V200R006(C00&C10)
Issue 03
Date 2014-08-25
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://enterprise.huawei.com
Intended Audience
This document describes how to use the web network management system to configure and
maintain the switches. The web network management system provides the functions of viewing
device information, configuring the wizard, saving the configurations, and managing the entire
system, interfaces, services, ACLs, QoS, routes, security, and tools.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Security Conventions
• Password setting
  When configuring a password, cipher text is recommended. To ensure device
  security, change the password periodically.
  When you configure a password in cipher text that starts and ends with %@%@ or
  @%@% (the password can be decrypted by the device), the password is displayed in
  the configuration file exactly as it was configured. Do not use this setting.
• Encryption algorithm
  Currently, the device uses the following encryption algorithms: 3DES, AES, RSA, SHA1,
  SHA2, and MD5. DES, 3DES, RSA and AES are reversible, and SHA1, SHA2, and MD5
  are irreversible. The encryption algorithm depends on actual networking. The irreversible
  encryption algorithm must be used for the administrator password.
• Personal data
  Some personal data may be obtained or used during operation or fault location of your
  purchased products, services, features, so you have an obligation to make privacy policies
  and take measures according to the applicable law of the country to protect personal data.
• The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this manual are
  mentioned only to describe the product's function of communication error or failure
  detection, and do not involve collection or processing of any personal information or
  communication data of users.
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Contents
2 EasyOperation Edition
2.1 Client Configuration
2.1.1 Understanding the Web System Client User Interface
2.1.1.1 Window Layout
2.1.1.2 Navigation Tree
2.1.1.3 Buttons
2.1.1.4 GUI Elements
2.1.2 Web User Management
2.1.2.1 Creating a User Account
2.1.2.2 Changing User Attribute
2.1.2.3 Deleting a User Account
2.1.3 User Timeout
2.1.4 Switching to the Classics Edition
2.1.5 Saving Configuration
2.1.6 Logging Out of the Web System
2.2 Monitor
2.2.1 Panel
2.2.2 System Description
2.2.3 Switch Status
2.2.4 TOP5 Bandwidth Utilization
2.2.5 Log
2.2.6 Online User Information
2.2.7 Power status
2.3 Configuration
2.3.1 Interface Setting
3 Classics Edition
3.1 Client Configuration
3.1.1 Understanding the Web System Client User Interface
3.1.1.1 Window Layout
3.1.1.2 Navigation Tree
3.1.1.3 Buttons
3.1.1.4 GUI Elements
3.1.2 Web User Management
3.1.2.1 Create User
3.1.2.2 Changing Password
3.1.2.3 Deleting a User Account
3.1.3 Processing the Timeout of a Web User
3.1.4 Switching to the EasyOperation Edition
3.1.5 Saving Configuration
3.1.6 Logging Out of the Web System
3.2 Device Summary (S5720HI)
3.2.1 Lineate
3.2.1.1 Panel
3.2.1.2 System Description
3.2.1.3 Switch Status
3.2.1.4 Bandwidth Utilization
3.2.1.5 System Log
3.2.1.6 Trends
3.2.2 Wireless
3.3 Device Summary (for Switch Models Except S5720H)
3.3.1 Panel
3.3.2 System Description
3.3.3 Switch Status
3.3.4 Bandwidth Utilization
3.3.5 System Log
3.3.6 Trends
3.4 Config Wizard
3.4.1 EasyOperation
3.4.2 AP Wizard
3.4.3 WLAN Wizard
3.4.4 WDS Wizard
3.4.5 Mesh Wizard
3.8.2.1 AP Information
3.8.2.2 AP Region
3.8.2.3 AP Profile
3.8.2.4 AP Whitelist
3.8.2.5 AP Blacklist
3.8.3 WLAN Configuration
3.8.3.1 WLAN Configuration
3.8.4 Radio Profile
3.8.4.1 Radio Profile
3.8.4.2 WMM Profile
3.8.5 Service Set
3.8.5.1 Service Set
3.8.5.2 Traffic Profile
3.8.5.3 Security Profile
3.8.5.4 ESS Interface
3.8.5.5 STA Blacklist/Whitelist Profile
3.8.6 WDS Profile
3.8.6.1 Bridge Profile
3.8.6.2 Bridge Whitelist
3.8.6.3 WVL Information
3.8.7 Mesh Profile
3.8.7.1 Mesh Profile
3.8.7.2 Mesh WhiteList
3.8.7.3 WVL Information
3.8.8 Load Balancing
3.8.8.1 Static Load Balancing Group
3.8.8.2 Dynamic Load Balancing Group
3.8.9 WIDS Configuration
3.8.9.1 WIDS Configuration
3.8.9.2 SSID Whitelist
3.8.9.3 Rogue Device
3.8.9.4 Attack Statistics
3.8.9.5 Attack Records
3.8.9.6 Dynamic Blacklist
3.8.10 Backup Configuration
3.8.10.1 Backup Configuration
3.8.11 Terminal Management
3.8.11.1 STA Management
3.8.11.2 STA Statistics
3.8.11.3 Offline User Information
3.8.11.4 STA Blacklist/Whitelist
Users can log in to a device using the Web system for device management.
NOTE
When an S1720 or S2720 series switch is equipped with the factory settings, users can log in to the switch
using the Web system for the first time. For the detailed configuration method, see 1.1 Logging In to the
Device Through the Web System for the First Time (S1720) and 1.2 Logging In to the Device Through
the Web System for the First Time (S2720). When a device has been configured, users can configure the
login to the device using the Web system. For the detailed configuration method, see 1.3 Configuring
Login Through the Web System.
Switches excluding S1720 and S2720 series switches do not support the first login to a device using the
Web system. Users can configure the login to these switches using the Web system. For the detailed
configuration method, see 1.3 Configuring Login Through the Web System.
1.1 Logging In to the Device Through the Web System for the First Time (S1720)
When logging in to the S1720 with the factory settings for the first time, users can log in only
through the Web system on the PC.
1.2 Logging In to the Device Through the Web System for the First Time (S2720)
When logging in to the S2720 with the factory settings for the first time, users can log in only
through the Web system on the PC and then configure the login mode (Web system, Telnet, or
STelnet).
Context
To facilitate device maintenance and use, S1720 switches allow for the first login using the Web
system.
Pre-configuration Tasks
Before logging in to a device through the Web system, complete the following tasks:
Default Configuration
Password admin@huawei.com
User level 15
Procedure
Step 1 Connect the PC to the device.
To ensure that the PC and device have reachable routes to each other, configure the PC with an
IP address on the same network segment as the device IP address.
Open the browser on the PC and access https://192.168.1.253. On the displayed Web system
login page shown in Figure 1-1, enter the default user name admin and default password
admin@huawei.com, and select the system language. Click GO or press Enter. The Web
system configuration page is displayed.
NOTE
To log in to the device through the Web system, the browser on the PC must be IE 8.0, Firefox
12.0, or Chrome 23.0, or a later version. With an earlier browser version, the display may be incorrect.
If the default password is used to log in to the device, a message is displayed prompting users
to change the password, as shown in Figure 1-2. Click Confirm. Change the login password
on the User Management page. To ensure security, users are advised to change the Web login
password upon the first login to the device.
NOTE
A secure password should contain at least two types of the following: lowercase letters, uppercase letters,
numerals, special characters (such as ! $ # %). In addition, the password cannot contain spaces or single
quotation marks (').
----End
Context
When a PC has no available serial interface or does not carry any console cable, users can log
in to the device with the factory settings using the Web system for the first time. After the login,
users can conveniently configure the login mode (Web system, Telnet, or STelnet). After the
login mode is configured, users can log in to the device using the Web system, Telnet, or STelnet
for device maintenance.
Pre-configuration Tasks
Before logging in to a device through the Web system, complete the following tasks:
Default Configuration
Password admin@huawei.com
User level 15
Procedure
Step 1 Connect the PC to the device.
NOTE
Users can log in to a device for the first time using the Web system only when the device is in factory
default state. In this case, do not log in to the device through the console interface, because any operation
on the console interface leads to the failure of the first login using the Web system.
Press and hold the MODE button for 6s. When all indicators are steady green, the device enters
the initial configuration state.
The system sets the switch IP address to 192.168.1.253/24 and the user level to 15 by default.
NOTE
The device automatically exits the initial configuration state and restores the factory settings if users have
not saved the settings after 10 minutes.
To ensure that the PC and device have reachable routes to each other, configure the PC with an
IP address on the same network segment as the device IP address.
Open the browser on the PC and access https://192.168.1.253. On the displayed Web system
login page shown in Figure 1-3, enter the default user name admin and default password
admin@huawei.com, and select the system language. Click GO or press Enter. The Web
system configuration page is displayed.
NOTE
To log in to the device through the Web system, the browser on the PC must be IE 8.0, Firefox
12.0, or Chrome 23.0, or a later version. With an earlier browser version, the display may be incorrect.
As shown in Figure 1-4, the Web system configuration page allows users to perform the basic
and optional configurations. Table 1-3 describes parameters for the basic configuration. After
the basic configuration is complete, users can log in to the device through the Web system.
Table 1-4 describes parameters for the optional configuration. After the optional configuration
is complete, users can log in to the device through Telnet or STelnet.
NOTE
A login user can create users for logging in to the device through Telnet or STelnet. The parameter Create
User is valid only when Telnet Server or Stelnet Server is On.
Item | Description
WEB User Password | Indicates the new Web login password. This parameter is mandatory. A secure password should contain at least two types of the following: lowercase letters, uppercase letters, numerals, special characters (such as ! $ # %). In addition, the password cannot contain spaces or single quotation marks (').
WEB User Level | Indicates the Web user level. Select a user level from the drop-down list box. This parameter is optional. NOTE: Only users of level 3 or higher have the management rights.
Click Apply. The configuration is saved. When logging out of the Web system for the first time,
the following situations may occur based on the configured management IP address:
• When the management IP address is on the same network segment as 192.168.1.253/24, the
  Web system login page is displayed.
• When the management IP address is not on the same network segment as 192.168.1.253/24,
  users cannot log in to the device through the Web system. In this case, configure an IP address
  on the same network segment as the management IP address for the PC so that the PC and
  device have reachable routes to each other.
Users can log in to the device through the Web system, Telnet, or STelnet for device
maintenance.
----End
Configuration Process
If a web page file is integrated in the device's system software and has been loaded, you do not
need to load and configure a web page file when using the device for the first time after its
delivery. To upgrade the device or load an independent web page file, perform the following
operations.
Table 1-5 describes the tasks in the configuration process for login through HTTPS.
Table 1-5 Tasks in the configuration process for login through HTTPS
Default Configuration
Table 1-6 Default settings of the parameters for logging in to another device through HTTPS
Procedure
• Uploading and loading the web page file
NOTE
To obtain the Web page file of the device, log in to http://support.huawei.com/enterprise and
download the software package based on the product name and version. The Web page file is
contained in the software package. The file name is Product Name - the Version of Software.the
Version of Web page file.web.7z.
• (Optional) Uploading the server digital certificate file and private key file
The device provides a default SSL policy, and the web page file contains the randomly
generated self-signed SSL certificate. Therefore, you do not need to upload the certificate
or configure the SSL policy. To ensure security, it is recommended that you obtain the
officially authorized digital certificate from the certificate authority (CA) and manually
configure an SSL policy.
NOTE
The device does not support life-cycle management on the self-signed certificate generated by the
device, such as updating the certificate or revoking the certificate. You are advised to use your own
certificate to ensure device and certificate security.
You are advised to use the tool specified in the Software digital signature (OpenPGP) validation
guide to check validity of the certificate before uploading the certificate. To obtain the tool, log in
to http://enterprise.huawei.com/en/, choose Support > Tools, search for Software digital signature
(OpenPGP), and then download the tool.
Upload the server digital certificate and private key file to the security directory on the
device in SFTP or SCP mode. If no security directory exists on the device, run the
mkdir directory command to create one.
A PEM digital certificate has a file name extension .pem and is applicable to text
transmission between systems.
An ASN1 digital certificate has a file name extension .der and is the default format for
most browsers.
A PFX digital certificate has a file name extension .pfx and is a binary format that can
be converted into the PEM or ASN1 format.
For details, see the file uploading methods in the reference manual.
• (Optional) Configuring the SSL policy and loading the digital certificate
Table 1-8 Configuring the SSL policy and loading the digital certificate
Load the digital certificate in the ASN1 format:
certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename

Load the digital certificate in the PFX format:
certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac cipher mac-code | key-file key-filename } auth-code cipher auth-code

Load the digital certificate in the PEM, ASN1, or PFX format.
NOTE
You can load a certificate or certificate chain for only one SSL policy. Before loading a certificate
or certificate chain, you must unload the existing certificate or certificate chain.
Configure the local user name and password:
local-user user-name password irreversible-cipher password

Configure the level for the local user:
local-user user-name privilege level level
NOTE
Only users of level 3 or higher have the management rights.
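The Security Conventions warn against cipher text wrapped in %@%@ or @%@% and require irreversible encryption for administrator passwords, and the command above uses irreversible-cipher. The following audit of a saved configuration is an added example, not Huawei code. It assumes the command forms "local-user <name> password cipher <text>" and "set authentication password cipher <text>", and the sample configuration is constructed.

```python
import re

# Markers that, per the Security Conventions, wrap device-decryptable cipher text.
REVERSIBLE_MARKERS = ("%@%@", "@%@%")
# Per the manual, only users of level 3 or higher have management rights.
MGMT_LEVEL = 3

# Constructed sample configuration (not from a real device). The "password cipher"
# and "set authentication password cipher" forms are assumptions of this example.
SAMPLE_CONFIG = """\
aaa
 local-user admin password irreversible-cipher CONSTRUCTED-HASH
 local-user admin privilege level 15
 local-user webops password cipher %@%@CONSTRUCTED-CIPHERTEXT%@%@
 local-user webops privilege level 3
 local-user guest password cipher @%@%CONSTRUCTED-CIPHERTEXT@%@%
 local-user guest privilege level 1
user-interface vty 0 4
 set authentication password cipher %@%@CONSTRUCTED-CIPHERTEXT%@%@
"""

USER_PASSWORD = re.compile(r"^local-user\s+(\S+)\s+password\s+(\S+)\s+\S+")
USER_LEVEL = re.compile(r"^local-user\s+(\S+)\s+privilege\s+level\s+(\d+)")


def is_reversible_ciphertext(token):
    """True if the token starts and ends with the same reversible marker."""
    return any(
        len(token) > 2 * len(marker)
        and token.startswith(marker)
        and token.endswith(marker)
        for marker in REVERSIBLE_MARKERS
    )


def audit(config):
    """Return sorted (line_number, finding) tuples for a configuration text."""
    users = {}      # user name -> {"mode": str, "line": int, "level": int}
    findings = []
    for number, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        match = USER_PASSWORD.match(line)
        if match:
            entry = users.setdefault(match.group(1), {})
            entry["mode"], entry["line"] = match.group(2), number
        match = USER_LEVEL.match(line)
        if match:
            users.setdefault(match.group(1), {})["level"] = int(match.group(2))
        # Any secret stored in reversible form is reported, whatever the command.
        if any(is_reversible_ciphertext(token) for token in line.split()):
            findings.append((number, "reversible-ciphertext"))
    for name, entry in users.items():
        # A user without an explicit level is not treated as an administrator
        # here (assumption of this example).
        if (
            "mode" in entry
            and entry["mode"] != "irreversible-cipher"
            and entry.get("level", 0) >= MGMT_LEVEL
        ):
            findings.append((entry["line"], "admin-not-irreversible:" + name))
    return sorted(findings)


if __name__ == "__main__":
    for number, finding in audit(SAMPLE_CONFIG):
        print(f"line {number}: {finding}")
```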
An ACL is composed of a list of rules such as the source address, destination address, and
port number of packets. ACL rules are used to classify packets. After these rules are applied
to devices, the devices determine the packets to be received and rejected.
Users can configure a basic ACL to allow only specified clients to connect to the HTTP
server.
NOTE
ACL rule:
• The device with the specified source IP address can establish an HTTP connection with the local
  device only when permit is used in the ACL rule.
• When deny is used in the ACL rule, other devices cannot establish HTTP connections with the
  local device.
• When the ACL rule is configured but packets from other devices do not match the rule, other
  devices cannot establish HTTP connections with the local device.
• When the ACL contains no rule, any other devices can establish HTTP connections with the local
  device.
Action: Configure HTTP ACLs.
Command: http acl acl-number
Description: -
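The four cases in the NOTE above can be checked before an ACL is bound with http acl, so that a management PC is not locked out and an empty ACL is not mistaken for a restriction. The following model is an added example, not part of the Huawei manual. It assumes rules written in the basic-ACL form "rule <id> { permit | deny } source { <address> <wildcard> | any }" and evaluated in ascending rule-ID order; the rule syntax, the function names, and the sample addresses are assumptions, since this page does not list them.

```python
import ipaddress
import re

RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)\s+source\s+(?:(any)|(\S+)\s+(\S+))\s*$"
)


def parse_basic_acl(text):
    """Parse rule lines into (rule_id, action, address, wildcard) tuples, sorted by rule ID."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule line: {line!r}")
        rule_id, action, any_source, addr, wildcard = m.groups()
        if any_source:
            addr_i, wild_i = 0, 0xFFFFFFFF           # every bit is "don't care"
        else:
            addr_i = int(ipaddress.IPv4Address(addr))
            # A wildcard of "0" is treated as 0.0.0.0, that is, a single host.
            wild_i = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
        rules.append((int(rule_id), action, addr_i, wild_i))
    return sorted(rules)


def http_decision(rules, client_ip):
    """Apply the NOTE's semantics to one client; return (decision, reason)."""
    if not rules:
        # ACL contains no rule: any device can establish an HTTP connection.
        return "allow", "ACL contains no rule"
    ip = int(ipaddress.IPv4Address(client_ip))
    for rule_id, action, addr, wild in rules:
        care = ~wild & 0xFFFFFFFF                    # bits that must match
        if (ip & care) == (addr & care):
            decision = "allow" if action == "permit" else "refuse"
            return decision, f"rule {rule_id} {action}"
    # Rules exist but none matched: the connection is refused.
    return "refuse", "no rule matched"


def audit(acl_text, stations):
    """Return {client_ip: (decision, reason)} for each management station."""
    rules = parse_basic_acl(acl_text)
    return {ip: http_decision(rules, ip) for ip in stations}


# Constructed sample ACL: one host is blocked, the rest of 192.168.0.0/24 is permitted.
ACL_MGMT = """
rule 5 deny source 192.168.0.66 0
rule 10 permit source 192.168.0.0 0.0.0.255
"""

if __name__ == "__main__":
    for ip, result in audit(ACL_MGMT, ["192.168.0.10", "192.168.0.66", "10.1.1.1"]).items():
        print(ip, result)
    print("empty ACL:", audit("", ["10.1.1.1"]))
```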
1. Open the web browser on the PC, enter https://IP address in the address box, and
press Enter. The Login dialog box is displayed. Enter the web user name and
password, and select a language for the web system, as shown in Figure 1-5.
2. Select the web system edition. The web system supports the EasyOperation edition
and Classics edition. The EasyOperation edition uses abundant graphs and
personalized UIs to provide monitoring, configuration, maintenance and network
functions. The Classics edition complies with the common web page style of switches
and provides comprehensive configuration and management functions. By default,
you log in to the device through the web system of the EasyOperation edition.
3. Click GO or press Enter. The web system home page is displayed.
You can manage and maintain the device after logging in to the web system.
NOTE
l The web system identifies information about a board using the Item value in electronic labels carried
in the device. In comparison, the hardware drive enables or disables the device by judging the BarCode
value. The Web system may fail to read and display information about the board because the Item
value may be different from the BarCode value.
l To log in to the web system of the EasyOperation edition, your web browser must be Internet Explorer
8.0 (or later), Firefox 12.0 (or later) or Google 23.0 (or later). To log in to the web system of the Classics
edition, your web browser must be IE 8.0 (or later) or Firefox 12.0 (or later). If an earlier browser version
is used, the web page display may be abnormal. The web browser is required to support
JavaScript.
l After the device software version changes (for example, the software version is upgraded or rolled
back), clear the browser cache before using the web system client. Otherwise, web pages may be
incorrectly displayed.
l The Web system client does not support the back button on the browser when you log in to the web
page and do not perform any operation.
l When you log in to the web system on multiple pages using the same browser, the browser only records
the account information of the last login and the accounts used on all the pages after page refresh
change to the last login account.
----End
1.4.1 Example for Logging In to the Device Through the Web System
Networking Requirements
HTTP enables the device supporting the web system to function as a web server. You can log
in to this device using HTTP and manage the device on web pages. HTTP cannot authenticate
web servers or encrypt data, so it cannot protect data privacy or security. HTTPS is used on
devices to provide encrypted communication and secure identification of web servers.
As shown in Figure 1-6, an SSL policy is configured on the device that works as an HTTPS
server. There are reachable routes between the PC and HTTPS server, and the IP address of the
HTTPS server is 192.168.0.1/24. After the digital certificate is loaded and the HTTPS service
is enabled on the device, you can log in to the device through HTTPS and manage the device
on web pages. (Use the certificate from the CA and manually configure an SSL policy.)
[Figure 1-6: networking diagram. The PC connects through the network to the HTTPS server at 192.168.0.1/24.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Upload the digital certificate and web page file saved in the PC to the device that works as
the HTTPS server.
2. Copy the digital certificate from the root directory on the HTTPS server to the security
subdirectory, configure the SSL policy, and load the digital certificate.
3. Load the web page file.
4. Enable the HTTPS service and configure an HTTP user.
5. Log in to the web system.
Procedure
Step 1 Generate a local key pair on the HTTPS server, and enable the SFTP server.
<HUAWEI> system-view
[HUAWEI] sysname HTTPS-Server
[HTTPS-Server] rsa local-key-pair create
The key name will be: HTTPS-Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
it will take a few minutes.
Input the bits in the modulus[default = 2048]:2048
Generating keys...
...........++++++++++++
..................++++++++++++
...++++++++
...........++++++++
[HTTPS-Server] sftp server enable
Step 3 Configure SSH user information including the authentication mode, service type, authorized
directory, user name, and password.
[HTTPS-Server] ssh user client001 authentication-type password
[HTTPS-Server] ssh user client001 service-type sftp
[HTTPS-Server] ssh user client001 sftp-directory flash:
[HTTPS-Server] aaa
[HTTPS-Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789
[HTTPS-Server-aaa] local-user client001 privilege level 15
[HTTPS-Server-aaa] local-user client001 service-type ssh
[HTTPS-Server-aaa] quit
[HTTPS-Server] quit
Step 4 Connect to the HTTPS server using the third-party software OpenSSH on the PC.
The SSH client software supporting SFTP must be installed on the terminal to ensure that the
terminal can connect to the device using SFTP to manage files. The following describes how to
connect to the device using the OpenSSH and the Windows CLI.
NOTE
l For details about how to install OpenSSH, see the OpenSSH installation description.
l To use the OpenSSH to connect to the device using SFTP, run the OpenSSH commands. For details
about OpenSSH commands, see OpenSSH help.
l Windows command prompt can identify commands supported by the OpenSSH only when the
OpenSSH is installed on the terminal.
Access the Windows CLI and run the commands supported by the OpenSSH to connect to the
device using SFTP to manage files.
If command prompt sftp> is displayed in the SFTP client view, the user accesses the working
directory on the SFTP server. (The following information is only for reference.)
C:\Documents and Settings\Administrator> sftp client001@192.168.0.1
Connecting to 192.168.0.1...
The authenticity of host '192.168.0.1 (192.168.0.1)' can't be established.
RSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.1' (RSA) to the list of known hosts.
User Authentication
Password:
sftp>
Step 5 Upload the digital certificate and web page file to the server from the user terminal.
sftp> put webtest.7z
Uploading webtest.7z to /webtest.7z
webtest.7z 100% 1308478 4.6KB/s 00:11
sftp> put 1_servercert_pem_rsa.pem
Uploading 1_servercert_pem_rsa.pem to /1_servercert_pem_rsa.pem
1_servercert_pem_rsa.pem 100% 1302 4.6KB/s 00:02
sftp> put 1_serverkey_pem_rsa.pem
Uploading 1_serverkey_pem_rsa.pem to /1_serverkey_pem_rsa.pem
1_serverkey_pem_rsa.pem 100% 951 4.6KB/s 00:01
Step 6 On the switch, run the dir command to check the existence of the digital certificate and web
page file in the current storage directory.
NOTE
If the size of the digital certificate and web page file on the switch is different from that on the file server,
a transmission exception may occur. Upload the digital certificate and web page files again.
Step 7 Configure the SSL policy and load the digital certificate.
# Create the security subdirectory and copy the certificates from the CA to the subdirectory.
<HTTPS-Server> mkdir security/
<HTTPS-Server> copy 1_servercert_pem_rsa.pem security/
<HTTPS-Server> copy 1_serverkey_pem_rsa.pem security/
You can run the dir command in the security subdirectory to check the digital certificate.
<HTTPS-Server> cd security/
<HTTPS-Server> dir
Directory of flash:/security/
# Create the SSL policy and load the digital certificate in the PEM format.
<HTTPS-Server> system-view
[HTTPS-Server] ssl policy http_server
[HTTPS-Server-ssl-policy-http_server] certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code cipher 123456
[HTTPS-Server-ssl-policy-http_server] quit
You can run the display ssl policy command on the HTTPS server to check the details about
the digital certificate that has been loaded.
[HTTPS-Server] display ssl policy
SSL Policy Name: http_server
Policy Applicants:
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: ******
MAC:
CRL File:
Trusted-CA File:
Open the web browser on the PC, enter https://192.168.0.1 in the address box, and press
Enter. The Login dialog box is displayed, as shown in Figure 1-7.
Enter the correct HTTPS user name and password, and click GO or press Enter. The home page
of the web system is displayed.
# Run the display http server command on the HTTPS server to check the SSL policy name
and HTTPS server status.
[HTTPS-Server] display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 1
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
----End
Configuration Files
#
sysname HTTPS-Server
#
http server load webtest.7z
http secure-server ssl-policy http_server
#
aaa
local-user admin password irreversible-cipher %@%@HW=5%Mr;:2)/RX$FnU1HLO%-TBMp4wn
%;~\#%iAut}_~O%0L%@%@
local-user admin privilege level 15
local-user admin service-type http
local-user client001 password irreversible-cipher %@%@*~Br";[g6Pv5Zf>$~{hY+N!`{$<
[Y{;l02P)B,EBz\1FN!c+%@%@
local-user client001 privilege level 15
local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
ssl policy http_server
certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file
1_serverkey_pem_rsa.pem auth-code cipher %@%@"DlqKik*GE*~`u4H+LFJ(K-=%@%@
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
protocol inbound ssh
#
return
2 EasyOperation Edition
The web system of the EasyOperation edition allows for common operations related to the
monitor, configuration, maintenance, and network functions.
2.2 Monitor
You can monitor device status information in the web system.
2.3 Configuration
You can configure the following items on the GUI: Interface Setting, VLAN, DHCP, MAC
management, LBDT, ACL, AAA & NAC, and STP.
2.4 Maintenance
This section describes common device maintenance, for example, system setting, system
maintenance, file management, log management, SNMP, diagnosis tool and user management.
2.5 Network
The EasyDeploy function simplifies network configuration and implements remote deployment
and centralized management of network devices.
A typical operation user interface of the web system is shown in the following figure. Figure
2-1 shows the operation user interface.
Number Description
4 CLI switching area. The CLI window can be invoked in this area and users can manage and maintain devices by running commands in the window.
The web system of the EasyOperation edition consists of four areas: monitor, configuration,
maintenance, and network, and provides the following functions: device status overview,
interface management, VLAN, DHCP, system management, service management, diagnosis
tool, network deployment, and batch configuration.
Table 2-2 lists submenus in the four areas and describes their functions.
NOTE
The menus and submenus described in this section are used for reference only because the menus of
different switch models have slight differences.
Area: Monitor
Panel: The panel of a switch displays the panel of the switch.
Log: Displays the latest five logs, including the time when logs are generated, log level, and log content.
Area: Maintenance
System Setting: Set system information such as system time and system information.
File Management: Upload files to the device, download files from the device, and restore or permanently delete files from the recycle bin.
Log Management: Query and process the latest 300 logs by type.
2.1.1.3 Buttons
This section describes common buttons on the web system that can be used to facilitate
operations on the web.
Button Function
Table 2-4 lists the elements that you usually use on the web system GUI.
NOTE
The GUI elements described in this section are used for reference only because the GUI elements of
different switch models have slight differences.
Name Element
Button
On/off switch
Option button
Check box
Tab
Text box
Browse box
Group box
Drop-down list box
Menu
Time setting
Mandatory option
Interface panel
CLI switching
The following sections describe user management operations. Choose Maintenance > User
Management to configure user management.
Context
Only administrative users can add user accounts.
NOTE
Procedure
Step 1 Choose Maintenance > User Management. The User Management page is displayed.
Step 3 In the Create User dialog box, set User Name, Password, Confirm Password, and Level.
Figure 2-2 shows the Create User dialog box.
----End
Context
Only administrative users can change the password and user level.
Procedure
Step 1 Choose Maintenance > User Management. The User Management page is displayed.
Step 2 Click Modify next to a user account. The Modify User dialog box is displayed.
Step 3 In the Modify User dialog box, set Password, Confirm Password, and Level.
Step 4 Click Confirm.
----End
Context
Only administrative users can delete user accounts.
NOTE
You can delete a user account of the same or a lower level, not including your own user account.
Procedure
Step 1 Choose Maintenance > User Management. The User Management page is displayed.
Step 2 Click Delete next to a user account. The system asks whether you want to delete the user account.
Step 3 Click Confirm.
----End
By default, the timeout period for a login user is 20 minutes. You can change the timeout period
on the System Setting page.
A button is available on the EasyOperation edition for you to switch to the classics edition. Click
Classics at the upper right corner of the page to switch to the classics edition. Figure 2-5 shows
the Classics button.
l Click at the upper right corner to save all the configuration data to the
configuration file.
You can log out of the web system in either of the following ways:
l Click on the upper right corner of the page to close the browser.
NOTE
If you use the first method, save the configurations before you close the browser. Otherwise, the
configurations will be lost. If you use the second method, a message is displayed on the web system, asking
whether you want to save the current configuration.
2.2 Monitor
You can monitor device status information in the web system.
2.2.1 Panel
The panel of a switch displays the panel of the switch.
Context
The panel section displays information about interfaces on a switch panel, including the number
of interfaces and status of each interface. When you move the mouse to an interface, the interface
number and status are displayed.
Procedure
Step 1 Click Monitor in the function area to display the Monitor page. The panel diagram is
displayed, as shown in Figure 2-6.
----End
Procedure
Step 1 Click Monitor in the function area to display the Monitor page. The system description of the
switch is displayed, as shown in Figure 2-7.
----End
Context
To view the real-time status of a switch, refresh the page.
Procedure
Step 1 Click Monitor in the function area to display the Monitor page. The switch status is
displayed, as shown in Figure 2-8.
Step 2 Click the CPU Usage, Memory Usage, and Temperature tabs to view detailed status
information, as shown in Figure 2-9.
Step 3 For a battery switch, the battery status is also displayed, as shown in Figure 2-10. When you
move the mouse to a battery status icon, the battery status represented by the icon is displayed.
Table 2-5 shows the status of different batteries and the corresponding icons.
NOTE
Lead-acid battery:
l Absent
l Charging
l Full power
l Discharging
l Abnormal
Lithium battery:
l Absent
l Charging
l Full power
l Discharging. The remaining power is normal (higher than or equal to 20%).
l Discharging. The remaining power is too low (lower than 20%).
l Abnormal
l Upgrading
NOTE
When a lithium battery is discharging, the displayed status icon depends on the remaining power of the
battery. If the remaining power is less than 20% of the full power, the red discharging icon is displayed,
indicating that the power is too low. If the remaining power is more than 20% of the full power, the green
discharging icon is displayed.
When a lithium battery is charging or discharging, the current power percentage is displayed above the
status icon. For example, if a lithium battery is fully charged, "Lithium battery 100%" is displayed. If the
remaining power of a discharging lithium battery is too low, "Lithium battery 18%" is displayed.
----End
Procedure
Step 1 Click Monitor in the function area. The TOP5 Bandwidth Utilization is displayed, as shown
in Figure 2-11.
Step 2 If you want to view the bandwidth utilization of a specific interface, click the interface below
Port name. The Bandwidth Utilization is displayed. On the page, you can view the real-time
bandwidth utilization of this interface, as shown in Figure 2-12.
Step 3 If you want to view the bandwidth utilization of other interfaces, click More in the lower right
corner of the TOP5 Bandwidth Utilization. The portList is displayed. You can view detailed
information about other interfaces on the portList, as shown in Figure 2-13.
You can use the following method to search and view detailed information about a specific
interface on the PortList.
1. Select an interface name from the drop-down list box next to Port type to determine the
type of interface you want to view.
2. Enter the interface number in the second search box next to Port type.
3. Click Search.
On the PortList, you can perform refresh, clear, and clear all operations.
l Click Refresh to obtain the latest bandwidth utilization.
l Click Clear to clear the bandwidth utilization of a specified interface and refresh the page.
l Click Clear All to clear the bandwidth utilization of all interfaces and refresh the page.
Item Description
----End
2.2.5 Log
The Log section displays the five latest logs with the highest severities, providing the generation time
and contents of each log.
Context
You can click More to view more logs.
Procedure
Step 1 Click Monitor in the function area to display the Monitor page. Logs are displayed in the
Log section, as shown in Figure 2-14.
Step 2 Click More to display the Log Management page. You can view the latest 300 logs with the highest
severities on this page.
----End
Context
Brief information about the latest five online users on the current device is displayed in the
Online User Information area. The information includes online time, authentication mode,
MAC address, and IP address. You can check detailed information about each online user,
including user name, domain name, access port, online duration, access type, outer/user VLAN,
and user ID. You can also force the user offline based on the current network status.
Procedure
Step 1 Click Monitor to display the Monitor page. You can view information in the Online User
Information area, as shown in Figure 2-15.
NOTE
l Click More to display the Online User List page, and click Disconnect next to a user
record.
l Click More to display the Online User List page. Select the records of the users to be
forced offline, and click Disconnect next to Refresh to force the users offline in batches.
After you click Disconnect, the system prompts you to confirm the operation of forcing
users offline.
2. Click Confirm.
----End
Context
For a non-PoE device that provides only internal power modules, the Power status section is
not displayed on the Monitor page. If the device does not support PoE power supply, total
available PoE power and total PoE output power are not displayed in the Power status section.
Procedure
Step 1 Click Monitor in the function area to display the Monitor page. The power status is
displayed, as shown in Figure 2-18.
----End
2.3 Configuration
You can configure the following items on the GUI: Interface Setting, VLAN, DHCP, MAC
management, LBDT, ACL, AAA & NAC, and STP.
NOTE
A combo interface is a logical interface, which corresponds to a GE electrical interface and a GE optical interface
on the device panel. The electrical interface is used with the optical interface as a combo interface. When the
device supports electrical interfaces, you do not need to use the GE copper module to convert an optical interface
to an electrical interface.
Context
You can view interface related functions on this page.
Procedure
Step 1 Click Configuration in the function area and choose Interface Setting from the navigation tree
in the left. The Interface Setting page is displayed. Click View Configuration, as shown in
Figure 2-20.
Step 2 Click an interface icon to select an interface. You can select only one interface at one time.
Step 3 View interface related functions on the View Interface Attribute. Figure 2-21 shows the View
Interface Attribute.
Step 4 If you want to delete all configurations on the interface to restore the default settings, click Clear
Configuration. After configurations are deleted, the interface is disabled.
----End
2.3.1.2 Connecting a PC
Context
After a switch is connected to a PC, you can configure functions such as the default VLAN, port
security, and port isolation based on service requirements.
Procedure
Step 1 Click Configuration in the function area and choose Interface Setting from the navigation tree
in the left. The Interface Setting page is displayed. Click Connect PC, as shown in Figure
2-22.
NOTE
Step 2 Select a port to be configured. Perform the following operations as required in the port area:
l Click a port icon. To deselect the port, click the port icon again.
l Drag the cursor to select consecutive ports in a batch.
l Click multiple port icons to select these ports, and click a port icon again to deselect the port.
l Select a slot where a panel is located. All ports on the panel are selected.
Parameter Description
Default VLAN Adds the interface to the default VLAN. The VLAN ID ranges from 1
to 4094.
MAC Address Sets the maximum number of secure MAC addresses. The value ranges
Limit from 1 to 1024.
Trust Priority Configure trust priority on the port. The values are as follows:
l none: No packet priority is trusted.
l 8021p-inner: The 802.1p priority in the inner VLAN tag is trusted.
l 8021p-outer: The 802.1p priority in the outer VLAN tag is trusted.
l DSCP: The DSCP priority of packets is trusted.
----End
Context
After a switch is connected to an IP phone, you can configure functions such as the default
VLAN, voice VLAN, port security, and port isolation based on service requirements.
Procedure
Step 1 Click Configuration in the function area and choose Interface Setting from the navigation tree
in the left. The Interface Setting page is displayed. Click Connect IP Phone, as shown in
Figure 2-23.
NOTE
Step 2 Select a port to be configured. Perform the following operations as required in the port area:
l Click a port icon. To deselect the port, click the port icon again.
l Drag the cursor to select consecutive ports in a batch.
l Click multiple port icons to select these ports, and click a port icon again to deselect the port.
l Select a slot where a panel is located. All ports on the panel are selected.
Parameter Description
Default VLAN Adds the interface to the default VLAN. The VLAN ID ranges from 1
to 4094.
Voice VLAN Enables voice VLAN on the interface. The voice VLAN ID ranges from
2 to 4094.
MAC Address Sets the maximum number of secure MAC addresses. The value ranges
Limit from 1 to 1024.
----End
Context
After a switch is connected to another switch, you can configure the switch port to allow packets
from a specified VLAN based on service requirements.
Procedure
Step 1 Click Configuration in the function area and choose Interface Setting from the navigation tree
in the left. The Interface Setting page is displayed. Click Connect Switch, as shown in Figure
2-24.
NOTE
Step 2 Select a port to be configured. Perform the following operations as required in the port area:
l Click a port icon. To deselect the port, click the port icon again.
l Drag the cursor to select consecutive ports in a batch.
l Click multiple port icons to select these ports, and click a port icon again to deselect the port.
l Select a slot where a panel is located. All ports on the panel are selected.
Parameter Description
Eth-Trunk ID of the Eth-Trunk to which the port is added. This parameter can be
set only after Enable Link Aggregation is selected.
Allow VLAN ID of a VLAN whose packets can pass through the port. The VLAN ID
ranges from 1 to 4094.
----End
Context
You can configure functions of interfaces on switches that are connected to routers on the
GUI. Figure 2-25 shows interface status and optical/electrical interfaces.
NOTE
Procedure
Step 1 Click Configuration in the function area and choose Interface Setting from the navigation tree
in the left. The Interface Setting page is displayed. Click Connect Router, as shown in Figure
2-26.
Step 2 Click an interface icon to select an interface. You can select only one interface at one time.
Step 3 Set parameters on the Configure Interface. Figure 2-27 shows the Configure Interface.
Item Description
----End
Context
You can disable an idle interface that is not connected to a cable or an optical fiber on the GUI
to prevent the idle interface from interfering with other interfaces in working state.
Procedure
Step 1 Click Configuration in the function area and choose Interface Setting from the navigation tree
in the left. The Interface Setting page is displayed. Click Enable/Disable Interface, as shown
in Figure 2-29.
Step 2 Select the interface that you want to configure. Perform either of the following operations as
required.
l Click an interface icon to select an interface.
l Drag the mouse to select multiple consecutive interfaces in a batch.
l Click multiple port icons to select these ports, and click a port icon again to deselect the port.
l Select an interface card name to select all the interfaces on the interface card.
Step 3 Set parameters on the Configure Interface. Figure 2-30 shows the Configure Interface.
----End
Context
Virtual cable test (VCT) technology uses time domain reflectometry (TDR) to detect the cable
status. When a pulse is transmitted to the end of a cable or a failure point in the cable, some
pulse energies are reflected to the transmitting end. The VCT algorithm measures the time spent
on transmitting pulses over a cable, reaching a failure point, and returning the pulses. The
measured time is converted to the distance.
VCT can detect the fault type of a network cable and identify failure points to help locate network
cable faults.
The VCT test result is only for reference and may be inaccurate for cables of some vendors.
VCT takes effect only on optical interfaces that have GE copper modules installed or GE
electrical interfaces on the device.
Figure 2-31 shows interface status and optical/electrical interfaces.
Procedure
Step 1 Click Configuration in the function area and choose Interface Setting from the navigation tree
in the left. The Interface Setting page is displayed. Click Detect Link, as shown in Figure
2-32.
Step 2 Select the interface that you want to configure. Perform either of the following operations as
required.
l Click an interface icon to select an interface.
l Drag the mouse to select multiple consecutive interfaces in a batch.
l Click multiple port icons to select these ports, and click a port icon again to deselect the port.
l Select an interface card name to select all the interfaces on the interface card.
Step 4 You can view check results on the Configure Interface. Figure 2-33 shows the Configure
Interface.
Item Description
----End
2.3.2 VLAN
You can create, query, modify, or delete a single VLAN or create VLANs in a batch.
Context
l A switch supports 4094 VLANs from VLAN 1 to VLAN 4094.
l VLANs can isolate the hosts that require no communication with each other, reducing
broadcast traffic and improving network security.
Procedure
l Creating a VLAN
1. Click Configuration in the function area and choose VLAN from the navigation tree
in the left. The VLAN page is displayed.
2. Click Create. The Create VLAN dialog box is displayed, as shown in Figure 2-34.
Parameter Description
3. Set parameters.
4. Click Add Interface. The Add Interface area is unfolded, as shown in Figure
2-35.
5. Click Select Interface. The Add Interface page is displayed, as shown in Figure
2-36.
1. Click Configuration in the function area and choose VLAN from the navigation tree
in the left. The VLAN page is displayed.
2. Click Batch Create. The Create VLAN dialog box is displayed, as shown in Figure
2-37. Set parameters.
3. Click Confirm.
l Querying a VLAN
1. Click Configuration in the function area and choose VLAN from the navigation tree
in the left. The VLAN page is displayed.
2. Enter a VLAN ID. If you do not enter any VLAN ID, all created VLANs are displayed.
3. Click Search. The VLAN is displayed, as shown in Figure 2-38.
4. Click View Interface. The interfaces added to VLANs are displayed, as shown in
Figure 2-39.
l Modifying a VLAN
1. Click Configuration in the function area and choose VLAN from the navigation tree
in the left. The VLAN page is displayed.
2. Click Modify. The Modify VLAN dialog box is displayed, as shown in Figure
2-40. Table 2-14 describes parameters in the Modify VLAN dialog box.
2.3.3 DHCP
Context
Dynamic Host Configuration Protocol (DHCP) is used to dynamically manage and configure
the IP addresses for users in a centralized manner. DHCP adopts the client/server mode for
communication. The client applies to the server for configurations (including IP address, subnet
mask, and default gateway), and the server replies with corresponding configuration information
based on policies.
Procedure
l Global configuration
1. Click Configuration in the function area to display the Configuration page.
2. Choose DHCP in the navigation tree to display the Global Setting page.
3. Set DHCP status to ON in the Global Setting area to enable the DHCP function
globally.
l Address pool list
1. Click Configuration in the function area to display the Configuration page.
2. Choose DHCP in the navigation tree to display the Address Pool List page.
3. Click Create in the Address Pool List area. The Create IP Pool page is displayed,
as shown in Figure 2-41.
Parameter Description
Parameter Description
By clicking an interface address pool (the DHCP mode of the mapping interface is
local allocation) in Address Pool Information, you can check the detailed address
pool information, as shown in Figure 2-42.
Table 2-16 describes the parameters on the Address Pool Information page.
Parameter Description
----End
Context
Each switch maintains a MAC address table. A MAC table records learned MAC addresses,
VLAN IDs, and outbound interfaces. To forward data, the switch searches the MAC table based
on destination MAC addresses and VLAN IDs carried in packets to determine the outbound
interfaces for the packets. Therefore, broadcast traffic is reduced. Configure the following MAC
address types and functions:
l The interface obtains dynamic entries based on the learning of source MAC addresses. The
dynamic entries can be aged.
l Static MAC entries are manually configured and never age. For details, see Configuring
a static user.
l Blackhole MAC entries are used to discard data frames with the specified source or
destination MAC addresses. Blackhole MAC entries are manually configured and never
age. For details, see Configuring a blackhole MAC address entry.
l ARP entry fixing can be configured to defend against ARP address spoofing attacks. For
details, see Configuring ARP entry fixing.
l Port security makes MAC addresses learned on an interface become secure MAC addresses
to allow only hosts with secure MAC addresses and static MAC addresses to communicate
with the switch through the interface, improving switch security. For details, see
Configuring port security.
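The entry types listed above can be modelled in a few lines to show how they change the forwarding decision. This is an added example, not Huawei code or part of the original manual; the aging time, the per-interface secure MAC limit, the rule that only dynamic entries age, the interface names and the MAC addresses are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DYNAMIC, STATIC, SECURE, BLACKHOLE = "dynamic", "static", "secure", "blackhole"


@dataclass
class Entry:
    kind: str
    port: Optional[str]       # blackhole entries have no outbound interface
    last_seen: float = 0.0


class MacTable:
    """Toy model of the MAC table behaviour described in the text."""

    def __init__(self, aging_time: float = 300.0, secure_limit: int = 1):
        self.aging_time = aging_time        # assumed value, in seconds
        self.secure_limit = secure_limit    # assumed per-interface limit
        self.entries: Dict[Tuple[int, str], Entry] = {}
        self.secure_ports: Set[str] = set()

    def add_static(self, vlan: int, mac: str, port: str) -> None:
        self.entries[(vlan, mac)] = Entry(STATIC, port)

    def add_blackhole(self, vlan: int, mac: str) -> None:
        self.entries[(vlan, mac)] = Entry(BLACKHOLE, None)

    def enable_port_security(self, port: str) -> None:
        self.secure_ports.add(port)

    def age(self, now: float) -> List[Tuple[int, str]]:
        """Delete dynamic entries not refreshed within aging_time."""
        expired = [key for key, e in self.entries.items()
                   if e.kind == DYNAMIC and now - e.last_seen > self.aging_time]
        for key in expired:
            del self.entries[key]
        return expired

    def _learn(self, port: str, vlan: int, src: str, now: float) -> Optional[str]:
        """Process the source MAC; return a drop reason or None if accepted."""
        entry = self.entries.get((vlan, src))
        if entry and entry.kind == BLACKHOLE:
            return "blackhole-src"
        if port in self.secure_ports:
            # Only secure and static MACs bound to this interface may talk.
            if entry and entry.kind in (SECURE, STATIC) and entry.port == port:
                return None
            in_use = sum(1 for e in self.entries.values()
                         if e.kind == SECURE and e.port == port)
            if (entry is None or entry.kind == DYNAMIC) and in_use < self.secure_limit:
                self.entries[(vlan, src)] = Entry(SECURE, port, now)
                return None
            return "port-security"
        if entry is None or entry.kind == DYNAMIC:
            # Normal source learning; static and secure entries are not overwritten.
            self.entries[(vlan, src)] = Entry(DYNAMIC, port, now)
        return None

    def receive(self, port: str, vlan: int, src: str, dst: str, now: float = 0.0) -> str:
        """Return 'forward:<port>', 'flood' or 'drop:<reason>' for one frame."""
        reason = self._learn(port, vlan, src, now)
        if reason:
            return f"drop:{reason}"
        target = self.entries.get((vlan, dst))
        if target is None:
            return "flood"              # unknown unicast
        if target.kind == BLACKHOLE:
            return "drop:blackhole-dst"
        return f"forward:{target.port}"


def demo() -> List[str]:
    """Run a constructed frame sequence and return each decision."""
    a, b, c, d = "00e0-fc00-0001", "00e0-fc00-0002", "00e0-fc00-0003", "00e0-fc00-0004"
    table = MacTable()
    table.enable_port_security("GE0/0/3")
    results = [
        table.receive("GE0/0/1", 10, a, b, now=0),   # destination unknown
        table.receive("GE0/0/2", 10, b, a, now=1),   # a was learned on GE0/0/1
    ]
    table.add_blackhole(10, b)
    results += [
        table.receive("GE0/0/2", 10, b, a, now=2),   # blackhole source
        table.receive("GE0/0/1", 10, a, b, now=3),   # blackhole destination
        table.receive("GE0/0/3", 10, c, a, now=4),   # first MAC becomes secure
        table.receive("GE0/0/3", 10, d, a, now=5),   # second MAC is refused
    ]
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```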
Procedure
l Configuring MAC/IP address security
1. Click Configuration in the function area and choose MAC Management from the
navigation tree on the left. The MAC Management page is displayed.
2. Click the icon next to MAC/IP Address Security to enable or disable MAC/IP
address security.
l Querying MAC/IP address entries
1. Click Configuration in the function area and choose MAC Management from the
navigation tree on the left. The MAC Management page is displayed.
2. Click the MAC/IP Address tab. The MAC/IP Address tab page is displayed, as
shown in Figure 2-43.
5. Set parameters.
6. Click Confirm.
l Creating a static secure MAC address
1. Click Configuration in the function area and choose MAC Management from the
navigation tree on the left. The MAC Management page is displayed.
2. Click the MAC/IP Address tab. The MAC/IP Address tab page is displayed, as
shown in Figure 2-43.
3. Select interfaces to be queried.
NOTE
Before creating a static secure MAC address, enable port security by referring to Configuring
port security.
After port security is enabled, a yellow shield identifier next to the interface is displayed.
4. Click Create Secure MAC. The Create Secure MAC page is displayed, as shown
in Figure 2-45.
5. Set parameters.
6. Click Confirm.
l Deleting MAC address entries
1. Click Configuration in the function area and choose MAC Management from the
navigation tree on the left. The MAC Management page is displayed.
2. Click the MAC/IP Address tab. The MAC/IP Address tab page is displayed, as
shown in Figure 2-43.
3. Select interfaces to be queried.
4. Select an entry and click Delete. The system asks you whether to delete the entry.
5. Click Confirm.
l Configuring a blackhole MAC address entry
1. Click Configuration in the function area and choose MAC Management from the
navigation tree on the left. The MAC Management page is displayed.
2. Click the MAC/IP Address tab. The MAC/IP Address tab page is displayed, as
shown in Figure 2-43.
3. Select interfaces to be queried.
4. Select an entry and click Convert to Blackhole MAC. The system asks you whether
to configure the entry as a blackhole MAC address entry.
NOTE
Only dynamic MAC address entries can be configured as blackhole MAC address entries.
After dynamic MAC address entries are configured as blackhole MAC address entries, select View
all interfaces so that they can be displayed in the MAC/IP address list.
5. Click Confirm.
l Configure fixing of ARP entries
1. Click Configuration in the function area and choose MAC Management from the
navigation tree on the left. The MAC Management page is displayed.
2. Click the MAC/IP Address tab. The MAC/IP Address tab page is displayed, as
shown in Figure 2-43.
3. Select interfaces to be queried.
4. Select an entry and click Fixing. The system asks you whether to fix the MAC address
entry.
NOTE
Interface Name - -
4. Set parameters.
5. Click Apply.
----End
Context
When a loop occurs on a network, broadcast, multicast, and unknown unicast packets are
repeatedly transmitted on the network. This wastes network resources or even causes service
interruption on the entire network. To allow the device to detect loops on a Layer 2 network in
a timely manner and prevent the network from being severely affected by loops, configure
loopback detection. Loopback detection enables the device to periodically send loopback
detection packets to detect loops. When a loop is detected on an interface, the device shuts down
or blocks the interface to eliminate the loop. The interface can be restored when the device detects
that the loop on the interface is eliminated.
Procedure
Step 1 Click Configuration in the function area and choose LBDT from the navigation tree on the left.
The LBDT page is displayed, as shown in Figure 2-47.
Step 3 Click Enable (Blocking Interface) or Enable (Shutdown Interface) to enable loopback
detection on an interface and set the action taken when a loop is detected.
NOTE
If Enable (Shutdown Interface) is selected, the interface is shut down when a loop is detected. The
shutdown interface can be restarted in Interface Setting > Enable/Disable Interface. For details, see
Enable/Disable Interface.
If the loopback detection status is displayed on all interfaces on which loopback detection needs
to be enabled, as shown in Figure 2-48, the configuration is successful. Otherwise, the
configuration fails.
NOTE
After line loopback detection is enabled, the system detects loops after about 5s. After 5s, click to view
the interface status.
----End
2.3.6 ACL
Access control lists (ACLs) are used to identify flows. A network device filters packets according
to certain rules. It must identify packets first, and then permit or deny the packets according
to the configured policy.
Context
You can configure ACL rules and apply the ACL to an interface to filter the packets received
by the interface. The ACL rule configuration includes source and destination IP addresses,
protocol type, and source and destination port numbers.
Procedure
l Query the ACL rules applied to interfaces.
1. Click Configuration to display the Configuration page.
2. Choose ACL in the navigation tree to display the ACL page.
3. Click the Interface ACL tab to display the Interface ACL page, as shown in Figure
2-49.
4. Click the icon of the interface to which the ACL rules are applied. The ACL rule record
is displayed in the ACL Rules area, as shown in Figure 2-50.
l Copy the ACL rules that have been applied to an interface to another interface.
1. Click Configuration to display the Configuration page.
2. Choose ACL in the navigation tree to display the ACL page.
3. Click the Interface ACL tab to display the Interface ACL page.
4. Click the icon of the interface to which the ACL rules have been applied. Click Copy
To to display the Copy To page, as shown in Figure 2-51.
5. Select the target interface to which the ACL rules are copied. You can perform the
following operations as required:
Click the icon of a single interface. Re-click the icon to deselect the interface.
Click the icons of multiple interfaces.
Drag the mouse to select multiple neighboring interfaces.
Click a device panel name and select all interfaces.
6. Click Confirm.
l Create ACL rules.
1. Click Configuration to display the Configuration page.
2. Choose ACL in the navigation tree to display the ACL page.
3. Click the Interface ACL tab to display the Interface ACL page.
4. Click the icon of the interface to which the ACL rules need to be applied and create
ACL rules.
If no record is displayed in the ACL Rules area, click or Add on the left of
Ascend. A record of ACL Rules is displayed in the ACL Rules area. Set the ACL
rule parameters.
If the existing ACL rule records are displayed in the ACL Rules area, click
or Add on the left of Ascend or on the right of Delete. A new record of ACL
Rules is displayed in the ACL Rules area. Set the ACL rule parameters, as shown
in Figure 2-52.
NOTE
If you click or Add on the left of Ascend, a new record of ACL Rules is inserted to the
first line in the ACL Rules area. If you click Add on the right of Delete, a new record of ACL
Rules is inserted below the current line in the ACL Rules area.
5. Click Apply.
l Edit ACL rules.
----End
Context
You can configure ACL rules and apply the ACL to a VLAN to filter the VLAN packets. The
ACL rule configuration includes source and destination IP addresses, protocol type, and source and
destination port numbers.
Procedure
l Query the ACL rules applied to VLANs.
1. Click Configuration to display the Configuration page.
2. Choose ACL in the navigation tree to display the ACL page.
3. Click the VLAN ACL tab to display the VLAN ACL page, as shown in Figure
2-53.
4. Select the ID of the VLAN to which the ACL rules are applied. The record is displayed
in the ACL Rules area, as shown in Figure 2-54.
l Copy the ACL rules that have been applied to a VLAN to another VLAN.
1. Click Configuration to display the Configuration page.
2. Choose ACL in the navigation tree to display the ACL page.
3. Click the VLAN ACL tab to display the VLAN ACL page.
4. Select the ID of the VLAN to which the ACL rules have been applied. Click Copy
To to display the Copy To page, as shown in Figure 2-55.
5. Enter the ID of the destination VLAN to which the ACL rules are applied, and click
Confirm.
l Create ACL rules.
1. Click Configuration to display the Configuration page.
If no record is displayed in the ACL Rules area, click or Add on the left of
Ascend. A record of ACL Rules is displayed in the ACL Rules area. Set the ACL
rule parameters.
If the existing ACL rule records are displayed in the ACL Rules area, click
or Add on the left of Ascend or on the right of Delete. A new record of ACL
Rules is displayed in the ACL Rules area. Set the ACL rule parameters, as shown
in Figure 2-56.
NOTE
If you click or Add on the left of Ascend, a new record of ACL Rules is inserted to the
first line in the ACL Rules area. If you click Add on the right of Delete, a new record of ACL
Rules is inserted below the current line in the ACL Rules area.
5. Click Apply.
l Edit ACL rules.
1. Click Configuration to display the Configuration page.
2. Choose ACL in the navigation tree to display the ACL page.
3. Click the VLAN ACL tab to display the VLAN ACL page.
4. Select the ID of the VLAN to which ACL rules have been applied, and edit the ACL
rules.
Edit ACL rule entries.
Modify the ACL rule parameters in the ACL Rules area.
Adjust the ACL rule entry sequence.
Select a record of ACL Rules in the ACL Rules area. Click Ascend or Descend
to adjust the ACL rule entry sequence.
5. Click Apply.
l Delete ACL rules.
1. Click Configuration to display the Configuration page.
----End
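The interface ACL and VLAN ACL procedures above both let you reorder rule records with Ascend and Descend, and the sketch below shows why that order matters and how to spot a rule that can never take effect. It is an added example, not Huawei code or part of the original manual; it assumes rules are evaluated from the first record down with the first match deciding the result, treats the action for packets that match no rule as a parameter because the page does not state it, and uses constructed rules and addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    protocol: str                     # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    protocol: str                     # "ip" matches every protocol
    src: str                          # source network in CIDR form
    dst: str                          # destination network in CIDR form
    src_port: Optional[int] = None    # None matches any port
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (
            self.protocol in ("ip", pkt.protocol)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and self.src_port in (None, pkt.src_port)
            and self.dst_port in (None, pkt.dst_port)
        )

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        return (
            self.protocol in ("ip", other.protocol)
            and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
            and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
            and self.src_port in (None, other.src_port)
            and self.dst_port in (None, other.dst_port)
        )


def evaluate(rules: Sequence[Rule], pkt: Packet,
             default_action: str = "permit") -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); index is None if no rule matched.

    default_action is an assumption; check the behaviour of your device.
    """
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return default_action, None


def shadowed(rules: Sequence[Rule]) -> List[Tuple[int, int]]:
    """List (rule index, index of the earlier rule that fully covers it)."""
    findings = []
    for later in range(len(rules)):
        for earlier in range(later):
            if rules[earlier].covers(rules[later]):
                findings.append((later, earlier))
                break
    return findings


# Constructed sample: a broad deny and a narrow permit for one HTTPS client.
BROAD_DENY = Rule("deny", "ip", "10.0.0.0/8", "0.0.0.0/0")
NARROW_PERMIT = Rule("permit", "tcp", "10.1.1.5/32", "192.0.2.10/32", dst_port=443)
HTTPS_PACKET = Packet("tcp", "10.1.1.5", "192.0.2.10", 50000, 443)

if __name__ == "__main__":
    for name, order in (("deny first", [BROAD_DENY, NARROW_PERMIT]),
                        ("permit first", [NARROW_PERMIT, BROAD_DENY])):
        print(name, evaluate(order, HTTPS_PACKET), "shadowed:", shadowed(order))
```

A non-empty result from `shadowed` before clicking Apply means at least one record is dead weight in its current position and needs to be moved up or removed.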
Context
Authentication configuration includes configurations of the local and RADIUS authentication
modes. If the local authentication mode is used, you must create a user account on the switch
and set a password. If the RADIUS authentication mode is used, you must configure the IP
address, port number, and shared key of the RADIUS server.
Procedure
l Configuring local authentication
1. Click Configuration to display the Configuration page.
2. Choose AAA & NAC in the navigation tree to display the AAA & NAC page.
3. Click the Authentication Configuration tab to display the Authentication
Configuration page.
4. Select an option from the User domain name drop-down list box in the
Authentication Configuration area.
5. Select Local authentication for Authentication mode, as shown in Figure 2-57.
6. Click Apply.
7. Configure the user account information for local authentication in the Account
Management area.
Create a user account.
a. Click Create to display the Create User page, as shown in Figure 2-58.
7. Click Apply.
----End
Context
To ensure communication between the switch and the Portal server, you must configure the
Portal server IP address and the parameters for information exchange between the switch and
the Portal server (including the port number and shared key of the Portal server), and bind
interfaces to the Portal server.
The device supports two configuration modes. By default, the unified mode is used. You can
run the undo authentication unified-mode command to switch the configuration mode to
traditional mode.
NOTE
After configuring Portal authentication, perform the Authentication Configuration. The two functions
implement user authentication together.
The web system supports only one Portal server, and this Portal server can only be modified but cannot be deleted
through the web system. To delete the Portal server, run the undo web-auth-server command in the system
view.
Procedure
l The traditional mode.
1. Click Configuration to display the Configuration page.
2. Choose AAA & NAC in the navigation tree to display the AAA & NAC page.
3. Click the Portal Server tab to display the Portal Server page, as shown in Figure
2-61.
Parameter Description
VLANIF interface
Select an interface and click to bind
the interface to the Portal server.
You can select multiple interfaces to
bind them to the Portal server.
To unbind an interface from the Portal
server, select the interface and click
.
NOTE
The S2720 and S2750 do not support this
function.
----End
Context
The device supports two configuration modes. By default, the unified mode is used. You can
run the undo authentication unified-mode command to switch the configuration mode to
traditional mode.
When performing access configuration, you must enable the authentication function first, and
then select the interface to which the access configuration applies and select an authentication
mode.
NOTE
After performing access configuration, perform the Authentication Configuration. The two functions
implement user authentication together.
Procedure
l The traditional mode.
1. Click Configuration to display the Configuration page.
2. Choose AAA & NAC in the navigation tree to display the AAA & NAC page.
3. Click the Access Configuration tab to display the Access Configuration page, as
shown in Figure 2-63.
NOTE
7. Click Apply.
In the dialog box, Success indicates the number of interfaces for which the interface
authentication function is successfully applied; Failure indicates the number of
interfaces for which the interface authentication function fails to be applied.
l The unified mode.
1. Click Configuration to display the Configuration page.
2. Choose AAA & NAC in the navigation tree to display the AAA & NAC page.
3. Click the Access Configuration tab to display the Access Configuration page, as
shown in Figure 2-66.
4. Select interfaces for which the authentication function needs to be enabled. You can
perform the following operations as required:
Click the icon of a single interface or icons of multiple interfaces.
Drag the mouse to select multiple neighboring interfaces.
Click a device panel name and select all interfaces.
5. Select an interface authentication method, as shown in Figure 2-67.
NOTE
6. Click Apply.
----End
Context
A loop can easily occur on a complex network. To implement redundancy, network designers
tend to deploy multiple physical links between two devices, one of which is the master while the
others are backups. As a result, loops may occur. A loop causes broadcast storms. Consequently,
network resources are exhausted and the network breaks down. In addition, a loop causes MAC
address table flapping. As a result, MAC address entries are damaged.
You can deploy a spanning tree protocol to trim a network with loops into a loop-free tree
network. The spanning tree protocol prevents infinite looping of packets to ensure packet
processing capabilities of devices.
Procedure
Step 1 Choose Configuration to open the Configuration page. Click STP to open the STP page, as
shown in Figure 2-68.
If the STP status and port roles are displayed on all ports that need to be enabled with STP, the
configuration is successful and STP takes effect, as shown in Figure 2-69.
NOTE
l If the interface is shut down or goes Down, then after STP is successfully configured the
interface icon shows that STP has been enabled but is invalid.
l If STP is configured on an Eth-Trunk, STP takes effect only on the Eth-Trunk. However, the STP
status, port roles, and Eth-Trunk ID are displayed on its member interfaces.
----End
2.4 Maintenance
This section describes common device maintenance, for example, system setting, system
maintenance, file management, log management, SNMP, diagnosis tool and user management.
Context
You can set an accurate system time for a switch on the System Setting page to ensure that the
switch can work with other network devices normally. You can also set other system information
on this page, including the device name and HTTP timeout interval, to facilitate device
maintenance.
Procedure
Step 1 Choose Maintenance > System Setting. The System Setting page is displayed.
Step 2 Set the parameters in the System Time section, as shown in Figure 2-70.
Item Description
Time zone Mandatory option. Indicates the time zone. Select the
time zone based on the device location.
Set time and date Mandatory option. Indicates the date and time that you
want to set. You need to click to set the date and
time.
Step 3 Set the parameters in the System Info section, as shown in Figure 2-71.
l If the system time is changed to no more than 10 minutes later than the scheduled restart
time, the system will display a message as shown in Figure 2-73, asking whether you want
to restart the device immediately.
----End
2.4.2.1 Reboot
This section describes related operations for restarting a device.
Context
After you specify the system software, configuration file, and patch file for next startup, you
must restart the device to make the files take effect. The web system provides two restart modes:
immediate restart and timed restart. After you restart a device, services will be interrupted;
therefore, you need to restart the device when the device is idle. If the device is idle currently,
restart the device immediately. If the device is busy processing services, restart the device at a
scheduled time when the device is idle.
NOTICE
You are advised to save the current configuration before you restart a device. Otherwise, the
configuration may be lost.
Procedure
Step 1 Choose Maintenance > System Maintenance > Reboot. The Reboot page is displayed. Figure
2-74 shows the Reboot page.
Step 2 In the Current System Information section, click Save to prevent configuration loss after the
restart. In the confirm dialog box that is displayed, click Confirm to save the current
configuration.
Step 3 In the Configuration File section, select the files for the system to use at the next startup from
the drop-down list boxes and click Apply to save the configuration.
Step 4 In the Restart Mode section, select a restart mode and click Apply. If you select Immediate,
a message is displayed, asking whether you want to save the configurations. After you click
Save, the device restarts immediately and terminates the web connection. If you select Timed,
enter a specific restart time. The device will restart at the specified time.
----End
2.4.2.2 Upgrade
This section describes how to upgrade the system software through the web system.
Context
To upgrade the system software of a device, you need to upload upgrade files to the device,
specify files for next startup, and restart the device to make the upgrade files take effect. The web
system allows you to upgrade the system software on the GUI, simplifying the upgrade
operations and improving efficiency.
NOTICE
l Ensure that the configurations are saved before you upgrade the system software.
l Do not power off the device during the upgrade.
l It takes a long time to upload system software to the device; therefore, before upgrading the
system software, choose Maintenance > System Setting > System info and set HTTP
timeout interval to 60 minutes.
Procedure
Step 1 Choose Maintenance > System Maintenance > Upgrade. The Upgrade page is displayed.
Figure 2-75 shows the Upgrade page.
Item Description
System file information: Displays the system file and patch file currently used by the device and
the current system software version of the device.
Locally upload system file: Select files to be uploaded. You can upload files saved locally to the
device. This option allows you to upload the system software and patch file only.
Upgrade system file, System File: Select the system software for upgrade from a drop-down list box.
Upgrade system file, Patch File: Select the patch file for upgrade from a drop-down list box.
Step 2 Upload the upgrade file. Click Browse, select the corresponding upgrade file, and then click
Upload.
Step 3 Select files to be upgraded. Select the uploaded system file or patch file from the drop-down list
box and click Upgrade. A dialog box is displayed indicating that the device will restart and
asking whether you want to save the configuration.
Step 4 Click Save and the device automatically restarts. The web system cannot be used during the
device restart. You need to log in to the web system again after the upgrade process is complete.
----End
2.4.2.3 Patch
This section describes how to upload, load, and uninstall patches.
Context
There are two types of patches: cold patch and hot patch. A cold patch takes effect only after
the switch restarts and a hot patch takes effect immediately after it is loaded to the switch. On
the Patch page, you can load or uninstall hot patches only. You can load or uninstall cold patches
on the Upgrade page.
l A patch is a kind of software compatible with the system software. It is used to remove
critical bugs of the system software. The extension name of the patch file is .pat.
l Before loading patches, you need to save patch files to the storage device of the switch.
Patch files are uploaded to the switch using HTTP.
l After a patch is uninstalled, delete the patch from the memory.
Procedure
Step 1 Choose Maintenance > System Maintenance > Patch. The Patch page is displayed. Figure
2-76 shows the Patch page.
Step 2 Click Browse under Upload Patch, select the patch file to be uploaded, and click Upload.
Step 3 Select the patch that you want to load from the Load patch drop-down list box and click Load
patch. The currently loaded patch file is displayed under Patch Information.
----End
2.4.2.4 Initialize
You can restore the factory settings of a switch on this page.
Context
If improper configurations have been performed on the switch, you can restore the factory
settings of the switch.
NOTICE
After you restore the factory settings of the switch, all the configurations that you have made on
the switch will be deleted and cannot be restored. The original management IP address becomes
invalid and the web system is unavailable. Use a serial cable to connect the console interface of
the switch to your PC and reconfigure the switch.
Procedure
Step 1 Choose Maintenance > System Maintenance > Initialize. The Initialize page is displayed.
----End
Context
The web system provides file management functions to facilitate user operations. Figure 2-77
shows the File Management page.
Procedure
l Uploading Files
1. Choose Maintenance > File Management. The File Management page is displayed.
2. Click Upload. The Upload a file page is displayed. Figure 2-78 shows the Upload
a file page.
3. Select local files to be uploaded and click Confirm. After the files are uploaded, the
system displays a message indicating the successful upload.
NOTE
You can only upload files with the following file name extensions: .cc, .pat, .zip,
.7z, .txt, .log, .dblg, .cfg, .bat, and .xml.
l Downloading Files
1. Choose Maintenance > File Management. The File Management page is displayed.
2. Click Download next to the file name and select a path to save the file.
NOTE
You can only download files with the following file name extensions: .cc, .pat, .zip,
.7z, .txt, .log, .dblg, .cfg, .bat, and .xml.
l Moving Files to the Recycle Bin
After files are moved to the recycle bin, they still exist on the switch. You can restore the
files in the recycle bin.
1. Choose Maintenance > File Management. The File Management page is displayed.
2. Select the file you want to delete.
3. Click Move to Recycle Bin. The message "Are you sure to delete?" is displayed on
the system.
4. Click Confirm to complete the configuration.
l Deleting Files Permanently
NOTICE
The files deleted permanently cannot be restored.
1. Choose Maintenance > File Management. The File Management page is displayed.
2. Select the file you want to delete.
3. Click Permanently Delete. The message "Are you sure to delete?" is displayed on
the system.
4. Click Confirm to complete the configuration.
l Restoring Files
You can restore the files in the recycle bin to the storage device.
1. Choose Maintenance > File Management. The File Management page is displayed.
2. Select the file to be restored.
3. Click Restore to restore the file. The restored file is no longer saved in the recycle
bin.
l Deleting Files from the Recycle Bin
The files in the recycle bin still occupy storage space. You can delete useless files
permanently from the recycle bin to save the storage space.
1. Choose Maintenance > File Management. The File Management page is displayed.
2. Select the file you want to delete permanently.
3. Click Delete. The message "Are you sure to delete?" is displayed on the system.
4. Click Confirm to complete the configuration.
----End
Context
The log management function records user actions, helps monitor system security, and provides
information for system diagnosis and maintenance.
Procedure
Step 1 Click Maintenance in the function area, and then click Log Management in the navigation tree
to display the Log Management page, as shown in Figure 2-79.
Step 2 You can enter a log level and time range to search for specified logs.
----End
2.4.5 SNMP
Simple Network Management Protocol (SNMP) is a standard network management protocol
widely used on TCP/IP networks. SNMP uses a central computer (a network management
station) that runs network management software to manage network elements.
Context
SNMP agent is an agent program on the managed device. The SNMP agent maintains
information for the managed device, responds to the requests from the NMS, and sends
management data to the NMS. Before the NMS manages a device through SNMP, the SNMP
agent must be enabled on the device and a proper SNMP version needs to be selected.
The web system supports SNMPv1 and SNMPv2c. The device and NMS must use the same SNMP
version.
NOTE
If a device is managed by multiple NMSs running different SNMP versions, all the SNMP versions need to be
set on the device so that the device can communicate with these NMSs.
Procedure
Step 1 Click Maintenance to open the maintenance page.
Step 2 Click SNMP in the left navigation tree to open the SNMP Agent configuration page, as shown
in Figure 2-80.
Step 3 Set the SNMP Agent parameters, including SNMP Agent status, SNMP Agent version,
community name, and access rights. For description of the parameters, see Table 2-31.
----End
2.4.6.1 Ping
The ping command is used to check network connectivity and host reachability.
Procedure
Step 1 Click Maintenance to open the maintenance page.
Step 2 Click Diagnosis Tool in the navigation tree to open the Diagnosis Tool page.
Step 4 Enter the IP address in the ping text box and click Start. The network connection information
is displayed, as shown in Figure 2-81.
NOTE
If no response packets are received within the timeout interval, the following information is displayed:
Request time out. The preceding information shows that a link is faulty.
----End
2.4.6.2 Tracert
You can use the tracert command to test the gateways that packets pass through from the source
host to the destination host. The tracert command is used to check network connectivity and
locate network faults.
Context
The Tracert command, also called Trace Route, helps you check the IP addresses and the
number of gateways between the source and the destination. Tracert is used to check network
connectivity and locate network faults.
Procedure
Step 1 Click Maintenance to open the maintenance page.
Step 2 Click Diagnosis Tool in the navigation tree to open the Diagnosis Tool page.
Step 4 Enter the IP address in the tracert text box and click Start. The Layer 3 devices that packets
pass through between the source host and the destination host are displayed, as shown in Figure
2-82.
NOTE
l The output of the tracert command includes IP addresses of all the gateways through which the packet
reaches the destination. If one gateway sends back a packet indicating TTL timeout, * is displayed.
l The tracert test may take a long time.
----End
2.4.6.3 VCT
The VCT function controls the hardware interfaces and displays the cable status on the GUI so
that you can conveniently and quickly locate faults and check lengths of cables.
Context
The VCT function helps to detect the type of a network cable fault and locate the faulty point.
In this manner, network cable faults can be conveniently located.
l If the cable works properly, the total length of the cable is displayed.
l If the cable cannot work properly, the distance between the interface and the fault point is
displayed.
The VCT test result is only for reference and may be inaccurate for cables of some vendors.
VCT takes effect only on optical interfaces that have GE copper modules installed or GE
electrical interfaces on the device.
Procedure
Step 1 Click Maintenance in the function area and choose Diagnosis Tool from the navigation tree on
the left. The Diagnosis Tool page is displayed. Click VCT, as shown in Figure 2-83.
Step 2 Select the interface that you want to configure. Perform either of the following operations as
required.
l Click an interface icon to select an interface.
NOTICE
After you click Start, the message "The operation may cause Web NMS disconnected from the
server. Continue?" is displayed on the system. Exercise caution when you perform this operation.
Step 4 Click Confirm. The check result is displayed. Figure 2-84 shows the check result.
----End
Context
User management includes creating a local user account (web platform user with the access type
HTTP) and modifying or deleting existing user accounts.
By default, a local user named admin exists in the system. The user password is
admin@huawei.com, and access type is HTTP.
NOTE
A simple password brings security risks. It is recommended that you change the password to a complicated one
after logging in to the web network management system using the default account. A password should consist
of at least 8 characters, and contain at least two types of the following: lowercase letters, uppercase letters,
numerals, special characters (such as ! $ # %). The password cannot contain spaces and single quotation marks
('). In addition, the password cannot be the same as the user name or the mirror user name.
To ensure device security, change the password periodically.
Procedure
l Create a user account.
1. Click Maintenance to display the Maintenance page.
2. Click User Management in the navigation tree to display the User Management
page, as shown in Figure 2-85.
3. Click Create to display the Create User page, as shown in Figure 2-86.
2. Click User Management in the navigation tree to display the User Management
page.
3. You can delete a user account using either of the following methods:
Click Delete next to the user account to be deleted.
Select the records of the user accounts to be deleted, and click Delete next to
Create to delete the user accounts in batches.
After you click Delete, the system prompts you to confirm the deletion operation.
4. Click Confirm.
----End
2.5 Network
The EasyDeploy function simplifies network configuration and implements remote deployment
and centralized management of network devices.
To configure the EasyDeploy function, determine roles of devices first. After a device is
configured as the Commander, you can view client information, configure and upgrade clients,
and view power consumption of the device and the entire network on the Commander.
NOTE
The devices that cannot work as the Commander can only be configured as the client, and the Summary,
Deployment, Batch Configuration, and Power Consumption menus are not available.
If the topology function is not enabled on the Commander, the Summary, Deployment, and Batch
Configuration menus are not available.
Summary, Deployment, and Batch Configuration functions are implemented based on the topology and
supported only by the Firefox browser or Microsoft Internet Explorer browser later than 9.0.
Table 2-34 lists the device models and versions that support the EasyDeploy function.
2.5.1.1 Commander
You can configure global parameters for the Commander, including the role, Commander IP
address and port, file server, and default files to be downloaded.
Procedure
Step 1 Click Network in the function area to display the Network page.
Step 2 Click Role Configuration in the navigation tree to display the Role page.
Parameter Description
Port: If you keep this field blank, the default UDP port is used.
Automatically discover clients: If you select ON, the Commander automatically learns client information, including each client's MAC address, ESN, IP address, device type, device model, system software name, configuration file name, and patch file name. This function enables the Commander to monitor and manage basic information and version files for clients on the network.
Aging time of offline clients: If you select ON, set an aging time. If the Commander does not receive status information from a client in 2 minutes, the Commander considers the client offline. When the number of clients managed by a Commander reaches the upper limit, new client information cannot be added to the Commander. To release the space occupied by offline clients in the client database, configure an aging time for offline clients. When the aging time expires, the Commander deletes the offline client.
File Server Configuration > Server type: Options are FTP, SFTP, and TFTP.
NOTE
FTP and TFTP cannot ensure secure file transfer. SFTP is recommended on networks that require high security.
File Server Configuration > User name: Set the user name used to log in to the file server.
Download File Configuration > File activation mode: Options are Default mode and Reset mode. By default, if downloaded files include a software package (*.cc), clients activate all the downloaded files by resetting. In a batch upgrade, if downloaded files include a configuration file, clients activate all the downloaded files by resetting.
Automatic Backup Configuration: Options are Non-backup, Save backup file as new file, and Overwrite original file.
Default File Setting > System file name, System version, Configuration file name, License file name, User-defined file name: If you do not specify any file information, the default file information is used. You can specify a maximum of three self-defined files.
----End
2.5.1.2 Client
To enable the Commander to manage clients, specify the Commander IP address and port number
on the clients.
Procedure
Step 1 Click Network in the function area to display the Network page.
Step 2 Click Role Configuration in the navigation tree to display the Role page.
Step 4 Enter the Commander IP address and UDP port and select whether to enable the network
topology collection function. The Commander IP address you enter here must be the same as
that configured on the Commander. If you keep the UDP port blank, the default UDP port is
used.
After you click Apply, the Summary, Deployment, Batch Configuration, and Power
Consumption nodes disappear from the navigation tree. These functions are supported only on
the Commander and are hidden for clients.
NOTE
After completing the client configuration, you can click Go to Commander web NMS to view Commander
information or configure the Commander.
----End
2.5.2 Summary
On the Summary page, you can view the network topology and device information, and save
topology information on the device.
Context
To view network topology information, you must enable topology discovery on the Commander.
For details, see (Optional) Configuring Network Topology Collection.
Procedure
• View the network topology.
1. Click Network in the function area to display the Network page.
2. Click Summary in the navigation tree to display the Summary page. The network
topology is displayed, as shown in Figure 2-91.
----End
2.5.3 Deployment
On the Commander, you can perform unconfigured client deployment, faulty client replacement,
and batch client configuration based on topology information.
Procedure
Step 1 Click Network in the function area to display the Network page.
Step 2 Click Deployment in the navigation tree to display the Deployment page.
Step 3 Select an unconfigured device. The device information is displayed, as shown in Figure 2-93.
Step 4 Click Set Running File to display the Set Running File page, as shown in Figure 2-94.
----End
Procedure
Step 1 Click Network in the function area to display the Network page.
Step 2 Click Deployment in the navigation tree to display the Deployment page.
Step 3 Select the faulty device to be replaced. The device information is displayed, as shown in Figure
2-95.
Step 4 Click Replace Running File and enter the file information in the displayed page.
----End
Procedure
Step 1 Click Network in the function area to display the Network page.
Step 2 Click Deployment in the navigation tree to display the Deployment page.
Step 3 Select the device to be upgraded and click Upgrade. Enter information about the upgrade system
software and patch file on the displayed page.
----End
Procedure
• Configure clients in a batch.
1. Click Network in the function area to display the Network page.
2. Click Batch Configuration in the navigation tree to display the Batch
Configuration page.
3. Select the device to be configured and click Batch Configuration, as shown in Figure
2-96. Import the script file.
----End
Procedure
• View the power consumption trend on the network.
1. Click Network in the function area to display the Network page.
2. Click Power Consumption in the function area to display the Power
Consumption page.
3. Select a time period from the drop-down list box to view the power consumption trend
of the network in one day, three days, or a week. By default, the system displays the
power consumption trend in one day, as shown in Figure 2-97.
----End
3 Classics Edition
The windows layout of the web system of the classics edition is based on the refined and
comprehensive web network management functions it provides.
This chapter describes service management for the switch. The Web system provides
management functions for VLAN, MAC, STP, Voice VLAN, DHCP, ARP, VRRP, and IGMP
Snooping services. You can query and configure the required services.
3.8 WLAN(S5720HI)
This chapter describes WLAN AC configuration for the switch. You can query and configure
the WLAN AC. Only the S5720HI supports WLAN AC.
3.9 ACL
The following sections describe how to view, add, modify, and delete ACLs and ACL effective
periods, and how to configure the ACL function.
3.10 QoS
This chapter describes the implementation principle of class-based QoS, and configuration
methods of traffic management, interface-based rate limit, traffic shaping, priority mapping, and
congestion management.
3.11 IP Routing
This document describes the configurations of IP routing.
3.12 Security
This chapter describes concepts and configurations of security management, including Port
isolation, Static user binding, AAA, 802.1x, and MAC Authen.
3.13 Tools
This document describes the commands for maintaining and diagnosing the switch, that is, ping,
tracert, VCT, AAA Test, and RF-Ping.
No. Description
1 Navigation tree
2 Your Position
3 Tabs
4 Configuration area
NOTE
WDS Wizard: The WDS Wizard helps you quickly complete WDS configurations step by step, allowing APs to set up WDS connections.
Mesh Wizard: The Mesh Wizard helps you quickly complete Mesh configurations step by step, allowing APs to set up Mesh connections.
Radio Profile: Configures and queries the radio and WMM profiles.
Service Set: Configures and queries the service set, traffic profile, security profile, ESS interface, and STA whitelist and blacklist.
WDS Profile: Configures and queries the WDS bridge profile and whitelist, and wireless virtual connections.
Mesh Profile: Configures and queries the Mesh bridge profile and whitelist, and wireless virtual connections.
Load Balancing: Configures and queries the static and dynamic load balancing groups.
ACL Effective Period: Configures and queries the ACL effective period.
IP Routing > IPv4 Route: Configures and queries IPv4 routes, including IPv4 static routes and global IPv4 routing information.
Security > Port isolation: Configures and queries isolation mode and isolation directions.
3.1.1.3 Buttons
The buttons that you usually use on the Web system GUI are described in this section.
Button Function
Table 3-3 describes the elements that you usually use on the Web system GUI.
NOTE
The GUI elements described in this section are used for reference only because the GUI elements of
different switch models have slight differences.
Name Element
Button
Move button
Option button
Check box
Tab
Text box
Browse box
Group box
Drop-down list box
Menu
Navigation tree
Time setting
Mandatory option
Interface panel
The following sections describe the operations of user management. To configure user
management, choose Security > AAA > User Management.
Context
You can add user accounts only when your user level is greater than 2.
NOTE
You can create a user account at the same or lower level.
Procedure
Step 1 Choose Security > AAA > User Management in the navigation tree to open the User
Management page.
Step 3 Enter User Name, Password, Confirm Password, set User Level, and set the access type to
HTTP. Retain the default values of other parameters.
----End
Context
You can change the passwords only when your user level is greater than 2.
Procedure
Step 1 Choose Security > AAA > User Management in the navigation tree to open the User
Management page.
Step 2 Select a record that you want to modify and click to open the Modify User page.
----End
Context
You can delete user accounts only when your user level is greater than 2.
NOTE
You can delete a user account at the same or lower level but not your own account.
Procedure
Step 1 Choose Security > AAA > User Management in the navigation tree to open the User
Management page.
Step 2 Select a record that you want to delete and click Delete. The system asks you whether to delete
the record.
----End
NOTE
A button is available on the Classics edition for you to switch to the EasyOperation edition.
Click EasyOperation at the upper right corner as shown in Figure 3-2 to switch to the
EasyOperation edition.
NOTICE
Click Save after the preceding configuration; otherwise, the configuration that has not been
saved will be lost upon reboot.
• Click in the navigation tree to save all the configuration data to the configuration
file.
You can log out of the Web system in either of the following ways:
• Click on the top right corner of the page to close the browser.
NOTE
3.2.1 Lineate
The Lineate window provides wired-side summary information for you to query.
3.2.1.1 Panel
This subnode provides information about the device panel.
Context
The panel area on the Web system page displays information about each port of the selected
switch, including:
• Number of ports
• Operating mode of each port
NOTE
You can place the cursor on a port to view the type, rate, and status of the port.
Procedure
Step 1 Click Device Summary > Lineate in the navigation tree to open the Lineate page.
Step 2 Select a refresh interval from the drop-down list before Refresh. The value Manual indicates
that the page is not refreshed automatically. The default interval is 60 seconds.
Step 3 Click Refresh. Then the Web system synchronizes data with the switch and refreshes the
information on the page.
Step 4 If you click a port icon, the configuration information of each port is displayed, as shown in
Figure 3-4.
----End
Procedure
Step 1 Click Device Summary > Lineate in the navigation tree to open the Lineate page.
The System Description and Board Information sections are displayed on the Device
Summary page, as shown in Figure 3-5 and Figure 3-6.
----End
Context
The switch status area displays the current CPU usage, memory usage, temperature, and fan
status of the switch. When you hover the mouse over the image of the CPU usage, memory usage,
or temperature status, the current value and threshold value pop up for each item.
Procedure
• Click Device Summary > Lineate in the navigation tree to open the Lineate page. The
Switch Status section is displayed on the Device Summary page, as shown in Figure
3-7.
----End
Context
You can learn about the interface utilization from this subnode. You can view the bandwidth
utilization trend and configure relevant parameters. The contents consist of:
• Interface Name
• Input
• Output
Procedure
Step 1 Click Device Summary > Lineate in the navigation tree to open the Lineate page. For a stacked
device, click the slot ID of the device to open the Board Information page.
----End
Context
The system log information area displays the latest five logs. You can view more logs. The
contents consist of:
• Time
• Level
• Log Content
Procedure
Step 1 Click Device Summary > Lineate in the navigation tree to open the Lineate page. You can
view the System Log tab page, as shown in Figure 3-9.
Step 2 Select a refresh interval from the drop-down list next to Refresh. The value Manual indicates
that the page is not refreshed automatically. The default refresh interval is 60 seconds. The system
refreshes the page when the interval elapses and displays the latest five logs.
Step 3 Click Refresh. The Web system synchronizes data with the switch and refreshes the information
on the page to display the latest five logs.
Step 4 Click More Logs to enter the Log Management page, and you can view the latest 300 logs.
The log information includes time, module, level, mnemonic, and log content.
----End
3.2.1.6 Trends
This subnode displays the CPU usage, memory usage, temperature, and port usage of the
switch according to your selection.
Procedure
Step 1 Click Device Summary > Lineate in the navigation tree to open the Lineate page. For a stacked
device, click the slot ID of the device to open the Board Information page.
Step 2 Click a port in the Bandwidth Utilization section to open the Trends page.
1. Click the unfold button on the right of CPU Usage, and the CPU usage trend is
displayed, as shown in Figure 3-10.
2. Click the unfold button on the right of Memory Usage, and the memory usage trend is
displayed, as shown in Figure 3-11.
3. Click the unfold button on the right of Temperature, and the temperature trend is
displayed, as shown in Figure 3-12.
4. Select an interface name from the drop-down list. Click the unfold button on the right of
Bandwidth Utilization, and the bandwidth utilization trend of this interface is displayed,
as shown in Figure 3-13.
Step 3 Click Back on the upper right corner of the page, and the Device Summary page is displayed.
----End
3.2.2 Wireless
The Wireless window provides wireless side summary information for you to query.
Background
You can view device information to verify that a device runs properly.
Device Information
Top10 AP Statistics
You can view statistics on the top ten APs that have most users connected.
You can view statistics on the top ten APs that have the highest association failure rate.
You can view information about the detected Rogue client, Rogue AP, and Adhoc rogue.
Statistics Details
You can view information about AP Statistics and User Statistics, including the number of all
APs, number of online APs, number of unauthenticated APs, number of other APs, number of
access users, and number of users connected to the 2.4 GHz and 5 GHz radios in the AP
Details window.
You can view statistics on the top ten SSIDs that have most users connected.
You can view statistics on the top ten APs that have the highest uplink traffic and channel usage.
Click . The displayed results are arranged based on AP name, AP traffic(KB), 2.4 GHz
channel usage(%), and 5 GHz channel usage(%).
3.3.1 Panel
This subnode provides information about the device panel.
Context
The panel area on the Web system page displays information about each port of the selected
switch, including:
• Number of ports
• Operating mode of each port
NOTE
You can place the cursor on a port to view the type, rate, and status of the port.
Procedure
Step 1 To view the panel of a non-stacked device, click Device Summary in the navigation tree to open
the Device Summary page.
Step 2 To view the panel of a stacked device, click Device Summary in the navigation tree to open the
Device Summary page. The stack topology is displayed on the page, as shown in Figure
3-16. Click the slot ID of a device to display the Board Information, as shown in Figure
3-15.
Step 3 Select a refresh interval from the drop-down list before Refresh. The value Manual indicates
that the page is not refreshed automatically. The default interval is 60 seconds.
Step 4 Click Refresh. Then the Web system synchronizes data with the switch and refreshes the
information on the page.
Step 5 If you click a port icon, the configuration information of each port is displayed, as shown in
Figure 3-17.
----End
Procedure
Step 1 To view the system description of a non-stacked device, click Device Summary in the navigation
tree to open the Device Summary page.
The System Description and Board Information sections are displayed on the Device
Summary page, as shown in Figure 3-18 and Figure 3-19.
Step 2 To view the system description of a stacked device, click Device Summary in the navigation
tree to open the Device Summary page. The system description is displayed on this page, as
shown in Figure 3-18. Click the slot ID of a device to display the Board Information page, as
shown in Figure 3-19.
----End
Context
The switch status area displays the current CPU usage, memory usage, temperature, and fan
status of the switch. When you hover the mouse over the image of the CPU usage, memory usage,
or temperature status, the current value and threshold value pop up for each item.
Procedure
• To view the status of a non-stacked device, click Device Summary in the navigation tree
to open the Device Summary page. The Switch Status section is displayed on the Device
Summary page, as shown in Figure 3-20.
• To view the status of a stacked device, click Device Summary in the navigation tree to
open the Device Summary page. Click the slot ID of a device to display the Board
Information page. The Slot Status section is displayed on the Board Information page,
as shown in Figure 3-21.
• To view the status of a device that supports batteries, click Device Summary in the
navigation tree to open the Device Summary page. The Device Status section displays
differently when no battery is available, a lead-acid battery is available, or a lithium battery
is available.
NOTE
• The following product models support the use of batteries: S5700-28P-LI-BAT and
S5700-28P-LI-24S-BAT.
• The preceding product models support the following batteries: lead-acid battery (used with the
PBB-12AHA lead-acid battery charger module), 4AHA lithium battery, and 8AHA lithium
battery.
If no battery is available, the Switch Status section displays as shown in Figure 3-22.
If a lead-acid battery is installed on the device, the Switch Status section displays as
shown in Figure 3-23. For the meaning of each field for the battery, see Table 3-4.
Field Description
2 Battery status:
• Charge: The battery is charging.
• Discharge: The battery is discharging.
• Full: The battery is fully charged.
• Abnormal: The battery becomes faulty.
If a lithium battery is installed on the device, the Switch Status section displays as
shown in Figure 3-24. For the meaning of each field for the battery, see Table 3-5.
Field Description
1 Battery type:
• Lithium battery (4AHA)
• Lithium battery (8AHA)
----End
Context
You can learn about the interface utilization from this subnode. You can view the bandwidth
utilization trend and configure relevant parameters. The contents consist of:
• Interface Name
• Input
• Output
Procedure
Step 1 Click Device Summary in the navigation tree to open the Device Summary page. For a stacked
device, click the slot ID of the device to open the Board Information page.
----End
Context
The system log information area displays the latest five logs. You can view more logs. The
contents consist of:
• Time
• Level
• Log Content
Procedure
Step 1 Click Device Summary in the navigation tree to open the Device Summary page. You can view
the System Log tab page, as shown in Figure 3-26.
Step 2 Select a refresh interval from the drop-down list next to Refresh. The value Manual indicates
that the page is not refreshed automatically. The default refresh interval is 60 seconds. The system
refreshes the page when the interval elapses and displays the latest five logs.
Step 3 Click Refresh. The Web system synchronizes data with the switch and refreshes the information
on the page to display the latest five logs.
Step 4 Click More Logs to enter the Log Management page, and you can view the latest 300 logs.
The log information includes time, module, level, mnemonic, and log content.
----End
3.3.6 Trends
This subnode displays the CPU usage, memory usage, temperature, and port usage of the
switch according to your selection.
Procedure
Step 1 Click Device Summary in the navigation tree to open the Device Summary page. For a stacked
device, click the slot ID of the device to open the Board Information page.
Step 2 Click a port in the Bandwidth Utilization section to open the Trends page.
1. Click the unfold button on the right of CPU Usage, and the CPU usage trend is
displayed, as shown in Figure 3-27.
2. Click the unfold button on the right of Memory Usage, and the memory usage trend is
displayed, as shown in Figure 3-28.
3. Click the unfold button on the right of Temperature, and the temperature trend is
displayed, as shown in Figure 3-29.
4. Select an interface name from the drop-down list. Click the unfold button on the right of
Bandwidth Utilization, and the bandwidth utilization trend of this interface is displayed,
as shown in Figure 3-30.
Step 3 Click Back on the upper right corner of the page, and the Device Summary page is displayed.
----End
The Easy-Operation feature implements automatic version file loading on newly delivered or
unconfigured devices and batch upgrades of devices on a campus network. Table 3-6 lists the
device models and versions that support the Easy-Operation feature.
NOTE
3.4.2 AP Wizard, 3.4.3 WLAN Wizard, 3.4.4 WDS Wizard and 3.4.5 Mesh Wizard are only available in the
NAC unified mode, and only the S5720HI supports them.
3.4.1 EasyOperation
On the EasyOperation page, you can configure global Easy-Operation parameters for a
device, including the role, Commander IP address and port, and file server.
Context
Before configuring Easy-Operation on a device, determine the role of the device.
Parameters configured here are global parameters. To configure parameters for a group, choose
System Management > EasyOperation.
NOTE
If a device does not support the Commander function, its role can only be set to Client.
Procedure
Configuring a device as a client
1. Choose Config Wizard > EasyOperation in the navigation tree to display the
EasyOperation page, as shown in Figure 3-31.
Click Finish.
You can import information about unconfigured devices to the Commander using the
configuration wizard to deploy unconfigured devices.
1. Choose Config Wizard > EasyOperation in the navigation tree to display the
EasyOperation page, as shown in Figure 3-34.
Parameter Description
Server type: This parameter is mandatory. Options are FTP, SFTP, and TFTP.
NOTE
FTP and TFTP cannot ensure secure file transfer. SFTP is recommended on networks that require high security.
User Name: Enter the user name used to log in to the file server.
Time interval: Set the interval at which you want the Commander to back up configuration files.
File activation time: Options are Active now, Active delay, and Active in time. If you select Active delay or Active in time, the related parameter is displayed for you to configure.
Client auto clear: If you select Yes, clients will delete non-startup system software packages if they do not have sufficient space for downloaded files.
NOTE
Whether clients can automatically clear their storage medium depends on the file server type. If clients download files from a TFTP server, they cannot automatically clear their storage medium because they cannot obtain the sizes of downloaded files. If an FTP or SFTP server is used but the server cannot return the file sizes, clients cannot automatically clear their storage medium.
a. Click template.zip to download this template to your computer, and then enter client
information in the template.
b. Click Browse and select the template.
7. Click Finish.
3.4.2 AP Wizard
This section describes how to configure an AP to go online using the AP wizard.
Context
The configuration wizard allows an AP to go online properly on the AC and the AC to
successfully deliver WLAN services to the AP.
Procedure
Step 1 Configure Ethernet Interface.
1. Choose Config Wizard > AP Wizard.
2. Select a search item and search interfaces based on the search item. For description of the
parameters, see Table 3-9.
Parameter Description
3. In the Interface area, click on the right side of the Ethernet Interface entry to modify
Ethernet interface configurations. For description of the parameters, see Table 3-10.
4. Click Next.
Parameter Description
2. In the Virtual Interface area, click on the right side of the virtual interface to modify
its configurations. For description of the parameters, see Table 3-11.
3. Click Next.
Parameter Description
2. In the IP Pool List area, click on the right side of the IP address pool to modify its
configurations. For description of the parameters, see Table 3-12.
3. Click Next.
Parameter Description
2. Click Next.
Parameter Description
----End
Context
The WLAN wizard allows you to configure only common wireless services. Other
configurations (for example, configuring an AC or creating a VLAN) must be performed in
corresponding service modules.
Procedure
Step 1 Configure APs.
1. Choose Config Wizard > WLAN Wizard.
2. On the Configure AP tab page that is displayed, set Search and click Go. The AP matching
the search criteria is displayed. Table 3-14 describes the parameters for searching for APs.
Alternatively, you can click Create or Batch Add, set parameters in the Create AP dialog
box, and click OK. An AP is created. Table 3-15 describes the parameters.
3. Select the APs to configure. APs on different pages can be selected simultaneously.
4. Click Next.
Parameter Description
AP ID: ID of a new AP.
SN: SN of the AP.
NOTE
When the authentication mode is non-authentication on the AC, you must set MAC address or SN. When the authentication mode is SN authentication on the AC, you must set SN.
1. On the Configure Radio tab page that is displayed, set parameters described in Table
3-16.
2. Click Next.
Parameter Description
2. Click Next.
Parameter Description
1. On the Configure WLAN Service tab page that is displayed, set Search and click Go. The
service set matching the search criteria is displayed. Alternatively, you can click Create,
set parameters in the Create Service Set dialog box that is displayed, and click OK.
2. Set service set parameters. For details about the parameters, see Table 3-18 and Table
3-19.
3. Click Next.
Parameter Description
Service Set Name: Search for the service set based on the service set name.
Service VLAN: Search for the service set based on the bound service VLAN.
Security Profile: Search for the service set based on the bound security profile.
Traffic Profile: Search for the service set based on the bound traffic profile.
ESS Interface: Search for the service set based on the bound ESS interface.
Parameter Description
2. Click Finish.
----End
Procedure
Step 1 Select AP
1. Choose Config Wizard > WDS Wizard. The WDS Wizard page is displayed.
2. Add APs.
• Click Create. One AP is created.
• Click Batch Add and select Manual or Batch import from a local file. One or more
APs are added.
Parameter Description
AP ID: ID of a new AP.
SN: SN of the AP.
NOTE
When the authentication mode is non-authentication on the AC, you must set MAC address or SN. When the authentication mode is SN authentication on the AC, you must set SN.
Parameter Description
3. Set the search criteria and click Go. All APs matching the search conditions are displayed.
For details, see Table 3-21. Select APs to be configured and click Next.
NOTE
This section provides the procedure for configuring root APs. The procedures for configuring middle and
leaf APs are similar to that for root APs.
Parameter Description
b. Click Create. A radio profile is created. See Table 3-22 for description of radio profile
parameters.
Paramete Description
r
Paramete Description
r
Probe Probe interval for radio calibration. The AP detects the radio
interval environment at regular probe intervals.
Basic Rate Configure the basic rate set of the 802.11bg protocol or the 802.11a
Set protocol in the radio profile.
All rates specified in the basic rate set must be supported by both the
AP and STA; otherwise, the STA cannot associate with the AP.
Support Configure the supported rate set of the 802.11bg protocol or the
Rate Set 802.11a protocol in the radio profile.
The supported rate set contains rates supported by the AP, except the
basic rates. The AP and STA can transmit data at all rates specified
by the supported rate set.
Paramete Description
r
l Maxim Configure the maximum MCS value for the 802.11ac protocol in the
um radio profile.
MCS A larger MCS value indicates a higher transmission rate.
for
spatial
stream
1
l Maxim
um
MCS
for
spatial
stream
2
l Maxim
um
MCS
for
spatial
stream
3
STA STA access control. This feature allows an AP to control user access
access based on the thresholds specified according to the radio channel usage
control and number of online users, which enables provision of quality
network access services.
l By STA quantity: STA access control by STA quantity is less
accurate but uses a simple algorithm. This implementation mode
is recommended when most users have the same type of services
and similar service traffic volumes.
l By channel usage: STA access control by channel usage uses a
complex algorithm but is accurately implemented to ensure
service quality. This implementation mode is recommended when
service types and traffic volumes differ greatly among users.
l Disable: STA access control is disabled.
NOTE
If the radio bound to the current radio profile is only used for WDS or Mesh
links, STA access control can be disabled.
Paramete Description
r
Hide SSID Automatic SSID hiding. To prevent new users from discovering the
when SSID of the AP to send association requests, configure automatic
reaching SSID hiding to disable the AP radio from advertising SSIDs.
threshold
Paramete Description
r
Paramete Description
r
Paramete Description
r
Threshold Alarm threshold for STAs not managed by the local AP.
for STA If there are too many STAs that are managed by other APs around
interferenc the local AP, services of the STAs managed by the local AP may be
e affected. After interference detection is enabled, the AP can detect
STAs managed by other APs. When the STAs detected exceeds the
specified alarm threshold, the AP reports alarms to the AC.
Paramete Description
r
802.11n A-MPDU status: Enable the 802.11n MAC Protocol Data Unit (MPDU)
aggregation function.
An 802.11 packet is sent as an MPDU, requiring channel competition
and backoff and consuming channel resources. The 802.11n MPDU
aggregation function aggregates multiple MPDUs into an aggregate
MAC Protocol Data Unit (A-MPDU), so that N MPDUs can be
transmitted through one channel competition and backoff. This
function saves the channel resources to be consumed for sending N-1
MPDUs. The MPDU aggregation function improves channel
efficiency and 802.11 network performance.
NOTE
It is recommended that you enable MPDU aggregation when configuring
WDS or Mesh services.
Background neighbor probing: Background neighbor probing helps you learn
status of all channels on the WLAN network.
If background neighbor probing is enabled, an AP determines
whether to switch to another channel for neighbor probing every
10s based on the service traffic volume and threshold of user quantity.
If the channel switching condition is met (the number of users or
traffic on the channel does not exceed the threshold), the AP switches
to the new channel. The AP then listens on Beacon frames on the new
channel and saves the probing result. After 60 ms, the AP switches
back to the original channel.
NOTE
If the radio bound to the current radio profile is only used for WDS or Mesh
links, STA access control can be disabled.
c. Set the search criteria and click Go. All radio profiles matching the search conditions
are displayed. Select the radio profiles required for WDS bridges and click OK.
3. Select or enter other required parameters. For description of the parameters, see Table
3-23.
Parameter Description
4. Click Next.
about the bridge profile are displayed. You can also click to edit the profile.
Parameter Description
2. Click Bridge Mode. A drop-down list box is displayed. Select a bridge role. See 3.8.6.1
Bridge Profile for description of bridge roles.
3. Click Bridge Whitelist. A drop-down list box is displayed. Select Create to create a bridge
whitelist or select an existing bridge whitelist. See Table 3-25 for description of bridge
whitelist parameters.
NOTE
If a bridge whitelist already exists, click View All on the Create Bridge Whitelist page. Detailed
parameters about the bridge whitelist are displayed. You can also click to edit the bridge whitelist.
Leaf APs require no bridge whitelist.
Parameter Description
MAC address: MAC addresses of the neighboring APs that are allowed to access
the bridge.
To add a MAC address to the bridge whitelist, enter a MAC address in
the MAC Address text box, and click . If the MAC address is
displayed in the text box below the MAC Address text box, the MAC
address is added to the bridge whitelist.
To delete a MAC address from the bridge whitelist, enter a MAC address
in the MAC Address text box, and click . If the MAC address is
removed from the text box below the MAC Address text box, the MAC
address is deleted from the bridge whitelist.
Parameter Description
5. Click Next.
Step 4 Confirm the configuration and click Finish. The WDS configuration is complete.
Step 5 Complete configurations of middle and leaf APs according to the preceding steps.
----End
Procedure
Step 1 Select AP
1. Choose Config Wizard > Mesh Wizard. The Mesh Wizard page is displayed.
2. Add APs.
l Click Create. One AP is created.
l Click Batch Add and select Manual or Batch import from a local file. One or more
APs are added.
Parameter Description
AP ID: ID of a new AP.
SN: SN of the AP.
NOTE
When the authentication mode is non-authentication on the AC, you must set
MAC address or SN. When the authentication mode is SN authentication on the
AC, you must set SN.
3. Set the search criteria and click Go. All APs matching the search conditions are displayed.
For details, see Table 3-28. Select APs to be configured and click Next.
NOTE
This section provides the procedure for configuring MPPs. The procedure for configuring MPs is similar
to that for MPPs.
Parameter Description
b. Click Create. A radio profile is created. See Table 3-29 for description of radio profile
parameters.
Parameter Description
Probe interval: Probe interval for radio calibration. The AP detects the radio
environment at regular probe intervals.
Basic Rate Set: Configure the basic rate set of the 802.11bg protocol or the
802.11a protocol in the radio profile.
All rates specified in the basic rate set must be supported by both the
AP and STA; otherwise, the STA cannot associate with the AP.
Support Rate Set: Configure the supported rate set of the 802.11bg protocol or
the 802.11a protocol in the radio profile.
The supported rate set contains rates supported by the AP, except the
basic rates. The AP and STA can transmit data at all rates specified
by the supported rate set.
l Maximum MCS for spatial stream 1
l Maximum MCS for spatial stream 2
l Maximum MCS for spatial stream 3
Configure the maximum MCS value for the 802.11ac protocol in the
radio profile.
A larger MCS value indicates a higher transmission rate.
STA access control: This feature allows an AP to control user access based on
the thresholds specified according to the radio channel usage and number of
online users, which enables provision of quality network access services.
l By STA quantity: STA access control by STA quantity is less
accurate but uses a simple algorithm. This implementation mode
is recommended when most users have the same type of services
and similar service traffic volumes.
l By channel usage: STA access control by channel usage uses a
complex algorithm but is accurately implemented to ensure
service quality. This implementation mode is recommended when
service types and traffic volumes differ greatly among users.
l Disable: STA access control is disabled.
NOTE
If the radio bound to the current radio profile is only used for WDS or Mesh
links, STA access control can be disabled.
Hide SSID when reaching threshold: Automatic SSID hiding. To prevent new users
from discovering the SSID of the AP to send association requests, configure
automatic SSID hiding to disable the AP radio from advertising SSIDs.
Threshold for STA interference: Alarm threshold for STAs not managed by the
local AP. If there are too many STAs that are managed by other APs around
the local AP, services of the STAs managed by the local AP may be
affected. After interference detection is enabled, the AP can detect
STAs managed by other APs. When the number of detected STAs exceeds the
specified alarm threshold, the AP reports alarms to the AC.
802.11n A-MPDU status: Enable the 802.11n MAC Protocol Data Unit (MPDU)
aggregation function.
An 802.11 packet is sent as an MPDU, requiring channel competition
and backoff and consuming channel resources. The 802.11n MPDU
aggregation function aggregates multiple MPDUs into an aggregate
MAC Protocol Data Unit (A-MPDU), so that N MPDUs can be
transmitted through one channel competition and backoff. This
function saves the channel resources to be consumed for sending N-1
MPDUs. The MPDU aggregation function improves channel
efficiency and 802.11 network performance.
NOTE
It is recommended that you enable MPDU aggregation when configuring
WDS or Mesh services.
Background neighbor probing: Background neighbor probing helps you learn
status of all channels on the WLAN network.
If background neighbor probing is enabled, an AP determines
whether to switch to another channel for neighbor probing every
10s based on the service traffic volume and threshold of user quantity.
If the channel switching condition is met (the number of users or
traffic on the channel does not exceed the threshold), the AP switches
to the new channel. The AP then listens on Beacon frames on the new
channel and saves the probing result. After 60 ms, the AP switches
back to the original channel.
NOTE
If the radio bound to the current radio profile is only used for WDS or Mesh
links, STA access control can be disabled.
c. Set the search criteria and click Go. All radio profiles matching the search conditions
are displayed. Select the radio profiles required for Mesh links and click OK.
3. Select or enter other required parameters. See Table 3-30 for description of the parameters.
Parameter Description
4. Click Next.
about the Mesh profile are displayed. You can also click to edit the profile.
Parameter Description
2. Click Mesh Role. A drop-down list box is displayed. Select a Mesh role. See 3.8.7.1 Mesh
Profile for description of Mesh roles.
3. Click Mesh Whitelist. A drop-down list box is displayed. Select Create to create a Mesh
whitelist or select an existing Mesh whitelist. See Table 3-32 for description of Mesh
whitelist parameters.
NOTE
If a Mesh whitelist already exists, click View All on the Create Mesh Whitelist page. Detailed parameters
about the Mesh whitelist are displayed. You can also click to edit the whitelist.
Parameter Description
5. Click Next.
Step 4 Confirm the configuration and click Finish. The Mesh configuration is complete.
Step 5 Configure the Mesh node according to the preceding steps.
----End
3.5.1 Initialize
You can restore the factory settings of the system if necessary.
Context
If improper configurations have been performed on the switch, you can restore the factory
settings of the switch.
CAUTION
After you restore the factory settings of the switch, all the configurations that you have made on
the switch will be deleted and cannot be restored.
Procedure
Step 1 Choose System Management > Initialize in the navigation tree to open the Initialize page.
Step 2 Click Initialize. A confirm dialog box is displayed.
Step 3 Click OK.
----End
3.5.2 Reboot
You can specify the system software, configuration file, and patch file loaded to the switch at
next startup.
Context
The specified configuration file takes effect at next startup. Ensure that the configuration data
is saved on the device before the reboot.
NOTICE
During the reboot, you are disconnected from the switch. If you have not saved the configuration
data, the configuration data is lost after the reboot. Therefore, save the configuration before you
reboot the system.
Procedure
Step 1 Choose System Management > Reboot in the navigation tree to open the Reboot page, as
shown in Figure 3-40.
Parameter Description
Step 2 Select desired options from the drop-down lists and click Reboot. A pop-up dialog box is
displayed, notifying you that communication between the system and the device will be
interrupted during the reboot.
Step 3 Click Yes in the displayed dialog box. A dialog box is displayed to prompt you to save the
configuration.
Step 4 Click Save. The system will reboot and save the configurations.
CAUTION
If you click Ignore, the switch will reboot, but unsaved configurations will be lost. When
switching the device's configuration file, click Ignore; otherwise, configuration file switching
fails.
----End
Context
The Web system allows you to upgrade the system software, simplifying the upgrade operations.
NOTICE
l Ensure that configurations are saved before upgrading software.
l Do not power off the switch during the upgrade.
l Software upgrade requires a long time; therefore, before upgrading the software, choose
System Management > System Configuration > System Settings and set Http Timeout
Interval to 60 minutes.
Procedure
Step 1 Choose System Management > Software Upgrade in the navigation tree to open the Software
Upgrade page, as shown in Figure 3-41.
Step 3 After the upgrade, the system displays the login page.
Step 4 Enter the user name and password to log in to the Web system.
----End
3.5.4 Patch
The following sections describe how to run and uninstall patches.
Context
l A patch is a kind of software compatible with the system software. It is used to remove
critical bugs of the system software. The extension name of the patch file is .pat.
l Before installing patches, you need to save patch files to the flash memory of the switch.
Patch files are loaded to the switch using HTTP.
l After the patch is uninstalled, the patch is deleted from the memory.
Procedure
Step 1 Choose System Management > Patch to open the Patch page, as shown in Figure 3-42.
Parameter Description
Step 2 In Upload Patch, click Browse and select the patch to be loaded, and click Upload Patch.
Step 3 Select the patch that you want to load from the Load Patch drop-down list box. Click Load
Patch. The system displays a message in Patch Information, showing the loaded patch files.
Step 4 Click Uninstall Patch. The system asks you whether to uninstall the patch.
Step 5 After the patch is deleted, the system displays a message indicating whether the patch is
uninstalled successfully.
----End
Context
The File System Management module helps you upload, download, and delete files
conveniently.
Procedure
l Upload files.
1. Choose System Management > File System Management > File System
Management in the navigation tree to open the File System Management page.
2. Click Upload to open the Upload file page, as shown in Figure 3-43.
3. Select the file to upload and click Upload. The system displays the upload process
page. After the file is uploaded, the system displays a message indicating the
successful upload.
NOTE
l If you do not want to close the page after uploading a file, click Apply. You can upload
other files.
l Only files in the following formats can be uploaded: cc, pat, zip, 7z, txt, log, dblg, cfg, bat,
xml, and dat.
l Download files.
1. Choose System Management > File System Management > File System
Management in the navigation tree to open the File System Management page.
2. Click Download next to the file name and select a path to save the file.
NOTE
Only files in the following formats can be downloaded: cc, pat, zip, 7z, txt, log, dblg, cfg, bat, xml,
and dat.
l Move files to the recycle bin.
After files are moved to the recycle bin, they still exist on the switch. You can restore the
files in the recycle bin.
CAUTION
l The version_web.zip(7z) file is the Web system file and cannot be deleted. If this file
is deleted, the Web system becomes unavailable. In the file name, version indicates the
version of the Web system software.
l The version.cc file is the device software package and cannot be deleted. If this file is
deleted, the Web system becomes unavailable. In the file name, version indicates the
device software version to which the Web system is applied.
l The name.cfg file is the Web system configuration file and cannot be deleted. If this
file is deleted, the Web system becomes unavailable. In the file name, name indicates
the configuration file name.
l The name.pat file is the Web system patch file and cannot be deleted. If this file is
deleted, the Web system becomes unavailable. In the file name, name indicates the patch
file name.
1. Choose System Management > File System Management > File System
Management in the navigation tree to open the File System Management page.
2. Select the file you want to move to the recycle bin.
3. Click Move to Recycle Bin, and the system asks you whether to move the file to the
recycle bin.
4. Click OK.
l Delete files permanently.
NOTICE
The files deleted permanently cannot be restored.
1. Choose System Management > File System Management > File System
Management in the navigation tree to open the File System Management page.
2. Select the file you want to delete.
3. Click Delete Permanently, and the system asks you whether to delete the file.
4. Click OK.
----End
Context
The files in the recycle bin can be restored or deleted permanently.
CAUTION
The files deleted from the recycle bin cannot be restored.
Procedure
Step 1 Choose System Management > File System Management > Recycle Bin in the navigation
tree to open the Recycle Bin page, as shown in Figure 3-44.
Step 2 Select the file that you want to restore and click Restore.
Step 3 Select the file that you want to delete and click Delete Permanently.
NOTE
If an error occurs during file restoration or deletion, the system displays an error message.
----End
Context
To ensure effective communication between the switch and other devices, set the system time
correctly.
Procedure
Step 1 Choose System Management > System Configuration > System Time in the navigation tree
to open the System Time page, as shown in Figure 3-45.
Parameter Description
Set Date and Time: Indicates the date and time that you want to specify.
Select the Set Date and Time check box, and then click to set the date and time.
Step 3 Click Apply, and then the new date and time is displayed.
----End
Procedure
Step 1 Choose System Management > System Configuration > System Settings in the navigation
tree to open the System Settings page, as shown in Figure 3-46.
Parameter Description
----End
3.5.7 PoE
The PoE configurations include global parameters, interface parameters, and PoE device
information.
The switch supports the Power Over Ethernet (PoE) function. After being configured with the
PoE power supply and the boards that support the PoE function, the switch can provide 48 V
DC power for the remote powered device (PD) such as the IP phone, WLAN AP, and network
camera through the twisted pair.
Only the product models with "PWR" in the product names support the PoE function.
Context
Currently, the network devices are deployed flexibly; therefore, the cabling of power supply is
complicated. To simplify cabling, you can configure the PoE function on the switch.
Procedure
Step 1 Choose System Management > PoE > Global Parameter Settings in the navigation tree to
open the Global Parameter Settings page, as shown in Figure 3-47.
Table 3-38 describes the parameters on the Global Parameter Settings page.
Parameter Description
----End
Context
l Currently, the network devices are deployed flexibly; therefore, the cabling of power supply
is complicated. To simplify cabling, you can configure the PoE function on the switch.
l By default, the PoE function is enabled on all interfaces.
Procedure
l Query power supply information on interfaces.
1. Choose System Management > PoE > Interface Parameter Settings in the
navigation tree to open the Interface Parameter Settings page.
2. Select an interface type from the drop-down list box.
3. Enter the interface number, for example, 0/0/1 (stack ID/sub-card ID/port
number).
4. Click Query to display all matching records.
l Set power parameters on an interface.
1. Choose System Management > PoE > Interface Parameter Settings in the
navigation tree to open the Interface Parameter Settings page.
2. Select a record and click Configure. The Configure Power Parameters on
Interface page is displayed, as shown in Figure 3-48.
Parameter Description
----End
Context
None.
Procedure
Step 1 Choose System Management > PoE > PoE Power Supply Information in the navigation tree
to open the PoE Power Supply Information page, as shown in Figure 3-49. The PoE
information is displayed.
NOTE
----End
3.5.8 DNS
The following sections describe the configurations of dynamic DNS entries, domain name
server, domain name suffix, and enabling dynamic domain name resolution.
In addition to distinguishing devices by IP addresses, TCP/IP provides the Domain Name System
(DNS) to name hosts by using character strings. DNS uses a hierarchical naming method to
specify a meaningful name for a device on the network. In addition, a DNS server is required
on the network to bind IP addresses to domain names. The DNS server enables users to use
simple domain names instead of complex IP addresses.
Context
NOTICE
The deleted dynamic DNS entries cannot be restored; therefore, perform the deletion operation
with caution.
Procedure
Step 1 Choose System Management > DNS > Dynamic DNS Entry Table in the navigation tree to
open the Dynamic DNS Entry Table page, as shown in Figure 3-50.
Step 2 View dynamic DNS entries. To delete all dynamic DNS entries, click Clear All. The system
asks you whether to delete all dynamic DNS entries. The deleted dynamic DNS entries cannot
be restored.
----End
Context
After receiving a resolution request, the DNS server checks whether the domain name belongs
to its authorized sub-domain. If yes, the server translates the domain name into an IP address
according to the database, and then sends the result to the client. If the server cannot resolve the
domain name, it performs the resolution operation specified in the request sent by the client.
Procedure
l Create a DNS server.
1. Choose System Management > DNS > DNS Settings in the navigation tree to open
the DNS Settings page.
2. Click New to open the Create a DNS Server page, as shown in Figure 3-51.
3. Set parameters.
4. Click OK.
l Delete a DNS server.
1. Choose System Management > DNS > DNS Settings in the navigation tree to open
the DNS Settings page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
----End
Context
l Users only need to enter partial content of a domain name, and then the system adds a suffix
to the domain name for resolution.
l For example, you have set the domain name suffix com in the suffix list. If a user wants to
visit huawei.com, the user only needs to enter huawei. Then the system adds the suffix
com to huawei to form huawei.com.
Procedure
l Create a domain name suffix.
1. Choose System Management > DNS > Domain Name Settings in the navigation
tree to open the Domain Name Settings page.
2. Click New to open the Create a Domain Name Suffix page, as shown in Figure
3-52.
Table 3-40 describes the parameters on the Create a Domain Name Suffix page.
Parameter Description
3. Set parameters.
4. Click OK.
l Delete a domain name suffix.
1. Choose System Management > DNS > Domain Name Settings in the navigation
tree to open the Domain Name Settings page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
----End
Context
Dynamic domain name resolution requires a special DNS server. This server maps domain
names to IP addresses and processes the resolution requirement of clients.
Procedure
Step 1 Choose System Management > DNS > Enable Dynamic Domain Name Resolution in the
navigation tree to open the Enable Dynamic Domain Name Resolution page, as shown in
Figure 3-53.
Table 3-41 describes the parameters on the Enable Dynamic Domain Name Resolution page.
Parameter Description
Enable Dynamic Domain Name Resolution: Indicates whether to enable the
resolution function. You can set the DNS parameters before enabling the
resolution function, but the DNS parameters take effect only after you
enable the resolution function.
----End
3.5.9 Stacking
The stacking function connects multiple stacking-capable devices together to logically function
as one device. Up to five , S2750EIs, and S2720s can be connected through stack cables in a
ring or chain topology. Up to nine devices of other models can be connected through stack cables
in a ring or chain topology. All stacked devices logically function as one device to forward
packets. There are three roles of devices in a stack: master switch, standby switch, and slave
switch. All of the three types of switches are called member switches. The Ethernet switches in
a stack function as one device. You can manage all the switches in a stack by using the master
switch.
Context
l The following models support stacking function: S2720, S2750, S5700-P-LI (with GE
uplink interfaces), S5700-TP-LI (with GE uplink interfaces), S5700-X-LI (with 10GE
uplink interfaces). The stacking function is not supported on the S5700-10P-LI-AC and
S5700-10P-PWR-LI-AC in the S5700-P-LI series (with GE uplink interfaces).
NOTE
A stack of S5700-52X-LI-48CS-AC switches cannot be managed by the web-based network
management system.
l When a switch attempts to set up a stack with a switch enabled with the stacking function
but the stacking-enabled switch has some configurations that the stack does not support,
the new switch cannot join the stack and the system displays a message indicating that some
configurations are not supported by the stack. As a result, the new switch cannot be added
to the stack. The new switch can be added to the stack only after these configurations are
deleted.
l Before the stack is established, each switch is an independent entity. Each switch has its
own IP address and functions individually. Therefore, you need to manage each switch
separately. After the stack is established, all the member switches are presented as one
unified logical entity. In this manner, you can manage and maintain all the member switches
in a stack by using one IP address. The stacking protocol elects the master switch, standby
switch, and slave switch in a stack. Then, data can be backed up and the active/standby
switchover can be implemented.
Procedure
l Configure the stack.
1. Choose System Management > Stacking in the navigation tree to open the
Stacking page, as shown in Figure 3-54.
NOTE
Parameter Description
2. Click the icon. The Configure Stack Interface page is displayed, as shown in
Figure 3-57.
Table 3-44 describes the parameters on the Configure Stack Interface page.
Parameter Description
Context
Logs provide information for system diagnosis and maintenance.
Procedure
Step 1 Choose System Management > Log Management to open the Log Management page.
Step 2 Set parameters.
Step 3 Click Query to view the logs that meet the search criteria.
Step 4 Click Reset to restore the default log query range.
Step 5 Click Clear to determine whether to clear all logs.
----End
3.5.11 SNMP
Simple Network Management Protocol (SNMP) is a standard network management protocol
widely used on TCP/IP networks. SNMP uses a central computer (a network management
station) that runs network management software to manage network elements.
Context
SNMP agent is an agent program on the managed device. The SNMP agent maintains
information for the managed device, responds to the requests from the NMS, and sends
management data to the NMS. Before the NMS manages a device through SNMP, the SNMP
agent must be enabled on the device and a proper SNMP version needs to be selected.
A web system supports SNMPv1, SNMPv2c, and SNMPv3. The device and NMS must use the
same SNMP version.
NOTE
If a device is managed by multiple NMSs running different SNMP versions, all the SNMP versions need to be
set on the device so that the device can communicate with these NMSs.
Procedure
Step 1 Choose System Management > SNMP in the navigation tree to open the SNMP Global
Settings page, as shown in Figure 3-58.
Parameter Description
----End
Context
The community/group management configurations vary with SNMP versions. After global
SNMP settings are complete, configure the communities/groups. Table 3-47 lists the mappings
between SNMP versions and configurations.
Version Configuration
Procedure
l Configure community management.
Create a community.
1. Choose System Management > SNMP > Community/Group Management in the
navigation tree to open the Community/Group Management page.
2. Click New in Community to open the Create Community page, as shown in Figure
3-59.
Parameter Description
3. Set parameters.
4. Click OK. The configuration is complete.
If the operation is successful, Community is displayed and a new item is added to the
list. The community name is displayed in cipher text. To add multiple communities,
repeat the preceding operations.
Delete a community.
1. Choose System Management > SNMP > Community/Group Management in the
navigation tree to open the Community/Group Management page.
2. Select the items that you want to delete in Community, or select all items.
3. Click Delete. The system asks you whether to delete the items.
4. Click OK. The configuration is complete.
l Configure group management.
Create a group.
1. Choose System Management > SNMP > Community/Group Management in the
navigation tree to open the Community/Group Management page.
2. Click New in Group to open the Create Group page, as shown in Figure 3-60.
Parameter Description
Read-only MIB view: Indicates the MIB object that can only be read by the NMS.
Read-write MIB view: Indicates the MIB object that can be read and written by
the NMS.
Notification MIB view: Indicates the MIB object that only sends notifications
to the NMS.
3. Set parameters.
NOTE
2. Click New in User to open the Create User page, as shown in Figure 3-62.
Parameter Description
3. Set parameters.
Parameter Description
NOTE
The parameters for modifying a user vary with the security level of the user. The parameters listed
here may be different from the parameters displayed for you.
The User name and Security level parameters cannot be modified.
3. Set parameters.
4. Click OK. The configuration is complete.
Delete a user.
1. Choose System Management > SNMP > Community/Group Management in the
navigation tree to open the Community/Group Management page.
2. Select a user that you want to delete in User and click Delete. The system asks you
whether to delete the user.
3. Click OK. The configuration is complete.
----End
Context
A MIB view is a collection of all managed objects. The NMS manages devices by reading
information from and writing information to the managed objects in the MIB. A MIB view
defines the management information included in or excluded from the MIB view. Two
implementation methods are available for the MIB view:
l When the NMS manages most MIB objects on the managed device or some objects in the
MIB view do not need to be managed by the NMS, the unmanaged objects can be
configured.
l When the NMS manages a few MIB objects on the managed device or some objects in the
MIB view are managed by the NMS with access restrictions, the objects can be
configured.
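The include/exclude behaviour described above, worked through as an added example (not part of the original manual and not Huawei code). It assumes overlapping rules are resolved as in RFC 3415 (VACM), where the longest matching subtree decides; the manual does not state the device's matching order, and the sample rule list and all function names are constructed for illustration.

```python
from typing import Dict, List, Tuple

Oid = Tuple[int, ...]
Rule = Tuple[Oid, bool]  # (subtree, True = included / False = excluded)

# Constructed sample rule list for one MIB view (not taken from the manual).
SAMPLE_RULES = [
    ("1", "included"),                   # iso: everything
    ("1.3.6.1.6.3.15", "excluded"),      # snmpUsmMIB (SNMPv3 user table)
    ("1.3.6.1.6.3.16", "excluded"),      # snmpVacmMIB (access control tables)
    ("1.3.6.1.6.3.15.1.1", "included"),  # usmStats counters re-included
]

# Standard SNMP framework subtrees that describe the agent's own security setup.
SENSITIVE = {
    "snmpUsmMIB": "1.3.6.1.6.3.15",
    "snmpVacmMIB": "1.3.6.1.6.3.16",
    "snmpCommunityMIB": "1.3.6.1.6.3.18",
}


def parse_oid(text: str) -> Oid:
    """Parse a dotted numeric OID such as '1.3.6.1.2.1' or '.1.3.6'."""
    parts = text.strip().lstrip(".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric OID: {text!r}")
    return tuple(int(p) for p in parts)


def make_view(rules) -> List[Rule]:
    """Validate (subtree, 'included'|'excluded') pairs and build a view."""
    seen: Dict[Oid, bool] = {}
    for subtree_text, kind in rules:
        if kind not in ("included", "excluded"):
            raise ValueError(f"unknown rule type: {kind!r}")
        subtree = parse_oid(subtree_text)
        included = kind == "included"
        # The same subtree cannot be both included and excluded.
        if seen.get(subtree, included) != included:
            raise ValueError(f"conflicting rules for {subtree_text}")
        seen[subtree] = included
    return list(seen.items())


def in_view(view: List[Rule], oid_text: str) -> bool:
    """True if the OID is visible: the longest matching subtree decides.

    An OID matched by no rule is outside the view (default deny).
    """
    oid = parse_oid(oid_text)
    best_len, decision = -1, False
    for subtree, included in view:
        if oid[:len(subtree)] == subtree and len(subtree) > best_len:
            best_len, decision = len(subtree), included
    return decision


def exposed_under(view: List[Rule], subtree_text: str) -> bool:
    """True if any object at or below the subtree can be in the view.

    That is the case when the subtree root itself is visible, or when a
    deeper 'included' rule re-opens part of an excluded subtree.
    """
    root = parse_oid(subtree_text)
    if in_view(view, subtree_text):
        return True
    return any(included and subtree[:len(root)] == root
               for subtree, included in view)


def audit(view: List[Rule]) -> List[str]:
    """Names of security-related subtrees that the view still exposes."""
    return sorted(name for name, oid in SENSITIVE.items()
                  if exposed_under(view, oid))


if __name__ == "__main__":
    view = make_view(SAMPLE_RULES)
    for oid in ("1.3.6.1.2.1.1.1.0",          # sysDescr.0
                "1.3.6.1.6.3.15.1.2.2.1.3",   # inside usmUserTable
                "1.3.6.1.6.3.15.1.1.1.0"):    # inside usmStats
        print(oid, "visible" if in_view(view, oid) else "hidden")
    print("review these subtrees:", audit(view))
```

A subtree reported by audit() is not necessarily a problem (the re-included usmStats counters hold no secrets), but each one is a place where the view grants more than a plain exclusion would suggest and should be reviewed before the view is bound to a community or group.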
Procedure
l Create a MIB view.
1. Choose System Management > SNMP > MIB View in the navigation tree to open
the MIB View page.
2. Click New to enter the Create MIB View page, as shown in Figure 3-64.
Parameter Description
Create rules.
Delete rules.
a. Click of the rules that you want to delete in Added Rule List.
If the operation is successful, the deleted rules are not displayed in Added Rule
List. To delete multiple rules, repeat the preceding operations.
4. Click OK.
If the operation is successful, MIB View is displayed and the new MIB view is added.
To add multiple MIB views, repeat the preceding operations.
l Modify MIB view.
1. Choose System Management > SNMP > MIB View in the navigation tree to open
the MIB View page.
2. Click of the MIB view that you want to modify to open the Modify MIB View
page, as shown in Figure 3-65.
Delete rules.
a. Click of the rules that you want to delete in Added Rule List.
If the operation is successful, the deleted rules are not displayed in Added Rule
List. To delete multiple rules, repeat the preceding operations.
4. Click OK. The configuration is complete.
l Delete a MIB view.
1. Choose System Management > SNMP > MIB View in the navigation tree to open
the MIB View page.
2. Select the items that you want to delete, or select all items.
3. Click Delete. The system asks you whether to delete the items.
4. Click OK. The configuration is complete.
----End
Context
A trap is an alarm message sent from the managed device to the NMS to notify administrators
of the network faults. After receiving a trap from a managed device, the NMS does not need to
reply.
NOTE
The web management system supports a maximum of 20 trap target hosts. When the number of trap target hosts
to be configured exceeds the limit, the system displays a prompt message.
Procedure
l Configure trap.
1. Choose System Management > SNMP > Trap Setting in the navigation tree to open
the Trap Setting page, as shown in Figure 3-66.
Parameter Description
Source Interface That Sends Trap Messages: Indicates the source interface that sends trap
messages. Click Select to select a source interface.
2. Set parameters.
3. Click Apply to complete the configuration.
l Configure the trap target host.
Create a trap target host.
1. Choose System Management > SNMP > Trap Setting in the navigation tree to open
the Trap Setting page.
2. Click New in Trap Target Host to open the Create Trap Target Host page, as shown
in Figure 3-67.
Table 3-55 describes parameters on the Create Trap Target Host page.
Parameter Description
3. Set parameters.
4. Click OK. The configuration is complete.
Delete the trap target host.
1. Choose System Management > SNMP > Trap Setting in the navigation tree to open
the Trap Setting page.
2. Select the items that you want to delete in Trap Target Host, or select all items.
3. Click Delete. The system asks you whether to delete the items.
4. Click OK. The configuration is complete.
----End
3.5.12 EasyOperation
This chapter describes how to configure roles, groups, and clients to implement Easy-Operation.
The Easy-Operation feature implements automatic version file loading on newly delivered or
unconfigured devices and batch upgrades of devices on a campus network. Table 3-56 lists the
device models and versions that support the Easy-Operation feature.
NOTE
Only Role configuration option is available for the devices that do not support the Commander role.
Additionally, such devices can only be configured as clients.
The Group configuration and Client configuration options are not available to the devices that function as
clients.
Context
Before configuring EasyOperation on a device, determine the role of the device.
Procedure
Configuring a device as a client
1. Choose System Management > EasyOperation > Role configuration in the navigation
tree to display the Role configuration page.
2. Set Role type to Client, as shown in Figure 3-68.
3. Enter the Commander IP address and UDP port. The Commander IP address you enter here
must be the same as that configured on the Commander. If you keep the UDP port field
blank, the default UDP port is used.
4. Click Apply.
After you click Apply, the Group configuration and Client configuration tabs become
unavailable.
1. Choose System Management > EasyOperation > Role configuration in the navigation
tree to display the Role configuration page.
Table 3-57 describes the parameters on the Role configuration page. If some areas are
folded, click to expand the areas.
Parameter Description
UDP port: If you keep this field blank, the default UDP port is used.
Server type configure > Server type: Options are FTP, SFTP, and TFTP.
NOTE
FTP and TFTP cannot ensure secure file transfer. SFTP is recommended on networks that require
high security.
User name: Enter the user name used to log in to the file server.
Time interval: Set the interval at which you want the Commander to back up configuration files.
Download file configuration > File activation method: Options are Default type and Reload type.
By default, if downloaded files include a software package (*.cc), clients activate all the
downloaded files by restarting. In a batch upgrade, if downloaded files include a configuration
file, clients activate all the downloaded files by restarting.
File activation time: Options are Active now, Active delay, and Active in time. If you select
Active delay or Active in time, the related parameter is displayed for you to configure.
Default download file information: The files specified here are default files to be downloaded
to clients. You can specify a maximum of three self-defined files. If no file is specified in
role configuration or group configuration, the default file information is used.
Context
You can configure a group to:
Procedure
l Query group information.
1. Choose System Management > EasyOperation > Group configuration in the
navigation tree to display the Group configuration page, as shown in Figure 3-70.
Parameter Description
Group name: Enter the name of the group you want to query.
Group type: Enter the type of the groups you want to query.
File activation method: The system displays the groups that use the specified file activation
method.
File activation time: The system displays the groups that have the specified file activation
time configured.
Parameter Description
File download settings: Set the file activation method, time, and information about files to be
downloaded.
Parameter Description
Group name: This parameter is mandatory. The name must start with a letter (lowercase a to z or
uppercase A to Z).
Parameter Description
File download settings: Set the file activation method, time, and information about files to be
downloaded.
1. Select the groups that you want to upgrade, as shown in Figure 3-73.
2. Click Upgrade.
Context
You can perform the following operations on the Client configuration page:
l Add new or unconfigured devices to the client list to deploy the devices.
l Configure client replacement information to implement faulty device replacement.
Procedure
l Query client information.
1. Choose System Management > EasyOperation > Client configuration in the
navigation tree to display the Client configuration page, as shown in Figure 3-74.
Parameter Description
MAC: Enter the MAC address of the client you want to query.
Parameter Description
Device MAC, Device ESN: Enter the client's MAC address or ESN. Only one of the two parameters
can be configured.
2. Click template.zip to download this template to your computer, and then enter client
information in the template.
3. Click Browse and select the template.
Information about new clients is displayed in the client list, as shown in Figure 3-77. If
Client auto join is enabled on the Commander and the Commander IP address has been
configured on the clients, the client list displays client information learned by the
Commander. Besides, the current operating method, phase, and state of each client are also
displayed. The following are the examples of information that may be displayed:
Method: Normal running, Proactively upgrades, Empty configuration upgrade, usb
upgrade, Unknown method
Stage: Initialization, Applicate IP, Access to download the file information, Download,
Active file, Normal running, Unknown stage
State: Finish, Download system-software file, Download configuration file, Download
patch file, Download web file, Download license file, Download custom file1,
Download custom file2, Download custom file3, Unknown state
l Configure client replacement information.
1. In the client list shown in Figure 3-77, click next to the record of the faulty client
to display the Replacement information page, as shown in Figure 3-78.
Parameter Description
Device MAC, Device ESN: Enter the new client's MAC address or ESN. Only one of the two
parameters can be configured.
Context
You need to activate licenses in either of the following situations:
l Purchasing a license to obtain permissions on related functions after you purchase a new
device.
l Applying for a new license file, and then upgrading and loading it, when a license file is
already loaded on the device and a new feature is required.
Procedure
Step 1 Choose System Management > License Management.
Step 2 Click System Management in the License Loading area and select the license file to upload.
If you need to adjust a license file between devices (for example, move a license file from device A to
device B) without changing the license authorization certificate or an upgraded license file is incompatible
with the original one, click Uninstall in the License Information area to obtain a license revocation code.
Use the license revocation code to obtain a new license file, and activate the license file.
You can view the license status and authorization information in the License Information area.
Table 3-64 describes license parameters.
Parameter Description
License status:
not loaded: default status. By default, a license is not loaded after the system starts or when
it is invalid.
Normal: A commercial license enters the Normal state after it is loaded.
Trial: A license enters the Trial state when the loaded ESN does not match the license or after
the license expires.
Demo: A temporary license enters the Demo state after it is loaded.
Emergency: When a license enters the Emergency state, dynamic resources on the device are free
from the license controls. That is, the device runs with the maximum configurations of dynamic
resources. A license can remain in Emergency state for at most seven days. After seven days, the
license enters the original state.
----End
3.6.1 Ethernet
Configure these interfaces as required.
Context
To identify an interface, you can set the description of the interface. You can query and configure
Ethernet interfaces as required.
Procedure
l Query basic attributes.
1. Choose Interface Management > Ethernet > Basic Attributes in the navigation tree
to open the Basic Attributes page.
2. Select an interface type from the drop-down list box.
3. Enter the interface number, for example, 0/0/1 (slot ID/subcard ID/interface
number).
Table 3-65 describes the parameters on the Configure Basic Attributes page.
Parameter Description
3. Set parameters.
4. Click OK.
----End
Context
NOTICE
The cleared traffic statistics cannot be restored; therefore, confirm the operation before clearing
the traffic statistics.
Procedure
Step 1 Choose Interface Management > Ethernet > Statistics on Interface in the navigation tree to
open the Statistics on Interface page, as shown in Figure 3-81.
Step 2 Select a record and click Details to view details about the record.
NOTE
On the Details page, you can refresh, clear, and close the traffic statistics.
----End
3.6.2 Eth-Trunk
An Eth-Trunk is composed of Ethernet links. The Eth-Trunk interface does not exist physically.
Context
You can configure Eth-Trunks in the following scenarios:
l The bandwidth is insufficient when two switches are connected through only one link.
l The connection reliability cannot meet requirements when two switches are connected
through only one link.
Procedure
l Query Eth-Trunk information.
1. Choose Interface Management > Eth-Trunk > Eth-Trunkport in the navigation
tree, and the Eth-Trunkport page is displayed, as shown in Figure 3-82.
Parameter Description
3. Set parameters.
4. Click OK.
l Modify Eth-Trunk
4. Click OK.
l Delete Eth-Trunks.
1. Choose Interface Management > Eth-Trunk > Eth-Trunkport in the navigation
tree to open the Eth-Trunkport page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
----End
Context
Only the Eth-Trunk in static LACP mode needs to be configured with the LACP priority. The
default LACP priority is 32768.
Procedure
Step 1 Choose Interface Management > Eth-Trunk > System LACP Priority in the navigation tree
to open the System LACP Priority page, as shown in Figure 3-87.
Table 3-67 describes the parameters on the System LACP Priority page.
Parameter Description
----End
3.6.3 VLANIF
When a switch needs to communicate with the devices at the network layer, you can create a
logical interface based on a VLAN on the switch, namely, a Vlanif interface. The VLANIF
interface does not exist physically.
Context
A Vlanif interface is a Layer 3 interface and can be configured with an IP address. Before creating
a Vlanif interface, you must create a VLAN. With a Vlanif interface, the switch can communicate
with the devices at the network layer.
NOTICE
If a Vlanif interface whose IP address is the same as the switch address is deleted or shut down,
you cannot log in to the Web system. In this case, you need to change the IP address of the Vlanif
interface. After changing the Vlanif address, you must log in to the switch with the new address.
Procedure
l Query VLANIF interface information.
1. Choose Interface Management > VLANIF in the navigation tree to open the
VLANIFport page.
2. Enter the number of the interface that you want to query, for example, 10. If you do
not enter any interface number, all Vlanif interfaces are displayed.
3. Click Query to display all matching records.
4. Select a record and click Details to view details about the record.
NOTE
To view real-time interface information, click the VLANIF tab on the left to refresh the page.
l Create a VLANIF interface.
1. Choose Interface Management > VLANIF in the navigation tree to open the
VLANIFport page.
2. Click New to open the Create VLANIF page, as shown in Figure 3-88.
Parameter Description
Portal Server: Indicates the name of the Portal server from the drop-down list box.
NOTE
The S1720, S2720 and S2750EI do not support this parameter.
3. Set parameters.
4. Click OK.
l Modify the VLANIF interface configuration.
1. Choose Interface Management > VLANIF in the navigation tree to open the
VLANIFport page.
2. Select a record that you want to modify and click to open the Modify VLANIF
page, as shown in Figure 3-89.
----End
3.6.4 LoopBack
A LoopBack interface is a logical interface. It is always Up. The LoopBack interface is usually
used in LoopBack tests.
Context
According to the TCP/IP protocol suite, the IP addresses in the network segment 127.0.0.0 are
LoopBack addresses. The system automatically creates an interface using loopback address
127.0.0.1. This interface is used to receive datagrams sent to the local device.
Procedure
l Query LoopBack interface information.
1. Choose Interface Management > LoopBack in the navigation tree to open the
LoopBackport page.
2. Enter the number of the interface that you want to query, for example, 12.
3. Click Query to display all matching records.
NOTE
If you do not enter any interface number, the system displays all loopback interfaces.
l Create a LoopBack interface.
1. Choose Interface Management > LoopBack in the navigation tree to open the
LoopBackport page.
2. Click New to open the Create LoopBack page, as shown in Figure 3-90.
Parameter Description
3. Set parameters.
4. Click OK.
l Modify the LoopBack interface configuration.
1. Choose Interface Management > LoopBack in the navigation tree to open the
LoopBackport page.
2. Select a record that you want to modify and click to open the Modify LoopBack
page, as shown in Figure 3-91.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
----End
3.7.1 VLAN
The following sections describe how to configure and query VLANs, hybrid interfaces, access
interfaces, trunk interfaces, and VLANIF interfaces.
A local area network (LAN) can be divided into several logical LANs. Each logical LAN is a
broadcast domain, which is called a virtual LAN (VLAN). To put it simply, devices on a LAN
are logically grouped into different LAN segments, regardless of their physical locations.
VLANs isolate broadcast domains on a LAN.
3.7.1.1 VLAN
You can create, query, modify, and delete VLANs. In addition, you can create VLANs in a batch.
Context
l The switch supports 4094 VLANs from VLAN 1 to VLAN 4094.
l VLANs can isolate the hosts that require no communication with each other, which
improves network security, reduces broadcast traffic, and suppresses broadcast storms.
Procedure
l Query VLAN information.
1. Choose Service Management > VLAN > VLAN in the navigation tree to open the
VLAN page.
2. Enter a VLAN ID. If you do not enter any VLAN ID, all VLANs are displayed.
3. Click Query to display all matching records.
l Create a VLAN.
1. Choose Service Management > VLAN > VLAN in the navigation tree to open the
VLAN page.
2. Click New to open the Create VLAN page, as shown in Figure 3-92.
Parameter Description
3. Set parameters.
4. Click OK.
l Modify VLAN
1. Choose Service Management > VLAN > VLAN in the navigation tree to open the
VLAN page.
2. Click the icon to open the Modify VLAN page, as shown in Figure 3-93.
----End
Context
A hybrid interface can connect to either a user host or a switch, and it can connect to an access
link or a trunk link. A hybrid interface permits frames from multiple VLANs to pass and can
remove VLAN tags of outgoing frames.
Procedure
l Query a hybrid interface.
1. Choose Service Management > VLAN > Hybrid port in the navigation tree to open
the Hybrid port page.
2. Select an interface type from the drop-down list box.
3. Enter the interface number, for example, 0/0/1 (slot ID/subcard ID/interface
number).
4. Click Query to display all matching records.
l Modify the link type.
1. Choose Service Management > VLAN > Hybrid port in the navigation tree to open
the Hybrid port page.
2. Select the interface whose link type you want to change.
3. Click Change Link Type. A dialog box is displayed asking "Modifying the link type
will clear VLANs on the selected interface. Conitnue?"
4. Click OK. The Change Link Type window is displayed, as shown in Figure 3-94.
Parameter Description
----End
Context
An access interface is connected to user hosts. It is mainly used to connect to access links, and
the Ethernet frames transmitted on the access link do not contain VLAN tags. If an access
interface is configured with a default VLAN, the access interface adds a VLAN tag to packets
and sets the VID field in the VLAN tag to the default VLAN ID. The access link transmits only
the Ethernet frames with the default VLAN ID.
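The tagging behavior described above can be shown on raw frame bytes. The following Python code is an added example, not Huawei code: the sample frame is constructed, and dropping ingress frames that already carry a different VLAN ID is an assumption of this model, not something this guide states.

```python
import struct

TPID_8021Q = 0x8100           # EtherType value that marks an 802.1Q tag
MIN_VLAN, MAX_VLAN = 1, 4094  # VLAN range stated in this guide

# Constructed sample: broadcast destination, locally administered source, IPv4 EtherType.
SAMPLE_UNTAGGED = bytes.fromhex("ffffffffffff" "021122334455" "0800") + b"payload"


def vlan_id(frame):
    """Return the VID of a tagged frame, or None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF  # low 12 bits of the TCI are the VID


def add_tag(frame, vid, priority=0):
    """Insert a 4-byte 802.1Q tag between the source MAC and the EtherType."""
    if not MIN_VLAN <= vid <= MAX_VLAN:
        raise ValueError(f"VLAN ID {vid} outside {MIN_VLAN}-{MAX_VLAN}")
    if not 0 <= priority <= 7:
        raise ValueError("802.1p priority must be 0-7")
    tci = (priority << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Remove the 802.1Q tag from a tagged frame."""
    if vlan_id(frame) is None:
        raise ValueError("frame is not tagged")
    return frame[:12] + frame[16:]


def access_ingress(frame, default_vlan):
    """Frame arriving from the access link: tag untagged frames with the default VLAN.

    Assumption of this model: a frame that arrives already tagged is kept only
    when its VID equals the default VLAN; otherwise it is dropped (None).
    """
    vid = vlan_id(frame)
    if vid is None:
        return add_tag(frame, default_vlan)
    return frame if vid == default_vlan else None


def access_egress(frame, default_vlan):
    """Frame leaving towards the access link: only the default VLAN passes, untagged."""
    if vlan_id(frame) != default_vlan:
        return None
    return strip_tag(frame)


if __name__ == "__main__":
    tagged = access_ingress(SAMPLE_UNTAGGED, 10)
    print("tag bytes:", tagged[12:16].hex())
    print("egress on VLAN 10 restores frame:", access_egress(tagged, 10) == SAMPLE_UNTAGGED)
    print("egress on VLAN 20:", access_egress(tagged, 20))
```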
Procedure
l Query an access interface.
1. Choose Service Management > VLAN > Access Port in the navigation tree to open
the Access Port page.
2. Select an interface type from the drop-down list box.
3. Enter the interface number, for example, 0/0/1 (slot ID/subcard ID/interface
number).
4. Click Query to display all matching records.
l Modify the link type.
1. Choose Service Management > VLAN > Access Port in the navigation tree to open
the Access Port page.
2. Select the interface whose link type you want to change.
3. Click Change Link Type. A dialog box is displayed asking "Modifying the link type
will clear VLANs on the selected interface. Conitnue?"
4. Click OK. The Change Link Type window is displayed, as shown in Figure 3-96.
3. Click Clear VLANs. A dialog box is displayed asking "Are you sure you want to
clear all VLANs and restore the default VLAN ?"
4. Click OK.
l Add to a VLAN.
1. Choose Service Management > VLAN > Access Port in the navigation tree to open
the Access Port page.
2. Select an interface to be added to the VLAN.
3. Enter the ID of the VLAN to which you want to add the interface.
4. Click Add.
----End
Context
A trunk interface connects to a packet switching device and serves a trunk link. A trunk interface
allows frames from multiple VLANs to pass.
Procedure
l Query a trunk interface.
1. Choose Service Management > VLAN > Trunk port in the navigation tree to open
the Trunk port page.
2. Select an interface type from the drop-down list box.
3. Enter the interface number, for example, 0/0/1 (slot ID/subcard ID/interface
number).
4. Click Query to display all matching records.
l Modify the link type.
1. Choose Service Management > VLAN > Trunk port in the navigation tree to open
the Trunk port page.
2. Select the interface whose link type you want to change.
3. Click Change Link Type. A dialog box is displayed asking "Modifying the link type
will clear VLANs on the selected interface. Conitnue?"
4. Click OK. The Change Link Type window is displayed, as shown in Figure 3-97.
Parameter Description
3. Set parameters.
4. Click OK.
----End
Context
A VLANIF interface is an interface at the network layer and can be configured with an IP address.
Before configuring a VLANIF interface, you must create the corresponding VLAN. The
switch then uses the VLANIF interface to communicate with the devices at the network layer.
NOTICE
l You can also access this page by choosing Interface Management > VLANIF page. The
navigation path provided here enables you to configure VLANIF interfaces directly after
configuring VLANs.
Procedure
l Query VLANIF interface information.
1. Choose Service Management > VLAN > VLANIF port in the navigation tree to
open the VLANIF port page.
2. Enter the number of the interface that you want to query, for example, 10. If you do
not enter any interface number, all VLANIF interfaces are displayed.
3. Click Query to display all matching records.
4. Select a record and click Details to view details about the record.
NOTE
To view real-time interface information, click on the VLANIF port tab page to refresh the
page.
l Create a VLANIF interface.
1. Choose Service Management > VLAN > VLANIF port in the navigation tree to
open the VLANIF port page.
2. Click New to open the Create VLANIF page, as shown in Figure 3-99.
Parameter Description
Portal Server: Indicates the name of the Portal server from the drop-down list box.
NOTE
The S1720, S2720 and S2750EI do not support this parameter.
3. Set parameters.
4. Click OK.
l Modify the VLANIF interface configuration.
1. Choose Service Management > VLAN > VLANIF port in the navigation tree to
open the VLANIF port page.
2. Select a record that you want to modify and click to open the Modify VLANIF
page, as shown in Figure 3-100.
----End
3.7.2 MAC
Each switch maintains a MAC address table (MAC table for short). The MAC table records
MAC addresses of all the devices connected to interfaces of the switch. When forwarding a data
frame, the switch searches the MAC table for the outbound interface according to the destination
MAC address of the frame. This reduces the number of broadcast frames.
Context
The MAC table stores MAC addresses, VLAN IDs, and outbound interfaces learned by a
switch. When forwarding an Ethernet frame, the switch searches the MAC table for the outbound
interface according to the destination MAC address and VLAN ID in the Ethernet frame.
Procedure
Step 1 Choose Service Management > MAC > MAC Table in the navigation tree to open the MAC
Table page, as shown in Figure 3-101.
Parameter Description
----End
lifecycle. If an entry is not updated within the lifecycle, it is deleted. This lifecycle is called the
aging time. If an entry is updated before its lifecycle ends, the aging timer of the entry is reset.
Context
You need to set the aging time properly. If the aging time is excessively short, the switch may
broadcast a large number of data frames because their destination MAC addresses cannot be
found in the MAC table. This degrades the performance of the switch.
l If the aging time is excessively long, the switch may save a large number of useless MAC
entries, and new MAC entries cannot be added because the number of MAC entries is
limited. As a result, the switch cannot update the MAC table according to network changes.
l If the aging time is excessively short, the switch may delete valid MAC entries, and
therefore the forwarding performance is degraded.
Generally, the default aging time (300s) is recommended.
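The trade-off between a short and a long aging time can be reproduced with a small model of a dynamic MAC table. The following Python code is an added example, not Huawei code: the table capacity, host addresses, port names, and traffic pattern are constructed for illustration.

```python
from dataclasses import dataclass

DEFAULT_AGING_TIME = 300  # seconds; the default this guide recommends


@dataclass
class Entry:
    port: str
    last_seen: float


class MacTable:
    """Toy dynamic MAC table keyed by (VLAN ID, MAC address)."""

    def __init__(self, aging_time=DEFAULT_AGING_TIME, capacity=1024):
        self.aging_time = aging_time
        self.capacity = capacity  # constructed limit, not a device specification
        self.entries = {}
        self.floods = 0
        self.learn_failures = 0

    def expire(self, now):
        """Delete entries that were not refreshed within the aging time."""
        stale = [key for key, entry in self.entries.items()
                 if now - entry.last_seen >= self.aging_time]
        for key in stale:
            del self.entries[key]
        return len(stale)

    def learn(self, vlan, mac, port, now):
        """Record or refresh a source address; a refresh resets the aging timer."""
        entry = self.entries.get((vlan, mac))
        if entry is not None:
            entry.port, entry.last_seen = port, now
            return True
        if len(self.entries) >= self.capacity:
            self.learn_failures += 1  # table full: the new address is not learned
            return False
        self.entries[(vlan, mac)] = Entry(port, now)
        return True

    def forward(self, vlan, src, dst, in_port, now):
        """Return the outbound port, or "flood" when the destination is unknown."""
        self.expire(now)
        self.learn(vlan, src, in_port, now)
        entry = self.entries.get((vlan, dst))
        if entry is None:
            self.floods += 1
            return "flood"
        return entry.port


HOST_A, HOST_B = "0200-0000-000a", "0200-0000-000b"  # constructed addresses


def count_floods(aging_time, rounds=4, period=60):
    """Two hosts exchange one request/reply pair every `period` seconds."""
    table = MacTable(aging_time=aging_time)
    for i in range(rounds):
        t = i * period
        table.forward(10, HOST_A, HOST_B, "GE0/0/1", t)
        table.forward(10, HOST_B, HOST_A, "GE0/0/2", t + 1)
    return table.floods


def new_host_learned(aging_time, capacity=4, arrival=600):
    """Fill the table with hosts that then go silent, and let a new host appear later."""
    table = MacTable(aging_time=aging_time, capacity=capacity)
    for n in range(capacity):
        table.forward(10, f"0200-0000-01{n:02x}", "ffff-ffff-ffff", "GE0/0/3", 0)
    table.forward(10, "0200-0000-0200", "ffff-ffff-ffff", "GE0/0/4", arrival)
    return (10, "0200-0000-0200") in table.entries


if __name__ == "__main__":
    for aging in (30, DEFAULT_AGING_TIME, 3600):
        print(f"aging={aging}s floods={count_floods(aging)} "
              f"new host learned={new_host_learned(aging)}")
```

With the constructed traffic, a 30-second aging time floods one frame in every exchange, while a 3600-second aging time leaves the full table unable to learn the new host.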
Procedure
Step 1 Choose Service Management > MAC > MAC Aging Time in the navigation tree to open the
MAC Aging Time page, as shown in Figure 3-102.
Table 3-75 describes the parameters on the MAC Aging Time page.
Parameter Description
----End
Context
By learning MAC addresses, a switch can obtain MAC addresses of devices on the network
connected to an interface.
Procedure
l Query MAC address learning on an interface.
1. Choose Service Management > MAC > MAC Learning in the navigation tree to
open the MAC Learning page.
2. Set the search criteria.
3. Click Query. The search results are displayed.
l Configure MAC address learning on an interface.
1. Choose Service Management > MAC > MAC Learning in the navigation tree to
open the MAC Learning page.
2. In the Configure MAC Learning on Interface group box, select a record and click
Configure. The Configure Dynamic MAC Learning page is displayed, as shown in
Figure 3-103.
Table 3-76 describes the parameters on the Configure Dynamic MAC Learning
page.
Parameter Description
To cancel the MAC address learning limit on an interface, select the corresponding record on
the MAC Learning page and click Cancel Limit.
l Query MAC address learning on a VLAN.
1. Choose Service Management > MAC > MAC Learning in the navigation tree to
open the MAC Learning page.
2. Set the search criteria.
3. Click Query. The search results are displayed.
l Configure MAC address learning on a VLAN.
1. Choose Service Management > MAC > MAC Learning in the navigation tree to
open the MAC Learning page.
2. In the Configure MAC Learning on VLAN group box, select a record and click
Configure. The Configure Dynamic MAC Learning page is displayed, as shown in
Figure 3-104.
Table 3-77 describes the parameters on the Configure Dynamic MAC Learning
page.
Parameter Description
To cancel the MAC address learning limit in a VLAN, select the corresponding record on the
MAC Learning page and click Cancel Limit.
----End
Procedure
l Search static MAC entries.
1. Choose Service Management > MAC > Static MAC Table in the navigation tree to
open the Static MAC Table page.
2. Set the search criteria.
3. Click Query to display all matching records.
l Create a static MAC entry.
1. Choose Service Management > MAC > Static MAC Table in the navigation tree to
open the Static MAC Table page.
2. Click New to open the Create Static MAC Entry page, as shown in Figure 3-105.
Table 3-78 describes the parameters on the Create Static MAC Entry page.
Parameter Description
3. Set parameters.
4. Click OK.
l Modify a static MAC entry.
1. Choose Service Management > MAC > Static MAC Table in the navigation tree to
open the Static MAC Table page.
2. Click to open the Modify Static MAC Entry page, as shown in Figure 3-106.
NOTE
l Table 3-78 describes the parameters on the Modify Static MAC Entry page.
l The VLAN ID and MAC address cannot be modified.
3. Set parameters.
4. Click OK.
l Delete a static MAC entry.
1. Choose Service Management > MAC > Static MAC Table in the navigation tree to
open the Static MAC Table page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
----End
Context
Blackhole MAC entries are used to discard data frames with the specified source or destination
MAC addresses.
Procedure
l Create a blackhole MAC entry.
1. Choose Service Management > MAC > Blackhole MAC Table in the navigation
tree to open the Blackhole MAC Table page.
2. Click New to open the Create Blackhole MAC Entry page, as shown in Figure
3-107.
Table 3-79 describes the parameters on the Create Blackhole MAC Entry page.
Parameter Description
3. Set parameters.
4. Click OK.
l Delete a blackhole MAC entry.
1. Choose Service Management > MAC > Blackhole MAC Table in the navigation
tree to open the Blackhole MAC Table page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
----End
Context
After the sticky MAC function is enabled on an interface, the dynamic MAC addresses learned
by the interface change to Sticky MAC addresses.
Procedure
l Enable the sticky MAC function.
1. Choose Service Management > MAC > Sticky MAC in the navigation tree to open
the Sticky MAC page, as shown in Figure 3-108.
Table 3-80 describes the parameters in the Sticky MAC Enable group box on this
page.
Parameter Description
----End
3.7.3 STP
The following sections describe how to query the STP information and set the global STP
parameters, STP parameters on an interface, and parameters of an MST region.
The Spanning Tree Protocol (STP) is applicable to ring networks. It uses certain algorithms to
implement path redundancy and prune a ring network into a tree-type network. This prevents
packets from multiplying and circulating endlessly in the ring network.
Procedure
Step 1 Choose Service Management > STP > STP Information in the navigation tree to open the
STP Information page.
----End
Context
On certain networks, you need to modify STP parameters of some switches to optimize their
performance.
Procedure
Step 1 Choose Service Management > STP > STP Global in the navigation tree to open the STP
Global page, as shown in Figure 3-110.
Parameter Description
Root Type: Indicates the root type of the switch. The options are:
l Not set
The root type is not set.
l Primary
The switch is configured as root switch of the MSTI.
l Secondary
The switch is configured as the backup root switch of the MSTI.
By default, the Not set option is selected.
Working Mode: Indicates the working mode of STP. The options are:
l MSTP
The switch sends MSTP BPDUs in this mode.
l STP
The switch sends STP BPDUs in this mode.
l RSTP
The switch sends RSTP BPDUs in this mode.
The default mode is MSTP.
Max Hops: Indicates the maximum hop count of the spanning tree in an MST region. The default
value is 20.
This parameter limits the network scale of the spanning tree in the MST region. A configuration
message has the maximum hop count on the root bridge. The hop count decreases by 1 every time
the configuration message passes a switch. When the hop count decreases to 0, the configuration
message is discarded; therefore, switches with larger hop count from the root bridge cannot
participate in the spanning tree calculation. This limits the network scale in an MST region.
STP Converge Mode: Indicates the STP convergence mode. The options are:
l Fast
In this mode, the switch deletes the useless MAC address entries and ARP entries directly.
l Normal
In this mode, the switch sets the remaining aging time of the MAC address entries and the ARP
entries to 0 and ages them. If the number of ARP aging detection times is greater than 0, the
switch carries out aging detection of the ARP entries.
The default mode is Normal.
Set Bridge Diameter and Timer > forward-delay: Indicates the delay of port status transition.
The default value is 1500 centiseconds.
hello time: Indicates the interval for sending hello packets. The root bridge sends hello
packets at this interval to check whether faulty links exist. The default value is 200
centiseconds.
----End
Context
On certain networks, you need to modify STP parameters of some switches to optimize their
performance.
Procedure
Step 1 Choose Service Management > STP > STP Interface in the navigation tree, and the STP
Interface page is displayed.
Step 2 Select an interface and click Configure, and the STP Interface Settings page is displayed, as
shown in Figure 3-111.
Table 3-82 describes the parameters on the STP Interface Settings page.
Parameter Description
Path Cost: Indicates the path cost of the interface. The value range varies according to the
calculation algorithm of path costs. The value ranges from 1 to 200000 when Huawei algorithm is
used; the value ranges from 1 to 65535 when the algorithm defined in IEEE 802.1D is used; the
value ranges from 1 to 200000000 when the algorithm defined in IEEE 802.1t is used.
The path cost is the basis for calculating the spanning tree. If you set different path costs
for an interface in different MSTIs, traffic of different VLANs is load balanced among multiple
physical links.
NOTE
When the path cost of an interface changes, the MSTP recalculates the spanning tree based on the
new path cost.
Advanced > Edge port: When the spanning tree is recalculated, edge ports transit to the
Forwarding state directly, which reduces the status transition time. If an Ethernet port is not
connected to any Ethernet port of the switch, you need to configure the Ethernet port as an edge
port. There are three statuses: enable, disable, none. The default value is none.
Select a record on the STP Interface Settings page and click Details. Detailed STP settings of the interface
are displayed.
----End
Context
You need to modify the configuration of an MST region when you want to add a switch that is
not enabled with STP to the MST region or move a switch enabled with STP from one MST
region to another.
Procedure
Step 1 Choose Service Management > STP > MST Region in the navigation tree to open the MST
Region page.
Step 2 Click Modify to open the Modify Revision level page, as shown in Figure 3-112.
Table 3-83 describes the parameters on the Modify Revision level page.
Parameter Description
----End
By configuring a voice VLAN, you can set quality of service (QoS) parameters for voice data
flows to increase the priority of the voice service and improve the quality of calls.
Context
l A voice VLAN is assigned to voice data flows. You can create a voice VLAN and add the
interface connected to a voice device to the voice VLAN. Then voice data flows can be
transmitted in the voice VLAN.
l After a voice VLAN is configured, interfaces connected to IP voice devices can be added
to or deleted from the voice VLAN automatically or manually and voice data flows can be
transmitted in the voice VLAN.
Procedure
l Query voice VLAN information.
1. Choose Service Management > Voice VLAN > Voice VLAN in the navigation tree
to open the Voice VLAN page.
2. Set the search criteria.
3. Click Query to display all the matching records.
l Configure a voice VLAN.
1. Choose Service Management > Voice VLAN > Voice VLAN in the navigation tree
to open the Voice VLAN page.
2. Select an interface and click Configure to open the Configure Voice VLAN page,
as shown in Figure 3-113.
Table 3-84 describes the parameters on the Configure Voice VLAN page.
Parameter Description
----End
Context
You can set an OUI address. The OUI is the first 24 bits of a MAC address. The Institute of
Electrical and Electronics Engineers (IEEE) assigns an OUI to each vendor and you can identify
the vendor of a device according to the OUI. You can set the mask of the OUI on the switch to
adjust the length of the MAC address that the switch matches with the OUI.
Procedure
l Create a voice VLAN OUI.
1. Choose Service Management > Voice VLAN > Voice VLAN OUI in the navigation
tree to open the Voice VLAN OUI page.
2. Click New to open the Create a Voice VLAN OUI page, as shown in Figure
3-114.
Table 3-85 describes the parameters on the Create a Voice VLAN OUI page.
Parameter Description
3. Set parameters.
4. Click OK.
l Delete a voice VLAN OUI.
1. Choose Service Management > Voice VLAN > Voice VLAN OUI in the navigation
tree to open the Voice VLAN OUI page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
----End
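The OUI and mask comparison described in the Context above, as an added example that is not part of the original manual or the switch's own code. It assumes the usual bitwise rule (a MAC address matches when its masked bits equal the entry's masked bits) and uses constructed OUI entries and MAC addresses; the audit step flags masks shorter than 24 bits, which match more than one vendor block.

```python
# Added illustration; the OUI entries and MAC addresses below are constructed sample values.
MAC_BITS = 48
ALL_ONES = (1 << MAC_BITS) - 1


def parse_mac(text):
    """Parse H-H-H (0011-2200-0000) or byte-separated notation into a 48-bit integer."""
    digits = text.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def mask_length(mask):
    """Return the number of leading 1 bits, or None if the 1 bits are not contiguous."""
    inverted = ~mask & ALL_ONES
    if inverted & (inverted + 1):
        return None
    return MAC_BITS - inverted.bit_length()


def matches(mac, oui, mask):
    """Assumed matching rule: only the bits selected by the mask are compared."""
    return (mac & mask) == (oui & mask)


def classify(mac_text, oui_table):
    """Return the description of the first OUI entry the source MAC matches, else None."""
    mac = parse_mac(mac_text)
    for oui_text, mask_text, description in oui_table:
        if matches(mac, parse_mac(oui_text), parse_mac(mask_text)):
            return description
    return None


def audit(oui_table):
    """Flag entries whose mask admits more devices than a single 24-bit OUI."""
    findings = []
    for oui_text, mask_text, description in oui_table:
        oui, mask = parse_mac(oui_text), parse_mac(mask_text)
        length = mask_length(mask)
        if length is None:
            findings.append((description, "mask bits are not contiguous"))
            continue
        if length < 24:
            blocks = 2 ** (24 - length)
            findings.append(
                (description, f"{length}-bit mask matches {blocks} OUI blocks")
            )
        if oui & ~mask & ALL_ONES:
            findings.append((description, "address bits outside the mask are ignored"))
    return findings


# Constructed voice VLAN OUI table: (OUI address, mask, description).
OUI_TABLE = [
    ("0011-2200-0000", "ffff-ff00-0000", "phones-A"),  # exact 24-bit OUI
    ("00aa-0000-0000", "ffff-0000-0000", "phones-B"),  # 16-bit mask, broader than one OUI
]

if __name__ == "__main__":
    for mac in ("0011-22ab-cdef", "00:11:23:00:00:01", "00aa-bb00-0001"):
        print(mac, "->", classify(mac, OUI_TABLE))
    for description, reason in audit(OUI_TABLE):
        print("review", description + ":", reason)
```
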
3.7.5 DHCP
The switch supports Dynamic Host Configuration Protocol (DHCP) applications based on the
global address pool or an address pool configured on a VLANIF interface. The switch also
provides security guarantee for DHCP services and supports DHCP relay.
3.7.5.1 DHCP
Context
You must enable DHCP before configuring the DHCP server and DHCP relay.
Procedure
Step 1 Choose Service Management > DHCP > DHCP in the navigation tree to open the DHCP
page, as shown in Figure 3-115.
Parameter Description
----End
Context
You need to configure a DHCP server based on the global address pool to enable computers to
obtain IP addresses from the global address pool dynamically.
Procedure
l Query information about a global address pool.
1. Choose Service Management > DHCP > Configure Global Address Pool in the
navigation tree to display the Configure Global Address Pool page.
2. Set the search criteria.
3. Click Query to display all the matching records, as shown in Figure 3-116.
Table 3-87 describes the parameters for querying information about a global address
pool.
Table 3-87 Parameters for querying information about a global address pool
Parameter Description
Table 3-88 describes the parameters on the Create a Global Address Pool page.
Parameter Description
Basic Settings
Address Pool Name Indicates the name of an address pool.
Configure DNS for the Address Pool
Client Domain Name Indicates the domain name allocated by the DHCP server to the client.
DNS Server IP Indicates the IP address of a DNS server. You can configure a maximum of eight DNS
server addresses.
3. Set parameters.
4. Click OK.
l Modify a global address pool.
1. Choose Service Management > DHCP > Configure Global Address Pool in the
navigation tree to display the Configure Global Address Pool page.
2. Click to display the Modify Global Address Pool page, as shown in Figure
3-118.
NOTE
l Table 3-88 describes the parameters on the Modify Global Address Pool page.
l Address Pool Name, Subnet Address and Subnet Mask cannot be modified.
3. Set parameters.
4. Click OK.
l Delete a global address pool.
1. Choose Service Management > DHCP > Configure Global Address Pool in the
navigation tree to display the Configure Global Address Pool page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
----End
Context
Enable the DHCP service before configuring an address pool on a VLANIF interface.
Procedure
l Query information about a VLANIF interface address pool.
1. Choose Service Management > DHCP > Configure VLANIF Interface Address
Pool in the navigation tree to display the Configure VLANIF Interface Address
Pool page.
2. Set the search criteria.
3. Click Query to display all the matching records, as shown in Figure 3-119.
Table 3-89 describes the parameters for querying information about a VLANIF
interface address pool.
Table 3-89 Parameters for querying information about a VLANIF interface address
pool
Parameter Description
2. Click New to display the Create a VLANIF Address Pool page, as shown in Figure
3-120.
Table 3-90 describes the parameters on the Create a VLANIF Address Pool page.
Parameter Description
Configure DNS for the Address Pool
Client Domain Name Indicates the domain name allocated by the DHCP server to the client.
NOTE
This parameter can be configured only when the address pool type is interface.
NOTE
l Table 3-90 describes the parameters on the Modify VLANIF Address Pool page.
l VLANIF Name, Interface IP and Mask cannot be modified.
3. Set the parameters.
4. Click OK.
l Delete a VLANIF Address Pool
1. Choose Service Management > DHCP > Configure VLANIF Interface Address
Pool in the navigation tree to display the Configure VLANIF Interface Address
Pool page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
----End
Context
l Before configuring the DHCP relay function, you must configure DHCP servers.
l DHCP relay is introduced to transmit packets between DHCP clients and a DHCP server
that are on different network segments. A DHCP relay agent can transparently transmit
DHCP broadcast packets between DHCP clients and a DHCP server that are on different
network segments.
l In applications, the DHCP relay function is generally implemented on a VLANIF interface
of a switch. This interface needs to be configured with an IP relay address to specify the
DHCP server. An IP relay address refers to the IP address of the DHCP server specified
on the DHCP relay agent. After the DHCP relay function is enabled on an interface, the
DHCP broadcast packets received on the interface are sent to the specified server.
l If a DHCP server is configured on a network, the DHCP relay function can be enabled on a
switch. In this manner, the DHCP Request packet from clients can be transmitted to the
DHCP server on another network through the DHCP relay agent. To enable clients to obtain
IP addresses, the DHCP server must use a global address pool. That is, the interface of the
server connected to the DHCP relay agent cannot be configured with any address pool.
Procedure
l Create a DHCP server group.
1. Choose Service Management > DHCP > Configure DHCP Relay in the navigation
tree to open the Configure DHCP Relay page.
2. Click New to open the Create a DHCP Server Group page, as shown in Figure
3-122.
3. Set parameters.
4. Click OK.
l Delete a DHCP server group.
1. Choose Service Management > DHCP > Configure DHCP Relay in the navigation
tree to open the Configure DHCP Relay page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
l Query DHCP relay information.
1. Choose Service Management > DHCP > Configure DHCP Relay in the navigation
tree to open the Configure DHCP Relay page.
2. Set the search criteria.
3. Click Query to display all matching records.
l Configure DHCP relay.
1. Choose Service Management > DHCP > Configure DHCP Relay in the navigation
tree to open the Configure DHCP Relay page.
2. Select a record and click Configure to open the Configure DHCP Relay page, as
shown in Figure 3-123.
Table 3-91 describes the parameters on the Configure DHCP Relay page.
Parameter Description
3. Set parameters.
4. Click OK.
l Delete the DHCP relay configuration.
1. Choose Service Management > DHCP > Configure DHCP Relay in the navigation
tree to open the Configure DHCP Relay page.
2. Select a record and click Clear Configuration. The system asks you whether to delete
the record.
3. Click OK.
----End
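The relay behaviour described in the Context above, as an added example that is not part of the original manual or the switch's own code. It follows the generic BOOTP/DHCP relay rules (RFC 1542 and RFC 2131): the relay agent writes the receiving interface's address into the giaddr field and unicasts the request to every server in the group, and the server selects a global address pool by giaddr. All addresses, pool names and the sample packet are constructed.

```python
# Added illustration; addresses, pool names and the sample packet are constructed.
import ipaddress
import struct

BOOTREQUEST = 1
HOPS_OFFSET = 3                 # "hops" field of the BOOTP header
GIADDR = slice(24, 28)          # relay agent address field of the BOOTP header
MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])
MAX_HOPS = 16                   # RFC 1542: discard requests whose hops exceeds 16

# Constructed global address pools on the DHCP server: name -> subnet.
GLOBAL_POOLS = {
    "vlan10-clients": "10.1.10.0/24",
    "vlan20-clients": "10.1.20.0/24",
}


def build_discover(xid, client_mac):
    """Build a minimal broadcast DHCPDISCOVER (236-byte header, cookie, options)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 0,        # op, htype (Ethernet), hlen, hops
        xid, 0, 0x8000,              # xid, secs, flags (broadcast bit set)
        bytes(4), bytes(4), bytes(4), bytes(4),   # ciaddr, yiaddr, siaddr, giaddr
        client_mac, b"", b"",        # chaddr, sname, file (zero padded by struct)
    )
    options = bytes([53, 1, 1, 255])  # message type = DISCOVER, end option
    return header + MAGIC_COOKIE + options


def relay_request(packet, interface_ip, server_group):
    """Return [(server_ip, relayed_packet)] for a client request, or [] if dropped."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        return []                    # too short or not a DHCP message
    if packet[0] != BOOTREQUEST:
        return []                    # replies are handled on the return path
    if packet[HOPS_OFFSET] > MAX_HOPS:
        return []                    # looping or over-relayed request
    relayed = bytearray(packet)
    relayed[HOPS_OFFSET] += 1
    if relayed[GIADDR] == bytes(4):
        # First relay on the path: record the interface that received the broadcast.
        relayed[GIADDR] = ipaddress.IPv4Address(interface_ip).packed
    return [(server, bytes(relayed)) for server in server_group]


def select_pool(packet, global_pools):
    """Server side: pick the global pool whose subnet contains giaddr."""
    giaddr = ipaddress.IPv4Address(packet[GIADDR])
    for name, subnet in global_pools.items():
        if giaddr in ipaddress.ip_network(subnet):
            return name
    return None


if __name__ == "__main__":
    discover = build_discover(0x1234ABCD, bytes.fromhex("001122aabbcc"))
    # VLANIF20 (10.1.20.1) is the relay interface; the server group has two servers.
    for server, relayed in relay_request(discover, "10.1.20.1", ["192.0.2.10", "192.0.2.11"]):
        print(server, "hops", relayed[HOPS_OFFSET], "pool", select_pool(relayed, GLOBAL_POOLS))
```
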
3.7.6 ARP
The following sections describe configurations of static ARP and dynamic ARP.
On a LAN, a host or a network device must know the logical address (IP address) of another
host or network device to send data to it. The logical address alone, however, is not enough. Since
IP packets are encapsulated in frames for transmission across a physical network, the physical
address of the destination device must also be known. Therefore, the mapping from a logical
address to a physical address is required. The Address Resolution Protocol (ARP) is introduced
to map IP addresses to physical addresses (Ethernet MAC addresses).
Context
l If two devices on an Ethernet network need to communicate with each other, they must
know MAC addresses of each other. Each device maintains a table of mappings from IP
addresses to MAC addresses, that is, an ARP table.
l The ARP table of a switch contains static and dynamic ARP entries. Static ARP entries are
maintained manually, and dynamic ARP entries age based on the aging timer.
Procedure
l Query the ARP table.
1. Choose Service Management > ARP > ARP Table in the navigation tree to open
the ARP Table page, as shown in Figure 3-124.
Parameter Description
You can click Refresh to display new ARP entries after deleting the original dynamic entries.
----End
Context
ARP entries can be maintained dynamically or manually. Manually configured mappings from
IP addresses to MAC addresses are static ARP entries. You can query, add, modify, and delete
ARP entries manually.
NOTICE
Static ARP entries are always valid when a switch works normally. When a VLAN is deleted,
the ARP entries of the VLAN are also deleted.
Procedure
l Query static ARP entries.
1. Choose Service Management > ARP > Static ARP Table in the navigation tree to
open the Static ARP Table page.
2. Set the search criteria.
3. Click Query to display all matching records.
NOTE
The Static ARP Table page does not contain the ARP Type drop-down list box.
l Create a static ARP entry.
1. Choose Service Management > ARP > Static ARP Table in the navigation tree to
open the Static ARP Table page.
2. Click New to open the Create Static ARP page, as shown in Figure 3-125.
NOTE
l Table 3-93 describes the parameters on the Create Static ARP page.
Parameter Description
3. Set parameters.
NOTE
The destination IP address and the IP address of the outbound interface must be in the same
network segment.
4. Click OK.
l Modify a static ARP entry.
1. Choose Service Management > ARP > Static ARP Table in the navigation tree to
open the Static ARP Table page.
2. Click to open the Modify Static ARP page, as shown in Figure 3-126.
NOTE
l Table 3-93 describes the parameters on the Modify Static ARP page.
l The destination IP address and destination MAC address cannot be changed.
3. Set parameters.
4. Click OK.
l Delete Static ARP
1. Choose Service Management > ARP > Static ARP Table in the navigation tree to
open the Static ARP Table page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE
Context
You can set ARP parameters to use ARP entries flexibly.
Procedure
Step 1 Choose Service Management > ARP > ARP Attribute in the navigation tree to open the ARP
Attribute page, as shown in Figure 3-127.
Parameter Description
----End
3.7.7 VRRP
The following sections describe configurations of VRRP groups and VRRP parameters. The
S1720, S2720, S2750, S5700LI, and S5700S-LI switches do not support the VRRP function.
The Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol. VRRP integrates
multiple routing devices into a virtual router and uses certain mechanisms to switch services to
other routers when the next hop router fails, ensuring continuous and reliable communication.
3.7.7.1 VRRP
VRRP switches services from the master to the backup when the gateway becomes faulty,
providing continuous and reliable communication services.
Procedure
l Query VRRP group information.
1. Choose Service Management > VRRP > VRRP in the navigation tree to open the
VRRP page.
2. Set the search criteria.
Table 3-95 describes the parameters on the Create VRRP Group page.
Parameter Description
Track Interface
Interface Name Indicates the number and type of the tracked interface, for example,
GigabitEthernet0/0/1.
3. Set parameters.
4. Click OK.
l Modify the configuration of a VRRP group.
1. Choose Service Management > VRRP > VRRP in the navigation tree to open the
VRRP page.
2. Click to open the Modify VRRP Group page, as shown in Figure 3-129.
NOTE
l Table 3-95 describes the parameters on the Modify VRRP Group page.
l The VRID and VLANIF interface name cannot be changed.
3. Set parameters.
4. Click OK.
l Delete a VRRP group.
1. Choose Service Management > VRRP > VRRP in the navigation tree to open the
VRRP page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
----End
Procedure
Step 1 Choose Service Management > VRRP > VRRP Attribute in the navigation tree to open the
VRRP Attribute page, as shown in Figure 3-130.
Parameter Description
----End
Layer 2 multicast forwarding table to manage and control forwarding of multicast packets,
implementing Layer 2 multicast.
Context
By default, IGMP snooping is disabled on a switch. You need to enable global IGMP snooping
on the switch before using this function.
Procedure
Step 1 Choose Service Management > IGMP Snooping > Global IGMP Snooping in the navigation
tree to open the Global IGMP Snooping page, as shown in Figure 3-131.
Table 3-97 describes the parameters on the Global IGMP Snooping page.
Parameter Description
----End
Context
By default, IGMP snooping is disabled on a switch. You need to enable global IGMP snooping
on the switch before using this function. By default, IGMP snooping is disabled in a VLAN after
global IGMP snooping is enabled. Therefore, you need to enable IGMP snooping in the VLAN.
Procedure
l Query IGMP snooping information.
1. Choose Service Management > IGMP Snooping > Configure IGMP Snooping in
VLAN in the navigation tree to open the Configure IGMP Snooping in VLAN page.
2. Set the search criteria.
3. Click Query to display all the matching records.
l Configure IGMP snooping in a VLAN.
1. Choose Service Management > IGMP Snooping > Configure IGMP Snooping in
VLAN in the navigation tree to open the Configure IGMP Snooping in VLAN page.
2. Select a record and click Configure to open the Configure IGMP Snooping page,
as shown in Figure 3-132.
Table 3-98 describes the parameters on the Configure IGMP Snooping page.
Parameter Description
----End
3.8 WLAN(S5720HI)
This chapter describes WLAN AC configuration for the switch. You can query and configure
the WLAN AC. Only the S5720HI supports WLAN AC.
NOTE
3.8.1 AC Configuration
This section describes basic parameter settings of an AC.
3.8.1.1 AC Configuration
This section describes how to configure basic AC functions. Before an AP goes online on the
AC, the basic function configuration must be complete.
Context
An AC manages APs, controls WLAN user access, and guarantees security. APs can
communicate with the AC only after the basic AC attributes are configured.
Procedure
Step 1 Choose WLAN > AC Configuration > AC Configuration.
Step 2 On the AC Configuration tab page, set parameters described in Table 3-99.
NOTICE
When the country code is changed on an AC, information about APs connected to the AC is
deleted and the APs are reset.
Parameter Description
ID AC ID.
Buffer duration (min) Sets the period during which the AC buffers AP data.
----End
3.8.2 AP Info
This section describes parameter and function settings of an AP.
3.8.2.1 AP Information
This section describes how to add, modify, and delete an AP in AP Info.
Context
You can view information about an AP only after the AP goes online or is added offline.
NOTICE
l If the status of an AP is fault, the AP cannot be restarted.
l During the restart, you are disconnected from the AP.
Procedure
l Available APs
Adding an AP
1. Choose WLAN > AP Info > AP Info.
2. In the Available APs area, click Create. In the Create AP dialog box that is displayed,
set parameters. Or, in the Available APs area, click Batch Add. In the Add APs
dialog box that is displayed, set parameters. See Table 3-100 for description of the
parameters.
Parameter Description
ID ID of an AP to be added.
SN SN of an AP to be added.
NOTE
When the authentication mode is non-authentication on the AC, you must set MAC address or SN.
When the authentication mode is SN authentication on the AC, you must set SN.
Modifying an AP
1. Choose WLAN > AP Info > AP Info.
4. Click OK.
Parameter Description
ID ID of an AP.
Type AP type.
SN AP SN.
Deleting an AP
1. Choose WLAN > AP Info > AP Info.
2. In the Available APs area, select an AP and click Delete. In the Information dialog
box that is displayed, click OK.
Restarting an AP
1. Choose WLAN > AP Info > AP Info.
2. In the Available APs area, select an AP to be restarted and click Restart. In the
Information dialog box that is displayed, click OK.
Restarting all APs
1. Choose WLAN > AP Info > AP Info.
2. In the Available APs area, click Restart All APs. In the Information dialog box that
is displayed, click OK.
Adding an AP to a specified AP region
1. Choose WLAN > AP Info > AP Info.
2. In the Available APs area, select an AP and click Add to Region. In the AP
Region dialog box that is displayed, select a region and click OK.
Delivering configurations to an AP
1. Choose WLAN > AP Info > AP Info.
2. In the Available APs area, select an AP and click Commit Configuration. In the
Information dialog box that is displayed, click OK.
Adding APs to the whitelist
1. Choose WLAN > AP Info > AP Info.
2. In the Available APs area, select the APs to be added to the whitelist. Then, click
Add to Whitelist in the Available APs area. On the displayed Add to Whitelist page,
set the whitelist mode to MAC address whitelist or SN whitelist, and click OK. The
specified APs are added to the whitelist.
Adding APs to the blacklist
1. Choose WLAN > AP Info > AP Info.
2. In the Available APs area, select the APs to be added to the blacklist. Then, click
Add to Blacklist in the Available APs area. On the displayed Information page,
click OK. The specified APs are added to the blacklist.
2. In the Unauthorized APs area, click located at the right of an AP. In the Add
To Whitelist dialog box that is displayed, enter the MAC address and SN and click
OK. Or, in the Unauthorized APs area, select the APs to be added to the whitelist.
Then, click Add to Whitelist in the Unauthorized APs area. On the displayed Add
to Whitelist page, set the whitelist mode to MAC address whitelist or SN whitelist
and click OK. The specified APs are added to the whitelist.
NOTE
If the AP authentication mode is set to non-authentication, either the MAC address or the SN must
be entered; if the AP authentication mode is set to MAC authentication, the MAC address must be
entered; if the AP authentication mode is set to SN authentication, the SN must be entered.
Adding unauthorized APs to the blacklist
1. Choose WLAN > AP Info > AP Info.
2. In the Unauthorized APs area, select the APs to be added to the blacklist. Then, click
Add to Blacklist in the Unauthorized APs area. On the displayed Information page,
click OK. The specified APs are added to the blacklist.
----End
3.8.2.2 AP Region
This section describes how to add, modify, and delete an AP region in AP Region.
Context
Adjusting the radio channel and power of an AP may lead to adjustment of another AP. To
quicken adjustment, minimize the impact, and reduce the workload, all the APs accessing the
same AC can be divided into several regions. The impact of adjustment on an AP is limited
within the local region. An AP region can also be used for batch AP upgrade. You can upgrade
APs of the same type in the same region in batches.
Procedure
l Creating an AP region
1. Choose WLAN > AP Info > AP Region.
2. In the AP Region, click Create. In the Create AP Region dialog box that is displayed,
set parameters described in Table 3-102.
Parameter Description
l Modifying an AP region
1. Choose WLAN > AP Info > AP Region.
4. Click OK.
l Deleting an AP region
1. Choose WLAN > AP Info > AP Region.
2. In the AP Region, select an AP region and click Delete. In the Information dialog
box that is displayed, click OK.
NOTICE
The configured default AP region, the system default AP region, and AP regions that contain
any AP cannot be deleted.
----End
3.8.2.3 AP Profile
This section describes how to add, modify, and delete an AP profile in AP Profile.
Procedure
l Creating an AP profile
1. Choose WLAN > AP Info > AP Profile.
2. In the AP Profile area, click Create. In the Create AP Profile dialog box that is
displayed, set parameters described in Table 3-103.
Parameter Description
l Modifying an AP profile
1. Choose WLAN > AP Info > AP Profile.
3. In the Modify AP Profile dialog box that is displayed, set parameters described in
Table 3-103. Parameter Profile Name cannot be modified.
4. Click OK.
l Deleting an AP profile
1. Choose WLAN > AP Info > AP Profile.
2. In the AP Profile area, select an AP profile and click Delete. In the Information
dialog box that is displayed, click OK.
NOTICE
The configured default AP profile, system default AP profile, and bound AP profiles
cannot be deleted.
----End
3.8.2.4 AP Whitelist
This section describes how to add or delete an AP whitelist in AP Whitelist.
Procedure
l Adding an AP MAC address to the AP whitelist
1. Choose WLAN > AP Info > AP Whitelist.
2. In the MAC Whitelist area, click Add. In the Add to MAC Whitelist dialog box that
is displayed, set parameters described in Table 3-104.
Parameter Description
Table 3-105 Parameters for adding AP MAC addresses to the AP whitelist in batches
Parameter Description
l When adding SNs to the whitelist in batches, ensure that the end SN is larger than or equal to the
start SN and the two SNs are of the same length.
l A maximum of 4096 SNs can be deleted in batches.
----End
3.8.2.5 AP Blacklist
This section describes how to add or delete an AP blacklist in AP Blacklist.
Procedure
l Adding an AP MAC address to the AP blacklist
1. Choose WLAN > AP Info > AP Blacklist.
2. In the MAC Blacklist area, click Add. In the Add to MAC Blacklist dialog box that
is displayed, set parameters described in Table 3-106.
Parameter Description
Table 3-107 Parameters for adding AP MAC addresses to the AP blacklist in batches
Parameter Description
----End
Context
On the web platform, you can create, modify, and query a WLAN.
Procedure
l Creating a common WLAN service
1. Choose WLAN > WLAN Configuration > WLAN Configuration.
3. In the Configure AP area, click Add. In the AP dialog box, select an AP, and click
OK.
Parameter Description
5. In the Configure WLAN Service area, click Add. In the Service Set dialog box,
select a service set, and click OK.
6. Click OK. The common WLAN service is added to the WLAN list.
l Creating a WDS
1. Choose WLAN > WLAN Configuration > WLAN Configuration.
2. In the WLAN area, click Create, click Wireless Distribution System(WDS).
NOTE
Middle and leaf APs must be added to the AC in offline mode. Otherwise, they cannot go
online.
4. Set parameters described in Table 3-109.
Parameter Description
3. In the Configure AP area, click Add. In the AP dialog box, select an AP, and click
OK.
NOTE
Parameter Description
5. Click OK. The wireless mesh network is added to the WLAN list.
l Modifying a wireless network configuration
1. Choose WLAN > WLAN Configuration > WLAN Configuration.
3. In the Modify WLAN Configuration dialog box that is displayed, set parameters
described in Table 3-108, Table 3-109, or Table 3-110.
4. Click OK.
l Deleting a wireless network configuration
1. Choose WLAN > WLAN Configuration > WLAN Configuration.
2. In the WLAN area, select a configuration record and click Delete. In the
Information dialog box that is displayed, click OK.
l Delivering a wireless network configuration.
1. Choose WLAN > WLAN Configuration > WLAN Configuration.
2. In the WLAN area, select the configuration to be delivered and click Commit
Configuration. In the dialog box that is displayed, click OK.
----End
Context
A radio profile is a set of commonly-used basic radio parameters, including channel mode, power
mode, calibration switch, and calibration interval. If a radio is bound to a radio profile, the radio
has all parameters configured on the radio profile. Since one radio profile can be bound with
multiple radios, the radio profile can simplify radio configuration.
Procedure
l Creating a radio profile
1. Choose WLAN > Radio Profile to display the Radio Profile page.
2. On the Radio Profile page, click Create to display the Create Radio Profile page.
3. On the Create Radio Profile page, select or enter each parameter based on actual
requirements. For description of the parameters, see Table 3-111.
4. Click OK to save the parameter settings.
Parameter Description
Basic Rate Set Configure the basic rate set of the 802.11bg protocol or the 802.11a protocol in the
radio profile.
All rates specified in the basic rate set must be supported by both the AP and STA; otherwise, the
STA cannot associate with the AP.
Support Rate Set Configure the supported rate set of the 802.11bg protocol or the 802.11a protocol
in the radio profile.
The supported rate set contains rates supported by the AP, except the basic rates. The AP and STA
can transmit data at all rates specified by the supported rate set.
l Maximum MCS for spatial stream 1
l Maximum MCS for spatial stream 2
l Maximum MCS for spatial stream 3
Configure the maximum MCS value for the 802.11ac protocol in the radio profile.
A larger MCS value indicates a higher transmission rate.
STA access control STA access control. This feature allows an AP to control user access based on
the thresholds specified according to the radio channel usage and number of online users, which
enables provision of quality network access services.
l By STA quantity: STA access control by STA quantity is less accurate but uses a simple
algorithm. This implementation mode is recommended when most users have the same type of
services and similar service traffic volumes.
l By channel usage: STA access control by channel usage uses a complex algorithm but is
accurately implemented to ensure service quality. This implementation mode is recommended
when service types and traffic volumes differ greatly among users.
l Disable: STA access control is disabled.
Hide SSID when reaching threshold Automatic SSID hiding. To prevent new users from discovering
the SSID of the AP to send association requests, configure automatic SSID hiding to disable the
AP radio from advertising SSIDs.
Threshold for STA interference Alarm threshold for STAs not managed by the local AP.
If there are too many STAs that are managed by other APs around the local AP, services of the
STAs managed by the local AP may be affected. After interference detection is enabled, the AP can
detect STAs managed by other APs. When the number of detected STAs exceeds the specified alarm
threshold, the AP reports alarms to the AC.
802.11n A-MPDU status Enable the MAC Protocol Data Unit (MPDU) aggregation function.
An 802.11 packet is sent as an MPDU, requiring channel competition and backoff and consuming
channel resources. The 802.11n MPDU aggregation function aggregates multiple MPDUs into an
aggregate MAC Protocol Data Unit (A-MPDU), so that N MPDUs can be transmitted through one
channel competition and backoff. This function saves the channel resources to be consumed for
sending N-1 MPDUs. The MPDU aggregation function improves channel efficiency and 802.11
network performance.
Background neighbor probing Background neighbor probing helps you learn the status of all
channels on the WLAN network.
If background neighbor probing is enabled, an AP determines whether to switch to another channel
for neighbor probing every 10s based on the service traffic volume and threshold of user quantity.
If the channel switching condition is met (the number of users or traffic on the channel does not
exceed the threshold), the AP switches to the new channel. The AP then listens for Beacon frames
on the new channel and saves the probing result. After 60 ms, the AP switches back to the original
channel.
----End
Context
802.11 provides services of the same quality for all applications. Different applications, however,
have different requirements for wireless networks. 802.11 cannot provide services of different
qualities for different applications.
To provide services of different qualities for different applications, the Wi-Fi Alliance defines
the Wi-Fi Multimedia (WMM) standard, which classifies data packets into four access categories
(ACs) in descending order of priorities, that is, AC-voice (AC-VO), AC-video (AC-VI), AC-
best effort (AC-BE), and AC-background (AC-BK). This standard ensures that high-priority
packets preempt channels.
A WMM profile is created to implement the WMM protocol. After a WMM profile is created,
packets with higher AP or STA priority preempt a wireless channel first, ensuring better quality
for voice and video services on WLANs.
You can configure WMM profiles to provide different services on STAs or APs with different
channel preemption capabilities and implement different QoS.
Procedure
l Creating a WMM profile
1. Choose WLAN > Radio Profile > WMM Profile to display the WMM Profile page.
2. On the WMM Profile page, click Create to display the Create WMM Profile page.
3. On the Create WMM Profile page, select or enter each parameter based on actual
requirements. For description of the parameters, see Table 3-112.
4. Click OK to save the parameter settings.
Parameter Description
Parameter Description
Mandatory If the WMM mandatory switch is enabled, STAs that do not support
control WMM cannot connect to a WMM-enabled AP.
status If the WMM mandatory switch is disabled, STAs that do not support
WMM are allowed to connect to a WMM-enabled AP.
NOTE
On a WLAN, wireless channels are open and all STAs have the same chance
to occupy a channel. You can configure WMM to distinguish high-priority
packets and enable the high-priority packets to preempt channels. You can
also disable STAs that do not support WMM from connecting to a WMM-
enabled AP, which prevents those STAs from preempting channels of WMM-
capable STAs.
----End
Context
You must deliver service parameters to APs so that STAs can associate with APs to access the
network. A service set is a collection of service parameters. You can set the SSID, service VLAN,
maximum number of access STAs, and association aging time of STAs, and determine whether
to hide the SSID in a service set. Manually configure a service set and bind it to AP radios. All
service parameters in the service set then apply to the VAPs, and the APs can provide
differentiated WLAN services using these service parameters.
Procedure
l Creating a service set
1. Choose WLAN > Service Set > Service Set. The Service Set tab page is displayed.
2. In the Service Set area, click Create. In the Create Service Set dialog box that is
displayed, set parameters described in Table 3-113.
3. Click OK.
Parameter         Description
Service set type  Type of the service set. The default value is Service.
4. Click OK.
l Deleting a service set
1. Choose WLAN > Service Set > Service Set. The Service Set tab page is displayed.
2. In the Service Set area, select a service set and click Delete. In the Information dialog
box that is displayed, click OK.
l Searching for service sets
1. Choose WLAN > Service Set > Service Set. The Service Set tab page is displayed.
2. In the Service Set area, set Search and click Go. Service sets matching the search
criteria are displayed. You can view, modify, and delete the service sets.
----End
Context
To apply priority mapping and traffic policing functions to a WLAN network, create a traffic
profile.
l Priority mapping: If Wi-Fi Multimedia (WMM) is enabled on both a STA and an AP, the
STA sends packets carrying a priority field. After receiving an 802.11 packet, the AP
converts it to an 802.3 packet. If the packet needs to be sent to the AC, the AP encapsulates
the 802.3 packet with a CAPWAP header. Priority mapping must be configured to retain
priorities of packets during the entire transmission process, ensuring end-to-end QoS.
After receiving an 802.11 packet from the STA, the AP maps the 802.1p priority or
priority in the Precedence field to the 802.11 user priority.
In tunnel forwarding mode, the 802.1p or Precedence field must be mapped to a tunnel
priority.
The AC forwards the 802.3 packets received from the Internet to the AP directly or
through a tunnel. After receiving the 802.3 packets, the AP maps the 802.1p or
Precedence field to the 802.11 user priority.
l Traffic policing: To protect network resources, the AC needs to limit the rate of packets
sent from STAs to a WLAN network.
Procedure
l Creating a traffic profile
1. Choose WLAN > Service Set > Traffic Profile. The Traffic Profile tab page is
displayed.
2. In the Traffic Profile area, click Create. In the Create Traffic Profile dialog box
that is displayed, set parameters described in Table 3-114.
3. Click OK.
Parameter                          Description
VAP upstream rate limit(kbit/s)    Upstream rate limit for all terminals associating with a VAP.
                                   The value must be larger than the upstream rate limit for a STA.
VAP downstream rate limit(kbit/s)  Downstream rate limit for all terminals associating with a VAP.
                                   The value must be larger than the downstream rate limit for a STA.
3. In the Modify Traffic Profile dialog box that is displayed, modify parameters
described in Table 3-114.
4. Click OK.
l Deleting a traffic profile
1. Choose WLAN > Service Set > Traffic Profile. The Traffic Profile tab page is
displayed.
2. In the Traffic Profile area, select a traffic profile and click Delete.
3. In the Information dialog box that is displayed, click OK.
l Searching for traffic profiles
1. Choose WLAN > Service Set > Traffic Profile. The Traffic Profile tab page is
displayed.
2. In the Traffic Profile area, click Search. Traffic profiles matching the search criteria
are displayed. You can view, modify, and delete the traffic profiles.
----End
Context
When configuring WLAN services, the administrator needs to bind the security profile to the
service set. This ensures secure access of STAs. You can query, create, modify, and delete a
security profile.
NOTE
If Authentication policy, Authentication mode, and Encryption mode are set to WEP, OPEN-SYSTEM, and
NONE respectively, users can access the WLAN without authentication. The settings bring security risks, and
therefore are not recommended. If the settings are required, configure the Portal security policy to enhance
security.
Procedure
l Querying a security profile
1. Choose WLAN > Service Set > Security Profile.
2. In the Security Profile area, view all existing security profiles. You can set Search,
enter a keyword, and click Go to search for a security profile.
l Creating a security profile
1. Choose WLAN > Service Set > Security Profile.
2. In the Security Profile area, click Create. In the Create Security Profile dialog box
that is displayed, set parameters described in Table 3-115.
3. Click OK.
If the security profile is displayed in the security profile list, the profile is created.
If the security profile is removed from the security profile list, the profile is deleted.
----End
Context
A VAP is a functional entity on an AP. Multiple VAPs can be created on an AP to provide access
services for different STAs. To differentiate VAPs that different STAs associate with, you must
create a dynamic interface for each VAP. Additionally, to speed up the configuration, you need
to use a profile to create multiple dynamic interfaces simultaneously. WLAN-DBSS interfaces
and WLAN-ESS interfaces are developed to solve the preceding problems.
You can create, modify, delete, and query extended service set (ESS) interfaces using the web
platform.
Procedure
l Creating an ESS interface
1. Choose WLAN > Service Set > ESS Interface. The ESS Interface tab page is
displayed.
2. In the ESS Interface area, click Create. In the Create ESS Interface dialog box that
is displayed, set parameters described in Table 3-116.
3. Click OK.
4. Click OK.
l Deleting an ESS interface
1. Choose WLAN > Service Set > ESS Interface. The ESS Interface tab page is
displayed.
2. In the ESS Interface area, select an ESS interface and click Delete. In the
Information dialog box that is displayed, click OK.
l Searching for ESS interfaces
1. Choose WLAN > Service Set > ESS Interface. The ESS Interface tab page is
displayed.
2. In the ESS Interface area, set Search and click Go. ESS interfaces matching the
search criteria are displayed. You can view, modify, and delete the ESS interfaces.
----End
Context
STA blacklist and whitelist functions allow authorized STAs to connect to the WLAN and reject
access from unauthorized STAs.
l A whitelist contains MAC addresses of STAs that are allowed to connect to a WLAN. After
the whitelist function is enabled, only the STAs in the whitelist can connect to the WLAN,
and access from other STAs is rejected.
l A blacklist contains MAC addresses of STAs that are not allowed to connect to a WLAN.
After the blacklist function is enabled, STAs in the blacklist cannot connect to the WLAN,
and other STAs can connect to the WLAN.
When the blacklist or whitelist function is configured on a VAP, you must bind the STA blacklist
or whitelist profile to the service set after you configure the blacklist or whitelist in the profile.
The device supports the configuration of STA blacklist or whitelist function for an AP or a VAP.
If an AP and a VAP are configured with the blacklist or whitelist function, a STA can connect
to the WLAN only when it is permitted by both the configuration on the AP and VAP. To
configure a blacklist or whitelist based on an AP, see 3.8.11.4 STA Blacklist/Whitelist.
If the whitelist or blacklist is empty, all STAs can connect to the WLAN.
The configurations of STA blacklist and whitelist profiles are the same. The following describes
the configuration of STA whitelist profile as an example.
Procedure
l Querying a STA whitelist profile
1. Choose WLAN > Service Set > STA Blacklist/Whitelist Profile.
2. In the STA Whitelist Profile area, view all existing STA whitelist profiles. You can
enter a keyword, and click Search to search for a STA whitelist profile.
l Creating a STA whitelist profile
1. Choose WLAN > Service Set > STA Blacklist/Whitelist Profile.
2. In the STA Whitelist Profile area, click Create. In the Create STA Whitelist
Profile dialog box that is displayed, set parameters described in Table 3-117.
3. Click OK.
If the STA whitelist profile is displayed in the STA whitelist profile list, the profile is
created.
2. In the STA Whitelist Profile area, click the icon corresponding to the STA whitelist
profile to be modified.
3. In the Modify STA Whitelist Profile dialog box that is displayed, set parameters
described in Table 3-117.
4. Click OK.
l Deleting a STA whitelist profile
1. Choose WLAN > Service Set > STA Blacklist/Whitelist Profile.
2. In the STA Whitelist Profile area, select a STA whitelist profile, and click Delete.
In the Information dialog box that is displayed, click OK.
If the STA whitelist profile is removed from the STA whitelist profile list, the profile
is deleted.
----End
WDS Introduction
A WDS connects two or more wired or wireless LANs wirelessly to establish a large network.
On a traditional WLAN, APs exchange data with STAs using wireless channels and connect to
a wired network through uplinks. To expand the coverage area of a wireless network, APs need
to be connected by switches. This deployment requires high costs and takes a long time. In some
places, such as subways, tunnels, and docks, it is difficult to connect APs to the Internet through
wired links. WDS technology can connect APs wirelessly in these places, which reduces network
deployment costs, makes the network easy to expand, and allows flexible networking.
WDS Concepts
[Figure: WDS network, showing STAs, a switch, the Internet, a LAN, and an AP wired interface in endpoint mode]
l Working mode of an AP's wired interface: On a WDS network, an AP's wired interface can
connect to either an upstream wired network or a downstream user host or LAN. Depending
on an AP's location, a wired interface works in root or endpoint mode.
Root: The wired interface connects to an upstream wired network.
Endpoint: The wired interface connects to a downstream user host or LAN.
NOTE
On a WDS network, one wired interface must work in root mode to connect to the wired network.
[Figure: network diagram with AP1, AP2, a switch, an AC, the Internet, STAs, a LAN, and PCs; legend: wireless virtual link]
l Point-to-multipoint deployment
As shown in Figure 3-146, AP1, AP2, and AP3 set up wireless virtual links with AP4. Data
from all STAs associating with AP1, AP2, and AP3 is forwarded by AP4.
[Figure 3-146: point-to-multipoint deployment with AP1, AP2, AP3, AP4, an AC, the Internet, STAs, and LANs]
Context
A bridge profile contains the parameters of WVLs between APs. After a bridge profile is bound
to a radio, the radio has all attributes of the bridge profile and a bridge VAP is automatically
created. The radio uses different VAP parameters to set up and maintain WVLs between APs.
A bridge profile in the WDS has the same function as a service set in traditional WLAN services.
A bridge profile is bound to a specified AP radio to create a bridge VAP. Bridge VAPs include
AP VAPs and STA VAPs.
As shown in Figure 3-148, when a bridge VAP is created, VAPs 12, 13, 14, and 15 are generated.
Among these VAPs, VAP 14 and VAP 15 are reserved. VAP 12 is an AP VAP and VAP 13 is
a STA VAP.
Procedure
l Creating a bridge profile
1. Choose WLAN > WDS Profile > Bridge Profile.
3. In the Create Bridge Profile dialog box that is displayed, set parameters described
in Table 3-118.
4. Click OK.
3. In the Modify Bridge dialog box that is displayed, set parameters described in Table
3-118.
4. Click OK.
l Deleting a bridge profile
1. Choose WLAN > WDS Profile > Bridge Profile.
2. In the WDS Profile area, select a bridge profile, and click Delete. In the
Information dialog box that is displayed, click OK.
l Refreshing bridge profile information
1. Choose WLAN > WDS Profile > Bridge Profile.
2. In the WDS Profile area, click Refresh.
l Searching for a bridge profile
1. Choose WLAN > WDS Profile > Bridge Profile.
2. In the WDS Profile area, set Search, enter a keyword, and click Go.
NOTE
Fuzzy match is supported. For example, if you enter the keyword P, all profile names
containing P are displayed.
----End
Context
A bridge whitelist contains MAC addresses of neighboring APs that can connect to a bridge. If
the whitelist is used, only neighboring APs with MAC addresses in the whitelist can connect to
the bridge. On WDS networks, the whitelist can be configured only on root APs or middle APs.
NOTE
l WVLs can be established only when neighboring APs with MAC addresses in the whitelist succeed in
authentication.
l If the bridge uses no whitelist, all the neighboring APs can connect to the bridge.
Procedure
l Creating a bridge whitelist
1. Choose WLAN > WDS Profile > Bridge Whitelist.
3. In the Create Bridge Whitelist dialog box that is displayed, set parameters described
in Table 3-119.
4. Click OK.
Parameter    Description
MAC address  MAC addresses of the neighboring APs that are allowed to access the bridge.
             To add a MAC address to the bridge whitelist, enter a MAC address in the
             MAC Address text box, and click the add icon. If the MAC address is
             displayed in the text box below the MAC Address text box, the MAC
             address is added to the bridge whitelist.
             To delete a MAC address from the bridge whitelist, enter a MAC address in
             the MAC Address text box, and click the delete icon. If the MAC address is
             removed from the text box below the MAC Address text box, the MAC
             address is deleted from the bridge whitelist.
3. In the Modify Bridge Whitelist dialog box that is displayed, set parameters described
in Table 3-119.
4. Click OK.
l Deleting a bridge whitelist
1. Choose WLAN > WDS Profile > Bridge Whitelist.
2. In the Bridge Whitelist area, select a bridge profile, and click Delete. In the
Information dialog box that is displayed, click OK.
l Refreshing a bridge whitelist
1. Choose WLAN > WDS Profile > Bridge Whitelist.
2. In the Bridge Whitelist area, click Refresh.
l Searching for a bridge whitelist
1. Choose WLAN > WDS Profile > Bridge Whitelist.
2. In the Bridge Whitelist area, set Search, enter a keyword, and click Go.
NOTE
Fuzzy match is supported. For example, if you enter the keyword P, all whitelist names
containing P are displayed.
----End
Context
After configuring the WDS, choose WLAN > AP Info and restart the root AP. Root AP restarting
takes about 10 minutes. After the root AP restarts, you can view wireless virtual link (WVL)
information.
Procedure
l Searching for WVL information
1. Choose WLAN > WDS Profile > WVL Information.
2. In the Wireless Virtual Link area, set Search, enter a keyword, and click Go. Table
3-120 describes WVL parameters.
NOTE
Fuzzy match is supported. For example, if you enter the keyword P, all AP IDs containing
P are displayed.
Parameter  Description
Peer MAC   MAC address of the AP that connects to the local bridge AP through a WVL.
Context
On a traditional WLAN, APs exchange data with STAs using wireless channels and connect to
a wired network through uplinks. If no wired network is available for WLAN construction, a
wired network must be constructed first, which costs both time and money. If the
positions of some APs on a WLAN need to be adjusted, the wired network must be adjusted
accordingly, which makes network adjustment more difficult. With Mesh technology, APs can
connect to each other wirelessly, which allows flexible networking and quick network deployment
and facilitates dynamic expansion of network coverage.
As shown in Figure 3-152, APs on a Mesh network can be sorted into the following types based
on functions:
l Mesh Point (MP): It is a mesh-capable node that uses IEEE 802.11 MAC and physical layer
protocols for wireless communication. This node supports automatic topology discovery,
automatic route discovery, and data packet forwarding. MPs can provide both mesh service
and user access service.
l Mesh Portal Point (MPP): It is an MP that connects the Mesh network to networks of other
types. This node has the portal function and can help mesh nodes communicate with
external networks.
[Figure 3-152: Mesh network with an AC, MP3, MP4, and STA1 to STA3; legend: Mesh link, user access]
A Mesh profile contains the attributes of Mesh links set up between MPs. After a Mesh profile
is bound to a radio, the radio has all attributes of the Mesh profile and automatically creates a
Mesh VAP. The radio uses different VAP parameters to set up and maintain the Mesh links
between MPs.
A Mesh profile has a function similar to that of a service set in the traditional WLAN service. It
can be bound to the specified AP radio to create a Mesh VAP.
Procedure
l Creating a Mesh profile
1. Choose WLAN > Mesh Profile > Mesh Profile to display the Mesh Profile page.
2. On the Mesh Profile page, click Create. On the Create Mesh Profile page that is
displayed, set the parameters. For description of the parameters, see Table 3-121.
2. Click the icon next to the Mesh profile details on the Mesh Profile page.
3. On the Modify Mesh Profile page, re-enter or reselect the parameters. For description
of the parameters, see Table 3-121.
----End
Context
A Mesh whitelist contains MAC addresses of neighboring MPs that are allowed to connect to
an MP. After a Mesh whitelist is bound to an MP radio, only neighboring MPs with the MAC
addresses in the whitelist can connect to the MP.
NOTE
If the Mesh whitelist contains no entry, no neighboring MPs can connect to the MP.
Procedure
l Creating a Mesh whitelist
1. Choose WLAN > Mesh Profile > Mesh Whitelist to display the Mesh Whitelist
page.
2. On the Mesh Whitelist page, click Create. On the Create Mesh Whitelist page that
is displayed, set the parameters. For description of the parameters, see Table 3-122.
2. Click the icon next to the Mesh profile details in Mesh Whitelist.
3. On the Modify Mesh Whitelist page, re-enter or reselect the parameters. For
description of the parameters, see Table 3-122.
----End
Procedure
l Viewing WVL information
1. Choose WLAN > Mesh Profile > WVL Information to display the Wireless Virtual
Link page.
2. Select AP ID, AP name, or MAC address in Search, enter the search keywords, and
click Go to search for the WVL information matching the selected search item and
entered keywords. For description of the parameters, see Table 3-123.
NOTE
The WVL information search function supports fuzzy match based on keywords. For example, if
AP ID is selected as the search item and the search keyword is P, all AP IDs that contain the letter
"P" can be found.
AP ID ID of an AP on a Mesh network.
Context
The capabilities of an AP are limited. If a large number of STAs exist in a hotspot area, the
carrier deploys multiple APs in this area to meet requirements of the STAs. To prevent uneven
loads on APs, add these APs to a load balancing group. Pay attention to the following
information:
l A radio can join only one load balancing group.
l AP radios in a load balancing group work in different channels.
l Member radios in a load balancing group must be of the same type.
l Each load balancing group supports a maximum of three APs.
Procedure
l Creating a static load balancing group
1. Log in to the web platform, and choose WLAN > Load Balancing > Static Load
Balancing Group.
2. In the Load Balancing Group area, click Create. In the Create Load Balancing
Group dialog box that is displayed, set parameters described in Table 3-124.
3. Click OK.
2. In the Load Balancing Group area, select a static load balancing group and click
Delete.
3. In the dialog box that is displayed, click OK.
l Updating static load balancing groups
1. Log in to the web platform, and choose WLAN > Load Balancing > Static Load
Balancing Group.
2. In the Load Balancing Group area, click Refresh. Information about static load
balancing groups is updated.
l Searching for static load balancing groups
1. Log in to the web platform, and choose WLAN > Load Balancing > Static Load
Balancing Group.
2. In the Load Balancing Group area, set Search and click Go. Static load balancing
groups matching the search criteria are displayed. You can view, modify, and delete
the static load balancing groups.
----End
Context
Static load balancing limits the maximum number of AP radios to 3 and allows only radios in
the same frequency band to join a load balancing group. Additionally, a load balancing group
needs to be manually specified. Dynamic load balancing is used to overcome the limitations of
static load balancing.
In dynamic load balancing mode, the AP determines whether a STA can be associated based on
the load of the dynamic load balancing group. Dynamic load balancing works as follows: a STA
sends a broadcast Probe Request frame to scan available APs. The APs that receive the Probe
Request frame report STA information to the AC. The AC adds these APs to a load balancing
group, and then uses a load balancing algorithm to determine whether to allow access from the STA.
Procedure
l Configuring dynamic load balancing
1. Log in to the web platform, and choose WLAN > Load Balancing > Dynamic Load
Balancing Group.
2. On the Dynamic Load Balancing Group area, set parameters described in Table
3-125.
3. Click Apply.
----End
Context
WLAN networks are vulnerable to threats from rogue APs and users, ad-hoc networks, and so
on. The device supports the following mechanisms:
l WIDS: detects rogue APs, bridges, STAs, ad-hoc networks, and APs using the same
working channel.
l WIPS: disconnects authorized users from bogus APs and disconnects unauthorized STAs
and ad-hoc networks from APs.
Wireless Intrusion Detection System (WIDS) supports attack detection. It can detect flood
attacks, weak IV attacks, spoofing attacks, and brute force cracking of the WPA/WPA2/WAPI
pre-shared key and the WEP shared key, and it notifies the network administrator of insecurity
factors using logs, statistics, and alarms. When detecting a device that initiates flood attacks or
brute force cracking, the AC adds the device to the blacklist and rejects packets from the device
within the blacklist timeout period.
Procedure
l Querying the status of an AP configured with WIDS
1. Choose WLAN > WIDS Configuration > WIDS Configuration.
2. In the WIDS Configuration, view the status of an AP configured with WIDS. You
can set Search, enter a keyword, and click Go to search for an AP.
l Configuring WIDS for an AP
1. Choose WLAN > WIDS Configuration > WIDS Configuration.
2. In the WIDS Configuration area, click Create. The page for setting parameters is
displayed. Table 3-126 describes the parameters.
3. In the Select AP area, click Add. In the AP List dialog box that is displayed, select
an AP and click OK.
6. In the Radio Configuration area, you can configure attack detection, device
detection, and countermeasure. To configure these functions for multiple radios, click
New. Table 3-126 describes parameters of these functions.
7. Click OK. The AP configured with WIDS is displayed in the WIDS configuration
list.
Parameter                                   Description
Brute force cracking detection interval(s)  Interval for detecting brute force cracking of the PSK key.
----End
Context
SSIDs in the whitelist can be used only by the AC. If a rogue AP uses the SSIDs, the monitor
AP does not counter the AP although SSIDs are countered.
Procedure
l Querying an SSID whitelist
1. Choose WLAN > WIDS Configuration > SSID Whitelist.
2. In the SSID Whitelist area, enter a keyword or an SSID, and click Search.
l Creating an SSID whitelist
1. Choose WLAN > WIDS Configuration > SSID Whitelist.
2. In the SSID Whitelist area, click Create. In the Create SSID Whitelist dialog box
that is displayed, set SSID.
3. Click OK. If the SSID is displayed in the SSID whitelist, the SSID whitelist is created.
l Modifying an SSID whitelist
1. Choose WLAN > WIDS Configuration > SSID Whitelist.
If the SSID is removed from the SSID whitelist, the SSID is deleted.
----End
Context
After device detection is enabled, you can view information about rogue devices and historical
records. All rogue devices are recorded in the historical records.
Procedure
l Viewing information about a rogue device
1. Choose WLAN > WIDS Configuration > Rogue Device.
2. In the Rogue Device area, set Search, enter a keyword, and click Go. Table 3-127
describes search items of a rogue device.
----End
Context
After attack detection is enabled, you can view or delete statistics on attacks of different types.
Procedure
l Viewing statistics on attacks
1. Choose WLAN > WIDS Configuration > Attack Statistics.
2. In the Attack Statistics area, view statistics on attacks of different types. Table
3-128 describes different types of attacks.
Probe Request Frame Flood Attack  Flood attack caused by Probe Request frames
Null Data Frame Flood Attack      Flood attack caused by null data frames
Null Qos Frame Flood Attack       Flood attack caused by null QoS frames
EAPOL Start Frame Flood Attack    Flood attack caused by EAPOL start frames
EAPOL Logoff Frame Flood Attack   Flood attack caused by EAPOL logoff frames
----End
Context
After attack detection is enabled, information about a detected attack device is saved in the
attack detection list. When the attack device stops attacking, the device is removed from the
attack detection list and the attack is added to the attack record list. You can check or delete
entries in the attack detection list and attack record list.
Procedure
l Querying attack detection list
1. Choose WLAN > WIDS Configuration > Attack Records.
2. In the Attack Detection List area, set Search, enter a keyword, and click Go. Table
3-129 describes search items.
----End
Context
After attack detection and dynamic blacklist are enabled, an AP adds devices that initiate attacks
to the dynamic blacklist and rejects packets from these devices within the blacklist timeout
period.
Devices that initiate flood attacks and brute force cracking of the WPA/WPA2/WAPI pre-shared
key and the WEP shared key can be added to the dynamic blacklist.
Procedure
l Viewing the dynamic blacklist
1. Choose WLAN > WIDS Configuration > Dynamic Blacklist.
2. In the Dynamic Blacklist area, set Search, enter a keyword, and click Go. Table
3-130 describes search items.
----End
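The flood detection and dynamic blacklist behaviour described above can be modelled as a sliding-window counter per source MAC and frame type. The following is an added example, not Huawei code: the class and function names, the frame-type labels, and the interval, threshold and timeout values are assumptions chosen for the demonstration, not device defaults.

```python
from collections import defaultdict, deque

# Frame types the page lists under attack statistics (labels are this example's).
FLOOD_TYPES = {"probe-request", "null-data", "null-qos", "eapol-start", "eapol-logoff"}


class FloodDetector:
    """Counts management/control frames per (source MAC, frame type) in a
    sliding window and blacklists a source that exceeds the threshold."""

    def __init__(self, interval=1.0, threshold=5, blacklist_timeout=10.0):
        # All three values are assumptions for the demo, not device defaults.
        self.interval = interval                    # detection window, seconds
        self.threshold = threshold                  # frames tolerated per window
        self.blacklist_timeout = blacklist_timeout  # seconds a source stays blocked
        self.windows = defaultdict(deque)           # (mac, type) -> timestamps
        self.blacklist = {}                         # mac -> expiry time
        self.attack_records = []                    # (time, mac, type, frame count)

    def handle(self, ts, mac, frame_type):
        """Return 'drop', 'alarm' or 'pass' for one received frame."""
        expiry = self.blacklist.get(mac)
        if expiry is not None:
            if ts < expiry:
                return "drop"            # rejected within the timeout period
            del self.blacklist[mac]      # entry aged out, evaluate normally
        if frame_type not in FLOOD_TYPES:
            return "pass"
        window = self.windows[(mac, frame_type)]
        window.append(ts)
        while window and ts - window[0] >= self.interval:
            window.popleft()             # forget frames older than the window
        if len(window) > self.threshold:
            self.blacklist[mac] = ts + self.blacklist_timeout
            self.attack_records.append((ts, mac, frame_type, len(window)))
            window.clear()
            return "alarm"
        return "pass"


LEGIT = "60de-4474-9640"     # sample address taken from the page's whitelist example
FLOODER = "0011-2233-4455"   # constructed address

# Constructed capture: (timestamp in seconds, source MAC, frame type), in time order.
SAMPLE_FRAMES = [
    (0.00, LEGIT, "probe-request"),
    (0.50, LEGIT, "probe-request"),
    (1.00, FLOODER, "eapol-start"),
    (1.10, FLOODER, "eapol-start"),
    (1.20, FLOODER, "eapol-start"),
    (1.25, LEGIT, "probe-request"),
    (1.30, FLOODER, "eapol-start"),
    (1.40, FLOODER, "eapol-start"),
    (1.50, FLOODER, "eapol-start"),   # sixth frame inside one interval
    (1.60, FLOODER, "eapol-start"),
    (1.70, FLOODER, "eapol-start"),
    (2.00, LEGIT, "probe-request"),
    (3.10, LEGIT, "probe-request"),
    (5.00, FLOODER, "data"),          # still inside the blacklist timeout
    (12.00, FLOODER, "data"),         # after the blacklist entry expired
]


def replay(frames, detector=None):
    """Feed frames to a detector and return (verdict list, detector)."""
    detector = detector or FloodDetector()
    verdicts = [detector.handle(ts, mac, ftype) for ts, mac, ftype in frames]
    return verdicts, detector


if __name__ == "__main__":
    verdicts, det = replay(SAMPLE_FRAMES)
    for frame, verdict in zip(SAMPLE_FRAMES, verdicts):
        print(frame, verdict)
    print("attack records:", det.attack_records)
```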
Context
In the AC + Fit AP networking, the AC manages and controls WLAN services of users. An AC
may control hundreds of APs and thousands of STAs; therefore, the AC must be highly reliable.
If the AC is faulty, the services of all users connected to the AC are interrupted. An AC can
perform dual-link cold backup.
l Dual-Link Cold Backup
As shown in Figure 3-162, an active AC and a standby AC are deployed on the WLAN.
The AP establishes CAPWAP tunnels with the two ACs, and periodically exchanges
CAPWAP packets with the ACs to monitor link status. The active AC controls access of
STAs. If the AP detects a fault on the link between the AP and active AC, the AP requests
the standby AC to trigger an active/standby switchover, that is, the standby AC becomes
the active AC to control access of STAs. This mechanism improves WLAN reliability.
After the original active AC is restored, the AP requests the active and standby ACs to
perform revertive switchover. The restored AC becomes the active AC again.
[Figure 3-162: an active AC and a standby AC connected through a switch to an AP serving STAs, with a primary CAPWAP tunnel and a backup CAPWAP tunnel]
Procedure
l Configuring device backup
1. Log in to the web platform and choose WLAN > Backup Configuration > Backup
Configuration.
2. Enable or disable AC dual-link cold backup, as shown in Figure 3-163. Set or enter
corresponding backup parameters. For description of the parameters, see Table
3-131.
3. Click Apply to complete the backup configuration.
----End
Context
On the STA Management tab page, you can view information about STAs such as the MAC
addresses, IP addresses, and radio modes.
Procedure
l Check STA information.
1. Choose WLAN > Terminal Management > STA Management.
2. Set Search and the query criteria, and click Go. You can view information about found
STAs. Click details on the right of the STA's MAC address to check STA information.
Table 3-132 describes STA parameters.
STAs. Click the icon on the right of the STA's MAC address to force the STA to log out.
----End
Context
This page displays STA statistics.
Procedure
Step 1 Choose WLAN > Terminal Management > STA Statistics.
Step 2 Enter the ID of the AP you want to query in AP ID and click Search to search STAs. For
description of the parameters, see Table 3-133.
----End
Context
This page displays information about offline users.
Procedure
Step 1 Choose WLAN > Terminal Management > Offline User Information.
Step 2 Set Search and the query criteria, and click Go. You can view information about found STAs.
Table 3-134 describes STA parameters.
----End
Context
STA blacklist and whitelist functions allow authorized STAs to connect to the WLAN and reject
access from unauthorized STAs.
l A whitelist contains MAC addresses of STAs that are allowed to connect to a WLAN. After
the whitelist function is enabled, only the STAs in the whitelist can connect to the WLAN,
and access from other STAs is rejected.
l A blacklist contains MAC addresses of STAs that are not allowed to connect to a WLAN.
After the blacklist function is enabled, STAs in the blacklist cannot connect to the WLAN,
and other STAs can connect to the WLAN.
If the blacklist or whitelist function is configured on an AP, the configured blacklist or whitelist
takes effect on all STAs connecting to the AP. The device supports the configuration of STA
blacklist or whitelist function for an AP or a VAP. If an AP and a VAP are configured with the
blacklist or whitelist function, a STA can connect to the WLAN only when it is permitted by
both the configuration on the AP and VAP. To configure a blacklist or whitelist based on a VAP,
see 3.8.5.5 STA Blacklist/Whitelist Profile.
If the whitelist or blacklist is empty, all STAs can connect to the WLAN.
The configurations of STA blacklist and whitelists are the same. The following describes the
configuration of STA whitelist as an example.
Procedure
l Querying a STA whitelist
1. Choose WLAN > Terminal Management > STA Blacklist/Whitelist.
2. In the STA Whitelist area, view all existing STA whitelists. You can enter a keyword,
and click Search to search for a STA whitelist.
l Creating a STA whitelist
1. Choose WLAN > Terminal Management > STA Blacklist/Whitelist.
2. In the STA Whitelist area, click Create. In the Create STA Whitelist dialog box
that is displayed, set MAC address or import the local file.
Manually create: enter the MAC address of a STA and add it to the list.
Import from local file: configure STAs' MAC addresses in a local file and import
the local file to the web page. Then, add the MAC addresses to the list in a batch.
NOTE
If the message "Your browser's security settings are too high to complete this process. See the
help menu for instructions on adjusting your security settings." is displayed during file upload,
configure Internet Explorer as follows:
l Versions earlier than IE10: choose Tools > Internet Options > Security > Custom Level
and click Enable or Prompt next to Initialize and script ActiveX controls not marked
as safe for scripting. If you click Enable, the file can be uploaded directly. If you click
Prompt, the message "An ActiveX control on this page might be unsafe to interact with
other parts of the page. Do you want to allow this interaction?" is displayed. If you click
Yes, the file can be uploaded.
l IE10 and later versions: choose Tools > Internet Options > Security > Custom Level and
click Enable next to Include local directory path when uploading files to a server.
The file is in .txt format. Each row provides one MAC address. For example:
60de-4474-9640
60de-4474-9680
dcd2-fc9a-2110
3. Click OK.
If the STA whitelist is displayed in the STA whitelist list, the STA whitelist is created.
l Deleting a STA whitelist
1. Choose WLAN > Terminal Management > STA Blacklist/Whitelist.
2. In the STA Whitelist area, select a STA whitelist, and click Delete.
If the STA whitelist is removed from the STA whitelist list, the STA whitelist is
deleted.
----End
Context
The STA blacklist or whitelist takes effect only when the blacklist or whitelist function is enabled
on the AP.
An AP or a VAP can be configured with either the blacklist function or the whitelist function, not both.
Procedure
l Viewing the blacklist or whitelist status
1. Choose WLAN > Terminal Management > Blacklist/Whitelist Status.
2. In the AP area, view the blacklist or whitelist status of all APs. You can set Search,
enter a keyword, and click Go to search for an AP.
l Configuring the blacklist or whitelist status for an AP
1. Choose WLAN > Terminal Management > Blacklist/Whitelist Status.
2. In the AP area, select an AP, click one of the following buttons, and then click
OK.
Enable Whitelist: The STA whitelist takes effect. Only STAs in the whitelist can
associate with the AP.
Enable Blacklist: The STA blacklist takes effect. STAs in the blacklist cannot
associate with the AP.
Disable Blacklist/Whitelist: Neither the blacklist nor whitelist takes effect.
----End
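The following added example (not part of the original manual) prepares a whitelist import file in the one-address-per-row H-H-H format shown above and models the admission rules stated in this section: an empty list admits every STA, and a STA must be permitted by both the AP and the VAP. The function names, the dictionary layout, and the sample addresses in mixed notations are assumptions made for illustration.

```python
import re


def normalize_mac(text):
    """Convert common MAC notations to the H-H-H form shown above."""
    digits = re.sub(r"[-:.]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    # The low bit of the first octet marks a group (multicast/broadcast)
    # address, which cannot be the address of a single STA.
    if int(digits[:2], 16) & 1:
        raise ValueError(f"group address, not a STA: {text!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def build_import_file(raw_lines):
    """Return (file_text, rejected): one H-H-H address per row, no duplicates."""
    seen, rows, rejected = set(), [], []
    for lineno, raw in enumerate(raw_lines, 1):
        if not raw.strip():
            continue
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        if mac not in seen:
            seen.add(mac)
            rows.append(mac)
    return "".join(row + "\n" for row in rows), rejected


def level_permits(level, mac):
    """Decision of one level (AP or VAP) for an already normalized MAC."""
    mode = level["mode"]            # "whitelist", "blacklist" or "disabled"
    if mode == "whitelist":
        # Empty whitelist: the manual states that all STAs can connect.
        return not level["whitelist"] or mac in level["whitelist"]
    if mode == "blacklist":
        return mac not in level["blacklist"]
    if mode == "disabled":
        return True
    raise ValueError(f"unknown mode: {mode!r}")


def sta_can_connect(ap, vap, mac):
    """A STA is admitted only when both the AP and the VAP permit it."""
    mac = normalize_mac(mac)
    return level_permits(ap, mac) and level_permits(vap, mac)


def audit(name, level):
    """Flag settings that admit more STAs than the operator probably intends."""
    findings = []
    if level["mode"] == "whitelist" and not level["whitelist"]:
        findings.append(f"{name}: whitelist enabled but empty, every STA is admitted")
    if level["mode"] == "disabled" and (level["whitelist"] or level["blacklist"]):
        findings.append(f"{name}: lists are defined but the function is disabled")
    return findings


# Constructed sample input: mixed notations, one duplicate, two bad rows.
SAMPLE = ["60DE.4474.9640", "60-de-44-74-96-80", "dc:d2:fc:9a:21:10",
          "60de-4474-9640", "zz-zz", "01:00:5e:00:00:01"]

if __name__ == "__main__":
    text, rejected = build_import_file(SAMPLE)
    print(text, end="")
    for lineno, reason in rejected:
        print(f"row {lineno} rejected: {reason}")
```

Running the audit before enabling the whitelist on an AP catches the case where the list is still empty and the AP would therefore admit every STA.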
Procedure
l Configure manual calibration.
1. Click WLAN > Radio Calibration. The Radio Calibration page is displayed.
3. Click Advanced to set the calibration policy and sensitivity. See Table 3-136 for
description of the parameters.
3. Click Advanced to set the calibration policy and sensitivity. See Table 3-137 for
description of the parameters.
3. Set search criteria in Search and click Go. Channel and power of the APs matching
the search conditions are displayed. You can check the channel and power of specified
APs.
----End
Context
APs can be upgraded in batches.
l You can upgrade APs of the same type in batches.
l You can upgrade APs of the same type in a region in batches.
l You can upgrade APs of a specific type based on AP IDs.
NOTE
To upgrade APs in batches through the WLAN web platform, the APs must go online first.
Procedure
l Upgrading APs in batches
1. Choose WLAN > System Maintenance > AP Batch Upgrade. The AP Batch
Upgrade tab page is displayed.
2. Set parameters in AP Batch Upgrade. The AP upgrade mode can be AC, FTP, or
SFTP. Table 3-138, Table 3-139, and Table 3-140 describe the parameters.
Parameter Description
AP ID ID of APs to be upgraded. If no ID is
specified, APs are upgraded in batches
based on the specified AP region.
----End
Context
Before upgrading APs in batches, upgrade a single AP to check whether the upgrade version works
properly. This helps ensure that the subsequent batch upgrade succeeds.
NOTE
To upgrade a single AP through the WLAN web platform, the AP must go online first.
Procedure
Step 1 Choose WLAN > System Maintenance > Single AP Upgrade. The Single AP Upgrade tab
page is displayed.
Step 2 Set parameters described in Table 3-141, Table 3-142, and Table 3-143.
Parameter Description
Select an AP AP to be upgraded.
Parameter Description
FTP User name User name for logging in to the FTP server.
Parameter Description
SFTP User name User name for logging in to the SFTP server.
----End
3.9 ACL
The following sections describe how to view, add, modify, and delete ACLs and ACL effective
periods, and how to configure the ACL function.
The access control list (ACL) is used to identify flows. A network device filters packets
according to certain rules. It must identify packets first, and then permit or deny the packets
according to the policy that you have configured.
Context
l An effective period describes a special period of time. In practice, users may want certain
ACL rules to be valid during a certain period but be invalid out of the period. That is, the
ACL rules are used to filter packets based on the period of time. To implement this function,
users can set one or multiple periods, and apply the periods to a rule. Then, packets are
filtered based on the set periods.
l An effective period can contain periodic time ranges and absolute time ranges. A periodic
time range takes effect on a certain day in a week. An absolute time range contains the start
time and the end time.
Procedure
l Query the time range.
1. Choose ACL > Effective Period to open the Effective Period page.
2. Enter the name of the time range in the text box, for example, test.
3. Click Query to display all matching records.
l Add a time range.
1. Choose ACL > Effective Period to open the Effective Period page.
2. Click New to open the Add Time Range page, as shown in Figure 3-171.
Table 3-144 describes the parameters on the Add Time Range page.
3. Set parameters.
NOTE
l If an effective period contains an absolute time range and a periodic time range, the effective
period takes effect only when the current time is within the absolute time range and the
periodic time range.
l The start time and end time of the absolute time range can be earlier than the current time.
l The Periodic Time Range and Absolute Time Range parameters cannot be kept blank
simultaneously.
4. Click OK.
l Modify a time range.
1. Choose ACL > Effective Period to open the Effective Period page.
2. Click to open the Modify Time Range page, as shown in Figure 3-172.
NOTE
l Table 3-144 describes the parameters on the Modify Time Range page.
l The effective period name cannot be modified.
l The periodic time range and absolute time range can only be deleted, but cannot be
modified.
3. Set parameters.
4. Click OK.
l Delete a time range.
1. Choose ACL > Effective Period to open the Effective Period page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
----End
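The following added example (not part of the original manual) evaluates an effective period the way the NOTE above describes: when both kinds of range are configured, the current time must fall inside the absolute time range and the periodic time range. Treating several ranges of the same kind as alternatives, the rule tuple layout, and all names except the time range name test are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass(frozen=True)
class Periodic:
    days: frozenset          # weekdays, Monday=0 ... Sunday=6
    start: time
    end: time                # assumed not to cross midnight

    def contains(self, now):
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass(frozen=True)
class Absolute:
    start: datetime
    end: datetime

    def contains(self, now):
        return self.start <= now <= self.end


@dataclass
class EffectivePeriod:
    name: str
    periodic: list = field(default_factory=list)
    absolute: list = field(default_factory=list)

    def __post_init__(self):
        # The two parameters cannot be kept blank simultaneously.
        if not self.periodic and not self.absolute:
            raise ValueError("periodic and absolute ranges cannot both be blank")

    def active(self, now):
        # Assumption: ranges of the same kind are alternatives (any may match).
        in_periodic = not self.periodic or any(p.contains(now) for p in self.periodic)
        in_absolute = not self.absolute or any(a.contains(now) for a in self.absolute)
        return in_periodic and in_absolute

    def expired(self, now):
        """True when every absolute range already ended, so the period never applies again."""
        return bool(self.absolute) and all(a.end < now for a in self.absolute)


def effective_rules(rules, periods, now):
    """Split rules into those in force now and those dormant.

    rules: list of (rule_id, action, time_range_name or None).
    """
    live, dormant = [], []
    for rule_id, action, range_name in rules:
        if range_name is None or periods[range_name].active(now):
            live.append(rule_id)
        else:
            dormant.append(rule_id)
    return live, dormant


# Constructed sample: working hours on weekdays, limited to August 2014.
PERIODS = {
    "test": EffectivePeriod(
        "test",
        periodic=[Periodic(frozenset(range(5)), time(8, 0), time(18, 0))],
        absolute=[Absolute(datetime(2014, 8, 1), datetime(2014, 8, 31, 23, 59))],
    )
}
RULES = [(5, "deny", "test"), (10, "permit", None)]

if __name__ == "__main__":
    for now in (datetime(2014, 8, 25, 9, 0), datetime(2014, 9, 1, 9, 0)):
        live, dormant = effective_rules(RULES, PERIODS, now)
        print(now, "live:", live, "dormant:", dormant,
              "expired:", PERIODS["test"].expired(now))
```

Because the absolute time range may lie entirely in the past, the expired check is a quick way to find time-bound rules that can no longer take effect.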
3.9.2 ACL
An ACL classifies packets according to matching rules. The rules can be source addresses,
destination addresses, or the port numbers of the packets.
Context
ACLs are classified into the following types:
Procedure
l Query an ACL.
1. Choose ACL > ACL in the navigation tree to open the ACL Configuration page.
2. Set the search criteria.
3. Click Query to display all matching records.
l Create an ACL.
1. Choose ACL > ACL in the navigation tree to open the ACL Configuration page.
2. Click New to open the Create ACL page.
3. Click the ACL tab, as shown in Figure 3-173.
4. Click Apply.
5. Click the Rules tab.
If the ACL is a basic ACL, the rule page is displayed, as shown in Figure 3-174.
Parameter Description
Match IP All Source IP Indicates that packets from any source IP address
are permitted.
Time Range Name Click Select to set the time range name.
NOTE
The time range name is displayed on the configuration
result page.
NOTE
l The rule page displays all the rules of the ACL. Click a record to view the details about the
record or modify the record. To deselect a record, click it again. You can add rules on the
rule page.
l When you modify the ACL rule, the ACL ID and rule number cannot be modified.
If the ACL is an advanced ACL, the rule page is displayed, as shown in Figure
3-175.
Parameter Description
Match Port Source Port This parameter is valid only when the protocol
type is TCP or UDP. If this parameter is not
specified, TCP or UDP packets with any source
port are matched.
Select a matching source port from the drop-
down list box. The value can be equal, greater,
smaller, or in the range. Enter the TCP or UDP
port number in the text box.
Parameter Description
Time Range Name Click Select to set the time range name.
NOTE
The time range name is displayed on the
configuration result page.
NOTE
l The rule page displays all the rules of the ACL. Click a record to view the details about the
record or modify the record. To deselect a record, click it again. You can add rules on the
rule page.
l When you modify the ACL rule, the ACL ID and rule number cannot be modified.
If the ACL is a Layer 2 ACL, the rule page is displayed, as shown in Figure 3-176.
Parameter Description
Match MAC Source MAC Indicates the source MAC address used by
the ACL rule. The value is in H-H-H format.
Parameter Description
Source VLAN ID Mask Indicates the mask of the source VLAN ID.
The value is in hexadecimal notation. It
ranges from 0 to 0xFFF. The default value is
0xFFF.
Time Range Name Click Select to set the time range name.
NOTE
The time range name is displayed on the
configuration result page.
NOTE
l The rule page displays all the rules of the ACL. Click a record to view the details about the
record or modify the record. To deselect a record, click it again. You can add rules on the
rule page.
l When you modify the ACL rule, the ACL ID and rule number cannot be modified.
If the ACL is a user ACL, the rule page is displayed, as shown in Figure 3-177.
Parameter Description
ICMP Parameters (Type/Code) Indicates the type and code of ICMP packets,
which are valid only when the protocol of
packets is ICMP. If this parameter is not
specified, all types of ICMP packets are
matched. The ICMP packets can be matched
based on:
l Type: filters packets based on ICMP
message type.
l Code: indicates the message code of the
ICMP message type.
Parameter Description
Match Port Source Port This parameter is valid only when the
protocol type is TCP or UDP. If this
parameter is not specified, TCP or UDP
packets with any source port are matched.
Select a matching source port from the drop-
down list box. The value can be equal,
greater, smaller, or in the range. Enter the
TCP or UDP port number in the text box.
Time Range Name Click Select to set the time range name.
NOTE
The time range name is displayed on the
configuration result page.
NOTE
l The rule page displays all the rules of the ACL. Click a record to view the details about the
record or modify the record. To deselect a record, click it again. You can add rules on the
rule page.
l When you modify the ACL rule, the ACL ID and rule number cannot be modified.
6. Click the Action tab, as shown in Figure 3-178.
NOTE
When creating a user ACL, you do not need to configure the actions.
The appearance of the S1720, S2720, S2750, S5700LI, and S5700S-LI is as follows:
Parameter Description
Inbound l You can select all ACLs. You can specify all
inbound interfaces by clicking the check
boxes of all inbound interfaces.
l You can select an ACL. You can specify an
inbound interface by clicking the check box
of an inbound interface.
l You can select multiple interfaces. You can
specify multiple inbound interfaces by
clicking the check boxes of multiple inbound
interfaces.
Parameter Description
Outbound l You can select all ACLs. You can select all
outbound interfaces by clicking the check
box of all outbound interfaces.
l You can select an ACL. You can specify an
outbound interface by clicking the check box
of an outbound interface.
l You can select multiple interfaces. You can
specify multiple outbound interfaces by
clicking the check boxes of multiple
outbound interfaces.
NOTE
You can select the inbound and outbound interfaces
or one of them at one time.
Parameter Description
Direction NOTE
You can select the inbound and outbound interfaces
or one of them at one time.
NOTE
l After the ACL is created, ACL rules are configured, and the action has been applied by
clicking Apply on the Action tab page, the ACL can be successfully applied to an interface
or globally.
l If the ACL is not created, the system prompts you to create the ACL when you click
Apply on the Rules tab page.
l If the ACL is not created, the system prompts you to create the ACL when you click
Apply on the Apply tab page.
l The Action and Apply tabs are unavailable for configuring user ACLs.
l Edit an ACL.
1. Choose ACL > ACL in the navigation tree to open the ACL Configuration page.
2. Click the icon to open the Edit ACL page.
3. Click the ACL tab, as shown in Figure 3-181.
NOTE
l The Apply tab page displays the object to which the ACL is applied.
l If an action is created, the new action will replace the original action and be delivered to
objects when you click the Apply tab.
7. Modify the configuration parameter on the tab page.
8. Click OK.
l Delete an ACL.
1. Choose ACL > ACL in the navigation tree to open the ACL Configuration page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE
The basic ACL object list does not contain user ACLs.
3. Select the object name and click Delete. The system asks you whether to delete the
record.
4. Click OK.
----End
3.10 QoS
This chapter describes the implementation principle of class-based QoS, and configuration
methods of traffic management, interface-based rate limit, traffic shaping, priority mapping, and
congestion management.
By matching packets with the rules, the class-based QoS technology groups the packets sharing
common features into one class and provides the same QoS level for traffic of the same type. In
this manner, the class-based QoS technology provides differentiated services.
Context
Class-based QoS classifies packets according to matching rules and provides the same QoS level
for traffic of the same type. In this manner, the class-based QoS technology provides
differentiated services. A traffic classifier matches the packet header information against
these rules so that the packets sharing common features are grouped into one class.
Procedure
l Create a traffic classifier.
1. Choose QoS > Traffic Management > Traffic Classifier in the navigation tree to
open the Traffic Classifier page.
2. Click New to open the Create Traffic Classifier page, as shown in Figure 3-183.
Table 3-154 describes the parameters on the Create Traffic Classifier page.
3. Set parameters.
4. Click OK.
l Modify a traffic classifier.
1. Choose QoS > Traffic Management > Traffic Classifier in the navigation tree to
open the Traffic Classifier page.
2. Click to open the Modify Traffic Classifier page, as shown in Figure 3-184.
NOTE
l Table 3-154 describes the parameters on the Modify Traffic Classifier page.
l The traffic classifier name cannot be modified.
3. Set parameters.
4. Click OK.
l Delete a traffic classifier.
1. Choose QoS > Traffic Management > Traffic Classifier in the navigation tree to
open the Traffic Classifier page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE
When you delete a traffic classifier, the matching rule in the traffic classifier is also deleted.
3. Click OK.
l Add rules to the traffic classifier.
1. Choose QoS > Traffic Management > Traffic Classifier in the navigation tree to
open the Traffic Classifier page.
2. Select the traffic classifier in which rules need to be added and click New to open the
Add Rules of Classifier page, as shown in Figure 3-185.
Table 3-155 describes the parameters on the Add Rules of Classifier page.
Parameter Description
Match all packets Indicates that all the packets are matched.
Parameter Description
Match MAC Source MAC Indicates the matching rule based on source MAC
addresses.
The value is in the format H-H-H. Each H
represents four hexadecimal digits.
Parameter Description
Match ACL ACL IPv4 Indicates the matching rule based on IPv4 ACLs.
Click Select ACL to select ACLs. You can select
multiple ACLs.
NOTE
The sequence of matching rules in a traffic classifier affects the flow matching sequence.
For example, if the matching rules based on 802.1p priorities of VLAN packets and inner
VLAN tags are set, the system first matches flows with 802.1p priorities of VLAN packets and
then inner VLAN tags. If multiple matching rules are configured, the system matches flows
according to the matching rules one by one.
3. Set parameters.
4. Click OK.
l Delete rules.
1. Choose QoS > Traffic Management > Traffic Classifier in the navigation tree to
open the Traffic Classifier page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
----End
Context
The switch supports traffic behaviors of traffic policing, re-marking, redirection, and traffic
statistics.
Procedure
l Create a traffic behavior.
1. Choose QoS > Traffic Management > Traffic Behavior in the navigation tree to
open the Traffic Behavior page.
2. Click New to open the Create Traffic Behavior page, as shown in Figure 3-186.
Table 3-156 describes the parameters on the Create Traffic Behavior page.
Parameter Description
cpu Indicates that packets are redirected to the CPU.
NOTE
The S1720, S2720, S2750, S5700LI and S5700S-LI switches do not
support this parameter.
3. Set parameters.
3. Set parameters.
4. Click OK.
l Delete a traffic behavior.
1. Choose QoS > Traffic Management > Traffic Behavior in the navigation tree to
open the Traffic Behavior page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
----End
Procedure
l Create a traffic policy.
1. Choose QoS > Traffic Management > Traffic Policy in the navigation tree to open
the Traffic Policy page.
2. Click New to open the Create Traffic Policy page, as shown in Figure 3-188.
Table 3-157 describes the parameters on the Create Traffic Policy page.
3. Set parameters.
4. Click OK.
l Modify a traffic policy.
1. Choose QoS > Traffic Management > Traffic Policy in the navigation tree to open
the Traffic Policy page.
2. Click to open the Modify Traffic Policy page, as shown in Figure 3-189.
NOTE
l Table 3-157 describes the parameters on the Modify Traffic Policy page.
l The traffic policy name cannot be modified.
3. Set parameters.
4. Click OK.
l Delete a traffic policy.
1. Choose QoS > Traffic Management > Traffic Policy in the navigation tree to open
the Traffic Policy page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
----End
Context
A traffic policy can be used on an interface, globally, or in a VLAN so that traffic classifiers
bound to traffic behaviors in the traffic policy are used on the interface, globally, or in the VLAN.
Procedure
l Query information about the traffic policy application.
1. Choose QoS > Traffic Management > Apply Traffic Policy in the navigation tree
to open the Apply Traffic Policy page.
2. Set the search criteria.
3. Click Query to display all matching records.
l Add a traffic policy application.
1. Choose QoS > Traffic Management > Apply Traffic Policy in the navigation tree
to open the Apply Traffic Policy page.
2. Click New to open the Add Traffic Policy Application page, as shown in Figure
3-190.
Table 3-158 describes the parameters on the Add Traffic Policy Application page.
3. Set parameters.
4. Click OK.
l Delete a traffic policy application.
1. Choose QoS > Traffic Management > Apply Traffic Policy in the navigation tree
to open the Apply Traffic Policy page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
----End
Context
You can select an interface to view the rate limiting information.
Procedure
Step 1 Choose QoS > Limit Rate. The Limit Rate page is displayed, as shown in Figure 3-193.
Step 2 Select one or all interfaces and click Query. Rate limit information is displayed.
NOTE
You can select only one interface to query its rate limit.
----End
Context
Before sending traffic from an interface, you can configure rate limit on the interface in the
outbound direction. This function controls all outgoing packets.
Before sending traffic from an interface, you can configure rate limit on the interface in the
inbound direction. This function controls all incoming packets.
Procedure
Step 1 Choose QoS > Limit Rate. The Limit Rate page is displayed.
Step 2 Select the interface on which the rate limit needs to be set and click Configure. The Configure
Rate Limit page is displayed, as shown in Figure 3-194.
Table 3-159 describes the parameters on the Configure Rate Limit page.
Step 3 Click Inbound or Outbound and set the values of CIR and CBS.
Step 5 Select an interface where rate limiting needs to be deleted and click Cancel Limit to delete the
rate limiting configuration.
----End
Context
l The switch supports queue shaping and interface shaping.
l You can select an interface to view the traffic shaping information. You can select only
one interface.
Procedure
Step 1 Choose QoS > Traffic Shaping > View Traffic Shaping in the navigation tree to open the
View Traffic Shaping page.
Step 3 The traffic shaping information about the interface is displayed, as shown in Figure 3-195.
----End
Context
When the rate of an interface on a downstream device is smaller than the rate of an interface on
an upstream device or the burst traffic occurs, traffic congestion may occur on the interface of
the downstream device. In this case, you can configure traffic shaping on the interface of the
upstream device in the outbound direction so that traffic is sent at an even rate and the congestion
problem of the downstream device is solved.
Procedure
Step 1 Choose QoS > Traffic Shaping > Configure Traffic Shaping in the navigation tree to open
the Configure Traffic Shaping page, as shown in Figure 3-196.
Table 3-160 describes the parameters on the Configure Traffic Shaping page.
Step 3 Select the queue that you want to configure and set the values of CIR and PIR.
NOTE
If you do not select the queue, the configurations of the queue are deleted.
----End
Context
Queue scheduling technologies include PQ scheduling, DRR scheduling and WRR scheduling.
Procedure
Step 1 Choose QoS > Congestion Management > View Scheduling in the navigation tree to open the
View Scheduling page.
Step 3 The scheduling configuration on the interface is displayed, as shown in Figure 3-197.
----End
Context
l Congestion management technology prevents intermittent congestion on networks by using
queue scheduling technologies.
l Queue scheduling technologies include PQ scheduling, DRR scheduling and WRR
scheduling.
Procedure
Step 1 Choose QoS > Congestion Management > Configure Scheduling in the navigation tree to
open the Configure Scheduling page, as shown in Figure 3-198.
Parameter Description
Select Interface Indicates the interface where scheduling needs to be configured. You
can select multiple interfaces.
Parameter Description
Weight Indicates the weight used to schedule packet flows in queues. When the
scheduling mode is set to WRR or DRR, the weight can be configured.
Step 3 Set the scheduling mode and weight for the queue.
----End
Context
When packets are sent to the inbound or outbound interface of a device, the device determines
the queues and priorities of packets according to 802.1p, DSCP or the IP precedence field. The
S1720, S2720, S2750, S5700LI, and S5700S-LI switches support priority mappings for
incoming packets. The S5720H supports priority mappings for incoming packets and outgoing
packets.
Procedure
l Create a Diff-Serv domain name.
1. Choose QoS > Priority Mapping to open the Priority Mapping in Inbound
Direction page.
Parameter Description
Start 802.1p Priority of Incoming Packets Indicates the start 802.1p priority ranging from 0 to
7. This parameter is mandatory.
End 802.1p Priority of Incoming Packets Indicates the end 802.1p priority ranging from 0 to
7.
Parameter Description
Start Input DSCP Value Specifies the start DSCP value of the incoming packets. The
value ranges from 0 to 63. This parameter is mandatory.
Specifies the start IP precedence value of the incoming
packets. The value ranges from 0 to 7.
End Input DSCP Value Specifies the end DSCP value of the incoming packets. The
value ranges from 0 to 63.
Specifies the end IP precedence value of the incoming
packets. The value ranges from 0 to 7.
Output 802.1P Priority Specifies the 802.1p priority of the outgoing packets. The
value is an integer that ranges from 0 to 7. This parameter is
mandatory.
Specifies the discard priority of the outgoing packets. The
value is an integer that ranges from 0 to 2.
Specifies the DSCP priority of the outgoing packets. The
value is an integer that ranges from 0 to 63.
NOTE
The S5720HI switch can delete priority mapping on the Priority Mapping in Inbound
Direction or Priority Mapping in Outbound Direction page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE
l You can delete a Diff-Serv domain name in the same way on the Priority Mapping in
Outbound Direction page.
l By default, the Diff-Serv domain name is default. You cannot delete the default name.
3. Click OK.
----End
Context
You can select the type of a trusted priority.
Procedure
l Query a trust relation.
1. Choose QoS > Priority Mapping > Trust Priority to open the Trust Priority page.
2. Set the search criteria.
3. Click Query to display all matching records.
l Add a trust relation.
This function is only supported by S1720, S2720, S2750, S5700S-LI, and S5700LI
series switches.
1. Choose QoS > Priority Mapping > Trust Priority to open the Trust Priority
page.
2. Click New to open the Add Trust Relation page, as shown in Figure 3-203.
3. Set parameters.
4. Click OK.
This function is only supported by series switches.
1. Choose QoS > Priority Mapping > Trust Priority to open the Trust Priority
page.
2. Click New to open the Add Trust Relation page, as shown in Figure 3-204.
3. Set parameters.
4. Click OK.
3. Click OK.
l Delete a trusted priority.
1. Choose QoS > Priority Mapping > Trust Priority to open the Trust Priority page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
----End
3.11 IP Routing
This document describes the configurations of IP routing.
Switches are used to select routes for packets on the Internet. A Switch selects a proper route
for a received packet according to the destination address and sends the packet to the next hop
Switch. The last-hop device on the route sends the packet to the destination host.
Context
You can query information about all routing tables through the Web system, including
information about dynamic and static routing tables.
Procedure
Step 1 Choose IP Routing > IPv4 Route in the navigation tree to display the IPv4 Route page. Then
click the IPv4 Routing Tables tab.
----End
Context
It is recommended that you specify the next hop address when configuring a static route on the
switch. You need to specify the next hop; otherwise, the next hop cannot be determined because
most physical interfaces of the switch are Ethernet interfaces of the broadcast type and one
outbound interface can be associated with multiple next hop addresses. If the outbound interface
is specified, you must specify the next hop address of the interface.
Procedure
l Create an IPv4 static route.
1. Choose IP Routing > IPv4 Route in the navigation tree to display the IPv4 Route
page. Then click the IPv4 Routing Tables tab.
2. Click New to open the Create an IPv4 Static Route page, as shown in Figure
3-206.
Table 3-169 describes the parameters on the Create an IPv4 Static Route page.
3. Set parameters.
4. Click OK.
l Modify an IPv4 static route.
1. Choose IP Routing > IPv4 Route in the navigation tree to display the IPv4 Route
page. Then click the IPv4 Static Route tab.
2. Click to open the Modify IPv4 Static Route page, as shown in Figure 3-207.
NOTE
l Table 3-169 describes the parameters on the Modify IPv4 Static Route page.
l The destination IP address and subnet mask cannot be changed.
3. Set parameters.
4. Click OK.
l Delete an IPv4 static route.
1. Choose IP Routing > IPv4 Route in the navigation tree to display the IPv4 Route
page. Then click the IPv4 Static Route tab.
2. Select a record that you want to delete and click Delete.
----End
Context
NOTE
By default, the priority of an IPv4 static route is 60. If the priority of an IPv4 static route is not specified,
the default priority is used. If you change the default priority, the new default priority is valid for only new
IPv4 static routes.
Procedure
Step 1 Choose IP Routing > IPv4 Route in the navigation tree to display the IPv4 Route page. Then
click the Global Parameters tab, as shown in Figure 3-208.
----End
3.12 Security
This chapter describes concepts and configurations of security management, including Port
isolation, Static user binding, AAA, 802.1x, and MAC Authen.
If you want to prevent members in a group from communicating with each other but allow them
to access the public devices, such as the printer and the server, you can set the port isolation
mode to isolation at both Layer 2 and Layer 3 or Layer 2 isolation and Layer 3 communication.
Context
l Interfaces in a port isolation group are isolated from each other, but interfaces in different
port isolation groups can communicate.
l The switch supports a maximum of 64 port isolation groups, numbered from 1 to 64.
Procedure
l Configure an isolation mode.
NOTE
l The default mode is L2, namely, ports are isolated at Layer 2 but can communicate at Layer 3.
l After the isolation mode is selected, the bidirectional isolation and unidirectional isolation
configurations are applied to this mode.
l The S2750, S5700LI, S5700S-LI, S1720, and S2720 support only Layer 2 isolation and Layer 3
communication.
l Configuring the isolation mode is not affected by switching the bidirectional isolation and
unidirectional isolation labels.
1. Choose Security > Port isolation in the navigation tree to open the Port isolation
page.
2. Choose the isolation mode. The isolation can be L2 or ALL. L2 is Layer 2 isolation
and Layer 3 communication. ALL is the isolation at both Layer 2 and Layer 3.
3. Click Apply.
l Query an isolation group.
1. Choose Security > Port isolation in the navigation tree to display the Port
isolation page. Then click the Bidirectional isolation tab.
2. Enter a number in the text box of Isolation Group Number.
3. Click Query to display all matching records.
l Create an isolation group.
1. Choose Security > Port isolation in the navigation tree to display the Port
isolation page. Then click the Bidirectional isolation tab.
2. Click New to open the Create an isolation group page, as shown in Figure 3-209.
3. Select an interface.
4. Click OK.
l Modify an isolation group.
1. Choose Security > Port isolation in the navigation tree to display the Port
isolation page. Then click the Bidirectional isolation tab.
2. Click the corresponding icon to open the Modify isolation group page, as shown
in Figure 3-210.
----End
Context
You can configure or delete the unidirectional isolation between the current interface and a
specified interface. If interface A is isolated from interface B, packets sent from interface A
cannot reach interface B, but packets sent from interface B can reach interface A.
NOTE
Interfaces can be isolated from one another. But an interface cannot be isolated from itself or from the
management interface unidirectionally. In addition, an Eth-Trunk cannot be isolated unidirectionally from
its member interfaces.
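The isolation rules described above, modelled as an added example (not Huawei code) for reviewing a planned configuration offline. The interface names, the management interface name MEth0/0/1, and the reading that members of one isolation group are isolated from each other in both directions are assumptions.

```python
from dataclasses import dataclass, field
from itertools import permutations

MAX_GROUP = 64           # page: isolation groups are numbered 1 to 64
MODES = ("L2", "ALL")    # page: L2 = Layer 2 only, ALL = Layer 2 and Layer 3


class PlanError(ValueError):
    """A planned setting breaks a restriction stated in the manual."""


@dataclass
class IsolationPlan:
    mode: str = "L2"                             # default mode per the page
    management: str = "MEth0/0/1"                # constructed management interface name
    trunks: dict = field(default_factory=dict)   # Eth-Trunk -> set of member interfaces
    groups: dict = field(default_factory=dict)   # group number -> set of member interfaces
    one_way: set = field(default_factory=set)    # (a, b) means a is isolated from b

    def __post_init__(self):
        if self.mode not in MODES:
            raise PlanError(f"unknown isolation mode {self.mode!r}")

    def add_group(self, number, members):
        """Bidirectional isolation: assumed to isolate all members from each other."""
        if not 1 <= number <= MAX_GROUP:
            raise PlanError(f"group {number} is outside 1..{MAX_GROUP}")
        self.groups.setdefault(number, set()).update(members)

    def isolate_one_way(self, a, b):
        """Unidirectional isolation: packets sent from a cannot reach b."""
        if a == b:
            raise PlanError(f"{a} cannot be isolated from itself")
        if b == self.management:
            raise PlanError(f"{a} cannot be isolated from the management interface")
        if b in self.trunks.get(a, set()):
            raise PlanError(f"{a} cannot be isolated from its member {b}")
        self.one_way.add((a, b))

    def isolated(self, src, dst):
        """True when traffic sent from src is subject to isolation towards dst."""
        if (src, dst) in self.one_way:
            return True
        return src != dst and any(src in m and dst in m for m in self.groups.values())

    def can_reach(self, src, dst, layer=2):
        """In L2 mode isolated ports still communicate at Layer 3; in ALL mode they do not."""
        if not self.isolated(src, dst):
            return True
        return layer == 3 and self.mode == "L2"

    def one_way_gaps(self, ports, layer=2):
        """Pairs (a, b) where a cannot reach b but b can still reach a."""
        return sorted((a, b) for a, b in permutations(ports, 2)
                      if not self.can_reach(a, b, layer) and self.can_reach(b, a, layer))


def rejected(action, *args):
    """True when the plan refuses the setting."""
    try:
        action(*args)
    except PlanError:
        return True
    return False


PORTS = ["GE0/0/1", "GE0/0/2", "GE0/0/3", "GE0/0/4"]   # constructed sample


def build_sample_plan(mode="L2"):
    """Constructed plan: one isolation group plus one unidirectional isolation."""
    plan = IsolationPlan(mode=mode, trunks={"Eth-Trunk1": {"GE0/0/5", "GE0/0/6"}})
    plan.add_group(1, ["GE0/0/1", "GE0/0/2"])
    plan.isolate_one_way("GE0/0/3", "GE0/0/4")
    return plan


if __name__ == "__main__":
    plan = build_sample_plan()
    for a, b in plan.one_way_gaps(PORTS):
        print(f"{a} cannot reach {b}, but {b} can still reach {a}")
```

Listing the one-way gaps shows where a unidirectional entry leaves the reverse path open, which is the case to confirm against the intended policy.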
Procedure
l Query a unidirectional isolation.
1. Choose Security > Port isolation in the navigation tree to display the Port
isolation page. Then click the Unidirectional isolation tab.
2. Select an interface type from the drop-down list box.
3. Enter the interface number, for example, 0/0/1 (stack ID/subcard ID/interface
number).
4. Click Query to display all matching records.
l Configure a unidirectional port isolation.
NOTE
You can configure and modify unidirectional isolation in the same way.
1. Choose Security > Port isolation in the navigation tree to display the Port
isolation page. Then click the Unidirectional isolation tab.
2. Click the corresponding icon to open the Modify isolation port list page, as shown
in Figure 3-211.
3. Select an interface.
4. Click OK.
l Clear a unidirectional isolation.
1. Choose Security > Port isolation in the navigation tree to display the Port
isolation page. Then click the Unidirectional isolation tab.
2. Select the interface configured with unidirectional isolation that you want to delete.
You can delete an interface or multiple interfaces.
3. Click Clear. The system asks you whether to delete the record.
4. Click OK on the dialog box.
----End
Procedure
Step 1 Choose Security > Static User Binding in the navigation tree to open the Static User
Binding page, as shown in Figure 3-212.
----End
Procedure
l Create a binding.
1. Choose Security > Static user binding in the navigation tree to open the Static user
binding page.
2. Click New to open the Create a static user binding page, as shown in Figure
3-213.
Parameter Description
Interface Name Indicates the type and number of the interface that you want to
bind.
Binding mode The binding modes in the drop-down list box include:
l MAC+port
l IP+port
l IP+MAC
l IP+MAC+port
Select one binding mode from the modes above. This parameter
is mandatory.
3. Set parameters.
4. Click OK.
l Delete a binding.
1. Choose Security > Static user binding in the navigation tree to open the Static user
binding page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
----End
Context
Authentication, Authorization, and Accounting are three independent service processes.
l In the authentication process, a device authenticates the user name, password, or user
information of an access request or a service request. The device, however, neither delivers
authorization information to the user nor triggers the accounting process. In AAA, a device
can adopt only authentication.
l In the authorization process, a device sends authorization requests to the authorization
server. After users pass authorization, the device sends authorization information to users.
If the authorization scheme is none, users do not need to be authorized. In this case, users
passing authentication have the default authority granted by the system.
l In the accounting process, a device sends accounting-start packets, accounting-update
packets, or accounting-stop packets to the accounting server. In AAA, an accounting
scheme is optional.
Procedure
l Create an authentication scheme.
NOTE
You can create an authentication scheme, authorization scheme, or accounting scheme. Here the
authentication scheme is used as an example.
1. Choose Security > AAA > AAA Scheme in the navigation tree to open the AAA
Scheme page.
2. Click New to open the Create Authentication Scheme page, as shown in Figure
3-214.
Table 3-175 describes the parameters on the Create Authentication Scheme page.
3. Set parameters.
4. Click OK.
l Modify an authentication scheme.
NOTE
You can modify an authentication scheme, authorization scheme, or accounting scheme. Here the
authentication scheme is used as an example.
1. Choose Security > AAA > AAA Scheme in the navigation tree to open the AAA
Scheme page.
2. Click the corresponding icon to open the Modify Authentication Scheme page, as shown in Figure
3-215.
NOTE
l Table 3-175 describes the parameters on the Modify Authentication Scheme page.
l The authentication scheme name cannot be changed.
3. Set the authentication type as required.
4. Click OK.
----End
Context
A service scheme is a set of authorization information about users. After a service scheme is
created, you can set attributes of users in the service scheme view.
Procedure
l Create a service scheme.
1. Choose Security > AAA > Service Scheme in the navigation tree to open the Service
Scheme page.
2. Click New to open the Create Service Scheme page, as shown in Figure 3-216.
Table 3-176 describes the parameters on the Create Service Scheme page.
NOTE
Only the S5720HI supports User Vlan, Ucl Group and QoS Profile, and these nodes are available
only in the NAC unified mode.
3. Set parameters.
4. Click OK.
l Modify a service scheme.
1. Choose Security > AAA > Service Scheme in the navigation tree to open the Service
Scheme page.
2. Click the corresponding icon to open the Modify Service Scheme page, as shown in Figure 3-217.
NOTE
l Table 3-176 describes the parameters on the Modify Service Scheme page.
l The service scheme name cannot be modified.
3. Set parameters.
4. Click OK.
l Delete a service scheme.
1. Choose Security > AAA > Service Scheme in the navigation tree to open the Service
Scheme page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
----End
Context
When a user logs in to a network device such as a switch or a network access server (NAS), the
user name and password are sent to the network device. After the RADIUS client (an NAS
server) on the network receives the user name and password, it sends an authentication request
to the RADIUS server. If the request is valid, the RADIUS server completes authentication and
sends the required authorization information to the RADIUS client. If the request is invalid, the
RADIUS server sends the authorization failure information to the RADIUS client.
NOTE
Most RADIUS configurations have default values. You can perform configurations according to
networking requirements. You can modify the RADIUS configuration only when the RADIUS server
template is not in use.
The RADIUS authorization server is mainly used to authorize users when users select services
dynamically.
Procedure
l Create a RADIUS server template.
1. Choose Security > AAA > RADIUS Config in the navigation tree to open the
RADIUS Config page.
2. Click New, and the Create RADIUS Template page is displayed, as shown in Figure
3-218.
3. Set parameters.
4. Click OK.
l Modify a RADIUS server template.
1. Choose Security > AAA > RADIUS Config in the navigation tree to open the
RADIUS Config page.
2. Click the corresponding icon, and the Modify RADIUS Template page is displayed, as shown in Figure
3-219.
3. Set parameters.
NOTE
The device supports more than one server. To add servers, click Add and set parameters.
When multiple servers are available, the device uses the server with the highest weight to perform
authentication and accounting. If the servers have the same weights, the device uses the server
configured first to perform authentication and accounting.
4. Click OK.
l Modify a RADIUS authentication/accounting server.
1. Choose Security > AAA > RADIUS Config in the navigation tree to open the
RADIUS Config page.
2. Click the corresponding icon, and the Modify RADIUS Authentication/Accounting Server page is
displayed, as shown in Figure 3-221.
1. Choose Security > AAA > RADIUS Config in the navigation tree to open the
RADIUS Config page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
l Create a RADIUS authorization server.
1. Choose Security > AAA > RADIUS Config in the navigation tree to open the
RADIUS Config page.
2. Click New, and the Create RADIUS Authorization Server page is displayed, as
shown in Figure 3-222.
3. Set parameters.
4. Click OK.
l Modify a RADIUS authorization server.
1. Choose Security > AAA > RADIUS Config in the navigation tree to open the
RADIUS Config page.
2. Click the corresponding icon, and the Modify RADIUS Authorization Server page is displayed, as shown
in Figure 3-223.
----End
Context
If no AAA schemes are applied to a new domain, the default authentication scheme and
accounting scheme are adopted. By default, the new domain is not bound to any authorization
scheme.
Procedure
l Create a domain.
1. Choose Security > AAA > Domain in the navigation tree to open the Domain page.
2. Click New to open the Create Domain page, as shown in Figure 3-224.
3. Set parameters.
4. Click OK.
l Modify a domain.
1. Choose Security > AAA > Domain in the navigation tree to open the Domain page.
2. Click the corresponding icon to open the Modify Domain page, as shown in Figure 3-225.
----End
Context
You need to create a local user account and configure attributes of the local user so that the
switch can authenticate and authorize the local user that logs in according to the local user
information.
By default, a local user named admin exists in the system. The user password is
admin@huawei.com, and access type is HTTP.
NOTE
Security risks exist if the user access type is set to Telnet or FTP. It is recommended that you set the user access
type to SSH.
A simple password brings security risks. It is recommended that you change the password to a complicated one
after logging in to the web network management system using the default account. A password should consist
of at least 8 characters, and contain at least two types of the following: lowercase letters, uppercase letters,
numerals, special characters (such as ! $ # %). The password cannot contain spaces and single quotation marks
('). In addition, the password cannot be the same as the user name or the mirror user name.
The new user supports all access modes. The management user access modes such as Telnet, SSH, FTP, HTTP,
and Terminal have security risks. You are advised to configure the required access modes only.
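An added example, not part of the manual or the switch software: a pre-deployment check of planned local accounts against the password and access-type recommendations in this NOTE. The account records, the finding labels, and the reading of "mirror user name" as the user name reversed are assumptions.

```python
import string

DEFAULT_PASSWORD = "admin@huawei.com"    # default admin password stated on the page
RISKY_ACCESS = {"telnet", "ftp"}         # page: set the access type to SSH instead
ALL_ACCESS = {"telnet", "ssh", "ftp", "http", "terminal"}   # modes a new user gets


def char_classes(password):
    """Return which of the four character types the password contains."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lowercase")
        elif ch in string.ascii_uppercase:
            classes.add("uppercase")
        elif ch in string.digits:
            classes.add("numeral")
        elif not ch.isspace():
            classes.add("special")       # assumption: any other visible character
    return classes


def password_findings(username, password):
    """Check one candidate password against the rules in the NOTE."""
    findings = []
    if len(password) < 8:
        findings.append("too-short")
    if len(char_classes(password)) < 2:
        findings.append("fewer-than-two-types")
    if " " in password or "'" in password:
        findings.append("forbidden-character")
    if password in (username, username[::-1]):   # user name or its mirror
        findings.append("same-as-user-name")
    if password == DEFAULT_PASSWORD:
        findings.append("default-password")
    return findings


def access_findings(access_types):
    """Flag Telnet/FTP and accounts left with every access mode enabled."""
    modes = {m.lower() for m in access_types}
    findings = [f"risky-access:{m}" for m in sorted(modes & RISKY_ACCESS)]
    if modes == ALL_ACCESS:
        findings.append("all-access-modes-enabled")
    return findings


def audit(accounts):
    """Map each user name to its list of findings (empty list = nothing to fix)."""
    return {
        a["user"]: password_findings(a["user"], a["password"]) + access_findings(a["access"])
        for a in accounts
    }


# Constructed sample accounts; only the admin default comes from the page.
SAMPLE_ACCOUNTS = [
    {"user": "admin", "password": "admin@huawei.com", "access": ["HTTP"]},
    {"user": "operator1", "password": "1rotarepo",
     "access": ["Telnet", "SSH", "FTP", "HTTP", "Terminal"]},
    {"user": "netadmin", "password": "Str0ng#Pass", "access": ["SSH"]},
    {"user": "backup", "password": "backup pw", "access": ["FTP"]},
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS).items():
        print(user, findings or "ok")
```

The default password satisfies the length and character-type rules, so it has to be checked for explicitly.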
Procedure
l Create a user.
1. Choose Security > AAA > User Management in the navigation tree to open the
User page.
2. Click New to open the Create User page, as shown in Figure 3-226.
3. Set parameters.
4. Click OK.
l Modify a user.
1. Choose Security > AAA > User Management in the navigation tree to open the User
Management page.
2. Click the corresponding icon to open the Modify User page, as shown in Figure 3-227.
NOTE
When changing your password, enter the old password in Confirm Old Password, as shown in
Figure 3-228.
l Delete a user.
1. Choose Security > AAA > User Management in the navigation tree to open the User
Management page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
----End
Context
NAC only provides a user authentication solution. To implement this solution, the AAA function
must also be configured.
NOTE
The device supports NAC. NAC controls a user's network access permission that involves personal
communication information collection or storage. Huawei will not collect or save user communication
information independently. You must use the features in compliance with applicable laws and regulations.
Ensure that your customers' privacy is protected when you are collecting or saving communication information.
Procedure
Step 1 Config Next Start Mode: Choose Security > AAA > Change Mode in the navigation tree to
open the Change Mode page, as shown in Figure 3-229.
After the common mode and unified mode are switched, you must save configuration and restart the device to
make each function in the new configuration mode take effect. By default, the unified NAC configuration mode
is used.
----End
3.12.4 802.1x
You can configure 802.1x parameters globally or on an interface.
IEEE 802.1x, or 802.1x in brief, is a port-based network access control protocol. 802.1x
originated from IEEE 802.11 for wireless local area network (WLAN) access and was first
introduced to solve the problem of access authentication for WLAN users. Later, the 802.1x
protocol was applied to Ethernet as a common access control mechanism on LAN interfaces
to solve authentication and security problems on Ethernet.
Port-based network access control indicates that authentication and control are implemented for
access devices on an interface of a LAN access control device. A user device can access LAN
resources only after it passes authentication.
Context
You can configure 802.1x authentication to authenticate and control access devices connected
to an interface of a LAN access control device.
Procedure
Step 1 Choose Security > 802.1X > 802.1X Global Settings in the navigation tree, and the 802.1X
Global Settings page is displayed, as shown in Figure 3-230.
Table 3-182 describes the parameters on the 802.1X Global Settings page.
----End
Context
You can configure 802.1x authentication to authenticate and control access devices connected
to an interface of a LAN access control device.
Procedure
l Query information about 802.1x parameters on an interface.
1. Choose Security > 802.1X > 802.1X Interface Settings in the navigation tree to open
the 802.1X Interface Settings page.
2. Set the search criteria.
3. Click Query to display all matching records.
l Set 802.1x parameters on an interface.
1. Choose Security > 802.1X > 802.1X Interface Settings in the navigation tree to open
the 802.1X Interface Settings page.
2. Select a record and click Configure. The Configure 802.1X Interface Parameters
page is displayed, as shown in Figure 3-231.
3. Set parameters.
4. Click OK.
l Clear the configuration of 802.1x parameters on an interface.
1. Choose Security > 802.1X > 802.1X Interface Settings in the navigation tree to open
the 802.1X Interface Settings page.
2. Select a record and click Clear Configuration. The system asks you whether to delete
the record.
3. Click OK.
----End
You can configure the following authentication methods for MAC address authentication on the
switch:
l Remote Authentication Dial-In User Service (RADIUS) authentication
l Local authentication
Context
MAC address authentication can be configured on an interface before global MAC address
authentication is configured, but does not take effect on the interface. After global MAC address
authentication is enabled, MAC address authentication enabled on an interface takes effect
immediately.
Procedure
Step 1 Choose Security > MAC Authen > Global Configuration in the navigation tree to open the
Global Configuration page, as shown in Figure 3-232.
Parameter Description
User Name Format Indicates the user name format. The options
are as follows:
l MAC
l Fixed user name
By default, the MAC address format is used.
----End
Context
MAC address authentication can be configured on an interface before global MAC address
authentication is configured, but does not take effect on the interface. After global MAC address
authentication is enabled, MAC address authentication configured on an interface takes effect
immediately.
Procedure
l Query the configuration of MAC address authentication on an interface.
1. Choose Security > MAC Authen > MAC Authentication on Interface in the
navigation tree to open the MAC Authentication on Interface page.
2. Set the search criteria.
3. Click Query to display all matching records.
l Configure Interface
1. Choose Security > MAC Authen > MAC Authentication on Interface in the
navigation tree to open the MAC Authentication on Interface page.
2. Select a record and click Configure. The Configure Interface page is displayed, as
shown in Figure 3-233.
3. Set parameters.
4. Click OK.
l Clear the configuration of MAC address authentication parameters on an interface.
1. Choose Security > MAC Authen > MAC Authentication on Interface in the
navigation tree to open the MAC Authentication on Interface page.
2. Select a record that you want to clear and click Clear Configuration.
----End
Context
A UCL group identifies a user type that has the same network access rights. The UCL group is
used to classify users of a type and ACLs are deployed for these users, greatly simplifying
network deployment.
In an enterprise network, a server that provides resources has a fixed IP address. The
administrator can identify this server using a UCL group and associate the server IP address with
the UCL group to form a static UCL group. After a static UCL group is created for a resource
server, the user access policies can be managed based on the UCL group to simplify network
deployment.
Procedure
l Creating a UCL group
1. Choose Security > Ucl Group to display the Ucl Group page.
2. Click New in Ucl Group to display the Create Ucl Group page, as shown in Figure
3-234.
Table 3-187 describes the parameters for creating a static resource group.
----End
Context
You can configure inbound/outbound traffic policy, 802.1p priority re-marking, and DSCP
priority re-marking in a QoS profile.
Procedure
l Query a QoS profile.
1. Choose Security > QoS Profile > QoS Profile to open the QoS Profile page.
2. Enter the name of the QoS profile in the text box, for example, test.
3. Click Query to display all matching records, as shown in Figure 3-236.
NOTE
If no QoS profile name is entered, when you click Query, information about all QoS profiles
is displayed.
Table 3-188 describes the parameters on the Create QoS Profile page, as shown in
Figure 3-237.
3. Set parameters.
4. Click OK.
l Modify a QoS profile.
1. Choose Security > QoS Profile > QoS Profile to open the QoS Profile page.
2. Click the icon next to a record to open the Modify QoS Profile page.
NOTE
l Table 3-188 describes the parameters on the Modify QoS Profile page.
l The QoS profile name cannot be modified.
3. Set parameters.
4. Click OK.
l Delete a QoS profile.
1. Choose Security > QoS Profile > QoS Profile to open the QoS Profile page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
----End
Context
You can configure inbound/outbound traffic policing in a CAR profile.
Procedure
l Query a CAR profile.
1. Choose Security > QoS Profile > CAR Profile to open the CAR Profile page.
2. Enter the name of the CAR profile in the text box, for example, test.
3. Click Query to display all matching records, as shown in Figure 3-238.
NOTE
If no CAR profile name is entered, when you click Query, information about all CAR profiles
is displayed.
Table 3-189 describes the parameters on the Create CAR Profile page, as shown in
Figure 3-239.
3. Set parameters.
4. Click OK.
l Modify a CAR profile.
1. Choose Security > QoS Profile > CAR Profile to open the CAR Profile page.
2. Click the icon next to a record to open the Modify CAR Profile page.
NOTE
l Table 3-189 describes the parameters on the Modify CAR Profile page.
l The CAR profile name cannot be modified.
3. Set parameters.
4. Click OK.
l Delete a CAR profile.
1. Choose Security > QoS Profile > CAR Profile to open the CAR Profile page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
----End
3.12.8.1 Pre-authentication
Context
Users in pre-authentication state have no network access policy.
To meet their network access requirements (for example, update the virus library and download
client software), service schemes can be used to assign certain network access rights to the users
in pre-authentication state.
Procedure
l Applying a service scheme to users in pre-authentication state
1. Choose Security > Authentication Event > Pre-Authentication to display the Pre-
Authentication page.
2. Select a service scheme and click Apply, as shown in Figure 3-240.
Table 3-190 describes the parameters for applying a service scheme to users in pre-
authentication state.
2. Click Clear Configuration. The system asks you whether to delete the service
scheme.
3. Click OK to complete the configuration.
----End
3.12.8.2 Authentication-Failed
Context
Users do not have any network access policies when they fail to be authenticated for
some reason (for example, the users enter incorrect user names or passwords, or the
authentication server is Down).
To meet their network access requirements (for example, update the virus library and download
client software), service schemes can be used to assign certain network access rights to the users
who fail to be authenticated.
NOTE
There are four scenarios for applying and deleting a service scheme for users who fail to be authenticated.
This section uses the scenario Apply to Authentication Server response fail to users as an example. The
operations for other scenarios are similar and are not described here.
Procedure
l Applying a service scheme to users who fail to be authenticated
1. Choose Security > Authentication Event > Authentication-Failed to display the
Authentication-Failed page.
2. Select a service scheme in Apply to Authentication Server response fail to users
and click Apply, as shown in Figure 3-241.
Table 3-191 describes the parameters for applying a service scheme to users who fail
to be authenticated.
Table 3-191 Parameters for applying a service scheme to users who fail to be
authenticated
----End
3.12.9 SSL
You can create, modify, and delete SSL policies.
Context
The Secure Sockets Layer (SSL) protocol uses data encryption, identity authentication, and
message integrity check to ensure security of Transmission Control Protocol (TCP)-based
application layer protocols. An SSL policy can be applied to application layer protocols to
provide secure connections.
Procedure
l Create an SSL policy.
1. Choose Security > SSL in the navigation tree to open the SSL configuration page.
2. Click Create to open the Create SSL Policy page, as shown in Figure 3-242.
Parameter Description
SSL policy name Indicates the name of the SSL policy. The value
is case insensitive.
Key pair file Indicates the name of the key pair file. The file
is saved in the sub-directory security of the
system directory.
This parameter is unavailable when the
certificate type is PFX and the verification mode is
MAC code.
----End
In Portal authentication, users do not need a specific client. The Portal server provides users with
free portal services and a Portal authentication page.
Context
The Portal server is classified as either the external Portal server or the built-in Portal server.
The external Portal server has independent hardware, while the built-in Portal server is an entity
embedded in the access device (that is, functions of the Portal server are implemented by the
access device).
During external Portal authentication, you must configure parameters for the Portal server (for
example, the IP address for the Portal server) to ensure smooth communication between the
device and the Portal server.
Procedure
l Setting the maximum number of users
1. Choose Security > Portal Authentication > External Portal Server.
2. In the Maximum number of users area, set the maximum number of Portal
authentication users and then click Apply.
l Querying an authentication server
1. Choose Security > Portal Authentication > External Portal Server.
2. In the Portal Servers area, view all authentication servers. You can set Search, enter
a keyword, and click Go to search for an authentication server.
l Creating an authentication server
1. Choose Security > Portal Authentication > External Portal Server.
2. In the Portal Servers area, click Create. The Create Portal Server dialog box is
displayed, as shown in Figure 3-244.
Click User-defined in URL Option to display the page for customizing the URL, as
shown in Figure 3-245.
Parameter           Description
AC-IP               Carries the AC IP address in the URL and sets the parameter name.
AC-MAC              Carries the AC MAC address in the URL and sets the parameter name.
AP-IP               Carries the AP IP address in the URL and sets the parameter name.
AP-MAC              Carries the AP MAC address in the URL and sets the parameter name.
Redirect-to URL     Carries the original URL that a user accesses in the URL and sets the parameter name.
SSID                Carries the SSID that users associate with in the URL and sets the parameter name.
User IP address     Carries the user IP address in the URL and sets the parameter name.
User MAC address    Carries the user MAC address in the URL and sets the parameter name.
System name         Carries the device system name in the URL and sets the parameter name.
3. Click OK.
l Modifying an authentication server
1. Choose Security > Portal Authentication > External Portal Server.
4. Click OK.
l Deleting an authentication server
1. Choose Security > Portal Authentication > External Portal Server.
2. In the Portal Servers area, select an authentication server and click Delete. The
system asks you whether to delete the policy.
3. Click OK to complete the configuration.
----End
Context
The Portal server is classified as either the external Portal server or the built-in Portal server.
The external Portal server has independent hardware, while the built-in Portal server is an entity
embedded in the access device (that is, functions of the Portal server are implemented by the
access device).
During the built-in Portal server configuration process, to ensure that the server can provide the
web authentication service, set parameters such as SSL policy, Port, and Web page file.
Procedure
Step 1 Choose Security > Portal Authentication > Built-in Portal Server.
Step 2 On the Built-in Portal Server tab page, set parameters and click Apply, as shown in Figure
3-247.
Table 3-195 describes the parameters for configuring the built-in Portal server.
Parameter Description
Web page file File in .zip format. The file contains web
pages that users access during authentication.
----End
Context
When using built-in Portal authentication, you can customize the web authentication page to
meet requirements of different enterprises. You can design the page background, company logo,
and advertisement to customize the page.
Procedure
Step 1 Choose Security > Portal Authentication > Customized Page. The Customized Page is
displayed.
Step 2 Click Page Style. Three page styles are displayed. The first two are default styles and the last
one is a customized style.
l Default style: use the default background and user-defined logo and advertisement images.
The logo and advertisement image are displayed in preconfigured areas.
l Customized style: use a user-defined image as the background.
Step 3 Set page parameters described in Table 3-196, as shown in Figure 3-248.
Item                                       Description
Acceptable Use Policy (in HTML format)     The administrator can edit the login page used for user authentication to customize a disclaimer page. The hyperlink Acceptable Use Policy will be displayed on the login page. You can click the link to visit the disclaimer page.
Portal usage guideline (in HTML format)    This area is displayed on the right of the Portal login page. You can customize the display contents in the area.
----End
Context
You can set portal free rules for portal authentication users so that the users can access specified
network resources without being authenticated or when the users fail authentication.
Procedure
l Searching a portal free rule
1. Choose Security > Portal Authentication > Portal Free Rule.
2. In the Portal Free Rule area, view all portal free rules. You can enter a rule ID, and
click Search to search for a portal free rule.
l Creating a portal free rule
Table 3-197 describes the parameters for creating a portal free rule.
3. Click OK. The portal free rule is displayed in the portal free rule list.
l Modifying a portal free rule
1. Choose Security > Portal Authentication > Portal Free Rule.
2. In the Portal Free Rule area, click the icon corresponding to a portal free rule.
3. The Modify Portal Free Rule dialog box is displayed, as shown in Figure
3-250.
4. Click OK.
l Deleting a portal free rule
1. Choose Security > Portal Authentication > Portal Free Rule.
2. In the Portal Free Rule area, select a portal free rule and click Delete. The system
asks you whether to delete the policy.
----End
Context
An ACL is a set of rules that can only differentiate packets.
After ACLs are configured, you can configure ACL filtering to apply the ACLs so that packets
are filtered.
Procedure
l Creating an ACL filtering rule
1. Choose Security > Security Protection > ACL Filtering.
2. Click Create and set parameters in the Create ACL Filtering dialog box that is
displayed, as shown in Figure 3-251. Table 3-198 describes the parameters.
3. Click OK. An ACL filtering rule is added to the ACL filtering list.
l Modifying an ACL filtering rule
1. Choose Security > Security Protection > ACL Filtering.
----End
3.13 Tools
This document describes the commands for maintaining and diagnosing the switch, that is, ping,
tracert, VCT, AAA Test, and RF-Ping.
3.13.1 Ping
The ping command is used to check network connectivity and host reachability.
Context
The ping command is used to check network connectivity and host reachability.
Procedure
Step 1 Choose Tools > Ping in the navigation tree to open the Ping page.
Step 2 Enter the IP address in the ping text box and click Start. The network connection information
is displayed, as shown in Figure 3-252.
NOTE
If no response packets are received within the timeout interval, the following information is displayed:
Request time out
The preceding information shows that a link is faulty.
----End
3.13.2 Tracert
You can use the tracert command to test the gateways that packets pass through from the source
host to the destination host. The tracert command is used to check network connectivity and
locate network faults.
Context
The Tracert command, also called Trace Route, helps you check the IP addresses and the
number of gateways between the source and the destination. Tracert is used to check network
connectivity and locate network faults.
Procedure
Step 1 Choose Tools > Tracert in the navigation tree to open the Tracert page.
Step 2 Enter the IP address in the tracert text box and click Start. The Layer 3 devices that packets
pass through between the source host and the destination host are displayed, as shown in Figure
3-253.
NOTE
l The output of the tracert command includes IP addresses of all the gateways through which the packet
reaches the destination. If one gateway sends back a packet indicating TTL timeout, * is displayed.
l The tracert test may take a long time.
----End
3.13.3 VCT
The VCT function controls the hardware interfaces and displays the cable status on the GUI so
that you can conveniently and quickly locate faults and check lengths of cables.
Context
The VCT function helps to detect the type of a network cable fault and locate the faulty point.
In this manner, network cable faults can be conveniently located.
Procedure
Step 1 Choose Tools > VCT in the navigation tree to open the VCT page.
Step 2 Select an interface. You can select only one interface each time.
NOTICE
The system displays a message requesting you to confirm the operation. The operation may
cause Web NMS disconnected from the server. Continue?
Step 4 Click OK. The returned information is displayed, as shown in Figure 3-254.
----End
Context
The AAA test tool checks whether a specified user can pass the RADIUS authentication.
Procedure
Step 1 Choose Tools > AAA Test in the navigation tree.
Step 2 Enter parameters such as the RADIUS server template, authentication mode, user name, and
password. For parameter information, see Table 3-199.
Parameter Description
----End
3.13.5 RF-Ping
After the RF-Ping function is enabled, the device can automatically detect the quality of wireless
links.
Context
The RF-Ping tool checks the quality of the link between the AP and STA.
Procedure
Step 1 Choose Tools > RF-Ping.
Step 2 In the MAC address text box, enter the MAC address of the STA.
----End
Networking Requirements
As shown in Figure 3-255, an enterprise has four departments. Department 1 is connected to
GE0/0/1 of Switch through Switch1. Department 2 is connected to GE0/0/2 of Switch through LSW-
A. Department 3 is connected to GE0/0/3 of Switch through LSW-B. Department 4 is connected
to GE0/0/4 of Switch through Switch2. The requirements are as follows:
l Department 1 and department 2 in VLAN 2 are separated from department 3 and department
4 in VLAN 3.
l Department 1 and department 2 in VLAN 2 can communicate with each other.
l Department 3 and department 4 in VLAN 3 can communicate with each other.
Networking Diagram
[Figure 3-255: Switch connects upstream to Network; GE0/0/1 connects to Switch1, GE0/0/2 to LSW-A, GE0/0/3 to LSW-B, and GE0/0/4 to Switch2.]
Procedure
l Add GE0/0/1 to VLAN 2 on Switch.
1. Choose Service Management > VLAN > Hybrid port in the navigation tree to open
the Hybrid port page.
2. On the Hybrid port page, click the icon indicating the GigabitEthernet0/0/1
interface to open the Modify VLAN configuration on interface page.
3. Enter 2 in the Tagged VLAN text box.
4. Click OK.
NOTE
If the link type of the interface is not hybrid, convert the interface to a hybrid port before
performing the configuration.
l Add GE0/0/2 to VLAN 2 on Switch.
1. Choose Service Management > VLAN > Hybrid port in the navigation tree to open
the Hybrid port page.
2. On the Hybrid port page, click the icon indicating the GigabitEthernet0/0/2
interface to open the Modify VLAN configuration on interface page.
3. Enter 2 in the Tagged VLAN text box.
4. Click OK.
----End
Result
On the Hybrid port page, you can view the configurations of GE0/0/1, GE0/0/2, GE0/0/3 and
GE0/0/4.
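To confirm the Result against the Networking Requirements, the following added example (not part of the original guide) audits tagged VLAN membership in an exported configuration and reports any port pair that breaks the VLAN 2 / VLAN 3 separation. The sample configuration is constructed, the function names are hypothetical, and the check assumes the CLI form `port hybrid tagged vlan` with numeric VLAN lists; untagged VLANs are not examined.

```python
import re
from itertools import combinations

# Constructed VRP-style sample, not from the guide. GE0/0/4 wrongly carries VLAN 2 as well.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 port hybrid tagged vlan 2
interface GigabitEthernet0/0/2
 port hybrid tagged vlan 2
interface GigabitEthernet0/0/3
 port hybrid tagged vlan 3
interface GigabitEthernet0/0/4
 port hybrid tagged vlan 2 to 3
"""

# Intended membership from the Networking Requirements (departments 1-2: VLAN 2, 3-4: VLAN 3).
EXPECTED = {f"GigabitEthernet0/0/{n}": {v} for n, v in ((1, 2), (2, 2), (3, 3), (4, 3))}

def expand_vlans(spec):
    """Expand a VLAN list such as '2 5 to 7' into {2, 5, 6, 7}."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def tagged_vlans(config):
    """Map each interface to the VLANs on its 'port hybrid tagged vlan' lines."""
    ports, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = set()
        elif current and line.startswith("port hybrid tagged vlan "):
            ports[current] |= expand_vlans(line[len("port hybrid tagged vlan "):])
    return ports

def audit(config, expected):
    """Report ports with unexpected membership and port pairs that must not share a VLAN."""
    actual, findings = tagged_vlans(config), []
    for port, want in sorted(expected.items()):
        got = actual.get(port, set())
        if got != want:
            findings.append(f"{port}: tagged {sorted(got)}, expected {sorted(want)}")
    for a, b in combinations(sorted(expected), 2):
        shared = actual.get(a, set()) & actual.get(b, set())
        if shared and not (expected[a] & expected[b]):
            findings.append(f"{a} and {b} share VLAN {sorted(shared)}")
    return findings
```

For the constructed sample, `audit(SAMPLE_CONFIG, EXPECTED)` returns three findings: the unexpected membership on GE0/0/4 and the two port pairs (GE0/0/1 and GE0/0/2 against GE0/0/4) that now share VLAN 2.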