
S1720&S2700EI&S5700 Series Ethernet Switches

V200R006(C00&C10)

Web System Guide

Issue 03
Date 2014-08-25

HUAWEI TECHNOLOGIES CO., LTD.


Copyright Huawei Technologies Co., Ltd. 2014. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://enterprise.huawei.com

Issue 03 (2014-08-25) Huawei Proprietary and Confidential i


Copyright Huawei Technologies Co., Ltd.
S1720&S2700EI&S5700 Series Ethernet Switches
Web System Guide About This Document

About This Document

Intended Audience
This document describes how to use the web network management system to configure and
maintain the switches. The web network management system provides the functions of viewing
device information, configuring the wizard, saving the configurations, and managing the entire
system, interfaces, services, ACLs, QoS, routes, security, and tools.

This document is intended for:

• Data configuration engineers
• Commissioning engineers
• Network monitoring engineers
• System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description

Indicates an imminently hazardous situation which, if not avoided, will result in death or
serious injury.

Indicates a potentially hazardous situation which, if not avoided, could result in death or
serious injury.

Indicates a potentially hazardous situation which, if not avoided, may result in minor or
moderate injury.

Indicates a potentially hazardous situation which, if not avoided, could result in
equipment damage, data loss, performance deterioration, or unanticipated results.
NOTICE is used to address practices not related to personal injury.

NOTE Calls attention to important information, best practices and tips.
NOTE is used to address information not related to personal injury, equipment damage,
and environment deterioration.

Security Conventions
• Password setting
  When configuring a password, cipher text is recommended. To ensure device
  security, change the password periodically.
  When you configure a password in cipher text that starts and ends with %@%@ or @%@%
  (the password can be decrypted by the device), the password is displayed in the
  configuration file exactly as it was configured. Do not use this setting.
• Encryption algorithm
  Currently, the device uses the following encryption algorithms: 3DES, AES, RSA, SHA1,
  SHA2, and MD5. DES, 3DES, RSA and AES are reversible, and SHA1, SHA2, and MD5
  are irreversible. Which encryption algorithm to use depends on the actual networking. An
  irreversible encryption algorithm must be used for the administrator password.
• Personal data
  Some personal data may be obtained or used during operation or fault location of your
  purchased products, services, or features, so you are obliged to establish privacy policies
  and take measures in accordance with the applicable laws of the country to protect personal data.
• The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this manual are
  used only to describe the product's function of communication error or failure
  detection, and do not involve collection or processing of any personal information or
  communication data of users.

Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.

Changes in Issue 03 (2014-08-25) V200R006(C00&C10)


This version has the following updates:

Some contents are modified according to updates in the product.

Changes in Issue 02 (2014-06-10) V200R006C00


This version has the following updates:

Some contents are modified according to updates in the product.

Changes in Issue 01 (2014-04-30) V200R006C00


Initial commercial release.

Contents

About This Document

1 Logging In to the Web System
1.1 Logging In to the Device Through the Web System for the First Time (S1720)
1.2 Logging In to the Device Through the Web System for the First Time (S2720)
1.3 Configuring Login Through the Web System
1.4 Configuration Examples
1.4.1 Example for Logging In to the Device Through the Web System

2 EasyOperation Edition
2.1 Client Configuration
2.1.1 Understanding the Web System Client User Interface
2.1.1.1 Window Layout
2.1.1.2 Navigation Tree
2.1.1.3 Buttons
2.1.1.4 GUI Elements
2.1.2 Web User Management
2.1.2.1 Creating a User Account
2.1.2.2 Changing User Attribute
2.1.2.3 Deleting a User Account
2.1.3 User Timeout
2.1.4 Switching to the Classics Edition
2.1.5 Saving Configuration
2.1.6 Logging Out of the Web System
2.2 Monitor
2.2.1 Panel
2.2.2 System Description
2.2.3 Switch Status
2.2.4 TOP5 Bandwidth Utilization
2.2.5 Log
2.2.6 Online User Information
2.2.7 Power status
2.3 Configuration
2.3.1 Interface Setting

2.3.1.1 View Configuration
2.3.1.2 Connecting a PC
2.3.1.3 Connecting an IP Phone
2.3.1.4 Connecting the Switch
2.3.1.5 Connect Router
2.3.1.6 Enable/Disable Interface
2.3.1.7 Detect Link
2.3.2 VLAN
2.3.3 DHCP
2.3.4 MAC Address Management
2.3.5 Line Loopback Detection
2.3.6 ACL
2.3.6.1 Interface ACL
2.3.6.2 VLAN ACL
2.3.7 AAA & NAC
2.3.7.1 Authentication Configuration
2.3.7.2 Portal Server
2.3.7.3 Access Configuration
2.3.8 Spanning Tree Protocol
2.4 Maintenance
2.4.1 System Setting
2.4.2 System Maintenance
2.4.2.1 Reboot
2.4.2.2 Upgrade
2.4.2.3 Patch
2.4.2.4 Initialize
2.4.3 File Management
2.4.4 Log Management
2.4.5 SNMP
2.4.6 Diagnosis Tools
2.4.6.1 Ping
2.4.6.2 Tracert
2.4.6.3 VCT
2.4.7 User Management
2.5 Network
2.5.1 Role Configuration
2.5.1.1 Commander
2.5.1.2 Client
2.5.2 Summary
2.5.3 Deployment
2.5.3.1 Unconfigured Device Deployment

2.5.3.2 Faulty Device Replacement
2.5.3.3 Batch Upgrade
2.5.4 Batch Configuration
2.5.5 Power Consumption

3 Classics Edition
3.1 Client Configuration
3.1.1 Understanding the Web System Client User Interface
3.1.1.1 Window Layout
3.1.1.2 Navigation Tree
3.1.1.3 Buttons
3.1.1.4 GUI Elements
3.1.2 Web User Management
3.1.2.1 Create User
3.1.2.2 Changing Password
3.1.2.3 Deleting a User Account
3.1.3 Processing the Timeout of a Web User
3.1.4 Switching to the EasyOperation Edition
3.1.5 Saving Configuration
3.1.6 Logging Out of the Web System
3.2 Device Summary (S5720HI)
3.2.1 Lineate
3.2.1.1 Panel
3.2.1.2 System Description
3.2.1.3 Switch Status
3.2.1.4 Bandwidth Utilization
3.2.1.5 System Log
3.2.1.6 Trends
3.2.2 Wireless
3.3 Device Summary (for Switch Models Except S5720H)
3.3.1 Panel
3.3.2 System Description
3.3.3 Switch Status
3.3.4 Bandwidth Utilization
3.3.5 System Log
3.3.6 Trends
3.4 Config Wizard
3.4.1 EasyOperation
3.4.2 AP Wizard
3.4.3 WLAN Wizard
3.4.4 WDS Wizard
3.4.5 Mesh Wizard

3.5 System Management
3.5.1 Initialize
3.5.2 Reboot
3.5.3 Software Upgrade
3.5.4 Patch
3.5.5 File System Management
3.5.5.1 File Management
3.5.5.2 Recycle Bin
3.5.6 System Configuration
3.5.6.1 System Time
3.5.6.2 System Settings
3.5.7 PoE
3.5.7.1 Global Parameter Settings
3.5.7.2 Interface Parameter Settings
3.5.7.3 PoE Power Supply Information
3.5.8 DNS
3.5.8.1 Dynamic DNS Entry Table
3.5.8.2 DNS Settings
3.5.8.3 Domain Name Settings
3.5.8.4 Enable Dynamic Domain Name Resolution
3.5.9 Stacking
3.5.10 Log Management
3.5.11 SNMP
3.5.11.1 SNMP Global Settings
3.5.11.2 Community/Group Management
3.5.11.3 MIB View
3.5.11.4 Trap Setting
3.5.12 EasyOperation
3.5.12.1 Role Configuration
3.5.12.2 Group Configuration
3.5.12.3 Client Configuration
3.5.13 License Management
3.6 Interface Management
3.6.1 Ethernet
3.6.1.1 Configuring Basic Attributes
3.6.1.2 Statistics on Interface
3.6.2 Eth-Trunk
3.6.2.1 Eth-Trunk Port
3.6.2.2 System LACP Priority
3.6.3 VLANIF
3.6.4 LoopBack

3.7 Service Management
3.7.1 VLAN
3.7.1.1 VLAN
3.7.1.2 Hybrid Port
3.7.1.3 Access Port
3.7.1.4 Trunk Port
3.7.1.5 VLANIF Port
3.7.2 MAC
3.7.2.1 MAC Table
3.7.2.2 MAC Aging Time
3.7.2.3 MAC Learning
3.7.2.4 Static MAC Table
3.7.2.5 Blackhole MAC Table
3.7.2.6 Sticky MAC
3.7.3 STP
3.7.3.1 STP Information
3.7.3.2 STP Global
3.7.3.3 STP Interface
3.7.3.4 MST Region
3.7.4 Voice VLAN
3.7.4.1 Voice VLAN
3.7.4.2 Voice VLAN OUI
3.7.5 DHCP
3.7.5.1 DHCP
3.7.5.2 Configuring a Global Address Pool
3.7.5.3 Configuring a VLANIF Interface Address Pool
3.7.5.4 Configure DHCP Relay
3.7.6 ARP
3.7.6.1 ARP Table
3.7.6.2 Static ARP Table
3.7.6.3 ARP Attribute
3.7.7 VRRP
3.7.7.1 VRRP
3.7.7.2 VRRP Attribute
3.7.8 IGMP Snooping
3.7.8.1 Global IGMP Snooping
3.7.8.2 Configure IGMP Snooping in VLAN
3.8 WLAN(S5720HI)
3.8.1 AC Configuration
3.8.1.1 AC Configuration
3.8.2 AP Info

3.8.2.1 AP Information
3.8.2.2 AP Region
3.8.2.3 AP Profile
3.8.2.4 AP Whitelist
3.8.2.5 AP Blacklist
3.8.3 WLAN Configuration
3.8.3.1 WLAN Configuration
3.8.4 Radio Profile
3.8.4.1 Radio Profile
3.8.4.2 WMM Profile
3.8.5 Service Set
3.8.5.1 Service Set
3.8.5.2 Traffic Profile
3.8.5.3 Security Profile
3.8.5.4 ESS Interface
3.8.5.5 STA Blacklist/Whitelist Profile
3.8.6 WDS Profile
3.8.6.1 Bridge Profile
3.8.6.2 Bridge Whitelist
3.8.6.3 WVL Information
3.8.7 Mesh Profile
3.8.7.1 Mesh Profile
3.8.7.2 Mesh WhiteList
3.8.7.3 WVL Information
3.8.8 Load Balancing
3.8.8.1 Static Load Balancing Group
3.8.8.2 Dynamic Load Balancing Group
3.8.9 WIDS Configuration
3.8.9.1 WIDS Configuration
3.8.9.2 SSID Whitelist
3.8.9.3 Rogue Device
3.8.9.4 Attack Statistics
3.8.9.5 Attack Records
3.8.9.6 Dynamic Blacklist
3.8.10 Backup Configuration
3.8.10.1 Backup Configuration
3.8.11 Terminal Management
3.8.11.1 STA Management
3.8.11.2 STA Statistics
3.8.11.3 Offline User Information
3.8.11.4 STA Blacklist/Whitelist

3.8.11.5 Blacklist/Whitelist Status
3.8.12 Radio Calibration
3.8.12.1 Radio Calibration
3.8.13 System Maintenance
3.8.13.1 AP Batch Upgrade
3.8.13.2 Single AP Upgrade
3.9 ACL
3.9.1 Effective Period
3.9.2 ACL
3.10 QoS
3.10.1 Traffic Management
3.10.1.1 Traffic Classifier
3.10.1.2 Traffic Behavior
3.10.1.3 Traffic Policy
3.10.1.4 Apply Traffic Policy
3.10.2 Interface-based Rate Limit
3.10.2.1 View Rate Limit
3.10.2.2 Configure Rate Limit
3.10.3 Traffic Shaping
3.10.3.1 View Traffic Shaping
3.10.3.2 Configure Traffic Shaping
3.10.4 Congestion Management
3.10.4.1 View Scheduling
3.10.4.2 Configure Scheduling
3.10.5 Priority Mapping
3.10.5.1 Priority Mapping
3.10.5.2 Trust Priority
3.11 IP Routing
3.11.1 IPv4 Route
3.11.1.1 IPv4 Routing Tables
3.11.1.2 IPv4 Static Route
3.11.1.3 Global Parameters Setting
3.12 Security
3.12.1 Port Isolation
3.12.1.1 Bidirectional Isolation
3.12.1.2 Unidirectional Isolation
3.12.2 Static User Binding
3.12.2.1 View Static User Binding
3.12.2.2 Configure Static User Binding
3.12.3 AAA Configurations
3.12.3.1 AAA Scheme

3.12.3.2 Service Scheme
3.12.3.3 RADIUS Configurations
3.12.3.4 Domain Management
3.12.3.5 User Management
3.12.3.6 Change Mode
3.12.4 802.1x
3.12.4.1 802.1X Global Settings
3.12.4.2 802.1X Interface Settings
3.12.5 MAC Authen
3.12.5.1 Global Configuration
3.12.5.2 MAC Authentication on Interface
3.12.6 Ucl Group
3.12.7 QoS Profile
3.12.7.1 QoS Profile
3.12.7.2 CAR Profile
3.12.8 Authentication Event
3.12.8.1 Pre-authentication
3.12.8.2 Authentication-Failed
3.12.9 SSL
3.12.10 Portal Authentication
3.12.10.1 External Portal Server
3.12.10.2 Built-in Portal Server
3.12.10.3 Customized Page
3.12.10.4 Portal Free Rule
3.12.11 Security Protection
3.13 Tools
3.13.1 Ping
3.13.2 Tracert
3.13.3 VCT
3.13.4 AAA Test
3.13.5 RF-Ping
3.14 Configuration Examples
3.14.1 Example of Configuring VLANs

1 Logging In to the Web System

About This Chapter

Users can log in to a device using the Web system for device management.

NOTE

When an S1720 or S2720 series switch has the factory settings, users can log in to the switch
using the Web system for the first time. For the detailed configuration method, see 1.1 Logging In to the
Device Through the Web System for the First Time (S1720) and 1.2 Logging In to the Device Through
the Web System for the First Time (S2720). When a device has been configured, users can configure the
login to the device using the Web system. For the detailed configuration method, see 1.3 Configuring
Login Through the Web System.
Switches excluding S1720 and S2720 series switches do not support the first login to a device using the
Web system. Users can configure the login to these switches using the Web system. For the detailed
configuration method, see 1.3 Configuring Login Through the Web System.

1.1 Logging In to the Device Through the Web System for the First Time (S1720)
When logging in to the S1720 with the factory settings for the first time, users can log in only
through the Web system on the PC.

1.2 Logging In to the Device Through the Web System for the First Time (S2720)
When logging in to the S2720 with the factory settings for the first time, users can log in only
through the Web system on the PC and then configure the login mode (Web system, Telnet, or
STelnet).

1.3 Configuring Login Through the Web System

1.4 Configuration Examples


1.1 Logging In to the Device Through the Web System for the First Time (S1720)
When logging in to the S1720 with the factory settings for the first time, users can log in only
through the Web system on the PC.

Context
To facilitate device maintenance and use, S1720 switches allow for the first login using the Web
system.

Pre-configuration Tasks
Before logging in to a device through the Web system, complete the following tasks:

- Powering on the device
- Ensuring that the device has only the factory settings

Default Configuration

Table 1-1 Default configuration of the device

Parameter           Default Setting
User name           admin
Password            admin@huawei.com
User level          15
Login IP address    192.168.1.253

NOTE
With the factory settings on an S1720, the default IP address of VLANIF 1 is 192.168.1.253. To
prevent IP address conflict on the local network, users are advised to change the IP address of
VLANIF 1 on the S1720 before constructing the network.

Procedure
Step 1 Connect the PC to the device.

Connect the PC to any Ethernet interface on the device.

Step 2 Configure an IP address for the PC.

To ensure that the PC and device have reachable routes to each other, configure the PC with an
IP address on the same network segment as the device IP address.


Step 3 Log in to the device through the Web system.

Open the browser on the PC and access https://192.168.1.253. On the displayed Web system
login page shown in Figure 1-1, enter the default user name admin and default password
admin@huawei.com, and select the system language. Click GO or press Enter. The Web
system configuration page is displayed.

Figure 1-1 First login page in the Web system

NOTE

Logging in to the device through the Web system requires IE 8.0, Firefox 12.0, or Chrome 23.0, or
a later version of one of these browsers. With an earlier browser version, pages may be displayed
incorrectly.

Step 4 (Optional) Change the Web login password.

If the default password is used to log in to the device, a message is displayed prompting users
to change the password, as shown in Figure 1-2. Click Confirm. Change the login password
on the User Management page. To ensure security, users are advised to change the Web login
password upon the first login to the device.

Figure 1-2 Page prompting users to change the login password

NOTE

A secure password should contain at least two types of the following: lowercase letters, uppercase letters,
numerals, special characters (such as ! $ # %). In addition, the password cannot contain spaces or single
quotation marks (').

----End


1.2 Logging In to the Device Through the Web System for the First Time (S2720)
When logging in to the S2720 with the factory settings for the first time, users can log in only
through the Web system on the PC and then configure the login mode (Web system, Telnet, or
STelnet).

Context
When a PC has no available serial interface or does not carry any console cable, users can log
in to the device with the factory settings using the Web system for the first time. After the login,
users can conveniently configure the login mode (Web system, Telnet, or STelnet). After the
login mode is configured, users can log in to the device using the Web system, Telnet, or STelnet
for device maintenance.

Pre-configuration Tasks
Before logging in to a device through the Web system, complete the following tasks:

- Powering on the device
- Ensuring that the device has only the factory settings

Default Configuration

Table 1-2 Default configuration of the device

Parameter          Default Setting
User name          admin
Password           admin@huawei.com
User level         15
Login IP address   192.168.1.253

Procedure
Step 1 Connect the PC to the device.

Connect the PC to any Ethernet interface on the device.

NOTE

Users can log in to a device for the first time using the Web system only when the device is in factory
default state. In this case, do not log in to the device through the console interface, because any operation
on the console interface leads to the failure of the first login using the Web system.

Step 2 Enter the initial configuration state.


Press and hold the MODE button for 6s. When all indicators are steady green, the device enters
the initial configuration state.

The system sets the switch IP address to 192.168.1.253/24 and the user level to 15 by default.

NOTE

The device automatically exits the initial configuration state and restores the factory settings if users have
not saved the settings after 10 minutes.

Step 3 Configure an IP address for the PC.

To ensure that the PC and device have reachable routes to each other, configure the PC with an
IP address on the same network segment as the device IP address.

Step 4 Log in to the device through the Web system.

Open the browser on the PC and access https://192.168.1.253. On the displayed Web system
login page shown in Figure 1-3, enter the default user name admin and default password
admin@huawei.com, and select the system language. Click GO or press Enter. The Web
system configuration page is displayed.

Figure 1-3 First login page in the Web system

NOTE

Logging in to the device through the Web system requires IE 8.0, Firefox 12.0, or Chrome 23.0, or
a later version of one of these browsers. With an earlier browser version, pages may be displayed
incorrectly.

Step 5 Configure the device.

As shown in Figure 1-4, the Web system configuration page allows users to perform the basic
and optional configurations. Table 1-3 describes parameters for the basic configuration. After
the basic configuration is complete, users can log in to the device through the Web system.
Table 1-4 describes parameters for the optional configuration. After the optional configuration
is complete, users can log in to the device through Telnet or STelnet.

NOTE

A login user can create users for logging in to the device through Telnet or STelnet. The parameter Create
User is valid only when Telnet Server or Stelnet Server is On.


Figure 1-4 Web system configuration page

Table 1-3 Basic configuration

Item: Management IP Address
Description: Indicates the management IP address of the device. The value is in dotted decimal notation.

Item: Mask
Description: Indicates the mask of the IP address. Select a subnet mask from the drop-down list box.

Item: Old Password
Description: Indicates the default Web login password. This parameter is mandatory.

Item: WEB User Password
Description: Indicates the new Web login password. This parameter is mandatory. A secure password should contain at least two types of the following: lowercase letters, uppercase letters, numerals, special characters (such as ! $ # %). In addition, the password cannot contain spaces or single quotation marks (').

Item: Confirm Password
Description: Confirms the new Web login password. This parameter is mandatory. The format is the same as that of WEB User Password.

Item: WEB User Level
Description: Indicates the Web user level. Select a user level from the drop-down list box. This parameter is optional.
NOTE: Only users of level 3 or higher have the management rights.

Table 1-4 Optional configuration

Item: Device Name
Description: Specifies the device name. The device name cannot contain question marks (?) and cannot start with spaces.

Item: Telnet Server
Description: Configures the Telnet function. On: enables Telnet. Off: disables Telnet.

Item: Stelnet Server
Description: Configures the STelnet function. On: enables STelnet. Off: disables STelnet.

Item: User Name
Description: Specifies the Telnet or STelnet login user name. The user name cannot contain / : * ? " < > | ' or %, and cannot start with @.

Item: Password
Description: Specifies the password. A secure password should contain at least two types of the following: lowercase letters, uppercase letters, numerals, special characters (such as ! $ # %). In addition, the password cannot contain spaces or single quotation marks (').

Item: Confirm Password
Description: Confirms the password. The format is the same as that of Password.

Item: User Level
Description: Indicates the Telnet or STelnet user level. Select a user level from the drop-down list box.
NOTE: Only users of level 3 or higher have the management rights.


Step 6 Save configuration.

Click Apply. The configuration is saved. When logging out of the Web system for the first time,
the following situations may occur based on the configured management IP address:

- When the management IP address is on the same network segment as 192.168.1.253/24, the
  Web system login page is displayed.
- When the management IP address is not on the same network segment as 192.168.1.253/24,
  users cannot log in to the device through the Web system. In this case, configure the PC with
  an IP address on the same network segment as the management IP address so that the PC and
  device have reachable routes to each other.

Users can log in to the device through the Web system, Telnet, or STelnet for device
maintenance.

----End

1.3 Configuring Login Through the Web System


Pre-configuration Tasks
Before logging in to the device through HTTPS, complete the following task:

- Configuring routes between a terminal and the device

Configuration Process
If a web page file is integrated in the device's system software and has been loaded, you do not
need to load and configure a web page file when using the device for the first time after its
delivery. To upgrade the device or load an independent web page file, perform the following
operations.

Table 1-5 describes the tasks in the configuration process for login through HTTPS.

Table 1-5 Tasks in the configuration process for login through HTTPS

No.: 1
Task: Uploading and loading the web page file
Description: -

No.: 2
Task: (Optional) Uploading the server digital certificate file and private key file

No.: 3
Task: (Optional) Configuring the SSL policy and loading the digital certificate

Description (No. 2 and 3): Upload the digital certificate file and private key file to the device. Configure an SSL policy and load the digital certificate on the server. Perform this step when you need to reload the SSL certificate.

Remarks: Before enabling the HTTPS service, make sure that the web page file is loaded on the device. To reload the certificate, complete steps 2 and 3 before enabling the HTTPS service.

No.: 4
Task: Configuring the HTTPS service
Description: Enable the HTTPS service, and set the port number and session timeout interval.

No.: 5
Task: Configuring an HTTP user
Description: Set the HTTP user name, password, user level, and access type.

No.: 6
Task: (Optional) Configure the HTTP ACL
Description: Configure the ACL rule and HTTP basic ACL, improving HTTP access security.

No.: 7
Task: Logging in to the device through HTTPS
Description: Log in to the device through HTTPS.

Default Configuration

Table 1-6 Default settings of the parameters for logging in to another device through HTTPS

Parameter                                   Default Setting
SSL policy                                  A default SSL policy provided
HTTPS service                               enabled
Listening port number of the HTTPS server   443
HTTPS session timeout interval              20 minutes
HTTP user                                   User name: admin
                                            Password: admin@huawei.com
                                            User level: visit level

You are advised to change the password after login through the web system and periodically
update the password to enhance device security.

NOTE
The default password is admin for the device that is upgraded from V200R002 and earlier versions
to this version.

Procedure
- Uploading and loading the web page file


NOTE

To obtain the Web page file of the device, log in to http://support.huawei.com/enterprise and
download the software package based on the product name and version. The Web page file is
contained in the software package. The file name is Product Name - the Version of Software.the
Version of Web page file.web.7z.

Table 1-7 Uploading and loading the web page file

Operation: Upload the web page file.
Command: -
Description: You can use SFTP to upload the web page file. For details, see File Management. A web page file is integrated in the device's system software and has been uploaded to the device together with the system software.

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Load the web page file.
Command: http server load { file-name | default }
Description: Use the default parameter to load the web page file in the system software, and use the file-name parameter to load a specified web page file.

- (Optional) Uploading the server digital certificate file and private key file

The device provides a default SSL policy, and the web page file contains the randomly
generated self-signed SSL certificate. Therefore, you do not need to upload the certificate
or configure the SSL policy. To ensure security, it is recommended that you obtain the
officially authorized digital certificate from the certificate authority (CA) and manually
configure an SSL policy.

NOTE

The device does not support life-cycle management on the self-signed certificate generated by the
device, such as updating the certificate or revoking the certificate. You are advised to use your own
certificate to ensure device and certificate security.
You are advised to use the tool specified in the Software digital signature (OpenPGP) validation
guide to check validity of the certificate before uploading the certificate. To obtain the tool, log in
to http://enterprise.huawei.com/en/, choose Support > Tools, search for Software digital signature
(OpenPGP), and then download the tool.

Upload the server digital certificate and private key file to the security directory on the
device in SFTP or SCP mode. If no security directory exists on the device, run the
mkdir directory command to create one.

Digital certificates support the PEM, ASN1, and PFX formats.


A PEM digital certificate has a file name extension .pem and is applicable to text
transmission between systems.
An ASN1 digital certificate has a file name extension .der and is the default format for
most browsers.
A PFX digital certificate has a file name extension .pfx and is a binary format that can
be converted into the PEM or ASN1 format.

For details, see the file uploading methods in the reference manual.
- (Optional) Configuring the SSL policy and loading the digital certificate

Load the digital certificate and specify the private key.

Table 1-8 Configuring the SSL policy and loading the digital certificate

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Create the SSL policy and enter the SSL policy view.
Command: ssl policy policy-name
Description: -

Operation: Load the digital certificate in the PEM format.
Command: certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code

Operation: Load the digital certificate in the ASN1 format.
Command: certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename

Operation: Load the digital certificate in the PFX format.
Command: certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac cipher mac-code | key-file key-filename } auth-code cipher auth-code

Operation: Load the digital certificate chain in the PEM format.
Command: certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code

Description (all four load operations): Load the digital certificate in the PEM, ASN1, or PFX format.
NOTE: You can load a certificate or certificate chain for only one SSL policy. Before loading a certificate or certificate chain, you must unload the existing certificate or certificate chain.

- Actions for configuring the HTTPS service

Table 1-9 Configuring the HTTPS service

Operation: Enter the system view.
Command: system-view
Description: -

Operation: (Optional) Configure the SSL policy for the HTTPS server.
Command: http secure-server ssl-policy policy-name
Description: Perform this step when you have manually configured an SSL policy for the HTTPS server.
NOTE: If no SSL policy is manually configured, the system uses the default SSL policy. In this case, ensure that the system has loaded the correct web page file with the certificate.

Operation: Enable the HTTPS service.
Command: http secure-server enable
Description: -

Operation: (Optional) Set the listening port number of the HTTPS server.
Command: http secure-server port port-number
Description: The default listening port number of the HTTPS server is 443. The listening port number is set to prevent attackers from accessing the standard HTTPS service port and ensure device security.

Operation: (Optional) Set the HTTPS session timeout interval.
Command: http timeout timeout
Description: The default timeout interval is 20 minutes.

Operation: (Optional) Release the HTTP user for whom the web page number is specified.
Command: free http user-id user-id
Description: A maximum number of five HTTP users can log in to the device. You can run this command to manually release users.

- Configuring an HTTP user

Table 1-10 Configuring an HTTP user

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Enter the AAA view.
Command: aaa
Description: -

Operation: Configure the local user name and password.
Command: local-user user-name password irreversible-cipher password
Description: -

Operation: Configure the level for the local user.
Command: local-user user-name privilege level level
Description: NOTE: Only users of level 3 or higher have the management rights.

Operation: Configure the HTTP access type for the user.
Command: local-user user-name service-type http
Description: -

Operation: Return to the system view.
Command: quit
Description: -

- (Optional) Configure the HTTP ACL.

An ACL is composed of a list of rules such as the source address, destination address, and
port number of packets. ACL rules are used to classify packets. After these rules are applied
to devices, the devices determine the packets to be received and rejected.

Users can configure a basic ACL to allow only specified clients to connect to the HTTP
server.

NOTE

ACL rule:
- The device with the specified source IP address can establish an HTTP connection with the local
  device only when permit is used in the ACL rule.
- When deny is used in the ACL rule, other devices cannot establish HTTP connections with the
  local device.
- When the ACL rule is configured but packets from other devices do not match the rule, other
  devices cannot establish HTTP connections with the local device.
- When the ACL contains no rule, any other devices can establish HTTP connections with the local
  device.

Table 1-11 (Optional) Configuring the HTTP ACL

Operation: Enter the system view.
Command: system-view
Description: -

Operation: Enter the ACL view.
Command: acl [ number ] acl-number
Description: NOTE: HTTP supports basic and advanced ACLs (2000 to 3999). Basic ACLs range from 2000 to 2999. Advanced ACLs range from 3000 to 3999.

Operation: Configure the ACL rule.
Command: Commands for configuring rules of basic and advanced ACLs are different.
  For basic ACLs:
    rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | vpn-instance vpn-instance-name ] *
    (The S1720, S2720, S2750, S5700LI, and S5700S-LI do not support vpn-instance vpn-instance-name.)
  For advanced ACLs:
    rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | fragment | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | vpn-instance vpn-instance-name ] *
Description: -

Operation: Return to the system view.
Command: quit
Description: -

Operation: Configure HTTP ACLs.
Command: http acl acl-number
Description: -

- Logging in to the device through HTTPS


1. Open the web browser on the PC, enter https://IP address in the address box, and
press Enter. The Login dialog box is displayed. Enter the web user name and
password, and select a language for the web system, as shown in Figure 1-5.

Figure 1-5 Login page

2. Select the web system edition. The web system supports the EasyOperation edition
and Classics edition. The EasyOperation edition uses abundant graphs and
personalized UIs to provide monitoring, configuration, maintenance and network
functions. The Classics edition complies with the common web page style of switches
and provides comprehensive configuration and management functions. By default,
you log in to the device through the web system of the EasyOperation edition.
3. Click GO or press Enter. The web system home page is displayed.
You can manage and maintain the device after logging in to the web system.
NOTE

- The web system identifies information about a board using the Item value in electronic labels carried
  in the device. In comparison, the hardware drive enables or disables the device by judging the BarCode
  value. The Web system may fail to read and display information about the board because the Item
  value may be different from the BarCode value.
- To log in to the web system of the EasyOperation edition, your web browser must be Internet Explorer
  8.0 (or later), Firefox 12.0 (or later), or Google Chrome 23.0 (or later). To log in to the web system of
  the Classics edition, your web browser must be IE 8.0 (or later) or Firefox 12.0 (or later). If an earlier
  browser version is used, the web page display may be abnormal. The web browser must support
  JavaScript.
- After the device software version changes (for example, the software version is upgraded or rolled
  back), clear the browser cache before using the web system client. Otherwise, web pages may be
  incorrectly displayed.
- The Web system client does not support the back button on the browser when you log in to the web
  page and do not perform any operation.
- When you log in to the web system on multiple pages using the same browser, the browser only records
  the account information of the last login, and after a page refresh the accounts used on all the pages
  change to the last login account.

----End
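
The four outcomes listed in the ACL rule NOTE of the HTTP ACL step above can be checked offline before an ACL is bound with http acl. This Python sketch is an added example, not part of the Huawei guide. It assumes rules are evaluated in ascending rule-id order with the first match deciding, and that unnumbered rules are numbered in steps of 5; the function names and the sample ACL are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class BasicRule:
    rule_id: int
    action: str    # "permit" or "deny"
    source: str    # dotted-decimal address, or "any"
    wildcard: str  # wildcard mask: 1-bits are ignored when matching


def parse_basic_acl(lines, step=5):
    """Parse 'rule [ rule-id ] { deny | permit } [ source { addr wildcard | any } ]'."""
    rules, max_id = [], 0
    for line in lines:
        tok = line.split()
        if not tok:
            continue
        if tok[0] != "rule":
            raise ValueError(f"not an ACL rule: {line!r}")
        tok = tok[1:]
        if tok and tok[0].isdigit():
            rule_id, tok = int(tok[0]), tok[1:]
        else:  # assumption: unnumbered rules take the next multiple of step
            rule_id = (max_id // step + 1) * step
        if not tok or tok[0] not in ("permit", "deny"):
            raise ValueError(f"missing permit/deny: {line!r}")
        action, tok = tok[0], tok[1:]
        source, wildcard = "any", "255.255.255.255"
        if tok[:2] == ["source", "any"]:
            tok = tok[2:]
        elif len(tok) >= 3 and tok[0] == "source":
            source, wildcard, tok = tok[1], tok[2], tok[3:]
            ipaddress.IPv4Address(source)    # raises ValueError if malformed
            ipaddress.IPv4Address(wildcard)
        if tok:  # fragment, logging, time-range, vpn-instance: not modelled here
            raise ValueError(f"unsupported keywords {tok} in {line!r}")
        rules.append(BasicRule(rule_id, action, source, wildcard))
        max_id = max(max_id, rule_id)
    return sorted(rules, key=lambda r: r.rule_id)


def rule_matches(rule, src_ip):
    """Compare only the bits whose wildcard bit is 0."""
    if rule.source == "any":
        return True
    care = ~int(ipaddress.IPv4Address(rule.wildcard)) & 0xFFFFFFFF
    src = int(ipaddress.IPv4Address(src_ip))
    return (src & care) == (int(ipaddress.IPv4Address(rule.source)) & care)


def http_connection_allowed(rules, src_ip):
    """Return (allowed, reason) following the four cases in the NOTE."""
    if not rules:
        return True, "ACL contains no rule"
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, src_ip):
            return rule.action == "permit", f"matched rule {rule.rule_id} ({rule.action})"
    return False, "no rule matched"


# Constructed sample: one management host is excluded, the rest of its /24 is allowed.
SAMPLE_ACL = [
    "rule 5 deny source 192.168.0.99 0.0.0.0",
    "rule 10 permit source 192.168.0.0 0.0.0.255",
]

if __name__ == "__main__":
    acl = parse_basic_acl(SAMPLE_ACL)
    for ip in ("192.168.0.10", "192.168.0.99", "10.0.0.1"):
        print(ip, http_connection_allowed(acl, ip))
    print("empty ACL:", http_connection_allowed([], "10.0.0.1"))
```

A source address outside every rule is refused once the ACL has at least one rule, while an ACL with no rule admits every source.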


Checking the Configuration


- Run the display ssl policy command to check the configured SSL policy and loaded digital
  certificate.
- Run the display http user command to check the online user information.
- Run the display http server command to check the current HTTPS server information.

1.4 Configuration Examples

1.4.1 Example for Logging In to the Device Through the Web System

Networking Requirements
HTTP enables the device supporting the web system to function as a web server. You can log
in to this device using HTTP and manage the device on web pages. HTTP cannot authenticate
web servers or encrypt data, so it cannot protect data privacy or security. HTTPS is used on
devices to provide encrypted communication and secure identification of web servers.

As shown in Figure 1-6, an SSL policy is configured on the device that works as an HTTPS
server. There are reachable routes between the PC and HTTPS server, and the IP address of the
HTTPS server is 192.168.0.1/24. After the digital certificate is loaded and the HTTPS service
is enabled on the device, you can log in to the device through HTTPS and manage the device
on web pages. (Use the certificate from the CA and manually configure an SSL policy.)

Figure 1-6 Networking diagram of logging in to the device through HTTPS

[Diagram: PC - Network - HTTPS Server (192.168.0.1/24)]

Configuration Roadmap
The configuration roadmap is as follows:

1. Upload the digital certificate and web page file saved in the PC to the device that works as
the HTTPS server.
2. Copy the digital certificate from the root directory on the HTTPS server to the security
subdirectory, configure the SSL policy, and load the digital certificate.
3. Load the web page file.
4. Enable the HTTPS service and configure an HTTP user.
5. Log in to the web system.


Procedure
Step 1 Generate a local key pair on the HTTPS server, and enable the SFTP server.
<HUAWEI> system-view
[HUAWEI] sysname HTTPS-Server
[HTTPS-Server] rsa local-key-pair create
The key name will be: HTTPS-Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
it will take a few minutes.
Input the bits in the modulus[default = 2048]:2048
Generating keys...
...........++++++++++++
..................++++++++++++
...++++++++
...........++++++++
[HTTPS-Server] sftp server enable

Step 2 Configure the VTY user interface on the HTTPS server.


[HTTPS-Server] user-interface vty 0 4
[HTTPS-Server-ui-vty0-4] authentication-mode aaa
[HTTPS-Server-ui-vty0-4] protocol inbound ssh
[HTTPS-Server-ui-vty0-4] quit

Step 3 Configure SSH user information including the authentication mode, service type, authorized
directory, user name, and password.
[HTTPS-Server] ssh user client001 authentication-type password
[HTTPS-Server] ssh user client001 service-type sftp
[HTTPS-Server] ssh user client001 sftp-directory flash:
[HTTPS-Server] aaa
[HTTPS-Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789
[HTTPS-Server-aaa] local-user client001 privilege level 15
[HTTPS-Server-aaa] local-user client001 service-type ssh
[HTTPS-Server-aaa] quit
[HTTPS-Server] quit

Step 4 Connect to the HTTPS server using the third-party software OpenSSH on the PC.
The SSH client software supporting SFTP must be installed on the terminal to ensure that the
terminal can connect to the device using SFTP to manage files. The following describes how to
connect to the device using the OpenSSH and the Windows CLI.

NOTE

- For details about how to install OpenSSH, see the OpenSSH installation description.
- To use OpenSSH to connect to the device using SFTP, run the OpenSSH commands. For details
  about OpenSSH commands, see OpenSSH help.
- The Windows command prompt can identify commands supported by OpenSSH only when
  OpenSSH is installed on the terminal.

Access the Windows CLI and run the commands supported by the OpenSSH to connect to the
device using SFTP to manage files.
If command prompt sftp> is displayed in the SFTP client view, the user accesses the working
directory on the SFTP server. (The following information is only for reference.)
C:\Documents and Settings\Administrator> sftp client001@192.168.0.1
Connecting to 192.168.0.1...
The authenticity of host '192.168.0.1 (192.168.0.1)' can't be established.
RSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.1' (RSA) to the list of known hosts.

User Authentication
Password:
sftp>

Step 5 Upload the digital certificate and web page file to the server from the user terminal.
sftp> put webtest.7z
Uploading webtest.7z to /webtest.7z
webtest.7z 100% 1308478 4.6KB/s 00:11
sftp> put 1_servercert_pem_rsa.pem
Uploading 1_servercert_pem_rsa.pem to /1_servercert_pem_rsa.pem
1_servercert_pem_rsa.pem 100% 1302 4.6KB/s 00:02
sftp> put 1_serverkey_pem_rsa.pem
Uploading 1_serverkey_pem_rsa.pem to /1_serverkey_pem_rsa.pem
1_serverkey_pem_rsa.pem 100% 951 4.6KB/s 00:01

Step 6 On the switch, run the dir command to check the existence of the digital certificate and web
page file in the current storage directory.
NOTE

If the size of the digital certificate and web page file on the switch is different from that on the file server,
a transmission exception may occur. Upload the digital certificate and web page files again.

Step 7 Configure the SSL policy and load the digital certificate.

# Create the security subdirectory and copy the certificates from the CA to the subdirectory.
<HTTPS-Server> mkdir security/
<HTTPS-Server> copy 1_servercert_pem_rsa.pem security/
<HTTPS-Server> copy 1_serverkey_pem_rsa.pem security/

You can run the dir command in the security subdirectory to check the digital certificate.
<HTTPS-Server> cd security/
<HTTPS-Server> dir
Directory of flash:/security/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 1,302 Apr 13 2011 14:29:31 1_servercert_pem_rsa.pem
1 -rw- 951 Apr 13 2011 14:29:49 1_serverkey_pem_rsa.pem

65,233 KB total (7,287 KB free)

# Create the SSL policy and load the digital certificate in the PEM format.
<HTTPS-Server> system-view
[HTTPS-Server] ssl policy http_server
[HTTPS-Server-ssl-policy-http_server] certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code cipher 123456
[HTTPS-Server-ssl-policy-http_server] quit

You can run the display ssl policy command on the HTTPS server to check the details about
the digital certificate that has been loaded.
[HTTPS-Server] display ssl policy
SSL Policy Name: http_server
Policy Applicants:
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem
Key-file Filename: 1_serverkey_pem_rsa.pem
Auth-code: ******
MAC:
CRL File:
Trusted-CA File:


Step 8 Load the web page file.


[HTTPS-Server] http server load webtest.7z

Step 9 Enable the HTTPS service and configure an HTTPS user.

# Enable the HTTPS service.


[HTTPS-Server] http secure-server ssl-policy http_server
[HTTPS-Server] http secure-server enable

# Configure an HTTPS user.


[HTTPS-Server] aaa
[HTTPS-Server-aaa] local-user admin password irreversible-cipher Helloworld@6789
[HTTPS-Server-aaa] local-user admin privilege level 15
[HTTPS-Server-aaa] local-user admin service-type http
[HTTPS-Server-aaa] quit

Step 10 Log in to the web system.

Open the web browser on the PC, enter https://192.168.0.1 in the address box, and press
Enter. The Login dialog box is displayed, as shown in Figure 1-7.

Figure 1-7 Login page

Enter the correct HTTPS user name and password, and click GO or press Enter. The home page
of the web system is displayed.

Step 11 Verify the configuration.

# Run the display http server command on the HTTPS server to check the SSL policy name
and HTTPS server status.
[HTTPS-Server] display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 1
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled

HTTP Secure-server Port : 443(443)
HTTP SSL Policy : http_server

----End

Configuration Files
#
sysname HTTPS-Server
#
http server load webtest.7z
http secure-server ssl-policy http_server
#
aaa
local-user admin password irreversible-cipher %@%@HW=5%Mr;:2)/RX$FnU1HLO%-TBMp4wn
%;~\#%iAut}_~O%0L%@%@
local-user admin privilege level 15
local-user admin service-type http
local-user client001 password irreversible-cipher %@%@*~Br";[g6Pv5Zf>$~{hY+N!`{$<
[Y{;l02P)B,EBz\1FN!c+%@%@
local-user client001 privilege level 15
local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
ssl policy http_server
certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file
1_serverkey_pem_rsa.pem auth-code cipher %@%@"DlqKik*GE*~`u4H+LFJ(K-=%@%@
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
protocol inbound ssh
#
return
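
A check for Step 11 and the configuration file above, as an added example that is not part of the Huawei guide: it parses the display http server output and the saved configuration, confirms that HTTPS is enabled with the bound SSL policy, and lists items to review (the HTTP server reported as enabled next to HTTPS, web users at privilege level 15). The function names, the finding wording, and the <ciphertext> placeholder are assumptions of this example.

```python
import re

# Sample input: the `display http server` output shown in Step 11.
DISPLAY_OUTPUT = """\
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 1
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : http_server
"""

# Constructed sample: excerpt of the configuration file above, with every
# cipher string replaced by the placeholder <ciphertext>.
CONFIG_FILE = """\
sysname HTTPS-Server
#
http server load webtest.7z
http secure-server ssl-policy http_server
#
aaa
local-user admin password irreversible-cipher <ciphertext>
local-user admin privilege level 15
local-user admin service-type http
local-user client001 password irreversible-cipher <ciphertext>
local-user client001 privilege level 15
local-user client001 service-type ssh
#
ssl policy http_server
certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code cipher <ciphertext>
#
return
"""


def parse_display(text):
    """Map each 'Name : value' line of the command output to a dict entry."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" : ")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def parse_config(text):
    """Extract the HTTPS policy binding, defined SSL policies and local users."""
    cfg = {"https_policy": None, "ssl_policies": set(), "users": {}}
    user_re = re.compile(r"local-user (\S+) (password|privilege level|service-type) (.+)$")
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"http secure-server ssl-policy (\S+)$", line):
            cfg["https_policy"] = m.group(1)
        elif m := re.match(r"ssl policy (\S+)$", line):
            cfg["ssl_policies"].add(m.group(1))
        elif m := user_re.match(line):
            name, kind, rest = m.groups()
            user = cfg["users"].setdefault(
                name, {"storage": None, "level": None, "services": set()})
            if kind == "password":
                user["storage"] = rest.split()[0]  # e.g. irreversible-cipher
            elif kind == "privilege level":
                user["level"] = int(rest)
            else:
                user["services"].update(rest.split())
    return cfg


def audit(display, cfg):
    """Return FAIL/REVIEW findings for the HTTPS login setup."""
    findings = []
    if display.get("HTTP Secure-server Status") != "enabled":
        findings.append("FAIL: HTTPS server is not enabled")
    running, bound = display.get("HTTP SSL Policy"), cfg["https_policy"]
    if running != bound:
        findings.append(f"FAIL: running SSL policy {running!r} differs from configured {bound!r}")
    if bound not in cfg["ssl_policies"]:
        findings.append(f"FAIL: SSL policy {bound!r} has no 'ssl policy' section")
    if display.get("HTTP Server Status") == "enabled":
        port = display.get("HTTP Server Port", "unknown")
        findings.append(f"REVIEW: HTTP server is enabled as well (port {port})")
    for name, user in sorted(cfg["users"].items()):
        if user["storage"] != "irreversible-cipher":
            findings.append(f"FAIL: password of {name} is stored as {user['storage']}")
        if "http" in user["services"] and user["level"] == 15:
            findings.append(f"REVIEW: web user {name} has privilege level 15")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_display(DISPLAY_OUTPUT), parse_config(CONFIG_FILE)):
        print(finding)
```
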

2 EasyOperation Edition

About This Chapter

The web system of the EasyOperation edition allows for common operations related to the
monitor, configuration, maintenance, and network functions.

2.1 Client Configuration


This section describes the window layout of and basic operations on the web system of the
EasyOperation edition to facilitate user usage.

2.2 Monitor
You can monitor device status information in the web system.

2.3 Configuration
You can configure the following items on the GUI: Interface Setting, VLAN, DHCP, MAC
management, LBDT, ACL, AAA & NAC, and STP.

2.4 Maintenance
This section describes common device maintenance, for example, system setting, system
maintenance, file management, log management, SNMP, diagnosis tool and user management.

2.5 Network
The EasyDeploy function simplifies network configuration and implements remote deployment
and centralized management of network devices.

2.1 Client Configuration


This section describes the window layout of and basic operations on the web system of the
EasyOperation edition to facilitate user usage.

2.1.1 Understanding the Web System Client User Interface


The following sections help you understand the web system client user interface and improve
your operation efficiency.

2.1.1.1 Window Layout


This section describes the window layout of and basic operations on the web system.

Figure 2-1 shows a typical operation user interface of the web system.

Figure 2-1 Operation user interface

Table 2-1 Window layout

| Number | Description |
|---|---|
| 1 | Function area. The web system of the EasyOperation edition provides four functions: monitor, configuration, maintenance, and network. |
| 2 | Navigation tree. The navigation tree lists available configuration items. |
| 3 | Status display and operation area. The current status of devices is displayed in this area, and you can perform the operations such as creation, deletion, modification, loading, and searching in this area. |
| 4 | CLI switching area. The CLI window can be invoked in this area and users can manage and maintain devices by running commands in the window. |

2.1.1.2 Navigation Tree


This section describes submenus and their functions provided by the web system of the
EasyOperation edition.

The web system of the EasyOperation edition consists of four areas: monitor, configuration,
maintenance, and network, and provides the following functions: device status overview,
interface management, VLAN, DHCP, system management, service management, diagnosis
tool, network deployment, and batch configuration.

Table 2-2 lists submenus in the four areas and describes their functions.

NOTE

The menus and submenus described in this section are used for reference only because the menus of
different switch models have slight differences.

Table 2-2 Description of the web system menus

| Menu | Submenu | Description |
|---|---|---|
| Monitor | Panel | Displays the panel of the switch. |
| | System Description | Displays the product model, device name, device running time, and serial number. |
| | Switch Status | Displays the CPU usage, memory usage, temperature, and fan status. |
| | TOP5 Bandwidth Utilization | Displays top 5 interface bandwidth utilization, including bandwidth utilization in the incoming and outgoing directions, the number of error packets in the incoming and outgoing directions, and the number of broadcast packets in the incoming and outgoing directions. |
| | Log | Displays the latest five logs, including the time when logs are generated, log level, and log content. |
| | Online User Information | Displays the latest five authentication users. |
| | Power Status | Displays power module presence information and working status, total power of PoE powers, and available PoE power. |
| Configuration | Interface Setting | Interface configuration includes the following configuration pages: View Configuration, Connect PC, Connect IP Phone, Connect Switch, Connect Router, Enable/Disable Interface, and Detect Link. |
| | VLAN | Configure and query VLANs, Modify VLANs, and Delete VLANs. |
| | DHCP | Configure and query DHCP address pool on VLANIF interface, and DHCP relay. |
| | MAC Management | Query MAC/IP address table, Configure static MAC address entries, Configure static secure MAC address, Configure blackhole MAC address entries, and Delete MAC address entries function. |
| | LBDT | Configure the loopback detection function. |
| | ACL | Configure interface ACLs and VLAN ACLs to filter packets. |
| | AAA&NAC | Configure AAA authentication, Portal authentication, and interface-based authentication to provide security management on the network. |
| | STP | Configure the STP function. |
| Maintenance | System Setting | Set system information such as system time and system information. |
| | System Maintenance | Supports device reboot, upgrade, patch installation, and factory settings restoration. |
| | File Management | Upload files to the device, download files from the device, and restore or permanently delete files from the recycle bin. |
| | Log Management | Query and process the latest 300 logs by type. |
| | SNMP | Configure the SNMP agent function. |
| | Diagnosis Tool | Provides three diagnosis tools: Ping, Tracert, and VCT. |
| | User Management | Query and maintain local user information database to manage web users. |
| Network | Role Configuration | Determine the role of a device before configuring EasyDeploy on the device. |
| | Summary | Displays network topology information and saves the network topology on the device. |
| | Deployment | Deploy unconfigured devices, replace faulty devices, and perform batch upgrade based on the network topology. |
| | Batch Configuration | Perform batch configuration on the devices by delivering command line scripts to the specified devices. |
| | Power Consumption | Displays power consumption of all the devices on the entire network and of each device. |

2.1.1.3 Buttons
This section describes common buttons on the web system that can be used to facilitate
operations on the web.

Table 2-3 lists the buttons and describes their functions.

Table 2-3 Button description

| Button | Function |
|---|---|
| | Save the configuration. |
| | Delete a selected data record. |
| | Indicates whether a function is enabled. ON indicates enabled and OFF indicates disabled. You can switch this button to change the status. |
| | Submit the entered configurations and confirm system display information. NOTE: If you click Apply on a pop-up dialog box, the dialog box is not closed. |
| | Create an item on the current page. |
| | Create items in a batch on the current page. |
| | Search for a value of the current item. |
| | Refresh the current page. |
| | Clear the current configuration. |
| | Copy all the selected items. |

2.1.1.4 GUI Elements


This section describes the elements that you usually use on the web system GUI.

Table 2-4 lists the elements that you usually use on the web system GUI.

NOTE

The GUI elements described in this section are used for reference only because the GUI elements of
different switch models have slight differences.

Table 2-4 GUI elements

| Name | Element |
|---|---|
| Button | |
| On/off switch | |
| Option button | |
| Check box | |
| Tab | |
| Text box | |
| Browse box | |
| Group box | |
| Drop-down list box | |
| Menu | |
| Sort button | Default, Descending, Ascending |
| Time setting | |
| Mandatory option | |
| Interface panel | |
| CLI switching | |

2.1.2 Web User Management


The switch provides a default user name and password for your first login. To facilitate user
management, the web system enables you to add user accounts, change passwords, and delete
user accounts.

The following sections describe user management operations. Choose Maintenance > User
Management to configure user management.

2.1.2.1 Creating a User Account


You can add user accounts to a switch to allow it to authenticate and authorize login users based
on the local user information. You can also create multiple user accounts and assign different
user levels and passwords for them to refine user management.

Context
Only administrative users can add user accounts.

NOTE

You can create a user account of the same or a lower level.

Procedure
Step 1 Choose Maintenance > User Management. The User Management page is displayed.

Step 2 Click Create. The Create User dialog box is displayed.

Step 3 In the Create User dialog box, set User Name, Password, Confirm Password, and Level.
Figure 2-2 shows the Create User dialog box.

Figure 2-2 Create User dialog box

Step 4 Click Confirm.

----End

2.1.2.2 Changing User Attribute


You can change the password and user level on the web system GUI.

Context
Only administrative users can change the password and user level.

Procedure
Step 1 Choose Maintenance > User Management. The User Management page is displayed.
Step 2 Click Modify next to a user account. The Modify User dialog box is displayed.
Step 3 In the Modify User dialog box, set Password, Confirm Password, and Level.
Step 4 Click Confirm.
----End

2.1.2.3 Deleting a User Account


You can delete user accounts from the web system.

Context
Only administrative users can delete user accounts.
NOTE
You can delete a user account of the same or a lower level, not including your own user account.

Procedure
Step 1 Choose Maintenance > User Management. The User Management page is displayed.
Step 2 Click Delete next to a user account. The system asks whether you want to delete the user account.
Step 3 Click Confirm.
----End

2.1.3 User Timeout


The web system assigns each user a timeout period to prevent idle users from occupying system
resources.
If you do not perform any operations on the web system GUI for a long time, you are logged
out and the login page is displayed. Figure 2-3 shows the login page. If you need to continue
operations, log in again.

Figure 2-3 Login page

By default, the timeout period for a login user is 20 minutes. You can change the timeout period
on the System Setting page.

Changing the Timeout Period


Choose Maintenance > System Setting and enter a new timeout period in the System info menu.
Figure 2-4 shows the System Setting page. Click Apply.

Figure 2-4 Setting system information

2.1.4 Switching to the Classics Edition


The web system of the EasyOperation edition provides only the frequently used management
functions. If you want to use more management functions, you need to switch to the classics
edition.

A button is available on the EasyOperation edition for you to switch to the classics edition. Click
Classics at the upper right corner of the page to switch to the classics edition. Figure 2-5 shows
the Classics button.

Figure 2-5 Switching to the classics edition

2.1.5 Saving Configuration


After performing configuration, you need to save the configuration data. Otherwise, the
configurations will be lost after the device restarts.

To save configurations, you can:


- Click Confirm or Apply to save the configuration data to memory.
- Click at the upper right corner to save all the configuration data to the
  configuration file.

2.1.6 Logging Out of the Web System


To protect the security of your account and the switch, log out of the web system immediately after
you finish the configurations.

You can log out of the web system in either of the following ways:
- Click on the upper right corner of the page to close the browser.
- Click on any page of the browser.

NOTE

If you use the first method, save the configurations before you close the browser. Otherwise, the
configurations will be lost. If you use the second method, a message is displayed on the web system, asking
whether you want to save the current configuration.

2.2 Monitor
You can monitor device status information in the web system.

2.2.1 Panel
The Panel section displays the panel of the switch.

Context
The panel section displays information about interfaces on a switch panel, including the number
of interfaces and status of each interface. When you move the mouse to an interface, the interface
number and status are displayed.

Procedure
Step 1 Click Monitor in the function area to display the Monitor page. The panel diagram is
displayed, as shown in Figure 2-6.

Figure 2-6 Panel diagram

----End

2.2.2 System Description


The System Description page displays information about a switch, such as the product model,
device name, running time, and serial number of the switch.

Procedure
Step 1 Click Monitor in the function area to display the Monitor page. The system description of the
switch is displayed, as shown in Figure 2-7.

Figure 2-7 System Description section

----End

2.2.3 Switch Status


The Switch Status section displays status monitoring information of a switch.

Context
To view the real-time status of a switch, refresh the page.

Procedure
Step 1 Click Monitor in the function area to display the Monitor page. The switch status is
displayed, as shown in Figure 2-8.

Figure 2-8 Switch Status section

Step 2 Click the CPU Usage, Memory Usage, and Temperature tabs to view detailed status
information, as shown in Figure 2-9.

Figure 2-9 Detailed status information

You can click to switch between different status information.

Step 3 For a battery switch, the battery status is also displayed, as shown in Figure 2-10. When you
move the mouse to a battery status icon, the battery status represented by the icon is displayed.
Table 2-5 shows the status of different batteries and the corresponding icons.

NOTE

- Battery switches include S5700-28P-LI-BAT and S5700-28P-LI-24S-BAT.
- The preceding product models support the following batteries: lead-acid battery (used with the
  PBB-12AHA lead-acid battery charger module), 4AHA lithium battery, and 8AHA lithium battery.

Figure 2-10 Switch Status section

Table 2-5 Battery status and status icons

| Battery Type | Battery Status | Icon |
|---|---|---|
| Lead-acid battery | Absent | |
| | Charging | |
| | Full power | |
| | Discharging | |
| | Abnormal | |
| Lithium battery | Absent | |
| | Charging | |
| | Full power | |
| | Discharging. The remaining power is normal (higher than or equal to 20%). | |
| | Discharging. The remaining power is too low (lower than 20%). | |
| | Abnormal | |
| | Upgrading | |

NOTE
When a lithium battery is discharging, the displayed status icon depends on the remaining power
of the battery. If the remaining power is less than 20% of the full power, the red discharging icon
is displayed, indicating that the power is too low. If the remaining power is more than 20% of the
full power, the green discharging icon is displayed.
When a lithium battery is charging or discharging, the current power percentage is displayed
above the status icon. For example, if a lithium battery is fully charged, "Lithium battery 100%"
is displayed. If the remaining power of a discharging lithium battery is too low, "Lithium battery
18%" is displayed.

----End

2.2.4 TOP5 Bandwidth Utilization


This section describes operations you can perform on the TOP5 Bandwidth Utilization.

Procedure
Step 1 Click Monitor in the function area. The TOP5 Bandwidth Utilization is displayed, as shown
in Figure 2-11.

Figure 2-11 TOP5 Bandwidth Utilization

Step 2 If you want to view the bandwidth utilization of a specific interface, click the interface below
Port name. The Bandwidth Utilization is displayed. On the page, you can view the real-time
bandwidth utilization of this interface, as shown in Figure 2-12.

Figure 2-12 Bandwidth Utilization

Step 3 If you want to view the bandwidth utilization of other interfaces, click More in the lower right
corner of the TOP5 Bandwidth Utilization. The portList is displayed. You can view detailed
information about other interfaces on the portList, as shown in Figure 2-13.

Figure 2-13 portList

You can use the following method to search for and view detailed information about a specific
interface on the PortList.

1. Select an interface name from the drop-down list box next to Port type to determine the
type of interface you want to view.
2. Enter the interface number in the second search box next to Port type.
3. Click Search.

On the PortList, you can perform refresh, clear, and clear all operations.
- Click Refresh to obtain the latest bandwidth utilization.
- Click Clear to clear the bandwidth utilization of a specified interface and refresh the page.
- Click Clear All to clear the bandwidth utilization of all interfaces and refresh the page.

Table 2-6 describes the parameters on the portList.

Table 2-6 portList

| Item | Description |
|---|---|
| Interface Name | Bandwidth utilization of an interface with a specified type and number. |
| Inbound Bandwidth Use Efficiency | Bandwidth utilization of the incoming traffic. |
| Outbound Bandwidth Use Efficiency | Bandwidth utilization of the outgoing traffic. |
| Inbound Error Packets | Number of error packets received by an interface. |
| Outbound Error Packets | Number of error packets sent by an interface. |
| Inbound Broadcast Packets | Number of broadcast packets received by an interface. |
| Outbound Broadcast Packets | Number of broadcast packets sent by an interface. |
| Operation | Click Details to obtain the running status of the interface and interface statistics. |

----End

2.2.5 Log
The Log section displays the five latest logs with the highest severities, providing the generation
time and contents of each log.

Context
You can click More to view more logs.

Procedure
Step 1 Click Monitor in the function area to display the Monitor page. Logs are displayed in the
Log section, as shown in Figure 2-14.

Figure 2-14 Log section

Step 2 Click More to display the Log Management page. You can view the latest 300 logs with the
highest severities on this page.

----End

2.2.6 Online User Information


You can view information about the latest five online users on the device.

Context
Brief information about the latest five online users on the current device is displayed in the
Online User Information area. The information includes online time, authentication mode,
MAC address, and IP address. You can check detailed information about each online user,
including user name, domain name, access port, online duration, access type, outer/user VLAN,
and user ID. You can also force the user offline based on the current network status.

Procedure
Step 1 Click Monitor to display the Monitor page. You can view information in the Online User
Information area, as shown in Figure 2-15.

Figure 2-15 Online User Information

Step 2 Check detailed information about online users.


1. Click More to display the Online User List page, as shown in Figure 2-16.

Figure 2-16 Online User List

NOTE

- Click Refresh to display the latest online user information.
- Select an option from the Search Criteria drop-down list box (the search criteria include user name,
  authentication mode, MAC address, and IP address). Enter the detailed search criteria and click
  Search. The corresponding online user information is displayed. For example, select User Name and
  enter admin for Search Criteria.
- If the system time has been modified, the actual online duration of a user may be different from that
  displayed on the web page.
2. Click Details to display the Details page, as shown in Figure 2-17.

Figure 2-17 Details about an online user

3. Click Cancel to return to the Online User List page.

Step 3 Force users offline.


1. You can force users offline using either of the following methods:

- Click More to display the Online User List page, and click Disconnect next to a user
  record.
- Click More to display the Online User List page. Select the records of the users to be
  forced offline, and click Disconnect next to Refresh to force the users offline in batches.
After you click Disconnect, the system prompts you to confirm the operation of forcing
users offline.
2. Click Confirm.

----End

2.2.7 Power status


The Power status section displays power module presence information and working status, total
power of PoE powers, and available PoE power.

Context
For a non-PoE device that provides only internal power modules, the Power status section is
not displayed on the Monitor page. If the device does not support PoE power supply, total
available PoE power and total PoE output power are not displayed in the Power status section.

Procedure
Step 1 Click Monitor in the function area to display the Monitor page. The power status is
displayed, as shown in Figure 2-18.

Figure 2-18 Power status section

----End

2.3 Configuration
You can configure the following items on the GUI: Interface Setting, VLAN, DHCP, MAC
management, LBDT, ACL, AAA & NAC, and STP.

2.3.1 Interface Setting


This chapter describes common interface configurations.

NOTE

A combo interface is a logical interface, which corresponds to a GE electrical interface and a GE optical interface
on the device panel. The electrical interface is used with the optical interface as a combo interface. When the
device supports electrical interfaces, you do not need to use the GE copper module to convert an optical interface
to an electrical interface.

2.3.1.1 View Configuration

Context
You can view interface related functions on this page.

Figure 2-19 shows interface status and optical/electrical interfaces.

Figure 2-19 Interface status and optical/electrical interfaces

Procedure
Step 1 Click Configuration in the function area and choose Interface Setting from the navigation tree
on the left. The Interface Setting page is displayed. Click View Configuration, as shown in
Figure 2-20.

Figure 2-20 View Configuration

Step 2 Click an interface icon to select an interface. You can select only one interface at a time.

Step 3 View interface related functions on the View Interface Attribute. Figure 2-21 shows the View
Interface Attribute.

Figure 2-21 View Interface Attribute

Table 2-7 describes the parameters on the View Interface Attribute.

Table 2-7 Parameters on the View Interface Attribute


| Item | Description |
|---|---|
| Interface Status | Enable: The current interface is enabled. Disable: The current interface is disabled. |

Step 4 If you want to delete all configurations on the interface to restore the default settings, click Clear
Configuration. After configurations are deleted, the interface is disabled.
----End

2.3.1.2 Connecting a PC

Context
After a switch is connected to a PC, you can configure functions such as the default VLAN, port
security, and port isolation based on service requirements.

Procedure
Step 1 Click Configuration in the function area and choose Interface Setting from the navigation tree
on the left. The Interface Setting page is displayed. Click Connect PC, as shown in Figure
2-22.

Figure 2-22 Configuring the port connected to a PC

NOTE

On the S1720 and S2720, you cannot select Connect Router.

Step 2 Select a port to be configured. Perform the following operations as required in the port area:
- Click a port icon. To deselect the port, click the port icon again.
- Drag the cursor to select consecutive ports in a batch.
- Click multiple port icons to select these ports, and click a port icon again to deselect the port.
- Select a slot where a panel is located. All ports on the panel are selected.

Step 3 Configure the port.


Table 2-8 describes parameters and their values.

Table 2-8 Parameters and their values

| Parameter | Description |
|---|---|
| Interface Status | Enables or disables the interface: Enable or Disable. |
| Default VLAN | Adds the interface to the default VLAN. The VLAN ID ranges from 1 to 4094. |
| Interface Isolation | Enables or disables port isolation: Enable or Disable. |
| Interface Security | Enables or disables interface security: Enable or Disable. |
| MAC Address Limit | Sets the maximum number of secure MAC addresses. The value ranges from 1 to 1024. |
| Loopback-detection | Enables or disables loopback detection: Enable or Disable. |
| Trust Priority | Configure trust priority on the port. The values are as follows: none (no packet priority is trusted); 8021p-inner (the 802.1p priority in the inner VLAN tag is trusted); 8021p-outer (the 802.1p priority in the outer VLAN tag is trusted); DSCP (the DSCP priority of packets is trusted). |

Step 4 Click Apply to make the configuration take effect.

----End

2.3.1.3 Connecting an IP Phone

Context
After a switch is connected to an IP phone, you can configure functions such as the default
VLAN, voice VLAN, port security, and port isolation based on service requirements.

Procedure
Step 1 Click Configuration in the function area and choose Interface Setting from the navigation tree
on the left. The Interface Setting page is displayed. Click Connect IP Phone, as shown in
Figure 2-23.

Figure 2-23 Configuring the port connected to an IP phone

NOTE

On the S1720 and S2720, you cannot select Connect Router.

Step 2 Select a port to be configured. Perform the following operations as required in the port area:
- Click a port icon. To deselect the port, click the port icon again.
- Drag the cursor to select consecutive ports in a batch.
- Click multiple port icons to select these ports, and click a port icon again to deselect the port.
- Select a slot where a panel is located. All ports on the panel are selected.

Step 3 Configure the port.


Table 2-9 describes parameters and their values.

Table 2-9 Parameters of a port and their values

| Parameter | Description |
|---|---|
| Interface Status | Enables or disables the interface: Enable or Disable. |
| Default VLAN | Adds the interface to the default VLAN. The VLAN ID ranges from 1 to 4094. |
| Voice VLAN | Enables voice VLAN on the interface. The voice VLAN ID ranges from 2 to 4094. |
| Interface Isolation | Enables or disables port isolation: Enable or Disable. |
| Interface Security | Enables or disables interface security: Enable or Disable. |
| MAC Address Limit | Sets the maximum number of secure MAC addresses. The value ranges from 1 to 1024. |
| Loopback-detection | Enables or disables loopback detection: Enable or Disable. |

Step 4 Click Apply to make the configuration take effect.

----End

2.3.1.4 Connecting the Switch

Context
After a switch is connected to another switch, you can configure the switch port to allow packets
from a specified VLAN based on service requirements.

Procedure
Step 1 Click Configuration in the function area and choose Interface Setting from the navigation tree
on the left. The Interface Setting page is displayed. Click Connect Switch, as shown in Figure
2-24.

Figure 2-24 Configuring the port connected to a switch

NOTE

On the S1720 and S2720, you cannot select Connect Router.

Step 2 Select a port to be configured. Perform the following operations as required in the port area:
- Click a port icon. To deselect the port, click the port icon again.
- Drag the cursor to select consecutive ports in a batch.
- Click multiple port icons to select these ports, and click a port icon again to deselect the port.
- Select a slot where a panel is located. All ports on the panel are selected.

Step 3 Configure the port.


Table 2-10 describes parameters and their values.


Table 2-10 Parameters of a port and their values

Parameter                   Description

Interface Status            Enables or disables the interface:
                            - Enable
                            - Disable

Eth-Trunk                   ID of the Eth-Trunk to which the port is added. This
                            parameter can be set only after Enable Link Aggregation
                            is selected.

Allow VLAN                  ID of a VLAN whose packets can pass through the port. The
                            VLAN ID ranges from 1 to 4094.

Automatically Create VLAN   Configures whether the system creates allowed VLANs:
                            - Yes
                            - No

Step 4 Click Apply to make the configuration take effect.

----End

2.3.1.5 Connect Router

Context
You can configure functions of interfaces on switches that are connected to routers on the
GUI. Figure 2-25 shows interface status and optical/electrical interfaces.

Figure 2-25 Interface status and optical/electrical interfaces

NOTE

The S5700LI, S1720, and S2720 do not support this function.


If the device cannot be connected to a router, this page is hidden.

Procedure
Step 1 Click Configuration in the function area and choose Interface Setting from the navigation tree
on the left. The Interface Setting page is displayed. Click Connect Router, as shown in Figure
2-26.


Figure 2-26 Connect Router

Step 2 Click an interface icon to select an interface. You can select only one interface at one time.

Step 3 Set parameters on the Configure Interface. Figure 2-27 shows the Configure Interface.

Figure 2-27 Configure Interface

Table 2-11 describes the parameters on the Configure Interface.

Table 2-11 Parameters on the Configure Interface

Item                    Description

Interface Status        Select the interface status from the drop-down list box.
                        - Enable: The current interface is enabled.
                        - Disable: The current interface is disabled.

IP Address              Configure an IP address for the current interface.

Mask                    Select a subnet mask from the drop-down list box, for
                        example, 24 (255.255.255.0).

Step 4 Click Apply to complete the configuration.

----End


2.3.1.6 Enable/Disable Interface

Context
On the GUI, you can disable an idle interface that is not connected to a cable or an optical fiber
to prevent the idle interface from interfering with other interfaces that are in the working state.

Figure 2-28 shows interface status and optical/electrical interfaces.

Figure 2-28 Interface status and optical/electrical interfaces

Procedure
Step 1 Click Configuration in the function area and choose Interface Setting from the navigation tree
on the left. The Interface Setting page is displayed. Click Enable/Disable Interface, as shown
in Figure 2-29.

Figure 2-29 Enable/Disable Interface

Step 2 Select the interface that you want to configure. Perform any of the following operations as
required:
- Click an interface icon to select an interface.
- Drag the mouse to select multiple consecutive interfaces in a batch.
- Click multiple port icons to select these ports, and click a port icon again to deselect the port.
- Select an interface card name to select all the interfaces on the interface card.

Step 3 Set parameters on the Configure Interface. Figure 2-30 shows the Configure Interface.


Figure 2-30 Configure Interface

Table 2-12 describes the parameters on the Configure Interface.

Table 2-12 Parameters on the Configure Interface


Item                    Description

Interface Status        Select the interface status from the drop-down list box.
                        - Enable: The current interface is not shut down.
                        - Disable: The current interface is shut down.

Step 4 Click Apply to complete the configuration.

----End

2.3.1.7 Detect Link

Context
Virtual cable test (VCT) technology uses time domain reflectometry (TDR) to detect the cable
status. When a pulse transmitted along a cable reaches the end of the cable or a failure point,
part of the pulse energy is reflected to the transmitting end. The VCT algorithm measures the
time taken for the pulse to travel along the cable, reach the failure point, and return. The
measured time is converted to a distance.

VCT can detect the fault type of a network cable and identify failure points to help locate network
cable faults.

The VCT test result is only for reference and may be inaccurate for cables of some vendors.

VCT takes effect only on optical interfaces that have GE copper modules installed or GE
electrical interfaces on the device.

Figure 2-31 shows interface status and optical/electrical interfaces.

Figure 2-31 Interface status and optical/electrical interfaces


Procedure
Step 1 Click Configuration in the function area and choose Interface Setting from the navigation tree
on the left. The Interface Setting page is displayed. Click Detect Link, as shown in Figure
2-32.

Figure 2-32 Detect Link

Step 2 Select the interface that you want to configure. Perform any of the following operations as
required:
- Click an interface icon to select an interface.
- Drag the mouse to select multiple consecutive interfaces in a batch.
- Click multiple port icons to select these ports, and click a port icon again to deselect the port.
- Select an interface card name to select all the interfaces on the interface card.

Step 3 Click Start Detection to complete the configuration.

Step 4 You can view check results on the Configure Interface. Figure 2-33 shows the Configure
Interface.

Figure 2-33 Configure Interface

Table 2-13 describes the parameters on the Configure Interface.


Table 2-13 Parameters on the Configure Interface

Item                    Description

Interface               Type and number of the interface on which link detection is
                        performed.

Management Status       Management status of the interface.
                        - down: The interface is disabled.
                        - up: The interface is enabled.
                        - administratively down: indicates that the administrator
                          has run the shutdown command on the interface.

Detection Result        Detection result. Possible results are as follows:
                        - The network cable is faulty. You can click Details to view
                          the detailed detection result. The Details contains the
                          following fields:
                          - Pair A/B/C/D: Four pairs of circuits in a network cable.
                          - Pair A length: Length of a network cable.
                            - The length is the distance between the interface and
                              the fault point if a fault occurs.
                            - The length is the actual length of the cable when the
                              cable works properly.
                            - The default length is 0 m if the interface is not
                              connected to any network cable.
                          - Pair A state: Network cable status.
                            - Ok: The circuit pair is terminated properly.
                            - Open: The circuit pair is not terminated.
                            - Short: The circuit pair is short-circuited.
                            - Crosstalk: The cable sequence is incorrect.
                            - Unknown: An unknown fault occurs on the circuit pair.
                        - The interface works normally.


----End

2.3.2 VLAN
You can create, query, modify, or delete a single VLAN or create VLANs in a batch.

Context
- A switch supports 4094 VLANs from VLAN 1 to VLAN 4094.
- VLANs can isolate the hosts that require no communication with each other, reducing
  broadcast traffic and improving network security.

Procedure
- Creating a VLAN
1. Click Configuration in the function area and choose VLAN from the navigation tree
on the left. The VLAN page is displayed.
2. Click Create. The Create VLAN dialog box is displayed, as shown in Figure 2-34.

Figure 2-34 Creating a VLAN

Table 2-14 describes parameters in the Create VLAN dialog box.


Table 2-14 Parameters for creating a VLAN

Parameter               Description

VLAN ID                 ID of the VLAN. This parameter is mandatory, and its value
                        ranges from 1 to 4094. You can enter multiple VLAN IDs, for
                        example, 5, 7, or 9. VLAN 1 is the default VLAN, and the
                        system will not re-create it.

Description             Description of the VLAN. This parameter is optional. If
                        VLANs are created in a batch, leave the description empty.

IP Address              IPv4 address of a VLANIF interface, such as 10.10.10.1. This
                        parameter is optional and can be configured only for a
                        VLANIF interface.

Mask                    Subnet mask of the IP address. This parameter is optional.

3. Set parameters.
4. Click Add Interface. The Add Interface area is unfolded, as shown in Figure
2-35.


Figure 2-35 Adding ports to the VLAN

5. Click Select Interface. The Add Interface page is displayed, as shown in Figure
2-36.

Figure 2-36 Selecting ports to be added to the VLAN

6. Click Confirm. The Create VLAN dialog box is displayed.


7. Click Confirm.
- Creating VLANs in a batch
1. Click Configuration in the function area and choose VLAN from the navigation tree
on the left. The VLAN page is displayed.
2. Click Batch Create. The Create VLAN dialog box is displayed, as shown in Figure
2-37. Set parameters.

Figure 2-37 Creating VLANs in a batch

3. Click Confirm.
- Querying a VLAN
1. Click Configuration in the function area and choose VLAN from the navigation tree
on the left. The VLAN page is displayed.
2. Enter a VLAN ID. If you do not enter any VLAN ID, all created VLANs are displayed.
3. Click Search. The VLAN is displayed, as shown in Figure 2-38.

Figure 2-38 VLAN list

4. Click View Interface. The interfaces added to VLANs are displayed, as shown in
Figure 2-39.

Figure 2-39 View Interface


- Modifying a VLAN
1. Click Configuration in the function area and choose VLAN from the navigation tree
on the left. The VLAN page is displayed.
2. Click Modify. The Modify VLAN dialog box is displayed, as shown in Figure
2-40. Table 2-14 describes parameters in the Modify VLAN dialog box.

Figure 2-40 Modifying a VLAN

3. Change the values of parameters as required.


4. Click Confirm.
- Deleting a VLAN
1. Click Configuration in the function area and choose VLAN from the navigation tree
on the left. The VLAN page is displayed.
2. Select a VLAN to be deleted and click Delete. The system asks you whether to delete
the VLAN.
NOTE

VLAN 1 is the default VLAN and cannot be deleted.


3. Click Confirm.
----End

2.3.3 DHCP

Context
Dynamic Host Configuration Protocol (DHCP) is used to dynamically manage and configure
the IP addresses for users in a centralized manner. DHCP adopts the client/server mode for
communication. The client applies to the server for configurations (including IP address, subnet
mask, and default gateway), and the server replies with corresponding configuration information
based on policies.

Procedure
- Global configuration
1. Click Configuration in the function area to display the Configuration page.
2. Choose DHCP in the navigation tree to display the Global Setting page.
3. Set DHCP status to ON in the Global Setting area to enable the DHCP function
globally.
- Address pool list
1. Click Configuration in the function area to display the Configuration page.
2. Choose DHCP in the navigation tree to display the Address Pool List page.
3. Click Create in the Address Pool List area. The Create IP Pool page is displayed,
as shown in Figure 2-41.

Figure 2-41 Description of the parameters for creating a DHCP entry

Table 2-15 describes the parameters on the Create IP Pool page.

Table 2-15 Create IP Pool

Parameter               Description

VLANIF interface        Indicates the VLANIF interface name. Select a name from the
                        drop-down list box.

IP/Mask                 Indicates the IP address and mask of the VLANIF interface.

DHCP mode               Indicates the DHCP mode. You can select the local allocation
                        or external server allocation mode. In local allocation
                        mode, the device functions as a DHCP server to assign IP
                        addresses to clients. In external server allocation mode,
                        the device functions as a DHCP relay to assign IP addresses
                        to clients through a DHCP server whose address is specified.

Primary DNS server      Indicates the primary DNS server address assigned to a
                        client. This parameter is configured when the DHCP mode is
                        local allocation.

Secondary DNS server    Indicates the secondary DNS server address assigned to a
                        client. This parameter is configured when the DHCP mode is
                        local allocation.

Server IP               Indicates the DHCP server IP address. This parameter is
                        configured when the DHCP mode is external server allocation.

4. Set the parameters.


5. Click Confirm.
- Address pool information
1. Click Configuration in the function area to display the Configuration page.
2. Choose DHCP in the navigation tree to display the Address Pool Information page.

By clicking an interface address pool (the DHCP mode of the mapping interface is
local allocation) in Address Pool Information, you can check the detailed address
pool information, as shown in Figure 2-42.

Figure 2-42 Address Pool Information


Table 2-16 describes the parameters on the Address Pool Information page.

Table 2-16 Parameters in address pool information

Parameter               Description

Sum of Addresses        Indicates the total number of IP addresses in the address
                        pool.

Allocated               Indicates the number of IP addresses assigned to clients.

Search item             Indicates that the IP address usage in the address pool can
                        be checked using IP address, MAC address, or status.

Bound IP                Indicates that an IP address in the address pool is bound to
                        a fixed MAC address.

Fixed IP                Indicates that an IP address in the address pool that is
                        being used or has expired is bound to the corresponding MAC
                        address and will be assigned directly to the client when it
                        goes online next time.

Unbound                 Indicates that a bound IP address is unbound.

Reserved IP             Indicates that an IP address in the address pool is reserved
                        and not assigned.

Idle                    Indicates that a reserved IP address is released and can be
                        assigned.

Reclaimed IP            Indicates that an IP address in the address pool that is
                        being used, has expired, or is in conflict is reclaimed. The
                        reclaimed IP address becomes idle again and can be
                        re-assigned to clients.

3. Configure IP addresses in the address pool.


a. Select the IP addresses to be configured on the Address Pool Information page.
b. Click Bound IP, Fixed IP, Unbound, Reserved IP, Idle, or Reclaimed IP.
If you click Bound IP, enter the bound MAC address and click Confirm.

----End


2.3.4 MAC Address Management

Context
Each switch maintains a MAC address table. The MAC table records learned MAC addresses,
VLAN IDs, and outbound interfaces. To forward data, the switch searches the MAC table based
on the destination MAC addresses and VLAN IDs carried in packets to determine the outbound
interfaces for the packets. Therefore, broadcast traffic is reduced. You can configure the
following MAC address types and functions:
- Dynamic entries are obtained by an interface through learning of source MAC addresses.
  Dynamic entries can be aged.
- Static MAC entries are manually configured and never age. For details, see Configuring
  a static user.
- Blackhole MAC entries are used to discard data frames with the specified source or
  destination MAC addresses. Blackhole MAC entries are manually configured and never
  age. For details, see Configuring a blackhole MAC address entry.
- ARP entry fixing can be configured to defend against ARP address spoofing attacks. For
  details, see Configuring ARP entry fixing.
- Port security converts MAC addresses learned on an interface into secure MAC addresses
  so that only hosts with secure MAC addresses or static MAC addresses can communicate
  with the switch through the interface, improving switch security. For details, see
  Configuring port security.

Procedure
- Configuring MAC/IP address security
1. Click Configuration in the function area and choose MAC Management from the
navigation tree on the left. The MAC Management page is displayed.
2. Click the icon next to MAC/IP Address Security to enable or disable MAC/IP
address security.
- Querying MAC/IP address entries
1. Click Configuration in the function area and choose MAC Management from the
navigation tree on the left. The MAC Management page is displayed.
2. Click the MAC/IP Address tab. The MAC/IP Address tab page is displayed, as
shown in Figure 2-43.

Figure 2-43 Querying MAC/IP address entries

3. Select interfaces to be queried.


4. Click Refresh to refresh entries in the MAC/IP address list.


5. Set Search item for querying MAC/IP address entries based on the MAC address, IP
address, type, outbound interface, and VLAN ID.
6. Click Search. The search result is displayed.
- Configuring a static user
1. Click Configuration in the function area and choose MAC Management from the
navigation tree on the left. The MAC Management page is displayed.
2. Click the MAC/IP Address tab. The MAC/IP Address tab page is displayed, as
shown in Figure 2-43.
3. Select interfaces to be queried.
4. Click Create Static User. The Create Static User page is displayed, as shown in
Figure 2-44.

Figure 2-44 Creating a static user

5. Set parameters.
6. Click Confirm.
- Creating a static secure MAC address
1. Click Configuration in the function area and choose MAC Management from the
navigation tree on the left. The MAC Management page is displayed.
2. Click the MAC/IP Address tab. The MAC/IP Address tab page is displayed, as
shown in Figure 2-43.
3. Select interfaces to be queried.
NOTE
Before creating a static secure MAC address, enable port security by referring to Configuring
port security.
After port security is enabled, a yellow shield identifier next to the interface is displayed.
4. Click Create Secure MAC. The Create Secure MAC page is displayed, as shown
in Figure 2-45.


Figure 2-45 Creating a secure MAC address

5. Set parameters.
6. Click Confirm.
- Deleting MAC address entries
1. Click Configuration in the function area and choose MAC Management from the
navigation tree on the left. The MAC Management page is displayed.
2. Click the MAC/IP Address tab. The MAC/IP Address tab page is displayed, as
shown in Figure 2-43.
3. Select interfaces to be queried.
4. Select an entry and click Delete. The system asks you whether to delete the entry.
5. Click Confirm.
- Configuring a blackhole MAC address entry
1. Click Configuration in the function area and choose MAC Management from the
navigation tree on the left. The MAC Management page is displayed.
2. Click the MAC/IP Address tab. The MAC/IP Address tab page is displayed, as
shown in Figure 2-43.
3. Select interfaces to be queried.
4. Select an entry and click Convert to Blackhole MAC. The system asks you whether
to configure the entry as a blackhole MAC address entry.
NOTE

Only dynamic MAC address entries can be configured as blackhole MAC address entries.
After dynamic MAC address entries are configured as blackhole MAC address entries, select View
all interfaces so that they can be displayed in the MAC/IP address list.
5. Click Confirm.
- Configuring ARP entry fixing
1. Click Configuration in the function area and choose MAC Management from the
navigation tree on the left. The MAC Management page is displayed.
2. Click the MAC/IP Address tab. The MAC/IP Address tab page is displayed, as
shown in Figure 2-43.
3. Select interfaces to be queried.
4. Select an entry and click Fixing. The system asks you whether to fix the MAC address
entry.


NOTE

Only dynamic MAC address entries can be fixed.


5. Click Confirm.
- Configuring port security
1. Click Configuration in the function area and choose MAC Management from the
navigation tree on the left. The MAC Management page is displayed.
2. Click the MAC Security tab. The MAC Security tab page is displayed.
3. Select a port, as shown in Figure 2-46.

Figure 2-46 Configuring port security

Table 2-17 describes parameters on the MAC Security tab page.

Table 2-17 Configuring port security

Parameter           Description                                     Value

Interface Name      -                                               -

Interface Security  If a network requires high access security,     The value can be Enable or Disable.
                    you can configure port security on specified
                    ports. MAC addresses learned by these ports
                    are changed to dynamic secure MAC addresses or
                    sticky MAC addresses. When the number of
                    learned MAC addresses reaches the limit, the
                    ports do not learn new MAC addresses. This
                    prevents devices with untrusted MAC addresses
                    from connecting to these ports, improving
                    security of the devices and the network.

MAC Address Limit   Maximum number of MAC addresses that can be     The value ranges from 1 to 1024.
                    learned by a port.

Sticky MAC          Sticky MAC addresses will not be aged out and   The value can be Enable or Disable.
                    will exist after the device restarts.

4. Set parameters.
5. Click Apply.
----End
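
The combined effect of MAC Address Limit and Sticky MAC from Table 2-17 can be modelled offline. The following Python model is an added example, not Huawei code: the interface name and MAC addresses are constructed, and two behaviours are assumptions, namely that a frame whose source MAC cannot be learned is dropped and that dynamic secure entries are lost at restart.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

MAC_LIMIT_MIN, MAC_LIMIT_MAX = 1, 1024      # range given in Table 2-17


def norm(mac: str) -> str:
    """Reduce 0200-0000-0001, 02:00:00:00:00:01, etc. to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class SecurePort:
    """A port with Interface Security enabled (hypothetical model class)."""
    name: str
    mac_limit: int
    sticky: bool = False
    secure: Dict[str, str] = field(default_factory=dict)   # MAC -> entry type
    rejected: List[str] = field(default_factory=list)      # MACs refused so far

    def __post_init__(self):
        if not MAC_LIMIT_MIN <= self.mac_limit <= MAC_LIMIT_MAX:
            raise ValueError("MAC Address Limit must be between 1 and 1024")

    def receive(self, src_mac: str, blackhole: Iterable[str] = ()) -> str:
        """Decide what happens to one frame, judged by its source MAC only."""
        mac = norm(src_mac)
        if mac in {norm(b) for b in blackhole}:
            return "drop: blackhole MAC"
        if mac in self.secure:
            return "forward"
        if len(self.secure) >= self.mac_limit:
            # Assumption: a frame whose source MAC cannot be learned is dropped.
            self.rejected.append(mac)
            return "drop: MAC limit reached"
        self.secure[mac] = "sticky" if self.sticky else "dynamic secure"
        return "forward (learned)"

    def restart(self) -> None:
        """Sticky entries exist after a restart; dynamic secure entries are
        assumed to be lost (inferred from the Sticky MAC row of Table 2-17)."""
        self.secure = {m: t for m, t in self.secure.items() if t == "sticky"}


def replay(port: SecurePort, frames: Iterable[str], blackhole: Iterable[str] = ()) -> List[str]:
    """Feed a sequence of source MACs to the port and collect the decisions."""
    return [port.receive(mac, blackhole) for mac in frames]


# Constructed sample hosts (locally administered MAC addresses).
OFFICE_PC, IP_PHONE, UNKNOWN_HOST = "0200-0000-0001", "0200-0000-0002", "0200-0000-00ff"


def demo(sticky: bool):
    """Same traffic before and after a restart, with Sticky MAC on or off."""
    port = SecurePort("GE0/0/1", mac_limit=2, sticky=sticky)   # hypothetical port name
    before = replay(port, [OFFICE_PC, IP_PHONE, UNKNOWN_HOST, OFFICE_PC])
    port.restart()
    after = replay(port, [UNKNOWN_HOST, OFFICE_PC])
    return before, after, sorted(port.secure)


if __name__ == "__main__":
    for mode in (False, True):
        print("sticky =", mode, demo(mode))
```

With Sticky MAC disabled, the model shows the secure table being refilled after a restart by whichever hosts send traffic first; with Sticky MAC enabled, the originally learned hosts keep their slots.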

2.3.5 Line Loopback Detection


This section describes how to configure line loopback detection.

Context
When a loop occurs on a network, broadcast, multicast, and unknown unicast packets are
repeatedly transmitted on the network. This wastes network resources or even causes service
interruption on the entire network. To allow the device to detect loops on a Layer 2 network in
a timely manner and prevent the network from being severely affected by loops, configure
loopback detection. Loopback detection enables the device to periodically send loopback
detection packets to detect loops. When a loop is detected on an interface, the device shuts down
or blocks the interface to eliminate the loop. The interface can be restored when the device detects
that the loop on the interface is eliminated.

Procedure
Step 1 Click Configuration in the function area and choose LBDT from the navigation tree on the left.
The LBDT page is displayed, as shown in Figure 2-47.

Figure 2-47 Loopback detection configuration page

Table 2-18 describes parameters on the loopback detection configuration page.


Table 2-18 Parameters on the loopback detection configuration page

Parameter                     Description

Enable (Blocking Interface)   Enable loopback detection on an interface and set the
                              action to block.
                              When a loop is detected, the device blocks the interface
                              and forwards only BPDUs.

Enable (Shutdown Interface)   Enable loopback detection on an interface and set the
                              action to shutdown.
                              When a loop is detected, the device shuts down the
                              interface.

Disable                       Disable loopback detection on the interface.

Step 2 Select an interface that you want to configure.

Perform any of the following operations:

- Click the interface icon to select one or more interfaces.
- Drag the mouse to select consecutive interfaces in a batch.
- Select a device panel to select all interfaces on the panel.

Step 3 Click Enable (Blocking Interface) or Enable (Shutdown Interface) to enable loopback
detection on an interface and set the action taken when a loop is detected.

By default, loopback detection is disabled on an interface.

NOTE

If Enable (Shutdown Interface) is selected, the interface is shut down when a loop is detected. The
shutdown interface can be restarted in Interface Setting > Enable/Disable Interface. For details, see
Enable/Disable Interface.

Step 4 Check the configuration.

If the loopback detection status is displayed on all interfaces on which loopback detection
was to be enabled, as shown in Figure 2-48, the configuration is successful. Otherwise, the
configuration fails.

NOTE

After line loopback detection is enabled, the system detects loops after about 5s. After 5s, click to view
the interface status.


Figure 2-48 Loopback detection configuration result

----End

2.3.6 ACL
Access control lists (ACLs) are used to identify flows. A network device filters packets according
to configured rules: it must first identify the packets and then permit or deny them according
to the configured policy.

2.3.6.1 Interface ACL


You can apply an ACL to an interface to filter the packets received by the interface.

Context
You can configure ACL rules and apply the ACL to an interface to filter the packets received
by the interface. The ACL rule configuration includes source and destination IP addresses,
protocol type, source and destination port numbers.

Procedure
- Query the ACL rules applied to interfaces.
1. Click Configuration to display the Configuration page.
2. Choose ACL in the navigation tree to display the ACL page.
3. Click the Interface ACL tab to display the Interface ACL page, as shown in Figure
2-49.


Figure 2-49 Interface ACL

4. Click the icon of the interface to which the ACL rules are applied. The ACL rule record
is displayed in the ACL Rules area, as shown in Figure 2-50.

Figure 2-50 Querying ACL rules

- Copy the ACL rules that have been applied to an interface to another interface.
1. Click Configuration to display the Configuration page.
2. Choose ACL in the navigation tree to display the ACL page.
3. Click the Interface ACL tab to display the Interface ACL page.
4. Click the icon of the interface to which the ACL rules have been applied. Click Copy
To to display the Copy To page, as shown in Figure 2-51.


Figure 2-51 Copying ACL rules

5. Select the target interface to which the ACL rules are copied. You can perform the
following operations as required:
   - Click the icon of a single interface. Re-click the icon to deselect the interface.
   - Click the icons of multiple interfaces.
   - Drag the mouse to select multiple neighboring interfaces.
   - Click a device panel name and select all interfaces.
6. Click Confirm.
- Create ACL rules.
1. Click Configuration to display the Configuration page.
2. Choose ACL in the navigation tree to display the ACL page.
3. Click the Interface ACL tab to display the Interface ACL page.
4. Click the icon of the interface to which the ACL rules need to be applied and create
ACL rules.

   - If no record is displayed in the ACL Rules area, click or Add on the left of
     Ascend. A record of ACL Rules is displayed in the ACL Rules area. Set the ACL
     rule parameters.
   - If existing ACL rule records are displayed in the ACL Rules area, click
     or Add on the left of Ascend or on the right of Delete. A new record of ACL
     Rules is displayed in the ACL Rules area. Set the ACL rule parameters, as shown
     in Figure 2-52.
NOTE

If you click or Add on the left of Ascend, a new record of ACL Rules is inserted as the
first line in the ACL Rules area. If you click Add on the right of Delete, a new record of ACL
Rules is inserted below the current line in the ACL Rules area.

Figure 2-52 Creating ACL rules


Table 2-19 describes the parameters for creating ACL rules.

Table 2-19 Parameters for creating ACL rules

Parameter                 Description

Source IP                 Indicates the source IP address. The default value is any,
                          indicating that any source IP address can be specified.

Mask of Source IP         Indicates the mask of the source IP address. The default
                          value is 0 (0.0.0.0).

Destination IP            Indicates the destination IP address. The default value is
                          any, indicating that any destination IP address can be
                          specified.

Mask of Destination IP    Indicates the mask of the destination IP address. The
                          default value is 0 (0.0.0.0).

Protocol Type             Indicates the protocol type, including:
                          - ip
                          - tcp
                          - udp
                          - icmp
                          The default protocol type is IP.

Source Port Number        Indicates the source port number. This parameter is valid
                          only when the protocol type is TCP or UDP. If this
                          parameter is not specified, TCP or UDP packets with any
                          source port are matched.

Destination Port Number   Indicates the destination port number. This parameter is
                          valid only when the protocol type is TCP or UDP. If this
                          parameter is not specified, TCP or UDP packets with any
                          destination port are matched.

Action                    Indicates the action taken on a matching packet, including:
                          - permit
                          - deny
                          The default action is permit.

5. Click Apply.
• Edit ACL rules.
1. Click Configuration to display the Configuration page.
2. Choose ACL in the navigation tree to display the ACL page.
3. Click the Interface ACL tab to display the Interface ACL page.
4. Click the icon of the interface to which the ACL rules have been applied and edit ACL
rules.
   - Edit ACL rule entries.
     Modify the ACL rule parameters in the ACL Rules area.
   - Adjust the ACL rule entry sequence.
     Select a record of ACL Rules in the ACL Rules area. Click Ascend or Descend
     to adjust the ACL rule entry sequence.
5. Click Apply.
• Delete ACL rules.
1. Click Configuration to display the Configuration page.
2. Choose ACL in the navigation tree to display the ACL page.
3. Click the Interface ACL tab to display the Interface ACL page.
4. Click the icon of the interface to which the ACL rules have been applied. In the ACL
Rules area, click Delete next to the record to be deleted or select records and click
Delete next to Descend to delete the ACL rules in batches.
5. Click Apply.

----End

2.3.6.2 VLAN ACL


You can apply an ACL to a VLAN to filter the VLAN packets.

Context
You can configure ACL rules and apply the ACL to a VLAN to filter the VLAN packets. The
ACL rule configuration includes source and destination IP addresses, protocol type, and source
and destination port numbers.

Procedure
• Query the ACL rules applied to VLANs.
1. Click Configuration to display the Configuration page.
2. Choose ACL in the navigation tree to display the ACL page.
3. Click the VLAN ACL tab to display the VLAN ACL page, as shown in Figure
2-53.

Figure 2-53 VLAN ACL

4. Select the ID of the VLAN to which the ACL rules are applied. The record is displayed
in the ACL Rules area, as shown in Figure 2-54.

Figure 2-54 Querying ACL rules

• Copy the ACL rules that have been applied to a VLAN to another VLAN.
1. Click Configuration to display the Configuration page.
2. Choose ACL in the navigation tree to display the ACL page.
3. Click the VLAN ACL tab to display the VLAN ACL page.
4. Select the ID of the VLAN to which the ACL rules have been applied. Click Copy
To to display the Copy To page, as shown in Figure 2-55.

Figure 2-55 Copying ACL rules

5. Enter the ID of the destination VLAN to which the ACL rules are applied, and click
Confirm.
• Create ACL rules.
1. Click Configuration to display the Configuration page.

2. Choose ACL in the navigation tree to display the ACL page.


3. Click the VLAN ACL tab to display the VLAN ACL page.
4. Select the ID of the VLAN to which ACL rules need to be applied, and create the ACL
rules.

If no record is displayed in the ACL Rules area, click or Add on the left of
Ascend. A record of ACL Rules is displayed in the ACL Rules area. Set the ACL
rule parameters.

If the existing ACL rule records are displayed in the ACL Rules area, click
or Add on the left of Ascend or on the right of Delete. A new record of ACL
Rules is displayed in the ACL Rules area. Set the ACL rule parameters, as shown
in Figure 2-56.
NOTE

If you click or Add on the left of Ascend, a new record of ACL Rules is inserted to the
first line in the ACL Rules area. If you click Add on the right of Delete, a new record of ACL
Rules is inserted below the current line in the ACL Rules area.

Figure 2-56 Creating ACL rules

Table 2-20 describes the parameters for creating ACL rules.

Table 2-20 Parameters for creating ACL rules

Parameter | Description
Source IP | Indicates the source IP address. The default value is any, indicating that any source IP address can be specified.
Mask of Source IP | Indicates the mask of the source IP address. The default value is 0 (0.0.0.0).
Destination IP | Indicates the destination IP address. The default value is any, indicating that any destination IP address can be specified.
Mask of Destination IP | Indicates the mask of the destination IP address. The default value is 0 (0.0.0.0).
Protocol Type | Indicates the protocol type: ip, tcp, udp, or icmp. The default protocol type is IP.
Source Port Number | Indicates the source port number. This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched.
Destination Port Number | Indicates the destination port number. This parameter is valid only when the protocol type is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched.
Action | Indicates the action taken on a matching packet: permit or deny. The default action is permit.

5. Click Apply.
• Edit ACL rules.
1. Click Configuration to display the Configuration page.
2. Choose ACL in the navigation tree to display the ACL page.
3. Click the VLAN ACL tab to display the VLAN ACL page.
4. Select the ID of the VLAN to which ACL rules have been applied, and edit the ACL
rules.
   - Edit ACL rule entries.
     Modify the ACL rule parameters in the ACL Rules area.
   - Adjust the ACL rule entry sequence.
     Select a record of ACL Rules in the ACL Rules area. Click Ascend or Descend
     to adjust the ACL rule entry sequence.
5. Click Apply.
• Delete ACL rules.
1. Click Configuration to display the Configuration page.

2. Choose ACL in the navigation tree to display the ACL page.


3. Click the VLAN ACL tab to display the VLAN ACL page.
4. Select the ID of the VLAN to which the ACL rules have been applied. In the ACL
Rules area, click Delete next to the record to be deleted or select records and click
Delete next to Descend to delete the ACL rules in batches.
5. Click Apply.

----End
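
Both the Interface ACL and VLAN ACL procedures let you reorder rule entries with Ascend and Descend. The following added example (not from this guide or from Huawei) models the parameters of Tables 2-19 and 2-20 and flags rules that an earlier rule fully covers. It assumes first-match evaluation in display order and wildcard-style masks in which 0 bits must match, neither of which the guide states; the rule table and packet are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One row of the ACL Rules area; defaults follow Tables 2-19 and 2-20."""
    action: str = "permit"            # permit | deny
    protocol: str = "ip"              # ip | tcp | udp | icmp
    src: str = "any"
    src_mask: str = "0.0.0.0"
    dst: str = "any"
    dst_mask: str = "0.0.0.0"
    sport: Optional[int] = None       # only meaningful for tcp/udp
    dport: Optional[int] = None


def _norm(ip, mask):
    """Return (value, care_bits). ASSUMPTION: wildcard mask, 0 bits must match."""
    if ip == "any":
        return 0, 0
    care = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care, care


def matches(rule, pkt):
    """pkt is a dict with proto, src, dst and, for tcp/udp, sport and dport."""
    if rule.protocol != "ip" and rule.protocol != pkt["proto"]:
        return False
    for addr, ip, mask in ((pkt["src"], rule.src, rule.src_mask),
                           (pkt["dst"], rule.dst, rule.dst_mask)):
        value, care = _norm(ip, mask)
        if (int(ipaddress.IPv4Address(addr)) & care) != value:
            return False
    if rule.protocol in ("tcp", "udp"):
        if rule.sport is not None and rule.sport != pkt.get("sport"):
            return False
        if rule.dport is not None and rule.dport != pkt.get("dport"):
            return False
    return True


def evaluate(rules, pkt):
    """ASSUMPTION: rules are tried top to bottom and the first match decides."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return index, rule.action
    return None, None   # the guide does not say what happens when nothing matches


def _covers(a, b):
    """True if every packet that matches rule b also matches rule a."""
    if a.protocol != "ip" and a.protocol != b.protocol:
        return False
    for a_ip, a_mask, b_ip, b_mask in ((a.src, a.src_mask, b.src, b.src_mask),
                                       (a.dst, a.dst_mask, b.dst, b.dst_mask)):
        a_val, a_care = _norm(a_ip, a_mask)
        b_val, b_care = _norm(b_ip, b_mask)
        # Every bit a checks must be fixed by b, and fixed to the same value.
        if (a_care & ~b_care) or (b_val & a_care) != a_val:
            return False
    if a.protocol in ("tcp", "udp"):
        if a.sport is not None and a.sport != b.sport:
            return False
        if a.dport is not None and a.dport != b.dport:
            return False
    return True


def shadowed_rules(rules):
    """List (index, covering_index, kind) for rules an earlier rule fully covers."""
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            if _covers(rules[i], later):
                same = rules[i].action == later.action
                findings.append((j, i, "redundant" if same else "conflict"))
                break
    return findings


def sample_rules():
    """Constructed rule table in display order (not taken from the guide)."""
    return [
        Rule("permit", "tcp", src="10.1.0.0", src_mask="0.0.255.255", dport=443),
        Rule("permit", "ip", src="10.1.0.0", src_mask="0.0.255.255"),
        Rule("deny", "tcp", src="10.1.5.0", src_mask="0.0.0.255", dport=23),
        Rule("deny", "ip"),
    ]


if __name__ == "__main__":
    rules = sample_rules()
    telnet = {"proto": "tcp", "src": "10.1.5.9", "dst": "192.0.2.10",
              "sport": 40000, "dport": 23}
    print(evaluate(rules, telnet))      # the broad permit wins before the deny
    print(shadowed_rules(rules))        # the deny is reported as covered
    rules.insert(0, rules.pop(2))       # same effect as moving the deny up with Ascend
    print(evaluate(rules, telnet), shadowed_rules(rules))
```

Running the check on a rule table before clicking Apply shows which deny entries would never take effect in their current position under the stated assumptions.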

2.3.7 AAA & NAC


You can control user access to implement network security management.

2.3.7.1 Authentication Configuration


This section provides configuration steps and instructions on user authentication.

Context
Authentication configuration includes configurations of the local and RADIUS authentication
modes. If the local authentication mode is used, you must create a user account on the switch
and set a password. If the RADIUS authentication mode is used, you must configure the IP
address, port number, and shared key of the RADIUS server.

Procedure
• Configuring local authentication
1. Click Configuration to display the Configuration page.
2. Choose AAA & NAC in the navigation tree to display the AAA & NAC page.
3. Click the Authentication Configuration tab to display the Authentication
Configuration page.
4. Select an option from the User domain name drop-down list box in the
Authentication Configuration area.
5. Select Local authentication for Authentication mode, as shown in Figure 2-57.

Figure 2-57 Configuring local authentication

6. Click Apply.
7. Configure the user account information for local authentication in the Account
Management area.
   - Create a user account.

a. Click Create to display the Create User page, as shown in Figure 2-58.

Figure 2-58 Create User

Table 2-21 describes the parameters for creating a user.

Table 2-21 Create User/Modify User

Parameter | Description
User name | Indicates the new user name. The user name cannot contain \ / : * ? " < > | ' or %, and cannot start with @.
Password | Indicates the user password. A secure password should contain at least two types of the following: lowercase letters, uppercase letters, numerals, special characters (such as ! $ # %). In addition, the password cannot contain spaces or single quotation marks (').
Confirm password | Indicates the password entered again for confirmation. The format is the same as that of Password.
Status | Sets the user status. User status includes active and block. If the status is set to block, the device rejects the user's authentication requests, and the user cannot change the password. NOTE: This parameter is only displayed on the user modification page.
Forced offline | Indicates whether a user is forcibly disconnected from the network. NOTE: This parameter is only displayed on the user modification page.

b. Set the parameters.
c. Click Confirm.
   - Modify a user account.
a. Click Modify next to the AAA account to be modified to display the Modify
User page, as shown in Figure 2-59.

Figure 2-59 Modify User

NOTE

• For parameter description, see Table 2-21.
• The user name is fixed and cannot be changed.
b. Set the parameters.
c. Click Confirm.
   - Delete a user account.
a. You can delete a user account using either of the following methods:
   - Click Delete next to the AAA account to be deleted.
   - Select the records of the AAA accounts to be deleted, and click Delete
     next to Create to delete the AAA accounts in batches.
   After you click Delete, the system prompts you to confirm the deletion
   operation.
b. Click Confirm.
• Configuring RADIUS authentication
1. Click Configuration to display the Configuration page.
2. Choose AAA & NAC in the navigation tree to display the AAA & NAC page.
3. Click the Authentication Configuration tab to display the Authentication
Configuration page.
4. Select an option from the User domain name drop-down list box in the
Authentication Configuration area.

5. Select RADIUS authentication for Authentication mode, as shown in Figure 2-60.

Figure 2-60 Configuring RADIUS authentication

Table 2-22 describes the parameters for RADIUS authentication.

Table 2-22 Parameters for configuring RADIUS authentication

Parameter | Description
Server IP address | Indicates the IP address of the RADIUS server, for example, 10.10.10.1. The server IP address must have reachable routes to the switch.
Port number | Indicates the UDP port number of the RADIUS server. The default value is 1812.
Shared key | Indicates the shared key used for communication between the switch and RADIUS server. When communicating with the RADIUS server, the switch uses the shared key to encrypt the user password to ensure password security during data transmission. The value is a string of 1 to 16 case-sensitive characters without spaces, single quotes ('), or question marks (?).
Confirm shared key | Indicates the shared key entered again for confirmation. The format is the same as that of the shared key.

6. Set the parameters.

7. Click Apply.
----End
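
Table 2-22 says the switch uses the shared key to encrypt the user password sent to the RADIUS server. The following added example (not the switch's code) shows the standard RFC 2865 User-Password hiding used in PAP Access-Requests, which the guide does not name as the method in use, together with the shared key format rule from Table 2-22. The key, password and authenticator values are constructed.

```python
import hashlib

# Characters Table 2-22 excludes from the shared key.
FORBIDDEN_KEY_CHARS = set(" '?")


def shared_key_ok(key: str) -> bool:
    """Format rule from Table 2-22: 1 to 16 characters, no spaces, ' or ?."""
    return 1 <= len(key) <= 16 and not (set(key) & FORBIDDEN_KEY_CHARS)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, previous = b"", authenticator
    for offset in range(0, len(padded), 16):
        pad = hashlib.md5(secret + previous).digest()
        block = bytes(p ^ k for p, k in zip(padded[offset:offset + 16], pad))
        hidden += block
        previous = block              # the next block chains on this ciphertext
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does with the same shared key."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 bytes")
    clear, previous = b"", authenticator
    for offset in range(0, len(hidden), 16):
        block = hidden[offset:offset + 16]
        pad = hashlib.md5(secret + previous).digest()
        clear += bytes(c ^ k for c, k in zip(block, pad))
        previous = block
    return clear.rstrip(b"\x00")


if __name__ == "__main__":
    key = "Sw1tch#Key2014"                     # constructed sample key
    authenticator = bytes(range(16))           # constructed; random per request in practice
    hidden = hide_password(b"correct horse battery", key.encode(), authenticator)
    print(shared_key_ok(key), len(hidden))
    print(recover_password(hidden, key.encode(), authenticator))
    # A server configured with a different key does not recover the password.
    print(recover_password(hidden, b"other-key", authenticator))
```

The shared key is the only secret input to this hiding, so a key that uses all 16 permitted characters gives the password field its best protection.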

2.3.7.2 Portal Server


In Portal authentication, you can directly perform access authentication without using the
specified client software. The Portal server provides free portal services and Portal
authentication-based pages.

Context
To ensure communication between the switch and Portal server, you must configure the
Portal server IP address and the parameters for information exchange between the switch and
Portal server (including the port number and shared key of the Portal server), and bind interfaces
to the Portal server.
The device supports two configuration modes. By default, the unified mode is used. You can
run the undo authentication unified-mode command to switch the configuration mode to
traditional mode.
NOTE

After configuring Portal authentication, perform the Authentication Configuration. The two functions
implement user authentication together.
The web system supports only one Portal server, and this Portal server can only be modified but cannot be deleted
through the web system. To delete the Portal server, run the undo web-auth-server command in the system
view.

Procedure
• The traditional mode.
1. Click Configuration to display the Configuration page.
2. Choose AAA & NAC in the navigation tree to display the AAA & NAC page.
3. Click the Portal Server tab to display the Portal Server page, as shown in Figure
2-61.

Figure 2-61 Portal Server Configuration

Table 2-23 describes the parameters for Portal authentication configuration.

Table 2-23 Parameters for Portal Server configuration

Parameter | Description
Server IP Address | Indicates the IP address of the Portal server.
Port Number | Indicates the port number of the Portal server.
Shared Key | Indicates the shared key used for communication between the switch and Portal server. The switch and Portal server use the shared key to encrypt packets. The value is a string of characters.
Confirm Shared Key | Indicates the confirm shared key. The format is the same as that of the shared key.
VLANIF interface | Select an interface and click to bind the interface to the Portal server. You can select multiple interfaces to bind them to the Portal server. To unbind an interface from the Portal server, select the interface and click . NOTE: The S2720 and S2750 do not support this function.

4. Set the parameters.
5. Click Apply.
• The unified mode.
1. Click Configuration to display the Configuration page.
2. Choose AAA & NAC in the navigation tree to display the AAA & NAC page.
3. Click the Portal Server tab to display the Portal Server page, as shown in Figure
2-62.

Figure 2-62 Portal Server Configuration

Table 2-24 describes the parameters for Portal authentication configuration.

Table 2-24 Parameters for Portal Server configuration

Parameter | Description
Server IP Address | Indicates the IP address of the Portal server.
Port Number | Indicates the port number of the Portal server.
Shared Key | Indicates the shared key used for communication between the switch and Portal server. The switch and Portal server use the shared key to encrypt packets. The value is a string of characters.
Confirm Shared Key | Indicates the confirm shared key. The format is the same as that of the shared key.

4. Set the parameters.


5. Click Apply.

----End

2.3.7.3 Access Configuration


Through access configuration, the switch can authenticate users and control user access through
interfaces to ensure enterprise network security.

Context
The device supports two configuration modes. By default, the unified mode is used. You can
run the undo authentication unified-mode command to switch the configuration mode to
traditional mode.

• In the traditional mode, access configuration includes No-authentication, 802.1x
authentication, MAC address authentication, and MAC address bypass authentication. The last
authentication mode is a combination of 802.1X authentication and MAC address
authentication.
   - No-authentication: Users are allowed to access the network without authentication.
   - 802.1x authentication: a Layer 2 authentication mode based on the 802.1x protocol. In
     this mode, the 802.1x client software must be installed on user terminals, and user
     identity authentication is performed between clients and servers using the Extensible
     Authentication Protocol (EAP).
   - MAC address authentication: uses MAC addresses of users as identity information. In
     this mode, the 802.1x client software does not need to be installed on user terminals.
   - MAC address bypass authentication: In this mode, 802.1x authentication is performed
     first and the delay timer for MAC address bypass authentication is enabled at the same
     time. If the 802.1x authentication still fails when the delay time expires, MAC address
     authentication is triggered.
• In the unified mode, access configuration includes No-authentication, 802.1x
authentication, MAC address authentication, and Portal authentication.

When performing access configuration, you must enable the authentication function first, and
then select the interface to which the access configuration applies and select an authentication
mode.

NOTE

After performing access configuration, perform the Authentication Configuration. The two functions
implement user authentication together.

Procedure
• The traditional mode.
1. Click Configuration to display the Configuration page.
2. Choose AAA & NAC in the navigation tree to display the AAA & NAC page.
3. Click the Access Configuration tab to display the Access Configuration page, as
shown in Figure 2-63.

Figure 2-63 Access configuration

4. Set Authentication function to ON and click Confirm.


5. Select interfaces for which the authentication function needs to be enabled. You can
perform the following operations as required:
   - Click the icon of a single interface or icons of multiple interfaces.
   - Drag the mouse to select multiple neighboring interfaces.
   - Click a device panel name and select all interfaces.
6. Select an interface authentication method, as shown in Figure 2-64.

Figure 2-64 Interface authentication mode

NOTE

If 802.1X authentication is configured as authentication mode 1 and MAC address authentication
as authentication mode 2, the MAC address bypass authentication function is enabled.
If MAC address authentication is configured as authentication mode 1 and 802.1X authentication
as authentication mode 2, the MAC address authentication is performed first during MAC address
bypass authentication.

7. Click Apply.

If authentication on any interface fails, an error page is displayed, as shown in Figure 2-65.

Figure 2-65 Interface authentication enabling result

In the dialog box, Success indicates the number of interfaces for which the interface
authentication function is successfully applied; Failure indicates the number of
interfaces for which the interface authentication function fails to be applied.
• The unified mode.
1. Click Configuration to display the Configuration page.
2. Choose AAA & NAC in the navigation tree to display the AAA & NAC page.
3. Click the Access Configuration tab to display the Access Configuration page, as
shown in Figure 2-66.

Figure 2-66 Access configuration

4. Select interfaces for which the authentication function needs to be enabled. You can
perform the following operations as required:
   - Click the icon of a single interface or icons of multiple interfaces.
   - Drag the mouse to select multiple neighboring interfaces.
   - Click a device panel name and select all interfaces.
5. Select an interface authentication method, as shown in Figure 2-67.

Figure 2-67 Interface authentication mode

NOTE

If 802.1X authentication is configured as authentication mode 1 and MAC address authentication
as authentication mode 2, the MAC address bypass authentication function is enabled.
If MAC address authentication is configured as authentication mode 1 and 802.1X authentication
as authentication mode 2, the MAC address authentication is performed first during MAC address
bypass authentication.

6. Click Apply.

----End

2.3.8 Spanning Tree Protocol


This section describes how to configure a spanning tree protocol.

Context
Loops occur easily on a complex network. To implement redundancy, network designers
tend to deploy multiple physical links between two devices, one of which is the master and the
others are backups, so loops may occur. A loop causes broadcast storms, which exhaust network
resources and bring the network down. A loop also causes MAC address table flapping, which
damages MAC address entries.

You can deploy a spanning tree protocol to trim a network with loops into a loop-free tree
network. The spanning tree protocol prevents infinite looping of packets to ensure packet
processing capabilities of devices.

Procedure
Step 1 Choose Configuration to open the Configuration page. Click STP to open the STP page, as
shown in Figure 2-68.

Figure 2-68 STP configuration page

Step 2 Click STP status to enable STP globally.

Step 3 Select a port that you want to configure.

Perform any of the following operations.

• Click the port icon to select one or more ports.
• Drag the mouse to select consecutive ports in a batch.
• Select a device panel and all ports.

Step 4 Click Enable to enable STP on the port.

By default, STP is enabled on a port.

Step 5 Check the configuration.

If the STP status and port roles are displayed on all ports that need to be enabled with STP, the
configuration is successful and STP takes effect, as shown in Figure 2-69.

NOTE

• If the interface is shut down or goes Down, after STP is successfully configured, the information that
STP has been enabled and is invalid is displayed on the interface icon.
• If STP is configured on an Eth-Trunk, STP takes effect only on the Eth-Trunk. However, the STP
status, port roles, and Eth-Trunk ID are displayed on its member interfaces.

Figure 2-69 STP configuration result

----End

2.4 Maintenance
This section describes common device maintenance, for example, system setting, system
maintenance, file management, log management, SNMP, diagnosis tool and user management.

2.4.1 System Setting


The following sections describe the configurations of the system time and system information.

Context
You can set an accurate system time for a switch on the System Setting page to ensure that the
switch can work with other network devices normally. You can also set other system information
on this page, including the device name and HTTP timeout interval, to facilitate device
maintenance.

Procedure
Step 1 Choose Maintenance > System Setting. The System Setting page is displayed.
Step 2 Set the parameters in the System Time section, as shown in Figure 2-70.

Figure 2-70 System time page

Table 2-25 describes the parameters on the System time page.

Table 2-25 Parameters on the System time page

Item | Description
Current time | Indicates the current date and time.
Time zone | Mandatory option. Indicates the time zone. Select the time zone based on the device location.
Set time and date | Mandatory option. Indicates the date and time that you want to set. You need to click to set the date and time.

Step 3 Set the parameters in the System Info section, as shown in Figure 2-71.

Figure 2-71 System info page

Table 2-26 describes the parameters on the System info page.

Table 2-26 Parameters on the System info page

Item | Description
Device name | Mandatory option. Indicates the device name. You can click Restore Default Name to restore the device name to the default value.
HTTP timeout interval | Specifies the timeout interval of the HTTP connection.

Step 4 Click Apply to complete the configuration.


The new date and time is displayed in the Current time field.
• If the system time is changed to more than 10 minutes later or more than 720 hours earlier
than the timed restart time, the system displays a message as shown in Figure 2-72, asking
whether you want to disable the timed restart function.

Figure 2-72 Information page

• If the system time is changed to no more than 10 minutes later than the scheduled restart
time, the system will display a message as shown in Figure 2-73, asking whether you want
to restart the device immediately.

Figure 2-73 Warning page

----End

2.4.2 System Maintenance


This section describes system maintenance including reboot, upgrade, patch, and initialize.

2.4.2.1 Reboot
This section describes related operations for restarting a device.

Context
After you specify the system software, configuration file, and patch file for next startup, you
must restart the device to make the files take effect. The web system provides two restart modes:
immediate restart and timed restart. After you restart a device, services will be interrupted;
therefore, you need to restart the device when the device is idle. If the device is idle currently,
restart the device immediately. If the device is busy processing services, restart the device at a
scheduled time when the device is idle.

NOTICE
You are advised to save the current configuration before you restart a device. Otherwise, the
configuration may be lost.

Procedure
Step 1 Choose Maintenance > System Maintenance > Reboot. The Reboot page is displayed. Figure
2-74 shows the Reboot page.

Figure 2-74 Reboot page

Table 2-27 describes the parameters on the Reboot page.

Table 2-27 Parameters on the Reboot page

Item | Description
Current system information | Displays the system software, configuration file, and patch file used by the device currently.
Configuration File | Select the system software, configuration file, and patch file to be used at the next startup from the drop-down list boxes.
Restart mode | Select a restart mode. The device supports immediate restart and timed restart. NOTE: The time cannot be longer than 720 hours since the current time.

Step 2 In the Current System Information section, click Save to prevent configuration loss after the
restart. In the confirm dialog box that is displayed, click Confirm to save the current
configuration.

Step 3 In the Configuration File section, select the files for the system to use at the next startup from
the drop-down list boxes and click Apply to save the configuration.

Step 4 In the Restart Mode section, select a restart mode and click Apply. If you select Immediate,
a message is displayed, asking whether you want to save the configurations. After you click
Save, the device restarts immediately and terminates the web connection. If you select Timed,
enter a specific restart time. The device will restart at the specified time.

----End

2.4.2.2 Upgrade
This section describes how to upgrade the system software through the web system.

Context
To upgrade the system software of a device, you need to upload upgrade files to the device,
specify files for next startup, and restart the device to make the upgrade files take effect. The web
system allows you to upgrade the system software on the GUI, simplifying the upgrade
operations and improving efficiency.

NOTICE
• Ensure that the configurations are saved before you upgrade the system software.
• Do not power off the device during the upgrade.
• It takes a long time to upload system software to the device; therefore, before upgrading the
system software, choose Maintenance > System Setting > System info and set HTTP
timeout interval to 60 minutes.

Procedure
Step 1 Choose Maintenance > System Maintenance > Upgrade. The Upgrade page is displayed.
Figure 2-75 shows the Upgrade page.

Figure 2-75 Upgrade page

Table 2-28 describes the parameters on the Upgrade page.

Table 2-28 Parameters on the Upgrade page

Item | Description
System file information | Displays the system file and patch file used by the device currently and the device current system software version.
Locally upload system file | Select files to be uploaded. You can upload files saved locally to the device. This option allows you to upload the system software and patch file only.
Upgrade system file: System File | Select the system software for upgrade from a drop-down list box.
Upgrade system file: Patch File | Select the patch file for upgrade from a drop-down list box.

Step 2 Upload the upgrade file. Click Browse, select the corresponding upgrade file, and then click
Upload.

Step 3 Select files to be upgraded. Select the uploaded system file or patch file from the drop-down list
box and click Upgrade. A dialog box is displayed indicating that the device will restart and
asking whether you want to save the configuration.

Step 4 Click Save and the device automatically restarts. The web system cannot be used during the
device restart. You need to log in to the web system again after the upgrade process is complete.

----End

2.4.2.3 Patch
This section describes how to upload, load, and uninstall patches.

Context
There are two types of patches: cold patch and hot patch. A cold patch takes effect only after
the switch restarts and a hot patch takes effect immediately after it is loaded to the switch. On
the Patch page, you can load or uninstall hot patches only. You can load or uninstall cold patches
on the Upgrade page.

- A patch is a kind of software compatible with the system software. It is used to remove
critical bugs of the system software. The extension name of the patch file is .pat.
- Before loading patches, you need to save patch files to the storage device of the switch.
Patch files are uploaded to the switch using HTTP.
- After a patch is uninstalled, delete the patch from the memory.

Procedure
Step 1 Choose Maintenance > System Maintenance > Patch. The Patch page is displayed. Figure
2-76 shows the Patch page.


Figure 2-76 Patch page

Table 2-29 describes the parameters on the Patch page.

Table 2-29 Parameters on the Patch page

Item                 Description
Patch Information    Displays the following information about patches:
                     - Patches that have been loaded
                     - Patch version
                     - Running status of the patch
Uninstall            Uninstall the running patch.
Upload Patch         Select the patch file to be uploaded. The file name is a string of characters without spaces and the file name extension is .pat.
Load patch           Select the patch file to be loaded.

Step 2 Click Browse under Upload Patch, select the patch file to be uploaded, and click Upload.

Step 3 Select the patch that you want to load from the Load patch drop-down list box and click Load
patch. The currently loaded patch file is displayed under Patch Information.

----End

2.4.2.4 Initialize
You can restore the factory settings of a switch on this page.

Context
If improper configurations have been performed on the switch, you can restore the factory
settings of the switch.

NOTICE
After you restore the factory settings of the switch, all the configurations that you have made on
the switch are deleted and cannot be restored. The original management IP address becomes
invalid and the web system is unavailable. To reconfigure the switch, use a serial cable to connect
your PC to the console interface of the switch.

Procedure
Step 1 Choose Maintenance > System Maintenance > Initialize. The Initialize page is displayed.

Step 2 Click Initialize. A confirm dialog box is displayed.

Step 3 Click Confirm.

----End

2.4.3 File Management


This section describes how to upload, download, and delete files.

Context
The web system provides file management functions to facilitate user operations. Figure 2-77
shows the File Management page.


Figure 2-77 File Management page

Procedure
- Uploading Files

You can upload local files to a switch.

1. Choose Maintenance > File Management. The File Management page is displayed.
2. Click Upload. The Upload a file page is displayed. Figure 2-78 shows the Upload
a file page.

Figure 2-78 Upload a file page

3. Select local files to be uploaded and click Confirm. After the files are uploaded, the
system displays a message indicating the successful upload.
NOTE

You can only upload files with the following file name extensions: .cc, .pat, .zip, .7z,
.txt, .log, .dblg, .cfg, .bat, and .xml.


- Downloading Files

You can download files from the switch to a local device.

1. Choose Maintenance > File Management. The File Management page is displayed.
2. Click Download next to the file name and select a path to save the file.
NOTE
You can only download files with the following file name extensions: .cc, .pat, .zip, .7z,
.txt, .log, .dblg, .cfg, .bat, and .xml.
- Moving Files to the Recycle Bin

After files are moved to the recycle bin, they still exist on the switch. You can restore the
files in the recycle bin.

1. Choose Maintenance > File Management. The File Management page is displayed.
2. Select the file you want to delete.
3. Click Move to Recycle Bin. The message "Are you sure to delete?" is displayed on
the system.
4. Click Confirm to complete the configuration.
- Deleting Files Permanently

You can permanently delete files from the switch.

NOTICE
The files deleted permanently cannot be restored.

1. Choose Maintenance > File Management. The File Management page is displayed.
2. Select the file you want to delete.
3. Click Permanently Delete. The message "Are you sure to delete?" is displayed on
the system.
4. Click Confirm to complete the configuration.
- Restoring Files

You can restore the files in the recycle bin to the storage device.

1. Choose Maintenance > File Management. The File Management page is displayed.
2. Select the file to be restored.
3. Click Restore to restore the file. The restored file is no longer saved in the recycle
bin.
- Deleting Files from the Recycle Bin

The files in the recycle bin still occupy storage space. You can delete useless files
permanently from the recycle bin to save the storage space.

1. Choose Maintenance > File Management. The File Management page is displayed.
2. Select the file you want to delete permanently.


3. Click Delete. The message "Are you sure to delete?" is displayed on the system.
4. Click Confirm to complete the configuration.

----End

2.4.4 Log Management


The Log Management page provides the latest 300 logs. You can query and delete the logs on
this page.

Context
The log management function records user actions, helps monitor system security, and provides
information for system diagnosis and maintenance.

Procedure
Step 1 Click Maintenance in the function area, and then click Log Management in the navigation tree
to display the Log Management page, as shown in Figure 2-79.

Figure 2-79 Log Management page

Step 2 You can enter a log level and time range to search for specified logs.

Step 3 You can click Clear to clear all logs.

----End

2.4.5 SNMP
Simple Network Management Protocol (SNMP) is a standard network management protocol
widely used on TCP/IP networks. SNMP uses a central computer (a network management
station) that runs network management software to manage network elements.

Context
The SNMP agent is an agent program on the managed device. The SNMP agent maintains
information for the managed device, responds to the requests from the NMS, and sends
management data to the NMS. Before the NMS manages a device through SNMP, the SNMP
agent must be enabled on the device and a proper SNMP version needs to be selected.


The web system supports SNMPv1 and SNMPv2c. The device and NMS must use the same SNMP
version.

NOTE

If a device is managed by multiple NMSs running different SNMP versions, all the SNMP versions need to be
set on the device so that the device can communicate with these NMSs.

Table 2-30 Usage scenarios of SNMP

Version    Usage Scenario
SNMPv1     Applicable to small-sized networks (such as campus networks and small-sized enterprise networks), which have the following characteristics:
           - Low security requirements
           - Simplified structure
           - Stable topology
SNMPv2c    Applicable to medium- or large-sized networks (such as VPNs), which have the following characteristics:
           - Low security requirements
           - Not prone to attacks
           - High service traffic volume
           - Prone to traffic congestion

Procedure
Step 1 Click Maintenance to open the maintenance page.

Step 2 Click SNMP in the left navigation tree to open the SNMP Agent configuration page, as shown
in Figure 2-80.

Figure 2-80 SNMP configuration


Step 3 Set the SNMP Agent parameters, including SNMP Agent status, SNMP Agent version,
community name, and access rights. For description of the parameters, see Table 2-31.

Table 2-31 SNMP Agent configuration items

Parameter                 Description
SNMP                      Indicates the SNMP Agent status:
                          - ON: SNMP Agent is enabled.
                          - OFF: SNMP Agent is disabled.
                          To manage devices using the NMS, enable the SNMP Agent function.
Version number            Indicates the SNMP version on the device. SNMPv1 and SNMPv2c are supported. Choose one or multiple versions. Ensure that the SNMP versions on the device and on the NMS are the same.
Community name            Indicates the read/write community name of SNMPv1 and SNMPv2c. This is the password that the NMS uses to perform the read and write operations on the SNMP agent. The password configured on the SNMP agent must be the same as that configured on the NMS.
Confirm community name    The confirm community name must be the same as the community name.
Community right           Indicates the access right of the community name.
                          - Read-only: The NMS can only read data on the device.
                          - Read-write: The NMS can read and write data on the device.

Step 4 Click Apply to complete the configuration.

----End

2.4.6 Diagnosis Tools


This document describes the tools for maintaining and diagnosing the switch, that is, ping,
tracert, and VCT.

2.4.6.1 Ping
The ping command is used to check network connectivity and host reachability.


Procedure
Step 1 Click Maintenance to open the maintenance page.

Step 2 Click Diagnosis Tool in the navigation tree to open the Diagnosis Tool page.

Step 3 Click the Ping tab.

Step 4 Enter the IP address in the ping text box and click Start. The network connection information
is displayed, as shown in Figure 2-81.

Figure 2-81 Ping

NOTE

If no response packets are received within the timeout interval, the following information is displayed:
Request time out. The preceding information shows that a link is faulty.

----End

2.4.6.2 Tracert
You can use the tracert command to test the gateways that packets pass through from the source
host to the destination host. The tracert command is used to check network connectivity and
locate network faults.


Context
The Tracert command, also called Trace Route, helps you check the IP addresses and the
number of gateways between the source and the destination. Tracert is used to check network
connectivity and locate network faults.

Procedure
Step 1 Click Maintenance to open the maintenance page.

Step 2 Click Diagnosis Tool in the navigation tree to open the Diagnosis Tool page.

Step 3 Click the Tracert tab.

Step 4 Enter the IP address in the tracert text box and click Start. The Layer 3 devices that packets
pass through between the source host and the destination host are displayed, as shown in Figure
2-82.

Figure 2-82 Tracert

NOTE

- The output of the tracert command includes IP addresses of all the gateways through which the packet
reaches the destination. If one gateway sends back a packet indicating TTL timeout, * is displayed.
- The tracert test may take a long time.

----End


2.4.6.3 VCT
The VCT function controls the hardware interfaces and displays the cable status on the GUI so
that you can conveniently and quickly locate faults and check lengths of cables.

Context
The VCT function helps to detect the type of a network cable fault and locate the faulty point.
In this manner, network cable faults can be conveniently located.

- If the cable works properly, the total length of the cable is displayed.
- If the cable cannot work properly, the distance between the interface and the fault point is
displayed.

The VCT test result is only for reference and may be inaccurate for cables of some vendors.

VCT takes effect only on optical interfaces that have GE copper modules installed or GE
electrical interfaces on the device.

Procedure
Step 1 Click Maintenance in the function area and choose Diagnosis Tool from the navigation tree on
the left. The Diagnosis Tool page is displayed. Click VCT, as shown in Figure 2-83.

Figure 2-83 VCT

Step 2 Select the interface that you want to configure. Perform either of the following operations as
required.
- Click an interface icon to select an interface.

Step 3 Click Start.

NOTICE
After you click Start, the message "The operation may cause Web NMS disconnected from the
server. Continue?" is displayed on the system. Exercise caution when you perform this operation.

Step 4 Click Confirm. The check result is displayed. Figure 2-84 shows the check result.


Figure 2-84 VCT check result

Table 2-32 describes the parameters in the returned check result.

Table 2-32 Parameters in the returned check result

Item             Description
Pair A/B/C/D     Four pairs of circuits in a network cable.
Pair A length    Length of a network cable:
                 - The length is the distance between the interface and the fault point if a fault occurs.
                 - The length is the actual length of the cable when the cable works properly.
                 - The default length is 0 m if the interface is not connected to any network cable.
Pair A state     Network cable status:
                 - Ok: The circuit pair is terminated properly.
                 - Open: The circuit pair is not terminated.
                 - Short: The circuit pair is short-circuited.
                 - Crosstalk: The cable sequence is incorrect.
                 - Unknown: An unknown fault occurs on the circuit pair.

----End

2.4.7 User Management


You can create and maintain a database on the switch to manage web platform users.

Context
User management includes creating a local user account (web platform user with the access type
HTTP) and modifying or deleting existing user accounts.


By default, a local user named admin exists in the system. The user password is
admin@huawei.com, and access type is HTTP.

NOTE

A simple password brings security risks. It is recommended that you change the password to a complicated one
after logging in to the web network management system using the default account. A password should consist
of at least 8 characters, and contain at least two types of the following: lowercase letters, uppercase letters,
numerals, special characters (such as ! $ # %). The password cannot contain spaces and single quotation marks
('). In addition, the password cannot be the same as the user name or the mirror user name.
To ensure device security, change the password periodically.

Procedure
- Create a user account.
1. Click Maintenance to display the Maintenance page.
2. Click User Management in the navigation tree to display the User Management
page, as shown in Figure 2-85.

Figure 2-85 User Management

3. Click Create to display the Create User page, as shown in Figure 2-86.


Figure 2-86 New User

Table 2-33 describes the parameters for creating a user.

Table 2-33 Create User/Modify User

Parameter           Description
User name           Indicates the new user name. The user name cannot contain \ / : * ? " < > | ' or %, and cannot start with @.
Password            Indicates the user password.
Confirm password    Indicates the confirm password. The format is the same as that of Password.
Level               Indicates the user level. There are two user levels in ascending order: monitoring user and administrator.
Forced offline      Indicates whether a user is forcibly disconnected from the network.
                    NOTE
                    This parameter is only displayed on the user modification page.


4. Set the parameters.


5. Click Confirm.
- Modify user information.
1. Click Maintenance to display the Maintenance page.
2. Click User Management in the navigation tree to display the User Management
page.
3. Click Modify on the right of the account you want to modify to display the Modify
User page, as shown in Figure 2-87.

Figure 2-87 Modify User

NOTE

- Table 2-33 describes the parameters for modifying user information.
- After the user attribute is changed, the user level is 3 for a management-level user and 1 for a
monitoring-level user. In addition, the service type of the user is HTTP.
- After you modify the user attribute, you need to log out and then log in again to make the
modification take effect.
- The user name is fixed and cannot be changed.
4. Set the parameters.
5. Click Confirm.
- Delete a user account.
1. Click Maintenance to display the Maintenance page.


2. Click User Management in the navigation tree to display the User Management
page.
3. You can delete a user account using either of the following methods:
- Click Delete next to the user account to be deleted.
- Select the records of the user accounts to be deleted, and click Delete next to
Create to delete the user accounts in batches.
After you click Delete, the system prompts you to confirm the deletion operation.
4. Click Confirm.

----End
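
The account rules in this section (the password NOTE and the user name restriction in Table 2-33) can be checked before accounts are provisioned. The following Python sketch is an added example, not part of the original guide or of Huawei's software; the function names and sample accounts are hypothetical, "mirror user name" is read as the user name reversed, and any character that is not a letter, numeral, space, or single quotation mark is assumed to count as a special character.

```python
# Added example: pre-check web user names and passwords against the rules
# stated in this section. Function names and sample accounts are hypothetical.

DEFAULT_PASSWORD = "admin@huawei.com"      # default password named in this section
NAME_FORBIDDEN = set('\\/:*?"<>|\'%')      # characters Table 2-33 disallows


def check_user_name(name):
    """Return the user name rule violations (empty list if none)."""
    if not name:
        return ["user name is empty"]
    problems = []
    bad = sorted(set(name) & NAME_FORBIDDEN)
    if bad:
        problems.append("user name contains forbidden characters: " + " ".join(bad))
    if name.startswith("@"):
        problems.append("user name starts with @")
    return problems


def character_types(password):
    """Return which of the four character types the password contains."""
    types = set()
    for ch in password:
        if ch.islower():
            types.add("lowercase")
        elif ch.isupper():
            types.add("uppercase")
        elif ch.isdigit():
            types.add("numeral")
        elif ch not in " '":               # assumption: everything else is "special"
            types.add("special")
    return types


def check_password(user_name, password):
    """Return the password rule violations (empty list if none)."""
    problems = []
    if len(password) < 8:
        problems.append("password is shorter than 8 characters")
    if len(character_types(password)) < 2:
        problems.append("password uses fewer than two character types")
    if " " in password or "'" in password:
        problems.append("password contains a space or single quotation mark")
    # "Mirror user name" is interpreted here as the user name reversed.
    if password in (user_name, user_name[::-1]):
        problems.append("password equals the user name or its mirror")
    # Extra check beyond the stated format rules: the documented default
    # satisfies length and character-type rules, so it must be caught by value.
    if password == DEFAULT_PASSWORD:
        problems.append("password is the documented default and must be changed")
    return problems


def audit_accounts(accounts):
    """Map each failing user name to its violations; accounts is [(name, password)]."""
    report = {}
    for name, password in accounts:
        problems = check_user_name(name) + check_password(name, password)
        if problems:
            report[name] = problems
    return report


# Constructed sample input.
SAMPLE_ACCOUNTS = [
    ("admin", "admin@huawei.com"),
    ("monitor1", "Sw1tch#Core-2014"),
    ("operator1", "1rotarepo"),
]

if __name__ == "__main__":
    for name, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(name, problems)
```

The default password passes the length and character-type rules, which is why the check compares against it explicitly.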

2.5 Network
The EasyDeploy function simplifies network configuration and implements remote deployment
and centralized management of network devices.

To configure the EasyDeploy function, determine roles of devices first. After a device is
configured as the Commander, you can view client information, configure and upgrade clients,
and view power consumption of the device and the entire network on the Commander.
NOTE

The devices that cannot work as the Commander can only be configured as the client, and the Summary,
Deployment, Batch Configuration, and Power Consumption menus are not available.
If the topology function is not enabled on the Commander, the Summary, Deployment, and Batch
Configuration menus are not available.
Summary, Deployment, and Batch Configuration functions are implemented based on the topology and
supported only by the Firefox browser or Microsoft Internet Explorer browser later than 9.0.

Table 2-34 lists the device models and versions that support the EasyDeploy function.

Table 2-34 Supports for the EasyDeploy function

Role: Commander
  Version V200R003C00 to V200R005C00
    - Product model S5700HI, S5710HI, S6700: maximum number of managed clients is 128
    - Product model S5700EI, S5710EI, and S5700SI: maximum number of managed clients is 64
  Version V200R006C00 and later
    - Product model S5720HI: maximum number of managed clients is 128
  Description: The S2720EI, S2750EI, S5700S-LI, and S5700LI can only work as a client and cannot work as a Commander.

Role: Client
  Version V200R003C00 and later
    - Product model: Fixed-configuration switches (S2700&S5700&S6700)
    - Product model: Chassis switches (S7700&S9700&S12700)
  Maximum number of managed clients: -
  Description:
    - If the clients are chassis switches, EasyDeploy can only be applied to the batch upgrade and batch configuration scenarios.
    - If the clients are fixed-configuration switches, EasyDeploy applies to the batch upgrade, batch configuration, unconfigured device deployment, and faulty device replacement scenarios.

2.5.1 Role Configuration


Before configuring EasyDeploy on a device, determine the role of the device.

2.5.1.1 Commander
You can configure global parameters for the Commander, including the role, Commander IP
address and port, file server, and default files to be downloaded.

Procedure
Step 1 Click Network in the function area to display the Network page.

Step 2 Click Role Configuration in the navigation tree to display the Role page.


Step 3 Click the Commander option button, as shown in Figure 2-88.

Figure 2-88 Role

Step 4 To perform advanced configurations, click , as shown in Figure 2-89.


Figure 2-89 Role configuration (advanced)

Table 2-35 describes the parameters for a Commander.

Table 2-35 Role parameters

Parameter                            Description
IP address                           This parameter is mandatory. Select an existing IP address from the drop-down list box.
Port                                 If you keep this field blank, the default UDP port is used.
Topology function                    If you select ON, the Commander is enabled to collect topology information so that you can deploy and maintain the network based on the topology.
Automatically discover clients       If you select ON, the Commander automatically learns client information, including each client's MAC address, ESN, IP address, device type, device model, system software name, configuration file name, and patch file name. This function enables the Commander to monitor and manage basic information and version files for clients on the network.
Aging time of offline clients        If you select ON, set an aging time.
                                     If the Commander does not receive status information from a client in 2 minutes, the Commander considers the client offline. When the number of clients managed by a Commander reaches the upper limit, new client information cannot be added to the Commander. To release the space occupied by offline clients in the client database, configure an aging time for offline clients. When the aging time expires, the Commander deletes the offline client.
File Server Configuration
  Server type                        Options are FTP, SFTP, and TFTP.
                                     NOTE
                                     FTP and TFTP cannot ensure secure file transfer. SFTP is recommended on networks that require high security.
  IP address                         Enter the IP address of the file server.
  User name                          Set the user name used to log in to the file server.
  Password                           Set the password used to log in to the file server.
Download File Configuration
  File activation mode               Options are Default mode and Reset mode.
                                     By default, if downloaded files include a software package (*.cc), clients activate all the downloaded files by resetting. In a batch upgrade, if downloaded files include a configuration file, clients activate all the downloaded files by resetting.
  File activation time               Options are Immediate file activation time, File activation delay, and Scheduled file activation time. If you select File activation delay or Scheduled file activation time, specify a time.
  Automatically clear storage space  If you select yes, clients will delete non-startup system software packages if they do not have sufficient space for downloaded files.
                                     NOTE
                                     This function is invalid for some types of file servers. If the file server is a TFTP server, this function does not take effect because the TFTP server does not return file size to clients. If an FTP or SFTP server cannot return the file size, this function does not take effect.
Automatic Backup Configuration       Options are Non-backup, Save backup file as new file, and Overwrite original file.
Default File Setting                 If you do not specify any file information, the default file information is used.
                                     You can specify a maximum of three self-defined files.
  System file name
  System version
  Configuration file name
  Patch file name
  Web file name
  License file name
  User-defined file name

Step 5 Set parameters on the Role page.

Step 6 Click Apply.

----End

2.5.1.2 Client
To enable the Commander to manage clients, specify the Commander IP address and port number
on the clients.

Procedure
Step 1 Click Network in the function area to display the Network page.

Step 2 Click Role Configuration in the navigation tree to display the Role page.

Step 3 Click the Client option button, as shown in Figure 2-90.


Figure 2-90 Role

Step 4 Enter the Commander IP address and UDP port and select whether to enable the network
topology collection function. The Commander IP address you enter here must be the same as
that configured on the Commander. If you keep the UDP port blank, the default UDP port is
used.

Step 5 Click Apply.

After you click Apply, the Summary, Deployment, Batch Configuration, and Power
Consumption nodes disappear from the navigation tree. These functions are supported only on
the Commander and are hidden for clients.

NOTE

After completing the client configuration, you can click Go to Commander web NMS to view Commander
information or configure the Commander.

----End

2.5.2 Summary
On the Summary page, you can view the network topology and device information, and save
topology information on the device.

Context
To view network topology information, you must enable topology discovery on the Commander.
For details, see (Optional) Configuring Network Topology Collection.

Procedure
- View the network topology.
1. Click Network in the function area to display the Network page.
2. Click Summary in the navigation tree to display the Summary page. The network
topology is displayed, as shown in Figure 2-91.


Figure 2-91 Topology

- Save the topology information.


1. Click Network in the function area to display the Network page.
2. Click Summary in the navigation tree to display the Summary page.
3. Click Save Topology. When the message "Are you sure you want to overwrite and
save the existing topology?" is displayed, determine whether to save the
configuration according to your needs. (The topology information is saved in the
ezop-topo.xml file on the Commander. You can compare this with the historical topology
file to check the changes in the network topology.)
- View device information.
1. Click Network in the function area to display the Network page.
2. Click Summary in the navigation tree to display the Summary page.

3. Click to view device information.


Figure 2-92 Device information

Click Log In to display the web page of the device.

----End

2.5.3 Deployment
On the Commander, you can perform unconfigured client deployment, faulty client replacement,
and batch client configuration based on topology information.

2.5.3.1 Unconfigured Device Deployment


An unconfigured client can automatically load the configuration file and other files after it is
powered on.

Procedure
Step 1 Click Network in the function area to display the Network page.

Step 2 Click Deployment in the navigation tree to display the Deployment page.

Step 3 Select an unconfigured device. The device information is displayed, as shown in Figure 2-93.


Figure 2-93 Device information

Step 4 Click Set Running File to display the Set Running File page, as shown in Figure 2-94.

Figure 2-94 Set Running File


Step 5 Set file information and click Confirm.

----End

2.5.3.2 Faulty Device Replacement


When a client fails and needs to be replaced, specify file information of this client on the web
page. Then the new device can use the specified files to start.

Procedure
Step 1 Click Network in the function area to display the Network page.

Step 2 Click Deployment in the navigation tree to display the Deployment page.

Step 3 Select the faulty device to be replaced. The device information is displayed, as shown in Figure
2-95.

Figure 2-95 Device information

Step 4 Click Replace Running File and enter the file information in the displayed page.

----End


2.5.3.3 Batch Upgrade


During routine network maintenance, you can update the software version and patch files of
specified clients.

Procedure
Step 1 Click Network in the function area to display the Network page.

Step 2 Click Deployment in the navigation tree to display the Deployment page.

Step 3 Select the device to be upgraded and click Upgrade. Enter information about the upgrade system
software and patch file on the displayed page.

----End

2.5.4 Batch Configuration


On the Commander, you can issue a command script to specified clients to complete batch
configuration of the clients.

Procedure
- Configure clients in a batch.
1. Click Network in the function area to display the Network page.
2. Click Batch Configuration in the navigation tree to display the Batch
Configuration page.
3. Select the device to be configured and click Batch Configuration, as shown in Figure
2-96. Import the script file.

Figure 2-96 Batch Configuration

- Check the configuration.


1. Click Network in the function area to display the Network page.
2. Click Batch Configuration in the navigation tree to display the Batch
Configuration page.


3. Click Query Configuration Result. The configuration is displayed in the list.

----End

2.5.5 Power Consumption


On the Commander, you can view the power consumption trend on the network and power
consumption of a specific device.

Procedure
- View the power consumption trend on the network.
  1. Click Network in the function area to display the Network page.
  2. Click Power Consumption in the function area to display the Power
     Consumption page.
  3. Select a time period from the drop-down list box to view the power consumption trend
     of the network in one day, three days, or a week. By default, the system displays the
     power consumption trend in one day, as shown in Figure 2-97.

  Figure 2-97 Power consumption trend on the network

- View the power consumption of a device.
  1. Click Network in the function area to display the Network page.
  2. Click Power Consumption in the function area to display the Power
     Consumption page.
  3. Select a device from the device list to view its power consumption, as shown in Figure
     2-98.

  Figure 2-98 Power consumption of a device

----End


3 Classics Edition

About This Chapter

The window layout of the Classics edition web system is organized around the refined and
comprehensive web network management functions that it provides.

3.1 Client Configuration


To facilitate the maintenance and configuration of the devices, Huawei provides the Web
network management system (Web system for short). You can log in to the Web system client
to maintain and configure devices through the graphical user interface (GUI).

3.2 Device Summary (S5720HI)


The following sections describe the subnodes under the Device Summary node, including
Panel, System Description, Switch Status, Bandwidth Utilization, System Log, and
Trends.

3.3 Device Summary (for Switch Models Except S5720H)


The following sections describe the subnodes under the Device Summary node, including
Panel, System Description, Switch Status, Bandwidth Utilization, System Log, and
Trends.

3.4 Config Wizard


The web system provides an Easy-Operation configuration wizard, which helps you quickly
configure global Easy-Operation parameters to implement basic functions for Easy-Operation.

3.5 System Management


This chapter describes the functions of system management. The system configuration manager
provides the following functions: Initialize, Reboot, Software Upgrade, Patch, File System
Management, System Configuration, PoE, DNS, Stacking, Log Management, and SNMP. You
can query and configure the required functions.

3.6 Interface Management


This chapter describes interface configurations. The interfaces that can be managed include
Ethernet interfaces, Eth-Trunk interfaces, VLANIF interfaces, and LoopBack interfaces. You
can configure the interfaces and view configuration information.

3.7 Service Management


This chapter describes service management for the switch. The Web system provides
management functions for VLAN, MAC, STP, Voice VLAN, DHCP, ARP, VRRP, and IGMP
Snooping services. You can query and configure the required services.

3.8 WLAN(S5720HI)
This chapter describes WLAN AC configuration for the switch. You can query and configure
the WLAN AC. Only the S5720HI supports WLAN AC.

3.9 ACL
The following sections describe how to view, add, modify, and delete ACLs and ACL effective
periods, and how to configure the ACL function.

3.10 QoS
This chapter describes the implementation principle of class-based QoS, and configuration
methods of traffic management, interface-based rate limit, traffic shaping, priority mapping, and
congestion management.

3.11 IP Routing
This document describes the configurations of IP routing.

3.12 Security
This chapter describes concepts and configurations of security management, including Port
isolation, Static user binding, AAA, 802.1x, and MAC Authen.

3.13 Tools
This document describes the commands for maintaining and diagnosing the switch, that is, ping,
tracert, VCT, AAA Test, and RF-Ping.

3.14 Configuration Examples


The following sections illustrate service configurations using several examples.


3.1 Client Configuration


To facilitate the maintenance and configuration of the devices, Huawei provides the Web
network management system (Web system for short). You can log in to the Web system client
to maintain and configure devices through the graphical user interface (GUI).
This chapter describes basic operations that you can perform on the Web system. It helps you
quickly understand the operations and functions on the Web system.

3.1.1 Understanding the Web System Client User Interface


The following sections help you understand the Web system client user interface and improve
your operation efficiency.

3.1.1.1 Window Layout


The layout and style of the Web system client GUI are described in this section.
Figure 3-1 shows a typical operation user interface of the Web system.

Figure 3-1 Device Summary

No. Description
1 Navigation tree
2 Your Position
3 Tabs
4 Configuration area

3.1.1.2 Navigation Tree


The navigation tree consists of ten nodes: Device Summary, Config Wizard, System
Management, Interface Management, Service Management, ACL, QoS, IP Routing, Security
and Tools.


Each node has subnodes, as described in Table 3-1.

NOTE

The menus in the navigation tree vary depending on switch models.

Table 3-1 Description of the Web system navigation tree

| Node | Subnode | Description |
| --- | --- | --- |
| Device Summary | Lineate | Displays summary information about the wired-side to enable you to know the running status of the device. |
| Device Summary | Wireless | Displays summary information about the wireless side to enable you to know the running status of the device. |
| Config Wizard | EasyOperation | Configuration wizard which helps you quickly configure global Easy-Operation parameters to implement basic functions for Easy-Operation. |
| Config Wizard | AP Wizard | The configuration wizard allows an AP to go online properly on the AC and the AC to successfully deliver WLAN services to the AP. |
| Config Wizard | WLAN Wizard | The WLAN wizard allows you to configure common wireless services. |
| Config Wizard | WDS Wizard | The WDS Wizard helps you quickly complete WDS configurations step by step, allowing APs to set up WDS connections. |
| Config Wizard | Mesh Wizard | The Mesh Wizard helps you quickly complete Mesh configurations step by step, allowing APs to set up Mesh connections. |
| System Management | Initialize | Restores the factory settings of the switch. |
| System Management | Reboot | Chooses the system software, configuration file, and patch file for next startup of the switch. |
| System Management | Software Upgrade | Upgrades the software of the switch. |
| System Management | Patch | Loads the patch file to the switch. |
| System Management | File System Management | Manages files, including uploading files to the switch, downloading files from the switch, and restoring or permanently deleting files in the recycle bin. |
| System Management | System Configuration | Sets the system information such as system time and maintenance information. |
| System Management | PoE | Configures and queries global PoE information and PoE on interfaces. |
| System Management | DNS | Configures and queries dynamic DNS entries, DNS server, domain name suffix, and dynamic domain name resolution function. |
| System Management | Stacking | Configures and queries the stacking function. |
| System Management | Log Management | Allows you to view operation logs. |
| System Management | SNMP | Configures the SNMP functions, including SNMP global settings, community/group management, MIB view, and trap setting. |
| System Management | EasyOperation | Configures roles, groups, and clients to implement Easy-Operation. |
| System Management | License Management | This section describes the functions of loading license files and displaying license status. |
| Interface Management | Ethernet | Configures and queries basic attributes of interfaces and traffic statistics on the interfaces. |
| Interface Management | Eth-Trunk | Configures and queries Eth-Trunk interfaces and LACP priority. |
| Interface Management | VLANIF | Configures and queries VLANIF interfaces. |
| Interface Management | LoopBack | Configures and queries the LoopBack interfaces. |
| Service Management | VLAN | Configures and queries VLANs, interfaces, and VLANIF interfaces. |
| Service Management | MAC | Configures and queries MAC address table, MAC address aging time, MAC address learning function, static MAC address entries, blackhole MAC address entries, and sticky MAC function. |
| Service Management | STP | Configures and queries global STP information, STP on interfaces, and domains. |
| Service Management | Voice VLAN | Configures and queries voice VLAN and OUI. |
| Service Management | DHCP | Configures and queries DHCP global address pool, address pool on VLANIF interface, and DHCP relay. |
| Service Management | ARP | Configures and queries ARP entries, static ARP entries, and ARP parameters. |
| Service Management | VRRP | Configures and queries VRRP information. |
| Service Management | IGMP Snooping | Configures and queries global IGMP information and IGMP snooping of VLANs. |
| WLAN | AC Configuration | Configures and queries AC system parameters. |
| WLAN | AP Info | Configures and queries AP information, including the AP region, profile, whitelist, and blacklist. |
| WLAN | WLAN Configuration | Configures and queries wireless network configurations. |
| WLAN | Radio Profile | Configures and queries the radio and WMM profiles. |
| WLAN | Service Set | Configures and queries the service set, traffic profile, security profile, ESS interface, and STA whitelist and blacklist. |
| WLAN | WDS Profile | Configures and queries the WDS bridge profile and whitelist, and wireless virtual connections. |
| WLAN | Mesh Profile | Configures and queries the Mesh bridge profile and whitelist, and wireless virtual connections. |
| WLAN | Load Balancing | Configures and queries the static and dynamic load balancing groups. |
| WLAN | WIDS Configuration | Configures and queries WIDS and SSID whitelist, as well as information about the rogue devices, attack statistics, attack detection, and dynamic blacklist. |
| WLAN | Backup Configuration | Configures device backup. |
| WLAN | Terminal Management | Configures and queries information and status of the STA blacklist and whitelist, as well as information about STA management and statistics. |
| WLAN | Radio Calibration | Configures and displays radio calibration information. |
| WLAN | System Maintenance | Configures batch AP upgrade and single AP upgrade. |
| ACL | Effective Period | Configures and queries the ACL effective period. |
| ACL | ACL | Configures and queries ACL information. |
| QoS | Traffic Management | Configures and queries the traffic classifier-based QoS function, including traffic classification, traffic behavior, traffic policy, and application of traffic policy. |
| QoS | Limit Rate | Configures and queries the interface rate limiting function. |
| QoS | Traffic Shaping | Configures and queries the traffic shaping function. |
| QoS | Congestion Management | Configures and queries congestion management on interfaces. |
| QoS | Priority Mapping | Configures and queries the priority mapping and trusted interface functions. |
| IP Routing | IPv4 Route | Configures and queries IPv4 routes, including IPv4 static routes and global IPv4 routing information. |
| Security | Port isolation | Configures and queries isolation mode and isolation directions. |
| Security | Static user binding | Configures and queries static user binding information. |
| Security | AAA | Configures and queries the security functions, including authentication, authorization, and accounting (AAA), service templates, RADIUS Configurations, domain management, and user management and Change Mode. |
| Security | 802.1X | Configures and queries global 802.1X parameters and 802.1X parameters on interfaces. |
| Security | MAC Authen | Configures and queries global MAC address authentication and MAC address authentication on interfaces. |
| Security | Ucl Group | Configures and queries Ucl Group. |
| Security | QoS Profile | Configures QoS Profile. |
| Security | Authentication Event | Configures and queries pre-authentications and authentication failures. |
| Security | SSL | Configures and queries SSL. |
| Security | Portal Authentication | Configures and queries External Portal Server, Built-in Portal Server, Customized Page and Portal Free Rule. |
| Security | Security Protection | Configures Security Protection. |
| Tools | Ping | The ping function. |
| Tools | Tracert | The tracert function. |
| Tools | VCT | The VCT function. |
| Tools | AAA Test | The AAA Test function. |
| Tools | RF-Ping | The RF-Ping function. |


3.1.1.3 Buttons
The buttons that you usually use on the Web system GUI are described in this section.

Table 3-2 describes the buttons and functions.

Table 3-2 Button description

Button Function

Saves configurations or confirms the displayed information.


NOTE
If you click OK on a pop-up dialog box, the dialog box is closed.

Saves configurations or confirms the displayed information.


NOTE
If you click Apply on a pop-up dialog box, the dialog box is not closed.

Displays information that you queried.

Configures a selected record.

Cancels the current configuration.

Refreshes the current page.

Creates a record on the current page.

Deletes a selected record.

Modifies a selected record.

Displays details about a selected record.

Deletes the configuration data of a selected record.

Selects all the current data.

Cancels all the current selections.

3.1.1.4 GUI Elements


The elements that you usually use on the Web system GUI are described in this section.

Table 3-3 describes the elements that you usually use on the Web system GUI.

NOTE

The GUI elements described in this section are used for reference only because the GUI elements of
different switch models have slight differences.


Table 3-3 GUI elements

Name Element

Button
Move button
Option button
Check box
Tab
Text box
Browse box
Group box
Drop-down list box
Menu
Navigation tree
Sort button (Default, Descending, Ascending)
Time setting
Mandatory option
Interface panel

3.1.2 Web User Management


The switch provides a default user name and password for your first login. To facilitate user
management, the Web system enables you to add user accounts, change passwords, and delete
user accounts.

The following sections describe the operations of user management. To configure user
management, choose Security > AAA > User Management.

3.1.2.1 Create User


You can add user accounts. Then the switch can authenticate and authorize the users who log in
to the switch according to the user information you configured.

Context
You can add user accounts only when your user level is greater than 2.

NOTE
You can create a user account at the same or lower level.

Procedure
Step 1 Choose Security > AAA > User Management in the navigation tree to open the User
Management page.

Step 2 Click New to open the Create User page.

Step 3 Enter User Name, Password, Confirm Password, set User Level, and set the access type to
HTTP. Retain the default values of other parameters.

Step 4 Click OK.

----End

3.1.2.2 Changing Password


You can change passwords in the web system.


Context
You can change the passwords only when your user level is greater than 2.

Procedure
Step 1 Choose Security > AAA > User Management in the navigation tree to open the User
Management page.

Step 2 Select a record that you want to modify and click to open the Modify User page.

Step 3 Enter Password and Confirm Password.

Step 4 Click OK.

----End

3.1.2.3 Deleting a User Account


You can delete user accounts from the Web system.

Context
You can delete user accounts only when your user level is greater than 2.

NOTE
You can delete a user account at the same or lower level but not your own account.

Procedure
Step 1 Choose Security > AAA > User Management in the navigation tree to open the User
Management page.

Step 2 Select a record that you want to delete and click Delete. The system asks you whether to delete
the record.

Step 3 Click OK.

----End

3.1.3 Processing the Timeout of a Web User


If you do not perform any operations on the Web system GUI for a long time, you are logged
out and the login page is displayed.

If you need to continue operations, log in again.

NOTE

- By default, the timeout time of a login user is 20 minutes.
- The timeout time is set on the 3.5.6.2 System Settings page.


3.1.4 Switching to the EasyOperation Edition


The web system of the Classics edition provides more functions than the EasyOperation edition.
However, it is easier to perform operations on the EasyOperation edition. If you need to perform
basic device configurations only, you can switch to the EasyOperation edition.

A button is available on the Classics edition for you to switch to the EasyOperation edition.
Click EasyOperation at the upper right corner as shown in Figure 3-2 to switch to the
EasyOperation edition.

Figure 3-2 Switching to the EasyOperation edition

3.1.5 Saving Configuration


After performing configuration, you need to save the configuration data.

NOTICE
Click Save after the preceding configuration; otherwise, the configuration that has not been
saved will be lost upon reboot.

To save configurations, you can:


- Click OK or Apply to save the configuration data to memory.
- Click in the navigation tree to save all the configuration data to the configuration
  file.

3.1.6 Logging Out of the Web System


To protect security of user accounts and switches, log out of the Web system immediately after
you finish the configurations.

You can log out of the Web system in either of the following ways:
- Click on the top right corner of the page to close the browser.
- Click on any page of the Web system.

3.2 Device Summary (S5720HI)


The following sections describe the subnodes under the Device Summary node, including
Panel, System Description, Switch Status, Bandwidth Utilization, System Log, and
Trends.


NOTE

3.2.2 Wireless is only available in the NAC unified mode.


Only the S5720HI supports 3.2.2 Wireless.

3.2.1 Lineate
The Lineate window provides wired-side summary information for you to query.

3.2.1.1 Panel
This subnode provides information about the device panel.

Context
The panel area on the Web system page displays information about each port of the selected
switch, including:
- Number of ports
- Operating mode of each port

NOTE

You can place the cursor on a port to view the type, rate, and status of the port.

Procedure
Step 1 Click Device Summary > Lineate in the navigation tree to open the Lineate page.

The device panel is displayed on the page, as shown in Figure 3-3.

Figure 3-3 Panel

Step 2 Select a refresh interval from the drop-down list before Refresh. The value Manual indicates
that the page is not refreshed automatically. The default interval is 60 seconds.

Step 3 Click Refresh. Then the Web system synchronizes data with the switch and refreshes the
information on the page.

Step 4 If you click a port icon, the configuration information of each port is displayed, as shown in
Figure 3-4.


Figure 3-4 STP Information of an Interface

----End

3.2.1.2 System Description


This subnode displays the product type, MAC address, software version, and hardware version
of the switch.

Procedure
Step 1 Click Device Summary > Lineate in the navigation tree to open the Lineate page.

The System Description and Board Information sections are displayed on the Device
Summary page, as shown in Figure 3-5 and Figure 3-6.

Figure 3-5 System Description


Figure 3-6 Board Information

----End

3.2.1.3 Switch Status


This subnode displays the current CPU usage, memory usage, temperature, and fan status of the
switch.

Context
The switch status area displays the current CPU usage, memory usage, temperature, and fan
status of the switch. When you place the cursor over the image of the CPU usage, memory usage,
or temperature status, the current value and threshold value of that item are displayed.

Procedure
- Click Device Summary > Lineate in the navigation tree to open the Lineate page. The
  Switch Status section is displayed on the Device Summary page, as shown in Figure
  3-7.

Figure 3-7 Switch Status

----End

3.2.1.4 Bandwidth Utilization


This subnode displays the bandwidth utilization of the interface.


Context
You can learn about the interface utilization from this subnode. You can view the bandwidth
utilization trend and configure relevant parameters. The contents consist of:
- Interface Name
- Input
- Output

Procedure
Step 1 Click Device Summary > Lineate in the navigation tree to open the Lineate page. For a stacked
device, click the slot ID of the device to open the Board Information page.

The Bandwidth Utilization section is displayed, as shown in Figure 3-8.

Figure 3-8 Bandwidth Utilization

----End

3.2.1.5 System Log


This subnode displays the latest five logs of the device.

Context
The system log information area displays the latest five logs. You can view more logs. The
contents consist of:
- Time
- Level
- Log Content

Procedure
Step 1 Click Device Summary > Lineate in the navigation tree to open the Lineate page. You can
view the System Log tab page, as shown in Figure 3-9.


Figure 3-9 System Log

Step 2 Select a refresh interval from the drop-down list next to Refresh. The value Manual indicates
that the page is not refreshed automatically. The default refresh interval is 60 seconds. When the
interval elapses, the system refreshes the page and displays the latest five logs.
Step 3 Click Refresh. The Web system synchronizes data with the switch and refreshes the information
on the page to display the latest five logs.
Step 4 Click More Logs to enter the Log Management page, and you can view the latest 300 logs.
The log information includes time, module, level, mnemonic, and log content.

----End

3.2.1.6 Trends
This subnode displays the CPU usage, memory usage, temperature, and port usage of the
switch according to your selection.

Procedure
Step 1 Click Device Summary > Lineate in the navigation tree to open the Lineate page. For a stacked
device, click the slot ID of the device to open the Board Information page.
Step 2 Click a port in the Bandwidth Utilization section to open the Trends page.
1. Click the unfold button on the right of CPU Usage, and the CPU usage trend is
displayed, as shown in Figure 3-10.

Figure 3-10 CPU Usage Trend


2. Click the unfold button on the right of Memory Usage, and the memory usage trend is
displayed, as shown in Figure 3-11.

Figure 3-11 Memory Usage Trend

3. Click the unfold button on the right of Temperature, and the temperature trend is
displayed, as shown in Figure 3-12.

Figure 3-12 Temperature Trend

4. Select an interface name from the drop-down list. Click the unfold button on the right of
Bandwidth Utilization, and the bandwidth utilization trend of this interface is displayed,
as shown in Figure 3-13.


Figure 3-13 Bandwidth Utilization Trend

Step 3 Click Back on the upper right corner of the page, and the Device Summary page is displayed.

----End

3.2.2 Wireless
The Wireless window provides wireless side summary information for you to query.

Background
You can view device information to verify that a device runs properly.

Choose Device Summary > Wireless. The Wireless page is displayed.

Figure 3-14 Wireless

The Wireless page includes the following areas:


- Device Information
- Top10 AP Statistics
- Top10 AP Association Failure Rate
- Rogue Device Info
- Statistics Details
- Top10 SSID Statistics
- Top10 AP Uplink Traffic And Channel Usage

Device Information

You can view router information in the Device Information window.


- Online AP count / Max AP count: Number of online APs/Maximum number of supported
  APs, which depends on the loaded license.
- Online STA count / Max STA count: Number of online STAs/Maximum number of
  supported STAs.

Top10 AP Statistics

You can view statistics on the top ten APs that have most users connected.

Top10 AP Association Failure Rate

You can view statistics on the top ten APs that have the highest association failure rate.

Rogue Device Info

You can view information about the detected Rogue client, Rogue AP, and Adhoc rogue.


Statistics Details

You can view information about AP Statistics and User Statistics, including the number of all
APs, number of online APs, number of unauthenticated APs, number of other APs, number of
access users, and number of users connected to the 2.4 GHz and 5 GHz radios in the AP
Details window.

Top10 SSID Statistics

You can view statistics on the top ten SSIDs that have most users connected.

Top10 AP Uplink Traffic And Channel Usage

You can view statistics on the top ten APs that have the highest uplink traffic and channel usage.

Click . The displayed results are arranged based on AP name, AP traffic(KB), 2.4 GHz
channel usage(%), and 5 GHz channel usage(%).

3.3 Device Summary (for Switch Models Except S5720H)


The following sections describe the subnodes under the Device Summary node, including
Panel, System Description, Switch Status, Bandwidth Utilization, System Log, and
Trends.


3.3.1 Panel
This subnode provides information about the device panel.

Context
The panel area on the Web system page displays information about each port of the selected
switch, including:
- Number of ports
- Operating mode of each port

NOTE

You can place the cursor on a port to view the type, rate, and status of the port.

Procedure
Step 1 To view the panel of a non-stacked device, click Device Summary in the navigation tree to open
the Device Summary page.

The device panel is displayed on the page, as shown in Figure 3-15.

Figure 3-15 Panel

Step 2 To view the panel of a stacked device, click Device Summary in the navigation tree to open the
Device Summary page. The stack topology is displayed on the page, as shown in Figure
3-16. Click the slot ID of a device to display the Board Information, as shown in Figure
3-15.

Figure 3-16 Stack topology

Step 3 Select a refresh interval from the drop-down list before Refresh. The value Manual indicates
that the page is not refreshed automatically. The default interval is 60 seconds.

Step 4 Click Refresh. Then the Web system synchronizes data with the switch and refreshes the
information on the page.

Step 5 If you click a port icon, the configuration information of each port is displayed, as shown in
Figure 3-17.


Figure 3-17 STP Information of an Interface

----End

3.3.2 System Description


This subnode displays the product type, MAC address, software version, and hardware version
of the switch.

Procedure
Step 1 To view the system description of a non-stacked device, click Device Summary in the navigation
tree to open the Device Summary page.

The System Description and Board Information sections are displayed on the Device
Summary page, as shown in Figure 3-18 and Figure 3-19.

Step 2 To view the system description of a stacked device, click Device Summary in the navigation
tree to open the Device Summary page. The system description is displayed on this page, as
shown in Figure 3-18. Click the slot ID of a device to display the Board Information page, as
shown in Figure 3-19.


Figure 3-18 System Description

Figure 3-19 Board Information

----End

3.3.3 Switch Status


The Switch Status section displays status monitoring information of a switch.

Context
The switch status area displays the current CPU usage, memory usage, temperature, and fan
status of the switch. When you place the cursor over the image of the CPU usage, memory usage,
or temperature status, the current value and threshold value of that item are displayed.

Procedure
- To view the status of a non-stacked device, click Device Summary in the navigation tree
  to open the Device Summary page. The Switch Status section is displayed on the Device
  Summary page, as shown in Figure 3-20.

  Figure 3-20 Switch Status

- To view the status of a stacked device, click Device Summary in the navigation tree to
  open the Device Summary page. Click the slot ID of a device to display the Board
  Information page. The Slot Status section is displayed on the Board Information page,
  as shown in Figure 3-21.

  Figure 3-21 Slot Status

- To view the status of a device that supports batteries, click Device Summary in the
  navigation tree to open the Device Summary page. The Device Status section displays
  differently when no battery is available, a lead-acid battery is available, or a lithium battery
  is available.

  NOTE

  - The following product models support the use of batteries: S5700-28P-LI-BAT and
    S5700-28P-LI-24S-BAT.
  - The preceding product models support the following batteries: lead-acid battery (used with the
    PBB-12AHA lead-acid battery charger module), 4AHA lithium battery, and 8AHA lithium
    battery.

  If no battery is available, the Switch Status section displays as shown in Figure 3-22.


Figure 3-22 Device status: no battery is available

If a lead-acid battery is installed on the device, the Switch Status section displays as
shown in Figure 3-23. For the meaning of each field for the battery, see Table 3-4.


Figure 3-23 Device status: a lead-acid battery is available


Table 3-4 Description of fields for the lead-acid battery

| Field | Description |
| --- | --- |
| 1 | Battery type: lead-acid battery |
| 2 | Battery status: • Charge: The battery is charging. • Discharge: The battery is discharging. • Full: The battery is fully charged. • Abnormal: The battery becomes faulty. |
| 3 | Battery status icon: |

If a lithium battery is installed on the device, the Switch Status section displays as
shown in Figure 3-24. For the meaning of each field for the battery, see Table 3-5.


Figure 3-24 Device status: a lithium battery is available


Table 3-5 Description of fields for the lithium battery

| Field | Description |
| --- | --- |
| 1 | Battery type: • Lithium battery (4AHA) • Lithium battery (8AHA) |
| 2 | Percentage of the current battery capacity to the full capacity of the battery. NOTE: If the battery is faulty, the current capacity is not displayed. |
| 3 | Battery status icon: |

----End

3.3.4 Bandwidth Utilization


This subnode displays the bandwidth utilization of the interface.

Context
You can learn about the interface utilization from this subnode. You can view the bandwidth
utilization trend and configure relevant parameters. The contents consist of:
• Interface Name
• Input
• Output

Procedure
Step 1 Click Device Summary in the navigation tree to open the Device Summary page. For a stacked
device, click the slot ID of the device to open the Board Information page.

The Bandwidth Utilization section is displayed, as shown in Figure 3-25.


Figure 3-25 Bandwidth Utilization

----End

3.3.5 System Log


This subnode displays the latest five logs of the device.

Context
The system log information area displays the latest five logs. You can view more logs. The
contents consist of:
• Time
• Level
• Log Content

Procedure
Step 1 Click Device Summary in the navigation tree to open the Device Summary page. You can view
the System Log tab page, as shown in Figure 3-26.

Figure 3-26 System Log


Step 2 Select a refresh interval from the drop-down list next to Refresh. The value Manual indicates
that the page is not refreshed automatically. The default refresh interval is 60 seconds. The system
refreshes the page when the interval elapses and displays the latest five logs.
Step 3 Click Refresh. The web system synchronizes data with the switch and refreshes the information
on the page to display the latest five logs.
Step 4 Click More Logs to enter the Log Management page, where you can view the latest 300 logs.
The log information includes time, module, level, mnemonic, and log content.

----End

3.3.6 Trends
This subnode displays the CPU usage, memory usage, temperature, and port usage of the
switch according to your selection.

Procedure
Step 1 Click Device Summary in the navigation tree to open the Device Summary page. For a stacked
device, click the slot ID of the device to open the Board Information page.
Step 2 Click a port in the Bandwidth Utilization section to open the Trends page.
1. Click the unfold button on the right of CPU Usage, and the CPU usage trend is
displayed, as shown in Figure 3-27.

Figure 3-27 CPU Usage Trend

2. Click the unfold button on the right of Memory Usage, and the memory usage trend is
displayed, as shown in Figure 3-28.

Figure 3-28 Memory Usage Trend


3. Click the unfold button on the right of Temperature, and the temperature trend is
displayed, as shown in Figure 3-29.

Figure 3-29 Temperature Trend

4. Select an interface name from the drop-down list. Click the unfold button on the right of
Bandwidth Utilization, and the bandwidth utilization trend of this interface is displayed,
as shown in Figure 3-30.

Figure 3-30 Bandwidth Utilization Trend

Step 3 Click Back in the upper right corner of the page. The Device Summary page is displayed.

----End

3.4 Config Wizard


The web system provides an Easy-Operation configuration wizard, which helps you quickly
configure global Easy-Operation parameters to implement basic functions for Easy-Operation.

The Easy-Operation feature implements automatic version file loading on newly delivered or
unconfigured devices and batch upgrades of devices on a campus network. Table 3-6 lists the
device models and versions that support the Easy-Operation feature.


Table 3-6 Support for the Easy-Operation feature

| Role | Version | Product Model | Maximum Number of Managed Clients | Description |
| --- | --- | --- | --- | --- |
| Commander | V200R003C00 to V200R005C00 | S5700HI, S5710HI, S6700 | 128 | The S2720EI, S2750EI, S5700S-LI, and S5700LI can only work as a client and cannot work as a Commander. |
| Commander | V200R003C00 to V200R005C00 | S5700EI, S5710EI, and S5700SI | 64 | |
| Commander | V200R006C00 and later | S5720HI | 128 | |
| Client | V200R003C00 and later | Fixed-configuration switches (S2700&S5700&S6700), Chassis switches (S7700&S9700&S12700) | - | • If the clients are chassis switches, EasyDeploy can only be applied to the batch upgrade and batch configuration scenarios. • If the clients are fixed-configuration switches, EasyDeploy applies to the batch upgrade, batch configuration, unconfigured device deployment, and faulty device replacement scenarios. |

NOTE

3.4.2 AP Wizard, 3.4.3 WLAN Wizard, 3.4.4 WDS Wizard and 3.4.5 Mesh Wizard are available only in the
NAC unified mode and are supported only by the S5720HI.


3.4.1 EasyOperation
On the EasyOperation page, you can configure global Easy-Operation parameters for a
device, including the role, Commander IP address and port, and file server.

Context
Before configuring Easy-Operation on a device, determine the role of the device.

Parameters configured here are global parameters. To configure parameters for a group, choose
System Management > EasyOperation.

NOTE

If a device does not support the Commander function, its role can only be set to Client.

Procedure
Configuring a device as a client

1. Choose Config Wizard > EasyOperation in the navigation tree to display the
EasyOperation page, as shown in Figure 3-31.

Figure 3-31 Select role

Select the Client option and click Next.


2. Enter the Commander IP address and UDP port. The Commander IP address you enter here
must be the same as that configured on the Commander. If you keep the UDP port field
blank, the default UDP port is used. See Figure 3-32.


Figure 3-32 IP address and port

Set the required parameters and click Next.


3. Check whether the configuration is correct on the page displayed, as shown in Figure
3-33.

Figure 3-33 Confirm result

Click Finish.

Configuring a device as a Commander

You can import information about unconfigured devices to the Commander using the
configuration wizard to deploy unconfigured devices.

1. Choose Config Wizard > EasyOperation in the navigation tree to display the
EasyOperation page, as shown in Figure 3-34.


Figure 3-34 Select role

Select the Commander option and click Next.


2. Enter the Commander IP address and UDP port. The Commander IP address you enter here
must exist on the device. If you keep the UDP port field blank, the default UDP port is
used. See Figure 3-35.

Figure 3-35 IP address and port

Set the required parameters and click Next.


3. Configure file server information, as shown in Figure 3-36.

Figure 3-36 Server type configure

Table 3-7 describes the parameters for a file server.


Table 3-7 Server configuration parameters

| Parameter | Description |
| --- | --- |
| Server type | This parameter is mandatory. Options are FTP, SFTP, and TFTP. NOTE: FTP and TFTP cannot ensure secure file transfer. SFTP is recommended on networks that require high security. |
| IP | This parameter is mandatory. Enter the IP address of the file server. |
| User Name | Enter the user name used to log in to the file server. |
| Password | Enter the password used to log in to the file server. |
| Configuration file backup method | Options are No backup, Duplicate, and Overwrite. |
| Time interval | Set the interval at which you want the Commander to back up configuration files. |

Set the required parameters and click Next.


4. (Optional) Configure file activation method and time, as shown in Figure 3-37.

Figure 3-37 Download file configure

Table 3-8 describes the parameters for file activation.

Table 3-8 Download file configure

| Parameter | Description |
| --- | --- |
| File activation method | Options are Default type and Reload type. By default, if downloaded files include a software package (*.cc), clients activate all the downloaded files by restarting. In a batch upgrade, if downloaded files include a configuration file, clients activate all the downloaded files by restarting. |
| File activation time | Options are Active now, Active delay, and Active in time. If you select Active delay or Active in time, the related parameter is displayed for you to configure. |
| Client auto clear | If you select Yes, clients will delete non-startup system software packages if they do not have sufficient space for downloaded files. NOTE: Whether clients can automatically clear their storage medium depends on the file server type. If clients download files from a TFTP server, they cannot automatically clear their storage medium because they cannot obtain the sizes of downloaded files. If an FTP or SFTP server is used but the server cannot return the file sizes, clients cannot automatically clear their storage medium. |

Set the required parameters and click Next.


5. (Optional) Configure client information, as shown in Figure 3-38.

Figure 3-38 Client configuration

a. Click template.zip to download this template to your computer, and then enter client
information in the template.
b. Click Browse and select the template.

c. Click to import client information from the template.


d. Check the imported client information in the Import result area, including client ID,
MAC address, and ESN of each client.
Click Next.
6. Confirm the result. Click the IP address and port, Server type configure, Download file
configure, and Client configuration tabs to check the configuration result, as shown in
Figure 3-39.

Figure 3-39 Confirm result


7. Click Finish.

3.4.2 AP Wizard
This section describes how to configure an AP to go online using the AP wizard.

Context
The configuration wizard allows an AP to go online properly on the AC and the AC to
successfully deliver WLAN services to the AP.

Procedure
Step 1 Configure Ethernet Interface.
1. Choose Config Wizard > AP Wizard.

2. Select a search item and search interfaces based on the search item. For description of the
parameters, see Table 3-9.

Table 3-9 Interface parameters

| Parameter | Description |
| --- | --- |
| Interface name | Name of the interface. |
| Default VLAN | Default VLAN of the interface. |
| VLAN (Untagged) | VLAN to which the interface is added in untagged mode. |
| VLAN (Tagged) | VLAN to which the interface is added in tagged mode. |
| Connection Status | Connection status of the interface. |
| Link type | Link type of the interface. |
| Interface Rate | Rate of the interface. |
| Description | Description of the interface. |


3. In the Interface area, click on the right side of the Ethernet Interface entry to modify
Ethernet interface configurations. For description of the parameters, see Table 3-10.

4. Click Next.

Table 3-10 Ethernet Interface parameters

| Parameter | Description |
| --- | --- |
| Interface name | Name of the Ethernet interface. |
| Default VLAN | Default VLAN to which the interface is added. NOTE: The default VLAN must exist on the device. |
| Link type | Link type of the interface. |
| VLAN ID | VLAN IDs allowed on the interface. • When Link type is Access, only packets of the default VLAN are allowed to pass through the interface. • When Link type is Hybrid, packets of VLANs are configured to pass through the interface in tagged or untagged mode. • When Link type is Trunk, packets of VLANs are configured to pass through the interface only in tagged mode. |
| Untagged VLANs | VLAN to which the Ethernet interface is added in untagged mode. |
| Tagged VLANs | VLAN to which the Ethernet interface is added in tagged mode. |

Step 2 Configure the virtual interface.


1. Select the search criteria and search for the items that meet the requirements. Click Create to create
a virtual interface and set parameters described in Table 3-11.

2. In the Virtual Interface area, click on the right side of the virtual interface to modify
its configurations. For description of the parameters, see Table 3-11.

3. Click Next.

Table 3-11 Virtual interface parameters

| Parameter | Description |
| --- | --- |
| Interface Name | Name of the virtual interface. |
| Interface type | Type of the virtual interface. |
| VLAN ID | VLANIF interface ID. |
| Interface number | Loopback interface ID. |
| Primary IP address/mask | Primary IP address and subnet mask of the virtual interface. |

Step 3 Configure DHCP.


1. Select the search criteria and search for the items that meet the requirements. Click Create to create
an IP address pool and set parameters described in Table 3-12.

2. In the IP Pool List area, click on the right side of the IP address pool to modify its
configurations. For description of the parameters, see Table 3-12.

3. Click Next.

Table 3-12 IP address pool parameters

| Parameter | Description |
| --- | --- |
| DHCP | Whether DHCP is enabled. By default, DHCP is disabled. |
| IP pool type | IP address pool type. |
| IP pool name | Name of a global IP pool. The value is a string of 1 to 64 characters without spaces. A combination of digits, letters, underscores (_), and dots (.) is allowed. |
| Subnet address | Network segment that can be allocated in the global IP pool. |
| Subnet mask | Subnet mask of the IP address assigned to the DHCP client, that is, subnet mask of the selected interface. The gateway IP address and the subnet mask identify an IP pool of the interface. |
| Vendor-defined | User-defined option for the global IP pool. The options are as follows: • none: The user-defined option is not configured for the interface IP pool. • hex: Specifies the user-defined option code as a hexadecimal number. • sub-option: Specifies the value of the user-defined sub-options and configures the parameter of the sub-options. NOTE: • The vendor-defined option can only be set to hex or sub-option. • If the value of the sub-option is 1, the sub-option can only be set to hex. • If the value of the sub-option is 2, the sub-option can only be set to ip-address. • If the value of the sub-option is 3, the sub-option can only be set to ascii and only an IP address such as 10.1.1.1 can be entered. |
| Gateway IP | Egress gateway address of the global IP pool. |
| Interface used by IP pool | Interface used by the IP pool. Users who go online from this interface can obtain configuration information such as IP addresses from the global IP pool. |
| Forbidden IP | IP address that will not be dynamically allocated to clients. When IP addresses are assigned to other servers such as DNS servers, the IP addresses cannot be assigned to DHCP clients. Specify these IP addresses as forbidden IP addresses. This operation avoids IP address conflicts and shortens the IP address detection time during IP address assignment, which improves DHCP efficiency. Perform the following operations to add or delete forbidden IP addresses: • Adding forbidden IP addresses: Set the start and end IP addresses and click . To add multiple forbidden IP addresses or IP address segments, repeat this operation. • Deleting forbidden IP addresses: Select the check boxes of forbidden IP addresses or select the check box next to Forbidden IP, and click . |

Step 4 Configure the AC.


1. On the Configure AC tab page, set parameters described in Table 3-13.

2. Click Next.

Table 3-13 AC configuration parameters

| Parameter | Description |
| --- | --- |
| ID | For details, see Table 3-99 in 3.8.1.1 AC Configuration. |
| Country code | For details, see Table 3-99 in 3.8.1.1 AC Configuration. |
| AP authentication mode | For details, see Table 3-99 in 3.8.1.1 AC Configuration. |
| Add APs | If the AP authentication mode is set to MAC or SN authentication, you can add APs offline. • Manual: Enter the MAC address or SN of an AP to add the AP offline. • Batch import from a local file: Configure an AP's MAC address or SN in a local file and import the MAC address or SN to the AC from the local file. |
| AC source address | For details, see Table 3-99 in 3.8.1.1 AC Configuration. |
| Forwarding mode | Forwarding mode of the AC. |

NOTE
For Batch import from a local file: The file is in .txt format and contains rows of MAC addresses or SNs. Each row provides one MAC address or SN. The following example is a file containing rows of MAC addresses.
60de-4474-9640
60de-4474-9680
dcd2-fc9a-2110

Step 5 Confirm the settings.


1. You can check the detailed information about AP login.

2. Click Finish. The AP Online Configuration Wizard configuration is complete.

----End

3.4.3 WLAN Wizard


This section describes how to configure wireless devices using the WLAN wizard.

Context
The WLAN wizard allows you to configure only common wireless services. Other
configurations (for example, configuring an AC or creating a VLAN) must be performed in
corresponding service modules.


Procedure
Step 1 Configure APs.
1. Choose Config Wizard > WLAN Wizard.

2. On the Configure AP tab page that is displayed, set Search and click Go. The AP matching
the search criteria is displayed. Table 3-14 describes the parameters for searching for APs.
Alternatively, you can click Create or Batch Add, set parameters in the Create AP dialog
box, and click OK. An AP is created. Table 3-15 describes the parameters.

3. Select the APs to configure. APs on different pages can be selected simultaneously.
4. Click Next.

Table 3-14 Parameters for searching for APs

| Parameter | Description |
| --- | --- |
| AP ID | Search for the AP based on the AP ID. |
| AP Name | Search for the AP based on the AP name. |
| AP Status | Search for the AP based on the AP status. The options are as follows: • autofind • commitFailed: The WLAN service configuration fails to be committed. • committing: The WLAN service configuration is being committed. • config: The AP is initializing the configuration. • configFailed: The AP fails to initialize the configuration. • download: The AP is downloading the upgrade software. • fault: The AP is faulty. • idle: The AP is idle. • normal: The AP is functioning properly. • standby: The AP is in standby state on the standby AC. • typeNotMatch: The AP type is not supported by the AC. • vermismatch: The AP's version does not match the AC's. |
| AP Type | Search for the AP based on the AP type. |
| MAC Address | Search for the AP based on the AP MAC address. |
| SN | Search for the AP based on the AP SN. |
| AP Profile Name | Search for the AP based on the AP profile name. |
| AP Region ID | Search for the AP based on the AP region ID. |

Table 3-15 Parameters for creating an AP

| Parameter | Description |
| --- | --- |
| AP ID | ID of a new AP. |
| AP type | Type of the AP. |
| MAC address | MAC address of the AP, in H-H-H format. NOTE: When the authentication mode is non-authentication on the AC, you must set MAC address or SN. When the authentication mode is MAC address authentication on the AC, you must set MAC address. |
| SN | SN of the AP. NOTE: When the authentication mode is non-authentication on the AC, you must set MAC address or SN. When the authentication mode is SN authentication on the AC, you must set SN. |
| Addition mode | Modes of adding APs. APs can be added manually or imported in batches from a local file. • Manual: Enter the MAC address or SN of an AP to add the AP offline. • Batch import from a local file: Configure an AP's MAC address or SN in a local file and import the MAC address or SN to the AC from the local file. |
| File name | Local file that contains the MAC address or SN of an AP. |

NOTE
For Batch import from a local file: The file is in .txt format and contains rows of MAC addresses or SNs. Each row provides one MAC address or SN. The following example is a file containing rows of MAC addresses.
60de-4474-9640
60de-4474-9680
dcd2-fc9a-2110

Step 2 Configure radios.

1. On the Configure Radio tab page that is displayed, set parameters described in Table
3-16.

2. Click Next.


Table 3-16 Configuring radios for the WLAN Service

| Parameter | Description |
| --- | --- |
| Radio | Radio of the WLAN. |
| Radio profile | Radio profile. |
| Channel bandwidth | Channel bandwidth of the specified radio on the AP. When multiple APs are selected, this parameter is configurable only when the APs are in the same AP region. NOTE: By default, a radio channel works at 20 MHz. |
| Channel | Channel of the specified radio on the AP. NOTE: After an AP region is configured, this parameter can be set to a channel supported by the AP region. To avoid signal interference, ensure that neighboring APs work on different channels. |
| Power level | Power level of a specified radio on the AP. By default, the power level of a radio is 0, indicating full power. The power level depends on the AP type. The power decreases by 1 dBm each time the power level value increases by one. |

Step 3 Configure the security policy.


1. Select or enter parameters. For description of the parameters, see Table 3-17.

2. Click Next.


Table 3-17 Security policy parameters

| Parameter | Description |
| --- | --- |
| Authentication method | Authentication method. Five authentication methods are available. • No authentication: users are not authenticated. • MAC: MAC address authentication is used. • 802.1x: 802.1x authentication is used. • External Portal server: external Portal authentication is used. • Built-in Portal server: built-in Portal authentication is used. |
| Authentication mode | Authentication mode. You can choose the authentication mode after choosing the authentication method. • Local: Users' authentication information is saved on the local device and needs to be added manually. For description of the parameters, see 3.12.3.1 AAA Scheme. • RADIUS: Users' authentication information is saved on the remote RADIUS server. An independent RADIUS server needs to be deployed. For description of the parameters, see 3.12.3.3 RADIUS Configurations. |
| External Portal server | If the authentication method is external Portal server, configure parameters for the remote Portal server. For description of the parameters, see 3.12.10.1 External Portal Server and 3.7.1.5 VLANIF Port. |
| Built-in Portal server | If the authentication method is built-in Portal server, configure parameters for the built-in Portal server. For description of the parameters, see 3.12.10.2 Built-in Portal Server. |

Step 4 Configure WLAN services.

1. On the Configure WLAN Service tab page that is displayed, set Search and click Go. The
service set matching the search criteria is displayed. Alternatively, you can click Create,
set parameters in the Create Service Set dialog box that is displayed, and click OK.
2. Set service set parameters. For details about the parameters, see Table 3-18 and Table
3-19.


3. Click Next.

Table 3-18 Parameters for searching for WLAN Service sets

| Parameter | Description |
| --- | --- |
| Service Set Name | Search for the service set based on the service set name. |
| Associated SSID | Search for the service set based on the associated SSID. |
| Service VLAN | Search for the service set based on the bound service VLAN. |
| Security Profile | Search for the service set based on the bound security profile. |
| Traffic Profile | Search for the service set based on the bound traffic profile. |
| ESS Interface | Search for the service set based on the bound ESS interface. |
| Forwarding Mode | Search for the service set based on the forwarding mode. |

Table 3-19 Parameters for creating a WLAN Service set

| Parameter | Description |
| --- | --- |
| Service set name | Name of a service set. |
| Associated SSID | SSID of the service set. |
| Service VLAN | Service VLAN bound to the service set. |
| Traffic profile | Traffic profile bound to the service set. By default, the service set is bound to the traffic profile named default. For details about traffic profile parameters, see Table 3-114 in 3.8.5.2 Traffic Profile. |
| Security profile | Security profile bound to the service set. By default, the service set is bound to the security profile named default. For details about security profile parameters, see Table 3-115 in 3.8.5.3 Security Profile. NOTE: When PSK authentication is used, attackers may use a brute-force method to crack the PSK. To reduce security risks, you are advised to enable detection of brute force PSK cracking and dynamic blacklist on the WIDS configuration page. Note the following when the radio type is set to 802.11n: • The authentication mode cannot be set to WEP in the security profile. • The encryption mode cannot be TKIP if the authentication mode is set to WPA or WPA2 in the security profile. |
| ESS interface | ESS interface bound to the service set. For details about ESS interface parameters, see Table 3-116 in 3.8.5.4 ESS Interface. |
| Forwarding mode | Data forwarding mode. |
| Tunnel forwarding protocol | Protocol used for tunnel forwarding. |
| Address learning | Whether to enable STA address learning. |
| Strict address learning | Whether to enable strict STA IP address learning through DHCP. |
| IPSG | Whether to enable IP source guard. |
| SSID Hiding | Whether to hide the SSID. |
| User isolation | Whether to enable user isolation. |
| Offline management | Whether to enable offline management. |
| Service set type | Type of the service set. |
| Maximum user count | Maximum number of access users. |
| Connection time-out | Association aging time of STAs. |
| STA blacklist/whitelist profile | Whether to enable the STA blacklist or whitelist function. |
| STA whitelist profile | Name of a STA whitelist profile. |
| STA blacklist profile | Name of a STA blacklist profile. |


Step 5 Confirm the settings.


1. On the Confirm Settings tab page that is displayed, confirm detailed settings for WLAN
config wizard.

2. Click Finish.

----End
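
The batch-import file described for Add APs in Table 3-13 and for Addition mode in Table 3-15 is the list of APs the AC will accept under MAC or SN authentication, so it is worth checking before it is imported. The following Python check is an added example, not part of the Huawei guide; it assumes four hex digits per H-H-H group (as in the guide's sample rows) and a plain alphanumeric SN format, and every row in SAMPLE other than the guide's three MAC addresses is constructed.

```python
import re
from dataclasses import dataclass, field

# MAC notations commonly seen in inventory exports (matched on lower-cased text).
MAC_NOTATIONS = re.compile(
    r"(?:[0-9a-f]{4}[-.]){2}[0-9a-f]{4}"    # 60de-4474-9640 (the guide's H-H-H rows)
    r"|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}"   # 60:de:44:74:96:40
    r"|[0-9a-f]{12}"                        # 60de44749640
)
# Assumption: an SN is a plain alphanumeric token; the guide does not define its format.
SN_FORMAT = re.compile(r"[A-Za-z0-9]+")


@dataclass
class Report:
    entries: list = field(default_factory=list)    # normalised rows, ready to import
    problems: list = field(default_factory=list)   # (line number, raw row, reason)


def normalise_mac(token):
    """Return token as an H-H-H MAC (four hex digits per group), or None."""
    lowered = token.lower()
    if not MAC_NOTATIONS.fullmatch(lowered):
        return None
    digits = re.sub(r"[-.:]", "", lowered)
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def check_import_file(text, mode="mac"):
    """Validate a batch-import file; mode is "mac" or "sn" to match the AC's
    AP authentication mode. Nothing is sent to a device."""
    if mode not in ("mac", "sn"):
        raise ValueError("mode must be 'mac' or 'sn'")
    report, first_seen = Report(), {}
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        token = raw.strip()
        if not token:
            continue                                  # blank rows carry no entry
        reason = None
        if len(token.split()) > 1:
            reason = "more than one value on the row"
        elif mode == "mac":
            value = normalise_mac(token)
            if value is None:
                reason = "not a MAC address"
            elif int(value[:2], 16) & 1:
                # I/G bit set: multicast or broadcast, never a device's own address
                reason = "group address, not a unicast MAC"
            elif value == "0000-0000-0000":
                reason = "all-zero MAC address"
        elif SN_FORMAT.fullmatch(token):
            value = token.upper()
        else:
            reason = ("MAC address in an SN file" if normalise_mac(token)
                      else "not a serial number")
        if reason is None and value in first_seen:
            reason = f"duplicate of line {first_seen[value]}"
        if reason:
            report.problems.append((line_no, token, reason))
            continue
        first_seen[value] = line_no
        report.entries.append(value)
    return report


# Constructed sample: the guide's three MAC rows plus deliberately bad rows.
SAMPLE = (
    "\ufeff60de-4474-9640\n"            # byte-order mark left by some editors
    "60DE-4474-9680 \n"                # upper case, trailing space
    "\n"
    "dc:d2:fc:9a:21:10\n"              # the guide's third MAC in colon notation
    "60de-4474-9640\n"                 # duplicate of the first row
    "0100-5e00-0001\n"                 # multicast address
    "2102310ABC\n"                     # constructed SN-like token in a MAC file
    "ffff-ffff-ffff\n"                 # broadcast address
    "60de-4474-9640 60de-4474-9680\n"  # two values on one row
)

if __name__ == "__main__":
    result = check_import_file(SAMPLE, mode="mac")
    print("\n".join(result.entries))
    for line_no, row, reason in result.problems:
        print(f"line {line_no}: {row!r}: {reason}")
```

Write `result.entries`, one per row, to the .txt file that is imported only when `result.problems` is empty, so the list accepted by the AC is exactly the reviewed inventory.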

3.4.4 WDS Wizard


The WDS Wizard helps you quickly complete WDS configurations step by step, allowing APs
to set up WDS connections.

Procedure
Step 1 Select AP
1. Choose Config Wizard > WDS Wizard. The WDS Wizard page is displayed.

2. Add APs.
• Click Create. One AP is created.

• Click Batch Add and select Manual or Batch import from a local file. One or more
APs are added.


Table 3-20 Parameters for creating an AP

Parameter: Description

AP ID: ID of a new AP.

AP type: Type of the AP.

MAC address: MAC address of the AP, in H-H-H format.
NOTE
When the authentication mode is non-authentication on the AC, you must set MAC address or SN. When the authentication mode is MAC address authentication on the AC, you must set MAC address.

SN: SN of the AP.
NOTE
When the authentication mode is non-authentication on the AC, you must set MAC address or SN. When the authentication mode is SN authentication on the AC, you must set SN.


Addition mode: Modes of adding APs. APs can be added manually or imported in batches from a local file.
- Manual: Enter the MAC address or SN of an AP to add the AP offline.
- Batch import from a local file: Configure an AP's MAC address or SN in a local file and import the MAC address or SN to the AC from the local file.
NOTE
The file is in .txt format and contains rows of MAC addresses or SNs. Each row provides one MAC address or SN. The following example is a file containing rows of MAC addresses.
60de-4474-9640
60de-4474-9680
dcd2-fc9a-2110

File name: Local file that contains the MAC address or SN of an AP.

3. Set the search criteria and click Go. All APs matching the search conditions are displayed.
For details, see Table 3-21. Select APs to be configured and click Next.
NOTE
This section provides the procedure for configuring root APs. The procedures for configuring middle and leaf APs are similar to that for root APs.

Table 3-21 Parameters for searching for APs

Parameter: Description

AP ID: Search for the AP based on the AP ID.

AP Name: Search for the AP based on the AP name.


AP Status: Search for the AP based on the AP status. The options are as follows:
- autofind
- commitFailed: The WLAN service configuration fails to be committed.
- committing: The WLAN service configuration is being committed.
- config: The AP is initializing the configuration.
- configFailed: The AP fails to initialize the configuration.
- download: The AP is downloading the upgrade software.
- fault: The AP is faulty.
- idle: The AP is idle.
- normal: The AP is functioning properly.
- standby: The AP is in standby state on the standby AC.
- typeNotMatch: The AP type is not supported by the AC.
- vermismatch: The AP's version does not match the AC's.

AP Type: Search for the AP based on the AP type.

MAC Address: Search for the AP based on the AP MAC address.

SN: Search for the AP based on the AP SN.

AP Profile Name: Search for the AP based on the AP profile name.

AP Region ID: Search for the AP based on the AP region ID.
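
The batch import file described in Table 3-20 can be checked before it is uploaded. The following is an added example, not part of the original guide or of Huawei software: it validates each row against the H-H-H MAC format and against the AP authentication mode on the AC. The function name, the `auth_mode` values and the loose SN pattern are assumptions, because the guide does not define the SN syntax.

```python
import re

# MAC address in the H-H-H form shown on the page: three groups of four hex digits.
MAC_HHH = re.compile(r"^[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2}$")
# Twelve hex digits in some other common layout (colon, dot, dash or no separator).
MAC_OTHER = re.compile(r"^(?:[0-9a-fA-F]{2}[:.\-]?){5}[0-9a-fA-F]{2}$")
# Assumption: the page does not define the SN syntax, so any run of letters
# and digits is accepted as an SN.
SN = re.compile(r"^[0-9A-Za-z]+$")


def check_import_file(text, auth_mode):
    """Validate the body of a batch-import .txt file.

    auth_mode is the AP authentication mode configured on the AC:
    "mac", "sn" or "none" (non-authentication, where either kind is allowed).
    Returns (entries, problems): accepted (kind, value) pairs and a list of
    (line number, reason) for every rejected row.
    """
    if auth_mode not in ("mac", "sn", "none"):
        raise ValueError("auth_mode must be 'mac', 'sn' or 'none'")
    entries, problems, first_seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        row = raw.strip()
        if not row:
            continue  # blank rows carry no AP and are skipped
        if MAC_HHH.match(row):
            kind, value = "mac", row.lower()
            if value == "0000-0000-0000":
                problems.append((lineno, "all-zero MAC address"))
                continue
            # The low bit of the first octet marks a group (multicast or
            # broadcast) address, which cannot identify a single AP.
            if int(value[:2], 16) & 1:
                problems.append((lineno, "group MAC address"))
                continue
        elif MAC_OTHER.match(row):
            # Checked before the SN pattern so that a MAC typed without
            # hyphens is not silently imported as a serial number.
            problems.append((lineno, "MAC address not in H-H-H format"))
            continue
        elif SN.match(row):
            kind, value = "sn", row
        else:
            problems.append((lineno, "neither a MAC address nor an SN"))
            continue
        if auth_mode != "none" and kind != auth_mode:
            problems.append(
                (lineno, f"{kind} row, but the AC uses {auth_mode} authentication"))
            continue
        if (kind, value) in first_seen:
            problems.append((lineno, f"duplicate of row {first_seen[(kind, value)]}"))
            continue
        first_seen[(kind, value)] = lineno
        entries.append((kind, value))
    return entries, problems


# Constructed sample: the first three rows are the page's example file; the
# remaining rows are made-up mistakes.
SAMPLE = """\
60de-4474-9640
60de-4474-9680
dcd2-fc9a-2110
60DE-4474-9640
60:de:44:74:96:40
0100-5e00-0001
EXAMPLESN0001
"""

if __name__ == "__main__":
    accepted, rejected = check_import_file(SAMPLE, "mac")
    for kind, value in accepted:
        print("ok  ", kind, value)
    for lineno, reason in rejected:
        print("row", lineno, "rejected:", reason)
```

A row of twelve hex digits without hyphens is rejected as a malformed MAC address rather than accepted as an SN, which is deliberately conservative.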

Step 2 Configure Radio


1. To configure the frequency band for WDS bridges, set Radio to 2.4 GHz or 5 GHz.
2. Configure radio profiles for WDS bridges.

a. Click of Radio profile. The Radio Profile page is displayed.


b. Click Create. A radio profile is created. See Table 3-22 for description of radio profile
parameters.

Table 3-22 Description of radio profile configuration parameters

Parameter: Description

Profile name: Name of a radio profile.

Channel mode: Channel mode of the radio. An AP supports the following channel modes:
- auto: Allows an AP to select a channel for a radio based on the WLAN radio environment. In automatic mode, you do not need to specify channels for radios.
- fixed: Provides users with an alternative way when they want to specify channels by themselves or to avoid frequent channel adjustment (this may cause intermittent service interruption).
- If the radio bound to the current radio profile is only used for WDS or Mesh links, you are advised to use the fixed mode.


Power mode: Power mode of the radio. An AP supports the following power modes:
- auto: The AP selects the transmit power for a radio based on the WLAN radio environment.
- fixed: The transmit power for a radio must be set by users.

Calibration status: Whether to enable radio calibration.
A radio profile on which radio calibration is enabled can dynamically adjust the channels and power of an AP, enabling the AP radios bound to the radio profile to adjust automatically to ensure the AP works in its best state.
NOTE
If the radio bound to the current radio profile is only used for WDS or Mesh links, you are advised to disable radio calibration to prevent unstable WDS or Mesh link status.

Calibration interval: Calibration interval of the radio.
An AP checks the radio environment at the specified interval. If the radio environment deteriorates, the AP calibrates radio parameters.

Probe interval: Probe interval for radio calibration. The AP detects the radio environment at regular probe intervals.

WMM profile: WMM profile to which the radio profile is bound.

Basic Rate Set: Configure the basic rate set of the 802.11bg protocol or the 802.11a protocol in the radio profile.
All rates specified in the basic rate set must be supported by both the AP and STA; otherwise, the STA cannot associate with the AP.

Support Rate Set: Configure the supported rate set of the 802.11bg protocol or the 802.11a protocol in the radio profile.
The supported rate set contains rates supported by the AP, except the basic rates. The AP and STA can transmit data at all rates specified by the supported rate set.

Multicast Rate: Configure the radio multicast rate.
If the configured multicast rate is not in the basic rate set and the STA does not support this rate, the STA cannot receive multicast data.


- Maximum MCS for spatial stream 1
- Maximum MCS for spatial stream 2
- Maximum MCS for spatial stream 3
Configure the maximum MCS value for the 802.11ac protocol in the radio profile.
A larger MCS value indicates a higher transmission rate.

STA access control: STA access control. This feature allows an AP to control user access based on the thresholds specified according to the radio channel usage and number of online users, which enables provision of quality network access services.
- By STA quantity: STA access control by STA quantity is less accurate but uses a simple algorithm. This implementation mode is recommended when most users have the same type of services and similar service traffic volumes.
- By channel usage: STA access control by channel usage uses a complex algorithm but is accurately implemented to ensure service quality. This implementation mode is recommended when service types and traffic volumes differ greatly among users.
- Disable: STA access control is disabled.
NOTE
If the radio bound to the current radio profile is only used for WDS or Mesh links, STA access control can be disabled.

Access threshold: Threshold for access of new users.
When a new user connects to the AP, the AP checks whether the current channel usage or the number of online users reaches the threshold. If so, the AP denies access of the new user.


Roaming threshold: Threshold for access of roaming users.
When a user roams to the AP, the AP checks whether the current channel usage or the number of online users reaches the threshold. If so, the AP denies access of the user.

Hide SSID when reaching threshold: Automatic SSID hiding. To prevent new users from discovering the AP's SSID and sending association requests, configure automatic SSID hiding so that the AP radio stops advertising SSIDs.

PER threshold: Packet loss rate threshold for radio calibration.
When the packet loss rate of a radio reaches the threshold, the AP considers that the radio environment has deteriorated and reports alarms to the AC. If radio calibration is enabled, the AP calibrates radio parameters.

Conflict rate threshold: Conflict rate threshold for radio calibration.
When the conflict rate of a radio reaches the threshold, the AP considers that the radio environment has deteriorated and reports alarms to the AC. If radio calibration is enabled, the AP calibrates radio parameters.

RTS/CTS mode: Request To Send/Clear To Send (RTS/CTS) handshake protocol, that is, RTS/CTS mode.
The RTS/CTS handshake protocol avoids data transmission failures caused by channel conflicts. However, if STAs perform RTS/CTS handshakes each time before sending data, there will be a large number of RTS frames that consume the channel bandwidth. Therefore, the cts-to-self mode is recommended.
- cts-to-self: Sets the RTS-CTS operation mode to cts-to-self.
- rts-cts: Sets the RTS-CTS operation mode to RTS-CTS.
- disable: Disables RTS-CTS.

RTS/CTS threshold: RTS/CTS threshold.
NOTE
If STAs perform RTS/CTS handshakes each time before sending data, there will be a large number of RTS frames that consume the channel bandwidth. To prevent this problem, set the RTS threshold and maximum number of retransmission attempts for frames. The RTS threshold specifies the length of data frames. When the length of data frames sent by a STA is smaller than the RTS threshold, no RTS/CTS handshake is performed. The default RTS threshold is recommended.


Fragmentation threshold: Fragment threshold. If the length of a frame to be sent by the 802.11 MAC layer exceeds this threshold, the frame is fragmented before being sent.
- When the packet fragmentation threshold is too small, packets are fragmented into smaller frames. These frames are transmitted at a high extra cost, resulting in low channel efficiency.
- When the packet fragmentation threshold is too large, long packets are usually not fragmented, which increases the transmission time and error probability. If an error occurs, packets are retransmitted, resulting in a waste of channel bandwidth. A large threshold is recommended.

Short frame retry count: Maximum number of retransmission attempts for frames smaller than or equal to the RTS threshold.
A short frame is a MAC-layer frame that is no longer than the RTS/CTS threshold. If no ACK message is received after the number of retransmissions of a short frame exceeds the maximum value, the short frame is discarded.

Long frame retry count: Maximum number of retransmission attempts for frames exceeding the RTS threshold.
A long frame is a MAC-layer frame that is longer than the RTS/CTS threshold. If no ACK message is received after the number of retransmissions of a long frame exceeds the maximum value, the long frame is discarded.

Support short preamble: Whether an AP supports short preamble.
The preamble is a section of bits in the header of a data frame. It synchronizes signals transmitted between the sender and receiver and can be either a short preamble or a long one.
- A short preamble ensures better synchronization performance and therefore is recommended.
- A long preamble is usually used for compatibility with earlier network adapters of clients.


DTIM interval: Delivery traffic indication message (DTIM) interval in the radio profile.
The DTIM interval specifies how many Beacon frames are sent by an AP before the Beacon frame that contains the DTIM. The Beacon frame carrying DTIM wakes an STA in power-saving mode, and transmits the broadcast and multicast frames saved on the AP to the STA.
- A short DTIM interval helps transmit data in a timely manner, but the STA is woken frequently, causing high power consumption.
- A long DTIM interval lengthens the dormancy time of an STA and saves power, but degrades the transmission capability of the STA.

Beacon interval: Interval at which an AP sends Beacon frames.
A Beacon frame is a broadcast frame sent at intervals. An AP sends Beacon frames at intervals to notify STAs of an existing 802.11 network.

Interference detect switch: Whether to enable interference detection.
WLAN wireless channels are often affected by the radio environment, and the service quality is therefore degraded. If interference detection is configured, an AP can know the radio environment in real time and report alarms to the AC.

Threshold for co-channel interference: Alarm threshold for co-channel interference.
Two APs working in the same frequency band interfere with each other. For example, on a large-scale WLAN such as a university campus network, different APs often use the same channel. When there are overlapping areas among these APs, co-channel interference exists, degrading network performance. After interference detection is enabled, an AP can detect co-channel interference. When the co-channel interference detected exceeds the specified alarm threshold, the AP reports alarms to the AC.

Threshold for adjacent-channel interference: Alarm threshold for adjacent-channel interference.
Adjacent-channel interference occurs when two APs with different center frequencies have overlapping areas. Therefore, if APs are placed too close to each other or they have strong signals, more noise will be produced, degrading network performance. After interference detection is enabled, an AP can detect adjacent-channel interference. When the adjacent-channel interference detected exceeds the specified alarm threshold, the AP reports alarms to the AC.


Threshold for STA interference: Alarm threshold for STAs not managed by the local AP.
If there are too many STAs that are managed by other APs around the local AP, services of the STAs managed by the local AP may be affected. After interference detection is enabled, the AP can detect STAs managed by other APs. When the number of STAs detected exceeds the specified alarm threshold, the AP reports alarms to the AC.

Radio device report duration: Interval at which an AP reports information about radio devices to the AC.
An AP keeps detecting information about radio devices. At the report interval, the AP reports the information detected to the AC, deletes the information that has been reported, and starts the next round of detection.

Wifi-light mode: Status of the Wireless LED on the AP.
On a WDS network or a mesh network, you need to adjust AP locations and antenna directions to obtain optimal signal strength between WDS-capable or mesh-capable APs. The blinking frequency of the Wireless LED shows the signal strength, so that the installation personnel can know the current signal strength in real time.
NOTE
This command takes effect only when the AP has the WDS or mesh function enabled. If the WDS and mesh functions are disabled on the AP, the Wireless LED always shows service traffic volume.

Beamforming status: Whether to enable the beamforming function.
Beamforming can enhance signals at an angle (for target users), attenuate signals at another angle (for non-target users or obstacles), and extend the radio coverage area.
If nodes on the WDS or Mesh network are fixed and distant from each other, enable Beamforming to increase WDS or Mesh link SNR. Mobile nodes may cause low link SNR in WDS or Mesh scenarios, for example, fast revertive switchover of Mesh links in train-ground communication scenarios. To prevent this problem, disable Beamforming.
NOTE
APs that support beamforming include the AP6x10SN/DN (excluding AP6310SN-GN), AP5x10xN, and AP7x10xN series.

802.11n guard interval mode: Configure the 802.11n guard interval (GI) mode.
There are two types of GI: short GI and normal GI. When configuring 802.11n, you can configure the normal GI in 802.11a/g or short GI in 802.11n. The short GI reduces the extra cost and improves the transmission rate.


802.11n A-MPDU status: Enable the 802.11n MAC Protocol Data Unit (MPDU) aggregation function.
An 802.11 packet is sent as an MPDU, requiring channel competition and backoff and consuming channel resources. The 802.11n MPDU aggregation function aggregates multiple MPDUs into an aggregate MAC Protocol Data Unit (A-MPDU), so that N MPDUs can be transmitted through one channel competition and backoff. This function saves the channel resources to be consumed for sending N-1 MPDUs. The MPDU aggregation function improves channel efficiency and 802.11 network performance.
NOTE
It is recommended that you enable MPDU aggregation when configuring WDS or Mesh services.

802.11n A-MPDU length: Configure the maximum length of an 802.11n A-MPDU.

802.11ac guard interval mode: Configure the 802.11ac guard interval (GI) mode.
There are two types of GI: short GI and normal GI. When configuring 802.11ac, you can configure the normal GI or short GI in 802.11ac. The short GI reduces the extra cost and improves the transmission rate.

802.11ac A-MPDU length: Configure the maximum length of an 802.11ac A-MPDU.

Channel switch announcement status: Whether to enable channel switch announcement.
When the AP works on a Depth First Select (DFS) channel, a radar detection is performed. The AP automatically switches to another channel because the DFS channel frequency may interfere with the radar frequency. After channel switch announcement is enabled, if an AP needs to switch the channel, the AP sends action frames to instruct the STA to switch its channel after several Beacon intervals, and the AP switches its channel after the same number of Beacon intervals. The AP and STAs switch channels at the same time to prevent STA reassociations and ensure rapid service recovery.
NOTE
If the radio bound to the current radio profile is only used for WDS or Mesh links, STA access control can be disabled.


Channel switch announcement mode: Channel switch announcement mode.
During channel switching, STA communication is interrupted. The administrator can stop an associated STA sending data on the current channel until channel switching is complete. Alternatively, data transmission from STAs can be continued on the current channel before channel switching is complete.
- continue-transmitting: Continues data transmission on the current channel during channel switching.
- stop-transmitting: Stops data transmission from STAs on the current channel during channel switching.

Signal strength detection for incoming signals: Whether to enable signal strength detection for incoming STA signals.
On a WLAN, an AP may receive weak radio signals from some STAs. After associating with the AP, these STAs work at a low rate, affecting the network throughput. The function that restricts access of weak-signal STAs can prevent STAs, whose signal strength is lower than the specified value, from accessing the WLAN, reducing the impact of these STAs on others and improving WLAN performance.
NOTE
In the case of good WLAN signal coverage, this function can be used to restrict WLAN access of weak-signal STAs at the edge of the coverage area.

Signal strength threshold: Signal strength threshold to restrict access of weak-signal STAs.
In the case that signal strength detection for incoming STA signals is enabled, when an STA discovers an AP by scanning, the STA sends a Probe Request frame containing Received Signal Strength Indicator (RSSI) to an AP. After receiving the Probe Request frame, the AP obtains the RSSI value. If the RSSI value is less than the threshold, the AP does not respond to the request frame and the association attempt of the STA fails, which restricts WLAN access of weak-signal STAs.


Forced logout of STAs based on the signal strength: Whether to force weak-signal STAs to log out.
On a traditional WLAN, when a STA is farther from an AP, the access rate of the STA becomes lower but the STA still associates with the AP without reinitiating a connection with the AP or roaming to another AP. This degrades user experience.
To solve this problem, configure the function that forces weak-signal STAs to log out. When an AP detects that the signal strength of a STA is lower than the configured lower threshold, the AP sends a Disassociation packet to the STA so that the STA can reinitiate a connection with the AP or roam to another AP.
In the case of good WLAN signal coverage, this function can force weak-signal STAs at the edge of the coverage area to log out and reconnect to the WLAN.

Threshold for forced logout of STAs based on the signal strength: Lower threshold for the STA signal strength.
After the function of forcing logout of weak-signal STAs is enabled, the AP forces STAs to log out based on the configured signal strength threshold. When an AP receives a STA's data packet, the AP learns the STA's signal strength from the data packet. If the STA's signal strength is lower than the configured threshold, the AP sends a Disassociation frame to the STA so that the STA can reinitiate a connection with the AP or roam to another AP with strong signals.

Background neighbor probing: Background neighbor probing helps you learn status of all channels on the WLAN network.
If background neighbor probing is enabled, an AP determines whether to switch to another channel for neighbor probing every 10 s based on the service traffic volume and threshold of user quantity. If the channel switching condition is met (the number of users or traffic on the channel does not exceed the threshold), the AP switches to the new channel. The AP then listens for Beacon frames on the new channel and saves the probing result. After 60 ms, the AP switches back to the original channel.
NOTE
If the radio bound to the current radio profile is only used for WDS or Mesh links, STA access control can be disabled.

Service threshold for background neighbor probing: Service threshold for background neighbor probing configured on an AP.
After the background neighbor probing is enabled, an AP determines whether the current service traffic volume exceeds the threshold during the background neighbor probing. If the volume does not exceed the threshold, the AP automatically switches to a different channel; otherwise, it does not switch its channel.
Service traffic volume = (Sum of bytes received and sent by an AP within a period)/(Theoretical sending and receiving rate of the AP within a period) x 100%


User threshold for background neighbor probing: User threshold for background neighbor probing configured on an AP.
After the background neighbor probing is enabled, an AP determines whether the current user number exceeds the threshold during the background neighbor probing. If the number does not exceed the threshold, the AP automatically switches to a different channel; otherwise, it does not switch its channel.

Radio device synchronization duration: Interval at which an AP reports all the radio device information to an AC.
An AP reports the radio device information to the AC in two modes:
- The AP immediately sends information about added, deleted, or modified radio devices.
- The AP periodically sends all the radio device information.
To ensure that the detected device information saved on APs and the AC is the same, you can configure a radio device synchronization duration to periodically synchronize the detected radio device data saved on them.

Forced logout of STAs based on the rate: Whether to force low-rate STAs to log out.
On a traditional WLAN, when a STA is farther from an AP, the access rate of the STA becomes lower but the STA still associates with the AP without reinitiating a connection with the AP or roaming to another AP. This degrades user experience.
To solve this problem, configure the function that forces low-rate STAs to log out. When an AP detects that the access rate of a STA is lower than the specified access rate, the AP sends a Disassociation packet to the STA so that the STA can reinitiate a connection with the AP or roam to another AP.
When APs are densely deployed, the WLAN has good signal coverage. In such a case, this function can be used to force logout of low-rate STAs at the edge of the AP's coverage area so that the STAs can reassociate with APs with strong signals, which ensures good service experience.

Threshold for forced logout of STAs based on the rate: Lower threshold for the STA access rate.
After the function of forcing logout of low-rate STAs is enabled, the AP forces STAs to log out based on the configured access rate threshold. When an AP receives a STA's data packet, the AP learns the STA's access rate from the data packet. If the STA's access rate is lower than the configured threshold, the AP sends a Disassociation frame to the STA so that the STA can reinitiate a connection with the AP or roam to another AP with strong signals.


Airtime scheduling: Whether to enable airtime scheduling.
After airtime scheduling is enabled, the device collects statistics on the channel occupation time used by users connected to the same radio for sending packets, creates the mapping table for the channel occupation time of each user in accumulated mode, and establishes a sorted link table based on the time in an ascending order. Based on the mapping table, an AP transmits data with the user who occupies the channel for the shortest time, ensuring that each user can equally occupy the wireless channels. The data packets of high-speed users are transmitted quickly, which is not affected by the data transmission time of low-speed users. This improves the overall user experience.

c. Set the search criteria and click Go. All radio profiles matching the search conditions
are displayed. Select the radio profiles required for WDS bridges and click OK.
3. Select or enter other required parameters. For description of the parameters, see Table
3-23.

Table 3-23 Description of radio configuration parameters

Parameter: Description

Radio: Specifies the radio of the WDS links.

Radio profile: Specifies the radio profile to which the WDS link radio is bound.

Channel bandwidth: Specifies the channel bandwidth of the WDS link radio. You are advised to use large channel bandwidth.

Channel: Specifies the channel of the WDS link radio.


Power level: Specifies the power level of the WDS link radio.
By default, the power level of a radio is 0, indicating full power. The actual power is determined by the AP type. Each time the AP's power level goes one level higher, its power decreases by 1 dBm.

4. Click Next.
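
The Airtime scheduling parameter in Table 3-22 describes serving the user with the least accumulated channel occupation time. The following simulation is an added example, not Huawei's implementation: it compares that rule with plain per-frame round robin for one fast and one slow STA. The PHY rates, the fixed 1500-byte frame size, always-backlogged STAs and the absence of contention overhead are assumptions made to keep the model small.

```python
import heapq

FRAME_BITS = 1500 * 8  # assumption: every frame carries 1500 bytes

# Constructed sample: PHY rates in Mbit/s for two STAs on the same radio.
SAMPLE_RATES = {"fast": 300, "slow": 6}
WINDOW_US = 100_000  # observe 100 ms of channel time


def frame_airtime_us(rate_mbps):
    """Microseconds of channel time one frame needs at the given PHY rate."""
    return FRAME_BITS / rate_mbps


def round_robin(rates, window_us):
    """Baseline without airtime scheduling: one frame per STA in turn."""
    used = {sta: 0.0 for sta in rates}
    frames = {sta: 0 for sta in rates}
    order = sorted(rates)
    clock, turn = 0.0, 0
    while order:
        sta = order[turn % len(order)]
        t = frame_airtime_us(rates[sta])
        if clock + t > window_us:
            break
        clock += t
        used[sta] += t
        frames[sta] += 1
        turn += 1
    return used, frames


def airtime_scheduling(rates, window_us):
    """Serve the STA with the least accumulated channel occupation time.

    The heap plays the role of the table sorted in ascending order of
    accumulated time; ties are broken by STA name.
    """
    used = {sta: 0.0 for sta in rates}
    frames = {sta: 0 for sta in rates}
    heap = [(0.0, sta) for sta in rates]
    heapq.heapify(heap)
    clock = 0.0
    while heap:
        occupied, sta = heapq.heappop(heap)
        t = frame_airtime_us(rates[sta])
        if clock + t > window_us:
            break
        clock += t
        used[sta] = occupied + t
        frames[sta] += 1
        heapq.heappush(heap, (used[sta], sta))
    return used, frames


def throughput_mbps(frames, window_us):
    """Delivered throughput per STA over the window, in Mbit/s."""
    return {sta: n * FRAME_BITS / window_us for sta, n in frames.items()}


if __name__ == "__main__":
    for name, scheduler in (("round robin", round_robin),
                            ("airtime scheduling", airtime_scheduling)):
        used, frames = scheduler(SAMPLE_RATES, WINDOW_US)
        print(name)
        for sta, mbps in throughput_mbps(frames, WINDOW_US).items():
            share = 100 * used[sta] / WINDOW_US
            print(f"  {sta}: {frames[sta]} frames, {mbps:.2f} Mbit/s, "
                  f"{share:.0f}% of airtime")
```

With round robin the slow STA holds almost all of the channel time and drags the fast STA down to its own frame count; with airtime scheduling each STA gets an equal share of channel time.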

Step 3 Configure WDS Network


1. Click Bridge Profile. A drop-down list box is displayed. Select Create to create a bridge
profile or select an existing bridge profile. See Table 3-24 for description of bridge profile
parameters.
NOTE
If a bridge profile already exists, click View All on the Create Bridge Profile page. Detailed parameters about the bridge profile are displayed. You can also click to edit the profile.

Table 3-24 Parameters for creating a bridge profile

Parameter: Description

Bridge profile name: Name of a bridge profile.

Bridge name: Name of a bridge. On a WDS network, connections between bridges are established using the bridge name.


Security profile: Security profile that a bridge profile is bound to.
NOTE
The security profile bound to a bridge profile must be WPA2+PSK+CCMP.
See 3.8.5.3 Security Profile for description of security profile parameters.

Tagged VLAN: A bridge is added to a VLAN or a group of VLANs in tagged mode.
To add a bridge to a VLAN, enter a VLAN ID in the Tagged VLAN text box, and click . If the VLAN ID is displayed in the text box below the Tagged VLAN text box, the bridge is added to the VLAN.
To delete a VLAN, enter a VLAN ID in the Tagged VLAN text box, and click . If the VLAN ID is removed from the text box below the Tagged VLAN text box, the VLAN is deleted.
NOTE
In the example, 1-3,5,7,9 indicates VLANs 1, 2, 3, 5, 7, and 9. 1-3 indicates VLANs 1 to 3.

2. Click Bridge Mode. A drop-down list box is displayed. Select a bridge role. See 3.8.6.1
Bridge Profile for description of bridge roles.
3. Click Bridge Whitelist. A drop-down list box is displayed. Select Create to create a bridge
whitelist or select an existing bridge whitelist. See Table 3-25 for description of bridge
whitelist parameters.
NOTE
If a bridge whitelist already exists, click View All on the Create Bridge Whitelist page. Detailed parameters about the bridge whitelist are displayed. You can also click to edit the bridge whitelist.
Leaf APs require no bridge whitelist.


Table 3-25 Parameters for creating a bridge whitelist

Parameter: Description

Whitelist name: Name of a bridge whitelist.

MAC address: MAC addresses of the neighboring APs that are allowed to access the bridge.
To add a MAC address to the bridge whitelist, enter a MAC address in the MAC Address text box, and click . If the MAC address is displayed in the text box below the MAC Address text box, the MAC address is added to the bridge whitelist.
To delete a MAC address from the bridge whitelist, enter a MAC address in the MAC Address text box, and click . If the MAC address is removed from the text box below the MAC Address text box, the MAC address is deleted from the bridge whitelist.

4. Click of Wired Interface Parameters. On the displayed page, configure AP wired
interface parameters. See Table 3-26 for parameter descriptions.

Table 3-26 AP wired interface parameters

Parameter Description

Join Eth-Trunk AP wired interfaces are added to an Eth-Trunk.
NOTE
Only the AP5030DN and AP5130DN support this parameter.

Delete from Eth-Trunk AP wired interfaces are removed from an Eth-Trunk.
NOTE
Only the AP5030DN and AP5130DN support this parameter.

Working mode Working mode of an AP wired interface.
• root: The wired interface connects to the AC.
• endpoint: The wired interface connects to a host or Layer 2 network.

User isolation User isolation on an AP wired interface.
The user isolation function prevents STAs associated with the same AP from
forwarding Layer 2 packets to each other. This function ensures communication
security on wired interfaces and allows uniform charging for users.
NOTE
Before you enable user isolation on an AP wired interface, the AP wired
interface must work in endpoint mode.

STP STP function on an AP wired interface.
The STP function prevents loops on the network.
NOTE
Only the AP5030DN and AP5130DN support this parameter.

Default VLAN Default VLAN on an AP wired interface.

Untagged VLAN Wired interfaces are added to a VLAN in untagged mode.

Tagged VLAN Wired interfaces are added to a VLAN in tagged mode.

Outbound ACL number ACL number in the outbound direction of the AP wired interface.

Inbound ACL number ACL number in the inbound direction of the AP wired interface.

5. Click Next.

Step 4 Confirm the configuration and click Finish. The WDS configuration is complete.

Step 5 Complete configurations of middle and leaf APs according to the preceding steps.

----End

3.4.5 Mesh Wizard


The Mesh Wizard helps you quickly complete Mesh configurations step by step, allowing APs
to set up Mesh connections.

Procedure
Step 1 Select AP

1. Choose Config Wizard > Mesh Wizard. The Mesh Wizard page is displayed.

2. Add APs.
• Click Create. One AP is created.
• Click Batch Add and select Manual or Batch import from a local file. One or more
APs are added.

Table 3-27 Parameters for creating an AP

Parameter Description

AP ID ID of a new AP.

AP type Type of the AP.

MAC address MAC address of the AP, in H-H-H format.
NOTE
When the authentication mode is non-authentication on the AC, you must set MAC
address or SN. When the authentication mode is MAC address authentication on
the AC, you must set MAC address.

SN SN of the AP.
NOTE
When the authentication mode is non-authentication on the AC, you must set MAC
address or SN. When the authentication mode is SN authentication on the AC, you
must set SN.

Addition mode Modes of adding APs. APs can be added manually or imported in
batches from a local file.
• Manual: Enter the MAC address or SN of an AP to add the AP offline.
• Batch import from a local file: Configure an AP's MAC address or SN in a
local file and import the MAC address or SN to the AC from the local file.
NOTE
The file is in .txt format and contains rows of MAC addresses or SNs. Each row
provides one MAC address or SN. The following example is a file containing rows
of MAC addresses.
60de-4474-9640
60de-4474-9680
dcd2-fc9a-2110

File name Local file that contains the MAC address or SN of an AP.

3. Set the search criteria and click Go. All APs matching the search conditions are displayed.
For details, see Table 3-28. Select APs to be configured and click Next.
NOTE
This section provides the procedure for configuring MPPs. The procedure for configuring MPs is similar
to that for MPPs.

Table 3-28 Parameters for searching for APs

Parameter Description

AP ID Search for the AP based on the AP ID.

AP Name Search for the AP based on the AP name.

AP Status Search for the AP based on the AP status.
The options are as follows:
• autofind
• commitFailed: The WLAN service configuration fails to be committed.
• committing: The WLAN service configuration is being committed.
• config: The AP is initializing the configuration.
• configFailed: The AP fails to initialize the configuration.
• download: The AP is downloading the upgrade software.
• fault: The AP is faulty.
• idle: The AP is idle.
• normal: The AP is functioning properly.
• standby: The AP is in standby state on the standby AC.
• typeNotMatch: The AP type is not supported by the AC.
• vermismatch: The AP's version does not match the AC's.

AP Type Search for the AP based on the AP type.

MAC Address Search for the AP based on the AP MAC address.

SN Search for the AP based on the AP SN.

AP Profile Name Search for the AP based on the AP profile name.

AP Region ID Search for the AP based on the AP region ID.
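
Added example (not part of the Huawei guide): a pre-import check for the batch-import file described under Addition mode in Table 3-27, so that malformed, duplicate, or non-unicast rows are caught before the list reaches the AC. It assumes each H in the H-H-H format is a group of four hexadecimal digits, as in the guide's sample rows; the function name, the sample bad rows, and the rejection rules are this example's own.

```python
import re

# H-H-H: three groups of four hex digits separated by hyphens
# (assumption based on the sample rows shown in the guide).
MAC_RE = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}$")


def check_import_file(text):
    """Validate the rows of a MAC-address batch-import file.

    Returns (accepted, rejected):
      accepted - normalized (lower-case) MAC addresses, in file order
      rejected - (line_number, row, reason) tuples for rows to review
    """
    accepted, rejected = [], []
    first_seen = {}  # normalized MAC -> line number of first occurrence
    for lineno, raw in enumerate(text.splitlines(), start=1):
        row = raw.strip()
        if not row:
            continue  # blank rows carry no entry
        if not MAC_RE.match(row):
            # Could be an SN or another MAC notation; needs a manual look.
            rejected.append((lineno, row, "not in H-H-H format"))
            continue
        mac = row.lower()
        first_octet = int(mac[0:2], 16)
        if mac == "0000-0000-0000":
            rejected.append((lineno, row, "all-zero address"))
        elif first_octet & 0x01:
            # I/G bit set: group address, never a device's own address.
            rejected.append((lineno, row, "multicast/broadcast address"))
        elif mac in first_seen:
            rejected.append(
                (lineno, row, f"duplicate of line {first_seen[mac]}"))
        else:
            first_seen[mac] = lineno
            accepted.append(mac)
    return accepted, rejected


# Constructed sample: the guide's three rows followed by constructed bad rows.
SAMPLE = """60de-4474-9640
60de-4474-9680
dcd2-fc9a-2110
60DE-4474-9640
60:de:44:74:96:40
ffff-ffff-ffff
0000-0000-0000
"""

if __name__ == "__main__":
    ok, bad = check_import_file(SAMPLE)
    print("accepted:", ok)
    for lineno, row, reason in bad:
        print(f"line {lineno}: {row!r} rejected ({reason})")
```

Rows flagged as not in H-H-H format may be SNs, which the guide also allows in this file; they are reported for review rather than silently dropped.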

Step 2 Configure Radio


1. To configure the frequency band of Mesh links, set Radio to 2.4 GHz or 5 GHz.
2. Configure radio profiles for Mesh links.

a. Click of Radio profile. The Radio Profile page is displayed.

b. Click Create. A radio profile is created. See Table 3-29 for description of radio profile
parameters.

Table 3-29 Description of radio profile configuration parameters

Parameter Description

Profile name Name of a radio profile.

Channel mode Channel mode of the radio.
An AP supports the following channel modes:
• auto: Allows an AP to select a channel for a radio based on the
WLAN radio environment. In automatic mode, you do not need
to specify channels for radios.
• fixed: Provides users with an alternative way when they want to
specify channels by themselves or to avoid frequent channel
adjustment (this may cause intermittent service interruption).
• If the radio bound to the current radio profile is only used for WDS
or Mesh links, you are advised to use the fixed mode.

Power mode Power mode of the radio.
An AP supports the following power modes:
• auto: The AP selects the transmit power for a radio based on the
WLAN radio environment.
• fixed: The transmit power for a radio must be set by users.

Calibration status Whether to enable radio calibration.
A radio profile on which radio calibration is enabled can dynamically
adjust the channels and power of an AP, enabling the AP radios bound
to the radio profile to adjust automatically to ensure the AP works in
its best state.
NOTE
If the radio bound to the current radio profile is only used for WDS or Mesh
links, you are advised to disable radio calibration to prevent unstable WDS or
Mesh link status.

Calibration interval Calibration interval of the radio.
An AP checks the radio environment at the specified interval. If the
radio environment deteriorates, the AP calibrates radio parameters.

Probe interval Probe interval for radio calibration. The AP detects the radio
environment at regular probe intervals.

WMM profile WMM profile to which the radio profile is bound.

Basic Rate Set Configure the basic rate set of the 802.11bg protocol or the 802.11a
protocol in the radio profile.
All rates specified in the basic rate set must be supported by both the
AP and STA; otherwise, the STA cannot associate with the AP.

Support Rate Set Configure the supported rate set of the 802.11bg protocol or the
802.11a protocol in the radio profile.
The supported rate set contains rates supported by the AP, except the
basic rates. The AP and STA can transmit data at all rates specified
by the supported rate set.

Multicast Rate Configure the radio multicast rate.
If the configured multicast rate is not in the basic rate set and the STA
does not support this rate, the STA cannot receive multicast data.

• Maximum MCS for spatial stream 1
• Maximum MCS for spatial stream 2
• Maximum MCS for spatial stream 3
Configure the maximum MCS value for the 802.11ac protocol in the radio profile.
A larger MCS value indicates a higher transmission rate.

STA access control STA access control. This feature allows an AP to control user access
based on the thresholds specified according to the radio channel usage
and number of online users, which enables provision of quality
network access services.
• By STA quantity: STA access control by STA quantity is less
accurate but uses a simple algorithm. This implementation mode
is recommended when most users have the same type of services
and similar service traffic volumes.
• By channel usage: STA access control by channel usage uses a
complex algorithm but is accurately implemented to ensure
service quality. This implementation mode is recommended when
service types and traffic volumes differ greatly among users.
• Disable: STA access control is disabled.
NOTE
If the radio bound to the current radio profile is only used for WDS or Mesh
links, STA access control can be disabled.

Access threshold Threshold for access of new users.
When a new user connects to the AP, the AP checks whether the
current channel usage or the number of online users reaches the
threshold. If so, the AP denies access of the new user.

Roaming threshold Threshold for access of roaming users.
When a user roams to the AP, the AP checks whether the current
channel usage or the number of online users reaches the threshold. If
so, the AP denies access of the user.

Hide SSID when reaching threshold Automatic SSID hiding. To prevent new users from
discovering the SSID of the AP and sending association requests, configure automatic
SSID hiding, which stops the AP radio from advertising SSIDs.

PER threshold Packet loss rate threshold for radio calibration.
When the packet loss rate of a radio reaches the threshold, the AP
considers that the radio environment has deteriorated and reports alarms
to the AC. If radio calibration is enabled, the AP calibrates radio
parameters.

Conflict rate threshold Conflict rate threshold for radio calibration.
When the conflict rate of a radio reaches the threshold, the AP
considers that the radio environment has deteriorated and reports alarms
to the AC. If radio calibration is enabled, the AP calibrates radio
parameters.

RTS/CTS mode Request To Send/Clear To Send (RTS/CTS) handshake protocol, that
is, RTS/CTS mode.
The RTS/CTS handshake protocol avoids data transmission failures
caused by channel conflicts. However, if STAs perform RTS/CTS
handshakes each time before sending data, there will be a large
number of RTS frames that consume the channel bandwidth.
Therefore, the cts-to-self mode is recommended.
• cts-to-self: Sets the RTS-CTS operation mode to cts-to-self.
• rts-cts: Sets the RTS-CTS operation mode to RTS-CTS.
• disable: Disables RTS-CTS.

RTS/CTS threshold RTS/CTS threshold.
NOTE
If STAs perform RTS/CTS handshakes each time before sending data, there
will be a large number of RTS frames that consume the channel bandwidth.
To prevent this problem, set the RTS threshold and maximum number of
retransmission attempts for frames. The RTS threshold specifies the length of
data frames. When the length of data frames sent by a STA is smaller than the
RTS threshold, no RTS/CTS handshake is performed. The default RTS
threshold is recommended.

Fragmentation threshold Fragment threshold. If the length of a frame to be sent by the 802.11
MAC layer exceeds this threshold, the frame is fragmented before
being sent.
• When the packet fragmentation threshold is too small, packets are
fragmented into smaller frames. These frames are transmitted at
a high extra cost, resulting in low channel efficiency.
• When the packet fragmentation threshold is too large, long
packets are usually not fragmented, which increases the
transmission time and error probability. If an error occurs, packets
are retransmitted, resulting in a waste of channel bandwidth. A
large threshold is recommended.

Short frame retry count Maximum number of retransmission attempts for frames smaller than
or equal to the RTS threshold.
A short frame is a MAC-layer frame that is no longer than the RTS/
CTS threshold. If no ACK message is received after the number of
retransmissions of a short frame exceeds the maximum
value, the short frame is discarded.

Long frame retry count Maximum number of retransmission attempts for frames exceeding
the RTS threshold.
A long frame is a MAC-layer frame that is longer than the RTS/CTS
threshold. If no ACK message is received after the number of
retransmissions of a long frame exceeds the maximum value, the long
frame is discarded.

Support short preamble Whether an AP supports short preamble.
The preamble is a section of bits in the header of a data frame. It
synchronizes signals transmitted between the sender and receiver and
can be either a short preamble or a long one.
• A short preamble ensures better synchronization performance and
therefore is recommended.
• A long preamble is usually used for compatibility with earlier
network adapters of clients.

DTIM interval Delivery traffic indication message (DTIM) interval in the radio
profile.
The DTIM interval specifies how many Beacon frames are sent by
an AP before the Beacon frame that contains the DTIM. The Beacon
frame carrying DTIM wakes an STA in power-saving mode, and
transmits the broadcast and multicast frames saved on the AP to the
STA.
• A short DTIM interval helps transmit data in a timely manner, but
the STA is woken frequently, causing high power consumption.
• A long DTIM interval lengthens the dormancy time of an STA
and saves power, but degrades the transmission capability of the
STA.

Beacon interval Interval at which an AP sends Beacon frames.
A Beacon frame is a broadcast frame sent at intervals. An AP sends
Beacon frames at intervals to notify STAs of an existing 802.11
network.

Interference detect switch Whether to enable interference detection.
WLAN wireless channels are often affected by the radio
environment, and the service quality is therefore degraded. If
interference detection is configured, an AP can know the radio
environment in real time and report alarms to the AC.

Threshold for co-channel interference Alarm threshold for co-channel interference.
Two APs working in the same frequency band interfere with each
other. For example, on a large-scale WLAN (for example, a
university campus network), different APs often use the same
channel. When there are overlapping areas among these APs, co-channel
interference exists, degrading network performance. After
interference detection is enabled, an AP can detect co-channel
interference. When the co-channel interference detected exceeds the
specified alarm threshold, the AP reports alarms to the AC.

Threshold for adjacent-channel interference Alarm threshold for adjacent-channel interference.
Adjacent-channel interference occurs when two APs with different
center frequencies have overlapping areas. Therefore, if APs are
placed too close to each other or they have strong signals, more noise
will be produced, degrading network performance. After interference
detection is enabled, an AP can detect adjacent-channel interference.
When the adjacent-channel interference detected exceeds the
specified alarm threshold, the AP reports alarms to the AC.

Threshold for STA interference Alarm threshold for STAs not managed by the local AP.
If there are too many STAs that are managed by other APs around
the local AP, services of the STAs managed by the local AP may be
affected. After interference detection is enabled, the AP can detect
STAs managed by other APs. When the number of STAs detected exceeds the
specified alarm threshold, the AP reports alarms to the AC.

Radio device report duration Interval at which an AP reports information about radio devices to
the AC.
An AP keeps detecting information about radio devices. At the report
interval, the AP reports the information detected to the AC, deletes
the information that has been reported, and starts the next round of
detection.

Wifi-light mode Status of the Wireless LED on the AP.
On a WDS network or a mesh network, you need to adjust AP
locations and antenna directions to obtain optimal signal strength
between WDS-capable or mesh-capable APs. The blinking frequency
of the Wireless LED shows the signal strength, so that the installation
personnel can know the current signal strength in real time.
NOTE
This command takes effect only when the AP has the WDS or mesh function
enabled. If the WDS and mesh functions are disabled on the AP, the Wireless
LED always shows service traffic volume.

Beamforming status Whether to enable the beamforming function.
Beamforming can enhance signals at an angle (for target users),
attenuate signals at another angle (for non-target users or obstacles),
and extend the radio coverage area.
If nodes on the WDS or Mesh network are fixed and distant from each
other, enable Beamforming to increase WDS or Mesh link SNR.
Mobile nodes may cause low link SNR in WDS or Mesh scenarios,
for example, fast revertive switchover of Mesh links in train-ground
communication scenarios. To prevent this problem, disable
Beamforming.
NOTE
APs that support beamforming include the AP6x10SN/DN (excluding
AP6310SN-GN), AP5x10xN, and AP7x10xN series.

802.11n guard interval mode Configure the 802.11n guard interval (GI) mode.
There are two types of GI: short GI and normal GI. When configuring
802.11n, you can configure the normal GI in 802.11a/g or short GI
in 802.11n. The short GI reduces the extra cost and improves the
transmission rate.

802.11n A-MPDU status Enable the 802.11n MAC Protocol Data Unit (MPDU) aggregation
function.
An 802.11 packet is sent as an MPDU, requiring channel competition
and backoff and consuming channel resources. The 802.11n MPDU
aggregation function aggregates multiple MPDUs into an aggregate
MAC Protocol Data Unit (A-MPDU), so that N MPDUs can be
transmitted through one channel competition and backoff. This
function saves the channel resources to be consumed for sending N-1
MPDUs. The MPDU aggregation function improves channel
efficiency and 802.11 network performance.
NOTE
It is recommended that you enable MPDU aggregation when configuring
WDS or Mesh services.

802.11n A-MPDU length Configure the maximum length of an 802.11n A-MPDU.

802.11ac guard interval mode Configure the 802.11ac guard interval (GI) mode.
There are two types of GI: short GI and normal GI. When configuring
802.11ac, you can configure the normal GI or short GI in 802.11ac.
The short GI reduces the extra cost and improves the transmission
rate.

802.11ac A-MPDU length Configure the maximum length of an 802.11ac A-MPDU.

Channel switch announcement status Whether to enable channel switch announcement.
When the AP works on a Depth First Select (DFS) channel, a radar
detection is performed. The AP automatically switches to another
channel because the DFS channel frequency may interfere with the
radar frequency. After channel switch announcement is enabled, if
an AP needs to switch the channel, the AP sends action frames to
instruct the STA to switch its channel after several Beacon intervals,
and the AP switches its channel after the same number of Beacon
intervals. The AP and STAs switch channels at the same time to
prevent STA reassociations and ensure rapid service recovery.
NOTE
If the radio bound to the current radio profile is only used for WDS or Mesh
links, STA access control can be disabled.

Channel switch announcement mode Channel switch announcement mode.
During channel switching, STA communication is interrupted. The
administrator can stop an associated STA sending data on the current
channel until channel switching is complete. Alternatively, data
transmission from STAs can be continued on the current channel
before channel switching is complete.
• continue-transmitting: Continues data transmission on the current
channel during channel switching.
• stop-transmitting: Stops data transmission from STAs on the
current channel during channel switching.

Signal strength detection for incoming signals Whether to enable signal strength detection
for incoming STA signals.
On a WLAN, an AP may receive weak radio signals from some STAs.
After associating with the AP, these STAs work at a low rate,
affecting the network throughput. The function that restricts access
of weak-signal STAs can prevent STAs, whose signal strength is
lower than the specified value, from accessing the WLAN, reducing
the impact of these STAs on others and improving WLAN
performance.
NOTE
In the case of good WLAN signal coverage, this function can be used to restrict
WLAN access of weak-signal STAs at the edge of the coverage area.

Signal strength threshold Signal strength threshold to restrict access of weak-signal STAs.
In the case that signal strength detection for incoming STA signals is
enabled, when an STA discovers an AP by scanning, the STA sends
a Probe Request frame containing Received Signal Strength Indicator
(RSSI) to an AP. After receiving the Probe Request frame, the AP
obtains the RSSI value. If the RSSI value is less than the threshold,
the AP does not respond to the request frame and the association
attempt of the STA fails, which restricts WLAN access of weak-signal
STAs.

Forced logout of STAs based on the signal strength Whether to force weak-signal STAs to log out.
On a traditional WLAN, when a STA is farther from an AP, the access
rate of the STA becomes lower but the STA still associates with the
AP without reinitiating a connection with the AP or roaming to
another AP. This degrades user experience.
To solve this problem, configure the function that forces weak-signal
STAs to log out. When an AP detects that the signal strength of a
STA is lower than the configured lower threshold, the AP sends a
Disassociation packet to the STA so that the STA can reinitiate a
connection with the AP or roam to another AP.
In the case of good WLAN signal coverage, this function can force
weak-signal STAs at the edge of the coverage area to log out and
reconnect to the WLAN.

Threshold for forced logout of STAs based on the signal strength Lower threshold for the STA
signal strength.
After the function of forcing logout of weak-signal STAs is enabled,
the AP forces STAs to log out based on the configured signal strength
threshold. When an AP receives a STA's data packet, the AP learns
the STA's signal strength from the data packet. If the STA's signal
strength is lower than the configured threshold, the AP sends a
Disassociation frame to the STA so that the STA can reinitiate a
connection with the AP or roam to another AP with strong signals.

Background neighbor probing Background neighbor probing helps you learn status of all channels
on the WLAN network.
If background neighbor probing is enabled, an AP determines
whether to switch to another channel for neighbor probing every
10s based on the service traffic volume and threshold of user quantity.
If the channel switching condition is met (the number of users or
traffic on the channel does not exceed the threshold), the AP switches
to the new channel. The AP then listens on Beacon frames on the new
channel and saves the probing result. After 60 ms, the AP switches
back to the original channel.
NOTE
If the radio bound to the current radio profile is only used for WDS or Mesh
links, STA access control can be disabled.

Service threshold for background neighbor probing Service threshold for background neighbor
probing configured on an AP.
After the background neighbor probing is enabled, an AP determines
whether the current service traffic volume exceeds the threshold
during the background neighbor probing. If the volume does not
exceed the threshold, the AP automatically switches to a different
channel; otherwise, it does not switch its channel.
Service traffic volume = (Sum of bytes received and sent by an AP within a period)/
(Theoretical sending and receiving rate of the AP within a period) x 100%

User threshold for background neighbor probing User threshold for background neighbor probing
configured on an AP.
After the background neighbor probing is enabled, an AP determines
whether the current user number exceeds the threshold during the
background neighbor probing. If the number does not exceed the
threshold, the AP automatically switches to a different channel;
otherwise, it does not switch its channel.

Radio device synchronization duration Interval at which an AP reports all the radio device
information to an AC.
An AP reports the radio device information to the AC in two modes:
• The AP immediately sends information about added, deleted, or
modified radio devices.
• The AP periodically sends all the radio device information.
To ensure that the detected device information saved on APs and the
AC is the same, you can configure a radio device synchronization
duration to periodically synchronize the detected radio device data
saved on them.

Forced logout of STAs based on the rate Whether to force low-rate STAs to log out.
On a traditional WLAN, when a STA is farther from an AP, the access
rate of the STA becomes lower but the STA still associates with the
AP without reinitiating a connection with the AP or roaming to
another AP. This degrades user experience.
To solve this problem, configure the function that forces low-rate
STAs to log out. When an AP detects that the access rate of a STA is
lower than the specified access rate, the AP sends a Disassociation
packet to the STA so that the STA can reinitiate a connection with
the AP or roam to another AP.
When APs are densely deployed, the WLAN has good signal
coverage. In such a case, this function can be used to force logout
of low-rate STAs at the edge of an AP's coverage area so that the STAs
can reassociate with APs with strong signals, which ensures good
service experience.

Threshold for forced logout of STAs based on the rate Lower threshold for the STA access rate.
After the function of forcing logout of low-rate STAs is enabled, the
AP forces STAs to log out based on the configured access rate
threshold. When an AP receives a STA's data packet, the AP learns
the STA's access rate from the data packet. If the STA's access rate
is lower than the configured threshold, the AP sends a Disassociation
frame to the STA so that the STA can reinitiate a connection with the
AP or roam to another AP with strong signals.

Airtime scheduling Whether to enable airtime scheduling.
After airtime scheduling is enabled, the device collects statistics on
the channel occupation time used by users connected to the same
radio for sending packets, creates the mapping table for the channel
occupation time of each user in accumulated mode, and establishes
a sorted link table based on the time in an ascending order. Based on
the mapping table, an AP transmits data with the user who occupies
the channel for the shortest time, ensuring that each user can equally
occupy the wireless channels. The data packets of high-speed users
are transmitted quickly, which is not affected by the data transmission
time of low-speed users. This improves the overall user experience.

c. Set the search criteria and click Go. All radio profiles matching the search conditions
are displayed. Select the radio profiles required for Mesh links and click OK.
3. Select or enter other required parameters. See Table 3-30 for description of the parameters.

Table 3-30 Description of radio configuration parameters

Parameter Description

Radio Specifies the radio of the Mesh links.

Radio profile Specifies the radio profile to which the Mesh link radio is bound.

Channel bandwidth Specifies the channel bandwidth of the Mesh link radio. You are
advised to use large channel bandwidth.

Channel Specifies the channel of the Mesh link radio.

Power level Specifies the power level of the Mesh link radio.
By default, the power level of a radio is 0, indicating full power. The actual
power is determined by the AP type. Each time the AP's power level goes one
level higher, its power decreases by 1 dBm.

4. Click Next.

Step 3 Configure Mesh Network


1. Click Mesh Profile. A drop-down list box is displayed. Select Create to create a Mesh
profile or select an existing Mesh profile. See Table 3-31 for description of Mesh
parameters.
NOTE
If a Mesh profile already exists, click View All on the Create Mesh Profile page. Detailed parameters
about the Mesh profile are displayed. You can also click to edit the profile.

Table 3-31 Mesh profile parameters

Parameter | Description
Profile name | Specifies the name of a Mesh profile.
Mesh ID | Specifies the ID of a Mesh profile. By default, the Mesh ID is configured as huaweimesh.
Security profile | Binds a security profile to the specified Mesh profile. NOTE: Currently, the security profile bound to a mesh profile must be configured as WPA2+PSK+CCMP. See 3.8.5.3 Security Profile for description of security profile parameters.
Maximum connection count | Specifies the maximum number of links allowed by an MP.
RSSI threshold | Specifies the threshold of signal strength received by a Mesh link.
Link report interval | Sets the interval at which an MP reports the Mesh link information to the AC.

2. Click Mesh Role. A drop-down list box is displayed. Select a Mesh role. See 3.8.7.1 Mesh
Profile for description of Mesh roles.
3. Click Mesh Whitelist. A drop-down list box is displayed. Select Create to create a Mesh
whitelist or select an existing Mesh whitelist. See Table 3-32 for description of Mesh
whitelist parameters.
NOTE
If a Mesh whitelist already exists, click View All on the Create Mesh Whitelist page. Detailed parameters
about the Mesh whitelist are displayed. You can also click to edit the whitelist.


Table 3-32 Parameters for creating a Mesh whitelist

Parameter | Description
Whitelist name | Specifies the name of a Mesh whitelist.
Mac address | Specifies the MAC addresses of neighboring MPs to be added to the Mesh whitelist.

4. Click of Wired Interface Parameters. On the displayed page, configure AP wired
interface parameters. See Table 3-33 for parameter descriptions.

Table 3-33 AP wired interface parameters

Parameter | Description
Join Eth-Trunk | AP wired interfaces are added to an Eth-Trunk. NOTE: Only the AP5030DN and AP5130DN support this parameter.
Delete from Eth-Trunk | AP wired interfaces are removed from an Eth-Trunk. NOTE: Only the AP5030DN and AP5130DN support this parameter.
Working mode | Working mode of an AP wired interface. root: The wired interface connects to the AC. endpoint: The wired interface connects to a host or Layer 2 network.
User isolation | User isolation on an AP wired interface. The user isolation function prevents STAs associated with the same AP from forwarding Layer 2 packets to each other. This function ensures communication security on wired interfaces and allows uniform charging for users. NOTE: Before you enable user isolation on an AP wired interface, the AP wired interface must work in endpoint mode.
STP | STP function on an AP wired interface. The STP function prevents loops on the network. NOTE: Only the AP5030DN and AP5130DN support this parameter.
Default VLAN | Default VLAN on an AP wired interface.
Untagged VLAN | Wired interfaces are added to a VLAN in untagged mode.
Tagged VLAN | Wired interfaces are added to a VLAN in tagged mode.
Outbound ACL number | ACL number in the outbound direction of the AP wired interface.
Inbound ACL number | ACL number in the inbound direction of the AP wired interface.

5. Click Next.
Step 4 Confirm the configuration and click Finish. The Mesh configuration is complete.
Step 5 Configure the Mesh node according to the preceding steps.
----End
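
The parameter notes in Step 3 impose several dependencies: the required Mesh security profile, endpoint mode before user isolation, and model-restricted Eth-Trunk and STP. The following Python check is an added example, not part of the Huawei guide or the web system; it lints a planned configuration before it is entered in the wizard. The dictionary layout, field names, interface names, accepted MAC separators and the EXAMPLE-AP model are assumptions for illustration, and the sample data is constructed.

```python
import re

REQUIRED_SECURITY = "WPA2+PSK+CCMP"              # NOTE under "Security profile"
ETH_TRUNK_STP_MODELS = {"AP5030DN", "AP5130DN"}  # NOTEs in the wired interface table
WORKING_MODES = {"root", "endpoint"}             # options listed for "Working mode"


def normalize_mac(text):
    """Return 12 lowercase hex digits, or None if text is not a MAC address."""
    digits = re.sub(r"[-:.]", "", text.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def lint_whitelist(macs):
    """Check Mesh whitelist entries: syntax, unicast only, no duplicates."""
    findings, seen = [], set()
    for raw in macs:
        mac = normalize_mac(raw)
        if mac is None:
            findings.append(("error", f"whitelist entry {raw!r} is not a MAC address"))
        elif int(mac[:2], 16) & 1:
            # Lowest bit of the first octet set means multicast or broadcast;
            # a neighboring MP always has a unicast address.
            findings.append(("error", f"whitelist entry {raw!r} is a group address"))
        elif mac in seen:
            findings.append(("warning", f"whitelist entry {raw!r} is a duplicate"))
        else:
            seen.add(mac)
    return findings


def lint_wired_interface(ap_model, port):
    """Check one AP wired interface against the notes in the parameter table."""
    findings = []
    name = port.get("name", "?")
    mode = port.get("working_mode")
    if mode not in WORKING_MODES:
        findings.append(("error", f"{name}: working mode must be root or endpoint"))
    if port.get("user_isolation") and mode != "endpoint":
        findings.append(("error", f"{name}: user isolation requires endpoint mode"))
    for feature in ("join_eth_trunk", "stp"):
        if port.get(feature) and ap_model not in ETH_TRUNK_STP_MODELS:
            findings.append(("error", f"{name}: {feature} is not supported on {ap_model}"))
    return findings


def lint_mesh_plan(plan):
    """Return every (severity, message) finding for one planned Mesh node."""
    findings = []
    if plan["mesh_profile"]["security_policy"] != REQUIRED_SECURITY:
        findings.append(("error", "security profile must be " + REQUIRED_SECURITY))
    findings += lint_whitelist(plan["mesh_whitelist"])
    for port in plan["wired_interfaces"]:
        findings += lint_wired_interface(plan["ap_model"], port)
    return findings


# Constructed sample plan (hypothetical field names, placeholder AP model).
SAMPLE_PLAN = {
    "ap_model": "EXAMPLE-AP",
    "mesh_profile": {"name": "mesh-lab", "security_policy": "WPA2+PSK+TKIP"},
    "mesh_whitelist": ["0011-2233-4455", "00:11:22:33:44:55",
                       "ffff-ffff-ffff", "0011-2233-44"],
    "wired_interfaces": [
        {"name": "wired0", "working_mode": "root", "user_isolation": True, "stp": True},
        {"name": "wired1", "working_mode": "endpoint", "user_isolation": True},
    ],
}

if __name__ == "__main__":
    for severity, message in lint_mesh_plan(SAMPLE_PLAN):
        print(f"{severity:7} {message}")
```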


3.5 System Management


This chapter describes the functions of System Management. The system configuration manager
provides the following functions: Initialize, Reboot, Software Upgrade, Patch, File System
Management, System Configuration, PoE, DNS, Stacking, Log Management, and SNMP. You
can query and configure the required functions.

3.5.1 Initialize
You can restore the factory settings of the system if necessary.

Context
If improper configurations have been performed on the switch, you can restore the factory
settings of the switch.

CAUTION
After you restore the factory settings of the switch, all the configurations that you have made on
the switch will be deleted and cannot be restored.

Procedure
Step 1 Choose System Management > Initialize in the navigation tree to open the Initialize page.
Step 2 Click Initialize. A confirm dialog box is displayed.
Step 3 Click OK.

----End

3.5.2 Reboot
You can specify the system software, configuration file, and patch file loaded to the switch at
next startup.

Context
The specified configuration file takes effect at next startup. Ensure that the configuration data
is saved on the device before the reboot.

NOTICE
During the reboot, you are disconnected from the switch. If you have not saved the configuration
data, the configuration data is lost after the reboot. Therefore, save the configuration before you
reboot the system.


Procedure
Step 1 Choose System Management > Reboot in the navigation tree to open the Reboot page, as
shown in Figure 3-40.

Figure 3-40 Reboot

Table 3-34 describes the parameters on the Reboot page.

Table 3-34 Reboot

Parameter | Description
System Software | Specifies the system software for next startup.
Configuration File | Specifies the configuration file for next startup.
Patch File | Specifies the patch file for next startup.

Step 2 Select desired options from the drop-down lists and click Reboot. A pop-up dialog box is
displayed, notifying you that communication between the system and the device will be
interrupted during the reboot.

Step 3 Click Yes in the displayed dialog box. A dialog box is displayed to prompt you to save the
configuration.

Step 4 Click Save. The system will reboot and save the configurations.


CAUTION
If you click Ignore, the switch will reboot, but unsaved configurations will be lost. When
switching the device's configuration file, click Ignore; otherwise, configuration file switching
fails.

----End

3.5.3 Software Upgrade


To upgrade the system software of a switch, upload the upgrade file to the switch. After the
upgrade is complete, the system restarts and uses the loaded file.

Context
The Web system allows you to upgrade the system software, simplifying the upgrade operations.

NOTICE
- Ensure that configurations are saved before upgrading software.
- Do not power off the switch during the upgrade.
- Software upgrade requires a long time; therefore, before upgrading the software, choose
System Management > System Configuration > System Settings and set Http Timeout
Interval to 60 minutes.

Procedure
Step 1 Choose System Management > Software Upgrade in the navigation tree to open the Software
Upgrade page, as shown in Figure 3-41.


Figure 3-41 Software Upgrade

Step 2 Select the upgrade software file and click Start.

Step 3 After the upgrade, the system displays the login page.

Step 4 Enter the user name and password to log in to the Web system.

----End

3.5.4 Patch
The following sections describe how to run and uninstall patches.

Context
- A patch is a kind of software compatible with the system software. It is used to remove
critical bugs of the system software. The extension name of the patch file is .pat.
- Before installing patches, you need to save patch files to the flash memory of the switch.
Patch files are loaded to the switch using HTTP.
- After the patch is uninstalled, the patch is deleted from the memory.

Procedure
Step 1 Choose System Management > Patch to open the Patch page, as shown in Figure 3-42.


Figure 3-42 Patch

Table 3-35 describes the parameters on the Patch page.

Table 3-35 Patch

Parameter | Description
Patch Information | Information about patches is displayed on the page, including: patches that have been loaded, patch version, and running status of the patch.
Upload Patch | Select the patch file to upload. The file name is a string without spaces. The file name extension is .pat.
Load Patch | Select the patch file to load.
Uninstall Patch | Click the button to uninstall the running patch file.

Step 2 In Upload Patch, click Browse and select the patch to be loaded, and click Upload Patch.

Step 3 Select the patch that you want to load from the Load Patch drop-down list box. Click Load
Patch. The system displays a message in Patch Information, showing the loaded patch files.

Step 4 Click Uninstall Patch. The system asks you whether to uninstall the patch.

Step 5 After the patch is deleted, the system displays a message indicating whether the patch is
uninstalled successfully.

----End

3.5.5 File System Management


The following sections describe how to manage files, including uploading files to the switch,
downloading files from the switch, and restoring or permanently deleting files in the recycle bin.

3.5.5.1 File Management


You can upload, download, and delete files.

Context
The File System Management module helps you upload, download, and delete files
conveniently.

Procedure
- Upload files.

You can upload a file from your PC to the switch.

1. Choose System Management > File System Management > File System
Management in the navigation tree to open the File System Management page.
2. Click Upload to open the Upload file page, as shown in Figure 3-43.


Figure 3-43 Upload file

3. Select the file to upload and click Upload. The system displays the upload process
page. After the file is uploaded, the system displays a message indicating the
successful upload.
NOTE
- If you do not want to close the page after uploading a file, click Apply. You can upload
other files.
- Only files in the following formats can be uploaded: cc, pat, zip, 7z, txt, log, dblg, cfg, bat,
xml, and dat.

- Download files.

You can download files from the switch.

1. Choose System Management > File System Management > File System
Management in the navigation tree to open the File System Management page.
2. Click Download next to the file name and select a path to save the file.
NOTE
Only files in the following formats can be downloaded: cc, pat, zip, 7z, txt, log, dblg, cfg, bat, xml,
and dat.

- Move files to the recycle bin.

After files are moved to the recycle bin, they still exist on the switch. You can restore the
files in the recycle bin.


CAUTION
- The version_web.zip(7z) file is the Web system file and cannot be deleted. If this file
is deleted, the Web system becomes unavailable. In the file name, version indicates the
version of the Web system software.
- The version.cc file is the device software package and cannot be deleted. If this file is
deleted, the Web system becomes unavailable. In the file name, version indicates the
device software version to which the Web system is applied.
- The name.cfg file is the Web system configuration file and cannot be deleted. If this
file is deleted, the Web system becomes unavailable. In the file name, name indicates
the configuration file name.
- The name.pat file is the Web system patch file and cannot be deleted. If this file is
deleted, the Web system becomes unavailable. In the file name, name indicates the patch
file name.

1. Choose System Management > File System Management > File System
Management in the navigation tree to open the File System Management page.
2. Select the file you want to move to the recycle bin.
3. Click Move to Recycle Bin, and the system asks you whether to move the file to the
recycle bin.
4. Click OK.

- Delete files permanently.

You can permanently delete files from the switch.

NOTICE
The files deleted permanently cannot be restored.

1. Choose System Management > File System Management > File System
Management in the navigation tree to open the File System Management page.
2. Select the file you want to delete.
3. Click Delete Permanently, and the system asks you whether to delete the file.
4. Click OK.

----End

3.5.5.2 Recycle Bin


You can restore or permanently delete the files in the recycle bin.

Context
The files in the recycle bin can be restored or deleted permanently.


CAUTION
The files deleted from the recycle bin cannot be restored.

Procedure
Step 1 Choose System Management > File System Management > Recycle Bin in the navigation
tree to open the Recycle Bin page, as shown in Figure 3-44.

Figure 3-44 Recycle Bin

Step 2 Select the file that you want to restore and click Restore.

Step 3 Select the file that you want to delete and click Delete Permanently.
NOTE
If an error occurs during file restoration or deletion, the system displays an error message.

----End

3.5.6 System Configuration


The following sections describe the configurations of the system time and system information.

3.5.6.1 System Time


You can set the local time zone manually.

Context
To ensure effective communication between the switch and other devices, set the system time
correctly.

Procedure
Step 1 Choose System Management > System Configuration > System Time in the navigation tree
to open the System Time page, as shown in Figure 3-45.


Figure 3-45 System Time

Table 3-36 describes the parameters on the System Time page.

Table 3-36 System Time

Parameter | Description
Current Time | Indicates the current date and time.
Reset System Time: Time Zone Name | Indicates the name of the time zone.
Reset System Time: Offset | Indicates the difference between the current time and Universal Time Coordinated (UTC). This parameter is used to increase or decrease the time difference.
Set Date and Time | Indicates the date and time that you want to specify. Select the Set Date and Time check box, and then click to set the date and time.

Step 2 Set the parameters.

Step 3 Click Apply, and then the new date and time is displayed.

----End

3.5.6.2 System Settings


This section describes how to configure basic information about the system, such as the device
name.

Procedure
Step 1 Choose System Management > System Configuration > System Settings in the navigation
tree to open the System Settings page, as shown in Figure 3-46.


Figure 3-46 System Settings

Table 3-37 describes the parameters on the System Settings page.

Table 3-37 System Settings

Parameter | Description
Device Name | Indicates the device name.
HTTP Timeout Interval | Specifies the timeout of the HTTP connection.

Step 2 Set the parameters.

Step 3 Click Apply to complete the configuration.

----End

3.5.7 PoE
The PoE configurations include global parameters, interface parameters, and PoE device
information.

The switch supports the Power Over Ethernet (PoE) function. After being configured with the
PoE power supply and the boards that support the PoE function, the switch can provide 48 V
DC power for the remote powered device (PD) such as the IP phone, WLAN AP, and network
camera through the twisted pair.

Only the product models with "PWR" in the product names support the PoE function.

3.5.7.1 Global Parameter Settings


You can set global PoE parameters.

Context
Currently, the network devices are deployed flexibly; therefore, the cabling of power supply is
complicated. To simplify cabling, you can configure the PoE function on the switch.


Procedure
Step 1 Choose System Management > PoE > Global Parameter Settings in the navigation tree to
open the Global Parameter Settings page, as shown in Figure 3-47.

Figure 3-47 Global Parameter Settings

Table 3-38 describes the parameters on the Global Parameter Settings page.

Table 3-38 Global Parameter Settings

Parameter | Description
Power Supply Management Mode | Indicates the mode of power supply management. Auto: When providing power at almost full capacity, the switch provides power first for the PD connected to the interface of the highest priority and powers off the PD connected to the interface of low priority. Manual: When providing power at almost full capacity, the switch keeps the original power supply unchanged, even if a new PD is connected to an interface with high priority. By default, the power supply is in automatic mode.
Max Output Power | Indicates the maximum output power of an interface.

Step 2 Set the parameters.


Step 3 Click Apply to complete the configuration.

----End


3.5.7.2 Interface Parameter Settings


You can set the PoE parameters on an interface.

Context
- Currently, the network devices are deployed flexibly; therefore, the cabling of power supply
is complicated. To simplify cabling, you can configure the PoE function on the switch.
- By default, the PoE function is enabled on all interfaces.

Procedure
- Query power supply information on interfaces.
1. Choose System Management > PoE > Interface Parameter Settings in the
navigation tree to open the Interface Parameter Settings page.
2. Select an interface type from the drop-down list box.
3. Enter the interface number, for example, 0/0/1 (stack ID/sub-card ID/port
number).
4. Click Query to display all matching records.

- Set power parameters on an interface.
1. Choose System Management > PoE > Interface Parameter Settings in the
navigation tree to open the Interface Parameter Settings page.
2. Select a record and click Configure. The Configure Power Parameters on
Interface page is displayed, as shown in Figure 3-48.

Figure 3-48 Configure Power Parameters on Interface


Table 3-39 describes the parameters on the Configure Power Parameters on Interface page.

Table 3-39 Configure Power Parameters on Interface

Parameter | Description
Interface Name | Indicates the name of an interface. The interface name cannot be modified. You can select multiple interfaces each time. NOTE: If only one interface is selected, the configuration of the interface is displayed on the Configure Power Parameters on Interface page. If multiple interfaces are selected, the default settings of the interfaces are displayed.
Enable POE on Interface | Indicates whether to enable the PoE function on the interface. The options are Enable and Disable. By default, the PoE function is enabled. The PoE parameters take effect only after the PoE function is enabled.
Max Output Power | Indicates the maximum output power of an interface.
Power Priority | Indicates the power priority of an interface. The options are Low, High, and Critical. By default, the power priority of a PoE interface is low.
Manual Power Supply | Indicates the manual power supply mode. The options are power on and power off. You can manually power on and power off the PD connected to an interface. NOTE: Before powering on or off a PD, ensure that the PD is connected to an interface and that the PoE function is enabled on the interface. If the PD on an interface has been powered on, an error message is displayed after you power on the PD again. If the PD on an interface has been powered off, an error message is displayed after you power off the PD again.


3. Set the parameters.


4. Click OK.

----End
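
How the Auto and Manual power supply management modes (Table 3-38) interact with the interface Power Priority (Table 3-39) is easiest to see by replaying PD connections against a power budget. This Python simulation is an added example and a simplified model, not Huawei's algorithm: the 60 W budget, the per-PD draw, and the rule that only strictly lower-priority PDs are shed (lowest priority first, then earliest connected) are assumptions.

```python
PRIORITY_RANK = {"Low": 0, "High": 1, "Critical": 2}  # options listed for Power Priority


def simulate_poe(mode, budget_w, connections):
    """Replay PD connections and return (powered interfaces, event log).

    mode        -- "Auto" or "Manual" (Power Supply Management Mode)
    budget_w    -- total PoE budget in watts (constructed value, not from the guide)
    connections -- (interface, priority, draw_w) tuples in connection order
    """
    if mode not in ("Auto", "Manual"):
        raise ValueError("mode must be 'Auto' or 'Manual'")
    powered, log = [], []
    for pd in connections:
        iface, priority, draw_w = pd
        used = sum(p[2] for p in powered)
        if used + draw_w <= budget_w:
            powered.append(pd)
            log.append(f"{iface}: powered on")
            continue
        if mode == "Manual":
            # Manual keeps the existing power supply, even for a high-priority newcomer.
            log.append(f"{iface}: not powered ({priority}), budget exhausted")
            continue
        # Auto: shed strictly lower-priority PDs, lowest priority first (assumed order).
        victims = sorted(
            (p for p in powered if PRIORITY_RANK[p[1]] < PRIORITY_RANK[priority]),
            key=lambda p: PRIORITY_RANK[p[1]],
        )
        shed, freed = [], 0
        for victim in victims:
            if used - freed + draw_w <= budget_w:
                break
            shed.append(victim)
            freed += victim[2]
        if used - freed + draw_w <= budget_w:
            powered = [p for p in powered if p not in shed] + [pd]
            log += [f"{v[0]}: powered off to make room for {iface}" for v in shed]
            log.append(f"{iface}: powered on")
        else:
            log.append(f"{iface}: not powered ({priority}), cannot free enough power")
    return [p[0] for p in powered], log


# Constructed sample: three 25 W PDs on interfaces numbered as in the guide (0/0/1 ...).
SAMPLE_CONNECTIONS = [
    ("0/0/1", "Low", 25),
    ("0/0/2", "High", 25),
    ("0/0/3", "Critical", 25),
]

if __name__ == "__main__":
    for mode in ("Auto", "Manual"):
        powered, log = simulate_poe(mode, 60, SAMPLE_CONNECTIONS)
        print(mode, "->", powered)
        for line in log:
            print("   ", line)
```

In this model a PD that must stay powered, such as a network camera or WLAN AP, keeps power in Auto mode only if its interface priority is higher than that of the PDs competing for the budget.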

3.5.7.3 PoE Power Supply Information


You can view PoE information.

Context
None.

Procedure
Step 1 Choose System Management > PoE > PoE Power Supply Information in the navigation tree
to open the PoE Power Supply Information page, as shown in Figure 3-49. The PoE
information is displayed.

Figure 3-49 PoE Power Supply Information

NOTE

If the PoE information is modified, the latest PoE information is displayed.

----End

3.5.8 DNS
The following sections describe the configurations of dynamic DNS entries, domain name
server, domain name suffix, and enabling dynamic domain name resolution.

In addition to distinguishing devices by IP addresses, TCP/IP provides the Domain Name System
(DNS) to name hosts by using character strings. DNS uses a hierarchical naming method to
specify a meaningful name for a device on the network. In addition, a DNS server is required
on the network to bind IP addresses to domain names. The DNS server enables users to use
simple domain names instead of complex IP addresses.


3.5.8.1 Dynamic DNS Entry Table


You can view the dynamic DNS entries.

Context

NOTICE
The deleted dynamic DNS entries cannot be restored; therefore, perform the deletion operation
with caution.

Procedure
Step 1 Choose System Management > DNS > Dynamic DNS Entry Table in the navigation tree to
open the Dynamic DNS Entry Table page, as shown in Figure 3-50.

Figure 3-50 Dynamic DNS Entry Table

Step 2 View dynamic DNS entries. To delete all dynamic DNS entries, click Clear All. The system
asks you whether to delete all dynamic DNS entries. The deleted dynamic DNS entries cannot
be restored.

Step 3 Click OK.

----End

3.5.8.2 DNS Settings


Dynamic domain name resolution requires a special DNS server. This server maps domain
names to IP addresses and processes the resolution requests of clients.

Context
After receiving a resolution request, the DNS server checks whether the domain name belongs
to its authorized sub-domain. If yes, the server translates the domain name into an IP address
according to the database, and then sends the result to the client. If the server cannot resolve the
domain name, it performs the resolution operation specified in the request sent by the client.


Procedure
- Create a DNS server.
1. Choose System Management > DNS > DNS Settings in the navigation tree to open
the DNS Settings page.
2. Click New to open the Create a DNS Server page, as shown in Figure 3-51.

Figure 3-51 Create a DNS Server

3. Set parameters.
4. Click OK.

- Delete a DNS server.
1. Choose System Management > DNS > DNS Settings in the navigation tree to open
the DNS Settings page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.

----End

3.5.8.3 Domain Name Settings


The system provides the domain name suffix list. You can preset domain name suffixes.

Context
- Users only need to enter partial content of a domain name, and then the system adds a suffix
to the domain name for resolution.
- For example, you have set the domain name suffix com in the suffix list. If a user wants to
visit huawei.com, the user only needs to enter huawei. Then the system adds the suffix
com to huawei to form huawei.com.


Procedure
- Create a domain name suffix.
1. Choose System Management > DNS > Domain Name Settings in the navigation
tree to open the Domain Name Settings page.
2. Click New to open the Create a Domain Name Suffix page, as shown in Figure 3-52.

Figure 3-52 Create a Domain Name Suffix

Table 3-40 describes the parameters on the Create a Domain Name Suffix page.

Table 3-40 Create a Domain Name Suffix

Parameter | Description
Domain Name Suffix | Indicates the new domain name suffix, for example, com.

3. Set parameters.
4. Click OK.

- Delete a domain name suffix.
1. Choose System Management > DNS > Domain Name Settings in the navigation
tree to open the Domain Name Settings page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
----End

3.5.8.4 Enable Dynamic Domain Name Resolution


To use the dynamic domain name resolution function, you must enable it first.

Context
Dynamic domain name resolution requires a special DNS server. This server maps domain
names to IP addresses and processes the resolution requests of clients.


Procedure
Step 1 Choose System Management > DNS > Enable Dynamic Domain Name Resolution in the
navigation tree to open the Enable Dynamic Domain Name Resolution page, as shown in
Figure 3-53.

Figure 3-53 Enable Dynamic Domain Name Resolution

Table 3-41 describes the parameters on the Enable Dynamic Domain Name Resolution page.

Table 3-41 Enable Dynamic Domain Name Resolution

Parameter | Description
Enable Dynamic Domain Name Resolution | Indicates whether to enable the resolution function. You can set the DNS parameters before enabling the resolution function, but the DNS parameters take effect only after you enable the resolution function.

Step 2 Select the parameters.


Step 3 Click Apply to complete the configuration.

----End

3.5.9 Stacking
The stacking function connects multiple stacking-capable devices together to logically function
as one device. Up to five , S2750EIs, and S2720s can be connected through stack cables in a
ring or chain topology. Up to nine devices of other models can be connected through stack cables
in a ring or chain topology. All stacked devices logically function as one device to forward
packets. There are three roles of devices in a stack: master switch, standby switch, and slave
switch. All of the three types of switches are called member switches. The Ethernet switches in
a stack function as one device. You can manage all the switches in a stack by using the master
switch.

Context
- The following models support the stacking function: S2720, S2750, S5700-P-LI (with GE
uplink interfaces), S5700-TP-LI (with GE uplink interfaces), S5700-X-LI (with 10GE
uplink interfaces). The stacking function is not supported on the S5700-10P-LI-AC and
S5700-10P-PWR-LI-AC in the S5700-P-LI series (with GE uplink interfaces).
NOTE
A stack of S5700-52X-LI-48CS-AC switches cannot be managed by the web-based network
management system.
- When a switch attempts to set up a stack with a switch enabled with the stacking function
but the stacking-enabled switch has some configurations that the stack does not support,
the new switch cannot join the stack and the system displays a message indicating that some
configurations are not supported by the stack. As a result, the new switch cannot be added
to the stack. The new switch can be added to the stack only after these configurations are
deleted.
- Before the stack is established, each switch is an independent entity. Each switch has its
own IP address and functions individually. Therefore, you need to manage each switch
separately. After the stack is established, all the member switches are presented as one
unified logical entity. In this manner, you can manage and maintain all the member switches
in a stack by using one IP address. The stacking protocol elects the master switch, standby
switch, and slave switch in a stack. Then, data can be backed up and the active/standby
switchover can be implemented.

Procedure
- Configure the stack.
1. Choose System Management > Stacking in the navigation tree to open the
Stacking page, as shown in Figure 3-54.
NOTE

The actual display varies depending on the device model.

Figure 3-54 Stacking

Table 3-42 describes the parameters on the Stacking page.

Table 3-42 Stacking

Parameter | Description
Stack Topology Type | Indicates the topology type of the stack. This parameter cannot be set.
Stack System MAC | Indicates the MAC address of the stack. This parameter cannot be set.
Stacking | Indicates whether the stacking function is enabled.
MAC Switch Delay Time | Indicates the delay of MAC address switching. This parameter takes effect after the device is restarted. After a switchover occurs between the master and slave switches, the MAC address of the stack is switched to be that of the newly-elected master switch if the previous master switch does not rejoin the stack after the switchover times out. The MAC address switchover time of any member switch in a stack is the same as that of the master switch. NOTE: By default, the MAC address switchover timer is disabled. The system performs the MAC address switchover immediately after the active/standby switchover occurs between switches. If the value of the MAC address switchover timer is set to 0, it indicates that MAC address switchover will not be performed.
Stack Reserved VLAN | Indicates the reserved VLAN of the stack. By default, a stack specifies VLAN 4093 as the reserved VLAN. A reserved VLAN is used for exchanging the stack protocol packets only.

2. Set the parameters.


3. Click OK.

- Modify the stack.
1. Choose System Management > Stacking in the navigation tree to open the
Stacking page.
2. Click , the Configure Stack page is displayed, as shown in Figure 3-55.
NOTE

The actual display varies depending on the device model.


Figure 3-55 Stack Settings

Table 3-43 describes the parameters on the Configure Stack page.

Table 3-43 Stack Settings

| Parameter | Description |
| --- | --- |
| Next Stack ID | Indicates the stack ID. This parameter takes effect after the device is restarted. Stack IDs can be configured before or after the stack is established. By default, all the stack IDs of member switches in a stack are 0. If stack IDs are not configured for member switches before the stack is established, the stack assigns stack IDs to member switches after being established. After the stack is established successfully, all the configurations of the stack can be performed on the master switch only. |
| Next Startup Priority | Indicates the priority of the stack. This parameter takes effect after the device is restarted. The stack priority can be configured before or after the stack is established. If the stack is established, this parameter must be set on the master switch; otherwise, it is set on each switch. |

3. Set the parameters.


4. Click OK.


- Select the list of logical interfaces.

1. Click the standby switch or master switch in the switch role list. The selected
physical stack interfaces of the switch are displayed in the logical interface list, as
shown in Figure 3-56.

Figure 3-56 List of Logical Interfaces

2. Click the icon. The Configure Stack Interface page is displayed, as shown in
Figure 3-57.

Figure 3-57 Configure Stack Interface

Table 3-44 describes the parameters on the Configure Stack Interface page.

Table 3-44 Stack Interface Configuration

| Parameter | Description |
| --- | --- |
| Logical Interface Name | Indicates the name of the logical interface on the device. |
| Selected Physical Stack Interfaces | Selects an interface as the physical stack interface. |

3. Select the name of the interface that functions as a stack interface.
4. Click OK.
5. Return to the Stacking page, and click Apply.
----End

3.5.10 Log Management


The Log Management page displays the latest 300 logs of the device. You can query and delete
the logs on this page.

Context
Logs provide information for system diagnosis and maintenance.

Procedure
Step 1 Choose System Management > Log Management to open the Log Management page.
Step 2 Set parameters.
Step 3 Click Query to view the logs that meet the search criteria.
Step 4 Click Reset to restore the default log query range.
Step 5 Click Clear to determine whether to clear all logs.

----End

3.5.11 SNMP
Simple Network Management Protocol (SNMP) is a standard network management protocol
widely used on TCP/IP networks. SNMP uses a central computer (a network management
station) that runs network management software to manage network elements.

3.5.11.1 SNMP Global Settings


You can configure global SNMP settings for the device.

Context
The SNMP agent is an agent program on the managed device. The SNMP agent maintains
information for the managed device, responds to the requests from the NMS, and sends
management data to the NMS. Before the NMS manages a device through SNMP, the SNMP
agent must be enabled on the device and a proper SNMP version needs to be selected.
The web system supports SNMPv1, SNMPv2c, and SNMPv3. The device and NMS must use the
same SNMP version.


NOTE

If a device is managed by multiple NMSs running different SNMP versions, all the SNMP versions need to be
set on the device so that the device can communicate with these NMSs.

Table 3-45 Usage scenarios of SNMP

| Version | Usage Scenario |
| --- | --- |
| SNMPv1 | Applicable to small-sized networks that have simple and stable topologies, have low security requirements, or are not prone to attacks. For example, campus networks and small enterprise networks. |
| SNMPv2c | Applicable to medium- or large-sized networks that have low security requirements or are not prone to attacks, have high service traffic volume, and may be congested by traffic, for example, VPNs. |
| SNMPv3 | Applicable to all networks, especially the networks having high security requirements. SNMPv3 allows only authorized administrators to manage the network. If the NMS and managed devices communicate over the public network, SNMPv3 is recommended. |

Procedure
Step 1 Choose System Management > SNMP in the navigation tree to open the SNMP Global
Settings page, as shown in Figure 3-58.

Figure 3-58 SNMP Global Settings


Table 3-46 describes parameters on the SNMP Global Settings page.

Table 3-46 SNMP Global Settings

| Parameter | Description |
| --- | --- |
| SNMP Agent | Indicates whether the SNMP agent is enabled. By default, the SNMP agent is disabled. |
| SNMP Version | Indicates the SNMP version on the device. By default, SNMPv3 is supported. Choose one or multiple versions. Ensure that the SNMP versions on the device and on the NMS are the same. |
| Local Engine ID | This value is automatically generated by the system or set by you. |
| Device Position | Indicates the physical location of the device. When the Device Position field is empty, clicking Apply will display the factory settings of the device. |
| Contact Information | Indicates the contact information maintained on the device. When the Contact Information field is empty, clicking Apply will display the factory settings of the device. |

Step 2 Set parameters.

Step 3 Click Apply to complete the configuration.

----End

3.5.11.2 Community/Group Management


You can configure the SNMPv1 and SNMPv2c communities and SNMPv3 groups.

Context
The community/group management configurations vary with SNMP versions. After global
SNMP settings are complete, configure the communities/groups. Table 3-47 lists the mappings
between SNMP versions and configurations.

Table 3-47 Mappings between SNMP versions and community/group configurations

| Version | Configuration |
| --- | --- |
| SNMPv1 | Community management |
| SNMPv2c | Community management |
| SNMPv1 and SNMPv2c | Community management |
| SNMPv3 | Group management and user management |
| SNMPv1 and SNMPv3 | Community management, group management and user management |
| SNMPv2c and SNMPv3 | Community management, group management and user management |
| SNMPv1, SNMPv2c, and SNMPv3 | Community management, group management and user management |

Procedure
- Configure community management.
Create a community.
1. Choose System Management > SNMP > Community/Group Management in the
navigation tree to open the Community/Group Management page.
2. Click New in Community to open the Create Community page, as shown in Figure
3-59.

Figure 3-59 Create Community


Table 3-48 describes parameters on the Create Community page.

Table 3-48 Create Community

| Parameter | Description |
| --- | --- |
| Community name | Indicates the read/write community name of SNMPv1 and SNMPv2c. This is the password that the NMS uses to perform the read and write operations on the SNMP agent. The password configured on the SNMP agent must be the same as that configured on the NMS. |
| Confirm community name | Enters the community name again to confirm it. |
| Access mode | Indicates the access rights of the community name in the specified MIB view. |
| MIB view | Indicates the MIB object monitored and managed by the NMS. |
| ACL name | Restricts the NMS's rights to manage the device. |

3. Set parameters.
4. Click OK. The configuration is complete.
If the operation is successful, Community is displayed and a new item is added to the
list. The community name is displayed in cipher text. To add multiple communities,
repeat the preceding operations.
Delete a community.
1. Choose System Management > SNMP > Community/Group Management in the
navigation tree to open the Community/Group Management page.
2. Select the items that you want to delete in Community, or select all items.
3. Click Delete. The system asks you whether to delete the items.
4. Click OK. The configuration is complete.
- Configure group management.
Create a group.
1. Choose System Management > SNMP > Community/Group Management in the
navigation tree to open the Community/Group Management page.
2. Click New in Group to open the Create Group page, as shown in Figure 3-60.


Figure 3-60 Create Group

Table 3-49 describes parameters on the Create Group page.

Table 3-49 Create Group

| Parameter | Description |
| --- | --- |
| Group name | Indicates the SNMPv3 user group. |
| Security level | Indicates the security level of the SNMPv3 user group, including: No authentication, no encryption; Authentication, no encryption; Authentication and encryption. |
| Read-only MIB view | Indicates the MIB object that can only be read by the NMS. |
| Read-write MIB view | Indicates the MIB object that can be read and written by the NMS. |
| Notification MIB view | Indicates the MIB object that only sends notifications to the NMS. |
| ACL name | Restricts the NMS's rights to manage the groups. |

3. Set parameters.


4. Click OK. The configuration is complete.


Modify groups.
1. Choose System Management > SNMP > Community/Group Management in the
navigation tree to open the Community/Group Management page.
2. Click of the group that you want to modify in Group to open the Modify Group
page, as shown in Figure 3-61.

Figure 3-61 Modify Group

Table 3-49 describes parameters on the Modify Group page.
NOTE
The group name cannot be changed.
3. Set parameters.
4. Click OK. The configuration is complete.
Delete a group.
1. Choose System Management > SNMP > Community/Group Management in the
navigation tree to open the Community/Group Management page.
2. Select the items that you want to delete in Group, or select all items.
3. Click Delete. The system asks you whether to delete the items.
4. Click OK. The configuration is complete.
- Configure user management.
Create a user.
1. Choose System Management > SNMP > Community/Group Management in the
navigation tree to open the Community/Group Management page.


2. Click New in User to open the Create User page, as shown in Figure 3-62.

Figure 3-62 Create User

Table 3-50 describes parameters on the Create User page.

Table 3-50 Create User

| Parameter | Description |
| --- | --- |
| User name | Indicates the SNMPv3 user name. |
| Security level | Indicates the security level of the SNMPv3 user. In the current version, the security level is fixed as no authentication, no encryption. |
| Group name | Indicates the group to which users will be added. |
| ACL name | Restricts the NMS's rights to manage the groups. |

3. Set parameters.


4. Click OK. The configuration is complete.


Modify a user.
1. Choose System Management > SNMP > Community/Group Management in the
navigation tree to open the Community/Group Management page.
2. Click of the user entry that you want to modify in User to open the Modify User
page, as shown in Figure 3-63.

Figure 3-63 Modify User

Table 3-51 lists the configuration parameters.

Table 3-51 Modify User

| Parameter | Description |
| --- | --- |
| User name | Indicates the SNMPv3 user name. |
| Security level | Indicates the security level of the SNMPv3 user. |
| Authentication mode | Indicates the authentication mode of the SNMPv3 user. |
| Authentication password | Indicates the authentication password of the SNMPv3 user. |
| Confirm authentication password | Enters the authentication password again to confirm it. |
| Encryption mode | Indicates the encryption mode of the SNMPv3 user. |
| Encryption password | Indicates the encryption password of the SNMPv3 user. |
| Confirm Encryption password | Enters the encryption password again to confirm it. |
| Group name | Indicates the group to which the user will be added. |
| ACL name | Restricts the NMS's rights to manage the groups. |

NOTE

The parameters for modifying a user vary with the security level of the user. The parameters listed
here may be different from the parameters displayed for you.
The User name and Security level parameters cannot be modified.
3. Set parameters.
4. Click OK. The configuration is complete.
Delete a user.
1. Choose System Management > SNMP > Community/Group Management in the
navigation tree to open the Community/Group Management page.
2. Select a user that you want to delete in User and click Delete. The system asks you
whether to delete the user.
3. Click OK. The configuration is complete.

----End

3.5.11.3 MIB View


You can restrict the NMS's rights to manage the device.

Context
A MIB view is a collection of all managed objects. The NMS manages devices by reading
information from and writing information to the managed objects in the MIB. A MIB view
defines the management information included in or excluded from the MIB view. Two
implementation methods are available for the MIB view:

- When the NMS manages most MIB objects on the managed device or some objects in the
MIB view do not need to be managed by the NMS, the unmanaged objects can be
configured (the Exclude rule).
- When the NMS manages a few MIB objects on the managed device or some objects in the
MIB view are managed by the NMS with access restrictions, the managed objects can be
configured (the Include rule).
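How Include and Exclude rules combine when subtrees overlap, as an added example that is not part of the Huawei guide or the device software. It assumes the device follows the standard SNMP view rule of RFC 3415, where the longest matching subtree decides; the view contents and probe OIDs are constructed, and only numeric OIDs are handled.

```python
"""MIB view rule evaluation with Include/Exclude subtrees (longest match wins)."""


def parse_oid(text):
    """Turn '1.3.6.1.2.1' (a leading dot is allowed) into a tuple of ints."""
    parts = text.strip().lstrip(".").split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"not a numeric OID: {text!r}")
    return tuple(int(p) for p in parts)


def in_view(rules, oid):
    """Return True when `oid` is visible through the view described by `rules`.

    rules is a list of (rule, subtree) pairs with rule "include" or "exclude".
    Of all subtrees that contain the OID, the one with the most
    sub-identifiers decides. An OID that no subtree contains is not in the view.
    """
    target = parse_oid(oid)
    best_len, verdicts = -1, set()
    for rule, subtree in rules:
        if rule not in ("include", "exclude"):
            raise ValueError(f"unknown rule: {rule!r}")
        prefix = parse_oid(subtree)
        # Compare whole sub-identifiers, never text: 1.3.6.1.2.1.1 must not
        # match 1.3.6.1.2.1.11.
        if target[:len(prefix)] != prefix:
            continue
        if len(prefix) > best_len:
            best_len, verdicts = len(prefix), {rule}
        elif len(prefix) == best_len:
            verdicts.add(rule)
    if verdicts == {"include", "exclude"}:
        raise ValueError(f"conflicting rules for one subtree covering {oid}")
    return verdicts == {"include"}


def visible(rules, oids):
    """Return the names in `oids` (name -> OID) that the view exposes, sorted."""
    return sorted(name for name, oid in oids.items() if in_view(rules, oid))


# Constructed sample views.
# First method: include a broad subtree, exclude what the NMS must not touch.
BROAD = [
    ("include", "1.3.6.1"),        # internet
    ("exclude", "1.3.6.1.6.3"),    # snmpModules: USM users, VACM, communities
    ("include", "1.3.6.1.6.3.1"),  # snmpMIB, re-included below the exclusion
]
# Second method: include only the few subtrees the NMS needs.
NARROW = [
    ("include", "1.3.6.1.2.1.1"),  # system
    ("include", "1.3.6.1.2.1.2"),  # interfaces
]
# Constructed probe objects used to check what each view exposes.
PROBES = {
    "sysDescr.0": "1.3.6.1.2.1.1.1.0",
    "ifInOctets.1": "1.3.6.1.2.1.2.2.1.10.1",
    "snmpInPkts.0": "1.3.6.1.2.1.11.1.0",
    "usmUserTable": "1.3.6.1.6.3.15.1.2.2",
    "snmpSetSerialNo.0": "1.3.6.1.6.3.1.1.6.1.0",
}

if __name__ == "__main__":
    for name, view in (("BROAD", BROAD), ("NARROW", NARROW)):
        print(name, visible(view, PROBES))
```

Checking a subtree root only shows that the root is hidden; a longer Include rule beneath it can still expose part of that subtree, so probe the specific objects that must stay private.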

Procedure
- Create a MIB view.
1. Choose System Management > SNMP > MIB View in the navigation tree to open
the MIB View page.
2. Click New to enter the Create MIB View page, as shown in Figure 3-64.

Figure 3-64 Create MIB View

Table 3-52 describes parameters on the Create MIB View page.


Table 3-52 Create MIB View

| Parameter | Description |
| --- | --- |
| View name | Indicates the name of the created MIB view. |
| Rule | Indicates the method of processing the MIB sub-tree, including: Exclude; Include. |
| MIB subtree name/OID | Indicates the name or OID of the MIB sub-tree. |
| Added Rule List | Indicates the list in which rules have been added. |

3. Create MIB view includes two tasks:

Create rules.

a. Set parameters by referring to Table 3-52.


b. Click Add. The configuration is complete.
If the operation is successful, the new rules are displayed in Added Rule List.
To add multiple rules, repeat the preceding operations.

Delete rules.

a. Click of the rules that you want to delete in Added Rule List.
If the operation is successful, the deleted rules are not displayed in Added Rule
List. To delete multiple rules, repeat the preceding operations.
4. Click OK.
If the operation is successful, MIB View is displayed and the new MIB view is added.
To add multiple MIB views, repeat the preceding operations.
- Modify MIB view.
1. Choose System Management > SNMP > MIB View in the navigation tree to open
the MIB View page.
2. Click of the MIB view that you want to modify to open the Modify MIB View
page, as shown in Figure 3-65.


Figure 3-65 Modify MIB View

Table 3-53 describes parameters on the Modify MIB View page.

Table 3-53 Modify MIB View

| Parameter | Description |
| --- | --- |
| View name | Indicates the name of the MIB view. The MIB view name cannot be changed. |
| Rule | Indicates the method of processing the MIB sub-tree, including: Exclude; Include. |
| MIB subtree name/OID | Indicates the name or OID of the MIB sub-tree. |
| Added Rule List | Indicates the list in which rules have been added. |

3. Modify MIB view includes two tasks:


Create rules.


a. Set parameters by referring to Table 3-53.


b. Click Add. The configuration is complete.
If the operation is successful, the new rules are displayed in Added Rule List.
To add multiple rules, repeat the preceding operations.

Delete rules.

a. Click of the rules that you want to delete in Added Rule List.
If the operation is successful, the deleted rules are not displayed in Added Rule
List. To delete multiple rules, repeat the preceding operations.
4. Click OK. The configuration is complete.
- Delete a MIB view.
1. Choose System Management > SNMP > MIB View in the navigation tree to open
the MIB View page.
2. Select the items that you want to delete, or select all items.
3. Click Delete. The system asks you whether to delete the items.
4. Click OK. The configuration is complete.

----End

3.5.11.4 Trap Setting


You can configure the trap function on the device.

Context
A trap is an alarm message sent from the managed device to the NMS to notify administrators
of the network faults. After receiving a trap from a managed device, the NMS does not need to
reply.

NOTE

The web management system supports a maximum of 20 trap target hosts. When the number of trap target hosts
to be configured exceeds the limit, the system displays a prompt message.

Procedure
- Configure trap.
1. Choose System Management > SNMP > Trap Setting in the navigation tree to open
the Trap Setting page, as shown in Figure 3-66.

Figure 3-66 Trap Setting


Table 3-54 describes parameters on the Trap Setting page.

Table 3-54 Configure Trap

| Parameter | Description |
| --- | --- |
| SNMP Trap | Indicates whether the SNMP trap function is enabled. |
| Source Interface That Sends Trap Messages | Indicates the source interface that sends trap messages. Click Select to select a source interface. |

2. Set parameters.
3. Click Apply to complete the configuration.
- Configure the trap target host.
Create a trap target host.
1. Choose System Management > SNMP > Trap Setting in the navigation tree to open
the Trap Setting page.
2. Click New in Trap Target Host to open the Create Trap Target Host page, as shown
in Figure 3-67.

Figure 3-67 Create Trap Target Host

Table 3-55 describes parameters on the Create Trap Target Host page.


Table 3-55 Create Trap Target Host

| Parameter | Description |
| --- | --- |
| Target host IP | Specifies the IP address of the target host. |
| Target host UDP port | Specifies the port receiving trap messages on the target host. The default port number is 162. |
| Trap version | Specifies the SNMP version matching the trap messages, including: v1; v2c; v3. |
| User Name | Specifies the user name displayed on the NMS. When the trap version is v1 or v2c, the user name is a string of 1 to 32 characters without spaces. When the trap version is v3, the user name must be the same as the user name configured in Community/Group Management. |
| Security level | This parameter is mandatory when the trap version is v3. Security levels include: No authentication, no encryption; Authentication, no encryption; Authentication and encryption. |

3. Set parameters.
4. Click OK. The configuration is complete.
Delete the trap target host.
1. Choose System Management > SNMP > Trap Setting in the navigation tree to open
the Trap Setting page.
2. Select the items that you want to delete in Trap Target Host, or select all items.
3. Click Delete. The system asks you whether to delete the items.
4. Click OK. The configuration is complete.

----End
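A review of the settings from Tables 3-45 to 3-55 against the guide's own recommendation of SNMPv3, as an added example that is not part of the Huawei guide. The dictionary layout, finding codes, access-mode strings, ACL names and addresses are assumptions made for the illustration; the security-level strings are the ones listed in Table 3-49.

```python
"""Review SNMP settings, as entered on the web pages, for weak choices."""

AUTH_PRIV = "Authentication and encryption"   # strongest level in Table 3-49
NO_AUTH = "No authentication, no encryption"  # weakest level in Table 3-49
LEGACY = {"v1", "v2c"}                        # community-based versions


def audit_snmp(cfg):
    """Return a list of (code, subject) findings for one device's settings."""
    if not cfg.get("agent_enabled", False):
        return []                             # agent disabled: nothing to review
    out = []
    for ver in sorted(LEGACY & set(cfg.get("versions", []))):
        out.append(("LEGACY_VERSION", ver))
    # Communities are reported by position: the name is a password (Table 3-48).
    for idx, com in enumerate(cfg.get("communities", []), 1):
        who = f"community#{idx}"
        if not com.get("acl"):
            out.append(("NO_ACL", who))
        if com.get("access") == "read-write":  # assumed access-mode string
            out.append(("WRITE_COMMUNITY", who))
    groups = {g["name"]: g for g in cfg.get("groups", [])}
    for name, grp in groups.items():
        if grp["level"] != AUTH_PRIV:
            out.append(("WEAK_GROUP_LEVEL", name))
        if not grp.get("acl"):
            out.append(("NO_ACL", f"group {name}"))
    users = set()
    for usr in cfg.get("users", []):
        users.add(usr["name"])
        # Table 3-50: the Create User page fixes the level at NO_AUTH.
        if usr["level"] != AUTH_PRIV:
            out.append(("WEAK_USER_LEVEL", usr["name"]))
        if usr["group"] not in groups:
            out.append(("UNKNOWN_GROUP", usr["name"]))
    for host in cfg.get("trap_hosts", []):
        if host["version"] in LEGACY:
            out.append(("LEGACY_TRAP", host["ip"]))
            continue
        if host.get("level") != AUTH_PRIV:
            out.append(("WEAK_TRAP_LEVEL", host["ip"]))
        # Table 3-55: a v3 trap user must exist under Community/Group Management.
        if host.get("user") not in users:
            out.append(("UNKNOWN_TRAP_USER", host["ip"]))
    return out


# Constructed settings: a device left with community access and weak v3 levels.
WEAK = {
    "agent_enabled": True,
    "versions": ["v2c", "v3"],
    "communities": [{"access": "read-write", "mib_view": "view-all", "acl": ""}],
    "groups": [{"name": "ops", "level": NO_AUTH, "acl": ""}],
    "users": [{"name": "nms1", "level": NO_AUTH, "group": "ops"}],
    "trap_hosts": [
        {"ip": "192.0.2.10", "version": "v2c"},
        {"ip": "192.0.2.11", "version": "v3", "user": "nms2",
         "level": "Authentication, no encryption"},
    ],
}
# Constructed settings: the same device restricted to SNMPv3 with ACLs.
HARDENED = {
    "agent_enabled": True,
    "versions": ["v3"],
    "communities": [],
    "groups": [{"name": "ops", "level": AUTH_PRIV, "acl": "acl-nms"}],
    "users": [{"name": "nms1", "level": AUTH_PRIV, "group": "ops"}],
    "trap_hosts": [{"ip": "192.0.2.10", "version": "v3", "user": "nms1",
                    "level": AUTH_PRIV}],
}

if __name__ == "__main__":
    for code, subject in audit_snmp(WEAK):
        print(f"{code:18} {subject}")
    print("hardened findings:", audit_snmp(HARDENED))
```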

3.5.12 EasyOperation
This chapter describes how to configure roles, groups, and clients to implement Easy-Operation.


The Easy-Operation feature implements automatic version file loading on newly delivered or
unconfigured devices and batch upgrades of devices on a campus network. Table 3-56 lists the
device models and versions that support the Easy-Operation feature.

Table 3-56 Support for the Easy-Operation feature

| Role | Version | Product Model | Maximum Number of Managed Clients | Description |
| --- | --- | --- | --- | --- |
| Commander | V200R003C00 to V200R005C00 | S5700HI, S5710HI, S6700 | 128 | The S2720EI, S2750EI, S5700S-LI, and S5700LI can only work as a client and cannot work as a Commander. |
| Commander | V200R003C00 to V200R005C00 | S5700EI, S5710EI, and S5700SI | 64 | |
| Commander | V200R006C00 and later | S5720HI | 128 | |
| Client | V200R003C00 and later | Fixed-configuration switches (S2700&S5700&S6700); Chassis switches (S7700&S9700&S12700) | - | If the clients are chassis switches, EasyDeploy can only be applied to the batch upgrade and batch configuration scenarios. If the clients are fixed-configuration switches, EasyDeploy applies to the batch upgrade, batch configuration, unconfigured device deployment, and faulty device replacement scenarios. |


NOTE

Only the Role configuration option is available on devices that do not support the Commander role.
Additionally, such devices can only be configured as clients.
The Group configuration and Client configuration options are not available on devices that function as
clients.

3.5.12.1 Role Configuration


On the Role configuration page, you can configure global Easy-Operation parameters for a
device, including the role, Commander IP address and port, and default files to be
downloaded.

Context
Before configuring EasyOperation on a device, determine the role of the device.

Procedure
Configuring a device as a client

1. Choose System Management > EasyOperation > Role configuration in the navigation
tree to display the Role configuration page.
2. Set Role type to Client, as shown in Figure 3-68.

Figure 3-68 Role configuration

3. Enter the Commander IP address and UDP port. The Commander IP address you enter here
must be the same as that configured on the Commander. If you keep the UDP port field
blank, the default UDP port is used.
4. Click Apply.
After you click Apply, the Group configuration and Client configuration tabs become
unavailable.

Configuring a device as a Commander

1. Choose System Management > EasyOperation > Role configuration in the navigation
tree to display the Role configuration page.


2. Set Role type to Commander, as shown in Figure 3-69.

Figure 3-69 Role configuration

Table 3-57 describes the parameters on the Role configuration page. If some areas are
folded, click to expand the areas.

Table 3-57 Role configuration parameters

| Area | Parameter | Description |
| --- | --- | --- |
| | Commander IP address | This parameter is mandatory. The Commander IP address must exist on the device that functions as the Commander. |
| | UDP port | If you keep this field blank, the default UDP port is used. |
| | Client auto join | If you select Open, the Commander automatically learns client information, including each client's MAC address, ESN, IP address, device type, device model, system software name, configuration file name, and patch file name. This function enables the Commander to monitor and manage basic information and version files for clients on the network. NOTE: After the client auto join function is enabled, the Commander may learn information about unknown clients. If you do not want the Commander to manage unknown clients, disable this function. |
| Server type configure | Server type | Options are FTP, SFTP, and TFTP. NOTE: FTP and TFTP cannot ensure secure file transfer. SFTP is recommended on networks that require high security. |
| | IP | Enter the IP address of the file server. |
| | User name | Enter the user name used to log in to the file server. |
| | Password | Enter the password used to log in to the file server. |
| | Configuration file backup method | Options are No backup, Duplicate, and Overwrite. |
| | Time interval | Set the interval at which you want the Commander to back up configuration files. |
| Download file configuration | File activation method | Options are Default type and Reload type. By default, if downloaded files include a software package (*.cc), clients activate all the downloaded files by restarting. In a batch upgrade, if downloaded files include a configuration file, clients activate all the downloaded files by restarting. |
| | File activation time | Options are Active now, Active delay, and Active in time. If you select Active delay or Active in time, the related parameter is displayed for you to configure. |
| | Client auto clear | If you select Yes, clients will delete non-startup system software packages if they do not have sufficient space for downloaded files. NOTE: Whether clients can automatically clear their storage medium depends on the file server type. If clients download files from a TFTP server, they cannot automatically clear their storage medium because they cannot obtain the sizes of downloaded files. If an FTP or SFTP server is used but the server cannot return the file sizes, clients cannot automatically clear their storage medium. |
| Default download file information | | The files specified here are default files to be downloaded to clients. You can specify a maximum of three self-defined files. If no file is specified in role configuration or group configuration, the default file information is used. |

3. Set parameters on the Role configuration page.


4. Click Apply.

3.5.12.2 Group Configuration


On the Group configuration page, you can query, add, or delete groups.

Context
You can configure a group to:


- Perform a batch upgrade for clients.
- Deploy unconfigured devices.

Procedure
- Query group information.
1. Choose System Management > EasyOperation > Group configuration in the
navigation tree to display the Group configuration page, as shown in Figure 3-70.

Figure 3-70 Query group information

2. Table 3-58 describes the parameters for querying groups.

Table 3-58 Group query parameters

| Parameter | Description |
| --- | --- |
| Group name | Enter the name of the group you want to query. |
| Group type | Enter the type of the groups you want to query. |
| File activation method | The system displays the groups that use the specified file activation method. |
| File activation time | The system displays the groups that have the specified file activation time configured. |

3. Set the search criteria.


4. Click Query. The system displays the groups meeting the search criteria in the group
list.
- Create a group.
1. On the Group configuration page, click New to display the Add Group dialog box.
2. To create a built-in group, set Group type to Built-in, as shown in Figure 3-71. Table
3-59 describes the parameters for a built-in group.


Figure 3-71 Built-in group configuration

Table 3-59 Parameters for a built-in group

| Parameter | Description |
| --- | --- |
| Group type | Select Built-in. |
| Group name | Keep this field blank for a built-in group. |
| Matching method | Select a device type as required. |
| File download settings | Set the file activation method, time, and information about files to be downloaded. |

To create a customized group, set Group type to Custom, as shown in Figure


3-72. Table 3-60 describes the parameters for a customized group.


Figure 3-72 Customized group configuration

Table 3-60 Parameters for a customized group

| Parameter | Description |
| --- | --- |
| Group type | Select Custom. |
| Group name | This parameter is mandatory. The name must start with a letter (lowercase a to z or uppercase A to Z). |
| Matching method | A customized group supports the following matching methods. Device type: The device type you enter must be the same as the actual device type. Configure a device type-based group if a device type is not supported in built-in groups. Device model: The device model you enter must be the same as the actual device model. MAC: Enter a MAC address and its mask or a MAC address segment and its mask length. ESN: Enter the ESN of a client. IP address: Enter an IP address and its mask or an IP address segment and its mask length. After setting the matching method and rule, click Add. NOTE: A device type-based or device model-based group supports only one matching rule. A MAC-based, ESN-based, or IP address-based group supports a maximum of 256 rules. |
| File download settings | Set the file activation method, time, and information about files to be downloaded. |

3. Set the parameters and click OK.


- Start a batch upgrade.

1. Select the groups that you want to upgrade, as shown in Figure 3-73.

Figure 3-73 Upgrade

2. Click Upgrade.

3.5.12.3 Client Configuration


On the Client configuration page, you can add or delete client information and client
replacement information.

Context
You can perform the following operations on the Client configuration page:
- Add new or unconfigured devices to the client list to deploy the devices.
- Configure client replacement information to implement faulty device replacement.


Procedure
- Query client information.
1. Choose System Management > EasyOperation > Client configuration in the
navigation tree to display the Client configuration page, as shown in Figure 3-74.

Figure 3-74 Client configuration

2. Table 3-61 describes the parameters for querying client information.

Table 3-61 Client query parameters

Parameter | Description

Client ID | Enter the ID of the client you want to query.

MAC | Enter the MAC address of the client you want to query.

ESN | Enter the ESN of the client you want to query.

IP | Enter the IP address of the client you want to query.

Replacement configuration |
  - All: Displays all information meeting the search criteria.
  - Configured: Displays client replacement information meeting the search criteria.
  - Not configured: Displays information meeting the search criteria other than client replacement information.

3. Set the search criteria.


4. Click Query. The system displays the information meeting the search criteria in the
client list and client replacement information list.
- Add a client.
1. On the Client configuration page, click New to display the Add Client dialog box,
as shown in Figure 3-75.


Figure 3-75 Add a client

Table 3-62 describes the parameters for a new client.

Table 3-62 Parameters for a new client

Parameter | Description

Client ID | This parameter is mandatory. Enter the ID of the client you want to add.

Device MAC, Device ESN | Enter the client's MAC address or ESN. Only one of the two parameters can be configured.

File download settings | Specify files to be downloaded.

2. Set the parameters and click OK.


- Add clients in a batch.
1. On the Client configuration page, click Batch to display the Batch dialog box, as
shown in Figure 3-76.


Figure 3-76 Add clients in a batch

2. Click template.zip to download this template to your computer, and then enter client
information in the template.
3. Click Browse and select the template.

4. Click to import client information from the template.


5. Check the imported client information in the Import result area, including client ID,
MAC address, and ESN of each client.

Information about new clients is displayed in the client list, as shown in Figure 3-77. If
Client auto join is enabled on the Commander and the Commander IP address has been
configured on the clients, the client list displays client information learned by the
Commander. The current operating method, phase, and state of each client are also
displayed. The following are examples of the information that may be displayed:
Method: Normal running, Proactively upgrades, Empty configuration upgrade, usb
upgrade, Unknown method
Stage: Initialization, Applicate IP, Access to download the file information, Download,
Active file, Normal running, Unknown stage
State: Finish, Download system-software file, Download configuration file, Download
patch file, Download web file, Download license file, Download custom file1,
Download custom file2, Download custom file3, Unknown state
- Configure client replacement information.

1. In the client list shown in Figure 3-77, click next to the record of the faulty client
to display the Replacement information page, as shown in Figure 3-78.


Figure 3-77 Client list

2. Configure client replacement information.

Figure 3-78 Replacement information

Table 3-63 describes the parameters for client replacement.

Table 3-63 Replacement information

Parameter | Description

Client ID | Enter the ID of the faulty client.

Device MAC, Device ESN | Enter the new client's MAC address or ESN. Only one of the two parameters can be configured.

File download settings | Specify files to be downloaded.


3. Set the parameters and click OK.

3.5.13 License Management


This section describes the functions of loading license files and displaying license status.

Context
You need to activate licenses in either of the following situations:
- You purchase a license to obtain permissions on related functions after purchasing a new
device.
- A license file is already loaded on the device and a new feature is required. In this case,
apply for a new license file, then upgrade and load it.
NOTE

This node is only available in the NAC unified mode.

Only the S5720HI supports this node.

Procedure
Step 1 Choose System Management > License Management.

Figure 3-79 License Management

Step 2 Click System Management in the License Loading area and select the license file to upload.

Step 3 Click Load. The current license file is activated.


NOTE

If you need to adjust a license file between devices (for example, move a license file from device A to
device B) without changing the license authorization certificate, or if an upgraded license file is
incompatible with the original one, click Uninstall in the License Information area to obtain a license
revocation code. Use the license revocation code to obtain a new license file, and activate the license file.

You can view the license status and authorization information in the License Information area.
Table 3-64 describes license parameters.


Table 3-64 License parameters

Parameter | Description

License status |
  - not loaded: default status. By default, a license is not loaded after the system starts or when it is invalid.
  - Normal: A commercial license enters the Normal state after it is loaded.
  - Trial: A license enters the Trial state when the loaded ESN does not match the license or after the license expires.
  - Demo: A temporary license enters the Demo state after it is loaded.
  - Emergency: When a license enters the Emergency state, dynamic resources on the device are free from the license controls. That is, the device runs with the maximum configurations of dynamic resources. A license can remain in the Emergency state for at most seven days. After seven days, the license returns to its original state.

Authorization Information | Authorization information of the resources controlled by the license (only wireless).

----End

3.6 Interface Management


This chapter describes interface configurations. The interfaces that can be managed include
Ethernet interfaces, Eth-Trunk interfaces, VLANIF interfaces, and LoopBack interfaces. You
can configure the interfaces and view configuration information.

3.6.1 Ethernet
Configure these interfaces as required.

3.6.1.1 Configuring Basic Attributes


You can configure and query the basic attributes of Ethernet interfaces.

Context
To identify an interface, you can set the description of the interface. You can query and configure
Ethernet interfaces as required.

Procedure
- Query basic attributes.
1. Choose Interface Management > Ethernet > Basic Attributes in the navigation tree
to open the Basic Attributes page.
2. Select an interface type from the drop-down list box.
3. Enter the interface number, for example, 0/0/1 (slot ID/subcard ID/interface
number).


4. Click Query to display all matching records.


- Configure basic attributes.
1. Choose Interface Management > Ethernet > Basic Attributes in the navigation tree
to open the Basic Attributes page.
2. Select a record and click Configure. The Configure Basic Attributes page is
displayed, as shown in Figure 3-80.

Figure 3-80 Configure Basic Attributes

Table 3-65 describes the parameters on the Configure Basic Attributes page.

Table 3-65 Configure basic attributes

Parameter | Description

Interface Name | Indicates the name of an interface. The interface name cannot be modified. You can select multiple interfaces each time.
  NOTE
  If only one interface is selected, the configuration of the interface is displayed on the Configure Basic Attributes page. If multiple interfaces are selected, the default settings of the interfaces are displayed. You can select only interfaces of the same type.

PVID | Indicates the default VLAN of the interface. This parameter cannot be modified.

Status | Indicates the status of the interface, which can be enabled or disabled. By default, the status of an interface is enabled. This parameter is mandatory.

Link Type | The value cannot be changed.

Negotiation | Indicates whether auto-negotiation is enabled. This parameter is mandatory. By default, auto-negotiation is enabled, and the duplex mode or interface rate cannot be configured. If auto-negotiation is disabled, the Duplex and Speed parameters can be configured.

Duplex | Indicates the duplex mode of the interface, including full duplex and half duplex. By default, the full duplex mode is enabled on interfaces. This parameter is mandatory.
  To enable an interface to send and receive packets at the same time, enable the full duplex mode on the interface. To disable an interface from sending and receiving packets at the same time, enable the half duplex mode on the interface.
  NOTE
  A GE electrical interface can work in full duplex, half duplex, or auto-negotiation mode. However, if the speed is set to 1000 Mbits/s, the duplex mode must be full duplex or auto-negotiation. A GE optical interface operates in full duplex mode by default. You can configure it to operate in full duplex mode or auto-negotiation mode.

Speed | Indicates the interface speed. This parameter is mandatory.
  NOTE
  The speed on a GE electrical interface can be 10 Mbits/s, 100 Mbits/s, or 1000 Mbits/s. If the duplex mode is set to half duplex, the interface speed cannot be 1000 Mbits/s. The speed on a GE optical interface can be 100 Mbits/s or 1000 Mbits/s. You can set the speed to 100 Mbits/s or 1000 Mbits/s, or enable auto-negotiation.

Jumbo | Indicates the length of a jumbo frame. This parameter is optional.

Combo Type | When the selected interface is set to Combo interface, the Combo type can be configured. The Combo types are classified into auto, copper, and fiber. The default type is auto.

Description | Indicates the description of the interface. This parameter is mandatory.

3. Set parameters.
4. Click OK.
----End

3.6.1.2 Statistics on Interface


You can view traffic statistics on interfaces, update the statistics, or clear the statistics.

Context

NOTICE
The cleared traffic statistics cannot be restored; therefore, confirm the operation before clearing
the traffic statistics.

Procedure
Step 1 Choose Interface Management > Ethernet > Statistics on Interface in the navigation tree to
open the Statistics on Interface page, as shown in Figure 3-81.

Figure 3-81 Statistics on Interface


Step 2 Select a record and click Details to view details about the record.
NOTE

- To obtain the latest traffic statistics, click Refresh.
- To clear traffic statistics on a specified interface and refresh the page, click Clear.
- To clear traffic statistics on all interfaces and refresh the page, click Clear All.

On the Details page, you can refresh, clear, and close the traffic statistics.

----End

3.6.2 Eth-Trunk
An Eth-Trunk is composed of Ethernet links. The Eth-Trunk interface does not exist physically.

The Eth-Trunk has the following advantages:


- Increasing bandwidth: The bandwidth of an Eth-Trunk interface is the total bandwidth of
all member interfaces.
- Improving reliability: When a link fails, traffic is automatically switched to other links.
This ensures reliability of the entire Eth-Trunk.

3.6.2.1 Eth-Trunk Port


An Eth-Trunk load balances incoming and outgoing traffic among multiple links and improves
the bandwidth and connection reliability between two switches.

Context
You can configure Eth-Trunks in the following scenarios:
- The bandwidth is insufficient when two switches are connected through only one link.
- The connection reliability cannot meet requirements when two switches are connected
through only one link.

Procedure
- Query Eth-Trunk information.
1. Choose Interface Management > Eth-Trunk > Eth-Trunkport in the navigation
tree, and the Eth-Trunkport page is displayed, as shown in Figure 3-82.

Figure 3-82 Eth-Trunk


2. Enter the interface name, for example, 12.


3. Click Query to display all matching records.
- Create an Eth-Trunk.
1. Choose Interface Management > Eth-Trunk > Eth-Trunkport in the navigation
tree, and the Eth-Trunkport page is displayed.
2. Click New, and the Create Eth-Trunk page is displayed, as shown in Figure 3-83.

Figure 3-83 Create Eth-Trunk

Table 3-66 describes the parameters on the Create Eth-Trunk page.

Table 3-66 Create Eth-Trunk

Parameter | Description

Eth-Trunk Name | Indicates the name of an Eth-Trunk. This parameter is mandatory.
  NOTE
  - On the S1720, S2720, S2750, S5700S-LI and S5700LI switches, the value ranges from 0 to 63. On the S5720HI switches, the value ranges from 0 to 127.
  - After creating an Eth-Trunk, you can create another Eth-Trunk on the same Create Eth-Trunk page. Enter an Eth-Trunk name and click anywhere on the page. Set parameters of the new Eth-Trunk after the page is refreshed.

BPDU | Indicates whether to enable BPDU. The options are Enable and Disable. By default, BPDU is disabled.
  NOTE
  The value can be Disable on the S1720, S2720, S2750, S5700S-LI and S5700LI.

Working Mode | Indicates the working mode of the Eth-Trunk, including:
  - Manual load balancing mode
    When the bandwidth or the reliability between two devices needs to be increased and one device does not support LACP, you should create an Eth-Trunk in manual load balancing mode and add member interfaces to the Eth-Trunk.
  - Static LACP mode
    The links between two devices can implement redundancy backup. When a fault occurs on some links, the backup links replace the faulty ones to keep data transmission uninterrupted.
  The default mode is manual load balancing.
  NOTE
  - Check whether the Eth-Trunk contains member interfaces before you set the working mode of the Eth-Trunk. If the Eth-Trunk contains member interfaces, the working mode of the Eth-Trunk cannot be changed.
  - The working modes on the local end and remote end must be the same.

Min Active Links | Indicates the lower threshold of the number of active interfaces. You can specify the lower threshold of active interfaces in the Eth-Trunk. If the number of active interfaces is smaller than this value, the status of the Eth-Trunk becomes Down.
  NOTE
  - The lower threshold must not be greater than the upper threshold.
  - The lower thresholds of active member interfaces can be set to different values for the local end and remote end. If the lower thresholds at the two ends are different, the greater one is used.

Max Active Links | Indicates the upper threshold of the number of active interfaces.
  NOTE
  - The lower threshold must not be greater than the upper threshold.
  - The upper thresholds of active member interfaces can be set to different values for the local end and remote end. If the upper thresholds at the two ends are different, the smaller one is used.

Load Balancing Mode | Indicates the load balancing mode of the Eth-Trunk, including:
  - Destination IP
  - Destination MAC
  - Source IP
  - Exclusive-or of source and destination IP
  - Source MAC
  - Exclusive-or of source and destination MAC
  By default, load balancing is based on the "Exclusive-OR" result of the source and destination IP addresses.

Link Type | Indicates the link type of an interface. The value cannot be changed.

Jumbo | Indicates the length of a Jumbo frame. This parameter is optional.

Description | Indicates the description of the created Eth-Trunk.

Select Interface | Adds member interfaces to the Eth-Trunk. An Eth-Trunk contains a maximum of eight member interfaces.
  NOTE
  - Member interfaces of an Eth-Trunk must have the same interface type.
  - A member interface cannot be an Eth-Trunk.

3. Set parameters.

When selecting the interface:
- If this interface is already used by another Eth-Trunk, it is unavailable and cannot be
selected.
- If this interface is not configured, you can select it.
- If this interface has configurations from other modules (other than shutdown and combo), the
Configure Basic Attributes page is displayed, as shown in Figure 3-84. You can
clear the original configurations of this interface.

Figure 3-84 Interface Configuration Information

4. Click OK.
- Modify an Eth-Trunk.


1. Choose Interface Management > Eth-Trunk > Eth-Trunkport in the navigation
tree to open the Eth-Trunkport page.
2. Select a record that you want to modify and click to open the Modify Eth-
Trunk page, as shown in Figure 3-85.

Figure 3-85 Modify Eth-Trunk

Table 3-66 describes the parameters on the Modify Eth-Trunk page.

NOTE

- The Eth-Trunk name cannot be modified.
- Before changing the working mode of an Eth-Trunk, ensure that the Eth-Trunk does not
contain any member interfaces.
3. Set parameters.

When selecting the interface:
- If this interface is already used by another Eth-Trunk, it is unavailable and cannot be
selected.
- If this interface is not configured, you can select it.
- If this interface has configurations from other modules (other than shutdown and combo), the
Configure Basic Attributes page is displayed, as shown in Figure 3-86. You can
clear the original configurations of this interface.


Figure 3-86 Interface Configuration Information

4. Click OK.
- Delete Eth-Trunks.
1. Choose Interface Management > Eth-Trunk > Eth-Trunkport in the navigation
tree to open the Eth-Trunkport page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
NOTE

An Eth-Trunk cannot be deleted when it has member interfaces.

----End
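
The rules in Table 3-66 that involve both ends of a link (same working mode, the greater lower threshold and the smaller upper threshold taking effect, at most eight members of one type) can be checked before the change is applied. The following Python check is an added example, not Huawei code; the class and function names, the mode labels and the sample switches are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MAX_MEMBERS = 8  # page: an Eth-Trunk contains a maximum of eight member interfaces


@dataclass
class TrunkEnd:
    """One end of an Eth-Trunk as planned on the Create Eth-Trunk page."""
    device: str
    mode: str        # "manual" or "static-lacp" (labels chosen for this example)
    min_active: int  # Min Active Links
    max_active: int  # Max Active Links
    members: dict = field(default_factory=dict)  # interface name -> interface type


def check_end(end):
    """Return the rule violations that can be detected on a single end."""
    problems = []
    if end.min_active > end.max_active:
        problems.append(f"{end.device}: lower threshold {end.min_active} "
                        f"is greater than upper threshold {end.max_active}")
    if len(end.members) > MAX_MEMBERS:
        problems.append(f"{end.device}: {len(end.members)} members, "
                        f"maximum is {MAX_MEMBERS}")
    types = set(end.members.values())
    if "Eth-Trunk" in types:
        problems.append(f"{end.device}: a member interface cannot be an Eth-Trunk")
    if len(types) > 1:
        problems.append(f"{end.device}: member types differ: {sorted(types)}")
    return problems


def effective_thresholds(local, remote):
    """When the ends differ, the greater lower and the smaller upper value are used."""
    lower = max(local.min_active, remote.min_active)
    upper = min(local.max_active, remote.max_active)
    return lower, upper


def check_pair(local, remote):
    """Return all violations for a planned link between two ends."""
    problems = check_end(local) + check_end(remote)
    if local.mode != remote.mode:
        problems.append(f"working modes differ: {local.device}={local.mode}, "
                        f"{remote.device}={remote.mode}")
    lower, upper = effective_thresholds(local, remote)
    if lower > upper:
        # Consequence of combining the two threshold rules; not stated on the page.
        problems.append(f"effective lower threshold {lower} exceeds "
                        f"effective upper threshold {upper}")
    return problems


def trunk_status(up_links, local, remote):
    """Return (status, active link count) for a given number of usable links."""
    lower, upper = effective_thresholds(local, remote)
    if up_links < lower:
        return "Down", 0          # fewer active interfaces than the lower threshold
    return "Up", min(up_links, upper)  # active interfaces capped at the upper threshold


# Constructed sample plan: two switches joined by four GE links.
SW_A = TrunkEnd("SwitchA", "static-lacp", 2, 4,
                {f"GE0/0/{i}": "GE" for i in range(1, 5)})
SW_B = TrunkEnd("SwitchB", "static-lacp", 3, 3,
                {f"GE0/0/{i}": "GE" for i in range(1, 5)})

if __name__ == "__main__":
    print(check_pair(SW_A, SW_B))       # no violations
    print(effective_thresholds(SW_A, SW_B))
    print(trunk_status(2, SW_A, SW_B))  # two links left: below the effective lower threshold
```

With these sample values SwitchB's lower threshold of 3 governs the link, so losing two of the four links takes the whole Eth-Trunk Down even though SwitchA alone would tolerate it.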

3.6.2.2 System LACP Priority


You can configure the LACP priorities in the system.

Context
Only the Eth-Trunk in static LACP mode needs to be configured with the LACP priority. The
default LACP priority is 32768.

Procedure
Step 1 Choose Interface Management > Eth-Trunk > System LACP Priority in the navigation tree
to open the System LACP Priority page, as shown in Figure 3-87.


Figure 3-87 System LACP Priority

Table 3-67 describes the parameters on the System LACP Priority page.

Table 3-67 System LACP Priority

Parameter | Description

Priority | Indicates the system LACP priority. This parameter is mandatory.
  NOTE
  A smaller value indicates a higher priority.

Step 2 Set the parameters.

Step 3 Click Apply to complete the configuration.

----End

3.6.3 VLANIF
When a switch needs to communicate with the devices at the network layer, you can create a
logical interface based on a VLAN on the switch, namely, a Vlanif interface. The VLANIF
interface does not exist physically.

Context
A Vlanif interface is a Layer 3 interface and can be configured with an IP address. Before creating
a Vlanif interface, you must create a VLAN. With a Vlanif interface, the switch can communicate
with the devices at the network layer.

NOTICE
If a Vlanif interface whose IP address is the same as the switch address is deleted or shut down,
you cannot log in to the Web system. In this case, you need to change the IP address of the Vlanif
interface. After changing the Vlanif address, you must log in to the switch with the new address.


Procedure
- Query VLANIF interface information.
1. Choose Interface Management > VLANIF in the navigation tree to open the
VLANIFport page.
2. Enter the number of the interface that you want to query, for example, 10. If you do
not enter any interface number, all Vlanif interfaces are displayed.
3. Click Query to display all matching records.
4. Select a record and click Details to view details about the record.
NOTE

To view real-time interface information, click the VLANIF tab on the left to refresh the page.
- Create a VLANIF interface.
1. Choose Interface Management > VLANIF in the navigation tree to open the
VLANIFport page.
2. Click New to open the Create VLANIF page, as shown in Figure 3-88.

Figure 3-88 Create VLANIF

Table 3-68 describes the parameters on the Create VLANIF page.

Table 3-68 Create VLANIF

Parameter | Description

VLAN ID | Indicates the VLAN ID corresponding to the new Vlanif interface. This parameter is mandatory.

Status | Indicates the status of the Vlanif interface, which can be enabled or disabled. By default, a Vlanif interface is Up. This parameter is mandatory.

MTU | Indicates the MTU of the Vlanif interface.

Portal Server | Indicates the name of the Portal server from the drop-down list box.
  NOTE
  The S1720, S2720 and S2750EI do not support this parameter.

Description | Indicates the description of the Vlanif interface.

IPv4 Address > IPv4 Address | Indicates the IPv4 address of the Vlanif interface, for example, 10.10.10.1.

IPv4 Address > Mask | Indicates the mask of the IP address. Select a mask from the drop-down list box.

IPv4 Address > Sub IP Address | Indicates the secondary IP address of the Vlanif interface.

IPv4 Address > Mask | Indicates the mask of the secondary IP address. Select a mask from the drop-down list box.
  NOTE
  The Add and Delete buttons are used to add and delete secondary IP addresses.

3. Set parameters.
4. Click OK.
- Modify the VLANIF interface configuration.
1. Choose Interface Management > VLANIF in the navigation tree to open the
VLANIFport page.
2. Select a record that you want to modify and click to open the Modify VLANIF
page, as shown in Figure 3-89.


Figure 3-89 Modify VLANIF

NOTE

- Table 3-68 describes the parameters on the Modify VLANIF page.
- The Vlanif interface name cannot be changed.
3. Set parameters.
4. Click OK.
- Delete a VLANIF interface.
1. Choose Interface Management > VLANIF in the navigation tree to open the
VLANIFport page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.

----End

3.6.4 LoopBack
A LoopBack interface is a logical interface. It is always Up. The LoopBack interface is usually
used in loopback tests.

Context
According to the TCP/IP protocol suite, the IP addresses in the network segment 127.0.0.0 are
LoopBack addresses. The system automatically creates an interface using loopback address
127.0.0.1. This interface is used to receive datagrams sent to the local device.

Procedure
- Query LoopBack interface information.
1. Choose Interface Management > LoopBack in the navigation tree to open the
LoopBackport page.


2. Enter the number of the interface that you want to query, for example, 12.
3. Click Query to display all matching records.
NOTE
If you do not enter any interface number, the system displays all loopback interfaces.
- Create a LoopBack interface.
1. Choose Interface Management > LoopBack in the navigation tree to open the
LoopBackport page.
2. Click New to open the Create LoopBack page, as shown in Figure 3-90.

Figure 3-90 Create LoopBack

Table 3-69 describes the parameters on the Create LoopBack page.

Table 3-69 Create LoopBack

Parameter | Description

LoopBack Name | Indicates the number of the LoopBack interface. This parameter is mandatory.

IP Address | Indicates the IP address of the LoopBack interface, for example, 10.10.10.1.

Mask | Indicates the mask of the IP address. Select a mask from the drop-down list box, for example, 24 (255.255.255.0).

Description | Indicates the description of the LoopBack interface.

3. Set parameters.
4. Click OK.
- Modify the LoopBack interface configuration.
1. Choose Interface Management > LoopBack in the navigation tree to open the
LoopBackport page.
2. Select a record that you want to modify and click to open the Modify LoopBack
page, as shown in Figure 3-91.

Figure 3-91 Modify LoopBack

NOTE

- Table 3-69 describes the parameters on the Modify LoopBack page.
- The LoopBack interface name cannot be changed.
3. Set parameters.
4. Click OK.
- Delete a LoopBack interface.
1. Choose Interface Management > LoopBack in the navigation tree to open the
LoopBackport page.


2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.

----End

3.7 Service Management


This chapter describes service management for the switch. The Web system provides
management functions for VLAN, MAC, STP, Voice VLAN, DHCP, ARP, VRRP, and IGMP
Snooping services. You can query and configure the required services.

3.7.1 VLAN
The following sections describe how to configure and query VLANs, hybrid interfaces, access
interfaces, trunk interfaces, and VLANIF interfaces.

A local area network (LAN) can be divided into several logical LANs. Each logical LAN is a
broadcast domain, which is called a virtual LAN (VLAN). To put it simply, devices on a LAN
are logically grouped into different LAN segments, regardless of their physical locations.
VLANs isolate broadcast domains on a LAN.

3.7.1.1 VLAN
You can create, query, modify, and delete VLANs. In addition, you can create VLANs in a batch.

Context
- The switch supports 4094 VLANs from VLAN 1 to VLAN 4094.
- VLANs can isolate the hosts that require no communication with each other, which
improves network security, reduces broadcast traffic, and suppresses broadcast storms.

Procedure
- Query VLAN information.
1. Choose Service Management > VLAN > VLAN in the navigation tree to open the
VLAN page.
2. Enter a VLAN ID. If you do not enter any VLAN ID, all VLANs are displayed.
3. Click Query to display all matching records.
- Create a VLAN.
1. Choose Service Management > VLAN > VLAN in the navigation tree to open the
VLAN page.
2. Click New to open the Create VLAN page, as shown in Figure 3-92.


Figure 3-92 Create VLAN

Table 3-70 describes the parameters on the page.

Table 3-70 Create VLAN

Parameter | Description

VLAN ID | Indicates the IDs of VLANs. The value ranges from 1 to 4094. This parameter is mandatory. You can enter multiple VLAN IDs, for example, 1-3,5,7,9. VLAN 1 is the default VLAN, and the system will not re-create it.

Description | Indicates the description of a VLAN. This parameter is optional. When you create VLANs in a batch, keep the description empty.

3. Set parameters.
4. Click OK.
- Modify a VLAN.
1. Choose Service Management > VLAN > VLAN in the navigation tree to open the
VLAN page.
2. Click the icon to open the Modify VLAN page, as shown in Figure 3-93.


Figure 3-93 Modify VLAN

NOTE

- Table 3-70 describes the parameters on the page.
- The VLAN ID cannot be changed.
3. Set parameters.
4. Click OK.
- Delete a VLAN.
1. Choose Service Management > VLAN > VLAN in the navigation tree to open the
VLAN page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE

- VLAN 1 is the default VLAN and cannot be deleted.
- A VLAN cannot be deleted when it has the VLANIF interface configured.
3. Click OK.

----End
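
The VLAN ID field syntax in Table 3-70 (for example, 1-3,5,7,9) and the creation and deletion rules in this procedure can be validated offline before a batch is entered in the Web system. The following Python code is an added example, not part of the Huawei guide or software; the function names are assumptions, and rejecting descending ranges such as 5-3 is a choice made here because the page does not say how the device treats them.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094  # page: the switch supports VLAN 1 to VLAN 4094
DEFAULT_VLAN = 1              # page: VLAN 1 is the default VLAN

# One item of the field: a single ID ("5") or a range ("1-3").
_ITEM = re.compile(r"(\d+)(?:-(\d+))?", re.ASCII)


def parse_vlan_list(text):
    """Expand a VLAN ID field such as '1-3,5,7,9' into a sorted list of IDs."""
    ids = set()
    for raw in text.split(","):
        item = raw.strip()
        match = _ITEM.fullmatch(item)
        if not match:
            raise ValueError(f"malformed item {item!r}")
        start = int(match.group(1))
        end = int(match.group(2)) if match.group(2) else start
        if start > end:
            raise ValueError(f"descending range {item!r}")
        if start < VLAN_MIN or end > VLAN_MAX:
            raise ValueError(f"{item!r} is outside {VLAN_MIN}-{VLAN_MAX}")
        ids.update(range(start, end + 1))
    return sorted(ids)


def plan_create(text, description=""):
    """Return (to_create, skipped, errors) for a Create VLAN request."""
    try:
        ids = parse_vlan_list(text)
    except ValueError as exc:
        return [], [], [str(exc)]
    errors = []
    if len(ids) > 1 and description:
        # page: when you create VLANs in a batch, keep the description empty
        errors.append("batch creation: keep the description empty")
    # page: VLAN 1 is the default VLAN, and the system will not re-create it
    skipped = [v for v in ids if v == DEFAULT_VLAN]
    to_create = [v for v in ids if v != DEFAULT_VLAN]
    return to_create, skipped, errors


def deletion_blockers(vlan_ids, vlanif_vlans):
    """Map each VLAN that cannot be deleted to the reason given on the page."""
    blocked = {}
    for vlan in vlan_ids:
        if vlan == DEFAULT_VLAN:
            blocked[vlan] = "VLAN 1 is the default VLAN and cannot be deleted"
        elif vlan in vlanif_vlans:
            blocked[vlan] = "a VLANIF interface is configured on this VLAN"
    return blocked


if __name__ == "__main__":
    # Constructed inputs: the page's own example string and two invalid fields.
    for field_value in ("1-3,5,7,9", "4094-4095", "10,,20"):
        print(field_value, "->", plan_create(field_value))
    # Constructed state: VLANIF 10 exists, so VLAN 10 cannot be deleted.
    print(deletion_blockers([1, 10, 20], vlanif_vlans={10}))
```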

3.7.1.2 Hybrid Port


You can query, modify, or delete the configuration of a hybrid interface.

Context
A hybrid interface can connect to either a user host or a switch, and it can connect to an access
link or a trunk link. A hybrid interface permits frames from multiple VLANs to pass and can
remove VLAN tags of outgoing frames.

Procedure
- Query a hybrid interface.
1. Choose Service Management > VLAN > Hybrid port in the navigation tree to open
the Hybrid port page.
2. Select an interface type from the drop-down list box.


3. Enter the interface number, for example, 0/0/1 (slot ID/subcard ID/interface
number).
4. Click Query to display all matching records.
• Modify the link type.
1. Choose Service Management > VLAN > Hybrid port in the navigation tree to open
the Hybrid port page.
2. Select the interface whose link type you want to change.
3. Click Change Link Type. A dialog box is displayed asking "Modifying the link type
will clear VLANs on the selected interface. Conitnue?"
4. Click OK. The Change Link Type window is displayed, as shown in Figure 3-94.

Figure 3-94 Select a link type

5. Select the link type, access or trunk.


6. Click OK.
• Clear the VLAN configuration.
1. Choose Service Management > VLAN > Hybrid port in the navigation tree to open
the Hybrid port page.
2. Select the interface whose VLAN configuration you want to clear.
3. Click Clear VLANs. A dialog box is displayed asking "Are you sure you want to
clear all VLANs and restore the default VLAN ?"
4. Click OK.
• Modify the hybrid interface configuration.
1. Choose Service Management > VLAN > Hybrid port in the navigation tree to open
the Hybrid port page.
2. Click the icon to open the Modify VLAN configuration on interface page, as
shown in Figure 3-95.


Figure 3-95 Modify VLAN configuration on interface

Table 3-71 describes the parameters on the page.

Table 3-71 Modify VLAN configuration

Parameter         Description

Interface Name    Indicates the name of the interface where you want to modify the
                  configuration. This parameter cannot be modified.

PVID              The value ranges from 1 to 4094. This parameter is mandatory.

Tagged VLAN       Indicates the IDs of VLANs. The value ranges from 1 to 4094. This
                  parameter is optional. You can enter multiple VLAN IDs, for
                  example, 1-3,5,7,9.

UnTagged VLAN     Indicates the IDs of VLANs. The value ranges from 1 to 4094. This
                  parameter is optional. You can enter multiple VLAN IDs, for
                  example, 1-3,5,7,9.

NOTE

A VLAN supports either tagged mode or untagged mode.


3. Set parameters.
4. Click OK.

----End
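The rules in Table 3-71 can be checked before the values are typed into the page. The following is an added example, not part of the original guide or of the switch software; the function names are hypothetical, and the PVID warning is an assumption of this example rather than a rule stated in the table.

```python
"""Pre-check for the values entered on the Modify VLAN configuration page.

Added example: the function names are hypothetical. Rules taken from
Table 3-71: IDs range from 1 to 4094, lists look like "1-3,5,7,9", PVID is
mandatory, and a VLAN is either tagged or untagged, never both.
"""

VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_list(text):
    """Expand a list such as "1-3,5,7,9" into a sorted list of VLAN IDs."""
    text = text.strip()
    if not text:
        return []                      # Tagged/UnTagged VLAN are optional fields
    vlans = set()
    for item in text.split(","):
        item = item.strip()
        first, sep, last = item.partition("-")
        digits_ok = first.isascii() and first.isdigit()
        if sep:
            digits_ok = digits_ok and last.isascii() and last.isdigit()
        if not digits_ok:
            raise ValueError(f"malformed VLAN item: {item!r}")
        low = int(first)
        high = int(last) if sep else low
        if low > high:
            raise ValueError(f"reversed range: {item!r}")
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError(f"VLAN ID out of range 1-4094: {item!r}")
        vlans.update(range(low, high + 1))
    return sorted(vlans)


def check_hybrid_port(pvid, tagged, untagged):
    """Return (errors, warnings) for the three text fields of one interface."""
    errors, warnings = [], []

    pvid = pvid.strip()
    pvid_id = None
    if not pvid:
        errors.append("PVID is mandatory")
    elif not (pvid.isascii() and pvid.isdigit()):
        errors.append(f"PVID is not a number: {pvid!r}")
    elif not VLAN_MIN <= int(pvid) <= VLAN_MAX:
        errors.append(f"PVID out of range 1-4094: {pvid!r}")
    else:
        pvid_id = int(pvid)

    lists = {}
    for name, text in (("Tagged VLAN", tagged), ("UnTagged VLAN", untagged)):
        try:
            lists[name] = set(parse_vlan_list(text))
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
            lists[name] = set()

    # "A VLAN supports either tagged mode or untagged mode."
    both = sorted(lists["Tagged VLAN"] & lists["UnTagged VLAN"])
    if both:
        errors.append(f"VLANs listed as both tagged and untagged: {both}")

    # Assumption of this example: untagged ingress frames are assigned the PVID,
    # so a PVID that is in neither list is usually a mistake worth reviewing.
    allowed = lists["Tagged VLAN"] | lists["UnTagged VLAN"]
    if pvid_id is not None and pvid_id not in allowed:
        warnings.append(f"PVID {pvid_id} is in neither the tagged nor the untagged list")

    return errors, warnings


if __name__ == "__main__":
    # Constructed sample input: VLAN 10 appears in both lists.
    for problem in check_hybrid_port("10", "10,20", "10-12")[0]:
        print("ERROR:", problem)
```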

3.7.1.3 Access Port


You can query, modify, or delete the configuration of an access interface.


Context
An access interface is connected to user hosts. It is mainly used to connect to access links, and
the Ethernet frames transmitted on the access link do not contain VLAN tags. If an access
interface is configured with a default VLAN, the access interface adds a VLAN tag to packets
and sets the VID field in the VLAN tag to the default VLAN ID. The access link transmits only
the Ethernet frames with the default VLAN ID.

Procedure
• Query an access interface.
1. Choose Service Management > VLAN > Access Port in the navigation tree to open
the Access Port page.
2. Select an interface type from the drop-down list box.
3. Enter the interface number, for example, 0/0/1 (slot ID/subcard ID/interface
number).
4. Click Query to display all matching records.
• Modify the link type.
1. Choose Service Management > VLAN > Access Port in the navigation tree to open
the Access Port page.
2. Select the interface whose link type you want to change.
3. Click Change Link Type. A dialog box is displayed asking "Modifying the link type
will clear VLANs on the selected interface. Conitnue?"
4. Click OK. The Change Link Type window is displayed, as shown in Figure 3-96.

Figure 3-96 Select a link type

5. Select the link type. The options are trunk and hybrid.


6. Click OK.
• Clear the VLAN configuration.
1. Choose Service Management > VLAN > Access Port in the navigation tree to open
the Access Port page.
2. Select the interface whose VLAN configuration you want to clear.


3. Click Clear VLANs. A dialog box is displayed asking "Are you sure you want to
clear all VLANs and restore the default VLAN ?"
4. Click OK.
• Add to a VLAN.
1. Choose Service Management > VLAN > Access Port in the navigation tree to open
the Access Port page.
2. Select an interface to be added to the VLAN.
3. Enter the ID of the VLAN to which you want to add the interface.
4. Click Add.

----End

3.7.1.4 Trunk Port


You can query, modify, or delete the configuration of a trunk interface.

Context
A trunk interface connects to a packet switching device and serves a trunk link. A trunk interface
allows frames from multiple VLANs to pass.

Procedure
• Query a trunk interface.
1. Choose Service Management > VLAN > Trunk port in the navigation tree to open
the Trunk port page.
2. Select an interface type from the drop-down list box.
3. Enter the interface number, for example, 0/0/1 (slot ID/subcard ID/interface
number).
4. Click Query to display all matching records.
• Modify the link type.
1. Choose Service Management > VLAN > Trunk port in the navigation tree to open
the Trunk port page.
2. Select the interface whose link type you want to change.
3. Click Change Link Type. A dialog box is displayed asking "Modifying the link type
will clear VLANs on the selected interface. Conitnue?"
4. Click OK. The Change Link Type window is displayed, as shown in Figure 3-97.


Figure 3-97 Select a link type

5. Select the link type. The options are access and hybrid.


6. Click OK.
• Clear the VLAN configuration.
1. Choose Service Management > VLAN > Trunk port in the navigation tree to open
the Trunk port page.
2. Select the interface whose VLAN configuration you want to clear.
3. Click Clear VLANs. A dialog box is displayed asking "Are you sure you want to
clear all VLANs and restore the default VLAN ?"
4. Click OK.
• Modify a trunk interface.
1. Choose Service Management > VLAN > Trunk port in the navigation tree to open
the Trunk port page.
2. Click the icon to open the Modify VLAN configuration on interface page, as
shown in Figure 3-98.

Figure 3-98 Modify VLAN configuration on interface

Table 3-72 describes the parameters on the page.


Table 3-72 Modify VLAN configuration

Parameter         Description

Interface Name    Indicates the name of the interface where you want to modify the
                  configuration. This parameter cannot be modified.

PVID              The value ranges from 1 to 4094. This parameter is mandatory.

PermitVLAN        Indicates the IDs of VLANs. The value ranges from 1 to 4094. This
                  parameter is optional. You can enter multiple VLAN IDs, for
                  example, 1-3,5,7,9.

3. Set parameters.
4. Click OK.

----End

3.7.1.5 VLANIF Port


When a switch needs to communicate with the devices at the network layer, you can create a
logical interface based on a VLAN on the switch, namely, a VLANIF interface. The VLANIF
interface is a configured interface and does not exist physically.

Context
A VLANIF interface is an interface at the network layer and can be configured with an IP address.
Before configuring a VLANIF interface, you must create the corresponding VLAN. The
switch then uses the VLANIF interface to communicate with the devices at the network layer.

NOTICE
• You can also access this page by choosing Interface Management > VLANIF page. The
navigation path provided here enables you to configure VLANIF interfaces directly after
configuring VLANs.

Procedure
• Query VLANIF interface information.
1. Choose Service Management > VLAN > VLANIF port in the navigation tree to
open the VLANIF port page.
2. Enter the number of the interface that you want to query, for example, 10. If you do
not enter any interface number, all VLANIF interfaces are displayed.
3. Click Query to display all matching records.
4. Select a record and click Details to view details about the record.


NOTE

To view real-time interface information, click on the VLANIF port tag page to refresh the
page.
• Create a VLANIF interface.
1. Choose Service Management > VLAN > VLANIF port in the navigation tree to
open the VLANIF port page.
2. Click New to open the Create VLANIF page, as shown in Figure 3-99.

Figure 3-99 Create VLANIF

Table 3-73 describes the parameters on the page.

Table 3-73 Create VLANIF

Parameter           Description

VLAN ID             Indicates the VLAN ID of the new VLANIF interface. This parameter
                    is mandatory.

Status              Indicates the status of the VLANIF interface, which can be
                    enabled or disabled. This parameter is mandatory. By default, the
                    status of a VLANIF interface is Up.

MTU                 Indicates the Maximum Transmission Unit (MTU) of the VLANIF
                    interface.

Portal Server       Indicates the name of the Portal server from the drop-down list
                    box.
                    NOTE
                    The S1720, S2720 and S2750EI do not support this parameter.


Description         Indicates the description of the new VLANIF interface.

IPv4 Address:
  IPv4 Address      Indicates the IPv4 address of the VLANIF interface, for example,
                    10.10.10.1.

  Mask              Indicates the mask of the IP address. Select a subnet mask from
                    the drop-down list box.

  Sub IP Address    Indicates the secondary IP address of the VLANIF interface.

  Mask              Indicates the mask of the secondary IP address. Select a subnet
                    mask from the drop-down list box.
                    NOTE
                    The Add and Delete buttons are used to add and delete secondary
                    IP addresses. You can delete a secondary IP address as well as
                    add another secondary IP address.

3. Set parameters.
4. Click OK.
• Modify the VLANIF interface configuration.
1. Choose Service Management > VLAN > VLANIF port in the navigation tree to
open the VLANIF port page.
2. Select a record that you want to modify and click to open the Modify VLANIF
page, as shown in Figure 3-100.

Figure 3-100 Modify VLANIF


NOTE

• Table 3-73 describes the parameters on the page.
• The VLANIF interface name cannot be changed.
3. Set parameters.
4. Click OK.
• Delete a VLANIF interface.
1. Choose Service Management > VLAN > VLANIF port in the navigation tree to
open the VLANIF port page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.

----End

3.7.2 MAC
Each switch maintains a MAC address table (MAC table for short). The MAC table records
MAC addresses of all the devices connected to interfaces of the switch. When forwarding a data
frame, the switch searches the MAC table for the outbound interface according to the destination
MAC address of the frame. This reduces the number of broadcast frames.

3.7.2.1 MAC Table


You can enter the search criteria to search entries in the MAC table.

Context
The MAC table stores MAC addresses, VLAN IDs, and outbound interfaces learned by a
switch. When forwarding an Ethernet frame, the switch searches the MAC table for the outbound
interface according to the destination MAC address and VLAN ID in the Ethernet frame.

Procedure
Step 1 Choose Service Management > MAC > MAC Table in the navigation tree to open the MAC
Table page, as shown in Figure 3-101.


Figure 3-101 MAC Table

Table 3-74 describes the parameters on the MAC Table page.

Table 3-74 MAC Table

Parameter           Description

MAC Type            Searches MAC entries based on the MAC entry type. The options are
                    All, Static, Dynamic, Blackhole, and Sticky.

Interface Number    Searches MAC entries based on interfaces. Enter the interface
                    type and number, for example, Eth-Trunk12.

MAC                 Searches MAC entries based on MAC addresses.

VLAN                Searches MAC entries based on VLAN IDs.

Step 2 Set the search criteria.

Step 3 Click Query. The search results are displayed.

----End

3.7.2.2 MAC Aging Time


The MAC table needs to be updated constantly because the network topology always changes.
The entries automatically generated in a MAC table are not always valid. Each entry has a
lifecycle. If an entry is not updated within the lifecycle, it is deleted. This lifecycle is called the
aging time. If an entry is updated before its lifecycle ends, the aging timer of the entry is reset.

Context
You need to set the aging time properly. If the aging time is excessively short, the switch may
broadcast a large number of data frames because their destination MAC addresses cannot be
found in the MAC table. This degrades the performance of the switch.
• If the aging time is excessively long, the switch may save a large number of useless MAC
entries, and new MAC entries cannot be added because the number of MAC entries is
limited. As a result, the switch cannot update the MAC table according to network changes.
• If the aging time is excessively short, the switch may delete valid MAC entries, and
therefore the forwarding performance is degraded.
Generally, the default aging time (300s) is recommended.

Procedure
Step 1 Choose Service Management > MAC > MAC Aging Time in the navigation tree to open the
MAC Aging Time page, as shown in Figure 3-102.

Figure 3-102 MAC Aging Time

Table 3-75 describes the parameters on the MAC Aging Time page.

Table 3-75 MAC Aging Time

Parameter Description

Aging Time Indicates the aging time of MAC entries.

Step 2 Set the parameters.


Step 3 Click Apply to complete the configuration.

----End
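The trade-off described in the Context above can be reproduced with a small model. This is an added example, not part of the original guide or of the switch software: the class, the table capacity of 4 entries and the traffic trace are constructed, and the host labels stand in for MAC addresses.

```python
"""Toy model of MAC learning, lookup and aging as described in 3.7.2.

Added example: the capacity and the traffic trace are constructed so that both
failure modes (aging time too short, aging time too long) show up in one run.
"""


class MacTable:
    def __init__(self, aging_time, capacity):
        self.aging_time = aging_time      # seconds
        self.capacity = capacity          # maximum number of entries
        self.entries = {}                 # (vlan, mac) -> (port, last_seen)
        self.floods = 0                   # frames sent to all ports in the VLAN
        self.rejected = 0                 # sources not learned: table was full

    def _age_out(self, now):
        expired = [key for key, (_, seen) in self.entries.items()
                   if now - seen >= self.aging_time]
        for key in expired:
            del self.entries[key]

    def forward(self, now, vlan, src, dst, in_port):
        """Learn the source, then look up the destination.

        Returns the outbound port, or None when the frame must be flooded.
        """
        self._age_out(now)
        key = (vlan, src)
        if key in self.entries or len(self.entries) < self.capacity:
            self.entries[key] = (in_port, now)   # learn, or reset the aging timer
        else:
            self.rejected += 1
        hit = self.entries.get((vlan, dst))
        if hit is None:
            self.floods += 1
            return None
        return hit[0]


def build_trace():
    """Constructed trace of (time, vlan, src, dst, in_port) tuples."""
    frames = []
    for t in range(0, 1201, 60):          # A and B talk once a minute for 20 min
        frames.append((t, 10, "A", "B", 1))
        frames.append((t + 1, 10, "B", "A", 2))
    frames.append((5, 10, "T1", "A", 3))  # two hosts that send once and leave
    frames.append((6, 10, "T2", "A", 4))
    for t in range(600, 1201, 60):        # C and D join after 10 minutes
        frames.append((t + 2, 10, "C", "D", 5))
        frames.append((t + 3, 10, "D", "C", 6))
    return sorted(frames)


def replay(aging_time, capacity=4):
    """Run the trace and return (flooded frames, sources not learned)."""
    table = MacTable(aging_time, capacity)
    for now, vlan, src, dst, port in build_trace():
        table.forward(now, vlan, src, dst, port)
    return table.floods, table.rejected


if __name__ == "__main__":
    for aging in (30, 300, 3600):
        floods, rejected = replay(aging)
        print(f"aging {aging:>4}s: flooded={floods:>2} not_learned={rejected:>2}")
```

With 30 s every conversation floods again each minute, and with 3600 s the entries of the two departed hosts keep the table full so C and D are never learned; the 300 s default avoids both.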

3.7.2.3 MAC Learning


A switch can learn source MAC addresses of data frames. After learning the interface connected
to the destination host, the switch sends data frames to the interface instead of broadcasting data
frames to all interfaces in the VLAN.


Context
By learning MAC addresses, a switch can obtain MAC addresses of devices on the network
connected to an interface.

Procedure
• Query MAC address learning on an interface.
1. Choose Service Management > MAC > MAC Learning in the navigation tree to
open the MAC Learning page.
2. Set the search criteria.
3. Click Query. The search results are displayed.
• Configure MAC address learning on an interface.
1. Choose Service Management > MAC > MAC Learning in the navigation tree to
open the MAC Learning page.
2. In the Configure MAC Learning on Interface group box, select a record and click
Configure. The Configure Dynamic MAC Learning page is displayed, as shown in
Figure 3-103.

Figure 3-103 Configure Dynamic MAC Learning

Table 3-76 describes the parameters on the Configure Dynamic MAC Learning
page.

Table 3-76 Configure Dynamic MAC Learning

Parameter                   Description

Interface Name              Indicates the name of an interface. The interface name
                            cannot be modified. You can select multiple interfaces
                            each time.
                            NOTE
                            If only one interface is selected, the configuration of
                            the interface is displayed. If multiple interfaces are
                            selected, the default settings of the interfaces are
                            displayed.


MAC Learning                Indicates whether to enable MAC address learning.

Max MAC Entries Learned     Indicates the maximum number of MAC addresses that an
                            interface can learn. This parameter limits the number of
                            entries in the MAC table.

3. Set the parameters.


4. Click OK.
NOTE

To cancel the MAC address learning limit on an interface, select the corresponding record on
the MAC Learning page and click Cancel Limit.
• Query MAC address learning on a VLAN.
1. Choose Service Management > MAC > MAC Learning in the navigation tree to
open the MAC Learning page.
2. Set the search criteria.
3. Click Query. The search results are displayed.
• Configure MAC address learning on a VLAN.
1. Choose Service Management > MAC > MAC Learning in the navigation tree to
open the MAC Learning page.
2. In the Configure MAC Learning on VLAN group box, select a record and click
Configure. The Configure Dynamic MAC Learning page is displayed, as shown in
Figure 3-104.

Figure 3-104 Configure Dynamic MAC Learning


Table 3-77 describes the parameters on the Configure Dynamic MAC Learning
page.

Table 3-77 Configure Dynamic MAC Learning

Parameter                   Description

VLAN ID                     Indicates VLAN ID. The VLAN ID cannot be modified. You
                            can select multiple interfaces each time.
                            NOTE
                            If only one interface is selected, the configuration of
                            the interface is displayed. If multiple interfaces are
                            selected, the default settings of the interfaces are
                            displayed.

MAC Learning                Indicates whether to enable MAC address learning.

Max MAC Entries Learned     Indicates the maximum number of MAC addresses that a
                            VLAN can learn. This parameter limits the number of
                            entries in the MAC table.

3. Set the parameters.


4. Click OK.
NOTE

To cancel the MAC address learning limit in a VLAN, select the corresponding record on the
MAC Learning page and click Cancel Limit.

----End

3.7.2.4 Static MAC Table


Static MAC entries are manually configured and never age.

Procedure
• Search static MAC entries.
1. Choose Service Management > MAC > Static MAC Table in the navigation tree to
open the Static MAC Table page.
2. Set the search criteria.
3. Click Query to display all matching records.
• Create a static MAC entry.
1. Choose Service Management > MAC > Static MAC Table in the navigation tree to
open the Static MAC Table page.
2. Click New to open the Create Static MAC Entry page, as shown in Figure 3-105.


Figure 3-105 Create Static MAC Entry

Table 3-78 describes the parameters on the Create Static MAC Entry page.

Table 3-78 Create Static MAC Entry

Parameter         Description

MAC               Indicates a MAC address in the format H-H-H. This parameter is
                  mandatory.

VLAN ID           Indicates the IDs of VLANs. This parameter is mandatory.

Interface Name    Indicates the name of an interface, for example, Eth-Trunk12. This
                  parameter is mandatory.
                  NOTE
                  The interface must be a member of the specified VLAN.

3. Set parameters.
4. Click OK.
• Modify a static MAC entry.
1. Choose Service Management > MAC > Static MAC Table in the navigation tree to
open the Static MAC Table page.
2. Click to open the Modify Static MAC Entry page, as shown in Figure 3-106.


Figure 3-106 Modify Static MAC Entry

NOTE

• Table 3-78 describes the parameters on the Modify Static MAC Entry page.
• The VLAN ID and MAC address cannot be modified.
3. Set parameters.
4. Click OK.
• Delete a static MAC entry.
1. Choose Service Management > MAC > Static MAC Table in the navigation tree to
open the Static MAC Table page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.

----End

3.7.2.5 Blackhole MAC Table


Blackhole MAC entries are used to discard data frames with the specified source or destination
MAC addresses. They are manually configured and never age.

Context
Blackhole MAC entries are used to discard data frames with the specified source or destination
MAC addresses.

Procedure
• Create a blackhole MAC entry.
1. Choose Service Management > MAC > Blackhole MAC Table in the navigation
tree to open the Blackhole MAC Table page.
2. Click New to open the Create Blackhole MAC Entry page, as shown in Figure
3-107.


Figure 3-107 Create Blackhole MAC Entry

Table 3-79 describes the parameters on the Create Blackhole MAC Entry page.

Table 3-79 Create Blackhole MAC Entry

Parameter         Description

Select Entry      Indicates the type of a blackhole MAC entry. This parameter is
                  mandatory. The options are:
                  • Global entry
                  • VLAN-based entry
                  By default, Global entry is selected.

MAC               Indicates a blackhole MAC address, in the format H-H-H.

VLAN ID           Indicates the IDs of VLANs. This parameter is mandatory.
                  This parameter is available only when VLAN-based entry is selected.

3. Set parameters.
4. Click OK.
• Delete a blackhole MAC entry.
1. Choose Service Management > MAC > Blackhole MAC Table in the navigation
tree to open the Blackhole MAC Table page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.

----End

3.7.2.6 Sticky MAC


You can configure the sticky MAC function on an interface.


Context
After the sticky MAC function is enabled on an interface, the dynamic MAC addresses learned
by the interface change to Sticky MAC addresses.

Procedure
• Enable the sticky MAC function.
1. Choose Service Management > MAC > Sticky MAC in the navigation tree to open
the Sticky MAC page, as shown in Figure 3-108.

Figure 3-108 Sticky MAC

Table 3-80 describes the parameters in the Sticky MAC Enable group box on this
page.

Table 3-80 Sticky MAC Enable

Parameter                   Description

Port Security               Indicates whether to enable port security. The options
                            are Enable and Disable. By default, port security is
                            disabled. The following parameters are available only
                            when Enable is selected.


Sticky MAC                  Indicates whether to enable the Sticky MAC function. The
                            options are Enable and Disable. By default, the sticky
                            MAC function is disabled.
                            NOTE
                            If the number of sticky MAC addresses on an interface
                            does not reach the limit, the newly learned MAC addresses
                            are converted to static MAC addresses. When the number of
                            sticky MAC addresses reaches the limit, non-sticky MAC
                            entries are deleted when new MAC addresses are learned.

Interface Protect Mode      Indicates the interface protection mode, that is, the
                            action performed when the number of learned MAC addresses
                            reaches the limit. The options are:
                            • Discard
                              The interface discards all the subsequent packets whose
                              source MAC addresses are not in the MAC table.
                            • Discard and Alarm
                              The interface discards all the subsequent packets whose
                              source MAC addresses are not in the MAC table and sends
                              a trap.
                            • Shutdown
                              The system shuts down the interface and generates an
                              alarm.
                            If the sticky MAC function is disabled, the interface
                            does not send a trap when the number of learned MAC
                            addresses reaches the threshold even if you select the
                            Discard and Alarm option. In this case, the interface
                            only discards new packets whose source MAC addresses are
                            not in the MAC table.

Max MAC Entries Learned     Indicates the maximum number of MAC addresses that an
                            interface can learn. This parameter limits the number of
                            entries in the MAC table.

2. Set the parameters.


3. Click Apply to complete the configuration.

----End
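The three Interface Protect Mode options in Table 3-80, including the case where Discard and Alarm sends no trap because sticky MAC is disabled, behave as in the following model. This is an added example, not part of the original guide or of the switch software; the class and function names are hypothetical and the MAC addresses are constructed.

```python
"""Model of the Interface Protect Mode options described in Table 3-80.

Added example: it follows the table's wording only. What a real interface logs
or how it is re-enabled after Shutdown is outside this model.
"""

DISCARD = "Discard"
DISCARD_AND_ALARM = "Discard and Alarm"
SHUTDOWN = "Shutdown"


class SecurePort:
    def __init__(self, max_entries, protect_mode, sticky=True):
        self.max_entries = max_entries    # "Max MAC Entries Learned"
        self.protect_mode = protect_mode  # "Interface Protect Mode"
        self.sticky = sticky              # "Sticky MAC" enabled or disabled
        self.learned = []                 # source MACs learned so far
        self.up = True
        self.traps = []                   # alarms that would go to the NMS

    def receive(self, src_mac):
        """Process one frame and return what the interface does with it."""
        if not self.up:
            return "port-down"
        if src_mac in self.learned:
            return "forward"
        if len(self.learned) < self.max_entries:
            self.learned.append(src_mac)
            return "learn"
        # The limit is reached and the source MAC is not in the table.
        if self.protect_mode == SHUTDOWN:
            self.up = False
            self.traps.append(f"interface shut down by {src_mac}")
            return "shutdown"
        # Per Table 3-80, Discard and Alarm sends no trap when sticky MAC is
        # disabled; the frame is still discarded.
        if self.protect_mode == DISCARD_AND_ALARM and self.sticky:
            self.traps.append(f"limit exceeded by {src_mac}")
        return "discard"


# Constructed frame sequence in H-H-H notation: two known hosts, then a third
# source address that appears after the limit of 2 has been reached.
SAMPLE_FRAMES = [
    "0000-5e00-5301", "0000-5e00-5302", "0000-5e00-5301",
    "0000-5e00-53ff", "0000-5e00-53ff", "0000-5e00-5302",
]


def replay(protect_mode, sticky=True, max_entries=2, frames=SAMPLE_FRAMES):
    """Return (per-frame outcomes, number of traps, interface still up)."""
    port = SecurePort(max_entries, protect_mode, sticky)
    outcomes = [port.receive(mac) for mac in frames]
    return outcomes, len(port.traps), port.up


if __name__ == "__main__":
    for mode, sticky in ((DISCARD, True), (DISCARD_AND_ALARM, True),
                         (DISCARD_AND_ALARM, False), (SHUTDOWN, True)):
        outcomes, traps, up = replay(mode, sticky)
        print(f"{mode:<18} sticky={sticky!s:<5} traps={traps} up={up} {outcomes}")
```

Shutdown also cuts off the two legitimate hosts until an administrator brings the interface back up, which is the availability cost to weigh against the stronger containment.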


3.7.3 STP
The following sections describe how to query the STP information and set the global STP
parameters, STP parameters on an interface, and parameters of an MST region.

The Spanning Tree Protocol (STP) is applicable to ring networks. It uses certain algorithms to
implement path redundancy and prune a ring network into a tree-type network. This prevents
packets from multiplying and circulating endlessly in the ring network.

3.7.3.1 STP Information


You can view STP information on the STP Information page.

Procedure
Step 1 Choose Service Management > STP > STP Information in the navigation tree to open the
STP Information page.

Step 2 Detailed STP information is displayed, as shown in Figure 3-109.


Figure 3-109 STP Information

----End

3.7.3.2 STP Global


You can set global STP parameters on the STP Global page.

Context
On certain networks, you need to modify STP parameters of some switches to optimize their
performance.


Procedure
Step 1 Choose Service Management > STP > STP Global in the navigation tree to open the STP
Global page, as shown in Figure 3-110.

Figure 3-110 STP Global

Table 3-81 describes the parameters on the STP Global page.

Table 3-81 STP Global

Parameter             Description

STP                   Indicates whether to enable STP. The options are Enable and
                      Disable. By default, STP is enabled.

Instance:
  Instance            Indicates the ID of a multi-spanning tree instance (MSTI). You
                      can enter any MSTI ID ranging from 0 to 4094.

  Root Type           Indicates the root type of the switch. The options are:
                      • Not set
                        The root type is not set.
                      • Primary
                        The switch is configured as root switch of the MSTI.
                      • Secondary
                        The switch is configured as the backup root switch of the
                        MSTI.
                      By default, the Not set option is selected.


  Priority            Specifies the priority of the switch.
                      The priority is a major basis for the spanning tree
                      calculation. You can set different priorities for a switch in
                      different MSTIs.
                      NOTE
                      In an instance, if Root Type is Not set, you can select a
                      priority from the drop-down list box. If Root Type is Primary
                      or Secondary, the priority cannot be set.

Advanced Configuration:
  BPDU Protection     Indicates whether to enable BPDU protection. The options are
                      Enable and Disable. By default, BPDU protection is disabled.
                      After BPDU protection is enabled, the switch shuts down the
                      edge interfaces that receive BPDUs and notifies the NMS. The
                      shutdown interfaces can only be manually started by the
                      network administrator.

  Timeout             Indicates the timeout interval. The timeout interval is
                      calculated based on the hello interval and hello time
                      multiplier.

  Working Mode        Indicates the working mode of STP. The options are:
                      • MSTP
                        The switch sends MSTP BPDUs in this mode.
                      • STP
                        The switch sends STP BPDUs in this mode.
                      • RSTP
                        The switch sends RSTP BPDUs in this mode.
                      The default mode is MSTP.

  Max Hops            Indicates the maximum hop count of the spanning tree in an MST
                      region. The default value is 20.
                      This parameter limits the network scale of the spanning tree
                      in the MST region. A configuration message has the maximum hop
                      count on the root bridge. The hop count decreases by 1 every
                      time the configuration message passes a switch. When the hop
                      count decreases to 0, the configuration message is discarded;
                      therefore, switches with larger hop count from the root bridge
                      cannot participate in the spanning tree calculation. This
                      limits the network scale in an MST region.


  Pathcost Standard   Indicates the algorithm used to calculate the path cost. The
                      options are:
                      • dot1t
                        Indicates the algorithm defined in IEEE 802.1t.
                      • dot1d-1998
                        Indicates the algorithm defined in IEEE 802.1d.
                      • legacy
                        Indicates Huawei algorithm.
                      The default algorithm is dot1t.

  Bridge-diameter     Indicates the network diameter in the MST region. The default
                      value is 7.
                      The network diameter refers to the maximum number of devices
                      between any two devices on a network. The network diameter
                      reflects the network scale.

  STP Converge Mode   Indicates the STP convergence mode. The options are:
                      • Fast
                        In this mode, the switch deletes the useless MAC address
                        entries and ARP entries directly.
                      • Normal
                        In this mode, the switch sets the remaining aging time of
                        the MAC address entries and the ARP entries to 0 and ages
                        them. If the number of ARP aging detection times is greater
                        than 0, the switch carries out aging detection of the ARP
                        entries.
                      The default mode is Normal.

Set Bridge Diameter and Timer:
  forward-delay       Indicates the delay of port status transition. The default
                      value is 1500 centiseconds.

  hello time          Indicates the interval for sending hello packets. The root
                      bridge sends hello packets at this interval to check whether
                      faulty links exist. The default value is 200 centiseconds.

  Max-age             Indicates the maximum lifetime of a configuration message.
                      This parameter determines whether a configuration message has
                      expired. The default value is 2000 centiseconds.

Step 2 Set the parameters.

Step 3 Click Apply to complete the configuration.

----End


3.7.3.3 STP Interface


You can set STP parameters on an interface.

Context
On certain networks, you need to modify STP parameters of some switches to optimize their
performance.

Procedure
Step 1 Choose Service Management > STP > STP Interface in the navigation tree, and the STP
Interface page is displayed.

Step 2 Select an interface and click Configure, and the STP Interface Settings page is displayed, as
shown in Figure 3-111.

Figure 3-111 STP Interface Settings

Table 3-82 describes the parameters on the STP Interface Settings page.


Table 3-82 STP Interface Settings

Parameter Description

Interface Indicates the name of an interface. It is displayed


automatically and cannot be modified after you
select an interface. You can select only one
interface each time.

MSTP Indicates whether to enable MSTP. By default,


MSTP is enabled.
When STP is disabled on an interface, the interface
does not take part in the spanning tree calculation
and is always in Forwarding state.
NOTE
Loops may occur when STP is disabled on an interface.

Instance:
Instance Indicates the ID of an MSTI. You can select any
MSTI ID ranging from 0 to 4094.

Port Priority Indicates the priority of the interface.
The priority of an interface affects its role in the
specified MSTI. You can set different priorities for
an interface in different MSTIs so that traffic of
VLANs can be load balanced among different
physical links.
NOTE
When the priority of an interface changes, MSTP
recalculates the role of the interface and changes the
status of the interface.

Path Cost Indicates the path cost of the interface. The value
range varies according to the calculation algorithm
of path costs. The value ranges from 1 to 200000
when the Huawei algorithm is used; the value ranges
from 1 to 65535 when the algorithm defined in
IEEE 802.1D is used; the value ranges from 1 to
200000000 when the algorithm defined in IEEE
802.1t is used.
The path cost is the basis for calculating the
spanning tree. If you set different path costs for an
interface in different MSTIs, traffic of different
VLANs is load balanced among multiple physical
links.
NOTE
When the path cost of an interface changes, MSTP
recalculates the spanning tree based on the new path cost.

Advanced:
Edge port When the spanning tree is recalculated, edge ports
transit to the Forwarding state directly, which
reduces the status transition time. If an Ethernet
port is not connected to any Ethernet port of
the switch, you need to configure the Ethernet port
as an edge port. There are three statuses: enable,
disable, none. The default value is none.

Protection Type Indicates the protection type on an interface. The
options are:
- None
No protection type is adopted.
- Root protection
Root protection prevents topology changes
caused by incorrect configurations or malicious
attacks.
- Loop protection
When link congestion occurs or a
unidirectional link is generated, the port
connected to the link cannot receive BPDUs
from the upstream switch. In this case, the
local switch selects a new root port, the original
root port becomes the designated port, and the
blocked port transits to the Forwarding state.
A loop is then generated on the switching
network. To prevent this problem, you can
enable loop protection.

Point To Point Indicates the point-to-point connection type of the
interface. The options are:
- auto
The interface automatically detects whether it
is connected to a point-to-point link.
- force-true
The interface is connected to a point-to-point
link.
- force-false
The interface is not connected to a point-to-point
link.
The default value is auto.

Max BPDUs Sent Indicates the maximum number of BPDUs that an
interface can send in a hello interval.
A larger value indicates more BPDUs sent in a
hello interval and therefore more system resources
occupied. A proper value of this parameter can
limit the rate of sending BPDUs and prevent
excessive bandwidth usage when network flapping
occurs.

Digest Snooping Indicates whether to enable digest snooping. By
default, digest snooping is disabled.
NOTE
You can configure digest snooping to make the BPDU
key of a Huawei device the same as that of a third-party
device.

Rapid Transition Indicates the rapid status transition mode. The
options are Normal and Enhanced. The default
value is Enhanced.

Step 3 Set the parameters.

Step 4 Click OK.


NOTE

Select a record on the STP Interface Settings page and click Details. Detailed STP settings of the interface
are displayed.

----End

3.7.3.4 MST Region


You can modify the configuration of an MST region.

Context
You need to modify the configuration of an MST region when you want to add a switch that is
not enabled with STP to the MST region or move a switch enabled with STP from one MST
region to another.

Procedure
Step 1 Choose Service Management > STP > MST Region in the navigation tree to open the MST
Region page.

Step 2 Click Modify to open the Modify Revision level page, as shown in Figure 3-112.

Figure 3-112 Modify Revision level

Table 3-83 describes the parameters on the Modify Revision level page.

Table 3-83 Modify Revision level

Parameter Description

Region Name Indicates the name of an MST region. The
default value is the MAC address of the
switch.
The MST region name, the VLAN mapping
table, and the MSTP revision level identify
the region that the switch belongs to.

Revision Level Indicates the MSTP revision level of the MST
region.
The MST region name, the VLAN mapping
table, and the MSTP revision level identify
the region that the switch belongs to.

Instance-VLAN Mapping Configuration Indicates the mappings between MSTIs and
VLANs. You can add, modify, or delete a
mapping. The following step is to add an
instance-VLAN mapping.

Add an instance-VLAN mapping.


1. Click Add to open the Add Instance-VLAN Mapping page.

2. Set the parameters.

NOTE
You need to set the following parameters:
- Instance: select an instance ID.
- VLAN: enter a VLAN ID.

3. Click Add.

Step 3 Set the parameters.

Step 4 Click Activate to complete the configuration.

----End

3.7.4 Voice VLAN


A voice VLAN is assigned to voice data flows. You can create a voice VLAN and add the
interface connected to a voice device to the voice VLAN. Then voice data flows can be
transmitted on the voice VLAN.

By configuring a voice VLAN, you can set quality of service (QoS) parameters for voice data
flows to increase the priority of the voice service and improve the quality of calls.

3.7.4.1 Voice VLAN


You can set parameters of a voice VLAN.

Context
- A voice VLAN is assigned to voice data flows. You can create a voice VLAN and add the
interface connected to a voice device to the voice VLAN. Then voice data flows can be
transmitted in the voice VLAN.
- After a voice VLAN is configured, interfaces connected to IP voice devices can be added
to or deleted from the voice VLAN automatically or manually and voice data flows can be
transmitted in the voice VLAN.

Procedure
- Query voice VLAN information.
1. Choose Service Management > Voice VLAN > Voice VLAN in the navigation tree
to open the Voice VLAN page.
2. Set the search criteria.
3. Click Query to display all the matching records.
- Configure a voice VLAN.
1. Choose Service Management > Voice VLAN > Voice VLAN in the navigation tree
to open the Voice VLAN page.
2. Select an interface and click Configure to open the Configure Voice VLAN page,
as shown in Figure 3-113.

Figure 3-113 Configure Voice VLAN

Table 3-84 describes the parameters on the Configure Voice VLAN page.

Table 3-84 Configure Voice VLAN

Parameter Description

Interface Name Indicates the name of an interface. The
interface name cannot be modified. You
can select multiple interfaces each time.
NOTE
If only one interface is selected, the
configuration of the interface is displayed on
the Configure Voice VLAN page. If
multiple interfaces are selected, the default
settings of the interfaces are displayed.

Voice VLAN Status Indicates whether to enable the voice
VLAN function. The options are
Enable and Disable. By default, the
value is Disable.

Voice VLAN ID Indicates the ID of the voice VLAN.
This parameter is mandatory when the
voice VLAN function is enabled.

Re-mark Mode Indicates the priority remarking mode of
the voice VLAN. The options are vlan
and mac-address.

Working Mode Indicates the working mode of the voice
VLAN. The options are Auto and
Manual.

Security Mode Indicates whether to enable the security
mode. The options are Security and
Normal.

Legacy Indicates whether an interface can communicate
with third-party voice devices. The
options are Enable and Disable.

3. Set the parameters.
4. Click OK.

----End

3.7.4.2 Voice VLAN OUI


A switch checks whether an incoming flow is a voice data flow according to the source MAC
address of the data flow. If the source MAC address of the data flow matches the organizationally
unique identifier (OUI) address set in the system, the switch considers the data flow as a voice
data flow. When an interface receives a voice data flow, the interface is added to the voice VLAN
automatically. The voice flows with the voice VLAN tag sent from the voice device connected
to the interface can be forwarded by the interface.

Context
You can set an OUI address. The OUI is the first 24 bits of a MAC address. The Institute of
Electrical and Electronics Engineers (IEEE) assigns an OUI to each vendor and you can identify
the vendor of a device according to the OUI. You can set the mask of the OUI on the switch to
adjust the length of the MAC address that the switch matches with the OUI.
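The OUI and mask matching described above, as an added example that is not part of the Huawei guide: it classifies source MAC addresses against a list of OUI entries and reports how many address bits each mask actually checks. The masked comparison, the function names and the two sample entries are assumptions made for illustration.

```python
import re

OUI_BITS = 24  # the page: the OUI is the first 24 bits of a MAC address
MAC_BITS = 48


def parse_mac(text):
    """Parse H-H-H (0022-0022-0022) or twelve bare hex digits into an int."""
    digits = re.sub(r"[-:.\s]", "", text)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def make_rule(oui, mask, description):
    """Build one OUI entry; bits outside the mask are ignored, so clear them."""
    mask_value = parse_mac(mask)
    return {
        "oui": parse_mac(oui) & mask_value,
        "mask": mask_value,
        "description": description,
    }


def classify(src_mac, rules):
    """Return the description of the first entry the source MAC matches, else None.

    Assumption: a masked comparison, (source & mask) == (OUI & mask).
    """
    src = parse_mac(src_mac)
    for rule in rules:
        if (src & rule["mask"]) == rule["oui"]:
            return rule["description"]
    return None


def audit_rules(rules):
    """Report how many address bits each entry checks and how many MACs it admits."""
    report = []
    for rule in rules:
        checked = bin(rule["mask"]).count("1")
        if checked < OUI_BITS:
            finding = "checks fewer bits than an OUI"
        elif checked == OUI_BITS:
            finding = "checks 24 bits"
        else:
            finding = "checks more bits than an OUI"
        report.append({
            "description": rule["description"],
            "checked_bits": checked,
            "matching_addresses": 2 ** (MAC_BITS - checked),
            "finding": finding,
        })
    return report


# Constructed sample entries, not taken from any device.
RULES = [
    make_rule("0812-f200-0000", "ffff-ff00-0000", "constructed phone vendor"),
    make_rule("0022-0000-0000", "ffff-0000-0000", "constructed wide entry"),
]

if __name__ == "__main__":
    for mac in ("0812-f231-05e1", "0022-0022-0022", "0a00-0000-0001"):
        print(mac, "->", classify(mac, RULES))
    for row in audit_rules(RULES):
        print(row)
```

An entry whose mask checks fewer than 24 bits treats every vendor sharing those leading bits as a voice device, so the audit output is worth reviewing before interfaces join the voice VLAN automatically.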

Procedure
- Create a voice VLAN OUI.
1. Choose Service Management > Voice VLAN > Voice VLAN OUI in the navigation
tree to open the Voice VLAN OUI page.
2. Click New to open the Create a Voice VLAN OUI page, as shown in Figure
3-114.

Figure 3-114 Create a Voice VLAN OUI

Table 3-85 describes the parameters on the Create a Voice VLAN OUI page.

Table 3-85 Create a Voice VLAN OUI

Parameter Description

OUI Address Indicates the MAC address of voice
packets. This parameter is mandatory.
The value is in the format 0812f231
05e1.

Mask Indicates the mask of the OUI address.
This parameter is mandatory. The value
is in the format ffff-ffff-ffff.

Description Indicates the description of the OUI
address.

3. Set parameters.
4. Click OK.
- Delete a voice VLAN OUI.
1. Choose Service Management > Voice VLAN > Voice VLAN OUI in the navigation
tree to open the Voice VLAN OUI page.

2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.

----End

3.7.5 DHCP
The switch supports Dynamic Host Configuration Protocol (DHCP) applications based on the
global address pool or an address pool configured on a VLANIF interface. The switch also
provides security guarantees for DHCP services and supports DHCP relay.

DHCP is a technology used to dynamically manage and configure clients in a centralized
manner. DHCP adopts the client/server model. The client applies to the server for configurations
such as the IP address, subnet mask, and default gateway, and the server replies with
corresponding configurations according to policies.

3.7.5.1 DHCP

Context
You must enable DHCP before configuring the DHCP server and DHCP relay.

Procedure
Step 1 Choose Service Management > DHCP > DHCP in the navigation tree to open the DHCP
page, as shown in Figure 3-115.

Figure 3-115 DHCP

Table 3-86 describes the parameters on the DHCP page.

Table 3-86 DHCP

Parameter Description

DHCP Click Enable or Disable. Indicates whether
to enable DHCP. By default, DHCP is
disabled.

Step 2 Select the parameters.

Step 3 Click Apply to complete the configuration.

----End

3.7.5.2 Configuring a Global Address Pool


A DHCP server can allocate IP addresses to clients by using a global address pool.

Context
You need to configure a DHCP server based on the global address pool to enable computers to
obtain IP addresses from the global address pool dynamically.

Procedure
- Query information about a global address pool.
1. Choose Service Management > DHCP > Configure Global Address Pool in the
navigation tree to display the Configure Global Address Pool page.
2. Set the search criteria.
3. Click Query to display all the matching records, as shown in Figure 3-116.

Figure 3-116 Querying information about a global address pool

Table 3-87 describes the parameters for querying information about a global address
pool.

Table 3-87 Parameters for querying information about a global address pool

Parameter Description

Address Pool Name Indicates the name of a global address pool.
NOTE
The value must be an existing global address pool on the
device; otherwise, there is no matching record.

Total:1 Indicates the number of matching records. The
following information is displayed:
- Address Pool Name
- Subnet Address
- Subnet Mask
- Gateway IP
- Expired
- Forbidden IP
For the detailed meaning of each item, see Table 3-88.

- Create a global address pool.
1. Choose Service Management > DHCP > Configure Global Address Pool in the
navigation tree to display the Configure Global Address Pool page.
2. Click New to display the Create a Global Address Pool page, as shown in Figure
3-117.

Figure 3-117 Create a Global Address Pool

Table 3-88 describes the parameters on the Create a Global Address Pool page.

Table 3-88 Parameters on the Create a Global Address Pool page

Parameter Description

Basic Settings:
Address Pool Name Indicates the name of an address pool.

Subnet Address Indicates the IP subnet of the address
pool.

Subnet Mask Indicates the mask of the IP subnet.
Select a mask from the drop-down list
box, for example, 24 (255.255.255.0).

Gateway IP Indicates the IP address of a gateway.
You can configure a maximum of eight
gateway IP addresses.

Expired Indicates the lease of dynamic IP
addresses. The default lease is one day.
The value range is as follows:
- day: an integer ranging from 0 to 999
- hour: an integer ranging from 0 to 23
- minute: an integer ranging from 0 to 59
NOTE
Different address pools can have different
IP address leases, but addresses in one pool
have the same lease.

Forbidden IP Indicates the IP address that will not be
dynamically allocated to users.
NOTE
Some IP addresses are allocated to
applications such as the DNS server and
cannot be allocated to users. You can
specify these IP addresses as forbidden IP
addresses.

Configure DNS for the Address Pool:
Client Domain Name Indicates the domain name allocated
by the DHCP server to the client.

DNS Server IP Indicates the IP address of a DNS
server. You can configure a maximum
of eight DNS server addresses.

Configure NetBIOS for the Address Pool:
NetBIOS Node Type Indicates the type of a NetBIOS node.
The options are:
- unspecified
The NetBIOS node type is not
specified.
- b-node
The NetBIOS node obtains the
mapping between the host name
and IP address in broadcast mode.
b represents broadcast.
- p-node
The NetBIOS node obtains the
mapping between the host name
and IP address by communicating
with the NetBIOS server. p
represents peer to peer.
- m-node
The NetBIOS node is a p-type node
with some broadcast features. m
represents mixed.
- h-node
The NetBIOS node is a b-type node
using the peer-to-peer
communication mechanism. h
represents hybrid.
The default value is unspecified.

NetBIOS Server IP Indicates the IP address of a NetBIOS
server. You can configure a maximum
of eight NetBIOS server addresses.

3. Set parameters.
4. Click OK.
- Modify a global address pool.
1. Choose Service Management > DHCP > Configure Global Address Pool in the
navigation tree to display the Configure Global Address Pool page.
2. Click to display the Modify Global Address Pool page, as shown in Figure
3-118.

Figure 3-118 Modify Global Address Pool

NOTE

- Table 3-88 describes the parameters on the Modify Global Address Pool page.
- Address Pool Name, Subnet Address and Subnet Mask cannot be modified.
3. Set parameters.
4. Click OK.
- Delete a global address pool.
1. Choose Service Management > DHCP > Configure Global Address Pool in the
navigation tree to display the Configure Global Address Pool page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
----End
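
A pre-change check for the Create a Global Address Pool parameters in Table 3-88, as an added example that is not part of the Huawei guide: it enforces the stated value ranges and limits and reports any DNS server address that lies in the pool without being listed as a forbidden IP. The function names and the sample addresses (documentation ranges) are assumptions, as is treating gateway addresses as withheld from allocation.

```python
import ipaddress

MAX_LISTED = 8  # the page: at most eight gateway or DNS server addresses


def lease_minutes(day=1, hour=0, minute=0):
    """Convert an Expired setting to minutes, enforcing the page's value ranges."""
    for name, value, top in (("day", day, 999), ("hour", hour, 23), ("minute", minute, 59)):
        if not 0 <= value <= top:
            raise ValueError(f"{name} must be between 0 and {top}, got {value}")
    return (day * 24 + hour) * 60 + minute


def plan_pool(subnet, mask_len, gateways=(), forbidden=(), dns=(), lease=(1, 0, 0)):
    """Validate one pool definition and count the addresses left for clients."""
    net = ipaddress.ip_network(f"{subnet}/{mask_len}", strict=False)
    if net.prefixlen > 30:
        raise ValueError("this sketch only handles masks of 30 bits or shorter")
    problems = []
    if str(net.network_address) != subnet:
        problems.append(f"{subnet} is not the subnet address of {net}")
    for label, addrs in (("gateway", gateways), ("DNS server", dns)):
        if len(addrs) > MAX_LISTED:
            problems.append(f"more than {MAX_LISTED} {label} addresses")

    def is_host(ip):
        return ip in net and ip not in (net.network_address, net.broadcast_address)

    # Assumption: gateway addresses are withheld from clients like forbidden IPs.
    withheld = set()
    for label, addrs in (("gateway", gateways), ("forbidden IP", forbidden)):
        for text in addrs:
            ip = ipaddress.ip_address(text)
            if is_host(ip):
                withheld.add(ip)
            else:
                problems.append(f"{label} {ip} is not a host address in {net}")

    # The page's note: addresses used by servers such as DNS should be forbidden,
    # otherwise the pool can lease an address that is already in use.
    for text in dns:
        ip = ipaddress.ip_address(text)
        if is_host(ip) and ip not in withheld:
            problems.append(f"DNS server {ip} is inside the pool but not a forbidden IP")

    return {
        "network": str(net),
        "allocatable": net.num_addresses - 2 - len(withheld),
        "lease_minutes": lease_minutes(*lease),
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample pool using documentation address ranges.
    plan = plan_pool(
        "192.0.2.0", 24,
        gateways=["192.0.2.1"],
        forbidden=["192.0.2.2", "198.51.100.9"],
        dns=["192.0.2.2", "192.0.2.3"],
    )
    for key, value in plan.items():
        print(key, "=", value)
```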

3.7.5.3 Configuring a VLANIF Interface Address Pool


If a DHCP server based on a VLANIF interface address pool is configured, all the users going
online through this interface obtain IP addresses from the VLANIF interface address pool.

Context
Enable the DHCP service before configuring an address pool on a VLANIF interface.

Procedure
- Query information about a VLANIF interface address pool.
1. Choose Service Management > DHCP > Configure VLANIF Interface Address
Pool in the navigation tree to display the Configure VLANIF Interface Address
Pool page.
2. Set the search criteria.
3. Click Query to display all the matching records, as shown in Figure 3-119.

Figure 3-119 Querying information about a VLANIF interface address pool

Table 3-89 describes the parameters for querying information about a VLANIF
interface address pool.

Table 3-89 Parameters for querying information about a VLANIF interface address
pool

Parameter Description

VLANIF Name Indicates the name of a VLANIF interface.
NOTE
The VLANIF interface must be configured to work in
the interface address pool or global address pool mode;
otherwise, there is no matching record.

Total:1 Indicates the number of matching records. The
following information is displayed:
- VLANIF Name
- Address Pool type
- Interface IP
- Mask
- Gateway IP
- Expired
- Forbidden IP
For the detailed meaning of each item, see Table 3-90.

- Create a VLANIF address pool.
1. Choose Service Management > DHCP > Configure VLANIF Interface Address
Pool in the navigation tree to display the Configure VLANIF Interface Address
Pool page.

2. Click New to display the Create a VLANIF Address Pool page, as shown in Figure
3-120.

Figure 3-120 Create a VLANIF Address Pool

Table 3-90 describes the parameters on the Create a VLANIF Address Pool page.

Table 3-90 Parameters on the Create a VLANIF Address Pool page

Parameter Description

Basic Settings:
VLANIF Name Indicates the name of a VLANIF
interface. Select a name from the drop-down
list box.
NOTE
The VLANIF interfaces in the drop-down
list box are created in the Interface
Management module.

Address Pool type Indicates the address pool type of a
VLANIF interface.
- global: The interface works in the
global address pool mode.
- interface: The interface works in
the interface address pool mode.

Interface IP Indicates the IP address of the selected
VLANIF interface. The value is
displayed automatically after you
select a VLANIF interface.

Mask Indicates the subnet mask of the
selected VLANIF interface. The value
is displayed automatically after you
select a VLANIF interface.

Expired Indicates the lease of dynamic IP
addresses. The default lease is one day.
The value range is as follows:
- day: an integer ranging from 0 to 999
- hour: an integer ranging from 0 to 23
- minute: an integer ranging from 0 to 59
NOTE
This parameter can be configured only
when the address pool type is interface.
Different address pools can have different
IP address leases, but addresses in one pool
have the same lease.

Forbidden IP Indicates the IP address that will not be
dynamically allocated to users.
Some IP addresses are allocated to
applications such as the DNS server
and cannot be allocated to users. You
can specify these IP addresses as
forbidden IP addresses.
NOTE
This parameter can be configured only
when the address pool type is interface.

Configure DNS for the Address Pool:
Client Domain Name Indicates the domain name allocated
by the DHCP server to the client.
NOTE
This parameter can be configured only
when the address pool type is interface.

DNS Server IP Indicates the IP address of a DNS
server. You can configure a maximum
of eight DNS server addresses.
NOTE
This parameter can be configured only
when the address pool type is interface.

Configure NetBIOS for the Address Pool:
NetBIOS Node Type Indicates the type of a NetBIOS node.
The options are:
- unspecified
The NetBIOS node type is not
specified.
- b-node
The NetBIOS node obtains the
mapping between the host name
and IP address in broadcast mode.
b represents broadcast.
- p-node
The NetBIOS node obtains the
mapping between the host name
and IP address by communicating
with the NetBIOS server. p
represents peer to peer.
- m-node
The NetBIOS node is a p-type node
with some broadcast features. m
represents mixed.
- h-node
The NetBIOS node is a b-type node
using the peer-to-peer
communication mechanism. h
represents hybrid.
The default value is unspecified.
NOTE
This parameter can be configured only
when the address pool type is interface.

NetBIOS Server IP Indicates the IP address of a NetBIOS
server. You can configure a maximum
of eight NetBIOS server addresses.
NOTE
This parameter can be configured only
when the address pool type is interface.

3. Set the parameters.
4. Click OK.
- Modify a VLANIF address pool.
1. Choose Service Management > DHCP > Configure VLANIF Interface Address
Pool in the navigation tree to display the Configure VLANIF Interface Address
Pool page.
2. Click to display the Modify VLANIF Address Pool page, as shown in Figure
3-121.

Figure 3-121 Modify VLANIF Address Pool

NOTE

- Table 3-90 describes the parameters on the Modify VLANIF Address Pool page.
- VLANIF Name, Interface IP and Mask cannot be modified.
3. Set the parameters.
4. Click OK.
- Delete a VLANIF address pool.
1. Choose Service Management > DHCP > Configure VLANIF Interface Address
Pool in the navigation tree to display the Configure VLANIF Interface Address
Pool page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.

----End

3.7.5.4 Configure DHCP Relay


By using a DHCP relay agent, the DHCP clients on a local area network (LAN) can communicate
with the DHCP servers on other network segments, and obtain IP addresses from them. The
DHCP clients on different network segments can also use one DHCP server. This reduces costs
and achieves centralized device management.

Context
- Before configuring the DHCP relay function, you must configure DHCP servers.
- DHCP relay is introduced to transmit packets between DHCP clients and a DHCP server
that are on different network segments. A DHCP relay agent can transparently transmit
DHCP broadcast packets between DHCP clients and a DHCP server that are on different
network segments.
- In applications, the DHCP relay function is generally implemented on a VLANIF interface
of a switch. This interface needs to be configured with an IP relay address to specify the
DHCP server. An IP relay address refers to the IP address of the DHCP server specified
on the DHCP relay agent. After the DHCP relay function is enabled on an interface, the
DHCP broadcast packets received on the interface are sent to the specified server.
- If a DHCP server is configured on a network, the DHCP relay function can be enabled on a
switch. In this manner, the DHCP Request packet from clients can be transmitted to the
DHCP server on another network through the DHCP relay agent. To enable clients to obtain
IP addresses, the DHCP server must use a global address pool. That is, the interface of the
server connected to the DHCP relay agent cannot be configured with any address pool.

Procedure
- Create a DHCP server group.
1. Choose Service Management > DHCP > Configure DHCP Relay in the navigation
tree to open the Configure DHCP Relay page.
2. Click New to open the Create a DHCP Server Group page, as shown in Figure
3-122.

Figure 3-122 Create a DHCP Server Group

3. Set parameters.

4. Click OK.
- Delete a DHCP server group.
1. Choose Service Management > DHCP > Configure DHCP Relay in the navigation
tree to open the Configure DHCP Relay page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
- Query DHCP relay information.
1. Choose Service Management > DHCP > Configure DHCP Relay in the navigation
tree to open the Configure DHCP Relay page.
2. Set the search criteria.
3. Click Query to display all matching records.
- Configure DHCP relay.
1. Choose Service Management > DHCP > Configure DHCP Relay in the navigation
tree to open the Configure DHCP Relay page.
2. Select a record and click Configure to open the Configure DHCP Relay page, as
shown in Figure 3-123.

Figure 3-123 Configure DHCP Relay

Table 3-91 describes the parameters on the Configure DHCP Relay page.

Table 3-91 Configure DHCP Relay

Parameter Description

VLANIF Name Indicates the name of a VLANIF
interface. The VLANIF interface name
cannot be modified. You can only select
one interface each time.

DHCP Server Group Name Indicates the name of a DHCP server
group. Select a configured DHCP server
from the drop-down list box.

3. Set parameters.
4. Click OK.
- Delete the DHCP relay configuration.
1. Choose Service Management > DHCP > Configure DHCP Relay in the navigation
tree to open the Configure DHCP Relay page.
2. Select a record and click Clear Configuration. The system asks you whether to delete
the record.
3. Click OK.

----End

3.7.6 ARP
The following sections describe configurations of static ARP and dynamic ARP.

On a LAN, a host or a network device must know the logical address (IP address) of another
host or network device to send data to it. The logical address alone, however, is not enough. Since
IP packets are encapsulated in frames for transmission across a physical network, the physical
address of the destination device must also be known. Therefore, the mapping from a logical
address to a physical address is required. The Address Resolution Protocol (ARP) is introduced
to map IP addresses to physical addresses (Ethernet MAC addresses).

3.7.6.1 ARP Table


You can query ARP entries in the ARP table.

Context
- If two devices on an Ethernet network need to communicate with each other, they must
know MAC addresses of each other. Each device maintains a table of mappings from IP
addresses to MAC addresses, that is, an ARP table.
- The ARP table of a switch contains static and dynamic ARP entries. Static ARP entries are
maintained manually, and dynamic ARP entries age based on the aging timer.

Procedure
- Query the ARP table.

1. Choose Service Management > ARP > ARP Table in the navigation tree to open
the ARP Table page, as shown in Figure 3-124.

Figure 3-124 ARP Table

Table 3-92 describes the parameters on the ARP Table page.

Table 3-92 ARP Table

Parameter Description

ARP Type Indicates the type of ARP entries. You
can search for static entries, dynamic
entries, or static+dynamic entries.

Destination IP Indicates the destination IP address in an
ARP entry, for example, 10.10.10.1.

Mask Indicates the mask of the destination IP
address, for example, 24
(255.255.255.0). You can specify the
destination IP address and mask to
search for ARP entries of a network
segment.

Destination MAC Indicates the destination MAC address
in an ARP entry, for example,
0022-0022-0022.

VLAN ID Indicates the VLAN ID in an ARP entry.

Interface Name Indicates the interface in an ARP entry.
First select an interface type from the
drop-down list box. The options are
All, Ethernet, GigabitEthernet,
XGigabitEthernet, Meth, Eth-Trunk.
Then enter the interface number in the
text box, for example, 0/0/1. To specify
an Eth-Trunk, enter the interface name
in the text box, for example, 12.

2. Set the search criteria.
3. Click Query. The search results are displayed.

- Delete all dynamic entries.
You can click Reset Dynamic Entries to delete all dynamic ARP entries.
1. Choose Service Management > ARP > ARP Table in the navigation tree to open
the ARP Table page.
2. Click Reset Dynamic Entries. The system asks you whether to delete all dynamic
entries.
3. Click OK.
NOTE

You can click Refresh to display new ARP entries after deleting the original dynamic entries.

----End

3.7.6.2 Static ARP Table


You can query and configure static ARP entries.

Context
ARP entries can be maintained dynamically or manually. Manually configured mappings from
IP addresses to MAC addresses are static ARP entries. You can query, add, modify, and delete
ARP entries manually.

NOTICE
Static ARP entries are always valid when a switch works normally. When a VLAN is deleted,
the ARP entries of the VLAN are also deleted.

Procedure
- Query static ARP entries.
1. Choose Service Management > ARP > Static ARP Table in the navigation tree to
open the Static ARP Table page.
2. Set the search criteria.
3. Click Query to display all matching records.
NOTE
The Static ARP Table page does not contain the ARP Type drop-down list box.
- Create a static ARP entry.
1. Choose Service Management > ARP > Static ARP Table in the navigation tree to
open the Static ARP Table page.
2. Click New to open the Create Static ARP page, as shown in Figure 3-125.


Figure 3-125 Create Static ARP

NOTE

- Table 3-93 describes the parameters on the Create Static ARP page.

Table 3-93 Create Static ARP

Parameter | Description

Destination IP | Indicates the destination IP address in the new ARP entry, for example, 10.10.10.1.
NOTE
This parameter cannot be set to the virtual IP address of a VRRP group on a VLANIF interface. Otherwise, an incorrect host route will be created, causing forwarding errors.

Destination MAC | Indicates the Ethernet MAC address mapped to the IP address. The value is in the format 0812f23105e1.

VLAN ID | Indicates the VLAN ID corresponding to the IP address.
NOTE
- If you enter a VLAN ID, the created ARP entry is in the specified VLAN.
- The VLANIF interface of the VLAN must be in the same network segment as the destination IP address.

Outgoing | Indicates the type and number of the outbound interface for ARP packets, for example, GigabitEthernet0/0/1.
NOTE
The interface must be a member of the specified VLAN.

3. Set parameters.
NOTE

The destination IP address and the IP address of the outbound interface must be in the same
network segment.
4. Click OK.
- Modify a static ARP entry.
1. Choose Service Management > ARP > Static ARP Table in the navigation tree to
open the Static ARP Table page.
2. Click to open the Modify Static ARP page, as shown in Figure 3-126.

Figure 3-126 Modify Static ARP


NOTE

- Table 3-93 describes the parameters on the Modify Static ARP page.
- The destination IP address and destination MAC address cannot be changed.
3. Set parameters.
4. Click OK.
- Delete a static ARP entry.
1. Choose Service Management > ARP > Static ARP Table in the navigation tree to
open the Static ARP Table page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE

- To select a record, click the check box of the record.
- To delete records in batches, click the check boxes of the records.
3. Click OK.
----End
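The constraints that Table 3-93 and the notes above place on a new static ARP entry can be checked before the entry is entered in the web system. The following Python code is an added example, not Huawei code; the `Vlanif` model, the `check_static_arp` function and the sample inventory and entries are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Both spellings appear in this guide: 0022-0022-0022 and 0812f23105e1.
MAC_RE = re.compile(r"^(?:[0-9a-f]{12}|[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})$", re.I)


@dataclass(frozen=True)
class Vlanif:
    """Constructed model of one VLANIF interface (hypothetical, not a device API)."""
    vlan_id: int
    address: ipaddress.IPv4Interface            # VLANIF IP address and mask
    vrrp_virtual_ips: frozenset = frozenset()   # virtual IPs of VRRP groups on it
    member_ports: frozenset = frozenset()       # interfaces that belong to the VLAN


def normalize_mac(mac):
    """Return the MAC as xxxx-xxxx-xxxx, or raise ValueError on any other format."""
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC format: {mac!r}")
    digits = mac.replace("-", "").lower()
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def check_static_arp(entry, vlanifs):
    """Return a list of problems with a candidate static ARP entry ([] if none)."""
    problems = []
    try:
        normalize_mac(entry["mac"])
    except ValueError as exc:
        problems.append(str(exc))
    try:
        ip = ipaddress.IPv4Address(entry["ip"])
    except ipaddress.AddressValueError:
        return problems + [f"bad destination IP: {entry['ip']!r}"]

    # Table 3-93: the destination IP must not be a VRRP virtual IP on a VLANIF.
    for vif in vlanifs.values():
        if ip in vif.vrrp_virtual_ips:
            problems.append(f"{ip} is a VRRP virtual IP on Vlanif{vif.vlan_id}")

    vlan_id = entry.get("vlan_id")
    if vlan_id is None:
        return problems
    vif = vlanifs.get(vlan_id)
    if vif is None:
        return problems + [f"VLAN {vlan_id} has no VLANIF interface"]
    # The VLANIF of the VLAN must share a network segment with the destination IP.
    if ip not in vif.address.network:
        problems.append(f"{ip} is outside {vif.address.network}, the segment of Vlanif{vlan_id}")
    # The outbound interface must be a member of the specified VLAN.
    port = entry.get("interface")
    if port and port not in vif.member_ports:
        problems.append(f"{port} is not a member of VLAN {vlan_id}")
    return problems


# Constructed inventory: one VLANIF with one VRRP group.
SAMPLE_VLANIFS = {
    10: Vlanif(
        vlan_id=10,
        address=ipaddress.IPv4Interface("10.10.10.254/24"),
        vrrp_virtual_ips=frozenset({ipaddress.IPv4Address("10.10.10.253")}),
        member_ports=frozenset({"GigabitEthernet0/0/1", "GigabitEthernet0/0/2"}),
    ),
}

# Constructed candidate entries: one valid, the rest each break a rule.
SAMPLE_ENTRIES = [
    {"ip": "10.10.10.1", "mac": "0812f23105e1", "vlan_id": 10, "interface": "GigabitEthernet0/0/1"},
    {"ip": "10.10.10.253", "mac": "0022-0022-0022", "vlan_id": 10, "interface": "GigabitEthernet0/0/1"},
    {"ip": "10.10.20.5", "mac": "0022-0022-0022", "vlan_id": 10, "interface": "GigabitEthernet0/0/9"},
    {"ip": "10.10.10.7", "mac": "08:12:f2:31:05:e1", "vlan_id": 10, "interface": "GigabitEthernet0/0/2"},
]

if __name__ == "__main__":
    for candidate in SAMPLE_ENTRIES:
        print(candidate["ip"], check_static_arp(candidate, SAMPLE_VLANIFS) or "OK")
```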

3.7.6.3 ARP Attribute


You can set parameters of dynamic ARP entries, such as the number of aging detection times
and aging time.

Context
You can set ARP parameters to use ARP entries flexibly.

Procedure
Step 1 Choose Service Management > ARP > ARP Attribute in the navigation tree to open the ARP
Attribute page, as shown in Figure 3-127.

Figure 3-127 ARP Attribute


Table 3-94 describes the parameters on the ARP Attribute page.

Table 3-94 ARP Attribute

Parameter | Description

VLANIF | Indicates the name of a VLANIF interface.

Detect-Times | Indicates the number of aging detection times. When a dynamic ARP entry expires, the switch sends aging detection packets to the corresponding host. If the host does not respond after the specified number of detection times, the ARP entry is deleted. A proper number of aging detection times can reduce address resolution errors caused by slow update of ARP entries.
NOTE
If this parameter is set to 0, the switch deletes expired ARP entries directly.

Aging Time | Indicates the aging time of ARP entries. The default value is 1200 seconds.

Step 2 Set the parameters.

Step 3 Click Apply to complete the configuration.

----End

3.7.7 VRRP
The following sections describe configurations of VRRP groups and VRRP parameters. The
S1720, S2720, S2750, S5700LI, and S5700S-LI switches do not support the VRRP function.

The Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol. VRRP integrates
multiple routing devices into a virtual router and uses certain mechanisms to switch services to
other routers when the next hop router fails, ensuring continuous and reliable communication.

3.7.7.1 VRRP
VRRP switches services from the master to the backup when the gateway becomes faulty,
providing continuous and reliable communication services.

Procedure
- Query VRRP group information.
1. Choose Service Management > VRRP > VRRP in the navigation tree to open the
VRRP page.
2. Set the search criteria.


3. Click Query to display all matching records.


- Create a VRRP group.
1. Choose Service Management > VRRP > VRRP in the navigation tree to open the
VRRP page.
2. Click New to open the Create VRRP Group page, as shown in Figure 3-128.

Figure 3-128 Create VRRP Group

Table 3-95 describes the parameters on the Create VRRP Group page.

Table 3-95 Create VRRP Group

Parameter | Description

VRID | Indicates the ID of a virtual router. This parameter is mandatory.

VLANIF | Select a VLANIF interface that requires VRRP configuration. The VLANIF interface must exist in the system.

Virtual IP | Indicates the virtual IP address of the VRRP group, for example, 192.168.70.111. This parameter is mandatory.
NOTE
The virtual IP address can be an idle IP address in the network segment of the VRRP group or the IP address of an interface in the VRRP group.

Preempt Mode | Indicates whether to adopt the preemption mode.
- If Enable is selected, a backup immediately preempts the Master state when its priority is higher than that of the master.
- If Disable is selected, as long as the master is working properly, the backup with higher priority cannot be the master.

Advertise Timer | Indicates the interval for sending VRRP Advertisement packets. This parameter is mandatory. The master device sends VRRP Advertisement packets to backup devices at intervals to notify the backup devices that it works normally. If the backup devices do not receive any VRRP Advertisement packet within an interval, the backup device with the highest priority becomes the master.

Config Priority | Indicates the priority of a member switch. The role of each switch in a VRRP group is determined by its priority. The switch with the highest priority becomes the master.

Track Interface: Interface Name | Indicates the number and type of the tracked interface, for example, GigabitEthernet0/0/1.

Track Interface: Priority | Indicates whether to increase or decrease the VRRP priority of the tracked interface when the tracked interface is Down.
NOTE
If the preemption mode is disabled, this parameter cannot be set to Increase.

3. Set parameters.
4. Click OK.
- Modify the configuration of a VRRP group.


1. Choose Service Management > VRRP > VRRP in the navigation tree to open the
VRRP page.
2. Click to open the Modify VRRP Group page, as shown in Figure 3-129.

Figure 3-129 Modify VRRP Group

NOTE

- Table 3-95 describes the parameters on the Modify VRRP Group page.
- The VRID and VLANIF interface name cannot be changed.
3. Set parameters.
4. Click OK.
- Delete a VRRP group.
1. Choose Service Management > VRRP > VRRP in the navigation tree to open the
VRRP page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.

----End

3.7.7.2 VRRP Attribute


This section describes the configuration of VRRP parameters.


Procedure
Step 1 Choose Service Management > VRRP > VRRP Attribute in the navigation tree to open the
VRRP Attribute page, as shown in Figure 3-130.

Figure 3-130 VRRP Attribute

Table 3-96 describes the parameters on the VRRP Attribute page.

Table 3-96 VRRP Attribute

Parameter | Description

Ping Virtual IP | Indicates whether the ping command can ping the virtual IP address of the VRRP group. The default value is Permit.

Send Gratuitous ARP | Indicates whether to allow the virtual router to send gratuitous ARP packets. To enable the network elements connected to the virtual router to learn the virtual IP address of the VRRP group, the virtual router needs to send gratuitous ARP packets to the network elements. The default value is Permit.

Gratuitous ARP Interval | Indicates the interval for sending gratuitous ARP packets. This parameter is mandatory.

Step 2 Set parameters.


Step 3 Click Apply to complete the configuration.

----End

3.7.8 IGMP Snooping


The following sections describe configurations of IGMP snooping on a switch.
After IGMP snooping is configured on a switch, the switch sets up a Layer 2 multicast forwarding
table by listening to the IGMP messages sent between a switch and hosts. The switch uses the
Layer 2 multicast forwarding table to manage and control forwarding of multicast packets,
implementing Layer 2 multicast.

3.7.8.1 Global IGMP Snooping


You can enable or disable global IGMP snooping.

Context
By default, IGMP snooping is disabled on a switch. You need to enable global IGMP snooping
on the switch before using this function.

Procedure
Step 1 Choose Service Management > IGMP Snooping > Global IGMP Snooping in the navigation
tree to open the Global IGMP Snooping page, as shown in Figure 3-131.

Figure 3-131 Global IGMP Snooping

Table 3-97 describes the parameters on the Global IGMP Snooping page.

Table 3-97 Global IGMP Snooping

Parameter | Description

Global IGMP Snooping | Indicates whether to enable global IGMP snooping. If global IGMP snooping is disabled, IGMP snooping cannot be enabled in a VLAN. The options are Enable and Disable. By default, global IGMP snooping is disabled.

Step 2 Set the parameters.

Step 3 Click Apply to complete the configuration.

----End


3.7.8.2 Configure IGMP Snooping in VLAN


You can query and configure IGMP snooping information in VLANs.

Context
By default, IGMP snooping is disabled on a switch. You need to enable global IGMP snooping
on the switch before using this function. By default, IGMP snooping is disabled in a VLAN after
global IGMP snooping is enabled. Therefore, you need to enable IGMP snooping in the VLAN.

Procedure
- Query IGMP snooping information.
1. Choose Service Management > IGMP Snooping > Configure IGMP Snooping in
VLAN in the navigation tree to open the Configure IGMP Snooping in VLAN page.
2. Set the search criteria.
3. Click Query to display all the matching records.
- Configure IGMP snooping in a VLAN.
1. Choose Service Management > IGMP Snooping > Configure IGMP Snooping in
VLAN in the navigation tree to open the Configure IGMP Snooping in VLAN page.
2. Select a record and click Configure to open the Configure IGMP Snooping page,
as shown in Figure 3-132.

Figure 3-132 Configure IGMP Snooping

Table 3-98 describes the parameters on the Configure IGMP Snooping page.


Table 3-98 Configure IGMP Snooping

Parameter | Description

VLAN ID | Indicates the ID of a VLAN. The VLAN ID cannot be changed. You can select multiple VLANs each time.
NOTE
The VLAN must exist. If only one VLAN is selected, the IGMP configuration in the VLAN is displayed on the Configure IGMP Snooping page. If multiple VLANs are selected, the default IGMP snooping configuration is displayed.

Enable IGMP Snooping | Indicates whether to enable IGMP snooping. The options are Enable and Disable.
NOTE
- Before enabling IGMP snooping in a VLAN, enable global IGMP snooping.
- After IGMP snooping is enabled in a VLAN, this function takes effect only on Ethernet interfaces in this VLAN.

Max Response Time | Indicates the maximum response time of IGMP Query messages.
- The maximum response time controls the deadline for a host to send an IGMP Membership Report message. A proper maximum response time enables hosts to rapidly respond to IGMP Query messages and prevents the congestion caused by a large number of Response messages sent at the same time.
- You can adjust the aging time of member interfaces by setting the maximum response time.

IGMP Robust Count | Indicates the IGMP robustness variable. By setting the IGMP robustness variable, you can:
- Specify the number of times the querier sends a Group-Specific Query message, which prevents packet loss on the network.
- Adjust the aging time of member interfaces.

Query Interval | Indicates the interval for sending IGMP Query messages.

Router Aging Time | Indicates the aging time of a router interface.

3. Set the parameters.


4. Click OK.

----End

3.8 WLAN (S5720HI)
This chapter describes WLAN AC configuration for the switch. You can query and configure
the WLAN AC. Only the S5720HI supports WLAN AC.

NOTE

This node is only available in the NAC unified mode.

Only the S5720HI supports this node.

3.8.1 AC Configuration
This section describes basic parameter settings of an AC.

3.8.1.1 AC Configuration
This section describes how to configure basic AC functions. Before an AP goes online on the
AC, the basic function configuration must be complete.

Context
An AC manages APs, controls WLAN user access, and guarantees security. APs can
communicate with the AC only after the basic AC attributes are configured.

Procedure
Step 1 Choose WLAN > AC Configuration > AC Configuration.


Figure 3-133 AC Configuration

Step 2 On the AC Configuration tab page, set parameters described in Table 3-99.

Step 3 Click Apply.

NOTICE
When the country code is changed on an AC, information about APs connected to the AC is
deleted and the APs are reset.

Table 3-99 AC configuration parameters

Parameter | Description

ID | AC ID.

Country code | AC country code.

AP authentication mode | The AC uses the configured authentication mode to authenticate APs. By default, the AC authenticates APs using MAC address authentication.
NOTE
- MAC: The AP authentication mode can be set to MAC address authentication.
- SN: The AP authentication mode can be set to SN authentication.
- No authentication: The AP authentication mode can be set to non-authentication.

Add APs | If the AP authentication mode is set to MAC or SN authentication, you can add APs offline.
- Manual: Enter the MAC address or SN of an AP to add the AP offline.
- Batch import from a local file: Configure an AP's MAC address or SN in a local file and import the MAC address or SN to the AC from the local file.
NOTE
The file is in .txt format and contains rows of MAC addresses or SNs. Each row provides one MAC address or SN. The following example is a file containing rows of MAC addresses.
60de-4474-9640
60de-4474-9680
dcd2-fc9a-2110

AC source address | Source interface of the AC.
- VLANIF: A VLANIF interface is used as the source interface.
- LoopBack: A loopback interface is used as the source interface.
NOTE
The selected source interface must have an IP address.
To delete the AC's source interface, click .

AP data buffer | Enables the AC to buffer AP data.

Buffer duration (min) | Sets the period during which the AC buffers AP data.

Forwarding mode | Forwarding mode of the AC.

----End

3.8.2 AP Info
This section describes parameter and function settings of an AP.

3.8.2.1 AP Information
This section describes how to add, modify, and delete an AP in AP Info.


Context
You can view information about an AP only after the AP goes online or is added offline.

NOTICE
- If the status of an AP is fault, the AP cannot be restarted.
- During the restart, you are disconnected from the AP.

Procedure
- Available APs
Adding an AP
1. Choose WLAN > AP Info > AP Info.

Figure 3-134 AP Info

2. In the Available APs area, click Create. In the Create AP dialog box that is displayed,
set parameters. Or, in the Available APs area, click Batch Add. In the Add APs
dialog box that is displayed, set parameters. See Table 3-100 for description of the
parameters.

3. Click OK. The AP is added to the Available APs.


Table 3-100 Parameters for adding an AP

Parameter | Description

ID | ID of an AP to be added.

Name | Name of an AP to be added.

Type | Type of an AP to be added.
NOTE
If you select Customize, configure the name and type ID of the customized AP. The name must begin with WA, AP, wa, or ap.

Type name | Name of the self-defined AP to be added.

Type ID | ID of the self-defined AP to be added.

MAC address | MAC address of an AP to be added.
NOTE
When the authentication mode is non-authentication on the AC, you must set MAC address or SN. When the authentication mode is MAC address authentication on the AC, you must set MAC address.

SN | SN of an AP to be added.
NOTE
When the authentication mode is non-authentication on the AC, you must set MAC address or SN. When the authentication mode is SN authentication on the AC, you must set SN.

Addition mode | Modes of adding APs. APs can be added manually or imported in batches from a local file.
- Manual: Enter the MAC address or SN of an AP to add the AP offline.
- Batch import from a local file: Configure an AP's MAC address or SN in a local file and import the MAC address or SN to the AC from the local file.
NOTE
The file is in .txt format and contains rows of MAC addresses or SNs. Each row provides one MAC address or SN. The following example is a file containing rows of MAC addresses.
60de-4474-9640
60de-4474-9680
dcd2-fc9a-2110

AP Type | Type of an AP.

File name | Name of the local file used to record AP MAC addresses or SNs. By importing the local file to the AC, APs can be added in a batch.

Modifying an AP
1. Choose WLAN > AP Info > AP Info.

2. In the Available APs area, click corresponding to an AP.


3. In the Modify AP dialog box that is displayed, set parameters described in Table
3-101. Parameter ID and Type cannot be modified.

4. Click OK.

Table 3-101 Parameters for modifying an AP

Parameter | Description

ID | ID of an AP.

Name | Name of an AP to be modified.

Type | AP type.

MAC address | AP MAC address.

SN | AP SN.

Access priority | Radio that the AP allows STAs to use.
- Load balancing: STAs access the AP based on the load of the 5 GHz radio and 2.4 GHz radio.
- 5G-prior: STAs preferentially access the 5 GHz radio.
- Normal: There is no limit on the frequency band that STAs access.
NOTE
When an AP and STA support both 5 GHz and 2.4 GHz frequency bands, the AP can request the STA to associate with the 5 GHz radio first.

Difference | Difference between the number of STAs associated with the 2.4 GHz radio and that with the 5 GHz radio.

AC priority | Priority of the local AC.
NOTE
A smaller value indicates a higher priority.

Region | Region to which the AP belongs.

Profile | Profile used by the AP.

Forwarding mode | Data forwarding mode of an AP. This parameter cannot be set when service set-based forwarding is used.

Service connect | Whether to enable service holding upon link disconnection.

Allow new STAs | Whether to permit access of new STAs. After a link between the AP and AC disconnects, offline APs permit or forbid access of new STAs.

Frequency Band | Working frequency of an AP. The value can be 2.4 GHz or 5 GHz frequency band.
NOTE
Only the AP2010DN supports this parameter.

Channel bandwidth | Channel bandwidth of the specified radio on the AP.

Channel | Channel of the specified radio on the AP.
NOTE
After an AP region is configured, this parameter can be set to a channel supported by the AP region.

Power level | Power level of a specified radio on the AP.

Join Eth-Trunk | AP wired interfaces are added to an Eth-Trunk.
NOTE
Only the AP5030DN and AP5130DN support this parameter.

Delete from Eth-Trunk | AP wired interfaces are removed from an Eth-Trunk.
NOTE
Only the AP5030DN and AP5130DN support this parameter.

Working mode | Working mode of an AP wired interface.
- root: The wired interface connects to the AC.
- endpoint: The wired interface connects to a host or Layer 2 network.

User isolate | User isolation on an AP wired interface. The user isolation function prevents STAs associated with the same AP from forwarding Layer 2 packets to each other. This function ensures communication security on wired interfaces and allows uniform charging for users.
NOTE
Before you enable user isolation on an AP wired interface, the AP wired interface must work in endpoint mode.

STP | STP function on an AP wired interface. The STP function prevents loops on the network.
NOTE
Only the AP5030DN and AP5130DN support this parameter.

Default VLAN | Default VLAN on an AP wired interface.

Untagged VLAN | Wired interfaces are added to a VLAN in untagged mode.

Tagged VLAN | Wired interfaces are added to a VLAN in tagged mode.

Outbound ACL number | ACL number in the outbound direction of the AP wired interface.

Inbound ACL number | ACL number in the inbound direction of the AP wired interface.

Deleting an AP
1. Choose WLAN > AP Info > AP Info.
2. In the Available APs area, select an AP and click Delete. In the Information dialog
box that is displayed, click OK.
Restarting an AP
1. Choose WLAN > AP Info > AP Info.
2. In the Available APs area, select an AP to be restarted and click Restart. In the
Information dialog box that is displayed, click OK.
Restarting all APs
1. Choose WLAN > AP Info > AP Info.
2. In the Available APs area, click Restart All APs. In the Information dialog box that
is displayed, click OK.
Adding an AP to a specified AP region
1. Choose WLAN > AP Info > AP Info.
2. In the Available APs area, select an AP and click Add to Region. In the AP
Region dialog box that is displayed, select a region and click OK.
Delivering configurations to an AP
1. Choose WLAN > AP Info > AP Info.
2. In the Available APs area, select an AP and click Commit Configuration. In the
Information dialog box that is displayed, click OK.
Adding APs to the whitelist
1. Choose WLAN > AP Info > AP Info.
2. In the Available APs area, select the APs to be added to the whitelist. Then, click
Add to Whitelist in the Available APs area. On the displayed Add to Whitelist page,
set the whitelist mode to MAC address whitelist or SN whitelist, and click OK. The
specified APs are added to the whitelist.
Adding APs to the blacklist
1. Choose WLAN > AP Info > AP Info.
2. In the Available APs area, select the APs to be added to the blacklist. Then, click
Add to Blacklist in the Available APs area. On the displayed Information page,
click OK. The specified APs are added to the blacklist.


Selecting the AP profile


1. Choose WLAN > AP Info > AP Info.
2. In the Available APs area, select the APs to be bound to the AP profile. Then, click
Select AP Profile in the Available APs area. On the displayed AP Profile page, select
an AP profile and click OK. The specified APs are bound to the AP profile.
Switching the working frequency
NOTE
Only the AP2010DN supports this function.
1. Choose WLAN > AP Info > AP Info.
2. In the Available APs area, select the APs that need to switch the working frequency.
Then, click Switch Frequency Band in the Available APs area. On the displayed
Switch Frequency Band page, select the frequency band and click OK. The selected
APs switch to the specified working frequency.
Searching for an AP
1. Choose WLAN > AP Info > AP Info.
2. Set Search and the query criteria, and click Go. You can view, modify, delete, restart,
and deliver configurations to an AP, and add an AP to a region.
- Unauthorized APs
Allowing an unauthorized AP to go online on an AC
1. Choose WLAN > AP Info > AP Info.
2. In the Unauthorized APs area, select an AP and click Confirm. In the
Information dialog box that is displayed, click OK.
Allowing all unauthorized APs to go online on an AC
1. Choose WLAN > AP Info > AP Info.
2. In the Unauthorized APs area, click Confirm All. In the Information dialog box
that is displayed, click OK.
Adding unauthorized APs to the MAC address whitelist and SN whitelist.
1. Choose WLAN > AP Info > AP Info.

2. In the Unauthorized APs area, click located at the right of an AP. In the Add
To Whitelist dialog box that is displayed, enter the MAC address and SN and click
OK. Or, in the Unauthorized APs area, select the APs to be added to the whitelist.
Then, click Add to Whitelist in the Unauthorized APs area. On the displayed Add
to Whitelist page, set the whitelist mode to MAC address whitelist or SN whitelist
and click OK. The specified APs are added to the whitelist.
NOTE
If the AP authentication mode is set to non-authentication, either the MAC address or the SN must
be entered; if the AP authentication mode is set to MAC authentication, the MAC address must be
entered; if the AP authentication mode is set to SN authentication, the SN must be entered.
Adding unauthorized APs to the blacklist
1. Choose WLAN > AP Info > AP Info.
2. In the Unauthorized APs area, select the APs to be added to the blacklist. Then, click
Add to Blacklist in the Unauthorized APs area. On the displayed Information page,
click OK. The specified APs are added to the blacklist.
----End
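Tables 3-99 and 3-100 describe the batch-import file (one MAC address or SN per row), and the note above ties the required identifier to the AP authentication mode. The Python check below is an added example, not part of the Huawei guide or product; `check_import_file`, the SN pattern (plain alphanumeric, because the guide does not define the SN format), the multicast-MAC check and every sample row after the first three are assumptions or constructed data.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.I)  # format used in the guide's example file
BARE_HEX12_RE = re.compile(r"^[0-9a-f]{12}$", re.I)                   # MAC typed without hyphens
SN_RE = re.compile(r"^[0-9A-Za-z]+$")                                 # assumption: SNs are alphanumeric

# Identifier kinds each AP authentication mode accepts, per the note in 3.8.2.1.
ALLOWED = {"mac": {"mac"}, "sn": {"sn"}, "none": {"mac", "sn"}}


def classify_row(row):
    """Classify one file row as 'mac', 'sn', 'ambiguous' or 'invalid'."""
    if MAC_RE.match(row):
        return "mac"
    if BARE_HEX12_RE.match(row):
        return "ambiguous"
    if SN_RE.match(row):
        return "sn"
    return "invalid"


def check_import_file(text, auth_mode):
    """Return (accepted, findings) for a batch-import file.

    accepted: normalized identifiers that can be imported.
    findings: (line number, row, reason) for every row that should be fixed first.
    """
    allowed = ALLOWED[auth_mode]
    accepted, findings, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        row = raw.strip()
        if not row:
            continue  # ignore blank rows such as a trailing newline
        kind = classify_row(row)
        key = row.lower() if kind == "mac" else row.upper()
        if kind == "ambiguous":
            reason = "12 hex digits without hyphens; write MAC addresses as xxxx-xxxx-xxxx"
        elif kind == "invalid":
            reason = "neither an xxxx-xxxx-xxxx MAC address nor an alphanumeric SN"
        elif kind not in allowed:
            reason = f"{kind.upper()} row cannot be used with AP authentication mode {auth_mode!r}"
        elif kind == "mac" and int(row[:2], 16) & 1:
            # Added sanity check: the group bit marks a multicast address, never a device MAC.
            reason = "group (multicast) MAC address, not a device address"
        elif key in seen:
            reason = f"duplicate of line {seen[key]}"
        else:
            seen[key] = lineno
            accepted.append(key)
            continue
        findings.append((lineno, row, reason))
    return accepted, findings


# Rows 1-3 are the guide's example file; rows 4-8 are constructed to trigger findings.
SAMPLE_FILE = """60de-4474-9640
60de-4474-9680
dcd2-fc9a-2110
60DE-4474-9640
60de44749681
0100-5e00-0001
60de-4474-96
21500826412SE9000123
"""

if __name__ == "__main__":
    ok, issues = check_import_file(SAMPLE_FILE, "mac")
    print("importable:", ok)
    for lineno, row, reason in issues:
        print(f"line {lineno}: {row}: {reason}")
```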


3.8.2.2 AP Region
This section describes how to add, modify, and delete an AP region in AP Region.

Context
Adjusting the radio channel and power of an AP may lead to adjustment of another AP. To
quicken adjustment, minimize the impact, and reduce the workload, all the APs accessing the
same AC can be divided into several regions. The impact of adjustment on an AP is limited
within the local region. An AP region can also be used for batch AP upgrade. You can upgrade
APs of the same type in the same region in batches.

Procedure
- Creating an AP region
1. Choose WLAN > AP Info > AP Region.

Figure 3-135 AP Region

2. In the AP Region, click Create. In the Create AP Region dialog box that is displayed,
set parameters described in Table 3-102.

3. Click OK. The AP region is added to the AP region list.

Table 3-102 Parameters for creating an AP region

Parameter | Description

Region ID | ID of an AP region to be added.

Region name | Name of an AP region to be added.

Country code | Country code specified for an AP region.

- Modifying an AP region
1. Choose WLAN > AP Info > AP Region.


2. In AP Region, click corresponding to an AP region.


3. In the Modify AP Region dialog box that is displayed, set parameters described in
Table 3-102. Parameter Region ID cannot be modified.

4. Click OK.
- Deleting an AP region
1. Choose WLAN > AP Info > AP Region.
2. In the AP Region, select an AP region and click Delete. In the Information dialog
box that is displayed, click OK.

NOTICE
The configured default AP region, the system default AP region, and AP regions that contain
any AP cannot be deleted.

- Configuring the default AP region
1. Choose WLAN > AP Info > AP Region.
2. In AP Region, click corresponding to an AP region to configure the region as the default region.
- Searching for an AP region
1. Choose WLAN > AP Info > AP Region.
2. Set Search and the query criteria, and click Go. AP regions matching the query criteria
are displayed. You can view, modify, and delete the AP regions.

----End

3.8.2.3 AP Profile
This section describes how to add, modify, and delete an AP profile in AP Profile.

Procedure
- Creating an AP profile
1. Choose WLAN > AP Info > AP Profile.


Figure 3-136 AP Profile

2. In the AP Profile area, click Create. In the Create AP Profile dialog box that is
displayed, set parameters described in Table 3-103.

3. Click OK. The AP profile is added to the AP profile list.

Table 3-103 Parameters for creating an AP profile

Parameter Description

Profile name Name of an AP profile to be added.

AP indicator Whether to allow or forbid AP indicators


to turn on.

Eapol-response packet encapsulation | Eapol-Response packet encapsulation mode.
• If the authentication server can process only EAP broadcast packets, configure the AP to
encapsulate Eapol-Response packets into broadcast packets.
• If the authentication server can process only EAP multicast packets, configure the AP to
encapsulate Eapol-Response packets into multicast packets.
• If the authentication server can process only EAP unicast packets, configure the AP to
encapsulate Eapol-Response packets into unicast packets with specified MAC addresses or MAC
addresses learned by the AP.
By default, an AP encapsulates Eapol-Response packets into unicast packets with MAC addresses
learned by the AP.

MAC address | MAC address specified for Eapol-Response packets.

Eapol-start packet encapsulation | Eapol-Start packet encapsulation mode.
• If the authentication server can process only EAP broadcast packets, configure the AP to
encapsulate Eapol-Start packets into broadcast packets.
• If the authentication server can process only EAP multicast packets, configure the AP to
encapsulate Eapol-Start packets into multicast packets.
• If the authentication server can process only EAP unicast packets, configure the AP to
encapsulate Eapol-Start packets into unicast packets with specified MAC addresses.
By default, an AP encapsulates Eapol-Start packets into multicast packets.

MAC address | MAC address specified for Eapol-Start packets.

Eapol-response packet transform | Eapol-Response packets to be transformed by the AP.
• Specified: Configures the AP to transform only the Eapol-Response packets with the
destination MAC address being the AP's BSSID.
• All: Configures the AP to transform all Eapol-Response packets.
By default, the AP transforms only the Eapol-Response packets with the destination MAC
address being the AP's BSSID.

Eapol-start packet transform | Eapol-Start packets to be transformed by the AP.
• Specified: Configures the AP to transform only the Eapol-Start packets with the
destination MAC address being the AP's BSSID.
• All: Configures the AP to transform all Eapol-Start packets.
By default, the AP transforms only the Eapol-Start packets with the destination MAC address
being the AP's BSSID.

MTU (Byte) | Specifies the maximum size of packets sent and received on an Ethernet port.

Log backup server IP | IP address of the log backup server.

Offline management | Whether to enable the offline management function.
By default, offline management is disabled.

Sampling interval (s) | Sampling interval on an AP.

Statistics interval (s) | Interval for collecting statistics on an AP.

• Modifying an AP profile
1. Choose WLAN > AP Info > AP Profile.

2. In the AP Profile area, click the icon corresponding to an AP profile.

3. In the Modify AP Profile dialog box that is displayed, set parameters described in
Table 3-103. Parameter Profile Name cannot be modified.

4. Click OK.
• Deleting an AP profile
1. Choose WLAN > AP Info > AP Profile.
2. In the AP Profile area, select an AP profile and click Delete. In the Information
dialog box that is displayed, click OK.

NOTICE
The configured default AP profile, system default AP profile, and bound AP profiles
cannot be deleted.

• Configuring the default AP profile
1. Choose WLAN > AP Info > AP Profile.
2. In the AP Profile area, click the icon corresponding to an AP profile to configure the
profile as the default profile.
• Searching for an AP profile
1. Choose WLAN > AP Info > AP Profile.
2. Set Profile name, and click Search. AP profiles matching the query criteria are
displayed. You can view, modify, and delete the AP profiles.

----End
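
The Eapol-Start and Eapol-Response encapsulation settings in Table 3-103 decide the destination MAC address an AP puts on these frames, so a capture from the AP's wired side shows whether an AP follows its profile. The Python below is an added example, not Huawei code. It assumes untagged Ethernet II frames, treats an EAPOL EAP-Packet carrying an EAP Response as an "Eapol-Response", and uses constructed sample frames in which the multicast case is sent to the standard 802.1X PAE group address.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                    # IEEE 802.1X EtherType
PAE_GROUP = bytes.fromhex("0180c2000003")   # standard 802.1X PAE group (multicast) address
BROADCAST = b"\xff" * 6
EAPOL_EAP_PACKET, EAPOL_START = 0, 1        # EAPOL packet types
EAP_RESPONSE = 2                            # EAP code for a Response


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify(frame: bytes):
    """Classify one untagged Ethernet II frame.

    Returns None for non-EAPOL traffic, otherwise a dict with the EAPOL kind
    ("Eapol-Start", "Eapol-Response" or "other") and the encapsulation
    ("broadcast", "multicast" or "unicast") read from the destination MAC.
    """
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet and EAPOL headers")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]          # Ethernet padding after the body is ignored
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    if ptype == EAPOL_START:
        kind = "Eapol-Start"
    elif ptype == EAPOL_EAP_PACKET and body_len >= 4 and body[0] == EAP_RESPONSE:
        kind = "Eapol-Response"
    else:
        kind = "other"
    if dst == BROADCAST:
        encap = "broadcast"
    elif dst[0] & 0x01:                     # I/G bit set: group address
        encap = "multicast"
    else:
        encap = "unicast"
    return {"kind": kind, "encap": encap, "dst": mac_str(dst), "src": mac_str(src)}


def audit(frames, expected):
    """Return (index, kind, seen, wanted, dst) for frames that differ from the profile."""
    findings = []
    for index, frame in enumerate(frames):
        info = classify(frame)
        if info is None or info["kind"] not in expected:
            continue
        wanted = expected[info["kind"]]
        if info["encap"] != wanted:
            findings.append((index, info["kind"], info["encap"], wanted, info["dst"]))
    return findings


def build(dst: bytes, src: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Build a constructed EAPOL frame (version 1), padded to 60 bytes."""
    header = struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body))
    return (dst + src + header + body).ljust(60, b"\x00")


# Constructed sample data: locally administered MACs, not taken from a real capture.
SENDER = bytes.fromhex("02aabbcc0001")
SERVER = bytes.fromhex("02aabbcc00fe")
# EAP Response/Identity: code, identifier, length, type, then the identity bytes.
EAP_ID_RESPONSE = struct.pack("!BBHB", EAP_RESPONSE, 1, 9, 1) + b"user"

SAMPLE = [
    build(PAE_GROUP, SENDER, EAPOL_START),                        # matches the default
    build(SERVER, SENDER, EAPOL_EAP_PACKET, EAP_ID_RESPONSE),     # matches the default
    build(BROADCAST, SENDER, EAPOL_EAP_PACKET, EAP_ID_RESPONSE),  # differs from the default
    SENDER + SERVER + struct.pack("!H", 0x0800) + bytes(46),      # IPv4 frame, ignored
]

# Defaults stated in Table 3-103: Eapol-Start as multicast, Eapol-Response as unicast.
PROFILE_DEFAULTS = {"Eapol-Start": "multicast", "Eapol-Response": "unicast"}

if __name__ == "__main__":
    for finding in audit(SAMPLE, PROFILE_DEFAULTS):
        print("frame %d: %s sent as %s, profile expects %s (dst %s)" % finding)
```

Replace PROFILE_DEFAULTS with the modes configured in the AP profile under review; a unicast result can additionally be compared against the MAC address set in that profile.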

3.8.2.4 AP Whitelist
This section describes how to add or delete an AP whitelist in AP Whitelist.

Procedure
• Adding an AP MAC address to the AP whitelist
1. Choose WLAN > AP Info > AP Whitelist.

Figure 3-137 AP Whitelist

2. In the MAC Whitelist area, click Add. In the Add to MAC Whitelist dialog box that
is displayed, set parameters described in Table 3-104.

3. Click OK. The AP MAC address is added to the AP whitelist.

Table 3-104 Parameters for adding an AP MAC address to the AP whitelist

Parameter | Description

MAC address | MAC address of an AP to be added to the AP whitelist.

• Adding AP MAC addresses to the AP whitelist in batches
1. Choose WLAN > AP Info > AP Whitelist.
2. In the MAC Whitelist area, click Batch Add. In the Batch Add to MAC
Whitelist dialog box that is displayed, set parameters described in Table 3-105.

3. Click OK. The AP MAC addresses are added to the AP whitelist.

Table 3-105 Parameters for adding AP MAC addresses to the AP whitelist in batches

Parameter | Description

Start MAC address | Start MAC address when you add AP MAC addresses to the AP whitelist in
batches.

End MAC address | End MAC address when you add AP MAC addresses to the AP whitelist in
batches. The end MAC address must be larger than or equal to the start MAC address. A maximum
of 4096 MAC addresses can be added in batches.

• Deleting an AP MAC address from the AP whitelist
1. Choose WLAN > AP Info > AP Whitelist.
2. In the MAC Whitelist area, select an AP MAC address and click Delete. In the
Information dialog box that is displayed, click OK.
• Deleting AP MAC addresses from the AP whitelist in batches
1. Choose WLAN > AP Info > AP Whitelist.
2. In the MAC Whitelist area, click Batch Delete. In the Batch Delete MAC
Whitelist dialog box that is displayed, set parameters described in Table 3-105.
3. Click OK. The AP MAC addresses are deleted from the AP whitelist.
• Searching for an AP MAC address in the AP whitelist
1. Choose WLAN > AP Info > AP Whitelist.
2. Set MAC address and click Search. You can delete the found AP MAC address from
the AP whitelist.
• Operations on the SN whitelist are similar to those on the AP whitelist.
NOTE

• When adding SNs to the whitelist in batches, ensure that the end SN is larger than or equal to the
start SN and the two SNs are of the same length.
• A maximum of 4096 SNs can be deleted in batches.

----End

3.8.2.5 AP Blacklist
This section describes how to add or delete an AP blacklist in AP Blacklist.

Procedure
• Adding an AP MAC address to the AP blacklist
1. Choose WLAN > AP Info > AP Blacklist.

Figure 3-138 AP Blacklist

2. In the MAC Blacklist area, click Add. In the Add to MAC Blacklist dialog box that
is displayed, set parameters described in Table 3-106.

3. Click OK. The AP MAC address is added to the AP blacklist.

Table 3-106 Parameters for adding an AP MAC address to the AP blacklist

Parameter | Description

MAC address | MAC address of an AP to be added to the AP blacklist.

• Adding AP MAC addresses to the AP blacklist in batches
1. Choose WLAN > AP Info > AP Blacklist.
2. In the MAC Blacklist area, click Batch Add. In the Batch Add to MAC Blacklist
dialog box that is displayed, set parameters described in Table 3-107.

3. Click OK. The AP MAC addresses are added to the AP blacklist.

Table 3-107 Parameters for adding AP MAC addresses to the AP blacklist in batches

Parameter | Description

Start MAC address | Start MAC address when you add AP MAC addresses to the AP blacklist in
batches.

End MAC address | End MAC address when you add AP MAC addresses to the AP blacklist in
batches. The end MAC address must be larger than or equal to the start MAC address. A maximum
of 128 MAC addresses can be added to the AP blacklist in batches.

• Deleting an AP MAC address from the AP blacklist
1. Choose WLAN > AP Info > AP Blacklist.
2. In the MAC Blacklist area, select an AP MAC address and click Delete. In the
Information dialog box that is displayed, click OK.
• Deleting AP MAC addresses from the AP blacklist in batches
1. Choose WLAN > AP Info > AP Blacklist.
2. In the MAC Blacklist area, click Batch Delete. In the Batch Delete MAC
Blacklist dialog box that is displayed, set parameters described in Table 3-107.
3. Click OK. The AP MAC addresses are deleted from the AP blacklist.
• Searching for an AP MAC address in the AP blacklist
1. Choose WLAN > AP Info > AP Blacklist.
2. Set MAC address and click Search. You can delete the found AP MAC address from
the AP blacklist.

----End
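
The batch rules in Table 3-105 and Table 3-107 (end MAC address larger than or equal to the start MAC address, at most 4096 addresses per whitelist batch and 128 per blacklist batch) can be checked before a range is typed into the Batch Add dialog box. The Python below is an added example, not part of the web system. The accepted separators, the xxxx-xxxx-xxxx output format, the overlap check between a planned whitelist range and a planned blacklist range, and the sample ranges are assumptions made for illustration.

```python
import re

WHITELIST_BATCH_MAX = 4096   # limit stated in Table 3-105
BLACKLIST_BATCH_MAX = 128    # limit stated in Table 3-107


def parse_mac(text: str) -> int:
    """Parse a MAC written with '-', ':' or '.' separators (or none) into an integer."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Format an integer as xxxx-xxxx-xxxx (output format assumed for this example)."""
    digits = f"{value:012x}"
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


def check_batch(start: str, end: str, limit: int):
    """Validate one batch against the page's rules; return (ok, count, reason)."""
    low, high = parse_mac(start), parse_mac(end)
    if high < low:
        return (False, 0, "end MAC address is smaller than start MAC address")
    count = high - low + 1                       # both ends are included
    if count > limit:
        return (False, count, f"{count} addresses exceed the batch limit of {limit}")
    return (True, count, "ok")


def split_batches(start: str, end: str, limit: int):
    """Split a range into consecutive (start, end) batches that each fit the limit."""
    low, high = parse_mac(start), parse_mac(end)
    if high < low:
        raise ValueError("end MAC address is smaller than start MAC address")
    batches = []
    while low <= high:
        top = min(low + limit - 1, high)
        batches.append((format_mac(low), format_mac(top)))
        low = top + 1
    return batches


def overlap(range_a, range_b):
    """Return the (start, end) span present in both ranges, or None."""
    low = max(parse_mac(range_a[0]), parse_mac(range_b[0]))
    high = min(parse_mac(range_a[1]), parse_mac(range_b[1]))
    return (format_mac(low), format_mac(high)) if low <= high else None


# Constructed sample ranges (locally administered addresses, not real devices).
PLANNED_WHITELIST = ("0200-0012-3000", "0200-0012-4fff")   # 8192 addresses
PLANNED_BLACKLIST = ("0200-0012-3ff0", "0200-0012-406f")   # 128 addresses

if __name__ == "__main__":
    print(check_batch(*PLANNED_WHITELIST, WHITELIST_BATCH_MAX))
    for batch in split_batches(*PLANNED_WHITELIST, WHITELIST_BATCH_MAX):
        print("whitelist batch:", batch)
    print(check_batch(*PLANNED_BLACKLIST, BLACKLIST_BATCH_MAX))
    print("listed in both plans:", overlap(PLANNED_WHITELIST, PLANNED_BLACKLIST))
```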

3.8.3 WLAN Configuration


WLAN configuration includes configuration of common WLANs, Wireless Distribution System
(WDS), and Mesh networks.

3.8.3.1 WLAN Configuration


This section describes how to add, modify, and delete a WLAN in WLAN Configuration.

Context
On the web platform, you can create, modify, and query a WLAN.

Procedure
• Creating a common WLAN service
1. Choose WLAN > WLAN Configuration > WLAN Configuration.

Figure 3-139 WLAN Configuration

2. In the WLAN area, click Create, and then click Common WLAN Service.

3. In the Configure AP area, click Add. In the AP dialog box, select an AP, and click
OK.

4. Set parameters described in Table 3-108.

Table 3-108 Parameters for creating a common WLAN service

Parameter | Description

Radio | Radio specified for a WLAN.

Radio profile | Radio profile.

Channel bandwidth | Channel bandwidth of the specified radio on the AP. When multiple APs are
selected, this parameter is configurable only when the APs are in the same AP region.

Channel | Channel of the specified radio on the AP.
NOTE
After an AP region is configured, this parameter can be set to a channel supported by the AP
region.
To avoid signal interference, ensure that neighboring APs work on different channels.

Power level | Power level of a specified radio on the AP.
By default, the power level of a radio is 0, indicating full power. The power level depends on
the AP type. The power decreases by 1 dBm each time the power level value increases by one.

5. In the Configure WLAN Service area, click Add. In the Service Set dialog box,
select a service set, and click OK.

6. Click OK. The common WLAN service is added to the WLAN list.
• Creating a WDS
1. Choose WLAN > WLAN Configuration > WLAN Configuration.
2. In the WLAN area, click Create, and then click Wireless Distribution System(WDS).

NOTE

APs of the AP2010DN and AP6310SN-GN types do not support WDS.

3. In the Configure AP area, click Add. In the AP dialog box, select an AP, and click
OK.

NOTE

Middle and leaf APs must be added to the AC in offline mode. Otherwise, they cannot go
online.

4. Set parameters described in Table 3-109.

Table 3-109 Parameters for creating a WDS

Parameter | Description

Radio | For details, see Table 3-108.

Radio profile | For details, see Table 3-108.

Bridge mode | Working mode of the bridge.

Bridge whitelist status | Whether the bridge whitelist function is enabled for the bridge.
NOTE
The bridge whitelist function can be configured only when the bridge works in root or middle
mode.

Channel bandwidth | For details, see Table 3-108.

Channel | For details, see Table 3-108.

Power level | For details, see Table 3-108.

Bridge profile | Bridge profile.

Bridge whitelist | Bridge whitelist.
NOTE
A bridge whitelist can be configured only when the bridge whitelist function is enabled.

5. Click OK. The WDS is added to the WLAN list.

• Creating a wireless mesh network
1. Choose WLAN > WLAN Configuration > WLAN Configuration.
2. In the WLAN area, click Create, and then click Wireless Mesh Network(Mesh).

3. In the Configure AP area, click Add. In the AP dialog box, select an AP, and click
OK.

NOTE

APs of the AP2010DN and AP6310SN-GN types do not support mesh.

4. Set parameters described in Table 3-110.

Table 3-110 Parameters for creating a wireless mesh network

Parameter | Description

Radio | For details, see Table 3-108.

Radio profile | For details, see Table 3-108.

Mesh role | Role of the AP radio on the mesh network.

Mesh whitelist status | Mesh whitelist function enabled or disabled.

Channel bandwidth | For details, see Table 3-108.

Channel | For details, see Table 3-108.

Power level | For details, see Table 3-108.

Mesh profile | Name of a mesh profile.

Mesh whitelist | Name of a mesh whitelist.
NOTE
A mesh whitelist can be configured only when the mesh whitelist function is enabled.

5. Click OK. The wireless mesh network is added to the WLAN list.
• Modifying a wireless network configuration
1. Choose WLAN > WLAN Configuration > WLAN Configuration.

2. In the WLAN area, click the icon corresponding to a record.

3. In the Modify WLAN Configuration dialog box that is displayed, set parameters
described in Table 3-108, Table 3-109, or Table 3-110.
4. Click OK.
• Deleting a wireless network configuration
1. Choose WLAN > WLAN Configuration > WLAN Configuration.
2. In the WLAN area, select a configuration record and click Delete. In the
Information dialog box that is displayed, click OK.
• Delivering a wireless network configuration
1. Choose WLAN > WLAN Configuration > WLAN Configuration.
2. In the WLAN area, select the configuration to be delivered and click Commit
Configuration. In the dialog box that is displayed, click OK.

----End

3.8.4 Radio Profile


This section describes how to configure radio and WMM profiles.

3.8.4.1 Radio Profile


This section describes how to configure a radio profile.

Context
A radio profile is a set of commonly-used basic radio parameters, including channel mode, power
mode, calibration switch, and calibration interval. If a radio is bound to a radio profile, the radio
has all parameters configured on the radio profile. Since one radio profile can be bound with
multiple radios, the radio profile can simplify radio configuration.

Procedure
• Creating a radio profile
1. Choose WLAN > Radio Profile to display the Radio Profile page.

2. On the Radio Profile page, click Create to display the Create Radio Profile page.

3. On the Create Radio Profile page, select or enter each parameter based on actual
requirements. For description of the parameters, see Table 3-111.
4. Click OK to save the parameter settings.

Table 3-111 Description of radio profile configuration parameters

Parameter | Description

Profile name | Name of a radio profile.

Channel mode | Channel mode of the radio.
An AP supports the following channel modes:
• Automatic mode: Allows an AP to select a channel for a radio based on the WLAN radio
environment. In automatic mode, you do not need to specify channels for radios.
• Fixed mode: Provides users with an alternative way when they want to specify channels by
themselves or to avoid frequent channel adjustment (this may cause intermittent service
interruption).

Power mode | Power mode of the radio.
An AP supports the following power modes:
• Automatic mode: The AP selects the transmit power for a radio based on the WLAN radio
environment.
• Fixed mode: The transmit power for a radio must be set by users.

Calibration status | Whether to enable radio calibration.
A radio profile on which radio calibration is enabled can dynamically adjust the channels and
power of an AP, enabling the AP radios bound to the radio profile to adjust automatically to
ensure the AP works in its best state.

Calibration interval | Calibration interval of the radio.
An AP checks the radio environment at the specified interval. If the radio environment
deteriorates, the AP calibrates radio parameters.

Probe interval | Probe interval for radio calibration.

WMM profile | WMM profile to which the radio profile is bound.

Basic Rate Set | Configure the basic rate set of the 802.11bg protocol or the 802.11a protocol
in the radio profile.
All rates specified in the basic rate set must be supported by both the AP and STA; otherwise,
the STA cannot associate with the AP.

Support Rate Set | Configure the supported rate set of the 802.11bg protocol or the 802.11a
protocol in the radio profile.
The supported rate set contains rates supported by the AP, except the basic rates. The AP and
STA can transmit data at all rates specified by the supported rate set.

Multicast Rate | Configure the radio multicast rate.
If the configured multicast rate is not in the basic rate set and the STA does not support this
rate, the STA cannot receive multicast data.

Maximum MCS for spatial stream 1 / Maximum MCS for spatial stream 2 / Maximum MCS for spatial
stream 3 | Configure the maximum MCS value for the 802.11ac protocol in the radio profile.
A larger MCS value indicates a higher transmission rate.

STA access control | STA access control. This feature allows an AP to control user access based
on the thresholds specified according to the radio channel usage and number of online users,
which enables provision of quality network access services.
• By STA quantity: STA access control by STA quantity is less accurate but uses a simple
algorithm. This implementation mode is recommended when most users have the same type of
services and similar service traffic volumes.
• By channel usage: STA access control by channel usage uses a complex algorithm but is
accurately implemented to ensure service quality. This implementation mode is recommended when
service types and traffic volumes differ greatly among users.
• Disable: STA access control is disabled.

Access threshold | Threshold for access of new users.
When a new user connects to the AP, the AP checks whether the current channel usage or the
number of online users reaches the threshold. If so, the AP denies access of the new user.

Roaming threshold | Threshold for access of roaming users.
When a user roams to the AP, the AP checks whether the current channel usage or the number of
online users reaches the threshold. If so, the AP denies access of the user.

Hide SSID when reaching threshold | Automatic SSID hiding. To prevent new users from
discovering the SSID of the AP to send association requests, configure automatic SSID hiding to
disable the AP radio from advertising SSIDs.

PER threshold | Packet loss rate threshold for radio calibration.
When the packet loss rate of a radio reaches the threshold, the AP considers that the radio
environment deteriorates and it reports alarms to the AC. If radio calibration is enabled, the
AP calibrates radio parameters.

Conflict rate threshold | Conflict rate threshold for radio calibration.
When the conflict rate of a radio reaches the threshold, the AP considers that the radio
environment deteriorates and it reports alarms to the AC. If radio calibration is enabled, the
AP calibrates radio parameters.

RTS/CTS mode | Request To Send/Clear To Send (RTS/CTS) handshake protocol, that is, RTS/CTS
mode.
The RTS/CTS handshake protocol avoids data transmission failures caused by channel conflicts.
However, if STAs perform RTS/CTS handshakes each time before sending data, there will be a
large number of RTS frames that consume the channel bandwidth. Therefore, the cts-to-self mode
is recommended.
• cts-to-self: Sets the RTS-CTS operation mode to cts-to-self.
• rts-cts: Sets the RTS-CTS operation mode to RTS-CTS.
• disable: Disables RTS-CTS.

RTS/CTS threshold | RTS/CTS threshold.
NOTE
If STAs perform RTS/CTS handshakes each time before sending data, there will be a large number
of RTS frames that consume the channel bandwidth. To prevent this problem, set the RTS
threshold and maximum number of retransmission attempts for frames. The RTS threshold specifies
the length of data frames. When the length of data frames sent by a STA is smaller than the RTS
threshold, no RTS/CTS handshake is performed. The default RTS threshold is recommended.

Fragmentation threshold | Fragment threshold. If the length of a frame to be sent by the 802.11
MAC layer exceeds this threshold, the frame is fragmented before being sent.
• When the packet fragmentation threshold is too small, packets are fragmented into smaller
frames. These frames are transmitted at a high extra cost, resulting in low channel efficiency.
• When the packet fragmentation threshold is too large, long packets are usually not
fragmented, which increases the transmission time and error probability. If an error occurs,
packets are retransmitted, resulting in a waste of channel bandwidth. A large threshold is
recommended.

Short frame retry count | Maximum number of retransmission attempts for frames smaller than or
equal to the RTS threshold.
A short frame is a MAC-layer frame that is no longer than the RTS/CTS threshold. If no ACK
message is received after the number of retransmissions of a short frame exceeds the maximum
value, the short frame is discarded.

Long frame retry count | Maximum number of retransmission attempts for frames exceeding the RTS
threshold.
A long frame is a MAC-layer frame that is longer than the RTS/CTS threshold. If no ACK message
is received after the number of retransmissions of a long frame exceeds the maximum value, the
long frame is discarded.

Support short preamble | Whether an AP supports short preamble.
The preamble is a section of bits in the header of a data frame. It synchronizes signals
transmitted between the sender and receiver and can be either a short preamble or a long one.
• A short preamble ensures better synchronization performance and therefore is recommended.
• A long preamble is usually used for compatibility with earlier network adapters of clients.

DTIM interval | Delivery traffic indication message (DTIM) interval in the radio profile.
The DTIM interval specifies how many Beacon frames are sent by an AP before the Beacon frame
that contains the DTIM. The Beacon frame carrying DTIM wakes an STA in power-saving mode, and
transmits the broadcast and multicast frames saved on the AP to the STA.
• A short DTIM interval helps transmit data in a timely manner, but the STA is woken
frequently, causing high power consumption.
• A long DTIM interval lengthens the dormancy time of an STA and saves power, but degrades the
transmission capability of the STA.

Beacon interval | Interval at which an AP sends Beacon frames.
A Beacon frame is a broadcast frame sent at intervals. An AP sends Beacon frames at intervals
to notify STAs of an existing 802.11 network.

Interference detect switch | Whether to enable interference detection.
WLAN wireless channels are often affected by the radio environment, and the service quality is
therefore degraded. If interference detection is configured, an AP can know the radio
environment in real time and report alarms to the AC.

Threshold for co-channel interference | Alarm threshold for co-channel interference.
Two APs working in the same frequency band interfere with each other. For example, on a
large-scale WLAN (for example, a university campus network), different APs often use the same
channel. When there are overlapping areas among these APs, co-channel interference exists,
degrading network performance. After interference detection is enabled, an AP can detect
co-channel interference. When the co-channel interference detected exceeds the specified alarm
threshold, the AP reports alarms to the AC.

Threshold for adjacent-channel interference | Alarm threshold for adjacent-channel
interference.
Adjacent-channel interference occurs when two APs with different center frequencies have
overlapping areas. Therefore, if APs are placed too close to each other or they have strong
signals, more noise will be produced, degrading network performance. After interference
detection is enabled, an AP can detect adjacent-channel interference. When the adjacent-channel
interference detected exceeds the specified alarm threshold, the AP reports alarms to the AC.

Threshold for STA interference | Alarm threshold for STAs not managed by the local AP.
If there are too many STAs that are managed by other APs around the local AP, services of the
STAs managed by the local AP may be affected. After interference detection is enabled, the AP
can detect STAs managed by other APs. When the number of STAs detected exceeds the specified
alarm threshold, the AP reports alarms to the AC.

Radio device report duration | Interval at which an AP reports information about radio devices
to the AC.
An AP keeps detecting information about radio devices. At the report interval, the AP reports
the information detected to the AC, deletes the information that has been reported, and starts
the next round of detection.

Wifi-light mode | Status of the Wireless LED on the AP.
On a WDS network or a mesh network, you need to adjust AP locations and antenna directions to
obtain optimal signal strength between WDS-capable or mesh-capable APs. The blinking frequency
of the Wireless LED shows the signal strength, so that the installation personnel can know the
current signal strength in real time.
NOTE
This command takes effect only when the AP has the WDS or mesh function enabled. If the WDS and
mesh functions are disabled on the AP, the Wireless LED always shows service traffic volume.

Beamforming status | Whether to enable the beamforming function.
Beamforming can enhance signals at an angle (for target users), attenuate signals at another
angle (for non-target users or obstacles), and extend the radio coverage area.
NOTE
The AP6x10SN/DN series excluding the AP6310 support beamforming. AP2x10xN series, AP5x30xN
series, AP5x10xN series and AP7x10xN series APs support beamforming. The AP3x10xN series APs do
not support beamforming.

802.11n guard interval mode | Configure the guard interval (GI) mode.
There are two types of GI: short GI and normal GI. When configuring 802.11n, you can configure
the normal GI in 802.11a/g or short GI in 802.11n. The short GI reduces the extra cost and
improves the transmission rate.

802.11n A-MPDU status | Enable the MAC Protocol Data Unit (MPDU) aggregation function.
An 802.11 packet is sent as an MPDU, requiring channel competition and backoff and consuming
channel resources. The 802.11n MPDU aggregation function aggregates multiple MPDUs into an
aggregate MAC Protocol Data Unit (A-MPDU), so that N MPDUs can be transmitted through one
channel competition and backoff. This function saves the channel resources to be consumed for
sending N-1 MPDUs. The MPDU aggregation function improves channel efficiency and 802.11 network
performance.

802.11n A-MPDU length | Configure the maximum length of an A-MPDU.

802.11ac guard interval mode | Configure the 802.11ac guard interval (GI) mode.
There are two types of GI: short GI and normal GI. When configuring 802.11ac, you can configure
the normal GI or short GI in 802.11ac. The short GI reduces the extra cost and improves the
transmission rate.

802.11ac A-MPDU length | Configure the maximum length of an 802.11ac A-MPDU.

Channel switch announcement status | Whether to enable channel switch announcement.
When the AP works on a Depth First Select (DFS) channel, a radar detection is performed. The AP
automatically switches to another channel because the DFS channel frequency may interfere with
the radar frequency. After channel switch announcement is enabled, if an AP needs to switch the
channel, the AP sends action frames to instruct the STA to switch its channel after several
Beacon intervals, and the AP switches its channel after the same number of Beacon intervals.
The AP and STAs switch channels at the same time to prevent STA reassociations and ensure rapid
service recovery.

Channel switch announcement mode | Channel switch announcement mode.
During channel switching, STA communication is interrupted. The administrator can stop an
associated STA sending data on the current channel until channel switching is complete.
Alternatively, data transmission from STAs can be continued on the current channel before
channel switching is complete.
• continue-transmitting: Continues data transmission on the current channel during channel
switching.
• stop-transmitting: Stops data transmission from STAs on the current channel during channel
switching.

Signal strength detection for incoming signals | Whether to enable signal strength detection
for incoming STA signals.
On a WLAN, an AP may receive weak radio signals from some STAs. After associating with the AP,
these STAs work at a low rate, affecting the network throughput. The function that restricts
access of weak-signal STAs can prevent STAs, whose signal strength is lower than the specified
value, from accessing the WLAN, reducing the impact of these STAs on others and improving WLAN
performance.
NOTE
In the case of good WLAN signal coverage, this function can be used to restrict WLAN access of
weak-signal STAs at the edge of the coverage area.

Signal strength threshold | Signal strength threshold to restrict access of weak-signal STAs.
In the case that signal strength detection for incoming STA signals is enabled, when an STA
discovers an AP by scanning, the STA sends a Probe Request frame containing Received Signal
Strength Indicator (RSSI) to an AP. After receiving the Probe Request frame, the AP obtains the
RSSI value. If the RSSI value is less than the threshold, the AP does not respond to the
request frame and the association attempt of the STA fails, which restricts WLAN access of
weak-signal STAs.


Forced logout of STAs based on the signal strength: Whether to force weak-signal STAs to log out.
On a traditional WLAN, when a STA is farther from an AP, the access rate of the STA becomes
lower but the STA still associates with the AP without reinitiating a connection with the AP or
roaming to another AP. This degrades user experience.
To solve this problem, configure the function that forces weak-signal STAs to log out. When an
AP detects that the signal strength of a STA is lower than the configured lower threshold, the
AP sends a Disassociation packet to the STA so that the STA can reinitiate a connection with the
AP or roam to another AP.
In the case of good WLAN signal coverage, this function can force weak-signal STAs at the edge
of the coverage area to log out and reconnect to the WLAN.

Threshold for forced logout of STAs based on the signal strength: Lower threshold for the STA
signal strength.
After the function of forcing logout of weak-signal STAs is enabled, the AP forces STAs to log
out based on the configured signal strength threshold. When an AP receives a STA's data packet,
the AP learns the STA's signal strength from the data packet. If the STA's signal strength is
lower than the configured threshold, the AP sends a Disassociation frame to the STA so that the
STA can reinitiate a connection with the AP or roam to another AP with strong signals.

Background neighbor probing: Background neighbor probing helps you learn status of all channels
on the WLAN network.
If background neighbor probing is enabled, an AP determines whether to switch to another channel
for neighbor probing every 10s based on the service traffic volume and threshold of user
quantity. If the channel switching condition is met (the number of users or traffic on the
channel does not exceed the threshold), the AP switches to the new channel. The AP then listens
for Beacon frames on the new channel and saves the probing result. After 60 ms, the AP switches
back to the original channel.

Service threshold for background neighbor probing: Service threshold for background neighbor
probing configured on an AP.
After the background neighbor probing is enabled, an AP determines whether the current service
traffic volume exceeds the threshold during the background neighbor probing. If the volume does
not exceed the threshold, the AP automatically switches to a different channel; otherwise, it
does not switch its channel.
Service traffic volume = (Sum of bytes received and sent by an AP within a period)/(Theoretical
sending and receiving rate of the AP within a period) x 100%


User threshold for background neighbor probing: User threshold for background neighbor probing
configured on an AP.
After the background neighbor probing is enabled, an AP determines whether the current user
number exceeds the threshold during the background neighbor probing. If the number does not
exceed the threshold, the AP automatically switches to a different channel; otherwise, it does
not switch its channel.

Radio device synchronization duration: Interval at which an AP reports all the radio device
information to an AC.
An AP reports the radio device information to the AC in two modes:
- The AP immediately sends information about added, deleted, or modified radio devices.
- The AP periodically sends all the radio device information.
To ensure that the detected device information saved on APs and the AC is the same, you can
configure a radio device synchronization duration to periodically synchronize the detected radio
device data saved on them.

Forced logout of STAs based on the rate: Whether to force low-rate STAs to log out.
On a traditional WLAN, when a STA is farther from an AP, the access rate of the STA becomes
lower but the STA still associates with the AP without reinitiating a connection with the AP or
roaming to another AP. This degrades user experience.
To solve this problem, configure the function that forces low-rate STAs to log out. When an AP
detects that the access rate of a STA is lower than the specified access rate, the AP sends a
Disassociation packet to the STA so that the STA can reinitiate a connection with the AP or roam
to another AP.
When APs are densely deployed, the WLAN has good signal coverage. In such a case, this function
can be used to force logout of low-rate STAs at the edge of an AP's coverage area so that the
STAs can reassociate with APs with strong signals, which ensures good service experience.

Threshold for forced logout of STAs based on the rate: Lower threshold for the STA access rate.
After the function of forcing logout of low-rate STAs is enabled, the AP forces STAs to log out
based on the configured access rate threshold. When an AP receives a STA's data packet, the AP
learns the STA's access rate from the data packet. If the STA's access rate is lower than the
configured threshold, the AP sends a Disassociation frame to the STA so that the STA can
reinitiate a connection with the AP or roam to another AP with strong signals.


Airtime scheduling: Whether to enable airtime scheduling.
After airtime scheduling is enabled, the device collects statistics on the channel occupation
time used by users connected to the same radio for sending packets, creates the mapping table
for the channel occupation time of each user in accumulated mode, and establishes a sorted link
table based on the time in an ascending order. Based on the mapping table, an AP transmits data
with the user who occupies the channel for the shortest time, ensuring that each user can
equally occupy the wireless channels. The data packets of high-speed users are transmitted
quickly, which is not affected by the data transmission time of low-speed users. This improves
the overall user experience.

- Viewing radio profile details
  1. Choose WLAN > Radio Profile to display the Radio Profile page.
  2. On the Radio Profile page, click details in the last column to view the radio profile
     details. For description of the parameters, see Table 3-111.
- Deleting a radio profile
  1. Choose WLAN > Radio Profile to display the Radio Profile page.
  2. On the Radio Profile page, select the radio profile to be deleted and click Delete to
     delete the selected profile.
- Refreshing the radio profile list
  1. Choose WLAN > Radio Profile to display the Radio Profile page.
  2. On the Radio Profile page, click Refresh to update the radio profiles to the latest
     information.
- Searching for a radio profile
  1. Choose WLAN > Radio Profile to display the Radio Profile page.
  2. On the Radio Profile page, select a proper search item, enter the search keywords,
     and click Go to search for radio profiles that match the search item and keywords.
     NOTE
     The radio profile search function supports fuzzy match based on keywords. For example, if
     Profile Name is selected as the search item and the search keyword is P, all profile names
     that contain the letter "P" can be found.

----End
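
The airtime scheduling behaviour described in Table 3-111, as an added simulation that is not part of the Huawei guide and not the device's implementation: the scheduler always serves the STA with the least accumulated channel occupation time, compared with plain frame-by-frame round robin. The STA names, PHY rates, frame size and observation window are constructed for the example.

```python
import heapq

FRAME_BYTES = 1500  # constructed: every frame carries 1500 bytes

# Constructed sample: STA name -> PHY rate in Mbit/s
SAMPLE_STAS = {"fast-sta": 48, "slow-sta": 6}


def tx_time_us(rate_mbps):
    """Channel occupation time (microseconds) of one frame at a PHY rate in Mbit/s."""
    return FRAME_BYTES * 8 / rate_mbps


def airtime_scheduling(stas, budget_us):
    """Always serve the STA with the least accumulated channel occupation time.

    Returns {name: (airtime_us, bytes_sent)} after budget_us of channel time.
    """
    # Min-heap of (accumulated airtime, name): the ascending "sorted link table".
    table = [(0.0, name) for name in sorted(stas)]
    heapq.heapify(table)
    sent = {name: 0 for name in stas}
    used = {name: 0.0 for name in stas}
    clock = 0.0
    while table:
        airtime, name = heapq.heappop(table)
        cost = tx_time_us(stas[name])
        if clock + cost > budget_us:
            break  # the next frame no longer fits into the observation window
        clock += cost
        used[name] = airtime + cost
        sent[name] += FRAME_BYTES
        heapq.heappush(table, (used[name], name))
    return {name: (used[name], sent[name]) for name in stas}


def round_robin(stas, budget_us):
    """Baseline without airtime scheduling: one frame per STA in turn."""
    order = sorted(stas)
    sent = {name: 0 for name in stas}
    used = {name: 0.0 for name in stas}
    clock = 0.0
    turn = 0
    while order:
        name = order[turn % len(order)]
        cost = tx_time_us(stas[name])
        if clock + cost > budget_us:
            break
        clock += cost
        used[name] += cost
        sent[name] += FRAME_BYTES
        turn += 1
    return {name: (used[name], sent[name]) for name in stas}


def total_bytes(result):
    """Aggregate payload delivered on the radio during the window."""
    return sum(sent for _, sent in result.values())


if __name__ == "__main__":
    window_us = 100_000  # 100 ms of channel time
    for label, scheduler in (("airtime", airtime_scheduling), ("round robin", round_robin)):
        result = scheduler(SAMPLE_STAS, window_us)
        print(label, result, "total bytes:", total_bytes(result))
```

With round robin the 6 Mbit/s STA holds the channel for most of the window and drags the fast STA down to its own throughput; with airtime scheduling both STAs get the same channel time and the fast STA's throughput no longer depends on the slow one.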

3.8.4.2 WMM Profile


This section describes how to configure a WMM profile.

Context
802.11 provides services of the same quality for all applications. Different applications, however,
have different requirements for wireless networks. 802.11 cannot provide services of different
qualities for different applications.


To provide services of different qualities for different applications, the Wi-Fi Alliance defines
the Wi-Fi Multimedia (WMM) standard, which classifies data packets into four access categories
(ACs) in descending order of priorities, that is, AC-voice (AC-VO), AC-video (AC-VI),
AC-best effort (AC-BE), and AC-background (AC-BK). This standard ensures that high-priority
packets preempt channels.

A WMM profile is created to implement the WMM protocol. After a WMM profile is created,
packets with higher AP or STA priority preempt a wireless channel first, ensuring better quality
for voice and video services on WLANs.

You can configure WMM profiles to provide different services on STAs or APs with different
channel preemption capabilities and implement different QoS.

Procedure
- Creating a WMM profile
  1. Choose WLAN > Radio Profile > WMM Profile to display the WMM Profile page.
  2. On the WMM Profile page, click Create to display the Create WMM Profile page.
  3. On the Create WMM Profile page, select or enter each parameter based on actual
     requirements. For description of the parameters, see Table 3-112.
  4. Click OK to save the parameter settings.

Table 3-112 Description of WMM profile configuration parameters

Parameter Description

Profile name: WMM profile name.


WMM status: Whether to enable the WMM function.

Mandatory control status: If the WMM mandatory switch is enabled, STAs that do not support WMM
cannot connect to a WMM-enabled AP.
If the WMM mandatory switch is disabled, STAs that do not support WMM are allowed to connect to
a WMM-enabled AP.
NOTE
On a WLAN, wireless channels are open and all STAs have the same chance to occupy a channel. You
can configure WMM to distinguish high-priority packets and enable the high-priority packets to
preempt channels. You can also disable STAs that do not support WMM from connecting to a
WMM-enabled AP, which prevents those STAs from preempting channels of WMM-capable STAs.

Client EDCA parameters: Client EDCA parameters.
Enhanced distributed channel access (EDCA) is a prioritized carrier sense multiple access with
collision avoidance (CSMA/CA) mechanism used by quality of service (QoS) STAs in a basic service
set (BSS). This mechanism is also used by the QoS access point (AP) and operates concurrently
with hybrid coordination function (HCF).

AP EDCA parameters: EDCA parameters of APs.

AC_VO: AC_VO packets.

AC_VI: AC_VI packets.

AC_BE: AC_BE packets.

AC_BK: AC_BK packets.

AIFSN: Arbitration inter frame spacing number (AIFSN). It determines the channel idle time.
In the distributed coordination function (DCF) protocol, the DCF inter frame space (DIFS) has a
fixed value. WMM provides different DIFS values for different ACs. A large AIFSN value means
that the STA must wait for a long time and has a low priority.

ECWmin: Exponent form of the minimum contention window. ECWmin and ECWmax determine the average
backoff time. A larger value indicates a longer average backoff time and a lower priority.

ECWmax: Exponent form of the maximum contention window. ECWmax and ECWmin determine the average
backoff time. A larger value indicates a longer average backoff time and a lower priority.

TXOPLimit: Transmission opportunity limit (TXOPLimit). It determines the maximum duration in
which an STA can occupy a channel. A larger value indicates a longer duration. If the TXOPLimit
value is 0, the STA can send only one data frame every time it preempts a channel.


Ack-Policy: ACK policy. It includes:
- NORMAL ACK: During the interaction of 802.11 packets, the receiver sends an ACK packet to
  confirm the receiving of a packet from the sender.
- NO ACK: The receiver sends no ACK packet to confirm the receiving of a packet from the sender.
  It applies to scenarios where communication quality is good and interference is low.

- Viewing WMM profile details
  1. Choose WLAN > Radio Profile > WMM Profile to display the WMM Profile page.
  2. On the WMM Profile page, click details in the last column to view the WMM profile
     details. For description of the parameters, see Table 3-112.
- Deleting a WMM profile
  1. Choose WLAN > Radio Profile > WMM Profile to display the WMM Profile page.
  2. On the WMM Profile page, select the WMM profile to be deleted and click Delete
     to delete the selected profile.
- Refreshing the WMM profile list
  1. Choose WLAN > Radio Profile > WMM Profile to display the WMM Profile page.
  2. On the WMM Profile page, click Refresh to update the WMM profiles to the latest
     information.
- Searching for a WMM profile
  1. Choose WLAN > Radio Profile > WMM Profile to display the WMM Profile page.
  2. On the WMM Profile page, select a proper search item, enter the search keywords,
     and click Go to search for WMM profiles that match the search item and keywords.
     NOTE
     The WMM profile search function supports fuzzy match based on keywords. For example, if
     Profile Name is selected as the search item and the search keyword is P, all profile names
     that contain the letter "P" can be found.

----End
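
How the EDCA fields of Table 3-112 turn into channel-access timing, as an added example that is not part of the Huawei guide. It uses the standard 802.11 relations AIFS = SIFS + AIFSN x slot time and CW = 2^ECW - 1; the slot and SIFS timings, the 32-microsecond TXOPLimit unit and the per-AC sample values are assumptions made for the illustration.

```python
SLOT_US = 9        # assumed slot time (OFDM PHY)
SIFS_US = 16       # assumed SIFS (5 GHz OFDM PHY)
TXOP_UNIT_US = 32  # assumed: TXOPLimit counted in 32-microsecond units, as in 802.11

# Access categories in descending order of priority, as listed in the Context above
AC_ORDER = ["AC_VO", "AC_VI", "AC_BE", "AC_BK"]

# Constructed sample profile: AC -> (AIFSN, ECWmin, ECWmax, TXOPLimit)
SAMPLE_PROFILE = {
    "AC_VO": (2, 2, 3, 47),
    "AC_VI": (2, 3, 4, 94),
    "AC_BE": (3, 4, 10, 0),
    "AC_BK": (7, 4, 10, 0),
}


def access_timing(aifsn, ecwmin, ecwmax, txoplimit):
    """Convert one AC's EDCA settings into timings in microseconds."""
    if ecwmin > ecwmax:
        raise ValueError("ECWmin must not exceed ECWmax")
    cwmin = 2 ** ecwmin - 1  # contention window = 2^ECW - 1 slots
    cwmax = 2 ** ecwmax - 1
    aifs_us = SIFS_US + aifsn * SLOT_US
    return {
        "aifs_us": aifs_us,
        "cwmin": cwmin,
        "cwmax": cwmax,
        # Backoff is drawn uniformly from 0..CW, so the mean first backoff is CWmin/2 slots.
        "mean_first_wait_us": aifs_us + cwmin / 2 * SLOT_US,
        "worst_backoff_us": cwmax * SLOT_US,
        # TXOPLimit 0 means one frame per channel access, so no burst duration.
        "txop_us": txoplimit * TXOP_UNIT_US,
    }


def priority_inversions(profile):
    """List (higher_ac, lower_ac) pairs where the lower-priority AC waits less on average.

    An empty list means the profile keeps the AC_VO > AC_VI > AC_BE > AC_BK ordering.
    """
    wait = {ac: access_timing(*profile[ac])["mean_first_wait_us"] for ac in AC_ORDER}
    inversions = []
    for i, higher in enumerate(AC_ORDER):
        for lower in AC_ORDER[i + 1:]:
            if wait[lower] < wait[higher]:
                inversions.append((higher, lower))
    return inversions


if __name__ == "__main__":
    for ac in AC_ORDER:
        print(ac, access_timing(*SAMPLE_PROFILE[ac]))
    # Constructed misconfiguration: background traffic given voice-like settings
    broken = dict(SAMPLE_PROFILE, AC_BK=(2, 1, 3, 0))
    print("inversions:", priority_inversions(broken))
```

Running `priority_inversions` over a profile before applying it catches settings that would let background traffic win contention against voice or video.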

3.8.5 Service Set


This section describes how to configure the service set, traffic profile, security profile, ESS
interface, as well as the STA whitelist and blacklist.

3.8.5.1 Service Set


This section describes how to add, modify, delete, and query a service set in Service Set.

Context
You must deliver service parameters to APs so that STAs can associate with APs to access the
network. A service set is a collection of service parameters. You can set the SSID, service VLAN,
maximum number of access STAs, and association aging time of STAs, and determine whether
to hide the SSID in a service set. Manually configure a service set and bind it to AP radios. All
service parameters in the service set then apply to the VAPs, and the APs can provide
differentiated WLAN services using these service parameters.

Procedure
- Creating a service set
  1. Choose WLAN > Service Set > Service Set. The Service Set tab page is displayed.

     Figure 3-140 Service Set

  2. In the Service Set area, click Create. In the Create Service Set dialog box that is
     displayed, set parameters described in Table 3-113.
  3. Click OK.

Table 3-113 Parameters for creating a service set

Parameter Description

Service set name: Name of a service set.

Associated SSID: SSID of the service set.
An SSID identifies a wireless network. When you search for available wireless networks on a STA
such as your laptop, SSIDs are displayed to identify the available wireless networks.

Service VLAN: Service VLAN bound to the service set.

Traffic profile: Traffic profile bound to the service set.


Security profile: Security profile bound to the service set.
NOTE
Note the following when the radio type is set to 802.11n:
- The authentication mode cannot be set to WEP in the security profile.
- The encryption mode cannot be TKIP if the authentication mode is set to WPA or WPA2 in the
  security profile.

ESS interface: ESS interface bound to the service set.

Forwarding mode: Data forwarding mode. The default forwarding mode is the direct forwarding
mode.
This parameter cannot be set when AP-based forwarding is used.

Tunnel forwarding protocol: Protocol used for tunnel forwarding.

Address learning: Whether to enable STA address learning.

Strict address learning: Whether to enable strict STA IP address learning through DHCP.

IPSG: Whether to enable IPSG.

SSID Hiding: Whether to hide the SSID.

User isolation: Whether to enable user isolation.

Offline management: Whether to enable offline management.
NOTE
Only 2.4 GHz radios support offline management service sets.

Service set type: Type of the service set. The default value is Service.

Maximum user count: Maximum number of access users.

Connection time-out(min): Association aging time of STAs.

STA blacklist/whitelist profile: Whether to enable the STA blacklist or whitelist function.

STA whitelist profile: Name of a STA whitelist profile.

STA blacklist profile: Name of a STA blacklist profile.

- Modifying a service set
  1. Choose WLAN > Service Set > Service Set. The Service Set tab page is displayed.
  2. In the Service Set area, click of a service set.
  3. In the Modify Service Set dialog box that is displayed, modify parameters described
     in Table 3-113. Parameter Service Set Name cannot be modified.
  4. Click OK.
- Deleting a service set
  1. Choose WLAN > Service Set > Service Set. The Service Set tab page is displayed.
  2. In the Service Set area, select a service set and click Delete. In the Information dialog
     box that is displayed, click OK.
- Searching for service sets
  1. Choose WLAN > Service Set > Service Set. The Service Set tab page is displayed.
  2. In the Service Set area, set Search and click Go. Service sets matching the search
     criteria are displayed. You can view, modify, and delete the service sets.

----End

3.8.5.2 Traffic Profile


This section describes how to create, modify, delete, and search for traffic profiles.

Context
To apply priority mapping and traffic policing functions to a WLAN network, create a traffic
profile.
- Priority mapping: If Wi-Fi Multimedia (WMM) is enabled on both a STA and an AP, the
  STA sends packets carrying a priority field. After receiving an 802.11 packet, the AP
  converts it to an 802.3 packet. If the packet needs to be sent to the AC, the AP encapsulates
  the 802.3 packet with a CAPWAP header. Priority mapping must be configured to retain
  priorities of packets during the entire transmission process, ensuring end-to-end QoS.
  - After receiving an 802.11 packet from the STA, the AP maps the 802.1p priority or
    priority in the Precedence field to the 802.11 user priority.
  - In tunnel forwarding mode, the 802.1p or Precedence field must be mapped to a tunnel
    priority.
  - The AC forwards the 802.3 packets received from the Internet to the AP directly or
    through a tunnel. After receiving the 802.3 packets, the AP maps the 802.1p or
    Precedence field to the 802.11 user priority.
- Traffic policing: To protect network resources, the AC needs to limit the rate of packets
  sent from STAs to a WLAN network.

Procedure
- Creating a traffic profile
  1. Choose WLAN > Service Set > Traffic Profile. The Traffic Profile tab page is
     displayed.
  2. In the Traffic Profile area, click Create. In the Create Traffic Profile dialog box
     that is displayed, set parameters described in Table 3-114.
  3. Click OK.

Table 3-114 Parameters for creating a traffic profile

Parameter Description

Traffic profile name: Name of a traffic profile.


Upstream priority mode: Mode in which user priorities of upstream packets are mapped to 802.1p
priorities. The value can be Mapping Value or Specify Value.
- When this parameter is set to Mapping Value, specify 802.1p priorities mapping to user
  priorities. By default, user priority 0 maps to 802.1p priority 0, user priority 1 maps to
  802.1p priority 1, and so on.
- When this parameter is set to Specify Value, specify an 802.1p priority. All 802.3 packets
  have the same 802.1p priority.

802.1p priority: 802.1p priorities of upstream packets mapping to user priorities. By default,
user priority 0 maps to 802.1p priority 0, user priority 1 maps to 802.1p priority 1, and so on.

User priority: User priorities of upstream packets.

Downstream priority mapping mode: Mode in which 802.1p priorities of downstream 802.3 packets
are mapped to user priorities. The value can be 802.1p or ToS.

802.1p priority: 802.1p priorities of downstream 802.3 packets mapping to user priorities. By
default, 802.1p priority 0 maps to user priority 0, 802.1p priority 1 maps to user priority 1,
and so on.

Precedence priority: Precedence field of downstream 802.3 packets mapping to user priorities.
By default, precedence 0 maps to user priority 0, precedence 1 maps to user priority 1, and so
on.

User priority: User priorities of downstream packets.


Upstream tunnel priority mode: Mode in which priorities of 802.3 packets are mapped to upstream
tunnel priorities.
- When Mapping Value is selected, the following four modes are supported:
  - ToS-802.1p: Maps ToS priorities of 802.3 packets to 802.1p priorities of the tunnel.
  - ToS-ToS: Maps ToS priorities of 802.3 packets to ToS priorities of the tunnel.
  - 802.1p-ToS: Maps 802.1p priorities of 802.3 packets to ToS priorities of the tunnel.
  - 802.1p-802.1p: Maps 802.1p priorities of 802.3 packets to 802.1p priorities of the tunnel.
- When Specify Value is selected, specify a ToS or 802.1p priority for the tunnel.

Upstream tunnel priority: Priority of the upstream tunnel.

802.1p priority: 802.1p priorities.

Precedence priority: Value of the Precedence field.

STA upstream rate limit(kbit/s): Upstream rate limit for a STA.

STA downstream rate limit(kbit/s): Downstream rate limit for a STA.

VAP upstream rate limit(kbit/s): Upstream rate limit for all terminals associating with a VAP.
The value must be larger than the upstream rate limit for a STA.

VAP downstream rate limit(kbit/s): Downstream rate limit for all terminals associating with a
VAP. The value must be larger than the downstream rate limit for a STA.

- Modifying a traffic profile
  1. Choose WLAN > Service Set > Traffic Profile. The Traffic Profile tab page is
     displayed.
  2. In the Traffic Profile area, click of a traffic profile.
  3. In the Modify Traffic Profile dialog box that is displayed, modify parameters
     described in Table 3-114.
  4. Click OK.
- Deleting a traffic profile
  1. Choose WLAN > Service Set > Traffic Profile. The Traffic Profile tab page is
     displayed.
  2. In the Traffic Profile area, select a traffic profile and click Delete.
  3. In the Information dialog box that is displayed, click OK.
- Searching for traffic profiles
  1. Choose WLAN > Service Set > Traffic Profile. The Traffic Profile tab page is
     displayed.
  2. In the Traffic Profile area, click Search. Traffic profiles matching the search criteria
     are displayed. You can view, modify, and delete the traffic profiles.
----End

3.8.5.3 Security Profile


This section describes how to add, modify, and delete a security profile in Security Profile.

Context
When configuring WLAN services, the administrator needs to bind the security profile to the
service set. This ensures secure access of STAs. You can query, create, modify, and delete a
security profile.

NOTE

If Authentication policy, Authentication mode, and Encryption mode are set to WEP, OPEN-SYSTEM, and
NONE respectively, users can access the WLAN without authentication. The settings bring security risks, and
therefore are not recommended. If the settings are required, configure the Portal security policy to enhance
security.


Procedure
- Querying a security profile
  1. Choose WLAN > Service Set > Security Profile.

     Figure 3-141 Security Profile

  2. In the Security Profile area, view all existing security profiles. You can set Search,
     enter a keyword, and click Go to search for a security profile.
- Creating a security profile
  1. Choose WLAN > Service Set > Security Profile.
  2. In the Security Profile area, click Create. In the Create Security Profile dialog box
     that is displayed, set parameters described in Table 3-115.
  3. Click OK.

If the security profile is displayed in the security profile list, the profile is created.

Table 3-115 Parameters for creating a security profile

Parameter Description

Security profile name: Name of the security profile that needs to be created. This parameter is
mandatory.
This parameter cannot be modified when modifying a security profile.

Authentication policy: Authentication policy for the security profile that needs to be
configured. This parameter is mandatory.

PTK periodic update: Enable or disable periodic PTK update in WPA or WPA2 authentication and
encryption.


Update interval: The interval for updating PTKs in WPA or WPA2 authentication and encryption.

Authentication mode: Authentication mode for the security profile that needs to be configured.
This parameter is mandatory.

Encryption mode: Encryption mode of the security profile that needs to be configured. This
parameter is mandatory.

Password type: Password type of the security profile that needs to be configured.
NOTE
The password type of the security profile is mandatory only when a password needs to be set.

Password: Password of the security profile that needs to be configured.
NOTE
The password of the security profile is mandatory only when a password needs to be set.

Confirm password: The value must be the same as the value of Password.

Index: Select the password index of the security profile that needs to be configured.
When selecting the WEP encryption mode, set parameters and click Add to List.

- Modifying a security profile
  1. Choose WLAN > Service Set > Security Profile.
  2. In the Security Profile area, click corresponding to a security profile to be modified.
  3. In the Modify Security Profile dialog box that is displayed, set parameters described
     in Table 3-115.
  4. Click OK.
- Deleting a security profile
  1. Choose WLAN > Service Set > Security Profile.
  2. In the Security Profile area, select a security profile, and click Delete.

     If the security profile is removed from the security profile list, the profile is deleted.

----End
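
One way to review an exported configuration against the two notes above (the open-access combination in the NOTE of this section and the 802.11n restrictions in Table 3-113), as an added example that is not part of the Huawei guide. The record layout, field names, severity labels and the sample inventory (including the PSK, 802.1X and CCMP values and the 802.11g radio type) are hypothetical and constructed for the illustration; the device does not export this format.

```python
# Combination the NOTE in 3.8.5.3 describes as access without authentication:
# (Authentication policy, Authentication mode, Encryption mode)
OPEN_ACCESS = ("WEP", "OPEN-SYSTEM", "NONE")


def audit_service_sets(service_sets, security_profiles):
    """Return (service_set, severity, finding) tuples in service-set order."""
    findings = []
    for ss in service_sets:
        profile = security_profiles.get(ss["security_profile"])
        if profile is None:
            # A service set that references a profile missing from the export
            findings.append((ss["name"], "error", "unknown-security-profile"))
            continue
        policy = profile["policy"].upper()
        mode = profile["auth_mode"].upper()
        encryption = profile["encryption"].upper()

        if (policy, mode, encryption) == OPEN_ACCESS:
            if ss.get("portal"):
                # The guide's fallback: open access is only acceptable behind Portal
                findings.append((ss["name"], "review", "open-access-behind-portal"))
            else:
                findings.append((ss["name"], "risk", "open-access-no-authentication"))

        if ss.get("radio_type", "").lower() == "802.11n":
            if policy == "WEP":
                findings.append((ss["name"], "invalid", "wep-on-802.11n-radio"))
            if policy in ("WPA", "WPA2") and encryption == "TKIP":
                findings.append((ss["name"], "invalid", "tkip-on-802.11n-radio"))
    return findings


# Constructed sample inventory (hypothetical names and layout)
SAMPLE_PROFILES = {
    "guest-open": {"policy": "WEP", "auth_mode": "OPEN-SYSTEM", "encryption": "NONE"},
    "legacy-tkip": {"policy": "WPA", "auth_mode": "PSK", "encryption": "TKIP"},
    "corp": {"policy": "WPA2", "auth_mode": "802.1X", "encryption": "CCMP"},
}
SAMPLE_SERVICE_SETS = [
    {"name": "guest", "security_profile": "guest-open", "radio_type": "802.11n", "portal": False},
    {"name": "lobby", "security_profile": "guest-open", "radio_type": "802.11g", "portal": True},
    {"name": "scanner", "security_profile": "legacy-tkip", "radio_type": "802.11n", "portal": False},
    {"name": "staff", "security_profile": "corp", "radio_type": "802.11n", "portal": False},
    {"name": "orphan", "security_profile": "missing", "radio_type": "802.11n", "portal": False},
]

if __name__ == "__main__":
    for name, severity, finding in audit_service_sets(SAMPLE_SERVICE_SETS, SAMPLE_PROFILES):
        print(f"{severity:8} {name:8} {finding}")
```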


3.8.5.4 ESS Interface


This section describes how to add, modify, delete, and query an ESS interface in ESS
Interface.

Context
A VAP is a functional entity on an AP. Multiple VAPs can be created on an AP to provide access
services for different STAs. To differentiate VAPs that different STAs associate with, you must
create a dynamic interface for each VAP. Additionally, to speed up the configuration, you need
to use a profile to create multiple dynamic interfaces simultaneously. WLAN-DBSS interfaces
and WLAN-ESS interfaces are developed to solve the preceding problems.

Each VAP maps a WLAN-DBSS interface on an AC. A WLAN-DBSS interface is a virtual
Layer 2 interface and similar to a hybrid Layer 2 Ethernet interface. It has Layer 2 attributes and
supports network access control (NAC). A WLAN-DBSS interface inherits the attributes of its
WLAN-ESS interface. An AC dynamically creates a WLAN-DBSS interface on a WLAN-ESS
interface for each VAP and deletes the WLAN-DBSS interface when the VAP becomes invalid.

A WLAN-ESS interface is a profile used to configure attributes for WLAN-DBSS interfaces.
All the WLAN-DBSS interfaces belonging to the same WLAN-ESS interface have the same
attributes.
- When a service set bound to a WLAN-ESS interface is bound to a radio, a WLAN-DBSS
  interface is automatically created and inherits the configuration of the WLAN-ESS
  interface.
- When the service set bound to a radio is deleted, the created WLAN-DBSS interface is also
  deleted.

You can create, modify, delete, and query extended service set (ESS) interfaces using the web
platform.

Procedure
- Creating an ESS interface
  1. Choose WLAN > Service Set > ESS Interface. The ESS Interface tab page is
     displayed.

     Figure 3-142 ESS Interface

  2. In the ESS Interface area, click Create. In the Create ESS Interface dialog box that
     is displayed, set parameters described in Table 3-116.
  3. Click OK.

Table 3-116 Parameters for creating an ESS interface

Parameter Description

ESS interface ID: Number of an ESS interface.

Description: Interface description.

Authentication mode/Authentication mode2/Authentication mode3: Authentication method on the
interface.

User name format: Format of the user name for MAC address authentication.

MAC address type: When User name format is set to MAC address for MAC address authentication,
the MAC address can be with or without hyphens (-), for example, 0005-e01c-02e3 or
0005e01c02e3.

User name: Fixed user name used for MAC address authentication.

Password: Password used for MAC address authentication.

Confirm password: Confirm password used for MAC address authentication.

Reauthentication: Whether to enable or disable the reauthentication function.

Reauthentication time (s): Re-authentication interval.

Server Profile: Service profile used for Portal authentication.


Permit VLAN: Permitted VLANs on ESS interfaces.

Permit domain: Name of a permitted domain for WLAN users.

l Modifying an ESS interface


1. Choose WLAN > Service Set > ESS Interface. The ESS Interface tab page is
displayed.

2. In the ESS Interface area, click of an ESS interface.


3. In the Modify WLAN ESS Interface dialog box that is displayed, modify parameters
described in Table 3-116. Parameter ESS Interface ID cannot be modified.

4. Click OK.
- Deleting an ESS interface
1. Choose WLAN > Service Set > ESS Interface. The ESS Interface tab page is
displayed.
2. In the ESS Interface area, select an ESS interface and click Delete. In the
Information dialog box that is displayed, click OK.
- Searching for ESS interfaces
1. Choose WLAN > Service Set > ESS Interface. The ESS Interface tab page is
displayed.
2. In the ESS Interface area, set Search and click Go. ESS interfaces matching the
search criteria are displayed. You can view, modify, and delete the ESS interfaces.

----End

3.8.5.5 STA Blacklist/Whitelist Profile


This section describes how to add, modify, and delete a service set in STA Blacklist/Whitelist
Profile.

Context
STA blacklist and whitelist functions allow authorized STAs to connect to the WLAN and reject
access from unauthorized STAs.
- A whitelist contains MAC addresses of STAs that are allowed to connect to a WLAN. After
the whitelist function is enabled, only the STAs in the whitelist can connect to the WLAN,
and access from other STAs is rejected.
- A blacklist contains MAC addresses of STAs that are not allowed to connect to a WLAN.
After the blacklist function is enabled, STAs in the blacklist cannot connect to the WLAN,
and other STAs can connect to the WLAN.

When the blacklist or whitelist function is configured on a VAP, you must bind the STA blacklist
or whitelist profile to the service set after you configure the blacklist or whitelist in the profile.

The device supports the configuration of the STA blacklist or whitelist function for an AP or a VAP.
If both an AP and a VAP are configured with the blacklist or whitelist function, a STA can connect
to the WLAN only when it is permitted by the configuration on both the AP and the VAP. To
configure a blacklist or whitelist based on an AP, see 3.8.11.4 STA Blacklist/Whitelist.

If the whitelist or blacklist is empty, all STAs can connect to the WLAN.

The configurations of STA blacklist and whitelist profiles are the same. The following describes
the configuration of STA whitelist profile as an example.
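
The admission rules above (both the AP-level and the VAP-level list must permit a STA, and an empty list restricts nothing) can be modelled and audited offline. The following is an added example, not Huawei code; `ListBinding`, `sta_permitted`, `audit` and the AP/VAP names are hypothetical, and the MAC addresses are constructed sample values.

```python
import re
from dataclasses import dataclass, field


def norm_mac(mac: str) -> str:
    """Reduce a MAC in any common notation to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class ListBinding:
    """A blacklist or whitelist as bound to one AP or one VAP (hypothetical model)."""
    mode: str = "none"                      # "whitelist", "blacklist" or "none"
    macs: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.mode not in ("whitelist", "blacklist", "none"):
            raise ValueError(f"unknown mode: {self.mode}")
        self.macs = frozenset(norm_mac(m) for m in self.macs)

    def permits(self, mac: str) -> bool:
        # Rule from the guide: an empty whitelist or blacklist restricts nothing.
        if self.mode == "none" or not self.macs:
            return True
        listed = norm_mac(mac) in self.macs
        return listed if self.mode == "whitelist" else not listed


def sta_permitted(mac: str, ap: ListBinding, vap: ListBinding) -> bool:
    """A STA connects only when both the AP-level and the VAP-level list permit it."""
    return ap.permits(mac) and vap.permits(mac)


def audit(ap_name: str, ap: ListBinding, vaps: dict) -> list:
    """Return findings for one AP and its VAP bindings ({vap_name: ListBinding})."""
    findings = []
    # An enabled but empty whitelist admits everyone, which is rarely the intent.
    for name, binding in [(ap_name, ap), *vaps.items()]:
        if binding.mode == "whitelist" and not binding.macs:
            findings.append(f"{name}: whitelist is empty, so every STA is admitted")
    # A VAP whitelist entry that the AP-level list blocks can never connect.
    for name, vap in vaps.items():
        if vap.mode != "whitelist":
            continue
        for mac in sorted(vap.macs):
            if not ap.permits(mac):
                findings.append(f"{name}: {mac} is whitelisted here but blocked by {ap_name}")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration.
    ap = ListBinding("blacklist", {"60de-4474-9680"})
    vaps = {
        "vap-staff": ListBinding("whitelist", {"60de-4474-9640", "60:DE:44:74:96:80"}),
        "vap-guest": ListBinding("whitelist", set()),
    }
    for finding in audit("ap-1", ap, vaps):
        print(finding)
```
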

Procedure
- Querying a STA whitelist profile
1. Choose WLAN > Service Set > STA Blacklist/Whitelist Profile.

Figure 3-143 STA Blacklist/Whitelist Profile

2. In the STA Whitelist Profile area, view all existing STA whitelist profiles. You can
enter a keyword, and click Search to search for a STA whitelist profile.
- Creating a STA whitelist profile
1. Choose WLAN > Service Set > STA Blacklist/Whitelist Profile.
2. In the STA Whitelist Profile area, click Create. In the Create STA Whitelist
Profile dialog box that is displayed, set parameters described in Table 3-117.

3. Click OK.

If the STA whitelist profile is displayed in the STA whitelist profile list, the profile is
created.

Table 3-117 Parameters for creating a STA whitelist profile

Parameter: Profile name
Description: Name of a STA whitelist profile, which is mandatory. This parameter cannot be modified.

Parameter: New method
Description:
- Manually create: enter the MAC address of a STA and add it to the list.
- Import from local file: configure STAs' MAC addresses in a local file and import the local
  file to the web page. Then, add the MAC addresses to the list in a batch.
  NOTE
  If the message "Your browser's security settings are too high to complete this process. See
  the help menu for instructions on adjusting your security settings." is displayed during file
  upload, configure Internet Explorer as follows:
  - Versions earlier than IE10: choose Tools > Internet Options > Security > Custom Level and
    click Enable or Prompt next to Initialize and script ActiveX controls not marked as safe
    for scripting. If you click Enable, the file can be uploaded directly. If you click Prompt,
    the message "An ActiveX control on this page might be unsafe to interact with other parts
    of the page. Do you want to allow this interaction?" is displayed. If you click Yes, the
    file can be uploaded.
  - IE10 and later versions: choose Tools > Internet Options > Security > Custom Level and
    click Enable next to Include local directory path when uploading files to a server.
  The file is in .txt format. Each row provides one MAC address. For example:
  60de-4474-9640
  60de-4474-9680
  dcd2-fc9a-2110

Parameter: MAC address
Description: MAC address of the STA for which a whitelist needs to be created. To add a MAC
address, enter a MAC address and click .

Parameter: File name
Description: Click Browse, select a local file, and click OK. STAs are added to the whitelist.

- Modifying a STA whitelist profile
1. Choose WLAN > Service Set > STA Blacklist/Whitelist Profile.

2. In the STA Whitelist Profile area, click corresponding to a STA whitelist profile
to be modified.
3. In the Modify STA Whitelist Profile dialog box that is displayed, set parameters
described in Table 3-117.
4. Click OK.
- Deleting a STA whitelist profile
1. Choose WLAN > Service Set > STA Blacklist/Whitelist Profile.
2. In the STA Whitelist Profile area, select a STA whitelist profile, and click Delete.
In the Information dialog box that is displayed, click OK.

If the STA whitelist profile is removed from the STA whitelist profile list, the profile
is deleted.

----End
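
Table 3-117 describes the import file only as a .txt file with one MAC address per row. The following added example (not Huawei code) prepares such a file from an inventory that mixes notations, rejecting rows that cannot be a STA address and flagging locally administered addresses. The function names and the sample rows are constructed, and the assumption is that the device expects exactly the xxxx-xxxx-xxxx notation shown in the guide's example.

```python
import re


def to_import_format(raw: str) -> str:
    """Convert one MAC in a common notation to the xxxx-xxxx-xxxx form of the guide's example."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def build_import_file(lines):
    """Return (file_text, rejected, warnings) for an iterable of inventory rows.

    rejected: (line_no, original_text, reason) for rows left out of the file.
    warnings: (line_no, mac, reason) for rows kept but worth a second look.
    """
    accepted, rejected, warnings = [], [], []
    seen = set()
    for line_no, line in enumerate(lines, start=1):
        text = line.strip()
        if not text:
            continue
        try:
            mac = to_import_format(text)
        except ValueError as exc:
            rejected.append((line_no, text, str(exc)))
            continue
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:
            # The I/G bit marks multicast/broadcast; a station never owns such an address.
            rejected.append((line_no, text, "group address, never a STA's own address"))
            continue
        if mac in seen:
            rejected.append((line_no, text, "duplicate entry"))
            continue
        if first_octet & 0x02:
            # The U/L bit marks locally administered addresses, typical of MAC randomization.
            warnings.append((line_no, mac, "locally administered address (often a randomized MAC)"))
        seen.add(mac)
        accepted.append(mac)
    file_text = "".join(mac + "\n" for mac in accepted)
    return file_text, rejected, warnings


# Constructed sample inventory: mixed notations, a duplicate, a multicast address,
# a locally administered address, a truncated entry and a comment row.
SAMPLE = """\
60de-4474-9640
60:DE:44:74:96:80
dcd2fc9a2110
60DE.4474.9640
01-00-5e-00-00-fb
da:a1:19:00:00:01
60de-4474-96
# lab printer
"""

if __name__ == "__main__":
    text, rejected, warnings = build_import_file(SAMPLE.splitlines())
    print(text, end="")
    for item in rejected + warnings:
        print(item)
```

A whitelist entry flagged as locally administered deserves a check against the actual device, because a STA that randomizes its MAC address per network will not keep matching the entry.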

3.8.6 WDS Profile


This section describes how to configure parameters of the WDS profile and view information
about WDS virtual links.

WDS Introduction
A WDS connects two or more wired or wireless LANs wirelessly to establish a large network.

On a traditional WLAN, APs exchange data with STAs using wireless channels and connect to
a wired network through uplinks. To expand the coverage area of a wireless network, APs need
to be connected by switches. This deployment requires high costs and takes a long time. In some
places, such as subways, tunnels, and docks, it is difficult to connect APs to the Internet through
wired links. WDS technology can connect APs wirelessly in these places, which reduces network
deployment costs, makes the network easy to expand, and allows flexible networking.

WDS Concepts

Figure 3-144 WDS networking
[Diagram not reproduced. Labels: WDS network; AP3 (leaf), AP2 (middle), AP1 (root); AC; Internet; Switch; STA; LAN; PC; STA VAP: VAP13; AP VAP: VAP12; VAP0; root wired interface; endpoint wired interface; legend: wireless virtual link.]

- Service VAP: On a traditional WLAN, an AP is a physical entity that provides WLAN
  services to STAs. A service virtual access point (VAP) is a logical entity that provides
  access service for users. Multiple VAPs can be created on an AP to provide access service
  for multiple user groups. As shown in Figure 3-144, VAP0 created on AP3 is a service
  VAP.
- Bridge VAP: On a WDS network, an AP is a physical entity that provides WDS service
  for neighboring devices. The bridge VAP is a logical entity that provides WDS service.
  Bridge VAPs include AP VAPs and STA VAPs. AP VAPs provide connections for STA
  VAPs. As shown in Figure 3-144, VAP13 created on AP3 is a STA VAP, and VAP12
  created on AP2 is an AP VAP.
- Wireless virtual link: a connection set up between a STA VAP and an AP VAP on
  neighboring APs. As shown in Figure 3-144, connections set up between AP1, AP2, and
  AP3 are wireless virtual links.
- AP working mode: Depending on its location on a WDS network, an AP can work in root,
  middle, or leaf mode, as shown in Figure 3-144.
  - Root: The AP directly connects to an AC through a wired link and uses an AP VAP to
    set up wireless virtual links with a STA VAP.
  - Middle: The AP uses a STA VAP to connect to an AP VAP on an upstream AP and
    uses an AP VAP to connect to a STA VAP on a downstream AP.
  - Leaf: The AP uses a STA VAP to connect to an AP VAP on an upstream AP.
- Working mode of an AP's wired interface: On a WDS network, an AP's wired interface can
  connect to either an upstream wired network or a downstream user host or LAN. Depending
  on an AP's location, a wired interface works in root or endpoint mode.
  - Root: The wired interface connects to an upstream wired network.
  - Endpoint: The wired interface connects to a downstream user host or LAN.

NOTE
On a WDS network, one wired interface must work in root mode to connect to the wired network.

WDS Network Architecture


A WDS network can be deployed in point-to-point or point-to-multipoint mode.
- Point-to-point deployment
As shown in Figure 3-145, AP1 sets up wireless virtual links with AP2 to provide wireless
access service for users.

Figure 3-145 Point-to-point WDS deployment
[Diagram not reproduced. Labels: AP1, AP2, Switch, AC, Internet, STA, LAN, PC; legend: wireless virtual link.]

- Point-to-multipoint deployment
As shown in Figure 3-146, AP1, AP2, and AP3 set up wireless virtual links with AP4. Data
from all STAs associating with AP1, AP2, and AP3 is forwarded by AP4.

Figure 3-146 Point-to-multipoint WDS deployment
[Diagram not reproduced. Labels: AP1, AP2, AP3, AP4, AC, Internet, STA, LAN, PC; legend: wireless virtual link.]

WDS Configuration Process


Figure 3-147 shows the bindings between profiles and a radio during the WDS configuration.
Learn about the bindings before configuring WDS.

Figure 3-147 WDS configuration process
[Flowchart not reproduced. Boxes, top to bottom:]
- Create a WMM profile; create a radio profile; create a security profile; create a bridge profile.
- Bind the WMM profile to the radio profile; bind the security profile to the bridge profile.
- Configure a radio.
- Bind the radio profile to the radio; bind the bridge profile to the radio.
- Configure the bridge working mode.
- Complete the WDS configuration.

3.8.6.1 Bridge Profile


On the Bridge Profile page, you can configure and modify bridge profile parameters.

Context
A bridge profile contains the parameters of WVLs between APs. After a bridge profile is bound
to a radio, the radio has all attributes of the bridge profile and a bridge VAP is automatically
created. The radio uses different VAP parameters to set up and maintain WVLs between APs.

A bridge profile in the WDS has the same function as a service set in traditional WLAN services.
A bridge profile is bound to a specified AP radio to create a bridge VAP. Bridge VAPs include
AP VAPs and STA VAPs.

As shown in Figure 3-148, when a bridge VAP is created, VAPs 12, 13, 14, and 15 are generated.
Among these VAPs, VAP 14 and VAP 15 are reserved. VAP 12 is an AP VAP and VAP 13 is
a STA VAP.

Figure 3-148 WDS bridge VAP
[Diagram not reproduced. Labels: AP3 (leaf), AP2 (middle), AP1 (root), AC, Internet; VAP13 (STA VAP) and VAP12 (AP VAP), each shown twice; legend: wireless virtual link.]

Procedure
- Creating a bridge profile
1. Choose WLAN > WDS Profile > Bridge Profile.

Figure 3-149 WDS Profile List

2. In the WDS Profile area, click Create.

3. In the Create Bridge Profile dialog box that is displayed, set parameters described
in Table 3-118.
4. Click OK.

Table 3-118 Parameters for creating a bridge profile

Parameter: Bridge profile name
Description: Name of a bridge profile.

Parameter: Bridge name
Description: Name of a bridge. On a WDS network, connections between bridges are
established using the bridge name.

Parameter: Security profile
Description: Security profile that a bridge profile is bound to.
NOTE
The security profile bound to a bridge profile must be WPA2+PSK+CCMP.
See 3.8.5.3 Security Profile for description of security profile parameters.

Parameter: Tagged VLAN
Description: A bridge is added to a VLAN or a group of VLANs in tagged mode.
To add a bridge to a VLAN, enter a VLAN ID in the Tagged VLAN text box, and click . If the
VLAN ID is displayed in the text box below the Tagged VLAN text box, the bridge is added to
the VLAN.
To delete a VLAN, enter a VLAN ID in the Tagged VLAN text box, and click . If the VLAN ID
is removed from the text box below the Tagged VLAN text box, the VLAN is deleted.
NOTE
In the example, 1-3,5,7,9 indicates VLANs 1, 2, 3, 5, 7, and 9. 1-3 indicates VLANs 1 to 3.

- Modifying a bridge profile
1. Choose WLAN > WDS Profile > Bridge Profile.

2. In the WDS Profile area, click corresponding to a bridge profile.

3. In the Modify Bridge dialog box that is displayed, set parameters described in Table
3-118.
4. Click OK.
- Deleting a bridge profile
1. Choose WLAN > WDS Profile > Bridge Profile.
2. In the WDS Profile area, select a bridge profile, and click Delete. In the
Information dialog box that is displayed, click OK.
- Refreshing bridge profile information
1. Choose WLAN > WDS Profile > Bridge Profile.
2. In the WDS Profile area, click Refresh.
- Searching for a bridge profile
1. Choose WLAN > WDS Profile > Bridge Profile.
2. In the WDS Profile area, set Search, enter a keyword, and click Go.
NOTE
Fuzzy match is supported. For example, if you enter the keyword P, all profile names that
contain P are displayed.

----End

3.8.6.2 Bridge Whitelist


You can configure a bridge whitelist to control AP access to the WDS network.

Context
A bridge whitelist contains MAC addresses of neighboring APs that can connect to a bridge. If
the whitelist is used, only neighboring APs with MAC addresses in the whitelist can connect to
the bridge. On WDS networks, the whitelist can be configured only on root APs or middle APs.

NOTE

- WVLs can be established only when neighboring APs with MAC addresses in the whitelist succeed in
authentication.
- If the bridge uses no whitelist, all the neighboring APs can connect to the bridge.

Procedure
- Creating a bridge whitelist
1. Choose WLAN > WDS Profile > Bridge Whitelist.

Figure 3-150 Bridge Whitelist List

2. In the Bridge Whitelist area, click Create.

3. In the Create Bridge Whitelist dialog box that is displayed, set parameters described
in Table 3-119.
4. Click OK.

Table 3-119 Parameters for creating a bridge whitelist

Parameter: Whitelist name
Description: Name of a bridge whitelist.

Parameter: MAC address
Description: MAC addresses of the neighboring APs that are allowed to access the bridge.
To add a MAC address to the bridge whitelist, enter a MAC address in the MAC Address text
box, and click . If the MAC address is displayed in the text box below the MAC Address text
box, the MAC address is added to the bridge whitelist.
To delete a MAC address from the bridge whitelist, enter a MAC address in the MAC Address
text box, and click . If the MAC address is removed from the text box below the MAC Address
text box, the MAC address is deleted from the bridge whitelist.

- Modifying a bridge whitelist
1. Choose WLAN > WDS Profile > Bridge Whitelist.

2. In the Bridge Whitelist area, click corresponding to a bridge whitelist.

3. In the Modify Bridge Whitelist dialog box that is displayed, set parameters described
in Table 3-119.
4. Click OK.
- Deleting a bridge whitelist
1. Choose WLAN > WDS Profile > Bridge Whitelist.
2. In the Bridge Whitelist area, select a bridge profile, and click Delete. In the
Information dialog box that is displayed, click OK.
- Refreshing a bridge whitelist
1. Choose WLAN > WDS Profile > Bridge Whitelist.
2. In the Bridge Whitelist area, click Refresh.
- Searching for a bridge whitelist
1. Choose WLAN > WDS Profile > Bridge Whitelist.
2. In the Bridge Whitelist area, set Search, enter a keyword, and click Go.
NOTE
Fuzzy match is supported. For example, if you enter the keyword P, all whitelist names that
contain P are displayed.

----End

3.8.6.3 WVL Information


The WVL Information page displays WDS link information.

Context
After configuring the WDS, choose WLAN > AP Info and restart the root AP. Root AP restarting
takes about 10 minutes. After the root AP restarts, you can view wireless virtual link (WVL)
information.

Procedure
- Searching for WVL information
1. Choose WLAN > WDS Profile > WVL Information.

Figure 3-151 WVL Information

2. In the Wireless Virtual Link area, set Search, enter a keyword, and click Go. Table
3-120 describes WVL parameters.
NOTE
Fuzzy match is supported. For example, if you enter the keyword P, all AP IDs that
contain P are displayed.

Table 3-120 WVL parameters

| Parameter | Description |
|---|---|
| AP ID | ID of the bridge AP on the WDS network. |
| AP Name | Name of the bridge AP on the WDS network. |
| AP MAC | MAC address of the local bridge AP. |
| Radio Type | Radio frequency of the WVL. |
| Bridge-link ID | Bridge ID of the WVL. |
| WLAN ID | VAP ID of the WVL. |
| Peer MAC | MAC address of the AP that connects to the local bridge AP through a WVL. |

- Refreshing WVL information
1. Choose WLAN > WDS Profile > WVL Information.
2. In the Wireless Virtual Link area, click Refresh.
----End

3.8.7 Mesh Profile


This section describes how to configure parameters of the Mesh profile and view information
about Mesh virtual links.

3.8.7.1 Mesh Profile


In the Mesh Profile page, you can configure and modify Mesh profile parameters.

Context
On a traditional WLAN, APs exchange data with STAs using wireless channels and connect to
a wired network through uplinks. If no wired network is available for WLAN construction, a
wired network must be constructed first, which is both time- and money-consuming. If the
positions of some APs on a WLAN need to be adjusted, the wired network must be adjusted
accordingly, which makes network adjustment more difficult. With Mesh technology, APs can
connect to each other wirelessly, which allows flexible networking and quick network deployment
and facilitates dynamic expansion of network coverage.

As shown in Figure 3-152, APs on a Mesh network can be sorted into the following types based
on functions:

- Mesh Point (MP): It is a mesh-capable node that uses IEEE 802.11 MAC and physical layer
protocols for wireless communication. This node supports automatic topology discovery,
automatic route discovery, and data packet forwarding. MPs can provide both mesh service
and user access service.
- Mesh Portal Point (MPP): It is an MP that connects the Mesh network to networks of other
types. This node has the portal function and can help mesh nodes communicate with
external networks.

Figure 3-152 Networking diagram
[Diagram not reproduced. Labels: MPP, MP1, MP2, MP3, MP4, LAN, AC, STA1, STA2, STA3; legend: Mesh link, User access.]

A Mesh profile contains the attributes of Mesh links set up between MPs. After a Mesh profile
is bound to a radio, the radio has all attributes of the Mesh profile and automatically creates a
Mesh VAP. The radio uses different VAP parameters to set up and maintain the Mesh links
between MPs.

A Mesh profile has a function similar to that of the service set in the traditional WLAN service. It
can be bound to the specified AP radio to create a Mesh VAP.

Procedure
- Creating a Mesh profile
1. Choose WLAN > Mesh Profile > Mesh Profile to display the Mesh Profile page.

Figure 3-153 Mesh Profile

2. On the Mesh Profile page, click Create. On the Create Mesh Profile page that is
displayed, set the parameters. For description of the parameters, see Table 3-121.

3. Click OK to complete the configuration.

Table 3-121 Parameters for creating a Mesh profile

| Parameter | Description |
|---|---|
| Profile name | Specifies the name of a Mesh profile. |
| Mesh ID | Specifies the ID of a Mesh profile. By default, the Mesh ID is configured as huaweimesh. |
| Security profile | Binds a security profile to the specified Mesh profile. NOTE: Currently, the security profile bound to a mesh profile must be configured as WPA2+PSK+CCMP. |
| Maximum connection count | Specifies the maximum number of links allowed by an MP. |
| RSSI threshold (dBm) | Specifies the threshold of signal strength received by a Mesh link. |
| Link report interval (s) | Sets the interval at which an MP reports the Mesh link information to the AC. |

- Modifying a Mesh profile
1. Choose WLAN > Mesh Profile > Mesh Profile to display the Mesh Profile page.

2. Click the icon next to the Mesh profile details on the Mesh Profile page.
3. On the Modify Mesh Profile page, re-enter or reselect the parameters. For description
of the parameters, see Table 3-121.

4. Click OK to save the parameter settings.


- Deleting a Mesh profile
1. Choose WLAN > Mesh Profile > Mesh Profile to display the Mesh Profile page.
2. On the Mesh Profile page, select the Mesh profile and click Delete.
3. Click OK in the displayed dialog box to delete the selected Mesh profile.
- Refreshing Mesh profile information
1. Choose WLAN > Mesh Profile > Mesh Profile to display the Mesh Profile page.
2. In the Mesh Profile area, click Refresh.
- Searching for a Mesh profile
1. Choose WLAN > Mesh Profile > Mesh Profile to display the Mesh Profile page.
2. Set Search, enter the corresponding keywords, and click Go to search for the Mesh
profile. After the Mesh profile is found, you can view, modify, or delete it.

----End

3.8.7.2 Mesh WhiteList


You can configure a Mesh whitelist to control AP access to the Mesh network.

Context
A Mesh whitelist contains MAC addresses of neighboring MPs that are allowed to connect to
an MP. After a Mesh whitelist is bound to an MP radio, only neighboring MPs with the MAC
addresses in the whitelist can connect to the MP.
NOTE
If the Mesh whitelist contains no entry, no neighboring MPs can connect to the MP.

Procedure
- Creating a Mesh whitelist

1. Choose WLAN > Mesh Profile > Mesh Whitelist to display the Mesh Whitelist
page.

Figure 3-154 Mesh WhiteList

2. On the Mesh Whitelist page, click Create. On the Create Mesh Whitelist page that
is displayed, set the parameters. For description of the parameters, see Table 3-122.

3. Click OK to complete the configuration.

Table 3-122 Parameters for creating a Mesh whitelist

| Parameter | Description |
|---|---|
| Whitelist name | Specifies the name of a Mesh whitelist. |
| Mac address | Specifies the MAC addresses of neighboring MPs to be added to the Mesh whitelist. |

- Modifying a Mesh whitelist
1. Choose WLAN > Mesh Profile > Mesh Whitelist to display the Mesh Whitelist
page.

2. Click the icon next to the Mesh profile details in Mesh Whitelist.
3. On the Modify Mesh Whitelist page, re-enter or reselect the parameters. For
description of the parameters, see Table 3-122.

4. Click OK to save the parameter settings.


- Deleting a Mesh whitelist
1. Choose WLAN > Mesh Profile > Mesh Whitelist to display the Mesh Whitelist
page.
2. On the Mesh Whitelist page, select the Mesh whitelist to be deleted and click
Delete.
3. Click OK in the displayed dialog box to delete the selected Mesh whitelist.
- Searching for a Mesh whitelist
1. Choose WLAN > Mesh Profile > Mesh Whitelist to display the Mesh Whitelist
page.
2. Enter the name of the Mesh whitelist to be searched for in WhiteList name and click
Search to search for the Mesh whitelist. After the Mesh whitelist is found, you can
view, modify, or delete it.

----End

3.8.7.3 WVL Information


The WVL Information page displays Mesh link information.

Procedure
- Viewing WVL information
1. Choose WLAN > Mesh Profile > WVL Information to display the Wireless Virtual
Link page.

Figure 3-155 WVL Information

2. Select AP ID, AP name, or MAC address in Search, enter the search keywords, and
click Go to search for the WVL information matching the selected search item and
entered keywords. For description of the parameters, see Table 3-123.
NOTE
The WVL information search function supports fuzzy match based on keywords. For example, if
AP ID is selected as the search item and the search keyword is P, all AP IDs that contain the letter
"P" can be found.

Table 3-123 Description of WVL parameters

| Parameter | Description |
|---|---|
| AP ID | ID of an AP on a Mesh network. |
| AP Name | Name of an AP on a Mesh network. |
| Local MAC | MAC address of a bridge AP at the local end. |
| Radio | Radio frequency of the WVL. |
| Mesh-link ID | ID of a WVL bridge. |
| WLAN ID | ID of a WVL VAP. |
| Peer MAC | MAC addresses of neighboring MPs that establish WVLs with bridge APs at the local end. |

- Refreshing WVL information
1. Choose WLAN > Mesh Profile > WVL Information to display the Wireless Virtual
Link page.
2. In the Wireless Virtual Link area, click Refresh.
----End

3.8.8 Load Balancing


Load balancing can evenly distribute user traffic to different APs to ensure high performance
and bandwidth for each STA.

3.8.8.1 Static Load Balancing Group


This section describes configuration of a static load balancing group.

Context
The capabilities of an AP are limited. If a large number of STAs exist in a hotspot area, the
carrier deploys multiple APs in this area to meet requirements of the STAs. To prevent uneven
loads on APs, add these APs to a load balancing group. Pay attention to the following
information:
- A radio can join only one load balancing group.
- AP radios in a load balancing group work in different channels.
- Member radios in a load balancing group must be of the same type.
- Each load balancing group supports a maximum of three APs.

Procedure
- Creating a static load balancing group
1. Log in to the web platform, and choose WLAN > Load Balancing > Static Load
Balancing Group.

2. In the Load Balancing Group area, click Create. In the Create Load Balancing
Group dialog box that is displayed, set parameters described in Table 3-124.

3. Click OK.

Table 3-124 Parameters for creating a load balancing group

Parameter: Group name
Description: Name of a static load balancing group, which is a string of 1 to 31 characters.

Parameter: Load balancing mode
Description: Load balancing mode. The value can be Session mode or Traffic mode.
- Session mode: The load of the radio is determined by the number of STAs associated with
  the radio.
- Traffic mode: The load of a radio is determined by the traffic on the radio including the
  upstream and downstream Ethernet packets. The AP reports the traffic on the radio at a
  specified interval, for example, 30 seconds.

Parameter: Gap threshold(%)
Description: Gap threshold that is compared with the load value calculated using the load
balancing algorithm. The load is determined using the following algorithms:
- Traffic-based load balancing algorithms: Calculate the load values of all members to get
  the maximum and minimum values: (Current traffic volume of the radio/Current maximum
  rate of the radio) x 100%. Calculate the difference between the maximum and minimum
  values: Maximum value - Minimum value. Compare the difference with the threshold. If the
  difference between the maximum and minimum values is smaller than or equal to the
  threshold, load balancing is enabled. If the difference between the maximum and minimum
  values is larger than the threshold, load balancing is disabled.
- Session-based load balancing algorithms: Calculate the load values of all members to get
  the maximum and minimum values: (Current traffic volume of the radio/Current maximum
  rate of the radio) x 100%. Calculate the difference between the maximum and minimum
  values: Maximum value - Minimum value. Compare the difference with the threshold. If the
  difference between the maximum and minimum values is smaller than or equal to the
  threshold, load balancing is enabled. If the difference between the maximum and minimum
  values is larger than the threshold, load balancing is disabled.

Parameter: Maximum number of association requests
Description: Maximum number of associations of the load balancing group, which ranges
from 1 to 30. The default value is 6.
When the load is unbalanced in a load balancing group, the AC rejects the APs with heavier
STA association loads. However, when the number of STA associations exceeds the maximum
value, the AP can connect to the AC.

Parameter: Radio
Description: Radio on which load balancing is performed.

Parameter: AP region
Description: AP region in which load balancing is performed.
APs in the load balancing group must be in the same AP region.

Parameter: Select AP
Description: Adds APs to or removes APs from a load balancing group. The procedures are as
follows:
- Adding APs to the load balancing group: Select APs in the available AP list, and click to
  add the APs to the selected AP list.
- Removing APs from the load balancing group: Select APs in the selected AP list, and click
  to remove the APs back to the available AP list.

• Modifying a static load balancing group
1. Log in to the web platform, and choose WLAN > Load Balancing > Static Load
Balancing Group.
2. In the Load Balancing Group area, select a static load balancing group and click
.
3. In the Modify Load Balancing Group dialog box that is displayed, set parameters
described in Table 3-124.
4. Click OK.
• Deleting a static load balancing group
1. Log in to the web platform, and choose WLAN > Load Balancing > Static Load
Balancing Group.

2. In the Load Balancing Group area, select a static load balancing group and click
Delete.
3. In the dialog box that is displayed, click OK.
• Updating static load balancing groups
1. Log in to the web platform, and choose WLAN > Load Balancing > Static Load
Balancing Group.
2. In the Load Balancing Group area, click Refresh. Information about static load
balancing groups is updated.
• Searching for static load balancing groups
1. Log in to the web platform, and choose WLAN > Load Balancing > Static Load
Balancing Group.
2. In the Load Balancing Group area, set Search and click Go. Static load balancing
groups matching the search criteria are displayed. You can view, modify, and delete
the static load balancing groups.

----End

3.8.8.2 Dynamic Load Balancing Group


This section describes configuration of a dynamic load balancing group.

Context
Static load balancing limits the maximum number of AP radios to 3 and allows only radios in
the same frequency band to join a load balancing group. Additionally, a load balancing group
needs to be manually specified. Dynamic load balancing is used to overcome the limitations of
static load balancing.

In dynamic load balancing mode, the AP determines whether a STA can be associated based on
the load of the dynamic load balancing group. Dynamic load balancing works as follows: A STA
sends a broadcast Probe Request frame to scan available APs. The APs that receive the Probe
Request frame report STA information to the AC. The AC adds these APs to a load balancing group,
and then uses a load balancing algorithm to determine whether to allow access from the STA.

Procedure
• Configuring dynamic load balancing
1. Log in to the web platform, and choose WLAN > Load Balancing > Dynamic Load
Balancing Group.

2. In the Dynamic Load Balancing Group area, set parameters described in Table
3-125.
3. Click Apply.

Table 3-125 Parameters for configuring dynamic load balancing

| Parameter | Description |
|---|---|
| Dynamic load balancing group function | Whether dynamic load balancing is enabled. This function is enabled when this parameter is set to Enable. |
| Load balancing mode | Load balancing mode. The value can be Session mode and Traffic mode. • Session mode: The load of the radio is determined by the number of STAs associated with the radio. • Traffic mode: The load of a radio is determined by the traffic on the radio including the upstream and downstream Ethernet packets. The AP reports the traffic on the radio at a specified interval, for example, 30 seconds. |
| User count threshold(%) | Threshold that is compared with the load value calculated using the load balancing algorithm in session mode. The load is determined using the following algorithms: • Calculate the load values of all members to get the maximum and minimum values: (Current traffic volume of the radio/Current maximum rate of the radio) x 100%. Calculate the difference between the maximum and minimum values: Maximum value - Minimum value. Compare the difference with the threshold. If the difference between the maximum and minimum values is smaller than or equal to the threshold, load balancing is enabled. If the difference between the maximum and minimum values is larger than the threshold, load balancing is disabled. |
| Traffic threshold(%) | Threshold that is compared with the load value calculated using the load balancing algorithm in traffic mode. The load is determined using the following algorithms: • (Current traffic volume of the radio/Current maximum rate of the radio) x 100%. Calculate the difference between the maximum and minimum values: Maximum value - Minimum value. Compare the difference with the threshold. If the difference between the maximum and minimum values is smaller than or equal to the threshold, load balancing is enabled. If the difference between the maximum and minimum values is larger than the threshold, load balancing is disabled. |
| Maximum number of association requests | Maximum number of associations of the load balancing group, which ranges from 1 to 30. The default value is 6. When the load is unbalanced in a load balancing group, the AC rejects the APs with heavier STA association loads. However, when the number of STA associations exceeds the maximum value, the AP can connect to the AC. |

----End

3.8.9 WIDS Configuration


This section describes how to configure parameters of the WIDS and SSID whitelist, and view
information about rogue devices, attack statistics, attack records, and dynamic blacklist.

3.8.9.1 WIDS Configuration


This section describes configuration of WIDS.

Context
WLAN networks are vulnerable to threats from rogue APs and users, ad-hoc networks, and so
on. The device supports the following mechanisms:

• WIDS: detects rogue APs, bridges, STAs, ad-hoc networks, and APs using the same
working channel.
• WIPS: disconnects authorized users from bogus APs and disconnects unauthorized STAs
and ad-hoc networks from APs.

Wireless Intrusion Detection System (WIDS) supports attack detection and can detect flood
attacks, weak IV attacks, spoofing attacks, and brute force cracking of the WPA/WPA2/WAPI
pre-shared key and the WEP shared key, and notify the network administrator of security
risks using logs, statistics, and alarms. When detecting a device that initiates flood attacks or
brute force cracking, the AC adds the device to the blacklist and rejects packets from the device
within the blacklist timeout period.

Procedure
• Querying the status of an AP configured with WIDS
1. Choose WLAN > WIDS Configuration > WIDS Configuration.

Figure 3-156 WIDS Configuration

2. In the WIDS Configuration area, view the status of an AP configured with WIDS. You
can set Search, enter a keyword, and click Go to search for an AP.
• Configuring WIDS for an AP
1. Choose WLAN > WIDS Configuration > WIDS Configuration.
2. In the WIDS Configuration area, click Create. The page for setting parameters is
displayed. Table 3-126 describes the parameters.
3. In the Select AP area, click Add. In the AP List dialog box that is displayed, select
an AP and click OK.

4. In the Select AP area, select the AP to be configured.


5. Click next to WIDS Configuration, and set parameters described in Table 3-126.

6. In the Radio Configuration area, you can configure attack detection, device
detection, and countermeasure. To configure these functions for multiple radios, click
New. Table 3-126 describes parameters of these functions.

7. Click OK. The AP configured with WIDS is displayed in the WIDS configuration
list.

Table 3-126 WIDS parameters

| Parameter | Description |
|---|---|
| Flood attack detection interval(s) | Interval for detecting flood attacks. |
| Flood attack packet count | Maximum number of packets of the same type that an AP receives within the detection period. |
| Brute force cracking detection interval(s) | Interval for detecting brute force cracking of the PSK key. |
| Brute force cracking count | Maximum number of key negotiation failures allowed by an AP within the detection period. |
| Blacklist | Dynamic blacklist enabled or disabled. |
| Blacklist aging time(s) | Aging time of the dynamic blacklist. After the dynamic blacklist is aged, the AP allows a device to go online if the AP detects no attack from the device. |
| Radio | Radios on which the detection function is configured. |
| Working mode | • normal: An AP transmits data of wireless users and does not monitor wireless devices on the network. • monitor: An AP scans wireless devices on the network and listens on all 802.11 frames on wireless channels. In this mode, all WLAN services on the AP are disabled and the AP cannot transmit data of wireless users. • hybrid: An AP can monitor wireless devices while transmitting data of wireless users. |
| Attack detection | Type of attacks to be detected. |
| Device detection | Device detection enabled or disabled. Device detection can be enabled on an AP that works in monitor or hybrid mode. |
| Countermeasure function | Countermeasure enabled or disabled. If countermeasure is enabled, the device detection function must be enabled. |
| Countermeasure mode | Type of rogue devices to be countered. The countermeasure function prevents rogue devices from accessing the WLAN. |

• Modifying WIDS configurations of an AP
1. Choose WLAN > WIDS Configuration > WIDS Configuration.

2. In the WIDS Configuration area, click corresponding to an AP to be modified.


3. In the Modify WIDS Configuration dialog box that is displayed, set parameters
described in Table 3-126.
4. Click OK.
• Disabling WIDS on an AP
1. Choose WLAN > WIDS Configuration > WIDS Configuration.
2. In the WIDS Configuration area, select an AP and click Delete.

If the AP is removed from the WIDS configuration list, the AP is deleted.

----End
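
The flood attack and brute force cracking thresholds in Table 3-126, together with the dynamic blacklist and its aging time, can be modeled as per-source counters over a detection interval. The following Python example is added here for illustration and is not Huawei's implementation: the sliding-window counting, the class and field names, the parameter values and the sample events are assumptions, and the attack type abbreviations are the ones listed in Table 3-129.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Attack type abbreviations as listed in Table 3-129.
FLOOD_TYPES = {"act", "asr", "aur", "daf", "dar", "ndf", "pbr", "rar",
               "eap_start", "eap_logoff"}
KEY_FAILURE_TYPES = {"wep", "wpa", "wpa2", "wapi"}


@dataclass
class WidsConfig:
    # Field names are hypothetical; each maps to one row of Table 3-126.
    flood_interval_s: int     # Flood attack detection interval(s)
    flood_packet_count: int   # Flood attack packet count
    brute_interval_s: int     # Brute force cracking detection interval(s)
    brute_count: int          # Brute force cracking count
    blacklist_enabled: bool   # Blacklist
    blacklist_aging_s: int    # Blacklist aging time(s)


class WidsDetector:
    def __init__(self, cfg):
        self.cfg = cfg
        self.windows = defaultdict(deque)  # (mac, kind) -> recent timestamps
        self.blacklist = {}                # mac -> expiry time
        self.attack_records = []           # (time, mac, kind)

    def is_blacklisted(self, mac, now):
        expiry = self.blacklist.get(mac)
        if expiry is None:
            return False
        if now >= expiry:                  # entry has aged out
            del self.blacklist[mac]
            return False
        return True

    def observe(self, ts, mac, kind):
        """Classify one event as 'rejected', 'attack' or 'accepted'."""
        if self.is_blacklisted(mac, ts):
            return "rejected"              # packets dropped until aging expires
        if kind in FLOOD_TYPES:
            interval, limit = self.cfg.flood_interval_s, self.cfg.flood_packet_count
        elif kind in KEY_FAILURE_TYPES:
            interval, limit = self.cfg.brute_interval_s, self.cfg.brute_count
        else:
            return "accepted"
        window = self.windows[(mac, kind)]
        window.append(ts)
        while window and window[0] <= ts - interval:
            window.popleft()               # forget events older than the interval
        if len(window) <= limit:
            return "accepted"
        self.attack_records.append((ts, mac, kind))
        window.clear()
        if self.cfg.blacklist_enabled:
            self.blacklist[mac] = ts + self.cfg.blacklist_aging_s
        return "attack"


A, B, C = "0200-0000-00aa", "0200-0000-00bb", "0200-0000-00cc"  # constructed MACs

# Constructed events: (seconds, source MAC, attack type abbreviation).
SAMPLE_EVENTS = (
    [(t, A, "pbr") for t in range(7)]                   # Probe Request burst
    + [(t, B, "pbr") for t in (0, 20, 40)]              # ordinary scanning
    + [(t, C, "wpa2") for t in (10, 12, 14, 16, 41)]    # key negotiation failures
    + [(40, A, "pbr")]                                  # A returns after aging
)


def run_demo():
    cfg = WidsConfig(flood_interval_s=10, flood_packet_count=5,
                     brute_interval_s=30, brute_count=3,
                     blacklist_enabled=True, blacklist_aging_s=30)
    det = WidsDetector(cfg)
    verdicts = [(ts, mac, kind, det.observe(ts, mac, kind))
                for ts, mac, kind in sorted(SAMPLE_EVENTS)]
    return det, verdicts


if __name__ == "__main__":
    detector, results = run_demo()
    for row in results:
        print(*row)
    print("attack records:", detector.attack_records)
```

With these values, a short blacklist aging time lets a flooding device resume quickly, while a low packet count can blacklist a busy but legitimate client; both are visible by editing the constructed events.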

3.8.9.2 SSID Whitelist


This section describes configuration of SSID whitelist.

Context
SSIDs in the whitelist can be used only by the AC. If the rogue AP uses the SSIDs, the monitor
AP does not counter the AP although SSIDs are countered.

Procedure
• Querying an SSID whitelist
1. Choose WLAN > WIDS Configuration > SSID Whitelist.

Figure 3-157 SSID Whitelist

2. In the SSID Whitelist area, enter a keyword or an SSID, and click Search.
• Creating an SSID whitelist
1. Choose WLAN > WIDS Configuration > SSID Whitelist.
2. In the SSID Whitelist area, click Create. In the Create SSID Whitelist dialog box
that is displayed, set SSID.
3. Click OK. If the SSID is displayed in the SSID whitelist, the SSID whitelist is created.
• Modifying an SSID whitelist
1. Choose WLAN > WIDS Configuration > SSID Whitelist.

2. In the SSID Whitelist area, click corresponding to an SSID to be modified.


3. In the Modify SSID Whitelist dialog box that is displayed, change the SSID.
4. Click OK.
• Deleting an SSID whitelist
1. Choose WLAN > WIDS Configuration > SSID Whitelist.
2. In the SSID Whitelist area, select an SSID, and click Delete.

If the SSID is removed from the SSID whitelist, the SSID is deleted.

----End

3.8.9.3 Rogue Device


This section displays rogue devices.

Context
After device detection is enabled, you can view information about rogue devices and historical
records. All rogue devices are recorded in the historical records.

Procedure
• Viewing information about a rogue device
1. Choose WLAN > WIDS Configuration > Rogue Device.

Figure 3-158 Rogue Device

2. In the Rogue Device area, set Search, enter a keyword, and click Go. Table 3-127
describes search items of a rogue device.

Table 3-127 Search items of rogue device and historical records

| Search item | Description |
|---|---|
| MAC Address | MAC address of a rogue device. |
| Discovery Time | Time when a rogue device is detected. |
| Device Type | Type of a rogue device. |
| Channel | Channel of a rogue device. |
| Countermeasure Status | Whether a rogue device is countered. |
| Monitor AP | Monitoring AP that counters the detected rogue device. |

• Deleting information about a rogue device
1. Choose WLAN > WIDS Configuration > Rogue Device.
2. In the Rogue Device area, select a rogue device, and click Delete.
• Viewing historical records of a rogue device
1. Choose WLAN > WIDS Configuration > Rogue Device.
2. In the Historical Records of Rogue Devices area, set Search, enter a keyword, and
click Go. Table 3-127 describes search items of a rogue device.
• Deleting historical records of a rogue device
1. Choose WLAN > WIDS Configuration > Rogue Device.
2. In the Historical Records of Rogue Devices area, select a rogue device, and click
Delete.

----End

3.8.9.4 Attack Statistics


This section displays attack statistics.

Context
After attack detection is enabled, you can view or delete statistics on attacks of different types.

Procedure
• Viewing statistics on attacks
1. Choose WLAN > WIDS Configuration > Attack Statistics.

Figure 3-159 Attack Statistics

2. In the Attack Statistics area, view statistics on attacks of different types. Table
3-128 describes different types of attacks.

Table 3-128 Types of attacks

| Attack Type | Description |
|---|---|
| Probe Request Frame Flood Attack | Flood attack caused by Probe Request frames |
| Authentication Request Frame Flood Attack | Flood attack caused by Authentication Request frames |
| Deauthentication Frame Flood Attack | Flood attack caused by Deauthentication Request frames |
| Association Request Frame Flood Attack | Flood attack caused by Association Request frames |
| Disassociation Request Frame Flood Attack | Flood attack caused by Disassociation Request frames |
| Reassociation Request Frame Flood Attack | Flood attack caused by Reassociation Request frames |
| Action Frame Flood Attack | Flood attack caused by Action frames |
| Null Data Frame Flood Attack | Flood attack caused by null data frames |
| Null QoS Frame Flood Attack | Flood attack caused by null QoS frames |
| EAPOL Start Frame Flood Attack | Flood attack caused by EAPOL start frames |
| EAPOL Logoff Frame Flood Attack | Flood attack caused by EAPOL logoff frames |
| Weak IVs Detected | Weak IV attack |
| Spoofed Deauthentication Frame Attack | Deauthentication frame spoofing attack |
| Spoofed Disassociation Frame Attack | Disassociation frame spoofing attack |
| WEP Share-key Attack | Brute force cracking of the WEP shared key |
| WPA Attack | Brute force cracking of the WPA pre-shared key |
| WPA2 Attack | Brute force cracking of the WPA2 pre-shared key |
| WAPI Attack | Brute force cracking of the WAPI pre-shared key |

• Deleting statistics on attacks
1. Choose WLAN > WIDS Configuration > Attack Statistics.
2. In the Attack Statistics area, click Reset all. In the dialog box that is displayed, click
OK.

----End

3.8.9.5 Attack Records


This section displays attack records.

Context
After attack detection is enabled, information about a detected attack device is saved in the
attack detection list. If the attack device launches no more attacks, the device is removed from
the attack detection list and the attack is added to the attack record list. You can check or
delete entries in the attack detection list and attack record list.

Procedure
• Querying the attack detection list
1. Choose WLAN > WIDS Configuration > Attack Records.

Figure 3-160 Attack Records

2. In the Attack Detection List area, set Search, enter a keyword, and click Go. Table
3-129 describes search items.

Table 3-129 Search items of attack detection and attack records

| Search item | Description |
|---|---|
| MAC Address | • When a spoofing attack occurs, this parameter indicates the BSSID. • When other attacks occur, this parameter indicates the MAC address of the device initiating the attacks. |
| Attack Type | Type of the detected attack, displayed as an abbreviation: act: Action Frame Flood Attack; asr: Association Request Frame Flood Attack; aur: Authentication Request Frame Flood Attack; daf: Deauthentication Frame Flood Attack; dar: Disassociation Request Frame Flood Attack; ndf: Null Data Frame Flood Attack; pbr: Probe Request Frame Flood Attack; rar: Reassociation Request Frame Flood Attack; eap_start: EAPOL Start Frame Flood Attack; eap_logoff: EAPOL Logoff Frame Flood Attack; saf: Spoofed Disassociation Frame Attack; sdf: Spoofed Deauthentication Frame Attack; wiv: Weak IVs Detected; wep: WEP Share-key Attack; wpa: WPA Attack; wpa2: WPA2 Attack; wapi: WAPI Attack |
| Channel | Channel of the detected attack. |
| RSSI | Average RSSI of the detected attack frames. |
| Detection Time | Time when an attack is detected. |
| Monitoring AP | AP that detects the attack. |

• Deleting the attack detection list
1. Choose WLAN > WIDS Configuration > Attack Records.
2. In the Attack Detection List area, click Clear. In the dialog box that is displayed,
click OK. All attack records are deleted.
• Querying attack records
1. Choose WLAN > WIDS Configuration > Attack Records.
2. In the Attack Records area, set Search, enter a keyword, and click Go. Table
3-129 describes search items.
• Deleting attack records
1. Choose WLAN > WIDS Configuration > Attack Records.
2. In the Attack Records area, click Clear. In the dialog box that is displayed, click
OK. All attack records are deleted.

----End

3.8.9.6 Dynamic Blacklist


This section displays dynamic blacklist.

Context
After attack detection and dynamic blacklist are enabled, an AP adds devices that initiate attacks
to the dynamic blacklist and rejects packets from these devices within the blacklist timeout
period.

Devices that initiate flood attacks and brute force cracking of the WPA/WPA2/WAPI pre-shared
key and the WEP shared key can be added to the dynamic blacklist.

Procedure
• Viewing the dynamic blacklist
1. Choose WLAN > WIDS Configuration > Dynamic Blacklist.

Figure 3-161 Dynamic Blacklist

2. In the Dynamic Blacklist area, set Search, enter a keyword, and click Go. Table
3-130 describes search items.

Table 3-130 Search items of dynamic blacklist

| Search item | Description |
|---|---|
| MAC Address | MAC address of a device in the dynamic blacklist. |
| Attack Type | Type of the detected attack, displayed as an abbreviation. |
| Monitoring AP | AP that detects the device and adds the device to the dynamic blacklist. |

• Deleting entries from the dynamic blacklist
1. Choose WLAN > WIDS Configuration > Dynamic Blacklist.
2. In the Dynamic Blacklist area, select an entry, and click Delete.

----End

3.8.10 Backup Configuration


In the Backup Configuration page, you can perform dual-link cold backup.

3.8.10.1 Backup Configuration


In the Backup Configuration page, you can perform dual-link cold backup.

Context
In the AC + Fit AP networking, the AC manages and controls WLAN services of users. An AC
may control hundreds of APs and thousands of STAs; therefore, the AC must be highly reliable.
If the AC is faulty, the services of all users connected to the AC are interrupted. An AC can
perform dual-link cold backup.
• Dual-Link Cold Backup
As shown in Figure 3-162, an active AC and a standby AC are deployed on the WLAN.
The AP establishes CAPWAP tunnels with the two ACs, and periodically exchanges
CAPWAP packets with the ACs to monitor link status. The active AC controls access of
STAs. If the AP detects a fault on the link between the AP and active AC, the AP requests
the standby AC to trigger an active/standby switchover, that is, the standby AC becomes
the active AC to control access of STAs. This mechanism improves WLAN reliability.
After the original active AC is restored, the AP requests the active and standby ACs to
perform revertive switchover. The restored AC becomes the active AC again.

Figure 3-162 Dual-link cold backup networking diagram

[Figure labels: Active AC, Standby AC, Switch, CAPWAP primary tunnel, CAPWAP backup tunnel, AP, STA]

Procedure
• Configuring device backup
1. Log in to the web platform and choose WLAN > Backup Configuration > Backup
Configuration.
2. Enable or disable AC dual-link cold backup, as shown in Figure 3-163. Set or enter
corresponding backup parameters. For description of the parameters, see Table
3-131.
3. Click Apply to complete the backup configuration.

Figure 3-163 Dual-link cold backup

Table 3-131 Description of dual-link cold backup parameters

| Parameter | Description |
|---|---|
| AC dual-link cold backup | Whether to enable dual-link cold backup. By default, dual-link cold backup is disabled globally. |
| AC dual-link backup state | Whether to enable dual-link backup. By default, dual-link backup is disabled globally. |
| AC dual-link restore state | Whether to enable the active/standby link switchback function. By default, the active/standby link switchback function is enabled. Assume that AC1 is the active AC and AC2 is the backup AC. When the link between AC1 and an AP fails, AC2 takes the active role and the link between AC2 and the AP becomes the active link. In the case that active/standby link switchback is enabled, when the link between AC1 and the AP recovers, the AP detects that AC1 priority is higher than AC2 and instructs AC1 and AC2 to perform switchback. AC1 becomes the active AC again. |
| Local priority | Priority of the AC. In dual-link backup mode, the AC with a higher priority acts as the active AC and the AC with a lower priority acts as the standby AC. A smaller value indicates a higher priority. |
| Standby AC IP address | IP address of the standby AC. |

----End

3.8.11 Terminal Management


You can manage terminals connected to the device.

3.8.11.1 STA Management


In the STA Management page, you can view detailed information about the STAs and force
the STAs to go offline.

Context
On the STA Management tab page, you can view information about STAs such as the MAC
addresses, IP addresses, and radio modes.

Procedure
• Check STA information.
1. Choose WLAN > Terminal Management > STA Management.

Figure 3-164 STA Management

2. Set Search and the query criteria, and click Go. You can view information about found
STAs. Click details on the right of the STA's MAC address to check STA information.
Table 3-132 describes STA parameters.

Table 3-132 STA parameters

| Parameter | Description |
|---|---|
| MAC address | MAC address of a STA. |
| IP Address | IP address of a STA. |
| AP ID | ID of the AP that a STA associates with. |
| SSID | SSID that a STA associates with. |
| Radio mode | Radio mode used by a STA. |
| VLAN ID | Service VLAN of a STA. |
| Access Channel | Channel used by a STA. |
| Online Time | STA online duration. |
| User Name | User name of a STA. |
| Frequency Band | Radios on an AP that a STA can access. |
| Received Bytes(bytes) | Bytes received by a STA from an AP. |
| Transmit Bytes(bytes) | Bytes transmitted by a STA to an AP. |
| Uplink SNR(dB) | Upstream signal-to-noise ratio (SNR) of a STA. |
| Uplink Receiving Power(dBm) | Upstream receive power of a STA. |
| Signal Intensity(dBm) | Strength of radio signals received by a STA. |
| Authentication Mode | Authentication mode used by a STA. |
| Encryption Mode | Encryption mode used during data transmission between a STA and an AP. |

• Force STAs to log out.
1. Choose WLAN > Terminal Management > STA Management.
2. Set Search and the query criteria, and click Go. You can view information about found
STAs. Click on the right of the STA's MAC address to force the STA to log out.

----End

3.8.11.2 STA Statistics


The STA Statistics page displays STA statistics information.

Context
This page displays STA statistics.

Procedure
Step 1 Choose WLAN > Terminal Management > STA Statistics.

Figure 3-165 STA Statistics

Step 2 Enter the ID of the AP you want to query in AP ID and click Search to search for STAs.
For description of the parameters, see Table 3-133.

Table 3-133 STA parameter description

| Item | Description |
|---|---|
| AP ID | Specifies the AP ID. |
| Total Number Of Users | Indicates the number of STAs connected to the AP. |
| Number Of 2.4 GHz Users | Indicates the number of STAs connected to the 2.4 GHz radio of the AP. |
| Number Of 5 GHz Users | Indicates the number of STAs connected to the 5 GHz radio of the AP. |

----End

3.8.11.3 Offline User Information


The Offline User Information page displays detailed information about offline users.

Context
This page displays information about offline users.

Procedure
Step 1 Choose WLAN > Terminal Management > Offline User Information.

Figure 3-166 Offline User Information

Step 2 Set Search and the query criteria, and click Go. You can view information about found STAs.
Table 3-134 describes STA parameters.

Table 3-134 Offline User parameters

| Parameter | Description |
|---|---|
| User Name | Name of the offline user. |
| MAC Address | MAC address of the offline user. |
| IP Address | IP address of the offline user. |
| Authentication Mode | Authentication mode for the offline user. |
| Domain Name | Authentication domain of the offline user. |
| Logout Cause | Cause for the user's logout. |
| Interface | Interfaces connected to the offline user. |
| VLAN | Service VLAN of the offline user. |
| Online Time | Login time of the online user. |
| Offline Time | Logout time of the offline user. |

----End

3.8.11.4 STA Blacklist/Whitelist


In the STA Blacklist/Whitelist page, you can configure and view STA blacklist and whitelist.

Context
STA blacklist and whitelist functions allow authorized STAs to connect to the WLAN and reject
access from unauthorized STAs.
• A whitelist contains MAC addresses of STAs that are allowed to connect to a WLAN. After
the whitelist function is enabled, only the STAs in the whitelist can connect to the WLAN,
and access from other STAs is rejected.
• A blacklist contains MAC addresses of STAs that are not allowed to connect to a WLAN.
After the blacklist function is enabled, STAs in the blacklist cannot connect to the WLAN,
and other STAs can connect to the WLAN.

If the blacklist or whitelist function is configured on an AP, the configured blacklist or whitelist
takes effect on all STAs connecting to the AP. The device supports the configuration of the STA
blacklist or whitelist function for an AP or a VAP. If both an AP and a VAP are configured with the
blacklist or whitelist function, a STA can connect to the WLAN only when it is permitted by
the configuration on both the AP and the VAP. To configure a blacklist or whitelist based on a VAP,
see 3.8.5.5 STA Blacklist/Whitelist Profile.

If the whitelist or blacklist is empty, all STAs can connect to the WLAN.

The STA blacklist and whitelist are configured in the same way. The following uses the
configuration of the STA whitelist as an example.

Procedure
• Querying a STA whitelist
1. Choose WLAN > Terminal Management > STA Blacklist/Whitelist.

Figure 3-167 STA Blacklist/Whitelist

2. In the STA Whitelist area, view all existing STA whitelists. You can enter a keyword,
and click Search to search for a STA whitelist.
• Creating a STA whitelist
1. Choose WLAN > Terminal Management > STA Blacklist/Whitelist.
2. In the STA Whitelist area, click Create. In the Create STA Whitelist dialog box
that is displayed, set MAC address or import the local file.

Manually create: enter the MAC address of a STA and add it to the list.
Import from local file: configure STAs' MAC addresses in a local file and import
the local file to the web page. Then, add the MAC addresses to the list in a batch.

NOTE

If the message "Your browser's security settings are too high to complete this process. See the
help menu for instructions on adjusting your security settings." is displayed during file upload,
configure Internet Explorer as follows:
• Versions earlier than IE10: choose Tools > Internet Options > Security > Custom Level
and click Enable or Prompt next to Initialize and script ActiveX controls not marked
as safe for scripting. If you click Enable, the file can be uploaded directly. If you click
Prompt, the message "An ActiveX control on this page might be unsafe to interact with
other parts of the page. Do you want to allow this interaction?" is displayed. If you click
Yes, the file can be uploaded.
• IE10 and later versions: choose Tools > Internet Options > Security > Custom Level and
click Enable next to Include local directory path when uploading files to a server.
The file is in .txt format. Each row provides one MAC address. For example:
60de-4474-9640
60de-4474-9680
dcd2-fc9a-2110
3. Click OK.
If the STA whitelist is displayed in the STA whitelist list, the STA whitelist is created.
• Deleting a STA whitelist
1. Choose WLAN > Terminal Management > STA Blacklist/Whitelist.
2. In the STA Whitelist area, select a STA whitelist, and click Delete.
If the STA whitelist is removed from the STA whitelist list, the STA whitelist is
deleted.
----End
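
The import file format (one MAC address per row, written as xxxx-xxxx-xxxx) and the AP/VAP list semantics described in this section can be checked before a list is uploaded. The following Python example is added here and is not part of the Huawei web system: the function names, the accepted input notations and the rejection of group addresses are assumptions of this example, and the inventory reuses the three MAC addresses of the file example above in other notations.

```python
import re

_SEPARATORS = re.compile(r"[-:.\s]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(text):
    """Return a MAC address in the xxxx-xxxx-xxxx row format of the import file."""
    digits = _SEPARATORS.sub("", text.lower())
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    if int(digits[:2], 16) & 0x01:
        # I/G bit set: a group address cannot identify a single STA (added check).
        raise ValueError(f"group address, not a STA: {text!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def build_import_file(inventory):
    """Return (file text with one MAC per row, list of rejection messages)."""
    rows, rejected = [], []
    for entry in inventory:
        try:
            mac = normalize_mac(entry)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        if mac not in rows:          # drop duplicates, keep first-seen order
            rows.append(mac)
    return "".join(row + "\n" for row in rows), rejected


def list_permits(mac, mode, entries):
    """Decision of one level (AP or VAP); mode is 'whitelist', 'blacklist' or 'disabled'."""
    if mode not in ("whitelist", "blacklist", "disabled"):
        raise ValueError(f"unknown mode: {mode!r}")
    if mode == "disabled" or not entries:
        return True                  # an empty list admits all STAs
    listed = normalize_mac(mac) in {normalize_mac(e) for e in entries}
    return listed if mode == "whitelist" else not listed


def can_connect(mac, ap_policy, vap_policy):
    """A STA connects only when both the AP and the VAP configuration permit it."""
    return list_permits(mac, *ap_policy) and list_permits(mac, *vap_policy)


# Constructed inventory: the three example MAC addresses in other notations,
# plus a duplicate, a broadcast address and a truncated entry.
INVENTORY = ["60:DE:44:74:96:40", "60de.4474.9680", "DC-D2-FC-9A-21-10",
             "60de-4474-9640", "ff:ff:ff:ff:ff:ff", "60de-4474-96"]

if __name__ == "__main__":
    text, rejected = build_import_file(INVENTORY)
    print(text, end="")
    print("rejected:", rejected)
    ap = ("whitelist", ["60de-4474-9640", "60de-4474-9680"])
    vap = ("blacklist", ["60de-4474-9680"])
    for sta in ("60de-4474-9640", "60de-4474-9680", "dcd2-fc9a-2110"):
        print(sta, can_connect(sta, ap, vap))
```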

3.8.11.5 Blacklist/Whitelist Status


In the Blacklist/Whitelist Status page, you can configure and view STA blacklist and whitelist
status.

Context
The STA blacklist or whitelist takes effect only when the blacklist or whitelist function is enabled
on the AP.
An AP or a VAP can be configured with either the blacklist function or the whitelist function, but
not both.

Procedure
• Viewing the blacklist or whitelist status
1. Choose WLAN > Terminal Management > Blacklist/Whitelist Status.

Figure 3-168 Blacklist/Whitelist Status


2. In the AP area, view the blacklist or whitelist status of all APs. You can set Search,
enter a keyword, and click Go to search for an AP.
• Configuring the blacklist or whitelist status for an AP
1. Choose WLAN > Terminal Management > Blacklist/Whitelist Status.
2. In the AP area, select an AP, click one of the following buttons, and then click
OK.
- Enable Whitelist: The STA whitelist takes effect. Only STAs in the whitelist can
  associate with the AP.
- Enable Blacklist: The STA blacklist takes effect. STAs in the blacklist cannot
  associate with the AP.
- Disable Blacklist/Whitelist: Neither the blacklist nor the whitelist takes effect.

----End

3.8.12 Radio Calibration


The radio calibration function can dynamically adjust channels and power of APs managed by
the same AC to ensure that the APs work at the optimal performance.

3.8.12.1 Radio Calibration


This section describes radio calibration configuration.

Procedure
• Configure manual calibration.
1. Click WLAN > Radio Calibration. The Radio Calibration page is displayed.

2. In Radio Calibration Setting, set Calibration mode to Manual.


3. Click Advanced to set the calibration policy and sensitivity. See Table 3-135 for
description of the parameters.


Table 3-135 Calibration policy and sensitivity descriptions

Item: Prevent rogue-ap
Description: Set the radio calibration policy to Prevent rogue-ap. When rogue APs (rogue APs
cannot be controlled by an AC) exist on a network, set the radio calibration policy to
Prevent rogue-ap. The device then implements radio calibration to minimize the rogue AP
interference on the entire network.

Item: Prevent load ap
Description: Set the radio calibration policy to Prevent load ap. When an AP is heavily loaded,
set the radio calibration policy to Prevent load ap. The device then preferentially allocates
channels with little interference to the heavily loaded APs.

Item: Prevent non-wifi interference
Description: Set the radio calibration policy to Prevent non-wifi interference. When non-Wi-Fi
devices exist on a network, set the radio calibration policy to Prevent non-wifi interference.
The device then implements radio calibration to reduce interference of non-Wi-Fi devices on
the network.

Item: Calibration sensitivity
Description: Configure radio calibration sensitivity. There are three levels of radio
calibration sensitivity:
• Low
• Medium
• High

Item: Country code
Description: Displays the AC's country code. For configuration details of the AC's country
code, see 3.8.1.1 AC Configuration.

Item: 2.4G calibrate channel set, 5G calibrate channel set
Description: Configure the global calibration channel set. There are calibration channel sets
for 2.4 GHz and 5 GHz radios.
You can specify a calibration channel set for the AP. When implementing radio calibration, the
device can select channels from the calibration channel set. This reduces the burden on the
device. There are two kinds of calibration channel set: the global calibration channel set and
the region calibration channel set.
The device implements radio calibration according to the following principles:
• If no country code is configured in the AP region, the device implements radio calibration
  on global calibration channels.
• If a country code is configured in the AP region, the device implements radio calibration
  based on whether calibration channels are specified in the AP region.
  - If calibration channels are specified in the AP region, the device implements radio
    calibration only on channels specified in the AP region.
  - If no calibration channel is specified in the AP region, the device implements radio
    calibration on channels in the calibration channel set that corresponds to the country
    code in the AP region.
  For configurations about the region calibration channel set, see Configuring a Calibration
  Channel Set in the AP Region in 3.8.2.2 AP Region.

4. Click Apply. The configuration is complete.


5. Click Start. Manual radio calibration is triggered.


• Configure automatic calibration.
1. Click WLAN > Radio Calibration. The Radio Calibration page is displayed.
2. In Radio Calibration Setting, set Calibration mode to Auto and specify the value
of Calibration interval.

3. Click Advanced to set the calibration policy and sensitivity. See Table 3-136 for
description of the parameters.

Table 3-136 Calibration policy and sensitivity descriptions

Item: Prevent rogue-ap
Description: Set the radio calibration policy to Prevent rogue-ap. When rogue APs (rogue APs
cannot be controlled by an AC) exist on a network, set the radio calibration policy to
Prevent rogue-ap. The device then implements radio calibration to minimize the rogue AP
interference on the entire network.

Item: Prevent load ap
Description: Set the radio calibration policy to Prevent load ap. When an AP is heavily loaded,
set the radio calibration policy to Prevent load ap. The device then preferentially allocates
channels with little interference to the heavily loaded APs.

Item: Prevent non-wifi interference
Description: Set the radio calibration policy to Prevent non-wifi interference. When non-Wi-Fi
devices exist on a network, set the radio calibration policy to Prevent non-wifi interference.
The device then implements radio calibration to reduce interference of non-Wi-Fi devices on
the network.

Item: Calibration sensitivity
Description: Configure radio calibration sensitivity. There are three levels of radio
calibration sensitivity:
• Low
• Medium
• High

Item: Country code
Description: Displays the AC's country code. For configuration details of the AC's country
code, see 3.8.1.1 AC Configuration.

Item: 2.4G calibrate channel set, 5G calibrate channel set
Description: Configure the global calibration channel set. There are calibration channel sets
for 2.4 GHz and 5 GHz radios.
You can specify a calibration channel set for the AP. When implementing radio calibration, the
device can select channels from the calibration channel set. This reduces the burden on the
device. There are two kinds of calibration channel set: the global calibration channel set and
the region calibration channel set.
The device implements radio calibration according to the following principles:
• If no country code is configured in the AP region, the device implements radio calibration
  on global calibration channels.
• If a country code is configured in the AP region, the device implements radio calibration
  based on whether calibration channels are specified in the AP region.
  - If calibration channels are specified in the AP region, the device implements radio
    calibration only on channels specified in the AP region.
  - If no calibration channel is specified in the AP region, the device implements radio
    calibration on channels in the calibration channel set that corresponds to the country
    code in the AP region.
  For configurations about the region calibration channel set, see Configuring a Calibration
  Channel Set in the AP Region in 3.8.2.2 AP Region.

4. Click Apply. The configuration is complete.


• Configure scheduled calibration.
1. Click WLAN > Radio Calibration. The Radio Calibration page is displayed.
2. In Radio Calibration Setting, set Calibration mode to Periodic and specify the
value of Calibration time.


3. Click Advanced to set the calibration policy and sensitivity. See Table 3-137 for
description of the parameters.

Table 3-137 Calibration policy and sensitivity descriptions

Item: Prevent rogue-ap
Description: Set the radio calibration policy to Prevent rogue-ap. When rogue APs (rogue APs
cannot be controlled by an AC) exist on a network, set the radio calibration policy to
Prevent rogue-ap. The device then implements radio calibration to minimize the rogue AP
interference on the entire network.

Item: Prevent load ap
Description: Set the radio calibration policy to Prevent load ap. When an AP is heavily loaded,
set the radio calibration policy to Prevent load ap. The device then preferentially allocates
channels with little interference to the heavily loaded APs.

Item: Prevent non-wifi interference
Description: Set the radio calibration policy to Prevent non-wifi interference. When non-Wi-Fi
devices exist on a network, set the radio calibration policy to Prevent non-wifi interference.
The device then implements radio calibration to reduce interference of non-Wi-Fi devices on
the network.

Item: Calibration sensitivity
Description: Configure radio calibration sensitivity. There are three levels of radio
calibration sensitivity:
• Low
• Medium
• High

Item: Country code
Description: Displays the AC's country code. For configuration details of the AC's country
code, see 3.8.1.1 AC Configuration.

Item: 2.4G calibrate channel set, 5G calibrate channel set
Description: Configure the global calibration channel set. There are calibration channel sets
for 2.4 GHz and 5 GHz radios.
You can specify a calibration channel set for the AP. When implementing radio calibration, the
device can select channels from the calibration channel set. This reduces the burden on the
device. There are two kinds of calibration channel set: the global calibration channel set and
the region calibration channel set.
The device implements radio calibration according to the following principles:
• If no country code is configured in the AP region, the device implements radio calibration
  on global calibration channels.
• If a country code is configured in the AP region, the device implements radio calibration
  based on whether calibration channels are specified in the AP region.
  - If calibration channels are specified in the AP region, the device implements radio
    calibration only on channels specified in the AP region.
  - If no calibration channel is specified in the AP region, the device implements radio
    calibration on channels in the calibration channel set that corresponds to the country
    code in the AP region.
  For configurations about the region calibration channel set, see Configuring a Calibration
  Channel Set in the AP Region in 3.8.2.2 AP Region.

4. Click Apply. The configuration is complete.


• Check the calibration result.
1. Click WLAN > Radio Calibration. The Radio Calibration page is displayed.
2. Click Real-Time Channel And Power List to check the current working channel and
power of the radio.


3. Set search criteria in Search and click Go. Channel and power of the APs matching
the search conditions are displayed. You can check the channel and power of specified
APs.
----End

3.8.13 System Maintenance


This section describes how to maintain the system, including how to upgrade a single AP or APs
in batches.

3.8.13.1 AP Batch Upgrade


On the AP Batch Upgrade page, you can upgrade multiple APs in batches at the same time.

Context
APs can be upgraded in batches.
• You can upgrade APs of the same type in batches.
• You can upgrade APs of the same type in a region in batches.
• You can upgrade APs of a specific type based on AP IDs.
NOTE
To upgrade APs in batches through the WLAN web platform, the APs must go online first.

Procedure
• Upgrading APs in batches
1. Choose WLAN > System Maintenance > AP Batch Upgrade. The AP Batch
Upgrade tab page is displayed.

Figure 3-169 AP Batch Upgrade

2. Set parameters in AP Batch Upgrade. The AP upgrade mode can be AC, FTP, or
SFTP. Table 3-138, Table 3-139, and Table 3-140 describe the parameters.


Table 3-138 Parameters for upgrading APs in AC mode

Parameter: Upgrade mode
Description: AP upgrade mode.
• AC: The upgrade system software must be uploaded to the AC in advance. Upgrading APs in
  batches takes a long time. To shorten the service interruption time, you are advised to
  upgrade APs in FTP or SFTP mode.
• FTP: The upgrade system software must be uploaded to the FTP server in advance, and APs can
  communicate with the FTP server.
• SFTP: The upgrade system software must be uploaded to the SFTP server in advance, and APs
  can communicate with the SFTP server.

Parameter: File name
Description: Name of the system software to be loaded for upgrading APs.

Parameter: Type
Description: Type of APs to be upgraded.

Parameter: AP region
Description: Region of APs to be upgraded. When this parameter is set to none, all APs of the
specified type are upgraded in batches. When an AP region is selected, APs of the specified
type in the specified AP region are upgraded in batches.

Parameter: AP ID
Description: ID of APs to be upgraded. If no ID is specified, APs are upgraded in batches
based on the specified AP region.

Table 3-139 Parameters for upgrading APs in FTP mode

Parameter: Upgrade mode
Description: For details, see Table 3-138.

Parameter: File name
Description: For details, see Table 3-138.

Parameter: Type
Description: For details, see Table 3-138.

Parameter: AP region
Description: For details, see Table 3-138.

Parameter: AP ID
Description: For details, see Table 3-138.

Parameter: Server IP address
Description: IP address of the FTP server for storing the upgrade system software.

Parameter: FTP User name
Description: User name for logging in to the FTP server.

Parameter: FTP Password
Description: Password for logging in to the FTP server.

Table 3-140 Parameters for upgrading APs in SFTP mode

Parameter: Upgrade mode
Description: For details, see Table 3-138.

Parameter: File name
Description: For details, see Table 3-138.

Parameter: Type
Description: For details, see Table 3-138.

Parameter: AP region
Description: For details, see Table 3-138.

Parameter: AP ID
Description: For details, see Table 3-138.

Parameter: Server IP address
Description: IP address of the SFTP server for storing the upgrade system software.

Parameter: SFTP User name
Description: User name for logging in to the SFTP server.

Parameter: SFTP Password
Description: Password for logging in to the SFTP server.

3. Click Upgrade. APs are upgraded in batches.


• Querying the AP upgrade list
In the AP Upgrade area, set Search and click Go. APs matching the search criteria are
displayed. The upgrade file names of APs are displayed.

----End

3.8.13.2 Single AP Upgrade


This section describes how to upgrade a single AP and verify the validity of the upgrade version.

Context
Before upgrading APs in batches, upgrade a single AP to check whether the upgrade version works
normally, so that the subsequent batch upgrade succeeds.

NOTE
To upgrade a single AP through the WLAN web platform, the AP must go online first.


Procedure
Step 1 Choose WLAN > System Maintenance > Single AP Upgrade. The Single AP Upgrade tab
page is displayed.

Figure 3-170 Single AP Upgrade

Step 2 Set parameters described in Table 3-141, Table 3-142, and Table 3-143.

Table 3-141 Parameters for upgrading APs in AC mode

Parameter: Upgrade mode
Description: AP upgrade mode.
• AC: The upgrade system software must be uploaded to the AC in advance.
• FTP: The upgrade system software must be uploaded to the FTP server in advance, and APs can
  communicate with the FTP server.
• SFTP: The upgrade system software must be uploaded to the SFTP server in advance, and APs
  can communicate with the SFTP server.

Parameter: File name
Description: Name of the system software to be loaded for upgrading APs.

Parameter: Select an AP
Description: AP to be upgraded.

Table 3-142 Parameters for upgrading APs in FTP mode

Parameter: Upgrade mode
Description: For details, see Table 3-141.

Parameter: File name
Description: For details, see Table 3-141.

Parameter: Server IP address
Description: IP address of the FTP server for storing the upgrade system software.

Parameter: FTP User name
Description: User name for logging in to the FTP server.

Parameter: FTP Password
Description: Password for logging in to the FTP server.

Parameter: Select an AP
Description: For details, see Table 3-141.

Table 3-143 Parameters for upgrading APs in SFTP mode

Parameter: Upgrade mode
Description: For details, see Table 3-141.

Parameter: File name
Description: For details, see Table 3-141.

Parameter: Server IP address
Description: IP address of the SFTP server for storing the upgrade system software.

Parameter: SFTP User name
Description: User name for logging in to the SFTP server.

Parameter: SFTP Password
Description: Password for logging in to the SFTP server.

Parameter: Select an AP
Description: For details, see Table 3-141.

Step 3 Click Upgrade. The selected AP is upgraded.

----End

3.9 ACL
The following sections describe how to view, add, modify, and delete ACLs and ACL effective
periods, and how to configure the ACL function.

An access control list (ACL) is used to identify flows. To filter packets according to certain
rules, a network device must first identify the packets, and then permit or deny them
according to the policy that you have configured.

3.9.1 Effective Period


By configuring the effective period, you can apply an ACL to packets in a certain period of time.

Context
• An effective period describes a special period of time. In practice, users may want certain
  ACL rules to be valid during a certain period but invalid outside that period. That is, the
  ACL rules are used to filter packets based on the period of time. To implement this function,
  users can set one or multiple periods, and apply the periods to a rule. Then, packets are
  filtered based on the set periods.
• An effective period can contain periodic time ranges and absolute time ranges. A periodic
  time range takes effect on a certain day in a week. An absolute time range contains the start
  time and the end time.

Procedure
• Query the time range.
1. Choose ACL > Effective Period to open the Effective Period page.
2. Enter the name of the time range in the text box, for example, test.
3. Click Query to display all matching records.
• Add a time range.
1. Choose ACL > Effective Period to open the Effective Period page.
2. Click New to open the Add Time Range page, as shown in Figure 3-171.

Figure 3-171 Add Time Range

Table 3-144 describes the parameters on the Add Time Range page.

Table 3-144 Add Time Range

Parameter: Time Range Name
Description: Indicates the name of the created effective period. This parameter is mandatory.

Parameter: Periodic Time Range
Description: Indicates the periodic time range. A periodic time range takes effect on a
certain day in a week. You can create multiple periodic time ranges by clicking Add or delete
all the periodic time ranges by clicking Delete.
NOTE
If only one periodic time range is created in an effective period, the effective period takes
effect when the current time is within the periodic time range.

Parameter: Absolute Time Range
Description: Indicates the absolute time range. An absolute time range contains the start time
and the end time. You can create multiple absolute time ranges by clicking Add or delete all
the absolute time ranges by clicking Delete.
NOTE
If only one absolute time range is created in an effective period, the effective period takes
effect when the current time is within the absolute time range.

3. Set parameters.
NOTE

• If an effective period contains an absolute time range and a periodic time range, the effective
  period takes effect only when the current time is within the absolute time range and the
  periodic time range.
• The start time and end time of the absolute time range can be earlier than the current time.
• The Periodic Time Range and Absolute Time Range parameters cannot both be left blank.
4. Click OK.
• Modify a time range.
1. Choose ACL > Effective Period to open the Effective Period page.
2. Click to open the Modify Time Range page, as shown in Figure 3-172.


Figure 3-172 Modify Time Range

NOTE

• Table 3-144 describes the parameters on the Modify Time Range page.
• The effective period name cannot be modified.
• The periodic time range and absolute time range can only be deleted, but cannot be
  modified.
3. Set parameters.
4. Click OK.
• Delete a time range.
1. Choose ACL > Effective Period to open the Effective Period page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE

• To select a record, click the check box of the record.
• To delete records in batches, click the check boxes of the records.
3. Click OK.

----End
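How the periodic and absolute time ranges of an effective period combine, and how to spot rules bound to a period that has already ended, as an added sketch that is not Huawei's implementation. It assumes that several ranges of the same kind act as a union; the period names, rule list and dates are constructed.

```python
from datetime import datetime, time

WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}
WORKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri")


class EffectivePeriod:
    """One effective period: periodic and/or absolute time ranges."""

    def __init__(self, name, periodic=(), absolute=()):
        if not periodic and not absolute:
            # Both parameters cannot be left blank at the same time.
            raise ValueError("need a periodic or an absolute time range")
        self.name = name
        # periodic entries: (day names, "HH:MM" start, "HH:MM" end)
        self.periodic = [({WEEKDAYS[d] for d in days},
                          time.fromisoformat(start), time.fromisoformat(end))
                         for days, start, end in periodic]
        # absolute entries: (start datetime, end datetime)
        self.absolute = list(absolute)

    def in_effect(self, now):
        """True when 'now' is inside every kind of range that is configured."""
        clock = now.time().replace(second=0, microsecond=0)
        if self.periodic and not any(
                now.weekday() in days and start <= clock <= end
                for days, start, end in self.periodic):
            return False
        if self.absolute and not any(s <= now <= e for s, e in self.absolute):
            return False
        return True

    def expired(self, now):
        """True when absolute ranges exist and all of them have already ended.

        An absolute range may lie entirely in the past, so a rule bound to
        such a period is accepted but never filters a packet again.
        """
        return bool(self.absolute) and all(e < now for _, e in self.absolute)


def stale_rules(rules, periods, now):
    """Numbers of the rules whose effective period can no longer take effect."""
    return [number for number, _action, period in rules
            if period is not None and periods[period].expired(now)]


# Constructed sample data.
PERIODS = {
    "work-hours": EffectivePeriod(
        "work-hours", periodic=[(WORKDAYS, "08:00", "18:00")]),
    "audit-2014": EffectivePeriod(
        "audit-2014",
        periodic=[(WORKDAYS, "08:00", "18:00")],
        absolute=[(datetime(2014, 1, 1, 0, 0), datetime(2014, 12, 31, 23, 59))]),
}
RULES = [(5, "deny", "audit-2014"), (10, "deny", "work-hours"), (15, "permit", None)]

if __name__ == "__main__":
    for when in (datetime(2014, 8, 27, 10, 0), datetime(2014, 8, 30, 10, 0),
                 datetime(2015, 1, 7, 10, 0)):
        state = {name: p.in_effect(when) for name, p in PERIODS.items()}
        print(when, state, "stale rules:", stale_rules(RULES, PERIODS, when))
```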

3.9.2 ACL
An ACL classifies packets according to matching rules. The rules can match on the source
addresses, destination addresses, or port numbers of the packets.

Context
ACLs are classified into the following types:
• Basic ACL: matching packets based on source IP addresses at Layer 3
• Advanced ACL: matching packets based on the Layer 3 or Layer 4 information of packets,
  such as source IP addresses, destination IP addresses, type of the protocol over IP, and the
  protocol feature
• Layer 2 ACL: matching packets based on Layer 2 information of packets, such as source
  MAC addresses, destination MAC addresses, 802.1P priorities, and the Layer 2 protocol
  type
• User ACL: matching packets based on source IP addresses or source UCL groups,
  destination IP addresses or destination UCL groups, IP protocol type, ICMP type, TCP
  source/destination ports, and UDP source/destination ports.

NOTE

Only the S5720HI supports user ACL.
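How the fields of an advanced IPv4 ACL rule (protocol, source and destination wildcard, port operator, and the default permit action described in the rule tables of this section) combine when a packet is checked, as an added sketch that is not Huawei's implementation. It assumes that rules are checked in ascending rule number with the first match deciding and that a 1 bit in the wildcard means "ignore this bit"; the ACL and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

ALL = ("0.0.0.0", "255.255.255.255")  # wildcard of all ones: every bit is ignored


def wildcard_match(addr, base, wildcard):
    """IPv4 wildcard match: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def port_match(port, cond):
    """cond is None (any port) or (operator, value[, upper bound])."""
    if cond is None:
        return True
    op, low, *rest = cond
    if op == "equal":
        return port == low
    if op == "greater":
        return port > low
    if op == "smaller":
        return port < low
    if op == "range":
        return low <= port <= rest[0]
    raise ValueError(f"unknown port operator {op!r}")


@dataclass
class Rule:
    number: int
    protocol: str                 # mandatory; "ip" stands for any protocol over IP
    action: str = "permit"        # the default action is to permit
    src: tuple = ALL              # default: all source IP addresses
    dst: tuple = ALL              # default: all destination IP addresses
    src_port: tuple = None
    dst_port: tuple = None

    def matches(self, pkt):
        if self.protocol != "ip" and self.protocol != pkt["proto"]:
            return False
        if not (wildcard_match(pkt["src"], *self.src)
                and wildcard_match(pkt["dst"], *self.dst)):
            return False
        if self.protocol in ("tcp", "udp"):  # ports are valid only for TCP or UDP
            return (port_match(pkt["sport"], self.src_port)
                    and port_match(pkt["dport"], self.dst_port))
        return True

    def matches_everything(self):
        return (self.protocol == "ip" and self.src[1] == ALL[1]
                and self.dst[1] == ALL[1])


def evaluate(rules, pkt):
    """Return (rule number, action) of the first matching rule, or None."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number, rule.action
    return None


def lint(rules):
    """Flag a rule left at its defaults and every rule it shadows."""
    findings, catch_all = [], None
    for rule in sorted(rules, key=lambda r: r.number):
        if catch_all is not None:
            findings.append((rule.number, f"never reached: shadowed by rule {catch_all}"))
        elif rule.matches_everything():
            catch_all = rule.number
            if rule.action == "permit":
                findings.append((rule.number, "permits every packet"))
    return findings


# Constructed advanced ACL (number in the 3000-3999 range), rule step 5.
ACL_3001 = [
    Rule(5, "tcp", "deny", src=("10.1.0.0", "0.0.255.255"),
         dst=("192.168.10.5", "0.0.0.0"), dst_port=("equal", 23)),
    Rule(10, "tcp", "permit", src=("10.1.2.0", "0.0.0.255"),
         dst=("192.168.10.0", "0.0.0.255"), dst_port=("range", 22, 443)),
    Rule(15, "ip"),  # only the protocol was chosen; everything else left at defaults
    Rule(20, "udp", "deny", dst_port=("smaller", 1024)),
]

if __name__ == "__main__":
    dns = {"proto": "udp", "src": "172.16.0.1", "dst": "192.168.10.5",
           "sport": 5353, "dport": 53}
    print(evaluate(ACL_3001, dns))   # decided by rule 15, so rule 20 is never consulted
    print(lint(ACL_3001))
```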

Procedure
• Query an ACL.
1. Choose ACL > ACL in the navigation tree to open the ACL Configuration page.
2. Set the search criteria.
3. Click Query to display all matching records.
• Create an ACL.
1. Choose ACL > ACL in the navigation tree to open the ACL Configuration page.
2. Click New to open the Create ACL page.
3. Click the ACL tab, as shown in Figure 3-173.

Figure 3-173 Creating an ACL

Table 3-145 describes the parameters on the page.


Table 3-145 Parameters for creating an ACL

Parameter: ACL Type
Description: Indicates the ACL type, including:
• Basic ACL
• Advanced ACL
• Layer 2 ACL
• User ACL

Parameter: IP Version
Description: To create an IPv4 or IPv6 ACL, click the IPv4 or IPv6 check box.
NOTE
If you select Layer 2 ACL or User ACL, the IP version cannot be set.

Parameter: ACL ID > ACL Number
Description: Indicates the number of an ACL. It identifies an ACL. The value of the ACL number
is an integer, including:
• 2000-2999: basic ACL
• 3000-3999: advanced ACL
• 4000-4999: Layer 2 ACL
• 6000-9999: User ACL
NOTE
• When you modify an ACL, the ACL number cannot be changed.
• An ACL number or ACL name is required to identify an ACL.
• When the unified NAC mode is configured, user ACLs can be configured on the device.

Parameter: ACL ID > ACL Name
Description: Indicates the name of an ACL. The ACL name must be unique.
NOTE
• The ACL name is a string starting with a letter. Spaces are not allowed.
• An ACL number or ACL name is required to identify an ACL.
• When you modify an ACL, the ACL name cannot be changed.

Parameter: Step
Description: Indicates the interval between two rule IDs.
NOTE
The Step text box is unavailable after you set IP Version to IPv6.

Parameter: ACL Description
Description: Indicates the description of an ACL. This parameter is optional.
NOTE
The ACL Description text box of the ACL is unavailable after you set IP Version to IPv6.

4. Click Apply.
5. Click the Rules tab.
If the ACL is a basic ACL, the rule page is displayed, as shown in Figure 3-174.

Figure 3-174 Creating a basic ACL

Table 3-146 describes the parameters for creating a basic ACL.

Table 3-146 Parameters for creating a basic ACL

Parameter: Rule Number
Description: Indicates the number of a rule.
NOTE
If you do not specify a rule number, the system automatically allocates a number for the rule.
The rule number cannot be changed.

Parameter: Action
Description: Indicates whether to permit or deny packets. The default action is to permit.

Parameter: Log
Description: Indicates whether to record logs when packets are permitted. To record logs when
packets are permitted, click the check box.

Parameter: Match IP > All Source IP
Description: Indicates that packets from any source IP address are permitted.

Parameter: Match IP > Specify Source IP
Description: Enter the specified IP address and the wildcard. By default, all source IP
addresses are specified.
NOTE
• To create an IPv4 ACL, enter the wildcard.
• To create an IPv6 ACL, enter the prefix length.

Parameter: Time Range Name
Description: Click Select to set the time range name.
NOTE
The time range name is displayed on the configuration result page.

Parameter: Fragment
Description: Indicates that the rule is valid for only non-initial fragments.

NOTE

• The rule page displays all the rules of the ACL. Click a record to view the details about the
  record or modify the record. To deselect a record, click it again. You can add rules on the
  rule page.
• When you modify the ACL rule, the ACL ID and rule number cannot be modified.
If the ACL is an advanced ACL, the rule page is displayed, as shown in Figure 3-175.

Figure 3-175 Creating an advanced ACL


Table 3-147 describes the parameters for creating an advanced ACL.

Table 3-147 Parameters for creating an advanced ACL

Parameter: Rule Number
Description: Indicates the number of a rule.
NOTE
If you do not specify a rule number, the system automatically allocates a number for the rule.
The rule number cannot be changed.

Parameter: Action
Description: Indicates whether to permit or deny packets. The default action is to permit.

Parameter: Log
Description: Indicates whether to record logs when packets are permitted.

Parameter: Protocol Type
Description: Indicates the type of the protocol. This parameter is mandatory. The advanced IPv4
ACL supports the following protocols:
• IGMP
• GRE
• IP
• IPINIP
• OSPF
• TCP
• UDP
• ICMP
• Custom
NOTE
The text box is valid only when the protocol type can be defined by users.
The advanced IPv6 ACL supports the following protocols:
• GRE
• ICMPv6
• IPv6
• OSPF
• TCP
• UDP
• Custom
NOTE
The text box is valid only when the protocol type can be defined by users.

Parameter: ICMP Parameters (Type/Code), ICMPv6 Parameters (Type/Code)
Description: Indicates the type and code of ICMP/ICMPv6 packets, which are valid only when the
protocol of packets is ICMP/ICMPv6. If this parameter is not specified, all types of
ICMP/ICMPv6 packets are matched. The ICMP/ICMPv6 packets can be matched based on:
• Type: filters packets based on ICMP/ICMPv6 message type.
• Code: indicates the message code of the ICMP/ICMPv6 message type.

Parameter: Match IP > All Source IP
Description: Indicates that packets from any source IP address are permitted.

Parameter: Match IP > Specify Source IP
Description: Enter the specified IP address and the wildcard. By default, all source IP
addresses are specified.
NOTE
• To create an IPv4 ACL, enter the wildcard.
• To create an IPv6 ACL, enter the prefix length.

Parameter: Match IP > All Destination IP
Description: Indicates that packets to any destination IP address are permitted.

Parameter: Match IP > Point Destination IP
Description: Enter the specified IP address and the wildcard. By default, all destination IP
addresses are specified.
NOTE
• To create an IPv4 ACL, enter the wildcard.
• To create an IPv6 ACL, enter the prefix length.

Parameter: Match Port > Source Port
Description: This parameter is valid only when the protocol type is TCP or UDP. If this
parameter is not specified, TCP or UDP packets with any source port are matched.
Select a matching source port from the drop-down list box. The value can be equal, greater,
smaller, or in the range. Enter the TCP or UDP port number in the text box.

Parameter: Match Port > Destination Port
Description: This parameter is valid only when the protocol type is TCP or UDP. If this
parameter is not specified, TCP or UDP packets with any destination port are matched.
Select a matching destination port from the drop-down list box. The value can be equal,
greater, smaller, or in the range. Enter the TCP or UDP port number in the text box.

Parameter: Match Priority > IP Precedence
Description: Indicates that packets are filtered based on the precedence field. By default,
this parameter is empty.
NOTE
This parameter cannot be configured in advanced IPv6 ACLs on the S1720, S2720, S2750, S5700LI,
and S5700S-LI switches.

Parameter: Match Priority > DSCP Value
Description: Specifies the Differentiated Services Code Point (DSCP).
NOTE
• If you set the IP precedence or TOS, the DSCP priority cannot be set.
• If you set the DSCP priority, the IP precedence or TOS cannot be set.
• This parameter cannot be configured in advanced IPv6 ACLs on the S1720, S2720, S2750,
  S5700LI, and S5700S-LI switches.

Parameter: Match Priority > TOS
Description: Indicates that packets are filtered based on the type field.
NOTE
This parameter cannot be configured in advanced IPv6 ACLs on the S1720, S2720, S2750, S5700LI,
and S5700S-LI switches.

Parameter: Time Range Name
Description: Click Select to set the time range name.
NOTE
The time range name is displayed on the configuration result page.

Parameter: Fragment
Description: Indicates that the rule is valid for only non-initial fragments.

NOTE

l The rule page displays all the rules of the ACL. Click a record to view the details about the
record or modify the record. To deselect a record, click it again. You can add rules on the
rule page.
l When you modify the ACL rule, the ACL ID and rule number cannot be modified.
If the ACL is a Layer 2 ACL, the rule page is displayed, as shown in Figure 3-176.

Figure 3-176 Creating a Layer 2 ACL rule

Table 3-148 describes the parameters for creating a Layer 2 ACL.

Table 3-148 Parameters for creating a Layer 2 ACL rule

Parameter Description

Rule Number Indicates the number of a rule.
NOTE
If you do not specify a rule number, the system
automatically allocates a number for the rule. The
rule number cannot be changed.

Action Indicates whether to permit or deny packets.
The default action is to permit.

Match MAC Source MAC Indicates the source MAC address used by
the ACL rule. The value is in H-H-H format.

Mask Indicates the mask of the source MAC
address used by the ACL rule. The value is
in the format H-H-H. The default value
contains only Fs.

Destination MAC Indicates the destination MAC address used
by the ACL rule. The value is in H-H-H
format.


Mask Indicates the mask of the destination MAC
address used by the ACL rule. The value is
in the format H-H-H. The default value
contains only Fs.

Match Protocol Type Packet Encapsulation Format Indicates the encapsulation format of
protocol packets. The value can be Ethernet
II, 802.3, or SNAP.

Layer 2 Protocol Indicates the type of Layer 2 protocols.

Layer 2 Protocol Mask Indicates the mask of the Layer 2 protocol.

Source VLAN ID Indicates the source VLAN ID.

Source VLAN ID Mask Indicates the mask of the source VLAN ID.
The value is in hexadecimal notation. It
ranges from 0 to 0xFFF. The default value is
0xFFF.

802.1p Priority Indicates the 802.1p priority of the ACL. By
default, this parameter is empty.

Time Range Name Click Select to set the time range name.
NOTE
The time range name is displayed on the
configuration result page.

NOTE

- The rule page displays all the rules of the ACL. Click a record to view the details about the
record or modify the record. To deselect a record, click it again. You can add rules on the
rule page.
- When you modify the ACL rule, the ACL ID and rule number cannot be modified.

If the ACL is a user ACL, the rule page is displayed, as shown in Figure 3-177.

Figure 3-177 Creating a user ACL

Table 3-149 describes the parameters for creating a user ACL.

Table 3-149 Parameters for creating a user ACL

Parameter Description

Rule Number Indicates the number of a rule.
NOTE
If you do not specify a rule number, the system
automatically allocates a number for the rule. The
rule number cannot be changed.

Action Indicates whether to permit or deny packets.
The default action is to permit.


Protocol Type Indicates the type of the protocol. This
parameter is mandatory. The user ACL
supports the following protocols:
- IGMP
- GRE
- IP
- IPINIP
- OSPF
- TCP
- UDP
- ICMP
- Custom
NOTE
The text box is valid only when the protocol
type can be defined by users.

ICMP Parameters (Type/Code) Indicates the type and code of ICMP packets,
which are valid only when the protocol of
packets is ICMP. If this parameter is not
specified, all types of ICMP packets are
matched. The ICMP packets can be matched
based on:
- Type: filters packets based on ICMP
message type.
- Code: indicates the message code of the
ICMP message type.

Matched IP Address or UCL Group All source IP addresses and UCL groups Indicates that packets from any source IP
address or source UCL groups are permitted.

Specify Source IP Enter the specified IP address and the
wildcard. By default, all source IP addresses
are specified.

Specified source UCL group Click Select to specify a source UCL group.
NOTE
The source UCL group names are displayed on the
result page displayed by choosing Security > Ucl
Group.

All destination IP addresses and UCL groups Indicates that packets from any destination IP
address or destination UCL groups are
permitted.

Point Destination IP Enter the specified IP address and the
wildcard. By default, all destination IP
addresses are specified.


Specified destination UCL group Click Select to specify a destination UCL
group.
NOTE
The destination UCL group names are displayed
on the result page displayed by choosing
Security > Ucl Group.

Match Port Source Port This parameter is valid only when the
protocol type is TCP or UDP. If this
parameter is not specified, TCP or UDP
packets with any source port are matched.
Select a matching source port from the drop-
down list box. The value can be equal,
greater, smaller, or in the range. Enter the
TCP or UDP port number in the text box.

Destination Port This parameter is valid only when the
protocol type is TCP or UDP. If this
parameter is not specified, TCP or UDP
packets with any destination port are
matched.
Select a matching destination port from the
drop-down list box. The value can be equal,
greater, smaller, or in the range. Enter the
TCP or UDP port number in the text box.

Time Range Name Click Select to set the time range name.
NOTE
The time range name is displayed on the
configuration result page.

NOTE

- The rule page displays all the rules of the ACL. Click a record to view the details about the
record or modify the record. To deselect a record, click it again. You can add rules on the
rule page.
- When you modify the ACL rule, the ACL ID and rule number cannot be modified.

6. Click the Action tab, as shown in Figure 3-178.
NOTE

When creating a user ACL, you do not need to configure the actions.

Figure 3-178 Creating an ACL action

The appearance of the S5720HI is as follows:

The appearance of the S1720, S2720, S2750, S5700LI, and S5700S-LI is as follows:

Table 3-150 describes the parameters on the page.

Table 3-150 Parameters for creating an ACL action

Parameter Description

Flow Filter Indicates whether to enable the Flow Filter.
This parameter is optional.

Traffic Statistics Indicates whether to enable the traffic
statistics. The value can be Enable or
Disable. By default, the value is Disable.

Configure Traffic Policing CIR Specifies the committed information rate
(CIR), which is the allowed rate at which
traffic can pass through.

PIR Specifies the peak information rate (PIR),
which is the maximum rate at which traffic
can pass through.
NOTE
- The value of PIR cannot be smaller than the
value of CIR. By default, the value of PIR is
equal to the value of CIR.

CBS Specifies the committed burst size (CBS),
which is the committed burst volume of
traffic that can pass through.

PBS Specifies the peak burst size (PBS), which is
the peak burst volume of traffic that can pass
through.

Green Packets Green Packets Indicates whether green packets are allowed
to pass through. The action can be pass or
discard. By default, the action is pass.
NOTE
This parameter cannot be modified on the S1720, S2720,
S2750, S5700LI, and S5700S-LI switches.

Re-mark 802.1P Priority Indicates whether to re-mark the 802.1p
priority.
NOTE
The S1720, S2720, S2750, S5700LI, and S5700S-
LI switches do not support this parameter.

Re-mark DSCP Priority Indicates whether to re-mark the DSCP
priority.
NOTE
The S1720, S2720, S2750, S5700LI, and S5700S-
LI switches do not support this parameter.

Yellow Packets Yellow Packets Indicates whether yellow packets are allowed
to pass through. The action can be pass or
discard. By default, the action is pass.


Re-mark 802.1P Priority Indicates whether to re-mark the 802.1p
priority.
NOTE
The S5720HI does not support this parameter.

Re-mark DSCP Priority Indicates whether to re-mark the DSCP
priority.
NOTE
The S5720HI does not support this parameter.

Red Packets Red Packets Indicates whether red packets are allowed to
pass through. The action can be pass or
discard. By default, the action is discard.

Re-mark 802.1P Priority Indicates whether to re-mark the 802.1p
priority.
NOTE
The S5720HI does not support this parameter.

Re-mark DSCP Priority Indicates whether to re-mark the DSCP
priority.
NOTE
The S5720HI does not support this parameter.

Configure Re-mark Action 802.1P Priority Select the check box of 802.1p to configure
the 802.1p priority.

Local Priority Select the check box of the local priority to
configure the local priority.
NOTE
You cannot set both the 802.1p priority and the
local priority for redirection in a traffic behavior.

IP Priority Select the check box of the IP precedence to
configure the IP precedence.

DSCP Priority Select the check box of DSCP to configure
the DSCP priority.

Destination MAC Select the corresponding check box to
configure the destination MAC address.
The value is in the format H-H-H.
NOTE
The S1720, S2720, S2750, S5700LI, and S5700S-
LI switches do not support this parameter.

VLAN ID Select the check box of VLAN ID to
configure VLAN ID.


Inner VLAN Select the check box of the inner VLAN to
configure the inner VLAN.
NOTE
The S1720, S2720, S2750, S5700LI, and S5700S-
LI switches do not support this parameter.

Configure Redirection Action CPU Indicates that packets are redirected to the
CPU.

Redirect to Interface Indicates the interface where packets are
redirected, for example, GigabitEthernet
0/0/1.

Redirect to Next Hop IP 1. Select an IP address type. The value can
be IPv4 and IPv6.
2. Configure the redirected next hop address
according to the IP address type.
NOTE
- You cannot configure both the next hop
address where packets are redirected and the
re-marked destination MAC address.
- The S1720, S2720, S2750, S5700LI, and
S5700S-LI switches do not support this
parameter.

7. Click the Apply tab.

NOTE

When creating a user ACL, you do not need to click Apply.

If the object is interface, the Target field is displayed as Interface, as shown in
Figure 3-179.

Figure 3-179 Applying an ACL to an interface

Table 3-151 describes the parameters on the page.

Table 3-151 Parameters for applying an ACL to an interface

Parameter Description

Name Indicates all the interfaces on the device.

Inbound - You can select all ACLs. You can specify all
inbound interfaces by clicking the check
boxes of all inbound interfaces.
- You can select an ACL. You can specify an
inbound interface by clicking the check box
of an inbound interface.
- You can select multiple interfaces. You can
specify multiple inbound interfaces by
clicking the check boxes of multiple inbound
interfaces.


Outbound - You can select all ACLs. You can select all
outbound interfaces by clicking the check
box of all outbound interfaces.
- You can select an ACL. You can specify an
outbound interface by clicking the check box
of an outbound interface.
- You can select multiple interfaces. You can
specify multiple outbound interfaces by
clicking the check boxes of multiple
outbound interfaces.
NOTE
You can select the inbound and outbound interfaces
or one of them at one time.

If the object is interface, the Target field is displayed as Global, as shown in
Figure 3-180.

Figure 3-180 Applying an ACL globally

Table 3-152 describes the parameters on the page.

Table 3-152 Parameters for applying an ACL globally

Parameter Description

VLAN ID - If the check box of VLAN is not selected and
the VLAN ID text box is not available, the
ACL is not applied to any VLAN.
- If the check box of VLAN is selected, the
ACL is applied to VLAN.

Direction NOTE
You can select the inbound and outbound interfaces
or one of them at one time.

8. Set parameters on each tab page.
9. Click OK.

NOTE

- After the ACL is created, ACL rules are configured, and the action has been applied by
clicking Apply on the Action tab page, the ACL can be successfully applied to an interface
or globally.
- If the ACL is not created, the system prompts you to create the ACL when you click
Apply on the Rules tab page.
- If the ACL is not created, the system prompts you to create the ACL when you click
Apply on the Apply tab page.
- The Action and Apply tabs are unavailable for configuring user ACLs.

- Edit an ACL.
1. Choose ACL > ACL in the navigation tree to open the ACL Configuration page.
2. Click the icon to open the Edit ACL page.
3. Click the ACL tab, as shown in Figure 3-181.

Figure 3-181 Editing an ACL

NOTE

- Table 3-145 describes the parameters on the page.
- The ACL type and ACL identifier cannot be modified.
- The IPv6 ACL cannot be modified.

4. Click the Rules tab. The procedure for modifying a rule is similar to the procedure
for creating a rule.
5. Click the Action tab. The Action tab page does not display the created action. The
procedure for modifying a rule is similar to the procedure for creating a rule.
6. Click the Apply tab. The Apply tab page displays the object to which the rule is
applied.
NOTE

- The Apply tab page displays the object to which the ACL is applied.
- If an action is created, the new action will replace the original action and be delivered to
objects when you click the Apply tab.

7. Modify the configuration parameters on the tab page.
8. Click OK.
- Delete an ACL.

1. Choose ACL > ACL in the navigation tree to open the ACL Configuration page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE

- To select a record, click the check box of the record.
- To delete records in batches, click the check boxes of the records.

3. Click OK. If the operation succeeds, the system returns to the ACL Configuration
page; otherwise, an error message is displayed.
- Check basic ACL objects.
1. Choose ACL > ACL in the navigation tree to open the ACL Configuration page.
2. Select a record that you want to check and click Objects to open the Object List
page, as shown in Figure 3-182.
NOTE

The basic ACL object list does not contain user ACLs.

Figure 3-182 Object list

Table 3-153 describes the parameters on the page.

Table 3-153 Checking basic ACL objects

Parameter Description

Object Name Indicates all objects that this ACL is
applied to.

ACL Indicates all ACLs applied to this object.

- Delete basic ACL objects.
1. Choose ACL > ACL in the navigation tree to open the ACL Configuration page.
2. Select the ACL whose objects you want to delete and click Objects to open the Object
List page.

3. Select the object name and click Delete. The system asks you whether to delete the
record.
4. Click OK.

----End

3.10 QoS
This chapter describes the implementation principle of class-based QoS, and configuration
methods of traffic management, interface-based rate limit, traffic shaping, priority mapping, and
congestion management.

By matching packets with the rules, the class-based QoS technology groups the packets sharing
common features into one class and provides the same QoS level for traffic of the same type. In
this manner, the class-based QoS technology provides differentiated services.

3.10.1 Traffic Management


The following sections describe the configuration methods of class-based QoS traffic
management, including the configurations of the traffic classifier, traffic behavior, traffic policy,
and application of the traffic policy.

3.10.1.1 Traffic Classifier


A traffic classifier is used to identify packets with certain features according to rules, and is the
prerequisite and basis for providing differentiated services.

Context
By matching packets with the rules, the class-based QoS technology classifies packets according
to certain rules and provides the same QoS level for traffic of the same type. In this manner, the
class-based QoS technology provides differentiated services. A traffic classifier matches the
packet header information with certain rules so that the packets sharing common features are
grouped into one class.

Procedure
- Create a traffic classifier.
1. Choose QoS > Traffic Management > Traffic Classifier in the navigation tree to
open the Traffic Classifier page.
2. Click New to open the Create Traffic Classifier page, as shown in Figure 3-183.

Figure 3-183 Create Traffic Classifier

Table 3-154 describes the parameters on the Create Traffic Classifier page.

Table 3-154 Create Traffic Classifier

Parameter Description

Classifier Name Indicates the name of a traffic classifier.
This parameter is mandatory.

Relation Between Rules Indicates the relationship between rules,
which can be AND or OR. By default,
the value is AND.

3. Set parameters.
4. Click OK.
- Modify Traffic Classifier
1. Choose QoS > Traffic Management > Traffic Classifier in the navigation tree to
open the Traffic Classifier page.
2. Click to open the Modify Traffic Classifier page, as shown in Figure 3-184.

Figure 3-184 Modify Traffic Classifier

NOTE

- Table 3-154 describes the parameters on the Modify Traffic Classifier page.
- The traffic classifier name cannot be modified.

3. Set parameters.
4. Click OK.
- Delete a traffic classifier.
1. Choose QoS > Traffic Management > Traffic Classifier in the navigation tree to
open the Traffic Classifier page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE
When you delete a traffic classifier, the matching rule in the traffic classifier is also deleted.
3. Click OK.
- Add rules to the traffic classifier.
1. Choose QoS > Traffic Management > Traffic Classifier in the navigation tree to
open the Traffic Classifier page.
2. Select the traffic classifier in which rules need to be added and click New to open the
Add Rules of Classifier page, as shown in Figure 3-185.

Figure 3-185 Add Rules of Classifier

Table 3-155 describes the parameters on the Add Rules of Classifier page.

Table 3-155 Add Rules of Classifier

Parameter Description

Classifier Name Indicates the name of a traffic classifier, which is
set by the user.

Relation Between Rules Indicates the relationship between rules, which is
set by the user.

Match all packets Indicates that all the packets are matched.

Match discarded packets Indicates that discarded packets are matched.
NOTE
The S1720, S2720, S2750, S5700LI and S5700S-LI
switches do not support this parameter.


Match L2 protocol Indicates the matching rule based on the Layer 3
protocol type (Layer 2 encapsulated protocol
fields), including:
- arp
Indicates the ARP protocol.
- ip
Indicates the IP protocol.
- rarp
Indicates the RARP protocol.

Match IP protocol Indicates the matching IP protocol, which can be
IPv4 or IPv6.

Match Priority DSCP Indicates the matching rule based on DSCP
priorities.

IP Priority Indicates the value of the IP precedence.
When the relationship between rules in the traffic
classifier is OR, you can configure up to eight IP
precedences in a traffic classifier. If packets
match one IP precedence, they match the traffic
classifier. When the relationship between rules in
the traffic classifier is AND, if you configure
multiple IP precedences, only the first IP
precedence takes effect.

VLAN8021p Indicates the matching rule based on 802.1p
priorities of VLAN packets.

Inner VLAN 8021p Indicates the matching rule based on 802.1p
priorities in inner VLAN tags of QinQ packets.
NOTE
The S1720, S2720, S2750, S5700LI and S5700S-LI
switches do not support this parameter.

Match VLAN Start VLAN Indicates the start outer VLAN ID.

End VLAN Indicates the end outer VLAN ID.

Inner VLAN Indicates the inner VLAN ID.
NOTE
The S1720, S2720, S2750, S5700LI and S5700S-LI
switches do not support this parameter.

Match MAC Source MAC Indicates the matching rule based on source MAC
addresses.
The value is in the format H-H-H. Each H
represents four hexadecimal digits.


Destination MAC Indicates the matching rule based on destination
MAC addresses.
The value is in the format H-H-H. Each H
represents four hexadecimal digits.

Mask Indicates the mask of the source MAC address.
The value is in the format H-H-H. Each H
represents four hexadecimal digits. If this
parameter is not specified, the default value is
FFFF-FFFF-FFFF. That is, all the MAC
addresses are matched.

Match Interface Outgoing Indicates the matching rule based on outbound
interfaces, for example, GigabitEthernet0/0/1.
NOTE
- This matching rule takes effect for only unicast
packets.
- The outbound interface for classifying traffic must
be different from the inbound interface where the
traffic policy is applied; otherwise, the traffic
policy cannot be used.
- The S1720, S2720, S2750, S5700LI and S5700S-
LI switches do not support this parameter.

Incoming Indicates the matching rule based on inbound
interfaces, for example, GigabitEthernet0/0/1.

Match ACL ACL IPv4 Indicates the matching rule based on IPv4 ACLs.
Click Select ACL to select ACLs. You can select
multiple ACLs.

ACL IPv6 Indicates the matching rule based on IPv6 ACLs.
Click Select ACL to select ACLs. You can select
multiple ACLs.

NOTE

The sequence of matching rules in a traffic classifier affects the flow matching sequence.
For example, if the matching rules based on 802.1p priorities of VLAN packets and inner
VLAN tags are set, the system first matches flows with 802.1p priorities of VLAN packets and
then inner VLAN tags. If multiple matching rules are configured, the system matches flows
according to the matching rules one by one.
3. Set parameters.
4. Click OK.
- Delete rules.
1. Choose QoS > Traffic Management > Traffic Classifier in the navigation tree to
open the Traffic Classifier page.

2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.

----End

3.10.1.2 Traffic Behavior


A traffic behavior contains actions of traffic policing, re-marking, redirection, and traffic
statistics. You can configure the traffic behavior as required.

Context
The switch supports traffic behaviors of traffic policing, re-marking, redirection, and traffic
statistics.

Procedure
- Create a traffic behavior.
1. Choose QoS > Traffic Management > Traffic Behavior in the navigation tree to
open the Traffic Behavior page.
2. Click New to open the Create Traffic Behavior page, as shown in Figure 3-186.

Figure 3-186 Create Traffic Behavior

Table 3-156 describes the parameters on the Create Traffic Behavior page.

Table 3-156 Create Traffic Behavior

Parameter Description

Behavior Name Indicates the name of a traffic behavior. This
parameter is mandatory.

Action Indicates the traffic action used to control
packets. The action can be deny, permit or
none. By default, the action is none.

Traffic Statistics Indicates whether to enable the traffic statistics.
The value can be Enable or Disable. By
default, the value is Disable.

Configure Traffic Policing CIR Indicates the CIR, which is the allowed rate at
which traffic can pass through.

PIR Indicates the PIR, which is the peak rate at
which traffic can pass through.
NOTE
The value of PIR cannot be smaller than the value of
CIR. By default, the value of PIR is equal to the value
of the CIR.

CBS Specifies the committed burst size (CBS),
which is the average volume of burst traffic that
can pass through an interface.

PBS Specifies the peak burst size (PBS), which is the
maximum volume of burst traffic that can pass
through an interface.
The default value of PBS is related to the value
of PIR.

Green Packets Green Packets Indicates whether green packets are allowed to
pass through. The action can be pass or
discard. By default, the action is pass.
NOTE
This parameter cannot be modified on the S1720, S2720,
S2750, S5700LI and S5700S-LI switches.

Re-mark 8021P Priority Indicates the re-marked 802.1p priority.
NOTE
The S1720, S2720, S2750, S5700LI and S5700S-LI
switches do not support this parameter.

Re-mark DSCP Priority Indicates Re-mark DSCP Priority.
NOTE
The S1720, S2720, S2750, S5700LI and S5700S-LI
switches do not support this parameter.

Yellow Packets Yellow Packets Indicates whether yellow packets are allowed
to pass through. The action can be pass or
discard. By default, the action is pass.


Re-mark 8021P Priority Indicates the re-marked 802.1p priority.

Re-mark DSCP Priority Indicates Re-mark DSCP Priority.

Red Packets Red Packets Indicates whether red packets are allowed to
pass through. The action can be pass or
discard. By default, the action is discard.

Re-mark 8021P Priority Indicates the re-marked 802.1p priority.

Re-mark DSCP Priority Indicates Re-mark DSCP Priority.

Configure Re-mark Action 8021P Priority Indicates the 802.1p priority.

Local Priority Indicates the local priority.
NOTE
You cannot set both the 802.1p priority and the local
priority for redirection in a traffic behavior.

DSCP Priority Indicates the DSCP priority.

VLAN ID Indicates the VLAN ID.

Inner VLAN Indicates the inner VLAN ID.
NOTE
The S1720, S2720, S2750, S5700LI and S5700S-LI
switches do not support this parameter.

Configure Redirection Action Redirect to Interface Indicates the interface where packets are
redirected, for example, Ethernet0/0/1.

Redirect to Next Hop IP Indicates the next hop address where packets
are redirected, for example, 10.10.10.1.
NOTE
You cannot configure both the next hop address
where packets are redirected and the re-marked
destination MAC address.

NOTE
The S1720, S2720, S2750, S5700LI and S5700S-LI
switches do not support this parameter.

cpu Indicates that packets are redirected to the CPU.

3. Set parameters.
NOTE

To delete configuration of an item, deselect the checkbox of the item.

4. Click OK.
- Modify a traffic behavior.
1. Choose QoS > Traffic Management > Traffic Behavior in the navigation tree to
open the Traffic Behavior page.
2. Click to open the Modify Traffic Behavior page, as shown in Figure 3-187.

Figure 3-187 Modify Traffic Behavior

NOTE

The traffic classifier name cannot be modified.

3. Set parameters.
4. Click OK.
- Delete a traffic behavior.
1. Choose QoS > Traffic Management > Traffic Behavior in the navigation tree to
open the Traffic Behavior page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.

----End
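
The traffic policing parameters in Table 3-150 and Table 3-156 (CIR, PIR, CBS, PBS and the per-color actions) can be modeled as follows. This is an added example, not Huawei code: it assumes a color-blind two-rate three-color marker in the style of RFC 2698, rates in kbit/s, burst sizes in bytes, and time in milliseconds; the class and function names are made up for illustration.

```python
from dataclasses import dataclass, field

# Defaults stated in the tables: green pass, yellow pass, red discard.
DEFAULT_ACTIONS = {"green": "pass", "yellow": "pass", "red": "discard"}


@dataclass
class TwoRateMarker:
    """Color-blind two-rate three-color marker (RFC 2698 style).

    Assumed units (not stated on the page): rates in kbit/s, burst sizes
    in bytes, time in integer milliseconds. Buckets are kept in bits so
    that all arithmetic stays exact.
    """
    cir_kbps: int
    cbs_bytes: int
    pbs_bytes: int
    pir_kbps: int = 0                       # 0 means "not configured"
    actions: dict = field(default_factory=lambda: dict(DEFAULT_ACTIONS))

    def __post_init__(self):
        if self.pir_kbps == 0:
            self.pir_kbps = self.cir_kbps   # page: PIR defaults to CIR
        if self.pir_kbps < self.cir_kbps:
            raise ValueError("PIR cannot be smaller than CIR")
        self._c_max = self.cbs_bytes * 8
        self._p_max = self.pbs_bytes * 8
        self._c = self._c_max               # both buckets start full
        self._p = self._p_max
        self._last_ms = 0

    def _refill(self, now_ms):
        if now_ms < self._last_ms:
            raise ValueError("arrival times must not go backwards")
        elapsed = now_ms - self._last_ms
        self._last_ms = now_ms
        # kbit/s multiplied by ms gives bits
        self._c = min(self._c_max, self._c + self.cir_kbps * elapsed)
        self._p = min(self._p_max, self._p + self.pir_kbps * elapsed)

    def police(self, now_ms, size_bytes):
        """Return (color, action) for one packet arriving at now_ms."""
        self._refill(now_ms)
        bits = size_bytes * 8
        if self._p < bits:
            color = "red"                   # exceeds the peak bucket
        elif self._c < bits:
            self._p -= bits
            color = "yellow"                # within PIR, above CIR
        else:
            self._p -= bits
            self._c -= bits
            color = "green"                 # within CIR
        return color, self.actions[color]


def police_arrivals(marker, arrivals):
    """Run a list of (time_ms, size_bytes) arrivals through the marker."""
    return [marker.police(t, size) for t, size in arrivals]


# Constructed sample: a burst of eight 1000-byte packets at t=0 ms,
# followed by one more packet 8 ms later.
SAMPLE_ARRIVALS = [(0, 1000)] * 8 + [(8, 1000)]


def demo():
    """Same traffic under the default actions and with yellow set to discard."""
    default = TwoRateMarker(cir_kbps=1000, pir_kbps=2000,
                            cbs_bytes=3000, pbs_bytes=6000)
    strict = TwoRateMarker(cir_kbps=1000, pir_kbps=2000,
                           cbs_bytes=3000, pbs_bytes=6000,
                           actions={**DEFAULT_ACTIONS, "yellow": "discard"})
    return (police_arrivals(default, SAMPLE_ARRIVALS),
            police_arrivals(strict, SAMPLE_ARRIVALS))


if __name__ == "__main__":
    for (color, action), (_, strict_action) in zip(*demo()):
        print(f"{color:6} default={action:7} yellow-discard={strict_action}")
```

With the default actions, only the red packets of the burst are dropped; setting the yellow action to discard caps the flow at the committed rate instead of the peak rate.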

3.10.1.3 Traffic Policy


A traffic policy is a QoS policy in which traffic classifiers are bound to traffic behaviors.

Procedure
- Create a traffic policy.
1. Choose QoS > Traffic Management > Traffic Policy in the navigation tree to open
the Traffic Policy page.
2. Click New to open the Create Traffic Policy page, as shown in Figure 3-188.

Figure 3-188 Create Traffic Policy

Table 3-157 describes the parameters on the Create Traffic Policy page.

Table 3-157 Create Traffic Policy

Parameter Description

Policy Name Indicates the name of a traffic policy.
This parameter is mandatory.


Traffic Classifier Indicates the name of a traffic classifier.


NOTE
In a traffic policy, you can configure
multiple binding relationships between
traffic classifiers and traffic behaviors and
each traffic classifier can be bound to only
one traffic behavior.

Traffic Behavior Indicates the name of a traffic behavior.


NOTE
In a traffic policy, you can configure
multiple binding relationships between
traffic classifiers and traffic behaviors and
each traffic classifier can be bound to only
one traffic behavior.

3. Set parameters.
4. Click OK.
• Modify a traffic policy.
1. Choose QoS > Traffic Management > Traffic Policy in the navigation tree to open
the Traffic Policy page.
2. Click to open the Modify Traffic Policy page, as shown in Figure 3-189.

Figure 3-189 Modify Traffic Policy


NOTE

• Table 3-157 describes the parameters on the Modify Traffic Policy page.
• The traffic policy name cannot be modified.
3. Set parameters.
4. Click OK.
• Delete a traffic policy.
1. Choose QoS > Traffic Management > Traffic Policy in the navigation tree to open
the Traffic Policy page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE

• To select a record, click the check box of the record.
• To delete records in batches, click the check boxes of the records.
3. Click OK.

----End

3.10.1.4 Apply Traffic Policy


A traffic policy takes effect only after being applied.

Context
A traffic policy can be used on an interface, globally, or in a VLAN so that traffic classifiers
bound to traffic behaviors in the traffic policy are used on the interface, globally, or in the VLAN.

Procedure
• Query information about the traffic policy application.
1. Choose QoS > Traffic Management > Apply Traffic Policy in the navigation tree
to open the Apply Traffic Policy page.
2. Set the search criteria.
3. Click Query to display all matching records.
• Add a traffic policy application.
1. Choose QoS > Traffic Management > Apply Traffic Policy in the navigation tree
to open the Apply Traffic Policy page.
2. Click New to open the Add Traffic Policy Application page, as shown in Figure
3-190.


Figure 3-190 Add Traffic Policy Application-Interface

Figure 3-191 Add Traffic Policy Application-VLAN


Figure 3-192 Add Traffic Policy Application-Global

Table 3-158 describes the parameters on the Add Traffic Policy Application page.

Table 3-158 Add Traffic Policy Application

Parameter: Description
Target: Indicates the name of the configured traffic policy. The value can be interface, VLAN, or global.
  • If the traffic policy is applied to an interface, you need to select an interface on the displayed page, as shown in Figure 3-190.
  • If the traffic policy is applied to a VLAN, you need to enter the VLAN ID on the displayed page, as shown in Figure 3-191.
  • If the traffic policy is applied globally, the page for global application of the traffic policy is displayed, as shown in Figure 3-192.
inbound Direction: Indicates the inbound direction.
outbound Direction: Indicates the outbound direction.
Select Interface: Indicates the interface where the traffic policy is applied.


3. Set parameters.
4. Click OK.
• Delete a traffic policy application.
1. Choose QoS > Traffic Management > Apply Traffic Policy in the navigation tree
to open the Apply Traffic Policy page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE

• Click the check box of the selected record.
• You can also move records to the recycle bin in batches. That is, click the check boxes of
the records.
3. Click OK.

----End

3.10.2 Interface-based Rate Limit


The interface-based rate limit technology limits the rate of incoming and outgoing packets of an
interface.

3.10.2.1 View Rate Limit


You can view detailed information about interface-based rate limiting.

Context
You can select an interface to view the rate limiting information.

Procedure
Step 1 Choose QoS > Limit Rate. The Limit Rate page is displayed, as shown in Figure 3-193.

Step 2 Select one or all interfaces and click Query. Rate limit information is displayed.

Figure 3-193 Viewing rate limiting information on an interface


NOTE

You can select only one interface to query its rate limit.

----End

3.10.2.2 Configure Rate Limit


The interface-based rate limit function is used to limit the rate of outgoing traffic or incoming
traffic on a physical interface.

Context
Before sending traffic from an interface, you can configure rate limit on the interface in the
outbound direction. This function controls all outgoing packets.

Before sending traffic from an interface, you can configure rate limit on the interface in the
inbound direction. This function controls all incoming packets.

Procedure
Step 1 Choose QoS > Limit Rate. The Limit Rate page is displayed.

Step 2 Select the interface on which the rate limit needs to be set and click Configure. The Configure
Rate Limit page is displayed, as shown in Figure 3-194.

Figure 3-194 Configure Rate Limit


Table 3-159 describes the parameters on the Configure Rate Limit page.

Table 3-159 Configure Rate Limit

Parameter: Description
Interface Name: Name of the interface on which rate limit needs to be configured. You can select multiple interfaces.
Inbound CIR: Indicates the CIR in the inbound direction.
Inbound CBS: Indicates the CBS in the inbound direction.
Outbound CIR: Indicates the CIR in the outbound direction.
Outbound CBS: Indicates the CBS in the outbound direction.

Step 3 Click Inbound or Outbound and set the values of CIR and CBS.

Step 4 Click OK to complete the configuration.

Step 5 Select an interface where rate limiting needs to be deleted and click Cancel Limit to delete the
rate limiting configuration.

----End

3.10.3 Traffic Shaping


Traffic shaping is also called queue shaping and interface shaping. The queue shaping
technology limits traffic in a defined range by setting the shaping rate of packets of the entire
queue. This prevents downstream traffic congestion.

3.10.3.1 View Traffic Shaping


You can view traffic shaping information about an interface.

Context
• The switch supports queue shaping and interface shaping.
• You can select an interface to view the traffic shaping information. You can select only
one interface.

Procedure
Step 1 Choose QoS > Traffic Shaping > View Traffic Shaping in the navigation tree to open the
View Traffic Shaping page.

Step 2 Select any interface.

Step 3 The traffic shaping information about the interface is displayed, as shown in Figure 3-195.


Figure 3-195 Viewing traffic shaping information

NOTE

You can select only one interface.

----End

3.10.3.2 Configure Traffic Shaping


You can configure the traffic shaping function.

Context
When the rate of an interface on a downstream device is smaller than the rate of an interface on
an upstream device or the burst traffic occurs, traffic congestion may occur on the interface of
the downstream device. In this case, you can configure traffic shaping on the interface of the
upstream device in the outbound direction so that traffic is sent at an even rate and the congestion
problem of the downstream device is solved.

Procedure
Step 1 Choose QoS > Traffic Shaping > Configure Traffic Shaping in the navigation tree to open
the Configure Traffic Shaping page, as shown in Figure 3-196.


Figure 3-196 Configure Traffic Shaping

Table 3-160 describes the parameters on the Configure Traffic Shaping page.

Table 3-160 Configure Traffic Shaping

Parameter: Description
Select Interface: Indicates the interface where traffic shaping needs to be configured. You can select multiple interfaces.
Queues: Indicates the queue. You can select multiple queues.
CIR: Indicates the CIR.
PIR: Indicates the PIR of an interface. The default value is the bandwidth of the interface and the value cannot be smaller than the value of the CIR.

Step 2 Select the interfaces that you want to configure.

Step 3 Select the queue that you want to configure and set the values of CIR and PIR.
NOTE

If you do not select the queue, the configurations of the queue are deleted.

Step 4 Click Apply to complete the configuration.

----End


3.10.4 Congestion Management


To ensure that delay-sensitive services have higher QoS level than non-delay-sensitive services,
you can perform congestion management when temporary congestion occurs or increase
bandwidth when the network is always congested. Congestion management technology sends
flows of packets in queues by using queue scheduling technologies and scheduling
algorithms. The S1720, S2720, S2750, S5700LI, and S5700S-LI series switches do not support
this function.

3.10.4.1 View Scheduling


You can view the queue scheduling mode on an interface.

Context
Queue scheduling technologies include PQ scheduling, DRR scheduling and WRR scheduling.

Procedure
Step 1 Choose QoS > Congestion Management > View Scheduling in the navigation tree to open the
View Scheduling page.

Step 2 Select any interface.

Step 3 The scheduling configuration on the interface is displayed, as shown in Figure 3-197.

Figure 3-197 Viewing the scheduling configuration on an interface

NOTE

You can select only one interface.

----End


3.10.4.2 Configure Scheduling


When congestion occurs on a network, queue scheduling solves the resource preemption
problem among multiple packets.

Context
• Congestion management technology prevents intermittent congestion on networks by using
queue scheduling technologies.
• Queue scheduling technologies include PQ scheduling, DRR scheduling and WRR
scheduling.

Procedure
Step 1 Choose QoS > Congestion Management > Configure Scheduling in the navigation tree to
open the Configure Scheduling page, as shown in Figure 3-198.

Figure 3-198 Configure Scheduling

Table 3-161 describes the parameters on the Configure Scheduling page.

Table 3-161 Configure Scheduling

Parameter: Description
Select Interface: Indicates the interface where scheduling needs to be configured. You can select multiple interfaces.
Queues: Indicates the queue where scheduling needs to be configured.
Scheduling Mode: Indicates the queue scheduling mode, including:
  • PQ
    In PQ mode, the switch schedules packets based on priorities of queues in a strict manner. The weight is not used in this mode.
  • DRR
    In RR mode, the switch schedules packets circularly based on priorities of queues. Based on RR scheduling, DRR scheduling is used to schedule packet flows of all the queues according to the maximum bandwidth assigned by the switch to the queues.
  • WRR
    Based on DRR scheduling, WRR scheduling is used to schedule packet flows based on weights of queues.
  The default value is WRR.
  NOTE: WRR and DRR cannot be specified simultaneously.
Weight: Indicates the weight used to schedule packet flows in queues. When the scheduling mode is set to WRR or DRR, the weight can be configured.

Step 2 Select the interfaces that you want to configure.

Step 3 Set the scheduling mode and weight for the queue.

Step 4 Click Apply to complete the configuration.

----End

3.10.5 Priority Mapping


You can configure priority mappings and trusted interfaces.

3.10.5.1 Priority Mapping


You can configure priority mappings on switches.

Context
When packets are sent to the inbound or outbound interface of a device, the device determines
the queues and priorities of packets according to 802.1p, DSCP or the IP precedence field. The
S1720, S2720, S2750, S5700LI, and S5700S-LI switches support priority mappings for
incoming packets. The S5720H supports priority mappings for incoming packets and outgoing
packets.

Procedure
• Create a Diff-Serv domain name.
NOTE

You can create a Diff-Serv domain name on the S5720HI switch.


1. Choose QoS > Priority Mapping to open the Priority Mapping in Inbound
Direction page.
NOTE

• By default, the Diff-Serv domain name is default.
• A maximum of eight Diff-Serv domain names can be created.
• You can create a Diff-Serv domain name in the same way on the Priority Mapping in
Outbound Direction page.
2. Click New. The Create Priority Mapping in Inbound Direction page is displayed, as
shown in Figure 3-199.

Figure 3-199 Create Priority Mapping in Inbound Direction

Table 3-162 describes the parameters on the page.

Table 3-162 Create Priority Mapping in Inbound Direction

Parameter: Description
Diff-Serv Domain Name: The value is a string of 1 to 31 characters. This parameter is mandatory.
Select Mapping Type: Mapping types include 802.1p-to-internal Priority Mapping and DSCP-to-internal Priority Mapping.
Start 802.1p Priority of Incoming Packets: Indicates the start 802.1p priority ranging from 0 to 7. This parameter is mandatory.
End 802.1p Priority of Incoming Packets: Indicates the end 802.1p priority ranging from 0 to 7.
Internal Priority of Outgoing Packets: Indicates the internal priority including eight options. This parameter is mandatory.
Discard Priority of Outgoing Packets: Indicates the discard priority including Green Packets, Yellow Packets, and Red Packets. This parameter is mandatory.

NOTE

Select Mapping Type
• For example, select 802.1p-to-internal Priority Mapping as the default value.
• When DSCP-to-internal Priority Mapping is selected, the page displays a list including
Start DSCP Priority of Incoming Packets, End DSCP Priority of Incoming Packets,
Internal Priority of Outgoing Packets and Discard Priority of Outgoing Packets.
• The values of Start DSCP Priority and End DSCP Priority range from 0 to 63.
• The values of Internal Priority and Discard Priority are consistent with those of
802.1p-to-internal Priority Mapping.
3. Set parameters.
4. Click OK.
• Configure priority mapping.
Configure Priority Mapping in Inbound Direction. The S5720HI switch supports this
function.
1. Choose QoS > Priority Mapping > Priority Mapping in Inbound Direction to
open the Priority Mapping in Inbound Direction page.
2. Select a record and click Configure to open the Configure Priority Mapping in
Inbound Direction page, as shown in Figure 3-200.


Figure 3-200 Configure Priority Mapping in Inbound Direction

Table 3-163 describes the parameters on the page.

Table 3-163 Configure Priority Mapping in Inbound Direction

Parameter: Description
Diff-Serv Domain Name: Indicates the current Diff-Serv domain name. This parameter cannot be modified.
Select Mapping Type: Mapping types include 802.1p-to-internal Priority Mapping and DSCP-to-internal Priority Mapping.
Start 802.1p Priority of Incoming Packets: Indicates the start 802.1p priority ranging from 0 to 7. This parameter is mandatory.
End 802.1p Priority of Incoming Packets: Indicates the end 802.1p priority ranging from 0 to 7.
Internal Priority of Outgoing Packets: Indicates the internal priority including seven options. This parameter is mandatory.
Discard Priority of Outgoing Packets: Indicates the discard priority including Green Packets, Yellow Packets, and Red Packets. This parameter is mandatory.

NOTE

Select Mapping Type
• For example, select 802.1p-to-internal Priority Mapping as the default value.
• When DSCP-to-internal Priority Mapping is selected, the page displays a list including
Start DSCP Priority of Incoming Packets, End DSCP Priority of Incoming Packets,
Internal Priority of Outgoing Packets and Discard Priority of Outgoing Packets.
• The values of Start DSCP Priority and End DSCP Priority range from 0 to 63.
• The values of Internal Priority and Discard Priority are consistent with those of
802.1p-to-internal Priority Mapping.
3. Set parameters.
4. Click OK.
Configure Priority Mapping in Outbound Direction. The S5720HI switch supports this
function.
1. Choose QoS > Priority Mapping > Priority Mapping in Outbound Direction
to open the Priority Mapping in Outbound Direction page.
2. Select a record and click Configure to open the Configure Priority Mapping in
Outbound Direction page, as shown in Figure 3-201.


Figure 3-201 Configure Priority Mapping in Outbound Direction

Table 3-164 describes the parameters on the page.

Table 3-164 Configure Priority Mapping in Outbound Direction

Parameter: Description
Diff-Serv Domain Name: Indicates the current Diff-Serv domain name. This parameter cannot be modified.
Select Mapping Type: Mapping types include Internal-to-802.1p Priority Mapping and Internal-to-DSCP Priority Mapping.
Internal Priority of Outgoing Packets: Indicates the internal priority including seven options. This parameter is mandatory.
Discard Priority of Outgoing Packets: Indicates the discard priority including Green Packets, Yellow Packets, and Red Packets. This parameter is mandatory.
802.1p Priority of Incoming Packets: Indicates the start 802.1p priority ranging from 0 to 7. This parameter is mandatory.

NOTE

Select Mapping Type
• For example, select Internal-to-802.1p Priority Mapping as the default value.
• When Internal-to-DSCP Priority Mapping is selected, the page displays a list including
Internal Priority of Outgoing Packets, Discard Priority of Outgoing Packets, and
802.1p Priority of Incoming Packets.
• The DSCP value ranges from 0 to 63.
• The values of Internal Priority and Discard Priority are consistent with those of
Internal-to-DSCP Priority Mapping.
3. Set parameters.
4. Click OK.
Configure Priority Mapping. The S1720, S2720, S2750, S5700LI, and S5700S-LI
switches support this function.
1. Choose QoS > Priority Mapping to open the Priority Mapping page.
2. Click Configure to open the Priority Mapping page, as shown in Figure 3-202.

Figure 3-202 Priority Mapping


Table 3-165 describes the parameters on the page.

Table 3-165 Priority Mapping

Parameter: Description
Select Mapping Type: Indicates the priority mapping type.
Start Input DSCP Value: Specifies the start DSCP value of the incoming packets. The value ranges from 0 to 63. This parameter is mandatory.
Specifies the start IP precedence value of the incoming packets. The value ranges from 0 to 7.
End Input DSCP Value: Specifies the end DSCP value of the incoming packets. The value ranges from 0 to 63.
Specifies the end IP precedence value of the incoming packets. The value ranges from 0 to 7.
Output 802.1P Priority: Specifies the 802.1p priority of the outgoing packets. The value is an integer that ranges from 0 to 7. This parameter is mandatory.
Specifies the discard priority of the outgoing packets. The value is an integer that ranges from 0 to 2.
Specifies the DSCP priority of the outgoing packets. The value is an integer that ranges from 0 to 63.

NOTE

Configure the priority mappings as follows:
• To map the DSCP to 802.1p priority, set Start Input DSCP Value, End Input DSCP Value,
and Output 802.1P Priority.
• To map the DSCP to drop priority, set Start Input DSCP Value, End Input DSCP Value, and
Start Input Drop Priority.
• To map the DSCP to DSCP, set Start Input DSCP Value, End Input DSCP Value, and
Output DSCP Value.
• To map the IP priority to 802.1p priority, set Start Input IP Priority, End Input IP Priority,
and Output 802.1P Priority.
• To map the IP priority to IP priority, set Start Input IP Priority, End Input IP Priority, and
Output IP Priority.
The following is an example for mapping the DSCP to 802.1p priority.
3. Set parameters.
4. Click OK.
• Delete priority mapping.
1. Choose QoS > Priority Mapping to open the Priority Mapping page.


NOTE

The S5720HI switch can delete priority mapping on the Priority Mapping in Inbound
Direction or Priority Mapping in Outbound Direction page.

2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE

• To select a record, click the check box of the record.
• To delete records in batches, click the check boxes of the records.
3. Click OK.
• Delete Diff-Serv Domain Name
NOTE

The S5720HI switch can delete a Diff-Serv domain name.


1. Choose QoS > Priority Mapping > Create Priority Mapping in Inbound
Direction to open the Priority Mapping in Inbound Direction page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE

• You can delete a Diff-Serv domain name in the same way on the Priority Mapping in
Outbound Direction page.
• By default, the Diff-Serv domain name is default. You cannot delete the default name.
3. Click OK.

----End
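The DSCP-to-802.1p mapping described in Table 3-165 can be checked offline before the rows are entered on the Priority Mapping page. The following Python sketch is an added example, not part of the guide or the switch software: it expands start/end DSCP rows into a 64-entry lookup and derives DSCP and IP precedence from a packet's ToS byte. The class and function names are hypothetical, the sample rows are constructed, and treating overlapping rows as an error is an assumption of the sketch.

```python
"""Added example: pre-check DSCP-to-802.1p range rows (not Huawei code)."""
from dataclasses import dataclass
from typing import Optional

DSCP_MAX = 63    # DSCP values range from 0 to 63 (Table 3-165)
DOT1P_MAX = 7    # 802.1p priorities range from 0 to 7 (Table 3-165)


@dataclass(frozen=True)
class RangeRule:
    """One mapping row; the class and field names are hypothetical."""
    start_dscp: int            # Start Input DSCP Value (mandatory)
    end_dscp: Optional[int]    # End Input DSCP Value (may be left empty)
    dot1p: int                 # Output 802.1P Priority (mandatory)


def build_dscp_table(rules):
    """Expand range rows into {dscp: 802.1p}; raise ValueError on bad rows."""
    table = {}
    for rule in rules:
        # An empty end value means the row covers a single DSCP value.
        end = rule.start_dscp if rule.end_dscp is None else rule.end_dscp
        if not (0 <= rule.start_dscp <= DSCP_MAX and 0 <= end <= DSCP_MAX):
            raise ValueError(f"DSCP outside 0-{DSCP_MAX}: {rule}")
        if rule.start_dscp > end:
            raise ValueError(f"start DSCP is greater than end DSCP: {rule}")
        if not 0 <= rule.dot1p <= DOT1P_MAX:
            raise ValueError(f"802.1p priority outside 0-{DOT1P_MAX}: {rule}")
        for dscp in range(rule.start_dscp, end + 1):
            # Assumption of this sketch: overlapping rows are a planning
            # error worth flagging, whatever the device would do with them.
            if dscp in table:
                raise ValueError(f"DSCP {dscp} is covered by more than one row")
            table[dscp] = rule.dot1p
    return table


def unmapped_dscp(table):
    """Return the DSCP values that no row covers."""
    return [d for d in range(DSCP_MAX + 1) if d not in table]


def dscp_from_tos(tos):
    """DSCP is the upper six bits of the IPv4 ToS byte (RFC 2474)."""
    return (tos & 0xFF) >> 2


def ip_precedence_from_tos(tos):
    """IP precedence is the upper three bits of the same byte."""
    return (tos & 0xFF) >> 5


def lookup_dot1p(tos, table):
    """Return the planned 802.1p priority for a ToS byte, or None if unmapped."""
    return table.get(dscp_from_tos(tos))


# Constructed sample plan, not taken from the guide.
SAMPLE_RULES = [
    RangeRule(46, None, 5),   # single DSCP value
    RangeRule(32, 39, 4),
    RangeRule(0, 7, 0),
]

if __name__ == "__main__":
    plan = build_dscp_table(SAMPLE_RULES)
    for tos in (0xB8, 0x88, 0x28):
        print(hex(tos), dscp_from_tos(tos), ip_precedence_from_tos(tos),
              lookup_dot1p(tos, plan))
    print("unmapped DSCP values:", len(unmapped_dscp(plan)))
```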

3.10.5.2 Trust Priority


You can query, add, modify, and delete the trust relations on interfaces.

Context
You can select the type of a trusted priority.

Procedure
• Query a trust relation.
1. Choose QoS > Priority Mapping > Trust Priority to open the Trust Priority page.
2. Set the search criteria.
3. Click Query to display all matching records.
• Add a trust relation.
This function is only supported by S1720, S2720, S2750, S5700S-LI, and S5700LI
series switches.
1. Choose QoS > Priority Mapping > Trust Priority to open the Trust Priority
page.
2. Click New to open the Add Trust Relation page, as shown in Figure 3-203.


Figure 3-203 Add Trust Relation

Table 3-166 describes the parameters on the page.

Table 3-166 Add Trust Relation

Parameter: Description
Select Interface: Indicates the interface that you want to configure. You can select multiple interfaces.
Select Priority to Trust: Indicates the type of a trusted priority, including:
  • DSCP
  • IP-Precedence
  • 8021P

3. Set parameters.
4. Click OK.
This function is only supported by series switches.
1. Choose QoS > Priority Mapping > Trust Priority to open the Trust Priority
page.
2. Click New to open the Add Trust Relation page, as shown in Figure 3-204.


Figure 3-204 Add Trust Relation

Table 3-167 describes the parameters on the page.

Table 3-167 Add Trust Relation

Parameter: Description
Select Priority to Trust: Indicates the type of a trusted priority, including:
  • 8021P inner
  • 8021P outer
  • DSCP
Diff-Serv Domain Name: Indicates the name of the Diff-Serv domain.
Outbound Mapping: Indicates the type of a trusted priority, including:
  • yes
  • no
Select Interface: Indicates the interface that you want to configure. You can select multiple interfaces.

3. Set parameters.
4. Click OK.


• Modify trust relation. This function is only supported by series switches.


1. Choose QoS > Priority Mapping > Trust Priority to open the Trust Priority page.
2. Select a record that you want to modify and click to open the Modify Trust
Relation page, as shown in Figure 3-205.

Figure 3-205 Modify Trust Relation

Table 3-168 describes the parameters on the page.

Table 3-168 Modify Trust Relation

Parameter: Description
Name: This parameter cannot be modified.
Select Priority to Trust: Indicates the type of the trusted priority.
  • For the , the value can be 8021P inner, 8021P outer, or DSCP.
Diff-Serv Domain Name: Indicates the name of the Diff-Serv domain.
Outbound Mapping: Indicates the type of a trusted priority, including:
  • yes
  • no

3. Click OK.
• Delete a trusted priority.
1. Choose QoS > Priority Mapping > Trust Priority to open the Trust Priority page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE

• To select a record, click the check box of the record.
• To delete records in batches, click the check boxes of records.
3. Click OK.

----End

3.11 IP Routing
This document describes the configurations of IP routing.

Switches are used to select routes for packets on the Internet. A Switch selects a proper route
for a received packet according to the destination address and sends the packet to the next hop
Switch. The last-hop device on the route sends the packet to the destination host.

3.11.1 IPv4 Route


The following sections describe the basic knowledge and configuration methods of IPv4 routing
tables, IPv4 static routes, and global parameters.

3.11.1.1 IPv4 Routing Tables


A switch forwards packets by using a routing table. Each device saves a routing table. Each entry
in the routing table contains an interface of the switch, and the device sends packets to the
physical interfaces.

Context
You can query information about all routing tables through the Web system, including
information about dynamic and static routing tables.

Procedure
Step 1 Choose IP Routing > IPv4 Route in the navigation tree to display the IPv4 Route page. Then
click the IPv4 Routing Tables tab.


Step 2 Set the search criteria.

Step 3 Click Query to display all matching records.

----End

3.11.1.2 IPv4 Static Route


Static routes are manually configured by network administrators. After static routes are
configured, networks can communicate through these routes. However, the static routes cannot
be automatically updated when one network fails. In this case, only administrators can update
them.

Context
It is recommended that you specify the next hop address when configuring a static route on the
switch. You need to specify the next hop; otherwise, the next hop cannot be determined because
most physical interfaces of the switch are Ethernet interfaces of the broadcast type and one
outbound interface can be associated with multiple next hop addresses. If the outbound interface
is specified, you must specify the next hop address of the interface.

Procedure
• Create an IPv4 static route.
1. Choose IP Routing > IPv4 Route in the navigation tree to display the IPv4 Route
page. Then click the IPv4 Routing Tables tab.
2. Click New to open the Create an IPv4 Static Route page, as shown in Figure
3-206.

Figure 3-206 Create an IPv4 Static Route


Table 3-169 describes the parameters on the Create an IPv4 Static Route page.

Table 3-169 Create an IPv4 Static Route

Parameter: Description
Destination: Indicates the destination IP address or the destination network address of an IP packet, for example, 10.10.10.1. This parameter is mandatory.
Mask: Indicates the network mask that is used with the destination address to identify the address of the network segment where the destination host or router resides. The address of the network segment where the destination host or router resides can be calculated according to the AND operation on the destination address and network mask, for example, 255.255.0.0. This parameter is mandatory.
Outbound Interface: Indicates the interface on a router from which IP packets are forwarded, for example, Vlanif10.
NextHop: Indicates the next-hop router address that IP packets pass through, for example, 10.10.10.2. This parameter is mandatory.
Priority: Indicates the priority of a route. Packets may reach the same destination address through multiple routes. These routes may be discovered by different routing protocols, or statically configured. The route with the highest priority (smallest value) is selected as the optimal route. This parameter is optional.
Description: Indicates the description of an IPv4 static route. This parameter is optional.

3. Set parameters.
4. Click OK.
• Modify an IPv4 static route.
1. Choose IP Routing > IPv4 Route in the navigation tree to display the IPv4 Route
page. Then click the IPv4 Static Route tab.


2. Click to open the Modify IPv4 Static Route page, as shown in Figure 3-207.

Figure 3-207 Modify IPv4 Static Route

NOTE

• Table 3-169 describes the parameters on the Modify IPv4 Static Route page.
• The destination IP address and subnet mask cannot be changed.
3. Set parameters.
4. Click OK.
• Delete an IPv4 static route.
1. Choose IP Routing > IPv4 Route in the navigation tree to display the IPv4 Route
page. Then click the IPv4 Static Route tab.
2. Select a record that you want to delete and click Delete.
NOTE

l To select a record, click the check box of the record.


l To delete records in batches, click the check boxes of the records.
3. Click OK.

----End

3.11.1.3 Global Parameters Setting


You can set and query global parameters of an IPv4 static route.


Context
NOTE
By default, the priority of an IPv4 static route is 60. If the priority of an IPv4 static route is not specified,
the default priority is used. If you change the default priority, the new default priority is valid for only new
IPv4 static routes.

Procedure
Step 1 Choose IP Routing > IPv4 Route in the navigation tree to display the IPv4 Route page. Then
click the Global Parameters tab, as shown in Figure 3-208.

Figure 3-208 Global Parameters

Table 3-170 describes the parameters on the Global Parameters page.

Table 3-170 Global Parameters

| Parameter | Description |
| --- | --- |
| Static Route Priority | Indicates the default priority of an IPv4 static route. The value ranges from 1 to 255. The value 1 indicates the highest priority and the value 255 indicates the lowest priority. The default value is 60. This parameter is mandatory. |

Step 2 Set the parameters.

Step 3 Click Apply to complete the configuration.

----End

3.12 Security
This chapter describes concepts and configurations of security management, including Port
isolation, Static user binding, AAA, 802.1x, and MAC Authen.


3.12.1 Port Isolation


You can configure and query the port isolation mode, bidirectional isolation, and unidirectional
isolation.

If you want to prevent members in a group from communicating with each other but allow them
to access the public devices, such as the printer and the server, you can set the port isolation
mode to isolation at both Layer 2 and Layer 3 or Layer 2 isolation and Layer 3 communication.

3.12.1.1 Bidirectional Isolation


You can create, query, modify, or delete an isolation mode or a bidirectional isolation
configuration.

Context
• Interfaces in a port isolation group are isolated from each other, but interfaces in different
port isolation groups can communicate.
• The switch supports a maximum of 64 port isolation groups, numbered from 1 to 64.

Procedure
• Configure an isolation mode.
NOTE
• The default mode is L2, namely, ports are isolated at Layer 2 but can communicate at Layer 3.
• After the isolation mode is selected, the bidirectional isolation and unidirectional isolation
configurations are applied to this mode.
• The S2750, S5700LI, S5700S-LI, S1720, S2720 support only Layer 2 isolation and Layer 3
communication.
• Configuring the isolation mode is not affected by switching the bidirectional isolation and
unidirectional isolation labels.
1. Choose Security > Port isolation in the navigation tree to open the Port isolation
page.
2. Choose the isolation mode. The isolation can be L2 or ALL. L2 is Layer 2 isolation
and Layer 3 communication. ALL is the isolation at both Layer 2 and Layer 3.
3. Click Apply.
• Query an isolation group.
1. Choose Security > Port isolation in the navigation tree to display the Port
isolation page. Then click the Bidirectional isolation tab.
2. Enter a number in the text box of Isolation Group Number.
3. Click Query to display all matching records.
• Create an isolation group.
1. Choose Security > Port isolation in the navigation tree to display the Port
isolation page. Then click the Bidirectional isolation tab.
2. Click New to open the Create an isolation group page, as shown in Figure 3-209.

Figure 3-209 Create an isolation group

Table 3-171 describes the parameters on the page.

Table 3-171 Create an isolation group

| Parameter | Description |
| --- | --- |
| Isolation Group Number | Indicates the value that the system generates automatically. The value ranges from 1 to 64. When creating an isolation group, the system assigns the minimum in existing numbers to the new isolation group. |
| Select a port | Select the interface that you want to add to the isolation group on the port list on the left. Click to display the new interface on the right list. |

3. Select an interface.
4. Click OK.
• Modify an isolation group.
1. Choose Security > Port isolation in the navigation tree to display the Port
isolation page. Then click the Bidirectional isolation tab.

2. Click the corresponding icon to open the Modify isolation group page, as shown
in Figure 3-210.

Figure 3-210 Modify isolation group

Table 3-171 describes the parameters on the page.


3. Select an interface.
4. Click OK.
• Delete an isolation group.
1. Choose Security > Port isolation in the navigation tree to display the Port
isolation page. Then click the Bidirectional isolation tab.
2. Select the isolation group that you want to delete. You can delete an isolation group
or multiple isolation groups.
3. Click Delete. The system asks you whether to delete the record.
4. Click OK on the dialog box.

----End

3.12.1.2 Unidirectional Isolation


You can create, query, modify, and clear a unidirectional port isolation configuration.


Context
You can configure or delete the unidirectional isolation between the current interface and a
specified interface. If interface A is isolated from interface B, packets sent from interface A
cannot reach interface B, but packets sent from interface B can reach interface A.

NOTE

Interfaces can be isolated from one another. But an interface cannot be isolated from itself or from the
management interface unidirectionally. In addition, an Eth-Trunk cannot be isolated unidirectionally from
its member interfaces.

Procedure
• Query a unidirectional isolation.
1. Choose Security > Port isolation in the navigation tree to display the Port
isolation page. Then click the Unidirectional isolation tab.
2. Select an interface type from the drop-down list box.
3. Enter the interface number, for example, 0/0/1 (stack ID/subcard ID/interface
number).
4. Click Query to display all matching records.
• Configure a unidirectional port isolation.
NOTE
You can configure and modify unidirectional isolation in the same method.
1. Choose Security > Port isolation in the navigation tree to display the Port
isolation page. Then click the Unidirectional isolation tab.
2. Click the corresponding icon to open the Modify isolation port list page, as shown
in Figure 3-211.

Figure 3-211 Modify isolation port list

Table 3-172 describes the parameters on the page.

Table 3-172 Modify isolation port list

| Parameter | Description |
| --- | --- |
| Port name | Indicates the name of the interface where you want to modify the configuration. This parameter cannot be modified. |
| Select a Port | Select the interface that you want to add to the isolation group on the port list on the left. Click to display the new interface on the right list. |

3. Select an interface.
4. Click OK.
• Clear a unidirectional isolation.
1. Choose Security > Port isolation in the navigation tree to display the Port
isolation page. Then click the Unidirectional isolation tab.
2. Select the interface configured with unidirectional isolation that you want to delete.
You can delete an interface or multiple interfaces.
3. Click Clear. The system asks you whether to delete the record.
4. Click OK on the dialog box.
----End
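
The isolation rules from 3.12.1.1 and 3.12.1.2 can be checked against an intended policy before a configuration is applied. The following is an added example, not part of the original guide; the interface names, the dictionary layout, and the rule that two ports are isolated when they share any group are assumptions made for the model.

```python
from itertools import permutations

MAX_GROUP = 64  # the switch supports isolation groups numbered 1 to 64


def is_blocked(src, dst, groups, one_way, mode="L2", layer=2):
    """Return True if port isolation drops traffic sent from src to dst.

    groups  -- {group number: set of member interfaces} (bidirectional isolation)
    one_way -- {A: {B, ...}} meaning "A is isolated from B": A -> B is dropped,
               B -> A is still delivered
    mode    -- "L2" (Layer 2 isolation, Layer 3 communication) or "ALL"
    layer   -- 2 for switched traffic, 3 for traffic routed between the ports
    """
    if mode not in ("L2", "ALL"):
        raise ValueError("mode must be L2 or ALL")
    if any(not 1 <= number <= MAX_GROUP for number in groups):
        raise ValueError("isolation group numbers range from 1 to 64")
    if src == dst:
        raise ValueError("an interface cannot be isolated from itself")
    if mode == "L2" and layer == 3:
        return False  # L2 mode leaves Layer 3 communication untouched
    shares_group = any(src in m and dst in m for m in groups.values())
    return shares_group or dst in one_way.get(src, set())


def audit(ports, groups, one_way, must_block, mode="L2", layer=2):
    """Compare the configured isolation with the intended policy.

    must_block is a set of (src, dst) pairs that have to be dropped; every
    other ordered pair of ports is expected to be delivered.
    """
    leaks, overblocked = [], []
    for src, dst in permutations(sorted(ports), 2):
        blocked = is_blocked(src, dst, groups, one_way, mode, layer)
        wanted = (src, dst) in must_block
        if wanted and not blocked:
            leaks.append((src, dst))
        elif blocked and not wanted:
            overblocked.append((src, dst))
    return {"leaks": leaks, "overblocked": overblocked}


# Constructed sample: three user ports that must not reach each other and a
# printer port that all of them must reach. GE0/0/3 was left out of group 1
# and only has a unidirectional isolation towards GE0/0/1.
HOSTS = {"GE0/0/1", "GE0/0/2", "GE0/0/3"}
PORTS = HOSTS | {"GE0/0/24"}
GROUPS = {1: {"GE0/0/1", "GE0/0/2"}}
ONE_WAY = {"GE0/0/3": {"GE0/0/1"}}
MUST_BLOCK = set(permutations(HOSTS, 2))

if __name__ == "__main__":
    print(audit(PORTS, GROUPS, ONE_WAY, MUST_BLOCK))
```

The audit reports the three directions that still pass traffic because GE0/0/3 is missing from the group, and none once all three user ports are in group 1.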

3.12.2 Static User Binding


Static user binding is configured manually and supports binding methods of IP+port, MAC+port,
IP+MAC+port, IP+port+VLAN, MAC+port+VLAN, and IP+MAC+port+VLAN.

3.12.2.1 View Static User Binding


You can view static user bindings on the Static user binding page. You can query information
according to the search criteria.

Procedure
Step 1 Choose Security > Static User Binding in the navigation tree to open the Static User
Binding page, as shown in Figure 3-212.

Figure 3-212 Static user binding

Table 3-173 describes the parameters on the page.

Table 3-173 Search criteria for static user binding

| Parameter | Description |
| --- | --- |
| Interface Name | Indicates the interface type and number that you want to query. |
| VLAN ID | If the check box of VLAN is not selected and the VLAN ID text box is not available, all VLANs are queried. When the check box of VLAN is selected, you can enter the VLAN ID that you want to query. |

Step 2 Set the search criteria.

Step 3 Click Query. Search results are displayed.

----End

3.12.2.2 Configure Static User Binding


You can configure static user binding.

Procedure
• Create a binding.
1. Choose Security > Static user binding in the navigation tree to open the Static user
binding page.
2. Click New to open the Create a static user binding page, as shown in Figure
3-213.

Figure 3-213 Create a static user binding

Table 3-174 describes the parameters on the page.

Table 3-174 Create a static user binding

| Parameter | Description |
| --- | --- |
| Interface Name | Indicates the type and number of the interface that you want to bind. |
| Binding mode | The binding modes in the drop-down list box include: MAC+port, IP+port, IP+MAC, and IP+MAC+port. Select one binding mode from the modes above. This parameter is mandatory. |
| VLAN ID | Indicates the ID of the VLAN to be bound. |

3. Set parameters.
4. Click OK.
• Delete a binding.
1. Choose Security > Static user binding in the navigation tree to open the Static user
binding page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
----End

3.12.3 AAA Configurations


Authentication, Authorization, and Accounting (AAA) is used to manage network security. It
provides a uniform framework to configure authentication, authorization, and accounting
security functions.
Generally, AAA uses the client/server model. In this model, the client runs on the resource side
that is managed through AAA, whereas the server collects and keeps all user information. This
model features good extensibility and facilitates concentrated management over user
information.

3.12.3.1 AAA Scheme


You can add, modify, and delete an authentication scheme, authorization scheme, or accounting
scheme.

Context
Authentication, Authorization, and Accounting are three independent service processes.
• In the authentication process, a device authenticates the user name, password, or user
information of an access request or a service request. The device, however, neither delivers
authorization information to the user nor triggers the accounting process. In AAA, a device
can adopt only authentication.
• In the authorization process, a device sends authorization requests to the authorization
server. After users pass authorization, the device sends authorization information to users.
If the authorization scheme is none, users do not need to be authorized. In this case, users
passing authentication have the default authority granted by the system.
• In the accounting process, a device sends accounting-start packets, accounting-update
packets, or accounting-stop packets to the accounting server. In AAA, an accounting
scheme is optional.

Procedure
• Create an authentication scheme.
NOTE

You can create an authentication scheme, authorization scheme, or accounting scheme. Here the
authentication scheme is used as an example.
1. Choose Security > AAA > AAA Scheme in the navigation tree to open the AAA
Scheme page.
2. Click New to open the Create Authentication Scheme page, as shown in Figure
3-214.

Figure 3-214 Create Authentication Scheme

Table 3-175 describes the parameters on the Create Authentication Scheme page.

Table 3-175 Create Authentication Scheme

| Item | Description |
| --- | --- |
| Authentication Scheme Name | Indicates the name of an authentication scheme. This parameter is mandatory. |
| Mode | Indicates the authentication mode. There are four authentication modes for you to select. NOTE: The options are none, hwtacacs, radius, and local. You can use the combination of authentication modes. If the authentication mode is none, you cannot configure an authentication scheme. You cannot set the same authentication modes; otherwise, you cannot create an authentication scheme. |

3. Set parameters.
4. Click OK.
• Modify an authentication scheme.
NOTE

You can modify an authentication scheme, authorization scheme, or accounting scheme. Here the
authentication scheme is used as an example.
1. Choose Security > AAA > AAA Scheme in the navigation tree to open the AAA
Scheme page.
2. Click to open the Modify Authentication Scheme page, as shown in Figure
3-215.

Figure 3-215 Modify Authentication Scheme

NOTE

• Table 3-175 describes the parameters on the Modify Authentication Scheme page.
• The authentication scheme name cannot be changed.
3. Set the authentication type as required.
4. Click OK.
• Delete an authentication scheme.
1. Choose Security > AAA > AAA Scheme in the navigation tree to open the AAA
Scheme page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE
• To select a record, click the check box of the record.
• To delete records in batches, click the check boxes of the records.
3. Click OK.

----End

3.12.3.2 Service Scheme


Access users must obtain authorization information before going online. Authorization
information about users can be managed by configuring a service scheme.

Context
A service scheme is a set of authorization information about users. After a service scheme is
created, you can set attributes of users in the service scheme view.

Procedure
• Create a service scheme.
1. Choose Security > AAA > Service Scheme in the navigation tree to open the Service
Scheme page.
2. Click New to open the Create Service Scheme page, as shown in Figure 3-216.


Figure 3-216 Create Service Scheme

Table 3-176 describes the parameters on the Create Service Scheme page.

Table 3-176 Create Service Scheme

| Parameter | Description |
| --- | --- |
| Service Scheme Name | Indicates the name of a new service scheme. |
| Administrator Level | Indicates the administrator level for a user to log in to the switch. |
| Primary DNS IP | Indicates the IP address of the primary DNS server, for example, 10.10.10.1. |
| Secondary DNS IP | Indicates the IP address of the secondary DNS server, for example, 10.10.10.2. NOTE: Before configuring the IP address of the secondary DNS server, you must configure an IP address for the primary DNS server. |
| User Vlan | Indicates the ID of a user VLAN. To configure VLANs, choose Service Management > VLAN. |
| Ucl Group | Indicates the name of a UCL group. To configure a created UCL group, choose Security > Ucl Group. |
| QoS Profile | Indicates the name of a created QoS profile. To configure a QoS protocol, choose Security > QoS Profile. |

NOTE

Only the S5720HI supports User Vlan, Ucl Group and QoS Profile, and these nodes are only available
in the NAC unified mode.
3. Set parameters.
4. Click OK.
• Modify a service scheme.
1. Choose Security > AAA > Service Scheme in the navigation tree to open the Service
Scheme page.
2. Click to open the Modify Service Scheme page, as shown in Figure 3-217.

Figure 3-217 Modify Service Scheme

NOTE
• Table 3-176 describes the parameters on the Modify Service Scheme page.
• The service scheme name cannot be modified.
3. Set parameters.
4. Click OK.
• Delete a service scheme.
1. Choose Security > AAA > Service Scheme in the navigation tree to open the Service
Scheme page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE
• To select a record, click the check box of the record.
• To delete records in batches, click the check boxes of the records.
3. Click OK.

----End

3.12.3.3 RADIUS Configurations


You can create, modify, and delete the RADIUS server template, authentication/accounting
server, and authorization server. Before configuring a RADIUS authentication/accounting
server, you must create a RADIUS server template. A RADIUS server builds a unique database
to store user names and passwords for authentication and accounting. The RADIUS
authorization server receives authorization information sent by users and sends authorization
information to users after users pass authorization.

Context
When a user logs in to a network device such as a switch or a network access server (NAS), the
user name and password are sent to the network device. After the RADIUS client (an NAS
server) on the network receives the user name and password, it sends an authentication request
to the RADIUS server. If the request is valid, the RADIUS server completes authentication and
sends the required authorization information to the RADIUS client. If the request is invalid, the
RADIUS server sends the authorization failure information to the RADIUS client.
NOTE

Most RADIUS configurations have default values. You can perform configurations according to
networking requirements. You can modify the RADIUS configuration only when the RADIUS server
template is not in use.

The RADIUS authorization server is mainly used to authorize users when users select services
dynamically.

Procedure
• Create a RADIUS server template.
1. Choose Security > AAA > RADIUS Config in the navigation tree to open the
RADIUS Config page.


2. Click New, and the Create RADIUS Template page is displayed, as shown in Figure
3-218.

Figure 3-218 Create RADIUS Template

Table 3-177 describes the parameters on the page.

Table 3-177 Create a RADIUS Server Template

| Parameter | Description |
| --- | --- |
| Template Name | Indicates the name of a new RADIUS server template. This parameter is mandatory. |
| Key | When sending authentication packets, the switch and the RADIUS server encrypt important data such as the password to ensure the security of data transmission over the network. To ensure the validity of the authenticator and the authenticated end, the switch and the RADIUS server must be configured with the same key. The value is a string. By default, the shared key of a RADIUS server is huawei. |
| Confirm Key | Indicates the confirmed shared key. The format is the same as that of the shared key. |

3. Set parameters.
4. Click OK.
• Modify a RADIUS server template.
1. Choose Security > AAA > RADIUS Config in the navigation tree to open the
RADIUS Config page.
2. Click the corresponding icon, and the Modify RADIUS Template page is displayed, as shown in Figure
3-219.

Figure 3-219 Modify RADIUS Template

NOTE
• Table 3-177 describes the parameters on the page.
• The template name cannot be modified.
3. Set parameters.
4. Click OK.
• Delete a RADIUS server template.
1. Choose Security > AAA > RADIUS Config in the navigation tree to open the
RADIUS Config page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE

• To select a record, click the check box of the record.
• To delete records in batches, click the check boxes of the records.
3. Click OK.
• Create a RADIUS authentication/accounting server.
1. Choose Security > AAA > RADIUS Config in the navigation tree to open the
RADIUS Config page.
2. Click New, and the Create RADIUS Authentication/Accounting Server page is
displayed, as shown in Figure 3-220.

Figure 3-220 Create RADIUS Authentication/Accounting Server

Table 3-178 describes the parameters on the page.

Table 3-178 Create RADIUS Authentication/Accounting Server

| Parameter | Description |
| --- | --- |
| Server Type | Indicates the server type. |
| Template Name | Indicates the RADIUS server template name. This parameter is mandatory. |
| IP address | Indicates the IP address of the server, for example, 10.10.10.1. This parameter is mandatory. |
| Port | Indicates the UDP port number of the server. This parameter is mandatory. |
| Weight | Indicates the weight of the server. The default value is 80. |

3. Set parameters.
NOTE

The device supports more than one server. To add servers, click Add and set parameters.
When multiple servers are available, the device uses the server with the highest weight to perform
authentication and accounting. If the servers have the same weights, the device uses the server
configured first to perform authentication and accounting.
4. Click OK.
• Modify a RADIUS authentication/accounting server.
1. Choose Security > AAA > RADIUS Config in the navigation tree to open the
RADIUS Config page.
2. Click the corresponding icon, and the Modify RADIUS Authentication/Accounting Server page is
displayed, as shown in Figure 3-221.

Figure 3-221 Modify RADIUS Authentication/Accounting Server

NOTE

Table 3-178 describes the parameters on the page.


3. Set parameters.
4. Click OK.
• Delete a RADIUS authentication/accounting server.
1. Choose Security > AAA > RADIUS Config in the navigation tree to open the
RADIUS Config page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.
• Create a RADIUS authorization server.
1. Choose Security > AAA > RADIUS Config in the navigation tree to open the
RADIUS Config page.
2. Click New, and the Create RADIUS Authorization Server page is displayed, as
shown in Figure 3-222.

Figure 3-222 Create RADIUS Authorization Server

Table 3-179 describes the parameters on the page.

Table 3-179 Create RADIUS Authorization Server

| Parameter | Description |
| --- | --- |
| Server IP | Indicates the IP address of the authorization server, for example, 10.10.10.1. This parameter is mandatory. |
| RADIUS Template | Indicates the RADIUS server template name. This parameter is optional. |
| Key | To apply the shared key, select the check box of the shared key. This parameter is mandatory. By default, no shared key is configured on a RADIUS authorization server. |
| Ack Reserve Interval | Indicates the duration in which an authorization acknowledgment packet is reserved. This parameter is optional. |

3. Set parameters.
4. Click OK.
• Modify a RADIUS authorization server.
1. Choose Security > AAA > RADIUS Config in the navigation tree to open the
RADIUS Config page.
2. Click the corresponding icon, and the Modify RADIUS Authorization Server page is displayed, as shown
in Figure 3-223.

Figure 3-223 Modify RADIUS Authorization Server

NOTE
• Table 3-179 describes the parameters on the page.
• The IP address of the authorization server cannot be changed.
3. Set parameters.
4. Click OK.
• Delete a RADIUS authorization server.
1. Choose Security > AAA > RADIUS in the navigation tree to open the RADIUS
Config page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
3. Click OK.

----End
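
The Key parameter in Table 3-177 is the only secret input when RADIUS hides the user password. The following is an added example, not part of the original guide and not the switch's code: it implements the standard User-Password hiding from RFC 2865 section 5.2, which the guide does not describe, with constructed sample values.

```python
import hashlib
import os

BLOCK = 16  # MD5 digest size; the password is processed in 16-byte blocks


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, shared_key, request_authenticator):
    """Switch (RADIUS client) side: build the User-Password attribute value."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    # Pad with NUL bytes to a multiple of 16.
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden, previous = b"", request_authenticator
    for i in range(0, len(padded), BLOCK):
        # Block 1 is keyed by MD5(key + authenticator); each later block by
        # MD5(key + previous hidden block).
        keystream = hashlib.md5(shared_key + previous).digest()
        previous = _xor(padded[i:i + BLOCK], keystream)
        hidden += previous
    return hidden


def recover_password(hidden, shared_key, request_authenticator):
    """RADIUS server side: reverse the hiding with the server's copy of the key."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    plain, previous = b"", request_authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(shared_key + previous).digest()
        block = hidden[i:i + BLOCK]
        plain += _xor(block, keystream)
        previous = block
    return plain.rstrip(b"\x00")


def exchange(password, switch_key, server_key):
    """Return True if the server recovers the password the switch sent."""
    # The Request Authenticator is random per request and is carried in the
    # packet header, so it is not a secret.
    authenticator = os.urandom(BLOCK)
    hidden = hide_password(password, switch_key, authenticator)
    return recover_password(hidden, server_key, authenticator) == password


if __name__ == "__main__":
    pw = b"Tr4ffic-Eng!neer-17"          # constructed sample password
    print(exchange(pw, b"constructed-key-A", b"constructed-key-A"))  # same key
    print(exchange(pw, b"constructed-key-A", b"constructed-key-B"))  # mismatch
```

Because the Request Authenticator is carried in the packet, the shared key is the only secret in this computation, so a template left on the documented default key huawei should be changed to a long random value on both the switch and the server.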

3.12.3.4 Domain Management


The switch manages users based on domains. You can configure the default authorization
scheme, RADIUS template, authentication scheme, and accounting scheme in a domain.

Context
If no AAA schemes are applied to a new domain, the default authentication scheme and
accounting scheme are adopted. By default, the new domain is not bound to any authorization
scheme.


Procedure
• Create a domain.
1. Choose Security > AAA > Domain in the navigation tree to open the Domain page.
2. Click New to open the Create Domain page, as shown in Figure 3-224.

Figure 3-224 Create Domain

Table 3-180 describes the parameters on the Create Domain page.

Table 3-180 Create Domain

| Parameter | Description |
| --- | --- |
| Domain Name | Indicates the name of a new RADIUS server template. This parameter is mandatory. |
| Authentication Scheme | Indicates the authentication scheme of the system. |
| Authorization Scheme | Indicates the authorization scheme of the system. |
| Accounting Scheme | Indicates the accounting scheme of the system. |
| Service Scheme | Indicates the service scheme of the system. |
| RADIUS Template | Indicates the RADIUS server of the system. |

3. Set parameters.
4. Click OK.
• Modify a domain.
1. Choose Security > AAA > Domain in the navigation tree to open the Domain page.
2. Click to open the Modify Domain page, as shown in Figure 3-225.

Figure 3-225 Modify Domain

NOTE
• Table 3-180 describes the parameters on the Modify Domain page.
• The domain name cannot be modified.
3. Set parameters.
4. Click OK.
• Delete a domain.
1. Choose Security > AAA > Domain in the navigation tree to open the Domain page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE
• To select a record, click the check box of the record.
• To delete records in batches, click the check boxes of the records.
3. Click OK.

----End

3.12.3.5 User Management


You can create a local database to maintain user information and manage users on the local
switch.

Context
You need to create a local user account and configure attributes of the local user so that the
switch can authenticate and authorize the local user that logs in according to the local user
information.

By default, a local user named admin exists in the system. The user password is
admin@huawei.com, and access type is HTTP.

NOTE

Security risks exist if the user access type is set to Telnet or FTP. It is recommended that you set the user access
type to SSH.
A simple password brings security risks. It is recommended that you change the password to a complicated one
after logging in to the web network management system using the default account. A password should consist
of at least 8 characters, and contain at least two types of the following: lowercase letters, uppercase letters,
numerals, special characters (such as ! $ # %). The password cannot contain spaces and single quotation marks
('). In addition, the password cannot be the same as the user name or the mirror user name.
The new user supports all access modes. The management user access modes such as Telnet, SSH, FTP, HTTP,
and Terminal have security risks. You are advised to configure the required access modes only.

Procedure
• Create a user.
1. Choose Security > AAA > User Management in the navigation tree to open the
User page.
2. Click New to open the Create User page, as shown in Figure 3-226.

Figure 3-226 Create User

Table 3-181 describes the parameters on the Create User page.

Issue 03 (2014-08-25) Huawei Proprietary and Confidential 541


Table 3-181 Create User/Modify User

Parameter: Description

User Name: Indicates a new user name. This parameter is mandatory.

Password: Indicates the password.

Confirm Password: Confirms the password. It must be the same as the password.

User Level: Indicates the user level. The value ranges from 0 to 15.
NOTE
• Only users of level 3 or higher have management rights.
• You can create a user account at the same level as your own or at a lower level.

FTP Directory: Indicates the FTP directory, for example, flash:/.
NOTE
If the access type of a local user is set to FTP, this parameter is mandatory; otherwise, FTP users cannot log in.

User State: Indicates the user status, including:
• Active
• Block
By default, the value is Active.
NOTE
• If a local user is in Active state, the switch accepts and processes the authentication request of the user.
• If a local user is in Block state, the authentication request from this user is denied.

Access Type: Indicates the access type. After you specify the access type of a user, only the users using the specified access type can log in.
The steps are as follows:
Select the access type in the right list box and click . The selected access type is displayed in the right list box.
By default, a user can log in by using any access type.
NOTE
• You can hold Shift or Ctrl to select multiple access types or click to select all the access types.
• If you do not specify any value, all options are selected by default. If you deselect all options, the default settings are restored (all access types are supported).

Forced offline: Indicates whether a user is forcibly disconnected from the network.
NOTE
This parameter is only displayed on the user modification page.

3. Set parameters.
4. Click OK.
• Modify a user.
1. Choose Security > AAA > User Management in the navigation tree to open the User
Management page.
2. Click to open the Modify User page, as shown in Figure 3-227.

Figure 3-227 Modify User

NOTE
• Table 3-181 describes the parameters on the Modify User page.
• The user name cannot be modified.
3. Set parameters.
4. Click OK.
NOTE
When changing your password, enter the old password in Confirm Old Password, as shown in
Figure 3-228.

Figure 3-228 Confirm Old Password

• Delete a user.
1. Choose Security > AAA > User Management in the navigation tree to open the User
Management page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE
• The current user cannot be deleted.
• You can delete a user account at the same or lower level but not your own account.
• To select a record, click the check box of the record.
• To delete records in batches, click the check boxes of the records.
3. Click OK.

----End

3.12.3.6 Change Mode


NAC supports the common configuration mode and unified configuration mode. With the NAC
function, the device can control user access to the network.

Context
NAC only provides a user authentication solution. To implement this solution, the AAA function
must also be configured.

NOTE

The device supports NAC. NAC controls a user's network access permission that involves personal
communication information collection or storage. Huawei will not collect or save user communication
information independently. You must use the features in compliance with applicable laws and regulations.
Ensure that your customers' privacy is protected when you are collecting or saving communication information.

Procedure
Step 1 Config Next Start Mode: Choose Security > AAA > Change Mode in the navigation tree to
open the Change Mode page, as shown in Figure 3-229.

Step 2 Click Traditional-mode or Unified-mode.

Figure 3-229 Change Mode

Step 3 Click Apply to complete the configuration.


NOTE

After the configuration mode is switched between the common mode and the unified mode, you must save the
configuration and restart the device for the functions in the new configuration mode to take effect. By
default, the unified NAC configuration mode is used.

----End

3.12.4 802.1x
You can configure 802.1x parameters globally or on an interface.
IEEE 802.1x, or 802.1x for short, is a port-based network access control protocol. 802.1x
originated from IEEE 802.11 for wireless local area network (WLAN) access and was first
introduced to solve the problem of access authentication for WLAN users. Later, the 802.1x
protocol was applied to Ethernet as a common access control mechanism on LAN interfaces
to solve authentication and security problems on the Ethernet.
Port-based network access control means that authentication and control are implemented for
access devices on an interface of a LAN access control device. A user device can access LAN
resources only after it passes authentication.

NOTE

This node is only available in the NAC common mode.

3.12.4.1 802.1X Global Settings


802.1x parameters can be set before global 802.1x authentication is enabled, but they do not take
effect. After global 802.1x authentication is enabled, the 802.1x parameters set on each interface
take effect.

Context
You can configure 802.1x authentication to authenticate and control access devices connected
to an interface of a LAN access control device.

Procedure
Step 1 Choose Security > 802.1X > 802.1X Global Settings in the navigation tree, and the 802.1X
Global Settings page is displayed, as shown in Figure 3-230.

Figure 3-230 802.1X Global Settings

Table 3-182 describes the parameters on the 802.1X Global Settings page.

Table 3-182 802.1X Global Settings

Parameter: Description

Global 802.1X: Indicates whether to enable global 802.1x authentication. The options are Enable and Disable. By default, the value is Disable. 802.1x parameters can be set before global 802.1x authentication is enabled, but they do not take effect. After global 802.1x authentication is enabled, the 802.1x parameters set on each interface take effect.

Quiet Period: Indicates whether to enable the quiet timer function. The options are Enable and Disable. By default, the value is Disable.
NOTE
If a user fails to pass 802.1x authentication after the quiet timer function is enabled, the system keeps the user quiet for a period. This prevents the impact caused by frequent authentication. During the quiet period, the switch discards 802.1x authentication request packets from the user.

DHCP Trigger: Indicates whether to trigger 802.1x authentication after receiving DHCP messages. The options are Enable and Disable. By default, the value is Disable. When this function is enabled, the switch triggers 802.1x authentication after receiving DHCP messages. If a user fails to pass authentication, the user cannot dynamically obtain an IP address from the DHCP server.

Handshake: Indicates whether to enable the handshake function. The options are Enable and Disable. By default, the value is Disable.
NOTE
Not all clients support the handshake function. If a client does not support the handshake function, the switch will not receive handshake response packets within the handshake interval. In this case, you need to disable the handshake function to prevent the switch from disconnecting users by mistake.

Number of Quiet Failures: Indicates the number of authentication failures before the 802.1x user enters the quiet state.

Retry Times: Indicates the number of retransmission times. If the switch does not receive a response after sending an authentication request to a user, the switch retransmits the authentication request to the user. If the switch still fails to receive the response when the number of sent authentication requests reaches the limit, the switch stops sending the authentication request to the user.

Client Timeout: Indicates the timeout interval of the response from the client.

Handshake Interval: Indicates the interval of handshakes between the switch and the 802.1x client.
NOTE
The value range varies depending on the device model.

Re-authentication Interval: Indicates the re-authentication interval. After a user passes 802.1x authentication, the device sends a re-authentication request to the access user after a period. The re-authentication interval is controlled by the re-authentication timer.

Authentication Request Interval: Indicates the interval for sending authentication requests.

Quiet Period: Indicates the value of the quiet timer. If a user fails to pass 802.1x authentication, the access device waits until the quiet timer expires and re-initiates authentication requests. During the quiet period, the authentication device does not process authentication requests from the user.

Step 2 Set the parameters.

Step 3 Click Apply to complete the configuration.

----End
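
The interaction of the Quiet Period switch, Number of Quiet Failures, and the Quiet Period timer value in Table 3-182 can be modelled as follows. This is an added example, not Huawei code: the class and function names, the sample events and values, and the rule that failures are counted consecutively per user and reset on success are assumptions.

```python
"""Model of the 802.1X quiet timer parameters from Table 3-182 (added example)."""
from dataclasses import dataclass, field


@dataclass
class QuietTimerPolicy:
    quiet_enabled: bool    # "Quiet Period" (Enable/Disable)
    quiet_failures: int    # "Number of Quiet Failures"
    quiet_period_s: int    # "Quiet Period" timer value, in seconds


@dataclass
class Authenticator:
    policy: QuietTimerPolicy
    # Per-user state: consecutive failure count and time the quiet state ends.
    failures: dict = field(default_factory=dict)
    quiet_until: dict = field(default_factory=dict)

    def handle(self, ts, user, credentials_ok):
        """Return 'discarded', 'accepted' or 'rejected' for one request."""
        # During the quiet period the request is dropped before any
        # credential check, so even valid credentials are not processed.
        if self.policy.quiet_enabled and ts < self.quiet_until.get(user, 0):
            return "discarded"
        if credentials_ok:
            self.failures.pop(user, None)  # assumption: success resets the count
            return "accepted"
        count = self.failures.get(user, 0) + 1
        if self.policy.quiet_enabled and count >= self.policy.quiet_failures:
            # Failure limit reached: start the quiet timer for this user only.
            self.quiet_until[user] = ts + self.policy.quiet_period_s
            count = 0
        self.failures[user] = count
        return "rejected"


def replay(events, policy):
    """Run (timestamp, user, credentials_ok) events through one authenticator."""
    auth = Authenticator(policy)
    return [auth.handle(ts, user, ok) for ts, user, ok in events]


def requests_processed(outcomes):
    """Requests that were actually evaluated, i.e. not dropped while quiet."""
    return sum(1 for outcome in outcomes if outcome != "discarded")


# Constructed sample: user A guesses wrong three times, keeps trying,
# while user B logs in normally. Timestamps are seconds.
USER_A, USER_B = "00e0-fc00-0001", "00e0-fc00-0002"
EVENTS = [
    (0, USER_A, False), (1, USER_A, False), (2, USER_A, False),
    (3, USER_A, False), (10, USER_A, True), (30, USER_B, True),
    (61, USER_A, False), (62, USER_A, True),
]

if __name__ == "__main__":
    for label, enabled in (("quiet enabled", True), ("quiet disabled", False)):
        outcomes = replay(EVENTS, QuietTimerPolicy(enabled, 3, 60))
        print(label, outcomes, "processed:", requests_processed(outcomes))
```

With the quiet timer enabled, only five of the eight requests are evaluated, and the legitimate attempt at second 10 is dropped because the user is still quiet; other users are unaffected.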

3.12.4.2 802.1X Interface Settings


You can query, set, and delete 802.1x parameters of an interface.

Context
You can configure 802.1x authentication to authenticate and control access devices connected
to an interface of a LAN access control device.

Procedure
• Query information about 802.1x parameters on an interface.
1. Choose Security > 802.1X > 802.1X Interface Settings in the navigation tree to open
the 802.1X Interface Settings page.
2. Set the search criteria.
3. Click Query to display all matching records.
• Set 802.1x parameters on an interface.
1. Choose Security > 802.1X > 802.1X Interface Settings in the navigation tree to open
the 802.1X Interface Settings page.
2. Select a record and click Configure. The Configure 802.1X Interface Parameters
page is displayed, as shown in Figure 3-231.

Figure 3-231 Configure 802.1X Interface Parameters

Table 3-183 describes the parameters on the Configure 802.1X Interface Parameters page.

Table 3-183 Configure 802.1X Interface Parameters

Parameter: Description

Interface Name: Indicates the name of an interface. The interface name cannot be modified. You can select multiple interfaces each time.
NOTE
If only one interface is selected, the configuration of the interface is displayed on the Configure 802.1X Interface Parameters page. If multiple interfaces are selected, the default settings of the interfaces are displayed.

Enable 802.1X: Indicates whether to enable 802.1x authentication. The options are Enable and Disable. By default, the value is Disable.
NOTE
The 802.1x configuration takes effect only after 802.1x authentication is enabled globally and on an interface.

Control Mode: Indicates the access control mode of an interface. The options are as follows:
• Auto
• Authorized-force
• Unauthorized-force
By default, the value is Auto.

Control Method: Indicates the access control method of an interface. The options are:
• MAC
• Port
By default, the MAC address-based access control method is used.
NOTE
If the value is Port, only one user can access the interface.

Max Number Of Users: Indicates the maximum number of access users on the specified interface. If no interface is specified, all interfaces support the same number of access users.
NOTE
The value range varies depending on the device type.

802.1X Re-Authentication: Indicates whether to enable 802.1x re-authentication. The options are Enable and Disable. By default, the value is Disable.

3. Set parameters.
4. Click OK.
• Clear the configuration of 802.1x parameters on an interface.
1. Choose Security > 802.1X > 802.1X Interface Settings in the navigation tree to open
the 802.1X Interface Settings page.
2. Select a record and click Clear Configuration. The system asks you whether to delete
the record.
3. Click OK.

----End

3.12.5 MAC Authen


You can configure MAC address authentication globally or on an interface.

You can configure the following authentication methods for MAC address authentication on the
switch:
• Remote Authentication Dial-In User Service (RADIUS) authentication
• Local authentication

3.12.5.1 Global Configuration


The configuration of MAC address authentication takes effect on each interface only after global
MAC address authentication is enabled.

Context
MAC address authentication can be configured on an interface before global MAC address
authentication is configured, but does not take effect on the interface. After global MAC address
authentication is enabled, MAC address authentication enabled on an interface takes effect
immediately.

Procedure
Step 1 Choose Security > MAC Authen > Global Configuration in the navigation tree to open the
Global Configuration page, as shown in Figure 3-232.

Figure 3-232 Global Configuration

Table 3-184 describes the parameters on the Global Configuration page.

Table 3-184 Global Configuration

Parameter: Description

Global MAC Authentication: Indicates whether to enable global MAC address authentication. Authentication parameters can be set before global MAC address authentication is enabled, but take no effect. After global MAC address authentication is enabled, the authentication parameters of each interface take effect immediately.
The options are Enable and Disable. By default, the value is Disable.

Domain: Indicates the domain for MAC address authentication.

User Name Format: Indicates the user name format. The options are as follows:
• MAC
• Fixed user name
By default, the MAC address format is used.

MAC: Indicates the format of MAC addresses. The parameter is valid when MAC addresses of users are used as user names. The options are as follows:
• with-hyphen
• without-hyphen
By default, the value is without-hyphen.

User Name: Indicates the user name. The value is valid when the fixed user name is used for MAC address authentication.
Fixed user name: All users use the user names and passwords pre-configured on a switch; therefore, whether users can pass authentication depends on correctness of the user names and passwords and the maximum number of users allowed to use the user name.

Password: Indicates the password of the user. The value is valid when the fixed user name is used for MAC address authentication.
Set the value of this parameter according to the user name format.

Confirm Password: Enter the password again to confirm the password.

Offline Detect Timer: Indicates the value of the offline-detect timer, that is, the interval for the switch to detect whether a user is offline. When detecting that a user goes offline, the switch immediately instructs the RADIUS server to stop charging the user.

Quiet Timer: Indicates the value of the quiet timer. If a user fails to pass MAC address authentication, the switch waits for a period set by the quiet timer. Then the switch processes authentication requests from the user. During the quiet period, the switch does not process authentication requests from the user.

Step 2 Set the parameters.

Step 3 Click Apply to complete the configuration.

----End

3.12.5.2 MAC Authentication on Interface


You can query, set, and delete MAC address authentication parameters on an interface.

Context
MAC address authentication can be configured on an interface before global MAC address
authentication is configured, but does not take effect on the interface. After global MAC address
authentication is enabled, MAC address authentication configured on an interface takes effect
immediately.

Procedure
• Query the configuration of MAC address authentication on an interface.
1. Choose Security > MAC Authen > MAC Authentication on Interface in the
navigation tree to open the MAC Authentication on Interface page.
2. Set the search criteria.
3. Click Query to display all matching records.
• Configure Interface
1. Choose Security > MAC Authen > MAC Authentication on Interface in the
navigation tree to open the MAC Authentication on Interface page.
2. Select a record and click Configure. The Configure Interface page is displayed, as
shown in Figure 3-233.

Figure 3-233 Configure Interface

Table 3-185 describes the parameters on the Configure Interface page.

Table 3-185 Configure Interface

Parameter: Description

Interface Name: Indicates the name of an interface. The interface name cannot be modified. You can select multiple interfaces each time.
NOTE
If only one interface is selected, the configuration of the interface is displayed on the Configure Interface page. If multiple interfaces are selected, the default settings of the interfaces are displayed.

MAC Authentication: Indicates whether to enable MAC address authentication. The options are Enable and Disable. By default, the value is Disable.

Max of Access Users: Indicates the maximum number of access users on the specified interface enabled with MAC address authentication. If no interface is specified, all interfaces support the same number of access users.

3. Set parameters.
4. Click OK.
• Clear the configuration of MAC address authentication parameters on an interface.
1. Choose Security > MAC Authen > MAC Authentication on Interface in the
navigation tree to open the MAC Authentication on Interface page.
2. Select a record that you want to clear and click Clear Configuration.
NOTE
• To select a record, click the check box of the record.
• To delete records in batches, click the check boxes of the records.
3. Click OK.

----End

3.12.6 Ucl Group


This section describes how to create and delete a UCL group.

Context
A UCL group identifies a user type that has the same network access rights. The UCL group is
used to classify users of a type and ACLs are deployed for these users, greatly simplifying
network deployment.

In an enterprise network, a server that provides resources has a fixed IP address. The
administrator can identify this server using a UCL group and associate the server IP address with
the UCL group to form a static UCL group. After a static UCL group is created for a resource
server, the user access policies can be managed based on the UCL group to simplify network
deployment.

NOTE

This node is only available in the NAC unified mode.


Only the S5720HI supports this node.

Procedure
• Creating a UCL group
1. Choose Security > Ucl Group to display the Ucl Group page.
2. Click New in Ucl Group to display the Create Ucl Group page, as shown in Figure 3-234.

Figure 3-234 Creating a UCL group

Table 3-186 describes the parameters for creating a UCL group.

Table 3-186 Parameters for creating a UCL group

Parameter: Description

Ucl Group Index: Specifies the index of a UCL group.

Ucl Group Name: Specifies the name of a UCL group.

3. Set the parameters.
4. Click OK to complete the configuration.
• Deleting a UCL group
1. Choose Security > Ucl Group to display the Ucl Group page.
2. Select a UCL group that you want to delete and click Delete. The system asks you
whether to delete the UCL group.
3. Click OK to complete the configuration.
• Creating a static resource group
1. Choose Security > Ucl Group to display the Ucl Group page.
2. Click New in Static Resource Group to display the Create Static Resource
Group page, as shown in Figure 3-235.

Figure 3-235 Creating a static resource group

Table 3-187 describes the parameters for creating a static resource group.

Table 3-187 Parameters for creating a static resource group

Parameter: Description

Ucl Group Index: Specifies the index of a UCL group. The value must be the index of a created UCL group.

IP: Specifies the IP address of a static resource group.

Mask: Specifies the mask of the IP address.

3. Set the parameters.
4. Click OK to complete the configuration.
• Deleting a static resource group
1. Choose Security > Ucl Group to display the Ucl Group page.
2. Select a static resource group that you want to delete and click Delete. The system
asks you whether to delete the static resource group.
3. Click OK to complete the configuration.

----End

3.12.7 QoS Profile


You can define QoS configurations in a QoS profile to implement such functions as traffic
policing and priority re-marking.

Context
NOTE

This node is only available in the NAC unified mode.


Only the S5720HI supports this node.

3.12.7.1 QoS Profile


This section describes how to configure a QoS profile.

Context
You can configure inbound/outbound traffic policy, 802.1p priority re-marking, and DSCP
priority re-marking in a QoS profile.

Procedure
• Query a QoS profile.
1. Choose Security > QoS Profile > QoS Profile to open the QoS Profile page.
2. Enter the name of the QoS profile in the text box, for example, test.
3. Click Query to display all matching records, as shown in Figure 3-236.
NOTE
If no QoS profile name is entered, when you click Query, information about all QoS profiles
is displayed.

Figure 3-236 QoS Profile

• Create a QoS profile.
1. Choose Security > QoS Profile > QoS Profile to open the QoS Profile page.
2. Click New. The Create QoS Profile page is displayed.

Table 3-188 describes the parameters on the Create QoS Profile page, as shown in
Figure 3-237.

Figure 3-237 Create QoS Profile

Table 3-188 Parameters on the Create QoS Profile page

Parameter: Description

QoS Profile Name: Specifies the name of a new QoS profile. This parameter is mandatory.

802.1p Precedence: Specifies the re-marked 802.1p priority of packets.

DSCP Precedence: Specifies the re-marked DSCP priority of packets.

Inbound CAR Parameters, CIR: Specifies the inbound committed information rate (CIR), which is the allowed rate at which traffic can pass through.

Inbound CAR Parameters, PIR: Specifies the inbound peak information rate (PIR), which is the maximum rate of traffic that can pass through an interface.

Inbound CAR Parameters, CBS: Specifies the inbound committed burst size (CBS), which is the average volume of burst traffic that can pass through an interface.

Inbound CAR Parameters, PBS: Specifies the inbound peak burst size (PBS), which is the maximum volume of burst traffic that can pass through an interface.

Outbound CAR Parameters, CIR: Specifies the outbound CIR, which is the allowed rate at which traffic can pass through.

Outbound CAR Parameters, PIR: Specifies the outbound PIR, which is the maximum rate of traffic that can pass through an interface.

Outbound CAR Parameters, CBS: Specifies the outbound CBS, which is the average volume of burst traffic that can pass through an interface.

Outbound CAR Parameters, PBS: Specifies the outbound PBS, which is the maximum volume of burst traffic that can pass through an interface.

3. Set parameters.
4. Click OK.
• Modify a QoS profile.
1. Choose Security > QoS Profile > QoS Profile to open the QoS Profile page.
2. Click next to a record to open the Modify QoS Profile page.
NOTE
• Table 3-188 describes the parameters on the Modify QoS Profile page.
• The QoS profile name cannot be modified.
3. Set parameters.
4. Click OK.
• Delete a QoS profile.
1. Choose Security > QoS Profile > QoS Profile to open the QoS Profile page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE
• To select a record, click the checkbox of the record.
• To delete records in batches, click the checkboxes of records.
3. Click OK.

----End

3.12.7.2 CAR Profile


This section describes how to configure a CAR profile.

Context
You can configure inbound/outbound traffic policing in a CAR profile.

Procedure
• Query a CAR profile.
1. Choose Security > QoS Profile > CAR Profile to open the CAR Profile page.
2. Enter the name of the CAR profile in the text box, for example, test.
3. Click Query to display all matching records, as shown in Figure 3-238.
NOTE
If no CAR profile name is entered, when you click Query, information about all CAR profiles
is displayed.

Figure 3-238 CAR Profile

• Create a CAR profile.
1. Choose Security > QoS Profile > CAR Profile to open the CAR Profile page.
2. Click New. The Create CAR Profile page is displayed.

Table 3-189 describes the parameters on the Create CAR Profile page, as shown in
Figure 3-239.

Figure 3-239 Create CAR Profile

Table 3-189 Parameters on the Create CAR Profile page

Parameter: Description

CAR Profile Name: Specifies the name of a new CAR profile. This parameter is mandatory.

CIR: Specifies the committed information rate (CIR), which is the guaranteed average transmission rate. This parameter is mandatory.

PIR: Specifies the peak information rate (PIR), which is the maximum rate of traffic that can pass through an interface.

CBS: Specifies the committed burst size (CBS), which is the average volume of burst traffic that can pass through an interface.

PBS: Specifies the peak burst size (PBS), which is the maximum volume of burst traffic that can pass through an interface.

3. Set parameters.
4. Click OK.
• Modify a CAR profile.
1. Choose Security > QoS Profile > CAR Profile to open the CAR Profile page.
2. Click next to a record to open the Modify CAR Profile page.
NOTE
• Table 3-189 describes the parameters on the Modify CAR Profile page.
• The CAR profile name cannot be modified.
3. Set parameters.
4. Click OK.
• Delete a CAR profile.
1. Choose Security > QoS Profile > CAR Profile to open the CAR Profile page.
2. Select a record that you want to delete and click Delete. The system asks you whether
to delete the record.
NOTE
• To select a record, click the checkbox of the record.
• To delete records in batches, click the checkboxes of records.
3. Click OK.

----End
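
The CIR, PIR, CBS, and PBS values in Table 3-188 and Table 3-189 are the inputs of a two-bucket policer, and the following added example (not Huawei code) shows how they interact on a burst of traffic. It assumes the two-rate three-color marker of RFC 2698, rates in bit/s, and burst sizes in bytes; the page does not state which algorithm or units the switch uses, and all names and sample values are constructed.

```python
"""Two-rate three-color policer driven by CIR/PIR/CBS/PBS (added example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class CarProfile:
    cir_bps: int     # committed information rate, bit/s (unit assumed)
    pir_bps: int     # peak information rate, bit/s (unit assumed)
    cbs_bytes: int   # committed burst size, bytes (unit assumed)
    pbs_bytes: int   # peak burst size, bytes (unit assumed)

    def validate(self):
        """Return a list of problems; RFC 2698 requires PIR >= CIR."""
        errors = []
        if self.cir_bps <= 0 or self.pir_bps <= 0:
            errors.append("CIR and PIR must be positive")
        if self.pir_bps < self.cir_bps:
            errors.append("PIR must be greater than or equal to CIR")
        if self.cbs_bytes <= 0 or self.pbs_bytes <= 0:
            errors.append("CBS and PBS must be positive")
        return errors


class Policer:
    def __init__(self, profile, start=0.0):
        self.profile = profile
        self.tc = float(profile.cbs_bytes)   # committed bucket starts full
        self.tp = float(profile.pbs_bytes)   # peak bucket starts full
        self.last = start

    def _refill(self, now):
        # Tokens (bytes) accumulate at CIR and PIR, capped at CBS and PBS.
        elapsed = now - self.last
        self.last = now
        p = self.profile
        self.tc = min(p.cbs_bytes, self.tc + elapsed * p.cir_bps / 8)
        self.tp = min(p.pbs_bytes, self.tp + elapsed * p.pir_bps / 8)

    def color(self, now, size):
        """Color one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tp < size:
            return "red"        # above PIR/PBS: typically dropped
        self.tp -= size
        if self.tc < size:
            return "yellow"     # above CIR/CBS but within PIR/PBS
        self.tc -= size
        return "green"          # within the committed rate


def police(profile, packets):
    """Color a list of (timestamp_s, size_bytes) packets under a profile."""
    errors = profile.validate()
    if errors:
        raise ValueError("; ".join(errors))
    policer = Policer(profile)
    return [policer.color(ts, size) for ts, size in packets]


def bytes_by_color(packets, colors):
    """Total bytes that received each color."""
    totals = Counter()
    for (_, size), color in zip(packets, colors):
        totals[color] += size
    return dict(totals)


# Constructed sample: 1000 B/s committed, 2000 B/s peak, and a burst of four
# 1000-byte packets at t=0 followed by two later packets.
PROFILE = CarProfile(cir_bps=8000, pir_bps=16000, cbs_bytes=1500, pbs_bytes=3000)
PACKETS = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (0.0, 1000),
           (1.0, 1000), (1.25, 1000)]

if __name__ == "__main__":
    colors = police(PROFILE, PACKETS)
    print(colors)
    print(bytes_by_color(PACKETS, colors))
```

In the sample burst, CBS admits the first packet as green, PBS absorbs the next two as yellow, and the fourth exceeds both buckets and is marked red.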

3.12.8 Authentication Event


This chapter describes how to configure service schemes for different authentication events.

NOTE

This node is only available in the NAC unified mode.


Only the S5720HI supports this node.

3.12.8.1 Pre-authentication

Context
Users in pre-authentication state have no network access policy.

To meet their network access requirements (for example, update the virus library and download
client software), service schemes can be used to assign certain network access rights to the users
in pre-authentication state.

Procedure
• Applying a service scheme to users in pre-authentication state
1. Choose Security > Authentication Event > Pre-Authentication to display the
Pre-Authentication page.
2. Select a service scheme and click Apply, as shown in Figure 3-240.

Figure 3-240 Applying a service scheme to users in pre-authentication state

Table 3-190 describes the parameters for applying a service scheme to users in
pre-authentication state.

Table 3-190 Parameters for applying a service scheme to users in pre-authentication state

Parameter: Description

Service Scheme: Name of the service scheme applied to users in pre-authentication state.

• Deleting the service scheme applied to users in pre-authentication state
1. Choose Security > Authentication Event > Pre-Authentication to display the
Pre-Authentication page.
2. Click Clear Configuration. The system asks you whether to delete the service
scheme.
3. Click OK to complete the configuration.

----End

3.12.8.2 Authentication-Failed

Context
Users do not have any network access policies when they fail to be authenticated for some
reason (for example, the users enter incorrect user names or passwords, or the
authentication server is down).

To meet their network access requirements (for example, update the virus library and download
client software), service schemes can be used to assign certain network access rights to the users
who fail to be authenticated.

NOTE

There are four scenarios for applying and deleting service schemes for users who fail to be authenticated.
This section uses the scenario Apply to Authentication Server response fail to users as an example. The
operations for the other scenarios are similar and are not described here.

Procedure
• Applying a service scheme to users who fail to be authenticated
1. Choose Security > Authentication Event > Authentication-Failed to display the
Authentication-Failed page.
2. Select a service scheme in Apply to Authentication Server response fail to users
and click Apply, as shown in Figure 3-241.

Figure 3-241 Applying a service scheme to users who fail to be authenticated

Table 3-191 describes the parameters for applying a service scheme to users who fail
to be authenticated.

Table 3-191 Parameters for applying a service scheme to users who fail to be authenticated

Parameter: Description

Service Scheme: Name of the service scheme applied to users who fail to be authenticated.

• Deleting the service scheme applied to users who fail to be authenticated
1. Choose Security > Authentication Event > Authentication-Failed to display the
Authentication-Failed page.
2. Click Clear Configuration in Apply to Authentication Server response fail to
users. The system asks you whether to delete the service scheme.
3. Click OK to complete the configuration.

----End

3.12.9 SSL
You can create, modify, and delete SSL policies.

Context
The Secure Sockets Layer (SSL) protocol uses data encryption, identity authentication, and
message integrity check to ensure security of Transmission Control Protocol (TCP)-based
application layer protocols. An SSL policy can be applied to application layer protocols to
provide secure connections.

NOTE

This node is only available in the NAC unified mode.


Only the S5720HI supports this node.

Procedure
• Create an SSL policy.
1. Choose Security > SSL in the navigation tree to open the SSL configuration page.
2. Click Create to open the Create SSL Policy page, as shown in Figure 3-242.

Figure 3-242 Create SSL Policy

Table 3-192 describes the parameters on the page.


Table 3-192 Create SSL Policy

Parameter           Description

SSL policy name     Indicates the name of the SSL policy. The value is case insensitive.

Cert type           Indicates the certificate type.
                    • pem: indicates the certificate in PEM format. The PEM format is most
                      commonly used. The file name extension of a PEM digital certificate
                      is .pem.
                    • asn1: indicates the certificate in ASN1 format. The ASN1 format is a
                      universal digital certificate format. The file name extension of an
                      ASN1 digital certificate is .der.
                    • pfx: indicates the certificate in PFX format. The PFX format is a
                      universal digital certificate format. The file name extension of a
                      PFX digital certificate is .pfx.

Cert name           Indicates the name of a certificate file. The file is saved in the
                    sub-directory security of the system directory.

Key pair type       Indicates the type of key pair.
                    • DSA: indicates that the key pair type is DSA.
                    • RSA: indicates that the key pair type is RSA.

Verification type   Indicates the type of verification. This parameter is available only
                    when the certificate type is PFX.
                    • keyPairFile: indicates that the verification type is key pair file.
                    • macCode: indicates that the verification type is MAC code.

MAC code            Indicates the message authentication code. This parameter is available
                    only when the certificate type is PFX and verification mode is MAC code.

Key pair file       Indicates the name of the key pair file. The file is saved in the
                    sub-directory security of the system directory.
                    This parameter is unavailable when the certificate type is PFX and
                    verification mode is MAC code.

Auth code           Indicates the authentication code of the key pair file. This parameter
                    is available only when the certificate type is PEM or PFX.

  3. Set the required parameters.
  4. Click OK to complete the configuration.
• Modify an SSL policy.
  1. Choose Security > SSL in the navigation tree to open the SSL configuration page.
  2. Select the SSL policy that you want to modify. Click the icon of the SSL policy to open
     the Modify SSL Policy page, as shown in Figure 3-243.

     Figure 3-243 Modify SSL Policy

  3. Set the required parameters.
  4. Click OK to complete the configuration.
• Delete an SSL policy.
  1. Choose Security > SSL in the navigation tree to open the SSL configuration page.
  2. Select the SSL policy that you want to delete and click Delete. The system asks you
     whether to delete the policy.
  3. Click OK to complete the configuration.

----End
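
A pre-upload check for the Cert type and file name extension pairs listed in Table 3-192, as an added example that is not part of the original guide or of Huawei's software. The function names are hypothetical, the sample byte strings are constructed skeletons rather than real certificates, and the content test relies on the standard X.509 and PKCS#12 outer structures, not on documented device behaviour.

```python
import base64
import re

# File name extensions that Table 3-192 gives for each Cert type value.
EXPECTED_EXT = {"pem": ".pem", "asn1": ".der", "pfx": ".pfx"}

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos):
    """Parse one DER header at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of data")
    return tag, pos, pos + length


def classify_der(der):
    """Tell an X.509 certificate from a PKCS#12 (PFX) container by structure."""
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    inner_tag, v_start, v_end = read_tlv(der, start)
    if inner_tag == 0x30:                  # Certificate starts with tbsCertificate SEQUENCE
        return "asn1"
    if inner_tag == 0x02 and der[v_start:v_end] == b"\x03":   # PFX version INTEGER 3
        return "pfx"
    raise ValueError("DER data is neither a certificate nor a PFX container")


def detect_cert_type(data):
    """Return 'pem', 'asn1' or 'pfx' for the file content, or raise ValueError."""
    match = PEM_RE.search(data)
    if match:
        der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        if classify_der(der) != "asn1":
            raise ValueError("PEM block does not wrap a certificate")
        return "pem"
    return classify_der(data)


def check_upload(filename, data, selected_type):
    """List mismatches between the file and the Cert type selected in the policy."""
    problems = []
    ext = EXPECTED_EXT[selected_type]
    if not filename.lower().endswith(ext):
        problems.append(f"file name should end in {ext}")
    try:
        actual = detect_cert_type(data)
    except ValueError as exc:              # also covers base64 decoding errors
        problems.append(f"unrecognised content: {exc}")
    else:
        if actual != selected_type:
            problems.append(f"content is {actual}, not {selected_type}")
    return problems


# Constructed skeletons (not valid certificates): just enough DER to show the shapes.
CERT_SKELETON = bytes.fromhex("3008" "3003020102" "020101")
PFX_SKELETON = bytes.fromhex("3008" "020103" "3003060100")
PEM_SAMPLE = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(CERT_SKELETON)
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob, chosen in [("portal.pem", PEM_SAMPLE, "pem"),
                               ("portal.pem", CERT_SKELETON, "pem"),
                               ("portal.cer", PFX_SKELETON, "asn1")]:
        print(name, chosen, check_upload(name, blob, chosen) or "ok")
```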


3.12.10 Portal Authentication


This chapter describes how to configure Portal authentication.

In Portal authentication, users do not need a specific client. The Portal server provides users with
free portal services and a Portal authentication page.

NOTE

This node is only available in the NAC unified mode.

Only the S5720HI supports this node.

3.12.10.1 External Portal Server


This section describes how to configure external Portal authentication.

Context
The Portal server is classified as either the external Portal server or the built-in Portal server.
The external Portal server has independent hardware, while the built-in Portal server is an entity
embedded in the access device (that is, functions of the Portal server are implemented by the
access device).

During external Portal authentication, you must configure parameters for the Portal server (for
example, the IP address for the Portal server) to ensure smooth communication between the
device and the Portal server.

Procedure
• Setting the maximum number of users
  1. Choose Security > Portal Authentication > External Portal Server.
  2. In the Maximum number of users area, set the maximum number of Portal
     authentication users and then click Apply.
• Querying an authentication server
  1. Choose Security > Portal Authentication > External Portal Server.
  2. In the Portal Servers area, view all authentication servers. You can set Search, enter
     a keyword, and click Go to search for an authentication server.
• Creating an authentication server
  1. Choose Security > Portal Authentication > External Portal Server.
  2. In the Portal Servers area, click Create. The Create Portal Server dialog box is
     displayed, as shown in Figure 3-244.


Figure 3-244 Creating an authentication server

Table 3-193 describes the parameters for creating an authentication server.

Table 3-193 Parameters for creating an authentication server

Parameter           Description

Server name         User-defined name of the Portal server, which identifies an
                    authentication server. This parameter is mandatory.

URL                 URL of the Portal server.

SSID                SSID that users associate with.

URL Option          Click User-defined and set parameters for the URL in User-Defined URL.
                    For details, see Table 3-194. URL Example displays the URL that carries
                    the configured parameters.

Port number         Number of the port that the device uses to listen for Portal protocol
                    packets.

Shared key          Shared key that the device uses to exchange information with the Portal
                    server.

Server IP address   IP address of the Portal server.
                    Enter an IP address and click the add icon. To delete an IP address,
                    select an IP address and click the delete icon.
                    To configure multiple IP addresses, set URL for the Portal server.

Click User-defined in URL Option to display the page for customizing the URL, as
shown in Figure 3-245.

Figure 3-245 Customizing the URL


Table 3-194 URL parameters

Parameter            Description

AC-IP                Carries the AC IP address in the URL and sets the parameter name.

AC-MAC               Carries the AC MAC address in the URL and sets the parameter name.

AP-IP                Carries the AP IP address in the URL and sets the parameter name.

AP-MAC               Carries the AP MAC address in the URL and sets the parameter name.

Redirect-to URL      Carries the original URL that a user accesses in the URL and sets the
                     parameter name.

SSID                 Carries the SSID that users associate with in the URL and sets the
                     parameter name.

User IP address      Carries the user IP address in the URL and sets the parameter name.

User MAC address     Carries the user MAC address in the URL and sets the parameter name.

System name          Carries the device system name in the URL and sets the parameter name.

MAC address format   • Without hyphens.
                     • normal: Sets the MAC address format to XXXX-XXXX-XXXX. You can
                       specify a character as the delimiter.
                     • compact: Sets the MAC address format to XX-XX-XX-XX-XX-XX. You can
                       specify a character as the delimiter.

  3. Click OK.
• Modifying an authentication server
  1. Choose Security > Portal Authentication > External Portal Server.
  2. In the Portal Servers area, click the icon corresponding to an authentication server.
  3. Set parameters on the Modify Portal Server page, as shown in Figure 3-246.


Figure 3-246 Modifying an authentication server

  4. Click OK.
• Deleting an authentication server
  1. Choose Security > Portal Authentication > External Portal Server.
  2. In the Portal Servers area, select an authentication server and click Delete. The
     system asks you whether to delete the policy.
  3. Click OK to complete the configuration.

----End
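
How an external Portal server could validate the parameters that Table 3-194 says are carried in the URL, including the three MAC address layouts, as an added example that is not part of the original guide or of any Huawei or Portal server code. The parameter names, the sample URL and the function names are constructed for illustration, because the administrator chooses the real parameter names in User-Defined URL.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names are chosen by the administrator in User-Defined URL.
# The names on the right are constructed for this example.
PARAM_NAMES = {
    "ac_ip": "ac-ip",
    "user_ip": "userip",
    "user_mac": "usermac",
    "ssid": "ssid",
    "redirect": "url",
}

# The three MAC layouts in Table 3-194; the delimiter is any one non-hex character.
MAC_LAYOUTS = (
    re.compile(r"[0-9a-f]{12}"),                                          # without hyphens
    re.compile(r"[0-9a-f]{4}([^0-9a-f])[0-9a-f]{4}\1[0-9a-f]{4}"),        # normal
    re.compile(r"[0-9a-f]{2}([^0-9a-f])[0-9a-f]{2}(?:\1[0-9a-f]{2}){4}"),  # compact
)


def normalise_mac(text):
    """Accept any configured layout and return aa:bb:cc:dd:ee:ff."""
    low = text.strip().lower()
    if not any(p.fullmatch(low) for p in MAC_LAYOUTS):
        raise ValueError(f"unrecognised MAC address layout: {text!r}")
    digits = re.sub(r"[^0-9a-f]", "", low)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_portal_query(url, names=PARAM_NAMES):
    """Validate the parameters appended to the Portal URL; raise ValueError if bad."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def single(field):
        # A repeated parameter is rejected instead of silently picking one value.
        values = query.get(names[field], [])
        if len(values) != 1:
            raise ValueError(
                f"expected exactly one {names[field]!r} parameter, got {len(values)}")
        return values[0]

    target = urlsplit(single("redirect"))
    if target.scheme not in ("http", "https") or not target.hostname:
        raise ValueError("original URL must be an absolute http(s) URL")
    ssid = single("ssid")
    if not 1 <= len(ssid.encode("utf-8")) <= 32:     # 802.11 SSID length limit
        raise ValueError("SSID must be 1 to 32 bytes long")
    return {
        "ac_ip": str(ipaddress.ip_address(single("ac_ip"))),
        "user_ip": str(ipaddress.ip_address(single("user_ip"))),
        "user_mac": normalise_mac(single("user_mac")),
        "ssid": ssid,
        "redirect": target.geturl(),
    }


# Constructed request URL using the documentation address ranges.
SAMPLE_URL = ("https://portal.example.test/login?ac-ip=192.0.2.1&userip=192.0.2.25"
              "&usermac=0011-2233-aabb&ssid=guest"
              "&url=http%3A%2F%2Fwww.example.test%2Fnews%3Fid%3D7")

if __name__ == "__main__":
    for key, value in parse_portal_query(SAMPLE_URL).items():
        print(f"{key:9} {value}")
```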

3.12.10.2 Built-in Portal Server


This section describes how to configure built-in Portal authentication.

Context
The Portal server is classified as either the external Portal server or the built-in Portal server.
The external Portal server has independent hardware, while the built-in Portal server is an entity
embedded in the access device (that is, functions of the Portal server are implemented by the
access device).

During the built-in Portal server configuration process, to ensure that the server can provide the
web authentication service, set parameters such as SSL policy, Port, and Web page file.


Procedure
Step 1 Choose Security > Portal Authentication > Built-in Portal Server.

Step 2 On the Built-in Portal Server tab page, set parameters and click Apply, as shown in Figure
3-247.

Figure 3-247 Configuring the built-in Portal server

Table 3-195 describes the parameters for configuring the built-in Portal server.

Table 3-195 Built-in Portal server parameters

Parameter             Description

Server IP address     IP address of the Portal server. Users are then redirected to the
                      Portal server if they enter URLs that are not located in the free IP
                      subnet.
                      NOTE
                      • The IP address assigned to the built-in Portal server must have a
                        reachable route to the user.
                      • The built-in Portal server cannot use the gateway IP address of the
                        device interface connected to clients.
                      • It is recommended that a loopback interface address be assigned to
                        the built-in Portal server because the loopback interface is stable.
                        Additionally, packets destined for loopback interfaces are not sent
                        to other interfaces on the network; therefore, system performance
                        does not deteriorate even if many users request to go online.

SSL policy            SSL policy applied to HTTPS services provided by the Portal server.

Port                  Port that provides the authentication service on the Portal server.

Authentication mode   Authentication mode, including PAP and CHAP. You are advised to use
                      CHAP, which provides higher security.

Web page file         File in .zip format. The file contains web pages that users access
                      during authentication.

----End

3.12.10.3 Customized Page


This section describes how to customize the web authentication page.

Context
When using built-in Portal authentication, you can customize the web authentication page to
meet requirements of different enterprises. You can design the page background, company logo,
and advertisement to customize the page.

Procedure
Step 1 Choose Security > Portal Authentication > Customized Page. The Customized Page is
displayed.

Step 2 Click Page Style. Three page styles are displayed. The first two are default styles and the last
one is a customized style.
• Default style: use the default background and user-defined logo and advertisement images.
  The logo and advertisement image are displayed in preconfigured areas.
• Customized style: use a user-defined image as the background.

Step 3 Set page parameters described in Table 3-196, as shown in Figure 3-248.


Figure 3-248 Customized page

Table 3-196 Customized page parameters

Item                                      Description

LOGO                                      The logo is displayed at the upper left corner on
                                          the Portal page.
                                          Click Browse and select an image.
                                          The logo image size cannot be larger than 128 KB.
                                          The logo image can be in JPG, JPEG, or PNG format,
                                          with resolutions within 591 x 80 pixels.

Advertisement Image                       The advertisement is displayed at the right side of
                                          the Portal page.
                                          Click Browse and select an image.
                                          The advertisement image size cannot be larger than
                                          256 KB. The image can be in JPG, JPEG, or PNG
                                          format, with resolutions within 670 x 405 pixels.

Background Image                          Click Browse and select an image.
                                          The background image size cannot be larger than
                                          512 KB. The image can be in JPG, JPEG, or PNG
                                          format, with resolutions within 1366 x 768 pixels.

Background color                          Set a background color to fill in areas not covered
                                          by the background image.
                                          The hexadecimal notation of the RGB color model is
                                          used for setting colors of web page elements. The
                                          color value represents the intensity of additive
                                          primary colors, red, green, and blue. The lowest
                                          intensity and highest intensity of each color are
                                          respectively 0 and 255. The intensity value of each
                                          primary color is represented by a hexadecimal
                                          number. The three values are listed together and
                                          prefixed with the pound sign (#). For example, the
                                          color value #FF0000 indicates red.

Acceptable Use Policy (in HTML format)    The administrator can edit the login page used for
                                          user authentication to customize a disclaimer page.
                                          The hyperlink Acceptable Use Policy will be
                                          displayed on the login page. You can click the link
                                          to visit the disclaimer page.

Portal usage guideline (in HTML format)   This area is displayed on the right of the Portal
                                          login page. You can customize the display contents
                                          in the area.

Step 4 Click Apply. The configuration takes effect.


To reconfigure the Portal page, click Clear Config. To preview the customized page, click
Preview.

----End

3.12.10.4 Portal Free Rule


This section describes how to set portal free rules.

Context
You can set portal free rules for portal authentication users so that the users can access specified
network resources without being authenticated or when the users fail authentication.

Procedure
• Searching for a portal free rule
  1. Choose Security > Portal Authentication > Portal Free Rule.
  2. In the Portal Free Rule area, view all portal free rules. You can enter a rule ID, and
     click Search to search for a portal free rule.
• Creating a portal free rule


  1. Choose Security > Portal Authentication > Portal Free Rule.
  2. In the Portal Free Rule area, click Create. The Create Portal Free Rule dialog
     box is displayed, as shown in Figure 3-249.

Figure 3-249 Creating a portal free rule

Table 3-197 describes the parameters for creating a portal free rule.

Table 3-197 Parameters for creating a portal free rule

Parameter                  Description

-
  Rule ID                  ID of a portal free rule.
                           NOTE
                           The value range varies depending on the device type.

Source IP: If IP addresses carried by packets from a Portal authentication user are the
same as the IP address set in the Source IP area, the user does not need to be
authenticated and can access IP addresses specified in the Destination IP area.
  Free-rule                All users do not need to be authenticated.
  IP address               IP address of a user.
  Mask                     Network segment where a user is located.
  Interface name           Interface for transmitting packets. To select an interface,
                           click the icon, select an interface from the interface list,
                           and click OK.
  VLAN                     VLAN where a user is located.

Destination IP: IP addresses that portal free rule users can access are specified in the
Destination IP area.
  Free-rule                Portal free rule users can access any destination IP.
  IP address               IP address that portal free rule users can access.
  Mask                     Network segment that portal free rule users can access.

  3. Click OK. The portal free rule is displayed in the portal free rule list.
• Modifying a portal free rule
  1. Choose Security > Portal Authentication > Portal Free Rule.
  2. In the Portal Free Rule area, click the icon corresponding to a portal free rule.
  3. The Modify Portal Free Rule dialog box is displayed, as shown in Figure 3-250.

Figure 3-250 Modifying a portal free rule

  4. Click OK.
• Deleting a portal free rule
  1. Choose Security > Portal Authentication > Portal Free Rule.
  2. In the Portal Free Rule area, select a portal free rule and click Delete. The system
     asks you whether to delete the policy.


3. Click OK to complete the configuration.

----End
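
Because a portal free rule lets traffic through without authentication, it is worth reviewing which rules reach networks that should stay behind the Portal. The following model of the Table 3-197 fields is an added example, not part of the original guide or of the switch software. The class and function names, the rule set and the addresses are constructed, and it assumes that the Mask field is a dotted mask and that the source IP, interface and VLAN conditions of one rule must all match.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")   # models the Free-rule choice in Table 3-197


@dataclass(frozen=True)
class FreeRule:
    rule_id: int
    source: ipaddress.IPv4Network = ANY        # Source IP: IP address + Mask, or Free-rule
    destination: ipaddress.IPv4Network = ANY   # Destination IP: IP address + Mask, or Free-rule
    interface: Optional[str] = None            # None: not tied to an interface
    vlan: Optional[int] = None                 # None: not tied to a VLAN


def net(address, mask):
    """Build a network from the IP address and Mask fields (dotted mask assumed)."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def matching_rules(rules, src_ip, dst_ip, interface=None, vlan=None):
    """Return the IDs of the rules that let this unauthenticated packet through."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    hits = []
    for rule in rules:
        if src not in rule.source or dst not in rule.destination:
            continue
        if rule.interface is not None and rule.interface != interface:
            continue
        if rule.vlan is not None and rule.vlan != vlan:
            continue
        hits.append(rule.rule_id)
    return hits


def audit(rules, protected, max_source_prefix=24):
    """Flag rules that expose a protected network or trust a wide source range."""
    findings = []
    for rule in rules:
        for network in protected:
            if rule.destination.overlaps(network):
                findings.append(
                    (rule.rule_id,
                     f"destination {rule.destination} overlaps protected {network}"))
        unscoped = rule.interface is None and rule.vlan is None
        if (rule.destination == ANY and unscoped
                and rule.source.prefixlen < max_source_prefix):
            findings.append(
                (rule.rule_id, f"any destination from wide source {rule.source}"))
    return findings


# Constructed rule set and protected network for the demonstration.
RULES = [
    FreeRule(1, destination=net("192.0.2.53", "255.255.255.255")),   # all users to one server
    FreeRule(2, source=net("10.1.0.0", "255.255.0.0")),              # a /16 to any destination
    FreeRule(3, source=net("10.2.5.0", "255.255.255.0"),
             destination=net("10.9.0.0", "255.255.0.0"), vlan=30),
]
PROTECTED = [ipaddress.ip_network("10.9.8.0/24")]

if __name__ == "__main__":
    print(matching_rules(RULES, "10.1.4.7", "10.9.8.10"))
    for rule_id, reason in audit(RULES, PROTECTED):
        print(f"rule {rule_id}: {reason}")
```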

3.12.11 Security Protection


Configure ACL Filtering to control incoming or outgoing traffic.

Context
An ACL is a set of rules that can only differentiate packets.

After ACLs are configured, you can configure ACL filtering to apply the ACLs so that packets
are filtered.

NOTE

This node is only available in the NAC unified mode.

Only the S5720HI supports this node.

Procedure
• Creating an ACL filtering rule
  1. Choose Security > Security Protection > ACL Filtering.
  2. Click Create and set parameters in the Create ACL Filtering dialog box that is
     displayed, as shown in Figure 3-251. Table 3-198 describes the parameters.

Figure 3-251 Create ACL Filtering


Table 3-198 Parameters for creating an ACL filtering rule

Parameter     Description

Filter Type   • global: ACL filtering applied globally
              • Service Set: ACL filtering applied to a service set
              Click the icon, select an interface or service set from the list, and click
              OK. You can enter the interface name or service set name and click Search to
              find an interface or a service set.

ACL           Name of an ACL to apply.
              Click the icon, select an ACL from the list, and click OK. You can enter the
              ACL name and click Search to find an ACL.
              NOTE
              You can select an ACL created in 3.9.2 ACL from the Select ACL drop-down list
              box.
              Only user ACLs numbered 6000 to 6999 can be applied globally to filter
              packets. Only advanced ACLs numbered 3000 to 3031 and user ACLs numbered
              6000 to 6031 can be applied to a service set to filter packets.

Direction     Direction of the packets to which an ACL filtering rule is applied.
              ACL filtering can be used only in the inbound direction.

  3. Click OK. An ACL filtering rule is added to the ACL filtering list.
• Modifying an ACL filtering rule
  1. Choose Security > Security Protection > ACL Filtering.
  2. Click the icon of an ACL filtering rule.
  3. In the Modify ACL Filtering dialog box that is displayed, modify the ACL as described
     in Table 3-198.
  4. Click OK.
• Deleting an ACL filtering rule
  1. Choose Security > Security Protection > ACL Filtering.
  2. Select the check box of an ACL filtering rule and click Delete.
  3. In the dialog box that is displayed, click OK.

----End


3.13 Tools
This document describes the commands for maintaining and diagnosing the switch, that is, ping,
tracert, VCT, AAA Test, and RF-Ping.

3.13.1 Ping
The ping command is used to check network connectivity and host reachability.

Context
The ping command is used to check network connectivity and host reachability.

Procedure
Step 1 Choose Tools > Ping in the navigation tree to open the Ping page.

Step 2 Enter the IP address in the ping text box and click Start. The network connection information
is displayed, as shown in Figure 3-252.

Figure 3-252 Ping


NOTE

If no response packets are received within the timeout interval, the following information is displayed:
Request time out
The preceding information shows that a link is faulty.

----End

3.13.2 Tracert
You can use the tracert command to test the gateways that packets pass through from the source
host to the destination host. The tracert command is used to check network connectivity and
locate network faults.

Context
The Tracert command, also called Trace Route, helps you check the IP addresses and the
number of gateways between the source and the destination. Tracert is used to check network
connectivity and locate network faults.

Procedure
Step 1 Choose Tools > Tracert in the navigation tree to open the Tracert page.

Step 2 Enter the IP address in the tracert text box and click Start. The Layer 3 devices that
packets pass through between the source host and the destination host are displayed, as shown
in Figure 3-253.

Figure 3-253 Tracert


NOTE

• The output of the tracert command includes IP addresses of all the gateways through which
  the packet reaches the destination. If one gateway sends back a packet indicating TTL
  timeout, * is displayed.
• The tracert test may take a long time.

----End

3.13.3 VCT
The VCT function controls the hardware interfaces and displays the cable status on the GUI so
that you can conveniently and quickly locate faults and check lengths of cables.

Context
The VCT function helps to detect the type of a network cable fault and locate the faulty point.
In this manner, network cable faults can be conveniently located.

Procedure
Step 1 Choose Tools > VCT in the navigation tree. The VCT page is displayed.

Step 2 Select an interface. You can select only one interface each time.

Step 3 Click Start.

NOTICE
The system displays a message requesting you to confirm the operation. The operation may
cause Web NMS disconnected from the server. Continue?

Step 4 Click OK. The returned information is displayed, as shown in Figure 3-254.

Figure 3-254 VCT

----End

3.13.4 AAA Test


The AAA test tool is used to check whether the user can pass the RADIUS authentication.


Context
The AAA test tool checks whether a specified user can pass the RADIUS authentication.

NOTE

This node is only available in the NAC unified mode.

Only the S5720HI supports this node.

Procedure
Step 1 Choose Tools > AAA Test in the navigation tree.

Step 2 Enter parameters such as the RADIUS server template, authentication mode, user name, and
password. For parameter information, see Table 3-199.

Table 3-199 AAA test parameters

Parameter                Description

RADIUS server template   RADIUS server template used in the authentication.

Authentication mode      Authentication mode used in the authentication.
                         • - none -
                         • CHAP
                         • PAP

User name                User name of the user to be tested.

Password                 Password of the user to be tested.

Step 3 Click Start.

After the AAA test is performed, the test result is displayed.

----End

3.13.5 RF-Ping
After the RF-Ping function is enabled, the device can automatically detect quality of wireless
links.

Context
The RF-Ping tool checks the quality of the link between the AP and STA.

After the RF-Ping test is performed, the test result is displayed.

NOTE

This node is only available in the NAC unified mode.

Only the S5720HI supports this node.


Procedure
Step 1 Choose Tools > RF-Ping.

Step 2 In the MAC address text box, enter the MAC address of the STA.

Step 3 Click Start.

----End

3.14 Configuration Examples


The following sections illustrate service configurations using several examples.

3.14.1 Example of Configuring VLANs


An example is provided to illustrate how to enable the users connected to different switches to
communicate with each other through the same VLAN.

Networking Requirements
As shown in Figure 3-255, an enterprise has four departments. Department 1 is connected to
GE0/0/1 of Switch through Switch1. Department 2 is connected to GE0/0/2 of Switch through
LSW-A. Department 3 is connected to GE0/0/3 of Switch through LSW-B. Department 4 is connected
to GE0/0/4 of Switch through Switch2. The requirements are as follows:


• Department 1 and department 2 in VLAN 2 are separated from department 3 and department
  4 in VLAN 3.
• Department 1 and department 2 in VLAN 2 can communicate with each other.
• Department 3 and department 4 in VLAN 3 can communicate with each other.

Networking Diagram

Figure 3-255 Networking diagram of VLAN configurations

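[Diagram: Switch connects to the network and, through GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4,
to Switch1 (Department 1), LSW-A (Department 2), LSW-B (Department 3), and Switch2
(Department 4). Departments 1 and 2 are in VLAN 2; Departments 3 and 4 are in VLAN 3.]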

Procedure
• Add GE0/0/1 to VLAN 2 on Switch.
  1. Choose Service Management > VLAN > Hybrid port in the navigation tree to open
     the Hybrid port page.
  2. On the Hybrid port page, click the icon indicating the GigabitEthernet0/0/1
     interface to open the Modify VLAN configuration on interface page.
  3. Enter 2 in the Tagged VLAN text box.
  4. Click OK.
  NOTE

  If the link type of the interface is not hybrid, convert it to a hybrid port before the
  configuration.
• Add GE0/0/2 to VLAN 2 on Switch.
  1. Choose Service Management > VLAN > Hybrid port in the navigation tree to open
     the Hybrid port page.
  2. On the Hybrid port page, click the icon indicating the GigabitEthernet0/0/2
     interface to open the Modify VLAN configuration on interface page.
  3. Enter 2 in the Tagged VLAN text box.
  4. Click OK.


• Add GE0/0/3 to VLAN 3 on Switch.
  1. Choose Service Management > VLAN > Hybrid port in the navigation tree to open
     the Hybrid port page.
  2. On the Hybrid port page, click the icon indicating the GigabitEthernet0/0/3
     interface to open the Modify VLAN configuration on interface page.
  3. Enter 3 in the Tagged VLAN text box.
  4. Click OK.
• Add GE0/0/4 to VLAN 3 on Switch.
  1. Choose Service Management > VLAN > Hybrid port in the navigation tree to open
     the Hybrid port page.
  2. On the Hybrid port page, click the icon indicating the GigabitEthernet0/0/4
     interface to open the Modify VLAN configuration on interface page.
  3. Enter 3 in the Tagged VLAN text box.
  4. Click OK.

----End

Result
On the Hybrid port page, you can view the configurations of GE0/0/1, GE0/0/2, GE0/0/3 and
GE0/0/4.
