Set the SNMP version run by the system.

Configuring an SNMP view

Creating an SNMP view
1. Select Device > SNMP from the navigation tree.

2. Click the View tab.
   The view page appears.

Figure 81 View page

3. Click Add.
   The Add View window appears.

Figure 82 Creating an SNMP view (1)

4. Enter the view name.

5. Click Apply.
   The page in Figure 83 appears.

Figure 83 Creating an SNMP view (2)

6. Configure the parameters as described in Table 49.

7. Click Add.

8. Repeat steps 6 and 7 to add more rules for the SNMP view.

9. Click Apply.
   To cancel the view, click Cancel.

Table 49 Configuration items

View Name
Set the SNMP view name.

Rule
Select whether to exclude or include the objects in the view range determined by the MIB subtree OID and subtree mask.

MIB Subtree OID
Set the MIB subtree OID (such as 1.4.5.3.1) or name (such as system).
A MIB subtree OID identifies the position of a node in the MIB tree, and it can uniquely identify a MIB subtree.

Subtree Mask
Set the subtree mask.
If no subtree mask is specified, the default subtree mask (all Fs) is used for mask-OID matching.

Adding rules to an SNMP view

1. Select Device > SNMP from the navigation tree.

2. Click the View tab.
   The page in Figure 84 appears.

3. Click the icon of the target view.
   The Add rule for the view ViewDefault window appears.

Figure 84 Adding rules to an SNMP view

4. Configure the parameters as described in Table 49.

5. Click Apply.

NOTE:
You can modify the rules of a view in the page you enter by clicking the icon of that view.

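Table 49 and the rule-adding procedure above describe a view as a set of include/exclude rules, each made of a MIB subtree OID and a subtree mask, with an all-Fs mask meaning every sub-identifier of the subtree must match. The following script is an added example, not H3C code: it implements the subtree-family matching that SNMP views are built on (the View-based Access Control Model of RFC 3415), so you can see which objects a given set of rules exposes. The view rules and the OIDs tested are constructed for the example; a mask byte such as A0 shows how a wildcard position lets one rule cover a single ifTable row across all its columns.

```python
"""Added example (not H3C code): evaluate SNMP view rules (include/exclude,
subtree OID, subtree mask) for a given object OID, following RFC 3415
view-subtree-family matching. Rules and OIDs below are constructed."""

from typing import List, Tuple

Rule = Tuple[str, str, str]  # (subtree OID, hex mask, "included" | "excluded")

# Constructed view: expose the system group except sysLocation, and the
# ifTable row for ifIndex 3 only. Mask FF A0 = 1111 1111 1010 0000: the tenth
# sub-identifier (the column) is a wildcard, the eleventh (the index) must be 3.
VIEW_RULES: List[Rule] = [
    ("1.3.6.1.2.1.1", "", "included"),               # system, default mask (all Fs)
    ("1.3.6.1.2.1.1.6", "", "excluded"),             # sysLocation
    ("1.3.6.1.2.1.2.2.1.0.3", "FFA0", "included"),   # ifEntry.<any column>.3
]


def parse_oid(oid: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in oid.strip(".").split("."))


def mask_flags(mask_hex: str, length: int) -> List[bool]:
    """One flag per sub-identifier of the subtree: True = must match,
    False = wildcard. An empty mask (the page's default, all Fs) and any
    positions beyond the mask's length count as must-match."""
    flags: List[bool] = []
    for byte in bytes.fromhex(mask_hex):
        flags.extend(bool((byte >> bit) & 1) for bit in range(7, -1, -1))
    flags = flags[:length]
    flags.extend([True] * (length - len(flags)))
    return flags


def family_matches(oid: Tuple[int, ...], subtree: Tuple[int, ...], mask_hex: str) -> bool:
    """An object belongs to the family if it is at least as long as the subtree
    and agrees with it at every must-match position."""
    if len(oid) < len(subtree):
        return False
    flags = mask_flags(mask_hex, len(subtree))
    return all(not must or o == s for o, s, must in zip(oid, subtree, flags))


def is_in_view(rules: List[Rule], oid: str) -> bool:
    """The matching family with the longest subtree wins (lexicographically
    greatest on a tie); its rule decides include or exclude. An OID matched
    by no family is outside the view."""
    target = parse_oid(oid)
    best = None  # ((subtree length, subtree), rule kind)
    for subtree_str, mask_hex, kind in rules:
        subtree = parse_oid(subtree_str)
        if family_matches(target, subtree, mask_hex):
            key = (len(subtree), subtree)
            if best is None or key > best[0]:
                best = (key, kind)
    return best is not None and best[1] == "included"


if __name__ == "__main__":
    for test_oid in ("1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.1.6.0",
                     "1.3.6.1.2.1.2.2.1.10.3", "1.3.6.1.2.1.2.2.1.10.4"):
        print(test_oid, "visible" if is_in_view(VIEW_RULES, test_oid) else "hidden")
```

With these rules sysName.0 is visible, sysLocation.0 is hidden because the longer excluded subtree wins, ifInOctets.3 is visible through the wildcarded rule, and ifInOctets.4 is hidden because no family matches it.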
Configuring an SNMP community

1. Select Device > SNMP from the navigation tree.

2. Click the Community tab.
   The community tab page appears.

Figure 85 Configuring an SNMP community

3. Click Add.
   The Add SNMP Community page appears.

Figure 86 Creating an SNMP Community

4. Configure SNMP community settings as described in Table 50.

5. Click Apply.

Table 50 Configuration items

Community Name
Set the SNMP community name.

Access Right
Configure the NMS access right:
- Read only: The NMS can perform read-only operations on the MIB objects when it uses this community name to access the agent.
- Read and write: The NMS can perform both read and write operations on the MIB objects when it uses this community name to access the agent.

View
Specify the view associated with the community to limit the MIB objects that can be accessed by the NMS.

ACL
Associate the community with a basic ACL to allow or prohibit access to the agent from the NMS with the specified source IP address.

Configuring an SNMP group

1. Select Device > SNMP from the navigation tree.

2. Click the Group tab.
   The group tab page appears.

Figure 87 SNMP group

3. Click Add.
   The Add SNMP Group page appears.

Figure 88 Creating an SNMP group

4. Configure SNMP group settings as described in Table 51.

5. Click Apply.

Table 51 Configuration items

Group Name
Set the SNMP group name.

Security Level
Select the security level for the SNMP group. The available security levels are:
- NoAuth/NoPriv: No authentication, no privacy.
- Auth/NoPriv: Authentication without privacy.
- Auth/Priv: Authentication and privacy.

Read View
Select the read view of the SNMP group.

Write View
Select the write view of the SNMP group.
If no write view is configured, the NMS cannot perform write operations on any MIB objects on the device.

Notify View
Select the notify view of the SNMP group, that is, the view of objects for which trap messages can be sent.
If no notify view is configured, the agent does not send traps to the NMS.

ACL
Associate a basic ACL with the group to restrict the source IP address of SNMP packets, that is, allow or prohibit SNMP packets with a specific source IP address, so as to restrict the communication between the NMS and the agent.

Configuring an SNMP user


1.

Select Device > SNMP from the navigation tree.

2.

Click the User tab.


The user tab page appears.

Figure 89 SNMP user

3.

Click Add.
The Add SNMP User page appears.

116

Figure 90 Creating an SNMP user

4.

Configure SNMP user settings as described in Table 52.

5.

Click Apply.

Table 52 Configuration items

User Name: Set the SNMP user name.

Security Level: Select the security level for the SNMP user. The available security levels are:
- NoAuth/NoPriv: No authentication, no privacy.
- Auth/NoPriv: Authentication without privacy.
- Auth/Priv: Authentication and privacy.

Group Name: Select the SNMP group to which the user belongs. The group's security level cannot be stronger than the user's:
- When the security level is NoAuth/NoPriv, you can select only an SNMP group with no authentication and no privacy.
- When the security level is Auth/NoPriv, you can select an SNMP group with no authentication and no privacy, or one with authentication without privacy.
- When the security level is Auth/Priv, you can select an SNMP group of any security level.

Authentication Mode: Select an authentication mode (MD5 or SHA) when the security level is Auth/NoPriv or Auth/Priv.

Authentication Password: Set the authentication password when the security level is Auth/NoPriv or Auth/Priv.

Confirm Authentication Password: Enter the authentication password again; the two must match.

Privacy Mode: Select a privacy mode (DES56, AES128, or 3DES) when the security level is Auth/Priv.

Privacy Password: Set the privacy password when the security level is Auth/Priv.

Confirm Privacy Password: Enter the privacy password again; the two must match.

ACL: Associate a basic ACL with the user to restrict the source IP address of SNMP packets. You can allow or prohibit SNMP packets with a specific source IP address, and so allow or prohibit a specific NMS from accessing the agent with this user name.
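The authentication and privacy passwords in Table 52 are never sent or stored as typed. Under the SNMPv3 User-based Security Model (RFC 3414) the agent hashes the password and then localizes the result with its own engine ID, so the same password yields a different key on every agent, and the NMS must learn the agent's engine ID (normally by USM discovery) before it can authenticate. The following Python block, added here and not part of the H3C guide, implements that derivation for the MD5 and SHA authentication modes the page lists and checks it against the RFC 3414 test vectors; the `user_may_join_group` helper is an assumed name that encodes the group-selection rule of Table 52. The privacy key for DES56, AES128 and 3DES is derived from the privacy password in the same way and then cut or extended to the cipher's key length. MD5 and DES56 are retained for compatibility with older NMSs; prefer SHA with AES128 where the NMS supports them.

```python
"""SNMPv3 USM key derivation (RFC 3414, appendix A.2) with the Table 52
security-level rule. Added example; not part of the H3C guide."""
import hashlib

# Test vector from RFC 3414 A.3 (constructed here, not taken from the H3C page):
# password "maplesyrup" localized with engine ID 00 00 00 00 00 00 00 00 00 00 00 02.
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# The two authentication modes the Add SNMP User page offers.
_HASHES = {"MD5": hashlib.md5, "SHA": hashlib.sha1}

# Security levels from Table 51/52, ordered from weakest to strongest.
_LEVELS = {"NoAuth/NoPriv": 0, "Auth/NoPriv": 1, "Auth/Priv": 2}


def password_to_ku(password: bytes, auth_mode: str) -> bytes:
    """Step 1: hash the password repeated to exactly 1,048,576 bytes."""
    if not password:
        raise ValueError("empty password")
    digest = _HASHES[auth_mode]()
    total = 1_048_576
    stream = (password * (total // len(password) + 1))[:total]
    digest.update(stream)
    return digest.digest()


def localize_key(ku: bytes, engine_id: bytes, auth_mode: str) -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku); the key this agent actually stores."""
    return _HASHES[auth_mode](ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, auth_mode: str) -> bytes:
    """Derive the localized key the NMS must compute for a given agent."""
    return localize_key(password_to_ku(password, auth_mode), engine_id, auth_mode)


def user_may_join_group(user_level: str, group_level: str) -> bool:
    """Table 52 rule: a user can only be put in a group whose security level is
    no stronger than the user's own (assumed helper name)."""
    return _LEVELS[user_level] >= _LEVELS[group_level]


if __name__ == "__main__":
    for mode in ("MD5", "SHA"):
        print(mode, localized_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID, mode).hex())
    # Same password, different engine ID: a different key on every agent.
    other = localized_key(RFC3414_PASSWORD, bytes.fromhex("000000000000000000000003"), "SHA")
    print("differs on another engine:", other != localized_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID, "SHA"))
```

Because the localized key depends on the engine ID, an NMS that is pointed at a replacement AC with the same user name and password still fails authentication until it rediscovers the new engine ID; an NMS that keeps working after a device swap has not been doing SNMPv3 authentication at all.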

Configuring SNMP trap function

1. Select Device > SNMP from the navigation tree.

2. Click the Trap tab.
The trap configuration page appears.

Figure 91 Traps configuration

3. Select the Enable SNMP Trap box.

4. Click Apply.

5. Click Add.
The page for adding a target host of SNMP traps appears.

Figure 92 Adding a target host of SNMP traps

6. Configure the settings for the target host as described in Table 53.

7. Click Apply.

Table 53 Configuration items

Destination IP Address: Set the destination IP address or domain name. Select the IP address type (IPv4/Domain or IPv6), and then enter the corresponding IP address or domain name in the field.

Security Name: Set the security name, which can be an SNMPv1 community name, an SNMPv2c community name, or an SNMPv3 user name.

UDP Port: Set the UDP port number.
IMPORTANT:
The default port number is 162, which is the port specified by SNMP for receiving traps on the NMS. Generally (for example, with iMC or a MIB browser as the NMS) you can use the default port number. If you change this parameter, make sure the setting is the same as that on the NMS.

Security Model: Select the security model, that is, the SNMP version, which must be the same as that running on the NMS; otherwise, the NMS cannot receive any trap.

Security Level: Set the authentication and privacy mode for SNMP traps when the security model is v3. The available security levels are no authentication no privacy, authentication without privacy, and authentication and privacy.

Displaying SNMP packet statistics

1. Select Device > SNMP from the navigation tree.
The page for displaying SNMP packet statistics appears.

Figure 93 SNMP packet statistics

SNMP configuration example


Network requirements
The NMS connects to the agent, an AC, through an Ethernet. The IP address of the NMS is 1.1.1.2/24.
The IP address of the VLAN interface on the AC is 1.1.1.1/24. Configure SNMP to achieve the following
purposes.

- The NMS monitors the agent by using SNMPv3.
- The agent reports errors or faults to the NMS.

Figure 94 Network diagram

Configuring the agent

1. Enable the SNMP agent:
a. Select Device > SNMP from the navigation tree.
The page in Figure 95 appears.
b. Select the Enable option.
c. Select the v3 box.
d. Click Apply.

Figure 95 Enabling SNMP

2. Configure an SNMP view:
a. Click the View tab.
b. Click Add.
The page in Figure 96 appears.
c. Enter view1 in the field.
d. Click Apply.
The page in Figure 97 appears.
e. Select the Included radio box, enter the MIB subtree OID interfaces, and click Add.
f. Click Apply.
A configuration progress dialog box appears.
g. Click Close after the configuration process is complete.

Figure 96 Creating an SNMP view (1)


Figure 97 Creating an SNMP view (2)

3. Configure an SNMP group:
a. Click the Group tab.
b. Click Add.
The page in Figure 98 appears.
c. Enter group1 in the Group Name field, select view1 from the Read View box, and select view1 from the Write View box.
d. Click Apply.

Figure 98 Creating an SNMP group

4. Configure an SNMP user:
a. Click the User tab.
b. Click Add.
The page in Figure 99 appears.
c. Enter user1 in the User Name field and select group1 from the Group Name box.
d. Click Apply.

Figure 99 Creating an SNMP user

5. Enable the agent to send SNMP traps:
a. Click the Trap tab.
The page in Figure 100 appears.
b. Select the Enable SNMP Trap box.
c. Click Apply.

Figure 100 Enabling the agent to send SNMP traps

6. Add target hosts of SNMP traps:
a. Click Add on the Trap tab.
The page in Figure 101 appears.
b. Select IPv4/Domain as the destination IP address type, enter the destination address 1.1.1.2, enter the user name user1, and select v3 from the Security Model list.
c. Click Apply.

Figure 101 Adding target hosts of SNMP traps

Configuring the NMS


CAUTION:
The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform
corresponding operations.

SNMPv3 provides authentication and privacy. On the NMS you must configure the user name and security level and, according to the security level, the authentication mode, authentication password, privacy mode, and privacy password; each value must be identical to the one configured for the user on the agent. You must also configure the timeout and retry count. Note that steps 3 and 4 above do not select a security level, authentication mode, or privacy mode for group1 and user1; for a production NMS, select Auth/Priv for both the group and the user (see Table 51 and Table 52) and set the same authentication and privacy parameters on the NMS. After these configurations, you can configure the device as needed through the NMS. For more information about NMS configuration, see the manual provided for the NMS.

Verifying the configuration

After the above configuration, an SNMP connection is established between the NMS and the agent.
- The NMS can get and set the values of parameters on the agent through the MIB nodes in view1.
- If an idle interface on the agent is shut down or brought up, the NMS receives a trap sent by the agent.

Loopback
You can check whether an Ethernet port works normally by performing an Ethernet port loopback test. During the test, the port cannot forward data packets normally.
An Ethernet port loopback test can be an internal loopback test or an external loopback test.
- In an internal loopback test, a self-loop is established in the switching chip to check whether there is a chip failure related to the functions of the port.
- In an external loopback test, a self-loop header is attached to the port. Packets sent by the port are received by the port itself through the self-loop header. The external loopback test can be used to check whether there is a hardware failure on the port.

Loopback operation
1. Select Device > Loopback from the navigation tree.
The loopback test configuration page appears.

Figure 102 Loopback test configuration page

2. Configure the loopback test parameters as described in Table 54.

Table 54 Configuration items

Testing type (External, Internal): Set the loopback test type, which can be External or Internal. Support for each test type depends on the device model.

3. Click Test to start the loopback test.
The Result box displays the test results.

Figure 103 Loopback test result

Configuration guidelines
When you perform a loopback test, follow these guidelines:
- You can perform an internal loopback test but not an external loopback test on a port that is physically down. You can perform neither test on a port that is manually shut down.
- The system does not allow Rate, Duplex, Cable Type, and Port Status configuration on a port under a loopback test.
- An Ethernet port operates in full duplex mode when the loopback test is performed, and restores its original duplex mode after the loopback test.

MAC address configuration


NOTE:
MAC address configurations related to interfaces apply only to Layer 2 Ethernet interfaces.
This chapter covers only the management of static and dynamic MAC address entries, not multicast
MAC address entries.

Overview
A device maintains a MAC address table for frame forwarding. Each entry in this table indicates the
MAC address of a connected device, to which interface this device is connected and to which VLAN the
interface belongs. A MAC address table consists of two types of entries: static and dynamic. Static
entries are manually configured and never age out. Dynamic entries can be manually configured or
dynamically learned and will age out.
When a frame arrives at a port, Port A for example, the device performs the following tasks:
1. Checks the frame for the source MAC address (MAC-SOURCE for example).
2. Looks up the MAC address in the MAC address table.
- If an entry is found, updates the entry.
- If no entry is found, adds an entry for the MAC address and the receiving port (Port A) to the MAC address table.

When receiving a frame destined for MAC-SOURCE, the device looks up the MAC address table and forwards it from Port A.
NOTE:
Dynamically learned MAC addresses cannot overwrite static MAC address entries, but a static entry can overwrite a dynamically learned one.
When forwarding a frame, the device adopts the following forwarding modes based on the MAC address table:
- Unicast mode: If an entry matching the destination MAC address exists, the device forwards the frame directly from the sending port recorded in the entry.
- Broadcast mode: If the device receives a frame whose destination address is all Fs, or no entry matches the destination MAC address, the device broadcasts the frame to all ports except the receiving port.

Figure 104 MAC address table of the device
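The learning and forwarding rules above, as a small Python model added here (not code from the H3C guide). It keeps one table keyed by VLAN and MAC address, learns source addresses with an aging timestamp, refuses to let a learned address overwrite a static or blackhole entry, and chooses between unicast forwarding and flooding. Port names, the aging time and the sample MAC addresses are chosen for the example; blackhole entries are modelled as H3C documents them, dropping frames whose source or destination MAC address matches the entry.

```python
"""Layer 2 MAC address table model: learning, aging, static and blackhole entries,
and the unicast-or-flood forwarding decision. Added example, not H3C code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STATIC, DYNAMIC, BLACKHOLE = "static", "dynamic", "blackhole"
BROADCAST = "ffff-ffff-ffff"          # H3C's hhhh-hhhh-hhhh notation


@dataclass
class Entry:
    port: Optional[str]
    kind: str
    expires: Optional[float]          # None: the entry never ages out


class MacTable:
    def __init__(self, aging_time: float = 300.0):
        self.aging_time = aging_time  # assumed value for the example
        self.table: Dict[Tuple[int, str], Entry] = {}   # (VLAN, MAC) -> entry

    def add_static(self, vlan: int, mac: str, port: Optional[str], kind: str = STATIC) -> None:
        """Manually configured entries never age out and replace learned ones."""
        self.table[(vlan, mac)] = Entry(port, kind, None)

    def learn(self, vlan: int, src_mac: str, in_port: str, now: float) -> bool:
        """Learn or refresh a dynamic entry; static and blackhole entries win."""
        key = (vlan, src_mac)
        existing = self.table.get(key)
        if existing is not None and existing.kind != DYNAMIC:
            return False
        self.table[key] = Entry(in_port, DYNAMIC, now + self.aging_time)
        return True

    def age(self, now: float) -> None:
        """Drop dynamic entries whose aging time has elapsed."""
        self.table = {k: e for k, e in self.table.items()
                      if e.expires is None or e.expires > now}

    def forward(self, vlan: int, src_mac: str, dst_mac: str, in_port: str,
                vlan_ports: List[str], now: float) -> List[str]:
        """Return the egress ports for a frame, learning its source first."""
        self.age(now)
        src = self.table.get((vlan, src_mac))
        if src is not None and src.kind == BLACKHOLE:
            return []                                       # blackhole source: drop
        self.learn(vlan, src_mac, in_port, now)
        if dst_mac == BROADCAST:
            return [p for p in vlan_ports if p != in_port]  # broadcast mode
        dst = self.table.get((vlan, dst_mac))
        if dst is None:
            return [p for p in vlan_ports if p != in_port]  # unknown unicast: flood
        if dst.kind == BLACKHOLE:
            return []                                       # blackhole destination: drop
        return [dst.port] if dst.port != in_port else []    # unicast mode
```

The model shows why a static entry for a critical host is a security control and not just an optimisation: once `add_static` has pinned the host's MAC to its port, a station elsewhere that sends frames with that source address cannot move the entry, so the host's traffic is not redirected to the spoofing port.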

Configuring a MAC address entry

1. Select Network > MAC from the navigation tree. The system automatically displays the MAC tab, which shows all the MAC address entries on the device, as shown in Figure 105.

Figure 105 The MAC tab

2. Click Add at the bottom to enter the page for creating MAC address entries, as shown in Figure 106.

Figure 106 Creating a MAC address entry

3. Configure the MAC address entry as described in Table 55.

4. Click Apply.

Table 55 Configuration items

MAC: Set the MAC address to be added.

Type: Set the type of the MAC address entry:
- static: Static MAC address entries that never age out.
- dynamic: Dynamic MAC address entries that will age out.
- blackhole: Blackhole MAC address entries that never age out. Frames whose source or destination MAC address matches a blackhole entry are dropped.
IMPORTANT:
The tab displays the following types of MAC address entries:
- Config static: Static MAC address entries manually configured by users.
- Config dynamic: Dynamic MAC address entries manually configured by users.
- Blackhole: Blackhole MAC address entries.
- Learned: Dynamic MAC address entries learned by the device.
- Other: Other types of MAC address entries.

VLAN: Set the ID of the VLAN to which the MAC address belongs.

Port: Set the port to which the MAC address belongs.

Setting the aging time of MAC address entries

1. Select Network > MAC from the navigation tree.

2. Click the Setup tab to enter the page for setting the MAC address entry aging time, as shown in Figure 107.

Figure 107 Setting the aging time for MAC address entries

3. Set the aging time as described in Table 56.

4. Click Apply.

Table 56 Configuration items

No-aging: Specify that dynamic MAC address entries never age out.

Aging time: Set the aging time for dynamic MAC address entries.

MAC address configuration example

Network requirements
Use the MAC address table management function of the Web-based NMS. Create a static MAC address entry for 00e0-fc35-dc71 on GigabitEthernet 1/0/1 in VLAN 1.

Configuration procedure
1. Create a static MAC address entry:
a. Select Network > MAC from the navigation tree to enter the MAC tab.
b. Click Add.
The page shown in Figure 108 appears.
c. Enter MAC address 00e0-fc35-dc71, select static from the Type list, select 1 from the VLAN list, and select GigabitEthernet1/0/1 from the Port list.
d. Click Apply.

Figure 108 Creating a static MAC address entry

VLAN configuration
Overview
Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect
(CSMA/CD) mechanism. As the medium is shared, collisions and excessive broadcasts are common on
an Ethernet. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into separate
VLANs. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all broadcast
traffic is contained within it, as shown in Figure 109.
Figure 109 A VLAN diagram

You can implement VLANs based on a variety of criteria. The web interface, however, is available only
for port-based VLANs, which group VLAN members by port. A port forwards traffic for a VLAN only after
it is assigned to the VLAN.
For more information about VLAN, see H3C WX Series Access Controllers Layer 2 Configuration Guide.

Recommended configuration procedure

1. Creating a VLAN: Required.
2. Modifying a VLAN, or
3. Modifying a port: Required. Select either task. Configure the untagged member ports and tagged member ports of the VLAN, or remove ports from the VLAN.

Creating a VLAN
1. Select Network > VLAN from the navigation tree. The system automatically selects the VLAN tab and enters the page shown in Figure 110.

Figure 110 VLAN configuration page

TIP:
To easily configure a specific range of VLANs among a large number of VLANs, enter a VLAN range in the VLAN Range field and click Select; all other VLANs are filtered out of the display. If you click Remove, all VLANs within this range are deleted.

2. Click Add to enter the page for creating a VLAN, as shown in Figure 111.

3. Enter the ID of the VLAN you want to create.

4. Click Apply.

Figure 111 Creating a VLAN

Modifying a VLAN
1. Select Network > VLAN from the navigation tree. The system automatically selects the VLAN tab and enters the page shown in Figure 110.

2. Click the icon of the VLAN you want to modify to enter the page shown in Figure 112.

Figure 112 Modifying a VLAN

3. Configure the description and port members for the VLAN as described in Table 57.

4. Click Apply.

Table 57 Configuration items

ID: Displays the ID of the VLAN to be modified.

Description: Set the description string of the VLAN. By default, the description string of a VLAN is its VLAN ID, such as VLAN 0001.

Port (Untagged Member, Tagged Member, Not a Member): Find the port to be modified and select the Untagged Member, Tagged Member, or Not a Member option for the port:
- Untagged: The port sends the traffic of the VLAN with the VLAN tag removed.
- Tagged: The port sends the traffic of the VLAN without removing the VLAN tag.
- Not a Member: Removes the port from the VLAN.
IMPORTANT:
When you configure an access port as a tagged member of a VLAN, the link type of the port is automatically changed to hybrid.

Modifying a port
1. Select Network > VLAN from the navigation tree.

2. Click the Port tab to enter the page shown in Figure 113.

Figure 113 Port configuration page

3. Click the icon for the port to be modified to enter the page shown in Figure 114.

Figure 114 Modifying a port

4. Configure the port as described in Table 58.

5. Click Apply.

Table 58 Configuration items

Port: Displays the port to be modified.

Untagged Member: Displays the VLANs to which the port belongs as an untagged member.

Tagged Member: Displays the VLANs to which the port belongs as a tagged member.

Member Type (Untagged, Tagged, Not a Member): Select the Untagged, Tagged, or Not a Member option:
- Untagged: The port sends the traffic of the VLAN with the VLAN tag removed.
- Tagged: The port sends the traffic of the VLAN without removing the VLAN tag.
- Not a Member: Removes the port from the VLAN.
IMPORTANT:
- You cannot configure an access port as an untagged member of a nonexistent VLAN.
- When you configure an access port as a tagged member of a VLAN, or configure a trunk port as an untagged member of multiple VLANs in bulk, the link type of the port is automatically changed to hybrid.
- You can configure a hybrid port as a tagged or untagged member of a VLAN only if the VLAN is an existing, static VLAN.

VLAN ID: Specify the VLANs to which the port belongs.

VLAN configuration examples

Network requirements
As shown in Figure 115:
- GigabitEthernet 1/0/1 of AC is connected to GigabitEthernet 1/0/1 of Switch.
- GigabitEthernet 1/0/1 on both devices is a hybrid port with VLAN 100 as its default VLAN.
- Configure GigabitEthernet 1/0/1 to permit packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through.

Figure 115 Network diagram

Configuring AC
1. Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100:
a. Select Network > VLAN from the navigation tree to enter the VLAN tab.
b. Click Add.
c. Enter VLAN IDs 2,6-50,100, as shown in Figure 116.
d. Click Apply.

Figure 116 Creating a VLAN

2. Configure GigabitEthernet 1/0/1 as an untagged member of VLAN 100:
a. Enter 100 in the VLAN Range field, as shown in Figure 117.
b. Click Select to display only the information of VLAN 100.

Figure 117 Selecting a VLAN

c. Click the icon of VLAN 100.
d. Select the Untagged Member option for port GigabitEthernet 1/0/1, as shown in Figure 118.
e. Click Apply.

Figure 118 Modifying a VLAN

3. Configure GigabitEthernet 1/0/1 as a tagged member of VLAN 2 and VLAN 6 through VLAN 50:
a. Select Network > VLAN from the navigation tree and then select the Port tab.
b. Click the icon of port GigabitEthernet 1/0/1.
c. Select the Tagged option, and enter VLAN IDs 2,6-50, as shown in Figure 119.

Figure 119 Modifying a port

d. Click Apply. A dialog box appears asking you to confirm the operation.
e. Click OK in the dialog box.

Configuring Switch
The configuration on Switch is similar to that on AC.
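The hybrid-port behaviour described in Table 57 and Table 58, as an added Python example (not code from the H3C guide): a parser for the VLAN list syntax used on the VLAN page (2,6-50,100), a model of one port's default VLAN and untagged and tagged membership, and a check that both ends of a link agree on how each VLAN crosses it. The port names and the `link_mismatches` helper are assumptions made for the example. A VLAN that one end sends untagged is received by the peer as the peer's default VLAN, so an untagged member that is not the peer's default VLAN silently moves that VLAN's frames into another VLAN; the check catches this, and a VLAN the peer is not a member of, before it becomes a cross-VLAN leak.

```python
"""Port-based VLAN membership: VLAN list parsing, a hybrid port's untagged/tagged
behaviour, and a check that both ends of a link agree. Added example, not H3C code."""
from typing import Iterable, Optional, Set


def parse_vlan_ranges(spec: str) -> Set[int]:
    """Parse the VLAN list syntax used on the VLAN page, for example "2,6-50,100"."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        low = int(lo)
        high = int(hi) if hi else low
        if not 1 <= low <= high <= 4094:
            raise ValueError(f"invalid VLAN range: {part!r}")
        vlans.update(range(low, high + 1))
    return vlans


class HybridPort:
    """One hybrid port: a default VLAN (PVID) plus untagged and tagged member VLANs."""

    def __init__(self, name: str, pvid: int,
                 untagged: Iterable[int] = (), tagged: Iterable[int] = ()):
        self.name, self.pvid = name, pvid
        self.untagged, self.tagged = set(untagged), set(tagged)
        if self.untagged & self.tagged:
            raise ValueError("a VLAN cannot be both tagged and untagged on one port")

    def ingress_vlan(self, tag: Optional[int]) -> Optional[int]:
        """VLAN an incoming frame is assigned to, or None if the port drops it."""
        if tag is None:
            return self.pvid                    # untagged frames join the default VLAN
        if tag in self.untagged or tag in self.tagged:
            return tag                          # tagged frame of a member VLAN
        return None                             # not a member: drop

    def egress(self, vlan: int) -> Optional[str]:
        """How the port sends a frame of `vlan`: "untagged", "tagged", or None."""
        if vlan in self.untagged:
            return "untagged"
        if vlan in self.tagged:
            return "tagged"
        return None


def link_mismatches(a: HybridPort, b: HybridPort) -> Set[int]:
    """VLANs whose frames are dropped or land in a different VLAN when crossing
    the link in either direction (assumed helper for the example)."""
    bad: Set[int] = set()
    for src, dst in ((a, b), (b, a)):
        for vlan in src.untagged | src.tagged:
            tag = vlan if src.egress(vlan) == "tagged" else None
            if dst.ingress_vlan(tag) != vlan:
                bad.add(vlan)
    return bad
```

With the AC and Switch ports configured as in the example (PVID 100, VLAN 100 untagged, 2 and 6 through 50 tagged) `link_mismatches` is empty; leaving Switch's port on PVID 1 reports VLAN 100, and omitting VLAN 2 on Switch reports VLAN 2.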

Configuration guidelines
When you configure VLANs, follow these guidelines:
- VLAN 1 is the default VLAN, which cannot be manually created or removed.
- Some VLANs are reserved for special purposes. You cannot manually create or remove them.
- Dynamic VLANs cannot be manually removed.

ARP configuration
Overview
Introduction to ARP
The Address Resolution Protocol (ARP) is used to resolve an IP address into an Ethernet MAC address (or
physical address).
In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding
MAC address.
For more information about ARP, see H3C WX Series Access Controllers Layer 3 Configuration Guide.

Introduction to gratuitous ARP


Gratuitous ARP packets
In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the
sending device, the sender MAC address is the MAC address of the sending device, and the target MAC
address is the broadcast address ff:ff:ff:ff:ff:ff.
A device sends a gratuitous ARP packet for either of the following purposes:
- To determine whether its IP address is already used by another device. If the IP address is already in use, the device is informed of the conflict by an ARP reply.
- To inform other devices of a change of its MAC address.

Learning of gratuitous ARP packets


With this feature enabled, a device, upon receiving a gratuitous ARP packet, adds an ARP entry that
contains the sender IP and MAC addresses in the packet to its ARP table. If the corresponding ARP entry
exists, the device updates the ARP entry.
With this feature disabled, the device uses the received gratuitous ARP packets to update existing ARP
entries, but not to create new ARP entries.

Displaying ARP entries


Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown
in Figure 120. All ARP entries are displayed on the page.


Figure 120 ARP Table configuration page

Creating a static ARP entry

1. Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown in Figure 120.

2. Click Add to enter the New Static ARP Entry page, as shown in Figure 121.

Figure 121 Adding a static ARP entry

3. Configure the static ARP entry as described in Table 59.

4. Click Apply.

Table 59 Configuration items

IP Address: Enter an IP address for the static ARP entry.

MAC Address: Enter a MAC address for the static ARP entry.

Advanced Options (VLAN ID, Port): Enter a VLAN ID and specify a port for the static ARP entry.
IMPORTANT:
The VLAN must already exist, the port must belong to the VLAN, and the corresponding VLAN interface must already have been created.

Removing ARP entries

1. Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown in Figure 120.

2. Remove ARP entries:
- To remove specific ARP entries, select the target entries and click Del Selected.
- To remove all static and dynamic ARP entries, click Delete Static and Dynamic.
- To remove all static ARP entries, click Delete Static.
- To remove all dynamic ARP entries, click Delete Dynamic.

Configuring gratuitous ARP

1. Select Network > ARP Management from the navigation tree.

2. Click the Gratuitous ARP tab to enter the page shown in Figure 122.

Figure 122 Gratuitous ARP configuration page

3. Configure gratuitous ARP as described in Table 60.

Table 60 Configuration items

Disable gratuitous ARP packets learning function: Disable learning of ARP entries from gratuitous ARP packets. Learning is enabled by default (the box is cleared).

Send gratuitous ARP packets when receiving ARP requests from another network segment: Enable the device to send gratuitous ARP packets upon receiving ARP requests from another network segment. Disabled by default.

Static ARP configuration example

Network requirements
To enhance communication security between the AC and the router, configure a static ARP entry for the router on the AC. A static entry is not overwritten by dynamically learned ARP information, so a spoofed ARP reply cannot redirect the AC's traffic for the router.
Figure 123 Network diagram

Configuration procedure
1. Create VLAN 100:
a. Select Network > VLAN from the navigation tree to enter the default VLAN page.
b. Click Add.
c. Enter 100 for VLAN ID, as shown in Figure 124.
d. Click Apply.

Figure 124 Creating VLAN 100

2. Add GigabitEthernet 1/0/1 to VLAN 100:
a. On the VLAN page, click the icon of VLAN 100.
b. Select the Untagged Member option for GigabitEthernet1/0/1.
c. Click Apply.

Figure 125 Adding GigabitEthernet 1/0/1 to VLAN 100

3. Configure VLAN-interface 100:
a. Select Device > Interface from the navigation tree.
b. Click Add.
c. On the page that appears, select Vlan-interface from the Interface Name list and enter 100, select the Static Address option for IP Config, enter 192.168.1.2 for IP Address, and select 24 (255.255.255.0) for Mask.
d. Click Apply.

Figure 126 Configuring VLAN-interface 100

4. Create a static ARP entry:
a. Select Network > ARP Management from the navigation tree to enter the default ARP Table page.
b. Click Add.
c. On the page that appears, enter 192.168.1.1 for IP Address, enter 00e0-fc01-0000 for MAC Address, select the Advanced Options option, enter 100 for VLAN ID, and select GigabitEthernet1/0/1 from the Port list.
d. Click Apply.

Figure 127 Creating a static ARP entry

ARP attack protection configuration


Although ARP is easy to implement, it provides no security mechanism and thus is prone to network
attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple
features to detect and prevent such attacks. This chapter mainly introduces these features.

ARP detection
The ARP detection feature enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks.
ARP detection provides the following functions:
- User validity check: The device compares the sender IP and MAC addresses of a received ARP packet against the static IP source guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC addresses. If no match is found, the ARP packet is discarded.
- ARP packet validity check: The device does not check ARP packets received from an ARP trusted port. Upon receiving an ARP packet from an ARP untrusted port, the device checks the packet based on its source MAC address, destination MAC address, or source and destination IP addresses. ARP packets that fail the check are discarded.

For more information about ARP detection, see H3C WX Series Access Controllers Security Configuration Guide.

Source MAC address based ARP attack detection


This feature allows the device to check the source MAC address of ARP packets delivered to the CPU. If
the number of ARP packets from a MAC address within five seconds exceeds the specified threshold, the
device considers this an attack and adds the MAC address to the attack detection table. Before the attack
detection entry is aged out, the device generates a log message upon receiving an ARP packet sourced
from that MAC address and filters out subsequent ARP packets from that MAC address (in filter mode),
or only generates a log message upon receiving an ARP packet sourced from that MAC address (in
monitor mode).
A gateway or critical server may send a large number of ARP packets. To prevent these ARP packets from
being discarded, you can specify the MAC address of the gateway or server as a protected MAC
address. A protected MAC address is excluded from ARP attack detection even if it is an attacker.

ARP active acknowledgement


The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP
packets.
ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid
generating any incorrect ARP entry.


ARP packet source MAC address consistency check


This feature enables a gateway device to filter out ARP packets with the source MAC address in the
Ethernet header different from the sender MAC address in the ARP message, so that the gateway device
can learn correct ARP entries.

Configuring ARP detection

NOTE:
If both the ARP packet validity check (ARP detection based on specified objects) and the user validity check (ARP detection based on static IP source guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC addresses) are enabled, the packet validity check applies first, and then the user validity check.

1. Select Network > ARP Anti-Attack from the navigation tree to enter the default ARP Detection page shown in Figure 128.

Figure 128 ARP Detection configuration page

2. Configure ARP detection as described in Table 61.

3. Click Apply.

Table 61 Configuration items

VLAN Settings: Select the VLANs on which ARP detection is to be enabled. To add VLANs to the Enabled VLANs list box, select one or more VLANs from the Disabled VLANs list box and click the << button. To remove VLANs from the Enabled VLANs list box, select one or more VLANs from that list box and click the >> button.

Trusted Ports: Select trusted ports and untrusted ports. To add ports to the Trusted Ports list box, select one or more ports from the Untrusted Ports list box and click the << button. To remove ports from the Trusted Ports list box, select one or more ports from that list box and click the >> button.

ARP Packet Validity Check: Select the ARP packet validity check modes:
- Discard the ARP packet whose sender MAC address is different from the source MAC address in the Ethernet header.
- Discard the ARP reply whose target MAC address is all 0s, all 1s, or inconsistent with the destination MAC address in the Ethernet header. This check applies to replies only; an ARP request legitimately carries an all-0s target MAC address.
- Discard the ARP request whose sender IP address is all 0s, all 1s, or a multicast address, and discard the ARP reply whose sender or target IP address is all 0s, all 1s, or a multicast address.
ARP packet validity check takes precedence over user validity check. If none of the above is selected, the system does not check the validity of ARP packets.
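The gratuitous ARP definition in the ARP configuration chapter and the validity checks in Table 61 both need the Ethernet header and ARP body fields side by side. The Python block below, added here and not code from the H3C guide, serializes and parses an Ethernet/IPv4 ARP frame, tests whether a packet is gratuitous by the page's definition, and returns the reasons the ARP packet validity check would discard it, with one flag per check box. The sample frames use the router and AC addresses from the static ARP example plus an invented attacker MAC and are constructed inline; `build_arp`, `parse_arp` and `validity_check` are names chosen for the example. The target MAC check is applied to replies only, because a request legitimately carries an all-zero target MAC.

```python
"""IPv4 ARP frame construction and parsing, the gratuitous ARP test, and the
ARP packet validity checks of Table 61. Added example, not H3C code."""
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2
BCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac(text: str) -> bytes:
    """Accept H3C (00e0-fc01-0000) or colon notation."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def ip4(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_arp(eth_src: bytes, eth_dst: bytes, op: int, sender_mac: bytes,
              sender_ip: bytes, target_mac: bytes, target_ip: bytes) -> bytes:
    """Ethernet II header followed by a 28-byte Ethernet/IPv4 ARP message."""
    header = eth_dst + eth_src + struct.pack("!H", ETH_P_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return header + body + sender_mac + sender_ip + target_mac + target_ip


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the header and ARP fields, or None if this is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": frame[0:6], "eth_src": frame[6:12], "op": op,
            "sender_mac": frame[22:28], "sender_ip": frame[28:32],
            "target_mac": frame[32:38], "target_ip": frame[38:42]}


def is_gratuitous(arp: Dict[str, object]) -> bool:
    """Page definition: sender IP equals target IP and the target MAC is broadcast."""
    return arp["sender_ip"] == arp["target_ip"] and arp["target_mac"] == BCAST_MAC


def _invalid_ip(ip: bytes) -> bool:
    """All 0s, all 1s, or multicast (224.0.0.0/4)."""
    return ip == b"\x00" * 4 or ip == b"\xff" * 4 or (ip[0] & 0xF0) == 0xE0


def validity_check(arp: Dict[str, object], src_mac: bool = True,
                   dst_mac: bool = True, ip: bool = True) -> List[str]:
    """Reasons the ARP packet validity check would discard the packet; [] means pass.
    The three flags mirror the three check boxes in Table 61."""
    reasons: List[str] = []
    if src_mac and arp["sender_mac"] != arp["eth_src"]:
        reasons.append("sender MAC differs from Ethernet source MAC")
    if dst_mac and arp["op"] == OP_REPLY and (
            arp["target_mac"] in (ZERO_MAC, BCAST_MAC) or arp["target_mac"] != arp["eth_dst"]):
        reasons.append("reply target MAC is all 0s, all 1s, or differs from Ethernet destination MAC")
    if ip and arp["op"] == OP_REQUEST and _invalid_ip(arp["sender_ip"]):
        reasons.append("request sender IP is all 0s, all 1s, or multicast")
    if ip and arp["op"] == OP_REPLY and (_invalid_ip(arp["sender_ip"]) or _invalid_ip(arp["target_ip"])):
        reasons.append("reply sender or target IP is all 0s, all 1s, or multicast")
    return reasons


# Constructed sample frames: router and AC addresses from the static ARP example,
# plus an invented attacker MAC.
ROUTER_MAC, AC_MAC, ATTACKER_MAC = mac("00e0-fc01-0000"), mac("00e0-fc35-dc71"), mac("aaaa-bbbb-cccc")
ROUTER_IP, AC_IP = ip4("192.168.1.1"), ip4("192.168.1.2")
SAMPLES = {
    "request": build_arp(ROUTER_MAC, BCAST_MAC, OP_REQUEST, ROUTER_MAC, ROUTER_IP, ZERO_MAC, AC_IP),
    "spoofed_reply": build_arp(ATTACKER_MAC, AC_MAC, OP_REPLY, ROUTER_MAC, ROUTER_IP, AC_MAC, AC_IP),
    "gratuitous": build_arp(AC_MAC, BCAST_MAC, OP_REQUEST, AC_MAC, AC_IP, BCAST_MAC, AC_IP),
    "probe": build_arp(AC_MAC, BCAST_MAC, OP_REQUEST, AC_MAC, ip4("0.0.0.0"), ZERO_MAC, AC_IP),
}
```

Two things the sample frames make visible: the spoofed reply is caught only by the sender MAC check, since its ARP body is internally consistent, and the IP check also rejects a request whose sender IP is 0.0.0.0, which is exactly how an RFC 5227 address-conflict probe looks, so hosts on an untrusted port that rely on such probes lose them when that check is selected.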

Configuring other ARP attack protection functions

Other ARP attack protection functions include source MAC address based ARP attack detection, ARP active acknowledgement, and ARP packet source MAC address consistency check.

1. Select Network > ARP Anti-Attack from the navigation tree.

2. Click the Advanced Configuration tab to enter the page shown in Figure 129.

Figure 129 Advanced Configuration page

3. Configure ARP attack protection parameters as described in Table 62.

4. Click Apply.

Table 62 Configuration items

Source MAC Address Attack Detection:
- Detection Mode: Select the detection mode for source MAC address based ARP attack detection:
  Disable: Source MAC address based ARP attack detection is disabled.
  Filter Mode: The device generates an alarm and filters out ARP packets sourced from a MAC address if the number of ARP packets received from that MAC address within five seconds exceeds the threshold.
  Monitor Mode: The device only generates an alarm if the number of ARP packets received from a MAC address within five seconds exceeds the threshold.
- Aging Time: Enter the aging time of source MAC address based ARP attack detection entries.
- Threshold: Enter the threshold for source MAC address based ARP attack detection.
- Protected MAC Configuration: Add a protected MAC address as follows:
  1. Expand Protected MAC Configuration. Its contents are displayed as shown in Figure 130.
  2. Enter a MAC address.
  3. Click Add.
  A protected MAC address is excluded from ARP attack detection even if it is an attacker. You can specify certain MAC addresses, such as that of a gateway or an important server, as protected MAC addresses.

Enable ARP Packet Active Acknowledgement: Enable or disable ARP packet active acknowledgement.

Enable Source MAC Address Consistency Check: Enable or disable source MAC address consistency check.

Figure 130 Protected MAC configuration
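Source MAC address based ARP attack detection, as an added Python model (not code from the H3C guide) of the behaviour Table 62 and the chapter overview describe: count ARP packets per source MAC over a five-second window, record a MAC as an attacker once it exceeds the threshold, log every further packet from it while the entry has not aged out, and either drop those packets (filter mode) or only log them (monitor mode). Protected MAC addresses bypass the check entirely. The class and method names, the threshold and aging values, and the sample MAC addresses are chosen for the example; timestamps are passed in so the logic can be exercised without a clock.

```python
"""Source MAC address based ARP attack detection: a per-MAC rate check over a
five-second window with filter/monitor modes, protected MACs and entry aging.
Added example, not H3C code."""
from collections import deque
from typing import Deque, Dict, Iterable, List, Set, Tuple

WINDOW_SECONDS = 5.0   # the page counts ARP packets per source MAC within five seconds


class SourceMacArpDetector:
    def __init__(self, mode: str = "filter", threshold: int = 30,
                 aging_time: float = 300.0, protected: Iterable[str] = ()):
        if mode not in ("disable", "filter", "monitor"):
            raise ValueError(mode)
        self.mode = mode
        self.threshold = threshold          # example values; set them on the Advanced tab
        self.aging_time = aging_time
        self.protected: Set[str] = set(protected)
        self._arrivals: Dict[str, Deque[float]] = {}
        self.attackers: Dict[str, float] = {}       # MAC -> time the entry ages out
        self.log: List[Tuple[float, str, str]] = []

    def _count_in_window(self, src_mac: str, now: float) -> int:
        """Record an arrival and return how many arrived in the last five seconds."""
        q = self._arrivals.setdefault(src_mac, deque())
        q.append(now)
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def _expire(self, now: float) -> None:
        """Remove detection entries whose aging time has elapsed."""
        for mac_ in [m for m, until in self.attackers.items() if until <= now]:
            del self.attackers[mac_]
            self._arrivals.pop(mac_, None)

    def handle(self, src_mac: str, now: float) -> str:
        """Decide "forward" or "drop" for an ARP packet delivered to the CPU."""
        if self.mode == "disable" or src_mac in self.protected:
            return "forward"                 # protected MACs are never checked
        self._expire(now)
        if src_mac in self.attackers:
            # Entry not yet aged out: log every packet; drop only in filter mode.
            self.log.append((now, src_mac, "ARP packet from detected attacker"))
            return "drop" if self.mode == "filter" else "forward"
        if self._count_in_window(src_mac, now) > self.threshold:
            self.attackers[src_mac] = now + self.aging_time
            self.log.append((now, src_mac, "ARP attack detected"))
        return "forward"
```

Because a protected MAC is exempt even when it is the attacker, keep the protected list to the gateway and critical servers and verify those MACs against the static ARP entries; otherwise a station that spoofs the gateway's MAC address inherits the exemption.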


IGMP snooping configuration


Overview
Internet Group Management Protocol (IGMP) snooping is a multicast constraining mechanism that runs
on Layer 2 devices to manage and control multicast groups.
By analyzing received IGMP messages, a Layer 2 device that is running IGMP snooping establishes
mappings between ports and multicast MAC addresses and forwards multicast data based on these
mappings.
As shown in Figure 131, when IGMP snooping is not running on the switch, multicast packets are flooded
to all devices at Layer 2. However, when IGMP snooping is running on the switch, multicast packets for
known multicast groups are multicast to the receivers, rather than broadcast to all hosts, at Layer 2.
Figure 131 Multicast forwarding before and after IGMP snooping runs

IGMP snooping sends Layer 2 multicast packets to the intended receivers only. This mechanism provides the following advantages:
- Reducing Layer 2 broadcast packets and saving network bandwidth.
- Enhancing the security of multicast packets, because hosts that have not joined a group do not receive its traffic.
- Facilitating the implementation of accounting for each host.

For more information about IGMP snooping, see H3C WX Series Access Controllers IP Multicast
Configuration Guide.
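The port-to-group mapping that IGMP snooping builds, as an added Python model (not the H3C guide's code): general queries mark the router port, membership reports add a port to a group subject to a per-port group limit, a leave either removes the port at once (fast leave) or sends a group-specific query and removes the port only if no report answers, and multicast data goes to the member ports and the router port, is flooded in the VLAN when the group is unknown, or is dropped when drop-unknown is on. The class, its query-timeout method and the port names are assumptions made for the example; the limit, fast-leave and drop-unknown options correspond to the VLAN and port settings listed in the configuration procedure that follows.

```python
"""IGMP snooping forwarding table for one VLAN: router port from queries,
member ports from reports, leave handling (with or without fast leave), and the
forwarding decision for multicast data. Added example, not H3C code."""
from typing import Dict, Iterable, List, Optional, Set, Tuple


def is_multicast_group(group: str) -> bool:
    """IPv4 multicast groups are 224.0.0.0/4."""
    first = int(group.split(".")[0])
    return 224 <= first <= 239


class IgmpSnoopingVlan:
    def __init__(self, vlan: int, ports: Iterable[str], drop_unknown: bool = False,
                 max_groups_per_port: Optional[int] = None, fast_leave: bool = False):
        self.vlan = vlan
        self.ports = list(ports)
        self.drop_unknown = drop_unknown            # "Drop Unknown" in the VLAN settings
        self.max_groups = max_groups_per_port       # per-port group limit (port settings)
        self.fast_leave = fast_leave                # fast leave (port settings)
        self.groups: Dict[str, Set[str]] = {}       # group -> member ports
        self.router_ports: Set[str] = set()         # ports toward the querier
        self.pending: Set[Tuple[str, str]] = set()  # (port, group) awaiting a report
        self.rejected: List[Tuple[str, str]] = []

    def on_query(self, in_port: str) -> None:
        """A general query arrived: that port leads to the multicast router."""
        self.router_ports.add(in_port)

    def on_report(self, in_port: str, group: str) -> bool:
        """Membership report: add the port to the group unless the limit is reached."""
        if not is_multicast_group(group):
            return False
        joined = {g for g, members in self.groups.items() if in_port in members}
        if self.max_groups is not None and group not in joined and len(joined) >= self.max_groups:
            self.rejected.append((in_port, group))
            return False
        self.groups.setdefault(group, set()).add(in_port)
        self.pending.discard((in_port, group))      # a report cancels a pending removal
        return True

    def _remove(self, in_port: str, group: str) -> None:
        members = self.groups.get(group)
        if members is not None:
            members.discard(in_port)
            if not members:
                del self.groups[group]

    def on_leave(self, in_port: str, group: str) -> str:
        """Leave message: remove at once with fast leave, otherwise query first."""
        if in_port not in self.groups.get(group, set()):
            return "ignored"
        if self.fast_leave:
            self._remove(in_port, group)
            return "removed"
        self.pending.add((in_port, group))
        return "group-specific query sent"

    def on_query_timeout(self, in_port: str, group: str) -> None:
        """No report answered the group-specific query: remove the port."""
        if (in_port, group) in self.pending:
            self.pending.discard((in_port, group))
            self._remove(in_port, group)

    def forward(self, in_port: str, group: str) -> List[str]:
        """Egress ports for multicast data to `group` arriving on `in_port`."""
        members = self.groups.get(group)
        if members is None:
            if self.drop_unknown:
                return []                            # unknown multicast dropped
            return [p for p in self.ports if p != in_port]   # unknown: flood in VLAN
        return sorted((members | self.router_ports) - {in_port})
```

The model also shows the trade-off behind fast leave: with several hosts behind one port, removing the port on the first leave cuts the stream for the others, which is why the non-fast-leave path waits for the group-specific query to go unanswered.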


Recommended configuration procedure

1. Enabling IGMP snooping globally: Required. By default, IGMP snooping is disabled.

2. Configuring IGMP snooping on a VLAN: Required. Enable IGMP snooping in the VLAN and configure the IGMP snooping version and querier feature. By default, IGMP snooping is disabled in a VLAN.
IMPORTANT:
- IGMP snooping must be enabled globally before it can be enabled in a VLAN.
- When you enable IGMP snooping in a VLAN, this function takes effect for ports in this VLAN only.

3. Configuring IGMP snooping on a port: Optional. Configure the maximum number of multicast groups allowed and the fast leave function for ports in the specified VLAN.
IMPORTANT:
- Multicast routing or IGMP snooping must be enabled globally before IGMP snooping can be enabled on a port.
- IGMP snooping configured on a port takes effect only after IGMP snooping is enabled in the VLAN or IGMP is enabled on the VLAN interface.

4. Displaying IGMP snooping multicast entry information: Optional.

Enabling IGMP snooping globally

1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page shown in Figure 132.
2. Select Enable, and click Apply.

Figure 132 Basic IGMP snooping configurations

Configuring IGMP snooping on a VLAN

1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page shown in Figure 132.
2. Click the icon corresponding to the VLAN to enter the page where you can configure IGMP snooping in the VLAN, as shown in Figure 133.

Figure 133 Configuring IGMP snooping in the VLAN

3. Configure IGMP snooping as described in Table 63.
4. Click Apply.

Table 63 Configuration items

VLAN ID: This field displays the ID of the VLAN to be configured.

IGMP snooping: Enable or disable IGMP snooping in the VLAN. You can proceed with the subsequent configurations only if Enable is selected here.

Version: By configuring an IGMP snooping version, you actually configure the versions of IGMP messages that IGMP snooping can process. IGMP snooping version 2 can process IGMPv1 and IGMPv2 messages, but not IGMPv3 messages, which will be flooded in the VLAN. IGMP snooping version 3 can process IGMPv1, IGMPv2, and IGMPv3 messages.

Drop Unknown: Enable or disable the function of dropping unknown multicast packets. Unknown multicast data refers to multicast data for which no entries exist in the IGMP snooping forwarding table. With the function of dropping unknown multicast data enabled, the device drops all the unknown multicast data received. With the function disabled, the device floods unknown multicast data in the VLAN to which the unknown multicast data belong.

Querier: Enable or disable the IGMP snooping querier function. On a network without Layer 3 multicast devices, no IGMP querier-related function can be implemented because a Layer 2 device does not support IGMP. To address this issue, you can enable IGMP snooping querier on a Layer 2 device so that the device can generate and maintain multicast forwarding entries at the data link layer, thereby implementing IGMP querier-related functions.

Query interval: Configure the IGMP query interval.

General Query Source IP: Source IP address of IGMP general queries.

Special Query Source IP: Source IP address of IGMP group-specific queries.

Configuring IGMP snooping on a port

1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2. Click the Advanced tab to enter the page shown in Figure 134.

Figure 134 Advanced configuration

3. Configure IGMP snooping on a port as described in Table 64.
4. Click Apply.

Table 64 Configuration items

Port: Select the port on which advanced IGMP snooping features are to be configured. After a port is selected, advanced features configured on this port are displayed at the lower part of this page.

VLAN ID: Specify a VLAN in which you can configure the fast leave function for the port or the maximum number of multicast groups allowed on the port.

Group Limit: Configure the maximum number of multicast groups that the port can join. With this feature, you can regulate multicast traffic on the port.
IMPORTANT:
When the number of multicast groups a port has joined reaches the configured threshold, the system deletes all the forwarding entries persistent on that port from the IGMP snooping forwarding table, and the hosts on this port must join the multicast groups again.
Support for the maximum number of multicast groups that a port can join may vary depending on your device model. For more information, see "Feature matrixes."

Fast Leave: Enable or disable the fast leave function for the port. With the fast leave function enabled on a port, the device, when receiving an IGMP leave message on the port, immediately deletes that port from the outgoing port list of the corresponding forwarding table entry. Then, when receiving IGMP group-specific queries for that multicast group, the device will not forward them to that port. In VLANs where only one host is attached to each port, the fast leave function helps improve bandwidth and resource usage.
IMPORTANT:
If fast leave is enabled for a port to which more than one host is attached, when one host leaves a multicast group, the other hosts listening to the same multicast group will fail to receive multicast data.
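The behaviour that Table 63 (Drop Unknown) and Table 64 (Group Limit, Fast Leave) describe is easier to reason about as a small forwarding-table model. The following Python model is an added example written for this guide; it is not H3C code and does not reflect the AC's internal implementation. Port names, VLAN IDs and group addresses are constructed sample values, the `group_limit=None` meaning "no limit" is an assumption of the model, and the Group Limit rule is implemented with one reading of the note in Table 64 (a report that would exceed the limit clears every entry on the port).

```python
"""Model of an IGMP snooping forwarding table, to illustrate Tables 63 and 64.
Added example for this guide, not H3C code; inputs below are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class VlanSnooping:
    enabled: bool = False        # IGMP snooping in the VLAN (Table 63)
    drop_unknown: bool = False   # Drop Unknown (Table 63)


@dataclass
class PortSnooping:
    fast_leave: bool = False            # Fast Leave (Table 64)
    group_limit: Optional[int] = None   # Group Limit (Table 64); None means no limit (assumption)


class IgmpSnoopingSwitch:
    """Layer 2 device that maps (VLAN, group) to the ports that reported membership."""

    def __init__(self) -> None:
        self.vlans: dict[int, VlanSnooping] = {}
        self.vlan_ports: dict[int, set[str]] = {}
        self.ports: dict[str, PortSnooping] = {}
        self.table: dict[tuple[int, str], set[str]] = {}
        # (vlan, group, port) waiting for a group-specific query to time out
        self.pending_leave: set[tuple[int, str, str]] = set()

    def configure_vlan(self, vlan: int, enabled: bool, drop_unknown: bool = False) -> None:
        self.vlans[vlan] = VlanSnooping(enabled, drop_unknown)
        self.vlan_ports.setdefault(vlan, set())

    def add_port_to_vlan(self, vlan: int, port: str) -> None:
        self.vlan_ports.setdefault(vlan, set()).add(port)

    def configure_port(self, port: str, fast_leave: bool = False,
                       group_limit: Optional[int] = None) -> None:
        self.ports[port] = PortSnooping(fast_leave, group_limit)

    def groups_on_port(self, vlan: int, port: str) -> set[str]:
        return {g for (v, g), members in self.table.items() if v == vlan and port in members}

    def _remove(self, vlan: int, group: str, port: str) -> None:
        self.pending_leave.discard((vlan, group, port))
        members = self.table.get((vlan, group))
        if members is None:
            return
        members.discard(port)
        if not members:
            del self.table[(vlan, group)]   # entry gone: the group is "unknown" again

    def report(self, vlan: int, port: str, group: str) -> bool:
        """IGMP membership report received on a port; True if an entry was learned."""
        cfg = self.vlans.get(vlan)
        if cfg is None or not cfg.enabled:
            return False                   # snooping off: nothing is learned
        limit = self.ports.get(port, PortSnooping()).group_limit
        joined = self.groups_on_port(vlan, port)
        if limit is not None and group not in joined and len(joined) >= limit:
            # Group Limit note in Table 64, read as: a report that would exceed the
            # limit clears every entry on the port and the hosts must join again.
            for g in joined:
                self._remove(vlan, g, port)
            return False
        self.table.setdefault((vlan, group), set()).add(port)
        self.pending_leave.discard((vlan, group, port))   # a report cancels a pending leave
        return True

    def leave(self, vlan: int, port: str, group: str) -> None:
        """IGMP leave: fast leave removes the port at once; otherwise the port stays
        until the group-specific query gets no report (see query_timeout)."""
        if self.ports.get(port, PortSnooping()).fast_leave:
            self._remove(vlan, group, port)
        elif port in self.table.get((vlan, group), set()):
            self.pending_leave.add((vlan, group, port))

    def query_timeout(self, vlan: int, port: str, group: str) -> None:
        """No report answered the group-specific query sent after a leave."""
        if (vlan, group, port) in self.pending_leave:
            self._remove(vlan, group, port)

    def forward(self, vlan: int, in_port: str, group: str) -> set[str]:
        """Ports a multicast data frame for `group` is sent out of."""
        cfg = self.vlans.get(vlan)
        others = self.vlan_ports.get(vlan, set()) - {in_port}
        if cfg is None or not cfg.enabled:
            return others                  # no snooping: flooded at Layer 2
        members = self.table.get((vlan, group))
        if members is None:                # unknown multicast data
            return set() if cfg.drop_unknown else others
        return members - {in_port}
```

The `forward()` result is what the Drop Unknown setting changes: with it enabled, data for a group that has no entry goes nowhere, so a VLAN where a receiver has silently disappeared stops carrying that stream instead of flooding it to every port. The difference between `leave()` with and without fast leave is the window in which a second host on the same port keeps receiving data, which is the caveat Table 64 gives.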

Displaying IGMP snooping multicast entry information

1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page shown in Figure 132.
2. Click the plus sign (+) in front of Show Entries to display IGMP snooping multicast entries, as shown in Figure 135.

Figure 135 Displaying entry information

3. Click the icon corresponding to an entry to display the detailed information of the entry, as shown in Figure 136.

Figure 136 Detailed information of an entry


Table 65 Field description

VLAN ID: ID of the VLAN to which the entry belongs.
Source: Multicast source address, where 0.0.0.0 indicates all multicast sources.
Group: Multicast group address.
Router port: All router ports.
Member port: All member ports.

IGMP snooping configuration examples


Network requirements

As shown in Figure 137, Router A connects to a multicast source (Source) through Ethernet 1/2, and
to AC through Ethernet 1/1.

The multicast source sends multicast data to group 224.1.1.1. Host A is a receiver of the multicast
group.

IGMPv2 runs on Router A and IGMP snooping version 2 runs on AC.

The function of dropping unknown multicast packets is enabled on AC to prevent AC from flooding
multicast packets in the VLAN if no corresponding Layer 2 forwarding entry exists.

The fast leave function is enabled for GigabitEthernet 1/0/2 on AC to improve bandwidth and
resource usage.

Figure 137 Network diagram

Configuring IP addresses
Configure the IP address for each interface, as shown in Figure 137. (Details not shown.)

Configuring Router A
Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet 1/1.
(Details not shown.)

Configuring the AC
1. Create VLAN 100:
   a. Select Network > VLAN from the navigation tree to enter the VLAN displaying page.
   b. Click Add.
   c. Enter the VLAN ID 100, as shown in Figure 138.
   d. Click Apply.

Figure 138 Creating VLAN 100

2. Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as untagged members of VLAN 100:
   a. Click the icon of VLAN 100 to enter its configuration page.
   b. Select the Untagged Member option for GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, as shown in Figure 139.
   c. Click Apply.

Figure 139 Adding a port to the VLAN

3. Enable IGMP snooping globally:
   a. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
   b. Select the Enable option for IGMP Snooping.
   c. Click Apply.

Figure 140 Enabling IGMP snooping globally

4. Enable IGMP snooping and the function of dropping unknown multicast data on VLAN 100:
   a. Click the icon corresponding to VLAN 100.
   b. On the page that appears, select the Enable option for IGMP Snooping, select the 2 option for Version, and select the Enable option for Drop Unknown.
   c. Click Apply.

Figure 141 Configuring the VLAN

5. Enable the fast leave function for GigabitEthernet 1/0/2:
   a. Click the Advanced tab.
   b. Select GigabitEthernet 1/0/2 from the Port list, enter the VLAN ID 100, and select the Enable option for Fast Leave.
   c. Click Apply.

Figure 142 Advanced configuration

Verifying the configuration

Display the IGMP snooping multicast entry information on AC.
1. Select Network > IGMP snooping from the navigation tree to enter the basic configuration page.
2. Click the plus sign (+) in front of Show Entries to view IGMP snooping multicast entries, as shown in Figure 143.

Figure 143 IGMP snooping multicast entry information displaying page

3. Click the icon corresponding to the multicast entry to view information about this entry, as shown in Figure 144. The page shows that GigabitEthernet 1/0/2 of AC is added to multicast group 224.1.1.1.

Figure 144 Information about an IGMP snooping multicast entry


IPv4 and IPv6 routing configuration


NOTE:
The term router in this document refers to routers, access controllers, unified switches, and access
controller modules.

Overview
Upon receiving a packet, a router determines the optimal route based on the destination address and
forwards the packet to the next router in the path. When the packet reaches the last router, it then
forwards the packet to the destination host. Routing provides the path information that guides the
forwarding of packets.
A router selects optimal routes from the routing table, and sends them to the forwarding information base
(FIB) table to guide packet forwarding. Each router maintains a routing table and a FIB table.
Static routes are manually configured. If a network's topology is simple, you only need to configure static
routes for the network to work properly. Static routes cannot adapt to network topology changes. If a fault
or a topological change occurs in the network, the network administrator must modify the static routes
manually.
For more information about routing table and static routing, see H3C WX Series Access Controllers Layer
3 Configuration Guide.

Displaying the IPv4 active route table


Select Network > IPv4 Routing from the navigation tree to enter the page shown in Figure 145.
Figure 145 IPv4 active route table


Table 66 Field description

Destination IP Address, Mask: Destination IP address and subnet mask of the IPv4 route.
Protocol: Protocol that discovered the IPv4 route.
Preference: Preference value for the IPv4 route. The smaller the number, the higher the preference.
Next Hop: Next hop IP address of the IPv4 route.
Interface: Outgoing interface of the IPv4 route. Packets destined for the specified network segment will be sent out the interface.

Creating an IPv4 static route

1. Select Network > IPv4 Routing from the navigation tree.
2. Click the Create tab to enter the IPv4 static route configuration page, as shown in Figure 146.

Figure 146 Creating an IPv4 static route

3. Specify relevant information as described in Table 67.
4. Click Apply.

Table 67 Configuration items

Destination IP Address: Enter the destination host or network IP address, in dotted decimal notation.

Mask: Enter the mask of the destination IP address. You can enter a mask length or a mask in dotted decimal notation.

Preference: Set a preference value for the static route. The smaller the number, the higher the preference. For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different preferences enables route backup.

Next Hop: Enter the next hop IP address, in dotted decimal notation.

Interface: Select the outgoing interface. You can select any available Layer 3 interface, for example, a virtual interface, of the device. If you select NULL 0, the destination IP address is unreachable.

Displaying the IPv6 active route table


Select Network > IPv6 Routing from the navigation tree to enter the page shown in Figure 147.
Figure 147 IPv6 active route table

Table 68 Field description

Destination IP Address, Prefix Length: Destination IP address and prefix length of the IPv6 route.
Protocol: Protocol that discovered the IPv6 route.
Preference: Preference value for the IPv6 route. The smaller the number, the higher the preference.
Next Hop: Next hop IP address of the IPv6 route.
Interface: Outgoing interface of the IPv6 route. Packets destined for the specified network segment will be sent out the interface.

Creating an IPv6 static route

1. Select Network > IPv6 Routing from the navigation tree.
2. Click the Create tab to enter the IPv6 static route configuration page, as shown in Figure 148.

Figure 148 Creating an IPv6 static route

3. Specify relevant information as described in Table 69.
4. Click Apply.

Table 69 Configuration items

Destination IP Address: Enter the destination host or network IP address, in the X:X::X:X format. The 128-bit destination IPv6 address is a hexadecimal address with eight parts separated by colons (:). Each part is represented by a 4-digit hexadecimal integer.

Prefix Length: Enter the prefix length of the destination IPv6 address.

Preference: Set a preference value for the static route. The smaller the number, the higher the preference. For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different priorities for them enables route backup.

Next Hop: Enter the next hop address, in the same format as the destination IP address.

Interface: Select the outgoing interface. You can select any available Layer 3 interface, for example, a virtual interface, of the device. If you select NULL 0, the destination IPv6 address is unreachable.
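The Preference and Interface rows of Tables 67 and 69 describe how the device chooses among several static routes to one destination: equal preference gives load sharing, a worse preference gives a backup that is installed only when the better next hop fails, and NULL 0 makes a destination unreachable. The Python model below is an added example for this guide, not H3C code, and it does not reproduce the AC's routing implementation; the routes are constructed from the addresses in this chapter's examples, and the default preference value of 60 is an assumption of the model (the page states only that the web interface cannot change the default).

```python
"""Static route selection: preference, load sharing, backup, NULL 0 (Tables 67 and 69).
Added example for this guide, not H3C code; routes below are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT_STATIC_PREFERENCE = 60   # assumed default; the page only says the web UI cannot change it


@dataclass(frozen=True)
class StaticRoute:
    destination: str                  # "1.1.2.0/24", "0.0.0.0/0", "3::/64", "::/0"
    next_hop: Optional[str] = None
    preference: int = DEFAULT_STATIC_PREFERENCE
    interface: Optional[str] = None   # "NULL 0" makes the destination unreachable

    @property
    def network(self):
        return ipaddress.ip_network(self.destination, strict=False)


class RoutingTable:
    def __init__(self) -> None:
        self.routes: list[StaticRoute] = []
        self.down_next_hops: set[str] = set()

    def add(self, route: StaticRoute) -> None:
        if route.next_hop is not None:
            if ipaddress.ip_address(route.next_hop).version != route.network.version:
                raise ValueError("next hop and destination must be the same address family")
        elif route.interface is None:
            raise ValueError("a static route needs a next hop or an output interface")
        self.routes.append(route)

    def set_next_hop_state(self, next_hop: str, up: bool) -> None:
        """Mark a next hop unreachable (or reachable again) to watch backup routes take over."""
        if up:
            self.down_next_hops.discard(next_hop)
        else:
            self.down_next_hops.add(next_hop)

    def active_routes(self) -> list[StaticRoute]:
        """Per destination, keep only usable routes with the best (smallest) preference.
        Equal preference leaves several routes active (load sharing); a worse
        preference stays out until the better next hop fails (route backup)."""
        best: dict = {}
        for r in self.routes:
            if r.next_hop in self.down_next_hops:
                continue
            current = best.get(r.network)
            if current is None or r.preference < current[0].preference:
                best[r.network] = [r]
            elif r.preference == current[0].preference:
                current.append(r)
        return [r for group in best.values() for r in group]

    def lookup(self, address: str) -> list[StaticRoute]:
        """Longest-prefix match among active routes; several results mean load sharing."""
        addr = ipaddress.ip_address(address)
        matches = [r for r in self.active_routes()
                   if r.network.version == addr.version and addr in r.network]
        if not matches:
            return []
        longest = max(r.network.prefixlen for r in matches)
        return [r for r in matches if r.network.prefixlen == longest]
```

Using the model, Switch B's two routes from the IPv4 example plus a second next hop at the same preference for 1.1.2.0/24 produce two next hops from `lookup()` (load sharing), while a second route for 1.1.3.0/24 at preference 70 is returned only after `set_next_hop_state("1.1.5.6", up=False)`. A route whose `interface` is `"NULL 0"` wins the longest-prefix match for its destination and carries no next hop, which is the "unreachable" effect the tables describe.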

IPv4 static route configuration example


Network requirements
The IP addresses of devices are shown in Figure 149. IPv4 static routes must be configured on Switch A,
Switch B and AC for Host A and Host B to communicate with each other.
Figure 149 Network diagram

Configuration outlines
1. On Switch A, configure a default route with Switch B as the next hop.
2. On Switch B, configure one static route with Switch A as the next hop and the other with AC as the next hop.
3. On AC, configure a default route with Switch B as the next hop.

Configuration procedure
1. Configure a default route with the next hop address 1.1.4.2 on Switch A.
2. Configure two static routes on Switch B: one with destination address 1.1.2.0/24 and next hop address 1.1.4.1, and the other with destination address 1.1.3.0/24 and next hop address 1.1.5.6.
3. Configure a default route on AC:
   a. Select Network > IPv4 Routing from the navigation tree.
   b. Click the Create tab to enter the IPv4 static route configuration page, as shown in Figure 150.
   c. Enter 0.0.0.0 for Destination IP Address, 0 for Mask, and 1.1.5.5 for Next Hop.
   d. Click Apply.

Figure 150 Configuring a default route

Verifying the configuration

1. Display the route table:
   Enter the IPv4 route page of Switch A, Switch B, and AC, respectively, to verify that the newly configured static routes are displayed as active routes on the page.
2. Ping Host B from Host A (assuming both hosts run Windows XP):
C:\Documents and Settings\Administrator>ping 1.1.3.2

Pinging 1.1.3.2 with 32 bytes of data:

Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128
Reply from 1.1.3.2: bytes=32 time=1ms TTL=128

Ping statistics for 1.1.3.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

IPv6 static route configuration example


Network requirements
The IP addresses of devices are shown in Figure 151. IPv6 static routes must be configured on Switch A,
Switch B and AC for Host A and Host B to communicate with each other.

Figure 151 Network diagram (Switch A: Vlan-int100 1::1/64 toward Host A 1::2/64, Vlan-int200 4::1/64; Switch B: Vlan-int200 4::2/64, Vlan-int300 5::2/64; AC: Vlan-int300 5::1/64, Vlan-int500 3::1/64 toward Host B 3::2/64 through the AP)

Configuration outlines
1. On Switch A, configure a default route with Switch B as the next hop.
2. On Switch B, configure one static route with Switch A as the next hop and the other with AC as the next hop.
3. On AC, configure a default route with Switch B as the next hop.

Configuration procedure
1. Configure a default route with the next hop address 4::2 on Switch A.
2. Configure two static routes on Switch B: one with destination address 1::/64 and next hop address 4::1, and the other with destination address 3::/64 and next hop address 5::1.
3. Configure a default route on AC:
   a. Select Network > IPv6 Routing from the navigation tree.
   b. Click the Create tab to enter the IPv6 static route configuration page, as shown in Figure 152.
   c. Enter :: for Destination IP Address, select 0 for Prefix Length, and enter 5::2 for Next Hop.
   d. Click Apply.

Figure 152 Configuring a default route

Verifying the configuration

1. Display the route table:
   Enter the IPv6 route page of Switch A, Switch B, and AC, respectively, to verify that the newly configured static routes are displayed as active routes on the page.
2. Ping Host B from Switch A:
<SwitchA> system-view
[SwitchA] ping ipv6 3::2
  PING 3::2 : 56  data bytes, press CTRL_C to break
    Reply from 3::2
    bytes=56 Sequence=1 hop limit=254  time = 63 ms
    Reply from 3::2
    bytes=56 Sequence=2 hop limit=254  time = 62 ms
    Reply from 3::2
    bytes=56 Sequence=3 hop limit=254  time = 62 ms
    Reply from 3::2
    bytes=56 Sequence=4 hop limit=254  time = 63 ms
    Reply from 3::2
    bytes=56 Sequence=5 hop limit=254  time = 63 ms

  --- 3::2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 62/62/63 ms

Configuration guidelines
When you configure a static route, follow these guidelines:
1. If you do not specify the preference when you configure a static route, the default preference is used. Reconfiguration of the default preference applies only to newly created static routes. Currently, the Web interface does not support configuration of the default preference.
2. When you configure a static route, the static route does not take effect if you specify the next hop address first and then configure it as the IP address of a local interface, such as an Ethernet interface or VLAN interface.
3. When specifying the output interface, note that:
   If NULL 0 or a loopback interface is specified as the output interface, there is no need to configure the next hop address.
   If a point-to-point interface is specified as the output interface, you do not need to specify the next hop or change the configuration after the peer address has changed. For example, a PPP interface obtains the peer's IP address through PPP negotiation, and therefore, you only need to specify it as the output interface.
   If the output interface is an NBMA or P2MP interface, which supports point-to-multipoint networks, the IP address-to-link layer address mapping must be established. Therefore, H3C recommends that you specify the next hop IP address when you configure it as the output interface.
   If you want to specify a broadcast interface (such as an Ethernet interface, virtual template, or VLAN interface) as the output interface, which may have multiple next hops, you must specify the next hop at the same time.


DHCP overview
NOTE:
After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and
other configuration parameters from the DHCP server. This facilitates configuration and centralized
management. For more information about the DHCP client configuration, see "Interface management."
For more information about DHCP, see H3C WX Series Access Controllers Layer 3 Configuration Guide.
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices.
DHCP uses the client/server model. Figure 153 shows a typical DHCP application.
Figure 153 A typical DHCP application

A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent.
Figure 154 DHCP relay agent application (DHCP clients on one subnet reach the DHCP server across the IP network through the DHCP relay agent)

Introduction to DHCP snooping

NOTE:
The DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.
As a DHCP security feature, DHCP snooping can implement the following:
1. Recording IP-to-MAC mappings of DHCP clients
2. Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers

Recording IP-to-MAC mappings of DHCP clients

DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports that connect to DHCP clients, and VLANs to which the ports belong.

Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers

If there is an unauthorized DHCP server on a network, DHCP clients may obtain invalid IP addresses and network configuration parameters, and cannot normally communicate with other network devices. With DHCP snooping, the ports of a device can be configured as trusted or untrusted, ensuring that the clients obtain IP addresses from authorized DHCP servers.

Trusted: A trusted port forwards DHCP messages normally.

Untrusted: An untrusted port discards the DHCP-ACK or DHCP-OFFER messages received from any DHCP server.
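The two DHCP snooping functions above (building IP-to-MAC entries from REQUEST/ACK pairs, and discarding server replies on untrusted ports) can be shown end to end on constructed DHCP messages. The following Python block is an added example for this guide, not H3C code, and it does not reproduce the AC's implementation: `build_dhcp()` constructs minimal BOOTP/DHCP messages carrying only the message-type option, `parse_dhcp()` reads the fixed header and the option list, and `DhcpSnoopingSwitch` applies the trust rule exactly as the text states it (OFFER and ACK are dropped on untrusted ports). Port names, the VLAN ID, the client MAC address and the assigned IP addresses are sample values.

```python
"""DHCP snooping port trust: forward or discard server messages by port, and
record IP-to-MAC entries from REQUEST/ACK pairs. Added example for this guide,
not H3C code; message bytes are constructed here with build_dhcp()."""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass
from enum import IntEnum

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 options cookie


class DhcpMessageType(IntEnum):
    DISCOVER = 1
    OFFER = 2
    REQUEST = 3
    DECLINE = 4
    ACK = 5
    NAK = 6
    RELEASE = 7


def build_dhcp(op: int, msg_type: DhcpMessageType, chaddr: bytes,
               yiaddr: str = "0.0.0.0", xid: int = 0x3903F326) -> bytes:
    """Minimal BOOTP/DHCP message with only option 53 (constructed sample data)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0,
                        bytes(4), ipaddress.IPv4Address(yiaddr).packed, bytes(4), bytes(4),
                        chaddr.ljust(16, b"\x00"), bytes(64), bytes(128))
    return fixed + MAGIC_COOKIE + bytes([53, 1, int(msg_type), 255])


def parse_dhcp(frame: bytes) -> tuple[DhcpMessageType, str, str]:
    """Return (message type, client MAC, yiaddr) from the fixed header and option 53."""
    if len(frame) < 240 or frame[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = frame[2]
    yiaddr = str(ipaddress.IPv4Address(frame[16:20]))
    mac = frame[28:28 + hlen].hex(":")
    msg_type = None
    i = 240
    while i < len(frame):                 # walk the TLV options until END (255)
        code = frame[i]
        if code == 255:
            break
        if code == 0:                     # PAD has no length byte
            i += 1
            continue
        length = frame[i + 1]
        if code == 53 and length == 1:
            msg_type = DhcpMessageType(frame[i + 2])
        i += 2 + length
    if msg_type is None:
        raise ValueError("DHCP message type option missing")
    return msg_type, mac, yiaddr


@dataclass
class SnoopingEntry:
    mac: str
    ip: str
    port: str   # port that connects to the client
    vlan: int


class DhcpSnoopingSwitch:
    SERVER_REPLIES = (DhcpMessageType.OFFER, DhcpMessageType.ACK)   # the types the page names

    def __init__(self, trusted_ports: set[str]) -> None:
        self.trusted = set(trusted_ports)
        self.entries: dict[str, SnoopingEntry] = {}
        self.pending: dict[str, tuple[str, int]] = {}   # MAC -> (client port, VLAN)
        self.dropped: list[tuple[str, str]] = []

    def receive(self, port: str, vlan: int, frame: bytes) -> bool:
        """Apply the trust rule; True means the message is forwarded."""
        msg_type, mac, yiaddr = parse_dhcp(frame)
        if msg_type in self.SERVER_REPLIES and port not in self.trusted:
            self.dropped.append((port, msg_type.name))   # server reply on an untrusted port
            return False
        if msg_type == DhcpMessageType.REQUEST:
            self.pending[mac] = (port, vlan)              # remember which port the client is on
        elif msg_type == DhcpMessageType.ACK and mac in self.pending:
            client_port, client_vlan = self.pending.pop(mac)
            self.entries[mac] = SnoopingEntry(mac, yiaddr, client_port, client_vlan)
        return True
```

The `dropped` list is the detection side of the feature: every tuple in it names an untrusted port on which something answered a client as if it were a DHCP server, which is what an administrator would want surfaced. The entry records the client-facing port learned from the REQUEST, not the trusted port on which the ACK arrived, matching the field list in the text.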

Recommended configuration procedure (for DHCP server)

Step 1: Enabling DHCP
Remarks: Required. Enable DHCP globally. By default, global DHCP is disabled.

Step 2: Creating an address pool for the DHCP server (Creating a static address pool for the DHCP server; Creating a dynamic address pool for the DHCP server)
Remarks: Required. Use at least one approach.
IMPORTANT:
If the DHCP server and DHCP clients are on the same subnet, make sure the address pool is on the same network segment as the interface with the DHCP server enabled; otherwise, the clients will fail to obtain IP addresses.
If a DHCP client obtains an IP address via a DHCP relay agent, an IP address pool on the same network segment as the DHCP relay agent interface must be configured; otherwise, the client will fail to obtain an IP address.

Step 3: Enabling the DHCP server on an interface
Remarks: Optional. With the DHCP server enabled on an interface, upon receiving a client's request, the DHCP server will assign an IP address from its address pool to the DHCP client. With DHCP enabled, interfaces work in the DHCP server mode.
IMPORTANT:
An interface cannot serve as both the DHCP server and the DHCP relay agent. The latest configuration takes effect.
The DHCP server works on interfaces with IP addresses manually configured only.

Step 4: Displaying information about assigned IP addresses
Remarks: Optional.

Enabling DHCP
1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 155.
2. Select the Enable option on the upper part of the page to enable DHCP globally.

Figure 155 DHCP configuration page

Creating a static address pool for the DHCP server

1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 155.
2. Select the Static option in the Address Pool field to view all static address pools.
3. Click Add to enter the page shown in Figure 156.

Figure 156 Creating a static address pool

4. Configure the static address pool as described in Table 70.
5. Click Apply.

Table 70 Configuration items

IP Pool Name: Enter the name of a static address pool.

IP Address, Mask: Enter an IP address and select a subnet mask for the static address pool. The IP address cannot be the IP address of any interface on the DHCP server. Otherwise, an IP address conflict may occur and the bound client cannot obtain an IP address correctly. You can enter a mask length or a mask in dotted decimal notation.

Client MAC Address, Client ID: Configure the client MAC address or the client ID for the static address pool.
IMPORTANT:
The client ID must be identical to the ID of the client to be bound. Otherwise, the client cannot obtain an IP address.

Client Domain Name: Enter the domain name suffix for the client. With the suffix assigned, the client only needs to enter part of a domain name, and the system adds the domain name suffix for name resolution.

Gateway Address: Enter the gateway addresses for the client. A DHCP client that wants to access an external host needs to send requests to a gateway. You can specify gateways in each address pool and the DHCP server will assign gateway addresses while assigning an IP address to the client. Up to eight gateways can be specified in a DHCP address pool, separated by commas.

DNS Server Address: Enter the DNS server addresses for the client. To allow the client to access a host on the Internet through DNS, you need to specify a DNS server address. Up to eight DNS servers can be specified in a DHCP address pool, separated by commas.

WINS Server Address: Enter the WINS server addresses for the client. If b-node is specified for the client, you do not need to specify any WINS server address. Up to eight WINS servers can be specified in a DHCP address pool, separated by commas.

NetBIOS Node Type: Select the NetBIOS node type for the client.

Creating a dynamic address pool for the DHCP server
1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 155.
2. Select the Dynamic option in the Address Pool field to view all dynamic address pools.
3. Click Add to enter the page shown in Figure 157.

Figure 157 Creating a dynamic address pool

4. Configure the dynamic address pool as described in Table 71.
5. Click Apply.

Table 71 Configuration items

IP Pool Name: Enter the name of a dynamic address pool.

IP Address, Mask: Enter an IP address segment for dynamic allocation. To avoid address conflicts, the DHCP server excludes the IP addresses used by gateways or FTP servers from dynamic allocation. You can enter a mask length or a mask in dotted decimal notation.

Lease Duration: Configure the address lease duration for the address pool, in days/hours/minutes/seconds, or select Unlimited. Unlimited indicates the infinite duration.

Client Domain Name: Enter the domain name suffix for the client. With the suffix assigned, the client only needs to enter part of a domain name, and the system will add the domain name suffix for name resolution.

Gateway Address: Enter the gateway addresses for the client. DHCP clients that want to access hosts outside the local subnet request gateways to forward data. You can specify gateways in each address pool for clients and the DHCP server will assign gateway addresses while assigning an IP address to the client. Up to eight gateways can be specified in a DHCP address pool, separated by commas.

DNS Server Address: Enter the DNS server addresses for the client. To allow the client to access a host on the Internet via the host name, you need to specify DNS server addresses. Up to eight DNS servers can be specified in a DHCP address pool, separated by commas.

WINS Server Address: Enter the WINS server addresses for the client. If b-node is specified for the client, you do not need to specify any WINS server address. Up to eight WINS servers can be specified in a DHCP address pool, separated by commas.

NetBIOS Node Type: Select the NetBIOS node type for the client.

Enabling the DHCP server on an interface

1. Select Network > DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 155.
2. Click the icon next to a specific interface to enter the page shown in Figure 158.
3. Select the Enable option for DHCP Server.
4. Click Apply.

Figure 158 Configuring a DHCP server interface

Displaying information about assigned IP addresses
1. Select Network > DHCP > DHCP Server from the navigation tree to enter the page, as shown in Figure 155.
2. Click Addresses in Use in the Address In Use field on the lowest part of the page to view information about the IP addresses assigned from the address pool.

Figure 159 Displaying addresses in use

Table 72 Field description

IP Address: Assigned IP address.
Client MAC Address/Client ID: Client MAC address or client ID bound to the IP address.
Pool Name: Name of the DHCP address pool where the IP address belongs.
Lease Expiration: Lease time of the IP address.

Recommended configuration procedure (for DHCP relay agent)

Step 1: Enabling DHCP and configuring advanced parameters for the DHCP relay agent
Remarks: Required. Enable DHCP globally and configure advanced DHCP parameters. By default, global DHCP is disabled.

Step 2: Creating a DHCP server group
Remarks: Required. To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group. When the interface receives requesting messages from clients, the relay agent will forward them to all the DHCP servers of the group.

Step 3: Enabling the DHCP relay agent on an interface
Remarks: Required. Enable the DHCP relay agent on an interface, and correlate the interface with a DHCP server group. With DHCP enabled, interfaces work in the DHCP server mode by default.
IMPORTANT:
An interface cannot serve as both the DHCP server and the DHCP relay agent. The latest configuration takes effect.
If the DHCP relay agent is enabled on an Ethernet subinterface, a packet received from a client on this interface must contain a VLAN tag and the VLAN tag must be the same as the VLAN ID of the subinterface; otherwise, the packet is discarded.
The DHCP relay agent works on interfaces with IP addresses manually configured only.
If an Ethernet subinterface serves as a DHCP relay agent, it conveys IP addresses only to subinterfaces of DHCP clients. In this case, a PC cannot obtain an IP address as a DHCP client.

Step 4: Configuring and displaying clients' IP-to-MAC bindings
Remarks: Optional. Create a static IP-to-MAC binding, and view static and dynamic bindings. The DHCP relay agent can dynamically record clients' IP-to-MAC bindings after clients get IP addresses. It also supports static bindings. In other words, you can manually configure IP-to-MAC bindings on the DHCP relay agent, so that users can access the external network using fixed IP addresses. By default, no static binding is created.

Enabling DHCP and configuring advanced parameters for the DHCP relay agent
1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Relay tab to enter the page as shown in Figure 160.

Figure 160 DHCP relay agent configuration page

3. Select the Enable option for DHCP Service.
4. Click Display Advanced Configuration to expand the advanced DHCP relay agent configuration field, as shown in Figure 161.

Figure 161 Advanced DHCP relay agent configuration field

5. Configure the advanced DHCP relay agent parameters as described in Table 73.
6. Click Apply. You must also click Apply for enabling the DHCP service.

Table 73 Configuration items

Unauthorized Server Detect: Enable or disable unauthorized DHCP server detection. There are unauthorized DHCP servers on networks, which reply to DHCP clients with wrong IP addresses. With this feature enabled, upon receiving a DHCP request, the DHCP relay agent will record the IP address of any DHCP server that assigned an IP address to the DHCP client and the receiving interface. The administrator can use this information to identify unauthorized DHCP servers. The device records each DHCP server once. The administrator needs to find unauthorized DHCP servers from the log information. After the information of recorded DHCP servers is cleared, the relay agent will re-record server information following this mechanism.

Dynamic Bindings Refresh, Track Timer Interval: Enable or disable periodic refresh of dynamic client entries, and set the refresh interval. Via the DHCP relay agent, a DHCP client sends a DHCP-RELEASE unicast message to the DHCP server to relinquish its IP address. In this case the DHCP relay agent simply conveys the message to the DHCP server, so it does not remove the IP address from its dynamic client entries. To solve this problem, the periodic refresh of dynamic client entries feature is introduced. With this feature, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay agent interface to periodically send a DHCP-REQUEST message to the DHCP server.
If the server returns a DHCP-ACK message or does not return any message within a specified interval, which means that the IP address is assignable now, the DHCP relay agent will age out the client entry.
If the server returns a DHCP-NAK message, which means the IP address is still in use, the relay agent will not age it out.
If the Auto option is selected, the refresh interval is calculated by the relay agent according to the number of client entries.

Creating a DHCP server group

1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Relay tab to enter the page as shown in Figure 160.
3. In the Server Group field, click Add to enter the page as shown in Figure 162.

Figure 162 Creating a server group

4. Specify the DHCP server group information as described in Table 74.
5. Click Apply.

Table 74 Configuration items

Server Group ID
    Enter the ID of a DHCP server group.
    You can create up to 20 DHCP server groups.

IP Address
    Enter the IP address of a server in the DHCP server group.
    The server IP address cannot be on the same subnet as the IP address of the DHCP relay agent. Otherwise, the client cannot obtain an IP address.

Enabling the DHCP relay agent on an interface

1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Relay tab to enter the page as shown in Figure 160.
3. In the Interface Config field, click the icon of a specific interface to enter the page as shown in Figure 163.

Figure 163 Configuring a DHCP relay agent interface

4. Configure the parameters as described in Table 75.
5. Click Apply.

Table 75 Configuration items

Interface Name
    This field displays the name of a specific interface.

DHCP Relay
    Enable or disable the DHCP relay agent on the interface.
    If the DHCP relay agent is disabled, the DHCP server is enabled on the interface.

Address Match Check
    Enable or disable IP address check.
    With this function enabled, the DHCP relay agent checks whether a requesting client's IP and MAC addresses match a binding (dynamic or static) on the DHCP relay agent. If not, the client cannot access outside networks via the DHCP relay agent. This prevents invalid IP address configuration.

Server Group ID
    Correlate the interface with a DHCP server group.
    A DHCP server group can be correlated with multiple interfaces.

Configuring and displaying clients' IP-to-MAC bindings

1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Relay tab to enter the page as shown in Figure 160.
3. In the User Information field, click User Information to view static and dynamic bindings, as shown in Figure 164.

Figure 164 Displaying clients' IP-to-MAC bindings

4. Click Add to enter the page shown in Figure 165.

Figure 165 Creating a static IP-to-MAC binding

5. Configure the static IP-to-MAC binding as described in Table 76.
6. Click Apply.

Table 76 Configuration items

IP Address
    Enter the IP address of a DHCP client.

MAC Address
    Enter the MAC address of the DHCP client.

Interface Name
    Select the Layer 3 interface connected with the DHCP client.
    IMPORTANT:
    The interface of a static binding entry must be configured as a DHCP relay agent. Otherwise, address entry conflicts may occur.

Recommended configuration procedure (for DHCP snooping)

1. Enabling DHCP snooping
    Required.
    By default, DHCP snooping is disabled.

2. Configuring DHCP snooping functions on an interface
    Required.
    Specify an interface as trusted and configure DHCP snooping to support Option 82.
    By default, an interface is untrusted and DHCP snooping does not support Option 82.
    IMPORTANT:
    You need to specify the ports connected to the authorized DHCP servers as trusted to make sure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN.

3. Displaying clients' IP-to-MAC bindings
    Optional.
    Display clients' IP-to-MAC bindings recorded by DHCP snooping.

Enabling DHCP snooping

1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Snooping tab to enter the page as shown in Figure 166.
3. Select the Enable option for DHCP Snooping.

Figure 166 DHCP snooping configuration page

Configuring DHCP snooping functions on an interface

1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Snooping tab to enter the page as shown in Figure 166.
3. In the Interface Config field, click the icon of a specific interface to enter the page as shown in Figure 167.

Figure 167 DHCP snooping interface configuration page

4. Configure the parameters as described in Table 77.
5. Click Apply.

Table 77 Configuration items

Interface Name
    This field displays the name of a specific interface.

Interface State
    Configure the interface as trusted or untrusted.

Option 82 Support
    Configure DHCP snooping to support Option 82 or not.

Option 82 Strategy
    Select the handling strategy for DHCP requests containing Option 82. The strategies include:
    Drop: The message is discarded if it contains Option 82.
    Keep: The message is forwarded without its Option 82 being changed.
    Replace: The message is forwarded after its original Option 82 is replaced with the Option 82 padded in normal format.

Displaying clients' IP-to-MAC bindings

1. Select Network > DHCP from the navigation tree.
2. Click the DHCP Snooping tab to enter the page as shown in Figure 166.
3. Click User Information to enter the DHCP snooping user information page, as shown in Figure 168.

Figure 168 DHCP snooping user information

4. View clients' IP-to-MAC bindings recorded by DHCP snooping as described in Table 78.

Table 78 Configuration items

IP Address
    This field displays the IP address assigned by the DHCP server to the client.

MAC Address
    This field displays the MAC address of the client.

Type
    This field displays the client type, which can be:
    Dynamic: The IP-to-MAC binding is generated dynamically.
    Static: The IP-to-MAC binding is configured manually. Currently, static bindings are not supported.

Interface Name
    This field displays the device interface to which the client is connected.

VLAN
    This field displays the VLAN to which the device belongs.

Remaining Lease Time
    This field displays the remaining lease time of the IP address.

DHCP server configuration example

Network requirements
As shown in Figure 169, the DHCP client on subnet 10.1.1.0/24 obtains an IP address dynamically from the DHCP server (AC). The IP address of VLAN-interface 2 of the AC is 10.1.1.1/24.
In subnet 10.1.1.0/24, the address lease duration is ten days and twelve hours and the gateway address is 10.1.1.1.

Figure 169 Network diagram (AC as DHCP server with Vlan-int2 10.1.1.1/24; Host and AP as DHCP clients)

Configuration procedure
1. Enable DHCP:
    a. Select Network > DHCP from the navigation tree to enter the default DHCP Server page.
    b. Select the Enable option for DHCP Service.

Figure 170 Enabling DHCP

2. Enable the DHCP server on VLAN-interface 2 (this operation can be omitted because the DHCP server is enabled on the interface by default):
    a. In the Interface Config field, click the icon of VLAN-interface 2.
    b. Select the Enable option for DHCP Server.
    c. Click Apply.

Figure 171 Enabling the DHCP server on VLAN-interface 2

3. Configure a dynamic address pool for the DHCP server:
    a. Select the Dynamic option in the Address Pool field (default setting), and click Add.
    b. On the page that appears, enter test for IP Pool Name, enter 10.1.1.0 for IP Address, enter 255.255.255.0 for Mask, enter 10 days 12 hours 0 minutes 0 seconds for Lease Duration, and enter 10.1.1.1 for Gateway Address.
    c. Click Apply.

Figure 172 Configuring a dynamic address pool for the DHCP server

DHCP relay agent configuration example

Network requirements
As shown in Figure 173, VLAN-interface 1 on the DHCP relay agent (AC) connects to the network where
DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and the IP address of
VLAN-interface 2 is 10.1.1.1/24. VLAN-interface 2 is connected to the DHCP server whose IP address is
10.1.1.1/24.
The AC forwards messages between DHCP clients and the DHCP server.
Figure 173 Network diagram

Configuration procedure
NOTE:
Because the DHCP relay agent and server are on different subnets, you must configure a static route or
dynamic routing protocol so they can communicate.
1. Enable DHCP:
    a. Select Network > DHCP from the navigation tree.
    b. Click the DHCP Relay tab.
    c. Select the Enable option for DHCP Service.
    d. Click Apply.

Figure 174 Enabling DHCP

2. Configure a DHCP server group:
    a. In the Server Group field, click Add.
    b. Enter 1 for Server Group ID, and 10.1.1.1 for IP Address.
    c. Click Apply.

Figure 175 Adding a DHCP server group

3. Enable the DHCP relay agent on VLAN-interface 1:
    a. In the Interface Config field, click the icon of VLAN-interface 1.
    b. Select the Enable option for DHCP Relay, and select 1 for Server Group ID.
    c. Click Apply.

Figure 176 Enabling the DHCP relay agent on an interface and correlating it with a server group

DHCP snooping configuration example

Network requirements
As shown in Figure 177, a DHCP snooping device (AC) is connected to a DHCP server through
GigabitEthernet 1/0/2, and to an AP through GigabitEthernet 1/0/1.

Enable DHCP snooping on the AC and configure DHCP snooping to support Option 82. Configure
the handling strategy for DHCP requests containing Option 82 as replace.

Enable GigabitEthernet 1/0/2 to forward DHCP server responses; disable GigabitEthernet 1/0/1
from forwarding DHCP server responses.

Configure the AC to record clients' IP-to-MAC address bindings in DHCP-REQUEST messages and
DHCP-ACK messages received from a trusted port.

Figure 177 Network diagram

Configuration procedure
1. Enable DHCP snooping:
    a. Select Network > DHCP from the navigation tree.
    b. Click the DHCP Snooping tab.
    c. Select the Enable option for DHCP Snooping.

Figure 178 Enabling DHCP snooping

2. Configure DHCP snooping functions on GigabitEthernet 1/0/2:
    a. Click the icon of GigabitEthernet 1/0/2 on the interface list.
    b. Select the Trust option for Interface State.
    c. Click Apply.

Figure 179 Configuring DHCP snooping functions on GigabitEthernet 1/0/2

3. Configure DHCP snooping functions on GigabitEthernet 1/0/1:
    a. Click the icon of GigabitEthernet 1/0/1 on the interface list.
    b. To configure the DHCP snooping functions on the interface:
        Select the Untrust option for Interface State.
        Select the Enable option for Option 82 Support.
        Select Replace from the Option 82 Strategy list.
    c. Click Apply.

Figure 180 Configuring DHCP snooping functions on GigabitEthernet 1/0/1
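The following Python is an added illustration (not H3C's own code) of the DHCP snooping behaviour described in Table 77 and in this example: server replies arriving on an untrusted port are discarded, IP-to-MAC bindings are learned from DHCP-ACK messages received on a trusted port, and client requests on a port with Option 82 support are handled by the Drop, Keep or Replace strategy. The exact layout of H3C's "normal format" Option 82 is not given on this page, so the example encodes the port name and device MAC as RFC 3046 sub-options 1 and 2, and it assumes a request without Option 82 has one inserted when support is enabled; all packets and MAC addresses are constructed.

```python
"""DHCP snooping model: trusted ports, binding learning and the Option 82 strategies."""
import struct
from dataclasses import dataclass, field

# DHCP message types carried in option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
OPT_PAD, OPT_LEASE, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 51, 53, 82, 255
MAGIC = b"\x63\x82\x53\x63"
HEADER_LEN = 236 + len(MAGIC)  # fixed BOOTP header plus the DHCP magic cookie


def parse_options(pkt):
    """Return the options field as an ordered list of (code, value) pairs."""
    opts, i = [], HEADER_LEN
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts.append((code, bytes(pkt[i + 2:i + 2 + length])))
        i += 2 + length
    return opts


def encode_options(opts):
    """Serialize (code, value) pairs back into a TLV options field."""
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def build_packet(msg_type, chaddr, yiaddr="0.0.0.0", extra=()):
    """Build a minimal DHCP packet (constructed test data, not captured traffic)."""
    hdr = bytearray(236)
    hdr[0] = 2 if msg_type in (OFFER, ACK, NAK) else 1  # op: BOOTREPLY or BOOTREQUEST
    hdr[1], hdr[2] = 1, 6                               # htype Ethernet, hlen 6
    hdr[16:20] = bytes(int(o) for o in yiaddr.split("."))
    hdr[28:34] = chaddr
    return bytes(hdr) + MAGIC + encode_options([(OPT_MSG_TYPE, bytes([msg_type]))] + list(extra))


def normal_option82(circuit_id, remote_id):
    """Assumed 'normal format': RFC 3046 sub-option 1 (Circuit ID) and 2 (Remote ID)."""
    return bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id


@dataclass
class DhcpSnooper:
    device_mac: bytes
    trusted: set                                  # ports behind which authorized servers sit
    option82: dict                                # port -> "drop" | "keep" | "replace"; absent = off
    bindings: dict = field(default_factory=dict)  # client MAC -> (ip, port, lease seconds)
    dropped: list = field(default_factory=list)   # (port, reason) entries for audit/logging

    def handle(self, port, pkt):
        """Return the packet to forward, or None when DHCP snooping discards it."""
        opts = parse_options(pkt)
        byname = dict(opts)
        msg_type = byname[OPT_MSG_TYPE][0]
        if msg_type in (OFFER, ACK, NAK):
            # Server replies are only accepted from trusted ports (authorized server side).
            if port not in self.trusted:
                self.dropped.append((port, "server reply on untrusted port"))
                return None
            if msg_type == ACK:  # record the IP-to-MAC binding from the acknowledged lease
                ip = ".".join(str(b) for b in pkt[16:20])
                lease = struct.unpack("!I", byname.get(OPT_LEASE, b"\0\0\0\0"))[0]
                self.bindings[bytes(pkt[28:34])] = (ip, port, lease)
            return pkt
        strategy = self.option82.get(port)
        if strategy is None:                      # Option 82 support disabled: forward untouched
            return pkt
        has_82 = OPT_RELAY_AGENT in byname
        if has_82 and strategy == "drop":
            self.dropped.append((port, "request already carries Option 82"))
            return None
        if has_82 and strategy == "keep":
            return pkt
        # "replace", or no Option 82 present yet (assumed to be inserted): use our own Option 82
        mine = normal_option82(port.encode(), self.device_mac)
        opts = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT] + [(OPT_RELAY_AGENT, mine)]
        return pkt[:HEADER_LEN] + encode_options(opts)


def demo():
    """Re-create the page's example: GigabitEthernet1/0/2 trusted, 1/0/1 untrusted with Replace."""
    snooper = DhcpSnooper(device_mac=bytes.fromhex("00e0fc000001"),   # constructed AC MAC
                          trusted={"GigabitEthernet1/0/2"},
                          option82={"GigabitEthernet1/0/1": "replace"})
    client = bytes.fromhex("000c29aabbcc")                             # constructed client MAC
    rogue_offer = build_packet(OFFER, client, "10.1.1.200")
    request = build_packet(REQUEST, client, extra=[(OPT_RELAY_AGENT, b"\x01\x03foo")])
    ack = build_packet(ACK, client, "10.1.1.10", extra=[(OPT_LEASE, struct.pack("!I", 86400))])
    results = {
        "rogue_offer": snooper.handle("GigabitEthernet1/0/1", rogue_offer),  # dropped
        "request": snooper.handle("GigabitEthernet1/0/1", request),          # Option 82 replaced
        "ack": snooper.handle("GigabitEthernet1/0/2", ack),                  # forwarded, binding learned
    }
    return snooper, results
```

Running demo() leaves one binding for the client MAC and one audit entry for the OFFER that arrived on the untrusted port.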


DNS configuration
Overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain
names into corresponding IP addresses. With DNS, you can use easy-to-remember domain names in
some applications and let the DNS server translate them into correct IP addresses.
There are two types of DNS services, static and dynamic. After a user specifies a name, the device checks
the local static name resolution table for an IP address. If no IP address is available, it contacts the DNS
server for dynamic name resolution, which takes more time than static name resolution. Therefore, some
frequently queried name-to-IP address mappings are stored in the local static name resolution table to
improve efficiency.

Static domain name resolution

Static domain name resolution means manually setting up mappings between domain names and IP addresses. When you use applications such as telnet, the IP addresses of the corresponding domain names are looked up in the static domain resolution table.

Dynamic domain name resolution

Dynamic domain name resolution is implemented by querying the DNS server.

DNS proxy
A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server.
A DNS client considers the DNS proxy as the DNS server and sends a DNS request to the DNS proxy,
which forwards the request to the designated DNS server, and conveys the reply from the DNS server to
the client.
The DNS proxy simplifies network management. When the DNS server address is changed, you only
need to change the configuration on the DNS proxy instead of on each DNS client.
For more information about DNS, see H3C WX Series Access Controllers Layer 3 Configuration Guide.

Recommended configuration procedure

Configuring static name resolution table

Configuring static name resolution table
    Required.
    By default, no host name-to-IP address mappings are configured in the static domain name resolution table.

Configuring dynamic domain name resolution

1. Configuring dynamic domain name resolution
    Required.
    This function is disabled by default.
2. Adding a DNS server address
    Required.
    Not configured by default.
3. Adding a domain name suffix
    Optional.
    Not configured by default.
4. Clearing dynamic DNS cache
    Optional.

Configuring DNS proxy

1. Configuring DNS proxy
    Required.
    By default, the device is not a DNS proxy.
2. Adding a DNS server address
    Required.
    Not configured by default.

Configuring static name resolution table

1. Select Network > DNS from the navigation tree to enter the default static domain name resolution configuration page shown in Figure 181.

Figure 181 Static domain name resolution configuration page

2. Click Add to enter the page shown in Figure 182.

Figure 182 Creating a static domain name resolution entry

3. Configure the parameters as described in Table 79.
4. Click Apply.

Table 79 Configuration items

Host Name
Host IP Address
    Configure the mapping between a host name and an IP address in the static domain name table.
    Each host name corresponds to only one IP address. If you configure multiple IP addresses for a host name, the last configured one takes effect.

Configuring dynamic domain name resolution

1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 183.
3. Select the Enable option for Dynamic DNS.
4. Click Apply.

Figure 183 Dynamic domain name resolution configuration page

Configuring DNS proxy

1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 183.
3. Select the Enable option for DNS Proxy.
4. Click Apply.

Adding a DNS server address

1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 183.
3. Click Add IP to enter the page shown in Figure 184.
4. Enter an IP address in the DNS Server IP address field.
5. Click Apply.

Figure 184 Adding a DNS server address

Adding a domain name suffix

1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 183.
3. Click Add Suffix to enter the page shown in Figure 185.
4. Enter a DNS suffix in the DNS Domain Name Suffix field.
5. Click Apply.

Figure 185 Adding a domain name suffix

Clearing dynamic DNS cache

1. Select Network > DNS from the navigation tree.
2. Click the Dynamic tab to enter the page shown in Figure 183.
3. Select the Clear Dynamic DNS cache box.
4. Click Apply.

DNS configuration example

Network requirements
As shown in Figure 186, the AC wants to access the host by using an easy-to-remember domain name rather than an IP address, and to request the DNS server on the network for an IP address by using dynamic domain name resolution. The IP address of the DNS server is 2.1.1.2/16 and the DNS server has a com domain, which stores the mapping between domain name host and IP address 3.1.1.1/16.
The AC serves as a DNS client, and uses dynamic domain name resolution and the suffix to access the host with the domain name host.com and the IP address 3.1.1.1/16.
Figure 186 Network diagram

NOTE:
Before performing the following configuration, make sure that the AC and the host are reachable to each other, and that the IP addresses of the interfaces are configured as shown in Figure 186.
This configuration may vary with DNS servers. The following configuration is performed on a PC running Windows Server 2000.

Configuring the DNS server

1. Create zone com:
    a. Select Start > Programs > Administrative Tools > DNS.
    b. As shown in Figure 187, right-click Forward Lookup Zones and select New Zone.
    c. Follow the instructions to create a new zone named com.

Figure 187 Creating a zone

2. Create a mapping between host name and IP address:
    a. In Figure 188, right-click zone com, and then select New Host.

Figure 188 Adding a host

    b. In the dialog box as shown in Figure 189, enter host name host and IP address 3.1.1.1.
    c. Click Add Host.

Figure 189 Adding a mapping between domain name and IP address

Configuring the AC
1. Enable dynamic domain name resolution:
    a. Select Network > DNS from the navigation tree.
    b. Click the Dynamic tab.
    c. Select the Enable option for Dynamic DNS, as shown in Figure 190.
    d. Click Apply.

Figure 190 Enabling dynamic domain name resolution

2. Configure the DNS server address:
    a. Click Add IP in Figure 190 to enter the page for adding a DNS server IP address.
    b. Enter 2.1.1.2 for DNS Server IP Address, as shown in Figure 191.
    c. Click Apply.

Figure 191 Adding a DNS server address

3. Configure the domain name suffix:
    a. Click Add Suffix in Figure 190.
    b. Enter com for DNS Domain Name Suffix, as shown in Figure 192.
    c. Click Apply.

Figure 192 Adding a DNS domain name suffix

Verifying the configuration

Use the ping host command on the AC to verify that the communication between the AC and the host is normal and that the corresponding destination IP address is 3.1.1.1.
1. Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page.
2. Enter host in the Destination IP address or host name field.
3. Click Start to execute the ping command.
4. View the result in the Summary field.

Figure 193 Ping operation

Service management
Overview
The service management module provides the following types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS. You can enable or disable the services as needed. Disabling unneeded services improves the performance and security of the system and supports secure management of the device.
The service management module also lets you modify the HTTP and HTTPS port numbers, and associate the FTP, HTTP, or HTTPS service with an ACL, which reduces attacks on these services by unauthorized users.

FTP service
The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client
over a TCP/IP network.

Telnet service
The Telnet protocol is an application layer protocol that provides remote login and virtual terminal
functions on the network.

SSH service
Secure Shell (SSH) offers an approach to securely logging in to a remote device. By encryption and
strong authentication, it protects devices against attacks such as IP spoofing and plain text password
interception.

SFTP service
The Secure File Transfer Protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer. The device can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The device can also serve as an SFTP client, enabling a user to log in from the device to a remote device for secure file transfer.

HTTP service
The Hypertext Transfer Protocol (HTTP) is used for transferring web page information across the Internet. It is an application-layer protocol in the TCP/IP protocol suite.
With the HTTP service enabled, you can log in to the device using HTTP and access and control the device through Web-based network management.

HTTPS service
Secure HTTP (HTTPS) refers to the HTTP protocol that supports the Secure Sockets Layer (SSL) protocol.
The SSL protocol of HTTPS enhances the security of the device in the following ways:

Uses the SSL protocol to ensure that legal clients access the device securely and to prohibit illegal clients.

Encrypts the data exchanged between the HTTPS client and the device to ensure data security and integrity, realizing secure management of the device.

Defines a certificate attribute-based access control policy for the device to control the access rights of clients, in order to further avoid attacks from illegal clients.

Configuring service management

1. Select Network > Service from the navigation tree to enter the service management configuration page, as shown in Figure 194.

Figure 194 Service management

2. Enable or disable various services on the page as described in Table 80.
3. Click Apply.

Table 80 Configuration items

FTP
    Enable FTP service
        Specify whether to enable the FTP service.
        The FTP service is disabled by default.
    ACL
        Associate the FTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the FTP service.
        You can view this configuration item by clicking the expanding button in front of FTP.

Telnet
    Enable Telnet service
        Specify whether to enable the Telnet service.
        The Telnet service is enabled by default.

SSH
    Enable SSH service
        Specify whether to enable the SSH service.
        The SSH service is disabled by default.

SFTP
    Enable SFTP service
        Specify whether to enable the SFTP service.
        The SFTP service is disabled by default.
        IMPORTANT:
        When you enable the SFTP service, the SSH service must be enabled.

HTTP
    Enable HTTP service
        Specify whether to enable the HTTP service.
        The HTTP service is disabled by default.
    Port Number
        Set the port number for the HTTP service.
        You can view this configuration item by clicking the expanding button in front of HTTP.
        IMPORTANT:
        When you modify a port, make sure that the port is not used by another service.
    ACL
        Associate the HTTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTP service.
        You can view this configuration item by clicking the expanding button in front of HTTP.

HTTPS
    Enable HTTPS service
        Specify whether to enable the HTTPS service.
        The HTTPS service is disabled by default.
    Port Number
        Set the port number for the HTTPS service.
        You can view this configuration item by clicking the expanding button in front of HTTPS.
        IMPORTANT:
        When you modify a port, make sure that the port is not used by another service.
    ACL
        Associate the HTTPS service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTPS service.
        You can view this configuration item by clicking the expanding button in front of HTTPS.
    Certificate
        Set the local certificate for the HTTPS service. The list displays certificate subjects.
        You can configure the available PKI domains by selecting Authentication > Certificate Management from the navigation tree at the left side of the interface. For more information, see "Certificate management."
        IMPORTANT:
        The service management, portal authentication and local EAP service modules always reference the same PKI domain. Changing the referenced PKI domain in any of the three modules also changes the one referenced in the other two modules.

Diagnostic tools
Ping
You can use the ping function to check whether a device with a specified address is reachable, and to
examine network connectivity.
A successful execution of the ping command involves the following steps:
1. The source device sends an ICMP echo request (ECHO-REQUEST) to the destination device.
2. The destination device responds by sending an ICMP echo reply (ECHO-REPLY) to the source device after receiving the ICMP echo request.
3. The source device displays related statistics after receiving the reply.
The output of the ping command includes the following:

The ping command can be applied to the destination's host name or IP address. If the destination's host name is unknown, prompt information is displayed.

If the source device does not receive an ICMP echo reply within the timeout time, it displays prompt information and the statistics of the ping operation. If the source device receives an ICMP echo reply within the timeout time, it displays the number of bytes of the echo reply, the message sequence number, the Time to Live (TTL), the response time, and the statistics of the ping operation. Statistics of the ping operation include the number of packets sent, the number of echo reply messages received, the percentage of messages not received, and the minimum, average, and maximum response times.

Trace route
By using the trace route command, you can display the Layer 3 devices involved in delivering a packet from source to destination. This function is useful for identifying failed nodes in the event of a network failure.
The trace route command involves the following steps in its execution:
1. The source device sends a packet with a TTL value of 1 to the destination device.
2. The first hop (the Layer 3 device that first receives the packet) responds by sending a TTL-expired ICMP message to the source, with its IP address encapsulated. In this way, the source device can get the address of the first Layer 3 device.
3. The source device sends a packet with a TTL value of 2 to the destination device.
4. The second hop responds with a TTL-expired ICMP message, which gives the source device the address of the second Layer 3 device.
5. This process continues until the ultimate destination device is reached. In this way, the source device can trace the addresses of all the Layer 3 devices involved in getting to the destination device.
The trace route command can be applied to the destination's host name or IP address. If the destination's host name is unknown, prompt information is displayed.

Ping operation
IPv4 ping operation
1. Select Diagnostic Tools > Ping from the navigation tree to enter the IPv4 Ping configuration page.
2. Click the expansion button before Advanced Setup to display the configurations of the advanced parameters of IPv4 ping operation, as shown in Figure 195.

Figure 195 IPv4 ping configuration page

3. Enter the IPv4 address or host name of the destination device in the Destination IP address or host name field.
4. Set the advanced parameters for the IPv4 ping operation.
5. Click Start to execute the ping command.
6. View the result in the Summary field.

Figure 196 IPv4 ping operation results

IPv6 ping operation
1. Select Diagnostic Tools > Ping from the navigation tree.
2. Enter the IPv6 ping configuration page (default setting).
3. Expand Advanced Setup to display the configurations of the advanced parameters of IPv6 ping operation, as shown in Figure 197.

Figure 197 IPv6 ping

4. Enter the IPv6 address or host name of the destination device in the Destination IP address or host name field.
5. Set the advanced parameters for the IPv6 ping operation.
6. Click Start to execute the ping command.
7. View the result in the Summary field, as shown in Figure 198.

Figure 198 IPv6 ping operation results

Trace route operation

NOTE:
The web interface does not support trace route on IPv6 addresses.
Before performing the trace route operations, execute the ip ttl-expires enable command on the intermediate device to enable the sending of ICMP timeout packets and the ip unreachables enable command on the destination device to enable the sending of ICMP destination unreachable packets.
1. Select Diagnostic Tools > Trace Route from the navigation tree.
2. Click the Trace Route tab to enter the Trace Route configuration page, as shown in Figure 199.

Figure 199 Trace Route configuration page

3. Enter the destination IP address or host name.
4. Click Start to execute the trace route command.
5. View the result in the Summary field, as shown in Figure 200.

Figure 200 Trace route operation results

AP configuration
The AP configuration module allows you to perform the following configurations:

Establish a connection between AC and AP

Configure auto AP

Configure an AP group

AC-AP connection
An AP and an AC establish a tunnel connection based on UDP.
An AP uses a data tunnel to encapsulate data packets to be sent to the AC. These packets can be raw
802.11 packets or 802.11 to 802.3 translated packets. An AC provides a control tunnel to support remote
AP configuration and management, and WLAN and mobile management.
The AC can dynamically configure an AP based on the information provided by the administrator.

Auto AP
The auto AP feature allows an AP to automatically connect to an AC. When you deploy a wireless
network with many APs, the auto AP function avoids configuration of many AP serial IDs, thus simplifying
configuration.

AP group
Some wireless service providers need to control the access positions of clients. For example, as shown in
the figure below, to meet security or billing needs, it is required to connect wireless clients 1, 2 and 3 to
the wired network through APs 1, 2 and 3 respectively. To achieve this, you can configure an AP group
that the clients can be associated with and then apply the AP group in a user profile.
Figure 201 Client access control


Configuring an AP
Creating an AP
1. Select AP > AP Setup from the navigation tree.
2. Click Add to enter the page for adding an AP.

Figure 202 Adding an AP

3. Create the AP as described in Table 81.
4. Click Apply.

Table 81 Configuration items

AP Name
    AP name.

Model
    AP model.

Serial ID
    Auto: If selected, the AC automatically searches for the AP serial ID. This function is used together with the auto AP function. For how to configure auto AP, see "Configuring auto AP."
    Manual: If this mode is selected, you need to type an AP serial ID.

Configuring an AP
1. Select AP > AP Setup from the navigation tree.
2. Click the icon corresponding to the target AP to enter the page for configuring an AP.

Figure 203 AP setup

3. Configure the AP as described in Table 82.
4. Click Apply.

Table 82 Configuration items

AP Name
    Display the name of the AP selected.

Radio Number
    Select the number of the radios on the AP. The value depends on the AP model.

Radio Type
    Select the radio type, which can be one of the following values:
    802.11a
    802.11b
    802.11g
    802.11n (2.4 GHz)
    802.11n (5 GHz)
    The value depends on the AP model and radio type.

Serial ID
    Set a serial ID for the AP.
    Auto: If selected, the AP serial ID is automatically found. This option is used together with the auto AP function. For how to configure auto AP, see "Configuring auto AP."
    Manual: You need to enter an AP serial ID.
    IMPORTANT:
    The serial ID is the unique identity of the AP. If the AP has connected to the AC, changing or deleting its serial ID brings the tunnel down, and the AP needs to discover the AC to connect again.

Description
    Description of the AP.

District Code
    By default, no district code is configured for an AP, which uses the global district code. An AP configured with a district code uses its own district code rather than the global one. For how to configure the global district code, see "Advanced settings".
    IMPORTANT:
    Some ACs and fit APs use locked district codes. Which one is used is determined as follows:
    An AC's locked district code cannot be changed, and all managed fit APs whose district codes are not locked must use the AC's locked district code.
    A fit AP's locked district code cannot be changed, and the fit AP can only use that district code.
    If an AC and a managed fit AP use different locked district codes, the fit AP uses its own locked district code.

Configuring advanced settings
1. Select AP > AP Setup from the navigation tree.
2. Click the icon corresponding to the target AP.
3. On the page that appears, expand Advanced Setup to enter the page for advanced AP setup.
Figure 204 Advanced setup
4. Configure advanced settings for the AP as described in Table 83.
5. Click Apply.
Table 83 Configuration items
AP Connection Priority: Specify the AP connection priority on the AC. For more information, see "AP connection priority configuration example." It can also be used together with the backup function. For more information, see "Advanced settings."
Broadcast Probe:
- Enable: Enable the AP to respond to broadcast probe requests. The AP responds to broadcast probe requests with the SSID null.
- Disable: Disable the AP from responding to broadcast probe requests. The AP responds to broadcast probe requests with the specified SSID.
By default, this option is enabled.
Configuration File: Specify the name of a configuration file in the storage media and map the specified configuration file to the AP. When local forwarding is enabled, you can use the configuration file to configure the AP. For example, when you configure a user profile with local forwarding enabled, you must write the user profile, QoS policy, and ACL commands to the configuration file and download the configuration file to the AP.
IMPORTANT: The commands in the configuration file must be in their complete form.
Jumbo Frame Size: Set the maximum size of jumbo frames. When this function is enabled, the AC can send frames whose size does not exceed the maximum size to the AP. By default, the AC cannot send jumbo frames to the AP.
AP Echo Interval: Set the interval for sending echo requests. A keepalive mechanism between the AP and AC confirms whether the tunnel is working. The AP periodically sends echo requests to the AC, and the AC answers with echo responses, which indicates that the tunnel is up.
Client Alive Time: Set the client keepalive interval. The keepalive mechanism detects clients that have been cut off from the system for reasons such as power failure or crash, and disconnects them from the AP. By default, the client keepalive function is disabled.
Client Free Time: Maximum interval for which the link between the AP and a client can be idle.
Backup AC IPv4 Address: Set the IPv4 address of the backup AC for the AP.
Backup AC IPv6 Address: Set the IPv6 address of the backup AC for the AP.
If you configure the backup AC information both in Advanced Setup > AC Backup and in AP > AP Setup, the configuration in AP > AP Setup takes precedence. For more information about AC backup, see "Advanced settings."
Remote AP:
- Enable: Enable the remote AP function.
- Disable: Disable the remote AP function.
By default, the remote AP function is disabled.
With this function enabled, when the tunnel between the AP and AC is terminated, the AP automatically enables local forwarding (whether or not local forwarding is configured on the AC) to keep providing wireless access for logged-in clients, but does not admit new clients. When a tunnel is established between the AP and AC again, the AP automatically switches back to the centralized forwarding mode and logs off all clients on the remote AP.
IMPORTANT: If the remote AP has also established a backup tunnel, then when the tunnel between the AP and AC is terminated, the remote AP uses the backup tunnel to provide wireless access for logged-in clients. For more information about AC backup, see "Advanced settings."
AP CAR: Select this box to configure CAR for the AP. By default, no CAR is set for an AP.
CIR: Committed information rate, in kbps.
CBS: Committed burst size, in bits. By default, the CBS is the amount of data transmitted in 500 ms at the rate of CIR. For example, if CIR is 100, CBS is 50000 bits, or 6250 bytes, by default.
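An added example (not H3C code) of the AP CAR parameters above modelled as a single-rate token bucket: CIR in kbps refills the bucket, CBS in bits is its depth, and the default CBS is derived from CIR exactly as the table states (CIR 100 gives 50000 bits). The token-bucket enforcement model, the ApCar class and the constructed frame burst are my assumptions; the guide only defines the two fields.

```python
"""AP CAR modelled as a token bucket (added example, not H3C code).

CIR is in kbps and CBS in bits, as in Table 83. The default CBS is the
amount of data sent in 500 ms at CIR, so CIR 100 gives 50000 bits
(6250 bytes). Single-rate token-bucket enforcement is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def default_cbs_bits(cir_kbps: int) -> int:
    """Default CBS: bits transmitted in 500 ms at CIR (1 kbps = 1000 bit/s)."""
    return cir_kbps * 1000 // 2


@dataclass
class ApCar:
    """Single-rate policer: the bucket holds at most cbs_bits tokens (bits)
    and refills at cir_kbps * 1000 bits per second."""
    cir_kbps: int
    cbs_bits: Optional[int] = None
    tokens: float = field(init=False)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        if self.cbs_bits is None:
            self.cbs_bits = default_cbs_bits(self.cir_kbps)
        self.tokens = float(self.cbs_bits)  # bucket starts full

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last_time)
        self.tokens = min(float(self.cbs_bits),
                          self.tokens + elapsed * self.cir_kbps * 1000)
        self.last_time = now

    def admit(self, now: float, frame_bytes: int) -> bool:
        """True if a frame of frame_bytes may pass at time `now` (seconds)."""
        self._refill(now)
        need = frame_bytes * 8
        if need <= self.tokens:
            self.tokens -= need
            return True
        return False


def police(car: ApCar, frames: List[Tuple[float, int]]) -> List[bool]:
    """Run (time_s, size_bytes) frames through the policer, in time order."""
    return [car.admit(t, size) for t, size in frames]


# Constructed burst: five 1500-byte frames at t=0, then two frames 100 ms later.
SAMPLE_BURST = [(0.0, 1500)] * 5 + [(0.1, 1500), (0.1, 64)]


def sample_verdicts() -> List[bool]:
    """CIR 100 kbps with the default CBS: 4 frames (6000 bytes) fit in the
    6250-byte burst, the 5th is dropped, 100 ms of refill (10000 bits) admits
    one more 1500-byte frame, and the trailing 64-byte frame is dropped."""
    return police(ApCar(cir_kbps=100), SAMPLE_BURST)


if __name__ == "__main__":
    print(sample_verdicts())  # [True, True, True, True, False, True, False]
```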

Configuring auto AP
Enabling auto AP
1. Select Advance > Auto AP from the navigation tree.
Figure 205 Configuring auto AP
2. Enable auto AP as described in Table 84.
Table 84 Configuration items
Auto AP:
- enable: Enable the auto AP function. You must also select Auto from the Serial ID list on the AP setup page to use the auto AP function.
- disable: Disable the auto AP function.
By default, the auto AP function is disabled.
IMPORTANT: After using the auto AP function, H3C recommends that you disable it.
Renaming an AP
1. After enabling auto AP, click Refresh.
2. To modify the automatically found AP name, click the icon in the Operation column.
Figure 206 Renaming an AP
3. On the page that appears, rename the AP as described in Table 85.
4. Click Apply.
Table 85 Configuration items
Old AP Name: Displays the name of the automatically discovered AP.
AP Rename: Select the AP Rename check box, and type the new AP name.
For an example of configuring auto AP, see "Access service configuration."
Batch switch
If you do not need to modify the automatically found AP names, you can select the AP Name box and then click Transmit All AP to complete the auto AP setup.


Configuring an AP group
Creating an AP group
1. Select AP > AP Group from the navigation tree.
2. Click Add.
Figure 207 Creating an AP group
3. Create the AP group as described in Table 86.
Table 86 Configuration items
AP Group ID: AP group ID. The value range varies with devices. For more information, see "Feature matrixes."
Configuring an AP group
1. Select AP > AP Group from the navigation tree.
2. Click the icon corresponding to the target AP group to enter the page for configuring an AP group.
Figure 208 Configuring an AP group
3. Configure the AP group as described in Table 87.
4. Click Apply.
Table 87 Configuration items
AP Group ID: Displays the ID of the selected AP group.
Description: Select this option to configure a description for the AP group.
Exist AP List: Set the APs in the AP group.
- To add APs to the Selected AP List, click the APs to be added to the AP group, and click the > button in the AP List area.
- To delete APs from the AP group, select the APs to be deleted in the Selected AP List, and click the < button.
The APs to be added to the AP group must be created first by selecting AP > AP Setup.
Applying the AP group
Select Authentication > Users from the navigation tree to apply the AP group. For the related configuration, see "Users."

AP connection priority configuration example
Network requirements
Configure a higher AP connection priority on AC 1 so that the AP establishes a connection with AC 1.
Figure 209 Network diagram (components shown: AC 1, AC 2, Switch, AP, Client)
Configuring AC 1
1. Configure AP-related information. For the detailed configuration, see "Access service configuration."
2. Configure an AP connection priority:
a. Select AP > AP Setup from the navigation tree.
b. Click the icon corresponding to the target AP to enter the AP setup page.
c. Expand Advanced Setup to enter the page shown in Figure 210 and set the AP connection priority to 6.
d. Click Apply.
Figure 210 Configuring AP connection priority
Configuring AC 2
1. Configure AP-related information. For the detailed configuration, see "Access service configuration."
2. Configure AP connection priority: use the default AP connection priority on AC 2.
Verifying the configuration
A higher AP connection priority is configured on AC 1, so the AP establishes its connection with AC 1.


Configuring access services


Wireless Local Area Networks (WLAN) provide the following services:

Connectivity to the Internet

Secured WLAN access with different authentication and encryption methods

Seamless roaming of WLAN clients in a mobility domain

Access service overview


Terminology
Wireless client
A handheld computer or laptop with a wireless Network Interface Card (NIC) or a terminal supporting
WiFi can be a WLAN client.

Access point (AP)


An AP bridges frames between wireless and wired networks.

Access controller (AC)


An AC can control and manage APs associated with it in a WLAN. The AC communicates with an
authentication server for WLAN client authentication.

SSID
The service set identifier. A client scans all networks at first, and then selects a specific SSID to connect
to a specific wireless network.

Client access
A client access process involves three steps: active/passive scanning surrounding wireless services,
authentication, and association, as shown in Figure 211.


Figure 211 Establishing a client access

Scanning
Wireless clients can get information about surrounding wireless networks in two ways: active scanning and passive scanning. With active scanning, a wireless client actively sends probe requests during scanning and receives probe responses. With passive scanning, a wireless client listens to beacon frames sent by surrounding APs.
A wireless client usually uses both passive scanning and active scanning to get information about surrounding wireless networks.
1. Active scanning
When a wireless client operates, it periodically searches for (that is, scans) surrounding wireless networks. Active scanning falls into two modes according to whether a specified SSID is carried in the probe request.
- Mode 1: A client sends a probe request without any SSID on the supported channels to scan wireless networks. APs that receive the probe request frame send a probe response frame. The client associates with the AP with the strongest signal.
Figure 212 Active scanning (no SSID in the probe request): the client broadcasts a probe request (with no SSID), and AP 1 (AC 1) and AP 2 (AC 2) each answer with a probe response.
- Mode 2: When a wireless client is configured to access a specific wireless network or has already been connected to a wireless network, the client periodically sends a probe request carrying the specified SSID. When an AP that can provide the wireless service with the specified SSID receives the probe request, it sends a probe response. This active scanning mode enables a client to access a specified wireless network. The active scanning process is as shown in Figure 213.
Figure 213 Active scanning (the probe request carries the specified SSID AP 1)

2. Passive scanning
Passive scanning is used by clients to discover surrounding wireless networks by listening to the beacon frames periodically sent by APs. All APs providing wireless services periodically send beacon frames, so wireless clients can listen for beacon frames on the supported channels to get information about surrounding wireless networks. A client uses passive scanning when it wants to save battery power. Typically, VoIP clients adopt the passive scanning mode. The passive scanning process is as shown in Figure 214.
Figure 214 Passive scanning
Authentication
To secure wireless links, the wireless clients must be authenticated before accessing an AP. 802.11 defines two authentication mechanisms: open system authentication and shared key authentication.
Open system authentication
Open system authentication is the default authentication algorithm and the simplest of the available authentication algorithms. Essentially it is a null authentication algorithm: any client that requests authentication with this algorithm can become authenticated. Open system authentication is not required to succeed, as an AP may decline to authenticate the client. Open system authentication involves a two-step process. In the first step, the wireless client sends an authentication request. In the second step, the AP returns the result to the client.
Figure 215 Open system authentication process (the client sends an authentication request to the AP, and the AP returns an authentication response)
Shared key authentication
Figure 216 shows a shared key authentication process. The two parties have the same shared key configured.
a. The client sends an authentication request to the AP.
b. The AP randomly generates a challenge and sends it to the client.
c. The client uses the shared key to encrypt the challenge and sends the result to the AP.
d. The AP uses the shared key to encrypt the challenge itself and compares the result with that received from the client. If they are identical, the client passes the authentication. If not, the authentication fails.
Figure 216 Shared key authentication process
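The four-step exchange above, as an added example that is not part of the guide: both sides hold the same key, the AP issues a random challenge, and the AP verifies the client's encrypted reply by encrypting the challenge itself and comparing. RC4 stands in for the cipher because the guide states that WEP uses RC4; the 3-byte IV prefix, the 128-byte challenge and the class names are assumptions about details the guide leaves out.

```python
"""Shared key authentication exchange of Figure 216 (added example, not H3C
code). RC4 is the cipher because WEP uses RC4; the 3-byte IV prefix and the
128-byte challenge are assumptions about details the guide leaves out."""
import hmac
import os
from typing import Dict, Tuple


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style RC4 encryption: the per-frame IV is prepended to the key."""
    stream = rc4_keystream(iv + shared_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, stream))


class AccessPoint:
    def __init__(self, shared_key: bytes) -> None:
        self.shared_key = shared_key
        self.pending: Dict[str, bytes] = {}  # client id -> outstanding challenge

    def on_auth_request(self, client_id: str) -> bytes:
        """Step b: answer an authentication request with a fresh random challenge."""
        challenge = os.urandom(128)
        self.pending[client_id] = challenge
        return challenge

    def on_challenge_response(self, client_id: str, iv: bytes, ciphertext: bytes) -> bool:
        """Step d: encrypt the stored challenge ourselves and compare."""
        challenge = self.pending.pop(client_id, None)
        if challenge is None:
            return False  # no request pending for this client
        expected = wep_encrypt(self.shared_key, iv, challenge)
        return hmac.compare_digest(expected, ciphertext)


class Client:
    def __init__(self, shared_key: bytes) -> None:
        self.shared_key = shared_key

    def on_challenge(self, challenge: bytes) -> Tuple[bytes, bytes]:
        """Step c: encrypt the challenge under the shared key with a fresh IV."""
        iv = os.urandom(3)
        return iv, wep_encrypt(self.shared_key, iv, challenge)


def run_shared_key_auth(ap: AccessPoint, client: Client, client_id: str = "sta-1") -> bool:
    """Steps a to d in order; True when the AP accepts the client."""
    challenge = ap.on_auth_request(client_id)           # a: request, b: challenge
    iv, ciphertext = client.on_challenge(challenge)      # c: encrypted reply
    return ap.on_challenge_response(client_id, iv, ciphertext)  # d: verify


if __name__ == "__main__":
    key = b"constructed-shared-key"
    print(run_shared_key_auth(AccessPoint(key), Client(key)))            # True
    print(run_shared_key_auth(AccessPoint(key), Client(b"other-key")))   # False
```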

Association
A client that wants to access a wireless network through an AP must be associated with that AP. Once the client chooses a compatible network with a specified SSID and authenticates to an AP, it sends an association request frame to the AP. The AP sends an association response to the client and adds the client's information to its database. A client can associate with only one AP at a time. The association process is always initiated by the client, never by the AP.

WLAN data security


Compared with wired networks, WLAN networks are more susceptible to attacks because all WLAN
devices share the same medium and thus every device can receive data from any other sending device.
If no security service is provided, plain-text data is transmitted over the WLAN.
To secure data transmission, 802.11 protocols provide some encryption methods to ensure that devices
without the right key cannot read encrypted data.

1. WEP encryption
Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption (a stream cipher) for confidentiality. WEP encryption falls into static and dynamic encryption according to how the WEP key is generated.
- Static WEP encryption: With static WEP encryption, all clients using the same SSID must use the same encryption key. If the encryption key is deciphered or lost, attackers get all encrypted data. In addition, periodic manual key updates bring a heavy management workload.
- Dynamic WEP encryption: Dynamic WEP encryption is a great improvement over static WEP encryption. With dynamic WEP encryption, WEP keys are negotiated between client and server through the 802.1X protocol, so each client is assigned a different WEP key, which can be updated periodically to further improve unicast frame transmission security.
Although WEP encryption increases the difficulty of network interception and session hijacking, it still has weaknesses due to limitations of the RC4 encryption algorithm and static key configuration.
2. TKIP encryption
Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has many advantages over WEP and provides more secure protection for WLANs, as follows:
- First, TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP encryption uses the 128-bit RC4 encryption algorithm and increases the length of IVs from 24 bits to 48 bits.
- Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered.
- Third, TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the data may have been tampered with and the system may be under attack. If two packets fail the MIC within a certain period, the AP automatically takes countermeasures: it stops providing services for a certain period to prevent attacks.
3. CCMP encryption
CTR with CBC-MAC Protocol (CCMP) is based on the CCM mode of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Like TKIP, CCMP contains a dynamic key negotiation and management method, so that each wireless client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP encryption mechanism. During encryption, CCMP uses a 48-bit packet number (PN) to ensure that each encrypted packet uses a different PN, which further improves security.

Client access authentication
1. PSK authentication
To implement PSK authentication, the client and the authenticator must have the same shared key configured. Otherwise, the client cannot pass pre-shared key (PSK) authentication.
2. 802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls accessing devices at the port level. A device connected to an 802.1X-enabled port of a WLAN access control device can access the resources on the WLAN only after passing authentication.
The administrators of access devices can select RADIUS or local authentication to work with 802.1X for authenticating users. For more information about remote/local 802.1X authentication, see "802.1X configuration."
3. MAC authentication
MAC authentication provides a way of authenticating users based on ports and MAC addresses. You can configure permitted MAC address lists to filter the MAC addresses of clients. However, efficiency drops as the number of clients increases. Therefore, MAC authentication is applicable to environments without high security requirements, for example, SOHO and small offices.
MAC authentication falls into two modes:
- Local MAC authentication: When this authentication mode is adopted, you need to configure a permitted MAC address list on the device. If the MAC address of a client is not in the list, its access request is denied.
Figure 217 Local MAC authentication (the AC holds the permitted MAC address list 0009-5bcf-cce3, 0011-9548-4007 and 000f-e200-00a2; clients 0009-5bcf-cce3 and 0011-9548-4007 reach the AC through the AP and an L2 switch and are in the list, while client 001a-9228-2d3e is not)
- Remote MAC authentication: Remote Authentication Dial-In User Service (RADIUS) based MAC authentication. If the device finds that the current client is an unknown client, it sends an unsolicited authentication request to the RADIUS server. After the client passes the authentication, the client can access the WLAN with the corresponding authorization information.

Figure 218 Remote MAC authentication

When a RADIUS server is used for MAC authentication, you can specify a domain for each wireless
service, and thus send MAC authentication information of different SSIDs to different remote RADIUS
servers.

802.11n
As the next generation wireless LAN technology, 802.11n supports both the 2.4 GHz and 5 GHz bands. It provides higher throughput to customers by using the following methods:
1. Increasing bandwidth: 802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately, with one acting as the primary channel and the other as the secondary channel, or work together as a 40-MHz channel. This provides a simple way of doubling the data rate.
2. Improving channel utilization in the following ways:
- 802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple Message Protocol Data Units (MPDUs) which have their PHY headers removed. This reduces the transmission overhead and the number of ACK frames used, and thus improves network throughput.
- Similar to MPDU aggregation, multiple MAC Service Data Units (MSDUs) can be aggregated into a single A-MSDU. This reduces the MAC header overhead and thus improves MAC layer forwarding efficiency.
- To improve physical layer performance, 802.11n introduces the short GI function, which shortens the GI of 800 us in 802.11a/g to 400 us. This can increase the data rate by 10 percent.


Configuring access service
Recommended configuration procedure
1. Creating a WLAN service: Required.
2. Configuring wireless service: Required. Use either approach, and complete the security settings as needed:
- Configuring clear type wireless service
- Configuring crypto type wireless service
3. Enabling a wireless service: Required.
4. Binding an AP radio to a wireless service: Required.
5. Enabling a radio: Optional.
6. Displaying the detailed information of a wireless service: Optional.

Creating a WLAN service
1. Select Wireless Service > Access Service from the navigation tree.
Figure 219 Configuring access service
2. Click Add.
Figure 220 Creating a wireless service
3. Configure the wireless service as described in Table 88.
4. Click Apply.
Table 88 Configuration items
Wireless Service Name: Set the Service Set Identifier (SSID), a case-sensitive string of 1 to 32 characters, which can include letters, digits, underscores, and spaces. An SSID should be as unique as possible. For security, the company name should not be contained in the SSID. Meanwhile, it is not recommended to use a long random string as the SSID, because a long random string only adds payload to the header field without any improvement to wireless security.
Wireless Service Type: Select the wireless service type:
- clear: Indicates the SSID will not be encrypted.
- crypto: Indicates the SSID will be encrypted.

Configuring clear type wireless service
Configuring basic settings for a clear type wireless service
NOTE:
Before configuring a clear-type wireless service, disable it first and then click the corresponding icon.
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear type wireless service to enter the page for configuring the wireless service.
Figure 221 Configuring clear type wireless service
3. Configure basic settings for the clear type wireless service as described in Table 89.
4. Click Apply.
Table 89 Configuration items
Wireless Service: Displays the selected Service Set Identifier (SSID).
VLAN (Untagged): Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
Default VLAN: Set the default VLAN of a port. By default, the default VLAN of all ports is VLAN 1. After you set the new default VLAN, VLAN 1 is the ID of the VLAN whose packets are to be sent untagged.
Delete VLAN: Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.
SSID HIDE:
- Enable: Disable the advertisement of the SSID in beacon frames.
- Disable: Enable the advertisement of the SSID in beacon frames.
By default, the SSID is advertised in beacon frames.
IMPORTANT:
- If the advertising of the SSID in beacon frames is disabled, the SSID must be configured on the clients for them to associate with the AP.
- Disabling the advertising of the SSID in beacon frames does little good to wireless security. Allowing the advertising of the SSID in beacon frames enables a client to discover an AP more easily.

Configuring advanced settings for the clear type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear type wireless service to enter the page for configuring advanced settings for a clear type wireless service.
Figure 222 Advanced settings for the clear type wireless service
3. Configure advanced settings for the clear type wireless service as described in Table 90.
4. Click Apply.
Table 90 Configuration items
Local Forwarding: Local forwarding enables an AP to forward data frames between clients. In a centralized WLAN architecture, an AP transparently transmits data frames to an AC for processing. As the number of clients increases, the forwarding load of the AC increases too. With local forwarding enabled, the AP, rather than the AC, forwards client data, greatly reducing the load of the AC.
- Enable: If local forwarding is enabled, data frames from an associated station are forwarded by the AP itself.
- Disable: If local forwarding is disabled, data frames from an associated station are handled by the AC.
Local Forwarding VLAN: Clients using the same SSID may belong to different VLANs. You can configure a local forwarding VLAN when configuring a local forwarding policy.
Client Max Users: Maximum number of clients of an SSID that can be associated with the same radio of the AP.
IMPORTANT: When the number of clients of an SSID associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.
Management Right: Web interface management right of online clients.
- Disable: Disable the web interface management right of online clients.
- Enable: Enable the web interface management right of online clients.
MAC VLAN:
- Enable: Enable the MAC VLAN feature for the wireless service.
- Disable: Disable the MAC VLAN feature for the wireless service.
IMPORTANT: Before binding an AP radio to a VLAN (a step of enabling AP-based access VLAN recognition), enable the MAC VLAN feature first.
Fast Association:
- Enable: Enable fast association.
- Disable: Disable fast association.
By default, fast association is disabled. When fast association is enabled, the device does not perform band navigation and load balancing calculations for associated clients.

Configuring security settings for a clear type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target clear type wireless service to enter the page for configuring security settings for the clear type wireless service.
Figure 223 Security settings for the clear-type wireless service
3. Configure security settings for the clear type wireless service as described in Table 91.
4. Click Apply.
Table 91 Configuration items
Authentication Type: For the clear type wireless service, you can select Open-System only.
Port Mode: Select the port security mode:
- mac-authentication: Perform MAC address authentication on users.
- mac-else-userlogin-secure: This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication; upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.
- mac-else-userlogin-secure-ext: This mode is similar to the mac-else-userlogin-secure mode, except that it supports multiple 802.1X and MAC authentication users on the port.
- userlogin-secure: In this mode, MAC-based 802.1X authentication is performed for users; multiple 802.1X authenticated users can access the port, but only one user can be online.
- userlogin-secure-or-mac: This mode is the combination of the userlogin-secure and mac-authentication modes, with 802.1X authentication having a higher priority. For a wireless user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed.
- userlogin-secure-or-mac-ext: This mode is similar to the userlogin-secure-or-mac mode, except that it supports multiple 802.1X and MAC authentication users on the port.
- userlogin-secure-ext: In this mode, a port performs 802.1X authentication on users in MAC-based mode and supports multiple 802.1X users.
TIP:
There are multiple security modes. To remember them easily, follow these rules to understand the parts of the port security mode names:
- userLogin indicates port-based 802.1X authentication.
- mac indicates MAC address authentication.
- The authentication mode before Else is used preferentially. If that authentication fails, the authentication mode after Else may be used, depending on the protocol type of the packets to be authenticated.
- The authentication mode before Or and the one after Or have the same priority. The device determines the authentication mode according to the protocol type of the packets to be authenticated. For wireless users, the 802.1X authentication mode is used preferentially.
- userLogin together with Secure indicates MAC-based 802.1X authentication.
- A security mode with Ext allows multiple 802.1X users to pass the authentication. A security mode without Ext allows only one 802.1X user to pass the authentication.
Max User: Maximum number of users that can be connected to the network through a specific port.
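An added example (not H3C code) that encodes the port-mode rules of Table 91 and the TIP above, using the permitted MAC address list drawn in Figure 217 as the local MAC authentication backend: for each mode it tries the first method, falls back to the second only where the table allows it, honours the Max User cap, and enforces the one-online-802.1X-user limit of the non-Ext modes. The Port class, the frame model and the stand-in 802.1X backend (a callback keyed by client MAC) are my assumptions, not the device's implementation.

```python
"""Port security mode selection for a clear type wireless service (added
example, not H3C code). Encodes the Table 91 rules; the Port class, the
frame model and the stand-in 802.1X backend are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Permitted MAC address list from Figure 217, in H3C hhhh-hhhh-hhhh notation.
PERMITTED_MACS = {"0009-5bcf-cce3", "0011-9548-4007", "000f-e200-00a2"}


def normalize_mac(mac: str) -> str:
    """Accept hhhh-hhhh-hhhh, hh:hh:hh:hh:hh:hh or hh-hh-hh-hh-hh-hh; return H3C form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def local_mac_auth(mac: str) -> bool:
    """Local MAC authentication: the client must be in the permitted list."""
    return normalize_mac(mac) in PERMITTED_MACS


# mode -> (first method, fallback method, Ext: many 802.1X users may be online)
MODES = {
    "mac-authentication":            ("mac",   None,    True),
    "userlogin-secure":              ("dot1x", None,    False),
    "userlogin-secure-ext":          ("dot1x", None,    True),
    "mac-else-userlogin-secure":     ("mac",   "dot1x", False),
    "mac-else-userlogin-secure-ext": ("mac",   "dot1x", True),
    "userlogin-secure-or-mac":       ("dot1x", "mac",   False),
    "userlogin-secure-or-mac-ext":   ("dot1x", "mac",   True),
}


@dataclass
class Port:
    mode: str
    max_user: int
    # Stand-in for the EAP/RADIUS exchange: True if the client's 802.1X
    # credentials are accepted. Keyed by MAC only to keep the example small.
    dot1x_backend: Callable[[str], bool]
    mac_backend: Callable[[str], bool] = local_mac_auth
    online: Dict[str, str] = field(default_factory=dict)  # mac -> method used

    def authenticate(self, mac: str, is_8021x_frame: bool) -> Optional[str]:
        """Return "mac" or "dot1x" for the method that admitted the client,
        or None if the client is rejected under this port mode."""
        first, fallback, ext = MODES[self.mode]
        if len(self.online) >= self.max_user:   # Max User cap on the port
            return None
        for method in (first, fallback):
            if method is None:
                continue
            if method == "dot1x":
                if not is_8021x_frame:          # only 802.1X frames get 802.1X
                    continue
                if not ext and "dot1x" in self.online.values():
                    continue                    # non-Ext: one 802.1X user online
                ok = self.dot1x_backend(mac)
            else:
                ok = self.mac_backend(mac)
            if ok:
                self.online[normalize_mac(mac)] = method
                return method
        return None


if __name__ == "__main__":
    port = Port("mac-else-userlogin-secure", max_user=8,
                dot1x_backend=lambda m: m == "001a-9228-2d3e")
    print(port.authenticate("0009-5bcf-cce3", is_8021x_frame=False))  # mac
    print(port.authenticate("001a-9228-2d3e", is_8021x_frame=False))  # None
    print(port.authenticate("001a-9228-2d3e", is_8021x_frame=True))   # dot1x
```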

a. Configure mac-authentication
Figure 224 mac-authentication port security configuration page
Table 92 Configuration items
Port Mode: mac-authentication: MAC-based authentication is performed on access users. Select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.
Max User: Control the maximum number of users allowed to access the network through the port.
MAC Authentication: Select MAC Authentication.
Domain: Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
- The selected domain name applies only to the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
- Do not delete a domain name that is in use. Otherwise, the clients that access the wireless service will be logged out.

b. Configure userlogin-secure/userlogin-secure-ext
Figure 225 userlogin-secure/userlogin-secure-ext port security configuration page (userlogin-secure is taken as the example)
Table 93 Configuration items
Port Mode:
- userlogin-secure: Perform MAC-based 802.1X authentication for access users. In this mode, multiple 802.1X authenticated users can access the port, but only one user can be online.
- userlogin-secure-ext: Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.
Max User: Control the maximum number of users allowed to access the network through the port.
Mandatory Domain: Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
- The selected domain name applies only to the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
- Do not delete a domain name that is in use. Otherwise, the clients that access the wireless service will be logged out.
Authentication Method:
- EAP: Use the Extensible Authentication Protocol (EAP). With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication; it does not need to repackage the EAP packets into standard RADIUS packets for authentication.
- CHAP: Use the Challenge Handshake Authentication Protocol (CHAP). By default, CHAP is used. CHAP transmits usernames in plain text and passwords in cipher text over the network. Therefore, this method is safer.
- PAP: Use the Password Authentication Protocol (PAP). PAP transmits passwords in plain text.
Handshake:
- Enable: Enable the online user handshake function so that the device periodically sends handshake messages to a user to check whether the user is online. By default, the function is enabled.
- Disable: Disable the online user handshake function.
Multicast Trigger:
- Enable: Enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically to initiate authentication. By default, the multicast trigger function is enabled.
- Disable: Disable the 802.1X multicast trigger function.
IMPORTANT: For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to periodically send 802.1X multicast trigger messages to initiate authentication. H3C recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.

c. Configure the other four port security modes

Figure 226 Port security configuration page for the other four security modes (mac-else-userlogin-secure is taken as an example)

Table 94 Configuration items

Port Mode
    mac-else-userlogin-secure: This mode combines the mac-authentication and userlogin-secure modes, with MAC authentication having the higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication; upon receiving an 802.1X frame, the port performs MAC authentication first and then, if MAC authentication fails, 802.1X authentication.
    mac-else-userlogin-secure-ext: Similar to mac-else-userlogin-secure, except that the port supports multiple 802.1X and MAC authentication users.
    userlogin-secure-or-mac: This mode combines the userlogin-secure and mac-authentication modes, with 802.1X authentication having the higher priority. For a wireless user, 802.1X authentication is performed first; if 802.1X authentication fails, MAC authentication is performed.
    userlogin-secure-or-mac-ext: Similar to userlogin-secure-or-mac, except that the port supports multiple 802.1X and MAC authentication users.
    To add the clients that are to be MAC-authenticated, select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.

Max User
    Control the maximum number of users allowed to access the network through the port.

Mandatory Domain
    Select an existing domain from the list. After a mandatory domain is configured, all 802.1X users accessing the port are forced to use the mandatory domain for authentication, authorization, and accounting.
    The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.

Authentication Method
    EAP: Use the Extensible Authentication Protocol (EAP relay). The authenticator encapsulates the client's EAP packets in the EAP-Message attribute of RADIUS packets and forwards them to the RADIUS server unchanged, instead of terminating EAP and repackaging the credentials into standard RADIUS authentication attributes. The RADIUS server must support EAP.
    CHAP: Use the Challenge Handshake Authentication Protocol (CHAP). CHAP is the default. The access controller terminates EAP and authenticates to the RADIUS server with CHAP: the username is transmitted in plaintext, but the password itself never crosses the network; the client proves knowledge of it with an MD5 hash computed over a random challenge and the password. This method is therefore safer than PAP.
    PAP: Use the Password Authentication Protocol (PAP). PAP transmits the password in plaintext; use it only when a legacy RADIUS server requires it.

Handshake
    Enable: Enable the online user handshake function so that the device periodically sends handshake messages to a user to check whether the user is still online. By default, the function is enabled.
    Disable: Disable the online user handshake function.

Multicast Trigger
    Enable: Enable the 802.1X multicast trigger function, which periodically sends multicast trigger messages to clients to initiate authentication. By default, the multicast trigger function is enabled.
    Disable: Disable the 802.1X multicast trigger function.

    IMPORTANT:
    For a WLAN, clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger messages periodically. H3C recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.

MAC Authentication
    Select MAC Authentication.

Domain
    Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
    The selected domain applies only to the current wireless service; all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
    Do not delete a domain that is in use. Otherwise, the clients that access the wireless service are logged out.
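The modes in Tables 92 to 94 differ in three things only: which authentication is attempted first, whether a non-802.1X frame can lead to 802.1X at all, and how many users may be online (one for the non-ext 802.1X modes, Max User otherwise). The following Python model, added here as an illustration and not taken from H3C software, encodes those decision rules so that a planned configuration can be reasoned about before it is applied. The mode names are the page's; the admit() interface and its mac_auth_ok and dot1x_ok inputs (what the AAA domain would answer if that method were tried) are this example's own assumptions.

```python
"""Admission decisions of the wireless port security modes (Tables 92 to 94).

Added illustration, not H3C code. The mode names are the page's; the admit()
interface and its mac_auth_ok / dot1x_ok inputs (what the AAA domain would
answer if that method were tried) are this example's assumptions.
"""
from dataclasses import dataclass, field

MAC_ONLY = {"mac-authentication"}
DOT1X_ONLY = {"userlogin-secure", "userlogin-secure-ext"}
MAC_ELSE_DOT1X = {"mac-else-userlogin-secure", "mac-else-userlogin-secure-ext"}
DOT1X_OR_MAC = {"userlogin-secure-or-mac", "userlogin-secure-or-mac-ext"}
# Non-ext 802.1X modes keep a single user online; the others honour Max User.
SINGLE_USER = {"userlogin-secure", "mac-else-userlogin-secure", "userlogin-secure-or-mac"}


@dataclass
class PortSecurity:
    mode: str
    max_user: int
    online: set = field(default_factory=set)

    def _method(self, dot1x_frame, mac_auth_ok, dot1x_ok):
        """Which method, if any, admits the client under this mode."""
        dot1x = dot1x_frame and dot1x_ok        # 802.1X needs an 802.1X frame
        if self.mode in MAC_ONLY:
            return "mac" if mac_auth_ok else None
        if self.mode in DOT1X_ONLY:
            return "802.1X" if dot1x else None
        if self.mode in MAC_ELSE_DOT1X:
            # MAC authentication first; 802.1X only as a fallback, and only
            # for an 802.1X frame (a non-802.1X frame gets MAC auth alone).
            return "mac" if mac_auth_ok else ("802.1X" if dot1x else None)
        if self.mode in DOT1X_OR_MAC:
            # 802.1X first; MAC authentication if 802.1X fails.
            return "802.1X" if dot1x else ("mac" if mac_auth_ok else None)
        raise ValueError(f"unknown port security mode {self.mode!r}")

    def admit(self, mac, dot1x_frame, mac_auth_ok, dot1x_ok):
        """Return (admitted, reason); reason is the method used, or why not."""
        method = self._method(dot1x_frame, mac_auth_ok, dot1x_ok)
        if method is None:
            return False, "authentication failed"
        if mac in self.online:                  # re-authentication of a known client
            return True, method
        limit = 1 if self.mode in SINGLE_USER else self.max_user
        if len(self.online) >= limit:
            return False, "max-user reached"
        self.online.add(mac)
        return True, method

    def logoff(self, mac):
        """Client went offline (or the handshake timed out): free its slot."""
        self.online.discard(mac)


if __name__ == "__main__":
    # Constructed scenario: a second 802.1X client on a userlogin-secure port.
    port = PortSecurity("userlogin-secure", max_user=8)
    print(port.admit("0014-6c8a-43ff", True, False, True))
    print(port.admit("001c-f0bf-9c92", True, False, True))
```

Running the scenario shows the point of the -ext variants: on a userlogin-secure port the second client is refused with "max-user reached" even though Max User is 8, because that mode keeps a single user online.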

Configuring crypto type wireless service

Configuring basic settings for a crypto type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target crypto type wireless service to enter the page for configuring the wireless service.

Figure 227 Crypto type wireless service

3. Configure basic settings for the crypto type wireless service as described in Table 89.
4. Click Apply.

Configuring advanced settings for a crypto type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target crypto type wireless service to enter the page for configuring the wireless service.

Figure 228 Advanced settings for the crypto type wireless service

3. Configure advanced settings for the crypto type wireless service as described in Table 95.
4. Click Apply.

Table 95 Configuration items

Local Forwarding
    Local forwarding enables an AP to forward data frames between clients itself. In a centralized WLAN architecture, an AP transparently passes data frames to the AC for processing, so the forwarding load on the AC grows with the number of clients. With local forwarding enabled, the AP, rather than the AC, forwards client data, greatly reducing the load on the AC.
    Enable: Data frames from an associated station are forwarded by the AP itself.
    Disable: Data frames from an associated station are handled by the AC.

Local Forwarding VLAN
    Clients using the same SSID may belong to different VLANs. You can configure a local forwarding VLAN when configuring a local forwarding policy.

Client Max Users
    Maximum number of clients of an SSID that can be associated with the same radio of the AP.
    IMPORTANT:
    When the number of clients of an SSID associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.

PTK Life Time
    Set the pairwise transient key (PTK) lifetime. A PTK is generated through the four-way handshake.

TKIP CM Time
    Set the TKIP countermeasure time. By default, the TKIP countermeasure time is 0 seconds, that is, the TKIP countermeasure policy is disabled.
    The message integrity check (MIC) is designed to detect tampering with TKIP frames. TKIP uses the Michael algorithm, which is deliberately lightweight and offers only limited protection on its own; the countermeasure policy exists to compensate for this. When MIC failures occur, the data may have been tampered with and the system may be under attack. With the countermeasure policy enabled, if more than two MIC failures occur within the specified time, the TKIP associations are torn down and no new associations are allowed within the TKIP countermeasure time.

Management Right
    Web interface management right of online clients.
    Disable: Disable the web interface management right of online clients.
    Enable: Enable the web interface management right of online clients.

MAC VLAN
    Enable: Enable the MAC VLAN feature for the wireless service.
    Disable: Disable the MAC VLAN feature for the wireless service.
    IMPORTANT:
    Binding an AP radio to a VLAN (the step that enables AP-based access VLAN recognition) requires that the MAC VLAN feature be enabled first.

Fast Association
    Enable: Enable fast association.
    Disable: Disable fast association.
    By default, fast association is disabled. When fast association is enabled, the device does not perform band navigation or load balancing calculations for associating clients.

GTK Rekey Method
    The AC generates a group temporal key (GTK) and delivers it to a client during the 4-way handshake or the group key handshake between the AP and the client. The client uses the GTK to decrypt broadcast and multicast frames.
    If Time is selected, the GTK is refreshed after the specified period of time.
    If Packet is selected, the GTK is refreshed after the specified number of packets has been transmitted.
    By default, GTK rekeying is time-based, with an interval of 86400 seconds.

GTK User Down Status
    Enable refreshing the GTK when a client goes offline. By default, the GTK is not refreshed when a client goes offline. Without this setting, a client that has left keeps a GTK that remains valid for the group traffic of the BSS until the next scheduled rekey.
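The TKIP CM Time item above describes a detection-and-response loop: count MIC failures, and when too many fall within the window, tear down the TKIP associations and refuse new ones for the countermeasure time. The following Python class, added here as an illustration and not taken from H3C software, implements that loop over constructed event timestamps. The page speaks of more than two MIC failures within the specified time, whereas IEEE 802.11 triggers countermeasures on the second failure within 60 seconds, so both the window and the threshold are parameters; the class and method names are this example's own.

```python
"""TKIP MIC-failure countermeasures, as configured with TKIP CM Time.

Added example, not H3C code. A per-BSS sliding window counts Michael MIC
failures; when the count exceeds the threshold inside the window, every TKIP
association is torn down and new ones are refused for cm_time_s seconds.
cm_time_s == 0 disables the policy, as on the AC. The page states "more than
two MIC failures within the specified time"; IEEE 802.11 triggers on the
second failure within 60 s, so window_s and max_failures are parameters.
"""
from collections import deque


class TkipCountermeasures:
    def __init__(self, cm_time_s, window_s=60, max_failures=2):
        self.cm_time_s = cm_time_s            # 0 = policy disabled
        self.window_s = window_s              # length of the failure window
        self.max_failures = max_failures      # failures tolerated in the window
        self.failures = deque()               # timestamps of recent failures
        self.blocked_until = None             # end of the current hold-down
        self.associated = set()               # TKIP clients currently online

    def association_allowed(self, now):
        """New TKIP associations are refused during the countermeasure hold-down."""
        if self.blocked_until is not None and now < self.blocked_until:
            return False
        self.blocked_until = None
        return True

    def associate(self, mac, now):
        """Admit a TKIP client unless countermeasures are in force."""
        if not self.association_allowed(now):
            return False
        self.associated.add(mac)
        return True

    def report_mic_failure(self, now):
        """Record a MIC failure; return the set of clients disassociated by it."""
        if self.cm_time_s == 0:
            return set()                      # policy disabled: count nothing
        self.failures.append(now)
        while now - self.failures[0] > self.window_s:
            self.failures.popleft()           # forget failures outside the window
        if len(self.failures) <= self.max_failures:
            return set()
        # Threshold exceeded: drop every TKIP association and start the hold-down.
        dropped, self.associated = self.associated, set()
        self.failures.clear()
        self.blocked_until = now + self.cm_time_s
        return dropped


if __name__ == "__main__":
    # Constructed event stream: two clients online, three MIC failures in 20 s.
    cm = TkipCountermeasures(cm_time_s=120)
    cm.associate("sta1", 0)
    cm.associate("sta2", 1)
    for t in (10, 20, 30):
        print(f"t={t}s dropped={cm.report_mic_failure(t)}")
    print("new association at t=100s allowed:", cm.associate("sta3", 100))
```

Note what the default cm_time_s of 0 buys an attacker: forged frames with bad MICs are simply discarded and nothing is counted, so a Michael-based injection attack is never slowed down. Setting a non-zero countermeasure time trades a denial-of-service risk (anyone who can inject two bad MICs can knock the TKIP clients off) for protection of the key; the cleaner fix is to retire TKIP in favour of CCMP.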

Configuring security settings for a crypto type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target crypto type wireless service to enter the page for configuring the crypto type wireless service.

Figure 229 Security settings for the crypto type wireless service

3. Configure security settings for the crypto type wireless service as described in Table 96.
4. Click Apply.

Table 96 Configuration items

Authentication Type
    Open-System: No authentication. With this authentication mode enabled, all clients pass the authentication.
    Shared-Key: The two parties must have the same shared key configured. You can select this option only when WEP encryption is used.
    Open-System and Shared-Key: Both open-system and shared-key authentication are selected.
    IMPORTANT:
    WEP encryption can be used together with open-system and shared-key authentication.
    Open-system authentication: The WEP key is used for encryption only. If the two parties do not use the same key, a wireless link can still be established, but all data is discarded.
    Shared-key authentication: The WEP key is used for both authentication and encryption. If the two parties do not use the same key, the client cannot pass the authentication and cannot access the wireless network.
    Shared-key authentication is not a security improvement: the challenge and its WEP-encrypted response give a passive listener a plaintext/keystream pair, so it is weaker than open-system authentication with the same WEP key. WEP itself is broken; use RSN with AES-CCMP wherever the clients support it.

Cipher Suite
    Encryption mechanisms supported by the wireless service, which can be:
    AES-CCMP: Encryption mechanism based on the AES encryption algorithm.
    TKIP: Encryption mechanism based on the RC4 algorithm and dynamic key management. TKIP is deprecated and should be enabled only for clients that cannot use CCMP.
    AES-CCMP and TKIP: Both CCMP and TKIP are selected.

Security IE
    Wireless service type (IE information carried in beacon and probe response frames):
    WPA: Wi-Fi Protected Access.
    RSN: A robust security network (RSN) allows only the creation of robust security network associations (RSNAs). It provides greater protection than WEP and WPA, and is what client software labels WPA2.
    WPA and RSN: Both WPA and RSN are selected.

Encryption (WEP settings)

Provide Key Automatically
    Enable: A WEP key is dynamically assigned.
    Disable: A static WEP key is used.
    By default, a static WEP key is used. When you enable this function, the WEP option is automatically set to wep104.
    IMPORTANT:
    This function must be used together with 802.1X authentication.
    With dynamic WEP encryption configured, the WEP key used to encrypt unicast frames is negotiated between the client and the server. If a WEP default key is configured, it is used to encrypt multicast frames; if not, the device randomly generates a multicast WEP key.

WEP
    wep40: The WEP40 key option.
    wep104: The WEP104 key option.
    wep128: The WEP128 key option.

Key ID
    1: Key index 1. 2: Key index 2. 3: Key index 3. 4: Key index 4.
    WEP has 4 static keys, so the key index can be 1, 2, 3, or 4. The key corresponding to the specified key index is used for encrypting and decrypting broadcast and multicast frames.

Key Length
    Key length.
    For wep40, the key is a string of 5 alphanumeric characters or a 10-digit hexadecimal number.
    For wep104, the key is a string of 13 alphanumeric characters or a 26-digit hexadecimal number.
    For wep128, the key is a string of 16 alphanumeric characters or a 32-digit hexadecimal number.

WEP Key
    Configure the WEP key.

Port Security
    See Table 91. Parameters such as the authentication type and encryption type determine the available port modes. For more information, see Table 99.
    After you select the Cipher Suite option, the following three port security modes are added:
    mac and psk: MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, the access user must use the pre-configured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
    psk: An access user must use the pre-configured pre-shared key (PSK) to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
    userlogin-secure-ext: Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.

a. Configure mac and psk

Figure 230 mac and psk port security configuration page

Table 97 Configuration items

Port Mode
    mac and psk: MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, the access user must use the pre-configured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.

Max User
    Control the maximum number of users allowed to access the network through the port.

MAC Authentication
    Select MAC Authentication. To add the clients that are to be MAC-authenticated, select Wireless Service > Access Service from the navigation tree, click MAC Authentication List, and enter the MAC address of the client.

Domain
    Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
    The selected domain applies only to the current wireless service; all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
    Do not delete a domain that is in use. Otherwise, the clients that access the wireless service are logged out.

Pre-shared Key
    pass-phrase: Enter the PSK as a character string of 8 to 63 printable characters.
    raw-key: Enter the PSK as a hexadecimal number. The value must be exactly 64 hexadecimal digits (256 bits).

b. Configure psk

Figure 231 psk port security configuration page

Table 98 Configuration items

Port Mode
    psk: An access user must use the pre-configured pre-shared key (PSK) to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.

Max User
    Control the maximum number of users allowed to access the network through the port.

Pre-shared Key
    pass-phrase: Enter the PSK as a character string of 8 to 63 printable characters.
    raw-key: Enter the PSK as a hexadecimal number. The value must be exactly 64 hexadecimal digits (256 bits).

c. Configure userlogin-secure-ext

Perform the configurations as described in "Configure userlogin-secure/userlogin-secure-ext."

Security parameter dependencies

For a clear-type or crypto-type wireless service, the security parameters depend on one another as shown in Table 99. Each row gives, for a service type and authentication mode, whether a cipher suite is selected, whether a security IE is then required, whether WEP encryption is available or required and which key IDs it may use, and the port security modes that remain selectable.

Table 99 Security parameter dependencies

Service type | Authentication mode | Encryption type (cipher suite) | Security IE | WEP encryption/key ID | Port mode
Clear | Open-System | Unavailable | Unavailable | Unavailable | mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, userlogin-secure, userlogin-secure-ext, userlogin-secure-or-mac, userlogin-secure-or-mac-ext
Crypto | Open-System | Selected | Required | WEP encryption is available; the key ID can be 2, 3, or 4 | mac and psk, psk, userlogin-secure-ext
Crypto | Open-System | Unselected | Unavailable | WEP encryption is required; the key ID can be 1, 2, or 3 | mac-authentication, userlogin-secure, userlogin-secure-ext
Crypto | Shared-Key | Unavailable | Unavailable | WEP encryption is required; the key ID can be 1, 2, 3, or 4 | mac-authentication
Crypto | Open-System and Shared-Key | Selected | Required | WEP encryption is required; the key ID can be 1, 2, 3, or 4 | mac and psk, psk, userlogin-secure-ext
Crypto | Open-System and Shared-Key | Unselected | Unavailable | WEP encryption is required; the key ID can be 1, 2, 3, or 4 | mac-authentication, userlogin-secure, userlogin-secure-ext

Enabling a wireless service
1. Select Wireless Service > Access Service from the navigation tree.

Figure 232 Enabling a wireless service

2. Select the wireless service to be enabled.
3. Click Enable.
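Before enabling a service, it is worth checking that the security parameters chosen in Table 96 are a permitted combination under Table 99, and separately whether they are a safe one, since the table permits WEP and shared-key authentication. The following Python validator, added here as an illustration and not taken from H3C software, encodes the six rows of Table 99 and the WEP key lengths of Table 96; the dictionary field names are this example's own names for the web page fields.

```python
"""Validate a wireless service's security settings against Table 99 and the
WEP key formats in Table 96 before enabling the service.

Added example, not H3C code. The configuration is a plain dict whose keys
(service_type, auth, cipher_suite, security_ie, wep, key_id, wep_key,
port_mode) are this example's own names for the web page fields.
"""
import re

ALL_CLEAR_MODES = {
    "mac-authentication", "mac-else-userlogin-secure",
    "mac-else-userlogin-secure-ext", "userlogin-secure", "userlogin-secure-ext",
    "userlogin-secure-or-mac", "userlogin-secure-or-mac-ext",
}
SUITE_MODES = {"mac and psk", "psk", "userlogin-secure-ext"}
WEP_MODES = {"mac-authentication", "userlogin-secure", "userlogin-secure-ext"}

# Table 99 rows: (service type, authentication, cipher suite selected?) ->
# (security IE, WEP encryption, permitted key IDs, permitted port modes)
RULES = {
    ("clear", "Open-System", False): ("unavailable", "unavailable", (), ALL_CLEAR_MODES),
    ("crypto", "Open-System", True): ("required", "available", (2, 3, 4), SUITE_MODES),
    ("crypto", "Open-System", False): ("unavailable", "required", (1, 2, 3), WEP_MODES),
    ("crypto", "Shared-Key", False): ("unavailable", "required", (1, 2, 3, 4), {"mac-authentication"}),
    ("crypto", "Open-System and Shared-Key", True): ("required", "required", (1, 2, 3, 4), SUITE_MODES),
    ("crypto", "Open-System and Shared-Key", False): ("unavailable", "required", (1, 2, 3, 4), WEP_MODES),
}

# Table 96 key lengths: option -> (alphanumeric characters, hexadecimal digits)
WEP_KEY_LEN = {"wep40": (5, 10), "wep104": (13, 26), "wep128": (16, 32)}


def check_wep_key(option, key):
    """Return problems with a static WEP key for the given WEP option."""
    chars, hexdigits = WEP_KEY_LEN[option]
    if len(key) == chars and key.isalnum():
        return []
    if len(key) == hexdigits and re.fullmatch(r"[0-9A-Fa-f]+", key):
        return []
    return [f"{option} key must be {chars} alphanumeric characters or {hexdigits} hexadecimal digits"]


def check_service(cfg):
    """Return rule violations; an empty list means the combination is offered."""
    suite_selected = bool(cfg.get("cipher_suite"))
    row = RULES.get((cfg["service_type"].lower(), cfg["auth"], suite_selected))
    if row is None:
        return [f"{cfg['auth']} with cipher suite {'selected' if suite_selected else 'unselected'} "
                f"is not offered for a {cfg['service_type']} service"]
    sec_ie, wep_rule, key_ids, modes = row
    problems = []
    if sec_ie == "required" and not cfg.get("security_ie"):
        problems.append("a security IE (WPA, RSN or both) is required once a cipher suite is selected")
    if sec_ie == "unavailable" and cfg.get("security_ie"):
        problems.append("security IE is unavailable for this combination")
    wep = cfg.get("wep")
    if wep_rule == "required" and not wep:
        problems.append("WEP encryption is required for this combination")
    if wep_rule == "unavailable" and wep:
        problems.append("WEP encryption is unavailable for this combination")
    if wep:
        if cfg.get("key_id") not in key_ids:
            problems.append(f"key ID must be one of {key_ids}")
        problems += check_wep_key(wep, cfg.get("wep_key", ""))
    mode = cfg.get("port_mode")
    if mode and mode not in modes:
        problems.append(f"port mode {mode!r} is not available here; choose from {sorted(modes)}")
    return problems


def weak_settings(cfg):
    """Advisories the table does not give: permitted is not the same as safe."""
    notes = []
    if cfg.get("wep"):
        notes.append("WEP (any key length) is cryptographically broken")
    if "Shared-Key" in cfg.get("auth", ""):
        notes.append("shared-key authentication hands a passive listener a plaintext/keystream pair")
    if "TKIP" in cfg.get("cipher_suite", ()):
        notes.append("TKIP is deprecated; select AES-CCMP only")
    if cfg.get("security_ie") == "WPA":
        notes.append("WPA is superseded by RSN (WPA2)")
    return notes


if __name__ == "__main__":
    # Constructed configurations: a WEP shared-key service and an RSN/CCMP one.
    legacy = {"service_type": "crypto", "auth": "Shared-Key", "wep": "wep40",
              "key_id": 1, "wep_key": "abcde", "port_mode": "mac-authentication"}
    modern = {"service_type": "crypto", "auth": "Open-System", "cipher_suite": ["AES-CCMP"],
              "security_ie": "RSN", "port_mode": "psk"}
    for name, cfg in (("legacy", legacy), ("modern", modern)):
        print(name, "violations:", check_service(cfg), "advisories:", weak_settings(cfg))
```

The two output lines make the distinction explicit: the legacy WEP service passes Table 99 with no violations yet collects two advisories, while the RSN/CCMP service passes both checks.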

Binding an AP radio to a wireless service

Binding an AP radio to a wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target wireless service to enter the page for binding an AP radio to a wireless service.

Figure 233 Binding an AP radio to a wireless service

3. Select the AP radio to be bound.
4. Click Bind.
   A configuration progress dialog box appears.
5. After the configuration process is complete, click Close.

Binding an AP radio to a VLAN

Traffic of different services is identified by SSIDs, and locations are identified by APs. Users at different locations access different services. For a user roaming between APs, you can provide services for the user based on its access AP. The detailed requirements are as follows:
    Users with the same SSID but accessing through different APs can be assigned to different VLANs according to the configuration.
    A roaming user always belongs to the same VLAN.
    For a user roaming between ACs, if the local AC does not have the VLAN interface, the user's packets must be forwarded through the HA in the AC group to avoid packet loss.

Figure 234 Schematic diagram for WLAN support for AP-based access VLAN recognition
(Figure: a RADIUS server; AC 1 (HA) and AC 2 (FA) connected by an IACTP tunnel; AP 1, AP 2, and AP 3 serving VLAN 3, AP 4 serving VLAN 2; Client 1 roaming within AC 1 (intra-AC roaming) and then to AC 2 (inter-AC roaming); Client 2 on AP 4.)

As shown in Figure 234, Client 1 goes online through AP 1 and belongs to VLAN 3. When Client 1 roams within an AC or between ACs, it always belongs to VLAN 3. When Client 1 roams between ACs, if the FA (AC 2) has VLAN-interface 3, AC 2 forwards packets from Client 1; otherwise, packets from Client 1 are sent to the HA (AC 1) through the data tunnel, and the HA forwards them. Client 2 goes online through AP 4 and belongs to VLAN 2. That is, a client going online through a different AP is assigned to a different VLAN.

1. Select Wireless Service > Access Service from the navigation tree.
2. Click the icon corresponding to the target wireless service to enter the AP radio setup page, as shown in Figure 233.
3. Select the box corresponding to the AP radio to be bound.
4. Enter the VLAN to be bound in the Binding VLAN field.
5. Click Bind.

Enabling a radio
1. Select Radio > Radio from the navigation tree.

Figure 235 Enabling 802.11n radio

2. Select the box of the target radio.
3. Click Enable.
   A configuration progress dialog box appears.
4. After the configuration process is complete, click Close.

Displaying the detailed information of a wireless service

Displaying the detailed information of a clear-type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click the specified clear-type wireless service to see its detailed information.

Figure 236 Displaying the detailed information of a clear-type wireless service

Table 100 Field description

Service Template Number
    Current service template number.

SSID
    Service set identifier.

Binding Interface
    Name of the WLAN-ESS interface bound to the service template.

Service Template Type
    Service template type.

Authentication Method
    Type of authentication used. A clear-type wireless service can use only Open System authentication.

SSID-hide
    Disable: SSID advertisement is enabled.
    Enable: SSID advertisement is disabled, that is, the AP does not advertise the SSID in beacon frames. Hiding the SSID is not an access control: clients still transmit it in their probe and association requests.

Bridge Mode
    Forwarding mode, which can be:
    Local Forwarding: The AP forwards client data locally.
    Remote Forwarding: The AC forwards client data.

Service Template Status
    Service template status, which can be:
    Enable: The wireless service is enabled.
    Disable: The wireless service is disabled.

Maximum clients per BSS
    Maximum number of associated clients per BSS.

Displaying the detailed information of a crypto-type wireless service
1. Select Wireless Service > Access Service from the navigation tree.
2. Click a crypto-type wireless service to see its detailed information.

Figure 237 Displaying the detailed information of a crypto-type wireless service

Table 101 Field description

Service Template Number
    Current service template number.

SSID
    Service set identifier.

Binding Interface
    Name of the WLAN-ESS interface bound to the service template.

Service Template Type
    Service template type.

Security IE
    Security IE, which can be WPA or WPA2 (RSN).

Authentication Method
    Type of authentication used, which can be Open System or Shared Key.

SSID-hide
    Disable: SSID advertisement is enabled.
    Enable: SSID advertisement is disabled, that is, the AP does not advertise the SSID in beacon frames.

Cipher Suite
    Cipher suite, which can be CCMP, TKIP, or WEP40/WEP104/WEP128.

WEP Key Index
    WEP key index used to encrypt and decrypt frames.

WEP Key Mode
    HEX: WEP key in hexadecimal format.
    ASCII: WEP key as a character string.

WEP Key
    WEP key.

TKIP Countermeasure Time(s)
    TKIP MIC failure hold time, in seconds.

PTK Life Time(s)
    PTK lifetime, in seconds.

GTK Rekey
    Whether GTK rekeying is configured.

GTK Rekey Method
    GTK rekey method configured, which can be:
    Time-based, which displays the GTK rekey time in seconds.
    Packet-based, which displays the number of packets.

GTK Rekey Time
    Time for GTK rekey, in seconds.

Bridge Mode
    Forwarding mode, which can be:
    Local Forwarding: The AP forwards client data locally.
    Remote Forwarding: The AC forwards client data.

Service Template Status
    Service template status, which can be:
    Enable: The wireless service is enabled.
    Disable: The wireless service is disabled.

Maximum clients per BSS
    Maximum number of associated clients per BSS.

Wireless service configuration example

Network requirements
As shown in Figure 238, an AP is required to enable employees to access the internal resources at any time. More specifically:
    The AC and the AP (serial ID 210235A29G007C000020) are connected through a Layer 2 switch.
    The AP provides a clear type wireless access service with SSID service1.
    802.11n (2.4GHz) radio mode is adopted.

Figure 238 Network diagram

Configuring the AC
1. Create an AP:
   a. Select AP > AP Setup from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID manual, and enter the serial ID of the AP.
   d. Click Apply.

Figure 239 Creating an AP

2. Configure a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the service name to service1 and select the wireless service type clear.
   d. Click Apply.

Figure 240 Creating a wireless service

3. Enable the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. On the page that appears, select the service1 box and click Enable.

Figure 241 Enabling wireless service

4. Bind an AP radio to the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon corresponding to the wireless service service1.
   c. On the page that appears, select the box before ap with radio type 802.11n(2.4GHz).
   d. Click Bind.

Figure 242 Binding an AP radio

5. Enable the 802.11n(2.4GHz) radio:
   a. Select Radio > Radio from the navigation tree.
   b. Select the box before ap with the radio mode 802.11n(2.4GHz).
   c. Click Enable.

Figure 243 Enabling 802.11n(2.4GHz) radio

Verifying the configuration
    The client can successfully associate with the AP and access the WLAN network.
    You can view the online clients on the page that you enter by selecting Summary > Client from the navigation tree.

Figure 244 Viewing the online clients

Configuration guidelines
    Select the correct district code.
    A clear type service with open-system authentication and no port security carries all client traffic unencrypted and admits any client in range; use it only for guest or portal networks, not for access to internal resources.

Auto AP configuration example

Network requirements
As shown in Figure 245, enable the auto-AP function so that APs connect to the AC automatically.
    The AP provides a clear type wireless service with the SSID service1.
    802.11n(2.4GHz) radio mode is adopted.

Figure 245 Network diagram

Configuring the AC
1. Create an AP:
   a. Select AP > AP Setup from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID auto, and click Apply.

Figure 246 Creating an AP

2. Configure a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the service name to service1, select the wireless service type clear, and click Apply.

Figure 247 Creating a wireless service

3. Enable the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Select the service1 box.
   c. Click Enable.

Figure 248 Enabling the wireless service

4. Bind an AP to the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon corresponding to the wireless service service1.
   c. On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz), and click Bind.

Figure 249 Binding an AP

   d. To view the AP status, select AP > AP Setup from the navigation tree. The AP is in the IDLE state.

Figure 250 AP status before auto AP is enabled

5. Enable auto AP:
   a. Select AP > Auto AP from the navigation tree.
   b. Select enable.
   c. Click Apply.

Figure 251 Configuring auto AP

   d. To view the automatically found AP (ap_0001), click Refresh.

Figure 252 Viewing the automatically found AP

6. Rename the automatically found AP:
   If you do not need to rename the automatically found AP, select the ap_0001 box, and then click Transmit All AP.
   To rename the automatically found AP:
   a. Select AP > Auto AP from the navigation tree.
   b. Click the icon of the target AP.
   c. On the page that appears, select AP Rename and enter ap1.
   d. Click Apply.

Figure 253 Modifying the AP name

   e. To view the renamed AP, select AP > AP Setup from the navigation tree.

Figure 254 Displaying AP

7. Enable the 802.11n(2.4GHz) radio:
   a. Select Radio > Radio from the navigation tree.
   b. Select the box of the target AP.
   c. Click Enable.

Verifying the configuration
    The AP is in the Run state on the page you enter by selecting AP > AP Setup from the navigation tree.
    The client can successfully associate with the AP and access the WLAN network.
    You can view the online clients on the page that you enter by selecting Summary > Client from the navigation tree.

Figure 255 Viewing the online clients

Configuration guidelines
Follow these guidelines when you configure an auto AP:
    Select the correct district code.
    Select the renamed AP (ap1 in the example) rather than the auto AP (ap in the example) when enabling the radio. If you enable the radio of the auto AP, the radios of all automatically found APs are enabled.
    Auto AP admits any AP that discovers the AC. Disable it once the planned APs have been adopted and renamed, so that an unknown AP plugged into the network cannot join the WLAN automatically.

802.11n configuration example

Network requirements
As shown in Figure 256, deploy an 802.11n network to provide high-bandwidth access for multimedia applications.
    The AP provides a clear type (plain-text) wireless service with SSID 11nservice.
    802.11gn is adopted to interwork with the existing 802.11g network and protect the current investment.

Figure 256 Network diagram

Configuring the AC
1. Create an AP:
   a. Select AP > AP Setup from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the AP name to 11nap, select the AP model WA22610E-AGN, select the serial ID manual, enter the serial ID of the AP, and click Apply.
2. Create a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the service name to 11nservice, select the wireless service type clear, and click Apply.
3. Enable the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Select the 11nservice box.
   c. Click Enable.
4. Bind an AP radio:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon corresponding to the target wireless service.
   c. Select the 11nap box.
   d. Click Bind.
5. Enable the 802.11n(2.4GHz) radio:
   a. Select Radio > Radio from the navigation tree.
   b. Select the 11nap box of the target AP.
   c. Click Enable.

Verifying the configuration
    The client can successfully associate with the AP and access the WLAN network.
    You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.

Figure 257 Viewing the online clients

In this example, 0014-6c8a-43ff is an 802.11g client and 001c-f0bf-9c92 is an 802.11n client. Both can access the WLAN because there is no limit on the client type. If you enable "client 802.11n only", only 001c-f0bf-9c92 can access the WLAN.

Configuration guidelines
Follow these guidelines when you configure 802.11n:
    Select Radio > Radio from the navigation tree, select the AP to be configured, and click the icon to enter the page for configuring a radio. There you can modify the 802.11n parameters, including bandwidth mode, A-MPDU, A-MSDU, short GI, and whether only 802.11n clients are allowed.
    Select Radio > Rate from the navigation tree to set 802.11n rates.

WPA-PSK authentication configuration example

Network requirements
As shown in Figure 258, connect the client to the wireless network through WPA-PSK authentication. The PSK key configuration on the client is the same as that on the AC: 12345678.
Figure 258 Network diagram

Configuring the AC
1. Create an AP:
   a. Select AP > AP Setup from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID manual, enter the AP serial ID, and click Apply.

Figure 259 Creating an AP

2. Create a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the service name to psk, select the wireless service type crypto, and click Apply.

Figure 260 Creating a wireless service

3. Configure the wireless service:
   After you create a wireless service, you enter the wireless service configuration page.
   a. In the Security Setup area, select Open-System from the Authentication Type list.
   b. Select the Cipher Suite box, select AES-CCMP and TKIP (select an encryption type as needed), and then select WPA from the Security IE list.
   c. Select the Port Set box, and select psk from the Port Mode list.
   d. Select pass-phrase from the Pre-shared Key list, and enter the key 12345678.
   e. Click Apply.

Figure 261 Security setup

4. Enable the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Select the psk[Bind] box.
   c. Click Enable.

Figure 262 Enabling wireless service

5. Bind an AP radio to the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon corresponding to the wireless service psk.
   c. On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz) and click Bind.
      A configuration progress dialog box appears.
   d. After the configuration process is complete, click Close.

Figure 263 Binding an AP radio

6. Enable 802.11n(2.4GHz) radio:
   a. Select Radio > Radio from the navigation tree.
   b. Select the ap box before 802.11n(2.4GHz).
   c. Click Enable.
      A configuration progress dialog box appears.
   d. After the configuration process is complete, click Close.

Figure 264 Enabling 802.11n(2.4GHz) radio

Configuring the client
1. Launch the client, and refresh the network list.
2. Select the configured service in Choose a wireless network (PSK in this example).
3. Click Connect.
4. In the popup dialog box, enter the key (12345678 in this example), and then click Connect.

Figure 265 Configuring the client

The client has the same pre-shared key as the AP, so the client can associate with the AP.

Figure 266 The client is associated with the AP

Verifying the configuration

The client can successfully associate with the AP and access the WLAN network.

You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.
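The reason the pass-phrase on the client must match the one on the AC is that both sides derive the same pairwise master key (PMK) from it and from the SSID, using the PBKDF2 derivation defined in IEEE 802.11i. The following added example (not H3C code) performs that derivation for the service psk and key 12345678 of this example and checks the 8-to-63-character pass-phrase rule; the raw 64-hex-digit key form is the alternative to a pass-phrase.

```python
"""Derive the WPA-PSK pairwise master key (PMK) that both the AC and the
client compute from the configured pass-phrase (added example, not H3C code).
IEEE 802.11i defines: PMK = PBKDF2-HMAC-SHA1(pass-phrase, SSID, 4096, 32 bytes).
"""
import hashlib
import re

PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def validate_passphrase(passphrase: str) -> None:
    """A pass-phrase must be 8 to 63 printable ASCII characters (802.11i).
    The key 12345678 used in this example has the shortest allowed length."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pass-phrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("pass-phrase must be printable ASCII")


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """Return the 256-bit PMK for a pass-phrase type pre-shared key.
    The SSID is the salt, so the same pass-phrase yields a different PMK
    under a different service name."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def raw_key_to_pmk(raw_key_hex: str) -> bytes:
    """A raw (64 hexadecimal digit) pre-shared key is the PMK itself."""
    if not re.fullmatch(r"[0-9a-fA-F]{64}", raw_key_hex):
        raise ValueError("raw key must be exactly 64 hexadecimal digits")
    return bytes.fromhex(raw_key_hex)


def keys_match(ssid: str, ac_passphrase: str, client_passphrase: str) -> bool:
    """The client can only complete the 4-way handshake with the AP when both
    sides derived the same PMK, i.e. same pass-phrase under the same SSID."""
    return derive_pmk(ssid, ac_passphrase) == derive_pmk(ssid, client_passphrase)


if __name__ == "__main__":
    # SSID psk and pass-phrase 12345678 are the values used in the example above.
    pmk = derive_pmk("psk", "12345678")
    print("PMK for SSID psk:", pmk.hex())
    print("client with the same key associates:", keys_match("psk", "12345678", "12345678"))
    print("client with a different key associates:", keys_match("psk", "12345678", "12345679"))
```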

Local MAC authentication configuration example

Network requirements
The AC is connected to the AP through a Layer 2 switch, and they are in the same network. Perform MAC authentication on the client.
Figure 267 Network diagram

Configuring the AC
1. Create an AP:
   a. Select AP > AP Setup from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID manual, enter the AP serial ID, and click Apply.

Figure 268 Creating an AP

2. Create a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the service name to mac-auth, select the wireless service type clear, and click Apply.

Figure 269 Creating a wireless service

3. Configure the wireless service:
   After you have created a wireless service, you enter the wireless service configuration page.
   a. In the Security Setup area, select Open-System from the Authentication Type list.
   b. Select the Port Set box, and select mac-authentication from the Port Mode list.
   c. Select the MAC Authentication box, and select system from the Domain list.
      To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a domain name in the Domain Name field.
   d. Click Apply.

Figure 270 Security setup

4. Enable the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Select the mac-auth box.
   c. Click Enable.

Figure 271 Enabling wireless service

5. Configure a MAC authentication list:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click MAC Authentication List.
   c. On the page that appears, add a local user in the MAC Address field. 0014-6c8a-43ff is used in this example.
   d. Click Add.

Figure 272 Adding a MAC authentication list

6. Bind an AP radio to the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon corresponding to the wireless service mac-auth.
   c. On the page that appears, select the box before ap with radio mode 802.11n(2.4GHz) and click Bind.
      A configuration progress dialog box appears.
   d. After the configuration process is complete, click Close.

Figure 273 Binding an AP radio

7. Enable 802.11n(2.4GHz) radio:
   a. Select Radio > Radio from the navigation tree.
   b. Select the ap 802.11n(2.4GHz) box of the target AP.
   c. Click Enable.
      A configuration progress dialog box appears.
   d. After the configuration process is complete, click Close.

Figure 274 Enabling 802.11n(2.4GHz) radio

Configuring the client
1. Launch the client, and refresh the network list.
2. Select the configured service in Choose a wireless network (mac-auth in this example).
3. Click Connect.
   If the MAC address of the client is in the MAC address list, the client can pass the MAC authentication and access the wireless network.

Figure 275 Configuring the client

Verifying the configuration

The client can successfully associate with the AP and access the WLAN network.

You can view the online clients on the page you enter by selecting Summary > Client.

Remote MAC authentication configuration example

Network requirements
As shown in Figure 276, perform remote MAC authentication on the client.

Use the intelligent management center (IMC) as the RADIUS server for authentication, authorization, and accounting (AAA). On the RADIUS server, configure the client's username and password as the MAC address of the client and the shared key as expert. The IP address of the RADIUS server is 10.18.1.88.

The IP address of the AC is 10.18.1.1. On the AC, configure the shared key for communication with the RADIUS server as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server.

Figure 276 Network diagram

Configuring the AC
1. Assign an IP address to the AC:
   a. Select Network > VLAN to create a VLAN on the AC.
   b. Select Device > Interface Management to assign an IP address to the VLAN interface.

2. Configure a RADIUS scheme:
   a. Select Authentication > RADIUS from the navigation tree.
   b. Click Add.
   c. On the page that appears, add two servers in the RADIUS Server Configuration area, and specify the key expert.
   d. Enter mac-auth in the Scheme Name field.
   e. Select Extended as the server type.
   f. Select Without domain name from the Username Format list.
   g. Click Apply.

Figure 277 Configuring RADIUS

3. Configure AAA:
   a. From the navigation tree, select Authentication > AAA.
   b. Optional: On the Domain Setup tab, create a new ISP domain.
      This example uses the default domain system.
   c. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box, select the authentication mode RADIUS, select the authentication scheme mac-auth from the Name list, and click Apply.
      A configuration progress dialog box appears.
   d. After the configuration process is complete, click Close.

Figure 278 Configuring the AAA authentication method for the ISP domain

   e. On the Authorization tab, select the ISP domain system, select the LAN-access AuthZ box, select the authorization mode RADIUS, select the authorization scheme mac-auth from the Name list, and click Apply.
      A configuration progress dialog box appears.
   f. After the configuration process is complete, click Close.

Figure 279 Configuring the AAA authorization method for the ISP domain

   g. On the Accounting tab, select the ISP domain system, select the Accounting Optional box, select Enable from the Accounting Optional list, select the LAN-access Accounting box, select the accounting method RADIUS, select the accounting scheme mac-auth from the Name list, and click Apply.
      A configuration progress dialog box appears.
   h. After the configuration process is complete, click Close.

Figure 280 Configuring the AAA accounting method for the ISP domain

4. Create an AP:
   a. Select AP > AP Setup from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID manual, enter the AP serial ID, and click Apply.

Figure 281 AP setup

5. Configure a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the wireless service name to mac-auth, select the wireless service type clear, and click Apply.

Figure 282 Creating a wireless service

6. Configure MAC authentication:
   After you create a wireless service, the wireless service configuration page appears.
   a. In the Security Setup area, select Open-System from the Authentication Type list.
   b. Select the Port Set box, and select mac-authentication from the Port Mode list.
   c. Select the MAC Authentication box, and select system from the Domain list.
   d. Click Apply.
      A configuration progress dialog box appears.
   e. After the configuration process is complete, click Close.

Figure 283 Security setup

7. Enable the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. On the page that appears, select the mac-auth box.
   c. Click Enable.
      A configuration progress dialog box appears.
   d. After the configuration process is complete, click Close.

Figure 284 Enabling the wireless service

8. Bind an AP radio to the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon corresponding to the wireless service mac-auth.
   c. Select the box of the AP with the radio mode 802.11n(2.4GHz).
   d. Click Bind.
      A configuration progress dialog box appears.
   e. After the configuration process is complete, click Close.

Figure 285 Binding an AP radio to a wireless service

9. Enable 802.11n(2.4GHz) radio:
   a. Select Radio > Radio from the navigation tree.
   b. Select the ap 802.11n(2.4GHz) box of the target AP.
   c. Click Enable.
      A configuration progress dialog box appears.
   d. After the configuration process is complete, click Close.

Figure 286 Enabling 802.11n(2.4GHz) radio

Configuring the RADIUS server (IMCv3)

NOTE:
The following takes the IMC (IMC PLAT 3.20-R2602 and IMC UAM 3.60-E6102) as an example to illustrate the basic configuration of the RADIUS server.

1. Add an access device:
   a. Click the Service tab in the IMC Platform.
   b. Select Access Service > Access Device from the navigation tree.
   c. Click Add.
   d. On the page that appears, add expert for Shared Key, add ports 1812 and 1813 for Authentication Port and Accounting Port respectively, select LAN Access Service for Service Type, select H3C for Access Device Type, select or manually add an access device with the IP address 10.18.1.1, and click Apply.

Figure 287 Adding access device

2. Add a service:
   a. Click the Service tab.
   b. Select Access Service > Access Device from the navigation tree.
   c. Click Add.
   d. On the page that appears, set the service name to mac, keep the default values for other parameters, and click Apply.

Figure 288 Adding service

3. Add an account:
   a. Click the User tab.
   b. Select User > All Access Users from the navigation tree.
   c. Click Add.
   d. On the page that appears, enter the username 00146c8a43ff, add an account and password 00146c8a43ff, select the service mac, and click Apply.

Figure 289 Adding account

Configuring the RADIUS server (IMC v5)

NOTE:
The following takes the IMC (IMC PLAT 5.0 and IMC UAM 5.0) as an example to illustrate the basic configuration of the RADIUS server.

1. Add an access device:
   a. Click the Service tab in the IMC Platform.
   b. Select User Access Manager > Access Device Management from the navigation tree.
   c. Click Add.
   d. On the page that appears, enter 12345678 as the Shared Key, keep the default values for other parameters, select or manually add the access device with the IP address 10.18.1.1, and click Apply.

Figure 290 Adding access device

2. Add a service:
   a. Click the Service tab.
   b. Select User Access Manager > Service Configuration from the navigation tree.
   c. Click Add.
   d. On the page that appears, set the service name to mac, keep the default values for other parameters, and click Apply.

Figure 291 Adding service

3. Add an account:
   a. Click the User tab.
   b. Select User > All Access Users from the navigation tree to enter the user page.
   c. Click Add.
   d. On the page that appears, enter the username 00146c8a43ff, set the account name and password both to 00146c8a43ff, select the service mac, and click Apply.

Figure 292 Adding account

Verifying the configuration

During authentication, the user does not need to enter the username or password. After passing MAC authentication, the client can associate with the AP and access the WLAN.

You can view the online clients on the page you enter by selecting Summary > Client from the navigation tree.
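What the AC sends to IMC in this example is a RADIUS Access-Request whose User-Name and User-Password are the client's MAC address written without separators (0014-6c8a-43ff becomes 00146c8a43ff, which is why the IMC account is created under that name), with the domain name removed because of the Without domain name username format, and with the password hidden under the shared key expert as RFC 2865 specifies. The following added example (not H3C or IMC code) builds and decodes such a request; the same shared-key handling applies to the remote 802.1X example that follows. The packet identifier, the authenticator and the Calling-Station-Id format are constructed here, and the NAS-IP-Address is the AC address 10.18.1.1 from the requirements.

```python
"""Build and decode the RADIUS Access-Request used for remote MAC
authentication (added example, not H3C or IMC code). The User-Password
hiding follows RFC 2865 section 5.2; identifier and authenticator are
constructed values, a real AC generates them per request."""
import hashlib
import os
import socket
import struct

SHARED_KEY = b"expert"        # shared key configured on both the AC and IMC
NAS_IP = "10.18.1.1"          # the AC's address, sent as NAS-IP-Address
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_CALLING_STATION = 1, 2, 4, 31


def mac_auth_username(mac: str) -> str:
    """0014-6c8a-43ff (AC notation) -> 00146c8a43ff (the IMC account name)."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def strip_domain(username: str) -> str:
    """'Without domain name' username format: user@system -> user."""
    return username.split("@", 1)[0]


def hide_password(password: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """Pad to 16-byte blocks, then XOR each block with MD5(secret + previous
    ciphertext block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(client_mac: str, domain: str, identifier: int,
                         authenticator: bytes = None) -> bytes:
    """Return the bytes of a MAC-authentication Access-Request."""
    authenticator = authenticator or os.urandom(16)
    # The AC appends the ISP domain to the username, then strips it again
    # because the scheme uses the Without domain name format.
    name = strip_domain(mac_auth_username(client_mac) + "@" + domain)
    attrs = (attribute(ATTR_USER_NAME, name.encode())
             + attribute(ATTR_USER_PASSWORD,
                         hide_password(name.encode(), authenticator, SHARED_KEY))
             + attribute(ATTR_NAS_IP, socket.inet_aton(NAS_IP))
             + attribute(ATTR_CALLING_STATION, client_mac.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Decode the attribute list after the 20-byte header into {type: value}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


if __name__ == "__main__":
    pkt = build_access_request("0014-6c8a-43ff", "system", identifier=7)
    a = parse_attributes(pkt)
    print("User-Name:", a[ATTR_USER_NAME].decode())
    print("User-Password recovered by the server:",
          reveal_password(a[ATTR_USER_PASSWORD], pkt[4:20], SHARED_KEY).decode())
```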


Remote 802.1X authentication configuration example

Network requirements
Perform remote 802.1X authentication on the client.

Use the IMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username as user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is 10.18.1.88.

On the AC, configure the shared key as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.

Figure 293 Network diagram

Configuring the AC
1. Assign an IP address to the AC:
   a. Select Network > VLAN to create a VLAN on the AC.
   b. Select Device > Interface Management to assign an IP address to the VLAN interface.

2. Configure a RADIUS scheme:
   a. Select Authentication > RADIUS from the navigation tree.
   b. Click Add.
   c. On the page that appears, add two servers in the RADIUS Server Configuration area, and specify the key expert.
   d. Enter 802.1x in the Scheme Name field.
   e. Select the server type Extended, and select Without domain name from the Username Format list.
   f. Click Apply.

Figure 294 Configuring RADIUS

3. Configure AAA:
   a. Select Authentication > AAA from the navigation tree.
   b. Optional: On the Domain Setup tab, create a new ISP domain.
      This example uses the default domain system.
   c. On the Authentication tab, select the ISP domain system, select the LAN-access AuthN box, select the authentication mode RADIUS, select the authentication scheme 802.1x from the Name list, and click Apply.

Figure 295 Configuring the AAA authentication method for the ISP domain

   d. On the Authorization tab, select the domain name system, select the LAN-access AuthZ box, select the authorization mode RADIUS, select the authorization scheme 802.1x from the Name list, and click Apply.

Figure 296 Configuring the AAA authorization method for the ISP domain

   e. On the Accounting tab, select the ISP domain name system, select the Accounting Optional box and then select Enable from the Accounting Optional list, select the LAN-access Accounting box, select the accounting method RADIUS, select the accounting scheme 802.1x from the Name list, and click Apply.

Figure 297 Configuring the AAA accounting method for the ISP domain

4. Create an AP:
   a. Select AP > AP Setup from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the AP name to ap, select the AP model WA2620-AGN, select the serial ID manual, enter the AP serial ID, and click Apply.

Figure 298 AP setup

5. Configure a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the service name to dot1x, select the wireless service type crypto, and click Apply.

Figure 299 Creating a wireless service

6. Configure 802.1X authentication:
   After you create a wireless service, the wireless service configuration page appears.
   a. In the Security Setup area, select Open-System from the Authentication Type list, select the Cipher Suite box, select AES-CCMP from the Cipher Suite list, and select WPA2 from the Security IE list.
   b. Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.
   c. Select system from the Mandatory Domain list.
   d. Select EAP from the Authentication Method list.
   e. Disable Handshake and Multicast Trigger (recommended).
   f. Click Apply.
   g. A progress dialog box appears. During the process, another dialog box appears asking you whether to enable EAP authentication. Click OK.
   h. After the configuration process is complete, click Close.

Figure 300 Security setup

7. Enable the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. On the page that appears, select the dot1x box and click Enable.

Figure 301 Enabling the wireless service

8. Bind an AP radio to the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon corresponding to the wireless service dot1x.
   c. Select the box of the AP with the radio mode 802.11n(2.4GHz).
   d. Click Bind.
      A configuration progress dialog box appears.
   e. After the configuration process is complete, click Close.

Figure 302 Binding an AP radio to a wireless service

9. Enable 802.11n(2.4GHz) radio:
   a. Select Radio > Radio from the navigation tree.
   b. Select the box of the target AP.
   c. Click Enable.
      A configuration progress dialog box appears.
   d. After the configuration process is complete, click Close.

Figure 303 Enabling 802.11n(2.4GHz) radio

Configuring the RADIUS server (IMCv3)

NOTE:
The following takes the IMC (IMC PLAT 3.20-R2602 and IMC UAM 3.60-E6102) as an example to illustrate the basic configuration of the RADIUS server.

1. Add an access device:
   a. Click the Service tab in the IMC management platform.
   b. Select Access Service > Access Device from the navigation tree.
   c. Click Add.
   d. On the page that appears, enter the shared key expert, enter the authentication and accounting ports 1812 and 1813, select LAN Access Service from the Service Type list, select H3C from the Access Device Type list, select or manually add an access device with the IP address 10.18.1.1, and click Apply.

Figure 304 Adding access device

2. Add a service:
   a. Click the Service tab.
   b. Select Access Service > Access Device from the navigation tree.
   c. Click Add.
   d. On the page that appears, set the service name to dot1x, set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN, and click Apply.

Figure 305 Adding service

3. Add an account:
   a. Click the User tab.
   b. Select User > All Access Users from the navigation tree.
   c. Click Add.
   d. On the page that appears, enter the username user, add an account user and password dot1x, select the service dot1x, and click Apply.

Figure 306 Adding account

Configuring the RADIUS server (IMC v5)

NOTE:
The following takes the IMC (IMC PLAT 5.0 and IMC UAM 5.0) as an example to illustrate the basic configuration of the RADIUS server.

1. Add an access device:
   a. Click the Service tab in the IMC platform.
   b. Select User Access Manager > Access Device Management from the navigation tree.
   c. Click Add.
   d. On the page that appears, enter 12345678 as the Shared Key, keep the default values for other parameters, select or manually add the access device with the IP address 10.18.1.1, and click Apply.

Figure 307 Adding access device

2. Add a service:
   a. Click the Service tab.
   b. Select User Access Manager > Service Configuration from the navigation tree.
   c. Click Add.
   d. On the page that appears, set the service name to dot1x, set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN, and click Apply.

Figure 308 Adding a service

3. Add an account:
   a. Click the User tab.
   b. Select User > All Access Users from the navigation tree.
   c. Click Add.
   d. On the page that appears, enter the username user, set the account name to user and the password to dot1x, select the service dot1x, and click Apply.

Figure 309 Adding account

Configuring the wireless client
1. Double-click the wireless network icon at the bottom right corner of your desktop.
   The Wireless Network Connection Status window appears.
2. Click Properties in the General tab.
   The Wireless Network Connection Properties window appears.
3. In the Wireless Networks tab, select the wireless network with the SSID dot1x, and then click Properties.
   The dot1x Properties window appears.
4. In the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
5. In the popup window, clear Validate server certificate, and click Configure.
6. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any).

Figure 310 Configuring the wireless client (I)

Figure 311 Configuring the wireless client (II)

Figure 312 Configuring the wireless client (III)

Verifying the configuration

After the user enters the username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN.

You can view the online clients on the page you enter by selecting Summary > Client.

Dynamic WEP encryption-802.1X authentication configuration example

Network requirements
Perform dynamic WEP encryption-802.1X authentication on the client. More specifically:

Use the IMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username as user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is 10.18.1.88.

On the AC, configure the shared key as expert, and configure the AC to remove the domain name of a username before sending it to the RADIUS server. The IP address of the AC is 10.18.1.1.

Figure 313 Network diagram

Configuration procedure
1. Assign an IP address to the AC:
   See "Assign an IP address to the AC."
2. Configure a RADIUS scheme:
   See "Configure a RADIUS scheme."
3. Configure AAA:
   See "Configure AAA."
4. Configure the AP:
   See "Create an AP."
5. Create a wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the service name to dot1x, select the wireless service type crypto, and click Apply.

Figure 314 Creating a wireless service

6. Configure 802.1X authentication:
   After you create a wireless service, the wireless service configuration page appears.
   a. In the Security Setup area, select Open-System from the Authentication Type list.
   b. Select Encryption, and select Enable from the Provide Key Automatically list.
   c. Select the Cipher Suite box, select CCMP from the Cipher Suite list, and select WPA2 from the Security IE list.
   d. Select the Port Set box, and select userlogin-secure-ext from the Port Mode list.
   e. Select system from the Mandatory Domain list.
   f. Select EAP from the Authentication Method list.
   g. Disable Handshake and Multicast Trigger (recommended).
   h. Click Apply.

Figure 315 Security setup

7. Enable the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. On the page that appears, select the dot1x box and click Enable.

Figure 316 Enabling the wireless service

8. Bind an AP radio to the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon corresponding to the wireless service dot1x.
   c. On the page that appears, select the box of the AP with the radio mode 802.11n(2.4GHz) and click Bind.

Figure 317 Binding an AP radio to a wireless service

9. Enable 802.11n(2.4GHz) radio:
   See "Enable 802.11n(2.4GHz) radio."
10. Configure the RADIUS server (IMCv3):
   See "Configuring the RADIUS server (IMCv3)."
11. Configure the RADIUS server (IMC v5):
   See "Configuring the RADIUS server (IMC v5)."

Configuring the wireless client
1. Double-click the wireless network icon at the bottom right corner of your desktop.
2. The Wireless Network Connection Status window appears.
3. Click Properties.
   The Wireless Network window appears.
4. Click Add.
5. Click the Association tab, and enter dot1x in the Network name (SSID) field. Make sure that you have selected The key is provided for me automatically.

Figure 318 Configuring the wireless client (I)

6. On the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
7. In the popup window, clear Validate server certificate, and click Configure.
8. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any), and then click OK.

Figure 319 Configuring the wireless client (II)

Figure 320 Configuring the wireless client (III)

Verifying the configuration

After the user enters the username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN.

You can view the online clients on the page you enter by selecting Summary > Client.


Configuring mesh services


Different from a traditional WLAN, a WLAN mesh network allows wireless connections between APs, making the WLAN more mobile and flexible. Moreover, multi-hop wireless links can be established between APs. From the perspective of end users, a WLAN mesh network is no different from a traditional WLAN.

Mesh overview
Basic concepts in WLAN mesh
Figure 321 Typical WLAN mesh network

As shown in Figure 321, the concepts involved in WLAN mesh are described below.

Access controller (AC): A device that controls and manages all the APs in the WLAN.

Mesh point (MP): A wireless AP that connects to a mesh portal point (MPP) through a wireless connection but cannot have any client attached.

Mesh access point (MAP): An AP providing the mesh service and the access service concurrently.

Mesh portal point (MPP): A wireless AP that connects to an AC through a wired connection.

Mesh link: A wireless link between MPs.

Advantages of WLAN mesh

The WLAN mesh technology allows operators to easily deploy wireless networks anywhere and anytime. WLAN mesh has the following advantages:

High performance/price ratio: In a mesh network, only the MPPs need to connect to a wired network. In this way, the dependency on the wired network is reduced to the minimum extent, and the investment in wired devices, cabling, and installation is greatly reduced.

Excellent scalability: In a mesh network, the APs can automatically discover each other and initiate wireless link setup. To add new APs to the mesh network, you just need to install these new APs and perform the related configurations on them.

Fast deployment: Since only the MPPs need to connect to a wired network, WLAN mesh greatly reduces the network deployment time.

Various application scenarios: The mesh network is applicable to enterprise, office, and campus networks, which are common application scenarios of traditional WLANs, and also applicable to large-sized warehouse, port, MAN, railway transportation, and crisis communication networks.

High reliability: In a traditional WLAN, when the wired upstream link of an AP fails, all clients associated with the AP cannot access the WLAN. Comparatively, in a mesh network, all APs are fully meshed. There are multiple available wireless links for a mesh AP to reach a portal node in the wired network, thus effectively avoiding a single point of failure.

Deployment scenarios
This section covers deployment scenarios of WLAN mesh, which are in two categories: subway networking and normal networking.

Normal WLAN mesh deployment

1. Normal fit MP scenario
   As shown in Figure 322, two mesh networks are controlled by the same AC. At least one MPP in a mesh has wired connectivity with the AC. When an MP comes up, it scans the network and forms temporary connections with all available MPs in its vicinity. Such temporary connections allow the MP to connect to the AC for downloading its configurations. After downloading its configurations from the AC, the MP will establish secure connections with neighbors sharing the same pre-shared key.

Figure 322 Normal fit MP scenario

2. One fit MP with two radios, each on a different mesh
   As shown in Figure 323, to avoid interference between Mesh 1 and Mesh 2, you can configure two radios for an MP, each of which is present in a different mesh network. The only constraint is that both meshes have to be managed by the same AC.

Figure 323 Two radios on different meshes

3. One fit MP with two radios on the same mesh
   As shown in Figure 324, Radio 1 of MP 1 joins the mesh through the MPP. In this case, only Radio 1 can provide access for downstream MPs. Radio 2 cannot automatically access the mesh and provide the mesh service.

Figure 324 Two radios on different meshes

   If an MP supports three radios, you can configure Radio 1 as the uplink interface, Radio 2 as the downlink interface, and Radio 3 as the multi-beam antenna. To utilize the dual-radio resources on MPs, you can establish the network as shown in Figure 325. In such a network, when Radio 1 of MP 1 accesses the mesh, Radio 2 on MP 1 also automatically joins the mesh. In this network, you should apply the same mesh service to both Radio 1 and Radio 2. For more information, see "Tri-radio mesh configuration example."

Figure 325 Two radios on the same mesh

Subway WLAN mesh deployment

A subway is an important means of transport for a modern city. In a subway system, control information must be sent to trains to effectively manage trains and provide various services to customers.
As shown in Figure 326, a subway WLAN mesh solution has fit MPs deployed along the rail, which are managed by the same AC. A train MP (fat AP) continuously scans for new rail MPs (fit APs), and sets up active/dormant links with the rail MPs with the best signal quality. The active mesh link is used for data transmission, and the dormant mesh link acts as the backup link.

Figure 326 Subway deployment of mesh

The subway WLAN mesh deployment is based on the Mobile Link Switch Protocol (MLSP), which is used for high-speed link switching with zero packet loss during train movement. The new IEEE standard 802.11s is adopted as the underlying protocol for link formation and communication between the mobile radio (MR) and the wayside AP. Train MPs are not required to act as authenticators.

WLAN mesh security

A WLAN uses the air as its communication medium, so it is vulnerable to malicious attacks. In a mesh network, a wireless connection passes through multiple hops, which makes a mesh network even more vulnerable to malicious attacks. Therefore, security is an essential part of WLAN mesh networks. Security involves encryption algorithms and the distribution and management of keys. Currently, the PSK + CCMP combination is used for securing mesh networks.

Mobile link switch protocol


At any given time, an active link should be available between a rail MP and a train MP for data
communication. MLSP was developed to create and break links during train movement.
As shown in Figure 327, when the train is moving, it must break the existing active link with rail MP 2 and
create a new active link with another rail MP.


Figure 327 Diagram for MLSP

Active Link: Logical link through which all data communication from/to a train MP happens.

Dormant Link: Logical link over which no data transfer happens, but it satisfies all the criteria for
becoming an active link.

MLSP advantages
MLSP ensures that the link switch time is less than 30 ms.
MLSP works well even if the devices get saturated at a high power level.
MLSP achieves zero packet loss during link switch.

Operation of MLSP
MLSP establishes multiple links at any given time between a train MP and multiple rail MPs to provide link
redundancy, thus ensuring high performance and good robustness for the network.
The following parameters are considered by MLSP for link switch. Based on the deployment, all these
parameters are tunable to achieve the best results.

Link formation RSSI/link hold RSSI: This is the minimum RSSI to allow a link to be formed and held.
Therefore, the minimum RSSI must be ensured at any given point in the tunnel. Otherwise, the error
rate can be very high.

Link switch margin: If the RSSI of the new link is greater than that of the current active link by the
link switch margin, active link switch occurs. This mechanism is used to avoid frequent link switch.

Link hold time: An active link remains up within the link hold time, even if the link switch margin is
reached. This mechanism is used to avoid frequent link switch.

Link saturation RSSI: This is the upper limit of RSSI on the active link. If the value is reached, link
switch occurs.

Formation of dormant links


A train MP performs active scanning to find neighboring rail MPs by sending probe requests at a very
high rate. Based on probe responses received, the train MP forms a neighbor table.
After that, the train MP creates dormant links with rail MPs that have an RSSI value greater than the link
formation RSSI.


Selection of active link

A train MP selects the active link from the dormant links based on the following rules:
1. If no dormant link is available, the active link cannot be formed.
2. Active link switch does not happen within the link hold time, except under the following two conditions:
   Condition 1: The active link RSSI exceeds the link saturation RSSI.
   Condition 2: The active link RSSI is below the link hold RSSI.
3. When the link hold timer expires, if no dormant link has an RSSI greater than the active link RSSI by
   the link switch margin, link switch does not happen.
4. In normal scenarios, active link switch happens when all of the following conditions are met:
   The link hold timer has expired.
   The dormant link's RSSI is higher than the current active link's RSSI by the link switch margin.
   The dormant link's RSSI is not greater than the link saturation RSSI.
5. Once the RSSI of the active and dormant links has gone below the link hold RSSI, the links should be
   broken. However, to ensure service availability in the worst case, if the active link RSSI has gone
   below the link hold RSSI and no dormant links exist, the active link is not broken.
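The five rules above, worked through as a small simulation of one train MP passing several rail MPs. This is an added example, not H3C code or the device's implementation: the class and function names, the threshold values in MlspPolicy and the probe-response trace are all constructed for the demonstration.

```python
"""Simulation of the MLSP active-link selection rules (added example, not H3C code).

RSSI values are in dBm, times in milliseconds. All thresholds and the scan trace
are constructed values chosen to exercise each rule once.
"""
from dataclasses import dataclass, field
from typing import Optional

NO_SIGNAL = -200  # constructed sentinel: the rail MP answered no probe this round


@dataclass
class MlspPolicy:
    """Tunable MLSP parameters of a mesh policy (constructed defaults)."""
    link_hold_rssi: int = -80        # link formation / link hold RSSI
    link_switch_margin: int = 6      # candidate must beat the active link by this much
    link_hold_time_ms: int = 500     # minimum time to hold an active link
    link_saturation_rssi: int = -30  # upper RSSI limit on the active link


@dataclass
class TrainMp:
    policy: MlspPolicy
    active: Optional[str] = None                 # rail MP on the active link
    active_since_ms: int = 0
    dormant: dict = field(default_factory=dict)  # rail MP -> RSSI of its dormant link
    log: list = field(default_factory=list)      # human-readable decisions

    def _switch(self, new_active: str, now_ms: int, why: str) -> str:
        self.log.append(f"{now_ms} ms: {self.active} -> {new_active} ({why})")
        self.active, self.active_since_ms = new_active, now_ms
        self.dormant.pop(new_active, None)
        return self.active

    def scan(self, now_ms: int, probe_rssi: dict) -> Optional[str]:
        """Process one round of probe responses and return the active rail MP."""
        pol = self.policy
        # Dormant links form with every rail MP at or above the link formation RSSI;
        # links that dropped below the link hold RSSI are broken (rule 5).
        self.dormant = {mp: r for mp, r in probe_rssi.items()
                        if mp != self.active and r >= pol.link_hold_rssi}
        # A candidate for the active link must not itself be saturated (rule 4).
        usable = {mp: r for mp, r in self.dormant.items() if r <= pol.link_saturation_rssi}
        best = max(usable, key=usable.get) if usable else None

        if self.active is None:
            # Rule 1: without a dormant link no active link can be formed.
            return self._switch(best, now_ms, "initial selection") if best else None

        active_rssi = probe_rssi.get(self.active, NO_SIGNAL)
        # Rule 5 (and rule 2, condition 2): an active link below the hold RSSI is
        # replaced immediately, but kept when nothing else is available.
        if active_rssi < pol.link_hold_rssi:
            if best is None:
                self.log.append(f"{now_ms} ms: keep {self.active} (weak, no dormant link)")
                return self.active
            return self._switch(best, now_ms, "active link below link hold RSSI")
        # Rule 2, condition 1: saturation forces a switch even inside the hold time.
        if active_rssi > pol.link_saturation_rssi and best is not None:
            return self._switch(best, now_ms, "active link above link saturation RSSI")
        # Rule 2: otherwise nothing changes until the link hold timer expires.
        if now_ms - self.active_since_ms < pol.link_hold_time_ms:
            return self.active
        # Rules 3 and 4: switch only if the best dormant link beats the active one by the margin.
        if best is not None and usable[best] > active_rssi + pol.link_switch_margin:
            return self._switch(best, now_ms, "link switch margin reached after hold time")
        return self.active


# Constructed trace: (time in ms, RSSI of each rail MP that answered the probe).
TRACE = [
    (0,    {"rail1": -60, "rail2": -75}),                 # rail1 becomes active
    (200,  {"rail1": -65, "rail2": -55}),                 # rail2 better, but hold time
    (600,  {"rail1": -70, "rail2": -50}),                 # hold expired, margin met
    (700,  {"rail1": -85, "rail2": -25, "rail3": -62}),   # rail2 saturated -> rail3
    (900,  {"rail2": -40, "rail3": -90}),                 # rail3 below hold RSSI -> rail2
    (1000, {"rail3": -95}),                               # rail2 silent, nothing else: keep
]


def simulate(trace, policy: Optional[MlspPolicy] = None):
    """Run a scan trace; returns the active link after each scan and the final state."""
    mp = TrainMp(policy or MlspPolicy())
    return [mp.scan(t, rssi) for t, rssi in trace], mp


if __name__ == "__main__":
    actives, mp = simulate(TRACE)
    print(actives)  # ['rail1', 'rail1', 'rail2', 'rail3', 'rail2', 'rail2']
    print("\n".join(mp.log))
```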

Mesh network topologies


The mesh feature supports the following three topologies. Mesh is implemented through configuration of
a peer MAC address for each AP. For more information, see "Configuring a peer MAC address."

Point to point connection


In this topology, by configuring the peer MAC address for an AP, you can determine the mesh link to be
formed.
Figure 328 Mesh point to point topology

Point to multi-point connection


In this topology, a centralized bridging device forms wireless links with multiple MPs to bridge data
among multiple LAN segments. As shown below, data transferred between different LAN segments goes
via AP 1.

Figure 329 Mesh point to multi-point topology (labels: AC, AP 1 to AP 5)

Self topology detection and bridging connection


In this topology, MPs automatically detect neighbors and form wireless links to provide wireless
connectivity between LAN segments, as shown in Figure 330. Loops can easily occur in this topology. You
can use mesh routes to selectively block redundant links to eliminate loops, and to back up the links when
the mesh links fail.

Figure 330 Self topology detection and bridging (labels: AC, AP 1 to AP 4)

Configuring mesh service


Configuring mesh service
Creating a mesh service
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab.

Figure 331 Mesh service configuration page

3. Click Add.

Figure 332 Creating a mesh service

4. Configure the mesh service as described in Table 102.
5. Click Apply.

Table 102 Configuration items

Mesh Service Name: Name of the created mesh service.

Configuring a mesh service

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab.
3. Click the icon corresponding to the target mesh service to enter the page for configuring the mesh service.

Figure 333 Configuring mesh service

4. Configure the mesh service as described in Table 103.
5. Click Apply.

Table 103 Configuration items

Mesh Service: Displays the selected mesh service name.

VLAN (Tagged): Enter the ID of the VLAN whose packets are to be sent tagged. VLAN (Tagged) indicates that
the port sends the traffic of the VLAN without removing the VLAN tag.

VLAN (Untagged): Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates
that the port sends the traffic of the VLAN with the VLAN tag removed.

Default VLAN: Set the default VLAN. By default, the default VLAN of all ports is VLAN 1. After you set a new
default VLAN, VLAN 1 is the ID of the VLAN whose packets are to be sent untagged.

Exclude VLAN: Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.

Mesh Route: Enable or disable the mesh route selection algorithm:
  Disable: Disable the mesh route selection algorithm.
  Enable: Enable the mesh route selection algorithm.
  By default, the mesh route selection algorithm is disabled.

Link Keep Alive Interval: Configure the mesh link keep-alive interval.

Link Backhaul Rate: Configure the backhaul radio rate.

Security Configuration:
  Pass Phrase: Enter a pre-shared key in the format of a character string.
  Raw Key: Enter a pre-shared key in the format of hexadecimal digits.
  Pre-shared Key: The pre-shared key, which is a string of 8 to 63 characters, or a valid hexadecimal
  number of 64 bits.

Binding an AP radio to a mesh service

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the icon to enter the page for binding an AP radio to a mesh service.
3. Select the AP radio to be bound.
4. Click Bind.

Figure 334 Binding an AP radio to a mesh service

Enabling a mesh service

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab to enter the mesh service configuration page.

Figure 335 Enabling a mesh service

3. Select the mesh service to be enabled.
4. Click Enable.

Displaying the detailed information of a mesh service

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Service tab to enter the mesh service configuration page.
3. Click a mesh service to see its detailed information.

Figure 336 Mesh service detailed information

Table 104 Field description

Mesh Profile Number: Mesh service number.

Mesh ID: Mesh ID of the mesh service.

Binding Interface: Mesh interface bound to the mesh service.

MKD Service: MKD service status, which can be:
  Enable: Indicates that the MKD service is enabled.
  Disable: Indicates that the MKD service is disabled.

Link Keep Alive Interval: Interval to send keep-alive packets.

Link Backhaul Rate: Link backhaul rate.

Mesh Profile Status: Mesh service status, which can be:
  Enable: Indicates that the mesh service is enabled.
  Disable: Indicates that the mesh service is disabled.

Configuring a mesh policy

Creating a mesh policy
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab to enter the mesh policy configuration page.

Figure 337 Mesh policy configuration page

3. Click Add.

Figure 338 Create a mesh policy

4. Configure the mesh policy as described in Table 105.
5. Click Apply.

Table 105 Configuration items

Mesh Policy Name: Name of the created mesh policy. The created mesh policies use the contents of the
default mesh policy default_mp_plcy.

Configuring a mesh policy

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab.
3. Click the icon corresponding to the target mesh policy to enter the mesh policy configuration page.

Figure 339 Configuring a mesh policy

4. Configure the mesh policy as described in Table 106.
5. Click Apply.

Table 106 Configuration items

Mesh Policy: Displays the name of the created mesh policy.

Link establishment: By default, link initiation is enabled.
  IMPORTANT:
  This feature should be disabled when you configure an MP policy for a rail AP.
  This feature is used on train MPs in subway WLAN mesh deployment.

Minimum time to hold a link: Set the link hold time. An active link remains up within the link hold time,
even if the link switch margin is reached. This mechanism is used to avoid frequent link switch.

Maximum number of links: Set the maximum number of links that an MP can form in a mesh network.
  IMPORTANT:
  When configuring mesh, if the number of mesh links configured on an AP is greater than 2, you need to
  configure the maximum links that an MP can form as needed.

Minimum rssi to hold a link: Set the link formation/link hold RSSI (received signal strength indicator).
This is the minimum RSSI to allow a link to be formed and held. Therefore, the minimum RSSI must be ensured
at any given point in the tunnel. Otherwise, the error rate can be very high.

Minimum margin rssi: Set the link switch margin. If the RSSI of the new link is greater than that of the
current active link by the link switch margin, active link switch happens. This mechanism is used to avoid
frequent link switch.

Maximum rssi to hold a link: Set the link saturation RSSI. This is the upper limit of RSSI on the active
link. If the value is reached, the chipset is saturated and link switch happens.

Interval between probe requests: Set the probe request interval.

Role as authenticator: By default, whether a device plays the role of an authenticator is based on
negotiation results.

ratemode:
  fixed: The rate adopted is a fixed value. It is the maximum rate of the current radio.
  realtime: The rate adopted changes with the link quality, that is, the rate changes with the RSSI of
  the current radio.
  The fixed mode is adopted by default.

MLSP: The Mobile Link Switch Protocol (MLSP) implements high-speed link switch with zero packet loss during
train movement. It is applicable to subway WLAN mesh deployment only.

Proxy MAC Address: Select the Proxy MAC Address option to specify the MAC address of the peer device.

Proxy VLAN: VLAN ID of the peer device.

Binding an AP radio to a mesh policy

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab.
3. Click the button corresponding to the target mesh policy.
4. Select the AP radio to be bound.
5. Click Bind.

Displaying the detailed information of a mesh policy

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Policy tab to enter the mesh policy configuration page.
3. Click a mesh policy to see its detailed information.

Figure 340 Mesh policy detailed information

Table 107 Field description

MP Policy Name: Name of the mesh policy.

Mesh Link Initiation: Whether link initiation is enabled or not.

Mlsp: Mobile Link Switch Protocol (MLSP) status, which can be:
  Enable: Indicates that MLSP is enabled.
  Disable: Indicates that MLSP is disabled.

Authenticator Role: Authenticator role status, which can be:
  Enable: Indicates that the authenticator role is enabled.
  Disable: Indicates that the authenticator role is disabled.

Max Links: Maximum number of links on a device using this mesh policy.

Probe Request Interval (ms): Interval between probe requests sent by a device using this mesh policy.

Link Hold RSSI: Link hold RSSI.

Link Hold Time (ms): Link hold time.

Link Switch Margin: Link switch margin.

Link saturation RSSI: Link saturation RSSI.

Link rate-mode: Method of calculating the link cost, which can be:
  Fixed: Indicates that the mesh interface rate is fixed.
  real-time: Indicates that the mesh interface rate changes with the RSSI in real time.

Mesh global setup

Mesh basic setup
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Global Setup tab to enter the mesh global setup page.

Figure 341 Mesh basic setup

3. Configure the basic mesh settings as described in Table 108.
4. Click Apply.

Table 108 Configuration items

MKD-ID: Make sure the MAC address configured is unused and has the correct vendor specific part. The MAC
address of an AC should not be configured as the MKD ID.

Dynamic Channel Select:
  Manual: Select one-time dynamic channel selection (DFS) and click Apply to enable it. After manual mode
  is selected, if no mesh network is manually specified when the next calibration interval is reached, the
  AC refreshes the radio information of all mesh networks that it manages, and displays it on the Radio
  Info tab of the Mesh Channel Optimize page. You can view the radio information and select mesh networks
  for which one-time DFS will be performed on the Mesh Channel Optimize tab. After that, if you want the
  AC to perform DFS for the mesh network, you have to make this configuration again.
  Auto: Select auto-DFS and click Apply to enable it. Auto-DFS applies to all mesh networks where the
  working channels of the radios are automatically selected. With auto DFS enabled, an AC makes DFS
  decisions at the calibration interval automatically.
  Close: Close DFS. At the next calibration interval, the radio information and channel switching
  information on the Mesh Channel Optimize page will be cleared.
  By default, DFS for a mesh network is disabled.
  IMPORTANT:
  Before enabling auto or one-time DFS for a mesh network, make sure that auto mode is selected for the
  working channel of radios in the mesh network. For the related configuration, see "Radio configuration."

Enabling mesh portal service

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Global Setup tab to enter the mesh portal service configuration page.

Figure 342 Mesh portal service configuration page

3. Select the AP for which mesh portal service is to be enabled.
4. Click Enable.

Configuring a working channel

You can configure a working channel in one of the following ways:

Manual
1. Select Radio > Radio from the navigation tree.

Figure 343 Radio configuration page

2. On the page that appears, select a specified channel from the Channel list.
3. Click Apply.

NOTE:
Specify a working channel for the radios of the MAP and MPP, and the working channel on the radio of
the MAP should be consistent with that on the MPP.

Auto
Set the working channel mode on the MPP and MAP to auto so that the working channel is automatically
negotiated when a WDS link is established between the MPP and MAP.
NOTE:
If you configure the working channel mode of the radios of the MPP and MAP as auto, the automatically
selected working channel is a non-radar channel.

Enabling radio
1. Select Radio > Radio from the navigation tree to enter the radio setup page.

Figure 344 Enabling radio

2. Select the radio mode to be enabled.
3. Click Enable.

Configuring a peer MAC address

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the icon to enter the page for binding an AP radio to a mesh service.
3. Select the AP radio to be bound, and click the icon to enter the page for configuring a peer MAC address.

Figure 345 Configuring a peer MAC address

4. Configure the peer MAC address as described in Table 109.
5. Click Apply.

Table 109 Configuration items

Peer MAC Address: The mesh feature supports three topologies. For more information, see "Mesh network
topologies." The mesh feature is implemented through configuration of peer MAC addresses for each AP.

cos: Sets the STP cost of the mesh link to the peer. If not configured, the STP cost is automatically
calculated by STP. You can view the cost of the mesh link on the page shown in Figure 345.

Mesh DFS

Displaying radio information
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab to enter the mesh channel optimization page.
3. Click the specified mesh network, and click the Radio Info tab to enter the page shown in Figure 346
   to view radio information.

Figure 346 Displaying radio information

Displaying channel switch information

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab to enter the mesh channel optimization page.
3. Click the mesh network, and then select the Channel Switch Info tab to enter the page shown in
   Figure 347 to view the channel switching information.

Figure 347 Mesh channel switching information

NOTE:
If you select Auto or Close for dynamic channel selection on the Global Setup tab, when you enter the
Mesh Channel Optimize page, the Channel Optimize button is grayed out, meaning you cannot perform the
operation.
If you select manual DFS on the Global Setup tab, select the mesh networks where DFS will be performed,
and then click Channel Optimize to complete DFS. In auto mode, DFS is performed at the calibration
interval; in manual mode, DFS is performed once.

Table 110 Field description

AP: AP name in the mesh network.

Radio: Radio of the AP.

Chl(After/Before): Channels before and after channel optimization.

Date(yyyy-mm-dd): Date, in the format yyyy-mm-dd.

Time(hh:mm:ss): Time, in the format hh:mm:ss.

Displaying the mesh link status

Mesh link monitoring
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Link Info tab to enter the mesh link monitoring page.

Figure 348 Displaying the mesh link monitoring information

You can monitor the mesh link status in real time on the mesh link monitoring page.

Mesh link test

1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Link Test tab to enter the mesh link test page.

Figure 349 Displaying mesh link test information

3. Select the box of the target AP.
4. Click Begin.

Normal WLAN mesh configuration example

Network requirements
As shown in the figure below, establish a mesh link between the MAP and the MPP. Configure 802.11g on
the MAP so that the client can access the network.
1. Establish a mesh link between the MPP and the MAP by following these steps:
   Configure MAP and MPP: Select AP > AP Setup from the navigation tree, and click Add to configure the
   MAP and MPP. For more information, see "Create an MAP and MPP."
   Configure mesh service: After creating a mesh service and configuring a pre-shared key, you can bind
   the mesh service to the AP and enable the mesh service. For more information, see "Create a mesh service."
   Configure a mesh policy: A mesh policy exists by default. You can create a mesh policy and bind the
   mesh policy to an AP. For more information, see "(Optional) Configure a mesh policy."
   Mesh global setup: Configure an MKD-ID (which exists by default), and enable mesh portal service for
   the MPP. For more information, see "Configure mesh service globally."
   Configure the same working channel, and enable the radio. For more information, see "Configure the
   same working channel and enable the radio on the MAP and MPP."
2. Configure 802.11g service on the MAP to enable the client to access the WLAN network. For more
   information, see "Wireless service configuration example."

Figure 350 Network diagram (labels: AC, MPP, 802.11a mesh link, MAP, 802.11g, Client)

Configuring the AC
1. Create an MAP and MPP:
   a. Select AP > AP Setup from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the AP name to map, select the AP model WA2620-AGN, select the
      serial ID manual, enter the AP serial ID, and click Apply.

Figure 351 AP setup

   d. Configure the MPP by following the same steps.
2. Create a mesh service:
   a. Select Wireless Service > Mesh Service from the navigation tree.
   b. Click the Mesh Service tab.
   c. Click Add.

Figure 352 Creating a mesh service

   d. On the page that appears, set the mesh service name to outdoor and click Apply. After completing
      mesh service configuration, you enter the page shown in Figure 353.

Figure 353 Configuring a pre-shared key

   e. Select Pass Phrase, and set the pre-shared key to 12345678.
   f. Click Apply.
3. Bind an AP radio to the mesh service:
   a. Select Wireless Service > Mesh Service from the navigation tree.
   b. Click the icon corresponding to the mesh service outdoor to enter the page for binding an AP radio
      to a mesh service.
   c. Select the AP radios to be bound.
   d. Click Bind.

Figure 354 Binding an AP radio to a mesh service

4. Enable the mesh service:
   a. Select Wireless Service > Mesh Service from the navigation tree.

Figure 355 Enabling the mesh service

   b. Select the mesh service to be enabled.
   c. Click Enable.
5. (Optional) Configure a mesh policy (by default, the default mesh policy default_mp_plcy already
   exists).

NOTE:
A mesh policy exists by default. You can create a mesh policy and bind the mesh policy to an AP as
needed. By default, the default_mp_plcy mesh policy is mapped to an AP.

6. Configure mesh service globally:
   a. (Optional) Select Wireless Service > Mesh Service from the navigation tree, and click the Global
      Setup tab to enter the mesh global setup page to set the MKD-ID (by default, the MKD-ID exists).
   b. Select the MPP that has wired connectivity with the AC to enable mesh portal service.
   c. Click Enable.

Figure 356 Mesh portal service configuration page

7. Configure the same working channel and enable the radio on the MAP and MPP:
   a. Select Radio > Radio from the navigation tree.
   b. Click the icon corresponding to the target MAP to enter the radio setup page.

Figure 357 Configuring the working channel

   c. Select the channel to be used from the Channel list.
   d. Click Apply.
   You can follow this step to configure the working channel for the MPP. Note that the working channel
   of the radio on the MPP must be the same as that on the MAP.
8. Enable radio:
   a. Select Radio > Radio from the navigation tree.
   b. Select the radio modes to be enabled for the MAP and MPP.
   c. Click Enable.

Figure 358 Enabling radio

Verifying the configuration

The mesh link between the MAP and the MPP has been established, and they can ping each other.

After 802.11n(2.4GHz) is configured on the MAP, the client can access the network through the mesh link.

Subway WLAN mesh configuration example

Network requirements

As shown in Figure 359, all rail MPs are connected to an AC.

Configure WLAN mesh so that the train MP forms links with rail MPs during movement; among them, one link
is the active link and all others are dormant links.

Subway WLAN mesh configuration is basically the same as normal WLAN mesh configuration. Note the
following guidelines when you configure subway WLAN mesh:
1. Create a rail AP mesh policy:
   Disable the link initiation function. For more information, see "Configuring a mesh policy."
   Enable mesh portal service. For more information, see "Enabling mesh portal service."
2. Create a train AP mesh policy:
   Enable MLSP.
   Configure the MLSP proxy MAC address and VLAN information.
   Disable Role as authenticator. For more information, see "Configuring a mesh policy."
   Set the value of maximum links that an MP can form in a mesh network (the default value is 2).
   For more information, see "Configuring a mesh policy."

Figure 359 Network diagram

Configuring the AC
Subway mesh configuration differs from normal WLAN mesh configuration in the mesh policy
configuration of rail APs and train APs. Other configurations are the same. For more information, see
"Configuring the AC."

Mesh point-to-multipoint configuration example

Network requirements
AP 1 operates as an MPP to establish a mesh link with AP 2, AP 3, AP 4, and AP 5 respectively.
The mesh configuration is the same as the normal WLAN mesh configuration.

Figure 360 Network diagram (labels: AC, AP 1 to AP 5)

Configuration considerations

Configure a peer MAC address for each radio interface. Configure the MAC addresses of AP 2
through AP 5 on AP 1, and configure the MAC address of AP 1 on AP 2 through AP 5.

Set the value of maximum links that an MP can form in a mesh network (the default value is 2; it
should be set to 4 in this example). For more information, see "Configuring a mesh policy."

Configuring the AC
Mesh configuration is the same as normal WLAN mesh configuration. For more information, see
"Configuring the AC."

Tri-radio mesh configuration example

Network requirements
As shown in Figure 361, set up mesh links between the MPs and the MPP, and use the radio resources so
that Radio 1 of the MPP, Radio 1 and Radio 2 of MP 1, and Radio 1 of MP 2 join the same mesh, while
Radio 3 is used as the multi-beam antenna that provides the wireless access service.

Figure 361 Network diagram

Configuration considerations
1. Configure the mesh service:
   The mesh configuration here is similar to a common wireless mesh configuration. Pay attention to
   the following points:
   Radios joining the same mesh must use the same mesh service. Thus, bind Radio 1 of the MPP,
   Radio 1 and Radio 2 of MP 1, and Radio 1 of MP 2 to the same mesh service.

Figure 362 Binding radios to the mesh service

   On Radio 1 of the MPP, configure Radio 1 of MP 1 as the peer MAC address. Similarly, configure
   Radio 1 of the MPP as the peer MAC address on MP 1. Perform the same operation for Radio 2 of MP 1
   and Radio 1 of MP 2.
2. Configure the access service:
   As the multi-beam antenna, Radio 3 provides the wireless access service. For more information, see
   "Wireless service configuration example." You can strictly follow the configuration example to
   configure the access service.

Configuration procedure
The mesh configuration here is similar to a common wireless mesh configuration. For more information,
see "Configuring the AC."

Mesh DFS configuration example

Network requirements

As shown in Figure 363, establish an 802.11a mesh link between the MAP and MPP. The working channel is
automatically selected.

Enable one-time DFS. After that, the AC performs DFS for the radios when certain trigger conditions are
met on the channel.

Figure 363 Network diagram

Configuration considerations
The mesh configuration in this example is similar to a common wireless mesh configuration. Note the
following guidelines:

Configure the working channel mode of the radios that provide mesh services as auto.

Do not configure any wireless service on radios that provide mesh services.

Configuration procedure
The mesh configuration is the same as the normal WLAN mesh configuration. For configuration
procedures, see "Normal WLAN mesh configuration example." Perform the following operations after
completing mesh configuration:
1. (Optional) Set a calibration interval:
   a. Select Radio > Calibration from the navigation tree.
   b. Click the Parameters tab.
   c. On the page that appears, enter the calibration interval 3 and click OK.

Figure 364 Mesh calibration interval

2. Configure mesh DFS:
   a. Select Wireless Service > Mesh Service from the navigation tree.
   b. Click the Global Setup tab.
   c. On the page that appears, select the Manual box for Dynamic Channel Select.
   d. Click OK.

Figure 365 DFS

3. Enable one-time DFS for the mesh network:
   a. Select Wireless Service > Mesh Service from the navigation tree.
   b. Click the Mesh Channel Optimize tab.
   c. Select the outdoor mesh network.
   d. Click Channel Optimize.

Figure 366 One-time mesh DFS

Verifying the configuration

After the next calibration interval, you can view the channel switching information:
1. Select Wireless Service > Mesh Service from the navigation tree.
2. Click the Mesh Channel Optimize tab.
3. Click the Channel Info tab.
4. Select the target mesh network to display the radio information.

Figure 367 Displaying mesh channel switching information

WLAN roaming configuration

The Inter AC Tunneling Protocol (IACTP) is a proprietary protocol of H3C which defines how access
controllers (ACs) communicate with each other. IACTP provides a generic packet encapsulation and
transport mechanism between ACs to provide secure AC-AC communications based on the standard TCP
client/server model.
A mobility group is a group of ACs that communicate with each other using IACTP. A maximum of 8 ACs can
be present in a mobility group in the current version. Formation and maintenance of a mobility group is
done using IACTP.
IACTP provides a control tunnel for applications such as roaming to share and exchange messages. It also
provides a data tunnel to encapsulate data packets to be transported between ACs. It can be used either
with IPv4 or with IPv6.
Whenever a station supporting key caching associates to any of the ACs in a mobility group (which would
be its Home-AC (HA)) for the first time, it goes through 802.1X authentication followed by 802.11 key
exchange. The station information is synchronized across the ACs in the mobility group before the station
roams within an AC or across ACs. When this station roams to another AC in the mobility group (which
would be its Foreign-AC (FA)), the station information is used to fast authenticate the station by
skipping 802.1X authentication and performing only the 802.11 key exchange, which provides seamless
roaming within the mobility group.

Configuring WLAN roaming

Configuring a roaming group
NOTE:
Roaming group configuration is available only for inter-AC roaming. For the configuration example of
inter-AC roaming, see "Inter-AC roaming configuration example."
1. Select Roam > Roam Group from the navigation tree.

Figure 368 Configuring a roaming group

2. Configure a roaming group as described in Table 111.
3. Click Apply.

Table 111 Configuration items

Service status:
  enable: Enable the IACTP service.
  disable: Disable the IACTP service.

IP type: Select IPv4 or IPv6.

Source address: Source address of the IACTP protocol.

Auth mode: MD5: Select the MD5 authentication mode. This item is optional. The integrity of control
messages can be verified when the MD5 authentication mode is selected. The sender (an AC) calculates a
digest based on the content of a control message. On receiving such a message, the receiver (another AC in
the roaming group) calculates the digest again and compares it against the digest present in the message
to verify the integrity of the packet received. If the digests are the same, the packet has not been
tampered with.

Auth key: MD5 authentication key. If you select the MD5 authentication mode, you need to input an
authentication key.
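The sender/receiver digest check described for the Auth mode item, illustrated for two ACs of one roaming group. This is an added example, not H3C code: the IACTP message layout is not given on this page, so the framing used here (digest = MD5 over the Auth key followed by the message body, appended to the body) and all message and key values are constructed assumptions.

```python
"""Illustration of the IACTP MD5 authentication mode (added example, not H3C code).

Assumed framing: message = body || MD5(auth_key || body). The real IACTP layout is
not on this page; only the sender-computes / receiver-recomputes flow is the page's.
"""
import hashlib
import hmac

DIGEST_LEN = 16  # length in bytes of an MD5 digest


def seal(auth_key: bytes, body: bytes) -> bytes:
    """Sender AC: append the digest of key + body to the control message body."""
    return body + hashlib.md5(auth_key + body).digest()


def verify(auth_key: bytes, message: bytes) -> bool:
    """Receiver AC: recompute the digest over the carried body and compare it,
    in constant time, with the digest carried at the end of the message."""
    if len(message) <= DIGEST_LEN:          # no body, or no room for a digest
        return False
    body, carried = message[:-DIGEST_LEN], message[-DIGEST_LEN:]
    expected = hashlib.md5(auth_key + body).digest()
    return hmac.compare_digest(expected, carried)


def roaming_group_demo() -> dict:
    """Control message from a home AC to a peer AC in the same roaming group.
    Every value here is constructed for the demonstration."""
    group_key = b"roamgroup-key-01"                  # Auth key shared by the group
    body = b"IACTP STA-SYNC sta=aabb-ccdd-eeff vlan=1"  # constructed message body
    message = seal(group_key, body)
    # Alter one field of the body in transit, leaving the carried digest intact.
    tampered = message[:len(body)].replace(b"vlan=1", b"vlan=2") + message[len(body):]
    return {
        # peer configured with the same Auth key accepts the message
        "peer_accepts": verify(group_key, message),
        # an AC configured with a different Auth key rejects it
        "wrong_key_accepts": verify(b"roamgroup-key-02", message),
        # a modified body no longer matches the carried digest
        "tampered_accepts": verify(group_key, tampered),
        # a message cut down to nothing but a digest is rejected outright
        "truncated_accepts": verify(group_key, message[:DIGEST_LEN]),
    }


if __name__ == "__main__":
    for outcome, accepted in roaming_group_demo().items():
        print(f"{outcome}: {accepted}")
```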

Adding a group member

1. Select Roam > Roam Group from the navigation tree.

Figure 369 Adding a group member

2. Add a group member as described in Table 112.
3. Click Add.
4. Click Apply.

Table 112 Configuration items

IP address: Add the IP address of an AC to a roaming group.
  IMPORTANT:
  When you configure a roaming group, the roaming group name configured for the ACs in the same roaming
  group must be the same.

VLAN: Configure the VLAN to which the roaming group member belongs. This configuration item is optional.

NOTE:
The user profile configurations of the ACs in a roaming group must be the same. For more information,
see "User configuration."
The ACs in a roaming group cannot be configured as hot backup ACs.

Displaying client information
1. Select Roam > Roam Client from the navigation tree.
Figure 370 Displaying client information

By clicking a target client, you can view the detailed information and roaming information of the client.
The detailed information and roaming information of a client you can view by selecting Roam > Client
Information are the same as those you can view by selecting Summary > Client. For the related
information, see "Summary."

WLAN roaming configuration examples


Intra-AC roaming configuration example
Network requirements
As shown in Figure 371, an AC has two APs associated and all of them are in VLAN 1. A client is
associated with AP 1. Configure intra-AC roaming so that the client can associate with AP 2 when
roaming to AP 2.


Figure 371 Network diagram (RADIUS server, AC, L2 switch, AP 1 with BSSID 000f-e27b-3d90 and AP 2 with BSSID 000f-e233-5500, all in VLAN 1; the client roams from AP 1 to AP 2)

Configuring the AC
NOTE:
If remote authentication is required in the authentication mode you select, configure the RADIUS server.
For how to configure the RADIUS server, see "AAA configuration."
1. Create two APs:
   a. Select AP > AP Setup from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the AP name to ap1, select the AP model WA2620-AGN, select manual from the Serial ID list, enter the serial ID of the AP, and click Apply.
   d. Follow the same steps to create the other AP.
2. Configure wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. On the page that appears, set the service name to Roam, and click Apply.

NOTE:
For how to configure the authentication mode, see "Access service configuration." However, fast roaming
can be implemented only when the RSN+802.1X authentication mode is adopted.
3. Enable wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Select the Roam box.
   c. Click Enable.
4. Bind AP radios to the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click the icon corresponding to the wireless service Roam to enter the page for binding AP radios.
   c. Select the box before ap1 with radio type 802.11n(2.4GHz), and the box before ap2 with radio type 802.11n(2.4GHz).
   d. Click Bind.
Figure 372 Binding AP radios

5. Enable dot11g radio:
   a. Select Radio > Radio Setup from the navigation tree.
   b. On the page that appears, select the box before ap1 with the radio mode 802.11n(2.4GHz), and select the box before ap2 with the radio mode 802.11n(2.4GHz).
   c. Click Enable.

Figure 373 Enabling radio

Verifying the configuration
1. Display the roaming information of the client:
   a. Select Summary > Client from the navigation tree.
   b. Select the Roam Information tab.
   c. Click the desired client to view the roaming information of the client.
      From the roaming information, you can see that the client accesses the WLAN through AP 1, and the BSSID of AP 1 is 000f-e27b-3d90 (see Figure 374).
Figure 374 Client status before intra-AC roaming
   d. Click Refresh.
      On the page that appears, you can see that the client is connected to the WLAN through AP 2, and the BSSID of AP 2 is 000f-e233-5500.
Figure 375 Client status after intra-AC roaming

2. View the Roam Status field:
   a. Select Summary > Client from the navigation tree.
   b. Click the Detail Information tab.
   c. Click the desired client.
      You can see that Intra-AC roam association is displayed in the Roam Status field.

Figure 376 Verifying intra-AC roaming

Configuration guidelines
When you configure intra-AC roaming, the SSIDs of the two APs must be the same. The same wireless
service must be bound to the radios of the two APs in Bind AP radios to the wireless service.

Inter-AC roaming configuration example


Network requirements
As shown in Figure 377, two ACs, each connected to an AP, are connected through a Layer 2 switch. Both ACs are in the same network. The IP address of AC 1 is 192.168.1.100 and that of AC 2 is 192.168.1.101. A client associates with AP 1.
Configure inter-AC roaming so that the client can associate with AP 2 when roaming to it.


Figure 377 Network diagram

Configuring AC 1 and AC 2
NOTE:
If remote authentication is required in the authentication mode you select, configure the RADIUS server.
For how to configure the RADIUS server, see "AAA configuration."
1. Establish AC-AP connections:
   Configure AC 1 and AC 2 so that a connection can be established between AP 1 and AC 1, and between AP 2 and AC 2. Only after the connections are established can you see that the two APs are in the running status. To view the AP status, select Summary > AP or AP > AP Setup.
   For the related configuration, see "Access service configuration."

NOTE:
For the configuration of authentication mode, see "Access service configuration." Fast roaming
supporting key caching can be implemented only when RSN+802.1X authentication is adopted.
2. Configure a roaming group:
   a. Select Roam > Roam Group from the navigation tree.
   b. On the page that appears, select enable from the Service status list, select IPv4 from the IP Type list, enter 192.168.1.100 (the IP address of AC 1) for Source address, enter the IP address of AC 2 in the member list, and click Add.
   c. Click Apply.
Figure 378 Configuring a roaming group on AC 1
   d. Create a roaming group on AC 2. The source address is the IP address of AC 2, and the member address is the IP address of AC 1. (Details not shown.)

Verifying the configuration
1. Verify the status of the roaming group:
   a. On AC 1, select Roam > Roam Group from the navigation tree, and you can see that the group member 192.168.1.101 is in Run state.
Figure 379 Verifying the roaming group state
   b. On AC 2, select Roam > Roam Group from the navigation tree, and you can see that the group member 192.168.1.100 is in Run state.
Figure 380 Verifying the roaming group state
2. Display the client information:
   a. After the client roams from AP 1 to AP 2, select Roam > Roam Client on AC 1.
      You can see that the client roams out of 192.168.1.100.
Figure 381 Viewing client information
   b. Select Roam > Roam Client on AC 2.
      You can see that the client roams in to 192.168.1.100.


3. View connection information about the client that is associated with the AP, and the Roam Status field in the client detailed information:
   a. Before roaming, select Summary > Client from the navigation tree on AC 1.
      You can see that the client is associated with AP 1.
   b. After roaming, select Summary > Client from the navigation tree on AC 1.
      The client has roamed from AP 1 to AP 2, so no client information is displayed on the page.
   c. Select Summary > Client from the navigation tree on AC 2.
      You can view the client information.
   d. Select the Detail Information tab, and then click the desired client.
      You will see that Inter-AC roam association is displayed in the Roam Status field, which indicates that the client has roamed to AP 2.
Figure 382 Verifying inter-AC roaming

4. View the BSSID field:
   a. Before roaming, select Summary > Client from the navigation tree on AC 1, select the Detail Information tab, and click the desired client to view the roaming information of the client.
      The roaming information in Figure 383 shows that the client connects to the WLAN through AP 1, and the BSSID of AP 1 is 000f-e27b-3d90.
Figure 383 Client status before inter-AC roaming
   b. Select Summary > Client from the navigation tree on AC 2, select the Detail Information tab, and click the desired client to view the roaming information of the client.
      The roaming information in Figure 384 shows that the client connects to the WLAN through AP 2, and the BSSID of AP 2 is 000f-e233-5500.
Figure 384 Client status after inter-AC roaming

Configuration guidelines
Follow these guidelines when you configure inter-AC roaming:
• The SSIDs and the authentication and encryption modes of the two APs should be the same.
• A roaming group must be configured on both ACs.
• Do not configure the ACs in a roaming group as AC backup.

Radio configuration
Radio overview
Radio frequency (RF) refers to electrical signals that can be transmitted through space over long distances.
802.11b/g in the IEEE 802.11 standards operates at the 2.4 GHz band, 802.11a operates at the 5 GHz
band, and 802.11n operates at both the 2.4 GHz and 5 GHz bands. Radio frequency is allocated in
bands, each of which corresponds to a range of frequencies.

WLAN RRM overview


Radio signals are susceptible to surrounding interference. The causes of radio signal attenuation in different directions are very complex, so you need to make careful plans before deploying a WLAN network. After WLAN deployment, the running parameters must still be adjusted, because the radio environment varies constantly due to interference from mobile obstacles, microwave ovens, and so on. To adapt to environment changes, radio resources such as working channels and transmit power should be dynamically adjusted. Such adjustments are complex and require experienced personnel to implement regularly, which brings high maintenance costs.
WLAN radio resource management (RRM) is a scalable radio resource management solution. Through information collection (APs collect radio environment information in real time), information analysis (the AC analyzes the collected information), decision-making (the AC makes radio resource adjustment configuration according to the analysis results), and implementation (APs implement the configuration made by the AC for radio resource optimization), WLAN RRM delivers a real-time, intelligent, integrated radio resource management solution, which enables a WLAN network to quickly adapt to radio environment changes and ensures optimal communication quality.

Dynamic frequency selection


A WLAN has limited working channels, so channel overlapping can easily occur. In addition, other radio sources such as radar and microwave ovens may interfere with the operation of APs. Dynamic frequency selection (DFS) can solve these problems.
With DFS, the AC selects an optimal channel for each AP in real time to avoid co-channel interference and interference from other radio sources.
The following conditions determine DFS:
• Error code rate: physical layer error code and CRC errors.
• Interference: influence of 802.11 and non-802.11 wireless signals on wireless services.
• Retransmission: APs retransmit data if they do not receive ACK messages from the AC.
• Radar signal detected on a working channel: the AC immediately notifies the AP to change its working channel.
If the first three conditions are met, the AC calculates the channel quality. The AP does not use the new channel until the channel quality difference between the new and old channels exceeds the tolerance level.
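The DFS decision just described, together with the CRC error, interference and tolerance thresholds set under Radio > Calibration (Table 120), as added example code that is not H3C's implementation (the quality score, the threshold values and the sample measurements are constructed assumptions):

```python
from dataclasses import dataclass

# Added example, not H3C code: a model of the DFS decision described above.
# The guide does not document how the AC scores channel quality, so the
# quality formula, the default threshold values and the sample measurements
# are constructed assumptions. The thresholds correspond to the CRC Error
# Threshold, Channel Interference Threshold and Tolerance Factor items under
# Radio > Calibration.


@dataclass(frozen=True)
class ChannelStats:
    channel: int
    crc_error_pct: float       # physical layer / CRC error rate, percent
    interference_pct: float    # 802.11 and non-802.11 interference, percent
    retransmission_pct: float  # retransmitted frames, percent
    radar_detected: bool = False


@dataclass(frozen=True)
class DfsPolicy:
    crc_error_threshold: float = 20.0     # percent (assumed value)
    interference_threshold: float = 50.0  # percent (assumed value)
    tolerance_factor: float = 10.0        # minimum quality gain to switch


def channel_quality(stats: ChannelStats) -> float:
    """Assumed score, 0 to 100, higher is better: weighted impairments
    subtracted from a perfect channel."""
    penalty = (0.4 * stats.crc_error_pct
               + 0.4 * stats.interference_pct
               + 0.2 * stats.retransmission_pct)
    return max(0.0, 100.0 - penalty)


def dfs_triggered(stats: ChannelStats, policy: DfsPolicy) -> bool:
    """DFS evaluates a new channel when either threshold is exceeded."""
    return (stats.crc_error_pct > policy.crc_error_threshold
            or stats.interference_pct > policy.interference_threshold)


def select_channel(current: ChannelStats, candidates, policy: DfsPolicy,
                   locked: bool = False) -> int:
    """Channel the AP should use after this calibration interval."""
    if not candidates:
        return current.channel
    best = max(candidates, key=channel_quality)
    if current.radar_detected:
        # Radar on the working channel: leave it immediately, locked or not.
        return best.channel
    if locked or not dfs_triggered(current, policy):
        return current.channel
    # Apply the new channel only when it beats the current one by more
    # than the tolerance factor, which avoids flapping between channels.
    if channel_quality(best) - channel_quality(current) > policy.tolerance_factor:
        return best.channel
    return current.channel


if __name__ == "__main__":
    # Constructed measurements for one calibration interval.
    current = ChannelStats(6, crc_error_pct=25.0, interference_pct=30.0,
                           retransmission_pct=10.0)
    candidates = [ChannelStats(1, 5.0, 10.0, 5.0), ChannelStats(11, 20.0, 25.0, 8.0)]
    print("next channel:", select_channel(current, candidates, DfsPolicy()))
```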


Figure 385 Dynamic channel adjustment

Transmit power control


Traditionally, an AP uses the maximum power to cover an area as large as possible. This method,
however, affects the operation of surrounding wireless devices. Transmit power control (TPC) is used to
select a proper transmission power for each AP to satisfy both coverage and usage requirements.
Whether the transmission power of an AP is increased or decreased is determined by these factors: the
maximum number of neighbors (detected neighbors that are managed by the same AC), the neighbor
AP that performs power detection, and the power adjustment threshold.
NOTE:
You cannot configure the neighbor AP that performs power detection and the power adjustment threshold
on the web interface.
As shown in Figure 386, APs 1, 2 and 3 cover an area. When AP 4 joins, the default maximum neighbor number 3 (configurable) is reached. Then, the APs perform power adjustment. The figure shows that they all reduce their transmit power.


Figure 386 Power reduction

As shown in Figure 387, when AP 3 fails or goes offline, the other APs increase their transmission power
to cover the signal blackhole.


Figure 387 Power increasing

Radio setup
Configuring radio parameters
1. Select Radio > Radio from the navigation tree.
2. Click the icon of the desired AP to enter the page for AP radio setup.

Figure 388 Radio setup

3. Configure the radio as described in Table 113.

Table 113 Configuration items

AP Name
  Displays the selected AP.

Radio Unit
  Displays the selected AP's radios.

Radio Mode
  Displays the selected AP's radio mode.

Transmit Power
  Maximum radio transmit power, which varies with country codes, channels, AP models, radio modes and antenna types. If you adopt the 802.11n mode, the maximum transmit power of the radio also depends on the bandwidth mode.

Channel
  Specify the working channel of the radio, which varies with radio types and country codes. The working channel list varies with device models.
  auto: The working channel is automatically selected. If you select this mode, the AP checks the channel quality in the WLAN network and selects the channel of the best quality as its working channel.
  If you modify the working channel configuration, the transmit power is automatically adjusted.

802.11n bandwidth mode
  The option is available only when the AP supports 802.11n.
  802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately, with one acting as the primary channel and the other acting as the secondary channel, or work together as a 40-MHz channel. This provides a simple way of doubling the data rate.
  By default, the channel bandwidth of the 802.11n radio (5 GHz) is 40 MHz, and that of the 802.11n radio (2.4 GHz) is 20 MHz.
  IMPORTANT:
  If the channel bandwidth of the radio is set to 40 MHz, a 40 MHz channel is used as the working channel. If no 40 MHz channel is available, a 20 MHz channel is used. For the specifications, see IEEE P802.11n D2.00.
  If you modify the bandwidth mode configuration, the transmit power is automatically adjusted.

client dot11n-only
  If you select the client dot11n-only option, non-802.11n clients are prohibited from access. If you want to provide access for all 802.11a/b/g clients, you must disable this function.

A-MSDU
  Select the A-MSDU option to enable A-MSDU.
  Multiple MAC Service Data Units (MSDUs) can be aggregated into a single A-MSDU. This reduces the MAC header overhead and thus improves MAC layer forwarding efficiency.
  At present, only A-MSDUs can be received.
  IMPORTANT:
  When 802.11n radios are used in a mesh WLAN, ensure that they have the same A-MSDU configuration.

A-MPDU
  Select the A-MPDU option to enable A-MPDU.
  802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple MAC Protocol Data Units (MPDUs) which have their PHY headers removed. This reduces the overhead in transmission and the number of ACK frames to be used, and thus improves network throughput.
  IMPORTANT:
  When 802.11n radios are used in a mesh WLAN, ensure that they have the same A-MPDU configuration.

short GI
  Select short GI to enable short GI.
  The 802.11a/g GI is 800 ns. You can configure a short GI of 400 ns for 802.11n. The short GI increases the throughput by 10 percent.

4. Expand Advanced Setup.

Figure 389 Radio setup (advanced setup)


5. Configure the radio as described in Table 114.
6. Click Apply.

Table 114 Configuration items

Preamble
  A preamble is a pattern of bits at the beginning of a frame so that the receiver can sync up and be ready for the real data.
  Short preamble: A short preamble improves network performance. Therefore, this option is always selected.
  Long preamble: A long preamble ensures compatibility between the access point and some legacy client devices. Therefore, you can select this option to support legacy client devices that cannot use a short preamble.
  802.11a/802.11n (5 GHz) do not support this configuration.

Transmit Distance
  Maximum coverage of a radio.

ANI
  Adaptive Noise Immunity (ANI). After the ANI function is enabled, the device automatically adjusts the noise immunity level according to the surrounding signal environment to eliminate RF interference.
  Enable: Enable ANI.
  Disable: Disable ANI.

Client Max Count
  Maximum number of clients that can be associated with one radio.

Fragment Threshold
  Specify the maximum length of frames that can be transmitted without fragmentation. When the length of a frame exceeds the specified fragment threshold value, it is fragmented.
  • In a wireless network where the error rate is high, you can decrease the fragment threshold by a rational value. In this way, when a fragment of a frame is not received, only this fragment rather than the whole frame needs to be retransmitted, and thus the throughput of the wireless network is improved.
  • In a wireless network where no collision occurs, you can increase the fragment threshold by a rational value to decrease acknowledgement packets and thus increase network throughput.

Beacon Interval
  Interval for sending beacon frames. Beacon frames are transmitted at a regular interval to allow mobile clients to join the network. Beacon frames are used by a client to identify nearby APs or network control devices.

RTS (CTS)
  There are two data collision avoidance mechanisms, RTS/CTS and CTS-to-self.
  • RTS/CTS: In this mode, an AP sends an RTS packet before sending data to a client. After receiving the RTS packet, all the devices within the coverage of the AP will not send data within the specified time. Upon receiving the RTS packet, the client sends a CTS packet, ensuring that all the devices within the coverage of the client will not send data within the specified time. The RTS/CTS mechanism requires two frames to implement data collision avoidance, and thus has a higher cost.
  • CTS-to-Self: In this mode, an AP uses its IP address to send a CTS packet before sending data to a client, ensuring that all the devices within the coverage of the AP will not send data within the specified time. The CTS-to-Self mechanism uses only one frame to avoid data collision. However, if another device is in the coverage of the client but not in the coverage of the AP, data collision may still occur.
  Compared with RTS/CTS, CTS-to-Self reduces the number of control frames. However, data collisions still occur when some clients are hidden and thus cannot receive the CTS frames sent by the AP. Therefore, the RTS/CTS mechanism can solve the data collision problem in a larger coverage than CTS-to-Self.
  If a frame is larger than the RTS (CTS) threshold, the data collision avoidance mechanism is used.

RTS (CTS) Threshold
  A smaller RTS/CTS threshold causes RTS/CTS packets to be sent more often, thus consuming more bandwidth. However, the more often RTS/CTS packets are sent, the quicker the system can recover from collisions.
  In a high-density WLAN, you can decrease the RTS threshold to reduce collisions in the network.
  IMPORTANT:
  The data collision avoidance mechanism occupies bandwidth. Therefore, this mechanism applies only to data frames larger than the RTS/CTS threshold.

DTIM Period
  Number of beacon intervals between delivery traffic indication message (DTIM) transmissions. The AP sends buffered broadcast/multicast frames when the DTIM counter reaches 0.

Long Retry Threshold
  Number of retransmission attempts for unicast frames larger than the RTS/CTS threshold.

Short Retry Threshold
  Number of retransmission attempts for unicast frames smaller than the RTS/CTS threshold if no acknowledgment is received.

Max Receive Duration
  Interval for which a frame received by an AP can stay in the buffer memory.

Enabling a radio
1. Select Radio > Radio from the navigation tree to enter the radio setup page.
Figure 390 Enabling radio
2. Select the box of the target radio.
3. Click Enable.

Locking the channel
1. Select Radio > Radio from the navigation tree to enter the page as shown in Figure 391.
Figure 391 Locking a channel
2. Select the box of the target radio.
3. Click Lock Channel.
• Channel locking takes effect only when the AC adopts the auto mode. For more information about automatic channel adjustment, see "Configuring radio parameters."
• If you enable channel locking and then enable the radio, the AC automatically selects an optimal channel, and then locks the channel.
• When the AC detects any radar signals, it immediately selects another channel even if the current channel is locked, and then locks the new channel.
• If you lock the current channel first, and then enable channel adjustment, channel adjustment does not work because the current channel is locked. Therefore, before enabling channel adjustment, make sure that the current channel is not locked. If you enable channel adjustment and then lock the current channel, the last selected channel is locked. For information about channel adjustment, see "Dynamic frequency selection." For more information about channel adjustment configuration, see "Parameter setting."

Locking the power
1. Select Radio > Radio from the navigation tree to enter the page as shown in Figure 392.
Figure 392 Locking the current power
2. Select the box of the target radio.
3. Click Lock Power.
• For transmit power configuration, see "Configuring radio parameters."
• If you lock the current power first, and then enable power adjustment, power adjustment does not work because the power is locked. Therefore, before enabling power adjustment, make sure that the current power is not locked. If you enable power adjustment and then lock the current power, the last selected power is locked. For information about power adjustment, see "Transmit power control." For how to configure power adjustment, see "Parameter setting."

Configuring data transmit rates
Configuring 802.11a/802.11b/802.11g rates
1. Select Radio > Rate from the navigation tree to enter the rate setting page.
Figure 393 Setting 802.11a/802.11b/802.11g rates
2. Configure 802.11a/802.11b/802.11g rates as described in Table 115.
3. Click Apply.

Table 115 Configuration items

802.11a
  Configure rates (in Mbps) for 802.11a.
  By default:
  • Mandatory rates are 6, 12, and 24.
  • Supported rates are 9, 18, 36, 48, and 54.
  • Multicast rate: Automatically selected from the mandatory rates. The transmission rate of multicasts in a BSS is selected from the mandatory rates supported by all the clients.

802.11b
  Configure rates (in Mbps) for 802.11b.
  By default:
  • Mandatory rates are 1 and 2.
  • Supported rates are 5.5 and 11.
  • Multicast rate: Automatically selected from the mandatory rates. The transmission rate of multicasts in a BSS is selected from the mandatory rates supported by all the clients.

802.11g
  Configure rates (in Mbps) for 802.11g.
  By default:
  • Mandatory rates are 1, 2, 5.5, and 11.
  • Supported rates are 6, 9, 12, 18, 24, 36, 48, and 54.
  • Multicast rate: Automatically selected from the mandatory rates. The transmission rate of multicasts in a BSS is selected from the mandatory rates supported by all the clients.

Configuring 802.11n MCS


Introduction to MCS
Configuration of mandatory and supported 802.11n rates is achieved by specifying the maximum
Modulation and Coding Scheme (MCS) index. The MCS data rate table shows relations between data
rates, MCS indexes, and parameters that affect data rates. Sample MCS data rate tables for 20 MHz
and 40 MHz are shown in Table 116 and Table 117 respectively. For the entire table, see IEEE P802.11n
D2.00.
Table 116 and Table 117 indicate that MCS 0 through 7 are for one single spatial stream, and when the
MCS is 7, the data rate is the highest. MCS 8 through 15 are for two spatial streams, and when the MCS
is 15, the data rate is the highest.
Table 116 MCS index table (20 MHz)

MCS index  Number of spatial streams  Modulation  Data rate (Mbps), 800 ns GI  Data rate (Mbps), 400 ns GI
0          1                          BPSK        6.5                          7.2
1          1                          QPSK        13.0                         14.4
2          1                          QPSK        19.5                         21.7
3          1                          16-QAM      26.0                         28.9
4          1                          16-QAM      39.0                         43.3
5          1                          64-QAM      52.0                         57.8
6          1                          64-QAM      58.5                         65.0
7          1                          64-QAM      65.0                         72.2
8          2                          BPSK        13.0                         14.4
9          2                          QPSK        26.0                         28.9
10         2                          QPSK        39.0                         43.3
11         2                          16-QAM      52.0                         57.8
12         2                          16-QAM      78.0                         86.7
13         2                          64-QAM      104.0                        115.6
14         2                          64-QAM      117.0                        130.0
15         2                          64-QAM      130.0                        144.4

Table 117 MCS index table (40 MHz)

MCS index  Number of spatial streams  Modulation  Data rate (Mbps), 800 ns GI  Data rate (Mbps), 400 ns GI
0          1                          BPSK        13.5                         15.0
1          1                          QPSK        27.0                         30.0
2          1                          QPSK        40.5                         45.0
3          1                          16-QAM      54.0                         60.0
4          1                          16-QAM      81.0                         90.0
5          1                          64-QAM      108.0                        120.0
6          1                          64-QAM      121.5                        135.0
7          1                          64-QAM      135.0                        150.0
8          2                          BPSK        27.0                         30.0
9          2                          QPSK        54.0                         60.0
10         2                          QPSK        81.0                         90.0
11         2                          16-QAM      108.0                        120.0
12         2                          16-QAM      162.0                        180.0
13         2                          64-QAM      216.0                        240.0
14         2                          64-QAM      243.0                        270.0
15         2                          64-QAM      270.0                        300.0

For example, if you specify the maximum MCS index as 5 for mandatory rates, rates corresponding to MCS indexes 0 through 5 are configured as 802.11n mandatory rates.
• Mandatory rates must be supported by the AP and the clients that want to associate with the AP.
• Supported rates allow some clients that support both mandatory and supported rates to choose higher rates when communicating with the AP.
• Multicast MCS: Specifies 802.11n multicast data rates.
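The relation between MCS index, bandwidth, guard interval and data rate behind Table 116 and Table 117, and the rate selection a maximum MCS index implies, as added example code that is not from the guide (the PHY constants are the IEEE 802.11n values; the functions and their names are this example's own):

```python
from fractions import Fraction

# Added example, not code from the H3C guide: reproduces the data rates of
# Table 116 and Table 117 from the MCS index, channel bandwidth and guard
# interval, and shows which rates a "maximum MCS index" setting selects.
# PHY parameters are the IEEE 802.11n values: 52 data subcarriers per 20 MHz
# channel, 108 per 40 MHz channel, 4.0 us OFDM symbol with the 800 ns GI and
# 3.6 us with the 400 ns short GI.

DATA_SUBCARRIERS = {20: 52, 40: 108}
SYMBOL_TIME_US = {800: 4.0, 400: 3.6}

# MCS 0 through 7 use one spatial stream; MCS 8 through 15 repeat the same
# modulation and coding rate with two spatial streams, as the guide states.
# (modulation, coded bits per subcarrier, coding rate)
MCS_BASE = [
    ("BPSK", 1, Fraction(1, 2)),
    ("QPSK", 2, Fraction(1, 2)),
    ("QPSK", 2, Fraction(3, 4)),
    ("16-QAM", 4, Fraction(1, 2)),
    ("16-QAM", 4, Fraction(3, 4)),
    ("64-QAM", 6, Fraction(2, 3)),
    ("64-QAM", 6, Fraction(3, 4)),
    ("64-QAM", 6, Fraction(5, 6)),
]


def mcs_params(mcs: int):
    """Return (spatial streams, modulation, bits per subcarrier, coding rate)."""
    if not 0 <= mcs <= 15:
        raise ValueError("MCS index must be 0 through 15")
    modulation, bits, coding_rate = MCS_BASE[mcs % 8]
    return mcs // 8 + 1, modulation, bits, coding_rate


def data_rate_mbps(mcs: int, bandwidth_mhz: int = 20, gi_ns: int = 800) -> float:
    """Data rate = streams * data subcarriers * bits per subcarrier * coding
    rate per OFDM symbol, divided by the symbol time (rounded as in the tables)."""
    streams, _, bits, coding_rate = mcs_params(mcs)
    data_bits_per_symbol = streams * DATA_SUBCARRIERS[bandwidth_mhz] * bits * coding_rate
    return round(float(data_bits_per_symbol) / SYMBOL_TIME_US[gi_ns], 1)


def mcs_table(bandwidth_mhz: int):
    """Rows of (MCS, streams, modulation, rate at 800 ns GI, rate at 400 ns GI)."""
    rows = []
    for mcs in range(16):
        streams, modulation, _, _ = mcs_params(mcs)
        rows.append((mcs, streams, modulation,
                     data_rate_mbps(mcs, bandwidth_mhz, 800),
                     data_rate_mbps(mcs, bandwidth_mhz, 400)))
    return rows


def mandatory_rates(max_mcs: int, bandwidth_mhz: int = 20, gi_ns: int = 800):
    """Rates that become mandatory when Mandatory Maximum MCS is set to
    max_mcs: every MCS index from 0 through max_mcs."""
    return [data_rate_mbps(m, bandwidth_mhz, gi_ns) for m in range(max_mcs + 1)]


def multicast_rate_mbps(multicast_mcs: int, radio_max_mcs: int, gi_ns: int = 800) -> float:
    """Multicast rate as Table 118 describes it: an index above the radio's
    maximum is clamped to that maximum, and the 20 MHz rate applies even
    when the radio operates in 40 MHz mode."""
    return data_rate_mbps(min(multicast_mcs, radio_max_mcs), 20, gi_ns)


if __name__ == "__main__":
    for row in mcs_table(40):
        print("MCS %2d  %d stream(s)  %-6s  %6.1f  %6.1f" % row)
```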

Configuring 802.11n rates
1. Select Radio > Rate from the navigation tree to enter the rate setting page.
Figure 394 Setting 802.11n rate
2. Configure the 802.11n rate as described in Table 118.
3. Click Apply.

Table 118 Configuration items

Mandatory Maximum MCS
  Set the maximum MCS index for 802.11n mandatory rates.
  IMPORTANT:
  If you select the client dot11n-only option, you must configure the mandatory maximum MCS.

Multicast MCS
  Set the multicast MCS for 802.11n.
  The multicast MCS is adopted only when all the clients use 802.11n. If a non-802.11n client exists, multicast traffic is transmitted at a mandatory MCS data rate.
  IMPORTANT:
  • If you configure a multicast MCS index greater than the maximum MCS index supported by the radio, the maximum MCS index is adopted.
  • When the multicast MCS takes effect, the corresponding data rates defined for 20 MHz are adopted no matter whether the 802.11n radio operates in 40 MHz mode or in 20 MHz mode.

Supported Maximum MCS
  Set the maximum MCS index for 802.11n supported rates.

NOTE:
When 802.11n radios are used in a mesh WLAN, make sure that they have the same MCS configuration.

Configuring channel scanning
NOTE:
For more information about active and passive scanning, see "WLAN service configuration."
1. Select Radio > Scan from the navigation tree to enter the page for setting channel scanning.
Figure 395 Setting channel scanning
2. Configure channel scanning as described in Table 119.
3. Click Apply.

Table 119 Configuration items

Scan Mode
  Set the scan mode.
  Auto: The legal channels for scanning under the country code are scanned.
  All: All the channels of the radio band are scanned.
  By default, the scan mode is auto, that is, all channels of the country code being set are scanned.

Scan Non-802.11h Channel
  Some 802.11h channels, also called radar channels, overlap some 802.11a channels. If the device operates on an overlapping channel, its service quality may be affected. With this function enabled, the device selects a working channel from the non-802.11h channels belonging to the configured country code to avoid channel collision.
  Selecting the Scan Non-802.11h Channel option enables the function of scanning non-802.11h channels.

Scan Type
  Set the scan type.
  Active: The active scanning mode requires a client to send a probe request. This scanning mode enables a client to discover APs more easily.
  Passive: Passive scanning is used by a client when it wants to save battery power. Typically, VoIP clients adopt the passive scanning mode.
  For an AP that has the monitoring function:
  Active: The AP simulates a client to send probe requests during the scanning process.
  Passive: The AP does not send probe requests during the scanning process.
  If you set active scanning for the AP, it is more likely to discover devices in the WLAN.

Scan Interval
  Set the scan report interval.
  • A longer scan interval enables an AP to discover more devices in the WLAN.
  • A shorter scan interval enables an AP to send scanning reports to an AC more frequently.
  If an AP has the monitoring function, the scan report interval affects whether the scanning results can be processed in time and the frequency of message exchanges. Therefore, set the interval properly according to the actual network conditions.

Configuring calibration
Parameter setting
1. Select Radio > Calibration from the navigation tree.
2. Click the Parameters tab.
Figure 396 Setting channel calibration
3. Configure channel calibration as described in Table 120.
4. Click Apply.

NOTE:
Channel switching results in temporary service interruption, so use the dynamic channel adjustment
function with caution.
Table 120 Configuration items
Item
Basic Setup

Description
Calibration
Interval

Channel and power calibration interval. A calibration interval takes effect on


both the mesh network channel calibration and channel and power
calibration of wireless services.

362

Item

Description
RTS/CTSUse RTS/CTS mode to implement 802.11g protection. Before

802.11g
Protection
Mode

sending data to a client, an AP sends an RTS packet to the client, ensuring


that all the devices within the coverage of the AP do not send data in the
specified time after receiving the RTS packet. Upon receiving the RTS
packet, the client will send a CTS packet again, ensuring that all the
devices within the coverage of the client do not send data in the specified
time.

CTS-to-SelfUses CTS-to-Self mode to implement 802.11g protection.

When an AP sends packets to a client, it uses its IP address to send a CTS


packet to inform the client that it will send a packet, ensuring that all the
devices within the coverage of the AP do not send data in the specified
time.

802.11b devices and 802.11g devices use different modulation modes, so


802.11g protection needs to be enabled for a 802.11g device to send
RTS/CTS or CTS-to-self packets to 802.11b devices, which will defer access
to the medium.
An AP running 802.11g uses the 802.11g protection function in the
following two cases:
802.11g
Protection

An 802.11b client is associated with it.


It detects APs or clients running 802.11b on the same channel.
EnableEnable 802.11g protection.
CloseDisable 802.11g protection.
IMPORTANT:

Enabling 802.11g protection reduces network performance.


Enabling 802.11g protection applies to the second case only, because
802.11g protection is always enabled for the first case.

802.11n
Protection
Mode

Both RTS/CTS and CTS-to-Self modes can be adopted. The implementation


of the two modes is the same as 802.11g.

EnableEnables 802.11n protection. When non 802.11n wireless devices


802.11n
Protection

or non 802.11n clients exist within the coverage of the AP, you need to
enable 802.11n protection.

CloseDisables 802.11n protection.

Note the following guidelines when configuring channel adjustment:

Before configuring channel adjustment, make sure that the AC adopts the auto channel

adjustment mode (for more information, see "Configuring radio parameters."). Otherwise,
channel adjustment does not work.

Channel
Setup

If you lock the channel first, and then enable channel adjustment (by selecting Dynamic

Channel Select), channel adjustment does not work because the channel is locked. Before
enabling channel adjustment, make sure that the channel is not locked.

If you enable channel adjustment and then lock the channel, the last selected channel is
locked.
For how to lock the channel, see "Locking the channel."

363

Item

Description
Dynamic Channel Select
Close: Disables the DFS function.
Auto: With auto DFS enabled, an AC performs DFS for a radio when certain trigger conditions are met on the channel, and returns the result to the AP after a calibration interval (the default calibration interval is 8 minutes, which can be set through the Calibration Interval option). After that, the AC makes DFS decisions at the calibration interval automatically.
Manual: With one-time DFS configured for a radio, an AC performs DFS for the radio when certain trigger conditions are met on the channel, and returns the result to the AP after a calibration interval. After that, if you want the AC to perform DFS for the radio, you have to make this configuration again.
IMPORTANT:
If you select the manual mode, click Calibration on the Calibration page every time you perform channel calibration.
CRC Error Threshold
Set the CRC error threshold value, in percentage.

Channel Interference Threshold
Set the channel interference threshold value, in percentage.

Tolerance Factor
A new channel is selected when either the configured CRC error threshold or interference threshold is exceeded on the current channel. However, the new channel is not applied until the quality of the current channel is worse than that of the new channel by the tolerance threshold.

Spectrum Management
Enable: Enable spectrum management.
Close: Disable spectrum management.

Power Setup
Note the following guidelines when configuring power adjustment:
• If you lock the power first, and then enable power adjustment (by selecting Dynamic Channel Select), power adjustment does not work because the power is locked. Therefore, before enabling power adjustment, make sure that the power is not locked.
• If you enable power adjustment and then lock the power, the last selected power is locked. For how to lock the power, see "Locking the power."

Dynamic Power Select
Close: Disables transmit power control (TPC).
Auto: With auto TPC enabled, the AC performs TPC for an AP upon certain interference and returns the result to the AP after a calibration interval (the default calibration interval is 8 minutes, which can be set through the Calibration Interval option). After that, the AC makes TPC decisions at the calibration interval automatically.
Manual: With one-time TPC configured, an AC performs TPC for the AP upon certain interference, and returns the result to the AP after a calibration interval (the default calibration interval is 8 minutes, which can be set through the Calibration Interval option). After that, if you want the AC to perform TPC for the AP, you have to make this configuration again.
IMPORTANT:
If you select the manual mode, click Calibration on the Calibration page every time you perform channel calibration.
Max Neighbor Count
Specify the maximum number of neighbors, which are managed by the same AC.

Power Constraint
Set the power constraint for all 802.11a radios. After power constraint is set, the transmission power of a client is the current transmission power minus the configured power constraint value.
IMPORTANT:
Enable spectrum management before configuring the power constraint; otherwise, the configuration does not take effect.

Configuring a radio group


With DFS or TPC configured for a radio, the AC calculates the channel quality or power of the radio at
the calibration interval. When the result meets a trigger condition, the AC selects a new channel or
power for the radio. In an environment where interference is serious, frequent channel or power
adjustments may affect user access to the WLAN network. In this case, you can configure a radio group
to keep the channel or power of radios in the group unchanged within a specified time. The channel and
power of radios not in the radio group are adjusted normally.
After a channel or power adjustment (one-time, auto, or initial DFS or TPC), the channel or power of any radio in the radio group remains unchanged for the specified holddown time. When the holddown time expires, the AC calculates the channel or power again. If the result meets a trigger condition, the channel or power is changed, and the new channel or power again remains unchanged for the holddown time. This cycle repeats.
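The DFS trigger thresholds, the tolerance factor and the radio-group channel holddown described above, modelled as an added example (not H3C code). The channel score, the sample measurements and the radar handling are constructed for illustration; the page does not define how the AC scores a channel.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ChannelSample:
    """Constructed per-channel measurement for one calibration interval (percent)."""
    crc_error: float
    interference: float

    def quality(self) -> float:
        # Constructed score, lower is better: the two trigger metrics are simply added.
        return self.crc_error + self.interference


@dataclass
class RadioDfsState:
    """DFS settings for one radio; names follow the Parameters tab and Table 121."""
    current_channel: int
    crc_error_threshold: float = 20.0       # CRC Error Threshold (%)
    interference_threshold: float = 50.0    # Channel Interference Threshold (%)
    tolerance_factor: float = 10.0          # Tolerance Factor (score difference)
    channel_holddown: int = 0               # Channel Holddown Interval (minutes); 0 = not in a radio group
    holddown_left: int = 0                  # minutes left before the channel may change again


def best_candidate(state: RadioDfsState, samples: Dict[int, ChannelSample]) -> Optional[int]:
    """Best-scoring channel other than the current one, or None if there is no other channel."""
    others = [c for c in samples if c != state.current_channel]
    if not others:
        return None
    return min(others, key=lambda c: samples[c].quality())


def _switch(state: RadioDfsState, channel: int) -> int:
    """Apply the new channel and (re)start the radio group's holddown timer."""
    state.current_channel = channel
    state.holddown_left = state.channel_holddown
    return channel


def dfs_decision(state: RadioDfsState, samples: Dict[int, ChannelSample],
                 elapsed_minutes: int, radar_on_current: bool = False) -> Optional[int]:
    """One AC decision at the end of a calibration interval.

    Returns the new channel, or None when the radio keeps its channel. The order of
    checks follows the page: a radar hit switches immediately and resets the holddown
    timer; otherwise a running holddown timer blocks any change, then either trigger
    threshold must be exceeded, and finally the current channel must be worse than the
    candidate by more than the tolerance factor.
    """
    candidate = best_candidate(state, samples)
    if radar_on_current and candidate is not None:
        return _switch(state, candidate)

    state.holddown_left = max(0, state.holddown_left - elapsed_minutes)
    if state.holddown_left > 0:
        return None

    cur = samples[state.current_channel]
    triggered = (cur.crc_error > state.crc_error_threshold
                 or cur.interference > state.interference_threshold)
    if not triggered or candidate is None:
        return None

    # Tolerance check: a triggered radio still stays put unless the candidate is
    # clearly better, which keeps it from bouncing between two similar channels.
    if cur.quality() - samples[candidate].quality() <= state.tolerance_factor:
        return None
    return _switch(state, candidate)


if __name__ == "__main__":
    radio = RadioDfsState(current_channel=1, channel_holddown=20)
    interval = 8  # default calibration interval, minutes
    bad_ch1 = {1: ChannelSample(25, 30), 6: ChannelSample(2, 5), 11: ChannelSample(5, 8)}
    print(dfs_decision(radio, bad_ch1, interval))   # 6: CRC error threshold exceeded on channel 1
    bad_ch6 = {1: ChannelSample(1, 1), 6: ChannelSample(30, 60), 11: ChannelSample(5, 8)}
    print(dfs_decision(radio, bad_ch6, interval))   # None: holddown, 12 minutes left
    print(dfs_decision(radio, bad_ch6, interval))   # None: holddown, 4 minutes left
    print(dfs_decision(radio, bad_ch6, interval))   # 1: holddown expired, trigger and tolerance met
```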
NOTE:
Before entering the Radio Group page, configure channel or power adjustment on the Parameters tab.
1. Select Radio > Calibration from the navigation tree.
2. Click Radio Group.
3. Click Add.
The Radio Group page appears.


Figure 397 Configuring a radio group

4. Configure the radio group as described in Table 121.
5. Click Apply.

Table 121 Configuration items

Group ID
ID of the radio group.

Description
Description of the radio group. By default, a radio group has no description.

Channel Holddown Interval
Specify that the current channel keeps unchanged within the specified time after a channel adjustment (manual, automatic, or initial channel selection).
IMPORTANT:
The AC immediately selects another channel when it detects any radar signals on the current channel, and then resets the channel holddown timer.

Power Holddown Interval
Specify that the current power keeps unchanged within the specified time after a power adjustment (manual or automatic power adjustment).

Radio List
Select the target radios from the Radios Available area, and then click << to add them into the Radios Selected area.
Select the radios to be removed from the Radios Selected area, and then click >> to remove them from the radio group.


Calibration operations
NOTE:
If RRM is not enabled, or the radio to be displayed works on a fixed channel, you can only view the work
channel and the power of the radio on the Operations tab in the Radio > Calibration page. Other
information such as interference observed and the number of neighbors is displayed when RRM is
enabled, that is, dynamic power selection or automatic dynamic frequency selection is enabled. For the
configuration of RRM parameters, see "Parameter setting."

Displaying channel status
1. Select Radio > Calibration from the navigation tree.
2. On the Operations tab, click the Channel Status tab.
3. Click the desired radio to enter the page for displaying channel status.

Figure 398 Channel status

Table 122 Configuration items


Item

Description

Channel No

Running channel.

Neighbor Num

Number of neighbors on a channel.

Load (%)

Load detected on a channel.

Utilization (%)

Channel utilization.

Interference (%)

Interference detected on a channel.

Packet Error Rate (%)

Error rate for packets on a channel.

Retransmission Rate (%)

Retransmission rate on a channel.

Radar Detect

Radar detection status.

Displaying neighbor information
1. Select Radio > Calibration from the navigation tree.
2. On the Operations tab, click the Neighbor Info tab.
3. Click the desired radio to enter the page for displaying neighbor information.


Figure 399 Neighbor information

Table 123 Field description


Field

Description

AP MAC Address

MAC address of an AP.

Channel No

Running channel.

Interference (%)

Interference detected on a channel.

RSSI (dBm)

Received signal strength indication (RSSI) of AP, in dBm.

AP Type

AP type, managed or unmanaged.

Displaying history information
NOTE:
History information is available only if channel switching or power adjustment occurs after RRM is enabled.
1. Select Radio > Calibration from the navigation tree.
2. On the Operations tab, click History Info.
3. Click the desired radio to enter the page for displaying neighbor information.


Figure 400 History information

Table 124 Field description


Field

Description

Radio

Radio ID of the AP.

Basic BSSID

MAC address of the AP.

Chl

Channel on which the radio operates in case of the change of channel or power.

Power

Power of the radio in case of the change of channel or power.

Load

Load observed on the radio in percentage in case of the change of channel or power.

Util

Utilization of the radio in percentage in case of the change of channel or power.

Intf

Interference observed on the radio in percentage in case of the change of channel or power.

PER

Packet error rate observed on a channel, in percentage.

Retry

Percentage of retransmissions on the radio before/after the change of channel or power.

Reason

Reason for the change of channel or power, such as Interference, packets discarded,
retransmission, radar or coverage.

Date

Date when the channel or power change occurred.

Time

Time when the channel or power change occurred.

Antenna
1. Select Radio > Antenna to select an appropriate antenna for the corresponding radio.
2. Select the antenna type, Internal Antenna or User-Default external antenna, for a specific radio from the Antenna list.
3. Click Apply.

Figure 401 Antenna switch

Manual channel adjustment configuration example

Network requirements
As shown in Figure 402, configure manual channel adjustment on the AC so that the AC can perform manual channel adjustment when the channel of AP 1 is unavailable.
Figure 402 Network diagram

Configuration procedure
1. Before you configure manual channel adjustment, configure AP 1 on the AC to establish a connection between them. For the related configuration, see "Access service configuration."
2. Configure manual channel adjustment:
   a. Select Radio > Calibration from the navigation tree.
   b. Select the Parameters tab.
   c. Select Manual from the Dynamic Channel Select list.
   d. Click Apply.


Figure 403 Configuring manual channel adjustment

3. Perform manual channel adjustment:
   a. Select Radio > Calibration from the navigation tree.
   b. On the Operation tab, select the box of the target radio.
   c. Click Channel Optimize.

Figure 404 Performing manual channel adjustment

Verifying the configuration
• You can view the channel status on the Operation tab you enter by selecting Radio > Calibration from the navigation tree.
• After you perform manual channel calibration, the AC informs the AP of the adjusted channel after a calibration interval.
• You can view the detailed information, such as the specific reason for channel adjustment, on the History Info tab you enter by selecting Radio > Calibration from the navigation tree, clicking Operation, and then clicking History Info.

Configuration guidelines
If you select manual channel adjustment, click Channel Optimize on the Operation tab every time you
perform manual channel adjustment.

Automatic power adjustment configuration example

Network requirements
As shown in Figure 405, AP 1 through AP 3 are connected to the AC. Configure automatic power adjustment and specify the adjacency factor as 3 on the AC. In this way, when AP 4 joins, the AC performs automatic power adjustment to avoid interference.
Figure 405 Network diagram

Configuration procedure
1. Before you configure automatic power adjustment, configure AP 1 through AP 3 on the AC to establish a connection between the AC and each AP. For the related configuration, see "Access service configuration."
2. Configure automatic power adjustment:
   a. Select Radio > Calibration from the navigation tree.
   b. Click the Parameters tab.
   c. Select Auto from the Dynamic Power Select list.
   d. Click Apply.


Figure 406 Configuring automatic power adjustment

Verifying the configuration
• You can view the power of each AP on the Operation tab you enter by selecting Radio > Calibration from the navigation tree.
• When AP 4 joins (the adjacency number becomes 3), the maximum number of neighbors reaches the upper limit (3 by default), and the AC performs power adjustment after the calibration interval. You can view the detailed information, such as the decrease of the Tx power value, on the History Info tab you enter by selecting Radio > Calibration from the navigation tree, selecting the Operation tab, and then selecting History Info.

Radio group configuration example

Network requirements
As shown in Figure 407, AP 1 through AP 3 are connected to the AC.
• Configure automatic channel adjustment so that the AC can automatically switch the channel when the signal quality on a channel is degraded to a certain level.
• Configure automatic power adjustment so that the AC can automatically adjust the power when the third neighbor is discovered (or in other words, when AP 4 joins) to avoid interference.
• Add radio 2 of AP 1 and radio 2 of AP 2 to a radio group to prevent frequent channel or power adjustments for the radios.

Figure 407 Network diagram

Configuration procedure
1. Before you configure a radio group, configure AP 1 through AP 3 on the AC to establish a connection between the AC and each AP. For the related configuration, see "Access service configuration."
2. Configure automatic channel and power adjustment:
   a. Select Radio > Calibration from the navigation tree.
   b. Click the Parameters tab.
   c. Select Auto from the Dynamic Channel Select list, select Auto from the Dynamic Power Select list, and click Apply.


Figure 408 Configuring automatic channel and power adjustment

3. Configure a radio group:
   a. Select Radio > Calibration from the navigation tree.
   b. Click Radio Group.
   c. Click Add.
   d. On the page that appears, enter the channel holddown interval 20 and enter the power holddown interval 30.
   e. In the Radios Available area, select the target radios and click << to add them into the Radios Selected area.
   f. Click Apply.


Figure 409 Configuring the radio group

Verifying the configuration
• The working channel of radio 2 of AP 1 and that of radio 2 of AP 2 do not change within 20 minutes after each automatic channel adjustment.
• The power of radio 2 of AP 1 and that of radio 2 of AP 2 do not change within 30 minutes after each automatic power adjustment.


Configuring 802.1X
802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN
committee for the security of wireless LANs (WLANs). It has been widely used on Ethernet networks for
access control.
802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
You can also configure the port security feature to perform 802.1X. Port security combines and extends
802.1X and MAC authentication. It applies to a network, a WLAN, for example, that requires different
authentication methods for different users on a port. Port security is beyond the scope of this chapter. It
is described in Security Configuration Guide for the product.

802.1X architecture
802.1X operates in the client/server model. It comprises three entities: client (the supplicant), the network
access device (the authenticator), and the authentication server, as shown in Figure 410.
Figure 410 802.1X architecture (client, device, authentication server)

The client is a user terminal seeking access to the LAN. It must have 802.1X software to authenticate
to the network access device.

The network access device authenticates the client to control access to the LAN. In a typical 802.1X
environment, the network access device uses an authentication server to perform authentication.

The authentication server is the entity that provides authentication services for the network access
device. It authenticates 802.1X clients by using the data sent from the network access device, and
returns the authentication results for the network access device to make access decisions. The
authentication server is typically a Remote Authentication Dial-in User Service (RADIUS) server. In a
small LAN, you can also use the network access device as the authentication server.

For more information about the 802.1X protocol, see H3C WX Series Access Controllers Security
Configuration Guide.

Access control methods
H3C implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control.
• With port-based access control, once an 802.1X user passes authentication on a port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.
• With MAC-based access control, each user is separately authenticated on a port. When a user logs off, no other online users are affected.
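The two access control methods and the three port authorization states (Auto, Force-Authorized, Force-Unauthorized, from Table 126) modelled as an added example, not H3C code. The server verdict is passed in as a flag because the RADIUS exchange itself is out of scope; the MAC addresses in the demo are constructed.

```python
from enum import Enum
from typing import Set


class PortControl(Enum):
    PORT_BASED = "Port Based"
    MAC_BASED = "MAC Based"


class PortAuthorization(Enum):
    AUTO = "Auto"
    FORCE_AUTHORIZED = "Force-Authorized"
    FORCE_UNAUTHORIZED = "Force-Unauthorized"


class Dot1xPort:
    """Access decisions of one 802.1X-enabled port on the network access device."""

    def __init__(self, control: PortControl,
                 authorization: PortAuthorization = PortAuthorization.AUTO,
                 max_users: int = 256):
        self.control = control
        self.authorization = authorization
        self.max_users = max_users            # Max Number of Users on the port
        self.online: Set[str] = set()         # MAC addresses that passed authentication

    def authenticate(self, mac: str, server_accepts: bool) -> bool:
        """Outcome of an EAPOL exchange; server_accepts stands for the RADIUS verdict."""
        if self.authorization is not PortAuthorization.AUTO:
            return False                      # forced states never run authentication
        if not server_accepts or len(self.online) >= self.max_users:
            return False
        self.online.add(mac)
        return True

    def logoff(self, mac: str) -> None:
        if self.control is PortControl.PORT_BASED:
            # Port-based: when the authenticated user logs off, all other users are logged off.
            self.online.clear()
        else:
            # MAC-based: each user is tracked separately, nobody else is affected.
            self.online.discard(mac)

    def may_forward(self, mac: str, eapol: bool = False) -> bool:
        """Whether a frame from this MAC is allowed through the port."""
        if self.authorization is PortAuthorization.FORCE_AUTHORIZED:
            return True                       # no authentication required at all
        if self.authorization is PortAuthorization.FORCE_UNAUTHORIZED:
            return False                      # every access request is denied
        if eapol:
            return True                       # Auto: EAPOL passes even while unauthorized
        if self.control is PortControl.PORT_BASED:
            # One authenticated user opens the port for every MAC behind it,
            # which is exactly why port-based control is the weaker choice.
            return bool(self.online)
        return mac in self.online


if __name__ == "__main__":
    port = Dot1xPort(PortControl.PORT_BASED)
    port.authenticate("00:11:22:33:44:01", server_accepts=True)
    print(port.may_forward("00:11:22:33:44:02"))   # True: rides on the first user's authentication
    port.logoff("00:11:22:33:44:01")
    print(port.may_forward("00:11:22:33:44:02"))   # False: everyone is logged off with the first user
```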

Configuring 802.1X
Configuration prerequisites
• Configure an ISP domain and AAA scheme (local or RADIUS authentication) for 802.1X users. For more information, see "Configuring AAA" and "Configuring RADIUS."
• If RADIUS authentication is used, create user accounts on the RADIUS server.
• If local authentication is used, create local user accounts on the access device and set the service type to LAN-access.
• If you want to use EAP relay when the RADIUS server does not support any EAP authentication method or no RADIUS server is available, configure the EAP server function on your network access device.

NOTE:
Configure 802.1X on a wired port. Wireless ports support only the port security feature, and the port
security is enabled by default on the wireless ports.

Recommended configuration procedure

Task: 1. Configuring 802.1X globally
Description: Required. Enable 802.1X authentication globally and configure the authentication method and advanced parameters. By default, 802.1X authentication is disabled globally.

Task: 2. Configuring 802.1X on a port
Description: Required. Enable 802.1X authentication on specified ports and configure 802.1X parameters for the ports. By default, 802.1X authentication is disabled on a port.

Configuring 802.1X globally
1. From the navigation tree, select Authentication > 802.1X.


Figure 411 802.1X global configuration

2. In the 802.1X Configuration area, select the Enable 802.1X box.
3. Select an authentication method for 802.1X users. Options include CHAP, PAP, and EAP.
   CHAP: Sets the access device to perform EAP termination and use CHAP to communicate with the RADIUS server.
   PAP: Sets the access device to perform EAP termination and use PAP to communicate with the RADIUS server.
   EAP: Sets the access device to relay EAP packets, and supports any of the EAP authentication methods to communicate with the RADIUS server.

NOTE:
When you configure EAP relay or EAP termination, consider the following factors:
• Whether the RADIUS server supports EAP packets.
• The authentication methods supported by the 802.1X client and the RADIUS server.
If the client is using only MD5-Challenge EAP authentication or the "username + password" EAP authentication initiated by an H3C iNode 802.1X client, you can use both EAP termination and EAP relay. To use EAP-TLS, PEAP, or any other EAP authentication methods, you must use EAP relay.
4. Click Advanced to expand the advanced 802.1X configuration area.


Figure 412 Advanced configuration

5. Configure advanced 802.1X settings as described in Table 125.
6. Click Apply.

Table 125 Configuration items

Quiet
Specify whether to enable the quiet timer.
The quiet timer enables the network access device to wait a period of time before it can process any authentication request from a client that has failed an 802.1X authentication.

Quiet Period
Set the value of the quiet timer.

Retry Times
Set the maximum number of authentication request attempts.
The network access device retransmits an authentication request if it receives no response to the request it has sent to the client within a period of time (specified by using the TX Period option or the Supplicant Timeout Time option). The network access device stops retransmitting the request if it has made the maximum number of request transmission attempts but still received no response.

TX Period
Set the username request timeout timer.
The timer starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer expires, it retransmits the request.
The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.

Handshake Period
Set the handshake timer.
The timer sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off. For information about how to enable the online user handshake function, see "Configuring 802.1X on a port."

Re-Authentication Period
Set the periodic online user re-authentication timer.
The timer sets the interval at which the network device periodically re-authenticates online 802.1X users. The change to the periodic re-authentication timer applies to the users that have been online only after the old timer expires. For information about how to enable periodic online user re-authentication on a port, see "Configuring 802.1X on a port."

Supplicant Timeout Time
Set the client timeout timer.
The timer starts when the access device sends an EAP-Request/MD5 Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.

Server Timeout Time
Set the server timeout timer.
The timer starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.

TIP:
You can set the client timeout timer to a high value in a low-performance network, and adjust the server timeout timer to adapt to the performance of different authentication servers. In most cases, the default settings are sufficient.

IMPORTANT:
Do not change the timer parameters of global 802.1X from their default values unless you have determined that the changes would better the interaction process.

Configuring 802.1X on a port
1. From the navigation tree, select Authentication > 802.1X to enter the page, as shown in Figure 411.
The Ports With 802.1X Enabled area shows the 802.1X configuration on ports.
2. Click Add.

Figure 413 802.1X configuration on a port

3. Configure 802.1X features on a port as described in Table 126.
4. Click Apply.

Table 126 Configuration items

Port
Select the port to be enabled with 802.1X authentication. Only 802.1X-disabled ports are available.
NOTE:
802.1X is mutually exclusive with link aggregation group configuration on a port.

Port Control
Set the access control method for the port, which can be MAC Based or Port Based.
NOTE:
To use both 802.1X and portal authentication on a port, you must select MAC Based.

Port Authorization
Select the port authorization state for 802.1X. Options include:
• Auto: Places the port initially in unauthorized state to allow only EAPOL packets to pass, and after a user passes authentication, sets the port in authorized state to allow access to the network. You can use this option in most scenarios.
• Force-Authorized: Places the port in authorized state, enabling users on the port to access the network without authentication.
• Force-Unauthorized: Places the port in unauthorized state, denying any access requests from users on the port.

Max Number of Users
Set the maximum number of concurrent 802.1X users on the port.

Enable Handshake
Specify whether to enable the online user handshake function.
The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the Handshake Period setting. If no response is received from an online user after the maximum number of handshake attempts (set by the Retry Times setting) has been made, the network access device sets the user in offline state. For information about the timers, see Table 125.
NOTE:
If the network has 802.1X clients that cannot exchange handshake packets with the network access device, disable the online user handshake function to prevent their connections from being inappropriately torn down.

Enable Re-Authentication
Specify whether to enable periodic online user re-authentication on the port.
Periodic online user re-authentication tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN. The re-authentication interval is specified by the Re-Authentication Period setting in Table 125.
NOTE:
• The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device, and enables periodic online user re-authentication, even if the function is not configured. Support for the server assignment of the re-authentication timer and the re-authentication timer configuration on the server vary with servers.
• The VLAN assignment status must be consistent before and after re-authentication. If the authentication server has assigned a VLAN before re-authentication, it must also assign a VLAN at re-authentication. If the authentication server has assigned no VLAN before re-authentication, it must not assign one at re-authentication. Violation of either rule can cause the user to be logged off. The VLANs assigned to an online user before and after re-authentication can be the same or different.

Guest VLAN
Specify an existing VLAN as the guest VLAN. For more information, see "Configuring an 802.1X guest VLAN."

Enable MAC VLAN
Select the box to enable MAC-based VLAN.
NOTE:
Only hybrid ports support the feature.

Auth-Fail VLAN
Specify an existing VLAN as the Auth-Fail VLAN to accommodate users that have failed 802.1X authentication. For more information, see "Configuring an Auth-Fail VLAN."

Configuring an 802.1X guest VLAN

Configuration guidelines:
• You can configure only one 802.1X guest VLAN on a port. The 802.1X guest VLANs on different ports can be different.
• Assign different IDs for the default VLAN and 802.1X guest VLAN on a port, so the port can correctly process incoming VLAN tagged traffic.
• With 802.1X authentication, a hybrid port is always assigned to a VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.
• Use Table 127 when you configure multiple security features on a port.

Table 127 Relationships of the 802.1X guest VLAN and other security features

Feature: MAC authentication guest VLAN on a port that performs MAC-based access control
Relationship: Only the 802.1X guest VLAN takes effect. A user that fails MAC authentication will not be assigned to the MAC authentication guest VLAN.

Feature: 802.1X Auth-Fail VLAN on a port that performs MAC-based access control
Relationship: The 802.1X Auth-Fail VLAN has a higher priority.

Feature: Port intrusion protection on a port that performs MAC-based access control
Relationship: The 802.1X guest VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature.

Configuration prerequisites:
• Create the VLAN to be specified as the 802.1X guest VLAN.
• If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger at the command-line interface (CLI). (802.1X multicast trigger is enabled by default.)
• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the 802.1X guest VLAN as an untagged member.

Configuring an Auth-Fail VLAN

Configuration guidelines:
• Assign different IDs for the default VLAN and 802.1X Auth-Fail VLAN on a port, so the port can correctly process VLAN tagged incoming traffic.
• Use Table 128 when you configure multiple security features on a port.


Table 128 Relationships of the 802.1X Auth-Fail VLAN with other features

Feature: MAC authentication guest VLAN on a port that performs MAC-based access control
Relationship: The 802.1X Auth-Fail VLAN has a high priority.

Feature: Port intrusion protection on a port that performs MAC-based access control
Relationship: The 802.1X Auth-Fail VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature.

Configuration prerequisites:
• Create the VLAN to be specified as the 802.1X Auth-Fail VLAN.
• If the 802.1X-enabled port performs port-based access control, enable 802.1X multicast trigger. (802.1X multicast trigger is enabled by default.)
• If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged member.


Configuring portal authentication


Introduction to portal authentication
Portal authentication helps control access to the Internet. It is also called "web authentication." A website
implementing portal authentication is called a portal website.
With portal authentication, an access device forces all users to log onto the portal website first. Every
user can access the free services provided on the portal website; but to access the Internet, a user must
pass portal authentication on the portal website.
A user can access a known portal website and enter username and password for authentication. This
authentication mode is called active authentication. There is also another authentication mode, forced
authentication, in which the access device forces a user trying to access the Internet through HTTP to log
on to a portal website for authentication.
The portal feature provides the flexibility for Internet service providers (ISPs) to manage services. A portal
website can, for example, present advertisements, and deliver community services and personalized
services. In this way, broadband network providers, equipment vendors, and content service providers
form an industrial ecological system.
A typical portal system comprises these basic components: authentication client, access device, portal
server, authentication/accounting server, and security policy server.
Figure 414 Portal system components (authentication clients, access device, portal server, authentication/accounting server, security policy server)

The components of a portal system interact in the following procedure:
1. When an unauthenticated user enters a website address in the address bar of the browser to access the Internet, an HTTP request is created and sent to the access device, which redirects the HTTP request to the web authentication homepage of the portal server. For extended portal functions, authentication clients must run the portal client software.
2. On the authentication homepage/authentication dialog box, the user enters and submits the authentication information, which the portal server then transfers to the access device.
3. Upon receipt of the authentication information, the access device communicates with the authentication/accounting server for authentication and accounting.
4. After successful authentication, the access device checks whether there is a corresponding security policy for the user. If not, it allows the user to access the Internet. Otherwise, the client communicates with the access device and the security policy server for security check. If the client passes security check, the security policy server authorizes the user to access the Internet resources.

NOTE:
The web interface of the device supports configuring portal authentication only on Layer 3 interfaces. For
more information about portal authentication, see H3C WX Series Access Controllers Security
Configuration Guide.
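The four-step portal interaction above, seen from the access device, as an added example (not H3C code). The user table stands in for the RADIUS server, the security-policy flag per user stands in for the IMC EAD policy check, and two behaviours the page leaves open are labelled as assumptions in the code: non-HTTP traffic from unauthenticated clients is dropped, and a client awaiting its security check can reach only the portal-free hosts.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class PortalAccessDevice:
    """Per-packet decisions of the access device in a portal system."""
    portal_server: str                               # host of the portal website (step 1 redirect target)
    policy_server: str                               # security policy server (step 4)
    users: Dict[str, Tuple[str, bool]]               # constructed RADIUS stand-in: user -> (password, policy_required)
    free_destinations: Set[str] = field(default_factory=set)       # hosts matched by portal-free rules
    authenticated: Dict[str, bool] = field(default_factory=dict)   # client IP -> policy_required
    checked: Set[str] = field(default_factory=set)                 # client IPs that passed the security check

    def handle(self, client_ip: str, dst_host: str, dst_port: int) -> str:
        """Return FORWARD, REDIRECT <url>, RESTRICTED or DENY for one packet."""
        if dst_host in (self.portal_server, self.policy_server) or dst_host in self.free_destinations:
            # The portal website's free services, the policy server and portal-free hosts are always reachable.
            return "FORWARD"
        if client_ip not in self.authenticated:
            if dst_port == 80:
                # Forced authentication: HTTP from an unauthenticated user goes to the portal homepage.
                return f"REDIRECT http://{self.portal_server}/"
            return "DENY"        # assumption: other traffic from unauthenticated users is dropped
        if self.authenticated[client_ip] and client_ip not in self.checked:
            # assumption: until the security check passes only the quarantined area (above) is reachable
            return "RESTRICTED"
        return "FORWARD"

    def authenticate(self, client_ip: str, username: str, password: str) -> bool:
        """Step 3: verdict of the authentication/accounting server on the submitted credentials."""
        entry = self.users.get(username)
        # compare_digest keeps the comparison time independent of where the strings differ
        if entry is None or not hmac.compare_digest(entry[0], password):
            return False
        self.authenticated[client_ip] = entry[1]
        self.checked.discard(client_ip)              # a fresh login always re-runs the security check
        return True

    def security_check(self, client_ip: str, passed: bool) -> None:
        """Step 4: result reported back by the security policy server."""
        if passed:
            self.checked.add(client_ip)
        else:
            self.checked.discard(client_ip)

    def logoff(self, client_ip: str) -> None:
        self.authenticated.pop(client_ip, None)
        self.checked.discard(client_ip)


if __name__ == "__main__":
    dev = PortalAccessDevice(portal_server="portal.example.test", policy_server="ead.example.test",
                             users={"alice": ("alice-secret", True), "bob": ("bob-secret", False)},
                             free_destinations={"dns.example.test"})
    print(dev.handle("10.0.0.5", "www.example.test", 80))   # REDIRECT http://portal.example.test/
    dev.authenticate("10.0.0.5", "alice", "alice-secret")
    print(dev.handle("10.0.0.5", "www.example.test", 80))   # RESTRICTED (security policy applies)
    dev.security_check("10.0.0.5", passed=True)
    print(dev.handle("10.0.0.5", "www.example.test", 80))   # FORWARD
```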

Configuring portal authentication


Configuration prerequisites
The portal feature provides a solution for user identity authentication and security checking. However, the portal feature cannot implement this solution by itself. RADIUS authentication needs to be configured on the access device to cooperate with the portal feature to complete user authentication.
The prerequisites for portal authentication configuration are as follows:
• The portal authentication-enabled interfaces of the access device are configured with valid IP addresses or have obtained valid IP addresses through DHCP.
• The portal server and the RADIUS server have been installed and configured properly. Local portal authentication requires no independent portal server.
• With re-DHCP authentication, the invalid IP address check function of DHCP relay is enabled on the access device, and the DHCP server is installed and configured properly.
• With RADIUS authentication, usernames and passwords of the users are configured on the RADIUS server, and the RADIUS client configurations are performed on the access device. For information about RADIUS client configuration, see "Configuring RADIUS."
• To implement extended portal functions, install and configure IMC EAD, and make sure that the ACLs configured on the access device correspond to those specified for the resources in the quarantined area and for the restricted resources on the security policy server. For information about security policy server configuration on the access device, see "Configuring RADIUS."

Recommended configuration procedure

Step 1. Configuring the portal service
  Required.
  Configure a portal server, apply the portal server to a Layer 3 interface, and configure the portal authentication parameters.
  By default, no portal server is configured.

Step 2. Configuring advanced parameters for portal authentication
  Optional.
  Specify an auto redirection URL, set the time that the device must wait before redirecting an authenticated user to the auto redirection URL, and add web proxy server port numbers.

Step 3. Configuring a portal-free rule
  Optional.
  Configure a portal-free rule, specifying the source and destination information for packet filtering.
  A portal-free rule allows specified users to access specified external websites without portal authentication. Packets matching a portal-free rule do not trigger portal authentication, and the users can directly access the specified external websites.
  By default, no portal-free rule is configured.

Configuring the portal service


1. Select Authentication > Portal from the navigation tree.
   The portal server configuration page appears.

Figure 415 Portal server configuration

TIP:
On the page shown in Figure 415, the portal service applied on a Layer 3 interface can be in either of the following states:
• Running: Portal authentication has taken effect on the interface.
• Enabled: Portal authentication has been enabled on the interface but has not yet taken effect.

2. Click Add to enter the portal service application page.

Figure 416 Portal service application

3. Configure the portal application settings as described in Table 129.
4. Click Apply.

Table 129 Configuration items

Interface
  Specify the Layer 3 interface to be enabled with portal authentication.

Portal Server
  Specify the portal server to be applied on the specified interface. Options include:
  • Select Server: Select an existing portal server from the Portal Server list.
  • New Server: If you select this option from the list, the portal server configuration area, as shown in Figure 417, is displayed at the lower part of the page. You can add a remote portal server and apply the portal server to the interface. For detailed configuration, see Table 130.
  • Enable Local Server: If you select this option from the list, the local portal service configuration area, as shown in Figure 418, is displayed at the lower part of the page. You can configure the parameters for the local portal service. For detailed configuration, see Table 131.

Method
  Specify the portal authentication mode, which can be:
  • Direct: Direct portal authentication.
  • Layer3: Cross-subnet portal authentication.
  • Re DHCP: Re-DHCP portal authentication.
  IMPORTANT:
  • In cross-subnet portal authentication mode, Layer 3 forwarding devices are not required to be present between the authentication client and the access device. However, if they are present, you must select the cross-subnet portal authentication mode.
  • In re-DHCP portal authentication mode, a client is allowed to send out packets using a public IP address before it passes portal authentication. However, responses to those packets are restricted.
  • If the local portal server is used, you can configure the re-DHCP mode but it does not take effect.

Auth Network IP / Network Mask
  Specify the IP address and mask of the authentication subnet. This field is configurable when you select the Layer3 mode (cross-subnet portal authentication).
  By configuring an authentication subnet, you specify that only HTTP packets from users on the authentication subnet can trigger portal authentication. If an unauthenticated user is not on any authentication subnet, the access device discards all the user's HTTP packets that do not match any portal-free rule.
  IMPORTANT:
  The authentication subnet in direct mode is any source IP address, and that in re-DHCP mode is the private subnet to which the interface's private IP address belongs.

Authentication Domain
  Specify the authentication domain for Layer 3 portal users.
  After you specify an authentication domain on a Layer 3 interface, the device uses that authentication domain for authentication, authorization, and accounting (AAA) of the portal users on the interface, ignoring the domain names carried in the usernames. You can specify different authentication domains for different interfaces as needed.
  The available authentication domains are those specified on the page you enter by selecting Authentication > AAA from the navigation tree. For more information, see "Configuring AAA."

Figure 417 Adding a portal server

Table 130 Configuration items

Server Name
  Enter a name for the remote portal server.

IP
  Enter the IP address of the remote portal server.

Key
  Enter the shared key to be used for communication between the device and the remote portal server.

Port
  Enter the port number of the remote portal server.

URL
  Specify the URL for HTTP packet redirection, in the format http://ip-address. By default, the IP address of the portal server is used in the URL.
  IMPORTANT:
  The redirection URL supports domain name resolution; however, you must then configure a portal-free rule and add the DNS server address to the portal-free address range.

Figure 418 Local portal service configuration

Table 131 Configuration items

Server Name
  Specify the local portal server name.

IP
  Specify the IP address of the local portal server. This must be the IP address of the interface where the local portal server is applied.

URL
  Specify the URL for HTTP packet redirection, in the format http://ip-address/portal/logon.htm or https://ip-address/portal/logon.htm (depending on the protocol type).
  By default, the IP address of the local portal server is used in the URL.
  IMPORTANT:
  • To use the local portal server for stateful failover in a wireless environment, you must specify the redirection URL, and the IP address in the URL must be the virtual IP address of the VRRP group where the VRRP downlink resides.
  • URL redirection supports domain name resolution, but you must then configure a portal-free rule and add the DNS server address to the portal-free address range.

Protocol
  Specify the protocol to be used for authentication information exchange between the local portal server and the client. It can be HTTP or HTTPS.

PKI Domain
  Specify the PKI domain for HTTPS. This field is configurable when you select HTTPS.
  The available PKI domains are those specified on the page you enter by selecting Authentication > Certificate Management from the navigation tree. For more information, see "Managing certificates."
  IMPORTANT:
  The service management, local portal authentication, and local EAP service modules always reference the same PKI domain. Changing the referenced PKI domain in any of the three modules also changes the PKI domain referenced in the other two modules.

SSID Page Customization: Page File
  Specify the authentication page files to be bound with SSIDs as required.
  After you bind SSIDs with authentication page files, when a user accesses the portal page, the local portal server pushes the authentication pages for the user according to the SSID of the user login interface and the bound authentication page file.
  By default, an SSID is not bound with any authentication page file. In this case, the system pushes the default authentication pages.
  You can edit an authentication page file as required and save it in the root directory or the portal directory under the root directory of the access device. For rules on customizing authentication pages, see "Customizing authentication pages."

Configuring advanced parameters for portal authentication

1. Select Authentication > Portal from the navigation tree.
2. Expand the Advanced area to show the advanced parameters for portal authentication.

Figure 419 Advanced configuration

3. Configure the advanced parameters as described in Table 132.
4. Click Apply.

Table 132 Advanced portal parameters

Web Proxy Server Ports
  Add the web proxy server ports to allow HTTP requests proxied by the specified proxy servers to trigger portal authentication. By default, only HTTP requests that are not proxied can trigger portal authentication.
  Different clients may have different web proxy configurations. To make sure that clients using a web proxy can trigger portal authentication, you must first complete some other relevant configurations. When the IMC portal server is used, you must first complete the following configurations:
  • If the client does not specify the portal server's IP address as a proxy exception, ensure IP connectivity between the portal server and the web proxy server and perform the following configurations on the IMC portal server:
    - Select NAT as the type of the IP group associated with the portal device.
    - Specify the proxy server's IP address as the IP address after NAT.
    - Configure the port group to support NAT.
  • If the client specifies the portal server's IP address as an exception of the web proxy server, configure the IP group and port group to not support NAT.
  IMPORTANT:
  • If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover web proxy servers, add the port numbers of the web proxy servers on the device, and configure portal-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication.
  • If web proxy server port 80 is added on the device, clients that do not use a proxy server can trigger portal authentication only when they access a reachable host that has the HTTP service enabled.
  • Authorized ACLs to be assigned to users who have passed portal authentication must contain a rule that permits the web proxy server's IP address. Otherwise, the user cannot receive heartbeat packets from the remote portal server.

Redirection URL
  Specify the auto redirection URL to which users are automatically redirected after they pass portal authentication.
  To access the network, an unauthenticated user either goes to or is automatically forced to the portal authentication page for authentication. If the user passes portal authentication and the access device is configured with an auto redirection URL, the access device redirects the user to the URL after a specified period of time.

Wait-Time
  Period of time that the device must wait before redirecting an authenticated portal user to the auto redirection URL.

Configuring a portal-free rule

1. Select Authentication > Portal from the navigation tree.
2. Click the Free Rule tab.

Figure 420 Portal-free rule configuration

3. Click Add.
   The page for adding a new portal-free rule appears.

Figure 421 Adding a portal-free rule

4. Configure the portal-free rule as described in Table 133.
5. Click Apply.

Table 133 Configuration items

Number
  Specify the sequence number of the portal-free rule.

Source-interface
  Specify the source interface of the portal-free rule.
  The SSIDs in the list are the SSIDs of the corresponding wireless ESS interfaces.

Source IP address / Mask
  Specify the source IP address and mask of the portal-free rule.

Source MAC
  Specify the source MAC address of the portal-free rule.
  IMPORTANT:
  If you configure both the source IP address and the source MAC address, make sure that the mask of the specified source IP address is 255.255.255.255. Otherwise, the specified source MAC address does not take effect.

Source-VLAN
  Specify the source VLAN of the portal-free rule.
  IMPORTANT:
  If you configure both a source interface and a source VLAN for a portal-free rule, make sure that the source interface is in the source VLAN. Otherwise, the portal-free rule does not take effect.

Destination IP Address / Mask
  Specify the destination IP address and mask of the portal-free rule.
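The following is an added example, not code from H3C or this guide. It models how an access device treats one packet from a portal-enabled interface, combining the authentication-subnet rule per mode (Table 129), the web proxy server ports (Table 132), and portal-free rule matching with its two caveats (Table 133: a Source MAC only takes effect with a 255.255.255.255 mask, and a rule with both a source interface and a source VLAN is dead if the interface is not in that VLAN). Interface names, addresses, ports and packets are constructed for the scenario; the "drop non-HTTP traffic from unauthenticated clients" behaviour follows the statement that such clients can reach only the portal server before authentication.

```python
"""Added example (not H3C code): portal access-device decision for one packet.
All names, addresses and packets below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

IfVlans = Dict[str, Tuple[int, ...]]   # interface name -> VLANs it belongs to


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_mac: str = ""
    in_interface: str = ""
    vlan: int = 0


@dataclass
class FreeRule:
    """One portal-free rule (Table 133); None means the field was left unset."""
    number: int
    src_ip: Optional[str] = None          # "address/mask"
    src_mac: Optional[str] = None
    src_interface: Optional[str] = None
    src_vlan: Optional[int] = None
    dst_ip: Optional[str] = None          # "address/mask"

    def takes_effect(self, if_vlans: IfVlans) -> bool:
        # Both a source interface and a source VLAN: the interface must be in that VLAN.
        if self.src_interface and self.src_vlan is not None:
            return self.src_vlan in if_vlans.get(self.src_interface, ())
        return True

    def matches(self, pkt: Packet, if_vlans: IfVlans) -> bool:
        if not self.takes_effect(if_vlans):
            return False
        if self.src_ip and ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src_ip, strict=False):
            return False
        if self.src_mac:
            # The MAC is only enforced with a host mask (/32) on the source IP, else ignored.
            mac_effective = self.src_ip is None or ipaddress.ip_network(self.src_ip, strict=False).prefixlen == 32
            if mac_effective and pkt.src_mac.lower() != self.src_mac.lower():
                return False
        if self.src_interface and pkt.in_interface != self.src_interface:
            return False
        if self.src_vlan is not None and pkt.vlan != self.src_vlan:
            return False
        if self.dst_ip and ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst_ip, strict=False):
            return False
        return True


@dataclass
class PortalInterface:
    name: str
    method: str                           # "Direct", "Layer3" or "Re DHCP"
    redirect_url: str                     # portal server URL (Table 130 / Table 131)
    auth_subnet: Optional[str] = None     # Layer3 mode only
    private_subnet: Optional[str] = None  # Re-DHCP: subnet of the interface's private IP
    proxy_ports: Tuple[int, ...] = ()     # web proxy server ports (Table 132)


def on_auth_subnet(iface: PortalInterface, src_ip: str) -> bool:
    """Table 129: Direct = any source; Re-DHCP = the private subnet; Layer3 = the configured subnet."""
    if iface.method == "Direct":
        return True
    net = iface.private_subnet if iface.method == "Re DHCP" else iface.auth_subnet
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(net, strict=False)


def decide(iface: PortalInterface, pkt: Packet, rules: List[FreeRule],
           authenticated: Set[str], if_vlans: IfVlans) -> str:
    """Return 'forward', 'drop' or 'redirect <url>' for one packet."""
    if pkt.src_ip in authenticated:
        return "forward"
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt, if_vlans):
            return "forward"                # portal-free traffic never triggers portal
    if pkt.dst_port != 80 and pkt.dst_port not in iface.proxy_ports:
        return "drop"                       # only HTTP (direct, or via an added proxy port) can trigger
    if not on_auth_subnet(iface, pkt.src_ip):
        return "drop"                       # HTTP from outside the authentication subnet is discarded
    return "redirect " + iface.redirect_url


def demo() -> Dict[str, str]:
    """Constructed scenario: Layer3 portal on Vlan-interface2, auth subnet 10.1.0.0/16, proxy port 8080."""
    iface = PortalInterface("Vlan-interface2", "Layer3", "https://192.168.1.1/portal/logon.htm",
                            auth_subnet="10.1.0.0/16", proxy_ports=(8080,))
    rules = [
        FreeRule(0, src_interface="GigabitEthernet1/0/1"),                  # wired port, as in the example
        FreeRule(1, dst_ip="192.0.2.53/32"),                                # DNS server for URL name resolution
        FreeRule(2, src_ip="10.1.3.0/24", src_mac="00-11-22-33-44-55"),     # mask is not /32: MAC ignored
        FreeRule(3, src_ip="10.1.4.4/32", src_mac="00-11-22-33-44-66"),     # host mask: MAC enforced
        FreeRule(4, src_interface="GigabitEthernet1/0/2", src_vlan=3),      # GE1/0/2 not in VLAN 3: dead rule
    ]
    if_vlans = {"GigabitEthernet1/0/1": (3,), "GigabitEthernet1/0/2": (2,)}
    authed = {"10.1.1.99"}
    pkts = {
        "http_on_subnet": Packet("10.1.1.5", "198.51.100.10", 80, vlan=2),
        "proxied_http": Packet("10.1.1.5", "198.51.100.20", 8080, vlan=2),
        "https_unauth": Packet("10.1.1.5", "198.51.100.10", 443, vlan=2),
        "http_off_subnet": Packet("10.2.0.7", "198.51.100.10", 80, vlan=2),
        "dns": Packet("10.1.1.5", "192.0.2.53", 53, vlan=2),
        "wired_port": Packet("10.9.9.9", "198.51.100.10", 80, in_interface="GigabitEthernet1/0/1", vlan=3),
        "mac_ignored": Packet("10.1.3.9", "198.51.100.10", 80, src_mac="de-ad-be-ef-00-01", vlan=2),
        "mac_mismatch": Packet("10.1.4.4", "198.51.100.10", 80, src_mac="de-ad-be-ef-00-02", vlan=2),
        "dead_rule": Packet("10.1.5.5", "198.51.100.10", 80, in_interface="GigabitEthernet1/0/2", vlan=3),
        "already_authed": Packet("10.1.1.99", "198.51.100.10", 443, vlan=2),
    }
    return {name: decide(iface, p, rules, authed, if_vlans) for name, p in pkts.items()}
```

Two results are worth noting when you plan rules: the packet from 10.1.3.9 is passed although its MAC does not match rule 2 (the /24 mask disables the MAC check), and rule 4 never matches because GigabitEthernet1/0/2 is not in VLAN 3, so that client is redirected instead of being exempted.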

Customizing authentication pages

When the local portal server is used for portal authentication, the local portal server pushes authentication pages to users. You can customize the authentication pages. If you do not customize the authentication pages, the local portal server pushes the system default authentication pages to users.
Customized authentication pages exist in the form of HTML files. You can compress them and then upload them to the access device. A set of authentication pages includes six main pages and some page elements. The six main pages are the logon page, the logon success page, the logon failure page, the online page, the system busy page, and the logoff success page. The page elements are the files that the authentication pages reference, for example, back.jpg for page Logon.htm. Each main authentication page can reference multiple page elements. If you define only some of the main pages, the local portal server pushes the system default authentication pages for the undefined ones to users.
For the local portal server to operate normally and stably, you must follow these rules when customizing authentication pages.

Rules on file names

The main pages of the authentication pages have predefined file names, which cannot be changed.

Table 134 Main authentication page file names

Logon page: logon.htm
Logon success page: logonSuccess.htm
Logon failure page: logonFail.htm
Online page: online.htm (pushed for online state notification)
System busy page: busy.htm (pushed when the system is busy or the user is in the logon process)
Logoff success page: logoffSuccess.htm

NOTE:
You can name the files other than the main page files as you like. File names and directory names are case insensitive.

Rules on page requests

The local portal server supports only Post and Get requests.
• Get requests are used to get the static files in the authentication pages and allow no recursion. For example, if file Logon.htm includes contents that perform a Get action on file ca.htm, file ca.htm cannot include any reference to file Logon.htm.
• Post requests are used when users submit usernames and passwords, log on to the system, and log off from the system.

Rules on Post request attributes

1. Observe the following requirements when editing a form of an authentication page:
   • An authentication page can have multiple forms, but there must be one and only one form whose action is logon.cgi. Otherwise, user information cannot be sent to the local portal server.
   • The username attribute is fixed as PtUser, and the password attribute is fixed as PtPwd.
   • Attribute PtButton is required to indicate the action that the user requests, which can be Logon or Logoff.
   • A logon Post request must contain the PtUser, PtPwd, and PtButton attributes.
   • A logoff Post request must contain the PtButton attribute.
2. Authentication pages logon.htm and logonFail.htm must contain the logon Post request.
   The following example shows part of the script in page logon.htm. The onclick handler appends the query string of the current page URL (location.search) to the form action, so that whatever parameters the page was opened with are passed on to logon.cgi:

<form action="logon.cgi" method="post">
<p>User name:<input type="text" name="PtUser" style="width:160px;height:22px" maxlength="64">
<p>Password :<input type="password" name="PtPwd" style="width:160px;height:22px" maxlength="32">
<p><input type="submit" value="Logon" name="PtButton" style="width:60px;"
onclick="form.action=form.action+location.search;">
</form>

3. Authentication pages logonSuccess.htm and online.htm must contain the logoff Post request.
   The following example shows part of the script in page online.htm:

<form action="logon.cgi" method="post">
<p><input type="submit" value="Logoff" name="PtButton" style="width:60px;">
</form>

Rules on page file compression and saving

• A set of authentication page files must be compressed into a standard zip file. The name of a zip file can contain only letters, digits, and underscores. The zip file of the default authentication pages must be saved with the name defaultfile.zip.
• The set of authentication pages must be located in the root directory of the zip file.
• Zip files can be transferred to the device through FTP or TFTP. The default authentication pages file must be saved in the root directory of the device, and customized authentication page files can be saved in the root directory or in the portal directory under the root directory of the device.

Rules on file size and contents

For the system to push customized authentication pages smoothly, you must comply with the following size and content requirements on authentication pages.
• The size of the zip file of each set of authentication pages, including the main authentication pages and the page elements, must be no more than 500 KB.
• The size of a single page, including the main authentication page and the page elements, must be no more than 50 KB before being compressed.
• Page elements can contain only static contents such as HTML, JS, CSS, and pictures.
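The following is an added example, not H3C's tooling, that checks a page set against the rules above (fixed main page names, zip name and root-directory layout, size limits, static-only elements, and the logon/logoff Post forms with PtUser, PtPwd and PtButton on exactly one logon.cgi form) before you upload it with FTP or TFTP. The sample pages and zips are constructed in the block; reading the "single page" limit as the main page plus the local files it references through src and href is this example's interpretation; and pt_private.js is treated as a file the device supplies, so it is not included in the sample set.

```python
"""Added example (not H3C code): validate a customized authentication page set
against the rules in this section. Sample pages are constructed below."""
import io
import re
import zipfile
from html.parser import HTMLParser
from typing import Dict, List, Optional

MAIN_PAGES = {"logon.htm", "logonsuccess.htm", "logonfail.htm",
              "online.htm", "busy.htm", "logoffsuccess.htm"}   # fixed names, case insensitive
LOGON_FORM_PAGES = {"logon.htm", "logonfail.htm"}       # must carry the logon Post request
LOGOFF_FORM_PAGES = {"logonsuccess.htm", "online.htm"}  # must carry the logoff Post request
STATIC_EXT = {"htm", "html", "js", "css", "jpg", "jpeg", "gif", "png", "bmp", "ico"}
MAX_ZIP_BYTES, MAX_PAGE_BYTES = 500 * 1024, 50 * 1024
ZIP_NAME_RE = re.compile(r"^[A-Za-z0-9_]+\.zip$")


class FormScanner(HTMLParser):
    """Collects the inputs (name -> value) of every form whose action is logon.cgi,
    plus the local files a page references via src/href (counted into its size)."""
    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict[str, str]] = []
        self.refs: List[str] = []
        self._form: Optional[Dict[str, str]] = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {} if a.get("action", "").strip().lower() == "logon.cgi" else None
            if self._form is not None:
                self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form[a["name"]] = a.get("value", "")
        for key in ("src", "href"):
            ref = a.get(key, "")
            if ref and "://" not in ref and not ref.startswith(("#", "javascript:")):
                self.refs.append(ref)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def validate_page_set(zip_name: str, zip_bytes: bytes) -> List[str]:
    """Return the rule violations found; an empty list means the set can be uploaded."""
    errors: List[str] = []
    if not ZIP_NAME_RE.match(zip_name):
        errors.append(f"{zip_name}: zip name may contain only letters, digits and underscores")
    if len(zip_bytes) > MAX_ZIP_BYTES:
        errors.append(f"{zip_name}: zip exceeds 500 KB")
    files: Dict[str, bytes] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or "/" in info.filename or "\\" in info.filename:
                errors.append(f"{info.filename}: pages must sit in the root directory of the zip")
                continue
            files[info.filename.lower()] = zf.read(info.filename)
    for name in files:
        if name.rsplit(".", 1)[-1] not in STATIC_EXT:
            errors.append(f"{name}: page elements may contain only static HTML, JS, CSS and pictures")
    for name in sorted(MAIN_PAGES.intersection(files)):
        scanner = FormScanner()
        scanner.feed(files[name].decode("utf-8", "replace"))
        total = len(files[name]) + sum(len(files.get(r.lower(), b"")) for r in scanner.refs)
        if total > MAX_PAGE_BYTES:
            errors.append(f"{name}: page plus its elements exceeds 50 KB uncompressed")
        wanted = "Logon" if name in LOGON_FORM_PAGES else "Logoff" if name in LOGOFF_FORM_PAGES else None
        if wanted is None:
            continue                                    # busy.htm and logoffSuccess.htm need no form
        if len(scanner.forms) != 1:
            errors.append(f"{name}: exactly one form with action logon.cgi is required, found {len(scanner.forms)}")
            continue
        if scanner.forms[0].get("PtButton") != wanted:
            errors.append(f"{name}: PtButton must be {wanted}")
        for field in (("PtUser", "PtPwd") if wanted == "Logon" else ()):
            if field not in scanner.forms[0]:
                errors.append(f"{name}: logon form is missing {field}")
    return errors


# Constructed sample forms, following the snippets shown in this section.
LOGON_FORM = ('<form action="logon.cgi" method="post"><p>User name:<input type="text" name="PtUser">'
              '<p>Password :<input type="password" name="PtPwd"><p><input type="submit" value="Logon" '
              'name="PtButton" onclick="form.action=form.action+location.search;"></form>')
LOGOFF_FORM = '<form action="logon.cgi" method="post"><p><input type="submit" value="Logoff" name="PtButton"></form>'


def build_zip(files: Dict[str, str]) -> bytes:
    """Pack constructed pages into an in-memory zip with every file in the root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


def demo() -> Dict[str, List[str]]:
    """A valid set (ssid1.zip) and one that breaks four rules (my-pages.zip)."""
    good = build_zip({"logon.htm": LOGON_FORM, "logonFail.htm": "Failed. " + LOGON_FORM,
                      "logonSuccess.htm": '<script src="pt_private.js"></script>' + LOGOFF_FORM,
                      "online.htm": LOGOFF_FORM, "style.css": "body { font-family: sans-serif; }"})
    bad = build_zip({"logon.htm": LOGON_FORM.replace('name="PtPwd"', 'name="password"'),
                     "online.htm": "<html><body>no form here</body></html>", "helper.php": "<?php echo 1; ?>"})
    return {"ssid1.zip": validate_page_set("ssid1.zip", good), "my-pages.zip": validate_page_set("my-pages.zip", bad)}
```

The second set is rejected for four reasons: the hyphen in the zip name, a non-static helper.php, a logon form without PtPwd, and an online.htm with no logon.cgi form at all. Run the check on defaultfile.zip as well, since the default set is subject to the same rules.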

Logging off a user who closes the logon success or online page
After a user passes authentication, the system pushes the logon success page logonSuccess.htm to the user. If the user initiates another authentication through the logon page, the system pushes the online page online.htm. You can configure the device to forcibly log off the user when the user closes either of these two pages. To do so, add the following contents in logonSuccess.htm and online.htm:
1. A reference to file pt_private.js.
2. pt_unload(), the function for triggering page unloading.
3. pt_submit(), the event handler function for the form.
4. pt_init(), the function for triggering page loading.
The following is a script example. The added contents are the script reference in the head, the onload and onbeforeunload handlers on the body, and the onsubmit handler on the form:
<html>
<head>
<script type="text/javascript" language="javascript" src="pt_private.js"></script>
</head>
<body onload="pt_init();" onbeforeunload="return pt_unload();">
... ...
<form action="logon.cgi" method="post" onsubmit="pt_submit()">
... ...
</form>
</body>
</html>

Redirecting authenticated users to a specified web page

To make the device automatically redirect authenticated users to a specified web page, do the following in logon.htm and logonSuccess.htm:
1. In logon.htm, set the target attribute of the form object to blank:
<form method="post" action="logon.cgi" target="blank">
2. Add the page loading function pt_init() to logonSuccess.htm:
<html>
<head>
<title>LogonSuccessed</title>
<script type="text/javascript" language="javascript" src="pt_private.js"></script>
</head>
<body onload="pt_init();" onbeforeunload="return pt_unload();">
... ...
</body>
</html>

NOTE:
• H3C recommends using browser IE 6.0 or later on the authentication clients.
• Make sure that the browser of an authentication client permits pop-ups, or at least permits pop-ups from the access device. Otherwise, the user cannot log off by closing the logon success or online page and can only click Cancel to return to the logon success or online page.
• If a user refreshes the logon success or online page, or jumps to another web site from either of the pages, the device also logs off the user.
• If a user is using the Chrome browser, the device cannot log off the user when the user closes the logon success or online page.

Portal authentication configuration example

Network requirements
As shown in Figure 422, the wireless client belongs to VLAN 2. It accesses the network through the AP, which belongs to VLAN 3. The AP model is WA2100 and its serial ID is 210235A29G007C00002.
The AC supports the local portal server, which runs HTTPS. The local portal server can push the corresponding customized pages according to the SSID of the user logon interface.
A RADIUS server (IMC server) serves as the authentication/accounting server.
The client must pass direct portal authentication to access unrestricted Internet resources. Before authentication, the client can access only the local portal server.
Figure 422 Network diagram

Configuration prerequisites
Complete the following tasks before you perform the portal configuration:
• Configure IP addresses for the devices as shown in Figure 422 and make sure they can reach each other.
• Configure PKI domain test, and make sure that a local certificate and a CA certificate are obtained successfully. For more information, see "Managing certificates."
• Complete the editing of the authentication page files to be bound with the client SSID.
• Configure the RADIUS server properly to provide authentication and accounting functions for users.
Configuring the AC
1. Configure the RADIUS scheme system:
   a. From the navigation tree, select Authentication > RADIUS.
   b. Click Add.
   c. On the page that appears, enter the scheme name system, select the server type Extended, and select Without domain name for Username Format.
   d. In the RADIUS Server Configuration area, click Add.
   e. On the page that appears, select Primary Authentication as the server type, enter the IP address 1.1.1.2, the port number 1812, and the key expert, enter expert again in the Confirm Key field, and click Apply.
      The RADIUS server configuration page closes, and the RADIUS Server Configuration area on the RADIUS scheme configuration page displays the authentication server you have just configured.
   f. In the RADIUS Server Configuration area, click Add.
   g. On the page that appears, select Primary Accounting as the server type, enter the IP address 1.1.1.2, the port number 1813, and the key expert, enter expert again in the Confirm Key field, and click Apply.
      The RADIUS server configuration page closes, and the RADIUS Server Configuration area on the RADIUS scheme configuration page displays the accounting server you have just configured.
   h. Click Apply.

Figure 423 Configuring the RADIUS scheme

2. Create ISP domain test, and configure it as the default domain:
   a. From the navigation tree, select Authentication > AAA.
      The Domain Setup tab appears.
   b. Enter the domain name test, and select Enable from the Default Domain list to use the domain test as the default domain.
   c. Click Apply.

Figure 424 Creating an ISP domain

3. Configure an authentication method for the ISP domain:
   a. Click the Authentication tab.
   b. Select the domain name test.
   c. Select the Default AuthN box and then select RADIUS as the authentication mode.
   d. Select system from the Name list to use it as the authentication scheme.
   e. Click Apply.
      A configuration progress dialog box appears.
   f. After the configuration process is complete, click Close.

Figure 425 Configuring the authentication method for the ISP domain

4. Configure an authorization method for the ISP domain:
   a. Click the Authorization tab.
   b. Select the Default AuthZ box and then select RADIUS as the authorization mode.
   c. Select system from the Name list to use it as the authorization scheme.
   d. Click Apply.
      A configuration progress dialog box appears.
   e. After the configuration process is complete, click Close.

Figure 426 Configuring the authorization method for the ISP domain

5. Configure an accounting method for the ISP domain:
   a. Click the Accounting tab.
   b. Select the domain name test.
   c. Select the Accounting Optional box, and then select Enable for this parameter.
   d. Select the Default Accounting box and then select RADIUS as the accounting mode.
   e. Select system from the Name list to use it as the accounting scheme.
   f. Click Apply.
      A configuration progress dialog box appears.
   g. After the configuration process is complete, click Close.

Figure 427 Configuring the accounting method for the ISP domain

6. Create an AP:
   a. From the navigation tree, select AP > AP Setup.
   b. Click Create.
   c. Enter the AP name ap1.
   d. Select model WA2100.
   e. Select the manual mode for serial ID and then enter the serial ID 210235A29G007C00002.
   f. Click Apply.

Figure 428 Creating an AP

7. Create a wireless service:
   a. From the navigation tree, select Wireless Service > Access Service.
   b. Click New.
   c. On the page that appears, enter the wireless service name abc, select clear as the wireless service type, and click Apply.
      The wireless service configuration page appears.

Figure 429 Creating a wireless service

   d. Enter 2 in the VLAN (Untagged) field, enter 2 in the Default VLAN field, and click Apply.
      A configuration progress dialog box appears.
   e. After the configuration process is complete, click Close.

Figure 430 Configuring parameters for the wireless service

8. Enable the wireless service:
   a. On the wireless service list shown in Figure 431, select the box before wireless service abc.
   b. Click Enable.
      A configuration progress dialog box appears.
   c. After the configuration process is complete, click Close.

Figure 431 Enabling the wireless service

9. Bind an AP radio with the wireless service:
   a. On the wireless service list, click the icon in the Operation column of wireless service abc.
   b. On the page that appears, select the box before ap1 with the radio mode of 802.11g.
   c. Click Bind.
      A configuration progress dialog box appears.
   d. After the configuration process is complete, click Close.

Figure 432 Binding an AP radio

10. Enable the radio:
   a. From the navigation tree, select Radio > Radio.
   b. Select the box before ap1 with the radio mode of 802.11g.
   c. Click Enable.

Figure 433 Enabling 802.11g radio

11. Configure portal authentication:
   a. From the navigation tree, select Authentication > Portal.
   b. Click Add.
   c. Select interface Vlan-interface2, select Enable Local Server for Portal Server, select Direct as the authentication method, select the authentication domain test, enter 192.168.1.1 as the server IP address, select HTTPS as the protocol type, select test as the PKI domain, select the box before Page Customization, and select the authentication page file ssid1.zip for SSID abc.
   d. Click Apply.

Figure 434 Portal service application

12. Configure a portal-free rule for Ethernet port GigabitEthernet 1/0/1:
   a. Click the Free Rule tab.
   b. Click Add.
   c. On the page that appears, enter the rule number 0, and select the source interface GigabitEthernet1/0/1.
   d. Click Apply.
Verifying the configuration

When a user accesses subnet 1.1.1.0/24, the user is redirected to page https://192.168.1.1/portal/logon.htm and, after entering the correct username and password on the web page, the user passes the authentication.

Configuring AAA
The web interface supports configuring Internet Service Provider (ISP) domains and configuring AAA
methods for ISP domains.

AAA overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions:
• Authentication: Identifies users and determines whether a user is valid.
• Authorization: Grants different users different rights and controls their access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
• Accounting: Records all network service usage information of users, including the service type, start time, and traffic. The accounting function not only provides the information required for charging, but also allows for network security surveillance.
AAA usually uses a client/server model. The client runs on the network access server (NAS) and the server maintains user information centrally. In an AAA network, a NAS is a server for users but a client for the AAA servers.
Figure 435 Network diagram for AAA

AAA can be implemented through multiple protocols. The device supports RADIUS, the most commonly used protocol in practice. For more information about RADIUS, see "Configuring RADIUS."
For more information about AAA and ISP domains, see H3C WA Series WLAN Access Points Security Configuration Guide.

Configuring AAA
Configuration prerequisites
• To deploy local authentication, configure local users on the access device as described in "Configuring users."
• To deploy remote authentication, authorization, or accounting, create the RADIUS schemes to be referenced as described in "Configuring RADIUS."

Recommended configuration procedure

Step 1. Configuring an ISP domain
  Optional.
  Create ISP domains and specify one of them as the default ISP domain.
  By default, there is an ISP domain named system, which is the default ISP domain.

Step 2. Configuring authentication methods for the ISP domain
  Optional.
  Configure authentication methods for various types of users.
  By default, all types of users use local authentication.

Step 3. Configuring authorization methods for the ISP domain
  Optional.
  Specify the authorization methods for various types of users.
  By default, all types of users use local authorization.

Step 4. Configuring accounting methods for the ISP domain
  Required.
  Specify the accounting methods for various types of users.
  By default, all types of users use local accounting.

Configuring an ISP domain

1. Select Authentication > AAA from the navigation tree.
   The Domain Setup page appears.
   AAA user types include LAN access users (such as 802.1X authentication users and MAC authentication users), login users (such as SSH, Telnet, FTP, and terminal access users), PPP users, portal users, and command users.

Figure 436 Domain Setup page

2. Configure an ISP domain as described in Table 135.
3. Click Apply.

Table 135 Configuration items

Domain Name
  Enter the ISP domain name, which identifies the domain.
  You can enter a new domain name to create a domain, or specify an existing domain to change its status (whether it is the default domain).

Default Domain
  Specify whether to use the ISP domain as the default domain. Options include:
  • Enable: Uses the domain as the default domain.
  • Disable: Uses the domain as a non-default domain.
  There can be only one default domain at a time. If you specify a second domain as the default domain, the original default domain becomes a non-default domain.
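The following is an added example, not H3C code, that puts the domain-selection rules in one place: a portal interface with an authentication domain bound to it (Table 129) wins and the @domain carried in the username is ignored; otherwise the username's @domain applies if present, else the default domain (Table 135); and a per-user-type method that is left at Not Set falls back to Default AuthN (Table 136). It also shows the Username Format setting "Without domain name" from step 1 of the configuration example stripping the @domain before the name goes to RADIUS. Domain and scheme names are constructed; treating a username whose @domain does not exist on the device as a failed lookup (None) is an assumption of this example, not a statement from the guide.

```python
"""Added example (not H3C code): ISP domain selection and authentication-method
fallback for one user. Domain and scheme names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Method = Tuple[str, Optional[str]]        # (method, scheme name or None)


@dataclass
class IspDomain:
    name: str
    default_authn: Method = ("local", None)                      # device default: local authentication
    per_type_authn: Dict[str, Method] = field(default_factory=dict)  # user type -> method; absent = Not Set

    def authn_for(self, user_type: str) -> Method:
        """Table 136: a type-specific method overrides Default AuthN; Not Set uses the default."""
        return self.per_type_authn.get(user_type, self.default_authn)


def select_domain(username: str, domains: Dict[str, IspDomain], default_domain: str,
                  interface_domain: Optional[str] = None) -> Optional[IspDomain]:
    """Table 129: an authentication domain bound to the interface wins and the @domain in the
    username is ignored. Otherwise use the username's @domain if present, else the default domain."""
    if interface_domain:
        return domains.get(interface_domain)
    if "@" in username:
        return domains.get(username.rsplit("@", 1)[1])   # assumption: an unknown @domain yields None
    return domains.get(default_domain)


def radius_username(username: str, strip_domain: bool) -> str:
    """Username Format 'Without domain name' on the RADIUS scheme drops '@domain' before sending."""
    if strip_domain and "@" in username:
        return username.rsplit("@", 1)[0]
    return username


def resolve(username: str, user_type: str, domains: Dict[str, IspDomain], default_domain: str,
            interface_domain: Optional[str] = None, strip_domain: bool = False):
    """Return (domain, method, scheme, name sent to the server), or None if no domain applies."""
    dom = select_domain(username, domains, default_domain, interface_domain)
    if dom is None:
        return None
    method, scheme = dom.authn_for(user_type)
    return (dom.name, method, scheme, radius_username(username, strip_domain))


def demo() -> Dict[str, object]:
    """Constructed domains: 'system' with device defaults, 'test' using RADIUS scheme 'system'
    for everyone except login users, who stay on local authentication."""
    domains = {
        "system": IspDomain("system"),
        "test": IspDomain("test", default_authn=("radius", "system"),
                          per_type_authn={"login": ("local", None)}),
    }
    return {
        "portal_iface_domain": resolve("alice", "portal", domains, "test", interface_domain="test", strip_domain=True),
        "portal_ignores_at": resolve("bob@guest", "portal", domains, "test", interface_domain="test", strip_domain=True),
        "unknown_domain": resolve("bob@guest", "portal", domains, "test"),
        "login_override": resolve("admin", "login", domains, "test"),
        "explicit_system": resolve("carol@system", "login", domains, "test"),
    }
```

The bob@guest case is the one to keep in mind: on a portal interface bound to domain test the user is authenticated in test against RADIUS scheme system as plain "bob", whereas the same username on an interface without a bound domain looks for a domain named guest, which does not exist here.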

Configuring authentication methods for the ISP domain


1.

Select Authentication > AAA from the navigation tree.

2.

Click the Authentication tab to enter the authentication method configuration page.

408

Figure 437 Authentication method configuration page

3.

Configure authentication methods for different types of users in the domain, as described in Table
136.

4.

Click Apply.
A configuration progress dialog box appears.

5.

After the configuration progress is complete, click Close.

Table 136 Configuration items

Select an ISP domain
  Select the ISP domain for which you want to specify authentication methods.

Default AuthN (Name, Secondary Method)
  Configure the default authentication method and secondary authentication method for all types of users. The secondary method takes effect only when the primary method cannot be carried out (for example, no server in the selected scheme responds); it is not tried after the primary method has rejected the user. Options include:
  - HWTACACS: Performs HWTACACS authentication. You must specify the HWTACACS scheme to be used.
  - Local: Performs local authentication.
  - None: All users are trusted and no authentication is performed. Generally, do not use this mode.
  - RADIUS: Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
  - Not Set: Restores the default, that is, local authentication.

LAN-access AuthN (Name, Secondary Method)
  Configure the authentication method and secondary authentication method for LAN access users. Options include:
  - Local: Performs local authentication.
  - None: All users are trusted and no authentication is performed. Generally, do not use this mode.
  - RADIUS: Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
  - Not Set: Uses the default authentication methods.

Login AuthN (Name, Secondary Method)
  Configure the authentication method and secondary authentication method for login users. Options include:
  - HWTACACS: Performs HWTACACS authentication. You must specify the HWTACACS scheme to be used.
  - Local: Performs local authentication.
  - None: All users are trusted and no authentication is performed. Generally, do not use this mode.
  - RADIUS: Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
  - Not Set: Uses the default authentication methods.

PPP AuthN (Name, Secondary Method)
  Configure the authentication method and secondary authentication method for PPP users. Options include:
  - HWTACACS: Performs HWTACACS authentication. You must specify the HWTACACS scheme to be used.
  - Local: Performs local authentication.
  - None: All users are trusted and no authentication is performed. Generally, do not use this mode.
  - RADIUS: Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
  - Not Set: Uses the default authentication methods.

Portal AuthN (Name)
  Configure the authentication method for Portal users. Options include:
  - Local: Performs local authentication.
  - None: All users are trusted and no authentication is performed. Generally, do not use this mode.
  - RADIUS: Performs RADIUS authentication. You must specify the RADIUS scheme to be used.
  - Not Set: Uses the default authentication methods.

Configuring authorization methods for the ISP domain

1. Select Authentication > AAA from the navigation tree.
2. Click the Authorization tab to enter the authorization method configuration page.

Figure 438 Authorization method configuration page

3. Configure authorization methods for different types of users in the domain, as described in Table 137.
4. Click Apply.
   A configuration progress dialog box appears.
5. After the configuration progress is complete, click Close.

Table 137 Configuration items

Select an ISP domain
  Select the ISP domain for which you want to specify authorization methods.

Default AuthZ (Name, Secondary Method)
  Configure the default authorization method and secondary authorization method for all types of users. Options include:
  - HWTACACS: Performs HWTACACS authorization. You must specify the HWTACACS scheme to be used.
  - Local: Performs local authorization.
  - None: All users are trusted and authorized. A user gets the default rights of the system.
  - RADIUS: Performs RADIUS authorization. You must specify the RADIUS scheme to be used. RADIUS delivers authorization attributes in the Access-Accept of the authentication exchange, so the scheme used here must be the same one used for RADIUS authentication.
  - Not Set: Restores the default, that is, local authorization.

LAN-access AuthZ (Name, Secondary Method)
  Configure the authorization method and secondary authorization method for LAN access users. Options include:
  - Local: Performs local authorization.
  - None: All users are trusted and authorized. A user gets the default rights of the system.
  - RADIUS: Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
  - Not Set: Uses the default authorization methods.

Login AuthZ (Name, Secondary Method)
  Configure the authorization method and secondary authorization method for login users. Options include:
  - HWTACACS: Performs HWTACACS authorization. You must specify the HWTACACS scheme to be used.
  - Local: Performs local authorization.
  - None: All users are trusted and authorized. A user gets the default rights of the system.
  - RADIUS: Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
  - Not Set: Uses the default authorization methods.

PPP AuthZ (Name, Secondary Method)
  Configure the authorization method and secondary authorization method for PPP users. Options include:
  - HWTACACS: Performs HWTACACS authorization. You must specify the HWTACACS scheme to be used.
  - Local: Performs local authorization.
  - None: All users are trusted and authorized. A user gets the default rights of the system.
  - RADIUS: Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
  - Not Set: Uses the default authorization methods.

Portal AuthZ (Name)
  Configure the authorization method for Portal users. Options include:
  - Local: Performs local authorization.
  - None: All users are trusted and authorized. A user gets the default rights of the system.
  - RADIUS: Performs RADIUS authorization. You must specify the RADIUS scheme to be used.
  - Not Set: Uses the default authorization methods.

Command AuthZ (Name)
  Configure the authorization method for command users. Options include:
  - HWTACACS: Performs HWTACACS authorization. You must specify the HWTACACS scheme to be used.
  - Not Set: Uses the default authorization methods.

Configuring accounting methods for the ISP domain

1. Select Authentication > AAA from the navigation tree.
2. Click the Accounting tab to enter the accounting method configuration page.

Figure 439 Accounting method configuration page

3. Configure accounting methods for different types of users in the domain, as described in Table 138.
4. Click Apply.
   A configuration progress dialog box appears.
5. After the configuration progress is complete, click Close.

Table 138 Configuration items

Select an ISP domain
  Select the ISP domain for which you want to specify accounting methods.

Accounting Optional
  Specify whether to enable the accounting optional feature.
  With the feature enabled, a user that would otherwise be disconnected can continue to use the network resources even when no accounting server is available or communication with the current accounting server fails. If accounting for such a user fails, the device no longer sends real-time accounting updates for the user, so the session is not recorded. Enable it only where keeping users online matters more than a complete accounting record.

Default Accounting (Name, Secondary Method)
  Configure the default accounting method and secondary accounting method for all types of users. Options include:
  - HWTACACS: Performs HWTACACS accounting. You must specify the HWTACACS scheme to be used.
  - Local: Performs local accounting.
  - None: Performs no accounting.
  - RADIUS: Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
  - Not Set: Restores the default, that is, local accounting.

LAN-access Accounting (Name, Secondary Method)
  Configure the accounting method and secondary accounting method for LAN access users. Options include:
  - Local: Performs local accounting.
  - None: Performs no accounting.
  - RADIUS: Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
  - Not Set: Uses the default accounting methods.

Login Accounting (Name, Secondary Method)
  Configure the accounting method and secondary accounting method for login users. Options include:
  - HWTACACS: Performs HWTACACS accounting. You must specify the HWTACACS scheme to be used.
  - Local: Performs local accounting.
  - None: Performs no accounting.
  - RADIUS: Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
  - Not Set: Uses the default accounting methods.

PPP Accounting (Name, Secondary Method)
  Configure the accounting method and secondary accounting method for PPP users. Options include:
  - HWTACACS: Performs HWTACACS accounting. You must specify the HWTACACS scheme to be used.
  - Local: Performs local accounting.
  - None: Performs no accounting.
  - RADIUS: Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
  - Not Set: Uses the default accounting methods.

Portal Accounting (Name)
  Configure the accounting method for Portal users. Options include:
  - Local: Performs local accounting.
  - None: Performs no accounting.
  - RADIUS: Performs RADIUS accounting. You must specify the RADIUS scheme to be used.
  - Not Set: Uses the default accounting methods.

AAA configuration example

Network requirements
As shown in Figure 440, configure the AC to perform local authentication, authorization, and accounting for Telnet users.

Figure 440 Network diagram

Configuration procedure
1. Configure a local user:
   a. Select Authentication > Users from the navigation tree.
      The local user management page appears.
   b. Click Add.
   c. Enter telnet as the username.
   d. Enter abcd as the password.
   e. Enter abcd again to confirm the password.
   f. Select Common User as the user type.
   g. Select Configure as the level.
   h. Select Telnet as the service type.
   i. Click Apply.
   Figure 441 Configuring the local user
2. Configure ISP domain test:
   a. Select Authentication > AAA from the navigation tree.
      The Domain Setup page appears, as shown in Figure 442.
   b. Enter test as the domain name.
   c. Click Apply.
   Figure 442 Configuring ISP domain test
3. Configure the ISP domain to use local authentication for login users:
   a. Select Authentication > AAA from the navigation tree.
   b. Click the Authentication tab.
   c. Select the domain test.
   d. Select the Login AuthN box and select the authentication method Local.
   e. Click Apply.
      A configuration progress dialog box appears.
   f. After the configuration progress is complete, click Close.
   Figure 443 Configuring the ISP domain to use local authentication
4. Configure the ISP domain to use local authorization for login users:
   a. Select Authentication > AAA from the navigation tree.
   b. Click the Authorization tab.
   c. Select the domain test.
   d. Select the Login AuthZ box and select the authorization method Local.
   e. Click Apply.
      A configuration progress dialog box appears.
   f. After the configuration progress is complete, click Close.
   Figure 444 Configuring the ISP domain to use local authorization
5. Log in to the CLI, enable the Telnet service, and configure the VTY user interfaces to use AAA (authentication-mode scheme) for Telnet users:

<AC> system-view
[AC] telnet server enable
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme
[AC-ui-vty0-4] quit

   Telnet carries the username and password in cleartext. Use it only on an isolated management network and prefer SSH for management access. SSH users are also login users, so the same Login AuthN and Login AuthZ settings apply to them, but the local user must additionally be granted the SSH service type.
6. Verify the configuration:
   Telnet to the AC and enter the username telnet@test and the password abcd. You should be serviced as a user in domain test.

Configuring RADIUS
RADIUS overview
The Remote Authentication Dial-In User Service (RADIUS) protocol implements Authentication,
Authorization, and Accounting (AAA). RADIUS uses the client/server model. It can protect networks
against unauthorized access and is often used in network environments where both high security and
remote user access are required. RADIUS defines the packet format and message transfer mechanism,
and uses UDP as the transport layer protocol for encapsulating RADIUS packets. It uses UDP port 1812
for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods, for example, Ethernet and ADSL.
RADIUS provides access authentication and authorization services, and its accounting function collects
and records network resource usage information.
For more information about AAA and RADIUS, see H3C WA Series WLAN Access Points Security
Configuration Guide.
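The following Python script, an added example rather than code from this guide or from H3C, shows what the shared key referred to throughout this chapter actually protects on the wire. It builds an Access-Request for a constructed user (username hello, password abc, shared key expert, and a fixed Request Authenticator in place of the 16 random bytes a real client would generate), masks the User-Password attribute as RFC 2865 specifies, and verifies the server's Access-Accept by recomputing the Response Authenticator. The username is readable in the packet; only the password is masked, and a response forged with a different key fails the check.

```python
"""RADIUS Access-Request / Access-Accept exchange with a shared key (RFC 2865).

Added example, not part of the original guide. The key, username, password
and Request Authenticator below are constructed for illustration.
"""
import hashlib
import hmac
import struct

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
AUTH_PORT, ACCT_PORT = 1812, 1813            # UDP ports named in the text

SHARED_KEY = b"expert"                       # constructed: same key as the page's example
REQUEST_AUTHENTICATOR = bytes(range(16))     # constructed: a real client uses 16 random bytes


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (header included), value."""
    return bytes([attr_type, 2 + len(value)]) + value


def obfuscate_password(password: bytes, key: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(key + previous ciphertext block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(key + prev).digest()
        block = bytes(p ^ q for p, q in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def recover_password(blob: bytes, key: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the XOR chain and strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        pad = hashlib.md5(key + prev).digest()
        out += bytes(p ^ q for p, q in zip(blob[i:i + 16], pad))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username: str, password: str, key: bytes,
                         ident: int, request_auth: bytes) -> bytes:
    """Header (code, identifier, length) + 16-byte Request Authenticator + attributes."""
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_USER_PASSWORD, obfuscate_password(password.encode(), key, request_auth))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes, key: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(header + RequestAuth + attributes + key)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + key).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request_ident: int, request_auth: bytes, key: bytes) -> bool:
    """Client side: the only integrity check the shared key gives a response.
    Rejects a truncated packet, an identifier that does not match the outstanding
    request, or an authenticator computed with a different key."""
    if len(response) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request_ident:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + key).digest()
    return hmac.compare_digest(expected, response[4:20])


def user_name_attr(packet: bytes) -> bytes:
    """Walk the attribute list and return User-Name, which travels in cleartext."""
    i = 20
    while i + 2 <= len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2:
            break
        if attr_type == ATTR_USER_NAME:
            return packet[i + 2:i + length]
        i += length
    return b""


if __name__ == "__main__":
    req = build_access_request("hello", "abc", SHARED_KEY, 7, REQUEST_AUTHENTICATOR)
    print("User-Name on the wire:", user_name_attr(req))
    accept = build_response(CODE_ACCESS_ACCEPT, 7, b"", REQUEST_AUTHENTICATOR, SHARED_KEY)
    print("Accept verifies with the right key:", verify_response(accept, 7, REQUEST_AUTHENTICATOR, SHARED_KEY))
    print("Accept verifies with a wrong key:", verify_response(accept, 7, REQUEST_AUTHENTICATOR, b"wrong"))
```

Two consequences for the settings in this chapter: the shared key is a password-equivalent for the whole exchange, so it should be long and random and must match on both ends, and because every attribute except User-Password is cleartext, RADIUS between the AC and the server belongs on a trusted management network or inside IPsec.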

Configuring a RADIUS scheme

A RADIUS scheme defines a set of parameters that the device uses to exchange information with the RADIUS servers. There might be authentication servers and accounting servers, or primary servers and secondary servers. The parameters mainly include the IP addresses of the servers, the shared keys, and the RADIUS server type. By default, no RADIUS scheme exists.

To configure a RADIUS scheme:
1. Select Authentication > RADIUS from the navigation tree.

Figure 445 RADIUS scheme list

2. Click Add.

Figure 446 RADIUS scheme configuration page

3. Enter a scheme name.
4. Select a server type and a username format.

Table 139 Configuration items

Server Type
  Select the type of the RADIUS servers supported by the device, which can be:
  - Standard: Specifies a standard RADIUS server. The RADIUS client and RADIUS server communicate by using the standard RADIUS protocol and packet format defined in RFC 2865/2866 or later.
  - Extended: Specifies an extended RADIUS server (usually running on IMC). The RADIUS client and the RADIUS server communicate by using the proprietary RADIUS protocol and packet format.

Username Format
  Select the format of usernames to be sent to the RADIUS server.
  A username is generally in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs. If a RADIUS server (such as a RADIUS server of some early version) does not accept a username that contains an ISP domain name, you can configure the device to remove the domain name from a username before sending it to the RADIUS server.
  - Original format: Sends the username of a user on an "as is" basis.
  - With domain name: Includes the domain name in the username sent to the RADIUS server.
  - Without domain name: Removes the domain name from the username sent to the RADIUS server.
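Added example, not code from this guide: the Python below models the Domain Setup page (at most one default domain, a second default demotes the first) together with the Username Format setting of a RADIUS scheme, so you can predict which ISP domain the AC selects for a login name and what username the RADIUS server receives. The domain names test and bbb and the login names are those used in this chapter's examples; the class and function names are this example's own.

```python
"""ISP domain selection and the RADIUS scheme's Username Format option.

Added example, not part of the guide. Domain names are the ones used in the
chapter's examples; everything else is this example's own naming.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ORIGINAL, WITH_DOMAIN, WITHOUT_DOMAIN = "original", "with-domain", "without-domain"


@dataclass
class IspDomain:
    name: str
    is_default: bool = False


class DomainTable:
    """Mirrors the Domain Setup page: named domains, at most one of them the default."""

    def __init__(self) -> None:
        self.domains: Dict[str, IspDomain] = {}

    def add(self, name: str) -> IspDomain:
        return self.domains.setdefault(name, IspDomain(name))

    def set_default(self, name: str) -> None:
        """Enable 'Default Domain' on one entry; any previous default is demoted."""
        target = self.add(name)
        for d in self.domains.values():
            d.is_default = d is target

    def default(self) -> Optional[str]:
        for d in self.domains.values():
            if d.is_default:
                return d.name
        return None

    def resolve(self, login_name: str) -> Tuple[str, str]:
        """Split userid@isp-name into (userid, domain). A name without '@' goes to
        the default domain, which is why the default domain's AAA methods apply to
        every bare username."""
        user_id, sep, isp = login_name.rpartition("@")
        if sep:
            if isp not in self.domains:
                raise LookupError(f"ISP domain {isp!r} does not exist")
            return user_id, isp
        dom = self.default()
        if dom is None:
            raise LookupError("no default ISP domain is configured")
        return login_name, dom


def username_for_server(login_name: str, domain: str, fmt: str) -> str:
    """Apply the scheme's Username Format to decide what the RADIUS server sees."""
    user_id = login_name.rpartition("@")[0] if "@" in login_name else login_name
    if fmt == ORIGINAL:
        return login_name                 # sent exactly as typed
    if fmt == WITH_DOMAIN:
        return f"{user_id}@{domain}"      # domain appended even if the user omitted it
    if fmt == WITHOUT_DOMAIN:
        return user_id                    # domain stripped even if the user typed it
    raise ValueError(f"unknown username format {fmt!r}")


def wire_name(table: DomainTable, login_name: str, fmt: str) -> Tuple[str, str]:
    """Convenience: (domain the AC selects, username the AC sends to the server)."""
    _, domain = table.resolve(login_name)
    return domain, username_for_server(login_name, domain, fmt)


if __name__ == "__main__":
    table = DomainTable()
    table.add("test")
    table.set_default("bbb")
    for name in ("hello@bbb", "telnet"):
        for fmt in (ORIGINAL, WITH_DOMAIN, WITHOUT_DOMAIN):
            print(f"{name:10} {fmt:15} -> {wire_name(table, name, fmt)}")
```

The practical check this enables: the account name configured on the RADIUS server must equal the second element returned by wire_name() for the format you chose, not the name the user types.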

5. Click the expand button before Advanced in the Common Configuration area to expand the advanced configuration area.

Figure 447 Common configuration area

6. Configure the advanced parameters.

Table 140 Configuration items

Authentication Key, Confirm Authentication Key, Accounting Key, Confirm Accounting Key
  Set the shared key for RADIUS authentication packets and the shared key for RADIUS accounting packets.
  The shared key does not encrypt RADIUS packets. The RADIUS client and the RADIUS authentication/accounting server mix it into MD5 digests that authenticate responses (the Response Authenticator) and that mask the User-Password attribute; all other attributes, including usernames, are sent in cleartext. Only if the shared key of the client and that of the server are the same will the client and the server accept and respond to packets from each other. Use a long, random key, and carry RADIUS traffic over a trusted management network or an IPsec tunnel.
  IMPORTANT:
  The shared keys configured on the device must be consistent with those configured on the RADIUS servers.
  The shared keys configured in the common configuration part are used only when no corresponding shared keys are configured in the RADIUS server configuration part.

Quiet Time
  Set the time the device keeps an unreachable RADIUS server in blocked state.
  If you set the quiet time to 0, when the device needs to send an authentication or accounting request but finds that the current server is unreachable, it does not change the status it maintains for that server; it simply sends the request to the next server in active state. As a result, when the device needs to send a request of the same type for another user, it still tries the unreachable server first, because the server is still in active state.
  You can use this parameter to control whether the device changes the status of an unreachable server. For example, if you determine that the primary server is unreachable only because the device's port for connecting to the server is temporarily out of service or the server is busy, you can set the time to 0 so that the device uses the primary server as much as possible.

Server Response Timeout Time
  Set the RADIUS server response timeout time. If the device sends a RADIUS request to a RADIUS server but receives no response within the specified server response timeout time, it retransmits the request. Setting a proper value according to the network conditions helps improve system performance.

Request Transmission Attempts
  Set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request. If the number of transmission attempts exceeds the limit but the device still receives no response from the RADIUS server, the device considers the request a failure.
  IMPORTANT:
  The server response timeout time multiplied by the maximum number of RADIUS packet transmission attempts must not exceed 75.

Realtime Accounting Interval
  Set the interval for sending real-time accounting information. The interval must be a multiple of 3 (minutes).
  To implement real-time accounting, the device must periodically send real-time accounting packets to the accounting server for online users. Different real-time accounting intervals impose different performance requirements on the NAS and the RADIUS server. A shorter interval helps achieve higher accounting precision but requires higher performance. Use a longer interval when a large number of users (1000 or more) exist. For the recommended real-time accounting intervals, see "Configuration guidelines."

Realtime Accounting Attempts
  Set the maximum number of attempts for sending a real-time accounting request.

Unit for Data Flows
  Specify the unit for data flows sent to the RADIUS server, which can be byte, kilobyte, megabyte, or gigabyte.

Unit for Packets
  Specify the unit for data packets sent to the RADIUS server, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Enable EAP offload
  Enable or disable the EAP offload function.
  Some RADIUS servers do not support EAP authentication and cannot process EAP packets. In this case, the access device must preprocess the EAP packets received from clients; this is what the EAP offload function does. After receiving an EAP packet, an access device with EAP offload enabled first converts the authentication information in the EAP packet into the corresponding RADIUS attributes through its local EAP server, encapsulates them in a RADIUS request, and sends the request to the RADIUS server for authentication. When the RADIUS server receives the request, it analyzes the carried authentication information, encapsulates the authentication result in a RADIUS packet, and sends the packet back to the local EAP server on the access device, which completes the interaction with the client.
  Because the EAP exchange then terminates on the access device, the local EAP server and its PKI domain must be configured; see "Configuring the local EAP service."

Security Policy Server
  Specify the IP address of the security policy server.

RADIUS Packet Source IP
  Specify the source IP address for the device to use in RADIUS packets sent to the RADIUS server.
  H3C recommends that you use a loopback interface address instead of a physical interface address as the source IP address, because if the physical interface goes down, the response packets from the server cannot reach the device.

RADIUS Packet Backup Source IP
  Specify the backup source IP address for the device to use in RADIUS packets sent to the RADIUS server.
  In a stateful failover environment, the backup source IP address must be the source IP address that the remote device uses in RADIUS packets sent to the RADIUS server. Configuring the backup source IP address in a stateful failover environment makes sure that the backup device can receive the RADIUS packets sent by the RADIUS server when the master device fails.

Buffer stop-accounting packets
  Enable or disable buffering of stop-accounting requests for which no responses are received.

Stop-Accounting Attempts
  Set the maximum number of stop-accounting attempts.
  The maximum number of stop-accounting attempts, together with some other parameters, controls how the NAS deals with stop-accounting request packets. Suppose that the RADIUS server response timeout period is three seconds, the maximum number of transmission attempts is five, and the maximum number of stop-accounting attempts is 20. For each stop-accounting request, if the device receives no response within three seconds, it retransmits the request. If it receives no response after retransmitting the request five times, it considers the stop-accounting attempt a failure, buffers the request, and makes another stop-accounting attempt. If 20 consecutive attempts fail, the device discards the request.

Send accounting-on packets
  Enable or disable the accounting-on feature.
  The accounting-on feature enables a device to send accounting-on packets to the RADIUS servers after it reboots, making the servers forcibly log out the users who logged in through the device before the reboot.
  IMPORTANT:
  When enabling the accounting-on feature on a device for the first time, you must save the configuration so that the feature takes effect after the device reboots.

Accounting-On Interval
  Set the interval for sending accounting-on packets. This field is configurable only when the Send accounting-on packets option is selected.

Accounting-On Attempts
  Set the maximum number of accounting-on packet transmission attempts. This field is configurable only when the Send accounting-on packets option is selected.

Attribute Interpretation
  Enable or disable interpretation of the RADIUS Class attribute as CAR (committed access rate) parameters.

7. In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration page.

Figure 448 RADIUS server configuration page

8. Configure a RADIUS server for the RADIUS scheme as described in Table 141.
9. Click Apply to add the server to the RADIUS scheme.
10. Repeat step 7 through step 9 to add more RADIUS servers to the RADIUS scheme.
11. On the RADIUS scheme configuration page, click Apply.

Table 141 Configuration items

Server Type
  Select the type of the RADIUS server to be configured. Possible values include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server.

IP Address
  Specify the IP address of the RADIUS server.

Port
  Specify the UDP port of the RADIUS server.

Key, Confirm Key
  Specify the shared key for communication with the RADIUS server. If no shared key is specified here, the shared key specified in the common configuration part is used.

RADIUS configuration example

Network requirements
As shown in Figure 449, a RADIUS server running on IMC uses UDP ports 1812 and 1813 to provide authentication and accounting services, respectively.
Configure the AC to use the RADIUS server for Telnet user authentication and accounting, and to remove domain names from the usernames sent to the server.
On the RADIUS server, configure a Telnet user account with the username hello@bbb and the password abc, and set the EXEC privilege level to 3 for the user. Because the scheme uses the Without domain name format, the AC sends the username hello to the server; make sure the account name on the server matches the username as the server receives it.
Set the shared keys for packet exchange between the AC and the RADIUS server to expert.

Figure 449 Network diagram

Configuration procedure
1. Configure RADIUS scheme system:
   a. Select Authentication > RADIUS from the navigation tree.
   b. Click Add.
   c. Enter the scheme name system, select the server type Extended, and select the username format Without domain name.
   d. In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration page.
   e. Select the server type Primary Authentication, enter 10.1.1.1 as the IP address of the primary authentication server, 1812 as the port number, and expert as the key, and click Apply to add the primary authentication server to the scheme.
   Figure 450 RADIUS authentication server configuration page
   f. In the RADIUS Server Configuration area, click Add to enter the RADIUS server configuration page again.
   g. Select Primary Accounting as the server type, enter 10.1.1.1 as the IP address of the primary accounting server, enter the port number 1813 and the key expert, and click Apply, as shown in Figure 451.
      The RADIUS scheme configuration page refreshes and the added servers appear in the server list, as shown in Figure 452.
   h. Click Apply to finish the scheme configuration.
   Figure 451 RADIUS accounting server configuration page
   Figure 452 RADIUS scheme configuration
2. Create an ISP domain:
   a. From the navigation tree, select Authentication > AAA.
      The Domain Setup page appears.
   b. Enter bbb in the Domain Name box.
   c. Click Apply.
   Figure 453 Creating an ISP domain
3. Configure an authentication method for the ISP domain:
   a. Click the Authentication tab.
   b. Select the domain name bbb.
   c. Select the Default AuthN box and then select the authentication mode RADIUS.
   d. Select the RADIUS scheme system from the Name list to use it as the authentication scheme.
   e. Click Apply.
      A configuration progress dialog box appears.
   f. After the configuration progress is complete, click Close.
   Figure 454 Configuring an authentication method for the ISP domain
4. Configure an authorization method for the ISP domain:
   a. Click the Authorization tab.
   b. Select the domain name bbb.
   c. Select the Default AuthZ box and select the authorization mode RADIUS.
   d. Select the RADIUS scheme system from the Name list to use it as the authorization scheme.
   e. Click Apply.
      A configuration progress dialog box appears.
   f. After the configuration progress is complete, click Close.
   Figure 455 Configuring an authorization method for the ISP domain
5. Configure an accounting method for the ISP domain, and enable accounting optional:
   a. Click the Accounting tab.
   b. Select the domain name bbb.
   c. Select the Accounting Optional box and then select Enable.
   d. Select the Default Accounting box and then select the accounting mode RADIUS.
   e. Select the RADIUS scheme system from the Name list to use it as the accounting scheme.
   f. Click Apply.
      A configuration progress dialog box appears.
   g. After the configuration progress is complete, click Close.
   Figure 456 Configuring an accounting method for the ISP domain
6. Enable the Telnet service:
   a. From the navigation tree, select Network > Service.
   b. Select the Enable Telnet service box.
   c. Click Apply.
   Figure 457 Enabling the Telnet service
7. Log in to the CLI, and configure the VTY user interfaces to use AAA for user access control:

<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] authentication-mode scheme
[AC-ui-vty0-4] quit

Verifying the configuration
Telnet to the AC and enter the username hello@bbb and the password abc. You can log in and access commands of levels 0 through 3.

Configuration guidelines
When you configure the RADIUS client, follow these guidelines:
- Accounting for FTP users is not supported.
- If you remove the accounting server used for online users, the device cannot send real-time accounting requests and stop-accounting messages for those users to the server, and the stop-accounting messages are not buffered locally.
- The status of RADIUS servers (blocked or active) determines which servers the device communicates with, or turns to when the current servers are not available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as backups of the primary server. Generally, the device chooses servers based on these rules:
  - When the primary server is in active state, the device communicates with the primary server. If the primary server fails, the device changes the state of the primary server to blocked, starts a quiet timer for the server, and turns to a secondary server in active state (a secondary server configured earlier has a higher priority). If the secondary server is unreachable, the device changes the state of the secondary server to blocked, starts a quiet timer for the server, and continues to check the next secondary server in active state. This search process continues until the device finds an available secondary server or has checked all secondary servers in active state. If the quiet timer of a server expires or an authentication or accounting response is received from the server, the status of the server changes back to active automatically, but the device does not check the server again during the same authentication or accounting process. If no server is found reachable during one search process, the device considers the authentication or accounting attempt a failure.
  - Once the accounting process of a user starts, the device keeps sending the user's real-time accounting requests and stop-accounting requests to the same accounting server. If you remove the accounting server, real-time accounting requests and stop-accounting requests for the user can no longer be delivered to the server.
  - If you remove an authentication or accounting server in use, communication between the device and the server soon times out, and the device looks for a server in active state from scratch: it checks the primary server (if any) first and then the secondary servers in the order they are configured.
  - When the primary server and secondary servers are all in blocked state, the device communicates with the primary server. If the primary server is available, its status changes to active. Otherwise, its status remains blocked.
  - If one server is in active state but all the others are in blocked state, the device only tries to communicate with the server in active state, even if that server is unavailable.
  - After receiving an authentication/accounting response from a server, the device changes the status of the server identified by the source IP address of the response to active if the current status of the server is blocked.
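To make the selection rules above concrete, the following Python simulation (an added example, not H3C code) implements them over one primary server and two secondaries with a 60 second quiet time. The server names, the clock values and the reachability pattern are constructed; a single reachable() call stands for the whole response-timeout times transmission-attempts cycle against one server, and a quiet time of 0 reproduces the "status never changes" behaviour described under Quiet Time in Table 140.

```python
"""Simulation of the RADIUS server selection rules (active/blocked state, quiet
timer, primary before secondaries). Added example, not H3C code; server names,
clock values and reachability patterns are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ACTIVE, BLOCKED = "active", "blocked"


@dataclass
class RadiusServer:
    name: str
    state: str = ACTIVE
    quiet_until: float = 0.0     # simulated clock value at which the quiet timer expires


class RadiusScheme:
    """servers[0] is the primary; the rest are secondaries in configuration order."""

    def __init__(self, primary: RadiusServer, secondaries: List[RadiusServer], quiet_time: float):
        self.servers = [primary] + list(secondaries)
        self.quiet_time = quiet_time

    def _expire_quiet_timers(self, now: float) -> None:
        # A blocked server returns to active automatically when its quiet timer expires.
        for s in self.servers:
            if s.state == BLOCKED and now >= s.quiet_until:
                s.state = ACTIVE

    def _mark_unreachable(self, s: RadiusServer, now: float) -> None:
        # Quiet time 0: never change the status of an unreachable server.
        # An already-blocked server (all-blocked case) simply stays blocked.
        if self.quiet_time > 0 and s.state == ACTIVE:
            s.state = BLOCKED
            s.quiet_until = now + self.quiet_time

    def send_request(self, now: float, reachable: Callable[[RadiusServer], bool]) -> Optional[str]:
        """One authentication or accounting request. reachable(server) models the full
        timeout x attempts cycle against that server: True if a response came back.
        Returns the name of the server that answered, or None if the request failed."""
        self._expire_quiet_timers(now)
        candidates = [s for s in self.servers if s.state == ACTIVE]
        if not candidates:
            candidates = [self.servers[0]]        # all blocked: only the primary is retried
        for s in candidates:                      # primary first, then secondaries in order
            if reachable(s):
                s.state = ACTIVE                  # a response always reactivates its sender
                return s.name
            self._mark_unreachable(s, now)        # each server is checked once per search
        return None                               # nobody answered: the attempt fails

    def states(self) -> Dict[str, str]:
        return {s.name: s.state for s in self.servers}


def only(*names: str) -> Callable[[RadiusServer], bool]:
    """Constructed reachability pattern: only the named servers respond."""
    return lambda s: s.name in names


if __name__ == "__main__":
    scheme = RadiusScheme(RadiusServer("primary"),
                          [RadiusServer("sec1"), RadiusServer("sec2")], quiet_time=60)
    for t, up in ((0, only("sec2")), (10, only("primary")), (20, only("primary")), (65, only("sec1"))):
        print(f"t={t:3}s answered by {scheme.send_request(t, up)!s:8} states={scheme.states()}")
```

The second step of the walk-through is the one that surprises people: at t=10 the primary is back, but it is still blocked, so the device talks only to the one active secondary and the request fails when that secondary does not answer. Only once every server is blocked (t=20) does the primary get probed again before its quiet timer runs out.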

- It is a good practice to use the recommended real-time accounting intervals listed in Table 142.

Table 142 Recommended real-time accounting intervals

Number of users    Real-time accounting interval (in minutes)
1 to 99            3
100 to 499         6
500 to 999         12
1000 or more       15

Configuring the local EAP service


In some simple application environments, you may want to use an access device to authenticate users
locally, instead of deploying AAA servers for user authentication. When the Extensible Authentication
Protocol (EAP) is used for user authentication, configure the local EAP authentication server to cooperate
with local authentication method of AAA for local EAP authentication. For more information about AAA,
see "Configuring AAA."

Configuration procedure
1. Select Authentication > Local EAP Server from the navigation tree.
   The Local EAP service configuration page appears.

Figure 458 Local EAP service configuration page

2. Configure the local EAP service as described in Table 143.
3. Click Apply.

Table 143 Configuration items


Item

Description
Enable or disable the EAP server.

Status

If the EAP server is enabled, the EAP authentication method and PKI domain
configurations are required.

432

Item

Description
Specify the EAP authentication methods, including:

MD5Uses Message Digest 5 (MD5) for authentication.


TLSUses the Transport Layer Security (TLS) protocol for authentication.
PEAP-MSCHAPV2Uses the Protected Extensible Authentication Protocol (PEAP) for
authentication and uses the Microsoft Challenge Handshake Authentication Protocol
version 2 (MSCHAPv2) for authentication in the established TLS tunnel.

PEAP-GTCUses the Protected Extensible Authentication Protocol (PEAP) for


authentication and uses the Microsoft Generic Token Card (GTC) for authentication
in the established TLS tunnel.
Method

When an EAP client and the local server communicate for EAP authentication, they first
negotiate the EAP authentication method to be used. During negotiation, the local
server prefers the authentication method with the highest priority from the EAP
authentication method list. If the client supports the authentication method, the
negotiation succeeds and they proceed with the authentication process. Otherwise, the
local server tries the one with the next highest priority until a supported one is found, or
if none of the authentication methods are found supported, the local server sends an
EAP-Failure packet to the client for notification of the authentication failure.
TIP:

You can select more than one authentication method. An authentication method
selected earlier has a higher priority.

PEAP-MSCHAPV2 and PEAP-GTC are mutually exclusive.


Specify the PKI domain for EAP authentication.

PKI domain

The available PKI domains are those configured on the page you enter by selecting
Authentication > Certificate Management. For more information, see "Managing
certificates."
NOTE:
The service management, local portal authentication, and local EAP service modules
always reference the same PKI domain. Changing the referenced PKI domain in any of the
three modules will also change that referenced in the other two modules.
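The method negotiation described for the Method item, modelled in Python as an added example (not H3C code): the server offers its selected methods in priority order, a client that does not support an offer is treated as rejecting it, and an exhausted list ends in EAP-Failure. The client capability set, the validation helper and the function names are assumptions of this example.

```python
"""Model of the local EAP server's method negotiation from Table 143.

Added example, not H3C code: the server offers the selected methods in
configured priority order (selected earlier = higher priority); a client that
does not support an offer is treated as rejecting it; when every offer is
rejected the server answers with EAP-Failure.
"""
from dataclasses import dataclass, field
from typing import List, Set

# EAP method types offered on the Local EAP Server page.
METHODS = ("MD5", "TLS", "PEAP-MSCHAPV2", "PEAP-GTC")
# The page states these two methods are mutually exclusive.
MUTUALLY_EXCLUSIVE = (frozenset({"PEAP-MSCHAPV2", "PEAP-GTC"}),)


def validate_selection(selected: List[str]) -> List[str]:
    """Apply the page's constraints to a Selected methods list.

    Returns the list unchanged, or raises ValueError explaining the problem.
    """
    if not selected:
        raise ValueError("at least one EAP method must be selected")
    unknown = [m for m in selected if m not in METHODS]
    if unknown:
        raise ValueError("unknown EAP method(s): %s" % unknown)
    if len(set(selected)) != len(selected):
        raise ValueError("an EAP method is selected more than once")
    for pair in MUTUALLY_EXCLUSIVE:
        if pair.issubset(selected):
            raise ValueError("%s are mutually exclusive" % " and ".join(sorted(pair)))
    return list(selected)


@dataclass
class Negotiation:
    """What happened during one negotiation, seen from the server's side."""
    offers: List[str] = field(default_factory=list)  # methods proposed, in order
    method: str = ""            # method agreed on, empty if none
    result: str = ""            # "proceed" or "EAP-Failure"


def negotiate(server_methods: List[str], client_supported: Set[str]) -> Negotiation:
    """Negotiate an EAP method the way Table 143 describes.

    server_methods: the Selected methods list, highest priority first.
    client_supported: methods the supplicant accepts (assumption of this model;
    any offer outside the set counts as rejected by the client).
    """
    nego = Negotiation()
    for method in validate_selection(server_methods):
        nego.offers.append(method)
        if method in client_supported:
            # Client accepted this offer: authentication proceeds with it.
            nego.method = method
            nego.result = "proceed"
            return nego
    # No supported method left: notify the client of the failure.
    nego.result = "EAP-Failure"
    return nego


def preferred_method(server_methods: List[str]) -> str:
    """Return the method a client that supports every offer ends up with.

    The server's ordering decides, so a list that puts MD5 before TLS hands
    out MD5 even to clients that could do TLS; review the ordering with this
    before applying a selection.
    """
    return negotiate(server_methods, set(METHODS)).method
```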

Local EAP service configuration example

Network requirements
As shown in Figure 459, configure the AC to perform local EAP authentication and authorization for 802.1X users by using the authentication method EAP-TLS.

Figure 459 Network diagram

Configuration procedure
NOTE:
To implement local EAP authentication and authorization for 802.1X users, make sure that port security is enabled and 802.1X authentication uses the EAP authentication mode.
To use the authentication method EAP-TLS, configure the network properties of the connection and the client certificate properly on the client.
For more information about how to configure the PKI domain test, request a local certificate, and retrieve a CA certificate, see "Managing certificates."

1. Configure local user usera:
   a. Select Authentication > Users from the navigation tree.
   b. Click Add.
   c. Enter the username usera and password 1234, and select the service type LAN-Access.
   d. Click Apply.

Figure 460 Local user configuration page

2. Configure the ISP domain system to use local authentication and local authorization.
   The ISP domain system uses local authentication and local authorization by default. For the configuration procedure, see "Configuring AAA."

3. Enable the EAP server, configure the authentication method as TLS, and the PKI domain as test:
   a. Select Authentication > Local EAP Server from the navigation tree.
   b. Select Enabled for Status.
   c. Select TLS from the Available methods list and click << to add TLS to the Selected methods list.
   d. Select test from the PKI domain list.
   e. Click Apply.

Figure 461 Configuring a local EAP server

4. Configure the AP:
   a. Select AP > AP Setup from the navigation tree.
   b. Click Add.
   c. Enter the AP name ap1.
   d. Select the device model WA2620-AGN.
   e. Select manual and enter the serial number in the following box.
   f. Click Apply.

Figure 462 Configuring the AP

5. Create the wireless service:
   a. Select Wireless Service > Access Service from the navigation tree.
   b. Click Add.
   c. Enter the wireless service name 802.1x-auth.
   d. Select the service type crypto.
   e. Click Apply.
   The wireless service configuration page appears.

Figure 463 Creating a wireless service

6. Configure the wireless service:
   a. Click the expand button before Security Setup to expand the configuration items.
   b. Select the authentication type Open-System.
   c. Select the Cipher Suite box, and then select AES-CCMP and TKIP (select a cipher suite according to your actual network requirements). Select WPA as the security IE.
   d. Click the expand button before Port Security to expand the configuration items.
   e. Select the Port Set box and select the port mode userlogin-secure-ext.
   f. Select the Mandatory Domain box, and then select system.
   g. Select the authentication method EAP.
   h. Disable handshake and multicast trigger.
   i. Click Apply. A configuration progress dialog box appears.
   j. When a dialog box appears asking for your confirmation to enable the EAP service, confirm the operation to proceed.
   k. After the configuration process is complete, click Close.

Figure 464 Wireless service configuration page

7. Enable the wireless service:
   a. On the access service list page, select the wireless service 802.1x-auth.
   b. Click Enable. A progress dialog box appears.
   c. After the configuration process is complete, click Close.

Figure 465 Enabling the wireless service

8. Bind the AP's radio mode with the wireless service:
   a. In the wireless service list, click the icon of the wireless service 802.1x-auth.
   b. Select the AP ap1 with the radio mode 802.11n(2.4GHz).
   c. Click Bind. A progress dialog box appears.
   d. After the configuration process is complete, click Close.

Figure 466 Binding the radio mode with the wireless service

9. Enable 802.11n(2.4GHz):
   a. Select Radio > Radio from the navigation tree.
   b. Select the AP ap1 with the radio mode 802.11n(2.4GHz).
   c. Click Enable.

Figure 467 Enabling 802.11n(2.4GHz)

Verifying the configuration
After the configuration, a client should be able to pass EAP authentication and access the wireless network. You can ping the client successfully from the AC.

Configuring users
Overview
This module allows you to configure local users, user groups, guests, and user profiles.

Local user
A local user represents a set of user attributes configured on a device (such as the user password, user type, service type, and authorization attribute), and is uniquely identified by the username. For a user requesting a network service to pass local authentication, you must add an entry as required in the local user database of the device. For more information about local authentication, see "Configuring AAA."

User group
A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group. All local users in a user group inherit the user attributes of the group, but if you configure user attributes for a local user, the settings of the local user take precedence over the settings for the user group.
By default, every newly added local user belongs to a user group named system, which is automatically created by the system.

Guest
A guest is a local user for specific applications. If Portal or LAN-access users need to access the network temporarily, you can establish a guest account for them and control access of the users as required.

User profile
A user profile is a configuration template for saving predefined configurations. You can configure different items such as Quality of Service (QoS) policy, rate limit, wireless service, and AP group for different user profiles to accommodate different application scenarios.
When accessing the device, a user needs to be authenticated. During the authentication process, the authentication server sends the user profile name to the device, which then enables the configurations in the user profile. After the user passes the authentication and accesses the device, the device restricts the user's access based on the configurations in the user profile. When the user logs out, the device automatically disables the configurations in the user profile, removing the restrictions on the user as a result. As the mechanism indicates, user profiles are for restricting online users' access. If no user is online (no user is accessing the network, no user has passed authentication, or all users have logged out), user profiles do not take effect.
With user profiles, you can:
- Make use of system resources more granularly. For example, you can apply a QoS policy on a per-user basis.
- Restrict users' access rate more flexibly. For example, you can deploy traffic policing on a per-user basis by defining a rate limit in user profiles.
- Restrict users' access more specifically. For example, you can deploy user access control on a per-wireless-service basis by defining an SSID in user profiles, or on a per-AP basis by defining APs in user profiles.

Configuring a local user
1. Select Authentication > Users from the navigation tree.
   The local user management page appears, displaying information about all local users including common users, security log administrators, guest administrators, and guests.
   NOTE:
   On the Local User tab, you can modify a guest user, but the user type changes to another one after your modification.

Figure 468 Local user list

2. Click Add.
   The local user configuration page appears. On this page, you can create a local user of any type except guest.

Figure 469 Local user configuration page

3. Configure a local user as described in Table 144.
4. Click Apply.

Table 144 Configuration items

Username
  Specify a name for the local user.

Password
Confirm
  Specify a password for the local user and confirm the password. The two passwords must be identical.
  IMPORTANT:
  It is a good practice to specify a password with no leading spaces. The spaces will be ignored, but they count at the user login page.

Group
  Select a user group for the local user.
  For information about user group configuration, see "Configuring a user group."

User Type
  Specify the user type for the local user:
  - Common User.
  - Security Log Admin: Users of this type can only manage security log files through the web interface. Only users of this type can manage security log files.
  - Guest Admin: Users of this type can only manage guest accounts through the web interface. They log in to the Authentication > User > Guest page to add, modify, or delete a guest user.

Level
  Select an authorization level for the local user, which can be Visitor, Monitor, Configure, or Management, in ascending order of priority. A local user has the rights of the specified level and all levels lower than the specified level (if any).
  - Visitor: A user of this level can perform ping and trace route operations but cannot read any data from the device or configure the device.
  - Monitor: A user of this level can read data from the device but cannot configure the device.
  - Configure: A user of this level can read data from the device and configure the device but cannot upgrade the device software, add/delete/modify users, or back up/restore configuration files.
  - Management: A user of this level can perform all operations except for security log file reading and management.
  IMPORTANT:
  This option is effective only for web, FTP, Telnet, and SSH users.

Service Type
  Select the service types for the local user to use, including FTP, Telnet, PPP, Portal, LAN access (accessing through the Ethernet, such as 802.1X users), and SSH.
  IMPORTANT:
  If you do not specify any service type for a local user who uses local authentication, the user cannot pass authentication and cannot log in.
  The service type of the guest administrator and security log administrator is web.
  The service type of the guest administrator and security log administrator is Portal and LAN-Access.

Expire-time
  Specify an expiration time for the local user.
  When authenticating a local user with the expiration time argument configured, the access device checks whether the expiration time has elapsed. If not, the device permits the user to log in.

VLAN
  Specify the VLAN to be authorized to the local user after the user passes authentication.
  IMPORTANT:
  This option is effective only for Portal and LAN-access users.

ACL
  Specify the ACL to be used by the access device to restrict the access of the local user after the user passes authentication.
  IMPORTANT:
  This option is effective only for PPP, Portal, and LAN-access users.

User-profile
  Specify the user profile for the local user.
  IMPORTANT:
  This option is effective only for PPP, Portal, and LAN-access users.

Configuring a user group
1. Select Authentication > Users from the navigation tree.
2. Click the User Group tab to display the existing user groups.

Figure 470 User group list

3. Click Add to enter the user group configuration page.

Figure 471 User group configuration page

4. Add a user group as described in Table 145.
5. Click Apply.

Table 145 Configuration items

Group-name
  Specify a name for the user group.

Level
  Select an authorization level for the user group, which can be Visitor, Monitor, Configure, or Management, in ascending order of priority.

VLAN
  Specify the VLAN to be authorized to a user in the user group after the user passes authentication.

ACL
  Specify the ACL to be used by the access device to restrict the access of a user in the user group after the user passes authentication.

User-profile
  Specify the user profile for the user group.

Allow Guest Accounts
  Specify whether to allow a guest to join the user group.
  IMPORTANT:
  User group system is an optional group of guest accounts by default, and cannot be modified.

Configuring a guest
Two categories of administrators can configure guests: guest administrators and administrators of the management level.
NOTE:
For information about user type and authorization level, see Table 144.

Procedure for a management level administrator to configure a guest
1. Select Authentication > Users from the navigation tree.
2. Click the Guest tab to display the guest information.

Figure 472 Guest list

3. Click Add to enter the guest configuration page.

Figure 473 Guest configuration page

4. Configure a single guest or a batch of guests as described in Table 146.
5. Click Apply.

Table 146 Configuration items

Create Users in a Batch
  Specify whether to create guests in a batch.

Username
  Specify a name for the guest when users are not created in a batch.

User-name(prefix)
  Specify the username prefix and number for guests to be created in a batch.
  For example, if you specify the username prefix as abc and the number as 50, 50 guests will be created, with the usernames abc0 through abc49.

Password
  Specify a password for the guest.

Same as the Username
  If you select this option, you do not need to enter the password and confirm password, and the guest password is the same as the username.

Confirm
  If you do not select the Same as the Username option, you must enter the password and confirm password, and they must be the same.
  IMPORTANT:
  If the password starts with a space, the space will be omitted.

Group
  Select a user group for the guest.
  For information about user group configuration, see "Configuring a user group."

ValidTime
  Specify a valid time range for the guest, including the start time and end time.
  When authenticating a local user with the valid time argument configured, the access device checks whether the valid time has elapsed. If not, the device permits the user to log in.

Procedure for a guest administrator to configure a guest
NOTE:
A guest administrator can only manage guests through the web interface.
1. Log in to the AC as a guest administrator and select Authentication > User from the navigation tree.
   The guest management page appears.

Figure 474 Guest management page

2. Click Add to enter the guest configuration page.

Figure 475 Guest configuration page

3. Configure the guest as described in Table 146.
4. Click Apply.

NOTE:
The guest accounts are also displayed in the local user list. You can click the icon of a guest in the list to edit the guest information and authorization attributes.

Configuring a user profile
1. Select Authentication > Users from the navigation tree.
2. Click the User Profile tab to display the existing user profiles.

Figure 476 User profile list

3. Click Add to enter the user profile name configuration page.

Figure 477 User profile name configuration item

4. Enter a name for the user profile.
5. Click Apply.
   The user profile configuration page appears.

Figure 478 User profile configuration page

6. Configure the profile as described in Table 147.
7. Click Apply.

Table 147 Configuration items

Userprofile name
  This field displays the user profile name.

Qos-out policy
  Select a QoS policy in the outbound direction.

Qos-in policy
  Select a QoS policy in the inbound direction.

limited-out rate
  Specify the rate limit in the outbound direction.

limited-in rate
  Specify the rate limit in the inbound direction.

Services permitted
  Specify the wireless services permitted in the user profile:
  Select the services in the Services list box and click the < button to add them to the Selected services list box.
  The available wireless services are those configured on the page you enter by selecting Wireless Service > Access Service. For more information, see "Access service configuration."

APs permitted
  Specify the APs permitted in the user profile:
  Select the APs in the APs list box and click the < button to add them to the Selected APs list box.
  The available APs are those you configured on the page you enter by selecting AP > AP Group. For more information, see "AP configuration."

8. On the page displaying the existing user profiles, select the option before the user profile to be enabled.
9. Click Enable.

NOTE:
By default, a newly added user profile is disabled.
A user profile takes effect and the authentication server notifies users of authentication results only after the user profile is enabled. Therefore, if you do not enable the user profile, users using the user profile will not be able to get online.
Only enabled user profiles can be referenced by users. Disabling a user profile logs out all users using the user profile.
Enabled user profiles cannot be modified or removed. To modify or remove an enabled user profile, you must disable it first.


Managing certificates
PKI overview
The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security through public key technologies, and it is the most widely applied encryption mechanism currently.
H3C's PKI system provides certificate management for IP Security (IPsec) and Secure Sockets Layer (SSL).
PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt data. The key pair consists of a private key and a public key. The private key must be kept secret but the public key needs to be distributed. Data encrypted by one of the two keys can only be decrypted by the other.
A key problem of PKI is how to manage the public keys. Currently, PKI employs the digital certificate mechanism to solve this problem. The digital certificate mechanism binds public keys to their owners, helping distribute public keys in large networks securely.
With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity.
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI has a wide range of applications. Here are some application examples:
- Secure email: Emails require confidentiality, integrity, authentication, and non-repudiation. PKI can address these needs. The secure email protocol that is currently developing rapidly is Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI and allows for transfer of encrypted mails with signature.
- Web security: For Web security, two peers can establish a Secure Sockets Layer (SSL) connection first for transparent and secure communications at the application layer. With PKI, SSL enables encrypted communications between a browser and a server. Both communication parties can verify the identity of each other through digital certificates.

NOTE:
For more information about PKI, see Security Configuration Guide.

Configuring PKI
The system supports the following PKI certificate request modes:
- Manual: In manual mode, you must retrieve a CA certificate, generate a local RSA key pair, and submit a local certificate request for an entity.
- Auto: In auto mode, an entity automatically requests a certificate through the Simple Certification Enrollment Protocol (SCEP) when it has no local certificate or the present certificate is about to expire.
You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes require different configurations.


Recommended configuration procedure for manual request

Step 1: Creating a PKI entity
  Required.
  Create a PKI entity and configure the identity information.
  A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by entity.
  The identity settings of an entity must be compliant with the CA certificate issue policy. Otherwise, the certificate request might be rejected.

Step 2: Creating a PKI domain
  Required.
  Create a PKI domain, setting the certificate request mode to Manual.
  Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain.
  A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.

Step 3: Generating an RSA key pair
  Required.
  Generate a local RSA key pair. By default, no local RSA key pair exists.
  Generating an RSA key pair is an important step in certificate request. The key pair includes a public key and a private key. The private key is kept by the user, and the public key is transferred to the CA along with some other information.
  IMPORTANT:
  If a local certificate already exists, you must remove the certificate before generating a new key pair, so as to keep the consistency between the key pair and the local certificate.

Step 4: Retrieving the CA certificate
  Required.
  Certificate retrieval serves the following purposes:
  - Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.
  - Prepare for certificate verification.
  IMPORTANT:
  If a local CA certificate already exists, you cannot perform the CA certificate retrieval operation. This avoids possible mismatch between certificates and registration information resulting from relevant changes. To retrieve the CA certificate, you must remove the CA certificate and local certificate first.

Step 5: Requesting a local certificate
  Required.
  When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate.
  A certificate request can be submitted to a CA in online mode or offline mode.
  - In online mode, if the request is granted, the local certificate will be retrieved to the local system automatically.
  - In offline mode, you must retrieve the local certificate by an out-of-band means.
  IMPORTANT:
  If a local certificate already exists, you cannot perform the local certificate retrieval operation. This avoids possible mismatch between the local certificate and registration information resulting from relevant changes. To retrieve a new local certificate, you must remove the CA certificate and local certificate first.

Step 6: Destroying the RSA key pair
  Optional.
  If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair. Otherwise, the certificate cannot be retrieved.
  Destroying the existing RSA key pair also destroys the corresponding local certificate.

Step 7: Retrieving and displaying a certificate
  Required if you request a certificate in offline mode.
  Retrieve an existing certificate and display its contents.
  IMPORTANT:
  - If you request a certificate in offline mode, you must retrieve the CA certificate and local certificate by an out-of-band means.
  - Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.

Step 8: Retrieving and displaying a CRL
  Optional.
  Retrieve a CRL and display its contents.

Recommended configuration procedure for automatic request

Step 1: Creating a PKI entity
  Required.
  Create a PKI entity and configure the identity information.
  A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by entity.
  The identity settings of an entity must be compliant with the CA certificate issue policy. Otherwise, the certificate request might be rejected.

Step 2: Creating a PKI domain
  Required.
  Create a PKI domain, setting the certificate request mode to Auto.
  Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain.
  A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.

Step 3: Destroying the RSA key pair
  Optional.
  If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair. Otherwise, the certificate cannot be retrieved.
  Destroying the existing RSA key pair also destroys the corresponding local certificate.

Step 4: Retrieving and displaying a certificate
  Optional.
  Retrieve an existing certificate and display its contents.
  IMPORTANT:
  - Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.
  - If a CA certificate already exists, you cannot retrieve another CA certificate. This restriction avoids inconsistency between the certificate and registration information due to related configuration changes. To retrieve a new CA certificate, remove the existing CA certificate and local certificate first.

Step 5: Retrieving and displaying a CRL
  Optional.
  Retrieve a CRL and display its contents.

Creating a PKI entity
1. Select Authentication > Certificate Management from the navigation tree.
   The PKI entity list page is displayed by default.

Figure 479 PKI entity list

2. Click Add to enter the PKI entity configuration page.

Figure 480 PKI entity configuration page

3. Configure the parameters as described in Table 148.
4. Click Apply.

Table 148 Configuration items

Entity Name
  Enter the name for the PKI entity.

Common Name
  Enter the common name for the entity.

IP Address
  Enter the IP address of the entity.

FQDN
  Enter the fully qualified domain name (FQDN) for the entity.
  An FQDN is a unique identifier of an entity on the network. It consists of a host name and a domain name and can be resolved to an IP address. For example, www.whatever.com is an FQDN, where www indicates the host name and whatever.com the domain name.

Country/Region Code
  Enter the country or region code for the entity.

State
  Enter the state or province for the entity.

Locality
  Enter the locality for the entity.

Organization
  Enter the organization name for the entity.

Organization Unit
  Enter the unit name for the entity.

Creating a PKI domain
1. Select Authentication > Certificate Management from the navigation tree.
2. Click the Domain tab.

Figure 481 PKI domain list

3. Click Add to enter the PKI domain configuration page.

Figure 482 PKI domain configuration page

4. Configure the parameters as described in Table 149.
5. Click Apply.

Table 149 Configuration items

Domain Name
  Enter the name for the PKI domain.

CA Identifier
  Enter the identifier of the trusted CA.
  An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility of certificate registration, distribution, revocation, and query.
  In offline mode, this item is optional. In other modes, this item is required.

Entity Name
  Select the local PKI entity.
  When submitting a certificate request to a CA, an entity needs to show its identity information.
  Available PKI entities are those that have been configured.

Institution
  Select the authority for certificate request:
  - CA: Indicates that the entity requests a certificate from a CA.
  - RA: Indicates that the entity requests a certificate from an RA.
  RA is recommended.

Requesting URL
  Enter the URL of the RA.
  The entity will submit the certificate request to the server at this URL through the SCEP protocol. The SCEP protocol is intended for communication between an entity and an authentication authority.
  In offline mode, this item is optional. In other modes, this item is required.
  IMPORTANT:
  This item does not support domain name resolution.

LDAP IP
Port
Version
  Enter the IP address, port number, and version of the LDAP server.
  In a PKI system, the storage of certificates and CRLs is a crucial problem, which is usually addressed by deploying an LDAP server.

Request Mode
  Select the online certificate request mode, which can be auto or manual.

Password Encrypt
  Select this box to display the password in cipher text.
  This box is available only when the certificate request mode is set to Auto.

Password
  Enter the password for certificate revocation.
  This item is available only when the certificate request mode is set to Auto.

Fingerprint Hash
Fingerprint
  Specify the fingerprint used for verifying the CA root certificate.
  After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity will reject the root certificate.
  - If you specify MD5 as the hash algorithm, enter an MD5 fingerprint. The fingerprint must be a string of 32 characters in hexadecimal notation.
  - If you specify SHA1 as the hash algorithm, enter an SHA1 fingerprint. The fingerprint must be a string of 40 characters in hexadecimal notation.
  - If you do not specify the fingerprint hash, do not enter any fingerprint. The entity will not verify the CA root certificate, and you yourself must make sure that the CA server is trusted.
  IMPORTANT:
  The fingerprint must be configured if you specify the certificate request mode as Auto. If you specify the certificate request mode as Manual, you can leave the fingerprint settings null. If you do not configure the fingerprint, the entity will not verify the CA root certificate and you yourself must make sure that the CA server is trusted.

Polling Count
Polling Interval
  Set the polling interval and attempt limit for querying the certificate request status.
  After an entity makes a certificate request, the CA might need a long period of time if it verifies the certificate request in manual mode. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed.

Enable CRL Checking
  Click this box to specify that CRL checking is required during certificate verification.

CRL Update Period
  Enter the CRL update period, that is, the interval at which the PKI entity downloads the latest CRLs.
  This item is available when the Enable CRL Checking box is selected.
  By default, the CRL update period depends on the next update field in the CRL file.

CRL URL
  Enter the URL of the CRL distribution point.
  This item is available when the Enable CRL Checking box is selected.
  When the URL of the CRL distribution point is not set, you should acquire the CA certificate and a local certificate, and then acquire a CRL through SCEP.
  IMPORTANT:
  This item does not support domain name resolution.
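A fingerprint check of the kind the Fingerprint Hash and Fingerprint items describe, written in Python as an added example (not H3C code): it enforces the 32/40 hexadecimal-character format on the configured value, compares it with the hash of the received root certificate, and reports the no-fingerprint case (allowed only in Manual mode) as an explicit "unverified" result instead of a silent acceptance. The certificate bytes are a constructed stand-in for real DER content, and the function names are this example's own.

```python
"""Fingerprint check on a received CA root certificate, modelled on the
Fingerprint Hash and Fingerprint items of Table 149.

Added example, not H3C code. SAMPLE_ROOT_DER and OTHER_ROOT_DER are constructed
stand-ins for certificate content; a real check hashes the DER-encoded root
certificate exactly as received from the CA.
"""
import hashlib
import hmac
import re
from typing import Optional

# Fingerprint length in hexadecimal characters for each supported hash.
FINGERPRINT_LEN = {"MD5": 32, "SHA1": 40}


def fingerprint(cert_der: bytes, algorithm: str) -> str:
    """Return the lowercase hex fingerprint (hash of the certificate content)."""
    algo = algorithm.upper()
    if algo not in FINGERPRINT_LEN:
        raise ValueError("unsupported fingerprint hash: %s" % algorithm)
    return hashlib.new(algo.lower(), cert_der).hexdigest()


def validate_configured_fingerprint(algorithm: str, configured: str) -> str:
    """Normalise a configured fingerprint and enforce the page's format rules.

    Colons and spaces (common in fingerprint displays) are stripped; the result
    must be exactly 32 (MD5) or 40 (SHA1) hexadecimal characters, otherwise
    every root certificate would be rejected for a typo in the configuration.
    """
    algo = algorithm.upper()
    if algo not in FINGERPRINT_LEN:
        raise ValueError("unsupported fingerprint hash: %s" % algorithm)
    expected_len = FINGERPRINT_LEN[algo]
    value = configured.replace(":", "").replace(" ", "").lower()
    if not re.fullmatch("[0-9a-f]{%d}" % expected_len, value):
        raise ValueError("%s fingerprint must be %d hexadecimal characters"
                         % (algo, expected_len))
    return value


def verify_root_certificate(cert_der: bytes,
                            algorithm: Optional[str] = None,
                            configured: Optional[str] = None,
                            request_mode: str = "Manual") -> str:
    """Decide whether a root certificate received from the CA is accepted.

    Returns:
      "verified"    a fingerprint is configured and matches the certificate
      "rejected"    a fingerprint is configured and does not match
      "unverified"  no fingerprint is configured; the page allows this only in
                    Manual mode, and trust then rests wholly on the CA server
    """
    if algorithm is None or configured is None:
        if request_mode.lower() == "auto":
            raise ValueError("Auto request mode requires a configured fingerprint")
        return "unverified"
    expected = validate_configured_fingerprint(algorithm, configured)
    actual = fingerprint(cert_der, algorithm)
    # Constant-time comparison; both strings have the same length here.
    return "verified" if hmac.compare_digest(actual, expected) else "rejected"


# Constructed stand-ins for DER-encoded root certificates (not real certs).
SAMPLE_ROOT_DER = b"CONSTRUCTED-ROOT-CERTIFICATE-CONTENT-1"
OTHER_ROOT_DER = b"CONSTRUCTED-ROOT-CERTIFICATE-CONTENT-2"
```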

Generating an RSA key pair
1. Select Authentication > Certificate Management from the navigation tree.
2. Click the Certificate tab.

Figure 483 Certificate configuration page

3. Click Create Key to enter the RSA key pair parameter configuration page.

Figure 484 Key pair parameter configuration page

4. Set the key length.
5. Click Apply.

Destroying the RSA key pair
1. Select Authentication > Certificate Management from the navigation tree.
2. Click the Certificate tab.
3. Click Destroy Key to enter the RSA key pair destruction page.
4. Click Apply to destroy the existing RSA key pair and the corresponding local certificate.

Figure 485 Key pair destruction page

Retrieving and displaying a certificate


You can download an existing CA certificate or local certificate from the CA server and save it locally.
To do so, you can use offline mode or online mode. In offline mode, you retrieve a certificate by an
out-of-band means such as FTP, disk, or email, and then import it into the local PKI system.
To retrieve a certificate:
1. Select Authentication > Certificate Management from the navigation tree.
2. Click the Certificate tab.
3. Click Retrieve Cert to enter the PKI certificate retrieval page.

Figure 486 PKI certificate retrieval page

4. Configure the parameters as described in Table 150.
5. Click Apply.

Table 150 Configuration items

Item
Description

Domain Name
Select the PKI domain for the certificate.

Certificate Type
Select the type of the certificate to be retrieved, which can be CA or local.

Enable Offline Mode
Click this box to retrieve a certificate in offline mode (that is, by an out-of-band means like
FTP, disk, or email) and then import the certificate into the local PKI system.

Get File From Device
Get File From PC
Specify the path and name of the certificate file if you retrieve the certificate in offline
mode.
If the certificate file is saved on the device, select Get File From Device and then specify
the path of the file on the device.
If the certificate file is saved on a local PC, select Get File From PC and then specify
the path to the file and select the partition of the device for saving the file.

Password
Enter the password for protecting the private key if you retrieve the certificate in offline
mode. The password was specified when the certificate was exported.

6. After retrieving a certificate, click View Cert corresponding to the certificate in the PKI
certificates list to display the contents of the certificate.

Figure 487 Certificate information

Requesting a local certificate


1. Select Authentication > Certificate Management from the navigation tree.
2. Click the Certificate tab.
3. Click Request Cert to enter the local certificate request page.

Figure 488 Local certificate request page

4. Configure the parameters as described in Table 151.

Table 151 Configuration items

Item
Description

Domain Name
Select the PKI domain for the certificate.

Password
Enter the password for certificate revocation.

Enable Offline Mode
Click this box to request a certificate in offline mode, that is, by an out-of-band
means like FTP, disk, or email.

5. Click Apply.
If you request the certificate in online mode, the system displays "Certificate request has been
submitted." Click OK. If you request the certificate in offline mode, the system displays the offline
certificate request information. You can submit the information to the CA by an out-of-band means.

Figure 489 Offline certificate request information page

Retrieving and displaying a CRL


1. Select Authentication > Certificate Management from the navigation tree.
2. Click the CRL tab.

Figure 490 CRL page

3. Click Retrieve CRL to retrieve the CRL of a domain.
4. Click View CRL for the domain to display the contents of the CRL.

Figure 491 CRL information

Certificate management configuration example


Network requirements
As shown in Figure 492, configure the AC as the PKI entity, so that:
• The AC submits a local certificate request to the CA server, which runs the RSA Keon software.
• The AC acquires CRLs for certificate verification.

Figure 492 Network diagram

Configuring the CA server

1. Create a CA server named myca.
In this example, you must first configure the basic attributes of Nickname and Subject DN on the
CA server: the nickname is the name of the trusted CA, and the subject DN is the DN attributes of
the CA, including the common name (CN), organization unit (OU), organization (O), and country
(C). Leave the default values of the other attributes.
2. Configure extended attributes.
After you configure the basic attributes, perform configuration on the Jurisdiction Configuration
page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP
autovetting function, and adding the IP address list for SCEP autovetting.
3. Configure the CRL publishing behavior.
After you complete the previous configuration, perform CRL related configurations.
In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to
http://4.4.4.133:447/myca.crl.
After this configuration, make sure that the system clock of the AC is synchronized with that of the CA,
so that the AC can request certificates and retrieve CRLs properly.

Configuring the AC
1. Create a PKI entity.
a. Select Authentication > Certificate Management from the navigation tree.
The PKI entity list page is displayed by default.
b. Click Add.
c. Enter aaa as the PKI entity name.
d. Enter ac as the common name.
e. Click Apply.

Figure 493 Configuring a PKI entity

2. Create a PKI domain.
a. Click the Domain tab.
b. Click Add.
c. Enter torsa as the PKI domain name.
d. Enter myca as the CA identifier.
e. Select aaa as the local entity.
f. Select CA as the authority for certificate request.
g. Enter http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for
certificate request. The URL must be in the format of http://host:port/Issuing Jurisdiction ID,
where Issuing Jurisdiction ID is the hexadecimal string generated on the CA.
h. Select Manual as the certificate request mode.
i. Click the expansion button before Advanced Configuration to display the advanced
configuration items.
j. Click the Enable CRL Checking box.
k. Enter http://4.4.4.133:447/myca.crl as the CRL URL.
l. Click Apply.
The system displays "Fingerprint of the root certificate not specified. No root certificate
validation will occur. Continue?"
m. Click OK.

Figure 494 Configuring a PKI domain

3. Generate an RSA key pair.
a. Click the Certificate tab.
b. Click Create Key to enter the key pair parameter configuration page.
c. Enter 1024 for the key length.
d. Click Apply to generate an RSA key pair.

Figure 495 Generating an RSA key pair

4. Retrieve the CA certificate.
a. Click the Certificate tab.
b. Click Retrieve Cert.
c. Select torsa as the PKI domain.
d. Select CA as the certificate type.
e. Click Apply.

Figure 496 Retrieving the CA certificate

5. Request a local certificate.
a. Click the Certificate tab.
b. Click Request Cert.
c. Select torsa as the PKI domain.
d. Select Password and then enter challenge-word as the password.
e. Click Apply.
The system displays "Certificate request has been submitted".
f. Click OK.

Figure 497 Requesting a local certificate

6. Retrieve the CRL.
a. Click the CRL tab.
b. Click Retrieve CRL for the PKI domain torsa.

Figure 498 Retrieving the CRL


Verifying the configuration


After the configuration, you can select Certificate Management > Certificate from the navigation tree to
view detailed information about the retrieved CA certificate and local certificate, or select Certificate
Management > CRL from the navigation tree to view detailed information about the retrieved CRL.

Configuration guidelines
When you configure PKI, note the following guidelines:
• Make sure the clocks of entities and the CA are synchronized. Otherwise, the validity period of
certificates will be abnormal.
• The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the
PKI entity identity information in a certificate request goes beyond a certain limit, the server will not
respond to the certificate request.
• The SCEP plug-in is required when you use the Windows Server as the CA. In this case, you need
to specify RA as the authority for certificate request when you configure the PKI domain.
• The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case, you
need to specify CA as the authority for certificate request when you configure the PKI domain.


WLAN security configuration


WLAN security overview
802.11 networks are susceptible to a wide array of threats such as unauthorized access points and clients,
ad hoc networks, and Denial of Service (DoS) attacks. Rogue devices are a serious threat to enterprise
security. To ensure security, the wireless intrusion detection system (WIDS) is introduced. WIDS provides
early detection of malicious attacks and intrusions on a wireless network without affecting network
performance, and provides real-time countermeasures.
WLAN security provides these features:
• Rogue detection
• WIDS attack detection
• Blacklist and white list

Terminology
• Rogue AP: An unauthorized or malicious access point on the network, such as an AP set up by an
employee, a misconfigured AP, a neighbor AP, or an AP operated by an attacker. Because such an AP
is not authorized, any vulnerability in it gives an attacker a chance to compromise your network security.
• Rogue client: An unauthorized or malicious client on the network.
• Rogue wireless bridge: An unauthorized wireless bridge on the network.
• Monitor AP: An AP that scans or listens to 802.11 frames to detect rogue devices in the network.
• Ad hoc mode: A wireless client in ad hoc mode can directly communicate with other stations
without support from any other device.

Detecting rogue devices


Rogue detection is applicable to large wireless networks. It detects the presence of rogue devices in a
WLAN based on the pre-configured rules.
Rogue detection can detect different types of devices in a WLAN, for example, rogue APs, rogue
clients, rogue wireless bridges, and ad hoc terminals. An AP can work in either of the following modes
for rogue detection:
• Monitor mode: In this mode, an AP scans all 802.11g frames in the WLAN, but cannot provide
WLAN services. As shown in Figure 499, AP 1 works as an access AP, and AP 2 works as a monitor
AP to listen to all 802.11g frames. AP 2 cannot provide wireless access services.

Figure 499 Monitor AP for rogue detection

• Hybrid mode: In this mode, an AP can both scan devices in the WLAN and provide WLAN data
services.

Figure 500 Hybrid AP for rogue detection

Taking countermeasures against rogue device attacks


You can enable countermeasures on a monitor AP. The monitor AP downloads an attack list from the
AC according to the countermeasure mode and takes countermeasures against detected rogue devices.
The processing methods vary with the type of rogue device:
• If the rogue device is a rogue client, it is logged out.
• If the rogue device is a rogue AP, legal clients are prevented from using the rogue AP to access the WLAN.
• If the rogue device is an ad hoc client, it is denied, and ad hoc clients cannot communicate with
each other.

Figure 501 Taking countermeasures against rogue devices

Functionalities supported
The rogue detection feature supports the following functionalities:
• RF monitoring in different channels
• Rogue AP detection
• Rogue client detection
• Ad hoc network detection
• Wireless bridge detection
• Countermeasures against rogue devices, clients and ad hoc networks

WIDS attack detection

The WIDS attack detection function detects intrusions or attacks on a WLAN, and informs the
network administrator of the attacks by recording information or sending logs. WIDS attack detection
supports detection of the following attacks:
• Flood attack
• Spoofing attack
• Weak IV attack

Flood attack detection


A flood attack refers to the case where WLAN devices receive large volumes of frames of the same kind
within a short span of time. When this occurs, the WLAN devices get overwhelmed and are unable to
service normal clients.
WIDS attack detection counters flood attacks by constantly keeping track of the density of traffic
generated by each device. When the traffic density of a device exceeds the limit, the device is
considered to be flooding the network and, if the dynamic blacklist feature is enabled, is added to the
blacklist and forbidden to access the WLAN for a period of time.
WIDS inspects the following types of frames:
• Authentication requests and de-authentication requests
• Association requests, disassociation requests, and reassociation requests
• Probe requests
• 802.11 null data frames
• 802.11 action frames

Spoofing attack detection


In this kind of attack, a potential attacker can send frames in the air on behalf of another device. For
instance, a client in a WLAN has been associated with an AP and works normally. In this case, a
spoofed de-authentication frame can cause a client to get de-authenticated from the network and can
affect the normal operation of the WLAN.
At present, spoofing attack detection counters this type of attack by detecting broadcast
de-authentication and disassociation frames sent on behalf of an AP. When such a frame is received, it
is identified as a spoofed frame, and the attack is immediately logged.

Weak IV detection
Wired Equivalent Privacy (WEP) uses an Initialization Vector (IV) to encrypt each frame. An IV and a key
are used to generate a key stream, and thus encryptions using the same key have different results. When
a WEP frame is sent, the IV used in encrypting the frame is also sent as part of the frame header.
However, if a WLAN device generates IVs in an insecure way, for example, if it uses a fixed IV for all
frames, the shared secret key may be exposed to any potential attackers. When the shared secret key is
compromised, the attacker can access network resources.
Weak IV detection counters this attack by verifying the IVs in WEP frames. Whenever a frame with a
weak IV is detected, it is immediately logged.

Blacklist and white list


You can configure the blacklist and white list functions to filter frames from WLAN clients and thereby
implement client access control.
WLAN client access control is accomplished through the following three types of lists:
• White list: Contains the MAC addresses of all clients allowed to access the WLAN. If the white list
is used, only permitted clients can access the WLAN, and all frames from other clients are
discarded.
• Static blacklist: Contains the MAC addresses of clients forbidden to access the WLAN. This list is
manually configured.
• Dynamic blacklist: Contains the MAC addresses of clients forbidden to access the WLAN. A client
is dynamically added to the list if it is considered to be sending attack frames, and stays there until
the timer of the entry expires. A dynamic blacklist can collaborate with ARP detection. When ARP
detection detects any attacks, the MAC addresses of the attackers are added to the dynamic blacklist.
For more information about ARP detection, see "ARP attack defense configuration."
When an AP receives an 802.11 frame, it checks the source MAC address of the frame and processes the
frame as follows:
1. If the source MAC address does not match any entry in the white list, the frame is dropped. If there
is a match, the frame is considered valid and will be further processed.
2. If no white list entries exist, the static and dynamic blacklists are searched.
3. If the source MAC address matches an entry in either of the two lists, the frame is dropped.
4. If there is no match, or no blacklist entries exist, the frame is considered valid and will be further
processed.
A static blacklist or white list configured on an AC applies to all APs connected to the AC, while a
dynamic blacklist applies only to the APs that receive attack frames.

Figure 502 Network diagram for WLAN client access control

• In the topology above, three APs are connected to an AC. Configure white list and static blacklist
entries on the AC, which sends all the entries to the APs. If the MAC address of a station, Client
1 for example, is present in the blacklist, it cannot access any of the APs. If only Client 1 is present
in the white list, it can access any of the APs, and other clients cannot access any of the APs.
• Enable the dynamic blacklist function on the AC. If AP 1 receives attack frames from Client 1, a dynamic
blacklist entry is generated in the blacklist, and Client 1 cannot associate with AP 1, but can
associate with AP 2 or AP 3. If AP 2 or AP 3 receives attack frames from Client 1, a new dynamic
blacklist entry is generated in the blacklist.
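The flood detection and the list processing described above, as an added example (not H3C code): a sliding-window counter of same-kind frames feeds per-AP dynamic blacklist entries, and frames are then filtered in the white list / static blacklist / dynamic blacklist order of steps 1 to 4. The threshold, window, lifetime and client address are constructed assumptions; the AC's real limits are not on the page.

```python
from collections import defaultdict, deque

# Frame kinds WIDS inspects for flooding (the page's list).
FLOOD_KINDS = {"auth", "deauth", "assoc", "disassoc", "reassoc",
               "probe_req", "null_data", "action"}


class WidsFloodDetector:
    """Tracks the density of same-kind frames per source MAC. A device is
    flooding when more than `limit` frames of one kind arrive within
    `window` seconds (assumed threshold model, constructed here)."""

    def __init__(self, limit=10, window=1.0):
        self.limit = limit
        self.window = window
        self.recent = defaultdict(deque)  # (mac, kind) -> timestamps

    def observe(self, mac, kind, ts):
        """Record one frame; return True if the device is now over the limit."""
        if kind not in FLOOD_KINDS:
            return False
        q = self.recent[(mac, kind)]
        q.append(ts)
        while q and ts - q[0] > self.window:  # slide the window forward
            q.popleft()
        return len(q) > self.limit


class ClientAccessControl:
    """White list and static blacklist apply to every AP on the AC; dynamic
    blacklist entries are kept per AP that received the attack frames."""

    def __init__(self, whitelist=(), static_blacklist=(),
                 dynamic_enabled=True, lifetime=300.0):
        self.whitelist = set(whitelist)
        self.static_blacklist = set(static_blacklist)
        self.dynamic_enabled = dynamic_enabled
        self.lifetime = lifetime
        self.dynamic = {}  # (ap, mac) -> expiry timestamp

    def add_dynamic(self, ap, mac, now):
        """Blacklist mac on ap for `lifetime` seconds if the feature is enabled."""
        if self.dynamic_enabled:
            self.dynamic[(ap, mac)] = now + self.lifetime

    def _dynamic_hit(self, ap, mac, now):
        expiry = self.dynamic.get((ap, mac))
        if expiry is None:
            return False
        if now >= expiry:  # lifetime expired: entry is removed
            del self.dynamic[(ap, mac)]
            return False
        return True

    def accept(self, ap, mac, now):
        """Steps 1-4: does `ap` keep processing a frame from `mac`?"""
        if self.whitelist:                 # step 1: white list is decisive
            return mac in self.whitelist
        if mac in self.static_blacklist:   # steps 2-3: blacklists
            return False
        if self._dynamic_hit(ap, mac, now):
            return False
        return True                        # step 4: no match -> valid


def process_frames(frames, acl, detector):
    """Run (timestamp, ap, src_mac, kind) frames through detection and
    filtering; return (ap, mac, kind, accepted) per frame."""
    results = []
    for ts, ap, mac, kind in frames:
        if detector.observe(mac, kind, ts):
            acl.add_dynamic(ap, mac, ts)
        results.append((ap, mac, kind, acl.accept(ap, mac, ts)))
    return results


# Constructed sample: Client 1 floods AP 1 with de-authentication frames,
# then probes AP 2 and AP 1, then returns to AP 1 after the entry aged out.
CLIENT1 = "000f-e215-1515"


def demo():
    detector = WidsFloodDetector(limit=10, window=1.0)
    acl = ClientAccessControl(dynamic_enabled=True, lifetime=300.0)
    frames = [(i * 0.01, "AP 1", CLIENT1, "deauth") for i in range(12)]
    frames += [(1.0, "AP 2", CLIENT1, "probe_req"),    # AP 2 has no entry
               (1.0, "AP 1", CLIENT1, "probe_req"),    # AP 1 still blocks
               (400.0, "AP 1", CLIENT1, "probe_req")]  # entry has aged out
    return process_frames(frames, acl, detector)


if __name__ == "__main__":
    for ap, mac, kind, ok in demo():
        print(ap, mac, kind, "accepted" if ok else "dropped")
```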

Configuring rogue device detection


Recommended configuration procedure

Step
Remarks

1. Configuring AP operating mode
Required.
By default, the AP operates in normal mode and only provides WLAN data services.

2. Configuring detection rule lists
Required.

3. Enabling countermeasures and configuring aging time for detected rogue devices
Optional.

Configuring AP operating mode


1. Select Security > Rogue Detection from the navigation tree.

Figure 503 AP monitor configuration

2. On the AP Monitor tab, select the AP to be configured and click the icon to enter the page
shown in Figure 504.

Figure 504 AP operating mode configuration

3. Configure the AP operating mode as described in Table 152.
4. Click Apply.

Table 152 Configuration items

Item
Description

Work mode
Configure the AP operating mode:
• In normal mode, an AP provides WLAN data services but does not perform scanning.
• In monitor mode, an AP scans all 802.11g frames in the WLAN, but cannot provide
WLAN services.
• In hybrid mode, an AP can both scan devices in the WLAN and provide WLAN data
services.
IMPORTANT:
• When an AP has its operating mode changed from normal to monitor, it does not
restart.
• When an AP has its operating mode changed from monitor to normal, it restarts.

NOTE:
An AP operating in hybrid mode can provide WLAN data services as well as scanning devices in the
WLAN, so WLAN service configurations are needed.
An AP operating in monitor mode cannot provide WLAN data services, so WLAN service
configurations are not needed.

Configuring detection rules


Configuring detection rules is to configure rogue device classification rules. An AC classifies devices as
rogues and friends based on the configured classification rules.

• Check whether an AP is a rogue.

Figure 505 Checking whether an AP is a rogue

• Check whether a client is a rogue.

Figure 506 Checking whether a client is a rogue
(Flowchart: a client in the static attack list is an illegal client (rogue). Otherwise, if it is in the
permitted MAC address list, it is a legal client (friend). If neither list matches, or a list is not
configured, the AC checks whether the AP (BSSID) the client is associated with is legal: if yes, the
client is a legal client (friend); if no, it is an illegal client (rogue).)

• Check whether an ad hoc network or a wireless bridge is a rogue.

Figure 507 Checking whether an ad hoc network or a wireless bridge is a rogue
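The client classification flow of Figure 506, as an added example (not H3C code). The rule lists are those of the rogue detection configuration example on this page; how the AC decides that an AP (BSSID) is legal is the separate flow of Figure 505, so here the legal BSSIDs are a constructed set, and the type codes produced follow Table 156.

```python
def classify_client(client_mac, bssid, static_attack_list, permitted_macs, legal_bssids):
    """Return 'rogue' or 'friend' by walking Figure 506 in order.

    An empty list behaves like a list that is not configured."""
    # 1. Static attack list (Attacker rule list): a configured attacker is a rogue.
    if client_mac in static_attack_list:
        return "rogue"
    # 2. Permitted MAC address list (MAC rule list): an explicit friend.
    if client_mac in permitted_macs:
        return "friend"
    # 3. Otherwise the client inherits the status of the AP it is associated with
    #    (assumption: BSSID legality is the outcome of the Figure 505 check).
    return "friend" if bssid in legal_bssids else "rogue"


def monitor_record(observations, static_attack_list, permitted_macs, legal_bssids):
    """Build Table 156-style type codes ('pc' permitted client, 'rc' rogue
    client) for each observed (client_mac, bssid) pair."""
    records = []
    for client_mac, bssid in observations:
        verdict = classify_client(client_mac, bssid, static_attack_list,
                                  permitted_macs, legal_bssids)
        code = ("p" if verdict == "friend" else "r") + "c"
        records.append((client_mac, bssid, code))
    return records


# Rule lists from this page's rogue detection example; BSSIDs and the unknown
# client are constructed.
PERMITTED = {"000f-e215-1515", "000f-e215-1530", "000f-e213-1235"}
ATTACKERS = {"000f-e220-405e"}
LEGAL_BSSIDS = {"000f-e2aa-0001"}          # AP 1's BSSID (constructed)
OBSERVED = [
    ("000f-e215-1515", "000f-e2aa-0001"),  # Client 1 on AP 1: friend via MAC list
    ("000f-e220-405e", "000f-e2aa-0001"),  # Client 4: rogue even on a legal AP
    ("000f-e2bb-0099", "000f-e2aa-0001"),  # unknown client on a legal AP: friend
    ("000f-e2bb-0099", "000f-e2cc-0002"),  # same client on an unknown BSSID: rogue
]


def demo():
    return monitor_record(OBSERVED, ATTACKERS, PERMITTED, LEGAL_BSSIDS)


if __name__ == "__main__":
    for mac, bssid, code in demo():
        print(mac, bssid, code)
```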


Configuring detection rule lists


1. Select Security > Rogue Detection from the navigation tree.
2. Click the Rule List tab to enter the detection rule list configuration page.

Figure 508 Rule list configuration

3. Configure the rule list as described in Table 153.

Table 153 Configuration items

Item
Description

List Type
• MAC: You can add MAC addresses to be permitted after selecting this option.
• Wireless Service: You can add SSIDs to be permitted after selecting this option.
• Vendor: You can specify vendors to be permitted after selecting this option.
• Attacker: You can add the MAC address of a device to configure the device as
a rogue.

4. Select MAC from the list and click Add to enter the MAC address configuration page.


Figure 509 MAC address list configuration page

5. Configure the MAC address list as described in Table 154.
6. Click Apply.

Table 154 Configuration items

Item
Description

MAC
Enter the permitted MAC address in the box.

Select the existent devices
If you select this option, the MAC address table displays the MAC addresses of the
current devices. Select the MAC addresses to be permitted.

The operation to add other types of lists is similar to the add operation of a MAC address list, and thus
the description is omitted.

Enabling countermeasures and configuring aging time for detected rogue devices
1. Select Security > Rogue Detection from the navigation tree.
2. On the AP Monitor tab, click Common Set.

Figure 510 Common configuration

3. Perform common configuration as described in Table 155.
4. Click Apply.

Table 155 Configuration items

Item
Description

Reverse Mode
• Unlaw Set: Allows you to take countermeasures against rogue devices
(including illegal APs and illegal clients).
• Unlaw Adhoc Device: Allows you to take countermeasures against ad hoc
devices.
• Static Unlaw Device: Allows you to take countermeasures against rogue
devices configured in the detection rule list.

Device Aging-Duration
Configure the aging time of entries in the device list.
Once a rogue device is detected, an entry for it is added to the monitor record and
the aging time starts. The aging time restarts if the device is detected again during
the time. When the aging time is reached, the entry is deleted from the monitor
record and added to the history record.

Displaying monitor record


1. Select Security > Rogue Detection from the navigation tree.
2. Click the Monitor Record tab to enter the monitor record page.

Figure 511 Monitor record

Table 156 Field description

Type
r: Rogue device.
p: Permitted device.
a: Ad hoc device.
w: AP.
b: Wireless bridge.
c: Client.
For example, pw represents a permitted AP while rb represents a rogue wireless bridge.

Displaying history record


1. Select Security > Rogue Detection from the navigation tree.
2. Click the History Record tab to enter the history record page.

Figure 512 History record page

Configuring WIDS
Configuring WIDS
1. Select Security > WIDS from the navigation tree.

Figure 513 WIDS configuration

2. On the WIDS Setup tab, configure WIDS as described in Table 157.
3. Click Apply.

Table 157 Configuration items

Item
Description

Flood Attack Detect
If you select the option, flood attack detection is enabled.
It is disabled by default.

Spoofing Attack Detect
If you select the option, spoofing attack detection is enabled. It is disabled by
default.

Weak IV Attack Detect
If you select the option, weak IV attack detection is enabled. It is disabled by
default.

Displaying history record


1. Select Security > WIDS from the navigation tree.
2. Click the History Record tab to enter the history information page.

Figure 514 History information

Displaying statistics information


1. Select Security > WIDS from the navigation tree.
2. Click the Statistics tab to enter the statistics information page.

Figure 515 Statistics

Configuring the blacklist and white list functions


NOTE:
A static blacklist or white list configured on an AC applies to all APs connected to the AC, while a dynamic
blacklist applies to APs that receive attack frames. For more information, see "Blacklist and white list."


Configuring dynamic blacklist


1. Select Security > Filter from the navigation tree.

Figure 516 Dynamic blacklist configuration page

2. On the Blacklist tab, configure the dynamic blacklist as described in Table 158.
3. Click Apply.

Table 158 Configuration items

Item
Description

Dynamic Blacklist
• Enable: Enable the dynamic blacklist.
• Disable: Disable the dynamic blacklist.

Lifetime
Configure the lifetime of the entries in the blacklist. When the lifetime of an entry
expires, the entry is removed from the blacklist.

NOTE:
At present, these attacks can be detected through a dynamic blacklist: Assoc-Flood, Reassoc-Flood,
Disassoc-Flood, ProbeReq-Flood, Action-Flood, Auth-Flood, Deauth-Flood and NullData-Flood.

Configuring static blacklist


1. Select Security > Filter from the navigation tree.
2. On the Blacklist tab, click Static to enter the static blacklist configuration page.

Figure 517 Static blacklist configuration

3. Click Add Static to enter the static blacklist configuration page.

Figure 518 Adding static blacklist

4. Add a static blacklist as described in Table 159.
5. Click Apply.

Table 159 Configuration items

Item
Description

MAC Address
Select MAC Address, and then add a MAC address to the static blacklist.

Select from Connected Clients
If you select the option, the table below lists the currently connected clients. Select the
options of the clients to add their MAC addresses to the static blacklist.


Configuring white list


1. Select Security > Filter from the navigation tree.
2. Click the Whitelist tab.

Figure 519 Whitelist configuration

3. Click Add.

Figure 520 Adding a whitelist

4. Add a white list as described in Figure 508.
5. Click Apply.

Table 160 Configuration items

Item
Description

MAC Address
Select MAC Address, and then add a MAC address to the white list.

Select from Connected Clients
If you select the option, the table below lists the currently connected clients. Select the
options of the clients to add their MAC addresses to the white list.

Rogue detection configuration example


Network requirements
As shown in Figure 521, a monitor AP (AP 2 with serial ID SZ001) and AP 1 (serial ID SZ002) are
connected to an AC through a Layer 2 switch.
• AP 1 operates in normal mode and provides WLAN data services only.
• AP 2 operates in monitor mode, and scans all 802.11g frames in the WLAN.
• Client 1 (MAC address 000f-e215-1515), Client 2 (MAC address 000f-e215-1530), and Client 3
(MAC address 000f-e213-1235) are connected to AP 1. They are configured as friends.
• Client 4 (MAC address 000f-e220-405e) is connected to AP 2. It is configured as a rogue device.

Figure 521 Network diagram

Configuration procedure
1. Configure AP 1 to operate in normal mode:
In normal mode, AP 1 provides WLAN data services only. For how to configure WLAN services,
see "Access service configuration."
2. Configure AP 2 to operate in monitor mode:
a. Select AP > AP Setup from the navigation tree.
b. Click Add.
c. On the page that appears, set the AP name to ap2, select the AP model WA2620-AGN, select
Manual, and enter the serial ID of AP 2.
d. Click Apply.

Figure 522 AP configuration

e. Select Security > Rogue Detection from the navigation tree.
f. On the AP Monitor tab, click the icon corresponding to the target AP to enter the operating
mode configuration page.
g. Select the operating mode Monitor.
h. Click Apply.

Figure 523 AP operating mode configuration

3. Enable the 802.11n(2.4GHz) radio mode:
a. Select Radio > Radio from the navigation tree to enter the AP radio configuration page.
b. Select the AP with the radio mode 802.11n(2.4GHz).
c. Click Enable.

Figure 524 Radio configuration

4. Configure rogue detection rules:
a. Select Security > Rogue Detection from the navigation tree.
b. Click the Rule List tab and click Add.
c. On the page that appears, enter 000f-e215-1515, 000f-e215-1530, and 000f-e213-1235 in
the MAC Address field, and then click Apply.
d. Select Attacker, and click Add. Enter 000f-e220-405e in the MAC Address field and click
Apply.
5. Enable countermeasures against the static rogue device:
a. Select Security > Rogue Detection from the navigation tree.
b. Click the AP Monitor tab, and click Common Set to enter the common configuration page.
c. Select Static Rogue Device. This is because the MAC address of Client 4 is added manually to
the attacker list.
d. Click Apply.

Figure 525 Common configuration

Configuration guidelines
• The radio must be disabled so that the AP operating mode can be changed.
• If you configure more than one detection rule, you need to specify the rogue device types (AP, client,
bridge, and ad hoc) and the rule matching order. For more information, see "User isolation."
• The wireless service configuration is needed for an AP operating in hybrid mode, and not needed
for an AP in monitor mode.

User isolation
User isolation overview
Without user isolation, all the devices in the same VLAN can access each other directly, which poses
security risks. User isolation solves this problem. When an AC configured with user
isolation receives unicast packets (broadcast packets and multicast packets in a VLAN are not isolated)
from a wireless client to another wireless client or a wired PC in the same VLAN, or from a wired PC to
a wireless client in the same VLAN, the AC determines whether to isolate the two devices according to
the configured list of permitted MAC addresses.
To prevent user isolation from affecting communications between users and the gateway, you can add the
MAC address of the gateway to the list of permitted MAC addresses.
User isolation both provides network services for users and isolates users, preventing them from
communicating at Layer 2 and thus ensuring service security.

Before user isolation is enabled


As shown in Figure 526, before user isolation is enabled in VLAN 2 on the AC, wireless terminals Client
A and Client B and wired terminal Host A in the VLAN can communicate with each other and access the
Internet.
Figure 526 User communication


After user isolation is enabled


As shown in Figure 526, user isolation is enabled on the AC. Client A and Client B, and Host A in VLAN
2 access the Internet through the gateway.
• If you add the MAC address of the gateway to the permitted MAC address list, Client A, Client B,
and Host A in the same VLAN are isolated, but they can access the Internet.
• If you add the MAC address of a user (Client A, for example) to the permitted MAC address list,
Client A and Client B, and Client A and Host A can access each other directly, but Client B and Host
A cannot.
To enable all the users in the VLAN to access one another and the Internet, you need to add the MAC
address of the gateway and the MAC addresses of the users to the permitted MAC address list.

Configuring user isolation


Configuring user isolation
1. Select Security > User Isolation from the navigation tree.
2. Click Add.
The page for configuring user isolation appears.

Figure 527 Configuring user isolation

3. Configure user isolation as described in Table 161.
4. Click Apply.

Table 161 Configuration items

Item
Description

VLAN ID
Specify the VLAN in which user isolation is enabled.

AccessMAC
Specify the MAC addresses to be permitted by the AC. For more information, see
"After user isolation is enabled."
• Enter a MAC address in the field next to the Add button.
• Click Add to add the MAC address to the permitted MAC list.
• To delete a MAC address from the list, select an entry and click Delete.
IMPORTANT:
• Broadcast or multicast MAC addresses cannot be specified as permitted MAC
addresses.
• Up to 16 permitted MAC addresses can be configured for one VLAN.

To avoid network disruption caused by user isolation, add the MAC address of the gateway to the
permitted MAC address list and then enable user isolation.
If you configure user isolation for a super VLAN, the configuration does not take effect on the sub-VLANs
in the super VLAN, and you must configure user isolation on the sub-VLANs if needed.
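The forwarding decision user isolation makes, as an added example (not H3C code) covering the scenarios in "After user isolation is enabled" and the permitted MAC list limits of Table 161. The client and host addresses are constructed; the gateway address 000f-e212-7788 is the one used in this page's user isolation example.

```python
MAX_PERMITTED = 16   # per-VLAN limit stated in Table 161


def normalize(mac):
    """Canonicalise 'xxxx-xxxx-xxxx' (H3C style) or 'xx:xx:...' into 12 hex digits."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac}")
    return digits


def is_group_mac(mac):
    """Broadcast/multicast: the I/G bit (low bit of the first octet) is set."""
    return int(normalize(mac)[:2], 16) & 0x01 == 1


class UserIsolation:
    """User isolation for one VLAN with its permitted MAC address list."""

    def __init__(self, vlan_id):
        self.vlan_id = vlan_id
        self.permitted = set()

    def add_permitted(self, mac):
        """Add a permitted MAC, enforcing the IMPORTANT constraints of Table 161."""
        key = normalize(mac)
        if is_group_mac(key):
            raise ValueError("broadcast or multicast MAC addresses cannot be permitted")
        if key not in self.permitted and len(self.permitted) >= MAX_PERMITTED:
            raise ValueError(f"up to {MAX_PERMITTED} permitted MAC addresses per VLAN")
        self.permitted.add(key)

    def forwards(self, src, dst, vlan_id):
        """Does the AC forward a unicast frame from src to dst in vlan_id?

        Only unicast traffic between stations that passes through the AC is
        subject to isolation; broadcast and multicast are never isolated."""
        if vlan_id != self.vlan_id:
            return True                       # isolation is per configured VLAN
        if is_group_mac(dst):
            return True                       # broadcast/multicast not isolated
        return normalize(src) in self.permitted or normalize(dst) in self.permitted


# Constructed addresses; the gateway MAC is the one from this page's example.
GATEWAY = "000f-e212-7788"
CLIENT_A, CLIENT_B, HOST_A = "000f-e2a1-0001", "000f-e2b2-0002", "000f-e2c3-0003"


def scenario_gateway_only():
    """Gateway permitted: users are isolated from each other, Internet reachable."""
    iso = UserIsolation(vlan_id=2)
    iso.add_permitted(GATEWAY)
    return {
        "A->B": iso.forwards(CLIENT_A, CLIENT_B, 2),
        "A->gateway": iso.forwards(CLIENT_A, GATEWAY, 2),
        "A->broadcast": iso.forwards(CLIENT_A, "ffff-ffff-ffff", 2),
        "A->B in VLAN 3": iso.forwards(CLIENT_A, CLIENT_B, 3),
    }


def scenario_client_a_permitted():
    """Gateway and Client A permitted: A reaches B and Host A; B and Host A stay isolated."""
    iso = UserIsolation(vlan_id=2)
    iso.add_permitted(GATEWAY)
    iso.add_permitted(CLIENT_A)
    return {
        "A->B": iso.forwards(CLIENT_A, CLIENT_B, 2),
        "A->HostA": iso.forwards(CLIENT_A, HOST_A, 2),
        "B->HostA": iso.forwards(CLIENT_B, HOST_A, 2),
    }


if __name__ == "__main__":
    print(scenario_gateway_only())
    print(scenario_client_a_permitted())
```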

Displaying user isolation information


Select Security > User Isolation from the navigation tree to enter the page displaying user isolation
configuration summary.
Figure 528 Displaying user isolation summary

User isolation configuration example


Network requirements
As shown in Figure 529, isolate Client A, Client B, and Host A in VLAN 2 from one another while
allowing them to access the Internet. The MAC address of the gateway is 000f-e212-7788.


Figure 529 Network diagram

Configuration procedure
1. Configure wireless service:
For how to configure wireless service, see "Access service configuration."
2. Configure user isolation:
a. Select Security > User Isolation from the navigation tree.
b. Click Add to enter the page for configuring user isolation.
c. On the page that appears, enter the VLAN ID 2, add MAC address 000f-e212-7788 to the
permitted MAC address list, and click Apply.

Figure 530 Configuring user isolation


Authorized IP
Overview
The authorized IP function associates the HTTP or Telnet service with an ACL to filter the requests of clients. Only clients that pass the ACL filtering can access the device.

Configuring authorized IP
Before you configure authorized IP, you must create and configure the ACL. For ACL configuration, see "QoS configuration."
1. Select Security > Authorized IP from the navigation tree.
2. Click the Setup tab to enter the authorized IP configuration page.

Figure 531 Configuration page

3. Configure an authorized IP as described in Table 162.
4. Click Apply.

Table 162 Configuration items

Telnet
  IPv4 ACL: Select the IPv4 ACL to be associated with the Telnet service. Available IPv4 ACLs are those configured on the page you enter by selecting QoS > ACL IPv4.
  IPv6 ACL: Select the IPv6 ACL to be associated with the Telnet service. Available IPv6 ACLs are those configured on the page you enter by selecting QoS > ACL IPv6.

Web (HTTP)
  IPv4 ACL: Select the IPv4 ACL to be associated with the HTTP service. Available IPv4 ACLs are those configured on the page you enter by selecting QoS > ACL IPv4.


Configuring ACL and QoS


NOTE:
Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.

ACL overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on
criteria such as source IP address, destination IP address, and port number.
ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and
permits packets that match a permit rule. ACLs are also widely used by many modules, for example, QoS
and IP routing, for traffic identification.
ACLs fall into the following categories:

Category | ACL number | IP version | Match criteria
Basic ACLs | 2000 to 2999 | IPv4 | Source IPv4 address
Basic ACLs | 2000 to 2999 | IPv6 | Source IPv6 address
Advanced ACLs | 3000 to 3999 | IPv4 | Source/destination IPv4 address, protocols over IPv4, and other Layer 3 and Layer 4 header fields
Advanced ACLs | 3000 to 3999 | IPv6 | Source/destination IPv6 address, protocols over IPv6, and other Layer 3 and Layer 4 header fields
Ethernet frame header ACLs | 4000 to 4999 | IPv4 and IPv6 | Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type

NOTE:
For more information about ACLs, see ACL and QoS Configuration Guide.

QoS overview
Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs. Generally, QoS does not focus on grading services precisely, but on improving services under certain conditions.
On the Internet, QoS refers to the ability of the network to forward packets. The QoS of a network can be evaluated from different aspects because the network may provide various services. Generally, QoS refers to the ability to provide improved service by solving core issues such as delay, jitter, and packet loss ratio in the packet forwarding process.

Traditional packet forwarding services

On traditional IP networks, devices treat all packets equally and handle them using the first in first out (FIFO) policy. All packets share the resources of the network and devices. How many resources the packets can obtain depends completely on the time they arrive. This service is called "best-effort". It delivers packets to their destinations as well as it can, without any guarantee for delay, jitter, packet loss ratio, reliability, and so on.
This service policy is only suitable for applications insensitive to bandwidth and delay, such as WWW, file transfer, and email.

New requirements from new applications

The Internet has been growing along with the fast development of networking technologies. More and more users take the Internet as their data transmission platform to implement various applications. Besides traditional applications such as WWW, email, and FTP, network users are experiencing new services, such as tele-education, telemedicine, video telephone, videoconference, and Video-on-Demand (VoD). Enterprise users expect to connect their regional branches together through VPN technologies to carry out operational applications, for instance, to access the database of the company or to monitor remote devices through Telnet.
These new applications have one thing in common: they all have special requirements for bandwidth, delay, and jitter. For instance, videoconference and VoD need large bandwidth, low delay, and low jitter. Mission-critical applications, such as transactions and Telnet, may not require large bandwidth but do require low delay and preferential service during congestion.
The new emerging applications demand higher service performance from IP networks. Better network services during packet forwarding are required, such as providing dedicated bandwidth, reducing packet loss ratio, managing and avoiding congestion, regulating network traffic, and setting the precedence of packets. To meet these requirements, networks must provide improved services.
NOTE:
For more information about QoS, see ACL and QoS Configuration Guide.

Configuring an ACL
Recommended configuration procedures
Recommended IPv4 ACL configuration procedure

1. Adding a time range: Optional. A rule referencing a time range takes effect only during the specified time range.
2. Adding an IPv4 ACL: Required. The category of the added ACL depends on the ACL number that you specify.
3. Configuring a rule for a basic IPv4 ACL
4. Configuring a rule for an advanced IPv4 ACL
5. Configuring a rule for an Ethernet frame header ACL
   Steps 3 to 5: Required. Complete one of the three steps according to the ACL category.

Recommended IPv6 ACL configuration procedure

1. Adding a time range: Optional. A rule referencing a time range takes effect only during the specified time range.
2. Adding an IPv6 ACL: Required. The category of the added IPv6 ACL depends on the ACL number that you specify.
3. Configuring a rule for a basic IPv6 ACL
4. Configuring a rule for an advanced IPv6 ACL
   Steps 3 and 4: Required. Complete one of the steps according to the ACL category.
Adding a time range

1. Select QoS > Time Range from the navigation tree.
2. Click the Add tab to enter the time range adding page.

Figure 532 Adding a time range

3. Configure the time range information, as described in Table 163.
4. Click Apply.

Table 163 Configuration items

Time Range Name: Set the name for the time range.

Periodic Time Range (these items are available after you select the Periodic Time Range option)
  Start Time: Set the start time of the periodic time range.
  End Time: Set the end time of the periodic time range. The end time must be greater than the start time.
  Sun, Mon, Tue, Wed, Thu, Fri, and Sat: Select the day or days of the week on which the periodic time range is valid. You can select any combination of the days of the week.

Absolute Time Range (these items are available after you select the Absolute Time Range option)
  From: Set the start time of the absolute time range. The time of the day is in the hh:mm format (24-hour clock), and the date is in the MM/DD/YYYY format.
  To: Set the end time of the absolute time range. The time of the day is in the hh:mm format (24-hour clock), and the date is in the MM/DD/YYYY format. The end time must be greater than the start time.

Adding an IPv4 ACL

1. Select QoS > ACL IPv4 from the navigation tree.
2. Click the Add tab to enter the IPv4 ACL adding page, as shown in Figure 533.

Figure 533 Adding an IPv4 ACL

3. Configure the IPv4 ACL information, as described in Table 164.
4. Click Apply.

Table 164 Configuration items

ACL Number: Set the number of the IPv4 ACL.

Match Order: Set the match order of the ACL. Available values are:
  - Config: Packets are compared against ACL rules in the order that the rules are configured.
  - Auto: Packets are compared against ACL rules in the depth-first match order.

Description: Set the description for the ACL.

Configuring a rule for a basic IPv4 ACL

1. Select QoS > ACL IPv4 from the navigation tree.
2. Click the Basic Setup tab to enter the rule configuration page for a basic IPv4 ACL, as shown in Figure 534.

Figure 534 Configuring a basic IPv4 ACL

3. Configure a basic IPv4 ACL, as described in Table 165.
4. Click Add.

Table 165 Configuration items

ACL: Select the basic IPv4 ACL for which you want to configure rules. Available ACLs are basic IPv4 ACLs.

Rule ID: Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically.
  IMPORTANT:
  If the rule number you specify already exists, the following operations modify the configuration of the rule.

Action: Select the action to be performed for IPv4 packets matching the rule.
  - Permit: Allows matched packets to pass.
  - Deny: Drops matched packets.

Check Fragment: Select this option to apply the rule to only non-first fragments. If you do not select this option, the rule applies to all fragments and non-fragments.

Check Logging: Select this option to keep a log of matched IPv4 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.

Source IP Address, Source Wildcard: Select the Source IP Address option and enter a source IPv4 address and source wildcard, in dotted decimal notation.

Time Range: Select the time range during which the rule takes effect.

Configuring a rule for an advanced IPv4 ACL

1. Select QoS > ACL IPv4 from the navigation tree.
2. Click the Advanced Setup tab to enter the rule configuration page for an advanced IPv4 ACL, as shown in Figure 535.

Figure 535 Configuring an advanced IPv4 ACL

3. Configure an advanced IPv4 ACL rule, as described in Table 166.
4. Click Add.

Table 166 Configuration items

ACL: Select the advanced IPv4 ACL for which you want to configure rules. Available ACLs are advanced IPv4 ACLs.

Rule ID: Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically.
  IMPORTANT:
  If the rule number you specify already exists, the following operations modify the configuration of the rule.

Action: Select the action to be performed for IPv4 packets matching the rule.
  - Permit: Allows matched packets to pass.
  - Deny: Drops matched packets.

Non-First Fragments Only: Select this option to apply the rule to only non-first fragments. If you do not select this option, the rule applies to all fragments and non-fragments.

Logging: Select this option to keep a log of matched IPv4 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.

IP Address Filter
  Source IP Address, Source Wildcard: Select the Source IP Address option and enter a source IPv4 address and source wildcard, in dotted decimal notation.
  Destination IP Address, Destination Wildcard: Select the Destination IP Address option and enter a destination IPv4 address and destination wildcard, in dotted decimal notation.

Protocol: Select the protocol to be carried by IP. If you select 1 ICMP, you can configure the ICMP message type and code; if you select 6 TCP or 17 UDP, you can configure the TCP or UDP specific items.

ICMP Type (these items are available only when you select 1 ICMP from the Protocol list)
  ICMP Message, ICMP Type, ICMP Code: Specify the ICMP message type and code. If you select Other from the ICMP Message list, you must enter values in the ICMP Type and ICMP Code fields. Otherwise, the two fields will take the default values, which cannot be changed.

TCP Connection Established: Select this option to make the rule match packets used for establishing and maintaining TCP connections. This item is available only when you select 6 TCP from the Protocol list.

TCP/UDP Port (these items are available only when you select 6 TCP or 17 UDP from the Protocol list)
  Source: Operator, Port, - Port
  Destination: Operator, Port, - Port
  Select the operators and enter the source port numbers and destination port numbers as required. Different operators have different configuration requirements for the port number fields:
  - Not Check: The following port number fields cannot be configured.
  - Range: The following port number fields must be configured to define a port range.
  - Other values: The first port number field must be configured and the second must not.

Precedence Filter
  DSCP: Specify the DSCP value.
  TOS: Specify the ToS preference.
  Precedence: Specify the IP precedence.

Time Range: Select the time range during which the rule takes effect.
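How the rule items of Tables 163 to 166 combine when a packet is evaluated, written out as an added example (not H3C code, and not the AC's matching engine): wildcard masks, the TCP/UDP port operators, non-first-fragment rules and a time range with periodic and absolute parts, checked in Config order. The operator names eq/neq/gt/lt stand in for the page's "other values", and the assumption that a time range with both parts is active only when both are is labelled in the code; the sample ACL below is constructed, in the spirit of the authorized IP feature that filters Telnet clients with such an ACL.

```python
"""Added illustration (not H3C code) of how the IPv4 ACL rule items in
Tables 163 to 166 combine when a packet is evaluated: wildcard masks,
protocol and TCP/UDP port operators, non-first-fragment rules and time
ranges with periodic and absolute parts. Rules are checked in Config
(configuration) order; the Auto (depth-first) order is not modelled."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # all-ones wildcard: every address matches


def wildcard_match(addr: str, ref: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are ignored; bits set to 0 must match exactly."""
    a, r, w = (int(IPv4Address(x)) for x in (addr, ref, wildcard))
    return (a & ~w) == (r & ~w)


def port_match(op: Optional[str], p1: Optional[int], p2: Optional[int], port: int) -> bool:
    """Not Check (op None) ignores the port, Range needs both fields, and the
    other operators (assumed names eq/neq/gt/lt) use only the first field."""
    if op is None:
        return True
    if op == "range":
        return p1 <= port <= p2
    return {"eq": port == p1, "neq": port != p1, "gt": port > p1, "lt": port < p1}[op]


@dataclass
class TimeRange:
    """periodic: (start, end, weekdays with 0=Mon .. 6=Sun); absolute: (from, to).
    Assumed: when both parts are set, the range is active only when both are."""
    name: str
    periodic: Optional[Tuple[time, time, set]] = None
    absolute: Optional[Tuple[datetime, datetime]] = None

    def active(self, now: datetime) -> bool:
        if self.absolute is not None:
            start, end = self.absolute
            if not start <= now <= end:
                return False
        if self.periodic is not None:
            start, end, days = self.periodic
            if now.weekday() not in days or not start <= now.time() <= end:
                return False
        return True


@dataclass
class Rule:
    rule_id: int
    action: str                                  # "permit" or "deny"
    src: Tuple[str, str] = ANY                   # (address, wildcard)
    dst: Tuple[str, str] = ANY
    protocol: Optional[int] = None               # 1 ICMP, 6 TCP, 17 UDP, None = any
    src_port: tuple = (None, None, None)         # (operator, port, second port)
    dst_port: tuple = (None, None, None)
    non_first_fragments_only: bool = False
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: dict, now: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(now):
            return False                         # outside its time range: rule inactive
        if self.non_first_fragments_only and not pkt.get("non_first_fragment", False):
            return False
        if not (wildcard_match(pkt["src"], *self.src) and wildcard_match(pkt["dst"], *self.dst)):
            return False
        if self.protocol is not None and pkt.get("proto") != self.protocol:
            return False
        if self.protocol in (6, 17):             # port items exist only for TCP and UDP
            if not port_match(*self.src_port, pkt.get("sport", 0)):
                return False
            if not port_match(*self.dst_port, pkt.get("dport", 0)):
                return False
        return True


def evaluate(rules, pkt: dict, now: datetime):
    """Return (action, rule_id) of the first rule that matches in Config order,
    or ("no-match", None); what happens then is up to the module using the ACL."""
    for rule in rules:
        if rule.matches(pkt, now):
            return rule.action, rule.rule_id
    return "no-match", None


# Constructed sample: an advanced ACL that admits Telnet (TCP port 23) from the
# management subnet 10.1.1.0/24 during office hours and refuses other Telnet.
OFFICE_HOURS = TimeRange("office", periodic=(time(8, 0), time(18, 0), {0, 1, 2, 3, 4}))
ACL_3000 = [
    Rule(5, "permit", src=("10.1.1.0", "0.0.0.255"), protocol=6,
         dst_port=("eq", 23, None), time_range=OFFICE_HOURS),
    Rule(10, "deny", protocol=6, dst_port=("eq", 23, None)),
    Rule(15, "permit"),
]

if __name__ == "__main__":
    telnet = {"src": "10.1.1.7", "dst": "10.1.1.1", "proto": 6, "sport": 40000, "dport": 23}
    print(evaluate(ACL_3000, telnet, datetime(2012, 8, 20, 10, 0)))   # Monday: ('permit', 5)
    print(evaluate(ACL_3000, telnet, datetime(2012, 8, 19, 10, 0)))   # Sunday: ('deny', 10)
```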

Configuring a rule for an Ethernet frame header ACL

1. Select QoS > ACL IPv4 from the navigation tree.
2. Click the Link Setup tab to enter the rule configuration page for an Ethernet frame header IPv4 ACL, as shown in Figure 536.

Figure 536 Configuring a rule for an Ethernet frame header ACL

3. Configure an Ethernet frame header IPv4 ACL rule, as described in Table 167.
4. Click Add.

Table 167 Configuration items

ACL: Select the Ethernet frame header IPv4 ACL for which you want to configure rules. Available ACLs are Ethernet frame header IPv4 ACLs.

Rule ID: Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically.
  IMPORTANT:
  If the rule number you specify already exists, the following operations modify the configuration of the rule.

Action: Select the action to be performed for IPv4 packets matching the rule.
  - Permit: Allows matched packets to pass.
  - Deny: Drops matched packets.

MAC Address Filter
  Source MAC Address, Source Mask: Select the Source MAC Address option and enter a source MAC address and wildcard.
  Destination MAC Address, Destination Mask: Select the Destination MAC Address option and enter a destination MAC address and wildcard.

COS (802.1p priority): Specify the 802.1p priority for the rule.

Type Filter
  LSAP Type, LSAP Mask: Select the LSAP Type option and specify the DSAP and SSAP fields in the LLC encapsulation by configuring the following items:
    - LSAP Type: Indicates the frame encapsulation format.
    - LSAP Mask: Indicates the LSAP wildcard.
    TIP:
    You can select only one of the LSAP Type option and the Protocol Type option.
  Protocol Type, Protocol Mask: Select the Protocol Type option and specify the link layer protocol type by configuring the following items:
    - Protocol Type: Indicates the frame type. It corresponds to the type-code field of Ethernet_II and Ethernet_SNAP frames.
    - Protocol Mask: Indicates the wildcard.
    TIP:
    You can select only one of the LSAP Type option and the Protocol Type option.

Time Range: Select the time range during which the rule takes effect.

Adding an IPv6 ACL

1. Select QoS > ACL IPv6 from the navigation tree.
2. Click the Add tab to enter the IPv6 ACL adding page, as shown in Figure 537.

Figure 537 Adding an IPv6 ACL

3. Configure the IPv6 ACL information, as described in Table 168.
4. Click Apply.

Table 168 Configuration items

ACL Number: Enter a number for the IPv6 ACL.

Match Order: Select a match order for the ACL. Available values are:
  - Config: Packets are compared against ACL rules in the order the rules are configured.
  - Auto: Packets are compared against ACL rules in the depth-first match order.

Description: Set the description for the ACL.

Configuring a rule for a basic IPv6 ACL

1. Select QoS > ACL IPv6 from the navigation tree.
2. Click the Basic Setup tab to enter the rule configuration page for a basic IPv6 ACL, as shown in Figure 538.

Figure 538 Configuring a rule for a basic IPv6 ACL

3. Configure the basic IPv6 ACL rule information, as described in Table 169.
4. Click Add.

Table 169 Configuration items

Select Access Control List (ACL): Select the basic IPv6 ACL for which you want to configure rules. Available ACLs are basic IPv6 ACLs.

Rule ID: Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically.
  IMPORTANT:
  If the rule number you specify already exists, the following operations modify the configuration of the rule.

Operation: Select the operation to be performed for IPv6 packets matching the rule.
  - Permit: Allows matched packets to pass.
  - Deny: Drops matched packets.

Check Fragment: Select this option to apply the rule to only non-first fragments. If you do not select this option, the rule applies to all fragments and non-fragments.

Check Logging: Select this option to keep a log of matched IPv6 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.

Source IP Address, Source Prefix: Select the Source IP Address option and enter a source IPv6 address and prefix length. The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight 16-bit long fields, each of which is expressed with two hexadecimal numbers and separated from its neighboring fields by colon (:).

Time Range: Select the time range during which the rule takes effect.

Configuring a rule for an advanced IPv6 ACL

1. Select QoS > ACL IPv6 from the navigation tree.
2. Click the Advanced Setup tab to enter the rule configuration page for an advanced IPv6 ACL.

Figure 539 Configuring a rule for an advanced IPv6 ACL

3. Configure the advanced IPv6 ACL rule information, as described in Table 170.
4. Click Add.

Table 170 Configuration items

Select Access Control List (ACL): Select the advanced IPv6 ACL for which you want to configure rules. Available ACLs are advanced IPv6 ACLs.

Rule ID: Select the Rule ID option and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically.
  IMPORTANT:
  If the rule number you specify already exists, the following operations modify the configuration of the rule.

Operation: Select the operation to be performed for IPv6 packets matching the rule.
  - Permit: Allows matched packets to pass.
  - Deny: Drops matched packets.

Check Fragment: Select this option to apply the rule to only non-first fragments. If you do not select this option, the rule applies to all fragments and non-fragments.

Check Logging: Select this option to keep a log of matched IPv6 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.

IP Address Filter
  Source IP Address, Source Prefix: Select the Source IP Address option and enter a source IPv6 address and prefix length. The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight 16-bit long fields, each of which is expressed with two hexadecimal numbers and separated from its neighboring fields by colon (:).
  Destination IP Address, Destination Prefix: Select the Destination IP Address option and enter a destination IPv6 address and prefix length. The IPv6 address must be in a format like X:X::X:X. An IPv6 address consists of eight 16-bit long fields, each of which is expressed with two hexadecimal numbers and separated from its neighboring fields by colon (:).

Protocol: Select the protocol to be carried by IP. If you select 58 ICMPv6, you can configure the ICMP message type and code; if you select 6 TCP or 17 UDP, you can configure the TCP or UDP specific items.

ICMPv6 Type (these items are available only when you select 58 ICMPv6 from the Protocol list)
  Named ICMPv6 Type, ICMPv6 Type, ICMPv6 Code: Specify the ICMPv6 message type and code. If you select Other from the Named ICMPv6 Type list, you must enter values in the ICMPv6 Type and ICMPv6 Code fields. Otherwise, the two fields will take the default values, which cannot be changed.

TCP/UDP
  Source: Operator, Port, To Port
  Destination: Operator, Port, To Port
  Select the operators and enter the source port numbers and destination port numbers as required.

Time Range: Select the time range during which the rule takes effect.

Configuring line rate

Line rate uses token buckets to control traffic. The line rate of a physical interface specifies the maximum rate for forwarding packets (including critical packets). Line rate can limit all the packets passing a physical interface.
To configure line rate:
1. Select QoS > Line rate from the navigation tree.
2. Click the Setup tab to enter the line rate configuration page, as shown in Figure 540.

Figure 540 Configuring line rate on a port

3. Configure line rate, as described in Table 171.
4. Click Apply.

Table 171 Configuration items

Please select an interface type: Select the types of interfaces to be configured with line rate. The interface types available for selection depend on your device model.

Rate Limit: Select Enable or Disable to enable or disable line rate on the specified port.

Direction: Select a direction in which the line rate is to be applied.
  - Inbound: Limits the rate of packets received on the specified port.
  - Outbound: Limits the rate of packets sent by the specified port.

CIR: Set the committed information rate (CIR), the average traffic rate.

CBS: Set the committed burst size (CBS), the number of bits that can be sent in each interval.

EBS: Set the excess burst size (EBS). This configuration item is not supported.

Please select port(s): Specify the ports to be configured with line rate. Click the ports to be configured with line rate in the port list. You can select one or more ports.
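The single token bucket that CIR and CBS describe, as an added example (not the device's implementation): tokens accrue at the CIR, the bucket never holds more than the CBS, and a packet conforms only if the bucket holds enough tokens for it. The units (CIR in kbps, CBS and packet sizes in bytes) and the sample arrivals are assumptions of this example.

```python
"""Added illustration (not the device's implementation) of the single token
bucket behind line rate (Table 171): tokens accrue at CIR, the bucket holds
at most CBS, and a packet conforms only if enough tokens are present.
Units are assumptions: CIR in kbps, CBS and packet sizes in bytes."""


class TokenBucket:
    def __init__(self, cir_kbps: float, cbs_bytes: int):
        self.rate = cir_kbps * 1000 / 8   # token refill rate in bytes per second
        self.capacity = cbs_bytes          # bucket depth: the largest burst allowed
        self.tokens = float(cbs_bytes)     # the bucket starts full
        self.last = 0.0                    # time of the previous refill

    def offer(self, t: float, size: int) -> bool:
        """Refill for the time elapsed since the last packet, then spend tokens
        if the packet fits; return whether the packet conforms to CIR/CBS."""
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def simulate(cir_kbps: float, cbs_bytes: int, packets):
    """packets: list of (arrival time in seconds, size in bytes), in time order.
    Returns one bool per packet: True if it conforms, False if it exceeds the rate."""
    bucket = TokenBucket(cir_kbps, cbs_bytes)
    return [bucket.offer(t, size) for t, size in packets]


# Constructed sample: 64 kbps (8000 bytes/s) with a 1500-byte burst allowance.
SAMPLE = [(0.0, 1500), (0.01, 1500), (0.2, 1500), (0.3, 500), (0.3, 500)]

if __name__ == "__main__":
    for (t, size), ok in zip(SAMPLE, simulate(64, 1500, SAMPLE)):
        print(f"t={t:.2f}s {size:5d} B -> {'conforms' if ok else 'exceeds CIR/CBS'}")
```

The second packet arrives 10 ms after the first, when only 80 bytes of tokens have accrued, and is the one that exceeds the rate; a larger CBS would let both pass at the cost of a bigger burst.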

Configuring the priority trust mode of a port

Priority mapping overview
When a packet enters a device, the device assigns a set of QoS priority parameters to the packet based on a certain priority field carried in the packet, and sometimes may modify its priority according to certain rules depending on device status. This process is called "priority mapping". The set of QoS priority parameters decides the scheduling priority and forwarding priority of the packet.
The device provides various types of priority mapping tables, or rather, priority mappings. By looking up a priority mapping table, the device decides which priority value to assign to a packet for subsequent packet processing.
You can configure priority mapping by trusting packet priority or trusting port priority:
- If packet priority is trusted, the device uses the specified priority field of the incoming packet to look up the priority mapping tables for the set of QoS priority parameters to assign to the packet. If a received packet does not carry the specified priority field, the device uses the port priority to look up the priority mapping tables instead.
- If port priority is trusted, the device uses the port priority rather than the packet priority to look up the priority mapping tables for the set of QoS priority parameters to assign to the packet.

Configuring priority mapping

Two approaches are available for configuring the priority trust mode on a port for priority mapping:
- In the first approach, you can configure a port to use the 802.1p or 802.11e priority carried in received packets for priority mapping. This approach is supported for the WLAN-ESS interface in addition to other types of interface.
- In the second approach, more options are available. In addition, you can change the port priority (local precedence) of a port for priority mapping. This approach is not supported on the WLAN-ESS interface.

Approach 1
1. Select QoS > Trust Mode from the navigation tree to enter the priority trust mode configuration page, as shown in Figure 541.

Figure 541 Configuring priority trust mode

2. Configure the priority trust mode of the interfaces, as described in Table 172.
3. Click Apply.


Table 172 Configuration items

Please select the interface type: Select the type of the ports to be configured. The interface types available for selection depend on your device model.
  IMPORTANT:
  If a WLAN-ESS interface in use has WLAN-DBSS interfaces created on it, its priority cannot be modified. To modify the priority of the WLAN-ESS interface, you must stop the service the interface provides (make the current users on the interface offline).

Trust Mode: Select the priority trust mode:
  - Dot1p: Uses the 802.1p priority of received packets for mapping.
  - Dscp: Uses the DSCP value of received packets for mapping.
  - Dot11e: Uses the 802.11e priority of received packets for mapping. This option is applicable to only WLAN-ESS interfaces.
  IMPORTANT:
  Support for priority trust modes depends on the interface type. The supported priority trust modes are shown in the Trust Mode list.

(Select the ports): Specify the ports to be configured. Click the ports to be configured in the port list. You can select one or more ports.

Approach 2
1. Select QoS > Port Priority from the navigation tree to enter the page shown in Figure 542.

Figure 542 Port priority

2. Click the icon for a port to enter the page for configuring the priority and priority trust mode of the port, as shown in Figure 543.

Figure 543 Modify the port priority

3. Set the port priority, as described in Table 173.
4. Click Apply.

Table 173 Configuration items

Interface Name: Name of the interface to be configured.

Priority: Set the local precedence value for the port. Local precedence is allocated by the device and has only local significance. A local precedence value corresponds to an output queue. A packet with higher local precedence is assigned to a higher priority output queue to be preferentially scheduled.

Trust Mode: Set the priority trust mode of the port:
  - Untrust: Uses the port priority rather than a packet priority value for priority mapping.
  - Dot1p: Uses the 802.1p priority of received packets for priority mapping.
  - DSCP: Uses the DSCP value of received packets for priority mapping.
  IMPORTANT:
  Support for priority trust modes depends on the interface type.

Configuring a QoS policy

Recommended QoS policy configuration procedure
A QoS policy defines what QoS actions to take on what class of traffic for purposes such as traffic shaping or traffic policing. Before configuring a QoS policy, be familiar with these concepts: class, traffic behavior, and policy.

Class
Classes identify traffic.
A class is identified by a class name and contains some match criteria for identifying traffic. The relationship between the criteria can be:
- AND: A packet is considered to belong to a class only when the packet matches all the criteria in the class.
- OR: A packet is considered to belong to a class if it matches any of the criteria in the class.

Traffic behavior
A traffic behavior, identified by a name, defines a set of QoS actions for packets.

Policy
A policy associates a class with a traffic behavior to define what actions to take on which class of traffic. You can define multiple class-traffic behavior associations in a policy.
You can apply a policy to a port to regulate traffic sent or received on the port. A QoS policy can be applied to multiple ports, but in one direction (inbound or outbound) of a port, only one QoS policy can be applied.

1. Adding a class: Required. Add a class and specify the operator of the class.
2. Configuring classification rules: Required. Configure match criteria for the class.
3. Adding a traffic behavior: Required. Add a traffic behavior.
4. Configuring actions for a traffic behavior: Use either approach. Configure various actions for the traffic behavior.
5. Adding a policy: Required. Add a policy.
6. Configuring classifier-behavior associations for the policy: Required. Associate a traffic behavior with a class in the QoS policy. You can associate a class with only one traffic behavior in a QoS policy. If a class is associated with multiple traffic behaviors, the last associated one takes effect.
7. Apply the policy (Applying a policy to a port, or Applying a QoS policy to a WLAN service): Use either approach. Apply the QoS policy to a port or a WLAN service.
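The class, traffic behavior and policy model just described, as an added example (not H3C code): a class holds match rules joined by AND or OR, a policy keeps only the last behavior associated with a class, and each direction of a port accepts one policy. That the first matching class in a policy decides a packet's behavior, and the packet representation as a dict of header fields, are assumptions; the sample classes and behavior names are constructed.

```python
"""Added illustration (not H3C code) of the class / traffic behavior / policy
model: a class is a named set of match rules joined by AND or OR, a policy
maps each class to one behavior (a later association replaces the earlier
one), and each direction of a port holds at most one policy. Assumed: the
first class in a policy that matches a packet decides its behavior, and a
packet is a plain dict of header fields."""
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]
Rule = Callable[[Packet], bool]


def value_rule(field: str, values) -> Rule:
    """A DSCP, IP precedence or 802.1p rule as Table 175 describes it: up to
    eight values, duplicates collapsed, kept in ascending order, ORed together."""
    vals = sorted(set(values))
    if len(vals) > 8:
        raise ValueError(f"at most eight {field} values per rule")
    return lambda pkt: pkt.get(field) in vals


def mac_rule(field: str, mac: str) -> Rule:
    """Source or destination MAC rule; MACs written as xxxx-xxxx-xxxx."""
    return lambda pkt: str(pkt.get(field, "")).lower() == mac.lower()


def any_rule() -> Rule:
    """The 'Any' item: matches every packet."""
    return lambda pkt: True


class Classifier:
    def __init__(self, name: str, operator: str = "and"):
        if operator not in ("and", "or"):
            raise ValueError("operator must be 'and' or 'or'")
        self.name, self.operator = name, operator
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> "Classifier":
        self.rules.append(rule)          # rules accumulate; a new one never overwrites
        return self

    def matches(self, pkt: Packet) -> bool:
        results = [rule(pkt) for rule in self.rules]
        if not results:
            return False                 # assumed: a class without rules matches nothing
        return all(results) if self.operator == "and" else any(results)


class QosPolicy:
    def __init__(self, name: str):
        self.name = name
        self._assoc: Dict[str, Tuple[Classifier, str]] = {}

    def associate(self, cls: Classifier, behavior: str) -> None:
        """One behavior per class: re-associating replaces the earlier behavior."""
        self._assoc[cls.name] = (cls, behavior)

    def behavior_for(self, pkt: Packet) -> Optional[str]:
        for cls, behavior in self._assoc.values():
            if cls.matches(pkt):
                return behavior
        return None                      # no class matched: this policy takes no action


class Port:
    def __init__(self, name: str):
        self.name = name
        self.policies: Dict[str, QosPolicy] = {}

    def apply(self, policy: QosPolicy, direction: str) -> None:
        """Only one policy per direction (inbound or outbound) of a port."""
        if direction not in ("inbound", "outbound"):
            raise ValueError("direction must be 'inbound' or 'outbound'")
        current = self.policies.get(direction)
        if current is not None and current is not policy:
            raise ValueError(f"{self.name} {direction} already has policy {current.name}")
        self.policies[direction] = policy


# Constructed sample policy.
VOICE = (Classifier("voice", "or")
         .add_rule(value_rule("dscp", [46, 40, 46]))      # duplicate 46 collapses
         .add_rule(value_rule("dot1p", [5])))
GW_BULK = (Classifier("gw-bulk", "and")
           .add_rule(value_rule("ip_precedence", [0]))
           .add_rule(mac_rule("src_mac", "000f-e212-7788")))
POLICY = QosPolicy("wlan-qos")
POLICY.associate(VOICE, "remark-ef")
POLICY.associate(GW_BULK, "police-1m")
POLICY.associate(GW_BULK, "police-512k")   # replaces police-1m for this class

if __name__ == "__main__":
    print(POLICY.behavior_for({"dscp": 40}))                                       # remark-ef
    print(POLICY.behavior_for({"ip_precedence": 0, "src_mac": "000F-E212-7788"}))  # police-512k
```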

Adding a class
1. Select QoS > Classifier from the navigation tree.
2. Click the Add tab to enter the page for adding a class, as shown in Figure 544.

Figure 544 Adding a class

3. Configure the class information, as described in Table 174.
4. Click Add.

Table 174 Configuration items

Classifier Name: Specify a name for the classifier to be added.

Operator: Specify the logical relationship between rules of the classifier.
  - And: Specifies the relationship between the rules in a class as logical AND. The device considers a packet to belong to a class only when the packet matches all the rules in the class.
  - Or: Specifies the relationship between the rules in a class as logical OR. The device considers a packet to belong to a class as long as the packet matches one of the rules in the class.

Configuring classification rules

1. Select QoS > Classifier from the navigation tree.
2. Click the Setup tab to enter the page for setting a class, as shown in Figure 545.

Figure 545 Configuring classification rules

3. Configure classification rules, as described in Table 175.
4. Click Apply. A progress dialog box appears.
5. Click Close on the progress dialog box when it prompts that the configuration succeeds.

Table 175 Configuration items

Please select a classifier: Select an existing classifier in the list.

Any: Define a rule to match all packets. Select the option to match all packets.

DSCP: Define a rule to match DSCP values. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one. You can configure up to eight DSCP values each time. If multiple identical DSCP values are specified, the system considers them as one. The relationship between different DSCP values is OR. After such configurations, all the DSCP values are arranged in ascending order automatically.

IP Precedence: Define a rule to match IP precedence values. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one. You can configure up to eight IP precedence values each time. If multiple identical IP precedence values are specified, the system considers them as one. The relationship between different IP precedence values is OR. After such configurations, all the IP precedence values are arranged in ascending order automatically.

Classifier: Define a rule to match a QoS class.
  TIP:
  This configuration item is not supported.

Inbound Interface: Define a rule to match inbound interfaces.
  TIP:
  This configuration item is not supported.

RTP Port: Define a rule to match a range of RTP ports. Specify the start port in the from field and the end port in the to field.
  TIP:
  This configuration item is not supported.

Dot1p
  Service 802.1p: Define a rule to match the service 802.1p precedence values. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one. You can configure up to eight Dot1p values each time. If multiple identical Dot1p values are specified, the system considers them as one. The relationship between different Dot1p values is OR. After such configurations, all the Dot1p values are arranged in ascending order automatically.
    TIP:
    This configuration item is not supported.
  Customer 802.1p: Define a rule to match the customer 802.1p precedence values. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one. You can configure up to eight Dot1p values each time. If multiple identical Dot1p values are specified, the system considers them as one. The relationship between different Dot1p values is OR. After such configurations, all the Dot1p values are arranged in ascending order automatically.

MAC
  Source MAC: Define a rule to match a source MAC address. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one. A rule to match a source MAC address is significant only to Ethernet interfaces.
  Destination MAC: Define a rule to match a destination MAC address. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one. A rule to match a destination MAC address is significant only to Ethernet interfaces.

VLAN
  Service VLAN: Define a rule to match service VLAN IDs. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one. You can configure multiple VLAN IDs each time. If the same VLAN ID is specified multiple times, the system considers them as one. The relationship between different VLAN IDs is logical OR. After such a configuration. You can specify VLAN IDs in two ways:
    - Enter a range of VLAN IDs, such as 10-500. The number of VLAN IDs in the range is not limited.
    - Specify a combination of individual VLAN IDs and VLAN ID ranges, such as 3, 5-7, 10. You can specify up to eight VLAN IDs in this way.
    TIP:
    This configuration item is not supported.
  Customer VLAN: Define a rule to match customer VLAN IDs. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one. You can configure multiple VLAN IDs each time. If the same VLAN ID is
specified multiple times, the system considers them as one. The relationship
between different VLAN IDs is logical OR. You can specify VLAN IDs in two
ways:

Enter a range of VLAN IDs, such as 10-500. The number of VLAN IDs in the
range is not limited.

Specify a combination of individual VLAN IDs and VLAN ID ranges, such as


3, 5-7, 10. You can specify up to eight VLAN IDs in this way.

ACL

ACL IPv4

Define an IPv4 ACL-based rule.

ACL IPv6

Define an IPv6 ACL-based rule.

Adding a traffic behavior

1. Select QoS > Behavior from the navigation tree.
2. Click the Add tab to enter the page for adding a traffic behavior, as shown in Figure 546.
3. Set the traffic behavior name.
4. Click Add.

Figure 546 Adding a traffic behavior

Configuring actions for a traffic behavior

1. Select QoS > Behavior from the navigation tree.
2. Click the Setup tab to enter the page for setting a traffic behavior, as shown in Figure 547.

Figure 547 Setting a traffic behavior

3. Configure the traffic behavior actions, as described in Table 176.
4. Click Apply.
   A progress dialog box appears.
5. Click Close on the progress dialog box when the progress dialog box prompts that the
   configuration succeeds.

Table 176 Configuration items

Please select a behavior
  Select an existing behavior in the list.

CAR
  Enable/Disable
    Enable or disable CAR.
  CIR
    Set the committed information rate (CIR), the average traffic rate.
  CBS
    Set the committed burst size (CBS), number of bits that can be sent
    in each interval.
  Red (Discard or Pass)
    Set the action to perform for exceeding packets.
    After selecting the Red option, you can select one of the following
    options:
    • Discard: Drops the exceeding packet.
    • Pass: Permits the exceeding packet to pass through.

Remark
  IP Precedence
    Configure the action of marking IP precedence for packets.
    Select the IP Precedence option and then select the IP precedence
    value to be marked for packets in the following list. Select Not Set to
    cancel the action of marking IP precedence.
    TIP:
    This configuration item is not supported.
  Dot1p
    Configure the action of marking 802.1p precedence for packets.
    Select the Dot1p option and then select the 802.1p precedence
    value to be marked for packets in the following list. Select Not Set to
    cancel the action of marking 802.1p precedence.
  Local Precedence
    Configure the action of marking local precedence for packets.
    Select the Local Precedence option and then select the local
    precedence value to be marked for packets in the following list.
    Select Not Set to cancel the action of marking local precedence.
  DSCP
    Configure the action of marking DSCP values for packets.
    Select the DSCP option and then select the DSCP value to be marked
    for packets in the following list. Select Not Set to cancel the action of
    marking DSCP values.
    TIP:
    This configuration item is not supported.

Queue
  EF
    Max Bandwidth: Configure the maximum bandwidth for expedited forwarding (EF).
    CBS: Configure the CBS for EF.
    Percent: Configure the percent of available bandwidth for EF.
    CBS-Ratio: Configure the ratio of CBS to CIR for EF.
  AF
    Min Bandwidth: Configure the minimum guaranteed bandwidth for assured forwarding (AF).
    Percent: Configure the percent of available bandwidth for AF.
  WFQ
    Configure WFQ for the default class by entering the total number of fair queues, which
    must be the power of two.
  TIP:
  These configuration items are not supported.

Filter
  Configure the packet filtering action.
  After selecting the Filter option, select one item in the following list:
  • Permit: Forwards the packet.
  • Deny: Drops the packet.
  • Not Set: Cancels the packet filtering action.

Accounting
  Configure the traffic accounting action.
  Select the Accounting option and select Enable or Disable in the
  following list to enable/disable the traffic accounting action.
  TIP:
  This configuration item is not supported.

Adding a policy

1. Select QoS > QoS Policy from the navigation tree.
2. Click the Add tab to enter the page for adding a policy, as shown in Figure 548.
3. Set the policy name.
4. Click Add.

Figure 548 Adding a policy

Configuring classifier-behavior associations for the policy

1. Select QoS > QoS Policy from the navigation tree.
2. Click the Setup tab to enter the page for setting a policy, as shown in Figure 549.

Figure 549 Setting a policy

3. Configure classifier-behavior associations, as described in Table 177.
4. Click Apply.

Table 177 Configuration items

Please select a policy
  Select an existing policy in the list.

Classifier Name
  Select an existing classifier in the list.

Behavior Name
  Select an existing behavior in the list.

Applying a policy to a port

1. Select QoS > Port Policy from the navigation tree.
2. Click the Setup tab to enter the page for applying a policy to a port, as shown in Figure 550.

Figure 550 Applying a policy to a port

3. Select a policy and apply the policy to the specified ports, as described in Table 178.
4. Click Apply.

Table 178 Configuration items

Please select a policy
  Select an existing policy in the list.

Direction
  Set the direction in which you want to apply the policy.
  • Inbound: Applies the policy to the incoming packets of the specified ports.
  • Outbound: Applies the policy to the outgoing packets of the specified ports.

Please select port(s)
  Click the ports to which the QoS policy is to be applied in the port list. You can select
  one or more ports.

Applying a QoS policy to a WLAN service

1. Select QoS > Service Policy from the navigation tree to enter the service policy page shown
   in Figure 551.

Figure 551 Service policy

2. Click the icon for a wireless service to enter the service policy setup page shown in Figure 552.

Figure 552 Service policy setup

3. Apply the policy to the wireless service, as described in Table 179.
4. Click Apply.

Table 179 Configuration items

Wlan Service
  Display the specified WLAN service to which you want to apply a QoS policy.

Inbound Policy
  Apply the QoS policy to the packets received by the wireless service.

Outbound Policy
  Apply the QoS policy to the packets sent by the wireless service.

Trust Mode
  Set the priority trust mode:
  • Untrust: Trusts the port priority.
  • Dscp: Uses the DSCP values of received packets for mapping.
  • 802.11e: Uses the 802.11e priority of received 802.11 packets for mapping.

QoS Priority
  Set the local precedence value.

ACL and QoS configuration example

Network requirements
As shown in Figure 553, in the WLAN, the FTP server (10.1.1.1/24) is connected to the AC (SSID:
service1), and the wireless clients are connected to the AC through APs and a Layer 2 switch and access
the network resources.
Configure an ACL and a QoS policy on the AC to prohibit the wireless clients from accessing the FTP
server from 8:00 to 18:00 every day:
1. Add an ACL to prohibit the hosts from accessing the FTP server from 8:00 to 18:00 every day.
2. Configure a QoS policy to drop the packets matching the ACL.
3. Apply the QoS policy in the inbound direction of the wireless service named service1.

Figure 553 Network diagram
(Diagram: Client 1 and Client 2 connect through AP 1 and AP 2 and an L2 switch to the AC; the FTP
server, 10.1.1.1/24, is connected to the AC.)

Configuration procedure
NOTE:
Before performing the following configurations, make sure the AC has been configured with wireless
service service1. For more information about the wireless service configuration, see "Configuring access
services."
1. Define a time range to cover the time range from 8:00 to 18:00 every day:
   a. Select QoS > Time Range from the navigation tree.
   b. Click the Add tab.
   c. On the page as shown in Figure 554, enter the time range name test-time, select the Periodic
      Time Range option, set the Start Time to 8:00 and the End Time to 18:00, and select the
      options Sun through Sat.
   d. Click Apply.

Figure 554 Defining a time range covering 8:00 to 18:00 every day

2. Add an advanced IPv4 ACL:
   a. Select QoS > ACL IPv4 from the navigation tree.
   b. Click the Add tab.
   c. Enter the ACL number 3000.
   d. Click Apply.

Figure 555 Adding an advanced IPv4 ACL

3. Define an ACL rule for traffic to the FTP server:
   a. Click the Advanced Setup tab.
   b. On the page as shown in Figure 556, select 3000 in the ACL list, select the Rule ID option, and
      enter rule ID 2.
   c. Select Permit in the Action list.
   d. Select the Destination IP Address option, and enter IP address 10.1.1.1 and destination
      wildcard 0.0.0.0.
   e. Select test-time in the Time Range list.
   f. Click Add.

Figure 556 Defining an ACL rule for traffic to the FTP server

4. Add a class:
   a. Select QoS > Classifier from the navigation tree.
   b. Click the Add tab.
   c. On the page as shown in Figure 557, enter the class name class1.
   d. Click Add.

Figure 557 Adding a class

5. Define classification rules:
   a. Click the Setup tab.
   b. On the page as shown in Figure 558, select the class name class1 in the list, select the ACL IPv4
      option, and select ACL 3000 in the following list.
   c. Click Apply.
      A progress dialog box appears.
   d. Click Close on the progress dialog box when the progress dialog box prompts that the
      configuration succeeds.

Figure 558 Defining classification rules

6. Add a traffic behavior:
   a. Select QoS > Behavior from the navigation tree.
   b. Click the Add tab.
   c. On the page as shown in Figure 559, enter the behavior name behavior1.
   d. Click Add.

Figure 559 Adding a traffic behavior

7. Configure actions for the traffic behavior:
   a. Click the Setup tab.
   b. On the page as shown in Figure 560, select behavior1 in the list, select the Filter option, and
      then select Deny in the following list.
   c. Click Apply.
      A progress dialog box appears.
   d. Click Close when the progress dialog box prompts that the configuration succeeds.

Figure 560 Configuring actions for the behavior

8. Add a policy:
   a. Select QoS > QoS Policy from the navigation tree.
   b. Click the Add tab.
   c. On the page as shown in Figure 561, enter the policy name policy1.
   d. Click Add.

Figure 561 Adding a policy

9. Configure classifier-behavior associations for the policy:
   a. Click the Setup tab.
   b. On the page as shown in Figure 562, select policy1, select class1 in the Classifier Name list,
      and select behavior1 in the Behavior Name list.
   c. Click Apply.

Figure 562 Configuring classifier-behavior associations for the policy

10. Apply the QoS policy in the inbound direction of the wireless service named service1:
    a. Select QoS > Service Policy from the navigation tree.
    b. Click the icon for wireless service service1.
    c. On the page as shown in Figure 563, select the Inbound Policy option, and select policy1 from
       the following list.
    d. Click Apply.

Figure 563 Applying the QoS policy in the inbound direction of WLAN service service1

Verifying the configuration


After you complete these configurations, the QoS policy is successfully applied to the wireless service
named service1, and the wireless clients cannot access the FTP server at IP address 10.1.1.1/24 from
8:00 to 18:00 every day, but they can do that at any other time.
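The chain built in steps 1 through 10 is easy to misread: the ACL rule is a permit, yet the traffic is dropped, because the ACL only classifies and the behavior's Filter Deny is what drops. The following Python model, added here as an illustration and not code from H3C or from the access controller, reproduces that evaluation for the objects configured above (test-time, ACL 3000 rule 2, class1, behavior1, policy1). The class and function names are the example's own; the classifier semantics follow the software-interface rule in the configuration guidelines (a matching deny rule does not classify, so evaluation continues), and the end time of the periodic range is treated as exclusive, which is an assumption.

```python
"""Model of the ACL + QoS policy configured in the example (added illustration)."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class PeriodicTimeRange:
    """Periodic time range, such as test-time: 8:00 to 18:00, Sun through Sat."""
    name: str
    start: time
    end: time
    weekdays: frozenset  # Python weekday numbers, 0 = Monday ... 6 = Sunday

    def is_active(self, when: datetime) -> bool:
        # End time taken as exclusive (assumption of this model).
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass(frozen=True)
class AclRule:
    """One advanced IPv4 ACL rule: action, destination IP/wildcard and time range."""
    rule_id: int
    action: str                        # "permit" or "deny"
    dest_ip: str
    dest_wildcard: str                 # wildcard mask: a 1 bit means "don't care"
    time_range: Optional[PeriodicTimeRange] = None

    def matches(self, dst_ip: str, when: datetime) -> bool:
        if self.time_range is not None and not self.time_range.is_active(when):
            return False               # the rule is inactive outside its time range
        wild = int(ipaddress.IPv4Address(self.dest_wildcard))
        want = int(ipaddress.IPv4Address(self.dest_ip)) & ~wild
        return (int(ipaddress.IPv4Address(dst_ip)) & ~wild) == want


@dataclass
class Acl:
    number: int
    rules: List[AclRule] = field(default_factory=list)

    def classifies(self, dst_ip: str, when: datetime) -> bool:
        """Software-interface semantics from the guidelines: a matching permit rule
        classifies the packet; a matching deny rule does not take effect."""
        return any(r.matches(dst_ip, when) and r.action == "permit" for r in self.rules)


@dataclass
class Behavior:
    name: str
    filter_action: Optional[str] = None   # "permit", "deny" or None (Not Set)


@dataclass
class QosPolicy:
    name: str
    associations: List[Tuple[Acl, Behavior]]   # classifier-behavior pairs, in order

    def decide(self, dst_ip: str, when: datetime) -> str:
        """Return 'drop' or 'forward' for one inbound packet."""
        for acl, behavior in self.associations:
            if acl.classifies(dst_ip, when):
                return "drop" if behavior.filter_action == "deny" else "forward"
        return "forward"               # no class matched: the policy leaves the packet alone


def build_example_policy() -> QosPolicy:
    """The objects configured in the procedure: test-time, ACL 3000 rule 2,
    class1 (ACL IPv4 3000), behavior1 (Filter Deny) and policy1."""
    test_time = PeriodicTimeRange("test-time", time(8, 0), time(18, 0), frozenset(range(7)))
    acl3000 = Acl(3000, [AclRule(2, "permit", "10.1.1.1", "0.0.0.0", test_time)])
    behavior1 = Behavior("behavior1", filter_action="deny")
    return QosPolicy("policy1", [(acl3000, behavior1)])


def decide_at(dst_ip: str, stamp: str) -> str:
    """Convenience wrapper: stamp is 'YYYY-MM-DD HH:MM'."""
    return build_example_policy().decide(dst_ip, datetime.strptime(stamp, "%Y-%m-%d %H:%M"))


if __name__ == "__main__":
    for stamp, dst in [("2012-08-24 10:00", "10.1.1.1"),   # Friday, inside the range
                       ("2012-08-24 19:30", "10.1.1.1"),   # outside the range
                       ("2012-08-24 10:00", "10.1.1.2")]:  # not the FTP server
        print(stamp, dst, "->", decide_at(dst, stamp))
```

Packets to 10.1.1.1 between 8:00 and 18:00 are classified by class1 and dropped by behavior1; outside the time range rule 2 is inactive, nothing classifies the packet, and it is forwarded, which is the behavior described under "Verifying the configuration".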

Configuration guidelines
When you configure an ACL and QoS, follow these guidelines:
• You cannot add an ACL rule with, or modify a rule to have, the same permit/deny statement as an
  existing rule in the ACL.
• You can only modify the existing rules of an ACL that uses the match order of config. When
  modifying a rule of such an ACL, you may choose to change just some of the settings, in which case
  the other settings remain the same.
• When you configure line rate and traffic policing for a behavior, make sure the ratio of CBS to CIR
  is more than 100:16. Otherwise, the handling for bursty traffic may be affected.
• If an ACL is referenced by a QoS policy for defining traffic classification rules, the operation of the
  QoS policy varies by interface (the definition of software/hardware interface varies with device
  models). The specific process is as follows:
  - If the QoS policy is applied to a software interface and the referenced ACL rule is a deny
    clause, the ACL rule does not take effect and packets go to the next classification rule.
  - If the QoS policy is applied to a hardware interface, packets matching the referenced ACL rule
    are organized as a class and the behavior defined in the QoS policy applies to the class
    regardless of whether the referenced ACL rule is a deny or permit clause.
• If a QoS policy is applied in the outbound direction of a port, the QoS policy cannot influence local
  packets. Local packets refer to the important protocol packets that maintain the normal operation of
  the device. QoS must not process such packets to avoid packet drop. Commonly used local packets
  are: link maintenance packets, ISIS packets, OSPF packets, RIP packets, BGP packets, LDP packets,
  RSVP packets, and SSH packets and so on.
• When you configure queuing for a traffic behavior:
  - In a policy, a traffic behavior with EF configured cannot be associated with the default class,
    and a traffic behavior with WFQ configured can only be associated with the default class.
  - In a policy, the total bandwidth assigned to the AF and EF classes cannot be greater than the
    available bandwidth of the interface to which the policy applies; the total bandwidth
    percentage assigned to the AF and EF classes cannot be greater than 100%.
  - In the same policy, the same bandwidth unit must be used to configure bandwidth for AF
    classes and EF classes, either absolute bandwidth value or percent.
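The CAR items of Table 176 (CIR, CBS, and the Discard/Pass choice for red packets) and the guideline above on the CBS:CIR ratio both come down to token-bucket policing. The following Python example is added here to show that arithmetic; it is not H3C code and does not reproduce the device's policer. The guideline check compares the two values as entered on the Behavior page (an assumption about units); the simulation itself works in bits and bits per second, and the packet trace is constructed.

```python
"""Token-bucket view of CAR, added illustration (not the access controller's implementation)."""
from dataclasses import dataclass
from typing import List, Tuple


def cbs_cir_ratio_ok(cbs: int, cir: int) -> bool:
    """Guideline check: the ratio of CBS to CIR must be more than 100:16.
    Compares the two numbers as entered on the Behavior page (assumed units)."""
    return cbs * 16 > cir * 100


@dataclass
class TokenBucket:
    """Single-rate policer: tokens accrue at cir (bits/s) up to a depth of cbs (bits)."""
    cir: float
    cbs: float
    tokens: float = -1.0
    last_t: float = 0.0

    def __post_init__(self) -> None:
        if self.tokens < 0:
            self.tokens = self.cbs       # bucket starts full: a burst of up to CBS conforms

    def color(self, t: float, size_bits: int) -> str:
        """'green' (conforming) or 'red' (exceeding) for a packet arriving at time t (s)."""
        self.tokens = min(self.cbs, self.tokens + (t - self.last_t) * self.cir)
        self.last_t = t
        if size_bits <= self.tokens:
            self.tokens -= size_bits
            return "green"
        return "red"


def police(packets: List[Tuple[float, int]], cir: float, cbs: float, red_action: str) -> List[str]:
    """Apply CAR to (arrival_time_s, size_bits) packets. red_action is 'discard' or 'pass',
    the two choices offered under Red in Table 176."""
    bucket = TokenBucket(cir, cbs)
    out = []
    for t, size in packets:
        if bucket.color(t, size) == "green":
            out.append("pass")
        else:
            out.append("drop" if red_action == "discard" else "pass")
    return out


# Constructed trace: five 1500-byte frames arrive together at t=0, a sixth 100 ms later.
SAMPLE_BURST = [(0.0, 12_000)] * 5 + [(0.1, 12_000)]


def police_sample(red_action: str) -> List[str]:
    """CIR 1 Mbit/s with a CBS of only 30,000 bits: just the first two frames of the
    burst conform; by t=0.1 s the bucket has refilled and the sixth frame conforms."""
    return police(SAMPLE_BURST, cir=1_000_000, cbs=30_000, red_action=red_action)


if __name__ == "__main__":
    print("discard:", police_sample("discard"))   # pass pass drop drop drop pass
    print("pass:   ", police_sample("pass"))      # everything passes, only the color differs
```

With Discard, three frames of a perfectly ordinary burst are lost although the long-term rate is far below CIR; that is the effect the guideline warns about when CBS is small relative to CIR. Selecting Pass keeps the packets but still marks them as exceeding.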

Configuring wireless QoS


Overview
An 802.11 network offers wireless access based on the carrier sense multiple access with collision
avoidance (CSMA/CA) channel contention. All clients accessing the WLAN have equal channel
contention opportunities, and all applications carried on the WLAN use the same channel contention
parameters. A live WLAN, however, is required to provide differentiated access services to address
diversified requirements of applications for bandwidth, delay, and jitter.
When IEEE 802.11e was being standardized, Wi-Fi Alliance defined the Wi-Fi Multimedia (WMM)
standard to allow QoS provision devices of different vendors to interoperate. WMM makes a WLAN
network capable of providing QoS services.

Terminology
WMM
WMM is a wireless QoS protocol designed to preferentially transmit packets with high priority, and
guarantees better QoS services for voice and video applications in a wireless network.

EDCA
Enhanced distributed channel access (EDCA) is a channel contention mechanism designed by WMM to
preferentially transmit packets with high priority and allocate more bandwidth to such packets.

AC
WMM uses access categories (ACs) for handling channel contentions. WMM assigns WLAN data into
four access categories: AC-VO (voice), AC-VI (video), AC-BE (best-effort), and AC-BK (background), in
the descending order of priority. Each access category uses an independent priority queue for
transmitting data. When contention occurs, WMM guarantees that a high-priority access category
preempts a low-priority access category.

CAC
Connection admission control (CAC) limits the number of clients that are using high-priority access
categories (AC-VO and AC-VI) to guarantee sufficient bandwidth for existing high-priority traffic.

U-APSD
Unscheduled automatic power-save delivery (U-APSD) is a new power saving mechanism defined by
WMM to enhance the power saving capability of clients.

SVP
SpectraLink voice priority (SVP) is a voice priority protocol designed by the Spectralink company to
guarantee QoS for voice traffic.

WMM protocol overview


The distributed coordination function (DCF) in 802.11 stipulates that access points (APs) and clients use
the CSMA/CA access mechanism. APs or clients listen to the channel before they hold the channel for
data transmission. When the specified idle duration of the channel times out, APs or clients randomly
select a backoff slot within the contention window to perform backoff. The device that finishes backoff first
gets the channel. With 802.11, all devices have the same idle duration and contention window. They are
equal when contending for a channel. In WMM, this fair contention mechanism is changed.

EDCA parameters
WMM assigns data packets to four access categories. By allowing a high-priority access category to
have more channel contention opportunities than a low-priority access category, WMM offers different
service levels to access categories.
WMM defines a set of EDCA parameters for each access category, covering the following:
• Arbitration inter-frame spacing number (AIFSN): Different from the 802.11 protocol where the idle
  duration (set using DIFS) is a constant value, WMM can define an idle duration per access category.
  The idle duration increases as the AIFSN value increases (see Figure 564 for the AIFS durations).
• Exponent of CWmin (ECWmin) and exponent of CWmax (ECWmax): Determine the average
  backoff slots, which increases as the two values increase (see Figure 564 for the backoff slots).
• Transmission opportunity limit (TXOPLimit): Indicates the maximum time for which a user can hold
  a channel after a successful contention. The greater the TXOPLimit is, the longer the user can hold
  the channel. The value 0 indicates that the user can send only one packet each time it holds the
  channel.

Figure 564 Per-AC channel contention parameters in WMM

CAC admission policies

CAC requires that a client obtain permission of the AP before it can use a high-priority access category
for transmission, and guarantees bandwidth to the clients that have gained access. CAC controls real
time traffic (AC-VO and AC-VI traffic) but not common data traffic (AC-BE and AC-BK traffic).
To use a high-priority access category, a client must send a request to the AP. The AP returns a positive
or negative response based on either of the following admission control policies:
• Channel utilization-based admission policy: The AP calculates the total time that the existing
  high-priority access categories occupy the channel in one second, and then calculates the time that
  the requesting traffic will occupy the channel in one second. If the sum of the two values is smaller
  than or equal to the maximum hold time of the channel, the client can use the requested access
  category. Otherwise, the request is rejected.
• Users-based admission policy: If the number of clients using high-priority access categories plus
  the requesting clients is smaller than or equal to the maximum number of high-priority access
  category clients, the request is accepted. Otherwise, the request is rejected. During calculation, a
  client is counted once even if it is using both AC-VO and AC-VI.

U-APSD power-save mechanism


U-APSD improves the 802.11 APSD power saving mechanism. When associating clients with access
categories, specify some access categories as trigger-enabled, some access categories as
delivery-enabled, and the maximum number of data packets that can be delivered after receiving a
trigger packet. Both the trigger attribute and the delivery attribute can be modified when flows are
established using CAC. When a client sleeps, the delivery-enabled AC packets destined for the client are
buffered. The client needs to send a trigger-enabled AC packet to get the buffered packets. After the AP
receives the trigger packet, packets in the transmit queue are sent. The number of sent packets depends
on the agreement made when the client was admitted. Access categories without the delivery attribute
store and transmit packets as defined in the 802.11 protocol.
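The U-APSD description above has several moving parts (trigger-enabled ACs, delivery-enabled ACs, the agreed maximum number of packets per service period, legacy ACs) that are easier to follow in code. The following Python model is an added illustration, not H3C code, of one client's association state and of what happens when the sleeping client sends a trigger frame. Names are the example's own; the assumptions are that delivery-enabled queues are drained in descending AC priority order and that a maximum service period length of 0 means "all buffered packets".

```python
"""U-APSD buffering and service-period model for one client (added illustration)."""
from collections import deque
from typing import Deque, Dict, Iterable, List

AC_ORDER = ["AC-VO", "AC-VI", "AC-BE", "AC-BK"]   # descending priority, as in the overview


class UapsdSession:
    def __init__(self, max_sp_length: int, trigger_acs: Iterable[str], delivery_acs: Iterable[str]):
        self.max_sp_length = max_sp_length          # packets per service period; 0 = no limit (assumed)
        self.trigger_acs = set(trigger_acs)
        self.delivery_acs = set(delivery_acs)
        self.asleep = True                          # the interesting case: client in power save
        self.buffered: Dict[str, Deque[str]] = {ac: deque() for ac in AC_ORDER}
        self.legacy_buffered: Deque[str] = deque()  # held for legacy 802.11 power save delivery

    def ac_state(self, ac: str) -> str:
        """The same letters the client statistics page uses for APSD attributes."""
        t, d = ac in self.trigger_acs, ac in self.delivery_acs
        if t and d:
            return "T | D"
        if t:
            return "T"
        if d:
            return "D"
        return "L"

    def assoc_state(self) -> List[str]:
        return [self.ac_state(ac) for ac in AC_ORDER]

    def ap_downlink(self, ac: str, frame: str) -> str:
        """The AP has a frame for the client; returns where the frame went."""
        if not self.asleep:
            return "sent"
        if ac in self.delivery_acs:
            self.buffered[ac].append(frame)
            return "buffered (delivery-enabled)"
        self.legacy_buffered.append(frame)          # handled as defined in 802.11, not by U-APSD
        return "buffered (legacy 802.11 power save)"

    def client_uplink(self, ac: str, frame: str) -> List[str]:
        """The client transmits a frame. If the AC is trigger-enabled and the client is asleep,
        the AP starts a service period and returns the frames it releases."""
        if not (self.asleep and ac in self.trigger_acs):
            return []
        limit = self.max_sp_length if self.max_sp_length > 0 else None
        released: List[str] = []
        for dac in AC_ORDER:                        # higher-priority delivery queues drain first (assumed)
            q = self.buffered[dac]
            while q and (limit is None or len(released) < limit):
                released.append(q.popleft())
        return released

    def pending(self) -> int:
        """Delivery-enabled frames still waiting for the next trigger."""
        return sum(len(q) for q in self.buffered.values())


if __name__ == "__main__":
    s = UapsdSession(2, ["AC-VO", "AC-VI"], ["AC-VO", "AC-VI"])
    print(s.assoc_state())                          # ['T | D', 'T | D', 'L', 'L']
    for ac, f in [("AC-VO", "vo1"), ("AC-VO", "vo2"), ("AC-VI", "vi1"), ("AC-BE", "be1")]:
        print(ac, f, "->", s.ap_downlink(ac, f))
    print("AC-BE uplink releases", s.client_uplink("AC-BE", "data"))      # []
    print("AC-VO trigger releases", s.client_uplink("AC-VO", "trigger"))  # ['vo1', 'vo2']
    print("still pending", s.pending())                                   # 1
```

The model shows why a misconfigured trigger attribute matters: an uplink frame in an AC that is not trigger-enabled (AC-BE here) releases nothing, and the buffered voice frames wait until a trigger-enabled frame arrives.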

SVP service
SVP service implements differentiated treatment of SVP packets by mapping each SVP packet (IP protocol
number 119) to an access category, which corresponds to a transmit queue with certain priority.

ACK policy
WMM defines the following ACK policies:
• No ACK: When the no acknowledgement (No ACK) policy is used, the recipient does not
  acknowledge received packets during wireless packet exchange. This policy can improve
  transmission efficiency in the environment where communication quality is fine and interference is
  weak. However, in the environment where communication quality is poor, it can cause increased
  packet loss and deteriorated communication quality.
• Normal ACK: When the Normal ACK policy is used, the recipient acknowledges each received
  unicast packet.

Enabling wireless QoS

1. Select QoS > Wireless QoS from the navigation tree.
   By default, the Wireless QoS tab is displayed, as shown in Figure 565.

Figure 565 Wireless QoS

2. Select the option in front of the radio unit to be configured.
3. Click Enable.
   By default, wireless QoS is enabled.

NOTE:
The WMM protocol is the foundation of the 802.11n protocol. When the radio works in 802.11n (5 GHz)
or 802.11n (2.4 GHz) radio mode, you must enable WMM. Otherwise, the associated 802.11n clients
may fail to communicate.

Setting the SVP service

NOTE:
SVP mapping is applicable only to non-WMM clients.
1. Select QoS > Wireless QoS from the navigation tree.
   By default, the Wireless QoS tab is displayed, as shown in Figure 566.

Figure 566 Mapping SVP service to an access category

2. Click the icon in the Operation column for the desired AP to enter the page for mapping SVP
   service to an access category, as shown in Figure 567.

Figure 567 Mapping SVP service to an access category

3. Configure SVP mapping, as described in Table 180.
4. Click Apply.

Table 180 Configuration items

AP Name
  Displays the selected AP.

Radio
  Displays the selected AP's radio.

SVP Mapping
  Select the option before SVP Mapping, and then select an access category for SVP
  service:
  • AC-VO.
  • AC-VI.
  • AC-BE.
  • AC-BK.

Setting CAC admission policy

1. Select QoS > Wireless QoS from the navigation tree.
   By default, the Wireless QoS tab is displayed.
2. Click the icon in the Operation column for the desired AP to enter the page for setting CAC
   admission policy, as shown in Figure 568.

Figure 568 Setting CAC admission policy

3. Configure the CAC admission policy, as described in Table 181.
4. Click Apply.

Table 181 Configuration items

Client Number
  Users-based admission policy, or the maximum number of clients allowed to be
  connected. A client is counted only once, even if it is using both AC-VO and AC-VI.
  By default, the users-based admission policy applies, with the maximum number of
  users being 20.

Channel Utilization
  Channel utilization-based admission policy, or the rate of the medium time of the
  accepted AC-VO and AC-VI traffic to the valid time during the unit time. The valid
  time is the total time during which data is transmitted.
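The two admission policies described under "CAC admission policies" and selected in Table 181 can be written down as a few lines of bookkeeping. The following Python class is an added illustration, not H3C code: it implements the users-based policy (a client using both AC-VO and AC-VI counts once; the default limit of 20 comes from Table 181) and the channel utilization-based policy (admitted plus requested medium time per second must not exceed the channel's maximum hold time), and keeps counters named after fields of the radio statistics page. The maximum hold time value and all client names are constructed for the example.

```python
"""CAC admission decisions for one radio (added illustration, not the AC's implementation)."""
from typing import Dict, Set, Tuple

HIGH_PRIORITY_ACS = {"AC-VO", "AC-VI"}      # the only access categories CAC controls


class CacAdmission:
    def __init__(self, policy: str, max_clients: int = 20, max_medium_time_us: int = 1_000_000):
        """policy: 'users' (Client Number) or 'channel' (Channel Utilization).
        max_clients: users-based limit; the guide's default is 20.
        max_medium_time_us: channel-based limit, the maximum hold time of the channel
        per second (value constructed for this example)."""
        if policy not in ("users", "channel"):
            raise ValueError("policy must be 'users' or 'channel'")
        self.policy = policy
        self.max_clients = max_clients
        self.max_medium_time_us = max_medium_time_us
        self.admitted: Dict[str, Set[str]] = {}              # client -> admitted high-priority ACs
        self.medium_time: Dict[Tuple[str, str], int] = {}    # (client, ac) -> us occupied per second
        self.rejected_insufficient_resource = 0              # cf. "Calls rejected due to insufficient resource"

    def clients_accepted(self) -> int:
        """A client using both AC-VO and AC-VI is counted once."""
        return len(self.admitted)

    def total_request_medium_time_us(self) -> int:
        """cf. "Total request mediumtime(us)" on the radio statistics page."""
        return sum(self.medium_time.values())

    def request(self, client: str, ac: str, medium_time_us: int = 0) -> bool:
        """Client asks to use ac; medium_time_us is the channel time the flow needs per second."""
        if ac not in HIGH_PRIORITY_ACS:
            return True                                      # AC-BE / AC-BK traffic is not subject to CAC
        if self.policy == "users":
            new_client = client not in self.admitted
            ok = self.clients_accepted() + (1 if new_client else 0) <= self.max_clients
        else:
            already = self.medium_time.get((client, ac), 0)  # a re-request replaces its old reservation
            ok = self.total_request_medium_time_us() - already + medium_time_us <= self.max_medium_time_us
        if not ok:
            self.rejected_insufficient_resource += 1
            return False
        self.admitted.setdefault(client, set()).add(ac)
        self.medium_time[(client, ac)] = medium_time_us
        return True


if __name__ == "__main__":
    users = CacAdmission("users", max_clients=2)
    for client, ac in [("c1", "AC-VO"), ("c1", "AC-VI"), ("c2", "AC-VO"), ("c3", "AC-VO"), ("c3", "AC-BE")]:
        print("users-based:", client, ac, "->", "accepted" if users.request(client, ac) else "rejected")
    chan = CacAdmission("channel", max_medium_time_us=1_000_000)
    for client, ac, mt in [("c1", "AC-VO", 600_000), ("c2", "AC-VI", 300_000), ("c3", "AC-VO", 200_000)]:
        print("channel-based:", client, ac, mt, "->", "accepted" if chan.request(client, ac, mt) else "rejected")
```

Under the users-based policy the second request from c1 does not consume a client slot, so c2 still fits and only c3 is refused; under the channel-based policy c3 is refused because 600,000 + 300,000 + 200,000 µs would exceed the one-second hold time, while a smaller flow from the same client would be admitted.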

Setting radio EDCA parameters for APs

1. Select QoS > Wireless QoS from the navigation tree.
   By default, the Wireless QoS tab is displayed.
2. Click the icon in the Operation column for the desired AP to enter the page for configuring
   wireless QoS.
3. On the radio EDCA list, click the icon in the Operation column for the desired priority type
   (AC_BK, for example) to enter the page for setting radio EDCA parameters.

Figure 569 Setting radio EDCA parameters

4. Configure the radio EDCA parameters, as described in Table 182.
5. Click Apply.

Table 182 Configuration items

AP Name
  Displays the selected AP.

Radio
  Displays the selected AP's radio.

Priority type
  Displays the priority type.

AIFSN
  Arbitration inter-frame spacing number used by the AP.

TXOP Limit
  Transmission opportunity limit used by the AP.

ECWmin
  Exponent of CWmin used by the AP.

ECWmax
  Exponent of CWmax used by the AP.

No ACK
  If you select the option before No ACK, the No ACK policy is used by the AP.
  By default, the normal ACK policy is used by the AP.

Table 183 Default radio EDCA parameters

Access category   TXOP Limit   AIFSN   ECWmin   ECWmax
AC-BK                                            10
AC-BE
AC-VI             94
AC-VO             47

NOTE:
ECWmin cannot be greater than ECWmax.
On an AP operating in 802.11b radio mode, H3C recommends that you set the TXOP-Limit to 0, 0, 188,
and 102 for AC-BK, AC-BE, AC-VI, and AC-VO.
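The four EDCA parameters of Table 182 (and the AIFSN, ECWmin/ECWmax and TXOPLimit description under "EDCA parameters") translate into channel time as follows. The Python example below is an added illustration, not H3C code: it computes the AIFS idle time, the contention window bounds, the TXOP in microseconds and the expected wait before a first transmission attempt per access category, and enforces the NOTE that ECWmin cannot be greater than ECWmax. The slot and SIFS durations are assumed 802.11a/g OFDM values, the 32 µs TXOP unit is the one 802.11e defines, and in the sample parameter set only the TXOP Limit values 94 and 47 and the AC-BK ECWmax of 10 come from Table 183; the remaining numbers are assumptions.

```python
"""EDCA parameter arithmetic per access category (added illustration, not H3C code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed PHY timing (802.11a/g OFDM); not taken from this guide.
SLOT_US = 9
SIFS_US = 16
TXOP_UNIT_US = 32        # 802.11e expresses TXOP Limit in units of 32 microseconds


@dataclass(frozen=True)
class EdcaParams:
    aifsn: int
    ecwmin: int
    ecwmax: int
    txop_limit: int      # in 32 us units; 0 = only one packet per channel access

    def validate(self) -> None:
        """The NOTE above: ECWmin cannot be greater than ECWmax."""
        if self.ecwmin > self.ecwmax:
            raise ValueError(f"ECWmin {self.ecwmin} is greater than ECWmax {self.ecwmax}")
        if self.aifsn < 1 or self.txop_limit < 0:
            raise ValueError("AIFSN must be at least 1 and TXOP Limit must not be negative")


def edca_is_valid(p: EdcaParams) -> bool:
    try:
        p.validate()
        return True
    except ValueError:
        return False


def aifs_us(aifsn: int) -> int:
    """AIFS = SIFS + AIFSN * slot: the idle time an AC waits before starting backoff."""
    return SIFS_US + aifsn * SLOT_US


def cw_range(ecwmin: int, ecwmax: int) -> Tuple[int, int]:
    """Contention window bounds in slots: CW = 2**ECW - 1."""
    return (2 ** ecwmin - 1, 2 ** ecwmax - 1)


def txop_us(txop_limit: int) -> int:
    return txop_limit * TXOP_UNIT_US


def expected_first_access_us(p: EdcaParams) -> float:
    """Mean wait before a first attempt: AIFS plus the mean of a uniform backoff over [0, CWmin]."""
    cwmin, _ = cw_range(p.ecwmin, p.ecwmax)
    return aifs_us(p.aifsn) + (cwmin / 2) * SLOT_US


def rank_by_access_priority(params_by_ac: Dict[str, EdcaParams]) -> List[str]:
    """Access categories ordered by expected access wait, shortest first."""
    for p in params_by_ac.values():
        p.validate()
    return sorted(params_by_ac, key=lambda ac: expected_first_access_us(params_by_ac[ac]))


# Sample set. TXOP Limit 94 / 47 and the AC-BK ECWmax of 10 are from Table 183;
# every other number here is an assumption for the illustration.
SAMPLE_AP_EDCA: Dict[str, EdcaParams] = {
    "AC-BK": EdcaParams(aifsn=7, ecwmin=4, ecwmax=10, txop_limit=0),
    "AC-BE": EdcaParams(aifsn=3, ecwmin=4, ecwmax=6, txop_limit=0),
    "AC-VI": EdcaParams(aifsn=1, ecwmin=3, ecwmax=4, txop_limit=94),
    "AC-VO": EdcaParams(aifsn=1, ecwmin=2, ecwmax=3, txop_limit=47),
}


if __name__ == "__main__":
    for ac in rank_by_access_priority(SAMPLE_AP_EDCA):
        p = SAMPLE_AP_EDCA[ac]
        print(f"{ac}: AIFS {aifs_us(p.aifsn)} us, CW {cw_range(p.ecwmin, p.ecwmax)} slots, "
              f"TXOP {txop_us(p.txop_limit)} us, expected first access {expected_first_access_us(p)} us")
```

The ranking makes the "more channel contention opportunities" statement concrete: with these values AC-VO expects to start transmitting after about 38.5 µs, AC-BK after about 146.5 µs, and AC-VO can then hold the channel for 1504 µs while AC-BK sends a single packet.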

Setting client EDCA parameters for wireless clients

1. Select QoS > Wireless QoS from the navigation tree.
   By default, the Wireless QoS tab is displayed.
2. Click the icon in the Operation column for the desired AP to enter the page for configuring
   wireless QoS.
3. On the client EDCA list, click the icon in the Operation column for the desired priority type
   (AC_BK, for example) to enter the page for setting client EDCA parameters.

Figure 570 Setting client EDCA parameters

4. Configure the client EDCA parameters, as described in Table 184.
5. Click Apply.

Table 184 Configuration items

AP Name
  Displays the selected AP.

Radio
  Displays the selected AP's radio.

Priority type
  Displays the priority type.

AIFSN
  Arbitration inter-frame spacing number used by clients.

TXOP Limit
  Transmission opportunity limit used by clients.

ECWmin
  Exponent of CWmin used by clients.

ECWmax
  Exponent of CWmax used by clients.

CAC
  Enable CAC:
  • Enable: Enable CAC.
  • Disable: Disable CAC.
  AC-VO and AC-VI support CAC, which is disabled by default. This item is not
  available for AC-BE or AC-BK, because they do not support CAC.

Table 185 Default EDCA parameters for clients

Access category   TXOP Limit   AIFSN   ECWmin   ECWmax
AC-BK                                            10
AC-BE                                            10
AC-VI             94
AC-VO             47

NOTE:
ECWmin cannot be greater than ECWmax.
If all clients operate in 802.11b radio mode, set TXOPLimit to 188 and 102 for AC-VI and AC-VO.
If some clients operate in 802.11b radio mode and some clients operate in 802.11g radio mode in the
network, H3C recommends the TXOPLimit parameters in Table 185.
Once you enable CAC for an access category, it is enabled automatically for all higher priority access
categories. For example, if you enable CAC for AC-VI, CAC is also enabled for AC-VO. However,
enabling CAC for AC-VO does not enable CAC for AC-VI.

Displaying the radio statistics

1. Select QoS > Wireless QoS from the navigation tree.
2. Click the Radio Statistics tab to enter the page displaying radio statistics.
3. Click an AP to see its details.

Figure 571 Displaying the radio statistics

Table 186 Field description

AP ID
  AP ID.

AP Name
  AP name.

Radio
  Radio ID.

Client EDCA update count
  Number of client EDCA parameter updates.

QoS mode
  QoS mode:
  • WMM: Indicates that the client is a QoS client.
  • None: Indicates that the client is a non-QoS client.

Radio chip QoS mode
  Radio chip's support for the QoS mode.

Radio chip max AIFSN
  Maximum AIFSN allowed by the radio chip.

Radio chip max ECWmin
  Maximum ECWmin allowed by the radio chip.

Radio chip max TXOPLimit
  Maximum TXOPLimit allowed by the radio chip.

Radio chip max ECWmax
  Maximum ECWmax allowed by the radio chip.

Client accepted
  Number of clients that have been admitted to access the radio, including the
  number of clients that have been admitted to access the AC-VO and the AC-VI
  queues.

Total request mediumtime(us)
  Total requested medium time, including that of the AC-VO and the AC-VI
  queues.

Calls rejected due to insufficient resource
  Number of requests rejected due to insufficient resources.

Calls rejected due to invalid parameters
  Number of requests rejected due to invalid parameters.

Calls rejected due to invalid mediumtime
  Number of requests rejected due to invalid medium time.

Calls rejected due to invalid delaybound
  Number of requests rejected due to invalid delay bound.

Displaying the client statistics

1. Select QoS > Wireless QoS from the navigation tree.
2. Click the Client Statistics tab to enter the page displaying client statistics.
3. Click a client name to see its details.

Figure 572 Displaying the client statistics

Table 187 Field description

MAC address
  MAC address of the client.

SSID
  Service set ID (SSID).

QoS Mode
  QoS mode:
  • WMM: Indicates that QoS mode is enabled.
  • None: Indicates that QoS mode is not enabled.

Max SP length
  Maximum service period.

AC
  Access category.

State
  APSD attribute of an access category:
  • T: The access category is trigger-enabled.
  • D: The access category is delivery-enabled.
  • T | D: The access category is both trigger-enabled and delivery-enabled.
  • L: The access category is of legacy attributes.

Assoc State
  APSD attribute of the four access categories when a client accesses the AP.

Uplink CAC packets
  Number of uplink CAC packets.

Uplink CAC bytes
  Number of uplink CAC bytes.

Downlink CAC packets
  Number of downlink CAC packets.

Downlink CAC bytes
  Number of downlink CAC bytes.

Downgrade packets
  Number of downgraded packets.

Downgrade bytes
  Number of downgraded bytes.

Discard packets
  Number of dropped packets.

Discard bytes
  Number of dropped bytes.

Setting rate limiting

The WLAN provides limited bandwidth for each AP. Because the bandwidth is shared by wireless clients
attached to the AP, aggressive use of bandwidth by a client will affect other clients. To ensure fair use of
bandwidth, rate limit traffic of clients in either of the following approaches:
• Configure the total bandwidth shared by all clients in the same BSS. This is called "dynamic mode".
  The rate limit of a client is the configured total rate/the number of online clients. For example, if the
  configured total rate is 10 Mbps and five clients are online, the rate of each client is 2 Mbps.
• Configure the maximum bandwidth that can be used by each client in the BSS. This is called "static
  mode". For example, if the configured rate is 1 Mbps, the rate limit of each user online is 1 Mbps.
  When the set rate limit multiplied by the number of access clients exceeds the available bandwidth
  provided by the AP, no clients can get the guaranteed bandwidth.

Setting wireless service-based client rate limiting

You can configure the access controller to limit client rates for a service within a BSS.
To set wireless service-based client rate limiting:
1. Select QoS > Wireless QoS from the navigation tree on the left.
2. Click the Client Rate Limit tab.
3. Click Add in the Service-Based Configuration area to enter the page for setting wireless
service-based client rate limits, as shown in Figure 573.

Figure 573 Setting wireless service-based client rate limiting

4. Configure service-based client rate limiting, as described in Table 188.
5. Click Apply.

Table 188 Configuration items

Wireless Service: Select an existing wireless service.
Direction: Set the traffic direction:
  • Inbound: Traffic from client to AP.
  • Outbound: Traffic from AP to client.
  • Both: Both inbound and outbound traffic.
Mode: Set a rate limiting mode:
  • Static: Limits the rate of each client to a fixed value.
  • Dynamic: Limits the total rate of all clients to a fixed value.
Rate: Set the rate of the clients.
  If you select the static mode, Per-Client Rate is displayed, and the rate is the rate of each client.
  If you select the dynamic mode, Total Rate is displayed, and the rate is the total rate of all clients.

Setting radio-based client rate limiting

You can configure the access controller to limit client rates for a radio.
To set radio-based client rate limiting:
1. Select QoS > Wireless QoS from the navigation tree on the left.
2. Click the Client Rate Limit tab.
3. Click Add in the Radio-Based Configuration area to enter the page for setting radio-based client
rate limiting, as shown in Figure 574.

Figure 574 Setting radio-based client rate limiting

4. Configure radio-based client rate limiting, as described in Table 189.
5. Click Apply.

Table 189 Configuration items

Radio List: List of available radios. You can create rate limiting rules for one or multiple radios.
Direction: Traffic direction:
  • Inbound: Traffic from clients to the AP.
  • Outbound: Traffic from the AP to clients.
  • Both: Includes inbound traffic (traffic from clients to the AP) and outbound traffic
(traffic from the AP to clients).
Mode: Rate limiting mode:
  • Static: Limits the rate of each client to a fixed value.
  • Dynamic: Limits the total rate of all clients to a fixed value.
Rate: Set the rate of the clients:
  If you select the static mode, Per-Client Rate is displayed, and the rate is the rate of each client.
  If you select the dynamic mode, Total Rate is displayed, and the rate is the total rate of all clients.

Configuring the bandwidth guarantee function


When traffic is heavy, a BSS without any rate limitation may aggressively occupy the available
bandwidth for other BSSs. If you limit the rate of the BSS, it cannot use the idle bandwidth of other BSSs.
To improve bandwidth use efficiency when ensuring bandwidth use fairness among wireless services, use
the bandwidth guarantee function. Bandwidth guarantee makes sure all traffic from each BSS can pass
through freely when the network is not congested, and each BSS can get the guaranteed bandwidth
when the network is congested.
For example, suppose you guarantee SSID1, SSID2, and SSID3 25%, 25%, and 50% of the bandwidth.
When the network is not congested, SSID1 can use all idle bandwidth in addition to its guaranteed
bandwidth. When the network is congested, SSID1 can use at least its guaranteed bandwidth, 25% of
the bandwidth.
NOTE:
Bandwidth guarantees apply only to the traffic from AP to client.

Setting the reference radio bandwidth

1. Select QoS > Wireless QoS from the navigation tree.
2. Click the Bandwidth Guarantee tab to enter the page for configuring bandwidth guarantees, as
shown in Figure 575.

Figure 575 Setting the reference radio bandwidth

3. Set the reference radio bandwidth, as described in Table 190.
4. Click Apply.

NOTE:
A modification of the reference radio bandwidth does not immediately take effect on radios with the
bandwidth guarantee function enabled. To make the modification take effect, disable and then enable the
radios.

Table 190 Configuration items

802.11a Mode, 802.11b Mode, 802.11g Mode, 802.11n Mode: Set the reference radio bandwidth for the radio mode.
IMPORTANT:
Set the reference radio bandwidth slightly lower than the maximum available bandwidth.

Setting guaranteed bandwidth percents

1. Select a radio from the radio list, and click the icon for the radio in the Operation column to
enter the page for setting guaranteed bandwidth, as shown in Figure 576.

Figure 576 Setting guaranteed bandwidth

2. Set the guaranteed bandwidth, as described in Table 191.
3. Click Apply.

Table 191 Configuration items

Guaranteed Bandwidth Percent (%): Allocate guaranteed bandwidth as a percentage of the radio bandwidth to each
wireless service. The total guaranteed bandwidth cannot exceed 100% of the radio bandwidth.

Enabling bandwidth guaranteeing

To validate the bandwidth guarantee settings for a radio unit, enable its bandwidth guarantee function.
To enable the bandwidth guarantee function:
1. Select QoS > Wireless QoS from the navigation tree on the left.
2. Click the Bandwidth Guarantee tab to enter the page for configuring bandwidth guarantee.
3. Select the AP and the corresponding radio mode for which you want to enable bandwidth
guarantee on the list under the Bandwidth Guarantee title bar.
4. Click Enable.

Figure 577 Enabling the bandwidth guarantee function

Displaying guaranteed bandwidth settings

1. Select QoS > Wireless QoS from the navigation tree on the left.
2. Click Bandwidth Guarantee.
3. Click the specified radio unit of the AP on the list under the Bandwidth Guarantee title bar to view
the wireless services bound to the radio unit and the guaranteed bandwidth setting for each
wireless service.

Figure 578 Displaying guaranteed bandwidth settings

CAC service configuration example

Network requirements
As shown in Figure 579, a WMM-enabled AP accesses the Ethernet.
Enable CAC for AC-VO and AC-VI on the AP. To guarantee high priority clients (AC-VO and AC-VI clients)
sufficient bandwidth, use the user number-based admission policy to limit the number of access users to
10.
Figure 579 Network diagram

Configuring the wireless service

1. Configure the AP, and establish a connection between the AC and the AP.
For related configurations, see "Configuring access services." Follow the steps in the related
configuration example to establish a connection between the AC and the AP.

Configuring wireless QoS

1. Select QoS > Wireless QoS from the navigation tree.
By default, the Wireless QoS tab is displayed.
2. Make sure WMM is enabled.

Figure 580 Wireless QoS configuration page (1)

3. As shown in Figure 580, select the AP to be configured on the list and click the icon for the AP
in the Operation column to enter the page for configuring wireless QoS.
4. On the Client EDCA list, select the priority type (AC_VO, for example) to be modified, and click the
icon for the priority type in the Operation column to enter the page for setting client EDCA
parameters.
5. Select Enable from the CAC list.
6. Click Apply.

Figure 581 Enabling CAC

7. Enable CAC for AC_VI in the same way. (Details not shown.)
8. Select QoS > Wireless QoS from the navigation tree.
By default, the Wireless QoS tab is displayed.
9. Click the icon in the Operation column for the desired AP to enter the page for configuring
wireless QoS.
10. Select the Client Number option, and then enter 10.
11. Click Apply.

Figure 582 Setting CAC client number

Verifying the configuration

If the number of existing clients in the high-priority access categories plus the number of clients requesting
high-priority access categories is smaller than or equal to the user-defined maximum number of users
allowed in high-priority access categories (10 in this example), the request is allowed. Otherwise,
the request is rejected.

Wireless service-based static rate limiting configuration example

Network requirements
As shown in Figure 583, two wireless clients access the WLAN through an SSID named service1.
Limit the maximum bandwidth per wireless client to 128 kbps for traffic from the wireless clients to the AP.
Figure 583 Network diagram

Configuring the wireless service

For the configuration procedure, see "Configuring access services."

Configuring static rate limiting

1. Select QoS > Wireless QoS from the navigation tree.
2. Click Client Rate Limit.
3. Click Add in the Service-Based Configuration area to enter the page for configuring wireless
service-based rate limit settings for clients, as shown in Figure 584.
4. Configure static rate limiting:
  a. Select service1 from the Wireless Service list.
  b. Select Inbound from the Direction list.
  c. Select Static from the Mode list.
  d. Enter 128 in the Per-Client Rate field.
5. Click Apply.

Figure 584 Configuring static rate limiting

Verifying the configuration

1. Client1 and Client2 access the WLAN through the SSID named service1.
2. Check that traffic from Client1 is rate limited to around 128 kbps, and so is traffic from Client2.

Wireless service-based dynamic rate limiting configuration example

Network requirements
As shown in Figure 585, wireless clients access the WLAN through an SSID named service2.
Configure all wireless clients to share 8000 kbps of bandwidth in any direction.
Figure 585 Network diagram

Configuring the wireless service

For the configuration procedure, see "Configuring access services."

Configuring dynamic rate limiting

1. Select QoS > Wireless QoS from the navigation tree.
2. Click Client Rate Limit.
3. Click Add in the Service-Based Configuration area to enter the page for configuring wireless
service-based rate limit settings for clients, as shown in Figure 586.
4. Configure dynamic rate limiting:
  a. Select service2 from the Wireless Service list.
  b. Select Both from the Direction list.
  c. Select Dynamic from the Mode list.
  d. Enter 8000 in the Total Rate field.
5. Click Apply.

Figure 586 Configuring dynamic rate limiting

Verifying the configuration

Check that:
1. When only Client1 accesses the WLAN through SSID service2, its traffic can pass through at a rate
as high as 8000 kbps.
2. When both Client1 and Client2 access the WLAN through SSID service2, their traffic flows can
each pass through at a rate as high as 4000 kbps.

Bandwidth guarantee configuration example

Network requirements
As shown in Figure 587, three wireless clients use wireless services research, office, and entertain to
access the wireless network.
To make sure the enterprise network works properly, guarantee the office service 20% of the bandwidth,
the research service 80%, and the entertain service none.

Figure 587 Network diagram

Configuring the wireless services

For the configuration procedure, see "Configuring access services." Follow the related configuration
example to configure the wireless services.

Configuring bandwidth guaranteeing

1. Select QoS > Wireless QoS from the navigation tree.
2. Click Bandwidth Guarantee to enter the page for configuring bandwidth guarantee, as shown
in Figure 588.
3. Use the default reference radio bandwidth for 802.11a.
4. Click Apply.

Figure 588 Setting the reference radio bandwidth

5. Click the icon in the Operation column for 802.11a to enter the page for setting guaranteed
bandwidth, as shown in Figure 589.
6. Set the guaranteed bandwidth:
  a. Set the guaranteed bandwidth percent to 80 for wireless service research.
  b. Set the guaranteed bandwidth percent to 20 for wireless service office.
  c. Set the guaranteed bandwidth percent to 0 for wireless service entertain.
7. Click Apply.
After you apply the guaranteed bandwidth settings, the page for enabling bandwidth guarantee
appears, as shown in Figure 590.

Figure 589 Setting guaranteed bandwidth

8. Select the option specific to 802.11a.
9. Click Enable.

Figure 590 Enabling bandwidth guarantee

Verifying the configuration

• Send traffic from the AP to the three wireless clients at a rate lower than 30000 kbps. The rate of
traffic from the AP to the three wireless clients is not limited.
• Send traffic at a rate higher than 6000 kbps from the AP to Client 1 and at a rate higher than
24000 kbps from the AP to Client 2. The total rate of traffic from the AP to the two wireless
clients exceeds 30000 kbps. Because you have enabled bandwidth guarantee for wireless services
research and office, the AP forwards traffic to Client 1 and Client 2 at 6000 kbps and
24000 kbps respectively, and limits the traffic to Client 3.

NOTE:
Guaranteed bandwidth in kbps = reference radio bandwidth × guaranteed bandwidth percent.
Set the reference radio bandwidth slightly lower than the available maximum bandwidth.
The guaranteed bandwidth configuration applies only to the traffic from the AP to clients.
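The following Python model of the bandwidth guarantee behaviour described in the overview and exercised in this example is an added illustration, not H3C code: it converts guaranteed percents into kbps and shows which rates the AP forwards when the radio is and is not congested. How leftover capacity is shared above the guarantees is not specified by the guide and is an assumption of the model.

```python
from typing import Dict


def guaranteed_kbps(reference_kbps: int, percents: Dict[str, int]) -> Dict[str, int]:
    """Guaranteed bandwidth in kbps = reference radio bandwidth x guaranteed percent
    (the NOTE above). Table 191: the percents must not add up to more than 100."""
    if sum(percents.values()) > 100:
        raise ValueError("total guaranteed bandwidth exceeds 100% of the radio bandwidth")
    return {svc: reference_kbps * pct // 100 for svc, pct in percents.items()}


def allocate_downlink(reference_kbps: int, percents: Dict[str, int],
                      offered_kbps: Dict[str, int]) -> Dict[str, int]:
    """Rate at which the AP forwards each service's AP-to-client traffic.

    Not congested (total offered <= reference): every flow passes untouched, so a
    service may use idle bandwidth beyond its guarantee.
    Congested: each service first gets min(offered, guarantee); whatever capacity
    is left is then handed to services that still have unserved demand. The guide
    only promises "at least the guaranteed bandwidth" under congestion, so the
    order in which leftover is shared (largest guarantee first) is an assumption.
    """
    guarantees = guaranteed_kbps(reference_kbps, percents)
    if sum(offered_kbps.values()) <= reference_kbps:
        return dict(offered_kbps)

    alloc = {svc: min(rate, guarantees.get(svc, 0)) for svc, rate in offered_kbps.items()}
    leftover = reference_kbps - sum(alloc.values())
    for svc in sorted(offered_kbps, key=lambda s: guarantees.get(s, 0), reverse=True):
        if leftover <= 0:
            break
        extra = min(leftover, offered_kbps[svc] - alloc[svc])
        alloc[svc] += extra
        leftover -= extra
    return alloc


def verification_scenario(offered_kbps: Dict[str, int]) -> Dict[str, int]:
    """The example above: 30000 kbps reference bandwidth for 802.11a, research 80%,
    office 20%, entertain 0%. Client 1 uses office, Client 2 research, Client 3 entertain."""
    return allocate_downlink(30000, {"research": 80, "office": 20, "entertain": 0},
                             offered_kbps)


if __name__ == "__main__":
    # Constructed offered rates matching the second verification step
    print(verification_scenario({"office": 9000, "research": 30000, "entertain": 5000}))
```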

Advanced settings
Advanced settings overview
Country/Region code
Radio frequencies for countries and regions vary based on country regulations. A country/region code
determines characteristics such as frequency range, channel, and transmit power level. Configure the
valid country/region code for a WLAN device to meet the specific country regulations.

1+1 AC backup
NOTE:
Support for the 1+1 backup feature may vary depending on your device model. For more information, see
"Feature matrixes."

Dual-link backup
1. Dual links
Dual links allow for AC backup. An AP establishes links with two different ACs. The active AC
provides services for APs in the network and the standby AC provides backup service for the active
AC. If the active AC fails, the standby AC takes over to provide services for the APs.

Figure 591 Dual link topology

AC 1 is operating in active mode and providing services to AP 1, AP 2, AP 3, and AP 4. AC 2 is
operating in standby mode. APs are connected to AC 2 through backup links. When AC 1 goes down,
AC 2 switches to active mode and remains active even after AC 1 comes up again, in which case AC 1
operates in standby mode. This is not so, however, if an AC is configured as the primary AC. For more
information about the primary AC, see "Primary AC recovery."
2. Using fast link fault detection, you can configure 1+1 fast backup (see "1+1 fast backup") to
provide uninterrupted services.
3. Primary AC recovery
The primary AC mechanism makes sure that APs choose the primary AC in precedence as their active AC.
When the primary AC goes down, the APs switch to the standby AC.
As soon as the primary AC recovers, the APs automatically connect to the primary AC again.

Figure 592 Primary AC recovery

AC 1 is the primary AC with a connection priority of 7, and it establishes a connection with the
AP. AC 2 acts as the secondary AC. If AC 1 goes down, AC 2 takes over to provide services to the
AP until AC 1 recovers. Once the primary AC is reachable again, the AP automatically establishes
a connection with the primary AC. For more information about priority configuration, see
"Configuring AP connection priority."

1+1 fast backup


Fast link fault detection allows two ACs in 1+1 backup to detect the failure of each other in time. To
achieve this, a heartbeat detection mechanism is used. When the active AC goes down, the standby AC
can quickly detect the faults and become the new active AC.
NOTE:
Support for the 1+1 fast backup feature may vary depending on your device model. For more
information, see "Feature matrixes."

1+N AC backup
1+N AC backup allows an AC to operate as a backup for multiple ACs. The active ACs independently
provide services for the APs that connect to them, and a single standby AC provides backup service for
all of the active ACs. If an active AC goes down, the APs connecting to it can detect the failure quickly and
connect to the standby AC. As soon as the active AC recovers, the APs automatically connect
to the original active AC again. This makes sure the standby AC operates as a dedicated backup for the
active ACs. 1+N AC backup delivers high reliability and greatly reduces network construction cost.

Continuous transmitting mode


The continuous transmitting mode is used for test only. Do not use the function unless necessary.

Channel busy test


The channel busy test is a tool to test how busy a channel is. It tests channels supported by the
country/region code one by one, and provides a busy rate for each channel. This avoids the situation
that some channels are heavily loaded and some are idle.
During a channel busy test, APs do not provide any WLAN services. All the connected clients are
disconnected and WLAN packets are discarded.

WLAN load balancing


WLAN load balancing dynamically adjusts loads among APs to ensure adequate bandwidth for clients.
It is mainly used in high-density WLAN networks.

Requirement of WLAN load-balancing implementation

As shown in Figure 593, Client 6 wants to associate with AP 3. AP 3 has reached its maximum load, so
it rejects the association request. Client 6 then tries to associate with AP 1 or AP 2, but it cannot receive
signals from these two APs, so it has to resend the association request to AP 3.
Therefore, to implement load balancing, the APs must be managed by the same AC, and the clients must
be able to find the APs.
Figure 593 Requirement of WLAN load-balancing implementation

Load-balancing modes
The AC supports two load balancing modes, session mode and traffic mode.

Session mode load-balancing

Session-mode load balancing is based on the number of clients associated with the AP/radio.
As shown in Figure 594, Client 1 is associated with AP 1, and Client 2 through Client 6 are
associated with AP 2. The AC has session-mode load balancing configured: the maximum number
of sessions is 5 and the maximum session gap is 4. Then, Client 7 sends an association request to
AP 2. The maximum session threshold and session gap have been reached on AP 2, so it rejects
the request. At last, Client 7 associates with AP 1.
Figure 594 Network diagram for session-mode load balancing

Traffic mode load-balancing

Traffic-mode load balancing is based on a snapshot of the traffic load on the AP/radio.
As shown in Figure 595, Client 1 and Client 2, which run 802.11g, are associated with AP 1. The AC
has traffic-mode load balancing configured: the maximum traffic threshold is 10% and the
maximum traffic gap is 20%. Then, Client 3 wants to access the WLAN through AP 1. The
maximum traffic threshold and traffic gap (between AP 1 and AP 2) have been reached on AP 1,
so it rejects the request. At last, Client 3 associates with AP 2.

Figure 595 Network diagram for traffic-mode load balancing

Load-balancing methods
The AC supports AP-based load balancing and group-based load balancing.
1. AP-based load balancing
AP-based load balancing can be implemented either among APs or among the radios of an AP.
• AP-based load balancing: APs can carry out either session-mode or traffic-mode load
balancing as configured. An AP starts load balancing when the maximum threshold and gap
are reached, and does not accept any association requests unless the load decreases below
the maximum threshold or the gap is less than the maximum gap. However, if a client has been
denied more than the specified maximum times, the AP considers that the client is unable to
associate to any other AP and accepts the association request from the client.
• Radio-based load balancing: The radios of an AP that is balanced can carry out either
session-mode or traffic-mode load balancing as configured. A radio starts load balancing
when the maximum threshold and gap are reached and rejects any association requests
unless the load decreases below the maximum threshold or the gap is less than the maximum
gap. However, if a client has been denied more than the specified maximum times, the AP
considers that the client is unable to associate to any other AP and accepts the association
request from the client.
2. Group-based load balancing
To balance loads among the radios of different APs, you can add them to the same load balancing
group.
The radios in a load balancing group can carry out either session-mode or traffic-mode load
balancing as configured. The radios that are not added to any load balancing group do not carry
out load balancing. A radio in a load balancing group starts load balancing when the maximum
threshold and gap are reached on it, and the radio does not accept any association requests
unless the load decreases below the maximum threshold or the gap is less than the maximum gap.
However, if a client has been denied more than the specified maximum times, the AP considers
that the client is unable to associate to any other AP and accepts the association request from the
client.

AP version setting
A fit AP is a zero-configuration device. It can automatically discover an AC after power-on. To make sure
a fit AP can associate with an AC, their software versions must be consistent by default, which
complicates maintenance. This task allows you to designate the software version of an AP on the AC, so
that they can associate with each other even if their software versions are inconsistent.

Switching to fat AP
You can switch the working mode of an AP between the fit mode and the fat mode.

Wireless location
Wireless location is a technology to locate, track and monitor specified devices by using WiFi-based
Radio Frequency Identification (RFID) and sensors. With this function enabled, APs send Tag or MU
messages to an AeroScout Engine (referred to as AE hereinafter), which performs location calculation
and then sends the data to the graphics software. You can get the location information of the assets by
maps, forms, or reports. Meanwhile, the graphics software provides the search, alert and query functions
to facilitate your operations.
Wireless location can be applied to medical monitoring, asset management, and logistics, helping users
effectively manage and monitor assets.

Architecture of the wireless location system

A wireless location system is composed of three parts: devices or sources to be located, location
information receivers, and location systems.
• Devices or sources to be located, which can be AeroScout Tags (small, portable RFIDs, which are usually
placed on or glued to the assets to be located) or Mobile Units (MUs). MUs are wireless terminals or
devices running 802.11. Tags and MUs send wireless messages periodically.
• Location information receivers, for example, 802.11 APs, and AeroScout Exciters, which are
standard-compliant Tags that send wireless messages but do not collect location information.
• Location systems, including the location server, AE calculation software, and different types of graphics
software.

Wireless locating process

A wireless location system can locate wireless clients, APs, rogue APs, rogue clients, Tags and other
devices supporting WLAN protocols. Except for Tags, all wireless devices are identified as MUs by the
wireless location system.
1. Send Tag and MU messages
A Tag message is a message sent by an RFID. A Tag message contains the channel number so that
an AP can filter out Tag messages whose channel numbers are not consistent with the AP's operating
channel. To make sure more Tags can be detected by the AP, a Tag sends messages on different
channels. A Tag periodically sends messages on one or multiple pre-configured channels, and
then sends location messages on channels 1, 6, and 11 in turn periodically.
MU messages are sent by standard wireless devices. An MU message does not contain the
channel number, so an AP cannot filter out MU messages whose channel numbers are not consistent
with the AP's operating channel, or illegal packets; this filtering is done by the location server according
to a certain algorithm and rules.
2. Collect Tag and MU messages
The working mode of an AP determines how it collects Tag and MU messages:
• When the AP operates in monitor mode or hybrid mode, it can locate wireless clients or other
wireless devices that are not associated with it.
• When the AP operates in normal mode, it can only locate wireless clients associated with it.
The wireless location system considers wireless clients associated with the AP as wireless clients,
and considers wireless clients or other wireless devices not associated with the AP as unknown
devices.

NOTE:
For more information about monitor mode and hybrid mode, see "WLAN security configuration."
An AP operates in normal mode when it functions as a WLAN access point. For more information, see
"Configuring access services."

After the above preparations, the AP begins to collect Tag and MU messages.
• Upon receiving Tag messages (suppose that the Tags mode has been configured on the AC, and
the location server has notified the AP to report Tag messages), the AP checks the Tag messages,
encapsulates those passing the check and reports them to the location server. The AP encapsulates
Tag messages by copying all the information (message header and payload inclusive) except the
multicast address, and adding the BSSID, channel, timestamp, data rate, RSSI, SNR and radio
mode of the radio on which the relevant Tag messages were received.
• Upon receiving MU messages (suppose that the MUs mode has been configured on the AC, and
the location server has notified the AP to report MU messages), the AP checks the messages,
encapsulates those that pass the check and reports the messages to the location server. The AP
encapsulates an MU message by copying its source address, Frame Control field and Sequence
Control field, and adding the BSSID, channel, timestamp, data rate, RSSI, SNR and radio mode of
the radio on which the relevant MU messages were received.
3. Calculate the locations of Tags or MUs
After receiving Tag and MU messages from APs, the location server uses an algorithm to calculate
the locations of the Tag and MU devices according to the RSSI, SNR, radio mode and data rate
carried in the messages, and displays the locations on the imported map. Typically, a location
server can calculate the locations as long as more than 3 APs operating in monitor or hybrid mode report
Tag or MU messages.
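The following Python model of the collection step above is an added illustration, not H3C or AeroScout code: it applies the channel filter to Tag messages, the working-mode rule to MU messages, and builds the report with the fields the guide lists. The frames and reports are plain dictionaries with constructed values; the real on-air and report formats are not given by the guide.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

RX_FIELDS = ("timestamp", "data_rate", "rssi", "snr")   # measured per received frame


@dataclass
class LocationRadio:
    """The receiving radio and the AP working mode it runs in (values are assumptions)."""
    bssid: str
    channel: int
    radio_mode: str       # e.g. "802.11g"
    ap_mode: str          # "normal", "monitor" or "hybrid"


def _with_radio_meta(report: Dict, radio: LocationRadio, rx: Dict) -> Dict:
    """Append the BSSID, channel, timestamp, data rate, RSSI, SNR and radio mode."""
    report.update(bssid=radio.bssid, channel=radio.channel, radio_mode=radio.radio_mode)
    report.update({k: rx[k] for k in RX_FIELDS})
    return report


def report_tag(frame: Dict, rx: Dict, radio: LocationRadio) -> Optional[Dict]:
    """Tag frames carry a channel number: frames for another channel are dropped.
    The report is the whole frame (header and payload) minus the multicast address."""
    if frame["channel"] != radio.channel:
        return None
    body = {k: v for k, v in frame.items() if k != "multicast_addr"}
    return _with_radio_meta(body, radio, rx)


def report_mu(frame: Dict, rx: Dict, radio: LocationRadio, associated: bool) -> Optional[Dict]:
    """MU frames carry no channel, so the AP cannot filter them by channel; only an
    AP in monitor or hybrid mode reports devices that are not associated with it.
    The report copies just the source address, Frame Control and Sequence Control."""
    if radio.ap_mode == "normal" and not associated:
        return None
    body = {k: frame[k] for k in ("src_addr", "frame_control", "sequence_control")}
    body["device_kind"] = "client" if associated else "unknown"
    return _with_radio_meta(body, radio, rx)


def enough_for_location(reports: Iterable[Dict], radios: Dict[str, LocationRadio]) -> bool:
    """The guide says the server can typically compute a location once more than
    3 APs in monitor or hybrid mode have reported the device."""
    bssids = {r["bssid"] for r in reports
              if radios[r["bssid"]].ap_mode in ("monitor", "hybrid")}
    return len(bssids) > 3


def demo() -> Dict[str, Optional[Dict]]:
    """Constructed frames: a Tag on channel 6 and an unassociated MU, received by one
    radio on channel 6 in hybrid mode and one on channel 1 in normal mode."""
    tag = {"tag_id": "tag-0001", "channel": 6, "multicast_addr": "01:0c:cc:00:00:00",
           "payload": b"\x01\x02"}
    mu = {"src_addr": "aa:bb:cc:dd:ee:ff", "frame_control": 0x0840,
          "sequence_control": 0x1230, "body": b"probe"}
    rx = {"timestamp": 1700000000, "data_rate": 6, "rssi": -61, "snr": 28}
    hybrid6 = LocationRadio("00:11:22:33:44:55", 6, "802.11g", "hybrid")
    normal1 = LocationRadio("00:11:22:33:44:66", 1, "802.11g", "normal")
    return {
        "tag_on_hybrid": report_tag(tag, rx, hybrid6),
        "tag_on_normal_ch1": report_tag(tag, rx, normal1),          # wrong channel: dropped
        "mu_unassoc_on_normal": report_mu(mu, rx, normal1, False),  # normal mode: dropped
        "mu_unassoc_on_hybrid": report_mu(mu, rx, hybrid6, False),
    }
```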

Wireless sniffer
In a wireless network, it is difficult to locate signal interference or packet collisions by using the debugging
information or terminal display information of WLAN devices. To facilitate troubleshooting, configure
an AP as a packet sniffer to listen to, capture, and record wireless packets. The sniffed packets are
recorded in a .dmp file for troubleshooting.
As shown in Figure 596, enable wireless sniffer on the Capture AP. The Capture AP is able to listen to the
wireless packets in the network, including the packets from other APs, rogue APs, and clients.
Administrators can download the .dmp file to the PC for further analysis.
Figure 596 Network diagram (AC, Switch, AP 1, AP 2, Capture AP, Rogue AP, Client, PDA, PC)

Band navigation
The 2.4 GHz band is often congested. Band navigation enables APs to accept dual-band (2.4 GHz and
5 GHz) clients on their 5 GHz radio, increasing overall network performance.
When band navigation is enabled, the AP directs clients to its 2.4 GHz or 5 GHz radio by following
these principles:
• For a 2.4 GHz client, the AP associates with the client after rejecting it several times.
• For a dual-band client, the AP directs the client to its 5 GHz radio.
• For a 5 GHz client, the AP associates with the client on its 5 GHz radio.

The AP checks the RSSI of a dual-band client before directing the client to the 5 GHz radio. If the RSSI is
lower than the configured threshold, the AP does not direct the client to the 5 GHz band.
If the number of clients on the 5 GHz radio reaches the upper limit, and the gap between the number of
clients on the 5 GHz radio and that on the 2.4 GHz radio reaches the upper limit, the AP denies client
association to the 5 GHz radio, and allows new clients to associate to the 2.4 GHz radio. If a
client has been denied more than the maximum times on the 5 GHz radio, the AP considers that the client
is unable to associate to any other AP, and allows the 5 GHz radio to accept the client.
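The load-balancing modes (Figures 594 and 595) and band navigation above share one admission rule: reject when both the maximum threshold and the maximum gap are reached, unless the client has already been denied more than the maximum number of times. The following Python model of that rule is an added illustration, not H3C code; the parameter names, the default of 3 for the maximum denials, the traffic loads in the Figure 595 scenario and the RSSI threshold are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Radio:
    name: str
    sessions: int = 0          # associated clients (session mode)
    traffic_pct: float = 0.0   # traffic load snapshot in % (traffic mode)


@dataclass
class Balancer:
    mode: str                  # "session" or "traffic"
    max_threshold: float       # max sessions, or max traffic in %
    max_gap: float             # max session gap, or max traffic gap in %
    max_denials: int = 3       # the "specified maximum times" (assumed value)
    denials: Dict[str, int] = field(default_factory=dict)

    def load(self, r: Radio) -> float:
        return r.sessions if self.mode == "session" else r.traffic_pct

    def admit(self, client: str, target: Radio, others: List[Radio]) -> bool:
        """Does `target` accept an association request from `client`?

        Rejection needs both conditions: load >= max_threshold AND the gap to
        the least loaded other radio >= max_gap. A client denied more than
        max_denials times is assumed unable to reach any other AP and accepted."""
        lightest = min((self.load(o) for o in others), default=self.load(target))
        overloaded = self.load(target) >= self.max_threshold
        gap_reached = self.load(target) - lightest >= self.max_gap
        denied = self.denials.get(client, 0)
        if overloaded and gap_reached and denied <= self.max_denials:
            self.denials[client] = denied + 1
            return False
        self.denials.pop(client, None)
        return True


def session_mode_figure_594() -> Dict[str, bool]:
    """Figure 594: max sessions 5, max gap 4; AP 1 has 1 client, AP 2 has 5."""
    ap1, ap2 = Radio("AP 1", sessions=1), Radio("AP 2", sessions=5)
    lb = Balancer("session", max_threshold=5, max_gap=4)
    return {"AP 2": lb.admit("Client 7", ap2, [ap1]),
            "AP 1": lb.admit("Client 7", ap1, [ap2])}


def traffic_mode_figure_595() -> Dict[str, bool]:
    """Figure 595: max traffic 10%, max gap 20%; loads of 35% and 5% are constructed."""
    ap1, ap2 = Radio("AP 1", traffic_pct=35.0), Radio("AP 2", traffic_pct=5.0)
    lb = Balancer("traffic", max_threshold=10, max_gap=20)
    return {"AP 1": lb.admit("Client 3", ap1, [ap2]),
            "AP 2": lb.admit("Client 3", ap2, [ap1])}


def steer(client: str, bands: set, rssi: int, rssi_threshold: int,
          r5: Radio, r24: Radio, lb: Balancer) -> str:
    """Band navigation: the radio the AP associates the client on. The 5 GHz radio
    applies the same count/gap/denial rule with the 2.4 GHz radio as its peer."""
    if bands == {"2.4"}:
        return "2.4 GHz"        # 2.4 GHz-only client (after the AP's initial rejections)
    if bands == {"5"}:
        return "5 GHz"
    if rssi < rssi_threshold:   # dual-band client too weak for 5 GHz
        return "2.4 GHz"
    return "5 GHz" if lb.admit(client, r5, [r24]) else "2.4 GHz"


def stubborn_dual_band_client() -> List[str]:
    """5 GHz radio full (constructed: 20 clients, limit 20, gap limit 10, 2.4 GHz has 5).
    A dual-band client that keeps asking is let onto 5 GHz once it has been denied
    more than max_denials (3) times."""
    r5, r24 = Radio("5 GHz", sessions=20), Radio("2.4 GHz", sessions=5)
    lb = Balancer("session", max_threshold=20, max_gap=10, max_denials=3)
    return [steer("Client A", {"2.4", "5"}, -60, -70, r5, r24, lb) for _ in range(5)]
```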

Configuring WLAN advanced settings

Setting a country/region code
1. Select Advanced > Country/Region Code from the navigation tree to enter the page for setting a
country/region code.

Figure 597 Setting a country/region code

2. Configure a country/region code as described in Table 192.
3. Click Apply.

Table 192 Configuration items

Country/Region Code: Select a country/region code.
Configure the valid country/region code for a WLAN device to meet the
country regulations.
If the list is grayed out, the setting is preconfigured to meet the
requirements of the target market and is locked. It cannot be changed.

If you do not specify a country/region code for an AP, the AP uses the global country/region code
configured on this page. For how to specify the country/region code for an AP, see "Quick start." If an
AP is configured with a country/region code, the AP uses its own country/region code.
Some ACs and fit APs have fixed country/region codes. Which code is used is determined as follows: An
AC's fixed country/region code cannot be changed, and all managed fit APs whose country/region
codes are not fixed must use the AC's fixed country/region code. A fit AP's fixed country/region code
cannot be changed, and the fit AP can only use that code. If an AC and a managed fit AP
use different fixed country/region codes, the fit AP uses its own fixed country/region code.

Configuring 1+1 AC backup

Configuring AP connection priority
1. Select AP > AP Setup from the navigation tree.
2. Click the icon corresponding to the target AP to enter the configuration page.
3. Expand the Advanced Setup area.

Figure 598 Configuring connection priority

4. Configure an AP connection priority as described in Table 193.
5. Click Apply.

Table 193 Configuration items

AP Connection Priority: Set the priority for the AP connection to the AC.

Configuring 1+1 AC backup

1. Select Advanced > AC Backup from the navigation tree.

Figure 599 Configuring AC backup

2. Configure an IP address and switch delay time for the backup AC as described in Table 194.
3. Click Apply.

Table 194 Configuration items

IPv4: Select IPv4, and enter the IPv4 address of the backup AC.
IPv6: Select IPv6, and enter the IPv6 address of the backup AC.
  For both IPv4 and IPv6: If the backup AC is configured on the page you enter by selecting
  AP > AP Setup, that configuration is used in precedence. For more information, see "AP
  configuration."
  The access mode configuration on the two ACs should be the same.
  Specify the IP address of one AC on the other AC in an AC backup.
Switch Delay Time: Delay time for the AP to switch from the primary AC to the backup AC.

Configuring 1+1 fast backup

1. Select Advanced > AC Backup from the navigation tree.

Figure 600 Configuring fast backup

2. Configure fast backup as described in Table 195.
3. Click Apply.

Table 195 Configuration items

Fast Backup Mode:
  • disable: Disable fast backup.
  • enable: Enable fast backup.
  By default, fast backup is disabled.
Hello Interval: Heartbeat interval for an AC connection. If no heartbeat is received for three consecutive
intervals, the device considers the peer down.
  The value range varies with devices. For more information, see "Feature matrixes."
VLAN ID: ID of the VLAN to which the port where the backup is performed belongs.
Backup Domain ID: ID of the domain to which the AC belongs.

Displaying status information of 1+1 fast backup

1. Select Advanced > AC Backup from the navigation tree.
2. Click the Status tab to enter the page as shown in Figure 601.

Figure 601 Status information

Table 196 Field description

AP Name: Select to display the AP connecting to the AC.
Status: Current status of the current AC.
Vlan ID: ID of the VLAN to which the port belongs.
Domain ID: Domain to which the AC belongs.
Link State: Link status of the AC connection:
  • Close: No connection is established.
  • Init: The connection is being set up.
  • Connect: The connection has been established.
Peer Board MAC: MAC address of the peer AC.
Peer Board State: Status of the peer AC:
  • Normal: The peer AC is normal.
  • Abnormal: The peer AC is malfunctioning.
  • Unknown: No connection is present.
Hello Interval: Heartbeat interval for an AC connection.

Configuring 1+N AC backup

Configuring AP connection priority

1. Select AP > AP Setup from the navigation tree.

2. Click the icon corresponding to the target AP to enter the configuration page.

3. Expand Advanced Setup.

Figure 602 Configuring connection priority

4. Configure a connection priority as described in Table 197.

5. Click Apply.

Table 197 Configuration items
AP Connection Priority: Set the priority for the AP connection to the AC.

Configuring 1+N AC backup

1. Select AP > AP Setup from the navigation tree.

2. Click the icon corresponding to the target AP to enter the configuration page.

3. Expand Advanced Setup.

Figure 603 Configuring 1+N AC backup

4. Configure 1+N backup as described in Table 198.

5. Click Apply.

Table 198 Configuration items
Backup AC IPv4 Address: Set the IPv4 address of the backup AC.
Backup AC IPv6 Address: Set the IPv6 address of the backup AC.
  If a global backup AC is also configured on the page you enter by selecting Advanced > AC Backup, this per-AP configuration takes precedence.

Configuring continuous transmitting mode

1. Select Advanced > Continuous Transmit from the navigation tree to enter the continuous transmitting mode configuration page.

Figure 604 Configuring continuous transmitting mode

2. Click the icon corresponding to the target radio to enter the page for configuring the transmission rate. The available transmission rates depend on the radio mode.
   When the radio mode is 802.11a/b/g, the page shown in Figure 605 appears. Select a transmission rate from the list.

Figure 605 Selecting a transmission rate (802.11b/g)

   When the radio mode is 802.11n, the page shown in Figure 606 appears. Select an MCS index value to specify the 802.11n transmission rate. For more information about MCS, see "Radio configuration."

Figure 606 Selecting an MCS index (802.11n)

3. Click Apply.

To stop continuous transmitting mode, click the icon of the target radio. After continuous transmit is stopped, the transmission rate on the page shown in Figure 605 displays as 0.

NOTE:
When continuous transmit is enabled, do not perform any operation other than transmission rate configuration.

Configuring a channel busy test

1. Select Advanced > Channel Busy Test from the navigation tree to enter the channel busy test configuration page.

Figure 607 Configuring channel busy test

2. Click the icon corresponding to the target AP to enter the channel busy testing page.

Figure 608 Test busy rate of channels

3. Configure the channel busy test as described in Table 199.

4. Click Start to start the test.

Table 199 Configuration items
AP Name: Displays the AP name.
Radio Unit: Displays the radio unit of the AP.
Radio Mode: Displays the radio mode of the AP.
Test time per channel: Set the time period, in seconds, for which each channel is tested. The default is 3 seconds.

NOTE:
During a channel busy test, the AP does not provide any WLAN services. All connected clients are disconnected.
Do not start another test for the same channel before the current channel busy test completes.
Configuring load balancing

Band navigation and load balancing can be used simultaneously.

Configuration prerequisites
Before you configure load balancing, make sure:
- The target APs are associated with the same AC.
- The clients can find the APs.
- The fast association function is disabled. By default, the fast association function is disabled. For more information about fast association, see "Configuring access services."

Recommended configuration procedure
1. Configuring a load balancing mode: Required.
2. Configuring AP-based load balancing: Required. Use either this approach or group-based load balancing. After you complete Configuring a load balancing mode, the AC adopts AP-based load balancing by default.
3. Configuring group-based load balancing: Required. Use either this approach or AP-based load balancing. H3C recommends that you complete Configuring a load balancing mode first. A load balancing group takes effect only when a load balancing mode is configured.
4. Configuring parameters that affect load balancing: Optional. This configuration takes effect for both AP-based load balancing and radio group based load balancing.

Configuring a load balancing mode

NOTE:
If the AC has a load balancing mode configured but has no load balancing group created, it uses AP-based load balancing by default.

1. Configure session-mode load balancing:
   a. Select Advanced > Load Balance from the navigation tree to enter the page for setting load balancing.
   b. Select Session from the Loadbalance Mode list.
   c. Click Apply.

Figure 609 Setting session-mode load balancing

Table 200 Configuration items
Loadbalance Mode: Select Session. The function is disabled by default.
Threshold: Session threshold, the number of sessions on a radio at which load balancing may start. Load balancing is carried out for a radio only when both the session threshold and the session gap threshold are reached.
Gap: Session gap threshold (the difference in the number of sessions between the two APs). Load balancing is carried out for a radio only when both the session threshold and the session gap threshold are reached.

2. Configure traffic-mode load balancing:
   a. Select Advanced > Load Balance from the navigation tree to enter the page for setting load balancing.
   b. Select Traffic from the Loadbalance Mode list.
   c. Click Apply.

Figure 610 Setting traffic-mode load balancing

Table 201 Configuration items
Loadbalance Mode: Select Traffic. The function is disabled by default.
Traffic: Traffic threshold. Load balancing is carried out for a radio only when both the traffic threshold and the traffic gap threshold are reached.
Gap: Traffic gap threshold (the traffic gap between the two APs). Load balancing is carried out for a radio only when both the traffic threshold and the traffic gap threshold are reached.

NOTE:
In traffic-mode load balancing, the threshold and gap are percentages of the maximum throughput, which is 30 Mbps for 802.11g/802.11a.

Configuring group-based load balancing

NOTE:
H3C recommends that you complete Configuring a load balancing mode on the Load Balance tab page first. A load balancing group takes effect only when a load balancing mode is configured.

1. Select Advanced > Load Balance from the navigation tree.

2. Click the Load Balance Group tab to enter the page for configuring a load balancing group.

3. Click Add.

Figure 611 Configuring a load balancing group

4. Configure a load balancing group as described in Table 202.

5. Click Apply.

Table 202 Configuration items
Group ID: Displays the ID of the load balancing group.
Description: Configure a description for the load balancing group. By default, the load balancing group has no description.
Radio List: In the Radios Available area, select the target radios, and then click << to add them to the Radios Selected area. In the Radios Selected area, select the radios to be removed, and then click >> to remove them from the load balancing group.

Configuring parameters that affect load balancing

1. Select Advanced > Load Balance from the navigation tree. See Figure 609.

2. Configure the parameters that affect load balancing as described in Table 203.

3. Click Apply.

Table 203 Configuration items
Max Denial Count: Maximum denial count of client association requests. If a client has been denied more than this number of times, the AP considers that the client is unable to associate to any other AP and accepts the association request from the client.
RSSI Threshold: Load balancing RSSI threshold. A client may be detected by multiple APs. An AP considers a client whose RSSI is lower than the load balancing RSSI threshold as not detected. If only one AP can detect the client, that AP increases the access probability for the client even if it is overloaded.
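The following Python program is an added example, not code from the H3C guide or from the AC software. It models the admission decision described in Tables 200, 201 and 203 so that the interaction of threshold, gap, load balancing group membership, Max Denial Count and RSSI Threshold can be traced on constructed input. The class and function names, the sample loads and RSSI values, and the default values chosen for Max Denial Count and RSSI Threshold (the guide gives no defaults) are assumptions; the 30 Mbps figure is the 802.11g/802.11a maximum throughput that the traffic-mode percentages refer to.

```python
"""Added example, not code from the H3C guide: the admission decision an AP
makes under session-mode and traffic-mode load balancing (threshold, gap,
load balancing group, Max Denial Count and RSSI Threshold). Names, sample
values and the two default parameter values are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_THROUGHPUT_MBPS = 30.0   # 802.11g/802.11a ceiling the traffic percentages refer to


@dataclass
class Radio:
    name: str
    sessions: int = 0
    traffic_mbps: float = 0.0
    group: Optional[int] = None     # load balancing group ID, None if not in a group


@dataclass
class Policy:
    mode: str                       # "session" or "traffic"
    threshold: float                # sessions, or percent of MAX_THROUGHPUT_MBPS
    gap: float                      # sessions, or percent of MAX_THROUGHPUT_MBPS
    max_denial_count: int = 2       # assumption: the guide gives no default
    rssi_threshold: int = 20        # assumption: the guide gives no default


@dataclass
class Client:
    mac: str
    rssi: Dict[str, int]            # RSSI of this client as heard by each radio
    denials: int = 0                # association requests already denied


def load_of(radio: Radio, policy: Policy) -> float:
    if policy.mode == "session":
        return float(radio.sessions)
    return 100.0 * radio.traffic_mbps / MAX_THROUGHPUT_MBPS


def peers_of(radio: Radio, radios: List[Radio]) -> Optional[List[Radio]]:
    """Radios this one is balanced against: the other members of its group, or
    every other radio when no group exists (AP-based load balancing). None
    means the radio does not take part at all."""
    groups_exist = any(r.group is not None for r in radios)
    if not groups_exist:
        return [r for r in radios if r is not radio]
    if radio.group is None:
        return None
    return [r for r in radios if r is not radio and r.group == radio.group]


def should_deny(radio: Radio, radios: List[Radio], policy: Policy, client: Client) -> bool:
    """True when this radio should reject the client's association request."""
    # A radio treats a client below the RSSI threshold as not detected; a client
    # that only one radio can hear is accepted even by an overloaded radio.
    detectors = [r for r in radios if client.rssi.get(r.name, -100) >= policy.rssi_threshold]
    if len(detectors) <= 1:
        return False
    if client.denials > policy.max_denial_count:
        return False                 # denied too often: stop steering this client
    peers = peers_of(radio, radios)
    if not peers:
        return False                 # not participating, or nothing to balance against
    mine = load_of(radio, policy)
    lowest = min(load_of(p, policy) for p in peers)
    return mine >= policy.threshold and mine - lowest >= policy.gap


def admit(radio: Radio, radios: List[Radio], policy: Policy, client: Client) -> str:
    """Apply the decision; count the session on accept, the denial on deny."""
    if should_deny(radio, radios, policy, client):
        client.denials += 1
        return "deny"
    radio.sessions += 1
    return "accept"


def session_example() -> List[str]:
    """Constructed run of the AP-based session-mode example: threshold 5, gap 4,
    AP 1 has 1 client and AP 2 has 5. Client 7 tries AP 2, then AP 1."""
    ap1, ap2 = Radio("AP 1", sessions=1), Radio("AP 2", sessions=5)
    policy = Policy("session", threshold=5, gap=4)
    client7 = Client("00:00:00:00:00:07", rssi={"AP 1": 40, "AP 2": 45})
    return [admit(ap2, [ap1, ap2], policy, client7), admit(ap1, [ap1, ap2], policy, client7)]


def traffic_example() -> List[str]:
    """Constructed run of the AP-based traffic-mode example: threshold 10 percent
    (3 Mbps), gap 40 percent (12 Mbps); AP 1 carries 15 Mbps, AP 2 is idle."""
    ap1, ap2 = Radio("AP 1", sessions=2, traffic_mbps=15.0), Radio("AP 2")
    policy = Policy("traffic", threshold=10, gap=40)
    client3 = Client("00:00:00:00:00:03", rssi={"AP 1": 40, "AP 2": 40})
    return [admit(ap1, [ap1, ap2], policy, client3), admit(ap2, [ap1, ap2], policy, client3)]


if __name__ == "__main__":
    print("session:", session_example())   # ['deny', 'accept']
    print("traffic:", traffic_example())   # ['deny', 'accept']
```

Group-based balancing is modelled by `peers_of`: once any radio carries a group ID, radios outside a group return None and never deny, which is the behaviour the group-based examples later in this chapter describe for AP 3.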

Configuring AP
Upgrading AP version
1. Select Advanced > AP from the navigation tree.
2. On the AP Module tab, select the desired AP.
3. Click Version Update to enter the page for AP version upgrade.

Figure 612 AP version update

4. Configure the AP upgrade as described in Table 204.
5. Click Apply.

Table 204 Configuration items
AP Model: Displays the selected AP model.
Software Version: Enter the software version for the AP in the correct format.

Switching to fat AP
1. Select Advanced > AP Setup from the navigation tree.
2. Click the Switch to Fat AP tab.
3. Select the desired AP.
4. Click Switch to Fat AP to perform the AP working mode switchover.

Figure 613 Switching to fat AP

NOTE:
Before you switch the working mode, you must download the fat AP software to the AP.

Configuring wireless location

1. Select Advanced > Wireless Location from the navigation tree to enter the page for displaying and configuring wireless location on the AC.

Figure 614 Configuring wireless location

2. Configure wireless location as described in Table 205.

3. Click Apply.

Table 205 Configuration items
Location Function: Enable: Enables the wireless location function globally. The device begins to listen to packets when wireless location is enabled. Disable: Disables wireless location globally.
  To make the location function work, complete the configuration on both the location server and the AC:
  - On the location server: Configure whether to locate Tags or MUs, the Tag message multicast address, and the dilution factor. These settings are sent to the APs in the configuration message. For more information about the location server and its configuration parameters, see the location server manuals.
  - On the AC: Configure the AP mode settings, and enable the wireless location function.
  When the configuration is correct, the APs wait for the configuration message from the location server and, after receiving it, start to receive and report Tag and MU messages.
Vendor Port: Set the listening port number for vendors. The port number must be the same as that defined on the AE (the location server).
Tag Mode: Select this option to enable the Tag report function on the radio (you also need to enable Tags mode on the AE).
MU Mode: Select this option to enable the MU report function on the radio (you also need to enable MUs mode on the AE).

An AP reports IP address change and device reboot events to the location server so that the location server can respond in time. The AP sends the reboot message to the location server IP address and port recorded in its flash.
- The AP updates the data in the flash after receiving a configuration message. To protect the flash, the AP does not write it immediately after receiving a configuration message, but waits 10 minutes. If another configuration message arrives within those 10 minutes, the AP only updates the configuration information in its cache, and when the 10-minute timer expires, saves the cached information to the flash.
- If the AP reboots within 10 minutes after receiving the first configuration message and no configuration has been saved in the flash, it does not send a reboot message to the location server.

Configuring wireless sniffer

1. Select Advanced > Wireless Sniffer from the navigation tree to enter the wireless sniffer configuration page.

Figure 615 Configuring wireless sniffer

2. To enable the wireless sniffer function for a specified radio, click the icon of the radio.
   Before you enable wireless sniffer, make sure the AP operates in normal mode and is in run state. Wireless sniffer can be enabled only for a radio configured with a fixed channel.
   When you configure wireless sniffer, follow these guidelines:
   - Auto APs do not support wireless sniffer.
   - Wireless sniffer can be enabled for only one radio at a time.
   - While the Capture AP is capturing packets, the sniffer operation stops and the packets are saved to the specified .dmp file if wireless sniffer is disabled on the radio, the Capture AP is deleted, the Capture AP is disconnected from the AC, or the number of captured packets reaches the upper limit. The default storage medium varies with device models.
   - You can click Stop to stop the wireless sniffer and choose whether to save the packets to a CAP file. If you choose not to, no CAP file is generated.
   - The working mode of the AP cannot be changed while it is capturing packets.

NOTE:
Do not enable or run wireless services on the radio with wireless sniffer enabled. Disable all wireless services before enabling wireless sniffer.

3. Configure wireless sniffer as described in Table 206.

4. Click Apply.

Table 206 Configuration items
Capture Limit: The maximum number of packets that can be captured. Once the limit is reached, the device stops capturing packets. IMPORTANT: You cannot change the value while the device is capturing packets.
Filename: Name of the CAP file to which the packets are saved. By default, the name is SnifferRecord. IMPORTANT: You cannot change the file name while the device is capturing packets.

Configuring band navigation

- When band navigation is enabled, client association efficiency is reduced, so this feature is not recommended where most clients use 2.4 GHz.
- Band navigation is not recommended in a delay-sensitive network.
- Band navigation and load balancing can be used simultaneously.

Configuration prerequisites
To enable band navigation to operate properly, make sure of the following:
- The fast association function is disabled. By default, the fast association function is disabled. For more information about fast association, see "Configuring access services."
- Band navigation is enabled for the AP. By default, band navigation is enabled for the AP.
- The SSID is bound to both the 2.4 GHz and 5 GHz radios of the AP.

Configuring band navigation

1. Select Advanced > Band Navigation from the navigation tree.

Figure 616 Configuring band navigation

2. Configure band navigation as described in Table 207.

3. Click Apply.

Table 207 Configuration items
Band Navigation: Enable: Enable band navigation. Disable: Disable band navigation. By default, band navigation is disabled globally.
Session Threshold: Session threshold for clients on the 5 GHz band.
Gap: Session gap, which is the number of clients on the 5 GHz band minus the number of clients on the 2.4 GHz band.
  If the number of clients on the 5 GHz radio has reached the session threshold, and the gap between the number of clients on the 5 GHz radio and that on the 2.4 GHz radio has reached the gap value, the AP denies client association to the 5 GHz radio and allows new clients to associate to the 2.4 GHz radio.
  When band navigation is enabled, both values are 0 by default. To restore the default value 0, delete the configured number.
Max Denial Count: Maximum denial count of client association requests. If a client has been denied more than this number of times on the 5 GHz radio, the AP considers that the client is unable to associate to any other AP and allows the 5 GHz radio to accept the client. When band navigation is enabled, the value is 0 by default. To restore the default value 0, delete the configured number.
RSSI Threshold: Band navigation RSSI threshold. The AP checks the RSSI of a dual-band client before directing the client to the 5 GHz radio. If the RSSI is lower than this value, the AP does not direct the client to the 5 GHz band.
Aging Time: Client information aging time. The AP records client information when a client tries to associate with it. If the AP receives a probe request or association request from the client before the aging time expires, it refreshes the client information and restarts the aging timer. Otherwise, the AP removes the client information and does not count the client during band navigation.
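The following Python program is an added example, not code from the H3C guide or from the AC software. It models the band navigation decisions of Table 207 (5 GHz session threshold and gap, Max Denial Count, RSSI Threshold and client record aging) on constructed client events. Three points the table leaves open are assumptions here: a session threshold of 0 is treated as "no limit", a client counts as dual-band once the AP has heard it on the 5 GHz radio, and one denial counter per client covers both bands.

```python
"""Added example, not code from the H3C guide: a model of band navigation
(Table 207). The class name, the meaning of a zero session threshold, the
dual-band detection rule and the single denial counter are assumptions."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class ClientRecord:
    last_seen: float
    dual_band: bool = False     # heard probing on the 5 GHz radio (assumption)
    denials: int = 0            # association requests denied so far


class BandNavigator:
    def __init__(self, session_threshold: int, gap: int, max_denial_count: int,
                 rssi_threshold: int, aging_time: float) -> None:
        self.session_threshold = session_threshold
        self.gap = gap
        self.max_denial_count = max_denial_count
        self.rssi_threshold = rssi_threshold
        self.aging_time = aging_time
        self.records: Dict[str, ClientRecord] = {}
        self.clients = {"2.4": 0, "5": 0}      # associated clients per band

    def _age_out(self, now: float) -> None:
        """Drop clients not heard within the aging time; they are no longer
        counted during band navigation."""
        expired = [m for m, r in self.records.items() if now - r.last_seen > self.aging_time]
        for mac in expired:
            del self.records[mac]

    def _touch(self, mac: str, band: str, now: float) -> ClientRecord:
        rec = self.records.setdefault(mac, ClientRecord(last_seen=now))
        rec.last_seen = now
        if band == "5":
            rec.dual_band = True
        return rec

    def probe(self, mac: str, band: str, now: float) -> None:
        """A probe request refreshes the client record and restarts its aging timer."""
        self._age_out(now)
        self._touch(mac, band, now)

    def five_ghz_full(self) -> bool:
        """5 GHz is full when both the session threshold and the gap (5 GHz
        clients minus 2.4 GHz clients) are reached; 0 disables the check."""
        if self.session_threshold == 0:
            return False
        return (self.clients["5"] >= self.session_threshold
                and self.clients["5"] - self.clients["2.4"] >= self.gap)

    def associate(self, mac: str, band: str, rssi: int, now: float) -> str:
        """Decide an association request on the given band: 'accept' or 'deny'."""
        self._age_out(now)
        rec = self._touch(mac, band, now)
        give_up = rec.denials > self.max_denial_count   # denied more than Max Denial Count
        if band == "5":
            deny = self.five_ghz_full() and not give_up
        else:
            # Steer a dual-band client with adequate signal to 5 GHz by refusing
            # it on 2.4 GHz, unless 5 GHz is full or it has been refused enough.
            deny = (rec.dual_band and rssi >= self.rssi_threshold
                    and not self.five_ghz_full() and not give_up)
        if deny:
            rec.denials += 1
            return "deny"
        self.clients[band] += 1
        return "accept"


if __name__ == "__main__":
    nav = BandNavigator(session_threshold=2, gap=1, max_denial_count=1,
                        rssi_threshold=30, aging_time=60.0)
    nav.probe("c1", "5", now=0.0)                        # constructed client events
    print(nav.associate("c1", "2.4", rssi=50, now=1.0))  # deny: steered to 5 GHz
    print(nav.associate("c1", "5", rssi=50, now=2.0))    # accept
```

Every decision is keyed on the record's timestamps, so a client that probed on 5 GHz but returns only after the aging time is treated as a new, unknown client and is accepted on 2.4 GHz.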

Advanced settings configuration examples

1+1 fast backup configuration example
Network requirements
As shown in Figure 617, AC 1 and AC 2 back up each other, with AC 1 acting as the active AC. When the active AC fails, the standby AC takes over to provide services, so that service is not interrupted.
- Assign a higher AP connection priority on AC 1 (6 in this example) to make sure the AP first establishes a connection with AC 1. In this way, AC 1 acts as the active AC.
- When AC 1 is down, AC 2 becomes the new active AC.
- When AC 1 recovers, no switchover back to AC 1 occurs: AC 2 remains the active AC and AC 1 acts as the standby AC. This is because the AP connection priority on AC 1 (6) is not the highest value (7).

Figure 617 Network diagram

Configuring AC 1
1. Configure the AP so that a connection is established between AC 1 and the AP. For more information about the configuration, see "Configuring access services."
2. Select AP > AP Setup from the navigation tree.
3. Click the icon corresponding to the target AP to enter the configuration page.
4. Expand Advanced Setup.
5. Set the connection priority to 6.
6. Click Apply.

Figure 618 Configuring the AP connection priority

7. Select Advanced > AC Backup from the navigation tree.
8. On the page that appears, set the IP address of the backup AC to 1.1.1.5 and select enable to enable the fast backup mode.
9. Click Apply.

Figure 619 Configuring the IP address of the backup AC

Configuring AC 2
1. Configure the AP so that a connection is established between AC 2 and the AP. For more information about the configuration, see "Configuring access services."
2. Leave the AP connection priority at its default value. (Details not shown.)
3. Select Advanced > AC Backup from the navigation tree.
4. On the page that appears, set the address of the backup AC to 1.1.1.4 and select enable to enable the fast backup mode.
5. Click Apply.

Figure 620 Configuring the address of the backup AC

Verifying the configuration
1. While AC 1 operates properly, view the AP status on AC 1 and AC 2 respectively. The AP connection priority on AC 1 is set to 6, the higher value, so AC 1 becomes the active AC and the AP establishes its connection to AC 1 in precedence.
   a. On AC 1, select Advanced > AC Backup from the navigation tree.
   b. Click the Status tab to enter the page as shown in Figure 621.
   The status information shows that AC 1 is the active AC.

Figure 621 Displaying the AP status on AC 1

   c. On AC 2, select Advanced > AC Backup from the navigation tree.
   d. Click the Status tab.
   The information shows that AC 2 is acting as the standby AC.

Figure 622 Displaying the AP status on AC 2

2. While AC 1 operates properly, display the client status on AC 1 and AC 2. The client establishes its connection with the AP through AC 1, and AC 2 has backed up the client status.
   a. On AC 1, select Summary > Client from the navigation tree.
   b. Click the Detail Information tab.
   c. Click the name of the client to view its detailed information.
   The information shows that the client is running and is connected to AC 1 through an active link.

Figure 623 Displaying the client information on AC 1

   d. On AC 2, select Summary > Client from the navigation tree.
   e. Click the Detail Information tab.
   f. Click the name of the client to view its detailed information.
   The information shows that the client is running and is connected to AC 2 through a standby link.

Figure 624 Displaying the client information on AC 2

3. When AC 1 goes down, the standby AC, AC 2, detects the failure immediately through the heartbeat mechanism. AC 2 then takes over as the new active AC and provides services to the AP.
   On AC 2 (the new active AC), display the AP status. (Details not shown.) The information shows that AC 2 has become the active AC.
   On AC 2, display the client information. (Details not shown.) The value of the State field becomes Running, which indicates that the client is connected to AC 2 through an active link.
4. When AC 1 recovers, AC 2 still acts as the active AC and AC 1 becomes the standby AC. AC 1 establishes a backup link with the AP and backs up the client status.

Configuration guidelines
- The wireless services configured on the two ACs must be consistent.
- Specify the IP address of the backup AC on each AC.
- AC backup does not depend on the access authentication method; however, the authentication method configured on the two ACs must be the same.

1+N backup configuration example

Network requirements
As shown in Figure 625, AC 1 and AC 2 are active ACs and AC 3 acts as the standby AC. When an active AC fails, AC 3, the standby AC, takes over to provide services. As soon as the failed AC recovers, the AP connects to its original active AC again.
- The APs connect to AC 1, AC 2, and AC 3 through a Layer 2 switch. The IP addresses of AC 1, AC 2, and AC 3 are 1.1.1.3, 1.1.1.4, and 1.1.1.5 respectively.
- Assign the highest AP connection priority, 7, on AC 1 and AC 2 to make sure AP 1 establishes a connection with AC 1 and AP 2 establishes a connection with AC 2.
- If either active AC goes down, AC 3 becomes the new active AC for its AP.
- When the failed AC recovers, the AP connected to AC 3 automatically reconnects to its original active AC, because the AP connection priority on that AC is the highest. In this way, AC 3 always acts as a dedicated standby AC providing backup for AC 1 and AC 2.

Figure 625 Network diagram

Configuring AC 1
1. Configure AC 1 so that a connection is set up between AC 1 and AP 1. For more information about the configuration, see "Configuring access services."
2. Select AP > AP Setup from the navigation tree.
3. Click the icon corresponding to the target AP to enter the configuration page.
4. Expand Advanced Setup.
5. Set the connection priority to 7.
6. Click Apply.

Figure 626 Configuring the AP connection priority for AP 1

Configuring AC 2
1. Configure AC 2 so that a connection is set up between AC 2 and AP 2. For more information about the configuration, see "Configuring access services."
2. Set the AP connection priority to 7. The configuration steps are the same as those on AC 1. (Details not shown.)

Configuring AC 3 (the backup AC)
1. Configure the related information of AP 1 and AP 2. For more information about the configuration, see "Configuring access services."
2. Select AP > AP Setup from the navigation tree.
3. Click the icon corresponding to AP 1 to enter the configuration page.
4. Expand Advanced Setup.
5. Enter 1.1.1.3 in the Backup AC IPv4 Address field.
6. Click Apply.

Figure 627 Backing up the IP address of AC 1

7. Select AP > AP Setup from the navigation tree.
8. Click the icon corresponding to AP 2 to enter the configuration page.
9. Expand Advanced Setup.
10. Enter 1.1.1.4 in the Backup AC IPv4 Address field.
11. Click Apply.

Figure 628 Backing up the IP address of AC 2

Verifying the configuration
1. When AC 1 goes down, AC 3 becomes the new active AC.
2. When AC 1 recovers, the AP connected to AC 3 connects to AC 1 again, because the highest AP connection priority (7) on AC 1 ensures an automatic switchback.
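The following Python program is an added example, not code from the H3C guide or from the AC software. It models the two behaviours that the 1+1 fast backup and 1+N backup examples above depend on: peer-down detection after three missed hello intervals (Table 195 and Table 196), and the AP's choice of AC by connection priority, including why the AP stays on AC 2 after AC 1 recovers in the 1+1 example but returns to AC 1 in the 1+N example. The class and function names, the value used for the default connection priority (the guide only says to leave the default) and the exact selection rule are assumptions chosen to reproduce the documented outcomes.

```python
"""Added example, not code from the H3C guide: a model of AP connection
priority and fast-backup heartbeat detection for the 1+1 and 1+N examples.
Names, the default priority value and the selection rule are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

HIGHEST_PRIORITY = 7   # the guide calls 7 the highest AP connection priority
DEFAULT_PRIORITY = 4   # assumption: value used where the guide says "leave the default"


class HeartbeatMonitor:
    """Peer-down detection on a fast-backup link: the peer AC is reported
    Abnormal when no hello has arrived for three consecutive hello intervals."""

    def __init__(self, hello_interval: float, misses_allowed: int = 3) -> None:
        self.hello_interval = hello_interval
        self.misses_allowed = misses_allowed
        self.last_hello: Optional[float] = None

    def hello_received(self, now: float) -> None:
        self.last_hello = now

    def peer_state(self, now: float) -> str:
        if self.last_hello is None:
            return "Unknown"          # no connection yet (Table 196)
        if now - self.last_hello >= self.misses_allowed * self.hello_interval:
            return "Abnormal"
        return "Normal"


@dataclass
class AC:
    name: str
    ip: str
    priority: int        # AP connection priority configured for this AP on this AC
    up: bool = True


class AP:
    """Selection rule (assumption matching both examples): join the reachable
    AC with the highest priority; after a failover, move back to a recovered
    AC only if it carries the highest priority (7) and the current AC does not."""

    def __init__(self, candidates: List[AC]) -> None:
        self.candidates = candidates
        self.current: Optional[AC] = None
        self.evaluate()

    def evaluate(self) -> Optional[AC]:
        reachable = [ac for ac in self.candidates if ac.up]
        if not reachable:
            self.current = None
            return None
        best = max(reachable, key=lambda ac: ac.priority)
        if self.current is None or not self.current.up:
            self.current = best                          # failover
        elif (best.priority == HIGHEST_PRIORITY
              and best.priority > self.current.priority):
            self.current = best                          # switch back
        return self.current


def trace(ap: AP, outages: List[AC]) -> List[str]:
    """Take each given AC down and bring it back, recording which AC the AP
    is connected to after every event."""
    names = [ap.current.name]
    for ac in outages:
        ac.up = False
        names.append(ap.evaluate().name)
        ac.up = True
        names.append(ap.evaluate().name)
    return names


def scenario_1plus1() -> List[str]:
    """1+1 fast backup: priority 6 on AC 1 is not the highest, so the AP stays
    on AC 2 after AC 1 recovers."""
    ac1 = AC("AC 1", "1.1.1.4", priority=6)
    ac2 = AC("AC 2", "1.1.1.5", priority=DEFAULT_PRIORITY)
    return trace(AP([ac1, ac2]), [ac1])


def scenario_1plusN() -> List[str]:
    """1+N backup: priority 7 on AC 1 is the highest, so AP 1 returns to AC 1
    as soon as it recovers, leaving AC 3 as a dedicated standby."""
    ac1 = AC("AC 1", "1.1.1.3", priority=HIGHEST_PRIORITY)
    ac3 = AC("AC 3", "1.1.1.5", priority=DEFAULT_PRIORITY)
    return trace(AP([ac1, ac3]), [ac1])


if __name__ == "__main__":
    print("1+1:", scenario_1plus1())   # ['AC 1', 'AC 2', 'AC 2']
    print("1+N:", scenario_1plusN())   # ['AC 1', 'AC 3', 'AC 1']
```

The check worth keeping from this model is the last element of each trace: if a design needs the original AC to take the AP back after it recovers, that AC must carry priority 7, not merely a higher value than its backup.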

AP-based session-mode load balancing configuration example

Network requirements
- As shown in Figure 629, all APs operate in 802.11g mode. Client 1 is associated with AP 1. Client 2 through Client 6 are associated with AP 2.
- Configure session-mode load balancing on the AC. The threshold, that is, the maximum number of sessions, is 5, and the session gap is 4.

Figure 629 Network diagram

Configuration procedure
1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a connection between the AC and each AP. For the related configuration, see "Configuring access services."
2. Configure session-mode load balancing:
   a. Select Advanced > Load Balance from the navigation tree.
   b. On the Load Balance tab, select the Session mode, enter the threshold 5, and use the default value for the gap.
   c. Use the default values for Max Denial Count and RSSI Threshold.
   d. Click Apply.

Figure 630 Setting session-mode load balancing

Verifying the configuration
Client 1 is associated with AP 1, and Client 2 through Client 6 are associated with AP 2. When Client 7 requests association with AP 2, the number of clients associated with AP 2 has reached 5 and the session gap between AP 2 and AP 1 has reached 4, so AP 2 denies the request and Client 7 is associated with AP 1.

Configuration guidelines
An AP starts session-mode load balancing only when both the maximum number of sessions and the maximum session gap are reached.

AP-based traffic-mode load balancing configuration example

Network requirements
- As shown in Figure 631, all APs operate in 802.11g mode. Client 1 and Client 2 are associated with AP 1, and no client is associated with AP 2.
- Configure traffic-mode load balancing on the AC. The traffic threshold is 3 Mbps, which corresponds to a threshold value of 10 percent, and the traffic gap is 12 Mbps, which corresponds to a traffic gap value of 40 percent (both percentages are of the 30 Mbps maximum throughput of 802.11g).

Figure 631 Network diagram

Configuration procedure
1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a connection between the AC and each AP. For the related configuration, see "Configuring access services."
2. Configure traffic-mode load balancing:
   a. Select Advanced > Load Balance from the navigation tree.
   b. On the Load Balance tab, select the Traffic mode, enter the threshold 10 and the traffic gap 40.
   c. Use the default values for Max Denial Count and RSSI Threshold.
   d. Click Apply.

Figure 632 Setting traffic-mode load balancing

Verifying the configuration
Client 1 and Client 2 are associated with AP 1. Add Client 3 to the network. When the maximum traffic threshold and traffic gap are reached on AP 1, AP 1 denies the association request and Client 3 is associated with AP 2.

Configuration guidelines
An AP starts traffic-mode load balancing only when both the maximum traffic threshold and the maximum traffic gap are reached.

Group-based session-mode load balancing configuration example

Network requirements
- As shown in Figure 633, all APs operate in 802.11g mode. Client 1 is associated with AP 1, Client 2 through Client 6 are associated with AP 2, and no client is associated with AP 3.
- Configure session-mode load balancing on the AC. The maximum number of sessions is 5 and the maximum session gap is 4.
- Session-mode load balancing is required on only radio 2 of AP 1 and radio 2 of AP 2. Therefore, add these two radios to a load balancing group.

Figure 633 Network diagram (AC, L2 Switch, AP 1, AP 2, AP 3, Client 1 through Client 7)

Configuration procedure
1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a connection between the AC and each AP. For the related configuration, see "Configuring access services."
2. Configure load balancing:
   a. Select Advanced > Load Balance from the navigation tree.
   b. On the Load Balance tab, select Session from the Loadbalance Mode list, enter the threshold 5, and use the default value for the gap.
   c. Use the default values for Max Denial Count and RSSI Threshold.
   d. Click Apply.

Figure 634 Configuring session-mode load balancing

3. Configure a load balancing group:
   a. Select Advanced > Load Balance from the navigation tree.
   b. Click the Load Balance Group tab to enter the load balancing group configuration page.
   c. Click Add.
   d. On the page that appears, select radio 2 of ap1 and radio 2 of ap2 in the Radios Available area, click << to add them to the Radios Selected area, and click Apply.

Figure 635 Configuring a load balancing group

Verifying the configuration
- Radio 2 of AP 1 and radio 2 of AP 2 are in the same load balancing group, and the radio of AP 3 does not belong to any load balancing group. Because load balancing takes effect only on radios in a load balancing group, AP 3 does not take part in load balancing.
- Assume Client 7 tries to associate with AP 2. The number of clients associated with radio 2 of AP 2 has reached 5 and the session gap between radio 2 of AP 2 and radio 2 of AP 1 has reached 4, so AP 2 denies the request and Client 7 is associated with AP 1.

Group-based traffic-mode load balancing configuration example

Network requirements
- As shown in Figure 636, all APs operate in 802.11g mode. Client 1 and Client 2 are associated with AP 1, and no client is associated with AP 2 or AP 3.
- Configure traffic-mode load balancing on the AC. The maximum traffic threshold is 10% and the maximum traffic gap is 40%.
- Traffic-mode load balancing is required on only radio 2 of AP 1 and radio 2 of AP 2. Therefore, add these two radios to a load balancing group.

Figure 636 Network diagram

Configuration procedure
1. Before you configure load balancing, configure AP 1 and AP 2 on the AC to establish a connection between the AC and each AP. For the related configuration, see "Configuring access services."
2. Configure load balancing:
   a. Select Advanced > Load Balance from the navigation tree.
   b. On the Load Balance tab, select Traffic from the Loadbalance Mode list, enter the threshold 10 and the gap 40.
   c. Use the default values for Max Denial Count and RSSI Threshold.
   d. Click Apply.

Figure 637 Configuring traffic load balancing

3. Configure a load balancing group:
   a. Select Advanced > Load Balance from the navigation tree.
   b. Click the Load Balance Group tab to enter the load balancing group configuration page.
   c. Click Add.
   d. On the page that appears, select radio 2 of ap1 and radio 2 of ap2 in the Radios Available area, click << to add them to the Radios Selected area, and click Apply.

Figure 638 Configuring a load balancing group

Verifying the configuration
- Radio 2 of AP 1 and radio 2 of AP 2 are in the same load balancing group, and the radio of AP 3 does not belong to any load balancing group. Because load balancing takes effect only on radios in a load balancing group, AP 3 does not take part in load balancing.
- Assume Client 3 tries to associate with AP 1. Because the maximum traffic threshold and traffic gap have been reached on radio 2 of AP 1, AP 1 denies the request and Client 3 is associated with AP 2.

Wireless location configuration example


Network requirements
As shown in Figure 639, AP 1, AP 2, and AP 3 operate in monitor mode, and send the collected tag and
MU messages to an AE (the location server), which performs location calculation and then sends the
data to the graphics software. You can get the location information of the rogue AP, APs, and clients by
maps, forms or reports.
Figure 639 Network diagram
AE (location server)

Client

AP 1

AC

Switch

Rogue AP

AP 2

AP 3

AP

Configuring the AE
1.

Configure the IP addresses of AP 1, AP 2, and AP 3 on the AE, or select broadcast for the AE to
discover APs.

2.

Perform configuration related to wireless location on the AE.

Configuring AP 1 to operate in monitor mode
AP 1, AP 2, and AP 3 are configured similarly, and the following only describes how to configure AP 1 for illustration.
1. Select AP > AP Setup from the navigation tree.
2. Click Add.
3. On the page that appears, enter the AP name ap1, select the model WA2620-AGN, select manual from the Serial ID list, enter the AP serial ID in the field, and click Apply.
Figure 640 Creating an AP
4. Select Security > Rogue Detection from the navigation tree.
5. On the AP Monitor tab, click the icon corresponding to the target AP to enter the page for configuring the work mode.
6. Select the work mode Monitor.
7. Click Apply.
Figure 641 Setting the work mode

Enabling 802.11n
1. Select Radio > Radio from the navigation tree to enter the page for configuring radio.
2. Select the target AP.
3. Click Enable.
Figure 642 Enabling 802.11n (2.4 GHz)

Enabling wireless location
1. Select Advanced > Wireless Location from the navigation tree.
2. On the page that appears, select Enable, and select the tag mode and MU mode for 802.11n (2.4 GHz).
3. Click Apply.
Figure 643 Enabling wireless location

Verifying the configuration
You can display the location information of the rogue AP, APs, and clients by maps, forms or reports.

Configuration guidelines
Before you enable the wireless location function, make sure at least three APs operate in monitor or hybrid mode so that the APs can detect Tags and clients not associated with them, and the AE can implement location calculation.

An AP monitors clients on different channels periodically, so if the Tag message sending interval is configured as 1 second, the AP scans and reports Tag messages every half a minute. If higher location efficiency is required, you can set the Tag sending interval to the smallest value, 124 milliseconds.

Wireless sniffer configuration example

Network requirements
As shown in Figure 644, configure a Capture AP, and enable wireless sniffer on this AP to capture wireless packets. The captured packets are then saved in a .dmp file for troubleshooting.
Figure 644 Network diagram (AC, switch, AP 1, AP 2, the Capture AP, a client, a PDA, a PC, and a rogue AP)

Configuring Capture_AP
1. Select AP > AP Setup from the navigation tree.
2. Click Add.
3. On the page that appears, enter the AP name capture_ap, select the model WA2620-AGN, select manual from the Serial ID list, enter the AP serial ID in the field, and click Apply.
Figure 645 Creating a Capture AP
4. Select Radio > Radio from the navigation tree.
5. Click the icon of the Capture_AP to enter the radio configuration page.
6. Select 6 from the Channel list.
7. Click Apply.
Figure 646 Setting the channel
8. Select Radio > Radio from the navigation tree.
9. Select the target AP.
10. Click Enable.
Figure 647 Enabling 802.11n (2.4 GHz)

Configuring and enabling wireless sniffer
1. Select Advanced > Wireless Sniffer from the navigation tree.
2. On the page that appears, enter the capture limit 5000, enter the file name CapFile, and click Apply.
3. Click the icon corresponding to the target radio to enable wireless sniffer for the radio.
Figure 648 Configuring and enabling wireless sniffer

Verifying the configuration
Capture AP captures wireless packets and saves the packets to a CAP file in the default storage medium. Administrators can download the file to the PC and get the packet information by using tools like Ethereal.

When the total number of captured packets reaches the upper limit, Capture AP stops capturing packets.

Band navigation configuration example

Network requirements
As shown in Figure 649, Client 1 through Client 4 try to associate to AP 1, and the two radios of AP 1 operate at 5 GHz and 2.4 GHz. Client 1, Client 2, and Client 3 are dual-band clients, and Client 4 is a single-band (2.4 GHz) client. Configure band navigation to direct clients to different radios of the AP.
Figure 649 Network diagram

Configuring the AC
To enable band navigation to operate properly, make sure of the following:

The fast association function is disabled. By default, the fast association function is disabled.

Band navigation is enabled for the AP. By default, band navigation is enabled for the AP.

1. Create an AP:
a. Select AP > AP Setup from the navigation tree.
b. Click New.
c. On the page that appears, enter the AP name ap1, select the model WA2620E-AGN, select manual from the Serial ID list, and enter the AP serial ID in the field.
d. Click Apply.
2. Configure wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click Add.
c. On the page that appears, set the service name to band-navigation, select the wireless service type Clear, and click Apply.
3. Enable wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Select the band-navigation box.
c. Click Enable.
4. Bind an AP radio to the wireless service:
a. Select Wireless Service > Access Service from the navigation tree.
b. Click the icon for the wireless service band-navigation to enter the page for binding an AP radio.
c. Select the boxes before ap1 with radio types 802.11n(2.4GHz) and 802.11n(5GHz).
d. Click Bind.
Figure 650 Binding an AP radio
5. Enable 802.11n(2.4GHz) and 802.11n(5GHz) radios:
a. Select Radio > Radio Setup from the navigation tree.
b. Select the boxes before ap1 with the radio mode 802.11n(2.4GHz) and 802.11n(5GHz).
c. Click Enable.
6. Configure band navigation:
a. Select Advanced > Band Navigation from the navigation tree.
b. On the page that appears, click Enable, and type the Session Threshold 2 and Gap 1. Use the default values for other options.
c. Click Apply.
Figure 651 Configuring band navigation

Verifying the configuration
Client 1 and Client 2 are associated to the 5 GHz radio of AP 1, and Client 4 can only be associated to the 2.4 GHz radio of AP 1. Because the number of clients on the 5 GHz radio has reached the upper limit 2, and the gap between the number of clients on the 5 GHz radio and 2.4 GHz radio has reached the session gap 1, Client 3 will be associated to the 2.4 GHz radio of AP 1.
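The steering rule behind the verification above can be replayed offline. The following is an added example, not H3C code and not part of the original guide: it models the Session Threshold and Gap decision as inferred from the verification paragraph (a dual-band client is steered to 2.4 GHz only when the 5 GHz client count has reached the threshold and the difference between the two radios' client counts has reached the gap; a single-band client always lands on 2.4 GHz), generalized to any threshold, gap and client order. The client names and the run_scenario helper are constructed for illustration.

```python
"""Band navigation steering model (added example, not H3C code).

Models the Session Threshold / Gap rule described in the band navigation
configuration example so that client placement can be checked offline.
The rule is inferred from the guide's verification paragraph; the event
ordering and client names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class BandNavigator:
    """Steering state for one AP with a 5 GHz and a 2.4 GHz radio."""
    session_threshold: int                      # Session Threshold on the Band Navigation page
    session_gap: int                            # Gap on the Band Navigation page
    clients_5g: list = field(default_factory=list)
    clients_24g: list = field(default_factory=list)

    def steer(self, client: str, dual_band: bool) -> str:
        """Return the band ('5 GHz' or '2.4 GHz') the client is directed to."""
        if not dual_band:
            # A 2.4 GHz-only client cannot use the 5 GHz radio at all.
            self.clients_24g.append(client)
            return "2.4 GHz"
        n5, n24 = len(self.clients_5g), len(self.clients_24g)
        # Both conditions must hold before a dual-band client is pushed to 2.4 GHz:
        # the 5 GHz radio is at the threshold AND it leads 2.4 GHz by at least the gap.
        if n5 >= self.session_threshold and n5 - n24 >= self.session_gap:
            self.clients_24g.append(client)
            return "2.4 GHz"
        self.clients_5g.append(client)
        return "5 GHz"


def run_scenario(threshold: int, gap: int, clients) -> dict:
    """Associate clients in order; clients is a list of (name, is_dual_band)."""
    nav = BandNavigator(threshold, gap)
    return {name: nav.steer(name, dual) for name, dual in clients}


def run_document_scenario() -> dict:
    """Replay the Figure 649 setup: threshold 2, gap 1, three dual-band clients
    and one 2.4 GHz-only client (constructed association order)."""
    clients = [("Client 1", True), ("Client 2", True),
               ("Client 3", True), ("Client 4", False)]
    return run_scenario(2, 1, clients)


if __name__ == "__main__":
    for client, band in run_document_scenario().items():
        print(f"{client}: {band}")
```

Changing the gap shows why both conditions matter: with Gap set to 3 the 5 GHz radio leads by only 2 when Client 3 arrives, so it is still placed on 5 GHz even though the threshold of 2 has been reached.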

608

Configuring stateful failover

NOTE:
Support for the stateful failover feature may vary depending on your device model. For more information, see "Feature matrixes."

Overview
Introduction to stateful failover
Some customers require their wireless networks to be highly reliable to ensure continuous data transmission. In Figure 652, deploying only one AC (even with high reliability) risks a single point of failure and therefore cannot meet the requirement.
Figure 652 Network with one AC deployed

The stateful failover feature (supporting portal service) was introduced to meet the requirement. In Figure 653, two ACs that are enabled with stateful failover are deployed in the network. You need to specify a VLAN on the two ACs as the backup VLAN, and add the interfaces between the ACs to the backup VLAN. The backup VLAN acts as a failover link, through which the two ACs exchange state negotiation messages periodically. After the two ACs enter the synchronization state, they back up the service entries of each other to make sure that the service entries on them are consistent. If one AC fails, the other AC, which has already backed up the service information, can take over the services, thus avoiding service interruption.
Figure 653 Network diagram for stateful failover

Introduction to stateful failover states
The stateful failover states include:

Silence: Indicates that the device has just started, or is transiting from synchronization state to independence state.

Independence: Indicates that the silence timer has expired, but no failover link is established.

Synchronization: Indicates that the device has completed state negotiation with the other device and is ready for data backup.

The following figure shows state relations.
Figure 654 Stateful failover state diagram
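The state descriptions above can be checked against a small executable model. The following is an added example, not H3C code and not the state diagram from Figure 654 (which is not reproduced here): it encodes the three states named in the text and the transitions the text describes, and refuses to accept a peer's service entries unless the device is in the Synchronization state. The event names (silence_timer_expired, negotiation_complete, peer_lost), the FailoverPeer class and the sample portal session are assumptions constructed for illustration.

```python
"""Stateful failover state model (added example, not H3C code).

States come from the guide's overview. Transitions follow the text:
a fresh device starts in Silence; when the silence timer expires without a
failover link it is Independent; once negotiation with the peer completes it
is Synchronized and may exchange service entries; losing the peer takes it
back through Silence to Independence. Event names are assumptions.
"""

SILENCE = "Silence"
INDEPENDENCE = "Independence"
SYNCHRONIZATION = "Synchronization"

# (current state, event) -> next state. Event names are constructed for this model.
TRANSITIONS = {
    (SILENCE, "silence_timer_expired"): INDEPENDENCE,         # timer ran out, no link yet
    (INDEPENDENCE, "negotiation_complete"): SYNCHRONIZATION,  # failover link negotiated
    (SYNCHRONIZATION, "peer_lost"): SILENCE,                  # back to Silence, then Independence
}


class FailoverPeer:
    """One AC taking part in stateful failover."""

    def __init__(self, name: str):
        self.name = name
        self.state = SILENCE      # a device that has just started is in Silence
        self.backed_up = {}       # service entries replicated from the peer

    def handle(self, event: str) -> str:
        """Apply an event; anything not in the table is rejected rather than guessed."""
        key = (self.state, event)
        if key not in TRANSITIONS:
            raise ValueError(f"{self.name}: event {event!r} is not valid in state {self.state}")
        self.state = TRANSITIONS[key]
        return self.state

    def receive_backup(self, entries: dict) -> bool:
        """Accept the peer's service entries; only allowed once synchronized."""
        if self.state != SYNCHRONIZATION:
            return False
        self.backed_up.update(entries)
        return True


def bring_up_pair() -> dict:
    """Walk two ACs from power-on to Synchronization, replicate a constructed
    portal session from AC 1 to AC 2, then have AC 2 lose its peer."""
    ac1, ac2 = FailoverPeer("AC 1"), FailoverPeer("AC 2")
    for peer in (ac1, ac2):
        peer.handle("silence_timer_expired")
        peer.handle("negotiation_complete")
    synced = (ac1.state, ac2.state)

    session = {"user1": {"ip": "8.190.1.200", "auth": "portal"}}   # constructed sample entry
    copied = ac2.receive_backup(session)                            # accepted: both synchronized

    ac2.handle("peer_lost")                                         # Synchronization -> Silence
    late_copy = ac2.receive_backup({"user2": {}})                   # refused: no longer synchronized
    ac2.handle("silence_timer_expired")                             # Silence -> Independence
    return {"synced": synced, "copied": copied, "late_copy_accepted": late_copy,
            "ac2_state": ac2.state, "ac2_entries": ac2.backed_up}


if __name__ == "__main__":
    print(bring_up_pair())
```

The entries AC 2 already holds survive the peer loss, which is what lets the surviving AC take over the services; only new replication stops until the two devices negotiate again.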

Configuring stateful failover
1. Select High reliability > Stateful Failover from the navigation tree to enter the stateful failover configuration page, as shown in Figure 655.
2. View the current stateful failover state at the lower part of the page as described in Table 209.
Figure 655 Stateful failover configuration page
3. Configure stateful failover parameters at the upper part of the page as described in Table 208.
4. Click Apply.

Table 208 Configuration items

Item: Enable Stateful Failover
Description: Enable/disable the stateful failover feature.

Item: Backup Type
Description: Select whether to support asymmetric path.
- Unsupport Asymmetric Path. In this mode, sessions enter and leave the internal network through one device. The two devices work in the active/standby mode.
- Support Asymmetric Path. In this mode, sessions enter and leave the internal network through different devices to achieve load sharing. The two devices work in the active/active mode.

Item: Backup VLAN
Description: Set the backup VLAN. After a VLAN is configured as a backup VLAN, the interfaces in the VLAN are used to transmit stateful failover packets.
IMPORTANT:
- A device uses VLAN tag+protocol number to identify stateful failover packets, and broadcasts stateful failover packets to the peer within the backup VLAN. Therefore, H3C does not recommend that you configure other services (such as voice VLAN) for a backup VLAN, to avoid impact on the operation of stateful failover.
- An interface added to the backup VLAN can transmit other packets besides stateful failover packets.

Table 209 Field description

Field: Current Status
Description: Displays the failover state of the device.

Stateful failover configuration example

Network requirements
In Figure 656, the IP address of VLAN-interface 1 on AC 1 is 8.190.1.60/16, and that on AC 2 is 8.190.1.61/16. The client and AP each obtain an IP address from the DHCP server at 8.190.0.13/16, and the ACs perform portal authentication through the IMC server. Configure stateful failover on AC 1 and AC 2 so that when one AC fails, the other AC can take over portal and other services.
Figure 656 Network diagram

NOTE:
The portal group configuration on the two ACs must be consistent.

Configuring AC 1
1. Configure the backup AC and enable fast backup:
a. Select Advanced > AC Backup from the navigation tree to enter the default Setup page, as shown in Figure 657.
b. Select the IPv4 box and type the IP address of AC 2 (8.190.1.61) as the backup AC address, and select enable from the Fast Backup Mode list.
c. Click Apply.
Figure 657 Setup page
2. Configure stateful failover:
a. Select High reliability > Stateful Failover from the navigation tree, as shown in Figure 658.
b. Select the Enable Stateful Failover box, select Unsupport Asymmetric Path from the Backup Type list, and type 2 for Backup VLAN.
c. Click Apply.
Figure 658 Configuring stateful failover

3. Configure RADIUS scheme system:
a. Select Authentication > RADIUS from the navigation tree.
b. Click Add to enter the RADIUS scheme configuration page.
c. Type system for Scheme Name, select Extended for Server Type, and select Without domain name for Username Format.
d. Click Add in the RADIUS Server Configuration field to enter the page as shown in Figure 659.
e. Select Primary Authentication for Server Type, specify an IPv4 address 8.1.1.16 and 1812 as the port number.
f. Type expert for Key and expert for Confirm Key.
g. Click Apply.
Figure 659 Configuring a primary RADIUS authentication server
h. Click Add in the RADIUS Server Configuration field to enter the page as shown in Figure 660.
i. Select Primary Accounting for Server Type, and specify an IPv4 address 8.1.1.16 and 1813 as the port number.
j. Type expert for Key and expert for Confirm Key.
k. Click Apply.
Figure 660 Configuring a RADIUS accounting server
l. After the configurations are complete, the RADIUS scheme configuration page is as shown in Figure 661. Click Apply.
Figure 661 RADIUS scheme configuration page

4. Configure AAA authentication scheme for ISP domain system:
a. Click the Authentication tab.
b. Select system from the Select an ISP domain list, and select the Default AuthN box.
c. Select RADIUS from the list, and system from the Name list.
d. Click Apply.
A dialog box appears, showing the configuration progress.
e. After the configuration is successfully applied, click Close.
Figure 662 Configuring AAA authentication scheme for the ISP domain
5. Configure AAA authorization scheme for ISP domain system:
a. Click the Authorization tab.
b. Select system from the Select an ISP domain list, and select the Default AuthZ box.
c. Select RADIUS from the list and system from the Name list.
d. Click Apply.
A dialog box appears, showing the configuration progress.
e. After the configuration is successfully applied, click Close.
Figure 663 Configuring AAA authorization scheme for the ISP domain
6. Configure AAA accounting scheme for ISP domain system:
a. Click the Accounting tab.
b. Select system from the Select an ISP domain list, and select the Accounting Optional box.
c. Select Enable from the list, and select the Default Accounting box.
d. Select RADIUS from the list and system from the Name list.
e. Click Apply.
A dialog box appears, showing the configuration progress.
f. After the configuration is successfully applied, click Close.
Figure 664 Configuring AAA accounting scheme for the ISP domain

7. Configure portal authentication:
a. Select Authentication > Portal from the navigation tree to enter the default Portal Server configuration page as shown in Figure 665.
b. Click Add.
c. Select Vlan-interface1 from the Interface list, Add from the Portal Server list, and Direct from the Method list, and select system for Authentication Domain.
d. Type newpt for Server Name, 8.1.1.16 for IP, expert for Key, 50100 for Port, and http://8.1.1.16:8080/portal for URL.
e. Click Apply.
Figure 665 Configuring a portal server
8. Add a portal-free rule:
a. Click the Free Rule tab.
b. Click Add.
c. Type 0 for Number, and select GigabitEthernet1/0/1 as the source interface.
d. Click Apply.
Figure 666 Adding a portal-free rule

9. Configure portal to support stateful failover at the command line interface (CLI):
# Specify AC 1's device ID to be used in stateful failover mode as 1, and specify portal group 2 for interface VLAN-interface 1.
<AC1>system-view
[AC1]nas device-id 1
[AC1]interface Vlan-interface 1
[AC1-Vlan-interface1]portal backup-group 2

# Configure the virtual IP address of VRRP group 1 as 8.190.1.100, and specify the priority of AC 1 as 200. AC 2 uses the default priority.
[AC1-Vlan-interface1]vrrp vrid 1 virtual-ip 8.190.1.100
[AC1-Vlan-interface1]vrrp vrid 1 priority 200
[AC1-Vlan-interface1]quit

# Configure the source IP address for RADIUS packets as 8.190.1.100.
[AC1]radius nas-ip 8.190.1.100

# Configure the source IP address for portal packets as 8.190.1.100 (same as the AC's IP address configured on the IMC server for portal authentication). The portal nas-ip command is entered in interface view, so re-enter VLAN-interface 1 first.
[AC1]interface Vlan-interface 1
[AC1-Vlan-interface1]portal nas-ip 8.190.1.100
[AC1-Vlan-interface1]quit

Configuring AC 2
The configuration on AC 2 is similar to that on AC 1 except that:

When you configure AC backup, specify AC 1's IP address as the backup AC address.

Specify the device ID to be used in stateful failover mode as 2.

For more information, see the configuration on AC 1.

Configuration guidelines
When you configure stateful failover, follow these guidelines:

You must configure the 1+1 AC backup function to make sure that the traffic can automatically switch to the other device if one device fails. For more information, see "Advanced settings."

To back up portal related information from the active device to the standby device, you must configure portal to support stateful failover besides the configurations described in this chapter. For more information, see WX Series Access Controllers Security Configuration Guide.

Stateful failover can be implemented only between two devices rather than among more than two devices.

Index

A
AAA configuration example, 414
AAA overview, 406
AC-AP connection, 213
Access control methods, 377
Access controller module network scenario, 2
Access controller network scenario, 2
Access service overview, 223
ACL and QoS configuration example, 525
ACL overview, 493
Adding a DNS server address, 198
Adding a domain name suffix, 199
Adding a license, 64
Admin configuration, 10
Advanced settings configuration examples, 585
Advanced settings overview, 560
Antenna, 369
AP configuration, 17
AP connection priority configuration example, 221
AP group, 213
Auto AP, 213
Auto AP configuration example, 256
Automatic power adjustment configuration example, 372

B
Backing up the configuration, 82
Bandwidth guarantee configuration example, 555
Basic configuration, 9

C
CAC service configuration example, 551
Certificate management configuration example, 461
Clearing dynamic DNS cache, 199
Common Web interface elements, 35
Configuration examples, 102
Configuration guidelines, 39, 77, 104, 127, 140, 170, 430, 466, 534, 619
Configuration procedure, 432
Configuration summary, 19
Configuring 802.1X, 378
Configuring a guest, 444
Configuring a local user, 441
Configuring a MAC address entry, 129
Configuring a QoS policy, 512
Configuring a RADIUS scheme, 419
Configuring a user group, 443
Configuring a user profile, 447
Configuring AAA, 406
Configuring access service, 230
Configuring an ACL, 494
Configuring an AP, 214
Configuring an AP group, 220
Configuring an SNMP view, 111
Configuring and displaying clients' IP-to-MAC bindings, 184
Configuring ARP detection, 149
Configuring authorized IP, 491
Configuring auto AP, 218
Configuring calibration, 361
Configuring channel scanning, 360
Configuring data transmit rates, 356
Configuring DHCP snooping functions on an interface, 186
Configuring DNS proxy, 198
Configuring dynamic domain name resolution, 197
Configuring enhanced licenses, 65
Configuring gratuitous ARP, 143
Configuring IGMP snooping on a port, 155
Configuring IGMP snooping on a VLAN, 154
Configuring licenses, 64
Configuring line rate, 508
Configuring mesh service, 311
Configuring other ARP attack protection functions, 150
Configuring PKI, 450
Configuring portal authentication, 386
Configuring rogue device detection, 471
Configuring service management, 205
Configuring stateful failover, 610
Configuring static name resolution table, 196
Configuring system name, 67
Configuring the bandwidth guarantee function, 548
Configuring the blacklist and white list functions, 480
Configuring the priority trust mode of a port, 509
Configuring user isolation, 488
Configuring Web idle timeout period, 67
Configuring WIDS, 479
Configuring WLAN advanced settings, 567
Configuring WLAN roaming, 336
Creating a DHCP server group, 182
Creating a dynamic address pool for the DHCP server, 176
Creating a static address pool for the DHCP server, 175
Creating a static ARP entry, 142
Creating a user, 105
Creating a VLAN, 133
Creating an interface, 89
Creating an IPv4 static route, 164
Creating an IPv6 static route, 166

D
Device information, 43
DHCP relay agent configuration example, 190
DHCP server configuration example, 188
DHCP snooping configuration example, 192
Displaying AP, 49
Displaying ARP entries, 141
Displaying clients, 57
Displaying clients' IP-to-MAC bindings, 187
Displaying file list, 85
Displaying IGMP snooping multicast entry information, 157
Displaying information about assigned IP addresses, 178
Displaying interface information and statistics, 87
Displaying SNMP packet statistics, 119
Displaying syslog, 78
Displaying the client statistics, 544
Displaying the IPv4 active route table, 163
Displaying the IPv6 active route table, 165
Displaying the radio statistics, 543
Displaying the system time, 73
Displaying WLAN service, 45
DNS configuration example, 199
Downloading a file, 86
Dynamic WEP encryption-802.1X authentication configuration example, 297

E
Enabling DHCP, 174
Enabling DHCP and configuring advanced parameters for the DHCP relay agent, 180
Enabling DHCP snooping, 185
Enabling IGMP snooping globally, 153
Enabling the DHCP relay agent on an interface, 183
Enabling the DHCP server on an interface, 178
Enabling wireless QoS, 538
Encryption configuration, 16

F
Feature matrix for the WX3024E, 8
Feature matrix for the WX5000 series, 4
Feature matrix for the WX6000 series, 5

G
Generating the diagnostic information file, 71

I
IGMP snooping configuration examples, 158
Initializing the configuration, 84
Inter-AC roaming configuration example, 342
Interface management configuration example, 97
Interface management overview, 87
Intra-AC roaming configuration example, 338
Introduction to port mirroring, 99
Introduction to portal authentication, 385
Introduction to the Web interface, 21
Introduction to the Web-based NM functions, 23
IP configuration, 11
IPv4 static route configuration example, 167
IPv6 static route configuration example, 168

L
Local EAP service configuration example, 433
Local MAC authentication configuration example, 268
Logging in to the Web interface, 20
Logging out of the Web interface, 21
Loopback operation, 126

M
MAC address configuration example, 131
Manual channel adjustment configuration example, 370
Mesh DFS configuration example, 333
Mesh overview, 304
Mesh point-to-multipoint configuration example, 331
Modifying a Layer 2 interface, 92
Modifying a Layer 3 interface, 95
Modifying a port, 135
Modifying a VLAN, 134

N
Normal WLAN mesh configuration example, 326

O
Overview, 128, 133, 141, 152, 163, 195, 204, 440, 491, 536, 609

P
Ping operation, 208
PKI overview, 450
Port mirroring configuration task list, 100
Portal authentication configuration example, 397
Portal configuration, 15

Q
QoS overview, 493
Quick start wizard home page, 9

R
Radio group configuration example, 373
Radio overview, 347
Radio setup, 350
RADIUS configuration, 13
RADIUS configuration example, 425
RADIUS overview, 419
Rebooting the device, 70
Recommended configuration procedure, 133, 153, 195
Recommended configuration procedure (for DHCP relay agent), 179
Recommended configuration procedure (for DHCP server), 173
Recommended configuration procedure (for DHCP snooping), 185
Remote 802.1X authentication configuration example, 284
Remote MAC authentication configuration example, 273
Removing a file, 86
Removing ARP entries, 143
Restoring the configuration, 82
Rogue detection configuration example, 484

S
Saving the configuration, 83
Setting buffer capacity and refresh interval, 80
Setting CAC admission policy, 540
Setting client EDCA parameters for wireless clients, 542
Setting radio EDCA parameters for APs, 540
Setting rate limiting, 546
Setting the log host, 79
Setting the super password, 106
Setting the SVP service, 539
SNMP configuration example, 120
SNMP configuration task list, 108
SNMP overview, 108
Software upgrade, 69
Specifying the main boot file, 86
Stateful failover configuration example, 611
Static ARP configuration example, 144
Subway WLAN mesh configuration example, 330
Switching the user access level to the management level, 107
System time configuration example, 76

T
Trace route operation, 211
Tri-radio mesh configuration example, 332
Troubleshooting Web browser, 40

U
Uploading a file, 86
User isolation configuration example, 489
User isolation overview, 487

V
VLAN configuration examples, 137

W
Web user level, 22
Wireless configuration, 12
Wireless service configuration example, 253
Wireless service-based dynamic rate limiting configuration example, 554
Wireless service-based static rate limiting configuration example, 553
Wireless switch network scenario, 3
WLAN roaming configuration examples, 338
WLAN RRM overview, 347
WLAN security overview, 467
WPA-PSK authentication configuration example, 263
