With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:
1 e-Learning Courses: Log on to http://learning.huawei.com/en and enter Huawei Training/e-Learning
If you have the HCNA/HCNP certificate: You can access Huawei Career Certification and Basic Technology e-Learning courses.
If you have the HCIE certificate: You can access all the e-Learning courses which are marked for HCIE Certification Users.
Methods to get the HCIE e-Learning privilege: Please associate HCIE certificate information with your Huawei account, and
Content: Huawei product training material and Huawei career certification training material.
Method: Log on to http://learning.huawei.com/en and enter Huawei Training/Classroom Training, then you can download training material in the specific training introduction page.
3 Priority to participate in Huawei Online Open Class (LVC)
The Huawei career certification training and product training cover all ICT technical domains like R&S, UC&C, Security, Storage and so on, and are conducted by Huawei professional instructors.
4 Learning Tools:
eNSP: Simulate single Router&Switch device and large network.
WLAN Planner: Network planning tools for WLAN AP products.
In addition, Huawei has built up Huawei Technical Forum which allows candidates to discuss technical issues with Huawei experts, share exam experiences with others or be acquainted with Huawei Products.
Statement:
This material is for personal use only, and can not be used by any individual or organization for any commercial purposes.
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 1
HCNA-WLAN Course
Experiment Guides for WLAN Engineers (CLI)
Issue 1.60
Date 2014-12-20
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://support.huawei.com/learning/Index!toTrainIndex
Email: certification@huawei.com
Relying on the strong technical strength and professional training system, Huawei provides a practical and professional four-level certificate system to meet various customer requirements on different WLAN technologies.
Huawei Certified Network Associate-Wireless Local Area Network (HCNA-WLAN) is designed for Huawei local offices, online engineers in representative offices, and readers who want to understand Huawei WLAN products and technology. HCNA-WLAN covers WLAN basics, Control and Provisioning of Wireless Access Points (CAPWAP) protocol, WLAN networking, Huawei WLAN product features, security configuration, WLAN advanced technology, antennas, WLAN network planning and optimization, and WLAN fault troubleshooting.
The HCNA-WLAN certificate system introduces you to the industry and market, helps you in innovation, and enables you to stand atop the WLAN frontiers.
Overview
This document is applicable to the candidates who are preparing for the HCNA-WLAN exam and the readers who want to understand the WLAN basics, the CAPWAP protocol, WLAN networking, Huawei WLAN product features, security configuration, WLAN advanced technology, antennas, WLAN network planning and optimization, and WLAN fault troubleshooting.
Description
This experiment guide introduces the following seven experiments, covering basic configurations, and configurations and implementation of Layer 2 networking, security, Layer 3 networking, and the network management software eSight:
Experiment 1: Experiment environment preparations
This experiment includes checking whether all required devices are ready, connecting devices on the network, and clearing AC configurations. This experiment helps you know about HCNA-WLAN devices and network construction.
Experiment 2: AC configuration initialization
This experiment involves basic operations and configurations on an AC, helping you know the AC6605 and its basic functions.
Experiment 3: AP authentication and WLAN configuration process
This experiment lets you know basic WLAN network capabilities through basic WLAN configurations.
This experiment mainly introduces 802.1x authentication, helping you know WLAN security and the configuration process.
Experiment 5: Bypass Layer 3 networking
This experiment uses the AC6605 and Layer 3 networking. The Layer 3 network configuration helps you comprehensively know WLAN networking modes.
Experiment 6: WLAN configuration on eSight
This experiment involves how to add WLAN devices to the eSight and deliver WLAN services using the configuration wizard.
Experiment 7: Configuration file backup and AC configuration clearance
This experiment describes how to back up configuration files through File Transfer Protocol (FTP).
Common Icons
[Icon figure; labels: Switch, AC, AP, eSight Server, RADIUS Server, STA]
Networking Introduction
This experiment environment is prepared for WLAN engineers who are preparing for the HCNA-WLAN exam.
Each suite of experiment environment includes 2-9 ACs, 2-9 APs, 1 core switch, and 1 Remote Authentication Dial In User Service (RADIUS) or eSight server. Each suite of experiment environment is applicable to 4 to 16 candidates.
Device Introduction
The following table lists devices recommended for HCNA-WLAN experiments and the mappings between the device name, model, and software version.
Device Name    Model                Software Version
Core switch    S3700-28TP-PWR-EI    Version 5.70 (S3700 V100R005C01SPC100)
AC             AC6605-26-PWR        AC6605 V200R005C00SPC200
AP             AP6010DN-AGN         AP6010DN-AGN:V200R005C00SPC600
Contents
Common Icons
Experiment Environment Overview
1 Practice 1: Preparing the Lab Environment
1.1 About This Course
1.2 Confirming the Readiness of the Devices
1.2.1 Confirming the Readiness of the Devices
1.3 Network Topology Description 1: Chain Networking
1.4 Network Topology Description 2: Branched Networking
1.5 Description the Connection of Console Cable
1.6 Reset the Configuration of AC
2 Basic Configuration of AC
2.1 Objectives
2.2 Networking Deployment Description
2.3 Configuration Procedure
2.3.1 Configuring Initialization Password
2.3.2 Configuring the Basic Information of AC
2.3.3 Confirming and Testing the Telnet/SSH Service (AAA Authentication)
4.3.1 Configuring WEP Authentication
4.3.2 Configuring WPA PSK Authentication
4.3.3 Configuring WPA EAP Authentication
4.3.4 Configuring EAP Client
4.4 Security Policies Configuration Precautions
4.5 Configuration Reference
4.5.1 ACs configuration
5 eSight Management for WLAN (Optional)
5.1 Objectives
5.2 Networking Deployment Description
5.3 Configuration Procedure
5.3.1 Configuring AC SNMP Community
5.3.2 Configuring AC Discover AP
5.3.3 Configuring Service-set by eSight Wizard
5.3.4 Checking the Configuration by eSight
5.4 Configuration Reference
6 Branched Networking
6.2 Networking Deployment Description
6.3 Configuration Procedure
6.3.1 Re-connecting AP to Switch
6.3.3 AP Online Configuration
6.3.4 Changing the Forwarding Mode to Tunnel Forwarding
6.4 Configuration Reference
Figure 1-1 Devices List
Figure 1-2 Chain networking Topology
Figure 1-3 Branched networking topology
Figure 1-4 Network connection of console cable
Figure 1-5 Creating a connection
Figure 1-6 Configuring the connection port
Figure 1-7 Setting the communication parameters
Figure 2-1 Networking deployment information
Figure 3-1 AP Authentication and WLAN configuration roadmap parameters description
Figure 3-2 WLAN configuration roadmap
Figure 4-1 WLAN security configuration parameters description
Figure 5-1 eSight network deployment
Figure 6-1 Branched networking topology
Understanding the topology of the practice
Reset the configuration of the devices
1.2 Confirming the Readiness of the Devices
1.2.1 Confirming the Readiness of the Devices
The following figure shows the devices which need to be used in this practice. Please confirm them before the practice begins.
Huawei Quidway S3700 1 SW for all groups All practice groups share the
1.3 Network Topology Description 1: Chain Networking
Figure 1-2 Chain networking Topology
[Topology diagram; labels: Radius Server 10.254.1.100, eSight Server 10.254.1.200, Core Switch (GE0/0/23, GE0/0/24, GE0/0/1, GE0/0/10), AC1, AC2, AC10 (GE0/0/24, GE0/0/1), AP1, AP2, AP10]
For group 1: The 24th port of AC1 connects to switch port 1, the 1st port of the AC connects to AP1
For group 2: The 24th port of AC2 connects to switch port 2, the 1st port of the AC connects to AP2
For group 3: The 24th port of AC3 connects to switch port 3, the 1st port of the AC connects to AP3
And so on
For group 10: The 24th port of AC10 connects to switch port 10, the 1st port of the AC connects to AP10
The configuration of the switch is ready and the students do not need to configure it (you can refer to it in the reference configuration part)
The RADIUS server and eSight server are ready for use; there is no need to configure them
1.4 Network Topology Description 2: Branched Networking
Figure 1-3 Branched networking topology
[Topology diagram; labels: Radius Server 10.254.1.100, eSight Server 10.254.1.200, Core Switch (GE0/0/23, GE0/0/24, GE0/0/1, GE0/0/2, GE0/0/10, GE0/0/11, GE0/0/12, GE0/0/20), AC1, AC2, AC10 (GE0/0/24), AP1, AP2, AP10]
HCNA-WLAN 1Practice 1: Preparing the Lab Environment
to the AP3
And so on
For group 10: The 24th port of AC10 connects to switch port 10, the 20th port of SW connects to AP10
The configuration of the switch is ready and the students do not need to configure it (you can refer to it in the reference configuration part)
The RADIUS server and eSight server are ready for use; there is no need to configure them
1.5 Description the Connection of Console Cable
Figure 1-4 Network connection of console cable
As shown in Figure 1-4, connect the console cable to the AC, power on the devices, and plug the console cable into the laptop.
This course takes the HyperTerminal of Windows XP as an example to explain how to log in to the AC6605 command line interface through the HyperTerminal. If other similar software such as PuTTY or SecureCRT is used, refer to the user guide of the related software.
1. Enable the HyperTerminal on the PC
Choose Start > Programs > Accessories > Communications > HyperTerminal to start the HyperTerminal in Windows XP.
2. Create a connection
As shown in Figure 1-5, enter the name of the new connection in the Name text box and choose an icon, then click OK.
4. Set the communication parameters
After the COM1 Properties dialog box is displayed, set the COM1 properties as shown in Figure 1-7, or use the default settings by clicking Restore Defaults.
Figure 1-7 Setting the communication parameters
After the preceding settings are complete, press Enter. Wait until the following message is
displayed prompting you to set a login password. The system automatically saves the
password setting.
An initial password is required for the first login via the console.
Set a password and keep it safe! Otherwise you will not be able to login via the
console.
1.6 Reset the Configuration of AC
We need to reset the configuration of the devices before the practice so that earlier settings do not affect it. Follow the procedure below to reset the configuration and reboot the device.
The login password is huawei123 in this exercise:
Login authentication
Password:huawei123
<AC6605>reset saved-configuration
This will delete the configuration in the flash memory.
The device configurations will be erased to reconfigure.
Are you sure? (y/n)[n]:y
Clear the configuration in the device successfully.
Warning: All the configuration will be saved to the next startup configuration.
Continue ? [y/n]:n
System will reboot! Continue ? [y/n]:y
Info: system is rebooting ,please wait...
You have finished practice 1!
2 Basic Configuration of AC
2.1 Objectives
Upon completion of this task, you will be able to:
Configure the initialization password
Configure VLAN and routing in the AC
Configure telnet service of the AC
Save the configuration in the AC
2.2 Networking Deployment Description
In this exercise we configure the VLANs, trunks and IP addresses of the devices. After the students get their group number, follow the network deployment requirements below to configure the device.
Suppose the student belongs to group X (X=0, 1, 2, 3 ... 10); get the information as shown in Figure 2-1.
Figure 2-1 Networking deployment information
Student belongs to Group X (X=1, 2, 3 ... 10)    AC Parameters
Name                                              ACX
Initialization Password                           huawei123
AP Management VLAN                                VLAN: X0
                                                  IP: 10.1.X0.100
Network topology: Chain Networking + Layer 2 Networking
In this practice, the PC is configured with IP 192.168.100.10 and is used to test the telnet function of the AC.
2.3 Configuration Procedure
2.3.1 Configuring Initialization Password
Press Enter and wait until the following message is displayed prompting you to set a login password.
NOTE:
The password value is a string of 6 to 16 case-sensitive characters. It must contain at least two types of characters, including upper-case and lower-case letters, digits, and special characters. The special characters cannot contain space or question mark (?).
Password entered in interactive mode is not displayed on the terminal screen.
When you log in to the AC using the password, you must enter the password set during your first login.
Please configure the login password (maximum length 16)
Enter password:huawei123
Confirm password:huawei123
<AC6605>
[AC1]interface g0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk pvid vlan 10
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 to 13
[AC1-GigabitEthernet0/0/1]quit
[AC1]interface g0/0/24
[AC1-GigabitEthernet0/0/24]port link-type trunk
[AC1-GigabitEthernet0/0/24]port trunk allow-pass vlan 10 to 12
[AC1-GigabitEthernet0/0/24]quit
Use the command dis port vlan to check the configuration result.
[AC1]dis port vlan
Port                    Link Type    PVID  Trunk VLAN List
-------------------------------------------------------------------------------
GigabitEthernet0/0/1    trunk        10    1 10-13
GigabitEthernet0/0/2    hybrid       1     -
GigabitEthernet0/0/3    hybrid       1     -
GigabitEthernet0/0/4    hybrid       1     -
GigabitEthernet0/0/5    hybrid       1     -
GigabitEthernet0/0/6    hybrid       1     -
GigabitEthernet0/0/7    hybrid       1     -
GigabitEthernet0/0/8    hybrid       1     -
GigabitEthernet0/0/9    hybrid       1     -
GigabitEthernet0/0/10   hybrid       1     -
GigabitEthernet0/0/11   hybrid       1     -
GigabitEthernet0/0/12   hybrid       1     -
GigabitEthernet0/0/13   hybrid       1     -
GigabitEthernet0/0/14   hybrid       1     -
GigabitEthernet0/0/15   hybrid       1     -
GigabitEthernet0/0/16   hybrid       1     -
GigabitEthernet0/0/17   hybrid       1     -
GigabitEthernet0/0/18   hybrid       1     -
GigabitEthernet0/0/19   hybrid       1     -
GigabitEthernet0/0/20   hybrid       1     -
GigabitEthernet0/0/21   hybrid       1     -
GigabitEthernet0/0/22   hybrid       1     -
GigabitEthernet0/0/23   hybrid       1     -
GigabitEthernet0/0/24   trunk        1     1 10-12
XGigabitEthernet0/0/1   hybrid       1     -
XGigabitEthernet0/0/2   hybrid       1     -
[AC1]interface vlan 10
[AC1-Vlanif10]ip address 10.1.10.100 24
[AC1-Vlanif10]quit
[AC1]interface vlan 11
[AC1-Vlanif11]ip address 10.1.11.100 24
[AC1-Vlanif11]quit
[AC1]interface vlan 12
[AC1-Vlanif12]ip address 10.1.12.100 24
[AC1-Vlanif12]quit
Enable the DHCP service, and configure the DHCP pool for the WLAN guest VLAN. (Notice: If you configure the AC as the service VLAN gateway, the WLAN service-set must be configured in tunnel forwarding mode; in direct forwarding mode, the gateway of the service VLAN can be configured on an external switch.)
[AC1]dhcp enable
[AC1]interface Vlanif 13
[AC1-Vlanif13]ip address 192.168.1.1 24
[AC1-Vlanif13]dhcp select interface
[AC1-Vlanif13]dhcp server dns-list 8.8.8.8
Confirm the status of the interfaces:
[AC1]display ip interface brief
Interface     IP Address/Mask       Physical   Protocol
MEth0/0/1     192.168.100.200/24    down       down
NULL0         unassigned            up         up(s)
Vlanif10      10.1.10.100/24        up         up
Vlanif11      10.1.11.100/24        up         up
Vlanif12      10.1.12.100/24        up         up
Vlanif13      192.168.1.1/24        up         up
Check the reachability from the AC to the Layer 3 switch. The IP address 100.100.100.100 is a loopback interface IP address that simulates the public network; this destination should be unreachable right now.
[AC1]ping -a 192.168.1.1 10.1.10.1
PING 10.1.10.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.10.1: bytes=56 Sequence=1 ttl=255 time=11 ms
Reply from 10.1.10.1: bytes=56 Sequence=2 ttl=255 time=11 ms
Reply from 10.1.10.1: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 10.1.10.1: bytes=56 Sequence=4 ttl=255 time=11 ms
Reply from 10.1.10.1: bytes=56 Sequence=5 ttl=255 time=20 ms
--- 10.1.10.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
[AC1]ping -a 192.168.1.1 100.100.100.100
PING 100.100.100.100: 56 data bytes, press CTRL_C to break
Request time out
Request time out
2.3.3 Confirming and Testing the Telnet/SSH Service (AAA Authentication)
Enable and configure the telnet service on the AC, and add the account huawei for AAA authentication.
[AC1]telnet server enable
Info: TELNET server has been enabled.
[AC1]stelnet server enable
Info: Succeeded in starting the STELNET server.
[AC1]aaa
[AC1-aaa]local-user huawei password cipher huawei123
[AC1-aaa]local-user huawei service-type telnet ssh
[AC1-aaa]local-user huawei privilege level 15
[AC1-aaa]quit
[AC1]user-interface vty 0 4
[AC1-ui-vty0-4]authentication-mode aaa
Configure the management interface MEth0/0/1:
[AC1]interface MEth 0/0/1
[AC1-MEth0/0/1]ip address 192.168.100.200 24
Connect the PC to the AC management port (to the left of the console port), configure the PC's IP address as 192.168.100.10 255.255.255.0, and test the telnet service.
C:\Users\zWX>ping 192.168.100.200
Pinging 192.168.100.200 with 32 bytes of data:
Reply from 192.168.100.200:bytes=32 time=1ms TTL=255
Reply from 192.168.100.200:bytes=32 time=7ms TTL=255
Reply from 192.168.100.200:bytes=32 time=4ms TTL=255
C:\Users\zWX>telnet 192.168.100.200
Login authentication
Username:huawei
Password:huawei123
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
<AC1>sys

Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please wait..........
Note: The configuration file will take effect after being activated
2.4 Configuration Reference
Take group 1 for example:
#
sysname AC1
#
snmp-agent local-engineid 800007DB03FC48EFC76DB7
undo snmp-agent community complexity-check disable
snmp-agent
#
http server enable
http secure-server ssl-policy default_policy
#
http secure-server enable
#
vlan batch 10 to 13
dhcp enable
#
#
pki realm default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher admin@huawei.com
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
#
interface Vlanif13
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 8.8.8.8
#
interface MEth0/0/1
ip address 192.168.100.200 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan 10 to 12
#
interface XGigabitEthernet0/0/1
#
interface XGigabitEthernet0/0/2
#
interface NULL0
#
stelnet server enable
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
user-interface con 0
authentication-mode password
set authentication password cipher huawei123
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
protocol inbound all
user-interface vty 16 20
#
wlan
#
return
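The following is an added example, not part of the original guide or of any Huawei tool: a small audit that walks a saved configuration like the one above and reports the management-plane settings this lab leaves open (Telnet, plain HTTP, level-15 VTY lines, passwords printed in the guide). The sample configurations are constructed from commands on this page, the indentation of saved VRP files is an assumption, and the rule set and the names audit and parse_views are hypothetical.

```python
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    rule: str
    view: str      # "" means a global (system-view) command
    command: str   # password values are masked before reporting
    advice: str

# (rule id, view prefix, command regex, advice); view prefix "" = global only.
RULES = [
    ("telnet-server", "", r"^telnet server enable$",
     "Telnet sends the login in cleartext; keep only the STelnet server."),
    ("http-server", "", r"^http server enable$",
     "Plain HTTP management is enabled; keep only the secure-server."),
    ("vty-inbound", "user-interface vty", r"^protocol inbound (all|telnet)$",
     "VTY lines accept Telnet; use 'protocol inbound ssh'."),
    ("vty-level-15", "user-interface vty", r"^user privilege level 15$",
     "Every VTY login starts at level 15; set the level per user in AAA."),
    ("user-telnet", "aaa", r"^local-user \S+ service-type\b.*\btelnet\b",
     "The account may log in over Telnet; limit service-type to ssh."),
]
# Assumption: any password printed in this lab guide counts as public.
KNOWN_LAB_PASSWORDS = {"huawei123", "admin@huawei.com"}
PASSWORD_RE = re.compile(r"\bpassword cipher (\S+)")

def parse_views(text):
    """Yield (view, command). A column-0 line is a global command that also
    opens a view; indented lines belong to the open view, or are global
    commands when a '#' separator has closed the view."""
    view = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            view = ""
        elif raw[0].isspace():
            yield view, line
        else:
            view = line
            yield "", line

def audit(text: str) -> List[Finding]:
    findings = []
    for view, cmd in parse_views(text):
        for rule, prefix, pattern, advice in RULES:
            in_view = view.startswith(prefix) if prefix else view == ""
            if in_view and re.search(pattern, cmd):
                findings.append(Finding(rule, view, cmd, advice))
        match = PASSWORD_RE.search(cmd)
        if match and match.group(1) in KNOWN_LAB_PASSWORDS:
            masked = PASSWORD_RE.sub("password cipher ***", cmd)
            findings.append(Finding("lab-password", view, masked,
                                    "Password is printed in the lab guide; replace it."))
    return findings

# Constructed sample: commands typed in this lab and lines from its
# configuration reference, with the indentation of saved VRP files assumed.
SAMPLE_CONFIG = """\
#
 http server enable
#
aaa
 local-user admin password cipher admin@huawei.com
 local-user huawei password cipher huawei123
 local-user huawei service-type telnet ssh
#
 telnet server enable
 stelnet server enable
#
user-interface con 0
 authentication-mode password
 set authentication password cipher huawei123
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 15
 protocol inbound all
#
return
"""

# Constructed counterpart with the flagged lines removed or narrowed to SSH.
HARDENED_CONFIG = """\
#
aaa
 local-user huawei service-type ssh
#
 stelnet server enable
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.rule}] {f.view or 'global'}: {f.command} -> {f.advice}")
```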
HCNA-WLAN 3AP Authentication and WLAN Configuration Roadmap
3.1 Objectives
Upon completion of this task, you will be able to:
Configure AP authentication
Understand WLAN configuration profile
Understand WLAN configuration roadmap
Configure open system authentication
3.2 Networking Deployment Description
Figure 3-1 AP Authentication and WLAN configuration roadmap parameters description
Suppose the student belongs to group X (X=1, 2, 3 ... 10), for example the WMM profile name of group 1 is wmm-prof-guest1
Network topology         Chain Network + Layer 2 networking
AC Global Information    Country code: CN
                         WLAN source: VLAN X0
AP Authentication        AP authentication mode: mac-auth
                         AP MAC address
Service VLAN: vlan13
Wlan-ess interface 0
User isolation: closed
3.3 Configuration Procedure
3.3.1 Configuring Roadmap
Figure 3-2 WLAN configuration roadmap
By default, the country-code parameter is CN. There are four types of carrier ID; for an enterprise the type is other:
cmcc: China Mobile
ctc: China Telecom
cuc: China Unicom
other: other service provider (default value)
3.3.4 Configuring AP Authentication and Connection with AC
Configure the DHCP pool for the AP and the AP authentication mode. The AP discovers the AC address through the DHCP Option 43 method.
[AC1]ip pool vlan10
[AC1-ip-pool-vlan10]network 10.1.10.0 mask 255.255.255.0
[AC1-ip-pool-vlan10]excluded-ip-address 10.1.10.100
[AC1-ip-pool-vlan10]gateway-list 10.1.10.1
[AC1-ip-pool-vlan10]dns-list 10.254.1.100
[AC1-ip-pool-vlan10]option 43 sub-option 3 ascii 10.1.10.100
[AC1]interface vlan 10
[AC1-Vlanif10]dhcp select global
[AC1-Vlanif10]quit
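Because the AP takes the AC address from Option 43, the value carried in DHCP offers on the AP management VLAN is worth verifying. The following is an added example, not part of the original guide: it builds the bytes for the option 43 sub-option 3 ascii line above and checks a captured Option 43 payload against the expected AC. It assumes the sub-options are encoded as code, length, value in the RFC 2132 vendor-specific style; the function names and the test payloads are constructed for illustration.

```python
import ipaddress

AC_SUBOPTION = 3  # sub-option used on this page to carry the AC address as ASCII


def encode_option43_ascii(ac_ip: str, sub_option: int = AC_SUBOPTION) -> bytes:
    """Build one sub-option: code byte, length byte, ASCII address."""
    ipaddress.IPv4Address(ac_ip)           # raises ValueError if malformed
    data = ac_ip.encode("ascii")
    return bytes([sub_option, len(data)]) + data


def parse_option43(payload: bytes) -> dict:
    """Decode code/length/value sub-options and reject truncated data."""
    subs = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d is truncated" % code)
        subs[code] = value
        i += 2 + length
    return subs


def ac_address_ok(payload: bytes, expected_ac: str, mgmt_net: str) -> bool:
    """True only when sub-option 3 names the expected AC and that address
    lies inside the AP management subnet."""
    try:
        value = parse_option43(payload).get(AC_SUBOPTION)
        if value is None:
            return False
        addr = ipaddress.IPv4Address(value.decode("ascii"))
    except ValueError:                     # also covers UnicodeDecodeError
        return False
    return (addr == ipaddress.IPv4Address(expected_ac)
            and addr in ipaddress.IPv4Network(mgmt_net))


if __name__ == "__main__":
    offer = encode_option43_ascii("10.1.10.100")   # value configured for group 1
    print(offer.hex(), ac_address_ok(offer, "10.1.10.100", "10.1.10.0/24"))
```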
Then the AP will get the IP address 10.1.X0.254. Run the ping command to test the connection between the AP and the AC.
[AC1]ping 10.1.10.254
PING 10.1.10.254: 56 data bytes, press CTRL_C to break
Reply from 10.1.10.254: bytes=56 Sequence=1 ttl=64 time=2 ms
Reply from 10.1.10.254: bytes=56 Sequence=2 ttl=64 time=11 ms
Reply from 10.1.10.254: bytes=56 Sequence=5 ttl=64 time=11 ms
But we have not configured the AP authentication list yet, so if you run the command display ap all, no AP is displayed.
[AC1-wlan-view]display ap all
All AP information(Normal-0,UnNormal-0):
------------------------------------------------------------------------------
AP    AP      AP     Profile   Region   AP
ID    Type    MAC    ID        ID       State
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Total number: 0
The AP supports three authentication modes; by default, the AP authentication mode is MAC address authentication. Before we add the AP to the authentication list manually, we need to know the AP type and the MAC address of the AP. V2R5 can support 12 types of AP currently; run the command display ap-type all to view them:
[AC1-wlan-view]dis ap-type all
All AP types information:
------------------------------------------------------------------------------
ID    Type
------------------------------------------------------------------------------
17    AP6010SN-GN
19    AP6010DN-AGN
21    AP6310SN-GN
23    AP6510DN-AGN
25    AP6610DN-AGN
27    AP7110SN-GN
28    AP7110DN-AGN
29    AP5010SN-GN
30    AP5010DN-AGN
31    AP3010DN-AGN
33    AP6510DN-AGN-US
34    AP6610DN-AGN-US
35    AP5030DN
36    AP5130DN
38    AP2010DN
------------------------------------------------------------------------------
Total number: 15
e a
eL
For our practice, the AP type is 6010DN, the type ID is 19, and the MAC address of the AP for
group 1 is cccc-8110-2260, so the command should be:
[AC1-wlan-view]ap id 0 type-id 19 mac cccc-8110-2260
After we add the AP to the MAC address authentication list, the status of the AP changes
from fault to config and finally to normal. This takes several minutes; if the status does not
change to normal, please re-check your configuration.
[AC1]dis ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP   AP             AP               Profile   AP       AP
                                     /Region
ID   Type           MAC              ID        State    Sysname
------------------------------------------------------------------------------
0    AP6010DN-AGN   cccc-8110-2260   0/0       normal   ap-0
------------------------------------------------------------------------------
[AC1-wlan-view]radio-profile name radio2-prof-1
[AC1-wlan-radio-prof-radio2-prof-1]wmm-profile name wmm-prof-1
Run the display radio-profile all command to check the radio ID:
[AC1]display radio-profile all
----------------------------------------------------
ID Name
----------------------------------------------------
0 radio2-prof-1
1 radio5-prof-1
----------------------------------------------------
Total: 2
Binding the radio profile to the AP:
[AC1-wlan-view]ap 0 radio 0
[AC1-wlan-radio-0/0]radio-profile id 0
[AC1-wlan-view]ap 0 radio 1
[AC1-wlan-radio-0/1]radio-profile id 1
3.3.6 Configuring WLAN-ESS Interface
The WLAN-ESS interface cannot be configured in trunk mode:
[AC1]interface Wlan-Ess 0
[AC1-Wlan-Ess0]port hybrid pvid vlan 13
[AC1-Wlan-Ess0]port hybrid untagged vlan 13
3.3.7 Configuring Security Profile/Traffic Profile/WLAN Service-set
[AC1-wlan-view]traffic-profile id 0 name traffic-prof-1
[AC1-wlan-traffic-prof-traffic-prof-1]quit
[AC1-wlan-view]security-profile id 0 name security-prof-1
[AC1-wlan-sec-prof-security-prof-1]quit
[AC1-wlan-service-set-Huawei-guest1]security-profile id 0
[AC1-wlan-service-set-Huawei-guest1]traffic-profile id 0
[AC1-wlan-service-set-Huawei-guest1]forward-mode direct
[AC1-wlan-service-set-Huawei-guest1]undo user-isolate
[AC1-wlan-service-set-Huawei-guest1]quit
[AC1-wlan-radio-0/1]service-set id 0
[AC1-wlan-radio-0/1]quit
[AC1-wlan-view]commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N]Y
After the AP is committed, it emits the signal for service-set huawei-guestX. The authentication
mode is open system authentication. A wireless station, for example a PC or mobile phone,
will detect the signal, get an IP address in 192.168.X.0/24, and can ping the AC and the switch.
Take laptop for example to connect to the AP:
C:\Users\zWX>ping 100.100.100.100
Pinging 100.100.100.100 with 32 bytes of data:
Reply from 100.100.100.100: bytes=32 time=57ms TTL=255
Reply from 100.100.100.100: bytes=32 time=169ms TTL=255
Reply from 100.100.100.100: bytes=32 time=7ms TTL=255
Reply from 100.100.100.100: bytes=32 time=9ms TTL=255
Ping statistics for 100.100.100.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
3.3.9 Verify the Configuration
Checking the service-set:
Service-vlan : 13
DHCP snooping : disable
IPSG switch : disable
DHCP trust port : disable
DAI switch : disable
ARP attack threshold(pps) : 15
Protocol flag : all
Offline-management switch : disable
Sta access-mode : disable
Sta blacklist profile : -
Sta whitelist profile : -
Dhcp option82 Insert : Disable
Dhcp option82 Format : Insert Ap-mac
Broadcast suppression(pps) : -
Multicast suppression(pps) : -
Unicast suppression(pps) : -
Traffic-filter inbound acl : -
Traffic-filter outbound acl : -
Service mode status : enable
AutoOff service ess status : disable
AutoOff service starttime : 00:00:00
AutoOff service endtime : 00:00:00
----------------------------------------------------------------------------
Run the display ap all command to view the information of APs:
<AC1>dis ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
------------------------------------------------------------------------------
[AC1]dis ap-run-info id 0
AP 0 run information:
------------------------------------------------------------------------------
Software version: V200R003C00SPC200
Hardware version: Ver.C
BIOS version: 078
Domain: CN
CPU type: AR9344
Gateway ip: 0.0.0.0
DNS server: 10.254.1.100
Memory size: 128 MB
Flash size: 32 MB
Run time: 22606 S
Up ethernet port speed: 1000 Mbps
Up ethernet port speed mode: auto
Up ethernet port duplex: full
Up ethernet port duplex mode: auto
------------------------------------------------------------------------------
Using the display access-user command, you can view information about the sessions that
meet the specified conditions:
<AC1>display access-user
------------------------------------------------------------------------------
UserID Username IP address MAC
------------------------------------------------------------------------------
1171 74e50bd553b4 192.168.1.254 74e5-0bd5-53b4
1172 f83dffb5a4f2 192.168.1.248 f83d-ffb5-a4f2
------------------------------------------------------------------------------
Total 2,2 printed
<AC1>display station assoc-info ap 0
------------------------------------------------------------------------------
------------------------------------------------------------------------------
f83d-ffb5-a4f2 0 0 0 Huawei-guest1
74e5-0bd5-53b4 0 0 0 Huawei-guest1
------------------------------------------------------------------------------
Total stations: 2
The display station assoc-info command displays status of an STA, including the SSID of the
WLAN to which the STA connects, online duration, uplink signal noise ratio, and uplink
receiving power of the STA.
[AC1]dis station assoc-info sta 5c0a-5b36-4a71
------------------------------------------------------------------------------
ERP enabled : No
HT rates enabled : YES
Power save mode enabled : YES
Auth reference held : No
uAPSD enabled : No
uAPSD triggerable : No
uAPSD SP in progress : No
This is an ATH node : No
WDS workaround req : No
WDS link : No
Station's HT capability : AWP
Station ERP element(dBm) : 0
Station capabilities : E
Station's RSSI(dB) : 33
Station's Noise(dBm) : -113
Station's radio mode : 11n
Station's AP ID : 0
Station's Radio ID : 1
Station's Authentication Method : OPEN
Station's Cipher Type : NO CIPHER
Station's User Name : 5c0a5b364a71
Station's Vlan ID : 13
Station's Channel Band-width : 20MHz
Station's asso BSSID : cccc-8110-2270
Station's state : Asso with auth
Station's Qos Mode : NULL
Station's HT Mode : HT40
Station's MCS value : 7
3.4 Configuration Reference
3.4.1 Configuration of AC
#
sysname AC1
#
http server enable
http secure-server ssl-policy default_policy
http secure-server enable
#
vlan batch 10 to 13
#
dhcp enable
#
diffserv domain default
#
pki realm default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#
ip pool vlan10
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
excluded-ip-address 10.1.10.100
dns-list 10.254.1.100
option 43 sub-option 3 ascii 10.1.10.100
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin privilege level 15
local-user admin password cipher admin@huawei.com
local-user admin service-type telnet http
local-user huawei password cipher huawei123
local-user huawei privilege level 15
local-user huawei service-type telnet ssh
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
#
interface Vlanif13
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan 10 to 12
#
interface XGigabitEthernet0/0/1
#
interface XGigabitEthernet0/0/2
#
interface Wlan-Ess0
port hybrid pvid vlan 13
port hybrid untagged vlan 13
#
interface NULL0
#
stelnet server enable
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
user-interface con 0
authentication-mode password
set authentication password cipher huawei123
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
protocol inbound all
user-interface vty 16 20
#
wlan
wlan ac source interface vlanif10
ap id 0 type-id 19 mac cccc-8110-2260 sn 210235448310C9000012
wmm-profile name radio-prof-1 id 0
service-set name Huawei-guest1 id 0
wlan-ess 0
ssid Huawei-guest1
traffic-profile id 0
security-profile id 0
service-vlan 13
radio-profile name radio2-prof-1 id 0
wmm-profile id 0
radio-profile name radio5-prof-1 id 1
radio-type 80211an
wmm-profile id 0
ap 0 radio 0
radio-profile id 0
service-set id 0 wlan 1
ap 0 radio 1
radio-profile id 1
service-set id 0 wlan 1
#
return
HCNA-WLAN 4WLAN Security Configuration
4.1 Objectives
Upon completion of this task, you will be able to:
Configure WLAN security profile
Configure WEP authentication
Configure WPA/WPA2 PSK authentication
Configure WPA/WPA2 EAP authentication
Configure VAP
4.2 Networking Deployment Description
Figure 4-1 WLAN security configuration parameters description
Suppose the student belongs to group X (X=1, 2, 3 10)
Network Topology: Chain Networking + Layer 2 Networking
Security Profile:
  Security-prof-wepX ID:1 WEP password: guest
  Security-prof-wpaeapX ID:3 Account: huawei, password: huawei
Service-set:
  Huawei-guestX
    Security profile: Security-prof-wepX
  Huawei-voiceX
    SSID: Huawei-voiceX
    Service VLAN: vlan12
    Wlan-ess interface 1
  Huawei-employeeX
    SSID: Huawei-employeeX
    Service VLAN: vlan11
    Security profile: Security-prof-wpaeapX
    Wlan-ess interface 2
    User isolate: closed
4.3 Configuration Procedure
4.3.1 Configuring WEP Authentication
The AC6605 supports five access security policies: Wired Equivalent Privacy (WEP), Wi-Fi
Protected Access (WPA), WPA2, WPA-WPA2, and WLAN Authentication and Privacy
Infrastructure (WAPI).
[AC1-wlan-view]security-profile id 5 name test
[AC1-wlan-sec-prof-security-prof-1]security-policy ?
wapi WLAN authentication and privacy infrastructure
wep Wired equivalent privacy
wpa Wi-Fi protected access
wpa-wpa2 Wi-Fi protected access version 1&2
wpa2
The service-set Huawei-guestX used open system authentication. In this practice we change
the authentication type to WEP share-key and set the WEP key to WEP-40, password: guest.
Create security profile Security-prof-wep1, encrypt key: guest.
------------------------------------------------------------
ID Name
0 security-prof-1
1 Security-prof-wep1
------------------------------------------------------------
[AC1-wlan-view]dis service-set all
----------------------------------------------------------------------------
ID Name SSID
0 Huawei-guest1 Huawei-guest1
----------------------------------------------------------------------------
Total: 1
[AC1-wlan-view]service-set id 0
[AC1-wlan-service-set-Huawei-guest1]security-profile id 1
[AC1-wlan-service-set-Huawei-guest1]quit
[AC1-wlan-view]commit ap 0
Warning: Committing configuration may cause service interruption,continue?[Y/N]Y
Using the display security-profile command, you can view configurations of security
profiles.
[AC1]display security-profile id 1
------------------------------------------------------------
Profile name : Security-prof-wep1
Profile ID : 1
Authentication : Share key
Encryption : WEP-40
------------------------------------------------------------
Service-set ID SSID
0 Huawei-guest1
------------------------------------------------------------
Bridge-profile ID Bridge Name
------------------------------------------------------------
Run the display access-user ssid xxxx command to check the users with the specified SSID.
[AC1]display access-user ssid Huawei-guest1
------------------------------------------------------------------------------
UserID Username IP address MAC
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Total 1,1 printed
The display station assoc-info command displays status of an STA, including the SSID of the
WLAN to which the STA connects, online duration, uplink signal noise ratio, and uplink
receiving power of the STA.
The output below shows that the cipher type of STA 5c0a-5b36-4a71 is WEP-40:
[AC1-wlan-view]dis station assoc-info sta 5c0a-5b36-4a71
------------------------------------------------------------------------------
Station mac-address : 5c0a-5b36-4a71
Station ip-address : 0.0.0.0
Station gateway : 0.0.0.0
HT rates enabled : No
Power save mode enabled : YES
Auth reference held : No
uAPSD enabled : No
uAPSD triggerable : No
uAPSD SP in progress : No
This is an ATH node : No
WDS workaround req : No
WDS link : No
Station's HT capability : Q
Station ERP element(dBm) : 0
Station capabilities : EP
Station's RSSI(dB) : 36
Station's Noise(dBm) : -113
Station's radio mode : 11a
Station's AP ID : 0
Station's Radio ID : 1
Station's Authentication Method : SHARE-KEY
Station's Cipher Type : WEP-40
Station's User Name : 5c0a5b364a71
Station's Vlan ID : 13
Station's Channel Band-width : 20MHz
Station's asso BSSID : cccc-8110-2270
Station's state : Asso with auth
Station's Qos Mode : NULL
Station's HT Mode : -
Station's MCS value : 0
Station's Short GI : nonsupport
------------------------------------------------------------------------------
4.3.2 Configuring WPA PSK Authentication
Configure the authentication type for service-set Huawei-voiceX to WPA1-PSK. The Huawei AC
supports the following WPA configuration options:
Configure the WLAN-ESS interface to be used by service-set Huawei-voiceX:
[AC1]interface Wlan-Ess 1
[AC1-Wlan-Ess1]port hybrid pvid vlan 12
[AC1-Wlan-Ess1]port hybrid untagged vlan 12
[AC1-Wlan-Ess1]quit
Create service-set Huawei-voiceX, set the parameters, and bind the profiles:
[AC1]wlan
[AC1-wlan-view]service-set id 1 name Huawei-voice1
[AC1-wlan-service-set-Huawei-voice1]ssid Huawei-voice1
[AC1-wlan-service-set-Huawei-voice1]service-vlan 12
[AC1-wlan-service-set-Huawei-voice1]wlan-ess 1
[AC1-wlan-service-set-Huawei-voice1]security-profile id 2
[AC1-wlan-service-set-Huawei-voice1]traffic-profile id 0
[AC1-wlan-service-set-Huawei-voice1]forward-mode direct-forward
[AC1-wlan-service-set-Huawei-voice1]undo user-isolate
[AC1-wlan-service-set-Huawei-voice1]quit
Using the batch command, you can create multiple virtual access points (VAPs) at a time.
[AC1-wlan-view]batch ap 0 to 0 radio 0 to 1 service-set 1
Info: Command is being executed, please wait.
Success: 2
Failure: 0
Using the commit command, you can commit configurations of one or all access points (APs).
[AC1-wlan-view]commit all
Warning: Committing configuration may cause service interruption,continue?[Y/N]Y
The WPA-PSK configuration is now finished, and we can test the connection:
C:\Users\zWX>ipconfig
Wireless LAN adapter Wireless Network Connection:
Link-local IPv6 Address . . . . . : fe80::2c32:9714:1276:b45b%14
IPv4 Address. . . . . . . . . . . : 10.1.12.253
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.12.1
C:\Users\zWX>ping 100.100.100.100
Pinging 100.100.100.100 with 32 bytes of data:
Reply from 100.100.100.100: bytes=32 time=36ms TTL=255
Reply from 100.100.100.100: bytes=32 time=6ms TTL=255
Reply from 100.100.100.100: bytes=32 time=7ms TTL=255
Reply from 100.100.100.100: bytes=32 time=6ms TTL=255
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Minimum = 6ms, Maximum = 36ms, Average = 13ms
Run the display station assoc-info sta command to check the STA status:
authentication server.
The authentication server for this practice has the IP address 10.254.1.100 and the password
huawei. The authentication server is ready, with test account: huawei, password: huawei.
Configure radius service in the AC:
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.254.1.100 1812
[AC-radius-radius_huawei] radius-server shared-key cipher huawei
[AC1-radius-radius_huawei]undo radius-server user-name domain-included
[AC-radius-radius_huawei] quit
Configure AAA:
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius local
[AC-aaa-authen-radius_huawei] quit
[AC1-aaa]domain default
[AC1-aaa-domain-default]authentication-scheme radius_huawei
[AC1-aaa-domain-default]radius-server radius_huawei
If the account test fails, ignore it for now and continue with the configuration.
Configure security profile Security-prof-wpaeap1, encryption mode CCMP, authentication
mode Dot1x PEAP:
[AC1-Wlan-Ess2]port hybrid untagged vlan 11
[AC1-Wlan-Ess2]dot1x enable
[AC1-Wlan-Ess2]dot1x authentication-method eap
[AC1-Wlan-Ess2]quit
Create service-set Huawei-employeeX, set the parameters, and bind the profiles.
[AC1-wlan-view]service-set id 2 name Huawei-employee1
[AC1-wlan-service-set-Huawei-employee1]ssid Huawei-employee1
[AC1-wlan-service-set-Huawei-employee1]service-vlan 11
[AC1-wlan-service-set-Huawei-employee1]wlan-ess 2
[AC1-wlan-service-set-Huawei-employee1]security-profile id 3
[AC1-wlan-service-set-Huawei-employee1]traffic-profile id 0
[AC1-wlan-service-set-Huawei-employee1]forward-mode direct-forward
[AC1-wlan-service-set-Huawei-employee1]tunnel-forward protocol dot1x
[AC1-wlan-service-set-Huawei-employee1]undo user-isolate
[AC1-wlan-service-set-Huawei-employee1]quit
Using the batch command, you can create multiple virtual access points (VAPs) at a time.
[AC1-wlan-view]batch ap 0 to 0 radio 0 to 1 service-set 2
Info: Command is being executed, please wait.
Success: 2
Failure: 0
Using the commit command, you can commit configurations of one or all access points (APs).
[AC1-wlan-view]commit all
Warning: Committing configuration may cause service interruption,continue?[Y/N]Y
Right now, the WPA-PSK configuration has been finished, run command display
[AC1]display current-configuration interface Wlan-Ess 2
#
interface Wlan-Ess2
port hybrid pvid vlan 11
Service-set ID SSID
1 Huawei-voice1
------------------------------------------------------------
Bridge-profile ID Bridge Name
------------------------------------------------------------
Mesh-profile ID Mesh Id
------------------------------------------------------------
0 Huawei-guest1 Huawei-guest1
1 Huawei-voice1 Huawei-voice1
2 Huawei-employee1 Huawei-employee1
----------------------------------------------------------------------------
[AC1]display access-user
1593 huawei 10.1.11.254 5c0a-5b36-4a71
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Total 1,1 printed
6. Then click change connection settings, and change the setting.
7. Then the authentication window will pop up; enter account: huawei and password:
huawei.
8. The user is then authenticated successfully and obtains an IP address.
9. The PC now has an IP address and can ping the switch:
C:\Users\zWX> ipconfig
C:\Users\mWX64837>ping 100.100.100.100
Reply from 100.100.100.100: bytes=32 time=177ms TTL=255
Ping statistics for 100.100.100.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 10ms, Maximum = 177ms, Average = 59ms
4.4 Security Policies Configuration Precautions
The following lists precautions for configuring security policies:
If the security policy uses 802.1x authentication, run the dot1x enable and dot1x
authentication-method { chap | pap | eap } commands to enable 802.1x authentication
on the WLAN-ESS interface and set the 802.1x authentication method for WLAN users.
If the security policy uses MAC address authentication, run the mac-authentication
enable command in the WLAN-ESS interface view to set the authentication method on
the WLAN-ESS interface to MAC address authentication.
If the security policy uses Portal authentication, run the web-authentication enable
command in the WLAN-ESS interface view to set the authentication method on the
WLAN-ESS interface to Portal authentication.
When 802.1x authentication and direct forwarding are used on a network, use either of the
following methods to configure the switch between an AC and AP to transparently
transmit Layer 2 protocol packets.
If a chassis switch is deployed between the AC and AP, run the bpdu bridge enable
command in the interface view.
l2protocol-tunnel user-defined-protocol protocol-name protocol-mac
protocol-mac group-mac group-mac command in the system view. Then run the
l2protocol-tunnel user-defined-protocol protocol-name enable and bpdu enable
commands in the interface view.
In a Layer 3 networking where traffic is directly forwarded and 802.1x authentication is
configured, traffic cannot be forwarded at Layer 3 because EAP packets used in 802.1x
authentication are Layer 3 packets. Run the tunnel-forward protocol dot1x command
to forward EAP packets over tunnels; the AP then forwards EAP packets over tunnels to the
AC, implementing authentication packet exchange with the AC.
Pay attention to the following points when configuring direct forwarding and tunnel
forwarding mode:
When tunnel forwarding is used and the AC allocates IP addresses to users, run the
dhcp enable command in the WLAN-ESS interface view to enable DHCP on the
WLAN-ESS interface.
When tunnel forwarding is used, run the port hybrid pvid vlan vlan-id command
in the WLAN-ESS interface view to configure the PVID.
When tunnel forwarding is used, the switch interface that directly connects to the
AP cannot be added to the service VLAN, which prevents MAC address flapping.
When direct forwarding is used, add the switch interface that directly connects to
the AP to the service VLAN.
4.5 Configuration Reference
4.5.1 ACs configuration
#
sysname AC1
#
snmp-agent local-engineid 800007DB03FC48EFC76DB7
undo snmp-agent community complexity-check disable
snmp-agent
#
http server enable
http secure-server ssl-policy default_policy
http secure-server enable
#
vlan batch 10 to 13
#
dot1x enable
#
dhcp enable
#
diffserv domain default
#
radius-server template radius_huawei
radius-server authentication 10.254.1.100 1812 weight 80
#
pki realm default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#
ip pool vlan10
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
excluded-ip-address 10.1.10.100
dns-list 10.254.1.100
option 43 sub-option 3 ascii 10.1.10.100
#
aaa
authentication-scheme default
authentication-scheme radius_huawei
authentication-mode radius local
authorization-scheme default
accounting-scheme default
domain default
authentication-scheme radius_huawei
radius-server radius_huawei
domain default_admin
local-user admin password cipher admin@huawei.com
local-user admin privilege level 15
local-user admin service-type telnet http
local-user huawei password cipher huawei123
local-user huawei privilege level 15
local-user huawei service-type telnet ssh
#
interface Vlanif10
ip address 10.1.10.100 255.255.255.0
dhcp select global
#
interface Vlanif11
ip address 10.1.11.100 255.255.255.0
#
interface Vlanif12
ip address 10.1.12.100 255.255.255.0
#
interface Vlanif13
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 8.8.8.8
#
interface MEth0/0/1
ip address 192.168.100.200 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan 10 to 12
#
interface XGigabitEthernet0/0/1
#
interface XGigabitEthernet0/0/2
#
interface Wlan-Ess0
port hybrid pvid vlan 13
port hybrid untagged vlan 13
#
interface Wlan-Ess1
port hybrid pvid vlan 12
port hybrid untagged vlan 12
#
interface Wlan-Ess2
port hybrid pvid vlan 11
port hybrid untagged vlan 11
dot1x enable
dot1x authentication-method eap
#
interface NULL0
#
stelnet server enable
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1
#
user-interface con 0
authentication-mode password
set authentication password cipher huawei123
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
protocol inbound all
user-interface vty 16 20
#
wlan
wlan ac source interface vlanif10
ap id 0 type-id 19 mac cccc-8110-2260 sn 210235448310C9000012
wmm-profile name radio-prof-1 id 0
traffic-profile name traffic-prof-1 id 0
security-profile name security-prof-1 id 0
security-profile name Security-prof-wep1 id 1
wep authentication-method share-key
wep key wep-40 pass-phrase 0 cipher guest
security-profile name Security-prof-wpapsk1 id 2
security-policy wpa
security-policy wpa2
service-set name Huawei-guest1 id 0
wlan-ess 0
ssid Huawei-guest1
traffic-profile id 0
security-profile id 1
service-vlan 13
service-set name Huawei-voice1 id 1
wlan-ess 1
ssid Huawei-voice1
traffic-profile id 0
security-profile id 2
service-vlan 12
ap 0 radio 0
radio-profile id 0
service-set id 0 wlan 1
service-set id 1 wlan 2
service-set id 2 wlan 3
ap 0 radio 1
radio-profile id 1
service-set id 0 wlan 1
service-set id 1 wlan 2
service-set id 2 wlan 3
#
return
5.1 Objectives
Upon completion of this task, you will be able to:
Configure SNMP in AC
Understand how eSight discovers the AC
Configure WLAN with eSight wizard
Check the WLAN status by eSight
5.2 Networking Deployment Description
Figure 5-1 eSight network deployment
eSight Server IP: 10.254.1.100
eSight Server password: User name: huawei Password: Abcd@1234
SNMP read only community: huaweiRO
SNMP read and write community: huaweiRW
Configure service-set by wizard: huawei-esithtX, PSK password: Huaweipsk
5.3 Configuration Procedure
5.3.1 Configuring AC SNMP Community
[AC1]snmp-agent community read huaweiRO
[AC1]snmp-agent community write huaweiRW
[AC1]snmp-agent sys-info version v2c
HCNA-WLAN 5eSight Management for WLAN (Optional)
After logging in to eSight, select the pull-down menu Resource and click Add Device,
using the parameters below:
IP Address 10.1.X0.100
Name ACX
Click OK when you have finished; if Success is displayed, the configuration succeeded.
5.3.3 Configuring Service-set by eSight Wizard
Select Business and click WLAN Management; as shown in the figure below, select
Configuration Wizard:
1. Selecting AC
First finish the ssh client first-time enable configuration on the AC, then click synchronize to
synchronize all information about the AC:
[AC1]ssh client first-time enable
Click the icon to select the AC that needs to be configured, and click Next
2. Configuring the attributes of AC
The attributes of the AC were configured in the previous practices, so there is no need to
configure them; click Next:
3. Selecting AP
Click Add AP, select the AP you want to configure, then click OK:
If the AP is online, click Next:
4. Configuring the profiles
Then Bind ESS profile:
Click Create to create an ESS service-set, configure it as below (the WPA password is
Huaweipsk), and click OK:
Configure the parameters as below, and click Next:
5. Apply to AP
Click Deploy:
5.3.4 Checking the Configuration by eSight
1. Click Overview to view information about all WLAN devices:
2. Click Resource Management and click SSID to check the service-set and VAP:
3. Click Local topology to view the topology:
4. Click Resource Management and select Client to view the connected user
information; click to see the details of the STA:
5.4 Configuration Reference
snmp-agent
snmp-agent community read huaweiRO
snmp-agent community write huaweiRW
snmp-agent sys-info version v2c v3
ssh client first-time enable
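The configuration references in 4.5.1 and 5.4 leave several weak settings in place: a WEP profile bound to the guest SSID, Telnet and HTTP management, and SNMP v2c with a write community. The Python checker below is an added example, not part of the Huawei guide; it flags those lines in a VRP configuration dump. The sample input is a constructed excerpt built from lines shown in this guide, and the severity labels are this example's own assumptions.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity where issue")
CLEARTEXT_SERVICES = {"telnet", "http", "ftp"}
PROFILE_BODY = ("wep ", "wpa", "wapi ", "security-policy ")

# Constructed excerpt assembled from lines in sections 4.5.1 and 5.4 of the guide.
SAMPLE_CONFIG = """\
http server enable
#
snmp-agent community write huaweiRW
snmp-agent sys-info version v2c v3
#
aaa
 local-user admin service-type telnet http
 local-user huawei service-type telnet ssh
#
user-interface vty 0 4
 protocol inbound all
#
wlan
 security-profile name security-prof-1 id 0
 security-profile name Security-prof-wep1 id 1
  wep authentication-method share-key
  wep key wep-40 pass-phrase 0 cipher guest
 security-profile name Security-prof-wpapsk1 id 2
  security-policy wpa
 security-profile name Security-prof-wpaeap1 id 3
  security-policy wpa2
 service-set name Huawei-guest1 id 0
  security-profile id 1
 service-set name Huawei-voice1 id 1
  security-profile id 2
 service-set name Huawei-employee1 id 2
  security-profile id 3
"""


def classify_profile(body):
    """Return (severity, reason) for a security-profile body, or None if acceptable."""
    policy = next((l.split()[1] for l in body if l.startswith("security-policy ")), None)
    if policy == "wep" or any(l.startswith("wep ") for l in body):
        return "high", "WEP"
    if policy is None:
        return "high", "no security policy set (open system, no cipher)"
    if policy in ("wpa", "wpa-wpa2"):
        return "medium", "policy '%s' allows WPA1 associations" % policy
    return None  # wpa2 passes; wapi is not assessed by this example


def audit(config_text):
    """Scan VRP configuration text and return a list of Finding tuples."""
    findings, profiles, bindings = [], {}, []
    cur_profile = cur_set = cur_vty = None
    snmp_versions, write_community = set(), False
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line in ("", "#"):
            cur_profile = cur_set = cur_vty = None
        elif m := re.fullmatch(r"security-profile name (\S+) id (\d+)", line):
            cur_profile, cur_set = int(m[2]), None
            profiles[cur_profile] = (m[1], [])
        elif cur_profile is not None and line.startswith(PROFILE_BODY):
            profiles[cur_profile][1].append(line)
        elif m := re.fullmatch(r"service-set name (\S+) id (\d+)", line):
            cur_profile, cur_set = None, m[1]
        elif (m := re.fullmatch(r"security-profile id (\d+)", line)) and cur_set:
            bindings.append((cur_set, int(m[1])))
        elif m := re.fullmatch(r"local-user (\S+) service-type (.+)", line):
            weak = sorted(CLEARTEXT_SERVICES & set(m[2].split()))
            if weak:
                findings.append(Finding("high", "local-user " + m[1],
                                        "cleartext management service: " + ", ".join(weak)))
        elif line.startswith("user-interface "):
            cur_vty = line if line.startswith("user-interface vty") else None
        elif cur_vty and line in ("protocol inbound all", "protocol inbound telnet"):
            findings.append(Finding("high", cur_vty, "Telnet accepted on VTY lines"))
        elif line == "http server enable":
            findings.append(Finding("medium", "system", "plain-HTTP management enabled"))
        elif m := re.fullmatch(r"snmp-agent sys-info version (.+)", line):
            snmp_versions |= set(m[1].split())
        elif line.startswith("snmp-agent community write "):
            write_community = True
        else:
            cur_profile = None  # any other command ends a security-profile body
    for ssid, pid in bindings:  # report a profile only where an SSID uses it
        if pid in profiles and (verdict := classify_profile(profiles[pid][1])):
            findings.append(Finding(verdict[0], "ssid " + ssid, "profile %s (id %d): %s"
                                    % (profiles[pid][0], pid, verdict[1])))
    weak_snmp = sorted(snmp_versions & {"v1", "v2c"})
    if weak_snmp:
        findings.append(Finding("high" if write_community else "medium", "snmp-agent",
                                "SNMP %s uses cleartext community strings" % "/".join(weak_snmp)))
    return findings


if __name__ == "__main__":
    print("\n".join("%-6s %-24s %s" % f for f in audit(SAMPLE_CONFIG)))
```

An open profile is reported only when a service-set binds it, which is why security-prof-1 (id 0) produces no finding in the sample.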
6.1 Objectives
Upon completion of this task, you will be able to:
Understand the branched networking structure
Configure branched networking device
Configure tunnel forwarding
Verify the configuration
6.2 Networking Deployment Description
Figure 6-1 Branched networking topology
[Figure 6-1 labels: Radius Server 10.254.1.100, eSight Server 10.254.1.200, Core Switch, AC1, AC2, AC10, AP1, AP2, AP10; ports GE0/0/1, GE0/0/2, GE0/0/10, GE0/0/11, GE0/0/12, GE0/0/20, GE0/0/23, GE0/0/24]
HCNA-WLAN 6Branched Networking + Layer 3 Networking Practice
.c o
e i
6.3 Configuration Procedure
6.3.1 Re-connecting AP to Switch
Connect APX to interface 1X on the switch; the switch configuration is already in place.
<CoreSW3700>dis current-configuration interface Ethernet 0/0/11
#
interface Ethernet0/0/11
port link-type access
port default vlan 10
stp edged-port enable
#
[AC1]interface GigabitEthernet 0/0/24
[AC1-GigabitEthernet0/0/24]port trunk allow-pass vlan 801
[AC1-GigabitEthernet0/0/24]quit
[AC1]interface Vlanif 801
[AC1-Vlanif801]ip address 10.1.201.100 24
[AC1-Vlanif801]quit
Change the next hop of the default route:
[AC1-ip-pool-vlan10]dis this
#
ip pool vlan10
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
excluded-ip-address 10.1.10.100
dns-list 10.254.1.100
option 43 sub-option 3 ascii 10.1.10.100
#
return
[AC1-ip-pool-vlan10]undo option 43
[AC1-ip-pool-vlan10]option 43 sub-option 3 ascii 10.1.201.100
[AC1-ip-pool-vlan10]quit
[AC1]wlan
[AC1-wlan-view]undo wlan ac source interface
[AC1-wlan-view]wlan ac source interface Vlanif 801
6.3.4 Changing the Forwarding Mode to Tunnel Forwarding
[AC1]wlan
[AC1-wlan-view]service-set id 0
[AC1-wlan-service-set-Huawei-guest1]forward-mode tunnel
[AC1-wlan-service-set-Huawei-guest1]quit
[AC1-wlan-view]service-set id 1
[AC1-wlan-service-set-Huawei-voice1]forward-mode tunnel
[AC1-wlan-service-set-Huawei-voice1]quit
[AC1-wlan-view]service-set id 2
[AC1-wlan-service-set-Huawei-employee1]forward-mode tunnel
[AC1-wlan-service-set-Huawei-employee1]quit
[AC1-wlan-view]commit all
Warning: Committing configuration may cause service interruption,continue?[Y/N]Y
The configuration is now complete. Wait for the AP status to change to normal:
[AC1]dis ap all
All AP information(Normal-1,UnNormal-0):
------------------------------------------------------------------------------
AP    AP      AP               Profile   AP      AP
                               /Region
ID    Type    MAC              ID        State   Sysname
------------------------------------------------------------------------------
74e5-0bd5-53b4 0 0 2 Huawei-employee1
5c0a-5b36-4a71 0 0 0 huawei-guest1
-----------------------------------------------------------------------------
[AC1]dis service-set id 2
----------------------------------------------------------------------------
Service-set ID               : 2
Service-Set name             : Huawei-employee1
SSID                         : Huawei-employee1
Hide SSID                    : disable
User isolate                 : disable
Type                         : service
Maximum number of user       : 32
Association timeout(min)     : 5
Traffic profile name         : traffic-prof-1
Security profile name        : Security-prof-wpaeap1
User profile name            : -
Wlan-ess interface           : Wlan-ess2
Igmp mode                    : off
Forward mode                 : tunnel
Service-vlan                 : 11
DHCP snooping                : disable
IPSG switch                  : disable
DHCP trust port              : disable
DAI switch                   : disable
ARP attack threshold(pps)    : 15
Protocol flag                : all
Offline-management switch    : disable
Sta access-mode              : disable
Broadcast suppression(pps)   : -
Multicast suppression(pps)   : -
Unicast suppression(pps)     : -
Traffic-filter inbound acl   : -
Traffic-filter outbound acl  : -
Service mode status          : enable
AutoOff service ess status   : disable
AutoOff service starttime    : 00:00:00
AutoOff service endtime      : 00:00:00
-----------------------------------------------------------------------------
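The address change made with "option 43 sub-option 3 ascii 10.1.201.100" is what an AP receives in its DHCP offer. The following is an added example, not part of the original guide: it encodes that value as a type/length/value sub-option and checks a captured payload against the expected AC address. The function names and the comma separator for several addresses are assumptions of this example.

```python
import ipaddress

AC_SUBOPTION = 3  # sub-option number from "option 43 sub-option 3 ascii ..."


def encode_ac_option43(ac_ips):
    """Encode AC addresses as one TLV: type, length, ASCII text.

    Joining several addresses with commas is an assumption of this example.
    """
    text = ",".join(str(ipaddress.IPv4Address(ip)) for ip in ac_ips)
    value = text.encode("ascii")
    if not 0 < len(value) <= 255:
        raise ValueError("sub-option value must be 1..255 bytes")
    return bytes([AC_SUBOPTION, len(value)]) + value


def decode_option43(payload):
    """Split an option 43 payload into {sub-option: value}; reject truncated TLVs."""
    subopts, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[pos], payload[pos + 1]
        value = payload[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d is truncated" % code)
        subopts[code] = value
        pos += 2 + length
    return subopts


def advertised_acs(payload):
    """Return the AC addresses an AP would learn from this payload."""
    raw = decode_option43(payload).get(AC_SUBOPTION, b"").decode("ascii")
    return [ipaddress.IPv4Address(p.strip()) for p in raw.split(",") if p.strip()]


def unexpected_acs(payload, allowed):
    """List advertised ACs outside the allowed set (for example a stale or rogue DHCP offer)."""
    allowed = {ipaddress.IPv4Address(a) for a in allowed}
    return [ip for ip in advertised_acs(payload) if ip not in allowed]


if __name__ == "__main__":
    # Constructed payloads using the two addresses from the lab.
    print(encode_ac_option43(["10.1.201.100"]).hex())
    print(unexpected_acs(encode_ac_option43(["10.1.10.100"]), ["10.1.201.100"]))
```

An offer that still carries the old value 10.1.10.100 shows up in unexpected_acs once 10.1.201.100 is the only allowed AC source address.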
snmp-agent sys-info version v2c v3
snmp-agent
#
http server enable
http secure-server ssl-policy default_policy
http secure-server enable
#
vlan batch 10 to 13 801
#
dot1x enable
#
dhcp enable
#
diffserv domain default
#
radius-server template radius_huawei
radius-server authentication 10.254.1.100 1812 weight 80
undo radius-server user-name domain-included
#
pki realm default
enrollment self-signed
#
ssl policy default_policy type server
pki-realm default
#
ip pool vlan10
gateway-list 10.1.10.1
network 10.1.10.0 mask 255.255.255.0
dns-list 10.254.1.100
option 43 sub-option 3 ascii 10.1.201.100
#
aaa
authentication-scheme default
authentication-scheme radius_huawei
authentication-mode radius local
authorization-scheme default
accounting-scheme default
domain default
authentication-scheme radius_huawei
radius-server radius_huawei
domain default_admin
local-user admin password cipher admin@huawei.com
local-user admin privilege level 15
local-user admin service-type telnet http
local-user huawei password cipher huawei123
local-user huawei privilege level 15
#
interface Vlanif13
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 8.8.8.8
#
interface Vlanif801
ip address 10.1.201.100 255.255.255.0
#
interface MEth0/0/1
ip address 192.168.100.200 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 to 13
#
interface GigabitEthernet0/0/2
#
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan 10 to 12 801
#
interface XGigabitEthernet0/0/1
#
interface XGigabitEthernet0/0/2
#
interface Wlan-Ess0
port hybrid pvid vlan 13
port hybrid untagged vlan 13
#
interface Wlan-Ess1
port hybrid pvid vlan 12
port hybrid untagged vlan 12
#
interface Wlan-Ess2
port hybrid pvid vlan 11
port hybrid untagged vlan 11
dot1x enable
dot1x authentication-method eap
#
interface NULL0
#
stelnet server enable
#
ip route-static 0.0.0.0 0.0.0.0 10.1.201.1
#
user-interface con 0
authentication-mode password
set authentication password cipher huawei123
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
protocol inbound all
user-interface vty 16 20
#
wlan
wlan ac source interface vlanif801
ap id 0 type-id 19 mac cccc-8110-2260 sn 210235448310C9000012
wmm-profile name radio-prof-1 id 0
traffic-profile name traffic-prof-1 id 0
security-profile name security-prof-1 id 0
security-profile name Security-prof-wep1 id 1
wep authentication-method share-key
wep key wep-40 pass-phrase 0 cipher guest
security-profile name Security-prof-wpapsk1 id 2
security-policy wpa
wpa authentication-method psk pass-phrase cipher Huaweipsk encryption-method tkip
security-profile name Security-prof-wpaeap1 id 3
security-policy wpa2
service-set name Huawei-guest1 id 0
forward-mode tunnel
wlan-ess 0
ssid Huawei-guest1
traffic-profile id 0
security-profile id 1
service-vlan 13
service-set name Huawei-voice1 id 1
forward-mode tunnel
wlan-ess 1
ssid Huawei-voice1
traffic-profile id 0
security-profile id 2
service-vlan 12
service-set name Huawei-employee1 id 2
forward-mode tunnel
wlan-ess 2
ssid Huawei-employee1
traffic-profile id 0
security-profile id 3
service-vlan 11
radio-profile name radio2-prof-1 id 0
wmm-profile id 0
radio-profile name radio5-prof-1 id 1
radio-type 80211an
wmm-profile id 0
ap 0 radio 0
radio-profile id 0
service-set id 0 wlan 1
service-set id 1 wlan 2
service-set id 2 wlan 3
ap 0 radio 1
radio-profile id 1
service-set id 0 wlan 1
service-set id 1 wlan 2
service-set id 2 wlan 3
#
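The AC configuration listed above is a lab setup and keeps several cleartext management protocols and legacy WLAN security profiles. The following is an added example, not part of the original guide: it scans a configuration in this format for those lines and resolves which SSIDs are bound to a WEP or WPA/TKIP security profile. The rule names and the audit function are hypothetical, and the sample is built from lines of the listing.

```python
import re

# Constructed sample: lines copied from the lab's AC configuration listing.
SAMPLE = """\
snmp-agent sys-info version v2c v3
http server enable
aaa
local-user admin service-type telnet http
user-interface vty 0 4
protocol inbound all
wlan
security-profile name Security-prof-wep1 id 1
wep authentication-method share-key
security-profile name Security-prof-wpapsk1 id 2
security-policy wpa
wpa authentication-method psk pass-phrase cipher Huaweipsk encryption-method tkip
security-profile name Security-prof-wpaeap1 id 3
security-policy wpa2
service-set name Huawei-guest1 id 0
ssid Huawei-guest1
security-profile id 1
service-set name Huawei-voice1 id 1
ssid Huawei-voice1
security-profile id 2
service-set name Huawei-employee1 id 2
ssid Huawei-employee1
security-profile id 3
"""

# Management-plane lines that enable cleartext protocols (hypothetical rule names).
LINE_RULES = [
    ("snmp-v2c", re.compile(r"^snmp-agent sys-info version\b.*\bv2c\b")),
    ("http-cleartext", re.compile(r"^http server enable$")),
    ("telnet-user", re.compile(r"^local-user \S+ service-type\b.*\btelnet\b")),
    ("vty-all-protocols", re.compile(r"^protocol inbound all$")),
    ("ftp-server", re.compile(r"^ftp server enable$")),
]


def audit(config):
    """Return (findings, weak_ssids): flagged lines and SSIDs bound to weak profiles."""
    findings, weak, ssids = [], {}, {}
    profile = ssid = None  # current security-profile id / current service-set SSID
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        findings += [(n, rule, line) for rule, rx in LINE_RULES if rx.search(line)]
        m = re.match(r"security-profile name (\S+) id (\d+)$", line)
        if m:
            profile, ssid = m.group(2), None
        elif line.startswith("service-set name "):
            profile = ssid = None
        elif line.startswith("ssid "):
            ssid = line.split(None, 1)[1]
        elif profile and line.startswith("wep "):
            weak[profile] = "WEP"
        elif profile and re.search(r"\bencryption-method tkip\b", line):
            weak[profile] = "WPA/TKIP"
        else:
            ref = re.match(r"security-profile id (\d+)$", line)
            if ssid and ref:
                ssids[ssid] = ref.group(1)
    weak_ssids = {s: weak[p] for s, p in ssids.items() if p in weak}
    return findings, weak_ssids
```

Calling audit(SAMPLE) reports the SNMP v2c, HTTP, Telnet and VTY lines and maps Huawei-guest1 to WEP and Huawei-voice1 to WPA/TKIP, while Huawei-employee1 (WPA2) is not flagged.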
HCNA-WLAN 7 Backup the Configuration and Reset the Device
7.1 Objectives
Upon completion of this task, you will be able to:
Save the configuration of the AC
Configure the FTP service on the AC
Back up the configuration of the AC
Reset the configuration of the AC
7.2 Network Deployment Description
Item                                 Parameter
IP of management interface           192.168.100.200
File name of backup configuration    acvrpcfg.zip
FTP account                          Account: ftp  Password: huawei123
FTP path                             Flash:/
7.3 Configuration Procedure
7.3.1 Save the Configuration
Use the save command to save the current configuration to the storage device.
<AC1>save acvrpcfg.zip
Are you sure to save the configuration to flash:/acvrpcfg.zip?[Y/N]:Y
Info: Save the configuration successfully.
Using the dir command, you can view information about the files and directories on the
storage device.
<AC1>dir
Directory of flash:/
   10  -rw-           1,314  Oct 29 2013 07:52:55   private-data.txt
   11  -rw-             633  Oct 29 2013 05:02:21   daemon.log
   12  -rw-             146  Oct 21 2013 10:02:34   portal_page.txt
   13  -rw-           1,970  Oct 29 2013 08:31:09   acvrpcfg.zip
   14  -rw-      45,075,085  Sep 18 2013 17:58:36   AC6605V200R003C00SPC200.cc
   15  -rw-           1,260  Sep 18 2013 15:26:50   rsa_host_key.efs
   16  -rw-         259,755  Oct 29 2013 05:03:15   mon_file.txt
206,324 KB total (144,204 KB free)
7.3.2 Configuring FTP Service on AC
[AC1]ftp server enable
[AC1]aaa
[AC1-aaa]local-user ftp password cipher huawei123 directory flash:/
[AC1-aaa]local-user ftp service-type ftp
[AC1-aaa]local-user ftp privilege level 15
D:\>ftp 192.168.100.200
connect 192.168.100.200
220 FTP service ready.
User(192.168.100.200:(none)): ftp
331 Password required for ftp.
password:ftp001
200 Port command okay.
150 Opening ASCII mode data connection for acvrpcfg.zip.
226 Transfer complete.
ftp: 1373 bytes received in 0.00Seconds 1373000.00Kbytes/sec.
ftp>
The configuration file is now backed up on the PC. Find the file in D:/ and open it with Notepad or WordPad:
7.3.4 Reset the Configuration
After you finish the practice, the steps below reset the configuration of the device:
<AC>reset saved-configuration
The configuration will be erased to reconfigure. Continue? [Y/N]:Y
<AC>reboot
<AC>Otherwise, unsaved configuration will be lost. Continue?[Y/N]:Y
<AC>Warning: All the configuration will be saved to the configuration file for the next startup:, Continue?[Y/N]:N
<AC>System will reboot! Continue?[Y/N]:Y
7.4 Configuration Reference
7.4.1 Configuration of AC
ftp server enable
aaa
local-user ftp ftp-directory flash:/
local-user ftp service-type ftp
local-user ftp privilege level 15
You have now finished all the practices in this exercise guide. Congratulations!
HCNA-WLAN 8 Appendix: Configuration of the SW
<CoreSW3700>dis current-configuration
#
!Software Version V100R005C01SPC100
sysname CoreSW3700
#
vlan batch 10 to 12 20 to 22 30 to 32 40 to 42 50 to 52 60 to 62 70 to 72 80 to 82 90 to 92 100 to 102
vlan batch 800 to 810 900
#
dhcp enable
#
undo http server enable
#
drop illegal-mac alarm
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif10
ip address 10.1.10.1 255.255.255.0
#
interface Vlanif11
ip address 10.1.11.1 255.255.255.0
#
interface Vlanif12
ip address 10.1.12.1 255.255.255.0
dhcp select interface
#
interface Vlanif20
ip address 10.1.20.1 255.255.255.0
#
interface Vlanif21
ip address 10.1.21.1 255.255.255.0
dhcp select interface
#
interface Vlanif22
ip address 10.1.22.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 10.1.30.1 255.255.255.0
#
interface Vlanif31
ip address 10.1.31.1 255.255.255.0
dhcp select interface
#
interface Vlanif32
ip address 10.1.32.1 255.255.255.0
dhcp select interface
#
interface Vlanif40
ip address 10.1.40.1 255.255.255.0
#
interface Vlanif41
ip address 10.1.41.1 255.255.255.0
dhcp select interface
#
interface Vlanif42
ip address 10.1.42.1 255.255.255.0
dhcp select interface
#
interface Vlanif50
ip address 10.1.50.1 255.255.255.0
#
interface Vlanif51
ip address 10.1.51.1 255.255.255.0
dhcp select interface
#
interface Vlanif52
ip address 10.1.52.1 255.255.255.0
dhcp select interface
#
interface Vlanif60
ip address 10.1.60.1 255.255.255.0
#
interface Vlanif61
ip address 10.1.61.1 255.255.255.0
dhcp select interface
#
interface Vlanif62
ip address 10.1.62.1 255.255.255.0
dhcp select interface
#
interface Vlanif70
interface Vlanif80
ip address 10.1.80.1 255.255.255.0
#
interface Vlanif81
ip address 10.1.81.1 255.255.255.0
dhcp select interface
#
interface Vlanif82
ip address 10.1.82.1 255.255.255.0
dhcp select interface
#
interface Vlanif90
ip address 10.1.90.1 255.255.255.0
#
interface Vlanif91
ip address 10.1.91.1 255.255.255.0
dhcp select interface
#
interface Vlanif92
ip address 10.1.92.1 255.255.255.0
dhcp select interface
#
interface Vlanif100
ip address 10.1.100.1 255.255.255.0
#
interface Vlanif101
ip address 10.1.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.1.102.1 255.255.255.0
dhcp select interface
#
interface Vlanif801
ip address 10.1.201.1 255.255.255.0
#
interface Vlanif802
ip address 10.1.202.1 255.255.255.0
#
interface Vlanif803
interface Vlanif804
ip address 10.1.204.1 255.255.255.0
#
interface Vlanif805
ip address 10.1.205.1 255.255.255.0
#
interface Vlanif806
ip address 10.1.206.1 255.255.255.0
#
interface Vlanif807
ip address 10.1.207.1 255.255.255.0
#
interface Vlanif808
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 to 12 801
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 to 22 801 to 802
#
interface Ethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30 to 32 803
#
interface Ethernet0/0/4
port link-type trunk
port trunk allow-pass vlan 30 40 to 42 803 to 804
#
interface Ethernet0/0/5
port link-type trunk
port trunk allow-pass vlan 50 to 52 805
#
interface Ethernet0/0/6
port link-type trunk
port trunk allow-pass vlan 50 60 to 62 805 to 806
#
interface Ethernet0/0/7
port link-type trunk
port trunk allow-pass vlan 70 to 72 807
#
interface Ethernet0/0/8
port trunk allow-pass vlan 70 80 to 82 807 to 808
#
interface Ethernet0/0/9
port link-type trunk
#
interface Ethernet0/0/12
port link-type access
port default vlan 20
stp edged-port enable
#
interface Ethernet0/0/13
port link-type access
port default vlan 30
stp edged-port enable
#
interface Ethernet0/0/14
port link-type access
port default vlan 40
stp edged-port enable
#
interface Ethernet0/0/15
port link-type access
port default vlan 50
stp edged-port enable
#
interface Ethernet0/0/16
port link-type access
port default vlan 60
stp edged-port enable
#
interface Ethernet0/0/17
port link-type access
port default vlan 70
stp edged-port enable
#
interface Ethernet0/0/18
port link-type access
port default vlan 80
stp edged-port enable
#
interface Ethernet0/0/19
port link-type access
port default vlan 90
#
interface Ethernet0/0/20
port link-type access
port default vlan 100
stp edged-port enable
#
interface Ethernet0/0/21
port link-type access
port default vlan 900
stp edged-port enable
#
interface Ethernet0/0/22
port link-type access
port default vlan 900
stp edged-port enable
#
interface Ethernet0/0/23
port link-type access
port default vlan 900
stp edged-port enable
#
interface Ethernet0/0/24
port link-type access
port default vlan 900
stp edged-port enable
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface NULL0
#
interface LoopBack100
ip address 100.100.100.100 255.255.255.255
#
interface LoopBack200
ip address 200.200.200.200 255.255.255.255
#
ip route-static 172.16.1.0 255.255.255.0 10.1.201.100
ip route-static 172.16.2.0 255.255.255.0 10.1.202.100
ip route-static 172.16.3.0 255.255.255.0 10.1.203.100
ip route-static 172.16.4.0 255.255.255.0 10.1.204.100
ip route-static 172.16.5.0 255.255.255.0 10.1.205.100
ip route-static 172.16.6.0 255.255.255.0 10.1.206.100
ip route-static 172.16.7.0 255.255.255.0 10.1.207.100
ip route-static 172.16.8.0 255.255.255.0 10.1.208.100
ip route-static 172.16.9.0 255.255.255.0 10.1.209.100
ip route-static 172.16.10.0 255.255.255.0 10.1.210.100
ip route-static 192.168.1.0 255.255.255.0 10.1.10.100
ip route-static 192.168.2.0 255.255.255.0 10.1.20.100
ip route-static 192.168.5.0 255.255.255.0 10.1.50.100
ip route-static 192.168.6.0 255.255.255.0 10.1.60.100
ip route-static 192.168.7.0 255.255.255.0 10.1.70.100
ip route-static 192.168.8.0 255.255.255.0 10.1.80.100