Issue 03
Date 2017-10-31
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Purpose
This document provides the typical configuration examples supported by the WLAN.
Intended Audience
This document is intended for:
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Command Conventions
The command conventions that may be found in this document are defined as follows.
NOTE
The interface types, command outputs, and device models provided in this manual vary according to
device configurations and may differ from the actual information.
For a better user experience, you are advised to set the number of columns displayed in the command line editor to 132 or more.
The pages displayed on your web platform may differ from those shown in this example; the actual pages shall prevail.
Security Conventions
• Password setting
When configuring a password, cipher text is recommended. To ensure device security, do not disable the password complexity check, and change the password periodically.
When you configure a password in cipher text that starts and ends with %^%#......%^%# (a format the device can decrypt), the password is displayed in the configuration file exactly as it was configured. Do not use this setting.
• Encryption algorithm
Currently, the device uses the following cryptographic algorithms: DES, 3DES, AES, RSA, SHA1, SHA-2, MD5 and SMS4. The algorithm to use depends on the scenario. Use the recommended algorithm; otherwise, security defense requirements may not be met.
– For symmetric encryption, use AES with a key of 128 bits or more.
– For asymmetric encryption, use RSA with a key of 2048 bits or more.
– For hashing, use SHA2 with an output of 256 bits or more.
– For HMAC, use HMAC-SHA2.
– DES, 3DES, RSA with keys of 1024 bits or shorter, MD5 (in digital signature scenarios and password encryption), and SHA1 (in digital signature scenarios) have low security strength and may introduce security risks. If the protocol allows, use more secure algorithms such as AES, RSA-2048 or higher, SHA2, or HMAC-SHA2.
– SHA2 is an irreversible (one-way) algorithm. An irreversible algorithm must be used for the administrator password.
• Personal data
Some personal data (such as the MAC or IP addresses of users) may be obtained or used during operation or fault location of your purchased products, services, and features. You are therefore obligated to establish privacy policies and take measures in accordance with the applicable laws of your country to protect personal data.
Configuration Conventions
Large-scale or batch service configuration using scripts may cause high CPU usage,
preventing the system from processing regular services.
V200R007C20 AC6005
AC6605
ACU2
This model is released only in Russia.
AP2030DN
AP2050DN
AP2050DN-E
AP4030DN
AP4050DN
AP4050DN-E
AP4051DN
AP4130DN
AP4151DN
AP5030DN
AP5130DN
AP6050DN
AP6150DN
AP6510DN-AGN
AP7050DE
AP7050DN-E
AP8030DN
AP8050DN
AP8130DN
AP8150DN
AD9430DN-12
AD9430DN-24
R230D
R240D
R250D
R250D-E
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Contents
3 WLAN Configuration................................................................................................................. 13
3.1 WLAN Service Configuration Procedure.....................................................................................................................13
3.1.1 Reference Relationships Between WLAN Profiles...................................................................................................13
3.1.2 WLAN Basic Service Configuration Procedure........................................................................................................15
3.1.3 AP Group and AP...................................................................................................................................................... 16
3.1.4 Regulatory Domain Profile........................................................................................................................................18
3.1.5 Radio Profile..............................................................................................................................................................18
3.1.6 Air Scan Profile......................................................................................................................................................... 18
3.1.7 RRM Profile.............................................................................................................................................................. 19
3.1.8 VAP Profile................................................................................................................................................................20
3.1.9 SSID Profile...............................................................................................................................................................21
3.1.10 Authentication Profile..............................................................................................................................................21
3.1.11 Security Profile........................................................................................................................................................ 22
3.1.12 Traffic Profile.......................................................................................................................................................... 22
3.1.13 UCC Profile............................................................................................................................................................. 23
3.1.14 Attack Defense Profile.............................................................................................................................................23
3.1.15 User Profile..............................................................................................................................................................24
3.1.16 Soft GRE profile...................................................................................................................................................... 24
3.1.17 STA Blacklist Profile............................................................................................................................................... 24
3.1.18 STA Whitelist Profile.............................................................................................................................................. 25
3.1.19 SAC Profile..............................................................................................................................................................25
3.1.20 Hotspot2.0 Profile....................................................................................................................................................25
3.1.21 AP System Profile................................................................................................................................................... 26
3.1.22 AP Wired Port Profile..............................................................................................................................................29
3.1.23 AP Wired Port Link Profile..................................................................................................................................... 29
3.1.24 WIDS Profile........................................................................................................................................................... 29
3.1.25 WIDS Spoof SSID Profile....................................................................................................................................... 30
5.15.3 Example for Configuring the STA Blacklist and Whitelist................................................................................. 1879
5.16 WLAN QoS Configuration Examples.................................................................................................................... 1889
5.16.1 Example for Configuring WMM and Priority Mapping..................................................................................... 1889
5.16.2 Example for Configuring Traffic Policing...........................................................................................................1893
5.16.3 Example for Configuring Airtime Fair Scheduling............................................................................................. 1896
5.16.4 Example for Configuring ACL-based Packet Filtering....................................................................................... 1898
5.16.5 Example for Configuring Optimization for Voice and Video Services............................................................... 1901
5.16.6 Example for Configuring Priorities for Lync Packets......................................................................................... 1904
5.17 WLAN Enhanced Services Configuration Examples.............................................................................................1907
5.17.1 Example for Configuring WLAN-based E-Schoolbag........................................................................................1907
5.17.2 Example for Configuring WLAN Hotspot2.0 Services.......................................................................................1923
5.17.3 Example for Configuring Service Holding upon WLAN CAPWAP Link Disconnection..................................1936
5.17.4 Example for Configuring Channel Switching Without Service Interruption...................................................... 1946
5.17.5 Example for Configuring an AP to Go Online Using a Static IP Address.......................................................... 1954
5.17.6 Example for Configuring the Soft GRE Service................................................................................................. 1959
5.17.7 Example for Configuring CAC Based on the Number of Multicast Group Memberships................................. 1970
5.18 Typical Configuration for Interconnection Between AC and Cisco ISE Server.................................................... 1980
5.18.1 Example for Configuring 802.1x Authentication (Web)..................................................................................... 1980
5.18.2 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (Web)................ 1995
5.18.3 Example for Configuring User Authorization Based on User Groups (Web)..................................................... 2013
5.19 Typical Configuration for Interconnection Between AC and Aruba ClearPass Server..........................................2030
5.19.1 Example for Configuring 802.1x Authentication (Web)..................................................................................... 2030
5.19.2 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (Web)................ 2045
5.19.3 Example for Configuring User Authorization Based on User Groups (Web)..................................................... 2062
4.7.3 Example for Configuring Dual-link Cold Backup (Global Configuration Mode).................................................. 414
4.7.4 Example for Configuring Dual-Link HSB for ACs.................................................................................................422
4.7.5 Example for Configuring VRRP HSB.....................................................................................................................433
4.7.6 Example for Configuring N+1 Backup for ACs in the Same Network Segment....................................................449
4.7.7 Example for Configuring N+1 Backup for ACs in Different Network Segments.................................................. 465
4.8 Roaming Configuration Examples............................................................................................................................. 483
4.8.1 Example for Configuring Inter-VLAN Layer 3 Roaming....................................................................................... 483
4.8.2 Example for Configuring Intra-VLAN Roaming.................................................................................................... 495
4.8.3 Example for Configuring Inter-AC Layer 2 Roaming............................................................................................ 505
4.8.4 Example for Configuring Inter-AC Layer 3 Roaming............................................................................................ 516
4.9 Agile Distributed Networking Configuration Examples............................................................................................ 528
4.9.1 Example for Configuring an Agile Distributed WLAN.......................................................................................... 528
4.10 High-Density Configuration Examples.................................................................................................................... 536
4.10.1 Example for Configuring High-Density WLAN Services.................................................................................... 536
4.11 Example for Configuring Vehicle-Ground Communication.....................................................................................550
4.11.1 Example for Configuring Vehicle-Ground Fast Link Handover........................................................................... 550
4.11.2 Example for Configuring Vehicle-Ground Fast Link Handover (VRRP Backup for Vehicle-Mounted APs)...... 567
4.12 Radio Resource Management Configuration Examples...........................................................................................589
4.12.1 Example for Configuring Dynamic Load Balancing.............................................................................................589
4.12.2 Example for Configuring Static Load Balancing.................................................................................................. 593
4.12.3 Example for Configuring Band Steering............................................................................................................... 596
4.12.4 Example for Configuring Smart Roaming.............................................................................................................600
4.13 Spectrum Analysis Configuration Examples............................................................................................................603
4.13.1 Example for Configuring Spectrum Analysis....................................................................................................... 603
4.14 WLAN Security Configuration Examples................................................................................................................610
4.14.1 Example for Configuring Rogue Device Detection and Containment.................................................................. 610
4.14.2 Example for Configuring Attack Detection...........................................................................................................619
4.14.3 Example for Configuring the STA Blacklist and Whitelist................................................................................... 629
4.15 WLAN QoS Configuration Examples...................................................................................................................... 637
4.15.1 Common Misconfigurations.................................................................................................................................. 637
4.15.1.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs............................. 637
4.15.2 Example for Configuring WMM and Priority Mapping....................................................................................... 639
4.15.3 Example for Configuring Traffic Policing.............................................................................................................645
4.15.4 Example for Configuring Airtime Fair Scheduling............................................................................................... 648
4.15.5 Example for Configuring ACL-based Packet Filtering......................................................................................... 651
4.15.6 Example for Configuring Optimization for Voice and Video Services................................................................. 655
4.15.7 Example for Configuring Priorities for Lync Packets........................................................................................... 657
4.16 WLAN Enhanced Services Configuration Examples...............................................................................................661
4.16.1 Example for Configuring WLAN-based E-schoolbag.......................................................................................... 661
4.16.2 Example for Configuring WLAN Hotspot2.0 Services.........................................................................................672
4.16.3 Example for Configuring Service Holding upon CAPWAP Link Disconnection.................................................684
4.16.4 Example for Configuring Channel Switching Without Service Interruption........................................................ 691
4.3.10 Example for Configuring NAT Traversal Between the AC and APs.................................................................... 221
4.3.11 Example for Configuring VPN Traversal Between the AC and APs.................................................................... 230
4.3.12 Example for Configuring Hand-in-Hand WDS Services...................................................................................... 241
4.3.13 Example for Configuring Back-to-Back WDS......................................................................................................254
4.3.14 Example for Configuring Common Mesh Services.............................................................................................. 267
4.3.15 Example for Configuring Dual-MPP Mesh Services............................................................................................ 275
4.4 AP's Wired Interface Configuration Examples...........................................................................................................286
4.4.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces.........................................................286
4.5 PPPoE Configuration Examples (Fat AP and Fat Central AP).................................................................................. 289
4.5.1 Example for Configuring the PPPoE Client............................................................................................................ 289
4.5.2 Example for Connecting LAN to the Internet Using the ADSL Modem................................................................ 291
4.6 Authentication Configuration Examples.................................................................................................................... 295
4.6.1 Example for Configuring External Portal Authentication....................................................................................... 295
4.6.2 Example for Configuring Built-in Portal Authentication for Local Users.............................................................. 305
4.6.3 Example for Configuring MAC Address-prioritized Portal Authentication........................................................... 315
4.6.4 Example for Configuring 802.1X Authentication................................................................................................... 326
4.6.5 Example for Configuring MAC Address Authentication........................................................................................337
4.6.6 Example for Configuring MAC Authentication for Local Users............................................................................ 347
4.6.7 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users............................355
4.6.8 Example for Configuring WeChat Authentication Using a Built-in Portal Server................................................. 366
4.6.9 Example for Configuring Different Authentication Modes for Multiple SSIDs..................................................... 373
4.7 Reliability Configuration Examples........................................................................................................................... 386
4.7.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios.............................. 386
4.7.2 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios........................ 403
4.18.4 Example for Configuring User Authorization Based on User Groups (CLI)........................................................882
4.18.5 Example for Configuring External Portal Authentication..................................................................................... 898
4.18.6 Example for Configuring MAC Address-Prioritized Portal Authentication (CLI)............................................... 911
4.19 Typical Configuration for Interconnection Between AC and Huawei Agile Controller-Campus Server................ 927
4.19.1 Example for Configuring Wireless 802.1X Authentication.................................................................................. 927
4.19.2 Example for Configuring Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless Users.................................................................................................................................................................. 939
4.19.3 Example for Configuring Wireless MAC Address Authentication....................................................................... 974
4.19.4 Example for Configuring Wireless Network Access Using a Terminal Running the Android, iOS, or Windows OS..................................................................................................................................................................................... 986
4.19.5 Example for Configuring Guests to Obtain Passwords Through Mobile Phones to Pass Authentication Quickly........................................................................................................................................................................ 1000
4.19.6 Example for Configuring Guest Access Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts)........................................................................................................................................................................1010
4.19.7 Example for Configuring Guests Connect to Networks by Scanning Public QR Codes.................................... 1033
4.19.8 Example for Configuring 802.1X Authentication for Wireless Users in a VRRP HSB Environment................1049
4.19.9 Example for Configuring Portal Authentication for Wireless Users in a VRRP HSB Environment..................1071
4.19.10 Example for Configuring Portal Authentication for Wireless Users in an AC Dual-Link Backup Environment.................................. 1105
4.19.11 Example for Configuring Portal Authentication for Wireless Users in an AC N+1 Environment....................1132
4.19.12 Appendix............................................................................................................................................................1163
4.19.12.1 Common Page Customization Operations Using the Editor.......................................................................... 1163
4.19.12.2 Customizing Pages..........................................................................................................................................1174
4.19.12.3 Defining a Redirection Rule for the Portal Page............................................................................................ 1175
4.19.12.4 Example: Adding Language Templates.......................................................................................................... 1178
4.19.12.5 Configuring MAC Address Authentication....................................................................................................1180
4.19.12.6 Deploying a CA Certificate Server.................................................................................................................1185
4.19.12.7 Server Certificate Importing Tool...................................................................................................................1192
4.19.12.8 How Do I Continue to Access the Original Page After Successful Portal Authentication?...........................1194
4.19.12.9 What Should I Do Before Connecting a GPRS Modem to the Agile Controller-Campus?........................... 1195
4.20 Comprehensive Case...............................................................................................................................................1198
4.20.1 Example for Configuring Unified Access for Wired and Wireless Users........................................................... 1198
4.20.2 Higher Education Campus Network Deployment Case (S12700 Used as the Gateway and Authentication Point).................................. 1216
4.20.2.1 Application Scenario and Service Requirements............................................................................................. 1216
4.20.2.2 Solution Design................................................................................................................................................ 1217
4.20.2.3 Configuration Roadmap and Data Plan............................................................................................................ 1218
4.20.2.4 Configuration Notes......................................................................................................................................... 1221
4.20.2.5 Configuration Procedure...................................................................................................................................1222
4.20.2.5.1 Configuring the Aggregation Switch S7700-A in Office Building A........................................................... 1222
4.20.2.5.2 Configuring the Access Switch S5700-A in Office Building A....................................................................1223
4.20.2.5.3 Configuring the Core Switch S12700............................................................................................................1223
4.20.2.5.4 Configuring the Egress Firewall USG6600...................................................................................................1230
4.20.2.5.5 Configuring the Agile Controller.................................................................................................................. 1234
Figures
Figure 4-22 Networking diagram for configuring hand-in-hand WDS services................................................. 242
Figure 4-23 Networking for configuring back-to-back WDS............................................................................. 255
Figure 4-24 Networking for configuring mesh services...................................................................................... 267
Figure 4-25 Networking for configuring dual-MPP Mesh services.................................................................... 275
Figure 4-26 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces...............................286
Figure 4-27 Networking diagram of the device functioning as the PPPoE client............................................... 289
Figure 4-28 Networking diagram for connecting a LAN to the Internet using an ADSL modem...................... 292
Figure 4-29 Networking for configuring external Portal authentication............................................................. 296
Figure 4-30 Networking for configuring built-in Portal authentication for local users.......................................306
Figure 4-31 Networking for configuring MAC address-prioritized Portal authentication.................................. 316
Figure 4-32 Networking diagram for configuring 802.1x authentication........................................................... 327
Figure 4-33 Networking diagram for configuring MAC address authentication................................................ 338
Figure 4-34 Networking for configuring MAC authentication for local users....................................................348
Figure 4-35 Networking for configuring user authorization based on user groups.............................................356
Figure 4-36 Networking diagram for configuring WeChat authentication using a built-in Portal server........... 366
Figure 4-37 Networking diagram for configuring different authentication modes for multiple SSIDs.............. 374
Figure 4-38 Networking for configuring wireless configuration synchronization in VRRP HSB scenarios (direct forwarding).................................. 387
Figure 4-39 Networking diagram for configuring dual-link HSB....................................................................... 404
Figure 4-40 Networking for configuring dual-link cold backup......................................................................... 415
Figure 4-41 Networking for configuring dual-link HSB for ACs....................................................................... 423
Figure 4-42 Configuring VRRP HSB (direct forwarding).................................................................................. 434
Figure 4-43 Networking for configuring N+1 backup.........................................................................................450
Figure 4-44 Networking for configuring N+1 backup.........................................................................................466
Figure 4-45 Networking for configuring inter-VLAN Layer 3 roaming.............................................................484
Figure 4-46 Networking for configuring intra-VLAN roaming.......................................................................... 496
Figure 4-47 Networking for configuring inter-AC Layer 2 roaming.................................................................. 506
Figure 4-48 Networking for configuring inter-AC Layer 3 roaming.................................................................. 517
Figure 4-49 Networking for configuring an agile distributed WLAN.................................................................529
Figure 4-50 Networking diagram for configuring a high-density WLAN.......................................................... 537
Figure 4-51 Networking for configuring vehicle-ground fast link handover...................................................... 551
Figure 4-52 Networking for configuring vehicle-ground fast link handover...................................................... 568
Figure 4-53 Networking for configuring dynamic load balancing...................................................................... 590
Figure 4-54 Networking for configuring static load balancing........................................................................... 594
Figure 4-55 Networking for configuring Band Steering..................................................................................... 597
Figure 4-56 Networking for configuring smart roaming..................................................................................... 600
Figure 4-57 Networking for configuring spectrum analysis................................................................................604
Figure 4-58 Networking for configuring rogue device detection and containment.............................................611
Figure 4-59 Networking for configuring attack detection................................................................................... 620
Figure 4-60 Networking for configuring the STA blacklist and whitelist........................................................... 629
Figure 4-61 Networking for configuring WMM and priority mapping...............................................................639
Figure 4-62 Networking for configuring traffic policing.................................................................................... 645
Figure 4-63 Networking for configuring airtime fair scheduling........................................................................ 648
Figure 4-64 Networking for configuring ACL-based packet filtering................................................................ 652
Figure 4-65 Networking for configuring optimization for voice and video services.......................................... 655
Figure 4-66 Networking for configuring priorities for Lync packets.................................................................. 658
Figure 4-67 Networking for configuring the WLAN-based e-schoolbag service............................................... 662
Figure 4-68 Networking for configuring WLAN Hotspot2.0 services................................................................673
Figure 4-69 Networking for configuring service holding upon WLAN CAPWAP link disconnection.............. 684
Figure 4-70 Networking for configuring channel switching without service interruption..................................692
Figure 4-71 Networking for configuring an AP to go online using a static IP address.......................................699
Figure 4-72 Networking for configuring the soft GRE service........................................................................... 703
Figure 4-73 Networking for configuring the WLAN BYOD service..................................................................713
Figure 4-74 Networking for configuring the Bonjour gateway........................................................................... 723
Figure 4-75 Networking for configuring bandwidth-based multicast CAC........................................................ 733
Figure 4-76 Networking for configuring CAC based on the number of multicast group memberships............. 741
Figure 4-77 Networking for interconnecting an AC with a network management server.................................. 749
Figure 4-78 Networking for configuring wireless packet obtaining....................................................................759
Figure 4-79 Networking diagram for configuring 802.1x authentication........................................................... 768
Figure 4-80 Networking diagram for configuring MAC address authentication................................................ 782
Figure 4-81 Networking for configuring user authorization based on ACL numbers or dynamic VLANs........796
Figure 4-82 Networking for configuring user authorization based on user groups.............................................812
Figure 4-83 Networking diagram for configuring external Portal authentication............................................... 827
Figure 4-84 Networking diagram for configuring 802.1x authentication........................................................... 842
Figure 4-85 Networking diagram for configuring MAC address authentication................................................ 856
Figure 4-86 Networking for configuring user authorization based on ACL numbers or dynamic VLANs........868
Figure 4-87 Networking for configuring user authorization based on user groups.............................................884
Figure 4-88 Networking diagram for configuring external Portal authentication............................................... 899
Figure 4-89 Networking for MAC address-prioritized Portal authentication......................................................913
Figure 4-90 Networking diagram........................................................................................................................ 928
Figure 4-91 Networking of Portal authentication for wireless users................................................................... 941
Figure 4-92 Configuration flow for Portal authentication service.......................................................................948
Figure 4-93 Networking of MAC address authentication................................................................................... 975
Figure 4-94 Networking diagram........................................................................................................................ 987
Figure 4-95 Networking diagram...................................................................................................................... 1050
Figure 4-96 Networking of Portal authentication for wireless users in HSB mode.......................................... 1072
Figure 4-97 Networking of Portal authentication for wireless users in an AC dual-link backup environment.1106
Figure 4-98 Networking of Portal authentication for wireless users in N+1 mode........................................... 1133
Figure 4-99 Networking for unified wired and wireless access.........................................................................1199
Figure 5-1 Networking diagram for configuring 802.1x authentication........................................................... 1306
Figure 5-2 Networking for configuring MAC address-prioritized Portal authentication.................................. 1316
Figure 5-3 Networking diagram for configuring a high-density WLAN.......................................................... 1326
Figure 5-4 Networking diagram for configuring hand-in-hand WDS services................................................. 1344
Figure 5-5 Networking for configuring vehicle-ground fast link handover...................................................... 1358
Figure 5-6 Networking for configuring an agile distributed WLAN.................................................................1374
Figure 5-7 Networking for configuring rogue device detection and containment............................................ 1383
Figure 5-8 Networking diagram for configuring basic Layer 2 WLAN services..............................................1392
Figure 5-9 Networking diagram for configuring basic Layer 3 WLAN services..............................................1399
Figure 5-10 Networking diagram for configuring STAs to access the public network through NAT...............1406
Figure 5-11 Networking diagram of the device functioning as the PPPoE client............................................. 1414
Figure 5-12 Networking diagram for connecting a LAN to the Internet using an ADSL modem.................... 1416
Figure 5-13 Networking diagram of the device functioning as the PPPoE client............................................. 1420
Figure 5-14 Networking diagram for connecting a LAN to the Internet using an ADSL modem.................... 1423
Figure 5-15 Networking for configuring Layer 2 direct forwarding in inline mode......................................... 1427
Figure 5-16 Networking for configuring Layer 2 tunnel forwarding in inline mode........................................ 1436
Figure 5-17 Networking for configuring Layer 2 direct forwarding in bypass mode....................................... 1444
Figure 5-18 Networking for configuring Layer 2 tunnel forwarding in bypass mode...................................... 1453
Figure 5-19 Networking for configuring Layer 3 direct forwarding in inline mode......................................... 1463
Figure 5-20 Networking for configuring Layer 3 tunnel forwarding in inline mode........................................ 1475
Figure 5-21 Networking for configuring Layer 3 direct forwarding in bypass mode....................................... 1486
Figure 5-22 Networking for configuring Layer 3 tunnel forwarding in bypass mode...................................... 1497
Figure 5-23 Networking for configuring NAT traversal between the AC and APs.......................................... 1507
Figure 5-24 Networking for configuring VPN traversal between the AC and APs.......................................... 1517
Figure 5-25 Networking diagram for configuring hand-in-hand WDS services............................................... 1529
Figure 5-26 Networking for configuring back-to-back WDS........................................................................... 1543
Figure 5-27 Networking for configuring mesh services.................................................................................... 1554
Figure 5-28 Networking for configuring dual-MPP Mesh services.................................................................. 1564
Figure 5-29 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces.............................1575
Figure 5-30 Networking for configuring external Portal authentication........................................................... 1580
Figure 5-31 Networking for configuring built-in Portal authentication for local users.....................................1590
Figure 5-32 Networking for configuring MAC address-prioritized Portal authentication................................ 1600
Figure 5-33 Networking diagram for configuring 802.1x authentication......................................................... 1610
Figure 5-34 Networking diagram for configuring MAC address authentication.............................................. 1621
Figure 5-35 Networking for configuring MAC authentication for local users..................................................1632
Figure 5-36 Networking for configuring user authorization based on user groups...........................................1641
Figure 5-37 Networking diagram for configuring WeChat authentication using a built-in Portal server......... 1653
Figure 5-38 Networking diagram for configuring different authentication modes for multiple SSIDs............ 1661
Figure 5-39 Networking for configuring wireless configuration synchronization in VRRP HSB scenarios (direct forwarding).................................. 1674
Figure 5-40 Networking diagram for configuring dual-link HSB..................................................................... 1687
Figure 5-41 Networking for configuring dual-link cold backup....................................................................... 1698
Figure 5-42 Networking for configuring dual-link HSB for ACs..................................................................... 1706
Figure 5-43 Configuring VRRP HSB (direct forwarding)................................................................................ 1715
Figure 5-44 Networking for configuring N+1 backup.......................................................................................1727
Figure 5-45 Networking for configuring N+1 backup.......................................................................................1738
Figure 5-46 Networking for configuring inter-VLAN Layer 3 roaming...........................................................1750
Figure 5-47 Networking for configuring intra-VLAN roaming........................................................................ 1762
Figure 5-48 Networking for configuring inter-AC Layer 2 roaming................................................................ 1773
Figure 5-49 Networking for configuring inter-AC Layer 3 roaming................................................................ 1785
Figure 5-50 Networking for configuring an agile distributed WLAN...............................................................1798
Figure 5-51 Networking diagram for configuring a high-density WLAN........................................................ 1806
Figure 5-52 Networking for configuring vehicle-ground fast link handover.................................................... 1825
Figure 5-53 Networking for configuring dynamic load balancing.................................................................... 1841
Figure 5-54 Networking for configuring static load balancing......................................................................... 1844
Figure 5-55 Networking for configuring Band Steering................................................................................... 1847
Figure 5-56 Networking for configuring smart roaming................................................................................... 1850
Figure 5-57 Networking for configuring spectrum analysis..............................................................................1853
Figure 5-58 Networking for configuring rogue device detection and containment.......................................... 1859
Figure 5-59 Networking for configuring attack detection................................................................................. 1869
Figure 5-60 Networking for configuring the STA blacklist and whitelist......................................................... 1880
Tables
Table 4-127 Service data plan for wireless MAC address authentication........................................................... 977
Table 4-128 Accounting interval..........................................................................................................................980
Table 4-129 Network data planning.....................................................................................................................988
Table 4-130 Service data planning.......................................................................................................................988
Table 4-131 Data plan........................................................................................................................................ 1001
Table 4-132 Data Plan........................................................................................................................................ 1011
Table 4-133 Data plan........................................................................................................................................ 1033
Table 4-134 VLAN plan.....................................................................................................................................1051
Table 4-135 Network data plan.......................................................................................................................... 1051
Table 4-136 Service data plan............................................................................................................................ 1053
Table 4-137 Accounting interval........................................................................................................................1064
Table 4-138 VLAN plan.....................................................................................................................................1073
Table 4-139 Network data plan.......................................................................................................................... 1073
Table 4-140 Service data plan............................................................................................................................ 1076
Table 4-141 Accounting interval........................................................................................................................1086
Table 4-142 VLAN plan.....................................................................................................................................1107
Table 4-143 Network data plan.......................................................................................................................... 1107
Table 4-144 Service data plan............................................................................................................................ 1108
Table 4-145 Accounting interval........................................................................................................................ 1115
Table 4-146 VLAN plan.....................................................................................................................................1133
Table 4-147 Network data plan.......................................................................................................................... 1134
Table 4-148 Service data plan............................................................................................................................ 1136
Table 4-149 Accounting interval........................................................................................................................1144
Table 4-150 Set push rule related parameters.................................................................................................... 1175
Table 4-151 Network data planning................................................................................................................... 1199
Table 4-152 Service data planning.....................................................................................................................1201
Table 4-153 Radio channel data planning..........................................................................................................1204
Table 4-154 Basic service data plan of the core switch..................................................................................... 1218
Table 4-155 Authentication service data plan of the core switch...................................................................... 1219
Table 4-156 Service data plan of the Agile Controller...................................................................................... 1220
Table 4-157 Data plan of the egress solution and USG6600 HRP.................................................................... 1220
Table 4-158 Information about authorization results......................................................................................... 1248
Table 4-159 Basic service data plan of the core switch..................................................................................... 1258
Table 4-160 Basic service data plan of the NGFW module...............................................................................1259
Table 4-161 Basic service data plan of the aggregation switch S12700............................................................ 1259
Table 4-162 Basic service data plan of the aggregation switch S7700.............................................................. 1259
Table 4-163 Basic service data plan of the aggregation switch S12700 or S7700............................................ 1260
Table 4-164 Service data plan of the Agile Controller...................................................................................... 1260
Table 4-165 Data plan of the egress solution and USG6600 HRP.................................................................... 1262
Table 5-1 Data planning on the AC....................................................................................................................1307
Table 5-2 AC data planning............................................................................................................................... 1316
Table 5-3 Data planning..................................................................................................................................... 1326
1 Introduction to WLAN
Wired transmission media are usually used on a local area network (LAN), but these wired
media bring some problems in specific scenarios. For example, dial-up lines have low
transmission rates, and leased lines are expensive. Twisted pairs and coaxial cables also have
problems of high installation fees, long construction periods, and inconvenient deployment.
As wireless network technologies develop rapidly, wireless media can transmit text, voice,
and images, and even voice and images at the same time. The transmission distance of a
wireless network can reach tens of kilometers. Wireless networks are now widely used, and
the cost of wireless network construction is acceptable to most enterprises. Therefore,
wireless networks can compete with wired networks in performance, transmission distance,
and cost, and are even better than wired networks in some aspects.
WLAN Deployment
WLAN deployment is affected by technical factors and non-technical factors. Technical
factors include signal interference and wired network quality. Non-technical factors include
local laws and property management policies. Before deploying a WLAN, ensure that:
l The 2.4 GHz and 5 GHz frequency bands are allowed by local laws.
l The property management policy permits WLAN deployment.
WLAN Infrastructure
Figure 1-1 WLAN networking: RADIUS server, NMS, and MAN upstream; ACs connected to APs
through CAPWAP tunnels over aggregation switches. Three deployment forms are shown: chain
networking (direct forwarding), chain networking (tunnel forwarding), and branched
networking (local forwarding).
As shown in Figure 1-1, a WLAN consists of access points (APs), PoE switches, access
controllers (ACs), a Remote Authentication Dial In User Service (RADIUS) server, and a
network management system (NMS).
l AP: WLAN access device. Huawei provides a series of fit APs to meet indoor and
outdoor networking requirements.
l PoE switch: upstream device for APs. It provides data switching and power for APs. If
only one AC is required and the AC has PoE ports, the PoE switch is not required.
l AC: manages APs and controls the rights of WLAN users.
l RADIUS server: authenticates WLAN users and assigns rights to them. The RADIUS
server is installed on the SPES server.
l NMS: manages APs and ACs. It monitors the status of ACs and APs in real time, processes
alarms, and analyzes data.
2 Product Overview
Introduction to AC6605
Huawei AC6605-26-PWR (AC6605 for short) is an access controller (AC) applicable to MANs
and enterprise networks for wireless access. The AC6605 has a large capacity and high
performance. It is highly reliable, easy to install and maintain, and offers advantages such as
flexible networking and energy conservation.
Introduction to AC6005
Huawei AC6005 series (AC6005 for short) are access controllers (ACs) applicable to MANs
and enterprise networks for wireless access. The AC6005 has a large capacity and high
performance. It is highly reliable, easy to install and maintain, and offers advantages such as
flexible networking and energy conservation.
Version
Device Version
ACU2 V200R007
AC6605 V200R007
AC6005 V200R007
NOTICE
Before performing WLAN configurations, ensure that the AC and AP versions match. Otherwise,
APs cannot go online. When the AC and AP versions do not match, upgrade the AC or AP. For
details about the upgrade, see the related product upgrade guides.
WLAN APs are classified into three types depending on their usage scenarios:
l Indoor settled APs: applicable to small to medium coverage scenarios, for example,
multimedia classrooms, open office areas, and meeting rooms.
l Indoor distributed APs: applicable to medium-scale coverage scenarios that are subject
to coverage holes or important public places, such as hotels, airports, and conference
halls. Indoor distributed APs are not applicable to networks that require high capacities.
l Outdoor settled APs: applicable to open outdoor areas with high user densities, such as
squares, residential communities, schools, dormitories, and enterprise campuses, or
outdoor places that have high demands for wireless access, such as pedestrian malls.
Product Versions
NOTICE
Before performing WLAN configurations, ensure that the versions of the AC and APs match;
otherwise, the APs may fail to go online. If the versions of the AC and APs do not match,
upgrade the AC or APs. For the detailed upgrade procedure, see the upgrade guide of the
related products.
3 WLAN Configuration
Figure (WLAN profile reference hierarchy, partial): VAP profile*, User profile, Security
profile*, WDS profile*, WDS whitelist profile, Attack defense profile, Antivirus profile,
Intrusion prevention profile, URL-filter profile, UCC profile, Soft-GRE profile, Location
profile, BLE profile.
NOTE
WLAN profiles are designed to facilitate configuration and maintenance of WLAN functions.
When configuring WLAN service functions, users need to configure parameters in matching
WLAN profiles. After completing the configurations, they need to bind the profiles to upper-
level profiles, AP groups, or APs, and the configurations will be automatically delivered to
APs. After that, the configured functions automatically take effect on the APs.
NOTE
l If a WLAN profile is bound to an upper-level profile, this upper-level profile should be bound to an AP
group or AP.
l Configurations in an AP provisioning profile take effect only after they are manually delivered to APs.
Configurations in other WLAN profiles are automatically delivered to APs.
For example, to configure air interface scan parameters, you configure the parameters in
an air scan profile and bind the air scan profile to a radio profile, which is then bound to an
AP group or AP, as shown in Figure 3-1. The air interface scan parameters are then
automatically delivered to the APs and take effect. If the referencing relationships between
profiles are set in advance, parameter configurations in the air scan profile are delivered to
the APs automatically.
Figure (WLAN configuration workflow): Configure the AC to manage Fit APs: configure system
parameters for the AC; configure the AC's source interface; set the AP authentication mode
and configure APs to go online. Configure the AC to deliver WLAN services to Fit APs:
configure a country code (in a regulatory domain profile); configure basic radio parameters
(on radios); bind the profiles to an AP or AP group.
As shown in Figure 3-3, the AP with ID 1 has no configurations of its own; therefore, the AP
uses all WLAN configurations of AP group a, to which it belongs.
Figure 3-3 AP using the AP group configurations (AP group name: a; AP ID: 1; name of the AP
group to which it belongs: a)
As shown in Figure 3-4, the AP with ID 101 has configurations of its own, so the AP
preferentially uses those configurations. Since only a regulatory domain profile is
configured on the AP, the AP obtains its other configurations, for example, the VAP profile,
AP system profile, and the other profiles shown in the figure, from AP group a, to which it
belongs.
Figure 3-4 AP using its own configuration together with the AP group configurations (AP ID:
101; name of the AP group to which it belongs: a)
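The precedence just described (an AP's own bindings first, then its AP group's) together with the note above that a lower-level profile takes effect only through an upper-level profile that is itself bound to an AP group or AP, as an added illustration that is not Huawei's code. Profile types, names and the reference relationships in the sample data are constructed for this example.

```python
"""Effective profile resolution for a fit AP (added illustration, not Huawei code).

It models two rules stated in this guide:
- a profile bound to an upper-level profile takes effect only if that upper-level
  profile is itself bound to an AP group or AP (e.g. air scan profile -> radio profile);
- an AP uses the profiles bound to itself first and, for each profile type it has no
  binding of its own for, the binding of its AP group (Figures 3-3 and 3-4).
All profile names and reference relationships below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Profile:
    kind: str                    # profile type, e.g. "2g-radio", "air-scan"
    name: str
    references: list = field(default_factory=list)  # lower-level profiles it binds


@dataclass
class Node:
    """An AP group or a single AP; `bindings` maps profile type -> bound profile."""
    name: str
    bindings: dict = field(default_factory=dict)


def direct_bindings(ap: Node, group: Node) -> dict:
    """Per profile type, the AP's own binding wins; otherwise the AP group's is used."""
    effective = dict(group.bindings)
    effective.update(ap.bindings)
    return effective


def effective_profiles(ap: Node, group: Node) -> dict:
    """Return {profile type: profile name} for every profile that takes effect on `ap`,
    following references from the directly bound profiles down to lower-level ones."""
    result = {}
    pending = list(direct_bindings(ap, group).values())
    while pending:
        profile = pending.pop()
        if profile.kind in result:
            continue  # a type already resolved is not overridden by a lower-level reference
        result[profile.kind] = profile.name
        pending.extend(profile.references)
    return result


def is_effective(profile: Profile, ap: Node, group: Node) -> bool:
    """True if `profile` is the one of its type that actually takes effect on `ap`.
    A profile that nothing bound to the AP references (e.g. an air scan profile no
    bound radio profile points to) is configured but has no effect."""
    return effective_profiles(ap, group).get(profile.kind) == profile.name


# Constructed sample configuration mirroring Figures 3-3 and 3-4 (not from the guide).
SCAN_A = Profile("air-scan", "scan-a")
SCAN_B = Profile("air-scan", "scan-b")              # created but referenced by no radio profile
RADIO_A = Profile("2g-radio", "radio-a", [SCAN_A])  # radio profile references air scan profile
REG_GROUP = Profile("regulatory-domain", "reg-a")
REG_AP101 = Profile("regulatory-domain", "reg-ap101")
VAP_A = Profile("vap", "vap-a")
SYS_A = Profile("ap-system", "sys-a")

GROUP_A = Node("a", {p.kind: p for p in (RADIO_A, REG_GROUP, VAP_A, SYS_A)})
AP_1 = Node("ap-1")                                         # AP ID 1: no configuration of its own
AP_101 = Node("ap-101", {"regulatory-domain": REG_AP101})  # AP ID 101: own regulatory domain profile


if __name__ == "__main__":
    for ap in (AP_1, AP_101):
        print(ap.name, effective_profiles(ap, GROUP_A))
    print("scan-b in effect on AP 1:", is_effective(SCAN_B, AP_1, GROUP_A))
```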
A regulatory domain profile provides configurations of country code, calibration channel, and
calibration bandwidth for an AP.
l A country code identifies the country to which AP radios belong. Different countries
support different AP radio attributes, including the transmit power and supported
channels. Correct country code configuration ensures that radio attributes of APs comply
with laws and regulations of countries and regions to which the APs are delivered. For
details, see Configuring Country Codes in the Configuration-WLAN Service
Configuration Guide.
l A calibration channel set limits the dynamic AP channel adjustment range when the
radio calibration function is configured. Radar channels and the channels that are not
supported by STAs are avoided. For details, see Radio Resource Management
Configuration Guide in the Configuration.
l The 5 GHz frequency band has richer spectrum resources. In addition to 20 MHz
channels, APs working on the 5 GHz frequency band support 40 MHz and 80 MHz
channels. Different calibration bandwidths support different calibration channels. Larger-
bandwidth channels mean higher transmission rates. However, at least three channels are
required in radio calibration to achieve the optimal calibration effect. When configuring
the calibration bandwidth, ensure that enough calibration channels are available for use.
For details, see Radio Resource Management Configuration Guide in the Configuration.
Radio profiles are used to optimize radio parameters, and control the in-service channel
switching function. For details, see Configuring a Radio in the Configuration-WLAN Service
Configuration Guide.
Radio profiles are divided into 2G and 5G radio profiles. 2G and 5G radio profiles apply to
2.4 GHz and 5 GHz radios respectively. The differences between configurations of 2G and 5G
radio profiles are as follows:
l 2G radio profiles allow you to configure the 802.11bg basic rate set and supported rate
set.
l 5G radio profiles allow you to configure the 802.11a basic rate set and supported rate set,
and perform 802.11ac-related configurations.
Radio profiles can reference air scan profiles and RRM profiles.
l Air scan profiles are designed for radio calibration, spectrum analysis, location, and
WIDS data analysis. APs periodically scan radio signals in their surrounding
environment and report the collected information to ACs or servers.
l RRM profiles are designed to maintain optimal radio resource utilization. They enable
APs to check the surrounding radio environment, dynamically adjust working channels
and transmit power, and evenly distribute access users. This function helps adjust radio
coverage, reduce radio signal interference, and enable a wireless network to quickly
adapt to changes in the radio environment. With the radio resource management
function, the wireless network can provide high service quality for wireless users. For
details, see Radio Resource Management Configuration Guide in the Configuration.
The air scan profile is used for radio calibration, spectrum analysis, WLAN device location,
and Wireless Intrusion Detection System (WIDS) data analysis. An AP periodically scans
surrounding radio signals and reports the collected information to an AC or server.
l Radio calibration
An authorized AP scans surrounding radio signals, collects information about
surrounding authorized APs, rogue APs, and non-Wi-Fi devices, and reports the
information to an AC.
For the detailed configuration, see Configuring Radio Calibration in the Configuration-
Radio Resource Management Configuration Guide.
l Spectrum analysis
An AP detects different types of interference resources on wireless networks, and
displays the information to users. Users can then use the information to locate these
interference sources. This function improves user experience.
For the detailed configuration, see Configuring Spectrum Analysis in the Configuration-
Spectrum Analysis Configuration Guide.
l WLAN device location
An AP collects radio signals, and reports the location information to the positioning
server. Alternatively, the AP can send the location information to the AC, which filters
the information and sends the filtered information to the positioning server. An AP can
collect radio signals in either of the two modes:
– The AP collects Received Signal Strength Indicator (RSSI) information of WLAN
terminals and rogue APs and reports the information to the positioning server. The
information is then used to locate WLAN terminals or rogue APs.
– An AP scans spectrums and reports fast Fourier transform (FFT) results of radio
signals to an AC. The information is then used to identify and locate non-Wi-Fi
interference sources.
For the detailed configuration, see Configuring WLAN Tag Location in the
Configuration.
l WIDS data analysis
A monitor AP scans channels to monitor neighboring wireless devices, collects
information about them by listening to the WLAN packets they send, and periodically
reports the collected information to an AC. The AC then uses the information to
identify rogue devices.
For the detailed configuration, see Configuring Rogue Device Detection in the
Configuration-WLAN Security Configuration Guide.
The air scan profile takes effect only after it is referenced by the radio profile.
network to quickly adapt to changes in the radio environment. With the RRM profile, the
wireless network can provide high service quality for wireless users and maintain an optimal
radio resource utilization. For the detailed configuration, see Radio Resource Management
Configuration Guide in the Configuration.
The RRM profile takes effect only after it is referenced by the radio profile.
system can classify applications intelligently and identify key services to provide
sufficient bandwidths for them and limit traffic rates of non-critical services, thereby
providing refined QoS policy control. For details, see Configuring SAC in the
Configuration-QoS Configuration Guide.
l UCC profile: used to configure priorities for Microsoft Lync voice, video, desktop
sharing, and file transfer packets. For details, see Configuring Lync in the Configuration-
QoS Configuration Guide.
An SSID profile is used to configure the SSID name and other access parameters of a WLAN.
The following configurations are performed in an SSID profile:
l SSID hiding: When creating a WLAN, configure an AP to hide the SSID of the WLAN
to ensure security. Only the users who know the SSID can connect to the WLAN.
l Maximum number of STAs: More access users on a VAP indicate fewer network
resources that each user can occupy. To ensure Internet experience of users, you can
configure a proper maximum number of access users on a VAP according to actual
network situations.
l SSID hiding when the number of STAs reaches the maximum: When this function is
enabled and the number of access users on a WLAN reaches the maximum, the SSID of
the WLAN is hidden and new users cannot search for the SSID.
l Denying access of non-HT STAs: Non-HT STAs support only the 802.11a, 802.11b, and
802.11g protocols and provide rates far lower than those of 802.11n and 802.11ac
terminals. If non-HT STAs access the wireless network, the data transmission rates of
the 802.11n and 802.11ac terminals decrease. To ensure the data transmission rates of
the 802.11n and 802.11ac terminals, access of non-HT STAs is denied.
l STA association timeout period: If an AP receives no data packet from a STA for a
continuous period of time, the STA goes offline after the association timeout period
expires.
l DTIM interval: The DTIM interval specifies how many Beacon frames an AP sends
before the Beacon frame that contains the DTIM. The Beacon frame carrying the DTIM
wakes STAs in power-saving mode, after which the AP transmits the broadcast and
multicast frames it has buffered to them.
For details about how to configure an SSID profile, see Configuring an SSID Profile in the
Configuration-WLAN Service Configuration Guide.
NAC implements access control on users. To facilitate NAC function configuration, the
device uses authentication profiles to uniformly manage NAC configuration. You can
configure parameters in an authentication profile to provide different access control modes for
users. For example, you can configure the access profile bound to the authentication profile to
determine the authentication mode for the authentication profile. The device then uses the
authentication mode to authenticate users on the VAP profile to which the authentication
profile is applied.
l Priority mapping
Packets of different types have different priorities. For example, 802.11 packets sent by
STAs carry user priorities or DSCP priorities, VLAN packets on wired networks carry
802.1p priorities, and IP packets carry DSCP priorities. Priority mapping must be
configured on network devices to retain the priorities of packets that traverse different
networks.
For details, see Configuring Priority Mapping in the Configuration-QoS Configuration
Guide-WLAN QoS Configuration.
l Traffic policing
To protect network resources and prevent network congestion, you can configure traffic
policing to limit the rate of traffic entering a WLAN. In a traffic profile, you can
configure rate limiting for upstream and downstream packets of all STAs or each STA on
a VAP.
For details, see Configuring Traffic Policing in the Configuration-QoS Configuration
Guide-WLAN QoS Configuration.
l Traffic optimization
On a WLAN, a large number of wireless packets need to be forwarded, which may easily
cause network congestion and degrade network performance. WLAN traffic optimization
measures, such as traffic limit and multicast optimization, can be taken to adjust network
traffic in real time, significantly reducing impact of burst data on the network and
improving network performance.
For details, see WLAN Traffic Optimization Configuration Guide in the Configuration.
l ACL-based packet filtering
You can configure ACL-based packet filtering to enable a device to permit or deny
packets matching ACL rules to control network traffic.
For details, see Configuring ACL-based Packet Filtering in the Configuration-QoS
Configuration Guide-WLAN QoS Configuration.
l ACL-based packet priority re-marking
You can configure ACL-based packet re-marking priorities of packets matching ACL
rules to implement differentiated services for wireless packets.
For details, see Configuring ACL-based Priority Remarking in the Configuration-QoS
Configuration Guide-WLAN QoS Configuration.
For the detailed configuration, see Configuring a STA Blacklist Profile in the Configuration-
WLAN Security Configuration Guide.
A STA whitelist profile contains MAC addresses of wireless terminals allowed to connect to
the WLAN. To allow only some STAs to connect to the WLAN, configure a STA whitelist
profile and apply the STA whitelist profile to an AP system profile or a VAP profile.
The effective scope of the STA whitelist profile differs according to the profiles to which it is
applied.
l AP system profile: The STA whitelist profile takes effect based on the AP. APs using the
AP system profile will use the STA whitelist. The STA whitelist profile takes effect on
all STAs connected to the APs (all VAPs).
l VAP profile: The STA whitelist profile takes effect based on the VAP. If the STA
whitelist profile is applied to a VAP profile, it applies only to STAs connected to the
corresponding VAPs.
For the detailed configuration, see Configuring a STA Whitelist Profile in the Configuration-
WLAN Security Configuration Guide.
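The two effective scopes of a STA whitelist profile (AP system profile versus VAP profile), as an added example that is not Huawei's code. The MAC addresses and profile names are constructed, and the rule applied when whitelists from both scopes govern the same STA (it must be listed in each) is an assumption of this example, not something the guide states.

```python
"""STA whitelist effective-scope check (added example, not Huawei code).

The guide describes two scopes for a STA whitelist profile: applied to an AP system
profile it covers every STA on every VAP of the APs using that system profile; applied
to a VAP profile it covers only STAs of the corresponding VAPs. MAC addresses and
profile names below are constructed, and the rule used when both scopes apply at once
(the STA must be listed in each whitelist in effect) is an assumption of this example.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


def normalize_mac(mac: str) -> str:
    """Accept 0011-2233-4455, 00:11:22:33:44:55 or 00-11-22-33-44-55; return 001122334455."""
    lowered = mac.lower()
    digits = "".join(ch for ch in lowered if ch in "0123456789abcdef")
    if len(digits) != 12 or any(ch not in "0123456789abcdef-:." for ch in lowered):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class WhitelistProfile:
    name: str
    macs: FrozenSet[str]          # normalized MAC addresses


def make_whitelist(name: str, macs: List[str]) -> WhitelistProfile:
    return WhitelistProfile(name, frozenset(normalize_mac(m) for m in macs))


@dataclass
class ApSystemProfile:
    name: str
    whitelist: Optional[WhitelistProfile] = None   # AP-wide scope (all VAPs)


@dataclass
class VapProfile:
    name: str
    ssid: str
    whitelist: Optional[WhitelistProfile] = None   # VAP scope only


@dataclass
class Ap:
    name: str
    system_profile: ApSystemProfile
    vaps: dict = field(default_factory=dict)        # WLAN ID -> VapProfile


def whitelists_in_effect(ap: Ap, vap: VapProfile) -> List[WhitelistProfile]:
    """Whitelists governing a STA that associates with `vap` on `ap`."""
    active = []
    if ap.system_profile.whitelist is not None:
        active.append(ap.system_profile.whitelist)   # from the AP system profile
    if vap.whitelist is not None:
        active.append(vap.whitelist)                 # from the VAP profile
    return active


def sta_allowed(ap: Ap, vap: VapProfile, sta_mac: str) -> bool:
    """With no whitelist in effect every STA may associate; otherwise the STA's MAC
    must appear in every whitelist in effect (all() of an empty list is True)."""
    mac = normalize_mac(sta_mac)
    return all(mac in wl.macs for wl in whitelists_in_effect(ap, vap))


# Constructed sample data (not from the guide).
WL_STAFF = make_whitelist("wl-staff", ["0011-2233-4455", "00:11:22:33:44:66"])
WL_IOT = make_whitelist("wl-iot", ["0011-2233-4477"])
SYS_LOBBY = ApSystemProfile("sys-lobby", whitelist=WL_STAFF)   # AP-wide whitelist
SYS_OPEN = ApSystemProfile("sys-open")                          # no AP-wide whitelist
VAP_GUEST = VapProfile("vap-guest", "guest")
VAP_IOT = VapProfile("vap-iot", "iot", whitelist=WL_IOT)       # VAP-scope whitelist
AP_LOBBY = Ap("ap-lobby", SYS_LOBBY, {1: VAP_GUEST, 2: VAP_IOT})
AP_FLOOR = Ap("ap-floor", SYS_OPEN, {1: VAP_GUEST, 2: VAP_IOT})


if __name__ == "__main__":
    for ap in (AP_LOBBY, AP_FLOOR):
        for wlan_id, vap in ap.vaps.items():
            for mac in ("0011-2233-4455", "0011-2233-4477", "0011-2233-4499"):
                verdict = "allowed" if sta_allowed(ap, vap, mac) else "denied"
                print(ap.name, wlan_id, vap.ssid, mac, verdict)
```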
Smart Application Control (SAC) is a smart engine that can identify and classify application
protocols. It uses service awareness technology to identify packets of dynamic protocols such
as HTTP and RTP by checking Layer 4 to Layer 7 information in the packets. SAC helps
implement fine-granular QoS policy control.
An SAC profile is used to configure policies for re-marking packet priorities, discarding
packets, and limiting packet rates based on applications or application groups, so as to control
different types of applications and ensure stable and highly efficient running of key services.
The configurations in an SAC profile take effect only after it is bound to a VAP profile or a
user group. For details, see Configuring SAC in the Configuration-QoS Configuration Guide-
SAC Configuration.
Hotspot2.0 networks are usually provided by network service providers who can set network
parameters in compliance with Hotspot2.0 standards to identify the networks. Wireless
terminals can obtain network information and automatically select and access the desired
networks based on the preset identity credentials. The administrator needs to configure the
APs through Hotspot2.0 profiles according to the parameters provided by the network service
providers so that the APs can provide Hotspot2.0 network information to the wireless
terminals. After the Hotspot2.0 profiles are applied to VAP profiles, the configuration takes
effect.
If a Hotspot2.0 network parameter carries multiple data entries, you need to configure the
parameter using a profile. In the profile, you can configure the entries of the parameter and
then bind the profile to a Hotspot2.0 profile.
Cellular network profile: You can configure Hotspot2.0 services on cellular networks.
When connecting to the networks, user terminals can obtain network information from
APs, which helps them select desired networks.
NAI realm profile: A NAI realm profile is used to configure the network access identifier
(NAI) realm name, authentication mode, and authentication parameters for networks
accessible to users.
Roaming consortium profile: If the user terminals need to roam among Hotspot2.0
networks of different operators, configure a roaming consortium profile and add the
organization identifiers (OIs) of the operators to the roaming consortium profile. In this
way, after the user terminals connect to a network of an operator in the profile, they can
roam to networks of the other operators while staying online.
Connection capability profile: You can configure Hotspot2.0 services for networks. When
user terminals connect to the networks, they can obtain network connection capability
information from APs, including allowed protocols and ports, which helps them select
desired networks.
Operating class profile: The operating class profile is used to configure the operating
class indication of the AP on the Hotspot2.0 network. When a STA accesses the network, it
can obtain from the AP the channel information used to access a Wi-Fi frequency so that
the STA can set up a connection.
Operator domain profile: An operator domain profile is used to configure the operator's
domain name. STAs can obtain the domain name information through ANQP, which is
used as a basis for network selection.
Operator name profile: You can specify different friendly names for different languages
so that users can select networks.
An AP system profile is used to configure AP system parameters and can reference STA
blacklist and whitelist profiles as well as spectrum analysis configuration. The following
configurations are performed in an AP system profile:
l Configure AP indicators.
Blinking indicators of indoor APs deployed in hospitals and hotels may affect people's
nighttime rest. Therefore, you can turn off AP indicators after APs are installed and run
properly.
l Configure the alarm function on an AP.
– You can configure alarm thresholds on an AP to monitor the AP in real time. When
the configured thresholds are exceeded, the AP generates alarms or logs to notify
the AC of AP status.
– If a STA cannot go online due to security type mismatch, UAC, or access user
upper limit exceeding, the STA will automatically re-connect to the AP. During this
period, the AP sends a large number of STA association failure alarms to the AC,
which degrades the system performance.
To solve this problem, enable alarm suppression for the AP. The AP then does not report
alarms repeatedly in the alarm suppression period, preventing alarm storms.
For details, see Configuring the Alarm Function on an AP in the Configuration - AP
Management Configuration Guide.
l Configure the log backup and log suppression functions on an AP.
– Logs record user operations and system running information. After logs are backed
up to a server, network administrators can summarize and analyze AP logs to learn
about the operations performed on APs for fault location.
The device supports automatic log backup. After automatic log backup is
configured, logs generated by an AP are automatically sent to the log server.
– If a STA keeps attempting to connect to an AP because of signal interference or
instability, the AP sends a large number of duplicate login and logout logs to the AC
in a short period, causing a huge waste of resources.
To address this problem, enable log suppression. The AP sends only one log about a
user to the AC within the log suppression period.
For details, see Configuring the Log Backup and Log Suppression Functions on an AP in
the Configuration - AP Management Configuration Guide.
l Configure LLDP on an AP.
The Link Layer Discovery Protocol (LLDP) helps the NMS obtain detailed Layer 2
information, such as the network topology, device interface status, and management
address.
After LLDP is configured on an AP, the AP can send LLDP packets carrying local
system status information to directly connected neighbors and parse LLDP packets
received from neighbors. After the AP discovers a neighbor, the AP sends neighbor
information to the AC. The NMS then obtains AP's LLDP information from the AC to
learn about the network topology.
For details, see Configuring LLDP on an AP in the Configuration - AP Management
Configuration Guide.
l Configure the effective scope of a STA blacklist or whitelist.
If a STA blacklist or whitelist is applied to an AP system profile, the STA blacklist or
whitelist takes effect on all APs using the AP system profile. For details, see Applying
the Configuration to a VAP Profile or an AP System Profile in the Configuration -
WLAN Security Configuration Guide.
l Configure some parameters for spectrum analysis.
The parameters include the IP address and port number of a spectrum server and aging
time of information about non-Wi-Fi devices on an AC during spectrum analysis. For
l AP group radio or AP radio: You can configure major feature parameters for radios in an
AP group or a specified AP radio, including the working channel and bandwidth,
antenna gain, transmit power, and radio coverage distance. For example, when
configuring the WDS function, configure the same channel for radios of WDS APs.
l Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can
configure other radio parameters for WDS links through a radio profile.
By default, the system provides the WDS profile default. Every WDS profile, whether it is the
default profile provided by the system or a WDS profile created by users, references the security
profile default-wds, which uses the security policy WPA2+PSK+AES and the security key
huawei_secwds. If the default security profile default-wds is used, you are advised to change the
security key of the profile to ensure security.
NOTE
The security policy can be set to open system authentication only for the Mesh network in rail
transportation scenarios.
l Mesh whitelist profile: A Mesh whitelist profile contains MAC addresses of neighboring
APs allowed to set up Mesh links with an AP. After a Mesh whitelist profile is applied to
an AP radio, only APs with MAC addresses in the whitelist can access the AP, and other
APs are denied. On common Mesh networks, a Mesh whitelist must be configured for a
Mesh node.
NOTE
l A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the
local AP only after passing security authentication.
l On a Mesh network where ATs are deployed, after FWA is enabled in a Mesh profile, you do not
need to configure a Mesh whitelist for a Mesh node. All ATs are allowed to access the Mesh node.
l AP group radio or AP radio: You can configure major feature parameters for radios in an
AP group or a specified AP radio, including the working channel and bandwidth,
antenna gain, transmit power, and radio coverage distance. For example, when
configuring the Mesh function, configure the same channel for radios of Mesh APs.
l Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can
configure other radio parameters for Mesh links through a radio profile.
l AP wired port profile: The AP wired port profile is used to configure AP wired port
parameters and Mesh roles. When configuring Mesh services, you need to configure AP
wired port parameters according to actual situations, enabling the Mesh network to
transmit user services. For example, if direct forwarding is used on a Mesh network, you
need to configure wired ports of Mesh APs to allow service VLANs to pass through.
l Mesh handover profile: After a Mesh handover profile is bound to a Mesh profile, the
Mesh profile can provide the fast Mesh link handover function and apply to train-ground
communication scenarios. A Mesh handover profile and the FWA mode of a Mesh
profile are mutually exclusive. A Mesh handover profile cannot be referenced by the
Mesh profile in which the FWA mode is enabled.
By default, the system provides the Mesh profile default. Both the default Mesh profile default
and any self-defined Mesh profile reference the security profile default-mesh by default. In the
security profile default-mesh, the security policy is set to WPA2+PSK+AES and the security key
to huawei_secmesh. If the default security profile default-mesh is used, you are advised to change
the security key of the profile to ensure security.
An IoT profile provides the following communication parameters between an AP and a host
computer:
An AP communicates with an IoT card through a serial port. Each IoT card interface uses
independent serial communication parameters and framing parameters. By default, an IoT
card interface is bound to the preset serial profile preset-enjoyor-toeap. The default values of
the parameters are as follows:
An AP communicates with an IoT card through a serial port. Each IoT card interface uses
independent serial communication parameters and framing parameters. The serial
communication parameters and framing parameters can be set in a serial profile.
For details, see Configuring Communication Parameters Between an AP and an IoT Card in
the Configuration - IoT AP Configuration Guide.
Copying Profiles
To improve configuration efficiency, you can copy configurations in one profile to another
profile and then modify specific parameters.
For example, if you need to copy the configurations in VAP profile b to VAP profile a, you
only need to run the copy-from profile-name command in VAP profile a. The detailed
procedure is as follows:
<AC6605> system-view
[AC6605] wlan
[AC6605-wlan-view] vap-profile name a
[AC6605-wlan-vap-prof-a] copy-from b
NOTE
l You can perform this operation only between profiles of the same type. For example, you can copy the
configurations in a VAP profile to another VAP profile, but not to a radio profile.
l If a profile is bound to another profile, you cannot perform this operation in this profile. For example, if
VAP profile a is bound to an AP group, you cannot perform this operation in VAP profile a.
Management packets transmit management data between an AC and AP. Data packets
transmit data from STAs and the upper-layer network when WLAN users surf on the Internet.
On a WLAN, packets transmitted between STAs and APs are 802.11 packets. APs are bridges
between STAs and the upper layer wired network. They convert 802.11 packets into 802.3
packets and forward 802.3 packets to the wired network.
Management packets and service data packets are marked with different VLAN tags on a
WLAN. The following describes the forwarding process of management and service data
packets. Here, VLAN m and VLAN m' represent management VLANs, while VLAN s and
VLAN s' represent service VLANs.
l When an AP connects to an AC through a Layer 2 network, VLAN m is the same as
VLAN m', and VLAN s is the same as VLAN s'.
l When an AP connects to an AC through a Layer 3 network, VLAN m is different from
VLAN m', and VLAN s is different from VLAN s'.
WLAN roaming is categorized as Layer 2 and Layer 3 roaming depending on whether a STA
roams within the same subnet. In roaming scenarios, management packets are forwarded
through the CAPWAP tunnel, while service data packets can be forwarded through the
CAPWAP tunnel or using direct forwarding mode.
them with VLAN m'. The switch removes VLAN m from the packets. The AP
decapsulates the CAPWAP packets.
The devices between an AC and AP must be configured to allow VLAN m and transparently
transmit packets of VLAN m.
Figure 3-8 Forwarding service data packets over a soft GRE tunnel
Figure 3-10 Tunnel forwarding of service data packets during Layer 3 roaming
l As shown in Figure 3-11, in direct forwarding mode, service packets exchanged between
the HAP and HAC are not encapsulated through the CAPWAP tunnel; therefore, whether
the HAP and HAC reside in the same subnet is unknown. Packets are forwarded back to
the HAP by default. If the HAP and HAC are located in the same subnet, configure the
HAC with higher performance as the home agent. This reduces the load on the HAP and
improves the forwarding efficiency.
Figure 3-11 Direct forwarding of service data packets during Layer 3 roaming
Upstream service data
l Packet forwarding before roaming:
1. The STA sends a service packet to the HAP.
2. After receiving the service packet, the HAP forwards the service packet to the upper-layer
network directly.
l Packet forwarding after roaming:
1. The STA sends a service packet to the FAP.
2. After receiving the service packet, the FAP sends it to the FAC over the CAPWAP tunnel.
3. The FAC forwards the service packet to the HAC through a tunnel between them.
4. The HAC sends the service packet to the HAP over the CAPWAP tunnel.
5. The HAP forwards the service packet to the upper-layer network.
l Packet forwarding after the AC is specified as the home agent:
1. The STA sends a service packet to the FAP.
2. After receiving the service packet, the FAP sends it to the FAC over the CAPWAP tunnel.
3. The FAC forwards the service packet to the HAC through a tunnel between them.
4. The HAC forwards the service packet to the upper-layer network.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1x+AES
Networking diagram (labels only): Internet, Router, RADIUS Server 10.23.103.1:1812, AC,
SwitchB, SwitchA, AP, STAs.
Management VLAN: VLAN 100
Service VLAN: VLAN 101
Data Planning
Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1X authentication on the AC.
5. Configure third-party server interconnection parameters.
NOTE
The AC and server must have the same RADIUS shared key.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop set to the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit
3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
l For interconnection with other third-party servers, see the corresponding product manual.
Step 7 Verify the configuration.
l The WLAN with SSID wlan-net is available for STAs connected to the AP.
l The wireless PC obtains an IP address after it associates with the WLAN.
l Use the 802.1x authentication client on a STA and enter the correct user name and
password. The STA is authenticated and can access the WLAN. You must configure the
client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. Click OK. On the Wireless Network Properties page, click Advanced
settings. On the Advanced settings page that is displayed, select Specify
authentication mode, set the identity authentication mode to User
authentication, and click OK.
l After wireless users connect to the network, run the display access-user access-type
dot1x command on the AC to view users in 802.1x authentication mode. The user
huawei has gone online successfully.
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
460 huawei 10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1
----End
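The two verification checks above (every AP in state nor, every 802.1X user with Status Success) can be automated. The following Python script is an added example and not part of this Huawei guide; its sample output is constructed from the display ap all and display access-user transcripts shown in this example, with a second AP left in idle state (placeholder MAC address) so that the check has something to report.

```python
"""Automated checks for the verification steps in this example.

The guide says an AP has gone online when 'display ap all' shows State
'nor', and that a user has authenticated when 'display access-user
access-type dot1x' shows Status 'Success'. These helpers parse that
dash-delimited table output and report anything that does not match.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample output, modelled on the transcripts in this example.
# A second AP stuck in 'idle' state is added so the check has a finding;
# its MAC address and '-' fields are placeholders, not from the guide.
DISPLAY_AP_ALL = """\
Total AP information:
nor  : normal          [1]
idle : idle            [1]
--------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime
--------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
1   60de-4476-e361  area_2  ap-group1  -              AP5030DN  idle   0    -
--------------------------------------------------------------------------------
Total: 2
"""

DISPLAY_ACCESS_USER = """\
------------------------------------------------------------------------------
UserID  Username  IP address     MAC             Status
------------------------------------------------------------------------------
460     huawei    10.23.101.254  8000-6e74-e78a  Success
------------------------------------------------------------------------------
Total: 1, printed: 1
"""

SEPARATOR = re.compile(r"^-{10,}$")


def parse_display_table(output: str) -> List[Dict[str, str]]:
    """Return the rows of a dash-delimited display table as dicts.

    The header is the single line between the first two separators;
    rows sit between the second and third. Column names are split on
    runs of two or more spaces so 'IP address' stays one column, while
    row values (which never contain spaces) are split on any whitespace.
    """
    lines = [ln.rstrip() for ln in output.splitlines()]
    seps = [i for i, ln in enumerate(lines) if SEPARATOR.match(ln)]
    if len(seps) < 3:
        raise ValueError("expected three separator lines around header and rows")
    header = [ln for ln in lines[seps[0] + 1:seps[1]] if ln.strip()]
    if len(header) != 1:
        raise ValueError("expected exactly one header line")
    columns = re.split(r"\s{2,}", header[0].strip())
    rows: List[Dict[str, str]] = []
    for ln in lines[seps[1] + 1:seps[2]]:
        if not ln.strip():
            continue
        values = ln.split()
        if len(values) != len(columns):
            raise ValueError(f"row/header field count mismatch: {ln!r}")
        rows.append(dict(zip(columns, values)))
    return rows


def declared_total(output: str) -> int:
    """Read the 'Total: N' trailer; used to detect truncated captures."""
    match = re.search(r"^Total:\s*(\d+)", output, re.MULTILINE)
    if match is None:
        raise ValueError("no 'Total:' line found")
    return int(match.group(1))


def aps_not_normal(output: str) -> List[Tuple[str, str, str]]:
    """(Name, MAC, State) for every AP whose State is not 'nor'."""
    return [(r["Name"], r["MAC"], r["State"])
            for r in parse_display_table(output) if r["State"] != "nor"]


def unauthenticated_dot1x_users(output: str) -> List[Tuple[str, str, str]]:
    """(Username, MAC, Status) for every user whose Status is not 'Success'."""
    return [(r["Username"], r["MAC"], r["Status"])
            for r in parse_display_table(output) if r["Status"] != "Success"]


def verify_wlan(ap_output: str, user_output: str) -> List[str]:
    """Run both checks and return human-readable findings (empty = all good)."""
    findings: List[str] = []
    if len(parse_display_table(ap_output)) != declared_total(ap_output):
        findings.append("display ap all: row count differs from 'Total:'; capture may be truncated")
    for name, mac, state in aps_not_normal(ap_output):
        findings.append(f"AP {name} ({mac}) is in state '{state}', not 'nor'")
    if len(parse_display_table(user_output)) != declared_total(user_output):
        findings.append("display access-user: row count differs from 'Total:'; capture may be truncated")
    for user, mac, status in unauthenticated_dot1x_users(user_output):
        findings.append(f"802.1X user {user} ({mac}) has status '{status}', not 'Success'")
    return findings


if __name__ == "__main__":
    for finding in verify_wlan(DISPLAY_AP_ALL, DISPLAY_ACCESS_USER) or ["all checks passed"]:
        print(finding)
```

The row-count check against the Total: trailer catches captures cut short by terminal paging, which otherwise hide APs that never came online.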
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
Service Requirements
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
l Authentication mode: MAC address-prioritized Portal authentication
l Security policy: open
Data Planning
Item                        Data
Management VLAN for APs     VLAN 100
Service VLAN for STAs       VLAN 101
IP address pool for APs     10.23.100.2–10.23.100.254/24
IP address pool for STAs    10.23.101.3–10.23.101.254/24
MAC access profile          Name: wlan-net
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure MAC address-prioritized Portal authentication.
a. Configure RADIUS server parameters.
b. Configure a Portal access profile to manage Portal access control parameters.
c. Configure a MAC access profile for MAC address-prioritized Portal authentication.
d. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
e. Configure an authentication profile to manage MAC address-prioritized Portal
authentication configuration.
4. Configure WLAN service parameters.
5. Configure third-party server interconnection parameters.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
Step 4 Configure a default route on the AC with the next hop set to the IP address of the router's VLANIF 101.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1
Step 6 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.
NOTE
l In this example, the device is connected to the Agile Controller-Campus. The accounting function is not
implemented for accounting purposes, and is used to maintain terminal online information through
accounting packets.
l The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting
interval requires higher performance of the device and RADIUS server. Set the real-time accounting
interval based on the user quantity.
Number of Users     Real-Time Accounting Interval
1–99                3 minutes
100–499             6 minutes
500–999             12 minutes
≥ 1000              ≥ 15 minutes
Step 7 Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the website to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page
pushing. Before configuring the URL using a domain name, you must first configure the
mapping between the domain name and IP address of the Portal server on the DNS server.
NOTE
Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] url-parameter ssid ssid redirect-url url
[AC-url-template-wlan-net] quit
Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] port 50200
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
[AC-web-auth-server-wlan-net] quit
Step 9 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit
Step 10 Configure a MAC access profile for MAC address-prioritized Portal authentication.
[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit
Step 12 Configure the authentication profile wlan-net and enable MAC address-prioritized Portal
authentication.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] portal-access-profile wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] free-rule-template default_free_rule
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create security profile wlan-net and set the security policy in the profile. By default, the
security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
For interconnection with the Agile Controller-Campus, see "Example for Configuring Portal
Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless
Users" in the Agile Controller-Campus Typical Configuration Examples.
For interconnection with other third-party servers, see the corresponding product manual.
l When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.
l Assume that the MAC address validity period configured on the server is 60 minutes. If a
user is disconnected from the wireless network for 5 minutes and reconnects to the
network, the user can directly access the network. If a user is disconnected from the
wireless network for 65 minutes and reconnects to the network, the user will be
redirected to the Portal authentication page.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
mac-access-profile wlan-net
portal-access-profile wlan-net
free-rule-template default_free_rule
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
aaa
authentication-scheme wlan-net
authentication-mode radius
accounting-scheme wlan-net
accounting-mode radius
accounting realtime 15
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
capwap source interface vlanif100
#
radius-server template wlan-net
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.102.1 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255
#
url-template name wlan-net
url http://portal.com:8080/portal
#
web-auth-server wlan-net
server-ip 10.23.103.1
port 50200
shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
#
portal-access-profile name wlan-net
web-auth-server wlan-net direct
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
ap-group name ap-group1
regulatory-domain-profile default
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
mac-access-profile name wlan-net
#
return
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: direct forwarding
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the APs, AC, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Adjust WLAN high-density parameters.
You are advised to adjust WLAN high-density parameters according to Table 4-4.
Item | Purpose | Setting
Configure 5G-prior access | To reduce the burden on the 2.4 GHz radio by preferentially connecting 5G-capable STAs to the 5 GHz radio when a large number of 2.4 GHz STAs exist on the network. | Enable band steering. By default, band steering is enabled.
Reduce the user association aging time | To prevent users who frequently disconnect from the wireless network. | Set the association aging time to 1 minute.
Limit user rates | To prevent advantaged STAs from occupying too many rate resources and deteriorating the service experience of disadvantaged STAs. | Limit the downstream rate of each STA to 2000 kbit/s in a VAP. Adjust the upstream rate according to actual situations. In this example, the upstream rate is set to 1000 kbit/s.
Configure smart roaming | To prevent weak-signal STAs from degrading user experience. | Enable smart roaming and set the SNR threshold to 15 dB.
Set the RTS-CTS threshold | To prevent hidden STAs. | Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.
Adjust the interval at which Beacon frames are sent | To improve the overall data traffic of APs. | Set the interval for sending Beacon frames to 160 ms.
Set the guard interval (GI) mode to short GI | To reduce extra overhead and improve AP transmission efficiency. | Set the GI mode to short GI.
Configure the basic rate set | To improve the overall AP throughput. | Delete low rates from the basic rate set.
Configure the multicast rate | To improve air interface efficiency. | Use the default values. By default, the multicast transmit rate of wireless packets is 11 Mbit/s for the 2.4 GHz radio and 6 Mbit/s for the 5 GHz radio.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA to VLANs 10, 101, and 102. The default VLAN
of GE0/0/1 and GE0/0/3 is VLAN 10, and port isolation is enabled on these two AP-facing
interfaces. GE0/0/2 and GE0/0/3 follow the same pattern as GE0/0/1; their commands are given
in the SwitchA configuration file.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add multiple VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.10.254 AP5030DN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Enable the band steering function. By default, the band steering function is enabled.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] undo band-steer disable
# Enable the broadcast flood detection function and set a broadcast flood threshold. By
default, the broadcast flood detection function is enabled.
[AC-wlan-vap-prof-wlan-net] undo anti-attack broadcast-flood disable
[AC-wlan-vap-prof-wlan-net] anti-attack broadcast-flood sta-rate-threshold 50
[AC-wlan-vap-prof-wlan-net] quit
# Set the maximum number of STAs associated with a VAP to 128, association timeout
period to 1 minute, and EDCA parameters for AC_BE packets of STAs.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] max-sta-number 128
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] association-timeout 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10
[AC-wlan-ssid-prof-wlan-net] quit
# Create traffic profile wlan-traffic and set the rate limit for upstream and downstream
traffic to 4000 kbit/s.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client down 4000
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client up 4000
[AC-wlan-traffic-prof-wlan-traffic] quit
# Create RRM profile wlan-rrm, disable automatic calibration, enable airtime fair scheduling
and smart roaming, and set the SNR-based threshold for smart roaming to 15 dB.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-rrm] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-rrm] airtime-fair-schedule enable
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-rrm-prof-wlan-rrm] smart-roam enable
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold check-snr
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold snr 15
[AC-wlan-rrm-prof-wlan-rrm] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
When a large number of users connect to the network in the stadium, the users still have good
Internet experience.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100 to 102
#
dhcp enable
#
interface Vlanif10
ip address 10.23.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
l Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
traffic-profile name wlan-traffic
rate-limit client up 4000
rate-limit client down 4000
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#wQ}eV*m'Y#f6Mj@h#DxTLrKaYm|)pBm@w$(jpeqE%^%# aes
ssid-profile name wlan-net
ssid wlan-net
association-timeout 1
max-sta-number 128
wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0
vap-profile name wlan-net
service-vlan vlan-pool sta-pool
ssid-profile wlan-net
security-profile wlan-net
traffic-profile wlan-traffic
anti-attack broadcast-flood sta-rate-threshold 50
regulatory-domain-profile name default
rrm-profile name wlan-rrm
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
airtime-fair-schedule enable
smart-roam enable
smart-roam roam-threshold snr 15
radio-2g-profile name wlan-radio2g
dot11bg basic-rate 6 9 12 18 24 36 48 54
beacon-interval 160
guard-interval-mode short
multicast-rate 11
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
radio-5g-profile name wlan-radio5g
beacon-interval 160
guard-interval-mode short
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
multicast-rate 6
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 60 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
Networking Requirements
l AC networking mode: Layer 2 networking in bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_A) functions as a DHCP server to assign IP
addresses to STAs.
l Wireless backhaul mode: hand-in-hand WDS
l Backhaul radio: 5 GHz
l Service data forwarding mode: direct forwarding
Data Planning
Item Data
l Name: wds-list2
l AP MAC address: MAC address of AP_3 (leaf)

l Name: wds-leaf
l WDS name: wlan-wds
l WDS working mode: leaf
l Tagged VLAN: VLAN 101
l Referenced profile: security profile wds-security

l Name: ap-group2
l Root and leaf APs, such as AP_2, are added to the group.
l Referenced profiles: WDS profiles wds-root and wds-leaf, VAP profile wlan-net, and regulatory domain profile default

l Name: ap-group3
l Leaf APs, such as AP_3, are added to the group.
l Referenced profiles: WDS profile wds-leaf, VAP profile wlan-net, and regulatory domain profile default
Configuration Roadmap
1. Configure root node AP_1 to go online on the AC.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
2. Configure WDS services so that APs in and Area C can go online through WDS wireless
virtual links.
3. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
l Select proper antennas by following the WDS network planning and design, and use the
antenna calibration tool for calibration.
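The configuration notes above (and the identical notes in the preceding example) can be checked mechanically against a configuration file. The following Python script is an added example, not part of the Huawei document: it parses constructed configuration text written in the style of the document's "Configuration Files" sections and reports tunnel-forwarding VAPs whose service VLAN equals the management VLAN (the CAPWAP source VLANIF), AP-facing switch ports (trunk ports whose PVID is the management VLAN, as on SwitchA) that lack port isolation, and VAPs whose open security profile is not backed by an authentication profile. It assumes one-space indentation per view as in VRP output, and that a VAP without a forward-mode line uses direct forwarding.

```python
# Constructed sample input modelled on the document's configuration files (not real device
# output): the tunnel VAP reuses the management VLAN and 'guest' has no authentication profile.
SAMPLE_AC = """\
capwap source interface vlanif100
wlan
 security-profile name wlan-net
 security-profile name wlan-psk
  security wpa-wpa2 psk pass-phrase PLACEHOLDER-PSK aes
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 100
  security-profile wlan-net
  authentication-profile wlan-net
 vap-profile name guest
  service-vlan vlan-id 101
  security-profile wlan-net
 vap-profile name staff
  service-vlan vlan-id 101
  security-profile wlan-psk
"""

SAMPLE_SWITCH = """\
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
"""


def parse_tree(text):
    """Build an indentation tree from VRP-style config text: each node is (line, children).
    VRP indents nested views by one space per level; '#' separator lines are skipped."""
    root = []
    stack = [(-1, root)]  # (indent, children list) of the enclosing views
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:
            stack.pop()
        node = (line, [])
        stack[-1][1].append(node)
        stack.append((indent, node[1]))
    return root


def check_ac(text):
    """Findings for the AC: tunnel VAPs whose service VLAN is the management VLAN (the CAPWAP
    source VLANIF), and VAPs with an open security profile and no authentication profile.
    A VAP without a forward-mode line is assumed to use direct forwarding (the default)."""
    tree = parse_tree(text)
    caps = [ln.split("vlanif")[-1] for ln, _ in tree if ln.startswith("capwap source interface vlanif")]
    mgmt_vlan = caps[0] if caps else None
    view = next((kids for line, kids in tree if line == "wlan"), [])
    # A security profile with no 'security ...' line keeps the default open-system policy.
    is_open = {line.split()[-1]: not any(c.startswith("security ") for c, _ in kids)
               for line, kids in view if line.startswith("security-profile name ")}
    findings = []
    for line, kids in view:
        if not line.startswith("vap-profile name "):
            continue
        name = line.split()[-1]
        opts = {c.split()[0]: c.split()[1:] for c, _ in kids}
        if (opts.get("forward-mode", ["direct"])[0] == "tunnel"
                and opts.get("service-vlan") == ["vlan-id", mgmt_vlan]):
            findings.append(f"vap-profile {name}: tunnel forwarding uses management VLAN "
                            f"{mgmt_vlan} as the service VLAN")
        sec = opts.get("security-profile", [""])[0]
        # An unknown profile name is treated as open so the finding is not silently lost.
        if is_open.get(sec, True) and "authentication-profile" not in opts:
            findings.append(f"vap-profile {name}: open security profile '{sec}' "
                            "without an authentication-profile")
    return findings


def check_switch(text, mgmt_vlan):
    """Direct forwarding: trunk ports whose PVID is the management VLAN are treated as
    AP-facing (the SwitchA pattern in the document) and must have port isolation enabled."""
    findings = []
    for line, kids in parse_tree(text):
        if not line.startswith("interface "):
            continue
        cmds = [c for c, _ in kids]
        facing_ap = f"port trunk pvid vlan {mgmt_vlan}" in cmds
        isolated = any(c.startswith("port-isolate enable") for c in cmds)
        if facing_ap and not isolated:
            findings.append(f"{line}: AP-facing port without port-isolate enable")
    return findings
```

Running `check_ac(SAMPLE_AC)` and `check_switch(SAMPLE_SWITCH, 100)` on the constructed samples reports the tunnel VAP on VLAN 100, the open guest VAP, and GE0/0/1 without port isolation.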
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit
# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure Switch_A as a DHCP server to assign IP addresses to STAs from the interface
address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server gateway-list 10.23.101.2
[Switch_A-Vlanif101] quit
# Enable DHCP on the AC to assign IP addresses to the APs from the interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
# Add AP_1, AP_2, and AP_3 to AP group ap-group1, ap-group2, and ap-group3,
respectively.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fc96-e4c0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group ap-group3
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
# Set key radio parameters for the WDS nodes. In this example, AP_1 and AP_3 use radio 1,
and AP_2 uses radio 0 and radio 1. Configure radio 0 of AP_2 to work on the 5 GHz
frequency band. To reduce channel interference, configure radio 0 and radio 1 of AP_2 to
work on different channels. Radio 1 and radio 0 of AP_2 are used to establish WDS links with
AP_1 and AP_3 respectively. The coverage distance parameter specifies the radio coverage
distance in units of 100 m; the default value is 3. In this example, 4 is used. Set this
parameter based on the actual deployment.
NOTE
On a WDS network, radios used to create WDS links must work on the same channel.
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] frequency 5g
Warning: Modifying the frequency band will delete the channel, power, and antenna gain configurations of the current radio on the AP and reboot the AP. Continue?[Y/N]:y
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/1] coverage distance 4
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/0] coverage distance 4
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] radio 1
[AC-wlan-radio-2/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/1] coverage distance 4
[AC-wlan-radio-2/1] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3
[AC-wlan-ap-3] radio 1
[AC-wlan-radio-3/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-3/1] coverage distance 4
[AC-wlan-radio-3/1] quit
[AC-wlan-ap-3] quit
# Configure security profile wds-security for WDS links. The security policy for the security
profile is WPA2+PSK+AES.
[AC-wlan-view] security-profile name wds-security
[AC-wlan-sec-prof-wds-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wds-security] quit
# Configure a WDS whitelist profile. Bind WDS whitelist profile wds-list1 to AP_1, and
allow access of only AP_2. Bind WDS whitelist profile wds-list2 to AP_2, and allow access
of only AP_3.
[AC-wlan-view] wds-whitelist-profile name wds-list1
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac dcd2-fc04-b500
[AC-wlan-wds-whitelist-wds-list1] quit
[AC-wlan-view] wds-whitelist-profile name wds-list2
[AC-wlan-wds-whitelist-wds-list2] peer-ap mac dcd2-fc96-e4c0
[AC-wlan-wds-whitelist-wds-list2] quit
# Configure WDS profile wds-root. Set the WDS name to wlan-wds, and the WDS mode to
root. Bind security profile wds-security to the WDS profile and permit packets from VLAN
101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-root
[AC-wlan-wds-prof-wds-root] wds-name wlan-wds
[AC-wlan-wds-prof-wds-root] wds-mode root
[AC-wlan-wds-prof-wds-root] security-profile wds-security
[AC-wlan-wds-prof-wds-root] vlan tagged 101
[AC-wlan-wds-prof-wds-root] quit
# Configure WDS profile wds-leaf. Set the WDS name to wlan-wds, and the WDS mode to
leaf. Bind security profile wds-security to the WDS profile and permit packets from VLAN
101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-leaf
[AC-wlan-wds-prof-wds-leaf] wds-name wlan-wds
[AC-wlan-wds-prof-wds-leaf] wds-mode leaf
[AC-wlan-wds-prof-wds-leaf] security-profile wds-security
[AC-wlan-wds-prof-wds-leaf] vlan tagged 101
[AC-wlan-wds-prof-wds-leaf] quit
# Bind WDS whitelist profile wds-list1 to radio 1 of AP group ap-group1 (the root radio
that AP_2 connects to).
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] wds-whitelist-profile wds-list1
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
# Bind WDS whitelist profile wds-list2 to radio 0 of AP group ap-group2. Radio 0 of AP_2
is the 5 GHz root radio on channel 149 that AP_3 connects to, as shown in the
configuration file.
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] radio 0
[AC-wlan-group-radio-ap-group2/0] wds-whitelist-profile wds-list2
[AC-wlan-group-radio-ap-group2/0] quit
[AC-wlan-ap-group-ap-group2] quit
Step 6 Bind required profiles to the AP groups to make WDS services take effect.
# Bind WDS profile wds-root to AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wds-profile wds-root radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In actual
situations, the security policy must be configured according to service requirements. The password here is
a placeholder: a PSK network is only as strong as its passphrase, so use a long, random passphrase, and prefer
WPA2 alone over WPA-WPA2 mixed mode unless legacy WPA-only STAs must be supported.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile to the AP groups. In this example, radio 1 on AP_1 and AP_3 is used
for WDS backhaul, and radio 0 for wireless service coverage. Apply VAP profile wlan-net to
radio 0 of the AP_1 and AP_3.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] vap-profile wlan-net wlan 3 radio 0
[AC-wlan-ap-group-ap-group3] quit
Step 8 Configure the channel and power for the 2.4 GHz radio.
NOTE
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Run the display wlan wds link all command to display information about WDS links.
[AC-wlan-view] display wlan wds link all
Rf : radio ID Dis : coverage distance(100m)
Ch : channel Per : drop percent(%)
TSNR : total SNR(dB) P- : peer
The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
1 AP_1 0 1 60DE-4474-9640 ON WPA/WPA2-PSK 0 wlan-net
3 AP_3 0 3 DCD2-FC96-E4C0 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 1     AP_1    0/1     2.4G 11n  3/34  -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
----End
Configuration Files
l Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
wds-whitelist-profile name wds-list1
peer-ap mac dcd2-fc04-b500
wds-whitelist-profile name wds-list2
peer-ap mac dcd2-fc96-e4c0
wds-profile name wds-leaf
security-profile wds-security
vlan tagged 101
wds-name wlan-wds
wds-profile name wds-root
security-profile wds-security
vlan tagged 101
wds-name wlan-wds
wds-mode root
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 3
radio 1
wds-profile wds-root
wds-whitelist-profile wds-list1
ap-group name ap-group2
radio 0
wds-profile wds-root
wds-whitelist-profile wds-list2
radio 1
wds-profile wds-leaf
ap-group name ap-group3
radio 0
vap-profile wlan-net wlan 1
radio 1
wds-profile wds-leaf
ap-id 1 type-id 39 ap-mac 60de-4474-9640 ap-sn 210235554710CB000042
ap-name AP_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 40mhz-plus 157
coverage distance 4
ap-id 2 type-id 39 ap-mac dcd2-fc04-b500 ap-sn 210235555310CC000094
ap-name AP_2
ap-group ap-group2
radio 0
frequency 5g
channel 40mhz-plus 149
eirp 127
coverage distance 4
radio 1
channel 40mhz-plus 157
eirp 127
coverage distance 4
ap-id 3 type-id 39 ap-mac dcd2-fc96-e4c0 ap-sn 210235557610DB000046
ap-name AP_3
ap-group ap-group3
radio 0
channel 20mhz 11
eirp 127
radio 1
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
l Backhaul radio: 5 GHz radio
Data Planning
Item Data
Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted AP can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications.
NOTE
l This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
Fat AP mode as the vehicle-mounted APs.
l Switches and routers used in this example are all Huawei products.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
l Configure ground network devices.
a. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add
interfaces GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to
allow packets from VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4
to VLAN 101. Add GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and
configure GE0/0/5 to allow packets from VLAN 200 to pass through. Configure
GE0/0/1, GE0/0/2, and GE0/0/6 to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit
b. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP
server function to assign IP addresses for vehicle-mounted terminals.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[Switch_A-Vlanif101] quit
c. Configure an IP address for VLANIF 200 on Switch_A and specify the IP address
of GE1/0/0 on the router as the next hop address of the default route so that packets
from the vehicle-ground communication network can be forwarded to the egress
router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1
d. Configure an IP address for GE1/0/0 on Router and configure routes to the internal
network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
NOTE
You can configure routes to external networks and the NAT function on the egress router
according to service requirements to ensure normal communications between internal and
external networks.
e. Configure Switch_B and Switch_C to enable Layer 2 communications between
trackside APs and the ground network.
# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100.
NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast
services. If the trackside APs are not directly connected to the switches or Layer 3
multicast is configured, you cannot configure the fast leave function because this
function may interrupt multicast services.
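The port-isolation and trunk rules from the Configuration Notes above, as an added example that is not part of the Huawei documentation: a Python audit of the switch ports that face APs. It assumes the input is a Huawei-style configuration excerpt like those in the Configuration Files section, that GE0/0/1, GE0/0/3 and GE0/0/4 on Switch_C are the AP-facing ports, and that VLAN 100 is the management VLAN and VLAN 101 the service VLAN. The sample configuration is constructed from the Switch_C configuration file on this page; the hardened copy adds the port-isolate enable that the notes recommend.

```python
"""Added example (not Huawei code): check AP-facing switch ports for trunk mode,
management-VLAN PVID, allowed VLANs and port isolation, as the Configuration
Notes recommend for direct forwarding."""
import re


def _expand_vlans(tokens):
    """Expand 'port trunk allow-pass vlan 100 to 101 200' style token lists."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_interfaces(config_text):
    """Return {interface: {trunk, pvid, allow, isolate}} from the interface stanzas."""
    ports, cur = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":                       # stanza separator in Huawei configs
            cur = None
        elif m := re.match(r"interface (\S+)$", line):
            # Huawei trunk defaults: PVID 1; only explicitly allowed VLANs are tracked here
            cur = ports[m.group(1)] = {"trunk": False, "pvid": 1, "allow": set(), "isolate": False}
        elif cur is None:
            continue
        elif line == "port link-type trunk":
            cur["trunk"] = True
        elif m := re.match(r"port trunk pvid vlan (\d+)$", line):
            cur["pvid"] = int(m.group(1))
        elif line.startswith("port trunk allow-pass vlan "):
            cur["allow"] |= _expand_vlans(line.split()[4:])
        elif line == "port-isolate enable":
            cur["isolate"] = True
    return ports


def audit_ap_ports(ports, ap_ports, mgmt_vlan, service_vlans):
    """One finding per violated rule on each AP-facing port."""
    findings, required = [], {mgmt_vlan} | set(service_vlans)
    for name in ap_ports:
        p = ports.get(name)
        if p is None:
            findings.append(f"{name}: interface not configured")
            continue
        if not p["trunk"]:
            findings.append(f"{name}: not a trunk port")
        if p["pvid"] != mgmt_vlan:
            findings.append(f"{name}: PVID {p['pvid']} is not management VLAN {mgmt_vlan}")
        if missing := required - p["allow"]:
            findings.append(f"{name}: VLANs {sorted(missing)} not allowed on the trunk")
        if not p["isolate"]:
            findings.append(f"{name}: port-isolate enable missing (direct-forward APs can flood each other)")
    return findings


# Constructed from the Switch_C configuration file on this page (no port isolation).
SWITCH_C_CONFIG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
"""
# Same ports with 'port-isolate enable' added, as the Configuration Notes recommend.
SWITCH_C_HARDENED = SWITCH_C_CONFIG.replace(
    " port trunk pvid vlan 100\n", " port trunk pvid vlan 100\n port-isolate enable\n")
AP_PORTS = ["GigabitEthernet0/0/1", "GigabitEthernet0/0/3", "GigabitEthernet0/0/4"]  # assumed AP-facing

if __name__ == "__main__":
    for label, text in (("as documented", SWITCH_C_CONFIG), ("hardened", SWITCH_C_HARDENED)):
        print(label, audit_ap_ports(parse_interfaces(text), AP_PORTS, 100, [101]) or ["OK"])
```

Run as a script, the configuration as documented produces one port-isolation finding per AP-facing port while the hardened copy passes; pointing the same function at Switch_A's GE0/0/3 and GE0/0/4 or the AC's GE0/0/1 only needs a different port list.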
# Create VLAN 100 on the AC and configure GE0/0/1 to allow packets from
VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
# Create the AP group mesh-mpp and add trackside APs that require the same
configuration to the group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] quit
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 0046-4b59-1d10
[AC-wlan-ap-1] ap-name L1_001
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 0046-4b59-1d20
[AC-wlan-ap-2] ap-name L1_003
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 0046-4b59-1d30
[AC-wlan-ap-3] ap-name L1_010
[AC-wlan-ap-3] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 101 ap-mac 0046-4b59-1d40
[AC-wlan-ap-101] ap-name L1_150
[AC-wlan-ap-101] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 0046-4b59-1d50
[AC-wlan-ap-102] ap-name L1_160
[AC-wlan-ap-102] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac 0046-4b59-1d60
[AC-wlan-ap-103] ap-name L1_170
[AC-wlan-ap-103] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit
i. Configure the trackside APs' uplink wired interfaces to allow packets from VLAN
101 to pass through.
# Configure the wired port profile wired-port and add the wired interfaces to
VLAN 101 in tagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit
# Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# Configure the security profile sp01 used by Mesh links. The sp01 supports the
security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-sp01] quit
# Configure the Mesh role. Set the Mesh role of trackside APs to Mesh-portal
through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit
# Configure the Mesh handover profile hand-over and enable the location-based
fast link handover algorithm.
[AC-wlan-view] mesh-handover-profile name hand-over
[AC-wlan-mesh-handover-hand-over] location-based-algorithm enable
[AC-wlan-mesh-handover-hand-over] quit
# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] security-profile sp01
[AC-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AC-wlan-mesh-prof-mesh-net] quit
# Bind the Mesh profile and Mesh whitelist profile to radio 1 of AP group mesh-mpp
and set the backhaul channel.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile whitelist01
[AC-wlan-group-radio-mesh-mpp/1] mesh-profile mesh-net
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] quit
[AC] quit
# Add MAC addresses of all trackside APs along the rail line to the Mesh whitelist
of vehicle-mounted APs on the other trains according to the preceding configuration
procedure.
# Configure the security profile sp01 used by Mesh links. The sp01 supports the
security policy WPA2+PSK+AES.
[AP-wlan-view] security-profile name sp01
[AP-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-sp01] quit
# Configure the Mesh handover profile hand-over, enable the location-based fast
link handover algorithm, and set the moving direction of the vehicle-mounted AP to
forward.
[AP-wlan-view] mesh-handover-profile name hand-over
[AP-wlan-mesh-handover-hand-over] location-based-algorithm enable moving-direction forward
[AP-wlan-mesh-handover-hand-over] quit
NOTE
In this example, the moving direction of the vehicle-mounted AP in the rear must be set to
backward.
# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AP-wlan-view] mesh-profile name mesh-net
[AP-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AP-wlan-mesh-prof-mesh-net] security-profile sp01
[AP-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AP-wlan-mesh-prof-mesh-net] quit
[AP-wlan-view] quit
# Configure Mesh VAPs for other vehicle-mounted APs according to the preceding
configuration procedure.
e. Add proxied devices on the vehicle-mounted APs.
# Add proxied ground devices. Add MAC addresses of Switch_A, the network
management device, and multicast source on the vehicle-mounted APs.
[AP] wlan
[AP-wlan-view] mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101
39/47/-
L1_003 1 3 157 portal - -59 -7 0 0 50 19/14/37
L1_010 1 3 157 portal - -45 -33 0 0 37 20/17/17
L1_150 1 3 157 portal - -54 -39 0 0 46 34/43/-
L1_160 1 3 157 portal - -52 -7 0 0 32 21/18/35
L1_170 1 3 157 portal - -42 -33 0 0 29 26/14/19
------------------------------------------------------------------------------
Total: 6
------------------------------------------------------------------------------
Total: 6
------------------------------------------------------------------------------
1 18:52:27 0046-4b59-1d50/-95/160 0046-4b59-1d60/-15/170
2 18:50:46 0046-4b59-1d40/-95/150 0046-4b59-1d50/-34/160
3 18:49:25 0046-4b59-1d30/-95/10 0046-4b59-1d40/-11/150
4 18:48:56 0046-4b59-1d20/-95/3 0046-4b59-1d30/-40/10
5 18:47:39 0046-4b59-1d10/-47/1 0046-4b59-1d20/-36/3
------------------------------------------------------------------------------
----End
Configuration Files
l Ground network devices
– Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.200.1 255.255.255.0
#
ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
ip route-static 10.23.224.0 255.255.255.0 10.23.200.2
#
return
#
sysname Switch_C
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
– AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-2e10
peer-ap mac 0046-4b59-2e20
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
regulatory-domain-profile name default
ap-system-profile name mesh-sys
mesh-role Mesh-portal
wired-port-profile name wired-port
vlan tagged 101
ap-group name mesh-mpp
ap-system-profile mesh-sys
wired-port-profile wired-port gigabitethernet 0
radio 1
mesh-profile mesh-net
mesh-whitelist-profile whitelist01
channel 40mhz-plus 157
ap-id 1 type-id 48 ap-mac 0046-4b59-1d10 ap-sn 210235554710CB000042
ap-name L1_001
ap-group mesh-mpp
ap-id 2 type-id 48 ap-mac 0046-4b59-1d20 ap-sn 210235555310CC000094
ap-name L1_003
ap-group mesh-mpp
ap-id 3 type-id 48 ap-mac 0046-4b59-1d30 ap-sn 210235419610CB002287
ap-name L1_010
ap-group mesh-mpp
ap-id 101 type-id 48 ap-mac 0046-4b59-1d40 ap-sn 210235555310CC00AC69
ap-name L1_150
ap-group mesh-mpp
ap-id 102 type-id 48 ap-mac 0046-4b59-1d50 ap-sn 210235555310CC003587
ap-name L1_160
ap-group mesh-mpp
ap-id 103 type-id 48 ap-mac 0046-4b59-1d60 ap-sn 210235449210CB000011
ap-name L1_170
ap-group mesh-mpp
#
return
igmp-snooping enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable moving-direction forward
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-1d10
peer-ap mac 0046-4b59-1d20
peer-ap mac 0046-4b59-1d30
peer-ap mac 0046-4b59-1d40
peer-ap mac 0046-4b59-1d50
peer-ap mac 0046-4b59-1d60
mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 101
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
#
interface Wlan-Radio0/0/1
mesh-profile mesh-net
mesh-whitelist-profile whitelist01
channel 40mhz-plus 157
#
return
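An added example, not Huawei code, that serves two passages: the WDS step earlier in which security profile wds-security and whitelists wds-list1/wds-list2 gate the backhaul, and the Mesh whitelist01 that has to be present on both the trackside AC and the vehicle-mounted AP. It is a Python audit of the wlan stanzas in the form shown in the Configuration Files: every WDS or Mesh profile must bind a security profile using wpa2 with aes, the passphrase must not be the documentation sample or sit in plain text, and each side's whitelist must admit the far end's MACs. It assumes AC-managed APs appear as ap-id N ... ap-mac X lines, that the two MACs in the trackside whitelist01 are the vehicle-mounted APs, and that cipher-text passphrases are bracketed by the %^%# markers seen in the configuration files. The sample stanzas are constructed from this page; the cipher text is replaced by a placeholder, and the vehicle AP whitelist deliberately omits one trackside AP so the reciprocity check has something to report.

```python
"""Added example (not Huawei code): audit WDS/Mesh backhaul security profiles
and whitelist reciprocity in Huawei-style 'wlan' configuration stanzas.
Assumed: AC-managed APs appear as 'ap-id N ... ap-mac X'; cipher-text
passphrases sit between '%^%#' markers; trackside whitelist01 holds vehicle AP MACs."""
import re

SAMPLE_PSKS = {"a1234567"}   # placeholder used throughout the examples; never ship it


def parse_wlan_config(text):
    """Collect security profiles, whitelists, WDS/Mesh profiles and managed AP MACs."""
    cfg = {"security": {}, "whitelist": {}, "backhaul": {}, "ap_macs": {}}
    section = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"security-profile name (\S+)$", line):
            section, name = "security", m.group(1)
            cfg["security"][name] = {}
        elif m := re.match(r"(?:wds|mesh)-whitelist-profile name (\S+)$", line):
            section, name = "whitelist", m.group(1)
            cfg["whitelist"][name] = set()
        elif m := re.match(r"(?:wds|mesh)-profile name (\S+)$", line):
            section, name = "backhaul", m.group(1)
            cfg["backhaul"][name] = {}
        elif m := re.match(r"ap-id (\d+) .*?ap-mac (\S+)", line):
            section = None
            cfg["ap_macs"][m.group(2)] = m.group(1)
        elif section == "security" and (m := re.match(r"security (\S+) psk pass-phrase (\S+) (\S+)$", line)):
            cfg["security"][name] = {"mode": m.group(1), "psk": m.group(2), "cipher": m.group(3)}
        elif section == "whitelist" and (m := re.match(r"peer-ap mac (\S+)$", line)):
            cfg["whitelist"][name].add(m.group(1))
        elif section == "backhaul" and (m := re.match(r"security-profile (\S+)$", line)):
            cfg["backhaul"][name]["security"] = m.group(1)
        elif re.match(r"\S+ name \S+$", line):   # any other profile or group: stop tracking
            section = None
    return cfg


def check_backhaul_security(cfg):
    """One finding per WDS/Mesh profile whose bound security profile is missing or weak."""
    findings = []
    for bh, attrs in cfg["backhaul"].items():
        sp = attrs.get("security")
        sec = cfg["security"].get(sp) if sp else None
        if not sec:
            findings.append(f"{bh}: no usable security-profile bound (unauthenticated backhaul)")
            continue
        if (sec["mode"], sec["cipher"]) != ("wpa2", "aes"):
            findings.append(f"{bh}: {sp} uses {sec['mode']}/{sec['cipher']}, expected wpa2/aes")
        if sec["psk"] in SAMPLE_PSKS:
            findings.append(f"{bh}: {sp} still uses the sample passphrase")
        elif not sec["psk"].startswith("%^%#"):
            findings.append(f"{bh}: {sp} passphrase stored in plain text rather than cipher text")
    return findings


def missing_peers(cfg, whitelist, far_end_macs):
    """Far-end MACs that this side's whitelist does not admit (that link cannot come up)."""
    return set(far_end_macs) - cfg["whitelist"].get(whitelist, set())


# Constructed from the WDS step above, passphrase as typed there (plain text).
WDS_AC = """\
 security-profile name wds-security
  security wpa2 psk pass-phrase a1234567 aes
 wds-whitelist-profile name wds-list1
  peer-ap mac dcd2-fc04-b500
 wds-whitelist-profile name wds-list2
  peer-ap mac dcd2-fc96-e4c0
 wds-profile name wds-leaf
  security-profile wds-security
 wds-profile name wds-root
  security-profile wds-security
  wds-mode root
"""
# Constructed from the Mesh configuration files; cipher text replaced by a placeholder.
TRACKSIDE_AC = """\
 security-profile name sp01
  security wpa2 psk pass-phrase %^%#CIPHER-TEXT-PLACEHOLDER%^%# aes
 mesh-whitelist-profile name whitelist01
  peer-ap mac 0046-4b59-2e10
  peer-ap mac 0046-4b59-2e20
 mesh-profile name mesh-net
  security-profile sp01
 ap-id 1 type-id 48 ap-mac 0046-4b59-1d10
 ap-id 2 type-id 48 ap-mac 0046-4b59-1d20
 ap-id 3 type-id 48 ap-mac 0046-4b59-1d30
"""
# Vehicle-mounted AP whitelist with L1_010 (0046-4b59-1d30) deliberately left out.
VEHICLE_AP = """\
 security-profile name sp01
  security wpa2 psk pass-phrase %^%#CIPHER-TEXT-PLACEHOLDER%^%# aes
 mesh-whitelist-profile name whitelist01
  peer-ap mac 0046-4b59-1d10
  peer-ap mac 0046-4b59-1d20
 mesh-profile name mesh-net
  security-profile sp01
"""
VEHICLE_AP_MACS = {"0046-4b59-2e10", "0046-4b59-2e20"}   # assumed: the vehicle-mounted AP MACs
WDS_CFG, TRACKSIDE_CFG, VEHICLE_CFG = (parse_wlan_config(t) for t in (WDS_AC, TRACKSIDE_AC, VEHICLE_AP))

if __name__ == "__main__":
    print(check_backhaul_security(WDS_CFG))        # both WDS profiles flagged: sample passphrase
    print(missing_peers(VEHICLE_CFG, "whitelist01", set(TRACKSIDE_CFG["ap_macs"])))   # {'0046-4b59-1d30'}
```

The WDS stanza as typed in the procedure is flagged twice because both wds-root and wds-leaf bind a profile whose passphrase is the documentation sample; the saved configuration files pass that check because the AC stores the passphrase as cipher text, which is exactly why the audit is worth running on the script you type, not only on the saved configuration. The reciprocity check is the one that matters for a moving vehicle: a trackside AP missing from the vehicle-mounted AP's whitelist means the train loses its backhaul at that point on the line.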
Service Requirements
Students in dormitories need to access the Internet through WLANs.
Walls between numerous rooms in the dormitory building cause serious wireless signal
attenuation, degrading signal quality. To resolve this issue, an agile distributed WLAN is
used, with a remote unit (RU) deployed in each dormitory. RUs are connected to a central AP,
and all RUs and central APs are centrally managed by the AC, delivering high-quality WLAN
coverage for each dormitory.
Networking Requirements
l AC networking mode: Layer 2 networking in inline mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
central APs, RUs, and STAs.
l Service data forwarding mode: tunnel forwarding
Data Planning
Item Data
IP address pool for central APs and RUs 10.23.100.2-10.23.100.254/24
IP address pool for STAs 10.23.101.2-10.23.101.254/24
Configuration Roadmap
1. Configure the AC, RUs, central APs, and network devices to communicate at Layer 2.
2. Configure the AC as a DHCP server to assign IP addresses to central APs, RUs, and
STAs.
3. Configure the central APs and RUs to go online.
a. Create an AP group and add central APs and RUs that require the same
configuration to the group for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the central APs and RUs.
c. Configure the AP authentication mode and import the central APs and RUs offline
to allow them to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] port-isolate enable
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit
Step 3 Configure a DHCP server to assign IP addresses to central APs, RUs, and STAs.
# Configure the AC as a DHCP server to assign IP addresses to central APs and RUs from the
IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool
on VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the central AP and RUs offline on the AC and add the central AP and RUs to AP
group ap-group1. Assume that the central AP's MAC address is 68a8-2845-62fd, name the
central AP central_AP; the RU's MAC addresses are fcb6-9897-c520 and fcb6-9897-ca40,
name the RUs ru_1 and ru_2, respectively.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 68a8-2845-62fd
[AC-wlan-ap-0] ap-name central_AP
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac fcb6-9897-c520
[AC-wlan-ap-1] ap-name ru_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac fcb6-9897-ca40
[AC-wlan-ap-2] ap-name ru_2
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
# After the central AP is powered on, run the display ap all command to check the AP state.
If the State field is displayed as nor, the RUs go online successfully.
[AC-wlan-view] display ap all
Total AP information:
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In actual
situations, the security policy must be configured according to service requirements: replace the placeholder
with a long, random passphrase, and prefer WPA2 alone over WPA-WPA2 mixed mode unless legacy WPA-only
STAs must be supported.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the RU channel and power in this example are for reference only. You need to configure the
RU channel and power based on the actual country code and network planning.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/0] eirp 127
[AC-wlan-radio-1/0] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-----------------------------------------------------------------------------------------
e019-1dc7-1e08   1      ru_1     1/1      5G    11n   46/59  -68   101   10.23.101.254
-----------------------------------------------------------------------------------------
Total: 1   2.4G: 0   5G: 1
----End
Configuration Files
l Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 52 ap-mac 68a8-2845-62fd ap-sn 2102350KGF10F8000012
ap-name central_AP
ap-group ap-group1
ap-id 1 type-id 54 ap-mac fcb6-9897-c520 ap-sn 21500826402SF4900166
ap-name ru_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
ap-id 2 type-id 54 ap-mac fcb6-9897-ca40 ap-sn 21500826402SF4900207
ap-name ru_2
ap-group ap-group1
#
return
Service Requirements
An enterprise branch needs to deploy WLAN services for mobile office so that branch users
can access the enterprise network from anywhere at any time. Furthermore, users' services are
not affected during roaming in the coverage area.
The branch is located in an open place, making the WLAN vulnerable to attacks. For
example, an attacker deploys a rogue AP (area_2) with SSID wlan-net on the WLAN to
establish connections with STAs to intercept enterprise information, posing great threats to the
enterprise network. To prevent such attacks, the detection and containment function can be
configured on the authorized APs. The AC then detects rogue AP area_2 (an AP that is neither
managed by the AC nor in the authorized AP list) and the authorized APs contain it, preventing
STAs from associating with the rogue AP.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
Figure 4-7 Networking for configuring rogue device detection and containment
Data Planning
Item                        Data
IP address pool for APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure rogue device detection and containment so that APs can detect wireless device
information and report it to the AC. In addition, APs can contain detected rogue devices,
enabling STAs to disassociate from them.
NOTE
In this example, the authorized APs work in normal mode and have the detection function enabled. In
addition to transmitting WLAN service data, AP radios need to perform the monitoring function. Therefore,
temporary service interruption may occur when the radios periodically scan channels. In this example, the
APs can only contain rogue devices on the channel used by WLAN services. To achieve containment on all
channels, configure the APs to work in monitor mode. However, WLAN services are unavailable in this
mode.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
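The three notes above are mechanical checks that can be run against the saved configuration files before the WLAN goes live. The following is an added example, not Huawei code and not from this document: a small linter that reads Huawei-style configuration text and reports AP-facing ports without port isolation or without the management VLAN as default VLAN, and VAP profiles in tunnel forwarding mode whose service VLAN equals the management VLAN (taken from the `capwap source interface vlanifN` statement). It understands only the statements used in this document's configuration files; the sample switch and AC configurations are copied from this page, and the broken variants in the usage are constructed.

```python
"""Lint switch/AC configuration text against the WLAN configuration notes:
AP-facing ports need port isolation and the management VLAN as default VLAN;
in tunnel forwarding mode the service VLAN must differ from the management
VLAN (the CAPWAP source VLANIF).

Added example, not Huawei code.  Only the statements used in this document's
configuration files are understood.  SWITCHA and AC are copied from the page.
"""
import re
from typing import Dict, List

# Any new top-level profile or AP entry ends the vap-profile being read.
VAP_END = ("security-profile name", "ssid-profile name", "vap-profile name",
           "regulatory-domain-profile name", "rrm-profile name",
           "wids-profile name", "ap-group name", "ap-id ")


def interfaces(config: str) -> Dict[str, List[str]]:
    """Map 'GigabitEthernet0/0/1' -> statements in its '#'-delimited block."""
    result, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            name = None
        elif line.startswith("interface "):
            name = line.split(None, 1)[1]
            result[name] = []
        elif name is not None and line:
            result[name].append(line)
    return result


def check_ap_facing_ports(switch_config: str, ap_ports: List[str],
                          mgmt_vlan: int) -> List[str]:
    """Findings for the ports that are directly connected to APs."""
    findings = []
    ifaces = interfaces(switch_config)
    for port in ap_ports:
        stmts = ifaces.get(port)
        if stmts is None:
            findings.append(f"{port}: interface not found")
            continue
        if not any(s.startswith("port-isolate enable") for s in stmts):
            findings.append(f"{port}: port isolation not enabled on AP-facing port")
        pvid = [int(s.split()[-1]) for s in stmts
                if s.startswith("port trunk pvid vlan ")]
        if pvid != [mgmt_vlan]:
            findings.append(f"{port}: default VLAN must be management VLAN "
                            f"{mgmt_vlan}, found {pvid}")
    return findings


def check_tunnel_vlans(ac_config: str) -> List[str]:
    """Findings for VAP profiles in tunnel mode whose service VLAN is the
    management VLAN."""
    m = re.search(r"capwap source interface vlanif(\d+)", ac_config)
    if not m:
        return ["no 'capwap source interface vlanifN' statement"]
    mgmt_vlan = int(m.group(1))
    vap, mode, svlan = None, {}, {}
    for line in (l.strip() for l in ac_config.splitlines()):
        if line.startswith("vap-profile name "):
            vap = line.split()[-1]
        elif line.startswith(VAP_END):
            vap = None
        elif vap and line.startswith("forward-mode "):
            mode[vap] = line.split()[-1]
        elif vap and line.startswith("service-vlan vlan-id "):
            svlan[vap] = int(line.split()[-1])
    return [f"vap-profile {v}: service VLAN {svlan[v]} equals management VLAN "
            f"{mgmt_vlan} in tunnel mode"
            for v in mode if mode[v] == "tunnel" and svlan.get(v) == mgmt_vlan]


# Sample input copied from this page's SwitchA and (abridged) AC configuration files.
SWITCHA = """\
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
"""

AC = """\
#
capwap source interface vlanif100
#
wlan
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
#
return
"""

if __name__ == "__main__":
    print(check_ap_facing_ports(SWITCHA, ["GigabitEthernet0/0/1"], 100))  # []
    print(check_tunnel_vlans(AC))                                           # []
    # Constructed broken variant: service VLAN moved onto the management VLAN.
    print(check_tunnel_vlans(AC.replace("service-vlan vlan-id 101", "service-vlan vlan-id 100")))
```

Running it on SwitchA's GE0/0/2 (the uplink to SwitchB, not an AP port) reports two findings, which is the expected result: the operator must tell the checker which ports face APs, because the notes apply only to those.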
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
# Configure radio 1 of AP group ap-group1 to work in normal mode, and enable rogue
device detection and containment.
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] work-mode normal
[AC-wlan-group-radio-ap-group1/1] wids device detect enable
[AC-wlan-group-radio-ap-group1/1] wids contain enable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
# Create WIDS profile wlan-wids and configure the containment mode against rogue APs
using spoofing SSIDs.
[AC-wlan-view] wids-profile name wlan-wids
[AC-wlan-wids-prof-wlan-wids] contain-mode spoof-ssid-ap
[AC-wlan-wids-prof-wlan-wids] quit
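Two things are worth checking against the AC configuration file at the end of this example before reproducing the procedure: the file applies `wids device detect enable` and `wids contain enable` to radio 0 as well as radio 1, and it binds the profile with `wids-profile wlan-wids` under `ap-group name ap-group1`, a step the procedure text above does not show; without that binding the contain-mode just configured is not applied to the group. The decision logic the Service Requirements and the NOTE in the Configuration Roadmap describe is captured below as an added example, not Huawei code and not from this document: an AP is rogue when it is neither managed by the AC nor on the authorized AP list; with contain-mode spoof-ssid-ap only rogues that advertise one of our own SSIDs are contained; and a radio in normal mode can only act on the channel it serves, whereas monitor mode covers every channel at the cost of service. The scan records and all BSSIDs except the page's 60de-4476-e360 are constructed, and treating the AP MAC as its BSSID is a simplification (the page's own display vap output shows BSSIDs offset per radio).

```python
"""Rogue-AP classification and containment decision, following the rules in
this example: rogue = not AC-managed and not on the authorized list;
contain-mode spoof-ssid-ap = contain only rogues using one of our SSIDs;
normal work mode = contain only on the radio's own channel.

Added example, not Huawei code.  Scan records are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


def norm_mac(mac: str) -> str:
    """Accept 00BC-DA3F-E900, 00:bc:da:3f:e9:00 or 00bcda3fe900; return xxxx-xxxx-xxxx."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return "-".join(hexdigits[i:i + 4] for i in (0, 4, 8))


@dataclass(frozen=True)
class Bss:
    bssid: str
    ssid: str
    channel: int


@dataclass(frozen=True)
class Radio:
    ap_name: str
    channel: int
    work_mode: str = "normal"                        # "normal" or "monitor"
    contain_mode: Optional[str] = "spoof-ssid-ap"    # None = contain every rogue (simplification)


def is_rogue(bss: Bss, managed: Set[str], authorized: Set[str]) -> bool:
    """Neither managed by the AC nor in the authorized AP list."""
    b = norm_mac(bss.bssid)
    return b not in managed and b not in authorized


def should_contain(bss: Bss, radio: Radio, managed: Set[str],
                   authorized: Set[str], our_ssids: Set[str]) -> bool:
    if not is_rogue(bss, managed, authorized):
        return False
    if radio.contain_mode == "spoof-ssid-ap" and bss.ssid not in our_ssids:
        return False          # a neighbour's own SSID is not impersonating us
    if radio.work_mode == "normal" and bss.channel != radio.channel:
        return False          # off-channel: needs monitor mode (no service then)
    return True


def containment_plan(scan: Iterable[Bss], radio: Radio, managed: Set[str],
                     authorized: Set[str], our_ssids: Set[str]) -> List[str]:
    """BSSIDs this radio would contain, in scan order."""
    return [norm_mac(b.bssid) for b in scan
            if should_contain(b, radio, managed, authorized, our_ssids)]


# Constructed scan as seen by authorized AP area_1, radio 0 on channel 6.
MANAGED = {norm_mac("60de-4476-e360")}        # AP managed by the AC (page value)
AUTHORIZED = {norm_mac("00e0-fc00-0001")}     # authorized AP list (constructed)
OUR_SSIDS = {"wlan-net"}
SCAN = [
    Bss("60DE-4476-E360", "wlan-net", 6),      # our own AP: never rogue
    Bss("00e0-fc00-0001", "wlan-net", 6),      # authorized but not AC-managed
    Bss("aaaa-bbbb-0002", "wlan-net", 6),      # area_2: spoofed SSID, on-channel
    Bss("aaaa-bbbb-0003", "wlan-net", 11),     # spoofed SSID, off-channel
    Bss("aaaa-bbbb-0004", "coffee-shop", 6),   # rogue, but not impersonating us
]
NORMAL = Radio("area_1", channel=6)
MONITOR = Radio("area_1", channel=6, work_mode="monitor")

if __name__ == "__main__":
    print("normal mode contains: ", containment_plan(SCAN, NORMAL, MANAGED, AUTHORIZED, OUR_SSIDS))
    print("monitor mode contains:", containment_plan(SCAN, MONITOR, MANAGED, AUTHORIZED, OUR_SSIDS))
```

The off-channel case is the one to remember when choosing work mode: in normal mode area_1 keeps serving STAs but a spoofing AP on channel 11 is only detected during the periodic scan, not contained; in monitor mode it is contained, and the radio serves nobody.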
STAs attempt to connect to the WLAN through the rogue AP area_2. Because area_2 is contained,
traffic between the STAs and area_2 is cut off, and the STAs then associate with the
authorized AP area_1.
C:\Documents and Settings\huawei> ping 10.23.101.22
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
l Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
wids-profile name wlan-wids
contain-mode spoof-ssid-ap
ap-group name ap-group1
wids-profile wlan-wids
radio 0
vap-profile wlan-net wlan 1
wids device detect enable
wids contain enable
radio 1
vap-profile wlan-net wlan 1
wids device detect enable
wids contain enable
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
Networking Requirements
As shown in Figure 4-8, a Fat AP is connected to the Internet in wired mode and connects to
STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime.
Figure 4-8 Networking diagram for configuring basic Layer 2 WLAN services
[Figure: STA <-> Fat AP (GE0/0/0, VLANIF 101: 10.23.101.2/24) <-> service VLAN 101 <-> Router (GE1/0/0: 10.23.101.1/24) <-> Internet]
Data planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP and upper-layer devices to communicate at Layer 2.
2. Configure Router as a DHCP server to assign IP addresses to STAs from an IP address
pool on an interface.
3. Configure the AP's system parameters, including the country code.
4. Configure a VAP so that STAs can access the WLAN.
Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see 4.15.1.1 Multicast Packet Suppression Is Not Configured, Causing
Slow Network Access of STAs.
Procedure
Step 1 Configure the AP to communicate with the network devices.
NOTE
Configure the AP's uplink interfaces to transparently transmit packets of service VLANs as required.
# Create VLANIF 101 and configure its IP address for communication with Router.
[AP] interface vlanif 101
[AP-Vlanif101] ip address 10.23.101.2 24
[AP-Vlanif101] quit
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AP-wlan-view] ssid-profile name wlan-net
[AP-wlan-ssid-prof-wlan-net] ssid wlan-net
[AP-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the service VLAN, and apply the security profile and
SSID profile to the VAP profile.
[AP-wlan-view] vap-profile name wlan-net
[AP-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AP-wlan-vap-prof-wlan-net] security-profile wlan-net
[AP-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AP-wlan-vap-prof-wlan-net] quit
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AP-wlan-view] rrm-profile name default
[AP-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AP-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AP-wlan-rrm-prof-default] quit
[AP-wlan-view] quit
NOTE
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
[AP] interface wlan-radio0/0/0
[AP-Wlan-Radio0/0/0] vap-profile wlan-net wlan 1
[AP-Wlan-Radio0/0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/0] eirp 127
[AP-Wlan-Radio0/0/0] quit
[AP] interface wlan-radio0/0/1
[AP-Wlan-Radio0/0/1] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] eirp 127
[AP-Wlan-Radio0/0/1] quit
The configuration automatically takes effect after it is completed. Run the display vap ssid
wlan-net command. If Status in the command output is displayed as ON, the VAP has been
successfully created on the AP radios.
[AP] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP MAC RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
00bc-da3f-e900 0 1 00BC-DA3F-E900 ON WPA/WPA2-PSK 0 wlan-net
00bc-da3f-e900 1 2 00BC-DA3F-E910 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station all command on the AP. The command output shows that the STAs are
connected to the WLAN wlan-net.
[AP] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
--------------------------------------------------------------------------------------------------
STA MAC          Ap name          Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address      SSID
--------------------------------------------------------------------------------------------------
14cf-9202-13dc   00bc-da3f-e900   0/1      2.4G  11n   19/13  -63   101   10.23.101.254   wlan-net
--------------------------------------------------------------------------------------------------
Total: 1   2.4G: 1   5G: 0
----End
Configuration Files
l Router configuration file
#
sysname Router
#
dhcp enable
#
interface GigabitEthernet1/0/0
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.101.2
#
return
l AP configuration file
#
sysname AP
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
wlan
security-profile name wlan-net
Networking Requirements
As shown in Figure 4-9, a Fat AP is connected to the Internet in wired mode and connected to
STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime.
The requirements are as follows:
l A WLAN named wlan-net is available.
l Enterprise employees are assigned IP addresses on the network segment 10.23.101.0/24.
Figure 4-9 Networking diagram for configuring basic Layer 3 WLAN services
[Figure: STA <-> Fat AP (GE0/0/0; service VLAN 101; VLANIF 200: 10.23.200.1/24) <-> VLAN 200 <-> Router (GE1/0/0, VLANIF 200: 10.23.200.2/24) <-> Internet]
Data planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP and upper-layer devices to communicate with each other.
2. Configure the AP as a DHCP server to assign IP addresses to STAs from an IP address
pool on an interface.
3. Configure the AP's system parameters, including the country code.
4. Configure a VAP so that STAs can access the WLAN.
Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see 4.15.1.1 Multicast Packet Suppression Is Not Configured, Causing
Slow Network Access of STAs.
Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 200
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.23.200.2 24
[Router-Vlanif200] quit
# Add the AP's uplink interface GE0/0/0 to VLAN 200. Create VLANIF 200 and set its IP
address to 10.23.200.1/24.
<Huawei> system-view
[Huawei] sysname AP
[AP] vlan batch 200
[AP] interface gigabitethernet 0/0/0
[AP-GigabitEthernet0/0/0] port link-type trunk
[AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 200
[AP-GigabitEthernet0/0/0] quit
[AP] interface vlanif 200
[AP-Vlanif200] ip address 10.23.200.1 24
[AP-Vlanif200] quit
# Configure a default route on the AP with next hop 10.23.200.2 (the Router's VLANIF 200 address).
[AP] ip route-static 0.0.0.0 0.0.0.0 10.23.200.2
# Configure the AP as a DHCP server to assign IP addresses to STAs from the IP address pool
on VLANIF 101.
[AP] dhcp enable
[AP] vlan batch 101
[AP] interface vlanif 101
[AP-Vlanif101] ip address 10.23.101.1 24
[AP-Vlanif101] dhcp select interface
[AP-Vlanif101] quit
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AP-wlan-view] ssid-profile name wlan-net
[AP-wlan-ssid-prof-wlan-net] ssid wlan-net
[AP-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the service VLAN, and apply the security profile and
SSID profile to the VAP profile.
[AP-wlan-view] vap-profile name wlan-net
[AP-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AP-wlan-vap-prof-wlan-net] security-profile wlan-net
[AP-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AP-wlan-vap-prof-wlan-net] quit
NOTE
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
[AP] interface wlan-radio0/0/0
[AP-Wlan-Radio0/0/0] vap-profile wlan-net wlan 1
[AP-Wlan-Radio0/0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/0] eirp 127
[AP-Wlan-Radio0/0/0] quit
[AP] interface wlan-radio0/0/1
[AP-Wlan-Radio0/0/1] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] eirp 127
[AP-Wlan-Radio0/0/1] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station all command on the AP. The command output shows that the STAs are
connected to the WLAN wlan-net.
[AP] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
--------------------------------------------------------------------------------------------------
STA MAC          Ap name          Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address      SSID
--------------------------------------------------------------------------------------------------
----End
Configuration Files
l Router configuration file
#
sysname Router
#
vlan batch 200
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
return
l AP configuration file
#
sysname AP
#
vlan batch 101 200
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.2
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#(yk#Q+M[\CMK]1)AWMX7MjZ)=e`fy@fA+.J\ht3Y%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
interface Wlan-Radio0/0/0
vap-profile wlan-net wlan 1
channel 20mhz 6
#
interface Wlan-Radio0/0/1
vap-profile wlan-net wlan 2
channel 20mhz 149
#
return
Networking Requirements
As shown in Figure 4-10, a Fat AP is connected to the Internet in wired mode and connected
to STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime. The administrator wants enterprise employees to access the public
network using public IP addresses.
Figure 4-10 Networking diagram for configuring STAs to access the public network through
NAT
[Figure: STA <-> Fat AP (GE0/0/0; service VLAN 101; VLANIF 200: 202.169.10.1/24) <-> VLAN 200 <-> peer 202.169.10.2/24 <-> Internet]
Data planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP as a DHCP server to assign IP addresses to STAs from an IP address
pool on an interface.
2. Configure the AP's system parameters, including the country code.
3. Configure a VAP so that STAs can access the WLAN.
4. Configure NAT so that users can access the public network using public IP addresses.
Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see 4.15.1.1 Multicast Packet Suppression Is Not Configured, Causing
Slow Network Access of STAs.
Procedure
Step 1 Configure the AP to communicate with the network devices.
# On the AP, create VLANIF 200, set its IP address to 202.169.10.1/24, and add GE0/0/0 to
VLAN 200.
<Huawei> system-view
[Huawei] sysname AP
[AP] vlan batch 200
[AP] interface vlanif 200
[AP-Vlanif200] ip address 202.169.10.1 24
[AP-Vlanif200] quit
[AP] interface gigabitethernet 0/0/0
[AP-GigabitEthernet0/0/0] port link-type trunk
# Configure a default route. The following assumes that the public IP address of the peer end
is 202.169.10.2/24.
[AP] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
# Configure the AP as a DHCP server to assign IP addresses to STAs from the IP address pool
on VLANIF 101.
[AP] dhcp enable
[AP] vlan batch 101
[AP] interface vlanif 101
[AP-Vlanif101] ip address 10.23.101.1 24
[AP-Vlanif101] dhcp select interface
[AP-Vlanif101] quit
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AP-wlan-view] ssid-profile name wlan-net
[AP-wlan-ssid-prof-wlan-net] ssid wlan-net
[AP-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the service VLAN, and apply the security profile and
SSID profile to the VAP profile.
[AP-wlan-view] vap-profile name wlan-net
[AP-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AP-wlan-vap-prof-wlan-net] security-profile wlan-net
[AP-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AP-wlan-vap-prof-wlan-net] quit
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AP-wlan-view] rrm-profile name default
[AP-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AP-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AP-wlan-rrm-prof-default] quit
[AP-wlan-view] quit
NOTE
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
[AP] interface wlan-radio0/0/0
[AP-Wlan-Radio0/0/0] vap-profile wlan-net wlan 1
[AP-Wlan-Radio0/0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/0] eirp 127
[AP-Wlan-Radio0/0/0] quit
[AP] interface wlan-radio0/0/1
[AP-Wlan-Radio0/0/1] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] eirp 127
[AP-Wlan-Radio0/0/1] quit
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station all command on the AP. The command output shows that the
STAs are connected to the WLAN wlan-net.
<AP> display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------
STA MAC         Ap name         Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address      SSID
----------------------------------------------------------------------------------------------------
14cf-9202-13dc  00bc-da3f-e900  0/1      2.4G  11n   19/13  -63   101   10.23.101.254   wlan-net
----------------------------------------------------------------------------------------------------
Total: 1        2.4G: 1         5G: 0
# Run the display nat outbound command on the AP to check the IP address translation
result.
<AP> display nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------------
Vlanif200 2000 1 no-pat
--------------------------------------------------------------------------------
Total : 1
# Run the ping command on the AP to verify that users on the private network can access the
public network.
<AP> ping -a 10.23.101.1 202.169.10.2
PING 202.169.10.2: 56 data bytes, press CTRL_C to break
Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 202.169.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms
----End
Configuration Files
l AP configuration file
#
sysname AP
#
vlan batch 101 200
#
dhcp enable
#
acl number 2000
rule 5 permit source 10.23.101.0 0.0.0.255
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 202.169.10.1 255.255.255.0
nat outbound 2000
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#(yk#Q+M[\CMK]1)AWMX7MjZ)=e`fy@fA+.J\ht3Y%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
interface Wlan-Radio0/0/0
vap-profile wlan-net wlan 1
channel 20mhz 6
#
interface Wlan-Radio0/0/1
vap-profile wlan-net wlan 1
channel 20mhz 149
#
return
Networking Requirements
l AC networking mode: Layer 2 networking in inline mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding
Figure 4-11 Networking for configuring Layer 2 direct forwarding in inline mode
Data Planning
Item                       Data
IP address pool for APs    10.23.100.2-10.23.100.254/24
IP address pool for STAs   10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100 and VLAN 101. The default
VLAN of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100 and VLAN 101, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC             Name     Group       IP              Type       State   STA   Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360  area_1   ap-group1   10.23.100.254   AP5030DN   nor     0     10S
-------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit
The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------------
e019-1dc7-1e08   0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------------
Total: 1        2.4G: 0         5G: 1
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
Networking Requirements
l AC networking mode: Layer 2 networking in inline mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: tunnel forwarding
Figure 4-12 Networking for configuring Layer 2 tunnel forwarding in inline mode
Data Planning
Item                       Data
IP address pool for APs    10.23.100.2-10.23.100.254/24
IP address pool for STAs   10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC             Name     Group       IP              Type       State   STA   Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360  area_1   ap-group1   10.23.100.254   AP5030DN   nor     0     10S
-------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------------
e019-1dc7-1e08   0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------------
Total: 1        2.4G: 0         5G: 1
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
Networking Requirements
l AC networking mode: Layer 2 networking in bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: direct forwarding
Figure 4-13 Networking for configuring Layer 2 direct forwarding in bypass mode
Data Planning
Item                       Data
IP address pool for APs    10.23.100.2-10.23.100.254/24
IP address pool for STAs   10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
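As an added example that is not part of the Huawei guide, the following Python script parses configuration files in the format shown in the Configuration Files sections of these examples and checks them against the notes above: port isolation on the switch interfaces facing APs, a service VLAN different from the management VLAN when tunnel forwarding is used, and WPA2 (or WPA-WPA2) with AES in every security profile. The parser, the check functions and the sample files are assumptions of this example; the management VLAN is inferred from the capwap source interface line, and the pass-phrase cipher text in the sample is a placeholder.

```python
import re

# Lines that open a named object inside the "wlan" block (profiles, AP groups, APs).
WLAN_OBJECT = re.compile(
    r"^(security-profile|ssid-profile|vap-profile|rrm-profile|"
    r"regulatory-domain-profile|ap-group) name (\S+)$|^(ap-id) (\d+)")


def parse_config(text):
    """Split a Huawei-style config into interface blocks, wlan objects and globals."""
    cfg = {"interfaces": {}, "wlan": {}, "globals": []}
    target, in_wlan = cfg["globals"], False
    for raw in text.splitlines():
        line = raw.strip()          # indentation is not relied upon
        if not line:
            continue
        if line == "#":             # a bare '#' closes the current block
            target, in_wlan = cfg["globals"], False
        elif line.startswith("interface "):
            target = cfg["interfaces"].setdefault(line.split(None, 1)[1], [])
        elif line == "wlan":
            in_wlan = True
        elif in_wlan and (m := WLAN_OBJECT.match(line)):
            key = (m.group(1) or m.group(3), m.group(2) or m.group(4))
            target = cfg["wlan"].setdefault(key, [])
        else:
            target.append(line)
    return cfg


def check_port_isolation(cfg, ap_facing):
    """Interfaces directly connected to APs need 'port-isolate enable'."""
    return [f"{n}: port isolation missing on AP-facing interface" for n in ap_facing
            if not any(l.startswith("port-isolate enable")
                       for l in cfg["interfaces"].get(n, []))]


def check_tunnel_vlans(cfg):
    """Tunnel forwarding: the service VLAN must differ from the management VLAN."""
    mgmt = [m.group(1) for l in cfg["globals"]
            if (m := re.match(r"capwap source interface vlanif(\d+)", l))]
    out = []
    for (kind, name), lines in cfg["wlan"].items():
        if kind != "vap-profile" or "forward-mode tunnel" not in lines:
            continue
        for l in lines:
            m = re.match(r"service-vlan vlan-id (\d+)", l)
            if m and m.group(1) in mgmt:
                out.append(f"vap-profile {name}: tunnel service VLAN "
                           f"{m.group(1)} equals the management VLAN")
    return out


def check_security_profiles(cfg):
    """Every security profile should use WPA2 or WPA-WPA2 with AES."""
    out = []
    for (kind, name), lines in cfg["wlan"].items():
        if kind != "security-profile":
            continue
        policy = [l for l in lines if l.startswith("security ")]
        if not policy:
            out.append(f"security-profile {name}: no security policy (open network)")
        elif not (re.match(r"security (wpa2|wpa-wpa2) ", policy[-1])
                  and policy[-1].endswith(" aes")):
            out.append(f"security-profile {name}: weak policy '{policy[-1]}'")
    return out


def audit(ac_text, switch_text, ap_facing):
    """Run all checks; an empty list means the files satisfy the notes."""
    ac, sw = parse_config(ac_text), parse_config(switch_text)
    return (check_port_isolation(sw, ap_facing) + check_tunnel_vlans(ac)
            + check_security_profiles(ac))


# Constructed samples modelled on the tunnel-mode AC and switch files above (placeholder cipher text).
AC_OK = """\
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#PLACEHOLDER%^%# aes
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
#
"""
SWITCH_OK = """\
#
interface GigabitEthernet0/0/1
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
"""
# The same files with the mistakes the notes warn about introduced.
AC_BAD = (AC_OK.replace("service-vlan vlan-id 101", "service-vlan vlan-id 100")
          .replace("security wpa-wpa2 psk pass-phrase %^%#PLACEHOLDER%^%# aes",
                   "security open"))
SWITCH_BAD = SWITCH_OK.replace(" port-isolate enable group 1\n", "")
```

Calling audit(AC_BAD, SWITCH_BAD, ["GigabitEthernet0/0/1"]) returns three findings (missing port isolation, service VLAN 100 equal to the management VLAN, open security profile), while the clean pair returns an empty list.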
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime
-------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
-------------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
------------------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type     STA  SSID
------------------------------------------------------------------------------------------
0      area_1   0     1    60DE-4476-E360  ON      WPA/WPA2-PSK  0    wlan-net
0      area_1   1     1    60DE-4476-E370  ON      WPA/WPA2-PSK  0    wlan-net
------------------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
----------------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
Figure 4-14 Networking for configuring Layer 2 tunnel forwarding in bypass mode
Data Planning
Item                      Data
IP address pool for APs   10.23.100.2-10.23.100.254/24
IP address pool for STAs  10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
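The three notes above can be checked mechanically. The following script is an added example, not Huawei tooling: it parses AC and switch configuration files in the layout shown under Configuration Files on this page and flags a tunnel-forwarding VAP whose service VLAN equals the management VLAN, a VAP without a WPA2/AES security profile or with a short plaintext passphrase, and an AP-facing port without port isolation. The sample configuration text, the 12-character passphrase threshold and the rule that the AP-facing port is the trunk whose PVID is the management VLAN are assumptions made for this example.

```python
import re

# Constructed sample in the page's config-file layout (one space per
# nesting level); it breaks all three notes so that every check fires.
AC_CONFIG = """\
#
sysname AC
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase a1234567 aes
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 100
  security-profile wlan-net
#
return
"""

SWITCHA_CONFIG = """\
#
sysname SwitchA
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
"""


def parse_tree(text):
    """Flatten a Huawei-style config into (context, command) pairs, where
    context is the tuple of enclosing section lines. A '#' line ends a
    top-level section; nesting depth is the number of leading spaces."""
    stack, entries = [], []
    for raw in text.splitlines():
        cmd = raw.strip()
        if cmd == "#":
            stack = []
            continue
        if not cmd or cmd == "return":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        entries.append((tuple(h for _, h in stack), cmd))
        stack.append((indent, cmd))
    return entries


def audit(ac_text, switch_text, min_passphrase=12):
    """Return a list of findings against the Configuration Notes."""
    findings, mgmt_vlan, vaps, secs = [], None, {}, {}
    for ctx, cmd in parse_tree(ac_text):
        m = re.fullmatch(r"capwap source interface vlanif(\d+)", cmd)
        if m:
            mgmt_vlan = int(m.group(1))   # management VLAN carrying CAPWAP
        if len(ctx) == 2 and ctx[0] == "wlan":
            kind, _, name = ctx[1].partition(" name ")
            if kind == "vap-profile":
                key, _, val = cmd.partition(" ")
                vaps.setdefault(name, {})[key] = val
            elif kind == "security-profile":
                secs[name] = cmd
    for vap, cfg in vaps.items():
        m = re.fullmatch(r"vlan-id (\d+)", cfg.get("service-vlan", ""))
        if cfg.get("forward-mode") == "tunnel" and m and int(m.group(1)) == mgmt_vlan:
            findings.append(f"vap-profile {vap}: tunnel forwarding but service "
                            f"VLAN {mgmt_vlan} equals the management VLAN")
        sec = secs.get(cfg.get("security-profile", ""))
        if sec is None:
            findings.append(f"vap-profile {vap}: no security profile bound")
            continue
        pw = re.search(r"pass-phrase (\S+)", sec)
        if "wpa2" not in sec or not sec.endswith(" aes"):
            findings.append(f"vap-profile {vap}: security profile is not WPA2/AES")
        elif pw and not pw.group(1).startswith("%^%#") and len(pw.group(1)) < min_passphrase:
            # cipher-text passphrases (%^%#...%^%#) cannot be measured
            findings.append(f"vap-profile {vap}: plaintext passphrase shorter "
                            f"than {min_passphrase} characters")
    ports = {}
    for ctx, cmd in parse_tree(switch_text):
        if len(ctx) == 1 and ctx[0].startswith("interface "):
            ports.setdefault(ctx[0].split()[1], []).append(cmd)
    for port, cmds in ports.items():
        if f"port trunk pvid vlan {mgmt_vlan}" in cmds and \
           not any(c.startswith("port-isolate enable") for c in cmds):
            findings.append(f"{port}: AP-facing port without port-isolate enable")
    return findings


if __name__ == "__main__":
    for line in audit(AC_CONFIG, SWITCHA_CONFIG):
        print("FINDING:", line)
```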
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime
-------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
-------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup
# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in
off-peak hours, for example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
----------------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
calibrate enable schedule time 03:00:00
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
rrm-profile name wlan-rrm
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
Networking Requirements
l AC networking mode: Layer 3 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
Figure 4-15 Networking for configuring Layer 3 tunnel forwarding in bypass mode
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default VLAN of
GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, GE0/0/2 to VLAN 100,
VLAN 101, and VLAN 102, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF
100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# Add GE0/0/1 on the AC to VLAN 100, VLAN 101, and VLAN 102 and create VLANIF
100.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC-GigabitEthernet0/0/1] quit
# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
This example uses the hash VLAN assignment algorithm (the default). If the default setting has not
been changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use the same
method to add more VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
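To illustrate what a VLAN pool with hash assignment does for STAs, the following Python script is an added example and not Huawei code: the SHA-256-based hash is an illustrative stand-in for the AC's real assignment algorithm, chosen only because it is deterministic per MAC, and the MAC addresses, DHCP VLANIF set and trunk VLAN set are constructed sample data.

```python
import hashlib

VLAN_POOL = (101, 102)          # vlan pool sta-pool from the page


def assign_vlan(sta_mac, pool=VLAN_POOL):
    """Map a STA MAC (Huawei xxxx-xxxx-xxxx or colon notation) to one VLAN
    of the pool. Illustrative stand-in for the AC's hash algorithm, NOT the
    real one: the property that matters is determinism per MAC, so a client
    keeps its VLAN (and therefore its IP) when it re-associates or roams
    between APs of the same group."""
    mac = sta_mac.lower().replace("-", "").replace(":", "")
    if len(mac) != 12 or set(mac) - set("0123456789abcdef"):
        raise ValueError(f"malformed MAC address: {sta_mac}")
    digest = hashlib.sha256(bytes.fromhex(mac)).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def distribution(macs, pool=VLAN_POOL):
    """Count how many of the given STAs land in each pool VLAN; a pool of
    N VLANs splits one broadcast domain into roughly N smaller ones."""
    counts = dict.fromkeys(pool, 0)
    for mac in macs:
        counts[assign_vlan(mac, pool)] += 1
    return counts


def missing_support(pool, dhcp_vlanifs, trunk_vlans):
    """Pool VLANs that lack a DHCP-serving VLANIF on the STA gateway side
    (SwitchB on the page) or are not allowed on the AC/AP trunk path.
    STAs hashed into such a VLAN would associate but never get an address,
    a failure that only shows up for the fraction of clients hashed there."""
    return [v for v in pool if v not in dhcp_vlanifs or v not in trunk_vlans]


# Constructed sample: 200 locally administered MAC addresses.
SAMPLE_MACS = [f"0200-0000-{i:04x}" for i in range(200)]

if __name__ == "__main__":
    print(distribution(SAMPLE_MACS))
    print(missing_support(VLAN_POOL, {101}, {100, 101, 102}))
```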
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP            Type      State  STA  Uptime
------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.10.254  AP5030DN  nor    0    10S
------------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit
The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
------------------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type     STA  SSID
------------------------------------------------------------------------------------------
0      area_1   0     1    60DE-4476-E360  ON      WPA/WPA2-PSK  0    wlan-net
0      area_1   1     1    60DE-4476-E370  ON      WPA/WPA2-PSK  0    wlan-net
------------------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
----------------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
----------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-pool sta-pool
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured for the service VLANs to prevent IP address shortage or
waste. This measure also reduces the number of users in each VLAN and the size of the
broadcast domain.
Networking Requirements
l AC networking mode: Layer 3 networking in bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: direct forwarding
Figure 4-16 Networking for configuring Layer 3 direct forwarding in bypass mode
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces, and
wireless links are unstable. To ensure stable transmission, multicast packets are usually
sent at low rates. If a large number of such multicast packets are sent from the network
side, the air interfaces may be congested. You are advised to configure multicast packet
suppression to reduce the impact of a large number of low-rate multicast packets on the
wireless network. Exercise caution when configuring the rate limit; otherwise, the
multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
# On the AC, create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the
VLAN assignment algorithm to hash in the VLAN pool.
NOTE
This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use the same method
to add more VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add it to AP group ap-group1. Assume that the AP's
MAC address is 60de-4476-e360. Name the AP after its deployment location so that the
location can be identified from the name; for example, name the AP area_1 if it is
deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP            Type      State  STA  Uptime
-------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.10.254  AP5030DN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit
The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type     STA  SSID
------------------------------------------------------------------------------
0      area_1   0     1    60DE-4476-E360  ON      WPA/WPA2-PSK  0    wlan-net
0      area_1   1     1    60DE-4476-E370  ON      WPA/WPA2-PSK  0    wlan-net
------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
return
l Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-pool sta-pool
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Users' services are not affected when they roam within the coverage area. A
VLAN pool is configured as the service VLANs to prevent IP address shortage or waste; it
also reduces the number of users in each VLAN and the size of the broadcast domain.
Networking Requirements
l AC networking mode: Layer 3 networking in inline mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: direct forwarding
Figure 4-17 Networking for configuring Layer 3 direct forwarding in inline mode
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces, and
wireless links are unstable. To ensure stable transmission, multicast packets are usually
sent at low rates. If a large number of such multicast packets are sent from the network
side, the air interfaces may be congested. You are advised to configure multicast packet
suppression to reduce the impact of a large number of low-rate multicast packets on the
wireless network. Exercise caution when configuring the rate limit; otherwise, the
multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB to VLAN 10, VLAN 101, and VLAN 102, and GE0/0/2 to VLAN
100, VLAN 101, and VLAN 102. Create VLANIF 100 and set its IP address to
10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use the same method
to add more VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add it to AP group ap-group1. Assume that the AP's
MAC address is 60de-4476-e360. Name the AP after its deployment location so that the
location can be identified from the name; for example, name the AP area_1 if it is
deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP            Type      State  STA  Uptime
-------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.10.254  AP5030DN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup
# Radio calibration stops one hour after it is manually triggered. Set the radio calibration
mode to scheduled and configure the APs to perform radio calibration in off-peak hours, for
example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00
The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type     STA  SSID
------------------------------------------------------------------------------
0      area_1   0     1    60DE-4476-E360  ON      WPA/WPA2-PSK  0    wlan-net
0      area_1   1     1    60DE-4476-E370  ON      WPA/WPA2-PSK  0    wlan-net
------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
return
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
return
l Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
capwap source interface vlanif100
#
wlan
calibrate enable schedule time 03:00:00
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-pool sta-pool
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
rrm-profile name wlan-rrm
Networking Requirements
l AC networking mode: Layer 3 networking in inline mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: tunnel forwarding
Figure 4-18 Networking for configuring Layer 3 tunnel forwarding in inline mode
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces, and
wireless links are unstable. To ensure stable transmission, multicast packets are usually
sent at low rates. If a large number of such multicast packets are sent from the network
side, the air interfaces may be congested. You are advised to configure multicast packet
suppression to reduce the impact of a large number of low-rate multicast packets on the
wireless network. Exercise caution when configuring the rate limit; otherwise, the
multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
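Two of these Configuration Notes (the management VLAN must not be a service VLAN under tunnel forwarding; interfaces facing APs need port isolation), plus the cipher-text form in which the AC configuration files above store the pass-phrase, can be checked mechanically against a saved configuration file. The following Python script is an added example, not Huawei code or a VRP feature: it parses the indentation-stripped configuration file format shown in the Configuration Files sections, and the configuration it audits is constructed to mirror the AC configuration file above, with a placeholder cipher-text string in place of a real key.

```python
"""Audit a saved VRP configuration against this section's Configuration Notes:
management VLAN not reused as a service VLAN under tunnel forwarding, port
isolation on AP-facing ports, PSK stored as cipher text with AES.
Added example, not Huawei code; the sample configuration below is constructed."""
import re

# Views we model: (state key, line that opens the view, factory for its record).
VIEWS = (
    ("pools", r"vlan pool (\S+)$", set),
    ("vaps", r"vap-profile name (\S+)$", lambda: {"forward": "direct-forward"}),
    ("secs", r"security-profile name (\S+)$", dict),
    ("ifaces", r"interface (\S+)$", lambda: {"isolate": False}),
)
# Lines opening views we do not model, so later lines are not misattributed.
OTHER_VIEW = re.compile(r"\S+-profile name |ap-group name |ap-id |vlan batch |ip pool ")
PSK_LINE = re.compile(r"security \S+ psk pass-phrase (\S+) (\S+)$")

def expand_vlans(spec):
    """Expand a VRP VLAN list such as '10 101 to 102' into {10, 101, 102}."""
    return {v for a, b in re.findall(r"(\d+)(?: to (\d+))?", spec)
            for v in range(int(a), int(b or a) + 1)}

def parse(config_text):
    # Line-oriented parse: track which view each line belongs to by keyword.
    s = {"mgmt_vlan": None, "pools": {}, "vaps": {}, "secs": {}, "ifaces": {}}
    ctx = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"capwap source interface vlanif\s*(\d+)$", line)
        if m:
            s["mgmt_vlan"] = int(m.group(1))   # CAPWAP = management VLAN
            continue
        for key, pat, init in VIEWS:
            m = re.match(pat, line)
            if m:
                ctx = (key, m.group(1))
                s[key][m.group(1)] = init()
                break
        else:
            if OTHER_VIEW.match(line):
                ctx = None
            elif ctx:
                _fill(s[ctx[0]][ctx[1]], ctx[0], line)
    return s

def _fill(entry, key, line):
    # Record, for the current view, only the attributes the audit cares about.
    if key == "pools" and re.match(r"vlan \d", line):
        entry.update(expand_vlans(line[5:]))
    elif key == "vaps" and line.startswith("forward-mode "):
        entry["forward"] = line.split()[1]
    elif key == "vaps" and line.startswith("service-vlan vlan-pool "):
        entry["pool"] = line.split()[2]
    elif key == "secs" and PSK_LINE.match(line):
        entry["psk"], entry["cipher"] = PSK_LINE.match(line).groups()
    elif key == "ifaces" and line.startswith("port-isolate enable"):
        entry["isolate"] = True

def audit(config_text, ap_facing_ifaces=()):
    """Return a list of findings; an empty list means every check passed."""
    s = parse(config_text)
    findings = []
    for vname, vap in s["vaps"].items():
        service = s["pools"].get(vap.get("pool"), set())
        if vap["forward"] == "tunnel" and s["mgmt_vlan"] in service:
            findings.append(f"vap-profile {vname}: management VLAN {s['mgmt_vlan']} "
                            "is also a service VLAN under tunnel forwarding")
    for sname, sec in s["secs"].items():
        if "psk" not in sec:
            findings.append(f"security-profile {sname}: no WPA/WPA2 PSK policy")
            continue
        if sec["cipher"] != "aes":
            findings.append(f"security-profile {sname}: encryption is {sec['cipher']}, not aes")
        if not (sec["psk"].startswith("%^%#") and sec["psk"].endswith("%^%#")):
            findings.append(f"security-profile {sname}: pass-phrase stored in plain text")
    for iface in ap_facing_ifaces:
        if not s["ifaces"].get(iface, {}).get("isolate"):
            findings.append(f"interface {iface}: AP-facing port without port-isolate enable")
    return findings

# Constructed to mirror the AC configuration file above (tunnel forwarding);
# the pass-phrase is a placeholder cipher-text string, not a real key.
GOOD_CONFIG = """\
vlan pool sta-pool
vlan 101 to 102
#
interface GigabitEthernet0/0/1
port-isolate enable group 1
#
capwap source interface vlanif100
#
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#PLACEHOLDER-CIPHER-TEXT%^%# aes
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-pool sta-pool
"""
# Constructed counter-example: VLAN 100 added to the pool, port isolation
# removed, TKIP instead of AES, and the pass-phrase left in plain text.
WEAK_CONFIG = (GOOD_CONFIG.replace("vlan 101 to 102", "vlan 100 to 102")
               .replace("port-isolate enable group 1\n", "")
               .replace("%^%#PLACEHOLDER-CIPHER-TEXT%^%# aes", "a1234567 tkip"))
```

Run audit() on the text of display current-configuration with the list of AP-facing interfaces; the parser covers only the commands used in this section's examples.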
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default VLAN of
GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, and GE0/0/2 to VLAN 100.
Create VLANIF 100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# Configure GE0/0/1 on the AC to VLAN 100, and GE0/0/2 to VLAN 101 and VLAN 102.
Create VLANIF 100 and set the IP address of VLANIF 100 to 10.23.100.1/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 102
[AC-GigabitEthernet0/0/2] quit
# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Create VLANIF 101 and VLANIF 102 on the AC to assign IP addresses to STAs.
This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use the same
method to add more VLANs to a VLAN pool.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Name the AP after its deployment location so that the
location can be read from the AP name. For example, name the AP area_1 if it is deployed in
Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC            Name   Group     IP           Type     State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.10.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup
# Radio calibration stops one hour after it is manually triggered. Set the radio calibration
mode to scheduled and configure the APs to perform radio calibration in off-peak hours, for
example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-------------------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
-------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
capwap source interface vlanif100
#
wlan
calibrate enable schedule time 03:00:00
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-pool sta-pool
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
Networking Requirements
l AC networking mode: Layer 2 inline mode
l DHCP deployment mode: The AC functions as a DHCP server to allocate IP addresses
to APs and STAs.
l Service data forwarding mode: tunnel forwarding
Data Planning
Item                     Data
IP address pool for APs  FC01::/64
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. On the AC, configure a DHCPv6 server to assign IP addresses to APs, and a DHCPv4
and DHCPv6 server to assign IP addresses to STAs.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IPv4 address to
10.23.101.2/24 and IPv6 address to FC02::2/64.
<Huawei> system-view
[Huawei] sysname Router
[Router] ipv6
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100 and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure the DHCPv4 and DHCPv6 servers on VLANIF 101 to assign IP addresses to
STAs.
[AC] dhcpv6 pool sta_pool
[AC-dhcpv6-pool-sta_pool] address prefix fc02::/64
[AC-dhcpv6-pool-sta_pool] quit
[AC] interface vlanif 101
[AC-Vlanif101] ipv6 enable
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] ipv6 address fc02::1/64
[AC-Vlanif101] undo ipv6 nd ra halt
[AC-Vlanif101] ipv6 nd autoconfig managed-address-flag
[AC-Vlanif101] ipv6 nd autoconfig other-flag
[AC-Vlanif101] dhcpv6 server sta_pool
[AC-Vlanif101] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Name the AP after its deployment location so that the
location can be read from the AP name. For example, name the AP area_1 if it is deployed in
Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP status. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 FC01::3 AP5030DN nor 0 27S
------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IPv4 address  IPv6 address
---------------------------------------------------------------------------------------------------------------
14cf-9202-13dc 0     area_1  0/1     2.4G 11n  5/1   -62  101  10.23.101.254 FC02::546E:C25C:F4C7:B2AD
---------------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
ipv6
#
vlan batch 100 to 101
#
dhcp enable
#
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
APs are located in an enterprise branch, while the AC is located at the headquarters.
Administrators require unified AP management by the AC. Therefore, NAT traversal is
configured between the AC and APs to save the enterprise's public IP addresses.
Networking Requirements
l AC networking mode: NAT traversal between the AC at the headquarters and APs in the
branch
l DHCP deployment mode: Router_1 functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding
Figure 4-20 Networking for configuring NAT traversal between the AC and APs
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure NAT for address translation.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 100 and VLAN 101. VLAN 100
is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
2.2.2.2/24, set the IP address of GE0/0/1 to 2.2.2.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 2.2.2.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit
# Configure a default route with the next hop address 2.2.2.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 2.2.2.2
# On Router_2, add GE1/0/0 to VLAN 200. If the peer end of GE0/0/1 is at 3.3.3.2/24, set the
IP address of GE0/0/1 to 3.3.3.1/24. Create VLANIF 200 and set its IP address to
10.23.200.2/24.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface GigabitEthernet1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 3.3.3.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit
# Configure a default route with the next hop address 3.3.3.2 on Router_2.
[Router_2] ip route-static 0.0.0.0 0.0.0.0 3.3.3.2
# Configure a default route with the next hop address 10.23.200.2 on the AC.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.200.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Name the AP after its deployment location so that the
location can be read from the AP name. For example, name the AP area_1 if it is deployed in
Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands, respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type     State STA Uptime
--------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
1  60de-4474-9640 area_2 ap-group1 10.23.100.253 AP5030DN nor   0   11S
--------------------------------------------------------------------------------------
Total: 2
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
NOTE
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit
The AC automatically delivers WLAN service configuration to the AP. After the
configuration is complete, run the display vap ssid wlan-net command. If the Status field is
displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
0 area_2 0 1 60DE-4474-9640 ON WPA/WPA2-PSK 0 wlan-net
0 area_2 1 1 60DE-4474-9650 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 4
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-------------------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
-------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
interface Vlanif200
ip address 10.23.200.2 24
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/1
ip address 3.3.3.1 255.255.255.0
nat static global 3.3.3.3 inside 10.23.200.1
#
ip route-static 0.0.0.0 0.0.0.0 3.3.3.2
#
return
l AC configuration file
#
sysname AC
#
vlan batch 101 200
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.2
#
capwap source interface vlanif200
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235554710CB002312
ap-name area_2
ap-group ap-group1
#
return
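The Configuration Notes in these examples (under tunnel forwarding the management VLAN and service VLAN must differ; AP-facing switch interfaces need port isolation; the VAP should use a WPA/WPA2-PSK AES security profile) can be checked mechanically against saved configuration files of the form shown under Configuration Files. The following Python script is an added example, not part of the Huawei guide; its sample configurations are constructed from the Layer 2 inline example above, and the pass-phrase cipher text is a placeholder.

```python
"""Audit AC/switch configuration files against this section's Configuration Notes (added example)."""
import re

# Constructed from the Layer 2 inline example; the pass-phrase cipher text is a placeholder.
SAMPLE_AC_CONFIG = """\
vlan pool sta-pool
 vlan 101 to 102
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#PLACEHOLDER%^%# aes
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
  security-profile wlan-net
"""

# Constructed from SwitchA's configuration file; GE0/0/1 is the AP-facing port.
SAMPLE_SWITCH_CONFIG = """\
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
"""

def expand_vlans(spec):
    """Expand a Huawei VLAN list such as '101 to 102' or '100 101' into a set of ints."""
    vlans = set()
    for part in re.findall(r"\d+(?: to \d+)?", spec):
        lo, _, hi = part.partition(" to ")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_ac_config(text):
    """Collect the management VLAN, VLAN pools, security profiles and VAP profiles."""
    cfg = {"mgmt_vlan": None, "pools": {}, "security": {}, "vaps": {}}
    kind = name = None  # block currently being read; a '#' line ends it
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"capwap source interface vlanif\s*(\d+)", line):
            cfg["mgmt_vlan"] = int(m.group(1))
        elif m := re.fullmatch(r"(vlan pool|security-profile name|vap-profile name) (\S+)", line):
            kind, name = m.group(1).split()[0], m.group(2)
            if kind == "vlan":
                cfg["pools"][name] = set()
            elif kind == "security-profile":
                cfg["security"][name] = "open"  # policy used when none is configured
            else:  # direct-forward is the default and is not written to the saved config
                cfg["vaps"][name] = {"forward": "direct-forward", "vlans": set(), "security": None}
        elif line in ("", "#", "return"):
            kind = None
        elif kind == "vlan" and (m := re.fullmatch(r"vlan ([\d to]+)", line)):
            cfg["pools"][name] |= expand_vlans(m.group(1))
        elif kind == "security-profile" and line.startswith("security "):
            cfg["security"][name] = line.split(None, 1)[1]
        elif kind == "vap-profile":
            vap = cfg["vaps"][name]
            if m := re.fullmatch(r"forward-mode (\S+)", line):
                vap["forward"] = m.group(1)
            elif m := re.fullmatch(r"service-vlan vlan-id ([\d to]+)", line):
                vap["vlans"] |= expand_vlans(m.group(1))
            elif m := re.fullmatch(r"service-vlan vlan-pool (\S+)", line):
                vap["vlans"] |= cfg["pools"].get(m.group(1), set())
            elif m := re.fullmatch(r"security-profile (\S+)", line):
                vap["security"] = m.group(1)
    return cfg

def audit_ac(cfg):
    """Tunnel forwarding needs distinct management and service VLANs; VAPs need WPA/WPA2-PSK AES."""
    findings = []
    for vap_name, vap in cfg["vaps"].items():
        if vap["forward"] == "tunnel" and cfg["mgmt_vlan"] in vap["vlans"]:
            findings.append(f"vap-profile {vap_name}: service VLAN {cfg['mgmt_vlan']} equals "
                            "the management VLAN under tunnel forwarding")
        policy = cfg["security"].get(vap["security"], "open").split()
        if policy[0] not in ("wpa2", "wpa-wpa2") or "aes" not in policy:
            findings.append(f"vap-profile {vap_name}: security policy '{policy[0]}' "
                            "is not WPA/WPA2-PSK with AES")
    return findings

def audit_switch(text, ap_vlan):
    """Trunks whose PVID is the AP VLAN face APs and must have port isolation enabled."""
    findings = []
    for block in re.split(r"^#\s*$", text, flags=re.M):  # '#' lines separate interface blocks
        iface = re.search(r"^\s*interface (\S+)", block, re.M)
        pvid = re.search(r"port trunk pvid vlan (\d+)", block)
        if iface and pvid and int(pvid.group(1)) == ap_vlan and "port-isolate enable" not in block:
            findings.append(f"{iface.group(1)}: AP-facing (pvid {ap_vlan}) but port isolation is not enabled")
    return findings
```

Run audit_ac(parse_ac_config(text)) on an AC configuration file and audit_switch(text, 100) on an access switch file; an empty list means the three notes are satisfied.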
Networking Requirements
l AC networking mode: IPSec tunnel between the AC at the headquarters and APs in the
branch.
l DHCP deployment mode: Router_1 functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding
Figure 4-21 Networking for configuring VPN traversal between the AC and APs
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure IPSec parameters to set up an IPSec tunnel.
a. Configure an IP address and a static route on each interface to implement
communication between both ends.
b. Configure ACLs and define the data flows to be protected by the IPSec tunnel.
c. Configure an IPSec proposal to define the traffic protection method.
d. Configure IKE peers and define the attributes used for IKE negotiation.
e. Configure an IPSec policy, and apply the ACL, IPSec proposal, and IKE peers to
the IPSec policy to define the data flows to be protected and protection method.
f. Apply the IPSec policy to the interface so that the interface can protect traffic.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1 and GE0/0/2 to VLAN 100 and VLAN 101. VLAN 100 is the
default VLAN of GE0/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit
# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
202.138.162.2/24, set the IP address of GE0/0/1 to 202.138.162.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet 1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 202.138.162.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit
# Configure a default route with the next hop address 202.138.162.2 on Router_1.
# On Router_2, add GE1/0/0 to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24. If the peer end of GE0/0/1 is at 202.138.163.2/24, set the IP address of
GE0/0/1 to 202.138.163.1/24.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface gigabitethernet 1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 202.138.163.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit
# On Router_2, configure static routes to the APs (10.23.100.0/24) and to the network of Router_1's GE0/0/1 (202.138.162.0/24), both with the next hop address 202.138.163.2.
[Router_2] ip route-static 10.23.100.0 255.255.255.0 202.138.163.2
[Router_2] ip route-static 202.138.162.0 255.255.255.0 202.138.163.2
# Configure a static route from the AC to APs with the next hop address 10.23.200.2 on the
AC.
[AC] ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
Step 4 Configure ACLs and define the data flows to be protected by the IPSec tunnel.
# On Router_2, configure an ACL to protect the data flows from the AC (IP address
10.23.200.0/24) at the headquarters to the APs (IP address 10.23.100.0/24) in the branch.
[Router_2] acl number 3101
[Router_2-acl-adv-3101] rule permit ip source 10.23.200.0 0.0.0.255 destination
10.23.100.0 0.0.0.255
[Router_2-acl-adv-3101] quit
# On Router_1, configure an ACL to protect the data flows from the APs (IP address
10.23.100.0/24) in the branch to the AC (IP address 10.23.200.0/24) at the headquarters.
[Router_1] acl number 3101
[Router_1-acl-adv-3101] rule permit ip source 10.23.100.0 0.0.0.255 destination
10.23.200.0 0.0.0.255
[Router_1-acl-adv-3101] quit
# Configure an IKE peer on Router_2, set the pre-shared key, and keep the default peer ID settings. (undo version 2 limits the peer to IKEv1 negotiation.)
[Router_2] ike peer spub
[Router_2-ike-peer-spub] undo version 2
[Router_2-ike-peer-spub] ike-proposal 5
[Router_2-ike-peer-spub] pre-shared-key cipher huawei@1234
[Router_2-ike-peer-spub] remote-address 202.138.162.1
[Router_2-ike-peer-spub] quit
# Configure an IKE peer on Router_1 in the same way, with the pre-shared key and the default peer ID settings.
[Router_1] ike peer spua
[Router_1-ike-peer-spua] undo version 2
[Router_1-ike-peer-spua] ike-proposal 5
[Router_1-ike-peer-spua] pre-shared-key cipher huawei@1234
[Router_1-ike-peer-spua] remote-address 202.138.163.1
[Router_1-ike-peer-spua] quit
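The ACL and IKE peer definitions above have to agree across the two routers, and nothing on either router checks that for you: a one-octet typo in one ACL leaves the two ends negotiating different traffic selectors, and a wrong remote-address means IKE never reaches the peer. The following Python script is an added example, not part of this document or of any Huawei tool. It reads the relevant fragments of the two configuration files (constructed here from the lines shown in this example; Router_2's policy body and its GigabitEthernet0/0/1 binding are assumed to mirror Router_1's, because the page is cut off there) and reports mismatches in the remote-address and in the mirrored ACL flows.

```python
import ipaddress
import re

# Constructed samples: only the lines of the Router_1 and Router_2 configuration
# files that the check reads. Router_2's policy body and its GigabitEthernet0/0/1
# binding are assumed to mirror Router_1's, since the page is cut off there.
ROUTER_1 = """\
acl number 3101
 rule 5 permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
#
ike peer spua
 remote-address 202.138.163.1
#
ipsec policy use1 10 isakmp
 security acl 3101
 ike-peer spua
#
interface GigabitEthernet0/0/1
 ip address 202.138.162.1 255.255.255.0
 ipsec policy use1
"""
ROUTER_2 = """\
acl number 3101
 rule 5 permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
#
ike peer spub v1
 remote-address 202.138.162.1
#
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer spub
#
interface GigabitEthernet0/0/1
 ip address 202.138.163.1 255.255.255.0
 ipsec policy map1
"""
# Deliberately broken variant: a one-octet typo in Router_1's ACL destination.
ROUTER_1_BAD = ROUTER_1.replace("destination 10.23.200.0", "destination 10.23.201.0")

RULE_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")


def _blocks(cfg):
    """Split a VRP config into its '#'-delimited blocks (lists of stripped lines)."""
    parts = re.split(r"^\s*#\s*$", cfg, flags=re.M)
    return [b for b in ([l.strip() for l in p.splitlines() if l.strip()] for p in parts) if b]


def parse(cfg):
    """Extract ACL flows, IKE peer addresses, IPSec policies and interface bindings."""
    m = {"acls": {}, "peers": {}, "policies": {}, "interfaces": {}}
    for head, *body in _blocks(cfg):
        w = head.split()
        kv = dict(line.partition(" ")[::2] for line in body)  # first word -> rest of line
        if w[0] == "acl":
            # ACL wildcards are host masks, which ipaddress accepts in place of a prefix.
            m["acls"][w[2]] = [(ipaddress.ip_network(f"{r[1]}/{r[2]}"),
                                ipaddress.ip_network(f"{r[3]}/{r[4]}"))
                               for r in map(RULE_RE.match, body) if r]
        elif w[:2] == ["ike", "peer"]:
            m["peers"][w[2]] = ipaddress.ip_address(kv["remote-address"])
        elif w[:2] == ["ipsec", "policy"]:
            m["policies"][w[2]] = {"acl": kv["security"].split()[1], "peer": kv["ike-peer"]}
        elif w[0] == "interface":
            ip = kv.get("ip", "").split()  # "address A.B.C.D MASK"
            m["interfaces"][w[1]] = {"ip": ipaddress.ip_address(ip[1]) if ip else None,
                                     "policy": kv["ipsec"].split()[1] if "ipsec" in kv else None}
    return m


def tunnel_end(m):
    """(interface ip, protected flows, IKE remote-address) for the interface applying a policy."""
    for name, intf in m["interfaces"].items():
        pol = m["policies"].get(intf["policy"])
        if pol is None:
            continue
        if pol["acl"] not in m["acls"] or pol["peer"] not in m["peers"]:
            raise ValueError(f"{name}: policy {intf['policy']} references a missing ACL or IKE peer")
        return intf["ip"], m["acls"][pol["acl"]], m["peers"][pol["peer"]]
    raise ValueError("no interface applies an ipsec policy")


def check_pair(cfg_a, cfg_b):
    """Return findings for the two tunnel ends; an empty list means they agree."""
    try:
        ip_a, flows_a, remote_a = tunnel_end(parse(cfg_a))
        ip_b, flows_b, remote_b = tunnel_end(parse(cfg_b))
    except ValueError as err:
        return [str(err)]
    findings = []
    # Each side's IKE remote-address must be the other side's tunnel interface.
    if remote_a != ip_b:
        findings.append(f"A: remote-address {remote_a} is not B's tunnel interface {ip_b}")
    if remote_b != ip_a:
        findings.append(f"B: remote-address {remote_b} is not A's tunnel interface {ip_a}")
    # The protected flows must be exact mirror images (source and destination swapped);
    # otherwise the traffic selectors disagree and no SA is negotiated for those flows.
    if set(flows_a) != {(dst, src) for src, dst in flows_b}:
        findings.append(f"ACLs are not mirror images: A={flows_a} B={flows_b}")
    return findings
```

Running `check_pair(ROUTER_1, ROUTER_2)` on the configuration from this example returns an empty list; `check_pair(ROUTER_1_BAD, ROUTER_2)` returns the single "not mirror images" finding. The IKE and IPSec proposal contents (aes-128, sha2-256, dh group14) are not compared here because Router_1's proposal is only partly shown on this page; add that comparison when the full files are available.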
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# After the configurations are complete, the AC can ping the APs successfully and the data
transmitted between them is encrypted. You can run the display ipsec statistics esp command
to view packet statistics.
Run the display ike sa command on Router_2, and the following information is displayed:
<Router_2> display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------
16 202.138.162.1 0 RD|ST v1:2
14 202.138.162.1 0 RD|ST v1:1
Number of SA entries : 2
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
----End
Configuration Files
l AC configuration file
#
sysname AC
#
vlan batch 101 200
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
#
capwap source interface vlanif200
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer spua
undo version 2
pre-shared-key cipher %@%@HCf#WZWU9A;yLoD#V$8G*i_/%@%@
ike-proposal 5
remote-address 202.138.163.1
#
ipsec policy use1 10 isakmp
security acl 3101
ike-peer spua
proposal tran1
#
ip pool ap
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select global
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
ip address 202.138.162.1 255.255.255.0
ipsec policy use1
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
ip route-static 0.0.0.0 0.0.0.0 202.138.162.2
#
return
l Router_2 configuration file.
#
sysname Router_2
#
vlan batch 200
#
acl number 3101
rule 5 permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0
0.0.0.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ike proposal 5
encryption-algorithm aes-128
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer spub v1
undo version 2
pre-shared-key cipher %@%@HCf#WZWU9A;yLoD#V$8G*i_/%@%@
ike-proposal 5
remote-address 202.138.162.1
#
ipsec policy map1 10 isakmp
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Considering the high costs of wired AP deployment, enterprises need to set up
wireless distribution system (WDS) links for wireless backhaul to provide service coverage,
ensuring that enterprise users can access the WLAN.
Networking Requirements
l AC networking mode: Layer 2 networking in bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_A) functions as a DHCP server to assign IP
addresses to STAs.
l Wireless backhaul mode: hand-in-hand WDS
l Backhaul radio: 5 GHz
l Service data forwarding mode: direct forwarding
Data Planning
l WDS whitelist profile
– Name: wds-list2
– AP MAC address: MAC address of AP_3 (leaf)
l WDS profile
– Name: wds-leaf
– WDS name: wlan-wds
– WDS working mode: leaf
– Tagged VLAN: VLAN 101
– Referenced profile: security profile wds-security
l AP group
– Name: ap-group2
– Root and leaf APs, such as AP_2, are added to the group.
– Referenced profiles: WDS profiles wds-root and wds-leaf, VAP profile wlan-net, and regulatory domain profile default
l AP group
– Name: ap-group3
– Leaf APs, such as AP_3, are added to the group.
– Referenced profiles: WDS profile wds-leaf, VAP profile wlan-net, and regulatory domain profile default
Configuration Roadmap
1. Configure root node AP_1 to go online on the AC.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
2. Configure WDS services so that the APs in Area B and Area C can go online through WDS wireless virtual links.
3. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
l Select proper antennas by following the WDS network planning and design, and use the
antenna calibration tool for calibration.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit
# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure Switch_A as a DHCP server to assign IP addresses to STAs from the interface
address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server gateway-list 10.23.101.2
[Switch_A-Vlanif101] quit
# Enable DHCP on the AC to assign IP addresses to the APs from the interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
# Add AP_1, AP_2, and AP_3 to AP group ap-group1, ap-group2, and ap-group3,
respectively.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fc96-e4c0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group ap-group3
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
# Set the key radio parameters for the WDS nodes. In this example, AP_1 and AP_3 use radio 1, and AP_2 uses both radio 0 and radio 1. Configure radio 0 of AP_2 to work on the 5 GHz band. To reduce interference, configure radio 0 and radio 1 of AP_2 to work on different channels; radio 1 and radio 0 of AP_2 establish the WDS links to AP_1 and AP_3 respectively. The coverage distance parameter specifies the radio coverage distance in units of 100 m; the default is 3. In this example, 4 is used. Set this parameter based on the actual distance between the WDS nodes.
NOTE
On a WDS network, radios used to create WDS links must work on the same channel.
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] frequency 5g
Warning: Modifying the frequency band will delete the channel, power, and antenna gain configurations of the current radio on the AP and reboot the AP. Continue?[Y/N]:y
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/1] coverage distance 4
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/0] coverage distance 4
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] radio 1
[AC-wlan-radio-2/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/1] coverage distance 4
[AC-wlan-radio-2/1] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3
[AC-wlan-ap-3] radio 1
[AC-wlan-radio-3/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-3/1] coverage distance 4
[AC-wlan-radio-3/1] quit
[AC-wlan-ap-3] quit
# Configure security profile wds-security for WDS links. The security policy for the security
profile is WPA2+PSK+AES.
[AC-wlan-view] security-profile name wds-security
[AC-wlan-sec-prof-wds-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wds-security] quit
# Configure a WDS whitelist profile. Bind WDS whitelist profile wds-list1 to AP_1, and
allow access of only AP_2. Bind WDS whitelist profile wds-list2 to AP_2, and allow access
of only AP_3.
[AC-wlan-view] wds-whitelist-profile name wds-list1
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac dcd2-fc04-b500
[AC-wlan-wds-whitelist-wds-list1] quit
[AC-wlan-view] wds-whitelist-profile name wds-list2
[AC-wlan-wds-whitelist-wds-list2] peer-ap mac dcd2-fc96-e4c0
[AC-wlan-wds-whitelist-wds-list2] quit
# Configure WDS profile wds-root. Set the WDS name to wlan-wds, and the WDS mode to
root. Bind security profile wds-security to the WDS profile and permit packets from VLAN
101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-root
[AC-wlan-wds-prof-wds-root] wds-name wlan-wds
[AC-wlan-wds-prof-wds-root] wds-mode root
[AC-wlan-wds-prof-wds-root] security-profile wds-security
[AC-wlan-wds-prof-wds-root] vlan tagged 101
[AC-wlan-wds-prof-wds-root] quit
# Configure WDS profile wds-leaf. Set the WDS name to wlan-wds, and the WDS mode to
leaf. Bind security profile wds-security to the WDS profile and permit packets from VLAN
101 to pass through in tagged mode.
# Bind WDS whitelist profile wds-list1 to radio 1 of AP group ap-group1 (the root radio facing AP_2), and WDS whitelist profile wds-list2 to radio 0 of AP group ap-group2 (the root radio facing AP_3, as in the configuration file at the end of this example). A whitelist restricts which leaf APs a root radio accepts; a root radio without one does not filter leaf APs by MAC address.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] wds-whitelist-profile wds-list1
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] radio 0
[AC-wlan-group-radio-ap-group2/0] wds-whitelist-profile wds-list2
[AC-wlan-group-radio-ap-group2/0] quit
[AC-wlan-ap-group-ap-group2] quit
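The whitelist bindings above and the channel settings earlier in this procedure are what keep the WDS backhaul closed and working: a root radio with no whitelist does not filter leaf APs by MAC, so any AP holding the WDS pre-shared key can attach, and the two radios of a link must sit on the same fixed channel. The following Python script is an added example, not part of this document or of any Huawei tool. It parses a constructed copy of the WDS-relevant lines of the AC configuration file from this example (indented as the AC prints them; the channel of AP_3 radio 1 is taken from the procedure because the configuration file on this page is cut off at that line; a WDS profile with no wds-mode line is treated as leaf, the default the configuration file relies on), derives the links from the root radios' whitelists, and flags root radios without a whitelist, whitelisted MACs that are not managed APs, and links whose two ends are not fixed on the same channel.

```python
# Constructed sample: the WDS-relevant lines of the AC configuration file in this
# example, indented as the AC prints them; AP_3 radio 1's channel (149) comes from
# the procedure above because the configuration file on this page is cut off there.
AC_CONFIG = """\
 wds-whitelist-profile name wds-list1
  peer-ap mac dcd2-fc04-b500
 wds-whitelist-profile name wds-list2
  peer-ap mac dcd2-fc96-e4c0
 wds-profile name wds-leaf
 wds-profile name wds-root
  wds-mode root
 ap-group name ap-group1
  radio 1
   wds-profile wds-root
   wds-whitelist-profile wds-list1
 ap-group name ap-group2
  radio 0
   wds-profile wds-root
   wds-whitelist-profile wds-list2
  radio 1
   wds-profile wds-leaf
 ap-group name ap-group3
  radio 1
   wds-profile wds-leaf
 ap-id 1 type-id 39 ap-mac 60de-4474-9640
  ap-name AP_1
  ap-group ap-group1
  radio 1
   channel 40mhz-plus 157
 ap-id 2 type-id 39 ap-mac dcd2-fc04-b500
  ap-name AP_2
  ap-group ap-group2
  radio 0
   channel 40mhz-plus 149
  radio 1
   channel 40mhz-plus 157
 ap-id 3 type-id 39 ap-mac dcd2-fc96-e4c0
  ap-name AP_3
  ap-group ap-group3
  radio 1
   channel 40mhz-plus 149
"""

def parse_ac(cfg):
    """Collect whitelists, WDS profile modes, AP-group radio bindings and per-AP channels."""
    m = {"whitelists": {}, "wds_modes": {}, "groups": {}, "aps": {}}
    kind = cur = radio = None
    for t in filter(None, (line.split() for line in cfg.splitlines())):
        if t[:2] == ["wds-whitelist-profile", "name"]:
            kind, cur = "wl", m["whitelists"].setdefault(t[2], [])
        elif kind == "wl" and t[0] == "peer-ap":
            cur.append(t[2].lower())
        elif t[:2] == ["wds-profile", "name"]:
            kind, cur = "wds", t[2]
            m["wds_modes"][cur] = "leaf"  # leaf is the default mode; root is set explicitly
        elif kind == "wds" and t[0] == "wds-mode":
            m["wds_modes"][cur] = t[1]
        elif t[:2] == ["ap-group", "name"]:
            kind, cur, radio = "group", m["groups"].setdefault(t[2], {}), None
        elif t[0] == "ap-id":
            kind, radio = "ap", None
            cur = m["aps"].setdefault(t[1], {"mac": t[t.index("ap-mac") + 1].lower(), "radios": {}})
        elif t[0] == "radio" and len(t) == 2:
            radio = int(t[1])
        elif kind == "group" and t[0] in ("wds-profile", "wds-whitelist-profile"):
            cur.setdefault(radio, {})[t[0]] = t[1]
        elif kind == "ap" and t[0] in ("ap-name", "ap-group"):
            cur[t[0]] = t[1]
        elif kind == "ap" and t[0] == "channel":
            cur["radios"][radio] = int(t[2])
    return m

def wds_links(m):
    """(root AP, root radio, leaf AP, leaf radio) links derived from the root radios' whitelists."""
    links, findings = [], []
    by_mac = {ap["mac"]: ap for ap in m["aps"].values()}
    for ap in m["aps"].values():
        for r, binds in m["groups"].get(ap.get("ap-group"), {}).items():
            if m["wds_modes"].get(binds.get("wds-profile")) != "root":
                continue
            if "wds-whitelist-profile" not in binds:
                findings.append(f"{ap['ap-name']} r{r}: root radio without whitelist, any AP holding the PSK can attach")
                continue
            for mac in m["whitelists"].get(binds["wds-whitelist-profile"], []):
                leaf = by_mac.get(mac)
                if leaf is None:
                    findings.append(f"{binds['wds-whitelist-profile']}: {mac} is not a managed AP")
                    continue
                links += [(ap["ap-name"], r, leaf["ap-name"], lr)
                          for lr, lb in m["groups"].get(leaf.get("ap-group"), {}).items()
                          if m["wds_modes"].get(lb.get("wds-profile")) == "leaf"]
    return links, findings

def check_wds(m):
    """Whitelist and channel findings for the topology; an empty list means it is sound."""
    links, findings = wds_links(m)
    by_name = {ap["ap-name"]: ap for ap in m["aps"].values()}
    for root, rr, leaf, lr in links:
        chans = (by_name[root]["radios"].get(rr), by_name[leaf]["radios"].get(lr))
        if None in chans or chans[0] != chans[1]:  # both ends must be fixed on one channel
            findings.append(f"{root} r{rr} <-> {leaf} r{lr}: channels {chans[0]} vs {chans[1]}")
    return findings
```

`check_wds(parse_ac(AC_CONFIG))` returns an empty list for this example and `wds_links` yields the two expected links, AP_1 radio 1 to AP_2 radio 1 and AP_2 radio 0 to AP_3 radio 1. Moving AP_3 radio 1 to another channel, or dropping the whitelist from ap-group1 radio 1, each produces one finding. Run the check on the output of `display current-configuration` after every change to the WDS profiles or AP radios, since the AC itself accepts an unwhitelisted root radio or a channel mismatch without complaint.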
Step 6 Bind required profiles to the AP groups to make WDS services take effect.
# Bind WDS profile wds-root to AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wds-profile wds-root radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
# Bind the VAP profile to the AP groups. In this example, radio 1 on AP_1 and AP_3 is used
for WDS backhaul, and radio 0 for wireless service coverage. Apply VAP profile wlan-net to
radio 0 of the AP_1 and AP_3.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] vap-profile wlan-net wlan 3 radio 0
[AC-wlan-ap-group-ap-group3] quit
Step 8 Configure the channel and power for the 2.4 GHz radio.
NOTE
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Run the display wlan wds link all command to display information about WDS links.
[AC-wlan-view] display wlan wds link all
Rf : radio ID Dis : coverage distance(100m)
Ch : channel Per : drop percent(%)
TSNR : total SNR(dB) P- : peer
The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
1 AP_1 0 1 60DE-4474-9640 ON WPA/WPA2-PSK 0 wlan-net
3 AP_3 0 3 DCD2-FC96-E4C0 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 1 AP_1 0/1 2.4G 11n 3/34 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
----End
Configuration Files
l Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
wds-whitelist-profile name wds-list1
peer-ap mac dcd2-fc04-b500
wds-whitelist-profile name wds-list2
peer-ap mac dcd2-fc96-e4c0
wds-profile name wds-leaf
security-profile wds-security
vlan tagged 101
wds-name wlan-wds
wds-profile name wds-root
security-profile wds-security
vlan tagged 101
wds-name wlan-wds
wds-mode root
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 3
radio 1
wds-profile wds-root
wds-whitelist-profile wds-list1
ap-group name ap-group2
radio 0
wds-profile wds-root
wds-whitelist-profile wds-list2
radio 1
wds-profile wds-leaf
ap-group name ap-group3
radio 0
vap-profile wlan-net wlan 1
radio 1
wds-profile wds-leaf
ap-id 1 type-id 39 ap-mac 60de-4474-9640 ap-sn 210235554710CB000042
ap-name AP_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 40mhz-plus 157
coverage distance 4
ap-id 2 type-id 39 ap-mac dcd2-fc04-b500 ap-sn 210235555310CC000094
ap-name AP_2
ap-group ap-group2
radio 0
frequency 5g
channel 40mhz-plus 149
eirp 127
coverage distance 4
radio 1
channel 40mhz-plus 157
eirp 127
coverage distance 4
ap-id 3 type-id 39 ap-mac dcd2-fc96-e4c0 ap-sn 210235557610DB000046
ap-name AP_3
ap-group ap-group3
radio 0
channel 20mhz 11
eirp 127
radio 1
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_A) functions as a DHCP server to assign IP
addresses to STAs.
l Wireless backhaul mode: WDS back-to-back
l Backhaul radio: 5 GHz radio
Data Planning
l WDS profile
– wds-net1 (WDS profile used by AP_1): WDS mode root, referencing WDS whitelist wds-list1, permitting access only from AP_2
– wds-net2 (WDS profile used by AP_3): WDS mode root, referencing WDS whitelist wds-list2, permitting access only from AP_4
– wds-net3 (WDS profile used by AP_2 and AP_4): referencing no WDS whitelist
Configuration Roadmap
1. Configure WDS links in Area A and Area B so that AP_1 and AP_2 can go online on the
AC.
2. Configure Switch_C to enable AP_2 and AP_3 to communicate through the wired
network.
3. Configure WDS links in Area B and Area C so that AP_4 can go online on the AC.
4. Configure wired interfaces on AP_4 to enable wired users connected to AP_4 to access
the network.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs. Packets from the service VLAN are not allowed between the AC and APs.
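The port-isolation and VLAN-separation notes above are properties that can be verified from saved configuration files rather than by eye. The following Python checker is an added example written for this page, not Huawei code: it parses configuration text in the style of the Configuration Files sections of this guide (the two samples are constructed for the example), reports AP-facing switch interfaces that lack port-isolate enable, and flags a VAP profile in tunnel forwarding mode whose service VLAN equals the management VLAN taken from the capwap source interface vlanifN line. The forward-mode tunnel and service-vlan vlan-id lines, and the assumption that direct forwarding applies when no forward-mode line is present, are the example's assumptions about the vap-profile view; they do not appear in this section.

```python
import re

# Constructed sample switch configuration in the style of the "Configuration
# Files" sections of this guide. GE0/0/2 deliberately lacks port isolation.
SAMPLE_SWITCH_CONFIG = """\
#
sysname Switch_B
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return
"""

# Constructed sample AC configuration. The vap-profile uses tunnel forwarding
# with service VLAN 100, which collides with management VLAN 100 (vlanif100).
# The forward-mode and service-vlan lines are assumed vap-profile syntax.
SAMPLE_AC_CONFIG = """\
#
sysname AC
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 100
#
return
"""


def parse_interfaces(config):
    """Map each 'interface X' section to the set of its (stripped) lines.
    A line consisting of '#' closes the current section, as in VRP config files."""
    sections = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#" or not line:
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            sections[current] = set()
        elif current is not None:
            sections[current].add(line)
    return sections


def check_port_isolation(config, ap_facing_interfaces):
    """Return the AP-facing interfaces that do not carry 'port-isolate enable'."""
    sections = parse_interfaces(config)
    return [name for name in ap_facing_interfaces
            if "port-isolate enable" not in sections.get(name, set())]


def check_tunnel_vlan_separation(config):
    """Flag VAP profiles in tunnel forwarding mode whose service VLAN is the
    management VLAN (taken from 'capwap source interface vlanifN')."""
    m = re.search(r"^\s*capwap source interface vlanif(\d+)\s*$", config, re.M)
    if m is None:
        return ["management VLAN not found (no capwap source interface vlanif)"]
    mgmt_vlan = int(m.group(1))

    profiles = {}  # profile name -> {"mode": ..., "service_vlan": ...}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("vap-profile name "):
            current = line.split()[-1]
            # Assumption: direct forwarding applies when no forward-mode line is present.
            profiles[current] = {"mode": "direct", "service_vlan": None}
        elif line == "#":
            current = None
        elif current is not None:
            if line.startswith("forward-mode "):
                profiles[current]["mode"] = line.split()[-1]
            elif line.startswith("service-vlan vlan-id "):
                profiles[current]["service_vlan"] = int(line.split()[-1])

    findings = []
    for name, p in profiles.items():
        if p["mode"] == "tunnel" and p["service_vlan"] == mgmt_vlan:
            findings.append(
                f"vap-profile {name}: service VLAN {p['service_vlan']} equals "
                f"management VLAN {mgmt_vlan} in tunnel forwarding mode")
    return findings


if __name__ == "__main__":
    print(check_port_isolation(SAMPLE_SWITCH_CONFIG,
                               ["GigabitEthernet0/0/1", "GigabitEthernet0/0/2"]))
    print(check_tunnel_vlan_separation(SAMPLE_AC_CONFIG))
```

Run against the two samples, the first check names GigabitEthernet0/0/2 and the second reports the wlan-net profile; changing the profile's service VLAN to 101 clears the second finding.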
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit
# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
# Configure the access switch Switch_C. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 and VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 to 101
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/1] quit
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# Configure GE0/0/1 of the AC to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 to 101
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure Switch_A as a DHCP server to assign IP addresses to STAs from an interface
address pool.
# Enable the DHCP function on the AC to allow it to assign IP addresses to APs from an
interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
Step 4 Configure the AP groups, country code, and AC's source interface.
# Create AP group wds-root1 and AP group wds-root2 for root APs and AP group wds-leaf1
and AP group wds-leaf2 for leaf APs.
[AC] wlan
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-leaf2] quit
[AC-wlan-view] quit
# Add AP_1 to AP group wds-root1, AP_3 to AP group wds-root2, AP_2 to AP group wds-leaf1, and AP_4 to AP group wds-leaf2.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac dcd2-fcf6-76a0
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group wds-root1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4474-9640
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group wds-leaf1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fc04-b500
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group wds-root2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 4 ap-mac 60de-4476-e360
[AC-wlan-ap-4] ap-name AP_4
[AC-wlan-ap-4] ap-group wds-leaf2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-4] quit
# Configure radio parameters for WDS nodes. This example uses radio 1 of the AP8130DN. The coverage distance parameter sets the radio coverage distance; its default value is 3 (unit: 100 meters). This example sets it to 4. Configure the parameter according to the actual situation.
NOTE
On a WDS network, radios used to create WDS links must work on the same channel.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] radio 1
[AC-wlan-group-radio-wds-root1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-root1/1] coverage distance 4
[AC-wlan-group-radio-wds-root1/1] quit
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] radio 1
[AC-wlan-group-radio-wds-root2/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-root2/1] coverage distance 4
[AC-wlan-group-radio-wds-root2/1] quit
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] radio 1
[AC-wlan-group-radio-wds-leaf1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-leaf1/1] coverage distance 4
[AC-wlan-group-radio-wds-leaf1/1] quit
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] radio 1
[AC-wlan-group-radio-wds-leaf2/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-leaf2/1] coverage distance 4
[AC-wlan-group-radio-wds-leaf2/1] quit
[AC-wlan-ap-group-wds-leaf2] quit
# Configure the security profile wds-sec used by WDS links. The profile wds-sec supports the
security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name wds-sec
[AC-wlan-sec-prof-wds-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wds-sec] quit
# Configure the WDS whitelist. Configure the WDS whitelist wds-list1 bound to AP_1 to
permit access only from AP_2. Configure the WDS whitelist wds-list2 bound to AP_3 to
permit access only from AP_4.
[AC-wlan-view] wds-whitelist-profile name wds-list1
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac 60de-4474-9640
[AC-wlan-wds-whitelist-wds-list1] quit
[AC-wlan-view] wds-whitelist-profile name wds-list2
[AC-wlan-wds-whitelist-wds-list2] peer-ap mac 60de-4476-e360
[AC-wlan-wds-whitelist-wds-list2] quit
# Configure the WDS profile wds-net1. Set the WDS name to wds-net and WDS mode to
root. Apply the security profile wds-sec and allow packets from service VLAN 101 to pass
through in tagged mode.
[AC-wlan-view] wds-profile name wds-net1
[AC-wlan-wds-prof-wds-net1] wds-name wds-net
[AC-wlan-wds-prof-wds-net1] wds-mode root
[AC-wlan-wds-prof-wds-net1] security-profile wds-sec
[AC-wlan-wds-prof-wds-net1] vlan tagged 101
[AC-wlan-wds-prof-wds-net1] quit
# Configure the WDS profile wds-net2. Set the WDS name to wds-net and WDS mode to root. Apply the security profile wds-sec and allow packets from service VLAN 101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-net2
[AC-wlan-wds-prof-wds-net2] wds-name wds-net
[AC-wlan-wds-prof-wds-net2] wds-mode root
[AC-wlan-wds-prof-wds-net2] security-profile wds-sec
[AC-wlan-wds-prof-wds-net2] vlan tagged 101
[AC-wlan-wds-prof-wds-net2] quit
# Configure the WDS profile wds-net3. Set the WDS name to wds-net and WDS mode to
leaf. Bind the security profile wds-sec to the WDS profile, allowing packets from service
VLAN 101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-net3
[AC-wlan-wds-prof-wds-net3] wds-name wds-net
[AC-wlan-wds-prof-wds-net3] wds-mode leaf
[AC-wlan-wds-prof-wds-net3] security-profile wds-sec
[AC-wlan-wds-prof-wds-net3] vlan tagged 101
[AC-wlan-wds-prof-wds-net3] quit
# Bind the WDS whitelist wds-list1 to radio 1 in AP group wds-root1 to permit access only from AP_2.
# Bind the WDS whitelist wds-list2 to radio 1 in AP group wds-root2 to permit access only from AP_4.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] radio 1
[AC-wlan-group-radio-wds-root1/1] wds-whitelist-profile wds-list1
[AC-wlan-group-radio-wds-root1/1] quit
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] radio 1
[AC-wlan-group-radio-wds-root2/1] wds-whitelist-profile wds-list2
[AC-wlan-group-radio-wds-root2/1] quit
[AC-wlan-ap-group-wds-root2] quit
Step 6 Configure the wired port profile used by the wired interfaces on AP_4 and set the wired
interface mode to endpoint. In this example, the PVID of the wired interface is set to VLAN
101 and the wired interface is added to VLAN 101 in tagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] mode endpoint
Warning: If the AP goes online through a wired port, the incorrect port mode configuration will cause the AP to go out of management. This fault can be recovered only by modifying the configuration on the AP. Continue? [Y/N]:y
[AC-wlan-wired-port-wired-port] vlan pvid 101
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit
Step 7 Bind required profiles to the AP groups to make WDS services take effect.
# Configure the AP group wds-root1 and bind the WDS profile wds-net1 to the group.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] wds-profile wds-net1 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-root1] quit
# Configure the AP group wds-root2 and bind the WDS profile wds-net2 to the group.
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] wds-profile wds-net2 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-root2] quit
# Configure the AP group wds-leaf1 and bind the WDS profile wds-net3 to the group.
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] wds-profile wds-net3 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-leaf1] quit
# Configure the AP group wds-leaf2, and bind the WDS profile wds-net3 and wired port
profile wired-port to the group.
Run the display wlan wds link all command to check information about the WDS links.
<AC> display wlan wds link all
Rf : radio ID            Dis : coverage distance(100m)
Ch : channel             Per : drop percent(%)
TSNR : total SNR(dB)     P- : peer
WDS : WDS mode           Re : retry ratio(%)
RSSI : RSSI(dBm)         MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   WDS   P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------
AP_1    AP_2      1   4    157  root  normal    -44   -40   0    3   50    45/49/-
AP_2    AP_1      1   4    157  leaf  normal    -38   -36   0    49  57    36/31/57
AP_3    AP_4      1   4    149  root  normal    -11   -7    0    1   83    81/80/-
AP_4    AP_3      1   4    149  leaf  normal    -4    -4    0    0   91    90/85/-
-------------------------------------------------------------------------------------
Total: 4
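The display output above is what an operator reads to confirm that the WDS links came up, and the WDS whitelists configured earlier are what limit which APs a root radio will bridge to. The following Python checker is an added example for this page, not Huawei code: it parses a retyped copy of that display output (constructed sample input) and cross-checks each link against the AP-to-MAC bindings from Step 4 and the whitelist contents, so that a root radio bridged to a peer outside its whitelist, a missing reverse link, a channel mismatch, a non-normal status, or a weak or retry-heavy link shows up as a finding. The retry-ratio and RSSI thresholds are the example's own choices, and the middle WDS mode accepted by the row pattern is not used in this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the four links shown by "display wlan wds link all"
# above, retyped here as checker input (not captured from a live AC).
SAMPLE_WDS_OUTPUT = """\
Rf : radio ID            Dis : coverage distance(100m)
Ch : channel             Per : drop percent(%)
TSNR : total SNR(dB)     P- : peer
WDS : WDS mode           Re : retry ratio(%)
RSSI : RSSI(dBm)         MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   WDS   P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------
AP_1    AP_2      1   4    157  root  normal    -44   -40   0    3   50    45/49/-
AP_2    AP_1      1   4    157  leaf  normal    -38   -36   0    49  57    36/31/57
AP_3    AP_4      1   4    149  root  normal    -11   -7    0    1   83    81/80/-
AP_4    AP_3      1   4    149  leaf  normal    -4    -4    0    0   91    90/85/-
-------------------------------------------------------------------------------------
Total: 4
"""

# AP name -> MAC address, as bound with "ap-id ... ap-mac ..." in Step 4.
AP_MAC = {
    "AP_1": "dcd2-fcf6-76a0",
    "AP_2": "60de-4474-9640",
    "AP_3": "dcd2-fc04-b500",
    "AP_4": "60de-4476-e360",
}

# Root AP name -> peer MACs allowed by the WDS whitelist bound to its radio 1
# (wds-list1 on AP_1, wds-list2 on AP_3).
WDS_WHITELIST = {
    "AP_1": {"60de-4474-9640"},
    "AP_3": {"60de-4476-e360"},
}


@dataclass
class WdsLink:
    ap: str
    peer: str
    radio: int
    channel: int
    mode: str       # root / middle / leaf
    status: str     # P-Status column
    rssi: int       # dBm
    retry_pct: int  # Re column


# One data row: APName P-APName Rf Dis Ch WDS P-Status RSSI MaxR Per Re ...
_ROW = re.compile(
    r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(root|middle|leaf)\s+(\S+)\s+"
    r"(-?\d+)\s+(-?\d+)\s+(\d+)\s+(\d+)\s+")


def parse_wds_links(text):
    """Extract the data rows of 'display wlan wds link all'; legend, header and
    separator lines do not match the row pattern and are skipped."""
    links = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            links.append(WdsLink(
                ap=m.group(1), peer=m.group(2), radio=int(m.group(3)),
                channel=int(m.group(5)), mode=m.group(6), status=m.group(7),
                rssi=int(m.group(8)), retry_pct=int(m.group(11))))
    return links


def audit_wds_links(links, whitelist, ap_mac, max_retry_pct=20, min_rssi_dbm=-70):
    """Return human-readable findings. The retry and RSSI thresholds are this
    example's own choices, not values from the guide."""
    findings = []
    by_pair = {(l.ap, l.peer): l for l in links}
    for l in links:
        if l.status != "normal":
            findings.append(f"{l.ap}->{l.peer}: link status {l.status}")
        if l.mode == "root":
            # A root radio must only bridge to the peer its whitelist names.
            peer_mac = ap_mac.get(l.peer)
            if peer_mac not in whitelist.get(l.ap, set()):
                findings.append(f"{l.ap}: peer {l.peer} ({peer_mac or 'unknown MAC'}) "
                                "is not in its WDS whitelist")
        reverse = by_pair.get((l.peer, l.ap))
        if reverse is None:
            findings.append(f"{l.ap}->{l.peer}: {l.peer} reports no link back")
        elif reverse.channel != l.channel:
            findings.append(f"{l.ap}<->{l.peer}: channel mismatch "
                            f"{l.channel}/{reverse.channel}")
        if l.rssi < min_rssi_dbm:
            findings.append(f"{l.ap}->{l.peer}: RSSI {l.rssi} dBm below {min_rssi_dbm} dBm")
        if l.retry_pct > max_retry_pct:
            findings.append(f"{l.ap}->{l.peer}: retry ratio {l.retry_pct}% "
                            f"exceeds {max_retry_pct}%")
    return findings


if __name__ == "__main__":
    for finding in audit_wds_links(parse_wds_links(SAMPLE_WDS_OUTPUT), WDS_WHITELIST, AP_MAC):
        print(finding)
```

On the sample the only finding is the 49% retry ratio on the AP_2 side of the first link; the whitelist, reverse-link and channel checks all pass because the display matches the configuration above.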
----End
Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
Service Requirements
An enterprise needs to establish Mesh wireless backhaul links in different areas to expand
wireless coverage and reduce wired deployment costs.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh portal-node
• Backhaul radio: 5 GHz radio
Data Planning
Item Data
Configuration Roadmap
1. Configure network connectivity and enable the AP (MPP) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B and Area C to go online on the
AC through Mesh links.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# Configure GE0/0/1 of the AC to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
Step 4 Configure the AP groups, country code, and AC's source interface.
# Create AP groups for MPPs and MPs respectively and add APs that require the same
configuration to the same group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit
# Add area_1 to the AP group mesh-mpp and area_2 and area_3 to the AP group mesh-mp.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e360
[AC-wlan-ap-1] ap-name area_1
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name area_2
[AC-wlan-ap-2] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 60de-4474-9640
[AC-wlan-ap-3] ap-name area_3
[AC-wlan-ap-3] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
# Configure the security profile mesh-sec used by Mesh links. The Mesh network supports
only the security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name mesh-sec
[AC-wlan-sec-prof-mesh-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-mesh-sec] quit
# Configure Mesh roles. Set the Mesh role of area_1 to Mesh-portal. area_2 and area_3 use
the default Mesh role Mesh-node. Mesh roles are configured through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit
# Configure a Mesh profile. Set the Mesh network ID to mesh-net, aging time of Mesh links
to 30s, and bind the security profile and Mesh whitelist to the Mesh profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] link-aging-time 30
[AC-wlan-mesh-prof-mesh-net] security-profile mesh-sec
[AC-wlan-mesh-prof-mesh-net] quit
Step 6 Bind required profiles to the AP groups to make Mesh services take effect.
# Bind the AP wired port profile wired-port to AP groups mesh-mpp and mesh-mp to make
AP wired port parameters take effect on Mesh nodes. This example assumes that all APs
connect to Switch_B through GE0.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mp] quit
# Bind the AP system profile mesh-sys to the AP group mesh-mpp to make the MPP role
take effect on area_1.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] quit
# Bind the Mesh profile mesh-net to AP groups mesh-mpp and mesh-mp to make Mesh
services take effect.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit
[AC] quit
# After the configuration is complete, run the display ap all command to check whether Mesh
nodes go online successfully. If State is displayed as nor, APs have gone online successfully.
<AC> display ap all
Total AP information:
nor : normal [3]
------------------------------------------------------------------------------------------
ID  MAC             Name    Group     IP             Type      State  STA  Uptime
------------------------------------------------------------------------------------------
1   60de-4476-e360  area_1  mesh-mpp  10.23.100.254  AP8130DN  nor    0    13M:45S
2   dcd2-fc04-b500  area_2  mesh-mp   10.23.100.251  AP8130DN  nor    0    5M:22S
3   60de-4474-9640  area_3  mesh-mp   10.23.100.253  AP8130DN  nor    0    4M:14S
------------------------------------------------------------------------------------------
Total: 3
# After Mesh services take effect, run the display wlan mesh link all command to check
Mesh link information.
----End
Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
dhcp enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
Service Requirements
If an enterprise needs to provide wireless network access services for different areas, multiple
Mesh Portal Points (MPPs) can be configured to work on different channels. This can reduce
MP contention for wireless channels, thus improving coverage performance.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul node: dual Mesh portal-node
• Backhaul radio: 5 GHz radio
Data Planning
Configuration Roadmap
1. Configure network connectivity and enable APs (MPPs) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B to go online on the AC through
Mesh links.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition, wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent at low rates. If a large number of such multicast packets are sent from the network side, the air interfaces may be congested. You are advised to configure multicast packet suppression to reduce impact of a large number of low-rate multicast packets on the wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is not configured and direct forwarding is used, a large number of unnecessary broadcast packets may be generated in the VLAN, blocking the network and degrading user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only packets from the management VLAN are transmitted between the AC and APs. Packets from the service VLAN are not allowed between the AC and APs.
• During the configuration of a Mesh network with multiple MPPs, to enable MPs to set up wireless links with multiple MPPs simultaneously, configure the MPPs to work on the same channel.
• On a Mesh network, radios of APs with 802.11ac chips can interconnect only with radios of neighbors with 802.11ac chips, and radios of APs with 802.11n chips can interconnect only with radios of neighbors with 802.11n chips. Table 4-30 lists types of chips used by AP models.
Table 4-30 Chip types used by AP models (only one row survived extraction): AP4030TN: 802.11n, 802.11ac, Mesh not supported
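The last two notes are constraints on the plan rather than on any single command, so they are easiest to check before the APs are bound to groups. The following Python validator is an added example for this page, not Huawei code: given a constructed plan of MPPs and MPs with their backhaul channel and radio chip type, it reports MPPs that do not share one channel and MPs that have no MPP with a matching chip type on their channel. The chip types in the sample plan are sample values chosen to exercise the checks, not Table 4-30 entries for any real AP model, and the requirement that an MP's backhaul radio use the same channel as its MPP is carried over from the WDS note on this page as an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MeshNode:
    name: str
    role: str       # "MPP" (Mesh portal) or "MP" (Mesh node)
    channel: int    # channel of the 5 GHz backhaul radio
    chip: str       # "802.11n" or "802.11ac", the categories of Table 4-30


# Constructed plan modelled on the dual-MPP topology of this example. The chip
# types are sample values chosen to exercise the checks; they are not the
# Table 4-30 entries for any real AP model.
SAMPLE_PLAN = [
    MeshNode("AP_1", "MPP", 149, "802.11ac"),
    MeshNode("AP_2", "MPP", 149, "802.11ac"),
    MeshNode("AP_3", "MP", 149, "802.11ac"),
    MeshNode("AP_4", "MP", 149, "802.11n"),
]


def validate_mesh_plan(nodes):
    """Return a list of planning errors for a multi-MPP Mesh network:
    - all MPPs must share one channel so an MP can keep links to several MPPs;
    - an MP can only link to an MPP whose backhaul radio uses the same chip
      type (802.11n with 802.11n, 802.11ac with 802.11ac);
    - an MP's backhaul radio is assumed to need the same channel as its MPP
      (assumption carried over from the WDS note on this page).
    """
    findings = []
    mpps = [n for n in nodes if n.role == "MPP"]
    mps = [n for n in nodes if n.role == "MP"]
    if not mpps:
        return ["no MPP in the plan; MPs have no wired uplink to reach"]

    mpp_channels = sorted({n.channel for n in mpps})
    if len(mpp_channels) > 1:
        findings.append(
            f"MPPs use different channels {mpp_channels}; MPs cannot hold "
            "links to several MPPs unless all MPPs share one channel")

    for mp in mps:
        reachable = [p.name for p in mpps
                     if p.chip == mp.chip and p.channel == mp.channel]
        if not reachable:
            findings.append(
                f"{mp.name} ({mp.chip}, channel {mp.channel}) has no MPP with "
                "the same chip type on the same channel")
    return findings


if __name__ == "__main__":
    for line in validate_mesh_plan(SAMPLE_PLAN):
        print(line)
```

On the sample plan the validator reports only AP_4, whose 802.11n radio cannot link to the two 802.11ac MPPs; moving one MPP to channel 157 instead produces the different-channels finding.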
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on Switch_B to VLAN 100. The default VLAN of
GE0/0/1 and GE0/0/2 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] port-isolate enable
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/3
[Switch_B-GigabitEthernet0/0/3] port link-type trunk
[Switch_B-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/3] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# Configure GE0/0/1 of the AC to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
# Enable DHCP on the AC and configure the AC to assign IP addresses to APs through an
interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
Step 4 Configure the AP groups, country code, and AC's source interface.
# Create AP groups for MPPs and MPs respectively. You can add APs that require the same
configuration to the same group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit
# Add AP_1 and AP_2 to the AP group mesh-mpp and AP_3 and AP_4 to the AP group
mesh-mp.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fc96-e4c0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 4 ap-mac 1047-80ac-cc60
[AC-wlan-ap-4] ap-name AP_4
[AC-wlan-ap-4] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-4] quit
# Configure radio parameters for Mesh nodes. Radio 1 of the AP8130DN is used as an
example. The radio coverage distance parameter is 3 (unit: 100 m) by default. This example
sets the radio coverage distance parameter to 4. You can configure the parameter according to
your service needs.
NOTE
During the configuration of a Mesh network with multiple MPPs, to enable MPs to set up wireless links with
multiple MPPs simultaneously, configure the MPPs to work on the same channel.
# Configure the security profile mesh-sec used by Mesh links. The profile mesh-sec supports
the security policy WPA2+PSK+AES.
# Configure Mesh roles. Set Mesh roles of AP_1 and AP_2 to Mesh-portal. AP_3 and AP_4
use the default Mesh role Mesh-node. Mesh roles are configured through the AP system
profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit
# Configure a Mesh profile. Set the Mesh network ID to mesh-net, aging time of Mesh links
to 30s, and bind the security profile to the Mesh profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] link-aging-time 30
[AC-wlan-mesh-prof-mesh-net] security-profile mesh-sec
[AC-wlan-mesh-prof-mesh-net] quit
Step 6 Bind required profiles to the AP groups to make Mesh services take effect.
# Bind the AP wired port profile wired-port to AP groups mesh-mpp and mesh-mp to make
AP wired port parameters take effect on Mesh nodes. This example assumes that all APs
connect to Switch_B through GE0.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mp] quit
# Bind the AP system profile mesh-sys to the AP group mesh-mpp to make the MPP role
take effect on AP_1 and AP_2.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] quit
# Bind the Mesh profile mesh-net to AP groups mesh-mpp and mesh-mp to make Mesh
services take effect.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mp] quit
# After dual-MPP Mesh services take effect, run the display wlan mesh link all command to
check Mesh link information.
[AC-wlan-view] display wlan mesh link all
Rf : radio ID Dis : coverage distance(100m)
Ch : channel Per : drop percent(%)
TSNR : total SNR(dB) P- : peer
Mesh : Mesh mode Re : retry ratio(%)
RSSI : RSSI(dBm) MaxR : max RSSI(dBm)
-----------------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   Mesh    P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~2:dB)
-----------------------------------------------------------------------------------------------
AP_1    AP_4      1   4    157  portal  normal    -28   -27   0    25  70    62/69/-
AP_1    AP_3      1   4    157  portal  normal    -18   -2    0    0   78    73/77/-
AP_2    AP_4      1   4    157  portal  normal    -17   -16   0    52  80    57/49/80
AP_2    AP_3      1   4    157  portal  normal    -24   -21   0    0   72    58/54/72
AP_4    AP_1      1   4    157  node    normal    -29   -29   0    0   65    64/58/-
AP_4    AP_2      1   4    157  node    normal    -21   -19   0    10  76    76/64/-
AP_4    AP_3      1   4    157  node    normal    -7    -1    0    0   89    88/82/-
AP_3    AP_2      1   4    157  node    normal    -35   -32   0    35  61    51/60/-
AP_3    AP_1      1   4    157  node    normal    -27   -23   0    0   70    68/66/-
AP_3    AP_4      1   4    157  node    normal    -13   -11   0    23  83    80/81/-
-----------------------------------------------------------------------------------------------
Total: 10
# Run the display wlan mesh route all command to check Mesh routes on the Mesh network.
[AC-wlan-view] display wlan mesh route all
--------------------------------------------------------------------------
# When the wired link between AP_2 and the AC is faulty, AP_2 automatically changes to an MP
and goes online through Mesh links. Run the display wlan mesh route all command. The
command output shows that AP_2, AP_3, and AP_4 all reach the AC through AP_1.
[AC-wlan-view] display wlan mesh route all
--------------------------------------------------------------------------
AP name/MAC/Mesh role/Radio Next-hop name/MAC/Mesh role/Radio
--------------------------------------------------------------------------
AP_4 /1047-80ac-cc60/MP /1 AP_1 /60de-4474-9640/MPP/1
AP_2 /dcd2-fc04-b500/MP /1 AP_4 /1047-80ac-cc60/MP /1
AP_3 /dcd2-fc96-e4c0/MP /1 AP_1 /60de-4474-9640/MPP/1
--------------------------------------------------------------------------
Total: 3
----End
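The two command outputs above are what an operator reads after a dual-MPP deployment; the following added example (not Huawei tooling, and not from this document) parses both formats and turns them into checks: the link table is audited for MPPs on different channels (the NOTE in this section requires one channel for multi-MPP operation) and for links with a high retry ratio or drop percentage, and the route table is walked from each MP to confirm its next-hop chain ends at an MPP without a loop. Both sample outputs are constructed from the page's values with the wrapped columns rejoined; the thresholds (30 % retry, 5 % drop) are assumptions to tune for the site.

```python
import re
from collections import namedtuple

# Constructed sample modelled on `display wlan mesh link all` above, columns rejoined
# (added example; AP names, MACs and values are the page's, the checks are not Huawei's).
LINK_OUTPUT = """\
APName  P-APName  Rf  Dis  Ch   Mesh    P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~2:dB)
AP_1    AP_4      1   4    157  portal  normal    -28   -27   0    25  70    62/69/-
AP_1    AP_3      1   4    157  portal  normal    -18   -2    0    0   78    73/77/-
AP_2    AP_4      1   4    157  portal  normal    -17   -16   0    52  80    57/49/80
AP_2    AP_3      1   4    157  portal  normal    -24   -21   0    0   72    58/54/72
AP_4    AP_1      1   4    157  node    normal    -29   -29   0    0   65    64/58/-
AP_3    AP_4      1   4    157  node    normal    -13   -11   0    23  83    80/81/-
Total: 6
"""

# Constructed sample modelled on `display wlan mesh route all` after AP_2 lost its wired uplink.
ROUTE_OUTPUT = """\
AP name/MAC/Mesh role/Radio        Next-hop name/MAC/Mesh role/Radio
AP_4 /1047-80ac-cc60/MP /1         AP_1 /60de-4474-9640/MPP/1
AP_2 /dcd2-fc04-b500/MP /1         AP_4 /1047-80ac-cc60/MP /1
AP_3 /dcd2-fc96-e4c0/MP /1         AP_1 /60de-4474-9640/MPP/1
Total: 3
"""

LINK_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(portal|node)\s+(\S+)\s+"
    r"(-?\d+)\s+(-?\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
HOP = r"(\S+)\s*/([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})/(MPP|MP)\s*/(\d+)"
ROUTE_RE = re.compile(rf"^{HOP}\s+{HOP}$")
Hop = namedtuple("Hop", "name mac role radio")


def parse_mesh_links(text):
    """One dict per data row of the link table; legend, header and Total lines are skipped."""
    links = []
    for line in text.splitlines():
        m = LINK_RE.match(line.strip())
        if m:
            ap, peer, rf, dis, ch, mode, status, rssi, maxr, per, retry, tsnr, snr = m.groups()
            links.append(dict(ap=ap, peer=peer, radio=int(rf), channel=int(ch), mode=mode,
                              status=status, rssi=int(rssi), drop=int(per),
                              retry=int(retry), tsnr=int(tsnr)))
    return links


def audit_mesh_links(links, max_retry=30, max_drop=5):
    """Flag MPPs that are not on one channel, peers not in 'normal' state, and lossy links."""
    findings = []
    portal_channels = {l["channel"] for l in links if l["mode"] == "portal"}
    if len(portal_channels) > 1:
        findings.append(f"MPPs are not on one channel: {sorted(portal_channels)}")
    for l in links:
        if l["status"] != "normal":
            findings.append(f"{l['ap']}->{l['peer']}: peer status {l['status']}")
        elif l["retry"] > max_retry or l["drop"] > max_drop:
            findings.append(f"{l['ap']}->{l['peer']}: retry {l['retry']}% drop {l['drop']}%")
    return findings


def parse_mesh_routes(text):
    """Map AP name -> (own Hop, next-hop Hop) from the route table."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            g = m.groups()
            routes[g[0]] = (Hop(g[0], g[1], g[2], int(g[3])), Hop(g[4], g[5], g[6], int(g[7])))
    return routes


def trace_to_portal(routes, ap_name, max_hops=8):
    """Follow next-hops from ap_name until an MPP is reached; report dead ends and loops."""
    path, cur = [ap_name], ap_name
    for _ in range(max_hops):
        if cur not in routes:
            return path, "no-route"      # an MP without an entry has not formed a link yet
        _, nxt = routes[cur]
        path.append(nxt.name)
        if nxt.role == "MPP":
            return path, "ok"
        if nxt.name in path[:-1]:
            return path, "loop"
        cur = nxt.name
    return path, "too-long"


if __name__ == "__main__":
    print(audit_mesh_links(parse_mesh_links(LINK_OUTPUT)))
    routes = parse_mesh_routes(ROUTE_OUTPUT)
    for ap in routes:
        print(ap, *trace_to_portal(routes, ap))
```

Run against the constructed outputs, the audit reports only the AP_2 to AP_4 link (52 % retries), and every MP traces to AP_1, which is the failover behaviour the text describes.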
Configuration Files
l Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name mesh-sec
security wpa2 psk pass-phrase %^%#WXq~51G1^G;~|`C\G$v-`XoiIe4z$CNAM#@TeN^+%^%# aes
mesh-whitelist-profile name mesh-list
peer-ap mac 60de-4474-9640
peer-ap mac dcd2-fc04-b500
peer-ap mac dcd2-fc96-e4c0
peer-ap mac 1047-80ac-cc60
mesh-profile name mesh-net
security-profile mesh-sec
mesh-id mesh-net
link-aging-time 30
regulatory-domain-profile name domain1
ap-system-profile name mesh-sys
mesh-role Mesh-portal
ap-group name mesh-mp
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-group name mesh-mpp
ap-system-profile mesh-sys
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-id 1 ap-mac 60de-4474-9640
ap-name AP_1
ap-group mesh-mpp
ap-id 2 ap-mac dcd2-fc04-b500
ap-name AP_2
ap-group mesh-mpp
ap-id 3 ap-mac dcd2-fc96-e4c0
ap-name AP_3
ap-group mesh-mp
ap-id 4 ap-mac 1047-80ac-cc60
ap-name AP_4
ap-group mesh-mp
#
return
Service Requirements
The administrator wants to configure an Eth-Trunk on an AP's wired uplink interfaces to
ensure uplink reliability.
Networking Requirements
l AC networking mode: Layer 2 inline mode
l Service data forwarding mode: tunnel forwarding
Figure 4-26 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces
Data Planning
Item Data
Configuration Roadmap
1. Configure an Eth-Trunk on a switch.
2. Configure an Eth-Trunk for an AP on the AC.
3. Restart the AP.
4. Connect the switch and AP physically.
Configuration Notes
l This example is applicable to an AP with two or more wired uplink interfaces.
l This example assumes that the AP has gone online and describes how to configure an
Eth-Trunk on the wired uplink interfaces of the AP. Before physical connections,
configure the Eth-Trunk. Otherwise, a loop will occur on the network, causing the AP to
go offline.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check AP information.
Check Item Command Data
# Create the AP wired port profile wired-port1. Add GE0 and GE1 on the AP to Eth-Trunk0.
[AC] wlan
[AC-wlan-view] wired-port-profile name wired-port1
[AC-wlan-wired-port-wired-port1] eth-trunk 0
[AC-wlan-wired-port-wired-port1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wired-port-profile wired-port1 gigabitethernet 0
[AC-wlan-ap-group-ap-group1] wired-port-profile wired-port1 gigabitethernet 1
[AC-wlan-ap-group-ap-group1] quit
The configuration on the AP's wired interfaces takes effect only after the AP is restarted.
[AC-wlan-view] ap-reset ap-name AP1
Warning: Reset AP(s), continue?[Y/N]:y
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface Eth-Trunk1
description Connect to AP1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100
#
interface Eth-Trunk0
description Connect to switch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
wlan
wired-port-profile name wired-port1
eth-trunk 0
ap-group name ap-group1
wired-port-profile wired-port1 gigabitethernet 0
wired-port-profile wired-port1 gigabitethernet 1
#
return
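The Configuration Notes above warn that a half-configured Eth-Trunk produces a loop, and the same notes (here and in the Portal examples later in this chapter) ask for port isolation on AP-facing interfaces. The following added example, which is not Huawei's and not part of this document, lints the two configuration files just shown for exactly those points: on the switch, every member port must reference a defined Eth-Trunk, each Eth-Trunk needs two or more members, port isolation must be on and VLAN 1 must not be allowed; on the AC, a wired-port profile that bundles into an Eth-Trunk must be bound to at least two AP GE ports. Both configuration samples are constructed from the page with the indentation a device prints restored.

```python
import re

# Constructed sample copied from the Switch configuration file above (added example).
SWITCH_CFG = """\
#
sysname Switch
#
vlan batch 100
#
interface Eth-Trunk1
 description Connect to AP1
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/1
 eth-trunk 1
#
interface GigabitEthernet0/0/2
 eth-trunk 1
#
return
"""

# Constructed sample copied from the wlan section of the AC configuration file above.
AC_CFG = """\
#
wlan
 wired-port-profile name wired-port1
  eth-trunk 0
 ap-group name ap-group1
  wired-port-profile wired-port1 gigabitethernet 0
  wired-port-profile wired-port1 gigabitethernet 1
#
return
"""


def parse_blocks(cfg):
    """Split a '#'-delimited VRP configuration into {block header: [body lines]}."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":
            current = None
        elif current is None:
            current = line
            blocks[current] = []
        else:
            blocks[current].append(line)
    return blocks


def lint_switch_trunks(cfg):
    """Switch side: defined trunk, two or more members, port isolation on, VLAN 1 removed."""
    blocks = parse_blocks(cfg)
    trunks = {h.split()[1] for h in blocks if h.startswith("interface Eth-Trunk")}
    members, findings = {}, []
    for header, body in blocks.items():
        if not header.startswith("interface "):
            continue
        port = header.split(" ", 1)[1]
        for line in body:
            m = re.fullmatch(r"eth-trunk (\d+)", line)
            if m:
                tid = "Eth-Trunk" + m.group(1)
                members.setdefault(tid, []).append(port)
                if tid not in trunks:
                    findings.append(f"{port}: member of undefined {tid}")
    for tid in sorted(trunks):
        body = blocks["interface " + tid]
        if len(members.get(tid, [])) < 2:
            findings.append(f"{tid}: fewer than two member ports")
        if not any(l.startswith("port-isolate enable") for l in body):
            findings.append(f"{tid}: port isolation not enabled")
        if "undo port trunk allow-pass vlan 1" not in body:
            findings.append(f"{tid}: VLAN 1 still allowed")
    return findings


def lint_ac_wired_port(cfg):
    """AC side: an Eth-Trunk wired-port profile must be bound to at least two AP GE ports."""
    body = parse_blocks(cfg).get("wlan", [])
    trunk_profiles, bindings, current = set(), {}, None
    for line in body:
        m = re.fullmatch(r"wired-port-profile name (\S+)", line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("ap-group name "):
            current = None           # leaving the profile context
        if current and re.fullmatch(r"eth-trunk \d+", line):
            trunk_profiles.add(current)
        m = re.fullmatch(r"wired-port-profile (\S+) gigabitethernet (\d+)", line)
        if m:
            bindings.setdefault(m.group(1), set()).add(int(m.group(2)))
    return [f"{p}: Eth-Trunk profile bound to {len(bindings.get(p, ()))} AP port(s)"
            for p in sorted(trunk_profiles) if len(bindings.get(p, ())) < 2]
```

Both files as shown on the page pass cleanly; removing the port-isolate line or the second member from the switch file, or the second gigabitethernet binding from the AC file, produces one finding per omission. Run the switch lint before cabling the second uplink, which is the ordering the notes require.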
Figure 4-27 Networking diagram of the device functioning as the PPPoE client
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure the PPPoE server.
# Configure the authentication mode, IP address allocation mode, and IP address or IP address
pool for the PPPoE client. For details about the configuration procedure, see the
documentation of the PPPoE server.
Step 2 Configure a dialer interface.
<Huawei> system-view
[Huawei] sysname AP
[AP] interface dialer 1
[AP-Dialer1] ppp chap user user1@system
[AP-Dialer1] ppp chap password cipher huawei123
[AP-Dialer1] ip address ppp-negotiate
[AP-Dialer1] quit
Step 4 Configure NAT to translate private addresses of hosts in the LAN to public addresses so that
the hosts can dial up to the Internet.
[AP] acl number 3002
[AP-acl-adv-3002] rule 5 permit ip source 192.168.10.0 0.0.0.255
[AP-acl-adv-3002] quit
[AP] interface dialer 1
[AP-Dialer1] nat outbound 3002
[AP-Dialer1] quit
Step 5 Configure a static route from the local host to the PPPoE server.
[AP] ip route-static 0.0.0.0 0 dialer 1
[AP] quit
----End
Configuration Files
Configuration file of the PPPoE client
#
sysname AP
#
vlan batch 100
#
acl number 3002
rule 5 permit ip source 192.168.10.0 0.0.0.255
#
interface Dialer1
link-protocol ppp
ppp chap user user1@system
ppp chap password cipher %^%#LHG2'Q8n%8NSLn'4-i'Z18)-%eT"v*||t1Mh;NbH%^%#
ip address ppp-negotiate
nat outbound 3002
#
interface Vlanif100
pppoe-client dial-bundle-number 1
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
return
Figure 4-28 Networking diagram for connecting a LAN to the Internet using an ADSL
modem
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure AP as the PPPoE client so that hosts in the LAN can access the Internet
without installing PPPoE client software.
2. Configure Router as the PPPoE server to provide RADIUS authentication and
accounting functions.
3. Configure NAT so that LAN users can access the external network.
Procedure
Step 1 Configure the PPPoE client.
# Configure the dialer interface.
<Huawei> system-view
[Huawei] sysname AP
[AP] interface dialer 1
[AP-Dialer1] ppp chap user user1
[AP-Dialer1] ppp chap password cipher huawei123
[AP-Dialer1] dialer timer idle 300
[AP-Dialer1] dialer queue-length 8
[AP-Dialer1] ip address ppp-negotiate
[AP-Dialer1] quit
# Configure NAT to translate private addresses of hosts in the LAN to public addresses so that
the hosts can dial up to the Internet.
[AP] acl number 3002
[AP-acl-adv-3002] rule 5 permit ip source 192.168.10.0 0.0.0.255
[AP-acl-adv-3002] quit
[AP] interface dialer 1
[AP-Dialer1] nat outbound 3002
[AP-Dialer1] quit
# Configure a static route from the PPPoE client to the PPPoE server.
[AP] ip route-static 0.0.0.0 0 dialer 1
[AP] quit
3. Configure the domain named system and apply authentication scheme 1, accounting
scheme 1, and RADIUS server template shiva to the domain.
[Router-aaa] domain system
[Router-aaa-domain-system] authentication-scheme 1
[Router-aaa-domain-system] accounting-scheme 1
----End
Configuration Files
l Configuration file of AP
#
sysname AP
#
vlan batch 100
#
acl number 3002
rule 5 permit ip source 192.168.10.0 0.0.0.255
#
interface Dialer1
link-protocol ppp
ppp chap user user1
ppp chap password cipher %^%#D]<B>${2C"o|jLLQwm<#=FP[~\b3P!w0Vr6BLp4A%^%#
ip address ppp-negotiate
dialer queue-length 8
dialer timer idle 300
nat outbound 3002
#
interface Vlanif100
pppoe-client dial-bundle-number 1
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
Service Requirements
To improve WLAN security, an enterprise uses the external Portal authentication mode to
control user access.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
Data Planning
Item                              Data
Management VLAN for APs           VLAN100
Service VLAN for STAs             VLAN101
IP address pool for APs           10.23.100.2-10.23.100.254/24
IP address pool for STAs          10.23.101.3-10.23.101.254/24
Authentication-free rule profile  l Name: default_free_rule
                                  l Authentication-free resource: IP address of the DNS server (8.8.8.8)
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure external Portal authentication.
a. Configure RADIUS server parameters.
b. Configure a Portal access profile to manage Portal access control parameters.
c. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
d. Configure an authentication profile to manage external Portal authentication
configuration.
4. Configure WLAN service parameters.
5. Configure third-party server interconnection parameters.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
Step 4 Configure a default route on AC with the outbound interface as the router's VLANIF 101.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC             Name    Group      IP             Type      State  STA  Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 1
Step 6 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.
NOTE
l In this example, the device is connected to the Agile Controller-Campus. The accounting function is not
used for billing; it is used to maintain terminal online information through accounting packets.
l The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting
interval requires higher performance of the device and RADIUS server. Set the real-time accounting
interval based on the user quantity.
Number of Users  Real-Time Accounting Interval
1-99             3 minutes
100-499          6 minutes
500-999          12 minutes
≥ 1000           ≥ 15 minutes
Step 7 Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the request to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page
pushing. Before configuring the URL using a domain name, you must first configure the
mapping between the domain name and IP address of the Portal server on the DNS server.
NOTE
Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] url-parameter ssid ssid redirect-url url
[AC-url-template-wlan-net] quit
Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] port 50200
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
[AC-web-auth-server-wlan-net] quit
Step 9 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
portal-access-profile wlan-net
free-rule-template default_free_rule
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
aaa
authentication-scheme wlan-net
authentication-mode radius
accounting-scheme wlan-net
accounting-mode radius
accounting realtime 15
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
Service Requirements
To improve WLAN security, an enterprise uses the Portal authentication mode. To reduce
costs, the enterprise deploys an AC as the Portal server and uses the local authentication mode
so that authentication is performed on the AC.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
Figure 4-30 Networking for configuring built-in Portal authentication for local users
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure built-in Portal authentication for local users.
a. Configure local authentication parameters.
b. Configure a Portal access profile for the built-in Portal server to manage Portal
access control parameters.
c. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
d. Configure an authentication profile to manage built-in Portal authentication
configuration.
4. Configure WLAN service parameters to control access from STAs.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC             Name    Group      IP             Type      State  STA  Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 1
# Configure the user name, password, and service type of the local user.
[AC-aaa] local-user guest password cipher guest@123
[AC-aaa] local-user guest service-type web
[AC-aaa] quit
NOTE
The local certificate abc_local.pem, CA certificate abc_ca.pem, and RSA key pair privatekey.pem have
been requested, obtained, and uploaded to the storage medium of the device. If multiple CA certificates are
requested, perform the same operation to load the certificates to the memory of the device. When
privatekey.pem is generated, the key is Huawei@123.
[AC] pki realm abc
[AC-pki-realm-abc] quit
[AC] pki import-certificate local realm abc pem filename abc_local.pem
[AC] pki import-certificate ca realm abc pem filename abc_ca.pem
[AC] pki import rsa-key-pair key1 pem privatekey.pem password Huawei@123
# Configure the SSL policy default_policy and load the digital certificate.
[AC] ssl policy default_policy type server
[AC-ssl-policy-default_policy] pki-realm abc
[AC-ssl-policy-default_policy] version tls1.0 tls1.1 tls1.2
[AC-ssl-policy-default_policy] ciphersuite rsa_aes_128_sha256 rsa_aes_256_sha256
[AC-ssl-policy-default_policy] quit
[AC] http secure-server ssl-policy default_policy
[AC] http secure-server enable
# Check the SSL policy configuration. The load status of both the server certificate and the
CA certificate chain must be displayed as loaded.
[AC] display ssl policy default_policy
------------------------------------------------------------------------------
Policy name                      : default_policy
Policy ID                        : 2
Policy type                      : Server
Cipher suite                     : rsa_aes_128_sha256
                                   rsa_aes_256_sha256
PKI realm                        : abc
Version                          : tls1.0 tls1.1 tls1.2
Cache number                     : 32
Time out(second)                 : 3600
Server certificate load status   : loaded
CA certificate chain load status : loaded
SSL renegotiation status         : enable
Bind number                      : 1
SSL connection number            : 0
------------------------------------------------------------------------------
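A practitioner reviewing this output would want to know which of the displayed settings are weak. The following Python, an added example and not Huawei code, parses the display ssl policy output above and flags TLS 1.0/1.1, RSA-key-exchange cipher suites (no forward secrecy) and enabled renegotiation; the weak-setting criteria are this example's own, and the embedded output is a constructed copy of the one shown above.

```python
"""Audit a 'display ssl policy' output for weak TLS settings (added example)."""
import re

# Constructed copy of the output shown in the configuration example above.
SAMPLE_OUTPUT = """\
[AC] display ssl policy default_policy
------------------------------------------------------------------------------
Policy name                      : default_policy
Policy ID                        : 2
Policy type                      : Server
Cipher suite                     : rsa_aes_128_sha256
                                   rsa_aes_256_sha256
PKI realm                        : abc
Version                          : tls1.0 tls1.1 tls1.2
Cache number                     : 32
Time out(second)                 : 3600
Server certificate load status   : loaded
CA certificate chain load status : loaded
SSL renegotiation status         : enable
Bind number                      : 1
SSL connection number            : 0
------------------------------------------------------------------------------
"""


def parse_ssl_policy(text: str) -> dict:
    """Parse 'Field : value' lines into {field: [tokens]}.

    A line without a colon continues the previous field, which is how the
    second cipher suite appears in the output above.
    """
    fields: dict = {}
    last = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("["):
            continue  # separators and the command prompt line
        m = re.match(r"^(.*?)\s*:\s*(.*)$", line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).split()
        elif last is not None:
            fields[last].extend(line.split())
    return fields


def audit_ssl_policy(fields: dict) -> list:
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    versions = fields.get("Version", [])
    legacy = [v for v in versions if v in ("ssl3.0", "tls1.0", "tls1.1")]
    if legacy:
        findings.append("legacy protocol versions enabled: " + " ".join(legacy))
    if "tls1.2" not in versions:
        findings.append("tls1.2 not enabled")
    # 'rsa_' suites use static RSA key exchange: no forward secrecy if the
    # server key is later compromised (this example's criterion).
    no_pfs = [c for c in fields.get("Cipher suite", []) if c.startswith("rsa_")]
    if no_pfs:
        findings.append("cipher suites without forward secrecy: " + " ".join(no_pfs))
    if fields.get("SSL renegotiation status") == ["enable"]:
        findings.append("SSL renegotiation enabled")
    for name in ("Server certificate load status", "CA certificate chain load status"):
        if fields.get(name) != ["loaded"]:
            findings.append(name + " is not loaded")
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_policy(parse_ssl_policy(SAMPLE_OUTPUT)):
        print("-", finding)
```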
[AC-LoopBack1] quit
[AC] portal local-server ip 10.23.101.1
[AC] portal local-server https ssl-policy default_policy port 20000
# Create the Portal access profile wlan-net and configure it to use the built-in Portal server.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] portal local-server enable
[AC-portal-access-profile-wlan-net] quit
Step 9 Configure an authentication-free rule profile to allow users to access the DNS server before
authentication.
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 8.8.8.8 mask 32
[AC-free-rule-default_free_rule] quit
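To see what this rule admits before authentication, here is an added Python example (not Huawei code) that evaluates free-rule lines against a destination address and flags rules that open more than a handful of hosts. It handles both mask notations this example uses, the prefix length typed at the CLI (mask 32) and the dotted mask shown in the saved configuration file (mask 255.255.255.255); the broadness threshold and the extra rules are this example's own constructions.

```python
"""Evaluate authentication-free rules of the form
'free-rule N destination ip A mask M' (added example, not Huawei code)."""
import ipaddress
import re

RULE_RE = re.compile(r"^free-rule\s+(\d+)\s+destination\s+ip\s+(\S+)\s+mask\s+(\S+)$")

# Constructed rule set: rule 1 is the page's DNS rule in both notations; rule 2
# is a deliberately broad constructed rule to show what the audit flags.
RULES = [
    "free-rule 1 destination ip 8.8.8.8 mask 32",
    "free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255",
    "free-rule 2 destination ip 10.23.0.0 mask 255.255.0.0",
]


def parse_free_rule(line):
    """Return (rule_id, ip_network) for one free-rule line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised free-rule line: " + line)
    rule_id, ip, mask = m.groups()
    # ipaddress accepts 'A.B.C.D/32' as well as 'A.B.C.D/255.255.255.255'.
    return int(rule_id), ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def pre_auth_allowed(dst_ip, rules):
    """Id of the first rule that lets an unauthenticated STA reach dst_ip, or
    None when the packet would instead be redirected to the Portal."""
    addr = ipaddress.ip_address(dst_ip)
    for rule_id, net in (parse_free_rule(r) for r in rules):
        if addr in net:
            return rule_id
    return None


def overly_broad_rules(rules, max_hosts=256):
    """Ids of rules that open more than max_hosts destinations before
    authentication; the pre-authentication allow list should name only what
    the Portal flow needs (DNS here). max_hosts is this example's threshold."""
    return sorted({rid for rid, net in map(parse_free_rule, rules)
                   if net.num_addresses > max_hosts})


if __name__ == "__main__":
    print("8.8.8.8 ->", pre_auth_allowed("8.8.8.8", RULES))
    print("broad rules:", overly_broad_rules(RULES))
```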
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
entering the correct user name and password on the page, the user can access the
network.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
pki realm abc
pki import-certificate local realm abc pem filename abc_local.pem
pki import-certificate ca realm abc pem filename abc_ca.pem
pki import rsa-key-pair key1 pem privatekey.pem password Huawei@123
#
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
l Authentication mode: MAC address-prioritized Portal authentication
l Security policy: open
Data Planning
Item                      Data
Management VLAN for APs   VLAN 100
Service VLAN for STAs     VLAN 101
IP address pool for APs   10.23.100.2–10.23.100.254/24
IP address pool for STAs  10.23.101.3–10.23.101.254/24
MAC access profile        Name: wlan-net
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure MAC address-prioritized Portal authentication.
a. Configure RADIUS server parameters.
b. Configure a Portal access profile to manage Portal access control parameters.
c. Configure a MAC access profile for MAC address-prioritized Portal authentication.
d. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
e. Configure an authentication profile to manage MAC address-prioritized Portal
authentication configuration.
4. Configure WLAN service parameters.
5. Configure third-party server interconnection parameters.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
Step 4 Configure a default route on the AC with the next hop set to the IP address of the router's VLANIF 101 (10.23.101.2).
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field shows nor, the AP has gone online successfully.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1
Step 6 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.
NOTE
l In this example, the device is connected to the Agile Controller-Campus. The accounting function is not
used for billing; it is used to maintain terminal online information through accounting packets.
l The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting
interval requires higher performance of the device and RADIUS server. Set the real-time accounting
interval based on the user quantity.
User quantity   Real-time accounting interval
1-99            3 minutes
100-499         6 minutes
500-999         12 minutes
≥ 1000          ≥ 15 minutes
Step 7 Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the user to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page
pushing. Before configuring the URL using a domain name, you must first configure the
mapping between the domain name and IP address of the Portal server on the DNS server.
NOTE
Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] url-parameter ssid ssid redirect-url url
[AC-url-template-wlan-net] quit
Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] port 50200
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
[AC-web-auth-server-wlan-net] quit
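To see what the url-parameter line in Step 7 produces, and how the Portal server should treat the returned url parameter before sending an authenticated user back to it, here is an added Python example (not Huawei or Agile Controller code). It assumes that "url-parameter ssid ssid redirect-url url" appends query parameters named ssid and url to the template URL; the exact encoding the AC uses is an assumption, and the ciphered-parameter settings are not modelled.

```python
"""Build and validate the Portal redirect URL for the url-template above
(added example; parameter encoding is assumed, not taken from Huawei code)."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

PORTAL_URL = "http://portal.com:8080/portal"          # from the url-template
URL_PARAMS = {"ssid": "ssid", "redirect-url": "url"}  # keyword -> parameter name


def build_redirect_url(portal_url, ssid, original_url, params=URL_PARAMS):
    """Compose the URL the AC pushes to an unauthenticated client (assumed form)."""
    query = urlencode({params["ssid"]: ssid, params["redirect-url"]: original_url})
    parts = urlsplit(portal_url)
    sep = "&" if parts.query else ""
    return urlunsplit(parts._replace(query=parts.query + sep + query))


def validate_return_target(value):
    """Portal-side check before redirecting an authenticated user back to 'url'.

    Accepts only absolute http/https URLs with a host, no embedded credentials
    and no CR/LF (which could end up in a Location header). Returns (ok, reason).
    """
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not http/https"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "embedded credentials"
    if "\r" in value or "\n" in value:
        return False, "control characters"
    return True, "ok"


def parse_portal_request(redirect_url, params=URL_PARAMS):
    """Portal-side parsing: recover the SSID and original URL and validate it."""
    qs = parse_qs(urlsplit(redirect_url).query)
    ssid = qs.get(params["ssid"], [""])[0]
    target = qs.get(params["redirect-url"], [""])[0]
    ok, reason = validate_return_target(target)
    return {"ssid": ssid, "target": target, "target_ok": ok, "reason": reason}


if __name__ == "__main__":
    pushed = build_redirect_url(PORTAL_URL, "wlan-net", "http://www.example.com/index.html")
    print(pushed)
    print(parse_portal_request(pushed))
```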
Step 9 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit
Step 10 Configure a MAC access profile for MAC address-prioritized Portal authentication.
[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit
Step 12 Configure the authentication profile wlan-net and enable MAC address-prioritized Portal
authentication.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] portal-access-profile wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] free-rule-template default_free_rule
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
dhcp enable
#
aaa
authentication-scheme wlan-net
authentication-mode radius
accounting-scheme wlan-net
accounting-mode radius
accounting realtime 15
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
capwap source interface vlanif100
#
radius-server template wlan-net
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.102.1 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255
#
url-template name wlan-net
url http://portal.com:8080/portal
#
web-auth-server wlan-net
server-ip 10.23.103.1
port 50200
shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
#
portal-access-profile name wlan-net
web-auth-server wlan-net direct
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
ap-group name ap-group1
regulatory-domain-profile default
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
mac-access-profile name wlan-net
#
return
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1x+AES
[Figure: networking diagram. Internet; Router (GE0/0/1); SwitchB (GE0/0/1, GE0/0/2, GE0/0/3, GE0/0/4); AC (GE0/0/1); RADIUS Server 10.23.103.1:1812; SwitchA (GE0/0/1, GE0/0/2); AP; STAs. Management VLAN: VLAN 100; Service VLAN: VLAN 101.]
Data Planning
Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1X authentication on the AC.
5. Configure third-party server interconnection parameters.
NOTE
The AC and server must have the same RADIUS shared key.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit
3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
l For interconnection with other third-party servers, see the corresponding product manual.
Step 7 Verify the configuration.
l The WLAN with SSID wlan-net is available for STAs connected to the AP.
l The wireless PC obtains an IP address after it associates with the WLAN.
l Use the 802.1x authentication client on a STA and enter the correct user name and
password. The STA is authenticated and can access the WLAN. You must configure the
client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. Click OK. On the Wireless Network Properties page, click Advanced
settings. On the Advanced settings page that is displayed, select Specify
authentication mode, set the identity authentication mode to User
authentication, and click OK.
l After wireless users connect to the network, run the display access-user access-type
dot1x command on the AC to view users in 802.1x authentication mode. The user
huawei has gone online successfully.
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
UserID Username IP address    MAC            Status
------------------------------------------------------------------------------
460    huawei   10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l Authentication mode: open system authentication
[Figure: networking diagram. Internet; Router (GE0/0/1); SwitchB (GE0/0/1, GE0/0/2, GE0/0/3, GE0/0/4); AC (GE0/0/1); RADIUS Server 10.23.103.1:1812; SwitchA (GE0/0/1, GE0/0/2); AP; STAs.]
Data Planning
Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure MAC address authentication on the AC.
5. Configure third-party server interconnection parameters.
NOTE
The AC and server must have the same RADIUS shared key.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type     State STA Uptime
--------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
--------------------------------------------------------------------------------
Total: 1
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
3. Create the authentication profile wlan-net and bind it to the MAC access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
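The authentication profile above hands MAC-authentication users to the RADIUS server template wlan-net, and the roadmap NOTE requires the AC and the server to share the same RADIUS key. The following Python block is an added example, not code from the Huawei guide or from any Huawei product: it simulates both ends of one RADIUS exchange in-process with the standard library only, to show what the shared key does. It assumes the AC sends the STA MAC as a PAP User-Name in the layout selected by the mac-authen username macaddress format keyword (the keyword-to-layout mapping in mac_username is an assumption to check against the command reference), and it reuses the page's local user 0011-2233-4455 / guest@123 as a constructed server-side account. The key values are made up.

```python
# Added example, not part of the Huawei guide: a RADIUS MAC-authentication
# exchange simulated in-process.  Nothing is sent on the wire.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def mac_username(mac, fmt="without-hyphen"):
    """Render a MAC the way the AC is assumed to send it as User-Name.
    Assumed mapping (verify in the command reference):
      without-hyphen -> 001122334455, with-hyphen -> 0011-2233-4455,
      with-hyphen normal -> 00-11-22-33-44-55."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    steps = {"without-hyphen": 12, "with-hyphen": 4, "with-hyphen normal": 2}
    if fmt not in steps:
        raise ValueError("unknown format: %r" % fmt)
    return "-".join(digits[i:i + steps[fmt]] for i in range(0, 12, steps[fmt]))


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator.  Without the same secret the server cannot undo this."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode(code, ident, authenticator, attrs):
    """RADIUS packet: Code, Identifier, Length, 16-byte Authenticator, TLVs."""
    body = b"".join(struct.pack("BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode_attrs(packet):
    attrs, i = {}, 20
    while i < len(packet):
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return attrs


def ac_access_request(mac, password, secret, ident=1):
    """AC side: Access-Request with a fresh random Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, mac_username(mac).encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, req_auth))]
    return encode(ACCESS_REQUEST, ident, req_auth, attrs)


def server_reply(request, secret, users):
    """Server side: check the account and answer Accept or Reject.  The
    Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    ident, req_auth = request[1], request[4:20]
    a = decode_attrs(request)
    name = a[USER_NAME].decode(errors="replace")
    pw = reveal_password(a[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if name in users and users[name].encode() == pw else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)   # no reply attributes here
    return header + hashlib.md5(header + req_auth + secret).digest()


def ac_verify_reply(request, reply, secret):
    """AC side: recompute the Response Authenticator with *its* key.  A reply
    built under a different key fails here and is silently discarded, so a key
    mismatch never shows up as a clean Access-Reject."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[1] != request[1] or not hmac.compare_digest(reply[4:20], expected):
        return "discard"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "discard")


def mac_auth(mac, password, ac_key, server_key, users):
    """Run one exchange and return the AC's decision."""
    req = ac_access_request(mac, password, ac_key)
    return ac_verify_reply(req, server_reply(req, server_key, users), ac_key)


# Constructed sample data: the page's local user reused as a RADIUS account.
USERS = {mac_username("0011-2233-4455"): "guest@123"}
```

When debugging a MAC-authentication user that never appears in display access-user, run mac_auth with the two keys deliberately different: the outcome is "discard", not "reject", which is why a key mismatch typically looks like a server timeout on the AC rather than an authentication failure.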
# Create the security profile wlan-net and set the security policy in the profile. By
default, the security policy is open system authentication.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
l For interconnection with the Agile Controller-Campus, see "Example for Configuring
Wireless AC Address Authentication" in the Agile Controller-Campus Typical
Configuration Examples.
l For interconnection with other third-party servers, see the corresponding product manual.
Step 7 Verify the configuration.
l After dumb terminals associate with the WLAN, authentication is performed
automatically. After the terminals pass authentication, they can access the network.
l After dumb terminals associate with the WLAN, run the display access-user access-type mac-authen command on the AC. The command output shows that user huawei, using the mac-authen authentication mode, has successfully gone online.
[AC] display access-user access-type mac-authen
------------------------------------------------------------------------------
UserID Username IP address    MAC            Status
------------------------------------------------------------------------------
460    huawei   10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
mac-access-profile name wlan-net
#
return
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
l Authentication mode: MAC authentication
l Security policy:open
Figure 4-34 Networking for configuring MAC authentication for local users
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure MAC authentication for local users.
a. Configure AAA local authentication.
b. Configure a MAC access profile to manage MAC access control parameters.
c. Configure an authentication profile to manage MAC configuration.
4. Configure WLAN service parameters to control access from STAs.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type     State STA Uptime
--------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
--------------------------------------------------------------------------------
Total: 1
# Configure the user name, password, and service type of the local user. The user name is
the MAC address of the STA. (When AAA local authentication is used for MAC address
authentication users, the service type of the local user is not checked.)
[AC-aaa] local-user 0011-2233-4455 password cipher guest@123
[AC-aaa] local-user 0011-2233-4455 service-type 8021x
[AC-aaa] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
mac-access-profile wlan-net
authentication-scheme wlan-net
#
dhcp enable
#
aaa
authentication-scheme wlan-net
local-user 0011-2233-4455 password cipher %^%#UOqb<rt$CW%80lUOh;xKLN;s~^Icp!s7MZ.8(Y|5%^%#
local-user 0011-2233-4455 privilege level 0
local-user 0011-2233-4455 service-type 8021x
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
ap-group name ap-group1
regulatory-domain-profile default
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
mac-access-profile name wlan-net
mac-authen username macaddress format without-hyphen password cipher %^%#PW~_5m;sAFFI.cEB"%^@6@4$96ds_5+O'28+d3:A%^%#
#
return
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC and SwitchB function as DHCP servers to assign IP
addresses to APs and STAs, respectively.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1X+AES
Figure 4-35 Networking for configuring user authorization based on user groups
(Figure not reproduced. Topology shown: STAs - AP - SwitchA (GE0/0/1 to the AP, GE0/0/2 uplink) - SwitchB (GE0/0/1 to SwitchA, GE0/0/2 to AC GE0/0/1, GE0/0/3 to the RADIUS server 10.23.103.1:1812, GE0/0/4 to Router) - Router GE0/0/1 - Internet. Management VLAN: VLAN 100; service VLAN: VLAN 101.)
Data Planning
Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1x authentication and user authorization on the AC.
5. Configure third-party server interconnection parameters.
NOTE
The AC and server must have the same RADIUS shared key.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type     State STA Uptime
--------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
--------------------------------------------------------------------------------
Total: 1
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
NOTE
On the RADIUS server, configure the user group group1 as the authorization result for employees who pass authentication. The AC then applies the ACL bound to group1 to their traffic.
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip destination 10.23.200.0 0.0.0.255
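The ACL above, together with the user-group group1 / acl-id 3001 binding and the closing rule 2 deny ip shown in the AC configuration file of this example, is what limits authenticated employees to the 10.23.200.0/24 segment. The Python block below is an added example, not code from the Huawei guide: it re-implements first-match ACL evaluation with wildcard masks (a 0 bit must match, a 1 bit is don't-care) so that a practitioner can check which destinations a group1 user can reach before applying the policy on the AC. The default action used when no rule matches is passed in as a parameter and labelled as an assumption; with the page's explicit deny rule it is never reached. The destination addresses in the test are taken from this page.

```python
# Added example, not part of the Huawei guide: offline evaluation of the
# user-group ACL that the AC applies to employees authorized into group1.
import ipaddress

# The ACL exactly as it appears in the AC configuration file of this example:
#   acl number 3001
#    rule 1 permit ip destination 10.23.200.0 0.0.0.255
#    rule 2 deny ip
ACL_3001 = [
    (1, "permit", "10.23.200.0", "0.0.0.255"),
    (2, "deny", None, None),          # "deny ip": matches any destination
]


def wildcard_match(addr, network, wildcard):
    """Wildcard-mask match: bits set to 0 in the wildcard must be equal,
    bits set to 1 are ignored (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate(acl, dst, default="permit"):
    """Return (action, rule id) of the first matching rule.  'default' is an
    assumption about what the AC does when nothing matches; the page's ACL
    ends with 'deny ip', so with ACL_3001 the default is never used."""
    for rule_id, action, network, wildcard in acl:
        if network is None or wildcard_match(dst, network, wildcard):
            return action, rule_id
    return default, None


def group1_can_reach(dst):
    """What an employee authorized into user-group group1 is allowed to reach."""
    return evaluate(ACL_3001, dst)[0] == "permit"


def unmatched_destinations(acl, dsts):
    """Destinations that fall through every rule: an ACL without a closing
    deny leaves these to the default action, which is the caveat the
    explicit 'rule 2 deny ip' on the page removes."""
    return [d for d in dsts if evaluate(acl, d, default="fallthrough")[0] == "fallthrough"]
```

Run group1_can_reach against the server segment and against an address on the STA segment to confirm that the ACL allows the first and blocks the second; unmatched_destinations(ACL_3001[:1], ...) shows what would be left to the default if rule 2 were omitted.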
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
acl number 3001
rule 1 permit ip destination 10.23.200.0 0.0.0.255
rule 2 deny ip
#
user-group group1
acl-id 3001
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
dot1x-access-profile name wlan-net
#
return
Networking Requirements
As shown in Figure 4-36, the AC of a shop directly connects to an AP. The shop deploys a
WLAN wlan-net to provide wireless network access for consumers. The AC functions as a
DHCP server to assign IP addresses on the network segment 10.23.101.0/24 to wireless users.
To improve its brand popularity and image, the shop allows consumers to connect to the open
Wi-Fi network using WeChat. Users can obtain access to the Internet by simply following the
WeChat public account of the shop, without the need to enter a user name or password.
Figure 4-36 Networking diagram for configuring WeChat authentication using a built-in Portal server
(Figure not reproduced. Labels shown: STAs, AP area_1, AC with GE0/0/1 in management VLAN 100 and GE0/0/2 in service VLAN 101, intranet, built-in Portal server 10.1.1.1/24, DNS server 10.23.200.2, WeChat server.)
Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with upstream and
downstream network devices, and the AP can go online.
2. Set the AAA authentication mode to none.
3. Configure a Portal access profile for the built-in Portal server to manage Portal access
control parameters.
4. Configure WeChat authentication for WeChat users.
5. Configure an authentication profile to manage NAC configuration.
6. Configure WLAN service parameters, and bind a security policy profile and the
authentication profile to a VAP profile to control access of STAs.
Data Plan
Item Data
Authentication profile l Name: p1
l Bound profile and authentication scheme: Portal access profile portal1 and authentication scheme wechat
Procedure
Step 1 Configure the AC to enable exchange of CAPWAP packets between the AP and AC.
# Add AC interface GE0/0/1 to VLAN 100 (management VLAN).
NOTE
In this example, tunnel forwarding is used to transmit service data. If direct forwarding is used,
configure port isolation on GE0/0/1 that connects the AC to the AP. If port isolation is not configured, a
large number of broadcast packets will be transmitted over the VLAN or WLAN users on different APs
will be able to directly communicate at Layer 2.
In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
Step 3 Configure the AC as a DHCP server to assign IP addresses to the AP and STAs.
# Configure the AC as a DHCP server to allocate an IP address to the AP from the IP address
pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
Step 4 Configure a route from the AC to the server area (Assume that the IP address of the upper-layer device connected to the AC is 10.23.101.2).
[AC] ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline on the AC and add the APs to AP group ap-group1. Configure a
name for the AP based on the AP's deployment location, so that you can know where the AP
is deployed from its name. This example assumes that the AP's MAC address is 60de-4476-e360 and the AP is deployed in area 1. Name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1
# Create the Portal access profile portal1 and configure it to use the built-in Portal server and
WeChat authentication function.
[AC] portal-access-profile name portal1
[AC-portal-access-profile-portal1] portal local-server enable
[AC-portal-access-profile-portal1] portal local-server wechat
[AC-portal-access-profile-portal1] quit
# Configure the AC to automatically obtain shop information from the WeChat server.
[AC] portal local-server wechat-authen
[AC-wechat-authen] wechat-server-ip ssl-policy ssl-wechat
[AC-wechat-authen] polling-time 4800
[AC-wechat-authen] quit
# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit
# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The channel and power configuration for the AP radios in this example is for reference only. In actual
scenarios, configure channels and power for AP radios based on country codes of APs and network planning
results.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit
----End
Configuration Files
AC configuration file
#
sysname AC
#
portal local-server ip 10.1.1.1
portal local-server http port 1025
#
vlan batch 100 to 101
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template default_free_rule
authentication-scheme wechat
#
dns resolve
dns server 10.23.200.2
#
dhcp enable
#
pki realm pki-wechat
#
ssl policy ssl-wechat type client
pki-realm pki-wechat
undo server-verify enable
#
free-rule-template name default_free_rule
#
portal-access-profile name portal1
portal local-server enable
portal local-server wechat
#
aaa
authentication-scheme wechat
authentication-mode none
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
Administrators want to deploy different SSIDs for WLAN access of guests and employees,
and different authentication modes for them to ensure WLAN security.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
Figure 4-37 Networking diagram for configuring different authentication modes for multiple
SSIDs
Data Planning
Item Data
IP address pool for APs 10.23.100.2-10.23.100.254/24
IP address pool for STAs 10.23.101.3-10.23.101.254/24 and 10.23.102.3-10.23.102.254/24
Item Data
Authentication profile l Name: guest
l Referenced profiles and authentication schemes: Portal access profile wlan-net, MAC access profile wlan-net, RADIUS server template wlan-net, authentication scheme wlan-net, accounting scheme wlan-net, and authentication-free rule template default_free_rule
SSID profile l Name: guest
l SSID name: guest
Security profile l Name: guest
l Security policy: open
VAP profile l Name: guest
l Forwarding mode: tunnel forwarding
l Service VLAN: VLAN 102
l Referenced profiles: SSID profile guest, security profile guest, and authentication profile guest
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure APs to go online.
3. Configure 802.1x authentication and MAC address-prioritized Portal authentication.
4. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB to VLAN 100, and GE0/0/2 and GE0/0/3 to VLAN
101 and VLAN 102, respectively.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on the router to VLAN 101 and VLAN 102. Create interfaces VLANIF 101
and VLANIF 102, and set the IP addresses of VLANIF 101 and VLANIF 102 to
10.23.101.2/24 and 10.23.102.2/24, respectively.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# Add GE0/0/1 on the AC to VLAN 100, VLAN 101, and VLAN 102.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC-GigabitEthernet0/0/1] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to provide IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 and VLANIF 102 address pools to assign IP addresses
to employees and guests, respectively. Set the default gateway address for employees and
guests to 10.23.101.2 and 10.23.102.2, respectively. Specify the DNS server address 8.8.8.8
for VLANIF 101 and VLANIF 102 address pools.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif102] quit
Step 4 Configure the AC's default routes with VLANIF 101 and VLANIF 102 on the router as the
next hops.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.102.2
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
Step 6 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.
NOTE
l In this example, the device is connected to the Agile Controller-Campus. The accounting function is not used for billing; it is used to maintain terminal online information through accounting packets.
l The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting
interval requires higher performance of the device and RADIUS server. Set the real-time accounting
interval based on the user quantity.
User quantity Real-time accounting interval
1-99 3 minutes
100-499 6 minutes
500-999 12 minutes
≥ 1000 ≥ 15 minutes
Step 7 Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the user's request to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page
pushing. Before configuring the URL using a domain name, you must first configure the
mapping between the domain name and IP address of the Portal server on the DNS server.
NOTE
Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] url-parameter ssid ssid redirect-url url
[AC-url-template-wlan-net] quit
Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] port 50200
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
[AC-web-auth-server-wlan-net] quit
Step 9 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit
Step 10 Configure a MAC access profile for MAC address-prioritized Portal authentication.
[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit
Step 12 Configure an 802.1x access profile to manage 802.1x access control parameters.
# Create security profiles employee and guest, and set the security policies to WPA-
WPA2+802.1X+AES and open, respectively.
[AC] wlan
[AC-wlan-view] security-profile name employee
[AC-wlan-sec-prof-employee] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-employee] quit
[AC-wlan-view] security-profile name guest
[AC-wlan-sec-prof-guest] quit
# Create SSID profiles employee and guest, and set the SSID names to employee and guest,
respectively.
[AC-wlan-view] ssid-profile name employee
[AC-wlan-ssid-prof-employee] ssid employee
[AC-wlan-ssid-prof-employee] quit
[AC-wlan-view] ssid-profile name guest
[AC-wlan-ssid-prof-guest] ssid guest
[AC-wlan-ssid-prof-guest] quit
# Create VAP profiles employee and guest, set the data forwarding mode and service
VLANs, and bind the security, SSID, and authentication profiles to the VAP profiles.
[AC-wlan-view] vap-profile name employee
[AC-wlan-vap-prof-employee] forward-mode tunnel
[AC-wlan-vap-prof-employee] service-vlan vlan-id 101
[AC-wlan-vap-prof-employee] security-profile employee
[AC-wlan-vap-prof-employee] ssid-profile employee
[AC-wlan-vap-prof-employee] authentication-profile employee
[AC-wlan-vap-prof-employee] quit
[AC-wlan-view] vap-profile name guest
[AC-wlan-vap-prof-guest] forward-mode tunnel
[AC-wlan-vap-prof-guest] service-vlan vlan-id 102
[AC-wlan-vap-prof-guest] security-profile guest
[AC-wlan-vap-prof-guest] ssid-profile guest
[AC-wlan-vap-prof-guest] authentication-profile guest
[AC-wlan-vap-prof-guest] quit
# Bind the VAP profiles to the AP groups, and apply configurations of VAP profiles employee
and guest to radio 0 and radio 1 of the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile employee wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile employee wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] vap-profile guest wlan 2 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile guest wlan 2 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
ssid-profile guest
security-profile guest
authentication-profile guest
vap-profile name employee
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile employee
security-profile employee
authentication-profile employee
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile employee wlan 1
vap-profile guest wlan 2
radio 1
vap-profile employee wlan 1
vap-profile guest wlan 2
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
dot1x-access-profile name wlan-net
#
mac-access-profile name wlan-net
#
return
Service Requirements
To ensure that services are running normally, an enterprise wants to improve network
reliability while reducing the configuration maintenance workload. Wireless configuration
synchronization can be deployed in VRRP HSB to meet this requirement. In this solution, the
master and backup ACs are often deployed in the same location, and the service switchover is
fast and has higher reliability than dual-link HSB.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding
l Switch cluster: A cluster is set up using a CSS card, containing SwitchB and SwitchC at
the core layer. SwitchB is the active switch and SwitchC is the standby switch.
Data Planning
Item Data
Configuration Roadmap
1. Configure a cluster between SwitchB and SwitchC through cluster cards to improve the
core layer reliability and configure SwitchB as the master switch.
2. Set up connections between the AP, ACs, and other network devices.
3. Configure a VRRP group on AC1 and AC2 and configure a high priority for AC1 as the
active device to forward traffic, and a low priority for AC2 as the standby device.
4. Configure basic WLAN services to ensure that users can access the Internet through
WLAN.
5. Configure the hot standby (HSB) function so that service information on AC1 is backed
up to AC2 in batches in real time, ensuring seamless service switchover from the active
device to the standby device.
6. Configure the wireless configuration synchronization function in VRRP HSB scenarios.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
l Check whether loops occur on the wired network. If loops occur, configure MSTP on
corresponding NEs.
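Two of the Configuration Notes above (tunnel forwarding with the service VLAN equal to the management VLAN, and an open SSID that is not bound to an authentication profile) and the ssl policy in the WeChat example's configuration file, where undo server-verify enable turns off certificate checking of the WeChat server, are conditions that can be checked mechanically before a configuration goes live. The following Python script is an added example, not code from this guide or from Huawei: it parses a constructed configuration file in the layout of the Configuration Files sections and reports those three conditions. It assumes that a vap-profile with no forward-mode line uses direct forwarding (defaults are omitted from configuration files) and that a security-profile with no security line is open; the sample configuration and finding texts are constructed.

```python
"""Audit of a Huawei-style AC configuration file against the Configuration Notes.
Constructed example: the checks, the sample configuration and the
'direct forwarding by default' assumption are mine, not from the page or Huawei."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout of the page's "Configuration Files" sections.
SAMPLE_CONFIG = """\
#
 sysname AC
#
 vlan batch 100 to 101
#
 ssl policy ssl-wechat type client
  pki-realm pki-wechat
  undo server-verify enable
#
 capwap source interface vlanif100
#
wlan
 security-profile name employee
  security wpa-wpa2 dot1x aes
 security-profile name guest
 ssid-profile name employee
  ssid employee
 vap-profile name employee
  forward-mode tunnel
  service-vlan vlan-id 101
  security-profile employee
  ssid-profile employee
  authentication-profile employee
 vap-profile name guest
  forward-mode tunnel
  service-vlan vlan-id 100
  security-profile guest
  ssid-profile guest
#
return
"""


@dataclass
class VapProfile:
    name: str
    forward_mode: str = "direct"          # assumption: omitted forward-mode means direct forwarding
    service_vlan: Optional[int] = None
    security_profile: Optional[str] = None
    authentication_profile: Optional[str] = None


@dataclass
class AcConfig:
    management_vlan: Optional[int] = None                  # from "capwap source interface vlanifN"
    security_profiles: Dict[str, Optional[str]] = field(default_factory=dict)  # None = open
    vap_profiles: Dict[str, VapProfile] = field(default_factory=dict)
    ssl_no_server_verify: List[str] = field(default_factory=list)


# Any other profile header in the wlan view ends the current security/VAP profile context.
PROFILE_START = re.compile(r"(ssid-profile|ap-group|regulatory-domain-profile|rrm-profile) name ")


def parse_config(text: str) -> AcConfig:
    """Keyword-driven parse: indentation is ignored, so flattened copies of a config parse too."""
    cfg = AcConfig()
    cur_vap = cur_sec = cur_ssl = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):            # block separator ends any open context
            cur_vap = cur_sec = cur_ssl = None
            continue
        if m := re.fullmatch(r"capwap source interface vlanif\s*(\d+)", line):
            cfg.management_vlan = int(m.group(1))
        elif m := re.fullmatch(r"ssl policy (\S+) type client", line):
            cur_ssl = m.group(1)
        elif cur_ssl and line == "undo server-verify enable":
            cfg.ssl_no_server_verify.append(cur_ssl)
        elif m := re.fullmatch(r"security-profile name (\S+)", line):
            cur_sec, cur_vap = m.group(1), None
            cfg.security_profiles[cur_sec] = None      # open until a "security ..." line appears
        elif m := re.fullmatch(r"vap-profile name (\S+)", line):
            cur_vap, cur_sec = m.group(1), None
            cfg.vap_profiles[cur_vap] = VapProfile(cur_vap)
        elif PROFILE_START.match(line):
            cur_vap = cur_sec = None
        elif cur_sec and line.startswith("security "):
            cfg.security_profiles[cur_sec] = line[len("security "):]
        elif cur_vap:
            vap = cfg.vap_profiles[cur_vap]
            words = line.split()
            if words[0] == "forward-mode":
                vap.forward_mode = words[1]
            elif line.startswith("service-vlan vlan-id "):
                vap.service_vlan = int(words[-1])
            elif words[0] == "security-profile":
                vap.security_profile = words[1]
            elif words[0] == "authentication-profile":
                vap.authentication_profile = words[1]
    return cfg


def audit(cfg: AcConfig) -> List[str]:
    """Return one finding per violated note; an empty list means the checks passed."""
    findings = []
    for name in cfg.ssl_no_server_verify:
        findings.append(f"ssl policy {name}: server certificate verification disabled "
                        "(undo server-verify enable), so the AC cannot distinguish the real "
                        "WeChat server from an impostor")
    for vap in cfg.vap_profiles.values():
        if (vap.forward_mode == "tunnel" and cfg.management_vlan is not None
                and vap.service_vlan == cfg.management_vlan):
            findings.append(f"vap-profile {vap.name}: tunnel forwarding with service VLAN "
                            f"{vap.service_vlan} equal to management VLAN {cfg.management_vlan}")
        policy = cfg.security_profiles.get(vap.security_profile) if vap.security_profile else None
        if policy is None and vap.authentication_profile is None:
            findings.append(f"vap-profile {vap.name}: open security policy with no "
                            "authentication-profile bound")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

On the constructed sample the script reports the ssl policy, and two findings for the guest VAP (service VLAN 100 collides with the management VLAN; open SSID without an authentication profile), while the employee VAP with WPA-WPA2+802.1X and a bound authentication profile passes. Port isolation is configured on switch and AC interfaces rather than in the WLAN profiles, so it is not covered here.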
Procedure
Step 1 Establish a cluster through cluster cards.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection
for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100
# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection
for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10
# Log in to the CSS through the console port on any MPU to check whether the CSS is
established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
3 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
4 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off
The command output shows card status and CSS status of both member switches, indicating
that the CSS is established successfully.
The command output shows that all the cluster links are in Up state, indicating that the CSS
has been established successfully.
Step 2 Configure SwitchA, SwitchB, SwitchC, AC1, and AC2 so that CAPWAP packets can be
transmitted between the AP and ACs.
NOTE
If direct forwarding is used, configure port isolation on GE0/0/1 of the SwitchA (connecting to the AP).
If port isolation is not configured, many broadcast packets will be transmitted in the VLANs or WLAN
users on different APs can directly communicate at Layer 2.
# Set the PVID of GE0/0/1 on SwitchA connected to the AP to management VLAN 100 and
add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 on SwitchA connected to
SwitchB to VLAN 100 and VLAN 101 and GE0/0/3 on SwitchA connected to SwitchC to
VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/3] quit
# Add GE1/1/0/2 that connects SwitchB to SwitchA to VLAN 100 and VLAN 101 (service
VLAN), and add GE1/1/0/1 that connects SwitchB to AC1 to VLAN 100 and VLAN 101.
Add GE2/1/0/2 that connects SwitchC to SwitchA to VLAN 100 and VLAN 101 (service
VLAN), and add GE2/1/0/1 that connects SwitchC to AC1 to VLAN 100 and VLAN 101.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] port link-type trunk
[CSS-GigabitEthernet1/1/0/2] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/2] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] port link-type trunk
[CSS-GigabitEthernet2/1/0/2] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/2] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/2] quit
# Add GE0/0/1 that connects AC1 to SwitchB to VLAN 100 and VLAN 101, and configure
VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.1 24
[AC1-Vlanif100] quit
# Add GE0/0/1 that connects AC2 to SwitchC to VLAN 100 and VLAN 101, and configure
VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.2 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 101
[AC2-Vlanif101] ip address 10.23.101.2 24
[AC2-Vlanif101] quit
The configuration for AC2 is similar to that for AC1 and is not mentioned here.
Step 5 Configure VRRP on AC1 to implement AC hot standby.
# Set the recovery delay of the VRRP group to 60 seconds.
# Create a management VRRP group on AC1, set AC1's VRRP priority to 120, and set the
preemption delay to 1800s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit
# Create a service VRRP group on AC1 and set the preemption delay to 1800s.
[AC1] interface vlanif 101
[AC1-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC1-Vlanif101] vrrp vrid 2 preempt-mode timer delay 1800
[AC1-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC1-Vlanif101] quit
# Create HSB service 0 on AC1, configure the IP addresses and port numbers for the active
and standby channels, and set the retransmission times and interval of HSB packets.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit
# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management VRRP
group.
[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit
# Create HSB service 0 on AC2, configure the IP addresses and port numbers for the active
and standby channels, and set the retransmission times and interval of HSB packets.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit
# Create HSB group 0 on AC2, and bind it to HSB service 0 and the management VRRP
group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit
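The VRRP and HSB settings above only work when the two ACs mirror each other exactly (swapped local/peer addresses and ports, the same virtual IP and admin VRRP group, different priorities, and the HSB group tracking the admin group). The following script is an added example, not part of the Huawei guide or its CLI: it parses the flat configuration-file format the guide prints for both ACs (the samples are constructed from this example's values; parse_ac_config, audit_hsb_pair and the table layout are this example's own assumptions) and reports every mismatch before the pair is put into service.

```python
"""Audit the VRRP + HSB hot-standby settings of an AC pair for consistency.

Added example, not from the Huawei guide: it parses the flat configuration-file
text the guide prints (blocks closed by '#') for both ACs and reports mismatches
that would leave the pair without a working standby. AC1_CFG is constructed from
the guide's values; AC2_CFG is its mirror image with the default VRRP priority.
"""
import re

AC1_CFG = """\
interface Vlanif100
 vrrp vrid 1 virtual-ip 10.23.100.3
 vrrp vrid 1 priority 120
 admin-vrrp vrid 1
#
interface Vlanif101
 vrrp vrid 2 virtual-ip 10.23.101.3
 vrrp vrid 2 track admin-vrrp interface Vlanif100 vrid 1 unflowdown
#
hsb-service 0
 service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
hsb-group 0
 track vrrp vrid 1 interface Vlanif100
 bind-service 0
#
"""
AC2_CFG = AC1_CFG.replace("local-ip 10.23.102.1 peer-ip 10.23.102.2",
                          "local-ip 10.23.102.2 peer-ip 10.23.102.1"
                          ).replace(" vrrp vrid 1 priority 120\n", "")

SECTION = re.compile(r"^(interface|hsb-service|hsb-group) (\S+)$")
MINE = ("local-ip", "peer-ip", "local-data-port", "peer-data-port")
THEIRS = ("peer-ip", "local-ip", "peer-data-port", "local-data-port")

def parse_ac_config(text):
    """Parse the flat config format into 'vrrp', 'hsb_service' and 'hsb_group' tables."""
    cfg = {"vrrp": {}, "hsb_service": {}, "hsb_group": {}}
    kind = arg = None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION.match(line)
        if m:                                   # a new configuration block starts
            kind, arg = m.groups()
            continue
        if line == "#" or kind is None:         # '#' closes the current block
            kind = None
            continue
        t = line.split()
        if kind == "interface" and t[0] in ("vrrp", "admin-vrrp") and t[1] == "vrid":
            v = cfg["vrrp"].setdefault(int(t[2]), {"interface": arg, "priority": 100,
                                                   "admin": False, "tracks": None})
            if t[0] == "admin-vrrp":
                v["admin"] = True
            elif t[3] == "virtual-ip":
                v["virtual_ip"] = t[4]
            elif t[3] == "priority":
                v["priority"] = int(t[4])
            elif t[3:5] == ["track", "admin-vrrp"]:   # ... interface <if> vrid <n> unflowdown
                v["tracks"] = int(t[t.index("vrid", 4) + 1])
        elif kind == "hsb-service" and t[0] == "service-ip-port":
            # keyword/value pairs follow the command name
            cfg["hsb_service"].setdefault(arg, {}).update(zip(t[1::2], t[2::2]))
        elif kind == "hsb-group":
            g = cfg["hsb_group"].setdefault(arg, {})
            if t[:3] == ["track", "vrrp", "vrid"]:
                g["track_vrid"] = int(t[3])
            elif t[0] == "bind-service":
                g["service"] = t[1]
    return cfg

def audit_hsb_pair(a, b):
    """Return findings for an AC pair; an empty list means the two configs agree."""
    out = []
    for sid in sorted(set(a["hsb_service"]) | set(b["hsb_service"])):
        sa, sb = a["hsb_service"].get(sid), b["hsb_service"].get(sid)
        if not (sa and sb):
            out.append(f"hsb-service {sid} exists on only one AC")
        elif [sa.get(k) for k in MINE] != [sb.get(k) for k in THEIRS]:
            out.append(f"hsb-service {sid}: local-ip/peer-ip and data ports are not mirrored")
    admin = {vid for vid, v in a["vrrp"].items() if v["admin"]}
    if len(admin) != 1 or admin != {vid for vid, v in b["vrrp"].items() if v["admin"]}:
        out.append("exactly one admin-vrrp group, with the same vrid, must exist on both ACs")
    for vid in sorted(set(a["vrrp"]) | set(b["vrrp"])):
        va, vb = a["vrrp"].get(vid), b["vrrp"].get(vid)
        if not (va and vb):
            out.append(f"vrrp vrid {vid} exists on only one AC")
        elif (va.get("virtual_ip"), va["interface"]) != (vb.get("virtual_ip"), vb["interface"]):
            out.append(f"vrrp vrid {vid}: virtual-ip or interface differs between the ACs")
        elif va["admin"] and va["priority"] == vb["priority"]:
            out.append(f"vrrp vrid {vid}: equal priorities, the active AC is not chosen by configuration")
        elif not va["admin"] and not (va["tracks"] in admin and vb["tracks"] in admin):
            out.append(f"vrrp vrid {vid}: service group does not track the admin-vrrp group on both ACs")
    for name, cfg in (("AC1", a), ("AC2", b)):
        for gid, g in cfg["hsb_group"].items():
            if g.get("track_vrid") not in admin or g.get("service") not in cfg["hsb_service"]:
                out.append(f"{name} hsb-group {gid} must track the admin-vrrp group and bind an existing service")
    return out
```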
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
Step 9 Configure the wireless configuration synchronization function in VRRP HSB scenarios.
# Configure the wireless configuration synchronization function on AC1.
[AC1] wlan
[AC1-wlan-view] master controller
[AC1-master-controller] master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address 10.23.102.1 psk H@123456
[AC1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
[AC1-master-controller] quit
[AC1-wlan-view] quit
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : member-vrrp
Backup-forward : disabled
Create time : 2016-11-17 16:58:35
Last change time : 2016-11-17 16:58:38
[AC2] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2016-11-17 02:31:42 UTC-07:00
Last change time : 2016-11-17 02:32:21 UTC-07:00
# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service
status. In the command output, the Service State field is Connected, indicating that the
HSB channel has been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 3
Keep Alive Interval : 6
Service State : Connected
Service Batch Modules :
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 3
# Run the display hsb-group 0 command on AC1 and AC2 to check the HSB group
status.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C20
Group Backup Modules : Access-user
AP
DHCP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C20
Group Backup Modules : Access-user
AP
DHCP
---------------------------------------------------------
3. The WLAN with SSID wlan-net is available for STAs connected to AP, and these STAs
can connect to the WLAN.
When the links between SwitchA and SwitchB and between AC1 and SwitchB are
disconnected, AC2 switches to the active AC. This ensures service transmission stability.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
return
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 46 ap-mac 60de-4476-e360 ap-sn 21500826402SF6902787
ap-name area_1
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif100
master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address 10.23.102.1 psk %^%#`P0}*pN+2P=Qf%V={&JQX(NhE"MP,/rC"F6%vqZF%^%#
#
return
l AC2 configuration file
#
sysname AC2
#
vrrp recover-delay 60
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable
dhcp server database recover
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.100.3
admin-vrrp vrid 1
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.23.101.3
vrrp vrid 2 track admin-vrrp interface Vlanif100 vrid 1 unflowdown
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
#
hsb-service 0
service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
hsb-group 0
track vrrp vrid 1 interface Vlanif100
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#l{2<+jk#}MLoI!=wMR^@U")pIh<wUY3&FbIb(>"P%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 46 ap-mac 60de-4476-e360 ap-sn 21500826402SF6902787
ap-name area_1
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif100
master-redundancy peer-ip ip-address 10.23.102.1 local-ip ip-address 10.23.102.2 psk %^%#7KXNDf(-X/No\4)i&z|./NQ@)WDlUT'`K33Mef47%^%#
#
return
Service Requirements
To ensure that services are running normally, an enterprise wants to improve network
reliability while reducing the configuration maintenance workload. Wireless configuration
synchronization can be deployed in dual-link HSB to meet this requirement. This solution
frees active and standby ACs from location restrictions and allows both ACs to be flexibly
deployed.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The router functions as a DHCP server to assign IP addresses
to APs and STAs.
l Service data forwarding mode: tunnel forwarding
Data Planning
Item Data
Active AC AC1
Standby AC AC2
Master AC AC1
Local AC AC2
Configuration Roadmap
1. Configure network interworking of AC1, AC2, and the other network devices. Configure
the Router as a DHCP server to assign IP addresses to APs and STAs.
2. Configure basic WLAN services on AC1 and only private WLAN service parameters on
AC2.
3. Configure AC1 as the active AC and AC2 as the standby AC. Configure dual-link HSB
on the active AC first and then on the standby AC. When dual-link HSB is enabled, all
APs are restarted.
4. Configure wireless configuration synchronization in the dual-link HSB scenarios.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure SwitchA, SwitchB, AC1, and AC2 to ensure that the APs and ACs can exchange
CAPWAP packets.
NOTE
In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on
GE0/0/1 that connects SwitchA to the AP. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs, or WLAN users on different APs will be able to communicate directly at
Layer 2.
# Set the PVID on GE0/0/1 of SwitchA to management VLAN 100 and add the interface to
VLAN 100. Add GE0/0/2 of SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
# Add GE0/0/2 and GE0/0/3 of SwitchB to both VLAN 101 and VLAN 102 and add GE0/0/4
of SwitchB connecting to Router to both VLAN 100 and VLAN 101.
[SwitchB] vlan batch 101 102
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/4] quit
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
NOTE
By default, dual-link backup is disabled, and running the ac protect enable command restarts all APs. After
the APs are restarted, the dual-link backup function takes effect.
If dual-link backup is enabled, running the ac protect enable command does not restart APs. You need to run
the ap-reset command on the active AC to restart all APs and make the dual-link backup function take effect.
[AC1-wlan-view] ap-system-profile name wlan-net
[AC1-wlan-ap-system-prof-wlan-net] primary-access ip-address 10.23.100.2
[AC1-wlan-ap-system-prof-wlan-net] backup-access ip-address 10.23.100.3
[AC1-wlan-ap-system-prof-wlan-net] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] ap-system-profile wlan-net
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] undo ac protect restore disable
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y
# On AC2, set the primary AC address to the source IP address of AC1 and the backup AC
address to the source IP address of AC2.
[AC2-wlan-view] ap-system-profile name wlan-net
[AC2-wlan-ap-system-prof-wlan-net] primary-access ip-address 10.23.100.2
[AC2-wlan-ap-system-prof-wlan-net] backup-access ip-address 10.23.100.3
[AC2-wlan-ap-system-prof-wlan-net] quit
[AC2-wlan-view] ap-group name ap-group1
[AC2-wlan-ap-group-ap-group1] ap-system-profile wlan-net
[AC2-wlan-ap-group-ap-group1] quit
[AC2-wlan-view] undo ac protect restore disable
[AC2-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y
# Restart the AP on AC1 and deliver the dual-link backup configuration to the AP.
[AC1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
[AC1-wlan-view] quit
# Create HSB service 0 on AC2 and configure the IP addresses and port numbers for the
active and standby channels.
[AC2-wlan-view] quit
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] quit
[AC1] wlan
[AC1-wlan-view] master controller
[AC1-master-controller] local-controller ip-address 10.23.100.3 psk H@123456
[AC1-master-controller] quit
# Configure AC2 as a local AC and specify the IP address of the master AC.
[AC2] wlan
[AC2-wlan-view] master-controller ip-address 10.23.100.2 psk H@123456
# When public configurations are modified on the master AC, the public configurations are
automatically synchronized to the local AC. When the AP detects a fault on the link
connected to AC1, it instructs AC2 to take the active role. This ensures service stability.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
l Router configuration file
#
sysname Router
#
vlan batch 100 to 101
#
dhcp enable
#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool ap
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select global
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
hsb-service 0
service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
ac protect enable
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#DmLbQP`BNIa6M}<rK3J>%m9$2xA+y-fNA<TAP&}F%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-system-profile name wlan-net
primary-access ip-address 10.23.100.2
backup-access ip-address 10.23.100.3
master-controller ip-address 10.23.100.2 psk %^%#mh|sYMl/}'U|"W/rBd\9HICmNy{,BIi0c^F:z;V#%^%#
ap-group name ap-group1
ap-system-profile wlan-net
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
Service Requirements
An enterprise uses two APs to deploy WLAN area A to provide WLAN services. The
enterprise requires that dual-link backup be configured to improve data transmission
reliability.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The switch functions as a DHCP server to assign IP addresses
to APs and STAs.
l Service data forwarding mode: direct forwarding
Data Planning
Item Data
Active AC: AC1 (local priority 0)
Standby AC: AC2 (local priority 1)
Configuration Roadmap
1. Configure network interworking of AC1, AC2, and other network devices. Configure the
switch as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2. Ensure
that service configurations on AC1 and AC2 are the same.
4. Configure dual-link backup on the active AC first and then on the standby AC. When
dual-link backup is enabled, all APs are restarted. After dual-link backup configurations
are complete, the standby AC replaces the active AC to manage APs if the CAPWAP
tunnel between the active AC and APs is disconnected.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
l Dual-link backup cannot back up DHCP information. When the AC functions as the
DHCP server to assign IP addresses to APs and STAs, APs and STAs need to re-obtain
IP addresses if the active AC is faulty. It is recommended that the switch function as the
DHCP server. If the AC must be used as the DHCP server, configure address pools
containing different IP addresses on the active and standby ACs to prevent IP address
conflicts.
Procedure
Step 1 Configure the switch and ACs to enable the ACs to communicate with the APs.
# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the switch. Set
the link type of GE0/0/1 and GE0/0/4 that connect the switch to the APs to trunk and PVID of
the interfaces to 100, and configure the interfaces to allow packets of VLAN 100 and VLAN
101 to pass through. Set the link type of GE0/0/2 and GE0/0/3 on the switch to trunk, and
configure the interfaces to allow packets of VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] port-isolate enable
[Switch-GigabitEthernet0/0/4] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1] quit
Step 2 Configure the DHCP function on the switch to assign IP addresses to APs and STAs.
# Configure VLANIF 100 to use the interface address pool to assign IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
[Switch-Vlanif100] quit
# Configure VLANIF 101 to use the interface address pool to assign IP addresses to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
# Import the APs offline on the AC and add the APs to the AP group ap-group1.
Assume that the APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640.
Configure names for the APs based on the APs' deployment locations, so that you can
tell where each AP is deployed from its name. For example, if the AP with MAC
address 60de-4476-e360 is deployed in area 1, name it area_1; if the AP with MAC
address 60de-4474-9640 is deployed in area 2, name it area_2.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC1-wlan-ap-1] ap-name area_2
[AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-1] quit
# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.253 AP5030DN nor   0   10S
1  60de-4474-9640 area_2 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 2
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
# Bind VAP profile wlan-net to the AP group, and apply the profile to radio 0 and radio
1 of the APs.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
# Configure basic parameters for AC2 according to the configurations of AC1. The
configuration of AC2 is similar to that of AC1 except the source interface address.
# Configure the AC1 priority and AC2 IP address on AC1. Enable dual-link backup and
revertive switchover globally, and restart all APs to make the dual-link backup function take
effect.
NOTE
By default, dual-link backup is disabled, and running the ac protect enable command restarts all APs. After
the APs are restarted, the dual-link backup function takes effect.
If dual-link backup is enabled, running the ac protect enable command does not restart APs. You need to run
the ap-reset command on the active AC to restart all APs and make the dual-link backup function take effect.
[AC1-wlan-view] ac protect protect-ac 10.23.100.3 priority 0
[AC1-wlan-view] undo ac protect restore disable
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y
Run the display ac protect command on the active and standby ACs to check the dual-link
information and priority on the two ACs.
[AC1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.3
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
[AC2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.2
Priority : 1
Protect restore : enable
...
------------------------------------------------------------
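The two display ac protect outputs above are only correct as a pair: each AC's Protect AC must be the other AC's CAPWAP address, the priorities must differ, and the AC with the higher priority (the smaller value) must be the primary-access address that the AP system profile hands to the APs. The following script is an added example, not part of the Huawei guide: it cross-checks constructed copies of those outputs against each AC's own address and the AP system profile (parse_display and audit_dual_link are this example's own names, and the outputs are constructed from this example's values).

```python
"""Cross-check a dual-link backup AC pair from its 'display ac protect' output.

Added example, not from the Huawei guide: each AC's own CAPWAP source address,
the text it prints for 'display ac protect' and the primary/backup addresses
delivered to the APs in the AP system profile are checked against each other.
The outputs below are constructed from the values used in the guide.
"""
import re

AC1_OUT = """\
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.3
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
"""
# AC2 (constructed): points back at AC1 and carries the lower priority (larger value).
AC2_OUT = AC1_OUT.replace("10.23.100.3", "10.23.100.2").replace("Priority : 0", "Priority : 1")


def parse_display(text):
    """Turn 'Key : Value' lines into a dict; rule lines and '...' elisions are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_dual_link(acs, ap_profile):
    """acs: {name: (own CAPWAP ip, display text)}; ap_profile: {'primary': ip, 'backup': ip}."""
    out = []
    parsed = {name: (ip, parse_display(text)) for name, (ip, text) in acs.items()}
    for name, (ip, f) in parsed.items():
        if f.get("Protect state") != "enable":
            out.append(f"{name}: dual-link backup is not enabled")
        # The protect AC must be the other member's CAPWAP address, not a stale one.
        if not any(p != name and pip == f.get("Protect AC") for p, (pip, _) in parsed.items()):
            out.append(f"{name}: Protect AC {f.get('Protect AC')} is not the other AC's CAPWAP address")
    prios = {name: f.get("Priority") for name, (_, f) in parsed.items()}
    if len(set(prios.values())) != len(prios):
        out.append(f"priorities are not distinct: {prios}")
    if len({f.get("Protect restore") for _, f in parsed.values()}) != 1:
        out.append("revertive switchover (Protect restore) differs between the ACs")
    # A smaller priority value means a higher priority, so the lowest value is the
    # primary AC and must match the primary-access address in the AP system profile.
    ranked = sorted(parsed.items(), key=lambda kv: int(kv[1][1].get("Priority", 255)))
    if (ap_profile["primary"], ap_profile["backup"]) != (ranked[0][1][0], ranked[-1][1][0]):
        out.append("AP system profile primary/backup addresses do not follow the AC priorities")
    return out
```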
# When the link between the AP and AC1 is faulty, AC2 takes the active role. This ensures
service stability.
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
return
Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
#
return
Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires
dual-link HSB to improve data transmission reliability.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The router functions as a DHCP server to assign IP addresses
to APs and STAs.
l Service data forwarding mode: tunnel forwarding
Data Planning
Item Data
Active AC AC1; local priority: 0
Standby AC AC2; local priority: 1
IP address and port number for the active and standby channels of AC1 VLANIF 102, 10.23.102.1/24; port number: 10241
IP address and port number for the active and standby channels of AC2 VLANIF 102, 10.23.102.2/24; port number: 10241
Configuration Roadmap
1. Configure network interworking of the AP, the ACs, and the other network devices.
2. Configure basic WLAN services to ensure that users can access the enterprise network.
3. Configure global dual-link backup on the ACs.
4. Configure hot standby on the ACs so that the WLAN and NAC services on AC1 are
backed up to AC2 in real time or in a batch. If AC1 is faulty, AC2 takes over services
from AC1. User services are not interrupted.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
l Dual-link backup cannot back up DHCP information. When the AC functions as the
DHCP server to assign IP addresses to APs and STAs, APs and STAs need to re-obtain
IP addresses if the active AC is faulty. It is recommended that Router function as the
DHCP server. If the AC must be used as the DHCP server, configure address pools
containing different IP addresses on the active and standby ACs to prevent IP address
conflicts.
Procedure
Step 1 Configure SwitchA, SwitchB, AC1, and AC2 to ensure that the APs and ACs can exchange
CAPWAP packets.
NOTE
In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on
GE0/0/1 that connects SwitchA to the AP. Without port isolation, a large number of broadcast packets is
transmitted in the VLANs, and WLAN users on different APs can communicate directly at Layer 2.
# Set the PVID on GE0/0/1 of SwitchA to management VLAN 100 and add the interface to
VLAN 100. Add GE0/0/2 of SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 of AC1 to service VLAN 101 and HSB backup VLAN 102, and assign IP addresses to VLANIF 100 (management VLAN) and VLANIF 102 (HSB channel).
[AC1] vlan batch 101 102
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.2 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 101 102
[AC1-GigabitEthernet0/0/1] quit
# Add GE0/0/2 and GE0/0/3 of SwitchB to both VLAN 101 and VLAN 102 and add GE0/0/4
of SwitchB connecting to Router to both VLAN 100 and VLAN 101.
[SwitchB] vlan batch 101 102
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/4] quit
Only the configurations on AC1 are provided here. The configurations on AC2 are the same as those on
AC1 except for the IP addresses (10.23.100.3 on VLANIF 100 and 10.23.102.2 on VLANIF 102 in this example).
1. Configure system parameters for AC1.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source interface vlanif 100
[AC1] wlan
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
# Bind VAP profile wlan-net to the AP group, and apply the profile to radio 0 and radio
1 of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
# Configure the AC2 priority and AC1 IP address on AC2 to implement dual-link backup.
[AC2-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
[AC2-wlan-view] ac protect protect-ac 10.23.100.2 priority 1
[AC2-wlan-view] quit
# Restart the AP on AC1 and deliver the dual-link backup configuration to the AP.
[AC1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
[AC1-wlan-view] quit
# Create HSB service 0 on AC2 and configure the IP addresses and port numbers for the
active and standby channels.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1
local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] quit
# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status.
The value of the Service State field is Connected, which indicates that the HSB channels are
set up.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
----------------------------------------------------------
The WLAN with SSID wlan-net is available for STAs connected to AP1, and these STAs can
connect to the WLAN.
When the AP detects a fault on the link connected to AC1, it instructs AC2 to take the active
role. User services are not interrupted.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires
VRRP HSB to improve data transmission reliability.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding
l Switch cluster: A cluster is set up using a CSS card, containing SwitchB and SwitchC at
the core layer. SwitchB is the active switch and SwitchC is the standby switch.
Data Planning
Item Configuration
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a cluster between SwitchB and SwitchC through cluster cards to improve the
core layer reliability and configure SwitchB as the master switch.
2. Set up connections between the AP, ACs, and other network devices.
3. Configure basic WLAN services to ensure that users can access the Internet through
WLAN.
4. Configure a VRRP group on AC1 and AC2 and configure a high priority for AC1 as the
active device to forward traffic, and a low priority for AC2 as the standby device.
5. Configure the hot standby (HSB) function so that service information on AC1 is backed
up to AC2 in batches in real time, ensuring seamless service switchover from the active
device to the standby device.
NOTE
Check whether loops occur on the wired network. If loops occur, configure MSTP on corresponding NEs.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
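The port isolation, management/service VLAN, and cipher-text notes above (the same notes appear in the dual-link HSB example earlier) can be checked against a saved configuration file before it is deployed. The script below is an added example, not from the Huawei document; SAMPLE_CONFIG is a constructed file that combines an access-switch stanza with an AC's wlan section so that every check has something to find. It assumes that an AP-facing port is a trunk whose PVID is the management VLAN, that a VAP profile without a forward-mode line uses direct forwarding, and that a pass-phrase starting with one of the %^%#, %@%# or %$%$ markers is stored as cipher text.

```python
"""Audit a saved VRP configuration against the WLAN deployment notes above."""
import re

# Constructed sample: an access-switch stanza plus an AC wlan section (not from a device).
SAMPLE_CONFIG = """\
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase a1234567 aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 100
  ssid-profile wlan-net
  security-profile wlan-net
#
return
"""

# Assumed markers VRP puts in front of encrypted strings in a saved configuration.
CIPHER_MARKERS = ("%^%#", "%@%#", "%$%$")


def parse_vrp(config: str) -> dict:
    """Group config lines into stanzas keyed by type, then by name.

    'interface X' and '<type> name X' open a stanza; a '#' separator closes it.
    """
    stanzas = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            current = None
            continue
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = ("interface", m.group(1))
        else:
            m = re.match(r"^(\S+)\s+name\s+(\S+)$", line)
            if m:
                current = (m.group(1), m.group(2))
        if m:
            stanzas.setdefault(current[0], {})[current[1]] = []
        elif current and line:
            stanzas[current[0]][current[1]].append(line)
    return stanzas


def audit(config: str, mgmt_vlan: int) -> list:
    """Return findings (strings); an empty list means the config follows the notes."""
    s = parse_vrp(config)
    findings = []
    for name, lines in s.get("interface", {}).items():
        if f"port trunk pvid vlan {mgmt_vlan}" not in lines:
            continue  # not an AP-facing port under the assumption above
        if not any(l.startswith("port-isolate enable") for l in lines):
            findings.append(f"{name}: AP-facing port without port-isolate enable")
        if "undo port trunk allow-pass vlan 1" not in lines:
            findings.append(f"{name}: AP-facing trunk still carries VLAN 1")
    for name, lines in s.get("vap-profile", {}).items():
        mode = next((l.split()[1] for l in lines if l.startswith("forward-mode ")), "direct-forward")
        vlan = next((int(l.split()[-1]) for l in lines if l.startswith("service-vlan vlan-id ")), None)
        if mode == "tunnel" and vlan == mgmt_vlan:
            findings.append(f"vap-profile {name}: tunnel forwarding with service VLAN equal to management VLAN {mgmt_vlan}")
    for name, lines in s.get("security-profile", {}).items():
        for l in lines:
            m = re.search(r"\bpass-phrase\s+(\S+)", l)
            if m and not m.group(1).startswith(CIPHER_MARKERS):
                findings.append(f"security-profile {name}: pre-shared key saved in plaintext")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, mgmt_vlan=100) or ["no findings"]:
        print(finding)
```

Run it over the output of display current-configuration from each switch and AC; the management VLAN is the one referenced by capwap source interface on the AC.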
Procedure
Step 1 Establish a cluster through cluster cards.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection
for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100
# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection
for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10
# Log in to the CSS through the console port on any MPU to check whether the CSS is
established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
3 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
4 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off
The command output shows the card status of both member switches and the CSS status (chassis 1 as
Master and chassis 2 as Standby), indicating that the CSS is established successfully. All cluster
links should also be in Up state.
Step 2 Configure SwitchA, SwitchB, SwitchC, AC1, and AC2 so that CAPWAP packets can be
transmitted between the AP and ACs.
NOTE
If direct forwarding is used, configure port isolation on GE0/0/1 of SwitchA (connecting to the AP).
Without port isolation, a large number of broadcast packets is transmitted in the VLANs, and WLAN
users on different APs can communicate directly at Layer 2.
# Set the PVID of GE0/0/1 on SwitchA connected to the AP to management VLAN 100 and
add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 on SwitchA connected to
SwitchB to VLAN 100 and VLAN 101 and GE0/0/3 on SwitchA connected to SwitchC to
VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/3] quit
# Add GE1/1/0/2 that connects SwitchB to SwitchA to VLAN 100 and VLAN 101 (service
VLAN), and add GE1/1/0/1 that connects SwitchB to AC1 to VLAN 100 and VLAN 101.
Add GE2/1/0/2 that connects SwitchC to SwitchA to VLAN 100 and VLAN 101 (service
VLAN), and add GE2/1/0/1 that connects SwitchC to AC2 to VLAN 100 and VLAN 101.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] port link-type trunk
[CSS-GigabitEthernet1/1/0/2] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/2] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] port link-type trunk
[CSS-GigabitEthernet2/1/0/2] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/2] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/2] quit
# Add GE0/0/1 that connects AC1 to SwitchB to VLAN 100 and VLAN 101, and configure
VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.1 24
[AC1-Vlanif100] quit
# Add GE0/0/1 that connects AC2 to SwitchC to VLAN 100 and VLAN 101, and configure
VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.2 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 101
[AC2-Vlanif101] ip address 10.23.101.2 24
[AC2-Vlanif101] quit
The configuration for AC2 is similar to that for AC1 and is not mentioned here.
Step 5 Configure VRRP on AC1 to implement AC hot standby.
# Set the recovery delay of the VRRP group to 60 seconds.
# Create a management VRRP group on AC1, set AC1's VRRP priority to 120, and set the
preemption delay to 1800s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit
# Create a service VRRP group on AC1 and set the preemption delay to 1800s.
[AC1] interface vlanif 101
[AC1-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC1-Vlanif101] vrrp vrid 2 preempt-mode timer delay 1800
[AC1-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1
unflowdown
[AC1-Vlanif101] quit
# Create HSB service 0 on AC1, configure the IP addresses and port numbers for the active
and standby channels, and set the retransmission times and interval of HSB packets.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2
local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit
# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management VRRP
group.
[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit
# Create HSB service 0 on AC2, configure the IP addresses and port numbers for the active
and standby channels, and set the retransmission times and interval of HSB packets.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1
local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit
# Create HSB group 0 on AC2, and bind it to HSB service 0 and the management VRRP
group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit
Step 7 Configure WLAN services on AC1. The configurations on AC2 are similar to those on AC1.
An AP in normal state on the active AC is in standby state on AC2.
1. Configure system parameters for AC1.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source ip-address 10.23.100.3
[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 01:25:55 UTC+08:00
Last change time : 2005-07-31 02:48:22 UTC+08:00
# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status.
The command output displays that the Service State field is Connected, indicating that the
HSB channel has been established.
# Run the display hsb-group 0 command on AC1 and AC2 to check the HSB group status.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C20
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C20
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
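Checking the two ACs' outputs against each other, rather than reading each in isolation, catches the failure modes that a healthy-looking single output hides: two Active groups (split-brain), channel endpoints that do not mirror each other, or different software versions. The script below is an added example, not from the Huawei document; its four inputs are constructed from the display hsb-service and display hsb-group output shown above, and the state pairs it expects (Master with Active, Backup with Inactive) are taken from that output.

```python
"""Cross-check 'display hsb-service' and 'display hsb-group' output from both ACs."""
import re

# Constructed from the output shown above (not captured from a device).
AC1_SERVICE = """\
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
----------------------------------------------------------
"""
# AC2's service view is the mirror image: local and peer addresses swapped.
AC2_SERVICE = (AC1_SERVICE.replace("10.23.102.1", "X")
               .replace("10.23.102.2", "10.23.102.1").replace("X", "10.23.102.2"))

AC1_GROUP = """\
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C20
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
"""
AC2_GROUP = AC1_GROUP.replace("Status : Master", "Status : Backup").replace("Status : Active", "Status : Inactive")


def parse_kv(output: str) -> dict:
    """Parse 'Key : value' lines into lists; a line without ':' continues the previous value."""
    fields, last = {}, None
    for line in output.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(.+?)\s*$", line)
        if m:
            last = m.group(1)
            fields[last] = [m.group(2)]
        elif last and line.strip() and not line.startswith("-"):
            fields[last].append(line.strip())
    return fields


def check_hsb_pair(svc1: str, grp1: str, svc2: str, grp2: str) -> list:
    """Return findings for the AC pair; an empty list means the HSB pair is healthy."""
    s1, s2, g1, g2 = parse_kv(svc1), parse_kv(svc2), parse_kv(grp1), parse_kv(grp2)
    findings = []
    for name, s in (("AC1", s1), ("AC2", s2)):
        if s.get("Service State") != ["Connected"]:
            findings.append(f"{name}: HSB service state is {s.get('Service State')}")
    # The channel is point-to-point: my peer address/port must be your local address/port.
    if s1.get("Peer IP Address") != s2.get("Local IP Address") or s2.get("Peer IP Address") != s1.get("Local IP Address"):
        findings.append("HSB channel addresses are not mirrored between the ACs")
    if s1.get("Destination Port") != s2.get("Source Port") or s2.get("Destination Port") != s1.get("Source Port"):
        findings.append("HSB channel ports are not mirrored between the ACs")
    states = {g1.get("Group Status", [None])[0], g2.get("Group Status", [None])[0]}
    if states == {"Active"}:
        findings.append("split-brain: both HSB groups are Active")
    elif states != {"Active", "Inactive"}:
        findings.append(f"unexpected HSB group states {sorted(str(x) for x in states)}")
    for name, g in (("AC1", g1), ("AC2", g2)):
        vrrp, grp = g.get("Group Vrrp Status", [None])[0], g.get("Group Status", [None])[0]
        if (vrrp, grp) not in (("Master", "Active"), ("Backup", "Inactive")):
            findings.append(f"{name}: VRRP state {vrrp} does not match HSB group state {grp}")
    for key in ("Vrrp Group ID", "Vrrp Interface", "Service Index", "Peer Group Software Version"):
        if g1.get(key) != g2.get(key):
            findings.append(f"{key} differs between the ACs: {g1.get(key)} vs {g2.get(key)}")
    if set(g1.get("Group Backup Modules", [])) != set(g2.get("Group Backup Modules", [])):
        findings.append("backup module sets differ between the ACs")
    return findings


if __name__ == "__main__":
    for finding in check_hsb_pair(AC1_SERVICE, AC1_GROUP, AC2_SERVICE, AC2_GROUP) or ["HSB pair is healthy"]:
        print(finding)
```

The split-brain check is the one worth automating: each AC alone reports a Connected service and an Active group, and only the comparison shows that the VRRP tracking has failed.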
The WLAN with SSID wlan-net is available for STAs connected to AP, and these STAs can
connect to the WLAN.
When the links between SwitchA and SwitchB and between AC1 and SwitchB are
disconnected, AC2 switches to the active AC. This ensures service transmission stability.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
return
l AC2 configuration file
#
sysname AC2
#
vrrp recover-delay 60
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable
dhcp server database recover
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.100.3
admin-vrrp vrid 1
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.23.101.3
vrrp vrid 2 track admin-vrrp interface Vlanif100 vrid 1 unflowdown
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
#
hsb-service 0
service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif100
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#G.DGWgjG./fvyr*oM)KMgc*sR}!GUWLa"%G_E.^B%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
4.7.6 Example for Configuring N+1 Backup for ACs in the Same
Network Segment
Service Requirements
In public places where a large number of users are spread over a large area, many APs are deployed
and managed by multiple ACs to provide free-of-charge WLAN access. These are value-added services
with low reliability requirements that tolerate temporary service interruption, so to save costs a
single AC is required to back up all the other ACs. To meet this requirement, build an N+1 backup
WLAN, which provides reliable services while reducing device purchase costs. ACs of different models
can work in N+1 backup mode, but the ACs must run the same software version.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: Switch_1 functions as a DHCP server to assign IP addresses
to APs and STAs.
l Service data forwarding mode: direct forwarding
Data Planning
Item Data
SSID profile AC_2: name wlan-net1; SSID name wlan-net1
AC_3: names wlan-net and wlan-net1; SSID names wlan-net and wlan-net1
Security profile AC_2: name wlan-net1; security policy WPA-WPA2+PSK+AES; password a1234567
AC_3: name wlan-net (security policy WPA-WPA2+PSK+AES; password a1234567) and name wlan-net1 (security policy WPA-WPA2+PSK+AES; password a1234567)
VAP profile AC_2: name wlan-net1; forwarding mode direct forwarding; service VLAN 102; referenced profiles SSID profile wlan-net1 and security profile wlan-net1
AC_3: name wlan-net (direct forwarding; service VLAN 101; SSID profile wlan-net and security profile wlan-net) and name wlan-net1 (direct forwarding; service VLAN 102; SSID profile wlan-net1 and security profile wlan-net1)
Configuration Roadmap
1. Configure network interworking of each AC and other network devices. Configure
Switch_1 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2 respectively, and
configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the standby AC and configure basic WLAN services on AC_3.
Ensure that service configurations on AC_3 are the same as those on AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC. When N+1
backup is enabled, all APs are restarted.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
Procedure
Step 1 Configure the switches and ACs to enable the ACs to communicate with the APs.
# On Switch_1, create VLAN 100, VLAN 101, and VLAN 102. Configure VLAN 100 as the
management VLAN, VLAN 101 and VLAN 102 as service VLANs. Add GE0/0/1 connected
to AC_1 to VLAN 100 and VLAN 101, GE0/0/2 connected to AC_2 to VLAN 100 and
VLAN 102, GE0/0/3 and GE0/0/4 respectively connected to AC_3 and Switch_2 to VLAN
100, VLAN 101, and VLAN 102.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100 to 102
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_1-GigabitEthernet0/0/2] quit
[Switch_1] interface gigabitethernet 0/0/3
[Switch_1-GigabitEthernet0/0/3] port link-type trunk
[Switch_1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/3] quit
[Switch_1] interface gigabitethernet 0/0/4
[Switch_1-GigabitEthernet0/0/4] port link-type trunk
[Switch_1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/4] quit
# On Switch_2, add GE0/0/3 connected to Switch_1 to VLAN 100, VLAN 101, and VLAN
102, GE0/0/1 connected to AP_1 to VLAN 100 and VLAN 101, and GE0/0/2 connected to
AP_2 to VLAN 100 and VLAN 102. Set the PVID of GE0/0/1 and GE0/0/2 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100 to 102
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_2-GigabitEthernet0/0/1] port-isolate enable
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
# On AC_1, add GE0/0/1 connected to Switch_1 to VLAN 100 and VLAN 101.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 100 101
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface vlanif 100
[AC_1-Vlanif100] ip address 10.23.100.2 255.255.255.0
[AC_1-Vlanif100] quit
# On AC_2, add GE0/0/1 connected to Switch_1 to VLAN 100 and VLAN 102.
<AC6605> system-view
[AC6605] sysname AC_2
[AC_2] vlan batch 100 102
[AC_2] interface gigabitethernet 0/0/1
[AC_2-GigabitEthernet0/0/1] port link-type trunk
[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC_2-GigabitEthernet0/0/1] quit
[AC_2] interface vlanif 100
[AC_2-Vlanif100] ip address 10.23.100.3 255.255.255.0
[AC_2-Vlanif100] quit
# On AC_3, add GE0/0/1 connected to Switch_1 to VLAN 100, VLAN 101, and VLAN 102.
<AC6605> system-view
[AC6605] sysname AC_3
[AC_3] vlan batch 100 to 102
[AC_3] interface gigabitethernet 0/0/1
[AC_3-GigabitEthernet0/0/1] port link-type trunk
[AC_3-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 102
[AC_3-GigabitEthernet0/0/1] quit
[AC_3] interface vlanif 100
[AC_3-Vlanif100] ip address 10.23.100.4 255.255.255.0
[AC_3-Vlanif100] quit
Step 2 Configure Switch_1 as a DHCP server to assign IP addresses to STAs and APs. Switch_1
allocates IP addresses to APs from the IP address pool on VLANIF 100, and allocates IP
addresses to STA_1 and STA_2 from the IP address pool on VLANIF 101 and VLANIF 102
respectively.
[Switch_1] dhcp enable
[Switch_1] interface vlanif 100
[Switch_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch_1-Vlanif100] dhcp select interface
[Switch_1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.4
[Switch_1-Vlanif100] quit
[Switch_1] interface vlanif 101
[Switch_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch_1-Vlanif101] dhcp select interface
[Switch_1-Vlanif101] quit
[Switch_1] interface vlanif 102
[Switch_1-Vlanif102] ip address 10.23.102.1 255.255.255.0
[Switch_1-Vlanif102] dhcp select interface
[Switch_1-Vlanif102] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit
# Import the APs offline on the AC and add the APs to the AP group ap-group1. In this
example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based
on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the
AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit
# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
---------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime
---------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
---------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit
# Create AP system profile ap-system and configure the AP's individual priority.
[AC_1-wlan-view] ap-system-profile name ap-system
[AC_1-wlan-ap-system-prof-ap-system] priority 3
Warning: This action will take effect after resetting AP.
[AC_1-wlan-ap-system-prof-ap-system] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
wlan-net to radio 0 and radio 1 of the APs.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_1-wlan-ap-group-ap-group1] quit
# Import the APs offline on the AC and add the APs to the AP group ap-group2. In this
example, the AP's MAC address is 60de-4474-9640. Configure a name for the AP based on
the AP's deployment location, so that you can know where the AP is located. For example, if
the AP with MAC address 60de-4474-9640 is deployed in area 2, name the AP area_2.
[AC_2-wlan-view] ap auth-mode mac-auth
[AC_2-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_2-wlan-ap-1] ap-name area_2
[AC_2-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_2-wlan-ap-1] quit
# Create security profile wlan-net1 and set the security policy in the profile.
[AC_2-wlan-view] security-profile name wlan-net1
[AC_2-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_2-wlan-sec-prof-wlan-net1] quit
# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_2-wlan-view] vap-profile name wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_2-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_2-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] quit
# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
wlan-net1 to radio 0 and radio 1 of the APs.
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_2-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_2-wlan-ap-group-ap-group2] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_3-wlan-view] regulatory-domain-profile name default
[AC_3-wlan-regulate-domain-default] country-code cn
[AC_3-wlan-regulate-domain-default] quit
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group2] quit
[AC_3-wlan-view] quit
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
[AC_3] wlan
[AC_3-wlan-view] ap auth-mode mac-auth
[AC_3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_3-wlan-ap-0] ap-name area_1
[AC_3-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-0] quit
[AC_3-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_3-wlan-ap-1] ap-name area_2
[AC_3-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-1] quit
# After the APs are powered on, run the display ap all command to check the AP state.
The command output shows that both APs are in the fault state.
[AC_3-wlan-view] display ap all
Total AP information:
fault : fault [2]
---------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP  Type      State  STA  Uptime
---------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  -   AP5030DN  fault  0    -
1   60de-4474-9640  area_2  ap-group2  -   AP5030DN  fault  0    -
---------------------------------------------------------------------------------------
Total: 2
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_3-wlan-view] ssid-profile name wlan-net
[AC_3-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_3-wlan-ssid-prof-wlan-net] quit
# Create SSID profile wlan-net1 and set the SSID name to wlan-net1.
[AC_3-wlan-view] ssid-profile name wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] quit
# Create AP system profiles ap-system and ap-system1 and configure the IP address of the standby AC in each. Only the commands for ap-system1 are shown; configure ap-system in the same way.
[AC_3-wlan-view] ap-system-profile name ap-system1
[AC_3-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.23.100.3
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system1] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net
[AC_3-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_3-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] quit
# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_3-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] quit
# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
wlan-net to radio 0 and radio 1 of the APs.
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_3-wlan-ap-group-ap-group2] quit
# On AC_1, enable N+1 backup and restart all APs to make the function take effect.
NOTE
N+1 backup is enabled by default, so running the undo ac protect enable command only displays an Info message. You still need to run the ap-reset all command to restart all APs; N+1 backup takes effect after the APs are restarted.
[AC_1-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
# On AC_2, enable N+1 backup and restart all APs to make the function take effect.
[AC_2-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
# Run the display ac protect and display ap-system-profile commands on AC_1 to check N+1 backup information.
[AC_1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.100.4
Priority : 6
Protect restore : enable
...
------------------------------------------------------------
[AC_1-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority : 3
Protect AC IP address : 10.23.100.4
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------
# Run the display ac protect and display ap-system-profile commands on AC_2 to check N+1 backup information.
[AC_2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.100.4
Priority : 6
Protect restore : enable
...
------------------------------------------------------------
[AC_2-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : 3
Protect AC IP address : 10.23.100.4
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------
# Run the display ac protect and display ap-system-profile commands on AC_3 to check N+1 backup information.
[AC_3-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : -
Priority : 5
Protect restore : enable
...
------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.100.2
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.100.3
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------
The WLAN with the SSID wlan-net or wlan-net1 is available for STAs connected to the
APs, and these STAs can connect to the WLAN and go online normally.
When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the active role, so that services recover quickly.
----End
Configuration Files
l Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2 10.23.100.4
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
l AC_2 configuration file
#
sysname AC_2
#
vlan batch 100 102
#
interface Vlanif100
ip address 10.23.100.3 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
capwap source interface vlanif100
#
wlan
ac protect protect-ac 10.23.100.4 priority 6
security-profile name wlan-net1
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-net1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-net1
regulatory-domain-profile name default
ap-system-profile name ap-system1
priority 3
ap-group name ap-group2
ap-system-profile ap-system1
radio 0
vap-profile wlan-net1 wlan 1
radio 1
vap-profile wlan-net1 wlan 1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return
l AC_3 configuration file
#
sysname AC_3
#
vlan batch 100 to 102
#
interface Vlanif100
ip address 10.23.100.4 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
wlan
ac protect priority 5
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
security-profile name wlan-net1
Service Requirements
A large enterprise has branches in different areas. ACs are deployed in the branches to
manage APs and provide WLAN access and e-mail services. These services have low
reliability requirements and tolerate temporary service interruption. To save costs, a single
AC is required to back up all the branch ACs. In this scenario, the enterprise can deploy a
high-performance AC at the headquarters as the standby AC that provides backup for the
active ACs in the branches.
Networking Requirements
l AC networking mode: Layer 3 bypass mode
l DHCP deployment mode: Router_3 functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding
Data Planning
Item Data
SSID profile
AC_2:
l Name: wlan-net1
l SSID name: wlan-net1
AC_3:
l Name: wlan-net
l SSID name: wlan-net
l Name: wlan-net1
l SSID name: wlan-net1
VAP profile
AC_2:
l Name: wlan-net1
l Forwarding mode: direct forwarding
l Service VLAN: VLAN 102
l Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1
AC_3:
l Name: wlan-net
– Forwarding mode: direct forwarding
– Service VLAN: VLAN 101
– Referenced profiles: SSID profile wlan-net and security profile wlan-net
l Name: wlan-net1
– Forwarding mode: direct forwarding
– Service VLAN: VLAN 102
– Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1
Configuration Roadmap
1. Configure network interworking of each AC and other network devices. Configure
Router_3 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2 respectively, and
configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the standby AC and configure basic WLAN services on AC_3.
Ensure that service configurations on AC_3 are the same as those on AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC. When N+1
backup is enabled, all APs are restarted.
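Step 3 of this roadmap, like step 3 of the preceding N+1 backup example, requires the service configuration on the standby AC to match that on every active AC. The Python script below is an added example, not Huawei's code: it parses the wlan section of two configuration files written in the style of the Configuration Files shown in this guide, reports profile attributes that differ between an active AC and the standby AC, and flags VAP profiles that reference a security or SSID profile that does not exist. The two sample configurations and their pass-phrase ciphertexts are constructed; because a stored cipher text is device-specific, the security line is compared on its policy and cipher suite only.

```python
"""Check that the standby AC of an N+1 group carries the same WLAN service
profiles as an active AC. Added example, not Huawei's code; the sample
configuration files are constructed, with placeholder pass-phrase ciphertexts."""

# profile kinds whose definitions must be identical on every AC in the group
PROFILE_KINDS = ("security-profile", "ssid-profile", "vap-profile")


def parse_wlan_profiles(config_text):
    """Parse the 'wlan' section of a Huawei-style configuration file into
    {kind: {name: {attribute: value}}}. A profile starts with a one-space indented
    ' <kind> name <name>' line; deeper-indented lines are its attributes keyed by
    their first word. Only the syntax used in the N+1 example is handled."""
    profiles = {kind: {} for kind in PROFILE_KINDS}
    current, in_wlan = None, False
    for line in config_text.splitlines():
        line = line.rstrip()
        if not line.strip() or line.strip() == "#":
            continue
        indent, words = len(line) - len(line.lstrip()), line.split()
        if indent == 0:                    # top-level statement: 'wlan', 'return', ...
            in_wlan, current = words == ["wlan"], None
        elif in_wlan and indent == 1:      # profile, ap-group, ap-id, ac protect, ...
            is_profile = len(words) >= 3 and words[0] in PROFILE_KINDS and words[1] == "name"
            current = profiles[words[0]].setdefault(words[2], {}) if is_profile else None
        elif in_wlan and current is not None:
            current[words[0]] = " ".join(words[1:])
    return profiles


def policy_only(security_line):
    """Drop the pass-phrase value: the stored ciphertext differs per device,
    the security policy and cipher suite must not."""
    words = security_line.split()
    if "pass-phrase" in words:
        i = words.index("pass-phrase")
        del words[i + 1:i + 2]
    return " ".join(words)


def compare_with_standby(active, standby):
    """(kind, name, attribute, active_value, standby_value) per difference;
    a profile missing on the standby AC is reported with attribute None."""
    findings = []
    for kind in PROFILE_KINDS:
        for name, attrs in active[kind].items():
            if name not in standby[kind]:
                findings.append((kind, name, None, None, None))
                continue
            for attr, a in attrs.items():
                b = standby[kind][name].get(attr)
                if attr == "security" and b is not None:
                    a, b = policy_only(a), policy_only(b)
                if a != b:
                    findings.append((kind, name, attr, a, b))
    return findings


def dangling_references(profiles):
    """(vap, attribute, target) for VAP profiles that reference a security or
    SSID profile that does not exist on this AC."""
    return [(vap, ref, attrs[ref])
            for vap, attrs in profiles["vap-profile"].items()
            for ref in ("security-profile", "ssid-profile")
            if ref in attrs and attrs[ref] not in profiles[ref]]


# Constructed sample. AC_3 carries the slip this check is meant to catch: its
# VAP profile wlan-net1 points at security profile wlan-net, not wlan-net1.
AC2_CONFIG = """\
wlan
 security-profile name wlan-net1
  security wpa-wpa2 psk pass-phrase %^%#CIPHERTEXT-AC2%^%# aes
 ssid-profile name wlan-net1
  ssid wlan-net1
 vap-profile name wlan-net1
  service-vlan vlan-id 102
  ssid-profile wlan-net1
  security-profile wlan-net1
 ap-group name ap-group2
  radio 0
   vap-profile wlan-net1 wlan 1
return
"""

AC3_CONFIG = """\
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#CIPHERTEXT-AC3-A%^%# aes
 security-profile name wlan-net1
  security wpa-wpa2 psk pass-phrase %^%#CIPHERTEXT-AC3-B%^%# aes
 ssid-profile name wlan-net1
  ssid wlan-net1
 vap-profile name wlan-net1
  service-vlan vlan-id 102
  ssid-profile wlan-net1
  security-profile wlan-net
return
"""

if __name__ == "__main__":
    standby = parse_wlan_profiles(AC3_CONFIG)
    print("mismatches:", compare_with_standby(parse_wlan_profiles(AC2_CONFIG), standby))
    print("dangling:", dangling_references(standby))
```

Run it against the saved configuration of each active AC in turn; an empty mismatch list for every active AC is the condition step 3 asks for, and the dangling-reference check catches a profile that was renamed on one controller but not on the others.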
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the routers, switches, and ACs to ensure communications among them.
# On Router_1, create VLAN 99, VLAN 101 and VLAN 201. VLAN 99 is used as the
management VLAN and VLAN 101 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_1 to VLAN 99 and VLAN 101, and Eth2/0/1 connected to AC_1 to VLAN 201.
Configure the IP address 10.23.99.1/24 for VLANIF 99, 10.23.101.1/24 for VLANIF 101 and
10.23.201.2/24 for VLANIF 201.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 99 101 201
[Router_1] interface ethernet 2/0/0
[Router_1-Ethernet2/0/0] port link-type trunk
[Router_1-Ethernet2/0/0] port trunk allow-pass vlan 99 101
[Router_1-Ethernet2/0/0] quit
[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 201
[Router_1-Ethernet2/0/1] quit
[Router_1] interface vlanif 99
[Router_1-Vlanif99] ip address 10.23.99.1 255.255.255.0
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] quit
[Router_1] interface vlanif 201
[Router_1-Vlanif201] ip address 10.23.201.2 255.255.255.0
[Router_1-Vlanif201] quit
# On Router_2, create VLAN 100, VLAN 102 and VLAN 202. VLAN 100 is used as the
management VLAN and VLAN 102 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_2 to VLAN 100 and VLAN 102, and Eth2/0/1 connected to AC_2 to VLAN 202.
Configure the IP address 10.23.100.1/24 for VLANIF 100, 10.23.102.1/24 for VLANIF 102
and 10.23.202.2/24 for VLANIF 202. See Router_1 for the detailed configuration procedure.
# On Router_3, create VLAN 200, VLAN 203, and add Eth2/0/0 connected to the Network to
VLAN 200, and Eth2/0/1 connected to AC_3 to VLAN 203. Configure the IP address
10.23.200.1/24 for VLANIF 200. Configure the IP address 10.23.203.2/24 for VLANIF 203.
See Router_1 for the detailed configuration procedure.
# On Switch_1, create VLAN 99 and VLAN 101. Add GE0/0/2 connected to Router_1 and
GE0/0/1 connected to AP_1 to VLAN 99 and VLAN 101, and set the PVID of GE0/0/1 to
VLAN 99.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 99 101
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 99
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/1] port-isolate enable
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/2] quit
# On Switch_2, create VLAN 100 and VLAN 102. Add GE0/0/2 connected to Router_2 and
GE0/0/1 connected to AP_2 to VLAN 100 and VLAN 102, and set the PVID of GE0/0/1 to
VLAN 100. See Switch_1 for the detailed configuration procedure.
# On AC_1, create VLAN 101 and VLAN 201, and add GE0/0/1 connected to Router_1 to
VLAN 201. Configure the IP address 10.23.201.1/24 for VLANIF 201.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 101 201
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 201
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface vlanif 201
[AC_1-Vlanif201] ip address 10.23.201.1 255.255.255.0
[AC_1-Vlanif201] quit
# On AC_2, create VLAN 102, and VLAN 202, and add GE0/0/1 connected to Router_2 to
VLAN 202. Configure the IP address 10.23.202.1/24 for VLANIF 202. See AC_1 for the
detailed configuration procedure.
# On AC_3, create VLAN 101, VLAN 102, and VLAN 203, and add GE0/0/1 connected to
Router_3 to VLAN 203. Configure the IP address 10.23.203.1/24 for VLANIF 203. See
AC_1 for the detailed configuration procedure.
# Configure reachable routes between AC_1 and AC_3, AP_1 and AC_3, AC_2 and AC_3,
and between AP_2 and AC_3. Perform the configurations according to networking
requirements. The configuration procedure is not provided here.
# Configure the route between AC_1 and AP_1 with the next hop as Router_1's VLANIF 201.
[AC_1] ip route-static 10.23.99.0 24 10.23.201.2
# Configure the route from AC_2 to the management network segment of AP_2 (10.23.100.0/24) with the next hop as Router_2's VLANIF 202.
[AC_2] ip route-static 10.23.100.0 24 10.23.202.2
# Configure Router_3 as the DHCP server to assign IP addresses to APs and STAs, and
configure the Option 43 field to advertise the IP addresses of AC_1 and AC_3 to AP_1, and
to advertise the IP addresses of AC_2 and AC_3 to AP_2. Configure the DHCP server to
assign IP address to AP_1 from the IP address pool ap_1_pool, to AP_2 from ap_2_pool, to
STA1 from sta_1_pool, and to STA2 from sta_2_pool.
NOTE
In this example, AP_1 and AP_2 cannot share an IP address pool; otherwise, AP_1 can discover AC_2 and
AP_2 can discover AC_1, and the APs cannot connect to the correct AC based on AC priority.
[Router_3] dhcp enable
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24
[Router_3-ip-pool-sta_1_pool] gateway-list 10.23.101.1
[Router_3-ip-pool-sta_1_pool] quit
[Router_3] ip pool sta_2_pool
[Router_3-ip-pool-sta_2_pool] network 10.23.102.0 mask 24
[Router_3-ip-pool-sta_2_pool] gateway-list 10.23.102.1
[Router_3-ip-pool-sta_2_pool] quit
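The Option 43 sub-option 2 setting above hands each AP the addresses of its own active AC and of the standby AC. The Python below is an added example, not Huawei's code: it builds and decodes such an Option 43 value and applies the rule from the note, namely that each AP pool advertises exactly one active AC plus the standby AC and that no two AP pools share an active AC. The TLV layout (one sub-option type byte, one length byte, then packed IPv4 addresses) and the type code 2 are assumptions about the format the AP expects; the pool table is constructed from the addresses used in this example.

```python
"""Encode and decode the DHCP Option 43 value that tells APs which ACs to
contact (sub-option 2: binary IPv4 list). Added example, not Huawei's code;
the TLV layout (type byte, length byte, packed IPv4 addresses) is assumed."""
import ipaddress

SUB_OPTION_IP_LIST = 2   # assumed: sub-option type carrying packed AC addresses

# Constructed from the Router_3 pools in this example: each AP pool lists its
# own active AC first and the standby AC (AC_3) second.
AP_POOLS = {
    "ap_1_pool": {"acs": ["10.23.201.1", "10.23.203.1"]},
    "ap_2_pool": {"acs": ["10.23.202.1", "10.23.203.1"]},
}
STANDBY_AC = "10.23.203.1"


def encode_option43(ac_addresses):
    """Return the Option 43 value: one sub-option-2 TLV holding the given ACs."""
    payload = b"".join(ipaddress.IPv4Address(a).packed for a in ac_addresses)
    if not 0 < len(payload) <= 255:             # the length field is a single byte
        raise ValueError("sub-option 2 must carry between 1 and 63 addresses")
    return bytes([SUB_OPTION_IP_LIST, len(payload)]) + payload


def decode_option43(value):
    """Walk every TLV in an Option 43 value and return the AC addresses found in
    sub-option 2. Other sub-options are skipped; malformed input raises."""
    acs, i = [], 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated sub-option header")
        kind, length = value[i], value[i + 1]
        body = value[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("sub-option length runs past the end of the option")
        if kind == SUB_OPTION_IP_LIST:
            if length == 0 or length % 4:
                raise ValueError("sub-option 2 body is not a list of IPv4 addresses")
            acs.extend(str(ipaddress.IPv4Address(body[j:j + 4])) for j in range(0, length, 4))
        i += 2 + length
    return acs


def check_pool_isolation(pools, standby_ac):
    """Every AP pool must advertise exactly one active AC plus the standby AC,
    and no two pools may share an active AC; otherwise an AP can discover
    another group's active AC and attach to the wrong controller.
    Returns a list of problem descriptions (empty when the plan is sound)."""
    problems, active_by_pool = [], {}
    for name, pool in pools.items():
        acs = decode_option43(encode_option43(pool["acs"]))   # round trip as a self-check
        actives = [a for a in acs if a != standby_ac]
        if standby_ac not in acs:
            problems.append(f"{name}: standby AC {standby_ac} is not advertised")
        if len(actives) != 1:
            problems.append(f"{name}: expected exactly one active AC, got {actives}")
            continue
        active_by_pool[name] = actives[0]
    seen = {}
    for name, active in active_by_pool.items():
        if active in seen:
            problems.append(f"{name} and {seen[active]} both advertise active AC {active}")
        seen[active] = name
    return problems


def option43_hex(pool_name):
    """Hex rendering of a pool's Option 43 value, for comparison against a
    packet capture of the DHCP offer sent to the AP."""
    return encode_option43(AP_POOLS[pool_name]["acs"]).hex()


if __name__ == "__main__":
    for name in AP_POOLS:
        print(name, option43_hex(name), decode_option43(encode_option43(AP_POOLS[name]["acs"])))
    print("problems:", check_pool_isolation(AP_POOLS, STANDBY_AC))
```

The decoder is deliberately strict about lengths so that a captured offer with a mangled option is reported rather than silently yielding a partial AC list, and the isolation check is the programmatic form of the note: merging ap_1_pool and ap_2_pool would produce a single pool advertising two active ACs, which the check rejects.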
# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
# Import the APs offline on the AC and add the APs to the AP group ap-group1. In this
example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based
on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the
AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit
# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
---------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP            Type      State  STA  Uptime
---------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.99.254  AP5030DN  nor    0    10S
---------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
# Create SSID profile wlan-net and set the SSID name to wlan-net.
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile to the AP group and apply the VAP profile wlan-net to radio 0
and radio 1 of the APs.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit
# Import the APs offline on the AC and add the APs to the AP group ap-group2. In this
example, the AP's MAC address is 60de-4474-9640. Configure a name for the AP based on
the AP's deployment location, so that you can know where the AP is located. For example, if
the AP with MAC address 60de-4474-9640 is deployed in area 2, name the AP area_2.
[AC_2] wlan
[AC_2-wlan-view] ap auth-mode mac-auth
[AC_2-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_2-wlan-ap-1] ap-name area_2
[AC_2-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_2-wlan-ap-1] quit
# Create security profile wlan-net1 and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_2-wlan-view] vap-profile name wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_2-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_2-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] quit
# Bind the VAP profile to the AP group and apply the VAP profile wlan-net1 to radio 0 and
radio 1 of the APs.
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_2-wlan-ap-group-ap-group2] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_3-wlan-view] regulatory-domain-profile name default
[AC_3-wlan-regulate-domain-default] country-code cn
[AC_3-wlan-regulate-domain-default] quit
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group2] quit
[AC_3-wlan-view] quit
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
[AC_3] wlan
[AC_3-wlan-view] ap auth-mode mac-auth
[AC_3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_3-wlan-ap-0] ap-name area_1
[AC_3-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-0] quit
[AC_3-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_3-wlan-ap-1] ap-name area_2
[AC_3-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-1] quit
# Run the display ap all command on the AC to check the AP running status. The
command output shows that the state of both area_1 and area_2 is fault.
[AC_3-wlan-view] display ap all
Total AP information:
idle : idle [2]
------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 - - fault 0 -
1 60de-4474-9640 area_2 ap-group2 - - fault 0 -
------------------------------------------------------------------------
Total: 2
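The display ap all table is the check this document returns to after every step, so a script that parses it and compares it with the offline import plan is worth having. The following is an added example, not code from the Huawei document: it flags APs whose State is not nor, APs that came online in a different AP group than planned (and therefore carry the wrong VAP and security profiles), and MAC addresses that were never imported. The sample output is constructed from the tables on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample modelled on the display ap all outputs on this page: one AP
# already online (State nor) and one still in fault state with no IP address yet.
SAMPLE_DISPLAY_AP_ALL = """\
Total AP information:
nor   : normal        [1]
fault : fault         [1]
--------------------------------------------------------------------------------
ID   MAC             Name     Group      IP             Type      State  STA  Uptime
--------------------------------------------------------------------------------
0    60de-4476-e360  area_1   ap-group1  10.23.99.254   AP5030DN  nor    0    10S
1    60de-4474-9640  area_2   ap-group2  -              -         fault  0    -
--------------------------------------------------------------------------------
Total: 2
"""

# Huawei prints MAC addresses as three groups of four hex digits.
MAC_RE = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}$")


@dataclass(frozen=True)
class ApRow:
    ap_id: int
    mac: str
    name: str
    group: str
    ip: str
    ap_type: str
    state: str
    sta: int
    uptime: str


def parse_display_ap_all(text: str) -> List[ApRow]:
    """Return one ApRow per data row of the table.

    A data row has exactly nine whitespace-separated fields, starts with a numeric
    AP ID and has a MAC in the second column; the legend, header, separator and
    'Total:' lines each fail at least one of these tests and are skipped.
    """
    rows: List[ApRow] = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9 or not f[0].isdigit() or not MAC_RE.match(f[1]):
            continue
        rows.append(ApRow(int(f[0]), f[1].lower(), f[2], f[3], f[4], f[5], f[6],
                          int(f[7]), f[8]))
    return rows


def aps_not_online(rows: List[ApRow]) -> List[Tuple[str, str]]:
    """(name, state) for every AP whose State is anything other than nor."""
    return [(r.name, r.state) for r in rows if r.state != "nor"]


def audit_ap_table(rows: List[ApRow], planned: Dict[str, str]) -> Dict[str, list]:
    """Compare the live table with the offline import plan (MAC -> AP group).

    wrong_group: the AP is online but in a different group than planned, so it
                 receives the wrong VAP, security and regulatory-domain profiles.
    unplanned:   a MAC the plan does not know about was accepted by the AC.
    missing:     a planned AP that does not appear in the table at all.
    """
    seen = {r.mac for r in rows}
    return {
        "not_online": aps_not_online(rows),
        "wrong_group": [(r.mac, r.group, planned[r.mac]) for r in rows
                        if r.mac in planned and r.group != planned[r.mac]],
        "unplanned": sorted(r.mac for r in rows if r.mac not in planned),
        "missing": sorted(m for m in planned if m not in seen),
    }


if __name__ == "__main__":
    plan = {"60de-4476-e360": "ap-group1", "60de-4474-9640": "ap-group2"}
    report = audit_ap_table(parse_display_ap_all(SAMPLE_DISPLAY_AP_ALL), plan)
    for key, items in report.items():
        print(f"{key}: {items}")
```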
# Create security profiles wlan-net and wlan-net1, and configure security policies.
[AC_3-wlan-view] security-profile name wlan-net
[AC_3-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net] quit
[AC_3-wlan-view] security-profile name wlan-net1
[AC_3-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net1] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_3-wlan-view] ssid-profile name wlan-net
[AC_3-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_3-wlan-ssid-prof-wlan-net] quit
# Create SSID profile wlan-net1 and set the SSID name to wlan-net1.
[AC_3-wlan-view] ssid-profile name wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] quit
# Create AP system profile ap-system and configure the IP address of the standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system
[AC_3-wlan-ap-system-prof-ap-system] protect-ac ip-address 10.23.201.1
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system] quit
# Create AP system profile ap-system1 and configure the IP address of the standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system1
[AC_3-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.23.202.1
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system1] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net
[AC_3-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_3-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] quit
# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_3-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] quit
# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
to radio 0 and radio 1 of the APs.
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_3-wlan-ap-group-ap-group2] quit
# On AC_1, enable N+1 backup and restart all APs to make the function take effect.
NOTE
By default, N+1 backup is enabled. The system displays an Info message if you run the undo ac protect
enable command. You need to run the ap-reset all command to restart all APs. After the APs are restarted, N+1 backup starts to take effect.
[AC_1-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
# On AC_2, enable N+1 backup and restart all APs to make the function take effect.
[AC_2-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
# Run the display ac protect command on AC_2 to check N+1 backup information.
[AC_2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.203.1
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
# Run the display ac protect and display ap-system-profile commands on AC_3 to check N+1 backup information.
[AC_3-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : -
Priority : 5
Protect restore : enable
...
------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.201.1
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.202.1
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------
The WLAN with the SSID wlan-net or wlan-net1 is available for STAs connected to the
APs, and these STAs can connect to the WLAN and go online normally.
When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the active role. This
ensures fast service recovery.
----End
Configuration Files
l Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 99 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 99
port trunk allow-pass vlan 99 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 99 101
#
return
Networking Requirement
l AC networking mode: Layer 3 networking in bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: direct forwarding
Data Planning
Item Data
l Name: ap-group2
l Referenced profiles: VAP profile wlan-net2, regulatory domain profile default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g
l Name: wlan-net2
l Forwarding mode: direct forwarding
l Service VLAN: VLAN 102
l Referenced profiles: SSID profile wlan-net and security profile wlan-net
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
Procedure
Step 1 Configure the network devices.
# On SwitchA, add GE0/0/1 to VLAN 10 and VLAN 101, GE0/0/2 to VLAN 10, VLAN 101,
and VLAN102, and GE0/0/3 to VLAN 10 and VLAN 102. The default VLAN of GE0/0/1
and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit
# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit
# Import the APs offline on the AC and add area_1 and area_2 to AP groups ap-group1 and
ap-group2, respectively. Assume that the MAC address of area_1 is 60de-4476-e360.
Configure a name for the AP based on the AP's deployment location, so that you can know
where the AP is deployed from its name. For example, name the AP area_1 if it is deployed
in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.10.254 AP5030DN nor 0 15S
1 dcd2-fc04-b500 area_2 ap-group2 10.23.10.253 AP5030DN nor 0 10S
-------------------------------------------------------------------------------------
Total: 2
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profiles wlan-net1 and wlan-net2, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
# Bind the VAP profiles to the AP groups. Apply VAP profile wlan-net1 to radio 0 and radio
1 of area_1, and VAP profile wlan-net2 to radio 0 and radio 1 of area_2.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-net2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-net2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] quit
# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to AP groups ap-group1 and ap-group2.
# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup
# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-peak hours, for example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on AC_2. The command output shows that the STA has
associated with AP_2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
----------------------------------------------------------------------------------------
e019-1dc7-1e08 1 area_2 1/1 5G 11n 46/59 -58 101 10.23.101.254
----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC_2 to check
the STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx:link receive rate/link transmit rate(Mbps)
z:Zero Roam c:PMK Cache Roam r:802.11r Roam
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 1 60DE-4476-E370 2016/01/12 16:52:58 -51/-48 46/13
L3 10.23.100.1 area_2 1 60DE-4474-9650 2016/01/12 16:55:45 -58/- -/-
------------------------------------------------------------------------------
Number: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 102
port-isolate enable
#
return
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
Networking Requirement
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
Data Planning
Item Data
IP address pool for APs 10.23.100.2-10.23.100.254/24
IP address pool for STAs 10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
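The port-isolation note above is easy to verify against a saved switch configuration. The following is an added example, not code from the Huawei document: it parses the interface blocks of a Huawei switch configuration file, treats every trunk whose PVID is the AP management VLAN as an AP-facing port (the convention used by the SwitchA configurations on this page), and reports those ports that lack port-isolate enable. The sample configuration is constructed from this page's SwitchA file, with an extra interface GigabitEthernet0/0/4 added that is missing isolation.

```python
import re
from typing import Dict, List

# Constructed sample based on the SwitchA configuration file on this page, plus one
# additional AP-facing interface (GigabitEthernet0/0/4) without port isolation.
SAMPLE_SWITCH_CONFIG = """\
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
return
"""

PVID_RE = re.compile(r"^port trunk pvid vlan (\d+)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to the commands in its block.

    In a Huawei configuration file a line consisting of '#' (or the final
    'return') closes the current block, so anything outside an interface block
    (sysname, vlan batch, ...) is ignored here.
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def ap_facing_interfaces(blocks: Dict[str, List[str]], mgmt_vlan: int) -> List[str]:
    """Interfaces whose default (PVID) VLAN is the AP management VLAN.

    APs send their CAPWAP traffic untagged, so the port connected to an AP carries
    the management VLAN as its PVID; an uplink to the aggregation switch does not.
    """
    result = []
    for name, cmds in blocks.items():
        for cmd in cmds:
            m = PVID_RE.match(cmd)
            if m and int(m.group(1)) == mgmt_vlan:
                result.append(name)
                break
    return result


def interfaces_missing_isolation(config: str, mgmt_vlan: int) -> List[str]:
    """AP-facing interfaces without 'port-isolate enable' (any group variant)."""
    blocks = parse_interfaces(config)
    return [
        name for name in ap_facing_interfaces(blocks, mgmt_vlan)
        if not any(c.split()[:2] == ["port-isolate", "enable"] for c in blocks[name])
    ]


if __name__ == "__main__":
    for port in interfaces_missing_isolation(SAMPLE_SWITCH_CONFIG, 100):
        print(f"{port}: AP-facing trunk without port isolation")
```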
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC] wlan
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime
--------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    15S
1   dcd2-fc04-b500  area_2  ap-group1  10.23.100.253  AP5030DN  nor    0    10S
--------------------------------------------------------------------------------------
Total: 2
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup
# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-
peak hours, for example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-------------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
-------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on the AC. The command output shows that the STA has
associated with AP_2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-------------------------------------------------------------------------------------------
e019-1dc7-1e08  1      area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
-------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
Run the display station roam-track sta-mac e019-1dc7-1e08 command on the AC to check
the STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx:link receive rate/link transmit rate(Mbps)
z:Zero Roam c:PMK Cache Roam r:802.11r Roam
-----------------------------------------------------------------------------------------------------
L2/L3  AC IP        AP name  Radio ID  BSSID           TIME                 In/Out RSSI  Out Rx/Tx
-----------------------------------------------------------------------------------------------------
--     10.23.100.1  area_1   1         60DE-4476-E370  2016/01/12 16:52:58  -51/-48      46/13
L2     10.23.100.1  area_2   1         60DE-4474-9650  2016/01/12 16:55:45  -58/-        -/-
-----------------------------------------------------------------------------------------------------
Number: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
l Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
Networking Requirement
l AC networking mode: AC_1 and AC_2 in a mobility group
l DHCP deployment mode: AC_1 functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: tunnel forwarding
Data Planning
Item                      Data
DHCP server               AC_1 functions as a DHCP server to allocate IP addresses to APs and STAs.
IP address pool for APs   10.23.100.3-10.23.100.254/24
IP address pool for STAs  10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure WLAN roaming on AC_1 and AC_2 to achieve inter-AC roaming.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/2] quit
# On AC_2, add GE0/0/1 to VLAN 100 and GE0/0/2 to VLAN 100 and VLAN 101.
<AC6605> system-view
[AC6605] sysname AC_2
[AC_2] vlan batch 100 101
[AC_2] interface gigabitethernet 0/0/1
[AC_2-GigabitEthernet0/0/1] port link-type trunk
[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC_2-GigabitEthernet0/0/1] quit
[AC_2] interface gigabitethernet 0/0/2
[AC_2-GigabitEthernet0/0/2] port link-type trunk
[AC_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[AC_2-GigabitEthernet0/0/2] quit
[AC_2] interface vlanif 100
[AC_2-Vlanif100] ip address 10.23.100.2 255.255.255.0
[AC_2-Vlanif100] quit
[AC_2] interface vlanif 101
[AC_2-Vlanif101] ip address 10.23.101.2 255.255.255.0
[AC_2-Vlanif101] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On AC_1, configure VLANIF 100 and VLANIF 101 to assign IP addresses to APs and
STAs, respectively.
[AC_1] dhcp enable
[AC_1] interface vlanif 100
# Create an AP group to which the APs with the same configuration can be added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime
--------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
--------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit
# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration. By default, an air scan channel set contains all channels supported by the
corresponding country code of an AP.
# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 2G radio profile.
[AC_1-wlan-view] radio-2g-profile name wlan-radio2g
[AC_1-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC_1-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC_1-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 5G radio profile.
[AC_1-wlan-view] radio-5g-profile name wlan-radio5g
[AC_1-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC_1-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC_1-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC_1-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC_1-wlan-ap-group-ap-group1] quit
# Set the radio calibration mode to manual and trigger radio calibration.
[AC_1-wlan-view] calibrate enable manual
[AC_1-wlan-view] calibrate manual startup
# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-
peak hours, for example, between 00:00 am and 06:00 am.
[AC_1-wlan-view] calibrate enable schedule time 03:00:00
--------------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type     STA  SSID
--------------------------------------------------------------------------------------
0      area_1   0     1    60DE-4476-E360  ON      WPA/WPA2-PSK  0    wlan-net
0      area_1   1     1    60DE-4476-E370  ON      WPA/WPA2-PSK  0    wlan-net
--------------------------------------------------------------------------------------
Total: 2
[AC_2-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type     STA  SSID
--------------------------------------------------------------------------------------
1      area_2   0     1    DCD2-FC04-B500  ON      WPA/WPA2-PSK  0    wlan-net
1      area_2   1     1    DCD2-FC04-B510  ON      WPA/WPA2-PSK  0    wlan-net
--------------------------------------------------------------------------------------
Total: 2
# Run the display mobility-group name mobility command on AC_1 to check the state of
AC_1 and AC_2 in the mobility group. If the State field is displayed as normal, AC_1 and
AC_2 are in normal state.
[AC_1-wlan-view] display mobility-group name mobility
--------------------------------------------------------------------------------
State IP address Description
--------------------------------------------------------------------------------
normal 10.23.100.1 -
normal 10.23.100.2 -
--------------------------------------------------------------------------------
Total: 2
# In the coverage area of AP_1, connect the STA to the wireless network with SSID wlan-net
and enter the password a1234567. After the STA successfully associates with the network,
run the display station ssid wlan-net command on AC_1. The command output shows that
the STA with MAC address e019-1dc7-1e08 has associated with AP_1.
[AC_1-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-------------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -57   101   10.23.101.254
-------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on AC_2. The command output shows that the STA has
associated with AP_2.
[AC_2-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-------------------------------------------------------------------------------------------
e019-1dc7-1e08  1      area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
-------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC_2 to check
the STA roaming track.
[AC_2-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
z:Zero Roam c:PMK Cache Roam r:802.11r Roam
-----------------------------------------------------------------------------------------------------
L2/L3  AC IP        AP name  Radio ID  BSSID           TIME                 In/Out RSSI  Out Rx/Tx
-----------------------------------------------------------------------------------------------------
--     10.23.100.1  area_1   1         60de-4476-e360  2015/02/09 16:11:51  -57/-57      22/3
L2     10.23.100.2  area_2   1         dcd2-fc04-b500  2015/02/09 16:13:53  -58/-        -/-
-----------------------------------------------------------------------------------------------------
Number: 1
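The display ap all and display station roam-track outputs shown on this page can be checked mechanically instead of by eye. The following is an added example, not code from the Huawei document: it parses the page's own outputs (re-typed one record per line, as the AC prints them on a wide terminal) and assumes the AP allowlist is the set of MAC addresses imported offline; the third AP row in the sample is constructed so the check has something to report.

```python
import re
from collections import namedtuple

# MACs imported offline with 'ap-id ... ap-mac ...'; under the default MAC
# address authentication mode only these APs are expected to reach state 'nor'.
IMPORTED_AP_MACS = {"60de-4476-e360", "dcd2-fc04-b500"}

MAC_RE = re.compile(r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}", re.I)

# Constructed sample: the page's 'display ap all' output, one record per line,
# plus an invented third row (ID 2) that is neither imported nor in state 'nor'.
AP_ALL_OUTPUT = """\
Total AP information:
nor : normal [2]  idle : idle [1]
--------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime
--------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    15S
1   dcd2-fc04-b500  area_2  ap-group1  10.23.100.253  AP5030DN  nor    0    10S
2   0011-2233-4455  area_9  ap-group1  10.23.100.252  AP5030DN  idle   0    3S
--------------------------------------------------------------------------------------
Total: 3
"""

# Constructed sample: the inter-AC roam track shown above, one record per line.
ROAM_TRACK_OUTPUT = """\
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
z:Zero Roam c:PMK Cache Roam r:802.11r Roam
------------------------------------------------------------------------------
L2/L3  AC IP        AP name  Radio ID  BSSID           TIME                 In/Out RSSI  Out Rx/Tx
------------------------------------------------------------------------------
--     10.23.100.1  area_1   1         60de-4476-e360  2015/02/09 16:11:51  -57/-57      22/3
L2     10.23.100.2  area_2   1         dcd2-fc04-b500  2015/02/09 16:13:53  -58/-        -/-
------------------------------------------------------------------------------
Number: 1
"""

ApRecord = namedtuple("ApRecord", "ap_id mac name group ip model state stas uptime")
# kind is '--' for the first association, then 'L2' or 'L3' for each roam
RoamHop = namedtuple("RoamHop", "kind ac_ip ap_name radio bssid time rssi rate")


def parse_ap_all(text):
    """Return one ApRecord per data row of 'display ap all' (9 columns, MAC in column 2)."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 9 and f[0].isdigit() and MAC_RE.fullmatch(f[1]):
            records.append(ApRecord(int(f[0]), f[1].lower(), f[2], f[3], f[4],
                                    f[5], f[6], int(f[7]), f[8]))
    return records


def ap_problems(records, allowed=IMPORTED_AP_MACS):
    """(AP name, reason) for every AP that is not 'nor' or was not imported offline."""
    problems = []
    for r in records:
        if r.mac not in allowed:
            problems.append((r.name, "MAC not imported offline"))
        if r.state != "nor":
            problems.append((r.name, f"state {r.state}"))
    return problems


ROAM_RE = re.compile(
    r"^(--|L[23])\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+)\s+"
    r"([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)$", re.I)


def parse_roam_track(text):
    """Return the hops of 'display station roam-track' in printed order."""
    hops = []
    for line in text.splitlines():
        m = ROAM_RE.match(line)
        if m:
            kind, ac_ip, ap, radio, bssid, when, rssi, rate = m.groups()
            hops.append(RoamHop(kind, ac_ip, ap, int(radio), bssid.lower(), when, rssi, rate))
    return hops


def summarize_roam(hops):
    """Roam count, whether any roam was Layer 3, and whether the STA changed ACs."""
    if not hops:
        return None
    return {
        "hops": len(hops) - 1,
        "l3": any(h.kind == "L3" for h in hops[1:]),
        "inter_ac": len({h.ac_ip for h in hops}) > 1,
        "path": [h.ap_name for h in hops],
    }


if __name__ == "__main__":
    print(ap_problems(parse_ap_all(AP_ALL_OUTPUT)))
    print(summarize_roam(parse_roam_track(ROAM_TRACK_OUTPUT)))
```

For the page's track the summary reports one Layer 2 hop across two ACs (10.23.100.1 to 10.23.100.2), which is the inter-AC roaming this example sets out to verify.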
----End
Configuration Files
l Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
Networking Requirement
l AC networking mode: AC_1 and AC_2 in a mobility group
l DHCP deployment mode:
– AC_1 functions as a DHCP server to assign IP addresses to APs and STAs
connected to it.
– AC_2 functions as a DHCP server to assign IP addresses to APs and STAs
connected to it.
l Service data forwarding mode: direct forwarding
Data Planning
Item                          Data
DHCP server                   AC_1 functions as a DHCP server to allocate IP addresses to STAs and APs connected to it.
                              AC_2 functions as a DHCP server to allocate IP addresses to STAs and APs connected to it.
IP address pool for the APs   10.23.100.2-10.23.100.254/24
                              10.23.200.2-10.23.200.254/24
IP address pool for the STAs  10.23.101.2-10.23.101.254/24
                              10.23.102.2-10.23.102.254/24
                              l Name: ap-group2
                              l Referenced profile: VAP profile wlan-net2 and regulatory domain profile default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g
                              l Name: wlan-net2
                              l Forwarding mode: direct forwarding
                              l Service VLAN: VLAN 102
                              l Referenced profiles: SSID profile wlan-net and security profile wlan-net
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure WLAN roaming on AC_1 and AC_2 to achieve inter-AC roaming.
NOTE
During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
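Two of the notes above (port isolation on the interfaces directly connected to APs, and management and service VLANs that differ in tunnel forwarding mode) can be checked against a device's configuration file before it is deployed. The following checker is an added example, not part of the Huawei document; it reads configuration files in the format shown in the Configuration Files sections, and its sample inputs are constructed: SwitchA's configuration file with port-isolate enable removed from GE0/0/3, plus an AC WLAN section whose wlan/vap-profile nesting is assumed.

```python
import re

MGMT_VLAN = 100   # management VLAN used throughout the examples on this page

# Constructed sample: SwitchA's configuration file from this page, with
# 'port-isolate enable' deliberately omitted on GE0/0/3 so the check reports it.
SWITCH_CONFIG = """\
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
return
"""

# Constructed sample of an AC's WLAN section (assumed layout: profiles nested one
# level under 'wlan', settings one level deeper). The second VAP profile wrongly
# reuses the management VLAN as its service VLAN while in tunnel forwarding mode.
AC_WLAN_CONFIG = """\
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 vap-profile name guest-net
  forward-mode tunnel
  service-vlan vlan-id 100
#
return
"""


def blocks(text):
    """Yield (header, body_lines) for each '#'-separated block of a VRP config file."""
    header, body = None, []
    for raw in text.splitlines():
        if raw.strip() in ("", "#", "return"):
            if header:
                yield header, body
            header, body = None, []
            continue
        if header is None:
            header = raw.strip()          # e.g. 'interface GigabitEthernet0/0/1'
        else:
            body.append(raw)              # keep indentation for nested sections
    if header:
        yield header, body


def unisolated_ap_ports(config, mgmt_vlan=MGMT_VLAN):
    """AP-facing trunk ports (PVID = management VLAN) that lack 'port-isolate enable'."""
    found = []
    for header, body in blocks(config):
        if not header.startswith("interface GigabitEthernet"):
            continue
        lines = [l.strip() for l in body]
        if f"port trunk pvid vlan {mgmt_vlan}" in lines and "port-isolate enable" not in lines:
            found.append(header.split()[-1])
    return found


def tunnel_vlan_clashes(config, mgmt_vlan=MGMT_VLAN):
    """Tunnel-mode VAP profiles whose service VLAN equals the management VLAN."""
    found = []
    for header, body in blocks(config):
        if header != "wlan":
            continue
        profile = mode = svc = None
        for raw in body + [" end"]:                 # sentinel flushes the last profile
            indent = len(raw) - len(raw.lstrip())
            line = raw.strip()
            if indent <= 1:                         # a new direct child of 'wlan'
                if profile and mode == "tunnel" and svc == str(mgmt_vlan):
                    found.append(profile)
                m = re.match(r"vap-profile name (\S+)", line)
                profile = m.group(1) if m else None
                mode = svc = None                   # unset mode means direct forwarding
            elif line.startswith("forward-mode "):
                mode = line.split()[1]
            elif line.startswith("service-vlan vlan-id "):
                svc = line.split()[2]
    return found


if __name__ == "__main__":
    print("AP ports without isolation:", unisolated_ap_ports(SWITCH_CONFIG))
    print("tunnel VAPs on the management VLAN:", tunnel_vlan_clashes(AC_WLAN_CONFIG))
```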
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100 101
[Switch_1] interface GigabitEthernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 200 and VLAN 102. The default VLAN
of GE0/0/1 is VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 200 102
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 200
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 200 102
[Switch_2-GigabitEthernet0/0/1] quit
# Configure Router.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.100.2 255.255.255.0
[Router-GigabitEthernet0/0/1] quit
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 10.23.200.2 255.255.255.0
[Router-GigabitEthernet0/0/2] quit
Step 4 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On AC_1, configure VLANIF 100 and VLANIF 101 to assign IP addresses to APs and
STAs, respectively.
[AC_1] dhcp enable
[AC_1] interface vlanif 100
[AC_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[AC_1-Vlanif100] dhcp select interface
[AC_1-Vlanif100] quit
[AC_1] interface vlanif 101
[AC_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
# On AC_2, configure VLANIF 200 and VLANIF 102 to assign IP addresses to APs and
STAs, respectively.
[AC_2] dhcp enable
[AC_2] interface vlanif 200
[AC_2-Vlanif200] ip address 10.23.200.1 255.255.255.0
[AC_2-Vlanif200] dhcp select interface
[AC_2-Vlanif200] quit
[AC_2] interface vlanif 102
[AC_2-Vlanif102] ip address 10.23.102.1 255.255.255.0
[AC_2-Vlanif102] dhcp select interface
[AC_2-Vlanif102] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime
--------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
--------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net1
[AC_1-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net1] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net1] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net1] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net1] quit
# Bind VAP profile wlan-net1 to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit
# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration. By default, an air scan channel set contains all channels supported by the
corresponding country code of an AP.
[AC_1-wlan-view] air-scan-profile name wlan-airscan
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC_1-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 2G radio profile.
[AC_1-wlan-view] radio-2g-profile name wlan-radio2g
[AC_1-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC_1-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC_1-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 5G radio profile.
[AC_1-wlan-view] radio-5g-profile name wlan-radio5g
[AC_1-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC_1-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC_1-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC_1-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC_1-wlan-ap-group-ap-group1] quit
# Set the radio calibration mode to manual and trigger radio calibration.
[AC_1-wlan-view] calibrate enable manual
[AC_1-wlan-view] calibrate manual startup
# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-
peak hours, for example, between 00:00 am and 06:00 am.
[AC_1-wlan-view] calibrate enable schedule time 03:00:00
# In the coverage area of AP_1, connect the STA to the wireless network with SSID wlan-net
and enter the password a1234567. After the STA successfully associates with the network,
run the display station ssid wlan-net command on AC_1. The command output shows that
the STA with MAC address e019-1dc7-1e08 has associated with AP_1.
[AC_1-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08   0      area_1   1/1      5G    11n   46/59  -57   101   10.23.101.254
------------------------------------------------------------------------------------
Total: 1          2.4G: 0          5G: 1
# When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on AC_2. The command output shows that the STA has
associated with AP_2.
[AC_2-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08   1      area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
------------------------------------------------------------------------------------
Total: 1          2.4G: 0          5G: 1
# Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC_2 to check
the STA roaming track.
[AC_2-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
z:Zero Roam c:PMK Cache Roam r:802.11r Roam
------------------------------------------------------------------------------
L2/L3  AC IP        AP name  Radio ID  BSSID  TIME  In/Out RSSI  Out Rx/Tx
------------------------------------------------------------------------------
--     10.23.100.1  area_1   1
----End
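The two display station ssid wlan-net snapshots above are how the example proves that the STA roamed from AP_1 to AP_2 and kept its IP address. The following Python script is an added example, not part of the Huawei documentation: it parses such output into records and compares two snapshots, reporting each STA whose serving AP changed and whether its VLAN and IP address survived the roam. The output it parses is constructed after the snapshots shown above, not captured from a device.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample output, modelled on the display station ssid wlan-net
# output shown in this example (not captured from a real AC).
SNAPSHOT_AC1 = """\
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08   0      area_1   1/1      5G    11n   46/59  -57   101   10.23.101.254
------------------------------------------------------------------------------------
Total: 1          2.4G: 0          5G: 1
"""

# The same STA as seen on AC_2 after the roam: new AP, slightly different RSSI.
SNAPSHOT_AC2 = SNAPSHOT_AC1.replace("0      area_1", "1      area_2").replace("-57", "-58")

# Huawei prints MAC addresses as xxxx-xxxx-xxxx.
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")


@dataclass(frozen=True)
class StaRecord:
    mac: str
    ap_id: int
    ap_name: str
    radio_id: int
    wlan_id: int
    band: str
    rssi: int
    vlan: int
    ip: str


def parse_display_station(output: str) -> Dict[str, StaRecord]:
    """Return the STA rows of a display station ssid output, keyed by STA MAC.

    A data row has exactly ten whitespace-separated fields and starts with a
    MAC address; the legend, header, separator and Total lines do not, so
    they are skipped without relying on a fixed-width layout."""
    records: Dict[str, StaRecord] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 10 or not MAC_RE.match(parts[0]):
            continue
        radio_id, wlan_id = parts[3].split("/")  # Rf/WLAN column
        records[parts[0]] = StaRecord(
            mac=parts[0], ap_id=int(parts[1]), ap_name=parts[2],
            radio_id=int(radio_id), wlan_id=int(wlan_id), band=parts[4],
            rssi=int(parts[7]), vlan=int(parts[8]), ip=parts[9],
        )
    return records


def roam_events(before: Dict[str, StaRecord],
                after: Dict[str, StaRecord]) -> List[Tuple[str, str, str, bool]]:
    """Compare two snapshots and report (mac, old AP, new AP, address kept).

    In a Layer 2 roam the STA keeps its service VLAN and IP address; a changed
    address points to a fresh association rather than a seamless roam."""
    events = []
    for mac, new in after.items():
        old = before.get(mac)
        if old is not None and old.ap_name != new.ap_name:
            kept = old.vlan == new.vlan and old.ip == new.ip
            events.append((mac, old.ap_name, new.ap_name, kept))
    return events


if __name__ == "__main__":
    before = parse_display_station(SNAPSHOT_AC1)
    after = parse_display_station(SNAPSHOT_AC2)
    for mac, src, dst, kept in roam_events(before, after):
        print(f"{mac}: {src} -> {dst}, VLAN/IP preserved: {kept}")
```

Feed the script the output of display station ssid collected from each AC of the mobility group before and after the STA moves; a roam reported with the address flag False is the case to investigate, because the STA did not keep its Layer 2 identity.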
Configuration Files
l Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 101
#
return
l AC_1 configuration file
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.23.200.0 255.255.255.0 10.23.100.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net1
forward-mode direct-forward
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
mobility-group name mobility
member ip-address 10.23.100.1
member ip-address 10.23.200.1
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
rrm-profile name wlan-rrm
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net1 wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net1 wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name ap1
ap-group ap-group1
#
return
l AC_2 configuration file
#
sysname AC_2
#
vlan batch 101 to 102 200
#
dhcp enable
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 102 200
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
#
capwap source interface vlanif200
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net2
service-vlan vlan-id 102
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
mobility-group name mobility
member ip-address 10.23.100.1
member ip-address 10.23.200.1
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
rrm-profile name wlan-rrm
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
ap-group name ap-group2
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net2 wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net2 wlan 1
ap-id 1 type-id 35 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000078
ap-name ap2
ap-group ap-group2
#
return
Service Requirements
Students in dormitories need to access the Internet through WLANs.
Walls between numerous rooms in the dormitory building cause serious wireless signal
attenuation, degrading signal quality. To resolve this issue, an agile distributed WLAN is
used, with a remote unit (RU) deployed in each dormitory. RUs are connected to a central AP,
and all RUs and central APs are centrally managed by the AC, delivering high-quality WLAN
coverage for each dormitory.
Networking Requirements
l AC networking mode: Layer 2 networking in inline mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
central APs, RUs, and STAs.
l Service data forwarding mode: tunnel forwarding
Data Planning
Item                                       Data
IP address pool for central APs and RUs    10.23.100.2-10.23.100.254/24
IP address pool for STAs                   10.23.101.2-10.23.101.254/24
Configuration Roadmap
1. Configure the AC, RUs, central APs, and network devices to communicate at Layer 2.
2. Configure the AC as a DHCP server to assign IP addresses to central APs, RUs, and
STAs.
3. Configure the central APs and RUs to go online.
a. Create an AP group and add central APs and RUs that require the same
configuration to the group for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the central APs and RUs.
c. Configure the AP authentication mode and import the central APs and RUs offline
to allow them to go online.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] port-isolate enable
[AC-GigabitEthernet0/0/1] quit
Step 3 Configure a DHCP server to assign IP addresses to central APs, RUs, and STAs.
# Configure the AC as a DHCP server to assign IP addresses to central APs and RUs from the
IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool
on VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the central AP and RUs offline on the AC and add the central AP and RUs to AP
group ap-group1. Assume that the central AP's MAC address is 68a8-2845-62fd, name the
central AP central_AP; the RU's MAC addresses are fcb6-9897-c520 and fcb6-9897-ca40,
name the RUs ru_1 and ru_2, respectively.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 68a8-2845-62fd
[AC-wlan-ap-0] ap-name central_AP
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac fcb6-9897-c520
[AC-wlan-ap-1] ap-name ru_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac fcb6-9897-ca40
[AC-wlan-ap-2] ap-name ru_2
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
# After the central AP is powered on, run the display ap all command to check the AP state.
If the State field is displayed as nor, the central AP and RUs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
---------------------------------------------------------------------------------------------
ID  MAC             Name        Group      IP             Type         State  STA  Uptime
---------------------------------------------------------------------------------------------
0   68a8-2845-62fd  central_AP  ap-group1  10.23.100.254  AD9430DN-24  nor    0    2M:25S
1   fcb6-9897-c520  ru_1        ap-group1  10.23.100.253  R240D        nor    0    3M:5S
2   fcb6-9897-ca40  ru_2        ap-group1  10.23.100.252  R240D        nor    0    3M:14S
---------------------------------------------------------------------------------------------
Total: 3
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the RU channel and power in this example are for reference only. You need to configure the
RU channel and power based on the actual country code and network planning.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit
The AC automatically delivers WLAN service configuration to the RUs. After the
configuration is complete, run the display vap ssid wlan-net command. If the Status field is
displayed as ON, the VAPs have been successfully created on RU radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
1 ru_1 0 1 FCB6-9897-C520 ON WPA/WPA2-PSK 0 wlan-net
1 ru_1 1 1 FCB6-9897-C530 ON WPA/WPA2-PSK 0 wlan-net
2 ru_2 0 1 FCB6-9897-CA40 ON WPA/WPA2-PSK 0 wlan-net
2 ru_2 1 1 FCB6-9897-CA50 ON WPA/WPA2-PSK 0 wlan-net
--------------------------------------------------------------------------------
Total: 4
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08   1      ru_1     1/1      5G    11n   46/59  -68   101   10.23.101.254
------------------------------------------------------------------------------------
Total: 1          2.4G: 0          5G: 1
----End
Configuration Files
l Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 52 ap-mac 68a8-2845-62fd ap-sn 2102350KGF10F8000012
ap-name central_AP
ap-group ap-group1
ap-id 1 type-id 54 ap-mac fcb6-9897-c520 ap-sn 21500826402SF4900166
ap-name ru_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
ap-id 2 type-id 54 ap-mac fcb6-9897-ca40 ap-sn 21500826402SF4900207
ap-name ru_2
ap-group ap-group1
#
return
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: direct forwarding
Data Planning
Configuration Roadmap
1. Configure network interworking of the APs, AC, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Adjust WLAN high-density parameters.
You are advised to adjust WLAN high-density parameters according to Table 4-53.
Item | Description | Configuration
Configure 5G-prior access | To reduce the burden on the 2.4 GHz radio by preferentially connecting 5G-capable STAs to the 5 GHz radio when a large number of 2.4 GHz STAs exist on the network. | Enable band steering. By default, band steering is enabled.
Reduce the user association aging time | To prevent users who frequently disconnect from the wireless network. | Set the association aging time to 1 minute.
Limit user rates | To prevent advantaged STAs from occupying too many rate resources and deteriorating the service experience of disadvantaged STAs. | Limit the downstream rate of each STA to 2000 kbit/s in a VAP. Adjust the upstream rate according to actual situations. In this example, the upstream rate is set to 1000 kbit/s.
Configure smart roaming | To prevent weak-signal STAs from degrading user experience. | Enable smart roaming and set the SNR threshold to 15 dB.
Set the RTS-CTS threshold | To prevent hidden STAs. | Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.
Adjust the interval at which Beacon frames are sent | To improve the overall data traffic of APs. | Set the interval for sending Beacon frames to 160 ms.
Set the guard interval (GI) mode to short GI | To reduce extra overhead and improve AP transmission efficiency. | Set the GI mode to short GI.
Configure the basic rate set | To improve the overall AP throughput. | Delete low rates from the basic rate set.
Configure the multicast rate | To improve air interface efficiency. | Use the default values. By default, the multicast transmit rate of wireless packets is 11 Mbit/s for the 2.4 GHz radio and 6 Mbit/s for the 5 GHz radio.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
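The Configuration Notes above (the same notes appear in the agile distributed WLAN example earlier in this chapter) state two conditions that can be checked mechanically in a saved configuration file: in tunnel forwarding mode the service VLAN must differ from the management VLAN, and interfaces directly connected to APs must have port isolation enabled. The following Python audit is an added example and not part of the Huawei documentation: it splits a configuration file at its '#' separators, reads the management VLAN from capwap source interface, and reports violations of both notes. The sample configuration is constructed after the AC configuration file above; treating trunks whose PVID is the management VLAN as AP-facing, and a vap-profile without forward-mode as direct-forward, are assumptions of this script.

```python
import re
from typing import Dict, List

# Constructed sample AC configuration modelled on the AC configuration file in
# this chapter (management VLAN 100, service VLAN 101, tunnel forwarding).
GOOD_CONFIG = """\
#
sysname AC
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
return
"""

# The same file with the two faults the notes warn about: service VLAN equal to
# the management VLAN, and the AP-facing trunk without port isolation.
BAD_CONFIG = (GOOD_CONFIG
              .replace("service-vlan vlan-id 101", "service-vlan vlan-id 100")
              .replace(" port-isolate enable\n", ""))


def split_sections(text: str) -> List[List[str]]:
    """Split a Huawei configuration file at its '#' separator lines, keeping
    the leading spaces that encode nesting; the trailing 'return' is dropped."""
    sections: List[List[str]] = []
    current: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.strip() == "#":
            if current:
                sections.append(current)
            current = []
        elif line.strip() and line.strip() != "return":
            current.append(line)
    return sections + ([current] if current else [])


def vap_profiles(wlan: List[str]) -> Dict[str, dict]:
    """Collect forward-mode and service VLAN per vap-profile in a wlan section.
    Assumption: a profile without forward-mode uses direct-forward, the default
    on these ACs (the AC_2 configuration file above omits the line)."""
    profiles: Dict[str, dict] = {}
    name = None
    for line in wlan[1:]:
        indent = len(line) - len(line.lstrip(" "))
        text = line.strip()
        if indent == 1:  # a direct child of 'wlan' starts a new object
            m = re.match(r"^vap-profile name (\S+)$", text)
            name = m.group(1) if m else None
            if name:
                profiles[name] = {"forward-mode": "direct-forward", "service-vlan": None}
        elif name and indent >= 2:
            if text.startswith("forward-mode "):
                profiles[name]["forward-mode"] = text.split()[1]
            elif text.startswith("service-vlan vlan-id "):
                profiles[name]["service-vlan"] = int(text.split()[2])
    return profiles


def audit(config: str) -> List[str]:
    """Check a configuration file against the two configuration notes: tunnel
    forwarding must not use the management VLAN as service VLAN, and AP-facing
    interfaces (assumed here to be trunks whose PVID is the management VLAN, as
    in the direct-connect case above) must have port isolation enabled."""
    sections = split_sections(config)
    mgmt = None
    for sec in sections:
        for line in sec:
            m = re.match(r"^capwap source interface vlanif(\d+)$", line.strip(), re.I)
            if m:
                mgmt = int(m.group(1))
    if mgmt is None:
        return ["no 'capwap source interface vlanif<N>': management VLAN unknown"]
    findings = []
    for sec in sections:
        head = sec[0].strip()
        body = [ln.strip() for ln in sec[1:]]
        if head == "wlan":
            for name, prof in vap_profiles(sec).items():
                if prof["forward-mode"] == "tunnel" and prof["service-vlan"] == mgmt:
                    findings.append(f"vap-profile {name}: tunnel forwarding with service "
                                    f"VLAN {mgmt} equal to the management VLAN")
        elif head.startswith("interface ") and f"port trunk pvid vlan {mgmt}" in body \
                and "port-isolate enable" not in body:
            findings.append(f"{head.split()[1]}: AP-facing trunk (PVID {mgmt}) "
                            "without port-isolate enable")
    return findings
```

Run audit() on the text of display current-configuration saved from an AC or access switch; an empty list means both notes are satisfied, and each finding names the vap-profile or interface to fix.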
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLANs 10, 101, and 102. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add multiple VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-----------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP            Type      State  STA  Uptime
-----------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.10.254  AP5030DN  nor    0    10S
-----------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
# Enable the band steering function. By default, the band steering function is enabled.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-net-prof-wlan-net] undo band-steer disable
# Enable the broadcast flood detection function and set a broadcast flood threshold. By
default, the broadcast flood detection function is enabled.
[AC-wlan-net-prof-wlan-net] undo anti-attack broadcast-flood disable
[AC-wlan-net-prof-wlan-net] quit
# Set the maximum number of STAs associated with a VAP to 128, association timeout
period to 1 minute, and EDCA parameters for AC_BE packets of STAs.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] max-sta-number 128
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] association-timeout 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10
[AC-wlan-ssid-prof-wlan-net] quit
# Create traffic profile wlan-traffic and set the rate limit for upstream and downstream
traffic to 4000 kbit/s.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client down 4000
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client up 4000
[AC-wlan-traffic-prof-wlan-traffic] quit
# Create RRM profile wlan-rrm, disable automatic calibration, enable airtime fair scheduling and
smart roaming, and set the SNR-based threshold for smart roaming to 15 dB.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-rrm] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-rrm] airtime-fair-schedule enable
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-rrm-prof-wlan-rrm] smart-roam enable
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold check-snr
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold snr 15
[AC-wlan-rrm-prof-wlan-rrm] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
When a large number of users connect to the network in the stadium, the users still have good
Internet experience.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100 to 102
#
dhcp enable
#
interface Vlanif10
ip address 10.23.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
l Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
traffic-profile name wlan-traffic
rate-limit client up 4000
rate-limit client down 4000
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#wQ}eV*m'Y#f6Mj@h#DxTLrKaYm|)pBm@w$(jpeqE%^%# aes
ssid-profile name wlan-net
ssid wlan-net
association-timeout 1
max-sta-number 128
wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0
vap-profile name wlan-net
service-vlan vlan-pool sta-pool
ssid-profile wlan-net
security-profile wlan-net
traffic-profile wlan-traffic
anti-attack broadcast-flood sta-rate-threshold 50
regulatory-domain-profile name default
rrm-profile name wlan-rrm
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
airtime-fair-schedule enable
smart-roam enable
smart-roam roam-threshold snr 15
radio-2g-profile name wlan-radio2g
dot11bg basic-rate 6 9 12 18 24 36 48 54
beacon-interval 160
guard-interval-mode short
multicast-rate 11
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
radio-5g-profile name wlan-radio5g
beacon-interval 160
guard-interval-mode short
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
multicast-rate 6
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 60 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
l Backhaul radio: 5 GHz radio
Data Planning
......
.......
Item Data
Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted AP can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications.
NOTE
l This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
Fat AP mode as the vehicle-mounted APs.
l Switches and routers used in this example are all Huawei products.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
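The port isolation and VLAN separation notes above can be checked mechanically against a switch configuration file of the kind listed under Configuration Files. The following Python script is an added example, not part of the Huawei document or its device software: it parses the interface blocks of a VRP-style configuration, treats a trunk whose PVID is the AP management VLAN as AP-facing, and reports AP-facing ports without port-isolate enable, AP-facing trunks that do not allow every service VLAN, and a management VLAN that is also used as a service VLAN. The sample configuration (modelled on SwitchA from the stadium example), the VLAN roles and the audit() function are constructed assumptions.

```python
"""Audit a Huawei VRP-style switch configuration against two of the
Configuration Notes: AP-facing trunk ports need 'port-isolate enable', and
the AP management VLAN must not double as a service VLAN.

Added example, not part of the Huawei document. The sample configuration,
the audit() function and the VLAN roles are constructed assumptions."""
import re

# Constructed sample modelled on the SwitchA configuration file of the
# stadium example: management VLAN 10 (PVID of AP-facing ports), service
# VLANs 101 and 102. GigabitEthernet0/0/3 deliberately lacks
# 'port-isolate enable' so that the audit has something to report.
SAMPLE_CONFIG = """\
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101 to 102
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101 to 102
#
return
"""


def parse_interfaces(config):
    """Map each 'interface <name>' block to its stripped command lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("#", "return"):
            current = None          # '#' terminates a VRP config block
        elif current is not None:
            blocks[current].append(line)
    return blocks


def expand_vlans(spec):
    """Expand a VRP VLAN list such as '10 101 to 102' into {10, 101, 102}."""
    vlans, tokens, i = set(), spec.split(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def first_match(lines, pattern):
    """Return group 1 of the first line matching pattern, else None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None


def audit(config, mgmt_vlan, service_vlans):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if mgmt_vlan in service_vlans:
        findings.append(f"management VLAN {mgmt_vlan} is also a service VLAN")
    for name, lines in parse_interfaces(config).items():
        pvid = first_match(lines, r"port trunk pvid vlan (\d+)")
        # Assumption: a trunk whose PVID is the management VLAN faces an AP;
        # trunks without that PVID are switch uplinks and are left alone.
        if pvid is None or int(pvid) != mgmt_vlan:
            continue
        if "port-isolate enable" not in lines:
            findings.append(f"{name}: AP-facing port without port-isolate enable")
        allowed = first_match(lines, r"port trunk allow-pass vlan (.+)")
        missing = service_vlans - (expand_vlans(allowed) if allowed else set())
        if missing:
            findings.append(f"{name}: service VLANs {sorted(missing)} not allowed on trunk")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, mgmt_vlan=10, service_vlans={101, 102}):
        print("FINDING:", finding)
```

Run it against a saved copy of display current-configuration from the access switch. The rule that an AP-facing port is one whose PVID is the management VLAN matches the switch files in this guide, where the trunks between switches carry no PVID; adapt it if your AP ports are configured differently.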
Procedure
l Configure ground network devices.
a. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add
interfaces GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to
allow packets from VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4
to VLAN 101. Add GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and
configure GE0/0/5 to allow packets from VLAN 200 to pass through. Configure
GE0/0/1, GE0/0/2, and GE0/0/6 to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit
b. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP
server function to assign IP addresses to vehicle-mounted terminals.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[Switch_A-Vlanif101] quit
c. Configure an IP address for VLANIF 200 on Switch_A and specify the IP address
of GE1/0/0 on the router as the next hop address of the default route so that packets
from the vehicle-ground communication network can be forwarded to the egress
router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1
d. Configure an IP address for GE1/0/0 on Router and configure routes to the internal
network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 24 10.23.200.2
[Router] ip route-static 10.23.100.0 24 10.23.200.2
NOTE
You can configure routes to external networks and the NAT function on the egress router
according to service requirements to ensure normal communications between internal and
external networks.
e. Configure Switch_B and Switch_C to enable Layer 2 communications between
trackside APs and the ground network.
# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100.
NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast
services. If the trackside APs are not directly connected to the switches or Layer 3
multicast is configured, you cannot configure the fast leave function because this
function may interrupt multicast services.
# Create VLAN 100 on the AC and configure GE0/0/1 to allow packets from
VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
# Create the AP group mesh-mpp and add trackside APs that require the same
configuration to the group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] quit
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 0046-4b59-1d10
[AC-wlan-ap-1] ap-name L1_001
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 0046-4b59-1d20
[AC-wlan-ap-2] ap-name L1_003
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 0046-4b59-1d30
[AC-wlan-ap-3] ap-name L1_010
[AC-wlan-ap-3] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 101 ap-mac 0046-4b59-1d40
[AC-wlan-ap-101] ap-name L1_150
[AC-wlan-ap-101] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 0046-4b59-1d50
[AC-wlan-ap-102] ap-name L1_160
[AC-wlan-ap-102] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac 0046-4b59-1d60
[AC-wlan-ap-103] ap-name L1_170
[AC-wlan-ap-103] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit
i. Configure the trackside APs' uplink wired interfaces to allow packets from VLAN
101 to pass through.
# Configure the wired port profile wired-port and add the wired interfaces to
VLAN 101 in tagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit
# Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# Configure the security profile sp01 used by Mesh links. The sp01 supports the
security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-sp01] quit
# Configure the Mesh role. Set the Mesh role of trackside APs to Mesh-portal
through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit
# Configure the Mesh handover profile hand-over and enable the location-based
fast link handover algorithm.
[AC-wlan-view] mesh-handover-profile name hand-over
[AC-wlan-mesh-handover-hand-over] location-based-algorithm enable
[AC-wlan-mesh-handover-hand-over] quit
# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] security-profile sp01
[AC-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AC-wlan-mesh-prof-mesh-net] quit
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile whitelist01
[AC-wlan-group-radio-mesh-mpp/1] mesh-profile mesh-net
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] quit
[AC] quit
# Add MAC addresses of all trackside APs along the rail line to the Mesh whitelist
of vehicle-mounted APs on the other trains according to the preceding configuration
procedure.
# Configure the security profile sp01 used by Mesh links. The sp01 supports the
security policy WPA2+PSK+AES.
[AP-wlan-view] security-profile name sp01
[AP-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-sp01] quit
# Configure the Mesh handover profile hand-over, enable the location-based fast
link handover algorithm, and set the moving direction of the vehicle-mounted AP to
forward.
[AP-wlan-view] mesh-handover-profile name hand-over
[AP-wlan-mesh-handover-hand-over] location-based-algorithm enable moving-direction forward
[AP-wlan-mesh-handover-hand-over] quit
NOTE
In this example, the moving direction of the vehicle-mounted AP in the rear must be set to
backward.
# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AP-wlan-view] mesh-profile name mesh-net
[AP-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AP-wlan-mesh-prof-mesh-net] security-profile sp01
[AP-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AP-wlan-mesh-prof-mesh-net] quit
[AP-wlan-view] quit
# Configure Mesh VAPs for other vehicle-mounted APs according to the preceding
configuration procedure.
e. Add proxied devices on the vehicle-mounted APs.
# Add proxied ground devices. Add MAC addresses of Switch_A, the network
management device, and multicast source on the vehicle-mounted APs.
[AP] wlan
[AP-wlan-view] mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101
39/47/-
L1_003 1 3 157 portal - -59 -7 0 0 50 19/14/37
L1_010 1 3 157 portal - -45 -33 0 0 37 20/17/17
L1_150 1 3 157 portal - -54 -39 0 0 46 34/43/-
L1_160 1 3 157 portal - -52 -7 0 0 32 21/18/35
L1_170 1 3 157 portal - -42 -33 0 0 29 26/14/19
------------------------------------------------------------------------------
Total: 6
18:08:21
------------------------------------------------------------------------------
Total: 6
------------------------------------------------------------------------------
1 18:52:27 0046-4b59-1d50/-95/160 0046-4b59-1d60/-15/170
2 18:50:46 0046-4b59-1d40/-95/150 0046-4b59-1d50/-34/160
3 18:49:25 0046-4b59-1d30/-95/10 0046-4b59-1d40/-11/150
4 18:48:56 0046-4b59-1d20/-95/3 0046-4b59-1d30/-40/10
5 18:47:39 0046-4b59-1d10/-47/1 0046-4b59-1d20/-36/3
------------------------------------------------------------------------------
----End
Configuration Files
l Ground network devices
– Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.200.1 255.255.255.0
#
ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
ip route-static 10.23.224.0 255.255.255.0 10.23.200.2
#
return
– Switch_C configuration file
#
sysname Switch_C
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
– AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-2e10
peer-ap mac 0046-4b59-2e20
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
regulatory-domain-profile name default
ap-system-profile name mesh-sys
mesh-role Mesh-portal
wired-port-profile name wired-port
vlan tagged 101
ap-group name mesh-mpp
ap-system-profile mesh-sys
wired-port-profile wired-port gigabitethernet 0
radio 1
mesh-profile mesh-net
mesh-whitelist-profile whitelist01
channel 40mhz-plus 157
ap-id 1 type-id 48 ap-mac 0046-4b59-1d10 ap-sn 210235554710CB000042
ap-name L1_001
ap-group mesh-mpp
ap-id 2 type-id 48 ap-mac 0046-4b59-1d20 ap-sn 210235555310CC000094
ap-name L1_003
ap-group mesh-mpp
ap-id 3 type-id 48 ap-mac 0046-4b59-1d30 ap-sn 210235419610CB002287
ap-name L1_010
ap-group mesh-mpp
ap-id 101 type-id 48 ap-mac 0046-4b59-1d40 ap-sn 210235555310CC00AC69
ap-name L1_150
ap-group mesh-mpp
ap-id 102 type-id 48 ap-mac 0046-4b59-1d50 ap-sn 210235555310CC003587
ap-name L1_160
ap-group mesh-mpp
ap-id 103 type-id 48 ap-mac 0046-4b59-1d60 ap-sn 210235449210CB000011
ap-name L1_170
ap-group mesh-mpp
#
return
igmp-snooping enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable moving-direction forward
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-1d10
peer-ap mac 0046-4b59-1d20
peer-ap mac 0046-4b59-1d30
peer-ap mac 0046-4b59-1d40
peer-ap mac 0046-4b59-1d50
peer-ap mac 0046-4b59-1d60
mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 101
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
#
interface Wlan-Radio0/0/1
mesh-profile mesh-net
mesh-whitelist-profile whitelist01
channel 40mhz-plus 157
#
return
Service Requirements
To reduce network deployment costs and better serve passengers, a rail transportation
enterprise wants to use WLAN technology to implement vehicle-ground communications and
expects that multicast servers on the ground network can deliver multimedia information
services to passengers. If a single vehicle-mounted AP fails, vehicle-ground
communication is interrupted. To prevent such an outage, the customer requires redundancy
between the two vehicle-mounted APs; the VRRP function is recommended.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
l Backhaul radio: 5 GHz radio
Data Planning
......
.......
Item Data
Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted APs can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications
and configure VRRP and BFD between the vehicle-mounted APs.
NOTE
l This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
Fat AP mode as the vehicle-mounted APs.
l Switches and routers used in this example are all Huawei products.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
l Configure ground network devices.
a. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add
interfaces GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to
allow packets from VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4
to VLAN 101. Add GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and
configure GE0/0/5 to allow packets from VLAN 200 to pass through. Configure
GE0/0/1, GE0/0/2, and GE0/0/6 to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit
b. On Switch_A, configure an IP address for VLANIF 101.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] quit
c. Configure an IP address for VLANIF 200 on Switch_A and specify the IP address
of GE1/0/0 on the router as the next hop address of the default route so that packets
from the vehicle-ground communication network can be forwarded to the egress
router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1
e. Configure an IP address for GE1/0/0 on Router and configure routes to the internal
network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 24 10.23.200.2
[Router] ip route-static 10.23.100.0 24 10.23.200.2
NOTE
You can configure routes to external networks and the NAT function on the egress router
according to service requirements to ensure normal communications between internal and
external networks.
f. Configure Switch_B and Switch_C to enable Layer 2 communications between
trackside APs and the ground network.
# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# Configure other interfaces connected to trackside APs on Switch_B according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set
their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] quit
# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100.
# Configure other interfaces connected to trackside APs on Switch_C according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set
their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/1] quit
NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast
services. If the trackside APs are not directly connected to the switches or Layer 3
multicast is configured, you cannot configure the fast leave function because this
function may interrupt multicast services.
# Create VLAN 100 on the AC and configure GE0/0/1 to allow packets from
VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
# Create the AP group mesh-mpp and add trackside APs that require the same
configuration to the group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit
# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] quit
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 0046-4b59-1d10
[AC-wlan-ap-1] ap-name L1_001
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 0046-4b59-1d20
[AC-wlan-ap-2] ap-name L1_003
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 0046-4b59-1d30
[AC-wlan-ap-3] ap-name L1_010
[AC-wlan-ap-3] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 101 ap-mac 0046-4b59-1d40
[AC-wlan-ap-101] ap-name L1_150
[AC-wlan-ap-101] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 0046-4b59-1d50
[AC-wlan-ap-102] ap-name L1_160
[AC-wlan-ap-102] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
j. Configure the trackside APs' uplink wired interfaces to allow packets from VLAN
101 to pass through.
# Configure the wired port profile wired-port and add the wired interfaces to
VLAN 101 in tagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit
# Create the Mesh whitelist whitelist01 and add MAC addresses of vehicle-
mounted APs to the Mesh whitelist.
[AC-wlan-view] mesh-whitelist name whitelist01
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e10
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e20
[AC-wlan-mesh-whitelist-whitelist01] quit
# Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# Configure the security profile sp01 used by Mesh links. The sp01 supports the
security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-sp01] quit
# Configure the Mesh role. Set the Mesh role of trackside APs to Mesh-portal
through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit
# Configure the Mesh handover profile hand-over and enable the location-based
fast link handover algorithm.
[AC-wlan-view] mesh-handover-profile name hand-over
[AC-wlan-mesh-handover-hand-over] location-based-algorithm enable
[AC-wlan-mesh-handover-hand-over] quit
# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] security-profile sp01
[AC-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AC-wlan-mesh-prof-mesh-net] quit
m. Configure Switch_D.
# Create VLANs and configure IP addresses for the VLANIF interfaces.
<HUAWEI> system-view
[HUAWEI] sysname Switch_D
[Switch_D] vlan batch 101 161 165
[Switch_D] interface gigabitethernet 0/0/1
[Switch_D-GigabitEthernet0/0/1] port trunk allow-pass vlan 161 165
[Switch_D-GigabitEthernet0/0/1] port link-type trunk
[Switch_D-GigabitEthernet0/0/1] quit
[Switch_D] interface gigabitethernet 0/0/2
[Switch_D-GigabitEthernet0/0/2] port link-type trunk
[Switch_D-GigabitEthernet0/0/2] port trunk allow-pass vlan 161 165
[Switch_D-GigabitEthernet0/0/2] quit
[Switch_D] interface gigabitethernet 0/0/3
[Switch_D-GigabitEthernet0/0/3] port link-type trunk
[Switch_D-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_D-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_D-GigabitEthernet0/0/3] quit
[Switch_D] interface gigabitethernet 0/0/4
[Switch_D-GigabitEthernet0/0/4] port link-type trunk
[Switch_D-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_D-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_D-GigabitEthernet0/0/4] quit
[Switch_D] interface vlanif 101
[Switch_D-Vlanif101] ip address 10.23.224.2 24
[Switch_D-Vlanif101] quit
[Switch_D] interface vlanif 161
[Switch_D-Vlanif161] ip address 10.23.161.1 24
[Switch_D-Vlanif161] quit
[Switch_D] interface vlanif 165
[Switch_D-Vlanif165] ip address 10.23.165.1 24
[Switch_D-Vlanif165] quit
# Create the Mesh whitelist whitelist01 and add MAC addresses of all trackside
APs along the rail line to the Mesh whitelist.
[AP-wlan-view] mesh-whitelist-profile name whitelist01
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d10
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d20
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d30
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d40
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d50
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d60
[AP-wlan-mesh-whitelist-whitelist01] quit
# Add MAC addresses of all trackside APs along the rail line to the Mesh whitelist
of vehicle-mounted APs on the other trains according to the preceding configuration
procedure.
# Configure the security profile sp01 used by Mesh links. The sp01 supports the
security policy WPA2+PSK+AES.
[AP-wlan-view] security-profile name sp01
[AP-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-sp01] quit
# Configure the Mesh handover profile hand-over, enable the location-based fast
link handover algorithm, and set the moving direction of the vehicle-mounted AP to
forward.
[AP-wlan-view] mesh-handover-profile name hand-over
[AP-wlan-mesh-handover-hand-over] location-based-algorithm enable moving-direction forward
[AP-wlan-mesh-handover-hand-over] quit
NOTE
In this example, the moving direction of the vehicle-mounted AP in the rear must be set to
backward.
# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AP-wlan-view] mesh-profile name mesh-net
[AP-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AP-wlan-mesh-prof-mesh-net] security-profile sp01
[AP-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AP-wlan-mesh-prof-mesh-net] quit
[AP-wlan-view] quit
# Configure Mesh VAPs for other vehicle-mounted APs according to the preceding
configuration procedure.
e. Add proxied devices on the vehicle-mounted APs.
# Add proxied ground devices. Add MAC addresses of Switch_A, the network
management device, and multicast source on the vehicle-mounted APs.
[AP] wlan
[AP-wlan-view] mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101
The preceding configurations for the two vehicle-mounted APs are the same except for the AP name.
Name the vehicle-mounted AP in the rear AP2. From this step on, the configurations for the two APs
differ.
# Configure VRRP.
[AP2] interface Vlanif 161
[AP2-Vlanif161] vrrp vrid 1 virtual-ip 10.23.161.4
[AP2-Vlanif161] admin-vrrp vrid 1
[AP2-Vlanif161] vrrp vrid 1 priority 110
[AP2-Vlanif161] quit
[AP2] interface Vlanif 165
[AP2-Vlanif165] vrrp vrid 2 virtual-ip 10.23.165.4
[AP2-Vlanif165] vrrp vrid 2 track admin-vrrp interface vlanif 161 vrid 1 unflowdown
[AP2-Vlanif165] vrrp vrid 2 priority 110
[AP2-Vlanif165] quit
[AP2] interface Vlanif 101
# After vehicle-ground fast link handover configuration is complete, run the display
wlan mesh link all command on the AC to view Mesh connections between trackside
and vehicle-mounted APs.
<AC> display wlan mesh link all
Rf   : radio ID          Dis  : coverage distance(100m)
Ch   : channel           Per  : drop percent(%)
TSNR : total SNR(dB)     P-   : peer
Mesh : Mesh mode         Re   : retry ratio(%)
RSSI : RSSI(dBm)         MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------
39/47/-
L1_003 1 3 157 portal - -59 -7 0 0 50 19/14/37
L1_010 1 3 157 portal - -45 -33 0 0 37 20/17/17
34/43/-
L1_160 1 3 157 portal - -52 -7 0 0 32 21/18/35
L1_170 1 3 157 portal - -42 -33 0 0 29 26/14/19
-------------------------------------------------------------------------------
Total: 6
-------------------------------------------------------------------------------
1 18:52:27 0046-4b59-1d50/-95/160 0046-4b59-1d60/-15/170
2 18:50:46 0046-4b59-1d40/-95/150 0046-4b59-1d50/-34/160
3 18:49:25 0046-4b59-1d30/-95/10 0046-4b59-1d40/-11/150
4 18:48:56 0046-4b59-1d20/-95/3 0046-4b59-1d30/-40/10
5 18:47:39 0046-4b59-1d10/-47/1 0046-4b59-1d20/-36/3
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Total UP/DOWN Session Number : 2/0
----End
Configuration Files
l Ground network devices
– Router configuration file
#
sysname Router
#
interface GigabitEthernet1/0/0
ip address 10.23.200.1 255.255.255.0
#
ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
ip route-static 10.23.224.0 255.255.255.0 10.23.200.2
#
return
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.1
ip route-static 10.23.224.0 255.255.255.0 10.23.224.4
#
return
– Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
– Switch_C configuration file
#
sysname Switch_C
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-2e10
peer-ap mac 0046-4b59-2e20
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
regulatory-domain-profile name default
ap-system-profile name mesh-sys
mesh-role Mesh-portal
wired-port-profile name wired-port
vlan tagged 101
ap-group name mesh-mpp
ap-system-profile mesh-sys
wired-port-profile wired-port gigabitethernet 0
radio 1
mesh-profile mesh-net
mesh-whitelist-profile whitelist01
channel 40mhz-plus 157
ap-id 1 type-id 48 ap-mac 0046-4b59-1d10 ap-sn 210235554710CB000042
ap-name L1_001
ap-group mesh-mpp
ap-id 2 type-id 48 ap-mac 0046-4b59-1d20 ap-sn 210235555310CC000094
ap-name L1_003
ap-group mesh-mpp
ap-id 3 type-id 48 ap-mac 0046-4b59-1d30 ap-sn 210235419610CB002287
ap-name L1_010
ap-group mesh-mpp
ap-id 101 type-id 48 ap-mac 0046-4b59-1d40 ap-sn
210235555310CC00AC69
ap-name
L1_150
ap-group mesh-mpp
ap-id 102 type-id 48 ap-mac 0046-4b59-1d50 ap-sn
210235555310CC003587
ap-name
L1_160
ap-group mesh-mpp
ap-id 103 type-id 48 ap-mac 0046-4b59-1d60 ap-sn
210235449210CB000011
ap-name
L1_170
ap-group mesh-mpp
#
return
%NVibT@S@ITs<%^%#
aes
mesh-handover-profile name hand-over
location-based-algorithm enable moving-direction forward
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-1d10
peer-ap mac 0046-4b59-1d20
peer-ap mac 0046-4b59-1d30
peer-ap mac 0046-4b59-1d40
peer-ap mac 0046-4b59-1d50
peer-ap mac 0046-4b59-1d60
mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 101
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
#
interface Wlan-Radio0/0/1
mesh-profile mesh-net
mesh-whitelist-profile whitelist01
channel 40mhz-plus 157
#
return
– Vehicle-mounted AP (in the rear) configuration file
#
sysname AP2
#
igmp-snooping enable
#
vlan batch 101 161 165
#
vlan 101
igmp-snooping enable
#
interface Vlanif101
ip address 10.23.224.6 255.255.255.0
vrrp vrid 3 virtual-ip 10.23.224.4
vrrp vrid 3 priority 110
vrrp vrid 3 track admin-vrrp interface Vlanif161 vrid 1 unflowdown
#
interface Vlanif161
ip address 10.23.161.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.161.4
admin-vrrp vrid 1
vrrp vrid 1 priority 110
vrrp vrid 1 track bfd-session 2 link increased 50
vrrp vrid 1 track bfd-session 12 link
#
interface Vlanif165
ip address 10.23.165.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.23.165.4
vrrp vrid 2 priority 110
vrrp vrid 2 track admin-vrrp interface Vlanif161 vrid 1 unflowdown
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 161 165
#
bfd atob bind peer-ip 10.23.161.2 interface Vlanif161
discriminator local 2
discriminator remote 1
min-tx-interval 50
min-rx-interval 50
commit
#
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. The enterprises also need to prevent one AP radio from being heavily loaded.
Furthermore, users' services are not affected during roaming in the coverage area.
As shown in Figure 4-53, before load balancing is configured, 30 users are connected to AP
area_1, and 10 users are connected to AP area_2.
Networking Requirements
AP area_1 and AP area_2 form a dynamic load balancing group to balance loads on the APs
to prevent excessive user access to a single AP. A dynamic load balancing group can be set up
only when:
l AP area_1 and AP area_2 are managed by the same AC.
l STAs can detect SSIDs of both the APs.
Data Planning
Configuration Roadmap
Configure dynamic load balancing to prevent one AP from being heavily loaded.
Configuration Notes
l Currently, the load balancing function is implemented in the STA access phase. In
scenarios with complex user service types and unstable traffic, the expected load
balancing effect cannot be achieved. In this case, you are not advised to enable load
balancing based on the channel usage.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                       Command                           Data
Check all profiles referenced by the AP group.   display ap-group name ap-group1   VAP profile: wlan-net
# Create the RRM profile wlan-net, enable dynamic load balancing in it, and set the start
threshold for dynamic load balancing to 15 and the load difference threshold to 25%.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] rrm-profile name wlan-net
[AC-wlan-rrm-prof-wlan-net] sta-load-balance dynamic enable
[AC-wlan-rrm-prof-wlan-net] sta-load-balance dynamic start-threshold 15
[AC-wlan-rrm-prof-wlan-net] sta-load-balance dynamic gap-threshold 25
[AC-wlan-rrm-prof-wlan-net] quit
# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-net to the 2G
radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-net
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-net to the 5G
radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-net
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC-wlan-ap-group-ap-group1] quit
# When a new STA requests to connect to AP area_1, the AC uses a dynamic load balancing
algorithm to redirect the STA to the AP area_2 with a light load according to the information
reported by APs.
----End
Configuration Files
l AC configuration file
#
sysname AC
#
wlan
rrm-profile name wlan-net
sta-load-balance dynamic enable
sta-load-balance dynamic start-threshold 15
sta-load-balance dynamic gap-threshold 25
radio-2g-profile name wlan-radio2g
rrm-profile wlan-net
radio-5g-profile name wlan-radio5g
rrm-profile wlan-net
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
#
return
Networking Requirements
AP area_1 and AP area_2 form a static load balancing group to balance loads on the APs to
prevent excessive user access to a single AP. A static load balancing group can be set up only
when:
l AP area_1 and AP area_2 are managed by the same AC.
l STAs can detect SSIDs of both the APs.
Data Planning
Configuration Roadmap
Configure static load balancing based on the number of users to prevent one AP from being
heavily loaded.
Configuration Notes
l Load balancing takes effect during the STA association stage. In scenarios with complex
user service types and unstable traffic, loads cannot be balanced as expected. In this case,
load balancing based on the channel utilization is not recommended.
l If dual-band APs are used, traffic is load balanced among APs working on the same
frequency band.
l Each load balancing group supports a maximum of 16 AP radios.
l Under the agile distributed network architecture composed of the central AP and RUs,
you only need to add radios of the RUs to a static load balancing group.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure static load balancing.
1. Create a static load balancing group, and add AP area_1 and AP area_2 to it.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] sta-load-balance static-group name wlan-static
[AC-wlan-sta-lb-static-wlan-static] member ap-name area_1
[AC-wlan-sta-lb-static-wlan-static] member ap-name area_2
# Set the start threshold for static load balancing based on the number of users to 15 and
load difference threshold to 5%.
[AC-wlan-sta-lb-static-wlan-static] sta-number start-threshold 15
[AC-wlan-sta-lb-static-wlan-static] sta-number gap-threshold 5
[AC-wlan-sta-lb-static-wlan-static] quit
l When a new STA requests to connect to AP area_1, the AC uses a static load balancing
algorithm to redirect the STA to the AP area_2 with a light load based on the configured
load balancing group.
----End
Configuration Files
l AC configuration file
#
sysname AC
#
wlan
sta-load-balance static-group name wlan-static
sta-number gap-threshold 5
member ap-id 0 radio 0
member ap-id 0 radio 1
member ap-id 1 radio 0
member ap-id 1 radio 1
sta-number start-threshold 15
#
return
Networking Requirements
Use APs that support both 5 GHz and 2.4 GHz frequency bands.
Data Planning
Configuration Roadmap
Configure the band steering function and proper band steering parameters so that STAs can
preferentially access the 5 GHz frequency band.
Configuration Notes
l Use APs that support both 5 GHz and 2.4 GHz frequency bands and configure the same
SSID and security policy on the 5 GHz and 2.4 GHz radios.
l To allow a STA to preferentially associate with the 5 GHz radio and achieve a better
access effect, configure larger power for the 5 GHz radio than the 2.4 GHz radio.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                       Command                           Data
Check all profiles referenced by the AP group.   display ap-group name ap-group1   VAP profile: wlan-net
When band steering is enabled on one radio of an AP, the function takes effect on the SSID of the AP. If
different VAP profiles are applied to two radios of the AP, you only need to enable the band steering function
in the VAP profile of one radio.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] undo band-steer disable
[AC-wlan-vap-prof-wlan-net] quit
# Create the RRM profile wlan-rrm and configure load balancing between radios in the
profile to prevent heavy load on a single radio. The start threshold for load balancing between
radios is 15, and the load difference threshold is 25%.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] band-steer balance start-threshold 15
[AC-wlan-rrm-prof-wlan-rrm] band-steer balance gap-threshold 25
[AC-wlan-rrm-prof-wlan-rrm] quit
# Create the 2G radio profile radio2g and bind the RRM profile wlan-rrm to the 2G radio
profile.
NOTE
If different RRM profiles are bound to the 2G and 5G radio profiles and configured with different band
steering parameters, parameters in the 2G radio profile preferentially take effect.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-radio2g] quit
# Run the display rrm-profile name wlan-rrm command on the AC to check the band
steering configuration.
[AC-wlan-view] display rrm-profile name wlan-rrm
------------------------------------------------------------
...
Band balance start threshold : 15
Band balance gap threshold(%) : 25
...
------------------------------------------------------------
# In the conference hall, most STAs connect to the 5 GHz frequency band, and users enjoy
good service experience.
----End
Configuration Files
l AC configuration file
#
sysname AC
#
wlan
rrm-profile name wlan-rrm
band-steer balance gap-threshold 25
band-steer balance start-threshold 15
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
#
return
Networking Requirements
To ensure optimal user experience, a stadium requires that users associate with the nearest
APs when moving on the stadium stand. Furthermore, users' services are not affected during
roaming in the coverage area.
Data Planning
Configuration Roadmap
Configure smart roaming and proper smart roaming parameters to forcibly disconnect weak-signal
users (especially sticky terminals) so that the users can reconnect or roam to APs with strong
signals.
NOTE
Some terminals on live networks have low roaming aggressiveness. As a result, they stick to the initially
connected APs regardless of whether they move far from the APs, and have weak signals or low rates. The
terminals fail to roam to neighbor APs with better signals. They are called sticky terminals.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                       Command                           Data
Check all profiles referenced by the AP group.   display ap-group name ap-group1   VAP profile: wlan-net
# Create the RRM profile wlan-rrm, enable smart roaming in the RRM profile, and configure
the SNR-based and rate-based roaming trigger modes with roaming thresholds of 30 dB and
30%, respectively.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] smart-roam enable
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold check-snr check-rate
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold snr 30
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold rate 30
[AC-wlan-rrm-prof-wlan-rrm] quit
# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm to the 2G
radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm to the 5G
radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC-wlan-ap-group-ap-group1] quit
# When a large number of users in the stadium access the WLAN, they can still enjoy good
Internet experience.
----End
Configuration Files
l AC configuration file
#
sysname AC
#
wlan
rrm-profile name wlan-rrm
smart-roam enable
smart-roam roam-threshold check-snr check-rate
smart-roam roam-threshold snr 30
smart-roam roam-threshold rate 30
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
#
return
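The following is an added Python example, not part of the Huawei guide, that applies three checks a reviewer would want for the configuration files above: it parses flat wlan configuration excerpts (constructed here, modelled on the AC, vehicle-mounted AP and smart-roaming files) and reports Mesh profiles whose security profile is missing, not WPA2/AES or holds a plain-text pass-phrase, trackside AP MACs absent from the vehicle-mounted AP's Mesh whitelist, and profile bindings such as radio-2g-profile wlan-radio2g that have no matching definition, which leaves the RRM thresholds unapplied to the AP group. The section-splitting rule (a line of the form "<kind> name <x>" or "ap-id <n>" opens a section) is an assumption about the flat format, not a documented parser.

```python
import re
# Constructed excerpts modelled on the flat "wlan" configuration files in this guide
# (one command per line, indentation stripped); they are not copied from a real device.
AC_MESH_CONFIG = """\
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-2e10
peer-ap mac 0046-4b59-2e20
mesh-profile name mesh-net
security-profile sp01
ap-id 1 type-id 48 ap-mac 0046-4b59-1d10
ap-id 2 type-id 48 ap-mac 0046-4b59-1d20
ap-id 3 type-id 48 ap-mac 0046-4b59-1d30
"""
# Vehicle-mounted side: whitelist lacks the third trackside AP, PSK is not in cipher-text form.
VEHICLE_AP_CONFIG = """\
security-profile name sp01
security wpa2 psk pass-phrase a1234567 aes
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-1d10
peer-ap mac 0046-4b59-1d20
mesh-profile name mesh-net
security-profile sp01
"""
# RRM chain: the 2G radio profile is defined as radio2g but the AP group binds wlan-radio2g.
RRM_CONFIG = """\
rrm-profile name wlan-rrm
smart-roam enable
radio-2g-profile name radio2g
rrm-profile wlan-rrm
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
"""

SECTION_RE = re.compile(r"^(?P<kind>[\w-]+) name (?P<name>\S+)$|^ap-id (?P<id>\d+)\b")
PSK_RE = re.compile(r"^security (\S+) psk pass-phrase (\S+) (\S+)$")
CIPHER_TEXT_RE = re.compile(r"^%[\^@]%#.*%[\^@]%#$")  # Huawei cipher-text delimiters


def parse_sections(text):
    """Split a flat config into (kind, name, lines): a definition or ap-id line opens a section."""
    sections = [("global", "", [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append((m["kind"] or "ap-id", m["name"] or m["id"], [line]))
        else:
            sections[-1][2].append(line)
    return sections


def dangling_references(text):
    """(kind, name) bindings with no '<kind> name <name>' definition; such a binding is never applied."""
    sections = parse_sections(text)
    defined = {(kind, name) for kind, name, _ in sections}
    missing = set()
    for _, _, lines in sections:
        for tok in (line.split() for line in lines):
            if len(tok) < 2 or tok[1] == "name":
                continue  # definition line or bare keyword, not a binding
            if (tok[0].endswith("-profile") or tok[0] == "ap-group") and (tok[0], tok[1]) not in defined:
                missing.add((tok[0], tok[1]))
    return sorted(missing)


def mesh_findings(text):
    """Mesh profiles whose security profile is undefined, not WPA2/AES, or keeps a plain-text PSK."""
    sections = parse_sections(text)
    psk = {name: m.groups() for kind, name, lines in sections if kind == "security-profile"
           for m in map(PSK_RE.match, lines) if m}
    findings = []
    for kind, name, lines in sections:
        if kind != "mesh-profile":
            continue
        ref = next((l.split()[1] for l in lines if l.startswith("security-profile ")), None)
        if ref not in psk:
            findings.append(f"{name}: security-profile {ref} has no WPA2-PSK definition")
            continue
        proto, key, cipher = psk[ref]
        if (proto, cipher) != ("wpa2", "aes"):
            findings.append(f"{name}: {ref} uses {proto}/{cipher}, expected wpa2/aes")
        if not CIPHER_TEXT_RE.match(key):
            findings.append(f"{name}: {ref} pass-phrase is stored in plain text")
    return findings


def whitelist_gap(local_text, peer_text, whitelist="whitelist01"):
    """MACs of APs defined on the peer side that the local Mesh whitelist does not admit."""
    admitted = set()
    for kind, name, lines in parse_sections(local_text):
        if kind.startswith("mesh-whitelist") and name == whitelist:
            admitted |= {l.split()[-1].lower() for l in lines if l.startswith("peer-ap mac ")}
    peer_macs = {re.search(r"\bap-mac (\S+)", lines[0]).group(1).lower()
                 for kind, _, lines in parse_sections(peer_text) if kind == "ap-id"}
    return sorted(peer_macs - admitted)


if __name__ == "__main__":
    print(mesh_findings(VEHICLE_AP_CONFIG), whitelist_gap(VEHICLE_AP_CONFIG, AC_MESH_CONFIG),
          dangling_references(RRM_CONFIG), sep="\n")
```

Run against the real files, the whitelist check should be applied in both directions: the AC's whitelist against the vehicle-mounted AP MACs and each vehicle-mounted AP's whitelist against the trackside AP list.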
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. The enterprise is located in an open place, and the WLAN is vulnerable to interference.
When discovering severe interference on the WLAN, the network administrator can detect
whether non-Wi-Fi interference exists on the WLAN through the spectrum analysis function.
Networking Requirements
Data Planning
Configuration Roadmap
Configure spectrum analysis so that the APs can detect non-Wi-Fi devices and send alarms to
the AC.
Configuration Notes
l If air scan related functions are enabled for a radio in normal mode, such as WIDS,
spectrum analysis, and terminal location, the radio transmits common WLAN service
data and provides the monitoring function that may affect transmission of common
WLAN service data.
l In spectrum analysis scenarios, to obtain enough sampling data, it is recommended that
the scanning interval be set to no more than 10 seconds and the scanning duration to
100 ms.
l The channels to be scanned for spectrum analysis are fixed as all channels supported by
the corresponding country code of an AP and are irrelevant to the configuration in an air
scan profile.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                      Command                          Data
Check all profiles referenced by the AP group.  display ap-group name ap-group1  VAP profile: wlan-net
# Create the air scan profile wlan-airscan and configure the scan interval and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 100
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 8000
[AC-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
# Bind the AP system profile wlan-spectrum to the AP group ap-group1 and enable
spectrum analysis in the AP group.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-spectrum
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] spectrum-analysis enable
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] spectrum-analysis enable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
# Enable the function of reporting spectrum analysis data on AP radios. The spectrum server
performs spectrum analysis and draws spectrum graphs based on the data reported by the APs.
The spectrum-report command becomes invalid after a restart, and needs to be configured
again.
[AC-wlan-view] spectrum-report ap-name area_1 radio 0
[AC-wlan-view] spectrum-report ap-name area_1 radio 1
# Run the display spectrum-analysis server-reporter command on the AC to check the APs
that report spectrum packets to the spectrum server.
[AC-wlan-view] display spectrum-analysis server-reporter
------------------------------------------------------------
ID AP name Radio ID
------------------------------------------------------------
1 area_1 0
1 area_1 1
------------------------------------------------------------
Total: 2
# Run the display wlan non-wifi-device all command on the AC to check the detected non-
Wi-Fi devices.
[AC-wlan-view] display wlan non-wifi-device all
----------------------------------------------------------------
Detect AP name : area_1
Detect AP radio ID : 1
Detect AP channel : 36
Non-Wi-Fi device type : 9
Non-Wi-Fi device name : Unknown fix freq device
Non-Wi-Fi device frequency type : Narrow bandwidth
Non-Wi-Fi device channel : 149,150
Non-Wi-Fi device RSSI : -62,-66
Non-Wi-Fi device detect time last : 2017-07-02/08:16:56
Non-Wi-Fi device center frequency(MHz) : 5749
4. Select your desired spectrum chart from the drop-down list box in the upper left corner.
You can select Lower or Upper on the spectrum charts of a 5G radio to view spectrum
charts of different frequencies.
5. The Real-Time FFT chart shows that the signal strength of interference is mostly within
the range of -80 dBm to -40 dBm. On the Swept Spectrogram chart, click Modify, set
the signal strength scope at both ends of the color bar, and click Apply. The Swept
Spectrogram chart shows that channel 149 has the most severe interference.
6. On the Active Devices chart, click . A list of the detected non-Wi-Fi devices is
displayed.
----End
Configuration Files
l AC configuration file
#
sysname AC
#
wlan
air-scan-profile name wlan-airscan
scan-period 100
scan-interval 8000
radio-2g-profile name wlan-radio2g
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
air-scan-profile wlan-airscan
ap-system-profile name wlan-spectrum
spectrum-analysis server ip-address 10.137.43.4 port 55555 via-ac ac-port 5001
spectrum-analysis non-wifi-device aging-time 5
ap-group name ap-group1
ap-system-profile wlan-spectrum
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
spectrum-analysis enable
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
spectrum-analysis enable
#
return
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
Figure 4-58 Networking for configuring rogue device detection and containment
Data Planning
Item                      Data
IP address pool for APs   10.23.100.2-10.23.100.254/24
IP address pool for STAs  10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure rogue device detection and containment so that APs can detect wireless device
information and report it to the AC. In addition, APs can contain detected rogue devices,
enabling STAs to disassociate from them.
NOTE
In this example, the authorized APs work in normal mode and have the detection function enabled. In
addition to transmitting WLAN service data, AP radios need to perform the monitoring function. Therefore,
temporary service interruption may occur when the radios periodically scan channels. In this example, the
APs can only contain rogue devices on the channel used by WLAN services. To achieve containment on all
channels, configure the APs to work in monitor mode. However, WLAN services are unavailable in this
mode.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit
# Configure radio 0 of AP group ap-group1 to work in normal mode, and enable rogue
device detection and containment.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] work-mode normal
[AC-wlan-group-radio-ap-group1/0] wids device detect enable
[AC-wlan-group-radio-ap-group1/0] wids contain enable
[AC-wlan-group-radio-ap-group1/0] quit
# Configure radio 1 of AP group ap-group1 to work in normal mode, and enable rogue
device detection and containment.
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] work-mode normal
[AC-wlan-group-radio-ap-group1/1] wids device detect enable
[AC-wlan-group-radio-ap-group1/1] wids contain enable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
# Create WIDS profile wlan-wids and configure the containment mode against rogue APs
using spoofing SSIDs.
[AC-wlan-view] wids-profile name wlan-wids
[AC-wlan-wids-prof-wlan-wids] contain-mode spoof-ssid-ap
[AC-wlan-wids-prof-wlan-wids] quit
STAs attempt to connect to the network through AP2. Countermeasures are taken on AP2, so
traffic between STAs and AP2 is stopped and then STAs connect to AP1.
C:\Documents and Settings\huawei> ping 10.23.101.22
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
Data Planning
Item                      Data
IP address pool for APs   10.23.100.2-10.23.100.254/24
IP address pool for STAs  10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure brute force PSK cracking attack detection for WPA2-PSK authentication and
flood attack detection so that WLAN devices can detect attack devices.
3. Configure the dynamic blacklist function to add attack devices to the dynamic blacklist
and to reject packets from these devices within the aging time of the dynamic blacklist.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit
# Enable brute force PSK cracking attack detection for WPA2-PSK authentication and flood
attack detection.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] wids attack detect enable wpa2-psk
[AC-wlan-group-radio-ap-group1/0] wids attack detect enable flood
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] wids attack detect enable wpa2-psk
[AC-wlan-group-radio-ap-group1/1] wids attack detect enable flood
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
# Create WIDS profile wlan-wids. Set the interval for brute force attack detection to 70
seconds in WPA2-PSK authentication, the maximum number of key negotiation failures
allowed within the detection period to 25, and quiet time to 700s.
[AC-wlan-view] wids-profile name wlan-wids
[AC-wlan-wids-prof-wlan-wids] brute-force-detect interval 70
[AC-wlan-wids-prof-wlan-wids] brute-force-detect threshold 25
[AC-wlan-wids-prof-wlan-wids] brute-force-detect quiet-time 700
# Set the interval for flood attack detection to 70 seconds, flood attack detection threshold to
350, and quiet time to 700s.
[AC-wlan-wids-prof-wlan-wids] flood-detect interval 70
[AC-wlan-wids-prof-wlan-wids] flood-detect threshold 350
[AC-wlan-wids-prof-wlan-wids] flood-detect quiet-time 700
# Enable the dynamic blacklist function so that detected attack devices are added to the
dynamic blacklist.
[AC-wlan-wids-prof-wlan-wids] dynamic-blacklist enable
[AC-wlan-wids-prof-wlan-wids] quit
# Create AP system profile wlan-system, and set the aging time of the dynamic blacklist to
200s.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] dynamic-blacklist aging-time 200
[AC-wlan-ap-system-prof-wlan-system] quit
Step 9 Bind WIDS profile wlan-wids and AP system profile wlan-system to AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wids-profile wlan-wids
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system
[AC-wlan-ap-group-ap-group1] quit
The display wlan dynamic-blacklist command displays information about attack devices in
the dynamic blacklist.
[AC-wlan-view] display wlan dynamic-blacklist all
#AP: Number of monitor APs that have detected the device
act: Action frame asr: Association request
aur: Authentication request daf: Deauthentication frame
dar: Disassociation request eapl: EAPOL logoff frame
pbr: Probe request rar: Reassociation request
eaps: EAPOL start frame
-------------------------------------------------------------------------------
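How the detection interval, threshold, quiet time and dynamic blacklist aging time configured in this procedure combine, as an added Python model written for this page (not Huawei code): the interval is treated as a sliding window, exceeding the threshold inside it raises an alarm and blacklists the STA for the aging time, and the quiet time suppresses repeat alarms for the same device while still containing it. The MAC addresses and the event timeline are constructed, and the window and quiet-time semantics are assumptions about how the parameters interact, not a description of the AC's internal algorithm.

```python
"""Model of the WIDS parameters used in this example (added illustration, not
Huawei code). Window, quiet-time and aging semantics are assumptions about how the
profile values combine, not a description of the AC's internal algorithm."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Frame abbreviations from the legend of 'display wlan dynamic-blacklist'.
FLOOD_FRAMES = {"act", "asr", "aur", "daf", "dar", "eapl", "pbr", "rar", "eaps"}


@dataclass
class WidsProfile:
    """Values of WIDS profile wlan-wids and AP system profile wlan-system."""
    brute_force_interval: int = 70      # brute-force-detect interval 70 (seconds)
    brute_force_threshold: int = 25     # brute-force-detect threshold 25
    brute_force_quiet_time: int = 700   # brute-force-detect quiet-time 700 (seconds)
    flood_interval: int = 70            # flood-detect interval 70 (seconds)
    flood_threshold: int = 350          # flood-detect threshold 350
    flood_quiet_time: int = 700         # flood-detect quiet-time 700 (seconds)
    dynamic_blacklist: bool = True      # dynamic-blacklist enable
    blacklist_aging_time: int = 200     # dynamic-blacklist aging-time 200 (seconds)


class WidsDetector:
    def __init__(self, profile):
        self.p = profile
        self.events = defaultdict(deque)  # (mac, attack) -> timestamps inside the window
        self.quiet_until = {}             # (mac, attack) -> no repeated alarm before this time
        self.blacklist = {}               # mac -> expiry time of the dynamic blacklist entry
        self.alarms = []                  # (time, mac, attack) reported to the AC

    def is_blacklisted(self, mac, now):
        # Dynamic blacklist entries age out after blacklist_aging_time seconds.
        self.blacklist = {m: t for m, t in self.blacklist.items() if t > now}
        return mac in self.blacklist

    def observe(self, now, mac, event, frame=None):
        """Feed one event seen by an AP radio at time 'now' (seconds).

        event is 'psk-fail' (a failed WPA2-PSK key negotiation) or 'frame'
        (a management/EAPOL frame whose abbreviation is given in 'frame').
        Returns 'dropped', 'ok', 'alarm:<attack>' or 'contained:<attack>'.
        """
        if self.is_blacklisted(mac, now):
            return "dropped"  # packets from blacklisted devices are rejected
        if event == "psk-fail":
            attack, interval, threshold, quiet = ("brute-force", self.p.brute_force_interval,
                                                  self.p.brute_force_threshold,
                                                  self.p.brute_force_quiet_time)
        elif event == "frame" and frame in FLOOD_FRAMES:
            attack, interval, threshold, quiet = ("flood", self.p.flood_interval,
                                                  self.p.flood_threshold,
                                                  self.p.flood_quiet_time)
        else:
            return "ok"
        window = self.events[(mac, attack)]
        window.append(now)
        while window and now - window[0] >= interval:  # keep only the detection interval
            window.popleft()
        if len(window) <= threshold:
            return "ok"
        # Threshold exceeded within the interval: treat the device as an attacker.
        if self.p.dynamic_blacklist:
            self.blacklist[mac] = now + self.p.blacklist_aging_time
        if self.quiet_until.get((mac, attack), -1) > now:
            return f"contained:{attack}"  # inside quiet time: contained, not re-reported
        self.quiet_until[(mac, attack)] = now + quiet
        self.alarms.append((now, mac, attack))
        return f"alarm:{attack}"


def run_scenario():
    """Constructed timeline with one attacker and one legitimate STA (made-up MACs)."""
    det = WidsDetector(WidsProfile())
    attacker, sta = "0011-2233-4455", "60de-4476-aaaa"
    log = {}
    # 26 failed key negotiations in 26 s: the 26th exceeds threshold 25.
    log["burst"] = [det.observe(t, attacker, "psk-fail") for t in range(26)]
    # While the entry is in the dynamic blacklist (200 s) the device's frames are rejected.
    log["during_aging"] = det.observe(100, attacker, "frame", "pbr")
    # After the entry ages out the device is served again ...
    log["after_aging"] = det.observe(225, attacker, "frame", "pbr")
    # ... but a new burst inside the 700 s quiet time is contained without a second alarm.
    log["second_burst"] = [det.observe(300 + t, attacker, "psk-fail") for t in range(26)]
    # A user mistyping the PSK a few times stays far below the threshold.
    log["legit"] = [det.observe(400 + t, sta, "psk-fail") for t in range(5)]
    log["alarms"] = list(det.alarms)
    return log


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```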
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
wids-profile name wlan-wids
flood-detect interval 70
flood-detect threshold 350
flood-detect quiet-time 700
brute-force-detect interval 70
brute-force-detect threshold 25
brute-force-detect quiet-time 700
dynamic-blacklist enable
ap-system-profile name wlan-system
dynamic-blacklist aging-time 200
ap-group name ap-group1
ap-system-profile wlan-system
wids-profile wlan-wids
radio 0
vap-profile wlan-net wlan 1
wids attack detect enable flood
wids attack detect enable wpa2-psk
radio 1
vap-profile wlan-net wlan 1
wids attack detect enable flood
wids attack detect enable wpa2-psk
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
Figure 4-60 Networking for configuring the STA blacklist and whitelist
Data Planning
Item                      Data
IP address pool for APs   10.23.100.2-10.23.100.254/24
IP address pool for STAs  10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure a STA whitelist. Add MAC addresses of management personnel's wireless
terminals to the whitelist. To prevent configuration impacts on other VAPs, configure the
STA whitelist for a VAP, instead of an AP.
3. Configure a STA blacklist for an AP. Add MAC addresses of some STAs to the blacklist
to prevent the STAs from associating with the AP, ensuring WLAN network security.
NOTE
The STA whitelist and blacklist cannot be configured simultaneously for a VAP or an AP, that is, the STA
whitelist and blacklist cannot take effect at the same time in a VAP profile or an AP system profile.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
# Enter VAP profile wlan-net (created above) and bind the STA whitelist profile sta-whitelist to it.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] sta-access-mode whitelist sta-whitelist
[AC-wlan-vap-prof-wlan-net] quit
# Create the AP system profile wlan-system and bind the STA blacklist profile to the AP
system profile.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] sta-access-mode blacklist sta-blacklist
[AC-wlan-ap-system-prof-wlan-system] quit
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
sta-blacklist-profile name sta-blacklist
sta-mac 0011-2233-4477
sta-mac 0011-2233-4488
sta-whitelist-profile name sta-whitelist
sta-mac 0011-2233-4455
sta-mac 0011-2233-4466
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
sta-access-mode whitelist sta-whitelist
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-system-profile name wlan-system
sta-access-mode blacklist sta-blacklist
ap-group name ap-group1
ap-system-profile wlan-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
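The NOTE above states the one hard constraint on these lists (a VAP profile or AP system profile may bind a whitelist or a blacklist, not both), and the configuration file shows how the lists and bindings are laid out. The following Python is an added example, not Huawei code: it parses a configuration excerpt in that layout, flags a profile that binds both list types, and decides whether a given STA MAC would be admitted. The evaluation order it uses (AP system profile first, then the VAP profile, any deny wins) and the sample configuration are assumptions of the example. Bear in mind that a MAC list is an access-control convenience, not authentication: the client MAC is chosen by the client, so these lists complement the WPA2 security profile rather than replace it.

```python
import re
from typing import List, Tuple

# Constructed excerpt in the layout of the AC configuration file shown above.
SAMPLE_CONFIG = """\
wlan
 sta-blacklist-profile name sta-blacklist
  sta-mac 0011-2233-4477
  sta-mac 0011-2233-4488
 sta-whitelist-profile name sta-whitelist
  sta-mac 0011-2233-4455
  sta-mac 0011-2233-4466
 vap-profile name wlan-net
  sta-access-mode whitelist sta-whitelist
 ap-system-profile name wlan-system
  sta-access-mode blacklist sta-blacklist
"""


def norm_mac(mac: str) -> str:
    """Accept 0011-2233-4455, 00:11:22:33:44:55 or 001122334455; return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


def parse_config(text: str) -> dict:
    """Collect the STA lists and the sta-access-mode bindings of VAP and AP system profiles."""
    cfg = {"lists": {}, "vap": {}, "ap_system": {}}
    current_list = None       # set of MACs currently being filled
    current_profile = None    # (kind, name) whose sta-access-mode lines we are reading
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"sta-(?:whitelist|blacklist)-profile name (\S+)", line)
        if m:
            current_list, current_profile = cfg["lists"].setdefault(m.group(1), set()), None
            continue
        m = re.fullmatch(r"(vap|ap-system)-profile name (\S+)", line)
        if m:
            kind = "vap" if m.group(1) == "vap" else "ap_system"
            cfg[kind].setdefault(m.group(2), [])
            current_profile, current_list = (kind, m.group(2)), None
            continue
        m = re.fullmatch(r"sta-mac (\S+)", line)
        if m and current_list is not None:
            current_list.add(norm_mac(m.group(1)))
            continue
        m = re.fullmatch(r"sta-access-mode (whitelist|blacklist) (\S+)", line)
        if m and current_profile is not None:
            kind, name = current_profile
            cfg[kind][name].append((m.group(1), m.group(2)))
    return cfg


def validate(cfg: dict) -> List[str]:
    """Report profiles that bind both a whitelist and a blacklist (not allowed per the
    NOTE above) or that reference a list profile that does not exist."""
    problems = []
    for kind in ("vap", "ap_system"):
        for name, bindings in cfg[kind].items():
            if {mode for mode, _ in bindings} == {"whitelist", "blacklist"}:
                problems.append(f"{kind} profile {name}: whitelist and blacklist bound together")
            for _, list_name in bindings:
                if list_name not in cfg["lists"]:
                    problems.append(f"{kind} profile {name}: unknown list {list_name}")
    return problems


def _check(bindings, mac: str, cfg: dict, where: str) -> Tuple[bool, str]:
    for mode, list_name in bindings:
        members = cfg["lists"].get(list_name, set())
        if mode == "blacklist" and mac in members:
            return False, f"denied: {mac} is in blacklist {list_name} ({where})"
        if mode == "whitelist" and mac not in members:
            return False, f"denied: {mac} is not in whitelist {list_name} ({where})"
    return True, ""


def admit(cfg: dict, vap_profile: str, ap_system_profile: str, mac: str) -> Tuple[bool, str]:
    """Decide whether a STA may associate.  Assumption of this example: the AP system
    profile is evaluated first, then the VAP profile, and any deny is final."""
    mac = norm_mac(mac)
    for where, kind, name in (("AP", "ap_system", ap_system_profile), ("VAP", "vap", vap_profile)):
        ok, reason = _check(cfg[kind].get(name, []), mac, cfg, where)
        if not ok:
            return False, reason
    return True, f"admitted: {mac} passed the AP and VAP access lists"
```

Running `validate` before `admit` mirrors the AC's own refusal of a double binding; `norm_mac` matters because management tools, STA logs and the AC configuration each write MAC addresses in a different notation, and a list comparison on raw strings silently admits or rejects the wrong stations.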
Symptom
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large amount of abnormal multicast traffic is received on the
network side, the air interfaces may be congested, and STAs may suffer from slow network
access. You are advised to configure multicast packet suppression to reduce impact of a large
number of low-rate multicast packets on the wireless network. Exercise caution when
configuring the rate limit; otherwise, the multicast services may be affected.
l In direct forwarding mode, you are advised to configure multicast packet suppression on
switch interfaces connected to APs.
l In tunnel forwarding mode, you are advised to configure multicast packet suppression on
WLAN-ESS interfaces of the AC.
Procedure
l Configure multicast packet suppression in direct forwarding mode.
a. Create the traffic classifier test and define a matching rule.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] traffic classifier test
[SwitchA-classifier-test] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //Match the destination MAC address of multicast packets.
[SwitchA-classifier-test] quit
b. Create the traffic behavior test, enable traffic statistics collection, and set the traffic
rate limit.
[SwitchA] traffic behavior test
[SwitchA-behavior-test] statistic enable
[SwitchA-behavior-test] car cir 100 //Set the rate limit to 100 kbit/s. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[SwitchA-behavior-test] quit
c. Create the traffic policy test and bind the traffic classifier and traffic behavior to the
traffic policy.
[SwitchA] traffic policy test
[SwitchA-trafficpolicy-test] classifier test behavior test
[SwitchA-trafficpolicy-test] quit
----End
Data Planning
Configuration Roadmap
1. Configure the WMM function so that network bandwidth is preferentially allocated to
voice and video services at the wireless side.
2. Configure priority mapping to ensure a higher priority of voice and video services so that
network bandwidth is preferentially allocated to these services.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check the basic configuration of the WLAN.
NOTE
l If an AP has configurations that differ from those in the AP group, the AP's own configuration takes
precedence.
l A new profile takes effect only after being bound to an AP or an AP group.
# Enter 2G radio profile wlan-radio2g and set EDCA parameters on APs to enable voice and
video services to preferentially use network bandwidth.
<AC6606> system-view
[AC6606] sysname AC
[AC] wlan
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0 ack-policy normal
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0 ack-policy normal
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0 ack-policy normal
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0 ack-policy normal
# Enter 5G radio profile wlan-radio5g and set EDCA parameters on APs to enable voice and
video services to preferentially use network bandwidth. The configuration is similar to that in
the 2G radio profile and is not mentioned here.
# Enter SSID profile wlan-net and set EDCA parameters on STAs to enable voice and video
services to preferentially use network bandwidth.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0
[AC-wlan-ssid-prof-wlan-net] quit
This example requires that voice and video packets have the highest priority so that these packets are
preferentially transmitted. By default, the uplink and downlink mapping modes on the air interface are
802.11e and DSCP, respectively. The uplink and downlink priority mapping on the air interface can ensure
that voice and video packets have the highest tunnel DSCP priority. Therefore, you do not need to modify
default priority mapping.
To change the default priority mapping, for example, to give video packets a higher priority than voice
packets, you can refer to this step.
By default, the user priority of voice packets is set to 6 or 7, and that of the video packets is set to 4 or 5. In
this example, the tunnel DSCP priority of video packets is set to 48 and 56, and that of voice packets is set to
32 and 40. Video packets with a higher priority are preferentially transmitted.
# Create traffic profile wlan-traffic and configure priority mapping in the profile.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream trust dscp
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream dscp 48 to 55 dot11e 4
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream dscp 56 to 63 dot11e 5
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream dscp 32 to 39 dot11e 6
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream dscp 40 to 47 dot11e 7
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream trust dot11e
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream dot11e 6 dscp 32
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream dot11e 7 dscp 40
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream dot11e 4 dscp 48
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream dot11e 5 dscp 56
[AC-wlan-traffic-prof-wlan-traffic] quit
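The `display traffic-profile` output further down shows the result of these commands: the four configured ranges in each direction override the defaults, and every other DSCP or 802.11e value keeps its default. The following Python is an added example, not Huawei code; it builds both tables from the commands above and renders the downstream table in the same row layout as the display output. The defaults it starts from (DSCP // 8 for downstream, UP * 8 for tunnel-upstream) are inferred from the unconfigured rows of that output, not taken from Huawei documentation, and `round_trip_ok` is the check a practitioner wants when editing these maps: a frame sent at UP p must come back downstream at the same UP, or a service silently changes class per direction.

```python
import re
from typing import Dict, List, Tuple

# The priority-map commands of the traffic profile above.  The two `trust` lines
# select which field is trusted and add no table entries.
PROFILE_CMDS = [
    "priority-map downstream trust dscp",
    "priority-map downstream dscp 48 to 55 dot11e 4",
    "priority-map downstream dscp 56 to 63 dot11e 5",
    "priority-map downstream dscp 32 to 39 dot11e 6",
    "priority-map downstream dscp 40 to 47 dot11e 7",
    "priority-map tunnel-upstream trust dot11e",
    "priority-map tunnel-upstream dot11e 6 dscp 32",
    "priority-map tunnel-upstream dot11e 7 dscp 40",
    "priority-map tunnel-upstream dot11e 4 dscp 48",
    "priority-map tunnel-upstream dot11e 5 dscp 56",
]


def build_maps(cmds: List[str]) -> Tuple[Dict[int, int], Dict[int, int]]:
    """Return (downstream DSCP -> 802.11e UP, tunnel-upstream UP -> DSCP).
    Assumption: entries that are not configured keep the defaults DSCP // 8 and
    UP * 8, which is what the unconfigured rows of the display output show."""
    down = {d: d // 8 for d in range(64)}
    up = {p: p * 8 for p in range(8)}
    for cmd in cmds:
        if re.fullmatch(r"priority-map (downstream|tunnel-upstream) trust \S+", cmd):
            continue
        m = re.fullmatch(r"priority-map downstream dscp (\d+) to (\d+) dot11e (\d)", cmd)
        if m:
            lo, hi, prio = map(int, m.groups())
            for d in range(lo, hi + 1):
                down[d] = prio
            continue
        m = re.fullmatch(r"priority-map tunnel-upstream dot11e (\d) dscp (\d+)", cmd)
        if m:
            up[int(m.group(1))] = int(m.group(2))
            continue
        raise ValueError(f"unrecognised command: {cmd}")
    return down, up


def display_rows(down: Dict[int, int]) -> List[str]:
    """Render the downstream map the way `display traffic-profile` prints it:
    contiguous DSCP ranges, ordered by the UP they map to."""
    ranges: List[List[int]] = []   # [prio, lo, hi]
    for d in range(64):
        if ranges and ranges[-1][0] == down[d] and ranges[-1][2] == d - 1:
            ranges[-1][2] = d
        else:
            ranges.append([down[d], d, d])
    return [f"{lo}-{hi} map {prio}" for prio, lo, hi in sorted(ranges)]


def round_trip_ok(down: Dict[int, int], up: Dict[int, int]) -> bool:
    """A STA frame sent at UP p is tunnelled with DSCP up[p]; the same DSCP arriving
    downstream must map back to UP p, otherwise a service changes class per direction."""
    return all(down[up[p]] == p for p in range(8))
```

With the page's commands the two tables are mutually consistent (video at UP 4/5 becomes DSCP 48/56, voice at UP 6/7 becomes DSCP 32/40, and each comes back to the same UP); if only one direction were changed, `round_trip_ok` would fail and the video frames would be queued as voice in one direction.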
...
------------------------------------------------------------
AP EDCA parameters:
---------------------------------------------------
ECWmax ECWmin AIFSN TXOPLimit Ack-Policy
AC_VO 4 2 2 0 normal
AC_VI 5 3 5 0 normal
AC_BE 10 6 12 0 normal
AC_BK 10 8 12 0 normal
---------------------------------------------------
Run the display ssid-profile name wlan-net command on the AC to check the EDCA
settings on STAs in the SSID profile. The EDCA parameter priorities of AC_VI and
AC_VO packets are higher than those of AC_BE and AC_BK packets. Therefore, voice and
video services are enabled to preferentially use wireless channels.
[AC-wlan-view] display ssid-profile name wlan-net
-------------------------------------------------------------------
...
-------------------------------------------------------------------
WMM EDCA client parameters:
-------------------------------------------------------------------
ECWmax ECWmin AIFSN TXOPLimit
AC_VO 4 2 2 0
AC_VI 5 3 5 0
AC_BE 10 6 12 0
AC_BK 10 8 12 0
-------------------------------------------------------------------
Run the display traffic-profile name wlan-traffic command on the AC to check the priority
mapping configuration in the traffic profile. The DSCP priorities of AC_VI and
AC_VO packets are higher than those of AC_BE and AC_BK packets. Therefore, voice and
video services will be preferentially transmitted.
[AC-wlan-view] display traffic-profile name wlan-traffic
----------------------------------------------------
...
CAPWAP priority upstream map mode: 802.11e map DSCP
0 map 0
1 map 8
2 map 16
3 map 24
6 map 32
7 map 40
4 map 48
5 map 56
CAPWAP priority upstream map mode: 802.11e map 802.1p
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
WMM priority downstream map mode: DSCP map 802.11e
0-7 map 0
8-15 map 1
16-23 map 2
24-31 map 3
48-55 map 4
56-63 map 5
32-39 map 6
40-47 map 7
WMM priority downstream map mode: 802.1p map 802.11e
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
---------------------------------------------------------------------------------------------
Traffic Type Direction AppliedRecord
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
----------------------------------------------------
----End
Configuration Files
l AC configuration file
#
sysname AC
#
wlan
traffic-profile name wlan-traffic
priority-map downstream dscp 48 to 55 dot11e 4
priority-map downstream dscp 56 to 63 dot11e 5
priority-map downstream dscp 32 to 39 dot11e 6
priority-map downstream dscp 40 to 47 dot11e 7
priority-map tunnel-upstream dot11e 6 dscp 32
priority-map tunnel-upstream dot11e 7 dscp 40
priority-map tunnel-upstream dot11e 4 dscp 48
priority-map tunnel-upstream dot11e 5 dscp 56
ssid-profile name wlan-net
wmm edca-client ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0
wmm edca-client ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0
wmm edca-client ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0
wmm edca-client ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0
vap-profile name wlan-net
ssid-profile wlan-net
traffic-profile wlan-traffic
radio-2g-profile name wlan-radio2g
wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0 ack-policy normal
wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0 ack-policy normal
wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0 ack-policy normal
wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0 ack-policy normal
radio-5g-profile name wlan-radio5g
wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0 ack-policy normal
wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0 ack-policy normal
wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0 ack-policy normal
wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0 ack-policy normal
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
To prevent STAs from maliciously occupying network resources and reduce network
congestion, the administrator requires that the uplink rate limit of each STA be 2 Mbit/s and
the total uplink rate limit of all STAs on a VAP be 30 Mbit/s.
Data Planning
Configuration Roadmap
1. Configure the uplink rate limits of a single STA and all STAs on a VAP in a traffic
profile to achieve traffic policing.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check the basic configuration of the WLAN.
NOTE
l If an AP has configurations that differ from those in the AP group, the AP's own configuration takes
precedence.
l A new profile takes effect only after being bound to an AP or an AP group.
----End
Configuration Files
l AC configuration file
#
sysname AC
#
wlan
traffic-profile name wlan-traffic
rate-limit client up 2048
rate-limit vap up 30720
vap-profile name wlan-net
traffic-profile wlan-traffic
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
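Two of the rate limits on this page are the same mechanism applied at different points: the multicast CAR in the direct-forwarding procedure (`traffic classifier` matching the IPv4 multicast MAC prefix, `traffic behavior` with `car cir 100`) and the `rate-limit client up 2048` / `rate-limit vap up 30720` pair in the traffic profile just above. The following Python is an added example, not Huawei code, that models both with one token bucket: `car_multicast` polices only frames whose destination matches `0100-5e00-0000` under mask `ffff-ff00-0000`, and `uplink_rate_limit` forwards a STA frame only when both the STA's own bucket and the shared VAP bucket have room. The burst sizes (one second of traffic for the CAR, 20 ms for the uplink limits), the millisecond timing model and all traffic below are constructed assumptions; the platform's real default CBS and scheduling differ.

```python
import re
from typing import Dict, List, Optional, Tuple


def _mac_int(mac: str) -> int:
    """Huawei (0100-5e00-0000) or colon notation to an integer."""
    return int(re.sub(r"[^0-9a-fA-F]", "", mac), 16)


def mac_match(dst: str, pattern: str, mask: str) -> bool:
    """Model of `if-match destination-mac <pattern> mac-address-mask <mask>`:
    only the bits set in the mask take part in the comparison."""
    m = _mac_int(mask)
    return (_mac_int(dst) & m) == (_mac_int(pattern) & m)


class TokenBucket:
    """Single-rate token bucket.  Tokens are bits and time is in milliseconds, so a
    rate of N kbit/s refills exactly N bits per ms and all arithmetic stays integral."""

    def __init__(self, cir_kbps: int, cbs_bits: int):
        self.rate, self.cap = cir_kbps, cbs_bits
        self.tokens, self.last_ms = cbs_bits, 0

    def fits(self, bits: int, now_ms: int) -> bool:
        """Refill for the elapsed time, then report whether the frame fits (no tokens taken)."""
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        return bits <= self.tokens

    def take(self, bits: int) -> None:
        self.tokens -= bits


# A frame is (time_ms, MAC address, length in bytes).
Frame = Tuple[int, str, int]


def car_multicast(frames: List[Frame], cir_kbps: int = 100,
                  cbs_bits: Optional[int] = None) -> Dict[str, int]:
    """The direct-forwarding policy on this page: frames whose destination matches the
    IPv4 multicast prefix are policed at `cir`; everything else passes untouched.
    Assumption: a burst of one second of traffic when no CBS is given."""
    bucket = TokenBucket(cir_kbps, cbs_bits if cbs_bits is not None else cir_kbps * 1000)
    stats = {"passed": 0, "dropped": 0, "unmatched": 0}
    for t, dst, nbytes in sorted(frames):
        if not mac_match(dst, "0100-5e00-0000", "ffff-ff00-0000"):
            stats["unmatched"] += 1   # IPv6 multicast (3333-...) and unicast are outside the classifier
        elif bucket.fits(nbytes * 8, t):
            bucket.take(nbytes * 8)
            stats["passed"] += 1
        else:
            stats["dropped"] += 1
    return stats


def uplink_rate_limit(frames: List[Frame], client_kbps: int = 2048, vap_kbps: int = 30720,
                      burst_ms: int = 20) -> Dict[str, int]:
    """`rate-limit client up` and `rate-limit vap up` in one traffic profile: a STA frame is
    forwarded only when both its own bucket and the shared VAP bucket have room, and
    tokens are consumed only when the frame is forwarded.  Burst sizes are assumptions."""
    vap = TokenBucket(vap_kbps, vap_kbps * burst_ms)
    clients: Dict[str, TokenBucket] = {}
    forwarded: Dict[str, int] = {}
    for t, sta, nbytes in sorted(frames):
        bits = nbytes * 8
        bucket = clients.setdefault(sta, TokenBucket(client_kbps, client_kbps * burst_ms))
        forwarded.setdefault(sta, 0)
        if bucket.fits(bits, t) and vap.fits(bits, t):   # check both before taking from either
            bucket.take(bits)
            vap.take(bits)
            forwarded[sta] += 1
    return forwarded


# Constructed traffic: ten 1500-byte IPv4 multicast frames 10 ms apart, plus an IPv6
# multicast frame and a unicast frame that the classifier does not match.
MCAST_FRAMES: List[Frame] = [(10 * i, "0100-5e00-00fb", 1500) for i in range(10)]
MCAST_FRAMES += [(5, "3333-0000-0001", 1500), (15, "00e0-fc12-3456", 1500)]

# Constructed traffic: one STA sending a 1500-byte frame every millisecond for 100 ms,
# i.e. 12 Mbit/s offered against the 2 Mbit/s per-STA limit.
ONE_STA_FRAMES: List[Frame] = [(t, "0011-2233-4455", 1500) for t in range(100)]

# Twenty such STAs at once: the per-STA limits alone would admit 20 x 20 frames in the
# window, but the shared 30 Mbit/s VAP bucket caps the total below that.
MANY_STA_FRAMES: List[Frame] = [(t, f"0011-2233-44{i:02x}", 1500)
                                for i in range(20) for t in range(100)]
```

Two details carry over to the real devices: the multicast classifier covers only the IPv4 multicast MAC prefix, so IPv6 multicast (`3333-...`) is not suppressed by this policy, and with a small burst size the CAR at 100 kbit/s passes a 1500-byte frame only about every 120 ms once the burst is spent, which is why the page warns that a multicast service may be affected by the rate limit.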
Data Planning
Configuration Roadmap
1. Enable airtime fair scheduling to ensure that multiple users on a radio can fairly use
network bandwidth to improve overall user experience.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check the basic configuration of the WLAN.
NOTE
l If an AP has configurations that differ from those in the AP group, the AP's own configuration takes
precedence.
l A new profile takes effect only after being bound to an AP or an AP group.
# Create the RRM profile wlan-rrm and enable airtime fair scheduling.
<AC6606> system-view
[AC6606] sysname AC
[AC] wlan
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] airtime-fair-schedule enable
[AC-wlan-rrm-prof-wlan-rrm] quit
Run the display rrm-profile name wlan-rrm command on the AC to check the configuration
of the RRM profile. The command output shows that airtime fair scheduling has been
enabled. Therefore, users on the network can fairly use network bandwidth.
[AC-wlan-view] display rrm-profile name wlan-rrm
------------------------------------------------------------
Auto channel select : enable
Auto transmit power select : enable
PER threshold for trigger channel/power select(%) : 60
Airtime fairness schedule : enable
----End
Configuration Files
l AC configuration file
#
sysname AC
#
wlan
rrm-profile name wlan-rrm
airtime-fair-schedule enable
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
radio 1
radio-5g-profile wlan-radio5g
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
Data Planning
Configuration Roadmap
1. Configure ACL-based packet filtering in a traffic profile.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
Procedure
Step 1 Check the basic configuration of the WLAN.
NOTE
l If an AP has configurations that differ from those in the AP group, the AP's own configuration takes
precedence.
l A new profile takes effect only after being bound to an AP or an AP group.
[AC] wlan
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] traffic-filter inbound ipv4 acl 3001
[AC-wlan-traffic-prof-wlan-traffic] quit
----End
Configuration Files
l AC configuration file
#
sysname AC
#
acl number 3001
rule 5 deny ip source 10.23.101.10 0 destination 10.23.101.11 0
#
wlan
traffic-profile name wlan-traffic
traffic-filter inbound ipv4 acl 3001
vap-profile name wlan-net
traffic-profile wlan-traffic
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
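ACL 3001 above uses Huawei wildcard notation, in which `0` after an address means "match exactly" and a set bit means "don't care", and the single rule only covers one direction. The following Python is an added example, not Huawei code: it parses advanced-ACL rules of the form shown (plus `any`), evaluates packets in ascending rule-ID order, and returns the matching action and rule. Rules 10 and 15 are constructed additions to show subnet wildcards and an explicit catch-all; treating packets that match no rule as permitted is an assumption of this model, to be checked against the platform's documented default for `traffic-filter`.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# The page's rule 5, plus two constructed rules for illustration.
ACL_3001 = [
    "rule 5 deny ip source 10.23.101.10 0 destination 10.23.101.11 0",
    "rule 10 deny ip source 10.23.101.0 0.0.0.255 destination 10.23.100.0 0.0.0.255",  # constructed
    "rule 15 permit ip source any destination any",                                      # constructed
]

RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) ip"
    r"(?: source (?:(any)|(\S+) (\S+)))?"
    r"(?: destination (?:(any)|(\S+) (\S+)))?"
)

Spec = Optional[Tuple[int, int]]          # (address, wildcard) or None for "any"
Rule = Tuple[int, str, Spec, Spec]        # (id, action, source, destination)


def _spec(any_flag: Optional[str], addr: Optional[str], wild: Optional[str]) -> Spec:
    """Omitted or `any` matches everything; Huawei accepts the shorthand `0` for 0.0.0.0."""
    if any_flag or addr is None:
        return None
    wildcard = 0 if wild == "0" else int(ipaddress.IPv4Address(wild))
    return int(ipaddress.IPv4Address(addr)), wildcard


def parse_rules(lines: List[str]) -> List[Rule]:
    rules: List[Rule] = []
    for line in lines:
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        rules.append((int(m.group(1)), m.group(2),
                      _spec(m.group(3), m.group(4), m.group(5)),
                      _spec(m.group(6), m.group(7), m.group(8))))
    return sorted(rules)   # ascending rule ID is the match order assumed here


def _hit(ip: str, spec: Spec) -> bool:
    """Wildcard semantics: bits set in the wildcard are ignored in the comparison."""
    if spec is None:
        return True
    addr, wild = spec
    return (int(ipaddress.IPv4Address(ip)) & ~wild) == (addr & ~wild)


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching rule wins.  Assumption: no match means the packet is forwarded."""
    for rule_id, action, s, d in rules:
        if _hit(src, s) and _hit(dst, d):
            return action, rule_id
    return "permit", None
```

The second assertion below is the caveat worth noticing in the page's ACL: rule 5 blocks traffic from 10.23.101.10 to 10.23.101.11 but not the reverse direction, so a symmetric block needs a second rule with source and destination swapped.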
Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
Voice, video, and data services are transmitted on the WLAN. The administrator requires that
voice and video services of QQ and WeChat have a higher priority to ensure good user
experience in these QQ and WeChat services.
Figure 4-65 Networking for configuring optimization for voice and video services
Data Planning
Configuration Roadmap
1. Configure optimization for voice and video services so that these QQ and WeChat
services have a higher priority than data services.
Configuration Notes
l The configuration of optimization for voice and video services supports only tunnel
forwarding.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure optimization for voice and video services.
NOTE
After the security engine is enabled, the system automatically loads the default signature database.
By default, the voice and video traffic awareness and optimization function is enabled.
[AC] undo voice-aware app-protocol qq disable
[AC] undo voice-aware app-protocol weixin disable
[AC] undo video-aware app-protocol qq disable
[AC] undo video-aware app-protocol weixin disable
[AC] wlan
If a user makes video calls after optimization is configured for video services and the
configuration is successfully delivered, you can run the display video-aware-list command to
check video session information.
[AC-wlan-view] display video-aware-list ap-name area_1 radio 0
-----------------------------------------------------------------------------------------------
Protocol Source IP/Port Destination IP/Port
-----------------------------------------------------------------------------------------------
qq 191.168.1.254/123 191.168.1.253/123
weixin 191.168.1.253/123 191.168.1.254/123
-----------------------------------------------------------------------------------------------
Total: 2
If a user makes voice calls after optimization is configured for voice services and the
configuration is successfully delivered, you can run the display voice-aware-list command to
check voice session information.
[AC-wlan-view] display voice-aware-list ap-name area_1 radio 0
-------------------------------------------------------------------------------
Protocol Source IP/Port Destination IP/Port
-------------------------------------------------------------------------------
qq 191.168.1.254/123 191.168.1.253/123
weixin 191.168.1.253/123 191.168.1.254/123
-------------------------------------------------------------------------------
Total : 2
----End
Configuration Files
l AC configuration file
#
defence engine enable
sysname AC
#
return
Data Planning
Configuration Roadmap
1. Configure priorities for Lync packets to set higher priorities for voice and video packets
than those of desktop sharing and file transfer packets.
Configuration Notes
l The configuration of priorities for Lync packets supports only tunnel forwarding mode.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item Command Data
NOTE
l If an AP has different configurations from that in the AP group, the configuration on the AP takes
precedence.
l A new profile takes effect only after being bound to an AP or an AP group.
NOTE
l The port number of the HTTP service specified on the AC must be consistent with the port number on the
Lync server.
l You need to specify the IP address of the AC for the Lync server and the port number of the Lync server.
----End
Configuration Files
l AC configuration file
#
sysname AC
#
lync listener http-port 9000
#
wlan
ucc-profile name wlan-ucc
lync-voice remark dot1p 6
lync-video remark dot1p 5
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: direct forwarding
Data Planning
Item Data
IP address pool for APs 10.23.100.2-10.23.100.254/24
IP address pool for STAs 10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command. A MAC address is easy to spoof, so where the AP
serial numbers are known, SN authentication (ap auth-mode sn-auth) gives a stronger check of which APs may
join the AC.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4030TN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1
In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In actual
situations, configure the security policy according to service requirements. The password a1234567 is only
a placeholder: a WPA2-PSK network is only as strong as its passphrase, because an attacker who captures one
4-way handshake can test candidate passphrases offline, so use a long random passphrase in production.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to all radios of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
# Enable the broadcast flood detection function and configure the rate threshold for
broadcast flood detection. By default, the broadcast flood detection function is enabled.
[AC-wlan-vap-prof-wlan-net] undo anti-attack broadcast-flood disable
[AC-wlan-vap-prof-wlan-net] anti-attack broadcast-flood sta-rate-threshold 50
[AC-wlan-vap-prof-wlan-net] quit
2. Adjust parameters in SSID profile wlan-net.
# Set the maximum number of STAs that can be associated with a VAP to 128 and set
EDCA parameters for AC_BE packets on STAs.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] max-sta-number 128
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10
[AC-wlan-ssid-prof-wlan-net] quit
3. Create a traffic profile and adjust traffic profile parameters.
# Create traffic profile wlan-traffic and set the uplink and downlink rate limits for a STA
to 4000 kbit/s.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client down 4000
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client up 4000
[AC-wlan-traffic-prof-wlan-traffic] quit
Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-------------------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
-------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
l Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
traffic-profile name wlan-traffic
rate-limit client up 4000
rate-limit client down 4000
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#wQ}eV*m'Y#f6Mj@h#DxTLrKaYm|)pBm@w$(jpeqE%^%# aes
ssid-profile name wlan-net
ssid wlan-net
max-sta-number 128
wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. On a traditional WLAN, users need to manually select an SSID and set authentication
information to access the WLAN, causing poor user experience. To enhance user experience,
Hotspot2.0 services are deployed using a subscriber identity module (SIM) card for
authentication. In this way, users can access the WLAN automatically without awareness.
Networking Requirements
l AC networking mode: Layer 2 networking in bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_B) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: direct forwarding
Data Planning
Item Data
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure WPA2-802.1x authentication based on the operator's AAA server information.
5. Configure Hotspot2.0 services based on the operator's network information.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
# Configure an AAA authentication scheme and configure the device to use RADIUS
authentication preferentially.
[AC] aaa
[AC-aaa] authentication-scheme wlan-authen
[AC-aaa-authen-wlan-authen] authentication-mode radius local
[AC-aaa-authen-wlan-authen] quit
[AC-aaa] quit
# Configure an 802.1x access profile and configure EAP relay authentication for 802.1x users.
[AC] dot1x-access-profile name wlan-net
[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit
# Configure an authentication profile and bind the AAA authentication scheme, RADIUS
server template, and 802.1x access profile to the authentication profile.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-authen
[AC-authentication-profile-wlan-net] radius-server wlan-radius
[AC-authentication-profile-wlan-net] quit
# Configure Hotspot2.0 profile wlan-net based on the operator's network parameters. Ensure
that the WPA2-802.1x authentication profile has been bound to the VAP profile.
[AC] wlan
[AC-wlan-view] cellular-network-profile name wlan-net
[AC-wlan-cellular-network-prof-wlan-net] plmn-id 46000
[AC-wlan-cellular-network-prof-wlan-net] quit
[AC-wlan-view] connection-capability-profile name wlan-net
[AC-wlan-co-cap-prof-wlan-net] connection-capability tcp-http on
[AC-wlan-co-cap-prof-wlan-net] quit
[AC-wlan-view] operator-name-profile name wlan-net
[AC-wlan-wlan-op-name-prof-wlan-net] operator-friendly-name language-code eng
name mobileA
[AC-wlan-wlan-op-name-prof-wlan-net] quit
[AC-wlan-view] operating-class-profile name wlan-net
[AC-wlan-op-class-prof-wlan-net] operating-class-indication 81
[AC-wlan-op-class-prof-wlan-net] quit
[AC-wlan-view] operator-domain-profile name wlan-net
[AC-wlan-op-domain-prof-wlan-net] domain-name www.mobileA.com
[AC-wlan-op-domain-prof-wlan-net] quit
[AC-wlan-view] nai-realm-profile name wlan-net
[AC-wlan-nai-realm-prof-wlan-net] nai-realm realm-name www.mobileA.com
[AC-wlan-nai-realm-prof-wlan-net] quit
[AC-wlan-view] venue-name-profile name wlan-net
[AC-wlan-ve-na-prof-wlan-net] venue-name language-code eng name Coffee
[AC-wlan-ve-na-prof-wlan-net] quit
[AC-wlan-view] roaming-consortium-profile name wlan-net
[AC-wlan-ro-co-prof-wlan-net] roaming-consortium-oi 50-6f-9a in-beacon
[AC-wlan-ro-co-prof-wlan-net] quit
[AC-wlan-view] hotspot2-profile name wlan-net
[AC-wlan-hotspot2-prof-wlan-net] network-type public-free internet-access
[AC-wlan-hotspot2-prof-wlan-net] undo p2p-cross-connect disable
[AC-wlan-hotspot2-prof-wlan-net] venue-type group-code 1 type-code 13
[AC-wlan-hotspot2-prof-wlan-net] hessid 60de-4476-e360
[AC-wlan-hotspot2-prof-wlan-net] ipv4-address-avail available
[AC-wlan-hotspot2-prof-wlan-net] ipv6-address-avail available
[AC-wlan-hotspot2-prof-wlan-net] network-authen-type acceptance
[AC-wlan-hotspot2-prof-wlan-net] cellular-network-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] connection-capability-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] operator-name-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] operating-class-profile wlan-net
Step 9 Apply the authentication profile and Hotspot2.0 profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] hotspot2-profile wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit
Connect STAs to the WLAN with SSID wlan-net. This example uses WPA2-802.1x (security wpa-wpa2
dot1x aes) with SIM-based EAP authentication against the operator's RADIUS server, so no
pre-shared password is entered on the STA. Run the display station ssid wlan-net command on
the AC. The command output shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-------------------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
-------------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-authen
radius-server wlan-radius
#
dhcp enable
#
radius-server template wlan-radius
radius-server shared-key cipher %^%#3|_'15Yp[3cBVN4*3lB3o&@0%pll(XJ:9@Yw'`(!%^%#
radius-server authentication 10.23.102.1 1812 weight 80
radius-server retransmit 2
undo radius-server user-name domain-included
#
aaa
authentication-scheme wlan-authen
authentication-mode radius local
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
roaming-consortium-profile name wlan-net
roaming-consortium-oi 50-6f-9a in-beacon
operating-class-profile name wlan-net
operating-class-indication 81
cellular-network-profile name wlan-net
plmn-id 46000
connection-capability-profile name wlan-net
connection-capability tcp-http on
operator-domain-profile name wlan-net
operator-name-profile name wlan-net
operator-friendly-name language-code eng name mobileA
venue-name-profile name wlan-net
venue-name language-code eng name Coffee
nai-realm-profile name wlan-net
nai-realm realm-name www.mobileA.com
hotspot2-profile name wlan-net
hessid 60de-4476-e360
network-type public-free internet-access
venue-type group-code 1 type-code 13
ipv4-address-avail available
ipv6-address-avail available
network-authen-type acceptance
cellular-network-profile wlan-net
connection-capability-profile wlan-net
operator-name-profile wlan-net
operating-class-profile wlan-net
operator-domain-profile wlan-net
nai-realm-profile wlan-net
venue-name-profile wlan-net
roaming-consortium-profile wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
hotspot2-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
dot1x-access-profile name wlan-net
#
return
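The saved configurations in this example and in the WPA2-PSK example before it, together with the Configuration Notes repeated in each example, state rules that can be checked mechanically: pass-phrases and RADIUS shared keys should be stored as cipher text (the %^%#...%^%# form in the listings), the management VLAN and service VLAN must differ in tunnel forwarding mode, a dot1x security profile only authenticates users if an authentication profile is bound to the VAP profile, and switch ports facing APs need port isolation in direct forwarding mode. The following Python linter is an added example written for this page; it is not a Huawei tool and not part of the document. Its parser is a simplification of VRP configuration syntax, MIN_PSK_LEN is an assumed local policy value, and the two sample configurations are constructed in the style of the listings above rather than taken from a device.

```python
"""Linter for the AC and switch listings above: an added example, not a Huawei tool."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule where detail")
CIPHER_RE = re.compile(r"%\^%#.+%\^%#")  # cipher-text form seen in the saved configs on this page
MIN_PSK_LEN = 12                         # assumed local policy value, not a Huawei default
BLOCK_HEADER_RE = re.compile(r"^(interface \S+|\S+-profile name \S+|radius-server template \S+)$")


def parse_blocks(text):
    """Group a VRP-style config into (header, [lines]) blocks ending at the next header, '#' or 'return'."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()  # indentation is ignored, so flattened listings parse like live output
        if line in ("", "#", "return"):
            current = None
        elif BLOCK_HEADER_RE.match(line):
            current = (line, [])
            blocks.append(current)
        elif current is not None:
            current[1].append(line)
    return blocks


def management_vlan(text):
    """The management VLAN is the one CAPWAP is sourced from ('capwap source interface vlanifN')."""
    m = re.search(r"^\s*capwap source interface vlanif\s*(\d+)", text, re.M)
    return int(m.group(1)) if m else None


def audit_ac(text):
    """Findings for an AC configuration, in configuration order."""
    findings, blocks, mgmt = [], parse_blocks(text), management_vlan(text)
    sec_mode = {}  # security-profile name -> "psk" or "dot1x"
    for header, lines in blocks:  # pass 1: stored credentials and security profiles
        for line in lines:
            m = re.match(r"security (?:wpa|wpa2|wpa-wpa2) (psk|dot1x)(?: pass-phrase (\S+))?", line)
            if m and header.startswith("security-profile name "):
                sec_mode[header.split()[-1]], key = m.group(1), m.group(2)
                if key and not CIPHER_RE.fullmatch(key):
                    findings.append(Finding("psk-plaintext", header, "pass-phrase is not cipher text"))
                    if len(key) < MIN_PSK_LEN:
                        findings.append(Finding("psk-short", header, f"{len(key)} chars, policy minimum {MIN_PSK_LEN}"))
            m = re.match(r"radius-server shared-key \S+ (\S+)", line)
            if m and not CIPHER_RE.fullmatch(m.group(1)):
                findings.append(Finding("radius-key-plaintext", header, "shared key is not cipher text"))
    for header, lines in blocks:  # pass 2: VAP profiles, which reference security profiles by name
        if header.startswith("vap-profile name "):
            opts = dict(l.split(None, 1) for l in lines if " " in l)  # keyword -> rest of line
            svlan = int(opts.get("service-vlan", "vlan-id 0").split()[-1])
            if opts.get("forward-mode") == "tunnel" and svlan == mgmt:
                findings.append(Finding("tunnel-vlan-overlap", header, f"service VLAN {svlan} is the management VLAN"))
            sec = opts.get("security-profile")
            if sec_mode.get(sec) == "dot1x" and "authentication-profile" not in opts:
                findings.append(Finding("dot1x-no-auth-profile", header, f"{sec} is dot1x but no authentication-profile is bound"))
    return findings


def audit_switch(text, mgmt_vlan):
    """Flag AP-facing trunk ports (PVID = management VLAN) without port isolation (direct forwarding)."""
    findings = []
    for header, lines in parse_blocks(text):
        pvid = next((int(l.split()[-1]) for l in lines if l.startswith("port trunk pvid vlan ")), None)
        if header.startswith("interface ") and pvid == mgmt_vlan and not any(l.startswith("port-isolate enable") for l in lines):
            findings.append(Finding("no-port-isolation", header, "AP-facing interface without port-isolate enable"))
    return findings


# Constructed samples in the style of the listings above (placeholder cipher text, not from a device).
SAMPLE_AC = """
radius-server template wlan-radius
 radius-server shared-key cipher %^%#cipher-text-placeholder%^%#
#
capwap source interface vlanif100
#
wlan
 security-profile name psk-net
  security wpa-wpa2 psk pass-phrase a1234567 aes
 security-profile name ent-net
  security wpa2 dot1x aes
 vap-profile name psk-net
  forward-mode tunnel
  service-vlan vlan-id 100
  security-profile psk-net
 vap-profile name ent-net
  service-vlan vlan-id 101
  security-profile ent-net
#
return
"""
SAMPLE_SWITCH = """
interface GigabitEthernet0/0/1
 port trunk pvid vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port trunk pvid vlan 100
#
"""

if __name__ == "__main__":
    for f in audit_ac(SAMPLE_AC) + audit_switch(SAMPLE_SWITCH, management_vlan(SAMPLE_AC)):
        print(f"{f.rule:22} {f.where:32} {f.detail}")
```

Run it against the saved output of display current-configuration from the AC and from the access switch. The rules are deliberately conservative: anything that is not in cipher form is flagged, so a pass-phrase typed interactively and not yet saved shows up too, and an interface is treated as AP-facing purely because its PVID is the management VLAN, which matches the port layout used in these examples but should be adjusted for other designs.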
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
To improve data transmission reliability, the enterprise requires that data forwarding not be
affected even when the AC is faulty.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: Switch functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding
Figure 4-69 Networking for configuring service holding upon WLAN CAPWAP link
disconnection
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure service holding upon CAPWAP link disconnection to improve data
transmission reliability so that data forwarding is not affected even when the AC is
faulty.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
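The notes above are easy to state and easy to lose when the configuration files at the end of each example are edited by hand. The following script is an added example, not from this document or from Huawei: it parses configuration files in the format shown in the Configuration Files sections and reports an AP-facing trunk port (one with a PVID, the page's convention for the management VLAN) without port isolation, and a tunnel-forwarded VAP whose service VLAN equals the management VLAN taken from the capwap source interface. It goes beyond the notes with two related checks: a PSK stored in plain text rather than the %^%#...%^%# cipher text the AC writes, and service holding (keep-service) enabled for a tunnel-forwarded VAP, which the AC cannot hold when it is down. The sample configurations inside it are constructed from this page's examples; the parser handles only the syntax subset those files use.

```python
"""Audit Huawei VRP-style WLAN configuration files for the Configuration Notes
above (port isolation on AP-facing trunk ports; separate management and service
VLANs under tunnel forwarding) plus two related checks: a PSK stored in plain
text, and service holding (keep-service) enabled for a tunnel-forwarded VAP.
Added example, not from the page or Huawei; parses only the syntax shown here."""
import re
CIPHER = "%^%#"   # delimiter the AC writes around cipher-text pass-phrases

def parse_stanzas(text):
    """Split a VRP configuration file into stanzas separated by '#' lines."""
    stanzas, cur = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            if cur:
                stanzas.append(cur)
            cur = []
        elif line:
            cur.append(line)
    return stanzas + ([cur] if cur else [])

def audit_wlan(lines, mgmt_vlan):
    """Checks inside the 'wlan' stanza; the current profile is tracked by name."""
    findings, ctx, vaps, keep_service = [], None, {}, False
    for line in lines[1:]:
        m = re.match(r"(\S+-profile) name (\S+)$", line)
        if m:
            ctx = (m.group(1), m.group(2))
            if ctx[0] == "vap-profile":       # direct forwarding is the default mode
                vaps[ctx[1]] = {"forward": "direct-forward", "vlan": None}
            continue
        if line.startswith(("ap-group name", "ap-id ")):
            ctx = None                        # profile definitions are over
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "security-profile":
            m = re.match(r"security \S+ psk pass-phrase (\S+)", line)
            if m and not (m.group(1).startswith(CIPHER) and m.group(1).endswith(CIPHER)):
                findings.append(f"security-profile {name}: PSK stored in plain text")
        elif kind == "vap-profile" and line.startswith("forward-mode "):
            vaps[name]["forward"] = line.split()[1]
        elif kind == "vap-profile" and line.startswith("service-vlan vlan-id "):
            vaps[name]["vlan"] = int(line.split()[2])
        elif kind == "ap-system-profile" and line.startswith("keep-service enable"):
            keep_service = True
    for name, v in vaps.items():
        if v["forward"] == "tunnel" and mgmt_vlan is not None and v["vlan"] == mgmt_vlan:
            findings.append(f"vap-profile {name}: tunnel forwarding with service VLAN "
                            f"{v['vlan']} equal to the management VLAN")
        if v["forward"] == "tunnel" and keep_service:
            findings.append(f"vap-profile {name}: keep-service cannot hold "
                            "tunnel-forwarded traffic when the AC is down")
    return findings

def audit_config(text):
    """Return finding strings for one device's configuration; [] means clean."""
    stanzas = parse_stanzas(text)
    # On an AC the management VLAN is the VLANIF named as the CAPWAP source interface.
    capwap = [l for st in stanzas for l in st if l.startswith("capwap source interface vlanif")]
    mgmt_vlan = int(capwap[0].rsplit("vlanif", 1)[1]) if capwap else None
    findings, ap_ports = [], {}
    for st in stanzas:
        if st[0].startswith("interface "):    # page convention: an AP-facing trunk has a PVID
            if any(l.startswith("port trunk pvid vlan ") for l in st):
                ap_ports[st[0][10:]] = any(l.startswith("port-isolate enable") for l in st)
        elif st[0] == "wlan":
            findings += audit_wlan(st, mgmt_vlan)
    findings += [f"{name}: AP-facing trunk port without port-isolate enable"
                 for name, isolated in ap_ports.items() if not isolated]
    return findings

# Constructed samples modelled on the page's switch and AC configuration files.
SWITCH_OK = """
interface GigabitEthernet0/0/1
 port trunk pvid vlan 100
 port-isolate enable group 1
#
return
"""
SWITCH_WEAK = SWITCH_OK.replace(" port-isolate enable group 1\n", "")
AC_OK = """
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#cipher-text-written-by-the-AC%^%# aes
 vap-profile name wlan-net
  forward-mode direct-forward
  service-vlan vlan-id 101
 ap-system-profile name ap-system
  keep-service enable allow new-access
#
return
"""
# The same AC with the mistakes the notes warn about: plain-text PSK, tunnel
# forwarding onto the management VLAN, and keep-service on that tunnel VAP.
AC_WEAK = (AC_OK.replace("%^%#cipher-text-written-by-the-AC%^%#", "a1234567")
                .replace("forward-mode direct-forward", "forward-mode tunnel")
                .replace("service-vlan vlan-id 101", "service-vlan vlan-id 100"))
```

Run audit_config on each device's saved configuration separately; a switch file yields only the port-isolation finding, an AC file only the wlan findings, and an empty list means the file follows the notes.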
Procedure
Step 1 Configure the network devices.
# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the switch. Set
the link type of GE0/0/1 that connects the switch to the APs to trunk and PVID of the
interface to 100, and configure the interface to allow packets of VLAN 100 and VLAN 101 to
pass. Set the link type of GE0/0/2 on the switch to trunk, and configure the interface to allow
packets of VLAN 100 to pass.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.1.2.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.1.2.2 24
[Router-Vlanif101] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure VLANIF 100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] quit
# Configure VLANIF 101 to use the interface address pool to allocate IP addresses to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
------------------------------------------------------------------------------------
ID   MAC            Name     Group       IP           Type       State   STA   Uptime
------------------------------------------------------------------------------------
0    60de-4476-e360 area_1   ap-group1   10.1.2.254   AP5030DN   nor     0     10S
------------------------------------------------------------------------------------
Total: 1
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In actual
deployments, configure the security policy according to service requirements. An eight-character pass-phrase
like this one is for demonstration only: a WPA/WPA2-PSK handshake captured over the air can be attacked
offline, so use a long, random pass-phrase in production. The AC stores the pass-phrase in the configuration
file as cipher text (%^%#...%^%#), not in plain text.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create the AP system profile ap-system and enable service holding (keep-service). With allow new-access,
the AP keeps forwarding traffic for its associated STAs and also admits new STAs while its CAPWAP link to the
AC is down. This works because the example uses direct forwarding, in which the AP switches service traffic
locally; tunnel-forwarded traffic terminates on the AC and cannot be held when the AC is unavailable.
[AC-wlan-view] ap-system-profile name ap-system
[AC-wlan-ap-system-prof-ap-system] keep-service enable allow new-access
[AC-wlan-ap-system-prof-ap-system] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
# Bind the AP system profile and VAP profile to the AP group and apply the VAP profile to
radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.1.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode direct-forward
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-system-profile name ap-system
keep-service enable allow new-access
ap-group name ap-group1
ap-system-profile ap-system
radio 0
Networking Requirements
l AC networking mode: Layer 2 networking in bypass mode
l DHCP deployment mode: Switch functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding
Figure 4-70 Networking for configuring channel switching without service interruption
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure channel switching without service interruption to improve WLAN service
reliability so that services are not interrupted even when APs change their working
channels.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch to VLAN 100 and VLAN 101, and GE0/0/3 to VLAN
100. VLAN 100 is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100. Create VLANIF 100 and set its IP address to
10.1.1.2/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.1.1.2 24
[AC-Vlanif100] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
MAC addresses of AP1 and AP2 are 60de-4476-e360 and dcd2-fc04-b500, respectively.
Configure names for the APs based on the APs' deployment locations, so that you can know
where the APs are deployed from their names. For example, name AP1 area_1 if it is
deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
------------------------------------------------------------------------------------
ID   MAC            Name     Group       IP           Type       State   STA   Uptime
------------------------------------------------------------------------------------
0    60de-4476-e360 area_1   ap-group1   10.1.1.253   AP5030DN   nor     0     10S
1    dcd2-fc04-b500 area_2   ap-group1   10.1.1.254   AP5030DN   nor     0     10S
------------------------------------------------------------------------------------
Total: 2
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
The following example configures a 2G radio profile. The configuration of the 5G radio profile is similar.
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the 2G radio profile, 5G radio profile, and VAP profile to the AP group and apply the
VAP profile to radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.1.1.2
#
interface Vlanif101
ip address 10.1.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
radio-2g-profile name wlan-radio2g
radio-5g-profile name wlan-radio5g
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac dcd2-fc04-b500 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
#
return
Service Requirements
Administrators need to configure static IP addresses for APs so that the APs can discover an
AC. When the APs are authenticated by the AC, the APs go online properly on the AC.
Networking Requirements
AC networking mode: Layer 2 networking (AP goes online using a static IP address.)
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
d. Configure static IP addresses for the APs and enable the APs to go online.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch to VLAN 100. VLAN 100 is the default VLAN of
GE0/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100. Create VLANIF 100 and set its IP address to
10.23.100.1/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
------------------------------------------------------------------------------------
ID   MAC            Name     Group       IP              Type       State   STA   Uptime
------------------------------------------------------------------------------------
0    60de-4476-e360 area_1   ap-group1   10.23.100.100   AP5030DN   nor     0     10S
------------------------------------------------------------------------------------
Total: 1
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
regulatory-domain-profile name default
ap-group name ap-group1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
provision-ap
address-mode static
ip-address 10.23.100.100 255.255.255.0
#
return
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A wired network has been deployed in an area. To provide more convenient network
access services, administrators need to deploy a wireless network in this area. To facilitate the
unified management of wired and wireless users, administrators also need to use the existing
wired access gateway ME60 for authentication and accounting of wireless users.
Networking Requirements
l AC networking mode: Layer 2 networking in bypass mode
l DHCP deployment mode:
– The ME60 functions as a DHCP server to assign IP addresses to STAs.
– Switch functions as a DHCP server to assign IP addresses to APs.
l Service data forwarding mode: soft GRE forwarding
Data Planning
Item                          Data
IP address pool for APs       10.23.100.3-10.23.100.254/24
AC data planning
Item                          Data
IP address pool for STAs      10.23.101.2-10.23.101.254/24
VE interface for soft GRE     Virtual-Ethernet2/0/0
Configuration Roadmap
1. Configure network interworking of the APs, AC, Switch, and ME60.
2. Configure Switch and ME60 to function as DHCP servers to assign IP addresses to APs
and STAs, respectively.
3. Configure the ME60, soft GRE tunnel, and authentication and accounting functions.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
5. Configure WLAN service parameters.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1 to VLAN 100 and VLAN 101, GE0/0/2 to VLAN 100, and
GE0/0/3 to VLAN 199. Set the PVIDs of GE0/0/1 and GE0/0/3 to VLAN 100 and VLAN
199, respectively. Create VLANIF 199 and set its IP address to 10.23.199.2/24.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101 199
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 199
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 199
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface vlanif 199
[Switch-Vlanif199] ip address 10.23.199.2 24
[Switch-Vlanif199] quit
# On the ME60, set the IP address of GE2/0/0 to 10.23.199.1/24, and configure a route to
10.23.100.0/24.
<HUAWEI> system-view
[HUAWEI] sysname ME60
[ME60] interface gigabitethernet 2/0/0
[ME60-GigabitEthernet2/0/0] ip address 10.23.199.1 24
[ME60-GigabitEthernet2/0/0] quit
[ME60] ip route-static 10.23.100.0 24 10.23.199.2
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure Switch as a DHCP server to assign IP addresses to APs, and configure a route to
10.23.200.0/24.
[Switch] dhcp enable
[Switch] interface vlanif 100
# Configure an IP address for the loopback interface and bind the soft GRE group to it.
[ME60] interface loopback 1
[ME60-LoopBack1] ip address 10.23.200.1 255.255.255.0
[ME60-LoopBack1] binding soft-gre group group1
[ME60-LoopBack1] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
------------------------------------------------------------------------------------
ID   MAC            Name     Group       IP              Type       State   STA   Uptime
------------------------------------------------------------------------------------
0    60de-4476-e360 area_1   ap-group1   10.23.100.254   AP5030DN   nor     0     10S
------------------------------------------------------------------------------------
Total: 1
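The two verification steps on this page, display ap all after the APs come online (just above) and display vap ssid after the VAP profile is bound (later in this example), are normally read by eye. The following script is an added example, not part of this document or of Huawei's software: it parses both outputs in the layout shown here, flags APs whose State is not nor, expected radios with no VAP or a VAP whose Status is not ON, and VAPs whose Auth type is open, which in this example is deliberate because the ME60 authenticates the users. The outputs embedded below are constructed in that layout, not captured from a device, and the parser assumes the Auth type column is a single token.

```python
"""Parse the AC's 'display ap all' and 'display vap ssid <ssid>' outputs and
report what an operator checks after bringing APs online: every AP in state
'nor', an 'ON' VAP on every expected radio, and any VAP whose Auth type is
'open'. Added example, not from the page; the outputs below are constructed in
the layout the page shows, not captured from a device, and the parser assumes
the Auth type column is a single token."""
import re

MAC_RE = re.compile(r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}", re.I)

# Constructed: two APs, one online and one stuck in the 'fault' state.
AP_ALL = """\
Total AP information:
nor   : normal          [1]
fault : fault           [1]
----------------------------------------------------------------------------------
ID   MAC            Name    Group      IP             Type       State  STA  Uptime
----------------------------------------------------------------------------------
0    60de-4476-e360 area_1  ap-group1  10.23.100.254  AP5030DN   nor    0    10S
1    dcd2-fc04-b500 area_2  ap-group1  -              AP5030DN   fault  0    -
----------------------------------------------------------------------------------
Total: 2
"""
# Constructed: the online AP's two VAPs, both on an open (unencrypted) SSID.
VAP_SSID = """\
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type  STA  SSID
--------------------------------------------------------------------------------
0      area_1   0     1    60DE-4476-E360  ON      open       0    wlan-net
0      area_1   1     1    60DE-4476-E370  ON      open       0    wlan-net
--------------------------------------------------------------------------------
Total: 2
"""

def parse_ap_all(text):
    """Map AP ID -> fields for each data row of 'display ap all'."""
    aps = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 9 and f[0].isdigit() and MAC_RE.fullmatch(f[1]):
            aps[int(f[0])] = dict(mac=f[1], name=f[2], group=f[3], ip=f[4],
                                  type=f[5], state=f[6], sta=int(f[7]), uptime=f[8])
    return aps

def parse_vap_ssid(text):
    """List one dict per data row of 'display vap ssid <ssid>'."""
    vaps = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 9 and f[0].isdigit() and MAC_RE.fullmatch(f[4]):
            vaps.append(dict(ap_id=int(f[0]), ap_name=f[1], rf=int(f[2]), wid=int(f[3]),
                             bssid=f[4], status=f[5], auth=f[6], sta=int(f[7]), ssid=f[8]))
    return vaps

def check_online(ap_text, vap_text, radios=(0, 1), allow_open=False):
    """Return problem strings; [] means all APs are 'nor', every expected radio
    carries an 'ON' VAP, and no VAP is open unless allow_open is set (as when an
    upstream gateway such as the ME60 authenticates the users)."""
    problems = []
    vaps = parse_vap_ssid(vap_text)
    for ap_id, ap in sorted(parse_ap_all(ap_text).items()):
        if ap["state"] != "nor":
            problems.append(f"AP {ap_id} ({ap['name']}): state {ap['state']}, not online")
            continue
        for rf in radios:
            on_radio = [v for v in vaps if v["ap_id"] == ap_id and v["rf"] == rf]
            if not on_radio:
                problems.append(f"AP {ap_id} radio {rf}: no VAP delivered")
            for v in on_radio:
                if v["status"] != "ON":
                    problems.append(f"AP {ap_id} radio {rf}: VAP {v['ssid']} status {v['status']}")
                if v["auth"] == "open" and not allow_open:
                    problems.append(f"AP {ap_id} radio {rf}: SSID {v['ssid']} is open, "
                                    "no air-interface encryption or local authentication")
    return problems
```

Paste the real command outputs in place of the constructed strings; pass allow_open=True only for a VAP whose users are authenticated upstream, as the ME60 does in this example.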
# Create security profile wlan-net and use the default security policy (open system) in the profile. The air
interface is therefore unencrypted and the VAP itself authenticates nobody; this is acceptable here only
because the ME60 authenticates and accounts for the wireless users (see Service Requirements). Do not reuse
this profile where no upstream gateway authenticates users.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create soft GRE profile wlan-soft and set the soft GRE profile parameters.
[AC-wlan-view] softgre-profile name wlan-soft
[AC-wlan-softgre-prof-wlan-soft] destination ip-address 10.23.200.1
[AC-wlan-softgre-prof-wlan-soft] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode softgre wlan-soft
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit
The AC automatically delivers WLAN service configuration to the AP. After the
configuration is complete, run the display vap ssid wlan-net command. If the Status field is
displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON open 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON open 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net. Run the display station ssid wlan-net
command on the AC. The command output shows that the STAs are connected to the WLAN
wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101 199
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.1
#
interface Vlanif199
ip address 10.23.199.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 199
port trunk allow-pass vlan 199
#
ip route-static 10.23.200.0 0.0.0.0 10.23.199.2
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
softgre-profile name wlan-soft
destination ip-address 10.23.200.1
vap-profile name wlan-net
forward-mode softgre wlan-soft
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
authentication-scheme radius
accounting-scheme radius
ip-pool sta-pool
radius-server group radius1
#
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.23.199.1 255.255.255.0
#
interface Virtual-Ethernet2/0/0
soft-gre enable
#
interface Virtual-Ethernet2/0/0.1
user-vlan 101
bas
#
access-type layer2-subscriber default-domain authentication aaadomain1
authentication-method bind
#
#
interface LoopBack1
ip address 10.23.200.1 255.255.255.0
binding soft-gre group group1
#
soft-gre group group1
master Virtual-Ethernet2/0/0
#
ip route-static 10.23.100.0 255.255.255.0 10.23.199.2
#
return
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
Data Planning
Item                      Data
IP address pool for APs   10.23.100.2-10.23.100.254/24
IP address pool for STAs  10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure local authentication and authorization for 802.1x users.
3. Configure the URL push function so that the first web request from an authenticated user
is redirected to a specified web page.
4. Configure the terminal type identification function to allow only the STAs of the huawei
type to connect to the wireless network.
5. Configure an 802.1x access profile to manage 802.1x access control parameters.
6. Configure an authentication profile and bind the AAA domain and 802.1x access profile
to the authentication profile.
7. Bind the authentication profile to a VAP profile to control access from STAs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
----------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime
----------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
----------------------------------------------------------------------------------
Total: 1
# Create an AAA scheme abc and set the authentication mode to local.
[AC-wlan-view] quit
[AC] aaa
[AC-aaa] authentication-scheme abc
[AC-aaa-authen-abc] authentication-mode local
[AC-aaa-authen-abc] quit
# Create the AAA domain huawei.com and apply the AAA authentication scheme abc to the
domain.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme abc
[AC-aaa-domain-huawei.com] quit
# Create a local user test, and set the user password to admin@12345, user level to 3, service
type to 8021x, and allowed terminal type to huawei.
[AC-aaa] local-user test password cipher admin@12345 privilege level 3
[AC-aaa] local-user test service-type 8021x
[AC-aaa] local-user test device-type huawei
# Configure the URL push function to specify the web page that an authenticated user must
access when the user connects to the network for the first time. After this function is
configured, the AC can obtain the UA field from the HTTP Get packet sent by the terminal.
NOTE
Ensure that the user client has a reachable route to the DNS server on the network so that domain name
resolution can be implemented. Ensure that the user client has a reachable route to the network segment
of the IP address corresponding to the domain name www.login.com so that the URL push function can
be implemented.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] force-push url www.login.com
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit
# Enable UA so that the AC can obtain and send the UA field from the HTTP Get packet sent
by the terminal to the terminal type identification module.
[AC] http parse user-agent enable
# Create the terminal type identification profile huawei and configure identification rules 0 to
4 in the profile.
Rules 0 to 2 match the Option 12, Option 55, and Option 60 information in DHCP packets from terminals. Rule 3 matches the vendor OUI information in the terminal's MAC address. Rule 4 matches the user agent (UA) information in HTTP packets from terminals. If the terminal information matches any one of the rules, the terminal type identifier huawei is set for the terminal.
[AC] device-profile profile-name huawei
[AC-device-profile-huawei] device-type huawei
[AC-device-profile-huawei] rule 0 dhcp-option 12 sub-match ascii android-9f09b5dc88a64c37
[AC-device-profile-huawei] rule 1 dhcp-option 55 sub-match ascii \001!\003\006\017\0343:;
[AC-device-profile-huawei] rule 2 dhcp-option 60 sub-match ascii dhcpcd-5.2.10
[AC-device-profile-huawei] rule 3 mac fcff-ffff-ffff mask 8
[AC-device-profile-huawei] rule 4 user-agent sub-match Mozille/5.0 (Linux; U; Android 4.1.2; zh-CN; ZTE U956 Build/JZ054K) AppleWebKit/534.31 (KHTNL, like Gecko) UCBrowser/8.8.3.276 U3/0.8.8 Moblie Sofari/534.31
[AC-device-profile-huawei] if-match rule 0 or rule 1 or rule 2 or rule 3 or rule 4
[AC-device-profile-huawei] enable
[AC-device-profile-huawei] quit
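The matching semantics of the five rules above (substring tests on DHCP options 12/55/60, a MAC prefix compared under a bit mask, a User-Agent substring, combined with OR) are reimplemented here as an added example so they can be exercised offline; this is not Huawei code, and the Terminal record, function names and constructed terminal data are this example's own.

```python
"""Terminal type identification as configured in device-profile "huawei" on this page.

Added example, not Huawei code. It reimplements rules 0-4 (DHCP option 12/55/60
sub-match, MAC prefix under a bit mask, HTTP User-Agent sub-match, joined by OR)
so the logic can be tested on constructed terminal records. The Terminal record
and the function names are this example's own, not an AC API.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Terminal:
    """What the AC has learned about one STA (constructed record, not a real API)."""
    mac: str                                    # Huawei notation, e.g. "e019-1dc7-1e08"
    dhcp_options: Dict[int, bytes] = field(default_factory=dict)  # option code -> payload
    user_agent: Optional[str] = None            # only known after "http parse user-agent enable"


def mac_to_int(mac: str) -> int:
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def mac_prefix_match(mac: str, pattern: str, mask_bits: int) -> bool:
    """rule N mac <pattern> mask <bits>: only the leading mask_bits bits are compared."""
    if not 0 <= mask_bits <= 48:
        raise ValueError("mask must be between 0 and 48 bits")
    shift = 48 - mask_bits
    return (mac_to_int(mac) >> shift) == (mac_to_int(pattern) >> shift)


def dhcp_option_submatch(term: Terminal, option: int, needle: bytes) -> bool:
    """rule N dhcp-option <code> sub-match ascii <text>: substring test on the payload."""
    payload = term.dhcp_options.get(option)
    return payload is not None and needle in payload


def user_agent_submatch(term: Terminal, needle: str) -> bool:
    """rule N user-agent sub-match <text>: substring test on the UA of the HTTP GET."""
    return term.user_agent is not None and needle in term.user_agent


# Option 55 (parameter request list) as the page writes it with octal escapes
# (\001!\003\006\017\0343:;), i.e. requested options 1,33,3,6,15,28,51,58,59.
OPT55_PATTERN = b"\x01!\x03\x06\x0f\x1c3:;"
# User-Agent string copied verbatim from the page's rule 4 (spelling included).
UA_PATTERN = ("Mozille/5.0 (Linux; U; Android 4.1.2; zh-CN; ZTE U956 Build/JZ054K) "
              "AppleWebKit/534.31 (KHTNL, like Gecko) UCBrowser/8.8.3.276 U3/0.8.8 "
              "Moblie Sofari/534.31")

# The profile on the page: rule id -> predicate; "if-match rule 0 or ... or rule 4".
HUAWEI_PROFILE: List[Tuple[int, Callable[[Terminal], bool]]] = [
    (0, lambda t: dhcp_option_submatch(t, 12, b"android-9f09b5dc88a64c37")),
    (1, lambda t: dhcp_option_submatch(t, 55, OPT55_PATTERN)),
    (2, lambda t: dhcp_option_submatch(t, 60, b"dhcpcd-5.2.10")),
    (3, lambda t: mac_prefix_match(t.mac, "fcff-ffff-ffff", 8)),
    (4, lambda t: user_agent_submatch(t, UA_PATTERN)),
]


def matched_rules(term: Terminal, profile=HUAWEI_PROFILE) -> List[int]:
    """Ids of every rule the terminal satisfies (what an audit log should record)."""
    return [rule_id for rule_id, pred in profile if pred(term)]


def device_type(term: Terminal, profile=HUAWEI_PROFILE) -> Optional[str]:
    """OR-combination of the rules: any single hit assigns device-type "huawei"."""
    return "huawei" if matched_rules(term, profile) else None


if __name__ == "__main__":
    # Constructed terminals. Every input here (DHCP options, MAC, UA) is supplied by
    # the client, so the identifier is a fingerprint, not a credential; on the page it
    # is applied together with the 802.1x authentication of local user "test".
    phone = Terminal(mac="fc12-3456-789a", dhcp_options={55: OPT55_PATTERN})
    laptop = Terminal(mac="e019-1dc7-1e08", dhcp_options={60: b"MSFT 5.0"},
                      user_agent="Mozilla/5.0 (Windows NT 10.0) Firefox/56.0")
    for t in (phone, laptop):
        print(t.mac, "->", device_type(t), matched_rules(t))
```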
Step 8 Configure an 802.1x access profile to manage 802.1x access control parameters.
Step 9 Create the authentication profile wlan-authentication, set the default user domain, configure
authentication in the domain huawei.com for STAs, and bind the 802.1x access profile to the
authentication profile.
[AC] authentication-profile name wlan-authentication
[AC-authentication-profile-wlan-authentication] access-domain huawei.com dot1x
[AC-authentication-profile-wlan-authentication] dot1x-access-profile wlan-dot1x
[AC-authentication-profile-wlan-authentication] quit
# Create security profile wlan-net and set the security policy to open in the profile. By
default, the security policy is open.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
bind the security profile, authentication profile, and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-authentication
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and bind the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit
The WLAN with the SSID wlan-net is available for STAs after the configuration is complete.
l If an STA of Huawei type has the CHAP-support client software installed, the STA can
be successfully authenticated and connect to the WLAN after correct user name and
password are entered.
l If an STA of a non-Huawei type has the CHAP-support client software installed, the STA
cannot be authenticated even if the correct user name and password are entered.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
Data Planning
Item                      Data
IP address pool for APs   10.23.100.2-10.23.100.254/24
IP address pool for STAs  10.23.101.4-10.23.101.254/24
                          10.23.102.4-10.23.102.254/24
AP group                  l Name: ap-group2
                          l Referenced profiles: VAP profile wlan-net2, regulatory domain profile default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g
VAP profile               l Name: wlan-net2
                          l Forwarding mode: tunnel forwarding
                          l Service VLAN: VLAN 102
                          l Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1
Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure the Bonjour gateway on the AC to allow service discovery across VLANs.
NOTE
If mobile terminals with Apple iOS V6.0 or later dynamically obtain IP addresses using DHCP, run the dns-
list command in the global address pool view or the dhcp server dns-list command in the interface address
pool view to configure the DNS server IP address.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA (access switch) to VLAN 100. The
default VLAN of GE0/0/1 and GE0/0/3 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101 and VLAN 102.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
# On the router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and
VLANIF 102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and VLANIF 102 to
10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# Add GE0/0/1 on the AC to VLAN 100, VLAN 101 and VLAN 102.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC-GigabitEthernet0/0/1] quit
# Configure VLANIF 101 and VLANIF 102 on SwitchB to assign IP addresses to STAs, and
specify 10.23.101.2 and 10.23.102.2 as the default gateway addresses for STAs in Department
1 and 2, respectively.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit
# Import APs offline on the AC and add authorized APs to AP group ap-group1 and monitor
APs to AP group ap-group2. Configure names for the APs based on the APs' deployment
location, so that you can know where the APs are located by name. For example, if the AP
with MAC address 60de-4476-e360 is deployed in area 1, name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
----------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime
----------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.253  AP5030DN  nor    0    10S
1   dcd2-fc04-b500  area_2  ap-group2  10.23.100.254  AP5030DN  nor    0    15S
----------------------------------------------------------------------------------
Total: 2
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net1
[AC-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-sec-prof-wlan-net1] quit
# Create SSID profile wlan-net1 and set the SSID name to wlan-net1.
[AC-wlan-view] ssid-profile name wlan-net1
[AC-wlan-ssid-prof-wlan-net1] ssid wlan-net1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net1] quit
# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net1
[AC-wlan-vap-prof-wlan-net1] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net1] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC-wlan-vap-prof-wlan-net1] quit
# Create VAP profile wlan-net2, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net2
[AC-wlan-vap-prof-wlan-net2] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net2] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-net2] security-profile wlan-net1
[AC-wlan-vap-prof-wlan-net2] ssid-profile wlan-net1
[AC-wlan-vap-prof-wlan-net2] quit
# Create the RRM profile wlan-rrm and enable automatic channel selection and automatic
transmit power selection in the RRM profile. By default, automatic channel selection and
automatic transmit power selection are enabled.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] undo calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-rrm] undo calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-rrm] quit
# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit
# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group2.
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] quit
# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup
# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-
peak hours, for example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00
# Set the service discovery interval. Configure the IP addresses of VLANIF 101 and VLANIF
102 as the source IP addresses for sending mDNS requests.
[AC] vlan 101
[AC-vlan101] mdns probe interval 100
[AC-vlan101] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.3 24
[AC-Vlanif101] quit
[AC] vlan 102
[AC-vlan102] mdns probe interval 100
[AC-vlan102] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.3 24
[AC-Vlanif102] quit
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
return
l SwitchB configuration file
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
dhcp server excluded-ip-address 10.23.101.3
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.102.2
dhcp server excluded-ip-address 10.23.102.3
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
l Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
l AC configuration file
#
sysname AC
#
mdns gateway enable
#
vlan batch 100 to 102
#
dhcp enable
#
vlan 101
mdns probe interval 100
#
vlan 102
mdns probe interval 100
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.3 255.255.255.0
#
interface Vlanif102
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The multicast source for video conferences is deployed on the enterprise network to provide
enterprise video conferencing services. The multicast source address ranges from 225.1.1.1 to
225.1.1.5. To restrict the access of employees when the multicast bandwidth reaches the
maximum, administrators need to configure bandwidth-based multicast CAC, ensuring the
conference access quality.
Networking Requirements
l AC networking mode: Layer 2 networking in inline mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: tunnel forwarding
Data Planning
Item                      Data
IP address pool for APs   10.23.100.2-10.23.100.254/24
IP address pool for STAs  10.23.101.2-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure multicast-to-unicast conversion to convert multicast packets into unicast
packets to improve the efficiency of multicast data transmission.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit
# Create AP system profile wlan-system. Configure the multicast group address to range
from 225.1.1.1 to 225.1.1.5, and set the multicast group bandwidth to 2048 kbit/s.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] igmp-snooping group-bandwidth start-group-address 225.1.1.1 end-group-address 225.1.1.5 bandwidth 2048
[AC-wlan-ap-system-prof-wlan-system] quit
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
Run the display wlan igmp-snooping vap-cac ap-id 0 command on the AC. When the
difference between the CurBw and MaxBw values is smaller than the configured bandwidth
of a multicast group, new users cannot join the multicast group.
[AC-wlan-view] display wlan igmp-snooping vap-cac ap-id 0
Info: This operation may take a few seconds, please wait.done.
Rf : Radio ID WID : WLAN ID
CurBw : Current bandwidth(kbps) MaxBw : Max bandwidth(kbps)
CurUser : Current user number MaxUser : Max user number
BwUtilization : Bandwidth utilization UserUtilization : User utilization
--------------------------------------------------------------------------------
Rf WID CurBw/MaxBw BwUtilization CurUser/MaxUser UserUtilization
--------------------------------------------------------------------------------
0 1 0/40960 0% 0/0 0%
1 1 0/40960 0% 0/0 0%
--------------------------------------------------------------------------------
Total: 2
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
traffic-profile name wlan-traffic
igmp-snooping enable
igmp-snooping max-bandwidth 40960
traffic-optimize multicast-unicast enable
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
traffic-profile wlan-traffic
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-system-profile name wlan-system
igmp-snooping group-bandwidth start-group-address 225.1.1.1 end-group-address 225.1.1.5 bandwidth 2048
ap-group name ap-group1
ap-system-profile wlan-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
Networking Requirements
l AC networking mode: Layer 2 networking in inline mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: tunnel forwarding
Figure 4-76 Networking for configuring CAC based on the number of multicast group
memberships
Data Planning
Item                      Data
IP address pool for APs   10.23.100.2-10.23.100.254/24
IP address pool for STAs  10.23.101.2-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure multicast-to-unicast conversion to convert multicast packets into unicast
packets to improve the efficiency of multicast data transmission.
3. Configure CAC based on the number of multicast group memberships to control the
access of multicast users.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
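Two of the rules in the Configuration Notes above (and in the identical notes of the bandwidth-based CAC example earlier on this page) can be checked mechanically against configuration files in the format shown under Configuration Files: in tunnel forwarding mode the service VLAN of a VAP profile must not equal the management VLAN, and interfaces connected to APs need port isolation. The following Python script is an added example, not part of the Huawei document; it parses a constructed configuration text modelled on the page's AC and switch files and reports violations of those two rules. It assumes that the management VLAN is the VLAN of the VLANIF named in `capwap source interface`, that a trunk port whose PVID is the management VLAN is an AP-facing port (as the page's switch configuration sets it), and that a VAP profile without an explicit `forward-mode tunnel` line is not subject to the VLAN rule. The second VAP profile and the second switch port in the sample are constructed to trip the checks.

```python
import re

# Constructed sample modelled on the AC configuration file on this page
# (tunnel forwarding, management VLAN 100, service VLAN 101), plus a second
# VAP profile that breaks the note's rule.
AC_CONFIG = """\
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
capwap source interface vlanif100
#
wlan
 traffic-profile name wlan-traffic
  igmp-snooping enable
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  traffic-profile wlan-traffic
 vap-profile name guest-bad
  forward-mode tunnel
  service-vlan vlan-id 100
#
return
"""

# Constructed sample modelled on the page's switch configuration file; GE0/0/2
# is given the management PVID but no port isolation so there is something to flag.
SWITCH_CONFIG = """\
#
sysname Switch
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
return
"""

# Lines that open a configuration context in the file format shown on this page.
CONTEXT_RE = re.compile(r"^(interface \S+|\S+-profile name \S+|ap-group name \S+|ap-id \d+)")


def parse_config(text):
    """Group configuration lines under the context line that introduces them.

    Top-level lines (sysname, vlan batch, capwap source ...) are stored under
    the key None. Indentation is ignored because the page's copies have lost it.
    """
    sections = {None: []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return", "wlan"):
            current = None          # '#' ends a block in a Huawei configuration file
            continue
        if CONTEXT_RE.match(line):
            current = line
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def management_vlan(sections):
    """Management VLAN = the VLANIF named by 'capwap source interface' (assumption)."""
    for line in sections[None]:
        m = re.match(r"capwap source interface vlanif(\d+)$", line)
        if m:
            return int(m.group(1))
    return None


def audit_ac(text):
    """Flag VAP profiles that use tunnel forwarding with service VLAN == management VLAN."""
    sections = parse_config(text)
    mgmt = management_vlan(sections)
    findings = []
    for ctx, lines in sections.items():
        if not ctx or not ctx.startswith("vap-profile name "):
            continue
        name = ctx.split()[-1]
        mode = next((l.split()[-1] for l in lines if l.startswith("forward-mode ")), None)
        svc = next((int(l.split()[-1]) for l in lines if l.startswith("service-vlan vlan-id ")), None)
        if mode == "tunnel" and mgmt is not None and svc == mgmt:
            findings.append(f"{name}: tunnel forwarding with service VLAN {svc} "
                            f"equal to management VLAN {mgmt}")
    return findings


def audit_switch(text, mgmt_vlan):
    """Flag AP-facing trunk ports (PVID = management VLAN) that lack port isolation."""
    findings = []
    for ctx, lines in parse_config(text).items():
        if not ctx or not ctx.startswith("interface GigabitEthernet"):
            continue
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in lines
        isolated = any(l.startswith("port-isolate enable") for l in lines)
        if ap_facing and not isolated:
            findings.append(f"{ctx.split()[1]}: AP-facing port without port-isolate enable")
    return findings


if __name__ == "__main__":
    for finding in audit_ac(AC_CONFIG) + audit_switch(SWITCH_CONFIG, 100):
        print(finding)
```

Feed the script the text saved from display current-configuration on the AC and on the access switch; every line it prints is a deviation from the notes to review before the WLAN goes into service.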
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
Run the display wlan igmp-snooping vap-cac ap-id 0 command on the AC. When the
CurUser value is equal to the MaxUser value, new users cannot join the multicast group.
[AC-wlan-view] display wlan igmp-snooping vap-cac ap-id 0
Info: This operation may take a few seconds, please wait.done.
Rf : Radio ID WID : WLAN ID
CurBw : Current bandwidth(kbps) MaxBw : Max bandwidth(kbps)
CurUser : Current user number MaxUser : Max user number
BwUtilization : Bandwidth utilization UserUtilization : User utilization
--------------------------------------------------------------------------------
Rf WID CurBw/MaxBw BwUtilization CurUser/MaxUser UserUtilization
--------------------------------------------------------------------------------
0 1 0/0 0% 0/20 0%
1 1 0/0 0% 0/20 0%
--------------------------------------------------------------------------------
Total: 2
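The admission rules stated at the two verification steps on this page, bandwidth-based CAC in the previous example (a join is refused when MaxBw minus CurBw is smaller than the group's configured bandwidth) and membership-count CAC here (a join is refused once CurUser reaches MaxUser), can be modelled directly. The following Python script is an added example, not part of the Huawei document: it parses the data rows of the display wlan igmp-snooping vap-cac output shown on this page, applies the page's values (group bandwidth 2048 kbit/s for 225.1.1.1 to 225.1.1.5, max-bandwidth 40960 kbit/s, max-user 20) and simulates joins until CAC starts rejecting them. It assumes that a MaxBw or MaxUser value of 0 in the output means no limit is configured, that each admitted membership adds the group's configured bandwidth to CurBw (per-STA delivery, consistent with multicast-to-unicast conversion being enabled), and that groups outside the configured range consume no accounted bandwidth; the STA MAC addresses are constructed.

```python
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# Data rows of the 'display wlan igmp-snooping vap-cac ap-id 0' output shown on
# this page for the bandwidth-based example (max-bandwidth 40960 kbit/s, no
# user limit configured).
VAP_CAC_OUTPUT = """\
Rf WID CurBw/MaxBw BwUtilization CurUser/MaxUser UserUtilization
--------------------------------------------------------------------------------
0 1 0/40960 0% 0/0 0%
1 1 0/40960 0% 0/0 0%
--------------------------------------------------------------------------------
Total: 2
"""

# Group bandwidth table from the page's AP system profile:
# igmp-snooping group-bandwidth start-group-address 225.1.1.1
#   end-group-address 225.1.1.5 bandwidth 2048
GROUP_BANDWIDTH = [(IPv4Address("225.1.1.1"), IPv4Address("225.1.1.5"), 2048)]

# Rf WID CurBw/MaxBw BwUtil% CurUser/MaxUser UserUtil%
ROW_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)/(\d+)\s+\d+%\s+(\d+)/(\d+)\s+\d+%$")


@dataclass
class VapCac:
    radio: int
    wlan: int
    cur_bw: int          # kbit/s currently admitted
    max_bw: int          # 0 = no bandwidth limit configured (assumption: matches the 0/0 display)
    cur_user: int        # admitted memberships
    max_user: int        # 0 = no user limit configured (assumption)
    members: set = field(default_factory=set)


def parse_vap_cac(output):
    """Parse the data rows of 'display wlan igmp-snooping vap-cac' into VapCac objects."""
    vaps = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            radio, wlan, cur_bw, max_bw, cur_user, max_user = (int(x) for x in m.groups())
            vaps.append(VapCac(radio, wlan, cur_bw, max_bw, cur_user, max_user))
    return vaps


def group_bandwidth(group):
    """Configured bandwidth (kbit/s) for a group; 0 if it lies outside every range (assumption)."""
    addr = IPv4Address(group)
    for start, end, bandwidth in GROUP_BANDWIDTH:
        if start <= addr <= end:
            return bandwidth
    return 0


def try_join(vap, sta_mac, group):
    """Apply the two CAC rules from the page to one join; returns (admitted, reason).

    Each admitted membership adds the group's configured bandwidth to CurBw,
    matching per-STA delivery under multicast-to-unicast conversion (assumption).
    """
    if (sta_mac, group) in vap.members:
        return True, "already a member"
    need = group_bandwidth(group)
    # Bandwidth-based CAC: refuse when MaxBw - CurBw is smaller than the group's bandwidth.
    if vap.max_bw and vap.max_bw - vap.cur_bw < need:
        return False, f"bandwidth CAC: {vap.cur_bw}/{vap.max_bw} kbit/s leaves less than {need}"
    # Membership-count CAC: refuse when CurUser has reached MaxUser.
    if vap.max_user and vap.cur_user >= vap.max_user:
        return False, f"user CAC: {vap.cur_user}/{vap.max_user} memberships"
    vap.members.add((sta_mac, group))
    vap.cur_bw += need
    vap.cur_user += 1
    return True, "admitted"


def simulate(vap, joins):
    """Feed (sta_mac, group) joins through try_join; returns how many were admitted."""
    return sum(1 for sta_mac, group in joins if try_join(vap, sta_mac, group)[0])


if __name__ == "__main__":
    # Constructed STA MAC addresses, 25 of them, all joining 225.1.1.1 on radio 0.
    joins = [(f"00e0-fc00-{i:04x}", "225.1.1.1") for i in range(25)]
    bw_vap = parse_vap_cac(VAP_CAC_OUTPUT)[0]
    print("bandwidth CAC admitted:", simulate(bw_vap, joins), "of", len(joins))   # 20 of 25
    # The membership-count example on this page: 0/0 bandwidth, 0/20 users.
    user_vap = VapCac(radio=0, wlan=1, cur_bw=0, max_bw=0, cur_user=0, max_user=20)
    print("user CAC admitted:", simulate(user_vap, joins), "of", len(joins))       # 20 of 25
```

With the page's values both limits happen to admit exactly 20 memberships per VAP (40960 / 2048 = 20), which is why the two CurBw/MaxBw and CurUser/MaxUser displays are worth reading together: when both features are configured, whichever limit is reached first refuses the join.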
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
traffic-profile name wlan-traffic
igmp-snooping enable
igmp-snooping max-user 20
traffic-optimize multicast-unicast enable
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
traffic-profile wlan-traffic
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: direct forwarding
Data Planning
Item                                         Data
IP address pool for APs                      10.23.100.2-10.23.100.254/24
IP address pool for STAs                     10.23.101.3-10.23.101.254/24
IP address of the network management server  10.23.1.1
Read-only community name                     public123
Read-write community name                    private123
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure SNMP.
– Set the SNMP version on the AC to SNMPv2c.
– Configure access rights so that the network management server can manage
network devices.
The SNMP version running on the network management server must be consistent with that configured on
the AC.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
# Create the MIB view public_view: include the internet subtree and exclude the private subtree.
[AC] snmp-agent mib-view public_view include internet
[AC] snmp-agent mib-view public_view exclude private
# Create the MIB view private_view and include the mgmt subtree. The view name must be exactly the
name that the read-write community references below; a community bound to a view that does not
exist gives the management server no usable access.
[AC] snmp-agent mib-view private_view include mgmt
# Create the read-only community public123 bound to public_view, and the read-write community
private123 bound to private_view.
[AC] snmp-agent community read public123 mib-view public_view
[AC] snmp-agent community write private123 mib-view private_view
NOTE
The read-only and read-write community names must be the same as those configured on the network
management server. With SNMPv2c the community name is the only credential and is carried in clear
text, so treat the read-write community as a device password: bind it to a view no wider than the
management server needs, and prefer SNMPv3 with authentication and privacy where the server supports it.
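The include and exclude rules above are evaluated by OID prefix: an object is visible through a view when the most specific subtree that contains it is an include rule. The following Python is an added illustration, not part of Huawei's documentation or software. It models the two views of this example, uses a constructed lookup of the well-known subtree names, and assumes the device applies the usual longest-match rule of RFC 3415 view tree families to overlapping subtrees.

```python
"""Which OIDs does a MIB view expose? Added example for this document, not Huawei
code. A view is the ordered list of include/exclude subtrees from its snmp-agent
mib-view commands; an OID is visible when the most specific subtree containing it
is an include rule (RFC 3415 longest-match rule, assumed to be what the AC applies)."""

# Constructed lookup of the well-known subtree names used by the commands.
SUBTREES = {"iso": "1", "internet": "1.3.6.1", "mgmt": "1.3.6.1.2",
            "private": "1.3.6.1.4", "enterprises": "1.3.6.1.4.1"}

# The two views created in this example, in the order the commands were entered.
VIEWS = {
    "public_view": [("include", "internet"), ("exclude", "private")],
    "private_view": [("include", "mgmt")],
}


def oid_parts(name_or_oid):
    """Resolve a subtree name (or a dotted OID) to its list of sub-identifiers."""
    return SUBTREES.get(name_or_oid, name_or_oid).split(".")


def view_allows(rules, oid):
    """True if the OID is visible through the view described by rules."""
    target, best_action, best_depth = oid.split("."), None, -1
    for action, subtree in rules:
        prefix = oid_parts(subtree)
        if target[:len(prefix)] == prefix and len(prefix) > best_depth:
            best_action, best_depth = action, len(prefix)   # deeper prefix wins
    return best_action == "include"


def community_reach(view_name, oids):
    """Filter a list of OIDs down to those a community bound to view_name can see."""
    return [oid for oid in oids if view_allows(VIEWS[view_name], oid)]
```

With these views the read-write community private123 can set standard objects under mgmt (for example ifAdminStatus) but cannot reach the enterprise subtree under private, which is where Huawei's vendor MIBs live; the read-only community sees everything under internet except that private subtree.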
# Configure the target host for trap messages. Set the protocol version to SNMPv2c, the security name
(the community name carried in traps) to trap, the target host name to NetCenter, and the target host IP
address to 10.23.1.1.
[AC] snmp-agent target-host trap-paramsname NetCenter v2c securityname trap
[AC] snmp-agent target-host trap-hostname NetCenter address 10.23.1.1 udp-port 162 trap-paramsname NetCenter
Total number is 1
# If the online state of the AP is displayed on the network management server, the
configuration has taken effect.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
l Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
snmp-agent local-engineid 800007DB03DCD2FCF9B5CA
snmp-agent community read %^%#&c{~@`7"T1LM>_VKF}SQAB[B*cK_-!A)3ZW!l^=L4[|8Aa!NJNJOI<UdLWv,b8]NSoUFd2Vg\n)$\*wC%^%# mib-view public_view
snmp-agent community write %^%#@=;PMXwdY=FN;)XZvMWPS|<II8n%:R!FNAFnv{IKt4rR>6e.=<ZB["=N>yq;Hq.p:i<-E!-[1PS{i<'Q%^%# mib-view private_view
snmp-agent sys-info version v2c
snmp-agent target-host trap-hostname NetCenter address 10.23.1.1 udp-port 162 trap-paramsname NetCenter
snmp-agent target-host trap-paramsname NetCenter v2c securityname %^%##E9e5qFq#7{N#(<FX;(;@-ZuXCzh(W.oc_%Yk}G6%^%#
snmp-agent mib-view private_view include mgmt
snmp-agent mib-view public_view include internet
snmp-agent mib-view public_view exclude private
snmp-agent
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
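Reviewing a configuration file like the one above by eye is where a community bound to a view that was never created, or a read-write community left on SNMPv2c, slips through. The following Python audit is an added illustration, not part of Huawei's documentation or software. It parses configuration text in the format of these configuration files and reports the SNMP and WLAN settings a security reviewer would question. The embedded sample is a trimmed copy of the AC configuration above with the cipher-text strings replaced by a placeholder; the regular expressions and finding texts are this example's own.

```python
"""Audit a Huawei AC configuration file for weak SNMP and WLAN settings.
Added example, not Huawei code: it reads configuration text in the format of the
configuration files in this document and reports what a reviewer would question."""
import re

# Constructed sample: a trimmed copy of the AC configuration file above, with the
# cipher-text strings replaced by <cipher>. The read-write community references
# private_view while the view that was actually created is named private.
SAMPLE_CONFIG = """\
sysname AC
snmp-agent local-engineid 800007DB03DCD2FCF9B5CA
snmp-agent community read <cipher> mib-view public_view
snmp-agent community write <cipher> mib-view private_view
snmp-agent sys-info version v2c
snmp-agent target-host trap-hostname NetCenter address 10.23.1.1 udp-port 162 trap-paramsname NetCenter
snmp-agent target-host trap-paramsname NetCenter v2c securityname <cipher>
snmp-agent mib-view private include mgmt
snmp-agent mib-view public_view include internet
snmp-agent mib-view public_view exclude private
snmp-agent
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase <cipher> aes
"""

MIB_VIEW = re.compile(r"^snmp-agent mib-view (\S+) (?:include|exclude) \S+")
COMMUNITY = re.compile(r"^snmp-agent community (read|write) .+ mib-view (\S+)")
SNMP_VERSION = re.compile(r"^snmp-agent sys-info version (.+)$")
TRAP_PARAMS = re.compile(r"^snmp-agent target-host trap-paramsname (\S+) (v1|v2c|v3)\b")
SECURITY_PROFILE = re.compile(r"^security-profile name (\S+)")
PSK_POLICY = re.compile(r"^security (?:wpa|wpa2|wpa-wpa2) psk\b")


def parse(config_text):
    """Collect the facts the audit needs from one configuration file."""
    facts = {"views": set(), "communities": [], "versions": set(),
             "trap_versions": {}, "psk_profiles": []}
    profile = None
    for raw in config_text.splitlines():
        line = raw.strip()   # indentation only marks the wlan sub-views
        if m := MIB_VIEW.match(line):
            facts["views"].add(m.group(1))
        elif m := COMMUNITY.match(line):
            facts["communities"].append((m.group(1), m.group(2)))
        elif m := SNMP_VERSION.match(line):
            facts["versions"].update(m.group(1).split())
        elif m := TRAP_PARAMS.match(line):
            facts["trap_versions"][m.group(1)] = m.group(2)
        elif m := SECURITY_PROFILE.match(line):
            profile = m.group(1)
        elif PSK_POLICY.match(line) and profile:
            facts["psk_profiles"].append(profile)
    return facts


def audit(config_text):
    """Return the list of findings; an empty list means nothing was flagged."""
    f = parse(config_text)
    findings = []
    cleartext = f["versions"] & {"v1", "v2c", "all"}   # "all" enables v1, v2c and v3
    for mode, view in f["communities"]:
        if view not in f["views"]:
            findings.append(f"{mode} community references undefined MIB view {view} "
                            f"(defined: {', '.join(sorted(f['views'])) or 'none'})")
        if mode == "write" and cleartext:
            findings.append("read-write community with SNMP " + "/".join(sorted(cleartext))
                            + ": the community string travels in clear text; prefer SNMPv3 authPriv")
    for host, version in f["trap_versions"].items():
        if version != "v3":
            findings.append(f"trap target {host} uses SNMP{version}")
    for name in f["psk_profiles"]:
        findings.append(f"security profile {name} relies on a pre-shared key known to every STA")
    return findings
```

Run audit() over the output of display current-configuration saved to a file; the undefined-view finding is the kind of mistake that only shows up as a management server that cannot write anything, long after the change window.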
Networking Requirements
l AC networking mode: Layer 2 networking in inline mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: tunnel forwarding
Data Planning
Item                        Data
IP address pool for APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.2-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure global parameters for obtaining packets, including the maximum length,
saving mode, upload mode, and server.
3. Configure a packet filtering rule.
4. Enable the wireless packet obtaining function.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.
# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit
Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC              Name     Group       IP              Type       State   STA   Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360   area_1   ap-group1   10.23.100.254   AP5030DN   nor     0     10S
-------------------------------------------------------------------------------------
Total: 1
# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, set the data forwarding mode to tunnel forwarding and the service VLAN
to VLAN 101, and apply the security profile and SSID profile to the VAP profile (the configuration file
at the end of this example shows the resulting profile).
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
----End
Configuration Files
l Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
802.1x authentication is more secure than MAC address authentication and Portal authentication, but it
requires 802.1x client software on every user terminal, which reduces networking flexibility. MAC
address authentication needs no client software, but every terminal's MAC address must be registered on
the authentication server, which makes configuration and management complex. Portal authentication
needs no client software either and can be deployed flexibly, but it offers weaker security. 802.1x
authentication is therefore suited to networks where users are densely distributed and strong
information security is required.
When the AC is interconnected with the Cisco ISE, three authentication methods, that is,
Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.
For details about how to configure 802.1x authentication on the AC, see Configure 802.1x
authentication on the AC.
For details about how to configure the authentication on the Cisco ISE server, see Configure
the Cisco ISE.
Product Version
Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1x+AES
Figure: networking for 802.1x authentication. Router GE0/0/1 connects to SwitchB GE0/0/4 and on to the
Internet; the RADIUS server (10.23.103.1:1812) connects to SwitchB GE0/0/3; the AC GE0/0/1 connects to
SwitchB GE0/0/2; SwitchB GE0/0/1 connects to SwitchA GE0/0/2; SwitchA GE0/0/1 connects to the AP, which
serves the STAs.
Management VLAN: VLAN 100
Service VLAN: VLAN 101
Data Planning
Item         Data
Department   R&D
Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure WLAN service parameters.
5. Configure 802.1x authentication on the AC.
6. Configure the Cisco ISE server.
Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC              Name     Group       IP              Type       State   STA   Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360   area_1   ap-group1   10.23.100.254   AP5030DN   nor     0     10S
-------------------------------------------------------------------------------------
Total: 1
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Choose Administration > Identity Management > Identities > Users. In the pane on
the right side, click Add to create the account with the user name of huawei and
password of huawei123. Add the account to department R&D. Then, click Submit.
3. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the left side, click Add and create a device profile named Huawei. Then, click
Submit.
# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.
# Select Allow CHAP, Allow MS-CHAPv2, and Allow PEAP. For other parameters,
use the default settings. Click Save.
NOTE
The Cisco ISE disables CHAP by default. Select Allow CHAP on the server so that the test-aaa check on
the AC, which uses CHAP, can be carried out.
Step 7 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.
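test-aaa exercises the same RADIUS exchange that a real user authentication uses: the AC sends an Access-Request carrying either a hidden User-Password (PAP) or a CHAP-Password computed over a challenge, and accepts the reply only if its Response Authenticator was computed with the shared key. The following Python is an added illustration, not Huawei or Cisco code. It implements both sides of that exchange in-process from RFC 2865, using the user name, password, shared key and AC address of this example and a constructed user store in place of the ISE; no packets are sent, and the EAP/PEAP carriage used by the Windows clients below is not modelled.

```python
"""RADIUS PAP and CHAP exchange (RFC 2865) in the shape of the AC's test-aaa check.
Added example, not Huawei or Cisco code: client and server run in-process, no packets sent."""
import hashlib
import ipaddress
import secrets
import struct

SHARED_SECRET = b"huawei@123"       # RADIUS shared key configured on the AC and the ISE
NAS_IP = "10.23.102.2"              # the AC address registered on the ISE
USERS = {b"huawei": b"huawei123"}   # constructed user store standing in for the ISE account
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 2, 3, 4
REPLY_MESSAGE, CHAP_CHALLENGE = 18, 60

def encode_attrs(attrs):
    """Encode [(type, value)] as RADIUS type-length-value attributes."""
    return b"".join(bytes((t, len(v) + 2)) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs

def hide_password(password, secret, authenticator):
    """User-Password hiding (RFC 2865 5.2): XOR 16-byte blocks with an MD5 key stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the server needs the same shared key to recover the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_password(ident, password, challenge):
    """CHAP-Password (RFC 2865 5.3): CHAP ident, then MD5(ident | password | challenge)."""
    return bytes((ident,)) + hashlib.md5(bytes((ident,)) + password + challenge).digest()

def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    return code, ident, data[4:20], data[20:length]

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def access_request(username, password, method, secret=SHARED_SECRET, ident=1):
    """What the AC sends: PAP hides the password, CHAP proves it against a challenge."""
    request_auth = secrets.token_bytes(16)
    attrs = [(USER_NAME, username), (NAS_IP_ADDRESS, ipaddress.ip_address(NAS_IP).packed)]
    if method == "pap":
        attrs.append((USER_PASSWORD, hide_password(password, secret, request_auth)))
    else:
        challenge = secrets.token_bytes(16)
        attrs += [(CHAP_CHALLENGE, challenge), (CHAP_PASSWORD, chap_password(ident, password, challenge))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, encode_attrs(attrs))

def server_respond(request, secret=SHARED_SECRET, users=USERS):
    """RADIUS server side: verify the credential, then sign the reply with the shared key."""
    code, ident, request_auth, raw = parse_packet(request)
    attrs = decode_attrs(raw)
    expected, ok = users.get(attrs.get(USER_NAME)), False
    if expected is not None and USER_PASSWORD in attrs:
        ok = reveal_password(attrs[USER_PASSWORD], secret, request_auth) == expected
    elif expected is not None and CHAP_PASSWORD in attrs:
        challenge = attrs.get(CHAP_CHALLENGE, request_auth)   # RFC 2865: fall back to the authenticator
        ok = attrs[CHAP_PASSWORD] == chap_password(attrs[CHAP_PASSWORD][0], expected, challenge)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply = encode_attrs([(REPLY_MESSAGE, b"Account test succeed" if ok else b"Account test failed")])
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, reply, secret), reply)

def check_account(username, password, method="pap", server_secret=SHARED_SECRET):
    """One test-aaa style round trip; returns "accept", "reject" or "bad-authenticator"."""
    request = access_request(username, password, method)
    response = server_respond(request, secret=server_secret)
    _, _, request_auth, _ = parse_packet(request)
    code, ident, resp_auth, raw = parse_packet(response)
    if resp_auth != response_authenticator(code, ident, request_auth, raw, SHARED_SECRET):
        return "bad-authenticator"   # a real NAS silently drops a reply it cannot verify
    return "accept" if code == ACCESS_ACCEPT else "reject"
```

With a mismatched shared key a PAP request decodes to garbage on the server and is rejected, while a CHAP request is accepted by the server (CHAP does not use the key) but the reply fails authenticator verification on the AC. Either way the test fails, which is why the configuration notes insist that the AC and the server share the same key.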
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. Click OK. On the Wireless Network Properties page, click Advanced
settings. On the Advanced settings page that is displayed, select Specify
authentication mode, set the identity authentication mode to User
authentication, and click OK.
NOTE
Deselecting Validate server certificate is acceptable only for this lab test. On a production network, keep
server certificate validation enabled and trust only the CA that issued the RADIUS server certificate: a
PEAP client that does not validate the server certificate runs the inner MS-CHAPv2 exchange with any
access point that advertises SSID wlan-net, handing the user's credential hash to a rogue AP.
l After wireless users connect to the network, run the display access-user access-type
dot1x command on the AC to view users in 802.1x authentication mode. The user
huawei has gone online successfully.
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
UserID   Username   IP address      MAC              Status
------------------------------------------------------------------------------
460      huawei     10.23.101.254   8000-6e74-e78a   Success
------------------------------------------------------------------------------
Total: 1, printed: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
dot1x-access-profile name wlan-net
#
return
MAC address authentication is applicable to dumb terminals such as printers and fax machines.
For details about how to configure MAC address authentication on the AC, see Configure
MAC address authentication on the AC.
For details about how to configure MAC address authentication on the Cisco ISE server, see
Configure the Cisco ISE.
Service Requirements
MAC address authentication is used to authenticate dumb terminals such as wireless network printers and
wireless phones on which an authentication client cannot be installed. Because a MAC address can be
cloned by any STA that observes it, this method identifies the device rather than authenticating it
strongly; keep such terminals in a service VLAN with only the access they need.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: open system authentication at the link layer, with MAC address
authentication of STAs against the RADIUS server
Figure: networking for MAC address authentication. Router GE0/0/1 connects to SwitchB GE0/0/4 and on
to the Internet; the RADIUS server (10.23.103.1:1812) connects to SwitchB GE0/0/3; the AC GE0/0/1
connects to SwitchB GE0/0/2; SwitchB GE0/0/1 connects to SwitchA GE0/0/2; SwitchA GE0/0/1 connects to
the AP, which serves the STAs.
Data Planning
Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure basic WLAN services.
5. Configure MAC address authentication on the AC.
6. Configure the Cisco ISE server.
Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA
Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
3. Create the authentication profile wlan-net and bind it to the MAC access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
2. Add STAs.
# Choose Administration > Identity Management > Identities > EndPoints. In the
pane on the right side, click Add. On the page that is displayed, set MAC Address and
click Save.
3. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the left side, click Add and create a device profile named Huawei. Then, click
Submit.
# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.
# Select Allow CHAP, Allow MS-CHAPv2, and Allow PEAP. For other parameters,
use the default settings. Click Save.
NOTE
By default, the Cisco ISE disables the CHAP authentication protocol. You need to select the CHAP
authentication protocol on the server so that the CHAP protocol can be used to carry out the test-aaa test
on the AC.
Step 7 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
l Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name wlan-net
mac-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
radius-attribute set Service-Type 10 auth-type mac
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
mac-access-profile name wlan-net
#
return
Service Requirements
Network access rights are controlled based on user roles when users access the WLAN
through 802.1x authentication.
A large number of employees use wireless terminals to access an enterprise network. To
ensure network security, the administrator needs to control network access rights of terminals.
After successful authentication, terminals can access the service server (with IP address
10.23.105.1) and devices in the laboratory (with VLAN ID 20 and IP address segment
10.23.20.2-10.23.20.100).
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to allocate IP addresses to APs.
– SwitchB functions as a DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1x+AES
Figure 4-81 Networking for configuring user authorization based on ACL numbers or
dynamic VLANs
Data Planning (table): Department R&D
Configuration Roadmap
1. Configure network interworking.
2. Configure basic WLAN services.
3. Configure the parameters for interconnecting the AC and RADIUS server and network
access rights after successful authentication.
4. Configure the Cisco ISE server.
– Add users.
– Add the AC.
– Configure the password authentication protocol.
– Configure authentication policies.
– Configure authorization policies.
Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key.
l If a terminal obtains an IP address using DHCP, you need to manually trigger the DHCP
process to request an IP address after VLAN-based authorization is successful or the
authorization VLAN changes.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/3 on SwitchA (access switch) to VLAN 20, VLAN 100 and VLAN 101,
and GE0/0/2 to VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 20 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/3] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 20, VLAN 100 and VLAN 101,
GE0/0/2 to VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, GE0/0/4 to VLAN 104, and
GE0/0/5 to VLAN 105.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 20 100 to 105
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface gigabitethernet 0/0/5
[SwitchB-GigabitEthernet0/0/5] port link-type trunk
[SwitchB-GigabitEthernet0/0/5] port trunk pvid vlan 105
[SwitchB-GigabitEthernet0/0/5] port trunk allow-pass vlan 105
[SwitchB-GigabitEthernet0/0/5] quit
# Create VLANIF interfaces VLANIF 102, VLANIF 103, VLANIF 104 and VLANIF 105 on
SwitchB and configure a default route with the next hop of the address of Router.
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] interface vlanif 105
[SwitchB-Vlanif105] ip address 10.23.105.2 24
[SwitchB-Vlanif105] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# On the AC, add GE0/0/1 connected to SwitchB to VLAN 100 and VLAN 102, create
VLANIF 102, and configure the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA
Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit
3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
Step 6 Configure the authorization parameter ACL 3002 for users who pass authentication.
[AC] acl 3002
[AC-acl-adv-3002] rule 1 permit ip destination 10.23.105.1 0
[AC-acl-adv-3002] rule 2 deny ip destination any
[AC-acl-adv-3002] quit
# Choose Administration > Identity Management > Identities > Users. In the pane on
the right side, click Add to create the account with the user name of huawei and
password of huawei123. Add the account to department R&D. Then, click Submit.
3. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the left side, click Add and create a device profile named Huawei. Then, click
Submit.
# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.
# Select Allow CHAP, Allow MS-CHAPv2, and Allow PEAP. For other parameters,
use the default settings. Click Save.
NOTE
By default, the Cisco ISE disables the CHAP authentication protocol. You need to select the CHAP
authentication protocol on the server so that the CHAP protocol can be used to carry out the test-aaa test
on the AC.
# Choose Policy > Policy Elements > Results > Authorization > Authorization
Profiles. In the pane on the right side, click Add. Enter the name, set the delivery
attribute to Radius:Filter-ID, and enter the ACL number 3002.
# Click Submit to complete the configuration and return to the Authorization Profiles
page.
# In the pane on the right side, click Add, enter the name, and configure the following
delivery attributes.
– Radius:Tunnel-Type: VLAN
– Radius:Tunnel-Medium-Type: 802
– Radius:Tunnel-Private-Group-ID: 20
# Choose Policy > Authorization. In the pane on the right side, click the triangle next to
Edit. Choose Insert New Rule Above to add a new authorization rule named
ACL_VLAN. Set the authorized user group to R&D and select PermitAccess,
ACL_3002, and VLAN_20 under Permissions.
# Click Done on the right side. Then click Save to complete the authorization rule
configuration.
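The following script is an added example and is not part of this manual or of the Huawei or Cisco software. It builds, with the Python standard library only, the RADIUS packets behind the configuration above so that the attribute delivery and the shared-key check can be inspected offline: the CHAP Access-Request that test-aaa huawei huawei123 sends (the reason the CHAP protocol must be enabled on the ISE), the Access-Accept that carries Filter-ID 3002 together with the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes for VLAN 20, and the Response Authenticator that the AC verifies with the shared key huawei@123 (RFC 2865 section 3), which is why the AC and the ISE must hold the same key. The packet identifier 7, the fixed Request Authenticator and CHAP challenge bytes, and the NAS-IP-Address 10.23.102.2 (the AC's VLANIF 102 address) are assumptions made for the example; Message-Authenticator (RFC 2869) is not included.

```python
"""Added example, not from the manual: the RADIUS packets behind the ISE setup,
standard library only. Builds the CHAP Access-Request that test-aaa sends, the
Access-Accept carrying Filter-Id 3002 plus the VLAN 20 Tunnel-* attributes, and
checks the Response Authenticator with the shared key (RFC 2865 section 3).
Assumed/constructed: identifier 7, fixed Request Authenticator and CHAP challenge
(random in a real NAS), NAS-IP-Address 10.23.102.2. Message-Authenticator omitted.
"""
import hashlib
import hmac
import struct

SHARED_KEY = b"huawei@123"  # must be identical on the AC and the ISE

# RFC 2865 codes and attribute types; RFC 2868 tunnel attributes
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, FILTER_ID, CHAP_CHALLENGE = 1, 3, 4, 11, 60
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def avp(attr_type, value):
    """Attribute TLV: Type (1 byte), Length (1 byte, header included), Value (1..253 bytes)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def tagged(tag, value):
    """RFC 2868 tagged value: tag byte, then a 3-byte integer or the string as-is."""
    body = struct.pack("!I", value)[1:] if isinstance(value, int) else value
    return struct.pack("!B", tag) + body

def packet(code, ident, authenticator, attrs):
    """Header: Code, Identifier, Length of the whole packet, 16-byte Authenticator."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def chap_password(chap_id, password, challenge):
    """CHAP-Password value: CHAP ident || MD5(ident || password || challenge) (RFC 1994)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()

def build_chap_access_request(ident, user, password, challenge, request_auth, nas_ip):
    """The Access-Request the AC sends to 10.23.103.1:1812 for a CHAP test-aaa."""
    attrs = (avp(USER_NAME, user)
             + avp(CHAP_PASSWORD, chap_password(1, password, challenge))
             + avp(CHAP_CHALLENGE, challenge)
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_accept(ident, request_auth, acl_number, vlan_id, secret):
    """What the ISE authorization profiles ACL_3002 and VLAN_20 put on the wire."""
    attrs = (avp(FILTER_ID, acl_number.encode())
             + avp(TUNNEL_TYPE, tagged(1, TUNNEL_TYPE_VLAN))
             + avp(TUNNEL_MEDIUM_TYPE, tagged(1, TUNNEL_MEDIUM_IEEE802))
             + avp(TUNNEL_PRIVATE_GROUP_ID, tagged(1, vlan_id.encode())))
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return packet(ACCESS_ACCEPT, ident, auth, attrs)

def verify_response(response, request_auth, secret):
    """NAS-side check; a reply whose authenticator fails under our key is silently dropped."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, request_auth, response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])

def parse_attributes(response):
    """Decode attribute TLVs into {type: [value, ...]}, rejecting malformed lengths."""
    out, buf = {}, response[20:]
    while buf:
        if len(buf) < 2 or buf[1] < 2 or buf[1] > len(buf):
            raise ValueError("malformed attribute")
        out.setdefault(buf[0], []).append(buf[2:buf[1]])
        buf = buf[buf[1]:]
    return out

def authorization_from_accept(response, request_auth, secret):
    """(acl_number, vlan_id) the AC would apply, or None if the reply does not verify."""
    if not verify_response(response, request_auth, secret):
        return None
    attrs = parse_attributes(response)
    acl = attrs[FILTER_ID][0].decode() if FILTER_ID in attrs else None
    # RFC 2868: tag byte 1 precedes the VLAN string, so strip it before use.
    vlan = attrs[TUNNEL_PRIVATE_GROUP_ID][0][1:].decode() if TUNNEL_PRIVATE_GROUP_ID in attrs else None
    return acl, vlan

if __name__ == "__main__":
    req_auth, challenge = bytes(range(16)), bytes(range(16, 32))  # constructed values
    req = build_chap_access_request(7, b"huawei", b"huawei123", challenge, req_auth, "10.23.102.2")
    acc = build_access_accept(7, req_auth, "3002", "20", SHARED_KEY)
    print("right key:", authorization_from_accept(acc, req_auth, SHARED_KEY))
    print("wrong key:", authorization_from_accept(acc, req_auth, b"Huawei@123"))
```

With matching keys the script decodes the authorization pair ('3002', '20'); with a key that differs on either side, verify_response fails and the reply is discarded as RFC 2865 requires, so a key mismatch shows up on the AC as a RADIUS timeout rather than an explicit reject. The attribute values themselves travel in clear text; the MD5 authenticator keyed with the shared secret is the only integrity protection on the path between the AC (VLAN 102) and the server (VLAN 103).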
Step 8 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 20 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 20 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 20 100 to 101
#
return
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface Vlanif105
ip address 10.23.105.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 105
port trunk allow-pass vlan 105
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
l Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#r2}aCaYC_5+]c@/eolcB+CNMD=m\g2HmQ1/!crRU%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
acl number 3002
rule 1 permit ip destination 10.23.105.1 0
rule 2 deny ip
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
dot1x-access-profile name wlan-net
#
return
A user group consists of users (terminals) with the same attributes such as the role and rights.
For example, you can divide users on a campus network into the R&D group, finance group,
marketing group, and guest group based on the enterprise department structure, and grant
different security policies to different departments.
When the AC is interconnected with the Cisco ISE, three authentication methods can be used
for 802.1x authentication: Password Authentication Protocol (PAP), Challenge Handshake
Authentication Protocol (CHAP), and Extensible Authentication Protocol (EAP). The
configurations for the three methods are similar. The following uses EAP as an example.
For details about how to configure user authorization based on user groups on the AC, see
Configure a user group.
For details about how to configure user authorization based on user groups on the Cisco ISE
server, see Configure the Cisco ISE.
Service Requirements
Different user groups are created to assign network access rights to different users when they
access the WLAN through 802.1x authentication. Furthermore, users' services are not affected
during roaming in the coverage area.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC and SwitchB function as DHCP servers to assign IP
addresses to APs and STAs, respectively.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1X+AES
Figure 4-82 Networking for configuring user authorization based on user groups
(Diagram: Internet - Router GE0/0/1 - SwitchB GE0/0/4; RADIUS server 10.23.103.1:1812 on SwitchB GE0/0/3; AC GE0/0/1 - SwitchB GE0/0/2; SwitchB GE0/0/1 - SwitchA GE0/0/2; SwitchA GE0/0/1 - AP - STAs. Management VLAN: VLAN 100; Service VLAN: VLAN 101.)
Data Plan (table): Department R&D
Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1x authentication and user authorization on the AC.
5. Configure the Cisco ISE server.
Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA
Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit
3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
NOTE
Configure the RADIUS server so that authenticated employees are authorized with the user group group1.
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip destination 10.23.200.0 0.0.0.255
[AC-acl-adv-3001] rule 2 deny ip destination any
[AC-acl-adv-3001] quit
[AC] user-group group1
[AC-user-group-group1] acl-id 3001
[AC-user-group-group1] quit
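The evaluator below is an added example and is not part of this manual: a Python script that parses the advanced ACL rules configured on the AC (ACL 3001 here and ACL 3002 in the preceding ACL/VLAN example) and reports which destinations a STA authorized with each ACL can reach. It implements the two points that matter when reading such an ACL: rules are tried in rule-number order and the first hit decides, and the second address field is a wildcard mask in which 1 bits mean "don't care", so "10.23.105.1 0" is a single host and "10.23.200.0 0.0.0.255" is a /24. Only the rule forms used in these examples are supported; the STA and destination addresses fed to it are constructed test values.

```python
"""Added example, not from the manual: evaluator for the Huawei-style advanced
ACL rules the AC applies after authorization (ACL 3002 and ACL 3001 in the text).
First matching rule wins; address fields use wildcard masks (1 = don't care).
Packet addresses used at the bottom are constructed test inputs.
"""
import ipaddress
import re
from dataclasses import dataclass

# Only the rule forms that appear in the manual: [source A W|any] [destination A W|any]
RULE_RE = re.compile(
    r"rule\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+source\s+(?:(?P<src_any>any)|(?P<src>\S+)\s+(?P<src_wc>\S+)))?"
    r"(?:\s+destination\s+(?:(?P<dst_any>any)|(?P<dst>\S+)\s+(?P<dst_wc>\S+)))?\s*$")

def match_spec(addr, wildcard):
    """Turn 'addr wildcard' into (masked_network, care_mask); None (any/absent) matches all."""
    if addr is None:
        return 0, 0
    if wildcard == "0":                     # Huawei shorthand: wildcard 0 means exact host
        wildcard = "0.0.0.0"
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care, care

@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    src: tuple   # (network, care_mask)
    dst: tuple

    def matches(self, src_ip, dst_ip):
        s_net, s_care = self.src
        d_net, d_care = self.dst
        return ((int(ipaddress.IPv4Address(src_ip)) & s_care) == s_net
                and (int(ipaddress.IPv4Address(dst_ip)) & d_care) == d_net)

def parse_acl(text):
    """Parse the 'rule ...' lines of an 'acl number NNNN' block; other lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("rule"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line}")
        rules.append(Rule(int(m["num"]), m["action"],
                          match_spec(m["src"], m["src_wc"]),
                          match_spec(m["dst"], m["dst_wc"])))
    return sorted(rules, key=lambda r: r.number)

def evaluate(rules, src_ip, dst_ip, default="permit"):
    """First matching rule decides; 'default' is what an unmatched packet gets.
    Both ACLs in the manual end in an explicit deny, so the default never applies to them."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.number
    return default, None

# The two ACLs exactly as the manual configures them
ACL_3002 = """
acl number 3002
 rule 1 permit ip destination 10.23.105.1 0
 rule 2 deny ip destination any
"""
ACL_3001 = """
acl number 3001
 rule 1 permit ip destination 10.23.200.0 0.0.0.255
 rule 2 deny ip
"""

if __name__ == "__main__":
    sta = "10.23.101.10"   # constructed STA address in service VLAN 101
    for name, acl in (("3002", ACL_3002), ("3001", ACL_3001)):
        rules = parse_acl(acl)
        for dst in ("10.23.105.1", "10.23.105.2", "10.23.20.50", "10.23.200.77"):
            print(f"ACL {name}: {sta} -> {dst}: {evaluate(rules, sta, dst)}")
```

Two things the output makes visible. The wildcard 0 in "rule 1 permit ip destination 10.23.105.1 0" is an exact-host match and 0.0.0.255 is a /24, so 10.23.105.2 and 10.23.201.1 fall through to the deny rules. And with ACL 3002 as written, a destination in the laboratory range 10.23.20.2-10.23.20.100 is denied by rule 2; if the AC applies that ACL to the traffic of a user whom the same ISE rule also places into VLAN 20, the laboratory devices named in the service requirements are not reachable, and a permit for 10.23.20.0 0.0.0.255 is needed ahead of the deny when both authorizations are delivered together.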
# Choose Administration > Identity Management > Identities > Users. In the pane on
the right side, click Add to create the account with the user name of huawei and
password of huawei123. Add the account to department R&D. Then, click Submit.
3. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the left side, click Add and create a device profile named Huawei. Then, click
Submit.
# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.
# Select Allow CHAP, Allow MS-CHAPv2, and Allow PEAP. For other parameters,
use the default settings. Click Save.
NOTE
By default, the Cisco ISE disables the CHAP authentication protocol. You need to select the CHAP
authentication protocol on the server so that the CHAP protocol can be used to carry out the test-aaa test
on the AC.
# Choose Policy > Authorization. Click next to Edit and choose Insert New Rule
Above from the menu to add a new authorization policy.
# In the new authorization policy, configure Rule Name, Conditions, and Permissions.
Click Done and then Save.
Step 8 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
l Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
acl number 3001
rule 1 permit ip destination 10.23.200.0 0.0.0.255
rule 2 deny ip
#
user-group group1
acl-id 3001
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
Product V200R007C20
Service Requirements
To improve WLAN security, an enterprise performs external Portal authentication using
HTTP or HTTPS to access-control users.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l Authentication mode: external Portal authentication
l Security policy: open system authentication
Data Planning
Department Huawei
Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure WLAN service parameters.
5. Configure Portal authentication on the AC.
6. Configure the Cisco ISE server.
Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1
Ensure that the Portal server IP address and URL are configured correctly and are the same as those on
the Portal server.
The ISE Portal URL is in the format https://10.23.103.1:8443/portal/PortalSetup.action#portal=0ce17ad0-6d90-11e5-978e-005056bf2f0a and can be obtained through Step 5.5.
[AC] http secure-server ssl-policy default_policy
[AC] http secure-server enable
[AC] portal https-redirect enable
[AC] portal web-authen-server https ssl-policy default_policy port 8443 //Parse the HTTPS authentication request from users and send authentication information to the server.
[AC] interface loopback 0
[AC-LoopBack0] ip address 10.0.0.1 32
[AC-LoopBack0] quit
3. Configure the Portal access profile wlan-net and configure Layer 3 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net layer3
[AC-portal-access-profile-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.
# Select Allow CHAP. For other parameters, use the default settings. Click Save.
4. Add a user.
# Choose Administration > Identity Management > Identities > Users. In the pane on
the right side, click Add to create the account with the user name of huawei and
password of huawei123. Then, click Submit.
# On the Portals Settings and Customization page, click Portal test URL and copy the
link from the address bar.
Step 6 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.
Status
------------------------------------------------------------------------------
460 huawei 10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface LoopBack0
ip address 10.0.0.1 255.255.255.255
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 ap-mac 60de-4476-e360
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
802.1x authentication is more secure than MAC address authentication and Portal
authentication; however, it requires that 802.1x client software be installed on all user
terminals, which reduces networking flexibility. In contrast, MAC address authentication does
not need client software, but user terminals' MAC addresses must be registered on the
authentication server, which makes network configuration and management complex. Portal
authentication also does not need client software, allowing flexible deployment. However, it
does not provide high security. Therefore, 802.1x authentication is applicable to network
construction scenarios where users are densely distributed and high information security is
required.
When the AC is interconnected with the Aruba ClearPass, three authentication methods, that
is, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.
For details about how to configure 802.1x authentication on the AC, see Configure 802.1x
authentication on the AC.
For details about how to configure the authentication on the Aruba ClearPass server, see
Configure the Aruba ClearPass.
Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1x+AES
Figure: networking diagram. Internet - Router (GE0/0/1) - SwitchB. SwitchB connects to the Router (GE0/0/4), to the RADIUS Server 10.23.103.1:1812 (GE0/0/3), to the AC (GE0/0/2 to AC GE0/0/1), and to SwitchA (GE0/0/1 to SwitchA GE0/0/2). SwitchA GE0/0/1 connects to the AP, which serves the STAs.
Management VLAN: VLAN 100
Service VLAN: VLAN 101
Data Planning
l Name: TEST-AAA
l Type: 802.1X Wireless – Identity Only
l Authentication method: PAP (only for
the test-aaa test)
l Authentication source: Local User
Repository[Local SQL DB]
Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure WLAN service parameters.
5. Configure 802.1x authentication on the AC.
6. Configure the Aruba ClearPass server.
Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit
3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
3. Add the AC so that the Aruba ClearPass can interwork with the AC.
# Choose Configuration > Network > Devices. In the pane on the right side, click Add.
Configure Name, IP or Subnet Address, RADIUS Shared Secret, and Vendor Name.
Then, click Add.
The service TEST-AAA must be added to the server so that the test-aaa test can be carried out on the
AC.
Aruba ClearPass Policy Manager 6.5.0 cannot save CHAP passwords locally. Therefore, only the PAP
protocol can be used to carry out the test-aaa test on the AC to test whether users can pass RADIUS
authentication.
# Choose Configuration > Services. In the pane on the right side, click Add.
# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
TEST-AAA and change NAS-Port-Type in the Service Rule pane to Ethernet(15).
# On the Authentication tab, add PAP to Authentication Methods and [Local User
Repository][Local SQL DB] to Authentication Sources. Then, click Save.
----End
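The two server notes above (Cisco ISE must have CHAP enabled before test-aaa works; Aruba ClearPass 6.5.0 cannot store CHAP passwords, so only PAP can be used for the test) and the requirement that the AC and server share the same RADIUS key all come down to how a RADIUS Access-Request is built and verified. The following Python script is an added example, not code from the Huawei guide or from either server vendor: it implements the RFC 2865 PAP password hiding, the RFC 1994 CHAP response, and the Response Authenticator check, then runs a simulated test-aaa with the page's account huawei/huawei123, shared key huawei@123 and NAS address 10.23.102.2. The simulated server, its in-memory user database and the run_test_aaa helper are assumptions for illustration.

```python
# Added example, not part of the Huawei guide: a minimal RADIUS (RFC 2865)
# Access-Request/Access-Accept exchange showing what test-aaa exercises, why PAP
# and CHAP differ in what the server must store, and what a shared-key mismatch
# between AC and server looks like from the AC side.
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS, CHAP_CHALLENGE = 1, 2, 3, 4, 60

# Values from the page: the AC's VLANIF 102 address and the configured shared key.
NAS_IP = "10.23.102.2"
SHARED_KEY = b"huawei@123"


def attr(kind, value):
    """One attribute in Type-Length-Value form (length covers the 2-byte header)."""
    return struct.pack("!BB", kind, 2 + len(value)) + value


def pap_hide(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_reveal(hidden, secret, request_auth):
    """Inverse of pap_hide; the server recovers the cleartext and may hash-compare it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")  # passwords ending in NUL bytes are not supported


def chap_response(ident, password, challenge):
    """RFC 1994: MD5(ident || password || challenge). The server must hold the cleartext
    password to recompute this, so a server that stores only hashes cannot verify CHAP."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_access_request(username, password, secret, ident, method):
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, username) + attr(NAS_IP_ADDRESS, socket.inet_aton(NAS_IP))
    if method == "pap":
        attrs += attr(USER_PASSWORD, pap_hide(password, secret, request_auth))
    else:
        challenge = os.urandom(16)
        attrs += attr(CHAP_CHALLENGE, challenge)
        attrs += attr(CHAP_PASSWORD, bytes([ident]) + chap_response(ident, password, challenge))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def server_reply(request, secret, user_db):
    """Simulated RADIUS server holding cleartext passwords (user_db is constructed)."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:length])
    expected, ok = user_db.get(attrs.get(USER_NAME)), False
    if expected is not None and USER_PASSWORD in attrs:
        ok = pap_reveal(attrs[USER_PASSWORD], secret, request_auth) == expected
    elif expected is not None and CHAP_PASSWORD in attrs:
        chap_id, digest = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
        ok = chap_response(chap_id, expected, attrs.get(CHAP_CHALLENGE, request_auth)) == digest
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_verify(response, request, secret):
    """The NAS must check the Response Authenticator before trusting an Accept."""
    _code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return ident == request[1] and expected == response[4:20]


def run_test_aaa(method, client_key=SHARED_KEY, server_key=SHARED_KEY):
    """Mirrors 'test-aaa huawei huawei123 radius-template wlan-net' on the AC.
    Returns 'Accept', 'Reject' or 'Bad authenticator' (the shared-key mismatch case)."""
    request = build_access_request(b"huawei", b"huawei123", client_key, ident=7, method=method)
    response = server_reply(request, server_key, {b"huawei": b"huawei123"})
    if not client_verify(response, request, client_key):
        return "Bad authenticator"
    return "Accept" if response[0] == ACCESS_ACCEPT else "Reject"


if __name__ == "__main__":
    print("PAP, matching keys:", run_test_aaa("pap"))
    print("CHAP, matching keys:", run_test_aaa("chap"))
    print("PAP, key mismatch:", run_test_aaa("pap", server_key=b"wrong-key"))
```

Two things the run makes visible: with PAP the shared key protects the password in transit and a mismatched key makes the server see a garbled password, while with CHAP the server verifies the credential without the key at all, so the only symptom of a mismatched key is a Response Authenticator that the AC cannot validate. In both cases the AC should report a failure rather than an accept, which is the check test-aaa performs.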
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
MAC address authentication does not need client software, but user terminals' MAC
addresses must be registered on the authentication server, which makes network
configuration and management complex. In contrast, 802.1x authentication needs client
software, which reduces networking flexibility; however, 802.1x authentication is more
secure. Portal authentication also does not need client software, allowing flexible
deployment. However, it does not provide high security.
MAC address authentication is applicable to dumb terminals such as printers and fax
machines.
For details about how to configure MAC address authentication on the AC, see Configure
MAC address authentication on the AC.
For details about how to configure MAC address authentication on the Aruba ClearPass
server, see Configure the Aruba ClearPass.
Product Version
Service Requirements
MAC address authentication is used to authenticate dumb terminals such as wireless network
printers and wireless phones that cannot have an authentication client installed.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l Authentication mode: open system authentication
Figure: networking diagram. Internet - Router (GE0/0/1) - SwitchB. SwitchB connects to the Router (GE0/0/4), to the RADIUS Server 10.23.103.1:1812 (GE0/0/3), to the AC (GE0/0/2 to AC GE0/0/1), and to SwitchA (GE0/0/1 to SwitchA GE0/0/2). SwitchA GE0/0/1 connects to the AP, which serves the STAs.
Data Planning
Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure MAC address authentication on the AC.
5. Configure the Aruba ClearPass server.
Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
3. Create the authentication profile wlan-net and bind it to the MAC access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
2. Add STAs.
# Choose Configuration > Identity > Endpoints. In the pane on the right side, click
Add. In the Add Endpoint dialog box, set MAC Address and click Add.
3. Add the AC so that the Aruba ClearPass can interwork with the AC.
# Choose Configuration > Network > Devices. In the pane on the right side, click Add.
Configure Name, IP or Subnet Address, RADIUS Shared Secret, and Vendor Name.
Then, click Add.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
l Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name wlan-net
mac-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
radius-attribute set Service-Type 10 auth-type mac
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
When the AC is interconnected with the Aruba ClearPass, three authentication methods, that
is, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.
For details about how to configure user authorization based on ACL numbers on the AC, see
user authorization configuration on the AC.
For details about how to configure user authorization based on ACL numbers on the Aruba
ClearPass server, see Aruba ClearPass configuration.
Product Version
Service Requirements
Network access rights are controlled based on user roles when users access the WLAN
through 802.1x authentication.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to allocate IP addresses to APs.
– SwitchB functions as a DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1x+AES
Figure 4-86 Networking for configuring user authorization based on ACL numbers or
dynamic VLANs
Data Planning
l Name: TEST-AAA
l Type: 802.1x Wireless - Identity Only
l Authentication method: PAP (only for the test-aaa test)
l Authentication source: Local User Repository [Local SQL DB]
Configuration Roadmap
1. Configure network interworking.
2. Configure basic WLAN services.
3. Configure the parameters for interconnecting the AC and RADIUS server and network
access rights after successful authentication.
4. Configure the Aruba ClearPass server.
– Add users.
– Add the AC.
– Configure configuration files.
– Configure policies.
– Configure services.
Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key.
l If a terminal obtains an IP address using DHCP, you need to manually trigger the DHCP
process to request an IP address after VLAN-based authorization is successful or the
authorization VLAN changes.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/3 on SwitchA (access switch) to VLAN 20, VLAN 100 and VLAN 101, and GE0/0/2 to VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 20 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/3] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 20, VLAN 100 and VLAN 101, GE0/0/2 to VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, GE0/0/4 to VLAN 104, and GE0/0/5 to VLAN 105.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 20 100 to 105
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface gigabitethernet 0/0/5
[SwitchB-GigabitEthernet0/0/5] port link-type trunk
[SwitchB-GigabitEthernet0/0/5] port trunk pvid vlan 105
[SwitchB-GigabitEthernet0/0/5] port trunk allow-pass vlan 105
[SwitchB-GigabitEthernet0/0/5] quit
# Create VLANIF interfaces VLANIF 102, VLANIF 103, VLANIF 104 and VLANIF 105 on SwitchB and configure a default route with the next hop set to the address of Router.
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] interface vlanif 105
[SwitchB-Vlanif105] ip address 10.23.105.2 24
[SwitchB-Vlanif105] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# On the AC, add GE0/0/1 connected to SwitchB to VLAN 100 and VLAN 102, create
VLANIF 102, and configure the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit
3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
Step 6 Configure the authorization parameter ACL 3002 for users who pass authentication.
[AC] acl 3002
[AC-acl-adv-3002] rule 1 permit ip destination 10.23.105.1 0
[AC-acl-adv-3002] rule 2 deny ip destination any
[AC-acl-adv-3002] quit
# Choose Configuration > Identity > Local Users. In the pane on the right side, click
Add to create the account with the user name of huawei and password of huawei123.
Select Enable User and choose Role. Then, click Add.
3. Add the AC so that the Aruba ClearPass can interwork with the AC.
# Choose Configuration > Network > Devices. In the pane on the right side, click Add.
Configure Name, IP or Subnet Address, RADIUS Shared Secret, and Vendor Name.
Then, click Add.
# Choose Configuration > Services. In the pane on the right side, click Add.
# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
Radius, and select Authorization.
The service TEST-AAA must be added to the server so that the test-aaa test can be carried out on the
AC.
Aruba ClearPass Policy Manager 6.5.0 cannot save CHAP passwords locally. Therefore, only the PAP
protocol can be used to carry out the test-aaa test on the AC to test whether users can pass RADIUS
authentication.
# Choose Configuration > Services. In the pane on the right side, click Add.
# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
TEST-AAA and change NAS-Port-Type in the Service Rule pane to Ethernet(15).
# On the Authentication tab, add PAP to Authentication Methods and [Local User Repository][Local SQL DB] to Authentication Sources. Then, click Save.
# On the Rules tab, click Add Rule. On the Rules Editor tab, set Type to
Authentication, Name to Username, Operator to EQUALS, Value to huawei, and
Profile Names to [RADIUS]ACLVLAN. This configuration is used to deliver the
authorization ACL and dynamic VLAN to user huawei. Then, click Save.
# On the Rules tab, click Add Rule. On the Rules Editor tab, set Type to
Authentication, Name to Username, Operator to NOT_EQUALS, Value to huawei,
and Profile Names to [RADIUS][Allow Access Profile]. This configuration is used to
allow users to pass authentication without authorization operations. Then, click Save.
Step 8 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net pap
Info: Account test succeed.
Status
------------------------------------------------------------------------------
460 huawei 10.23.20.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 20 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 20 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 20 100 to 101
#
return
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 105
port trunk allow-pass vlan 105
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
l Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#r2}aCaYC_5+]c@/eolcB+CNMD=m\g2HmQ1/!crRU%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
acl number 3002
rule 1 permit ip destination 10.23.105.1 0
rule 2 deny ip
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
Service Requirements
Different user groups are created to assign network access rights to different users when they
access the WLAN through 802.1x authentication. Furthermore, users' services are not affected
during roaming in the coverage area.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC and SwitchB function as DHCP servers to assign IP
addresses to APs and STAs, respectively.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1X+AES
Figure 4-87 Networking for configuring user authorization based on user groups
(Figure placeholder: the topology shows the Internet, Router, RADIUS Server 10.23.103.1:1812, AC, SwitchB, SwitchA, an AP and STAs; Management VLAN: VLAN 100; Service VLAN: VLAN 101.)
Data Plan
Department R&D
Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1x authentication and user authorization on the AC.
5. Configure the Aruba ClearPass server.
Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next hop set to the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1
The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit
3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit
# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
NOTE
Configure the RADIUS server to authorize the user group group1 to authenticated employees.
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip destination 10.23.200.0 0.0.0.255
[AC-acl-adv-3001] rule 2 deny ip destination any
[AC-acl-adv-3001] quit
[AC] user-group group1
[AC-user-group-group1] acl-id 3001
[AC-user-group-group1] quit
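The authorization ACLs in this chapter (ACL 3002 in Step 6 of the previous example, and ACL 3001 bound to user group group1 above) rely on Huawei wildcard masks and first-match rule order, so it is worth checking what an authorized user can actually reach. The following added example, written for this page and not part of the Huawei document, parses the rule syntax as it appears in the AC configuration files and evaluates destination addresses against it. The rule text is copied from the page; the parser and the function names are assumptions made for the example.

```python
import ipaddress


def wildcard_match(address, base, wildcard):
    """Huawei wildcard semantics: a 0 bit in the wildcard means that address bit
    must equal the base; a 1 bit is ignored (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_rule(line):
    """Parse the subset of advanced ACL syntax used on the page:
    rule <id> <permit|deny> ip [destination (<addr> <wildcard> | <addr> 0 | any)]
    Returns (rule_id, action, destination); destination is (base, wildcard) or None for any."""
    tokens = line.split()
    if (len(tokens) < 4 or tokens[0] != "rule" or tokens[3] != "ip"
            or tokens[2] not in ("permit", "deny")):
        raise ValueError(f"unsupported rule syntax: {line!r}")
    rule_id, action = int(tokens[1]), tokens[2]
    destination = None
    if "destination" in tokens:
        i = tokens.index("destination")
        target = tokens[i + 1]
        if target != "any":
            # On the CLI the page writes a host as "<addr> 0"; 0 is the wildcard 0.0.0.0.
            wildcard = tokens[i + 2] if i + 2 < len(tokens) else "0"
            destination = (target, "0.0.0.0" if wildcard == "0" else wildcard)
    return rule_id, action, destination


def load_acl(text):
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def evaluate(acl, dst_ip):
    """First-match evaluation in rule order; returns (action, rule_id).
    Both ACLs on the page end with an explicit deny, so the no-match case never applies."""
    for rule_id, action, destination in acl:
        if destination is None or wildcard_match(dst_ip, *destination):
            return action, rule_id
    return "no-match", None


# The two authorization ACLs as they appear in the page's AC configuration files.
ACL_3002 = load_acl("""
rule 1 permit ip destination 10.23.105.1 0
rule 2 deny ip destination any
""")
ACL_3001 = load_acl("""
rule 1 permit ip destination 10.23.200.0 0.0.0.255
rule 2 deny ip
""")


def reachable(acl, destinations):
    """Which of the given destinations the ACL lets an authorized user reach."""
    return [d for d in destinations if evaluate(acl, d)[0] == "permit"]


if __name__ == "__main__":
    # ACL 3002 opens a single host; ACL 3001 opens the whole 10.23.200.0/24 segment.
    print(reachable(ACL_3002, ["10.23.105.1", "10.23.105.2", "10.23.200.10"]))
    print(reachable(ACL_3001, ["10.23.105.1", "10.23.200.10", "10.23.201.10"]))
```

Running the same evaluator over a planned ACL before it is referenced by a user group is a cheap way to confirm that the deny rule really sits last and that the wildcard (not a subnet mask) was typed for each permit.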
3. Add the AC so that the Aruba ClearPass can interwork with the AC.
# Choose Configuration > Network > Devices. In the pane on the right side, click Add.
Configure Name, IP or Subnet Address, RADIUS Shared Secret, and Vendor Name.
Then, click Add.
# Choose Configuration > Services. In the pane on the right side, click Add.
# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
Radius, and select Authorization.
NOTE
The service TEST-AAA must be added to the server so that the test-aaa test can be carried out on the
AC.
Aruba ClearPass Policy Manager 6.5.0 cannot save CHAP passwords locally. Therefore, only the PAP
protocol can be used to carry out the test-aaa test on the AC to test whether users can pass RADIUS
authentication.
# Choose Configuration > Services. In the pane on the right side, click Add.
# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
TEST-AAA and change NAS-Port-Type in the Service Rule pane to Ethernet(15).
# On the Authentication tab, add PAP to Authentication Methods and [Local User Repository][Local SQL DB] to Authentication Sources. Then, click Save.
# On the Attributes tab, set Type to Radius:IETF and Filter-ID to group1. Then, click
Save.
# Choose Configuration > Enforcement > Policies. In the pane on the right side, click
Add. Set Name to User-group, Enforcement Type to RADIUS, and Default Profile to
[Allow Access Profile].
# On the Rules tab, click Add Rule. On the displayed Rules Editor tab, set Type to
Authentication, Name to Username, Operator to EQUALS, Value to huawei, and
Profile Names to [RADIUS] User-group. This configuration is used to deliver rights
configured for User-group to user huawei. Click Save.
# Use the same method to add a new rule. Set Type to Authentication, Name to
Username, Operator to NOT_EQUALS, Value to huawei, Profile Names to
[RADIUS] [Allow Access Profile]. This configuration is used to allow users to pass
authentication without authorization operations. Click Save.
# Choose Configuration > Services. Click service Radius to open the edit tab. Select
the Enforcement tab, and then set Enforcement Policy to User-group. Click Save.
Step 8 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net pap
Info: Account test succeed.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
l Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
acl number 3001
rule 1 permit ip destination 10.23.200.0 0.0.0.255
rule 2 deny ip
#
user-group group1
acl-id 3001
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
Applicable product version: V200R007C20
Service Requirements
To improve WLAN security, an enterprise uses external Portal authentication over HTTP or
HTTPS to control user access.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l Authentication mode: external Portal authentication
l Security policy: open system authentication
Data Planning
Department: Huawei
Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure WLAN service parameters.
5. Configure Portal authentication on the AC.
6. Configure the Aruba ClearPass server.
Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop set to the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID   MAC            Name     Group       IP             Type       State  STA  Uptime
--------------------------------------------------------------------------------
0    60de-4476-e360 area_1   ap-group1   10.23.100.254  AP5030DN   nor    0    10S
--------------------------------------------------------------------------------
Total: 1
Ensure that the Portal server IP address and URL configured on the AC are correct and identical to
those on the Portal server.
The ClearPass Portal URL has the format https://10.23.103.1/guest/huawei.php?_browser=1 and is
obtained in Step 5.2.
[AC] http secure-server ssl-policy default_policy
[AC] http secure-server enable
[AC] portal https-redirect enable
[AC] portal web-authen-server https ssl-policy default_policy port 8443 //Parse HTTPS authentication requests from users and send the authentication information to the server.
[AC] interface loopback 0
[AC-LoopBack0] ip address 10.0.0.1 32
[AC-LoopBack0] quit
[AC] free-rule-template name default
[AC-free-rule-default] free-rule 0 destination ip 10.0.0.1 mask
255.255.255.255
[AC-free-rule-default] quit
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] url https://10.23.103.1/guest/huawei.php
[AC-web-auth-server-wlan-net] source-ip 10.23.100.1
[AC-web-auth-server-wlan-net] protocol http
[AC-web-auth-server-wlan-net] quit
3. Configure the Portal access profile wlan-net and configure Layer 3 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net layer3
[AC-portal-access-profile-wlan-net] quit
# Create the security profile wlan-net and retain the default security policy (open system
authentication).
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit
# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit
# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Enter the access address of the Aruba ClearPass server in the address box, which is in
the format of https://Aruba ClearPass IP. Aruba ClearPass IP is the IP address of the
Aruba ClearPass server.
# On the displayed page, enter the user name and password to log in to the Aruba
ClearPass server.
2. Configure the authentication page.
# Choose Configuration > Pages > Web Logins. Click Create a new web login page
in the right pane.
# Click Test mapping huawei. Record the URL of the displayed page, for example,
https://10.23.103.1/guest/huawei.php?_browser=1.
# Choose Guest > Create Account. Set Guest's Name to test@huawei.com, Company
Name to huawei, and Email Address to test@huawei.com. Record the generated
password and select Terms of Use.
# Click Create.
4. Add the AC so that the Aruba ClearPass server can interwork with the AC.
# On the ClearPass home page, click ClearPass Policy Manager. On the page that is
displayed, enter the user name and password.
# Choose Configuration > Network > Devices. Click Add in the page. In the Add
Device dialog box that is displayed, set parameters as follows:
– Name: AC6605
– IP or Subnet Address: 10.23.102.2
– RADIUS Shared Secret and Verify: huawei@123
– Vendor Name: Huawei
Click Add.
# On the Authentication tab page, add authentication methods [CHAP] and [PAP], and
authentication sources [Guest User Repository][Local SQL DB] and [Local User
Repository][Local SQL DB].
Step 6 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa test@huawei.com 470541 radius-template wlan-net
Info: Account test succeed.
----End
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
l AC configuration file
#
sysname AC
#
http secure-server ssl-policy default_policy
http secure-server enable
#
portal https-redirect enable
#
vlan batch 100 102
#
authentication-profile name wlan-net
portal-access-profile wlan-net
free-rule-template default
authentication-scheme wlan-net
radius-server wlan-net
#
portal web-authen-server https ssl-policy default_policy
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
free-rule-template name default
free-rule 0 destination ip 10.0.0.1 mask 255.255.255.255
#
web-auth-server wlan-net
server-ip 10.23.103.1
url https://10.23.103.1/guest/huawei.php
source-ip 10.23.100.1
protocol http
#
portal-access-profile name wlan-net
web-auth-server wlan-net layer3
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface LoopBack0
ip address 10.0.0.1 255.255.255.255
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
Applicable product: Huawei AC, version V200R007C20
Service Requirements
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l Authentication mode: MAC address-prioritized Portal authentication
l Security policy: open system authentication
Data Planning
Configuration Item: DHCP server
Data: The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB
functions as the DHCP server to assign IP addresses to STAs.
Configuration Roadmap
1. Configure network interworking of the AC, AP, and other network devices.
2. Configure the AP to go online.
3. Configure MAC address-prioritized Portal authentication parameters on the AC.
a. Configure the RADIUS server parameters.
b. Configure a Portal access profile for the external Portal server to manage Portal
access control parameters.
Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key.
Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop set to the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
a static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC] wlan
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC] display ap all
Total AP information:
nor : normal [1]
----------------------------------------------------------------------------------
ID   MAC            Name     Group       IP             Type       State  STA  Uptime
----------------------------------------------------------------------------------
0    60de-4476-e360 area_1   ap-group1   10.23.100.254  AP5030DN   nor    0    10S
----------------------------------------------------------------------------------
Total: 1
Ensure that the RADIUS server IP address, port number, and shared key are configured correctly
on the AC and are the same as those on the RADIUS server.
# Configure a RADIUS server template and configure the encapsulation format of the
MAC address in the calling-station-id (Type 31) attribute of RADIUS packets.
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] calling-station-id mac-format unformatted
[AC-radius-wlan-net] quit
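The RADIUS exchange behind `test-aaa ... pap` (Step 8 of the preceding 802.1X example and Step 6 of the external Portal example) and behind the `calling-station-id mac-format` setting just configured, as an added example that is not Huawei or ClearPass code. It builds a PAP Access-Request as RFC 2865 and RFC 2869 define it, lets a simulated server decode the password and answer, and verifies the Response Authenticator on the AC side. Running it with mismatched secrets shows why the shared key must be identical on both ends: the password decodes to garbage and the reply fails verification, with no error at the protocol level. The shared key huawei@123, the NAS address 10.23.102.2 and the AP MAC 60de-4476-e360 are taken from the page; the rendering of each mac-format keyword is an assumption to check against the AC command reference, and the MD5-based primitives are the protocol's own, not a recommendation.

```python
"""RADIUS PAP Access-Request as a NAS sends it (RFC 2865 / RFC 2869).
Added example; secret, NAS address and MAC are the page's values, the
mac-format rendering is an assumption."""
import hashlib
import hmac
import os
import socket
import struct

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 31, 80


def format_mac(mac: str, fmt: str = "unformatted") -> str:
    """Render a MAC for Calling-Station-Id (Type 31). Keyword layouts assumed."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("MAC must contain 12 hex digits")
    if fmt == "unformatted":                      # 60de4476e360
        return digits
    if fmt == "with-hyphen":                      # 60de-4476-e360 (the AC's display form)
        return "-".join(digits[i:i + 4] for i in range(0, 12, 4))
    if fmt == "with-colon":                       # 60:de:44:76:e3:60
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    raise ValueError("unknown format " + fmt)


def pap_encode(password: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def pap_decode(cipher: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """Server side of pap_encode: a wrong shared key yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, 2 + len(value)) + value


def build_access_request(user, password, secret, nas_ip, mac, mac_fmt, ident=1):
    req_auth = os.urandom(16)                     # Request Authenticator
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_encode(password.encode(), req_auth, secret))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(CALLING_STATION_ID, format_mac(mac, mac_fmt).encode())
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    # Message-Authenticator (RFC 2869 5.14): HMAC-MD5 over the packet with the
    # attribute zeroed, keyed with the shared secret, so attributes cannot be altered.
    digest = hmac.new(secret, header + req_auth + attrs, hashlib.md5).digest()
    return header + req_auth + attrs[:-16] + digest


def parse_attrs(packet: bytes) -> dict:
    attrs, i = {}, 20
    while i < len(packet):
        kind, length = packet[i], packet[i + 1]
        if length < 2:
            raise ValueError("bad attribute length")
        attrs[kind] = packet[i + 2:i + length]
        i += length
    return attrs


def build_access_accept(request: bytes, secret: bytes) -> bytes:
    """Server reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """AC side: a reply produced without the same shared key fails this check."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def check_round_trip(secret_on_ac=b"huawei@123", secret_on_server=b"huawei@123"):
    """What `test-aaa huawei huawei123 radius-template wlan-net pap` exercises."""
    req = build_access_request("huawei", "huawei123", secret_on_ac,
                               "10.23.102.2", "60de-4476-e360", "unformatted")
    seen = parse_attrs(req)
    password_seen = pap_decode(seen[USER_PASSWORD], req[4:20], secret_on_server)
    reply = build_access_accept(req, secret_on_server)
    return {"user": seen[USER_NAME].decode(),
            "calling_station_id": seen[CALLING_STATION_ID].decode(),
            "password_ok": password_seen == b"huawei123",
            "reply_ok": verify_response(req, reply, secret_on_ac)}


if __name__ == "__main__":
    print(check_round_trip())                           # all checks True
    print(check_round_trip(secret_on_server=b"wrong"))  # password_ok and reply_ok False
```

Against a real server you would send the bytes from build_access_request over UDP to port 1812 and feed the reply to verify_response; here the server side is simulated so the block runs offline.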
Ensure that the Portal server IP address and URL configured on the AC are correct and identical to
those on the Portal server.
The ClearPass Portal URL has the format https://10.23.103.1/guest/huawei.php?_browser=1 and is
obtained in Step 5.2.
[AC] http secure-server ssl-policy default_policy
[AC] http secure-server enable
[AC] portal https-redirect enable
[AC] portal web-authen-server https ssl-policy default_policy port 8443 //Parse HTTPS authentication requests from users and send the authentication information to the server.
[AC] interface loopback 0
[AC-LoopBack0] ip address 10.0.0.1 32
[AC-LoopBack0] quit
[AC] free-rule-template name default
[AC-free-rule-default] free-rule 0 destination ip 10.0.0.1 mask
255.255.255.255
[AC-free-rule-default] quit
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] url https://10.23.103.1/guest/huawei.php
[AC-web-auth-server-wlan-net] source-ip 10.23.100.1
[AC-web-auth-server-wlan-net] protocol http
[AC-web-auth-server-wlan-net] quit
3. Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit
# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit
# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs,
and apply the security profile, SSID profile, and authentication profile to the VAP
profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Click Create.
4. Add the AC so that the Aruba ClearPass server can interwork with the AC.
# On the ClearPass home page, click ClearPass Policy Manager. On the page that is
displayed, enter the user name and password.
# Choose Configuration > Network > Devices. Click Add in the page. In the Add
Device dialog box that is displayed, set parameters as follows:
– Name: AC6605
– IP or Subnet Address: 10.23.102.2
– RADIUS Shared Secret and Verify: huawei@123
– Vendor Name: Huawei
Click Add.
# On the Wireless Network Settings tab page, set Wireless SSID to wlan-net and
Select Wireless Controller to the added AC6605.
# Use the default settings on the MAC Caching Settings and Posture Settings tab
pages.
# On the Access Restrictions tab page, set Captive Portal Access to huawei,
Maximum number of devices allowed per user to 1, and Guest Access to Guest.
# Click Save.
Step 6 Verify the configuration.
l The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
l The STAs obtain IP addresses when they successfully associate with the WLAN.
l When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.
l The MAC address validity period is 24 hours. Within this period a STA that reconnects is
admitted by MAC authentication without seeing the Portal page. When the user attempts to
connect to the WLAN more than 24 hours after the account is generated, the
authentication page is displayed again.
l After authentication succeeds, run the display access-user access-type command on the
AC. The command output shows the online user.
[AC] display access-user access-type mac-authen
------------------------------------------------------------------------------
UserID  Username  IP address      MAC             Status
------------------------------------------------------------------------------
739     huawei    10.23.101.250   8000-6e74-e78a  Success
------------------------------------------------------------------------------
Total: 1, printed: 1
----End
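The pre-authentication behaviour that the free rule, the Portal URL, `portal https-redirect enable` and the 24-hour MAC validity period produce, as an added example that is not Huawei or ClearPass code. It covers both this MAC-prioritized example and the preceding external Portal example: an associated STA is first tried by MAC authentication against the server's cache, falls back to the pre-authentication state otherwise, and in that state can only reach free-rule destinations, is redirected on web traffic, and is dropped for everything else. Values from the page: free rule to 10.0.0.1/32 (the AC's LoopBack0 that terminates the HTTPS redirect), Portal server 10.23.103.1, URL https://10.23.103.1/guest/huawei.php, MAC 8000-6e74-e78a and STA address 10.23.101.250. Assumed: the Portal server address is permitted before authentication without an explicit free rule, the AC intercepts only TCP/80 (and TCP/443 with https-redirect), the redirect query parameters are illustrative, and the MAC cache lives on the RADIUS server as the result of the MAC authentication the AC tries first.

```python
"""Portal pre-authentication domain, redirect and MAC-prioritized re-admission.
Added example; configuration values are the page's, everything else is assumed."""
from ipaddress import ip_address, ip_network
from urllib.parse import urlencode

PORTAL_SERVER_IP = "10.23.103.1"
PORTAL_URL = "https://10.23.103.1/guest/huawei.php"
FREE_RULES = [("10.0.0.1", "255.255.255.255")]   # free-rule 0 destination ip ... mask ...
HTTPS_REDIRECT = True                              # portal https-redirect enable
MAC_CACHE_SECONDS = 24 * 3600                      # MAC address validity period


def in_free_rules(dst_ip: str) -> bool:
    """Free rules plus the Portal server itself (assumed to be permitted implicitly)."""
    rules = FREE_RULES + [(PORTAL_SERVER_IP, "255.255.255.255")]
    return any(ip_address(dst_ip) in ip_network(f"{net}/{mask}", strict=False)
               for net, mask in rules)


class RadiusServer:
    """Only the MAC-caching behaviour of the RADIUS/Portal server is modelled."""

    def __init__(self):
        self.mac_cache = {}        # mac -> (username, time of the Portal login)

    def mac_auth(self, mac: str, now: float):
        entry = self.mac_cache.get(mac)
        if entry and now - entry[1] < MAC_CACHE_SECONDS:
            return entry[0]
        return None

    def portal_login(self, mac: str, username: str, password_ok: bool, now: float) -> bool:
        if password_ok:
            self.mac_cache[mac] = (username, now)
        return password_ok


class AccessController:
    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.online = {}           # mac -> username, what `display access-user` lists

    def associate(self, mac: str, now: float) -> str:
        """MAC-prioritized Portal: MAC authentication first, Portal only if it fails."""
        user = self.radius.mac_auth(mac, now)
        if user:
            self.online[mac] = user
            return "online-via-mac"
        return "pre-auth"

    def login(self, mac: str, username: str, password_ok: bool, now: float) -> bool:
        ok = self.radius.portal_login(mac, username, password_ok, now)
        if ok:
            self.online[mac] = username
        return ok

    def disconnect(self, mac: str) -> None:
        self.online.pop(mac, None)

    def forward(self, mac: str, sta_ip: str, dst_ip: str, proto: str, dst_port: int) -> str:
        """Per-packet decision for an associated STA: allow, redirect or drop."""
        if mac in self.online or in_free_rules(dst_ip):
            return "allow"
        if proto == "tcp" and (dst_port == 80 or (HTTPS_REDIRECT and dst_port == 443)):
            query = urlencode({"_browser": 1, "ip": sta_ip, "mac": mac})  # names illustrative
            return "redirect:" + PORTAL_URL + "?" + query
        return "drop"


def walk_through() -> list:
    """One STA over 25 hours (constructed timeline); returns the decisions in order."""
    radius, t0 = RadiusServer(), 1_700_000_000.0
    ac, mac, sta = AccessController(radius), "8000-6e74-e78a", "10.23.101.250"
    steps = [ac.associate(mac, t0),                                   # pre-auth
             ac.forward(mac, sta, "93.184.216.34", "tcp", 80)[:8],    # redirect
             ac.forward(mac, sta, "93.184.216.34", "tcp", 443)[:8],   # redirect
             ac.forward(mac, sta, "93.184.216.34", "udp", 53),        # drop
             ac.forward(mac, sta, "10.0.0.1", "tcp", 8443),           # allow (free rule)
             ac.forward(mac, sta, PORTAL_SERVER_IP, "tcp", 443)]      # allow (Portal server)
    ac.login(mac, "huawei", True, t0 + 30)
    steps.append(ac.forward(mac, sta, "93.184.216.34", "tcp", 80))    # allow, online
    ac.disconnect(mac)
    steps.append(ac.associate(mac, t0 + 2 * 3600))     # within 24 h: no Portal page
    ac.disconnect(mac)
    steps.append(ac.associate(mac, t0 + 25 * 3600))    # cache expired: Portal again
    return steps


if __name__ == "__main__":
    for step in walk_through():
        print(step)
```

Whatever sits in the free-rule template is reachable by anyone who can associate with the open SSID, so keep it to the AC's own redirect address and the Portal server; a broad free rule turns the pre-authentication VLAN into an unauthenticated path to those destinations.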
Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
l AC configuration file
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
mac-access-profile name wlan-net
mac-authen username macaddress format with-hyphen
#
return
Networking Requirements
A company maintains user accounts and organizations on the AD server, and wants to provide
wireless access for mobile office in its campus. Wireless 802.1X authentication can be used to
ensure security.
Authenticated users can access Internet resources.
Data Plan
Configuration Roadmap
To ensure unified user traffic control on the AC, it is recommended that tunnel forwarding be
used to forward packets between the AC and APs.
1. Configure VLANs, IP addresses, and routes on the access switch, aggregation switch,
and AC to ensure network connectivity.
2. Set RADIUS interconnection parameters and wireless access service parameters on the
AC to implement wireless 802.1X authentication.
3. Add the AC on the Agile Controller-Campus, and configure authentication and
authorization.
NOTE
In this example, AD accounts have been synchronized to the basic configuration on the Agile Controller-
Campus.
In this example, the gateway for end users is deployed on the core router. If the gateway for end users is
deployed on the AC, you only need to configure dhcp select interface in the service VLAN on the AC.
This example provides only configurations of the AC, aggregation switch, and access switch.
Procedure
Step 1 [Device] Configure IP addresses, VLANs, and routes to implement network connectivity.
1. Configure the access switch.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan 10
[S2700-vlan10] quit
[S2700] interface gigabitethernet 0/0/3
[S2700-GigabitEthernet0/0/3] port link-type trunk
[S2700-GigabitEthernet0/0/3] port trunk pvid vlan 10
[S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/3] quit
[S2700] interface gigabitethernet 0/0/2
[S2700-GigabitEthernet0/0/2] port link-type trunk
[S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/2] quit
# Configure the default route with the core router as the next hop.
[AC] ip route-static 0.0.0.0 0 172.16.21.254
Step 2 [Device] Configure AP online parameters to enable APs to go online automatically after
connecting to a network.
NOTE
If a Layer 3 network is deployed between the AP and AC, you need to configure the Option 43 field on the
DHCP server to carry the AC's IP address in advertisement packets, allowing the AP to discover the AC.
1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP address
for the AC.
# Create an AP group to which APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulatory-domain-prof-domain1] country-code cn
[AC-wlan-regulatory-domain-prof-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to the AP group ap-group1. This example
assumes that the MAC address of the AP is 60de-4476-e360. Configure a name for the AP
based on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the AP
area_1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC] display ap all
Total AP information:
nor : normal [1]
----------------------------------------------------------------------------------
ID   MAC            Name     Group       IP             Type           State  STA  Uptime
----------------------------------------------------------------------------------
0    60de-4476-e360 area_1   ap-group1   10.10.10.122   AP6010DN-AGN   nor    0    10S
----------------------------------------------------------------------------------
Total: 1
NOTE
The accounting realtime command sets the real-time accounting interval. A short real-time
accounting interval requires high performance of the device and RADIUS server. Set the real-time
accounting interval based on the number of users:
Number of users    Real-time accounting interval
1 to 99            3 minutes
≥ 1000             ≥ 15 minutes
An access profile defines the 802.1X authentication protocol and packet processing parameters. By
default, EAP authentication is used.
[AC] dot1x-access-profile name acc_dot1x
[AC-dot1x-access-profile-acc_dot1x] quit
Specify the user access mode in the authentication profile through the access profile.
Bind the RADIUS authentication scheme, accounting scheme, and server template to the
authentication profile so that RADIUS authentication is used.
[AC] authentication-profile name auth_dot1x
[AC-authentication-profile-auth_dot1x] dot1x-access-profile acc_dot1x
[AC-authentication-profile-auth_dot1x] authentication-scheme auth_scheme
[AC-authentication-profile-auth_dot1x] accounting-scheme acco_scheme
[AC-authentication-profile-auth_dot1x] radius-server radius_template
[AC-authentication-profile-auth_dot1x] quit
# Create the security profile security_dot1x and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name security_dot1x
[AC-wlan-sec-prof-security_dot1x] security wpa2 dot1x aes
[AC-wlan-sec-prof-security_dot1x] quit
# Create the SSID profile wlan-ssid and set the SSID name to dot1x_access.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid dot1x_access
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, configure the service data forwarding mode and
service VLAN, and apply the security, SSID, and authentication profiles to the VAP
profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 100
[AC-wlan-vap-prof-wlan-vap] security-profile security_dot1x
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile auth_dot1x
[AC-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile wlan-vap to the AP group ap-group1, and apply the VAP profile
to radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
Step 5 [Device] Configure the escape function, so services are not affected when the Agile
Controller-Campus becomes faulty.
[AC] user-group server_down
[AC-user-group-server_down] acl-id 3001 //Specify resources end users can access
after the escape function is enabled.
[AC-user-group-server_down] quit
[AC] authentication-profile name auth_dot1x
[AC-authentication-profile-auth_dot1x] authentication event authen-server-down
action authorize user-group server_down
[AC-authentication-profile-auth_dot1x] quit
Step 6 [Agile Controller-Campus] Add the SC server to the AD domain. (AD domain accounts are
used for authentication.)
If 802.1X authentication using the MSCHAPv2 protocol is performed on AD domain
accounts, add the SC server to the AD domain.
By default, the AnyOffice and the built-in 802.1X client of the operating system use the
MSCHAPv2 protocol.
Step 7 [Agile Controller-Campus] Add an access control device and connect it to the Agile
Controller-Campus through RADIUS.
Choose Resource > Device > Device Management, and add the AC.
Step 8 [Agile Controller-Campus] Configure authentication and authorization rules. End users match
the rules based on specified conditions.
1. Choose Policy > Permission Control > Authentication & Authorization >
Authentication Rule, and modify the default authentication rule or create an
authentication rule.
Add the AD server to Data Source. By default, an authentication rule takes effect only
on the local data source. If the AD server is not added as a data source, AD accounts will
fail to be authenticated.
2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and add an authorization ACL.
The ACL number must be the same as that configured on the authentication control
device.
3. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and bind the authorization result to specify resources accessible to
users after successful authentication.
----End
Verification
1. Use a mobile phone to associate with the SSID dot1x_access, and enter an AD domain
user name and password.
2. Obtain an IP address on the 172.16.21.0/24 network segment after successful
authentication, and access Internet resources using this IP address.
3. Run the display access-user and display access-user user-id user-id commands on the
AC to view detailed online user information.
4. Choose Resource > User > RADIUS Log on the Agile Controller-Campus to view
RADIUS logs.
Networking Requirements
A company has about 1000 employees and needs to deploy an authentication system to
implement access control for all the wireless users who attempt to connect to the enterprise
network. Only authenticated users can connect to the enterprise network.
The company has the following requirements:
l The authentication operations must be simple. The authentication system only performs
access authorization and does not require any client software on user terminals.
l A unified identity authentication mechanism is used to authenticate all terminals
attempting to connect to the campus network and deny access from unauthorized
terminals.
l Employees can connect only to public servers (such as the DHCP and DNS servers) of
the company before authentication, and can connect to both the intranet and Internet after
being authenticated.
l If authenticated employees move out of the wireless coverage area and move in again
within a certain period (60 minutes for example), they can connect to the wireless
network directly, without entering their user names and passwords again. This ensures a
good network access experience of employees.
l Guests can connect only to public servers (such as the DHCP and DNS servers) of the
company before authentication, and can connect only to the Internet after being
authenticated.
l Different authentication pages are pushed to employees and guests.
Requirement Analysis
l The company has no specific requirement on terminal security check and requires simple
operations, without a need to install authentication clients on wireless terminals.
Considering the networking and requirements of the company, Portal authentication can
be used on the campus network.
l Tunnel forwarding is recommended for packets exchanged between the AC and APs,
because this mode ensures that all traffic of wireless users passes through the AC for
unified control.
l To implement interworking on the network, configure VLANs according to the
following plan:
– Add employees to VLAN 100 and guests to VLAN 101 to isolate employees from
guests.
– Use VLAN 10 as the mVLAN of the APs.
– Add GE0/0/1, GE0/0/2, and GE0/0/3 of the access switch S2750EI to VLAN 10 so
that these interfaces can transparently transmit packets of APs' mVLAN.
– On the aggregation switch S5700HI, add GE0/0/1 to mVLAN 10, GE0/0/3 to
mVLAN 10 and service VLANs 100 and 101, and GE0/0/2 to service VLANs 100 and
101. In this way, these interfaces can transparently transmit packets of the
corresponding VLANs as required.
– Add GE0/0/1 of the AC to mVLAN 10 and service VLANs 100 and 101 so that the
AC can transparently transmit packets of these VLANs.
l Employees and guests are all authenticated on the web pages pushed by the Portal server.
You need to configure different ACL rules to control access rights of employees and
guests.
l Different SSIDs need to be configured for employees and guests so that different
authentication pages can be pushed to them based on their SSIDs.
l Enable MAC address-prioritized Portal authentication to allow employees to connect to the
wireless network without entering user names and passwords when they move in and out
of the wireless coverage area repeatedly within a period (60 minutes for example).
MAC address-prioritized Portal authentication is a function provided by an AC. When
the Portal server needs to authenticate a user, the AC first sends the user terminal's MAC
address to the Portal server for identity authentication. If the authentication fails, the
Portal server pushes the Portal authentication page to the terminal. The user then enters
the account and password for authentication. The RADIUS server caches the terminal's
MAC address and the SSID it associated with during the first authentication of the
terminal. If the terminal is disconnected and then connected to the network again within
the MAC address validity period, the RADIUS server searches for the SSID and MAC
address of the terminal in the cache to authenticate the terminal.
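The cache behaviour described in this item, modelled in Python as an added example (not part of the Huawei guide); the account, MAC address and SSID names are constructed, and the 60-minute validity period is the value the text uses.

```python
"""Model of the MAC address-prioritized Portal flow described above.

Added example (not from the Huawei guide): it simulates the server-side cache
that the text describes. On the first connection the terminal must pass Portal
(user name and password); the server then caches (SSID, MAC). A reconnect within
the validity period (60 minutes here) is authenticated by MAC address alone.
All names and values below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class MacPriorityPortal:
    validity_seconds: int = 60 * 60          # 60-minute MAC address validity period
    # cache key (ssid, mac) -> time of the last successful Portal authentication
    _cache: dict = field(default_factory=dict)

    def mac_auth(self, ssid: str, mac: str, now: int) -> bool:
        """Step 1: the AC sends the terminal's MAC address and SSID to the server.
        Succeeds only if a non-expired cache entry exists for this SSID+MAC pair."""
        ts = self._cache.get((ssid, mac))
        if ts is None:
            return False
        if now - ts >= self.validity_seconds:
            del self._cache[(ssid, mac)]     # expired entry is purged
            return False
        return True

    def portal_auth(self, ssid: str, mac: str, username: str,
                    password: str, now: int, accounts: dict) -> bool:
        """Step 2: MAC auth failed, the Portal page was pushed and the user typed
        credentials. On success the (SSID, MAC) pair is cached."""
        if accounts.get(username) != password:
            return False
        self._cache[(ssid, mac)] = now
        return True

    def connect(self, ssid, mac, now, credentials=None, accounts=None) -> str:
        """Full flow for one association attempt. Returns which path admitted
        the terminal: 'mac', 'portal', or 'denied'."""
        if self.mac_auth(ssid, mac, now):
            return "mac"
        if credentials and accounts is not None and self.portal_auth(
                ssid, mac, credentials[0], credentials[1], now, accounts):
            return "portal"
        return "denied"


def demo():
    # Constructed sample data: one account and one phone MAC address.
    accounts = {"alice": "S3cret!"}
    srv = MacPriorityPortal()
    mac = "60de-4476-aaaa"
    results = []
    results.append(srv.connect("employee", mac, now=0))                 # no creds -> denied
    results.append(srv.connect("employee", mac, now=0,
                               credentials=("alice", "S3cret!"), accounts=accounts))
    results.append(srv.connect("employee", mac, now=30 * 60))           # within 60 min -> MAC
    results.append(srv.connect("guest", mac, now=30 * 60))              # other SSID -> no entry
    results.append(srv.connect("employee", mac, now=61 * 60))           # expired -> Portal again
    return results
```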
VLAN Plan
VLAN ID Function
Configuration Roadmap
1. Configure the access switch, aggregation switch, and AC to implement interworking on
the network.
2. On the AC, configure a RADIUS server template, configure authentication, accounting,
and authorization schemes in the template, and specify the IP address of the Portal
server. In this way, the AC can communicate with the RADIUS server and Portal server
to perform MAC address-prioritized Portal authentication for employees.
3. Add the AC to the Service Manager and configure parameters for the AC to ensure that
the Agile Controller-Campus can manage the AC.
4. Configure authentication and authorization rules to grant different network access rights
to the authenticated employees and guests.
5. Customize different authentication pages for employees and guests, and configure Portal
page push rules to ensure that different web pages are pushed to employees and guests.
Prerequisites
You have configured a sub-interface, assigned an IP address to the sub-interface, and enabled
DHCP relay on the core router to enable terminals to automatically obtain IP addresses from
the DHCP server on a different network segment.
Procedure
Step 1 [Device] Configure the access switch to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan 10
[S2700-vlan10] quit
[S2700] interface gigabitethernet 0/0/3
[S2700-GigabitEthernet0/0/3] port link-type trunk
[S2700-GigabitEthernet0/0/3] port trunk pvid vlan 10
[S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/3] quit
[S2700] interface gigabitethernet 0/0/1
[S2700-GigabitEthernet0/0/1] port link-type trunk
[S2700-GigabitEthernet0/0/1] port trunk pvid vlan 10
[S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/1] quit
[S2700] interface gigabitethernet 0/0/2
[S2700-GigabitEthernet0/0/2] port link-type trunk
[S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/2] quit
# Add GE0/0/1 connected to the aggregation switch to mVLAN 10 and service VLANs 100
and 101.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 10 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100 101
[AC-GigabitEthernet0/0/1] quit
# Configure a default route that the AC uses to communicate with the server. Packets are
forwarded to the core router by default.
[AC] ip route-static 0.0.0.0 0 172.16.21.254
NOTE
If a Layer 3 network is deployed between the AP and AC, you need to configure the Option 43 field on the
DHCP server to carry the AC's IP address in advertisement packets, allowing the AP to discover the AC.
1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP address
for the AC.
# Create an AP group to which APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name employee //Configure an AP group for employees.
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] ap-group name guest //Configure an AP group for guests.
[AC-wlan-ap-group-guest] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulatory-domain-prof-domain1] country-code cn
[AC-wlan-regulatory-domain-prof-domain1] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to the AP group. This example assumes
that the AP type is AP6010DN-AGN, the MAC address of AP_0 serving the employee area is
60de-4476-e360, and the MAC address of AP_1 serving the guest area is 60de-4476-e380.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name ap_0
[AC-wlan-ap-0] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC-wlan-ap-1] ap-name ap_1
[AC-wlan-ap-1] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC] display ap all
Total AP information:
Step 5 [Device] Configure interconnection parameters for the AC and RADIUS server as well as the
AC and Portal server, so that the AC can associate with the RADIUS and Portal servers.
address 10.10.10.254
[AC-radius-radius_template] radius-server shared-key cipher Admin@123
[AC-radius-radius_template] radius-server user-name original //Configure the AC
to send the user names entered by users to the RADIUS server.
[AC-radius-radius_template] quit
[AC] radius-server authorization 192.168.11.10 shared-key cipher Admin@123
[AC] aaa
[AC-aaa] authentication-scheme auth_scheme //Authentication scheme
[AC-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication
scheme to RADIUS.
[AC-aaa-authen-auth_scheme] quit
[AC-aaa] accounting-scheme acco_scheme //Accounting scheme
[AC-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting
scheme to RADIUS.
[AC-aaa-accounting-acco_scheme] accounting realtime 15
[AC-aaa-accounting-acco_scheme] quit
[AC-aaa] quit
NOTE
The accounting realtime command sets the real-time accounting interval. A short real-time accounting
interval requires high performance of the device and RADIUS server. Set a real-time accounting interval
based on the user quantity.
User Quantity    Real-time Accounting Interval
1 to 99          3 minutes
≥ 1000           ≥ 15 minutes
# Check whether a user can use a RADIUS template for authentication. (User name test and
password Admin_123 have been configured on the RADIUS server.)
[AC] test-aaa test Admin_123 radius-template radius_huawei pap
Info: Account test succeed.
2. Configure parameters carried in the URL, which must be the same as those on the
authentication server.
[AC-url-template-huawei] url-parameter ssid ssid redirect-url url //Specify
the names of the parameters included in the URL. The parameter names must be the
same as those on the authentication server.
//The first ssid indicates that the URL contains the SSID field, and the
second ssid indicates the parameter name.
//For example, after ssid ssid is configured, the URL redirected to the user
contains ssid=guest, where ssid indicates the parameter name, and guest
indicates the SSID with which the user associates.
//The second ssid represents the transmitted parameter name only and cannot
be replaced with the actual user SSID.
//When the AC uses url as the parameter name, the URL must be entered on the
Portal server to specify to which URL users' access requests will be
redirected.
[AC-url-template-huawei] quit
3. Specify the port number used to process Portal protocol packets. The default port number
is 2000. If you change the port number on the AC, set the same port number when you
add this AC to the Agile Controller-Campus.
[AC] web-auth-server listening-port 2000
4. Configure a Portal server template, including configuring the IP address and port number
of the Portal server.
Set the destination port number in the packets sent to the Portal server to 50200. The
Portal server accepts packets with destination port 50200, but the AC uses port 50100 to
send packets to the Portal server by default. Therefore, you must change the port number
to 50200 on the AC so that the AC can communicate with the Portal server.
[AC] web-auth-server portal_huawei
[AC-web-auth-server-portal_huawei] server-ip 192.168.11.10 //IP address for
the Portal server.
[AC-web-auth-server-portal_huawei] source-ip 10.10.10.254 //The IP address
that the AC uses to communicate with the Portal server.
[AC-web-auth-server-portal_huawei] port 50200 //Set the destination port
number in the packets sent to the Portal server to 50200.
5. Configure the shared key used to communicate with the Portal server, which must be the
same as that on the Portal server. In addition, enable the AC to transmit encrypted URL
parameters to the Portal server.
[AC-web-auth-server-portal_huawei] shared-key cipher Admin@123 //Configure
the shared key used to communicate with the Portal server, which must be the
same as that on the Portal server.
[AC-web-auth-server-portal_huawei] url-template huawei //Bind the URL
template to the Portal server profile.
6. Enable the Portal server detection function.
After the Portal server detection function is enabled in the Portal server template, the
device detects all Portal servers configured in the Portal server template. If the number of
times that the device fails to detect a Portal server exceeds the upper limit, the status of
the Portal server is changed from Up to Down. If the number of Portal servers in Up state
is less than or equal to the minimum number (specified by the critical-num parameter),
the device performs the corresponding operation to allow the administrator to obtain the
real-time Portal server status. The detection interval cannot be shorter than 15s, and the
recommended value is 100s. The AC only supports Portal server detection but not Portal
escape.
[AC-web-auth-server-portal_huawei] server-detect interval 100 max-times 5
critical-num 0 action log
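The detection rules in this item, modelled as an added Python example (not code from the Huawei guide); it assumes the action fires at each probe round in which the Up count is at or below critical-num, and the server name and probe outcomes are constructed.

```python
"""Model of the Portal server detection logic described above.

Added example (not from the Huawei guide): it reproduces the rule set the text
gives for `server-detect interval 100 max-times 5 critical-num 0 action log`:
a server is marked Down after max-times consecutive failed probes, returns to Up
on the next successful probe, and the configured action fires whenever the
number of Up servers is less than or equal to critical-num (modelled here as
firing once per probe round in which that holds). Server name and probe
outcomes are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class PortalServerDetect:
    interval: int = 100          # seconds between probe rounds (>= 15 per the text)
    max_times: int = 5           # consecutive failures before Up -> Down
    critical_num: int = 0        # act when the number of Up servers <= this value
    servers: dict = field(default_factory=dict)   # name -> {"state", "fails"}
    actions: list = field(default_factory=list)   # log entries produced

    def add_server(self, name: str) -> None:
        self.servers[name] = {"state": "Up", "fails": 0}

    def up_count(self) -> int:
        return sum(1 for s in self.servers.values() if s["state"] == "Up")

    def probe_round(self, results: dict, round_no: int) -> None:
        """Apply one round of probe results: {server_name: True (reply) / False}."""
        for name, ok in results.items():
            s = self.servers[name]
            if ok:
                s["fails"] = 0
                if s["state"] == "Down":
                    s["state"] = "Up"
            else:
                s["fails"] += 1
                if s["fails"] >= self.max_times and s["state"] == "Up":
                    s["state"] = "Down"
        if self.up_count() <= self.critical_num:
            # "action log": the administrator sees the state at t = round * interval
            self.actions.append(
                f"t={round_no * self.interval}s: {self.up_count()} Portal server(s) Up")

    def worst_case_detection_seconds(self) -> int:
        """Time from the first lost probe until the state flips to Down."""
        return self.interval * self.max_times


def demo():
    det = PortalServerDetect(interval=100, max_times=5, critical_num=0)
    det.add_server("portal_huawei")
    states = []
    # Five consecutive lost probes: the state must stay Up for the first four.
    for i in range(1, 6):
        det.probe_round({"portal_huawei": False}, round_no=i)
        states.append(det.servers["portal_huawei"]["state"])
    det.probe_round({"portal_huawei": True}, round_no=6)    # server answers again
    states.append(det.servers["portal_huawei"]["state"])
    return states, det.actions, det.worst_case_detection_seconds()
```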
7. (Optional) Enable user information synchronization.
The user-sync command enables user information synchronization so that user
information on the device and Portal server is synchronized at intervals to ensure user
information consistency. Without synchronization, user information on the device and on the
Portal server may become inconsistent and accounting may be inaccurate. The user
information synchronization interval must be greater than 300s. (The Agile Controller-
Campus responds to probe packets of a switch or AC at an interval of 5 minutes.) If the
synchronization interval is shorter than 300s, users may go offline after passing
authentication. You are advised to set the user information synchronization interval to
500s, that is, set interval to 100 and max-times to 5.
# Enable the Portal authentication quiet period function. With this function enabled, the AC
drops packets of an authentication user during the quiet period if the user fails Portal
authentication for the specified number of times in 60 seconds. This function protects the AC
from overloading caused by frequent authentication.
[AC] portal quiet-period
[AC] portal quiet-times 5 //Set the maximum number of authentication failures in
60 seconds before the user enters the quiet state.
[AC] portal timer quiet-period 240 //Set the quiet period to 240 seconds.
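The quiet-period behaviour just configured, as an added Python model (not from the Huawei guide); the MAC-style user identifiers and timestamps are constructed.

```python
"""Model of the Portal authentication quiet-period function described above.

Added example (not from the Huawei guide): a user who fails Portal authentication
`quiet_times` times within a 60-second window is put into quiet state, and the AC
drops that user's authentication packets until `quiet_period` seconds have passed.
User identifiers and timestamps below are constructed for illustration.
"""
from collections import defaultdict, deque


class PortalQuietPeriod:
    def __init__(self, quiet_times: int = 5, window: int = 60, quiet_period: int = 240):
        self.quiet_times = quiet_times        # portal quiet-times 5
        self.window = window                  # failures are counted over 60 s
        self.quiet_period = quiet_period      # portal timer quiet-period 240
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._quiet_until = {}                # user -> time when quiet state ends

    def is_quiet(self, user: str, now: float) -> bool:
        until = self._quiet_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._quiet_until[user]       # quiet period over, counters start fresh
            self._failures.pop(user, None)
            return False
        return True

    def on_auth_attempt(self, user: str, now: float, success: bool) -> str:
        """Returns 'dropped' (user in quiet state), 'accepted', or 'failed';
        the failure that reaches quiet_times inside the window returns 'quiet'."""
        if self.is_quiet(user, now):
            return "dropped"
        if success:
            self._failures.pop(user, None)
            return "accepted"
        fails = self._failures[user]
        fails.append(now)
        while fails and now - fails[0] >= self.window:   # slide the 60 s window
            fails.popleft()
        if len(fails) >= self.quiet_times:
            self._quiet_until[user] = now + self.quiet_period
            fails.clear()
            return "quiet"
        return "failed"


def demo():
    guard = PortalQuietPeriod()
    log = []
    for t in (0, 10, 20, 30, 40):                 # 5 failures within 40 s -> quiet
        log.append(guard.on_auth_attempt("aa-bb-cc-dd-ee-01", t, success=False))
    log.append(guard.on_auth_attempt("aa-bb-cc-dd-ee-01", 100, success=True))   # dropped
    log.append(guard.on_auth_attempt("aa-bb-cc-dd-ee-01", 280, success=True))   # quiet over
    slow = []
    for t in (0, 20, 40, 60, 80):                 # never 5 failures within 60 s
        slow.append(guard.on_auth_attempt("aa-bb-cc-dd-ee-02", t, success=False))
    return log, slow
```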
# Create a Portal access profile, and bind the Portal server template to it.
In this example, different Portal survival solutions need to be configured for employees and
guests respectively. Therefore, configure two Portal access profiles.
[AC] portal-access-profile name acc_portal_employee //Create a Portal access
profile for employees.
[AC-portal-access-profile-acc_portal_employee] web-auth-server portal_huawei
direct //Configure the Portal server template used by the Portal access profile.
If the network between end users and the AC is a Layer 2 network, configure the
direct mode; if the network is a Layer 3 network, configure the layer3 mode.
[AC-portal-access-profile-acc_portal_employee] quit
[AC] portal-access-profile name acc_portal_guest //Create a Portal access
profile for guests.
[AC-portal-access-profile-acc_portal_guest] web-auth-server portal_huawei direct
[AC-portal-access-profile-acc_portal_guest] quit
# Configure pre-authentication and post-authentication access rules for employees and guests.
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.1 mask
255.255.255.255 //Configure a Portal authentication-free rule to allow users to
connect to the DNS server before authentication.
[AC-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.100 mask
255.255.255.255 //Configure a Portal authentication-free rule to allow users to
connect to the AD server before authentication.
[AC-free-rule-default_free_rule] free-rule 3 destination ip 192.168.11.2 mask
255.255.255.255 //Configure a Portal authentication-free rule to allow users to
connect to the DHCP server before authentication.
[AC-free-rule-default_free_rule] quit
[AC] acl 3001 //Configure the post-authentication domain for employees,
including the intranet and Internet.
[AC-acl-adv-3001] rule 5 permit ip
[AC-acl-adv-3001] quit
[AC] acl 3002 //Configure the post-authentication domain for guests, including
the Internet.
[AC-acl-adv-3002] rule 5 deny ip destination 192.168.11.200 0 //
192.168.11.200 is the service system IP address and cannot be accessed by guests. The
0 is an ACL wildcard, so only this host is matched.
[AC-acl-adv-3002] rule 10 permit ip
[AC-acl-adv-3002] quit
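A check of the pre- and post-authentication domains above, written as an added Python example (not from the Huawei guide); it models Huawei's first-match ACL evaluation with wildcard masks (0 bits must match, 1 bits are ignored) and assumes a packet matching no rule is denied.

```python
"""Worked check of the access rules configured above.

Added example (not from the Huawei guide): a minimal first-match evaluator for
the Portal authentication-free rules and the two advanced ACLs, used to confirm
that the pre-authentication and post-authentication domains are what the text
describes. Huawei advanced ACL rules carry a wildcard, not a subnet mask: a 0 bit
must match and a 1 bit is ignored, so `destination 192.168.11.200 0` matches
that host only, while an all-ones wildcard matches any host. The free-rule
command, by contrast, takes an ordinary subnet mask. A packet that matches no
ACL rule is treated as denied here (an assumption of this model).
"""
import ipaddress


def _ip(s: str) -> int:
    # the CLI accepts the shorthand "0" for the wildcard 0.0.0.0
    return int(s) if s.isdigit() else int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard semantics: compare only the bits that are 0 in the wildcard."""
    mask = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & mask) == (_ip(base) & mask)


def subnet_match(addr: str, base: str, mask: str) -> bool:
    """free-rule semantics: ordinary subnet mask."""
    return (_ip(addr) & _ip(mask)) == (_ip(base) & _ip(mask))


def acl_decision(rules, dst: str) -> str:
    """First matching rule (ascending rule id) wins; rules are
    (rule_id, action, dst_base, dst_wildcard); base=None matches everything."""
    for _, action, base, wildcard in sorted(rules, key=lambda r: r[0]):
        if base is None or wildcard_match(dst, base, wildcard):
            return action
    return "deny"


# Pre-authentication domain: default_free_rule (DNS, AD and DHCP servers).
FREE_RULES = [("192.168.11.1", "255.255.255.255"),
              ("192.168.11.100", "255.255.255.255"),
              ("192.168.11.2", "255.255.255.255")]

# Post-authentication domains: (rule_id, action, destination, wildcard).
ACL_3001_EMPLOYEE = [(5, "permit", None, None)]
ACL_3002_GUEST = [(5, "deny", "192.168.11.200", "0"),        # service system host
                  (10, "permit", None, None)]
# The same guest ACL with an all-ones wildcard written by mistake: rule 5 then
# matches every destination and guests lose all access.
ACL_3002_MISTAKE = [(5, "deny", "192.168.11.200", "255.255.255.255"),
                    (10, "permit", None, None)]


def pre_auth_allowed(dst: str) -> bool:
    return any(subnet_match(dst, base, mask) for base, mask in FREE_RULES)


def decisions(dst: str) -> dict:
    return {
        "pre_auth": pre_auth_allowed(dst),
        "employee": acl_decision(ACL_3001_EMPLOYEE, dst),
        "guest": acl_decision(ACL_3002_GUEST, dst),
        "guest_mistake": acl_decision(ACL_3002_MISTAKE, dst),
    }
```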
# Configure different authentication profiles for employees and guests respectively because
MAC address-prioritized Portal authentication needs to be enabled for employees.
[AC] authentication-profile name auth_portal_employee
[AC-authentication-profile-auth_portal_employee] mac-access-profile acc_mac //
Enable MAC address-prioritized authentication for employees.
[AC-authentication-profile-auth_portal_employee] portal-access-profile
acc_portal_employee
[AC-authentication-profile-auth_portal_employee] authentication-scheme auth_scheme
# Enable terminal type awareness to allow the AC to send the option fields containing the
terminal type in DHCP packets to the authentication server. In this way, the authentication
server can push the correct Portal authentication pages to users based on their terminal types.
[AC] dhcp snooping enable
[AC] device-sensor dhcp option 12 55 60
# Configure Portal survival. Configure the device to grant network access rights of a user
group to users when the Portal server is Down so that the users can access the post-
authentication domain. In addition, configure the device to re-authenticate users when the
Portal server goes Up.
[AC] user-group group1
[AC-user-group-group1] acl-id 3001 //Employees' post-authentication domain
corresponding to group1.
[AC-user-group-group1] quit
[AC] portal-access-profile name acc_portal_employee
[AC-portal-access-profile-acc_portal_employee] authentication event portal-server-
down action authorize user-group group1 //Configure the network access
permission of employees when the Portal server is Down.
[AC-portal-access-profile-acc_portal_employee] authentication event portal-server-
up action re-authen //Enable the device to re-authenticate users when the Portal
server state changes from Down to Up.
[AC-portal-access-profile-acc_portal_employee] quit
[AC] user-group group2
[AC-user-group-group2] acl-id 3002 //Guests' post-authentication domain
corresponding to group2.
[AC-user-group-group2] quit
[AC] portal-access-profile name acc_portal_guest
[AC-portal-access-profile-acc_portal_guest] authentication event portal-server-
down action authorize user-group group2 //Configure the network access
permission of guests when the Portal server is Down.
[AC-portal-access-profile-acc_portal_guest] authentication event portal-server-up
action re-authen
[AC-portal-access-profile-acc_portal_guest] quit
# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to
employee and guest respectively.
[AC-wlan-view] ssid-profile name wlan-ssid-employee
[AC-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid-employee] quit
[AC-wlan-view] ssid-profile name wlan-ssid-guest
[AC-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid-guest] quit
# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data
forwarding mode and service VLANs, and apply the security, SSID, and authentication
profiles to the VAP profiles.
[AC-wlan-view] vap-profile name wlan-vap-employee
[AC-wlan-vap-prof-wlan-vap-employee] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 100
[AC-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC-wlan-vap-prof-wlan-vap-employee] authentication-profile
auth_portal_employee //Bind the authentication profile of employees.
[AC-wlan-vap-prof-wlan-vap-employee] quit
[AC-wlan-view] vap-profile name wlan-vap-guest
[AC-wlan-vap-prof-wlan-vap-guest] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal_guest //
Bind the authentication profile of guests.
[AC-wlan-vap-prof-wlan-vap-guest] quit
# Bind the VAP profile to the AP groups and apply the VAP profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 0
[AC-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 1
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] vap-profile wlan-vap-guest wlan 1 radio 0
[AC-wlan-ap-group-guest] vap-profile wlan-vap-guest wlan 1 radio 1
[AC-wlan-ap-group-guest] quit
Step 7 [Agile Controller-Campus] Add the AC to the Service Manager to enable the Agile
Controller-Campus to manage the AC.
1. Choose Resource > Device > Device Management.
2. Click Add.
3. Configure parameters for the AC.
Parameter    Value       Description
Name         AC          -
Portal key   Admin@123   It must be the same as the Portal key configured on the AC.
4. Click OK.
Step 8 [Agile Controller-Campus] Add SSIDs on the Agile Controller-Campus, so that the Agile
Controller-Campus can authorize users through the SSIDs.
1. Choose Policy > Permission Control > Policy Element > SSID.
2. Click Add and add SSIDs for employees and guests.
The SSIDs must be the same as those configured on the AC.
2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and add authorization ACLs for employees and guests.
The ACL numbers must be the same as those configured on the authentication control
device.
3. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and bind the authorization result to specify resources accessible to
employees and guests after successful authentication.
4. Modify the default authorization rule by changing the authorization result to Deny
Access.
Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click on the right of Default Authorization Rule. Change
the value of Authorization Result to Deny Access.
4. Select an authentication page template for employee authentication at the bottom of the
page, and click Next.
5. Click Next, select an authentication page template for employee authentication, and
select English from the Choose the language template drop-down list box.
6. Click Next.
Employees do not need to log in using mobile phones and can therefore skip this step.
7. Click Next. Set Authentication Page, Authentication Success Page, and User Notice
Page.
4. Click Next, select an authentication page template for guest authentication, and select
English from the Choose the language template drop-down list box.
5. Click Next. Set Authentication Page, Authentication Success Page, User Notice
Page, Registration Page, and Registration Success Page.
4. Configure push rules for guests in a similar way and click OK.
5. Click OK.
Step 13 [Agile Controller-Campus] Enable MAC address-prioritized Portal authentication on the
Agile Controller-Campus.
1. Choose System > Terminal Configuration > Global Parameters.
2. On the MAC Address-prioritized Portal Authentication tab page, enable MAC
Address-prioritized Portal Authentication and set Mac Address-Prioritized Portal
Authentication to 60 minutes.
3. Click OK.
----End
Verification
If a terminal uses Internet Explorer 8 for Portal authentication, the following configuration
must be completed for the browser. Otherwise, the Portal authentication page cannot be
displayed.
1. Choose Tools > Internet Options.
2. Select options related to Use TLS on the Advanced tab.
3. Click OK.
Employee authentication
l Employees can access only the Agile Controller-Campus server, DNS server, AD server, and
DHCP server before authentication.
l When an employee connects to the Wi-Fi hotspot employee using a computer and attempts to
visit the Internet or service system, the employee authentication page is pushed to the
user. After the employee enters the correct user name and password, the authentication
succeeds and the requested web page is displayed automatically.
l After employees are successfully authenticated, they can access the Internet and service
system.
l After the authentication succeeds, run the display access-user command on the AC. The
command output shows that the employee account is online.
l On the Service Manager, choose Resource > User > Online User Management, and the
employee account is displayed on the list of online users.
l On the Service Manager, choose Resource > User > RADIUS Log, and you can see the
RADIUS authentication log for the employee account.
Guest authentication
l Guests can access only the Agile Controller-Campus server, DNS server, and DHCP server
before authentication.
l When a guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to visit
the Internet, the Mobile Phone authentication page is pushed to the mobile phone. After the
guest enters the correct user name and password, the authentication succeeds and the
requested web page is displayed automatically.
l When a guest connects to the Wi-Fi hotspot guest using a laptop or tablet, the PC/Pad
authentication page is pushed to the laptop or tablet. After the guest enters the correct
user name and password, the authentication succeeds and the requested web page is displayed
automatically.
l After guests are successfully authenticated using the accounts registered by their mobile
numbers, they can access the Internet but not the service system.
l After the authentication succeeds, run the display access-user command on the AC. The
command output shows that the guest account is online.
l On the Service Manager, choose Resource > User > Online User Management, and the guest
account is displayed on the list of online users.
l On the Service Manager, choose Resource > User > RADIUS Log, and you can see the RADIUS
authentication log for the guest account.
l Authorization rules or Portal page push rules are matched in descending order of priority
(ascending order of rule numbers). If the authorization condition or Portal push condition
of a user matches a rule, the Agile Controller-Campus does not check the subsequent
rules. Therefore, it is recommended that you set higher priorities for the rules defining
more precise conditions and set lower priorities for the rules defining fuzzy conditions.
l The RADIUS accounting function is configured on the AC to enable the Agile
Controller-Campus to obtain online user information by exchanging accounting packets
with the AC. The Agile Controller-Campus does not support the real accounting
function. If accounting is required, use a third-party accounting server.
Networking Requirements
As shown in Figure 4-93, dumb terminals such as printers and IP phones in the confidential
service office of a company associate with the AP through the mac_access SSID, and connect
to the intranet through the access switch S2750EI, aggregation switch S5720HI, and core
router. If unauthorized terminals access the intranet, the business system of the company may
be attacked or key information may leak. The administrator requests to control network access
permission of users on the AC to ensure intranet security. In addition, the AC functions as a
DHCP server to assign IP addresses on the 10.10.10.0/24 network segment to APs, and
centrally manages all users.
To ensure unified user traffic control on the AC, it is recommended that tunnel forwarding be
used to forward packets between the AC and APs.
AnyOffice cannot be installed on dumb terminals such as printers and IP phones in the
confidential service office. Therefore, wireless MAC address authentication can be used so
that the AC can send MAC addresses of the terminals as user information to the RADIUS
server for authentication.
Data Plan
Table 4-127 Service data plan for wireless MAC address authentication
Configuration Roadmap
1. Configure VLANs, IP addresses, and routes on the access switch, aggregation switch,
and AC to ensure network connectivity.
2. Set RADIUS interconnection parameters and MAC address authentication parameters on
the AC to implement wireless MAC address authentication.
3. Add the AC on the Agile Controller-Campus, and configure authentication and
authorization.
NOTE
In this example, the gateway for dumb terminals is deployed on the core router. If the gateway for dumb
terminals is deployed on the AC, you only need to configure dhcp select interface in the service VLAN on
the AC.
This example provides only configurations of the AC, aggregation switch, and access switch.
Procedure
Step 1 [Device] Configure IP addresses, VLANs, and routes to implement network connectivity.
1. Configure the access switch.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan 10
[S2700-vlan10] quit
[S2700] interface gigabitethernet 0/0/3
[S2700-GigabitEthernet0/0/3] port link-type trunk
# Configure the default route with the core router as the next hop.
[AC] ip route-static 0.0.0.0 0 172.16.21.254
Step 2 [Device] Configure AP online parameters to enable APs to go online automatically after
connecting to a network.
NOTE
If a Layer 3 network is deployed between the AP and AC, you need to configure the Option 43 field on the
DHCP server to carry the AC's IP address in advertisement packets, allowing the AP to discover the AC.
1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP address
for the AC.
# Create an AP group to which APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulatory-domain-prof-domain1] country-code cn
[AC-wlan-regulatory-domain-prof-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the AP offline on the AC and add the AP to the AP group ap-group1. This example
assumes that the MAC address of the AP is 60de-4476-e360. Configure a name for the AP
based on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the AP
area_1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC            Name   Group     IP           Type         State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.10.10.122 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1
Step 3 [Device] Configure MAC address authentication parameters to enable MAC address
authentication for dumb terminals.
The following figure shows the process of configuring wireless MAC address authentication.
NOTE
The accounting realtime command sets the real-time accounting interval. A short real-time
accounting interval requires high performance of the device and RADIUS server. Set the real-time
accounting interval based on the user quantity, for example:
User Quantity   Real-Time Accounting Interval
1 to 99         3 minutes
≥ 1000          ≥ 15 minutes
Specify the user access mode in the authentication profile through the access profile.
Bind the RADIUS authentication scheme, accounting scheme, and server template to the
authentication profile so that RADIUS authentication is used.
[AC] authentication-profile name mac
[AC-authentication-profile-mac] mac-access-profile mac
[AC-authentication-profile-mac] authentication-scheme auth_scheme
[AC-authentication-profile-mac] accounting-scheme acco_scheme
[AC-authentication-profile-mac] radius-server radius_template
[AC-authentication-profile-mac] quit
# Create the security profile security-mac and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name security-mac
[AC-wlan-sec-prof-security-mac] quit
# Create the SSID profile wlan-ssid and set the SSID name to mac_access.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid mac_access
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, configure the service data forwarding mode and
service VLAN, and apply the security, SSID, and authentication profiles to the VAP
profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 100
[AC-wlan-vap-prof-wlan-vap] security-profile security-mac
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile mac
[AC-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile wlan-vap to the AP group ap-group1, and apply the VAP profile
to radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
Step 4 [Agile Controller-Campus] Add an access control device and connect it to the Agile
Controller-Campus through RADIUS.
Choose Resource > Device > Device Management, and add the AC.
Step 5 [Agile Controller-Campus] Configure authentication and authorization rules. End users match
the rules based on specified conditions.
1. Add authentication rules.
# Choose Policy > Permission Control > Authentication and Authorization >
Authentication Rule.
# Click Add.
# Set the parameters of authentication rules.
– Service Type: MAC Bypass Authentication Service
# Click OK.
2. Add the devices that require MAC authentication.
# Choose Resource > Terminal > Terminal List.
# Select the first node in the Device Group list and click Add in the right-side window
to create a device group for MAC authentication, such as device group MAC.
# Select MAC in the Device Group list. On the Device List tab page in the right-side
window, click Add and enter the MAC address of the device, such as
00-11-22-33-44-55.
# Click OK.
# Repeat the preceding steps to add all devices that require MAC authentication to
device group MAC. The Agile Controller-Campus supports batch import of device MAC
addresses. For details, see Example in 4.19.12.5 Configuring MAC Address
Authentication.
3. Add authorization rules.
# Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule.
# Click Add.
# Set the parameters of authorization rules.
– Service Type: MAC Bypass Authentication Service
– Terminal Group: MAC
– Authorization Result: Permit Access
# Click OK.
# Repeat the preceding operations to create any further authorization rules required. A
terminal whose MAC address has not been added to device group MAC fails MAC
authentication and is not allowed to access the network.
----End
Result
l After the configuration is complete, run the display mac-authen command on the AC to
view the MAC address authentication configuration.
l After a dumb terminal associates with the WLAN with the SSID mac_access, the AC
automatically obtains the dumb terminal's MAC address as the user name and password
for authentication. After successful authentication, the dumb terminal can access the
Internet.
l After the dumb terminal goes online, run the display access-user access-type mac-authen
command on the AC to view information about the online MAC address authentication user.
l Choose Resource > User > RADIUS Log on the Agile Controller-Campus to view
RADIUS logs.
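The RADIUS exchange behind this result, modelled end to end as an added example (it is not code from this page or from Huawei): the AC-side Access-Request in which the terminal's MAC address is both User-Name and User-Password (hidden as RFC 2865 section 5.2 requires), and the server-side decision that the Agile Controller-Campus makes against a terminal group such as device group MAC above. The shared secret, the attribute set, the MAC normalisation to 12 lowercase hex digits and the DEVICE_GROUP_MAC contents are assumptions for the example; the username format the AC really sends follows the mac-access-profile settings.

```python
"""Model of the RADIUS exchange behind wireless MAC address authentication."""
from __future__ import annotations

import hashlib
import os
import re

# Constructed example values (not from the page): the real shared secret is the
# one configured in the AC's RADIUS server template and on the Agile Controller.
SHARED_SECRET = b"Example@Secret"
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CALLING_STATION_ID = 31


def normalize_mac(mac: str) -> str:
    """Reduce any MAC notation (00-11-22-33-44-55, 0011-2233-4455, ...) to 12
    lowercase hex digits. Assumption: this is the credential form; the real form
    is set by the username format in the AC's mac-access-profile."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 and XOR each block with
    MD5(secret || previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the server needs the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: type, total length, value."""
    return bytes([kind, 2 + len(value)]) + value


def build_access_request(mac: str, secret: bytes, identifier: int = 1,
                         authenticator: bytes = b"") -> bytes:
    """Access-Request as an AC sends it for a MAC-auth user: the MAC is both
    User-Name and User-Password, and also travels in Calling-Station-Id."""
    authenticator = authenticator or os.urandom(16)
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    cred = normalize_mac(mac).encode()
    attrs = (_attr(ATTR_USER_NAME, cred)
             + _attr(ATTR_USER_PASSWORD, hide_password(cred, secret, authenticator))
             + _attr(ATTR_CALLING_STATION_ID, mac.encode()))
    length = 20 + len(attrs)
    return (bytes([CODE_ACCESS_REQUEST, identifier]) + length.to_bytes(2, "big")
            + authenticator + attrs)


def parse_attributes(packet: bytes) -> dict[int, bytes]:
    """Split the attribute TLVs after the 20-byte header; rejects bad lengths."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = {}, 20
    while pos < len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[kind] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def authorize(packet: bytes, secret: bytes, device_group: set[str]) -> tuple[bool, str]:
    """Server-side decision for the MAC Bypass Authentication Service: the hidden
    password must decode to the User-Name (this proves the shared secret and the
    MAC-auth convention), and the MAC must be in the terminal group."""
    attrs = parse_attributes(packet)
    authenticator = packet[4:20]
    user = attrs.get(ATTR_USER_NAME, b"")
    if unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, authenticator) != user:
        return False, "User-Password does not decode to User-Name (wrong shared secret?)"
    try:
        mac = normalize_mac(user.decode("ascii"))
    except ValueError:  # UnicodeDecodeError is a ValueError too
        return False, "User-Name is not a MAC address"
    if mac not in device_group:
        return False, f"{mac} not in terminal group MAC: denied"
    return True, f"{mac} permitted"


# Constructed terminal group, mirroring the device added on the Agile Controller.
DEVICE_GROUP_MAC = {normalize_mac("00-11-22-33-44-55")}

if __name__ == "__main__":
    for mac in ("00-11-22-33-44-55", "00-11-22-33-44-66"):
        req = build_access_request(mac, SHARED_SECRET)
        print(mac, authorize(req, SHARED_SECRET, DEVICE_GROUP_MAC))
```

The model makes the trust boundary visible: the only secret in the exchange is the AC-to-server shared key, while the "credential" is a MAC address that any station within radio range can read and clone. That is why the authorization result for a MAC-authenticated printer or IP phone should be the narrowest access that still works, not a general Permit Access.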
network configuration tool or configuration file. After the terminal automatically completes
network configuration, the user can access the network through 802.1X.
Item Model Version
AP AP6010DN-AGN V200R006C20
AC AC6605 V200R006C20
Networking Requirements
To ensure network access security, an enterprise requests users to pass 802.1X certificate
authentication before they access the network. To access the network through 802.1X
certificate authentication, users need to complete complex configurations on terminals.
The Boarding deployment scheme simplifies operations and enables user terminals to
automatically complete configurations. As shown in Figure 4-94, the Boarding deployment
scheme provides two SSIDs. One is used for initializing the network and uses Portal
authentication. The other one is used for service access and uses 802.1X authentication.
When accessing a network, a user needs to associate with the initialization SSID first to
download the network configuration tool or configuration file. After the configuration is
automatically completed on the terminal, the user is automatically associated with the service
access SSID to access the network through 802.1X.
Figure 4-94 Boarding deployment networking: AP, AC (GE 0/0/1 carries VLAN 100; GE 0/0/2
carries VLAN 100, 101, and 102), router, and the RADIUS, Portal, CA, and 802.1X server
Data Planning
Configuration Roadmap
1. Configure network interworking and enable APs to go online on the AC.
2. Configure a RADIUS server template and 802.1X authentication on the AC.
3. Configure Portal authentication on the AC.
4. Configure post-authentication domain resources on the AC for users to access after
passing authentication.
5. Configure the Boarding on the Agile Controller-Campus.
6. Configure authentication and authorization on the Agile Controller-Campus.
Procedure
Step 1 Optional: Deploy the Windows CA server.
2. Configure the uplink interface on the AC to allow packets from VLAN 100, VLAN 101,
and VLAN 102 to pass through so that the AC can communicate with upper-layer
network devices.
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[AC-GigabitEthernet0/0/2] quit
3. Configure IP addresses for VLANIF interfaces, and configure the AC to function as the
DHCP server to allocate IP addresses for APs, Portal services, and 802.1X services.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.3.2 255.255.255.0
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.20.210.254 255.255.255.0
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.20.211.254 255.255.255.0
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
4. Configure the default route, with the next hop pointing to the IP address of the router
interface.
[AC] ip route-static 0.0.0.0 0.0.0.0 192.168.3.254
If a Layer 3 network is deployed between the AP and AC, you need to configure the Option 43 field on
the DHCP server to carry the AC's IP address in advertisement packets, allowing the AP to discover the
AC.
1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP
address for the AC.
# Create the AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulatory-domain-prof-domain1] country-code cn
[AC-wlan-regulatory-domain-prof-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit
# Import the APs offline on the AC. Add APs to AP group ap-group1. Configure names
for the APs based on the APs' deployment locations, so that you can know where the
APs are deployed from their names. For example, if the AP with MAC address
60de-4476-e360 is deployed in area 1, name the AP area_1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. Whether to continue? [Y/N]y
[AC-wlan-ap-0] quit
# After an AP is powered on, run the display ap all command to check the AP state. If
the State field displays nor, the AP has gone online.
6. Define post-authentication resources in an ACL with the same number as that specified
in the authorization result on the Agile Controller-Campus.
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip destination 192.168.2.0 24 //Post-authentication domain resources
[AC-acl-adv-3001] rule 2 deny ip
[AC-acl-adv-3001] quit
By default, an 802.1X access profile uses the EAP authentication mode. The authentication protocol
must be the same as that configured in the authentication rule on the Agile Controller-Campus.
[AC] dot1x-access-profile name dot1x_access
[AC-dot1x-access-profile-dot1x_access] quit
3. Configure the authentication profile dot1x_auth, and import the authentication scheme,
accounting scheme, and RADIUS server template.
[AC] authentication-profile name dot1x_auth
[AC-authentication-profile-dot1x_auth] dot1x-access-profile dot1x_access
[AC-authentication-profile-dot1x_auth] authentication-scheme auth_scheme
[AC-authentication-profile-dot1x_auth] accounting-scheme acc_scheme
[AC-authentication-profile-dot1x_auth] radius-server radius_huawei
[AC-authentication-profile-dot1x_auth] quit
# Create the SSID profile dot1x-ssid, and set the SSID name to 802.1X.
# Create the VAP profile dot1x-vap, configure the data forwarding mode and service
VLANs, and apply the security profile, SSID profile, and authentication profile to the
VAP profile.
[AC-wlan-view] vap-profile name dot1x-vap
[AC-wlan-vap-prof-dot1x-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-dot1x-vap] service-vlan vlan-id 102
[AC-wlan-vap-prof-dot1x-vap] security-profile dot1x-security
[AC-wlan-vap-prof-dot1x-vap] ssid-profile dot1x-ssid
[AC-wlan-vap-prof-dot1x-vap] authentication-profile dot1x_auth
[AC-wlan-vap-prof-dot1x-vap] quit
# Bind the VAP profile dot1x-vap to an AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile dot1x-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
If terminals running the iOS system need to be registered or claimed missing, the url-parameter user-
mac usermac command must be configured. This command is not required in other cases. Terminals
running the iOS system do not initiate Portal authentication when downloading configuration files, so
they are redirected to the Portal pushed page, but cannot send terminals' MAC addresses through Portal
login packets.
[AC] url-template name url_temp
[AC-url-template-url_temp] url http://192.168.1.210:8080/portal
[AC-url-template-url_temp] url-parameter user-mac usermac
[AC-url-template-url_temp] quit
2. Configure a Portal server profile and specify information about the Portal server.
[AC] web-auth-server portal_server
[AC-web-auth-server-portal_server] server-ip 192.168.1.210
[AC-web-auth-server-portal_server] source-ip 192.168.3.2
[AC-web-auth-server-portal_server] port 50200
[AC-web-auth-server-portal_server] shared-key cipher Admin@123
[AC-web-auth-server-portal_server] url-template url_temp
[AC-web-auth-server-portal_server] quit
4. Configure an authentication-free rule profile. Add the resources (patch server) that users
can access before authentication to the profile.
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 192.168.1.200 mask 32
[AC-free-rule-default_free_rule] quit
# Create the SSID profile portal-ssid, and set the SSID name to Portal.
[AC-wlan-view] ssid-profile name portal-ssid
[AC-wlan-ssid-prof-portal-ssid] ssid Portal
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-portal-ssid] quit
# Create the VAP profile portal-vap, configure the data forwarding mode and service
VLAN, and apply the security profile, SSID profile, and authentication profile to the
VAP profile.
[AC-wlan-view] vap-profile name portal-vap
[AC-wlan-vap-prof-portal-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-portal-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-portal-vap] security-profile portal-security
[AC-wlan-vap-prof-portal-vap] ssid-profile portal-ssid
[AC-wlan-vap-prof-portal-vap] authentication-profile portal_auth
[AC-wlan-vap-prof-portal-vap] quit
# Bind the VAP profile to an AP group and apply the VAP profile to radio 0 and radio 1
of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile portal-vap wlan 2 radio all
[AC-wlan-ap-group-ap-group1] quit
Step 5 [Agile Controller-Campus] Configure the Boarding to enable the automatic configuration for
802.1X on user terminals.
Choose Policy > Permission Control > Boarding Management > Quick Start to perform
configurations according to the wizard.
1. Configure the network access policy and specify 802.1X access parameters.
The 802.1X network access parameters are the same as those on the AC. The commands
used to configure key parameters on the AC are as follows:
– Security mode: security wpa2 dot1x aes
– Encryption mode: security wpa2 dot1x aes
– SSID: ssid 802.1X
2. Upload a CA certificate for verification when a user certificate is used for authentication
and when the Agile Controller-Campus applies for a user certificate from the Windows
CA server.
3. Configure the SCEP certificate server to apply for user certificates from the Windows
CA server.
4. Optional: Configure OCSP to check the revocation status of user certificates online. The
revoked user certificates cannot be used. You are advised to use OCSP. If OCSP is not
configured, you can choose System > External Authentication > Certificate
Management to configure CRL synchronization or manually upload a CRL to check the
certificate revocation status.
The Agile Controller-Campus provides the default Portal page. The administrator can
modify the default Portal page or add a Portal page.
If the version of the network configuration tool needs to be updated, choose Policy >
Permission Control > Page Customization > Page Customization Material to
upload the latest version.
Configure Portal page push policies for terminals running the Android OS, iOS, and
Windows OS. Set the following parameters and use the default settings for other
parameters.
– Android
n Name: Android
n Push different pages based on terminal OS: Android
n Pushed page: Android_en
– iOS
n Name: iOS
n Push different pages based on terminal OS: iOS
n Pushed page: iOS_en
– Windows
n Name: Windows
n Push different pages based on terminal OS: Windows PC
n Pushed page: Windows_en
Step 6 [Agile Controller-Campus] Add an access control device and connect it to the Agile
Controller-Campus through RADIUS.
Choose Resource > Device > Device Management to add an AC.
This example uses the default authentication rule that contains all authentication
protocols.
If a non-local data source is used for synchronization, such as the AD/LDAP server,
modify the default authentication rule or create an authentication rule.
2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result to configure authorization using an ACL.
The ACL number 3001 set in the ACL Number/AAA User Group area is the same as
that configured on the AC.
3. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule to configure an authorization rule.
----End
Verification
l Terminals running the Android OS
a. After a terminal associates with the Portal wireless network, the terminal can
access the patch server specified in the free-rule command. If the terminal accesses
any other website, it is redirected to the Portal authentication page for Android
terminals.
b. Download the network configuration tool (in the format of *.apk) on the Portal
authentication page and install the tool.
c. Enter the account and password on the network configuration tool and click Config.
The configuration for 802.1X certificate authentication will be automatically
completed. The terminal is automatically connected to the 802.1X wireless network
and you can access post-authentication domain resources.
l Terminals running the iOS
a. Connect the terminal to the Portal wireless network and access a web page. You are
redirected to the Portal authentication page configured for terminals running the
iOS.
b. Enter the account and password on the Portal authentication page for identity
authentication.
c. After the identity authentication succeeds, the Portal authentication success page is
automatically displayed. Download the configuration file in the format of
*.mobileconfig.
d. After the configuration file is installed, the system automatically completes
configuration for 802.1X certificate authentication. After manually connecting the
terminal to the 802.1X wireless network, you can access post-authentication domain
resources.
l Terminals running the Windows OS
a. Connect the terminal to the Portal wireless network and access a web page. You are
redirected to the Portal authentication page configured for terminals running the
Windows OS.
b. Download the network configuration tool (in the format of *.exe) on the Portal
authentication page and install the tool.
c. Enter the account and password on the network configuration tool and click Config.
The configuration for 802.1X certificate authentication will be automatically
completed. The terminal is automatically connected to the 802.1X wireless network
and you can access post-authentication domain resources.
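What the iOS configuration file in the flow above has to contain for the terminal to complete 802.1X certificate authentication safely, shown as an added example (not the profile generator or output of the Agile Controller-Campus, and not code from this page): a Python script that builds a minimal *.mobileconfig with a CA payload, a PKCS#12 user identity, and a Wi-Fi payload for the 802.1X SSID using EAP-TLS, then audits it for the settings that decide whether the supplicant will authenticate only against the enterprise RADIUS server. The payload identifiers, the server name radius.example.com, the CA and PKCS#12 placeholder bytes and the audit rules are assumptions for the example.

```python
"""Minimal iOS Wi-Fi profile for 802.1X EAP-TLS, of the kind the Boarding flow
delivers to iOS terminals as a *.mobileconfig file (added illustration)."""
from __future__ import annotations

import plistlib
import uuid

EAP_TLS = 13  # EAP method type for EAP-TLS (RFC 5216)

# Constructed placeholders, not real certificates: in a real profile these are the
# DER-encoded CA certificate and the user's PKCS#12 (certificate plus private key).
CA_DER_PLACEHOLDER = b"\x30\x03\x02\x01\x01"
USER_P12_PLACEHOLDER = b"\x30\x03\x02\x01\x03"


def _uuid() -> str:
    return str(uuid.uuid4()).upper()


def eap_tls_wifi_profile(ssid: str, user_p12: bytes, p12_password: str,
                         ca_der: bytes, radius_server_names: list[str],
                         org: str = "example.com") -> dict:
    """Three payloads: trusted CA, user identity, and the Wi-Fi network that uses
    them. The EAP settings pin the RADIUS server's certificate name and anchor so
    the supplicant does not complete EAP-TLS against a rogue AP that merely
    broadcasts the same SSID."""
    ca_uuid, id_uuid, wifi_uuid = _uuid(), _uuid(), _uuid()
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadIdentifier": f"{org}.ca.{ca_uuid}",
        "PayloadUUID": ca_uuid,
        "PayloadVersion": 1,
        "PayloadDisplayName": "Enterprise CA",
        "PayloadContent": ca_der,
    }
    identity_payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadIdentifier": f"{org}.identity.{id_uuid}",
        "PayloadUUID": id_uuid,
        "PayloadVersion": 1,
        "PayloadDisplayName": "802.1X user certificate",
        "PayloadContent": user_p12,
        "Password": p12_password,
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadIdentifier": f"{org}.wifi.{wifi_uuid}",
        "PayloadUUID": wifi_uuid,
        "PayloadVersion": 1,
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "PayloadCertificateUUID": id_uuid,          # client identity for EAP-TLS
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TLS],
            "TLSTrustedServerNames": radius_server_names,  # server-name pin
            "PayloadCertificateAnchorUUID": [ca_uuid],      # trust only this CA
            "TLSAllowTrustExceptions": False,               # no "trust anyway" prompt
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org}.boarding.wifi",
        "PayloadUUID": _uuid(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Boarding 802.1X Wi-Fi",
        "PayloadContent": [ca_payload, identity_payload, wifi_payload],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise as the XML plist iOS installs. Unsigned here; sign it for
    production so the device shows the profile as verified."""
    return plistlib.dumps(profile)


def audit_mobileconfig(data: bytes) -> list[str]:
    """Flag Wi-Fi payloads that would accept any RADIUS server: no server-name
    pin, no CA anchor, trust exceptions allowed, EAP-TLS or identity missing."""
    problems = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = payload.get("SSID_STR", "?")
        eap = payload.get("EAPClientConfiguration", {})
        if EAP_TLS not in eap.get("AcceptEAPTypes", []):
            problems.append(f"{ssid}: EAP-TLS not in AcceptEAPTypes")
        if not eap.get("TLSTrustedServerNames"):
            problems.append(f"{ssid}: TLSTrustedServerNames empty, RADIUS server not pinned")
        if not eap.get("PayloadCertificateAnchorUUID"):
            problems.append(f"{ssid}: no PayloadCertificateAnchorUUID, any installed CA is trusted")
        if eap.get("TLSAllowTrustExceptions", True):
            problems.append(f"{ssid}: TLSAllowTrustExceptions not disabled")
        if not payload.get("PayloadCertificateUUID"):
            problems.append(f"{ssid}: no client identity for EAP-TLS")
    return problems


if __name__ == "__main__":
    profile = eap_tls_wifi_profile("802.1X", USER_P12_PLACEHOLDER, "p12-pass",
                                   CA_DER_PLACEHOLDER, ["radius.example.com"])
    blob = to_mobileconfig(profile)
    print(blob.decode()[:300])
    print("problems:", audit_mobileconfig(blob))
```

The audit is the part worth keeping: a profile that omits TLSTrustedServerNames or the CA anchor still "works" for the user, but then any RADIUS certificate is accepted, which is exactly the condition a rogue AP with the same SSID needs to harvest the EAP-TLS handshake. The same applies to the CA's revocation checks on the server side, which is why the OCSP or CRL step above should not be skipped.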
Networking Requirements
An enterprise has deployed an authentication system to implement access control for all the
wireless users who attempt to connect to the enterprise network. Only authenticated users can
connect to the enterprise network. Enterprise employees connect to the network through
personal computers (PCs) and guests connect to the network through mobile phones. The
administrator has created local accounts for the employees so that they can use the local
accounts to pass authentication. For guest accounts, the system should satisfy the following
demands:
l All guests must associate with the Wi-Fi network whose SSID is guest to connect to the
Internet. Other SSIDs are not allowed.
l All guests can use their mobile phone number to obtain passwords to access the network.
After guests send their requests to obtain passwords, passwords are sent to the guests
through SMS messages.
l After the authentication succeeds, the web page requested by the guest before the
authentication is displayed automatically.
Data Plan
Item Data Description
SM + SC (RADIUS server + Portal server) IP address: 172.18.1.1 -
Number of the ACL for guests' post-authentication domain 3002 -
Configuration Roadmap
1. Configure the SMS server so that the system can send SMS messages properly.
2. Configure guest account policies. This example uses the default policy "self-
registration_obtaining passwords through mobile phones_8-hour validity period".
3. Customize the authentication page. The authentication page is automatically displayed if
an unauthenticated guest accesses the network.
4. Configure a Portal page push rule to push the customized authentication page to guests.
5. Add guest authorization results and authorization rules to assign access rights to guests
after they are successfully authenticated.
Prerequisites
Portal authentication configurations have been completed on the AC/switch and the Agile
Controller-Campus. For details, see configuration examples about Portal.
Procedure
Step 1 Enter https://172.18.1.1:8443 in the address box of a web browser to log in to the Service
Manager.
Step 2 Configure the SMS server so that the system can send SMS messages properly.
1. Choose System > Server Configuration > SMS Server Configuration.
2. Set parameters of the SMS server.
NOTE
If the SMS modem is used, no more than three guests can register per minute. If the number of
guests that need to register in a minute exceeds three, use the SMS gateway.
3. Click Test. The Test Succeeded message is displayed and the phone with the configured
mobile phone number receives a test SMS message.
4. Click Save.
Step 3 Configure guest account policies. Choose Policy > Permission Control > Guest
Management > Guest Account Policy.
This example uses the default policy "Self-registration_password through phones_valid for 8
hours". If the default policy cannot satisfy requirements, you can modify it or create a new
policy. Set the parameters marked in red rectangles according to the following figure.
Step 4 Customize the authentication page. The authentication page is automatically displayed if an
unauthenticated guest accesses the network.
1. Choose Policy > Permission Control > Page Customization > Page Customization.
2. Click the add button.
3. Configure basic information about the authentication page.
You must select Self Register and set Guest Account Policy to the policy created in
Step 3.
authentication, authentication success, and user notice pages. You can change logos as
required.
7. Click Publish.
If Delivery succeeded is displayed, page customization succeeds.
Step 5 Configure a Portal page push rule to push the customized authentication page to guests.
1. Choose Policy > Permission Control > Page Customization > Portal Page Push Rule.
Page displayed after successful authentication: Continue to visit the original page. The
value of the redirect-url field specified on the AC must be url. For details, see 4.19.12.8
How Do I Continue to Access the Original Page After Successful Portal Authentication?
3. Click OK.
Step 6 Add SSIDs to the Agile Controller-Campus for SSID-based user authorization.
1. Choose Policy > Permission Control > Policy Element > SSID.
2. Click Add, and add a guest SSID.
The case-sensitive SSID name must be the same as those configured on the AC.
Step 7 Add an authorization result and rule to allow guests to connect to the Internet after they are
successfully authenticated.
1. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result and specify resources that guests can access after being
authenticated and authorized.
2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and specify the authorization conditions for guests.
----End
Verification
1. A guest uses a mobile phone to connect to a Wi-Fi network. The guest selects the hotspot
guest to connect to the Internet. The authentication page is pushed to the guest.
2. The guest enters his or her mobile phone number and clicks Get Password.
The authentication password is sent to the guest's mobile phone.
3. The guest enters the mobile phone number and password and clicks Login. The web
page requested by the guest before the authentication is displayed automatically.
4. On the Service Manager, choose Resource > User > Online User Management. The
online information about the account is displayed.
5. On the Service Manager, choose Resource > User > RADIUS Log. The RADIUS
authentication logs of the account are displayed.
Networking Requirements
An enterprise has deployed an authentication system to implement access control for all the
wireless users who attempt to connect to the enterprise network. Only authenticated users can
connect to the enterprise network. Enterprise employees connect to the network through PCs
and guests connect to the network through mobile phones. The administrator has created local
accounts for the employees so that they can use the local accounts to pass authentication. For
guest accounts, the administrator needs to configure the Service Manager to enable guests to
complete authentication using GooglePlus, Facebook or Twitter accounts.
Data Plan
Item Data Description
Number of the ACL for guests' post-authentication domain 3002 -
Configuration Roadmap
1. Configure the Agile Controller-Campus to interconnect with the Google, Facebook, and
Twitter authentication servers.
2. Customize authentication pages. The authentication page is automatically displayed if an
unauthenticated guest attempts to connect to the network.
3. Customize the portal page push rule to push the customized authentication page to
guests.
4. Configure social media as external authentication sources and add authorization results
and authorization rules to grant different access rights to guests after they are
successfully authenticated.
Prerequisites
1. Portal authentication configurations have been completed on the AC/switch and the
Agile Controller-Campus. For details, see configuration examples about Portal. Pay
attention to the following points during the configuration:
a. When configuring the Portal server's URL in the URL template, set a URL in the
domain name format.
[AC] url-template name huawei
[AC-url-template-huawei] url http://Portal server's domain name:8080/portal
[AC-url-template-huawei] quit
b. A free rule has been configured on the AC/switch to permit social media website
addresses. This ensures that guests' terminals can access the social media
authentication page before passing authentication.
n Access to authentication-free resources is permitted by the domain name on
the AC/switch. You need to permit guests to access the following domain
names before passing authentication.
○ Google server: www.googleapis.com and apis.google.com
○ Facebook server: connect.facebook.net
○ Twitter server: api.twitter.com, abs.twimg.com, mobile.twitter.com and
twitter.com
n If the AC/switch cannot permit access to authentication-free resources by the
domain name, run the nslookup complete host name command in the CLI to
view the IP address matching the host name, and then permit the destination
server by the IP address.
c. If the enterprise uses its own DNS server and an access control device is used as the
DHCP server, you must configure the DNS server address on the VLANIF interface
of the access control device that communicates with terminals.
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.0.1 255.255.255.0
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server dns-list 172.18.1.2 //Configure the DNS server address. 172.18.1.2 is only used as an example.
[AC-Vlanif101] quit
2. The social media server and Agile Controller-Campus server are reachable to each other.
Procedure
Step 1 Configure the interconnection with the Google authentication server.
1. Apply for a googlePlus account.
To enable end users to use googlePlus accounts for guest identity authentication,
enterprises must request their own googlePlus accounts from Google to obtain the
authorization information from Google.
a. Open the Web browser.
b. Enter https://accounts.google.com/SignUp?service=oz&continue=https://plus.google.com/?hl=en-us&gpsrc=gplp0&hl=en-us in the address box.
c. Register an account.
2. Create the googlePlus application.
a. Enter https://console.developers.google.com/project in the address box. On the
page that is displayed, log in using a Google account, and click Create Project.
f. Click Go to Credentials.
i. Set Email address and Product name shown to users, and click Continue.
j. Click Done.
k. On the Credentials page, click New credentials, and select API key.
m. Set the API key name, and click Create. The created API key is displayed.
c. Enter a project name, and click Create New Facebook App ID.
d. Set Contact Email, set Category to Utilities, and click Create App ID.
e. Click Skip Quick Start to skip the quick start wizard and access the application
configuration page.
f. Click Add Product in the navigation tree, then click Get Started under Facebook
Login.
NOTE
Ensure that Deauthorize Callback URL and Valid OAuth redirect URIs use the same address
format. The domain name format is recommended. If one field is set to the IP address
format while the other is set to the domain name format, a configuration error may
occur. If the IP address format is used, you are advised to use the network segment
192.168.x.x but not the segments 10.x.x.x or 172.x.x.x. Otherwise, the configuration may
fail.
h. Click Save changes.
i. Choose Settings > Basic, and save the App ID and App Secret of the corresponding
application. You need to set the two parameters when performing the related configuration
on the Agile Controller-Campus.
Parameter      Value
Name           authtest10001
Description    authtest10001
d. Click Settings, select Allow this application to be used to Sign in with Twitter,
and click Update Settings.
Parameter      Value
App ID         *****************
Client ID      *****************
Role           guest
3. Click Next and select the page template and language template.
4. Click Next and customize Authentication Page, Authentication Success Page, and
User Notice Page.
5. Click Publish.
1. Choose Policy > Permission Control > Page Customization > Portal Page Push Rule
and click Add.
2. Click OK.
Step 7 Add SSIDs to the Agile Controller-Campus for SSID-based user authorization.
1. Choose Policy > Permission Control > Policy Element > SSID.
2. Click Add, and add a guest SSID.
The case-sensitive SSID name must be the same as those configured on the AC.
Parameter Value
2. Click OK.
Parameter                      Value
ACL Number/AAA User Group      3002 (It has been configured on the switch. The ACL
                               determines the network resources that the user can
                               access after successful authentication.)
2. Click OK.
3. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule. Click Add.
Parameter Value
4. Click OK.
----End
Verification
1. A guest uses a mobile phone to connect to the Wi-Fi hotspot whose SSID is guest. The
guest authentication page is pushed to the mobile phone.
2. On the authentication page, the guest presses the icon matching the guest's account type
and the web browser opens the corresponding website.
3. The guest enters the user name and password and presses Authentication. After
successful authentication, the user can visit the Internet.
4. On the Service Manager, choose Resource > User > Online User Management. The
online information about the account is displayed.
5. On the Service Manager, choose Resource > User > RADIUS Log. The RADIUS
authentication logs of the account are displayed.
Networking Requirements
An enterprise has deployed an identity authentication system to implement access control for
all the wireless users who attempt to connect to the enterprise network. Only authenticated
users can connect to the enterprise network. To allow guests to access the network in the
enterprise exhibition hall, system administrators can post a public QR code in public areas in
the exhibition hall, so that guests can access the network by scanning the public QR code.
Data Plan
l SM + SC (RADIUS server + Portal server): IP address 172.18.1.1
l Number of the ACL for guests' post-authentication domain: 3002
Configuration Roadmap
1. Enable public QR code authentication.
2. Configure a guest account policy for creating public QR codes.
3. Create and export a public QR code. Print and post it in public areas where guests can
scan it to connect to the network.
4. Customize authentication and authentication success pages. After guests pass
authentication by scanning the public QR code, the authentication success page is
automatically displayed.
5. Customize a Portal page push rule to push the customized authentication page to guests.
6. Add guest authorization results and authorization rules to assign access permission to
guests after they are authenticated.
Prerequisites
Portal authentication has been configured on the AC/switch and the Agile Controller-Campus.
For details, see configuration examples about Portal.
NOTE
When you configure URL parameters in the URL template, a value must be set for redirect-url;
otherwise, the Agile Controller-Campus fails to interconnect with the AC/switch. The recommended
value is url.
[AC] url-template name huawei
[AC-url-template-huawei] url-parameter redirect-url url
[AC-url-template-huawei] url http://172.18.1.1:8080/portal
[AC-url-template-huawei] quit
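As an added example (not from the Huawei guide or from Agile Controller-Campus code), the Python below shows both sides of the redirect-url parameter configured in the URL template above: the shape of the redirect the AC sends the guest to, carrying the originally requested page in the url parameter, and a Portal-side check that validates that parameter before using it as the post-authentication landing page. PORTAL_URL and the parameter name come from the url-template above; FALLBACK_URL, the sample hosts and the exact query encoding the AC uses are assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# From the guide's url-template: the Portal URL and the name of the URL
# parameter that carries the page the guest originally requested.
PORTAL_URL = "http://172.18.1.1:8080/portal"
REDIRECT_PARAM = "url"                      # url-parameter redirect-url url

# Constructed landing page used whenever the carried URL cannot be trusted.
FALLBACK_URL = "https://welcome.example.com/"


def build_portal_redirect(original_url, portal_url=PORTAL_URL, param=REDIRECT_PARAM):
    """Shape of the redirect the AC builds for an unauthenticated guest
    (the AC's exact encoding is assumed): Portal URL plus the original
    request URL in the redirect-url parameter."""
    return f"{portal_url}?{urlencode({param: original_url})}"


def post_auth_target(portal_request_url, allowed_hosts=None, fallback=FALLBACK_URL):
    """Portal side: decide where to send the guest after authentication.
    The carried URL arrives from the client and can be altered in transit
    or in a shared link, so it is validated before being used as a redirect."""
    values = parse_qs(urlsplit(portal_request_url).query).get(REDIRECT_PARAM, [])
    if not values:
        return fallback
    parts = urlsplit(values[0])
    if parts.scheme not in ("http", "https"):            # rejects javascript:, data:, ...
        return fallback
    if not parts.hostname or parts.username or parts.password:
        return fallback                                   # rejects "//host" and "http://x@host"
    if allowed_hosts is not None and parts.hostname.lower() not in allowed_hosts:
        return fallback
    # Drop the fragment; keep scheme, host:port, path and query.
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", parts.query, ""))
```

With allowed_hosts left at None the check only enforces a well-formed http/https URL with no embedded credentials; passing a set of intranet host names tightens it to the post-authentication domain.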
Procedure
Step 1 Enter https://172.18.1.1:8443 in the address box of a web browser to log in to the Service
Manager.
Step 2 Enable public QR code authentication.
You can use the Guest Management navigation to complete this step and the subsequent steps.
Choose Policy > Permission Control > Guest Management > Quick Start, set Guest
Account Management Mode to Public QR Code, and click Navigation. Complete the
configuration by following the navigation. The following example illustrates how to use the
GUI menus to open the configuration page and complete the configuration.
1. Choose Policy > Permission Control > Guest Management > Parameter Setting.
2. Click the Set Public QR Code Parameters tab.
3. Enable Public QR Code and set public QR code parameters.
URL prefix in the link: http://192.168.1.1
Use an IP address but not a domain name to specify the URL prefix. The URL prefix is
only used to trigger Portal authentication. The IP address of a post-authentication
domain can be used as the URL prefix. In other words, an IP address that guests cannot
access before authentication can be used as the URL prefix.
4. Click OK.
Step 3 Configure a guest account policy for creating public QR codes.
1. Choose Policy > Permission Control > Guest Management > Guest Account Policy.
2. Click Add.
3. Configure a guest account policy.
Account Fields: Click Edit, select the Location field, and deselect the other fields.
When creating a public QR code, enter information about the attribute fields that are
selected here. In this example, the Location field is selected. (The attribute fields
of a public QR code account are displayed.)
4. Click OK.
Step 4 Create a public QR code.
1. Choose Policy > Permission Control > Guest Management > Guest Account
Management.
2. Click Add to create a public QR code.
3. Set Account policy to the guest account policy configured in Step 3.
4. Click Export Barcode to export the public QR code to a local directory. Print and post it
in public areas.
Step 5 Customize authentication and authentication success pages.
After a guest connects to a Wi-Fi network and scans the public QR code, the authentication
page is automatically displayed to authenticate the guest.
1. Choose Policy > Permission Control > Page Customization > Page Customization.
2. Click .
3. Configure basic information about the authentication page.
Push pages using HTTPS: Deselect it.
If you want to allow guests to use WeChat to scan the public QR code for
authentication, you need to purchase a server certificate issued by a CA to replace
the default server certificate. For details, see 4.19.12.7 Server Certificate Importing
Tool. Otherwise, deselect Push pages using HTTPS to ensure that guests can use WeChat
to scan the public QR code.
4. Click Next and set the page template and language template.
3. Click OK.
Step 7 Add SSIDs to the Agile Controller-Campus for SSID-based user authorization.
1. Choose Policy > Permission Control > Policy Element > SSID.
2. Click Add, and add a guest SSID.
The case-sensitive SSID name must be the same as those configured on the AC.
Step 8 Add an authorization result and rule to allow guests to connect to the Internet after they are
successfully authenticated.
1. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result and specify resources that guests can access after being
authenticated and authorized.
2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and specify the authorization conditions for guests.
----End
Verification
1. A guest uses a mobile phone to connect to the Wi-Fi hotspot whose SSID is guest.
Before scanning the public QR code, the guest needs to connect to the Wi-Fi hotspot for
public QR code authentication. Scanning a public QR code only triggers authentication
and authorization. It is recommended that the following information be added on the
upper side of the public QR codes posted in public areas: Connect to the Wi-Fi network
before scanning the public QR code for authentication.
2. The guest scans the public QR code posted in public areas.
NOTE
The customized public QR code authentication page is pushed only after the guest scans the public
QR code. If a guest does not scan the public QR code after connecting to the Wi-Fi network, the
guest is authenticated based on the Portal authentication process. The system matches Portal page
push rules by priority and pushes the matched authentication page but not the public QR code
authentication page to the guest.
3. The terminal automatically initiates an authentication request after the guest successfully
scans the public QR code.
If a blank page is displayed after the guest scans the public QR code using WeChat, the
possible causes are as follows:
– During customization of the authentication page, the administrator selects Push
pages using HTTPS but does not buy a trusted server certificate.
Guests can use another scanning tool to scan the public QR code for authentication.
Alternatively, the administrator re-customizes the public QR code authentication
page. During the customization, the administrator needs to deselect Push pages
using HTTPS and specify the new customized authentication page in the Portal
page push rule.
– If the guest has passed public QR code authentication and scans it again, a blank
page is displayed.
Choose Resource > User > Online User Management to check whether the
terminal is online using the public QR code account.
4. After the authentication succeeds, the authentication success page is displayed.
If the authentication fails, choose Resource > User > RADIUS Log to check RADIUS
authentication logs. Check causes of the authentication failure and whether the
authentication rule and authorization rule are correctly configured.
5. After the authentication succeeds, the guest can access the Internet.
6. On the Service Manager, choose Resource > User > Online User Management. The
online information about the public QR code account is displayed.
7. On the Service Manager, choose Resource > User > RADIUS Log. The RADIUS
authentication logs of the public QR code account are displayed.
NOTE
The same account (public QR code account) is displayed on the Service Manager for all guests
who scan the same public QR code for authentication.
Networking Requirements
To meet service requirements, a company needs to deploy an identity authentication system to
implement access control for all employees who attempt to connect to the enterprise network
in wireless mode. Only authenticated users can connect to the enterprise network.
The company has the following requirements:
l The network must be reliable because all employees need to connect to the wireless
network for work and Internet access.
l A unified identity authentication mechanism is used to authenticate all terminals
accessing the enterprise network and deny access to the enterprise network and Internet
from unauthorized terminals.
Requirement Analysis
Based on user requirements, networking design is performed as follows:
l Reliability
– AC1 and AC2 are connected to S7700A and S7700B in bypass mode, respectively.
A VRRP group is configured between AC1 and AC2, and HSB is used to determine
the active and standby ACs.
– A VRRP group is configured between S7700A and S7700B to improve reliability.
– Eth-Trunks are used to connect aggregation switches and access switches, ACs and
core switches, and ACs.
– The Agile Controller-Campus is deployed in 1+2 (one SM + two SCs) mode to
ensure reliability of the authentication server.
l Internetworking
The aggregation switch is configured as a DHCP server to assign IP addresses to APs.
Core switches serve as DHCP servers to assign IP addresses to employees and guests.
VLAN Plan
VLAN ID Function
Server    SM + SC    172.22.10.2    -
          SC         172.22.10.3    -
l Accounting interval: 15 minutes
l Account: tony
l Password: Admin@123
Prerequisites
You have connected core router interfaces at 172.22.20.2/24 and 172.23.20.2/24 to S7700A
and S7700B, respectively.
Configuration Roadmap
NOTE
The active and standby nodes do not synchronize VRRP HSB configurations. Therefore, all operations must
be performed on both the active and standby nodes.
1. Configure the access switch, aggregation switch, core switches, and ACs to ensure
network connectivity and reliability.
Procedure
Step 1 [Device] Configure the access switch S2750EI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan batch 100 101 //Create VLAN 100 and VLAN 101 in a batch.
[S2700] interface gigabitethernet 0/0/1 //Enter the view of the interface
connected to an AP.
[S2700-GigabitEthernet0/0/1] port link-type trunk //Change the link type of
gigabitethernet0/0/1 to trunk.
[S2700-GigabitEthernet0/0/1] port trunk pvid vlan 100 //Set the default VLAN of
gigabitethernet0/0/1 to VLAN 100.
[S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 //Add
gigabitethernet0/0/1 to VLAN 100 and VLAN 101.
[S2700-GigabitEthernet0/0/1] quit
[S2700] interface gigabitethernet 0/0/4 //Enter the view of the interface
connected to another AP.
[S2700-GigabitEthernet0/0/4] port link-type trunk //Change the link type of
gigabitethernet0/0/4 to trunk.
[S2700-GigabitEthernet0/0/4] port trunk pvid vlan 100 //Set the default VLAN of
gigabitethernet0/0/4 to VLAN 100.
[S2700-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101 //Add
gigabitethernet0/0/4 to VLAN 100 and VLAN 101.
[S2700-GigabitEthernet0/0/4] quit
Step 2 [Device] Configure the aggregation switch S5720HI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S5720HI
[S5720HI] dhcp enable //Enable the DHCP service.
[S5720HI] vlan batch 100 101 //Create VLAN 100 and VLAN 101 in a batch.
[S5720HI] interface vlanif 100 //Enter the view of VLANIF 100.
[S5720HI-Vlanif100] ip address 172.18.10.4 24 //Configure an IP address for
VLANIF 100 as the APs' gateway.
[S5720HI-Vlanif100] dhcp select interface
[S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.1 172.18.10.3 //Exclude IP addresses in use from the DHCP address pool.
[S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.5 172.18.10.6
[S5720HI-Vlanif100] quit
Step 3 [Device] Configure the core switch S7700A to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700A
[S7700A] vlan batch 100 101 103 //Create VLAN 100, VLAN 101, and VLAN 103 in a
batch.
[S7700A-GigabitEthernet1/0/5] quit
[S7700A] interface vlanif 103
[S7700A-Vlanif103] ip address 172.22.20.1 24
[S7700A-Vlanif103] quit
[S7700A] ip route-static 0.0.0.0 0 172.22.20.2
[S7700A] quit
<S7700A> save //Save the configuration.
Step 4 [Device] Configure the core switch S7700B to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700B
[S7700B] vlan batch 100 101 103 //Create VLAN 100, VLAN 101, and VLAN 103 in a
batch.
# On VLANIF 101 of S7700B, create VRRP group 1 and set the priority of S7700B in the
VRRP group to 100.
<S7700B> system-view
[S7700B] interface vlanif 101
[S7700B-Vlanif101] vrrp vrid 1 virtual-ip 172.19.10.1
[S7700B-Vlanif101] quit
# Configure a default route for AC1 so that packets are forwarded to core switches by default.
# On AC2, configure network connectivity, create Eth-Trunk 1 and Eth-Trunk 2, and add Eth-
Trunk 1 to VLAN 100 and Eth-Trunk 2 to VLAN 104. Add GE0/0/1 and GE0/0/2 connecting
AC2 to S7700B to Eth-Trunk 1, and GE0/0/3 and GE0/0/4 connecting AC2 to AC1 to Eth-
Trunk 2.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101 104
[AC2] interface eth-trunk 1
[AC2-Eth-Trunk1] port link-type trunk
[AC2-Eth-Trunk1] port trunk allow-pass vlan 100
[AC2-Eth-Trunk1] trunkport GigabitEthernet 0/0/1 0/0/2 //Add GE0/0/1 and GE0/0/2
connected to the core switch S7700B to Eth-Trunk 1.
[AC2-Eth-Trunk1] quit
[AC2] interface eth-trunk 2
[AC2-Eth-Trunk2] port link-type trunk
[AC2-Eth-Trunk2] port trunk allow-pass vlan 104
[AC2-Eth-Trunk2] trunkport GigabitEthernet 0/0/3 0/0/4 //Add GE0/0/3 and GE0/0/4
connected to AC1 to Eth-Trunk 2.
[AC2-Eth-Trunk2] quit
# Configure a default route for AC2 so that packets are forwarded to core switches by default.
[AC2] ip route-static 0.0.0.0 0 172.18.10.6
# Create a management VRRP group on AC1. Set the priority of AC1 in the VRRP group to
120 and preemption delay to 1200s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 172.18.10.1 //Configure a virtual IP
address for the management VRRP group.
[AC1-Vlanif100] vrrp vrid 1 priority 120 //Set the priority of AC1 in the VRRP
group.
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1200 //Set the preemption
delay for AC1 in the VRRP group.
[AC1-Vlanif100] admin-vrrp vrid 1 //Configure vrid 1 as the mVRRP group.
[AC1-Vlanif100] quit
# Create HSB service 0 on AC1. Configure the IP addresses and port numbers for the active
and standby channels. Set the retransmission time and interval of HSB service 0.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.10.11.1 peer-ip 10.10.11.2 local-
data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit
# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management VRRP
group.
[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit
# Enable HSB.
[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit
# Create HSB service 0 on AC2. Configure the IP addresses and port numbers for the active
and standby channels. Set the retransmission time and interval of HSB service 0.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.10.11.2 peer-ip 10.10.11.1 local-
data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit
# Create HSB group 0 on AC2 and bind it to HSB service 0 and the management VRRP
group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit
[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit
# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status.
The value of the Service State field is Connected, indicating that the active and standby HSB
channels have been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.1
Peer IP Address : 10.10.11.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.2
Peer IP Address : 10.10.11.1
Source Port : 10241
# Run the display hsb-group 0 command on AC1 and AC2 to check the HSB group status.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Type : AC6605
Peer Group Software Version : V200R006C20
Group Backup Modules : Access-user
AP
DHCP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Type : AC6605
Peer Group Software Version : V200R006C20
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
Step 11 [Device] On the ACs, configure a RADIUS server template, and configure authentication,
accounting, and authorization schemes in the template. In this way, the ACs can communicate
with the RADIUS server.
# On AC1, configure a RADIUS server template, and configure authentication, accounting,
and authorization schemes in the template.
[AC1] radius-server template radius_template
[AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 source
ip-address 172.18.10.1 weight 80 //Configure a primary RADIUS authentication
server with a higher weight than that of the secondary authentication server.
Set the authentication port to 1812 and the source IP address used to communicate with
the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server authentication 172.22.10.3 1812 source
ip-address 172.18.10.1 weight 40 //Configure a secondary RADIUS authentication
server with a lower weight than that of the primary authentication server.
Set the authentication port to 1812 and the source IP address used to communicate with
the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.2 1813 source ip-
address 172.18.10.1 weight 80 //Configure a primary RADIUS accounting server
with a higher weight than that of the secondary accounting server to obtain user
login and logout information.
Set the accounting port to 1813 and the source IP address used to communicate with the
RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.3 1813 source ip-
address 172.18.10.1 weight 40 //Configure a secondary RADIUS accounting server
with a lower weight than that of the primary accounting server to obtain user
NOTE
The accounting realtime command sets the real-time accounting interval. A short real-time accounting
interval requires high performance of the device and RADIUS server. Set a real-time accounting interval
based on the user quantity.
Number of Users    Real-Time Accounting Interval
1 to 99            3 minutes
≥ 1000             ≥ 15 minutes
# Create an AP group to which APs with the same configuration can be added.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name domain1
[AC1-wlan-regulatory-domain-prof-domain1] country-code cn
[AC1-wlan-regulatory-domain-prof-domain1] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
# Import the AP offline on the AC and add the AP to the AP group ap-group1.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name ap_0
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC1-wlan-ap-1] ap-name ap_1
[AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC1-wlan-ap-1] quit
[AC1-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC1] display ap all
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------------------
ID MAC            Name  Group    IP             Type          State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 ap_0  ap_group 172.18.10.254  AP6010DN-AGN  nor   0   10S
1  60de-4476-e380 ap_1  ap_group 172.18.10.253  AP6010DN-AGN  nor   0   20S
-------------------------------------------------------------------------------------
Total: 2
Step 13 [Device] Configure wireless 802.1X authentication on AC1. The 802.1X authentication
configuration of AC2 is the same as that of AC1 and is not provided here.
The following figure shows the process of configuring wireless 802.1X authentication.
1. Configure an access profile.
An access profile defines the 802.1X authentication protocol and packet processing parameters. By
default, EAP authentication is used.
[AC1] dot1x-access-profile name acc_dot1x
[AC1-dot1x-access-profile-acc_dot1x] quit
2. Configure an authentication profile.
Specify the user access mode in the authentication profile through the access profile.
Bind the RADIUS authentication scheme, accounting scheme, and server template to the
authentication profile so that RADIUS authentication is used.
[AC1] authentication-profile name auth_dot1x
[AC1-authentication-profile-auth_dot1x] dot1x-access-profile acc_dot1x
[AC1-authentication-profile-auth_dot1x] authentication-scheme auth_scheme
[AC1-authentication-profile-auth_dot1x] accounting-scheme acco_scheme
[AC1-authentication-profile-auth_dot1x] radius-server radius_template
[AC1-authentication-profile-auth_dot1x] quit
3. Set wireless 802.1X authentication parameters.
# Create the security profile security_dot1x and set the security policy in the profile.
[AC1] wlan
[AC1-wlan-view] security-profile name security_dot1x
[AC1-wlan-sec-prof-security_dot1x] security wpa2 dot1x aes
[AC1-wlan-sec-prof-security_dot1x] quit
# Create the SSID profile wlan-ssid and set the SSID name to employee.
[AC1-wlan-view] ssid-profile name wlan-ssid
[AC1-wlan-ssid-prof-wlan-ssid] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid] quit
# Create the VAP profile wlan-vap, configure the service data forwarding mode and
service VLAN, and apply the security, SSID, and authentication profiles to the VAP
profile.
[AC1-wlan-view] vap-profile name wlan-vap
[AC1-wlan-vap-prof-wlan-vap] forward-mode direct-forward //Configure direct
forwarding
[AC1-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap] security-profile security_dot1x
[AC1-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC1-wlan-vap-prof-wlan-vap] authentication-profile auth_dot1x
[AC1-wlan-vap-prof-wlan-vap] quit
# Bind the VAP profile wlan-vap to the AP group ap-group1, and apply the VAP profile
to radio 0 and radio 1 of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
Step 14 [Device] Configure resources accessible to users after successful authentication on AC1 and
AC2. In this example, all resources are configured as accessible after successful
authentication.
[AC1] acl 3001
[AC1-acl-adv-3001] rule 1 permit ip
[AC1-acl-adv-3001] quit
Step 15 [Agile Controller-Campus] Add the AC to the Service Manager to enable the Agile
Controller-Campus to manage the AC.
1. Choose Resource > Device > Device Management.
2. Click Add.
3. Configure parameters for the AC.
Name AC -
4. Click OK.
Step 16 Configure authentication and authorization.
1. Optional: Choose Policy > Permission Control > Authentication & Authorization >
Authentication Rule, and modify the default authentication rule or create an
authentication rule.
By default, an authentication rule takes effect only on the local data source. If a third-
party data source such as AD data source is used, modify the default authentication rule
or create an authentication rule, and select the authentication data source correctly.
2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and add an authorization ACL.
The ACL number must be the same as that configured on the authentication control
device.
3. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and bind the authorization result to specify resources accessible to
users after successful authentication.
----End
Verification
Employee authentication:
l Use a mobile phone to associate with the SSID employee, and enter an AD domain user
name and password.
l After successful authentication, you can access Internet resources successfully.
l Run the display access-user and display access-user user-id user-id commands on
AC1 to view detailed online user information.
l Choose Resource > User > RADIUS Log on the Agile Controller-Campus to view RADIUS
logs.
AC1 power-off: Services are automatically switched to AC2, without affecting employee
authentication. The process is not detected by user terminals.
SC power-off: After the network cable of a Service Controller, employees are re-
authenticated and go online. Their access rights are normal.
Networking Requirements
A company has about 2000 employees and needs to deploy an authentication system to
implement access control for all the wireless users who attempt to connect to the enterprise
network. Only authenticated users can connect to the enterprise network.
Figure 4-96 Networking of Portal authentication for wireless users in HSB mode
Requirement Analysis
The company has no specific requirement on terminal security check and requires simple
operations, without a need to install authentication clients on wireless terminals. Considering
the networking and requirements of the company, Portal authentication can be used on the
campus network.
VLAN Plan
VLAN ID Function
l Number of the ACL for guests' post-authentication domain: 3002 (You need to enter
this ACL number when configuring authorization rules and results on the Agile
Controller-Campus.)
l SSID of the guest area: guest
l Accounting interval: 15 minutes
Portal server:
l Primary IP address: 172.22.10.2
l Secondary IP address: 172.22.10.3
l Port number that the AC uses to listen on Portal protocol packets: 2000
l Destination port number in the packets that the AC sends to the Portal server: 50200
l Shared key: Admin@123
l Encryption key for the URL parameters that the AC sends to the Portal server: Admin@123
Agile Controller-Campus:
l Host name1: access1.example.com
l Host name2: access2.example.com
(Users can use the domain name to access the Portal server.)
l Authentication port: 1812
l Post-authentication domain for guests: Internet
Prerequisites
You have connected core router interfaces at 172.22.20.2/24 and 172.23.20.2/24 to S7700A
and S7700B, respectively.
Configuration Roadmap
1. Configure the access switches, aggregation switch, core switches, and ACs to implement
interworking on the network.
2. On the ACs, configure a RADIUS server template, configure authentication, accounting,
and authorization schemes in the template, and specify the IP addresses of Portal servers.
In this way, the ACs can communicate with RADIUS servers and Portal servers.
3. Add ACs to the Service Manager and configure parameters for the ACs to ensure that the
Agile Controller-Campus can manage the ACs.
4. Add authorization results and rules to grant different access rights to employees and
guests after they are successfully authenticated.
Procedure
Step 1 [Device] Configure the access switch S2750EI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan batch 100 101 //Create VLAN 100 and VLAN 101 in a batch.
[S2700] interface gigabitethernet 0/0/1 //Enter the view of the interface
connected to an AP.
[S2700-GigabitEthernet0/0/1] port link-type trunk //Change the link type of
gigabitethernet0/0/1 to trunk.
[S2700-GigabitEthernet0/0/1] port trunk pvid vlan 100 //Set the default VLAN of
gigabitethernet0/0/1 to VLAN 100.
[S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 //Add
gigabitethernet0/0/1 to VLAN 100 and VLAN 101.
[S2700-GigabitEthernet0/0/1] quit
[S2700] interface gigabitethernet 0/0/4 //Enter the view of the interface
connected to another AP.
[S2700-GigabitEthernet0/0/4] port link-type trunk //Change the link type of
gigabitethernet0/0/4 to trunk.
[S2700-GigabitEthernet0/0/4] port trunk pvid vlan 100 //Set the default VLAN of
gigabitethernet0/0/4 to VLAN 100.
[S2700-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101 //Add
gigabitethernet0/0/4 to VLAN 100 and VLAN 101.
[S2700-GigabitEthernet0/0/4] quit
Step 2 [Device] Configure the aggregation switch S5720HI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S5720HI
[S5720HI] dhcp enable //Enable the DHCP service.
[S5720HI] vlan batch 100 101 //Create VLAN 100 and VLAN 101 in a batch.
[S5720HI] interface vlanif 100 //Enter the view of VLANIF 100.
[S5720HI-Vlanif100] ip address 172.18.10.4 24 //Configure an IP address for
VLANIF 100 as the APs' gateway.
[S5720HI-Vlanif100] dhcp select interface
[S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.1 172.18.10.3 //
Exclude IP addresses in use from the DHCP address pool.
[S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.5 172.18.10.6
[S5720HI-Vlanif100] quit
Step 3 [Device] Configure the core switch S7700A to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700A
[S7700A] vlan batch 100 to 103 //Create VLAN 100, VLAN 101, VLAN 102, and VLAN
103 in a batch.
Step 4 [Device] Configure the core switch S7700B to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700B
[S7700B] vlan batch 100 to 103 //Create VLAN 100, VLAN 101, VLAN 102, and VLAN
103 in a batch.
[S7700B-GigabitEthernet1/0/5] quit
[S7700B] interface vlanif 103
[S7700B-Vlanif103] ip address 172.23.20.1 24
[S7700B-Vlanif103] quit
[S7700B] ip route-static 0.0.0.0 0 172.23.20.2
[S7700B] quit
<S7700B> save //Save the configuration.
# On VLANIF 102 of S7700A, create VRRP group 2, set the priority of S7700A in the VRRP
group to 120 and preemption delay to 20s, and configure the virtual IP address of VRRP
group 2 as the guest gateway address.
[S7700A] interface vlanif 102
[S7700A-Vlanif102] vrrp vrid 1 virtual-ip 172.20.10.1
[S7700A-Vlanif102] vrrp vrid 1 priority 120
[S7700A-Vlanif102] vrrp vrid 1 preempt-mode timer delay 20
[S7700A-Vlanif102] quit
[S7700A] quit
<S7700A> save //Save the configuration.
# On VLANIF 101 of S7700B, create VRRP group 1 and set the priority of S7700B in the
VRRP group to 100.
<S7700B> system-view
[S7700B] interface vlanif 101
[S7700B-Vlanif101] vrrp vrid 1 virtual-ip 172.19.10.1
[S7700B-Vlanif101] quit
# On VLANIF 102 of S7700B, create VRRP group 2 and set the priority of S7700B in the
VRRP group to 100.
[S7700B] interface vlanif 102
[S7700B-Vlanif102] vrrp vrid 1 virtual-ip 172.20.10.1
[S7700B-Vlanif102] quit
[S7700B] quit
<S7700B> save //Save the configuration.
# Configure a default route for AC1 so that packets are forwarded to core switches by default.
[AC1] ip route-static 0.0.0.0 0 172.18.10.5
# On AC2, configure network connectivity, create Eth-Trunk 1 and Eth-Trunk 2, and add Eth-
Trunk 1 to VLAN 100 and Eth-Trunk 2 to VLAN 104. Add GE0/0/1 and GE0/0/2 connecting
AC2 to S7700B to Eth-Trunk 1, and GE0/0/3 and GE0/0/4 connecting AC2 to AC1 to Eth-
Trunk 2.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101 102 104
[AC2] interface eth-trunk 1
[AC2-Eth-Trunk1] port link-type trunk
[AC2-Eth-Trunk1] port trunk allow-pass vlan 100
[AC2-Eth-Trunk1] trunkport GigabitEthernet 0/0/1 0/0/2 //Add GE0/0/1 and GE0/0/2
connected to the core switch S7700B to Eth-Trunk 1.
[AC2-Eth-Trunk1] quit
[AC2] interface eth-trunk 2
[AC2-Eth-Trunk2] port link-type trunk
[AC2-Eth-Trunk2] port trunk allow-pass vlan 104
[AC2-Eth-Trunk2] trunkport GigabitEthernet 0/0/3 0/0/4 //Add GE0/0/3 and GE0/0/4
connected to AC1 to Eth-Trunk 2.
[AC2-Eth-Trunk2] quit
# Configure a default route for AC2 so that packets are forwarded to core switches by default.
[AC2] ip route-static 0.0.0.0 0 172.18.10.6
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name domain1
[AC1-wlan-regulatory-domain-prof-domain1] country-code cn
[AC1-wlan-regulatory-domain-prof-domain1] quit
# Import the AP offline on the AC and add the AP to the AP group. This example assumes
that the AP type is AP6010DN-AGN, and the MAC addresses of AP_0 and AP_1 are
60de-4476-e360 and 60de-4476-e380 respectively.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name ap_0
[AC1-wlan-ap-0] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC1-wlan-ap-1] ap-name ap_1
[AC1-wlan-ap-1] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC1-wlan-ap-1] quit
[AC1-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC1] display ap all
Total AP information:
nor : normal [2]
----------------------------------------------------------------------------------
---
ID MAC Name Group IP Type State STA
Uptime
----------------------------------------------------------------------------------
---
0 60de-4476-e360 ap_0 ap_group 172.18.10.254 AP6010DN-AGN nor 0 20S
1 60de-4476-e380 ap_1 ap_group 172.18.10.253 AP6010DN-AGN nor 0 10S
----------------------------------------------------------------------------------
---
Total: 2
The configuration procedure for AC2 is the same as that for AC1, and details are not provided
here.
Step 8 [Device] Configure interconnection parameters for the AC and RADIUS server as well as the
AC and Portal server, so that the AC can associate with the RADIUS and Portal servers.
# On AC1, configure a RADIUS server template, and configure authentication, accounting,
and authorization schemes in the template.
[AC1] radius-server template radius_template
[AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 source
ip-address 172.18.10.1 weight 80 //Configure a primary RADIUS authentication
server with a higher weight than that of the secondary authentication server.
Set the authentication port to 1812 and the source IP address used to communicate with
the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server authentication 172.22.10.3 1812 source
NOTE
The accounting realtime command sets the real-time accounting interval. A short real-time accounting interval requires high performance of the device and RADIUS server. Set a real-time accounting interval based on the user quantity:
1 to 99 users: 3 minutes
≥ 1000 users: ≥ 15 minutes
# Check whether a user can use a RADIUS template for authentication. (User name test and
password Admin_123 have been configured on the RADIUS server.)
[AC1] test-aaa test Admin_123 radius-template radius_template pap //Test the RADIUS server template configured above.
Info: Account test succeed.
2. Configure parameters carried in the URL, which must be the same as those on the
authentication server.
[AC1-url-template-huawei1] url-parameter ssid ssid redirect-url url //Specify the names of the parameters included in the URL. The parameter names must be the same as those on the authentication server.
//The first ssid indicates that the URL contains the SSID field, and the second ssid indicates the parameter name.
//For example, after ssid ssid is configured, the URL redirected to the user contains ssid=guest, where ssid indicates the parameter name, and guest indicates the SSID with which the user associates.
//The second ssid represents the transmitted parameter name only and cannot be replaced with the actual user SSID.
//When the AC uses url as the parameter name, the URL must be entered on the Portal server to specify the URL to which users' access requests will be redirected.
[AC1-url-template-huawei1] quit
3. Configure the URL of the secondary Portal authentication page. When the primary Portal
server is unavailable, the AC redirects the website that a user attempts to access to the
secondary Portal server.
[AC1] url-template name huawei2
[AC1-url-template-huawei2] url http://access2.example.com:8080/portal //
access2.example.com is the host name of the secondary Portal server.
[AC1-url-template-huawei2] url-parameter ssid ssid redirect-url url
[AC1-url-template-huawei2] quit
4. Specify the port number used to process Portal protocol packets. The default port number
is 2000. If you change the port number on the AC, set the same port number when you
add this AC to the Agile Controller-Campus.
[AC1] web-auth-server listening-port 2000
5. Configure a primary Portal server template, including configuring the IP address and
port number of the primary Portal server.
Set the destination port number in the packets sent to the Portal server to 50200. The
Portal server accepts packets with destination port 50200, but the AC uses port 50100 to
send packets to the Portal server by default. Therefore, you must change the port number
to 50200 on the AC so that the AC can communicate with the Portal server.
[AC1] web-auth-server portal_huawei1
[AC1-web-auth-server-portal_huawei1] server-ip 172.22.10.2 //Configure an IP
address for the primary Portal server.
[AC1-web-auth-server-portal_huawei1] source-ip 172.18.10.1 //Configure an IP
address for the device to communicate with the Portal server.
[AC1-web-auth-server-portal_huawei1] port 50200 //Set the destination port
number in the packets sent to the Portal server to 50200.
6. Configure the shared key used to communicate with the Portal server, which must be the
same as that on the Portal server. In addition, enable the AC to transmit encrypted URL
parameters to the Portal server.
[AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123 //Configure
the shared key used to communicate with the Portal server, which must be the
same as that on the Portal server.
[AC1-web-auth-server-portal_huawei1] url-template huawei1 //Bind the URL
template to the Portal server profile.
9. Configure a secondary Portal server template, including configuring the IP address, port
number, and shared key of the secondary Portal server.
[AC1] web-auth-server portal_huawei2
[AC1-web-auth-server-portal_huawei2] server-ip 172.22.10.3 //Configure an IP
address for the secondary Portal server.
[AC1-web-auth-server-portal_huawei2] source-ip 172.18.10.1
[AC1-web-auth-server-portal_huawei2] port 50200
[AC1-web-auth-server-portal_huawei2] shared-key cipher Admin@123
[AC1-web-auth-server-portal_huawei2] url-template huawei2
[AC1-web-auth-server-portal_huawei2] server-detect interval 100 max-times 5
critical-num 0 action log
(Optional) [AC1-web-auth-server-portal_huawei2] user-sync interval 100 max-times 5
[AC1-web-auth-server-portal_huawei2] quit
# Enable the Portal authentication quiet period function. With this function enabled, the AC
drops packets of an authentication user during the quiet period if the user fails Portal
authentication for the specified number of times in 60 seconds. This function protects the AC
from overloading caused by frequent authentication.
[AC1] portal quiet-period
[AC1] portal quiet-times 5 //Set the maximum number of authentication failures
in 60 seconds before a Portal authentication is set to quiet state.
[AC1] portal timer quiet-period 240 //Set the quiet period to 240 seconds.
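A model of the quiet-period logic just configured (five failures within 60 seconds put the user into a 240-second quiet state), written here as an added Python example rather than Huawei code; the MAC addresses and the event timeline are constructed, and the fixed 60-second counting window is taken from the text above.

```python
from collections import defaultdict, deque


class PortalQuietPeriod:
    """Per-user (MAC address) model of the Portal quiet-period function.

    A user who fails Portal authentication `quiet_times` times within `window`
    seconds enters the quiet state for `quiet_period` seconds. While quiet, the
    AC drops the user's authentication packets instead of forwarding them to the
    Portal server, so repeated failures cannot overload the AC.
    """

    def __init__(self, quiet_times=5, window=60, quiet_period=240):
        self.quiet_times = quiet_times       # portal quiet-times 5
        self.window = window                 # fixed 60-second counting window
        self.quiet_period = quiet_period     # portal timer quiet-period 240
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._quiet_until = {}               # user -> time at which the quiet state ends

    def is_quiet(self, user, now):
        """Return True if the user's packets are being dropped at time `now`."""
        until = self._quiet_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._quiet_until[user]      # quiet period has expired
            return False
        return True

    def record_failure(self, user, now):
        """Count an authentication failure; return True if the user just became quiet."""
        if self.is_quiet(user, now):
            return False                     # dropped packets are not counted
        fails = self._failures[user]
        fails.append(now)
        while fails and now - fails[0] >= self.window:
            fails.popleft()                  # forget failures outside the window
        if len(fails) >= self.quiet_times:
            self._quiet_until[user] = now + self.quiet_period
            fails.clear()
            return True
        return False

    def record_success(self, user):
        """A successful authentication resets the failure count."""
        self._failures.pop(user, None)


def replay(events, **kwargs):
    """Replay (time, user, outcome) events in order; return [(user, time_became_quiet)]."""
    state = PortalQuietPeriod(**kwargs)
    quieted = []
    for now, user, outcome in events:
        if state.is_quiet(user, now):
            continue                         # the AC drops the packet
        if outcome == "fail":
            if state.record_failure(user, now):
                quieted.append((user, now))
        else:
            state.record_success(user)
    return quieted


# Constructed sample events (seconds, MAC, outcome); not captured from a device.
SAMPLE_EVENTS = [
    (0, "aaaa-bbbb-0001", "fail"),
    (5, "aaaa-bbbb-0001", "fail"),
    (10, "aaaa-bbbb-0001", "fail"),
    (15, "aaaa-bbbb-0001", "fail"),
    (20, "aaaa-bbbb-0001", "fail"),       # 5th failure within 60 s: quiet until t=260
    (30, "aaaa-bbbb-0001", "fail"),       # dropped, not counted
    (0, "aaaa-bbbb-0002", "fail"),        # one failure every 70 s never reaches 5 in 60 s
    (70, "aaaa-bbbb-0002", "fail"),
    (140, "aaaa-bbbb-0002", "fail"),
    (210, "aaaa-bbbb-0002", "fail"),
    (280, "aaaa-bbbb-0002", "fail"),
    (100, "aaaa-bbbb-0003", "fail"),      # four failures, then a success clears them
    (101, "aaaa-bbbb-0003", "fail"),
    (102, "aaaa-bbbb-0003", "fail"),
    (103, "aaaa-bbbb-0003", "fail"),
    (104, "aaaa-bbbb-0003", "success"),
    (105, "aaaa-bbbb-0003", "fail"),
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))          # [('aaaa-bbbb-0001', 20)]
```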
# Create a Portal access profile, and bind the Portal server template to it.
[AC1] portal-access-profile name acc_portal //Create a Portal access profile.
[AC1-portal-access-profile-acc_portal] web-auth-server portal_huawei1
portal_huawei2 direct //Configure the primary and secondary Portal server
templates used by the Portal access profile. If the network between end users and
the AC is a Layer 2 network, configure the direct mode; if the network is a Layer
3 network, configure the layer3 mode.
[AC1-portal-access-profile-acc_portal] quit
# Configure pre-authentication and post-authentication access rules for employees and guests.
[AC1] free-rule-template name default_free_rule
[AC1-free-rule-default_free_rule] free-rule 1 destination ip 172.22.10.4 mask
255.255.255.255 //Configure a Portal authentication-free rule to allow users to
connect to the DNS server before authentication.
[AC1-free-rule-default_free_rule] quit
[AC1] acl 3001 //Configure the post-authentication domain for employees,
including the intranet and Internet.
[AC1-acl-adv-3001] rule 5 permit ip
[AC1-acl-adv-3001] quit
[AC1] acl 3002 //Configure the post-authentication domain for guests, including
the Internet.
[AC1-acl-adv-3002] rule 5 deny ip destination 172.22.10.5 0 //172.22.10.5 is
the company's server resource and cannot be accessed by guests.
[AC1-acl-adv-3002] rule 10 permit ip
[AC1-acl-adv-3002] quit
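To check what ACL 3001 and ACL 3002 actually grant, here is an added Python example (not Huawei code) that parses the rule lines above and evaluates them in rule-number order. It assumes only the rule syntax used on this page, with the wildcard mask 0 meaning an exact host; the action for a packet that matches no rule is a parameter because the page does not state it, and 198.51.100.10 stands in for an Internet host.

```python
import ipaddress
import re

# rule <n> permit|deny ip [destination <addr> <wildcard>]  (the only forms used above)
RULE_RE = re.compile(
    r"^rule\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+destination\s+(?P<dst>\S+)\s+(?P<wild>\S+))?$"
)


def _wildcard_to_int(text):
    """Parse a wildcard mask; the page's '0' is shorthand for 0.0.0.0 (exact host)."""
    if text.isdigit():
        return int(text)
    return int(ipaddress.IPv4Address(text))


def parse_acl(lines):
    """Parse rule lines as typed in the ACL view; returns rules sorted by rule number."""
    rules = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        dst = wild = None
        if m.group("dst") is not None:
            dst = int(ipaddress.IPv4Address(m.group("dst")))
            wild = _wildcard_to_int(m.group("wild"))
        rules.append((int(m.group("num")), m.group("action"), dst, wild))
    return sorted(rules, key=lambda r: r[0])


def evaluate(rules, dst_ip, default_action="permit"):
    """Return (action, rule_number) of the first matching rule, or (default_action, None).

    A wildcard bit of 1 means "don't care": a packet matches when every bit not
    covered by the wildcard is equal in the packet and in the rule.
    """
    ip = int(ipaddress.IPv4Address(dst_ip))
    for num, action, dst, wild in rules:
        if dst is None or (ip | wild) == (dst | wild):
            return action, num
    return default_action, None


# The two ACLs from the configuration above, as typed (3002 deliberately out of order
# to show that evaluation follows rule numbers, not typing order).
ACL_3001 = parse_acl(["rule 5 permit ip"])
ACL_3002 = parse_acl(["rule 10 permit ip",
                      "rule 5 deny ip destination 172.22.10.5 0"])


def access_matrix(targets=("172.22.10.5", "172.22.10.4", "198.51.100.10")):
    """Decision for each post-authentication domain and destination address."""
    return {(name, dst): evaluate(acl, dst)[0]
            for name, acl in (("employee", ACL_3001), ("guest", ACL_3002))
            for dst in targets}


if __name__ == "__main__":
    for key, action in sorted(access_matrix().items()):
        print(key, action)
```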
# Enable terminal type awareness to allow the ACs to send the option fields containing the
terminal type in DHCP packets to the authentication server. In this way, the authentication
server can push the correct Portal authentication pages to users based on their terminal types.
[AC1] dhcp snooping enable
[AC1] device-sensor dhcp option 12 55 60
# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to
employee and guest respectively.
# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data
forwarding mode and service VLANs, and apply the security, SSID, and authentication
profiles to the VAP profiles.
[AC1-wlan-view] vap-profile name wlan-vap-employee
[AC1-wlan-vap-prof-wlan-vap-employee] forward-mode direct-forward //Configure
direct forwarding for employees.
[AC1-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC1-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal //Bind
the authentication profile.
[AC1-wlan-vap-prof-wlan-vap-employee] quit
[AC1-wlan-view] vap-profile name wlan-vap-guest
[AC1-wlan-vap-prof-wlan-vap-guest] forward-mode tunnel //Configure tunnel
forwarding for guests.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 102
[AC1-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC1-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal
[AC1-wlan-vap-prof-wlan-vap-guest] quit
# Bind the VAP profile to the AP groups and apply the VAP profile to radio 0 and radio 1 of
the AP.
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 0 //
Configure the 2.4 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 1 //
Configure the 5 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 0 //
Configure the 2.4 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 1 //
Configure the 5 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] quit
The configuration procedure for AC2 is the same as that for AC1, and details are not provided
here.
# Create a management VRRP group on AC1. Set the priority of AC1 in the VRRP group to
120 and preemption delay to 1200s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 172.18.10.1 //Configure a virtual IP
address for the management VRRP group.
[AC1-Vlanif100] vrrp vrid 1 priority 120 //Set the priority of AC1 in the VRRP
group.
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1200 //Set the preemption
delay for AC1 in the VRRP group.
[AC1-Vlanif100] admin-vrrp vrid 1 //Configure vrid 1 as the mVRRP group.
[AC1-Vlanif100] quit
# Create HSB service 0 on AC1. Configure the IP addresses and port numbers for the active
and standby channels. Set the retransmission time and interval of HSB service 0.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.10.11.1 peer-ip 10.10.11.2 local-
data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit
# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management VRRP
group.
[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit
# Enable HSB.
[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit
# Create HSB service 0 on AC2. Configure the IP addresses and port numbers for the active
and standby channels. Set the retransmission time and interval of HSB service 0.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.10.11.2 peer-ip 10.10.11.1 local-
data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit
# Create HSB group 0 on AC2 and bind it to HSB service 0 and the management VRRP
group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit
# Enable HSB.
[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit
# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status.
The value of the Service State field is Connected, indicating that the active and standby HSB
channels have been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.1
Peer IP Address : 10.10.11.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
# Run the display hsb-group 0 command on AC1 and AC2 to check the HSB group status.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Type : AC6605
Peer Group Software Version : V200R006C20
Group Backup Modules : Access-user
AP
DHCP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Type : AC6605
Peer Group Software Version : V200R006C20
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
Step 13 [Agile Controller-Campus] Add the AC to the Service Manager to enable the Agile
Controller-Campus to manage the AC.
1. Choose Resource > Device > Device Management.
2. Click Add.
3. Configure parameters for the AC.
Name: AC
Enable RADIUS: Select
4. Click OK.
Step 14 [Agile Controller-Campus] Add SSIDs on the Agile Controller-Campus, so that the Agile
Controller-Campus can authorize users through the SSIDs.
1. Choose Policy > Permission Control > Policy Element > SSID.
Step 15 [Agile Controller-Campus] Configure authorization results and rules to grant different access
rights to employees and guests after they are successfully authenticated.
1. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and add authorization ACLs for employees and guests.
The ACL numbers must be the same as those configured on the authentication control
device.
2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and bind the authorization result to specify resources accessible to
employees and guests after successful authentication.
3. Modify the default authorization rule by changing the authorization result to Deny
Access.
Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click on the right of Default Authorization Rule. Change
the value of Authorization Result to Deny Access.
----End
Verification
If a terminal uses Internet Explorer 8 for Portal authentication, the following configuration
must be completed for the browser. Otherwise, the Portal authentication page cannot be
displayed.
1. Choose Tools > Internet Options.
2. Select options related to Use TLS on the Advanced tab.
3. Click OK.
Employee authentication:
l User account tony (employee account) can only access the Agile Controller-Campus server and DNS server before authentication.
l When the employee connects to the Wi-Fi hotspot employee using a computer and attempts to visit the Internet, the default authentication page is pushed to the user. After the employee enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
l After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user tony is online.
l On the Service Manager, choose Resource > User > Online User Management. The user tony is displayed in the list of online users.
l On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user tony.
Guest authentication:
l User account susan (guest account) can only access the Agile Controller-Campus server and DNS server before authentication.
l When the guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to visit the Internet, the guest authentication page is pushed to the user. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
l User account susan cannot access internal servers of the company.
l After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user susan is online.
l On the Service Manager, choose Resource > User > Online User Management. The user susan is displayed in the list of online users.
l On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user susan.
AC1 power-off: Services are automatically switched to AC2, without affecting employee and guest authentication. The process is not detected by user terminals.
SC power-off: After the network cable of a Service Controller is disconnected, employees and guests are re-authenticated and go online. Their access rights are normal.
with the AC. The Agile Controller-Campus does not support the real accounting
function. If accounting is required, use a third-party accounting server.
Networking Requirements
A company needs to deploy an authentication system to implement access control for
employees who attempt to connect to the enterprise network. Only authenticated users can
connect to the enterprise network.
The company has the following requirements:
l All employees do office work and visit the Internet through the wireless network and
require a reliable network.
l A unified identity authentication mechanism is used to authenticate all terminals
attempting to connect to the campus network and deny access from unauthorized
terminals.
l Employees can connect only to the DNS server and Agile Controller-Campus of the
company before authentication, and can connect to both the intranet and Internet after
being authenticated.
l Guests can access the DNS server and Agile Controller-Campus of the company before
authentication, and can access the Internet after they are successfully authenticated.
Figure 4-97 Networking of Portal authentication for wireless users in an AC dual-link backup
environment
Requirement Analysis
Considering the networking and requirements of the company, Portal authentication based on
the Agile Controller-Campus can be used on the campus network. You need to configure
different ACL rules on the ACs to control access rights of employees.
Based on user requirements, the networking shown in Figure 4-97 is used, and networking
analysis is performed as follows:
l ACs are deployed in dual-link backup mode. HSB links are used to connect AC1 and
AC2 to determine the active and standby ACs, ensuring reliability of WLAN services.
l User data traffic is forwarded in direct mode, ensuring AC performance upon a large
amount of user data and ensuring network reliability.
VLAN Plan
Number of the ACL for guests' post-authentication domain: 3002; SSID: guest. You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
Portal server:
l Primary IP address: 172.22.10.2
l Secondary IP address: 172.22.10.3
l Port number that the AC uses to listen on Portal protocol packets: 2000
l Destination port number in the packets that the AC sends to the Portal server: 50200
l Shared key: Admin@123
l Encryption key for the URL parameters that the AC sends to the Portal server: Admin@123
Post-authentication domain for guests: Internet
Configuration Roadmap
1. Configure the access switch, aggregation switch, and ACs to ensure network
connectivity.
2. On the ACs, configure a RADIUS server template, configure authentication, accounting,
and authorization schemes in the template, and specify the IP address of the Portal
server. In this way, the ACs can communicate with the RADIUS server and Portal server.
3. Configure dual-link backup for ACs to ensure reliability of WLAN services.
4. Add ACs to the Service Manager and configure parameters for the ACs to ensure that the
Agile Controller-Campus can manage the ACs.
5. Add authorization results and rules to grant different access rights to employees after
they are successfully authenticated.
Procedure
Step 1 [Device] Configure the access switch S2750EI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan batch 100 101 102 //Create VLAN 100, VLAN 101 and VLAN 102 in a
batch.
[S2700] interface gigabitethernet 0/0/1 //Enter the view of the interface
connected to the AP.
[S2700-GigabitEthernet0/0/1] port link-type trunk //Change the link type of
gigabitethernet0/0/1 to trunk.
[S2700-GigabitEthernet0/0/1] port trunk pvid vlan 100 //Set the default VLAN of
gigabitethernet0/0/1 to VLAN 100.
[S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102 //Add
gigabitethernet0/0/1 to VLAN 100, VLAN 101 and VLAN 102.
[S2700-GigabitEthernet0/0/1] quit
[S2700] interface gigabitethernet 0/0/2 //Enter the view of the interface
connected to the aggregation switch.
[S2700-GigabitEthernet0/0/2] port link-type trunk //Change the link type of
gigabitethernet0/0/2 to trunk.
[S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102 //Add
gigabitethernet0/0/2 to VLAN 100, VLAN 101 and VLAN 102.
[S2700-GigabitEthernet0/0/2] quit
[S2700] interface gigabitethernet 0/0/3 //Connect to AP1's interface.
[S2700-GigabitEthernet0/0/3] port link-type trunk //Change the link type of
gigabitethernet0/0/3 to trunk.
[S2700-GigabitEthernet0/0/3] port trunk pvid vlan 100 //Set the default VLAN of
gigabitethernet0/0/3 to VLAN 100.
[S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101 102 //Add
gigabitethernet0/0/3 to VLAN 100, VLAN 101 and VLAN 102.
[S2700-GigabitEthernet0/0/3] quit
[S2700] quit
<S2700> save //Save the configuration.
Step 2 [Device] Configure the aggregation switch S5720HI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S5700
[S5700] vlan batch 100 101 102 105 //Create VLAN 100, VLAN 101, VLAN 102 and
VLAN 105 in a batch.
[S5700] interface vlanif 100 //Enter the view of VLANIF 100.
[S5700-Vlanif100] ip address 172.18.10.3 16 //Configure an IP address for VLANIF
100 as the AP's gateway.
[S5700-Vlanif100] dhcp select interface
[S5700-Vlanif100] dhcp server excluded-ip-address 172.18.10.1 172.18.10.2 //
Exclude IP addresses in use from the DHCP address pool.
[S5700-Vlanif100] quit
[S5700] interface vlanif 101 //Enter the view of VLANIF 101.
[S5700-Vlanif101] ip address 172.19.10.1 16 //Configure an IP address for VLANIF
101 as the gateway for employees.
[S5700-Vlanif101] dhcp select interface
[S5700-Vlanif101] dhcp server dns-list 172.22.10.4 //Configure the DNS server
address.
[S5700-Vlanif101] quit
[S5700] interface vlanif 102 //Enter the interface view of VLANIF 102.
[S5700-Vlanif102] ip address 172.20.10.1 16 //Configure an IP address for VLANIF
102 to enable it to function as a guest gateway.
[S5700-Vlanif102] dhcp select interface
[S5700-Vlanif102] dhcp server dns-list 172.22.10.4 //Configure an IP address for
the DNS server.
[S5700-Vlanif102] quit
[S5700] interface gigabitethernet 0/0/1 //Enter the view of the interface
connected to the access switch.
[S5700-GigabitEthernet0/0/1] port link-type trunk //Change the link type of
gigabitethernet0/0/1 to trunk.
[S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102 //Add
gigabitethernet0/0/1 to VLAN 100, VLAN 101 and VLAN 102.
[S5700-GigabitEthernet0/0/1] quit
[S5700] interface gigabitethernet 0/0/2 //Enter the view of the interface
connected to AC1.
[S5700-GigabitEthernet0/0/2] port link-type trunk //Change the link type of
gigabitethernet0/0/2 to trunk.
[S5700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 105 //Add
gigabitethernet0/0/2 to VLAN 100 and VLAN 105.
[S5700-GigabitEthernet0/0/2] quit
[S5700] interface gigabitethernet 0/0/3 //Enter the view of the interface
connected to AC2.
[S5700-GigabitEthernet0/0/3] port link-type trunk //Change the link type of
gigabitethernet0/0/3 to trunk.
[S5700-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 105 //Add
gigabitethernet0/0/3 to VLAN 100 and VLAN 105.
[S5700-GigabitEthernet0/0/3] quit
[S5700] ip route-static 172.22.10.0 255.255.255.0 172.21.10.2
[S5700] quit
<S5700> save //Save the configuration.
Step 3 [Device] Configure the core switch S7700 to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700
[S7700] vlan batch 103 104 //Create VLAN 103 and VLAN 104 in a batch.
[S7700] interface gigabitethernet 1/0/1 //Connect to the interface of the
aggregation switch.
[S7700-GigabitEthernet1/0/1] port link-type trunk
[S7700-GigabitEthernet1/0/1] port trunk allow-pass vlan 103
[S7700-GigabitEthernet1/0/1] quit
[S7700] interface vlanif 103
[S7700-Vlanif103] ip address 172.21.10.2 255.255.255.0
[S7700-Vlanif103] quit
[S7700] interface gigabitethernet 1/0/2 //Connect to the interface of the server
zone.
[S7700-GigabitEthernet1/0/2] port link-type access
[S7700-GigabitEthernet1/0/2] port default vlan 104 //Configure VLAN 104 as the
default VLAN for the gigabitethernet1/0/2 interface.
[S7700-GigabitEthernet1/0/2] quit
[S7700] interface vlanif 104
[S7700-Vlanif104] ip address 172.22.10.1 255.255.255.0 //Configure a gateway IP
address for the server zone.
[S7700-Vlanif104] quit
[S7700] ip route-static 172.19.0.0 255.255.255.0 172.21.10.1 //Configure a
static route to the employees' network segment.
[S7700] ip route-static 172.20.1.0 255.255.255.0 172.21.10.1 //Configure a
static route to the guests' network segment.
[S7700] quit
<S7700> save //Save the configuration.
# Configure a default route for AC1 so that packets are forwarded to the routing gateway by default.
[AC1] ip route-static 0.0.0.0 0 172.18.10.3
# On AC2, ensure network connectivity, and add GE0/0/1 connecting to the S5720HI to VLAN 100 and VLAN 105.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 105
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 105
[AC2-GigabitEthernet0/0/1] quit
# Configure a default route for AC2 so that packets are forwarded to the routing gateway by default.
[AC2] ip route-static 0.0.0.0 0 172.18.10.3
# Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name domain1
[AC1-wlan-regulatory-domain-prof-domain1] country-code cn
[AC1-wlan-regulatory-domain-prof-domain1] quit
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap_group] quit
[AC1-wlan-view] quit
# Import the APs offline on the AC and add them to the AP group. This example assumes that the AP type is AP6010DN-AGN, and the MAC addresses of AP_0 and AP_1 are 60de-4476-e360 and 60de-4476-e380 respectively.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name ap_0
[AC1-wlan-ap-0] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC1-wlan-ap-1] ap-name ap_1
[AC1-wlan-ap-1] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC1-wlan-ap-1] quit
[AC1-wlan-view] quit
# After the APs are powered on, run the display ap all command to check the AP state. If the State field is displayed as nor, the AP has gone online properly.
[AC1] display ap all
Total AP information:
nor : normal [2]
----------------------------------------------------------------------------------
ID   MAC            Name   Group     IP             Type          State  STA  Uptime
----------------------------------------------------------------------------------
0    60de-4476-e360 ap_0   ap_group  172.18.10.254  AP6010DN-AGN  nor    0    20S
1    60de-4476-e380 ap_1   ap_group  172.18.10.253  AP6010DN-AGN  nor    0    10S
----------------------------------------------------------------------------------
Total: 2
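The check described above (every AP must show State nor, and the Total line must agree with the rows listed) can be automated when the output is collected from many ACs. The following Python parser is an added example and is not part of this document or of the AC software; the sample output is constructed to follow the layout shown here, and the same parser applies to the single-AP output shown later for the N+1 example.

```python
"""Parse 'display ap all' output and flag APs that are not online (added example)."""
import re

# Constructed sample, following the column layout of the output shown above.
SAMPLE_OUTPUT = """\
Total AP information:
nor : normal [2]
----------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
----------------------------------------------------------------------------------
0 60de-4476-e360 ap_0 ap_group 172.18.10.254 AP6010DN-AGN nor 0 20S
1 60de-4476-e380 ap_1 ap_group 172.18.10.253 AP6010DN-AGN nor 0 10S
----------------------------------------------------------------------------------
Total: 2
"""

# One AP row: numeric ID, a Huawei-style MAC (xxxx-xxxx-xxxx), then the
# remaining whitespace-separated columns. Header and separator lines do not match.
AP_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$"
)


def parse_display_ap_all(text):
    """Return one dict per AP row found in the command output."""
    aps = []
    for line in text.splitlines():
        m = AP_ROW.match(line)
        if m:
            aps.append({
                "id": int(m[1]), "mac": m[2], "name": m[3], "group": m[4],
                "ip": m[5], "type": m[6], "state": m[7],
                "sta": int(m[8]), "uptime": m[9],
            })
    return aps


def aps_not_normal(text):
    """Names of APs whose State is anything other than nor."""
    return [ap["name"] for ap in parse_display_ap_all(text) if ap["state"] != "nor"]


def expected_count_matches(text):
    """True when the 'Total:' footer equals the number of rows parsed."""
    m = re.search(r"^Total:\s*(\d+)", text, re.M)
    return m is not None and int(m[1]) == len(parse_display_ap_all(text))


if __name__ == "__main__":
    print(aps_not_normal(SAMPLE_OUTPUT), expected_count_matches(SAMPLE_OUTPUT))
```

A mismatch between the footer and the parsed rows usually means the output was truncated or the column layout changed, so the count check guards the state check rather than duplicating it.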
The configuration of AC2 is the same as that of AC1 and is not provided here.
Step 6 [Device] Configure interconnection parameters for the AC and RADIUS server as well as the AC and Portal server, so that the AC can associate with the RADIUS and Portal servers.
# On AC1, configure a RADIUS server template, and configure authentication, accounting, and authorization schemes in the template.
[AC1] radius-server template radius_template
[AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80 //Configure a primary RADIUS authentication server with a higher weight than that of the secondary authentication server. Set the authentication port to 1812 and the source IP address used to communicate with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40 //Configure a secondary RADIUS authentication server with a lower weight than that of the primary authentication server. Set the authentication port to 1812 and the source IP address used to communicate with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80 //Configure a primary RADIUS accounting server with a higher weight than that of the secondary accounting server to obtain user login and logout information. Set the accounting port to 1813 and the source IP address used to communicate with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.3 1813 source ip-address 172.18.10.1 weight 40 //Configure a secondary RADIUS accounting server with a lower weight than that of the primary accounting server to obtain user login and logout information. Set the accounting port to 1813 and the source IP address used to communicate with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server shared-key cipher Admin@123 //Configure a shared key for the RADIUS server.
[AC1-radius-radius_template] radius-server user-name original //Configure the AC to send the user names entered by users to the RADIUS server unchanged.
[AC1-radius-radius_template] quit
[AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123 //Configure a RADIUS authorization server so that the RADIUS server can deliver authorization rules to the AC. Set the shared key to Admin@123, which must be the same as that of the authentication and accounting server.
[AC1] radius-server authorization 172.22.10.3 shared-key cipher Admin@123 //Configure a RADIUS authorization server so that the RADIUS server can deliver authorization rules to the AC. Set the shared key to Admin@123, which must be the same as that of the authentication and accounting server.
//The access control device can process CoA/DM Request packets initiated by the Agile Controller-Campus only after the authorization servers are configured.
//Authentication servers and authorization servers must have a one-to-one mapping, that is, the number of authentication servers and authorization servers must be the same. If not, the Agile Controller-Campus will fail to kick some users offline.
[AC1] aaa
[AC1-aaa] authentication-scheme auth_scheme
[AC1-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication scheme to RADIUS.
[AC1-aaa-authen-auth_scheme] quit
[AC1-aaa] accounting-scheme acco_scheme
[AC1-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting scheme to RADIUS.
//The RADIUS accounting scheme must be used so that the RADIUS server can maintain account state information such as login/logout information and force users to go offline.
[AC1-aaa-accounting-acco_scheme] accounting realtime 15 //Set the real-time accounting interval to 15 minutes.
[AC1-aaa-accounting-acco_scheme] quit
[AC1-aaa] quit
NOTE
The accounting realtime command sets the real-time accounting interval. A short real-time accounting interval requires high performance of the device and RADIUS server. Set a real-time accounting interval based on the user quantity.
Number of users    Real-time accounting interval
1 to 99            3 minutes
≥ 1000             ≥ 15 minutes
# Check whether a user can be authenticated through the RADIUS server template. (User name test and password Admin_123 have been configured on the RADIUS server.)
[AC1] test-aaa test Admin_123 radius-template radius_template pap
Info: Account test succeed.
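The comments on the authorization servers state constraints that the CLI does not enforce for you: one authorization server per authentication server (otherwise CoA/DM requests for some users fail), the same shared key everywhere, and a weight order that yields a single primary server. The following Python audit of the template is an added example, not part of this document or of the AC software; the config text is the AC1 lines from this example with the view prompts stripped, and the finding texts are the example's own wording.

```python
"""Audit a RADIUS server template written in VRP-style CLI lines (added example)."""
import re
from dataclasses import dataclass, field

# The AC1 template from this example, prompts stripped (constructed input).
SAMPLE_CONFIG = """
radius-server template radius_template
 radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80
 radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40
 radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80
 radius-server accounting 172.22.10.3 1813 source ip-address 172.18.10.1 weight 40
 radius-server shared-key cipher Admin@123
 radius-server user-name original
radius-server authorization 172.22.10.2 shared-key cipher Admin@123
radius-server authorization 172.22.10.3 shared-key cipher Admin@123
"""


@dataclass
class RadiusTemplate:
    name: str = ""
    shared_key: str = ""
    authentication: list = field(default_factory=list)  # (ip, port, weight)
    accounting: list = field(default_factory=list)      # (ip, port, weight)
    authorization: dict = field(default_factory=dict)   # ip -> shared key


SERVER_RE = re.compile(
    r"radius-server (authentication|accounting) (\S+) (\d+)"
    r"(?: source ip-address \S+)?(?: weight (\d+))?"
)
AUTHZ_RE = re.compile(r"radius-server authorization (\S+) shared-key cipher (\S+)")


def parse_template(text):
    """Collect the server lines of one template plus the global authorization servers."""
    tpl = RadiusTemplate()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("radius-server template "):
            tpl.name = line.split()[-1]
        elif m := SERVER_RE.match(line):
            kind, ip, port, weight = m.groups()
            getattr(tpl, kind).append((ip, int(port), int(weight) if weight else 0))
        elif m := AUTHZ_RE.match(line):
            tpl.authorization[m.group(1)] = m.group(2)
        elif line.startswith("radius-server shared-key cipher "):
            tpl.shared_key = line.split()[-1]
    return tpl


def audit(tpl):
    """Return a list of findings; an empty list means the template is consistent."""
    findings = []
    auth_ips = [ip for ip, _, _ in tpl.authentication]
    # 1. Authentication and authorization servers must map one-to-one.
    if set(auth_ips) != set(tpl.authorization):
        findings.append("authentication and authorization servers are not one-to-one")
    # 2. Every authorization server must use the template's shared key.
    for ip, key in tpl.authorization.items():
        if key != tpl.shared_key:
            findings.append(f"authorization server {ip}: shared key differs from template")
    # 3. Accounting is needed per server so login/logout state can be tracked.
    acct_ips = {ip for ip, _, _ in tpl.accounting}
    for ip in auth_ips:
        if ip not in acct_ips:
            findings.append(f"no accounting server for {ip}")
    # 4. Weights must single out one primary authentication server.
    weights = sorted((w for _, _, w in tpl.authentication), reverse=True)
    if len(weights) > 1 and weights[0] == weights[1]:
        findings.append("two authentication servers share the highest weight")
    return findings


if __name__ == "__main__":
    print(audit(parse_template(SAMPLE_CONFIG)))
```

Run it over the output of display current-configuration (or the saved configuration file) before adding the AC to the Agile Controller-Campus; a non-empty result points at the exact constraint that the comments above describe.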
1. Configure the URL of the primary Portal authentication page. When a user attempts to access a website before authentication, the AC redirects the request to the primary Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page pushing. Before configuring the URL using a domain name, you must first configure the mapping between the domain name and IP address of the Agile Controller-Campus server on the DNS server.
[AC1] url-template name huawei1
[AC1-url-template-huawei1] url http://access1.example.com:8080/portal //access1.example.com is the host name of the primary Portal server.
2. Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC1-url-template-huawei1] url-parameter ssid ssid redirect-url url //Specify the names of the parameters included in the URL. The parameter names must be the same as those on the authentication server.
//The first ssid indicates that the URL contains the SSID field, and the second ssid is the parameter name.
//For example, after ssid ssid is configured, the URL redirected to the user contains ssid=guest, where ssid is the parameter name and guest is the SSID with which the user associates.
//The second ssid is only the name of the transmitted parameter and cannot be replaced with the actual user SSID.
//When the AC uses url as the parameter name, the url parameter must be entered on the Portal server to specify the URL to which users' access requests will be redirected.
[AC1-url-template-huawei1] quit
3. Configure the URL of the secondary Portal authentication page. When the primary Portal server is unavailable, the AC redirects the website that a user attempts to access to the secondary Portal server.
[AC1] url-template name huawei2
[AC1-url-template-huawei2] url http://access2.example.com:8080/portal //access2.example.com is the host name of the secondary Portal server.
[AC1-url-template-huawei2] url-parameter ssid ssid redirect-url url
[AC1-url-template-huawei2] quit
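The redirect that the url-template and url-parameter commands produce, as an added example that is not part of this document and is not the AC's own code: the AC side builds the Portal URL with the two configured parameter names (ssid and url), and the Portal side recovers them. The is_safe_target check is a hardening suggestion for the Portal server's handling of the url parameter, not a feature this document describes; the original URL and SSID are constructed sample values.

```python
"""Build and parse the Portal redirect URL defined by a url-template (added example)."""
from urllib.parse import urlencode, urlsplit, parse_qs

# Parameter names as set by "url-parameter ssid ssid redirect-url url":
# URL field -> query parameter name the Portal server expects.
URL_PARAMETER = {"ssid": "ssid", "redirect-url": "url"}

PRIMARY_PORTAL = "http://access1.example.com:8080/portal"   # url-template huawei1
SECONDARY_PORTAL = "http://access2.example.com:8080/portal" # url-template huawei2


def build_redirect(ssid, original_url, portal_url=PRIMARY_PORTAL, names=URL_PARAMETER):
    """AC side: the Location the unauthenticated client is sent to."""
    query = {names["ssid"]: ssid, names["redirect-url"]: original_url}
    # urlencode percent-encodes the original URL, so its own "?" and "&"
    # cannot be confused with the Portal URL's query delimiters.
    return f"{portal_url}?{urlencode(query)}"


def parse_redirect(redirect_url, names=URL_PARAMETER):
    """Portal side: recover (ssid, original_url) from the redirect URL."""
    qs = parse_qs(urlsplit(redirect_url).query)
    return qs[names["ssid"]][0], qs[names["redirect-url"]][0]


def is_safe_target(url):
    """Portal side: only send an authenticated user back to an absolute http(s) URL.
    Anything else (other schemes, a missing host) is treated as untrusted input."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def portal_for(primary_available):
    """Choose the template the AC falls back to when the primary server is down."""
    return PRIMARY_PORTAL if primary_available else SECONDARY_PORTAL


if __name__ == "__main__":
    r = build_redirect("guest", "http://www.example.com/news?id=1&x=2")
    print(r)
    print(parse_redirect(r))
```

The SSID in the query is what the Agile Controller-Campus uses to pick the employee or guest page, which is why the parameter names on both sides must match exactly; a mismatch shows up as the default page being pushed rather than as an error.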
4. Specify the port number used to process Portal protocol packets. The default port number is 2000. If you change the port number on the AC, set the same port number when you add this AC to the Agile Controller-Campus.
[AC1] web-auth-server listening-port 2000
5. Configure a primary Portal server template, including configuring the IP address and port number of the primary Portal server.
Set the destination port number in the packets sent to the Portal server to 50200. The Portal server accepts packets with destination port 50200, but the AC uses port 50100 to send packets to the Portal server by default. Therefore, you must change the port number to 50200 on the AC so that the AC can communicate with the Portal server.
[AC1] web-auth-server portal_huawei1
[AC1-web-auth-server-portal_huawei1] server-ip 172.22.10.2 //Configure an IP address for the primary Portal server.
[AC1-web-auth-server-portal_huawei1] source-ip 172.18.10.1 //Configure an IP address for the device to communicate with the Portal server.
[AC1-web-auth-server-portal_huawei1] port 50200 //Set the destination port number in the packets sent to the Portal server to 50200.
6. Configure the shared key used to communicate with the Portal server, which must be the same as that on the Portal server. In addition, enable the AC to transmit encrypted URL parameters to the Portal server.
[AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123 //Configure the shared key used to communicate with the Portal server, which must be the same as that on the Portal server.
9. Configure a secondary Portal server template, including configuring the IP address, port number, and shared key of the secondary Portal server.
[AC1] web-auth-server portal_huawei2
[AC1-web-auth-server-portal_huawei2] server-ip 172.22.10.3 //Configure an IP address for the secondary Portal server.
[AC1-web-auth-server-portal_huawei2] source-ip 172.18.10.1
[AC1-web-auth-server-portal_huawei2] port 50200
[AC1-web-auth-server-portal_huawei2] shared-key cipher Admin@123
[AC1-web-auth-server-portal_huawei2] url-template huawei2
[AC1-web-auth-server-portal_huawei2] server-detect interval 100 max-times 5 critical-num 0 action log
(Optional) [AC1-web-auth-server-portal_huawei2] user-sync interval 100 max-times 5
[AC1-web-auth-server-portal_huawei2] quit
# Enable the Portal authentication quiet period function. With this function enabled, the AC drops packets of an authentication user during the quiet period if the user fails Portal authentication for the specified number of times in 60 seconds. This function protects the AC from overloading caused by frequent authentication.
[AC1] portal quiet-period
[AC1] portal quiet-times 5 //Set the maximum number of authentication failures in 60 seconds before a Portal authentication user is set to the quiet state.
[AC1] portal timer quiet-period 240 //Set the quiet period to 240 seconds.
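The quiet-period behaviour just configured (five failures inside a 60-second window put the user into a 240-second quiet state, during which further attempts are dropped), modelled in Python as an added example. This is not the AC's implementation and is not part of this document; the client MAC address and the timestamps are constructed, and the 60-second window is the fixed value stated in the text above.

```python
"""Sliding-window model of the Portal authentication quiet period (added example)."""
from collections import defaultdict, deque

QUIET_TIMES = 5     # portal quiet-times 5
FAIL_WINDOW = 60    # failures are counted within 60 seconds (fixed on the AC)
QUIET_PERIOD = 240  # portal timer quiet-period 240


class QuietPeriodTracker:
    """Tracks authentication failures per client and enforces the quiet state."""

    def __init__(self, quiet_times=QUIET_TIMES, window=FAIL_WINDOW, quiet_period=QUIET_PERIOD):
        self.quiet_times = quiet_times
        self.window = window
        self.quiet_period = quiet_period
        self.failures = defaultdict(deque)  # client -> timestamps of recent failures
        self.quiet_until = {}               # client -> time the quiet state ends

    def is_quiet(self, client, now):
        """True while the client is in the quiet state; expired entries are cleared."""
        until = self.quiet_until.get(client)
        if until is None:
            return False
        if now < until:
            return True
        del self.quiet_until[client]        # quiet period has elapsed
        self.failures[client].clear()
        return False

    def record_failure(self, client, now):
        """Register a failed authentication; return True if the client is (now) quiet,
        meaning the AC would drop this client's authentication packets."""
        if self.is_quiet(client, now):
            return True
        recent = self.failures[client]
        recent.append(now)
        # Drop failures that fell out of the 60-second window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.quiet_times:
            self.quiet_until[client] = now + self.quiet_period
            recent.clear()
            return True
        return False

    def record_success(self, client):
        """A successful authentication resets the failure history."""
        self.failures.pop(client, None)


if __name__ == "__main__":
    t = QuietPeriodTracker()
    for second in (0, 10, 20, 30, 40):
        print(second, t.record_failure("00e0-fc12-3456", second))  # constructed MAC
```

The window check is what makes the protection proportionate: a client that fails once every 20 seconds never accumulates five failures inside 60 seconds and is never quieted, while a burst of five is quieted for the full 240 seconds regardless of what it sends in the meantime.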
# Create a Portal access profile, and bind the Portal server templates to it.
[AC1] portal-access-profile name acc_portal //Create a Portal access profile.
[AC1-portal-access-profile-acc_portal] web-auth-server portal_huawei1 portal_huawei2 direct //Configure the primary and secondary Portal server templates used by the Portal access profile. If the network between end users and the AC is a Layer 2 network, configure the direct mode; if the network is a Layer
# Enable terminal type awareness to allow the ACs to send the option fields containing the terminal type in DHCP packets to the authentication server. In this way, the authentication server can push the correct Portal authentication pages to users based on their terminal types.
[AC1] dhcp snooping enable
[AC1] device-sensor dhcp option 12 55 60
# The Portal authentication configuration of AC2 is the same as that of AC1 and is not provided here. However, when setting the source IP address for AC2 in the Portal server template, set the source IP address of AC2 to 172.18.10.1.
Step 7 [Device] Set WLAN service parameters on the ACs.
# Create the security profile security_portal and set the security policy in the profile.
[AC1] wlan
[AC1-wlan-view] security-profile name security_portal
[AC1-wlan-sec-prof-security_portal] quit
# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to
employee and guest respectively.
[AC1-wlan-view] ssid-profile name wlan-ssid-employee
[AC1-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-employee] quit
[AC1-wlan-view] ssid-profile name wlan-ssid-guest
[AC1-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-guest] quit
# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data forwarding mode and service VLANs, and apply the security, SSID, and authentication profiles to the VAP profiles.
[AC1-wlan-view] vap-profile name wlan-vap-employee
[AC1-wlan-vap-prof-wlan-vap-employee] forward-mode direct-forward //Configure
# Bind the VAP profiles to the AP group and apply them to radio 0 and radio 1 of the AP.
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 0 //Configure the 2.4 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 1 //Configure the 5 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 0 //Configure the 2.4 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 1 //Configure the 5 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] quit
# The WLAN service parameter configuration of AC2 is the same as that of AC1 and is not provided here.
Step 8 [Device] Configure dual-link backup on AC1 to implement HSB.
# Configure the IP address of AC2 and the AC1 priority to implement dual-link backup.
[AC1] wlan
[AC1-wlan-view] wlan ac protect enable
Warning: This operation maybe cause ap reset or client down, continue?[Y/N]:y
[AC1-wlan-view] wlan ac protect protect-ac 172.18.10.2 priority 2
Warning: Operation successful. It will take effect after AP reset.
# Restart the AP on AC1 and deliver the dual-link backup configuration to the AP.
[AC1-wlan-view] ap-reset all
Warning: Reset AP (s), continue?[Y/N]:y
[AC1-wlan-view] quit
# Create HSB service 0 on AC1. Configure the IP addresses and port numbers for the active and standby channels. Set the retransmission count and interval of HSB service 0.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.10.11.1 peer-ip 10.10.11.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit
[AC2] wlan
[AC2-wlan-view] wlan ac protect enable
Warning: This operation maybe cause ap reset or client down, continue?[Y/N]:y
[AC2-wlan-view] wlan ac protect protect-ac 172.18.10.1 priority 5
Warning: Operation successful. It will take effect after AP reset.
[AC2-wlan-view] quit
# Create HSB service 0 on AC2. Configure the IP addresses and port numbers for the active and standby channels. Set the retransmission count and interval of HSB service 0.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.10.11.2 peer-ip 10.10.11.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit
# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status. The value of the Service State field is Connected, indicating that the active and standby HSB channels have been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.1
Peer IP Address : 10.10.11.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.2
Peer IP Address : 10.10.11.1
Source Port : 10241
Destination Port : 10241
Step 11 [Agile Controller-Campus] Add the AC to the Service Manager to enable the Agile Controller-Campus to manage the AC.
1. Choose Resource > Device > Device Management.
2. Click Add.
3. Configure parameters for the AC.
   Name: AC
   Enable RADIUS: Select
4. Click OK.
Step 12 [Agile Controller-Campus] Add SSIDs on the Agile Controller-Campus, so that the Agile Controller-Campus can authorize users through the SSIDs.
1. Choose Policy > Permission Control > Policy Element > SSID.
Step 13 [Agile Controller-Campus] Configure authorization results and rules to grant different access rights to employees and guests after they are successfully authenticated.
1. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and add authorization ACLs for employees and guests.
The ACL numbers must be the same as those configured on the authentication control device.
2. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and bind the authorization result to specify resources accessible to employees and guests after successful authentication.
3. Modify the default authorization rule by changing the authorization result to Deny Access.
Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule and click on the right of Default Authorization Rule. Change the value of Authorization Result to Deny Access.
----End
Verification
If a terminal uses Internet Explorer 8 for Portal authentication, the following configuration
must be completed for the browser. Otherwise, the Portal authentication page cannot be
displayed.
1. Choose Tools > Internet Options.
2. Select options related to Use TLS on the Advanced tab.
3. Click OK.
Employee authentication
l User account tony (employee account) can only access the Agile Controller-Campus server and DNS server before authentication.
l When the employee connects to the Wi-Fi hotspot employee using a computer and attempts to visit the Internet, the employee authentication page is pushed to the user. After the employee enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
l After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user tony is online.
l On the Service Manager, choose Resource > User > Online User Management. The user tony is displayed in the list of online users.
l On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user tony.
Guest authentication
l User account susan (guest account) can only access the Agile Controller-Campus server and DNS server before authentication.
l When the guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to visit the Internet, the guest authentication page is pushed to the user. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
l User account susan cannot access internal servers of the company.
l After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user susan is online.
l On the Service Manager, choose Resource > User > Online User Management. The user susan is displayed in the list of online users.
l On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user susan.
AC1 power-off
Services are automatically switched to AC2, without affecting employee authentication. The process is not detected by user terminals.
Networking Requirements
A company has about 5000 employees and needs to deploy an authentication system to implement access control for all the wireless users who attempt to connect to the enterprise network. Only authenticated users can connect to the enterprise network.
The company has the following requirements:
l A unified identity authentication mechanism is used to authenticate all terminals attempting to connect to the campus network and deny access from unauthorized terminals.
l Employees and guests access the campus network using different SSIDs.
l Employees use laptops to access the network, and guests use mobile terminals to access the network.
l Employees can connect only to the DNS server, DHCP server, and Agile Controller-Campus of the company before authentication, and can connect to both the intranet and Internet after being authenticated.
l Guests can connect only to the DNS server, DHCP server, and Agile Controller-Campus of the company before authentication, and can connect only to the Internet after being authenticated.
l There are three ACs on the network. Two ACs are deployed as the active ACs, and one as the standby AC to improve network reliability.
Figure 4-98 Networking of Portal authentication for wireless users in N+1 mode
Requirement Analysis
l Considering the company's networking and requirements, and given that there is no specific requirement for terminal security checks, Portal authentication can be used on the campus network to authenticate employees and guests, with the authentication points deployed on the ACs.
l It is recommended that authentication packets be forwarded in tunnel mode and user data packets be forwarded in local mode to reduce the load on the ACs.
VLAN Plan
Number of the ACL for guests' post-authentication domain: 3002 (you need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus)
SSID of the guest area: guest
Portal server:
l Primary IP address: 172.22.10.2
l Secondary IP address: 172.22.10.3
l Port number that the AC uses to listen on Portal protocol packets: 2000
l Destination port number in the packets that the AC sends to the Portal server: 50200
l Shared key: Admin@123
l Encryption key for the URL parameters that the AC sends to the Portal server: Admin@123
Agile Controller-Campus (users can use the domain name to access the Portal server):
l Host name1: access1.example.com
l Host name2: access2.example.com
l IP address of the active device 1: 172.18.10.1
l IP address of the active device 2: 172.18.10.2
l IP address of the standby device: 172.18.10.3
Post-authentication domain for guests: Internet
Configuration Roadmap
1. Configure the access switch, aggregation switch, and core switch to ensure network connectivity.
2. On the ACs, configure a RADIUS server template, configure authentication, accounting, and authorization schemes in the template, and specify the IP addresses of Portal servers. In this way, the ACs can communicate with RADIUS servers and Portal servers.
3. Configure reliability services and basic WLAN services for the ACs.
4. Add ACs to the Service Manager and configure parameters for the ACs to ensure that the Agile Controller-Campus can manage the ACs.
5. Add authorization results and rules to grant different access rights to employees and guests after they are successfully authenticated.
Procedure
Step 1 [Device] Configure the access switch S2750EI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan batch 100 101 102 //Create VLAN 100, VLAN 101, and VLAN 102 in a batch.
[S2700] interface gigabitethernet 0/0/1 //Enter the view of the interface connected to an AP.
[S2700-GigabitEthernet0/0/1] port link-type trunk //Change the link type of gigabitethernet0/0/1 to trunk.
[S2700-GigabitEthernet0/0/1] port trunk pvid vlan 100 //Set the default VLAN of gigabitethernet0/0/1 to VLAN 100.
[S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102 //Add gigabitethernet0/0/1 to VLAN 100, VLAN 101, and VLAN 102.
[S2700-GigabitEthernet0/0/1] port-isolate enable //Configure port isolation to prevent unwanted broadcast packets in a VLAN and Layer 2 communication between WLAN users connected to different APs.
[S2700-GigabitEthernet0/0/1] quit
[S2700] interface gigabitethernet 0/0/2 //Enter the view of the interface connected to another AP.
[S2700-GigabitEthernet0/0/2] port link-type trunk
[S2700-GigabitEthernet0/0/2] port trunk pvid vlan 100
[S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[S2700-GigabitEthernet0/0/2] port-isolate enable
[S2700-GigabitEthernet0/0/2] quit
Step 2 [Device] Configure the aggregation switch S5700 to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S5700
[S5700] vlan batch 100 101 102 //Create VLAN 100, VLAN 101, and VLAN 102 in a batch.
[S5700] interface gigabitethernet 0/0/1 //Enter the view of the interface connected to the access switch S2700.
[S5700-GigabitEthernet0/0/1] port link-type trunk
[S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[S5700-GigabitEthernet0/0/1] quit
[S5700] interface gigabitethernet 0/0/2 //Enter the view of the interface connected to the core switch S7700.
[S5700-GigabitEthernet0/0/2] port link-type trunk
[S5700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[S5700-GigabitEthernet0/0/2] quit
[S5700] interface gigabitethernet 0/0/3 //Enter the view of the interface connected to AC1.
[S5700-GigabitEthernet0/0/3] port link-type trunk
[S5700-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[S5700-GigabitEthernet0/0/3] quit
[S5700] interface gigabitethernet 0/0/4 //Enter the view of the interface connected to AC2.
[S5700-GigabitEthernet0/0/4] port link-type trunk
[S5700-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[S5700-GigabitEthernet0/0/4] quit
[S5700] interface gigabitethernet 0/0/5 //Enter the view of the interface connected to AC3.
[S5700-GigabitEthernet0/0/5] port link-type trunk
[S5700-GigabitEthernet0/0/5] port trunk allow-pass vlan 100
[S5700-GigabitEthernet0/0/5] quit
[S5700] quit
<S5700> save //Save the configuration.
Step 3 [Device] Configure the core switch S7700 to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700
[S7700] dhcp enable //Enable the DHCP service.
[S7700] vlan batch 100 to 103 //Create VLAN 100, VLAN 101, VLAN 102, and VLAN 103 in a batch.
[S7700] interface gigabitethernet 1/0/1 //Enter the view of the interface connected to the aggregation switch S5700.
[S7700-GigabitEthernet1/0/1] port link-type trunk
[S7700-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 101 102
[S7700-GigabitEthernet1/0/1] quit
[S7700] interface vlanif 100
[S7700-Vlanif100] ip address 172.18.10.4 24
[S7700-Vlanif100] dhcp select relay //Enable the DHCP relay agent.
[S7700-Vlanif100] dhcp relay server-ip 172.22.10.6 //Configure the DHCP server connected to the DHCP relay agent.
[S7700-Vlanif100] quit
[S7700] interface vlanif 101
[S7700-Vlanif101] ip address 172.20.10.1 24
[S7700-Vlanif101] dhcp select relay
[S7700-Vlanif101] dhcp relay server-ip 172.22.10.6
[S7700-Vlanif101] quit
[S7700] interface vlanif 102
[S7700-Vlanif102] ip address 172.19.10.1 24
[S7700-Vlanif102] dhcp select relay
[S7700-Vlanif102] dhcp relay server-ip 172.22.10.6
[S7700-Vlanif102] quit
[S7700] interface gigabitethernet 1/0/2 //Enter the view of the interface
# Configure network connectivity, connect GE0/0/1 on AC2 to the S5700, and add GE0/0/1 to mVLAN 100 and service VLANs 101 and 102.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101 102
[AC2] interface gigabitethernet 0/0/1 //Enter the view of the interface connected to the aggregation switch S5700.
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 172.18.10.2 24 //Configure a source IP address for AC2.
[AC2-Vlanif100] quit
[AC2] ip route-static 0.0.0.0 0 172.18.10.4 //Configure a default route between AC2 and the server zone so that packets are forwarded to the core switch by default.
# Configure network connectivity, connect GE0/0/1 on AC3 to the S5700, and add GE0/0/1 to mVLAN 100 and service VLANs 101 and 102. Configure AC3 as the standby AC of AC1 and AC2.
<AC6605> system-view
[AC6605] sysname AC3
[AC3] vlan batch 100 101 102
[AC3] interface gigabitethernet 0/0/1 //Enter the view of the interface connected to the aggregation switch S5700.
[AC3-GigabitEthernet0/0/1] port link-type trunk
[AC3-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC3-GigabitEthernet0/0/1] quit
[AC3] interface vlanif 100
[AC3-Vlanif100] ip address 172.18.10.3 24 //Configure a source IP address for AC3.
[AC3-Vlanif100] quit
[AC3] ip route-static 0.0.0.0 0 172.18.10.4 //Configure a default route between AC3 and the server zone so that packets are forwarded to the core switch by default.
# Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name domain1
[AC1-wlan-regulatory-domain-prof-domain1] country-code cn
[AC1-wlan-regulatory-domain-prof-domain1] quit
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap_group] quit
[AC1-wlan-view] quit
# Import the AP offline on the AC and add the AP to the AP group. This example assumes that the AP type is AP6010DN-AGN and the MAC address of the AP is 60de-4476-e360.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name ap_0
[AC1-wlan-ap-0] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] quit
# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC1] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC            Name  Group    IP            Type         State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 ap_0  ap_group 172.18.10.254 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1
NOTE
The configuration process on AC2 is the same as that on AC1. The detailed process is as follows:
1. Create the AP group ap_group on AC2 and add APs managed by AC2 to this AP group.
2. Create a regulatory domain profile on AC2, configure the AC country code in the profile, and apply the
profile to the AP group.
3. Specify the IP address of VLANIF 100 on AC2 as the source address.
4. Add an AP with the type AP6010DN-AGN and MAC address 60de-4476-e380 to AC2 offline, and add
the AP to ap_group.
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC3-wlan-view] regulatory-domain-profile name domain1
[AC3-wlan-regulatory-domain-prof-domain1] country-code cn
[AC3-wlan-regulatory-domain-prof-domain1] quit
[AC3-wlan-view] ap-group name ap_group
[AC3-wlan-ap-group-ap_group] regulatory-domain-profile domain1
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC3-wlan-ap-group-ap_group] quit
[AC3-wlan-view] quit
# Import the AP offline on the AC and add the AP to the AP group. This example assumes
that the AP type is AP6010DN-AGN, and the MAC addresses of AP_0 and AP_1 are
60de-4476-e360 and 60de-4476-e380 respectively.
[AC3] wlan
[AC3-wlan-view] ap auth-mode mac-auth
[AC3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC3-wlan-ap-0] ap-name ap_0
[AC3-wlan-ap-0] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC3-wlan-ap-0] quit
[AC3-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC3-wlan-ap-1] ap-name ap_1
[AC3-wlan-ap-1] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC3-wlan-ap-1] quit
[AC3-wlan-view] quit
Step 6 [Device] Configure interconnection parameters for the AC and RADIUS server as well as the
AC and Portal server, so that the AC can associate with the RADIUS and Portal servers.
# On AC1, configure a RADIUS server template, and configure authentication, accounting,
and authorization schemes in the template.
[AC1] radius-server template radius_template
[AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 source
NOTE
The accounting realtime command sets the real-time accounting interval. A short real-time accounting
interval requires high performance of the device and RADIUS server. Set a real-time accounting interval
based on the user quantity.
Number of Users    Real-Time Accounting Interval
1 to 99            3 minutes
≥ 1000             ≥ 15 minutes
# Check whether a user can use a RADIUS template for authentication. (User name test and
password Admin_123 have been configured on the RADIUS server.)
[AC1] test-aaa test Admin_123 radius-template radius_huawei pap
Info: Account test succeed.
2. Configure parameters carried in the URL, which must be the same as those on the
authentication server.
[AC1-url-template-huawei1] url-parameter ssid ssid redirect-url url //
Specify the names of the parameters included in the URL. The parameter names
must be the same as those on the authentication server.
//The first ssid indicates that the URL contains the SSID field, and the
second ssid indicates the parameter name.
//For example, after ssid ssid is configured, the URL redirected to the user
contains ssid=guest, where ssid indicates the parameter name, and guest
indicates the SSID with which the user associates.
//The second ssid represents the transmitted parameter name only and cannot
be replaced with the actual user SSID.
//When the AC uses url as the parameter name, the URL must be entered on the
Portal server to specify to which URL users' access requests will be
redirected.
[AC1-url-template-huawei1] quit
3. Configure the URL of the secondary Portal authentication page. When the primary Portal
server is unavailable, the AC redirects the website that a user attempts to access to the
secondary Portal server.
[AC1] url-template name huawei2
[AC1-url-template-huawei2] url http://access2.example.com:8080/portal //
access2.example.com is the host name of the secondary Portal server.
[AC1-url-template-huawei2] url-parameter ssid ssid redirect-url url
[AC1-url-template-huawei2] quit
4. Specify the port number used to process Portal protocol packets. The default port number
is 2000. If you change the port number on the AC, set the same port number when you
add this AC to the Agile Controller-Campus.
[AC1] web-auth-server listening-port 2000
5. Configure a primary Portal server template, including configuring the IP address and
port number of the primary Portal server.
Set the destination port number in the packets sent to the Portal server to 50200. The
Portal server accepts packets with destination port 50200, but the AC uses port 50100 to
send packets to the Portal server by default. Therefore, you must change the port number
to 50200 on the AC so that the AC can communicate with the Portal server.
[AC1] web-auth-server portal_huawei1
[AC1-web-auth-server-portal_huawei1] server-ip 172.22.10.2 //Configure an IP
address for the primary Portal server.
[AC1-web-auth-server-portal_huawei1] source-ip 172.18.10.1 //Configure an IP
address for the device to communicate with the Portal server.
[AC1-web-auth-server-portal_huawei1] port 50200 //Set the destination port
number in the packets sent to the Portal server to 50200.
6. Configure the shared key used to communicate with the Portal server, which must be the
same as that on the Portal server. In addition, enable the AC to transmit encrypted URL
parameters to the Portal server.
[AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123 //Configure
the shared key used to communicate with the Portal server, which must be the
same as that on the Portal server.
[AC1-web-auth-server-portal_huawei1] url-template huawei1 //Bind the URL
template to the Portal server profile.
9. Configure a secondary Portal server template, including configuring the IP address, port
number, and shared key of the secondary Portal server.
[AC1] web-auth-server portal_huawei2
[AC1-web-auth-server-portal_huawei2] server-ip 172.22.10.3 //Configure an IP
address for the secondary Portal server.
[AC1-web-auth-server-portal_huawei2] source-ip 172.18.10.1
[AC1-web-auth-server-portal_huawei2] port 50200
[AC1-web-auth-server-portal_huawei2] shared-key cipher Admin@123
[AC1-web-auth-server-portal_huawei2] url-template huawei2
[AC1-web-auth-server-portal_huawei2] server-detect interval 100 max-times 5
# Enable the Portal authentication quiet period function. With this function enabled, the AC
drops packets of an authentication user during the quiet period if the user fails Portal
authentication for the specified number of times in 60 seconds. This function protects the AC
from overloading caused by frequent authentication.
[AC1] portal quiet-period
[AC1] portal quiet-times 5 //Set the maximum number of authentication failures
in 60 seconds before a Portal authentication user is set to the quiet state.
[AC1] portal timer quiet-period 240 //Set the quiet period to 240 seconds.
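As an added example (not Huawei code), the following Python models the quiet-period behaviour configured above: a user who fails Portal authentication quiet-times (5) times within 60 seconds has its authentication packets dropped for the quiet period (240 seconds). Tracking users by MAC address and the event format are assumptions; the traffic below is constructed sample data.

```python
"""Model of the Portal authentication quiet-period function (added example,
not Huawei code). Per-user tracking by MAC address is an assumption."""
from collections import deque

FAILURE_WINDOW = 60  # the 60-second window in which failures are counted


class PortalQuietPeriod:
    def __init__(self, quiet_times=5, quiet_period=240, window=FAILURE_WINDOW):
        self.quiet_times = quiet_times      # portal quiet-times 5
        self.quiet_period = quiet_period    # portal timer quiet-period 240
        self.window = window
        self._failures = {}     # user MAC -> deque of failure timestamps
        self._quiet_until = {}  # user MAC -> time at which the quiet state ends

    def is_quiet(self, user, now):
        """True while the user's authentication packets are being dropped."""
        until = self._quiet_until.get(user)
        if until is None:
            return False
        if now >= until:                    # quiet period has expired
            del self._quiet_until[user]
            return False
        return True

    def record_failure(self, user, now):
        """Record a failed authentication; return True if the user is now quiet."""
        if self.is_quiet(user, now):
            return True
        failures = self._failures.setdefault(user, deque())
        failures.append(now)
        while failures and now - failures[0] >= self.window:
            failures.popleft()              # forget failures older than 60 s
        if len(failures) >= self.quiet_times:
            self._quiet_until[user] = now + self.quiet_period
            failures.clear()                # counting restarts after the quiet period
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)

    def handle_packet(self, user, now):
        """'drop' while the user is quiet, otherwise 'accept'."""
        return "drop" if self.is_quiet(user, now) else "accept"


# Constructed sample events (timestamp in seconds, user MAC, kind); each user
# is tracked independently, so the per-user groups below can be read separately.
SAMPLE_EVENTS = [
    (0, "mac-a", "fail"), (10, "mac-a", "fail"), (20, "mac-a", "fail"),
    (30, "mac-a", "fail"), (40, "mac-a", "fail"),   # 5th failure within 60 s
    (100, "mac-a", "packet"),                        # inside the 240 s quiet period
    (279, "mac-a", "packet"), (280, "mac-a", "packet"),  # 40 + 240 = 280: quiet ends
    (0, "mac-b", "fail"), (70, "mac-b", "fail"), (130, "mac-b", "fail"),
    (190, "mac-b", "fail"), (250, "mac-b", "fail"),  # never 5 failures in one window
    (260, "mac-b", "packet"),
]


def simulate(events, quiet_times=5, quiet_period=240):
    """Run the events and return (time, user, decision) per event."""
    state = PortalQuietPeriod(quiet_times, quiet_period)
    decisions = []
    for t, user, kind in events:
        if kind == "fail":
            decisions.append((t, user, "quiet" if state.record_failure(user, t) else "counted"))
        elif kind == "ok":
            state.record_success(user)
            decisions.append((t, user, "online"))
        else:
            decisions.append((t, user, state.handle_packet(user, t)))
    return decisions


if __name__ == "__main__":
    for row in simulate(SAMPLE_EVENTS):
        print(row)
```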
# Create a Portal access profile, and bind the Portal server template to it.
[AC1] portal-access-profile name acc_portal //Create a Portal access profile.
[AC1-portal-access-profile-acc_portal] web-auth-server portal_huawei1
portal_huawei2 direct //Configure the primary and secondary Portal server
templates used by the Portal access profile. If the network between end users and
the AC is a Layer 2 network, configure the direct mode; if the network is a Layer
3 network, configure the layer3 mode.
[AC1-portal-access-profile-acc_portal] quit
# Configure pre-authentication and post-authentication access rules for employees and guests.
[AC1] free-rule-template name default_free_rule
[AC1-free-rule-default_free_rule] free-rule 1 destination ip 172.22.10.4 mask
255.255.255.255 //Configure a Portal authentication-free rule to allow users to
connect to the DNS server before authentication.
[AC1-free-rule-default_free_rule] free-rule 2 destination ip 172.22.10.6 mask
255.255.255.255 //Configure a Portal authentication-free rule to allow users to
connect to the DNS server before authentication.
[AC1-free-rule-default_free_rule] quit
[AC1] acl 3001 //Configure the post-authentication domain for employees,
including the intranet and Internet.
[AC1-acl-adv-3001] rule 5 permit ip
[AC1-acl-adv-3001] quit
[AC1] acl 3002 //Configure the post-authentication domain for guests, including
the Internet.
[AC1-acl-adv-3002] rule 5 deny ip destination 172.22.10.5 0 //172.22.10.5 is
the company's server resource and cannot be accessed by guests.
[AC1-acl-adv-3002] rule 10 permit ip
[AC1-acl-adv-3002] quit
# Enable terminal type awareness to allow the ACs to send the option fields containing the
terminal type in DHCP packets to the authentication server. In this way, the authentication
server can push the correct Portal authentication pages to users based on their terminal types.
[AC1] dhcp snooping enable
[AC1] device-sensor dhcp option 12 55 60
The configurations of AC2 and AC3 are the same as that of AC1 and are not described here.
When configuring the authentication server, specify the IP address of VLANIF 100 on a
device as the source address.
Step 7 [Device] Set WLAN service parameters.
# Create the security profile security_portal and set the security policy in the profile.
[AC1] wlan
[AC1-wlan-view] security-profile name security_portal
[AC1-wlan-sec-prof-security_portal] quit
# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to
employee and guest respectively.
[AC1-wlan-view] ssid-profile name wlan-ssid-employee
[AC1-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-employee] quit
[AC1-wlan-view] ssid-profile name wlan-ssid-guest
[AC1-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-guest] quit
# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data
forwarding mode and service VLANs, and apply the security, SSID, and authentication
profiles to the VAP profiles.
[AC1-wlan-view] vap-profile name wlan-vap-employee
[AC1-wlan-vap-prof-wlan-vap-employee] forward-mode direct-forward //Configure
direct forwarding for employees.
[AC1-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC1-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal //Bind
the authentication profile.
[AC1-wlan-vap-prof-wlan-vap-employee] quit
[AC1-wlan-view] vap-profile name wlan-vap-guest
[AC1-wlan-vap-prof-wlan-vap-guest] forward-mode direct-forward //Configure
direct forwarding for guests.
[AC1-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 102
[AC1-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC1-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal
[AC1-wlan-vap-prof-wlan-vap-guest] quit
# Bind the VAP profile to the AP groups and apply the VAP profile to radio 0 and radio 1 of
the AP.
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 0 //
Configure the 2.4 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 1 //
Configure the 5 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 0 //
Configure the 2.4 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 1 //
Configure the 5 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] quit
Set WLAN service parameters on AC2, which are the same as those on AC1.
The WLAN service configurations on the standby AC must contain all the configurations on
the active ACs. In this example, the active ACs have the same WLAN service configurations,
so the configurations on AC3 must be the same as those on AC1 or AC2.
# Create the security profile security_portal and set the security policy in the profile.
[AC3] wlan
[AC3-wlan-view] security-profile name security_portal
[AC3-wlan-sec-prof-security_portal] quit
# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to
employee and guest respectively.
[AC3-wlan-view] ssid-profile name wlan-ssid-employee
[AC3-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC3-wlan-ssid-prof-wlan-ssid-employee] quit
[AC3-wlan-view] ssid-profile name wlan-ssid-guest
[AC3-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC3-wlan-ssid-prof-wlan-ssid-guest] quit
# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data
forwarding mode and service VLANs, and apply the security, SSID, and authentication
profiles to the VAP profiles.
[AC3-wlan-view] vap-profile name wlan-vap-employee
[AC3-wlan-vap-prof-wlan-vap-employee] forward-mode direct-forward //Configure
direct forwarding for employees.
[AC3-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 101
[AC3-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC3-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC3-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal //Bind
the authentication profile.
[AC3-wlan-vap-prof-wlan-vap-employee] quit
[AC3-wlan-view] vap-profile name wlan-vap-guest
[AC3-wlan-vap-prof-wlan-vap-guest] forward-mode direct-forward //Configure
direct forwarding for guests.
[AC3-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 102
[AC3-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC3-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC3-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal
[AC3-wlan-vap-prof-wlan-vap-guest] quit
# Bind the VAP profile to the AP groups and apply the VAP profile to radio 0 and radio 1 of
the AP.
[AC3-wlan-view] ap-group name ap_group
[AC3-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 0 //
Configure the 2.4 GHz frequency band of the AP to provide services for employees.
[AC3-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 1 //
Configure the 5 GHz frequency band of the AP to provide services for employees.
[AC3-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 0 //
Configure the 2.4 GHz frequency band of the AP to provide services for guests.
[AC3-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 1 //
Configure the 5 GHz frequency band of the AP to provide services for guests.
[AC3-wlan-ap-group-ap_group] quit
# On AC2, configure the global and individual priorities of the active AC2 and configure an
IP address for the standby AC3 so that the ACs work in N+1 backup mode.
[AC2] wlan
[AC2-wlan-view] ac protect protect-ac 172.18.10.3 //Configure an IP address for
the standby AC.
Warning: Operation successful. It will take effect after AP reset.
[AC2-wlan-view] ac protect priority 6 //Configure the global priority of the
active AC2.
Warning: Operation successful. It will take effect after AP reset.
[AC2-wlan-view] ap-system-profile name ap-system1 //Create an AP system profile
and enter this profile view.
[AC2-wlan-ap-system-prof-ap-system1] priority 3 //Configure the individual
priority of the active AC2.
Warning: This action will take effect after resetting AP.
[AC2-wlan-ap-system-prof-ap-system1] quit
[AC2-wlan-view] ap-group name ap_group
[AC2-wlan-ap-group-ap_group] ap-system-profile ap-system1 //Bind the AP system
profile to the AP group.
[AC2-wlan-ap-group-ap_group] quit
# On AC3, configure IP addresses for active ACs and configure the global priority of the
standby AC3 so that the ACs work in N+1 backup mode.
[AC3] wlan
[AC3-wlan-view] ac protect priority 5
Warning: Operation successful. It will take effect after AP reset.
[AC3-wlan-view] ap-system-profile name ap-system1 //Create an AP system profile
and enter this profile view.
[AC3-wlan-ap-system-prof-ap-system1] protect-ac ip-address 172.18.10.1
Warning: This action will take effect after resetting AP.
[AC3-wlan-ap-system-prof-ap-system1] quit
[AC3-wlan-view] ap-system-profile name ap-system2 //Create an AP system profile
and enter this profile view.
[AC3-wlan-ap-system-prof-ap-system2] protect-ac ip-address 172.18.10.2
Warning: This action will take effect after resetting AP.
[AC3-wlan-ap-system-prof-ap-system2] quit
[AC3-wlan-view] ap-id 0
[AC3-wlan-ap-0] ap-system-profile ap-system1
[AC3-wlan-ap-0] quit
[AC3-wlan-view] ap-id 1
[AC3-wlan-ap-1] ap-system-profile ap-system2
[AC3-wlan-ap-1] quit
# On AC1, enable N+1 backup and restart all APs to make the function take effect.
NOTE
By default, N+1 backup is enabled. To restart all APs, run the ap-reset all command on AC1 and AC2. After
the APs are restarted, N+1 backup starts to take effect.
[AC1-wlan-view] undo ac protect enable //Enable the N+1 backup function.
[AC1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
# On AC2, enable N+1 backup and restart all APs to make the function take effect.
[AC2-wlan-view] undo ac protect enable
[AC2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
Step 9 [Agile Controller-Campus] Add AC1 to the Service Manager to enable the Agile Controller-
Campus to manage the AC.
1. Choose Resource > Device > Device Management.
2. Click Add.
3. Configure parameters for AC1.
Name: AC1
4. Click OK.
5. Click Add again and set parameters of AC2.
Step 10 [Agile Controller-Campus] Add SSIDs on the Agile Controller-Campus, so that the Agile
Controller-Campus can authorize users through the SSIDs.
1. Choose Policy > Permission Control > Policy Element > SSID.
2. Click Add and add SSIDs for employees and guests.
The SSIDs must be the same as those configured on the AC.
Step 11 [Agile Controller-Campus] Configure authorization results and rules to grant different access
rights to employees and guests after they are successfully authenticated.
1. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and add authorization ACLs for employees and guests.
The ACL numbers must be the same as those configured on the authentication control
device.
2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and bind the authorization result to specify resources accessible to
employees and guests after successful authentication.
3. Modify the default authorization rule by changing the authorization result to Deny
Access.
Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click on the right of Default Authorization Rule. Change
the value of Authorization Result to Deny Access.
----End
Verification
If a terminal uses Internet Explorer 8 for Portal authentication, the following configuration
must be completed for the browser. Otherwise, the Portal authentication page cannot be
displayed.
1. Choose Tools > Internet Options.
2. Select options related to Use TLS on the Advanced tab.
3. Click OK.
Employee authentication
l User account tony (employee account) can only access the Agile Controller-Campus server
and DNS server before authentication.
l When the employee connects to the Wi-Fi hotspot employee using a computer and attempts
to visit the Internet, the default authentication page is pushed to the user. After the
employee enters the correct user name and password, the authentication succeeds and the
requested web page is displayed automatically.
l After the authentication succeeds, run the display access-user command on the AC. The
command output shows that the user tony is online.
l On the Service Manager, choose Resource > User > Online User Management. The user tony
is displayed in the list of online users.
l On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS
authentication log for the user tony.
Guest authentication
l User account susan (guest account) can only access the Agile Controller-Campus server
and DNS server before authentication.
l When the guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to
visit the Internet, the guest authentication page is pushed to the user. After the guest
enters the correct user name and password, the authentication succeeds and the requested
web page is displayed automatically.
l User account susan cannot access internal servers of the company.
l After the authentication succeeds, run the display access-user command on the AC. The
command output shows that the user susan is online.
l On the Service Manager, choose Resource > User > Online User Management. The user susan
is displayed in the list of online users.
l On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS
authentication log for the user susan.
AC1 and AC2 power-off
Services are automatically switched to AC3, and employees and guests are offline. Employees
and guests are re-authenticated and go online, and their access rights are normal.
SC power-off
After the network cable of a Service Controller, employees and guests are re-authenticated
and go online. Their access rights are normal.
4.19.12 Appendix
Modify the Button Background
Delete Picture, Text Box, Button, and Other Controls
Change the Authentication Mode
Add Links to User Notice Page, Page Switching, Forget Password and Registration Page
Select the authentication mode you want from the drop-down list box on the
menu bar. Before adding a new authentication mode, press Delete to delete all controls used
in the original authentication mode.
l Account password authentication
Includes the Account and Password fields and Log In buttons.
l Passcode authentication
Includes the Passcode field and Log In buttons.
l Quick mobile phone authentication
Includes the Phone number and Password fields as well as Get Password and Log In
buttons.
l Mobile phone verification code authentication
Includes the Account, Password and Verification code fields, and Get Verification
Code and Log In buttons.
NOTE
l The validity period of a verification code is 10 minutes. When the validity period expires,
users need to obtain a new verification code.
l Click Get Verification Code and then Set Button Background and Verification Code
Delivery Interval to set the countdown period for receiving a verification code through a
short message and the text on the button.
l End users receive verification codes through their mobile phones when this authentication
mode is used. Therefore, end users' mobile phone numbers must be configured; otherwise,
they cannot receive verification codes.
l One-key authentication
Includes the Email field and Log In button.
l Uniform authentication
Indicates account/password authentication, passcode authentication, and social media
authentication.
Add Links to User Notice Page, Page Switching, Forget Password and
Registration Page
Select links you want to add from the drop-down list box on the menu bar.
Links to the target pages are available by default. You can add the links directly without any
special settings.
The following figure shows the link setting effect for the user notice page. Click Readme to
switch to the user notice page.
Select buttons you want to add from the drop-down list box on the menu bar.
The following figure shows the effect of adding the AutoLogin button.
NOTE
l End users need to enable the browser cookie after adding the Remember password or Auto login
button; otherwise the button does not take effect. Enabling the browser cookie may cause potential
risks. Exercise caution when you perform this operation.
l The AutoLogin button does not take effect on the automatically displayed Portal authentication
page on iPhone, because the displayed web page on iPhone cannot save cookie information. The
built-in Safari browser of iPhone can save cookie information.
customizing a registration page. Select the field you want to add from the
drop-down list box on the menu bar.
NOTE
The verification code field is not provided in the default authentication page template. You are advised
to add the field to improve login and authentication security. On the position where a verification code is
to be added, select Verification code from the Field drop-down list box.
Modify the Interval for Quickly Obtaining the Password Through Mobile Phone
Click Get Password on the quick authentication page, and then click Set Button
Background and Short Message Sending Interval. Set the parameters accordingly in the
displayed dialog box.
Context
To ensure that a page has an elegant appearance and high security, an administrator must be
capable of page editing and image processing.
Based on the screen size, terminal devices are classified into mobile phones and computers.
When you customize a page for mobile phones, the compact and simple style, small pictures,
and short texts are recommended because mobile phones have small screen size. As
computers have large screen size and can carry more information than mobile phones, you can
use large pictures and relatively long texts during page customization. You need to customize
pages for mobile phones and computers if an enterprise allows guests to access the network
using mobile phones and computers (laptops and tablet computers).
The Service Manager provides pre-defined page templates that are frequently used. You can
choose Policy > Permission Control > Page Customization > Authentication &
Registration Template to locate the templates. Administrators can select their desired page
style or modify the style of the templates.
The registration page, authentication page, authentication success page, and user notice page
make up a set of guest pages.
Procedure
Step 1 Choose Policy > Permission Control > Page Customization > Page Customization.
Step 3 Set parameters for the customized page and click Next.
Step 4 Select your desired page template and preview the effect. Select a language template and click
Next.
A customization page can be used by guests only after the page is released. The save to draft
function only saves a customization page on the Service Manager.
After you click Publish, the system automatically saves the customization page.
----End
Prerequisites
The authentication or registration page has been customized. For details, see 4.19.12.2
Customizing Pages.
Context
If guests use different authentication and registration pages, configure a unified Portal page
http://server-ip:8080/portal or http://agilecontroller.huawei.com:8080/portal for all users.
The Agile Controller-Campus automatically redirects the Portal page to the authentication or
registration page based on the defined redirection rule.
The URL using the domain name is recommended because it is safer and faster. However, you
need to configure the mapping between the domain name agilecontroller.huawei.com and the
server IP address on the DNS server in advance.
The redirection rules are prioritized. The rule with the highest priority is preferentially
matched with the user authentication data. If all configured rules are mismatched, the default
rule is used.
Procedure
Step 1 Choose Policy > Permission Control > Page Customization > Portal Page Push Rule.
Parameter Description
Push conditions
Specifies the condition for pushing Portal pages, including the time, terminal's IP address
segment, self-defined parameter, terminal's operating system type, and account type.
Self-defined parameters must be the same as those parameters carried in the URL configured
on the AC by running the url-parameter command. The command format on the AC is as follows:
url-parameter { ac-ip ac-ip-value | ac-mac ac-mac-value | ap-ip ap-ip-value | ap-mac
ap-mac-value | ssid ssid-value | sysname sysname-value | user-ipaddress
user-ipaddress-value | user-mac user-mac-value | redirect-url redirect-url-value } *
l ac-ip ac-ip-value: specifies the AC IP address carried in the URL. If required, set
ac-ip-value to ac-ip.
l ac-mac ac-mac-value: specifies the AC MAC address carried in the URL and sets the
parameter name.
l ap-ip ap-ip-value: specifies the AP IP address carried in the URL and sets the parameter
name.
l ap-mac ap-mac-value: specifies the AP MAC address carried in the URL. If required, set
ap-mac-value to apmac.
l ssid ssid-value: specifies the SSID that users associate with carried in the URL. If
required, set ssid-value to ssid.
l sysname sysname-value: specifies the device system name carried in the URL and sets the
parameter name.
l user-ipaddress user-ipaddress-value: specifies the user IP address carried in the URL. If
required, set user-ipaddress-value to userip.
l user-mac user-mac-value: specifies the user MAC address carried in the URL. If required,
set user-mac-value to usermac.
l redirect-url redirect-url-value: specifies the original URL that a user accesses carried
in the URL. If required, set redirect-url-value to url.
For example, if the url-parameter ssid ssid command is configured on the AC, you must set
ssid-value to ssid. If users connect to the network through the SSID example, you must set
Customized parameters to ssid=example.
NOTE
l For WeChat authentication and public QR code authentication, you must set a value for
redirect-url.
l For WeChat authentication-free, you need to set values for redirect-url and user-mac.
l In scenarios where guests follow a WeChat public account to access Wi-Fi, ssid,
redirect-url, and user-mac are mandatory.
l When configuring URL parameters in the URL template view on the AC, do not run the
parameter { start-mark parameter-value | assignment-mark parameter-value | isolate-mark
parameter-value } * command to modify symbols in the URL. If you modify the symbols in the
URL, URL resolution on the Agile Controller-Campus may fail, leading to an interconnection
failure.
First page to push
Specifies the page to be pushed to a guest for the first time.
Page displayed after successful authentication
l No redirect: The authentication success page is displayed after the authentication
succeeds.
l Redirect to the specified address: A specified page is displayed after the authentication
succeeds. Set the URL to be switched to in Address.
l Continue to visit the original page: The original page that the user requests is displayed
after the authentication succeeds. You need to configure the url-parameter redirect-url url
command in the URL template on the AC or switch. For details, see 4.19.12.8 How Do I
Continue to Access the Original Page After Successful Portal Authentication?.
Description
-
----End
Example
Configure three redirection rules for the Portal page.
A guest uses a laptop to connect to the wireless network network. The laptop's IP address is
10.10.10.20. The guest accesses http://server-ip:8080/portal or http://
agilecontroller.huawei.com:8080/portal and is then redirected to authentication page B for
authentication.
Procedure
Step 1 Choose Policy > Permission Control > Page Customization > Language Template to
create a language template for basic self-service information.
Step 2 Choose Policy > Permission Control > Page Customization > Page Customization to
customize the page containing this language template.
When you customize an authentication success page, the page must contain the Self-help
Service button.
Step 3 Choose Policy > Permission Control > Page Customization > Portal Page Push Rule to
create a Portal page push rule and choose the page customized in the preceding step as the
page to be pushed.
Step 4 Enter http://IP address of the Portal authentication server:8080/portal in the address box of
a web browser to visit the self-service page and check whether the GUI elements are
displayed in the language configured in the language template.
----End
Scenario Description
MAC address authentication controls terminal network access permission based on the device
interface and terminal MAC address. When a terminal connects to the network, the access
control device automatically detects the terminal MAC address and sends the MAC address as
the account and password to the RADIUS server for identity authentication. The RADIUS
server instructs the access control device to grant network access permission to the end user
only after the user identity is verified on the RADIUS server. MAC address authentication
applies to scenarios where dumb terminals such as printers and IP phones cannot be
authenticated using user names and passwords or scenarios where only terminal MAC
addresses but not user names and passwords need to be verified due to special requirements.
These terminals cannot trigger identity authentication and need to wait until the access control
device sends authentication requests to the RADIUS server to connect to the network.
Task Overview
Procedure
Step 1 Configure the access control device.
l Function
In MAC address authentication, the access control device sends authentication requests
to the RADIUS server. Therefore, configurations related to RADIUS authentication must
be performed on the access control device.
l Entrance
Log in to the CLI of the access control device through the console port or using SSH.
Parameter Description
Matched Policy: You need to set a name for the policy when Statically Assigned Policy is
enabled. Resource > Terminal > Identification Policy displays all policy names.
Device Group: You need to set a name for the group when User-Defined Device Group is
enabled. Resource > Terminal > Terminal List displays all group names.
differs from that used in common authentication modes. Therefore, the default
authentication rule cannot be used and an authentication rule needs to be configured
separately.
l Entrance
Choose Policy > Permission Control > Authentication & Authorization >
Authentication Rule.
l Key configuration description
Choose MAC Bypass Authentication Service for Service Type.
Step 5 Configure an authorization rule.
l Function
The Agile Controller-Campus grants network access permission to terminals using an
authorization rule. The default authorization rule does not apply to MAC address
authentication and an authorization rule needs to be configured separately.
l Entrance
Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule.
l Key configuration description
– When adding an authorization rule, choose MAC Bypass Authentication Service
for Service Type.
– According to the rule priority, the Agile Controller-Campus matches terminal
access information with authorization conditions of the authorization rule. When
access information about a terminal matches all authorization conditions of an
authorization rule, the Agile Controller-Campus grants permission defined by the
authorization result of the authorization rule to the terminal.
Step 6 A terminal accesses the network.
After a terminal connects to the network, authentication is performed automatically. After
passing the authentication, the terminal can access resources in the post-authentication
domain.
After the terminal is authenticated successfully:
l Run the display access-user command on the device. Online information about the
terminal MAC address is displayed.
l On the Service Manager, choose Resource > User > Online User Management. Online
information about the terminal is displayed.
l On the Service Manager, choose Resource > User > RADIUS Log. The RADIUS
authentication logs of the terminal are displayed.
If the terminal fails to be authenticated, create a common account on the Agile Controller-
Campus, log in to the device, and run the test-aaa user-name user-password radius-template
template-name pap command to test whether the account can pass RADIUS authentication.
l If the system displays the message "Info: Account test succeed", the account can pass
RADIUS authentication and the fault occurs in the access authentication phase. Check the
network connection between the terminal and the access control device.
l If the system displays the message "Error: Account test time out", the account cannot
pass RADIUS authentication and the fault occurs in the RADIUS authentication phase.
Check whether the interconnection parameters of the RADIUS server configured on the
Agile Controller-Campus are consistent with those on the access control device.
The test-aaa command tests only whether users can pass RADIUS authentication; the RADIUS
accounting exchange is not involved. Therefore, after running the test-aaa command, you can
view RADIUS logs but cannot view user online information on the Agile Controller-Campus.
----End
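The exchange described above (the terminal MAC address sent as both account and password, and checked with PAP by test-aaa), as an added example that is not Huawei or Agile Controller-Campus code: it builds a RADIUS Access-Request as RFC 2865 specifies and decodes it on the server side. The shared secret, request authenticator and the MAC string format are constructed assumptions.

```python
"""Constructed RADIUS Access-Request for MAC address authentication (RFC 2865).

Added example, not Huawei or Agile Controller-Campus code.  The access
control device places the terminal MAC in User-Name and User-Password; the
password is hidden with the RFC 2865 section 5.2 method (MD5 keyed by the
shared secret and request authenticator), which is what the PAP path of the
test-aaa command exercises.  The MAC separator/case format the Agile
Controller-Campus expects is an assumption here; secret and authenticator
are constructed sample values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CALLING_STATION_ID = 31


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: zero-pad to 16-byte blocks, b_i = MD5(secret + c_{i-1})."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = _xor(padded[i:i + 16], block)
        out += cipher
        prev = cipher
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: undo hide_password and strip the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += _xor(hidden[i:i + 16], block)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    """Type (1 byte), Length (1 byte, includes the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_mac_auth_request(mac, secret, identifier=1, authenticator=None):
    """Access-Request carrying the MAC as account, password and Calling-Station-Id."""
    if authenticator is None:
        authenticator = os.urandom(16)  # 16 unpredictable bytes per RFC 2865
    account = mac.encode()
    attrs = (_attr(ATTR_USER_NAME, account)
             + _attr(ATTR_USER_PASSWORD, hide_password(account, secret, authenticator))
             + _attr(ATTR_CALLING_STATION_ID, account))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_request(packet, secret):
    """Decode header and attributes; reveal the password with the given secret."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return {
        "code": code,
        "identifier": identifier,
        "user_name": attrs[ATTR_USER_NAME].decode(),
        # A wrong shared secret yields garbage here, not a clean error: the
        # server can only detect it by the account lookup failing.
        "password": password.decode(errors="replace"),
        "calling_station_id": attrs[ATTR_CALLING_STATION_ID].decode(),
    }


if __name__ == "__main__":
    secret = b"constructed-secret"
    pkt = build_mac_auth_request("60de-4476-e320", secret)
    print(len(pkt), "bytes:", parse_request(pkt, secret))
```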
Example
The following example describes how to import MAC address authentication terminals in a
batch.
l How to Fill in the Excel File When You Do Not Know Device Details
When you do not know the device details, fill in only the MAC address and device group
and enter Device Group List in Unknown Device List.
l How to Fill in the Excel File When You Know Device Details
When you know the device details, you can manually configure an identification policy
to enhance the identification ratio and accuracy. The Agile Controller-Campus identifies
the device based on the configured identification policy.
In this case, specify Endpoint MAC, set Statically Assigned Policy to Enable, enter
the name of the identification policy in Matched Policy, and enter Device Group List in
Unknown Device List. The Agile Controller-Campus automatically adds the device to a
device group.
l How to Fill in the Excel File When You Manually Add the Device to a Specified Device
Group
By default, the Agile Controller-Campus classifies devices into groups based on the
device types. You can also manually add a device to a specified device group.
In this case, specify Endpoint MAC, set User-Defined Device Group to Enable, and
enter the name of a specific device group in Device Group List.
l How to Fill in the Excel File When You Need to Mark the Device Access Location
You can use the IP address and connected interface of a device to rapidly locate the
device when a fault occurs.
In this case, specify Endpoint MAC, Access Device IP Address, and Access Device
Port and enter Device Group List in Unknown Device List.
A Windows CA certificate server supports only Windows Server 2008 Enterprise or Windows
Server 2008 R2 Enterprise.
You are advised to check the CA certificate server deployment according to the following
flowchart.
Flowchart: Check network registration service and HTTPS mode.
If the following page is displayed after login using the AD domain account
administrator and its password, the CA server functions properly. Otherwise, delete and
then add the CA component again.
2. On Server Manager, right-click the root certificate. In the displayed dialog box, click
the Extensions tab and check extended fields CDP and AIA.
– CDP: Include in the CDP extension of issued certificates must be selected for
LDAP and HTTP.
– AIA: The two options in the red box must be selected for the OCSP URL.
If the page is displayed in HTTP mode but cannot be displayed in HTTPS mode, check
whether HTTPS is bound to the certificate, and whether the correct root certificate is
selected. Select the certificate the same as the full computer name for SSL certificate.
If the page cannot be displayed in HTTP mode, check whether Network Device
Enrollment Service is installed.
4. The SCEP template must contain the Client Authentication field. Otherwise, end users
may fail the authentication. If the SCEP template does not contain the Client
Authentication field, correct the settings based on the video instruction.
5. In the registry, set the SCEP template name and disable EnforcePassword.
Find the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP and set
their values to the SCEP template name. Set EnforcePassword to 0.
Registry modification takes effect only after the operating system is restarted.
6. Check the permission settings in the SCEP and OCSP templates. If the settings are
incorrect, correct them based on the video instruction.
7. Check whether the SCEP and OCSP templates are issued. If SCEP and OCSP templates
are not in the list, issue the templates based on the video instruction.
8. Choose Start > Administrative Tools > Online Responder Management to check
whether OCSP is in working state. If not, delete ocsp_test and create it again based on
the video instruction.
Prerequisites
The Service Manager and Service Controller have been installed.
Context
l If the Service Manager and Service Controller are installed on the same hardware server,
both Tomcat server certificate and Portal server certificate are replaced after you run the
server certificate importing tool.
l If the Service Manager and Service Controller are installed on different hardware
servers, run the server certificate importing tool on the server where the Service Manager
is installed to replace the Tomcat server certificate, and run the tool on the server where
the Service Controller is installed to replace the Portal server certificate.
Procedure
Step 1 Log in to the server where the Service Manager or Service Controller is installed.
l Windows
Log in to the server using an administrator account.
l Linux
Log in to the server using a root account.
l Windows
Access the installation directory of the Agile Controller-Campus, which is D:\Agile
Controller by default. Change the installation directory according to the actual situation.
Double-click Upload Certificate.bat to start the certificate importing tool.
l Linux
a. Run the chmod 755 /opt/**.jks command to set permissions on the certificate
files so that the certificate importing tool can read them. In this command, /opt
specifies the directory where the certificate file is saved and **.jks specifies
the certificate file name. Replace them with the actual directory and file name.
b. Run the su - controller command to switch to the controller user.
c. Run the cd /opt/AgileController command to access the installation directory of the
Agile Controller-Campus. /opt/AgileController is the default installation directory
of the Agile Controller-Campus. Change the installation directory according to the
actual situation.
d. Run the ll command to check whether the Upload Certificate.sh file exists in the
installation directory of the Agile Controller-Campus.
If so, continue to perform the following steps. If not, check whether the installation
directory of the Agile Controller-Campus is correct.
e. Run the sh Upload Certificate.sh command to start the certificate importing tool.
Step 3 Click Browse. Select the path for storing the certificate and enter the Certificate Password.
Step 5 Restart the Service Manager and Service Controller services after successful upload to make
new certificates take effect.
NOTE
After a Portal server certificate is uploaded, you can only access the Portal server by the domain name
using the HTTPS protocol, and the domain name must be the same as that used during server certificate
application.
----End
4.19.12.8 How Do I Continue to Access the Original Page After Successful Portal
Authentication?
Question
How do I continue to access the original page after successful Portal authentication?
Answer
When forcible switching is disabled, the web browser switches an authenticated end user to
the URL requested before the authentication. The AC sends the URL to the Portal server,
which parses the URL to obtain the specific URL. For example, an end user wants to access
http://bbs.example.com. After you specify the URL address parameter (url) on the AC, the
Portal server receives http://Portal server IP address:8080/portal?url=http://bbs.example.com,
and the web browser pushes http://bbs.example.com to the authenticated end user.
To access the original page after successful Portal authentication, you need to perform the
following configurations on both the AC and Agile Controller-Campus.
l Configuration on the AC
When configuring the Portal server on the AC, configure the AC to send the URL that
the user accesses as the parameter to the Portal server.
<AC> system-view
[AC] url-template name myurl
[AC-url-template-myurl] url http://192.168.1.203:8080/portal
[AC-url-template-myurl] url-parameter redirect-url url
# The Portal server obtains the URL to be switched to based on the url parameter. The AC must send the URL that the user accesses as the parameter to the Portal server. Do not change the parameter name url.
[AC-url-template-myurl] quit
[AC-web-auth-server-portal] quit
[AC] interface vlanif 30
[AC-Vlanif30] web-auth-server portal direct
----End
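The redirect URL handling described in the URL parameter NOTE and in this answer, as an added example (not Huawei or Agile Controller-Campus code): it builds the URL the AC sends a client to, with the start, assignment and isolate marks as configurable symbols, and parses it the way a Portal server applying ordinary query-string rules would, so the effect of changing the marks is visible. Base URL, marks and sample values are constructed; the http(s)-only check on the original URL is an added assumption.

```python
"""Portal redirect URL: how the AC builds it and how the Portal server reads it.

Added example (not Huawei or Agile Controller-Campus code).  Models the URL
template on the AC with its start-mark / assignment-mark / isolate-mark
symbols and the parameter names the Agile Controller-Campus expects (ssid,
userip, usermac, url), then parses the result the way a Portal server that
applies ordinary query-string rules would.  All sample values are constructed.
"""
from urllib.parse import quote, unquote, urlsplit

# Parameter names the url-parameter command makes the AC emit.
EXPECTED_KEYS = ("ssid", "userip", "usermac", "url")


def build_redirect_url(base_url, params, start_mark="?", assignment_mark="=",
                       isolate_mark="&"):
    """Assemble the URL the AC redirects an unauthenticated client to.

    params maps URL parameter name -> value in the order the AC appends them.
    The defaults are the ordinary URL symbols; anything else is what the NOTE
    about the parameter { start-mark | assignment-mark | isolate-mark } command
    warns against.  Reserved characters inside a value (a nested '?', '&', '=')
    are percent-encoded so the outer query stays unambiguous.
    """
    pairs = [f"{key}{assignment_mark}{quote(value, safe=':/')}"
             for key, value in params.items()]
    return base_url + start_mark + isolate_mark.join(pairs)


def parse_redirect_url(redirect_url):
    """Portal-server side: split the query on '&' and '=' only (first value wins)."""
    query = urlsplit(redirect_url).query
    parsed = {}
    for pair in query.split("&") if query else []:
        key, _, value = pair.partition("=")
        parsed.setdefault(unquote(key), unquote(value))
    return parsed


def missing_parameters(parsed, required=EXPECTED_KEYS):
    """Names the Portal server needs but could not find in the parsed query."""
    return [key for key in required if key not in parsed]


def validate_original_url(url):
    """Accept only an absolute http(s) URL as the post-authentication target.

    Assumption, not from the page: a Portal server should not send the client
    to an empty, relative or non-web target taken from the query string.
    """
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


if __name__ == "__main__":
    # Constructed values mirroring the example in the text.
    params = {"ssid": "example", "userip": "10.10.10.20",
              "usermac": "60de-4476-e320", "url": "http://bbs.example.com"}
    good = build_redirect_url("http://192.168.1.203:8080/portal", params)
    print(good)
    print("missing with default marks:", missing_parameters(parse_redirect_url(good)))
    bad = build_redirect_url("http://192.168.1.203:8080/portal", params,
                             isolate_mark=";")
    print("missing with isolate-mark ';':",
          missing_parameters(parse_redirect_url(bad)))
```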
Question
What Should I Do Before Connecting a GPRS Modem to the Agile Controller-Campus?
Answer
1. Ensure that the GPRS modem driver is compatible with the operating system (Microsoft
Windows Server 2008, Microsoft Windows Server 2012 or SUSE Linux 11 SP3) of the
server to be connected.
2. Obtain the baud rate (data transmission rate) of the GPRS modem.
NOTE
Refer to the Product Documentation of the GPRS modem or consult the GPRS modem's technical
support engineer.
3. Use the serial cable or USB cable to connect the GPRS modem to the server.
NOTE
l If the GPRS modem provides a console port, use the serial cable to connect the GPRS
modem to the server with the Service Manager installed.
l If the GPRS modem provides a USB to serial converter, use the USB cable to connect the
GPRS modem to the server with the Service Manager installed and install the USB driver for
the GPRS modem on the server.
4. Configure the baud rate (data transmission rate) of the server to be connected to ensure
that the rate is the same as that of the SMS modem.
– Windows
i. Choose Start > Administrative Tools > Computer Management.
ii. On the Computer Management page, choose System Tools > Device
Manager.
iii. In Ports (COM&LPT), right-click Communications Port (COM1) or
Communications Port (COM2) according to the console port of the SMS
modem and choose Properties.
iv. Click the Port Settings tab and check the baud rate. If the default baud rate
differs from that of the GPRS modem, change the baud rate based on the
GPRS modem's baud rate.
– Linux
In the Linux operating system, the console port identifier is ttyS*. Generally, ttyS0
matches the console port COM1 and ttyS1 matches the console port COM2 in the
Windows operating system. Perform the operation based on the console port to
which the GPRS modem connects.
When configuring a communication port on the Agile Controller-Campus, ensure
that the port is in the /dev/ttyS0 format.
i. Log in to the Linux operating system using the root account.
ii. Run the ls -lrt /dev/ttyS* command and view the console port to which the
GPRS modem connects.
Determine the console port to which the GPRS modem connects based on the
time when the GPRS modem is connected to the server port.
iii. Run the stty -a -F /dev/ttyS0 command and view the baud rate of the console
port.
The port ttyS0 is used as an example. You need to replace it with the actual
port connected to the GPRS modem.
If the baud rate is different from that of the GPRS modem, change the baud rate
based on that of the GPRS modem.
i. Run the stty -F console port speed baud rate command to change the baud
rate of the console port.
For example, you can run the stty -F /dev/ttyS0 speed 115200 command to
change the baud rate of the console port ttyS0 to 115200.
stty -F /dev/ttyS0 speed 115200 //Change the baud rate of the console port ttyS0 to 115200.
9600 //Display the baud rate before the change.
ii. Run the stty -F /dev/ttyS0 command to check whether the baud rate has been
changed.
Service Requirements
In practice, both wired and wireless users need to access one network. For example, the PCs
and printers of a company connect to the network in wired mode, and laptops and mobile
phones connect wirelessly. After unified access for wired and wireless users is configured on
a network, users of both types can access the network and be managed in a unified manner.
A hospital needs to deploy both a wired and a wireless network. To simplify management and
maintenance, the administrator requires that wired and wireless users be centrally managed on
the AC, non-authentication and Portal authentication be configured for the wired and wireless
users respectively, and wireless users roam under the same AC.
Networking Requirements
As shown in Figure 4-99, the AC connects to the egress gateway Router in the uplink
direction. In the downlink direction, the AC connects to and manages APs through S5700-1
and S5700-2 access switches. The S5700-1 and S5700-2 are deployed in the first and second
floors, respectively. An AP2010DN is deployed in each room to provide both wired and
wireless access. The AP5030DN is deployed in the corridor to provide wireless network
coverage. The S5700-1 and S5700-2 are PoE switches directly providing power to connected
APs.
The AC functions as a DHCP server to assign IP addresses to APs, STAs, and PCs.
Data Planning
AP103: AP103 is an AP5030DN and is deployed in the corridor on the first floor to provide
wireless access.
AP203: AP203 is an AP5030DN and is deployed in the corridor on the second floor to provide
wireless access.
l Name: ap-group2
l Referenced profiles: VAP profile wlan-vap2, regulatory domain profile domain1, and radio
profiles radio-2g and radio-5g
VLANIF 102: 10.23.102.1/24; 10.23.102.2-10.23.102.254/24
VLANIF 202: 10.23.202.1/24; 10.23.202.2-10.23.202.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, S5700-1, S5700-2, and other network
devices.
2. Configure the AC as a DHCP server to assign IP addresses to APs, wired users, and
wireless users.
3. Configure a RADIUS server template, configure authentication, accounting, and
authorization in the template, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP management, and
WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can access the
Internet.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
Procedure
Step 1 Configure network devices to communicate with each other.
# Add GE0/0/1 to GE0/0/4 of the S5700-1 to VLAN 100 (management VLAN) and VLAN
201 (VLAN for wired service packets), and add GE0/0/1 to GE0/0/4 of the S5700-2 to VLAN
100 and VLAN 202 (VLAN for wireless service packets). Set PVIDs for interfaces directly
connected to APs. You are advised to configure port isolation on these interfaces to reduce
unnecessary broadcast traffic. The S5700-1 is used as an example here. The configuration on
the S5700-2 is similar. For details, see the configuration file of the S5700-2.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 100 201
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100 //Set a PVID for the interface directly connected to the AP.
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit
[S5700-1] interface gigabitethernet 0/0/4
[S5700-1-GigabitEthernet0/0/4] port link-type trunk
[S5700-1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/4] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/4] port-isolate enable
[S5700-1-GigabitEthernet0/0/4] quit
# On the AC, add GE1/0/1 (connected to the S5700-1) to VLAN 100 and VLAN 201,
GE1/0/2 (connected to the S5700-2) to VLAN 100 and VLAN 202, GE1/0/4 (connected to
the upper-layer network) to VLAN 300, and GE1/0/3 (connected to the Agile Controller) to
VLAN 200.
[AC6605] sysname AC
[AC] vlan batch 100 200 201 202 300
[AC] interface gigabitethernet 1/0/1
# Configure VLANIF 200 for communication between the AC and Agile Controller.
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.2 24 //Configure an IP address for communication between the AC and Agile Controller.
[AC-Vlanif200] quit
Step 2 Configure the AC as a DHCP server to assign IP addresses to PCs, APs, and STAs.
# Configure the AC to assign IP addresses to PCs, APs, and STAs from an interface address
pool.
[AC] dhcp enable
[AC] vlan batch 101 102
[AC] interface vlanif 100 //Configure an interface address pool to assign IP addresses to APs.
[AC-Vlanif100] description manage_ap
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101 //Configure an interface address pool to assign IP addresses to STAs on the first floor.
[AC-Vlanif101] description manage_floor1_sta
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102 //Configure an interface address pool to assign IP addresses to STAs on the second floor.
[AC-Vlanif102] description manage_floor2_sta
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
[AC] interface vlanif 201 //Configure an interface address pool to assign IP addresses to PCs on the first floor.
[AC-Vlanif201] description manage_floor1_pc
[AC-Vlanif201] ip address 10.23.201.1 24
[AC-Vlanif201] dhcp select interface
[AC-Vlanif201] quit
[AC] interface vlanif 202 //Configure an interface address pool to assign IP addresses to PCs on the second floor.
[AC-Vlanif202] description manage_floor2_pc
[AC-Vlanif202] ip address 10.23.202.1 24
[AC-Vlanif202] dhcp select interface
[AC-Vlanif202] quit
Step 3 Configure a RADIUS server template, configure authentication, accounting, and authorization
in the template, and configure Portal authentication.
# Configure a RADIUS server template on the AC, and configure authentication, accounting,
and authorization in the template.
[AC] radius-server template radius1 //Create the RADIUS server template radius1
[AC-radius-radius1] radius-server authentication 10.23.200.1 1812 source ip-
# Enable Portal authentication for wireless users, and configure non-authentication for wired
users.
[AC] portal-access-profile name portal1
[AC-portal-acces-profile-portal1] web-auth-server portal1 direct //Bind the Portal server template portal1 and specify Layer 2 authentication as the Portal authentication mode.
[AC-portal-acces-profile-portal1] quit
[AC] authentication-profile name portal1
[AC-authen-profile-portal1] portal-access-profile portal1
[AC-authen-profile-portal1] access-domain portal1 force //Configure the forcible user domain portal1.
[AC-authen-profile-portal1] quit
# Create AP groups.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn //Configure the AC country code. Radio features of APs managed by the AC must conform to local laws and regulations. The default country code is CN.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit
# Power on the APs and run the display ap all command to check the AP state. If the State
field is nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [6]
-------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------------------
101 60de-4476-e320 ap-101 ap-group1 10.23.101.254 AP6010DN-AGN nor 0 10S
102 60de-4476-e340 ap-102 ap-group1 10.23.101.253 AP6010DN-AGN nor 0 15S
103 dcd2-fc04-b520 ap-103 ap-group1 10.23.101.252 AP6010DN-AGN nor 0 23S
201 60de-4476-e360 ap-201 ap-group2 10.23.102.254 AP6010DN-AGN nor 0 45S
202 60de-4476-e380 ap-202 ap-group2 10.23.102.253 AP6010DN-AGN nor 0 49S
203 dcd2-fc04-b540 ap-203 ap-group2 10.23.102.252 AP6010DN-AGN nor 0 55S
-------------------------------------------------------------------------------------------------
Total: 6
# Configure an AP2010DN's uplink interface GE0/0/0 and downlink interfaces Eth0/0/0 and
Eth0/0/1 to allow wired service packets to pass.
[AC-wlan-view] wired-port-profile name wired1
[AC-wlan-wired-port-wired1] vlan pvid 201 //The downlink interface of the AP2010DN is used to connect wired terminals, such as the PCs. Set a PVID for the interface. VLAN 201 is used to transmit wired service packets of the first floor.
[AC-wlan-wired-port-wired1] vlan untagged 201 //The downlink interface of the AP2010DN is used to connect wired terminals. Add the interface to VLAN 201 in untagged mode.
[AC-wlan-wired-port-wired1] quit
[AC-wlan-view] wired-port-profile name wired2
[AC-wlan-wired-port-wired2] vlan tagged 201 //The uplink interface of the AP2010DN is used to connect to the upper-layer devices. Add the interface to VLAN 201 in tagged mode.
[AC-wlan-wired-port-wired2] quit
[AC-wlan-view] wired-port-profile name wired3
[AC-wlan-wired-port-wired3] vlan pvid 202 //The downlink interface of the AP2010DN is used to connect wired terminals, such as the PCs. Set a PVID for the interface. VLAN 202 is used to transmit wired service packets of the second floor.
[AC-wlan-wired-port-wired3] vlan untagged 202
[AC-wlan-wired-port-wired3] quit
[AC-wlan-view] wired-port-profile name wired4
[AC-wlan-wired-port-wired4] vlan tagged 202
[AC-wlan-wired-port-wired4] quit
[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-101] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-102] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 201
# Create radio profiles radio-2g and radio-5g and bind rrm1 to the radio profiles.
[AC-wlan-view] radio-2g-profile name radio-2g
[AC-wlan-radio-2g-prof-radio-2g] rrm-profile rrm1
[AC-wlan-radio-2g-prof-radio-2g] quit
[AC-wlan-view] radio-5g-profile name radio-5g
[AC-wlan-radio-5g-prof-radio-5g] rrm-profile rrm1
[AC-wlan-radio-5g-prof-radio-5g] quit
# Create security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security //Portal authentication has been enabled on the interface. Set the security policy to OPEN (default setting), that is, no authentication and no encryption.
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to hospital-wlan.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid hospital-wlan //Set the SSID to hospital-wlan.
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create VAP profiles wlan-vap1 and wlan-vap2, configure the data forwarding mode and
service VLANs, and apply the security profile, SSID profile, and authentication profile to the
VAP profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101 //Set the VLAN ID to 101. The default VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap1] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-radio-203/1] quit
[AC-wlan-ap-203] quit
# Connect STAs to the WLAN with SSID hospital-wlan. After you enter the password, the
STAs can access the wireless network. Run the display station all command on the AC. The
command output shows that the STAs are connected to the WLAN hospital-wlan.
[AC-wlan-view] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address SSID
----------------------------------------------------------------------------------------------------------
14cf-9208-9abf 0 ap-101 0/1 2.4G 11n 3/8 -70 10 10.23.101.254 hospital-wlan
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
# STAs and PCs obtain IP addresses and connect to the network properly.
----End
Configuration Files
l S5700-1 configuration file
#
sysname S5700-1
#
vlan batch 100 201
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
url http://10.23.200.1:8080/portal
#
portal-access-profile name portal1
web-auth-server portal1 direct
#
aaa
authentication-scheme radius1
authentication-mode radius
accounting-scheme radius1
accounting-mode radius
domain portal1
authentication-scheme radius1
accounting-scheme radius1
radius-server radius1
#
interface Vlanif100
description manage_ap
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
description manage_floor1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
description manage_floor2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface Vlanif201
description manage_floor1_pc
ip address 10.23.201.1 255.255.255.0
dhcp select interface
#
interface Vlanif202
description manage_floor2_pc
ip address 10.23.202.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 300
#
capwap source interface vlanif100
#
wlan
traffic-profile name traffic1
user-isolate l2
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid hospital-wlan
vap-profile name wlan-vap1
forward-mode tunnel
Application Scenario
This solution uses the core switch as the gateway and authentication point and applies to
education campus networks with fewer than 10,000 access users, meeting customers'
requirements for unified management and configuration of access switches.
Service Requirements
Campus network construction must take the number of users at a college or university into
account. Users access the network only after being authenticated. To ensure network
security, users of different roles must be assigned different network access rights.
l Access
Provide both wired and wireless access.
l Security
Assign different network access rights to students, teachers, and other roles.
l Authentication and Accounting
Use PPPoE, Portal, or 802.1X authentication for wired users, and Portal or 802.1X
authentication for wireless users. Accounting is also required.
l O&M
Provide unified management of wired and wireless networks.
Networking Diagram
The core switch S12700 is configured as the authentication point and gateway for users on the
entire school campus backbone network. The S12700 has the X1E card installed, supports
native AC, and carries wireless services on the entire network.
Network Design
Two S12700s constitute a Cluster Switch System (CSS) that is used as the core of a campus
network, providing high network reliability and scalability.
The S7700 is used as the aggregation switch in each office building and connects to access
switches of each floor. The S5700 is used as the access switch.
The core switch S12700 is configured with native AC to manage APs on the entire network
and transmits wireless services to implement wired and wireless convergence.
The S12700 is used as the gateway for both wired and wireless users on the entire network,
and forwards packets of users based on routes. The S12700 also functions as the
authentication point to authenticate wired and wireless users.
S12700 V200R009C00
S7700 V200R009C00
S5700 V200R009C00
USG6600 V500R001C00
AP V200R006C20
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the aggregation switch.
2. Configure the access switch.
3. Use two S12700s to set up a CSS.
4. Configure interfaces and VLANs on the core switch S12700.
5. Configure Dynamic Host Configuration Protocol (DHCP) on the core switch, and
configure the core switch as a DHCP server to allocate IP addresses to users.
6. Configure the WLAN service on the core switch S12700.
7. Configure wired and wireless authentication and accounting services on the core switch
S12700. Portal authentication is used as an example here.
8. Configure Extensible Messaging and Presence Protocol (XMPP) parameters on the core
switch for interworking with the Agile Controller, and enable free mobility.
9. Configure interfaces and IP addresses on the firewall.
10. Configure zones and security policies on the firewall.
11. Configure Huawei Redundancy Protocol (HRP) on the firewall.
12. Configure intelligent route selection on the firewall.
13. Configure a NAT address pool and a NAT policy on the firewall.
14. Perform agile network configurations on the firewall.
15. Log in to the Agile Controller to add user groups and user accounts.
16. Configure Remote Authentication Dial In User Service (RADIUS), Portal, and XMPP
parameters, and add a core switch and a firewall on the Agile Controller.
17. Configure and deploy security groups and inter-group policies on the Agile Controller.
18. Configure and deploy QoS policies on the Agile Controller.
19. Add a RADIUS relay agent and define customization conditions on the Agile Controller.
20. Define authentication rules on the Agile Controller and enable the RADIUS relay agent.
21. Configure authorization results and rules on the Agile Controller.
22. Add network devices on the Srun.
23. Add RADIUS attributes based on customization conditions of the Agile Controller on
the Srun.
24. Configure management of accounting and control policies on the Srun.
25. Configure user group management and create users on the Srun.
Data Plan
Table 4-157 Data plan of the egress solution and USG6600 HRP
Device | Interface Number | Member Interface | VLANIF | IP Address | Remote Device | Remote Interface Number
l The Agile Controller-Campus supports the free mobility function only after a license
is loaded.
l To implement free mobility, authentication points for intranet users must be deployed on
agile switches. S12700 and S7700 switches with X1E/X2S/X2E/X2H cards, and S5720-HI
switches, are recommended.
l Policy enforcement points for free mobility are deployed on agile switches, Next-Generation
Firewalls (NGFWs), or Secure Sockets Layer virtual private network (SVN) devices.
l If user-to-user access control is required, Layer 2 isolation must be deployed on access
switches so that all user traffic is diverted to the authentication point switches. For
wireless users, user isolation is configured in the VAP profile.
l If 802.1X authentication is deployed on switches and firewalls function as policy
enforcement points for free mobility, real-time accounting must be configured on the
switches: the switches report user IP addresses to the Agile Controller-Campus in
accounting packets, and the firewalls query the Agile Controller-Campus for those
addresses.
l When 802.1X authentication is used for wired users, the authentication points can be
core switches or aggregation switches. If the authentication points are core switches,
EAP packet transparent transmission must be configured on access switches and
aggregation switches. Similarly, if the authentication points are aggregation switches,
EAP packet transparent transmission must be configured on access switches.
l When a firewall functions as a policy enforcement point, the intranet user network
segment must be specified on the Agile Controller-Campus so that the firewall can query
the security group to which an IP address belongs. When user access traffic reaches the
firewall, the firewall sends the user IP address to the Agile Controller-Campus to query
its security group. The firewall initiates such queries only for IP addresses within the
intranet segment.
l When a firewall functions as a policy enforcement point, to prevent the security group
queries sent from the firewall to the Agile Controller-Campus from being discarded, it is
recommended that the Agile Controller-Campus deliver global configurations to the
firewall and forward RADIUS packets to the Agile Controller-Campus.
l Only firewalls support the free mobility QoS policy.
l For free mobility, only firewalls support application-based access permission control,
bandwidth rate limiting, and priority scheduling.
# Create an Eth-Trunk connected to the core switch and add uplink interfaces to the Eth-Trunk.
[S7700-A] interface xgigabitethernet 2/0/1
[S7700-A-XGigabitEthernet2/0/1] eth-trunk 20
[S7700-A-XGigabitEthernet2/0/1] quit
[S7700-A] interface xgigabitethernet 2/0/2
[S7700-A-XGigabitEthernet2/0/2] eth-trunk 20
[S7700-A-XGigabitEthernet2/0/2] quit
# Create VLAN 40 connected to the access switch and add downlink interfaces to VLAN 40.
[S7700-A] interface gigabitethernet 1/0/1
[S7700-A-GigabitEthernet1/0/1] port link-type trunk
[S7700-A-GigabitEthernet1/0/1] port trunk allow-pass vlan 40
[S7700-A-GigabitEthernet1/0/1] port-isolate enable
[S7700-A-GigabitEthernet1/0/1] quit
# Check the CSS configuration. After the configuration is complete, run the display css
status saved command to check whether the configuration is correct.
[S12700-1] display css status saved //Check the CSS configuration on S12708-1.
Current Id Saved Id CSS Enable CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 1 Off CSS card 100 Off
# Check whether a CSS is set up successfully. Log in to the CSS from the console port of any
MPU and run the display device command to check the CSS status. If the card status of two
member switches is displayed in the command output, the CSS is set up successfully.
GigabitEthernet1/1/1/7
GigabitEthernet2/1/1/7
XGigabitEthernet1/6/0/0
XGigabitEthernet2/6/0/0
# Create a wireless management interface VLANIF 20, and assign addresses to APs from the
interface address pool.
[CORE-SWITCH] interface vlanif 20
[CORE-SWITCH-Vlanif20] ip address 192.168.20.1 255.255.255.0
[CORE-SWITCH-Vlanif20] dhcp select interface
[CORE-SWITCH-Vlanif20] quit
# Create a wireless service interface VLANIF 30, and assign addresses to STAs from the
interface address pool.
[CORE-SWITCH] interface vlanif 30
[CORE-SWITCH-Vlanif30] ip address 172.16.30.1 255.255.255.0
[CORE-SWITCH-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN ARP proxy; otherwise, wireless users cannot communicate through the AC. Determine the configuration according to the actual situation.
[CORE-SWITCH-Vlanif30] dhcp select interface
[CORE-SWITCH-Vlanif30] dhcp server dns-list 168.88.77.140 //Configure the DNS server address for terminals.
[CORE-SWITCH-Vlanif30] quit
# Create a wired service interface VLANIF 40, and assign addresses to terminals from the
interface address pool.
[CORE-SWITCH] interface vlanif 40
[CORE-SWITCH-Vlanif40] ip address 172.16.40.1 255.255.255.0
[CORE-SWITCH-Vlanif40] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN ARP proxy; otherwise, wired users that are isolated at Layer 2 on the access switches cannot communicate with each other through the gateway. Determine the configuration according to the actual situation.
[CORE-SWITCH-Vlanif40] dhcp select interface
[CORE-SWITCH-Vlanif40] dhcp server dns-list 168.88.77.140 //Configure the DNS server address for terminals.
[CORE-SWITCH-Vlanif40] quit
# Create Eth-Trunk 20 connected to both the core switch and the aggregation switch S7700-A
in office building A, and add interfaces to the Eth-Trunk. The interconnection configuration
between the core switch and the aggregation switch in office building B is similar to that in
office building A, and is not mentioned here. (The service VLAN corresponding to office
building B is VLAN 20.)
[CORE-SWITCH] interface eth-trunk 20
[CORE-SWITCH-Eth-Trunk20] description con to S7700-A
[CORE-SWITCH-Eth-Trunk20] port link-type trunk
[CORE-SWITCH-Eth-Trunk20] port trunk allow-pass vlan 40
[CORE-SWITCH-Eth-Trunk20] quit
[CORE-SWITCH] interface xgigabitethernet 1/1/0/0
[CORE-SWITCH-XGigabitEthernet1/1/0/0] eth-trunk 20
[CORE-SWITCH-XGigabitEthernet1/1/0/0] quit
[CORE-SWITCH] interface xgigabitethernet 2/1/0/0
[CORE-SWITCH-XGigabitEthernet2/1/0/0] eth-trunk 20
[CORE-SWITCH-XGigabitEthernet2/1/0/0] quit
# Configure an authentication scheme named test01 and set the authentication mode to
RADIUS.
[CORE-SWITCH] aaa
[CORE-SWITCH-aaa] authentication-scheme test01
[CORE-SWITCH-aaa-authen-test01] authentication-mode radius
[CORE-SWITCH-aaa-authen-test01] quit
# Configure an accounting scheme named test01 and set the accounting mode to RADIUS.
[CORE-SWITCH-aaa] accounting-scheme test01
[CORE-SWITCH-aaa-accounting-test01] accounting-mode radius
[CORE-SWITCH-aaa-accounting-test01] accounting realtime 15 //Set the real-time accounting interval to 15 minutes.
[CORE-SWITCH-aaa-accounting-test01] quit
# Create an authentication domain named huawei, and bind the authentication scheme,
accounting scheme, and RADIUS server template to the domain.
[CORE-SWITCH-aaa] domain huawei
[CORE-SWITCH-aaa-domain-huawei] authentication-scheme test01
[CORE-SWITCH-aaa-domain-huawei] accounting-scheme test01
[CORE-SWITCH-aaa-domain-huawei] radius-server test01
[CORE-SWITCH-aaa-domain-huawei] quit
[CORE-SWITCH-aaa] quit
# Configure the Portal authentication server and create a Portal access profile named portal1.
[CORE-SWITCH] web-auth-server test01
[CORE-SWITCH-web-auth-server-test01] server-ip 168.88.77.10 //Configure the IP address of the Portal authentication server.
[CORE-SWITCH-web-auth-server-test01] source-ip 168.88.77.157
[CORE-SWITCH-web-auth-server-test01] port 50100 //Configure the port number of the Portal authentication server.
[CORE-SWITCH-web-auth-server-test01] shared-key cipher Admin@123 //Configure the shared key for communication between the Portal authentication server and the switch. The shared key must be the same as that configured on the Agile Controller.
[CORE-SWITCH-web-auth-server-test01] url http://168.88.77.10:8080/portal //Configure the URL of the Portal web page.
[CORE-SWITCH-web-auth-server-test01] quit
[CORE-SWITCH] portal-access-profile name portal1
[CORE-SWITCH-portal-acces-profile-portal1] web-auth-server test01 direct
[CORE-SWITCH-portal-acces-profile-portal1] quit
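The shared key configured above, like the RADIUS shared key bound to the radius-server template in the configuration file, is the only thing that lets the switch and the server trust each other's packets. The following Python script is an added example and is not part of this configuration example or of any Huawei or Agile Controller software: it implements the RFC 2865 User-Password hiding and Response Authenticator calculation with the plaintext Admin@123 used in this example and runs one Access-Request round trip, first with matching secrets and then with a mismatched server secret. The user name, password and the fixed Request Authenticator are constructed test values.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes and attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

# Constructed values for the walk-through. The plaintext secret is the one the example
# enters with 'shared-key cipher'. A real NAS draws the 16-byte Request Authenticator from
# a CSPRNG (os.urandom(16)) for every request; the fixed bytes here only keep the run
# deterministic.
SHARED_SECRET = b"Admin@123"
REQUEST_AUTH = bytes(range(16))


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def recover_password(hidden, secret, request_auth):
    """Server side of the same scheme; strips the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attrs(data):
    """Minimal TLV walk over the attribute area of a RADIUS packet."""
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, secret, request_auth):
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, attrs, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, ident, request_auth, secret):
    """What the NAS checks before it trusts a reply: the ID matches the outstanding request
    and the Response Authenticator was computed with the same shared secret."""
    if len(packet) < 20 or packet[1] != ident:
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def exchange(nas_secret, server_secret, username=b"student", password=b"s3cret"):
    """One Access-Request round trip between a NAS and a server that may or may not hold the
    same secret. Returns (nas_accepts_reply, response_code)."""
    req = build_access_request(7, username, password, nas_secret, REQUEST_AUTH)
    attrs = parse_attrs(req[20:])
    # The server recovers the password with ITS secret; a wrong secret yields garbage, so
    # the user is rejected even though the password was correct.
    recovered = recover_password(attrs[USER_PASSWORD], server_secret, req[4:20])
    code = ACCESS_ACCEPT if recovered == password else ACCESS_REJECT
    resp = build_response(code, req[1], b"", req[4:20], server_secret)
    # The NAS verifies the reply with ITS secret; on mismatch the authenticator does not
    # verify and the reply is silently discarded.
    return verify_response(resp, 7, REQUEST_AUTH, nas_secret), code
```

Two points follow from the run. A mismatched key never surfaces as a "wrong key" error: the server rejects every user because it unhides the password with the wrong key, and the switch discards every reply because the authenticator does not verify, so the symptom on the switch is authentication failure or timeout. And the only protection of the RADIUS exchange on the wire is this MD5 construction with the shared secret, so the key must be stored in cipher text as the Security Conventions recommend, handled with the same care as the server's own credentials, and reachability to the RADIUS and Portal server ports should be restricted to the switch's source address.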
Step 5 Configure the wired user interface and enable Portal authentication on the interface.
[CORE-SWITCH] interface vlanif 40
[CORE-SWITCH-Vlanif40] authentication-profile p1
[CORE-SWITCH-Vlanif40] quit
Step 6 Configure XMPP parameters for interworking with the Agile Controller, and enable free
mobility.
[CORE-SWITCH] group-policy controller 168.88.77.10 password Admin@123 src-ip 168.88.77.157
# Create an AP group and add APs with the same configuration to the AP group.
[CORE-SWITCH] wlan
[CORE-SWITCH-wlan-view] ap-group name ap-group1
[CORE-SWITCH-wlan-ap-group-ap-group1] quit
# Create a regulatory domain profile, configure the AC's country code in the profile, and
apply the profile to the AP group.
[CORE-SWITCH-wlan-view] regulatory-domain-profile name domain1
[CORE-SWITCH-wlan-regulate-domain-domain1] country-code CN
[CORE-SWITCH-wlan-regulate-domain-domain1] quit
[CORE-SWITCH-wlan-view] ap-group name ap-group1
[CORE-SWITCH-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[CORE-SWITCH-wlan-ap-group-ap-group1] quit
[CORE-SWITCH-wlan-view] quit
# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
MAC address of the AP is ac85-3d95-d800.
[CORE-SWITCH] wlan
[CORE-SWITCH-wlan-view] ap auth-mode mac-auth
[CORE-SWITCH-wlan-view] ap-id 0 ap-mac ac85-3d95-d800
[CORE-SWITCH-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, whether to
continue? [Y/N]:y
[CORE-SWITCH-wlan-ap-0] quit
# After powering on the AP, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[CORE-SWITCH-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------------------
ID  MAC             Name            Group      IP              Type          State  STA  Uptime
-------------------------------------------------------------------------------------------------
0   ac85-3d95-d800  ac85-3d95-d800  ap-group1  192.168.20.250  AP6010DN-AGN  nor    0    2M:16S
-------------------------------------------------------------------------------------------------
Total: 1
# After the configuration, run the display vap ssid portal_test command. If the Status field
displays ON, the VAP has been successfully created on the AP radio.
[CORE-SWITCH-wlan-view] display vap ssid portal_test
WID : WLAN ID
-----------------------------------------------------------------------------------------
AP ID  AP name         RfID  WID  BSSID           Status  Auth type  STA  SSID
-----------------------------------------------------------------------------------------
0      ac85-3d95-d800  0     1    AC85-3D95-D800  ON      Open       0    portal_test
Step 8 Create an Eth-Trunk between the core switch S12700 and the USG6600.
# On the S12700, create Eth-Trunk 30 and Eth-Trunk 40 connected to FW1 and FW2
respectively, and add member interfaces to Eth-Trunk 30 and Eth-Trunk 40.
[CORE-SWITCH] interface eth-trunk 30 //Create Eth-Trunk30 connected to FW1.
[CORE-SWITCH-Eth-Trunk30] port link-type access
[CORE-SWITCH-Eth-Trunk30] port default vlan 10
[CORE-SWITCH-Eth-Trunk30] quit
[CORE-SWITCH] interface gigabitethernet 1/2/0/0
[CORE-SWITCH-GigabitEthernet1/2/0/0] eth-trunk 30
[CORE-SWITCH-GigabitEthernet1/2/0/0] quit
[CORE-SWITCH] interface gigabitethernet 2/2/0/0
[CORE-SWITCH-GigabitEthernet2/2/0/0] eth-trunk 30
[CORE-SWITCH-GigabitEthernet2/2/0/0] quit
[CORE-SWITCH] interface eth-trunk 40 //Create Eth-Trunk 40 connected to FW2.
[CORE-SWITCH-Eth-Trunk40] port link-type access
[CORE-SWITCH-Eth-Trunk40] port default vlan 10
[CORE-SWITCH-Eth-Trunk40] quit
[CORE-SWITCH] interface gigabitethernet 1/2/0/1
[CORE-SWITCH-GigabitEthernet1/2/0/1] eth-trunk 40
[CORE-SWITCH-GigabitEthernet1/2/0/1] quit
[CORE-SWITCH] interface gigabitethernet 2/2/0/1
[CORE-SWITCH-GigabitEthernet2/2/0/1] eth-trunk 40
[CORE-SWITCH-GigabitEthernet2/2/0/1] quit
----End
Step 2 Add the interfaces through which the firewall connects to the core switch S12700 to the Eth-Trunk.
# Configure static routes on both firewalls to the ISP server network segments: 21.0.0.0/24
(ISP1) through 201.0.0.254 and 22.0.0.0/24 (ISP2) through 202.0.0.254.
[FW1] ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
[FW1] ip route-static 22.0.0.0 255.255.255.0 202.0.0.254
[FW2] ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
[FW2] ip route-static 22.0.0.0 255.255.255.0 202.0.0.254
# Enable the health check function, and configure health check for links of ISP1 and ISP2.
Assume that the destination server's IP address of ISP1 is 21.0.0.100 and the destination
server's IP address of ISP2 is 22.0.0.100.
[FW1] healthcheck enable
[FW1] healthcheck name isp1_health
[FW1-healthcheck-isp1_health] destination 21.0.0.100 interface GigabitEthernet 1/0/1 protocol tcp-simple destination-port 1001
[FW1-healthcheck-isp1_health] quit
[FW1] healthcheck name isp2_health
[FW1-healthcheck-isp2_health] destination 22.0.0.100 interface GigabitEthernet 1/0/2 protocol tcp-simple destination-port 1002
[FW1-healthcheck-isp2_health] quit
[FW2] healthcheck enable
[FW2] healthcheck name isp1_health
[FW2-healthcheck-isp1_health] destination 21.0.0.100 interface GigabitEthernet 1/0/1 protocol tcp-simple destination-port 1003
[FW2-healthcheck-isp1_health] quit
[FW2] healthcheck name isp2_health
[FW2-healthcheck-isp2_health] destination 22.0.0.100 interface GigabitEthernet 1/0/2 protocol tcp-simple destination-port 1004
[FW2-healthcheck-isp2_health] quit
# Set the link bandwidth and overload protection threshold on the ISP-facing interfaces
(assume that ISP1 provides 100 Mbit/s with a 95% overload threshold and ISP2 provides
50 Mbit/s with a 90% threshold), and bind the health checks configured above to the ISP1
and ISP2 interfaces.
[FW1] interface gigabitethernet 1/0/1
[FW1-GigabitEthernet1/0/1] bandwidth ingress 100000 threshold 95
[FW1-GigabitEthernet1/0/1] bandwidth egress 100000 threshold 95
[FW1-GigabitEthernet1/0/1] healthcheck isp1_health
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface gigabitethernet 1/0/2
[FW1-GigabitEthernet1/0/2] bandwidth ingress 50000 threshold 90
[FW1-GigabitEthernet1/0/2] bandwidth egress 50000 threshold 90
[FW1-GigabitEthernet1/0/2] healthcheck isp2_health
[FW1-GigabitEthernet1/0/2] quit
[FW2] interface gigabitethernet 1/0/1
[FW2-GigabitEthernet1/0/1] bandwidth ingress 100000 threshold 95
[FW2-GigabitEthernet1/0/1] bandwidth egress 100000 threshold 95
[FW2-GigabitEthernet1/0/1] healthcheck isp1_health
[FW2-GigabitEthernet1/0/1] quit
[FW2] interface gigabitethernet 1/0/2
[FW2-GigabitEthernet1/0/2] bandwidth ingress 50000 threshold 90
[FW2-GigabitEthernet1/0/2] bandwidth egress 50000 threshold 90
[FW2-GigabitEthernet1/0/2] healthcheck isp2_health
[FW2-GigabitEthernet1/0/2] quit
# Configure a global route selection policy and set the working mode of intelligent route
selection to link bandwidth-based load balancing.
[FW1] multi-interface
[FW1-multi-inter] mode proportion-of-bandwidth
[FW1-multi-inter] add interface gigabitethernet 1/0/1
[FW1-multi-inter] add interface gigabitethernet 1/0/2
[FW1-multi-inter] quit
[FW2] multi-interface
[FW2-multi-inter] mode proportion-of-bandwidth
[FW2-multi-inter] add interface gigabitethernet 1/0/1
[FW2-multi-inter] add interface gigabitethernet 1/0/2
[FW2-multi-inter] quit
# Configure quick session backup, specify the heartbeat interface, and enable HRP on FW1
and FW2.
[FW1] hrp track interface eth-trunk 30
[FW1] hrp interface gigabitethernet 1/0/5 remote 10.10.0.2
[FW1] hrp mirror session enable
[FW1] hrp enable
[FW2] hrp track interface eth-trunk 40
[FW2] hrp interface gigabitethernet 1/0/5 remote 10.10.0.1
[FW2] hrp mirror session enable
[FW2] hrp enable
# Perform agile network configurations on FW1. FW2 will automatically synchronize the
configuration of FW1.
HRP_M[FW1] agile-network
HRP_M[FW1-agile-network] radius-server test01
HRP_M[FW1-agile-network] server ip 168.88.77.10
HRP_M[FW1-agile-network] local ip 192.168.10.1
HRP_M[FW1-agile-network] password Admin@123
HRP_M[FW1-agile-network] agile-network enable
HRP_M[FW1-agile-network] xmpp connect
HRP_M[FW1-agile-network] quit
# Configure source NAT policies to allow intranet users to access the Internet by using public
IP addresses translated using NAT.
HRP_M[FW1] nat-policy
HRP_M[FW1-policy-nat] rule name policy_nat1
# Ask the ISP administrator to configure routes whose destination addresses are the
addresses in addressgroup1 and addressgroup2, with the next hop set to the corresponding
interface address of the USG6600.
----End
address should be added to the Agile Controller server, and its configuration is not mentioned
here).
# Click Synchronize to synchronize device data. After data synchronization, the indicator of
the communication status turns green.
Step 4 Create a device group named test and add the S12700 and the two USG6600s to this group.
# Choose Resource > Device > Device Management, and then choose Device Group > Free
Mobility > Custom on the left side of the page to create a customized group named test.
# Click Add, select the S12700 and USG6600, and add them to the customized group.
Step 5 Configure two dynamic security groups group1 and group2, and two static security
groups server1 and server2.
# Choose Policy > Permission Control > Security Group > Dynamic Security Group
Management.
# Click Add and create group1 and group2.
# Choose Policy > Permission Control > Security Group > Static Security Group
Management.
# Choose Policy > Free Mobility > Policy Configuration > Permission Control and click
Add.
After the configuration is complete, group1 can access server1 and server2, group2 can only
access server1, and group1 and group2 cannot access each other.
# Click Global Deployment to deploy access control policies on the entire network.
# After the network segment of the internal network is deployed successfully, run the display
agile-network intranet-address command to check the internal network segment that is
delivered by the USG6600.
HRP_M[FW1] display agile-network intranet-address
Intranet Address 172.16.30.0-172.16.30.255
172.16.40.0-172.16.40.255
# Choose Policy > Free Mobility > Policy Configuration > QoS Policy to configure a QoS
policy.
# Click Add in Device List, select FW1 and FW2, and click OK.
# Click Deploy to deploy the QoS policy. After the QoS policy is deployed successfully, you
can view the deployment result on the USG6600. group1 is deployed as the VIP security
group.
HRP_M[FW1] display agile-network security-group all
Total Security Group: 3.
-------------------------------------------------------------------------------
GroupID GroupName VIP priority
-------------------------------------------------------------------------------
0 unknown no 0
1 group1 yes 5
2 group2 no 0
# Choose Resource > User Management, click Add to add users teacher and student, and
configure their passwords.
Step 11 Configure the RADIUS relay agent on the Agile Controller to obtain packets sent from
devices and forward the packets to the RADIUS server.
# Choose System > External Authentication > RADIUS Proxy.
# Click Add.
# Set parameters and click OK.
Parameter Description
# Click OK.
----End
4.20.2.6 Verification
Step 1 After the security group and the inter-group policy are successfully deployed, you can run the
following commands on the core switch to view deployment information.
# Run the display ucl-group all command on the core switch to view deployment
information of the security group.
[CORE-SWITCH] display ucl-group all
ID UCL group name
--------------------------------------------------------------------------------
1 group1
2 group2
--------------------------------------------------------------------------------
Total : 2
# Run the display acl all command on the core switch to view the access control policy.
[CORE-SWITCH] display acl all
Total nonempty ACL number is 2
Ucl-group ACL Auto_PGM_U1 9998, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group1 destination 21.0.0.100 0 (match-counter 0)
rule 2 permit ip source ucl-group name group1 destination 22.0.0.100 0 (match-counter 0)
rule 3 deny ip source ucl-group name group1 destination ucl-group name group2 (match-counter 0)
Ucl-group ACL Auto_PGM_U2 9999, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group2 destination 21.0.0.100 0 (match-counter 0)
rule 2 deny ip source ucl-group name group2 destination ucl-group name group1 (match-counter 0)
rule 3 deny ip source ucl-group name group2 destination 22.0.0.100 0 (match-counter 0)
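Reading the auto-generated ACLs is how an operator normally confirms that the deployed rules match the intended matrix. The following Python script is an added example, not part of this configuration example or of the Agile Controller, that performs the same check mechanically: it parses the rule lines from the display acl all output above (a constructed copy), evaluates each source/destination pair top-down with first match wins, and compares the result with the intended policy (group1 reaches server1 and server2, group2 reaches server1 only, group1 and group2 do not reach each other). It assumes that the static groups server1 and server2 correspond to 21.0.0.100 and 22.0.0.100, the two host addresses in the ACL; the page does not state that mapping.

```python
import ipaddress
import re

# Intended inter-group policy stated in the example.
INTENDED = {
    ("group1", "server1"): "permit",
    ("group1", "server2"): "permit",
    ("group1", "group2"): "deny",
    ("group2", "server1"): "permit",
    ("group2", "server2"): "deny",
    ("group2", "group1"): "deny",
}

# Assumption: the static groups server1 and server2 are the two host addresses that appear
# in the deployed ACL (the page does not state this mapping explicitly).
STATIC_GROUPS = {"server1": "21.0.0.100", "server2": "22.0.0.100"}

# Constructed copy of the rule lines from 'display acl all' in the verification step.
DISPLAY_ACL_ALL = """\
Ucl-group ACL Auto_PGM_U1 9998, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group1 destination 21.0.0.100 0 (match-counter 0)
rule 2 permit ip source ucl-group name group1 destination 22.0.0.100 0 (match-counter 0)
rule 3 deny ip source ucl-group name group1 destination ucl-group name group2 (match-counter 0)
Ucl-group ACL Auto_PGM_U2 9999, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group2 destination 21.0.0.100 0 (match-counter 0)
rule 2 deny ip source ucl-group name group2 destination ucl-group name group1 (match-counter 0)
rule 3 deny ip source ucl-group name group2 destination 22.0.0.100 0 (match-counter 0)
"""

RULE_RE = re.compile(
    r"rule\s+\d+\s+(?P<action>permit|deny)\s+ip\s+source\s+ucl-group\s+name\s+(?P<src>\S+)"
    r"\s+destination\s+(?:ucl-group\s+name\s+(?P<dst_group>\S+)"
    r"|(?P<dst_ip>\d+(?:\.\d+){3})\s+(?P<wildcard>\S+))"
)


def parse_rules(text):
    """Return the rule lines in display order; each rule is a dict of the regex groups."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append(m.groupdict())
    return rules


def _wildcard_match(ip, base, wildcard):
    """VRP wildcard mask: 0 bits must match, 1 bits are don't-care; a bare '0' means one host."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    ip_i = int(ipaddress.IPv4Address(ip))
    base_i = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ((ip_i ^ base_i) & care) == 0


def decide(rules, src_group, dst):
    """First matching rule wins (rules are evaluated top-down). dst is a UCL group name or an
    IPv4 address. Returns 'permit', 'deny', or None when no rule matches; the output on the
    page does not show what the switch does with unmatched traffic, so nothing is assumed."""
    dst_is_ip = dst.replace(".", "").isdigit()
    for r in rules:
        if r["src"] != src_group:
            continue
        if r["dst_group"] is not None:
            if not dst_is_ip and dst == r["dst_group"]:
                return r["action"]
        elif dst_is_ip and _wildcard_match(dst, r["dst_ip"], r["wildcard"]):
            return r["action"]
    return None


def audit(rules, intended=INTENDED, static_groups=STATIC_GROUPS):
    """Compare the deployed rules with the intended matrix.
    Returns a list of (src, dst, wanted, got) tuples; an empty list means no drift."""
    mismatches = []
    for (src, dst), wanted in intended.items():
        got = decide(rules, src, static_groups.get(dst, dst))
        if got != wanted:
            mismatches.append((src, dst, wanted, got))
    return mismatches


if __name__ == "__main__":
    problems = audit(parse_rules(DISPLAY_ACL_ALL))
    print("deployed policy matches intent" if not problems else problems)
```

Run it after each Global Deployment, or against display acl all collected from every authentication point; a non-empty list means the deployed rules have drifted from the intent, and a pair that no rule matches is reported with None rather than guessed.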
Step 2 After the security group and the security policy are successfully deployed, you can run the
following commands on the USG6600 to check deployment information.
# Run the display agile-network security-group all command on the USG6600 to check the
security group configuration.
HRP_M[FW1] display agile-network security-group all
Total Security Group: 3.
-------------------------------------------------------------------------------
GroupID GroupName VIP priority
-------------------------------------------------------------------------------
0 unknown no 0
2 group2 no 0
1 group1 yes 5
# Run the display security-policy all command on the USG6600 to check the security
policy rules that were delivered.
HRP_M[FW1] display security-policy all
Total:7
RULE ID RULE NAME STATE ACTION HITTED
-------------------------------------------------------------------------------
0 default enable deny 128877
5 Auto_PGM_U2_1 enable permit 0
6 Auto_PGM_U2_2 enable deny 0
7 Auto_PGM_U2_3 enable deny 0
8 Auto_PGM_U1_1 enable permit 0
9 Auto_PGM_U1_2 enable permit 0
10 Auto_PGM_U1_3 enable deny 0
-------------------------------------------------------------------------------
# Run the display security-policy rule command on the USG6600 to check the security
policy configuration.
HRP_M[FW1] display security-policy rule name Auto_PGM_U2_1
(0 times matched)
rule name Auto_PGM_U2_1
destination-address 21.0.0.100 0.0.0.0
source-group 2
action permit
Step 3 After configuring HRP, run the display hrp state command to check the HRP status.
HRP_M[FW1] display hrp state
Role: active, peer: active
Running priority: 44998, peer: 44998
Core state: normal, peer: normal
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 4 minutes
Last state change information: 2016-06-23 19:16:46 HRP core state changed,
old_state = abnormal(standby), new_state = normal, local_priority = 44998,
peer_priority = 44998.
Step 4 When FW1 fails, for example, a tracked interface goes Down, the role of FW2 becomes
active.
HRP_M[FW2] display hrp state
Role: active, peer: standby
Running priority: 44998, peer: 44994
Core state: abnormal(active), peer: abnormal(standby)
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 0 minutes
Last state change information: 2016-06-23 19:24:21 HRP core state changed,
----End
S7700-A
#
sysname S7700-A
#
vlan batch 40
#
interface Eth-Trunk20
description connect to S127
port link-type trunk
port trunk allow-pass vlan 40
#
interface XGigabitEthernet2/0/1
eth-trunk 20
#
interface XGigabitEthernet2/0/2
eth-trunk 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 40
port-isolate enable group 1
#
return
S7700-B
#
sysname S7700-B
#
vlan batch 20
#
interface Eth-Trunk10
description connect to S127
port link-type trunk
port trunk allow-pass vlan 20
#
interface XGigabitEthernet2/0/1
eth-trunk 10
#
interface XGigabitEthernet2/0/2
eth-trunk 10
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20
port-isolate enable group 1
#
return
S12700 CSS
#
sysname CORE-SWITCH
#
vlan batch 10 20 30 40 1000
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template default_free_rule
access-domain huawei portal force
#
group-policy controller 168.88.77.10 password %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%# src-ip 168.88.77.157
#
dhcp enable
#
radius-server template test01
radius-server shared-key cipher %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%#
radius-server authentication 168.88.77.10 1812 source ip-address 168.88.77.157 weight 80
radius-server accounting 168.88.77.10 1813 source ip-address 168.88.77.157 weight 80
radius-server authorization 168.88.77.10 shared-key cipher %^%#_7zY2\gzd5na,V-SB"P4L;(+(pVDlL(,Wf$|<a=&%^%#
#
free-rule-template name default_free_rule
free-rule 1 destination ip 168.88.77.140 mask 255.255.255.255 source any
#
web-auth-server test01
server-ip 168.88.77.10
port 50100
shared-key cipher %^%#_7zY2\gzd5na,V-SB"P4L;(+(pVDlL(,Wf$|<a=&%^%#
url http://168.88.77.10:8080/portal
source-ip 168.88.77.157
#
portal-access-profile name portal1
web-auth-server test01 direct
#
aaa
authentication-scheme test01
authentication-mode radius
accounting-scheme test01
accounting-mode radius
accounting realtime 15
domain huawei
authentication-scheme test01
accounting-scheme test01
radius-server test01
#
interface Vlanif10
ip address 192.168.10.3 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 168.88.77.140
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
authentication-profile p1
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 168.88.77.140
#
interface Vlanif1000
ip address 168.88.77.157 255.255.128.0
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 20
#
interface Eth-Trunk20
description con to S7700-A
port link-type trunk
port trunk allow-pass vlan 40
#
interface Eth-Trunk30
port link-type access
port default vlan 10
#
interface Eth-Trunk40
port link-type access
port default vlan 10
#
interface XGigabitEthernet 1/1/0/0
eth-trunk 20
#
interface XGigabitEthernet 1/1/0/1
eth-trunk 10
#
interface GigabitEthernet1/1/1/7
mad detect mode direct
#
interface GigabitEthernet 1/2/0/0
eth-trunk 30
#
interface GigabitEthernet 1/2/0/1
eth-trunk 40
#
interface GigabitEthernet 1/3/0/0
port link-type access
port default vlan 1000
#
interface XGigabitEthernet 2/1/0/0
eth-trunk 20
#
interface XGigabitEthernet 2/1/0/1
eth-trunk 10
#
interface GigabitEthernet2/1/1/7
mad detect mode direct
#
interface GigabitEthernet 2/2/0/0
eth-trunk 30
#
interface GigabitEthernet 2/2/0/1
eth-trunk 40
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 168.88.0.0 0.0.127.255
network 172.16.30.0 0.0.0.255
network 172.16.40.0 0.0.0.255
network 192.168.10.0 0.0.0.255
#
capwap source interface vlanif20
#
wlan
ssid-profile name portal
ssid portal_test
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile portal
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
radio 2
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac ac85-3d95-d800 ap-sn 2102354483W0DC000733
ap-group ap-group1
#
return
FW1
#
sysname FW1
#
hrp enable
hrp interface GigabitEthernet1/0/5 remote 10.10.0.2
hrp mirror session enable
hrp track interface Eth-Trunk30
#
healthcheck enable
healthcheck name isp1_health
destination 21.0.0.100 interface GigabitEthernet1/0/1 protocol tcp-simple destination-port 1001
healthcheck name isp2_health
destination 22.0.0.100 interface GigabitEthernet1/0/2 protocol tcp-simple destination-port 1002
#
radius-server template test01
radius-server shared-key cipher %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%#
radius-server authentication 168.88.77.10 1812 weight 80
radius-server accounting 168.88.77.10 1813 weight 80
undo radius-server user-name domain-included
radius-server group-filter class
#
interface Eth-Trunk30
ip address 192.168.10.1 255.255.255.0
#
interface Eth-Trunk40
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 201.0.0.1 255.255.255.0
healthcheck isp1_health
gateway 201.0.0.254
bandwidth ingress 100000 threshold 95
bandwidth egress 100000 threshold 95
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 202.0.0.2 255.255.255.0
healthcheck isp2_health
gateway 202.0.0.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
#
interface GigabitEthernet1/0/3
undo shutdown
eth-trunk 30
#
interface GigabitEthernet1/0/4
undo shutdown
eth-trunk 30
#
interface GigabitEthernet1/0/5
undo shutdown
ip address 10.10.0.1 255.255.255.0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
firewall zone trust
add interface GigabitEthernet0/0/0
add interface Eth-Trunk30
add interface Eth-Trunk40
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/5
#
firewall zone name isp1 id 4
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
set priority 20
add interface GigabitEthernet1/0/2
#
ospf 1 router-id 1.1.1.1
import-route static
area 0.0.0.0
network 192.168.10.0 0.0.0.255
#
ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
ip route-static 22.0.0.0 255.255.255.0 202.0.0.254
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 201.0.0.10 201.0.0.12
#
nat address-group addressgroup2 1
mode pat
route enable
section 0 202.0.0.10 202.0.0.12
#
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
agile-network
agile-network enable
radius-server test01
server ip 168.88.77.10
local ip 192.168.10.1
password %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%#
xmpp connect
#
security-policy
default action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone isp1
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup1
rule name policy_nat2
source-zone trust
destination-zone isp2
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup2
#
return
FW2
#
sysname FW2
#
hrp enable
hrp interface GigabitEthernet1/0/5 remote 10.10.0.1
hrp mirror session enable
hrp track interface Eth-Trunk40
#
healthcheck enable
healthcheck name isp1_health
destination 21.0.0.100 interface GigabitEthernet1/0/1 protocol tcp-simple destination-port 1003
healthcheck name isp2_health
destination 22.0.0.100 interface GigabitEthernet1/0/2 protocol tcp-simple destination-port 1004
#
radius-server template test01
radius-server shared-key cipher %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%#
radius-server authentication 168.88.77.10 1812 weight 80
radius-server accounting 168.88.77.10 1813 weight 80
undo radius-server user-name domain-included
radius-server group-filter class
#
interface Eth-Trunk30
#
interface Eth-Trunk40
ip address 192.168.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 201.0.0.2 255.255.255.0
healthcheck isp1_health
gateway 201.0.0.254
bandwidth ingress 100000 threshold 95
bandwidth egress 100000 threshold 95
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 202.0.0.1 255.255.255.0
healthcheck isp2_health
gateway 202.0.0.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
#
interface GigabitEthernet1/0/3
undo shutdown
eth-trunk 40
#
interface GigabitEthernet1/0/4
undo shutdown
eth-trunk 40
#
interface GigabitEthernet1/0/5
undo shutdown
ip address 10.10.0.2 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
firewall zone trust
add interface GigabitEthernet0/0/0
add interface Eth-Trunk30
add interface Eth-Trunk40
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/5
#
firewall zone name isp1 id 4
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
set priority 20
add interface GigabitEthernet1/0/2
#
ospf 1 router-id 2.2.2.2
import-route static
area 0.0.0.0
network 192.168.10.0 0.0.0.255
#
ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
ip route-static 22.0.0.0 255.255.255.0 202.0.0.254
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 201.0.0.10 201.0.0.12
#
nat address-group addressgroup2 1
mode pat
route enable
section 0 202.0.0.10 202.0.0.12
#
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
agile-network
agile-network enable
radius-server test01
server ip 168.88.77.10
local ip 192.168.10.2
password %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%#
xmpp connect
#
security-policy
default action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone isp1
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup1
rule name policy_nat2
source-zone trust
destination-zone isp2
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup2
#
return
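The saved configurations above are the artefacts an operator reviews before deployment. The following Python script is an added example, not part of this configuration guide or of Huawei's software: it splits a VRP-style configuration into its "#"-delimited blocks and reports two things a reviewer checks by hand on this page, whether every password or shared-key is stored in the %^%#...%^%# cipher form shown in the saved configurations, and whether the security-policy block still relies on "default action permit". The sample configuration is a constructed cut-down copy of the FW1 configuration with one plaintext secret added so that the check has something to report; the Admin@123 value is the one used in the configuration steps of this example.

```python
import re
from typing import List, Tuple

# Constructed sample: a cut-down copy of the FW1 configuration above, with one
# secret deliberately left in plaintext so the audit reports it.
SAMPLE_CONFIG = """\
#
sysname FW1
#
radius-server template test01
 radius-server shared-key cipher %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%#
 radius-server authentication 168.88.77.10 1812 weight 80
#
agile-network
 agile-network enable
 radius-server test01
  server ip 168.88.77.10
  local ip 192.168.10.1
  password Admin@123
  xmpp connect
#
security-policy
 default action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone isp1
  action nat address-group addressgroup1
#
return
"""

# Cipher text in a saved VRP configuration is wrapped in %^%# ... %^%#.
CIPHER_RE = re.compile(r"%\^%#.+?%\^%#")
# Keywords after which a secret follows, optionally preceded by "cipher".
SECRET_RE = re.compile(r"\b(password|shared-key)\b\s+(?:cipher\s+)?(\S+)")


def parse_sections(config: str) -> List[List[str]]:
    """Split a VRP-style configuration into blocks delimited by '#' lines.

    Leading indentation is dropped; empty blocks and the trailing 'return'
    are ignored. The first line of each block names the feature it configures.
    """
    sections: List[List[str]] = []
    current: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (check, location) pairs. Secret values are never echoed back."""
    findings: List[Tuple[str, str]] = []
    for section in parse_sections(config):
        head = section[0]
        for line in section:
            m = SECRET_RE.search(line)
            # A secret that is not in cipher form is reported by keyword only.
            if m and not CIPHER_RE.search(line):
                findings.append(("plaintext-secret", f"{head}: {m.group(1)}"))
        # The firewall falls back to this action when no rule matches.
        if head == "security-policy" and "default action permit" in section[1:]:
            findings.append(("permissive-default", f"{head}: default action permit"))
    return findings


if __name__ == "__main__":
    for check, where in audit(SAMPLE_CONFIG):
        print(f"{check:20s} {where}")
```

Run against a real saved configuration, the script reports only the keyword and block of an offending line, so its output can be pasted into a review ticket without leaking the secret itself.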
Application Scenario
This solution uses the aggregation switch as the gateway and authentication point and applies
to higher education campus networks with more than 15,000 access users, meeting customers'
requirements of unified management and configuration for access switches.
Service Requirements
The number of users on a school campus must be considered during campus network
construction. Users on a school campus can access the campus network only after being
authenticated. To ensure network security, users of different roles must be assigned
different network access rights.
The education industry networks must meet the following requirements.
l Access
Provide both wired and wireless access.
l Security
Assign different network rights to students, teachers, and other roles.
l Authentication
Use PPPoE, Portal, or 802.1X authentication for wired users, and use Portal or 802.1X
authentication for wireless users.
l O&M
Uniformly manage wired and wireless networks.
Networking Diagram
The aggregation switch S12700 or S7700 is configured as the authentication point and
gateway on the entire school campus backbone network. The S12700 and S7700 have the
X1E card installed, support native AC, and carry wireless services on the entire network.
Network Design
l Two S12700s constitute a Cluster Switch System (CSS) that is used as the core of a
campus network, providing high network reliability and scalability.
l The S12700 and S7700 are used as aggregation switches in each office building and
connect to access switches of each floor. The S5700 is used as the access switch.
l The aggregation switches S12700 and S7700 are configured with native AC to manage
APs on the entire network and carry wireless services, implementing wired and
wireless convergence.
l The aggregation switches S12700 and S7700 are used as the gateway for both wired and
wireless users on the entire network and forward user packets based on routes. The
S12700 and S7700 also function as the authentication point to authenticate wired and
wireless users.
S5700 V200R009C00
USG6600 V500R001C00
AP V200R006C20
Configuration Roadmap
The configuration roadmap is as follows:
Data Plan
LoopBack 1    -           3.3.3.3/32
LoopBack 1    -           4.4.4.4/32
Table 4-161 Basic service data plan of the aggregation switch S12700
Item          VLAN ID     Network Segment
LoopBack 1    -           1.1.1.1/32
Table 4-162 Basic service data plan of the aggregation switch S7700
Item          VLAN ID     Network Segment
LoopBack 1    -           2.2.2.2/32
Table 4-163 Basic service data plan of the aggregation switch S12700 or S7700
Item          Data
NAS IP        168.88.77.10/1.1.1.1/2.2.2.2
DM port       3799
Vendor-ID     0
Vendor-name   -
Attribute ID  11
Type          Integer
Format        %d
Dictionary    dictionary.rfc2865
(Account data from the following table: user2/Huawei123, bound to the user group group2 and the accounting group group2_accounting)
Table 4-165 Data plan of the egress solution and USG6600 HRP
Device   Interface Number   Member Interface   VLANIF   IP Address   Remote Device   Remote Interface Number
(Only the member interface XGE1/4/0/1 survives from the table rows.)
l The Agile Controller-Campus can support the free mobility function only after a license
is loaded.
l To implement free mobility, authentication points for intranet users must be deployed on
agile switches. It is recommended that S12700 and S7700 with X1E/X2S/X2E/X2H
cards, and S5720-HI switches be used.
l Policy enforcement points for free mobility are deployed on agile switches, Next-
Generation Firewalls (NGFWs), or Secure Sockets Layer virtual private network (SVN).
l If there is a requirement for user-to-user access control, Layer 2 isolation must be
deployed on access switches to divert all traffic to authentication point switches. User
isolation for wireless service needs to be configured in the VAP profile.
l If 802.1X authentication is deployed on switches and firewalls function as policy
enforcement points for free mobility, real-time accounting must be configured on the
switches. The switches report user IP addresses to the Agile Controller-Campus in
accounting packets so that the firewalls can query them.
l When 802.1X authentication is used for wired users, the authentication points can be
core switches or aggregation switches. If the authentication points are core switches,
EAP packet transparent transmission must be configured on access switches and
aggregation switches. Similarly, if the authentication points are aggregation switches,
EAP packet transparent transmission must be configured on access switches.
l When a firewall functions as a policy enforcement point, the intranet user network
segment needs to be specified on the Agile Controller-Campus for the firewall to query
the security group to which an IP address belongs. When user access traffic reaches the
firewall, the firewall sends the user IP address to the Agile Controller-Campus to query
its security group. The firewall will initiate inquiries only when the IP addresses are
within the intranet segment.
l When a firewall functions as a policy enforcement point, to prevent the security group
queries sent from the firewall to the Agile Controller-Campus from being discarded, it is
recommended that the Agile Controller-Campus deliver global configurations to the
firewall and forward RADIUS packets to the Agile Controller-Campus.
l Only firewalls support the free mobility QoS policy.
----End
# Check the CSS configuration. After the configuration is complete, run the display css
status saved command to check whether the configuration is correct.
[S12700-1] display css status saved //Check the CSS configuration on S12708-1.
Current Id Saved Id CSS Enable CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 1 Off CSS card 100 Off
# Check whether a CSS is set up successfully. Log in to the CSS from the console port of any
MPU and run the display device command to check the CSS status. If the card status of two
member switches is displayed in the command output, the CSS is set up successfully.
Step 2 Configure multi-active detection (MAD) in direct mode on cluster interfaces.
1. Configure MAD in direct mode on GE1/1/1/7.
<CSS> system-view
[CSS] interface gigabitethernet 1/1/1/7
[CSS-GigabitEthernet1/1/1/7] mad detect mode direct
Warning: This command will block the port, and no other configuration running
on this port is recommended. Continue?[Y/N]:y
[CSS-GigabitEthernet1/1/1/7] quit
GigabitEthernet1/1/1/7
GigabitEthernet2/1/1/7
XGigabitEthernet1/6/0/0
XGigabitEthernet2/6/0/0
# Create a loopback interface, and specify the IP address of this interface as the OSPF router
ID.
[core-switch] interface loopback 1
[core-switch-LoopBack1] ip address 3.3.3.3 255.255.255.255
[core-switch-LoopBack1] quit
# Configure a routing protocol based on site requirements. OSPF and static routing protocols
are used here.
[core-switch] ip ip-prefix test01 index 1 permit 172.16.30.0 24 //The route is advertised to the firewall only.
[core-switch] ip ip-prefix test01 index 2 permit 172.16.40.0 24
[core-switch] ospf 1 router-id 3.3.3.3
[core-switch-ospf-1] filter-policy ip-prefix test01 export static //Configure the core switch to advertise static routes to network segments of wired and wireless users.
[core-switch-ospf-1] import-route static
[core-switch-ospf-1] area 0.0.0.0
[core-switch-ospf-1-area-0.0.0.0] network 192.168.10.0 0.0.0.255 //Configure the core switch to advertise the network segment connected to the USG6600.
[core-switch-ospf-1-area-0.0.0.0] network 168.88.0.0 0.0.127.255 //Configure the core switch to advertise the address segment of the Agile Controller.
[core-switch-ospf-1-area-0.0.0.0] quit
[core-switch-ospf-1] quit
[core-switch] ip route-static 1.1.1.1 255.255.255.255 192.168.11.1
[core-switch] ip route-static 2.2.2.2 255.255.255.255 192.168.12.1
[core-switch] ip route-static 4.4.4.4 255.255.255.255 192.168.9.1
[core-switch] ip route-static 172.16.30.0 255.255.255.0 192.168.11.1
[core-switch] ip route-static 172.16.40.0 255.255.255.0 192.168.12.1
[core-switch] ip route-static 172.30.100.1 255.255.255.255 192.168.9.1
[core-switch] ip route-static 172.30.100.2 255.255.255.255 192.168.11.1
[core-switch] ip route-static 172.30.100.3 255.255.255.255 192.168.12.1
[core-switch] ip route-static 172.30.101.1 255.255.255.255 192.168.9.1
----End
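Two details of the routing step above are easy to get wrong when the configuration is adapted to another site: which interfaces an OSPF network statement with a wildcard mask actually covers, and which static routes the ip-prefix export filter lets through to the firewall. The following Python script is an added example, not part of this configuration guide, that checks both offline. It assumes Huawei's matching conditions for the network command (the interface's primary address lies in the range and its mask is at least as long as the statement's) and the usual ip-prefix semantics without greater-equal/less-equal (exact prefix-length match, implicit deny at the end). The interface list, network statements, prefix list and static routes are constructed from the core-switch configuration and the step above.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed from the core-switch configuration and the routing step above.
INTERFACES: List[Tuple[str, str]] = [
    ("Vlanif10", "192.168.10.3/24"),     # link to the USG6600
    ("Vlanif20", "192.168.20.1/24"),     # AP management, not advertised
    ("Vlanif1000", "168.88.77.157/17"),  # Agile Controller segment
    ("LoopBack1", "3.3.3.3/32"),         # OSPF router ID source
]
OSPF_NETWORKS = [("192.168.10.0", "0.0.0.255"), ("168.88.0.0", "0.0.127.255")]
IP_PREFIX_TEST01 = [("permit", "172.16.30.0/24"), ("permit", "172.16.40.0/24")]
STATIC_ROUTES = [
    "1.1.1.1/32", "2.2.2.2/32", "4.4.4.4/32",
    "172.16.30.0/24", "172.16.40.0/24",
    "172.30.100.1/32", "172.30.100.2/32", "172.30.100.3/32", "172.30.101.1/32",
]


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an OSPF 'network ADDRESS WILDCARD' statement into a prefix.

    The wildcard is the bitwise inverse of the subnet mask (0 bits must match).
    A non-contiguous wildcard such as 0.255.0.255 cannot be expressed as a
    prefix and raises ValueError.
    """
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)


def ospf_advertised(interfaces: List[Tuple[str, str]],
                    network_statements: List[Tuple[str, str]]) -> Dict[str, bool]:
    """Report, per interface, whether any network statement enables OSPF on it.

    Condition assumed (Huawei network command): the interface's primary address
    is inside the statement's range and the interface mask is at least as long.
    """
    nets = [wildcard_to_network(a, w) for a, w in network_statements]
    advertised: Dict[str, bool] = {}
    for name, cidr in interfaces:
        iface = ipaddress.ip_interface(cidr)
        advertised[name] = any(
            iface.ip in n and iface.network.prefixlen >= n.prefixlen for n in nets
        )
    return advertised


def export_filter(static_routes: List[str],
                  prefix_list: List[Tuple[str, str]]) -> List[str]:
    """Apply 'filter-policy ip-prefix ... export static' to a route list.

    Assumed semantics: each entry matches only routes with exactly its prefix
    (no greater-equal/less-equal), first match wins, unmatched routes are denied.
    """
    exported: List[str] = []
    for route in static_routes:
        r = ipaddress.ip_network(route)
        for action, prefix in prefix_list:
            if r == ipaddress.ip_network(prefix):
                if action == "permit":
                    exported.append(route)
                break  # first matching entry decides
    return exported


if __name__ == "__main__":
    for name, on in ospf_advertised(INTERFACES, OSPF_NETWORKS).items():
        print(f"{name:12s} OSPF {'on' if on else 'off'}")
    print("static routes exported to OSPF:", export_filter(STATIC_ROUTES, IP_PREFIX_TEST01))
```

The output shows that only the routes to the wired and wireless user segments reach the firewall through OSPF, which is what the comment on the ip-prefix command states, and that the /32 host routes stay local to the core switch.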
# Create a wireless management interface VLANIF 20, and assign IP addresses to APs from
the interface address pool.
[S12700] interface vlanif 20
[S12700-Vlanif20] ip address 192.168.20.1 255.255.255.0
[S12700-Vlanif20] dhcp select interface
[S12700-Vlanif20] quit
# Create a wireless service interface VLANIF 30, and assign IP addresses to STAs from the
interface address pool.
[S12700] interface vlanif 30
[S12700-Vlanif30] ip address 172.16.30.1 255.255.255.0
[S12700-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN ARP proxy; otherwise, wireless users cannot communicate through the AC. Determine the configuration according to the actual situation.
[S12700-Vlanif30] dhcp select interface
[S12700-Vlanif30] dhcp server dns-list 168.88.77.140 //Configure the DNS server address for terminals.
[S12700-Vlanif30] quit
# Configure an authentication scheme test01 and set the authentication mode to RADIUS.
[S12700] aaa
[S12700-aaa] authentication-scheme test01
[S12700-aaa-authen-test01] authentication-mode radius
[S12700-aaa-authen-test01] quit
# Configure an accounting scheme named test01 and set the accounting mode to RADIUS.
[S12700-aaa] accounting-scheme test01
[S12700-aaa-accounting-test01] accounting-mode radius
[S12700-aaa-accounting-test01] accounting realtime 15 //Set the accounting interval to 15 minutes.
[S12700-aaa-accounting-test01] quit
# Create an authentication domain named huawei and bind the authentication scheme,
accounting scheme, and RADIUS server template to the domain.
[S12700-aaa] domain huawei
[S12700-aaa-domain-huawei] authentication-scheme test01
[S12700-aaa-domain-huawei] accounting-scheme test01
[S12700-aaa-domain-huawei] radius-server test01
[S12700-aaa-domain-huawei] quit
# Configure the Portal authentication server and create a Portal access profile named portal1.
# Configure an authentication-free rule to permit packets from the DNS server so that the
Portal authentication page can be redirected.
[S12700] free-rule-template name default_free_rule
[S12700-free-rule-default_free_rule] free-rule 1 destination ip 168.88.77.140 mask 32 source any
[S12700-free-rule-default_free_rule] quit
Step 4 Configure XMPP parameters for interworking with the Agile Controller, and enable free
mobility.
[S12700] group-policy controller 168.88.77.10 password Admin@123 src-ip 1.1.1.1
# Create a regulatory domain profile, configure the AC's country code in the profile, and
apply the profile to the AP group.
[S12700-wlan-view] regulatory-domain-profile name domain1
[S12700-wlan-regulate-domain-domain1] country-code CN
[S12700-wlan-regulate-domain-domain1] quit
[S12700-wlan-view] ap-group name ap-group1
[S12700-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[S12700-wlan-ap-group-ap-group1] quit
[S12700-wlan-view] quit
# Import the AP offline on the AC and add the AP to the AP group ap-group1. Assume that
the MAC address of the AP is ac85-3d95-d800.
[S12700] wlan
[S12700-wlan-view] ap auth-mode mac-auth
[S12700-wlan-view] ap-id 0 ap-mac ac85-3d95-d800
[S12700-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, whether to
continue? [Y/N]:y
[S12700-wlan-ap-0] quit
# After the AP is powered on, run the display ap all command to check the AP status. If the
State field displays nor, the AP has gone online.
[S12700-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------------------------
ID MAC            Name           Group     IP             Type         State STA Uptime
-------------------------------------------------------------------------------------------------------
0  ac85-3d95-d800 ac85-3d95-d800 ap-group1 192.168.20.250 AP6010DN-AGN nor   0   2M:16S
-------------------------------------------------------------------------------------------------------
Total: 1
# After the configuration, run the display vap ssid portal_test command. If the Status field
displays ON, the VAP has been successfully created on the AP radio.
[S12700] display vap ssid portal_test
WID : WLAN ID
------------------------------------------------------------------------------------
AP ID AP name        RfID WID BSSID          Status Auth type STA SSID
------------------------------------------------------------------------------------
0     ac85-3d95-d800 0    1   AC85-3D95-D800 ON     Open      0   portal_test
0     ac85-3d95-d800 1    1   AC85-3D95-D810 ON     Open      0   portal_test
------------------------------------------------------------------------------------
Total: 2
----End
Step 2 Add interfaces through which the firewall connects to the core switch S12700 to the Eth-Trunk.
# Add interconnected interfaces to the Eth-Trunk on FW1.
[FW1] interface gigabitethernet 1/0/3
[FW1-GigabitEthernet1/0/3] eth-trunk 1
[FW1-GigabitEthernet1/0/3] quit
[FW1] interface gigabitethernet 1/0/4
[FW1-GigabitEthernet1/0/4] eth-trunk 1
[FW1-GigabitEthernet1/0/4] quit
# Enable the health check function, and configure health check for links of ISP1 and ISP2.
Assume that the destination server's IP address of ISP1 is 21.0.0.100 and the destination
server's IP address of ISP2 is 22.0.0.100.
[FW1] healthcheck enable
[FW1] healthcheck name isp1_health
[FW1-healthcheck-isp1_health] destination 21.0.0.100 interface gigabitethernet 1/0/1 protocol tcp-simple destination-port 1001
[FW1-healthcheck-isp1_health] quit
[FW1] healthcheck name isp2_health
[FW1-healthcheck-isp2_health] destination 22.0.0.100 interface gigabitethernet 1/0/2 protocol tcp-simple destination-port 1002
[FW1-healthcheck-isp2_health] quit
# Set the link bandwidth and overload protection threshold for interfaces. (Assume that the
bandwidth and the overload protection threshold of ISP1 are 100 Mbit/s and 95%
respectively, and those of ISP2 are 50 Mbit/s and 90% respectively). Configure health check
for links of ISP1 and ISP2 respectively.
[FW1] interface gigabitethernet 1/0/1
[FW1-GigabitEthernet1/0/1] bandwidth ingress 100000 threshold 95
[FW1-GigabitEthernet1/0/1] bandwidth egress 100000 threshold 95
[FW1-GigabitEthernet1/0/1] healthcheck isp1_health
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface gigabitethernet 1/0/2
[FW1-GigabitEthernet1/0/2] bandwidth ingress 50000 threshold 90
[FW1-GigabitEthernet1/0/2] bandwidth egress 50000 threshold 90
[FW1-GigabitEthernet1/0/2] healthcheck isp2_health
[FW1-GigabitEthernet1/0/2] quit
# Configure a global route selection policy, and set the working mode of intelligent route
selection to link bandwidth-based load balancing.
[FW1] multi-interface
[FW1-multi-inter] mode proportion-of-bandwidth
[FW1-multi-inter] add interface gigabitethernet1/0/1
[FW1-multi-inter] add interface gigabitethernet1/0/2
[FW1-multi-inter] quit
# Configure quick session backup, specify the heartbeat interface, and enable HRP.
[FW1] hrp track interface eth-trunk 1
[FW1] hrp interface gigabitethernet1/0/5 remote 10.10.0.2
[FW1] hrp mirror session enable
[FW1] hrp enable
# Configure source NAT policies to allow intranet users to access the Internet by using public
IP addresses translated using NAT.
HRP_M[FW1] nat-policy
HRP_M[FW1-policy-nat] rule name policy_nat1
HRP_M[FW1-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[FW1-policy-nat-rule-policy_nat1] source-address range 172.16.30.1 172.16.30.254
HRP_M[FW1-policy-nat-rule-policy_nat1] source-address range 172.16.40.1 172.16.40.254
HRP_M[FW1-policy-nat-rule-policy_nat1] destination-zone isp1
HRP_M[FW1-policy-nat-rule-policy_nat1] action nat address-group addressgroup1
HRP_M[FW1-policy-nat-rule-policy_nat1] quit
HRP_M[FW1-policy-nat] rule name policy_nat2
HRP_M[FW1-policy-nat-rule-policy_nat2] source-address range 172.16.30.1 172.16.30.254
HRP_M[FW1-policy-nat-rule-policy_nat2] source-address range 172.16.40.1 172.16.40.254
HRP_M[FW1-policy-nat-rule-policy_nat2] source-zone trust
HRP_M[FW1-policy-nat-rule-policy_nat2] destination-zone isp2
HRP_M[FW1-policy-nat-rule-policy_nat2] action nat address-group addressgroup2
HRP_M[FW1-policy-nat-rule-policy_nat2] quit
HRP_M[FW1-policy-nat] quit
# Ask the ISP administrator to configure routes to the addresses in addressgroup1 and
addressgroup2, with the next hop set to the corresponding interface address of the USG6600.
Step 9 Configure routes based on site requirements.
# Advertise OSPF routes.
HRP_M[FW1] ospf 1 router-id 5.5.5.5
HRP_M[FW1-ospf-1] import-route static
HRP_M[FW1-ospf-1] area 0.0.0.0
HRP_M[FW1-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
HRP_M[FW1-ospf-1-area-0.0.0.0] network 192.168.10.0 0.0.0.255
HRP_M[FW1-ospf-1-area-0.0.0.0] quit
HRP_M[FW1-ospf-1] quit
# Configure default routes to the ISP server. In this example, static routes are used.
----End
IP address of the Agile Controller: If port 80 is enabled during installation, you can access the
Agile Controller by simply entering its IP address without the port number. The Agile
Controller address will automatically change to https://Agile Controller-IP:8443.
2. Enter the administrator user name and password. If you log in to the Agile Controller for
the first time, use the super administrator user name and password. Change the password
immediately after logging in; otherwise, the Agile Controller cannot be used.
Step 2 Add the aggregation switch S12700.
1. Choose Resource > Device > Device Management and add the aggregation switch
S12700 to the authentication point device. Configure the IP address for the S12700 that
communicates with the Agile Controller. Enable RADIUS and Portal authentication, set
the RADIUS authentication and accounting keys to Admin@123, and set the real-time
accounting interval to 15 minutes. Set the Portal port to 2000, Portal key to Admin@123,
and access terminal IP address list to be within the allocation scope of terminal IP
addresses (a route for packets to be returned to the terminal IP address should be added
to the Agile Controller server, and its configuration is not mentioned here).
3. Click OK.
4. Click Synchronize to synchronize device data. After data synchronization, the indicator
of the communication status turns green.
Step 4 Configure two dynamic security groups named group1 and group2, and two resource groups
named server1 and server2.
1. Choose Policy > Permission Control > Security Group > Dynamic Security Group
Management. Click Add and create group1 and group2.
2. Choose Policy > Permission Control > Security Group > Static Security Group
Management. Click Add and create server1 and server2.
3. Select the new policy and click Global Deployment to deploy the network policy on the
agile device.
1. Choose Policy > Permission Control > Security Group > Intranet Configuration to
add a network segment of the internal network, click Save. When the system asks you
whether to deploy it immediately, select Yes. The internal network segment is delivered
to the firewall.
NOTE
The firewall uses the network segment of the internal network to query the security group based
on users' IP addresses. When user access traffic reaches the firewall, it queries the security group
where users belong on the Agile Controller-Campus. Only the IP address in the network segment
of the internal network can trigger such query.
2. After the network segment of the internal network is deployed successfully, run the
display agile-network intranet-address command on the NGFW module to check the
internal network segment delivered to it.
[NGFW] display agile-network intranet-address
Intranet Address 172.16.30.0-172.16.30.255
172.16.40.0-172.16.40.255
1. Choose Policy > Free Mobility > Policy Configuration > QoS Policy. Click
next to the VIP security group configuration and select group1.
2. Click Add in Device List, select FW1 and FW2, and click OK.
3. Click Deploy to deploy the QoS policy. After the QoS policy is deployed successfully,
you can view the deployment result on the USG6600. group1 is deployed as the VIP
security group.
HRP_M[FW1] display agile-network security-group all
Total Security Group: 3.
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
0 unknown no 0
1 group1 yes 5
2 group2 no 0
4. After the service chain is successfully deployed, run the display interface tunnel
command on the aggregation switch or on the NGFW module to check the GRE tunnel
status.
[S12700] display interface Tunnel
Tunnel16382 current state : UP
Description:Controller_MSV_from_172.30.100.1
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 172.30.10.5/30
Encapsulation is TUNNEL, loopback not set
Tunnel source 172.30.100.2 (LoopBack100), destination 172.30.100.1
Tunnel protocol/transport GRE/IP, key disabled
keepalive enable period 1 retry-times 3
Checksumming of packets disabled
Current system time: 2016-07-30 15:58:22+08:00
Input bandwidth utilization : --
Output bandwidth utilization : --
Tunnel16383 current state : UP
Description:Controller_MSV_to_172.30.101.1
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 172.30.10.1/30
Encapsulation is TUNNEL, loopback not set
Tunnel source 172.30.101.2 (LoopBack101), destination 172.30.101.1
Tunnel protocol/transport GRE/IP, key disabled
keepalive enable period 1 retry-times 3
Checksumming of packets disabled
Current system time: 2016-07-30 15:58:22+08:00
Input bandwidth utilization : --
Output bandwidth utilization : --
5. Choose Policy > Service Chain > Service Flow Definition. Click Add to add a service
flow, and set the definition mode to ACL to add intercommunication traffic between
office building A and office building B.
2. Configure basic information about the authorization result and click OK.
Authorization Result Parameter Value
----End
4.20.3.6 Verification
Step 1 After configuring HRP, you can run the display hrp state command to check the HRP status.
Step 2 When FW1 fails, for example, a tracked interface goes Down, the role of FW2 becomes
active.
HRP_M[FW2] display hrp state
Role: active, peer: standby (should be "active-active")
Running priority: 44998, peer: 44994
Core state: abnormal(active), peer: abnormal(standby)
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 0 minutes
Last state change information: 2016-07-30 15:05:17 HRP core state changed,
old_state = normal, new_state = abnormal(active), local_
priority = 44998, peer_priority = 44996.
Step 3 After the security group and the inter-group policy are successfully deployed, you can run the
following commands on the aggregation switch to check deployment information.
# Run the display ucl-group all command to check the security group configuration.
[S12700] display ucl-group all
ID UCL group name
--------------------------------------------------------------------------------
1 group1
2 group2
--------------------------------------------------------------------------------
Total : 2
# Run the display acl all command to check the access control policy configuration.
[S12700] display acl all
Total nonempty ACL number is 3
Advanced ACL MSV_ACL_20160730144446_D8F7 3998, 1 rule
Acl's step is 5
rule 5 permit ip source 172.16.30.0 0.0.0.255 destination 172.16.40.0 0.0.0.255
Advanced ACL Auto_PGM_OPEN_POLICY 3999, 0 rule
Acl's step is 5
Ucl-group ACL Auto_PGM_U2 9997, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group2 destination 21.0.0.100 0
rule 2 deny ip source ucl-group name group2 destination 22.0.0.100 0
rule 3 deny ip source ucl-group name group2 destination ucl-group name group1
Ucl-group ACL Auto_PGM_U1 9998, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group1 destination 21.0.0.100 0
rule 2 deny ip source ucl-group name group1 destination 22.0.0.100 0
rule 3 deny ip source ucl-group name group1 destination ucl-group name group2
Ucl-group ACL Auto_PGM_PREFER_POLICY 9999, 0 rule
Acl's step is 5
Step 4 After the security group and the security policy are successfully deployed, you can run the
following commands on the USG6600 and the NGFW module to check deployment
information.
# Run the display security-policy all command to check the security policy configuration.
HRP_M[FW1] display security-policy all
Total:9
RULE ID RULE NAME STATE ACTION HITTED
-------------------------------------------------------------------------------
Step 5 A wireless user is authenticated on a terminal using the user name and password that are
defined on the Srun. After the user is successfully authenticated, check the user table on the
switch. The wireless user successfully matches a security group.
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
Step 6 A wired user is authenticated on a terminal using the user name and password that are defined
on the Srun. After the user is successfully authenticated, check the user table on the switch.
The wired user successfully matches a security group.
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
Step 7 After the user goes online, the user's packets trigger the NGFW module to obtain the correct
security group from the Agile Controller.
[NGFW Module] display agile-network user
Total user: 4, show user: 4.
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
172.16.30.253 2016/07/30 16:36:17 0 0 2-group2
172.16.40.254 2016/07/30 16:36:17 0 0 2-group2
172.16.30.254 2016/07/30 16:37:27 0 0 1-group1
172.16.40.253 2016/07/30 16:37:27 0 0 1-group1
# The user user1 of office building A cannot communicate with the user user2 of office
building B.
C:\Users\Administrator>ping 172.16.40.254
----End
interface GigabitEthernet1/3/1/1
eth-trunk 2
#
interface GigabitEthernet2/3/1/1
eth-trunk 2
#
interface XGigabitEthernet1/4/0/0
eth-trunk 0
#
interface XGigabitEthernet1/4/0/1
eth-trunk 0
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1 router-id 3.3.3.3
filter-policy ip-prefix test01 export static
import-route static
area 0.0.0.0
network 168.88.0.0 0.0.127.255
network 192.168.10.0 0.0.0.255
#
ip ip-prefix test01 index 1 permit 172.16.30.0 24
ip ip-prefix test01 index 2 permit 172.16.40.0 24
#
ip route-static 1.1.1.1 255.255.255.255 192.168.11.1
ip route-static 2.2.2.2 255.255.255.255 192.168.12.1
ip route-static 4.4.4.4 255.255.255.255 192.168.9.1
ip route-static 172.16.30.0 255.255.255.0 192.168.11.1
ip route-static 172.16.40.0 255.255.255.0 192.168.12.1
ip route-static 172.30.100.1 255.255.255.255 192.168.9.1
ip route-static 172.30.100.2 255.255.255.255 192.168.11.1
ip route-static 172.30.100.3 255.255.255.255 192.168.12.1
ip route-static 172.30.101.1 255.255.255.255 192.168.9.1
ip route-static 172.30.101.2 255.255.255.255 192.168.11.1
ip route-static 172.30.101.3 255.255.255.255 192.168.12.1
#
NGFW Module
#
sysname NGFW Module
#
vlan batch 9
#
radius-server template test01
radius-server shared-key cipher %@%@eJb}7fm's=:^`p5QuT<77K&]%@%@
radius-server authentication 168.88.77.10 1812 source ip-address 4.4.4.4 weight 80
radius-server accounting 168.88.77.10 1813 source ip-address 4.4.4.4 weight 80
undo radius-server user-name domain-included
radius-server group-filter class
#
interface Vlanif9
ip address 192.168.9.1 255.255.255.0
#
interface Eth-Trunk0
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 9
#
interface GigabitEthernet1/0/0
undo shutdown
eth-trunk 0
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 0
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
interface LoopBack100
ip address 172.30.100.1 255.255.255.255
#
interface LoopBack101
ip address 172.30.101.1 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk0
add interface GigabitEthernet0/0/0
add interface Vlanif9
#
ip route-static 0.0.0.0 0.0.0.0 192.168.9.2
#
agile-network
agile-network enable
radius-server test01
server ip 168.88.77.10
local ip 4.4.4.4
password %$%$0}:jXH3"FLn__tY:4q^0Nof]%$%$
xmpp connect
#
security-policy
default action permit
#
FW1
#
sysname FW1
#
hrp enable
hrp interface GigabitEthernet1/0/5 remote 10.10.0.2
hrp mirror session enable
hrp track interface Eth-Trunk1
#
healthcheck enable
healthcheck name isp1_health
destination 21.0.0.100 interface GigabitEthernet1/0/1 protocol tcp-simple destination-port 1001
healthcheck name isp2_health
destination 22.0.0.100 interface GigabitEthernet1/0/2 protocol tcp-simple destination-port 1002
#
radius-server template test01
radius-server shared-key cipher %@%@YeBxR{:_6A7/`xDG-3u7#BCr%@%@
radius-server authentication 168.88.77.10 1812 source LoopBack 0 weight 80
radius-server accounting 168.88.77.10 1813 source LoopBack 0 weight 80
undo radius-server user-name domain-included
radius-server group-filter class
#
interface Eth-Trunk1
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 201.0.0.1 255.255.255.0
healthcheck isp1_health
gateway 201.0.0.254
bandwidth ingress 100000 threshold 95
bandwidth egress 100000 threshold 95
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 202.0.0.2 255.255.255.0
healthcheck isp2_health
gateway 202.0.0.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
#
interface GigabitEthernet1/0/3
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/4
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/5
undo shutdown
ip address 10.10.0.1 255.255.255.0
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface Eth-Trunk1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/5
#
firewall zone name isp1 id 4
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
set priority 20
add interface GigabitEthernet1/0/2
#
ospf 1 router-id 5.5.5.5
import-route static
area 0.0.0.0
network 5.5.5.5 0.0.0.0
network 192.168.10.0 0.0.0.255
#
ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
ip route-static 22.0.0.0 255.255.255.0 202.0.0.254
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 201.0.0.10 201.0.0.12
#
nat address-group addressgroup2 1
mode pat
route enable
section 1 202.20.1.1 202.20.1.5
#
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
agile-network
agile-network enable
radius-server test01
server ip 168.88.77.10
local ip 5.5.5.5
password %$%$"YrVNBu2P~I{BlL0'$8UE680%$%$
xmpp connect
#
security-policy
default action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone isp1
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup1
rule name policy_nat2
source-zone trust
destination-zone isp2
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup2
#
return
FW2
#
sysname FW2
#
hrp enable
hrp interface GigabitEthernet1/0/5 remote 10.10.0.1
hrp mirror session enable
hrp track interface Eth-Trunk1
#
healthcheck enable
healthcheck name isp1_health
destination 21.0.0.100 interface GigabitEthernet1/0/1 protocol tcp-simple destination-port 1003
healthcheck name isp2_health
destination 22.0.0.100 interface GigabitEthernet1/0/2 protocol tcp-simple destination-port 1004
#
radius-server template test01
radius-server shared-key cipher %@%@YeBxR{:_6A7/`xDG-3u7#BCr%@%@
radius-server authentication 168.88.77.10 1812 source LoopBack 0 weight 80
radius-server accounting 168.88.77.10 1813 source LoopBack 0 weight 80
undo radius-server user-name domain-included
radius-server group-filter class
#
interface Eth-Trunk1
ip address 192.168.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 201.0.0.2 255.255.255.0
healthcheck isp1_health
gateway 201.0.0.254
bandwidth ingress 100000 threshold 95
bandwidth egress 100000 threshold 95
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 202.0.0.1 255.255.255.0
healthcheck isp2_health
gateway 202.0.0.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
#
interface GigabitEthernet1/0/3
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/4
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/5
undo shutdown
ip address 10.10.0.2 255.255.255.0
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface Eth-Trunk1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/5
#
firewall zone name isp1 id 4
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
set priority 20
add interface GigabitEthernet1/0/2
#
ospf 1 router-id 6.6.6.6
import-route static
area 0.0.0.0
network 6.6.6.6 0.0.0.0
network 192.168.10.0 0.0.0.255
#
ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
ip route-static 22.0.0.0 255.255.255.0 202.0.0.254
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 201.0.0.10 201.0.0.12
#
nat address-group addressgroup2 1
mode pat
route enable
section 1 202.20.1.1 202.20.1.5
#
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
agile-network
agile-network enable
radius-server test01
server ip 168.88.77.10
local ip 6.6.6.6
password %$%$_i#0Mg|T-XkLhMY&VI&WGh$_%$%$
xmpp connect
#
security-policy
default action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone isp1
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup1
rule name policy_nat2
source-zone trust
destination-zone isp2
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup2
#
return
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1x+AES
Figure: network topology. Internet - Router GE0/0/1 - SwitchB GE0/0/4; SwitchB also connects to the AC (GE0/0/2), to the RADIUS server 10.23.103.1:1812 (GE0/0/3), and through GE0/0/1 to SwitchA GE0/0/2; SwitchA GE0/0/1 connects to the AP, which serves the STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure AC system parameters.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When configuring the
security policy, select 802.1X and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure third-party server interconnection parameters.
NOTE
The AC and server must have the same RADIUS shared key.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.
NOTE
Configure the DNS server address as required.
# Click OK.
# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.103.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.102.1.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.
l For interconnection with the Aruba ClearPass, see "Example for Configuring Wireless
802.1X Authentication" in the Typical Configuration Examples-WLAN and the Aruba
ClearPass Server Interoperation Configuration Examples.
l For interconnection with the Agile Controller-Campus, see "Example for Configuring
Wireless 802.1X Authentication" in the Agile Controller-Campus Typical Configuration
Examples.
l For interconnection with other third-party servers, see the corresponding product manual.
Step 8 Verify the configuration.
l The WLAN with SSID wlan-net is available for STAs connected to the AP.
l The wireless PC obtains an IP address after it associates with the WLAN.
l Use the 802.1x authentication client on a STA and enter the correct user name and
password. The STA is authenticated and can access the WLAN. You must configure the
client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication
mode, set the identity authentication mode to User authentication, and click
OK.
----End
Networking Requirements
l AC networking mode: Layer 2 bypass mode
Data Planning
Item Data
Management VLAN for APs: VLAN 100
Service VLAN for STAs: VLAN 101
IP address pool for APs: 10.23.100.2–10.23.100.254/24
IP address pool for STAs: 10.23.101.3–10.23.101.254/24
MAC access profile: Name: wlan-net
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and MAC address-prioritized Portal authentication on the AC
using the WLAN configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Complete service verification.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Configure the SSID name, forwarding mode, and service VLAN ID.
# Set Security settings to Portal (applicable to enterprise networks) and select MAC
address-prioritized. Under External Portal Server Configuration, set the server name, IP
address, shared-key, port number, and server URL. Under External RADIUS Server
Configuration, set the server name, authentication server IP address, and shared key.
# Click Finish.
5. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule
ID to 1 and the authentication-free resource to the IP address of the DNS server.
6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.
3. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
4. When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.
5. Assume that the MAC address validity period configured on the server is 60 minutes. If a
user is disconnected from the wireless network for 5 minutes and reconnects to the
network, the user can directly access the network. If a user is disconnected from the
wireless network for 65 minutes and reconnects to the network, the user will be
redirected to the Portal authentication page.
----End
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: direct forwarding
Data Planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Adjust WLAN high-density parameters.
You are advised to adjust WLAN high-density parameters according to Table 5-4.
l Configure 5G-prior access. Purpose: to reduce the burden on the 2.4 GHz radio by
preferentially connecting 5G-capable STAs to the 5 GHz radio when a large number of
2.4 GHz STAs exist on the network. Configuration: enable band steering. By default, band
steering is enabled.
l Reduce the user association aging time. Purpose: to prevent users who frequently
disconnect from the wireless network. Configuration: set the association aging time to
1 minute.
l Limit user rates. Purpose: to prevent advantaged STAs from occupying too many rate
resources and deteriorating the service experience of disadvantaged STAs. Configuration:
limit the downstream rate of each STA to 2000 kbit/s in a VAP. Adjust the upstream rate
according to actual situations. In this example, the upstream rate is set to 1000 kbit/s.
l Configure smart roaming. Purpose: to prevent weak-signal STAs from degrading user
experience. Configuration: enable smart roaming and set the SNR threshold to 15 dB.
l Set the RTS-CTS threshold. Purpose: to prevent hidden STAs. Configuration: set the
RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.
l Adjust the interval at which Beacon frames are sent. Purpose: to improve the overall data
traffic of APs. Configuration: set the interval for sending Beacon frames to 160 ms.
l Set the guard interval (GI) mode to short GI. Purpose: to reduce extra overhead and
improve AP transmission efficiency. Configuration: set the GI mode to short GI.
l Configure the basic rate set. Purpose: to improve the overall AP throughput.
Configuration: delete low rates from the basic rate set.
l Configure the multicast rate. Purpose: to improve air interface efficiency. Configuration:
use the default values. By default, the multicast transmit rate of wireless packets is
11 Mbit/s for the 2.4 GHz radio and 6 Mbit/s for the 5 GHz radio.
7. Deliver the WLAN services to the APs and verify the configuration.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLANs 10, 101, and 102. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit
# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# On SwitchB, enable DHCP and configure VLANIF 101 and VLANIF 102 to assign IP addresses to
STAs and set the default gateways.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click OK.
# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24 (255.255.255.0), and Next hop
address to 10.23.100.2.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
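The mandatory/optional rule in the NOTE above (and in the identical notes of the later examples) is easy to get wrong in a hand-filled template, so this added example pre-checks the import file before it reaches the Config Wizard. It is not the AC's own importer; the CSV column names and the 20-character SN shape are assumptions.

```python
"""Pre-check an AP batch-import file: with MAC address authentication the
AP MAC is mandatory and the SN optional; with SN authentication it is the
other way round.  Whatever identifiers are present must also be well formed
and unique, so that two physical APs cannot be admitted under one identity.
Added example; column names and the SN shape are assumptions."""
import csv
import io
import re

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")  # xxxx-xxxx-xxxx, as on this page
SN_RE = re.compile(r"^[0-9A-Z]{20}$")  # assumption: 20 alphanumerics, like the sample SN


def validate_ap_file(csv_text: str, auth_mode: str, known_groups: set[str]) -> list[str]:
    """Return human-readable errors; an empty list means the file is ready to import."""
    if auth_mode not in ("mac", "sn"):
        raise ValueError("auth_mode must be 'mac' or 'sn'")
    errors: list[str] = []
    seen_mac: set[str] = set()
    seen_sn: set[str] = set()
    seen_name: set[str] = set()
    # the header is line 1, so the first data row is line 2
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        mac = (row.get("AP MAC") or "").strip().lower()
        sn = (row.get("AP SN") or "").strip().upper()
        name = (row.get("AP Name") or "").strip()
        group = (row.get("AP Group") or "").strip()
        where = f"line {lineno} ({name or 'unnamed AP'})"

        # the identifier the AC authenticates on decides what is mandatory
        if auth_mode == "mac" and not mac:
            errors.append(f"{where}: AP MAC is mandatory for MAC address authentication")
        if auth_mode == "sn" and not sn:
            errors.append(f"{where}: AP SN is mandatory for SN authentication")

        # optional or not, a present identifier must be well formed and unique
        if mac:
            if not MAC_RE.match(mac):
                errors.append(f"{where}: malformed AP MAC {mac!r}")
            elif mac in seen_mac:
                errors.append(f"{where}: duplicate AP MAC {mac}")
            seen_mac.add(mac)
        if sn:
            if not SN_RE.match(sn):
                errors.append(f"{where}: malformed AP SN {sn!r}")
            elif sn in seen_sn:
                errors.append(f"{where}: duplicate AP SN {sn}")
            seen_sn.add(sn)

        if not name:
            errors.append(f"{where}: AP Name is empty")
        elif name in seen_name:
            errors.append(f"{where}: duplicate AP Name {name}")
        seen_name.add(name)
        if group not in known_groups:
            errors.append(f"{where}: AP Group {group!r} not in {sorted(known_groups)}")
    return errors


# Constructed sample file: the first row reproduces the AP from the text; the others
# exercise the optional/mandatory rule, a duplicate MAC and an unknown AP group.
SAMPLE_AP_FILE = """\
AP MAC,AP SN,AP Name,AP Group
60de-4476-e360,210235419610CB002287,area_1,ap-group1
60de-4476-e370,,area_2,ap-group1
,210235419610CB002288,area_3,ap-group1
60de-4476-e360,210235419610CB002289,area_4,ap-group9
"""

if __name__ == "__main__":
    for mode in ("mac", "sn"):
        print(f"--- AP authentication mode: {mode}")
        for err in validate_ap_file(SAMPLE_AP_FILE, mode, {"ap-group1"}):
            print(err)
```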
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.
# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.
# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles in Radio Management are displayed.
# Click Radio 0. The Radio 0 Settings(2.4G) page is displayed. Enable the dual-5G
mode. In the dialog box that is displayed, click OK.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 1 > 5G
Radio Profile. The 5G Radio Profile page is displayed.
# Click Create. On the Create 5G Radio Profile page that is displayed, enter the profile
name wlan-radio5g and click OK. The 5G radio profile configuration page is displayed.
– Set the RTS-CTS mode to rts-cts and the RTS-CTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short.
– Set the multicast rate to 6 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a large number of users connect to the network in the stadium, the users still have
good Internet experience.
----End
Networking Requirements
l AC networking mode: Layer 2 networking in bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_A) functions as a DHCP server to assign IP
addresses to STAs.
Data Planning
Item Data
WDS whitelist profile
l Name: wds-list2
l AP MAC address: MAC address of AP_3 (leaf)
WDS profile
l Name: wds-leaf
l WDS name: wlan-wds
l WDS working mode: leaf
l Tagged VLAN: VLAN 101
l Referenced profile: security profile wds-security
AP group
l Name: ap-group2
l Root and leaf APs, such as AP_2, are added to the group.
l Referenced profiles: WDS profiles wds-root and wds-leaf, VAP profile wlan-net, and regulatory domain profile default
AP group
l Name: ap-group3
l Leaf APs, such as AP_3, are added to the group.
l Referenced profiles: WDS profile wds-leaf, VAP profile wlan-net, and regulatory domain profile default
Configuration Roadmap
1. Configure root node AP_1 to go online on the AC.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
2. Configure WDS services so that APs in and Area C can go online through WDS wireless
virtual links.
3. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
l Select proper antennas by following the WDS network planning and design, and use the
antenna calibration tool for calibration.
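Two of the Configuration Notes above (port isolation on AP-facing interfaces, and management VLAN distinct from service VLAN in tunnel forwarding) recur in every example of this document and can be checked mechanically against the CLI transcripts. This added example does that; it is not Huawei tooling, and its parser knows only the commands that appear in the transcripts on this page.

```python
"""Lint a VRP-style CLI transcript against two Configuration Notes: every
AP-facing trunk port (its PVID is the AP management VLAN) needs
'port-isolate enable', and with tunnel forwarding the management VLAN must
not also be a service VLAN.  Added example, not Huawei tooling."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# strips "<HUAWEI> " or "[SwitchA-GigabitEthernet0/0/1] " so only the command remains
PROMPT = re.compile(r"^\s*[<\[][^>\]]*[>\]]\s*")


@dataclass
class Interface:
    name: str
    pvid: int | None = None          # from 'port trunk pvid vlan N'
    isolated: bool = False           # 'port-isolate enable' seen
    allowed: set[int] = field(default_factory=set)


def expand_vlans(spec: str) -> set[int]:
    """'10 101 102' -> {10, 101, 102}; '100 to 101' -> {100, 101}."""
    tokens, out, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            out.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            out.add(int(tokens[i]))
            i += 1
    return out


def parse_transcript(text: str) -> dict[str, Interface]:
    """Walk the transcript line by line, tracking which interface view is open."""
    interfaces: dict[str, Interface] = {}
    current: Interface | None = None
    for raw in text.splitlines():
        cmd = PROMPT.sub("", raw).strip()
        if m := re.match(r"interface\s+gigabitethernet\s+(\S+)$", cmd, re.I):
            name = "GigabitEthernet" + m.group(1)
            current = interfaces.setdefault(name, Interface(name))
        elif cmd == "quit" or cmd.startswith("interface "):
            current = None               # left the view, or entered a non-GE view
        elif current is not None:
            if m := re.match(r"port trunk pvid vlan (\d+)$", cmd):
                current.pvid = int(m.group(1))
            elif cmd == "port-isolate enable":
                current.isolated = True
            elif m := re.match(r"port trunk allow-pass vlan (.+)$", cmd):
                current.allowed |= expand_vlans(m.group(1))
    return interfaces


def lint(text: str, mgmt_vlan: int, service_vlans: set[int],
         tunnel_forwarding: bool) -> list[str]:
    """Return one finding per violated note; an empty list means the transcript is clean."""
    findings: list[str] = []
    if tunnel_forwarding and mgmt_vlan in service_vlans:
        findings.append(f"management VLAN {mgmt_vlan} is also a service VLAN; "
                        "not allowed with tunnel forwarding")
    for itf in parse_transcript(text).values():
        # a trunk whose default VLAN is the management VLAN is where an AP plugs in
        if itf.pvid == mgmt_vlan and not itf.isolated:
            findings.append(f"{itf.name}: AP-facing port (PVID {mgmt_vlan}) "
                            "lacks 'port-isolate enable'")
    return findings


# Constructed transcript modelled on the SwitchA block of the first example; GE0/0/3
# deliberately omits 'port-isolate enable' so that the lint has something to report.
SAMPLE = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] quit
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE, mgmt_vlan=10, service_vlans={101, 102}, tunnel_forwarding=True):
        print(finding)
```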
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit
# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
NOTE
Configure the DNS server address as required.
# Click Batch Import. The Batch Import page is displayed. Click and download
the AP template file to your local PC.
# Fill in the AP template file with AP information according to the following example.
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP file, select the AP template file, and click Import.
# Click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
NOTE
In a WDS profile, Tagged VLAN needs to be configured according to actual situations. If traffic from a
different service VLAN needs to be transmitted over the WDS link, set Tagged VLAN to the service
VLAN.
# Choose WDS > WDS Profile > wds-root > Security Profile. The Security Profile
page is displayed.
# Click Create. On the Create Security Profile page that is displayed, enter the profile
name wds-security and click OK. The security profile configuration page is displayed.
# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.
# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list1, set Radio to 1, and click OK. The WDS Whitelist Profile List
page is displayed.
# Choose WDS > WDS Whitelist Profile > wds-list1. The WDS Whitelist Profile page
is displayed.
# Click OK.
4. Configure WDS service parameters for the root node. Set the channel parameters of
Radio1 to 40+ MHz and 157. Set the bridge distance to 4.
# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
# Choose Radio Management > Radio1. The Radio 1 Settings(5G) page is displayed.
# Set the channel parameters to 40+ MHz and 157. Set the bridge distance to 4. Disable
automatic channel and power calibration.
# In the AP group list, click ap-group3. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.
# Click Create. On the Create WDS Profile page that is displayed, enter the profile
name wds-leaf, set Radio to 1 and Copy parameters from other profiles to wds-root,
and click OK.
# Choose WDS > WDS Profile > wds-leaf. The WDS Profile page is displayed.
# Set WDS working mode to Leaf, retain the default settings of other parameters, and
click Apply. In the dialog box that is displayed, click OK.
2. Configure WDS service parameters for the leaf node. Set parameters for Radio1. Set
Channel to 40+ MHz and 149, and WDS/Mesh bridge distance(0.1km) to 4. Disable
automatic channel and power calibration.
Configure WDS service parameters by referring to the configuration procedure on the
root node.
# In the AP group list, click ap-group2. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.
# Click Add. On the Add WDS Profile page that is displayed, enter the profile name
wds-leaf, set Radio to 1, and click OK.
# Click Add. On the Add WDS Profile page that is displayed, enter the profile name
wds-root, set Radio to 0, and click OK.
2. Create WDS whitelist profile wds-list2 and add the MAC address of the leaf AP to the
WDS whitelist.
# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.
# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list2, set Radio to 0, and click OK. The WDS Whitelist Profile List
page is displayed.
# Choose WDS > WDS Whitelist Profile > wds-list2. The WDS Whitelist Profile page
is displayed.
# Click OK.
3. Configure WDS service parameters. Configure Radio0 to switch to the 5 GHz frequency
band. Set the channel parameters of Radio0 to 40+ MHz and 149. Set the coverage
distance to 4. Set the channel parameters of Radio1 to 40+ MHz and 157. Set the bridge
distance to 4.
# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings (2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1
(20-MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.
3. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
4. The WLAN with the SSID wlan-net is available.
5. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.
6. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
l Backhaul radio: 5 GHz radio
Data Planning
Item Data
Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted AP can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications.
NOTE
l This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
Fat AP mode as the vehicle-mounted APs.
l Switches and routers used in this example are all Huawei products.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure switches.
1. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add interfaces
GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to allow packets from
VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4 to VLAN 101. Add
GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and configure GE0/0/5 to allow
packets from VLAN 200 to pass through. Configure GE0/0/1, GE0/0/2, and GE0/0/6 to
allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit
2. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP server
function to assign IP addresses for vehicle-mounted terminals.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[Switch_A-Vlanif101] quit
3. Configure an IP address for VLANIF 200 on Switch_A and specify the IP address of
GE1/0/0 on the router as the next hop address of the default route so that packets from
the vehicle-ground communication network can be forwarded to the egress router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1
4. Configure an IP address for GE1/0/0 on Router and configure routes to the internal
network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 24 10.23.200.2
[Router] ip route-static 10.23.100.0 24 10.23.200.2
NOTE
You can configure routes to external networks and the NAT function on the egress router according to
service requirements to ensure normal communications between internal and external networks.
5. Configure Switch_B and Switch_C to enable Layer 2 communications between trackside
APs and the ground network.
# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1 to
allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID of
GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1 to
allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID of
GE0/0/1 to VLAN 100.
NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast services. If
the trackside APs are not directly connected to the switches or Layer 3 multicast is
configured, you cannot configure the fast leave function because this function may
interrupt multicast services.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
NOTE
Configure the DNS server address as required.
– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 0046-4b59-2e10 and 0046-4b59-2e20 are added. Click
OK. The MAC addresses are added to the Mesh whitelist.
Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# After configuring Mesh parameters, click Apply.
4. Add MPPs
# In AP Group List, select the AP group mesh-mpp.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Manually add and manually add APs.
# In this example, APs with MAC addresses 0046-4b59-1d10, 0046-4b59-1d20,
0046-4b59-1d30, 0046-4b59-1d40, 0046-4b59-1d50, and 0046-4b59-1d60 are added.
Set AP ID to 1, 2, 3, 101, 102, and 103 for the APs respectively. Set the AP names to
L1_001, L1_003, L1_010, L1_150, L1_160, and L1_170, respectively. Click OK. The
APs are added as MPPs.
# Click Create. The Create AP Wired Port Profile page is displayed. Set Profile name
to wired-port and click OK. The configuration page of the wired port profile is
displayed.
# Set Port mode to Endpoint, add the wired port to VLAN 101 in tagged mode, and set
the Port PVID to 101.
# Click OK.
# Choose Configuration > Interface > ETH Interface and click GigabitEthernet0/0/1.
The Modify Interface Settings page is displayed.
# Set Default VLAN to VLAN 101. Add GigabitEthernet0/0/1 to VLAN 101 in tagged
mode.
# Click OK.
2. Configure a Mesh profile.
# Choose Configuration > WLAN Service > WLAN Config. Click Radio1.
# Choose Mesh > Mesh Profile. The Mesh Profile page is displayed.
# Click Create. The Create Mesh Profile page is displayed.
# Set Profile name to mesh-net and click OK. The Mesh Profile page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Configure a security profile.
# Choose Mesh > Mesh Profile > Security Profile. The Security Profile page is
displayed.
# Set Profile name to sp01 and click OK. The Security Profile page is displayed.
# Choose Mesh > Mesh Profile > Mesh Handover Profile. The Mesh Handover
Profile page is displayed.
# Click Create and create the Mesh handover profile hand-over. Click OK. The Mesh
profile configuration page is displayed.
# Choose Mesh > Mesh Whitelist Profile. The Mesh Whitelist Profile page is
displayed.
# Click Create and create the Mesh whitelist whitelist01. Click OK.
# Click Create. The Create MAC Address page is displayed. Choose Manually add
and add members to the MAC address whitelist. In this example, MAC addresses
0046-4b59-1d10, 0046-4b59-1d20, 0046-4b59-1d30, 0046-4b59-1d40,
0046-4b59-1d50, and 0046-4b59-1d60 are added.
# Click OK and Apply. In the dialog box that is displayed, click OK.
Step 5 Add proxied devices on the vehicle-mounted AP
# Add proxied ground devices. Add MAC addresses of Switch_A, network management
device, and multicast source on the vehicle-mounted AP.
# Choose Configuration > Proxied Device > Proxied Device > Proxied Ground Device.
Click Create and add MAC addresses of proxied ground devices. In this example, MAC
addresses 707b-e8e9-d328, 286e-d488-12cd, and 286e-d488-b6ab are added. Click OK.
# Add proxied vehicle-mounted devices. Add MAC addresses of the vehicle-mounted devices
on the vehicle-mounted AP.
# Choose Configuration > Proxied Device > Proxied Device > Proxied Vehicle-mounted
Device. Click Create and add MAC addresses of proxied vehicle-mounted devices. In this
example, MAC addresses 286e-d488-d359 and 286e-d488-d270 are added. Click OK.
# In the VLAN List area, set IGMP-Snooping Status of VLAN 101 to Enable.
# Choose Maintenance > Train To Ground COMM > Mesh Link Information to
view Mesh link information. Displayed information is the same as that checked on the
AC.
----End
Service Requirements
Students in dormitories need to access the Internet through WLANs.
Walls between numerous rooms in the dormitory building cause serious wireless signal
attenuation, degrading signal quality. To resolve this issue, an agile distributed WLAN is
used, with a remote unit (RU) deployed in each dormitory. RUs are connected to a central AP,
and all RUs and central APs are centrally managed by the AC, delivering high-quality WLAN
coverage for each dormitory.
Networking Requirements
l AC networking mode: Layer 2 networking in inline mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
central APs, RUs, and STAs.
l Service data forwarding mode: tunnel forwarding
Data Planning
Item Data
IP address pool for central APs and RUs: 10.23.100.2-10.23.100.254/24
IP address pool for STAs: 10.23.101.2-10.23.101.254/24
Configuration Roadmap
1. Configure the AC, RUs, central APs, and network devices to communicate at Layer 2.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the central APs and RUs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the central APs and RUs, and verify the configuration.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
NOTE
Configure the DNS server address as required.
# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– MAC address of the central AP: 68a8-2845-62fd
– AP SN: 210235419610CB002287
– AP name: central_AP
– AP group: ap-group1
NOTE
– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 4 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.
# Click Finish.
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings (2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1
(20-MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: tunnel forwarding
Figure 5-7 Networking for configuring rogue device detection and containment
Data Planning
Item                        Data
IP address pool for APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure rogue device detection and containment so that APs can detect wireless device
information and report it to the AC. In addition, APs can contain detected rogue devices,
enabling STAs to disassociate from them.
NOTE
In this example, the authorized APs work in normal mode and have the detection function enabled. In
addition to transmitting WLAN service data, AP radios need to perform the monitoring function. Therefore,
temporary service interruption may occur when the radios periodically scan channels. In this example, the
APs can only contain rogue devices on the channel used by WLAN services. To achieve containment on all
channels, configure the APs to work in monitor mode. However, WLAN services are unavailable in this
mode.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
NOTE
Configure the DNS server address as required.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.
# Click Apply. In the Info dialog box that is displayed, click OK.
# Configure radio 1 to work in normal mode, and enable rogue device detection and
containment in the same way.
2. Create WIDS profile wlan-wids and configure the containment mode against rogue APs
using spoofing SSIDs.
# Click in front of WIDS. Under it, click WIDS Profile. The WIDS Profile page is
displayed.
# Click Create. On the Create WIDS Profile page that is displayed, enter the profile
name wlan-wids and click OK. The WIDS profile configuration page is displayed.
# Configure the containment mode against rogue APs using spoofing SSIDs.
# Click Apply. In the Info dialog box that is displayed, click OK.
Choose Monitoring > WIDS. In the Device Detection area, view the detection result.
• Click a number in the detection result list. The detected device information is displayed
in Device Detection Information.
• Select a device in the detected device list and click View Discovered APs. Information
about the APs that detect the device is displayed.
• In the list of APs that detect the device, select an AP and click View Whitelist to view
the whitelist of the AP.
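The classification behind the WIDS profile step above (containment only against rogue APs that spoof the enterprise SSID, authorized radios identified by the per-AP whitelist shown under View Whitelist) and the note that a normal-mode AP can only contain devices on its own service channel, as an added example that is not part of the original document. The detection record fields, the verdict names and the whitelist BSSIDs are assumptions; the SSID wlan-net and channels 6 and 149 come from the page.

```python
"""Classify WIDS device-detection records under the page's containment policy.
Added example: the record fields and verdict names are assumptions, not the AC's
report format, and the whitelist BSSIDs below are constructed."""
from dataclasses import dataclass

AUTHORIZED = "authorized"
ROGUE_SPOOFING = "rogue-spoofing-ssid"
NEIGHBOR = "neighbor"


@dataclass(frozen=True)
class Detection:
    bssid: str          # Huawei hhhh-hhhh-hhhh notation
    ssid: str
    channel: int
    rssi: int           # dBm as reported by the detecting AP
    detected_by: str    # name of the authorized AP that reported it


@dataclass(frozen=True)
class Verdict:
    bssid: str
    ssid: str
    verdict: str
    containable: bool   # True if a normal-mode AP serving that channel could contain it
    detected_by: str


def classify(detections, whitelist, service_ssids, service_channels):
    """whitelist: BSSIDs of the enterprise's own AP radios (the per-AP whitelist);
    service_ssids: SSIDs the WLAN actually serves; service_channels: channels the
    authorized radios use (6 and 149 on this page).  A whitelist that is missing a
    legitimately deployed radio would make that radio look like a spoofing rogue."""
    wl = {b.lower() for b in whitelist}
    svc = set(service_ssids)
    chans = set(service_channels)
    out = []
    for d in detections:
        if d.bssid.lower() in wl:
            verdict, contain = AUTHORIZED, False
        elif d.ssid in svc:
            # Our SSID advertised by a BSSID that is not one of our radios: spoofed SSID.
            # Containment in normal mode only reaches devices on a service channel.
            verdict, contain = ROGUE_SPOOFING, d.channel in chans
        else:
            verdict, contain = NEIGHBOR, False
        out.append(Verdict(d.bssid, d.ssid, verdict, contain, d.detected_by))
    return out


def containment_targets(verdicts):
    """BSSIDs that would actually be contained under the page's setup
    (spoofing rogues seen on a service channel), deduplicated and sorted."""
    return sorted({v.bssid for v in verdicts
                   if v.verdict == ROGUE_SPOOFING and v.containable})


# Constructed sample data (whitelist BSSIDs and rogue BSSIDs are made up).
WHITELIST = ["60de-4476-e360", "60de-4476-e370"]
SAMPLE = [
    Detection("60de-4476-e360", "wlan-net", 6, -40, "area_1"),    # our own radio
    Detection("0011-2233-4455", "wlan-net", 6, -55, "area_1"),    # spoofing on channel 6
    Detection("0011-2233-4466", "wlan-net", 11, -70, "area_1"),   # spoofing, off-channel
    Detection("aabb-ccdd-eeff", "cafe-guest", 1, -80, "area_1"),  # unrelated neighbor
    Detection("0011-2233-4455", "wlan-net", 6, -62, "area_2"),    # same rogue, second AP
]

if __name__ == "__main__":
    vs = classify(SAMPLE, WHITELIST, ["wlan-net"], [6, 149])
    for v in vs:
        print(f"{v.bssid} {v.ssid:12} {v.verdict:20} containable={v.containable} via {v.detected_by}")
    print("containment targets:", containment_targets(vs))
```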
----End
Networking Requirements
As shown in Figure 5-8, a Fat AP is connected to the Internet in wired mode and connects to
STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime.
Figure 5-8 Networking diagram for configuring basic Layer 2 WLAN services
[Figure 5-8 diagram: STAs connect wirelessly to the FAT AP (GE0/0/0, service VLAN: VLAN101, 10.23.101.2/24); the FAT AP connects over VLAN 101 to Router (GE1/0/0, 10.23.101.1/24), which connects to the Internet.]
Data planning
Item Data
Configuration Roadmap
1. Configure Router as a DHCP server to assign IP addresses to STAs.
2. Configure basic WLAN services using the WLAN configuration wizard.
3. Configure the AP channel and transmit power.
4. Associate STAs to the WLAN to verify services.
Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce the impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce
Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network? in
the FAT AP Product Documentation.
Procedure
Step 1 Configure Router as a DHCP server to assign IP addresses to STAs.
# Configure Router as a DHCP server to assign IP addresses to STAs from the IP address pool
on GE1/0/0.
[Router] dhcp enable
[Router] interface gigabitethernet 1/0/0
# Click Finish.
3. Configure Internet connection parameters.
NOTE
If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.
# Click Finish.
Step 3 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Click before Radio Profile. Other profiles bound to the radio profile are displayed.
# Click RRM Profile. On the default RRM profile page that is displayed, disable
automatic channel calibration and automatic power calibration.
# Click Apply. In the dialog box that is displayed, click OK. Disable automatic channel
calibration and automatic power calibration for radio 1 in a similar way. The
configuration is not mentioned here.
2. Manually configure the AP channel and power.
# Choose Configuration > WLAN Service > WLAN Config > Radio0. The Radio0
page is displayed.
# Set the AP channel to 20-MHz channel 6 and the transmit power to 127 dBm. The
configuration of radio 1 (20-MHz channel 149) on the Radio 1 Settings page is similar
to the configuration of Radio 0 and is not mentioned here.
1. Choose Configuration > Interface > VLAN > VLAN. The VLAN page is displayed.
2. Select VLAN 101. On the Modify VLAN page, set the IP address of VLANIF 101 to
10.23.101.2/24.
3. Click OK.
Step 5 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. STAs can associate with the WLAN and obtain IP addresses on the network segment
10.23.101.x/24.
3. Choose Monitoring > Terminal Manage > STA Management. In User, you can see
that STAs go online properly and obtain IP addresses.
----End
Networking Requirements
As shown in Figure 5-9, a Fat AP is connected to the Internet in wired mode and connected to
STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime.
The requirements are as follows:
• A WLAN named wlan-net is available.
• Enterprise employees are assigned IP addresses on the network segment 10.23.101.0/24.
Figure 5-9 Networking diagram for configuring basic Layer 3 WLAN services
[Figure 5-9 diagram: STAs connect wirelessly to the FAT AP (GE0/0/0, service VLAN: VLAN101; VLAN 200 uplink 10.23.200.1/24); the FAT AP connects over VLAN 200 to Router (GE1/0/0, VLAN200, 10.23.200.2/24), which connects to the Internet.]
Data planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Router to communicate with the AP.
2. Configure basic WLAN services using the WLAN configuration wizard.
3. Configure the AP channel and transmit power.
4. Associate STAs to the WLAN to verify services.
Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce the impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce
Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network? in
the FAT AP Product Documentation.
Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 200
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.23.200.2 24
[Router-Vlanif200] quit
# Click Finish.
3. Configure Internet connections.
# Click Next. The Configure Internet Connection page is displayed.
# Add an interface to VLAN 200 in tagged mode.
NOTE
If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.
# Click Finish.
Step 3 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Click before Radio Profile. Other profiles bound to the radio profile are displayed.
# Click RRM Profile. On the default RRM profile page that is displayed, disable
automatic channel calibration and automatic power calibration.
# Click Apply. In the dialog box that is displayed, click OK. Disable automatic channel
calibration and automatic power calibration for radio 1 in a similar way. The
configuration is not mentioned here.
2. Manually configure the AP channel and power.
# Choose Configuration > WLAN Service > WLAN Config > Radio0. The Radio0
page is displayed.
# Set the AP channel to 20-MHz channel 6 and the transmit power to 127 dBm. The
configuration of radio 1 (20-MHz channel 149) on the Radio 1 Settings page is similar
to the configuration of Radio 0 and is not mentioned here.
# Choose Configuration > Interface > VLAN > VLAN. The VLAN page is displayed.
# Click Create. Create VLANIF 200, and set the IP address of VLANIF 200 to
10.23.200.1/24.
# Click OK.
2. Configure a default route.
# Choose Configuration > IP Service > Route. The Route page is displayed.
# Click Create in Static Route Configuration Table and create a static route.
# Click OK.
Step 5 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address on the network segment
10.23.101.x/24, with 10.23.101.1 as its gateway address.
3. Choose Monitoring > Terminal Manage > STA Management. In User, you can see
that STAs go online properly and obtain IP addresses.
----End
Networking Requirements
As shown in Figure 5-10, a Fat AP is connected to the Internet in wired mode and connected
to STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime. The administrator wants enterprise employees to access the public
network using public IP addresses.
Figure 5-10 Networking diagram for configuring STAs to access the public network through
NAT
[Figure 5-10 diagram: STAs connect wirelessly to the FAT AP (GE0/0/0, service VLAN: VLAN101; VLAN 200 uplink 202.169.10.1/24); the FAT AP connects over VLAN 200 to the Internet side at 202.169.10.2/24.]
Data planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services using the WLAN configuration wizard.
2. Configure the AP channel and transmit power.
3. Configure NAT so that users can access the public network using public IP addresses.
4. Associate STAs to the WLAN to verify services.
Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce
Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network? in
the FAT AP Product Documentation.
Procedure
Step 1 Configure basic WLAN services.
1. Choose Wizard > Config Wizard. The Configure Wi-Fi Signals page is displayed.
2. Configure Wi-Fi signals.
# Click Create. The Basic Information page is displayed.
# Configure basic information about an SSID.
# Click Finish.
3. Configure Internet connections.
# Click Next. The Configure Internet Connection page is displayed.
# Add an interface to VLAN 200 in tagged mode.
NOTE
If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.
# Click Finish.
Step 2 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Click before Radio Profile. Other profiles bound to the radio profile are displayed.
# Click RRM Profile. On the default RRM profile page that is displayed, disable
automatic channel calibration and automatic power calibration.
# Click Apply. In the dialog box that is displayed, click OK. Disable automatic channel
calibration and automatic power calibration for radio 1 in a similar way. The
configuration is not mentioned here.
2. Manually configure the AP channel and power.
# Choose Configuration > WLAN Service > WLAN Config > Radio0. The Radio0
page is displayed.
# Set the AP channel to 20-MHz channel 6 and the transmit power to 127 dBm. The
configuration of radio 1 (20-MHz channel 149) on the Radio 1 Settings page is similar
to the configuration of Radio 0 and is not mentioned here.
# Choose Configuration > Interface > VLAN > VLAN. The VLAN page is displayed.
# Click Create. Create VLANIF 200, and set the IP address of VLANIF 200 to
202.169.10.1/24.
# Click OK.
2. Configure a default route.
# Choose Configuration > IP Service > Route. The Route page is displayed.
# Click Create in Static Route Configuration Table and create a static route.
# Click OK.
3. Click OK.
4. In the new ACL, click Add Rule. On the Add Rule page, set ACL parameters.
5. Click OK.
3. Click OK.
2. The STA can associate with the WLAN and obtain an IP address on the network segment
10.23.101.x/24, with 10.23.101.1 as its gateway address.
3. Choose Monitoring > Terminal Manage > STA Management. In User, you can see
that STAs go online properly and obtain IP addresses.
4. STAs can access the public network successfully.
----End
Networking Requirements
As shown in Figure 5-11, the device functioning as the PPPoE client connects to the PPPoE
server using GE0/0/0.
Users want the hosts to share an account. If the account is authenticated successfully on the
PPPoE server, a PPPoE session is established. Service requirements are as follows:
• The device establishes a PPPoE session with the PPPoE server using PPP authentication.
• The device automatically attempts to create a dial-up connection again at intervals after
the disconnection.
Figure 5-11 Networking diagram of the device functioning as the PPPoE client
Data Planning
Item    Data
NAT     Enabled
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the PPPoE server.
2. Configure the PPPoE client. Use the configuration wizard to configure the PPPoE dialup
function and enable NAT to translate private IP addresses to public IP addresses.
Procedure
Step 1 Configure the PPPoE server.
# Configure the authentication mode, IP address allocation mode, and IP address or IP address
pool for PPPoE clients. For details about the configuration procedure, see the documentation
of the PPPoE server.
If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.
----End
Figure 5-12 Networking diagram for connecting a LAN to the Internet using an ADSL
modem
Data Planning
Item    Data
NAT     Enabled
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the PPPoE client. Use the configuration wizard to configure the PPPoE dialup
function and enable NAT to translate private IP addresses to public IP addresses.
2. Configure Router as the PPPoE server to provide RADIUS authentication and
accounting functions.
Procedure
Step 1 Configure the PPPoE server.
# Configure the global IP address pool pool1.
<AC6605> system-view
[AC6605] sysname Router
[Router] ip pool pool1
[Router-ip-pool-pool1] network 100.100.10.0 mask 255.255.255.0
[Router-ip-pool-pool1] gateway-list 100.100.10.1
[Router-ip-pool-pool1] quit
3. Configure the domain named system and apply authentication scheme 1, accounting
scheme 1, and RADIUS server template shiva to the domain.
[Router-aaa] domain system
[Router-aaa-domain-system] authentication-scheme 1
[Router-aaa-domain-system] accounting-scheme 1
[Router-aaa-domain-system] radius-server shiva
[Router-aaa-domain-system] quit
[Router-aaa] quit
If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.
----End
Networking Requirements
As shown in Figure 5-13, the device functioning as the PPPoE client connects to the PPPoE
server using GE0/0/0.
Users want the hosts to share an account. If the account is authenticated successfully on the
PPPoE server, a PPPoE session is established. Service requirements are as follows:
• The device establishes a PPPoE session with the PPPoE server using PPP authentication.
• The device automatically attempts to create a dial-up connection again at intervals after
the disconnection.
Figure 5-13 Networking diagram of the device functioning as the PPPoE client
Data Planning
Item    Data
NAT     Enabled
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the PPPoE server.
2. Configure the PPPoE client. Use the configuration wizard to configure the PPPoE dialup
function on the AP and enable NAT to translate private IP addresses to public IP
addresses.
Procedure
Step 1 Configure the PPPoE server.
# Configure the authentication mode, IP address allocation mode, and IP address or IP address
pool for PPPoE clients. For details about the configuration procedure, see the documentation
of the PPPoE server.
Step 2 Configure the PPPoE client.
1. Create VLAN 100 and add GE0/0/0 to VLAN 100.
# Choose Configuration > Central AP Config > VLAN > VLAN. The VLAN page is
displayed.
# Click Create. On the Create VLAN page that is displayed, set VLAN ID to 100.
# Click OK.
2. Add GE0/0/0 to the default VLAN 100.
# Choose Configuration > Central AP Config > Interface > Interface Attribute. The
Interface Attribute page is displayed.
# Click GigabitEthernet0/0/0. On the Modify Interface Settings page that is displayed,
set Default VLAN to 100.
# Click OK.
3. Create VLANIF 100 and configure the PPPoE client.
# Choose Configuration > Central AP Config > VLAN > VLANIF. The VLANIF
page is displayed.
# Click Create. On the Create VLANIF page that is displayed, set VLAN ID to 100,
Connection type to Broadband dialup, User name to user1@system, Password to
huawei123, and Enable NAT to ON.
# Click OK.
----End
Networking Requirements
As shown in Figure 5-14, AP connects to ADSL modem using GE0/0/0, and Router connects
to the DSLAM using ATM1/0/0.
The private IP addresses of hosts in the LAN are 192.168.10.0/24. Users want hosts in the
LAN to access Router using AP and to access the external network. The user name is user1,
and the password is huawei123.
Figure 5-14 Networking diagram for connecting a LAN to the Internet using an ADSL
modem
Data Planning
Item    Data
NAT     Enabled
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the PPPoE client. Use the configuration wizard to configure the PPPoE dialup
function on the AP and enable NAT to translate private IP addresses to public IP
addresses.
2. Configure Router as the PPPoE server to provide RADIUS authentication and
accounting functions.
Procedure
Step 1 Configure the PPPoE server.
# Configure the global IP address pool pool1.
<AC6605> system-view
[AC6605] sysname Router
[Router] ip pool pool1
[Router-ip-pool-pool1] network 100.100.10.0 mask 255.255.255.0
[Router-ip-pool-pool1] gateway-list 100.100.10.1
[Router-ip-pool-pool1] quit
3. Configure the domain named system and apply authentication scheme 1, accounting
scheme 1, and RADIUS server template shiva to the domain.
[Router-aaa] domain system
[Router-aaa-domain-system] authentication-scheme 1
[Router-aaa-domain-system] accounting-scheme 1
[Router-aaa-domain-system] radius-server shiva
[Router-aaa-domain-system] quit
[Router-aaa] quit
# Choose Configuration > Central AP Config > VLAN > VLAN. The VLAN page is
displayed.
# Click Create. On the Create VLAN page that is displayed, set VLAN ID to 100.
# Click OK.
2. Add GE0/0/0 to the default VLAN 100.
# Choose Configuration > Central AP Config > Interface > Interface Attribute. The
Interface Attribute page is displayed.
# Click OK.
3. Create VLANIF 100 and configure the PPPoE client.
# Choose Configuration > Central AP Config > VLAN > VLANIF. The VLANIF
page is displayed.
# Click Create. On the Create VLANIF page that is displayed, set VLAN ID to 100,
Connection type to Broadband dialup, User name to user1@system, Password to
huawei123, and Enable NAT to ON.
# Click OK.
Step 3 Verify the configuration.
After the configuration is complete, a PPPoE dialup interface is automatically generated,
through which hosts on the LAN can connect to the Internet using dialup. When wireless
users attempt to connect to the public network, private IP addresses are translated into public
IP addresses for communication.
----End
Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding
Figure 5-15 Networking for configuring Layer 2 direct forwarding in inline mode
Data Planning
Item                        Data
IP address pool for APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100 and VLAN 101. The default
VLAN of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
NOTE
Configure the DNS server address as required.
# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 4 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.
# Click Finish.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Networking Requirements
l AC networking mode: Layer 2 networking in inline mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: tunnel forwarding
Figure 5-16 Networking for configuring Layer 2 tunnel forwarding in inline mode
Data Planning
Item Data
IP address pool for APs 10.23.100.2-10.23.100.254/24
IP address pool for STAs 10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
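The port isolation and management/service VLAN rules in the Configuration Notes can be checked mechanically before a switch configuration is applied. The following Python lint is an added example written for this guide, not Huawei code: it parses a pasted VRP session transcript (constructed here from the access-switch snippet above) and reports AP-facing ports that lack port-isolate enable, carry a PVID other than the management VLAN, or carry the service VLAN in tunnel forwarding mode.

```python
"""Lint AP-facing switch ports against the Configuration Notes: PVID = management VLAN, port isolation
enabled, and the service VLAN carried only in direct forwarding mode. Constructed samples, not device output."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PROMPT = re.compile(r"^(?:<[^>]*>|\[[^\]]*\])\s*")  # drops '<HUAWEI>' / '[Switch-...]' prompts


@dataclass
class Port:
    name: str
    pvid: Optional[int] = None
    allowed: Set[int] = field(default_factory=set)
    isolated: bool = False


def parse_vlan_list(text: str) -> Set[int]:
    """Expand a VRP VLAN list such as '100 101' or '10 101 to 102' into a set of IDs."""
    vlans, tokens, i = set(), text.split(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_ports(config: str) -> Dict[str, Port]:
    """Collect trunk settings per GigabitEthernet interface from a VRP CLI transcript."""
    ports: Dict[str, Port] = {}
    cur: Optional[Port] = None
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())
        if line.lower().startswith("interface "):
            m = re.match(r"interface\s+gigabitethernet\s*(\d+/\d+/\d+)$", line, re.I)
            name = f"GigabitEthernet{m.group(1)}" if m else None
            cur = ports.setdefault(name, Port(name)) if m else None  # VLANIF and other views are skipped
        elif cur is None or line == "quit":
            cur = None
        elif m := re.match(r"port trunk pvid vlan (\d+)$", line):
            cur.pvid = int(m.group(1))
        elif m := re.match(r"port trunk allow-pass vlan (.+)$", line):
            cur.allowed |= parse_vlan_list(m.group(1))
        elif line == "port-isolate enable":
            cur.isolated = True
    return ports


def check_ap_port(port: Port, mgmt_vlan: int, service_vlans: Set[int], tunnel: bool) -> List[str]:
    """Return Configuration Note violations for one AP-facing port (empty list = clean)."""
    f = []
    if port.pvid != mgmt_vlan:
        f.append(f"{port.name}: PVID {port.pvid} is not management VLAN {mgmt_vlan}")
    if mgmt_vlan not in port.allowed:
        f.append(f"{port.name}: management VLAN {mgmt_vlan} missing from allow-pass")
    if not port.isolated:
        f.append(f"{port.name}: port-isolate enable missing, APs in the VLAN can flood each other")
    carried = port.allowed & service_vlans
    if tunnel and carried:  # tunnel mode: only the management VLAN may run between AC and APs
        f.append(f"{port.name}: service VLAN {sorted(carried)} carried to the AP in tunnel forwarding mode")
    if not tunnel and (missing := service_vlans - port.allowed):  # direct mode: AP must see the service VLAN
        f.append(f"{port.name}: service VLAN {sorted(missing)} missing for direct forwarding")
    return f


def lint(config: str, ap_ports, mgmt_vlan: int = 100, service_vlans=frozenset({101}), tunnel: bool = False) -> List[str]:
    """Lint the named AP-facing ports; each finding names the port and the violated note."""
    ports, findings = parse_ports(config), []
    for name in ap_ports:
        if name not in ports:
            findings.append(f"{name}: not configured")
        else:
            findings.extend(check_ap_port(ports[name], mgmt_vlan, set(service_vlans), tunnel))
    return findings


# Constructed sample: the access-switch snippet of this tunnel forwarding example (management VLAN only).
TUNNEL_CFG = """\
<HUAWEI> system-view
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
"""
# Constructed weak variant: isolation dropped and service VLANs 101-102 leaked onto the AP port.
WEAK_CFG = """\
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 102
[Switch-GigabitEthernet0/0/1] quit
"""

if __name__ == "__main__":
    print("tunnel:", lint(TUNNEL_CFG, ["GigabitEthernet0/0/1"], tunnel=True) or "OK")
    print("weak:  ", lint(WEAK_CFG, ["GigabitEthernet0/0/1"], service_vlans={101, 102}, tunnel=True))
```

Running the same transcript with tunnel=False reports the service VLAN as missing, which is the expected result for a direct forwarding deployment and shows why the two modes need different allow-pass lists.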
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.
# Click Finish.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Networking Requirements
l AC networking mode: Layer 2 networking in bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: direct forwarding
Figure 5-17 Networking for configuring Layer 2 direct forwarding in bypass mode
Data Planning
Item Data
IP address pool for APs 10.23.100.2-10.23.100.254/24
IP address pool for STAs 10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
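As an added check that is not part of the original guide, the following Python script compares the STA address pool planned in the Data Planning table with the VLANIF 101 configuration on SwitchB (constructed here from the Step 2 transcript above): the pool must lie inside the interface subnet and must exclude the DHCP server interface address, the Router gateway address given in gateway-list, and the broadcast address.

```python
"""Check a planned STA address pool (Data Planning table) against the VLANIF that serves it:
pool inside the interface subnet, interface and gateway-list addresses excluded, broadcast
excluded. Constructed sample transcript, not device output."""
import ipaddress
import re
from typing import Dict, List

PROMPT = re.compile(r"^(?:<[^>]*>|\[[^\]]*\])\s*")  # drops '[SwitchB-Vlanif101]'-style prompts


def parse_vlanifs(config: str) -> Dict[int, dict]:
    """Collect address, 'dhcp select interface' and gateway-list per VLANIF from a VRP transcript."""
    vlanifs: Dict[int, dict] = {}
    cur = None
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := re.match(r"interface\s+vlanif\s*(\d+)$", line, re.I):
            cur = vlanifs.setdefault(int(m.group(1)), {"iface": None, "dhcp": False, "gateways": []})
        elif cur is None or line == "quit" or line.lower().startswith("interface "):
            cur = None  # global commands such as 'dhcp enable' and other interface views are skipped
        elif m := re.match(r"ip address (\S+) (\d+)$", line):
            cur["iface"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif line == "dhcp select interface":
            cur["dhcp"] = True
        elif m := re.match(r"dhcp server gateway-list (.+)$", line):
            cur["gateways"] = [ipaddress.ip_address(g) for g in m.group(1).split()]
    return vlanifs


def check_pool(vlanif: dict, first: str, last: str) -> List[str]:
    """Return planning mismatches for the pool first-last served by this VLANIF (empty = consistent)."""
    iface = vlanif["iface"]
    if iface is None or not vlanif["dhcp"]:
        return ["VLANIF has no IP address or no 'dhcp select interface'"]
    net = iface.network
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo not in net or hi not in net or lo > hi:
        return [f"pool {first}-{last} is not a valid range inside {net}"]
    findings = []
    if lo <= iface.ip <= hi:
        findings.append(f"pool overlaps the DHCP server interface address {iface.ip}")
    if hi == net.broadcast_address:
        findings.append(f"pool includes the broadcast address {hi}")
    if not vlanif["gateways"]:
        findings.append("no dhcp server gateway-list, STAs would get no default gateway")
    for gw in vlanif["gateways"]:
        if gw not in net:
            findings.append(f"gateway {gw} is outside {net}")
        elif lo <= gw <= hi:
            findings.append(f"pool overlaps the gateway address {gw}")
    return findings


# Constructed sample: the SwitchB snippet of Step 2 above, pasted from the session.
SWITCHB_CFG = """\
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
"""


def plan_findings(config: str, vlan: int, first: str, last: str) -> List[str]:
    """Parse the transcript and check the planned pool on the given VLANIF."""
    return check_pool(parse_vlanifs(config)[vlan], first, last)


if __name__ == "__main__":
    # Planned STA pool from the Data Planning table: 10.23.101.3-10.23.101.254/24
    print(plan_findings(SWITCHB_CFG, 101, "10.23.101.3", "10.23.101.254") or "consistent")
    # A pool starting at .2 would hand the Router's gateway address to a STA
    print(plan_findings(SWITCHB_CFG, 101, "10.23.101.2", "10.23.101.254"))
```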
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
NOTE
Configure the DNS server address as required.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
Figure 5-18 Networking for configuring Layer 2 tunnel forwarding in bypass mode
Data Planning
Item Data
IP address pool for APs 10.23.100.2-10.23.100.254/24
IP address pool for STAs 10.23.101.3-10.23.101.254/24
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
NOTE
Configure the DNS server address as required.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.
# Click Finish.
Step 6 Enable radio calibration to allow APs to automatically select the optimal channels and power.
1. Create radio profiles.
NOTE
The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
2. Create an RRM profile, and configure automatic channel and power calibration.
# Click next to 2G Radio Profile, and select RRM Profile. The RRM Profile page
is displayed. Click Create. On the Create RRM Profile page that is displayed, enter the
profile name wlan-rrm and click OK. The RRM profile configuration page is displayed.
# Enable automatic channel and power calibration.
# Set Calibration mode to Manual and click Immediate Calibration. In the dialog box
that is displayed, click OK.
# Choose Monitoring > Radio. In Radio List, check the channel and power of the
radio. In this example, three APs have gone online on the AC, and the list shows that AP
channels have been automatically assigned through the radio calibration function.
# Radio calibration stops 1 hour after the radio calibration is manually triggered.
# Choose Configuration > AC Config > Basic Config > Radio Calibration. The
Radio Calibration page is displayed. On the Radio Calibration page, set Calibration
mode to Scheduled and set the start time to 3:00 am.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Networking Requirements
l AC networking mode: Layer 3 networking in inline mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
Figure 5-19 Networking for configuring Layer 3 direct forwarding in inline mode
Data Planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the switches and router.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB to VLAN 10, VLAN 101, and VLAN 102, and GE0/0/2 to VLAN
100, VLAN 101, and VLAN 102. Create VLANIF 100 and set its IP address to
10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLANs 100 through 102.
# Click OK.
# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.
# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.
# Set Security settings to Key (applicable to personal networks) and set the key. Key is a
pre-shared key that every STA on the SSID shares, which is why the UI marks it for personal
networks; if you use it on an enterprise SSID, choose a long random key and change it whenever
someone who knew it leaves.
Click Finish.
Step 6 Enable radio calibration to allow APs to automatically select the optimal channels and power.
1. Create radio profiles.
NOTE
The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Click the expand icon next to 2G Radio Profile, and select RRM Profile. The RRM Profile page
is displayed. Click Create. On the Create RRM Profile page that is displayed, enter the
profile name wlan-rrm and click OK. The RRM profile configuration page is displayed.
# Enable automatic channel and power calibration.
# Choose Monitoring > Radio. In Radio List, check the channel and power of the
radio. In this example, three APs have gone online on the AC, and the list shows that AP
channels have been automatically assigned through the radio calibration function.
# Radio calibration stops 1 hour after the radio calibration is manually triggered.
# Choose Configuration > AC Config > Basic Config > Radio Calibration. The
Radio Calibration page is displayed. On the Radio Calibration page, set Calibration
mode to Scheduled and set the start time to 3:00 am.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search button. You can see that the STA goes online
successfully and obtains an IP address.
----End
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as the service VLANs so that no single VLAN runs out of IP
addresses and no addresses sit unused. The pool also reduces the number of users in each
VLAN and the size of the broadcast domain.
Networking Requirements
l AC networking mode: Layer 3 networking in inline mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: tunnel forwarding
Figure 5-20 Networking for configuring Layer 3 tunnel forwarding in inline mode
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience. Port isolation also blocks Layer 2 traffic between the isolated ports
themselves, so a device on one AP port cannot reach a neighbouring AP port directly;
apply it to every AP-facing port, not only where broadcast load is a concern.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default VLAN of
GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, and GE0/0/2 to VLAN 100.
Create VLANIF 100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100.
# Click Apply.
# Deselect GigabitEthernet0/0/1 and then select GigabitEthernet0/0/2. Add
GigabitEthernet0/0/2 to VLAN 101 and VLAN 102 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.
# Click OK.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 and that of VLANIF 102 to
10.23.102.1/24, DHCP status to ON, and DHCP type to Interface address pool.
# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.
# Configure the global IP address pool huawei.
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click the download link to save an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click the browse button next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.
NOTE
The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.
# Click the expand icon next to 2G Radio Profile, and select RRM Profile. The RRM Profile page
is displayed. Click Create. On the Create RRM Profile page that is displayed, enter the
profile name wlan-rrm and click OK. The RRM profile configuration page is displayed.
# Enable automatic channel and power calibration.
# Choose Configuration > AC Config > Basic Config > Radio Calibration. The
Radio Calibration page is displayed.
# Set Calibration mode to Manual and click Immediate Calibration. In the dialog box
that is displayed, click OK.
# Choose Monitoring > Radio. In Radio List, check the channel and power of the
radio. In this example, three APs have gone online on the AC, and the list shows that AP
channels have been automatically assigned through the radio calibration function.
# Radio calibration stops 1 hour after the radio calibration is manually triggered.
# Choose Configuration > AC Config > Basic Config > Radio Calibration. The
Radio Calibration page is displayed. On the Radio Calibration page, set Calibration
mode to Scheduled and set the start time to 3:00 am.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search button. You can see that the STA goes online
successfully and obtains an IP address.
----End
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as service VLANs to prevent IP address insufficiency or
waste. Furthermore, this measure can reduce the number of users in each VLAN and the size
of the broadcast domain.
Networking Requirements
l AC networking mode: Layer 3 networking in bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: direct forwarding
Figure 5-21 Networking for configuring Layer 3 direct forwarding in bypass mode
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience. Port isolation also blocks Layer 2 traffic between the isolated ports
themselves, so a device on one AP port cannot reach a neighbouring AP port directly;
apply it to every AP-facing port, not only where broadcast load is a concern.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# On SwitchB, enable DHCP globally, then configure VLANIF 101 and VLANIF 102 to assign IP
addresses to STAs and set the default gateways. The gateway handed to STAs is the Router
VLANIF address (10.23.101.2 and 10.23.102.2), not the SwitchB interface address.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click OK.
# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click the download link to save an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click the browse button next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.
# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.
Click Finish.
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.
# Click the expand icon next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127. On Huawei ACs the value 127 is not a
literal 127 dBm; it selects the highest power that the AP hardware and the regulatory
domain allow. The configuration of radio 1 (20-MHz channel 149) on the Radio 1 Settings
page is similar to the configuration of radio 0 and is not mentioned here.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search button. You can see that the STA goes online
successfully and obtains an IP address.
----End
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
Networking Requirements
l AC networking mode: Layer 3 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
Figure 5-22 Networking for configuring Layer 3 tunnel forwarding in bypass mode
Data Planning
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default VLAN of
GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, GE0/0/2 to VLAN 100,
VLAN 101, and VLAN 102, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF
100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit
# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit
# On SwitchB, enable DHCP globally, then configure VLANIF 101 and VLANIF 102 to assign IP
addresses to STAs and set the default gateways. The gateway handed to STAs is the Router
VLANIF address (10.23.101.2 and 10.23.102.2), not the SwitchB interface address.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLANs 100 through 102.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.
# Click OK.
# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.
# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click the download link to save an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click the browse button next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.
# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.
Click Finish.
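The VLAN pool created above uses Hash assignment. The following model, added here as an illustration and not part of Huawei's software, shows why that mode is chosen for the roaming requirement stated in the Service Requirements: a hash of the STA MAC address always maps the same STA to the same VLAN of sta-pool, so its IP address survives a re-association on another AP, whereas Huawei's other pool mode, even, hands out VLANs in turn and can move a returning STA to a different VLAN. Huawei does not publish the AC's hash function, so the SHA-256 mapping and the STA MAC addresses below are assumptions; only the behaviour carries over.

```python
"""Model of a service VLAN pool in the two Huawei assignment modes, hash and
even (added example; the SHA-256 mapping is an assumption, Huawei does not
publish the AC's hash function, so only the behaviour carries over).
"""
import hashlib
import itertools


def normalize_mac(mac: str) -> str:
    """Accept xxxx-xxxx-xxxx or xx:xx:xx:xx:xx:xx; return 12 lowercase hex digits."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address {mac!r}")
    return digits


class VlanPool:
    """A VLAN pool such as sta-pool = {101, 102} bound to an SSID."""

    def __init__(self, name: str, vlans, mode: str = "hash"):
        if mode not in ("hash", "even"):
            raise ValueError("mode must be 'hash' or 'even'")
        self.name, self.mode = name, mode
        self.vlans = sorted(set(vlans))
        self._next = itertools.cycle(self.vlans)  # even mode hands VLANs out in turn
        self.members = {v: set() for v in self.vlans}

    def assign(self, sta_mac: str) -> int:
        """Assign a VLAN when the STA associates (or re-associates after roaming)."""
        mac = normalize_mac(sta_mac)
        for stas in self.members.values():
            stas.discard(mac)  # a returning STA is re-placed, not counted twice
        if self.mode == "hash":
            digest = hashlib.sha256(bytes.fromhex(mac)).digest()  # assumed hash
            vlan = self.vlans[int.from_bytes(digest[:4], "big") % len(self.vlans)]
        else:
            vlan = next(self._next)
        self.members[vlan].add(mac)
        return vlan

    def load(self) -> dict:
        """Number of STAs currently in each VLAN of the pool."""
        return {v: len(stas) for v, stas in self.members.items()}


def vlan_kept_after_roam(pool: VlanPool, sta_mac: str, others: list) -> bool:
    """Associate sta_mac, let other STAs join, then re-associate sta_mac (as
    after a roam to another AP) and report whether it landed in the same VLAN,
    which is what keeps its IP address and sessions intact."""
    first = pool.assign(sta_mac)
    for mac in others:
        pool.assign(mac)
    return pool.assign(sta_mac) == first


# Constructed STA MAC addresses for the demonstration.
STAS = [f"0001-0000-{i:04x}" for i in range(1, 41)]

if __name__ == "__main__":
    for mode in ("hash", "even"):
        pool = VlanPool("sta-pool", [101, 102], mode)
        kept = vlan_kept_after_roam(pool, "60de-4476-aaaa", STAS[:2])
        print(f"{mode}: STA kept its VLAN after roaming: {kept}, load {pool.load()}")
```

Run the block directly to see the two modes side by side: in hash mode the STA keeps its VLAN regardless of how many other STAs joined in the meantime, in even mode the outcome depends only on how many associations happened since, which is exactly what the roaming requirement rules out.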
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click the expand icon next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127. On Huawei ACs the value 127 is not a
literal 127 dBm; it selects the highest power that the AP hardware and the regulatory
domain allow. The configuration of radio 1 (20-MHz channel 149) on the Radio 1 Settings
page is similar to the configuration of radio 0 and is not mentioned here.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search button. You can see that the STA goes online
successfully and obtains an IP address.
----End
Networking Requirements
l AC networking mode: NAT traversal between the AC at the headquarters and APs in the
branch
l DHCP deployment mode: Router_1 functions as a DHCP server to assign IP addresses to
APs and STAs.
l Service data forwarding mode: direct forwarding
Figure 5-23 Networking for configuring NAT traversal between the AC and APs
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure NAT for address translation.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience. Port isolation also blocks Layer 2 traffic between the isolated ports
themselves, so a device on one AP port cannot reach a neighbouring AP port directly;
apply it to every AP-facing port, not only where broadcast load is a concern.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
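The Configuration Notes above, and the identical notes in the earlier Layer 3 inline and bypass examples, state three rules that are easy to get wrong on a large access layer: port isolation on every AP-facing port, the AP VLAN as the PVID of those ports, and service VLANs kept apart from the management VLAN when tunnel forwarding is used. The following audit script is an added example, not a Huawei tool; it parses configuration transcripts in the "[Host-Interface] command" style this page uses and reports where the rules are not met. The SwitchA transcripts embedded in it are copied from the examples on this page, and the weakened variant is constructed for the demonstration.

```python
"""Audit a Huawei VRP configuration transcript for the AP-facing port rules in
this document's Configuration Notes (added example, not Huawei code).

Transcript lines look like "[SwitchA-GigabitEthernet0/0/1] port-isolate enable",
the style this page uses; the sample transcripts below are copied from it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# "[Host-Context] command"; the context part is absent for system-view lines.
PROMPT = re.compile(r"^\[(?P<host>[^\]\-]+)(?:-(?P<ctx>[^\]]+))?\]\s*(?P<cmd>.*)$")


@dataclass
class Port:
    link_type: str | None = None
    pvid: int | None = None
    allowed: set[int] = field(default_factory=set)
    isolated: bool = False


def expand_vlans(tokens: list[str]) -> set[int]:
    """Expand a VRP VLAN list such as '10 101 102' or '100 to 101'."""
    vlans: set[int] = set()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_transcript(text: str) -> dict[str, Port]:
    """Return {interface name: Port} for the GigabitEthernet interfaces seen."""
    ports: dict[str, Port] = {}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or not m.group("ctx"):
            continue  # blank line or system-view command such as "vlan batch 10"
        ctx, words = m.group("ctx"), m.group("cmd").split()
        if not ctx.startswith("GigabitEthernet") or not words:
            continue
        port = ports.setdefault(ctx, Port())
        if words[:2] == ["port", "link-type"] and len(words) > 2:
            port.link_type = words[2]
        elif words[:4] == ["port", "trunk", "pvid", "vlan"] and len(words) > 4:
            port.pvid = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            port.allowed |= expand_vlans(words[4:])
        elif words[:2] == ["port-isolate", "enable"]:
            port.isolated = True
    return ports


def audit(ports: dict[str, Port], ap_ports: list[str], ap_vlan: int,
          service_vlans, forwarding: str) -> list[str]:
    """Return findings for the AP-facing ports; [] means the notes are followed.
    ap_vlan is the VLAN the APs sit in (VLAN 10 at SwitchA in these examples)."""
    if forwarding not in ("direct", "tunnel"):
        raise ValueError("forwarding must be 'direct' or 'tunnel'")
    findings: list[str] = []
    service = set(service_vlans)
    if forwarding == "tunnel" and ap_vlan in service:
        findings.append(f"VLAN {ap_vlan} is both management and service VLAN in tunnel mode")
    for name in ap_ports:
        port = ports.get(name)
        if port is None:
            findings.append(f"{name}: AP-facing port is not configured")
            continue
        if port.link_type != "trunk":
            findings.append(f"{name}: link type {port.link_type!r} is not trunk")
        if not port.isolated:
            findings.append(f"{name}: port-isolate enable is missing")
        if port.pvid != ap_vlan:
            findings.append(f"{name}: PVID {port.pvid} is not the AP management VLAN {ap_vlan}")
        if ap_vlan not in port.allowed:
            findings.append(f"{name}: management VLAN {ap_vlan} is not in the allow-pass list")
        if forwarding == "direct":
            missing = sorted(service - port.allowed)
            if missing:
                findings.append(f"{name}: service VLANs {missing} are not trunked for direct forwarding")
        else:
            extra = sorted(service & port.allowed)
            if extra:
                findings.append(f"{name}: service VLANs {extra} are trunked to an AP port in tunnel mode")
    return findings


# SwitchA GE0/0/1 from the tunnel-forwarding example (APs only need VLAN 10).
SWITCHA_TUNNEL = """
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
"""
# SwitchA GE0/0/1 from the direct-forwarding example (service VLANs reach the AP).
SWITCHA_DIRECT = SWITCHA_TUNNEL.replace("vlan batch 10", "vlan batch 10 101 102").replace(
    "allow-pass vlan 10", "allow-pass vlan 10 101 102")
# Constructed weak variant: no PVID and no port isolation on the AP port.
SWITCHA_WEAK = SWITCHA_DIRECT.replace(
    "[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10\n", "").replace(
    "[SwitchA-GigabitEthernet0/0/1] port-isolate enable\n", "")

if __name__ == "__main__":
    for label, cfg, mode in (("tunnel", SWITCHA_TUNNEL, "tunnel"),
                             ("direct", SWITCHA_DIRECT, "direct"),
                             ("weak", SWITCHA_WEAK, "direct")):
        print(label, audit(parse_transcript(cfg), ["GigabitEthernet0/0/1"], 10, {101, 102}, mode) or "OK")
```

Feed it the transcript of each access switch with the list of ports that face APs; a non-empty result for a port is a configuration to fix before APs are connected there, and running the direct-forwarding transcript in tunnel mode shows the service VLANs that would be trunked to APs for no reason.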
Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 100 and VLAN 101. VLAN 100
is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/3] quit
# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
2.2.2.2/24, set the IP address of GE0/0/1 to 2.2.2.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 2.2.2.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit
# Configure a default route with the next hop address 2.2.2.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 2.2.2.2
# On Router_2, add GE1/0/0 to VLAN 200. If the peer end of GE0/0/1 is at 3.3.3.2/24, set the
IP address of GE0/0/1 to 3.3.3.1/24. Create VLANIF 200 and set its IP address to
10.23.200.2/24.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface GigabitEthernet1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 3.3.3.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit
# Configure a default route with the next hop address 3.3.3.2 on Router_2.
[Router_2] ip route-static 0.0.0.0 0.0.0.0 3.3.3.2
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 200 (management VLAN).
# Set the IP address of VLANIF 200 to 10.23.200.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.
NOTE
Configure the DNS server address as required.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop address to
10.23.200.2.
# Click OK.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif200.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
# Set Security settings to Key (applicable to personnel networks) and set the key.
# Click Finish.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
APs are located in an enterprise branch, while the AC is located at the headquarters.
Administrators require unified AP management by the AC and protection on traffic
exchanged between the branch and headquarters. Therefore, an IPSec tunnel is established
between the branch and headquarters to protect traffic.
Networking Requirements
• AC networking mode: IPSec tunnel between the AC at the headquarters and APs in the
branch.
• DHCP deployment mode: Router_1 functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding
Figure 5-24 Networking for configuring VPN traversal between the AC and APs
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure IPSec parameters to set up an IPSec tunnel.
a. Configure an IP address and a static route on each interface to implement
communication between both ends.
b. Configure ACLs and define the data flows to be protected by the IPSec tunnel.
c. Configure an IPSec proposal to define the traffic protection method.
d. Configure IKE peers and define the attributes used for IKE negotiation.
e. Configure an IPSec policy, and apply the ACL, IPSec proposal, and IKE peers to
the IPSec policy to define the data flows to be protected and protection method.
f. Apply the IPSec policy to the interface so that the interface can protect traffic.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1 and GE0/0/2 to VLAN 100 and VLAN 101. VLAN 100 is the
default VLAN of GE0/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit
# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
202.138.162.2/24, set the IP address of GE0/0/1 to 202.138.162.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet 1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 202.138.162.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit
# Configure a default route with the next hop address 202.138.162.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 202.138.162.2
# On Router_2, add GE1/0/0 to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24. If the peer end of GE0/0/1 is at 202.138.163.2/24, set the IP address of
GE0/0/1 to 202.138.163.1/24.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface gigabitethernet 1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 202.138.163.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit
# Configure a static route from Router_2 to APs with the next hop address 202.138.162.2 on
Router_2.
Step 3 Configure ACLs and define the data flows to be protected by the IPSec tunnel.
# On Router_2, configure an ACL to protect the data flows from the AC (IP address
10.23.200.0/24) at the headquarters to the APs (IP address 10.23.100.0/24) in the branch.
[Router_2] acl number 3101
[Router_2-acl-adv-3101] rule permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
[Router_2-acl-adv-3101] quit
# On Router_1, configure an ACL to protect the data flows from the APs (IP address
10.23.100.0/24) in the branch to the AC (IP address 10.23.200.0/24) at the headquarters.
[Router_1] acl number 3101
[Router_1-acl-adv-3101] rule permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
[Router_1-acl-adv-3101] quit
# Configure an IKE peer on Router_2, and configure the pre-shared key and peer ID
based on the default settings.
[Router_2] ike peer spub
[Router_2-ike-peer-spub] undo version 2
[Router_2-ike-peer-spub] ike-proposal 5
[Router_2-ike-peer-spub] pre-shared-key cipher huawei@1234
# Configure an IKE peer on Router_1, and configure the pre-shared key and peer ID
based on the default settings.
[Router_1] ike peer spua
[Router_1-ike-peer-spua] undo version 2
[Router_1-ike-peer-spua] ike-proposal 5
[Router_1-ike-peer-spua] pre-shared-key cipher huawei@1234
[Router_1-ike-peer-spua] remote-address 202.138.163.1
[Router_1-ike-peer-spua] quit
4. Apply the IPSec policies to the interfaces of Router_2 and Router_1, so that the
interfaces can protect traffic.
# Apply the IPSec policy to the interface of Router_2.
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ipsec policy map1
[Router_2-GigabitEthernet0/0/1] quit
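The ACLs that select traffic for the IPSec tunnel (roadmap step 2b and the ACL 3101 configuration above) must be exact mirrors of each other, or the tunnel comes up but one direction is dropped or sent in the clear. The following checker is an added example, not part of the Huawei guide: it parses the two ACL transcripts from the procedure (VRP prompts stripped, a constructed bad variant included) and reports any protected flow whose reverse is missing on the peer.

```python
"""Mirror check for the IPSec ACLs on Router_1 and Router_2.

Added example, not part of the Huawei guide: it parses 'acl number 3101'
transcripts and checks that every flow one router protects
(source -> destination) appears reversed on the other router.
"""
import ipaddress
from typing import List, Optional, Tuple

Network = ipaddress.IPv4Network
Flow = Tuple[Network, Network]
ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed transcripts: the rules are the ones shown in the procedure,
# with the VRP prompts stripped.
ROUTER_2_ACL = """\
acl number 3101
 rule permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
"""

ROUTER_1_ACL = """\
acl number 3101
 rule permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
"""

# Constructed misconfiguration: Router_1 protects the wrong destination subnet.
ROUTER_1_ACL_BAD = """\
acl number 3101
 rule permit ip source 10.23.100.0 0.0.0.255 destination 10.23.201.0 0.0.0.255
"""


def wildcard_to_network(addr: str, wildcard: str) -> Network:
    """Convert a VRP address/wildcard pair (0 bits must match) to a prefix."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    # A ValueError here means a non-contiguous wildcard, which has no prefix form.
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _endpoint(tokens: List[str], i: int) -> Tuple[Network, int]:
    """Parse 'any' or '<addr> <wildcard>' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_rule(line: str) -> Optional[Flow]:
    """Return (source, destination) for a 'rule [id] permit ip ...' line, else None."""
    tokens = line.split()
    if not tokens or tokens[0] != "rule" or "permit" not in tokens or "ip" not in tokens:
        return None  # deny rules and non-IP rules do not define protected flows
    src, dst = ANY, ANY
    i = tokens.index("ip") + 1
    while i < len(tokens):
        if tokens[i] == "source":
            src, i = _endpoint(tokens, i + 1)
        elif tokens[i] == "destination":
            dst, i = _endpoint(tokens, i + 1)
        else:
            i += 1  # time-range, logging and similar options do not change the flow
    return src, dst


def parse_flows(config: str) -> List[Flow]:
    """All protected flows in an ACL transcript."""
    flows = []
    for line in config.splitlines():
        flow = parse_rule(line.strip())
        if flow:
            flows.append(flow)
    return flows


def unmirrored_flows(local: List[Flow], remote: List[Flow]) -> List[Flow]:
    """Local flows whose reverse (destination -> source) the remote end does not protect."""
    remote_set = set(remote)
    return [(src, dst) for src, dst in local if (dst, src) not in remote_set]


def acls_mirror(acl_a: str, acl_b: str) -> bool:
    """True when both ACLs protect exactly mirrored flow sets."""
    flows_a, flows_b = parse_flows(acl_a), parse_flows(acl_b)
    return not unmirrored_flows(flows_a, flows_b) and not unmirrored_flows(flows_b, flows_a)


if __name__ == "__main__":
    for name, acl in (("Router_1", ROUTER_1_ACL), ("Router_1 (bad)", ROUTER_1_ACL_BAD)):
        ok = acls_mirror(ROUTER_2_ACL, acl)
        print(f"Router_2 <-> {name}: {'mirrored' if ok else 'NOT mirrored'}")
        for src, dst in unmirrored_flows(parse_flows(ROUTER_2_ACL), parse_flows(acl)):
            print(f"  Router_2 protects {src} -> {dst}; peer lacks the reverse rule")
```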
2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 200 (management VLAN).
NOTE
Configure the DNS server address as required.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop address to
10.23.200.2.
# Click OK.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif200.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Set Security settings to Key (applicable to personnel networks) and set the key.
# Click Finish.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Considering the high costs of wired AP deployment, enterprises need to set up
wireless distribution system (WDS) links for wireless backhaul to provide service coverage,
ensuring that enterprise users can access the WLAN.
Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_A) functions as a DHCP server to assign IP
addresses to STAs.
• Wireless backhaul mode: hand-in-hand WDS
Data Planning
Item Data
WDS whitelist profile wds-list2
• Name: wds-list2
• AP MAC address: MAC address of AP_3 (leaf)
WDS profile wds-leaf
• Name: wds-leaf
• WDS name: wlan-wds
• WDS working mode: leaf
• Tagged VLAN: VLAN 101
• Referenced profile: security profile wds-security
AP group ap-group2
• Name: ap-group2
• Root and leaf APs, such as AP_2, are added to the group.
• Referenced profiles: WDS profiles wds-root and wds-leaf, VAP profile wlan-net, and
regulatory domain profile default
AP group ap-group3
• Name: ap-group3
• Leaf APs, such as AP_3, are added to the group.
• Referenced profiles: WDS profile wds-leaf, VAP profile wlan-net, and regulatory domain
profile default
Configuration Roadmap
1. Configure root node AP_1 to go online on the AC.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
2. Configure WDS services so that APs in and Area C can go online through WDS wireless
virtual links.
3. Configure WLAN service parameters for STAs to access the WLAN.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• Select proper antennas by following the WDS network planning and design, and use the
antenna calibration tool for calibration.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit
# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
NOTE
Configure the DNS server address as required.
# Click Batch Import. The Batch Import page is displayed. Click and download
the AP template file to your local PC.
# Fill in the AP template file with AP information according to the following example.
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP file, select the AP template file, and click Import.
# Click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
NOTE
In a WDS profile, Tagged VLAN needs to be configured according to actual situations. If traffic from a
different service VLAN needs to be transmitted over the WDS link, set Tagged VLAN to the service
VLAN.
# Choose WDS > WDS Profile > wds-root > Security Profile. The Security Profile
page is displayed.
# Click Create. On the Create Security Profile page that is displayed, enter the profile
name wds-security and click OK. The security profile configuration page is displayed.
# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.
# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list1, set Radio to 1, and click OK. The WDS Whitelist Profile List
page is displayed.
# Choose WDS > WDS Whitelist Profile > wds-list1. The WDS Whitelist Profile page
is displayed.
# Click OK.
4. Configure WDS service parameters for the root node. Set the channel parameters of
Radio1 to 40+ MHz and 157. Set the bridge distance to 4.
# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
# Choose Radio Management > Radio1. The Radio 1 Settings(5G) page is displayed.
# Set the channel parameters to 40+ MHz and 157. Set the bridge distance to 4. Disable
automatic channel and power calibration.
# In the AP group list, click ap-group3. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.
# Click Create. On the Create WDS Profile page that is displayed, enter the profile
name wds-leaf, set Radio to 1 and Copy parameters from other profiles to wds-root,
and click OK.
# Choose WDS > WDS Profile > wds-leaf. The WDS Profile page is displayed.
# Set WDS working mode to Leaf, retain the default settings of other parameters, and
click Apply. In the dialog box that is displayed, click OK.
2. Configure WDS service parameters for the leaf node. Set parameters for Radio1. Set
Channel to 40+ MHz and 149, and WDS/Mesh bridge distance(0.1km) to 4. Disable
automatic channel and power calibration.
Configure WDS service parameters by referring to the configuration procedure on the
root node.
# In the AP group list, click ap-group2. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.
# Click Add. On the Add WDS Profile page that is displayed, enter the profile name
wds-leaf, set Radio to 1, and click OK.
# Click Add. On the Add WDS Profile page that is displayed, enter the profile name
wds-root, set Radio to 0, and click OK.
2. Create WDS whitelist profile wds-list2 and add the MAC address of the leaf AP to the
WDS whitelist.
# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.
# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list2, set Radio to 0, and click OK. The WDS Whitelist Profile List
page is displayed.
# Choose WDS > WDS Whitelist Profile > wds-list2. The WDS Whitelist Profile page
is displayed.
# Click OK.
3. Configure WDS service parameters. Configure Radio0 to switch to the 5 GHz frequency
band. Set the channel parameters of Radio0 to 40+ MHz and 149. Set the coverage
distance to 4. Set the channel parameters of Radio1 to 40+ MHz and 157. Set the bridge
distance to 4.
# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.
3. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
4. The WLAN with the SSID wlan-net is available.
5. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.
6. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Service Requirements
On some enterprise networks, wired network deployment is restricted by construction
conditions. When obstacles exist between two networks or the distance between them is long,
APs cannot all be connected to the AC in wired mode. Back-to-back wireless distribution
system (WDS) technology can cascade APs in wired mode as trunk bridges. This networking
ensures sufficient bandwidth on wireless links for long distance data transmission.
Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_A) functions as a DHCP server to assign IP
addresses to STAs.
Data Planning
Item Data
WDS profile
• wds-net1 (WDS profile used by AP_1): WDS mode root, referenced WDS whitelist
wds-list1, permitting access only from AP_2
• wds-net2 (WDS profile used by AP_3): WDS mode root, referenced WDS whitelist
wds-list2, permitting access only from AP_4
• wds-net3 (WDS profile used by AP_2 and AP_4): referencing no WDS whitelist
Configuration Roadmap
1. Configure WDS links in Area A and Area B so that AP_1 and AP_2 can go online on the
AC.
2. Configure Switch_C to enable AP_2 and AP_3 to communicate through the wired
network.
3. Configure WDS links in Area B and Area C so that AP_4 can go online on the AC.
4. Configure wired interfaces on AP_4 to enable wired users connected to AP_4 to access
the network.
Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit
# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
# Configure the access switch Switch_C. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 and VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 to 101
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/1] quit
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/2] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.
NOTE
Configure the DNS server address as required.
# Click Next.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click and download
the AP template file to your local PC.
# Fill in the AP template file with AP information according to the following example.
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
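The AP template file is imported in every example on this page, and each NOTE states the same rule: under MAC address authentication the AP MAC is mandatory and the SN optional, under SN authentication the reverse. The validator below is an added example, not part of the Huawei guide: it applies that rule to a constructed CSV version of the template (first row is the guide's sample AP), normalizes MAC addresses to the xxxx-xxxx-xxxx form the AC uses, and flags duplicates before the import. The column names and CSV layout are assumptions; align them with the template downloaded from your AC.

```python
"""Validator for the AP template file used by Batch Import.

Added example, not part of the Huawei guide. Checks the MAC/SN rule from
the NOTE (MAC mandatory under MAC authentication, SN mandatory under SN
authentication), normalizes MACs and rejects duplicate identifiers.
"""
import csv
import io
import re
from typing import List, Optional

# Constructed template: the first data row is the guide's sample AP, the
# other rows are made up to exercise the checks.
TEMPLATE_CSV = """\
AP MAC,AP SN,AP Name,AP Group
60de-4476-e360,210235419610CB002287,area_1,ap-group1
60:DE:44:76:E3:61,,area_2,ap-group1
,210235419610CB002299,area_3,ap-group1
60de-4476-e360,210235419610CB002300,area_4,ap-group1
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> Optional[str]:
    """Return the MAC as xxxx-xxxx-xxxx (lower-case), or None if not a 48-bit MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        return None
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def validate_template(text: str, auth_mode: str) -> List[str]:
    """Return one message per problem; an empty list means the file is safe to import.

    auth_mode is "mac" (MAC address authentication) or "sn" (SN authentication).
    """
    if auth_mode not in ("mac", "sn"):
        raise ValueError("auth_mode must be 'mac' or 'sn'")
    errors: List[str] = []
    seen_macs, seen_sns, seen_names = set(), set(), set()
    # start=2 because row 1 of the file is the header line
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        mac_raw = (row.get("AP MAC") or "").strip()
        sn = (row.get("AP SN") or "").strip()
        name = (row.get("AP Name") or "").strip()
        group = (row.get("AP Group") or "").strip()

        mac = normalize_mac(mac_raw) if mac_raw else None
        if mac_raw and mac is None:
            errors.append(f"row {n}: malformed MAC address {mac_raw!r}")
        if auth_mode == "mac" and not mac_raw:
            errors.append(f"row {n}: AP MAC is mandatory for MAC address authentication")
        if auth_mode == "sn" and not sn:
            errors.append(f"row {n}: AP SN is mandatory for SN authentication")
        if not name:
            errors.append(f"row {n}: AP Name is empty")
        if not group:
            errors.append(f"row {n}: AP Group is empty")

        # The same identifier in two rows would make the AC treat two APs as one.
        if mac and mac in seen_macs:
            errors.append(f"row {n}: duplicate MAC address {mac}")
        if sn and sn in seen_sns:
            errors.append(f"row {n}: duplicate SN {sn}")
        if name and name in seen_names:
            errors.append(f"row {n}: duplicate AP Name {name}")
        if mac:
            seen_macs.add(mac)
        if sn:
            seen_sns.add(sn)
        if name:
            seen_names.add(name)
    return errors


if __name__ == "__main__":
    for mode in ("mac", "sn"):
        problems = validate_template(TEMPLATE_CSV, mode)
        print(f"{mode} authentication: {len(problems)} problem(s)")
        for p in problems:
            print("  " + p)
```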
# Click next to Import AP file, select the AP template file, and click Import.
# Click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Finish.
Step 5 Configure the root node AP_1.
1. Configure the WDS profile wds-net1 for the root node AP_1.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click wds-root1. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.
# Click Create. On the Create WDS Profile page that is displayed, enter the profile
name wds-net1 and click OK.
# Choose WDS > WDS Profile > wds-net1. The WDS Profile page is displayed.
# Set WDS network bridge name, WDS working mode, and Tagged VLAN.
NOTE
In a WDS profile, Tagged VLAN needs to be configured according to actual situations. If traffic from a
different service VLAN needs to be transmitted over the WDS link, set Tagged VLAN to the service
VLAN.
# Choose WDS > WDS Profile > wds-net1 > Security Profile. The Security Profile
page is displayed.
# Click Create. On the Create Security Profile page that is displayed, enter the profile
name wds-sec and click OK. The security profile configuration page is displayed.
# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.
# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list1 and click OK. The WDS Whitelist Profile List page is
displayed.
# Choose WDS > WDS Whitelist Profile > wds-list1. The WDS Whitelist Profile page
is displayed.
# Click Add to add the MAC address of AP_2 60de-4474-9640 to the profile.
# Click OK.
4. Configure WDS service parameters.
# Choose Radio Management > Radio1. The Radio 1 Settings(5G) page is displayed.
# Set the channel parameters to 40+ MHz and 157. Set the bridge distance to 4.
NOTE
On a WDS network, radios used to create WDS links must work on the same channel.
# Enter the Security Profile page under the AP group wds-root2. The configuration is
similar to that under the AP group wds-root1.
# Set Security Profile to wds-sec and click Apply. In the dialog box that is displayed,
click OK.
3. Configure the WDS whitelist profile wds-list2 for AP_3 to permit access only from
AP_4 over the WDS link.
# Add the MAC address of AP_4 60de-4476-e360 to wds-list2. The configuration is
similar to that for the WDS whitelist profile wds-list1 under the AP group wds-root1.
4. Configure WDS service parameters.
# Click OK.
Step 9 Verify the configuration.
1. Choose Configuration > AP Config > AP Config. The AP list page is displayed. If
the AP status is normal, the APs have gone online on the AC through WDS links.
2. Choose Monitoring > Mesh&WDS > WDS Network Bridge Information and check
WDS information. After the WDS links are successfully established, you can view
detailed information about the WDS links on the page.
----End
Service Requirements
An enterprise needs to establish Mesh wireless backhaul links in different areas to expand
wireless coverage and reduce wired deployment costs.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l Wireless backhaul mode: Mesh portal-node
l Backhaul radio: 5 GHz radio
Data Planning
Configuration Roadmap
1. Configure network connectivity and enable the AP (MPP) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B and Area C to go online on the
AC through Mesh links.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
l On a Mesh network, radios of APs with 802.11ac chips can interconnect only with radios
of neighbors with 802.11ac chips, and radios of APs with 802.11n chips can interconnect
only with radios of neighbors with 802.11n chips. Table 5-31 lists types of chips used by
AP models.
Table 5-31 (partial row): AP4030TN: 802.11n, 802.11ac; Mesh not supported
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
NOTE
Configure the DNS server address as required.
– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4476-e360, 60de-4474-9640, and dcd2-fc04-b500
are added to the Mesh whitelist.
# Click OK.
Step 4 Configure the MP.
1. Choose Configuration > Config Wizard > Mesh.
2. Create the AP group ap-group2 for the MP.
# In AP Group List, click Create. The Create AP Group page is displayed.
# Enter the AP group name ap-group2 and click OK.
– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4476-e360, 60de-4474-9640, and dcd2-fc04-b500
are added to the Mesh whitelist.
# Click OK.
Step 5 Verify the configuration.
1. Choose Configuration > Config Wizard > Mesh. In AP Group List, select ap-group1
and ap-group2 to check whether the AP status is normal. If so, the APs have gone
online on the AC through Mesh links.
2. Choose Monitoring > Mesh&WDS > Mesh Link Information to check Mesh link
information. After the Mesh links are successfully established, you can view detailed
information about the Mesh links on the page.
----End
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l Wireless backhaul node: dual Mesh portal-node
l Backhaul radio: 5 GHz radio
Data Planning
Configuration Roadmap
1. Configure network connectivity and enable APs (MPPs) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B to go online on the AC through
Mesh links.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
l During the configuration of a Mesh network with multiple MPPs, to enable MPs to set
up wireless links with multiple MPPs simultaneously, configure the MPPs to work on the
same channel.
l On a Mesh network, radios of APs with 802.11ac chips can interconnect only with radios
of neighbors with 802.11ac chips, and radios of APs with 802.11n chips can interconnect
only with radios of neighbors with 802.11n chips. Table 5-34 lists types of chips used by
AP models.
Table 5-34 (partial row): AP4030TN: 802.11n, 802.11ac; Mesh not supported
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on Switch_B to VLAN 100. The default VLAN of
GE0/0/1 and GE0/0/2 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] port-isolate enable
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/3
[Switch_B-GigabitEthernet0/0/3] port link-type trunk
[Switch_B-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/3] quit
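The configuration notes above require port isolation on every switch interface that faces an AP, and Step 1 shows what that looks like in a VRP session. As an added example (not the document's or Huawei's own tooling), the Python below parses such a session and reports AP-facing ports that are not trunk, do not carry the management VLAN as their default VLAN, or lack port-isolate enable; the sample session, the PortConfig/SwitchConfig classes and check_ap_ports are constructed for this illustration, and a hostname is assumed to contain no '-'.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample session (added here, not the page's own): it mirrors the Step 1
# Switch_B configuration, except that port-isolate was deliberately left off GE0/0/2.
SAMPLE_SESSION = """\
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/3
[Switch_B-GigabitEthernet0/0/3] port link-type trunk
[Switch_B-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/3] quit
"""

# System-view prompt: [host] or [host-Interface]; assumes the hostname has no '-'.
PROMPT_RE = re.compile(r"^\[(?P<host>[^\]\-]+)(?:-(?P<iface>[^\]]+))?\]\s*(?P<cmd>.*)$")


@dataclass
class PortConfig:
    link_type: Optional[str] = None
    pvid: Optional[int] = None  # None: VRP default (VLAN 1)
    allow: Set[int] = field(default_factory=set)
    isolate: bool = False


@dataclass
class SwitchConfig:
    vlans: Set[int] = field(default_factory=set)
    ports: Dict[str, PortConfig] = field(default_factory=dict)


def expand_vlans(tokens: List[str]) -> Set[int]:
    """Expand '100 101' or '200 to 205' style VLAN arguments into a set of IDs."""
    text = re.sub(r"(\d+) to (\d+)",
                  lambda m: " ".join(str(v) for v in range(int(m[1]), int(m[2]) + 1)),
                  " ".join(tokens))
    return {int(t) for t in text.split()}


def parse_session(session: str) -> SwitchConfig:
    """Build a per-interface view from the system-view commands of a VRP session."""
    cfg = SwitchConfig()
    for raw in session.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue  # user-view prompt (<HUAWEI>) or command output: nothing to record
        tokens = m.group("cmd").split()
        iface = m.group("iface")
        if iface is None:
            if tokens[:2] == ["vlan", "batch"]:
                cfg.vlans.update(expand_vlans(tokens[2:]))
            continue
        port = cfg.ports.setdefault(iface, PortConfig())
        if tokens[:2] == ["port", "link-type"] and len(tokens) == 3:
            port.link_type = tokens[2]
        elif tokens[:4] == ["port", "trunk", "pvid", "vlan"] and len(tokens) == 5:
            port.pvid = int(tokens[4])
        elif tokens[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            port.allow.update(expand_vlans(tokens[4:]))
        elif tokens == ["port-isolate", "enable"]:
            port.isolate = True
    return cfg


def check_ap_ports(cfg: SwitchConfig, mgmt_vlan: int,
                   ap_ports: Optional[Set[str]] = None) -> List[str]:
    """Findings for AP-facing ports: trunk, default VLAN = management VLAN, management
    VLAN allowed, port-isolate enabled. Without an explicit ap_ports set, a port whose
    default VLAN is the management VLAN is taken to face an AP."""
    findings: List[str] = []
    if mgmt_vlan not in cfg.vlans:
        findings.append(f"management VLAN {mgmt_vlan} was never created with 'vlan batch'")
    for name in sorted(cfg.ports):
        port = cfg.ports[name]
        ap_facing = name in ap_ports if ap_ports is not None else port.pvid == mgmt_vlan
        if not ap_facing:
            continue
        if port.link_type != "trunk":
            findings.append(f"{name}: link type {port.link_type or 'default'}, expected trunk")
        if port.pvid != mgmt_vlan:
            findings.append(f"{name}: default VLAN {port.pvid or 1}, expected {mgmt_vlan}")
        if mgmt_vlan not in port.allow:
            findings.append(f"{name}: management VLAN {mgmt_vlan} missing from allow-pass list")
        if not port.isolate:
            findings.append(f"{name}: port-isolate enable missing, APs can flood each other")
    return findings
```

Running check_ap_ports(parse_session(SAMPLE_SESSION), 100) reports only GigabitEthernet0/0/2; GigabitEthernet0/0/3 keeps the default VLAN 1 and is therefore treated as the uplink unless it is named in ap_ports.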
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.
NOTE
Configure the DNS server address as required.
– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4474-9640, dcd2-fc04-b500, dcd2-fc96-e4c0, and
1047-80ac-cc60 are added. Click OK.
# After configuring Mesh parameters, click Apply. In the dialog box that is displayed,
click OK.
4. Add MPPs.
# On the AP List tab page, click Add. The Add AP page is displayed.
# In this example, APs with MAC addresses 60de-4474-9640 and dcd2-fc04-b500 are
added. Set AP ID to 1 and 2 for the APs respectively. Click OK. The APs are added as
MPPs.
– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4474-9640, dcd2-fc04-b500, dcd2-fc96-e4c0, and
1047-80ac-cc60 are added. Click OK.
# After configuring Mesh parameters, click Apply. In the dialog box that is displayed,
click OK.
4. Add MPs.
# On the AP List tab page, click Add. The Add AP page is displayed.
# In this example, APs with MAC addresses dcd2-fc96-e4c0 and 1047-80ac-cc60 are
added. Set AP ID to 3 and 4 for the APs respectively. Click OK. The APs are added as
MPs.
----End
Networking Requirements
l AC networking mode: Layer 2 inline mode
l Service data forwarding mode: tunnel forwarding
Figure 5-29 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces
Data Planning
Configuration Roadmap
1. Configure an Eth-Trunk on a switch.
2. Configure an Eth-Trunk for an AP on the AC.
3. Restart the AP.
4. Connect the switch and AP physically.
Configuration Notes
l This example is applicable to an AP with two or more wired uplink interfaces.
l This example assumes that the AP has gone online and describes how to configure an
Eth-Trunk on the wired uplink interfaces of the AP. Before physical connections,
configure the Eth-Trunk. Otherwise, a loop will occur on the network, causing the AP to
go offline.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Check AP information.
Check the AP's group. Choose Monitoring > AP > AP Statistics Collection, and check the
AP's group in AP List. In this example, the AP name is AP1 and the AP group name is ap-group1.
# Choose Configuration > AC Config > Interface > Eth-Trunk. The Eth-Trunk page
is displayed.
# In Eth-Trunk Interface List, click Create. The Create Eth-Trunk page is displayed.
# Click OK.
2. Create VLAN 100 and add Eth-Trunk0 to it.
# Choose Configuration > AC Config > VLAN > VLAN. The VLAN page is
displayed.
# Create VLAN 100. In Available Interface List, select Eth-Trunk0 and click
. On the Modify Link Type page, set Link type to Trunk and click OK.
# Click OK.
3. Create wired port profile wired-port1, and add GE0 and GE1 on the AP to Eth-Trunk0.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, select AP group ap-group1. Choose AP > AP Wired Port
Settings. The AP Wired Port Configuration List page is displayed.
# Select GE0. The GE0 configuration page is displayed.
# Click Create and create AP wired port profile wired-port1. Click OK to return to the
GE0 configuration page.
# Set Enable Eth-Trunk to ON.
The configuration on the AP's wired interfaces takes effect only after the AP is restarted.
# Select AP1 and click Restart. In the dialog box that is displayed, click OK to restart the AP.
Step 5 Connect the switch and AP physically.
----End
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
l Authentication mode: External Portal authentication
l Security policy: open
Data Planning
Item Data
Management VLAN for APs: VLAN 100
Service VLAN for STAs: VLAN 101
IP address pool for APs: 10.23.100.2-10.23.100.254/24
IP address pool for STAs: 10.23.101.3-10.23.101.254/24
Authentication-free rule profile:
l Name: default_free_rule
l Authentication-free resource: IP address of the DNS server (8.8.8.8)
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and external Portal authentication on the AC using the
WLAN configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Configure third-party server interconnection parameters.
7. Complete service verification.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, enter the information of each AP in the file.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Configure the SSID name, forwarding mode, and service VLAN ID.
# Set Security settings to Portal (applicable to enterprise networks) and deselect MAC
address-prioritized. Under External Portal Server Configuration, set the server name, IP
address, shared-key, port number, and server URL. Under External RADIUS Server
Configuration, set the server name, Port number, authentication server IP address, and shared
key.
Click Finish.
6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Configure third-party server interconnection parameters.
For interconnection with the Agile Controller-Campus, see "Example for Configuring Portal
Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless
Users" in the Agile Controller-Campus Typical Configuration Examples.
For interconnection with other third-party servers, see the corresponding product manual.
Step 8 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.
3. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
4. When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.
----End
Service Requirements
To improve WLAN security, an enterprise uses the Portal authentication mode. To reduce
costs, the enterprise deploys an AC as the Portal server and uses the local authentication mode
so that authentication is performed on the AC.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
Figure 5-31 Networking for configuring built-in Portal authentication for local users
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and built-in Portal authentication on the AC using the WLAN
configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Complete service verification.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
NOTE
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Configure the default route and set its next hop address to 10.23.101.2.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, enter the information of each AP in the file.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
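The NOTE above (and the same NOTE in the earlier Batch Import steps) makes the mandatory template field depend on the AC's AP authentication mode: the AC admits an AP by its MAC address or by its SN, so a row missing that value leaves the AP unable to go online. As an added example (not the document's or Huawei's own tooling), the Python below checks template rows for that rule, for malformed or duplicate identifiers and for unknown AP groups; it assumes the template is read as CSV with the four column headings from the example, and the sample rows, the 20-character SN shape and validate_template are constructed for this illustration.

```python
import csv
import io
import re
from typing import Dict, List, Set

# Huawei writes MAC addresses as three hex quads, e.g. 60de-4476-e360 (the form used above).
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")
# The SN in the example is 20 alphanumeric characters; that shape is an assumption here.
SN_RE = re.compile(r"^[0-9A-Z]{20}$")

# Constructed sample rows (not the page's own): the first is the example above, the
# others carry the mistakes the check is meant to catch.
SAMPLE_TEMPLATE = """\
AP MAC,AP SN,AP Name,AP Group
60de-4476-e360,210235419610CB002287,area_1,ap-group1
,210235419610CB002288,area_2,ap-group1
60DE-4476-E360,,area_3,ap-group1
60de-4474-9640,210235419610CB002289,area_4,ap-group9
"""


def validate_template(text: str, auth_mode: str, known_groups: Set[str]) -> List[str]:
    """Check template rows for the AC's AP authentication mode ('mac' or 'sn'):
    the identifier that mode authenticates on is mandatory, identifiers must be well
    formed and unique, and every AP group must already exist on the AC."""
    if auth_mode not in ("mac", "sn"):
        raise ValueError("auth_mode must be 'mac' or 'sn'")
    findings: List[str] = []
    seen_mac: Dict[str, str] = {}
    seen_sn: Dict[str, str] = {}
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        name = (row.get("AP Name") or "").strip() or f"row {lineno}"
        mac = (row.get("AP MAC") or "").strip().lower()  # compare case-insensitively
        sn = (row.get("AP SN") or "").strip()
        group = (row.get("AP Group") or "").strip()
        if auth_mode == "mac" and not mac:
            findings.append(f"{name}: AP MAC is mandatory under MAC address authentication")
        if auth_mode == "sn" and not sn:
            findings.append(f"{name}: AP SN is mandatory under SN authentication")
        if mac and not MAC_RE.match(mac):
            findings.append(f"{name}: AP MAC {mac!r} is not in xxxx-xxxx-xxxx form")
        if sn and not SN_RE.match(sn):
            findings.append(f"{name}: AP SN {sn!r} does not look like a 20-character SN")
        if mac:
            if mac in seen_mac:
                findings.append(f"{name}: AP MAC {mac} already used by {seen_mac[mac]}")
            seen_mac.setdefault(mac, name)
        if sn:
            if sn in seen_sn:
                findings.append(f"{name}: AP SN {sn} already used by {seen_sn[sn]}")
            seen_sn.setdefault(sn, name)
        if group not in known_groups:
            findings.append(f"{name}: AP group {group!r} is not configured on the AC")
    return findings
```

With the sample rows, MAC address authentication flags area_2 (no MAC), area_3 (MAC already used by area_1) and area_4 (unknown group), while SN authentication accepts area_2 and instead flags area_3 for the missing SN.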
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Configure the SSID name, forwarding mode, and service VLAN ID.
# Set Security settings to Portal (applicable to enterprise networks) and Portal server to
Built-in Portal server. Under Built-in Portal Server Configuration, configure the server IP
address and port number.
# Click Manage next to Local user. The Local User page is displayed
# Click Create. The Create Local User page is displayed.
# Set Creation mode to Manually add and configure the local user name and password.
# Click OK.
# On the Create Local User page, select the new user and click OK.
# Click Next. The Access Control page is displayed.
# Set Binding the AP group to ap-group1.
Click Finish.
Step 6 Configure network resources accessible to authentication-free users.
1. Choose Configuration > AP Config > AP Group.
2. In the AP group list, click ap-group1. Choose VAP Configuration > wlan-net >
Authentication Profile > Authentication-free Rule Profile. The Authentication-free
Rule Profile page is displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Select Authentication-free Rule in Control mode.
5. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule
ID to 1 and the authentication-free resource to the IP address of the DNS server.
6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.
3. When a user browses a web page, the browser automatically redirects the user to the
Portal authentication page. After entering the correct user name and password, the user
passes the authentication and can access the web page.
4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
l Authentication mode: MAC address-prioritized Portal authentication
l Security policy: open
Data Planning
Item Data
Management VLAN for APs: VLAN 100
Service VLAN for STAs: VLAN 101
IP address pool for APs: 10.23.100.2–10.23.100.254/24
IP address pool for STAs: 10.23.101.3–10.23.101.254/24
MAC access profile: Name: wlan-net
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and MAC address-prioritized Portal authentication on the AC
using the WLAN configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Complete service verification.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
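The Configuration Notes and Step 2 above state three checkable conditions: distinct management and service VLANs in tunnel forwarding, port isolation on AP-facing interfaces, and a STA address pool that leaves out the VLANIF address and the advertised gateway. The following Python audit is an added example (not Huawei code) that parses the Step 1 and Step 2 transcripts and checks those conditions; which interfaces face APs (SwitchA GE0/0/1) is this example's own assumption.

```python
# Added example (not from the Huawei document): audit a VRP configuration
# transcript against the Configuration Notes and the DHCP step above.
import ipaddress
import re

# Constructed sample: the SwitchA AP-facing port and the SwitchB STA VLANIF,
# exactly as typed in Step 1 and Step 2 above.
SAMPLE_TRANSCRIPT = """
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
"""

# Values from the Data Planning table. AP_FACING is this example's assumption
# about which interfaces lead to APs (SwitchA GE0/0/1 in this topology).
MGMT_VLAN, SERVICE_VLAN, FORWARDING = 100, 101, "tunnel"
STA_POOL = ("10.23.101.3", "10.23.101.254")
AP_FACING = {"SwitchA": ["GigabitEthernet0/0/1"]}

# "[SwitchA-GigabitEthernet0/0/1] port-isolate enable" -> dev, ctx, cmd
PROMPT = re.compile(r"^\[(?P<dev>[^\]-]+)(?:-(?P<ctx>[^\]]+))?\]\s*(?P<cmd>.*)$")

def parse(transcript):
    """Map each device to its trunk interfaces and VLANIFs from prompt-prefixed lines."""
    devices = {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        dev = devices.setdefault(m["dev"], {"ifaces": {}, "vlanifs": {}})
        ctx, cmd = m["ctx"], m["cmd"].split()
        if ctx is None or not cmd:          # system view, nothing to record
            continue
        if ctx.startswith("Vlanif"):
            v = dev["vlanifs"].setdefault(int(ctx[6:]), {"ip": None, "gateways": []})
            if cmd[:2] == ["ip", "address"]:
                v["ip"] = ipaddress.IPv4Interface(f"{cmd[2]}/{cmd[3]}")
            elif cmd[:3] == ["dhcp", "server", "gateway-list"]:
                v["gateways"] += cmd[3:]
        else:
            i = dev["ifaces"].setdefault(ctx, {"pvid": None, "allow": set(), "isolate": False})
            if cmd[:4] == ["port", "trunk", "pvid", "vlan"]:
                i["pvid"] = int(cmd[4])
            elif cmd[:4] == ["port", "trunk", "allow-pass", "vlan"]:
                i["allow"].update(int(x) for x in cmd[4:] if x.isdigit())
            elif cmd[:2] == ["port-isolate", "enable"]:
                i["isolate"] = True
    return devices

def audit(devices, mgmt_vlan=MGMT_VLAN, service_vlan=SERVICE_VLAN,
          forwarding=FORWARDING, sta_pool=STA_POOL, ap_facing=AP_FACING):
    """Return a list of findings; an empty list means the transcript passes."""
    findings = []
    # Configuration note: in tunnel forwarding the two VLANs must differ.
    if forwarding == "tunnel" and mgmt_vlan == service_vlan:
        findings.append("tunnel forwarding with management VLAN == service VLAN")
    # Configuration note: AP-facing ports are isolated and carry the management
    # VLAN untagged; in direct forwarding they must also allow the service VLAN.
    for dev, names in ap_facing.items():
        for name in names:
            i = devices.get(dev, {}).get("ifaces", {}).get(name)
            if i is None:
                findings.append(f"{dev} {name}: not configured")
                continue
            if not i["isolate"]:
                findings.append(f"{dev} {name}: port-isolate not enabled")
            if i["pvid"] != mgmt_vlan or mgmt_vlan not in i["allow"]:
                findings.append(f"{dev} {name}: management VLAN {mgmt_vlan} not pvid/allowed")
            if forwarding == "direct" and service_vlan not in i["allow"]:
                findings.append(f"{dev} {name}: service VLAN {service_vlan} not allowed")
    # Step 2: the STA pool must leave out the VLANIF address and the gateway it
    # advertises (here 10.23.101.1 and 10.23.101.2 sit just below the pool).
    lo, hi = (ipaddress.IPv4Address(a) for a in sta_pool)
    for dev, d in devices.items():
        v = d["vlanifs"].get(service_vlan)
        if v is None or v["ip"] is None:
            continue
        for addr in [str(v["ip"].ip)] + v["gateways"]:
            if lo <= ipaddress.IPv4Address(addr) <= hi:
                findings.append(f"{dev} Vlanif{service_vlan}: {addr} lies inside the STA pool")
    return findings
```

Run `audit(parse(SAMPLE_TRANSCRIPT))` against the page's transcript and it returns no findings; removing `port-isolate enable` or starting the pool at 10.23.101.2 produces one.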
If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
# Configure the SSID name, forwarding mode, and service VLAN ID.
# Set Security settings to Portal (applicable to enterprise networks) and select MAC
address-prioritized. Under External Portal Server Configuration, set the server name, IP
address, shared key, port number, and server URL. Under External RADIUS Server
Configuration, set the server name, authentication server IP address, and shared key.
# Click Finish.
5. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule
ID to 1 and the authentication-free resource to the IP address of the DNS server.
6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.
3. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
4. When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.
5. Assume that the MAC address validity period configured on the server is 60 minutes. If a
user is disconnected from the wireless network for 5 minutes and reconnects to the
network, the user can directly access the network. If a user is disconnected from the
wireless network for 65 minutes and reconnects to the network, the user will be
redirected to the Portal authentication page.
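The timing behaviour in step 5 can be modelled as a two-party exchange between the AC and the Portal server. The Python below is an added example, not Huawei code; it assumes that the server starts the MAC validity timer when the STA goes offline (which is how the 5-minute and 65-minute cases are phrased) and uses a constructed account and STA MAC address.

```python
# Added example (not from the Huawei document): a two-party model of the MAC
# address-prioritized Portal flow checked in verification step 5. Assumption of
# this model: the server's validity timer counts from the moment the STA goes
# offline, which is how the step phrases the 5-minute and 65-minute cases.

VALIDITY_MINUTES = 60   # "MAC address validity period configured on the server"
CREDENTIALS = {"user1": "example-pass-1"}   # constructed Portal account


class PortalServer:
    """Portal/authentication server holding the MAC cache."""

    def __init__(self, validity=VALIDITY_MINUTES):
        self.validity = validity
        self.mac_cache = {}   # mac -> minute the STA last went offline while authenticated

    def login(self, mac, username, password, now):
        """Portal page submission; a successful login records the STA's MAC."""
        ok = CREDENTIALS.get(username) == password
        if ok:
            self.mac_cache[mac] = now
        return ok

    def offline(self, mac, now):
        """AC reports the STA offline: the validity timer for its MAC starts now."""
        if mac in self.mac_cache:
            self.mac_cache[mac] = now

    def mac_known(self, mac, now):
        """AC asks whether the MAC may bypass the Portal page."""
        t = self.mac_cache.get(mac)
        return t is not None and now - t <= self.validity


class AccessController:
    """The AC: associates STAs and consults the Portal server's MAC cache first."""

    def __init__(self, portal):
        self.portal = portal
        self.online = set()

    def associate(self, mac, now):
        """Returns 'network' when the STA gets direct access, 'portal' when redirected."""
        if self.portal.mac_known(mac, now):
            self.online.add(mac)
            return "network"
        return "portal"

    def portal_submit(self, mac, username, password, now):
        """Credentials entered on the redirected Portal page."""
        if self.portal.login(mac, username, password, now):
            self.online.add(mac)
            return "network"
        return "portal"

    def disconnect(self, mac, now):
        self.online.discard(mac)
        self.portal.offline(mac, now)


def reconnect_result(offline_minutes):
    """Verification step 5: authenticate once, go offline for offline_minutes, reconnect."""
    ac = AccessController(PortalServer())
    sta = "a4:c3:f0:11:22:33"                    # constructed STA MAC address
    first = ac.associate(sta, now=0)             # unknown MAC: redirected to Portal
    assert first == "portal"
    ac.portal_submit(sta, "user1", "example-pass-1", now=1)
    ac.disconnect(sta, now=30)                   # user online for about 30 minutes, then drops
    return ac.associate(sta, now=30 + offline_minutes)
```

`reconnect_result(5)` yields direct network access and `reconnect_result(65)` a Portal redirect, matching the two cases in step 5.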
----End
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1x+AES
Figure (networking diagram): Internet, Router (GE0/0/1), AC, SwitchB (GE0/0/1 to GE0/0/4), SwitchA (GE0/0/1, GE0/0/2), AP, and STAs; RADIUS server 10.23.103.1:1812.
Management VLAN: VLAN 100
Service VLAN: VLAN 101
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure AC system parameters.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When configuring the
security policy, select 802.1X and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure third-party server interconnection parameters.
NOTE
The AC and server must have the same RADIUS shared key.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop set to the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.
NOTE
Configure the DNS server address as required.
# Click OK.
# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.103.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.102.1.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.
l For interconnection with the Aruba ClearPass, see "Example for Configuring Wireless
802.1X Authentication" in the Typical Configuration Examples-WLAN and the Aruba
ClearPass Server Interoperation Configuration Examples.
l For interconnection with the Agile Controller-Campus, see "Example for Configuring
Wireless 802.1X Authentication" in the Agile Controller-Campus Typical Configuration
Examples.
l For interconnection with other third-party servers, see the corresponding product manual.
Step 8 Verify the configuration.
l The WLAN with SSID wlan-net is available for STAs connected to the AP.
l The wireless PC obtains an IP address after it associates with the WLAN.
l Use the 802.1x authentication client on a STA and enter the correct user name and
password. The STA is authenticated and can access the WLAN. You must configure the
client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication
mode, set the identity authentication mode to User authentication, and click
OK.
----End
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
Figure (networking diagram): Internet, Router (GE0/0/1), AC, SwitchB (GE0/0/1 to GE0/0/4), SwitchA (GE0/0/1, GE0/0/2), AP, and STAs; RADIUS server 10.23.103.1:1812.
Data Planning
Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure AC system parameters.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When configuring the
security policy, select MAC and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure third-party server interconnection parameters.
NOTE
The AC and server must have the same RADIUS shared key.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop set to the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.
NOTE
Configure the DNS server address as required.
# Click OK.
# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.103.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.102.1.
# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.
# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.
# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE
– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.
# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click OK.
Step 7 Configure MAC address authentication.
1. Create the authentication profile wlan-net.
# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.
# Click AP group ap-group1. The AP group configuration page is displayed.
# Click Apply.
3. Configure the RADIUS authentication scheme wlan-net.
# Click Apply.
4. Bind the RADIUS profile wlan-net.
# Click in front of Authentication Profile. Under it, click RADIUS Profile. The
RADIUS Profile page is displayed.
# Select the RADIUS profile wlan-net and click Apply.
Step 8 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE
Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.
# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.
----End
Service Requirements
Dumb terminals (such as printers) in the physical access control department cannot have an
authentication client installed. To meet the enterprise's security requirements, configure MAC
address authentication on the AC and use the local authentication mode to authenticate
identities of dumb terminals.
Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
Figure 5-35 Networking for configuring MAC authentication for local users
Data Planning
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB