
Typical Configuration Examples

Issue 03
Date 2017-10-31

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com
Email: support@huawei.com

Issue 03 (2017-10-31) Huawei Proprietary and Confidential i


Copyright © Huawei Technologies Co., Ltd.
Typical Configuration Examples About This Document

About This Document

Purpose
This document provides the typical configuration examples supported by the WLAN.

Intended Audience
This document is intended for:

• Data configuration engineers
• Commissioning engineers
• Network monitoring engineers
• System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description

Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.

Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.

Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.

Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.

NOTE    Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention          Description

Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.

NOTE

The interface types, command outputs, and device models provided in this manual vary according to
device configurations and may differ from the actual information.
To obtain better user experience, you are advised to set the number of columns displayed on the
command line editor to 132 or higher.
The pages displayed on your web platform may be different from those in this example and shall prevail.


Interface Numbering Conventions


Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.

Security Conventions
• Password setting
  When configuring a password, cipher text is recommended. To ensure device security, do not disable the password complexity check, and change the password periodically.
  When you configure a password in cipher text that starts and ends with %^%#......%^%# (the password can be decrypted by the device), the password is displayed in the configuration file in the same form as it was configured. Do not use this setting.
• Encryption algorithm
  Currently, the device uses the following encryption algorithms: DES, 3DES, AES, RSA, SHA1, SHA-2, MD5 and SMS4. Which algorithm applies depends on the scenario. Use the recommended encryption algorithm; otherwise, security defense requirements may not be met.
  – For the symmetric encryption algorithm, use AES with a key of 128 bits or more.
  – For the asymmetric encryption algorithm, use RSA with a key of 2048 bits or more.
  – For the hash algorithm, use SHA2 with a digest length of 256 bits or more.
  – For the HMAC algorithm, use HMAC-SHA2.
  – The algorithms DES/3DES/RSA (RSA-1024 or lower)/MD5 (in digital signature scenarios and password encryption)/SHA1 (in digital signature scenarios) have low security, which may bring security risks. If the protocol allows, using more secure algorithms, such as AES/RSA (RSA-2048 or higher)/SHA2/HMAC-SHA2, is recommended.
  – SHA2 is an irreversible encryption algorithm. An irreversible encryption algorithm must be used for the administrator password.
• Personal data
  Some personal data (such as the MAC or IP addresses of users) may be obtained or used during operation or fault location of your purchased products, services, or features, so you have an obligation to make privacy policies and take measures according to the applicable law of the country to protect personal data.

Configuration Conventions
Large-scale or batch service configuration using scripts may cause high CPU usage,
preventing the system from processing regular services.


Model Declaration for Carriers Outside China


This document is provided to both enterprise and carrier users. Table 1 lists WLAN product
models supported for carriers outside China.

Table 1 WLAN product models for carriers outside China


Software Version    Product Model

V200R007C20         AC6005
                    AC6605
                    ACU2 (This model is released only in Russia.)
                    AP2030DN
                    AP2050DN
                    AP2050DN-E
                    AP4030DN
                    AP4050DN
                    AP4050DN-E
                    AP4051DN
                    AP4130DN
                    AP4151DN
                    AP5030DN
                    AP5130DN
                    AP6050DN
                    AP6150DN
                    AP6510DN-AGN
                    AP7050DE
                    AP7050DN-E
                    AP8030DN
                    AP8050DN
                    AP8130DN
                    AP8150DN
                    AD9430DN-12
                    AD9430DN-24
                    R230D
                    R240D
                    R250D
                    R250D-E

Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.

Changes in Issue 03 (2017-10-31)


This version has the following updates:

The following information is added:

• Typical Configuration Examples (CLI)
  – 4.20.1 Example for Configuring Unified Access for Wired and Wireless Users
  – 4.20.2 Higher Education Campus Network Deployment Case (S12700 Used as the Gateway and Authentication Point)
  – 4.20.3 Higher Education Campus Network Deployment Case (Branch Switch Used as the Gateway and Authentication Point)
  – 4.4.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces
• Typical Configuration Examples (Web)
  – 5.1 WLAN Common Service Configuration Examples
  – 5.5 WLAN Basic Networking Configuration Examples
  – 5.7 Authentication Configuration Examples
  – 5.8 Reliability Configuration Examples
  – 5.9 Roaming Configuration Examples
  – 5.10 Agile Distributed Networking Configuration Examples
  – 5.11 High-Density Configuration Examples
  – 5.12 Example for Configuring Vehicle-Ground Communication
  – 5.13 Radio Resource Management Configuration Examples
  – 5.14 Spectrum Analysis Configuration Examples
  – 5.15 WLAN Security Configuration Examples
  – 5.16 WLAN QoS Configuration Examples
  – 5.17 WLAN Enhanced Services Configuration Examples
  – 5.18 Typical Configuration for Interconnection Between AC and Cisco ISE Server
  – 5.19 Typical Configuration for Interconnection Between AC and Aruba ClearPass Server

Changes in Issue 02 (2017-07-10)


This version has the following updates:

The following information is added:

• Typical Configuration Examples (CLI)
  – 4.5 PPPoE Configuration Examples (Fat AP and Fat Central AP)
  – 4.6.8 Example for Configuring WeChat Authentication Using a Built-in Portal Server
  – 4.7.2 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios
  – 4.7.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios
• Typical Configuration Examples (Web)
  – 5.3 PPPoE Configuration Examples (Fat AP)
  – 5.4 PPPoE Configuration Examples (Fat Central AP)
  – 5.7 Authentication Configuration Examples
  – 5.8 Reliability Configuration Examples
Changes in Issue 01 (2017-06-12)


Initial commercial release.


Contents

About This Document

1 Introduction to WLAN

2 Product Overview
2.1 AC Products Overview
2.2 AP Products Overview

3 WLAN Configuration
3.1 WLAN Service Configuration Procedure
3.1.1 Reference Relationships Between WLAN Profiles
3.1.2 WLAN Basic Service Configuration Procedure
3.1.3 AP Group and AP
3.1.4 Regulatory Domain Profile
3.1.5 Radio Profile
3.1.6 Air Scan Profile
3.1.7 RRM Profile
3.1.8 VAP Profile
3.1.9 SSID Profile
3.1.10 Authentication Profile
3.1.11 Security Profile
3.1.12 Traffic Profile
3.1.13 UCC Profile
3.1.14 Attack Defense Profile
3.1.15 User Profile
3.1.16 Soft GRE profile
3.1.17 STA Blacklist Profile
3.1.18 STA Whitelist Profile
3.1.19 SAC Profile
3.1.20 Hotspot2.0 Profile
3.1.21 AP System Profile
3.1.22 AP Wired Port Profile
3.1.23 AP Wired Port Link Profile
3.1.24 WIDS Profile
3.1.25 WIDS Spoof SSID Profile


3.1.26 WIDS Whitelist Profile
3.1.27 Location Profile
3.1.28 BLE Profile
3.1.29 WDS Profile
3.1.30 WDS Whitelist Profile
3.1.31 Mesh Profile
3.1.32 Mesh Handover Profile
3.1.33 Mesh Whitelist Profile
3.1.34 IoT Profile
3.1.35 Serial Profile
3.1.36 AP Provisioning Profile
3.1.37 Common Operations of Profiles
3.2 Data Packet Processing

4 Typical Configuration Examples (CLI)
4.1 WLAN Common Service Configuration Examples
4.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1x Authentication)
4.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal Authentication)
4.1.3 Example for Configuring High-Density WLAN Services
4.1.4 Example for Configuring WLAN Backhaul
4.1.5 Example for Configuring Rail Transportation WLAN Services
4.1.6 Example for Configuring Agile Distributed Wi-Fi Services
4.1.7 Example for Configuring WLAN Environment Detection and Containment (WIDS and WIPS)
4.2 WLAN Basic Networking Configuration Examples (Fat AP)
4.2.1 Example for Configuring Fat AP Layer 2 Networking
4.2.2 Example for Configuring Fat AP Layer 3 Networking
4.2.3 Example for Configuring Users on the Fat AP to Access the Public Network Through NAT
4.3 WLAN Basic Networking Configuration Examples
4.3.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
4.3.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode
4.3.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode
4.3.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
4.3.5 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode
4.3.6 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode
4.3.7 Example for Configuring Layer 3 Direct Forwarding in Inline Mode
4.3.8 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode
4.3.9 Example for Configuring WLAN IPv4/IPv6 Dual-Stack Services
4.3.10 Example for Configuring NAT Traversal Between the AC and APs
4.3.11 Example for Configuring VPN Traversal Between the AC and APs
4.3.12 Example for Configuring Hand-in-Hand WDS Services
4.3.13 Example for Configuring Back-to-Back WDS
4.3.14 Example for Configuring Common Mesh Services
4.3.15 Example for Configuring Dual-MPP Mesh Services


4.4 AP's Wired Interface Configuration Examples
4.4.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces
4.5 PPPoE Configuration Examples (Fat AP and Fat Central AP)
4.5.1 Example for Configuring the PPPoE Client
4.5.2 Example for Connecting LAN to the Internet Using the ADSL Modem
4.6 Authentication Configuration Examples
4.6.1 Example for Configuring External Portal Authentication
4.6.2 Example for Configuring Built-in Portal Authentication for Local Users
4.6.3 Example for Configuring MAC Address-prioritized Portal Authentication
4.6.4 Example for Configuring 802.1X Authentication
4.6.5 Example for Configuring MAC Address Authentication
4.6.6 Example for Configuring MAC Authentication for Local Users
4.6.7 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users
4.6.8 Example for Configuring WeChat Authentication Using a Built-in Portal Server
4.6.9 Example for Configuring Different Authentication Modes for Multiple SSIDs
4.7 Reliability Configuration Examples
4.7.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios
4.7.2 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios
4.7.3 Example for Configuring Dual-link Cold Backup (Global Configuration Mode)
4.7.4 Example for Configuring Dual-Link HSB for ACs
4.7.5 Example for Configuring VRRP HSB
4.7.6 Example for Configuring N+1 Backup for ACs in the Same Network Segment
4.7.7 Example for Configuring N+1 Backup for ACs in Different Network Segments
4.8 Roaming Configuration Examples
4.8.1 Example for Configuring Inter-VLAN Layer 3 Roaming
4.8.2 Example for Configuring Intra-VLAN Roaming
4.8.3 Example for Configuring Inter-AC Layer 2 Roaming
4.8.4 Example for Configuring Inter-AC Layer 3 Roaming
4.9 Agile Distributed Networking Configuration Examples
4.9.1 Example for Configuring an Agile Distributed WLAN
4.10 High-Density Configuration Examples
4.10.1 Example for Configuring High-Density WLAN Services
4.11 Example for Configuring Vehicle-Ground Communication
4.11.1 Example for Configuring Vehicle-Ground Fast Link Handover
4.11.2 Example for Configuring Vehicle-Ground Fast Link Handover (VRRP Backup for Vehicle-Mounted APs)
4.12 Radio Resource Management Configuration Examples
4.12.1 Example for Configuring Dynamic Load Balancing
4.12.2 Example for Configuring Static Load Balancing
4.12.3 Example for Configuring Band Steering
4.12.4 Example for Configuring Smart Roaming
4.13 Spectrum Analysis Configuration Examples
4.13.1 Example for Configuring Spectrum Analysis


4.14 WLAN Security Configuration Examples
4.14.1 Example for Configuring Rogue Device Detection and Containment
4.14.2 Example for Configuring Attack Detection
4.14.3 Example for Configuring the STA Blacklist and Whitelist
4.15 WLAN QoS Configuration Examples
4.15.1 Common Misconfigurations
4.15.1.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs
4.15.2 Example for Configuring WMM and Priority Mapping
4.15.3 Example for Configuring Traffic Policing
4.15.4 Example for Configuring Airtime Fair Scheduling
4.15.5 Example for Configuring ACL-based Packet Filtering
4.15.6 Example for Configuring Optimization for Voice and Video Services
4.15.7 Example for Configuring Priorities for Lync Packets
4.16 WLAN Enhanced Services Configuration Examples
4.16.1 Example for Configuring WLAN-based E-schoolbag
4.16.2 Example for Configuring WLAN Hotspot2.0 Services
4.16.3 Example for Configuring Service Holding upon CAPWAP Link Disconnection
4.16.4 Example for Configuring Channel Switching Without Service Interruption
4.16.5 Example for Configuring an AP to Go Online Using a Static IP Address
4.16.6 Example for Configuring the Soft GRE Service
4.16.7 Example for Configuring the WLAN BYOD Service
4.16.8 Example for Configuring the Bonjour Gateway
4.16.9 Example for Configuring Bandwidth-based Multicast CAC
4.16.10 Example for Configuring CAC Based on the Number of Multicast Group Memberships
4.16.11 Example for Interconnecting an AC with a Network Management Server
4.16.12 Example for Configuring Wireless Packet Obtaining
4.17 Typical Configuration for Interconnection Between AC and Cisco ISE Server
4.17.1 Example for Configuring 802.1x Authentication (CLI)
4.17.2 Example for Configuring MAC Address Authentication (CLI)
4.17.3 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (CLI)
4.17.4 Example for Configuring User Authorization Based on User Groups (CLI)
4.17.5 Example for Configuring External Portal Authentication
4.18 Typical Configuration for Interconnection Between AC and Aruba ClearPass Server
4.18.1 Example for Configuring 802.1x Authentication (CLI)
4.18.2 Example for Configuring MAC Address Authentication (CLI)
4.18.3 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (CLI)
4.18.4 Example for Configuring User Authorization Based on User Groups (CLI)
4.18.5 Example for Configuring External Portal Authentication
4.18.6 Example for Configuring MAC Address-Prioritized Portal Authentication (CLI)............................................... 911
4.19 Typical Configuration for Interconnection Between AC and Huawei Agile Controller-Campus Server................ 927
4.19.1 Example for Configuring Wireless 802.1X Authentication.................................................................................. 927
4.19.2 Example for Configuring Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless Users.......... 939

4.19.3 Example for Configuring Wireless MAC Address Authentication....................................................................... 974
4.19.4 Example for Configuring Wireless Network Access Using a Terminal Running the Android, iOS, or Windows OS.......... 986
4.19.5 Example for Configuring Guests to Obtain Passwords Through Mobile Phones to Pass Authentication Quickly.......... 1000
4.19.6 Example for Configuring Guest Access Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts).......... 1010
4.19.7 Example for Configuring Guests Connect to Networks by Scanning Public QR Codes.................................... 1033
4.19.8 Example for Configuring 802.1X Authentication for Wireless Users in a VRRP HSB Environment................1049
4.19.9 Example for Configuring Portal Authentication for Wireless Users in a VRRP HSB Environment..................1071
4.19.10 Example for Configuring Portal Authentication for Wireless Users in an AC Dual-Link Backup Environment.......... 1105
4.19.11 Example for Configuring Portal Authentication for Wireless Users in an AC N+1 Environment....................1132
4.19.12 Appendix............................................................................................................................................................1163
4.19.12.1 Common Page Customization Operations Using the Editor.......................................................................... 1163
4.19.12.2 Customizing Pages..........................................................................................................................................1174
4.19.12.3 Defining a Redirection Rule for the Portal Page............................................................................................ 1175
4.19.12.4 Example: Adding Language Templates.......................................................................................................... 1178
4.19.12.5 Configuring MAC Address Authentication....................................................................................................1180
4.19.12.6 Deploying a CA Certificate Server.................................................................................................................1185
4.19.12.7 Server Certificate Importing Tool...................................................................................................................1192
4.19.12.8 How Do I Continue to Access the Original Page After Successful Portal Authentication?...........................1194
4.19.12.9 What Should I Do Before Connecting a GPRS Modem to the Agile Controller-Campus?........................... 1195
4.20 Comprehensive Case...............................................................................................................................................1198
4.20.1 Example for Configuring Unified Access for Wired and Wireless Users........................................................... 1198
4.20.2 Higher Education Campus Network Deployment Case (S12700 Used as the Gateway and Authentication Point).......... 1216
4.20.2.1 Application Scenario and Service Requirements............................................................................................. 1216
4.20.2.2 Solution Design................................................................................................................................................ 1217
4.20.2.3 Configuration Roadmap and Data Plan............................................................................................................ 1218
4.20.2.4 Configuration Notes......................................................................................................................................... 1221
4.20.2.5 Configuration Procedure...................................................................................................................................1222
4.20.2.5.1 Configuring the Aggregation Switch S7700-A in Office Building A........................................................... 1222
4.20.2.5.2 Configuring the Access Switch S5700-A in Office Building A....................................................................1223
4.20.2.5.3 Configuring the Core Switch S12700............................................................................................................1223
4.20.2.5.4 Configuring the Egress Firewall USG6600...................................................................................................1230
4.20.2.5.5 Configuring the Agile Controller.................................................................................................................. 1234
4.20.2.6 Verification....................................................................................................................................................... 1248
4.20.2.7 Configuration Script......................................................................................................................................... 1250
4.20.3 Higher Education Campus Network Deployment Case (Branch Switch Used as the Gateway and Authentication Point).......... 1256
4.20.3.1 Application Scenario and Service Requirements............................................................................................. 1256
4.20.3.2 Solution Design................................................................................................................................................ 1256
4.20.3.3 Configuration Roadmap and Data Plan............................................................................................................ 1257

4.20.3.4 Configuration Notes......................................................................................................................................... 1264
4.20.3.5 Configuration Procedure...................................................................................................................................1265
4.20.3.5.1 Configuring the Access Switch S5700-A in Office Building A....................................................................1265
4.20.3.5.2 Configuring Core Switches........................................................................................................................... 1265
4.20.3.5.3 Configuring the Aggregation Switch S12700 in Office Building A............................................................. 1270
4.20.3.5.4 Configuring the Firewalls.............................................................................................................................. 1274
4.20.3.5.5 Configuring the Agile Controller.................................................................................................................. 1277
4.20.3.6 Verification....................................................................................................................................................... 1288
4.20.3.7 Configuration Script......................................................................................................................................... 1293

5 Typical Configuration Examples (Web)..............................................................................1304


5.1 WLAN Common Service Configuration Examples................................................................................................. 1305
5.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1x Authentication)..............................1305
5.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal Authentication)....... 1315
5.1.3 Example for Configuring High-Density WLAN Services.................................................................................... 1325
5.1.4 Example for Configuring WLAN Backhaul..........................................................................................................1343
5.1.5 Example for Configuring Rail Transportation WLAN Services........................................................................... 1357
5.1.6 Example for Configuring Agile Distributed Wi-Fi Services................................................................................. 1374
5.1.7 Example for Configuring Rogue Device Detection and Containment.................................................................. 1382
5.2 WLAN Basic Networking Configuration Examples (FAT AP)............................................................................... 1392
5.2.1 Example for Configuring Fat AP Layer 2 Networking......................................................................................... 1392
5.2.2 Example for Configuring Fat AP Layer 3 Networking......................................................................................... 1398
5.2.3 Example for Configuring Users on the Fat AP to Access the Public Network Through NAT..............................1405
5.3 PPPoE Configuration Examples (Fat AP)................................................................................................................ 1413
5.3.1 Example for Configuring the Device as a PPPoE Client.......................................................................................1413
5.3.2 Example for Connecting LAN to the Internet Using the ADSL Modem.............................................................. 1416
5.4 PPPoE Configuration Examples (Fat Central AP)................................................................................................... 1419
5.4.1 Example for Configuring the Device as a PPPoE Client.......................................................................................1419
5.4.2 Example for Connecting LAN to the Internet Using the ADSL Modem.............................................................. 1422
5.5 WLAN Basic Networking Configuration Examples................................................................................................ 1426
5.5.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode.................................................................. 1426
5.5.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode.................................................................1435
5.5.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode................................................................1443
5.5.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode...............................................................1452
5.5.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode.................................................................. 1462
5.5.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode.................................................................1474
5.5.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode................................................................1485
5.5.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode...............................................................1496
5.5.9 Example for Configuring NAT Traversal Between the AC and APs.................................................................... 1507
5.5.10 Example for Configuring VPN Traversal Between the AC and APs.................................................................. 1516
5.5.11 Example for Configuring Hand-in-Hand WDS Services.................................................................................... 1528
5.5.12 Example for Configuring Back-to-Back WDS....................................................................................................1542
5.5.13 Example for Configuring Common Mesh Services............................................................................................ 1554

5.5.14 Example for Configuring Dual-MPP Mesh Services.......................................................................................... 1564
5.6 AP's Wired Interface Configuration Examples.........................................................................................................1575
5.6.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces.......................................................1575
5.7 Authentication Configuration Examples.................................................................................................................. 1579
5.7.1 Example for Configuring External Portal Authentication..................................................................................... 1579
5.7.2 Example for Configuring Built-in Portal Authentication for Local Users............................................................ 1589
5.7.3 Example for Configuring MAC Address-prioritized Portal Authentication......................................................... 1599
5.7.4 Example for Configuring 802.1X Authentication................................................................................................. 1609
5.7.5 Example for Configuring MAC Address Authentication......................................................................................1619
5.7.6 Example for Configuring MAC Authentication for Local Users.......................................................................... 1631
5.7.7 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users..........................1640
5.7.8 Example for Configuring Built-in Portal WeChat Authentication........................................................................ 1653
5.7.9 Example for Configuring Different Authentication Modes for Multiple SSIDs................................................... 1660
5.8 Reliability Configuration Examples......................................................................................................................... 1673
5.8.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios............................ 1673
5.8.2 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios...................... 1686
5.8.3 Example for Configuring Dual-link Cold Backup (Global Configuration Mode)................................................ 1698
5.8.4 Example for Configuring Dual-Link Hot Standby (HSB) for ACs.......................................................................1705
5.8.5 Example for Configuring VRRP HSB...................................................................................................................1714
5.8.6 Example for Configuring N+1 Backup for ACs on the Same Network Segment................................................. 1726
5.8.7 Example for Configuring N+1 Backup for ACs on Different Network Segments................................................1737
5.9 Roaming Configuration Examples........................................................................................................................... 1749
5.9.1 Example for Configuring Inter-VLAN Layer 3 Roaming..................................................................................... 1749
5.9.2 Example for Configuring Intra-VLAN Roaming.................................................................................................. 1761
5.9.3 Example for Configuring Inter-AC Layer 2 Roaming.......................................................................................... 1772
5.9.4 Example for Configuring Inter-AC Layer 3 Roaming.......................................................................................... 1784
5.10 Agile Distributed Networking Configuration Examples........................................................................................ 1797
5.10.1 Example for Configuring an Agile Distributed WLAN...................................................................................... 1797
5.11 High-Density Configuration Examples.................................................................................................................. 1805
5.11.1 Example for Configuring High-Density WLAN Services...................................................................................1805
5.12 Example for Configuring Vehicle-Ground Communication.................................................................................. 1824
5.12.1 Example for Configuring Vehicle-Ground Fast Link Handover......................................................................... 1824
5.13 Radio Resource Management Configuration Examples.........................................................................................1841
5.13.1 Example for Configuring Dynamic Load Balancing...........................................................................................1841
5.13.2 Example for Configuring Static Load Balancing................................................................................................ 1843
5.13.3 Example for Configuring Band Steering............................................................................................................. 1846
5.13.4 Example for Configuring Smart Roaming...........................................................................................................1850
5.14 Spectrum Analysis Configuration Examples..........................................................................................................1853
5.14.1 Example for Configuring Spectrum Analysis..................................................................................................... 1853
5.15 WLAN Security Configuration Examples..............................................................................................................1858
5.15.1 Example for Configuring Rogue Device Detection and Containment................................................................ 1858
5.15.2 Example for Configuring Attack Detection.........................................................................................................1868

5.15.3 Example for Configuring the STA Blacklist and Whitelist................................................................................. 1879
5.16 WLAN QoS Configuration Examples.................................................................................................................... 1889
5.16.1 Example for Configuring WMM and Priority Mapping..................................................................................... 1889
5.16.2 Example for Configuring Traffic Policing...........................................................................................................1893
5.16.3 Example for Configuring Airtime Fair Scheduling............................................................................................. 1896
5.16.4 Example for Configuring ACL-based Packet Filtering....................................................................................... 1898
5.16.5 Example for Configuring Optimization for Voice and Video Services............................................................... 1901
5.16.6 Example for Configuring Priorities for Lync Packets......................................................................................... 1904
5.17 WLAN Enhanced Services Configuration Examples.............................................................................................1907
5.17.1 Example for Configuring WLAN-based E-Schoolbag........................................................................................1907
5.17.2 Example for Configuring WLAN Hotspot2.0 Services.......................................................................................1923
5.17.3 Example for Configuring Service Holding upon WLAN CAPWAP Link Disconnection..................................1936
5.17.4 Example for Configuring Channel Switching Without Service Interruption...................................................... 1946
5.17.5 Example for Configuring an AP to Go Online Using a Static IP Address.......................................................... 1954
5.17.6 Example for Configuring the Soft GRE Service................................................................................................. 1959
5.17.7 Example for Configuring CAC Based on the Number of Multicast Group Memberships................................. 1970
5.18 Typical Configuration for Interconnection Between AC and Cisco ISE Server.................................................... 1980
5.18.1 Example for Configuring 802.1x Authentication (Web)..................................................................................... 1980
5.18.2 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (Web)................ 1995
5.18.3 Example for Configuring User Authorization Based on User Groups (Web)..................................................... 2013
5.19 Typical Configuration for Interconnection Between AC and Aruba ClearPass Server..........................................2030
5.19.1 Example for Configuring 802.1x Authentication (Web)..................................................................................... 2030
5.19.2 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (Web)................ 2045
5.19.3 Example for Configuring User Authorization Based on User Groups (Web)..................................................... 2062

Contents

About This Document.....................................................................................................................ii


1 Introduction to WLAN..................................................................................................................1
2 Product Overview.......................................................................................................................... 3
2.1 AC Products Overview................................................................................................................................................... 3
2.2 AP Products Overview................................................................................................................................................... 4

3 WLAN Configuration................................................................................................................. 13
3.1 WLAN Service Configuration Procedure.....................................................................................................................13
3.1.1 Reference Relationships Between WLAN Profiles...................................................................................................13

3.1.2 WLAN Basic Service Configuration Procedure........................................................................................................15
3.1.3 AP Group and AP...................................................................................................................................................... 16
3.1.4 Regulatory Domain Profile........................................................................................................................................18
3.1.5 Radio Profile..............................................................................................................................................................18
3.1.6 Air Scan Profile......................................................................................................................................................... 18
3.1.7 RRM Profile.............................................................................................................................................................. 19
3.1.8 VAP Profile................................................................................................................................................................20
3.1.9 SSID Profile...............................................................................................................................................................21
3.1.10 Authentication Profile..............................................................................................................................................21
3.1.11 Security Profile........................................................................................................................................................ 22
3.1.12 Traffic Profile.......................................................................................................................................................... 22
3.1.13 UCC Profile............................................................................................................................................................. 23
3.1.14 Attack Defense Profile.............................................................................................................................................23
3.1.15 User Profile..............................................................................................................................................................24
3.1.16 Soft GRE profile...................................................................................................................................................... 24
3.1.17 STA Blacklist Profile............................................................................................................................................... 24
3.1.18 STA Whitelist Profile.............................................................................................................................................. 25
3.1.19 SAC Profile..............................................................................................................................................................25
3.1.20 Hotspot2.0 Profile....................................................................................................................................................25
3.1.21 AP System Profile................................................................................................................................................... 26
3.1.22 AP Wired Port Profile..............................................................................................................................................29
3.1.23 AP Wired Port Link Profile..................................................................................................................................... 29
3.1.24 WIDS Profile........................................................................................................................................................... 29
3.1.25 WIDS Spoof SSID Profile....................................................................................................................................... 30
3.1.26 WIDS Whitelist Profile........................................................................................................................................... 30
3.1.27 Location Profile....................................................................................................................................................... 30
3.1.28 BLE Profile..............................................................................................................................................................31
3.1.29 WDS Profile............................................................................................................................................................ 31
3.1.30 WDS Whitelist Profile.............................................................................................................................................32
3.1.31 Mesh Profile............................................................................................................................................................ 32
3.1.32 Mesh Handover Profile............................................................................................................................................33
3.1.33 Mesh Whitelist Profile.............................................................................................................................................33
3.1.34 IoT Profile................................................................................................................................................................33
3.1.35 Serial Profile............................................................................................................................................................ 34
3.1.36 AP Provisioning Profile...........................................................................................................................................34
3.1.37 Common Operations of Profiles.............................................................................................................................. 34
3.2 Data Packet Processing.................................................................................................................................................35

4 Typical Configuration Examples (CLI)................................................................................... 46


4.1 WLAN Common Service Configuration Examples..................................................................................................... 47
4.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1x Authentication)..................................47
4.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal Authentication)........... 58
4.1.3 Example for Configuring High-Density WLAN Services........................................................................................ 68


4.1.4 Example for Configuring WLAN Backhaul..............................................................................................................82


4.1.5 Example for Configuring Rail Transportation WLAN Services............................................................................... 95
4.1.6 Example for Configuring Agile Distributed Wi-Fi Services................................................................................... 112
4.1.7 Example for Configuring WLAN Environment Detection and Containment (WIDS and WIPS)..........................120
4.2 WLAN Basic Networking Configuration Examples (Fat AP)................................................................................... 128
4.2.1 Example for Configuring Fat AP Layer 2 Networking........................................................................................... 128
4.2.2 Example for Configuring Fat AP Layer 3 Networking........................................................................................... 133
4.2.3 Example for Configuring Users on the Fat AP to Access the Public Network Through NAT................................138
4.3 WLAN Basic Networking Configuration Examples.................................................................................................. 143
4.3.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode.................................................................... 143
4.3.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode...................................................................150
4.3.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode..................................................................158
4.3.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode.................................................................166
4.3.5 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode.................................................................175
4.3.6 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode..................................................................184
4.3.7 Example for Configuring Layer 3 Direct Forwarding in Inline Mode.................................................................... 193
4.3.8 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode...................................................................203
4.3.9 Example for Configuring WLAN IPv4/IPv6 Dual-Stack Services......................................................................... 213
4.3.10 Example for Configuring NAT Traversal Between the AC and APs.................................................................... 221
4.3.11 Example for Configuring VPN Traversal Between the AC and APs.................................................................... 230
4.3.12 Example for Configuring Hand-in-Hand WDS Services...................................................................................... 241
4.3.13 Example for Configuring Back-to-Back WDS......................................................................................................254
4.3.14 Example for Configuring Common Mesh Services.............................................................................................. 267
4.3.15 Example for Configuring Dual-MPP Mesh Services............................................................................................ 275
4.4 AP's Wired Interface Configuration Examples...........................................................................................................286
4.4.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces.........................................................286
4.5 PPPoE Configuration Examples (Fat AP and Fat Central AP).................................................................................. 289
4.5.1 Example for Configuring the PPPoE Client............................................................................................................ 289
4.5.2 Example for Connecting LAN to the Internet Using the ADSL Modem................................................................ 291
4.6 Authentication Configuration Examples.................................................................................................................... 295
4.6.1 Example for Configuring External Portal Authentication....................................................................................... 295
4.6.2 Example for Configuring Built-in Portal Authentication for Local Users.............................................................. 305
4.6.3 Example for Configuring MAC Address-prioritized Portal Authentication........................................................... 315
4.6.4 Example for Configuring 802.1X Authentication................................................................................................... 326
4.6.5 Example for Configuring MAC Address Authentication........................................................................................337
4.6.6 Example for Configuring MAC Authentication for Local Users............................................................................ 347
4.6.7 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users............................355
4.6.8 Example for Configuring WeChat Authentication Using a Built-in Portal Server................................................. 366
4.6.9 Example for Configuring Different Authentication Modes for Multiple SSIDs..................................................... 373
4.7 Reliability Configuration Examples........................................................................................................................... 386
4.7.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios.............................. 386
4.7.2 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios........................ 403


4.7.3 Example for Configuring Dual-link Cold Backup (Global Configuration Mode).................................................. 414
4.7.4 Example for Configuring Dual-Link HSB for ACs.................................................................................................422
4.7.5 Example for Configuring VRRP HSB.....................................................................................................................433
4.7.6 Example for Configuring N+1 Backup for ACs in the Same Network Segment....................................................449
4.7.7 Example for Configuring N+1 Backup for ACs in Different Network Segments.................................................. 465
4.8 Roaming Configuration Examples............................................................................................................................. 483
4.8.1 Example for Configuring Inter-VLAN Layer 3 Roaming....................................................................................... 483
4.8.2 Example for Configuring Intra-VLAN Roaming.................................................................................................... 495
4.8.3 Example for Configuring Inter-AC Layer 2 Roaming............................................................................................ 505
4.8.4 Example for Configuring Inter-AC Layer 3 Roaming............................................................................................ 516
4.9 Agile Distributed Networking Configuration Examples............................................................................................ 528
4.9.1 Example for Configuring an Agile Distributed WLAN.......................................................................................... 528
4.10 High-Density Configuration Examples.................................................................................................................... 536
4.10.1 Example for Configuring High-Density WLAN Services.................................................................................... 536
4.11 Example for Configuring Vehicle-Ground Communication.....................................................................................550
4.11.1 Example for Configuring Vehicle-Ground Fast Link Handover........................................................................... 550
4.11.2 Example for Configuring Vehicle-Ground Fast Link Handover (VRRP Backup for Vehicle-Mounted APs)...... 567
4.12 Radio Resource Management Configuration Examples...........................................................................................589
4.12.1 Example for Configuring Dynamic Load Balancing.............................................................................................589
4.12.2 Example for Configuring Static Load Balancing.................................................................................................. 593
4.12.3 Example for Configuring Band Steering............................................................................................................... 596
4.12.4 Example for Configuring Smart Roaming.............................................................................................................600
4.13 Spectrum Analysis Configuration Examples............................................................................................................603
4.13.1 Example for Configuring Spectrum Analysis....................................................................................................... 603
4.14 WLAN Security Configuration Examples................................................................................................................610
4.14.1 Example for Configuring Rogue Device Detection and Containment.................................................................. 610
4.14.2 Example for Configuring Attack Detection...........................................................................................................619
4.14.3 Example for Configuring the STA Blacklist and Whitelist................................................................................... 629
4.15 WLAN QoS Configuration Examples...................................................................................................................... 637
4.15.1 Common Misconfigurations.................................................................................................................................. 637
4.15.1.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs............................. 637
4.15.2 Example for Configuring WMM and Priority Mapping....................................................................................... 639
4.15.3 Example for Configuring Traffic Policing.............................................................................................................645
4.15.4 Example for Configuring Airtime Fair Scheduling............................................................................................... 648
4.15.5 Example for Configuring ACL-based Packet Filtering......................................................................................... 651
4.15.6 Example for Configuring Optimization for Voice and Video Services................................................................. 655
4.15.7 Example for Configuring Priorities for Lync Packets........................................................................................... 657
4.16 WLAN Enhanced Services Configuration Examples...............................................................................................661
4.16.1 Example for Configuring WLAN-based E-schoolbag.......................................................................................... 661
4.16.2 Example for Configuring WLAN Hotspot2.0 Services.........................................................................................672
4.16.3 Example for Configuring Service Holding upon CAPWAP Link Disconnection.................................................684
4.16.4 Example for Configuring Channel Switching Without Service Interruption........................................................ 691


4.16.5 Example for Configuring an AP to Go Online Using a Static IP Address............................................................ 699


4.16.6 Example for Configuring the Soft GRE Service................................................................................................... 702
4.16.7 Example for Configuring the WLAN BYOD Service...........................................................................................712
4.16.8 Example for Configuring the Bonjour Gateway....................................................................................................722
4.16.9 Example for Configuring Bandwidth-based Multicast CAC................................................................................ 732
4.16.10 Example for Configuring CAC Based on the Number of Multicast Group Memberships................................. 741
4.16.11 Example for Interconnecting an AC with a Network Management Server.........................................................749
4.16.12 Example for Configuring Wireless Packet Obtaining......................................................................................... 758
4.17 Typical Configuration for Interconnection Between AC and Cisco ISE Server...................................................... 766
4.17.1 Example for Configuring 802.1x Authentication (CLI)........................................................................................ 766
4.17.2 Example for Configuring MAC Address Authentication (CLI)............................................................................780
4.17.3 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (CLI)...................794
4.17.4 Example for Configuring User Authorization Based on User Groups (CLI)........................................................810
4.17.5 Example for Configuring External Portal Authentication..................................................................................... 826
4.18 Typical Configuration for Interconnection Between AC and Aruba ClearPass Server............................................840
4.18.1 Example for Configuring 802.1x Authentication (CLI)........................................................................................ 840
4.18.2 Example for Configuring MAC Address Authentication (CLI)............................................................................854
4.18.3 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (CLI)...................866
4.18.4 Example for Configuring User Authorization Based on User Groups (CLI)........................................................882
4.18.5 Example for Configuring External Portal Authentication..................................................................................... 898
4.18.6 Example for Configuring MAC Address-Prioritized Portal Authentication (CLI)............................................... 911
4.19 Typical Configuration for Interconnection Between AC and Huawei Agile Controller-Campus Server................ 927
4.19.1 Example for Configuring Wireless 802.1X Authentication.................................................................................. 927
4.19.2 Example for Configuring Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless Users.................................................................................................................................................................. 939
4.19.3 Example for Configuring Wireless MAC Address Authentication....................................................................... 974
4.19.4 Example for Configuring Wireless Network Access Using a Terminal Running the Android, iOS, or Windows OS..................................................................................................................................................................................... 986
4.19.5 Example for Configuring Guests to Obtain Passwords Through Mobile Phones to Pass Authentication Quickly........................................................................................................................................................................................ 1000
4.19.6 Example for Configuring Guest Access Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts)........................................................................................................................................................................1010
4.19.7 Example for Configuring Guests Connect to Networks by Scanning Public QR Codes.................................... 1033
4.19.8 Example for Configuring 802.1X Authentication for Wireless Users in a VRRP HSB Environment................1049
4.19.9 Example for Configuring Portal Authentication for Wireless Users in a VRRP HSB Environment..................1071
4.19.10 Example for Configuring Portal Authentication for Wireless Users in an AC Dual-Link Backup Environment........................................................................................................................................................................................ 1105
4.19.11 Example for Configuring Portal Authentication for Wireless Users in an AC N+1 Environment....................1132
4.19.12 Appendix............................................................................................................................................................1163
4.19.12.1 Common Page Customization Operations Using the Editor.......................................................................... 1163
4.19.12.2 Customizing Pages..........................................................................................................................................1174
4.19.12.3 Defining a Redirection Rule for the Portal Page............................................................................................ 1175
4.19.12.4 Example: Adding Language Templates.......................................................................................................... 1178
4.19.12.5 Configuring MAC Address Authentication....................................................................................................1180


4.19.12.6 Deploying a CA Certificate Server.................................................................................................................1185


4.19.12.7 Server Certificate Importing Tool...................................................................................................................1192
4.19.12.8 How Do I Continue to Access the Original Page After Successful Portal Authentication?...........................1194
4.19.12.9 What Should I Do Before Connecting a GPRS Modem to the Agile Controller-Campus?........................... 1195
4.20 Comprehensive Case...............................................................................................................................................1198
4.20.1 Example for Configuring Unified Access for Wired and Wireless Users........................................................... 1198
4.20.2 Higher Education Campus Network Deployment Case (S12700 Used as the Gateway and Authentication Point)........................................................................................................................................................................................ 1216
4.20.2.1 Application Scenario and Service Requirements............................................................................................. 1216
4.20.2.2 Solution Design................................................................................................................................................ 1217
4.20.2.3 Configuration Roadmap and Data Plan............................................................................................................ 1218
4.20.2.4 Configuration Notes......................................................................................................................................... 1221
4.20.2.5 Configuration Procedure...................................................................................................................................1222
4.20.2.5.1 Configuring the Aggregation Switch S7700-A in Office Building A........................................................... 1222
4.20.2.5.2 Configuring the Access Switch S5700-A in Office Building A....................................................................1223
4.20.2.5.3 Configuring the Core Switch S12700............................................................................................................1223
4.20.2.5.4 Configuring the Egress Firewall USG6600...................................................................................................1230
4.20.2.5.5 Configuring the Agile Controller.................................................................................................................. 1234
4.20.2.6 Verification....................................................................................................................................................... 1248
4.20.2.7 Configuration Script......................................................................................................................................... 1250
4.20.3 Higher Education Campus Network Deployment Case (Branch Switch Used as the Gateway and Authentication Point).............................................................................................................................................................................. 1256
4.20.3.1 Application Scenario and Service Requirements............................................................................................. 1256
4.20.3.2 Solution Design................................................................................................................................................ 1256
4.20.3.3 Configuration Roadmap and Data Plan............................................................................................................ 1257
4.20.3.4 Configuration Notes......................................................................................................................................... 1264
4.20.3.5 Configuration Procedure...................................................................................................................................1265
4.20.3.5.1 Configuring the Access Switch S5700-A in Office Building A....................................................................1265
4.20.3.5.2 Configuring Core Switches........................................................................................................................... 1265
4.20.3.5.3 Configuring the Aggregation Switch S12700 in Office Building A............................................................. 1270
4.20.3.5.4 Configuring the Firewalls.............................................................................................................................. 1274
4.20.3.5.5 Configuring the Agile Controller.................................................................................................................. 1277
4.20.3.6 Verification....................................................................................................................................................... 1288
4.20.3.7 Configuration Script......................................................................................................................................... 1293

5 Typical Configuration Examples (Web)..............................................................................1304


5.1 WLAN Common Service Configuration Examples................................................................................................. 1305
5.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1x Authentication)..............................1305
5.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal Authentication)....... 1315
5.1.3 Example for Configuring High-Density WLAN Services.................................................................................... 1325
5.1.4 Example for Configuring WLAN Backhaul..........................................................................................................1343
5.1.5 Example for Configuring Rail Transportation WLAN Services........................................................................... 1357
5.1.6 Example for Configuring Agile Distributed Wi-Fi Services................................................................................. 1374
5.1.7 Example for Configuring Rogue Device Detection and Containment.................................................................. 1382


5.2 WLAN Basic Networking Configuration Examples (FAT AP)............................................................................... 1392


5.2.1 Example for Configuring Fat AP Layer 2 Networking......................................................................................... 1392
5.2.2 Example for Configuring Fat AP Layer 3 Networking......................................................................................... 1398
5.2.3 Example for Configuring Users on the Fat AP to Access the Public Network Through NAT..............................1405
5.3 PPPoE Configuration Examples (Fat AP)................................................................................................................ 1413
5.3.1 Example for Configuring the Device as a PPPoE Client.......................................................................................1413
5.3.2 Example for Connecting LAN to the Internet Using the ADSL Modem.............................................................. 1416
5.4 PPPoE Configuration Examples (Fat Central AP)................................................................................................... 1419
5.4.1 Example for Configuring the Device as a PPPoE Client.......................................................................................1419
5.4.2 Example for Connecting LAN to the Internet Using the ADSL Modem.............................................................. 1422
5.5 WLAN Basic Networking Configuration Examples................................................................................................ 1426
5.5.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode.................................................................. 1426
5.5.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode.................................................................1435
5.5.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode................................................................1443
5.5.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode...............................................................1452
5.5.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode.................................................................. 1462
5.5.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode.................................................................1474
5.5.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode................................................................1485
5.5.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode...............................................................1496
5.5.9 Example for Configuring NAT Traversal Between the AC and APs.................................................................... 1507
5.5.10 Example for Configuring VPN Traversal Between the AC and APs.................................................................. 1516
5.5.11 Example for Configuring Hand-in-Hand WDS Services.................................................................................... 1528
5.5.12 Example for Configuring Back-to-Back WDS....................................................................................................1542
5.5.13 Example for Configuring Common Mesh Services............................................................................................ 1554
5.5.14 Example for Configuring Dual-MPP Mesh Services.......................................................................................... 1564
5.6 AP's Wired Interface Configuration Examples.........................................................................................................1575
5.6.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces.......................................................1575
5.7 Authentication Configuration Examples.................................................................................................................. 1579
5.7.1 Example for Configuring External Portal Authentication..................................................................................... 1579
5.7.2 Example for Configuring Built-in Portal Authentication for Local Users............................................................ 1589
5.7.3 Example for Configuring MAC Address-prioritized Portal Authentication......................................................... 1599
5.7.4 Example for Configuring 802.1X Authentication................................................................................................. 1609
5.7.5 Example for Configuring MAC Address Authentication......................................................................................1619
5.7.6 Example for Configuring MAC Authentication for Local Users.......................................................................... 1631
5.7.7 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users..........................1640
5.7.8 Example for Configuring Built-in Portal WeChat Authentication........................................................................ 1653
5.7.9 Example for Configuring Different Authentication Modes for Multiple SSIDs................................................... 1660
5.8 Reliability Configuration Examples......................................................................................................................... 1673
5.8.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios............................ 1673
5.8.2 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios...................... 1686
5.8.3 Example for Configuring Dual-link Cold Backup (Global Configuration Mode)................................................ 1698
5.8.4 Example for Configuring Dual-Link Hot Standby (HSB) for ACs.......................................................................1705

5.8.5 Example for Configuring VRRP HSB...................................................................................................................1714


5.8.6 Example for Configuring N+1 Backup for ACs on the Same Network Segment................................................. 1726
5.8.7 Example for Configuring N+1 Backup for ACs on Different Network Segments................................................1737
5.9 Roaming Configuration Examples........................................................................................................................... 1749
5.9.1 Example for Configuring Inter-VLAN Layer 3 Roaming..................................................................................... 1749
5.9.2 Example for Configuring Intra-VLAN Roaming.................................................................................................. 1761
5.9.3 Example for Configuring Inter-AC Layer 2 Roaming.......................................................................................... 1772
5.9.4 Example for Configuring Inter-AC Layer 3 Roaming.......................................................................................... 1784
5.10 Agile Distributed Networking Configuration Examples........................................................................................ 1797
5.10.1 Example for Configuring an Agile Distributed WLAN...................................................................................... 1797
5.11 High-Density Configuration Examples.................................................................................................................. 1805
5.11.1 Example for Configuring High-Density WLAN Services...................................................................................1805
5.12 Example for Configuring Vehicle-Ground Communication.................................................................................. 1824
5.12.1 Example for Configuring Vehicle-Ground Fast Link Handover......................................................................... 1824
5.13 Radio Resource Management Configuration Examples.........................................................................................1841
5.13.1 Example for Configuring Dynamic Load Balancing...........................................................................................1841
5.13.2 Example for Configuring Static Load Balancing................................................................................................ 1843
5.13.3 Example for Configuring Band Steering............................................................................................................. 1846
5.13.4 Example for Configuring Smart Roaming...........................................................................................................1850
5.14 Spectrum Analysis Configuration Examples..........................................................................................................1853
5.14.1 Example for Configuring Spectrum Analysis..................................................................................................... 1853
5.15 WLAN Security Configuration Examples..............................................................................................................1858
5.15.1 Example for Configuring Rogue Device Detection and Containment................................................................ 1858
5.15.2 Example for Configuring Attack Detection.........................................................................................................1868
5.15.3 Example for Configuring the STA Blacklist and Whitelist................................................................................. 1879
5.16 WLAN QoS Configuration Examples.................................................................................................................... 1889
5.16.1 Example for Configuring WMM and Priority Mapping..................................................................................... 1889
5.16.2 Example for Configuring Traffic Policing...........................................................................................................1893
5.16.3 Example for Configuring Airtime Fair Scheduling............................................................................................. 1896
5.16.4 Example for Configuring ACL-based Packet Filtering....................................................................................... 1898
5.16.5 Example for Configuring Optimization for Voice and Video Services............................................................... 1901
5.16.6 Example for Configuring Priorities for Lync Packets......................................................................................... 1904
5.17 WLAN Enhanced Services Configuration Examples.............................................................................................1907
5.17.1 Example for Configuring WLAN-based E-Schoolbag........................................................................................1907
5.17.2 Example for Configuring WLAN Hotspot2.0 Services.......................................................................................1923
5.17.3 Example for Configuring Service Holding upon WLAN CAPWAP Link Disconnection..................................1936
5.17.4 Example for Configuring Channel Switching Without Service Interruption...................................................... 1946
5.17.5 Example for Configuring an AP to Go Online Using a Static IP Address.......................................................... 1954
5.17.6 Example for Configuring the Soft GRE Service................................................................................................. 1959
5.17.7 Example for Configuring CAC Based on the Number of Multicast Group Memberships................................. 1970
5.18 Typical Configuration for Interconnection Between AC and Cisco ISE Server.................................................... 1980
5.18.1 Example for Configuring 802.1x Authentication (Web)..................................................................................... 1980

5.18.2 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (Web)................ 1995
5.18.3 Example for Configuring User Authorization Based on User Groups (Web)..................................................... 2013
5.19 Typical Configuration for Interconnection Between AC and Aruba ClearPass Server..........................................2030
5.19.1 Example for Configuring 802.1x Authentication (Web)..................................................................................... 2030
5.19.2 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (Web)................ 2045
5.19.3 Example for Configuring User Authorization Based on User Groups (Web)..................................................... 2062

Contents

About This Document.....................................................................................................................ii


1 Introduction to WLAN..................................................................................................................1
2 Product Overview.......................................................................................................................... 3
2.1 AC Products Overview................................................................................................................................................... 3
2.2 AP Products Overview................................................................................................................................................... 4

3 WLAN Configuration................................................................................................................. 13
3.1 WLAN Service Configuration Procedure.....................................................................................................................13
3.1.1 Reference Relationships Between WLAN Profiles...................................................................................................13
3.1.2 WLAN Basic Service Configuration Procedure........................................................................................................15
3.1.3 AP Group and AP...................................................................................................................................................... 16
3.1.4 Regulatory Domain Profile........................................................................................................................................18
3.1.5 Radio Profile..............................................................................................................................................................18
3.1.6 Air Scan Profile......................................................................................................................................................... 18
3.1.7 RRM Profile.............................................................................................................................................................. 19
3.1.8 VAP Profile................................................................................................................................................................20
3.1.9 SSID Profile...............................................................................................................................................................21
3.1.10 Authentication Profile..............................................................................................................................................21
3.1.11 Security Profile........................................................................................................................................................ 22
3.1.12 Traffic Profile.......................................................................................................................................................... 22
3.1.13 UCC Profile............................................................................................................................................................. 23
3.1.14 Attack Defense Profile.............................................................................................................................................23
3.1.15 User Profile..............................................................................................................................................................24
3.1.16 Soft GRE profile...................................................................................................................................................... 24
3.1.17 STA Blacklist Profile............................................................................................................................................... 24
3.1.18 STA Whitelist Profile.............................................................................................................................................. 25
3.1.19 SAC Profile..............................................................................................................................................................25

3.1.20 Hotspot2.0 Profile....................................................................................................................................................25


3.1.21 AP System Profile................................................................................................................................................... 26
3.1.22 AP Wired Port Profile..............................................................................................................................................29
3.1.23 AP Wired Port Link Profile..................................................................................................................................... 29
3.1.24 WIDS Profile........................................................................................................................................................... 29
3.1.25 WIDS Spoof SSID Profile....................................................................................................................................... 30
3.1.26 WIDS Whitelist Profile........................................................................................................................................... 30
3.1.27 Location Profile....................................................................................................................................................... 30
3.1.28 BLE Profile..............................................................................................................................................................31
3.1.29 WDS Profile............................................................................................................................................................ 31
3.1.30 WDS Whitelist Profile.............................................................................................................................................32
3.1.31 Mesh Profile............................................................................................................................................................ 32
3.1.32 Mesh Handover Profile............................................................................................................................................33
3.1.33 Mesh Whitelist Profile.............................................................................................................................................33
3.1.34 IoT Profile................................................................................................................................................................33
3.1.35 Serial Profile............................................................................................................................................................ 34
3.1.36 AP Provisioning Profile...........................................................................................................................................34
3.1.37 Common Operations of Profiles.............................................................................................................................. 34
3.2 Data Packet Processing.................................................................................................................................................35

4 Typical Configuration Examples (CLI)................................................................................... 46


4.1 WLAN Common Service Configuration Examples..................................................................................................... 47
4.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1x Authentication)..................................47
4.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal Authentication)........... 58
4.1.3 Example for Configuring High-Density WLAN Services........................................................................................ 68
4.1.4 Example for Configuring WLAN Backhaul..............................................................................................................82
4.1.5 Example for Configuring Rail Transportation WLAN Services............................................................................... 95
4.1.6 Example for Configuring Agile Distributed Wi-Fi Services................................................................................... 112
4.1.7 Example for Configuring WLAN Environment Detection and Containment (WIDS and WIPS)..........................120
4.2 WLAN Basic Networking Configuration Examples (Fat AP)................................................................................... 128
4.2.1 Example for Configuring Fat AP Layer 2 Networking........................................................................................... 128
4.2.2 Example for Configuring Fat AP Layer 3 Networking........................................................................................... 133
4.2.3 Example for Configuring Users on the Fat AP to Access the Public Network Through NAT................................138
4.3 WLAN Basic Networking Configuration Examples.................................................................................................. 143
4.3.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode.................................................................... 143
4.3.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode...................................................................150
4.3.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode..................................................................158
4.3.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode.................................................................166
4.3.5 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode.................................................................175
4.3.6 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode..................................................................184
4.3.7 Example for Configuring Layer 3 Direct Forwarding in Inline Mode.................................................................... 193
4.3.8 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode...................................................................203
4.3.9 Example for Configuring WLAN IPv4/IPv6 Dual-Stack Services......................................................................... 213

4.3.10 Example for Configuring NAT Traversal Between the AC and APs.................................................................... 221
4.3.11 Example for Configuring VPN Traversal Between the AC and APs.................................................................... 230
4.3.12 Example for Configuring Hand-in-Hand WDS Services...................................................................................... 241
4.3.13 Example for Configuring Back-to-Back WDS......................................................................................................254
4.3.14 Example for Configuring Common Mesh Services.............................................................................................. 267
4.3.15 Example for Configuring Dual-MPP Mesh Services............................................................................................ 275
4.4 AP's Wired Interface Configuration Examples...........................................................................................................286
4.4.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces.........................................................286
4.5 PPPoE Configuration Examples (Fat AP and Fat Central AP).................................................................................. 289
4.5.1 Example for Configuring the PPPoE Client............................................................................................................ 289
4.5.2 Example for Connecting LAN to the Internet Using the ADSL Modem................................................................ 291
4.6 Authentication Configuration Examples.................................................................................................................... 295
4.6.1 Example for Configuring External Portal Authentication....................................................................................... 295
4.6.2 Example for Configuring Built-in Portal Authentication for Local Users.............................................................. 305
4.6.3 Example for Configuring MAC Address-prioritized Portal Authentication........................................................... 315
4.6.4 Example for Configuring 802.1X Authentication................................................................................................... 326
4.6.5 Example for Configuring MAC Address Authentication........................................................................................337
4.6.6 Example for Configuring MAC Authentication for Local Users............................................................................ 347
4.6.7 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users............................355
4.6.8 Example for Configuring WeChat Authentication Using a Built-in Portal Server................................................. 366
4.6.9 Example for Configuring Different Authentication Modes for Multiple SSIDs..................................................... 373
4.7 Reliability Configuration Examples........................................................................................................................... 386
4.7.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios.............................. 386
4.7.2 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios........................ 403
4.7.3 Example for Configuring Dual-link Cold Backup (Global Configuration Mode).................................................. 414
4.7.4 Example for Configuring Dual-Link HSB for ACs.................................................................................................422
4.7.5 Example for Configuring VRRP HSB.....................................................................................................................433
4.7.6 Example for Configuring N+1 Backup for ACs in the Same Network Segment....................................................449
4.7.7 Example for Configuring N+1 Backup for ACs in Different Network Segments.................................................. 465
4.8 Roaming Configuration Examples............................................................................................................................. 483
4.8.1 Example for Configuring Inter-VLAN Layer 3 Roaming....................................................................................... 483
4.8.2 Example for Configuring Intra-VLAN Roaming.................................................................................................... 495
4.8.3 Example for Configuring Inter-AC Layer 2 Roaming............................................................................................ 505
4.8.4 Example for Configuring Inter-AC Layer 3 Roaming............................................................................................ 516
4.9 Agile Distributed Networking Configuration Examples............................................................................................ 528
4.9.1 Example for Configuring an Agile Distributed WLAN.......................................................................................... 528
4.10 High-Density Configuration Examples.................................................................................................................... 536
4.10.1 Example for Configuring High-Density WLAN Services.................................................................................... 536
4.11 Example for Configuring Vehicle-Ground Communication.....................................................................................550
4.11.1 Example for Configuring Vehicle-Ground Fast Link Handover........................................................................... 550
4.11.2 Example for Configuring Vehicle-Ground Fast Link Handover (VRRP Backup for Vehicle-Mounted APs)...... 567
4.12 Radio Resource Management Configuration Examples...........................................................................................589

4.12.1 Example for Configuring Dynamic Load Balancing.............................................................................................589


4.12.2 Example for Configuring Static Load Balancing.................................................................................................. 593
4.12.3 Example for Configuring Band Steering............................................................................................................... 596
4.12.4 Example for Configuring Smart Roaming.............................................................................................................600
4.13 Spectrum Analysis Configuration Examples............................................................................................................603
4.13.1 Example for Configuring Spectrum Analysis....................................................................................................... 603
4.14 WLAN Security Configuration Examples................................................................................................................610
4.14.1 Example for Configuring Rogue Device Detection and Containment.................................................................. 610
4.14.2 Example for Configuring Attack Detection...........................................................................................................619
4.14.3 Example for Configuring the STA Blacklist and Whitelist................................................................................... 629
4.15 WLAN QoS Configuration Examples...................................................................................................................... 637
4.15.1 Common Misconfigurations.................................................................................................................................. 637
4.15.1.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs............................. 637
4.15.2 Example for Configuring WMM and Priority Mapping....................................................................................... 639
4.15.3 Example for Configuring Traffic Policing.............................................................................................................645
4.15.4 Example for Configuring Airtime Fair Scheduling............................................................................................... 648
4.15.5 Example for Configuring ACL-based Packet Filtering......................................................................................... 651
4.15.6 Example for Configuring Optimization for Voice and Video Services................................................................. 655
4.15.7 Example for Configuring Priorities for Lync Packets........................................................................................... 657
4.16 WLAN Enhanced Services Configuration Examples...............................................................................................661
4.16.1 Example for Configuring WLAN-based E-schoolbag.......................................................................................... 661
4.16.2 Example for Configuring WLAN Hotspot2.0 Services.........................................................................................672
4.16.3 Example for Configuring Service Holding upon CAPWAP Link Disconnection.................................................684
4.16.4 Example for Configuring Channel Switching Without Service Interruption........................................................ 691
4.16.5 Example for Configuring an AP to Go Online Using a Static IP Address............................................................ 699
4.16.6 Example for Configuring the Soft GRE Service................................................................................................... 702
4.16.7 Example for Configuring the WLAN BYOD Service...........................................................................................712
4.16.8 Example for Configuring the Bonjour Gateway....................................................................................................722
4.16.9 Example for Configuring Bandwidth-based Multicast CAC................................................................................ 732
4.16.10 Example for Configuring CAC Based on the Number of Multicast Group Memberships................................. 741
4.16.11 Example for Interconnecting an AC with a Network Management Server.........................................................749
4.16.12 Example for Configuring Wireless Packet Obtaining......................................................................................... 758
4.17 Typical Configuration for Interconnection Between AC and Cisco ISE Server...................................................... 766
4.17.1 Example for Configuring 802.1x Authentication (CLI)........................................................................................ 766
4.17.2 Example for Configuring MAC Address Authentication (CLI)............................................................................780
4.17.3 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (CLI)...................794
4.17.4 Example for Configuring User Authorization Based on User Groups (CLI)........................................................810
4.17.5 Example for Configuring External Portal Authentication..................................................................................... 826
4.18 Typical Configuration for Interconnection Between AC and Aruba ClearPass Server............................................840
4.18.1 Example for Configuring 802.1x Authentication (CLI)........................................................................................ 840
4.18.2 Example for Configuring MAC Address Authentication (CLI)............................................................................854
4.18.3 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (CLI)...................866

4.18.4 Example for Configuring User Authorization Based on User Groups (CLI)........................................................882
4.18.5 Example for Configuring External Portal Authentication..................................................................................... 898
4.18.6 Example for Configuring MAC Address-Prioritized Portal Authentication (CLI)............................................... 911
4.19 Typical Configuration for Interconnection Between AC and Huawei Agile Controller-Campus Server................ 927
4.19.1 Example for Configuring Wireless 802.1X Authentication.................................................................................. 927
4.19.2 Example for Configuring Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless Users.......... 939
4.19.3 Example for Configuring Wireless MAC Address Authentication....................................................................... 974
4.19.4 Example for Configuring Wireless Network Access Using a Terminal Running the Android, iOS, or Windows OS.......... 986
4.19.5 Example for Configuring Guests to Obtain Passwords Through Mobile Phones to Pass Authentication Quickly.......... 1000
4.19.6 Example for Configuring Guest Access Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts).......... 1010
4.19.7 Example for Configuring Guests Connect to Networks by Scanning Public QR Codes.................................... 1033
4.19.8 Example for Configuring 802.1X Authentication for Wireless Users in a VRRP HSB Environment................1049
4.19.9 Example for Configuring Portal Authentication for Wireless Users in a VRRP HSB Environment..................1071
4.19.10 Example for Configuring Portal Authentication for Wireless Users in an AC Dual-Link Backup Environment.......... 1105
4.19.11 Example for Configuring Portal Authentication for Wireless Users in an AC N+1 Environment....................1132
4.19.12 Appendix............................................................................................................................................................1163
4.19.12.1 Common Page Customization Operations Using the Editor.......................................................................... 1163
4.19.12.2 Customizing Pages..........................................................................................................................................1174
4.19.12.3 Defining a Redirection Rule for the Portal Page............................................................................................ 1175
4.19.12.4 Example: Adding Language Templates.......................................................................................................... 1178
4.19.12.5 Configuring MAC Address Authentication....................................................................................................1180
4.19.12.6 Deploying a CA Certificate Server.................................................................................................................1185
4.19.12.7 Server Certificate Importing Tool...................................................................................................................1192
4.19.12.8 How Do I Continue to Access the Original Page After Successful Portal Authentication?...........................1194
4.19.12.9 What Should I Do Before Connecting a GPRS Modem to the Agile Controller-Campus?........................... 1195
4.20 Comprehensive Case...............................................................................................................................................1198
4.20.1 Example for Configuring Unified Access for Wired and Wireless Users........................................................... 1198
4.20.2 Higher Education Campus Network Deployment Case (S12700 Used as the Gateway and Authentication Point).......... 1216
4.20.2.1 Application Scenario and Service Requirements............................................................................................. 1216
4.20.2.2 Solution Design................................................................................................................................................ 1217
4.20.2.3 Configuration Roadmap and Data Plan............................................................................................................ 1218
4.20.2.4 Configuration Notes......................................................................................................................................... 1221
4.20.2.5 Configuration Procedure...................................................................................................................................1222
4.20.2.5.1 Configuring the Aggregation Switch S7700-A in Office Building A........................................................... 1222
4.20.2.5.2 Configuring the Access Switch S5700-A in Office Building A....................................................................1223
4.20.2.5.3 Configuring the Core Switch S12700............................................................................................................1223
4.20.2.5.4 Configuring the Egress Firewall USG6600...................................................................................................1230
4.20.2.5.5 Configuring the Agile Controller.................................................................................................................. 1234

4.20.2.6 Verification....................................................................................................................................................... 1248
4.20.2.7 Configuration Script......................................................................................................................................... 1250
4.20.3 Higher Education Campus Network Deployment Case (Branch Switch Used as the Gateway and Authentication Point).......... 1256
4.20.3.1 Application Scenario and Service Requirements............................................................................................. 1256
4.20.3.2 Solution Design................................................................................................................................................ 1256
4.20.3.3 Configuration Roadmap and Data Plan............................................................................................................ 1257
4.20.3.4 Configuration Notes......................................................................................................................................... 1264
4.20.3.5 Configuration Procedure...................................................................................................................................1265
4.20.3.5.1 Configuring the Access Switch S5700-A in Office Building A....................................................................1265
4.20.3.5.2 Configuring Core Switches........................................................................................................................... 1265
4.20.3.5.3 Configuring the Aggregation Switch S12700 in Office Building A............................................................. 1270
4.20.3.5.4 Configuring the Firewalls.............................................................................................................................. 1274
4.20.3.5.5 Configuring the Agile Controller.................................................................................................................. 1277
4.20.3.6 Verification....................................................................................................................................................... 1288
4.20.3.7 Configuration Script......................................................................................................................................... 1293

5 Typical Configuration Examples (Web)..............................................................................1304


5.1 WLAN Common Service Configuration Examples................................................................................................. 1305
5.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1x Authentication)..............................1305
5.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal Authentication)....... 1315
5.1.3 Example for Configuring High-Density WLAN Services.................................................................................... 1325
5.1.4 Example for Configuring WLAN Backhaul..........................................................................................................1343
5.1.5 Example for Configuring Rail Transportation WLAN Services........................................................................... 1357
5.1.6 Example for Configuring Agile Distributed Wi-Fi Services................................................................................. 1374
5.1.7 Example for Configuring Rogue Device Detection and Containment.................................................................. 1382
5.2 WLAN Basic Networking Configuration Examples (FAT AP)............................................................................... 1392
5.2.1 Example for Configuring Fat AP Layer 2 Networking......................................................................................... 1392
5.2.2 Example for Configuring Fat AP Layer 3 Networking......................................................................................... 1398
5.2.3 Example for Configuring Users on the Fat AP to Access the Public Network Through NAT..............................1405
5.3 PPPoE Configuration Examples (Fat AP)................................................................................................................ 1413
5.3.1 Example for Configuring the Device as a PPPoE Client.......................................................................................1413
5.3.2 Example for Connecting LAN to the Internet Using the ADSL Modem.............................................................. 1416
5.4 PPPoE Configuration Examples (Fat Central AP)................................................................................................... 1419
5.4.1 Example for Configuring the Device as a PPPoE Client.......................................................................................1419
5.4.2 Example for Connecting LAN to the Internet Using the ADSL Modem.............................................................. 1422
5.5 WLAN Basic Networking Configuration Examples................................................................................................ 1426
5.5.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode.................................................................. 1426
5.5.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode.................................................................1435
5.5.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode................................................................1443
5.5.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode...............................................................1452
5.5.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode.................................................................. 1462
5.5.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode.................................................................1474

5.5.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode................................................................1485
5.5.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode...............................................................1496
5.5.9 Example for Configuring NAT Traversal Between the AC and APs.................................................................... 1507
5.5.10 Example for Configuring VPN Traversal Between the AC and APs.................................................................. 1516
5.5.11 Example for Configuring Hand-in-Hand WDS Services.................................................................................... 1528
5.5.12 Example for Configuring Back-to-Back WDS....................................................................................................1542
5.5.13 Example for Configuring Common Mesh Services............................................................................................ 1554
5.5.14 Example for Configuring Dual-MPP Mesh Services.......................................................................................... 1564
5.6 AP's Wired Interface Configuration Examples.........................................................................................................1575
5.6.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces.......................................................1575
5.7 Authentication Configuration Examples.................................................................................................................. 1579
5.7.1 Example for Configuring External Portal Authentication..................................................................................... 1579
5.7.2 Example for Configuring Built-in Portal Authentication for Local Users............................................................ 1589
5.7.3 Example for Configuring MAC Address-prioritized Portal Authentication......................................................... 1599
5.7.4 Example for Configuring 802.1X Authentication................................................................................................. 1609
5.7.5 Example for Configuring MAC Address Authentication......................................................................................1619
5.7.6 Example for Configuring MAC Authentication for Local Users.......................................................................... 1631
5.7.7 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users..........................1640
5.7.8 Example for Configuring Built-in Portal WeChat Authentication........................................................................ 1653
5.7.9 Example for Configuring Different Authentication Modes for Multiple SSIDs................................................... 1660
5.8 Reliability Configuration Examples......................................................................................................................... 1673
5.8.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios............................ 1673
5.8.2 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios...................... 1686
5.8.3 Example for Configuring Dual-link Cold Backup (Global Configuration Mode)................................................ 1698
5.8.4 Example for Configuring Dual-Link Hot Standby (HSB) for ACs.......................................................................1705
5.8.5 Example for Configuring VRRP HSB...................................................................................................................1714
5.8.6 Example for Configuring N+1 Backup for ACs on the Same Network Segment................................................. 1726
5.8.7 Example for Configuring N+1 Backup for ACs on Different Network Segments................................................1737
5.9 Roaming Configuration Examples........................................................................................................................... 1749
5.9.1 Example for Configuring Inter-VLAN Layer 3 Roaming..................................................................................... 1749
5.9.2 Example for Configuring Intra-VLAN Roaming.................................................................................................. 1761
5.9.3 Example for Configuring Inter-AC Layer 2 Roaming.......................................................................................... 1772
5.9.4 Example for Configuring Inter-AC Layer 3 Roaming.......................................................................................... 1784
5.10 Agile Distributed Networking Configuration Examples........................................................................................ 1797
5.10.1 Example for Configuring an Agile Distributed WLAN...................................................................................... 1797
5.11 High-Density Configuration Examples.................................................................................................................. 1805
5.11.1 Example for Configuring High-Density WLAN Services...................................................................................1805
5.12 Example for Configuring Vehicle-Ground Communication.................................................................................. 1824
5.12.1 Example for Configuring Vehicle-Ground Fast Link Handover......................................................................... 1824
5.13 Radio Resource Management Configuration Examples.........................................................................................1841
5.13.1 Example for Configuring Dynamic Load Balancing...........................................................................................1841
5.13.2 Example for Configuring Static Load Balancing................................................................................................ 1843

5.13.3 Example for Configuring Band Steering............................................................................................................. 1846
5.13.4 Example for Configuring Smart Roaming...........................................................................................................1850
5.14 Spectrum Analysis Configuration Examples..........................................................................................................1853
5.14.1 Example for Configuring Spectrum Analysis..................................................................................................... 1853
5.15 WLAN Security Configuration Examples..............................................................................................................1858
5.15.1 Example for Configuring Rogue Device Detection and Containment................................................................ 1858
5.15.2 Example for Configuring Attack Detection.........................................................................................................1868
5.15.3 Example for Configuring the STA Blacklist and Whitelist................................................................................. 1879
5.16 WLAN QoS Configuration Examples.................................................................................................................... 1889
5.16.1 Example for Configuring WMM and Priority Mapping..................................................................................... 1889
5.16.2 Example for Configuring Traffic Policing...........................................................................................................1893
5.16.3 Example for Configuring Airtime Fair Scheduling............................................................................................. 1896
5.16.4 Example for Configuring ACL-based Packet Filtering....................................................................................... 1898
5.16.5 Example for Configuring Optimization for Voice and Video Services............................................................... 1901
5.16.6 Example for Configuring Priorities for Lync Packets......................................................................................... 1904
5.17 WLAN Enhanced Services Configuration Examples.............................................................................................1907
5.17.1 Example for Configuring WLAN-based E-Schoolbag........................................................................................1907
5.17.2 Example for Configuring WLAN Hotspot2.0 Services.......................................................................................1923
5.17.3 Example for Configuring Service Holding upon WLAN CAPWAP Link Disconnection..................................1936
5.17.4 Example for Configuring Channel Switching Without Service Interruption...................................................... 1946
5.17.5 Example for Configuring an AP to Go Online Using a Static IP Address.......................................................... 1954
5.17.6 Example for Configuring the Soft GRE Service................................................................................................. 1959
5.17.7 Example for Configuring CAC Based on the Number of Multicast Group Memberships................................. 1970
5.18 Typical Configuration for Interconnection Between AC and Cisco ISE Server.................................................... 1980
5.18.1 Example for Configuring 802.1x Authentication (Web)..................................................................................... 1980
5.18.2 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (Web)................ 1995
5.18.3 Example for Configuring User Authorization Based on User Groups (Web)..................................................... 2013
5.19 Typical Configuration for Interconnection Between AC and Aruba ClearPass Server..........................................2030
5.19.1 Example for Configuring 802.1x Authentication (Web)..................................................................................... 2030
5.19.2 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (Web)................ 2045
5.19.3 Example for Configuring User Authorization Based on User Groups (Web)..................................................... 2062

Figures

Figure 1-1 WLAN Networking................................................................................................................................2
Figure 3-1 Reference relationships between WLAN profiles............................................................................... 14
Figure 3-2 WLAN basic service configuration flowchart..................................................................................... 16
Figure 3-3 AP group.............................................................................................................................................. 17
Figure 3-4 AP group and AP................................................................................................................................. 17
Figure 3-5 Management packet forwarding...........................................................................................................36
Figure 3-6 Direct forwarding of service data packets............................................................................................37
Figure 3-7 Forwarding service data packets over a CAPWAP tunnel................................................................... 38
Figure 3-8 Forwarding service data packets over a soft GRE tunnel.................................................................... 39
Figure 3-9 Forwarding service data packets during Layer 2 roaming................................................................... 40
Figure 3-10 Tunnel forwarding of service data packets during Layer 3 roaming................................................. 41
Figure 3-11 Direct forwarding of service data packets during Layer 3 roaming...................................................43
Figure 4-1 Networking diagram for configuring 802.1x authentication............................................................... 48
Figure 4-2 Networking for configuring MAC address-prioritized Portal authentication...................................... 58
Figure 4-3 Networking diagram for configuring a high-density WLAN.............................................................. 69
Figure 4-4 Networking diagram for configuring hand-in-hand WDS services..................................................... 83
Figure 4-5 Networking for configuring vehicle-ground fast link handover.......................................................... 96
Figure 4-6 Networking for configuring an agile distributed WLAN...................................................................113
Figure 4-7 Networking for configuring rogue device detection and containment.............................................. 120
Figure 4-8 Networking diagram for configuring basic Layer 2 WLAN services................................................129
Figure 4-9 Networking diagram for configuring basic Layer 3 WLAN services................................................133
Figure 4-10 Networking diagram for configuring STAs to access the public network through NAT.................138
Figure 4-11 Networking for configuring Layer 2 direct forwarding in inline mode........................................... 143
Figure 4-12 Networking for configuring Layer 2 tunnel forwarding in inline mode.......................................... 151
Figure 4-13 Networking for configuring Layer 2 direct forwarding in bypass mode......................................... 158
Figure 4-14 Networking for configuring Layer 2 tunnel forwarding in bypass mode........................................ 166
Figure 4-15 Networking for configuring Layer 3 tunnel forwarding in bypass mode........................................ 175
Figure 4-16 Networking for configuring Layer 3 direct forwarding in bypass mode......................................... 184
Figure 4-17 Networking for configuring Layer 3 direct forwarding in inline mode........................................... 193
Figure 4-18 Networking for configuring Layer 3 tunnel forwarding in inline mode.......................................... 204
Figure 4-19 Networking for configuring WLAN IPv4/IPv6 dual-stack services................................................213
Figure 4-20 Networking for configuring NAT traversal between the AC and APs............................................ 221
Figure 4-21 Networking for configuring VPN traversal between the AC and APs............................................ 230

Figure 4-22 Networking diagram for configuring hand-in-hand WDS services................................................. 242
Figure 4-23 Networking for configuring back-to-back WDS............................................................................. 255
Figure 4-24 Networking for configuring mesh services...................................................................................... 267
Figure 4-25 Networking for configuring dual-MPP Mesh services.................................................................... 275
Figure 4-26 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces...............................286
Figure 4-27 Networking diagram of the device functioning as the PPPoE client............................................... 289
Figure 4-28 Networking diagram for connecting a LAN to the Internet using an ADSL modem...................... 292
Figure 4-29 Networking for configuring external Portal authentication............................................................. 296
Figure 4-30 Networking for configuring built-in Portal authentication for local users.......................................306
Figure 4-31 Networking for configuring MAC address-prioritized Portal authentication.................................. 316
Figure 4-32 Networking diagram for configuring 802.1x authentication........................................................... 327
Figure 4-33 Networking diagram for configuring MAC address authentication................................................ 338
Figure 4-34 Networking for configuring MAC authentication for local users....................................................348
Figure 4-35 Networking for configuring user authorization based on user groups.............................................356
Figure 4-36 Networking diagram for configuring WeChat authentication using a built-in Portal server........... 366
Figure 4-37 Networking diagram for configuring different authentication modes for multiple SSIDs.............. 374
Figure 4-38 Networking for configuring wireless configuration synchronization in VRRP HSB scenarios (direct forwarding).......... 387
Figure 4-39 Networking diagram for configuring dual-link HSB....................................................................... 404
Figure 4-40 Networking for configuring dual-link cold backup......................................................................... 415
Figure 4-41 Networking for configuring dual-link HSB for ACs....................................................................... 423
Figure 4-42 Configuring VRRP HSB (direct forwarding).................................................................................. 434
Figure 4-43 Networking for configuring N+1 backup.........................................................................................450
Figure 4-44 Networking for configuring N+1 backup.........................................................................................466
Figure 4-45 Networking for configuring inter-VLAN Layer 3 roaming.............................................................484
Figure 4-46 Networking for configuring intra-VLAN roaming.......................................................................... 496
Figure 4-47 Networking for configuring inter-AC Layer 2 roaming.................................................................. 506
Figure 4-48 Networking for configuring inter-AC Layer 3 roaming.................................................................. 517
Figure 4-49 Networking for configuring an agile distributed WLAN.................................................................529
Figure 4-50 Networking diagram for configuring a high-density WLAN.......................................................... 537
Figure 4-51 Networking for configuring vehicle-ground fast link handover...................................................... 551
Figure 4-52 Networking for configuring vehicle-ground fast link handover...................................................... 568
Figure 4-53 Networking for configuring dynamic load balancing...................................................................... 590
Figure 4-54 Networking for configuring static load balancing........................................................................... 594
Figure 4-55 Networking for configuring Band Steering..................................................................................... 597
Figure 4-56 Networking for configuring smart roaming..................................................................................... 600
Figure 4-57 Networking for configuring spectrum analysis................................................................................604
Figure 4-58 Networking for configuring rogue device detection and containment.............................................611
Figure 4-59 Networking for configuring attack detection................................................................................... 620
Figure 4-60 Networking for configuring the STA blacklist and whitelist........................................................... 629
Figure 4-61 Networking for configuring WMM and priority mapping...............................................................639
Figure 4-62 Networking for configuring traffic policing.................................................................................... 645
Figure 4-63 Networking for configuring airtime fair scheduling........................................................................ 648


Figure 4-64 Networking for configuring ACL-based packet filtering
Figure 4-65 Networking for configuring optimization for voice and video services
Figure 4-66 Networking for configuring priorities for Lync packets
Figure 4-67 Networking for configuring the WLAN-based e-schoolbag service
Figure 4-68 Networking for configuring WLAN Hotspot2.0 services
Figure 4-69 Networking for configuring service holding upon WLAN CAPWAP link disconnection
Figure 4-70 Networking for configuring channel switching without service interruption
Figure 4-71 Networking for configuring an AP to go online using a static IP address
Figure 4-72 Networking for configuring the soft GRE service
Figure 4-73 Networking for configuring the WLAN BYOD service
Figure 4-74 Networking for configuring the Bonjour gateway
Figure 4-75 Networking for configuring bandwidth-based multicast CAC
Figure 4-76 Networking for configuring CAC based on the number of multicast group memberships
Figure 4-77 Networking for interconnecting an AC with a network management server
Figure 4-78 Networking for configuring wireless packet obtaining
Figure 4-79 Networking diagram for configuring 802.1x authentication
Figure 4-80 Networking diagram for configuring MAC address authentication
Figure 4-81 Networking for configuring user authorization based on ACL numbers or dynamic VLANs
Figure 4-82 Networking for configuring user authorization based on user groups
Figure 4-83 Networking diagram for configuring external Portal authentication
Figure 4-84 Networking diagram for configuring 802.1x authentication
Figure 4-85 Networking diagram for configuring MAC address authentication
Figure 4-86 Networking for configuring user authorization based on ACL numbers or dynamic VLANs
Figure 4-87 Networking for configuring user authorization based on user groups
Figure 4-88 Networking diagram for configuring external Portal authentication
Figure 4-89 Networking for MAC address-prioritized Portal authentication
Figure 4-90 Networking diagram
Figure 4-91 Networking of Portal authentication for wireless users
Figure 4-92 Configuration flow for Portal authentication service
Figure 4-93 Networking of MAC address authentication
Figure 4-94 Networking diagram
Figure 4-95 Networking diagram
Figure 4-96 Networking of Portal authentication for wireless users in HSB mode
Figure 4-97 Networking of Portal authentication for wireless users in an AC dual-link backup environment
Figure 4-98 Networking of Portal authentication for wireless users in N+1 mode
Figure 4-99 Networking for unified wired and wireless access
Figure 5-1 Networking diagram for configuring 802.1x authentication
Figure 5-2 Networking for configuring MAC address-prioritized Portal authentication
Figure 5-3 Networking diagram for configuring a high-density WLAN
Figure 5-4 Networking diagram for configuring hand-in-hand WDS services
Figure 5-5 Networking for configuring vehicle-ground fast link handover
Figure 5-6 Networking for configuring an agile distributed WLAN


Figure 5-7 Networking for configuring rogue device detection and containment
Figure 5-8 Networking diagram for configuring basic Layer 2 WLAN services
Figure 5-9 Networking diagram for configuring basic Layer 3 WLAN services
Figure 5-10 Networking diagram for configuring STAs to access the public network through NAT
Figure 5-11 Networking diagram of the device functioning as the PPPoE client
Figure 5-12 Networking diagram for connecting a LAN to the Internet using an ADSL modem
Figure 5-13 Networking diagram of the device functioning as the PPPoE client
Figure 5-14 Networking diagram for connecting a LAN to the Internet using an ADSL modem
Figure 5-15 Networking for configuring Layer 2 direct forwarding in inline mode
Figure 5-16 Networking for configuring Layer 2 tunnel forwarding in inline mode
Figure 5-17 Networking for configuring Layer 2 direct forwarding in bypass mode
Figure 5-18 Networking for configuring Layer 2 tunnel forwarding in bypass mode
Figure 5-19 Networking for configuring Layer 3 direct forwarding in inline mode
Figure 5-20 Networking for configuring Layer 3 tunnel forwarding in inline mode
Figure 5-21 Networking for configuring Layer 3 direct forwarding in bypass mode
Figure 5-22 Networking for configuring Layer 3 tunnel forwarding in bypass mode
Figure 5-23 Networking for configuring NAT traversal between the AC and APs
Figure 5-24 Networking for configuring VPN traversal between the AC and APs
Figure 5-25 Networking diagram for configuring hand-in-hand WDS services
Figure 5-26 Networking for configuring back-to-back WDS
Figure 5-27 Networking for configuring mesh services
Figure 5-28 Networking for configuring dual-MPP Mesh services
Figure 5-29 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces
Figure 5-30 Networking for configuring external Portal authentication
Figure 5-31 Networking for configuring built-in Portal authentication for local users
Figure 5-32 Networking for configuring MAC address-prioritized Portal authentication
Figure 5-33 Networking diagram for configuring 802.1x authentication
Figure 5-34 Networking diagram for configuring MAC address authentication
Figure 5-35 Networking for configuring MAC authentication for local users
Figure 5-36 Networking for configuring user authorization based on user groups
Figure 5-37 Networking diagram for configuring WeChat authentication using a built-in Portal server
Figure 5-38 Networking diagram for configuring different authentication modes for multiple SSIDs
Figure 5-39 Networking for configuring wireless configuration synchronization in VRRP HSB scenarios (direct forwarding)
Figure 5-40 Networking diagram for configuring dual-link HSB
Figure 5-41 Networking for configuring dual-link cold backup
Figure 5-42 Networking for configuring dual-link HSB for ACs
Figure 5-43 Configuring VRRP HSB (direct forwarding)
Figure 5-44 Networking for configuring N+1 backup
Figure 5-45 Networking for configuring N+1 backup
Figure 5-46 Networking for configuring inter-VLAN Layer 3 roaming
Figure 5-47 Networking for configuring intra-VLAN roaming
Figure 5-48 Networking for configuring inter-AC Layer 2 roaming


Figure 5-49 Networking for configuring inter-AC Layer 3 roaming
Figure 5-50 Networking for configuring an agile distributed WLAN
Figure 5-51 Networking diagram for configuring a high-density WLAN
Figure 5-52 Networking for configuring vehicle-ground fast link handover
Figure 5-53 Networking for configuring dynamic load balancing
Figure 5-54 Networking for configuring static load balancing
Figure 5-55 Networking for configuring Band Steering
Figure 5-56 Networking for configuring smart roaming
Figure 5-57 Networking for configuring spectrum analysis
Figure 5-58 Networking for configuring rogue device detection and containment
Figure 5-59 Networking for configuring attack detection
Figure 5-60 Networking for configuring the STA blacklist and whitelist
Figure 5-61 Networking for configuring WMM and priority mapping
Figure 5-62 Networking for configuring traffic policing
Figure 5-63 Networking for configuring airtime fair scheduling
Figure 5-64 Networking for configuring ACL-based packet filtering
Figure 5-65 Networking for configuring optimization for voice and video services
Figure 5-66 Networking for configuring priorities for Lync packets
Figure 5-67 Networking for configuring the WLAN-based e-schoolbag service
Figure 5-68 Networking for configuring WLAN Hotspot2.0 services
Figure 5-69 Networking for configuring service holding upon WLAN CAPWAP link disconnection
Figure 5-70 Networking for configuring channel switching without service interruption
Figure 5-71 Networking for configuring an AP to go online using a static IP address
Figure 5-72 Networking for configuring the soft GRE service
Figure 5-73 Networking for configuring CAC based on the number of multicast group memberships
Figure 5-74 Networking diagram for configuring 802.1x authentication
Figure 5-75 Networking for configuring user authorization based on ACL numbers or dynamic VLANs
Figure 5-76 Networking for configuring user authorization based on user groups
Figure 5-77 Networking diagram for configuring 802.1x authentication
Figure 5-78 Networking for configuring user authorization based on ACL numbers or dynamic VLANs
Figure 5-79 Networking for configuring user authorization based on user groups

Figures

Figure 1-1 WLAN Networking
Figure 3-1 Reference relationships between WLAN profiles
Figure 3-2 WLAN basic service configuration flowchart


Figure 3-3 AP group
Figure 3-4 AP group and AP
Figure 3-5 Management packet forwarding
Figure 3-6 Direct forwarding of service data packets
Figure 3-7 Forwarding service data packets over a CAPWAP tunnel
Figure 3-8 Forwarding service data packets over a soft GRE tunnel
Figure 3-9 Forwarding service data packets during Layer 2 roaming
Figure 3-10 Tunnel forwarding of service data packets during Layer 3 roaming
Figure 3-11 Direct forwarding of service data packets during Layer 3 roaming
Figure 4-1 Networking diagram for configuring 802.1x authentication
Figure 4-2 Networking for configuring MAC address-prioritized Portal authentication
Figure 4-3 Networking diagram for configuring a high-density WLAN
Figure 4-4 Networking diagram for configuring hand-in-hand WDS services
Figure 4-5 Networking for configuring vehicle-ground fast link handover
Figure 4-6 Networking for configuring an agile distributed WLAN
Figure 4-7 Networking for configuring rogue device detection and containment
Figure 4-8 Networking diagram for configuring basic Layer 2 WLAN services
Figure 4-9 Networking diagram for configuring basic Layer 3 WLAN services
Figure 4-10 Networking diagram for configuring STAs to access the public network through NAT
Figure 4-11 Networking for configuring Layer 2 direct forwarding in inline mode
Figure 4-12 Networking for configuring Layer 2 tunnel forwarding in inline mode
Figure 4-13 Networking for configuring Layer 2 direct forwarding in bypass mode
Figure 4-14 Networking for configuring Layer 2 tunnel forwarding in bypass mode
Figure 4-15 Networking for configuring Layer 3 tunnel forwarding in bypass mode
Figure 4-16 Networking for configuring Layer 3 direct forwarding in bypass mode
Figure 4-17 Networking for configuring Layer 3 direct forwarding in inline mode
Figure 4-18 Networking for configuring Layer 3 tunnel forwarding in inline mode
Figure 4-19 Networking for configuring WLAN IPv4/IPv6 dual-stack services
Figure 4-20 Networking for configuring NAT traversal between the AC and APs
Figure 4-21 Networking for configuring VPN traversal between the AC and APs
Figure 4-22 Networking diagram for configuring hand-in-hand WDS services
Figure 4-23 Networking for configuring back-to-back WDS
Figure 4-24 Networking for configuring mesh services
Figure 5-2 Networking for configuring MAC address-prioritized Portal authentication.................................. 1316
Figure 5-3 Networking diagram for configuring a high-density WLAN.......................................................... 1326
Figure 5-4 Networking diagram for configuring hand-in-hand WDS services................................................. 1344
Figure 5-5 Networking for configuring vehicle-ground fast link handover...................................................... 1358
Figure 5-6 Networking for configuring an agile distributed WLAN.................................................................1374
Figure 5-7 Networking for configuring rogue device detection and containment............................................ 1383
Figure 5-8 Networking diagram for configuring basic Layer 2 WLAN services..............................................1392
Figure 5-9 Networking diagram for configuring basic Layer 3 WLAN services..............................................1399
Figure 5-10 Networking diagram for configuring STAs to access the public network through NAT...............1406
Figure 5-11 Networking diagram of the device functioning as the PPPoE client............................................. 1414
Figure 5-12 Networking diagram for connecting a LAN to the Internet using an ADSL modem.................... 1416
Figure 5-13 Networking diagram of the device functioning as the PPPoE client............................................. 1420
Figure 5-14 Networking diagram for connecting a LAN to the Internet using an ADSL modem.................... 1423
Figure 5-15 Networking for configuring Layer 2 direct forwarding in inline mode......................................... 1427
Figure 5-16 Networking for configuring Layer 2 tunnel forwarding in inline mode........................................ 1436
Figure 5-17 Networking for configuring Layer 2 direct forwarding in bypass mode....................................... 1444
Figure 5-18 Networking for configuring Layer 2 tunnel forwarding in bypass mode...................................... 1453


Figure 5-19 Networking for configuring Layer 3 direct forwarding in inline mode......................................... 1463
Figure 5-20 Networking for configuring Layer 3 tunnel forwarding in inline mode........................................ 1475
Figure 5-21 Networking for configuring Layer 3 direct forwarding in bypass mode....................................... 1486
Figure 5-22 Networking for configuring Layer 3 tunnel forwarding in bypass mode...................................... 1497
Figure 5-23 Networking for configuring NAT traversal between the AC and APs.......................................... 1507
Figure 5-24 Networking for configuring VPN traversal between the AC and APs.......................................... 1517
Figure 5-25 Networking diagram for configuring hand-in-hand WDS services............................................... 1529
Figure 5-26 Networking for configuring back-to-back WDS........................................................................... 1543
Figure 5-27 Networking for configuring mesh services.................................................................................... 1554
Figure 5-28 Networking for configuring dual-MPP Mesh services.................................................................. 1564
Figure 5-29 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces.............................1575
Figure 5-30 Networking for configuring external Portal authentication........................................................... 1580
Figure 5-31 Networking for configuring built-in Portal authentication for local users.....................................1590
Figure 5-32 Networking for configuring MAC address-prioritized Portal authentication................................ 1600
Figure 5-33 Networking diagram for configuring 802.1x authentication......................................................... 1610
Figure 5-34 Networking diagram for configuring MAC address authentication.............................................. 1621
Figure 5-35 Networking for configuring MAC authentication for local users..................................................1632
Figure 5-36 Networking for configuring user authorization based on user groups...........................................1641
Figure 5-37 Networking diagram for configuring WeChat authentication using a built-in Portal server......... 1653
Figure 5-38 Networking diagram for configuring different authentication modes for multiple SSIDs............ 1661
Figure 5-39 Networking for configuring wireless configuration synchronization in VRRP HSB scenarios (direct forwarding)......... 1674
Figure 5-40 Networking diagram for configuring dual-link HSB..................................................................... 1687
Figure 5-41 Networking for configuring dual-link cold backup....................................................................... 1698
Figure 5-42 Networking for configuring dual-link HSB for ACs..................................................................... 1706
Figure 5-43 Configuring VRRP HSB (direct forwarding)................................................................................ 1715
Figure 5-44 Networking for configuring N+1 backup.......................................................................................1727
Figure 5-45 Networking for configuring N+1 backup.......................................................................................1738
Figure 5-46 Networking for configuring inter-VLAN Layer 3 roaming...........................................................1750
Figure 5-47 Networking for configuring intra-VLAN roaming........................................................................ 1762
Figure 5-48 Networking for configuring inter-AC Layer 2 roaming................................................................ 1773
Figure 5-49 Networking for configuring inter-AC Layer 3 roaming................................................................ 1785
Figure 5-50 Networking for configuring an agile distributed WLAN...............................................................1798
Figure 5-51 Networking diagram for configuring a high-density WLAN........................................................ 1806
Figure 5-52 Networking for configuring vehicle-ground fast link handover.................................................... 1825
Figure 5-53 Networking for configuring dynamic load balancing.................................................................... 1841
Figure 5-54 Networking for configuring static load balancing......................................................................... 1844
Figure 5-55 Networking for configuring Band Steering................................................................................... 1847
Figure 5-56 Networking for configuring smart roaming................................................................................... 1850
Figure 5-57 Networking for configuring spectrum analysis..............................................................................1853
Figure 5-58 Networking for configuring rogue device detection and containment.......................................... 1859
Figure 5-59 Networking for configuring attack detection................................................................................. 1869
Figure 5-60 Networking for configuring the STA blacklist and whitelist......................................................... 1880


Figure 5-61 Networking for configuring WMM and priority mapping.............................................................1889


Figure 5-62 Networking for configuring traffic policing.................................................................................. 1894
Figure 5-63 Networking for configuring airtime fair scheduling...................................................................... 1896
Figure 5-64 Networking for configuring ACL-based packet filtering.............................................................. 1899
Figure 5-65 Networking for configuring optimization for voice and video services........................................ 1902
Figure 5-66 Networking for configuring priorities for Lync packets................................................................ 1904
Figure 5-67 Networking for configuring the WLAN-based e-schoolbag service............................................. 1908
Figure 5-68 Networking for configuring WLAN Hotspot2.0 services..............................................................1923
Figure 5-69 Networking for configuring service holding upon WLAN CAPWAP link disconnection............ 1937
Figure 5-70 Networking for configuring channel switching without service interruption................................1947
Figure 5-71 Networking for configuring an AP to go online using a static IP address.....................................1954
Figure 5-72 Networking for configuring the soft GRE service......................................................................... 1959
Figure 5-73 Networking for configuring CAC based on the number of multicast group memberships........... 1971
Figure 5-74 Networking diagram for configuring 802.1x authentication......................................................... 1982
Figure 5-75 Networking for configuring user authorization based on ACL numbers or dynamic VLANs......1997
Figure 5-76 Networking for configuring user authorization based on user groups...........................................2014
Figure 5-77 Networking diagram for configuring 802.1x authentication......................................................... 2032
Figure 5-78 Networking for configuring user authorization based on ACL numbers or dynamic VLANs......2047
Figure 5-79 Networking for configuring user authorization based on user groups...........................................2064


Tables

Table 1 WLAN product models for carriers outside China..................................................................................... v


Table 2-1 Indoor settled APs....................................................................................................................................5
Table 2-2 Indoor wall plate APs...............................................................................................................................7
Table 2-3 Indoor distributed APs............................................................................................................................. 8
Table 2-4 Outdoor settled APs................................................................................................................................. 9
Table 2-5 Rail transportation APs.......................................................................................................................... 11
Table 3-1 Description of the parameter profiles.................................................................................................... 26
Table 4-1 Data planning on the AC........................................................................................................................49
Table 4-2 AC data planning................................................................................................................................... 59
Table 4-3 Data planning......................................................................................................................................... 69
Table 4-4 Adjustment recommendations............................................................................................................... 71
Table 4-5 AP data planning....................................................................................................................................83
Table 4-6 AC data planning................................................................................................................................... 83
Table 4-7 AP information.......................................................................................................................................97
Table 4-8 Data planning......................................................................................................................................... 97
Table 4-9 AC data planning................................................................................................................................. 113
Table 4-10 AC data planning............................................................................................................................... 121
Table 4-11 AC data planning................................................................................................................................144
Table 4-12 AC data planning............................................................................................................................... 151
Table 4-13 AC data planning............................................................................................................................... 159
Table 4-14 AC data planning............................................................................................................................... 167
Table 4-15 AC data planning............................................................................................................................... 176
Table 4-16 AC data planning............................................................................................................................... 185
Table 4-17 AC data planning............................................................................................................................... 194
Table 4-18 AC data planning............................................................................................................................... 204
Table 4-19 AC data planning............................................................................................................................... 214
Table 4-20 AC data planning............................................................................................................................... 222
Table 4-21 AC data planning............................................................................................................................... 231
Table 4-22 AP data planning................................................................................................................................242
Table 4-23 AC data planning............................................................................................................................... 242
Table 4-24 AP data planning................................................................................................................................255
Table 4-25 AC data planning............................................................................................................................... 256
Table 4-26 AP data planning................................................................................................................................267


Table 4-27 AC data planning............................................................................................................................... 267


Table 4-28 AP data planning................................................................................................................................275
Table 4-29 AC data planning............................................................................................................................... 276
Table 4-30 Chips used by AP radios.................................................................................................................... 277
Table 4-31 AC data planning............................................................................................................................... 286
Table 4-32 AC data planning............................................................................................................................... 296
Table 4-33 AC data planning............................................................................................................................... 306
Table 4-34 AC data planning............................................................................................................................... 316
Table 4-35 Data planning on the AC....................................................................................................................328
Table 4-36 Data planning on the AC....................................................................................................................339
Table 4-37 AC data planning............................................................................................................................... 348
Table 4-38 Data planning on the AC....................................................................................................................357
Table 4-39 AC data planning............................................................................................................................... 375
Table 4-40 AC data planning............................................................................................................................... 387
Table 4-41 AC Data planning.............................................................................................................................. 404
Table 4-42 AC data planning............................................................................................................................... 415
Table 4-43 AC data planning............................................................................................................................... 424
Table 4-44 AC Data Planning.............................................................................................................................. 434
Table 4-45 AC data planning............................................................................................................................... 450
Table 4-46 AC data planning............................................................................................................................... 466
Table 4-47 AC data planning............................................................................................................................... 484
Table 4-48 AC data planning............................................................................................................................... 496
Table 4-49 AC data planning............................................................................................................................... 506
Table 4-50 AC data planning............................................................................................................................... 518
Table 4-51 AC data planning............................................................................................................................... 529
Table 4-52 Data planning..................................................................................................................................... 537
Table 4-53 Adjustment recommendations........................................................................................................... 539
Table 4-54 AP information...................................................................................................................................552
Table 4-55 Data planning..................................................................................................................................... 552
Table 4-56 AP information...................................................................................................................................569
Table 4-57 Data planning..................................................................................................................................... 569
Table 4-58 AC data planning............................................................................................................................... 590
Table 4-59 AC data planning............................................................................................................................... 594
Table 4-60 AC data planning............................................................................................................................... 597
Table 4-61 AC data planning............................................................................................................................... 601
Table 4-62 AC data planning............................................................................................................................... 604
Table 4-63 AC data planning............................................................................................................................... 611
Table 4-64 AC data planning............................................................................................................................... 620
Table 4-65 AC data planning............................................................................................................................... 630
Table 4-66 AC data planning............................................................................................................................... 639
Table 4-67 AC data planning............................................................................................................................... 645
Table 4-68 AC data planning............................................................................................................................... 649


Table 4-69 AC data planning............................................................................................................................... 652


Table 4-70 AC data planning............................................................................................................................... 655
Table 4-71 AC data planning............................................................................................................................... 658
Table 4-72 AC data planning............................................................................................................................... 662
Table 4-73 Data planning on the AC....................................................................................................................673
Table 4-74 AC data planning............................................................................................................................... 685
Table 4-75 AC data planning............................................................................................................................... 692
Table 4-76 AC data planning............................................................................................................................... 699
Table 4-77 AC data planning............................................................................................................................... 703
Table 4-78 AC data planning............................................................................................................................... 713
Table 4-79 AC data planning............................................................................................................................... 723
Table 4-80 AC data planning............................................................................................................................... 733
Table 4-81 AC data planning............................................................................................................................... 742
Table 4-82 AC data planning............................................................................................................................... 750
Table 4-83 AC data planning............................................................................................................................... 759
Table 4-84 Applicable products and versions...................................................................................................... 766
Table 4-85 Data planning on the AC....................................................................................................................769
Table 4-86 Data planning on the Cisco ISE......................................................................................................... 770
Table 4-87 Applicable products and versions...................................................................................................... 781
Table 4-88 Data planning on the AC....................................................................................................................783
Table 4-89 Data planning on the Cisco ISE......................................................................................................... 784
Table 4-90 Applicable products and versions...................................................................................................... 795
Table 4-91 Data planning on the AC....................................................................................................................796
Table 4-92 Data planning on the Cisco ISE......................................................................................................... 798
Table 4-93 Applicable products and versions...................................................................................................... 811
Table 4-94 Data planning on the AC....................................................................................................................813
Table 4-95 Data planning on the Cisco ISE......................................................................................................... 814
Table 4-96 Applicable products and versions...................................................................................................... 826
Table 4-97 Data planning on the AC....................................................................................................................828
Table 4-98 Data planning on the Cisco ISE......................................................................................................... 829
Table 4-99 Applicable products and versions...................................................................................................... 841
Table 4-100 Data planning on the AC..................................................................................................................843
Table 4-101 Data planning on the Aruba ClearPass............................................................................................ 844
Table 4-102 Applicable products and versions.................................................................................................... 854
Table 4-103 Data planning on the AC..................................................................................................................857
Table 4-104 Data planning on the Aruba ClearPass............................................................................................ 858
Table 4-105 Applicable products and versions.................................................................................................... 867
Table 4-106 Data planning on the AC..................................................................................................................869
Table 4-107 Data planning on the Aruba ClearPass............................................................................................ 870
Table 4-108 Applicable products and versions.................................................................................................... 883
Table 4-109 Data planning on the AC..................................................................................................................885
Table 4-110 Data planning on the Aruba ClearPass.............................................................................................886


Table 4-111 Applicable products and versions.....................................................................................................898


Table 4-112 Data planning on the AC..................................................................................................................900
Table 4-113 Data planning on the Aruba ClearPass.............................................................................................901
Table 4-114 Applicable products and versions.................................................................................................... 911
Table 4-115 Data planning on the AC..................................................................................................................914
Table 4-116 Data planning on the Aruba ClearPass.............................................................................................915
Table 4-117 Wireless VLAN plan........................................................................................................................ 928
Table 4-118 Wireless network data plan.............................................................................................................. 928
Table 4-119 802.1X service data plan.................................................................................................................. 930
Table 4-120 Accounting interval..........................................................................................................................933
Table 4-121 Wireless VLAN plan........................................................................................................................942
Table 4-122 Wireless network data plan.............................................................................................................. 942
Table 4-123 Portal service data plan.................................................................................................................... 944
Table 4-124 Accounting interval..........................................................................................................................949
Table 4-125 Wireless VLAN plan........................................................................................................................975
Table 4-126 Wireless network data plan.............................................................................................................. 976
Table 4-127 Service data plan for wireless MAC address authentication........................................................... 977
Table 4-128 Accounting interval..........................................................................................................................980
Table 4-129 Network data planning.....................................................................................................................988
Table 4-130 Service data planning.......................................................................................................................988
Table 4-131 Data plan........................................................................................................................................ 1001
Table 4-132 Data Plan........................................................................................................................................ 1011
Table 4-133 Data plan........................................................................................................................................ 1033
Table 4-134 VLAN plan.....................................................................................................................................1051
Table 4-135 Network data plan.......................................................................................................................... 1051
Table 4-136 Service data plan............................................................................................................................ 1053
Table 4-137 Accounting interval........................................................................................................................1064
Table 4-138 VLAN plan.....................................................................................................................................1073
Table 4-139 Network data plan.......................................................................................................................... 1073
Table 4-140 Service data plan............................................................................................................................ 1076
Table 4-141 Accounting interval........................................................................................................................1086
Table 4-142 VLAN plan.....................................................................................................................................1107
Table 4-143 Network data plan.......................................................................................................................... 1107
Table 4-144 Service data plan............................................................................................................................ 1108
Table 4-145 Accounting interval........................................................................................................................ 1115
Table 4-146 VLAN plan.....................................................................................................................................1133
Table 4-147 Network data plan.......................................................................................................................... 1134
Table 4-148 Service data plan............................................................................................................................ 1136
Table 4-149 Accounting interval........................................................................................................................1144
Table 4-150 Set push rule related parameters.................................................................................................... 1175
Table 4-151 Network data planning................................................................................................................... 1199
Table 4-152 Service data planning.....................................................................................................................1201


Table 4-153 Radio channel data planning..........................................................................................................1204


Table 4-154 Basic service data plan of the core switch..................................................................................... 1218
Table 4-155 Authentication service data plan of the core switch...................................................................... 1219
Table 4-156 Service data plan of the Agile Controller...................................................................................... 1220
Table 4-157 Data plan of the egress solution and USG6600 HRP.................................................................... 1220
Table 4-158 Information about authorization results......................................................................................... 1248
Table 4-159 Basic service data plan of the core switch..................................................................................... 1258
Table 4-160 Basic service data plan of the NGFW module...............................................................................1259
Table 4-161 Basic service data plan of the aggregation switch S12700............................................................ 1259
Table 4-162 Basic service data plan of the aggregation switch S7700.............................................................. 1259
Table 4-163 Basic service data plan of the aggregation switch S12700 or S7700............................................ 1260
Table 4-164 Service data plan of the Agile Controller...................................................................................... 1260
Table 4-165 Data plan of the egress solution and USG6600 HRP.................................................................... 1262
Table 5-1 Data planning on the AC....................................................................................................................1307
Table 5-2 AC data planning............................................................................................................................... 1316
Table 5-3 Data planning..................................................................................................................................... 1326
Table 5-4 Adjustment recommendations........................................................................................................... 1328
Table 5-5 AP data planning................................................................................................................................1344
Table 5-6 AC data planning............................................................................................................................... 1344
Table 5-7 AP information...................................................................................................................................1359
Table 5-8 Data planning..................................................................................................................................... 1359
Table 5-9 AC data planning............................................................................................................................... 1375
Table 5-10 AC data planning............................................................................................................................. 1383
Table 5-11 AC data planning..............................................................................................................................1414
Table 5-12 AC data planning............................................................................................................................. 1416
Table 5-13 AC data planning............................................................................................................................. 1420
Table 5-14 AC data planning............................................................................................................................. 1423
Table 5-15 AC data planning............................................................................................................................. 1427
Table 5-16 AC data planning............................................................................................................................. 1436
Table 5-17 AC data planning............................................................................................................................. 1444
Table 5-18 AC data planning............................................................................................................................. 1453
Table 5-19 AC data planning............................................................................................................................. 1463
Table 5-20 AC data planning............................................................................................................................. 1475
Table 5-21 AC data planning............................................................................................................................. 1486
Table 5-22 AC data planning............................................................................................................................. 1497
Table 5-23 AC data planning............................................................................................................................. 1508
Table 5-24 AC data planning............................................................................................................................. 1517
Table 5-25 AP data planning..............................................................................................................................1529
Table 5-26 AC data planning............................................................................................................................. 1529
Table 5-27 AP data planning..............................................................................................................................1543
Table 5-28 AC data planning............................................................................................................................. 1544
Table 5-29 AP data planning..............................................................................................................................1554


Table 5-30 AC data planning............................................................................................................................. 1554


Table 5-31 Chips used by AP radios.................................................................................................................. 1556
Table 5-32 AP data planning..............................................................................................................................1565
Table 5-33 AC data planning............................................................................................................................. 1565
Table 5-34 Chips used by AP radios.................................................................................................................. 1566
Table 5-35 AC data planning............................................................................................................................. 1576
Table 5-36 AC data planning............................................................................................................................. 1580
Table 5-37 AC data planning............................................................................................................................. 1590
Table 5-38 AC data planning............................................................................................................................. 1600
Table 5-39 Data planning on the AC..................................................................................................................1611
Table 5-40 Data planning on the AC..................................................................................................................1622
Table 5-41 AC data planning............................................................................................................................. 1632
Table 5-42 Data planning on the AC..................................................................................................................1642
Table 5-43 AC data planning............................................................................................................................. 1661
Table 5-44 AC data planning............................................................................................................................. 1674
Table 5-45 AC Data planning............................................................................................................................ 1687
Table 5-46 AC data planning............................................................................................................................. 1699
Table 5-47 AC data planning............................................................................................................................. 1706
Table 5-48 AC Data Planning............................................................................................................................ 1715
Table 5-49 AC data planning............................................................................................................................. 1727
Table 5-50 AC data planning............................................................................................................................. 1738
Table 5-51 AC data planning............................................................................................................................. 1750
Table 5-52 AC data planning............................................................................................................................. 1762
Table 5-53 AC data planning............................................................................................................................. 1773
Table 5-54 AC data planning............................................................................................................................. 1785
Table 5-55 AC data planning............................................................................................................................. 1798
Table 5-56 Data planning................................................................................................................................... 1806
Table 5-57 Adjustment recommendations......................................................................................................... 1808
Table 5-58 AP information.................................................................................................................................1826
Table 5-59 Data planning................................................................................................................................... 1826
Table 5-60 AC data planning............................................................................................................................. 1842
Table 5-61 AC data planning............................................................................................................................. 1844
Table 5-62 AC data planning............................................................................................................................. 1847
Table 5-63 AC data planning............................................................................................................................. 1851
Table 5-64 AC data planning............................................................................................................................. 1854
Table 5-65 AC data planning............................................................................................................................. 1859
Table 5-66 AC data planning............................................................................................................................. 1869
Table 5-67 AC data planning............................................................................................................................. 1880
Table 5-68 AC data planning............................................................................................................................. 1890
Table 5-69 AC data planning............................................................................................................................. 1894
Table 5-70 AC data planning............................................................................................................................. 1896
Table 5-71 AC data planning............................................................................................................................. 1899


Table 5-72 AC data planning............................................................................................................................. 1902


Table 5-73 AC data planning............................................................................................................................. 1905
Table 5-74 AC data planning............................................................................................................................. 1908
Table 5-75 Data planning on the AC..................................................................................................................1924
Table 5-76 AC data planning............................................................................................................................. 1937
Table 5-77 AC data planning............................................................................................................................. 1947
Table 5-78 AC data planning............................................................................................................................. 1954
Table 5-79 AC data planning............................................................................................................................. 1960
Table 5-80 AC data planning............................................................................................................................. 1971
Table 5-81 Applicable products and versions.................................................................................................... 1981
Table 5-82 Data planning on the AC..................................................................................................................1983
Table 5-83 Data planning on the Cisco ISE....................................................................................................... 1984
Table 5-84 Applicable products and versions.................................................................................................... 1996
Table 5-85 Data planning on the AC..................................................................................................................1997
Table 5-86 Data planning on the Cisco ISE....................................................................................................... 1999
Table 5-87 Applicable products and versions.................................................................................................... 2013
Table 5-88 Data planning on the AC..................................................................................................................2015
Table 5-89 Data planning on the Cisco ISE....................................................................................................... 2016
Table 5-90 Applicable products and versions.................................................................................................... 2031
Table 5-91 Data planning on the AC..................................................................................................................2033
Table 5-92 Data planning on the Aruba ClearPass............................................................................................ 2034
Table 5-93 Applicable products and versions.................................................................................................... 2046
Table 5-94 Data planning on the AC..................................................................................................................2047
Table 5-95 Data planning on the Aruba ClearPass............................................................................................ 2049
Table 5-96 Applicable products and versions.................................................................................................... 2063
Table 5-97 Data planning on the AC..................................................................................................................2065
Table 5-98 Data planning on the Aruba ClearPass............................................................................................ 2066

Tables

Table 1 WLAN product models for carriers outside China..................................................................................... v


Table 2-1 Indoor settled APs....................................................................................................................................5
Table 2-2 Indoor wall plate APs...............................................................................................................................7
Table 2-3 Indoor distributed APs............................................................................................................................. 8
Table 2-4 Outdoor settled APs................................................................................................................................. 9
Table 2-5 Rail transportation APs.......................................................................................................................... 11
Table 3-1 Description of the parameter profiles.................................................................................................... 26


Table 4-1 Data planning on the AC........................................................................................................................49


Table 4-2 AC data planning................................................................................................................................... 59
Table 4-3 Data planning......................................................................................................................................... 69
Table 4-4 Adjustment recommendations............................................................................................................... 71
Table 4-5 AP data planning....................................................................................................................................83
Table 4-6 AC data planning................................................................................................................................... 83
Table 4-7 AP information.......................................................................................................................................97
Table 4-8 Data planning......................................................................................................................................... 97
Table 4-9 AC data planning................................................................................................................................. 113
Table 4-10 AC data planning............................................................................................................................... 121
Table 4-11 AC data planning................................................................................................................................144
Table 4-12 AC data planning............................................................................................................................... 151
Table 4-13 AC data planning............................................................................................................................... 159
Table 4-14 AC data planning............................................................................................................................... 167
Table 4-15 AC data planning............................................................................................................................... 176
Table 4-16 AC data planning............................................................................................................................... 185
Table 4-17 AC data planning............................................................................................................................... 194
Table 4-18 AC data planning............................................................................................................................... 204
Table 4-19 AC data planning............................................................................................................................... 214
Table 4-20 AC data planning............................................................................................................................... 222
Table 4-21 AC data planning............................................................................................................................... 231
Table 4-22 AP data planning................................................................................................................................242
Table 4-23 AC data planning............................................................................................................................... 242
Table 4-24 AP data planning................................................................................................................................255
Table 4-25 AC data planning............................................................................................................................... 256
Table 4-26 AP data planning................................................................................................................................267
Table 4-27 AC data planning............................................................................................................................... 267
Table 4-28 AP data planning................................................................................................................................275
Table 4-29 AC data planning............................................................................................................................... 276
Table 4-30 Chips used by AP radios.................................................................................................................... 277
Table 4-31 AC data planning............................................................................................................................... 286
Table 4-32 AC data planning............................................................................................................................... 296
Table 4-33 AC data planning............................................................................................................................... 306
Table 4-34 AC data planning............................................................................................................................... 316
Table 4-35 Data planning on the AC....................................................................................................................328
Table 4-36 Data planning on the AC....................................................................................................................339
Table 4-37 AC data planning............................................................................................................................... 348
Table 4-38 Data planning on the AC....................................................................................................................357
Table 4-39 AC data planning............................................................................................................................... 375
Table 4-40 AC data planning............................................................................................................................... 387
Table 4-41 AC Data planning.............................................................................................................................. 404
Table 4-42 AC data planning............................................................................................................................... 415


Table 4-43 AC data planning............................................................................................................................... 424


Table 4-44 AC Data Planning.............................................................................................................................. 434
Table 4-45 AC data planning............................................................................................................................... 450
Table 4-46 AC data planning............................................................................................................................... 466
Table 4-47 AC data planning............................................................................................................................... 484
Table 4-48 AC data planning............................................................................................................................... 496
Table 4-49 AC data planning............................................................................................................................... 506
Table 4-50 AC data planning............................................................................................................................... 518
Table 4-51 AC data planning............................................................................................................................... 529
Table 4-52 Data planning..................................................................................................................................... 537
Table 4-53 Adjustment recommendations........................................................................................................... 539
Table 4-54 AP information...................................................................................................................................552
Table 4-55 Data planning..................................................................................................................................... 552
Table 4-56 AP information...................................................................................................................................569
Table 4-57 Data planning..................................................................................................................................... 569
Table 4-58 AC data planning............................................................................................................................... 590
Table 4-59 AC data planning............................................................................................................................... 594
Table 4-60 AC data planning............................................................................................................................... 597
Table 4-61 AC data planning............................................................................................................................... 601
Table 4-62 AC data planning............................................................................................................................... 604
Table 4-63 AC data planning............................................................................................................................... 611
Table 4-64 AC data planning............................................................................................................................... 620
Table 4-65 AC data planning............................................................................................................................... 630
Table 4-66 AC data planning............................................................................................................................... 639
Table 4-67 AC data planning............................................................................................................................... 645
Table 4-68 AC data planning............................................................................................................................... 649
Table 4-69 AC data planning............................................................................................................................... 652
Table 4-70 AC data planning............................................................................................................................... 655
Table 4-71 AC data planning............................................................................................................................... 658
Table 4-72 AC data planning............................................................................................................................... 662
Table 4-73 Data planning on the AC....................................................................................................................673
Table 4-74 AC data planning............................................................................................................................... 685
Table 4-75 AC data planning............................................................................................................................... 692
Table 4-76 AC data planning............................................................................................................................... 699
Table 4-77 AC data planning............................................................................................................................... 703
Table 4-78 AC data planning............................................................................................................................... 713
Table 4-79 AC data planning............................................................................................................................... 723
Table 4-80 AC data planning............................................................................................................................... 733
Table 4-81 AC data planning............................................................................................................................... 742
Table 4-82 AC data planning............................................................................................................................... 750
Table 4-83 AC data planning............................................................................................................................... 759
Table 4-84 Applicable products and versions...................................................................................................... 766

Table 4-85 Data planning on the AC....................................................................................................................769


Table 4-86 Data planning on the Cisco ISE......................................................................................................... 770
Table 4-87 Applicable products and versions...................................................................................................... 781
Table 4-88 Data planning on the AC....................................................................................................................783
Table 4-89 Data planning on the Cisco ISE......................................................................................................... 784
Table 4-90 Applicable products and versions...................................................................................................... 795
Table 4-91 Data planning on the AC....................................................................................................................796
Table 4-92 Data planning on the Cisco ISE......................................................................................................... 798
Table 4-93 Applicable products and versions...................................................................................................... 811
Table 4-94 Data planning on the AC....................................................................................................................813
Table 4-95 Data planning on the Cisco ISE......................................................................................................... 814
Table 4-96 Applicable products and versions...................................................................................................... 826
Table 4-97 Data planning on the AC....................................................................................................................828
Table 4-98 Data planning on the Cisco ISE......................................................................................................... 829
Table 4-99 Applicable products and versions...................................................................................................... 841
Table 4-100 Data planning on the AC..................................................................................................................843
Table 4-101 Data planning on the Aruba ClearPass............................................................................................ 844
Table 4-102 Applicable products and versions.................................................................................................... 854
Table 4-103 Data planning on the AC..................................................................................................................857
Table 4-104 Data planning on the Aruba ClearPass............................................................................................ 858
Table 4-105 Applicable products and versions.................................................................................................... 867
Table 4-106 Data planning on the AC..................................................................................................................869
Table 4-107 Data planning on the Aruba ClearPass............................................................................................ 870
Table 4-108 Applicable products and versions.................................................................................................... 883
Table 4-109 Data planning on the AC..................................................................................................................885
Table 4-110 Data planning on the Aruba ClearPass.............................................................................................886
Table 4-111 Applicable products and versions.....................................................................................................898
Table 4-112 Data planning on the AC..................................................................................................................900
Table 4-113 Data planning on the Aruba ClearPass.............................................................................................901
Table 4-114 Applicable products and versions.................................................................................................... 911
Table 4-115 Data planning on the AC..................................................................................................................914
Table 4-116 Data planning on the Aruba ClearPass.............................................................................................915
Table 4-117 Wireless VLAN plan........................................................................................................................ 928
Table 4-118 Wireless network data plan.............................................................................................................. 928
Table 4-119 802.1X service data plan.................................................................................................................. 930
Table 4-120 Accounting interval..........................................................................................................................933
Table 4-121 Wireless VLAN plan........................................................................................................................942
Table 4-122 Wireless network data plan.............................................................................................................. 942
Table 4-123 Portal service data plan.................................................................................................................... 944
Table 4-124 Accounting interval..........................................................................................................................949
Table 4-125 Wireless VLAN plan........................................................................................................................975
Table 4-126 Wireless network data plan.............................................................................................................. 976

Table 4-127 Service data plan for wireless MAC address authentication........................................................... 977
Table 4-128 Accounting interval..........................................................................................................................980
Table 4-129 Network data planning.....................................................................................................................988
Table 4-130 Service data planning.......................................................................................................................988
Table 4-131 Data plan........................................................................................................................................ 1001
Table 4-132 Data Plan........................................................................................................................................ 1011
Table 4-133 Data plan........................................................................................................................................ 1033
Table 4-134 VLAN plan.....................................................................................................................................1051
Table 4-135 Network data plan.......................................................................................................................... 1051
Table 4-136 Service data plan............................................................................................................................ 1053
Table 4-137 Accounting interval........................................................................................................................1064
Table 4-138 VLAN plan.....................................................................................................................................1073
Table 4-139 Network data plan.......................................................................................................................... 1073
Table 4-140 Service data plan............................................................................................................................ 1076
Table 4-141 Accounting interval........................................................................................................................1086
Table 4-142 VLAN plan.....................................................................................................................................1107
Table 4-143 Network data plan.......................................................................................................................... 1107
Table 4-144 Service data plan............................................................................................................................ 1108
Table 4-145 Accounting interval........................................................................................................................ 1115
Table 4-146 VLAN plan.....................................................................................................................................1133
Table 4-147 Network data plan.......................................................................................................................... 1134
Table 4-148 Service data plan............................................................................................................................ 1136
Table 4-149 Accounting interval........................................................................................................................1144
Table 4-150 Set push rule related parameters.................................................................................................... 1175
Table 4-151 Network data planning................................................................................................................... 1199
Table 4-152 Service data planning.....................................................................................................................1201
Table 4-153 Radio channel data planning..........................................................................................................1204
Table 4-154 Basic service data plan of the core switch..................................................................................... 1218
Table 4-155 Authentication service data plan of the core switch...................................................................... 1219
Table 4-156 Service data plan of the Agile Controller...................................................................................... 1220
Table 4-157 Data plan of the egress solution and USG6600 HRP.................................................................... 1220
Table 4-158 Information about authorization results......................................................................................... 1248
Table 4-159 Basic service data plan of the core switch..................................................................................... 1258
Table 4-160 Basic service data plan of the NGFW module...............................................................................1259
Table 4-161 Basic service data plan of the aggregation switch S12700............................................................ 1259
Table 4-162 Basic service data plan of the aggregation switch S7700.............................................................. 1259
Table 4-163 Basic service data plan of the aggregation switch S12700 or S7700............................................ 1260
Table 4-164 Service data plan of the Agile Controller...................................................................................... 1260
Table 4-165 Data plan of the egress solution and USG6600 HRP.................................................................... 1262
Table 5-1 Data planning on the AC....................................................................................................................1307
Table 5-2 AC data planning............................................................................................................................... 1316
Table 5-3 Data planning..................................................................................................................................... 1326

Table 5-4 Adjustment recommendations........................................................................................................... 1328


Table 5-5 AP data planning................................................................................................................................1344
Table 5-6 AC data planning............................................................................................................................... 1344
Table 5-7 AP information...................................................................................................................................1359
Table 5-8 Data planning..................................................................................................................................... 1359
Table 5-9 AC data planning............................................................................................................................... 1375
Table 5-10 AC data planning............................................................................................................................. 1383
Table 5-11 AC data planning..............................................................................................................................1414
Table 5-12 AC data planning............................................................................................................................. 1416
Table 5-13 AC data planning............................................................................................................................. 1420
Table 5-14 AC data planning............................................................................................................................. 1423
Table 5-15 AC data planning............................................................................................................................. 1427
Table 5-16 AC data planning............................................................................................................................. 1436
Table 5-17 AC data planning............................................................................................................................. 1444
Table 5-18 AC data planning............................................................................................................................. 1453
Table 5-19 AC data planning............................................................................................................................. 1463
Table 5-20 AC data planning............................................................................................................................. 1475
Table 5-21 AC data planning............................................................................................................................. 1486
Table 5-22 AC data planning............................................................................................................................. 1497
Table 5-23 AC data planning............................................................................................................................. 1508
Table 5-24 AC data planning............................................................................................................................. 1517
Table 5-25 AP data planning..............................................................................................................................1529
Table 5-26 AC data planning............................................................................................................................. 1529
Table 5-27 AP data planning..............................................................................................................................1543
Table 5-28 AC data planning............................................................................................................................. 1544
Table 5-29 AP data planning..............................................................................................................................1554
Table 5-30 AC data planning............................................................................................................................. 1554
Table 5-31 Chips used by AP radios.................................................................................................................. 1556
Table 5-32 AP data planning..............................................................................................................................1565
Table 5-33 AC data planning............................................................................................................................. 1565
Table 5-34 Chips used by AP radios.................................................................................................................. 1566
Table 5-35 AC data planning............................................................................................................................. 1576
Table 5-36 AC data planning............................................................................................................................. 1580
Table 5-37 AC data planning............................................................................................................................. 1590
Table 5-38 AC data planning............................................................................................................................. 1600
Table 5-39 Data planning on the AC..................................................................................................................1611
Table 5-40 Data planning on the AC..................................................................................................................1622
Table 5-41 AC data planning............................................................................................................................. 1632
Table 5-42 Data planning on the AC..................................................................................................................1642
Table 5-43 AC data planning............................................................................................................................. 1661
Table 5-44 AC data planning............................................................................................................................. 1674
Table 5-45 AC Data planning............................................................................................................................ 1687

Table 5-46 AC data planning............................................................................................................................. 1699


Table 5-47 AC data planning............................................................................................................................. 1706
Table 5-48 AC Data Planning............................................................................................................................ 1715
Table 5-49 AC data planning............................................................................................................................. 1727
Table 5-50 AC data planning............................................................................................................................. 1738
Table 5-51 AC data planning............................................................................................................................. 1750
Table 5-52 AC data planning............................................................................................................................. 1762
Table 5-53 AC data planning............................................................................................................................. 1773
Table 5-54 AC data planning............................................................................................................................. 1785
Table 5-55 AC data planning............................................................................................................................. 1798
Table 5-56 Data planning................................................................................................................................... 1806
Table 5-57 Adjustment recommendations......................................................................................................... 1808
Table 5-58 AP information.................................................................................................................................1826
Table 5-59 Data planning................................................................................................................................... 1826
Table 5-60 AC data planning............................................................................................................................. 1842
Table 5-61 AC data planning............................................................................................................................. 1844
Table 5-62 AC data planning............................................................................................................................. 1847
Table 5-63 AC data planning............................................................................................................................. 1851
Table 5-64 AC data planning............................................................................................................................. 1854
Table 5-65 AC data planning............................................................................................................................. 1859
Table 5-66 AC data planning............................................................................................................................. 1869
Table 5-67 AC data planning............................................................................................................................. 1880
Table 5-68 AC data planning............................................................................................................................. 1890
Table 5-69 AC data planning............................................................................................................................. 1894
Table 5-70 AC data planning............................................................................................................................. 1896
Table 5-71 AC data planning............................................................................................................................. 1899
Table 5-72 AC data planning
Table 5-73 AC data planning
Table 5-74 AC data planning
Table 5-75 Data planning on the AC
Table 5-76 AC data planning
Table 5-77 AC data planning
Table 5-78 AC data planning
Table 5-79 AC data planning
Table 5-80 AC data planning
Table 5-81 Applicable products and versions
Table 5-82 Data planning on the AC
Table 5-83 Data planning on the Cisco ISE
Table 5-84 Applicable products and versions
Table 5-85 Data planning on the AC
Table 5-86 Data planning on the Cisco ISE
Table 5-87 Applicable products and versions


Table 5-88 Data planning on the AC
Table 5-89 Data planning on the Cisco ISE
Table 5-90 Applicable products and versions
Table 5-91 Data planning on the AC
Table 5-92 Data planning on the Aruba ClearPass
Table 5-93 Applicable products and versions
Table 5-94 Data planning on the AC
Table 5-95 Data planning on the Aruba ClearPass
Table 5-96 Applicable products and versions
Table 5-97 Data planning on the AC
Table 5-98 Data planning on the Aruba ClearPass


1 Introduction to WLAN

Introduction to WLAN
Wired transmission media are usually used on a local area network (LAN), but these wired
media bring some problems in specific scenarios. For example, dial-up lines have low
transmission rates, and leased lines are expensive. Twisted pairs and coaxial cables also have
problems of high installation fees, long construction periods and inconvenient deployment.
As wireless network technologies develop rapidly, wireless media can transmit text, voice,
images, and even voice and images at the same time. The transmission distance of a wireless
network can reach tens of kilometers. Wireless networks are now widely used, and
the cost of wireless network construction is acceptable to most enterprises. Therefore,
wireless networks can compete with wired networks in performance, transmission distance,
and cost, and are even better than wired networks in some aspects.

WLAN Deployment
WLAN deployment is affected by technical factors and non-technical factors. Technical
factors include signal interference and wired network quality. Non-technical factors include
local laws and property management policies. Before deploying a WLAN, ensure that:
• The 2.4 GHz and 5 GHz frequency bands are allowed by local laws.
• The property management policy permits WLAN deployment.


WLAN Infrastructure

Figure 1-1 WLAN Networking
[Figure: elements shown are the RADIUS server, MAN, NMS, ACs, CAPWAP tunnels, aggregation switches, access switches, APs, data flows, and management flows. Three networking modes are drawn: chain networking (direct forwarding), chain networking (tunnel forwarding), and branched networking (local forwarding).]

As shown in Figure 1-1, a WLAN consists of access points (APs), PoE switches, access
controllers (ACs), a Remote Authentication Dial In User Service (RADIUS) server, and a
network management system (NMS).
• AP: WLAN access device. Huawei provides a series of fit APs to meet indoor and
outdoor networking requirements.
• PoE switch: upstream device for APs. It provides data switching and power for APs. If
only one AC is required and the AC has PoE ports, the PoE switch is not required.
• AC: manages APs and controls the rights of WLAN users.
• RADIUS server: authenticates WLAN users and assigns rights to them. The RADIUS
server is installed on the SPES server.
• NMS: manages APs and ACs. It monitors the status of ACs and APs in real time, processes
alarms, and analyzes data.


2 Product Overview

About This Chapter

2.1 AC Products Overview


2.2 AP Products Overview

2.1 AC Products Overview


Introduction to ACU2
An ACU2 is a WLAN service card installed on a chassis switch such as an
S7700&S9700&S12700 switch.

WLAN ACU2 provides the following functions:


• Centralized configuration and management of APs
• WLAN user access control (authentication and authorization)
• WLAN service configuration and delivery
• Integrated DHCP server to assign addresses to STAs
• Traffic management, congestion control, forwarding and scheduling of data packets

Introduction to AC6605
Huawei AC6605-26-PWR (AC6605 for short) is an access controller (AC) applicable to MANs
and enterprise networks for wireless access. The AC6605 has a large capacity and high
performance. It is highly reliable, easy to install and maintain, and offers advantages such as
flexible networking and energy conservation.

The AC6605 has the following features:


• Has the access and aggregation functions.
• Provides PoE power (15.4 W) or PoE+ power (30 W) on 24 interfaces, and can directly
connect to APs.
• Has various user policy management and authority control capabilities.
• Supports redundancy backup and hot swapping of AC or DC power supplies, ensuring
long-term operation.
• Can be maintained using the eSight, web system, or command line interface.

Introduction to AC6005
The Huawei AC6005 series (AC6005 for short) are access controllers (ACs) applicable to MANs
and enterprise networks for wireless access. The AC6005 has a large capacity and high
performance. It is highly reliable, easy to install and maintain, and offers advantages such as
flexible networking and energy conservation.

Huawei AC6005 series has two models: AC6005-8 and AC6005-8-PWR.

The AC6005 has the following features:


• AC6005-8-PWR provides PoE power (15.4 W) for 8 interfaces or PoE+ power (30 W)
for 4 interfaces so that APs can directly connect to these interfaces.
• Has various user policy management and authority control capabilities.
• Can be managed using the eSight, web system, or command line interface.

Version

| Device | Version |
| --- | --- |
| ACU2 | V200R007 |
| AC6605 | V200R007 |
| AC6005 | V200R007 |

NOTICE
Before performing WLAN configurations, ensure that the AC and AP versions match. Otherwise, APs
cannot go online. When the AC and AP versions do not match, upgrade the AC or AP. For
details about the upgrade, see the related product upgrade guides.

2.2 AP Products Overview


Huawei offers many WLAN AP products, and you can select AP products according to
project requirements or customer demands. This section describes mainstream AP products.
For details about specifications and features of various AP products, see the documentation of
the specific products.

WLAN APs are classified into three types depending on their usage scenarios:
• Indoor settled APs: applicable to small to medium coverage scenarios, for example,
multimedia classrooms, open office areas, and meeting rooms.

Table 2-1 Indoor settled APs

| Model | IEEE Standards Compliance | Frequency Band Supported | Transmit Power (Combined Power in dBm) | Antenna Type | PoE-In Mode |
| --- | --- | --- | --- | --- | --- |
| AP3030DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in antenna | 802.3af/at |
| AP3010DN-AGN | 802.11a/b/g/n | 2.4G/5G | 2.4G: 20; 5G: 20 | Built-in antenna | 802.3af/at |
| AP4030DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in antenna | 802.3af/at |
| AP4030TN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in omnidirectional antenna | 802.3at |
| AP4050DN-E | 802.11a/b/g/n/ac/ac wave2 | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in omnidirectional dual-band antenna | 802.3at |
| AP4050DN | 802.11a/b/g/n/ac/ac wave2 | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in omnidirectional dual-band antenna | 802.3af/at |
| AP4050DN-S | 802.11a/b/g/n/ac/ac wave2 | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in omnidirectional dual-band antenna | 802.3af/at |
| AP4051DN | 802.11a/b/g/n/ac/ac wave2 | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in omnidirectional dual-band antenna | 802.3af/at |
| AP4050DN-HD | 802.11a/b/g/n/ac/ac wave2 | 2.4G/5G | 2.4G: 22; 5G: 22 | Built-in dual-band directional antenna | 802.3af/at |
| AP4130DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 23; 5G: 23 | External dual-band combined antenna | 802.3af/at |
| AP4151DN | 802.11a/b/g/n/ac/ac wave2 | 2.4G/5G | 2.4G: 23; 5G: 23 | External dual-band combined antenna | 802.3af/at |
| AP5010DN-AGN | 802.11a/b/g/n | 2.4G/5G | 2.4G: 20; 5G: 20 | Built-in antenna | 802.3af/at |
| AP5010SN-GN | 802.11b/g/n | 2.4G | 20 | Built-in antenna | 802.3af/at |
| AP5030DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 25; 5G: 25 | Built-in antenna | 802.3af/at |
| AP5130DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 25; 5G: 25 | External dual-band combined antenna | 802.3af/at |
| AP6010DN-AGN | 802.11a/b/g/n | 2.4G/5G | 2.4G: 23; 5G: 23 | Built-in antenna | 802.3af/at |
| AP6010SN-GN | 802.11b/g/n | 2.4G | 23 | Built-in antenna | 802.3af/at |
| AP6050DN | 802.11a/b/g/n/ac/ac wave2 | 2.4G/5G | 2.4G: 26; 5G: 25 | Built-in omnidirectional dual-band antenna | 802.3at |
| AP6150DN | 802.11a/b/g/n/ac/ac wave2 | 2.4G/5G | 2.4G: 26; 5G: 25 | External omnidirectional dual-band antenna | 802.3at |
| AP7030DE | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 25; 5G: 21 | Built-in antenna | 802.3at |
| AP7050DE | 802.11a/b/g/n/ac/ac wave2 | 2.4G/5G | 2.4G: 26; 5G: 27 | Built-in dual-band smart antenna | 802.3at |
| AP7050DN-E | 802.11a/b/g/n/ac/ac wave2 | 2.4G/5G | 2.4G: 23; 5G: 27 | Built-in dual-band omnidirectional antenna | UPoE |
| AP7110DN-AGN | 802.11a/b/g/n | 2.4G/5G | 2.4G: 25; 5G: 25 | Removable RP-SMA antenna | 802.3at |
| AP7110SN-GN | 802.11b/g/n | 2.4G | 25 | Removable RP-SMA antenna | 802.3af/at |

• Indoor wall plate APs: applicable to hotels, apartments, and offices.

Table 2-2 Indoor wall plate APs

| Model | IEEE Standards Compliance | Frequency Band Supported | Transmit Power (Combined Power in dBm) | Antenna Type | PoE-In Mode |
| --- | --- | --- | --- | --- | --- |
| AP2010DN | 802.11a/b/g/n | 2.4G/5G (working only on one frequency band at one time) | 2.4G: 19; 5G: 17 | Built-in antenna | 802.3af/at |
| AP2030DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 21; 5G: 20 | Built-in antenna | 802.3af/at |
| AP2050DN | 802.11a/b/g/n/ac/ac wave2 | 2.4G/5G | 2.4G: 21; 5G: 20 | Built-in antenna | 802.3af/at |
| AP2050DN-E | 802.11a/b/g/n/ac/ac wave2 | 2.4G/5G | 2.4G: 21; 5G: 20 | Built-in antenna | 802.3af/at |

• Indoor distributed APs: applicable to medium-scale coverage scenarios that are subject
to coverage holes or important public places, such as hotels, airports, and conference
halls. Indoor distributed APs are not applicable to networks that require high capacities.

Table 2-3 Indoor distributed APs

| Model | IEEE Standards Compliance | Frequency Band Supported | Transmit Power (Combined Power in dBm) | Antenna Type | PoE-In Mode |
| --- | --- | --- | --- | --- | --- |
| AP6310SN-GN | 802.11b/g/n | 2.4G | 27 dBm | External antennas (depending on the antenna type used by the indoor antenna system) | 802.3af/at |
| AP9330DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 25; 5G: 21 | External antennas. The AP has a total of twelve antenna ports which use RP-SMA-K connectors (outside thread, central pin), applicable to indoor distribution scenarios. | 802.3at |
| AD9430DN (used together with the R230D) | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 20; 5G: 18 | Built-in antenna | 802.3af |
| AD9430DN (used together with the R240D) | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 21; 5G: 20 | Built-in antenna | 802.3af/at |
| AD9430DN (used together with the R250D) | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 21; 5G: 20 | Built-in antenna | 802.3af/at |
| AD9430DN (used together with the R250D-E) | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 21; 5G: 20 | Built-in antenna | 802.3af/at |

• Outdoor settled APs: applicable to open outdoor areas with high user densities, such as
squares, residential communities, schools, dormitories, and enterprise campus, or
outdoor places that have high demands for wireless access, such as pedestrian malls.

Table 2-4 Outdoor settled APs

| Model | IEEE Standards Compliance | Frequency Band Supported | Transmit Power (Combined Power in dBm) | Antenna Type | PoE-In Mode |
| --- | --- | --- | --- | --- | --- |
| AP6510DN-AGN | 802.11a/b/g/n | 2.4G/5G | 2.4G: 26; 5G: 20 | Dipole antennas or common outdoor antennas | 802.3at |
| AP6610DN-AGN | 802.11a/b/g/n | 2.4G/5G | 2.4G: 27; 5G: 24 | Dipole antennas or common outdoor antennas | — |
| AP8030DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 28; 5G: 26 | Built-in directional antenna (horizontal lobe: 60°; vertical lobe: 30°) | 802.3at |
| AP8050DN | 802.11a/b/g/n/ac/ac wave2 | 2.4G/5G | 2.4G: 27; 5G: 26 | Built-in directional antenna (horizontal lobe: 60°; vertical lobe: 30°) | 802.3at |
| AP8050DN-S | 802.11a/b/g/n/ac/ac wave2 | 2.4G/5G | 2.4G: 27; 5G: 26 | Built-in directional antenna (horizontal lobe: 60°; vertical lobe: 30°) | 802.3at |
| AP8130DN | 802.11a/b/g/n/ac | 2.4G/5G. The AP supports 2.4G-to-5G switchover and works on dual 5 GHz frequency bands. | 2.4G: 28; 5G: 26 | Outdoor external antenna | 802.3at |
| AP8130DN-W | 802.11a/b/g/n/ac | 2.4G/5G. The 4.9 GHz frequency band is contained in 5 GHz radios. | 2.4G: 28; 5G: 26 | Outdoor external antenna | 802.3at |
| AP8150DN | 802.11a/b/g/n/ac/ac wave2 | 2.4G/5G. The AP supports 2.4G-to-5G switchover and works on dual 5 GHz frequency bands. | 2.4G: 26; 5G: 24 | Outdoor external antenna | 802.3at |
| AT815SN | 802.11a/n | 5G | 5G: 26 | Built-in directional antenna (horizontal lobe: 45°; vertical lobe: 15°) | 802.3af/at |

• Rail transportation APs: applicable to train-ground backhaul and compartment coverage
scenarios.

Table 2-5 Rail transportation APs

| Model | IEEE Standards Compliance | Frequency Band Supported | Transmit Power (Combined Power in dBm) | Antenna Type | PoE-In Mode |
| --- | --- | --- | --- | --- | --- |
| AP9131DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 25; 5G: 25 | External dual-band combined antenna (QMA x 3) | 802.3at |
| AP9132DN | 802.11a/b/g/n/ac | 2.4G/5G | 2.4G: 26; 5G: 25 | External antennas. Split mode: 2.4G antenna (QMA x 3), 5G antenna (QMA x 3). Combined mode: dual-band combined antenna (QMA x 3). | 802.3at |

NOTE

The actual transmit power depends on local laws and regulations.


You can adjust the transmit power from the maximum transmit power to 1 dBm, with an increment of 1 dB.

Product Versions

NOTICE
Before performing WLAN configurations, ensure that the versions of the AC and APs match;
otherwise, the APs may fail to go online. If the versions of the AC and APs do not match,
upgrade the AC or APs. For the detailed upgrade procedure, see the upgrade guide of the
related products.


3 WLAN Configuration

About This Chapter

3.1 WLAN Service Configuration Procedure


3.2 Data Packet Processing

3.1 WLAN Service Configuration Procedure


3.1.1 Reference Relationships Between WLAN Profiles
Various profiles are designed based on different functions and features of WLAN networks to
help users configure and maintain functions of WLAN networks. These profiles are called
WLAN profiles. Figure 3-1 shows the referencing relationships between WLAN profiles. By
getting to know the referencing relationships, users can easily grasp the configuration
roadmap of WLAN profiles and complete their configurations.
As shown in Figure 3-1, the following profiles can be bound to the AP group and AP:
regulatory domain profile, radio profile, VAP profile, AP system profile, WIDS profile,
Location profile, AP wired port profile, WDS profile, and Mesh profile. Some of the listed
profiles can further reference other profiles, for example, the radio profile can reference an air
scan profile and an RRM profile.


Figure 3-1 Reference relationships between WLAN profiles
[Figure: hierarchy diagram of the profiles referenced by an AP or AP group. Profiles shown, with * as marked in the figure: Regulatory domain profile*, Radio profile*, Air scan profile*, RRM profile*, VAP profile*, SSID profile*, Security profile*, Traffic profile*, Authentication profile*, 802.1x access profile*, Portal access profile*, MAC access profile*, Authentication-free rule profile*, User profile, UCC profile, Attack defense profile, URL-filter profile, Antivirus profile, Intrusion prevention profile, Soft-GRE profile, STA blacklist profile, STA whitelist profile, SAC profile, Hotspot2.0 profile, Cellular network profile, Roaming consortium profile, NAI realm profile, Connection capability profile, Operator domain profile, Operator name profile, Venue name profile, Operating class profile, AP system profile*, AP wired port profile*, AP wired port link profile*, WIDS profile*, WIDS spoof SSID profile, WIDS whitelist profile, Location profile, BLE profile, WDS profile*, WDS whitelist profile, Mesh profile*, Mesh handover profile*, Mesh whitelist profile.]


NOTE

• The profiles marked with * can be configured as default profiles.
• AP provisioning profiles cannot be referenced by other profiles and are only used to deliver
configurations to specified APs or AP groups. Therefore, this figure does not show AP provisioning
profiles.
• An AP radio can directly reference some profiles, including the radio profile, VAP profile, WDS profile,
WDS whitelist profile, Mesh profile, and Mesh whitelist profile.
• The IoT profile and serial profile are directly referenced in the IoT card interface view and are not
displayed.

WLAN profiles are designed to facilitate configuration and maintenance of WLAN functions.
When configuring WLAN service functions, users need to configure parameters in matching
WLAN profiles. After completing the configurations, they need to bind the profiles to upper-
level profiles, AP groups, or APs, and the configurations will be automatically delivered to
APs. After that, the configured functions automatically take effect on the APs.

NOTE

• If a WLAN profile is bound to an upper-level profile, this upper-level profile should be bound to an AP
group or AP.
• Configurations in an AP provisioning profile take effect only after they are manually delivered to APs.
Configurations in other WLAN profiles are automatically delivered to APs.

For example, to configure air interface scan parameters, you can configure the parameters in
an air scan profile and bind the air scan profile to a radio profile, which is then bound to an
AP group or AP, as shown in Figure 3-1. The configurations of air interface scan parameters
are automatically delivered to APs and take effect. If referencing relationships between
profiles are set in advance, parameter configurations in the air scan profile are automatically
delivered to APs.

3.1.2 WLAN Basic Service Configuration Procedure


You can follow the procedure in Figure 3-2 to configure WLAN basic services.
The WLAN basic service configuration procedure includes the following steps:
1. Create an AP group.
2. Configure network interconnection.
3. Configure system parameters for the AC.
4. Configure the AC to deliver WLAN services to Fit APs.


Figure 3-2 WLAN basic service configuration flowchart
[Flowchart: Create an AP group → Configure network interconnection (configure the DHCP server; configure device connectivity) → Configure system parameters for the AC (configure a country code in a regulatory domain profile; configure the AC's source interface; set the AP authentication mode and configure APs to go online) → Configure the AC to deliver WLAN services to Fit APs (configure basic radio parameters on radios; create an SSID profile, a security profile, and a radio profile; bind; create a VAP profile; bind; AP or AP group). The chart also carries the box label "Configure the AC to manage Fit APs".]

3.1.3 AP Group and AP


There are a large number of APs on a WLAN. Usually, you need to perform the same
configurations on many APs. To simplify the AP configurations, you can add these APs to an
AP group and perform configurations uniformly in the AP group.
However, APs may have different configurations. These configurations cannot be uniformly
performed but can be directly performed on each AP.
Each AP must join one and only one AP group when going online. If an AP obtains both AP
group configurations and AP-specific configurations from an AC, the AP-specific configurations are
preferentially used.
• If no configuration is available on the AP, the AP uses the configurations in the AP
group.
• If configurations are available on the AP, the AP uses those configurations preferentially.
However, if the configurations are incomplete, the AP obtains the configurations that do
not exist on itself from the AP group.
• Performance of APs in an AP group may vary according to the model. If the unified
configuration delivered to the AP group is not supported by an AP in the group, the
configuration does not take effect for this AP.


As shown in Figure 3-3, the AP with ID 1 does not find any configurations on itself;
therefore, the AP uses all WLAN configurations in the AP group a to which it belongs.

Figure 3-3 AP group
[Figure: AP group a contains regulatory domain profile a (country code CN), VAP profile a, SSID profile a, AP system profile a, and other profiles. AP 1 belongs to AP group a. AP 1 does not find any configurations on itself, so it uses all configurations in the AP group.]

As shown in Figure 3-4, the AP with ID 101 finds configurations on itself so the AP
preferentially uses the configurations. Since there is only regulatory domain profile
configuration on the AP, the AP acquires other configurations in AP group a to which it
belongs, for example, VAP profile, AP system profile, and other profiles shown in the
following figure.

Figure 3-4 AP group and AP
[Figure: AP group a contains regulatory domain profile a (country code CN), VAP profile a, SSID profile a, AP system profile a, and other profiles. AP 101 belongs to AP group a and has its own regulatory domain profile b (country code US). (1) The AP finds the regulatory domain profile configuration on itself and preferentially uses that configuration. (2) The configurations on the AP are incomplete, so the AP acquires the other configurations in the AP group.]
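
The precedence rules of section 3.1.3 and the reference rule of section 3.1.1 (a profile takes effect only when an AP group or AP reaches it through bindings) can be checked mechanically. The following Python sketch is an added example, not part of the Huawei document; the profile type labels, profile names other than a and b, AP 102, and the `unsupported` field are constructed assumptions.

```python
# Added example: which WLAN profiles actually take effect on each AP.
# AP 1, AP 101 and AP group "a" mirror Figures 3-3 and 3-4; every other
# name (sec1, r1, rrm1, scan1, scan2, w1, AP 102) is constructed sample data.

# Profiles are (type, name) pairs. The type labels are hypothetical, not CLI keywords.
DEFINED_PROFILES = {
    ("regulatory_domain", "a"), ("regulatory_domain", "b"),
    ("vap", "a"), ("ssid", "a"), ("security", "sec1"),
    ("ap_system", "a"), ("radio", "r1"), ("rrm", "rrm1"),
    ("air_scan", "scan1"), ("air_scan", "scan2"), ("wids", "w1"),
}

# A profile may reference lower-level profiles (for example radio -> air scan, RRM).
REFERENCES = {
    ("vap", "a"): [("ssid", "a"), ("security", "sec1")],
    ("radio", "r1"): [("air_scan", "scan1"), ("rrm", "rrm1")],
}

# Profiles bound to the AP group.
AP_GROUPS = {
    "a": {"regulatory_domain": "a", "vap": "a", "ap_system": "a", "radio": "r1"},
}

# Per-AP bindings. "unsupported" lists binding types the AP model cannot apply.
APS = {
    1: {"group": "a", "bindings": {}, "unsupported": set()},
    101: {"group": "a", "bindings": {"regulatory_domain": "b"}, "unsupported": set()},
    102: {"group": "a", "bindings": {}, "unsupported": {"radio"}},
}


def effective_bindings(ap_id):
    """Return {profile_type: (profile_name, source)} for one AP.

    AP-specific bindings win; anything missing on the AP is taken from its
    AP group; a group binding the AP does not support does not take effect.
    """
    ap = APS[ap_id]
    result = {}
    for ptype, name in AP_GROUPS[ap["group"]].items():
        if ptype not in ap["unsupported"]:
            result[ptype] = (name, "group")
    for ptype, name in ap["bindings"].items():
        result[ptype] = (name, "ap")
    return result


def effective_profiles(ap_id):
    """All profiles in effect on the AP: its bound profiles plus every
    profile they reference, directly or through another profile."""
    stack = [(ptype, name) for ptype, (name, _src) in effective_bindings(ap_id).items()]
    seen = set()
    while stack:
        profile = stack.pop()
        if profile in seen:
            continue
        seen.add(profile)
        stack.extend(REFERENCES.get(profile, []))
    return seen


def inactive_profiles():
    """Profiles that are defined but reachable from no AP, so their
    settings are never delivered to any AP."""
    active = set()
    for ap_id in APS:
        active |= effective_profiles(ap_id)
    return DEFINED_PROFILES - active


if __name__ == "__main__":
    for ap_id in sorted(APS):
        print(f"AP {ap_id}:")
        for ptype, (name, source) in sorted(effective_bindings(ap_id).items()):
            print(f"  {ptype:18} {name:6} (from {source})")
    print("Defined but not in effect anywhere:", sorted(inactive_profiles()))
```

In this sample the WIDS profile w1 and the air scan profile scan2 are reported as inactive: both exist, but no AP group, AP, or bound profile references them, so the settings they hold never reach an AP.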


3.1.4 Regulatory Domain Profile

A regulatory domain profile provides configurations of country code, calibration channel, and
calibration bandwidth for an AP.
• A country code identifies the country to which AP radios belong. Different countries
support different AP radio attributes, including the transmit power and supported
channels. Correct country code configuration ensures that radio attributes of APs comply
with laws and regulations of countries and regions to which the APs are delivered. For
details, see Configuring Country Codes in the Configuration-WLAN Service
Configuration Guide.
• A calibration channel set limits the dynamic AP channel adjustment range when the
radio calibration function is configured. Radar channels and the channels that are not
supported by STAs are avoided. For details, see Radio Resource Management
Configuration Guide in the Configuration.
• The 5 GHz frequency band has richer spectrum resources. In addition to 20 MHz
channels, APs working on the 5 GHz frequency band support 40 MHz and 80 MHz
channels. Different calibration bandwidths support different calibration channels. Larger-
bandwidth channels mean higher transmission rates. However, at least three channels are
required in radio calibration to achieve the optimal calibration effect. When configuring
the calibration bandwidth, ensure that enough calibration channels are available for use.
For details, see Radio Resource Management Configuration Guide in the Configuration.

3.1.5 Radio Profile

Radio profiles are used to optimize radio parameters, and control the in-service channel
switching function. For details, see Configuring a Radio in the Configuration-WLAN Service
Configuration Guide.

Radio profiles are divided into 2G and 5G radio profiles. 2G and 5G radio profiles apply to
2.4 GHz and 5 GHz radios respectively. The differences between configurations of 2G and 5G
radio profiles are as follows:
• 2G radio profiles allow you to configure the 802.11bg basic rate set and supported rate
set.
• 5G radio profiles allow you to configure the 802.11a basic rate set and supported rate set,
and perform 802.11ac-related configurations.

Radio profiles can reference air scan profiles and RRM profiles.
• Air scan profiles are designed for radio calibration, spectrum analysis, location, and
WIDS data analysis. APs periodically scan radio signals in their surrounding
environment and report the collected information to ACs or servers.
• RRM profiles are designed to maintain optimal radio resource utilization. They enable
APs to check the surrounding radio environment, dynamically adjust working channels
and transmit power, and evenly distribute access users. This function helps adjust radio
coverage, reduce radio signal interference, and enable a wireless network to quickly
adapt to changes in the radio environment. With the radio resource management
function, the wireless network can provide high service quality for wireless users. For
details, see Radio Resource Management Configuration Guide in the Configuration.

3.1.6 Air Scan Profile


The air scan profile is used for radio calibration, spectrum analysis, WLAN device location,
and Wireless Intrusion Detection System (WIDS) data analysis. An AP periodically scans
surrounding radio signals and reports the collected information to an AC or server.
• Radio calibration
An authorized AP scans surrounding radio signals, collects information about
surrounding authorized APs, rogue APs, and non-Wi-Fi devices, and reports the
information to an AC.
For the detailed configuration, see Configuring Radio Calibration in the Configuration-
Radio Resource Management Configuration Guide.
• Spectrum analysis
An AP detects different types of interference sources on wireless networks, and
displays the information to users. Users can then use the information to locate these
interference sources. This function improves user experience.
For the detailed configuration, see Configuring Spectrum Analysis in the Configuration-
Spectrum Analysis Configuration Guide.
• WLAN device location
An AP collects radio signals, and reports the location information to the positioning
server. Alternatively, the AP can send the location information to the AC, which filters
the information and sends the filtered information to the positioning server. An AP can
collect radio signals in either of the two modes:
– The AP collects Received Signal Strength Indicator (RSSI) information of WLAN
terminals and rogue APs and reports the information to the positioning server. The
information is then used to locate WLAN terminals or rogue APs.
– An AP scans spectrums and reports fast Fourier transform (FFT) results of radio
signals to an AC. The information is then used to identify and locate non-Wi-Fi
interference sources.
For the detailed configuration, see Configuring WLAN Tag Location in the
Configuration.
• WIDS data analysis
A monitor AP scans channels to monitor neighboring wireless devices, collects
information about them by listening to the WLAN packets they send, and periodically
reports the collected information to an AC. The AC then uses the information to
identify rogue devices.
For the detailed configuration, see Configuring Rogue Device Detection in the
Configuration-WLAN Security Configuration Guide.
The air scan profile takes effect only after it is referenced by the radio profile.

3.1.7 RRM Profile


WLAN technology uses radio signals (such as 2.4 GHz or 5 GHz radio waves) as
transmission medium. Radio waves will attenuate when they are transmitted over air,
degrading service quality for wireless users. Radio resource management enables a WLAN to
adapt to changes in the radio environment by dynamically adjusting radio resources. This
improves service quality for wireless users.
Radio resource management (RRM) enables APs to check the surrounding radio environment,
dynamically adjust channels and transmit power, and evenly distribute access users. This
function helps reduce radio signal interference, adjust radio coverage, and enable a wireless
network to quickly adapt to changes in the radio environment. With the RRM profile, the
wireless network can provide high service quality for wireless users and maintain an optimal
radio resource utilization. For the detailed configuration, see Radio Resource Management
Configuration Guide in the Configuration.
The RRM profile takes effect only after it is referenced by the radio profile.

3.1.8 VAP Profile


After parameters in a VAP profile are configured, and the VAP profile is bound to an AP
group or AP, virtual access points (VAPs) are created on APs. VAPs provide wireless access
services for STAs. You can configure parameters in the VAP profile to enable APs to provide
different wireless services.
A VAP profile can reference the following profiles:
l SSID profile: used to configure SSIDs of WLANs. In the profile, you can also disable
access of non-HT STAs and configure the association aging time of STAs and delivery
traffic indication message (DTIM) interval. For details, see Configuring an SSID Profile
in the Configuration-WLAN Service Configuration Guide.
l Security profile: used to configure security policies of WLANs, including policies for
authentication and encryption of STAs. Security policies include open system
authentication, WEP, WPA/WPA2-PSK, WPA/WPA2-802.1X, WAPI-PSK, and WAPI-
certificate. For details, see Configuring a WLAN Security Policy in the Configuration-
WLAN Security Configuration Guide.
l Traffic profile: used to configure priority mapping and traffic policing functions of
WLANs. After the WMM function is enabled on the STA and AP, the priority mapping
function allows you to configure methods for mapping upstream priorities of packets,
upstream tunnel priorities, and downstream priorities. The traffic policing function limits
packet sending rates of wireless STAs. For details, see Configuring Priority Mapping and
Configuring Traffic Policing in the Configuration-QoS Configuration Guide.
l Attack defense profile: used to configure various security functions such as URL
filtering, antivirus, and intrusion prevention. For details, see Configuring URL Filtering
Profile, Configuring Intrusion Prevention, and Configuring Antivirus in the
Configuration-WLAN Security Configuration Guide.
l User profile: used to reference a QoS CAR profile. You can bind the user profile that has
QoS CAR profile referenced to a VAP profile to limit the rate of a STA using the VAP
profile. For details, see Configuring Traffic Policing in the Configuration-QoS
Configuration Guide.
l Authentication profile: used to manage network admission control (NAC)
configurations. You can bind access profiles (including the 802.1x access profile, MAC
access profile, and Portal access profile) to authentication profiles to determine
configurations of the access protocols. After the authentication profile configuration is
complete, bind it to an interface or VAP profile to authenticate and control access users.
For details, see Configuring NAC in the Configuration-WLAN Security Configuration
Guide.
l Hotspot2.0 profile: used to configure parameters of Hotspot2.0 networks, such as
location, operator, and roaming consortium information, so that STAs can identify
networks and access proper networks. For details, see Hotspot2.0 Configuration Guide in
the Configuration.
l SAC profile: used to identify and classify application protocols. The SAC feature can use
the service awareness technology to detect and identify packets and protocols so that the
system can classify applications intelligently and identify key services to provide
sufficient bandwidths for them and limit traffic rates of non-critical services, thereby
providing refined QoS policy control. For details, see Configuring SAC in the
Configuration-QoS Configuration Guide.
l UCC profile: used to configure priorities for Microsoft Lync voice, video, desktop
sharing, and file transfer packets. For details, see Configuring Lync in the Configuration-
QoS Configuration Guide.

3.1.9 SSID Profile


SSIDs identify different wireless networks. When you search for available wireless networks
on your laptop, the displayed wireless network names are SSIDs.

An SSID profile is used to configure the SSID name and other access parameters of a WLAN.
The following configurations are performed in an SSID profile:
l SSID hiding: When creating a WLAN, configure an AP to hide the SSID of the WLAN
to ensure security. Only the users who know the SSID can connect to the WLAN.
l Maximum number of STAs: More access users on a VAP indicate fewer network
resources that each user can occupy. To ensure Internet experience of users, you can
configure a proper maximum number of access users on a VAP according to actual
network situations.
l SSID hiding when the number of STAs reaches the maximum: When this function is
enabled and the number of access users on a WLAN reaches the maximum, the SSID of
the WLAN is hidden and new users cannot search for the SSID.
l Denying access of non-HT STAs: When this function is enabled, non-HT STAs that support
only the 802.11a, 802.11b, and 802.11g protocols cannot access the wireless network. These
terminals provide a far lower rate than 802.11n and 802.11ac terminals. If non-HT STAs
access the wireless network, data transmission rates of the 802.11n and 802.11ac terminals
are decreased. To ensure data transmission rates of the 802.11n and 802.11ac terminals,
access of non-HT STAs is denied.
l STA association timeout period: If an AP receives no data packet from an STA in a
continuous period of time, the STA goes offline after the association timeout period
expires.
l DTIM interval: The DTIM interval specifies how many Beacon frames are sent by an AP
before the Beacon frame that contains the DTIM. The Beacon frame carrying DTIM
wakes an STA in power-saving mode, and transmits the broadcast and multicast frames
saved on the AP to the STA.
For details about how to configure an SSID profile, see Configuring an SSID Profile in the
Configuration-WLAN Service Configuration Guide.

3.1.10 Authentication Profile

NAC implements access control on users. To facilitate NAC function configuration, the
device uses authentication profiles to uniformly manage NAC configuration. You can
configure parameters in an authentication profile to provide different access control modes for
users. For example, you can configure the access profile bound to the authentication profile to
determine the authentication mode for the authentication profile. The device then uses the
authentication mode to authenticate users on the VAP profile to which the authentication
profile is applied.
For the configuration, see Configuring an Authentication Profile in the Configuration-
Security Configuration Guide.

3.1.11 Security Profile


You can configure WLAN security policies to authenticate identities of wireless terminals and
encrypt user packets, protecting the security of the WLAN and users. The supported WLAN
security policies include open system authentication, WEP, WPA/WPA2-PSK, WPA/
WPA2-802.1x, WAPI-PSK, and WAPI-certificate. You can configure one of them in a
security profile. Open system authentication and WPA/WPA2-802.1x need to be configured
together with NAC to manage user access.
To connect a STA to the WLAN, bind the security profile to a VAP profile. The STA can
connect to the WLAN through an SSID only after it completes identity authentication
according to the security policy configured in the VAP profile. For the detailed configuration,
see Configuring a WLAN Security Policy in the Configuration-WLAN Security Configuration
Guide.
For WDS services, bind the security profile to the WDS profile. To ensure WDS security, set
the security policy to WPA2+PSK+AES. For the detailed configuration, see Configuring a
Security Profile in the Configuration-WDS and Mesh Configuration Guide.
For Mesh services, bind the security profile to the Mesh profile. To ensure Mesh security, set
the security policy to WPA2+PSK+AES. For the detailed configuration, see Configuring a
Security Profile in the Configuration-WDS and Mesh Configuration Guide.

3.1.12 Traffic Profile


In a traffic profile, you can configure priority mapping on the wireless side, air interface
performance optimization, traffic policing, and ACL-based packet filtering. The
configurations in a traffic profile take effect only after it is bound to a VAP profile.

l Priority mapping
Packets of different types have different priorities. For example, 802.11 packets sent by
STAs carry user priorities or DSCP priorities, VLAN packets on wired networks carry
802.1p priorities, and IP packets carry DSCP priorities. Priority mapping must be
configured on network devices to retain the priorities of packets that traverse different
networks.
For details, see Configuring Priority Mapping in the Configuration-QoS Configuration
Guide-WLAN QoS Configuration.
l Traffic policing
To protect network resources and prevent network congestion, you can configure traffic
policing to limit the rate of traffic entering a WLAN. In a traffic profile, you can
configure rate limiting for upstream and downstream packets of all STAs or each STA on
a VAP.
For details, see Configuring Traffic Policing in the Configuration-QoS Configuration
Guide-WLAN QoS Configuration.
l Traffic optimization
On a WLAN, a large number of wireless packets need to be forwarded, which may easily
cause network congestion and degrade network performance. WLAN traffic optimization
measures, such as traffic limit and multicast optimization, can be taken to adjust network
traffic in real time, significantly reducing impact of burst data on the network and
improving network performance.
For details, see WLAN Traffic Optimization Configuration Guide in the Configuration.
l ACL-based packet filtering
You can configure ACL-based packet filtering to enable a device to permit or deny
packets matching ACL rules to control network traffic.
For details, see Configuring ACL-based Packet Filtering in the Configuration-QoS
Configuration Guide-WLAN QoS Configuration.
l ACL-based packet priority re-marking
You can configure ACL-based priority re-marking to re-mark the priorities of packets
matching ACL rules, implementing differentiated services for wireless packets.
For details, see Configuring ACL-based Priority Remarking in the Configuration-QoS
Configuration Guide-WLAN QoS Configuration.

3.1.13 UCC Profile


A Unified Communication and Collaboration (UCC) profile is used to configure priorities for
Microsoft Lync voice, video, desktop sharing, and file transfer packets.
After creating a UCC profile, you can configure the DSCP priorities or 802.1p priorities for
Microsoft Lync voice, video, desktop sharing, and file transfer packets, so that a WLAN
device can process packets according to the new priorities. The configurations in a UCC
profile take effect only after it is bound to a VAP profile. For details, see Configuring Lync in
the Configuration-QoS Configuration Guide-SAC Configuration.

3.1.14 Attack Defense Profile


As the network develops continuously, there are various types of potential risks such as
Trojan horses, worms, and viruses in packets. After an attack defense profile is created,
various security functions are available, such as URL filtering, intrusion prevention, and
antivirus.
The profile of URL filtering defines actions for URLs matching the blacklist and whitelist to
allow or block access to the URLs.
For the detailed configuration, see Configuring URL Filtering Profile in the Configuration-
Security Configuration Guide.
Before you configure intrusion prevention, update the intrusion prevention signature database
or, if necessary, configure user-defined signatures, create intrusion prevention profiles,
reference signatures matching the specified conditions in the intrusion prevention profiles,
and apply the intrusion prevention profiles in the attack defense profiles.
For the detailed configuration, see Configuring Intrusion Prevention in the Configuration-
Security Configuration Guide.
The AV function identifies the files transmitted using the specified protocols and processes
the virus-infected files based on the predefined response actions to prevent virus-infected files
from entering the protected network.
To use the AV function, you must configure an antivirus profile and reference the profile in an
attack defense profile.
For the detailed configuration, see Configuring Antivirus in the Configuration-Security
Configuration Guide.

3.1.15 User Profile


A user profile is used to configure traffic policing and internal priorities for users' service
packets. The configurations in a user profile take effect only after it is bound to a VAP profile.
l Traffic policing
To protect network resources and prevent network congestion, you can configure traffic
policing to limit the rate of traffic entering a WLAN. You can configure QoS CAR
parameters and apply them to a user profile, so that traffic policing can be implemented
on upstream and downstream packets of users on the VAPs to which the user profile is
applied. For details, see Configuring Traffic Policing in the Configuration-QoS
Configuration Guide-WLAN QoS Configuration.
l Internal priority
When users' service packets reach a WLAN device, the WLAN device maps priorities of
the packets to internal priorities. After creating a user profile, you can modify priorities
of users' service packets in the user profile, so that the device can process users' service
packets according to the new internal priorities.

3.1.16 Soft GRE Profile


Before configuring soft GRE tunnel forwarding, configure a soft GRE profile first so that data
packets can be forwarded according to parameters configured in the profile. For details, see
(Optional) Configuring a Soft GRE Profile in the Configuration-WLAN Service Configuration
Guide.
l In a soft GRE profile, the destination address of the soft GRE tunnel must be configured
to specify the destination to which service data is forwarded.
l A soft GRE tunnel is not capable of detecting tunnel status. If the remote interface is
unreachable, the soft GRE tunnel cannot be immediately torn down. As a result, the
source end continues sending data to the remote end, wasting device resources and
bandwidth of the intermediate network.
The Keepalive detection function can monitor the soft GRE tunnel status to check
whether the remote end is reachable. If the remote end is unreachable, the source end
tears down the tunnel immediately to reduce resource waste and bandwidth occupation.

3.1.17 STA Blacklist Profile


A STA blacklist profile contains MAC addresses of wireless terminals forbidden to connect to
the WLAN. To forbid some STAs to connect to the WLAN, configure a STA blacklist profile
and apply the STA blacklist profile to an AP system profile or a VAP profile.
The effective scope of the STA blacklist profile differs according to the profiles to which it is
applied.
l AP system profile: The STA blacklist profile takes effect based on the AP. APs using the
AP system profile will use the STA blacklist profile. The STA blacklist profile takes
effect on all STAs connected to the APs (all VAPs).
l VAP profile: The STA blacklist profile takes effect based on the VAP. If the STA
blacklist profile is applied to an AP, the STA blacklist profile applies only to STAs
connected to the corresponding VAPs.
For the detailed configuration, see Configuring a STA Blacklist Profile in the Configuration-
WLAN Security Configuration Guide.

3.1.18 STA Whitelist Profile

A STA whitelist profile contains MAC addresses of wireless terminals allowed to connect to
the WLAN. To allow only some STAs to connect to the WLAN, configure a STA whitelist
profile and apply the STA whitelist profile to an AP system profile or a VAP profile.

The effective scope of the STA whitelist profile differs according to the profiles to which it is
applied.
l AP system profile: The STA whitelist profile takes effect based on the AP. APs using the
AP system profile will use the STA whitelist. The STA whitelist profile takes effect on
all STAs connected to the APs (all VAPs).
l VAP profile: The STA whitelist profile takes effect based on the VAP. If the STA
whitelist profile is applied to an AP, the STA whitelist profile applies only to STAs
connected to the corresponding VAPs.

For the detailed configuration, see Configuring a STA Whitelist Profile in the Configuration-
WLAN Security Configuration Guide.

3.1.19 SAC Profile

Smart Application Control (SAC) is a smart engine that can identify and classify application
protocols. It uses service awareness technology to identify packets of dynamic protocols such
as HTTP and RTP by checking Layer 4 to Layer 7 information in the packets. SAC helps
implement fine-granular QoS policy control.

An SAC profile is used to configure policies for re-marking packet priorities, discarding
packets, and limiting packet rates based on applications or application groups, so as to control
different types of applications and ensure stable and highly efficient running of key services.
The configurations in an SAC profile take effect only after it is bound to a VAP profile or a
user group. For details, see Configuring SAC in the Configuration-QoS Configuration Guide-
SAC Configuration.

3.1.20 Hotspot2.0 Profile

Hotspot2.0 networks are usually provided by network service providers who can set network
parameters in compliance with Hotspot2.0 standards to identify the networks. Wireless
terminals can obtain network information and automatically select and access the desired
networks based on the preset identity credentials. The administrator needs to configure the
APs through Hotspot2.0 profiles according to the parameters provided by the network service
providers so that the APs can provide Hotspot2.0 network information to the wireless
terminals. After the Hotspot2.0 profiles are applied to VAP profiles, the configuration takes
effect.

If a Hotspot2.0 network parameter carries multiple data entries, you need to configure the
parameter using a profile. In the profile, you can configure the entries of the parameter and
then bind the profile to a Hotspot2.0 profile.

Table 3-1 Description of the parameter profiles

| Parameter Profile | Description |
|---|---|
| Cellular network profile | You can configure Hotspot2.0 services on cellular networks. When connecting to the networks, user terminals can obtain network information from APs, which helps them to select desired networks. |
| NAI realm profile | A NAI realm profile is used to configure the network access identifier (NAI) realm name, authentication mode, and authentication parameters for networks accessible to users. |
| Roaming consortium profile | If the user terminals need to roam among Hotspot2.0 networks of different operators, configure a roaming consortium profile and add the organization identifiers (OIs) of the operators to the roaming consortium profile. In this way, after the user terminals connect to a network of an operator in the profile, they can roam to networks of the other operators while remaining online. |
| Connection capability profile | You can configure Hotspot2.0 services for networks. When user terminals connect to the networks, they can obtain network connection capability information from APs, including allowed protocols and ports, which helps them to select desired networks. |
| Operating class profile | The operating class profile is used to configure the operating class indication of an AP on the Hotspot2.0 network. When a STA accesses the network, it can obtain channel information used to access a Wi-Fi frequency from the AP so that the STA can set up a connection. |
| Operator domain profile | A network domain name profile is used to configure the operator domain profile. STAs can obtain the domain name information through ANQP, which is used as a basis for network selection. |
| Operator name profile | You can specify different friendly names for different languages so that users can select networks. |
| Venue name profile | When configuring Hotspot2.0 services, configure network parameters according to operator requirements. When connecting to networks, user terminals can obtain the network parameters to select desired networks. The venue name describes physical locations of a network and is an optional parameter. |

For details, see Hotspot2.0 Configuration Guide.

3.1.21 AP System Profile

An AP system profile is used to configure AP system parameters and can reference STA
blacklist and whitelist profiles as well as spectrum analysis configuration. The following
configurations are performed in an AP system profile:

l Manage AP login modes.
A user can log in to an AP through the console port, STelnet, SFTP, and Telnet in wired
mode, or through Telnet in wireless mode. These login modes can be disabled in an AP
system profile to ensure AP login security. For details, see Managing AP Wired Login
and Managing AP Wireless Login in the Configuration - AP Management Configuration
Guide.
l Configure the offline management VAP and antenna alignment VAP for an AP.
When an AP goes offline unexpectedly, the AC cannot manage the AP. In this case, you
can enable the management VAP and log in to the AP using Telnet to troubleshoot the
fault. This prevents complex operations.
You can associate a mobile phone on which the antenna alignment APP is installed with
the wireless network with SSID hw_manage_xxxx (xxxx is the last four bits of the AP
MAC address) and use the phone to receive packets sent by the antenna alignment VAP.
For details, see Configuring Antenna Alignment VAPs in the Configuration - AP
Management Configuration Guide.
l Configure a management VLAN for an AP.
In practice, the PVID of an AP wired interface is usually set to the management VLAN
ID. For details, see Configuration Precautions in the Configuration - WLAN Service
Configuration Guide. When management packets from the AP or data packets forwarded
in tunnel mode reach the access device through the CAPWAP tunnel, the access device
tags the packets with the PVID.
If the PVID of the access device has been used for other purposes (for example, as the
default VLAN ID of wired users), the PVID cannot be configured as the management
VLAN ID on the access device interface. In this case, configure CAPWAP packets sent
from an AP wired interface to carry the management VLAN tag. The AP then adds the
management VLAN ID to the CAPWAP packets sent to the AC. You only need to
configure the access device to allow the packets carrying the management VLAN ID to
pass.
For details, see Configuring a Management VLAN on an AP in the Configuration - AP
Management Configuration Guide.
l Configure service holding upon CAPWAP link disconnection.
To mitigate impact of link disconnections on users in direct forwarding mode and
improve service reliability, you can configure the function of service holding upon
CAPWAP link disconnection. To allow new users to access APs after CAPWAP link
disconnection, you can configure the function of user access upon CAPWAP link
disconnection. After the disconnected CAPWAP link is restored, the AP forces all online
STAs to go offline and reassociate with the AP and reports information about the STAs
through logs.
For details, see Configuring Service Holding upon CAPWAP Link Disconnection in the
Configuration - AP Management Configuration Guide.
l Configure PoE parameters for an AP.
PoE parameters include PoE power, parameters that are configured to allow high inrush
current during power-on, and PoE standard used by the AP. For details, see Managing
the PoE Function of an AP in the Configuration - AP Management Configuration Guide.
l Configure AP indicators.
Blinking indicators of indoor APs deployed in hospitals and hotels may affect people's
nighttime rest. Therefore, you can turn off AP indicators after APs are installed and run
properly.
l Configure the alarm function on an AP.
– You can configure alarm thresholds on an AP to monitor the AP in real time. When
the configured thresholds are exceeded, the AP generates alarms or logs to notify
the AC of AP status.
– If a STA cannot go online due to security type mismatch, UAC, or the upper limit of
access users being exceeded, the STA will automatically re-connect to the AP. During this
period, the AP sends a large number of STA association failure alarms to the AC,
which degrades the system performance.
To solve this problem, enable alarm suppression for the AP. The AP then does not report
alarms repeatedly in the alarm suppression period, preventing alarm storms.
For details, see Configuring the Alarm Function on an AP in the Configuration - AP
Management Configuration Guide.
l Configure the log backup and log suppression functions on an AP.
– Logs record user operations and system running information. After logs are backed
up to a server, network administrators can summarize and analyze AP logs to learn
about the operations performed on APs for fault location.
The device supports automatic log backup. After automatic log backup is
configured, logs generated by an AP are automatically sent to the log server.
– If a STA keeps attempting to connect to an AP because of signal interference or
instability, the AP sends a large number of duplicate login and logout logs to the AC
in a short period, causing a huge waste of resources.
To address this problem, enable log suppression. The AP sends only one log about a
user to the AC within the log suppression period.
For details, see Configuring the Log Backup and Log Suppression Functions on an AP in
the Configuration - AP Management Configuration Guide.
l Configure LLDP on an AP.
The Link Layer Discovery Protocol (LLDP) helps the NMS obtain detailed Layer 2
information, such as the network topology, device interface status, and management
address.
After LLDP is configured on an AP, the AP can send LLDP packets carrying local
system status information to directly connected neighbors and parse LLDP packets
received from neighbors. After the AP discovers a neighbor, the AP sends neighbor
information to the AC. The NMS then obtains AP's LLDP information from the AC to
learn about the network topology.
For details, see Configuring LLDP on an AP in the Configuration - AP Management
Configuration Guide.
l Configure the effective scope of a STA blacklist or whitelist.
If a STA blacklist or whitelist is applied to an AP system profile, the STA blacklist or
whitelist takes effect on all APs using the AP system profile. For details, see Applying
the Configuration to a VAP Profile or an AP System Profile in the Configuration -
WLAN Security Configuration Guide.
l Configure some parameters for spectrum analysis.
The parameters include the IP address and port number of a spectrum server and aging
time of information about non-Wi-Fi devices on an AC during spectrum analysis. For
details, see Configuring Spectrum Analysis on an AC in the Configuration - Spectrum
Analysis Configuration Guide.

3.1.22 AP Wired Port Profile


An AP wired port profile provides configurations of AP wired ports. AP wired port link
profiles can be bound to AP wired port profiles. AP wired port link profiles are used to
configure link-layer parameters of AP wired ports. For details, see Managing an AP's Wired
Interface in the Configuration - AP Management Configuration Guide.
The following configurations are performed in an AP wired port profile:
l Add an AP's wired port to an Eth-Trunk.
l Configure STP, working mode, and DHCP and ND trusted port on an AP's wired port.
l Configure STA address learning, IP source guard, and dynamic ARP probing on an AP's
wired port.
l Specify the maximum broadcast, multicast, and unknown unicast traffic allowed by an
AP's wired port.
l Associate STP with the error-triggered shutdown function on an AP's wired port.
l Configure IGMP Snooping for an AP's wired port.

3.1.23 AP Wired Port Link Profile


An AP wired port link profile provides link layer configurations on an AP's wired port.
The following configurations are performed in an AP wired port link profile:
l Enable or disable an AP's wired port.
Enable an AP's wired port before using the port. Disable the AP's wired port when a user
connected to the AP's wired port attacks the network. For details, see Managing an AP's
Wired Interface in the Configuration - AP Management Configuration Guide.
l Configure LLDP and the types of advertised TLVs on an AP's wired port.
You can obtain the network topology of an AP through LLDP. For details, see
Configuring LLDP on an AP in the Configuration - AP Management Configuration
Guide.
l Configure PoE for an AP's wired port.
Some APs can function as PSE devices to supply PoE power for PDs. Configure PoE for
an AP's wired port, so that the AP can provide PDs with PoE power through this port.
For details, see Managing the PoE Function of an AP in the Configuration - AP
Management Configuration Guide.
l Configure the alarm function for CRC errors on an AP's wired port.
For details, see Managing an AP's Wired Interface in the Configuration - AP
Management Configuration Guide.

3.1.24 WIDS Profile


WIDS profiles provide mechanisms to protect WLAN networks. WIDS profiles are bound to
AP groups or APs so that they can take effect. For details, see Configuring Rogue Device
Detection and Containment and Configuring Attack Detection and Dynamic Blacklist in the
Configuration-WLAN Security Configuration Guide.
A WIDS profile supports the following functions:
l WIDS device detection and countering
– APs detect Wi-Fi devices within their coverage range and determine whether they
are authorized.
– You can configure a WIDS spoof SSID profile and a WIDS whitelist profile to
identify spoofing SSIDs and add the trusted devices to the whitelist. After
configuring these profiles, you bind them to the WIDS profile.
– Countermeasures are taken on the detected rogue device so that rogue STAs cannot
access the network or authorized STAs will not access rogue APs.
l WIDS attack detection and dynamic blacklist
– APs detect Wi-Fi devices on a network that launch attacks, including flood attacks,
weak IV attacks, spoofing attacks, and brute force PSK cracking attacks.
– After the dynamic blacklist function is enabled, attacking devices are added to the
dynamic blacklist and packets from these devices are discarded.

3.1.25 WIDS Spoof SSID Profile


WLAN services are available in public places, such as banks and airports. Users can connect
to the WLANs after associating with corresponding SSIDs. If a rogue AP is deployed and
provides spoofing SSIDs similar to authorized SSIDs, the users may be misled and connect to
the rogue AP, which brings security risks. To address this problem, configure a fuzzy
matching rule to identify spoofing SSIDs. The device compares a detected SSID with the
matching rule. If the SSID matches the rule, the SSID is considered a spoofing SSID. The AP
using the spoofing SSID is a rogue AP. After rogue AP containment is configured, the device
contains the rogue AP and disconnects users from the spoofing SSID.
For the detailed configuration, see (Optional) Configuring Fuzzy Matching Rules for
Identifying Spoofing SSIDs in the Configuration-WLAN Security Configuration Guide.

3.1.26 WIDS Whitelist Profile


After the rogue device containment function is enabled, rogue APs can be detected and
contained. However, there may be APs of other vendors or on other networks working in the
existing signal coverage areas. If these APs are contained, their services will be affected. To
prevent this situation, you can configure the WIDS whitelist profile to add these APs to a
WIDS whitelist which includes an authorized MAC address list, OUI list, and SSID list.
When a rogue AP is detected but the AP's MAC address is in the authorized MAC address
list, the AP is considered an authorized AP. However, if the AP's MAC address is not in the
authorized MAC address list, the AP's OUI and SSID must be both in the authorized OUI and
SSID lists; otherwise, the AP is a rogue AP.
For the detailed configuration, see (Optional) Configuring a WIDS Whitelist in the
Configuration-WLAN Security Configuration Guide.
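
The whitelist decision described above can be checked against a site survey before containment is enabled, so that neighboring APs are not contained by mistake. The following Python sketch is an added example, not code from this guide or from the device; the class and function names, the exact-match SSID comparison, and all MAC addresses, OUIs and SSIDs except wlan-net are constructed assumptions.

```python
import re

_HEX12 = re.compile(r"[0-9a-f]{12}")
_HEX6 = re.compile(r"[0-9a-f]{6}")


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits.

    Accepts xxxx-xxxx-xxxx, xx:xx:xx:xx:xx:xx and xx-xx-xx-xx-xx-xx.
    """
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def normalize_oui(oui):
    """Return an OUI (first three octets) as 6 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", oui.strip()).lower()
    if not _HEX6.fullmatch(digits):
        raise ValueError(f"not an OUI: {oui!r}")
    return digits


class WidsWhitelist:
    """Authorized MAC, OUI and SSID lists of a WIDS whitelist profile."""

    def __init__(self, macs=(), ouis=(), ssids=()):
        self.macs = {normalize_mac(m) for m in macs}
        self.ouis = {normalize_oui(o) for o in ouis}
        self.ssids = set(ssids)  # assumption: exact, case-sensitive match

    def classify(self, bssid, ssid):
        """Return (verdict, reason) for one detected AP."""
        mac = normalize_mac(bssid)
        # Rule 1: a listed MAC address is sufficient on its own.
        if mac in self.macs:
            return "authorized", "MAC in authorized MAC list"
        # Rule 2: otherwise the OUI and the SSID must both be listed.
        oui_ok = mac[:6] in self.ouis
        ssid_ok = ssid in self.ssids
        if oui_ok and ssid_ok:
            return "authorized", "OUI and SSID both in authorized lists"
        missing = [n for n, ok in (("OUI", oui_ok), ("SSID", ssid_ok)) if not ok]
        return "rogue", "not whitelisted: " + " and ".join(missing) + " not in list"


def containment_candidates(whitelist, survey):
    """List the surveyed APs that would still be treated as rogue."""
    return [(b, s) for b, s in survey if whitelist.classify(b, s)[0] == "rogue"]


# Constructed whitelist and site-survey data (not from the guide).
WHITELIST = WidsWhitelist(
    macs=["0211-2233-4455"],
    ouis=["02-aa-bb"],
    ssids=["neighbor-guest"],
)
SURVEY = [
    ("02:11:22:33:44:55", "anything"),       # listed MAC
    ("02aa-bb00-0001", "neighbor-guest"),    # OUI and SSID both listed
    ("02aa-bb00-0002", "wlan-net"),          # OUI listed, SSID not
    ("02cc-dd00-0003", "neighbor-guest"),    # SSID listed, OUI not
]

if __name__ == "__main__":
    for bssid, ssid in SURVEY:
        print(bssid, ssid, *WHITELIST.classify(bssid, ssid))
```

Any AP returned by containment_candidates would be contained once rogue AP containment is configured, so a neighbor AP that appears there needs a whitelist entry first.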

3.1.27 Location Profile


A location profile is used to enable the WLAN location function and configure location server
parameters and the mode used by APs to report location information. For details, see Wi-Fi
Tag Location Configuration in the Configuration, Bluetooth Location Configuration in the
Configuration and Terminal Location Configuration in the Configuration


3.1.28 BLE Profile


l Bluetooth terminal location technology uses Bluetooth Low Energy (BLE) devices and a
location system to locate Bluetooth terminals through the iBeacon protocol. An AP with
a built-in Bluetooth module collects information about BLE devices and sends the
information to a server through an AC. The server sends data about maps and BLE
device locations to a Bluetooth terminal through an app server. The Bluetooth terminal
then works with the location app to calculate its own location. Alternatively, the AP
collects information carried in Bluetooth terminal location packets and sends the
information to the AC or location server for server-side location.
l Bluetooth tag location technology uses Bluetooth tags and a location system to locate
Bluetooth tags through the BLE protocol. An AP with a built-in Bluetooth module
collects information about Bluetooth tags and sends the information to a location server
to locate the Bluetooth tags. The AP also monitors battery power of Bluetooth tags and
checks whether Bluetooth tags are disconnected.
l Bluetooth data transparent transmission technology is used to enable an AP with a built-
in Bluetooth module to collect data from Bluetooth clients (such as Bluetooth
thermometers, blood pressure monitors, and heart rate monitors) and upload the data to a
server.
For the detailed configuration, see Bluetooth Location Configuration in the Configuration.

3.1.29 WDS Profile


A WDS profile contains major parameters required for configuring the WDS function. To
enable radios of an AP group or a specified AP to set up Mesh links, a WDS profile must be
applied to the radios.
When configuring WDS services, use the WDS profile with the following profiles:
l Security profile: After a security profile is bound to a WDS profile, parameters in the
security profile will be used for WDS link setup to ensure security of WDS links. The
WPA2+PSK+AES security policy is recommended for a WDS security profile.
l WDS whitelist profile: A WDS whitelist profile contains MAC addresses of neighboring
APs allowed to set up WDS links with an AP. After a WDS whitelist profile is applied to
an AP radio, only APs with MAC addresses in the whitelist can access the AP, and other
APs are denied. In the WDS, only APs with radios working in root mode and middle
mode can have a whitelist configured. APs in leaf mode require no whitelist.
NOTE

l A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the
local AP only after passing security authentication.
l If no WDS whitelist profile is used, all neighboring APs can access the local AP.
l AP group radio or AP radio: You can configure major feature parameters for radios in an
AP group or a specified AP radio, including the working channel and bandwidth,
antenna gain, transmit power, and radio coverage distance. For example, when
configuring the WDS function, configure the same channel for radios of WDS APs.
l Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can
configure other radio parameters for WDS links through a radio profile.
By default, the system provides the WDS profile default. By default, the security profile
default-wds with the security policy WPA2+PSK+AES and the security key huawei_secwds
is referenced by a WDS profile regardless of whether the WDS profile is the default profile
provided by the system or a WDS profile created by users. If the default security profile
default-wds is used, you are advised to change the security key of the profile to ensure
security.

3.1.30 WDS Whitelist Profile


A WDS whitelist profile contains MAC addresses of neighboring APs allowed to set up WDS
links with an AP. After a WDS whitelist profile is applied to an AP radio, only APs with
MAC addresses in the whitelist can access the AP, and other APs are denied. In the WDS,
only APs with radios working in root mode and middle mode can have a whitelist configured.
APs in leaf mode require no whitelist.

NOTE

l A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the local
AP only after passing security authentication.
l If no WDS whitelist profile is used, all neighboring APs can access the local AP.

3.1.31 Mesh Profile


A Mesh profile contains major parameters required for configuring the Mesh function. To
enable radios of an AP group or a specified AP to set up Mesh links, a Mesh profile must be
applied to the radios.
When configuring Mesh services, use the Mesh profile with the following profiles:
l Security profile: After a security profile is bound to a Mesh profile, parameters in the
security profile will be used for Mesh link setup to ensure security of Mesh links. The
WPA2+PSK+AES security policy is recommended for a Mesh security profile.
NOTE

The security policy can be set to open system authentication only for the Mesh network in rail
transportation scenarios.
l Mesh whitelist profile: A Mesh whitelist profile contains MAC addresses of neighboring
APs allowed to set up Mesh links with an AP. After a Mesh whitelist profile is applied to
an AP radio, only APs with MAC addresses in the whitelist can access the AP, and other
APs are denied. On common Mesh networks, a Mesh whitelist must be configured for a
Mesh node.
NOTE

l A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the
local AP only after passing security authentication.
l On a Mesh network where ATs are deployed, after FWA is enabled in a Mesh profile, you do not
need to configure a Mesh whitelist for a Mesh node. All ATs are allowed to access the Mesh node.
l AP group radio or AP radio: You can configure major feature parameters for radios in an
AP group or a specified AP radio, including the working channel and bandwidth,
antenna gain, transmit power, and radio coverage distance. For example, when
configuring the Mesh function, configure the same channel for radios of Mesh APs.
l Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can
configure other radio parameters for Mesh links through a radio profile.
l AP wired port profile: The AP wired port profile is used to configure AP wired port
parameters and Mesh roles. When configuring Mesh services, you need to configure AP
wired port parameters according to actual situations, enabling the Mesh network to
transmit user services. For example, if direct forwarding is used on a Mesh network, you
need to configure wired ports of Mesh APs to allow service VLANs to pass through.


l Mesh handover profile: After a Mesh handover profile is bound to a Mesh profile, the
Mesh profile can provide the fast Mesh link handover function and apply to train-ground
communication scenarios. A Mesh handover profile and the FWA mode of a Mesh
profile are mutually exclusive. A Mesh handover profile cannot be referenced by the
Mesh profile in which the FWA mode is enabled.

By default, the system provides the Mesh profile default. Both the default Mesh profile
default and a self-defined Mesh profile have the security profile default-mesh referenced by
default. In the security profile default-mesh, the security policy is set to WPA2+PSK+AES
and the security key to huawei_secmesh. If the default security profile default-mesh is used,
you are advised to change the security key of the profile to ensure security.

3.1.32 Mesh Handover Profile


After a Mesh handover profile is bound to a Mesh profile, the Mesh profile can provide the
fast Mesh link handover function and apply to train-ground communication scenarios. A
Mesh handover profile and the FWA mode of a Mesh profile are mutually exclusive. A Mesh
handover profile cannot be referenced by the Mesh profile in which the FWA mode is
enabled.

3.1.33 Mesh Whitelist Profile


Mesh whitelist profile: A Mesh whitelist profile contains MAC addresses of neighboring APs
allowed to set up Mesh links with an AP. After a Mesh whitelist profile is applied to an AP
radio, only APs with MAC addresses in the whitelist can access the AP, and other APs are
denied. On common Mesh networks, a Mesh whitelist must be configured for a Mesh node.

NOTE

l A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the local
AP only after passing security authentication.
l On a Mesh network where ATs are deployed, after FWA is enabled in a Mesh profile, you do not need to
configure a Mesh whitelist for a Mesh node. All ATs are allowed to access the Mesh node.

3.1.34 IoT Profile

An IoT profile provides the following communication parameters between an AP and a host
computer:

l IP address and port number of the host computer:
Before the AP reports data to the host computer, configure the IP address and port
number for the host computer. If these parameters are not configured, serial port data
reported by the AP will be discarded.
l Host computer trusted by the AP:
Configure a trusted host computer so that only hosts with specified IP addresses can
communicate with the AP and deliver configurations, protecting the AP against attacks.
If no trusted host computer is configured, other hosts can also deliver IoT card
configurations to the AP.
l Shared key:
To enhance communication security, you can configure a shared key for encrypting
communication data between the AP and host computers. The shared key must be the
same on the AP and host computers.
l Local port number:
The UDP port number identifies an IoT card slot and is used for the AP to communicate
with host computers.

For details, see Configuring Communication Parameters Between an AP and a Host
Computer in the Configuration - IoT AP Configuration Guide.

3.1.35 Serial Profile

An AP communicates with an IoT card through a serial port. Each IoT card interface uses
independent serial communication parameters and framing parameters. By default, an IoT
card interface is bound to the preset serial profile preset-enjoyor-toeap. The default values of
the parameters are as follows:

The serial communication parameters and framing parameters can be set in a serial profile.

For details, see Configuring Communication Parameters Between an AP and an IoT Card in
the Configuration - IoT AP Configuration Guide.

3.1.36 AP Provisioning Profile

To facilitate maintenance and management, an AP provisioning profile is designed so that you
can run commands on a Fit AP after logging in to the Fit AP. You can also configure
parameters in an AP provisioning profile and manually deliver configurations to specified
APs or AP groups. For details, see Configuring AP Online Parameters (AP Provisioning View)
or Switching the Working Mode of an AP in the Configuration-AP Management
Configuration Guide.

An AP provisioning profile contains the following parameters:

l Parameters for an AP to go online, including the AP name, group to which an AP belongs,
mode of obtaining an IP address, static IP address, gateway address, and AC IP address list.
l The running mode of the AP. Set the running mode of the AP to switch
between the Fat AP and cloud AP modes.

3.1.37 Common Operations of Profiles

Copying Profiles
To improve configuration efficiency, you can copy configurations in one profile to another
profile and then modify specific parameters.

For example, if you need to copy the configurations in VAP profile b to VAP profile a, you
only need to run the copy-from profile-name command in VAP profile a. The detailed
procedure is as follows:
<AC6605> system-view
[AC6605] wlan
[AC6605-wlan-view] vap-profile name a
[AC6605-wlan-vap-prof-a] copy-from b


NOTE

l You can perform this operation only between profiles of the same type. For example, you can copy the
configurations in a VAP profile to another VAP profile, but not to a radio profile.
l If a profile is bound to another profile, you cannot perform this operation in this profile. For example, if
VAP profile a is bound to an AP group, you cannot perform this operation in VAP profile a.

Viewing Reference Information About a Profile


After configuring a profile, you can run the display references profile-type name profile-name
command to view the profiles to which it is bound. profile-type indicates the name of a
profile type. You can run the display references ? command in any view to view all available
profile-type values and their descriptions. For example, you can run the display references
radio-2g-profile name default command to view the profiles to which 2G radio profile
default is bound.

3.2 Data Packet Processing


Packets transmitted on a WLAN include management packets and service data packets.
Management packets must be transmitted over Control and Provisioning of Wireless Access
Points (CAPWAP) tunnels, and service data packets can be transmitted over CAPWAP
tunnels, soft GRE tunnels, or directly.

Management packets carry management data between an AC and an AP. Data packets
carry data between STAs and the upper-layer network when WLAN users access the Internet.

On a WLAN, packets transmitted between STAs and APs are 802.11 packets. APs are bridges
between STAs and the upper layer wired network. They convert 802.11 packets into 802.3
packets and forward 802.3 packets to the wired network.

Management packets and service data packets are marked with different VLAN tags on a
WLAN. The following describes the forwarding process of management and service data
packets. Here, VLAN m and VLAN m' represent management VLANs, while VLAN s and
VLAN s' represent service VLANs.
l When an AP connects to an AC through a Layer 2 network, VLAN m is the same as
VLAN m', and VLAN s is the same as VLAN s'.
l When an AP connects to an AC through a Layer 3 network, VLAN m is different from
VLAN m', and VLAN s is different from VLAN s'.

WLAN roaming is categorized as Layer 2 and Layer 3 roaming depending on whether a STA
roams within the same subnet. In roaming scenarios, management packets are forwarded
through the CAPWAP tunnel, while service data packets can be forwarded through the
CAPWAP tunnel or using direct forwarding mode.

Management Packet Forwarding Process


As shown in Figure 3-5:
l In the uplink direction (from the AP to the AC): When receiving management packets,
the AP encapsulates the packets in CAPWAP packets. The switch tags the packets with
VLAN m. The AC decapsulates the CAPWAP packets and removes the tag VLAN m'.
l In the downlink direction (from the AC to the AP): When receiving downstream
management packets, the AC encapsulates the packets in CAPWAP packets and tags
them with VLAN m'. The switch removes VLAN m from the packets. The AP
decapsulates the CAPWAP packets.
The devices between an AC and AP must be configured to allow VLAN m and transparently
transmit packets of VLAN m.

Figure 3-5 Management packet forwarding
[Figure: AC, switch, and AP. Packet format on the AC and switch side: VLAN m | 802.3 |
UDP/IP | CAPWAP. Packet format on the AP side: 802.3 | UDP/IP | CAPWAP.]

Direct Forwarding of Service Data Packets


Figure 3-6 shows the direct forwarding process of service data packets. In direct forwarding
mode, service data packets are not encapsulated with CAPWAP.
l In the uplink direction (from the STA to the Internet): When upstream service data
packets in 802.11 format are sent from the STA to the AP, the AP converts the packets
into 802.3 packets, tags the packets with VLAN s, and forwards the packets to the
destination.
l In the downlink direction (from the Internet to the STA): When downstream service data
packets in 802.3 format reach the AP (the packets are tagged with VLAN s' by upstream
devices), the AP converts the 802.3 packets into 802.11 packets and forwards them to the
STA.
The devices between an AC and AP must be configured to allow service VLAN s and
transparently transmit packets of VLAN s.
In direct forwarding mode, an AC is connected to a core or aggregation switch in bypass
mode. The AC does not forward service data and only manages APs. If an AC is connected to
an upstream switch in inline mode, the AC forwards data packets. In this networking, the AC
acts as an aggregation switch.

Figure 3-6 Direct forwarding of service data packets
[Figure: IP network, switch, AP, and STA. Packet format between the IP network, switch, and
AP: VLAN s | 802.3 | Payload. Packet format between the AP and STA: 802.11 | Payload.]

Forwarding Service Data Packets over a CAPWAP Tunnel


In tunnel forwarding mode, APs set up control tunnels and data tunnels with an AC. Data
packets of WLAN users and management packets are encapsulated in CAPWAP data packets
and control packets, and forwarded over the CAPWAP tunnels. As shown in Figure 3-7:
l In the uplink direction (from the STA to the Internet): When upstream service data
packets in 802.11 format are sent from the STA to the AP, the AP converts the packets
into 802.3 packets, tags the packets with VLAN s, and encapsulates them in CAPWAP
packets. The upstream switch tags the packets with VLAN m. The AC decapsulates the
CAPWAP packets and removes the tag VLAN m' from the packets.
l In the downlink direction (from the Internet to the STA): When downstream service data
packets reach the AC, the AC encapsulates the packets in CAPWAP packets, allows the
packets carrying VLAN s to pass through, and tags the packets with VLAN m'. The
switch removes VLAN m from the packets. The AP decapsulates the CAPWAP packets,
removes VLAN s, converts the 802.3 packets into 802.11 packets, and forwards them to
the STA.
Management VLAN tag VLAN m is the outer tag of CAPWAP-encapsulated packets. The
intermediate devices between the AC and AP can only transparently transmit packets carrying
VLAN m and cannot be configured with VLAN s encapsulated in the CAPWAP packets.
All encapsulated data packets are processed and forwarded by the AC, regardless of whether
the AC is connected to the upstream switch in inline or bypass mode.
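
The tag layering in tunnel forwarding mode can be checked offline on a captured frame. The following Python sketch is an added example, not code from this guide; the CAPWAP header layout and UDP data port 5247 follow RFC 5415, and the frames, MAC addresses and helper names are constructed, with VLAN 100 and VLAN 101 standing in for VLAN m and VLAN s.

```python
import struct

CAPWAP_DATA_PORT = 5247      # CAPWAP data channel, RFC 5415
TPID_8021Q = 0x8100          # 802.1Q VLAN tag
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def parse_ethernet(frame):
    """Return (vlan_id or None, ethertype, payload) of an 802.3 frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, ethertype, frame[18:]


def parse_capwap(datagram):
    """Parse the CAPWAP header (RFC 5415, section 4.3) of a UDP payload."""
    if len(datagram) < 8:
        raise ValueError("truncated CAPWAP header")
    (word,) = struct.unpack_from("!I", datagram, 0)
    if (word >> 24) & 0x0F != 0:          # preamble type 1: DTLS-protected
        return {"dtls": True, "inner": None}
    hlen = ((word >> 19) & 0x1F) * 4      # HLEN is counted in 4-byte words
    if hlen < 8 or hlen > len(datagram):
        raise ValueError("invalid CAPWAP HLEN")
    native = bool((word >> 8) & 1)        # T bit: 0 = 802.3 payload
    return {"dtls": False, "inner": None if native else datagram[hlen:]}


def dissect(frame):
    """Report the outer tag a transit device sees and the tag in the tunnel."""
    outer_vlan, ethertype, ip = parse_ethernet(frame)
    seen = {"outer_vlan": outer_vlan, "tunnelled": False,
            "dtls": False, "inner_vlan": None}
    if ethertype != ETHERTYPE_IPV4 or len(ip) < 20:
        return seen
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return seen
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    if CAPWAP_DATA_PORT not in (sport, dport):
        return seen
    capwap = parse_capwap(ip[ihl + 8:])
    seen["tunnelled"], seen["dtls"] = True, capwap["dtls"]
    if capwap["inner"] is not None:
        seen["inner_vlan"] = parse_ethernet(capwap["inner"])[0]
    return seen


# --- Constructed sample frames (checksums left at 0, not validated) ---
def build_ethernet(vlan, ethertype, payload):
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, vlan)
    return macs + tag + struct.pack("!H", ethertype) + payload


def build_ipv4_udp(src, dst, dport, payload):
    udp = struct.pack("!HHHH", 49152, dport, 8 + len(payload), 0) + payload
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                         IPPROTO_UDP, 0, bytes(src), bytes(dst))
    return header + udp


def build_tunnel_frame(vlan_m, vlan_s, payload, dtls=False):
    """AP-to-AC frame as carried between the switch and the AC."""
    if dtls:
        capwap = struct.pack("!I", 0x01000000) + b"\x00" * 16  # opaque record
    else:
        inner = build_ethernet(vlan_s, ETHERTYPE_IPV4, payload)
        # HLEN=2 words, WBID=1 (IEEE 802.11), T=0 (802.3 payload)
        capwap = struct.pack("!II", (2 << 19) | (1 << 9), 0) + inner
    ip = build_ipv4_udp((10, 23, 100, 2), (10, 23, 100, 1),
                        CAPWAP_DATA_PORT, capwap)
    return build_ethernet(vlan_m, ETHERTYPE_IPV4, ip)


def build_direct_frame(vlan_s, payload):
    """Direct forwarding: the service frame itself, tagged with VLAN s."""
    ip = build_ipv4_udp((10, 23, 101, 2), (192, 0, 2, 10), 53, payload)
    return build_ethernet(vlan_s, ETHERTYPE_IPV4, ip)


if __name__ == "__main__":
    print("tunnel:", dissect(build_tunnel_frame(100, 101, b"user data")))
    print("direct:", dissect(build_direct_frame(101, b"user data")))
```

A capture point between the AP and the AC therefore has to decapsulate CAPWAP before any per-service-VLAN filter can match, and when the data channel is DTLS-protected the inner tag is not visible there at all.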

Figure 3-7 Forwarding service data packets over a CAPWAP tunnel
[Figure: IP network, AC, switch, AP, and STA. Packet format between the IP network and AC:
VLAN s | 802.3 | Payload. Packet format between the AC and switch: VLAN m | 802.3 | UDP/IP |
CAPWAP | VLAN s | 802.3 | Payload. Packet format on the AP side: 802.3 | UDP/IP | CAPWAP |
VLAN s | 802.3 | Payload. Packet format between the AP and STA: 802.11 | Payload.]

Forwarding Service Data Packets over a Soft GRE Tunnel


As shown in Figure 3-8, service data packets can be transmitted over a soft GRE tunnel.
l When receiving upstream service data packets in 802.11 format from the STA, the AP
converts the packets into 802.3 packets, encapsulates the packets into a soft GRE tunnel,
and forwards the packets to the BRAS. The BRAS decapsulates the packets and
implements unified accounting and authentication.
l The BRAS encapsulates downlink service data packets into a soft GRE tunnel and
forwards the packets to the AP. The AP then decapsulates the packets, converts the
packets into 802.11 packets, and sends them to the STA.
The route between the AP and BRAS must be reachable so that service data packets can be
transmitted properly over the soft GRE tunnel.

Figure 3-8 Forwarding service data packets over a soft GRE tunnel
[Figure: IP network, BRAS, switch, AP, and STA. Packet format between the IP network and
BRAS: VLAN s | 802.3 | Payload. Packet format between the BRAS, switch, and AP: Soft-GRE |
VLAN s | 802.3 | Payload. Packet format between the AP and STA: 802.11 | Payload.
Legend: VLAN s: service VLAN; data packet.]

Forwarding Service Data Packets During Layer 2 Roaming


As shown in Figure 3-9, during Layer 2 roaming, the STA stays within the same subnet. The
FAP/FAC processes packets of a Layer 2 roaming STA in the same way as it processes
packets of a newly online STA. The FAP/FAC forwards the packets on the local network and
does not send the packets back to the HAP/HAC over the inter-AC tunnel.
l Before roaming: When receiving upstream service data packets from a STA, the HAP
forwards the packets to the HAC. The HAC then directly forwards the packets to the
destination. When receiving downstream service data packets from the HAC, the HAP
forwards the packets to the STA.
l After roaming: When receiving upstream service data packets from a STA, the FAP
forwards the packets to the FAC. The FAC then directly forwards the packets to the
destination. When receiving downstream service data packets from the FAC, the FAP
forwards the packets to the STA.

Figure 3-9 Forwarding service data packets during Layer 2 roaming
[Figure: Internet, HAC and FAC (inter-AC roaming), HAP (VLAN s) and FAP (VLAN s), and a STA
roaming from the HAP to the FAP. Legend: packet forwarding before roaming; packet forwarding
after roaming.]

Forwarding Service Data Packets During Layer 3 Roaming


The STA stays in different subnets before and after Layer 3 roaming. To ensure that the STA
can still access the original network after roaming, user traffic is forwarded to the original
subnet over tunnels.
l As shown in Figure 3-10, in tunnel forwarding mode, service packets exchanged
between the HAP and HAC are encapsulated through a CAPWAP tunnel, and the HAP
and HAC can be considered in the same subnet. Instead of forwarding the packets back
to the HAP, the HAC directly forwards the packets to the upper-layer network.

Figure 3-10 Tunnel forwarding of service data packets during Layer 3 roaming
[Figure: Internet, HAC and FAC (inter-AC roaming), HAP (VLAN s) and FAP (VLAN n), CAPWAP
tunnels, and a STA roaming from the HAP to the FAP. Legend: packet forwarding before roaming;
packet forwarding after roaming.]

Service Data Packet Type: Upstream service data

Before Roaming:
1. The STA sends a service packet to the HAP.
2. After receiving the service packet, the HAP sends it to the HAC.
3. The HAC forwards the service packet to the upper-layer network.

After Roaming:
1. The STA sends a service packet to the FAP.
2. After receiving the service packet, the FAP sends it to the FAC.
3. The FAC forwards the service packet to the HAC through a tunnel between them.
4. The HAC forwards the service packet to the upper-layer network.

Service Data Packet Type: Downstream service data

Before Roaming:
1. The HAC encapsulates downstream service data in a CAPWAP packet, and sends it to the HAP.
2. The HAP receives the CAPWAP packet and decapsulates it.
3. The HAP sends the service packet to the STA.

After Roaming:
1. The HAC encapsulates downstream service data in a CAPWAP packet.
2. The HAC forwards the service packet to the FAC through a tunnel between them.
3. The FAP receives the CAPWAP packet and decapsulates it.
4. The FAP sends the service packet to the STA.

l As shown in Figure 3-11, in direct forwarding mode, service packets exchanged between
the HAP and HAC are not encapsulated through the CAPWAP tunnel; therefore, whether
the HAP and HAC reside in the same subnet is unknown. Packets are forwarded back to
the HAP by default. If the HAP and HAC are located in the same subnet, configure the
HAC with higher performance as the home agent. This reduces the load on the HAP and
improves the forwarding efficiency.

Figure 3-11 Direct forwarding of service data packets during Layer 3 roaming
[Figure: Internet, HAC and FAC (inter-AC roaming), HAP (VLAN s) and FAP (VLAN n), CAPWAP
tunnel, and a STA roaming from the HAP to the FAP. Legend: packet forwarding before roaming;
packet forwarding after roaming; packet forwarding after AC is specified as the home agent.]

Service Data Packet Type: Upstream service data

Before Roaming:
1. The STA sends a service packet to the HAP.
2. After receiving the service packet, the HAP forwards the service packet to the upper-layer
network directly.

After Roaming:
1. The STA sends a service packet to the FAP.
2. After receiving the service packet, the FAP sends it to the FAC over the CAPWAP tunnel.
3. The FAC forwards the service packet to the HAC through a tunnel between them.
4. The HAC sends the service packet to the HAP over the CAPWAP tunnel.
5. The HAP forwards the service packet to the upper-layer network.

Configuring the AC as the Home Agent:
1. The STA sends a service packet to the FAP.
2. After receiving the service packet, the FAP sends it to the FAC over the CAPWAP tunnel.
3. The FAC forwards the service packet to the HAC through a tunnel between them.
4. The HAC forwards the service packet to the upper-layer network.

Service Data Packet Type: Downstream service data

Before Roaming:
1. The upper-layer network sends a service packet to the HAC.
2. The HAC sends the service packet to the HAP.
3. After receiving the service packet, the HAP sends it to the STA.

After Roaming:
1. The upper-layer network sends a service packet to the HAP.
2. The HAP sends the service packet to the HAC over the CAPWAP tunnel.
3. The HAC forwards the service packet to the FAC through a tunnel between them.
4. After receiving the service packet, the FAC sends it to the FAP over the CAPWAP tunnel.
5. The FAP sends the service packet to the STA.

Configuring the AC as the Home Agent:
1. The upper-layer network sends a service packet to the HAC.
2. The HAC forwards the service packet to the FAC through a tunnel between them.
3. After receiving the service packet, the FAC sends it to the FAP over the CAPWAP tunnel.
4. The FAP sends the service packet to the STA.


4 Typical Configuration Examples (CLI)

About This Chapter

4.1 WLAN Common Service Configuration Examples


4.2 WLAN Basic Networking Configuration Examples (Fat AP)
4.3 WLAN Basic Networking Configuration Examples
4.4 AP's Wired Interface Configuration Examples
4.5 PPPoE Configuration Examples (Fat AP and Fat Central AP)
4.6 Authentication Configuration Examples
4.7 Reliability Configuration Examples
4.8 Roaming Configuration Examples
4.9 Agile Distributed Networking Configuration Examples
4.10 High-Density Configuration Examples
4.11 Example for Configuring Vehicle-Ground Communication
4.12 Radio Resource Management Configuration Examples
4.13 Spectrum Analysis Configuration Examples
4.14 WLAN Security Configuration Examples
4.15 WLAN QoS Configuration Examples
4.16 WLAN Enhanced Services Configuration Examples
4.17 Typical Configuration for Interconnection Between AC and Cisco ISE Server
4.18 Typical Configuration for Interconnection Between AC and Aruba ClearPass Server
4.19 Typical Configuration for Interconnection Between AC and Huawei Agile Controller-Campus Server
4.20 Comprehensive Case


4.1 WLAN Common Service Configuration Examples


4.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1x Authentication)

Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1x+AES


Figure 4-1 Networking diagram for configuring 802.1x authentication

[Figure not reproduced. Devices shown: Internet, Router, AC, SwitchB, RADIUS server (10.23.103.1:1812), SwitchA, AP, and STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Data Planning

Table 4-1 Data planning on the AC

| Configuration Item | Data |
| --- | --- |
| Management VLAN | VLAN 100 |
| Service VLAN | VLAN 101 |
| AC's source interface | VLANIF 100: 10.23.100.1/24 |
| DHCP server | The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for the STAs | 10.23.101.2-10.23.101.254/24 |
| RADIUS authentication parameters | RADIUS server template name: wlan-net; IP address: 10.23.103.1; Authentication port number: 1812; Shared key: huawei@123; Authentication scheme: wlan-net |
| 802.1x access profile | Name: wlan-net; Authentication mode: EAP |
| Authentication profile | Name: wlan-net; Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net |
| AP group | Name: ap-group1; Bound profile: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+802.1x+AES |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net |

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1X authentication on the AC.
5. Configure third-party server interconnection parameters.
NOTE

The AC and server must have the same RADIUS shared key.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
--------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.


1. Configure RADIUS authentication parameters.

# Create a RADIUS server template.


[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure an 802.1x access profile to manage 802.1x access control parameters.


# Create the 802.1x access profile wlan-net.
[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.


[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.


# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure third-party server interconnection parameters.


• For interconnection with the Cisco ISE, see "Example for Configuring Wireless 802.1X
Authentication" in the Typical Configuration Examples-WLAN and the Cisco ISE Server
Interoperation Configuration Examples.
• For interconnection with the Aruba ClearPass, see "Example for Configuring Wireless
802.1X Authentication" in the Typical Configuration Examples-WLAN and the Aruba
ClearPass Server Interoperation Configuration Examples.
• For interconnection with the Agile Controller-Campus, see "Example for Configuring
Wireless 802.1X Authentication" in the Agile Controller-Campus Typical Configuration
Examples.
• For interconnection with other third-party servers, see the corresponding product manual.
Step 7 Verify the configuration.
• The WLAN with SSID wlan-net is available for STAs connected to the AP.
• The wireless PC obtains an IP address after it associates with the WLAN.
• Use the 802.1x authentication client on a STA and enter the correct user name and
password. The STA is authenticated and can access the WLAN. You must configure the
client for PEAP authentication. Both procedures below deselect Validate server
certificate, so the client does not verify the identity of the RADIUS server during
PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. Click OK. On the Wireless Network Properties page, click Advanced
settings. On the Advanced settings page that is displayed, select Specify
authentication mode, set the identity authentication mode to User
authentication, and click OK.
• After wireless users connect to the network, run the display access-user access-type
dot1x command on the AC to view users in 802.1x authentication mode. The user
huawei has gone online successfully.
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
UserID Username IP address    MAC            Status
------------------------------------------------------------------------------
460    huawei   10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return
• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
 ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
 ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 103
 port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 104
 port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
• Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
 ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name wlan-net
 dot1x-access-profile wlan-net
 authentication-scheme wlan-net
 radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
 radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
 radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
 authentication-scheme wlan-net
  authentication-mode radius
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 dot1x aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
 regulatory-domain-profile name default
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
dot1x-access-profile name wlan-net
#
return
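
The data plan of this example chains AP group, VAP profile, security/SSID/authentication profile, 802.1x access profile, authentication scheme, and RADIUS server template. The following is an added example, not part of the Huawei document, that parses an AC configuration file and checks that this chain resolves for every radio. The sample text is constructed from the AC configuration file of this example (one space of indentation per view level is assumed and the shared key is a placeholder), and the function names are hypothetical.

```python
import re

# Constructed sample: the AC configuration file of this example, assuming one
# space of indentation per view level; the shared key is a placeholder.
AC_CONFIG = """\
authentication-profile name wlan-net
 dot1x-access-profile wlan-net
 authentication-scheme wlan-net
 radius-server wlan-net
#
radius-server template wlan-net
 radius-server shared-key cipher <ciphertext-placeholder>
 radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
 authentication-scheme wlan-net
  authentication-mode radius
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 dot1x aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
#
dot1x-access-profile name wlan-net
return
"""

def parse_tree(text):
    """Turn indentation-nested configuration lines into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, children) of each open view
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, stack[-1][1].setdefault(line, {})))
    return root

def named(tree, keyword):
    """Map name -> subtree for '<keyword> name <x>' or '<keyword> <x>' lines."""
    pattern = re.compile(re.escape(keyword) + r"(?: name)? (\S+)")
    return {m.group(1): s for line, s in tree.items() if (m := pattern.fullmatch(line))}

def arg(subtree, keyword):
    """Argument text of the first child line starting with keyword, or None."""
    return next((line[len(keyword) + 1:] for line in subtree or {}
                 if line.startswith(keyword + " ")), None)

def audit(text):
    """Resolve AP group -> radio -> VAP profile -> bound profiles; list gaps."""
    tree = parse_tree(text)
    wlan = tree.get("wlan", {})
    auth_profiles = named(tree, "authentication-profile")
    dot1x = named(tree, "dot1x-access-profile")
    templates = named(tree, "radius-server template")
    schemes = named(tree.get("aaa", {}), "authentication-scheme")
    sec_profiles = named(wlan, "security-profile")
    ssid_profiles = named(wlan, "ssid-profile")
    vaps = named(wlan, "vap-profile")
    report, findings = [], []
    bindings = [(g, r, m.group(1))
                for g, gsub in named(wlan, "ap-group").items()
                for r, rsub in named(gsub, "radio").items()
                for line in rsub
                if (m := re.fullmatch(r"vap-profile (\S+) wlan \d+", line))]
    for group, radio, vap_name in bindings:
        where = f"{group} radio {radio} vap-profile {vap_name}"
        vap = vaps.get(vap_name)  # None if the VAP profile is not defined
        policy = arg(sec_profiles.get(arg(vap, "security-profile")), "security")
        ap = auth_profiles.get(arg(vap, "authentication-profile"))
        template = templates.get(arg(ap, "radius-server"))
        server = arg(template, "radius-server authentication")
        mode = arg(schemes.get(arg(ap, "authentication-scheme")), "authentication-mode")
        if policy is None:
            findings.append(f"{where}: security policy does not resolve")
        elif "dot1x" in policy.split() and arg(ap, "dot1x-access-profile") not in dot1x:
            findings.append(f"{where}: 802.1x policy, no 802.1x access profile")
        elif policy == "open" and ap is None:
            findings.append(f"{where}: open policy, no authentication profile")
        if mode == "radius" and None in (server, arg(template, "radius-server shared-key")):
            findings.append(f"{where}: RADIUS scheme, no server or shared key")
        report.append({"ssid": arg(ssid_profiles.get(arg(vap, "ssid-profile")), "ssid"),
                       "policy": policy, "vlan": arg(vap, "service-vlan vlan-id"),
                       "radius": server})
    return report, findings
```

Calling audit(AC_CONFIG) returns one report entry per radio and an empty findings list; removing a bound profile from the text produces one finding per affected radio.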


4.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal Authentication)

Service Requirements
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: MAC address-prioritized Portal authentication
• Security policy: open

Figure 4-2 Networking for configuring MAC address-prioritized Portal authentication


Data Planning

Table 4-2 AC data planning

| Item | Data |
| --- | --- |
| Management VLAN for APs | VLAN100 |
| Service VLAN for STAs | VLAN101 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway address of STAs is 10.23.101.2. |
| IP address pool for APs | 10.23.100.2–10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.3–10.23.101.254/24 |
| AC's source interface address | VLANIF100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profile: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: open |
| RADIUS authentication parameters | Name of the RADIUS authentication scheme: wlan-net. Name of the RADIUS accounting scheme: wlan-net. Name of the RADIUS server template: wlan-net (IP address: 10.23.102.1; Authentication port number: 1812; Shared key: Huawei123) |
| Portal server template | Name: wlan-net; IP address: 10.23.103.1; Destination port number in the packets that the AC sends to the Portal server: 50200; Portal shared key: Huawei123 |
| Portal access profile | Name: wlan-net; Referenced profile: Portal server template wlan-net |
| MAC access profile | Name: wlan-net |
| Authentication-free rule profile | Name: default_free_rule; Authentication-free resource: IP address of the DNS server (8.8.8.8) |
| Authentication profile | Name: wlan-net; Referenced profile: Portal access profile wlan-net, MAC access profile wlan-net, RADIUS server template wlan-net, authentication-free rule profile default_free_rule and authentication scheme wlan-net |
| VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profile: SSID profile wlan-net, security profile wlan-net and authentication profile wlan-net |

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure MAC address-prioritized Portal authentication.
a. Configure RADIUS server parameters.
b. Configure a Portal access profile to manage Portal access control parameters.
c. Configure a MAC access profile for MAC address-prioritized Portal authentication.
d. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
e. Configure an authentication profile to manage MAC address-prioritized Portal
authentication configuration.
4. Configure WLAN service parameters.
5. Configure third-party server interconnection parameters.


Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit


# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit

Step 4 Configure a default route on the AC with the Router's VLANIF 101 address (10.23.101.2) as the next hop.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 6 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.

# Configure a RADIUS server template.


[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.102.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher Huawei123
[AC-radius-wlan-net] quit

# Create an authentication scheme and configure the RADIUS authentication mode.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit

# Create an accounting scheme and configure the RADIUS accounting mode.


[AC-aaa] accounting-scheme wlan-net
[AC-aaa-accounting-wlan-net] accounting-mode radius
[AC-aaa-accounting-wlan-net] accounting realtime 15
[AC-aaa-accounting-wlan-net] quit
[AC-aaa] quit

NOTE

• In this example, the device is connected to the Agile Controller-Campus. The accounting function is not
used for actual accounting here; it is used to maintain terminal online information through
accounting packets.
• The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting
interval requires higher performance of the device and RADIUS server. Set the real-time accounting
interval based on the user quantity.

User Quantity    Real-Time Accounting Interval
1-99             3 minutes
100-499          6 minutes
500-999          12 minutes
≥ 1000           ≥ 15 minutes

Step 7 Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the user to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page
pushing. Before configuring the URL using a domain name, you must first configure the
mapping between the domain name and IP address of the Portal server on the DNS server.

NOTE
Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] url-parameter ssid ssid redirect-url url
[AC-url-template-wlan-net] quit

Step 8 Configure a Portal server template.


NOTE

Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] port 50200
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
[AC-web-auth-server-wlan-net] quit

Step 9 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit

Step 10 Configure a MAC access profile for MAC address-prioritized Portal authentication.
[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit

Step 11 Configure an authentication-free rule profile.


[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 8.8.8.8 mask 32
[AC-free-rule-default_free_rule] quit

Step 12 Configure the authentication profile wlan-net and enable MAC address-prioritized Portal
authentication.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] portal-access-profile wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] free-rule-template default_free_rule
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

Step 13 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile. By default, the
security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 14 Configure third-party server interconnection parameters.

For interconnection with the Agile Controller-Campus, see "Example for Configuring Portal
Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless
Users" in the Agile Controller-Campus Typical Configuration Examples.

For interconnection with other third-party servers, see the corresponding product manual.

Step 15 Verify the configuration.


• The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
• The STAs obtain IP addresses when they successfully associate with the WLAN.
• When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.
• Assume that the MAC address validity period configured on the server is 60 minutes. If a
user is disconnected from the wireless network for 5 minutes and reconnects to the
network, the user can directly access the network. If a user is disconnected from the
wireless network for 65 minutes and reconnects to the network, the user will be
redirected to the Portal authentication page.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
 dhcp server dns-list 8.8.8.8
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
 mac-access-profile wlan-net
 portal-access-profile wlan-net
 free-rule-template default_free_rule
 authentication-scheme wlan-net
 radius-server wlan-net
#
dhcp enable
#
aaa
 authentication-scheme wlan-net
  authentication-mode radius
 accounting-scheme wlan-net
  accounting-mode radius
  accounting realtime 15
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
capwap source interface vlanif100
#
radius-server template wlan-net
 radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
 radius-server authentication 10.23.102.1 1812 weight 80
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255
#
url-template name wlan-net
 url http://portal.com:8080/portal
#
web-auth-server wlan-net
 server-ip 10.23.103.1
 port 50200
 shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
 url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
#
portal-access-profile name wlan-net
 web-auth-server wlan-net direct
#
wlan
 security-profile name wlan-net
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
 ap-group name ap-group1
  regulatory-domain-profile default
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
mac-access-profile name wlan-net
#
return
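
The following is an added example, not Huawei's code: a small Python audit of a captured AC command transcript for the security-relevant choices made in Steps 6 to 8 and 13 (one key typed for the RADIUS server, the Portal server and the URL parameter encryption; an http Portal URL; a security profile left at the default open system policy). The rule names and function names are hypothetical, the transcript is constructed from the commands shown in this example, and the pass-phrase pattern also covers the PSK command form used in 4.1.3.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: AC commands copied from Steps 6-8 and 13 of this example.
TRANSCRIPT = """\
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.102.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher Huawei123
[AC-radius-wlan-net] quit
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] url-parameter ssid ssid redirect-url url
[AC-url-template-wlan-net] quit
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] port 50200
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
[AC-web-auth-server-wlan-net] quit
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit
"""

# Secrets printed in this guide; finding one in a live transcript means the
# documentation value was copied unchanged.
DOC_SAMPLE_SECRETS = {"Huawei123", "a1234567"}

PROMPT = re.compile(r"^\[([^\]]+)\]\s*(\S.*)$")
SECRET = re.compile(r"(?:^|\s)(shared-key cipher|key cipher|pass-phrase)\s+(\S+)")


def parse(transcript):
    """Yield (view, command) for each prompt line; device output is skipped."""
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            yield m.group(1), m.group(2).strip()


def audit(transcript):
    """Return a list of (rule_id, detail) findings. Rule ids are hypothetical."""
    findings = []
    uses = defaultdict(list)   # secret value -> where it was configured
    explicit_policy = {}       # security profile name -> 'security ...' seen?
    for view, cmd in parse(transcript):
        words = cmd.split()
        for m in SECRET.finditer(cmd):
            uses[m.group(2)].append(f"{view}: {m.group(1)}")
        if "-url-template-" in view and words[0] == "url" and len(words) > 1:
            if urlsplit(words[1]).scheme.lower() != "https":
                findings.append(("PORTAL_URL_NOT_HTTPS", words[1]))
        if words[:2] == ["security-profile", "name"] and len(words) > 2:
            explicit_policy.setdefault(words[2], False)
        if "-wlan-sec-prof-" in view and words[0] == "security":
            explicit_policy[view.split("-wlan-sec-prof-", 1)[1]] = True
    for value, places in uses.items():
        # Saved configuration files show keys as %^%#...%^%# ciphertext; anything
        # else in a transcript is the key as typed. Values are never reported.
        if not value.startswith("%^%#"):
            findings.append(("PLAINTEXT_SECRET_IN_TRANSCRIPT", places))
        if value in DOC_SAMPLE_SECRETS:
            findings.append(("DOCUMENTATION_SAMPLE_SECRET", places))
        if len(places) > 1:
            findings.append(("SECRET_REUSED", places))
    open_profiles = sorted(n for n, ok in explicit_policy.items() if not ok)
    for name in open_profiles:
        findings.append(("OPEN_SYSTEM_SECURITY_PROFILE", name))
    # Heuristic: this does not check that the open profile and the portal are
    # bound to the same VAP profile.
    if open_profiles and any(rule == "PORTAL_URL_NOT_HTTPS" for rule, _ in findings):
        findings.append(("PORTAL_LOGIN_UNENCRYPTED_OVER_AIR", open_profiles))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(TRANSCRIPT):
        print(rule, detail)
```

Run it over session logs or change-ticket attachments rather than the saved configuration file, because the saved file already stores the keys in ciphered form.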

4.1.3 Example for Configuring High-Density WLAN Services


Service Requirements
The WLAN of a stadium needs to provide access for a large number of users; therefore, APs
are placed in close proximity, causing severe interference. The IT department of the stadium
requires that the interference be eliminated to maximize Internet experience for users.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 4-3 Networking diagram for configuring a high-density WLAN

Data Planning

Table 4-3 Data planning

Item                             Data
Management VLAN for APs          VLAN 10 and VLAN 100
Service VLAN for STAs            VLAN pool
                                 • Name: sta-pool
                                 • VLANs in the VLAN pool: VLAN 101 and VLAN 102
DHCP server                      The AC functions as a DHCP server to assign IP addresses to APs.
                                 The aggregation switch (SwitchB) functions as a DHCP server to
                                 assign IP addresses to STAs.
IP address pool for APs          10.23.10.2-10.23.10.254/24
IP address pool for STAs         10.23.101.3-10.23.101.254/24
                                 10.23.102.3-10.23.102.254/24
AC's source interface address    VLANIF 100: 10.23.100.1/24
AP group                         • Name: ap-group1
                                 • Referenced profiles: VAP profile wlan-net, regulatory domain
                                   profile default, 2G radio profile default, and 5G radio
                                   profile wlan-radio5g
Regulatory domain profile        • Name: default
                                 • Country code: China
SSID profile                     • Name: wlan-net
                                 • SSID name: wlan-net
Security profile                 • Name: wlan-net
                                 • Security policy: WPA-WPA2+PSK+AES
                                 • Password: a1234567
VAP profile                      • Name: wlan-net
                                 • Forwarding mode: direct forwarding
                                 • Service VLAN: VLANs in the VLAN pool
                                 • Referenced profiles: SSID profile wlan-net, security profile
                                   wlan-net, and traffic profile wlan-traffic
RRM profile                      • Name: wlan-rrm
                                 • Automatic channel calibration: disabled
                                 • Automatic power calibration: disabled
                                 • Airtime fair scheduling: enable
                                 • Smart roaming: enable
2G radio profile                 • Name: wlan-radio2g
                                 • Referenced profile: RRM profile wlan-rrm
5G radio profile                 • Name: wlan-radio5g
                                 • Referenced profile: RRM profile wlan-rrm
Traffic profile                  • Name: wlan-traffic


Configuration Roadmap
1. Configure network interworking of the APs, AC, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Adjust WLAN high-density parameters.
You are advised to adjust WLAN high-density parameters according to Table 4-4.

Table 4-4 Adjustment recommendations

Adjustment item: Configure 5G-prior access
Purpose: To reduce the burden on the 2.4 GHz radio by preferentially connecting 5G-capable STAs to the 5 GHz radio when a large number of 2.4 GHz STAs exist on the network.
Recommendation: Enable band steering. By default, band steering is enabled.

Adjustment item: Remove the limit on the number of access users
Purpose: To make an AP offer wireless services to more users.
Recommendation: Increase the maximum number of access users to 128 for an SSID profile.

Adjustment item: Reduce the user association aging time
Purpose: To prevent users who frequently disconnect from the wireless network.
Recommendation: Set the association aging time to 1 minute.

Adjustment item: User isolation
Purpose: To prevent mobile terminals from exchanging a large number of ARP packets.
Recommendation: Enable user isolation on the AC.

Adjustment item: Limit user rates
Purpose: To prevent advantaged STAs from occupying too many rate sources and deteriorating service experience of disadvantaged STAs.
Recommendation: Limit the downstream rate of each STA to 2000 kbit/s in a VAP. Adjust the upstream rate according to actual situations. In this example, the upstream rate is set to 1000 kbit/s.

Adjustment item: Adjust AP channel and power
Purpose: To reduce interference between APs.
Recommendation:
• Channel: Prevent adjacent APs from working on overlapping channels. It is recommended that you configure channels 1, 9, 5, and 13 in a high-density WLAN environment.
• Power: Minimize AP power while ensuring that the RSSI is greater than -65 dBm at the edge of the AP's coverage area.

Adjustment item: Configure smart roaming
Purpose: To prevent weak-signal STAs from degrading user experience.
Recommendation: Enable smart roaming and set the SNR threshold to 15 dB.

Adjustment item: Enable airtime fair scheduling
Purpose: To ensure that wireless channel resources can be equally allocated to users.
Recommendation: Enable airtime fair scheduling.

Adjustment item: Set the RTS-CTS threshold
Purpose: To prevent hidden STAs.
Recommendation: Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.

Adjustment item: Adjust the interval at which Beacon frames are sent
Purpose: To improve the overall data traffic of APs.
Recommendation: Set the interval for sending Beacon frames to 160 ms.

Adjustment item: Set the guard interval (GI) mode to short GI
Purpose: To reduce extra overhead and improve AP transmission efficiency.
Recommendation: Set the GI mode to short GI.

Adjustment item: Configure the basic rate set
Purpose: To improve the overall AP throughput.
Recommendation: Delete low rates from the basic rate set.

Adjustment item: Configure the multicast rate
Purpose: To improve air interface efficiency.
Recommendation: Use the default values. By default, the multicast transmit rate of wireless packets is 11 Mbit/s for the 2.4 GHz radio and 6 Mbit/s for the 5 GHz radio.

Adjustment item: Configure the short preamble for a radio
Purpose: To improve the network synchronization performance.
Recommendation: Configure the short preamble. If some legacy NICs exist on the network, disable the short preamble function.

Adjustment item: Adjust EDCA parameters
Purpose: To improve user experience.
Recommendation: Set the EDCA parameters of AC_BE packets as follows:
• AP:
– ecwmin: 5
– ecwmax: 6
– aifsn: 3
• Client:
– ecwmin: 7
– ecwmax: 10
– aifsn: 3

5. Deliver WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLANs 10, 101, and 102. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.


# Add GE0/0/1 on the AC to VLAN 100 and create VLANIF 100.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

# On the AC, create a global IP address pool to assign IP addresses to APs.


[AC] dhcp enable
[AC] ip pool huawei
[AC-ip-pool-huawei] network 10.23.10.0 mask 24
[AC-ip-pool-huawei] gateway-list 10.23.10.1
[AC-ip-pool-huawei] option 43 sub-option 3 ascii 10.23.100.1
[AC-ip-pool-huawei] quit
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select global
[AC-Vlanif100] quit

Step 4 Configure a VLAN pool for service VLANs.


# On the AC, create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the
VLAN assignment algorithm to hash in the VLAN pool.
NOTE

This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add more VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.10.254  AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1
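
Because APs are imported offline by MAC address and admitted with MAC address authentication (Step 5 here and Step 5 of the previous example), the display ap all output is worth reconciling against the deployment inventory instead of only checking for nor. The following added example, not Huawei's code, does that in Python; the inventory, the rule names, the extra AP rows (documentation-range MAC addresses) and the fault state token are constructed for illustration, and AP names are assumed to contain no spaces.

```python
import re

# Constructed sample in the display ap all layout, with the header wrapped as a
# narrow terminal prints it. Row 0 is this example's AP; rows 1-2 are invented.
DISPLAY_AP_ALL = """\
Total AP information:
nor  : normal          [2]
fault: fault           [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA
Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.10.254 AP5030DN nor 0 10S
1 0000-5e00-5301 area_2 ap-group1 10.23.10.253 AP5030DN fault 0 -
2 0000-5e00-5302 area_9 ap-group1 10.23.10.252 AP5030DN nor 3 2M:5S
--------------------------------------------------------------------------------
Total: 3
"""

# Constructed inventory: AP MAC -> (expected name, expected AP group).
INVENTORY = {
    "60de-4476-e360": ("area_1", "ap-group1"),
    "0000-5e00-5301": ("area_2", "ap-group1"),
    "0000-5e00-5303": ("area_3", "ap-group1"),
}

ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<mac>(?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+(?P<name>\S+)\s+"
    r"(?P<group>\S+)\s+(?P<ip>\S+)\s+(?P<type>\S+)\s+(?P<state>\S+)\s+"
    r"(?P<sta>\d+)\s+(?P<uptime>\S+)\s*$",
    re.IGNORECASE,
)
TOTAL = re.compile(r"^\s*Total:\s*(\d+)\s*$")


def parse_display_ap_all(text):
    """Return (rows, declared_total); header, legend and rule lines are ignored."""
    rows, declared = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["mac"] = row["mac"].lower()
            rows.append(row)
            continue
        t = TOTAL.match(line)
        if t:
            declared = int(t.group(1))
    return rows, declared


def reconcile(text, inventory):
    """Return (rule_id, mac, detail) findings for the output versus the inventory."""
    rows, declared = parse_display_ap_all(text)
    findings, seen = [], set()
    for r in rows:
        mac = r["mac"]
        seen.add(mac)
        expected = inventory.get(mac)
        if expected is None:
            # An AP that nobody planned is the case to investigate first.
            findings.append(("UNKNOWN_AP", mac, f"{r['name']} at {r['ip']}"))
            continue
        if (r["name"], r["group"]) != expected:
            findings.append(("NAME_OR_GROUP_MISMATCH", mac, f"{r['name']}/{r['group']}"))
        if r["state"] != "nor":
            # Only nor is defined on this page; every other state is reported.
            findings.append(("NOT_NORMAL", mac, r["state"]))
    for mac in sorted(set(inventory) - seen):
        findings.append(("MISSING_AP", mac, inventory[mac][0]))
    if declared is not None and declared != len(rows):
        # A truncated capture must not pass as a clean result.
        findings.append(("ROW_COUNT_MISMATCH", "-", f"Total: {declared}, parsed {len(rows)}"))
    return findings


if __name__ == "__main__":
    for finding in reconcile(DISPLAY_AP_ALL, INVENTORY):
        print(*finding)
```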

Step 6 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Adjust WLAN high-density parameters.


1. Adjust VAP profile parameters.

# Enable the band steering function. By default, the band steering function is enabled.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] undo band-steer disable

# Enable the broadcast flood detection function and set a broadcast flood threshold. By
default, the broadcast flood detection function is enabled.
[AC-wlan-vap-prof-wlan-net] undo anti-attack broadcast-flood disable
[AC-wlan-vap-prof-wlan-net] quit

2. Adjust SSID profile parameters.

# Set the maximum number of STAs associated with a VAP to 128, association timeout
period to 1 minute, and EDCA parameters for AC_BE packets of STAs.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] max-sta-number 128
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] association-timeout 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10
[AC-wlan-ssid-prof-wlan-net] quit

3. Create a traffic profile and adjust traffic profile parameters.

# Create traffic profile wlan-traffic and set the rate limit for upstream and downstream
traffic to 4000 kbit/s.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client down 4000
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client up 4000
[AC-wlan-traffic-prof-wlan-traffic] quit

# Bind the traffic profile to the VAP profile.


[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit

4. Create an RRM profile, disable automatic calibration, enable airtime fair scheduling and
smart roaming, and set the SNR-based threshold for smart roaming to 15 dB.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-rrm] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-rrm] airtime-fair-schedule enable
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-rrm-prof-wlan-rrm] smart-roam enable
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold check-snr
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold snr 15
[AC-wlan-rrm-prof-wlan-rrm] quit

5. Create a 2G radio profile and adjust 2G radio profile parameters.

Create 2G radio profile wlan-radio2g and set the parameters as follows:
– Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Enable the short preamble function. By default, the short preamble function is
supported by a radio profile.
– Set the GI mode to short GI.
– Set the 802.11bg basic rate to 6 Mbit/s, 9 Mbit/s, 12 Mbit/s, 18 Mbit/s, 24 Mbit/s,
36 Mbit/s, 48 Mbit/s, or 54 Mbit/s.
– Set the multicast rate to 11 Mbit/s.
– Set EDCA parameters for AC_BE packets: AIFSN (3); ECWmin (5); ECWmax (6).
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rts-cts-mode rts-cts
[AC-wlan-radio-2g-prof-wlan-radio2g] rts-cts-threshold 1400
[AC-wlan-radio-2g-prof-wlan-radio2g] beacon-interval 160
[AC-wlan-radio-2g-prof-wlan-radio2g] undo short-preamble disable
[AC-wlan-radio-2g-prof-wlan-radio2g] guard-interval-mode short
[AC-wlan-radio-2g-prof-wlan-radio2g] dot11bg basic-rate 6 9 12 18 24 36 48 54
[AC-wlan-radio-2g-prof-wlan-radio2g] multicast-rate 11
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6

# Bind RRM profile wlan-rrm to the radio profile.


[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

6. Create a 5G radio profile and adjust 5G radio profile parameters.


Create 5G radio profile wlan-radio5g and set the parameters as follows:
– Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short GI.
– Set the multicast rate to 6 Mbit/s.
– Set EDCA parameters for AC_BE packets: AIFSN (3); ECWmin (5); ECWmax (6).
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rts-cts-mode rts-cts
[AC-wlan-radio-5g-prof-wlan-radio5g] rts-cts-threshold 1400
[AC-wlan-radio-5g-prof-wlan-radio5g] beacon-interval 160
[AC-wlan-radio-5g-prof-wlan-radio5g] guard-interval-mode short
[AC-wlan-radio-5g-prof-wlan-radio5g] multicast-rate 6
[AC-wlan-radio-5g-prof-wlan-radio5g] wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6

# Bind RRM profile wlan-rrm to the radio profile.


[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

Step 8 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.

[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 9 Verify the configuration.


WLAN service configuration is automatically delivered to the APs. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

When a large number of users connect to the network in the stadium, they still have a good
Internet experience.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable
#
return
• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100 to 102
#
dhcp enable
#
interface Vlanif10
ip address 10.23.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
traffic-profile name wlan-traffic
rate-limit client up 4000
rate-limit client down 4000
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#wQ}eV*m'Y#f6Mj@h#DxTLrKaYm|)pBm@w$(jpeqE%^%# aes
ssid-profile name wlan-net
ssid wlan-net
association-timeout 1
max-sta-number 128
wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0
vap-profile name wlan-net
service-vlan vlan-pool sta-pool
ssid-profile wlan-net
security-profile wlan-net
traffic-profile wlan-traffic
anti-attack broadcast-flood sta-rate-threshold 50
regulatory-domain-profile name default
rrm-profile name wlan-rrm
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
airtime-fair-schedule enable
smart-roam enable
smart-roam roam-threshold snr 15
radio-2g-profile name wlan-radio2g
dot11bg basic-rate 6 9 12 18 24 36 48 54
beacon-interval 160
guard-interval-mode short
multicast-rate 11
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
radio-5g-profile name wlan-radio5g
beacon-interval 160
guard-interval-mode short
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
multicast-rate 6
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 60 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return

4.1.4 Example for Configuring WLAN Backhaul


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Considering the high costs of wired AP deployment, enterprises need to set up
wireless distribution system (WDS) links for wireless backhaul to provide service coverage,
ensuring that enterprise users can access the WLAN.

Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_A) functions as a DHCP server to assign IP
addresses to STAs.
• Wireless backhaul mode: hand-in-hand WDS
• Backhaul radio: 5 GHz
• Service data forwarding mode: direct forwarding


Figure 4-4 Networking diagram for configuring hand-in-hand WDS services

Data Planning

Table 4-5 AP data planning

AP     Type       MAC Address
-----  ---------  --------------
AP_1   AP8130DN   60de-4474-9640
AP_2   AP8130DN   dcd2-fc04-b500
AP_3   AP8130DN   dcd2-fc96-e4c0

Table 4-6 AC data planning

Item                               Data
---------------------------------  ------------------------------------------------
Management VLAN for APs            VLAN 100

Service VLAN for STAs              VLAN 101

DHCP server                        The AC functions as a DHCP server to assign IP
                                   addresses to APs. Switch_A functions as a DHCP
                                   server to assign IP addresses to STAs.

IP address pool for APs            10.23.100.2-10.23.100.254/24

IP address pool for STAs           10.23.101.3-10.23.101.254/24

AC's source interface address      VLANIF 100

WDS mode                           • Radio 1 on AP_1: root
                                   • Radio 1 on AP_2: leaf
                                   • Radio 0 on AP_2: root
                                   • Radio 1 on AP_3: leaf

Regulatory domain profile          • Name: default
                                   • Country code: CN

SSID profile                       • Name: wlan-net
                                   • SSID name: wlan-net

Wireless service security profile  • Name: wlan-net
                                   • Security policy: WPA-WPA2+PSK+AES
                                   • Password: a1234567

VAP profile                        • Name: wlan-net
                                   • Forwarding mode: direct forwarding
                                   • Service VLAN: VLAN 101
                                   • Referenced profiles: SSID profile wlan-net and
                                     security profile wlan-net

WDS link security profile          • Name: wds-security
                                   • Security policy: WPA2+PSK+AES
                                   • Password type: PASS-PHRASE
                                   • Password: a1234567

WDS whitelist profile              • Name: wds-list1
                                   • AP MAC address: MAC address of AP_2 (leaf)

                                   • Name: wds-list2
                                   • AP MAC address: MAC address of AP_3 (leaf)

WDS profile                        • Name: wds-root
                                   • WDS name: wlan-wds
                                   • WDS working mode: root
                                   • Tagged VLAN: VLAN 101
                                   • Referenced profile: security profile wds-security

                                   • Name: wds-leaf
                                   • WDS name: wlan-wds
                                   • WDS working mode: leaf
                                   • Tagged VLAN: VLAN 101
                                   • Referenced profile: security profile wds-security

AP group                           • Name: ap-group1
                                   • Root APs, such as AP_1, are added to the group.
                                   • Referenced profiles: WDS profile wds-root, VAP
                                     profile wlan-net, and regulatory domain profile
                                     default

                                   • Name: ap-group2
                                   • Root and leaf APs, such as AP_2, are added to
                                     the group.
                                   • Referenced profiles: WDS profiles wds-root and
                                     wds-leaf, VAP profile wlan-net, and regulatory
                                     domain profile default

                                   • Name: ap-group3
                                   • Leaf APs, such as AP_3, are added to the group.
                                   • Referenced profiles: WDS profile wds-leaf, VAP
                                     profile wlan-net, and regulatory domain profile
                                     default

Configuration Roadmap
1. Configure root node AP_1 to go online on the AC.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
2. Configure WDS services so that APs in and Area C can go online through WDS wireless
virtual links.
3. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• Select proper antennas by following the WDS network planning and design, and use the
antenna calibration tool for calibration.
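
The port-isolation note above can be checked against a switch configuration file. The following is an added example, not part of the Huawei document: it parses a configuration in the layout used in this document and reports trunk ports whose PVID is the AP management VLAN but that lack port-isolate enable. Treating "PVID equals management VLAN" as the marker of an AP-facing port is an assumption taken from Switch_B in this example, and the sample configuration is constructed.

```python
import re

# Constructed sample in the configuration-file layout used in this document.
# GE0/0/1 and GE0/0/2 mirror Switch_B from this example; GE0/0/4 is a
# constructed AP-facing port that was added without port isolation.
SAMPLE_CONFIG = """\
#
sysname Switch_B
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
return
"""


def expand_vlans(spec):
    """Expand allow-pass arguments such as '10 101 to 102' into a set of IDs."""
    tokens = spec.split()
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_interfaces(config_text):
    """Map each interface name to the statements in its section."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()  # tolerate listings whose indentation was lost
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("#", "return"):
            current = None  # '#' ends a section
        elif line and current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_port_isolation(config_text, mgmt_vlan):
    """Report AP-facing trunk ports that lack 'port-isolate enable'.

    Assumption: a port is AP-facing when its PVID is the AP management VLAN,
    as on Switch_B GE0/0/1 in this example.
    """
    findings = []
    for name, stmts in parse_interfaces(config_text).items():
        pvid, allowed = None, set()
        for stmt in stmts:
            m = re.fullmatch(r"port trunk pvid vlan (\d+)", stmt)
            if m:
                pvid = int(m.group(1))
            m = re.fullmatch(r"port trunk allow-pass vlan (.+)", stmt)
            if m:
                allowed |= expand_vlans(m.group(1))
        if pvid == mgmt_vlan and "port-isolate enable" not in stmts:
            findings.append({
                "interface": name,
                # VLANs whose broadcasts can reach other AP ports via this one
                "flood_vlans": sorted(allowed),
            })
    return findings


if __name__ == "__main__":
    for f in audit_port_isolation(SAMPLE_CONFIG, mgmt_vlan=100):
        print(f"{f['interface']}: no port isolation, VLANs {f['flood_vlans']}")
```
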

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit

# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


# On the AC, configure GE0/0/1 to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure Switch_A as a DHCP server to assign IP addresses to STAs from the interface
address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server gateway-list 10.23.101.2
[Switch_A-Vlanif101] quit

# Enable DHCP on the AC to assign IP addresses to the APs from the interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 4 Configure an AP to go online.


# Create AP groups ap-group1, ap-group2, and ap-group3.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group3] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Add AP_1, AP_2, and AP_3 to AP group ap-group1, ap-group2, and ap-group3,
respectively.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fc96-e4c0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group ap-group3
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit

Step 5 Set WDS service parameters.

# Set key radio parameters for the WDS nodes. In this example, AP_1 and AP_3 use radio 1,
and AP_2 uses radio 0 and radio 1. Configure radio 0 of AP_2 to work on the 5 GHz
frequency band. To reduce channel interference, configure radio 0 and radio 1 of AP_2 to
work on different channels. Radio 1 and radio 0 of AP_2 are used to establish WDS links
with AP_1 and AP_3, respectively. The coverage distance parameter specifies the radio
coverage distance in units of 100 m; the default value is 3. In this example, 4 is used. Set
this parameter based on the actual situation.
NOTE

On a WDS network, radios used to create WDS links must work on the same channel.


[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] frequency 5g
Warning: Modifying the frequency band will delete the channel, power, and antenna gain configurations of the current radio on the AP and reboot the AP. Continue?[Y/N]:y
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/1] coverage distance 4
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/0] coverage distance 4
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] radio 1
[AC-wlan-radio-2/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/1] coverage distance 4
[AC-wlan-radio-2/1] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3
[AC-wlan-ap-3] radio 1
[AC-wlan-radio-3/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-3/1] coverage distance 4
[AC-wlan-radio-3/1] quit
[AC-wlan-ap-3] quit

# Configure security profile wds-security for WDS links. The security policy for the security
profile is WPA2+PSK+AES.
[AC-wlan-view] security-profile name wds-security
[AC-wlan-sec-prof-wds-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wds-security] quit

# Configure a WDS whitelist profile. Bind WDS whitelist profile wds-list1 to AP_1, and
allow access of only AP_2. Bind WDS whitelist profile wds-list2 to AP_2, and allow access
of only AP_3.
[AC-wlan-view] wds-whitelist-profile name wds-list1
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac dcd2-fc04-b500
[AC-wlan-wds-whitelist-wds-list1] quit
[AC-wlan-view] wds-whitelist-profile name wds-list2
[AC-wlan-wds-whitelist-wds-list2] peer-ap mac dcd2-fc96-e4c0
[AC-wlan-wds-whitelist-wds-list2] quit

# Configure WDS profile wds-root. Set the WDS name to wlan-wds, and the WDS mode to
root. Bind security profile wds-security to the WDS profile and permit packets from VLAN
101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-root
[AC-wlan-wds-prof-wds-root] wds-name wlan-wds
[AC-wlan-wds-prof-wds-root] wds-mode root
[AC-wlan-wds-prof-wds-root] security-profile wds-security
[AC-wlan-wds-prof-wds-root] vlan tagged 101
[AC-wlan-wds-prof-wds-root] quit

# Configure WDS profile wds-leaf. Set the WDS name to wlan-wds, and the WDS mode to
leaf. Bind security profile wds-security to the WDS profile and permit packets from VLAN
101 to pass through in tagged mode.

[AC-wlan-view] wds-profile name wds-leaf
[AC-wlan-wds-prof-wds-leaf] wds-name wlan-wds
[AC-wlan-wds-prof-wds-leaf] wds-mode leaf
[AC-wlan-wds-prof-wds-leaf] security-profile wds-security
[AC-wlan-wds-prof-wds-leaf] vlan tagged 101
[AC-wlan-wds-prof-wds-leaf] quit

# Bind WDS whitelist profile wds-list1 to radio 1 of AP group ap-group1, and bind WDS
whitelist profile wds-list2 to radio 1 of AP group ap-group2.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] wds-whitelist-profile wds-list1
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] radio 1
[AC-wlan-group-radio-ap-group2/1] wds-whitelist-profile wds-list2
[AC-wlan-group-radio-ap-group2/1] quit
[AC-wlan-ap-group-ap-group2] quit

Step 6 Bind required profiles to the AP groups to make WDS services take effect.
# Bind WDS profile wds-root to AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wds-profile wds-root radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

# Bind WDS profiles wds-root and wds-leaf to AP group ap-group2.


[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] wds-profile wds-leaf radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] wds-profile wds-root radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] quit

# Bind WDS profile wds-leaf to AP group ap-group3.


[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] wds-profile wds-leaf radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group3] quit

Step 7 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP groups. In this example, radio 1 on AP_1 and AP_3 is used
for WDS backhaul, and radio 0 for wireless service coverage. Apply VAP profile wlan-net to
radio 0 of AP_1 and AP_3.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] vap-profile wlan-net wlan 3 radio 0
[AC-wlan-ap-group-ap-group3] quit

Step 8 Configure the channel and power for the 2.4 GHz radio.
NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/0] eirp 127
[AC-wlan-radio-1/0] quit
[AC-wlan-ap-1] quit

Step 9 Verify the configuration.


# After the configuration is complete, run the display ap all command to check whether WDS
nodes go online successfully. If State is displayed as nor, APs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
-------------------------------------------------------------------------------------
ID  MAC             Name  Group      IP             Type      State  STA  Uptime
-------------------------------------------------------------------------------------
1   60de-4474-9640  AP_1  ap-group1  10.23.100.254  AP8130DN  nor    0    20M:16S
2   dcd2-fc04-b500  AP_2  ap-group2  10.23.100.253  AP8130DN  nor    0    17S
3   dcd2-fc96-e4c0  AP_3  ap-group3  10.23.100.252  AP8130DN  nor    0    3M:55S
-------------------------------------------------------------------------------------
Total: 3

Run the display wlan wds link all command to display information about WDS links.
[AC-wlan-view] display wlan wds link all
Rf   : radio ID         Dis  : coverage distance(100m)
Ch   : channel          Per  : drop percent(%)
TSNR : total SNR(dB)    P-   : peer
WDS  : WDS mode         Re   : retry ratio(%)
RSSI : RSSI(dBm)        MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   WDS   P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------------------
AP_1    AP_2      1   4    157  root  normal    -39   -30   0    5   55    42/57/-
AP_2    AP_3      0   4    149  root  normal    -56   -40   0    9   59    45/40/60
AP_2    AP_1      1   4    157  leaf  normal    -32   -30   0    15  58    41/36/60
AP_3    AP_2      1   4    149  leaf  normal    -33   -32   0    7   59    51/59/-
-------------------------------------------------------------------------------------------------
Total: 4

The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
1 AP_1 0 1 60DE-4474-9640 ON WPA/WPA2-PSK 0 wlan-net
3 AP_3 0 3 DCD2-FC96-E4C0 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
--------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
--------------------------------------------------------------------------------------
e019-1dc7-1e08  1      AP_1     0/1      2.4G  11n   3/34   -68   101   10.23.101.254
--------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

----End

Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
• Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
security-profile name wds-security
security wpa2 psk pass-phrase %^%#n}5+DgC3wLB.hJ34j5;*QMv<8"9#{Bq@ghBI3L9K%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
wds-whitelist-profile name wds-list1
peer-ap mac dcd2-fc04-b500
wds-whitelist-profile name wds-list2
peer-ap mac dcd2-fc96-e4c0
wds-profile name wds-leaf
security-profile wds-security
vlan tagged 101
wds-name wlan-wds
wds-profile name wds-root
security-profile wds-security
vlan tagged 101
wds-name wlan-wds
wds-mode root
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 3
radio 1
wds-profile wds-root
wds-whitelist-profile wds-list1
ap-group name ap-group2
radio 0
wds-profile wds-root
wds-whitelist-profile wds-list2
radio 1
wds-profile wds-leaf
ap-group name ap-group3
radio 0
vap-profile wlan-net wlan 1
radio 1
wds-profile wds-leaf
ap-id 1 type-id 39 ap-mac 60de-4474-9640 ap-sn 210235554710CB000042
ap-name AP_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 40mhz-plus 157
coverage distance 4
ap-id 2 type-id 39 ap-mac dcd2-fc04-b500 ap-sn 210235555310CC000094
ap-name AP_2
ap-group ap-group2
radio 0
frequency 5g
channel 40mhz-plus 149
eirp 127
coverage distance 4
radio 1
channel 40mhz-plus 157
eirp 127
coverage distance 4
ap-id 3 type-id 39 ap-mac dcd2-fc96-e4c0 ap-sn 210235557610DB000046
ap-name AP_3
ap-group ap-group3
radio 0
channel 20mhz 11
eirp 127
radio 1
channel 40mhz-plus 149
coverage distance 4
#
return

4.1.5 Example for Configuring Rail Transportation WLAN Services

Service Requirements
To reduce network deployment costs and better serve passengers, a rail transportation
enterprise wants to use WLAN technology to implement vehicle-ground communications and
expects that multicast servers on the ground network can deliver multimedia information
services to passengers.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
• Backhaul radio: 5 GHz radio

Figure 4-5 Networking for configuring vehicle-ground fast link handover

Data Planning

Table 4-7 AP information

AP                                  Type       MAC Address
Trackside AP (L1_001)               AP9132DN   0046-4b59-1d10
Trackside AP (L1_003)               AP9132DN   0046-4b59-1d20
Trackside AP (L1_010)               AP9132DN   0046-4b59-1d30
Trackside AP (L1_150)               AP9132DN   0046-4b59-1d40
Trackside AP (L1_160)               AP9132DN   0046-4b59-1d50
Trackside AP (L1_170)               AP9132DN   0046-4b59-1d60
......
Vehicle-mounted AP (in the front)   AP9132DN   0046-4b59-2e10
Vehicle-mounted AP (in the rear)    AP9132DN   0046-4b59-2e20
.......

Table 4-8 Data planning

Item                                                Data
Management VLAN                                     VLAN 100
Multicast service VLAN                              VLAN 101
Service VLAN for STAs                               VLAN 200
DHCP server                                         • Configure the AC as a DHCP server to assign IP addresses to trackside APs.
                                                    • Configure Switch_A as a DHCP server to assign IP addresses to vehicle-mounted terminals.
AC's source interface address                       VLANIF 100: 10.23.100.1/24
Gateway address                                     IP address of VLANIF 101 on Switch_A: 10.23.224.1/24
IP address pool for trackside APs                   10.23.100.2-10.23.100.254/24
IP address pool for vehicle-mounted terminals       10.23.224.4-10.23.224.254/24
AP group to which trackside APs belong              Name: mesh-mpp
IDs of trackside APs                                • Trackside AP (L1_001): 1
                                                    • Trackside AP (L1_003): 2
                                                    • Trackside AP (L1_010): 3
                                                    • Trackside AP (L1_150): 101
                                                    • Trackside AP (L1_160): 102
                                                    • Trackside AP (L1_170): 103
AP wired port profile                               • Name: wired-port
Security profile                                    • Name: sp01
                                                    • Security policy: WPA2+PSK+AES
                                                    • Password type: PASS-PHRASE
                                                    • Authentication key: a1234567
AP system profile                                   • Name: mesh-sys
                                                    • Mesh role: Mesh-portal
Mesh profile                                        Trackside APs:
                                                    • Name: mesh-net
                                                    • Identifier: mesh-net
                                                    Vehicle-mounted APs:
                                                    • Name: mesh-net
                                                    • Identifier: mesh-net
Mesh handover profile                               Trackside APs:
                                                    • Name: hand-over
                                                    Vehicle-mounted APs:
                                                    • Name: hand-over
Mesh whitelist on trackside APs                     Name: whitelist01
                                                    Add MAC addresses of all vehicle-mounted APs on trains running on the rail to the whitelist according to actual situations.
Mesh whitelist on vehicle-mounted APs               Name: whitelist01
                                                    Add MAC addresses of all trackside APs along the rail line to the whitelist according to actual situations.
MAC address of the proxied ground device            • Gateway: 707b-e8e9-d328
                                                    • Network management device: 286e-d488-12cd
                                                    • Multicast source: 286e-d488-b6ab
MAC address of the proxied vehicle-mounted device   • Vehicle-mounted terminal_1: 286e-d488-d359
                                                    • Vehicle-mounted terminal_2: 286e-d488-d270
Multicast group                                     225.1.1.1-225.1.1.3

Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted AP can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications.
NOTE

• This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
Fat AP mode as the vehicle-mounted APs.
• Switches and routers used in this example are all Huawei products.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission, multicast packets
are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may become congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
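
The port-isolation note above can be checked against saved switch configuration files. The following Python audit is an added example, not part of Huawei's document: it flags AP-facing trunk ports that lack port-isolate or that allow VLANs beyond the planned ones. Treating a trunk port whose PVID is the management VLAN as AP-facing is an assumption taken from how this page configures such ports, and the function names are hypothetical.

```python
import re

# Switch_B configuration file from the WDS example earlier on this page.
WDS_SWITCH_B = """\
#
sysname Switch_B
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return
"""

# Constructed sample: the file that the Switch_B commands in step e of the rail
# example would produce. That step enters no port-isolate command.
RAIL_SWITCH_B = WDS_SWITCH_B.replace(" port-isolate enable group 1\n", "")


def parse_interfaces(config_text):
    """Split a saved configuration file into {interface name: [command lines]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("#", "return"):
            current = None          # "#" closes the current section
        elif current and line:
            interfaces[current].append(line)
    return interfaces


def expand_vlans(tokens):
    """Expand ['100', 'to', '101', '200'] or ['all'] into a set of VLAN IDs."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit_ap_ports(config_text, mgmt_vlan, expected_vlans):
    """Return (interface, finding) pairs for AP-facing trunk ports.

    Assumption: a port is AP-facing when its trunk PVID is the management VLAN.
    """
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        pvid, allowed, isolated = None, set(), False
        for line in lines:
            m = re.fullmatch(r"port trunk pvid vlan (\d+)", line)
            if m:
                pvid = int(m.group(1))
            elif line.startswith("port trunk allow-pass vlan "):
                allowed |= expand_vlans(line.split()[4:])
            elif line.startswith("port-isolate enable"):
                isolated = True
        if pvid != mgmt_vlan:
            continue                # uplink or non-AP port, not audited here
        if not isolated:
            findings.append((name, "AP-facing port without port isolation"))
        extra = sorted(allowed - set(expected_vlans))
        if extra:
            findings.append(
                (name, "unexpected VLANs allowed: " + ", ".join(map(str, extra)))
            )
    return findings


if __name__ == "__main__":
    for label, text in (("WDS Switch_B", WDS_SWITCH_B), ("Rail Switch_B", RAIL_SWITCH_B)):
        print(label, audit_ap_ports(text, 100, {100, 101}))
```
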


Procedure
• Configure ground network devices.
a. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add
interfaces GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to
allow packets from VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4
to VLAN 101. Add GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and
configure GE0/0/5 to allow packets from VLAN 200 to pass through. Configure
GE0/0/1, GE0/0/2, and GE0/0/6 to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit

b. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP
server function to assign IP addresses for vehicle-mounted terminals.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[Switch_A-Vlanif101] quit

c. Configure an IP address for VLANIF 200 on Switch_A and specify the IP address
of GE1/0/0 on the router as the next hop address of the default route so that packets
from the vehicle-ground communication network can be forwarded to the egress
router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1

d. Configure an IP address for GE1/0/0 on Router and configure routes to the internal
network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 24 10.23.200.2
[Router] ip route-static 10.23.100.0 24 10.23.200.2

NOTE
You can configure routes to external networks and the NAT function on the egress router
according to service requirements to ensure normal communications between internal and
external networks.
e. Configure Switch_B and Switch_C to enable Layer 2 communications between
trackside APs and the ground network.

# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100 (management VLAN for trackside APs).

# Configure other interfaces connected to trackside APs on Switch_B according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set
their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] quit

# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100.

# Configure other interfaces connected to trackside APs on Switch_C according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set
their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/1] quit

f. Enable Layer 2 multicast on Switch_A, Switch_B, and Switch_C to allow them to
properly forward multicast data.

# Enable IGMP snooping globally on Switch_A.
[Switch_A] igmp-snooping enable

# Enable IGMP snooping in VLAN 101 on Switch_A.
[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping enable
[Switch_A-vlan101] quit

# Configure multicast group filter policies on Switch_A.
[Switch_A] acl 2000
[Switch_A-acl-basic-2000] rule permit source 225.1.1.1 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.2 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.3 0
[Switch_A-acl-basic-2000] quit

# Apply the multicast group filter policies in VLAN 101 on Switch_A.
[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping group-policy 2000
[Switch_A-vlan101] quit
[Switch_A] quit

# Complete multicast configuration on Switch_B and Switch_C according to the
multicast configuration procedure of Switch_A.

# Configure the fast leave function on Switch_B and Switch_C.

NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast
services. If the trackside APs are not directly connected to the switches or Layer 3
multicast is configured, you cannot configure the fast leave function because this
function may interrupt multicast services.

[Switch_B] vlan 101
[Switch_B-vlan101] igmp-snooping prompt-leave group-policy 2000
[Switch_C] vlan 101
[Switch_C-vlan101] igmp-snooping prompt-leave group-policy 2000
g. Configure the AC to enable it to communicate with trackside APs at Layer 2.

# Create VLAN 100 on the AC and configure GE0/0/1 to allow packets from
VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

# Configure the AC as a DHCP server to assign IP addresses to trackside APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

h. Configure the AP group, country code, and AC's source interface.

# Create the AP group mesh-mpp and add trackside APs that require the same
configuration to the group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Add trackside APs to the AP group mesh-mpp.


NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 0046-4b59-1d10
[AC-wlan-ap-1] ap-name L1_001
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 0046-4b59-1d20
[AC-wlan-ap-2] ap-name L1_003
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 0046-4b59-1d30
[AC-wlan-ap-3] ap-name L1_010
[AC-wlan-ap-3] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 101 ap-mac 0046-4b59-1d40
[AC-wlan-ap-101] ap-name L1_150
[AC-wlan-ap-101] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 0046-4b59-1d50
[AC-wlan-ap-102] ap-name L1_160
[AC-wlan-ap-102] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac 0046-4b59-1d60
[AC-wlan-ap-103] ap-name L1_170
[AC-wlan-ap-103] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit


i. Configure the trackside APs' uplink wired interfaces to allow packets from VLAN
101 to pass through.
# Configure the wired port profile wired-port and add the wired interfaces to
VLAN 101 in tagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit

# Bind the wired port profile wired-port to the AP group mesh-mpp.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit

j. Configure Mesh parameters.


# Create the Mesh whitelist whitelist01 and add MAC addresses of vehicle-
mounted APs to the Mesh whitelist.
[AC-wlan-view] mesh-whitelist name whitelist01
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e10
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e20
[AC-wlan-mesh-whitelist-whitelist01] quit

# Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# Configure the security profile sp01 used by Mesh links. The sp01 supports the
security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-sp01] quit

# Configure the Mesh role. Set the Mesh role of trackside APs to Mesh-portal
through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit

# Configure the Mesh handover profile hand-over and enable the location-based
fast link handover algorithm.
[AC-wlan-view] mesh-handover-profile name hand-over
[AC-wlan-mesh-handover-hand-over] location-based-algorithm enable
[AC-wlan-mesh-handover-hand-over] quit

# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] security-profile sp01
[AC-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AC-wlan-mesh-prof-mesh-net] quit

k. Apply the Mesh parameters to radios of trackside APs.


# Configure the radio and channel used by trackside APs and apply the Mesh
whitelist, Mesh profile, and AP system profile.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile whitelist01
[AC-wlan-group-radio-mesh-mpp/1] mesh-profile mesh-net
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] quit
[AC] quit

• Configure vehicle-mounted network devices.


NOTE
This example provides the detailed configuration procedure of the vehicle-mounted AP in the front of
the train. The configuration procedure of the vehicle-mounted AP in the rear is similar to that of the
vehicle-mounted AP in the front.
a. Create VLAN 101 on the vehicle-mounted APs, configure GE0/0/1 to allow packets
from VLAN 101 to pass through, and set the PVID of GE0/0/1 to VLAN 101.
<Huawei> system-view
[Huawei] sysname AP
[AP] vlan batch 101
[AP] interface gigabitethernet 0/0/1
[AP-GigabitEthernet0/0/1] port link-type trunk
[AP-GigabitEthernet0/0/1] port trunk pvid vlan 101
[AP-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AP-GigabitEthernet0/0/1] quit

b. Configure system parameters for the vehicle-mounted APs.


# Configure the AP country code.
[AP] wlan
[AP-wlan-view] country-code cn

c. Configure vehicle-ground fast link handover parameters.


# Create the Mesh whitelist whitelist01 and add MAC addresses of all trackside
APs along the rail line to the Mesh whitelist.
[AP-wlan-view] mesh-whitelist-profile name whitelist01
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d10
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d20
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d30
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d40
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d50
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d60
[AP-wlan-mesh-whitelist-whitelist01] quit

# Add MAC addresses of all trackside APs along the rail line to the Mesh whitelist
of vehicle-mounted APs on the other trains according to the preceding configuration
procedure.
# Configure the security profile sp01 used by Mesh links. The sp01 supports the
security policy WPA2+PSK+AES.
[AP-wlan-view] security-profile name sp01
[AP-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-sp01] quit

# Configure the Mesh handover profile hand-over, enable the location-based fast
link handover algorithm, and set the moving direction of the vehicle-mounted AP to
forward.
[AP-wlan-view] mesh-handover-profile name hand-over
[AP-wlan-mesh-handover-hand-over] location-based-algorithm enable moving-direction forward
[AP-wlan-mesh-handover-hand-over] quit

NOTE
In this example, the moving direction of the vehicle-mounted AP in the rear must be set to
backward.

# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AP-wlan-view] mesh-profile name mesh-net
[AP-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AP-wlan-mesh-prof-mesh-net] security-profile sp01
[AP-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AP-wlan-mesh-prof-mesh-net] quit
[AP-wlan-view] quit

d. Apply the Mesh parameters to radios of vehicle-mounted APs.


# Configure the radio and channel used by vehicle-mounted APs and apply the
Mesh whitelist and Mesh profile.
[AP] interface wlan-radio 0/0/1
[AP-Wlan-Radio0/0/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] mesh-whitelist-profile whitelist01
[AP-Wlan-Radio0/0/1] mesh-profile mesh-net
[AP-Wlan-Radio0/0/1] quit

# Configure Mesh VAPs for other vehicle-mounted APs according to the preceding
configuration procedure.
e. Add proxied devices on the vehicle-mounted APs.
# Add proxied ground devices. Add MAC addresses of Switch_A, the network
management device, and multicast source on the vehicle-mounted APs.

[AP] wlan
[AP-wlan-view] mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101

# Add proxied vehicle-mounted devices. Add MAC addresses of the vehicle-mounted
terminals on the vehicle-mounted APs.
[AP-wlan-view] mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 101
[AP-wlan-view] mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 101
[AP-wlan-view] quit

f. Enable IGMP snooping on the vehicle-mounted APs.


[AP] igmp-snooping enable
[AP] vlan 101
[AP-vlan101] igmp-snooping enable
[AP-vlan101] quit
[AP] quit

• Verify the configuration.

# After vehicle-ground fast link handover configuration is complete, run the display
wlan mesh link all command on the AC to view Mesh connections between trackside
and vehicle-mounted APs.
<AC> display wlan mesh link all
Rf   : radio ID        Dis  : coverage distance(100m)
Ch   : channel         Per  : drop percent(%)
TSNR : total SNR(dB)   P-   : peer
Mesh : Mesh mode       Re   : retry ratio(%)
RSSI : RSSI(dBm)       MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   Mesh    P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------------------
L1_001            1   3    157  portal  -         -51   -38   0    0   47    39/47/-
L1_003            1   3    157  portal  -         -59   -7    0    0   50    19/14/37
L1_010            1   3    157  portal  -         -45   -33   0    0   37    20/17/17
L1_150            1   3    157  portal  -         -54   -39   0    0   46    34/43/-
L1_160            1   3    157  portal  -         -52   -7    0    0   32    21/18/35
L1_170            1   3    157  portal  -         -42   -33   0    0   29    26/14/19
-------------------------------------------------------------------------------------------------
Total: 6

# Run the display mesh-neighbor-rssi command on the AC to view RSSI information
of trackside APs.
<AC> display mesh-neighbor-rssi
Info: This operation may take a few seconds, please wait.done.
AP name/MAC/Radio/Location-ID  Neighbor AP/MAC/Location-ID  RSSI  Update Time
------------------------------------------------------------------------------
L1_001/0046-4b59-1d10/1/1      -/0046-4b59-2e10/-           -44   18:08:21
L1_003/0046-4b59-1d20/1/3      -/0046-4b59-2e10/-           -50   18:08:20
L1_010/0046-4b59-1d30/1/10     -/0046-4b59-2e10/-           -28   18:08:21
L1_150/0046-4b59-1d40/1/150    -/0046-4b59-2e10/-           -43   18:08:20
L1_160/0046-4b59-1d50/1/160    -/0046-4b59-2e10/-           -47   18:08:21
L1_170/0046-4b59-1d60/1/170    -/0046-4b59-2e10/-           -38   18:08:21
------------------------------------------------------------------------------
Total: 6

# Run the display mesh-handover-trace command on the vehicle-mounted AP to view
roaming traces of the vehicle-mounted AP.
<AP> display mesh-handover-trace
Info: This operation may take a few seconds, please wait.done.
Index  Timestamp  From AP MAC/RSSI/Location-ID  To AP MAC/RSSI/Location-ID
------------------------------------------------------------------------------
1      18:52:27   0046-4b59-1d50/-95/160        0046-4b59-1d60/-15/170
2      18:50:46   0046-4b59-1d40/-95/150        0046-4b59-1d50/-34/160
3      18:49:25   0046-4b59-1d30/-95/10         0046-4b59-1d40/-11/150
4      18:48:56   0046-4b59-1d20/-95/3          0046-4b59-1d30/-40/10
5      18:47:39   0046-4b59-1d10/-47/1          0046-4b59-1d20/-36/3
------------------------------------------------------------------------------

----End

Configuration Files
l Ground network devices
– Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.200.1 255.255.255.0
#
ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
ip route-static 10.23.224.0 255.255.255.0 10.23.200.2
#
return

– Switch_A configuration file


#
sysname Switch_A
#
vlan batch 100 to 101 200
#
igmp-snooping enable
#
dhcp enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface Vlanif101
ip address 10.23.224.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 200
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.1
#
return

– Switch_B configuration file


#
sysname Switch_B
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return

– Switch_C configuration file


#
sysname Switch_C
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
– AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-2e10
peer-ap mac 0046-4b59-2e20
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
regulatory-domain-profile name default
ap-system-profile name mesh-sys
mesh-role Mesh-portal
wired-port-profile name wired-port
vlan tagged 101
ap-group name mesh-mpp
ap-system-profile mesh-sys
wired-port-profile wired-port gigabitethernet 0
radio 1
mesh-profile mesh-net
mesh-whitelist-profile whitelist01
channel 40mhz-plus 157
ap-id 1 type-id 48 ap-mac 0046-4b59-1d10 ap-sn 210235554710CB000042
ap-name L1_001
ap-group mesh-mpp
ap-id 2 type-id 48 ap-mac 0046-4b59-1d20 ap-sn 210235555310CC000094
ap-name L1_003
ap-group mesh-mpp
ap-id 3 type-id 48 ap-mac 0046-4b59-1d30 ap-sn 210235419610CB002287
ap-name L1_010
ap-group mesh-mpp
ap-id 101 type-id 48 ap-mac 0046-4b59-1d40 ap-sn 210235555310CC00AC69
ap-name L1_150
ap-group mesh-mpp
ap-id 102 type-id 48 ap-mac 0046-4b59-1d50 ap-sn 210235555310CC003587
ap-name L1_160
ap-group mesh-mpp
ap-id 103 type-id 48 ap-mac 0046-4b59-1d60 ap-sn 210235449210CB000011
ap-name L1_170
ap-group mesh-mpp
#
return

l Vehicle-mounted network devices


– Vehicle-mounted AP (in the front) configuration file
#
sysname AP
#
igmp-snooping enable
#
vlan batch 101
#
vlan 101
igmp-snooping enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable moving-direction forward
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-1d10
peer-ap mac 0046-4b59-1d20
peer-ap mac 0046-4b59-1d30
peer-ap mac 0046-4b59-1d40
peer-ap mac 0046-4b59-1d50
peer-ap mac 0046-4b59-1d60
mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 101
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
#
interface Wlan-Radio0/0/1
mesh-profile mesh-net
mesh-whitelist-profile whitelist01
channel 40mhz-plus 157
#
return
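
In the configuration files above, whitelist01 on the AC lists the vehicle-mounted AP MAC addresses and whitelist01 on the vehicle-mounted AP lists the six trackside APs. The following Python sketch is an added example, not part of the original document: it cross-checks the two whitelists against the AC's ap-id entries and against the neighbors reported by display mesh-neighbor-rssi. The function names, the "AP-front" label and the 0200-0000-xxxx MAC addresses are constructed for illustration.

```python
import re

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
FLAGS = re.M | re.I

# Excerpts of the AC and vehicle-mounted AP configuration files shown above.
AC_CFG = """\
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-2e10
peer-ap mac 0046-4b59-2e20
mesh-profile name mesh-net
ap-id 1 type-id 48 ap-mac 0046-4b59-1d10 ap-sn 210235554710CB000042
ap-id 2 type-id 48 ap-mac 0046-4b59-1d20 ap-sn 210235555310CC000094
ap-id 3 type-id 48 ap-mac 0046-4b59-1d30 ap-sn 210235419610CB002287
ap-id 101 type-id 48 ap-mac 0046-4b59-1d40 ap-sn 210235555310CC00AC69
ap-id 102 type-id 48 ap-mac 0046-4b59-1d50 ap-sn 210235555310CC003587
ap-id 103 type-id 48 ap-mac 0046-4b59-1d60 ap-sn 210235449210CB000011
"""
VEHICLE_CFG = """\
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-1d10
peer-ap mac 0046-4b59-1d20
peer-ap mac 0046-4b59-1d30
peer-ap mac 0046-4b59-1d40
peer-ap mac 0046-4b59-1d50
peer-ap mac 0046-4b59-1d60
mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
"""
# Two rows of the display mesh-neighbor-rssi output shown above.
NEIGHBOR_OUT = """\
L1_001/0046-4b59-1d10/1/1 -/0046-4b59-2e10/- -44 18:08:21
L1_003/0046-4b59-1d20/1/3 -/0046-4b59-2e10/- -50 18:08:20
"""
# Constructed drift: one trackside AP replaced by an unknown MAC on the vehicle,
# and one neighbor on the air that the AC whitelist does not contain.
DRIFTED_CFG = VEHICLE_CFG.replace("0046-4b59-1d60", "0200-0000-00a1")
DRIFTED_OUT = NEIGHBOR_OUT + "L1_010/0046-4b59-1d30/1/10 -/0200-0000-00b2/- -61 18:08:22\n"


def whitelist(config, profile):
    """MACs of the peer-ap lines that directly follow the named whitelist profile."""
    macs, inside = set(), False
    for line in map(str.strip, config.splitlines()):
        if line == f"mesh-whitelist-profile name {profile}":
            inside = True
        elif inside:
            m = re.fullmatch(rf"peer-ap mac ({MAC})", line, re.I)
            if not m:
                break  # first non peer-ap line ends the profile in the flat file
            macs.add(m.group(1).lower())
    return macs


def managed_aps(ac_config):
    """ap-mac of every 'ap-id ... ap-mac ...' entry in the AC configuration."""
    found = re.findall(rf"^ap-id \d+ .*?ap-mac ({MAC})", ac_config, FLAGS)
    return {mac.lower() for mac in found}


def neighbor_macs(output):
    """Neighbor MACs from rows shaped 'name/MAC/radio/loc  name/MAC/loc  rssi  time'."""
    found = re.findall(rf"^\S+/{MAC}/\d+/\d+\s+\S*?/({MAC})/", output, FLAGS)
    return {mac.lower() for mac in found}


def audit(ac_config, vehicle_configs, neighbor_output, profile="whitelist01"):
    """Return (rule, device, mac) tuples for every whitelist inconsistency."""
    trackside = managed_aps(ac_config)
    findings = []
    for name, cfg in vehicle_configs.items():
        listed = whitelist(cfg, profile)
        findings += [("trackside-missing-on-vehicle", name, m) for m in sorted(trackside - listed)]
        findings += [("unknown-peer-on-vehicle", name, m) for m in sorted(listed - trackside)]
    unlisted = neighbor_macs(neighbor_output) - whitelist(ac_config, profile)
    findings += [("neighbor-not-whitelisted", "AC", m) for m in sorted(unlisted)]
    return findings


if __name__ == "__main__":
    for finding in audit(AC_CFG, {"AP-front": DRIFTED_CFG}, DRIFTED_OUT):
        print(*finding)
```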

4.1.6 Example for Configuring Agile Distributed Wi-Fi Services

Service Requirements
Students in dormitories need to access the Internet through WLANs.

Walls between numerous rooms in the dormitory building cause serious wireless signal
attenuation, degrading signal quality. To resolve this issue, an agile distributed WLAN is
used, with a remote unit (RU) deployed in each dormitory. RUs are connected to a central AP,
and all RUs and central APs are centrally managed by the AC, delivering high-quality WLAN
coverage for each dormitory.

Networking Requirements
l AC networking mode: Layer 2 networking in inline mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
central APs, RUs, and STAs.
l Service data forwarding mode: tunnel forwarding


Figure 4-6 Networking for configuring an agile distributed WLAN

Data Planning

Table 4-9 AC data planning

Item                            Data

DHCP server                     The AC functions as a DHCP server to assign IP addresses to
                                central APs, RUs, and STAs.

IP address pool for             10.23.100.2-10.23.100.254/24
central APs and RUs

IP address pool for STAs        10.23.101.2-10.23.101.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        l Name: ap-group1
                                l Referenced profiles: VAP profile wlan-net and regulatory
                                  domain profile default

Regulatory domain profile       l Name: default
                                l Country code: China

SSID profile                    l Name: wlan-net
                                l SSID name: wlan-net

Security profile                l Name: wlan-net
                                l Security policy: WPA-WPA2+PSK+AES
                                l Password: a1234567

VAP profile                     l Name: wlan-net
                                l Forwarding mode: direct forwarding
                                l Service VLAN: VLAN 101
                                l Referenced profiles: SSID profile wlan-net and security
                                  profile wlan-net

Configuration Roadmap

1. Configure the AC, RUs, central APs, and network devices to communicate at Layer 2.
2. Configure the AC as a DHCP server to assign IP addresses to central APs, RUs, and
STAs.
3. Configure the central APs and RUs to go online.
a. Create an AP group and add central APs and RUs that require the same
configuration to the group for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the central APs and RUs.
c. Configure the AP authentication mode and import the central APs and RUs offline
to allow them to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] port-isolate enable
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 3 Configure a DHCP server to assign IP addresses to central APs, RUs, and STAs.
# Configure the AC as a DHCP server to assign IP addresses to central APs and RUs from the
IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool
on VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure a central AP and RUs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the central AP and RUs offline on the AC and add the central AP and RUs to AP
group ap-group1. Assume that the central AP's MAC address is 68a8-2845-62fd and the RUs'
MAC addresses are fcb6-9897-c520 and fcb6-9897-ca40. Name the central AP central_AP and
the RUs ru_1 and ru_2, respectively.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 68a8-2845-62fd
[AC-wlan-ap-0] ap-name central_AP
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac fcb6-9897-c520
[AC-wlan-ap-1] ap-name ru_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac fcb6-9897-ca40
[AC-wlan-ap-2] ap-name ru_2
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit

# After the central AP is powered on, run the display ap all command to check the AP state.
If the State field is displayed as nor, the RUs go online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
---------------------------------------------------------------------------------------
ID  MAC             Name        Group      IP             Type         State  STA  Uptime
---------------------------------------------------------------------------------------
0   68a8-2845-62fd  central_AP  ap-group1  10.23.100.254  AD9430DN-24  nor    0    2M:25S
1   fcb6-9897-c520  ru_1        ap-group1  10.23.100.253  R240D        nor    0    3M:5S
2   fcb6-9897-ca40  ru_2        ap-group1  10.23.100.252  R240D        nor    0    3M:14S
---------------------------------------------------------------------------------------
Total: 3

Step 5 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Set channels and power for the RU radios.


NOTE

The settings of the RU channel and power in this example are for reference only. You need to configure the
RU channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/0] eirp 127
[AC-wlan-radio-1/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/1] eirp 127
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit

Step 7 Verify the configuration.


The AC automatically delivers WLAN service configuration to the RUs. After the
configuration is complete, run the display vap ssid wlan-net command. If the Status field is
displayed as ON, the VAPs have been successfully created on RU radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
1 ru_1 0 1 FCB6-9897-C520 ON WPA/WPA2-PSK 0 wlan-net
1 ru_1 1 1 FCB6-9897-C530 ON WPA/WPA2-PSK 0 wlan-net
2 ru_2 0 1 FCB6-9897-CA40 ON WPA/WPA2-PSK 0 wlan-net
2 ru_2 1 1 FCB6-9897-CA50 ON WPA/WPA2-PSK 0 wlan-net
--------------------------------------------------------------------------------
Total: 4

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-----------------------------------------------------------------------------------------
e019-1dc7-1e08  1      ru_1     1/1      5G    11n   46/59  -68   101   10.23.101.254
-----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
l Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 52 ap-mac 68a8-2845-62fd ap-sn 2102350KGF10F8000012
ap-name central_AP
ap-group ap-group1
ap-id 1 type-id 54 ap-mac fcb6-9897-c520 ap-sn 21500826402SF4900166
ap-name ru_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
ap-id 2 type-id 54 ap-mac fcb6-9897-ca40 ap-sn 21500826402SF4900207
ap-name ru_2
ap-group ap-group1
#
return
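
The Configuration Notes for this example state three constraints that can be read back out of the AC configuration file: AP-facing interfaces need port isolation, the management VLAN and service VLAN must differ in tunnel forwarding mode, and service VLAN packets are not allowed between the AC and APs. The following Python sketch is an added example, not part of the original document, that checks a flat VRP configuration file for them. It assumes that an AP-facing interface is one whose PVID is the management VLAN (as in the NOTE in Step 2); the function and rule names are constructed for illustration.

```python
import re

# The AC configuration file from this section, reduced to the lines the checks read.
AC_CONFIG = """\
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
#
return
"""
# Constructed variant with two of the mistakes the Configuration Notes warn about.
BROKEN_CONFIG = (AC_CONFIG
                 .replace("port-isolate enable\n", "")
                 .replace("allow-pass vlan 100\n", "allow-pass vlan 100 to 101\n"))


def parse_vlans(spec):
    """Expand '100 to 101 200' into {100, 101, 200}."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def sections(text):
    """Split the file into '#'-delimited sections of stripped, non-empty lines."""
    out = [[]]
    for line in map(str.strip, text.splitlines()):
        if line in ("#", "return"):
            out.append([])
        elif line:
            out[-1].append(line)
    return [s for s in out if s]


def audit(text):
    """Return sorted (rule, subject) findings for one configuration file."""
    mgmt, ports, vaps = None, {}, []
    for sec in sections(text):
        head = sec[0]
        m = re.fullmatch(r"capwap source interface vlanif\s*(\d+)", head, re.I)
        if m:
            mgmt = int(m.group(1))  # management VLAN = VLANIF used as CAPWAP source
        elif re.match(r"interface (?!vlanif)", head, re.I):
            port = ports[head.split()[1]] = {"pvid": None, "allow": set(), "isolate": False}
            for line in sec[1:]:
                if m := re.fullmatch(r"port trunk pvid vlan (\d+)", line):
                    port["pvid"] = int(m.group(1))
                elif m := re.fullmatch(r"port trunk allow-pass vlan (.+)", line):
                    port["allow"] |= parse_vlans(m.group(1))
                elif line == "port-isolate enable":
                    port["isolate"] = True
        elif head == "wlan":
            vap = None  # the flat file has no indentation, so track the open profile
            for line in sec[1:]:
                if m := re.fullmatch(r"vap-profile name (\S+)", line):
                    vap = {"name": m.group(1), "mode": None, "vlan": None}
                    vaps.append(vap)
                elif re.match(r"(\S+-profile name|ap-group name|ap-id) ", line):
                    vap = None
                elif vap and (m := re.fullmatch(r"forward-mode (\S+)", line)):
                    vap["mode"] = m.group(1)
                elif vap and (m := re.fullmatch(r"service-vlan vlan-id (\d+)", line)):
                    vap["vlan"] = int(m.group(1))
    if mgmt is None:
        return [("no-capwap-source-interface", "-")]
    tunnel = [v for v in vaps if v["mode"] == "tunnel"]
    findings = [("mgmt-vlan-equals-service-vlan", v["name"]) for v in tunnel if v["vlan"] == mgmt]
    service = {v["vlan"] for v in tunnel} - {mgmt, None}
    for name, port in ports.items():
        if port["pvid"] != mgmt:  # assumption: AP-facing port = PVID is the management VLAN
            continue
        if not port["isolate"]:
            findings.append(("no-port-isolate", name))
        if port["allow"] & service:
            findings.append(("service-vlan-on-ap-port", name))
    return sorted(findings)


if __name__ == "__main__":
    print(audit(AC_CONFIG), audit(BROKEN_CONFIG))
```

Only an explicit forward-mode tunnel line is treated as tunnel forwarding. In a bypass topology where APs attach to an access switch, the port checks apply to that switch's configuration file.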

4.1.7 Example for Configuring WLAN Environment Detection and Containment (WIDS and WIPS)

Service Requirements
An enterprise branch needs to deploy WLAN services for mobile office so that branch users
can access the enterprise network from anywhere at any time. Furthermore, users' services are
not affected during roaming in the coverage area.

The branch is located in an open place, making the WLAN vulnerable to attacks. For
example, an attacker can deploy a rogue AP (area_2) with SSID wlan-net on the WLAN and
establish connections with STAs to intercept enterprise information, posing a serious
threat to the enterprise network. To prevent such attacks, configure the detection and
containment function on authorized APs. The AC can then detect rogue AP area_2 (which is
neither managed by the AC nor in the authorized AP list) and contain it, preventing STAs
from associating with the rogue AP.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding

Figure 4-7 Networking for configuring rogue device detection and containment


Data Planning

Table 4-10 AC data planning

Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101

DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                SwitchB functions as a DHCP server to assign IP addresses to
                                STAs. The default gateway address of STAs is 10.23.101.2.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        l Name: ap-group1
                                l Referenced profiles: VAP profile wlan-net, regulatory domain
                                  profile default, and WIDS profile wlan-wids
                                l Working mode of the AP radio: normal
                                l Rogue device detection and containment: enabled

Regulatory domain profile       l Name: default
                                l Country code: China

SSID profile                    l Name: wlan-net
                                l SSID name: wlan-net

Security profile                l Name: wlan-net
                                l Security policy: WPA-WPA2+PSK+AES
                                l Password: a1234567

VAP profile                     l Name: wlan-net
                                l Forwarding mode: tunnel forwarding
                                l Service VLAN: VLAN 101
                                l Referenced profiles: SSID profile wlan-net and security
                                  profile wlan-net

WIDS profile                    l Name: wlan-wids
                                l Rogue device containment mode: containment against rogue APs
                                  using spoofing SSIDs

Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure rogue device detection and containment so that APs can detect wireless device
information and report it to the AC. In addition, APs can contain detected rogue devices,
enabling STAs to disassociate from them.
NOTE

In this example, the authorized APs work in normal mode and have the detection function enabled. In
addition to transmitting WLAN service data, AP radios need to perform the monitoring function. Therefore,
temporary service interruption may occur when the radios periodically scan channels. In this example, the
APs can only contain rogue devices on the channel used by WLAN services. To achieve containment on all
channels, configure the APs to work in monitor mode. However, WLAN services are unavailable in this
mode.
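
The decision this example relies on can be modelled in a few lines: an AP is rogue when it is neither managed by the AC nor in the authorized AP list, the WIDS profile contains only rogue APs that spoof a service SSID, and a radio in normal mode can contain only on the channels that carry WLAN services. The following Python sketch is an added example, not Huawei's implementation or part of the original document. The scan records, the second managed BSSID, the 02:00:00 MAC addresses, the service channels and the exact-match SSID comparison are constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    bssid: str
    ssid: str
    channel: int
    label: str          # managed | authorized | rogue | rogue-spoof-ssid
    contain_now: bool   # True if an AP radio can contain it in the current mode


def norm_mac(mac):
    """Normalize xxxx-xxxx-xxxx, xx:xx:..., or xx-xx-... to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def classify(scan, managed, authorized, own_ssids, service_channels, radio_mode="normal"):
    """Label every (bssid, ssid, channel) record the APs reported to the AC."""
    if radio_mode not in ("normal", "monitor"):
        raise ValueError("radio_mode must be 'normal' or 'monitor'")
    managed = {norm_mac(m) for m in managed}
    authorized = {norm_mac(m) for m in authorized}
    verdicts = []
    for bssid, ssid, channel in scan:
        mac = norm_mac(bssid)
        if mac in managed:
            label = "managed"
        elif mac in authorized:
            label = "authorized"
        elif ssid in own_ssids:        # assumption: exact SSID match counts as spoofing
            label = "rogue-spoof-ssid"
        else:
            label = "rogue"
        # Normal mode: containment only on channels used by WLAN services.
        # Monitor mode: all channels, at the cost of WLAN service on that radio.
        reachable = radio_mode == "monitor" or channel in service_channels
        verdicts.append(Verdict(mac, ssid, channel, label,
                                label == "rogue-spoof-ssid" and reachable))
    return verdicts


def blind_spots(verdicts):
    """Spoofing rogues that were detected but cannot be contained right now."""
    return [v for v in verdicts if v.label == "rogue-spoof-ssid" and not v.contain_now]


# Constructed inputs. 60de-4476-e360 is the AP MAC used in this example;
# everything else is made up for the demonstration.
MANAGED = {"60de-4476-e360", "60de-4476-e370"}
AUTHORIZED = {"02-00-00-00-00-c1"}
OWN_SSIDS = {"wlan-net"}
SERVICE_CHANNELS = {6, 149}
SCAN = [
    ("60:DE:44:76:E3:60", "wlan-net", 6),       # own AP, 2.4 GHz radio
    ("60de-4476-e370", "wlan-net", 149),        # own AP, 5 GHz radio
    ("02:00:00:00:00:a1", "wlan-net", 6),       # spoofed SSID on a service channel
    ("02:00:00:00:00:a2", "wlan-net", 11),      # spoofed SSID off the service channels
    ("02:00:00:00:00:b1", "guest-cafe", 1),     # unknown AP with an unrelated SSID
    ("02-00-00-00-00-c1", "partner-net", 149),  # listed in the authorized AP list
]

if __name__ == "__main__":
    for v in classify(SCAN, MANAGED, AUTHORIZED, OWN_SSIDS, SERVICE_CHANNELS):
        print(v)
```

An entry returned by blind_spots is the case the NOTE describes: the rogue AP is detected but sits on a channel that a normal-mode radio does not contain.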

Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit


Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# On the AC, configure VLANIF 100 to assign IP addresses to APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.


[AC-wlan-view] display ap all


Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Configure rogue device detection and containment.


# Configure radio 0 of AP group ap-group1 to work in normal mode, and enable rogue
device detection and containment.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] work-mode normal
[AC-wlan-group-radio-ap-group1/0] wids device detect enable
[AC-wlan-group-radio-ap-group1/0] wids contain enable
[AC-wlan-group-radio-ap-group1/0] quit

# Configure radio 1 of AP group ap-group1 to work in normal mode, and enable rogue
device detection and containment.
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] work-mode normal
[AC-wlan-group-radio-ap-group1/1] wids device detect enable
[AC-wlan-group-radio-ap-group1/1] wids contain enable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

# Create WIDS profile wlan-wids and set the containment mode to contain rogue APs that
use spoofed SSIDs.
[AC-wlan-view] wids-profile name wlan-wids
[AC-wlan-wids-prof-wlan-wids] contain-mode spoof-ssid-ap
[AC-wlan-wids-prof-wlan-wids] quit

# Bind WIDS profile wlan-wids to AP group ap-group1.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wids-profile wlan-wids
[AC-wlan-ap-group-ap-group1] quit

Step 8 Verify the configuration.


Run the display wlan ids contain ap command. The command output shows information
about the contained AP2.
[AC-wlan-view] display wlan ids contain ap
#Rf: Number of monitor radios that have contained the device
CH: Channel number
-------------------------------------------------------------------------------
MAC address CH Authentication Last detected time #Rf SSID
-------------------------------------------------------------------------------
000b-6b8f-fc6a 11 wpa-wpa2 2014-11-20/16:16:57 1 wlan-net
-------------------------------------------------------------------------------
Total: 1, printed: 1

STAs attempt to connect to the network through AP2. Countermeasures are taken on AP2, so
traffic between STAs and AP2 is stopped and then STAs connect to AP1.
C:\Documents and Settings\huawei> ping 10.23.101.22

Pinging 10.23.101.22 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.23.101.22: bytes=32 time=1433ms TTL=255
Reply from 10.23.101.22: bytes=32 time=40ms TTL=255
Reply from 10.23.101.22: bytes=32 time=11ms TTL=255
Reply from 10.23.101.22: bytes=32 time=46ms TTL=255

----End
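
The Step 8 check can be turned into records that a monitoring job can alert on. The following is an added example, not part of the Huawei document: it parses the display wlan ids contain ap output and labels each contained device. The names ContainedAP, parse_contain_list and triage, the finding labels, the one-hour staleness window and the authorized-BSSID inventory are assumptions of the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Row 1 is the output shown in Step 8; rows 2 and 3 are constructed for this example.
SAMPLE = """\
#Rf: Number of monitor radios that have contained the device
CH: Channel number
-------------------------------------------------------------------------------
MAC address     CH  Authentication   Last detected time    #Rf  SSID
-------------------------------------------------------------------------------
000b-6b8f-fc6a  11  wpa-wpa2         2014-11-20/16:16:57   1    wlan-net
0011-2233-4455  6   open             2014-11-20/16:10:02   2    wlan-net
60de-4476-e360  6   wpa-wpa2         2014-11-19/09:00:00   1    wlan-net
-------------------------------------------------------------------------------
Total: 3, printed: 3
"""

ROW = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<ch>\d+)\s+(?P<auth>\S+)\s+"
    r"(?P<seen>\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2})\s+(?P<rf>\d+)(?:\s+(?P<ssid>.*\S))?$",
    re.IGNORECASE,
)
TOTAL = re.compile(r"^Total:\s*(\d+),\s*printed:\s*(\d+)")


@dataclass(frozen=True)
class ContainedAP:
    mac: str
    channel: int
    auth: str
    last_seen: datetime
    radios: int   # "#Rf": monitor radios that have contained the device
    ssid: str     # empty when the SSID column is blank


def parse_contain_list(text):
    """Return (rows, truncated); truncated means fewer rows were printed than Total."""
    rows, total, printed = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ROW.match(line):
            rows.append(ContainedAP(
                mac=m["mac"].lower(), channel=int(m["ch"]), auth=m["auth"].lower(),
                last_seen=datetime.strptime(m["seen"], "%Y-%m-%d/%H:%M:%S"),
                radios=int(m["rf"]), ssid=m["ssid"] or "",
            ))
        elif t := TOTAL.match(line):
            total, printed = int(t[1]), int(t[2])
    if printed is not None and len(rows) != printed:
        # A row the regex did not recognise must not vanish silently.
        raise ValueError(f"parsed {len(rows)} rows, device printed {printed}")
    return rows, (total is not None and printed < total)


def triage(rows, managed_ssid, managed_auth, authorized_bssids, now,
           stale_after=timedelta(hours=1)):
    """Map each contained MAC to an ordered list of findings."""
    authorized = {b.lower() for b in authorized_bssids}
    report = {}
    for ap in rows:
        findings = []
        if ap.mac in authorized:
            # Countermeasures aimed at an inventoried BSSID: fix the inventory or WIDS policy.
            findings.append("authorized-ap-contained")
        elif ap.ssid == managed_ssid:
            findings.append("ssid-spoof")
            if ap.auth != managed_auth:
                findings.append("auth-mismatch")
        else:
            findings.append("other-rogue")
        if now - ap.last_seen > stale_after:
            findings.append("stale")
        report[ap.mac] = findings
    return report


if __name__ == "__main__":
    contained, truncated = parse_contain_list(SAMPLE)
    clock = datetime(2014, 11, 20, 16, 20, 0)   # fixed so the run is repeatable
    result = triage(contained, "wlan-net", "wpa-wpa2", {"60de-4476-e360"}, clock)
    for mac, findings in result.items():
        print(mac, ", ".join(findings))
    print("truncated:", truncated)
```

A row count that disagrees with the device's own "printed" figure raises an error rather than returning a partial list, so a change in the column layout is noticed instead of hiding a contained device.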

Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
- SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
- Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return


- AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
wids-profile name wlan-wids
contain-mode spoof-ssid-ap
ap-group name ap-group1
wids-profile wlan-wids
radio 0
vap-profile wlan-net wlan 1
wids device detect enable
wids contain enable
radio 1
vap-profile wlan-net wlan 1
wids device detect enable
wids contain enable
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
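
An added example, not part of the Huawei document, that checks a saved AC configuration for the actions of Step 7: detection and containment on every AP-group radio that carries a VAP, a WIDS profile bound to the group, and a contain-mode set in that profile. The function names and finding labels are hypothetical, and the check assumes that a group with containment enabled is expected to bind a WIDS profile that sets a contain-mode, as this example does.

```python
import re

# wlan section of the AC configuration file above, trimmed to the lines this check
# reads (indentation is already lost on the page, so the parser does not rely on it).
PAGE_WLAN = """\
wlan
security-profile name wlan-net
vap-profile name wlan-net
wids-profile name wlan-wids
contain-mode spoof-ssid-ap
ap-group name ap-group1
wids-profile wlan-wids
radio 0
vap-profile wlan-net wlan 1
wids device detect enable
wids contain enable
radio 1
vap-profile wlan-net wlan 1
wids device detect enable
wids contain enable
ap-id 0 type-id 35 ap-mac 60de-4476-e360
radio 0
channel 20mhz 6
return
"""

# Constructed drift: contain-mode removed and containment missing on radio 1.
_R1 = "radio 1\nvap-profile wlan-net wlan 1\nwids device detect enable\n"
DRIFTED = (PAGE_WLAN.replace("contain-mode spoof-ssid-ap\n", "")
           .replace(_R1 + "wids contain enable\n", _R1))

RADIO_FLAGS = {  # flag -> line that sets it on an ap-group radio
    "vap": r"vap-profile \S+ wlan \d+",
    "detect": r"wids device detect enable",
    "contain": r"wids contain enable",
}


def parse_wlan(text):
    """Return (wids profiles -> contain-mode, ap-groups -> binding and radio flags)."""
    profiles, groups = {}, {}
    ctx, radio, in_wlan = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "wlan":
            in_wlan, ctx, radio = True, None, None
        elif line in ("#", "return"):
            in_wlan = False
        elif not in_wlan or not line:
            continue
        elif m := re.fullmatch(r"wids-profile name (\S+)", line):
            ctx, radio = ("wids", m[1]), None
            profiles.setdefault(m[1], None)
        elif m := re.fullmatch(r"ap-group name (\S+)", line):
            ctx, radio = ("group", m[1]), None
            groups.setdefault(m[1], {"wids_profile": None, "radios": {}})
        elif re.match(r"[\w-]+-profile name \S+|ap-id \d+", line):
            ctx, radio = ("other", None), None   # a view this check does not read
        elif ctx and ctx[0] == "wids":
            if m := re.fullmatch(r"contain-mode (\S+)", line):
                profiles[ctx[1]] = m[1]
        elif ctx and ctx[0] == "group":
            grp = groups[ctx[1]]
            if m := re.fullmatch(r"wids-profile (\S+)", line):
                grp["wids_profile"] = m[1]
            elif m := re.fullmatch(r"radio (\d+)", line):
                radio = int(m[1])
                grp["radios"].setdefault(radio, set())
            elif radio is not None:
                grp["radios"][radio] |= {f for f, p in RADIO_FLAGS.items()
                                         if re.fullmatch(p, line)}
    return profiles, groups


def audit(profiles, groups):
    """List (scope, issue) pairs where the config departs from the Step 7 procedure."""
    findings = []
    for name, grp in groups.items():
        serving = {r: f for r, f in grp["radios"].items() if "vap" in f}
        for rid, flags in sorted(serving.items()):
            for flag in ("detect", "contain"):
                if flag not in flags:
                    findings.append((f"{name}/radio{rid}", f"{flag}-not-enabled"))
        if not any("contain" in f for f in serving.values()):
            continue   # nothing is contained, so no contain-mode is expected
        bound = grp["wids_profile"]
        if bound is None:
            findings.append((name, "no-wids-profile-bound"))
        elif bound not in profiles:
            findings.append((name, "wids-profile-undefined"))
        elif profiles[bound] is None:
            findings.append((name, "contain-mode-not-set"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("page", PAGE_WLAN), ("drifted", DRIFTED)):
        print(label, audit(*parse_wlan(cfg)) or "matches Step 7")
```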

4.2 WLAN Basic Networking Configuration Examples (Fat AP)
4.2.1 Example for Configuring Fat AP Layer 2 Networking


Networking Requirements
As shown in Figure 4-8, a Fat AP is connected to the Internet in wired mode and connects to
STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime.

The requirements are as follows:


- A WLAN named wlan-net is available.
- Router functions as a DHCP server to assign IP addresses to STAs.

Figure 4-8 Networking diagram for configuring basic Layer 2 WLAN services
[Figure: STAs connect to the Fat AP, whose GE0/0/0 (VLAN 101, 10.23.101.2/24) connects to GE1/0/0 (10.23.101.1/24) on Router, which connects to the Internet. Service VLAN: VLAN 101.]

Data planning

Item                       Data
Service VLAN for STAs      VLAN 101
DHCP server                Router functions as a DHCP server to assign IP addresses to STAs.
IP address pool for STAs   10.23.101.3 to 10.23.101.254/24
SSID profile               - Name: wlan-net
                           - SSID name: wlan-net
Security profile           - Name: wlan-net
                           - Security policy: WPA-WPA2+PSK+AES
                           - Password: a1234567
VAP profile                - Name: wlan-net
                           - Service VLAN: VLAN 101
                           - Referenced profiles: SSID profile wlan-net and security profile wlan-net


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP and upper-layer devices to communicate at Layer 2.
2. Configure Router as a DHCP server to assign IP addresses to STAs from an IP address
pool on an interface.
3. Configure the AP's system parameters, including the country code.
4. Configure a VAP so that STAs can access the WLAN.

Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see 4.15.1.1 Multicast Packet Suppression Is Not Configured, Causing
Slow Network Access of STAs.

Procedure
Step 1 Configure the AP to communicate with the network devices.
NOTE

Configure the AP's uplink interfaces to transparently transmit packets of service VLANs as required.

# Add GE0/0/0 on the AP to VLAN 101.


<Huawei> system-view
[Huawei] sysname AP
[AP] vlan batch 101
[AP] interface gigabitethernet 0/0/0
[AP-GigabitEthernet0/0/0] port link-type trunk
[AP-GigabitEthernet0/0/0] port trunk pvid vlan 101
[AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 101
[AP-GigabitEthernet0/0/0] quit

# Create VLANIF 101 and configure its IP address for communication with Router.
[AP] interface vlanif 101
[AP-Vlanif101] ip address 10.23.101.2 24
[AP-Vlanif101] quit

Step 2 Configure Router as a DHCP server to assign IP addresses to STAs.


# Configure Router as a DHCP server to assign IP addresses to STAs from the IP address pool
on GE1/0/0.
[Router] dhcp enable
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.101.1 24
[Router-GigabitEthernet1/0/0] dhcp select interface
[Router-GigabitEthernet1/0/0] dhcp server excluded-ip-address 10.23.101.2
[Router-GigabitEthernet1/0/0] quit


Step 3 Configure the AP's system parameters.

# Configure the country code for the AP.


[AP] wlan
[AP-wlan-view] country-code cn

Step 4 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AP-wlan-view] security-profile name wlan-net
[AP-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AP-wlan-view] ssid-profile name wlan-net
[AP-wlan-ssid-prof-wlan-net] ssid wlan-net
[AP-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the service VLAN, and apply the security profile and
SSID profile to the VAP profile.
[AP-wlan-view] vap-profile name wlan-net
[AP-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AP-wlan-vap-prof-wlan-net] security-profile wlan-net
[AP-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AP-wlan-vap-prof-wlan-net] quit

Step 5 Configure radio parameters for the VAP and AP.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AP-wlan-view] rrm-profile name default
[AP-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AP-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AP-wlan-rrm-prof-default] quit
[AP-wlan-view] quit

NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
[AP] interface wlan-radio0/0/0
[AP-Wlan-Radio0/0/0] vap-profile wlan-net wlan 1
[AP-Wlan-Radio0/0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/0] eirp 127
[AP-Wlan-Radio0/0/0] quit
[AP] interface wlan-radio0/0/1
[AP-Wlan-Radio0/0/1] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] eirp 127
[AP-Wlan-Radio0/0/1] quit

Step 6 Verify the configuration.


The configuration automatically takes effect after it is completed. Run the display vap ssid
wlan-net command. If Status in the command output is displayed as ON, the VAP has been
successfully created on the AP radios.
[AP] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP MAC RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
00bc-da3f-e900 0 1 00BC-DA3F-E900 ON WPA/WPA2-PSK 0 wlan-net
00bc-da3f-e900 1 2 00BC-DA3F-E910 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AP. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AP] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
--------------------------------------------------------------------------------------------------
STA MAC         Ap name         Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address     SSID
--------------------------------------------------------------------------------------------------
14cf-9202-13dc  00bc-da3f-e900  0/1      2.4G  11n   19/13  -63   101   10.23.101.254  wlan-net
--------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

----End

Configuration Files
- Router configuration file
#
sysname Router
#
dhcp enable
#
interface GigabitEthernet1/0/0
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.101.2
#
return

- AP configuration file
#
sysname AP
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#(yk#Q+M[\CMK]1)AWMX7MjZ)=e`fy@fA+.J\ht3Y%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
interface Wlan-Radio0/0/0
vap-profile wlan-net wlan 1
channel 20mhz 6
#
interface Wlan-Radio0/0/1
vap-profile wlan-net wlan 2
channel 20mhz 149
#
return

4.2.2 Example for Configuring Fat AP Layer 3 Networking

Networking Requirements
As shown in Figure 4-9, a Fat AP is connected to the Internet in wired mode and connected to
STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime.
The requirements are as follows:
- A WLAN named wlan-net is available.
- Enterprise employees are assigned IP addresses on the network segment 10.23.101.0/24.

Figure 4-9 Networking diagram for configuring basic Layer 3 WLAN services
[Figure: STAs connect to the Fat AP, whose GE0/0/0 (VLAN 200, 10.23.200.1/24) connects to GE1/0/0 (VLAN 200, 10.23.200.2/24) on Router, which connects to the Internet. Service VLAN: VLAN 101.]


Data planning

Item                       Data
Service VLAN for STAs      VLAN 101
DHCP server                The AP functions as a DHCP server to assign IP addresses to STAs.
IP address pool for STAs   10.23.101.2 to 10.23.101.254/24
SSID profile               - Name: wlan-net
                           - SSID name: wlan-net
Security profile           - Name: wlan-net
                           - Security policy: WPA-WPA2+PSK+AES
                           - Password: a1234567
VAP profile                - Name: wlan-net
                           - Service VLAN: VLAN 101
                           - Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP and upper-layer devices to communicate with each other.
2. Configure the AP as a DHCP server to assign IP addresses to STAs from an IP address
pool on an interface.
3. Configure the AP's system parameters, including the country code.
4. Configure a VAP so that STAs can access the WLAN.

Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see 4.15.1.1 Multicast Packet Suppression Is Not Configured, Causing
Slow Network Access of STAs.

Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24.

<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 200
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.23.200.2 24
[Router-Vlanif200] quit

Step 2 Configure the AP to communicate with the network devices.

# Add the AP's uplink interface GE0/0/0 to VLAN 200. Create VLANIF 200 and set its IP
address to 10.23.200.1/24.
<Huawei> system-view
[Huawei] sysname AP
[AP] vlan batch 200
[AP] interface gigabitethernet 0/0/0
[AP-GigabitEthernet0/0/0] port link-type trunk
[AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 200
[AP-GigabitEthernet0/0/0] quit
[AP] interface vlanif 200
[AP-Vlanif200] ip address 10.23.200.1 24
[AP-Vlanif200] quit

# Configure a default route with the next hop IP address 10.23.200.2/24 on the AP.
[AP] ip route-static 0.0.0.0 0.0.0.0 10.23.200.2

Step 3 Configure the DHCP server to assign IP addresses to STAs.

# Configure the AP as a DHCP server to assign IP addresses to STAs from the IP address pool
on VLANIF 101.
[AP] dhcp enable
[AP] vlan batch 101
[AP] interface vlanif 101
[AP-Vlanif101] ip address 10.23.101.1 24
[AP-Vlanif101] dhcp select interface
[AP-Vlanif101] quit

Step 4 Configure the AP's system parameters.

# Configure the country code for the AP.


[AP] wlan
[AP-wlan-view] country-code cn

Step 5 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AP-wlan-view] security-profile name wlan-net
[AP-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AP-wlan-view] ssid-profile name wlan-net
[AP-wlan-ssid-prof-wlan-net] ssid wlan-net
[AP-wlan-ssid-prof-wlan-net] quit


# Create VAP profile wlan-net, set the service VLAN, and apply the security profile and
SSID profile to the VAP profile.
[AP-wlan-view] vap-profile name wlan-net
[AP-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AP-wlan-vap-prof-wlan-net] security-profile wlan-net
[AP-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AP-wlan-vap-prof-wlan-net] quit

Step 6 Configure radio parameters for the VAP and AP.


# Disable the automatic channel and power calibration functions.
Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AP-wlan-view] rrm-profile name default
[AP-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AP-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AP-wlan-rrm-prof-default] quit
[AP-wlan-view] quit

NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
[AP] interface wlan-radio0/0/0
[AP-Wlan-Radio0/0/0] vap-profile wlan-net wlan 1
[AP-Wlan-Radio0/0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/0] eirp 127
[AP-Wlan-Radio0/0/0] quit
[AP] interface wlan-radio0/0/1
[AP-Wlan-Radio0/0/1] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] eirp 127
[AP-Wlan-Radio0/0/1] quit

Step 7 Verify the configuration.


The configuration automatically takes effect after it is completed. Run the display vap ssid
wlan-net command. If Status in the command output is displayed as ON, the VAP has been
successfully created on the AP radios.
[AP] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP MAC RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
00bc-da3f-e900 0 1 00BC-DA3F-E900 ON WPA/WPA2-PSK 0 wlan-net
00bc-da3f-e900 1 2 00BC-DA3F-E910 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AP. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AP] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
--------------------------------------------------------------------------------------------------
STA MAC         Ap name         Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address     SSID
--------------------------------------------------------------------------------------------------
14cf-9202-13dc  00bc-da3f-e900  0/1      2.4G  11n   19/13  -63   101   10.23.101.254  wlan-net
--------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

----End

Configuration Files
- Router configuration file
#
sysname Router
#
vlan batch 200
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
return
- AP configuration file
#
sysname AP
#
vlan batch 101 200
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.2
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#(yk#Q+M[\CMK]1)AWMX7MjZ)=e`fy@fA+.J\ht3Y%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
interface Wlan-Radio0/0/0
vap-profile wlan-net wlan 1
channel 20mhz 6
#
interface Wlan-Radio0/0/1
vap-profile wlan-net wlan 2
channel 20mhz 149
#
return


4.2.3 Example for Configuring Users on the Fat AP to Access the Public Network Through NAT

Networking Requirements
As shown in Figure 4-10, a Fat AP is connected to the Internet in wired mode and connected
to STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime. The administrator wants enterprise employees to access the public
network using public IP addresses.

The requirements are as follows:


- A WLAN named wlan-net is available.
- Enterprise employees are assigned IP addresses on 10.23.101.0/24. These IP addresses
  are translated to the IP address of the Fat AP outbound interface using Easy-IP for
  employees to access the public network.

Figure 4-10 Networking diagram for configuring STAs to access the public network through NAT
[Figure: STAs connect to the Fat AP, whose GE0/0/0 (VLAN 200, 202.169.10.1/24) connects to the Internet through the peer at 202.169.10.2/24. Service VLAN: VLAN 101.]

Data planning

Item                       Data
Service VLAN for STAs      VLAN 101
DHCP server                The AP functions as a DHCP server to assign IP addresses to STAs.
IP address pool for STAs   10.23.101.2 to 10.23.101.254/24
SSID profile               - Name: wlan-net
                           - SSID name: wlan-net
Security profile           - Name: wlan-net
                           - Security policy: WPA-WPA2+PSK+AES
                           - Password: a1234567
VAP profile                - Name: wlan-net
                           - Service VLAN: VLAN 101
                           - Referenced profiles: SSID profile wlan-net and security profile wlan-net
NAT Outbound               The private IP address segment 10.23.101.0/24 is mapped to the public IP
                           address 202.169.10.1.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP as a DHCP server to assign IP addresses to STAs from an IP address
pool on an interface.
2. Configure the AP's system parameters, including the country code.
3. Configure a VAP so that STAs can access the WLAN.
4. Configure NAT so that users can access the public network using public IP addresses.

Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see 4.15.1.1 Multicast Packet Suppression Is Not Configured, Causing
Slow Network Access of STAs.

Procedure
Step 1 Configure the AP to communicate with the network devices.
# On the AP, create VLANIF 200, set its IP address to 202.169.10.1/24, and add GE0/0/0 to
VLAN 200.
<Huawei> system-view
[Huawei] sysname AP
[AP] vlan batch 200
[AP] interface vlanif 200
[AP-Vlanif200] ip address 202.169.10.1 24
[AP-Vlanif200] quit
[AP] interface gigabitethernet 0/0/0
[AP-GigabitEthernet0/0/0] port link-type trunk
[AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 200
[AP-GigabitEthernet0/0/0] quit

# Configure a default route. The following assumes that the public IP address of the peer end
is 202.169.10.2/24.
[AP] ip route-static 0.0.0.0 0.0.0.0 202.169.10.2

Step 2 Configure the DHCP server to assign IP addresses to STAs.

# Configure the AP as a DHCP server to assign IP addresses to STAs from the IP address pool
on VLANIF 101.
[AP] dhcp enable
[AP] vlan batch 101
[AP] interface vlanif 101
[AP-Vlanif101] ip address 10.23.101.1 24
[AP-Vlanif101] dhcp select interface
[AP-Vlanif101] quit

Step 3 Configure the AP's system parameters.

# Configure the country code for the AP.


[AP] wlan
[AP-wlan-view] country-code cn

Step 4 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AP-wlan-view] security-profile name wlan-net


[AP-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AP-wlan-view] ssid-profile name wlan-net
[AP-wlan-ssid-prof-wlan-net] ssid wlan-net
[AP-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the service VLAN, and apply the security profile and
SSID profile to the VAP profile.
[AP-wlan-view] vap-profile name wlan-net
[AP-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AP-wlan-vap-prof-wlan-net] security-profile wlan-net
[AP-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AP-wlan-vap-prof-wlan-net] quit

Step 5 Configure radio parameters for the VAP and AP.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AP-wlan-view] rrm-profile name default
[AP-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AP-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AP-wlan-rrm-prof-default] quit
[AP-wlan-view] quit


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.
[AP] interface wlan-radio0/0/0
[AP-Wlan-Radio0/0/0] vap-profile wlan-net wlan 1
[AP-Wlan-Radio0/0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/0] eirp 127
[AP-Wlan-Radio0/0/0] quit
[AP] interface wlan-radio0/0/1
[AP-Wlan-Radio0/0/1] vap-profile wlan-net wlan 2
[AP-Wlan-Radio0/0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] eirp 127
[AP-Wlan-Radio0/0/1] quit

Step 6 Configure the NAT function.


# Configure NAT outbound on the AP.
[AP] acl 2000
[AP-acl-basic-2000] rule 5 permit source 10.23.101.0 0.0.0.255
[AP-acl-basic-2000] quit
[AP] interface vlanif 200
[AP-Vlanif200] nat outbound 2000
[AP-Vlanif200] quit
[AP] quit

Step 7 Verify the configuration.


# The configuration automatically takes effect after it is completed. Run the display vap ssid
wlan-net command. If Status in the command output is displayed as ON, the VAP has been
successfully created on the AP radios.
<AP> display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP MAC RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
00bc-da3f-e900 0 1 00BC-DA3F-E900 ON WPA/WPA2-PSK 0 wlan-net
00bc-da3f-e900 1 2 00BC-DA3F-E910 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 1

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AP. The command output shows that the
STAs are connected to the WLAN wlan-net.
<AP> display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------------------
STA MAC Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address SSID
-----------------------------------------------------------------------------------------------------
14cf-9202-13dc 00bc-da3f-e900 0/1 2.4G 11n 19/13 -63 101 10.23.101.254 wlan-net
-----------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

# Run the display nat outbound command on the AP to check the IP address translation
result.
<AP> display nat outbound
NAT Outbound Information:


--------------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------------
Vlanif200 2000 1 no-pat
--------------------------------------------------------------------------------
Total : 1
# Run the ping command on the AP to verify that users on the private network can access the
public network.
<AP> ping -a 10.23.101.1 202.169.10.2
PING 202.169.10.2: 56 data bytes, press CTRL_C to break
Reply from 202.169.10.2: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 202.169.10.2: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 202.169.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms

----End

Configuration Files
• AP configuration file
#
sysname AP
#
vlan batch 101 200
#
dhcp enable
#
acl number 2000
rule 5 permit source 10.23.101.0 0.0.0.255
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 202.169.10.1 255.255.255.0
nat outbound 2000
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 202.169.10.2
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#(yk#Q+M[\CMK]1)AWMX7MjZ)=e`fy@fA+.J\ht3Y%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
interface Wlan-Radio0/0/0
vap-profile wlan-net wlan 1
channel 20mhz 6
#
interface Wlan-Radio0/0/1
vap-profile wlan-net wlan 2
channel 20mhz 149
#
return
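
The NAT outbound step above translates whatever ACL 2000 permits, so the ACL should match the STA subnet served by the AP and nothing wider. The following Python check is an added example, not Huawei's code: the function names and the embedded configuration (constructed from the values in this example) are assumptions, and deny rules are ignored for brevity.

```python
import ipaddress
import re

def blocks(config):
    """Split a saved configuration into stripped blocks delimited by '#' lines."""
    parts = re.split(r"(?m)^[ \t]*#[ \t]*$", config)
    return [b for b in ([l.strip() for l in p.splitlines() if l.strip()] for p in parts) if b]

def wildcard_network(addr, wildcard):
    """Turn an ACL source/wildcard pair into a network; reject non-contiguous wildcards."""
    if wildcard == "0":  # host entries are saved with the short wildcard "0"
        wildcard = "0.0.0.0"
    host = int(ipaddress.IPv4Address(wildcard))
    if host & (host + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~host & 0xFFFFFFFF
    return ipaddress.ip_network((base, 32 - host.bit_length()))

def parse(config):
    """Collect permit sources per ACL, NAT bindings and DHCP-served subnets."""
    acls, nat, clients = {}, {}, []
    for block in blocks(config):
        head, body = block[0], block[1:]
        m = re.match(r"acl (?:number )?(\d+)", head)
        if m:
            nets = acls.setdefault(m.group(1), [])
            for line in body:
                r = re.match(r"rule \d+ permit(?: source (\S+)(?: (\S+))?)?", line)
                if not r:
                    continue  # simplification: deny rules are not evaluated
                if r.group(1) in (None, "any"):
                    nets.append(ipaddress.ip_network("0.0.0.0/0"))
                else:
                    nets.append(wildcard_network(r.group(1), r.group(2) or "0"))
        elif head.startswith("interface "):
            name = head.split()[1]
            for line in body:
                if line.startswith("nat outbound "):
                    nat[name] = line.split()[2]
                a = re.match(r"ip address (\S+) (\S+)", line)
                # Assumption: interfaces running "dhcp select interface" serve the STAs.
                if a and "dhcp select interface" in body:
                    clients.append(ipaddress.ip_interface(f"{a.group(1)}/{a.group(2)}").network)
    return acls, nat, clients

def audit_nat(config):
    """Return findings where the NAT ACL and the DHCP-served subnets disagree."""
    acls, nat, clients = parse(config)
    findings = []
    for iface, acl in sorted(nat.items()):
        permitted = acls.get(acl)
        if permitted is None:
            findings.append(f"{iface}: nat outbound references ACL {acl}, which is not defined")
            continue
        for net in permitted:
            if not any(net.subnet_of(c) for c in clients):
                findings.append(f"{iface}: ACL {acl} permits {net}, not contained in any DHCP-served subnet")
        for c in clients:
            if not any(c.subnet_of(net) for net in permitted):
                findings.append(f"{iface}: client subnet {c} is not covered by ACL {acl}")
    return findings

# Constructed sample input using the addresses of this example; indentation is ignored.
AP_CONFIG = """#
acl number 2000
 rule 5 permit source 10.23.101.0 0.0.0.255
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif200
 ip address 202.169.10.1 255.255.255.0
 nat outbound 2000
#
return
"""
# Constructed variant with an over-broad rule, for comparison.
AP_CONFIG_BROAD = AP_CONFIG.replace("10.23.101.0 0.0.0.255", "10.0.0.0 0.255.255.255")

if __name__ == "__main__":
    print(audit_nat(AP_CONFIG))
    print(audit_nat(AP_CONFIG_BROAD))
```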

4.3 WLAN Basic Networking Configuration Examples


4.3.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 4-11 Networking for configuring Layer 2 direct forwarding in inline mode


Data Planning

Table 4-11 AC data planning


Item                           Data
Management VLAN for APs        VLAN 100
Service VLAN for STAs          VLAN 101
DHCP server                    The AC functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs        10.23.100.2-10.23.100.254/24
IP address pool for STAs       10.23.101.3-10.23.101.254/24
AC's source interface address  VLANIF 100: 10.23.100.1/24
AP group                       • Name: ap-group1
                               • Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile      • Name: default
                               • Country code: China
SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net
Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567
VAP profile                    • Name: wlan-net
                               • Forwarding mode: direct forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100 and VLAN 101. The default
VLAN of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit


# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100 and VLAN 101, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs and VLANIF 101 to assign IP addresses to STAs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100


# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.


[AC-wlan-view] ap-group name ap-group1


[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Verify the configuration.

The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

• Router configuration file


#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
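
The Configuration Notes for the inline-mode examples (port isolation on AP-facing interfaces, and separate management and service VLANs in tunnel forwarding) can be checked against saved configuration files. The following Python audit is an added example, not Huawei's code: the function names, the rule that an AP-facing port is a trunk whose PVID equals the management VLAN, the treatment of a missing forward-mode line as direct forwarding, and the embedded sample configurations are assumptions.

```python
import re

def blocks(config):
    """Split a saved configuration into stripped blocks delimited by '#' lines."""
    parts = re.split(r"(?m)^[ \t]*#[ \t]*$", config)
    return [b for b in ([l.strip() for l in p.splitlines() if l.strip()] for p in parts) if b]

def vlan_set(spec):
    """Expand '100 to 101' or '100 101' into a set of VLAN IDs."""
    out = set()
    for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", spec):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def ac_facts(ac_config):
    """Return (management VLAN, {VAP profile: [forward mode, service VLAN]})."""
    mgmt, vaps = None, {}
    for block in blocks(ac_config):
        m = re.match(r"capwap source interface vlanif\s*(\d+)", block[0], re.I)
        if m:
            mgmt = int(m.group(1))
        if block[0] != "wlan":
            continue
        current = None
        for line in block[1:]:
            m = re.match(r"vap-profile name (\S+)", line)
            if m:
                current = m.group(1)
                # Assumption: direct forwarding applies when no forward-mode line is saved.
                vaps[current] = ["direct-forward", None]
            elif re.match(r"(\S+-profile|ap-group) name |ap-id ", line):
                current = None  # another profile, AP group or AP starts here
            elif current and line.startswith("forward-mode "):
                vaps[current][0] = line.split()[1]
            elif current and line.startswith("service-vlan vlan-id "):
                vaps[current][1] = int(line.split()[2])
    return mgmt, vaps

def ap_facing_ports(switch_config, mgmt_vlan):
    """Trunk ports whose PVID is the management VLAN (assumed to face APs)."""
    ports = {}
    for block in blocks(switch_config):
        if not block[0].startswith("interface ") or "port link-type trunk" not in block:
            continue
        port = {"pvid": None, "allowed": set(), "isolated": False}
        for line in block[1:]:
            if line.startswith("port trunk pvid vlan "):
                port["pvid"] = int(line.split()[-1])
            elif line.startswith("port trunk allow-pass vlan "):
                port["allowed"] |= vlan_set(line.split("vlan ", 1)[1])
            elif line.startswith("port-isolate enable"):
                port["isolated"] = True
        if mgmt_vlan is not None and port["pvid"] == mgmt_vlan:
            ports[block[0].split()[1]] = port
    return ports

def audit_l2(switch_config, ac_config):
    """Check the port-isolation and VLAN-separation notes; return a list of findings."""
    mgmt, vaps = ac_facts(ac_config)
    ports, findings = ap_facing_ports(switch_config, mgmt), []
    for name, (mode, svc) in sorted(vaps.items()):
        if svc is None:
            continue
        if mode == "tunnel" and svc == mgmt:
            findings.append(f"{name}: service VLAN {svc} equals the management VLAN in tunnel forwarding")
            continue
        for port, p in sorted(ports.items()):
            if mode == "tunnel" and svc in p["allowed"]:
                findings.append(f"{port}: service VLAN {svc} is allowed towards the AP, but {name} uses tunnel forwarding")
            elif mode == "direct-forward" and svc not in p["allowed"]:
                findings.append(f"{port}: service VLAN {svc} of {name} is not allowed in direct forwarding")
    findings += [f"{port}: port isolation is not enabled on this AP-facing trunk"
                 for port, p in sorted(ports.items()) if not p["isolated"]]
    return findings

# Constructed sample configurations (values follow the data planning tables).
AC_TUNNEL = """#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  security-profile wlan-net
 ap-group name ap-group1
"""
SWITCH_LEAKY = """#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
"""
SWITCH_FIXED = SWITCH_LEAKY.replace("vlan 100 to 101",
                                    "vlan 100\n port-isolate enable group 1")
```

Calling audit_l2(SWITCH_LEAKY, AC_TUNNEL) reports the service VLAN on the AP-facing trunk and the missing port isolation; the same call with SWITCH_FIXED returns an empty list.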

4.3.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: tunnel forwarding


Figure 4-12 Networking for configuring Layer 2 tunnel forwarding in inline mode

Data Planning

Table 4-12 AC data planning

Item                           Data
Management VLAN for APs        VLAN 100
Service VLAN for STAs          VLAN 101
DHCP server                    The AC functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs        10.23.100.2-10.23.100.254/24
IP address pool for STAs       10.23.101.3-10.23.101.254/24
AC's source interface address  VLANIF 100: 10.23.100.1/24
AP group                       • Name: ap-group1
                               • Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile      • Name: default
                               • Country code: China
SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net
Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567
VAP profile                    • Name: wlan-net
                               • Forwarding mode: tunnel forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.


For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit


Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs and VLANIF 101 to assign IP addresses to STAs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return


4.3.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 4-13 Networking for configuring Layer 2 direct forwarding in bypass mode


Data Planning

Table 4-13 AC data planning

Item                            Data
------------------------------  ------------------------------------------------------------
Management VLAN for APs         VLAN 100
Service VLAN for STAs           VLAN 101
DHCP server                     The AC functions as a DHCP server to assign IP addresses to
                                APs.
                                SwitchB functions as a DHCP server to assign IP addresses to
                                STAs. The default gateway address of STAs is 10.23.101.2.
IP address pool for APs         10.23.100.2-10.23.100.254/24
IP address pool for STAs        10.23.101.3-10.23.101.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net and regulatory
                                  domain profile default
Regulatory domain profile       • Name: default
                                • Country code: China
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security
                                  profile wlan-net


Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit


# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return


4.3.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-14 Networking for configuring Layer 2 tunnel forwarding in bypass mode


Data Planning

Table 4-14 AC data planning

Item                            Data
------------------------------  ------------------------------------------------------------
Management VLAN for APs         VLAN 100
Service VLAN for STAs           VLAN 101
DHCP server                     The AC functions as a DHCP server to assign IP addresses to
                                APs.
                                SwitchB functions as a DHCP server to assign IP addresses to
                                STAs. The default gateway address of STAs is 10.23.101.2.
IP address pool for APs         10.23.100.2-10.23.100.254/24
IP address pool for STAs        10.23.101.3-10.23.101.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net, regulatory
                                  domain profile default, 2G radio profile wlan-radio2g,
                                  and 5G radio profile wlan-radio5g
Regulatory domain profile       • Name: default
                                • Country code: CN
                                • Calibration channel set: calibration bandwidth and
                                  channels for 2.4 GHz and 5 GHz radios
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security
                                  profile wlan-net
Air scan profile                • Name: wlan-airscan
                                • Probe channel set: calibration channels
                                • Air scan interval: 60000 ms
                                • Air scan period: 60 ms
RRM profile                     • Name: wlan-rrm
                                • Automatic channel calibration: enabled
                                • Automatic power calibration: enabled
2G radio profile                • Name: wlan-radio2g
                                • Referenced profiles: air scan profile wlan-airscan and
                                  RRM profile wlan-rrm
5G radio profile                • Name: wlan-radio5g
                                • Referenced profiles: air scan profile wlan-airscan and
                                  RRM profile wlan-rrm

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
NOTE

During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
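
The port-isolation and VLAN-separation notes in sections 4.3.3 and 4.3.4 can be checked offline against saved configuration files. The script below is an added example, not part of the Huawei document: it assumes that an AP-facing port is a trunk whose PVID equals the management VLAN (as in the SwitchA listing) and that a VAP profile without a forward-mode line uses direct forwarding (as in the direct-forwarding AC file); the finding codes and the misconfigured variants are constructed.

```python
import re

def parse_vlans(spec):
    """Expand '100 to 101' or '100 101' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" to ", "-").split():
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_switch(text):
    """Map interface name -> trunk PVID, allowed VLANs and port-isolation state."""
    ports, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("#", "return"):
            cur = None
        elif line.startswith("interface "):
            name = line.split(None, 1)[1]
            cur = ports.setdefault(name, {"pvid": None, "allow": set(), "isolated": False})
        elif cur is not None and line.startswith("port trunk pvid vlan "):
            cur["pvid"] = int(line.split()[-1])
        elif cur is not None and line.startswith("port trunk allow-pass vlan "):
            cur["allow"] |= parse_vlans(line.split("vlan ", 1)[1])
        elif cur is not None and line.startswith("port-isolate enable"):
            cur["isolated"] = True
    return ports

def parse_ac(text):
    """Return (management VLAN, {VAP profile: {'mode', 'service_vlan'}})."""
    mgmt, vaps, cur = None, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        src = re.match(r"capwap source interface vlanif\s*(\d+)$", line, re.I)
        block = re.match(r"(\S+) name (\S+)$", line)
        if src:
            mgmt = int(src.group(1))
        elif block or line == "#" or line.startswith("ap-id "):
            cur = None  # a new profile, group or AP block closes the VAP profile
            if block and block.group(1) == "vap-profile":
                # Assumption: no forward-mode line means direct forwarding.
                cur = vaps.setdefault(block.group(2),
                                      {"mode": "direct-forward", "service_vlan": None})
        elif cur is not None and line.startswith("forward-mode "):
            cur["mode"] = line.split()[1]
        elif cur is not None and line.startswith("service-vlan vlan-id "):
            cur["service_vlan"] = int(line.split()[-1])
    return mgmt, vaps

def audit(switch_cfg, ac_cfg):
    """Check an access switch file and an AC file against the Configuration Notes."""
    mgmt, vaps = parse_ac(ac_cfg)
    # Assumption: an AP-facing port is a trunk whose PVID is the management VLAN.
    ap_ports = {n: p for n, p in parse_switch(switch_cfg).items()
                if mgmt is not None and p["pvid"] == mgmt}
    findings = []
    for vap, cfg in vaps.items():
        svc, tunnel = cfg["service_vlan"], cfg["mode"] == "tunnel"
        if svc is None:
            continue
        if tunnel and svc == mgmt:
            findings.append(("TUNNEL_VLAN_OVERLAP", vap))
        for port, p in ap_ports.items():
            if tunnel and svc != mgmt and svc in p["allow"]:
                findings.append(("SERVICE_VLAN_ON_AP_PORT", port))
            elif not tunnel and svc not in p["allow"]:
                findings.append(("SERVICE_VLAN_MISSING", port))
    findings += [("NO_PORT_ISOLATION", port)
                 for port, p in ap_ports.items() if not p["isolated"]]
    return findings

# Abridged from the SwitchA and AC configuration files of section 4.3.3.
PAGE_SWITCHA = """
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
"""
PAGE_AC_DIRECT = """
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
#
"""
# Constructed misconfigurations: port isolation removed from the AP-facing port,
# and a tunnel-mode VAP whose service VLAN equals the management VLAN.
BAD_SWITCH = PAGE_SWITCHA.replace("port-isolate enable group 1", "")
BAD_AC_TUNNEL = PAGE_AC_DIRECT.replace(
    "service-vlan vlan-id 101", "forward-mode tunnel\n  service-vlan vlan-id 100")

if __name__ == "__main__":
    print(audit(PAGE_SWITCHA, PAGE_AC_DIRECT))
    print(audit(BAD_SWITCH, BAD_AC_TUNNEL))
```

The uplink GigabitEthernet0/0/2 has no PVID set, so it is not treated as AP-facing and is never flagged for missing port isolation.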

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC             Name    Group      IP             Type      State  STA  Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Set channels and power for the AP radios.


# Create the RRM profile wlan-rrm and enable automatic channel selection and automatic
transmit power selection in the RRM profile. By default, automatic channel selection and
automatic transmit power selection are enabled.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] undo calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-rrm] undo calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-rrm] quit

# Configure a calibration channel set in the regulatory domain profile.


[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] dca-channel 2.4g channel-set 1,6,11
[AC-wlan-regulate-domain-default] dca-channel 5g bandwidth 20mhz
[AC-wlan-regulate-domain-default] dca-channel 5g channel-set 149,153,157,161
[AC-wlan-regulate-domain-default] quit

# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup

# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-
peak hours, for example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00

Step 7 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• SwitchB configuration file


#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return

• Router configuration file


#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
calibrate enable schedule time 03:00:00
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
rrm-profile name wlan-rrm
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

4.3.5 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as service VLANs to prevent IP address insufficiency or
waste. Furthermore, this measure can reduce the number of users in each VLAN and the size
of the broadcast domain.

Networking Requirements
• AC networking mode: Layer 3 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-15 Networking for configuring Layer 3 tunnel forwarding in bypass mode

Data Planning

Table 4-15 AC data planning

Item                            Data
Management VLAN for APs         VLAN 10 and VLAN 100
Service VLAN for STAs           VLAN pool
DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                The default gateway IP addresses of STAs are 10.23.101.2 and 10.23.102.2.
IP address pool for APs         10.23.10.2-10.23.10.254/24
IP address pool for STAs        10.23.101.3-10.23.101.254/24
                                10.23.102.3-10.23.102.254/24
VLAN pool                       • Name: sta-pool
                                • VLANs in the VLAN pool: VLAN 101 and VLAN 102
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile       • Name: default
                                • Country code: China
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLANs in the VLAN pool
                                • Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
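
The port isolation and VLAN separation notes above can be checked against saved configuration files. The following Python script is an added example, not part of the Huawei document. It assumes that any trunk port with a PVID faces an AP and that the management VLANs are the CAPWAP source VLANIF plus those PVIDs; GigabitEthernet0/0/3 and the AC_BAD variant are constructed inputs.

```python
import re

# The page prints configuration files flattened; a block runs from a header line to the next header or '#'.
BLOCK_START = re.compile(r"^(interface \S+|vlan pool \S+|\S+-profile name \S+|ap-group name \S+|ap-id \d+)")

def expand_vlans(spec):
    """Expand '101 to 102' or '100 101 102' into a set of VLAN IDs."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def blocks(config):
    """Return [(header, [body lines])]; works on indented or flattened text."""
    out, header, body = [], None, []
    for line in (r.strip() for r in config.splitlines() if r.strip()):
        if line == "#" or BLOCK_START.match(line):
            if header:
                out.append((header, body))
            header, body = (None if line == "#" else line), []
        elif header:
            body.append(line)
    if header:
        out.append((header, body))
    return out

def missing_port_isolation(switch_cfg):
    """Ports that set a trunk PVID (assumed to face an AP) without port isolation."""
    return [h.split()[1] for h, body in blocks(switch_cfg)
            if h.startswith("interface ")
            and any(l.startswith("port trunk pvid vlan ") for l in body)
            and not any(l.startswith("port-isolate enable") for l in body)]

def management_vlans(ac_cfg, switch_cfg):
    """Management VLANs: the AC's CAPWAP source VLANIF plus AP-facing PVIDs."""
    vlans = {int(v) for v in re.findall(r"capwap source interface vlanif\s*(\d+)", ac_cfg, re.I)}
    for _, body in blocks(switch_cfg):
        vlans |= {int(l.split()[-1]) for l in body if l.startswith("port trunk pvid vlan ")}
    return vlans

def tunnel_vlan_overlap(ac_cfg, mgmt):
    """Map each tunnel-mode VAP profile to service VLANs that are also management VLANs."""
    parsed = blocks(ac_cfg)
    pools = {h.split()[2]: set().union(*(expand_vlans(l[5:]) for l in body
                                         if l.startswith("vlan ")))
             for h, body in parsed if h.startswith("vlan pool ")}
    findings = {}
    for h, body in parsed:
        if not h.startswith("vap-profile name ") or "forward-mode tunnel" not in body:
            continue
        service = set()
        for l in body:
            if l.startswith("service-vlan vlan-id "):
                service |= expand_vlans(l.split("vlan-id ", 1)[1])
            elif l.startswith("service-vlan vlan-pool "):
                service |= pools.get(l.split()[2], set())
        if service & mgmt:
            findings[h.split()[2]] = sorted(service & mgmt)
    return findings

# Constructed input: SwitchA's AP-facing port from the page, plus a hypothetical
# second AP-facing port (GigabitEthernet0/0/3) that was added without isolation.
SWITCH_A = """
interface GigabitEthernet0/0/1
port trunk pvid vlan 10
port trunk allow-pass vlan 10
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port trunk pvid vlan 10
port trunk allow-pass vlan 10
"""
# Constructed input: the relevant lines of the AC configuration file on the page.
AC_OK = """
vlan pool sta-pool
vlan 101 to 102
#
capwap source interface vlanif100
#
wlan
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-pool sta-pool
"""
# Constructed misconfiguration: management VLAN 100 added to the service pool.
AC_BAD = AC_OK.replace("vlan 101 to 102", "vlan 100 to 102")

if __name__ == "__main__":
    mgmt = management_vlans(AC_OK, SWITCH_A)
    print("ports without isolation:", missing_port_isolation(SWITCH_A))
    print("page config overlap:", tunnel_vlan_overlap(AC_OK, mgmt))
    print("bad config overlap:", tunnel_vlan_overlap(AC_BAD, mgmt))
```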

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default VLAN of
GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, GE0/0/2 to VLAN 100,
VLAN 101, and VLAN 102, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF
100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.

# Add GE0/0/1 on the AC to VLAN 100, VLAN 101, and VLAN 102 and create VLANIF
100.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC-GigabitEthernet0/0/1] quit

# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# Configure DHCP relay on SwitchB.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

# On the AC, create a global IP address pool to assign IP addresses to APs.


[AC] dhcp enable
[AC] ip pool huawei
[AC-ip-pool-huawei] network 10.23.10.0 mask 24
[AC-ip-pool-huawei] gateway-list 10.23.10.1
[AC-ip-pool-huawei] option 43 sub-option 3 ascii 10.23.100.1
[AC-ip-pool-huawei] quit
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select global
[AC-Vlanif100] quit

Step 4 Configure a VLAN pool for service VLANs.


# On the AC, create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the
VLAN assignment algorithm to hash in the VLAN pool.
NOTE

This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add more VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC             Name    Group      IP            Type      State  STA  Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360  area_1  ap-group1  10.23.10.254  AP5030DN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Verify the configuration.

The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End
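
Step 3 of this procedure hands the AC address 10.23.100.1 to the APs through DHCP Option 43 sub-option 3, which is how APs in VLAN 10 locate an AC in another subnet. The following Python code is an added example, not part of the Huawei document, for checking that an offer seen on the AP management VLAN points only at expected ACs. It assumes the sub-option is carried as a type-length-value triple with the address as ASCII text and that several addresses would be comma-separated; 10.23.100.66 is a constructed address.

```python
import ipaddress

AC_SUB_OPTION = 3  # sub-option number used by the address pool on the page

def encode_option43_ascii(ac_ips, sub_option=AC_SUB_OPTION):
    """Build the payload assumed for 'option 43 sub-option 3 ascii <ip>'."""
    value = ",".join(ac_ips).encode("ascii")
    if not 0 < len(value) <= 255:
        raise ValueError("sub-option value must be 1..255 bytes")
    return bytes([sub_option, len(value)]) + value

def parse_option43(payload):
    """Split an Option 43 payload into {sub_option: value}; reject malformed TLVs."""
    subs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d is truncated" % code)
        if code in subs:
            raise ValueError("duplicate sub-option %d" % code)
        subs[code] = value
        i += 2 + length
    return subs

def advertised_acs(payload):
    """Return the AC addresses carried in sub-option 3 (empty list if absent)."""
    raw = parse_option43(payload).get(AC_SUB_OPTION)
    if raw is None:
        return []
    parts = [p.strip() for p in raw.decode("ascii").split(",")]
    return [ipaddress.ip_address(p) for p in parts if p]

def unexpected_acs(payload, allowed):
    """Return advertised AC addresses that are not in the allowlist."""
    allowed = {ipaddress.ip_address(a) for a in allowed}
    return [str(ip) for ip in advertised_acs(payload) if ip not in allowed]

# Constructed sample payloads: the value configured on the page, and an offer
# that advertises a different (hypothetical) controller address.
OFFER_PAGE = encode_option43_ascii(["10.23.100.1"])
OFFER_OTHER = encode_option43_ascii(["10.23.100.66"])
ALLOWED_ACS = ["10.23.100.1"]  # the AC's source interface address from Table 4-15

if __name__ == "__main__":
    print(OFFER_PAGE.hex())
    print(unexpected_acs(OFFER_PAGE, ALLOWED_ACS))
    print(unexpected_acs(OFFER_OTHER, ALLOWED_ACS))
```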

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return

• SwitchB configuration file


#
sysname SwitchB
#
vlan batch 10 100 to 102
#
dhcp enable
#
interface Vlanif10
ip address 10.23.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return

• Router configuration file


#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-pool sta-pool
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return

4.3.6 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as service VLANs to prevent IP address insufficiency or
waste. Furthermore, this measure can reduce the number of users in each VLAN and the size
of the broadcast domain.

Networking Requirements
• AC networking mode: Layer 3 networking in bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 4-16 Networking for configuring Layer 3 direct forwarding in bypass mode

Data Planning

Table 4-16 AC data planning

Item                            Data
Management VLANs for APs        VLAN 10 and VLAN 100
Service VLAN for STAs           VLAN pool
                                • Name: sta-pool
                                • VLANs in the VLAN pool: VLAN 101 and VLAN 102
DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                The aggregation switch functions as a DHCP server for STAs.
                                The default gateway IP addresses of STAs are 10.23.101.2 and 10.23.102.2.
IP address pool for APs         10.23.10.2-10.23.10.254/24
IP address pool for STAs        10.23.101.3-10.23.101.254/24
                                10.23.102.3-10.23.102.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile       • Name: default
                                • Country code: China
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLANs in the VLAN pool
                                • Referenced profiles: SSID profile wlan-net and security profile wlan-net


Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Configure the APs to go online.
   a. Create an AP group and add APs that require the same configuration to the group
      for unified configuration.
   b. Configure AC system parameters, including the country code and source interface
      used by the AC to communicate with the APs.
   c. Configure the AP authentication mode and import the APs offline to allow the APs
      to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.

# Add GE0/0/1 on the AC to VLAN 100 and create VLANIF 100.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# Configure DHCP relay on SwitchB.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

# On the AC, create a global IP address pool to assign IP addresses to APs.


[AC] dhcp enable
[AC] ip pool huawei
[AC-ip-pool-huawei] network 10.23.10.0 mask 24
[AC-ip-pool-huawei] gateway-list 10.23.10.1
[AC-ip-pool-huawei] option 43 sub-option 3 ascii 10.23.100.1
[AC-ip-pool-huawei] quit
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select global
[AC-Vlanif100] quit

Step 4 Configure a VLAN pool for service VLANs.

# On the AC, create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the
VLAN assignment algorithm to hash in the VLAN pool.
NOTE

This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add multiple VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 5 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100


# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
---------------------------------------------------------------------------------
ID  MAC             Name    Group      IP            Type      State  STA  Uptime
---------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.10.254  AP5030DN  nor    0    10S
---------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Verify the configuration.

The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
-------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101 to 102
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 101 to 102
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100 to 102
#
dhcp enable
#
interface Vlanif10
 ip address 10.23.10.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
 vlan 101 to 102
#
dhcp enable
#
ip pool huawei
 gateway-list 10.23.10.1
 network 10.23.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select global
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-pool sta-pool
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return
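
The two Configuration Notes of this example that depend on the forwarding mode (port isolation on AP-facing switch interfaces when direct forwarding is used, and separate management and service VLANs when tunnel forwarding is used) can be checked against configuration files like the ones above. The Python script below is an added example, not part of the Huawei document or of any Huawei tool: the function names are hypothetical, the sample files are constructed from this example's SwitchA and AC configuration files, and it assumes that an AP-facing port is a trunk whose PVID is a management VLAN.

```python
# Constructed sample input, trimmed from this example's SwitchA and AC files.
SWITCHA = """\
#
interface GigabitEthernet0/0/1
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101 to 102
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 10 101 to 102
#
return
"""
AC = """\
#
vlan pool sta-pool
 vlan 101 to 102
#
wlan
 vap-profile name wlan-net
  service-vlan vlan-pool sta-pool
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
return
"""


def sections(text):
    """Split a configuration file on '#' lines into (header, body) pairs."""
    out, cur = [], []
    for line in text.splitlines() + ["#"]:
        line = line.strip()  # indentation is not needed, so flattened files work too
        if line in ("#", "return"):
            if cur:
                out.append((cur[0], cur[1:]))
            cur = []
        elif line:
            cur.append(line)
    return out


def vlan_set(spec):
    """Expand a VLAN list such as '10 101 to 102' into {10, 101, 102}."""
    vlans, tokens, i = set(), spec.split(), 0
    while i < len(tokens):
        if tokens[i + 1:i + 2] == ["to"]:
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def vap_profiles(ac_text):
    """Return {VAP profile name: [forwarding mode, service VLAN set]}."""
    secs = sections(ac_text)
    pools = {h.split()[2]: set().union(*(vlan_set(ln[5:]) for ln in b if ln.startswith("vlan ")))
             for h, b in secs if h.startswith("vlan pool ")}
    profiles, name = {}, None
    for line in (ln for h, b in secs if h == "wlan" for ln in b):
        words = line.split()
        if words[1:2] == ["name"] or words[0] == "ap-id":
            # A new profile, AP group or AP starts; only VAP profiles are tracked.
            name = words[2] if words[0] == "vap-profile" else None
            if name:
                # No forward-mode line means direct forwarding, as in this example's AC file.
                profiles[name] = ["direct-forward", set()]
        elif name and words[0] == "forward-mode":
            profiles[name][0] = words[1]
        elif name and words[:2] == ["service-vlan", "vlan-pool"]:
            profiles[name][1] = pools.get(words[2], set())
        elif name and words[:2] == ["service-vlan", "vlan-id"]:
            profiles[name][1] = {int(words[2])}
    return profiles


def audit(switch_text, ac_text, mgmt_vlans):
    """Return findings for the two Configuration Notes; an empty list passes."""
    findings, profiles = [], vap_profiles(ac_text)
    direct = any(mode == "direct-forward" for mode, _ in profiles.values())
    for header, body in sections(switch_text):
        pvid = [int(ln.split()[-1]) for ln in body if ln.startswith("port trunk pvid vlan ")]
        # Assumption: an AP-facing port is a trunk whose PVID is a management VLAN.
        if not header.startswith("interface ") or not set(pvid) & mgmt_vlans:
            continue
        if direct and not any(ln.startswith("port-isolate enable") for ln in body):
            findings.append(f"{header.split()[1]}: direct forwarding, no port isolation")
    for name, (mode, vlans) in profiles.items():
        if mode == "tunnel" and vlans & mgmt_vlans:
            findings.append(f"{name}: tunnel forwarding, service VLAN "
                            f"{sorted(vlans & mgmt_vlans)} is a management VLAN")
    return findings


if __name__ == "__main__":
    print(audit(SWITCHA, AC, {10, 100}))
```

The management VLAN set {10, 100} comes from Table 4-16; the uplink GigabitEthernet0/0/2 is skipped because it has no management-VLAN PVID.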

4.3.7 Example for Configuring Layer 3 Direct Forwarding in Inline Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as service VLANs to prevent IP address insufficiency or
waste. Furthermore, this measure can reduce the number of users in each VLAN and the size
of the broadcast domain.

Networking Requirements
• AC networking mode: Layer 3 networking in inline mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 4-17 Networking for configuring Layer 3 direct forwarding in inline mode


Data Planning

Table 4-17 AC data planning


| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 10 and VLAN 100 |
| Service VLAN for STAs | VLAN pool; Name: sta-pool; VLANs in the VLAN pool: VLAN 101 and VLAN 102 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway IP addresses of STAs are 10.23.101.2 and 10.23.102.2. |
| IP address pool for APs | 10.23.10.2-10.23.10.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24; 10.23.102.3-10.23.102.254/24 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net, 2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g |
| Regulatory domain profile | Name: default; Country code: China; Calibration channel set: calibration bandwidth and channels for 2.4 GHz and 5 GHz radios |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLANs in the VLAN pool; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| Air scan profile | Name: wlan-airscan; Probe channel set: calibration channels; Air scan interval: 60000 ms; Air scan period: 60 ms |
| RRM profile | Name: wlan-rrm; Automatic channel calibration: enabled; Automatic power calibration: enabled |
| 2G radio profile | Name: wlan-radio2g; Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm |
| 5G radio profile | Name: wlan-radio5g; Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm |

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Configure the APs to go online.
   a. Create an AP group and add APs that require the same configuration to the group
      for unified configuration.
   b. Configure AC system parameters, including the country code and source interface
      used by the AC to communicate with the APs.
   c. Configure the AP authentication mode and import the APs offline to allow the APs
      to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
NOTE

During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.


Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB to VLAN 10, VLAN 101, and VLAN 102, and GE0/0/2 to VLAN
100, VLAN 101, and VLAN 102. Create VLANIF 100 and set its IP address to
10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.


# On the AC, add GE0/0/1 to VLAN 100, VLAN 101, and VLAN 102, and GE0/0/2 to
VLAN 101 and VLAN 102. Create VLANIF 100.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 102
[AC-GigabitEthernet0/0/2] quit

# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

# On the AC, create a global IP address pool to assign IP addresses to APs.


[AC] dhcp enable
[AC] ip pool huawei
[AC-ip-pool-huawei] network 10.23.10.0 mask 24
[AC-ip-pool-huawei] gateway-list 10.23.10.1
[AC-ip-pool-huawei] option 43 sub-option 3 ascii 10.23.100.1
[AC-ip-pool-huawei] quit
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select global
[AC-Vlanif100] quit

Step 4 Configure a VLAN pool for service VLANs.


# On the AC, create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the
VLAN assignment algorithm to hash in the VLAN pool.
NOTE

This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add multiple VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
---------------------------------------------------------------------------------
ID  MAC             Name    Group      IP            Type      State  STA  Uptime
---------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.10.254  AP5030DN  nor    0    10S
---------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the AP radios.


# Create the RRM profile wlan-rrm and enable automatic channel selection and automatic
transmit power selection in the RRM profile. By default, automatic channel selection and
automatic transmit power selection are enabled.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] undo calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-rrm] undo calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-rrm] quit

# Configure a calibration channel set in the regulatory domain profile.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] dca-channel 2.4g channel-set 1,6,11
[AC-wlan-regulate-domain-default] dca-channel 5g bandwidth 20mhz
[AC-wlan-regulate-domain-default] dca-channel 5g channel-set 149,153,157,161
[AC-wlan-regulate-domain-default] quit

# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup

# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-
peak hours, for example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00

Step 8 Verify the configuration.

The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2


Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101 to 102
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 101 to 102
#
return

- SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100 to 102
#
dhcp enable
#
interface Vlanif10
 ip address 10.23.10.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
return

- Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return

- AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
 vlan 101 to 102
#
dhcp enable
#
ip pool huawei
 gateway-list 10.23.10.1
 network 10.23.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
capwap source interface vlanif100
#
wlan
 calibrate enable schedule time 03:00:00
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-pool sta-pool
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
  dca-channel 5g channel-set 149,153,157,161
 air-scan-profile name wlan-airscan
  scan-channel-set dca-channel
 rrm-profile name wlan-rrm
 radio-2g-profile name wlan-radio2g
  rrm-profile wlan-rrm
  air-scan-profile wlan-airscan
 radio-5g-profile name wlan-radio5g
  rrm-profile wlan-rrm
  air-scan-profile wlan-airscan
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return

4.3.8 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as the service VLANs to prevent IP addresses from running
short or being wasted. This also reduces the number of users in each VLAN and the size
of the broadcast domain.

Networking Requirements
- AC networking mode: Layer 3 networking in inline mode
- DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
- Service data forwarding mode: tunnel forwarding

Issue 03 (2017-10-31) Huawei Proprietary and Confidential 203


Copyright © Huawei Technologies Co., Ltd.
Typical Configuration Examples 4 Typical Configuration Examples (CLI)

Figure 4-18 Networking for configuring Layer 3 tunnel forwarding in inline mode

Data Planning

Table 4-18 AC data planning

Item                            Data
Management VLANs for APs        VLAN 10 and VLAN 100
Service VLAN for STAs           VLAN pool
                                - Name: sta-pool
                                - VLANs in the VLAN pool: VLAN 101 and VLAN 102
DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs         10.23.10.2-10.23.10.254/24
IP address pool for STAs        10.23.101.3-10.23.101.254/24
                                10.23.102.3-10.23.102.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        - Name: ap-group1
                                - Referenced profiles: VAP profile wlan-net, 2G radio profile wlan-radio2g,
                                  and 5G radio profile wlan-radio5g
Regulatory domain profile       - Name: default
                                - Country code: China
                                - Calibration channel set: calibration bandwidth and channels for 2.4 GHz
                                  and 5 GHz radios
SSID profile                    - Name: wlan-net
                                - SSID name: wlan-net
Security profile                - Name: wlan-net
                                - Security policy: WPA-WPA2+PSK+AES
                                - Password: a1234567
VAP profile                     - Name: wlan-net
                                - Forwarding mode: tunnel forwarding
                                - Service VLAN: VLANs in the VLAN pool
                                - Referenced profiles: SSID profile wlan-net and security profile wlan-net
Air scan profile                - Name: wlan-airscan
                                - Probe channel set: calibration channels
                                - Air scan interval: 60000 ms
                                - Air scan period: 60 ms
RRM profile                     - Name: wlan-rrm
                                - Automatic channel calibration: enabled
                                - Automatic power calibration: enabled
2G radio profile                - Name: wlan-radio2g
                                - Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm
5G radio profile                - Name: wlan-radio5g
                                - Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Configure the APs to go online.
   a. Create an AP group and add APs that require the same configuration to the group
      for unified configuration.
   b. Configure AC system parameters, including the country code and source interface
      used by the AC to communicate with the APs.
   c. Configure the AP authentication mode and import the APs offline to allow the APs
      to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
NOTE

During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.

Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
- Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default VLAN of
GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit


# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, and GE0/0/2 to VLAN 100.
Create VLANIF 100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.

# Add GE0/0/1 on the AC to VLAN 100, and GE0/0/2 to VLAN 101 and VLAN 102.
Create VLANIF 100 and set the IP address of VLANIF 100 to 10.23.100.1/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 102
[AC-GigabitEthernet0/0/2] quit

# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# Create VLANIF 101 and VLANIF 102 on the AC to assign IP addresses to STAs.
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit

# On the AC, create a global IP address pool to allocate IP addresses to APs.
[AC] dhcp enable
[AC] ip pool huawei
[AC-ip-pool-huawei] network 10.23.10.0 mask 24
[AC-ip-pool-huawei] gateway-list 10.23.10.1
[AC-ip-pool-huawei] option 43 sub-option 3 ascii 10.23.100.1
[AC-ip-pool-huawei] quit
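
In this Layer 3 topology the APs (10.23.10.0/24) obtain the AC's address from the option 43 value configured in the pool above. The following Python sketch is an added example, not Huawei code: it encodes and parses that value and checks that it agrees with the AC's source interface address and the relay target on SwitchB. It assumes the RFC 2132 code/length/value layout for encapsulated sub-options; the function names are hypothetical.

```python
import ipaddress

def encode_sub_option(code, text):
    """Build one code/length/value sub-option whose value is an ASCII string."""
    value = text.encode("ascii")
    if not (0 <= code <= 255 and 0 < len(value) <= 255):
        raise ValueError("code and value length must each fit in one byte")
    return bytes([code, len(value)]) + value

def decode_sub_options(data):
    """Walk an option 43 payload and return {code: value}; reject truncated input."""
    found, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code}: {length} bytes declared, {len(value)} present")
        found[code] = value
        pos += 2 + length
    return found

def advertised_ac(data, code=3):
    """Return the AC address carried as ASCII text in the given sub-option."""
    subs = decode_sub_options(data)
    if code not in subs:
        raise ValueError(f"sub-option {code} not present")
    return ipaddress.IPv4Address(subs[code].decode("ascii"))

def discovery_consistent(option43, capwap_source_ip, relay_server_ip):
    """True when the address offered to APs, the AC source address and the relay target agree."""
    return (advertised_ac(option43)
            == ipaddress.IPv4Address(capwap_source_ip)
            == ipaddress.IPv4Address(relay_server_ip))

# Values from this example: "option 43 sub-option 3 ascii 10.23.100.1" in ip pool huawei,
# VLANIF 100 on the AC (10.23.100.1) and "dhcp relay server-ip 10.23.100.1" on SwitchB.
OPTION43 = encode_sub_option(3, "10.23.100.1")

if __name__ == "__main__":
    print(OPTION43.hex())
    print(discovery_consistent(OPTION43, "10.23.100.1", "10.23.100.1"))
```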

Step 4 Configure a VLAN pool for service VLANs.


# On the AC, create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the
VLAN assignment algorithm to hash in the VLAN pool.
NOTE

This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add more VLANs to a VLAN pool.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).


[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP           Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.10.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the AP radios.


# Create the RRM profile wlan-rrm and enable automatic channel selection and automatic
transmit power selection in the RRM profile. By default, automatic channel selection and
automatic transmit power selection are enabled.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] undo calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-rrm] undo calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-rrm] quit

# Configure a calibration channel set in the regulatory domain profile.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] dca-channel 2.4g channel-set 1,6,11
[AC-wlan-regulate-domain-default] dca-channel 5g bandwidth 20mhz
[AC-wlan-regulate-domain-default] dca-channel 5g channel-set 149,153,157,161
[AC-wlan-regulate-domain-default] quit

# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup

# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-
peak hours, for example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00

Step 8 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
#
return

- SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100
#
dhcp enable
#
interface Vlanif10
 ip address 10.23.10.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return


- Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return

- AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
 vlan 101 to 102
#
dhcp enable
#
ip pool huawei
 gateway-list 10.23.10.1
 network 10.23.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
capwap source interface vlanif100
#
wlan
 calibrate enable schedule time 03:00:00
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
  dca-channel 5g channel-set 149,153,157,161
 air-scan-profile name wlan-airscan
  scan-channel-set dca-channel
 rrm-profile name wlan-rrm
 radio-2g-profile name wlan-radio2g
  rrm-profile wlan-rrm
  air-scan-profile wlan-airscan
 radio-5g-profile name wlan-radio5g
  rrm-profile wlan-rrm
  air-scan-profile wlan-airscan
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return
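
The Configuration Notes of this example require port isolation on the interfaces facing the APs and, in tunnel forwarding mode, a service VLAN that differs from the management VLAN and is not carried between the AC and the APs. The following Python check is an added example, not Huawei code: it reads saved configuration files like the ones above and reports violations. The caller names the AP-facing interfaces; treating a missing forward-mode line as direct forwarding is an assumption based on the preceding direct-forwarding example, whose AC file has no such line.

```python
import re

# Excerpts of the SwitchA and AC configuration files of this example (from this page).
SWITCH_A = """#
interface GigabitEthernet0/0/1
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10
 port-isolate enable group 1
#"""
AC = """#
vlan pool sta-pool
 vlan 101 to 102
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
  ssid-profile wlan-net
#"""

def blocks(cfg):
    """Split a saved configuration into '#'-delimited blocks of stripped lines."""
    out = [[]]
    for line in map(str.strip, cfg.splitlines()):
        if line == "#":
            out.append([])
        elif line:
            out[-1].append(line)
    return [b for b in out if b]

def vlan_set(tokens):
    """Expand ['10', '101', 'to', '102'] into {10, 101, 102}."""
    vlans, i = set(), 0
    while i < len(tokens):
        span = 3 if tokens[i + 1:i + 2] == ["to"] else 1
        vlans.update(range(int(tokens[i]), int(tokens[i + span - 1]) + 1))
        i += span
    return vlans

def ac_facts(cfg):
    """Return (CAPWAP source VLAN, {VAP profile: (forward mode, service VLANs)})."""
    pools, mgmt, raw = {}, None, {}
    for head, *body in blocks(cfg):
        if head.startswith("vlan pool "):
            members = [t for l in body if l.startswith("vlan ") for t in l.split()[1:]]
            pools[head.split()[2]] = vlan_set(members)
        elif head.startswith("capwap source interface"):
            m = re.search(r"vlanif\s*(\d+)", head, re.I)
            mgmt = int(m.group(1)) if m else None
        elif head == "wlan":
            vap = None
            for l in body:
                if re.match(r"(\S+-profile|ap-group) name |ap-id ", l):
                    # A new section of the wlan view starts; only VAP profiles are kept.
                    vap = l.split()[2] if l.startswith("vap-profile name ") else None
                    if vap:  # assumption: no forward-mode line = direct forwarding
                        raw[vap] = {"forward-mode": ["direct-forward"], "service-vlan": []}
                elif vap and l.split()[0] in raw[vap]:
                    raw[vap][l.split()[0]] = l.split()[1:]
    vaps = {}
    for name, r in raw.items():
        svc = r["service-vlan"]  # ['vlan-pool', <pool>] or ['vlan-id', <n>]
        vlans = pools.get(svc[1], set()) if svc[:1] == ["vlan-pool"] else vlan_set(svc[1:])
        vaps[name] = (r["forward-mode"][0], vlans)
    return mgmt, vaps

def switch_ports(cfg):
    """Return {interface: {'pvid', 'allow', 'isolated'}} from a switch configuration."""
    ports = {}
    for head, *body in blocks(cfg):
        if head.startswith("interface "):
            p = ports[head.split()[1]] = {"pvid": 1, "allow": set(), "isolated": False}
            for l in body:
                if l.startswith("port trunk pvid vlan "):
                    p["pvid"] = int(l.split()[4])
                elif l.startswith("port trunk allow-pass vlan "):
                    p["allow"] |= vlan_set(l.split()[4:])
                elif l.startswith("port-isolate enable"):
                    p["isolated"] = True
    return ports

def audit(ac_cfg, switch_cfg, ap_ports):
    """Check the Configuration Notes; ap_ports names the switch interfaces wired to APs."""
    (ac_vlan, vaps), ports, findings = ac_facts(ac_cfg), switch_ports(switch_cfg), []
    mgmt = {ac_vlan} | {ports[p]["pvid"] for p in ap_ports}
    for name, (mode, svc) in vaps.items():
        if mode != "tunnel":
            continue
        findings += [f"{name}: VLAN {v} is both management and service VLAN"
                     for v in sorted(svc & mgmt)]
        findings += [f"{name}: {p} carries service VLAN {v} towards the AP"
                     for p in ap_ports for v in sorted((svc - mgmt) & ports[p]["allow"])]
    findings += [f"{p}: port isolation not enabled" for p in ap_ports if not ports[p]["isolated"]]
    return findings

if __name__ == "__main__":
    print(audit(AC, SWITCH_A, ["GigabitEthernet0/0/1"]))
```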

4.3.9 Example for Configuring WLAN IPv4/IPv6 Dual-Stack Services

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. IPv4/IPv6 dual-stack needs to be configured on the AC so that users can access the
network using different protocol stacks.

Networking Requirements
- AC networking mode: Layer 2 inline mode
- DHCP deployment mode: The AC functions as a DHCP server to allocate IP addresses
  to APs and STAs.
- Service data forwarding mode: tunnel forwarding

Figure 4-19 Networking for configuring WLAN IPv4/IPv6 dual-stack services


Data Planning

Table 4-19 AC data planning

Item                            Data
DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs         FC01::/64
IP address pool for STAs        IPv4 address pool: 10.23.101.2-10.23.101.254/24
                                IPv6 address pool: FC02::/64
AC's source interface address   VLANIF 100: FC01::1/64
AP group                        - Name: ap-group1
                                - Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile       - Name: default
                                - Country code: China
SSID profile                    - Name: wlan-net
                                - SSID name: wlan-net
Security profile                - Name: wlan-net
                                - Security policy: WPA-WPA2+PSK+AES
                                - Password: a1234567
VAP profile                     - Name: wlan-net
                                - Forwarding mode: tunnel forwarding
                                - Service VLAN: VLAN 101
                                - Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. On the AC, configure a DHCPv6 server to assign IP addresses to APs, and a DHCPv4
and DHCPv6 server to assign IP addresses to STAs.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IPv4 address to
10.23.101.2/24 and IPv6 address to FC02::2/64.
<Huawei> system-view
[Huawei] sysname Router
[Router] ipv6
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] ipv6 enable
[Router-Vlanif101] ipv6 address fc02::2/64
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100 and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# On the AC, configure VLANIF 100 to assign IP addresses to APs.


[AC] ipv6
[AC] dhcp enable
[AC] dhcpv6 pool ap_pool
[AC-dhcpv6-pool-ap_pool] address prefix fc01::/64
[AC-dhcpv6-pool-ap_pool] quit
[AC] interface vlanif 100
[AC-Vlanif100] ipv6 enable
[AC-Vlanif100] ipv6 address fc01::1/64
[AC-Vlanif100] undo ipv6 nd ra halt
[AC-Vlanif100] ipv6 nd autoconfig managed-address-flag
[AC-Vlanif100] ipv6 nd autoconfig other-flag
[AC-Vlanif100] dhcpv6 server ap_pool
[AC-Vlanif100] quit

# Configure the DHCPv4 and DHCPv6 servers on VLANIF 101 to assign IP addresses to
STAs.
[AC] dhcpv6 pool sta_pool
[AC-dhcpv6-pool-sta_pool] address prefix fc02::/64
[AC-dhcpv6-pool-sta_pool] quit
[AC] interface vlanif 101
[AC-Vlanif101] ipv6 enable
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] ipv6 address fc02::1/64
[AC-Vlanif101] undo ipv6 nd ra halt
[AC-Vlanif101] ipv6 nd autoconfig managed-address-flag
[AC-Vlanif101] ipv6 nd autoconfig other-flag
[AC-Vlanif101] dhcpv6 server sta_pool
[AC-Vlanif101] quit

Step 4 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap ipv6 enable
[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP status. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 FC01::3 AP5030DN nor 0 27S
------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.

# Enable the function of processing STA IPv6 services.


[AC-wlan-view] sta-ipv6-service enable

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IPv4 address IPv6 address
---------------------------------------------------------------------------------------------------------------------
14cf-9202-13dc 0 area_1 0/1 2.4G 11n 5/1 -62 101 10.23.101.254 FC02::546E:C25C:F4C7:B2AD
---------------------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• Router configuration file
#
sysname Router
#
ipv6
#
vlan batch 101
#
interface Vlanif101
ipv6 enable
ip address 10.23.101.2 255.255.255.0
ipv6 address FC02::2/64
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
ipv6
#
vlan batch 100 to 101
#
dhcp enable
#
dhcpv6 pool ap_pool
address prefix FC01::/64
#
dhcpv6 pool sta_pool
address prefix FC02::/64
#
interface Vlanif100
ipv6 enable
ipv6 address FC01::1/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcpv6 server ap_pool
#
interface Vlanif101
ipv6 enable
ip address 10.23.101.1 255.255.255.0
ipv6 address FC02::1/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcp select interface
dhcpv6 server sta_pool
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap ipv6 enable
capwap source interface vlanif100
#
wlan
sta-ipv6-service enable
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
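
The tunnel-forwarding VLAN rule from the Configuration Notes can be checked against a saved AC configuration file. The following Python sketch is an added example, not part of the Huawei document: it reports a tunnel-mode VAP profile whose service VLAN equals the CAPWAP management VLAN, or a trunk port that carries both. The function names and finding codes are illustrative, the sample configurations are constructed from this example, and the trunk check assumes the inline topology used here, where the AP-facing port and the uplink are separate interfaces.

```python
import re

# Constructed sample: the AC configuration file from this example, reduced to the
# lines the check reads (indented the way a saved configuration file is).
GOOD_CONFIG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap ipv6 enable
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
return
"""
# Constructed faulty variants: the service VLAN reused as management VLAN, and an
# AP-facing trunk that also passes the service VLAN.
SAME_VLAN_CONFIG = GOOD_CONFIG.replace("vlan-id 101", "vlan-id 100")
SHARED_TRUNK_CONFIG = GOOD_CONFIG.replace("allow-pass vlan 100\n",
                                          "allow-pass vlan 100 to 101\n")


def parse_vlan_list(text):
    """Expand '100 101', '100 to 101' or 'all' into a set of VLAN IDs."""
    tokens = text.split()
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_ac_config(text):
    """Collect the CAPWAP management VLAN, trunk VLAN lists and VAP profile settings."""
    cfg = {"mgmt_vlan": None, "trunks": {}, "vaps": {}}
    iface = vap = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#"):                      # '#' closes the current block
            iface = vap = None
            continue
        m = re.match(r"capwap source interface vlanif\s*(\d+)$", line, re.I)
        if m:
            cfg["mgmt_vlan"] = int(m.group(1))
        elif line.lower().startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line.startswith("port trunk allow-pass vlan ") and iface:
            vlans = parse_vlan_list(line[len("port trunk allow-pass vlan "):])
            cfg["trunks"].setdefault(iface, set()).update(vlans)
        elif line.startswith("vap-profile name "):
            vap = cfg["vaps"].setdefault(line.split()[2], {})
        elif re.match(r"(\S+-profile|ap-group) name |ap-id ", line):
            vap = None                             # another WLAN object starts here
        elif vap is not None and line.startswith("forward-mode "):
            vap["forward-mode"] = line.split()[1]
        elif vap is not None:
            m = re.match(r"service-vlan vlan-id (\d+)$", line)
            if m:
                vap["service-vlan"] = int(m.group(1))
    return cfg


def audit_tunnel_vlans(text):
    """Return (code, vap_profile, detail) findings for tunnel-mode VAP profiles."""
    cfg = parse_ac_config(text)
    mgmt, findings = cfg["mgmt_vlan"], []
    for name, vap in cfg["vaps"].items():
        svc = vap.get("service-vlan")
        if vap.get("forward-mode") != "tunnel" or mgmt is None or svc is None:
            continue                               # rule applies to tunnel mode only
        if svc == mgmt:
            findings.append(("SAME_VLAN", name, f"VLAN {svc}"))
            continue
        for ifname, vlans in sorted(cfg["trunks"].items()):
            if mgmt in vlans and svc in vlans:     # one port carries both VLANs
                findings.append(("SHARED_TRUNK", name, ifname))
    return findings


if __name__ == "__main__":
    for label, text in [("good", GOOD_CONFIG), ("same VLAN", SAME_VLAN_CONFIG),
                        ("shared trunk", SHARED_TRUNK_CONFIG)]:
        print(label, audit_tunnel_vlans(text) or "no findings")
```

A SHARED_TRUNK finding is a prompt to review the port's role, since an uplink in a non-inline topology can legitimately carry both VLANs.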

4.3.10 Example for Configuring NAT Traversal Between the AC and APs

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

APs are located in an enterprise branch, while the AC is located at the headquarters.
Administrators require unified AP management by the AC. Therefore, NAT traversal is
configured between the AC and APs to save the enterprise's public IP addresses.

Networking Requirements
• AC networking mode: NAT traversal between the AC at the headquarters and APs in the
branch
• DHCP deployment mode: Router_1 functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 4-20 Networking for configuring NAT traversal between the AC and APs

Data Planning

Table 4-20 AC data planning


Item                            Data
Management VLAN for APs         VLAN 200
Service VLAN for STAs           VLAN 101
DHCP server                     Router_1 functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs         10.23.100.2-10.23.100.254/24
IP address pool for STAs        10.23.101.2-10.23.101.254/24
AC's source interface address   VLANIF 200: 10.23.200.1/24
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile       • Name: default
                                • Country code: China
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security profile wlan-net
NAT Outbound                    Router_1: translates the private IP addresses in the network segment
                                10.23.100.0/24 to the public IP addresses in the network segment 2.2.2.1.
Static NAT                      Router_2: translates the private IP addresses in the network segment
                                10.23.200.1 to the public IP addresses in the network segment 3.3.3.3.

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure NAT for address translation.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 100 and VLAN 101. VLAN 100
is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/3] quit

# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
2.2.2.2/24, set the IP address of GE0/0/1 to 2.2.2.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 2.2.2.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit

# Configure a default route with the next hop address 2.2.2.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 2.2.2.2

# On Router_2, add GE1/0/0 to VLAN 200. If the peer end of GE0/0/1 is at 3.3.3.2/24, set the
IP address of GE0/0/1 to 3.3.3.1/24. Create VLANIF 200 and set its IP address to
10.23.200.2/24.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface GigabitEthernet1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 3.3.3.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit

# Configure a default route with the next hop address 3.3.3.2 on Router_2.
[Router_2] ip route-static 0.0.0.0 0.0.0.0 3.3.3.2

Step 2 Configure the AC to communicate with the network devices.


# On the AC, add GE0/0/1 to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.1/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 101 200
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.1 24
[AC-Vlanif200] quit

# Configure a default route with the next hop address 10.23.200.2 on the AC.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.200.2

Step 3 Configure a DHCP server to assign IP addresses to APs and STAs.


# Configure Router_1 as a DHCP server to assign IP addresses to APs and STAs. The AC's
source interface address is translated into the public IP address 3.3.3.3 after NAT mapping.
[Router_1] dhcp enable
[Router_1] interface vlanif 100
[Router_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Router_1-Vlanif100] dhcp select global
[Router_1-Vlanif100] quit
[Router_1] ip pool ap
[Router_1-ip-pool-ap] gateway-list 10.23.100.1
[Router_1-ip-pool-ap] network 10.23.100.0 mask 24
[Router_1-ip-pool-ap] option 43 sub-option 3 ascii 3.3.3.3
[Router_1-ip-pool-ap] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] dhcp select interface
[Router_1-Vlanif101] quit

Step 4 Configure NAT.


# Configure outbound NAT on Router_1.
[Router_1] acl 2000
[Router_1-acl-basic-2000] rule 5 permit source 10.23.100.0 0.0.0.255
[Router_1-acl-basic-2000] rule 10 permit source 10.23.101.0 0.0.0.255
[Router_1-acl-basic-2000] quit
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] nat outbound 2000
[Router_1-GigabitEthernet0/0/1] quit

# Configure static NAT on Router_2.


[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] nat static global 3.3.3.3 inside 10.23.200.1
[Router_2-GigabitEthernet0/0/1] quit

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 200

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands, respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
1 60de-4474-9640 area_2 ap-group1 10.23.100.253 AP5030DN nor 0 11S
-------------------------------------------------------------------------------------
Total: 2

Step 6 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure the AP channel and power.

NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Verify the configuration.

The AC automatically delivers WLAN service configuration to the AP. After the
configuration is complete, run the display vap ssid wlan-net command. If the Status field is
displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
0 area_2 0 1 60DE-4474-9640 ON WPA/WPA2-PSK 0 wlan-net
0 area_2 1 1 60DE-4474-9650 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 4

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End


Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

• Router_1 configuration file
#
sysname Router_1
#
vlan batch 100 to 101
#
dhcp enable
#
acl number 2000
 rule 5 permit source 10.23.100.0 0.0.0.255
 rule 10 permit source 10.23.101.0 0.0.0.255
#
ip pool ap
 gateway-list 10.23.100.1
 network 10.23.100.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 3.3.3.3
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select global
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
 port-isolate enable
#
interface GigabitEthernet0/0/1
 ip address 2.2.2.1 255.255.255.0
 nat outbound 2000
#
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2
#
return

• Router_2 configuration file
#
sysname Router_2
#
vlan batch 200
#
interface Vlanif200
 ip address 10.23.200.2 24
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/1
 ip address 3.3.3.1 255.255.255.0
 nat static global 3.3.3.3 inside 10.23.200.1
#
ip route-static 0.0.0.0 0.0.0.0 3.3.3.2
#
return

• AC configuration file
#
sysname AC
#
vlan batch 101 200
#
interface Vlanif200
 ip address 10.23.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.2
#
capwap source interface vlanif200
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
 ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235554710CB002312
  ap-name area_2
  ap-group ap-group1
#
return


4.3.11 Example for Configuring VPN Traversal Between the AC and APs

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
APs are located in an enterprise branch, while the AC is located at the headquarters.
Administrators require unified AP management by the AC and protection of the traffic
exchanged between the branch and headquarters. Therefore, an IPSec tunnel is established
between the branch and headquarters to protect this traffic.

Networking Requirements
• AC networking mode: IPSec tunnel between the AC at the headquarters and APs in the
branch.
• DHCP deployment mode: Router_1 functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 4-21 Networking for configuring VPN traversal between the AC and APs


Data Planning

Table 4-21 AC data planning

Item                                Data

WLAN service data planning on the AC

Management VLAN for APs             VLAN 200
Service VLAN for STAs               VLAN 101
DHCP server                         Router_1 functions as a DHCP server to assign IP
                                    addresses to APs and STAs.
IP address pool for APs             10.23.100.2-10.23.100.254/24
IP address pool for STAs            10.23.101.2-10.23.101.254/24
AC's source interface address       VLANIF 200: 10.23.200.1/24
AP group                            • Name: ap-group1
                                    • Referenced profiles: VAP profile wlan-net and
                                      regulatory domain profile default
Regulatory domain profile           • Name: default
                                    • Country code: China
SSID profile                        • Name: wlan-net
                                    • SSID name: wlan-net
Security profile                    • Name: wlan-net
                                    • Security policy: WPA-WPA2+PSK+AES
                                    • Password: a1234567
VAP profile                         • Name: wlan-net
                                    • Forwarding mode: direct forwarding
                                    • Service VLAN: VLAN 101
                                    • Referenced profiles: SSID profile wlan-net and
                                      security profile wlan-net

IPSec data planning on Router_2

IKE parameters                      • IKE version: IKEv1
                                    • Negotiation mode: main
                                    • Peer IP address: 202.138.162.1
                                    • Authentication mode: pre-shared key authentication
                                    • Pre-shared key: huawei@1234
                                    • Authentication algorithm: SHA2-256
                                    • Encryption algorithm: AES-128
                                    • DH group number: group14
IPSec parameters                    • Security protocol: ESP
                                    • ESP negotiation mode: main
                                    • ESP authentication algorithm: SHA2-256
                                    • ESP encryption algorithm: AES-128
                                    • Encapsulation mode: tunnel
IPSec policy                        • Connection name: map1
                                    • Interface name: gigabitethernet 0/0/1
                                    • Networking mode: branch site
                                    • Connection number: 10
                                    • ACL number: 3101

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure IPSec parameters to set up an IPSec tunnel.
a. Configure an IP address and a static route on each interface to implement
communication between both ends.
b. Configure ACLs and define the data flows to be protected by the IPSec tunnel.
c. Configure an IPSec proposal to define the traffic protection method.
d. Configure IKE peers and define the attributes used for IKE negotiation.
e. Configure an IPSec policy, and apply the ACL, IPSec proposal, and IKE peers to
the IPSec policy to define the data flows to be protected and protection method.
f. Apply the IPSec policy to the interface so that the interface can protect traffic.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1 and GE0/0/2 to VLAN 100 and VLAN 101. VLAN 100 is the
default VLAN of GE0/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit

# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
202.138.162.2/24, set the IP address of GE0/0/1 to 202.138.162.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet 1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 202.138.162.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit

# Configure a default route with the next hop address 202.138.162.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 202.138.162.2

# On Router_2, add GE1/0/0 to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24. If the peer end of GE0/0/1 is at 202.138.163.2/24, set the IP address of
GE0/0/1 to 202.138.163.1/24.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface gigabitethernet 1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 202.138.163.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit

# Configure a static route from Router_2 to APs with the next hop address 202.138.162.2 on
Router_2.
[Router_2] ip route-static 10.23.100.0 255.255.255.0 202.138.163.2
[Router_2] ip route-static 202.138.162.0 255.255.255.0 202.138.163.2

Step 2 Configure the AC to communicate with the network devices.


# On the AC, add GE0/0/1 to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.1/24.
<AC> system-view
[AC] sysname AC
[AC] vlan batch 101 200
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.1 24
[AC-Vlanif200] quit

# Configure a static route from the AC to APs with the next hop address 10.23.200.2 on the
AC.
[AC] ip route-static 10.23.100.0 255.255.255.0 10.23.200.2

Step 3 Configure a DHCP server to assign IP addresses to APs and STAs.


# Configure Router_1 as a DHCP server to assign IP addresses to APs and STAs.
[Router_1] dhcp enable
[Router_1] interface vlanif 100
[Router_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Router_1-Vlanif100] dhcp select global
[Router_1-Vlanif100] quit
[Router_1] ip pool ap
[Router_1-ip-pool-ap] gateway-list 10.23.100.1
[Router_1-ip-pool-ap] network 10.23.100.0 mask 24
[Router_1-ip-pool-ap] option 43 sub-option 3 ascii 10.23.200.1
[Router_1-ip-pool-ap] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] dhcp select interface
[Router_1-Vlanif101] quit

Step 4 Configure ACLs and define the data flows to be protected by the IPSec tunnel.
# On Router_2, configure an ACL to protect the data flows from the AC (IP address
10.23.200.0/24) at the headquarters to the APs (IP address 10.23.100.0/24) in the branch.
[Router_2] acl number 3101
[Router_2-acl-adv-3101] rule permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
[Router_2-acl-adv-3101] quit

# On Router_1, configure an ACL to protect the data flows from the APs (IP address
10.23.100.0/24) in the branch to the AC (IP address 10.23.200.0/24) at the headquarters.
[Router_1] acl number 3101
[Router_1-acl-adv-3101] rule permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
[Router_1-acl-adv-3101] quit

Step 5 Configure IPSec.


1. Create an IPSec proposal on Router_2 and Router_1.

# Create an IPSec proposal on Router_2.


[Router_2] ipsec proposal tran1
[Router_2-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[Router_2-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[Router_2-ipsec-proposal-tran1] quit

# Create an IPSec proposal on Router_1.


[Router_1] ipsec proposal tran1
[Router_1-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[Router_1-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[Router_1-ipsec-proposal-tran1] quit

2. Create IKE peers on Router_2 and Router_1.

# Create an IKE proposal on Router_2.


[Router_2] ike proposal 5
[Router_2-ike-proposal-5] authentication-algorithm sha2-256
[Router_2-ike-proposal-5] encryption-algorithm aes-128
[Router_2-ike-proposal-5] dh group14
[Router_2-ike-proposal-5] quit

# Configure an IKE peer on Router_2, and configure the pre-shared key and peer ID
based on the default settings.
[Router_2] ike peer spub
[Router_2-ike-peer-spub] undo version 2
[Router_2-ike-peer-spub] ike-proposal 5
[Router_2-ike-peer-spub] pre-shared-key cipher huawei@1234
[Router_2-ike-peer-spub] remote-address 202.138.162.1
[Router_2-ike-peer-spub] quit

# Create an IKE proposal on Router_1.


[Router_1] ike proposal 5
[Router_1-ike-proposal-5] authentication-algorithm sha2-256
[Router_1-ike-proposal-5] encryption-algorithm aes-128
[Router_1-ike-proposal-5] dh group14
[Router_1-ike-proposal-5] quit

# Configure an IKE peer on Router_1, and configure the pre-shared key and peer ID
based on the default settings.
[Router_1] ike peer spua
[Router_1-ike-peer-spua] undo version 2
[Router_1-ike-peer-spua] ike-proposal 5
[Router_1-ike-peer-spua] pre-shared-key cipher huawei@1234
[Router_1-ike-peer-spua] remote-address 202.138.163.1
[Router_1-ike-peer-spua] quit

3. Create IPSec policies on Router_2 and Router_1.

# Configure an IPSec policy in IKE negotiation mode on Router_2.


[Router_2] ipsec policy map1 10 isakmp
[Router_2-ipsec-policy-isakmp-map1-10] ike-peer spub
[Router_2-ipsec-policy-isakmp-map1-10] proposal tran1
[Router_2-ipsec-policy-isakmp-map1-10] security acl 3101
[Router_2-ipsec-policy-isakmp-map1-10] quit


# Configure an IPSec policy in IKE negotiation mode on Router_1.


[Router_1] ipsec policy use1 10 isakmp
[Router_1-ipsec-policy-isakmp-use1-10] ike-peer spua
[Router_1-ipsec-policy-isakmp-use1-10] proposal tran1
[Router_1-ipsec-policy-isakmp-use1-10] security acl 3101
[Router_1-ipsec-policy-isakmp-use1-10] quit
4. Apply the IPSec policies to the interfaces of Router_2 and Router_1, so that the
interfaces can protect traffic.
# Apply the IPSec policy to the interface of Router_2.
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ipsec policy map1
[Router_2-GigabitEthernet0/0/1] quit

# Apply the IPSec policy to the interface of Router_1.


[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] ipsec policy use1
[Router_1-GigabitEthernet0/0/1] quit

Step 6 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 200

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.


[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime
-------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 1

Step 7 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-net-prof-wlan-net] forward-mode direct-forward
[AC-wlan-net-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-net-prof-wlan-net] security-profile wlan-net
[AC-wlan-net-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-net-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 8 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 9 Verify the configuration.

The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type     STA  SSID
--------------------------------------------------------------------------------
0      area_1   0     1    60DE-4476-E360  ON      WPA/WPA2-PSK  0    wlan-net
0      area_1   1     1    60DE-4476-E370  ON      WPA/WPA2-PSK  0    wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# After the configurations are complete, the AC can ping the APs successfully and the data
transmitted between them is encrypted. You can run the display ipsec statistics esp command
to view packet statistics.

Run the display ike sa command on Router_2, and the following information is displayed:
<Router_2> display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------
16 202.138.162.1 0 RD|ST v1:2
14 202.138.162.1 0 RD|ST v1:1

Number of SA entries : 2

Number of SA entries of all cpu : 2

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING

----End


Configuration Files
• AC configuration file
#
sysname AC
#
vlan batch 101 200
#
interface Vlanif200
 ip address 10.23.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 200
#
ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
#
capwap source interface vlanif200
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return

• Router_1 configuration file
#
sysname Router_1
#
vlan batch 100 to 101
#
dhcp enable
#
acl number 3101
 rule 5 permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer spua
 undo version 2
 pre-shared-key cipher %@%@HCf#WZWU9A;yLoD#V$8G*i_/%@%@
 ike-proposal 5
 remote-address 202.138.163.1
#
ipsec policy use1 10 isakmp
 security acl 3101
 ike-peer spua
 proposal tran1
#
ip pool ap
 gateway-list 10.23.100.1
 network 10.23.100.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.23.200.1
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select global
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 ip address 202.138.162.1 255.255.255.0
 ipsec policy use1
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
ip route-static 0.0.0.0 0.0.0.0 202.138.162.2
#
return
• Router_2 configuration file
#
sysname Router_2
#
vlan batch 200
#
acl number 3101
 rule 5 permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
#
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer spub
 undo version 2
 pre-shared-key cipher %@%@HCf#WZWU9A;yLoD#V$8G*i_/%@%@
 ike-proposal 5
 remote-address 202.138.162.1
#
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer spub
 proposal tran1
#
interface Vlanif200
 ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 202.138.163.1 255.255.255.0
 ipsec policy map1
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 200
#
ip route-static 10.23.100.0 255.255.255.0 202.138.163.2
ip route-static 202.138.162.0 255.255.255.0 202.138.163.2
#
return

• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return
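
The IPSec tunnel in this example only negotiates when both routers agree: matching IKE and ESP proposals, ACL flows that mirror each other, and each remote-address pointing at the interface where the peer applies its policy. The following Python check is an added example, not part of the Huawei document; the function names (tunnel_view, check_pair) and the trimmed sample configurations are constructed for illustration.

```python
import ipaddress
import re
# Constructed excerpts modelled on this example's Router_1 / Router_2 files
# ("#" separators and the ciphertext pre-shared-key lines are left out).
ROUTER_1 = """\
acl number 3101
 rule 5 permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
ike peer spua
 undo version 2
 ike-proposal 5
 remote-address 202.138.163.1
ipsec policy use1 10 isakmp
 security acl 3101
 ike-peer spua
 proposal tran1
interface GigabitEthernet0/0/1
 ip address 202.138.162.1 255.255.255.0
 ipsec policy use1
"""
ROUTER_2 = """\
acl number 3101
 rule 5 permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ike proposal 5
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
ike peer spub
 undo version 2
 ike-proposal 5
 remote-address 202.138.162.1
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer spub
 proposal tran1
interface GigabitEthernet0/0/1
 ip address 202.138.163.1 255.255.255.0
 ipsec policy map1
"""
RULE = re.compile(r"permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def sections(text):
    """Group indented lines under the unindented line that opens their view."""
    out, head = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and head:
            out[head].append(line.strip())
        elif line.strip() not in ("", "#"):
            head = line.strip()
            out[head] = []
    return out

def body(sec, prefix):
    """Lines of the first section named `prefix` (extra trailing words allowed)."""
    return next(v for h, v in sec.items() if (h + " ").startswith(prefix + " "))

def kv(lines):
    """'esp encryption-algorithm aes-128' -> {'esp encryption-algorithm': 'aes-128'}"""
    return dict(l.rsplit(" ", 1) for l in lines if " " in l)

def net(addr, wildcard):
    """ACL address plus wildcard mask -> ip_network (wildcard bits are inverted)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def tunnel_view(text):
    """Follow policy -> ACL / IKE peer / proposals / interface for one router."""
    sec = sections(text)
    head = next(h for h in sec if h.startswith("ipsec policy "))
    name, pol = head.split()[2], kv(sec[head])
    peer = kv(body(sec, f"ike peer {pol['ike-peer']}"))
    flows = {(net(m[1], m[2]), net(m[3], m[4]))
             for m in map(RULE.search, body(sec, f"acl number {pol['security acl']}")) if m}
    local = next(l.split()[2] for v in sec.values() if f"ipsec policy {name}" in v
                 for l in v if l.startswith("ip address "))
    return {"flows": flows, "local": local, "remote": peer["remote-address"],
            "ikev1": peer.get("undo version") == "2",
            "ike": kv(body(sec, f"ike proposal {peer['ike-proposal']}")),
            "esp": kv(body(sec, f"ipsec proposal {pol['proposal']}"))}

def check_pair(text_a, text_b):
    """Return the reasons the two ends would fail to agree (empty list = consistent)."""
    a, b = tunnel_view(text_a), tunnel_view(text_b)
    problems = [f"{k} settings differ" for k in ("ikev1", "ike", "esp") if a[k] != b[k]]
    if a["flows"] != {(dst, src) for src, dst in b["flows"]}:
        problems.append("ACL flows are not mirror images")
    if a["remote"] != b["local"] or b["remote"] != a["local"]:
        problems.append("remote-address does not match the peer's IPSec interface")
    return problems
```

Calling check_pair(ROUTER_1, ROUTER_2) returns an empty list for the pair above; any entry it returns names the setting to compare on both routers before applying the policy.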

4.3.12 Example for Configuring Hand-in-Hand WDS Services

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Considering the high costs of wired AP deployment, enterprises need to set up
wireless distribution system (WDS) links for wireless backhaul to provide service coverage,
ensuring that enterprise users can access the WLAN.

Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_A) functions as a DHCP server to assign IP
addresses to STAs.
• Wireless backhaul mode: hand-in-hand WDS
• Backhaul radio: 5 GHz
• Service data forwarding mode: direct forwarding


Figure 4-22 Networking diagram for configuring hand-in-hand WDS services

Data Planning

Table 4-22 AP data planning

AP    Type      MAC Address
AP_1  AP8130DN  60de-4474-9640
AP_2  AP8130DN  dcd2-fc04-b500
AP_3  AP8130DN  dcd2-fc96-e4c0

Table 4-23 AC data planning

Item                                Data

Management VLAN for APs             VLAN 100
Service VLAN for STAs               VLAN 101
DHCP server                         The AC functions as a DHCP server to assign IP
                                    addresses to APs. Switch_A functions as a DHCP
                                    server to assign IP addresses to STAs.
IP address pool for APs             10.23.100.2-10.23.100.254/24
IP address pool for STAs            10.23.101.3-10.23.101.254/24
AC's source interface address       VLANIF 100
WDS mode                            • Radio 1 on AP_1: root
                                    • Radio 1 on AP_2: leaf
                                    • Radio 0 on AP_2: root
                                    • Radio 1 on AP_3: leaf
Regulatory domain profile           • Name: default
                                    • Country code: CN
SSID profile                        • Name: wlan-net
                                    • SSID name: wlan-net
Wireless service security profile   • Name: wlan-net
                                    • Security policy: WPA-WPA2+PSK+AES
                                    • Password: a1234567
VAP profile                         • Name: wlan-net
                                    • Forwarding mode: direct forwarding
                                    • Service VLAN: VLAN 101
                                    • Referenced profiles: SSID profile wlan-net and
                                      security profile wlan-net
WDS link security profile           • Name: wds-security
                                    • Security policy: WPA2+PSK+AES
                                    • Password type: PASS-PHRASE
                                    • Password: a1234567
WDS whitelist profile               • Name: wds-list1
                                    • AP MAC address: MAC address of AP_2 (leaf)

                                    • Name: wds-list2
                                    • AP MAC address: MAC address of AP_3 (leaf)
WDS profile                         • Name: wds-root
                                    • WDS name: wlan-wds
                                    • WDS working mode: root
                                    • Tagged VLAN: VLAN 101
                                    • Referenced profile: security profile wds-security

                                    • Name: wds-leaf
                                    • WDS name: wlan-wds
                                    • WDS working mode: leaf
                                    • Tagged VLAN: VLAN 101
                                    • Referenced profile: security profile wds-security
AP group                            • Name: ap-group1
                                    • Root APs, such as AP_1, are added to the group.
                                    • Referenced profiles: WDS profile wds-root, VAP
                                      profile wlan-net, and regulatory domain profile
                                      default

                                    • Name: ap-group2
                                    • Root and leaf APs, such as AP_2, are added to the
                                      group.
                                    • Referenced profiles: WDS profiles wds-root and
                                      wds-leaf, VAP profile wlan-net, and regulatory
                                      domain profile default

                                    • Name: ap-group3
                                    • Leaf APs, such as AP_3, are added to the group.
                                    • Referenced profiles: WDS profile wds-leaf, VAP
                                      profile wlan-net, and regulatory domain profile
                                      default

Configuration Roadmap
1. Configure root node AP_1 to go online on the AC.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
2. Configure WDS services so that APs in and Area C can go online through WDS wireless
virtual links.
3. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• Select proper antennas by following the WDS network planning and design, and use the
antenna calibration tool for calibration.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit

# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


# On the AC, configure GE0/0/1 to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure Switch_A as a DHCP server to assign IP addresses to STAs from the interface
address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server gateway-list 10.23.101.2
[Switch_A-Vlanif101] quit

# Enable DHCP on the AC to assign IP addresses to the APs from the interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 4 Configure an AP to go online.


# Create AP groups ap-group1, ap-group2, and ap-group3.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group3] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Add AP_1, AP_2, and AP_3 to AP group ap-group1, ap-group2, and ap-group3,
respectively.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fc96-e4c0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group ap-group3
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit

Step 5 Set WDS service parameters.

# Set key radio parameters for the WDS nodes. In this example, AP_1 and AP_3 use radio 1,
and AP_2 uses radio 0 and radio 1. Configure radio 0 of AP_2 to work on the 5 GHz
frequency band. To reduce channel interference, configure radio 0 and radio 1 of AP_2 to
work on different channels. Radio 1 and radio 0 are used to establish WDS links with AP_1
and AP_3 respectively. The coverage distance parameter specifies the radio coverage
distance in units of 100 m; the default value is 3. In this example, 4 is used. Set this
parameter based on actual situations.
NOTE

On a WDS network, radios used to create WDS links must work on the same channel.


[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] frequency 5g
Warning: Modifying the frequency band will delete the channel, power, and antenn
a gain configurations of the current radio on the AP and reboot the AP. Continue
?[Y/N]:y
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/1] coverage distance 4
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/0] coverage distance 4
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] radio 1
[AC-wlan-radio-2/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/1] coverage distance 4
[AC-wlan-radio-2/1] quit
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3
[AC-wlan-ap-3] radio 1
[AC-wlan-radio-3/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-3/1] coverage distance 4
[AC-wlan-radio-3/1] quit
[AC-wlan-ap-3] quit

# Configure security profile wds-security for WDS links. The security policy for the security
profile is WPA2+PSK+AES.
[AC-wlan-view] security-profile name wds-security
[AC-wlan-sec-prof-wds-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wds-security] quit

# Configure a WDS whitelist profile. Bind WDS whitelist profile wds-list1 to AP_1, and
allow access of only AP_2. Bind WDS whitelist profile wds-list2 to AP_2, and allow access
of only AP_3.
[AC-wlan-view] wds-whitelist-profile name wds-list1
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac dcd2-fc04-b500
[AC-wlan-wds-whitelist-wds-list1] quit
[AC-wlan-view] wds-whitelist-profile name wds-list2
[AC-wlan-wds-whitelist-wds-list2] peer-ap mac dcd2-fc96-e4c0
[AC-wlan-wds-whitelist-wds-list2] quit

# Configure WDS profile wds-root. Set the WDS name to wlan-wds, and the WDS mode to
root. Bind security profile wds-security to the WDS profile and permit packets from VLAN
101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-root
[AC-wlan-wds-prof-wds-root] wds-name wlan-wds
[AC-wlan-wds-prof-wds-root] wds-mode root
[AC-wlan-wds-prof-wds-root] security-profile wds-security
[AC-wlan-wds-prof-wds-root] vlan tagged 101
[AC-wlan-wds-prof-wds-root] quit

# Configure WDS profile wds-leaf. Set the WDS name to wlan-wds, and the WDS mode to
leaf. Bind security profile wds-security to the WDS profile and permit packets from VLAN
101 to pass through in tagged mode.

[AC-wlan-view] wds-profile name wds-leaf
[AC-wlan-wds-prof-wds-leaf] wds-name wlan-wds
[AC-wlan-wds-prof-wds-leaf] wds-mode leaf
[AC-wlan-wds-prof-wds-leaf] security-profile wds-security
[AC-wlan-wds-prof-wds-leaf] vlan tagged 101
[AC-wlan-wds-prof-wds-leaf] quit

# Bind WDS whitelist profile wds-list1 to radio 1 of AP group ap-group1, and bind WDS
whitelist profile wds-list2 to radio 1 of AP group ap-group2.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] wds-whitelist-profile wds-list1
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] radio 1
[AC-wlan-group-radio-ap-group2/1] wds-whitelist-profile wds-list2
[AC-wlan-group-radio-ap-group2/1] quit
[AC-wlan-ap-group-ap-group2] quit

Step 6 Bind required profiles to the AP groups to make WDS services take effect.
# Bind WDS profile wds-root to AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wds-profile wds-root radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

# Bind WDS profiles wds-root and wds-leaf to AP group ap-group2.


[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] wds-profile wds-leaf radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] wds-profile wds-root radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] quit

# Bind WDS profile wds-leaf to AP group ap-group3.


[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] wds-profile wds-leaf radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group3] quit

Step 7 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP groups. In this example, radio 1 on AP_1 and AP_3 is used
for WDS backhaul, and radio 0 for wireless service coverage. Apply VAP profile wlan-net to
radio 0 of AP_1 and AP_3.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group3
[AC-wlan-ap-group-ap-group3] vap-profile wlan-net wlan 3 radio 0
[AC-wlan-ap-group-ap-group3] quit

Step 8 Configure the channel and power for the 2.4 GHz radio.
NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/0] eirp 127
[AC-wlan-radio-1/0] quit
[AC-wlan-ap-1] quit

Step 9 Verify the configuration.


# After the configuration is complete, run the display ap all command to check whether WDS
nodes go online successfully. If State is displayed as nor, APs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [3]
-------------------------------------------------------------------------------------
ID   MAC            Name Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
1    60de-4474-9640 AP_1 ap-group1 10.23.100.254 AP8130DN nor   0   20M:16S
2    dcd2-fc04-b500 AP_2 ap-group2 10.23.100.253 AP8130DN nor   0   17S
3    dcd2-fc96-e4c0 AP_3 ap-group3 10.23.100.252 AP8130DN nor   0   3M:55S
-------------------------------------------------------------------------------------
Total: 3

Run the display wlan wds link all command to display information about WDS links.
[AC-wlan-view] display wlan wds link all
Rf   : radio ID          Dis  : coverage distance(100m)
Ch   : channel           Per  : drop percent(%)
TSNR : total SNR(dB)     P-   : peer
WDS  : WDS mode          Re   : retry ratio(%)
RSSI : RSSI(dBm)         MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName P-APName Rf Dis Ch  WDS  P-Status RSSI MaxR Per Re TSNR SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------------------
AP_1   AP_2     1  4   157 root normal   -39  -30  0   5  55   42/57/-
AP_2   AP_3     0  4   149 root normal   -56  -40  0   9  59   45/40/60
AP_2   AP_1     1  4   157 leaf normal   -32  -30  0   15 58   41/36/60
AP_3   AP_2     1  4   149 leaf normal   -33  -32  0   7  59   51/59/-
-------------------------------------------------------------------------------------------------
Total: 4

The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
--------------------------------------------------------------------------------
1     AP_1    0    1   60DE-4474-9640 ON     WPA/WPA2-PSK 0   wlan-net
3     AP_3    0    3   DCD2-FC96-E4C0 ON     WPA/WPA2-PSK 0   wlan-net
--------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------
e019-1dc7-1e08 1     AP_1    0/1     2.4G 11n  3/34  -68  101  10.23.101.254
-----------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

----End

Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
return
• Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 security-profile name wds-security
  security wpa2 psk pass-phrase %^%#n}5+DgC3wLB.hJ34j5;*QMv<8"9#{Bq@ghBI3L9K%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 wds-whitelist-profile name wds-list1
  peer-ap mac dcd2-fc04-b500
 wds-whitelist-profile name wds-list2
  peer-ap mac dcd2-fc96-e4c0
 wds-profile name wds-leaf
  security-profile wds-security
  vlan tagged 101
  wds-name wlan-wds
 wds-profile name wds-root
  security-profile wds-security
  vlan tagged 101
  wds-name wlan-wds
  wds-mode root
 regulatory-domain-profile name default
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   wds-profile wds-root
   wds-whitelist-profile wds-list1
 ap-group name ap-group2
  radio 0
   wds-profile wds-root
   wds-whitelist-profile wds-list2
  radio 1
   wds-profile wds-leaf
 ap-group name ap-group3
  radio 0
   vap-profile wlan-net wlan 3
  radio 1
   wds-profile wds-leaf
 ap-id 1 type-id 39 ap-mac 60de-4474-9640 ap-sn 210235554710CB000042
  ap-name AP_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 40mhz-plus 157
   coverage distance 4
 ap-id 2 type-id 39 ap-mac dcd2-fc04-b500 ap-sn 210235555310CC000094
  ap-name AP_2
  ap-group ap-group2
  radio 0
   frequency 5g
   channel 40mhz-plus 149
   eirp 127
   coverage distance 4
  radio 1
   channel 40mhz-plus 157
   eirp 127
   coverage distance 4
 ap-id 3 type-id 39 ap-mac dcd2-fc96-e4c0 ap-sn 210235557610DB000046
  ap-name AP_3
  ap-group ap-group3
  radio 0
   channel 20mhz 11
   eirp 127
  radio 1
   channel 40mhz-plus 149
   coverage distance 4
#
return
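
The WDS whitelist and WDS link security settings in the AC configuration file can be checked mechanically before a change is rolled out. The following Python script is an added example, not part of this document's procedure or of any Huawei tool: it reads the wlan section by keyword and reports root WDS radios with no whitelist bound, whitelist peers that are not configured APs, and WDS profiles whose security profile is not WPA2. The function names, the <cipher> placeholder and the BAD sample are constructed for illustration, and a WDS profile without a wds-mode line is assumed to be a leaf, as in the configuration file above.

```python
# Added example: audit the WDS settings in the wlan section of an AC configuration file.

# Constructed sample: the WDS-related lines of the AC configuration file on this page,
# with the encrypted passphrase replaced by the placeholder <cipher>.
GOOD = """\
wlan
 security-profile name wds-security
  security wpa2 psk pass-phrase <cipher> aes
 wds-whitelist-profile name wds-list1
  peer-ap mac dcd2-fc04-b500
 wds-whitelist-profile name wds-list2
  peer-ap mac dcd2-fc96-e4c0
 wds-profile name wds-leaf
  security-profile wds-security
 wds-profile name wds-root
  security-profile wds-security
  wds-mode root
 ap-group name ap-group1
  radio 1
   wds-profile wds-root
   wds-whitelist-profile wds-list1
 ap-group name ap-group2
  radio 0
   wds-profile wds-root
   wds-whitelist-profile wds-list2
  radio 1
   wds-profile wds-leaf
 ap-group name ap-group3
  radio 1
   wds-profile wds-leaf
 ap-id 1 type-id 39 ap-mac 60de-4474-9640
 ap-id 2 type-id 39 ap-mac dcd2-fc04-b500
 ap-id 3 type-id 39 ap-mac dcd2-fc96-e4c0
"""

# Constructed faulty variant: whitelist unbound from the root radio of ap-group2, a
# mistyped peer MAC in wds-list1, and the WDS link policy changed to mixed WPA-WPA2.
BAD = (GOOD.replace("   wds-whitelist-profile wds-list2\n", "")
           .replace("peer-ap mac dcd2-fc04-b500", "peer-ap mac dcd2-fc04-b5ff")
           .replace("security wpa2 psk", "security wpa-wpa2 psk"))


def parse(text):
    """Collect WDS-related objects. Matching is by keyword, so indentation is optional."""
    cfg = {"sec": {}, "wl": {}, "wds": {}, "radios": {}, "ap_macs": set()}
    ctx, radio = (None, None), None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if len(w) == 3 and w[1] == "name":            # "<kind> name <x>" opens a definition
            ctx, radio = (w[0], w[2]), None
            if w[0] == "security-profile":
                cfg["sec"][w[2]] = None
            elif w[0] == "wds-whitelist-profile":
                cfg["wl"][w[2]] = set()
            elif w[0] == "wds-profile":               # assumption: no wds-mode line means leaf
                cfg["wds"][w[2]] = {"mode": "leaf", "sec": None}
        elif w[0] == "ap-id":
            ctx, radio = ("ap-id", w[1]), None
            if "ap-mac" in w[:-1]:
                cfg["ap_macs"].add(w[w.index("ap-mac") + 1].lower())
        elif w[0] == "radio" and len(w) == 2 and ctx[0] in ("ap-group", "ap-id"):
            radio = cfg["radios"].setdefault((ctx[0], ctx[1], w[1]), {})
        elif radio is not None and len(w) == 2 and w[0] in ("wds-profile", "wds-whitelist-profile"):
            radio[w[0]] = w[1]                        # profile bound to this radio
        elif ctx[0] == "security-profile" and w[0] == "security" and len(w) > 1:
            cfg["sec"][ctx[1]] = w[1]                 # policy keyword, e.g. wpa2 or wpa-wpa2
        elif ctx[0] == "wds-whitelist-profile" and w[:2] == ["peer-ap", "mac"] and len(w) == 3:
            cfg["wl"][ctx[1]].add(w[2].lower())
        elif ctx[0] == "wds-profile" and w[0] == "wds-mode" and len(w) == 2:
            cfg["wds"][ctx[1]]["mode"] = w[1]
        elif ctx[0] == "wds-profile" and w[0] == "security-profile" and len(w) == 2:
            cfg["wds"][ctx[1]]["sec"] = w[1]
    return cfg


def audit(text):
    """Return a list of findings; an empty list means all three checks passed."""
    c = parse(text)
    findings = []
    # 1. WDS links are planned with WPA2+PSK+AES on this page.
    for name, prof in sorted(c["wds"].items()):
        policy = c["sec"].get(prof["sec"])
        if policy != "wpa2":
            findings.append(f"wds-profile {name}: security profile {prof['sec']} "
                            f"uses policy {policy}, expected wpa2")
    # 2. Every radio working as WDS root should restrict its peers with a whitelist.
    for (kind, owner, rid), r in sorted(c["radios"].items()):
        prof = c["wds"].get(r.get("wds-profile"))
        if prof and prof["mode"] == "root" and not r.get("wds-whitelist-profile"):
            findings.append(f"{kind} {owner} radio {rid}: root WDS radio has no wds-whitelist-profile")
    # 3. Whitelisted peers should be APs that are actually imported on the AC.
    for name, macs in sorted(c["wl"].items()):
        for mac in sorted(macs - c["ap_macs"]):
            findings.append(f"wds-whitelist-profile {name}: peer {mac} is not a configured AP")
    return findings


if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(text) or "no findings")
```
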

4.3.13 Example for Configuring Back-to-Back WDS


Service Requirements
On some enterprise networks, wired network deployment is restricted by construction
conditions. When obstacles exist between two networks or the distance between them is long,
APs cannot all be connected to the AC in wired mode. Back-to-back wireless distribution
system (WDS) technology can cascade APs in wired mode as trunk bridges. This networking
ensures sufficient bandwidth on wireless links for long distance data transmission.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_A) functions as a DHCP server to assign IP
addresses to STAs.
• Wireless backhaul mode: WDS back-to-back
• Backhaul radio: 5 GHz radio


Figure 4-23 Networking for configuring back-to-back WDS

Data Planning

Table 4-24 AP data planning


AP Name    Type        MAC Address
AP_1       AP8130DN    dcd2-fcf6-76a0
AP_2       AP8130DN    60de-4474-9640
AP_3       AP8130DN    dcd2-fc04-b500
AP_4       AP8130DN    60de-4476-e360


Table 4-25 AC data planning


Item                                Data

Management VLAN for APs             VLAN 100

Service VLAN for STAs               VLAN 101

DHCP server                         The AC functions as a DHCP server to assign IP
                                    addresses to APs, and Switch_A functions as a DHCP
                                    server to assign IP addresses to STAs.

IP address pool for APs             10.23.100.2-10.23.100.254/24

IP address pool for STAs            10.23.101.3-10.23.101.254/24

IP address of the AC's source       VLANIF 100: 10.23.100.1/24
interface

WDS profile                         • wds-net1 (WDS profile used by AP_1): WDS mode
                                      root, referenced WDS whitelist wds-list1,
                                      permitting access only from AP_2
                                    • wds-net2 (WDS profile used by AP_3): WDS mode
                                      root, referenced WDS whitelist wds-list2,
                                      permitting access only from AP_4
                                    • wds-net3 (WDS profile used by AP_2 and AP_4):
                                      referencing no WDS whitelist

WDS role                            • AP_1: root
                                    • AP_2: leaf
                                    • AP_3: root
                                    • AP_4: leaf

WDS name                            wds-net

WDS whitelist                       • wds-list1: contains MAC address of AP_2 and is
                                      bound to AP_1
                                    • wds-list2: contains MAC address of AP_4 and is
                                      bound to AP_3

Radio used by WDS                   Radio 1 (AP_1 and AP_2):
                                    • Bandwidth: 40 MHz-plus
                                    • Channel: 157
                                    • Radio coverage distance parameter: 4 (unit: 100 m)
                                    Radio 1 (AP_3 and AP_4):
                                    • Bandwidth: 40 MHz-plus
                                    • Channel: 149
                                    • Radio coverage distance parameter: 4 (unit: 100 m)

Security profile                    • Name: wds-sec
                                    • Security policy: WPA2+PSK+AES
                                    • Password type: PASS-PHRASE
                                    • Password: a1234567

AP group                            • wds-root1: AP_1
                                    • wds-root2: AP_3
                                    • wds-leaf1: AP_2
                                    • wds-leaf2: AP_4. If a wired interface of AP_4 is
                                      connected to a Layer 2 network, a wired port
                                      profile needs to be configured for AP_4.
                                      Therefore, AP_2 and AP_4 are added to two
                                      separate AP groups.

Configuration Roadmap
1. Configure WDS links in Area A and Area B so that AP_1 and AP_2 can go online on the
AC.
2. Configure Switch_C to enable AP_2 and AP_3 to communicate through the wired
network.
3. Configure WDS links in Area B and Area C so that AP_4 can go online on the AC.
4. Configure wired interfaces on AP_4 to enable wired users connected to AP_4 to access
the network.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit

# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit

# Configure the access switch Switch_C. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 and VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 to 101
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/1] quit
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit


Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Configure GE0/0/1 of the AC to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 to 101
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure Switch_A as a DHCP server to assign IP addresses to STAs from an interface
address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] quit

# Enable the DHCP function on the AC to allow it to assign IP addresses to APs from an
interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 4 Configure the AP groups, country code, and AC's source interface.
# Create AP group wds-root1 and AP group wds-root2 for root APs and AP group wds-leaf1
and AP group wds-leaf2 for leaf APs.
[AC] wlan
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-leaf2] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Add AP_1 to AP group wds-root1, AP_3 to AP group wds-root2, AP_2 to AP group wds-leaf1,
and AP_4 to AP group wds-leaf2.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac dcd2-fcf6-76a0
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group wds-root1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4474-9640
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group wds-leaf1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fc04-b500
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group wds-root2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 4 ap-mac 60de-4476-e360
[AC-wlan-ap-4] ap-name AP_4
[AC-wlan-ap-4] ap-group wds-leaf2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-4] quit

Step 5 Configure WDS service parameters.

# Configure radio parameters for WDS nodes. This example uses radio 1 of the AP8130DN.
The coverage distance parameter sets the radio coverage distance. By default, the radio
coverage distance parameter is 3 (unit: 100 meters). This example sets the radio coverage
distance parameter to 4. You can configure the parameter according to actual situations.


NOTE

On a WDS network, radios used to create WDS links must work on the same channel.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] radio 1
[AC-wlan-group-radio-wds-root1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-root1/1] coverage distance 4
[AC-wlan-group-radio-wds-root1/1] quit
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] radio 1
[AC-wlan-group-radio-wds-root2/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-root2/1] coverage distance 4
[AC-wlan-group-radio-wds-root2/1] quit
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] radio 1
[AC-wlan-group-radio-wds-leaf1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-leaf1/1] coverage distance 4
[AC-wlan-group-radio-wds-leaf1/1] quit
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] radio 1
[AC-wlan-group-radio-wds-leaf2/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-leaf2/1] coverage distance 4
[AC-wlan-group-radio-wds-leaf2/1] quit
[AC-wlan-ap-group-wds-leaf2] quit

# Configure the security profile wds-sec used by WDS links. The profile wds-sec supports the
security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name wds-sec
[AC-wlan-sec-prof-wds-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wds-sec] quit

# Configure the WDS whitelist. Configure the WDS whitelist wds-list1 bound to AP_1 to
permit access only from AP_2. Configure the WDS whitelist wds-list2 bound to AP_3 to
permit access only from AP_4.
[AC-wlan-view] wds-whitelist-profile name wds-list1
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac 60de-4474-9640
[AC-wlan-wds-whitelist-wds-list1] quit
[AC-wlan-view] wds-whitelist-profile name wds-list2
[AC-wlan-wds-whitelist-wds-list2] peer-ap mac 60de-4476-e360
[AC-wlan-wds-whitelist-wds-list2] quit

# Configure the WDS profile wds-net1. Set the WDS name to wds-net and WDS mode to
root. Apply the security profile wds-sec and allow packets from service VLAN 101 to pass
through in tagged mode.
[AC-wlan-view] wds-profile name wds-net1
[AC-wlan-wds-prof-wds-net1] wds-name wds-net
[AC-wlan-wds-prof-wds-net1] wds-mode root
[AC-wlan-wds-prof-wds-net1] security-profile wds-sec
[AC-wlan-wds-prof-wds-net1] vlan tagged 101
[AC-wlan-wds-prof-wds-net1] quit

# Configure the WDS profile wds-net2. Set the WDS name to wds-net and WDS mode to
root. Apply the security profile wds-sec and allow packets from service VLAN 101 to pass
through in tagged mode.
[AC-wlan-view] wds-profile name wds-net2
[AC-wlan-wds-prof-wds-net2] wds-name wds-net
[AC-wlan-wds-prof-wds-net2] wds-mode root
[AC-wlan-wds-prof-wds-net2] security-profile wds-sec
[AC-wlan-wds-prof-wds-net2] vlan tagged 101
[AC-wlan-wds-prof-wds-net2] quit

# Configure the WDS profile wds-net3. Set the WDS name to wds-net and WDS mode to
leaf. Bind the security profile wds-sec to the WDS profile, allowing packets from service
VLAN 101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-net3
[AC-wlan-wds-prof-wds-net3] wds-name wds-net
[AC-wlan-wds-prof-wds-net3] wds-mode leaf
[AC-wlan-wds-prof-wds-net3] security-profile wds-sec
[AC-wlan-wds-prof-wds-net3] vlan tagged 101
[AC-wlan-wds-prof-wds-net3] quit

# Bind the WDS whitelist wds-list1 to radio 1 in AP group wds-root1 to permit access only
from AP_2. Bind the WDS whitelist wds-list2 to radio 1 in AP group wds-root2 to permit
access only from AP_4.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] radio 1
[AC-wlan-group-radio-wds-root1/1] wds-whitelist-profile wds-list1
[AC-wlan-group-radio-wds-root1/1] quit
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] radio 1
[AC-wlan-group-radio-wds-root2/1] wds-whitelist-profile wds-list2
[AC-wlan-group-radio-wds-root2/1] quit
[AC-wlan-ap-group-wds-root2] quit

Step 6 Configure the wired port profile used by the wired interfaces on AP_4 and set the wired
interface mode to endpoint. In this example, the PVID of the wired interface is set to VLAN
101 and the wired interface is added to VLAN 101 in tagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] mode endpoint
Warning: If the AP goes online through a wired port, the incorrect port mode configuration will cause the AP to go out of management. This fault can be recovered only by modifying the configuration on the AP. Continue? [Y/N]:y
[AC-wlan-wired-port-wired-port] vlan pvid 101
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit

Step 7 Bind required profiles to the AP groups to make WDS services take effect.
# Configure the AP group wds-root1 and bind the WDS profile wds-net1 to the group.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] wds-profile wds-net1 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-root1] quit

# Configure the AP group wds-root2 and bind the WDS profile wds-net2 to the group.
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] wds-profile wds-net2 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-root2] quit

# Configure the AP group wds-leaf1 and bind the WDS profile wds-net3 to the group.
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] wds-profile wds-net3 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-leaf1] quit

# Configure the AP group wds-leaf2, and bind the WDS profile wds-net3 and wired port
profile wired-port to the group.
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] wds-profile wds-net3 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-leaf2] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-wds-leaf2] quit
[AC-wlan-view] quit
[AC] quit

Step 8 Verify the configuration.


# After the configuration is complete, run the display ap all command to check whether WDS
nodes go online successfully. If State is displayed as nor, APs have gone online successfully.
<AC> display ap all
Total AP information:
nor : normal [4]
--------------------------------------------------------------------------------------
ID  MAC            Name Group     IP            Type     State STA Uptime
--------------------------------------------------------------------------------------
1   60de-4474-9640 AP_1 wds-root1 10.23.100.250 AP8130DN nor   0   20M:16S
4   60de-4476-e360 AP_4 wds-leaf2 10.23.100.251 AP8130DN nor   0   17S
2   dcd2-fc04-b500 AP_2 wds-leaf1 10.23.100.253 AP8130DN nor   0   3M:55S
3   dcd2-fcf6-76a0 AP_3 wds-root2 10.23.100.252 AP8130DN nor   0   2M:55S
--------------------------------------------------------------------------------------
Total: 4

Run the display wlan wds link all command to check information about the WDS links.
<AC> display wlan wds link all
Rf   : radio ID        Dis  : coverage distance(100m)
Ch   : channel         Per  : drop percent(%)
TSNR : total SNR(dB)   P-   : peer
WDS  : WDS mode        Re   : retry ratio(%)
RSSI : RSSI(dBm)       MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName P-APName Rf Dis Ch  WDS  P-Status RSSI MaxR Per Re TSNR SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------------------
AP_1   AP_2     1  4   157 root normal   -44  -40  0   3  50   45/49/-
AP_2   AP_1     1  4   157 leaf normal   -38  -36  0   49 57   36/31/57
AP_3   AP_4     1  4   149 root normal   -11  -7   0   1  83   81/80/-
AP_4   AP_3     1  4   149 leaf normal   -4   -4   0   0  91   90/85/-
-------------------------------------------------------------------------------------------------
Total: 4

----End

Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
• Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
• Switch_C configuration file
#
sysname Switch_C
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return


• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wds-sec
security wpa2 psk pass-phrase %^%#n}5+DgC3wLB.hJ34j5;*QMv<8"9#{Bq@ghBI3L9K%^%# aes
wds-whitelist-profile name wds-list1
peer-ap mac 60de-4474-9640
wds-whitelist-profile name wds-list2
peer-ap mac 60de-4476-e360
wds-profile name wds-net1
security-profile wds-sec
vlan tagged 101
wds-name wds-net
wds-mode root
wds-profile name wds-net2
security-profile wds-sec
vlan tagged 101
wds-name wds-net
wds-mode root
wds-profile name wds-net3
security-profile wds-sec
vlan tagged 101
wds-name wds-net
regulatory-domain-profile name domain1
wired-port-profile name wired-port
mode endpoint
vlan pvid 101
vlan tagged 101
ap-group name wds-leaf1
regulatory-domain-profile domain1
radio 1
wds-profile wds-net3
channel 40mhz-plus 157
coverage distance 4
ap-group name wds-leaf2
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
wds-profile wds-net3
channel 40mhz-plus 149
coverage distance 4
ap-group name wds-root1
regulatory-domain-profile domain1
radio 1
wds-profile wds-net1
wds-whitelist-profile wds-list1
channel 40mhz-plus 157
coverage distance 4
ap-group name wds-root2
regulatory-domain-profile domain1
radio 1
wds-profile wds-net2
wds-whitelist-profile wds-list2
channel 40mhz-plus 149
coverage distance 4
ap-id 1 type-id 39 ap-mac 60de-4474-9640 ap-sn 210235554710CB000042
ap-name AP_1
ap-group wds-root1
ap-id 2 type-id 39 ap-mac dcd2-fc04-b500 ap-sn 210235555310CC000094
ap-name AP_2
ap-group wds-leaf1
ap-id 3 type-id 39 ap-mac dcd2-fcf6-76a0 ap-sn 210235419610D2000097
ap-name AP_3
ap-group wds-root2
ap-id 4 type-id 39 ap-mac 60de-4476-e360 ap-sn 210235557610DB000046
ap-name AP_4
ap-group wds-leaf2
#
return
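
The WDS whitelist only restricts access if each root radio has a whitelist bound and every permitted MAC belongs to a registered leaf AP. The following Python example is added here and is not part of the Huawei document: it parses an AC configuration listing in the flat format shown above and reports root radios that fail that cross-check. The function names, the constructed sample (MAC addresses taken from the Step 4 commands), and the rule that a WDS profile without a wds-mode line is a leaf profile are assumptions.

```python
def parse_ac_config(text):
    """Parse the wlan section of an AC configuration file; indentation is ignored."""
    cfg = {"whitelists": {}, "wds_modes": {}, "groups": {}, "aps": {}}
    ctx = name = radio = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "#":
            continue
        key = tok[0]
        if len(tok) >= 3 and tok[1] == "name":   # "<kind> name <x>" opens a section
            ctx, name, radio = key, tok[2], None
            if key == "wds-whitelist-profile":
                cfg["whitelists"][name] = []
            elif key == "wds-profile":
                # The page's listing has no wds-mode line under the leaf profile
                # wds-net3, so a profile without one is treated as leaf (assumption).
                cfg["wds_modes"][name] = "leaf"
            elif key == "ap-group":
                cfg["groups"][name] = {}
        elif key == "ap-id" and "ap-mac" in tok[:-1]:
            ctx, name = "ap-id", tok[tok.index("ap-mac") + 1].lower()
            cfg["aps"][name] = None              # AP group is filled in below
        elif len(tok) == 3 and ctx == "wds-whitelist-profile" and tok[:2] == ["peer-ap", "mac"]:
            cfg["whitelists"][name].append(tok[2].lower())
        elif len(tok) != 2:
            continue
        elif ctx == "wds-profile" and key == "wds-mode":
            cfg["wds_modes"][name] = tok[1]
        elif ctx == "ap-group" and key == "radio":
            radio = tok[1]
            cfg["groups"][name].setdefault(radio, {})
        elif ctx == "ap-group" and radio and key in ("wds-profile", "wds-whitelist-profile"):
            cfg["groups"][name][radio][key] = tok[1]
        elif ctx == "ap-id" and key == "ap-group":
            cfg["aps"][name] = tok[1]
    return cfg

def audit_wds_whitelists(cfg):
    """List root radios whose whitelist is missing or permits a non-leaf MAC."""
    def is_leaf(group):
        radios = cfg["groups"].get(group, {}).values()
        return any(cfg["wds_modes"].get(r.get("wds-profile")) == "leaf" for r in radios)
    findings = []
    for group, radios in sorted(cfg["groups"].items()):
        for radio, bound in sorted(radios.items()):
            if cfg["wds_modes"].get(bound.get("wds-profile")) != "root":
                continue
            where, wl = f"{group} radio {radio}", bound.get("wds-whitelist-profile")
            if wl not in cfg["whitelists"]:
                findings.append(f"{where}: no defined WDS whitelist is bound")
            for mac in cfg["whitelists"].get(wl, []):
                if mac not in cfg["aps"]:
                    findings.append(f"{where}: {wl} permits unregistered MAC {mac}")
                elif not is_leaf(cfg["aps"][mac]):
                    findings.append(f"{where}: {wl} permits {mac}, which is not a leaf AP")
    return findings

# Constructed sample in the page's flat listing format; AP MACs follow the
# Step 4 commands (AP_1 and AP_3 are roots, AP_2 and AP_4 are leaves).
SAMPLE = """\
wds-whitelist-profile name wds-list1
peer-ap mac 60de-4474-9640
wds-whitelist-profile name wds-list2
peer-ap mac 60de-4476-e360
wds-profile name wds-net1
wds-mode root
wds-profile name wds-net2
wds-mode root
wds-profile name wds-net3
ap-group name wds-leaf1
radio 1
wds-profile wds-net3
ap-group name wds-leaf2
radio 1
wds-profile wds-net3
ap-group name wds-root1
radio 1
wds-profile wds-net1
wds-whitelist-profile wds-list1
ap-group name wds-root2
radio 1
wds-profile wds-net2
wds-whitelist-profile wds-list2
ap-id 1 ap-mac dcd2-fcf6-76a0
ap-group wds-root1
ap-id 2 ap-mac 60de-4474-9640
ap-group wds-leaf1
ap-id 3 ap-mac dcd2-fc04-b500
ap-group wds-root2
ap-id 4 ap-mac 60de-4476-e360
ap-group wds-leaf2
"""

# Constructed faulty variant: wds-list1 names the root AP itself, and the
# whitelist binding on wds-root2 radio 1 is missing.
BAD = (SAMPLE.replace("peer-ap mac 60de-4474-9640", "peer-ap mac dcd2-fcf6-76a0")
             .replace("wds-whitelist-profile wds-list2\n", ""))
```
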


4.3.14 Example for Configuring Common Mesh Services

Service Requirements
An enterprise needs to establish Mesh wireless backhaul links in different areas to expand
wireless coverage and reduce wired deployment costs.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh portal-node
• Backhaul radio: 5 GHz radio

Figure 4-24 Networking for configuring mesh services

Data Planning

Table 4-26 AP data planning

AP        Type        MAC Address
area_1    AP8130DN    60de-4476-e360
area_2    AP8130DN    dcd2-fc04-b500
area_3    AP8130DN    60de-4474-9640

Table 4-27 AC data planning

Item                           Data
Management VLAN for APs        VLAN 100
DHCP server                    The AC functions as a DHCP server to assign IP addresses to
                               APs, and Switch_A functions as a DHCP server to assign IP
                               addresses to STAs.
IP address pool for APs        10.23.100.2-10.23.100.254/24
AC's source interface          VLANIF 100: 10.23.100.1/24
Mesh profile name              Name: mesh-net
Mesh role                      • area_1: Mesh-portal (MPP)
                               • area_2: Mesh-node (MP)
                               • area_3: Mesh-node (MP)
Mesh ID                        Name: mesh-net
Mesh whitelist                 Name: mesh-list
AP system profile              Name: mesh-sys
Radio used by Mesh services    Radio 1:
                               • Bandwidth: 40 MHz-plus
                               • Channel: 157
                               • Radio coverage distance parameter: 4 (unit: 100 m)
Security profile               • Name: mesh-sec
                               • Security policy: WPA2+PSK+AES
                               • Password type: PASS-PHRASE
                               • Password: a1234567
AP group                       • mesh-mpp: area_1
                               • mesh-mp: area_2 and area_3

Configuration Roadmap
1. Configure network connectivity and enable the AP (MPP) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B and Area C to go online on the
AC through Mesh links.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on Switch_A to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Configure GE0/0/1 of the AC to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP server to assign IP addresses to APs.


# Enable DHCP on the AC and configure the AC to assign IP addresses to APs through an
interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 4 Configure the AP groups, country code, and AC's source interface.
# Create AP groups for MPPs and MPs respectively and add APs that require the same
configuration to the same group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Add area_1 to the AP group mesh-mpp and area_2 and area_3 to the AP group mesh-mp.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e360
[AC-wlan-ap-1] ap-name area_1
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name area_2
[AC-wlan-ap-2] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 60de-4474-9640
[AC-wlan-ap-3] ap-name area_3
[AC-wlan-ap-3] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit

Step 5 Configure Mesh parameters.


# Configure radio parameters for Mesh nodes. Radio 1 of the AP8130DN is used as an
example. The coverage distance parameter indicates the radio coverage distance, which is 3
(unit: 100 m) by default. This example sets the radio coverage distance parameter to 4. You
can configure the parameter according to your service needs.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit

# Configure the security profile mesh-sec used by Mesh links. The Mesh network supports
only the security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name mesh-sec
[AC-wlan-sec-prof-mesh-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-mesh-sec] quit

# Configure a Mesh whitelist.


[AC-wlan-view] mesh-whitelist-profile name mesh-list
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac 60de-4476-e360
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac dcd2-fc04-b500
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac 60de-4474-9640
[AC-wlan-mesh-whitelist-mesh-list] quit

# Configure Mesh roles. Set the Mesh role of area_1 to Mesh-portal. area_2 and area_3 use
the default Mesh role Mesh-node. Mesh roles are configured through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit

# Configure a Mesh profile. Set the Mesh network ID to mesh-net, aging time of Mesh links
to 30s, and bind the security profile and Mesh whitelist to the Mesh profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] link-aging-time 30
[AC-wlan-mesh-prof-mesh-net] security-profile mesh-sec
[AC-wlan-mesh-prof-mesh-net] quit

# Bind the Mesh whitelist profile to AP radios.


[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile mesh-list
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] mesh-whitelist-profile mesh-list
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit

Step 6 Bind required profiles to the AP groups to make Mesh services take effect.

# Bind the AP wired port profile wired-port to AP groups mesh-mpp and mesh-mp to make
AP wired port parameters take effect on Mesh nodes. This example assumes that all APs
connect to Switch_B through GE0.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mp] quit

# Bind the AP system profile mesh-sys to the AP group mesh-mpp to make the MPP role
take effect on area_1.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] quit

# Bind the Mesh profile mesh-net to AP groups mesh-mpp and mesh-mp to make Mesh
services take effect.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit
[AC] quit

Step 7 Verify the Mesh service configuration.

# After the configuration is complete, run the display ap all command to check whether Mesh
nodes go online successfully. If State is displayed as nor, APs have gone online successfully.
<AC> display ap all
Total AP information:
nor : normal [3]
------------------------------------------------------------------------------------------
ID  MAC            Name   Group    IP            Type     State STA Uptime
------------------------------------------------------------------------------------------
1   60de-4476-e360 area_1 mesh-mpp 10.23.100.254 AP8130DN nor   0   13M:45S
2   dcd2-fc04-b500 area_2 mesh-mp  10.23.100.251 AP8130DN nor   0   5M:22S
3   60de-4474-9640 area_3 mesh-mp  10.23.100.253 AP8130DN nor   0   4M:14S
------------------------------------------------------------------------------------------
Total: 3

# After Mesh services take effect, run the display wlan mesh link all command to check
Mesh link information.

<AC> display wlan mesh link all
Rf   : radio ID        Dis  : coverage distance(100m)
Ch   : channel         Per  : drop percent(%)
TSNR : total SNR(dB)   P-   : peer
Mesh : Mesh mode       Re   : retry ratio(%)
RSSI : RSSI(dBm)       MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   Mesh    P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------------------
area_1  area_2    1   4    157  portal  normal    -30   -27   0    12  67    62/65/-
area_1  area_3    1   4    157  portal  normal    -26   -24   0    12  71    67/68/-
area_3  area_2    1   4    157  node    normal    -19   -3    0    5   77    66/76/-
area_3  area_1    1   4    157  node    normal    -32   -4    0    26  64    55/63/-
area_2  area_1    1   4    157  node    normal    -32   -4    0    12  64    62/61/-
area_2  area_3    1   4    157  node    normal    -14   -12   0    4   82    71/82/-
-------------------------------------------------------------------------------------------------
Total: 6

----End

Configuration Files
• Configuration file of the Switch_A
#
sysname Switch_A
#
vlan batch 100
#
dhcp enable
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• Configuration file of the Switch_B
#
sysname Switch_B
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#

interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• Configuration file of the AC
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name mesh-sec
security wpa2 psk pass-phrase %^%#n}5+DgC3wLB.hJ34j5;*QMv<8"9#{Bq@ghBI3L9K%^%# aes
mesh-whitelist-profile name mesh-list
peer-ap mac 60de-4476-e360
peer-ap mac dcd2-fc04-b500
peer-ap mac 60de-4474-9640
mesh-profile name mesh-net
security-profile mesh-sec
mesh-id mesh-net
link-aging-time 30
regulatory-domain-profile name domain1
ap-system-profile name mesh-sys
mesh-role Mesh-portal
ap-group name mesh-mp
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-group name mesh-mpp
ap-system-profile mesh-sys
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-id 1 type-id 39 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group mesh-mpp
ap-id 2 type-id 39 ap-mac dcd2-fc04-b500 ap-sn 210235557610DB000046
ap-name area_2
ap-group mesh-mp
ap-id 3 type-id 39 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_3
ap-group mesh-mp
#
return

4.3.15 Example for Configuring Dual-MPP Mesh Services

Service Requirements
If an enterprise needs to provide wireless network access services for different areas, multiple
Mesh Portal Points (MPPs) can be configured to work on different channels. This can reduce
MP contention for wireless channels, thus improving coverage performance.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul node: dual Mesh portal-node
• Backhaul radio: 5 GHz radio

Figure 4-25 Networking for configuring dual-MPP Mesh services

Data Planning

Table 4-28 AP data planning

AP Name   Type       MAC Address
AP_1      AP8130DN   60de-4474-9640
AP_2      AP8130DN   dcd2-fc04-b500
AP_3      AP8130DN   dcd2-fc96-e4c0
AP_4      AP8130DN   1047-80ac-cc60

Table 4-29 AC data planning

Item                          Data
Management VLAN for APs       VLAN 100
DHCP server                   The AC functions as a DHCP server to assign IP addresses to APs.
IP address pool for APs       10.23.100.2-10.23.100.254/24
AC's source interface         VLANIF 100: 10.23.100.1/24
Mesh profile                  • Name: mesh-net
                              • Aging time of Mesh links: 30 (unit: s)
Mesh role                     • AP_1: Mesh-portal (MPP)
                              • AP_2: Mesh-portal (MPP)
                              • AP_3: Mesh-node (MP)
                              • AP_4: Mesh-node (MP)
Mesh ID                       Name: mesh-net
Mesh whitelist                Name: mesh-list
Regulatory domain profile     • Name: default
                              • Country code: CN
AP system profile             Name: mesh-sys
Radio used by Mesh services   Radio 1:
                              • Bandwidth: 40 MHz-plus
                              • Channel: 157
                              • Radio coverage distance parameter: 4 (unit: 100 m)
Security profile              • Name: mesh-sec
                              • Security policy: WPA2+PSK+AES
                              • Password type: PASS-PHRASE
                              • Password: a1234567
AP group                      • mesh-mpp: AP_1 and AP_2
                              • mesh-mp: AP_3 and AP_4

Configuration Roadmap
1. Configure network connectivity and enable APs (MPPs) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B to go online on the AC through
Mesh links.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• During the configuration of a Mesh network with multiple MPPs, to enable MPs to set
up wireless links with multiple MPPs simultaneously, configure the MPPs to work on the
same channel.
• On a Mesh network, radios of APs with 802.11ac chips can interconnect only with radios
of neighbors with 802.11ac chips, and radios of APs with 802.11n chips can interconnect
only with radios of neighbors with 802.11n chips. Table 4-30 lists types of chips used by
AP models.

Table 4-30 Chips used by AP radios

AP Model Radio 0 Radio 1 Radio 2

R250D-E Mesh not supported Mesh not supported N/A

R250D Mesh not supported Mesh not supported N/A

R240D Mesh not supported Mesh not supported N/A

R230D Mesh not supported Mesh not supported N/A

AP9330DN Mesh not supported Mesh not supported N/A

AP9132DN 802.11n 802.11ac N/A

AP9131DN 802.11n 802.11ac N/A

AP9130DN 802.11ac 802.11ac N/A

AP8150DN 802.11ac 802.11ac N/A

AP8130DN-W 802.11ac 802.11ac N/A

AP8130DN 802.11ac 802.11ac N/A

AP8050DN-S 802.11ac 802.11ac N/A

AP8050DN 802.11ac 802.11ac N/A

AP8030DN 802.11ac 802.11ac N/A

AP7110SN-GN 802.11n N/A N/A

AP7110DN-AGN 802.11n 802.11n N/A

AP7050DN-E 802.11ac 802.11ac N/A

AP7050DE 802.11ac 802.11ac N/A

AP7030DE Mesh not supported Mesh not supported N/A

AP6610DN-AGN 802.11n 802.11n N/A

AP6510DN-AGN 802.11n 802.11n N/A

AP6310SN-GN Mesh not supported N/A N/A

AP6150DN 802.11ac 802.11ac N/A

AP6050DN 802.11ac 802.11ac N/A

AP6010SN-GN 802.11n N/A N/A

AP6010DN-AGN 802.11n 802.11n N/A

AP5130DN 802.11n 802.11ac N/A

AP5030DN 802.11n 802.11ac N/A

AP5010SN-GN 802.11n N/A N/A

AP5010DN-AGN 802.11n 802.11n N/A

AP4151DN 802.11ac 802.11ac N/A

AP4130DN 802.11n 802.11ac N/A

AP4051DN 802.11ac 802.11ac N/A

AP4050DN-HD 802.11ac 802.11ac N/A

AP4050DN-E 802.11ac 802.11ac N/A

AP4050DN-S 802.11ac 802.11ac N/A

AP4050DN 802.11ac 802.11ac N/A

AP4030TN 802.11n 802.11ac Mesh not supported

AP4030DN 802.11n 802.11ac N/A

AP2050DN-E Mesh not supported Mesh not supported N/A

AP2050DN Mesh not supported Mesh not supported N/A

AP2030DN Mesh not supported Mesh not supported N/A

AP2010DN Mesh not supported Mesh not supported N/A

AD9430DN-24 Mesh not supported Mesh not supported N/A

AD9430DN-12 Mesh not supported Mesh not supported N/A

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on Switch_A to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit

# Add GE0/0/1, GE0/0/2, and GE0/0/3 on Switch_B to VLAN 100. The default VLAN of
GE0/0/1 and GE0/0/2 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] port-isolate enable
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/3
[Switch_B-GigabitEthernet0/0/3] port link-type trunk
[Switch_B-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/3] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Configure GE0/0/1 of the AC to allow packets from VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP server to assign IP addresses to APs.

# Enable DHCP on the AC and configure the AC to assign IP addresses to APs through an
interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 4 Configure the AP groups, country code, and AC's source interface.

# Create AP groups for MPPs and MPs respectively. You can add APs that require the same
configuration to the same group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Add AP_1 and AP_2 to the AP group mesh-mpp and AP_3 and AP_4 to the AP group
mesh-mp.

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fc96-e4c0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 4 ap-mac 1047-80ac-cc60
[AC-wlan-ap-4] ap-name AP_4
[AC-wlan-ap-4] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-4] quit

Step 5 Configure Mesh parameters.

# Configure radio parameters for Mesh nodes. Radio 1 of the AP8130DN is used as an
example. The radio coverage distance parameter is 3 (unit: 100 m) by default. This example
sets the radio coverage distance parameter to 4. You can configure the parameter according to
your service needs.
NOTE

During the configuration of a Mesh network with multiple MPPs, to enable MPs to set up wireless links with
multiple MPPs simultaneously, configure the MPPs to work on the same channel.

[AC-wlan-view] ap-group name mesh-mpp


[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit

# Configure the security profile mesh-sec used by Mesh links. The profile mesh-sec supports
the security policy WPA2+PSK+AES.

[AC-wlan-view] security-profile name mesh-sec


[AC-wlan-sec-prof-mesh-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-mesh-sec] quit

# Configure a Mesh whitelist.


[AC-wlan-view] mesh-whitelist-profile name mesh-list
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac 60de-4474-9640
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac dcd2-fc04-b500
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac dcd2-fc96-e4c0
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac 1047-80ac-cc60
[AC-wlan-mesh-whitelist-mesh-list] quit

# Configure Mesh roles. Set Mesh roles of AP_1 and AP_2 to Mesh-portal. AP_3 and AP_4
use the default Mesh role Mesh-node. Mesh roles are configured through the AP system
profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit

# Configure a Mesh profile. Set the Mesh network ID to mesh-net, aging time of Mesh links
to 30s, and bind the security profile to the Mesh profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] link-aging-time 30
[AC-wlan-mesh-prof-mesh-net] security-profile mesh-sec
[AC-wlan-mesh-prof-mesh-net] quit

# Bind the Mesh whitelist profile to AP radios.


[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile mesh-list
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] mesh-whitelist-profile mesh-list
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit

Step 6 Bind required profiles to the AP groups to make Mesh services take effect.
# Bind the AP wired port profile wired-port to AP groups mesh-mpp and mesh-mp to make
AP wired port parameters take effect on Mesh nodes. This example assumes that all APs
connect to Switch_B through GE0.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mp] quit

# Bind the AP system profile mesh-sys to the AP group mesh-mpp to make the MPP role
take effect on AP_1 and AP_2.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] quit

# Bind the Mesh profile mesh-net to AP groups mesh-mpp and mesh-mp to make Mesh
services take effect.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] mesh-profile mesh-net radio 1

[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mp] quit

Step 7 Verify the configuration.


# After the configuration is complete, run the display ap all command to check whether Mesh
nodes go online successfully. If State is displayed as nor, APs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [4]
-------------------------------------------------------------------------------------
ID   MAC            Name Group    IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
1    60de-4474-9640 AP_1 mesh-mpp 10.23.100.254 AP8130DN nor   0   5M:44S
2    dcd2-fc04-b500 AP_2 mesh-mpp 10.23.100.253 AP8130DN nor   0   6M:15S
3    dcd2-fc96-e4c0 AP_3 mesh-mp  10.23.100.252 AP8130DN nor   0   1M:35S
4    1047-80ac-cc60 AP_4 mesh-mp  10.23.100.251 AP8130DN nor   0   3M:56S
-------------------------------------------------------------------------------------
Total: 4

# After dual-MPP Mesh services take effect, run the display wlan mesh link all command to
check Mesh link information.
[AC-wlan-view] display wlan mesh link all
Rf   : radio ID        Dis  : coverage distance(100m)
Ch   : channel         Per  : drop percent(%)
TSNR : total SNR(dB)   P-   : peer
Mesh : Mesh mode       Re   : retry ratio(%)
RSSI : RSSI(dBm)       MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   Mesh    P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------------------
AP_1    AP_4      1   4    157  portal  normal    -28   -27   0    25  70    62/69/-
AP_1    AP_3      1   4    157  portal  normal    -18   -2    0    0   78    73/77/-
AP_2    AP_4      1   4    157  portal  normal    -17   -16   0    52  80    57/49/80
AP_2    AP_3      1   4    157  portal  normal    -24   -21   0    0   72    58/54/72
AP_4    AP_1      1   4    157  node    normal    -29   -29   0    0   65    64/58/-
AP_4    AP_2      1   4    157  node    normal    -21   -19   0    10  76    76/64/-
AP_4    AP_3      1   4    157  node    normal    -7    -1    0    0   89    88/82/-
AP_3    AP_2      1   4    157  node    normal    -35   -32   0    35  61    51/60/-
AP_3    AP_1      1   4    157  node    normal    -27   -23   0    0   70    68/66/-
AP_3    AP_4      1   4    157  node    normal    -13   -11   0    23  83    80/81/-
-------------------------------------------------------------------------------------------------
Total: 10

# Run the display wlan mesh route all command to check Mesh routes on the Mesh network.
[AC-wlan-view] display wlan mesh route all
--------------------------------------------------------------------------
AP name/MAC/Mesh role/Radio          Next-hop name/MAC/Mesh role/Radio
--------------------------------------------------------------------------
AP_4 /1047-80ac-cc60/MP /1           AP_2 /dcd2-fc04-b500/MPP/1
AP_3 /dcd2-fc96-e4c0/MP /1           AP_4 /1047-80ac-cc60/MP /1
--------------------------------------------------------------------------
Total: 2

# When the link between AP_2 and AC is faulty, AP_2 automatically changes to an MP and
goes online through Mesh links. Run the display wlan mesh route all command. The
command output shows that AP_2, AP_3, and AP_4 go online on AP_1.
[AC-wlan-view] display wlan mesh route all
--------------------------------------------------------------------------
AP name/MAC/Mesh role/Radio Next-hop name/MAC/Mesh role/Radio
--------------------------------------------------------------------------
AP_4 /1047-80ac-cc60/MP /1 AP_1 /60de-4474-9640/MPP/1
AP_2 /dcd2-fc04-b500/MP /1 AP_4 /1047-80ac-cc60/MP /1
AP_3 /dcd2-fc96-e4c0/MP /1 AP_1 /60de-4474-9640/MPP/1
--------------------------------------------------------------------------
Total: 3

----End

Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC

#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name mesh-sec
security wpa2 psk pass-phrase %^%#WXq~51G1^G;~|`C\G$v-`XoiIe4z$CNAM#@TeN^+%^%# aes
mesh-whitelist-profile name mesh-list
peer-ap mac 60de-4474-9640
peer-ap mac dcd2-fc04-b500
peer-ap mac dcd2-fc96-e4c0
peer-ap mac 1047-80ac-cc60
mesh-profile name mesh-net
security-profile mesh-sec
mesh-id mesh-net
link-aging-time 30
regulatory-domain-profile name domain1
ap-system-profile name mesh-sys
mesh-role Mesh-portal
ap-group name mesh-mp
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-group name mesh-mpp
ap-system-profile mesh-sys
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-id 1 ap-mac 60de-4474-9640
ap-name AP_1
ap-group mesh-mpp
ap-id 2 ap-mac dcd2-fc04-b500
ap-name AP_2
ap-group mesh-mpp
ap-id 3 ap-mac dcd2-fc96-e4c0
ap-name AP_3
ap-group mesh-mp
ap-id 4 ap-mac 1047-80ac-cc60
ap-name AP_4
ap-group mesh-mp
#
return
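
The following script is an added example, not part of the Huawei documentation or device software. It audits the wlan section of a saved AC configuration file like the one above: every radio that carries a Mesh profile must have a Mesh whitelist bound, the whitelist must match the AP inventory, and the Mesh security profile must match the planned WPA2+PSK+AES policy. Assumptions: a single whitelist shared by all Mesh radios lists every Mesh AP (as in this example), the function names are hypothetical, and the sample input is constructed from the configuration above with two defects introduced on purpose.

```python
# Added example: audit Mesh whitelist and security-profile consistency in the
# wlan section of a saved AC configuration. Indentation is ignored, so the
# flattened form printed in this document parses the same way.

# Constructed sample. Defects added on purpose: AP_4's MAC is replaced in the
# whitelist by the made-up address 00e0-fc00-0001, and AP group mesh-mp has no
# whitelist bound to radio 1. The ciphertext is a placeholder.
SAMPLE = """\
wlan
 security-profile name mesh-sec
  security wpa2 psk pass-phrase %^%#constructed-ciphertext%^%# aes
 mesh-whitelist-profile name mesh-list
  peer-ap mac 60de-4474-9640
  peer-ap mac dcd2-fc04-b500
  peer-ap mac dcd2-fc96-e4c0
  peer-ap mac 00e0-fc00-0001
 mesh-profile name mesh-net
  security-profile mesh-sec
 ap-group name mesh-mp
  radio 1
   mesh-profile mesh-net
 ap-group name mesh-mpp
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile mesh-list
 ap-id 1 ap-mac 60de-4474-9640
  ap-group mesh-mpp
 ap-id 2 ap-mac dcd2-fc04-b500
  ap-group mesh-mpp
 ap-id 3 ap-mac dcd2-fc96-e4c0
  ap-group mesh-mp
 ap-id 4 ap-mac 1047-80ac-cc60
  ap-group mesh-mp
#
"""

KINDS = {"security-profile": "sec", "mesh-whitelist-profile": "wl",
         "mesh-profile": "mesh", "ap-group": "group"}


def parse_wlan(text):
    """Collect security profiles, whitelists, Mesh profiles, radios and APs."""
    cfg = {"sec": {}, "wl": {}, "mesh": {}, "radios": {}, "aps": {}}
    in_wlan, ctx, key, group = False, None, None, None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w in (["wlan"], ["#"]):               # "#" closes a top-level view
            in_wlan, ctx, group = (w == ["wlan"]), None, None
        elif not in_wlan:
            continue
        elif len(w) == 3 and w[1] == "name":     # profile or AP group definition
            ctx, key = KINDS.get(w[0]), w[2]
            group = key if ctx == "group" else None
            if ctx in ("sec", "wl", "mesh"):
                cfg[ctx][key] = {"sec": "", "wl": set(), "mesh": None}[ctx]
        elif w[0] == "ap-id" and "ap-mac" in w[:-1]:
            ctx, key, group = "ap", w[w.index("ap-mac") + 1].lower(), None
            cfg["aps"][key] = None               # AP group is filled in below
        elif w[0] == "radio" and len(w) == 2 and group:
            ctx, key = "radio", (group, w[1])
            cfg["radios"][key] = {}
        elif ctx == "sec" and w[0] == "security":
            cfg["sec"][key] = " ".join(w)
        elif ctx == "wl" and w[:2] == ["peer-ap", "mac"] and len(w) == 3:
            cfg["wl"][key].add(w[2].lower())
        elif ctx == "mesh" and w[0] == "security-profile" and len(w) == 2:
            cfg["mesh"][key] = w[1]
        elif (ctx == "radio" and len(w) == 2
              and w[0] in ("mesh-profile", "mesh-whitelist-profile")):
            cfg["radios"][key][w[0]] = w[1]
        elif ctx == "ap" and w[0] == "ap-group" and len(w) == 2:
            cfg["aps"][key] = w[1]
    return cfg


def audit_mesh(cfg):
    """Return (finding, location) tuples; an empty list means consistent."""
    findings, mesh_groups, bound_wl = [], set(), set()
    for (group, radio), bound in sorted(cfg["radios"].items()):
        mesh = bound.get("mesh-profile")
        if mesh is None:
            continue                             # radio carries no Mesh service
        mesh_groups.add(group)
        where = f"{group}/radio {radio}"
        policy = cfg["sec"].get(cfg["mesh"].get(mesh), "")
        if not {"wpa2", "psk", "aes"} <= set(policy.split()):
            findings.append(("policy-mismatch", where))
        wl = bound.get("mesh-whitelist-profile")
        if wl in cfg["wl"]:
            bound_wl.add(wl)
        else:
            findings.append(("no-whitelist", where))
    mesh_aps = {mac for mac, grp in cfg["aps"].items() if grp in mesh_groups}
    for wl in sorted(bound_wl):
        for mac in sorted(mesh_aps - cfg["wl"][wl]):      # Mesh AP not listed
            findings.append(("ap-not-in-whitelist", f"{wl}:{mac}"))
        for mac in sorted(cfg["wl"][wl] - set(cfg["aps"])):  # peer unknown to AC
            findings.append(("unregistered-peer", f"{wl}:{mac}"))
    return findings


if __name__ == "__main__":
    for finding in audit_mesh(parse_wlan(SAMPLE)):
        print(*finding)
```
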

4.4 AP's Wired Interface Configuration Examples


4.4.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces

Service Requirements
The administrator wants to configure an Eth-Trunk on an AP's wired uplink interfaces to
ensure uplink reliability.

Networking Requirements
• AC networking mode: Layer 2 inline mode
• Service data forwarding mode: tunnel forwarding

Figure 4-26 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces

Data Planning

Table 4-31 AC data planning

Item                      Data
Management VLAN for APs   VLAN 100
AP wired port profile     • Name: wired-port1
                          • Eth-Trunk: Eth-Trunk0
AP group                  • Name: ap-group1
                          • Referenced profile: AP wired port profile wired-port1

Configuration Roadmap
1. Configure an Eth-Trunk on a switch.
2. Configure an Eth-Trunk for an AP on the AC.
3. Restart the AP.
4. Connect the switch and AP physically.

Configuration Notes
• This example is applicable to an AP with two or more wired uplink interfaces.
• This example assumes that the AP has gone online and describes how to configure an
Eth-Trunk on the wired uplink interfaces of the AP. Before physical connections,
configure the Eth-Trunk. Otherwise, a loop will occur on the network, causing the AP to
go offline.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check AP information.
Check Item                                   Command          Data
Check the AP group to which an AP belongs.   display ap all   AP group: ap-group1
                                                              AP name: AP1

Step 2 Configure an Eth-Trunk on the switch.


# Create Eth-Trunk1, and add GE0/0/1 and GE0/0/2 to Eth-Trunk1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface eth-trunk 1
[Switch-Eth-Trunk1] description Connect to AP1
[Switch-Eth-Trunk1] port link-type trunk
[Switch-Eth-Trunk1] port trunk pvid vlan 100
[Switch-Eth-Trunk1] port trunk allow-pass vlan 100
[Switch-Eth-Trunk1] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk1] port-isolate enable
[Switch-Eth-Trunk1] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] eth-trunk 1
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] eth-trunk 1
[Switch-GigabitEthernet0/0/2] quit

Step 3 Configure an Eth-Trunk for the AP on the AC.


# Configure Eth-Trunk0.
<AC6605> system-view
[AC6605] sysname AC

[AC] vlan batch 100


[AC] interface eth-trunk 0
[AC-Eth-Trunk0] description Connect to switch
[AC-Eth-Trunk0] port link-type trunk
[AC-Eth-Trunk0] port trunk allow-pass vlan 100
[AC-Eth-Trunk0] undo port trunk allow-pass vlan 1
[AC-Eth-Trunk0] quit

# Create the AP wired port profile wired-port1. Add GE0 and GE1 on the AP to Eth-Trunk0.
[AC] wlan
[AC-wlan-view] wired-port-profile name wired-port1
[AC-wlan-wired-port-wired-port1] eth-trunk 0
[AC-wlan-wired-port-wired-port1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wired-port-profile wired-port1 gigabitethernet 0
[AC-wlan-ap-group-ap-group1] wired-port-profile wired-port1 gigabitethernet 1
[AC-wlan-ap-group-ap-group1] quit

Step 4 Verify the configuration.

# Run the display wired-port-profile name wired-port1 command to check the
configuration of the AP wired port profile.
[AC-wlan-view] display wired-port-profile name wired-port1
----------------------------------------------------------------------------
Port link profile : default
Description :
Ethernet trunk ID : 0
----------------------------------------------------------------------------

Step 5 Restart the AP.


NOTE

The configuration on the AP's wired interfaces takes effect only after the AP is restarted.
[AC-wlan-view] ap-reset ap-name AP1
Warning: Reset AP(s), continue?[Y/N]:y

Step 6 Connect the switch and AP physically.

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface Eth-Trunk1
description Connect to AP1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
return

• AC configuration file

#
sysname AC
#
vlan batch 100
#
interface Eth-Trunk0
description Connect to switch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
wlan
wired-port-profile name wired-port1
eth-trunk 0
ap-group name ap-group1
wired-port-profile wired-port1 gigabitethernet 0
wired-port-profile wired-port1 gigabitethernet 1
#
return

4.5 PPPoE Configuration Examples (Fat AP and Fat Central AP)
4.5.1 Example for Configuring the PPPoE Client
Networking Requirements
As shown in Figure 4-27, the device functioning as the PPPoE client connects to the PPPoE
server using GE0/0/0.
Users want the hosts to share an account. If the account is authenticated successfully on the
PPPoE server, a PPPoE session is established. Service requirements are as follows:
• The device establishes a PPPoE session with the PPPoE server using PPP authentication.
• The device automatically attempts to create a dial-up connection again at intervals after
the disconnection.

Figure 4-27 Networking diagram of the device functioning as the PPPoE client

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure Challenge Handshake Authentication Protocol (CHAP) authentication on the
dialer interface so that the device can establish a PPPoE session with the PPPoE server
using PPP authentication.
2. Configure the dial-up mode to automatic dial-up so that the device will automatically
attempt to create a dial-up connection again at intervals after the disconnection.

Procedure
Step 1 Configure the PPPoE server.
# Configure the authentication mode, IP address allocation mode, and IP address or IP address
pool for the PPPoE client. For details about the configuration procedure, see the
documentation of the PPPoE server.
Step 2 Configure a dialer interface.
<Huawei> system-view
[Huawei] sysname AP
[AP] interface dialer 1
[AP-Dialer1] ppp chap user user1@system
[AP-Dialer1] ppp chap password cipher huawei123
[AP-Dialer1] ip address ppp-negotiate
[AP-Dialer1] quit

Step 3 Create a PPPoE session.


[AP] vlan batch 100
[AP] interface gigabitethernet 0/0/0
[AP-GigabitEthernet0/0/0] port link-type trunk
[AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 100
[AP-GigabitEthernet0/0/0] port trunk pvid vlan 100
[AP-GigabitEthernet0/0/0] quit
[AP] interface vlanif 100
[AP-Vlanif100] pppoe-client dial-bundle-number 1
[AP-Vlanif100] quit

Step 4 Configure NAT to translate private addresses of hosts in the LAN to public addresses so that
the hosts can dial up to the Internet.
[AP] acl number 3002
[AP-acl-adv-3002] rule 5 permit ip source 192.168.10.0 0.0.0.255
[AP-acl-adv-3002] quit
[AP] interface dialer 1
[AP-Dialer1] nat outbound 3002
[AP-Dialer1] quit

Step 5 Configure a static route from the local host to the PPPoE server.
[AP] ip route-static 0.0.0.0 0 dialer 1
[AP] quit

Step 6 Verify the configurations.


# Run the display pppoe-client session summary command to check the PPPoE session
status and configuration. The following command output shows that the PPPoE session status
is Up and the session configuration is consistent with the data plan and networking.
<AP> display pppoe-client session summary
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
1 1 1 vlanif00 00e0fc030201 0819a6cd0680 UP

----End
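What the ppp chap user and ppp chap password settings do on the link, as an added Python example that is not part of the Huawei document: a standard CHAP exchange with MD5 (RFC 1994), showing both the client's and the server's side. The server name pppoe-server and all function and class names are hypothetical, the user name and password are the ones from the procedure above, and the use of standard MD5 CHAP by the devices is an assumption.

```python
"""CHAP (RFC 1994, MD5) exchange between a PPPoE client and its server."""
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # CHAP codes


def build_packet(code, identifier, value, name):
    """Challenge/Response layout: Code, Identifier, Length, Value-Size, Value, Name."""
    if not 1 <= len(value) <= 255:
        raise ValueError("CHAP value must be 1..255 octets")
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_packet(packet):
    """Decode a Challenge/Response and reject truncated or inconsistent lengths."""
    if len(packet) < 5:
        raise ValueError("short CHAP packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 5 or length > len(packet):
        raise ValueError("bad CHAP length field")
    size = packet[4]
    if 5 + size > length:
        raise ValueError("value size exceeds packet length")
    return code, identifier, packet[5:5 + size], packet[5 + size:length]


def chap_md5(identifier, secret, challenge):
    """Response value = MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def peer_respond(challenge_packet, user, secret):
    """Client side: what the dialer interface does with its CHAP user and password."""
    code, identifier, challenge, _server_name = parse_packet(challenge_packet)
    if code != CHALLENGE:
        raise ValueError("not a CHAP Challenge")
    return build_packet(RESPONSE, identifier, chap_md5(identifier, secret, challenge), user)


class Authenticator:
    """Server side: issues challenges and checks responses against stored secrets."""

    def __init__(self, name, secrets):
        self.name = name
        self.secrets = secrets      # user name -> shared secret (must be recoverable)
        self.pending = {}           # identifier -> outstanding challenge value
        self.next_id = 0

    def challenge(self):
        identifier, self.next_id = self.next_id, (self.next_id + 1) % 256
        self.pending[identifier] = os.urandom(16)   # unpredictable, never reused
        return build_packet(CHALLENGE, identifier, self.pending[identifier], self.name)

    def verify(self, response_packet):
        try:
            code, identifier, value, user = parse_packet(response_packet)
        except ValueError:
            return FAILURE
        # pop(): a challenge is honoured once, so a captured Response cannot be replayed
        challenge = self.pending.pop(identifier, None)
        secret = self.secrets.get(user)
        if code != RESPONSE or challenge is None or secret is None:
            return FAILURE
        expected = chap_md5(identifier, secret, challenge)
        return SUCCESS if hmac.compare_digest(expected, value) else FAILURE


if __name__ == "__main__":
    # Credentials are the ones used in the configuration example above.
    server = Authenticator(b"pppoe-server", {b"user1@system": b"huawei123"})
    packet = server.challenge()
    reply = peer_respond(packet, b"user1@system", b"huawei123")
    print("first response :", server.verify(reply))    # 3 = Success
    print("replayed       :", server.verify(reply))    # 4 = Failure
```

The password never crosses the link, but both ends need the secret itself to compute the digest, so a saved configuration containing ppp chap password cipher should be handled as sensitive material.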

Configuration Files
Configuration file of the PPPoE client

#
sysname AP
#
vlan batch 100
#
acl number 3002
rule 5 permit ip source 192.168.10.0 0.0.0.255
#
interface Dialer1
link-protocol ppp
ppp chap user user1@system
ppp chap password cipher %^%#LHG2'Q8n%8NSLn'4-i'Z18)-%eT"v*||t1Mh;NbH%^%#
ip address ppp-negotiate
nat outbound 3002
#
interface Vlanif100
pppoe-client dial-bundle-number 1
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
return

4.5.2 Example for Connecting LAN to the Internet Using the ADSL Modem
Networking Requirements
As shown in Figure 4-28, the AP connects to the ADSL modem through GE0/0/0, and the Router
connects to the DSLAM through ATM1/0/0.
The hosts in the LAN use private IP addresses on 192.168.10.0/24. Users want the hosts in the
LAN to reach the Router through the AP and to access the external network. The user name is user1,
and the password is huawei123.

Figure 4-28 Networking diagram for connecting a LAN to the Internet using an ADSL
modem

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure AP as the PPPoE client so that hosts in the LAN can access the Internet
without installing PPPoE client software.
2. Configure Router as the PPPoE server to provide RADIUS authentication and
accounting functions.
3. Configure NAT so that LAN users can access the external network.

Procedure
Step 1 Configure the PPPoE client.
# Configure the dialer interface.
<Huawei> system-view
[Huawei] sysname AP
[AP] interface dialer 1
[AP-Dialer1] ppp chap user user1
[AP-Dialer1] ppp chap password cipher huawei123
[AP-Dialer1] dialer timer idle 300
[AP-Dialer1] dialer queue-length 8
[AP-Dialer1] ip address ppp-negotiate
[AP-Dialer1] quit

# Create a PPPoE session.


[AP] vlan batch 100
[AP] interface gigabitethernet 0/0/0
[AP-GigabitEthernet0/0/0] port link-type trunk
[AP-GigabitEthernet0/0/0] port trunk allow-pass vlan 100
[AP-GigabitEthernet0/0/0] port trunk pvid vlan 100
[AP-GigabitEthernet0/0/0] quit
[AP] interface vlanif 100
[AP-Vlanif100] pppoe-client dial-bundle-number 1
[AP-Vlanif100] quit

# Configure NAT to translate private addresses of hosts in the LAN to public addresses so that
the hosts can dial up to the Internet.
[AP] acl number 3002
[AP-acl-adv-3002] rule 5 permit ip source 192.168.10.0 0.0.0.255
[AP-acl-adv-3002] quit
[AP] interface dialer 1
[AP-Dialer1] nat outbound 3002
[AP-Dialer1] quit

# Configure a static route from the PPPoE client to the PPPoE server.
[AP] ip route-static 0.0.0.0 0 dialer 1
[AP] quit

Step 2 Configure the PPPoE server.


# Configure the global IP address pool pool1.
<AC6605> system-view
[AC6605] sysname Router
[Router] ip pool pool1
[Router-ip-pool-pool1] network 100.100.10.0 mask 255.255.255.0
[Router-ip-pool-pool1] gateway-list 100.100.10.1
[Router-ip-pool-pool1] quit

# Configure a PPPoE user.


[Router] aaa
[Router-aaa] local-user user1 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, i
ncluding lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[Router-aaa] local-user user1 service-type ppp
[Router-aaa] quit

# Configure RADIUS authentication.


1. Configure a RADIUS server template.
[Router] radius-server template shiva
[Router-radius-shiva] radius-server authentication 129.6.6.66 1812
[Router-radius-shiva] radius-server accounting 129.6.6.66 1813
[Router-radius-shiva] radius-server shared-key cipher hello@123
[Router-radius-shiva] quit

2. Configure authentication and accounting schemes.


[Router] aaa
[Router-aaa] authentication-scheme 1
[Router-aaa-authen-1] authentication-mode radius
[Router-aaa-authen-1] quit
[Router-aaa] accounting-scheme 1
[Router-aaa-accounting-1] accounting-mode radius
[Router-aaa-accounting-1] quit

3. Configure the domain named system and apply authentication scheme 1, accounting
scheme 1, and RADIUS server template shiva to the domain.
[Router-aaa] domain system
[Router-aaa-domain-system] authentication-scheme 1
[Router-aaa-domain-system] accounting-scheme 1
[Router-aaa-domain-system] radius-server shiva
[Router-aaa-domain-system] quit
[Router-aaa] quit

# Create and configure a virtual template (VT).


[Router] interface virtual-template 1
[Router-Virtual-Template1] ppp authentication-mode chap domain system
[Router-Virtual-Template1] ip address 100.100.10.1 255.255.255.0
[Router-Virtual-Template1] remote address pool pool1
[Router-Virtual-Template1] quit

# Enable the PPPoE server function on the virtual Ethernet interface.


[Router] interface virtual-ethernet 0/0/1
[Router-Virtual-Ethernet0/0/1] pppoe-server bind virtual-template 1
[Router-Virtual-Ethernet0/0/1] quit

# Configure the ATM interface.


[Router] interface atm 1/0/0
[Router-Atm1/0/0] pvc 0/32
[Router-atm-pvc-Atm1/0/0-0/32] map bridge virtual-ethernet 0/0/1
[Router-atm-pvc-Atm1/0/0-0/32] quit

Step 3 Verify the configuration.


# Run the display pppoe-client session summary command to check the PPPoE session
status and configuration. The following command output shows that the PPPoE session status
is Up and the session configuration is consistent with the data plan and networking.
<AP> display pppoe-client session summary
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
0 1 1 vlanif100 54899874dbc7 000000000000 PADI

# AP can successfully ping server Router.

----End

Configuration Files
• Configuration file of AP
#
sysname AP
#
vlan batch 100
#
acl number 3002
rule 5 permit ip source 192.168.10.0 0.0.0.255
#
interface Dialer1
link-protocol ppp
ppp chap user user1
ppp chap password cipher %^%#D]<B>${2C"o|jLLQwm<#=FP[~\b3P!w0Vr6BLp4A%^%#
ip address ppp-negotiate
dialer queue-length 8
dialer timer idle 300
nat outbound 3002
#
interface Vlanif100
pppoe-client dial-bundle-number 1
#
interface GigabitEthernet0/0/0
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
return

• Configuration file of Router
#
sysname Router
#
radius-server template shiva
radius-server shared-key cipher %^%#s2BY1Z1+yAE}!(X0JTHB64T#,K$SFIfN5D!RjIGI%^%#
radius-server authentication 129.6.6.66 1812 weight 80
radius-server accounting 129.6.6.66 1813 weight 80
#
ip pool pool1
gateway-list 100.100.10.1
network 100.100.10.0 mask 255.255.255.0
#
aaa
authentication-scheme 1
authentication-mode radius
accounting-scheme 1
accounting-mode radius
domain system
authentication-scheme 1
accounting-scheme 1
radius-server shiva
local-user user1 password cipher %^%#9T`|L}K(4#J3k=+I8SiJrsM:RO[iy@Uuc:LTQJ,1%^%#
local-user user1 privilege level 0
local-user user1 service-type ppp
#
interface Virtual-Template1
ppp authentication-mode chap domain system
remote address pool pool1
ppp keepalive retry-times 2
timer hold 30
ip address 100.100.10.1 255.255.255.0
#
interface Atm1/0/0
pvc 0/32
map bridge Virtual-Ethernet0/0/1
#
interface Virtual-Ethernet0/0/1
pppoe-server bind Virtual-Template 1
#
return

4.6 Authentication Configuration Examples


4.6.1 Example for Configuring External Portal Authentication

Service Requirements
To improve WLAN security, an enterprise uses the external Portal authentication mode to
control user access.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: External Portal authentication
• Security policy: open

Figure 4-29 Networking for configuring external Portal authentication

Data Planning

Table 4-32 AC data planning

Item: Data
Management VLAN for APs: VLAN100
Service VLAN for STAs: VLAN101
DHCP server:
  The AC functions as a DHCP server to assign IP addresses to APs.
  SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway address of STAs is 10.23.101.2.
IP address pool for APs: 10.23.100.2-10.23.100.254/24
IP address pool for STAs: 10.23.101.3-10.23.101.254/24
AC's source interface address: VLANIF100: 10.23.100.1/24
AP group:
  • Name: ap-group1
  • Referenced profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile:
  • Name: default
  • Country code: China
SSID profile:
  • Name: wlan-net
  • SSID name: wlan-net
Security profile:
  • Name: wlan-net
  • Security policy: open
RADIUS authentication parameters:
  Name of the RADIUS authentication scheme: wlan-net
  Name of the RADIUS accounting scheme: wlan-net
  Name of the RADIUS server template: wlan-net
  • IP address: 10.23.102.1
  • Authentication port number: 1812
  • Shared key: Huawei123
Portal server template:
  • Name: wlan-net
  • IP address: 10.23.103.1
  • Destination port number in the packets that the AC sends to the Portal server: 50200
  • Portal shared key: Huawei123
Portal access profile:
  • Name: wlan-net
  • Referenced profile: Portal server template wlan-net
Authentication-free rule profile:
  • Name: default_free_rule
  • Authentication-free resource: IP address of the DNS server (8.8.8.8)
Authentication Profile:
  • Name: wlan-net
  • Referenced profile: Portal access profile wlan-net, RADIUS Server profile wlan-net, authentication-free rule profile default_free_rule and authentication scheme wlan-net
VAP profile:
  • Name: wlan-net
  • Forwarding mode: tunnel forwarding
  • Service VLAN: VLAN 101
  • Referenced profile: SSID profile wlan-net, security profile wlan-net and Authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure external Portal authentication.
a. Configure RADIUS server parameters.
b. Configure a Portal access profile to manage Portal access control parameters.
c. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
d. Configure an authentication profile to manage external Portal authentication
configuration.
4. Configure WLAN service parameters.
5. Configure third-party server interconnection parameters.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit

Step 4 Configure a default route on the AC with the next hop set to the IP address of the Router's VLANIF 101.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC] display ap all
Total AP information:
nor : normal [1]
----------------------------------------------------------------------------------
---
ID MAC Name Group IP Type State STA
Uptime
----------------------------------------------------------------------------------
---
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
----------------------------------------------------------------------------------
---
Total: 1

Step 6 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.

# Configure a RADIUS server template.


[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.102.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher Huawei123
[AC-radius-wlan-net] quit

# Create an authentication scheme and configure the RADIUS authentication mode.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit

# Create an accounting scheme and configure the RADIUS accounting mode.


[AC-aaa] accounting-scheme wlan-net
[AC-aaa-accounting-wlan-net] accounting-mode radius
[AC-aaa-accounting-wlan-net] accounting realtime 15
[AC-aaa-accounting-wlan-net] quit
[AC-aaa] quit

NOTE

• In this example, the device is connected to the Agile Controller-Campus. The accounting function is not
used for actual accounting; it is used to maintain terminal online information through
accounting packets.
• The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting
interval requires higher performance of the device and RADIUS server. Set the real-time accounting
interval based on the user quantity.

User Quantity    Real-Time Accounting Interval
1-99             3 minutes
100-499          6 minutes
500-999          12 minutes
≥ 1000           ≥ 15 minutes

Step 7 Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the user's request to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page
pushing. Before configuring the URL using a domain name, you must first configure the
mapping between the domain name and IP address of the Portal server on the DNS server.

NOTE
Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] url-parameter ssid ssid redirect-url url
[AC-url-template-wlan-net] quit

Step 8 Configure a Portal server template.


NOTE

Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] port 50200
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
[AC-web-auth-server-wlan-net] quit

Step 9 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit

Step 10 Configure an authentication-free rule profile.


[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 8.8.8.8 mask 32
[AC-free-rule-default_free_rule] quit

Step 11 Configure the authentication profile wlan-net.


[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] portal-access-profile wlan-net
[AC-authentication-profile-wlan-net] free-rule-template default_free_rule
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

Step 12 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile. By default, the
security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 13 Configure third-party server interconnection parameters.


For interconnection with the Agile Controller-Campus, see "Example for Configuring Portal
Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless
Users" in the Agile Controller-Campus Typical Configuration Examples.
For interconnection with other third-party servers, see the corresponding product manual.
Step 14 Verify the configuration.
• The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
• The STAs obtain IP addresses when they successfully associate with the WLAN.
• When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
dhcp server dns-list 8.8.8.8
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
portal-access-profile wlan-net
free-rule-template default_free_rule
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
aaa
authentication-scheme wlan-net
authentication-mode radius
accounting-scheme wlan-net
accounting-mode radius
accounting realtime 15
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
capwap source interface vlanif100
#
radius-server template wlan-net
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.102.1 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255
#
url-template name wlan-net
url http://portal.com:8080/portal
#
web-auth-server wlan-net
server-ip 10.23.103.1
port 50200
shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
#
portal-access-profile name wlan-net
web-auth-server wlan-net direct
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
ap-group name ap-group1
regulatory-domain-profile default
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

4.6.2 Example for Configuring Built-in Portal Authentication for Local Users

Service Requirements
To improve WLAN security, an enterprise uses the Portal authentication mode. To reduce
costs, the enterprise deploys an AC as the Portal server and uses the local authentication mode
so that authentication is performed on the AC.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
l Authentication mode: built-in Portal authentication
l Security policy: open

Figure 4-30 Networking for configuring built-in Portal authentication for local users

Data Planning

Table 4-33 AC data planning


Item                              Data
Management VLAN for APs           VLAN 100
Service VLAN for STAs             VLAN 101
DHCP server                       The AC functions as a DHCP server to assign IP addresses to APs.
                                  SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                  The default gateway address of STAs is 10.23.101.2.
IP address pool for APs           10.23.100.2-10.23.100.254/24
IP address pool for STAs          10.23.101.3-10.23.101.254/24
AC's source interface             VLANIF100: 10.23.100.1/24
AP group                          l Name: ap-group1
                                  l Referenced profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile         l Name: default
                                  l Country code: CN
SSID profile                      l Name: wlan-net
                                  l SSID name: wlan-net
Security profile                  l Name: wlan-net
                                  l Security policy: open
Local user                        l User name: guest
                                  l Password: guest@123
Authentication scheme             l Name: wlan-net
                                  l Authentication scheme: local
Portal access profile             l Name: wlan-net
                                  l The built-in Portal server is used.
                                    – Server IP: 10.23.101.1/24
                                    – SSL policy: default_policy
                                    – Port number: 20000
Authentication-free rule profile  l Name: default_free_rule
                                  l Authentication-free resource: IP address of the DNS server (8.8.8.8)
Authentication Profile            l Name: wlan-net
                                  l Referenced profile: Portal access profile wlan-net, Authentication-free rule
                                    profile default_free_rule, authentication scheme wlan-net
VAP profile                       l Name: wlan-net
                                  l Forwarding mode: tunnel forwarding
                                  l Service VLAN: VLAN 101
                                  l Referenced profile: SSID profile wlan-net, security profile wlan-net and
                                    Authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure built-in Portal authentication for local users.
a. Configure local authentication parameters.
b. Configure a Portal access profile for the built-in Portal server to manage Portal
access control parameters.
c. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
d. Configure an authentication profile to manage built-in Portal authentication
configuration.
4. Configure WLAN service parameters to control access from STAs.

Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure a route from the AC to the DNS server.


[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2

Step 5 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 6 Configure local authentication.


# Configure the local authentication scheme wlan-net.
[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode local
[AC-aaa-authen-wlan-net] quit

# Configure the user name, password, and service type of the local user.
[AC-aaa] local-user guest password cipher guest@123
[AC-aaa] local-user guest service-type web
[AC-aaa] quit

Step 7 Configure SSL policy default_policy and load a digital certificate.


# Load certificates and the RSA key pair.

NOTE
The local certificate abc_local.pem, CA certificate abc_ca.pem, and RSA key pair privatekey.pem have
been requested, obtained, and uploaded to the storage medium of the device. If multiple CA certificates are
requested, perform the same operation to load the certificates to the memory of the device. When
privatekey.pem is generated, the key is Huawei@123.
[AC] pki realm abc
[AC-pki-realm-abc] quit
[AC] pki import-certificate local realm abc pem filename abc_local.pem
[AC] pki import-certificate ca realm abc pem filename abc_ca.pem
[AC] pki import rsa-key-pair key1 pem privatekey.pem password Huawei@123

# Configure the SSL policy default_policy and load the digital certificate.
[AC] ssl policy default_policy type server
[AC-ssl-policy-default_policy] pki-realm abc
[AC-ssl-policy-default_policy] version tls1.0 tls1.1 tls1.2
[AC-ssl-policy-default_policy] ciphersuite rsa_aes_128_sha256 rsa_aes_256_sha256
[AC-ssl-policy-default_policy] quit
[AC] http secure-server ssl-policy default_policy
[AC] http secure-server enable

# Check the configuration of the SSL policy. The status of the CA and local certificates must
be loaded.
[AC] display ssl policy default_policy
------------------------------------------------------------------------------
Policy name : default_policy
Policy ID : 2
Policy type : Server
Cipher suite : rsa_aes_128_sha256
rsa_aes_256_sha256
PKI realm : abc
Version : tls1.0 tls1.1 tls1.2
Cache number : 32
Time out(second) : 3600
Server certificate load status : loaded
CA certificate chain load status : loaded
SSL renegotiation status : enable
Bind number : 1
SSL connection number : 0
------------------------------------------------------------------------------

Step 8 Configure the Portal access profile wlan-net.


# Enable the built-in Portal server function.
[AC] interface loopback 1
[AC-LoopBack1] ip address 10.23.101.1 24
[AC-LoopBack1] quit
[AC] portal local-server ip 10.23.101.1
[AC] portal local-server https ssl-policy default_policy port 20000

# Create the Portal access profile wlan-net and configure it to use the built-in Portal server.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] portal local-server enable
[AC-portal-access-profile-wlan-net] quit

Step 9 Configure an authentication-free rule profile to allow users to access the DNS server before
authentication.
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 8.8.8.8 mask 32
[AC-free-rule-default_free_rule] quit

Step 10 Configure the authentication profile wlan-net.


[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] portal-access-profile wlan-net
[AC-authentication-profile-wlan-net] free-rule-template default_free_rule
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] quit

Step 11 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile. By default, the
security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 12 Verify the configuration.


l The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
l The STAs obtain IP addresses when they successfully associate with the WLAN.
l When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.

----End

Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

l SwitchB configuration file


#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return

l Router configuration file


#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

l AC configuration file
#
sysname AC
#
http secure-server ssl-policy default_policy
http server enable
#
portal local-server ip 10.23.101.1
portal local-server https ssl-policy default_policy port 20000
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
portal-access-profile wlan-net
free-rule-template default_free_rule
authentication-scheme wlan-net
#
dhcp enable
#
pki realm abc
pki import-certificate local realm abc pem filename abc_local.pem
pki import-certificate ca realm abc pem filename abc_ca.pem
pki import rsa-key-pair key1 pem privatekey.pem password Huawei@123
#
ssl policy default_policy type server
pki-realm abc
version tls1.0 tls1.1 tls1.2
ciphersuite rsa_aes_128_sha256 rsa_aes_256_sha256
#
free-rule-template name default_free_rule
free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255
#
portal-access-profile name wlan-net
portal local-server enable
#
aaa
authentication-scheme wlan-net
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
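
An offline check of the saved AC configuration above for three settings that matter to a security review: TLS 1.0/1.1 enabled in default_policy, the private-key passphrase kept in clear text on the pki import rsa-key-pair line, and a security profile left at the open-system default. This is an added example, not Huawei code; the rule names, the HARDENED_CONFIG variant, and the security wpa2 psk ... aes and security open command forms it recognises are assumptions that do not come from this page.

```python
import re
from typing import Iterator, List, NamedTuple

# Excerpt of the AC configuration file in section 4.6.2, with wrapped lines
# re-joined. Indentation is absent on this page, so the parser ignores it.
AC_CONFIG = """\
#
portal local-server ip 10.23.101.1
portal local-server https ssl-policy default_policy port 20000
#
pki realm abc
pki import-certificate local realm abc pem filename abc_local.pem
pki import-certificate ca realm abc pem filename abc_ca.pem
pki import rsa-key-pair key1 pem privatekey.pem password Huawei@123
#
ssl policy default_policy type server
pki-realm abc
version tls1.0 tls1.1 tls1.2
ciphersuite rsa_aes_128_sha256 rsa_aes_256_sha256
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
#
return
"""

# Constructed variant for comparison (not from the page): TLS 1.2 only, no key
# passphrase left in the file, and a WPA2 policy with a placeholder ciphertext.
HARDENED_CONFIG = (
    AC_CONFIG
    .replace("version tls1.0 tls1.1 tls1.2", "version tls1.2")
    .replace("pki import rsa-key-pair key1 pem privatekey.pem password Huawei@123\n", "")
    .replace("security-profile name wlan-net\n",
             "security-profile name wlan-net\n"
             "security wpa2 psk pass-phrase %^%#CONSTRUCTED%^%# aes\n", 1)
)

DEPRECATED_TLS = {"tls1.0", "tls1.1"}               # deprecated by RFC 8996
SECRET_KEYWORDS = {"password", "shared-key"}        # token that precedes a secret
CIPHER_MARKERS = {"cipher", "irreversible-cipher"}  # secret is stored encrypted


class Finding(NamedTuple):
    rule: str
    detail: str


def stanzas(text: str) -> Iterator[List[str]]:
    """Yield the non-empty lines of each stanza; '#' and 'return' end a stanza."""
    block: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            if block:
                yield block
            block = []
        elif line:
            block.append(line)
    if block:
        yield block


def audit(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for block in stanzas(text):
        header = block[0]
        for i, line in enumerate(block):
            tokens = line.split()
            # Rule 1: secret keyword followed directly by a value instead of "cipher".
            for pos, tok in enumerate(tokens[:-1]):
                if tok in SECRET_KEYWORDS and tokens[pos + 1] not in CIPHER_MARKERS:
                    redacted = " ".join(tokens[:pos + 1]) + " <redacted>"
                    findings.append(Finding("cleartext-secret", redacted))
            # Rule 2: deprecated protocol versions enabled in an SSL policy.
            if header.startswith("ssl policy ") and tokens[0] == "version":
                weak = sorted(DEPRECATED_TLS & set(tokens[1:]))
                if weak:
                    findings.append(
                        Finding("deprecated-tls", f"{header.split()[2]}: {' '.join(weak)}"))
            # Rule 3: security profile with no policy line (open system by
            # default, as the page states) or an explicit "security open".
            match = re.fullmatch(r"security-profile name (\S+)", line)
            if header == "wlan" and match:
                nxt = block[i + 1].split() if i + 1 < len(block) else []
                if nxt[:1] != ["security"] or nxt[1:2] == ["open"]:
                    findings.append(Finding("open-ssid", match.group(1)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("page config", AC_CONFIG), ("hardened variant", HARDENED_CONFIG)):
        print(name)
        for finding in audit(cfg):
            print(f"  {finding.rule}: {finding.detail}")
```

The findings report the command up to the secret keyword and redact the value, so the audit output can be shared without leaking the passphrase.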

4.6.3 Example for Configuring MAC Address-prioritized Portal Authentication

Service Requirements
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: tunnel forwarding
l Authentication mode: MAC address-prioritized Portal authentication
l Security policy: open

Figure 4-31 Networking for configuring MAC address-prioritized Portal authentication

Data Planning

Table 4-34 AC data planning


Item                              Data
Management VLAN for APs           VLAN100
Service VLAN for STAs             VLAN101
DHCP server                       The AC functions as a DHCP server to assign IP addresses to APs.
                                  SwitchB functions as a DHCP server to assign IP addresses to STAs. The
                                  default gateway address of STAs is 10.23.101.2.
IP address pool for APs           10.23.100.2–10.23.100.254/24
IP address pool for STAs          10.23.101.3–10.23.101.254/24
AC's source interface address     VLANIF100: 10.23.100.1/24
AP group                          l Name: ap-group1
                                  l Referenced profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile         l Name: default
                                  l Country code: China
SSID profile                      l Name: wlan-net
                                  l SSID name: wlan-net
Security profile                  l Name: wlan-net
                                  l Security policy: open
RADIUS authentication parameters  Name of the RADIUS authentication scheme: wlan-net
                                  Name of the RADIUS accounting scheme: wlan-net
                                  Name of the RADIUS server template: wlan-net
                                  l IP address: 10.23.102.1
                                  l Authentication port number: 1812
                                  l Shared key: Huawei123
Portal server template            l Name: wlan-net
                                  l IP address: 10.23.103.1
                                  l Destination port number in the packets that the AC sends to the Portal
                                    server: 50200
                                  l Portal shared key: Huawei123
Portal access profile             l Name: wlan-net
                                  l Referenced profile: Portal server template wlan-net
MAC access profile                Name: wlan-net
Authentication-free rule profile  l Name: default_free_rule
                                  l Authentication-free resource: IP address of the DNS server (8.8.8.8)
Authentication Profile            l Name: wlan-net
                                  l Referenced profile: Portal access profile wlan-net, MAC access profile
                                    wlan-net, RADIUS server template wlan-net, authentication-free rule
                                    profile default_free_rule and authentication scheme wlan-net
VAP profile                       l Name: wlan-net
                                  l Forwarding mode: tunnel forwarding
                                  l Service VLAN: VLAN 101
                                  l Referenced profile: SSID profile wlan-net, security profile wlan-net and
                                    Authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure MAC address-prioritized Portal authentication.
a. Configure RADIUS server parameters.
b. Configure a Portal access profile to manage Portal access control parameters.
c. Configure a MAC access profile for MAC address-prioritized Portal authentication.
d. Configure an authentication-free rule profile so that the AC allows packets to the
DNS server to pass through.
e. Configure an authentication profile to manage MAC address-prioritized Portal
authentication configuration.
4. Configure WLAN service parameters.
5. Configure third-party server interconnection parameters.

Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit

Step 4 Configure a default route on the AC that points to the router's VLANIF 101 (10.23.101.2).
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 6 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.

# Configure a RADIUS server template.


[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.102.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher Huawei123
[AC-radius-wlan-net] quit

# Create an authentication scheme and configure the RADIUS authentication mode.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit

# Create an accounting scheme and configure the RADIUS accounting mode.


[AC-aaa] accounting-scheme wlan-net
[AC-aaa-accounting-wlan-net] accounting-mode radius
[AC-aaa-accounting-wlan-net] accounting realtime 15
[AC-aaa-accounting-wlan-net] quit
[AC-aaa] quit

NOTE

l In this example, the device is connected to the Agile Controller-Campus. Accounting is not used
for billing here; accounting packets are used to maintain terminal online information.
l The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting
interval requires higher performance of the device and RADIUS server. Set the real-time accounting
interval based on the user quantity.

User Quantity    Real-Time Accounting Interval
1-99             3 minutes
100-499          6 minutes
500-999          12 minutes
≥ 1000           ≥ 15 minutes

Step 7 Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the user to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page
pushing. Before configuring the URL using a domain name, you must first configure the
mapping between the domain name and IP address of the Portal server on the DNS server.

NOTE
Configure the parameters carried in the URL so that they are the same as those on the authentication server.
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] url-parameter ssid ssid redirect-url url
[AC-url-template-wlan-net] quit

Step 8 Configure a Portal server template.


NOTE

Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] port 50200
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
[AC-web-auth-server-wlan-net] quit

Step 9 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit

Step 10 Configure a MAC access profile for MAC address-prioritized Portal authentication.
[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit

Step 11 Configure an authentication-free rule profile.


[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 8.8.8.8 mask 32
[AC-free-rule-default_free_rule] quit

Step 12 Configure the authentication profile wlan-net and enable MAC address-prioritized Portal
authentication.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] portal-access-profile wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] free-rule-template default_free_rule
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

Step 13 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile. By default, the
security policy is open system.


[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 14 Configure third-party server interconnection parameters.


For interconnection with the Agile Controller-Campus, see "Example for Configuring Portal
Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless
Users" in the Agile Controller-Campus Typical Configuration Examples.
For interconnection with other third-party servers, see the corresponding product manual.
Step 15 Verify the configuration.
l The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
l The STAs obtain IP addresses when they successfully associate with the WLAN.
l When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.
l Assume that the MAC address validity period configured on the server is 60 minutes. If a
user is disconnected from the wireless network for 5 minutes and reconnects to the
network, the user can directly access the network. If a user is disconnected from the
wireless network for 65 minutes and reconnects to the network, the user will be
redirected to the Portal authentication page.

----End

Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#


vlan batch 100


#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
dhcp server dns-list 8.8.8.8
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
l Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
mac-access-profile wlan-net
portal-access-profile wlan-net
free-rule-template default_free_rule
authentication-scheme wlan-net
radius-server wlan-net
#


dhcp enable
#
aaa
authentication-scheme wlan-net
authentication-mode radius
accounting-scheme wlan-net
accounting-mode radius
accounting realtime 15
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
capwap source interface vlanif100
#
radius-server template wlan-net
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.102.1 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255
#
url-template name wlan-net
url http://portal.com:8080/portal
#
web-auth-server wlan-net
server-ip 10.23.103.1
port 50200
shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
#
portal-access-profile name wlan-net
web-auth-server wlan-net direct
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
ap-group name ap-group1
regulatory-domain-profile default
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
mac-access-profile name wlan-net
#
return


4.6.4 Example for Configuring 802.1X Authentication


Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l WLAN authentication mode: WPA-WPA2+802.1x+AES


Figure 4-32 Networking diagram for configuring 802.1x authentication
[Figure not reproduced. Devices shown: STAs, AP, SwitchA, SwitchB, AC, Router, Internet, and the
RADIUS server (10.23.103.1:1812). Management VLAN: VLAN 100. Service VLAN: VLAN 101.]


Data Planning

Table 4-35 Data planning on the AC

Configuration Item              Data
Management VLAN                 VLAN 100
Service VLAN                    VLAN 101
AC's source interface           VLANIF 100: 10.23.100.1/24
DHCP server                     The AC functions as the DHCP server to assign IP
                                addresses to APs, and SwitchB functions as the DHCP
                                server to assign IP addresses to STAs.
IP address pool for APs         10.23.100.2-10.23.100.254/24
IP address pool for the STAs    10.23.101.2-10.23.101.254/24
RADIUS authentication           RADIUS server template name: wlan-net
parameters                      IP address: 10.23.103.1
                                Authentication port number: 1812
                                Shared key: huawei@123
                                Authentication scheme: wlan-net
802.1x access profile           Name: wlan-net
                                Authentication mode: EAP
Authentication profile          Name: wlan-net
                                Bound profile and authentication scheme: 802.1x
                                  access profile wlan-net, RADIUS server template
                                  wlan-net, and RADIUS authentication scheme wlan-net
AP group                        Name: ap-group1
                                Bound profile: VAP profile wlan-net and
                                  regulatory domain profile default
Regulatory domain profile       Name: default
                                Country code: China
SSID profile                    Name: wlan-net
                                SSID name: wlan-net
Security profile                Name: wlan-net
                                Security policy: WPA-WPA2+802.1x+AES
VAP profile                     Name: wlan-net
                                Forwarding mode: direct forwarding
                                Service VLAN: VLAN 101
                                Bound profiles: SSID profile wlan-net, security
                                  profile wlan-net, and authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1X authentication on the AC.
5. Configure third-party server interconnection parameters.
NOTE

The AC and server must have the same RADIUS shared key.

Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.


<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router


[Router] interface gigabitethernet 0/0/1


[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs, respectively.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y


[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
--------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.


1. Configure RADIUS authentication parameters.

# Create a RADIUS server template.


[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit


2. Configure an 802.1x access profile to manage 802.1x access control parameters.


# Create the 802.1x access profile wlan-net.
[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.


[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.


# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure third-party server interconnection parameters.


l For interconnection with the Cisco ISE, see "Example for Configuring Wireless 802.1X
Authentication" in the Typical Configuration Examples-WLAN and the Cisco ISE Server
Interoperation Configuration Examples.
l For interconnection with the Aruba ClearPass, see "Example for Configuring Wireless
802.1X Authentication" in the Typical Configuration Examples-WLAN and the Aruba
ClearPass Server Interoperation Configuration Examples.
l For interconnection with the Agile Controller-Campus, see "Example for Configuring
Wireless 802.1X Authentication" in the Agile Controller-Campus Typical Configuration
Examples.


l For interconnection with other third-party servers, see the corresponding product manual.
Step 7 Verify the configuration.
l The WLAN with SSID wlan-net is available for STAs connected to the AP.
l The wireless PC obtains an IP address after it associates with the WLAN.
l Use the 802.1x authentication client on a STA and enter the correct user name and
password. The STA is authenticated and can access the WLAN. You must configure the
client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. Click OK. On the Wireless Network Properties page, click Advanced
settings. On the Advanced settings page that is displayed, select Specify
authentication mode, set the identity authentication mode to User
authentication, and click OK.
l After wireless users connect to the network, run the display access-user access-type
dot1x command on the AC to view users in 802.1x authentication mode. The user
huawei has gone online successfully.
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
UserID Username IP address    MAC            Status
------------------------------------------------------------------------------
460    huawei   10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End
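
The notes in this procedure and in the Portal example require the AC and the RADIUS server to share the same key. The following added example (not Huawei code, and not part of the original document) shows why for the EAP relay mode configured in Step 5: the AC signs each Access-Request that carries an EAP-Message with a Message-Authenticator attribute (RFC 3579, HMAC-MD5 keyed with the shared key), and a server holding a different key cannot verify it. Function names are hypothetical; the user name and key are the values used in this example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RADIUS attribute types


def attribute(attr_type, value):
    """Encode one RADIUS attribute: type, length (including 2-byte header), value."""
    return bytes([attr_type, len(value) + 2]) + value


def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity: code 2, identifier, length, type 1, identity bytes."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity


def build_access_request(secret, identifier, user, eap_packet):
    """NAS (AC) side: Access-Request carrying an EAP packet, signed per RFC 3579."""
    attrs = (attribute(USER_NAME, user)
             + attribute(EAP_MESSAGE, eap_packet)
             + attribute(MESSAGE_AUTHENTICATOR, bytes(16)))  # zero-filled placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    unsigned = header + os.urandom(16) + attrs  # 16-byte Request Authenticator
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + mac  # the placeholder is the last 16 bytes


def verify_access_request(secret, packet):
    """Server side: True only if the Message-Authenticator verifies under `secret`."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos, mac_at = 20, None
    while pos < len(packet):
        if pos + 2 > len(packet):
            return False
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            mac_at = pos + 2
        pos += attr_len
    if mac_at is None:
        return False  # an EAP-Message without Message-Authenticator is discarded
    # Recompute the HMAC over the packet with the attribute value zeroed.
    zeroed = packet[:mac_at] + bytes(16) + packet[mac_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[mac_at:mac_at + 16])


# Constructed exchange: the AC holds the key from Table 4-35.
REQUEST = build_access_request(b"huawei@123", 7, b"huawei",
                               eap_identity_response(1, b"huawei"))

if __name__ == "__main__":
    print("server key huawei@123:", verify_access_request(b"huawei@123", REQUEST))
    print("server key Huawei123: ", verify_access_request(b"Huawei123", REQUEST))
```

A server that fails this check silently discards the request, so a key mismatch shows up on the AC as an authentication timeout rather than as a reject.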

Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk


port trunk pvid vlan 100


port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
l Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#


authentication-profile name wlan-net


dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
dot1x-access-profile name wlan-net
#
return
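
The AC configuration files of the Portal example and of this 802.1X example differ mainly in what the VAP profile ends up bound to. The following added example (not Huawei code, and not part of the original document) resolves those bindings from a saved configuration and reports, per VAP profile, the SSID, the security policy and the access methods. The sample text is abridged from the two files on this page; the one-space-per-level indentation and all function names are assumptions.

```python
import re

# Constructed samples, abridged from the two AC configuration files on this page.
# Assumption: one space of indentation per nesting level, as in device output.
PORTAL_AC = """\
authentication-profile name wlan-net
 mac-access-profile wlan-net
 portal-access-profile wlan-net
 radius-server wlan-net
#
wlan
 security-profile name wlan-net
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
"""

DOT1X_AC = """\
authentication-profile name wlan-net
 dot1x-access-profile wlan-net
 radius-server wlan-net
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 dot1x aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
"""

ACCESS_PROFILES = {"dot1x-access-profile": "802.1X",
                   "portal-access-profile": "Portal",
                   "mac-access-profile": "MAC"}


def parse(text):
    """Build a tree {line: {child line: {...}}} from indentation depth."""
    root = {}
    stack = [(-1, root)]
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= depth:
            stack.pop()
        node = stack[-1][1].setdefault(line, {})
        stack.append((depth, node))
    return root


def ref(node, keyword):
    """Return NAME from a child line '<keyword> NAME', or None if there is none."""
    for child in node:
        m = re.fullmatch(re.escape(keyword) + r" (\S+)", child)
        if m:
            return m.group(1)
    return None


def summarize_vaps(text):
    """Resolve each VAP profile to its SSID, security policy and access methods."""
    cfg = parse(text)
    wlan = cfg.get("wlan", {})
    report = []
    for line, vap in wlan.items():
        m = re.fullmatch(r"vap-profile name (\S+)", line)
        if not m:
            continue
        # Security and SSID profiles live in the wlan view, the authentication
        # profile at top level. A binding to an undefined profile maps to None.
        bound = {kind: scope.get(f"{kind} name {ref(vap, kind)}")
                 for kind, scope in (("security-profile", wlan),
                                     ("ssid-profile", wlan),
                                     ("authentication-profile", cfg))}
        sec = bound["security-profile"]
        auth = bound["authentication-profile"] or {}
        # A security profile with no "security" line keeps the default (open system).
        policy = None if sec is None else next(
            (c.split(" ", 1)[1] for c in sec if c.startswith("security ")),
            "open (default)")
        report.append({
            "vap": m.group(1),
            "ssid": ref(bound["ssid-profile"] or {}, "ssid"),
            "security": policy,
            "access": sorted(v for k, v in ACCESS_PROFILES.items() if ref(auth, k)),
            "radius": ref(auth, "radius-server"),
            "undefined": sorted(k for k, v in bound.items() if v is None),
        })
    return report


if __name__ == "__main__":
    for title, text in (("Portal", PORTAL_AC), ("802.1X", DOT1X_AC)):
        print(title, summarize_vaps(text))
```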


4.6.5 Example for Configuring MAC Address Authentication


Service Requirements
MAC address authentication is used to authenticate dumb terminals such as wireless network
printers and wireless phones that cannot have an authentication client installed.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• Authentication mode: open system authentication

Figure 4-33 Networking diagram for configuring MAC address authentication
[Figure: networking diagram showing the Internet, Router, SwitchB, AC, RADIUS server (10.23.103.1:1812), SwitchA, AP, and STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Data Planning

Table 4-36 Data planning on the AC


Configuration Item                 Data
Management VLAN                    VLAN 100
Service VLAN                       VLAN 101
AC's source interface              VLANIF 100: 10.23.100.1/24
DHCP server                        The AC functions as the DHCP server to assign IP addresses to APs, and
                                   SwitchB functions as the DHCP server to assign IP addresses to STAs.
IP address pool for APs            10.23.100.2-10.23.100.254/24
IP address pool for the STAs       10.23.101.2-10.23.101.254/24
RADIUS authentication parameters   • RADIUS server template name: wlan-net
                                   • IP address: 10.23.103.1
                                   • Authentication port number: 1812
                                   • Shared key: huawei@123
                                   • Authentication scheme: wlan-net
MAC access profile                 Name: wlan-net
Authentication profile             • Name: wlan-net
                                   • Bound profile and authentication scheme: MAC access profile wlan-net,
                                     RADIUS server template wlan-net, and authentication scheme wlan-net
AP group                           • Name: ap-group1
                                   • Bound profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile          • Name: default
                                   • Country code: CN
SSID profile                       • Name: wlan-net
                                   • SSID name: wlan-net
Security profile                   • Name: wlan-net
                                   • Security policy: open system authentication
VAP profile                        • Name: wlan-net
                                   • Forwarding mode: direct forwarding
                                   • Service VLAN: VLAN 101
                                   • Bound profiles: SSID profile wlan-net, security profile wlan-net, and
                                     authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure MAC address authentication on the AC.
5. Configure third-party server interconnection parameters.
NOTE

The AC and server must have the same RADIUS shared key.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type     State STA Uptime
--------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure MAC address authentication on the AC.


1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.
[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] radius-attribute set Service-Type 10 auth-type mac
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure a MAC access profile.


NOTE
In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for
MAC address authentication.

# Create the MAC access profile wlan-net.


[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the MAC access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.

# Create the security profile wlan-net and set the security policy in the profile. By
default, the security policy is open system authentication.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure third-party server interconnection parameters.


• For interconnection with the Cisco ISE, see "Example for Configuring MAC Address
Authentication" in the Typical Configuration Examples-WLAN and the Cisco ISE Server
Interoperation Configuration Examples.
• For interconnection with the Aruba ClearPass, see "Example for Configuring MAC
Address Authentication" in the Typical Configuration Examples-WLAN and the Aruba
ClearPass Server Interoperation Configuration Examples.
• For interconnection with the Agile Controller-Campus, see "Example for Configuring
Wireless AC Address Authentication" in the Agile Controller-Campus Typical
Configuration Examples.
• For interconnection with other third-party servers, see the corresponding product manual.
Step 7 Verify the configuration.
• After dumb terminals associate with the WLAN, authentication is performed
automatically. After the terminals pass authentication, they can access the network.
• After dumb terminals associate with the WLAN, run the display access-user access-type
mac-authen command on the AC. The command output shows that user huawei
using the mac-authen authentication mode has successfully gone online.
[AC] display access-user access-type mac-authen
------------------------------------------------------------------------------
UserID Username     IP address      MAC            Status
------------------------------------------------------------------------------
460    huawei       10.23.101.254   8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
• Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name wlan-net
mac-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$
%^%#
radius-server authentication 10.23.103.1 1812 weight 80
radius-attribute set Service-Type 10 auth-type mac
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
mac-access-profile name wlan-net
#
return
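
The bindings made in Step 5 (VAP profile → authentication profile → MAC access profile, authentication scheme, and RADIUS server template) can be checked offline against a saved AC configuration file. The following Python script is an added example, not Huawei code: the function names and the abridged sample are constructed here, and the parser assumes the "name"-keyed layout shown in the configuration files above. It also accepts a dot1x access profile or a local authentication scheme in place of the MAC and RADIUS ones.

```python
import re
from collections import defaultdict

# Constructed sample: this example's AC configuration file, abridged; the key is a placeholder.
SAMPLE_AC_CONFIG = """\
#
authentication-profile name wlan-net
 mac-access-profile wlan-net
 authentication-scheme wlan-net
 radius-server wlan-net
#
radius-server template wlan-net
 radius-server shared-key cipher %^%#PLACEHOLDER%^%#
 radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
 authentication-scheme wlan-net
  authentication-mode radius
#
wlan
 vap-profile name wlan-net
  authentication-profile wlan-net
#
mac-access-profile name wlan-net
#
return
"""

NAMED = re.compile(r"^([a-z0-9-]+) name (\S+)$")   # "vap-profile name wlan-net"
RADIUS_TPL = re.compile(r"^radius-server template (\S+)$")
AAA_SCHEME = re.compile(r"^authentication-scheme (\S+)$")
ACCESS_KINDS = ("mac-access-profile", "dot1x-access-profile")


def parse_config(text):
    """Return {kind: {name: [sub-commands]}}. Indentation is ignored, so an
    indented device dump and a flattened copy parse identically."""
    objects = defaultdict(dict)
    body, in_aaa = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("#", "aaa", "return"):
            body, in_aaa = None, line == "aaa"
            continue
        named, tpl = NAMED.match(line), RADIUS_TPL.match(line)
        scheme = AAA_SCHEME.match(line) if in_aaa else None
        if named:
            body = objects[named.group(1)].setdefault(named.group(2), [])
        elif tpl:
            body = objects["radius-template"].setdefault(tpl.group(1), [])
        elif scheme:
            body = objects["authentication-scheme"].setdefault(scheme.group(1), [])
        elif body is not None:
            body.append(line)
    return objects


def ref(body, keyword):
    """Name given by the first '<keyword> <name>' sub-command, or None."""
    for line in body:
        parts = line.split()
        if parts[0] == keyword and len(parts) > 1:
            return parts[1]
    return None


def check_binding_chain(text):
    """Return findings; an empty list means every binding resolves."""
    cfg, out = parse_config(text), []
    for vap, vbody in cfg["vap-profile"].items():
        auth = ref(vbody, "authentication-profile")
        if auth not in cfg["authentication-profile"]:
            out.append(f"vap-profile {vap}: authentication-profile {auth} is not defined")
            continue
        abody = cfg["authentication-profile"][auth]
        bound = [(k, ref(abody, k)) for k in ACCESS_KINDS if ref(abody, k)]
        if not bound:
            out.append(f"authentication-profile {auth}: no access profile bound")
        for kind, name in bound:
            if name not in cfg[kind]:
                out.append(f"authentication-profile {auth}: {kind} {name} is not defined")
        scheme = ref(abody, "authentication-scheme")
        if scheme not in cfg["authentication-scheme"]:
            out.append(f"authentication-profile {auth}: authentication-scheme {scheme} is not defined")
            continue
        if ref(cfg["authentication-scheme"][scheme], "authentication-mode") != "radius":
            continue                     # local mode needs no RADIUS template
        tpl = ref(abody, "radius-server")
        tbody = cfg["radius-template"].get(tpl)
        if tbody is None:
            out.append(f"authentication-profile {auth}: radius-server template {tpl} is not defined")
            continue
        for needed in ("radius-server authentication", "radius-server shared-key"):
            if not any(s.startswith(needed + " ") for s in tbody):
                out.append(f"radius-server template {tpl}: missing '{needed}'")
    return out
```

Calling check_binding_chain() on the text of a saved configuration returns one line per unresolved binding, which makes it usable as a pre-change check before a profile is renamed or removed.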

4.6.6 Example for Configuring MAC Authentication for Local Users

Service Requirements
Dumb terminals (such as printers) in the physical access control department cannot have an
authentication client installed. To meet the enterprise's security requirements, configure MAC
address authentication on the AC and use the local authentication mode to authenticate
identities of dumb terminals.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: MAC authentication
• Security policy: open

Figure 4-34 Networking for configuring MAC authentication for local users

Data Planning

Table 4-37 AC data planning

Item                               Data
Management VLAN for APs            VLAN 100
Service VLAN for STAs              VLAN 101
DHCP server                        The AC functions as a DHCP server to assign IP addresses to APs.
                                   SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                   The default gateway address of STAs is 10.23.101.2.
IP address pool for APs            10.23.100.2-10.23.100.254/24
IP address pool for STAs           10.23.101.3-10.23.101.254/24
AC's source interface              VLANIF 100: 10.23.100.1/24
AP group                           • Name: ap-group1
                                   • Referenced profiles: VAP profile wlan-net and regulatory domain
                                     profile default
Regulatory domain profile          • Name: default
                                   • Country code: CN
SSID profile                       • Name: wlan-net
                                   • SSID name: wlan-net
Security profile                   • Name: wlan-net
                                   • Security policy: open
Local authentication parameters    • Name of the local authentication scheme: wlan-net
                                   • User name and password of the local user: 0011-2233-4455 and
                                     guest@123, respectively, which must be consistent with those in
                                     the MAC access profile
                                   • Access type of the local user: MAC
MAC access profile                 • Name: wlan-net
                                   • User name and password for MAC address authentication: A MAC
                                     address is used as the user name and the password is guest@123,
                                     which must be consistent with those in the local authentication
                                     parameters
Authentication profile             • Name: wlan-net
                                   • Referenced profiles: MAC access profile wlan-net and
                                     authentication scheme wlan-net
VAP profile                        • Name: wlan-net
                                   • Forwarding mode: tunnel forwarding
                                   • Service VLAN: VLAN 101
                                   • Referenced profiles: SSID profile wlan-net, security profile
                                     wlan-net, and authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
3. Configure MAC authentication for local users.
a. Configure AAA local authentication.
b. Configure a MAC access profile to manage MAC access control parameters.
c. Configure an authentication profile to manage MAC configuration.
4. Configure WLAN service parameters to control access from STAs.

NOTE

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type     State STA Uptime
--------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
--------------------------------------------------------------------------------
Total: 1

Step 5 Configure local authentication.


# Configure the local authentication scheme wlan-net.
[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode local
[AC-aaa-authen-wlan-net] quit

# Configure the user name, password, and service type of the local user. (When AAA local
authentication is used for MAC address authentication users, the service type of the local user
is not matched and checked.)
[AC-aaa] local-user 0011-2233-4455 password cipher guest@123
[AC-aaa] local-user 0011-2233-4455 service-type 8021x
[AC-aaa] quit

Step 6 Configure the MAC access profile wlan-net.


NOTE
When AAA local authentication and authorization are used, the user name and password for MAC address
authentication must be the same as those of the AAA local user. In this example, the user name of the local
user is the terminal's MAC address without hyphens (-) and the password is guest@123.
[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] mac-authen username macaddress format without-hyphen password cipher guest@123
[AC-mac-access-profile-wlan-net] quit

Step 7 Configure the authentication profile wlan-net.


[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] quit

Step 8 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile. By default, the
security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 9 Verify the configuration.


After dumb terminals associate with the WLAN, authentication is performed automatically.
Users can directly access the network after the authentication succeeds.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• SwitchB configuration file


#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return

• Router configuration file


#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
mac-access-profile wlan-net
authentication-scheme wlan-net
#
dhcp enable
#
aaa
authentication-scheme wlan-net
local-user 0011-2233-4455 password cipher %^%#UOqb<rt$CW%80lUOh;xKLN;s~^Icp!s7MZ.8(Y|5%^%#
local-user 0011-2233-4455 privilege level 0
local-user 0011-2233-4455 service-type 8021x
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
ap-group name ap-group1
regulatory-domain-profile default
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
mac-access-profile name wlan-net
mac-authen username macaddress format without-hyphen password cipher %^%#PW~_5m;sAFFI.cEB"%^@6@4$96ds_5+O'28+d3:A%^%#
#
return

4.6.7 Example for Configuring the RADIUS Server and AC to Deliver User Group Rights to Users

Service Requirements
Different user groups are created to assign network access rights to different users when they
access the WLAN through 802.1x authentication. Furthermore, users' services are not affected
during roaming in the coverage area.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC and SwitchB function as DHCP servers to assign IP
  addresses to APs and STAs, respectively.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1X+AES


Figure 4-35 Networking for configuring user authorization based on user groups
[Figure: STAs, AP, SwitchA, SwitchB, AC, Router, Internet, and RADIUS server (10.23.103.1:1812). Management VLAN: VLAN 100. Service VLAN: VLAN 101.]


Data Planning

Table 4-38 Data planning on the AC

Configuration Item                Data
Management VLAN                   VLAN 100
Service VLAN                      VLAN 101
AC's source interface             VLANIF 100: 10.23.100.1/24
DHCP server                       The AC functions as a DHCP server to assign IP addresses to APs, and
                                  SwitchB functions as a DHCP server to assign IP addresses to STAs.
IP address pool for APs           10.23.100.2-10.23.100.254/24
IP address pool for the STAs      10.23.101.2-10.23.101.254/24
RADIUS authentication parameters  • RADIUS server template name: wlan-net
                                  • IP address: 10.23.103.1
                                  • Authentication port number: 1812
                                  • Shared key: huawei@123
                                  • Authentication scheme: wlan-net
802.1x access profile             • Name: wlan-net
                                  • Authentication mode: EAP
Authentication profile            • Name: wlan-net
                                  • Bound profile and authentication scheme: 802.1x access profile
                                    wlan-net, RADIUS server template wlan-net, and RADIUS
                                    authentication scheme wlan-net
AP group                          • Name: ap-group1
                                  • Bound profile: VAP profile wlan-net and regulatory domain
                                    profile default
Regulatory domain profile         • Name: default
                                  • Country code: China
SSID profile                      • Name: wlan-net
                                  • SSID name: wlan-net
Security profile                  • Name: wlan-net
                                  • Security policy: WPA-WPA2+802.1X+AES
VAP profile                       • Name: wlan-net
                                  • Forwarding mode: direct forwarding
                                  • Service VLAN: VLAN 101
                                  • Bound profiles: SSID profile wlan-net, security profile
                                    wlan-net, and authentication profile wlan-net
User group                        • Name: group1
                                  • Bound ACL number: 3001
                                  • User group right: Only members in the user group can access
                                    network resources on 10.23.200.0/24.

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1x authentication and user authorization on the AC.
5. Configure third-party server interconnection parameters.
NOTE

The AC and server must have the same RADIUS shared key.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1


# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.


1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.
[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure an 802.1x access profile to manage 802.1x access control parameters.


# Create the 802.1x access profile wlan-net.
[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.


[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.


# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure a user group.


# Configure the user group group1 that can access the post-authentication domain. Enable
users in group1 to access network resources on the network segment 10.23.200.0/24.

NOTE

Configure the RADIUS server to authorize the user group group1 to authenticated employees.
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip destination 10.23.200.0 0.0.0.255
[AC-acl-adv-3001] rule 2 deny ip destination any
[AC-acl-adv-3001] quit
[AC] user-group group1
[AC-user-group-group1] acl-id 3001
[AC-user-group-group1] quit
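
The following added example (not part of the Huawei manual) evaluates ACL 3001 from Step 6 against sample destinations, to confirm that the rules bound to group1 permit only 10.23.200.0/24. The names parse_acl and evaluate are hypothetical, the destinations are taken from this example's addressing plan, and rules are assumed to be matched in ascending rule ID order.

```python
import ipaddress
import re

# Rule text as typed in Step 6 and as it appears in the saved AC configuration file.
CLI_LINES = [
    "[AC-acl-adv-3001] rule 1 permit ip destination 10.23.200.0 0.0.0.255",
    "[AC-acl-adv-3001] rule 2 deny ip destination any",
]
SAVED_LINES = [
    "rule 1 permit ip destination 10.23.200.0 0.0.0.255",
    "rule 2 deny ip",
]

RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip(?: destination (any|\S+ \S+))?$")


def parse_acl(lines):
    """Return [(rule_id, action, base, wildcard)] sorted by rule ID."""
    rules = []
    for line in lines:
        match = RULE_RE.search(line.strip())
        if not match:
            continue
        rule_id, action, dest = int(match.group(1)), match.group(2), match.group(3)
        if dest in (None, "any"):
            # No destination clause, or "any": every bit is a don't-care bit.
            base, wildcard = 0, 0xFFFFFFFF
        else:
            addr, mask = dest.split()
            base = int(ipaddress.IPv4Address(addr))
            wildcard = int(ipaddress.IPv4Address(mask))
        rules.append((rule_id, action, base, wildcard))
    return sorted(rules)


def evaluate(rules, destination):
    """Return (action, rule_id) of the first matching rule, or (None, None)."""
    dst = int(ipaddress.IPv4Address(destination))
    for rule_id, action, base, wildcard in rules:
        care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if dst & care == base & care:
            return action, rule_id
    return None, None


if __name__ == "__main__":
    acl = parse_acl(CLI_LINES)
    for dst in ("10.23.200.2", "10.23.103.1", "10.23.101.1", "10.23.201.2"):
        print(dst, evaluate(acl, dst))
```

The typed form `rule 2 deny ip destination any` and the saved form `rule 2 deny ip` parse to the same rule, so the check can be run against either the CLI transcript or the configuration file.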

Step 7 Configure third-party server interconnection parameters.


• For interconnection with the Cisco ISE, see "Example for Configuring User
  Authorization Based on User Groups" in the Typical Configuration Examples-WLAN and
  the Cisco ISE Server Interoperation Configuration Examples.
• For interconnection with the Aruba ClearPass, see "Example for Configuring User
  Authorization Based on User Groups" in the Typical Configuration Examples-WLAN and
  the Aruba ClearPass Server Interoperation Configuration Examples.
• For interconnection with other third-party servers, see the corresponding product manual.
Step 8 Verify the configuration.
• The WLAN with the SSID wlan-net is available for STAs after the configuration is
  complete.
• The STAs obtain IP addresses when they successfully associate with the WLAN.
• A user can use the 802.1x authentication client on an STA for authentication. After
  entering the correct user name and password, the user is successfully authenticated and
  can access resources on the network segment 10.23.200.0/24. You need to configure the
  802.1x authentication client based on the configured authentication mode PEAP.
  – Configuration on the Windows XP operating system:
    i. On the Association tab page of the Wireless network properties dialog box,
       add SSID wlan-net, set the authentication mode to WPA2, and encryption
       algorithm to AES.
    ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
       In the Protected EAP Properties dialog box, deselect Validate server
       certificate and click Configure. In the displayed dialog box, deselect
       Automatically use my Windows logon name and password and click OK.
  – Configuration on the Windows 7 operating system:
    i. Access the Manage wireless networks page, click Add, and select Manually
       create a network profile. Add SSID wlan-net. Set the authentication mode to
       WPA2-Enterprise, and encryption algorithm to AES. Click Next.
    ii. Click Change connection settings. On the Wireless Network Properties
       page that is displayed, select the Security tab page and click Settings. In the
       Protected EAP Properties dialog box, deselect Validate server certificate
       and click Configure. In the displayed dialog box, deselect Automatically use
       my Windows logon name and password and click OK.
    iii. Click OK. On the Wireless Network Properties page, click Advanced
       settings. On the Advanced settings page that is displayed, select Specify
       authentication mode, set the identity authentication mode to User
       authentication, and click OK.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

• SwitchB configuration file


#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return

• Router configuration file


#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
acl number 3001
rule 1 permit ip destination 10.23.200.0 0.0.0.255
rule 2 deny ip
#
user-group group1
acl-id 3001
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
dot1x-access-profile name wlan-net
#
return
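
The two AC configuration files above differ mainly in which profiles the VAP profile pulls in: the MAC address authentication example leaves the security profile at its default (open system), while this example sets WPA-WPA2 with 802.1X and RADIUS. The following added example (not Huawei code or tooling) audits a saved AC configuration for those bindings and for references to undefined profiles; the names parse_blocks, refs and audit are hypothetical, and the samples assume one space of indentation per configuration level.

```python
import re

# Constructed samples abridged from the two AC configuration files above; indentation restored (assumed).
SAMPLE_MAC = """\
authentication-profile name wlan-net
 mac-access-profile wlan-net
 authentication-scheme wlan-net
#
aaa
 authentication-scheme wlan-net
#
wlan
 security-profile name wlan-net
 vap-profile name wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
#
mac-access-profile name wlan-net
"""
SAMPLE_DOT1X = """\
authentication-profile name wlan-net
 dot1x-access-profile wlan-net
 authentication-scheme wlan-net
 radius-server wlan-net
#
radius-server template wlan-net
 radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
 authentication-scheme wlan-net
  authentication-mode radius
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 dot1x aes
 vap-profile name wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
#
dot1x-access-profile name wlan-net
"""

DEF_RE = re.compile(r"^(?:(\S+-profile) name|(radius-server) template) (\S+)$")
REF_KINDS = {"security-profile", "ssid-profile", "authentication-profile",
             "dot1x-access-profile", "mac-access-profile",
             "authentication-scheme", "radius-server"}

def parse_blocks(text):
    """Return {(kind, name): [child lines]} for each named profile, template or scheme."""
    blocks, stack = {}, []  # stack entries: (indent, block key or None, line)
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            stack = []
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        parent_key, parent_line = stack[-1][1:] if stack else (None, "")
        match, key = DEF_RE.match(line), None
        if match:
            key = (match.group(1) or match.group(2), match.group(3))
        elif parent_line == "aaa" and line.startswith("authentication-scheme "):
            key = ("authentication-scheme", line.split()[1])  # defined in the aaa view
        if key:
            blocks.setdefault(key, [])
        elif parent_key:
            blocks[parent_key].append(line)
        stack.append((indent, key, line))
    return blocks

def refs(blocks, key):
    """Map kind -> name for the two-word reference lines inside one block."""
    pairs = (line.split() for line in blocks.get(key, []))
    return {p[0]: p[1] for p in pairs if len(p) == 2 and p[0] in REF_KINDS}

def audit(text):
    """Return sorted findings: undefined references and weak VAP bindings."""
    blocks, findings = parse_blocks(text), []
    for key in blocks:
        for kind, name in refs(blocks, key).items():
            if (kind, name) not in blocks:
                findings.append(f"{key[0]} {key[1]}: {kind} {name} is not defined")
    for key in [k for k in blocks if k[0] == "vap-profile"]:
        bound = refs(blocks, key)
        sec = bound.get("security-profile")
        auth = refs(blocks, ("authentication-profile", bound.get("authentication-profile")))
        method = ("802.1X" if "dot1x-access-profile" in auth else
                  "MAC address" if "mac-access-profile" in auth else "no")
        policy = [l for l in blocks.get(("security-profile", sec), []) if l.startswith("security ")]
        if sec and not policy:
            findings.append(f"vap-profile {key[1]}: security-profile {sec} sets no policy "
                            f"(open system by default), {method} authentication")
        modes = blocks.get(("authentication-scheme", auth.get("authentication-scheme")), [])
        if "authentication-mode radius" in modes and "radius-server" not in auth:
            findings.append(f"vap-profile {key[1]}: RADIUS scheme without a server template")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE_MAC), audit(SAMPLE_DOT1X))
```

The 802.1X sample produces no findings; the MAC address authentication sample produces one finding for the open-system security profile.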

4.6.8 Example for Configuring WeChat Authentication Using a Built-in Portal Server

Networking Requirements
As shown in Figure 4-36, the AC of a shop directly connects to an AP. The shop deploys a
WLAN wlan-net to provide wireless network access for consumers. The AC functions as a
DHCP server to assign IP addresses on the network segment 10.23.101.0/24 to wireless users.

To improve its brand popularity and image, the shop allows consumers to connect to the open
Wi-Fi network using WeChat. Users can obtain access to the Internet by simply following the
WeChat public account of the shop, without the need to enter a user name or password.

Figure 4-36 Networking diagram for configuring WeChat authentication using a built-in Portal server
[Figure: STAs, AP area_1, AC with built-in Portal server (10.1.1.1/24), AC interfaces GE0/0/1 (VLAN 100) and GE0/0/2 (VLAN 101), intranet, WeChat server, and DNS server (10.23.200.2). Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with upstream and
downstream network devices, and the AP can go online.
2. Set the AAA authentication mode to none.
3. Configure a Portal access profile for the built-in Portal server to manage Portal access
control parameters.
4. Configure WeChat authentication for WeChat users.
5. Configure an authentication profile to manage NAC configuration.
6. Configure WLAN service parameters, and bind a security policy profile and the
authentication profile to a VAP profile to control access of STAs.


Data Plan
Item                                      Data
Portal access profile                     • Name: portal1
                                          • The built-in Portal server is used.
                                            – IP address of the built-in portal server: 10.1.1.1/24
                                            – HTTP port number: 1025
WeChat authentication profile             • WeChat public account ID: wxappid123
                                          • WeChat public account key: huawei@123
                                          • The AC automatically obtains shop information from the WeChat
                                            server. Parameter settings of the WeChat server are:
                                            – PKI domain: pki-wechat
                                            – Default domain name: api.weixin.qq.com
                                            – SSL policy name and type: ssl-wechat and client
                                            – Default port number: 443
DNS server                                IP address: 10.23.200.2
Authentication-free rule profile          • Name: default_free_rule
                                          • Authentication-free resource: IP address of the DNS server
                                            (10.23.200.2)
Authentication profile                    • Name: p1
                                          • Bound profile and authentication scheme: Portal access profile
                                            portal1 and authentication scheme wechat
DHCP server                               The AC functions as a DHCP server to assign IP addresses to the AP
                                          and STAs.
IP address pool for the AP                10.23.100.2 to 10.23.100.254/24
IP address pool for STAs                  10.23.101.2 to 10.23.101.254/24
IP address of the AC's source interface   VLANIF 100: 10.23.100.1/24
AP group                                  • Name: ap-group1
                                          • Bound profiles: VAP profile wlan-vap and regulatory domain
                                            profile domain1
Regulatory domain profile                 • Name: domain1
                                          • Country code: CN
SSID profile                              • Name: wlan-ssid
                                          • SSID name: wlan-net
Security profile                          • Name: wlan-security
                                          • Security policy: open system authentication
VAP profile                               • Name: wlan-vap
                                          • Forwarding mode: tunnel forwarding
                                          • Service VLAN: VLAN 101
                                          • Bound profiles: SSID profile wlan-ssid, security profile
                                            wlan-security, and authentication profile p1

Procedure
Step 1 Configure the AC to enable exchange of CAPWAP packets between the AP and AC.
# Add AC interface GE0/0/1 to VLAN 100 (management VLAN).

NOTE

In this example, tunnel forwarding is used to transmit service data. If direct forwarding is used,
configure port isolation on GE0/0/1 that connects the AC to the AP. If port isolation is not configured, a
large number of broadcast packets will be transmitted over the VLAN or WLAN users on different APs
will be able to directly communicate at Layer 2.
In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 2 Configure the AC to communicate with upper-layer network devices.


# Add GE0/0/2 that connects the AC to the upper-layer device to VLAN 101 (service VLAN).
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 3 Configure the AC as a DHCP server to assign IP addresses to the AP and STAs.
# Configure the AC as a DHCP server to allocate an IP address to the AP from the IP address
pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server dns-list 10.23.200.2
[AC-Vlanif101] quit

Step 4 Configure a route from the AC to the server area. This example assumes that the IP
address of the upper-layer device connected to the AC is 10.23.101.2.
[AC] ip route-static 10.23.200.0 255.255.255.0 10.23.101.2

Step 5 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Configure a
name for the AP based on its deployment location, so that you can tell where the AP
is deployed from its name. This example assumes that the AP's MAC address is
60de-4476-e360 and that the AP is deployed in area 1, so the AP is named area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type         State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 6 Configure an AAA scheme.


[AC] aaa
[AC-aaa] authentication-scheme wechat
[AC-aaa-authen-wechat] authentication-mode none
Warning: The configured authentication modes include none authentication, and so
security risks exist. Continue?[Y/N]y
[AC-aaa-authen-wechat] quit
[AC-aaa] quit

Step 7 Configure the Portal access profile portal1.

# Enable the built-in Portal server function.


[AC] interface loopback 1
[AC-LoopBack1] ip address 10.1.1.1 24
[AC-LoopBack1] quit
[AC] portal local-server ip 10.1.1.1
[AC] portal local-server http port 1025

# Create the Portal access profile portal1 and configure it to use the built-in Portal server and
WeChat authentication function.
[AC] portal-access-profile name portal1
[AC-portal-access-profile-portal1] portal local-server enable
[AC-portal-access-profile-portal1] portal local-server wechat
[AC-portal-access-profile-portal1] quit

Step 8 Configure WeChat authentication.

# Configure the WeChat account.


[AC] portal local-server wechat-authen
[AC-wechat-authen] public-account appid wxappid123 appsecret hauwei@123
[AC-wechat-authen] quit

# Enable dynamic domain name resolution.


[AC] dns resolve
[AC] dns server 10.23.200.2

# Disable certificate authentication for the SSL server.


[AC] pki realm pki-wechat
[AC-pki-realm-pki-wechat] quit
[AC] ssl policy ssl-wechat type client
[AC-ssl-policy-ssl-wechat] pki-realm pki-wechat
[AC-ssl-policy-ssl-wechat] undo server-verify enable
[AC-ssl-policy-ssl-wechat] quit

# Configure the AC to automatically obtain shop information from the WeChat server.
[AC] portal local-server wechat-authen
[AC-wechat-authen] wechat-server-ip ssl-policy ssl-wechat
[AC-wechat-authen] polling-time 4800
[AC-wechat-authen] quit

Step 9 Configure an authentication-free rule profile.


[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 10.23.200.2 mask 24
[AC-free-rule-default_free_rule] quit

Step 10 Configure the authentication profile p1.


[AC] authentication-profile name p1
[AC-authentication-profile-p1] portal-access-profile portal1
[AC-authentication-profile-p1] free-rule-template default_free_rule
[AC-authentication-profile-p1] authentication-scheme wechat
[AC-authentication-profile-p1] quit

Step 11 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile. By default,
the security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 12 Set channels and power for the AP radios.


NOTE

The channel and power configuration for the AP radios in this example is for reference only. In actual
scenarios, configure channels and power for AP radios based on country codes of APs and network planning
results.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Set a channel and power for radio 0 of the AP.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Set a channel and power for radio 1 of the AP.

[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 13 Verify the configuration.


- After the configuration is complete, STAs can discover the wireless network with the
  SSID wlan-net.
- STAs are assigned IP addresses after they associate with the wireless network.
- When a user opens WeChat, the Portal authentication page is displayed automatically on
  the STA. After the user is authenticated, the user can connect to the Internet.

----End

Configuration Files
AC configuration file
#
sysname AC
#
portal local-server ip 10.1.1.1
portal local-server http port 1025
#
vlan batch 100 to 101
#
authentication-profile name p1
 portal-access-profile portal1
 free-rule-template default_free_rule
 authentication-scheme wechat
#
dns resolve
dns server 10.23.200.2
#
dhcp enable
#
pki realm pki-wechat
#
ssl policy ssl-wechat type client
 pki-realm pki-wechat
 undo server-verify enable
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0
#
portal-access-profile name portal1
 portal local-server enable
 portal local-server wechat
#
aaa
 authentication-scheme wechat
  authentication-mode none
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 10.23.200.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface LoopBack1
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 regulatory-domain-profile name domain1
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 ap-mac 60de-4476-e360
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
portal local-server wechat-authen
 public-account appid wxappid123 appsecret %^%#/]:uVmjLj%zfx+%f5$*-6uV>6e8W`
$ZT"iEq)zNY%^%#
 polling-time 4800
 wechat-server-ip ssl-policy ssl-wechat
#
return
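
The saved configuration can be reviewed mechanically before rollout. The following Python check is an added example, not part of the Huawei document or product: it reports the settings that this example relaxes (authentication-mode none, undo server-verify enable, a security profile left at the default open system policy, the built-in Portal server on HTTP) and checks the tunnel-forwarding rule that the service VLAN must differ from the management VLAN. The function names, the finding labels, and the constructed configuration excerpt are assumptions made for this illustration.

```python
import re

# Constructed sample: an excerpt of the AC configuration file shown above.
SAMPLE_CONFIG = """\
#
portal local-server http port 1025
#
ssl policy ssl-wechat type client
 undo server-verify enable
#
aaa
 authentication-scheme wechat
  authentication-mode none
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  security-profile wlan-security
#
return
"""


def sections(text):
    """Yield top-level sections (lists of stripped lines) delimited by '#' lines."""
    block = []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            if block:
                yield block
            block = []
        elif line:
            block.append(line)
    if block:
        yield block


def parse_wlan(lines):
    """Return ({security profile: policy or None}, {VAP profile: settings})."""
    sec, vap = {}, {}
    kind = name = None
    for line in lines[1:]:
        # "<kind> name <x>" opens a profile or AP group; "ap-id ..." opens an AP view.
        header = re.match(r"(\S+) name (\S+)$", line)
        if header or line.startswith("ap-id "):
            kind, name = header.groups() if header else (None, None)
            if kind == "security-profile":
                sec[name] = None  # no "security ..." line seen yet: open system
            elif kind == "vap-profile":
                vap[name] = {}
        elif kind == "security-profile" and line.startswith("security "):
            sec[name] = line.split(" ", 1)[1]
        elif kind == "vap-profile":
            key, _, value = line.partition(" ")
            vap[name][key] = value
    return sec, vap


def audit(text):
    """Return (finding, object) pairs for settings that need a reviewer's sign-off."""
    findings, mgmt_vlan, sec, vap = [], None, {}, {}
    for block in sections(text):
        head = block[0]
        for line in block:
            capwap = re.match(r"capwap source interface vlanif\s*(\d+)$", line, re.I)
            if capwap:
                mgmt_vlan = int(capwap.group(1))
            if re.match(r"portal local-server http port \d+$", line):
                findings.append(("portal-over-http", line.split()[-1]))
        if head.startswith("ssl policy ") and "undo server-verify enable" in block:
            findings.append(("server-cert-not-verified", head.split()[2]))
        elif head == "aaa":
            scheme = None
            for line in block[1:]:
                if line.startswith("authentication-scheme "):
                    scheme = line.split()[1]
                elif line == "authentication-mode none":
                    findings.append(("authentication-none", scheme))
        elif head == "wlan":
            sec, vap = parse_wlan(block)
    # VAP checks run last so that the CAPWAP source VLAN is known regardless of order.
    for name, cfg in vap.items():
        profile = cfg.get("security-profile")
        if profile in sec and sec[profile] is None:
            findings.append(("open-system-ssid", name))
        vlan = re.match(r"vlan-id (\d+)$", cfg.get("service-vlan", ""))
        if cfg.get("forward-mode") == "tunnel" and vlan and int(vlan.group(1)) == mgmt_vlan:
            findings.append(("service-vlan-equals-management-vlan", name))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```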

4.6.9 Example for Configuring Different Authentication Modes for Multiple SSIDs
Service Requirements
Enterprise users can access the Internet through the WLAN to meet basic mobile office
requirements. When roaming occurs in the coverage area, user services will not be
interrupted.

Administrators want to deploy different SSIDs for WLAN access of guests and employees,
and different authentication modes for them to ensure WLAN security.

Networking Requirements
- AC networking mode: Layer 2 bypass mode
- DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
- Service data forwarding mode: tunnel forwarding

Figure 4-37 Networking diagram for configuring different authentication modes for multiple
SSIDs

Data Planning

Table 4-39 AC data planning


Item                              Data

Management VLAN for APs           VLAN 100

Service VLAN for STAs             - Employees: VLAN 101
                                  - Guests: VLAN 102

DHCP server                       The AC functions as a DHCP server to assign IP addresses to APs.
                                  SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                  The default gateways for STAs are 10.23.101.2 and 10.23.102.2.

IP address pool for APs           10.23.100.2-10.23.100.254/24

IP address pool for STAs          10.23.101.3-10.23.101.254/24
                                  10.23.102.3-10.23.102.254/24

IP address of the AC's            VLANIF 100: 10.23.100.1/24
source interface

RADIUS authentication             - RADIUS server template name: wlan-net
parameters                        - IP address: 10.23.102.1
                                  - Authentication port number: 1812
                                  - Shared key: Huawei123
                                  - Authentication scheme: wlan-net
                                  - Accounting scheme: wlan-net

Portal server template            - Name: wlan-net
                                  - IP address: 10.23.103.1
                                  - Port number: 50200
                                  - Shared key: Huawei123
                                  - Referenced template: URL template wlan-net

Portal access profile             - Name: wlan-net
                                  - Referenced template: Portal server template wlan-net

MAC access profile                Name: wlan-net

Authentication-free rule profile  - Name: default_free_rule
                                  - Authentication-free resource: DNS server with IP address 8.8.8.8

802.1x access profile             - Name: wlan-net
                                  - Authentication mode: EAP

Authentication profile            - Name: employee
                                  - Referenced profiles and authentication schemes: 802.1x access
                                    profile wlan-net, RADIUS server template wlan-net, and
                                    authentication scheme wlan-net

                                  - Name: guest
                                  - Referenced profiles and authentication schemes: Portal access
                                    profile wlan-net, MAC access profile wlan-net, RADIUS server
                                    template wlan-net, authentication scheme wlan-net, accounting
                                    scheme wlan-net, and authentication-free rule template
                                    default_free_rule

AP group                          - Name: ap-group1
                                  - Referenced profiles: VAP profiles employee and guest, and
                                    regulatory domain profile default

Regulatory domain profile         - Name: default
                                  - Country code: China

SSID profile                      - Name: employee
                                  - SSID name: employee

                                  - Name: guest
                                  - SSID name: guest

Security profile                  - Name: employee
                                  - Security policy: WPA-WPA2+802.1x+AES

                                  - Name: guest
                                  - Security policy: open

VAP profile                       - Name: employee
                                  - Forwarding mode: tunnel forwarding
                                  - Service VLAN: VLAN 101
                                  - Referenced profiles: SSID profile employee, security profile
                                    employee, and authentication profile employee

                                  - Name: guest
                                  - Forwarding mode: tunnel forwarding
                                  - Service VLAN: VLAN 102
                                  - Referenced profiles: SSID profile guest, security profile guest,
                                    and authentication profile guest

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure APs to go online.
3. Configure 802.1x authentication and MAC address-prioritized Portal authentication.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
- Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB to VLAN 100, and GE0/0/2 and GE0/0/3 to VLAN
101 and VLAN 102, respectively.

<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on the router to VLAN 101 and VLAN 102. Create interfaces VLANIF 101
and VLANIF 102, and set the IP addresses of VLANIF 101 and VLANIF 102 to
10.23.101.2/24 and 10.23.102.2/24, respectively.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100, VLAN 101, and VLAN 102.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to provide IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 address pools to assign IP addresses
to employees and guests, respectively. Set the default gateway address for employees and
guests to 10.23.101.2 and 10.23.102.2, respectively. Specify the DNS server address 8.8.8.8
for VLANIF 101 and VLANIF 102 address pools.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif102] quit

Step 4 Configure the AC's default routes with VLANIF 101 and VLANIF 102 on the router as the
next hops.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.102.2

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 6 Configure a RADIUS server template, a RADIUS authentication scheme and a RADIUS
accounting scheme.
NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.

# Configure a RADIUS server template.


[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.102.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher Huawei123
[AC-radius-wlan-net] quit

# Create an authentication scheme and configure the RADIUS authentication mode.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit

# Create an accounting scheme and configure the RADIUS accounting mode.


[AC-aaa] accounting-scheme wlan-net
[AC-aaa-accounting-wlan-net] accounting-mode radius
[AC-aaa-accounting-wlan-net] accounting realtime 15
[AC-aaa-accounting-wlan-net] quit
[AC-aaa] quit

NOTE

- In this example, the device is connected to the Agile Controller-Campus. The accounting function is
  not used for actual accounting; it is used to maintain terminal online information through
  accounting packets.
- The accounting realtime command sets the real-time accounting interval. A shorter real-time accounting
  interval requires higher performance of the device and RADIUS server. Set the real-time accounting
  interval based on the user quantity.

User Quantity    Real-Time Accounting Interval
1-99             3 minutes
100-499          6 minutes
500-999          12 minutes
≥ 1000           ≥ 15 minutes

Step 7 Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the request to the Portal server.

You are advised to configure the URL using a domain name to ensure secure and fast page
pushing. Before configuring the URL using a domain name, you must first configure the
mapping between the domain name and IP address of the Portal server on the DNS server.

NOTE
Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC] url-template name wlan-net
[AC-url-template-wlan-net] url http://portal.com:8080/portal
[AC-url-template-wlan-net] url-parameter ssid ssid redirect-url url
[AC-url-template-wlan-net] quit

Step 8 Configure a Portal server template.


NOTE

Ensure that the Portal server IP address, URL address, port number, and shared key are configured
correctly and are the same as those on the Portal server.
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] shared-key cipher Huawei123
[AC-web-auth-server-wlan-net] port 50200
[AC-web-auth-server-wlan-net] url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher Huawei123
[AC-web-auth-server-wlan-net] quit

Step 9 Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit

Step 10 Configure a MAC access profile for MAC address-prioritized Portal authentication.
[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit

Step 11 Configure an authentication-free rule profile.


[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 8.8.8.8 mask 32
[AC-free-rule-default_free_rule] quit

Step 12 Configure an 802.1x access profile to manage 802.1x access control parameters.

# Create 802.1x access profile wlan-net.


[AC] dot1x-access-profile name wlan-net

# Set the authentication mode to EAP relay.


[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

Step 13 Configure authentication profiles employee and guest.


[AC] authentication-profile name employee
[AC-authentication-profile-employee] dot1x-access-profile wlan-net
[AC-authentication-profile-employee] authentication-scheme wlan-net
[AC-authentication-profile-employee] radius-server wlan-net
[AC-authentication-profile-employee] quit
[AC] authentication-profile name guest
[AC-authentication-profile-guest] portal-access-profile wlan-net
[AC-authentication-profile-guest] mac-access-profile wlan-net
[AC-authentication-profile-guest] free-rule-template default_free_rule
[AC-authentication-profile-guest] authentication-scheme wlan-net
[AC-authentication-profile-guest] accounting-scheme wlan-net
[AC-authentication-profile-guest] radius-server wlan-net
[AC-authentication-profile-guest] quit

Step 14 Configure WLAN service parameters.

# Create security profiles employee and guest, and set the security policies to
WPA-WPA2+802.1X+AES and open, respectively.
[AC] wlan
[AC-wlan-view] security-profile name employee
[AC-wlan-sec-prof-employee] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-employee] quit
[AC-wlan-view] security-profile name guest
[AC-wlan-sec-prof-guest] quit

# Create SSID profiles employee and guest, and set the SSID names to employee and guest,
respectively.
[AC-wlan-view] ssid-profile name employee
[AC-wlan-ssid-prof-employee] ssid employee
[AC-wlan-ssid-prof-employee] quit
[AC-wlan-view] ssid-profile name guest
[AC-wlan-ssid-prof-guest] ssid guest
[AC-wlan-ssid-prof-guest] quit

# Create VAP profiles employee and guest, set the data forwarding mode and service
VLANs, and bind the security, SSID, and authentication profiles to the VAP profiles.
[AC-wlan-view] vap-profile name employee
[AC-wlan-vap-prof-employee] forward-mode tunnel
[AC-wlan-vap-prof-employee] service-vlan vlan-id 101
[AC-wlan-vap-prof-employee] security-profile employee
[AC-wlan-vap-prof-employee] ssid-profile employee
[AC-wlan-vap-prof-employee] authentication-profile employee
[AC-wlan-vap-prof-employee] quit
[AC-wlan-view] vap-profile name guest
[AC-wlan-vap-prof-guest] forward-mode tunnel
[AC-wlan-vap-prof-guest] service-vlan vlan-id 102
[AC-wlan-vap-prof-guest] security-profile guest
[AC-wlan-vap-prof-guest] ssid-profile guest
[AC-wlan-vap-prof-guest] authentication-profile guest
[AC-wlan-vap-prof-guest] quit

# Bind the VAP profiles to the AP groups, and apply configurations of VAP profiles employee
and guest to radio 0 and radio 1 of the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile employee wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile employee wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] vap-profile guest wlan 2 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile guest wlan 2 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 15 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 16 Verify the configuration.


• An employee can use a STA to find the WLAN with SSID employee. After being
  associated with the WLAN, the STA is assigned an IP address. After the employee uses
  an 802.1x client on the STA for authentication and enters the correct user name and
  password, the STA is authenticated and can access the WLAN. The configuration
  method on the 802.1x client is as follows:
  – Configuration on the Windows XP operating system:
    i. On the Association tab page of the Wireless network properties dialog box,
       add SSID employee, set the authentication mode to WPA2, and encryption
       algorithm to AES.
    ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
        In the Protected EAP Properties dialog box, deselect Validate server
        certificate and click Configure. In the displayed dialog box, deselect
        Automatically use my Windows logon name and password and click OK.
  – Configuration on the Windows 7 operating system:
    i. Access the Manage wireless networks page, click Add, and select Manually
       create a network profile. Add SSID employee. Set the authentication mode
       to WPA2-Enterprise, and encryption algorithm to AES. Click Next.
    ii. Click Change connection settings. On the Wireless Network Properties
        page that is displayed, select the Security tab page and click Settings. In the
        Protected EAP Properties dialog box, deselect Validate server certificate
        and click Configure. In the displayed dialog box, deselect Automatically use
        my Windows logon name and password and click OK.
    iii. On the Wireless Network Properties page, click Advanced settings. On the
         Advanced settings page that is displayed, select Specify authentication
         mode, set the identity authentication mode to User authentication, and click
         OK.
• A guest can use a STA to find the WLAN with SSID guest. After being associated with
  the WLAN, the STA is assigned an IP address. When the STA accesses the Internet
  through a browser, the authentication page provided by the Portal server is automatically
  displayed. After the correct user name and password are entered on the page, the STA is
  authenticated and can access the WLAN. Assume that the MAC address configured on
  the Portal server is valid for 60 minutes. When the STA is disconnected from the WLAN
  for 5 minutes, the STA can access the Internet directly when reconnecting to the WLAN.
  When the STA is disconnected from the WLAN for 65 minutes, it will be redirected to
  the Portal authentication page when reconnecting to the WLAN.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
dhcp server dns-list 8.8.8.8
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.102.2
dhcp server dns-list 8.8.8.8
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name employee
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
authentication-profile name guest
mac-access-profile wlan-net
portal-access-profile wlan-net
free-rule-template default_free_rule
authentication-scheme wlan-net
accounting-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.102.1 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 8.8.8.8 mask 255.255.255.255
#
url-template name wlan-net
url http://portal.com:8080/portal
url-parameter ssid ssid redirect-url url
#
web-auth-server wlan-net
server-ip 10.23.103.1
port 50200
shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
url-template wlan-net ciphered-parameter-name cpname iv-parameter-name iv-value key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
#
portal-access-profile name wlan-net
web-auth-server wlan-net direct
#
aaa
authentication-scheme wlan-net
authentication-mode radius
accounting-scheme wlan-net
accounting-mode radius
accounting realtime 15
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
ip route-static 0.0.0.0 0.0.0.0 10.23.102.2
#
capwap source interface vlanif100
#
wlan
security-profile name guest
security-profile name employee
security wpa-wpa2 dot1x aes
ssid-profile name guest
ssid guest
ssid-profile name employee
ssid employee
vap-profile name guest
forward-mode tunnel
service-vlan vlan-id 102
ssid-profile guest
security-profile guest
authentication-profile guest
vap-profile name employee
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile employee
security-profile employee
authentication-profile employee
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile employee wlan 1
vap-profile guest wlan 2
radio 1
vap-profile employee wlan 1
vap-profile guest wlan 2
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
dot1x-access-profile name wlan-net
#
mac-access-profile name wlan-net
#
return
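
The AC configuration file above spreads each SSID's protection across four profile types, so the effective posture is easy to misread. The following Python example is added here and is not Huawei code: it resolves every VAP profile to its SSID, security policy and access methods, and flags open SSIDs and tunnel-mode VAPs whose service VLAN equals the management VLAN (the rule this document gives in its configuration notes). The function names are hypothetical; it assumes that a security profile without a `security` line is open, and it takes the management VLAN from the CAPWAP source VLANIF.

```python
import re

# Lines taken from the AC configuration file above, trimmed to what the check reads.
# The page's copy has lost its indentation, so the parser keys on keywords only.
AC_CONFIG = """\
#
authentication-profile name employee
dot1x-access-profile wlan-net
authentication-profile name guest
mac-access-profile wlan-net
portal-access-profile wlan-net
#
capwap source interface vlanif100
#
wlan
security-profile name guest
security-profile name employee
security wpa-wpa2 dot1x aes
ssid-profile name guest
ssid guest
ssid-profile name employee
ssid employee
vap-profile name guest
forward-mode tunnel
service-vlan vlan-id 102
ssid-profile guest
security-profile guest
authentication-profile guest
vap-profile name employee
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile employee
security-profile employee
authentication-profile employee
ap-group name ap-group1
vap-profile employee wlan 1
"""

KINDS = ("authentication-profile", "security-profile", "ssid-profile", "vap-profile")


def parse(text):
    """Return ({kind: {name: settings}}, management VLAN or None)."""
    profiles = {kind: {} for kind in KINDS}
    mgmt_vlan, cur = None, None          # cur: the profile currently being defined
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "#":
            cur = None
        elif len(w) == 3 and w[1] == "name":     # "<kind> name <x>" opens a definition
            cur = profiles[w[0]].setdefault(w[2], {"kind": w[0]}) if w[0] in KINDS else None
        elif m := re.fullmatch(r"capwap source interface vlanif\s*(\d+)", " ".join(w), re.I):
            mgmt_vlan = int(m.group(1))          # assumption: CAPWAP source VLANIF = management VLAN
        elif cur is None:
            continue
        elif cur["kind"] == "security-profile" and w[0] == "security":
            cur["policy"] = " ".join(w[1:])
        elif cur["kind"] == "ssid-profile" and w[0] == "ssid":
            cur["ssid"] = " ".join(w[1:])
        elif cur["kind"] == "authentication-profile" and w[0].endswith("-access-profile"):
            cur.setdefault("methods", []).append(w[0].split("-")[0])
        elif cur["kind"] == "vap-profile" and len(w) >= 2:
            if w[0] == "forward-mode":
                cur["mode"] = w[1]
            elif w[:2] == ["service-vlan", "vlan-id"] and len(w) == 3:
                cur["vlan"] = int(w[2])
            elif w[0] in KINDS and len(w) == 2:  # reference to another profile
                cur[w[0]] = w[1]
    return profiles, mgmt_vlan


def inventory(text):
    """One row per VAP profile: what is broadcast, how it is protected, and findings."""
    profiles, mgmt_vlan = parse(text)
    rows = []
    for name, vap in profiles["vap-profile"].items():
        sec = profiles["security-profile"].get(vap.get("security-profile"), {})
        auth = profiles["authentication-profile"].get(vap.get("authentication-profile"), {})
        ssid = profiles["ssid-profile"].get(vap.get("ssid-profile"), {})
        row = {
            "vap": name, "ssid": ssid.get("ssid"),
            # Assumption: no "security" line means open system authentication.
            "policy": sec.get("policy", "open"),
            "methods": auth.get("methods", []),
            "mode": vap.get("mode"), "vlan": vap.get("vlan"), "findings": [],
        }
        if row["policy"] == "open":
            row["findings"].append("open SSID: access control rests on "
                                   + ("/".join(row["methods"]) or "nothing"))
        if row["mode"] == "tunnel" and row["vlan"] is not None and row["vlan"] == mgmt_vlan:
            row["findings"].append("tunnel forwarding uses the management VLAN as service VLAN")
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in inventory(AC_CONFIG):
        print(row)
```
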

4.7 Reliability Configuration Examples


4.7.1 Example for Configuring Wireless Configuration Synchronization in VRRP HSB Scenarios

Service Requirements
To ensure that services are running normally, an enterprise wants to improve network
reliability while reducing the configuration maintenance workload. Wireless configuration
synchronization can be deployed in VRRP HSB to meet this requirement. In this solution, the
master and backup ACs are often deployed in the same location, and the service switchover is
fast and has higher reliability than dual-link HSB.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding
• Switch cluster: A cluster is set up using a CSS card, containing SwitchB and SwitchC at
  the core layer. SwitchB is the active switch and SwitchC is the standby switch.

Figure 4-38 Networking for configuring wireless configuration synchronization in VRRP HSB scenarios (direct forwarding)

Data Planning

Table 4-40 AC data planning


Item | Data
AC1's source interface | Virtual IP address: 10.23.100.3/24
AC2's source interface | Virtual IP address: 10.23.100.3/24
Virtual IP address of the management VRRP group | 10.23.100.3/24
Virtual IP address of the service VRRP group | 10.23.101.3/24
VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net
AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: China
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs.
APs' gateway | VLANIF 100: 10.23.100.3/24
IP address pool for APs | 10.23.100.4 to 10.23.100.254/24
STAs' gateway | VLANIF 101: 10.23.101.3/24
IP address pool for STAs | 10.23.101.4 to 10.23.101.254/24
IP addresses and port numbers for the active and standby channels of AC1 | IP address of VLANIF 102: 10.23.102.1/24; Port number: 10241
IP addresses and port numbers for the active and standby channels of AC2 | IP address of VLANIF 102: 10.23.102.2/24; Port number: 10241

Configuration Roadmap
1. Configure a cluster between SwitchB and SwitchC through cluster cards to improve the
core layer reliability and configure SwitchB as the master switch.
2. Set up connections between the AP, ACs, and other network devices.
3. Configure a VRRP group on AC1 and AC2 and configure a high priority for AC1 as the
active device to forward traffic, and a low priority for AC2 as the standby device.
4. Configure basic WLAN services to ensure that users can access the Internet through
WLAN.
5. Configure the hot standby (HSB) function so that service information on AC1 is backed
up to AC2 in batches in real time, ensuring seamless service switchover from the active
device to the standby device.
6. Configure the wireless configuration synchronization function in VRRP HSB scenarios.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
• Check whether loops occur on the wired network. If loops occur, configure MSTP on
  corresponding NEs.

Procedure
Step 1 Establish a cluster through cluster cards.
# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection
for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100

# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection
for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10

# Check the CSS configuration on SwitchB.

[SwitchB] display css status saved


Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 1 Off CSS card 100 Off

# Check the CSS configuration on SwitchC.


[SwitchC] display css status saved
Current Id Saved Id CSS Enable CSS Mode Priority Master force
------------------------------------------------------------------------------
1 2 Off CSS card 10 Off

# Enable the CSS function on SwitchB and restart SwitchB.


[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchC and restart SwitchC.


[SwitchC] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Log in to the CSS through the console port on any MPU to check whether the CSS is
established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
3 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
4 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
<SwitchB> display css status
CSS Enable switch On

Chassis Id CSS Enable CSS Status CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 On Master CSS card 100 Off
2 On Standby CSS card 10 Off

The command output shows card status and CSS status of both member switches, indicating
that the CSS is established successfully.

# Check whether the cluster links are normal.


<SwitchB> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/1/0/1 10G 10G 2/1/0/1
2 1/1/0/2 10G 10G 2/1/0/2
3 1/1/0/3 10G 10G 2/1/0/3
4 1/1/0/4 10G 10G 2/1/0/4
5 1/1/0/5 10G 10G 2/1/0/5
6 1/1/0/6 10G 10G 2/1/0/6
7 1/1/0/7 10G 10G 2/1/0/7
8 1/1/0/8 10G 10G 2/1/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3
20 1/13/0/4 10G 10G 2/13/0/4
21 1/13/0/5 10G 10G 2/13/0/5
22 1/13/0/6 10G 10G 2/13/0/6
23 1/13/0/7 10G 10G 2/13/0/7
24 1/13/0/8 10G 10G 2/13/0/8
25 1/14/0/1 10G 10G 2/14/0/1
26 1/14/0/2 10G 10G 2/14/0/2
27 1/14/0/3 10G 10G 2/14/0/3
28 1/14/0/4 10G 10G 2/14/0/4
29 1/14/0/5 10G 10G 2/14/0/5
30 1/14/0/6 10G 10G 2/14/0/6
31 1/14/0/7 10G 10G 2/14/0/7
32 1/14/0/8 10G 10G 2/14/0/8
--------------------------------------------------------------------------------

The command output shows that all the cluster links are in Up state, indicating that the CSS
has been established successfully.

Step 2 Configure SwitchA, SwitchB, SwitchC, AC1, and AC2 so that CAPWAP packets can be
transmitted between the AP and ACs.
NOTE

If direct forwarding is used, configure port isolation on GE0/0/1 of SwitchA (connecting to the AP).
If port isolation is not configured, many broadcast packets will be transmitted in the VLANs or WLAN
users on different APs can directly communicate at Layer 2.

# Set the PVID of GE0/0/1 on SwitchA connected to the AP to management VLAN 100 and
add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 on SwitchA connected to
SwitchB to VLAN 100 and VLAN 101 and GE0/0/3 on SwitchA connected to SwitchC to
VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/1/0/2 that connects SwitchB to SwitchA to VLAN 100 and VLAN 101 (service
VLAN), and add GE1/1/0/1 that connects SwitchB to AC1 to VLAN 100 and VLAN 101.
Add GE2/1/0/2 that connects SwitchC to SwitchA to VLAN 100 and VLAN 101 (service
VLAN), and add GE2/1/0/1 that connects SwitchC to AC1 to VLAN 100 and VLAN 101.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] port link-type trunk
[CSS-GigabitEthernet1/1/0/2] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/2] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] port link-type trunk
[CSS-GigabitEthernet2/1/0/2] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/2] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/2] quit

# Add GE0/0/1 that connects AC1 to SwitchB to VLAN 100 and VLAN 101, and configure
VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.1 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] ip address 10.23.101.1 24
[AC1-Vlanif101] quit

# Add GE0/0/1 that connects AC2 to SwitchC to VLAN 100 and VLAN 101, and configure
VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.2 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 101
[AC2-Vlanif101] ip address 10.23.101.2 24
[AC2-Vlanif101] quit

Step 3 Configure AC1 to communicate with AC2.


# Add GE0/0/2 on AC1 (connecting to AC2) to VLAN 102.
[AC1] vlan batch 102
[AC1] interface gigabitethernet 0/0/2
[AC1-GigabitEthernet0/0/2] port link-type trunk
[AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC1-GigabitEthernet0/0/2] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit

# Add GE0/0/2 on AC2 (connecting to AC1) to VLAN 102.


[AC2] vlan batch 102
[AC2] interface gigabitethernet 0/0/2
[AC2-GigabitEthernet0/0/2] port link-type trunk
[AC2-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC2-GigabitEthernet0/0/2] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit

Step 4 Configure a DHCP server.


# Configure AC1 as the DHCP server to assign IP addresses to the AP and STA.
[AC1] dhcp enable
[AC1] dhcp server database enable
[AC1] dhcp server database recover
[AC1] interface vlanif 100
[AC1-Vlanif100] dhcp select interface
[AC1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] dhcp select interface
[AC1-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC1-Vlanif101] quit

The configuration for AC2 is similar to that for AC1 and is not mentioned here.
Step 5 Configure VRRP on AC1 to implement AC hot standby.
# Set the recovery delay of the VRRP group to 60 seconds.

[AC1] vrrp recover-delay 60

# Create a management VRRP group on AC1, set AC1's VRRP priority to 120, and set the
preemption delay to 1800s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit

# Create a service VRRP group on AC1 and set the preemption delay to 1800s.
[AC1] interface vlanif 101
[AC1-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC1-Vlanif101] vrrp vrid 2 preempt-mode timer delay 1800
[AC1-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC1-Vlanif101] quit

# Create HSB service 0 on AC1, configure the IP addresses and port numbers for the active
and standby channels, and set the retransmission times and interval of HSB packets.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit

# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management VRRP
group.
[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.


[AC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.


[AC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.


[AC1] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.


[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit

Step 6 Configure VRRP on AC2 to implement AC hot standby.


# Set the recovery delay of the VRRP group to 60 seconds.
[AC2] vrrp recover-delay 60

# Create a management VRRP group on AC2.


[AC2] interface vlanif 100
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC2-Vlanif100] admin-vrrp vrid 1
[AC2-Vlanif100] quit

# Create a service VRRP group on AC2.

[AC2] interface vlanif 101
[AC2-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC2-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC2-Vlanif101] quit

# Create HSB service 0 on AC2, configure the IP addresses and port numbers for the active
and standby channels, and set the retransmission times and interval of HSB packets.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit

# Create HSB group 0 on AC2, and bind it to HSB service 0 and the management VRRP
group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.


[AC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.


[AC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.


[AC2] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.


[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit

Step 7 Configure WLAN services on AC1.


1. Configure system parameters for AC1.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source ip-address 10.23.100.3

2. Import an AP offline on AC1.


[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit

[AC1-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

3. Configure WLAN service parameters on AC1.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

Step 8 Configure private WLAN services on AC2.


# Configure the source address of AC2.
[AC2] capwap source ip-address 10.23.100.3

Step 9 Configure the wireless configuration synchronization function in VRRP HSB scenarios.
# Configure the wireless configuration synchronization function on AC1.
[AC1] wlan
[AC1-wlan-view] master controller
[AC1-master-controller] master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address 10.23.102.1 psk H@123456
[AC1-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
[AC1-master-controller] quit
[AC1-wlan-view] quit

# Configure the wireless configuration synchronization function on AC2.
[AC2] wlan
[AC2-wlan-view] master controller
[AC2-master-controller] master-redundancy peer-ip ip-address 10.23.102.1 local-ip ip-address 10.23.102.2 psk H@123456
[AC2-master-controller] master-redundancy track-vrrp vrid 1 interface vlanif 100
[AC2-master-controller] quit
[AC2-wlan-view] quit

Step 10 Trigger wireless configuration synchronization manually.


# Run the display sync-configuration status command to check the wireless configuration
synchronization status. The command output displays cfg-mismatch. Wireless configuration
synchronization must be manually triggered from the master AC to the backup master AC.
Wait until the backup master AC completes automatic restart.
[AC1] display sync-configuration status
Controller role:Master/Backup/Local
------------------------------------------------------------------------------------
Controller IP   Role    Device Type   Version       Status
------------------------------------------------------------------------------------
10.23.102.2     Backup  AC6605        V200R007C20   cfg-mismatch(config check fail)
------------------------------------------------------------------------------------
Total: 1
[AC1] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to continue? [Y/N]:y

Step 11 Verify the configuration.


1. Verify VRRP.
# After the configurations are complete, run the display vrrp command on AC1 and
AC2. In the command output, the State field of AC1 is Master and that of AC2 is
Backup.
[AC1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1800 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2016-11-17 16:58:22
Last change time : 2016-11-17 16:58:25

Vlanif101 | Virtual Router 2
State : Master
Virtual IP : 10.23.101.3
Master IP : 10.23.101.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 1800 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : member-vrrp
Backup-forward : disabled
Create time : 2016-11-17 16:58:35
Last change time : 2016-11-17 16:58:38
[AC2] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2016-11-17 02:31:42 UTC-07:00
Last change time : 2016-11-17 02:32:21 UTC-07:00

Vlanif101 | Virtual Router 2
State : Backup
Virtual IP : 10.23.101.3
Master IP : 0.0.0.0
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : member-vrrp
Backup-forward : disabled
Create time : 2016-11-17 02:31:42 UTC-07:00
Last change time : 2016-11-17 02:32:21 UTC-07:00

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service
status. In the command output, the Service State field is Connected, indicating that the
HSB channel has been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 3
Keep Alive Interval : 6
Service State : Connected
Service Batch Modules :
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 3
Keep Alive Interval : 6
Service State : Connected
Service Batch Modules :
----------------------------------------------------------

# Run the display hsb-group 0 command on AC1 and AC2 to check the HSB group
status.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C20
Group Backup Modules : Access-user
AP
DHCP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C20
Group Backup Modules : Access-user
AP
DHCP
---------------------------------------------------------

2. Verify wireless configuration synchronization.


# Run the display sync-configuration status command on the master AC and backup
master AC to view the wireless configuration synchronization status. If the status is up,
the wireless configuration synchronization function is properly working.
[AC1] display sync-configuration status
Controller role:Master/Backup/Local
-------------------------------------------------------------------------
Controller IP Role Device Type Version Status
-------------------------------------------------------------------------
10.23.102.2 Backup AC6605 V200R007C20 up
-------------------------------------------------------------------------
Total: 1
[AC2] display sync-configuration status
Controller role:Master/Backup/Local
-------------------------------------------------------------------------
Controller IP Role Device Type Version Status
-------------------------------------------------------------------------
10.23.102.1 Master AC6605 V200R007C20 up
-------------------------------------------------------------------------
Total: 1

3. The WLAN with SSID wlan-net is available to STAs within the coverage of the AP, and these
STAs can connect to the WLAN.
When the links between SwitchA and SwitchB and between AC1 and SwitchB are
disconnected, AC2 becomes the active AC. This ensures service transmission stability.

----End


Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
interface GigabitEthernet1/1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet1/1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
return

• SwitchC configuration file
#
sysname SwitchC
#
vlan batch 100 to 101
#
interface GigabitEthernet1/1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet1/1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
return

• AC1 configuration file
#
sysname AC1
#
vrrp recover-delay 60
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable
dhcp server database recover
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.100.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1800
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
vrrp vrid 2 virtual-ip 10.23.101.3
vrrp vrid 2 preempt-mode timer delay 1800
vrrp vrid 2 track admin-vrrp interface Vlanif100 vrid 1 unflowdown
dhcp select interface
dhcp server excluded-ip-address 10.23.101.2
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
#
hsb-service 0
service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif100
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#l{2<+jk#}MLoI!=wMR^@U")pIh<wUY3&FbIb(>"P%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 46 ap-mac 60de-4476-e360 ap-sn 21500826402SF6902787
ap-name area_1
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif100
master-redundancy peer-ip ip-address 10.23.102.2 local-ip ip-address 10.23.102.1 psk %^%#`P0}*pN+2P=Qf%V={&JQX(NhE"MP,/rC"F6%vqZF%^%#
#
return
• AC2 configuration file
#
sysname AC2
#
vrrp recover-delay 60
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable
dhcp server database recover
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.100.3
admin-vrrp vrid 1
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.23.101.3
vrrp vrid 2 track admin-vrrp interface Vlanif100 vrid 1 unflowdown
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
#
hsb-service 0
service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
hsb-group 0
track vrrp vrid 1 interface Vlanif100
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#l{2<+jk#}MLoI!=wMR^@U")pIh<wUY3&FbIb(>"P%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 46 ap-mac 60de-4476-e360 ap-sn 21500826402SF6902787
ap-name area_1
ap-group ap-group1
master controller
master-redundancy track-vrrp vrid 1 interface Vlanif100
master-redundancy peer-ip ip-address 10.23.102.1 local-ip ip-address 10.23.102.2 psk %^%#7KXNDf(-X/No\4)i&z|./NQ@)WDlUT'`K33Mef47%^%#
#
return
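
The AC1 and AC2 configuration files above have to mirror each other on the HSB channel and on the master-redundancy peering, and agree on the VRRP virtual IP addresses, keep-alive timers, CAPWAP source address and backed-up service types. The following Python check is an added example, not part of the Huawei document; the function names and the trimmed sample configurations (constructed from the files above, with the PSK cipher text replaced by a placeholder) are assumptions. The PSK cipher strings are deliberately not compared, because the files above store the same PSK as a different cipher string on each AC.

```python
import re

# One pattern per HA command. \s+ also spans the line breaks that long
# commands pick up when a saved configuration is wrapped in a document.
HSB = re.compile(r"service-ip-port\s+local-ip\s+(\S+)\s+peer-ip\s+(\S+)\s+"
                 r"local-data-port\s+(\d+)\s+peer-data-port\s+(\d+)")
MR = re.compile(r"master-redundancy\s+peer-ip\s+ip-address\s+(\S+)\s+"
                r"local-ip\s+ip-address\s+(\S+)")
MUST_MATCH = {  # settings that have to be identical on both ACs
    "keep-alive": r"service-keep-alive\s+detect\s+retransmit\s+(\d+)\s+interval\s+(\d+)",
    "hsb-group track": r"^\s*track\s+vrrp\s+vrid\s+(\d+)\s+interface\s+(\S+)",
    "virtual-ip": r"vrrp\s+vrid\s+(\d+)\s+virtual-ip\s+(\S+)",
    "hsb-service-type": r"hsb-service-type\s+(\S+)\s+hsb-group\s+(\d+)",
    "master-redundancy track": r"master-redundancy\s+track-vrrp\s+vrid\s+(\d+)\s+interface\s+(\S+)",
    "capwap source": r"capwap\s+source\s+ip-address\s+(\S+)",
}


def parse_ha(cfg):
    """Return the HA-relevant settings of one AC configuration as a dict."""
    hsb, mr = HSB.search(cfg), MR.search(cfg)
    out = {"hsb": hsb.groups() if hsb else None,   # (local, peer, lport, pport)
           "mr": mr.groups() if mr else None}      # (peer, local)
    for name, pattern in MUST_MATCH.items():
        out[name] = sorted(set(re.findall(pattern, cfg, re.MULTILINE)))
    return out


def compare(a, b):
    """List every HA setting on which the parsed configs a and b disagree."""
    findings = []
    if not a["hsb"] or not b["hsb"]:
        findings.append("hsb-service: service-ip-port missing on one AC")
    else:
        (a_loc, a_peer, a_lp, a_pp), (b_loc, b_peer, b_lp, b_pp) = a["hsb"], b["hsb"]
        if (a_loc, a_peer) != (b_peer, b_loc):
            findings.append(f"hsb-service: addresses not mirrored "
                            f"({a_loc}->{a_peer} vs {b_loc}->{b_peer})")
        if (a_lp, a_pp) != (b_pp, b_lp):
            findings.append(f"hsb-service: ports not mirrored ({a_lp}/{a_pp} vs {b_lp}/{b_pp})")
    if not a["mr"] or not b["mr"]:
        findings.append("master-redundancy: peer-ip missing on one AC")
    else:
        (a_peer, a_loc), (b_peer, b_loc) = a["mr"], b["mr"]
        if (a_loc, a_peer) != (b_peer, b_loc):
            findings.append(f"master-redundancy: addresses not mirrored "
                            f"({a_loc}->{a_peer} vs {b_loc}->{b_peer})")
    for name in MUST_MATCH:
        if a[name] != b[name]:
            findings.append(f"{name}: {a[name]} vs {b[name]}")
    return findings


# Constructed sample: HA-related excerpt of the AC configuration files above.
TEMPLATE = """\
#
interface Vlanif100
 ip address {addr} 255.255.255.0
 vrrp vrid 1 virtual-ip 10.23.100.3
 admin-vrrp vrid 1
#
interface Vlanif101
 vrrp vrid 2 virtual-ip 10.23.101.3
#
capwap source ip-address 10.23.100.3
#
hsb-service 0
 service-ip-port local-ip {local} peer-ip {peer} local-data-port
 10241 peer-data-port 10241
 service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
 track vrrp vrid 1 interface Vlanif100
 bind-service 0
 hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
 master controller
  master-redundancy track-vrrp vrid 1 interface Vlanif100
  master-redundancy peer-ip ip-address {peer} local-ip ip-address
 {local} psk <cipher-text>
#
return
"""
AC1_CFG = TEMPLATE.format(addr="10.23.100.1", local="10.23.102.1", peer="10.23.102.2")
AC2_CFG = TEMPLATE.format(addr="10.23.100.2", local="10.23.102.2", peer="10.23.102.1")

if __name__ == "__main__":
    for finding in compare(parse_ha(AC1_CFG), parse_ha(AC2_CFG)) or ["HA settings mirror each other"]:
        print(finding)
```

Run it against the two saved configurations before triggering synchronize-configuration; an empty finding list means the HSB and master-redundancy settings agree.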

4.7.2 Example for Configuring Wireless Configuration Synchronization in Dual-Link HSB Scenarios

Service Requirements
To ensure that services are running normally, an enterprise wants to improve network
reliability while reducing the configuration maintenance workload. Wireless configuration
synchronization can be deployed in dual-link HSB to meet this requirement. This solution
frees active and standby ACs from location restrictions and allows both ACs to be flexibly
deployed.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The router functions as a DHCP server to assign IP addresses
to APs and STAs.
• Service data forwarding mode: tunnel forwarding


Figure 4-39 Networking diagram for configuring dual-link HSB

Data Planning

Table 4-41 AC Data planning

Item | Data
Management VLAN for APs | VLAN 100
Service VLAN for STAs | VLAN 101
AC's backup VLAN | VLAN 102
DHCP server | The Router functions as the DHCP server for the APs and STAs. STAs' gateway: 10.23.101.1/24. APs' gateway: 10.23.100.1/24
IP address pool for APs | 10.23.100.4-10.23.100.254/24
IP address pool for STAs | 10.23.101.2-10.23.101.254/24
AC's source interface | VLANIF 100
AC1's management IP address | VLANIF 100: 10.23.100.2/24
AC2's management IP address | VLANIF 100: 10.23.100.3/24
Active AC | AC1
Standby AC | AC2
Master AC | AC1
Local AC | AC2
AP group | Name: ap-group1; Referenced profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: China
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567
VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net
AP system profile | Name: wlan-net; Primary AC's IP address: 10.23.100.2; Backup AC's IP address: 10.23.100.3


Configuration Roadmap
1. Configure network interworking of the AC1, AC2, and other network devices. Configure
the Router as a DHCP server to assign IP addresses to APs and STAs.
2. Configure basic WLAN services on AC1 and only private WLAN service parameters on
AC2.
3. Configure AC1 as the active AC and AC2 as the standby AC. Configure dual-link HSB
on the active AC first and then on the standby AC. When dual-link HSB is enabled, all
APs are restarted.
4. Configure wireless configuration synchronization in the dual-link HSB scenarios.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
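
A check for two of the notes above (port isolation on AP-facing switch ports when direct forwarding is used, and distinct management and service VLANs in tunnel forwarding), as an added Python example that is not part of the Huawei document. The sample configurations are constructed from this example's data plan; the function names, the use of the AP-facing port's PVID as the management VLAN, and the treatment of a VAP profile without a forward-mode line as direct forwarding are assumptions.

```python
import re

OPENER = re.compile(r"^\s*(interface \S+|\S+ name \S+)\s*$")


def stanzas(cfg, start):
    """Yield (header, body_lines) for each block whose first line starts with `start`.
    A block ends at '#', 'return' or the next 'interface X' / '<type> name X' line,
    so the parser does not depend on indentation surviving a copy and paste."""
    header, body = None, []
    for line in cfg.splitlines() + ["#"]:
        text = line.strip()
        if text in ("#", "return") or OPENER.match(line):
            if header is not None:
                yield header, body
            header, body = (text if text.startswith(start) else None), []
        elif header is not None:
            body.append(text)


def check_notes(switch_cfg, ac_cfg, ap_ports):
    """Check a switch and an AC configuration against the two notes.
    ap_ports: names of the switch interfaces that connect directly to APs."""
    findings, mgmt_vlans, isolated = [], set(), {}
    for header, body in stanzas(switch_cfg, "interface "):
        port = header.split()[1]
        if port in ap_ports:
            isolated[port] = any(l.startswith("port-isolate enable") for l in body)
            # Assumption: the PVID of an AP-facing port is the management VLAN.
            mgmt_vlans.update(l.split()[-1] for l in body
                              if l.startswith("port trunk pvid vlan"))
    for header, body in stanzas(ac_cfg, "vap-profile name "):
        name = header.split()[-1]
        # Assumption: a profile without a forward-mode line forwards directly.
        tunnel = "forward-mode tunnel" in body
        svc = next((l.split()[-1] for l in body
                    if l.startswith("service-vlan vlan-id")), None)
        if tunnel and svc in mgmt_vlans:
            findings.append(f"vap-profile {name}: tunnel forwarding, but service "
                            f"VLAN {svc} is also the management VLAN")
        if not tunnel:
            findings += [f"{port}: vap-profile {name} uses direct forwarding, "
                         f"but port isolation is not enabled"
                         for port, ok in sorted(isolated.items()) if not ok]
    return findings


# Constructed samples based on this example's data plan.
SWITCH_A = """\
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
"""
AC_WLAN = """\
#
wlan
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
#
return
"""
AP_PORTS = {"GigabitEthernet0/0/1"}

if __name__ == "__main__":
    for finding in check_notes(SWITCH_A, AC_WLAN, AP_PORTS) or ["no findings"]:
        print(finding)
```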

Procedure
Step 1 Configure SwitchA, SwitchB, AC1, and AC2 to ensure that the APs and ACs can exchange
CAPWAP packets.
NOTE
In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on
GE0/0/1 that connects SwitchA to the AP. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer 2.

# Set the PVID on GE0/0/1 of SwitchA to management VLAN 100 and add the interface to
VLAN 100. Add GE0/0/2 of SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 (connecting to SwitchA) of SwitchB, GE0/0/2 (connecting to AC1) of
SwitchB, and GE0/0/3 (connecting to AC2) of SwitchB to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE0/0/1 (connecting to SwitchB) of AC1 to VLAN 100.


<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 (connecting to SwitchB) of AC2 to VLAN 100.


<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1] quit

Step 2 Configure the communication between AC1, AC2, and Router.

# Add GE0/0/1 of AC1 to service VLAN 101 and backup VLAN 102.
[AC1] vlan batch 101 102
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.2 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 101 102
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 of AC2 to VLAN 101 and VLAN 102.
[AC2] vlan batch 101 102
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.3 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 101 102
[AC2-GigabitEthernet0/0/1] quit

# Add GE0/0/2 and GE0/0/3 of SwitchB to both VLAN 101 and VLAN 102 and add GE0/0/4
of SwitchB connecting to Router to both VLAN 100 and VLAN 101.
[SwitchB] vlan batch 101 102
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/4] quit

Step 3 Configure Router to assign IP addresses to STAs and APs.


<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.23.100.1 24
[Router-Vlanif100] dhcp select global
[Router-Vlanif100] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.1 24
[Router-Vlanif101] dhcp select global
[Router-Vlanif101] quit
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Router-GigabitEthernet0/0/1] quit

Step 4 Configure basic WLAN services on AC1.


1. Configure system parameters for AC1.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source interface vlanif 100
[AC1] wlan

2. Configure AC1 to manage APs.


[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

3. Configure WLAN service parameters on AC1.


# Create security profile wlan-net and set the security policy in the profile.
NOTE
In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In
actual deployments, configure the security policy according to service requirements.
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit

Step 5 Configure private WLAN service parameters on AC2.


# Configure the source interface of AC2.
[AC2] capwap source interface vlanif 100
[AC2] wlan

Step 6 Configure dual-link backup for AC1 and AC2.


# On AC1, configure the IP address of the primary AC as the source IP address of AC1, and
the IP address of the backup AC as the source IP address of AC2.


NOTE

By default, dual-link backup is disabled, and running the ac protect enable command restarts all APs. After
the APs are restarted, the dual-link backup function takes effect.
If dual-link backup is enabled, running the ac protect enable command does not restart APs. You need to run
the ap-reset command on the active AC to restart all APs and make the dual-link backup function take effect.
[AC1-wlan-view] ap-system-profile name wlan-net
[AC1-wlan-ap-system-prof-wlan-net] primary-access ip-address 10.23.100.2
[AC1-wlan-ap-system-prof-wlan-net] backup-access ip-address 10.23.100.3
[AC1-wlan-ap-system-prof-wlan-net] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] ap-system-profile wlan-net
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] undo ac protect restore disable
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

# On AC2, configure the IP address of the primary AC as the source IP address of AC1, and
the IP address of the backup AC as the source IP address of AC2.
[AC2-wlan-view] ap-system-profile name wlan-net
[AC2-wlan-ap-system-prof-wlan-net] primary-access ip-address 10.23.100.2
[AC2-wlan-ap-system-prof-wlan-net] backup-access ip-address 10.23.100.3
[AC2-wlan-ap-system-prof-wlan-net] quit
[AC2-wlan-view] ap-group name ap-group1
[AC2-wlan-ap-group-ap-group1] ap-system-profile wlan-net
[AC2-wlan-ap-group-ap-group1] quit
[AC2-wlan-view] undo ac protect restore disable
[AC2-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

# Restart the AP on AC1 and deliver the dual-link backup configuration to the AP.
[AC1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
[AC1-wlan-view] quit

Step 7 Configure the hot standby function.


# Create HSB service 0 on AC1 and configure the IP addresses and port numbers for the
active and standby channels.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] quit

# Bind the WLAN and NAC services to AC1.


[AC1] hsb-service-type ap hsb-service 0
[AC1] hsb-service-type access-user hsb-service 0

# Create HSB service 0 on AC2 and configure the IP addresses and port numbers for the
active and standby channels.
[AC2-wlan-view] quit
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] quit

# Bind the WLAN and NAC services to AC2.


[AC2] hsb-service-type ap hsb-service 0
[AC2] hsb-service-type access-user hsb-service 0

Step 8 Configure the master AC and local AC.


# Configure AC1 as the master AC and specify the IP address of a local AC.
[AC1] wlan
[AC1-wlan-view] master controller
[AC1-master-controller] local-controller ip-address 10.23.100.3 psk H@123456
[AC1-master-controller] quit

# Configure AC2 as a local AC and specify the IP address of the master AC.
[AC2] wlan
[AC2-wlan-view] master-controller ip-address 10.23.100.2 psk H@123456

Step 9 Trigger wireless configuration synchronization manually.


# Run the display sync-configuration status command to check the wireless configuration
synchronization status. The command output displays cfg-mismatch. Wireless configuration
synchronization must be manually triggered from the master AC to the local AC. Wait until
the local AC completes automatic restart.
[AC1-wlan-view] display sync-configuration status
Controller role:Master/Backup/Local
------------------------------------------------------------------------------------
Controller IP   Role    Device Type   Version       Status
------------------------------------------------------------------------------------
10.23.100.3     Local   AC6605        V200R007C20   cfg-mismatch(config check fail)
------------------------------------------------------------------------------------
Total: 1
[AC1-wlan-view] synchronize-configuration
Warning: This operation may reset the remote AC, synchronize configurations to it, and save all its configurations. Whether to continue? [Y/N]:y

Step 10 Verify the configuration.


# Run the display sync-configuration status command on the master AC and local AC to
view the wireless configuration synchronization status. If the status is up, the wireless
configuration synchronization function is properly working.
[AC1-wlan-view] display sync-configuration status
Controller role:Master/Backup/Local
-------------------------------------------------------------------------
Controller IP Role Device Type Version Status
-------------------------------------------------------------------------
10.23.100.3 Local AC6605 V200R007C20 up
-------------------------------------------------------------------------
Total: 1
[AC2-wlan-view] display sync-configuration status
Controller role:Master/Backup/Local
-------------------------------------------------------------------------
Controller IP Role Device Type Version Status
-------------------------------------------------------------------------
10.23.100.2 Master AC6605 V200R007C20 up
-------------------------------------------------------------------------
Total: 1

# When public configurations are modified on the master AC, the public configurations are
automatically synchronized to the local AC. When the AP detects a fault on the link
connected to AC1, it instructs AC2 to take the active role. This ensures service stability.

----End

Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
- SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
- Router configuration file
#
sysname Router
#
vlan batch 100 to 101
#
dhcp enable
#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool ap
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select global
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

- AC1 configuration file
#
sysname AC1
#
vlan batch 100 to 102
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
hsb-service 0
service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
ac protect enable
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#DmLbQP`BNIa6M}<rK3J>%m9$2xA+y-fNA<TAP&}F%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-system-profile name wlan-net
primary-access ip-address 10.23.100.2
backup-access ip-address 10.23.100.3
ap-group name ap-group1
ap-system-profile wlan-net
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
master controller
local-controller ip-address 10.23.100.3 psk %^%#/q6ITBsonPkeDGXiV;!'^htAMm[n"(Z{^ES|5[^.%^%#
#
return

- AC2 configuration file
#
sysname AC2
#
vlan batch 100 to 102
#
interface Vlanif100
ip address 10.23.100.3 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
hsb-service 0
service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
ac protect enable
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#DmLbQP`BNIa6M}<rK3J>%m9$2xA+y-fNA<TAP&}F%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-system-profile name wlan-net
primary-access ip-address 10.23.100.2
backup-access ip-address 10.23.100.3
master-controller ip-address 10.23.100.2 psk %^%#mh|sYMl/}'U|"W/rBd\9HICmNy{,BIi0c^F:z;V#%^%#
ap-group name ap-group1
ap-system-profile wlan-net
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

4.7.3 Example for Configuring Dual-link Cold Backup (Global Configuration Mode)

Service Requirements
An enterprise uses two APs to deploy WLAN area A to provide WLAN services. The
enterprise requires that dual-link backup be configured to improve data transmission
reliability.

Networking Requirements
- AC networking mode: Layer 2 bypass mode
- DHCP deployment mode: The switch functions as a DHCP server to assign IP addresses
  to APs and STAs.
- Service data forwarding mode: direct forwarding

Figure 4-40 Networking for configuring dual-link cold backup

Data Planning

Table 4-42 AC data planning

Item                           Data
-----------------------------  ------------------------------------------------
Management VLAN for APs        VLAN 100
Service VLAN for STAs          VLAN 101
DHCP server                    The switch functions as a DHCP server to assign
                               IP addresses to APs and STAs.
                               STAs' gateway: 10.23.101.1/24
                               APs' gateway: 10.23.100.1/24
IP address pool for APs        10.23.100.4-10.23.100.254/24
IP address pool for STAs       10.23.101.2-10.23.101.254/24
AC's source interface          VLANIF 100
AC1's management IP address    VLANIF 100: 10.23.100.2/24
AC2's management IP address    VLANIF 100: 10.23.100.3/24
Active AC                      AC1
                               Local priority: 0
Standby AC                     AC2
                               Local priority: 1
AP group                       - Name: ap-group1
                               - Referenced profiles: VAP profile wlan-net and
                                 regulatory domain profile default
Regulatory domain profile      - Name: default
                               - Country code: China
SSID profile                   - Name: wlan-net
                               - SSID name: wlan-net
Security profile               - Name: wlan-net
                               - Security policy: WPA-WPA2+PSK+AES
                               - Password: a1234567
VAP profile                    - Name: wlan-net
                               - Forwarding mode: direct forwarding
                               - Service VLAN: VLAN 101
                               - Referenced profiles: SSID profile wlan-net and
                                 security profile wlan-net

Configuration Roadmap
1. Configure network interworking of AC1, AC2, and other network devices. Configure the
switch as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2. Ensure
that service configurations on AC1 and AC2 are the same.
4. Configure dual-link backup on the active AC first and then on the standby AC. When
dual-link backup is enabled, all APs are restarted. After dual-link backup configurations
are complete, the standby AC replaces the active AC to manage APs if the CAPWAP
tunnel between the active AC and APs is disconnected.

Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  - In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  - In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
- Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
- Dual-link backup cannot back up DHCP information. When the AC functions as the
  DHCP server to assign IP addresses to APs and STAs, APs and STAs need to re-obtain
  IP addresses if the active AC is faulty. It is recommended that the switch function as the
  DHCP server. If the AC must be used as the DHCP server, configure address pools
  containing different IP addresses on the active and standby ACs to prevent IP address
  conflicts.

Procedure
Step 1 Configure the switch and ACs to enable the ACs to communicate with the APs.
# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the switch. Set
the link type of GE0/0/1 and GE0/0/4 that connect the switch to the APs to trunk and PVID of
the interfaces to 100, and configure the interfaces to allow packets of VLAN 100 and VLAN
101 to pass through. Set the link type of GE0/0/2 and GE0/0/3 on the switch to trunk, and
configure the interfaces to allow packets of VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] port-isolate enable
[Switch-GigabitEthernet0/0/4] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects AC1 to the switch to VLAN 100.


<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 that connects AC2 to the switch to VLAN 100.

<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1] quit

Step 2 Configure the DHCP function on the switch to assign IP addresses to APs and STAs.

# Configure VLANIF 100 to use the interface address pool to assign IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
[Switch-Vlanif100] quit

# Configure VLANIF 101 to use the interface address pool to assign IP addresses to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 3 Configure basic WLAN services on AC1.


1. Configure the APs to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

# Configure the AC's source interface.


[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.2 255.255.255.0
[AC1-Vlanif100] quit
[AC1] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to the AP group ap-group1.
Assume that the APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640.
Configure names for the APs based on the APs' deployment locations, so that you can
know where the APs are deployed from their names. For example, if the AP with MAC
address 60de-4476-e360 is deployed in area 1, name the AP area_1; if the AP with MAC
address 60de-4474-9640 is deployed in area 2, name the AP area_2.

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it
will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC1-wlan-ap-1] ap-name area_2
[AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it
will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime
-------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.253  AP5030DN  nor    0    10S
1   60de-4474-9640  area_2  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 2

2. Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group, and apply the profile to radio 0 and radio
1 of the APs.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit

Step 4 Configure basic WLAN services on AC2.

# Configure basic parameters for AC2 according to the configurations of AC1. The
configuration of AC2 is similar to that of AC1 except for the source interface address.

# Configure the source interface of AC2.


[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.3 255.255.255.0
[AC2-Vlanif100] quit
[AC2] capwap source interface vlanif 100
[AC2] wlan

Step 5 Configure dual-link backup on AC1 and AC2.

# Configure the AC1 priority and AC2 IP address on AC1. Enable dual-link backup and
revertive switchover globally, and restart all APs to make the dual-link backup function take
effect.
NOTE

By default, dual-link backup is disabled, and running the ac protect enable command restarts all APs. After
the APs are restarted, the dual-link backup function takes effect.
If dual-link backup is already enabled, running the ac protect enable command does not restart APs. You need to run
the ap-reset command on the active AC to restart all APs and make the dual-link backup function take effect.
[AC1-wlan-view] ac protect protect-ac 10.23.100.3 priority 0
[AC1-wlan-view] undo ac protect restore disable
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

# Configure the AC2 priority and AC1 IP address on AC2.


[AC2-wlan-view] ac protect protect-ac 10.23.100.2 priority 1
[AC2-wlan-view] undo ac protect restore disable
[AC2-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

Step 6 Verify the configuration.

Run the display ac protect command on the active and standby ACs to check the dual-link
information and priority on the two ACs.
[AC1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.3
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
[AC2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.2
Priority : 1
Protect restore : enable
...
------------------------------------------------------------

# When the link between the AP and AC1 is faulty, AC2 takes the active role. This ensures
service stability.

----End

Configuration Files
- Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
return

- AC1 configuration file
#
sysname AC1
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
ac protect enable protect-ac 10.23.100.3
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
#
return

- AC2 configuration file
#
sysname AC2
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.23.100.3 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
ac protect enable protect-ac 10.23.100.2 priority 1
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
#
return
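
The roadmap requires that service configurations on AC1 and AC2 be the same, and Step 5 requires each AC to name the other as its protect AC with a different priority; both can be checked offline from the two saved configuration files, together with the Configuration Notes rule that tunnel forwarding needs distinct management and service VLANs. The Python below is an added example, not part of the Huawei document: the names parse_ac and audit_pair are hypothetical, the sample text is constructed (abridged from the configuration files above, with a placeholder instead of the cipher text), and a VAP profile without a forward-mode line is assumed to use direct forwarding, as in the files above.

```python
import difflib
import re

# Constructed sample, abridged from the AC1/AC2 configuration files of this
# example; the cipher text is a placeholder, not a value taken from the page.
TEMPLATE = """\
#
sysname {name}
#
interface Vlanif100
ip address {ip} 255.255.255.0
#
capwap source interface vlanif100
#
wlan
{protect}
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#PLACEHOLDER%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id {svc_vlan}
ssid-profile wlan-net
security-profile wlan-net
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-group ap-group1
#
return
"""
AC1 = TEMPLATE.format(name="AC1", ip="10.23.100.2", svc_vlan=101,
                      protect="ac protect enable protect-ac 10.23.100.3")
AC2 = TEMPLATE.format(name="AC2", ip="10.23.100.3", svc_vlan=101,
                      protect="ac protect enable protect-ac 10.23.100.2 priority 1")
CIPHER = re.compile(r"%\^%#.*?%\^%#")  # masked: compares structure, not the PSK


def parse_ac(cfg):
    """Extract the settings that dual-link backup depends on from one AC file."""
    ac = {"name": None, "mgmt_vlan": None, "ips": {}, "enabled": False,
          "protect_ac": None, "priority": 0, "vaps": {}, "wlan": []}
    stanza = vap = None
    for ln in filter(None, (raw.strip() for raw in cfg.splitlines())):
        if ln in ("#", "return"):          # "#" closes the current stanza
            stanza = vap = None
            continue
        stanza = stanza or ln.lower()
        vlanif = re.fullmatch(r"interface vlanif(\d+)", stanza)
        if m := re.fullmatch(r"sysname (\S+)", ln):
            ac["name"] = m[1]
        elif m := re.fullmatch(r"capwap source interface vlanif\s*(\d+)", ln, re.I):
            ac["mgmt_vlan"] = int(m[1])
        elif vlanif and (m := re.match(r"ip address (\S+)", ln)):
            ac["ips"][int(vlanif[1])] = m[1]
        elif stanza == "wlan" and ln.startswith("ac protect"):
            ac["enabled"] |= "enable" in ln.split()
            if m := re.search(r"protect-ac (\S+)", ln):
                ac["protect_ac"] = m[1]
            if m := re.search(r"priority (\d+)", ln):
                ac["priority"] = int(m[1])
        elif stanza == "wlan" and ln != "wlan":
            ac["wlan"].append(CIPHER.sub("<cipher>", ln))
            if re.fullmatch(r"\S+ name \S+", ln) or ln.startswith("ap-id "):
                vap = None                 # a new profile, group or AP begins
                if ln.startswith("vap-profile name "):
                    vap = ac["vaps"][ln.split()[2]] = {"tunnel": False, "vlan": None}
            elif vap is not None and ln == "forward-mode tunnel":
                vap["tunnel"] = True       # assumption: no such line means direct
            elif vap is not None and (m := re.fullmatch(r"service-vlan vlan-id (\d+)", ln)):
                vap["vlan"] = int(m[1])
    ac["mgmt_ip"] = ac["ips"].get(ac["mgmt_vlan"])
    return ac


def audit_pair(cfg_a, cfg_b):
    """Return findings for an active/standby pair; an empty list means consistent."""
    a, b = parse_ac(cfg_a), parse_ac(cfg_b)
    out = []
    for me, peer in ((a, b), (b, a)):
        if not me["enabled"]:
            out.append(f"{me['name']}: ac protect is not enabled")
        if me["protect_ac"] != peer["mgmt_ip"]:
            out.append(f"{me['name']}: protect-ac {me['protect_ac']} is not "
                       f"{peer['name']}'s CAPWAP source address {peer['mgmt_ip']}")
        for name, vap in me["vaps"].items():
            if vap["tunnel"] and vap["vlan"] == me["mgmt_vlan"]:
                out.append(f"{me['name']}: VAP profile {name} tunnels VLAN "
                           f"{vap['vlan']}, which is also the management VLAN")
    if a["priority"] == b["priority"]:
        out.append(f"both ACs use priority {a['priority']}")
    delta = [d for d in difflib.unified_diff(a["wlan"], b["wlan"], lineterm="", n=0)
             if d[0] in "+-" and d[:3] not in ("+++", "---")]
    if delta:
        out.append("WLAN service configuration differs: " + ", ".join(delta))
    return out


if __name__ == "__main__":
    print(audit_pair(AC1, AC2) or "AC1 and AC2 are consistent")
```

Because the cipher text is masked before comparison, a PSK that differs between the two ACs is not reported; compare the pass-phrase separately when it is set.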

4.7.4 Example for Configuring Dual-Link HSB for ACs

Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires
dual-link HSB to improve data transmission reliability.

Networking Requirements
- AC networking mode: Layer 2 bypass mode
- DHCP deployment mode: The router functions as a DHCP server to assign IP addresses
  to APs and STAs.
- Service data forwarding mode: tunnel forwarding

Figure 4-41 Networking for configuring dual-link HSB for ACs

Data Planning

Table 4-43 AC data planning

Item                           Data
-----------------------------  ------------------------------------------------
Management VLAN for APs        VLAN 100
Service VLAN for STAs          VLAN 101
AC's backup VLAN               VLAN 102
DHCP server                    The router functions as a DHCP server to assign
                               IP addresses to APs and STAs.
                               STAs' gateway: 10.23.101.1/24
                               APs' gateway: 10.23.100.1/24
IP address pool for APs        10.23.100.4-10.23.100.254/24
IP address pool for STAs       10.23.101.2-10.23.101.254/24
AC's source interface          VLANIF 100
AC1's management IP address    VLANIF 100: 10.23.100.2/24
AC2's management IP address    VLANIF 100: 10.23.100.3/24
Active AC                      AC1
                               Local priority: 0
Standby AC                     AC2
                               Local priority: 1
IP addresses and port numbers  IP address: VLANIF 102, 10.23.102.1/24
for the active and standby     Port number: 10241
channels of AC1
IP addresses and port numbers  IP address: VLANIF 102, 10.23.102.2/24
for the active and standby     Port number: 10241
channels of AC2
AP group                       - Name: ap-group1
                               - Referenced profiles: VAP profile wlan-net and
                                 regulatory domain profile default
Regulatory domain profile      - Name: default
                               - Country code: China
SSID profile                   - Name: wlan-net
                               - SSID name: wlan-net
Security profile               - Name: wlan-net
                               - Security policy: WPA-WPA2+PSK+AES
                               - Password: a1234567
VAP profile                    - Name: wlan-net
                               - Forwarding mode: tunnel forwarding
                               - Service VLAN: VLAN 101
                               - Referenced profiles: SSID profile wlan-net and
                                 security profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AP1, AC2, and other network devices.
2. Configure basic WLAN services to ensure that users can access the enterprise network.
3. Configure global dual-link backup on the ACs.
4. Configure hot standby on the ACs so that the WLAN and NAC services on AC1 are
backed up to AC2 in real time or in a batch. If AC1 is faulty, AC2 takes over services
from AC1. User services are not interrupted.

Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  - In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  - In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
- Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
- Dual-link backup cannot back up DHCP information. When the AC functions as the
  DHCP server to assign IP addresses to APs and STAs, APs and STAs need to re-obtain
  IP addresses if the active AC is faulty. It is recommended that Router function as the
  DHCP server. If the AC must be used as the DHCP server, configure address pools
  containing different IP addresses on the active and standby ACs to prevent IP address
  conflicts.

Procedure
Step 1 Configure SwitchA, SwitchB, AC1, and AC2 to ensure that the APs and ACs can exchange
CAPWAP packets.
NOTE

In this example, tunnel forwarding is used. If direct forwarding is used, configure port isolation on
GE0/0/1 that connects SwitchA to the AP. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly communicate at Layer
2.

# Set the PVID on GE0/0/1 of SwitchA to management VLAN 100 and add the interface to
VLAN 100. Add GE0/0/2 of SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 (connecting to SwitchA) of SwitchB, GE0/0/2 (connecting to AC1) of
SwitchB, and GE0/0/3 (connecting to AC2) of SwitchB to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE0/0/1 (connecting to SwitchB) of AC1 to VLAN 100.


<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 (connecting to SwitchB) of AC2 to VLAN 100.


<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1] quit

Step 2 Configure the communication between AC1, AC2, and Router.

# Add GE0/0/1 of AC1 to service VLAN 101 and backup VLAN 102.
[AC1] vlan batch 101 102
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.2 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 101 102
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 of AC2 to VLAN 101 and VLAN 102.


[AC2] vlan batch 101 102
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.3 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 101 102
[AC2-GigabitEthernet0/0/1] quit

# Add GE0/0/2 and GE0/0/3 of SwitchB to both VLAN 101 and VLAN 102 and add GE0/0/4
of SwitchB connecting to Router to both VLAN 100 and VLAN 101.
[SwitchB] vlan batch 101 102
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/4] quit

Step 3 Configure Router to assign IP addresses to STAs and APs.


<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 100 101
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] quit
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] excluded-ip-address 10.23.100.2
[Router-ip-pool-ap] excluded-ip-address 10.23.100.3
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] quit
[Router] interface vlanif 100
[Router-Vlanif100] ip address 10.23.100.1 24
[Router-Vlanif100] dhcp select global
[Router-Vlanif100] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.1 24
[Router-Vlanif101] dhcp select global
[Router-Vlanif101] quit
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] port link-type trunk
[Router-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Router-GigabitEthernet0/0/1] quit


Step 4 Configure WLAN service parameters on AC1 and AC2.


NOTE

Only the configurations on AC1 are provided here. The configurations on AC2 are the same as those on
AC1.
1. Configure system parameters for AC1.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source interface vlanif 100
[AC1] wlan

2. Configure AC1 to manage APs.


[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it
will clear channel, power and antenna gain configurations of the radio, Whether
to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

3. Configure WLAN service parameters on AC1.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567. In
actual situations, the security policy must be configured according to service requirements.

[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.

[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group, and apply the profile to radio 0 and radio
1 of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit

Step 5 Configure dual-link backup on AC1 and AC2.


# Configure the AC1 priority and AC2 IP address on AC1 to implement dual-link backup.
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
[AC1-wlan-view] ac protect protect-ac 10.23.100.3 priority 0

# Configure the AC2 priority and AC1 IP address on AC2 to implement dual-link backup.
[AC2-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]:y
[AC2-wlan-view] ac protect protect-ac 10.23.100.2 priority 1
[AC2-wlan-view] quit

# Restart the AP on AC1 and deliver the dual-link backup configuration to the AP.
[AC1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y
[AC1-wlan-view] quit

Step 6 Configure the hot standby function.


# Create HSB service 0 on AC1 and configure the IP addresses and port numbers for the
active and standby channels.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] quit

# Bind the WLAN and NAC services to HSB service 0 on AC1.
[AC1] hsb-service-type ap hsb-service 0
[AC1] hsb-service-type access-user hsb-service 0

# Create HSB service 0 on AC2 and configure the IP addresses and port numbers for the
active and standby channels.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] quit

# Bind the WLAN and NAC services to HSB service 0 on AC2.
[AC2] hsb-service-type ap hsb-service 0
[AC2] hsb-service-type access-user hsb-service 0

Step 7 Verify the configuration.


# Run the display ac protect command on AC1 and AC2 to view dual-link backup
information.

[AC1] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.3
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
[AC2] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.2
Priority : 1
Protect restore : enable
...
------------------------------------------------------------

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status.
The value of the Service State field is Connected, which indicates that the HSB channels are
set up.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 5
Keep Alive Interval : 3
Service State : Connected
Service Batch Modules : AP
Access-user
----------------------------------------------------------

The WLAN with SSID wlan-net is available for STAs connected to AP1, and these STAs can
connect to the WLAN.
When the AP detects a fault on the link connected to AC1, it instructs AC2 to take the active
role. User services are not interrupted.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return
• Router configuration file
#
sysname Router
#
vlan batch 100 to 101
#
dhcp enable
#
ip pool sta
 gateway-list 10.23.101.1
 network 10.23.101.0 mask 255.255.255.0
#
ip pool ap
 gateway-list 10.23.100.1
 network 10.23.100.0 mask 255.255.255.0
 excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select global
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select global
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return
• AC1 configuration file
#
sysname AC1
#
vlan batch 100 to 102
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
hsb-service 0
 service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
 ac protect enable protect-ac 10.23.100.3 priority 0
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#DmLbQP`BNIa6M}<rK3J>%m9$2xA+y-fNA<TAP&}F%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return
• AC2 configuration file
#
sysname AC2
#
vlan batch 100 to 102
#
interface Vlanif100
 ip address 10.23.100.3 255.255.255.0
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
hsb-service 0
 service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
 ac protect enable protect-ac 10.23.100.2 priority 1
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#DmLbQP`BNIa6M}<rK3J>%m9$2xA+y-fNA<TAP&}F%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return
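
In the two AC configuration files above, the HSB channel and dual-link backup settings are mirrored (each AC's peer-ip is the other's local-ip, each protect-ac is the other's CAPWAP source address) and the WLAN profiles are identical. The following Python check is an added example, not part of the Huawei document; its function names and the sample configurations (constructed from the files above, with the ciphertext replaced by a placeholder) are assumptions for illustration.

```python
import re

# Constructed sample input: the AC1/AC2 configuration files of this example,
# trimmed to the lines the check reads, with wrapped lines rejoined and the
# pass-phrase ciphertext replaced by a placeholder.
TEMPLATE = """\
#
sysname {name}
#
interface Vlanif100
 ip address {mgmt_ip} 255.255.255.0
#
interface Vlanif102
 ip address {hsb_local} 255.255.255.0
#
capwap source interface vlanif100
#
hsb-service 0
 service-ip-port local-ip {hsb_local} peer-ip {hsb_peer} local-data-port 10241 peer-data-port 10241
#
hsb-service-type access-user hsb-service 0
#
hsb-service-type ap hsb-service 0
#
wlan
 ac protect enable protect-ac {protect_ac} priority {prio}
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase <ciphertext> aes
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id {svc_vlan}
#
"""


def render(name, mgmt_ip, hsb_local, hsb_peer, protect_ac, prio, svc_vlan=101):
    return TEMPLATE.format(**locals())  # hypothetical helper: fills the sample


def parse(cfg):
    """Extract the redundancy-related settings from one AC configuration file."""
    d = {"name": "?", "vlanif": {}, "hsb": {}, "hsb_types": set(), "wlan": [],
         "capwap_vlanif": None, "protect_ac": None}
    vlanif, in_wlan = None, False
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line == "#":                       # '#' closes the current section
            vlanif, in_wlan = None, False
        elif m := re.fullmatch(r"sysname (\S+)", line):
            d["name"] = m.group(1)
        elif m := re.fullmatch(r"interface Vlanif(\d+)", line, re.I):
            vlanif = m.group(1)
        elif vlanif and (m := re.fullmatch(r"ip address (\S+) \S+", line)):
            d["vlanif"][vlanif] = m.group(1)
        elif m := re.fullmatch(r"capwap source interface vlanif\s*(\d+)", line, re.I):
            d["capwap_vlanif"] = m.group(1)
        elif line.startswith("service-ip-port "):
            words = line.split()[1:]          # key/value pairs after the keyword
            d["hsb"] = dict(zip(words[0::2], words[1::2]))
        elif m := re.fullmatch(r"hsb-service-type (\S+) hsb-service \d+", line):
            d["hsb_types"].add(m.group(1))
        elif line == "wlan":
            in_wlan = True
        elif in_wlan and (m := re.search(r"protect-ac (\S+)", line)):
            d["protect_ac"] = m.group(1)      # differs per AC by design
        elif in_wlan:
            # Mask the PSK so ciphertext differences do not count as drift.
            d["wlan"].append(re.sub(r"(pass-phrase) \S+", r"\1 ***", line))
    return d


def check_pair(a, b):
    """Return findings for an AC pair; an empty list means the two mirror each other."""
    out = []
    for x, y in ((a, b), (b, a)):
        hx, hy, n = x["hsb"], y["hsb"], x["name"]
        if hx.get("local-ip") not in x["vlanif"].values():
            out.append(f"{n}: HSB local-ip {hx.get('local-ip')} is not a local VLANIF address")
        if hx.get("peer-ip") != hy.get("local-ip"):
            out.append(f"{n}: HSB peer-ip {hx.get('peer-ip')} is not {y['name']}'s local-ip")
        if hx.get("peer-data-port") != hy.get("local-data-port"):
            out.append(f"{n}: HSB peer-data-port does not match {y['name']}'s local-data-port")
        peer_src = y["vlanif"].get(y["capwap_vlanif"])
        if x["protect_ac"] != peer_src:
            out.append(f"{n}: protect-ac {x['protect_ac']} is not {y['name']}'s CAPWAP source {peer_src}")
    if a["hsb_types"] != b["hsb_types"]:
        out.append("hsb-service-type bindings differ between the two ACs")
    if a["wlan"] != b["wlan"]:
        out.append("WLAN profile configuration differs between the two ACs")
    return out


if __name__ == "__main__":
    ac1 = parse(render("AC1", "10.23.100.2", "10.23.102.1", "10.23.102.2", "10.23.100.3", 0))
    faulty_ac2 = parse(render("AC2", "10.23.100.3", "10.23.102.2", "10.23.102.3", "10.23.100.2", 1, svc_vlan=100))
    print("\n".join(check_pair(ac1, faulty_ac2)))
```

The pass-phrase value is masked before comparison, so the check reports drift in the security policy line but not a difference in how each device stores the key.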

4.7.5 Example for Configuring VRRP HSB

Service Requirements
An enterprise deploys a WLAN to provide WLAN services to users. The enterprise requires
VRRP HSB to improve data transmission reliability.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding
• Switch cluster: A cluster is set up using a CSS card, containing SwitchB and SwitchC at
  the core layer. SwitchB is the active switch and SwitchC is the standby switch.


Figure 4-42 Configuring VRRP HSB (direct forwarding)

Data Planning

Table 4-44 AC Data Planning

Item                                   Configuration
-------------------------------------  ------------------------------------------------
AC1's source interface                 VLANIF 100: 10.23.100.3/24

AC2's source interface                 VLANIF 100: 10.23.100.3/24

Virtual IP address of the              10.23.100.3/24
management VRRP group

Virtual IP address of the service      10.23.101.3/24
VRRP group

VAP profile                            • Name: wlan-net
                                       • Forwarding mode: direct forwarding
                                       • Service VLAN: VLAN 101
                                       • Referenced profiles: SSID profile wlan-net and
                                         security profile wlan-net

AP group                               • Name: ap-group1
                                       • Referenced profiles: VAP profile wlan-net and
                                         regulatory domain profile default

Regulatory domain profile              • Name: default
                                       • Country code: China

SSID profile                           • Name: wlan-net
                                       • SSID name: wlan-net

Security profile                       • Name: wlan-net
                                       • Security policy: WPA-WPA2+PSK+AES
                                       • Password: a1234567

DHCP server                            AC functions as the DHCP server to assign IP
                                       addresses to the AP and STA

AP's gateway                           VLANIF 100: 10.23.100.3/24

IP address pool for the AP             10.23.100.4 to 10.23.100.254/24

STA's gateway                          VLANIF 101: 10.23.101.3/24

IP address pool for STA                10.23.101.4 to 10.23.101.254/24

IP addresses and port numbers for      IP address: VLANIF 102, 10.23.102.1/24
the active and standby channels        Port number: 10241
of AC1

IP addresses and port numbers for      IP address: VLANIF 102, 10.23.102.2/24
the active and standby channels        Port number: 10241
of AC2

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a cluster between SwitchB and SwitchC through cluster cards to improve the
core layer reliability and configure SwitchB as the master switch.
2. Set up connections between the AP, ACs, and other network devices.
3. Configure basic WLAN services to ensure that users can access the Internet through
WLAN.


4. Configure a VRRP group on AC1 and AC2 and configure a high priority for AC1 as the
active device to forward traffic, and a low priority for AC2 as the standby device.
5. Configure the hot standby (HSB) function so that service information on AC1 is backed
up to AC2 in batches in real time, ensuring seamless service switchover from the active
device to the standby device.
NOTE

Check whether loops occur on the wired network. If loops occur, configure MSTP on corresponding NEs.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
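
Two of the notes above (port isolation on AP-facing ports under direct forwarding, and separate management and service VLANs under tunnel forwarding) can be checked against saved configurations. This Python check is an added example, not part of the Huawei document; it assumes an AP-facing port is a trunk whose PVID is the management VLAN and that a VAP profile without a forward-mode line uses direct forwarding, and its sample configurations are constructed from the commands in this chapter.

```python
import re

# Constructed sample input: SwitchA as configured in Step 2 of this example.
SWITCHA = """\
#
sysname SwitchA
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 to 101
#
"""
SWITCHA_NO_ISOLATION = SWITCHA.replace(" port-isolate enable\n", "")

# Constructed sample input: the wlan section of an AC using direct forwarding.
AC_DIRECT = """\
#
wlan
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 ap-group name ap-group1
#
"""
# Constructed faulty variant: tunnel forwarding with service VLAN = management VLAN.
AC_TUNNEL_SAME_VLAN = AC_DIRECT.replace(
    "  service-vlan vlan-id 101", "  forward-mode tunnel\n  service-vlan vlan-id 100")


def stanzas(cfg):
    """Yield each '#'-delimited section of a saved configuration as stripped lines."""
    block = []
    for line in cfg.splitlines() + ["#"]:
        if line.strip() == "#":
            if block:
                yield block
            block = []
        elif line.strip():
            block.append(line.strip())


def vap_profiles(ac_cfg):
    """Map VAP profile name -> forwarding mode and service VLAN."""
    profiles, cur = {}, None
    for st in stanzas(ac_cfg):
        if st[0] != "wlan":
            continue
        for line in st[1:]:
            if m := re.fullmatch(r"vap-profile name (\S+)", line):
                cur = m.group(1)
                # Assumption: no forward-mode line means direct forwarding.
                profiles[cur] = {"mode": "direct", "vlan": None}
            elif re.search(r" name \S+$", line) or line.startswith("ap-id "):
                cur = None                    # a different profile or object starts
            elif cur and (m := re.fullmatch(r"forward-mode (\S+)", line)):
                profiles[cur]["mode"] = m.group(1)
            elif cur and (m := re.fullmatch(r"service-vlan vlan-id (\d+)", line)):
                profiles[cur]["vlan"] = m.group(1)
    return profiles


def audit(ac_cfg, ap_switch_cfg, mgmt_vlan):
    """Return findings for the two configuration notes; empty list means none."""
    findings = []
    profiles = vap_profiles(ac_cfg)
    for name, p in profiles.items():
        if p["mode"] == "tunnel" and p["vlan"] == str(mgmt_vlan):
            findings.append(f"vap-profile {name}: tunnel forwarding, but service "
                            f"VLAN {p['vlan']} is the management VLAN")
    if any(p["mode"] != "tunnel" for p in profiles.values()):
        for st in stanzas(ap_switch_cfg):
            ap_facing = (st[0].startswith("interface ")
                         and f"port trunk pvid vlan {mgmt_vlan}" in st)
            isolated = any(l.startswith("port-isolate enable") for l in st)
            if ap_facing and not isolated:
                findings.append(f"{st[0].split()[1]}: AP-facing port without "
                                f"port-isolate enable (direct forwarding)")
    return findings


if __name__ == "__main__":
    for finding in audit(AC_DIRECT, SWITCHA_NO_ISOLATION, 100):
        print(finding)
```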

Procedure
Step 1 Establish a cluster through cluster cards.

# Set the CSS ID, CSS priority, and CSS connection mode to 1, 100, and CSS card connection
for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 1
[SwitchB] set css priority 100

# Set the CSS ID, CSS priority, and CSS connection mode to 2, 10, and CSS card connection
for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] set css mode css-card
[SwitchC] set css id 2
[SwitchC] set css priority 10

# Check the CSS configuration on SwitchB.

[SwitchB] display css status saved
Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master force
------------------------------------------------------------------------------
1            1          Off          CSS card   100        Off

# Check the CSS configuration on SwitchC.
[SwitchC] display css status saved
Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master force
------------------------------------------------------------------------------
1            2          Off          CSS card   10         Off

# Enable the CSS function on SwitchB and restart SwitchB.
[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is
rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchC and restart SwitchC.
[SwitchC] css enable
Warning: The CSS configuration will take effect only after the system is
rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Log in to the CSS through the console port on any MPU to check whether the CSS is
established successfully.
<SwitchB> display device
Chassis 1 (Master Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
5 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
7 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
Chassis 2 (Standby Switch)
S12708's Device status:
Slot Sub Type Online Power Register Status Role
-------------------------------------------------------------------------------
1 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
3 - ET1D2G48SEC0 Present PowerOn Registered Normal NA
4 - ET1D2X16SSC0 Present PowerOn Registered Normal NA
9 - ET1D2MPUA000 Present PowerOn Registered Normal Slave
10 - ET1D2MPUA000 Present PowerOn Registered Normal Master
12 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
13 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
14 - ET1D2SFUD000 Present PowerOn Registered Normal NA
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present PowerOn Registered Normal NA
CMU1 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Normal NA
FAN2 - - Present PowerOn Registered Normal NA
FAN3 - - Present PowerOn Registered Normal NA
FAN4 - - Present PowerOn Registered Normal NA
<SwitchB> display css status
CSS Enable switch On

Chassis Id   CSS Enable   CSS Status   CSS Mode   Priority   Master Force
------------------------------------------------------------------------------
1            On           Master       CSS card   100        Off
2            On           Standby      CSS card   10         Off

The command output shows card status and CSS status of both member switches, indicating
that the CSS is established successfully.

# Check whether the cluster links are normal.
<SwitchB> display css channel
Chassis 1 || Chassis 2
--------------------------------------------------------------------------------
Num [Port] [Speed] || [Speed] [Port]
1 1/1/0/1 10G 10G 2/1/0/1
2 1/1/0/2 10G 10G 2/1/0/2
3 1/1/0/3 10G 10G 2/1/0/3
4 1/1/0/4 10G 10G 2/1/0/4
5 1/1/0/5 10G 10G 2/1/0/5
6 1/1/0/6 10G 10G 2/1/0/6
7 1/1/0/7 10G 10G 2/1/0/7
8 1/1/0/8 10G 10G 2/1/0/8
9 1/12/0/1 10G 10G 2/12/0/1
10 1/12/0/2 10G 10G 2/12/0/2
11 1/12/0/3 10G 10G 2/12/0/3
12 1/12/0/4 10G 10G 2/12/0/4
13 1/12/0/5 10G 10G 2/12/0/5
14 1/12/0/6 10G 10G 2/12/0/6
15 1/12/0/7 10G 10G 2/12/0/7
16 1/12/0/8 10G 10G 2/12/0/8
17 1/13/0/1 10G 10G 2/13/0/1
18 1/13/0/2 10G 10G 2/13/0/2
19 1/13/0/3 10G 10G 2/13/0/3
20 1/13/0/4 10G 10G 2/13/0/4
21 1/13/0/5 10G 10G 2/13/0/5
22 1/13/0/6 10G 10G 2/13/0/6
23 1/13/0/7 10G 10G 2/13/0/7
24 1/13/0/8 10G 10G 2/13/0/8
25 1/14/0/1 10G 10G 2/14/0/1
26 1/14/0/2 10G 10G 2/14/0/2
27 1/14/0/3 10G 10G 2/14/0/3
28 1/14/0/4 10G 10G 2/14/0/4
29 1/14/0/5 10G 10G 2/14/0/5
30 1/14/0/6 10G 10G 2/14/0/6
31 1/14/0/7 10G 10G 2/14/0/7
32 1/14/0/8 10G 10G 2/14/0/8
--------------------------------------------------------------------------------

The command output shows that all the cluster links are in Up state, indicating that the CSS
has been established successfully.

Step 2 Configure SwitchA, SwitchB, SwitchC, AC1, and AC2 so that CAPWAP packets can be
transmitted between the AP and ACs.
NOTE

If direct forwarding is used, configure port isolation on GE0/0/1 of SwitchA (connecting to the AP).
If port isolation is not configured, many broadcast packets will be transmitted in the VLANs, or WLAN
users on different APs can communicate directly at Layer 2.


# Set the PVID of GE0/0/1 on SwitchA connected to the AP to management VLAN 100 and
add GE0/0/1 to VLAN 100 and service VLAN 101. Add GE0/0/2 on SwitchA connected to
SwitchB to VLAN 100 and VLAN 101 and GE0/0/3 on SwitchA connected to SwitchC to
VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/1/0/2 that connects SwitchB to SwitchA to VLAN 100 and VLAN 101 (service
VLAN), and add GE1/1/0/1 that connects SwitchB to AC1 to VLAN 100 and VLAN 101.
Add GE2/1/0/2 that connects SwitchC to SwitchA to VLAN 100 and VLAN 101 (service
VLAN), and add GE2/1/0/1 that connects SwitchC to AC1 to VLAN 100 and VLAN 101.
[SwitchB] sysname CSS
[CSS] vlan batch 100 101
[CSS] interface gigabitethernet 1/1/0/1
[CSS-GigabitEthernet1/1/0/1] port link-type trunk
[CSS-GigabitEthernet1/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/1] quit
[CSS] interface gigabitethernet 1/1/0/2
[CSS-GigabitEthernet1/1/0/2] port link-type trunk
[CSS-GigabitEthernet1/1/0/2] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet1/1/0/2] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet1/1/0/2] quit
[CSS] interface gigabitethernet 2/1/0/1
[CSS-GigabitEthernet2/1/0/1] port link-type trunk
[CSS-GigabitEthernet2/1/0/1] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/1] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/1] quit
[CSS] interface gigabitethernet 2/1/0/2
[CSS-GigabitEthernet2/1/0/2] port link-type trunk
[CSS-GigabitEthernet2/1/0/2] undo port trunk allow-pass vlan 1
[CSS-GigabitEthernet2/1/0/2] port trunk allow-pass vlan 100 101
[CSS-GigabitEthernet2/1/0/2] quit

# Add GE0/0/1 that connects AC1 to SwitchB to VLAN 100 and VLAN 101, and configure
VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.1 24
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] ip address 10.23.101.1 24
[AC1-Vlanif101] quit

# Add GE0/0/1 that connects AC2 to SwitchC to VLAN 100 and VLAN 101, and configure
VLANIF 100 and VLANIF 101.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.2 24
[AC2-Vlanif100] quit
[AC2] interface vlanif 101
[AC2-Vlanif101] ip address 10.23.101.2 24
[AC2-Vlanif101] quit

Step 3 Configure AC1 to communicate with AC2.


# Add GE0/0/2 on AC1 (connecting to AC2) to VLAN 102.
[AC1] vlan batch 102
[AC1] interface gigabitethernet 0/0/2
[AC1-GigabitEthernet0/0/2] port link-type trunk
[AC1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC1-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC1-GigabitEthernet0/0/2] quit
[AC1] interface vlanif 102
[AC1-Vlanif102] ip address 10.23.102.1 24
[AC1-Vlanif102] quit

# Add GE0/0/2 on AC2 (connecting to AC1) to VLAN 102.


[AC2] vlan batch 102
[AC2] interface gigabitethernet 0/0/2
[AC2-GigabitEthernet0/0/2] port link-type trunk
[AC2-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC2-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC2-GigabitEthernet0/0/2] quit
[AC2] interface vlanif 102
[AC2-Vlanif102] ip address 10.23.102.2 24
[AC2-Vlanif102] quit

Step 4 Configure a DHCP server.


# Configure AC1 as the DHCP server to assign IP addresses to the AP and STA.
[AC1] dhcp enable
[AC1] dhcp server database enable
[AC1] dhcp server database recover
[AC1] interface vlanif 100
[AC1-Vlanif100] dhcp select interface
[AC1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2
[AC1-Vlanif100] quit
[AC1] interface vlanif 101
[AC1-Vlanif101] dhcp select interface
[AC1-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC1-Vlanif101] quit

The configuration for AC2 is similar to that for AC1 and is not mentioned here.

Step 5 Configure VRRP on AC1 to implement AC hot standby.

# Set the recovery delay of the VRRP group to 60 seconds.
[AC1] vrrp recover-delay 60

# Create a management VRRP group on AC1, set AC1's VRRP priority to 120, and set the
preemption delay to 1800s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC1-Vlanif100] vrrp vrid 1 priority 120
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1800
[AC1-Vlanif100] admin-vrrp vrid 1
[AC1-Vlanif100] quit

# Create a service VRRP group on AC1 and set the preemption delay to 1800s.
[AC1] interface vlanif 101
[AC1-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC1-Vlanif101] vrrp vrid 2 preempt-mode timer delay 1800
[AC1-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC1-Vlanif101] quit

# Create HSB service 0 on AC1, configure the IP addresses and port numbers for the active
and standby channels, and set the retransmission times and interval of HSB packets.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit

# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management VRRP
group.
[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.


[AC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.


[AC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.


[AC1] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.


[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit

Step 6 Configure VRRP on AC2 to implement AC hot standby.


# Set the recovery delay of the VRRP group to 60 seconds.
[AC2] vrrp recover-delay 60

# Create a management VRRP group on AC2.


[AC2] interface vlanif 100
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 10.23.100.3
[AC2-Vlanif100] admin-vrrp vrid 1
[AC2-Vlanif100] quit

# Create a service VRRP group on AC2.

[AC2] interface vlanif 101
[AC2-Vlanif101] vrrp vrid 2 virtual-ip 10.23.101.3
[AC2-Vlanif101] vrrp vrid 2 track admin-vrrp interface vlanif 100 vrid 1 unflowdown
[AC2-Vlanif101] quit

# Create HSB service 0 on AC2, configure the IP addresses and port numbers for the active
and standby channels, and set the retransmission times and interval of HSB packets.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit

# Create HSB group 0 on AC2, and bind it to HSB service 0 and the management VRRP
group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.


[AC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.


[AC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.


[AC2] hsb-service-type dhcp hsb-group 0

# Enable the HSB function.


[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit

Step 7 Configure WLAN services on AC1. The configurations on AC2 are similar to those on AC1.
An AP in normal state on the active AC is in standby state on AC2.
1. Configure system parameters for AC1.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] regulatory-domain-profile name default
[AC1-wlan-regulate-domain-default] country-code cn
[AC1-wlan-regulate-domain-default] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit
[AC1] capwap source ip-address 10.23.100.3

2. Import an AP offline on AC1.


[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y


[AC1-wlan-ap-0] quit
[AC1-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

3. Configure WLAN service parameters on AC1.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC1-wlan-view] security-profile name wlan-net
[AC1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-net
[AC1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-net
[AC1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

Step 8 Verify the configuration.


# After the configurations are complete, run the display vrrp command on AC1 and AC2.
The command output shows that the State field is Master on AC1 and Backup on AC2.
[AC1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1800 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 01:25:55 UTC+08:00
Last change time : 2005-07-31 02:48:22 UTC+08:00

Vlanif101 | Virtual Router 2


State : Master
Virtual IP : 10.23.101.3
Master IP : 10.23.101.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 1800 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : member-vrrp
Backup-forward : disabled
Create time : 2005-07-30 23:45:50 UTC+08:00
Last change time : 2005-07-31 02:48:22 UTC+08:00
[AC2] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.23.100.3
Master IP : 10.23.100.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 02:11:07 UTC+08:00
Last change time : 2005-07-31 03:40:45 UTC+08:00

Vlanif101 | Virtual Router 2


State : Backup
Virtual IP : 10.23.101.3
Master IP : 0.0.0.0
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : member-vrrp
Backup-forward : disabled
Create time : 2005-07-31 00:32:33 UTC+08:00
Last change time : 2005-07-31 03:40:45 UTC+08:00

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status.
The Service State field shows Connected, indicating that the HSB channel has been
established.


[AC1] display hsb-service 0


Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
----------------------------------------------------------

# Run the display hsb-group 0 command on AC1 and AC2 to check the HSB group status.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C20
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Name : AC6605
Peer Group Software Version : V200R007C20
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------

The WLAN with SSID wlan-net is available for STAs connected to the AP, and these STAs can
connect to the WLAN.

When the links between SwitchA and SwitchB and between AC1 and SwitchB are
disconnected, AC2 switches to the active AC. This ensures service transmission stability.

----End
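
The Step 8 checks can be scripted. The following is an added example, not part of the Huawei document: it parses display vrrp and display hsb-service output collected from both ACs and reports anything that contradicts the expected hot-standby state. It also reports the Auth type : NONE value visible in the output above, which means VRRP advertisements are accepted without authentication. The sample text is a constructed, trimmed copy of the Step 8 output, and the function names are hypothetical.

```python
import re

# Constructed sample input: trimmed copies of the Step 8 command output.
AC1_VRRP = """\
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.23.100.3
Auth type : NONE
Config type : admin-vrrp
Vlanif101 | Virtual Router 2
State : Master
Virtual IP : 10.23.101.3
Auth type : NONE
Config type : member-vrrp
"""
AC2_VRRP = AC1_VRRP.replace("State : Master", "State : Backup")
AC1_HSB = """\
Local IP Address : 10.23.102.1
Peer IP Address : 10.23.102.2
Service State : Connected
"""
AC2_HSB = """\
Local IP Address : 10.23.102.2
Peer IP Address : 10.23.102.1
Service State : Connected
"""

HEADER = re.compile(r"^(\S+) \| Virtual Router (\d+)$")


def parse_fields(lines):
    """Turn 'Key : value' lines into a dict, splitting on the first colon only."""
    fields = {}
    for line in lines:
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def parse_vrrp(text):
    """Return {(interface, vrid): fields} for each virtual router in 'display vrrp'."""
    groups, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = groups.setdefault((m.group(1), int(m.group(2))), [])
        elif current is not None:
            current.append(line)
    return {key: parse_fields(lines) for key, lines in groups.items()}


def check_hot_standby(vrrp_1, vrrp_2, hsb_1, hsb_2):
    """Compare both ACs' output and return a list of findings (empty means as expected)."""
    findings = []
    a, b = parse_vrrp(vrrp_1), parse_vrrp(vrrp_2)
    for key in sorted(set(a) | set(b)):
        name = f"{key[0]} vrid {key[1]}"
        if key not in a or key not in b:
            findings.append(f"{name}: configured on only one AC")
            continue
        states = sorted([a[key].get("State", "?"), b[key].get("State", "?")])
        if states != ["Backup", "Master"]:
            findings.append(f"{name}: expected one Master and one Backup, got {states}")
        if a[key].get("Virtual IP") != b[key].get("Virtual IP"):
            findings.append(f"{name}: virtual IP differs between the ACs")
        if "NONE" in (a[key].get("Auth type"), b[key].get("Auth type")):
            findings.append(f"{name}: VRRP advertisements are not authenticated")
    # Member groups track the admin group, so one device should show a single state.
    for label, groups in (("AC1", a), ("AC2", b)):
        if len({g.get("State") for g in groups.values()}) > 1:
            findings.append(f"{label}: member VRRP state differs from admin VRRP state")
    s1, s2 = parse_fields(hsb_1.splitlines()), parse_fields(hsb_2.splitlines())
    for label, svc in (("AC1", s1), ("AC2", s2)):
        if svc.get("Service State") != "Connected":
            findings.append(f"{label}: HSB channel state is {svc.get('Service State')}")
    mirrored = (s1.get("Local IP Address"), s1.get("Peer IP Address")) == (
        s2.get("Peer IP Address"), s2.get("Local IP Address"))
    if not mirrored:
        findings.append("HSB channel: local and peer addresses do not mirror each other")
    return findings


if __name__ == "__main__":
    for finding in check_hot_standby(AC1_VRRP, AC2_VRRP, AC1_HSB, AC2_HSB):
        print("FINDING:", finding)
```
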


Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
return

• CSS configuration file


#
sysname CSS
#
vlan batch 100 to 101
#
interface GigabitEthernet1/1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet1/1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet2/1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet2/1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
return

• AC1 configuration file


#
sysname AC1
#
vrrp recover-delay 60
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable
dhcp server database recover
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.100.3
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 1800
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
vrrp vrid 2 virtual-ip 10.23.101.3
vrrp vrid 2 preempt-mode timer delay 1800
vrrp vrid 2 track admin-vrrp interface Vlanif100 vrid 1 unflowdown
dhcp select interface
dhcp server excluded-ip-address 10.23.101.2
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
#
hsb-service 0
service-ip-port local-ip 10.23.102.1 peer-ip 10.23.102.2 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif100
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#G.DGWgjG./fvyr*oM)KMgc*sR}!GUWLa"%G_E.^B%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

• AC2 configuration file


#
sysname AC2
#
vrrp recover-delay 60
#
vlan batch 100 to 102
#
dhcp enable
#
dhcp server database enable
dhcp server database recover
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.100.3
admin-vrrp vrid 1
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.23.101.3
vrrp vrid 2 track admin-vrrp interface Vlanif100 vrid 1 unflowdown
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
capwap source ip-address 10.23.100.3
#
hsb-service 0
service-ip-port local-ip 10.23.102.2 peer-ip 10.23.102.1 local-data-port 10241 peer-data-port 10241
service-keep-alive detect retransmit 3 interval 6
#
hsb-group 0
track vrrp vrid 1 interface Vlanif100
bind-service 0
hsb enable
#
hsb-service-type access-user hsb-group 0
#
hsb-service-type dhcp hsb-group 0
#
hsb-service-type ap hsb-group 0
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#G.DGWgjG./fvyr*oM)KMgc*sR}!GUWLa"%G_E.^B%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

4.7.6 Example for Configuring N+1 Backup for ACs in the Same Network Segment

Service Requirements
In public places where a large number of users are spread over a large area, many APs are
deployed and managed by multiple ACs to provide free-of-charge WLAN access services. These
are value-added services with low network reliability requirements that tolerate temporary
service interruption. To save costs, a single AC is required to act as the backup for all
the other ACs. To meet this requirement, build an N+1 backup wireless LAN to provide
reliable services and reduce device purchase costs. ACs of different models can work in
N+1 backup mode, but versions of the ACs must be the same.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: Switch_1 functions as a DHCP server to assign IP addresses
  to APs and STAs.
• Service data forwarding mode: direct forwarding


Figure 4-43 Networking for configuring N+1 backup

Data Planning

Table 4-45 AC data planning

Item                           Data

Management VLAN for APs        VLAN 100

Service VLAN for STAs          VLAN 101
                               VLAN 102

DHCP server                    Switch_1 functions as a DHCP server to assign IP addresses to APs and STAs.
                               STAs' gateway:
                               • 10.23.101.1/24
                               • 10.23.102.1/24
                               APs' gateway: 10.23.100.1/24

IP address pool for APs        10.23.100.5-10.23.100.254/24

IP address pool for STAs       STA1: 10.23.101.3-10.23.101.254/24
                               STA2: 10.23.102.3-10.23.102.254/24

AC's source interface          VLANIF 100

AC_1's management IP address   VLANIF 100: 10.23.100.2/24

AC_2's management IP address   VLANIF 100: 10.23.100.3/24

AC_3's management IP address   VLANIF 100: 10.23.100.4/24

AP group                       AC_1 (active AC):
                               • Name: ap-group1
                               • Referenced profiles: AP system profile ap-system, VAP profile wlan-net,
                                 and regulatory domain profile default
                               AC_2 (active AC):
                               • Name: ap-group2
                               • Referenced profiles: AP system profile ap-system1, VAP profile wlan-net1,
                                 and regulatory domain profile default
                               AC_3 (standby AC):
                               • Name: ap-group1
                                 – Referenced profiles: AP system profile ap-system, VAP profile wlan-net,
                                   and regulatory domain profile default
                               • Name: ap-group2
                                 – Referenced profiles: AP system profile ap-system1, VAP profile wlan-net1,
                                   and regulatory domain profile default

Regulatory domain profile      • Name: default
                               • Country code: China

SSID profile                   AC_1:
                               • Name: wlan-net
                               • SSID name: wlan-net
                               AC_2:
                               • Name: wlan-net1
                               • SSID name: wlan-net1
                               AC_3:
                               • Names: wlan-net and wlan-net1
                               • SSID names: wlan-net and wlan-net1

Security profile               AC_1:
                               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567
                               AC_2:
                               • Name: wlan-net1
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567
                               AC_3:
                               • Name: wlan-net
                                 – Security policy: WPA-WPA2+PSK+AES
                                 – Password: a1234567
                               • Name: wlan-net1
                                 – Security policy: WPA-WPA2+PSK+AES
                                 – Password: a1234567

VAP profile                    AC_1:
                               • Name: wlan-net
                               • Forwarding mode: direct forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-net and security profile wlan-net
                               AC_2:
                               • Name: wlan-net1
                               • Forwarding mode: direct forwarding
                               • Service VLAN: VLAN 102
                               • Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1
                               AC_3:
                               • Name: wlan-net
                                 – Forwarding mode: direct forwarding
                                 – Service VLAN: VLAN 101
                                 – Referenced profiles: SSID profile wlan-net and security profile wlan-net
                               • Name: wlan-net1
                                 – Forwarding mode: direct forwarding
                                 – Service VLAN: VLAN 102
                                 – Referenced profiles: SSID profile wlan-net1 and security profile wlan-net1

AP system profile              • AC_1: ap-system
                               • AC_2: ap-system1
                               • AC_3: ap-system and ap-system1

Global priority                AC_1: 6
                               AC_2: 6
                               AC_3: 5

Individual priority            AP1: 3
                               AP2: 3

Configuration Roadmap
1. Configure network interworking of each AC and other network devices. Configure
Switch_1 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2 respectively, and
configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the standby AC and configure basic WLAN services on AC_3.
Ensure that service configurations on AC_3 are the same as those on AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC. When N+1
backup is enabled, all APs are restarted.
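
The consistency requirement in step 3 can be checked before failover is ever needed. The following is an added example, not part of the Huawei document: it compares the WLAN profiles in a saved active-AC configuration with those on the standby AC. The sample configurations are constructed from Table 4-45 with two deliberate mismatches on AC_3; the one-space-per-level indentation, the function names, and the masking of the %^%#...%^%# ciphertext (assumed to differ between devices for the same pass-phrase) are assumptions.

```python
import re

# Constructed sample configs following Table 4-45; one space of indentation per
# view level is assumed. AC_3 carries two deliberate mismatches for wlan-net1.
AC_2_CONFIG = """\
#
wlan
 security-profile name wlan-net1
  security wpa-wpa2 psk pass-phrase %^%#constructed-cipher-A%^%# aes
 ssid-profile name wlan-net1
  ssid wlan-net1
 vap-profile name wlan-net1
  service-vlan vlan-id 102
  ssid-profile wlan-net1
  security-profile wlan-net1
 ap-system-profile name ap-system1
  priority 3
#
return
"""
AC_3_CONFIG = """\
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#constructed-cipher-B%^%# aes
 security-profile name wlan-net1
  security wpa-wpa2 psk pass-phrase %^%#constructed-cipher-C%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 ssid-profile name wlan-net1
  ssid wlan-net1
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 vap-profile name wlan-net1
  service-vlan vlan-id 101
  ssid-profile wlan-net1
  security-profile wlan-net1
 ap-system-profile name ap-system
  priority 3
#
return
"""

PROFILE = re.compile(
    r"^ (security-profile|ssid-profile|vap-profile|ap-system-profile) name (\S+)$")
CIPHER = re.compile(r"%\^%#.*?%\^%#")  # device-encrypted secret, masked before comparing


def wlan_profiles(config):
    """Return {(kind, name): set of sub-commands} for profiles in the wlan view."""
    profiles, current, in_wlan = {}, None, False
    for line in config.splitlines():
        if not line.startswith(" "):           # a top-level line opens or closes a view
            in_wlan, current = (line.strip() == "wlan"), None
            continue
        if not in_wlan:
            continue
        m = PROFILE.match(line)
        if m:
            current = profiles.setdefault((m.group(1), m.group(2)), set())
        elif line.startswith("  ") and current is not None:
            current.add(CIPHER.sub("<cipher>", line.strip()))
        else:
            current = None                     # another wlan-view object (ap-group, ap-id)
    return profiles


def standby_drift(active_cfg, standby_cfg):
    """List each active-AC WLAN profile that is missing or different on the standby AC."""
    active, standby = wlan_profiles(active_cfg), wlan_profiles(standby_cfg)
    findings = []
    for kind, name in sorted(active):
        cmds, other = active[(kind, name)], standby.get((kind, name))
        if other is None:
            findings.append(f"{kind} {name}: missing on standby")
        elif other != cmds:
            findings.append(f"{kind} {name}: active has {sorted(cmds - other)}, "
                            f"standby has {sorted(other - cmds)}")
    return findings


if __name__ == "__main__":
    for finding in standby_drift(AC_2_CONFIG, AC_3_CONFIG):
        print("DRIFT:", finding)
```

Profiles that exist only on the standby AC are not reported, because AC_3 also carries the profiles of the other active AC.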

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the switches and ACs to enable the ACs to communicate with the APs.
# On Switch_1, create VLAN 100, VLAN 101, and VLAN 102. Configure VLAN 100 as the
management VLAN, VLAN 101 and VLAN 102 as service VLANs. Add GE0/0/1 connected
to AC_1 to VLAN 100 and VLAN 101, GE0/0/2 connected to AC_2 to VLAN 100 and
VLAN 102, GE0/0/3 and GE0/0/4 respectively connected to AC_3 and Switch_2 to VLAN
100, VLAN 101, and VLAN 102.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100 to 102
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_1-GigabitEthernet0/0/2] quit
[Switch_1] interface gigabitethernet 0/0/3
[Switch_1-GigabitEthernet0/0/3] port link-type trunk
[Switch_1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/3] quit
[Switch_1] interface gigabitethernet 0/0/4
[Switch_1-GigabitEthernet0/0/4] port link-type trunk
[Switch_1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 102
[Switch_1-GigabitEthernet0/0/4] quit

# On Switch_2, add GE0/0/3 connected to Switch_1 to VLAN 100, VLAN 101, and VLAN
102, GE0/0/1 connected to AP_1 to VLAN 100 and VLAN 101, and GE0/0/2 connected to
AP_2 to VLAN 100 and VLAN 102. Set the PVID of GE0/0/1 and GE0/0/2 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100 to 102
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_2-GigabitEthernet0/0/1] port-isolate enable
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[Switch_2-GigabitEthernet0/0/2] port-isolate enable
[Switch_2-GigabitEthernet0/0/2] quit
[Switch_2] interface gigabitethernet 0/0/3
[Switch_2-GigabitEthernet0/0/3] port link-type trunk
[Switch_2-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_2-GigabitEthernet0/0/3] quit

# On AC_1, add GE0/0/1 connected to Switch_1 to VLAN 100 and VLAN 101.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 100 101
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface vlanif 100
[AC_1-Vlanif100] ip address 10.23.100.2 255.255.255.0
[AC_1-Vlanif100] quit

# On AC_2, add GE0/0/1 connected to Switch_1 to VLAN 100 and VLAN 102.
<AC6605> system-view
[AC6605] sysname AC_2
[AC_2] vlan batch 100 102
[AC_2] interface gigabitethernet 0/0/1
[AC_2-GigabitEthernet0/0/1] port link-type trunk
[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC_2-GigabitEthernet0/0/1] quit
[AC_2] interface vlanif 100
[AC_2-Vlanif100] ip address 10.23.100.3 255.255.255.0
[AC_2-Vlanif100] quit

# On AC_3, add GE0/0/1 connected to Switch_1 to VLAN 100, VLAN 101, and VLAN 102.
<AC6605> system-view
[AC6605] sysname AC_3
[AC_3] vlan batch 100 to 102
[AC_3] interface gigabitethernet 0/0/1
[AC_3-GigabitEthernet0/0/1] port link-type trunk
[AC_3-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 102
[AC_3-GigabitEthernet0/0/1] quit
[AC_3] interface vlanif 100
[AC_3-Vlanif100] ip address 10.23.100.4 255.255.255.0
[AC_3-Vlanif100] quit

Step 2 Configure Switch_1 as a DHCP server to assign IP addresses to STAs and APs. Switch_1
allocates IP addresses to APs from the IP address pool on VLANIF 100, and allocates IP
addresses to STA_1 and STA_2 from the IP address pool on VLANIF 101 and VLANIF 102
respectively.
[Switch_1] dhcp enable
[Switch_1] interface vlanif 100
[Switch_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch_1-Vlanif100] dhcp select interface
[Switch_1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.4
[Switch_1-Vlanif100] quit
[Switch_1] interface vlanif 101
[Switch_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch_1-Vlanif101] dhcp select interface
[Switch_1-Vlanif101] quit
[Switch_1] interface vlanif 102
[Switch_1-Vlanif102] ip address 10.23.102.1 255.255.255.0
[Switch_1-Vlanif102] dhcp select interface
[Switch_1-Vlanif102] quit

Step 3 Configure basic WLAN services on AC_1.


1. Configure the APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit

# Configure the AC's source interface.


[AC_1] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to the AP group ap-group1. In this
example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based
on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the
AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.

[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit

# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC_1-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

2. Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.


NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit

# Create AP system profile ap-system and configure the AP's individual priority.
[AC_1-wlan-view] ap-system-profile name ap-system
[AC_1-wlan-ap-system-prof-ap-system] priority 3
Warning: This action will take effect after resetting AP.
[AC_1-wlan-ap-system-prof-ap-system] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
wlan-net to radio 0 and radio 1 of the APs.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_1-wlan-ap-group-ap-group1] quit

Step 4 Configure basic WLAN services and AP priority for AC_2.


# Configure basic parameters for AC_2 according to the configurations of AC_1.
# Configure the source interface of AC_2.
[AC_2] capwap source interface vlanif 100
[AC_2] wlan

# Create AP group ap-group2.


[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] quit

# Import the APs offline on the AC and add the APs to the AP group ap-group2. In this
example, the AP's MAC address is 60de-4474-9640. Configure a name for the AP based on
the AP's deployment location, so that you can know where the AP is located. For example, if
the AP with MAC address 60de-4474-9640 is deployed in area 2, name the AP area_2.
[AC_2-wlan-view] ap auth-mode mac-auth
[AC_2-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_2-wlan-ap-1] ap-name area_2
[AC_2-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_2-wlan-ap-1] quit


# Create security profile wlan-net1 and set the security policy in the profile.
[AC_2-wlan-view] security-profile name wlan-net1
[AC_2-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_2-wlan-sec-prof-wlan-net1] quit

# Create an SSID profile and set the SSID name to wlan-net1.


[AC_2-wlan-view] ssid-profile name wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] quit

# Create AP system profile ap-system1 and configure the AP priority.


[AC_2-wlan-view] ap-system-profile name ap-system1
[AC_2-wlan-ap-system-prof-ap-system1] priority 3
Warning: This action will take effect after resetting AP.
[AC_2-wlan-ap-system-prof-ap-system1] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_2-wlan-view] vap-profile name wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_2-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_2-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] quit

# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
wlan-net1 to radio 0 and radio 1 of the APs.
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_2-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_2-wlan-ap-group-ap-group2] quit

# Set the other parameters in the same way as on AC_1.


Step 5 Configure basic WLAN services on AC_3.
1. Configure the APs to go online.
# Create an AP group to which the APs with the same configuration can be added.
[AC_3] wlan
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_3-wlan-view] regulatory-domain-profile name default
[AC_3-wlan-regulate-domain-default] country-code cn
[AC_3-wlan-regulate-domain-default] quit
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y

[AC_3-wlan-ap-group-ap-group2] quit
[AC_3-wlan-view] quit

# Configure the AC's source interface.


[AC_3] capwap source interface vlanif 100

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
[AC_3] wlan
[AC_3-wlan-view] ap auth-mode mac-auth
[AC_3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_3-wlan-ap-0] ap-name area_1
[AC_3-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-0] quit
[AC_3-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_3-wlan-ap-1] ap-name area_2
[AC_3-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check the AP state.
The command output shows that both APs are in the fault state.
[AC_3-wlan-view] display ap all
Total AP information:
fault : fault [2]
---------------------------------------------------------------------------------------
ID MAC            Name   Group     IP Type     State STA Uptime
---------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 -  AP5030DN fault 0   -
1  60de-4474-9640 area_2 ap-group2 -  AP5030DN fault 0   -
---------------------------------------------------------------------------------------
Total: 2

2. Configure WLAN service parameters.


# Create security profiles wlan-net and wlan-net1, and configure security policies.
[AC_3-wlan-view] security-profile name wlan-net
[AC_3-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net] quit
[AC_3-wlan-view] security-profile name wlan-net1
[AC_3-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net1] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_3-wlan-view] ssid-profile name wlan-net
[AC_3-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_3-wlan-ssid-prof-wlan-net] quit

# Create SSID profile wlan-net1 and set the SSID name to wlan-net1.
[AC_3-wlan-view] ssid-profile name wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] quit

# Create AP system profile ap-system and configure the IP address of the standby AC.

[AC_3-wlan-view] ap-system-profile name ap-system


[AC_3-wlan-ap-system-prof-ap-system] protect-ac ip-address 10.23.100.2
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system] quit

# Create AP system profile ap-system1 and configure the IP address of the standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system1
[AC_3-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.23.100.3
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system1] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net
[AC_3-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_3-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_3-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] quit

# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
wlan-net to radio 0 and radio 1 of the APs.
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_3-wlan-ap-group-ap-group2] quit

Step 6 Enable N+1 backup on AC_1, AC_2, and AC_3.

# On AC_1, configure the AC's global priority and IP address of AC_3.


NOTE
AC priorities determine the AC roles. The AC with a higher priority is the active AC, and the AC with a
lower priority is the standby AC. A smaller value indicates a higher priority. If the AC priorities are the same,
the AC that connects to more APs is the active AC. If the ACs connect to the same number of APs, the AC
that connects to more STAs is the active AC. If the ACs connect to the same number of STAs, the AC with a
smaller IP address is the active AC.
[AC_1-wlan-view] ac protect priority 6 protect-ac 10.23.100.4

# On AC_2, configure the AC's global priority and IP address of AC_3.


[AC_2-wlan-view] ac protect priority 6 protect-ac 10.23.100.4

# Configure the global priority of AC_3.


[AC_3-wlan-view] ac protect priority 5

# On AC_1, enable N+1 backup and restart all APs to make the function take effect.

NOTE
By default, N+1 backup is enabled. The system displays an Info message if you run the undo ac protect
enable command. You need to run the ap-reset all command to restart all APs. After the APs are restarted,
N+1 backup starts to take effect.
[AC_1-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# On AC_2, enable N+1 backup and restart all APs to make the function take effect.
[AC_2-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# Enable revertive switchover and N+1 backup on AC_3.


NOTE
By default, global revertive switchover is enabled. The system displays an Info message if you run the undo
ac protect restore disable command.
[AC_3-wlan-view] undo ac protect restore disable
Info: Protect restore has already enabled.
[AC_3-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_3-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

Step 7 Verify the configuration.

# Run the display ac protect and display ap-system-profile commands on AC_1 to check
N+1 backup information.
[AC_1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.100.4
Priority : 6
Protect restore : enable
...
------------------------------------------------------------
[AC_1-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority : 3
Protect AC IP address : 10.23.100.4
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------

# Run the display ac protect and display ap-system-profile commands on AC_2 to check
N+1 backup information.
[AC_2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.100.4
Priority : 6
Protect restore : enable
...
------------------------------------------------------------
[AC_2-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : 3
Protect AC IP address : 10.23.100.4
Primary AC : -
Backup AC : -

...
------------------------------------------------------------------------------

# Run the display ac protect and display ap-system-profile commands on AC_3 to check
N+1 backup information.
[AC_3-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : -
Priority : 5
Protect restore : enable
...
------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.100.2
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.100.3
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------

The WLAN with the SSID wlan-net or wlan-net1 is available for STAs connected to the
APs, and these STAs can connect to the WLAN and go online normally.
When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the active role. This
accelerates service recovery.

----End

Configuration Files
• Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.100.2 10.23.100.4
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
return
• Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 102
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
return
• AC_1 configuration file
#
sysname AC_1
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
 ac protect protect-ac 10.23.100.4 priority 6
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ap-system-profile name ap-system
  priority 3
 ap-group name ap-group1
  ap-system-profile ap-system
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return
• AC_2 configuration file
#
sysname AC_2
#
vlan batch 100 102
#
interface Vlanif100
 ip address 10.23.100.3 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
capwap source interface vlanif100
#
wlan
 ac protect protect-ac 10.23.100.4 priority 6
 security-profile name wlan-net1
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net1
  ssid wlan-net1
 vap-profile name wlan-net1
  service-vlan vlan-id 102
  ssid-profile wlan-net1
  security-profile wlan-net1
 regulatory-domain-profile name default
 ap-system-profile name ap-system1
  priority 3
 ap-group name ap-group2
  ap-system-profile ap-system1
  radio 0
   vap-profile wlan-net1 wlan 1
  radio 1
   vap-profile wlan-net1 wlan 1
 ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
  ap-name area_2
  ap-group ap-group2
#
return
• AC_3 configuration file
#
sysname AC_3
#
vlan batch 100 to 102
#
interface Vlanif100
 ip address 10.23.100.4 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
wlan
 ac protect priority 5
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 security-profile name wlan-net1
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 ssid-profile name wlan-net1
  ssid wlan-net1
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 vap-profile name wlan-net1
  service-vlan vlan-id 102
  ssid-profile wlan-net1
  security-profile wlan-net1
 regulatory-domain-profile name default
 ap-system-profile name ap-system
  protect-ac ip-address 10.23.100.2
 ap-system-profile name ap-system1
  protect-ac ip-address 10.23.100.3
 ap-group name ap-group1
  ap-system-profile ap-system
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-group name ap-group2
  ap-system-profile ap-system1
  radio 0
   vap-profile wlan-net1 wlan 1
  radio 1
   vap-profile wlan-net1 wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
 ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
  ap-name area_2
  ap-group ap-group2
#
return
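
N+1 backup behaves as intended only when the standby AC carries the same security, SSID and VAP profiles and AP groups as each active AC, and when the protect-ac addresses on both sides point at each other. The following Python audit of saved configuration files is an added example, not Huawei code; the function names are hypothetical, and the sample configurations are constructed from the AC_1 and AC_3 files above (trimmed to the wlan-net service, with placeholder cipher text).

```python
import re

CIPHER = re.compile(r"%\^%#.*?%\^%#")  # per-device ciphertext, not comparable across ACs
SHARED = ("security-profile name ", "ssid-profile name ",
          "vap-profile name ", "ap-group name ")

# Constructed sample: wlan view of AC_1, trimmed to the wlan-net service.
AC_1 = """\
wlan
 ac protect protect-ac 10.23.100.4 priority 6
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#CONSTRUCTED-A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 ap-system-profile name ap-system
  priority 3
 ap-group name ap-group1
  ap-system-profile ap-system
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
#
return
"""
# Constructed standby (AC_3): same service profiles, own priority, protect-ac back to AC_1.
AC_3 = (AC_1.replace("ac protect protect-ac 10.23.100.4 priority 6", "ac protect priority 5")
            .replace("CONSTRUCTED-A", "CONSTRUCTED-B")
            .replace("  priority 3", "  protect-ac ip-address 10.23.100.2"))
# Constructed drift: clients land in another VLAN and the profile points at the wrong AC.
AC_3_DRIFT = (AC_3.replace("vlan-id 101", "vlan-id 102")
                  .replace("ip-address 10.23.100.2", "ip-address 10.23.100.3"))


def parse_wlan(cfg):
    """Return {block header: [nested settings]} for the 'wlan' view of a config file."""
    blocks, current, in_wlan = {}, None, False
    for raw in cfg.splitlines():
        if raw.strip() == "wlan":
            in_wlan = True
        elif raw.startswith("#"):
            in_wlan = False
        elif in_wlan and raw.strip():
            line = CIPHER.sub("<cipher>", raw.strip())
            if len(raw) - len(raw.lstrip()) == 1:   # one space: a new block header
                current = blocks.setdefault(line, [])
            elif current is not None:               # deeper: a setting of that block
                current.append(line)
    return blocks


def audit_pair(active_cfg, active_ip, standby_cfg, standby_ip):
    """List the inconsistencies between one active AC and the standby AC."""
    act, stb = parse_wlan(active_cfg), parse_wlan(standby_cfg)
    findings = []
    # 1. Service profiles and AP groups of the active AC must exist unchanged on the standby.
    for header, body in act.items():
        if header.startswith(SHARED):
            if header not in stb:
                findings.append(f"standby is missing '{header}'")
            elif stb[header] != body:
                findings.append(f"'{header}' differs between active and standby")
    # 2. The active AC must name the standby as its protect AC.
    protect = next((re.search(r"protect-ac (\S+)", h)
                    for h in act if h.startswith("ac protect ")), None)
    if not protect or protect.group(1) != standby_ip:
        findings.append(f"active AC does not name {standby_ip} as protect-ac")
    # 3. On the standby, the AP system profile of each shared group must point back.
    for header, body in stb.items():
        if header.startswith("ap-group name ") and header in act:
            prof = next((l.split()[1] for l in body
                         if l.startswith("ap-system-profile ")), None)
            if f"protect-ac ip-address {active_ip}" not in stb.get(
                    f"ap-system-profile name {prof}", []):
                findings.append(f"{header}: standby profile {prof} does not protect {active_ip}")
    # 4. A VAP profile must only reference profiles defined on the same device.
    for name, blocks in (("active", act), ("standby", stb)):
        for header, body in blocks.items():
            if header.startswith("vap-profile name "):
                for line in body:
                    kind, _, ref = line.partition(" ")
                    if (kind in ("security-profile", "ssid-profile")
                            and f"{kind} name {ref}" not in blocks):
                        findings.append(f"{name}: {header} references undefined {kind} {ref}")
    return findings


if __name__ == "__main__":
    for label, standby in (("matching", AC_3), ("drifted", AC_3_DRIFT)):
        print(label, audit_pair(AC_1, "10.23.100.2", standby, "10.23.100.4"))
```

Run it once per active AC against the standby; an empty list means the pair is consistent for the checks above.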

4.7.7 Example for Configuring N+1 Backup for ACs in Different Network Segments

Service Requirements
A large enterprise has branches in different areas. ACs are deployed in the branches to
manage APs and provide WLAN access and e-mail services. These services do not require high
network reliability and tolerate temporary service interruption. To save costs, a single AC is
required to back up all the other ACs. In this scenario, the enterprise can deploy a
high-performance AC at the headquarters as a standby AC to provide backup services for the
active ACs in the branches.

Networking Requirements
• AC networking mode: Layer 3 bypass mode
• DHCP deployment mode: Router_3 functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 4-44 Networking for configuring N+1 backup

Data Planning

Table 4-46 AC data planning

Item                           Data

Management VLAN for APs        AC_1 (active AC): VLAN 99
                               AC_2 (active AC): VLAN 100

Service VLAN for STAs          AC_1: VLAN 101
                               AC_2: VLAN 102

DHCP server                    Router_3 functions as a DHCP server to assign IP
                               addresses to APs and STAs.
                               STAs' gateway:
                               • STA_1: 10.23.101.1/24
                               • STA_2: 10.23.102.1/24
                               APs' gateway:
                               • AP_1: 10.23.99.1/24
                               • AP_2: 10.23.100.1/24

IP address pool for APs        AP_1: 10.23.99.2-10.23.99.254/24
                               AP_2: 10.23.100.2-10.23.100.254/24

IP address pool for STAs       STA1: 10.23.101.2-10.23.101.254/24
                               STA2: 10.23.102.2-10.23.102.254/24

AC's source interface          AC_1: VLANIF 201
                               AC_2: VLANIF 202
                               AC_3: VLANIF 203

AC_1's management IP address   VLANIF 201: 10.23.201.1/24

AC_2's management IP address   VLANIF 202: 10.23.202.1/24

AC_3's management IP address   VLANIF 203: 10.23.203.1/24

AP group                       AC_1 (active AC):
                               • Name: ap-group1
                               • Referenced profiles: AP system profile ap-system, VAP
                                 profile wlan-net, and regulatory domain profile default
                               AC_2 (active AC):
                               • Name: ap-group2
                               • Referenced profiles: AP system profile ap-system, VAP
                                 profile wlan-net1, and regulatory domain profile default
                               AC_3 (standby AC):
                               • Name: ap-group1
                                 – Referenced profiles: AP system profile ap-system, VAP
                                   profile wlan-net, and regulatory domain profile default
                               • Name: ap-group2
                                 – Referenced profiles: AP system profile ap-system, VAP
                                   profile wlan-net1, and regulatory domain profile default

Regulatory domain profile      • Name: default
                               • Country code: China

SSID profile                   AC_1:
                               • Name: wlan-net
                               • SSID name: wlan-net
                               AC_2:
                               • Name: wlan-net1
                               • SSID name: wlan-net1
                               AC_3:
                               • Name: wlan-net
                               • SSID name: wlan-net
                               • Name: wlan-net1
                               • SSID name: wlan-net1

Security profile               AC_1, AC_3:
                               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567
                               AC_2, AC_3:
                               • Name: wlan-net1
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567

AP system profile              AC_3 (standby AC): ap-system and ap-system1

VAP profile                    AC_1:
                               • Name: wlan-net
                               • Forwarding mode: direct forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-net and security
                                 profile wlan-net
                               AC_2:
                               • Name: wlan-net1
                               • Forwarding mode: direct forwarding
                               • Service VLAN: VLAN 102
                               • Referenced profiles: SSID profile wlan-net1 and security
                                 profile wlan-net1
                               AC_3:
                               • Name: wlan-net
                                 – Forwarding mode: direct forwarding
                                 – Service VLAN: VLAN 101
                                 – Referenced profiles: SSID profile wlan-net and
                                   security profile wlan-net
                               • Name: wlan-net1
                                 – Forwarding mode: direct forwarding
                                 – Service VLAN: VLAN 102
                                 – Referenced profiles: SSID profile wlan-net1 and
                                   security profile wlan-net1

Global priority:               AC_1: 0
                               AC_2: 0
                               AC_3: 5

Configuration Roadmap
1. Configure network interworking of each AC and other network devices. Configure
Router_3 as a DHCP server to assign IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2 respectively, and
configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the standby AC and configure basic WLAN services on AC_3.
Ensure that service configurations on AC_3 are the same as those on AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC. When N+1
backup is enabled, all APs are restarted.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the routers, switches, and ACs to ensure communications among them.
# On Router_1, create VLAN 99, VLAN 101 and VLAN 201. VLAN 99 is used as the
management VLAN and VLAN 101 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_1 to VLAN 99 and VLAN 101, and Eth2/0/1 connected to AC_1 to VLAN 201.
Configure the IP address 10.23.99.1/24 for VLANIF 99, 10.23.101.1/24 for VLANIF 101 and
10.23.201.2/24 for VLANIF 201.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 99 101 201
[Router_1] interface ethernet 2/0/0
[Router_1-Ethernet2/0/0] port link-type trunk
[Router_1-Ethernet2/0/0] port trunk allow-pass vlan 99 101
[Router_1-Ethernet2/0/0] quit
[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 201
[Router_1-Ethernet2/0/1] quit
[Router_1] interface vlanif 99
[Router_1-Vlanif99] ip address 10.23.99.1 255.255.255.0
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] quit
[Router_1] interface vlanif 201
[Router_1-Vlanif201] ip address 10.23.201.2 255.255.255.0
[Router_1-Vlanif201] quit

# On Router_2, create VLAN 100, VLAN 102 and VLAN 202. VLAN 100 is used as the
management VLAN and VLAN 102 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_2 to VLAN 100 and VLAN 102, and Eth2/0/1 connected to AC_2 to VLAN 202.
Configure the IP address 10.23.100.1/24 for VLANIF 100, 10.23.102.1/24 for VLANIF 102
and 10.23.202.2/24 for VLANIF 202. See Router_1 for the detailed configuration procedure.

# On Router_3, create VLAN 200 and VLAN 203, add Eth2/0/0 connected to the Network to
VLAN 200, and add Eth2/0/1 connected to AC_3 to VLAN 203. Configure the IP address
10.23.200.1/24 for VLANIF 200 and 10.23.203.2/24 for VLANIF 203.
See Router_1 for the detailed configuration procedure.
# On Switch_1, create VLAN 99 and VLAN 101. Add GE0/0/2 connected to Router_1 and
GE0/0/1 connected to AP_1 to VLAN 99 and VLAN 101, and set the PVID of GE0/0/1 to
VLAN 99.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 99 101
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 99
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/1] port-isolate enable
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/2] quit

# On Switch_2, create VLAN 100 and VLAN 102. Add GE0/0/2 connected to Router_2 and
GE0/0/1 connected to AP_2 to VLAN 100 and VLAN 102, and set the PVID of GE0/0/1 to
VLAN 100. See Switch_1 for the detailed configuration procedure.
# On AC_1, create VLAN 101 and VLAN 201, and add GE0/0/1 connected to Router_1 to
VLAN 201. Configure the IP address 10.23.201.1/24 for VLANIF 201.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 101 201
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 201
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface vlanif 201
[AC_1-Vlanif201] ip address 10.23.201.1 255.255.255.0
[AC_1-Vlanif201] quit

# On AC_2, create VLAN 102 and VLAN 202, and add GE0/0/1 connected to Router_2 to
VLAN 202. Configure the IP address 10.23.202.1/24 for VLANIF 202. See AC_1 for the
detailed configuration procedure.
# On AC_3, create VLAN 101, VLAN 102, and VLAN 203, and add GE0/0/1 connected to
Router_3 to VLAN 203. Configure the IP address 10.23.203.1/24 for VLANIF 203. See
AC_1 for the detailed configuration procedure.
# Configure reachable routes between AC_1 and AC_3, AP_1 and AC_3, AC_2 and AC_3,
and between AP_2 and AC_3. Perform the configurations according to networking
requirements. The configuration procedure is not provided here.
# Configure the route between AC_1 and AP_1 with the next hop as Router_1's VLANIF 201.
[AC_1] ip route-static 10.23.99.0 24 10.23.201.2

# Configure the route between AC_2 and AP_2 with the next hop as Router_2's VLANIF 202.
[AC_2] ip route-static 10.23.100.0 24 10.23.202.2

Step 2 Configure a DHCP server to assign IP addresses to APs and STAs.


# Configure Router_1 as a DHCP relay agent.
[Router_1] dhcp enable
[Router_1] interface vlanif 99

[Router_1-Vlanif99] dhcp select relay


[Router_1-Vlanif99] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] dhcp select relay
[Router_1-Vlanif101] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif101] quit

# Configure Router_2 as a DHCP relay agent.


[Router_2] dhcp enable
[Router_2] interface vlanif 100
[Router_2-Vlanif100] dhcp select relay
[Router_2-Vlanif100] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif100] quit
[Router_2] interface vlanif 102
[Router_2-Vlanif102] dhcp select relay
[Router_2-Vlanif102] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif102] quit

# Configure Router_3 as the DHCP server to assign IP addresses to APs and STAs, and
configure the Option 43 field to advertise the IP addresses of AC_1 and AC_3 to AP_1, and
to advertise the IP addresses of AC_2 and AC_3 to AP_2. Configure the DHCP server to
assign IP addresses to AP_1 from the IP address pool ap_1_pool, to AP_2 from ap_2_pool, to
STA1 from sta_1_pool, and to STA2 from sta_2_pool.

NOTE

In this example, AP_1 and AP_2 cannot share an IP address pool; otherwise, AP_1 can discover AC_2 and
AP_2 can discover AC_1, which prevents the APs from connecting to the correct AC based on AC priority.
[Router_3] dhcp enable
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24
[Router_3-ip-pool-sta_1_pool] gateway-list 10.23.101.1
[Router_3-ip-pool-sta_1_pool] quit
[Router_3] ip pool sta_2_pool
[Router_3-ip-pool-sta_2_pool] network 10.23.102.0 mask 24
[Router_3-ip-pool-sta_2_pool] gateway-list 10.23.102.1
[Router_3-ip-pool-sta_2_pool] quit

Step 3 Configure basic WLAN services on AC_1.


1. Configure the APs to go online.
# Create an AP group to which the APs with the same configuration can be added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit

[AC_1-wlan-view] ap-group name ap-group1


[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit

# Configure the source interface of AC_1.


[AC_1] capwap source interface vlanif 201

# Import the APs offline on the AC and add the APs to the AP group ap-group1. In this
example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based
on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the
AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1.

[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit

# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID   MAC            Name   Group     IP           Type     State STA Uptime
--------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.99.254 AP5030DN nor   0   10S
--------------------------------------------------------------------------------
Total: 1

2. Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, the security policy must be configured according to service requirements.

[AC_1-wlan-view] security-profile name wlan-net


[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.

[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP group and apply the VAP profile wlan-net to radio 0
and radio 1 of the APs.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit

Step 4 Configure basic WLAN services on AC_2.

# Configure basic parameters for AC_2 according to the configurations of AC_1.

# Configure the source interface of AC_2.


[AC_2] capwap source interface vlanif 202

# Create AP group ap-group2.


[AC_2] wlan
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] quit

# Import the APs offline on the AC and add the APs to the AP group ap-group2. In this
example, the AP's MAC address is 60de-4474-9640. Configure a name for the AP based on
the AP's deployment location, so that you can know where the AP is located. For example, if
the AP with MAC address 60de-4474-9640 is deployed in area 2, name the AP area_2.
[AC_2] wlan
[AC_2-wlan-view] ap auth-mode mac-auth
[AC_2-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_2-wlan-ap-1] ap-name area_2
[AC_2-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_2-wlan-ap-1] quit

# Create security profile wlan-net1 and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AC_2-wlan-view] security-profile name wlan-net1


[AC_2-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_2-wlan-sec-prof-wlan-net1] quit

# Create an SSID profile and set the SSID name to wlan-net1.


[AC_2-wlan-view] ssid-profile name wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_2-wlan-view] vap-profile name wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_2-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_2-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-net1] quit

# Bind the VAP profile to the AP group and apply the VAP profile wlan-net1 to radio 0 and
radio 1 of the APs.
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_2-wlan-ap-group-ap-group2] quit

# Configure the other parameters in the same way as on AC_1.


Step 5 Configure basic WLAN services on AC_3.
1. Configure the APs to go online.
# Create an AP group to which the APs with the same configuration can be added.
[AC_3] wlan
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_3-wlan-view] regulatory-domain-profile name default
[AC_3-wlan-regulate-domain-default] country-code cn
[AC_3-wlan-regulate-domain-default] quit
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group2] quit
[AC_3-wlan-view] quit

# Configure the source interface of AC_3.


[AC_3] capwap source interface Vlanif 203

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
[AC_3] wlan
[AC_3-wlan-view] ap auth-mode mac-auth
[AC_3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_3-wlan-ap-0] ap-name area_1
[AC_3-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-0] quit
[AC_3-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_3-wlan-ap-1] ap-name area_2
[AC_3-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-1] quit

# Run the display ap all command on the AC to check the AP running status. The
command output shows that both area_1 and area_2 are in the fault state.
[AC_3-wlan-view] display ap all
Total AP information:
idle : idle [2]
------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 - - fault 0 -
1 60de-4474-9640 area_2 ap-group2 - - fault 0 -
------------------------------------------------------------------------
Total: 2

2. Configure WLAN service parameters.

# Create security profiles wlan-net and wlan-net1, and configure security policies.
[AC_3-wlan-view] security-profile name wlan-net
[AC_3-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net] quit
[AC_3-wlan-view] security-profile name wlan-net1
[AC_3-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-net1] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_3-wlan-view] ssid-profile name wlan-net
[AC_3-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_3-wlan-ssid-prof-wlan-net] quit

# Create SSID profile wlan-net1 and set the SSID name to wlan-net1.
[AC_3-wlan-view] ssid-profile name wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] quit

# Create AP system profile ap-system and configure the IP address of the standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system
[AC_3-wlan-ap-system-prof-ap-system] protect-ac ip-address 10.23.201.1
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system] quit

# Create AP system profile ap-system1 and configure the IP address of the standby AC.
[AC_3-wlan-view] ap-system-profile name ap-system1
[AC_3-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.23.202.1
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system1] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net
[AC_3-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_3-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_3-wlan-vap-prof-wlan-net] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-net1] service-vlan vlan-id 102
[AC_3-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-net1] quit

# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
to radio 0 and radio 1 of the APs.
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-net1 wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group2] ap-system-profile ap-system1
[AC_3-wlan-ap-group-ap-group2] quit

Step 6 Enable N+1 backup on AC_1, AC_2, and AC_3.


# On AC_1, configure the AC's global priority and IP address of AC_3.
NOTE
AC priorities determine the AC roles. The AC with a higher priority is the active AC, and the AC with a
lower priority is the standby AC. A smaller value indicates a higher priority. If the AC priorities are the same,
the AC that connects to more APs is the active AC. If the ACs connect to the same number of APs, the AC
that connects to more STAs is the active AC. If the ACs connect to the same number of STAs, the AC with a
smaller IP address is the active AC.
[AC_1-wlan-view] ac protect priority 0 protect-ac 10.23.203.1

# On AC_2, configure the AC's global priority and IP address of AC_3.


[AC_2-wlan-view] ac protect priority 0 protect-ac 10.23.203.1

# Configure the global priority of AC_3.


[AC_3-wlan-view] ac protect priority 5

# On AC_1, enable N+1 backup and restart all APs to make the function take effect.
NOTE
By default, N+1 backup is enabled. The system displays an Info message if you run the undo ac protect
enable command. You need to run the ap-reset all command to restart all APs. After the APs are restarted,
N+1 backup starts to take effect.
[AC_1-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# On AC_2, enable N+1 backup and restart all APs to make the function take effect.
[AC_2-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# Enable revertive switchover and N+1 backup on AC_3.


NOTE
By default, global revertive switchover is enabled. The system displays an Info message if you run the undo
ac protect restore disable command.
[AC_3-wlan-view] undo ac protect restore disable
Info: Protect restore has already enabled.

[AC_3-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_3-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

Step 7 Verify the configuration.


# Run the display ac protect command on AC_1 to check N+1 backup information.
[AC_1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.203.1
Priority : 0
Protect restore : enable
...
------------------------------------------------------------

# Run the display ac protect command on AC_2 to check N+1 backup information.
[AC_2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.203.1
Priority : 0
Protect restore : enable
...
------------------------------------------------------------

# Run the display ac protect and display ap-system-profile commands on AC_3 to check
N+1 backup information.
[AC_3-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : -
Priority : 5
Protect restore : enable
...
------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.201.1
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.202.1
Primary AC : -
Backup AC : -
...
------------------------------------------------------------------------------

The WLAN with the SSID wlan-net or wlan-net1 is available for STAs connected to the
APs, and these STAs can connect to the WLAN and go online normally.
When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the active role, which
accelerates service recovery.

----End
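
The role-selection order described in the NOTE in Step 6, written out as an added example that is not part of the Huawei document. The function names are hypothetical, and the AP and STA counts and the TIE_ACS entries are constructed; the final tie-break compares addresses numerically, which a plain string comparison gets wrong.

```python
import ipaddress

# AC_1 and AC_3 use the priorities and addresses configured above; the AP and
# STA counts, and the TIE_ACS entries, are constructed for illustration.
PAGE_ACS = [
    {"name": "AC_3", "priority": 5, "aps": 0, "stas": 0, "ip": "10.23.203.1"},
    {"name": "AC_1", "priority": 0, "aps": 1, "stas": 0, "ip": "10.23.201.1"},
]
TIE_ACS = [
    {"name": "AC_X", "priority": 0, "aps": 4, "stas": 20, "ip": "10.23.201.1"},
    {"name": "AC_Y", "priority": 0, "aps": 4, "stas": 20, "ip": "10.23.9.1"},
]

RULES = ("priority", "AP count", "STA count", "IP address")


def election_key(ac):
    """Sort key for the order in the NOTE; the AC that sorts first is active."""
    return (
        ac["priority"],                          # smaller value = higher priority
        -ac["aps"],                              # then the AC with more APs
        -ac["stas"],                             # then the AC with more STAs
        int(ipaddress.IPv4Address(ac["ip"])),    # then the numerically smaller IP
    )


def elect_active(acs):
    """Return (name of the active AC, rule that separated it from the runner-up)."""
    ranked = sorted(acs, key=election_key)
    winner = ranked[0]
    if len(ranked) > 1:
        pairs = zip(RULES, election_key(winner), election_key(ranked[1]))
        for rule, mine, theirs in pairs:
            if mine != theirs:
                return winner["name"], rule
    return winner["name"], None    # single AC, or identical on every field


if __name__ == "__main__":
    print(elect_active(PAGE_ACS))
    print(elect_active(TIE_ACS))
```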

Configuration Files
• Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 99 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 99
 port trunk allow-pass vlan 99 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 99 101
#
return

• Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 100 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 102
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
return

• AC_1 configuration file
#
sysname AC_1
#
vlan batch 101 201
#
interface Vlanif201
 ip address 10.23.201.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 201
#
ip route-static 10.23.99.0 255.255.255.0 10.23.201.2
#
capwap source interface vlanif201
#
wlan
 ac protect protect-ac 10.23.203.1
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return
• AC_2 configuration file
#
sysname AC_2
#
vlan batch 102 202
#
interface Vlanif202
 ip address 10.23.202.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 202
#
ip route-static 10.23.101.0 255.255.255.0 10.23.202.2
#
capwap source interface vlanif202
#
wlan
 ac protect protect-ac 10.23.203.1
 security-profile name wlan-net1
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net1
  ssid wlan-net1
 vap-profile name wlan-net1
  service-vlan vlan-id 102
  ssid-profile wlan-net1
  security-profile wlan-net1
 regulatory-domain-profile name default
 ap-group name ap-group2
  radio 0
   vap-profile wlan-net1 wlan 1
  radio 1
   vap-profile wlan-net1 wlan 1
 ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
  ap-name area_2
  ap-group ap-group2
#
return
• AC_3 configuration file
#
sysname AC_3
#
vlan batch 101 to 102 203
#
interface Vlanif203
 ip address 10.23.203.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 203
#
capwap source interface vlanif203
#
wlan
 ac protect priority 5
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 security-profile name wlan-net1
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 ssid-profile name wlan-net1
  ssid wlan-net1
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 vap-profile name wlan-net1
  service-vlan vlan-id 102
  ssid-profile wlan-net1
  security-profile wlan-net1
 regulatory-domain-profile name default
 ap-system-profile name ap-system
  protect-ac ip-address 10.23.201.1
 ap-system-profile name ap-system1
  protect-ac ip-address 10.23.202.1
 ap-group name ap-group1
  ap-system-profile ap-system
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-group name ap-group2
  ap-system-profile ap-system1
  radio 0
   vap-profile wlan-net1 wlan 1
  radio 1
   vap-profile wlan-net1 wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
 ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
  ap-name area_2
  ap-group ap-group2
#
return
• Router_1 configuration file
#
sysname Router_1
#
vlan batch 99 101 201
#
dhcp enable
#
interface Vlanif99
 ip address 10.23.99.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.200.1
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.200.1
#
interface Vlanif201
 ip address 10.23.201.2 255.255.255.0
#
interface Ethernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 99 101
#
interface Ethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 201
#
return

• Router_2 configuration file
#
sysname Router_2
#
vlan batch 100 102 202
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.200.1
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.200.1
#
interface Vlanif202
 ip address 10.23.202.2 255.255.255.0
#
interface Ethernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
interface Ethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 202
#
return

• Router_3 configuration file
#
sysname Router_3
#
vlan batch 200 203
#
dhcp enable
#
ip pool ap_1_pool
 gateway-list 10.23.99.1
 network 10.23.99.0 mask 255.255.255.0
 option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
#
ip pool ap_2_pool
 gateway-list 10.23.100.1
 network 10.23.100.0 mask 255.255.255.0
 option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
#
ip pool sta_1_pool
 gateway-list 10.23.101.1
 network 10.23.101.0 mask 255.255.255.0
#
ip pool sta_2_pool
 gateway-list 10.23.102.1
 network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif200
 ip address 10.23.200.1 255.255.255.0
#
interface Vlanif203
 ip address 10.23.203.2 255.255.255.0
#
interface Ethernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 200
#
interface Ethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 203
#
return
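
The N+1 backup settings in the AC configuration files above refer to each other across three devices, so a typo on one AC only shows up at failover. The following check is an added example, not part of the Huawei document: its function names are hypothetical, its inputs are constructed excerpts of the files above, and it assumes the `ac protect` priority is 0 when a file does not state one (as in the AC_1 and AC_2 files).

```python
# Constructed excerpts of the AC_1, AC_2 and AC_3 configuration files above,
# cut down to the lines this check reads. Leading indentation is ignored.
AC_1 = """sysname AC_1
interface Vlanif201
 ip address 10.23.201.1 255.255.255.0
capwap source interface vlanif201
 ac protect protect-ac 10.23.203.1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-group ap-group1"""
AC_2 = """sysname AC_2
interface Vlanif202
 ip address 10.23.202.1 255.255.255.0
capwap source interface vlanif202
 ac protect protect-ac 10.23.203.1
 ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
  ap-group ap-group2"""
AC_3 = """sysname AC_3
interface Vlanif203
 ip address 10.23.203.1 255.255.255.0
capwap source interface vlanif203
 ac protect priority 5
 ap-system-profile name ap-system
  protect-ac ip-address 10.23.201.1
 ap-system-profile name ap-system1
  protect-ac ip-address 10.23.202.1
 ap-group name ap-group1
  ap-system-profile ap-system
 ap-group name ap-group2
  ap-system-profile ap-system1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-group ap-group1
 ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
  ap-group ap-group2"""

def parse_ac(text):
    """Collect the N+1 backup settings from one AC configuration file."""
    ac = {"name": None, "if_ip": {}, "src_if": None, "priority": 0,  # assumed default
          "protect_ac": None, "prof_ip": {}, "group_prof": {}, "aps": {}}
    ctx = (None, None)  # (kind, name) of the view the current line belongs to
    for w in (line.split() for line in text.splitlines()):
        if not w or w == ["#"]:
            continue
        if w[0] == "sysname":
            ac["name"] = w[1]
        elif w[0] == "interface":
            ctx = ("if", "".join(w[1:]).lower())
        elif w[:2] == ["ip", "address"] and ctx[0] == "if":
            ac["if_ip"][ctx[1]] = w[2]
        elif w[:3] == ["capwap", "source", "interface"]:
            ac["src_if"] = "".join(w[3:]).lower()
        elif w[:2] == ["ac", "protect"]:
            if "priority" in w:
                ac["priority"] = int(w[w.index("priority") + 1])
            if "protect-ac" in w:
                ac["protect_ac"] = w[w.index("protect-ac") + 1]
        elif w[:2] == ["ap-system-profile", "name"]:
            ctx = ("prof", w[2])
        elif w[:2] == ["protect-ac", "ip-address"] and ctx[0] == "prof":
            ac["prof_ip"][ctx[1]] = w[2]
        elif w[:2] == ["ap-group", "name"]:
            ctx = ("group", w[2])
        elif w[0] == "ap-system-profile" and ctx[0] == "group":
            ac["group_prof"][ctx[1]] = w[1]
        elif w[0] == "ap-id":
            ctx = ("ap", w[w.index("ap-mac") + 1] if "ap-mac" in w else None)
        elif w[0] == "ap-group" and ctx[0] == "ap":
            ac["aps"][ctx[1]] = w[1]
    ac["src_ip"] = ac["if_ip"].get(ac["src_if"])
    return ac

def audit(actives, standby):
    """Return findings where active and standby AC settings do not line up."""
    findings, sb = [], standby["name"]
    for a in actives:
        if a["protect_ac"] != standby["src_ip"]:
            findings.append(f"{a['name']}: protect-ac {a['protect_ac']} is not "
                            f"{sb}'s source address {standby['src_ip']}")
        if a["priority"] >= standby["priority"]:  # smaller value = higher priority
            findings.append(f"{a['name']}: priority {a['priority']} does not "
                            f"outrank {sb} (priority {standby['priority']})")
        for mac in a["aps"]:
            group = standby["aps"].get(mac)
            target = standby["prof_ip"].get(standby["group_prof"].get(group))
            if group is None:
                findings.append(f"{a['name']}: AP {mac} is not imported on {sb}")
            elif target != a["src_ip"]:
                findings.append(f"{a['name']}: AP {mac} on {sb} points back "
                                f"to {target}, not {a['src_ip']}")
    return findings

def check_page_configs():
    """Audit the three excerpts above; an empty list means they agree."""
    return audit([parse_ac(AC_1), parse_ac(AC_2)], parse_ac(AC_3))

if __name__ == "__main__":
    print(check_page_configs() or "N+1 backup settings are consistent")
```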

4.8 Roaming Configuration Examples


4.8.1 Example for Configuring Inter-VLAN Layer 3 Roaming
Service Requirements
Enterprise users access the network through WLANs, which is the basic requirement of
mobile office. To manage departments separately, employees are assigned to different
subnets by department. In addition, users' services must not be affected when they roam
within the coverage area.

Networking Requirement
• AC networking mode: Layer 3 networking in bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 4-45 Networking for configuring inter-VLAN Layer 3 roaming

Data Planning

Table 4-47 AC data planning

| Item | Data |
|---|---|
| Management VLANs for APs | VLAN 10 and VLAN 100 |
| Service VLAN for STAs | area_1: VLAN 101; area_2: VLAN 102 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. The aggregation switch functions as a DHCP server for STAs. The default gateway IP addresses of STAs are 10.23.101.2/24 and 10.23.102.2/24. |
| IP address pool for APs | 10.23.10.2-10.23.10.254/24 |
| IP address pool for STAs | area_1: 10.23.101.3-10.23.101.254/24; area_2: 10.23.102.3-10.23.102.254/24 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net1, regulatory domain profile default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g |
| AP group | Name: ap-group2; Referenced profiles: VAP profile wlan-net2, regulatory domain profile default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g |
| Regulatory domain profile | Name: default; Country code: China; Calibration channel set: calibration bandwidth and channels for 2.4 GHz and 5 GHz radios |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net1; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| VAP profile | Name: wlan-net2; Forwarding mode: direct forwarding; Service VLAN: VLAN 102; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| Air scan profile | Name: wlan-airscan; Probe channel set: calibration channels; Air scan interval: 60000 ms; Air scan period: 60 ms |
| RRM profile | Name: wlan-rrm; Automatic channel calibration: enabled; Automatic power calibration: enabled |
| 2G radio profile | Name: wlan-radio2g; Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm |
| 5G radio profile | Name: wlan-radio5g; Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm |

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
NOTE

During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# On SwitchA, add GE0/0/1 to VLAN 10 and VLAN 101, GE0/0/2 to VLAN 10, VLAN 101,
and VLAN102, and GE0/0/3 to VLAN 10 and VLAN 102. The default VLAN of GE0/0/1
and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.


# Add GE0/0/1 on the AC to VLAN 100 and create VLANIF 100.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

# On the AC, create a global IP address pool to assign IP addresses to APs.


[AC] dhcp enable
[AC] ip pool huawei
[AC-ip-pool-huawei] network 10.23.10.0 mask 24
[AC-ip-pool-huawei] gateway-list 10.23.10.1
[AC-ip-pool-huawei] option 43 sub-option 3 ascii 10.23.100.1
[AC-ip-pool-huawei] quit
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select global
[AC-Vlanif100] quit

Step 4 Configure the DHCP servers to assign IP addresses to APs and STAs.

# Configure DHCP relay on SwitchB.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

# On the AC, create a global IP address pool to assign IP addresses to APs.


[AC] dhcp enable
[AC] ip pool huawei
[AC-ip-pool-huawei] network 10.23.10.0 mask 24
[AC-ip-pool-huawei] gateway-list 10.23.10.1
[AC-ip-pool-huawei] option 43 sub-option 3 ascii 10.23.100.1
[AC-ip-pool-huawei] quit
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select global
[AC-Vlanif100] quit
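
The AP pool's `option 43 sub-option 3 ascii 10.23.100.1` line is what tells an AP behind the DHCP relay which AC to contact. The following is an added example, not part of the original guide: it decodes the Option 43 payload of a captured DHCP offer and reports any AC address outside an approved list. It assumes the encapsulated code/length/value layout of RFC 2132 and a comma-separated address list; the function names, the approved list and the sample offers are constructed for illustration.

```python
import ipaddress


def encode_option43(sub_option, text):
    """Payload assumed for `option 43 sub-option <n> ascii <text>`:
    one byte sub-option code, one byte length, then the ASCII value."""
    value = text.encode("ascii")
    if not 1 <= len(value) <= 253:  # 255-byte option minus the 2 header bytes
        raise ValueError("sub-option value must be 1..253 bytes")
    return bytes([sub_option, len(value)]) + value


def parse_option43(payload):
    """Split an Option 43 payload into {sub_option_code: value_bytes}.
    Raises ValueError when a header or value runs past the end of the option."""
    subs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length runs past end of option")
        subs[code] = value
        i += 2 + length
    return subs


def ac_addresses(payload, sub_option=3):
    """AC addresses carried in the given sub-option (sub-option 3 on this page)."""
    raw = parse_option43(payload).get(sub_option)
    if raw is None:
        return []
    # Assumption: several ACs are listed as comma-separated dotted-quad strings.
    return [ipaddress.ip_address(p.strip()) for p in raw.decode("ascii").split(",")]


def unapproved_acs(payload, approved):
    """Return the AC addresses in an offer that are not on the approved list."""
    allowed = {ipaddress.ip_address(a) for a in approved}
    return [str(a) for a in ac_addresses(payload) if a not in allowed]


# Constructed sample data: the AC address from this example and a made-up address
# standing in for an offer from a DHCP server that is not part of the design.
APPROVED_ACS = ["10.23.100.1"]
GOOD_OFFER = encode_option43(3, "10.23.100.1")
ROGUE_OFFER = encode_option43(3, "10.23.10.66")

if __name__ == "__main__":
    print(GOOD_OFFER.hex())
    print(unapproved_acs(GOOD_OFFER, APPROVED_ACS))
    print(unapproved_acs(ROGUE_OFFER, APPROVED_ACS))
```
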

Step 5 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC and add area_1 and area_2 to AP groups ap-group1 and
ap-group2, respectively. Assume that the MAC address of area_1 is 60de-4476-e360.
Configure a name for the AP based on the AP's deployment location, so that you can know
where the AP is deployed from its name. For example, name the AP area_1 if it is deployed
in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP           Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.10.254 AP5030DN nor   0   15S
1    dcd2-fc04-b500 area_2 ap-group2 10.23.10.253 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 2

Step 6 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profiles wlan-net1 and wlan-net2, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net1
[AC-wlan-vap-prof-wlan-net1] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net1] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net1] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net1] quit
[AC-wlan-view] vap-profile name wlan-net2
[AC-wlan-vap-prof-wlan-net2] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-net2] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net2] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net2] quit

# Bind the VAP profiles to the AP groups. Apply VAP profile wlan-net1 to radio 0 and radio
1 of area_1, and VAP profile wlan-net2 to radio 0 and radio 1 of area_2.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-net2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-net2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] quit

Step 7 Set channels and power for the AP radios.


# Create the RRM profile wlan-rrm and enable automatic channel selection and automatic
transmit power selection in the RRM profile. By default, automatic channel selection and
automatic transmit power selection are enabled.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] undo calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-rrm] undo calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-rrm] quit

# Configure a calibration channel set in the regulatory domain profile.


[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] dca-channel 2.4g channel-set 1,6,11
[AC-wlan-regulate-domain-default] dca-channel 5g bandwidth 20mhz
[AC-wlan-regulate-domain-default] dca-channel 5g channel-set 149,153,157,161
[AC-wlan-regulate-domain-default] quit

# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to AP groups
ap-group1 and ap-group2.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] quit

# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup

# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-
peak hours, for example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00

Step 8 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
1 area_2 0 1 60DE-4474-9640 ON WPA/WPA2-PSK 0 wlan-net
1 area_2 1 1 60DE-4474-9650 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 4

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on AC_2. The command output shows that the STA has
associated with AP_2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
----------------------------------------------------------------------------------------
e019-1dc7-1e08 1     area_2  1/1     5G   11n  46/59 -58  101  10.23.101.254
----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC_2 to check
the STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx:link receive rate/link transmit rate(Mbps)
z:Zero Roam c:PMK Cache Roam r:802.11r Roam
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 1
60DE-4476-E370 2016/01/12 16:52:58 -51/-48 46/13
L3 10.23.100.1 area_2 1
60DE-4474-9650 2016/01/12 16:55:45 -58/- -/-
------------------------------------------------------------------------------
Number: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 102
 port-isolate enable
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100 to 102
#
dhcp enable
#
interface Vlanif10
 ip address 10.23.10.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
ip pool huawei
 gateway-list 10.23.10.1
 network 10.23.10.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
 calibrate enable schedule time 03:00:00
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net1
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 vap-profile name wlan-net2
  service-vlan vlan-id 102
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
  dca-channel 5g channel-set 149,153,157,161
 air-scan-profile name wlan-airscan
  scan-channel-set dca-channel
 rrm-profile name wlan-rrm
 radio-2g-profile name wlan-radio2g
  rrm-profile wlan-rrm
  air-scan-profile wlan-airscan
 radio-5g-profile name wlan-radio5g
  rrm-profile wlan-rrm
  air-scan-profile wlan-airscan
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net1 wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net1 wlan 1
 ap-group name ap-group2
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net2 wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net2 wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
 ap-id 1 type-id 35 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000078
  ap-name area_2
  ap-group ap-group2
#
return

4.8.2 Example for Configuring Intra-VLAN Roaming

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirement
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-46 Networking for configuring intra-VLAN roaming

Data Planning

Table 4-48 AC data planning

Item                           Data
-----------------------------  ----------------------------------------------------------
Management VLAN for APs        VLAN 100

Service VLAN for STAs          VLAN 101

DHCP server                    The AC functions as a DHCP server to assign IP addresses to APs.
                               SwitchB functions as a DHCP server to assign IP addresses to
                               STAs. The default gateway address of STAs is 10.23.101.2.

IP address pool for APs        10.23.100.2-10.23.100.254/24

IP address pool for STAs       10.23.101.3-10.23.101.254/24

AC's source interface address  VLANIF 100: 10.23.100.1/24

AP group                       • Name: ap-group1
                               • Referenced profiles: VAP profile wlan-net, regulatory domain
                                 profile default, 2G radio profile wlan-radio2g, and 5G radio
                                 profile wlan-radio5g

Regulatory domain profile      • Name: default
                               • Country code: CN
                               • Calibration channel set: calibration bandwidth and channels
                                 for 2.4 GHz and 5 GHz radios

SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net

Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567

VAP profile                    • Name: wlan-net
                               • Forwarding mode: tunnel forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-net and security
                                 profile wlan-net

Air scan profile               • Name: wlan-airscan
                               • Probe channel set: calibration channels
                               • Air scan interval: 60000 ms
                               • Air scan period: 60 ms

RRM profile                    • Name: wlan-rrm
                               • Automatic channel calibration: enabled
                               • Automatic power calibration: enabled

2G radio profile               • Name: wlan-radio2g
                               • Referenced profiles: air scan profile wlan-airscan and RRM
                                 profile wlan-rrm

5G radio profile               • Name: wlan-radio5g
                               • Referenced profiles: air scan profile wlan-airscan and RRM
                                 profile wlan-rrm

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
NOTE

During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
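
The port isolation and VLAN separation notes above can be checked mechanically before a change is committed. The following is an added example, not part of the original guide: a small audit over configuration-file text that flags AP-facing trunk ports without `port-isolate enable` and tunnel-forwarding VAP profiles whose service VLAN equals the management VLAN. It assumes that AP-facing ports are the ones whose PVID is the management VLAN and that the management VLAN is the VLANIF named in `capwap source interface`; the function names and both sample configurations are constructed for illustration.

```python
import re

# Constructed samples in configuration-file layout (one space of indentation per level).
SWITCH_CFG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
return
"""

AC_CFG = """\
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
 vap-profile name guest
  forward-mode tunnel
  service-vlan vlan-id 100
 vap-profile name lab
  service-vlan vlan-id 100
#
return
"""


def blocks(text, level):
    """Yield (header, body_lines) for each line indented exactly `level` spaces,
    with the deeper-indented lines that follow it as its body."""
    header, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip(" "))
        if line in ("", "#", "return") or indent < level:
            if header is not None:
                yield header, body
            header, body = None, []
        elif indent == level:
            if header is not None:
                yield header, body
            header, body = line, []
        elif header is not None:
            body.append(line)
    if header is not None:
        yield header, body


def management_vlan(ac_cfg):
    """Assumption: the management VLAN is the VLANIF used as CAPWAP source."""
    m = re.search(r"^capwap source interface vlanif\s*(\d+)", ac_cfg, re.M | re.I)
    return int(m.group(1)) if m else None


def audit_switch(cfg, mgmt_vlan):
    """Flag trunk ports with PVID = management VLAN that lack port isolation."""
    findings = []
    for header, body in blocks(cfg, 0):
        if not header.startswith("interface "):
            continue
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in body
        if ap_facing and "port-isolate enable" not in body:
            findings.append(f"{header}: AP-facing port without port-isolate enable")
    return findings


def audit_ac(cfg):
    """Flag tunnel-forwarding VAP profiles that reuse the management VLAN."""
    findings, mgmt = [], management_vlan(cfg)
    for header, body in blocks(cfg, 1):
        kind, _, name = header.partition(" name ")
        if kind != "vap-profile" or "forward-mode tunnel" not in body:
            continue  # profiles without a forward-mode line are not tunnel profiles
        vlans = [int(l.split()[-1]) for l in body if l.startswith("service-vlan vlan-id ")]
        if mgmt in vlans:
            findings.append(f"vap-profile {name}: tunnel forwarding uses service VLAN "
                            f"{mgmt}, which is the management VLAN")
    return findings


if __name__ == "__main__":
    for finding in audit_switch(SWITCH_CFG, management_vlan(AC_CFG)) + audit_ac(AC_CFG):
        print(finding)
```
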

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA to VLAN 100. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# On the AC, configure VLANIF 100 to assign IP addresses to APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC] wlan
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   15S
1    dcd2-fc04-b500 area_2 ap-group1 10.23.100.253 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 2

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Set channels and power for the AP radios.


# Create the RRM profile wlan-rrm and enable automatic channel selection and automatic
transmit power selection in the RRM profile. By default, automatic channel selection and
automatic transmit power selection are enabled.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] undo calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-rrm] undo calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-rrm] quit

# Configure a calibration channel set in the regulatory domain profile.


[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] dca-channel 2.4g channel-set 1,6,11
[AC-wlan-regulate-domain-default] dca-channel 5g bandwidth 20mhz
[AC-wlan-regulate-domain-default] dca-channel 5g channel-set 149,153,157,161
[AC-wlan-regulate-domain-default] quit

# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup

# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-
peak hours, for example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00

Step 7 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
--------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA/WPA2-PSK 0   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA/WPA2-PSK 0   wlan-net
1     area_2  0    1   60DE-4474-9640 ON     WPA/WPA2-PSK 0   wlan-net
1     area_2  1    1   60DE-4474-9650 ON     WPA/WPA2-PSK 0   wlan-net
--------------------------------------------------------------------------------
Total: 4

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on AC. The command output shows that the STA has
associated with AP_2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 1     area_2  1/1     5G   11n  46/59 -58  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC to check the
STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx:link receive rate/link transmit rate(Mbps)
z:Zero Roam c:PMK Cache Roam r:802.11r Roam
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 1
60DE-4476-E370 2016/01/12 16:52:58 -51/-48 46/13
L2 10.23.100.1 area_2 1
60DE-4474-9650 2016/01/12 16:55:45 -58/- -/-
------------------------------------------------------------------------------
Number: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
return
• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
calibrate enable schedule time 03:00:00
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
rrm-profile name wlan-rrm
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
#
return

4.8.3 Example for Configuring Inter-AC Layer 2 Roaming

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirement
• AC networking mode: AC_1 and AC_2 in a mobility group
• DHCP deployment mode: AC_1 functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-47 Networking for configuring inter-AC Layer 2 roaming

Data Planning

Table 4-49 AC data planning


Item                        Data

DHCP server                 AC_1 functions as a DHCP server to allocate IP addresses to APs and STAs.

IP address pool for APs     10.23.100.3-10.23.100.254/24

IP address pool for STAs    10.23.101.3-10.23.101.254/24

AC's source interface       VLANIF 100: 10.23.100.1/24
address                     • AC_1: 10.23.100.1/24
                            • AC_2: 10.23.100.2/24

AP group                    • Name: ap-group1
                            • Referenced profiles: VAP profile wlan-net, regulatory domain profile
                              default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g

Regulatory domain profile   • Name: default
                            • Country code: CN
                            • Calibration channel set: calibration bandwidth and channels for 2.4 GHz
                              and 5 GHz radios

SSID profile                • Name: wlan-net
                            • SSID name: wlan-net

Security profile            • Name: wlan-net
                            • Security policy: WPA-WPA2+PSK+AES
                            • Password: a1234567

VAP profile                 • Name: wlan-net
                            • Forwarding mode: tunnel forwarding
                            • Service VLAN: VLAN 101
                            • Referenced profiles: SSID profile wlan-net and security profile wlan-net

Air scan profile            • Name: wlan-airscan
                            • Probe channel set: calibration channels
                            • Air scan interval: 60000 ms
                            • Air scan period: 60 ms

RRM profile                 • Name: wlan-rrm
                            • Automatic channel calibration: enabled
                            • Automatic power calibration: enabled

2G radio profile            • Name: wlan-radio2g
                            • Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm

5G radio profile            • Name: wlan-radio5g
                            • Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm

Mobility group              • Name: mobility
                            • Members: AC_1 and AC_2

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure WLAN roaming on AC_1 and AC_2 to achieve inter-AC roaming.
NOTE

During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/2] quit

Step 2 Configure the AC to communicate with the network devices.


# On AC_1, add GE0/0/1 to VLAN 100 and GE0/0/2 to VLAN 100 and VLAN 101.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] vlan batch 100 101
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface gigabitethernet 0/0/2
[AC_1-GigabitEthernet0/0/2] port link-type trunk
[AC_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[AC_1-GigabitEthernet0/0/2] quit
[AC_1] interface vlanif 100
[AC_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[AC_1-Vlanif100] quit
[AC_1] interface vlanif 101
[AC_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[AC_1-Vlanif101] quit

# On AC_2, add GE0/0/1 to VLAN 100 and GE0/0/2 to VLAN 100 and VLAN 101.
<AC6605> system-view
[AC6605] sysname AC_2
[AC_2] vlan batch 100 101
[AC_2] interface gigabitethernet 0/0/1
[AC_2-GigabitEthernet0/0/1] port link-type trunk
[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC_2-GigabitEthernet0/0/1] quit
[AC_2] interface gigabitethernet 0/0/2
[AC_2-GigabitEthernet0/0/2] port link-type trunk
[AC_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[AC_2-GigabitEthernet0/0/2] quit
[AC_2] interface vlanif 100
[AC_2-Vlanif100] ip address 10.23.100.2 255.255.255.0
[AC_2-Vlanif100] quit
[AC_2] interface vlanif 101
[AC_2-Vlanif101] ip address 10.23.101.2 255.255.255.0
[AC_2-Vlanif101] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On AC_1, configure VLANIF 100 and VLANIF 101 to assign IP addresses to APs and
STAs, respectively.
[AC_1] dhcp enable
[AC_1] interface vlanif 100
[AC_1-Vlanif100] dhcp select interface
[AC_1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2
[AC_1-Vlanif100] quit
[AC_1] interface vlanif 101
[AC_1-Vlanif101] dhcp select interface
[AC_1-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC_1-Vlanif101] quit

Step 4 Configure the AP to go online on AC_1.

# Create an AP group to which the APs with the same configuration can be added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit

# Configure the AC's source interface.


[AC_1] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit

Step 6 Configure AP_2 to go online on AC_2 and configure basic WLAN services on AC_2.

Bring AP_2 online and configure basic WLAN services on AC_2 in the same way as on AC_1.
For details, see the configuration file of AC_2. The configuration on AC_2 differs from that
on AC_1 as follows:
• The AP added on AC_2 is an AP5030DN with MAC address dcd2-fc04-b500. The
  AP name is set to area_2.
Step 7 Set channels and power for the AP radios.
# Create the RRM profile wlan-rrm and enable automatic channel selection and automatic
transmit power selection in the RRM profile. By default, automatic channel selection and
automatic transmit power selection are enabled.
[AC_1-wlan-view] rrm-profile name wlan-rrm
[AC_1-wlan-rrm-prof-wlan-rrm] undo calibrate auto-channel-select disable
[AC_1-wlan-rrm-prof-wlan-rrm] undo calibrate auto-txpower-select disable
[AC_1-wlan-rrm-prof-wlan-rrm] quit

# Configure a calibration channel set in the regulatory domain profile.


[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] dca-channel 2.4g bandwidth 20mhz
[AC_1-wlan-regulate-domain-default] dca-channel 2.4g channel-set 1,6,11
[AC_1-wlan-regulate-domain-default] dca-channel 5g bandwidth 20mhz
[AC_1-wlan-regulate-domain-default] dca-channel 5g channel-set 149,153,157,161
[AC_1-wlan-regulate-domain-default] quit

# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration. By default, an air scan channel set contains all channels supported by the
corresponding country code of an AP.

[AC_1-wlan-view] air-scan-profile name wlan-airscan
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC_1-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 2G radio profile.
[AC_1-wlan-view] radio-2g-profile name wlan-radio2g
[AC_1-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC_1-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC_1-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 5G radio profile.
[AC_1-wlan-view] radio-5g-profile name wlan-radio5g
[AC_1-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC_1-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC_1-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC_1-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC_1-wlan-ap-group-ap-group1] quit

# Set the radio calibration mode to manual and trigger radio calibration.
[AC_1-wlan-view] calibrate enable manual
[AC_1-wlan-view] calibrate manual startup

# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-
peak hours, for example, between 00:00 am and 06:00 am.
[AC_1-wlan-view] calibrate enable schedule time 03:00:00

Step 8 Configure WLAN roaming on AC_1.


# Create a mobility group on AC_1, and add AC_1 and AC_2 to the mobility group.
[AC_1-wlan-view] mobility-group name mobility
[AC_1-mc-mg-mobility] member ip-address 10.23.100.1
[AC_1-mc-mg-mobility] member ip-address 10.23.100.2
[AC_1-mc-mg-mobility] quit

Step 9 Configure WLAN roaming on AC_2.


# Create a mobility group on AC_2, and add AC_1 and AC_2 to the mobility group.
[AC_2-wlan-view] mobility-group name mobility
[AC_2-mc-mg-mobility] member ip-address 10.23.100.1
[AC_2-mc-mg-mobility] member ip-address 10.23.100.2
[AC_2-mc-mg-mobility] quit

Step 10 Verify the configuration.


# The ACs automatically deliver WLAN service configuration to the APs. After the service
configuration is complete, run the display vap ssid wlan-net command on AC_1 and AC_2
to check VAP information. If Status in the command output is displayed as ON, the VAPs
have been successfully created on AP radios.
[AC_1-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
--------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA/WPA2-PSK 0   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA/WPA2-PSK 0   wlan-net
--------------------------------------------------------------------------------
Total: 2
[AC_2-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
--------------------------------------------------------------------------------
1     area_2  0    1   DCD2-FC04-B500 ON     WPA/WPA2-PSK 0   wlan-net
1     area_2  1    1   DCD2-FC04-B510 ON     WPA/WPA2-PSK 0   wlan-net
--------------------------------------------------------------------------------
Total: 2

# Run the display mobility-group name mobility command on AC_1 to check the state of
AC_1 and AC_2 in the mobility group. If the State field is displayed as normal, AC_1 and
AC_2 are in normal state.
[AC_1-wlan-view] display mobility-group name mobility
--------------------------------------------------------------------------------
State IP address Description
--------------------------------------------------------------------------------
normal 10.23.100.1 -
normal 10.23.100.2 -
--------------------------------------------------------------------------------
Total: 2

# In the coverage area of AP_1, connect the STA to the wireless network with SSID wlan-net
and enter the password a1234567. After the STA successfully associates with the network,
run the display station ssid wlan-net command on AC_1. The command output shows that
the STA with MAC address e019-1dc7-1e08 has associated with AP_1.
[AC_1-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -57  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on AC_2. The command output shows that the STA has
associated with AP_2.
[AC_2-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 1     area_2  1/1     5G   11n  46/59 -58  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC_2 to check
the STA roaming track.
[AC_2-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
z:Zero Roam c:PMK Cache Roam r:802.11r Roam
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 1
60de-4476-e360 2015/02/09 16:11:51 -57/-57 22/3
L2 10.23.100.2 area_2 1
dcd2-fc04-b500 2015/02/09 16:13:53 -58/- -/-
------------------------------------------------------------------------------
Number: 1

----End

Configuration Files
• Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• AC_1 configuration file
#
sysname AC_1
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
mobility-group name mobility
member ip-address 10.23.100.1
member ip-address 10.23.100.2
air-scan-profile name wlan-airscan
scan-period 60
scan-interval 60000
rrm-profile name wlan-rrm
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
• AC_2 configuration file
#
sysname AC_2
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
mobility-group name mobility
member ip-address 10.23.100.1
member ip-address 10.23.100.2
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
rrm-profile name wlan-rrm
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
ap-id 1 type-id 35 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000078
ap-name area_2
ap-group ap-group1
#
return

4.8.4 Example for Configuring Inter-AC Layer 3 Roaming


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. To manage departments separately, employees are assigned to different
subnets by department. Furthermore, users' services must not be affected during roaming in
the coverage area.


Networking Requirement
• AC networking mode: AC_1 and AC_2 in a mobility group
• DHCP deployment mode:
  – AC_1 functions as a DHCP server to assign IP addresses to APs and STAs
    connected to it.
  – AC_2 functions as a DHCP server to assign IP addresses to APs and STAs
    connected to it.
• Service data forwarding mode: direct forwarding

Figure 4-48 Networking for configuring inter-AC Layer 3 roaming


Data Planning

Table 4-50 AC data planning


Item: Data

DHCP server:
    AC_1 functions as a DHCP server to allocate IP addresses to STAs and APs connected to it.
    AC_2 functions as a DHCP server to allocate IP addresses to STAs and APs connected to it.

IP address pool for the APs:
    10.23.100.2-10.23.100.254/24
    10.23.200.2-10.23.200.254/24

IP address pool for the STAs:
    10.23.101.2-10.23.101.254/24
    10.23.102.2-10.23.102.254/24

AC_1's source interface address:
    VLANIF 100: 10.23.100.1/24

AC_2's source interface address:
    VLANIF 200: 10.23.200.1/24

AP group:
    • Name: ap-group1
    • Referenced profile: VAP profile wlan-net1 and regulatory domain profile default,
      2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g

    • Name: ap-group2
    • Referenced profile: VAP profile wlan-net2 and regulatory domain profile default,
      2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g

Regulatory domain profile:
    • Name: default
    • Country code: CN
    • Calibration channel set: calibration bandwidth and channels for 2.4 GHz and 5 GHz radios

SSID profile:
    • Name: wlan-net
    • SSID name: wlan-net

Security profile:
    • Name: wlan-net
    • Security policy: WPA-WPA2+PSK+AES
    • Password: a1234567

VAP profile:
    • Name: wlan-net1
    • Forwarding mode: direct forwarding
    • Service VLAN: VLAN 101
    • Referenced profiles: SSID profile wlan-net and security profile wlan-net

    • Name: wlan-net2
    • Forwarding mode: direct forwarding
    • Service VLAN: VLAN 102
    • Referenced profiles: SSID profile wlan-net and security profile wlan-net

Air scan profile:
    • Name: wlan-airscan
    • Probe channel set: calibration channels
    • Air scan interval: 60000 ms
    • Air scan period: 60 ms

RRM profile:
    • Name: wlan-rrm
    • Automatic channel calibration: enabled
    • Automatic power calibration: enabled

2G radio profile:
    • Name: wlan-radio2g
    • Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm

5G radio profile:
    • Name: wlan-radio5g
    • Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm

Mobility group:
    • Name: mobility
    • Members: AC_1 and AC_2

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure WLAN roaming on AC_1 and AC_2 to achieve inter-AC roaming.


NOTE

During AP deployment, you can manually specify the working channels of the APs according to network
planning situations or configure the radio calibration function to enable the APs to automatically select the
optimal channels.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100 101
[Switch_1] interface GigabitEthernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_1-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 200 and VLAN 102. The default VLAN
of GE0/0/1 is VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 200 102
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 200
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 200 102
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 200 102
[Switch_2-GigabitEthernet0/0/2] quit

# Configure Router.
<HUAWEI> system-view
[HUAWEI] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.100.2 255.255.255.0
[Router-GigabitEthernet0/0/1] quit
[Router] interface gigabitethernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 10.23.200.2 255.255.255.0
[Router-GigabitEthernet0/0/2] quit

Step 2 Configure the AC to communicate with the network devices.


# On AC_1, add GE0/0/1 to VLAN 100 and VLAN 101.
<AC6605> system-view
[AC6605] sysname AC_1
[AC_1] dhcp enable
[AC_1] vlan batch 100 101 102
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC_1-GigabitEthernet0/0/1] quit

# On AC_2, add GE0/0/1 to VLAN 200 and VLAN 102.


<AC6605> system-view
[AC6605] sysname AC_2
[AC_2] dhcp enable
[AC_2] vlan batch 200 101 102
[AC_2] interface gigabitethernet 0/0/1
[AC_2-GigabitEthernet0/0/1] port link-type trunk
[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 200 102
[AC_2-GigabitEthernet0/0/1] quit

Step 3 Configure network interworking of ACs.


# Add GE0/0/2 on AC_1 to VLAN 100.
[AC_1] interface gigabitethernet 0/0/2
[AC_1-GigabitEthernet0/0/2] port link-type trunk
[AC_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC_1-GigabitEthernet0/0/2] quit

# On AC_1, configure a route to AC_2 with the next hop as 10.23.100.2.


[AC_1] ip route-static 10.23.200.0 24 10.23.100.2

# Add GE0/0/2 on AC_2 to VLAN 200.


[AC_2] interface gigabitethernet 0/0/2
[AC_2-GigabitEthernet0/0/2] port link-type trunk
[AC_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[AC_2-GigabitEthernet0/0/2] quit

# On AC_2, configure a route to AC_1 with the next hop as 10.23.200.2.


[AC_2] ip route-static 10.23.100.0 24 10.23.200.2

Step 4 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On AC_1, configure VLANIF 100 and VLANIF 101 to assign IP addresses to APs and
STAs, respectively.
[AC_1] dhcp enable
[AC_1] interface vlanif 100
[AC_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[AC_1-Vlanif100] dhcp select interface
[AC_1-Vlanif100] quit
[AC_1] interface vlanif 101
[AC_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[AC_1-Vlanif101] dhcp select interface
[AC_1-Vlanif101] quit

# On AC_2, configure VLANIF 200 and VLANIF 102 to assign IP addresses to APs and
STAs, respectively.
[AC_2] dhcp enable
[AC_2] interface vlanif 200
[AC_2-Vlanif200] ip address 10.23.200.1 255.255.255.0
[AC_2-Vlanif200] dhcp select interface
[AC_2-Vlanif200] quit
[AC_2] interface vlanif 102
[AC_2-Vlanif102] ip address 10.23.102.1 255.255.255.0
[AC_2-Vlanif102] dhcp select interface
[AC_2-Vlanif102] quit

Step 5 Configure the AP to go online on AC_1.


# Create an AP group to which the APs with the same configuration can be added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit

# Configure the AC's source interface.


[AC_1] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime
-------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net1
[AC_1-wlan-vap-prof-wlan-net1] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-net1] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net1] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net1] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net1] quit

# Bind VAP profile wlan-net1 to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit

Step 7 Configure AP_2 to go online and basic WLAN services on AC_2.


Configure AP_2 to go online and basic WLAN services on AC_2 according to the
configuration of AC_1. For details, see the configuration file of AC_2. The following lists
configuration differences between AC_1 and AC_2.
• The source interface of AC_2 is VLANIF 200.
• The type of AP added on AC_2 is AP6010DN-AGN with MAC address dcd2-fc04-b500.
  The AP name is set to ap2.
• The service VLAN is set to VLAN 102 in the VAP profile on AC_2.
Step 8 Set channels and power for the AP radios.
# Create the RRM profile wlan-rrm and enable automatic channel selection and automatic
transmit power selection in the RRM profile. By default, automatic channel selection and
automatic transmit power selection are enabled.
[AC_1-wlan-view] rrm-profile name wlan-rrm
[AC_1-wlan-rrm-prof-wlan-rrm] undo calibrate auto-channel-select disable
[AC_1-wlan-rrm-prof-wlan-rrm] undo calibrate auto-txpower-select disable
[AC_1-wlan-rrm-prof-wlan-rrm] quit

# Configure a calibration channel set in the regulatory domain profile.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] dca-channel 2.4g bandwidth 20mhz
[AC_1-wlan-regulate-domain-default] dca-channel 2.4g channel-set 1,6,11
[AC_1-wlan-regulate-domain-default] dca-channel 5g bandwidth 20mhz
[AC_1-wlan-regulate-domain-default] dca-channel 5g channel-set 149,153,157,161
[AC_1-wlan-regulate-domain-default] quit

# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration. By default, an air scan channel set contains all channels supported by the
corresponding country code of an AP.
[AC_1-wlan-view] air-scan-profile name wlan-airscan
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC_1-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC_1-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 2G radio profile.
[AC_1-wlan-view] radio-2g-profile name wlan-radio2g
[AC_1-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC_1-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC_1-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 5G radio profile.
[AC_1-wlan-view] radio-5g-profile name wlan-radio5g
[AC_1-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC_1-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC_1-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC_1-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC_1-wlan-ap-group-ap-group1] quit

# Set the radio calibration mode to manual and trigger radio calibration.
[AC_1-wlan-view] calibrate enable manual
[AC_1-wlan-view] calibrate manual startup

# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-
peak hours, for example, between 00:00 am and 06:00 am.
[AC_1-wlan-view] calibrate enable schedule time 03:00:00

Step 9 Configure radio calibration on AC_2.


Configure radio calibration on AC_2 according to the configuration of AC_1. For details, see
the configuration file of AC_2.
Step 10 Configure WLAN roaming on AC_1.
# Create a mobility group on AC_1, and add AC_1 and AC_2 to the mobility group.
[AC_1-wlan-view] mobility-group name mobility
[AC_1-mc-mg-mobility] member ip-address 10.23.100.1
[AC_1-mc-mg-mobility] member ip-address 10.23.200.1
[AC_1-mc-mg-mobility] quit

Step 11 Configure WLAN roaming on AC_2.


# Create a mobility group on AC_2, and add AC_1 and AC_2 to the mobility group.
[AC_2-wlan-view] mobility-group name mobility
[AC_2-mc-mg-mobility] member ip-address 10.23.100.1
[AC_2-mc-mg-mobility] member ip-address 10.23.200.1
[AC_2-mc-mg-mobility] quit

Step 12 Verify the configuration.


# Run the display mobility-group name mobility command on AC_1 to check the state of
AC_1 and AC_2 in the mobility group. If the State field is displayed as normal, AC_1 and
AC_2 are in normal state.
[AC_1-wlan-view] display mobility-group name mobility
--------------------------------------------------------------------------------
State IP address Description
--------------------------------------------------------------------------------
normal 10.23.100.1 -
normal 10.23.200.1 -
--------------------------------------------------------------------------------
Total: 2

# In the coverage area of AP_1, connect the STA to the wireless network with SSID wlan-net
and enter the password a1234567. After the STA successfully associates with the network,
run the display station ssid wlan-net command on AC_1. The command output shows that
the STA with MAC address e019-1dc7-1e08 has associated with AP_1.
[AC_1-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -57   101   10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# When the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station ssid wlan-net command on AC_2. The command output shows that the STA has
associated with AP_2.
[AC_2-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08  1      area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC_2 to check
the STA roaming track.
[AC_2-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
z:Zero Roam c:PMK Cache Roam r:802.11r Roam
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 1
60de-4476-e360 2015/02/09 16:11:51 -57/-57 22/3
L3 10.23.100.2 area_2 1
dcd2-fc04-b500 2015/02/09 16:13:53 -58/- -/-
------------------------------------------------------------------------------
Number: 1

----End

Configuration Files
• Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 101
#
return

• Switch_2 configuration file


#
sysname Switch_2
#
vlan batch 102 200
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 200
port trunk allow-pass vlan 200 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 102 200
#
return

• Router configuration file


#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.100.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.23.200.2 255.255.255.0
#
return

• AC_1 configuration file


#
sysname AC_1
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.23.200.0 255.255.255.0 10.23.100.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net1
forward-mode direct-forward
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
mobility-group name mobility
member ip-address 10.23.100.1
member ip-address 10.23.200.1
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
rrm-profile name wlan-rrm
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net1 wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net1 wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name ap1
ap-group ap-group1
#
return
• AC_2 configuration file
#
sysname AC_2
#
vlan batch 101 to 102 200
#
dhcp enable
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 102 200
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
#
capwap source interface vlanif200
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net2
service-vlan vlan-id 102
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
mobility-group name mobility
member ip-address 10.23.100.1
member ip-address 10.23.200.1
air-scan-profile name wlan-airscan
scan-channel-set dca-channel
rrm-profile name wlan-rrm
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
air-scan-profile wlan-airscan
ap-group name ap-group2
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net2 wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net2 wlan 1
ap-id 1 type-id 35 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000078
ap-name ap2
ap-group ap-group2
#
return
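
Two rules from this example can be checked mechanically before a configuration file is loaded: every AC must list the source addresses of all mobility-group members, and in tunnel forwarding mode the service VLAN must differ from the management VLAN. The Python below is an added example, not Huawei code; it assumes the management VLAN is the VLANIF named by capwap source interface and that members are the ACs' source interface addresses. Its sample input is constructed from the files above, with two mistakes planted in AC_2.

```python
import re

# Constructed samples, trimmed from the AC_1 and AC_2 configuration files above.
# AC_2 carries two planted mistakes: a stale mobility-group member address and
# a tunnel-mode VAP profile whose service VLAN equals the management VLAN.
AC_1_CFG = """\
sysname AC_1
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
capwap source interface vlanif100
wlan
 vap-profile name wlan-net1
  forward-mode direct-forward
  service-vlan vlan-id 101
 mobility-group name mobility
  member ip-address 10.23.100.1
  member ip-address 10.23.200.1
"""

AC_2_CFG = """\
sysname AC_2
interface Vlanif200
 ip address 10.23.200.1 255.255.255.0
capwap source interface vlanif200
wlan
 vap-profile name wlan-net2
  forward-mode tunnel
  service-vlan vlan-id 200
 mobility-group name mobility
  member ip-address 10.23.100.1
  member ip-address 10.23.100.2
"""


def parse_ac(text):
    """Extract source interface, VAP profiles and mobility-group members.

    Context is tracked by keyword rather than by indentation, so a flattened
    listing parses the same way as an indented one.
    """
    ac = {"name": None, "vlanif_ip": {}, "mgmt_vlan": None,
          "vaps": {}, "members": set()}
    ctx = None  # (kind, key) of the block the current line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            ctx = None
        elif m := re.fullmatch(r"sysname (\S+)", line):
            ac["name"] = m[1]
        elif m := re.fullmatch(r"interface vlanif\s*(\d+)", line, re.I):
            ctx = ("vlanif", int(m[1]))
        elif m := re.fullmatch(r"capwap source interface vlanif\s*(\d+)", line, re.I):
            ac["mgmt_vlan"] = int(m[1])
        elif m := re.fullmatch(r"vap-profile name (\S+)", line):
            ctx = ("vap", m[1])
            ac["vaps"][m[1]] = {"mode": None, "vlan": None}
        elif m := re.fullmatch(r"mobility-group name (\S+)", line):
            ctx = ("group", m[1])
        elif re.fullmatch(r"\S+ name \S+", line) or line.startswith(("interface ", "ap-id ")):
            ctx = None  # some other profile or interface block starts here
        elif ctx and ctx[0] == "vlanif" and (m := re.fullmatch(r"ip address (\S+) \S+", line)):
            ac["vlanif_ip"][ctx[1]] = m[1]
        elif ctx and ctx[0] == "vap" and (m := re.fullmatch(r"forward-mode (\S+)", line)):
            ac["vaps"][ctx[1]]["mode"] = m[1]
        elif ctx and ctx[0] == "vap" and (m := re.fullmatch(r"service-vlan vlan-id (\d+)", line)):
            ac["vaps"][ctx[1]]["vlan"] = int(m[1])
        elif ctx and ctx[0] == "group" and (m := re.fullmatch(r"member ip-address (\S+)", line)):
            ac["members"].add(m[1])
    return ac


def source_address(ac):
    """IP address of the VLANIF used as the CAPWAP source, or None."""
    return ac["vlanif_ip"].get(ac["mgmt_vlan"])


def audit(acs):
    """Return (ac, finding, detail) tuples for a set of ACs in one mobility group."""
    expected = {source_address(ac) for ac in acs} - {None}
    findings = []
    for ac in acs:
        if source_address(ac) is None:
            findings.append((ac["name"], "no-source-address", ""))
        for ip in sorted(expected - ac["members"]):
            findings.append((ac["name"], "missing-member", ip))
        for ip in sorted(ac["members"] - expected):
            findings.append((ac["name"], "unknown-member", ip))
        for vap, v in sorted(ac["vaps"].items()):
            if v["mode"] == "tunnel" and v["vlan"] == ac["mgmt_vlan"]:
                findings.append((ac["name"], "tunnel-service-vlan-is-management-vlan", vap))
    return findings


if __name__ == "__main__":
    for finding in audit([parse_ac(AC_1_CFG), parse_ac(AC_2_CFG)]):
        print(*finding)
```
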

4.9 Agile Distributed Networking Configuration Examples
4.9.1 Example for Configuring an Agile Distributed WLAN

Service Requirements
Students in dormitories need to access the Internet through WLANs.

Walls between numerous rooms in the dormitory building cause serious wireless signal
attenuation, degrading signal quality. To resolve this issue, an agile distributed WLAN is
used, with a remote unit (RU) deployed in each dormitory. RUs are connected to a central AP,
and all RUs and central APs are centrally managed by the AC, delivering high-quality WLAN
coverage for each dormitory.

Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  central APs, RUs, and STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-49 Networking for configuring an agile distributed WLAN

Data Planning

Table 4-51 AC data planning

Item: Data

DHCP server:
    The AC functions as a DHCP server to assign IP addresses to central APs, RUs, and STAs.

IP address pool for central APs and RUs:
    10.23.100.2-10.23.100.254/24

IP address pool for STAs:
    10.23.101.2-10.23.101.254/24

AC's source interface address:
    VLANIF 100: 10.23.100.1/24

AP group:
    • Name: ap-group1
    • Referenced profiles: VAP profile wlan-net and regulatory domain profile default

Regulatory domain profile:
    • Name: default
    • Country code: China

SSID profile:
    • Name: wlan-net
    • SSID name: wlan-net

Security profile:
    • Name: wlan-net
    • Security policy: WPA-WPA2+PSK+AES
    • Password: a1234567

VAP profile:
    • Name: wlan-net
    • Forwarding mode: direct forwarding
    • Service VLAN: VLAN 101
    • Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap

1. Configure the AC, RUs, central APs, and network devices to communicate at Layer 2.
2. Configure the AC as a DHCP server to assign IP addresses to central APs, RUs, and
STAs.
3. Configure the central APs and RUs to go online.
a. Create an AP group and add central APs and RUs that require the same
configuration to the group for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the central APs and RUs.
c. Configure the AP authentication mode and import the central APs and RUs offline
to allow them to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] port-isolate enable
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 3 Configure a DHCP server to assign IP addresses to central APs, RUs, and STAs.
# Configure the AC as a DHCP server to assign IP addresses to central APs and RUs from the
IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool
on VLANIF 101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure a central AP and RUs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the central AP and RUs offline on the AC and add them to AP group ap-group1.
Assume that the central AP's MAC address is 68a8-2845-62fd and the RUs' MAC addresses are
fcb6-9897-c520 and fcb6-9897-ca40. Name the central AP central_AP and the RUs ru_1 and
ru_2, respectively.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 68a8-2845-62fd
[AC-wlan-ap-0] ap-name central_AP
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac fcb6-9897-c520
[AC-wlan-ap-1] ap-name ru_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac fcb6-9897-ca40
[AC-wlan-ap-2] ap-name ru_2
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit

# After the central AP is powered on, run the display ap all command to check the AP state.
If the State field is displayed as nor, the RUs go online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
---------------------------------------------------------------------------------------
ID   MAC            Name       Group     IP            Type        State STA Uptime
---------------------------------------------------------------------------------------
0    68a8-2845-62fd central_AP ap-group1 10.23.100.254 AD9430DN-24 nor   0   2M:25S
1    fcb6-9897-c520 ru_1       ap-group1 10.23.100.253 R240D       nor   0   3M:5S
2    fcb6-9897-ca40 ru_2       ap-group1 10.23.100.252 R240D       nor   0   3M:14S
---------------------------------------------------------------------------------------
Total: 3

Step 5 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit


Step 6 Set channels and power for the RU radios.


NOTE

The settings of the RU channel and power in this example are for reference only. You need to configure the
RU channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/0] eirp 127
[AC-wlan-radio-1/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/1] eirp 127
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit

Step 7 Verify the configuration.

The AC automatically delivers WLAN service configuration to the RUs. After the
configuration is complete, run the display vap ssid wlan-net command. If the Status field is
displayed as ON, the VAPs have been successfully created on RU radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
1 ru_1 0 1 FCB6-9897-C520 ON WPA/WPA2-PSK 0 wlan-net
1 ru_1 1 1 FCB6-9897-C530 ON WPA/WPA2-PSK 0 wlan-net
2 ru_2 0 1 FCB6-9897-CA40 ON WPA/WPA2-PSK 0 wlan-net
2 ru_2 1 1 FCB6-9897-CA50 ON WPA/WPA2-PSK 0 wlan-net
--------------------------------------------------------------------------------
Total: 4

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------
e019-1dc7-1e08 1     ru_1    1/1     5G   11n  46/59 -68  101  10.23.101.254
-----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 52 ap-mac 68a8-2845-62fd ap-sn 2102350KGF10F8000012
  ap-name central_AP
  ap-group ap-group1
 ap-id 1 type-id 54 ap-mac fcb6-9897-c520 ap-sn 21500826402SF4900166
  ap-name ru_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
 ap-id 2 type-id 54 ap-mac fcb6-9897-ca40 ap-sn 21500826402SF4900207
  ap-name ru_2
  ap-group ap-group1
#
return
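
The configuration notes of this example (port isolation on AP-facing ports, management and service VLANs kept apart in tunnel forwarding) and the handling of the example passphrase can be checked mechanically against an AC configuration file. The following Python audit is an added example, not Huawei code; the rule names and the sample configuration are constructed, and it assumes that AP-facing ports are the trunks that set a PVID, with that PVID being the management VLAN, as on GE0/0/1 in this example.

```python
import re

# Constructed input modeled on the AC configuration file above, with deliberate
# mistakes: no port isolation, a service VLAN on the AP-facing trunk, a tunnel
# VAP reusing the management VLAN, and the manual's example passphrase in clear.
CONSTRUCTED_AC_CONFIG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase a1234567 aes
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  security-profile wlan-net
 vap-profile name guest
  forward-mode tunnel
  service-vlan vlan-id 100
#
return
"""

def expand_vlans(tokens):
    """Expand a VLAN list such as ['10', '100', 'to', '102'] into a set."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def parse_config(text):
    """Collect the interface, security-profile and vap-profile blocks."""
    cfg = {"interface": {}, "security-profile": {}, "vap-profile": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()  # works for indented and flattened files alike
        start = re.match(r"(interface) (\S+)$|([\w-]+) name (\S+)$", line)
        if start:
            kind = start.group(1) or start.group(3)
            name = start.group(2) or start.group(4)
            cur = cfg[kind].setdefault(name, {}) if kind in cfg else None
        elif line == "#" or line.startswith("ap-id "):
            cur = None
        elif cur is not None:
            if m := re.match(r"port trunk pvid vlan (\d+)$", line):
                cur["pvid"] = int(m.group(1))
            elif m := re.match(r"port trunk allow-pass vlan (.+)$", line):
                cur["allow"] = expand_vlans(m.group(1).split())
            elif line == "port-isolate enable":
                cur["isolate"] = True
            elif m := re.match(r"security \S+ psk pass-phrase (\S+)", line):
                cur["secret"] = m.group(1)
            elif m := re.match(r"forward-mode (\S+)$", line):
                cur["forward"] = m.group(1)
            elif m := re.match(r"service-vlan vlan-id (\d+)$", line):
                cur["service_vlan"] = int(m.group(1))
    return cfg

def audit(text):
    """Return sorted (rule, object) findings for the checks described above."""
    cfg = parse_config(text)
    # Assumption: a trunk that sets a PVID faces APs, and the PVID is the
    # management VLAN (GE0/0/1 with PVID 100 in this example).
    ap_ports = {n: p for n, p in cfg["interface"].items() if "pvid" in p}
    mgmt_vlans = {p["pvid"] for p in ap_ports.values()}
    findings = {("port-isolation-missing", n)
                for n, p in ap_ports.items() if not p.get("isolate")}
    for name, vap in cfg["vap-profile"].items():
        vlan = vap.get("service_vlan")
        if vap.get("forward") != "tunnel" or vlan is None:
            continue
        if vlan in mgmt_vlans:
            findings.add(("tunnel-service-vlan-equals-mgmt", name))
        else:  # service VLAN must not be carried between the AC and APs
            findings.update(("service-vlan-on-ap-trunk", n) for n, p
                            in ap_ports.items() if vlan in p.get("allow", ()))
    for name, sec in cfg["security-profile"].items():
        secret = sec.get("secret", "")
        ciphered = secret.startswith("%^%#") and secret.endswith("%^%#")
        if secret and not ciphered:
            findings.add(("plaintext-psk", name))
        if secret == "a1234567":
            findings.add(("documentation-example-psk", name))
    return sorted(findings)

if __name__ == "__main__":
    print(audit(CONSTRUCTED_AC_CONFIG))
```

A saved configuration stores the passphrase in ciphered form between `%^%#` markers, so the plaintext check is mainly useful for change scripts and pasted CLI sessions.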

4.10 High-Density Configuration Examples


4.10.1 Example for Configuring High-Density WLAN Services
Service Requirements
The WLAN of a stadium needs to provide access for a large number of users; therefore, APs
are placed in close proximity, causing severe interference. The IT department of the stadium
requires that the interference be eliminated to maximize Internet experience for users.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: direct forwarding


Figure 4-50 Networking diagram for configuring a high-density WLAN

Data Planning

Table 4-52 Data planning


Item                            Data
------------------------------  ------------------------------------------------

Management VLAN for APs         VLAN 10 and VLAN 100

Service VLAN for STAs           VLAN pool
                                • Name: sta-pool
                                • VLANs in the VLAN pool: VLAN 101 and VLAN 102

DHCP server                     The AC functions as a DHCP server to assign IP
                                addresses to APs.
                                The aggregation switch (SwitchB) functions as a
                                DHCP server to assign IP addresses to STAs.

IP address pool for APs         10.23.10.2-10.23.10.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24
                                10.23.102.3-10.23.102.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net,
                                  regulatory domain profile default, 2G radio
                                  profile default, and 5G radio profile
                                  wlan-radio5g

Regulatory domain profile       • Name: default
                                • Country code: China

SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net

Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567

VAP profile                     • Name: wlan-net
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLANs in the VLAN pool
                                • Referenced profiles: SSID profile wlan-net,
                                  security profile wlan-net, and traffic profile
                                  wlan-traffic

RRM profile                     • Name: wlan-rrm
                                • Automatic channel calibration: disabled
                                • Automatic power calibration: disabled
                                • Airtime fair scheduling: enable
                                • Smart roaming: enable

2G radio profile                • Name: wlan-radio2g
                                • Referenced profile: RRM profile wlan-rrm

5G radio profile                • Name: wlan-radio5g
                                • Referenced profile: RRM profile wlan-rrm

Traffic profile                 • Name: wlan-traffic


Configuration Roadmap
1. Configure network interworking of the APs, AC, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Adjust WLAN high-density parameters.
You are advised to adjust WLAN high-density parameters according to Table 4-53.

Table 4-53 Adjustment recommendations


Adjustment Item           Purpose                                 Recommendation
------------------------  --------------------------------------  ----------------------------------------------

Configure 5G-prior        To reduce the burden on the 2.4 GHz     Enable band steering. By default, band
access                    radio by preferentially connecting      steering is enabled.
                          5G-capable STAs to the 5 GHz radio
                          when a large number of 2.4 GHz STAs
                          exist on the network.

Remove the limit on the   To make an AP offer wireless services   Increase the maximum number of access users
number of access users    to more users.                          to 128 for an SSID profile.

Reduce the user           To prevent users who frequently         Set the association aging time to 1 minute.
association aging time    disconnect from the wireless network.

User isolation            To prevent mobile terminals from        Enable user isolation on the AC.
                          exchanging a large number of ARP
                          packets.

Limit user rates          To prevent advantaged STAs from         Limit the downstream rate of each STA to 2000
                          occupying too many rate sources and     kbit/s in a VAP. Adjust the upstream rate
                          deteriorating service experience of     according to actual situations. In this
                          disadvantaged STAs.                     example, the upstream rate is set to 1000 kbit/s.

Adjust AP channel and     To reduce interference between APs.     • Channel: Prevent adjacent APs from working
power                                                               on overlapping channels. It is recommended
                                                                    that you configure channels 1, 9, 5, and 13
                                                                    in a high-density WLAN environment.
                                                                  • Power: Minimize AP power while ensuring
                                                                    that the RSSI is greater than -65 dBm at
                                                                    the edge of the AP's coverage area.

Configure smart roaming   To prevent weak-signal STAs from        Enable smart roaming and set the SNR
                          degrading user experience.              threshold to 15 dB.

Enable airtime fair       To ensure that wireless channel         Enable airtime fair scheduling.
scheduling                resources can be equally allocated to
                          users.

Set the RTS-CTS           To prevent hidden STAs.                 Set the RTS-CTS operation mode to rts-cts and
threshold                                                         the RTS threshold to 1400 bytes.

Adjust the interval at    To improve the overall data traffic of  Set the interval for sending Beacon frames to
which Beacon frames are   APs.                                    160 ms.
sent

Set the guard interval    To reduce extra overhead and improve    Set the GI mode to short GI.
(GI) mode to short GI     AP transmission efficiency.

Configure the basic rate  To improve the overall AP throughput.   Delete low rates from the basic rate set.
set

Configure the multicast   To improve air interface efficiency.    Use the default values. By default, the
rate                                                              multicast transmit rate of wireless packets is
                                                                  11 Mbit/s for the 2.4 GHz radio and 6 Mbit/s
                                                                  for the 5 GHz radio.

Configure the short       To improve the network                  Configure the short preamble. If some legacy
preamble for a radio      synchronization performance.            NICs exist on the network, disable the short
                                                                  preamble function.

Adjust EDCA parameters    To improve user experience.             Set the EDCA parameters of AC_BE packets as
                                                                  follows:
                                                                  • AP:
                                                                    – ecwmin: 5
                                                                    – ecwmax: 6
                                                                    – aifsn: 3
                                                                  • Client:
                                                                    – ecwmin: 7
                                                                    – ecwmax: 10
                                                                    – aifsn: 3

5. Deliver WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLANs 10, 101, and 102. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.


# Add GE0/0/1 on the AC to VLAN 100 and create VLANIF 100.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan 100
[AC-vlan100] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit


# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF 100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

# On the AC, create a global IP address pool to assign IP addresses to APs.


[AC] dhcp enable
[AC] ip pool huawei
[AC-ip-pool-huawei] network 10.23.10.0 mask 24
[AC-ip-pool-huawei] gateway-list 10.23.10.1
[AC-ip-pool-huawei] option 43 sub-option 3 ascii 10.23.100.1
[AC-ip-pool-huawei] quit
[AC] interface vlanif 100
[AC-Vlanif100] dhcp select global
[AC-Vlanif100] quit

Step 4 Configure a VLAN pool for service VLANs.


# On the AC, create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the
VLAN assignment algorithm to hash in the VLAN pool.
NOTE

This example uses the default VLAN assignment algorithm, hash. If the default setting has not been
changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use a similar
method to add more VLANs to a VLAN pool.
[AC] vlan batch 101 102
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP           Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.10.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Adjust WLAN high-density parameters.


1. Adjust VAP profile parameters.

# Enable the band steering function. By default, the band steering function is enabled.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] undo band-steer disable

# Enable the broadcast flood detection function and set a broadcast flood threshold. By
default, the broadcast flood detection function is enabled.
[AC-wlan-vap-prof-wlan-net] undo anti-attack broadcast-flood disable
[AC-wlan-vap-prof-wlan-net] quit

2. Adjust SSID profile parameters.

# Set the maximum number of STAs associated with a VAP to 128, association timeout
period to 1 minute, and EDCA parameters for AC_BE packets of STAs.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] max-sta-number 128
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] association-timeout 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10
[AC-wlan-ssid-prof-wlan-net] quit

3. Create a traffic profile and adjust traffic profile parameters.

# Create traffic profile wlan-traffic and set the rate limit for upstream and downstream
traffic to 4000 kbit/s.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client down 4000
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client up 4000
[AC-wlan-traffic-prof-wlan-traffic] quit

# Bind the traffic profile to the VAP profile.


[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit

4. Create an RRM profile, disable automatic calibration, enable airtime fair scheduling and
smart roaming, and set the SNR-based threshold for smart roaming to 15 dB.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-rrm] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-rrm] airtime-fair-schedule enable
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-rrm-prof-wlan-rrm] smart-roam enable
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold check-snr
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold snr 15
[AC-wlan-rrm-prof-wlan-rrm] quit

5. Create a 2G radio profile and adjust 2G radio profile parameters.


Create 2G radio profile wlan-radio2g and set the parameters as follows:


– Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Enable the short preamble function. By default, the short preamble function is
supported by a radio profile.
– Set the GI mode to short GI.
– Set the 802.11bg basic rate to 6 Mbit/s, 9 Mbit/s, 12 Mbit/s, 18 Mbit/s, 24 Mbit/s,
36 Mbit/s, 48 Mbit/s, or 54 Mbit/s.
– Set the multicast rate to 11 Mbit/s.
– Set EDCA parameters for AC_BE packets: AIFSN (3); ECWmin (5); ECWmax (6).
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rts-cts-mode rts-cts
[AC-wlan-radio-2g-prof-wlan-radio2g] rts-cts-threshold 1400
[AC-wlan-radio-2g-prof-wlan-radio2g] beacon-interval 160
[AC-wlan-radio-2g-prof-wlan-radio2g] undo short-preamble disable
[AC-wlan-radio-2g-prof-wlan-radio2g] guard-interval-mode short
[AC-wlan-radio-2g-prof-wlan-radio2g] dot11bg basic-rate 6 9 12 18 24 36 48 54
[AC-wlan-radio-2g-prof-wlan-radio2g] multicast-rate 11
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6

# Bind RRM profile wlan-rrm to the radio profile.


[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

6. Create a 5G radio profile and adjust 5G radio profile parameters.


Create 5G radio profile wlan-radio5g and set the parameters as follows:
– Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short GI.
– Set the multicast rate to 6 Mbit/s.
– Set EDCA parameters for AC_BE packets: AIFSN (3); ECWmin (5); ECWmax (6).
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rts-cts-mode rts-cts
[AC-wlan-radio-5g-prof-wlan-radio5g] rts-cts-threshold 1400
[AC-wlan-radio-5g-prof-wlan-radio5g] beacon-interval 160
[AC-wlan-radio-5g-prof-wlan-radio5g] guard-interval-mode short
[AC-wlan-radio-5g-prof-wlan-radio5g] multicast-rate 6
[AC-wlan-radio-5g-prof-wlan-radio5g] wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6

# Bind RRM profile wlan-rrm to the radio profile.


[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

Step 8 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.


[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 9 Verify the configuration.


The WLAN service configuration is automatically delivered to the APs. After the service
configuration is complete, run the display vap ssid wlan-net command. If the Status field in
the command output is ON, the VAPs have been successfully created on the AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP
address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 46/59 -68 101
10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

When a large number of users connect to the network in the stadium, the users still have good
Internet experience.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 101 to 102
#


interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101 to 102
port-isolate enable
#
return
• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100 to 102
#
dhcp enable
#
interface Vlanif10
ip address 10.23.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 101 to 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#


interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 10.23.10.0 24 10.23.100.2
#
capwap source interface vlanif100
#
wlan
traffic-profile name wlan-traffic
rate-limit client up 4000
rate-limit client down 4000
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#wQ}eV*m'Y#f6Mj@h#DxTLrKaYm|)pBm@w$(jpeqE%^%# aes
ssid-profile name wlan-net
ssid wlan-net
association-timeout 1
max-sta-number 128
wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0
vap-profile name wlan-net
service-vlan vlan-pool sta-pool
ssid-profile wlan-net
security-profile wlan-net
traffic-profile wlan-traffic
anti-attack broadcast-flood sta-rate-threshold 50
regulatory-domain-profile name default
rrm-profile name wlan-rrm
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
airtime-fair-schedule enable
smart-roam enable
smart-roam roam-threshold snr 15
radio-2g-profile name wlan-radio2g
dot11bg basic-rate 6 9 12 18 24 36 48 54
beacon-interval 160
guard-interval-mode short
multicast-rate 11
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
radio-5g-profile name wlan-radio5g
beacon-interval 160


guard-interval-mode short
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
multicast-rate 6
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 60 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return

4.11 Example for Configuring Vehicle-Ground Communication

4.11.1 Example for Configuring Vehicle-Ground Fast Link Handover

Service Requirements
To reduce network deployment costs and better serve passengers, a rail transportation
enterprise wants to use WLAN technology to implement vehicle-ground communications and
expects that multicast servers on the ground network can deliver multimedia information
services to passengers.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
• Backhaul radio: 5 GHz radio


Figure 4-51 Networking for configuring vehicle-ground fast link handover


Data Planning

Table 4-54 AP information


AP                                   Type        MAC Address
Trackside AP (L1_001)                AP9132DN    0046-4b59-1d10
Trackside AP (L1_003)                AP9132DN    0046-4b59-1d20
Trackside AP (L1_010)                AP9132DN    0046-4b59-1d30
Trackside AP (L1_150)                AP9132DN    0046-4b59-1d40
Trackside AP (L1_160)                AP9132DN    0046-4b59-1d50
Trackside AP (L1_170)                AP9132DN    0046-4b59-1d60
......
Vehicle-mounted AP (in the front)    AP9132DN    0046-4b59-2e10
Vehicle-mounted AP (in the rear)     AP9132DN    0046-4b59-2e20
.......

Table 4-55 Data planning


Item                                                Data
Management VLAN                                     VLAN 100
Multicast service VLAN                              VLAN 101
Service VLAN for STAs                               VLAN 200
DHCP server                                         • Configure the AC as a DHCP server to assign IP
                                                      addresses to trackside APs.
                                                    • Configure Switch_A as a DHCP server to assign IP
                                                      addresses to vehicle-mounted terminals.
AC's source interface address                       VLANIF 100: 10.23.100.1/24
Gateway address                                     IP address of VLANIF 101 on Switch_A: 10.23.224.1/24


IP address pool for trackside APs                   10.23.100.2-10.23.100.254/24
IP address pool for vehicle-mounted terminals       10.23.224.4-10.23.224.254/24
AP group to which trackside APs belong              Name: mesh-mpp
IDs of trackside APs                                • Trackside AP (L1_001): 1
                                                    • Trackside AP (L1_003): 2
                                                    • Trackside AP (L1_010): 3
                                                    • Trackside AP (L1_150): 101
                                                    • Trackside AP (L1_160): 102
                                                    • Trackside AP (L1_170): 103
AP wired port profile                               • Name: wired-port
Security profile                                    • Name: sp01
                                                    • Security policy: WPA2+PSK+AES
                                                    • Password type: PASS-PHRASE
                                                    • Authentication key: a1234567
AP system profile                                   • Name: mesh-sys
                                                    • Mesh role: Mesh-portal
Mesh profile                                        Trackside APs:
                                                    • Name: mesh-net
                                                    • Identifier: mesh-net
                                                    Vehicle-mounted APs:
                                                    • Name: mesh-net
                                                    • Identifier: mesh-net
Mesh handover profile                               Trackside APs:
                                                    • Name: hand-over
                                                    Vehicle-mounted APs:
                                                    • Name: hand-over
Mesh whitelist on trackside APs                     Name: whitelist01
                                                    Add MAC addresses of all vehicle-mounted APs on trains
                                                    running on the rail to the whitelist according to actual
                                                    situations.
Mesh whitelist on vehicle-mounted APs               Name: whitelist01
                                                    Add MAC addresses of all trackside APs along the rail line
                                                    to the whitelist according to actual situations.


MAC address of the proxied ground device            • Gateway: 707b-e8e9-d328
                                                    • Network management device: 286e-d488-12cd
                                                    • Multicast source: 286e-d488-b6ab
MAC address of the proxied vehicle-mounted device   • Vehicle-mounted terminal_1: 286e-d488-d359
                                                    • Vehicle-mounted terminal_2: 286e-d488-d270
Multicast group                                     225.1.1.1-225.1.1.3
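
The two Mesh whitelist rows above only work if each whitelist stays in step with the AP inventory on the other side of the link. The following added example (not part of the original document) cross-checks a vehicle-mounted AP's whitelist against the trackside APs bound to the mesh-mpp group on the AC. The function names are hypothetical, both transcripts are constructed in the command forms this example uses, and 0046-4b59-9999 is a made-up MAC address.

```python
import re

# Constructed transcripts that follow the command forms used in this example.
# 0046-4b59-9999 is a made-up AP that is not part of the Mesh group.
AC_TRANSCRIPT = """\
[AC-wlan-view] ap-id 1 ap-mac 0046-4b59-1d10
[AC-wlan-ap-1] ap-name L1_001
[AC-wlan-ap-1] ap-group mesh-mpp
[AC-wlan-view] ap-id 2 ap-mac 0046-4B59-1D20
[AC-wlan-ap-2] ap-name L1_003
[AC-wlan-ap-2] ap-group mesh-mpp
[AC-wlan-view] ap-id 3 ap-mac 0046-4b59-1d30
[AC-wlan-ap-3] ap-name L1_010
[AC-wlan-ap-3] ap-group mesh-mpp
[AC-wlan-view] ap-id 9 ap-mac 0046-4b59-9999
[AC-wlan-ap-9] ap-name office
[AC-wlan-ap-9] ap-group default
"""
# Vehicle-mounted AP: L1_010 was forgotten and a vehicle-mounted AP's MAC was pasted in.
VEHICLE_AP_TRANSCRIPT = """\
[AP-wlan-view] mesh-whitelist-profile name whitelist01
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d10
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d20
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e10
[AP-wlan-mesh-whitelist-whitelist01] quit
"""

PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")  # "[AC-wlan-view] " or "<Huawei> "


def norm_mac(text):
    """Return a MAC as 12 lowercase hex digits (accepts '-', ':' and '.' separators)."""
    digits = re.sub(r"[-:.]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def commands(transcript):
    """Yield commands with any CLI prompt removed; saved-config lines pass through."""
    for line in transcript.splitlines():
        cmd = PROMPT.sub("", line).strip()
        if cmd:
            yield cmd


def group_members(ac_text, group):
    """Map AP name -> MAC for every AP that 'ap-group <group>' binds to the group."""
    members, cur = {}, None
    for cmd in commands(ac_text):
        if m := re.match(r"ap-id (\d+)\b.*?\bap-mac (\S+)", cmd):
            cur = {"id": m.group(1), "mac": norm_mac(m.group(2)), "name": None}
        elif re.fullmatch(r"ap-id \d+", cmd):
            cur = None  # entering an existing AP view: its MAC is not on this line
        elif cur and (m := re.fullmatch(r"ap-name (\S+)", cmd)):
            cur["name"] = m.group(1)
        elif cur and (m := re.fullmatch(r"ap-group (\S+)", cmd)):
            if m.group(1) == group:
                members[cur["name"] or f"ap-id {cur['id']}"] = cur["mac"]
            cur = None
    return members


def whitelist(ap_text, profile):
    """MACs added with 'peer-ap mac' under 'mesh-whitelist-profile name <profile>'."""
    macs, inside = set(), False
    for cmd in commands(ap_text):
        if m := re.fullmatch(r"mesh-whitelist-profile name (\S+)", cmd):
            inside = m.group(1) == profile
        elif inside and (m := re.fullmatch(r"peer-ap mac (\S+)", cmd)):
            macs.add(norm_mac(m.group(1)))
        elif cmd == "quit":
            inside = False
    return macs


def audit(ac_text, ap_text, group="mesh-mpp", profile="whitelist01"):
    """Return (planned APs missing from the whitelist, whitelist MACs matching no planned AP)."""
    planned = group_members(ac_text, group)
    listed = whitelist(ap_text, profile)
    missing = sorted(name for name, mac in planned.items() if mac not in listed)
    unexpected = sorted(listed - set(planned.values()))
    return missing, unexpected


if __name__ == "__main__":
    missing, unexpected = audit(AC_TRANSCRIPT, VEHICLE_AP_TRANSCRIPT)
    print("Trackside APs missing from the whitelist:", missing)
    print("Whitelist entries that match no trackside AP:", unexpected)
```
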

Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted AP can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications.
NOTE

• This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
Fat AP mode as the vehicle-mounted APs.
• Switches and routers used in this example are all Huawei products.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
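
The port isolation and VLAN separation notes above can be checked mechanically against saved configurations. The following is an added example, not part of the original document: the function names are hypothetical, both sample configurations are constructed, and a port is assumed to be AP-facing when its trunk PVID equals the AP management VLAN. The commands forward-mode tunnel and service-vlan vlan-id are not shown in this example's procedure, and a VAP profile without forward-mode tunnel is treated as direct forwarding.

```python
import re

# Constructed samples in the saved-configuration layout used on this page.
SWITCH_CFG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
return
"""
AC_CFG = """\
#
vlan pool sta-pool
 vlan 100 to 102
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
 vap-profile name guest
  service-vlan vlan-id 100
#
return
"""


def expand_vlans(spec):
    """Expand a VLAN list such as '10 101 to 102' into {10, 101, 102}."""
    tok, out, i = spec.split(), set(), 0
    while i < len(tok):
        if i + 2 < len(tok) and tok[i + 1] == "to":
            out.update(range(int(tok[i]), int(tok[i + 2]) + 1))
            i += 3
        else:
            out.add(int(tok[i]))
            i += 1
    return out


def blocks(cfg):
    """Split a saved configuration on '#'/'return' lines into lists of stripped lines."""
    parts = re.split(r"(?m)^[ \t]*(?:#|return)[ \t]*$", cfg)
    return [b for b in ([l.strip() for l in p.splitlines() if l.strip()] for p in parts) if b]


def unisolated_ap_ports(switch_cfg, mgmt_vlan):
    """Interfaces whose trunk PVID is the AP management VLAN but lack 'port-isolate enable'.
    Assumption: such a PVID marks the port as directly connected to an AP."""
    hits = []
    for blk in blocks(switch_cfg):
        m = re.fullmatch(r"interface (\S+)", blk[0])
        pvids = [int(l.split()[-1]) for l in blk if l.startswith("port trunk pvid vlan ")]
        if m and pvids and pvids[0] == mgmt_vlan and "port-isolate enable" not in blk:
            hits.append(m.group(1))
    return hits


def tunnel_vlan_conflicts(ac_cfg):
    """VAP profiles in tunnel forwarding whose service VLANs include the management VLAN."""
    pools, vaps, mgmt, cur = {}, {}, None, None
    for blk in blocks(ac_cfg):
        if blk[0].startswith("vlan pool "):
            pools[blk[0].split()[2]] = set().union(
                *(expand_vlans(l[5:]) for l in blk[1:] if l.startswith("vlan ")))
        elif m := re.fullmatch(r"capwap source interface vlanif\s*(\d+)", blk[0], re.I):
            mgmt = int(m.group(1))
        for l in blk if blk[0] == "wlan" else []:
            if m := re.fullmatch(r"(\S+) name (\S+)", l):  # '<kind> name <x>' opens a profile
                cur = vaps.setdefault(m.group(2), {}) if m.group(1) == "vap-profile" else None
            elif cur is not None and l.startswith(("forward-mode ", "service-vlan ")):
                cur[l.split()[0]] = l.split()[1:]
    bad = []
    for name, v in vaps.items():
        if v.get("forward-mode") != ["tunnel"] or "service-vlan" not in v:
            continue  # direct forwarding is outside the scope of this note
        kind, val = v["service-vlan"]
        if mgmt in (pools.get(val, set()) if kind == "vlan-pool" else expand_vlans(val)):
            bad.append(name)
    return bad


if __name__ == "__main__":
    print(unisolated_ap_ports(SWITCH_CFG, 100), tunnel_vlan_conflicts(AC_CFG))
```
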


Procedure
• Configure ground network devices.
a. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add
interfaces GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to
allow packets from VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4
to VLAN 101. Add GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and
configure GE0/0/5 to allow packets from VLAN 200 to pass through. Configure
GE0/0/1, GE0/0/2, and GE0/0/6 to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit

b. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP
server function to assign IP addresses for vehicle-mounted terminals.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[Switch_A-Vlanif101] quit

c. Configure an IP address for VLANIF 200 on Switch_A and specify the IP address
of GE1/0/0 on the router as the next hop address of the default route so that packets
from the vehicle-ground communication network can be forwarded to the egress
router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1

d. Configure an IP address for GE1/0/0 on Router and configure routes to the internal
network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router


[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 24 10.23.200.2
[Router] ip route-static 10.23.100.0 24 10.23.200.2

NOTE
You can configure routes to external networks and the NAT function on the egress router
according to service requirements to ensure normal communications between internal and
external networks.
e. Configure Switch_B and Switch_C to enable Layer 2 communications between
trackside APs and the ground network.

# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100 (management VLAN for trackside APs).

# Configure the other interfaces on Switch_B that connect to trackside APs in the same
way as GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set
their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] quit

# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100.

# Configure the other interfaces on Switch_C that connect to trackside APs in the same
way as GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set
their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/1] quit

f. Enable Layer 2 multicast on Switch_A, Switch_B, and Switch_C to allow them to
properly forward multicast data.

# Enable IGMP snooping globally on Switch_A.


[Switch_A] igmp-snooping enable

# Enable IGMP snooping in VLAN 101 on Switch_A.


[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping enable
[Switch_A-vlan101] quit


# Configure multicast group filter policies on Switch_A.


[Switch_A] acl 2000
[Switch_A-acl-basic-2000] rule permit source 225.1.1.1 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.2 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.3 0
[Switch_A-acl-basic-2000] quit

# Apply the multicast group filter policies in VLAN 101 on Switch_A.


[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping group-policy 2000
[Switch_A-vlan101] quit
[Switch_A] quit

# Complete multicast configuration on Switch_B and Switch_C according to the
multicast configuration procedure of Switch_A.

# Configure the fast leave function on Switch_B and Switch_C.

NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast
services. If the trackside APs are not directly connected to the switches or Layer 3
multicast is configured, you cannot configure the fast leave function because this
function may interrupt multicast services.

[Switch_B] vlan 101
[Switch_B-vlan101] igmp-snooping prompt-leave group-policy 2000
[Switch_C] vlan 101
[Switch_C-vlan101] igmp-snooping prompt-leave group-policy 2000

g. Configure the AC to enable it to communicate with trackside APs at Layer 2.

# Create VLAN 100 on the AC and configure GE0/0/1 to allow packets from
VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

# Configure the AC as a DHCP server to assign IP addresses to trackside APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

h. Configure the AP group, country code, and AC's source interface.

# Create the AP group mesh-mpp and add trackside APs that require the same
configuration to the group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit


# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and
antenna gain configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit

[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Add trackside APs to the AP group mesh-mpp.


NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 0046-4b59-1d10
[AC-wlan-ap-1] ap-name L1_001
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 0046-4b59-1d20
[AC-wlan-ap-2] ap-name L1_003
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 0046-4b59-1d30
[AC-wlan-ap-3] ap-name L1_010
[AC-wlan-ap-3] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 101 ap-mac 0046-4b59-1d40
[AC-wlan-ap-101] ap-name L1_150
[AC-wlan-ap-101] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 0046-4b59-1d50
[AC-wlan-ap-102] ap-name L1_160
[AC-wlan-ap-102] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac 0046-4b59-1d60
[AC-wlan-ap-103] ap-name L1_170
[AC-wlan-ap-103] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit


i. Configure the trackside APs' uplink wired interfaces to allow packets from VLAN
101 to pass through.
# Configure the wired port profile wired-port and add the wired interfaces to
VLAN 101 in tagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit

# Bind the wired port profile wired-port to the AP group mesh-mpp.


[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit

j. Configure Mesh parameters.


# Create the Mesh whitelist whitelist01 and add MAC addresses of vehicle-
mounted APs to the Mesh whitelist.
[AC-wlan-view] mesh-whitelist-profile name whitelist01
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e10
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e20
[AC-wlan-mesh-whitelist-whitelist01] quit

# Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# Configure the security profile sp01 used by Mesh links. The sp01 supports the
security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-sp01] quit

# Configure the Mesh role. Set the Mesh role of trackside APs to Mesh-portal
through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit

# Configure the Mesh handover profile hand-over and enable the location-based
fast link handover algorithm.
[AC-wlan-view] mesh-handover-profile name hand-over
[AC-wlan-mesh-handover-hand-over] location-based-algorithm enable
[AC-wlan-mesh-handover-hand-over] quit

# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] security-profile sp01
[AC-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AC-wlan-mesh-prof-mesh-net] quit

k. Apply the Mesh parameters to radios of trackside APs.


# Configure the radio and channel used by trackside APs and apply the Mesh
whitelist, Mesh profile, and AP system profile.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys


[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile whitelist01
[AC-wlan-group-radio-mesh-mpp/1] mesh-profile mesh-net
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] quit
[AC] quit

• Configure vehicle-mounted network devices.


NOTE
This example provides the detailed configuration procedure of the vehicle-mounted AP in the front of
the train. The configuration procedure of the vehicle-mounted AP in the rear is similar to that of the
vehicle-mounted AP in the front.
a. Create VLAN 101 on the vehicle-mounted APs, configure GE0/0/1 to allow packets
from VLAN 101 to pass through, and set the PVID of GE0/0/1 to VLAN 101.
<Huawei> system-view
[Huawei] sysname AP
[AP] vlan batch 101
[AP] interface gigabitethernet 0/0/1
[AP-GigabitEthernet0/0/1] port link-type trunk
[AP-GigabitEthernet0/0/1] port trunk pvid vlan 101
[AP-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AP-GigabitEthernet0/0/1] quit

b. Configure system parameters for the vehicle-mounted APs.


# Configure the AP country code.
[AP] wlan
[AP-wlan-view] country-code cn

c. Configure vehicle-ground fast link handover parameters.


# Create the Mesh whitelist whitelist01 and add MAC addresses of all trackside
APs along the rail line to the Mesh whitelist.
[AP-wlan-view] mesh-whitelist-profile name whitelist01
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d10
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d20
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d30
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d40
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d50
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d60
[AP-wlan-mesh-whitelist-whitelist01] quit

# Add MAC addresses of all trackside APs along the rail line to the Mesh whitelist
of vehicle-mounted APs on the other trains according to the preceding configuration
procedure.
# Configure the security profile sp01 used by Mesh links. sp01 uses the
security policy WPA2+PSK+AES.
[AP-wlan-view] security-profile name sp01
[AP-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-sp01] quit

# Configure the Mesh handover profile hand-over, enable the location-based fast
link handover algorithm, and set the moving direction of the vehicle-mounted AP to
forward.
[AP-wlan-view] mesh-handover-profile name hand-over
[AP-wlan-mesh-handover-hand-over] location-based-algorithm enable moving-direction forward
[AP-wlan-mesh-handover-hand-over] quit


NOTE
In this example, the moving direction of the vehicle-mounted AP in the rear must be set to
backward.

# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AP-wlan-view] mesh-profile name mesh-net
[AP-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AP-wlan-mesh-prof-mesh-net] security-profile sp01
[AP-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AP-wlan-mesh-prof-mesh-net] quit
[AP-wlan-view] quit

d. Apply the Mesh parameters to radios of vehicle-mounted APs.


# Configure the radio and channel used by vehicle-mounted APs and apply the
Mesh whitelist and Mesh profile.
[AP] interface wlan-radio 0/0/1
[AP-Wlan-Radio0/0/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] mesh-whitelist-profile whitelist01
[AP-Wlan-Radio0/0/1] mesh-profile mesh-net
[AP-Wlan-Radio0/0/1] quit

# Configure Mesh VAPs for other vehicle-mounted APs according to the preceding
configuration procedure.
e. Add proxied devices on the vehicle-mounted APs.
# Add proxied ground devices. Add MAC addresses of Switch_A, the network
management device, and multicast source on the vehicle-mounted APs.

[AP] wlan
[AP-wlan-view] mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101

# Add proxied vehicle-mounted devices. Add MAC addresses of the vehicle-mounted
terminals on the vehicle-mounted APs.
[AP-wlan-view] mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 101
[AP-wlan-view] mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 101
[AP-wlan-view] quit

f. Enable IGMP snooping on the vehicle-mounted APs.


[AP] igmp-snooping enable
[AP] vlan 101
[AP-vlan101] igmp-snooping enable
[AP-vlan101] quit
[AP] quit

● Verify the configuration.


# After vehicle-ground fast link handover configuration is complete, run the display
wlan mesh link all command on the AC to view Mesh connections between trackside
and vehicle-mounted APs.
<AC> display wlan mesh link all
Rf   : radio ID                         Dis  : coverage distance(100m)
Ch   : channel                          Per  : drop percent(%)
TSNR : total SNR(dB)                    P-   : peer
Mesh : Mesh mode                        Re   : retry ratio(%)
RSSI : RSSI(dBm)                        MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   Mesh    P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------------------
L1_001            1   3    157  portal  -         -51   -38   0    0   47    39/47/-
L1_003            1   3    157  portal  -         -59   -7    0    0   50    19/14/37
L1_010            1   3    157  portal  -         -45   -33   0    0   37    20/17/17
L1_150            1   3    157  portal  -         -54   -39   0    0   46    34/43/-
L1_160            1   3    157  portal  -         -52   -7    0    0   32    21/18/35
L1_170            1   3    157  portal  -         -42   -33   0    0   29    26/14/19
-------------------------------------------------------------------------------------------------
Total: 6

# Run the display mesh-neighbor-rssi command on the AC to view RSSI information
of trackside APs.
<AC> display mesh-neighbor-rssi
Info: This operation may take a few seconds, please wait.done.
AP name/MAC/Radio/Location-ID   Neighbor AP/MAC/Location-ID   RSSI   Update Time
------------------------------------------------------------------------------
L1_001/0046-4b59-1d10/1/1       -/0046-4b59-2e10/-            -44    18:08:21
L1_003/0046-4b59-1d20/1/3       -/0046-4b59-2e10/-            -50    18:08:20
L1_010/0046-4b59-1d30/1/10      -/0046-4b59-2e10/-            -28    18:08:21
L1_150/0046-4b59-1d40/1/150     -/0046-4b59-2e10/-            -43    18:08:20
L1_160/0046-4b59-1d50/1/160     -/0046-4b59-2e10/-            -47    18:08:21
L1_170/0046-4b59-1d60/1/170     -/0046-4b59-2e10/-            -38    18:08:21
------------------------------------------------------------------------------
Total: 6

# Run the display mesh-handover-trace command on the vehicle-mounted AP to view
roaming traces of the vehicle-mounted AP.
<AP> display mesh-handover-trace
Info: This operation may take a few seconds, please wait.done.
Index Timestamp From AP MAC/RSSI/Location-ID To AP MAC/RSSI/Location-ID

------------------------------------------------------------------------------
1 18:52:27 0046-4b59-1d50/-95/160 0046-4b59-1d60/-15/170
2 18:50:46 0046-4b59-1d40/-95/150 0046-4b59-1d50/-34/160
3 18:49:25 0046-4b59-1d30/-95/10 0046-4b59-1d40/-11/150
4 18:48:56 0046-4b59-1d20/-95/3 0046-4b59-1d30/-40/10
5 18:47:39 0046-4b59-1d10/-47/1 0046-4b59-1d20/-36/3

------------------------------------------------------------------------------

----End
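
A check that can be run over saved display mesh-handover-trace output, as an added example (not Huawei's code): it flags handovers to peers outside the Mesh whitelist, Location-IDs that move against the direction of travel, and breaks in the From/To chain. Trace row 0 and its MAC address are constructed for the example; that Location-IDs increase in the direction of travel is an assumption taken from the sample output above.

```python
import re

# Mesh whitelist of the vehicle-mounted AP (whitelist01 as configured above).
WHITELIST = {
    "0046-4b59-1d10", "0046-4b59-1d20", "0046-4b59-1d30",
    "0046-4b59-1d40", "0046-4b59-1d50", "0046-4b59-1d60",
}

# Rows 1-5 are the sample output above. Row 0 is constructed: a handover to a
# peer that is not whitelisted, at a lower Location-ID.
TRACE = """\
Index Timestamp From AP MAC/RSSI/Location-ID To AP MAC/RSSI/Location-ID
------------------------------------------------------------------------------
0 18:53:40 0046-4b59-1d60/-60/170 00e0-fc12-3456/-20/160
1 18:52:27 0046-4b59-1d50/-95/160 0046-4b59-1d60/-15/170
2 18:50:46 0046-4b59-1d40/-95/150 0046-4b59-1d50/-34/160
3 18:49:25 0046-4b59-1d30/-95/10 0046-4b59-1d40/-11/150
4 18:48:56 0046-4b59-1d20/-95/3 0046-4b59-1d30/-40/10
5 18:47:39 0046-4b59-1d10/-47/1 0046-4b59-1d20/-36/3
------------------------------------------------------------------------------
"""

MAC = r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
ROW = re.compile(
    rf"^\s*(\d+)\s+(\d\d:\d\d:\d\d)\s+({MAC})/(-?\d+)/(\d+)\s+({MAC})/(-?\d+)/(\d+)\s*$"
)


def parse_trace(text):
    """Return the handover events, oldest first; non-data lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        idx, ts, f_mac, f_rssi, f_loc, t_mac, t_rssi, t_loc = m.groups()
        events.append({
            "index": int(idx), "time": ts,
            "from_mac": f_mac.lower(), "from_rssi": int(f_rssi), "from_loc": int(f_loc),
            "to_mac": t_mac.lower(), "to_rssi": int(t_rssi), "to_loc": int(t_loc),
        })
    # The device lists the newest handover first. HH:MM:SS sorts correctly as
    # text within one day (assumption: the trace does not span midnight).
    return sorted(events, key=lambda e: e["time"])


def check_trace(events, whitelist, ascending=True):
    """Return (index, reason) pairs for handovers that need a closer look."""
    findings = []
    prev = None
    for e in events:
        # Both ends of every handover must be whitelisted peers.
        for side in ("from_mac", "to_mac"):
            if e[side] not in whitelist:
                findings.append((e["index"], f"{side} {e[side]} is not in the Mesh whitelist"))
        # Location-IDs must advance in the direction of travel.
        step = e["to_loc"] - e["from_loc"]
        if step == 0 or (step > 0) != ascending:
            findings.append((e["index"],
                             f"Location-ID {e['from_loc']} -> {e['to_loc']} does not advance as expected"))
        # Each handover should start where the previous one ended.
        if prev is not None and prev["to_mac"] != e["from_mac"]:
            findings.append((e["index"],
                             f"starts at {e['from_mac']} but the previous handover ended at {prev['to_mac']}"))
        prev = e
    return findings


if __name__ == "__main__":
    for index, reason in check_trace(parse_trace(TRACE), WHITELIST):
        print(f"handover {index}: {reason}")
```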

Configuration Files
● Ground network devices
– Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
 ip address 10.23.200.1 255.255.255.0
#
ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
ip route-static 10.23.224.0 255.255.255.0 10.23.200.2
#
return

– Switch_A configuration file


#
sysname Switch_A
#
vlan batch 100 to 101 200
#
igmp-snooping enable
#
dhcp enable
#
vlan 101
 igmp-snooping enable
 igmp-snooping group-policy 2000
#
acl number 2000
 rule 5 permit source 225.1.1.1 0
 rule 10 permit source 225.1.1.2 0
 rule 15 permit source 225.1.1.3 0
#
interface Vlanif101
 ip address 10.23.224.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
#
interface Vlanif200
 ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 101
 port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 101
 port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk pvid vlan 200
 port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/6
 port link-type trunk
 port trunk allow-pass vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.1
#
return

– Switch_B configuration file


#
sysname Switch_B
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
 igmp-snooping enable
 igmp-snooping group-policy 2000
 igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
 rule 5 permit source 225.1.1.1 0
 rule 10 permit source 225.1.1.2 0
 rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
return

– Switch_C configuration file

#
sysname Switch_C
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
 igmp-snooping enable
 igmp-snooping group-policy 2000
 igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
 rule 5 permit source 225.1.1.1 0
 rule 10 permit source 225.1.1.2 0
 rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
return
– AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name sp01
  security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
 mesh-handover-profile name hand-over
  location-based-algorithm enable
 mesh-whitelist-profile name whitelist01
  peer-ap mac 0046-4b59-2e10
  peer-ap mac 0046-4b59-2e20
 mesh-profile name mesh-net
  mesh-handover-profile hand-over
  security-profile sp01
  mesh-id mesh-net
 regulatory-domain-profile name default
 ap-system-profile name mesh-sys
  mesh-role Mesh-portal
 wired-port-profile name wired-port
  vlan tagged 101
 ap-group name mesh-mpp
  ap-system-profile mesh-sys
  wired-port-profile wired-port gigabitethernet 0
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile whitelist01
   channel 40mhz-plus 157
 ap-id 1 type-id 48 ap-mac 0046-4b59-1d10 ap-sn 210235554710CB000042
  ap-name L1_001
  ap-group mesh-mpp
 ap-id 2 type-id 48 ap-mac 0046-4b59-1d20 ap-sn 210235555310CC000094
  ap-name L1_003
  ap-group mesh-mpp
 ap-id 3 type-id 48 ap-mac 0046-4b59-1d30 ap-sn 210235419610CB002287
  ap-name L1_010
  ap-group mesh-mpp
 ap-id 101 type-id 48 ap-mac 0046-4b59-1d40 ap-sn 210235555310CC00AC69
  ap-name L1_150
  ap-group mesh-mpp
 ap-id 102 type-id 48 ap-mac 0046-4b59-1d50 ap-sn 210235555310CC003587
  ap-name L1_160
  ap-group mesh-mpp
 ap-id 103 type-id 48 ap-mac 0046-4b59-1d60 ap-sn 210235449210CB000011
  ap-name L1_170
  ap-group mesh-mpp
#
return

● Vehicle-mounted network devices


– Vehicle-mounted AP (in the front) configuration file
#
sysname AP
#
igmp-snooping enable
#
vlan batch 101
#
vlan 101
 igmp-snooping enable
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 101
 port trunk allow-pass vlan 101
#
wlan
 security-profile name sp01
  security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
 mesh-handover-profile name hand-over
  location-based-algorithm enable moving-direction forward
 mesh-whitelist-profile name whitelist01
  peer-ap mac 0046-4b59-1d10
  peer-ap mac 0046-4b59-1d20
  peer-ap mac 0046-4b59-1d30
  peer-ap mac 0046-4b59-1d40
  peer-ap mac 0046-4b59-1d50
  peer-ap mac 0046-4b59-1d60
 mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
 mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
 mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101
 mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 101
 mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 101
 mesh-profile name mesh-net
  mesh-handover-profile hand-over
  security-profile sp01
  mesh-id mesh-net
#
interface Wlan-Radio0/0/1
 mesh-profile mesh-net
 mesh-whitelist-profile whitelist01
 channel 40mhz-plus 157
#
return
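
The Mesh link only forms when both ends agree on the Mesh ID, channel and security policy and each end whitelists the other. The following added example (not part of the Huawei document) cross-checks the AC and vehicle-mounted AP configuration files for exactly that. The inline configurations are trimmed excerpts of the files above with the pass-phrase ciphertext replaced by a placeholder; the function names and the MAC 00e0-fc12-3456 used in the usage note are assumptions made for the example.

```python
# Trimmed excerpts of the AC and vehicle-mounted AP configuration files on this
# page; the pass-phrase ciphertext is replaced by a placeholder.
AC_CFG = """\
wlan
 security-profile name sp01
  security wpa2 psk pass-phrase <cipher-text> aes
 mesh-whitelist-profile name whitelist01
  peer-ap mac 0046-4b59-2e10
  peer-ap mac 0046-4b59-2e20
 mesh-profile name mesh-net
  security-profile sp01
  mesh-id mesh-net
 ap-group name mesh-mpp
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile whitelist01
   channel 40mhz-plus 157
 ap-id 1 type-id 48 ap-mac 0046-4b59-1d10
 ap-id 2 type-id 48 ap-mac 0046-4b59-1d20
 ap-id 3 type-id 48 ap-mac 0046-4b59-1d30
 ap-id 101 type-id 48 ap-mac 0046-4b59-1d40
 ap-id 102 type-id 48 ap-mac 0046-4b59-1d50
 ap-id 103 type-id 48 ap-mac 0046-4b59-1d60
"""
AP_CFG = """\
wlan
 security-profile name sp01
  security wpa2 psk pass-phrase <cipher-text> aes
 mesh-whitelist-profile name whitelist01
  peer-ap mac 0046-4b59-1d10
  peer-ap mac 0046-4b59-1d20
  peer-ap mac 0046-4b59-1d30
  peer-ap mac 0046-4b59-1d40
  peer-ap mac 0046-4b59-1d50
  peer-ap mac 0046-4b59-1d60
 mesh-profile name mesh-net
  security-profile sp01
  mesh-id mesh-net
#
interface Wlan-Radio0/0/1
 mesh-profile mesh-net
 mesh-whitelist-profile whitelist01
 channel 40mhz-plus 157
"""


def parse_mesh(config):
    """Collect the Mesh settings; works on indented or flattened text."""
    cfg = {"whitelist": {}, "mesh": {}, "security": {}, "applied": {},
           "ap_macs": set(), "channel": None}
    kind = name = None
    for line in config.splitlines():
        w = line.split()
        if not w or w[0] == "#":
            kind = name = None
        elif len(w) == 3 and w[1] == "name":    # "<profile-type> name <profile>"
            kind, name = w[0], w[2]
        elif w[0] == "ap-id" and "ap-mac" in w:
            cfg["ap_macs"].add(w[w.index("ap-mac") + 1].lower())
        elif w[0] == "channel":
            cfg["channel"] = " ".join(w[1:])
        elif kind == "mesh-whitelist-profile" and w[:2] == ["peer-ap", "mac"]:
            cfg["whitelist"].setdefault(name, set()).add(w[2].lower())
        elif kind == "security-profile" and w[0] == "security":
            cfg["security"][name] = w[1:]
        elif kind == "mesh-profile" and w[0] in ("mesh-id", "security-profile"):
            cfg["mesh"].setdefault(name, {})[w[0]] = w[1]
        elif w[0] in ("mesh-profile", "mesh-whitelist-profile") and len(w) == 2:
            cfg["applied"][w[0]] = w[1]         # profile bound to the radio
    # Resolve the profiles bound to the radio into concrete settings.
    mesh = cfg["mesh"].get(cfg["applied"].get("mesh-profile"), {})
    cfg["mesh-id"] = mesh.get("mesh-id")
    cfg["sec"] = cfg["security"].get(mesh.get("security-profile"), [])
    cfg["peers"] = cfg["whitelist"].get(cfg["applied"].get("mesh-whitelist-profile"), set())
    return cfg


def audit(ac_text, ap_text, vehicle_macs):
    """Return findings where the two ends of the Mesh link disagree."""
    ac, ap = parse_mesh(ac_text), parse_mesh(ap_text)
    findings = []
    for key in ("mesh-id", "channel"):
        if ac[key] != ap[key]:
            findings.append(f"{key} differs: AC {ac[key]!r}, vehicle AP {ap[key]!r}")
    for side, cfg in (("AC", ac), ("vehicle AP", ap)):
        if not {"wpa2", "aes"} <= set(cfg["sec"]):
            findings.append(f"{side}: Mesh link security is not WPA2 with AES")
    for mac in sorted(ac["ap_macs"] - ap["peers"]):
        findings.append(f"trackside AP {mac} is missing from the vehicle AP whitelist")
    for mac in sorted(ap["peers"] - ac["ap_macs"]):
        findings.append(f"vehicle AP whitelist trusts {mac}, not a trackside AP on the AC")
    for mac in sorted(set(vehicle_macs) - ac["peers"]):
        findings.append(f"vehicle AP {mac} is missing from the AC whitelist")
    return findings
```

Calling audit(AC_CFG, AP_CFG, ["0046-4b59-2e10", "0046-4b59-2e20"]) returns an empty list for the files as shown; replacing a whitelist entry on the vehicle-mounted AP with a MAC such as 00e0-fc12-3456 yields one finding for the missing trackside AP and one for the unexpected trusted peer.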

4.11.2 Example for Configuring Vehicle-Ground Fast Link Handover (VRRP Backup for Vehicle-Mounted APs)

Service Requirements
To reduce network deployment costs and better serve passengers, a rail transportation
enterprise wants to use WLAN technology to implement vehicle-ground communications and
expects that multicast servers on the ground network can deliver multimedia information
services to passengers. If a vehicle-mounted AP fails, the network fails and
vehicle-ground communication is affected. To prevent this, the customer requires
redundancy for the two vehicle-mounted APs. The VRRP function is recommended.

Networking Requirements
● AC networking mode: Layer 2 bypass mode
● Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
● Backhaul radio: 5 GHz radio


Figure 4-52 Networking for configuring vehicle-ground fast link handover


Data Planning

Table 4-56 AP information


AP                                   Type        MAC Address
Trackside AP (L1_001)                AP9132DN    0046-4b59-1d10
Trackside AP (L1_003)                AP9132DN    0046-4b59-1d20
Trackside AP (L1_010)                AP9132DN    0046-4b59-1d30
Trackside AP (L1_150)                AP9132DN    0046-4b59-1d40
Trackside AP (L1_160)                AP9132DN    0046-4b59-1d50
Trackside AP (L1_170)                AP9132DN    0046-4b59-1d60
......
Vehicle-mounted AP (in the front)    AP9132DN    0046-4b59-2e10
Vehicle-mounted AP (in the rear)     AP9132DN    0046-4b59-2e20
.......

Table 4-57 Data planning


Item                                                 Data
Management VLAN                                      VLAN 100
Multicast service VLAN                               VLAN 101
Service VLAN for STAs                                VLAN 200
DHCP server                                          ● Configure the AC as a DHCP server to assign IP addresses to trackside APs.
                                                     ● Configure Switch_D as a DHCP server to assign IP addresses to vehicle-mounted terminals.
AC's source interface address                        VLANIF 100: 10.23.100.1/24
Gateway address                                      IP address of VLANIF 101 on Switch_A: 10.23.224.1/24
IP address pool for trackside APs                    10.23.100.2-10.23.100.254/24
IP address pool for vehicle-mounted terminals        10.23.224.7-10.23.224.254/24
AP group to which trackside APs belong               Name: mesh-mpp
IDs of trackside APs                                 ● Trackside AP (L1_001): 1
                                                     ● Trackside AP (L1_003): 2
                                                     ● Trackside AP (L1_010): 3
                                                     ● Trackside AP (L1_150): 101
                                                     ● Trackside AP (L1_160): 102
                                                     ● Trackside AP (L1_170): 103
AP wired port profile                                ● Name: wired-port
Security profile                                     ● Name: sp01
                                                     ● Security policy: WPA2+PSK+AES
                                                     ● Password type: PASS-PHRASE
                                                     ● Authentication key: a1234567
AP system profile                                    ● Name: mesh-sys
                                                     ● Mesh role: Mesh-portal
Mesh profile                                         Trackside APs:
                                                     ● Name: mesh-net
                                                     ● Identifier: mesh-net
                                                     Vehicle-mounted APs:
                                                     ● Name: mesh-net
                                                     ● Identifier: mesh-net
Mesh handover profile                                Trackside APs:
                                                     ● Name: hand-over
                                                     Vehicle-mounted APs:
                                                     ● Name: hand-over
Mesh whitelist on trackside APs                      Name: whitelist01
                                                     Add MAC addresses of all vehicle-mounted APs on trains running on the rail to the whitelist according to actual situations.
Mesh whitelist on vehicle-mounted APs                Name: whitelist01
                                                     Add MAC addresses of all trackside APs along the rail line to the whitelist according to actual situations.
MAC address of the proxied ground device             ● Gateway: 707b-e8e9-d328
                                                     ● Network management device: 286e-d488-12cd
                                                     ● Multicast source: 286e-d488-b6ab
MAC address of the proxied vehicle-mounted device    ● Vehicle-mounted terminal_1: 286e-d488-d359
                                                     ● Vehicle-mounted terminal_2: 286e-d488-d270
Multicast group                                      225.1.1.1-225.1.1.3
Virtual IP address of the management VRRP group      10.23.161.4
Virtual IP address of the service VRRP group         10.23.165.4
                                                     10.23.224.4

Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted APs can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications
and configure VRRP and BFD between the vehicle-mounted APs.

NOTE

● This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
Fat AP mode as the vehicle-mounted APs.
● Switches and routers used in this example are all Huawei products.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.


● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
● Configure ground network devices.
a. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add
interfaces GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to
allow packets from VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4
to VLAN 101. Add GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and
configure GE0/0/5 to allow packets from VLAN 200 to pass through. Configure
GE0/0/1, GE0/0/2, and GE0/0/6 to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit
b. On Switch_A, configure an IP address for VLANIF 101.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] quit
c. Configure an IP address for VLANIF 200 on Switch_A and specify the IP address
of GE1/0/0 on the router as the next hop address of the default route so that packets
from the vehicle-ground communication network can be forwarded to the egress
router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1


d. On Switch_A, set the next hop of the route to the vehicle terminals to 10.23.224.4.


[Switch_A] ip route-static 10.23.224.0 24 10.23.224.4

e. Configure an IP address for GE1/0/0 on Router and configure routes to the internal
network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 24 10.23.200.2
[Router] ip route-static 10.23.100.0 24 10.23.200.2

NOTE
You can configure routes to external networks and the NAT function on the egress router
according to service requirements to ensure normal communications between internal and
external networks.
f. Configure Switch_B and Switch_C to enable Layer 2 communications between
trackside APs and the ground network.
# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
# Configure other interfaces connected to trackside APs on Switch_B according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set
their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] quit

# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100.
# Configure other interfaces connected to trackside APs on Switch_C according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set
their PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/1] quit

g. Enable Layer 2 multicast on Switch_A, Switch_B, and Switch_C to allow them to
properly forward multicast data.
# Enable IGMP snooping globally on Switch_A.


[Switch_A] igmp-snooping enable

# Enable IGMP snooping in VLAN 101 on Switch_A.


[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping enable
[Switch_A-vlan101] quit

# Configure multicast group filter policies on Switch_A.


[Switch_A] acl 2000
[Switch_A-acl-basic-2000] rule permit source 225.1.1.1 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.2 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.3 0
[Switch_A-acl-basic-2000] quit

# Apply the multicast group filter policies in VLAN 101 on Switch_A.


[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping group-policy 2000
[Switch_A-vlan101] quit
[Switch_A] quit

# Complete multicast configuration on Switch_B and Switch_C according to the
multicast configuration procedure of Switch_A.

# Configure the fast leave function on Switch_B and Switch_C.

NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast
services. If the trackside APs are not directly connected to the switches or Layer 3
multicast is configured, you cannot configure the fast leave function because this
function may interrupt multicast services.

[Switch_B] vlan 101


[Switch_B-vlan101] igmp-snooping prompt-leave group-policy 2000
[Switch_C] vlan 101
[Switch_C-vlan101] igmp-snooping prompt-leave group-policy 2000

h. Configure the AC to enable it to communicate with trackside APs at Layer 2.

# Create VLAN 100 on the AC and configure GE0/0/1 to allow packets from
VLAN 100 to pass through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

# Configure the AC as a DHCP server to assign IP addresses to trackside APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

i. Configure the AP group, country code, and AC's source interface.


# Create the AP group mesh-mpp and add trackside APs that require the same
configuration to the group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and
antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit

[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Add trackside APs to the AP group mesh-mpp.


NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 0046-4b59-1d10
[AC-wlan-ap-1] ap-name L1_001
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 0046-4b59-1d20
[AC-wlan-ap-2] ap-name L1_003
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 0046-4b59-1d30
[AC-wlan-ap-3] ap-name L1_010
[AC-wlan-ap-3] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 101 ap-mac 0046-4b59-1d40
[AC-wlan-ap-101] ap-name L1_150
[AC-wlan-ap-101] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 0046-4b59-1d50
[AC-wlan-ap-102] ap-name L1_160
[AC-wlan-ap-102] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit


[AC-wlan-view] ap-id 103 ap-mac 0046-4b59-1d60


[AC-wlan-ap-103] ap-name L1_170
[AC-wlan-ap-103] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes,
it will clear channel, power and antenna gain configurations
of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit

j. Configure the trackside APs' uplink wired interfaces to allow packets from VLAN
101 to pass through.

# Configure the wired port profile wired-port and add the wired interfaces to
VLAN 101 in tagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit

# Bind the wired port profile wired-port to the AP group mesh-mpp.


[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit

k. Configure Mesh parameters.

# Create the Mesh whitelist whitelist01 and add MAC addresses of vehicle-
mounted APs to the Mesh whitelist.
[AC-wlan-view] mesh-whitelist-profile name whitelist01
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e10
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e20
[AC-wlan-mesh-whitelist-whitelist01] quit

# Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.

# Configure the security profile sp01 used by Mesh links. sp01 uses the
security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-sp01] quit

# Configure the Mesh role. Set the Mesh role of trackside APs to Mesh-portal
through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role Mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit

# Configure the Mesh handover profile hand-over and enable the location-based
fast link handover algorithm.
[AC-wlan-view] mesh-handover-profile name hand-over
[AC-wlan-mesh-handover-hand-over] location-based-algorithm enable
[AC-wlan-mesh-handover-hand-over] quit

# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] security-profile sp01
[AC-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AC-wlan-mesh-prof-mesh-net] quit


l. Apply the Mesh parameters to radios of trackside APs.


# Configure the radio and channel used by trackside APs and apply the Mesh
whitelist, Mesh profile, and AP system profile.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile whitelist01
[AC-wlan-group-radio-mesh-mpp/1] mesh-profile mesh-net
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] quit
[AC] quit

m. Configure Switch_D.
# Create VLANs and configure IP addresses for the VLANIF interfaces.
<HUAWEI> system-view
[HUAWEI] sysname Switch_D
[Switch_D] vlan batch 101 161 165
[Switch_D] interface gigabitethernet 0/0/1
[Switch_D-GigabitEthernet0/0/1] port link-type trunk
[Switch_D-GigabitEthernet0/0/1] port trunk allow-pass vlan 161 165
[Switch_D-GigabitEthernet0/0/1] quit
[Switch_D] interface gigabitethernet 0/0/2
[Switch_D-GigabitEthernet0/0/2] port link-type trunk
[Switch_D-GigabitEthernet0/0/2] port trunk allow-pass vlan 161 165
[Switch_D-GigabitEthernet0/0/2] quit
[Switch_D] interface gigabitethernet 0/0/3
[Switch_D-GigabitEthernet0/0/3] port link-type trunk
[Switch_D-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_D-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_D-GigabitEthernet0/0/3] quit
[Switch_D] interface gigabitethernet 0/0/4
[Switch_D-GigabitEthernet0/0/4] port link-type trunk
[Switch_D-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_D-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_D-GigabitEthernet0/0/4] quit
[Switch_D] interface vlanif 101
[Switch_D-Vlanif101] ip address 10.23.224.2 24
[Switch_D-Vlanif101] quit
[Switch_D] interface vlanif 161
[Switch_D-Vlanif161] ip address 10.23.161.1 24
[Switch_D-Vlanif161] quit
[Switch_D] interface vlanif 165
[Switch_D-Vlanif165] ip address 10.23.165.1 24
[Switch_D-Vlanif165] quit

# Configure Layer 2 multicast on Switch_D.


[Switch_D] igmp-snooping enable
[Switch_D] vlan 101
[Switch_D-vlan101] igmp-snooping enable
[Switch_D-vlan101] quit

# Configure Switch_D as a DHCP server to assign IP addresses to vehicle-mounted
terminals.
[Switch_D] dhcp enable
[Switch_D] interface vlanif 101
[Switch_D-Vlanif101] dhcp select interface
[Switch_D-Vlanif101] dhcp server excluded-ip-address 10.23.224.1
[Switch_D-Vlanif101] dhcp server excluded-ip-address 10.23.224.3 10.23.224.6
[Switch_D-Vlanif101] quit

# Set the default next hop of Switch_D to 10.23.165.4.


[Switch_D] ip route-static 0.0.0.0 0 10.23.165.4


• Configure vehicle-mounted network devices.


NOTE
This example provides the detailed configuration procedure of the vehicle-mounted AP in the front of
the train. The configuration procedure of the vehicle-mounted AP in the rear is similar to that of the
vehicle-mounted AP in the front. The configuration differences are described in the subsequent steps.
a. Create VLAN 101 on the vehicle-mounted APs.
<Huawei> system-view
[Huawei] sysname AP
[AP] vlan batch 101

b. Configure system parameters for the vehicle-mounted APs.

# Configure the AP country code.


[AP] wlan
[AP-wlan-view] country-code cn

c. Configure vehicle-ground fast link handover parameters.

# Create the Mesh whitelist whitelist01 and add MAC addresses of all trackside
APs along the rail line to the Mesh whitelist.
[AP-wlan-view] mesh-whitelist-profile name whitelist01
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d10
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d20
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d30
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d40
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d50
[AP-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-1d60
[AP-wlan-mesh-whitelist-whitelist01] quit

# Add MAC addresses of all trackside APs along the rail line to the Mesh whitelist
of vehicle-mounted APs on the other trains according to the preceding configuration
procedure.

# Configure the security profile sp01 used by Mesh links. The sp01 supports the
security policy WPA2+PSK+AES.
[AP-wlan-view] security-profile name sp01
[AP-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AP-wlan-sec-prof-sp01] quit

# Configure the Mesh handover profile hand-over, enable the location-based fast
link handover algorithm, and set the moving direction of the vehicle-mounted AP to
forward.
[AP-wlan-view] mesh-handover-profile name hand-over
[AP-wlan-mesh-handover-hand-over] location-based-algorithm enable moving-direction forward
[AP-wlan-mesh-handover-hand-over] quit

NOTE
In this example, the moving direction of the vehicle-mounted AP in the rear must be set to
backward.

# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AP-wlan-view] mesh-profile name mesh-net
[AP-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AP-wlan-mesh-prof-mesh-net] security-profile sp01
[AP-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AP-wlan-mesh-prof-mesh-net] quit
[AP-wlan-view] quit


d. Apply the Mesh parameters to radios of vehicle-mounted APs.


# Configure the radio and channel used by vehicle-mounted APs and apply the
Mesh whitelist and Mesh profile.
[AP] interface wlan-radio 0/0/1
[AP-Wlan-Radio0/0/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AP-Wlan-Radio0/0/1] mesh-whitelist-profile whitelist01
[AP-Wlan-Radio0/0/1] mesh-profile mesh-net
[AP-Wlan-Radio0/0/1] quit

# Configure Mesh VAPs for other vehicle-mounted APs according to the preceding
configuration procedure.
e. Add proxied devices on the vehicle-mounted APs.
# Add proxied ground devices. Add MAC addresses of Switch_A, the network
management device, and multicast source on the vehicle-mounted APs.

[AP] wlan
[AP-wlan-view] mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
[AP-wlan-view] mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101

# Add proxied vehicle-mounted devices. Add MAC addresses of the vehicle-mounted
terminals on the vehicle-mounted APs.
[AP-wlan-view] mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 101
[AP-wlan-view] mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 101
[AP-wlan-view] quit

f. Enable IGMP snooping on the vehicle-mounted APs.


[AP] igmp-snooping enable
[AP] vlan 101
[AP-vlan101] igmp-snooping enable
[AP-vlan101] quit

g. Configure VRRP and BFD on the vehicle-mounted AP in the front.


NOTE

Up to this point, the configuration of the two vehicle-mounted APs is the same except for the AP
name. Name the vehicle-mounted AP in the rear AP2. From this step on, the configurations of the
two APs differ.

# Create VLANs and configure IP addresses for the VLANIF interfaces.


[AP] vlan batch 161 165
[AP] interface gigabitethernet 0/0/1
[AP-GigabitEthernet0/0/1] port link-type trunk
[AP-GigabitEthernet0/0/1] port trunk allow-pass vlan 161 165
[AP-GigabitEthernet0/0/1] quit
[AP] interface vlanif 101
[AP-Vlanif101] ip address 10.23.224.5 24
[AP-Vlanif101] quit
[AP] interface vlanif 161
[AP-Vlanif161] ip address 10.23.161.2 24
[AP-Vlanif161] quit
[AP] interface vlanif 165
[AP-Vlanif165] ip address 10.23.165.2 24
[AP-Vlanif165] quit

# Configure VRRP.

[AP] interface Vlanif 161
[AP-Vlanif161] vrrp vrid 1 virtual-ip 10.23.161.4
[AP-Vlanif161] admin-vrrp vrid 1
[AP-Vlanif161] vrrp vrid 1 priority 120
[AP-Vlanif161] quit
[AP] interface Vlanif 165
[AP-Vlanif165] vrrp vrid 2 virtual-ip 10.23.165.4
[AP-Vlanif165] vrrp vrid 2 track admin-vrrp interface vlanif 161 vrid 1 unflowdown
[AP-Vlanif165] vrrp vrid 2 priority 120
[AP-Vlanif165] quit
[AP] interface Vlanif 101
[AP-Vlanif101] vrrp vrid 3 virtual-ip 10.23.224.4
[AP-Vlanif101] vrrp vrid 3 track admin-vrrp interface vlanif 161 vrid 1 unflowdown
[AP-Vlanif101] vrrp vrid 3 priority 120
[AP-Vlanif101] quit

# Configure BFD and one-arm BFD echo.


[AP] bfd
[AP-bfd] quit
[AP] bfd atob bind peer-ip 10.23.161.3 interface vlanif161
[AP-bfd-session-atob] discriminator local 1
[AP-bfd-session-atob] discriminator remote 2
[AP-bfd-session-atob] commit
[AP-bfd-session-atob] min-rx-interval 50
[AP-bfd-session-atob] min-tx-interval 50
[AP-bfd-session-atob] quit
[AP] bfd atob2 bind peer-ip 10.23.161.1 interface vlanif161 one-arm-echo
[AP-bfd-session-atob2] discriminator local 11
[AP-bfd-session-atob2] commit
[AP-bfd-session-atob2] quit
[AP] interface Vlanif 161
[AP-Vlanif161] vrrp vrid 1 track bfd-session 11 link
[AP-Vlanif161] quit

# Configure a route from the AP to vehicle terminals.


[AP] ip route-static 10.23.224.0 24 10.23.165.1

h. Configure VRRP and BFD on the vehicle-mounted AP in the rear.


# Create VLANs and configure IP addresses for the VLANIF interfaces.
[AP2] vlan batch 161 165
[AP2] interface gigabitethernet 0/0/1
[AP2-GigabitEthernet0/0/1] port link-type trunk
[AP2-GigabitEthernet0/0/1] port trunk allow-pass vlan 161 165
[AP2-GigabitEthernet0/0/1] quit
[AP2] interface vlanif 101
[AP2-Vlanif101] ip address 10.23.224.6 24
[AP2-Vlanif101] quit
[AP2] interface vlanif 161
[AP2-Vlanif161] ip address 10.23.161.3 24
[AP2-Vlanif161] quit
[AP2] interface vlanif 165
[AP2-Vlanif165] ip address 10.23.165.3 24
[AP2-Vlanif165] quit

# Configure VRRP.
[AP2] interface Vlanif 161
[AP2-Vlanif161] vrrp vrid 1 virtual-ip 10.23.161.4
[AP2-Vlanif161] admin-vrrp vrid 1
[AP2-Vlanif161] vrrp vrid 1 priority 110
[AP2-Vlanif161] quit
[AP2] interface Vlanif 165
[AP2-Vlanif165] vrrp vrid 2 virtual-ip 10.23.165.4
[AP2-Vlanif165] vrrp vrid 2 track admin-vrrp interface vlanif 161 vrid 1 unflowdown
[AP2-Vlanif165] vrrp vrid 2 priority 110
[AP2-Vlanif165] quit
[AP2] interface Vlanif 101
[AP2-Vlanif101] vrrp vrid 3 virtual-ip 10.23.224.4
[AP2-Vlanif101] vrrp vrid 3 track admin-vrrp interface vlanif 161 vrid 1 unflowdown
[AP2-Vlanif101] vrrp vrid 3 priority 110
[AP2-Vlanif101] quit

# Configure BFD and one-arm BFD echo.


[AP2] bfd
[AP2-bfd] quit
[AP2] bfd atob bind peer-ip 10.23.161.2 interface vlanif161
[AP2-bfd-session-atob] discriminator local 2
[AP2-bfd-session-atob] discriminator remote 1
[AP2-bfd-session-atob] commit
[AP2-bfd-session-atob] min-rx-interval 50
[AP2-bfd-session-atob] min-tx-interval 50
[AP2-bfd-session-atob] quit
[AP2] bfd atob3 bind peer-ip 10.23.161.1 interface vlanif161 one-arm-echo
[AP2-bfd-session-atob3] discriminator local 12
[AP2-bfd-session-atob3] commit
[AP2-bfd-session-atob3] quit
[AP2] interface Vlanif 161
[AP2-Vlanif161] vrrp vrid 1 track bfd-session 2 link increased 50
[AP2-Vlanif161] vrrp vrid 1 track bfd-session 12 link
[AP2-Vlanif161] quit

# Configure a route from the AP to vehicle terminals.


[AP2] ip route-static 10.23.224.0 24 10.23.165.1
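
The VRRP-to-BFD bindings configured on the two vehicle-mounted APs can be cross-checked offline before deployment. The following Python script is an added example, not part of the Huawei document: the configuration excerpts are constructed from the commands in steps g and h, and the function names parse, audit_device and audit_pair are hypothetical.

```python
import re

# Constructed excerpts that follow the VRRP/BFD commands of steps g and h.
FRONT_AP = """\
interface Vlanif161
 ip address 10.23.161.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.23.161.4
 vrrp vrid 1 priority 120
 vrrp vrid 1 track bfd-session 11 link
#
bfd atob bind peer-ip 10.23.161.3 interface Vlanif161
 discriminator local 1
 discriminator remote 2
 commit
#
bfd atob2 bind peer-ip 10.23.161.1 interface Vlanif161 one-arm-echo
 discriminator local 11
 commit
"""
REAR_AP = """\
interface Vlanif161
 ip address 10.23.161.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.23.161.4
 vrrp vrid 1 priority 110
 vrrp vrid 1 track bfd-session 2 link increased 50
 vrrp vrid 1 track bfd-session 12 link
#
bfd atob bind peer-ip 10.23.161.2 interface Vlanif161
 discriminator local 2
 discriminator remote 1
 commit
#
bfd atob3 bind peer-ip 10.23.161.1 interface Vlanif161 one-arm-echo
 discriminator local 12
 commit
"""
# Constructed failure case: the rear AP's tracking lines pasted onto the front AP.
FRONT_AP_COPIED = FRONT_AP.replace(
    " vrrp vrid 1 track bfd-session 11 link",
    " vrrp vrid 1 track bfd-session 2 link increased 50\n"
    " vrrp vrid 1 track bfd-session 12 link")


def parse(text):
    """Collect interface IPs, VRRP settings and BFD sessions from one config."""
    cfg = {"ips": set(), "vip": {}, "prio": {}, "tracks": [], "bfd": []}
    session = None                        # BFD session block being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):       # "#" separator or a new top-level block
            session = None
            m = re.match(r"bfd \S+ bind peer-ip (\S+)", line)
            if m:
                session = {"peer": m.group(1), "local": None, "remote": None,
                           "echo": line.endswith("one-arm-echo"), "commit": False}
                cfg["bfd"].append(session)
        elif session is not None:
            m = re.match(r"discriminator (local|remote) (\d+)$", line)
            if m:
                session[m.group(1)] = int(m.group(2))
            elif line == "commit":
                session["commit"] = True
        elif m := re.match(r"ip address (\S+) ", line):
            cfg["ips"].add(m.group(1))
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+)", line):
            cfg["vip"][int(m.group(1))] = m.group(2)
        elif m := re.match(r"vrrp vrid (\d+) priority (\d+)", line):
            cfg["prio"][int(m.group(1))] = int(m.group(2))
        elif m := re.match(r"vrrp vrid (\d+) track bfd-session (\d+)", line):
            cfg["tracks"].append((int(m.group(1)), int(m.group(2))))
    return cfg


def audit_device(name, cfg):
    """Every tracked discriminator must belong to a committed local session."""
    local = {s["local"] for s in cfg["bfd"] if s["commit"]}
    return [f"{name}: vrid {vrid} tracks BFD discriminator {disc}, "
            "which no committed local session defines"
            for vrid, disc in cfg["tracks"] if disc not in local]


def audit_pair(a, b):
    """Cross-check the two APs that back each other up."""
    findings = []
    for vrid in sorted(set(a["vip"]) & set(b["vip"])):
        if a["vip"][vrid] != b["vip"][vrid]:
            findings.append(f"vrid {vrid}: virtual IP differs between the APs")
        if a["prio"].get(vrid, 100) == b["prio"].get(vrid, 100):  # 100 = VRRP default
            findings.append(f"vrid {vrid}: both APs have the same priority")
    # The AP-to-AP session (not one-arm echo) must mirror its discriminators.
    sa = [s for s in a["bfd"] if not s["echo"] and s["peer"] in b["ips"]]
    sb = [s for s in b["bfd"] if not s["echo"] and s["peer"] in a["ips"]]
    if len(sa) != 1 or len(sb) != 1:
        findings.append("expected one AP-to-AP BFD session in each direction")
    elif (sa[0]["local"], sa[0]["remote"]) != (sb[0]["remote"], sb[0]["local"]):
        findings.append("AP-to-AP BFD discriminators are not mirrored")
    return findings
```

A tracked discriminator that no local session defines leaves the VRRP group without the failure signal it is meant to react to, so a non-empty result from audit_device is worth resolving before the APs go into service.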

• Verify the configuration.

# After vehicle-ground fast link handover configuration is complete, run the display
wlan mesh link all command on the AC to view Mesh connections between trackside
and vehicle-mounted APs.
<AC> display wlan mesh link all
Rf   : radio ID            Dis  : coverage distance(100m)
Ch   : channel             Per  : drop percent(%)
TSNR : total SNR(dB)       P-   : peer
Mesh : Mesh mode           Re   : retry ratio(%)
RSSI : RSSI(dBm)           MaxR : max RSSI(dBm)
------------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   Mesh    P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~2:dB)
------------------------------------------------------------------------------------------
L1_001            1   3    157  portal  -         -51   -38   0    0   47    39/47/-
L1_003            1   3    157  portal  -         -59   -7    0    0   50    19/14/37
L1_010            1   3    157  portal  -         -45   -33   0    0   37    20/17/17
L1_150            1   3    157  portal  -         -54   -39   0    0   46    34/43/-
L1_160            1   3    157  portal  -         -52   -7    0    0   32    21/18/35
L1_170            1   3    157  portal  -         -42   -33   0    0   29    26/14/19
------------------------------------------------------------------------------------------
Total: 6

# Run the display mesh-neighbor-rssi command on the AC to view RSSI information
of trackside APs.
<AC> display mesh-neighbor-rssi
Info: This operation may take a few seconds, please wait.done.
AP name/MAC/Radio/Location-ID   Neighbor AP/MAC/Location-ID   RSSI   Update Time
------------------------------------------------------------------------------
L1_001/0046-4b59-1d10/1/1       -/0046-4b59-2e10/-            -44    18:08:21
L1_003/0046-4b59-1d20/1/3       -/0046-4b59-2e10/-            -50    18:08:20
L1_010/0046-4b59-1d30/1/10      -/0046-4b59-2e10/-            -28    18:08:21
L1_150/0046-4b59-1d40/1/150     -/0046-4b59-2e10/-            -43    18:08:20
L1_160/0046-4b59-1d50/1/160     -/0046-4b59-2e10/-            -47    18:08:21
L1_170/0046-4b59-1d60/1/170     -/0046-4b59-2e10/-            -38    18:08:21
------------------------------------------------------------------------------
Total: 6

# Run the display mesh-handover-trace command on the vehicle-mounted AP to view
roaming traces of the vehicle-mounted AP.
<AP> display mesh-handover-trace
Info: This operation may take a few seconds, please wait.done.
Index Timestamp From AP MAC/RSSI/Location-ID To AP MAC/RSSI/Location-ID

------------------------------------------------------------------------------
1 18:52:27 0046-4b59-1d50/-95/160 0046-4b59-1d60/-15/170
2 18:50:46 0046-4b59-1d40/-95/150 0046-4b59-1d50/-34/160
3 18:49:25 0046-4b59-1d30/-95/10 0046-4b59-1d40/-11/150
4 18:48:56 0046-4b59-1d20/-95/3 0046-4b59-1d30/-40/10
5 18:47:39 0046-4b59-1d10/-47/1 0046-4b59-1d20/-36/3

------------------------------------------------------------------------------

# Check information about BFD sessions.


<AP> display bfd session all
--------------------------------------------------------------------------------
Local  Remote  PeerIpAddr    State  Type     InterfaceName
--------------------------------------------------------------------------------
1      2       10.23.161.3   Up     S_IP_IF  Vlanif161
11     -       10.23.161.1   Up     S_IP_IF  Vlanif161
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 2/0

----End

Configuration Files
• Ground network devices
– Router configuration file
#
sysname Router
#
interface GigabitEthernet1/0/0
ip address 10.23.200.1 255.255.255.0
#
ip route-static 10.23.100.0 255.255.255.0 10.23.200.2
ip route-static 10.23.224.0 255.255.255.0 10.23.200.2
#
return

– Switch_A configuration file


#
sysname Switch_A
#
vlan batch 100 to 101 200
#
igmp-snooping enable
#
dhcp enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface Vlanif101
ip address 10.23.224.1 255.255.255.0
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 200
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.1
ip route-static 10.23.224.0 255.255.255.0 10.23.224.4
#
return
– Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
– Switch_C configuration file
#
sysname Switch_C
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
– Switch_D configuration file
#
sysname Switch_D
#
vlan batch 101 161 165
#
igmp-snooping enable
#
dhcp enable
#
vlan 101
igmp-snooping enable
#
interface Vlanif101
ip address 10.23.224.2 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.224.1
dhcp server excluded-ip-address 10.23.224.3 10.23.224.6
#
interface Vlanif161
ip address 10.23.161.1 255.255.255.0
#
interface Vlanif165
ip address 10.23.165.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 161 165
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 161 165
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.165.4
#
return
– AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-2e10
peer-ap mac 0046-4b59-2e20
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
regulatory-domain-profile name default
ap-system-profile name mesh-sys
mesh-role Mesh-portal
wired-port-profile name wired-port
vlan tagged 101
ap-group name mesh-mpp
ap-system-profile mesh-sys
wired-port-profile wired-port gigabitethernet 0
radio 1
mesh-profile mesh-net
mesh-whitelist-profile whitelist01
channel 40mhz-plus 157
ap-id 1 type-id 48 ap-mac 0046-4b59-1d10 ap-sn 210235554710CB000042
ap-name L1_001
ap-group mesh-mpp
ap-id 2 type-id 48 ap-mac 0046-4b59-1d20 ap-sn 210235555310CC000094
ap-name L1_003
ap-group mesh-mpp
ap-id 3 type-id 48 ap-mac 0046-4b59-1d30 ap-sn 210235419610CB002287
ap-name L1_010
ap-group mesh-mpp
ap-id 101 type-id 48 ap-mac 0046-4b59-1d40 ap-sn 210235555310CC00AC69
ap-name L1_150
ap-group mesh-mpp
ap-id 102 type-id 48 ap-mac 0046-4b59-1d50 ap-sn 210235555310CC003587
ap-name L1_160
ap-group mesh-mpp
ap-id 103 type-id 48 ap-mac 0046-4b59-1d60 ap-sn 210235449210CB000011
ap-name L1_170
ap-group mesh-mpp
#
return

• Vehicle-mounted network devices


– Vehicle-mounted AP (in the front) configuration file
#
sysname AP
#
igmp-snooping enable
#
vlan batch 101 161 165
#
vlan 101
igmp-snooping enable
#
interface Vlanif101
ip address 10.23.224.5 255.255.255.0
vrrp vrid 3 virtual-ip 10.23.224.4
vrrp vrid 3 priority 120
vrrp vrid 3 track admin-vrrp interface Vlanif161 vrid 1 unflowdown
#
interface Vlanif161
ip address 10.23.161.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.161.4
admin-vrrp vrid 1
vrrp vrid 1 priority 120
vrrp vrid 1 track bfd-session 11 link
#
interface Vlanif165
ip address 10.23.165.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.23.165.4
vrrp vrid 2 priority 120
vrrp vrid 2 track admin-vrrp interface Vlanif161 vrid 1 unflowdown
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 161 165
#
bfd atob bind peer-ip 10.23.161.3 interface Vlanif161
discriminator local 1
discriminator remote 2
min-tx-interval 50
min-rx-interval 50
commit
#
bfd atob2 bind peer-ip 10.23.161.1 interface Vlanif161 one-arm-echo
discriminator local 11
commit
#
ip route-static 10.23.224.0 255.255.255.0 10.23.165.1
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable moving-direction forward
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-1d10
peer-ap mac 0046-4b59-1d20
peer-ap mac 0046-4b59-1d30
peer-ap mac 0046-4b59-1d40
peer-ap mac 0046-4b59-1d50
peer-ap mac 0046-4b59-1d60
mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 101
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
#
interface Wlan-Radio0/0/1
mesh-profile mesh-net
mesh-whitelist-profile whitelist01
channel 40mhz-plus 157
#
return
– Vehicle-mounted AP (in the rear) configuration file
#
sysname AP2
#
igmp-snooping enable
#
vlan batch 101 161 165
#
vlan 101
igmp-snooping enable
#
interface Vlanif101
ip address 10.23.224.6 255.255.255.0
vrrp vrid 3 virtual-ip 10.23.224.4
vrrp vrid 3 priority 110
vrrp vrid 3 track admin-vrrp interface Vlanif161 vrid 1 unflowdown
#
interface Vlanif161
ip address 10.23.161.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.23.161.4
admin-vrrp vrid 1
vrrp vrid 1 priority 110
vrrp vrid 1 track bfd-session 2 link increased 50
vrrp vrid 1 track bfd-session 12 link
#
interface Vlanif165
ip address 10.23.165.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.23.165.4
vrrp vrid 2 priority 110
vrrp vrid 2 track admin-vrrp interface Vlanif161 vrid 1 unflowdown
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 161 165
#
bfd atob bind peer-ip 10.23.161.2 interface Vlanif161
discriminator local 2
discriminator remote 1
min-tx-interval 50
min-rx-interval 50
commit
#
bfd atob3 bind peer-ip 10.23.161.1 interface Vlanif161 one-arm-echo
discriminator local 12
commit
#
ip route-static 10.23.224.0 255.255.255.0 10.23.165.1
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#yUrI$*AU}-T<aI*$21X8,wdZ>"Q%NVibT@S@ITs<%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable moving-direction backward
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-1d10
peer-ap mac 0046-4b59-1d20
peer-ap mac 0046-4b59-1d30
peer-ap mac 0046-4b59-1d40
peer-ap mac 0046-4b59-1d50
peer-ap mac 0046-4b59-1d60
mesh-proxy trackside-equip mac-address 707b-e8e9-d328 vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-12cd vlan 101
mesh-proxy trackside-equip mac-address 286e-d488-b6ab vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d359 vlan 101
mesh-proxy onboard-equip mac-address 286e-d488-d270 vlan 101
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
#
interface Wlan-Radio0/0/1
mesh-profile mesh-net
mesh-whitelist-profile whitelist01
channel 40mhz-plus 157
#
return
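
The Mesh whitelists on the AC and on the vehicle-mounted APs admit only the intended peers as long as they stay in step with the AP inventory. The following Python script is an added example, not part of the Huawei document: it compares the trackside APs registered on the AC (the ap-id ... ap-mac lines) with the whitelist bound on a vehicle-mounted AP, and the reverse. The configuration excerpts, the serial numbers, the MAC address 0046-4b59-9999, the operator-supplied list of vehicle-mounted AP MAC addresses and the function names are constructed for the example.

```python
import re

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"

# Constructed AC excerpt: three managed trackside APs, whitelist of vehicle APs.
AC_CFG = """\
wlan
 mesh-whitelist-profile name whitelist01
  peer-ap mac 0046-4b59-2e10
  peer-ap mac 0046-4b59-2e20
 mesh-profile name mesh-net
  mesh-id mesh-net
 ap-group name mesh-mpp
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile whitelist01
   channel 40mhz-plus 157
 ap-id 1 type-id 48 ap-mac 0046-4b59-1d10 ap-sn EXAMPLE-SN-0001
 ap-id 2 type-id 48 ap-mac 0046-4b59-1d20 ap-sn EXAMPLE-SN-0002
 ap-id 3 type-id 48 ap-mac 0046-4b59-1d30 ap-sn EXAMPLE-SN-0003
"""
# Constructed vehicle-mounted AP excerpt: one trackside AP is missing from the
# whitelist and one entry (…-9999) does not belong to any managed AP.
VEHICLE_CFG = """\
wlan
 mesh-whitelist-profile name whitelist01
  peer-ap mac 0046-4b59-1d10
  peer-ap mac 0046-4b59-1d20
  peer-ap mac 0046-4b59-9999
 mesh-profile name mesh-net
  mesh-id mesh-net
#
interface Wlan-Radio0/0/1
 mesh-profile mesh-net
 mesh-whitelist-profile whitelist01
 channel 40mhz-plus 157
"""


def facts(text):
    """Extract the Mesh admission settings from one configuration."""
    f = {"whitelists": {}, "bound": set(), "aps": {},
         "mesh_ids": set(), "channels": set()}
    current = None                        # whitelist profile being defined
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"mesh-whitelist-profile name (\S+)", line):
            current = f["whitelists"].setdefault(m.group(1), set())
        elif m := re.fullmatch(rf"peer-ap mac ({MAC})", line):
            if current is not None:
                current.add(m.group(1))
        else:
            current = None                # any other line ends the profile
            if m := re.fullmatch(r"mesh-whitelist-profile (\S+)", line):
                f["bound"].add(m.group(1))            # profile applied to a radio
            elif m := re.match(rf"ap-id (\d+) .*ap-mac ({MAC})", line):
                f["aps"][m.group(2)] = int(m.group(1))
            elif m := re.fullmatch(r"mesh-id (\S+)", line):
                f["mesh_ids"].add(m.group(1))
            elif m := re.fullmatch(r"channel (.+)", line):
                f["channels"].add(m.group(1))
    return f


def allowed(f):
    """MAC addresses in whitelist profiles that are actually bound to a radio."""
    return set().union(*(f["whitelists"].get(n, set()) for n in f["bound"]))


def audit(ac_text, vehicle_text, vehicle_ap_macs):
    """Compare both whitelists with the inventories they are meant to mirror."""
    ac, veh = facts(ac_text), facts(vehicle_text)
    trackside, onboard = set(ac["aps"]), set(vehicle_ap_macs)
    return {
        "trackside_not_whitelisted_on_vehicle": sorted(trackside - allowed(veh)),
        "unmanaged_mac_whitelisted_on_vehicle": sorted(allowed(veh) - trackside),
        "vehicle_ap_not_whitelisted_on_ac": sorted(onboard - allowed(ac)),
        "unknown_mac_whitelisted_on_ac": sorted(allowed(ac) - onboard),
        "mesh_id_mismatch": ac["mesh_ids"] != veh["mesh_ids"],
        "channel_mismatch": ac["channels"] != veh["channels"],
        "whitelist_defined_but_not_bound": sorted(
            n for side in (ac, veh) for n in side["whitelists"]
            if n not in side["bound"]),
    }
```

A trackside AP missing from the vehicle-side whitelist shows up as a coverage gap during handover, while a whitelisted MAC address that matches no managed AP is an entry to review and remove.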

4.12 Radio Resource Management Configuration Examples

4.12.1 Example for Configuring Dynamic Load Balancing

Service Requirements
Enterprise users access the network over the WLAN, which is a basic requirement for mobile
office work. The enterprise also needs to prevent any single AP radio from being heavily loaded.
Furthermore, users' services must not be affected when they roam within the coverage area.

As shown in Figure 4-53, before load balancing is configured, 30 users are connected to AP
area_1, and 10 users are connected to AP area_2.

Networking Requirements
AP area_1 and AP area_2 form a dynamic load balancing group to balance loads on the APs
to prevent excessive user access to a single AP. A dynamic load balancing group can be set up
only when:
• AP area_1 and AP area_2 are managed by the same AC.
• STAs can detect SSIDs of both the APs.


Figure 4-53 Networking for configuring dynamic load balancing

Data Planning

Table 4-58 AC data planning


Item               Data
RRM profile        • Name: wlan-net
                   • Start threshold for dynamic load balancing: 15
                   • Load difference threshold for dynamic load balancing: 25%
2G radio profile   • Name: wlan-radio2g
                   • Referenced profile: RRM profile wlan-net
5G radio profile   • Name: wlan-radio5g
                   • Referenced profile: RRM profile wlan-net

Configuration Roadmap
Configure dynamic load balancing to prevent one AP from being heavily loaded.


Configuration Notes
• Currently, the load balancing function is implemented in the STA access phase. In
scenarios with complex user service types and unstable traffic, the expected load
balancing effect cannot be achieved. In this case, you are not advised to enable load
balancing based on the channel usage.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                          Command                            Data
Check the AP group to which an AP belongs.          display ap all                     AP group: ap-group1
Check all profiles referenced by the AP group.      display ap-group name ap-group1    VAP profile: wlan-net
Check all profiles referenced by the VAP profile.   display vap-profile name wlan-net  SSID profile: wlan-net

Step 2 Configure dynamic load balancing.

# Create the RRM profile wlan-net, enable dynamic load balancing in it, and set the start
threshold for dynamic load balancing to 15 and the load difference threshold to 25%.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] rrm-profile name wlan-net
[AC-wlan-rrm-prof-wlan-net] sta-load-balance dynamic enable
[AC-wlan-rrm-prof-wlan-net] sta-load-balance dynamic sta-number start-threshold 15
[AC-wlan-rrm-prof-wlan-net] sta-load-balance dynamic sta-number gap-threshold 25
[AC-wlan-rrm-prof-wlan-net] quit

# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-net to the 2G
radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-net
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-net to the 5G
radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-net
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC-wlan-ap-group-ap-group1] quit

Step 3 Verify the configuration.


# Run the display rrm-profile name wlan-net command on the AC to check the dynamic
load balancing configuration.
[AC-wlan-view] display rrm-profile name wlan-net
------------------------------------------------------------
...
Station load balance : enable
Station load balance start threshold : 15
Station load balance gap threshold(%) : 25
...
------------------------------------------------------------

# Run the display station load-balance sta-mac e019-1dc7-1e08 command on the AC to
check AP radios participating in dynamic load balancing.
[AC-wlan-view] display station load-balance sta-mac e019-1dc7-1e08
Station load balance status: balance
------------------------------------------------------------------------------
AP name Radio ID
------------------------------------------------------------------------------
area_1 1
area_1 0
area_2 1
area_2 0
------------------------------------------------------------------------------
Total: 2

# When a new STA requests to connect to AP area_1, the AC uses the dynamic load balancing
algorithm to redirect the STA to the lightly loaded AP area_2 based on the information
reported by the APs.

----End

Configuration Files
• AC configuration file


#
sysname AC
#
wlan
rrm-profile name wlan-net
sta-load-balance dynamic enable
sta-load-balance dynamic start-threshold 15
sta-load-balance dynamic gap-threshold 25
radio-2g-profile name wlan-radio2g
rrm-profile wlan-net
radio-5g-profile name wlan-radio5g
rrm-profile wlan-net
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
#
return

4.12.2 Example for Configuring Static Load Balancing


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. The enterprise also needs to prevent any single AP radio from being heavily loaded.
Furthermore, users' services are not affected during roaming in the coverage area.
As shown in Figure 4-54, before load balancing is configured, 30 users are connected to AP
area_1, and 10 users are connected to AP area_2.

Networking Requirements
AP area_1 and AP area_2 form a static load balancing group to balance loads on the APs to
prevent excessive user access to a single AP. A static load balancing group can be set up only
when:
• AP area_1 and AP area_2 are managed by the same AC.
• STAs can detect SSIDs of both the APs.


Figure 4-54 Networking for configuring static load balancing

Data Planning

Table 4-59 AC data planning

Item | Data
Static load balancing group | • Name: wlan-static
| • Start threshold for load balancing based on the number of users: 10
| • Load difference threshold for load balancing based on the number of users: 5%

Configuration Roadmap
Configure static load balancing based on the number of users to prevent one AP from being
heavily loaded.

Configuration Notes
• Load balancing takes effect during the STA association stage. In scenarios with complex
user service types and unstable traffic, loads cannot be balanced as expected. In this case,
load balancing based on the channel utilization is not recommended.


• If dual-band APs are used, traffic is load balanced among APs working on the same
frequency band.
• Each load balancing group supports a maximum of 16 AP radios.
• Under the agile distributed network architecture composed of the central AP and RUs,
you only need to add radios of the RUs to a static load balancing group.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure static load balancing.
1. Create a static load balancing group, and add AP area_1 and AP area_2 to it.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] sta-load-balance static-group name wlan-static
[AC-wlan-sta-lb-static-wlan-static] member ap-name area_1
[AC-wlan-sta-lb-static-wlan-static] member ap-name area_2

2. Configure the static load balancing mode and related parameters.


# Configure static load balancing based on the number of users.
[AC-wlan-sta-lb-static-wlan-static] mode sta-number

# Set the start threshold for static load balancing based on the number of users to 15 and
load difference threshold to 5%.
[AC-wlan-sta-lb-static-wlan-static] sta-number start-threshold 15
[AC-wlan-sta-lb-static-wlan-static] sta-number gap-threshold 5
[AC-wlan-sta-lb-static-wlan-static] quit

Step 2 Verify the configuration.


• Run the display sta-load-balance static-group name wlan-static command on the AC
to check the static load balancing configuration.
[AC-wlan-view] display sta-load-balance static-group name wlan-static
------------------------------------------------------------
Group name : wlan-static


Load-balance status : balance


Load-balance mode : sta-number
Deny threshold : 3
Sta-number start threshold : 15
Sta-number gap threshold(%) : 5
Channel-utilization start threshold(%): 50
Channel-utilization gap threshold(%): 20
------------------------------------------------------------------------
RfID: Radio ID
CurEIRP: Current EIRP (dBm)
Act CH: Actual channel, Cfg CH: Config channel, CU: Channel utilization
-----------------------------------------------------------------------
AP ID AP Name RfID Act CH/Cfg CH CurEIRP/MaxEIRP Client CU
-----------------------------------------------------------------------
0 area_1 0 6/- 20/28 10 37%
0 area_1 1 153/- 29/29 20 45%
1 area_2 0 1/- 20/28 5 15%
1 area_2 1 149/- 29/29 5 5%
-----------------------------------------------------------------------
Total: 4

• When a new STA requests to connect to AP area_1, the AC uses the static load balancing
algorithm to redirect the STA to the lightly loaded AP area_2 based on the configured
load balancing group.

----End

Configuration Files
• AC configuration file
#
sysname AC
#
wlan
sta-load-balance static-group name wlan-static
sta-number gap-threshold 5
member ap-id 0 radio 0
member ap-id 0 radio 1
member ap-id 1 radio 0
member ap-id 1 radio 1
sta-number start-threshold 15
#
return

4.12.3 Example for Configuring Band Steering


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. To relieve pressure on the 2.4 GHz frequency band, enable STAs to connect to the 5
GHz frequency band.

Networking Requirements
Use APs that support both 5 GHz and 2.4 GHz frequency bands.


Figure 4-55 Networking for configuring Band Steering

Data Planning

Table 4-60 AC data planning

Item | Data
VAP profile | • Name: wlan-net
| • Band steering function: enabled
| • Referenced profiles: SSID profile wlan-net and security profile wlan-net
RRM profile | • Name: wlan-rrm
| • Start threshold for load balancing between radios: 15
| • Load difference threshold for load balancing between radios: 25
2G radio profile | • Name: wlan-radio2g
| • Referenced profiles: RRM profile wlan-rrm

Configuration Roadmap
Configure the band steering function and proper band steering parameters so that STAs can
preferentially access the 5 GHz frequency band.


Configuration Notes
• Use APs that support both 5 GHz and 2.4 GHz frequency bands and configure the same
SSID and security policy on the 5 GHz and 2.4 GHz radios.
• To allow a STA to preferentially associate with the 5 GHz radio and achieve a better
access effect, configure larger power for the 5 GHz radio than the 2.4 GHz radio.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item | Command | Data
Check the AP group to which an AP belongs. | display ap all | AP group: ap-group1
Check all profiles referenced by the AP group. | display ap-group name ap-group1 | VAP profile: wlan-net
Check all profiles referenced by the VAP profile. | display vap-profile name wlan-net | SSID profile: wlan-net

Step 2 Configure the band steering function.


# Enable the band steering function in the VAP profile wlan-net. By default, the band steering
function is enabled.
NOTE

When band steering is enabled on one radio of an AP, the function takes effect on the SSID of the AP. If
different VAP profiles are applied to two radios of the AP, you only need to enable the band steering function
in the VAP profile of one radio.


<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] undo band-steer disable
[AC-wlan-vap-prof-wlan-net] quit

# Create the RRM profile wlan-rrm and configure load balancing between radios in the
profile to prevent heavy load on a single radio. The start threshold for load balancing between
radios is 15, and the load difference threshold is 25%.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] band-steer balance start-threshold 15
[AC-wlan-rrm-prof-wlan-rrm] band-steer balance gap-threshold 25
[AC-wlan-rrm-prof-wlan-rrm] quit

# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm to the 2G
radio profile.
NOTE

If different RRM profiles are bound to the 2G and 5G radio profiles and configured with different band
steering parameters, parameters in the 2G radio profile preferentially take effect.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Bind the 2G radio profile wlan-radio2g to the AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC-wlan-ap-group-ap-group1] quit

Step 3 Verify the configuration.


# Run the display vap-profile name wlan-net command on the AC. The command output
shows that the band steering function is enabled in the VAP profile.
[AC-wlan-view] display vap-profile name wlan-net
--------------------------------------------------------------------------------
...
Band steer : enable
...
--------------------------------------------------------------------------------

# Run the display rrm-profile name wlan-rrm command on the AC to check the band
steering configuration.
[AC-wlan-view] display rrm-profile name wlan-rrm
------------------------------------------------------------
...
Band balance start threshold : 15
Band balance gap threshold(%) : 25
...
------------------------------------------------------------

# In the conference hall, most STAs connect to the 5 GHz frequency band, and users enjoy
good service experience.

----End

Configuration Files
• AC configuration file
#
sysname AC


#
wlan
rrm-profile name wlan-rrm
band-steer balance gap-threshold 25
band-steer balance start-threshold 15
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
#
return

4.12.4 Example for Configuring Smart Roaming

Networking Requirements
To ensure optimal user experience, a stadium requires that users associate with the nearest
APs when moving on the stadium stand. Furthermore, users' services are not affected during
roaming in the coverage area.

Figure 4-56 Networking for configuring smart roaming


Data Planning

Table 4-61 AC data planning

Item | Data
RRM profile | • Name: wlan-rrm
| • Smart roaming threshold type: SNR-based and rate percentage-based
| • SNR threshold for smart roaming: 30
| • Rate percentage threshold for smart roaming: 30
2G radio profile | • Name: wlan-radio2g
| • Referenced profile: RRM profile wlan-rrm
5G radio profile | • Name: wlan-radio5g
| • Referenced profile: RRM profile wlan-rrm

Configuration Roadmap
Configure smart roaming and proper smart roaming parameters to forcibly disconnect weak-
signal users (especially sticky terminals) so that the users can reconnect or roam to APs with
strong signals.

NOTE

Some terminals on live networks have low roaming aggressiveness. As a result, they stick to the initially
connected APs regardless of whether they move far from the APs, and have weak signals or low rates. The
terminals fail to roam to neighbor APs with better signals. They are called sticky terminals.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.

Check Item | Command | Data
Check the AP group to which an AP belongs. | display ap all | AP group: ap-group1
Check all profiles referenced by the AP group. | display ap-group name ap-group1 | VAP profile: wlan-net
Check all profiles referenced by the VAP profile. | display vap-profile name wlan-net | SSID profile: wlan-net

Step 2 Configure smart roaming.

# Create the RRM profile wlan-rrm, enable smart roaming in the profile, select the SNR-based
and rate-based roaming trigger modes, and set their roaming thresholds to 30 dB and 30%,
respectively.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] smart-roam enable
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold check-snr check-rate
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold snr 30
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold rate 30
[AC-wlan-rrm-prof-wlan-rrm] quit

# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm to the 2G
radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm to the 5G
radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC-wlan-ap-group-ap-group1] quit


Step 3 Verify the configuration.


# Run the display rrm-profile name wlan-rrm command on the AC to check the smart
roaming configuration.
[AC-wlan-view] display rrm-profile name wlan-rrm
------------------------------------------------------------
...
Smart-roam : enable
Smart-roam check SNR : enable
Smart-roam standing SNR threshold(dB) : 30
Smart-roam SNR quick-kickoff-threshold(dB) : 0
Smart-roam check rate : enable
AMC policy : auto-balance
Smart-roam rate threshold(%) : 30
Smart-roam rate quick-kickoff-threshold(%) : 0
Smart-roam high level SNR margin(dB) : 15
Smart-roam low level SNR margin(dB) : 6
Smart-roam SNR check interval(s) : 3
Smart-roam unable roam client expire time(m) : 120
...
------------------------------------------------------------

# When a large number of users in the stadium access the WLAN, they can still enjoy good
Internet experience.

----End

Configuration Files
• AC configuration file
#
sysname AC
#
wlan
rrm-profile name wlan-rrm
smart-roam enable
smart-roam roam-threshold check-snr check-rate
smart-roam roam-threshold snr 30
smart-roam roam-threshold rate 30
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
#
return
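
The examples in this section chain profiles by name (RRM profile into radio profile, radio profile into AP group), so a name that differs between where a profile is created and where it is bound leaves the binding pointing at nothing. The script below is an added example, not part of the Huawei document: it scans a configuration file for such mismatches and for profiles that are created but never bound. The sample configuration is constructed, and profiles created outside the excerpt (here the VAP profile wlan-net from the basic WLAN configuration) are passed in as an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the AC configuration files on this page.
# The 5G radio profile is created as "radio5g" but the AP group binds
# "wlan-radio5g"; the air scan profile is created but never bound.
SAMPLE_CONFIG = """\
#
sysname AC
#
wlan
 rrm-profile name wlan-rrm
  smart-roam enable
 radio-2g-profile name wlan-radio2g
  rrm-profile wlan-rrm
 radio-5g-profile name radio5g
  rrm-profile wlan-rrm
 air-scan-profile name wlan-airscan
  scan-period 100
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
#
return
"""

# "<type>-profile name <x>" creates a profile; "<type>-profile <x> ..." binds one.
DEFINITION = re.compile(r"^\s*([a-z0-9-]+-profile) name (\S+)\s*$")
REFERENCE = re.compile(r"^\s*([a-z0-9-]+-profile) (?!name\s)(\S+)")


def audit_profile_references(config, defined_elsewhere=()):
    """Return (undefined, unused) for a WLAN configuration text.

    undefined: (line number, profile type, name) bound but never created.
    unused:    (profile type, name) created but never bound.
    defined_elsewhere: (profile type, name) pairs created outside this text.
    """
    local_definitions = set()
    references = defaultdict(list)
    for number, line in enumerate(config.splitlines(), start=1):
        created = DEFINITION.match(line)
        if created:
            local_definitions.add(created.groups())
            continue
        bound = REFERENCE.match(line)
        if bound:
            references[bound.groups()].append(number)
    defined = local_definitions | set(defined_elsewhere)
    undefined = sorted(
        (number, kind, name)
        for (kind, name), lines in references.items()
        if (kind, name) not in defined
        for number in lines
    )
    unused = sorted(local_definitions - set(references))
    return undefined, unused


if __name__ == "__main__":
    # Assumption: wlan-net was created by the basic WLAN configuration.
    undefined, unused = audit_profile_references(
        SAMPLE_CONFIG, defined_elsewhere=[("vap-profile", "wlan-net")])
    for number, kind, name in undefined:
        print(f"line {number}: {kind} {name} is bound but never created")
    for kind, name in unused:
        print(f"{kind} {name} is created but never bound")
```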

4.13 Spectrum Analysis Configuration Examples


4.13.1 Example for Configuring Spectrum Analysis

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. The enterprise is located in an open place, and the WLAN is vulnerable to interference.
When discovering severe interference on the WLAN, the network administrator can detect
whether non-Wi-Fi interference exists on the WLAN through the spectrum analysis function.

Networking Requirements

Figure 4-57 Networking for configuring spectrum analysis

Data Planning

Table 4-62 AC data planning

Item | Data
AP group | • Name: ap-group1
| • Referenced profiles: VAP profile wlan-net, regulatory domain profile default, 2G radio profile wlan-radio2g, 5G radio profile wlan-radio5g, and AP system profile wlan-spectrum
Air scan profile | • Name: wlan-airscan
| • Air scan interval: 8000 ms
| • Air scan duration: 100 ms
2G radio profile | • Name: wlan-radio2g
| • Referenced profiles: air scan profile wlan-airscan
5G radio profile | • Name: wlan-radio5g
| • Referenced profiles: air scan profile wlan-airscan
AP system profile | • Name: wlan-spectrum
| • IP address of the spectrum server: 10.137.43.4
| • Port number of the spectrum server: 55555
| • Port number used by the AC to receive spectrum information (encapsulated in UDP packets) from APs when the AC is used to send data to the spectrum server: 5001
| • Aging time of non-Wi-Fi devices on an AC during spectrum analysis: 5 minutes

Configuration Roadmap
Configure spectrum analysis so that the APs can detect non-Wi-Fi devices and send alarms to
the AC.

Configuration Notes
• If air scan related functions are enabled for a radio in normal mode, such as WIDS,
spectrum analysis, and terminal location, the radio transmits common WLAN service
data and provides the monitoring function that may affect transmission of common
WLAN service data.
• In spectrum analysis scenarios, to obtain enough sampling data, it is recommended that
the scanning interval be set to no more than 10 seconds and the scanning duration to 100
ms.
• The channels to be scanned for spectrum analysis are fixed as all channels supported by
the corresponding country code of an AP and are irrelevant to the configuration in an air
scan profile.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.


• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item | Command | Data
Check the AP group to which an AP belongs. | display ap all | AP group: ap-group1
Check all profiles referenced by the AP group. | display ap-group name ap-group1 | VAP profile: wlan-net
Check all profiles referenced by the VAP profile. | display vap-profile name wlan-net | SSID profile: wlan-net

Step 2 Configure spectrum analysis.


# Create AP system profile wlan-spectrum, and configure the spectrum server information
and aging time of non-Wi-Fi device information on the AC during spectrum analysis.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] ap-system-profile name wlan-spectrum
[AC-wlan-ap-system-prof-wlan-spectrum] spectrum-analysis server ip-address 10.137.43.4 port 55555 via-ac ac-port 5001
[AC-wlan-ap-system-prof-wlan-spectrum] spectrum-analysis non-wifi-device aging-time 5
[AC-wlan-ap-system-prof-wlan-spectrum] quit

# Create the air scan profile wlan-airscan and configure the scan interval and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 100
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 8000
[AC-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile wlan-radio2g and bind the air scan profile wlan-airscan to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the air scan profile wlan-airscan to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y


[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0


Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

# Bind the AP system profile wlan-spectrum to the AP group ap-group1 and enable
spectrum analysis in the AP group.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-spectrum
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] spectrum-analysis enable
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] spectrum-analysis enable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

# Enable the function of reporting spectrum analysis data on AP radios. The spectrum server
performs spectrum analysis and draws spectrum graphs based on the data reported by the APs.
The spectrum-report command becomes invalid after a restart, and needs to be configured
again.
[AC-wlan-view] spectrum-report ap-name area_1 radio 0
[AC-wlan-view] spectrum-report ap-name area_1 radio 1

Step 3 Verify the configuration.


# Run the display ap-system-profile name wlan-spectrum command on the AC to check
spectrum analysis configuration.
[AC-wlan-view] display ap-system-profile name wlan-spectrum
------------------------------------------------------------------------------
...
AP report to : AC
Server IP : 10.137.43.4
Server port : 55555
AC port : 5001
Device aging-time(minute) : 5
...
------------------------------------------------------------------------------

# Run the display spectrum-analysis server-reporter command on the AC to check the APs
that report spectrum packets to the spectrum server.
[AC-wlan-view] display spectrum-analysis server-reporter
------------------------------------------------------------
ID AP name Radio ID
------------------------------------------------------------
1 area_1 0
1 area_1 1
------------------------------------------------------------
Total: 2

# Run the display wlan non-wifi-device all command on the AC to check the detected non-
Wi-Fi devices.
[AC-wlan-view] display wlan non-wifi-device all
----------------------------------------------------------------
Detect AP name : area_1
Detect AP radio ID : 1
Detect AP channel : 36
Non-Wi-Fi device type : 9
Non-Wi-Fi device name : Unknown fix freq device
Non-Wi-Fi device frequency type : Narrow bandwidth
Non-Wi-Fi device channel : 149,150
Non-Wi-Fi device RSSI : -62,-66
Non-Wi-Fi device detect time last : 2017-07-02/08:16:56
Non-Wi-Fi device center frequency(MHz) : 5749


Non-Wi-Fi device bandwidth(KHz) : 70


Non-Wi-Fi device duty(%) : 100
Non-Wi-Fi device interfere level : 3
----------------------------------------------------------------
Total: 1

# View AP spectrum on the web platform to learn AP channel interference in deployment
sites.
1. Choose Monitoring > Spectrum Analysis. The Radio List page is displayed.

2. Select an AP and click Start.


3. In the AP radio list, click View Drawing in the Operation column. The related spectrum
charts are displayed. A maximum of four spectrum charts can be displayed.

4. Select your desired spectrum chart from the drop-down list box in the upper left corner.
You can select Lower or Upper on the spectrum charts of a 5G radio to view spectrum
charts of different frequencies.
5. The Real-Time FFT chart shows that the signal strength of interference is mostly within
the range of -80 dBm to -40 dBm. On the Swept Spectrogram chart, click Modify, set
the signal strength scope at both ends of the color bar, and click Apply. The Swept
Spectrogram chart shows that channel 149 has the most severe interference.

6. On the Active Devices chart, click . A list of the detected non-Wi-Fi devices is
displayed.


----End

Configuration Files
• AC configuration file
#
sysname AC
#
wlan
air-scan-profile name wlan-airscan
scan-period 100
scan-interval 8000
radio-2g-profile name wlan-radio2g
air-scan-profile wlan-airscan
radio-5g-profile name wlan-radio5g
air-scan-profile wlan-airscan
ap-system-profile name wlan-spectrum
spectrum-analysis server ip-address 10.137.43.4 port 55555 via-ac ac-port 5001
spectrum-analysis non-wifi-device aging-time 5
ap-group name ap-group1
ap-system-profile wlan-spectrum
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
spectrum-analysis enable
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
spectrum-analysis enable
#
return


4.14 WLAN Security Configuration Examples


4.14.1 Example for Configuring Rogue Device Detection and Containment
Service Requirements
An enterprise branch needs to deploy WLAN services for mobile office so that branch users
can access the enterprise network from anywhere at any time. In addition, roaming within the
coverage area must not affect users' services.
The branch is located in an open place, which makes the WLAN vulnerable to attacks. For
example, an attacker deploys a rogue AP (area_2) with SSID wlan-net on the WLAN to
establish connections with STAs and intercept enterprise information, posing a great threat to
the enterprise network. To prevent such attacks, configure the detection and containment
function for authorized APs. The AC can then detect rogue AP area_2 (which is neither
managed by the AC nor in the authorized AP list) and prevent STAs from associating with the
rogue AP.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding


Figure 4-58 Networking for configuring rogue device detection and containment

Data Planning

Table 4-63 AC data planning

Item                           Data
-----------------------------  ------------------------------------------------------------
Management VLAN for APs        VLAN 100
Service VLAN for STAs          VLAN 101
DHCP server                    The AC functions as a DHCP server to assign IP addresses to APs.
                               SwitchB functions as a DHCP server to assign IP addresses to
                               STAs. The default gateway address of STAs is 10.23.101.2.
IP address pool for APs        10.23.100.2-10.23.100.254/24
IP address pool for STAs       10.23.101.3-10.23.101.254/24
AC's source interface address  VLANIF 100: 10.23.100.1/24
AP group                       • Name: ap-group1
                               • Referenced profiles: VAP profile wlan-net, regulatory domain
                                 profile default, and WIDS profile wlan-wids
                               • Working mode of the AP radio: normal
                               • Rogue device detection and containment: enabled
Regulatory domain profile      • Name: default
                               • Country code: China
SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net
Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567
VAP profile                    • Name: wlan-net
                               • Forwarding mode: tunnel forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-net and security
                                 profile wlan-net
WIDS profile                   • Name: wlan-wids
                               • Rogue device containment mode: containment against rogue
                                 APs using spoofing SSIDs

Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure rogue device detection and containment so that APs can detect wireless device
information and report it to the AC. In addition, APs can contain detected rogue devices,
enabling STAs to disassociate from them.
NOTE

In this example, the authorized APs work in normal mode and have the detection function enabled. In
addition to transmitting WLAN service data, AP radios need to perform the monitoring function. Therefore,
temporary service interruption may occur when the radios periodically scan channels. In this example, the
APs can only contain rogue devices on the channel used by WLAN services. To achieve containment on all
channels, configure the APs to work in monitor mode. However, WLAN services are unavailable in this
mode.


Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit


# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit


# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Configure rogue device detection and containment.

# Configure radio 0 of AP group ap-group1 to work in normal mode, and enable rogue
device detection and containment.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] work-mode normal
[AC-wlan-group-radio-ap-group1/0] wids device detect enable
[AC-wlan-group-radio-ap-group1/0] wids contain enable
[AC-wlan-group-radio-ap-group1/0] quit

# Configure radio 1 of AP group ap-group1 to work in normal mode, and enable rogue
device detection and containment.
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] work-mode normal
[AC-wlan-group-radio-ap-group1/1] wids device detect enable
[AC-wlan-group-radio-ap-group1/1] wids contain enable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

# Create WIDS profile wlan-wids and configure the containment mode against rogue APs
using spoofing SSIDs.
[AC-wlan-view] wids-profile name wlan-wids
[AC-wlan-wids-prof-wlan-wids] contain-mode spoof-ssid-ap
[AC-wlan-wids-prof-wlan-wids] quit

# Bind WIDS profile wlan-wids to AP group ap-group1.

[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wids-profile wlan-wids
[AC-wlan-ap-group-ap-group1] quit

Step 8 Verify the configuration.


Run the display wlan ids contain ap command. The command output shows information
about the contained AP2.
[AC-wlan-view] display wlan ids contain ap
#Rf: Number of monitor radios that have contained the device
CH: Channel number
-------------------------------------------------------------------------------
MAC address CH Authentication Last detected time #Rf SSID
-------------------------------------------------------------------------------
000b-6b8f-fc6a 11 wpa-wpa2 2014-11-20/16:16:57 1 wlan-net
-------------------------------------------------------------------------------
Total: 1, printed: 1

STAs attempt to connect to the network through AP2. Countermeasures are taken on AP2, so
traffic between STAs and AP2 is stopped and then STAs connect to AP1.
C:\Documents and Settings\huawei> ping 10.23.101.22

Pinging 10.23.101.22 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.23.101.22: bytes=32 time=1433ms TTL=255
Reply from 10.23.101.22: bytes=32 time=40ms TTL=255
Reply from 10.23.101.22: bytes=32 time=11ms TTL=255
Reply from 10.23.101.22: bytes=32 time=46ms TTL=255

----End
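
The following added example (not part of the Huawei document) parses the display wlan ids contain ap output shown in Step 8 and checks each contained device against an inventory of authorized AP MAC addresses, so that containment of an authorized device is noticed. The second table row, the inventory, and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Output in the format shown in Step 8. The first row is the one from the
# document; the second row is constructed so that a second verdict appears.
SAMPLE_OUTPUT = """\
[AC-wlan-view] display wlan ids contain ap
#Rf: Number of monitor radios that have contained the device
CH: Channel number
-------------------------------------------------------------------------------
MAC address     CH  Authentication  Last detected time   #Rf  SSID
-------------------------------------------------------------------------------
000b-6b8f-fc6a  11  wpa-wpa2        2014-11-20/16:16:57  1    wlan-net
0011-2233-4455  6   wpa-wpa2        2014-11-20/16:17:03  1    wlan-net
-------------------------------------------------------------------------------
Total: 2, printed: 2
"""

# Constructed inventory: MAC addresses of authorized AP radios and the SSIDs
# that the enterprise actually serves.
AUTHORIZED_MACS = {"0011-2233-4455"}
CORPORATE_SSIDS = {"wlan-net"}

ROW = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<ch>\d+)\s+"
    r"(?P<auth>\S+)\s+"
    r"(?P<seen>\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2})\s+"
    r"(?P<rf>\d+)\s+"
    r"(?P<ssid>.*\S)$",
    re.IGNORECASE,
)
FOOTER = re.compile(r"^Total:\s*(\d+),\s*printed:\s*(\d+)")


@dataclass(frozen=True)
class ContainedAP:
    mac: str
    channel: int
    auth: str
    last_seen: datetime
    radios: int          # the #Rf column
    ssid: str


def parse_contained_aps(text):
    """Return one ContainedAP per table row; fail loudly on a partial capture."""
    records, printed = [], None
    for line in text.splitlines():
        line = line.strip()
        row = ROW.match(line)
        if row:
            records.append(ContainedAP(
                mac=row["mac"].lower(),
                channel=int(row["ch"]),
                auth=row["auth"],
                last_seen=datetime.strptime(row["seen"], "%Y-%m-%d/%H:%M:%S"),
                radios=int(row["rf"]),
                ssid=row["ssid"],
            ))
            continue
        footer = FOOTER.match(line)
        if footer:
            printed = int(footer.group(2))
    if printed is None:
        raise ValueError("no 'Total:' footer found; the capture is incomplete")
    if printed != len(records):
        raise ValueError(f"footer reports {printed} rows but {len(records)} were parsed")
    return records


def triage(records, authorized_macs, corporate_ssids):
    """Map each contained MAC address to a verdict for the operator."""
    authorized = {mac.lower() for mac in authorized_macs}
    verdicts = {}
    for rec in records:
        if rec.mac in authorized:
            # Containment is hitting a device the enterprise owns.
            verdicts[rec.mac] = "REVIEW: authorized device is being contained"
        elif rec.ssid in corporate_ssids:
            # Matches the spoof-ssid-ap containment mode configured in Step 7.
            verdicts[rec.mac] = "ROGUE: unauthorized AP advertising a corporate SSID"
        else:
            verdicts[rec.mac] = "REVIEW: contained, but the SSID is not a corporate SSID"
    return verdicts


if __name__ == "__main__":
    results = triage(parse_contained_aps(SAMPLE_OUTPUT), AUTHORIZED_MACS, CORPORATE_SSIDS)
    for mac, verdict in results.items():
        print(mac, verdict)
```
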

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
wids-profile name wlan-wids
contain-mode spoof-ssid-ap
ap-group name ap-group1
wids-profile wlan-wids
radio 0
vap-profile wlan-net wlan 1
wids device detect enable
wids contain enable
radio 1
vap-profile wlan-net wlan 1
wids device detect enable
wids contain enable
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return

4.14.2 Example for Configuring Attack Detection


Service Requirements
Enterprise users can access the network through WLANs, which is a basic requirement of
mobile office. In addition, roaming within the coverage area must not affect users' services.
To ensure network stability and security, network administrators can configure attack
detection and a dynamic blacklist to prevent flood attacks and brute force PSK cracking.
Detected attack devices are added to the dynamic blacklist and packets from them are
discarded, which blocks the attacks.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding


Figure 4-59 Networking for configuring attack detection

Data Planning

Table 4-64 AC data planning


Item                           Data
-----------------------------  ------------------------------------------------------------
Management VLAN for APs        VLAN 100
Service VLAN for STAs          VLAN 101
DHCP server                    The AC functions as a DHCP server to assign IP addresses to APs.
                               SwitchB functions as a DHCP server to assign IP addresses to
                               STAs. The default gateway address of STAs is 10.23.101.2.
IP address pool for APs        10.23.100.2-10.23.100.254/24
IP address pool for STAs       10.23.101.3-10.23.101.254/24
AC's source interface address  VLANIF 100: 10.23.100.1/24
AP group                       • Name: ap-group1
                               • Referenced profiles: VAP profile wlan-net, regulatory domain
                                 profile default, WIDS profile wlan-wids, and AP system
                                 profile wlan-system
                               • Attack detection type of the AP radio: brute force PSK
                                 cracking attack detection for WPA2-PSK authentication and
                                 flood attack detection
Regulatory domain profile      • Name: default
                               • Country code: China
SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net
Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+PSK+AES
                               • Password: a1234567
VAP profile                    • Name: wlan-net
                               • Forwarding mode: tunnel forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-net and security
                                 profile wlan-net
WIDS profile                   • Name: wlan-wids
                               • Interval for brute force PSK cracking attack detection: 70s
                               • Quiet time for brute force PSK cracking attack detection: 700s
                               • Maximum number of key negotiation failures allowed within a
                                 brute force PSK cracking attack detection period: 25
                               • Flood attack detection interval: 70s
                               • Quiet time for flood attack detection: 700s
                               • Flood attack detection threshold: 350
                               • Dynamic blacklist: enabled
AP system profile              • Name: wlan-system
                               • Aging time of a dynamic blacklist: 200s

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure brute force PSK cracking attack detection for WPA2-PSK authentication and
flood attack detection so that WLAN devices can detect attack devices.
3. Configure the dynamic blacklist function to add attack devices to the dynamic blacklist
and to reject packets from these devices within the aging time of the dynamic blacklist.
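
The following added example (a simplified model, not Huawei's implementation) replays events against the values planned in Table 4-64 to show how the detection interval, threshold, quiet time, and dynamic blacklist aging time interact. It assumes that events are counted per source MAC address in a period that starts at the first counted event, and that the quiet time only suppresses repeated alarms for the same device; the class and function names and the sample MAC addresses are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class ThresholdDetector:
    """Per-MAC rate detector with alarm quiet time and dynamic blacklist.

    Simplified model. Assumptions (not stated in the document): the detection
    period starts at the first counted event, and the quiet time only
    suppresses repeated alarms for a device that is detected again.
    """
    interval: int      # detection period in seconds
    threshold: int     # events allowed within one detection period
    quiet_time: int    # seconds during which no new alarm is raised
    aging_time: int    # seconds a device stays on the dynamic blacklist
    _period: dict = field(default_factory=dict)         # mac -> (start, count)
    _blocked_until: dict = field(default_factory=dict)  # mac -> time
    _quiet_until: dict = field(default_factory=dict)    # mac -> time

    def observe(self, mac, t):
        """Process one event from `mac` at second `t` and return the outcome."""
        if t < self._blocked_until.get(mac, 0):
            return "dropped"                  # blacklisted: packet is discarded
        start, count = self._period.get(mac, (t, 0))
        if t - start >= self.interval:        # previous period is over
            start, count = t, 0
        count += 1
        self._period[mac] = (start, count)
        if count <= self.threshold:
            return "counted"
        # Threshold exceeded: blacklist the device and reset its counter.
        self._blocked_until[mac] = t + self.aging_time
        del self._period[mac]
        if t >= self._quiet_until.get(mac, 0):
            self._quiet_until[mac] = t + self.quiet_time
            return "blacklisted+alarm"
        return "blacklisted"


def psk_detector():
    # Table 4-64: 70 s interval, 25 key negotiation failures, 700 s quiet
    # time, 200 s dynamic blacklist aging time.
    return ThresholdDetector(interval=70, threshold=25, quiet_time=700, aging_time=200)


def flood_detector():
    # Table 4-64: 70 s interval, threshold 350, 700 s quiet time, 200 s aging.
    return ThresholdDetector(interval=70, threshold=350, quiet_time=700, aging_time=200)


def replay(detector, events):
    """Feed (time, mac) events in time order; return {mac: {outcome: [times]}}."""
    result = {}
    for t, mac in sorted(events):
        outcome = detector.observe(mac, t)
        result.setdefault(mac, {}).setdefault(outcome, []).append(t)
    return result


# Constructed input: one device that fails key negotiation once per second
# for 1000 s, and one user who mistypes the passphrase three times.
GUESSER, USER = "0011-2233-4455", "0011-2233-4466"
EVENTS = [(t, GUESSER) for t in range(1000)] + [(t, USER) for t in (5, 15, 30)]

if __name__ == "__main__":
    for mac, outcomes in replay(psk_detector(), EVENTS).items():
        print(mac, {name: (len(times), times[:5]) for name, times in outcomes.items()})
```

Under this model, the device that keeps failing is blacklisted again shortly after each 200 s aging period ends, while the 700 s quiet time limits how often an alarm is raised for it.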

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Configure attack detection.

# Enable brute force PSK cracking attack detection for WPA2-PSK authentication and flood
attack detection.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] wids attack detect enable wpa2-psk
[AC-wlan-group-radio-ap-group1/0] wids attack detect enable flood
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] wids attack detect enable wpa2-psk
[AC-wlan-group-radio-ap-group1/1] wids attack detect enable flood
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

# Create the WIDS profile wlan-wids.


[AC-wlan-view] wids-profile name wlan-wids

# Set the interval for brute force attack detection to 70 seconds in WPA2-PSK authentication,
the maximum number of key negotiation failures allowed within the detection period to 25,
and quiet time to 700s.
[AC-wlan-wids-prof-wlan-wids] brute-force-detect interval 70
[AC-wlan-wids-prof-wlan-wids] brute-force-detect threshold 25
[AC-wlan-wids-prof-wlan-wids] brute-force-detect quiet-time 700

# Set the interval for flood attack detection to 70 seconds, flood attack detection threshold to
350, and quiet time to 700s.
[AC-wlan-wids-prof-wlan-wids] flood-detect interval 70
[AC-wlan-wids-prof-wlan-wids] flood-detect threshold 350
[AC-wlan-wids-prof-wlan-wids] flood-detect quiet-time 700

Step 8 Configure the dynamic blacklist function.


# Enable the dynamic blacklist function.
[AC-wlan-wids-prof-wlan-wids] dynamic-blacklist enable
[AC-wlan-wids-prof-wlan-wids] quit

# Create AP system profile wlan-system, and set the aging time of the dynamic blacklist to
200s.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] dynamic-blacklist aging-time 200
[AC-wlan-ap-system-prof-wlan-system] quit

Step 9 Bind WIDS profile wlan-wids and AP system profile wlan-system to AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wids-profile wlan-wids
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system
[AC-wlan-ap-group-ap-group1] quit

Step 10 Verify the configuration.


After the configurations are complete, run the display wlan ids attack-detected all command
to view detected attack devices.
[AC-wlan-view] display wlan ids attack-detected all
#AP: Number of monitor APs that have detected the device
AT: Last detcted attack type
CH: Channel number
act: Action frame asr: Association request
aur: Authentication request daf: Deauthentication frame
dar: Disassociation request wiv: Weak IV detected
pbr: Probe request rar: Reassociation request
eaps: EAPOL start frame eapl: EAPOL logoff frame
saf: Spoofed disassociation frame
sdf: Spoofed deauthentication frame
otsf: Other types of spoofing frames
-------------------------------------------------------------------------------
MAC address AT CH RSSI(dBm) Last detected time #AP
-------------------------------------------------------------------------------
000b-c002-9c81 pbr 165 -87 2014-11-20/15:51:13 1
0024-2376-03e9 pbr 165 -84 2014-11-20/15:51:13 1
0046-4b74-691f act 165 -67 2014-11-20/15:51:13 1
-------------------------------------------------------------------------------
Total: 3, printed: 3

The display wlan dynamic-blacklist command displays information about attack devices in
the dynamic blacklist.
[AC-wlan-view] display wlan dynamic-blacklist all
#AP: Number of monitor APs that have detected the device
act: Action frame asr: Association request
aur: Authentication request daf: Deauthentication frame
dar: Disassociation request eapl: EAPOL logoff frame
pbr: Probe request rar: Reassociation request
eaps: EAPOL start frame
-------------------------------------------------------------------------------
MAC address Last detected time Reason #AP LAT
-------------------------------------------------------------------------------
000b-c002-9c81 2014-11-20/16:15:53 pbr 1 100
0024-2376-03e9 2014-11-20/16:15:53 pbr 1 100
0046-4b74-691f 2014-11-20/16:15:53 act 1 100
-------------------------------------------------------------------------------
Total: 3, printed: 3

----End
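
Added example (not part of the Huawei document): a Python parser for the two display outputs shown in Step 10. It reports attack sources that were detected but are not held in the dynamic blacklist, and rejects a capture whose row count disagrees with the "printed" total. Function names and the blacklist sample are constructed; the row layouts are assumed to match the output printed above.

```python
import re
from datetime import datetime

MAC = r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
STAMP = r"\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2}"
# Row layouts as printed in Step 10 (assumed stable across captures).
DETECT_ROW = re.compile(rf"^({MAC})\s+(\S+)\s+(\d+)\s+(-?\d+)\s+({STAMP})\s+(\d+)$")
BLACK_ROW = re.compile(rf"^({MAC})\s+({STAMP})\s+(\S+)\s+(\d+)\s+(\d+)$")
LEGEND = re.compile(r"(\S+):\s+(.+?)(?=\s+\S+:\s|$)")
TOTAL = re.compile(r"^Total:\s*(\d+),\s*printed:\s*(\d+)")

def _parse(text, row_re):
    """Return (legend, row tuples); raise if the capture is incomplete."""
    legend, rows, printed, in_legend = {}, [], None, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", "<")):
            continue                      # blank line or echoed CLI prompt
        if set(line) == {"-"}:
            in_legend = False             # first ruler ends the legend block
            continue
        total = TOTAL.match(line)
        if total:
            printed = int(total.group(2))
            continue
        row = row_re.match(line)
        if row:
            rows.append(row.groups())
        elif in_legend:
            legend.update({c: d.strip() for c, d in LEGEND.findall(line)})
    if printed is None:
        raise ValueError("no 'Total:' line, capture is truncated")
    if printed != len(rows):
        raise ValueError(f"parsed {len(rows)} rows but device printed {printed}")
    return legend, rows

def _when(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d/%H:%M:%S")

def parse_attack_detected(text):
    """Records from 'display wlan ids attack-detected all'."""
    legend, rows = _parse(text, DETECT_ROW)
    return [{"mac": mac.lower(), "type": at,
             "type_name": legend.get(at, "unknown"),
             "channel": int(ch), "rssi_dbm": int(rssi),
             "last_seen": _when(seen), "monitor_aps": int(aps)}
            for mac, at, ch, rssi, seen, aps in rows]

def parse_dynamic_blacklist(text):
    """MAC -> record from 'display wlan dynamic-blacklist all'."""
    legend, rows = _parse(text, BLACK_ROW)
    # LAT is kept as printed; the legend on this page does not expand it.
    return {mac.lower(): {"reason": why, "reason_name": legend.get(why, "unknown"),
                          "last_seen": _when(seen), "monitor_aps": int(aps),
                          "lat": int(lat)}
            for mac, seen, why, aps, lat in rows}

def not_blacklisted(detected, blacklist):
    """Attack sources that were detected but are not currently blacklisted."""
    return [d for d in detected if d["mac"] not in blacklist]

# Constructed captures. Rows reuse the values printed in Step 10; the
# blacklist capture omits one device so the comparison has something to find.
DETECTED = """\
[AC-wlan-view] display wlan ids attack-detected all
act: Action frame                   asr: Association request
pbr: Probe request                  rar: Reassociation request
------------------------------------------------------------------
MAC address     AT    CH   RSSI(dBm)  Last detected time   #AP
------------------------------------------------------------------
000b-c002-9c81  pbr   165  -87        2014-11-20/15:51:13  1
0024-2376-03e9  pbr   165  -84        2014-11-20/15:51:13  1
0046-4b74-691f  act   165  -67        2014-11-20/15:51:13  1
------------------------------------------------------------------
Total: 3, printed: 3
"""
BLACKLIST = """\
[AC-wlan-view] display wlan dynamic-blacklist all
act: Action frame                   pbr: Probe request
------------------------------------------------------------------
MAC address     Last detected time   Reason  #AP  LAT
------------------------------------------------------------------
000b-c002-9c81  2014-11-20/16:15:53  pbr     1    100
0024-2376-03e9  2014-11-20/16:15:53  pbr     1    100
------------------------------------------------------------------
Total: 2, printed: 2
"""

if __name__ == "__main__":
    seen = parse_attack_detected(DETECTED)
    held = parse_dynamic_blacklist(BLACKLIST)
    for d in not_blacklisted(seen, held):
        print(f"{d['mac']} {d['type_name']} ch{d['channel']} "
              f"{d['rssi_dbm']} dBm, not in dynamic blacklist")
```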

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
wids-profile name wlan-wids
flood-detect interval 70
flood-detect threshold 350
flood-detect quiet-time 700
brute-force-detect interval 70
brute-force-detect threshold 25
brute-force-detect quiet-time 700
dynamic-blacklist enable
ap-system-profile name wlan-system
dynamic-blacklist aging-time 200
ap-group name ap-group1
ap-system-profile wlan-system
wids-profile wlan-wids
radio 0
vap-profile wlan-net wlan 1
wids attack detect enable flood
wids attack detect enable wpa2-psk
radio 1
vap-profile wlan-net wlan 1
wids attack detect enable flood
wids attack detect enable wpa2-psk
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return

4.14.3 Example for Configuring the STA Blacklist and Whitelist


Service Requirements
An enterprise needs to provide WLAN services for management personnel so that they can
connect to the enterprise network from anywhere at any time. Furthermore, users' services are
not affected during roaming in the coverage area.
Due to a small number of management personnel in the enterprise, MAC addresses of their
STAs can be added to a STA whitelist. In this manner, STAs of other employees cannot
connect to the WLAN.
In addition, network administrators have detected unauthorized access of some STAs and
need to deny access of them. The administrators can add MAC addresses of these STAs to the
blacklist, while other authorized STAs can still connect to the WLAN.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-60 Networking for configuring the STA blacklist and whitelist

Data Planning

Table 4-65 AC data planning


Item                            Data
------------------------------  ------------------------------------------------------------
Management VLAN for APs         VLAN 100
Service VLAN for STAs           VLAN 101
DHCP server                     The AC functions as a DHCP server to assign IP addresses to
                                APs.
                                SwitchB functions as a DHCP server to assign IP addresses to
                                STAs. The default gateway address of STAs is 10.23.101.2.
IP address pool for APs         10.23.100.2-10.23.100.254/24
IP address pool for STAs        10.23.101.3-10.23.101.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net, regulatory
                                  domain profile default, and AP system profile wlan-system
Regulatory domain profile       • Name: default
                                • Country code: China
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net, security
                                  profile wlan-net, and STA whitelist profile sta-whitelist
STA whitelist profile           • Name: sta-whitelist
                                • STAs added to the STA whitelist: STA1 (0011-2233-4455)
                                  and STA2 (0011-2233-4466)
STA blacklist profile           • Name: sta-blacklist
                                • STAs added to the STA blacklist: STA3 (0011-2233-4477)
                                  and STA4 (0011-2233-4488)
AP system profile               • Name: wlan-system
                                • Referenced profile: STA blacklist profile sta-blacklist

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure a STA whitelist. Add MAC addresses of management personnel's wireless
terminals to the whitelist. To prevent configuration impacts on other VAPs, configure the
STA whitelist for a VAP, instead of an AP.
3. Configure a STA blacklist for an AP. Add MAC addresses of some STAs to the blacklist
to prevent the STAs from associating with the AP, ensuring WLAN network security.

NOTE

The STA whitelist and blacklist cannot be configured simultaneously for a VAP or an AP, that is, the STA
whitelist and blacklist cannot take effect at the same time in a VAP profile or an AP system profile.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# On the AC, configure VLANIF 100 to assign IP addresses to APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Configure a STA whitelist in a VAP profile.


# Create STA whitelist profile sta-whitelist and add MAC addresses of STA1 and STA2 to
the whitelist.
[AC-wlan-view] sta-whitelist-profile name sta-whitelist
[AC-wlan-whitelist-prof-sta-whitelist] sta-mac 0011-2233-4455
[AC-wlan-whitelist-prof-sta-whitelist] sta-mac 0011-2233-4466
[AC-wlan-whitelist-prof-sta-whitelist] quit

# Create the VAP profile wlan-net and bind the STA whitelist profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] sta-access-mode whitelist sta-whitelist
[AC-wlan-vap-prof-wlan-net] quit

Step 8 Configure a global STA blacklist.


# Create STA blacklist profile sta-blacklist and add MAC addresses of STA3 and STA4 to the
blacklist.
[AC-wlan-view] sta-blacklist-profile name sta-blacklist
[AC-wlan-blacklist-prof-sta-blacklist] sta-mac 0011-2233-4477
[AC-wlan-blacklist-prof-sta-blacklist] sta-mac 0011-2233-4488
[AC-wlan-blacklist-prof-sta-blacklist] quit

# Create the AP system profile wlan-system and bind the STA blacklist profile to the AP
system profile.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] sta-access-mode blacklist sta-blacklist
[AC-wlan-ap-system-prof-wlan-system] quit

# Bind AP system profile wlan-system to AP group ap-group1.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system
[AC-wlan-ap-group-ap-group1] quit

Step 9 Verify the configuration.


The WLAN with SSID wlan-net is available for STAs connected to the AP.
STA1 and STA2 can connect to the WLAN. STA3 and STA4 cannot connect to the WLAN.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
sta-blacklist-profile name sta-blacklist
sta-mac 0011-2233-4477
sta-mac 0011-2233-4488
sta-whitelist-profile name sta-whitelist
sta-mac 0011-2233-4455
sta-mac 0011-2233-4466
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
sta-access-mode whitelist sta-whitelist
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-system-profile name wlan-system
sta-access-mode blacklist sta-blacklist
ap-group name ap-group1
ap-system-profile wlan-system
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
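
Added example (not part of the Huawei document): a Python audit of an exported AC configuration that checks every sta-access-mode binding against the STA list profiles defined in the same file. The function name, finding codes and sample text are constructed; the sample is this section's wlan block with one list reference cut short and one MAC placed in both lists, and treating a MAC present in both lists as a conflict is an assumption of this example.

```python
import re

OPEN = re.compile(r"^([a-z0-9-]+) name (\S+)$")
STA_MAC = re.compile(r"^sta-mac ([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})$", re.I)
MODE = re.compile(r"^sta-access-mode (whitelist|blacklist) (\S+)$")
LIST_KIND = {"sta-whitelist-profile": "whitelist",
             "sta-blacklist-profile": "blacklist"}

def audit_sta_access(config_text):
    """Return (code, detail) findings for STA whitelist/blacklist bindings."""
    lists = {"whitelist": {}, "blacklist": {}}    # mode -> list name -> MACs
    bindings = []                                 # (owner, mode, list name)
    kind = name = None
    for raw in config_text.splitlines():
        line = raw.strip()        # keyword-driven: indentation may be lost
        if line in ("#", "return"):
            kind = name = None
            continue
        opened = OPEN.match(line)
        if opened:
            kind, name = opened.groups()
            if kind in LIST_KIND:
                lists[LIST_KIND[kind]].setdefault(name, set())
            continue
        mac = STA_MAC.match(line)
        if mac and kind in LIST_KIND:
            lists[LIST_KIND[kind]][name].add(mac.group(1).lower())
            continue
        mode = MODE.match(line)
        if mode and kind is not None:
            bindings.append((f"{kind} {name}", mode.group(1), mode.group(2)))

    findings, used, modes_of = [], set(), {}
    for owner, mode, ref in bindings:
        modes_of.setdefault(owner, set()).add(mode)
        if ref not in lists[mode]:
            findings.append(("undefined-list", f"{owner} -> {mode} {ref}"))
            continue
        used.add((mode, ref))
        if not lists[mode][ref]:
            findings.append(("empty-list", f"{owner} -> {mode} {ref}"))
    for owner in sorted(o for o, m in modes_of.items() if len(m) > 1):
        # The NOTE in this section: both modes cannot apply to one profile.
        findings.append(("both-modes", owner))
    for mode in ("whitelist", "blacklist"):
        for ref in sorted(lists[mode]):
            if (mode, ref) not in used:           # defined but never enforced
                findings.append(("unbound-list", f"{mode} {ref}"))
    for wname, wmacs in sorted(lists["whitelist"].items()):
        for bname, bmacs in sorted(lists["blacklist"].items()):
            for mac in sorted(wmacs & bmacs):     # assumption: a conflict
                findings.append(("mac-in-both", f"{mac}: {wname}, {bname}"))
    return findings

# Constructed sample: this section's wlan block with the whitelist reference
# cut short ("sta-whitelis") and 0011-2233-4477 placed in both lists.
CONFIG = """\
wlan
 sta-blacklist-profile name sta-blacklist
  sta-mac 0011-2233-4477
  sta-mac 0011-2233-4488
 sta-whitelist-profile name sta-whitelist
  sta-mac 0011-2233-4455
  sta-mac 0011-2233-4477
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  sta-access-mode whitelist sta-whitelis
  ssid-profile wlan-net
  security-profile wlan-net
 ap-system-profile name wlan-system
  sta-access-mode blacklist sta-blacklist
 ap-group name ap-group1
  ap-system-profile wlan-system
"""

if __name__ == "__main__":
    for code, detail in audit_sta_access(CONFIG):
        print(f"{code}: {detail}")
```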

4.15 WLAN QoS Configuration Examples


4.15.1 Common Misconfigurations

4.15.1.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs

Symptom
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large amount of abnormal multicast traffic is received on the
network side, the air interfaces may be congested, and STAs may suffer from slow network
access. You are advised to configure multicast packet suppression to reduce impact of a large
number of low-rate multicast packets on the wireless network. Exercise caution when
configuring the rate limit; otherwise, the multicast services may be affected.

• In direct forwarding mode, you are advised to configure multicast packet suppression on
  switch interfaces connected to APs.
• In tunnel forwarding mode, you are advised to configure multicast packet suppression on
  WLAN-ESS interfaces of the AC.

Procedure
• Configure multicast packet suppression in direct forwarding mode.
a. Create the traffic classifier test and define a matching rule.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] traffic classifier test
[SwitchA-classifier-test] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //Match the destination MAC address of multicast packets.
[SwitchA-classifier-test] quit

b. Create the traffic behavior test, enable traffic statistics collection, and set the traffic
rate limit.
[SwitchA] traffic behavior test
[SwitchA-behavior-test] statistic enable
[SwitchA-behavior-test] car cir 100 //Set the rate limit to 100 kbit/s. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[SwitchA-behavior-test] quit

c. Create the traffic policy test and bind the traffic classifier and traffic behavior to the
traffic policy.
[SwitchA] traffic policy test
[SwitchA-trafficpolicy-test] classifier test behavior test
[SwitchA-trafficpolicy-test] quit

d. Apply the traffic policy to inbound or outbound directions of interfaces.


[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] traffic-policy test inbound
[SwitchA-GigabitEthernet0/0/1] traffic-policy test outbound
[SwitchA-GigabitEthernet0/0/1] quit

• Configure multicast packet suppression in tunnel forwarding mode.
a. Create the traffic profile test and set the maximum traffic volume of multicast
packets in the profile.
<AC6605> system-view
[AC6605] wlan
[AC6605-wlan-view] traffic-profile name test
[AC6605-wlan-traffic-prof-test] traffic-optimize multicast-suppression packets 100 //Set the maximum traffic volume of multicast packets to 100 pps. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[AC6605-wlan-traffic-prof-test] quit

b. Bind the traffic profile to the VAP profile.


[AC6605-wlan-view] vap-profile name test
[AC6605-wlan-vap-prof-test] traffic-profile test
[AC6605-wlan-vap-prof-test] quit

----End

4.15.2 Example for Configuring WMM and Priority Mapping


Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
After accessing the network, users encounter poor experience in voice and video services. The
administrator wants to preferentially ensure forwarding of voice and video service traffic to
improve user experience.

Figure 4-61 Networking for configuring WMM and priority mapping

Data Planning

Table 4-66 AC data planning


Item                            Data
------------------------------  ------------------------------------------------------------
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net, regulatory
                                  domain profile default, 2G radio profile wlan-radio2g,
                                  and 5G radio profile wlan-radio5g
SSID profile                    • Name: wlan-net
                                • EDCA parameters: specified to provide higher priorities
                                  for voice and video services
VAP profile                     • Name: wlan-net
                                • Referenced profiles: SSID profile wlan-net and traffic
                                  profile wlan-traffic
2G radio profile                • Name: wlan-radio2g
                                • EDCA parameters: specified to provide higher priorities
                                  for voice and video services
5G radio profile                • Name: wlan-radio5g
                                • EDCA parameters: specified to provide higher priorities
                                  for voice and video services
Traffic profile                 • Name: wlan-traffic
                                • Downlink mapping mode: DSCP
                                • Uplink mapping mode: 802.11e
                                • Priority mapping: specified to provide higher priorities
                                  for voice and video services

Configuration Roadmap
1. Configure the WMM function so that network bandwidth is preferentially allocated to
voice and video services at the wireless side.
2. Configure priority mapping to ensure a higher priority of voice and video services so that
network bandwidth is preferentially allocated to these services.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.

Check Item                                          Command                             Data

Check the AP group to which an AP belongs.          display ap all                      AP group: ap-group1

Check all profiles referenced by the AP group.      display ap-group name ap-group1     • VAP profile: wlan-net
                                                                                        • 2G radio profile: wlan-radio2g
                                                                                        • 5G radio profile: wlan-radio5g

Check all profiles referenced by the VAP profile.   display vap-profile name wlan-net   SSID profile: wlan-net

NOTE

• If an AP has different configurations from that in the AP group, the configuration on the AP takes
  precedence.
• A new profile takes effect only after being bound to an AP or an AP group.

Step 2 Configure the WMM function.

# Enter 2G radio profile wlan-radio2g and set EDCA parameters on APs to enable voice and
video services to preferentially use network bandwidth.
<AC6606> system-view
[AC6606] sysname AC
[AC] wlan
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0 ack-policy normal
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0 ack-policy normal
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0 ack-policy normal
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0 ack-policy normal
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Enter 5G radio profile wlan-radio5g and set EDCA parameters on APs to enable voice and
video services to preferentially use network bandwidth. The configuration is similar to that in
the 2G radio profile and is not mentioned here.
# Enter SSID profile wlan-net and set EDCA parameters on STAs to enable voice and video
services to preferentially use network bandwidth.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0
[AC-wlan-ssid-prof-wlan-net] quit

Step 3 Configure priority mapping.

NOTE

This example requires that voice and video packets have the highest priority so that these packets are
preferentially transmitted. By default, the uplink and downlink mapping modes on the air interface are
802.11e and DSCP, respectively. The uplink and downlink priority mapping on the air interface ensures
that voice and video packets have the highest tunnel DSCP priority. Therefore, you do not need to modify
the default priority mapping.
To change the default priority mapping, for example, to give video packets a higher priority than voice
packets, refer to this step.
By default, the user priority of voice packets is set to 6 or 7, and that of the video packets is set to 4 or 5. In
this example, the tunnel DSCP priority of video packets is set to 48 and 56, and that of voice packets is set to
32 and 40. Video packets with a higher priority are preferentially transmitted.

# Create traffic profile wlan-traffic and configure priority mapping in the profile.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream trust dscp
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream dscp 48 to 55 dot11e 4
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream dscp 56 to 63 dot11e 5
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream dscp 32 to 39 dot11e 6
[AC-wlan-traffic-prof-wlan-traffic] priority-map downstream dscp 40 to 47 dot11e 7
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream trust dot11e
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream dot11e 6 dscp 32
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream dot11e 7 dscp 40
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream dot11e 4 dscp 48
[AC-wlan-traffic-prof-wlan-traffic] priority-map tunnel-upstream dot11e 5 dscp 56
[AC-wlan-traffic-prof-wlan-traffic] quit

# Bind traffic profile wlan-traffic to VAP profile wlan-net.


[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit

Step 4 Verify the configuration.


Run the display radio-2g-profile name wlan-radio2g command on the AC to check the
EDCA settings on APs in the 2G radio profile. The EDCA parameter priorities of AC_VI and
AC_VO packets are higher than those of AC_BE and AC_BK packets. Therefore, voice and
video services are enabled to preferentially use wireless channels. The configuration in the 5G
radio profile is similar to that in the 2G radio profile and is not mentioned here.
[AC-wlan-view] display radio-2g-profile name wlan-radio2g
------------------------------------------------------------
...
------------------------------------------------------------
AP EDCA parameters:
---------------------------------------------------
        ECWmax  ECWmin  AIFSN  TXOPLimit  Ack-Policy
AC_VO   4       2       2      0          normal
AC_VI   5       3       5      0          normal
AC_BE   10      6       12     0          normal
AC_BK   10      8       12     0          normal
---------------------------------------------------

Run the display ssid-profile name wlan-net command on the AC to check the EDCA
settings on STAs in the SSID profile. The EDCA parameter priorities of AC_VI and
AC_VO packets are higher than those of AC_BE and AC_BK packets. Therefore, voice and
video services are enabled to preferentially use wireless channels.
[AC-wlan-view] display ssid-profile name wlan-net
-------------------------------------------------------------------
...
-------------------------------------------------------------------
WMM EDCA client parameters:
-------------------------------------------------------------------
        ECWmax  ECWmin  AIFSN  TXOPLimit
AC_VO   4       2       2      0
AC_VI   5       3       5      0
AC_BE   10      6       12     0
AC_BK   10      8       12     0
-------------------------------------------------------------------
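
The following added example (not part of the Huawei document) converts the EDCA values configured above into contention windows and waiting times, which shows why AC_VO and AC_VI win channel access over AC_BE and AC_BK. The SIFS and slot-time constants are assumed IEEE 802.11 values that the page does not state, and all function names are illustrative.

```python
import re

# Assumed PHY timing in microseconds as (SIFS, slot time), taken from IEEE 802.11;
# these constants are not stated on the page.
PHY_TIMING_US = {"2.4GHz": (10, 9), "5GHz": (16, 9)}

# EDCA lines copied from the radio profile in this example's configuration file.
EDCA_CONFIG = """\
wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0 ack-policy normal
wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0 ack-policy normal
wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0 ack-policy normal
wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0 ack-policy normal
"""

EDCA_LINE = re.compile(
    r"wmm edca-(?:ap|client) ac-(vo|vi|be|bk) aifsn (\d+) "
    r"ecw ecwmin (\d+) ecwmax (\d+) txoplimit (\d+)"
)


def parse_edca(text):
    """Return {ac: {'aifsn', 'ecwmin', 'ecwmax', 'txop'}} from wmm edca-* lines."""
    params = {}
    for m in EDCA_LINE.finditer(text):
        ac = m.group(1)
        aifsn, ecwmin, ecwmax, txop = (int(v) for v in m.groups()[1:])
        if ecwmin > ecwmax:
            raise ValueError(f"ac-{ac}: ecwmin {ecwmin} exceeds ecwmax {ecwmax}")
        params[ac] = {"aifsn": aifsn, "ecwmin": ecwmin, "ecwmax": ecwmax, "txop": txop}
    return params


def channel_access(params, band="2.4GHz"):
    """Convert EDCA exponents into contention windows (slots) and waits (us)."""
    sifs, slot = PHY_TIMING_US[band]
    table = {}
    for ac, p in params.items():
        cw_min = 2 ** p["ecwmin"] - 1         # CWmin = 2^ECWmin - 1 slots
        cw_max = 2 ** p["ecwmax"] - 1         # CWmax = 2^ECWmax - 1 slots
        aifs = sifs + p["aifsn"] * slot       # fixed wait before backoff starts
        mean_wait = aifs + slot * cw_min / 2  # AIFS plus the average first backoff
        table[ac] = {"cw_min": cw_min, "cw_max": cw_max,
                     "aifs_us": aifs, "mean_wait_us": mean_wait}
    return table


def access_order(table):
    """Access categories sorted from most to least favoured on the air."""
    return sorted(table, key=lambda ac: (table[ac]["mean_wait_us"], table[ac]["cw_max"]))


def check_voice_video_first(table):
    """Return a list of problems if VO/VI are not strictly ahead of BE/BK."""
    problems = []
    for fast in ("vo", "vi"):
        for slow in ("be", "bk"):
            if table[fast]["mean_wait_us"] >= table[slow]["mean_wait_us"]:
                problems.append(f"ac-{fast} does not beat ac-{slow}")
    return problems


if __name__ == "__main__":
    tbl = channel_access(parse_edca(EDCA_CONFIG))
    for ac in access_order(tbl):
        print(f"ac-{ac}: {tbl[ac]}")
    print("problems:", check_voice_video_first(tbl))
```

The same parser accepts the wmm edca-client lines of the SSID profile, so the STA-side values can be checked in the same way.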

Run the display traffic-profile name wlan-traffic command on the AC to check the priority
mapping configuration in the traffic profile. The DSCP priorities of AC_VI and
AC_VO packets are higher than those of AC_BE and AC_BK packets. Therefore, voice and
video services will be preferentially transmitted.
[AC-wlan-view] display traffic-profile name wlan-traffic
----------------------------------------------------
...
CAPWAP priority upstream map mode: 802.11e map DSCP
0 map 0
1 map 8
2 map 16
3 map 24
6 map 32
7 map 40
4 map 48
5 map 56
CAPWAP priority upstream map mode: 802.11e map 802.1p
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
WMM priority downstream map mode: DSCP map 802.11e
0-7 map 0
8-15 map 1
16-23 map 2
24-31 map 3
48-55 map 4
56-63 map 5
32-39 map 6
40-47 map 7
WMM priority downstream map mode: 802.1p map 802.11e
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
---------------------------------------------------------------------------------------------
Traffic Type Direction AppliedRecord
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
----------------------------------------------------

----End
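
The following added example (not part of the Huawei document) rebuilds the effective priority tables from the priority-map lines of this example and checks that every 802.11e user priority sent upstream comes back on the same user priority downstream. The default mappings (DSCP n to user priority n/8 and user priority p to DSCP 8p) are an assumption inferred from the unchanged rows of the display output above; function names are illustrative.

```python
import re

# priority-map lines copied from the traffic profile in this example.
PRIORITY_CONFIG = """\
priority-map downstream dscp 48 to 55 dot11e 4
priority-map downstream dscp 56 to 63 dot11e 5
priority-map downstream dscp 32 to 39 dot11e 6
priority-map downstream dscp 40 to 47 dot11e 7
priority-map tunnel-upstream dot11e 6 dscp 32
priority-map tunnel-upstream dot11e 7 dscp 40
priority-map tunnel-upstream dot11e 4 dscp 48
priority-map tunnel-upstream dot11e 5 dscp 56
"""

# WMM access category served by each 802.11e user priority (UP).
UP_TO_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
            4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}

DOWN_RE = re.compile(r"priority-map downstream dscp (\d+) to (\d+) dot11e ([0-7])")
UP_RE = re.compile(r"priority-map tunnel-upstream dot11e ([0-7]) dscp (\d+)")


def build_maps(text):
    """Return (downstream DSCP->UP, upstream UP->DSCP) after applying the config."""
    # Assumed defaults, consistent with rows 0-3 of the display output.
    down = {dscp: dscp // 8 for dscp in range(64)}
    up = {prio: prio * 8 for prio in range(8)}
    for raw in text.splitlines():
        line = raw.strip()
        m = DOWN_RE.fullmatch(line)
        if m:
            lo, hi, prio = (int(v) for v in m.groups())
            if not 0 <= lo <= hi <= 63:
                raise ValueError(f"bad DSCP range in: {line}")
            for dscp in range(lo, hi + 1):
                down[dscp] = prio
            continue
        m = UP_RE.fullmatch(line)
        if m:
            prio, dscp = int(m.group(1)), int(m.group(2))
            if dscp > 63:
                raise ValueError(f"bad DSCP value in: {line}")
            up[prio] = dscp
    return down, up


def downstream_ranges(down):
    """Collapse the per-DSCP table into (first, last, UP, access category) rows."""
    rows, start = [], 0
    for dscp in range(1, 65):
        if dscp == 64 or down[dscp] != down[start]:
            rows.append((start, dscp - 1, down[start], UP_TO_AC[down[start]]))
            start = dscp
    return rows


def asymmetric_priorities(down, up):
    """UPs whose upstream DSCP is mapped to a different UP on the way back."""
    return [prio for prio in range(8) if down[up[prio]] != prio]


if __name__ == "__main__":
    down_map, up_map = build_maps(PRIORITY_CONFIG)
    for first, last, prio, ac in downstream_ranges(down_map):
        print(f"DSCP {first}-{last} -> UP {prio} ({ac})")
    print("asymmetric UPs:", asymmetric_priorities(down_map, up_map))
```

Configuring only the downstream lines leaves user priorities 4 to 7 asymmetric under the assumed defaults, which is why the example changes both directions together.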

Configuration Files
• AC configuration file
#
 sysname AC
#
wlan
 traffic-profile name wlan-traffic
  priority-map downstream dscp 48 to 55 dot11e 4
  priority-map downstream dscp 56 to 63 dot11e 5
  priority-map downstream dscp 32 to 39 dot11e 6
  priority-map downstream dscp 40 to 47 dot11e 7
  priority-map tunnel-upstream dot11e 6 dscp 32
  priority-map tunnel-upstream dot11e 7 dscp 40
  priority-map tunnel-upstream dot11e 4 dscp 48
  priority-map tunnel-upstream dot11e 5 dscp 56
 ssid-profile name wlan-net
  wmm edca-client ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0
  wmm edca-client ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0
  wmm edca-client ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0
  wmm edca-client ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0
 vap-profile name wlan-net
  ssid-profile wlan-net
  traffic-profile wlan-traffic
 radio-2g-profile name wlan-radio2g
  wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0 ack-policy normal
  wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0 ack-policy normal
  wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0 ack-policy normal
  wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0 ack-policy normal
 radio-5g-profile name wlan-radio5g
  wmm edca-ap ac-be aifsn 12 ecw ecwmin 6 ecwmax 10 txoplimit 0 ack-policy normal
  wmm edca-ap ac-bk aifsn 12 ecw ecwmin 8 ecwmax 10 txoplimit 0 ack-policy normal
  wmm edca-ap ac-vi aifsn 5 ecw ecwmin 3 ecwmax 5 txoplimit 0 ack-policy normal
  wmm edca-ap ac-vo aifsn 2 ecw ecwmin 2 ecwmax 4 txoplimit 0 ack-policy normal
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return

4.15.3 Example for Configuring Traffic Policing

Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

To prevent STAs from maliciously occupying network resources and reduce network
congestion, the administrator requires that the uplink rate limit of each STA be 2 Mbit/s and
the total uplink rate limit of all STAs on a VAP be 30 Mbit/s.

Figure 4-62 Networking for configuring traffic policing

Data Planning

Table 4-67 AC data planning


Item              Data

AP group          • Name: ap-group1
                  • Referenced profiles: VAP profile wlan-net

VAP profile       • Name: wlan-net
                  • Referenced profiles: traffic profile wlan-traffic

Traffic profile   • Name: wlan-traffic
                  • Uplink rate limit of a single STA: 2 Mbit/s
                  • Uplink rate limit of all STAs on a VAP: 30 Mbit/s

Configuration Roadmap
1. Configure the uplink rate limits of a single STA and all STAs on a VAP in a traffic
profile to achieve traffic policing.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                          Command                             Data

Check the AP group to which an AP belongs.          display ap all                      AP group: ap-group1

Check all profiles referenced by the AP group.      display ap-group name ap-group1     • VAP profile: wlan-net

NOTE

• If an AP has different configurations from that in the AP group, the configuration on the AP takes
  precedence.
• A new profile takes effect only after being bound to an AP or an AP group.

Step 2 Configure traffic policing.


# Create traffic profile wlan-traffic. Set the uplink rate limit of a single STA to 2 Mbit/s and
the total uplink rate limit of all STAs on the VAP to 30 Mbit/s.
<AC6606> system-view
[AC6606] sysname AC
[AC] wlan
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client up 2048
[AC-wlan-traffic-prof-wlan-traffic] rate-limit vap up 30720
[AC-wlan-traffic-prof-wlan-traffic] quit

# Bind traffic profile wlan-traffic to VAP profile wlan-net.


[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit

Step 3 Verify the configuration.


Run the display traffic-profile name wlan-traffic command on the AC to check the rate
limit configuration in the traffic profile. The command output shows that the uplink rate limit
of a single STA is 2048 kbit/s (2 Mbit/s) and the total uplink rate limit of all STAs on a VAP is
30720 kbit/s (30 Mbit/s).
[AC-wlan-view] display traffic-profile name wlan-traffic
----------------------------------------------------
Profile ID : 1
Priority map downstream trust : DSCP
User isolate mode : disable
Rate limit client up(Kbps) : 2048
Rate limit client down(Kbps) : 4294967295
Rate limit VAP up(Kbps) : 30720
Rate limit VAP down(Kbps) : 4294967295
...

----End

Configuration Files
• AC configuration file
#
 sysname AC
#
wlan
 traffic-profile name wlan-traffic
  rate-limit client up 2048
  rate-limit vap up 30720
 vap-profile name wlan-net
  traffic-profile wlan-traffic
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return
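
The following added example (not part of the Huawei document) audits a saved configuration for this scenario: it confirms that the traffic profile carrying the rate limits is referenced by a VAP profile that an AP group actually uses, and lists the directions left without a limit. The parser handles only the commands shown in this example, and the function names are illustrative.

```python
import re

# WLAN section of the AC configuration file from this example.
AC_CONFIG = """\
wlan
 traffic-profile name wlan-traffic
  rate-limit client up 2048
  rate-limit vap up 30720
 vap-profile name wlan-net
  traffic-profile wlan-traffic
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
"""

BLOCK_RE = re.compile(r"(traffic-profile|vap-profile|ap-group) name (\S+)")


def parse_wlan(text):
    """Return (rate limits per traffic profile, VAP->traffic profile, group->VAPs)."""
    limits, vap_traffic, group_vaps = {}, {}, {}
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()
        m = BLOCK_RE.fullmatch(line)
        if m:
            kind, name = m.groups()
            if kind == "traffic-profile":
                limits.setdefault(name, {})
            elif kind == "vap-profile":
                vap_traffic.setdefault(name, None)
            else:
                group_vaps.setdefault(name, set())
            continue
        if re.fullmatch(r"\S+ name \S+", line) or line.startswith(("ap-id", "#")):
            kind = None  # another profile type or section: ignore its body
            continue
        m = re.fullmatch(r"rate-limit (client|vap) (up|down) (\d+)", line)
        if m and kind == "traffic-profile":
            limits[name][(m.group(1), m.group(2))] = int(m.group(3))
        m = re.fullmatch(r"traffic-profile (\S+)", line)
        if m and kind == "vap-profile":
            vap_traffic[name] = m.group(1)
        m = re.fullmatch(r"vap-profile (\S+) wlan \d+", line)
        if m and kind == "ap-group":
            group_vaps[name].add(m.group(1))
    return limits, vap_traffic, group_vaps


def audit_rate_limit(text, profile):
    """Report where a traffic profile is bound and which directions are unlimited."""
    limits, vap_traffic, group_vaps = parse_wlan(text)
    if profile not in limits:
        raise KeyError(f"traffic profile {profile} not found")
    vaps = sorted(v for v, t in vap_traffic.items() if t == profile)
    groups = sorted(g for g, refs in group_vaps.items() if refs & set(vaps))
    unlimited = [f"{scope} {direction}"
                 for scope in ("client", "vap") for direction in ("up", "down")
                 if (scope, direction) not in limits[profile]]
    return {"limits_kbps": limits[profile], "vap_profiles": vaps,
            "ap_groups": groups, "unlimited": unlimited, "in_effect": bool(groups)}


if __name__ == "__main__":
    print(audit_rate_limit(AC_CONFIG, "wlan-traffic"))
```

The two directions reported as unlimited correspond to the 4294967295 values in the display traffic-profile output of Step 3.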

4.15.4 Example for Configuring Airtime Fair Scheduling


Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The administrator requires that multiple users on the network be able to fairly use network
bandwidth to improve overall user experience.

Figure 4-63 Networking for configuring airtime fair scheduling


Data Planning

Table 4-68 AC data planning


Item              Data

AP group          • Name: ap-group1
                  • Referenced profiles: 2G radio profile wlan-radio2g, and 5G radio
                    profile wlan-radio5g

RRM profile       • Name: wlan-rrm
                  • Airtime fair scheduling: enabled

2G radio profile  • Name: wlan-radio2g
                  • Referenced profiles: RRM profile wlan-rrm

5G radio profile  • Name: wlan-radio5g
                  • Referenced profiles: RRM profile wlan-rrm

Configuration Roadmap
1. Enable airtime fair scheduling to ensure that multiple users on a radio can fairly use
network bandwidth to improve overall user experience.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                          Command                             Data

Check the AP group to which an AP belongs.          display ap all                      AP group: ap-group1

Check all profiles referenced by the AP group.      display ap-group name ap-group1     • 2G radio profile: wlan-radio2g
                                                                                        • 5G radio profile: wlan-radio5g

NOTE

• If an AP has different configurations from that in the AP group, the configuration on the AP takes
  precedence.
• A new profile takes effect only after being bound to an AP or an AP group.

Step 2 Configure airtime fair scheduling.

# Create the RRM profile wlan-rrm and enable airtime fair scheduling.
<AC6606> system-view
[AC6606] sysname AC
[AC] wlan
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] airtime-fair-schedule enable
[AC-wlan-rrm-prof-wlan-rrm] quit

# Bind the RRM profile wlan-rrm to the 2G radio profile wlan-radio2g.


[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Bind the RRM profile wlan-rrm to the 5G radio profile wlan-radio5g.


[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

Step 3 Verify the configuration.

Run the display rrm-profile name wlan-rrm command on the AC to check the configuration
of the RRM profile. The command output shows that airtime fair scheduling has been
enabled. Therefore, users on the network can fairly use network bandwidth.
[AC-wlan-view] display rrm-profile name wlan-rrm
------------------------------------------------------------
Auto channel select : enable
Auto transmit power select : enable
PER threshold for trigger channel/power select(%) : 60
Airtime fairness schedule : enable
Dynamic adjust EDCA parameter : disable
...

----End

Configuration Files
• AC configuration file
#
 sysname AC
#
wlan
 rrm-profile name wlan-rrm
  airtime-fair-schedule enable
 radio-2g-profile name wlan-radio2g
  rrm-profile wlan-rrm
 radio-5g-profile name wlan-radio5g
  rrm-profile wlan-rrm
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
  radio 1
   radio-5g-profile wlan-radio5g
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return

4.15.5 Example for Configuring ACL-based Packet Filtering


Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
To control network traffic, the administrator requires that packets with source IP address
10.23.101.10 and destination IP address 10.23.101.11 be forbidden to pass.


Figure 4-64 Networking for configuring ACL-based packet filtering

Data Planning

Table 4-69 AC data planning


Item              Data

AP group          • Name: ap-group1
                  • Referenced profiles: VAP profile wlan-net

VAP profile       • Name: wlan-net
                  • Referenced profiles: traffic profile wlan-traffic

Traffic profile   • Name: wlan-traffic
                  • Configuration of ACL-based IPv4 packet filtering

Configuration Roadmap
1. Configure ACL-based packet filtering in a traffic profile.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                          Command                             Data

Check the AP group to which an AP belongs.          display ap all                      AP group: ap-group1

Check all profiles referenced by the AP group.      display ap-group name ap-group1     VAP profile: wlan-net

NOTE

• If an AP has different configurations from that in the AP group, the configuration on the AP takes
  precedence.
• A new profile takes effect only after being bound to an AP or an AP group.

Step 2 Configure ACL-based packet filtering.


# Create ACL 3001 and forbid packets with source IP address 10.23.101.10 and destination IP
address 10.23.101.11 to pass.
<AC6605> system-view
[AC6605] sysname AC
[AC] acl 3001
[AC-acl-adv-3001] rule deny ip source 10.23.101.10 0 destination 10.23.101.11 0
[AC-acl-adv-3001] quit

# Create traffic profile wlan-traffic and apply the ACL to it.


[AC] wlan
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] traffic-filter inbound ipv4 acl 3001
[AC-wlan-traffic-prof-wlan-traffic] quit

# Bind traffic profile wlan-traffic to VAP profile wlan-net.


[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit

Step 3 Verify the configuration.


Run the display traffic-profile name wlan-traffic command on the AC to check the
configuration of the traffic profile. The command output shows that ACL 3001 has been
configured to filter out packets with source IP address 10.23.101.10 and destination IP
address 10.23.101.11.
[AC-wlan-view] display traffic-profile name wlan-traffic
----------------------------------------------------
...
---------------------------------------------------------------------------------------------
Traffic Type Direction AppliedRecord
---------------------------------------------------------------------------------------------
traffic-filter inbound IPv4 ACL 3001
---------------------------------------------------------------------------------------------
----------------------------------------------------

----End
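
The following added example (not part of the Huawei document) evaluates packets against the ACL 3001 rule to show what the wildcard 0 means and that the rule matches one direction only: traffic from 10.23.101.11 to 10.23.101.10 is not matched. Automatic rule numbering in steps of 5 is an assumption consistent with the rule 5 shown in the configuration file, and the function names are illustrative.

```python
import ipaddress
import re

# Rule as entered in Step 2 of this example (no rule ID given).
ACL_3001 = """\
rule deny ip source 10.23.101.10 0 destination 10.23.101.11 0
"""

RULE_RE = re.compile(
    r"rule(?: (\d+))? (permit|deny) ip source (\S+) (\S+) destination (\S+) (\S+)"
)
STEP = 5  # assumption: unnumbered rules receive the next multiple of 5


def _wildcard(text):
    """'0' means an exact host match; otherwise a dotted wildcard mask."""
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def parse_acl(text):
    """Parse 'rule ... ip source A W destination A W' lines into ordered rules."""
    rules, last_id = [], 0
    for raw in text.splitlines():
        m = RULE_RE.fullmatch(raw.strip())
        if not m:
            continue
        rule_id = int(m.group(1)) if m.group(1) else (last_id // STEP + 1) * STEP
        last_id = max(last_id, rule_id)
        rules.append({
            "id": rule_id,
            "action": m.group(2),
            "src": int(ipaddress.IPv4Address(m.group(3))),
            "src_wc": _wildcard(m.group(4)),
            "dst": int(ipaddress.IPv4Address(m.group(5))),
            "dst_wc": _wildcard(m.group(6)),
        })
    return sorted(rules, key=lambda r: r["id"])


def _hit(addr, base, wildcard):
    """Bits set in the wildcard are ignored; all other bits must be equal."""
    diff = int(ipaddress.IPv4Address(addr)) ^ base
    return (diff & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(rules, src, dst):
    """Return (action, rule id) of the first matching rule, else ('no-match', None)."""
    for rule in rules:
        if _hit(src, rule["src"], rule["src_wc"]) and _hit(dst, rule["dst"], rule["dst_wc"]):
            return rule["action"], rule["id"]
    return "no-match", None


if __name__ == "__main__":
    acl = parse_acl(ACL_3001)
    # Constructed test packets as (source, destination).
    for src, dst in [("10.23.101.10", "10.23.101.11"),
                     ("10.23.101.11", "10.23.101.10"),
                     ("10.23.101.10", "10.23.101.12")]:
        print(src, "->", dst, evaluate(acl, src, dst))
```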

Configuration Files
• AC configuration file
#
 sysname AC
#
acl number 3001
 rule 5 deny ip source 10.23.101.10 0 destination 10.23.101.11 0
#
wlan
 traffic-profile name wlan-traffic
  traffic-filter inbound ipv4 acl 3001
 vap-profile name wlan-net
  traffic-profile wlan-traffic
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return


4.15.6 Example for Configuring Optimization for Voice and Video Services

Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Voice, video, and data services are transmitted on the WLAN. The administrator requires that
voice and video services of QQ and WeChat have a higher priority to ensure good user
experience in these QQ and WeChat services.

Figure 4-65 Networking for configuring optimization for voice and video services

Data Planning

Table 4-70 AC data planning

Item                          Data

Voice and video optimization  • Applied protocols: QQ and WeChat


Configuration Roadmap
1. Configure optimization for voice and video services so that these QQ and WeChat
services have a higher priority than data services.

Configuration Notes
• The configuration of optimization for voice and video services supports only tunnel
  forwarding.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure optimization for voice and video services.

# Enable the security engine.


<AC6606> system-view
[AC6606] sysname AC
[AC] defence engine enable

NOTE
After the security engine is enabled, the system automatically loads the default signature database.

# Configure optimization for voice and video services on QQ and WeChat.


NOTE

By default, the voice and video traffic awareness and optimization function is enabled.
[AC] undo voice-aware app-protocol qq disable
[AC] undo voice-aware app-protocol weixin disable
[AC] undo video-aware app-protocol qq disable
[AC] undo video-aware app-protocol weixin disable
[AC] wlan

Step 2 Verify the configuration.


If a user makes video calls after optimization is configured for video services and the
configuration is successfully delivered, you can run the display video-aware-list command to
check video session information.
[AC-wlan-view] display video-aware-list ap-name area_1 radio 0
-----------------------------------------------------------------------------------------------
Protocol    Source IP/Port           Destination IP/Port
-----------------------------------------------------------------------------------------------
qq          191.168.1.254/123        191.168.1.253/123
weixin      191.168.1.253/123        191.168.1.254/123
-----------------------------------------------------------------------------------------------
Total: 2

If a user makes voice calls after optimization is configured for voice services and the
configuration is successfully delivered, you can run the display voice-aware-list command to
check voice session information.
[AC-wlan-view] display voice-aware-list ap-name area_1 radio 0
-------------------------------------------------------------------------------
Protocol Source IP/Port Destination IP/Port
-------------------------------------------------------------------------------
qq 191.168.1.254/123 191.168.1.253/123
weixin 191.168.1.253/123 191.168.1.254/123
-------------------------------------------------------------------------------
Total : 2

----End

Configuration Files
l AC configuration file
#
defence engine enable
sysname AC
#
return

4.15.7 Example for Configuring Priorities for Lync Packets


Networking Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The administrator requires that voice and video packets of the Lync software have a higher
priority than desktop sharing and file transfer packets to ensure good user experience in voice
and video services.


Figure 4-66 Networking for configuring priorities for Lync packets

Data Planning

Table 4-71 AC data planning


Item                       Data

AP group                   l Name: ap-group1
                           l Referenced profiles: VAP profile wlan-net

VAP profile                l Name: wlan-net
                           l Referenced profiles: UCC profile wlan-ucc

UCC profile                l Name: wlan-ucc
                           l 802.1p priority of Lync voice packets: 6
                           l 802.1p priority of Lync video packets: 5
                           l 802.1p priority of Lync desktop sharing packets: 4
                           l 802.1p priority of Lync file transfer packets: 3

Lync server port number    9000

Configuration Roadmap
1. Configure priorities for Lync packets to set higher priorities for voice and video packets
than those of desktop sharing and file transfer packets.


2. Configure the AC to interact with the Lync server.

Configuration Notes
l The configuration of priorities for Lync packets supports only tunnel forwarding.
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check the basic configuration of the WLAN.
Check Item                                        Command                            Data

Check the AP group to which an AP belongs.        display ap all                     AP group: ap-group1

Check all profiles referenced by the AP group.    display ap-group name ap-group1    VAP profile: wlan-net

NOTE

l If the configuration on an AP differs from that in the AP group, the configuration on the AP takes
precedence.
l A new profile takes effect only after being bound to an AP or an AP group.


Step 2 Configure priorities for Lync packets.


# Create UCC profile wlan-ucc and configure priorities for Lync packets.
<AC6605> system-view
[AC6605] sysname AC
[AC] wlan
[AC-wlan-view] ucc-profile name wlan-ucc
[AC-wlan-ucc-prof-wlan-ucc] lync-voice remark dot1p 6
[AC-wlan-ucc-prof-wlan-ucc] lync-video remark dot1p 5
[AC-wlan-ucc-prof-wlan-ucc] lync-app-share remark dot1p 4
[AC-wlan-ucc-prof-wlan-ucc] lync-file-transfer remark dot1p 3
[AC-wlan-ucc-prof-wlan-ucc] quit

# Bind UCC profile wlan-ucc to VAP profile wlan-net.


[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] ucc-profile wlan-ucc
[AC-wlan-vap-prof-wlan-net] quit
[AC-wlan-view] quit

Step 3 Configure the AC to interact with the Lync server.


# Set the port number of the HTTP service to 9000.
[AC] lync listener http-port 9000
[AC] wlan

NOTE

l The port number of the HTTP service specified on the AC must be consistent with the port number on the
Lync server.
l You need to specify the IP address of the AC for the Lync server and the port number of the Lync server.

Step 4 Verify the configuration.


Run the display ucc-profile name wlan-ucc command on the AC to check the priority
mapping configuration for Lync packets. The command output shows that the priorities of
Lync voice and video packets are higher than those of Lync desktop sharing and file transfer
packets. Therefore, Lync voice and video packets will be preferentially transmitted.
[AC-wlan-view] display ucc-profile name wlan-ucc
--------------------------------------------------------------------------------
Lync voice 802.1p precedence : 6
Lync voice DSCP precedence : -
Lync video 802.1p precedence : 5
Lync video DSCP precedence : -
Lync app share 802.1p precedence : 4
Lync app share DSCP precedence : -
Lync file transfer 802.1p precedence : 3
Lync file transfer DSCP precedence : -
--------------------------------------------------------------------------------

----End

Configuration Files
l AC configuration file
#
sysname AC
#
lync listener http-port 9000
#
wlan
ucc-profile name wlan-ucc
lync-voice remark dot1p 6
lync-video remark dot1p 5
lync-app-share remark dot1p 4
lync-file-transfer remark dot1p 3
vap-profile name wlan-net
ucc-profile wlan-ucc
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

4.16 WLAN Enhanced Services Configuration Examples


4.16.1 Example for Configuring WLAN-based E-schoolbag
Service Requirements
E-schoolbag is a digital teaching method. In a class, teachers and students use smart terminals
such as PCs, tablets, and mobile phones to participate in teaching and learning activities
online.
A teacher can teach students in multiple classrooms without space limitation.
To ensure successful teaching activities, AP4030TNs are used to deploy basic WLAN
services to support access of many students and provide sufficient bandwidth.
The AP4030TN has three radios: radios 0, 1, and 2. Radio 0 and radio 2 can switch between
2.4 GHz and 5 GHz while radio 1 operates on the 5 GHz band. By default, radio 0 works on
the 2.4 GHz frequency band and radio 2 on the 5 GHz frequency band. If all radios are used
for WLAN coverage services, the default frequency bands for radios are recommended. If
some radios are used for air scan, run the frequency { 2.4g | 5g } command in the AP radio
view or AP group radio view to switch the frequency band of the radios.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
l Service data forwarding mode: direct forwarding


Figure 4-67 Networking for configuring the WLAN-based e-schoolbag service

Data Planning

Table 4-72 AC data planning


Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101

DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                SwitchB functions as a DHCP server to assign IP addresses to STAs. The
                                default gateway address of STAs is 10.23.101.2.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        l Name: ap-group1
                                l Referenced profiles: VAP profile wlan-net, regulatory domain profile
                                  default, 2G radio profile wlan-radio2g, and 5G radio profile
                                  wlan-radio5g

Regulatory domain profile       l Name: default
                                l Country code: China

SSID profile                    l Name: wlan-net
                                l SSID name: wlan-net
                                l Maximum number of users: 128
                                l EDCA parameters for AC_BE packets on STAs
                                  – AIFSN: 3
                                  – ECWmin: 7
                                  – ECWmax: 10

Security profile                l Name: wlan-net
                                l Security policy: WPA-WPA2+PSK+AES
                                l Password: a1234567

VAP profile                     l Name: wlan-net
                                l Forwarding mode: direct forwarding
                                l Service VLAN: VLAN 101
                                l Band steering: enabled
                                l Broadcast flood detection: enabled
                                l Rate threshold for broadcast flood detection: 50 pps
                                l Referenced profiles: SSID profile wlan-net, security profile wlan-net,
                                  and traffic profile wlan-traffic

RRM profile                     l Name: wlan-rrm
                                l Automatic channel calibration: disabled
                                l Automatic power calibration: disabled
                                l Airtime fair scheduling: enabled

2G radio profile                l Name: wlan-radio2g
                                l RTS-CTS operation mode: rts-cts
                                l RTS-CTS threshold: 1400 bytes
                                l Beacon interval: 160 ms
                                l Short preamble: enabled
                                l GI mode: short
                                l 802.11bg basic rate: 6, 9, 12, 18, 24, 36, 48, 54, in Mbit/s
                                l Multicast rate: 11 Mbit/s
                                l EDCA parameters for AC_BE packets on APs:
                                  – AIFSN: 3
                                  – ECWmin: 5
                                  – ECWmax: 6
                                l Referenced profile: RRM profile wlan-rrm

5G radio profile                l Name: wlan-radio5g
                                l RTS-CTS operation mode: rts-cts
                                l RTS-CTS threshold: 1400 bytes
                                l Beacon interval: 160 ms
                                l GI mode: short
                                l Multicast rate: 6 Mbit/s
                                l EDCA parameters for AC_BE packets on APs:
                                  – AIFSN: 3
                                  – ECWmin: 5
                                  – ECWmax: 6
                                l Referenced profile: RRM profile wlan-rrm

Traffic profile                 l Name: wlan-traffic
                                l Uplink rate limit for a STA: 4000 kbit/s
                                l Downlink rate limit for a STA: 4000 kbit/s

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.

3. Configure WLAN service parameters for STAs to access the WLAN.
4. Adjust network parameters for e-schoolbag.

Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4030TN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit


# Bind VAP profile wlan-net to the AP group and apply the profile to all radios of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 6 Adjust network parameters for e-schoolbag.


1. Adjust parameters in VAP profile wlan-net.
# Enable the band steering function. By default, the band steering function is enabled.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] undo band-steer disable

# Enable the broadcast flood detection function and configure the rate threshold for
broadcast flood detection. By default, the broadcast flood detection function is enabled.
[AC-wlan-vap-prof-wlan-net] undo anti-attack broadcast-flood disable
[AC-wlan-vap-prof-wlan-net] anti-attack broadcast-flood sta-rate-threshold 50
[AC-wlan-vap-prof-wlan-net] quit
2. Adjust parameters in SSID profile wlan-net.
# Set the maximum number of STAs that can be associated with a VAP to 128 and set
EDCA parameters for AC_BE packets on STAs.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] max-sta-number 128
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10
[AC-wlan-ssid-prof-wlan-net] quit
3. Create a traffic profile and adjust traffic profile parameters.
# Create traffic profile wlan-traffic and set the uplink and downlink rate limits for a STA
to 4000 kbit/s.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client down 4000
[AC-wlan-traffic-prof-wlan-traffic] rate-limit client up 4000
[AC-wlan-traffic-prof-wlan-traffic] quit

# Configure the traffic profile referenced by a VAP profile.


[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit
4. Create an RRM profile and enable airtime fair scheduling.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] airtime-fair-schedule enable
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-rrm-prof-wlan-rrm] quit
5. Create a 2G radio profile and adjust 2G radio profile parameters.
# Create 2G radio profile wlan-radio2g and set the parameters as follows:
– Set the RTS-CTS operation mode to rts-cts and the RTS-CTS threshold to 1400
bytes.
– Set the interval for sending Beacon frames to 160 ms.
– Enable the short preamble function. By default, the short preamble function is
enabled in radio profiles.
– Set the GI mode to short.
– Set the 802.11bg basic rates to 6, 9, 12, 18, 24, 36, 48, and 54 Mbit/s.
– Set the multicast rate to 11 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.

[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rts-cts-mode rts-cts
[AC-wlan-radio-2g-prof-wlan-radio2g] rts-cts-threshold 1400
[AC-wlan-radio-2g-prof-wlan-radio2g] beacon-interval 160
[AC-wlan-radio-2g-prof-wlan-radio2g] undo short-preamble disable
[AC-wlan-radio-2g-prof-wlan-radio2g] guard-interval-mode short
[AC-wlan-radio-2g-prof-wlan-radio2g] dot11bg basic-rate 6 9 12 18 24 36 48 54
[AC-wlan-radio-2g-prof-wlan-radio2g] multicast-rate 11
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6

# Bind RRM profile wlan-rrm to the radio profile.


[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

6. Create a 5G radio profile and adjust 5G radio profile parameters.


# Create 5G radio profile wlan-radio5g and set the parameters as follows:
– Set the RTS-CTS operation mode to rts-cts and the RTS-CTS threshold to 1400
bytes.
– Set the interval for sending Beacon frames to 160 ms.
– Set the GI mode to short.
– Set the multicast rate to 6 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rts-cts-mode rts-cts
[AC-wlan-radio-5g-prof-wlan-radio5g] rts-cts-threshold 1400
[AC-wlan-radio-5g-prof-wlan-radio5g] beacon-interval 160
[AC-wlan-radio-5g-prof-wlan-radio5g] guard-interval-mode short
[AC-wlan-radio-5g-prof-wlan-radio5g] multicast-rate 6
[AC-wlan-radio-5g-prof-wlan-radio5g] wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6

# Bind RRM profile wlan-rrm to the radio profile.


[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

Step 7 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions.


[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-rrm] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-rrm] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit

# Configure the channel and power for radio 2.


[AC-wlan-ap-0] radio 2
[AC-wlan-radio-0/2] channel 20mhz 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/2] eirp 127
[AC-wlan-radio-0/2] quit
[AC-wlan-ap-0] quit

Step 8 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 2 1 60DE-4476-E380 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 3

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

l SwitchB configuration file


#
sysname SwitchB
#
vlan batch 100 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
l Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
traffic-profile name wlan-traffic
rate-limit client up 4000
rate-limit client down 4000
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#wQ}eV*m'Y#f6Mj@h#DxTLrKaYm|)pBm@w$(jpeqE%^%# aes
ssid-profile name wlan-net
ssid wlan-net
max-sta-number 128
wmm edca-client ac-be aifsn 3 ecw ecwmin 7 ecwmax 10 txoplimit 0
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
traffic-profile wlan-traffic
anti-attack broadcast-flood sta-rate-threshold 50
regulatory-domain-profile name default
rrm-profile name wlan-rrm
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
airtime-fair-schedule enable
radio-2g-profile name wlan-radio2g
dot11bg basic-rate 6 9 12 18 24 36 48 54
beacon-interval 160
guard-interval-mode short
multicast-rate 11
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
radio-5g-profile name wlan-radio5g
beacon-interval 160
guard-interval-mode short
wmm edca-ap ac-be aifsn 3 ecw ecwmin 5 ecwmax 6 txoplimit 0 ack-policy normal
multicast-rate 6
rrm-profile wlan-rrm
rts-cts-threshold 1400
rts-cts-mode rts-cts
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
radio 2
vap-profile wlan-net wlan 1
ap-id 0 type-id 60 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
radio 2
channel 20mhz 157
eirp 127
#
return

4.16.2 Example for Configuring WLAN Hotspot2.0 Services

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. On a traditional WLAN, users must manually select an SSID and enter authentication
information to access the WLAN, which results in a poor user experience. To improve user
experience, Hotspot2.0 services are deployed and a subscriber identity module (SIM) card is
used for authentication. In this way, users access the WLAN automatically, without manual
intervention.

Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (Switch_B) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 4-68 Networking for configuring WLAN Hotspot2.0 services

Data Planning

Table 4-73 Data planning on the AC

Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101

DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs and STAs.
                                The aggregation switch (Switch_B) functions as a DHCP server to assign IP
                                addresses to STAs. The default gateway address of STAs is 10.23.101.2.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24

AC's source interface address   VLANIF 100: 10.23.101.1/24

AP group                        • Name: ap-group1
                                • Country code: China
                                • Referenced profile: VAP profile wlan-net

SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net

Security profile                • Name: wlan-net
                                • Security policy: WPA2-802.1x-AES

Authentication profile          • Name: wlan-net
                                • Access authentication mode: 802.1x

Hotspot2.0 profile              • Name: wlan-net
                                • Network type: free public network
                                • Internet access: supported
                                • Venue type: coffee shop (venue group code 1 and venue type code 13)
                                • HESSID: 60de-4476-e360
                                • IP address availability: available
                                • Network authentication type: acceptance
                                • P2P cross connection: disabled
                                • Cellular network profile: wlan-net
                                  – 46000
                                • Roaming consortium profile: wlan-net
                                  – 50-6f-9a
                                • NAI realm profile: wlan-net
                                  – www.mobileA.com
                                • Network connection capability profile: wlan-net
                                  – HTTP service: enabled
                                • Operator domain profile: wlan-net
                                  – www.mobileA.com
                                • Operator name profile: wlan-net
                                  – eng, mobileA
                                • Venue name profile: wlan-net
                                  – eng, Coffee
                                • Operating class profile: wlan-net
                                  – 81

VAP profile                     • Name: wlan-net
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net, security profile wlan-net,
                                  authentication profile wlan-net, and Hotspot2.0 profile wlan-net

STA user name and password      • User name: huawei
                                • Password: huawei123

RADIUS server                   • IP address: 10.23.102.1
                                • Port number: 1812
                                • Shared key: Huawei@123

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure WPA2-802.1x authentication based on the operator's AAA server information.
5. Configure Hotspot2.0 services based on the operator's network information.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC             Name    Group      IP             Type      State  STA  Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Configure WPA2-802.1x.


# Configure a RADIUS server template.
[AC-wlan-view] quit
[AC] radius-server template wlan-radius
[AC-radius-wlan-radius] radius-server authentication 10.23.102.1 1812
[AC-radius-wlan-radius] radius-server shared-key cipher Huawei@123
[AC-radius-wlan-radius] radius-server retransmit 2
[AC-radius-wlan-radius] undo radius-server user-name domain-included
[AC-radius-wlan-radius] quit

# Configure an AAA authentication scheme and configure the device to use RADIUS
authentication preferentially.
[AC] aaa
[AC-aaa] authentication-scheme wlan-authen
[AC-aaa-authen-wlan-authen] authentication-mode radius local
[AC-aaa-authen-wlan-authen] quit
[AC-aaa] quit

# Configure an 802.1x access profile and configure EAP relay authentication for 802.1x users.
[AC] dot1x-access-profile name wlan-net
[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

# Configure an authentication profile and bind the AAA authentication scheme, RADIUS
server template, and 802.1x access profile to the authentication profile.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-authen
[AC-authentication-profile-wlan-net] radius-server wlan-radius
[AC-authentication-profile-wlan-net] quit

Step 8 Configure Hotspot2.0 services.

# Configure Hotspot2.0 profile wlan-net based on the operator's network parameters. Ensure
that the WPA2-802.1x authentication profile has been bound to the VAP profile.
[AC] wlan
[AC-wlan-view] cellular-network-profile name wlan-net
[AC-wlan-cellular-network-prof-wlan-net] plmn-id 46000
[AC-wlan-cellular-network-prof-wlan-net] quit
[AC-wlan-view] connection-capability-profile name wlan-net
[AC-wlan-co-cap-prof-wlan-net] connection-capability tcp-http on
[AC-wlan-co-cap-prof-wlan-net] quit
[AC-wlan-view] operator-name-profile name wlan-net
[AC-wlan-wlan-op-name-prof-wlan-net] operator-friendly-name language-code eng name mobileA
[AC-wlan-wlan-op-name-prof-wlan-net] quit
[AC-wlan-view] operating-class-profile name wlan-net
[AC-wlan-op-class-prof-wlan-net] operating-class-indication 81
[AC-wlan-op-class-prof-wlan-net] quit
[AC-wlan-view] operator-domain-profile name wlan-net
[AC-wlan-op-domain-prof-wlan-net] domain-name www.mobileA.com
[AC-wlan-op-domain-prof-wlan-net] quit
[AC-wlan-view] nai-realm-profile name wlan-net
[AC-wlan-nai-realm-prof-wlan-net] nai-realm realm-name www.mobileA.com
[AC-wlan-nai-realm-prof-wlan-net] quit
[AC-wlan-view] venue-name-profile name wlan-net
[AC-wlan-ve-na-prof-wlan-net] venue-name language-code eng name Coffee
[AC-wlan-ve-na-prof-wlan-net] quit
[AC-wlan-view] roaming-consortium-profile name wlan-net
[AC-wlan-ro-co-prof-wlan-net] roaming-consortium-oi 50-6f-9a in-beacon
[AC-wlan-ro-co-prof-wlan-net] quit
[AC-wlan-view] hotspot2-profile name wlan-net
[AC-wlan-hotspot2-prof-wlan-net] network-type public-free internet-access
[AC-wlan-hotspot2-prof-wlan-net] undo p2p-cross-connect disable
[AC-wlan-hotspot2-prof-wlan-net] venue-type group-code 1 type-code 13
[AC-wlan-hotspot2-prof-wlan-net] hessid 60de-4476-e360
[AC-wlan-hotspot2-prof-wlan-net] ipv4-address-avail available
[AC-wlan-hotspot2-prof-wlan-net] ipv6-address-avail available
[AC-wlan-hotspot2-prof-wlan-net] network-authen-type acceptance
[AC-wlan-hotspot2-prof-wlan-net] cellular-network-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] connection-capability-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] operator-name-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] operating-class-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] operator-domain-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] nai-realm-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] venue-name-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] roaming-consortium-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] quit

Step 9 Apply the authentication profile and Hotspot2.0 profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] hotspot2-profile wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit

Step 10 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08   0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-authen
radius-server wlan-radius
#
dhcp enable
#
radius-server template wlan-radius
radius-server shared-key cipher %^%#3|_'15Yp[3cBVN4*3lB3o&@0%pll(XJ:9@Yw'`(!%^%#
radius-server authentication 10.23.102.1 1812 weight 80
radius-server retransmit 2
undo radius-server user-name domain-included
#
aaa
authentication-scheme wlan-authen
authentication-mode radius local
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
roaming-consortium-profile name wlan-net
roaming-consortium-oi 50-6f-9a in-beacon
operating-class-profile name wlan-net
operating-class-indication 81
cellular-network-profile name wlan-net
plmn-id 46000
connection-capability-profile name wlan-net
connection-capability tcp-http on
operator-domain-profile name wlan-net
domain-name www.mobileA.com
operator-name-profile name wlan-net
operator-friendly-name language-code eng name mobileA
venue-name-profile name wlan-net
venue-name language-code eng name Coffee
nai-realm-profile name wlan-net
nai-realm realm-name www.mobileA.com
hotspot2-profile name wlan-net
hessid 60de-4476-e360
network-type public-free internet-access
venue-type group-code 1 type-code 13
ipv4-address-avail available
ipv6-address-avail available
network-authen-type acceptance
cellular-network-profile wlan-net
connection-capability-profile wlan-net
operator-name-profile wlan-net
operating-class-profile wlan-net
operator-domain-profile wlan-net
nai-realm-profile wlan-net
venue-name-profile wlan-net
roaming-consortium-profile wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
hotspot2-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
dot1x-access-profile name wlan-net
#
return
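
The binding chain built in Steps 5 to 9 (VAP profile to security profile, authentication profile, and Hotspot2.0 profile with its sub-profiles) can be checked offline against a saved AC configuration file. The following Python script is an added example, not part of the original document or of any Huawei tool; the sample configuration, the guest, guest-psk and guest-net profile names, and the rule that an empty Hotspot2.0 sub-profile counts as a finding are assumptions made for illustration.

```python
import re

# Constructed sample in the layout of this page's AC configuration file.
# "wlan-net" follows Steps 5-9; the "guest*" profiles are hypothetical defects.
SAMPLE_AC_CONFIG = """\
authentication-profile name wlan-net
 dot1x-access-profile wlan-net
 radius-server wlan-radius
#
radius-server template wlan-radius
#
wlan
 security-profile name wlan-net
  security wpa2 dot1x aes
 security-profile name guest-psk
  security wpa-wpa2 psk pass-phrase EXAMPLE-ONLY aes
 operator-domain-profile name wlan-net
  domain-name www.mobileA.com
 operator-domain-profile name guest
 hotspot2-profile name wlan-net
  operator-domain-profile wlan-net
 hotspot2-profile name guest
  operator-domain-profile guest
  nai-realm-profile guest
 vap-profile name wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
  hotspot2-profile wlan-net
 vap-profile name guest-net
  security-profile guest-psk
  hotspot2-profile guest
#
dot1x-access-profile name wlan-net
"""

# Section headers: "<kind> name <name>" or "<kind> template <name>".
HEADER = re.compile(r"^([a-z0-9-]+) (?:name|template) (\S+)$")


def parse_sections(text):
    """Map (kind, name) -> body lines. Indentation is ignored, so listings
    flattened by text extraction parse the same as device output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            current = sections.setdefault((match[1], match[2]), [])
        elif line == "#" or line.startswith("ap-id "):
            current = None  # end of the current section
        elif line and current is not None:
            current.append(line)
    return sections


def ref(body, kind):
    """Name bound by a two-token '<kind> <name>' line in a body, or None."""
    return next((p[1] for p in map(str.split, body)
                 if len(p) == 2 and p[0] == kind), None)


def audit_hotspot_vaps(text):
    """Return findings for every VAP profile that binds a Hotspot2.0 profile."""
    s, findings = parse_sections(text), []
    for (kind, vap), body in s.items():
        hs = ref(body, "hotspot2-profile")
        if kind != "vap-profile" or hs is None:
            continue
        issues = []
        # 1. The bound security profile must carry an 802.1X (dot1x) policy.
        sec = ref(body, "security-profile")
        policy = next((l.split() for l in s.get(("security-profile", sec), [])
                       if l.startswith("security ")), None)
        if policy is None or "dot1x" not in policy:
            shown = " ".join((policy or ["none"])[:3])  # never echo the pass-phrase
            issues.append(f"security-profile {sec}: policy '{shown}' is not dot1x")
        # 2. authentication-profile -> 802.1X access profile and RADIUS template.
        auth = ref(body, "authentication-profile")
        auth_body = s.get(("authentication-profile", auth))
        if auth_body is None:
            issues.append("authentication-profile is not bound or is undefined")
        else:
            for word in ("dot1x-access-profile", "radius-server"):
                if (word, ref(auth_body, word)) not in s:
                    issues.append(f"authentication-profile {auth}: no valid {word}")
        # 3. Bound Hotspot2.0 sub-profiles must exist and (assumed here) be non-empty.
        hs_body = s.get(("hotspot2-profile", hs))
        if hs_body is None:
            issues.append(f"hotspot2-profile {hs} is undefined")
        for p in map(str.split, hs_body or []):
            if len(p) == 2 and p[0].endswith("-profile") and not s.get((p[0], p[1])):
                state = "empty" if (p[0], p[1]) in s else "undefined"
                issues.append(f"hotspot2-profile {hs}: {p[0]} {p[1]} is {state}")
        findings += [f"vap-profile {vap}: {i}" for i in issues]
    return findings


if __name__ == "__main__":
    print("\n".join(audit_hotspot_vaps(SAMPLE_AC_CONFIG)))
```

An empty result means every Hotspot2.0 VAP profile in the file is bound to a dot1x security profile, a complete authentication profile, and defined sub-profiles.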

4.16.3 Example for Configuring Service Holding upon CAPWAP Link Disconnection

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

To improve data transmission reliability, the enterprise requires that data forwarding not be
affected even when the AC is faulty.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: Switch functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 4-69 Networking for configuring service holding upon WLAN CAPWAP link
disconnection

Data Planning

Table 4-74 AC data planning


Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101

DHCP server                     Switch functions as a DHCP server to assign IP addresses to APs and STAs.

IP address pool for APs         10.1.1.3-10.1.1.254/24

IP address pool for STAs        10.1.2.3-10.1.2.254/24

Gateway address for APs         10.1.1.1/24

Gateway address for STAs        10.1.2.1/24

AC source interface             VLANIF 100: 10.1.1.2/24

AP group                        • Name: ap-group1
                                • Referenced profiles: AP system profile ap-system, VAP profile wlan-net,
                                  and regulatory domain profile default

Regulatory domain profile       • Name: default
                                • Country code: China

SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net

Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567

VAP profile                     • Name: wlan-net
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security profile wlan-net

AP system profile               • Name: ap-system
                                • Service holding upon CAPWAP link disconnection: enabled

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure service holding upon CAPWAP link disconnection to improve data
transmission reliability so that data forwarding is not affected even when the AC is
faulty.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Create VLAN 100 (management VLAN) and VLAN 101 (service VLAN) on the switch. Set
the link type of GE0/0/1 that connects the switch to the APs to trunk and PVID of the
interface to 100, and configure the interface to allow packets of VLAN 100 and VLAN 101 to
pass. Set the link type of GE0/0/2 on the switch to trunk, and configure the interface to allow
packets of VLAN 100 to pass.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.1.2.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.1.2.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


# Add GE0/0/1, which connects the AC to the switch, to VLAN 100. Create VLANIF 100 and set
its IP address to 10.1.1.2/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.1.1.2 255.255.255.0
[AC-Vlanif100] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure VLANIF 100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] quit

# Configure VLANIF 101 to use the interface address pool to allocate IP addresses to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC             Name    Group      IP          Type      State  STA  Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360  area_1  ap-group1  10.1.2.254  AP5030DN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the AP system profile ap-system and configure the service holding function.
[AC-wlan-view] ap-system-profile name ap-system
[AC-wlan-ap-system-prof-ap-system] keep-service enable allow new-access
[AC-wlan-ap-system-prof-ap-system] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the AP system profile and VAP profile to the AP group and apply the VAP profile to
radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Verify the configuration.


The WLAN with SSID wlan-net is available for STAs connected to the AP, and these STAs
can connect to the WLAN without authentication. If the AC is powered off, service data
forwarding for wireless users in area A is not affected.

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.1.1.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.1.2.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode direct-forward
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-system-profile name ap-system
  keep-service enable allow new-access
 ap-group name ap-group1
  ap-system-profile ap-system
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return

4.16.4 Example for Configuring Channel Switching Without Service Interruption

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The enterprise requires that WLAN services not be interrupted even when the APs change
their working channels.

Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode: Switch functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding


Figure 4-70 Networking for configuring channel switching without service interruption

Data Planning

Table 4-75 AC data planning

Item                            Data
Management VLAN for APs         VLAN 100
Service VLAN for STAs           VLAN 101
DHCP server                     Switch functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs         10.1.1.3-10.1.1.254/24
IP address pool for STAs        10.1.2.3-10.1.2.254/24
Gateway address for APs         10.1.1.1/24
Gateway address for STAs        10.1.2.1/24
AC's source interface address   VLANIF 100: 10.1.1.2/24
AP group                        • Name: ap-group1
                                • Referenced profiles: 2G radio profile wlan-radio2g, 5G radio profile
                                  wlan-radio5g, VAP profile wlan-net, and regulatory domain profile default
Regulatory domain profile       • Name: default
                                • Country code: China
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security profile wlan-net
2G radio profile                • Name: wlan-radio2g
                                • Channel switch announcement: enabled
                                • Channel switch announcement mode: continue-transmitting
5G radio profile                • Name: wlan-radio5g
                                • Channel switch announcement: enabled
                                • Channel switch announcement mode: continue-transmitting

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure channel switching without service interruption to improve WLAN service
reliability so that services are not interrupted even when APs change their working
channels.


Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch to VLAN 100 and VLAN 101, and GE0/0/3 to VLAN
100. VLAN 100 is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100. Create VLANIF 100 and set its IP address to
10.23.101.2/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.1.1.2 24
[AC-Vlanif100] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# On Switch, configure VLANIF 100 to assign IP addresses to APs.


[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.1.1.2
[Switch-Vlanif100] quit

# On Switch, configure VLANIF 101 to assign IP addresses to STAs.


[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 4 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
MAC addresses of AP1 and AP2 are 60de-4476-e360 and dcd2-fc04-b500, respectively.
Configure names for the APs based on the APs' deployment locations, so that you can know
where the APs are deployed from their names. For example, name AP1 area_1 if it is
deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------------------
ID   MAC             Name    Group      IP          Type      State  STA  Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360  area_1  ap-group1  10.1.1.253  AP5030DN  nor    0    10S
1    dcd2-fc04-b500  area_2  ap-group1  10.1.1.254  AP5030DN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 2

Step 5 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create 2G radio profile wlan-radio2g and 5G radio profile wlan-radio5g. Configure
channel switching without service interruption.
NOTE

The following example configures a 2G radio profile. The configuration of the 5G radio profile is similar.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] undo channel-switch announcement disable
[AC-wlan-radio-2g-prof-wlan-radio2g] channel-switch mode continue-transmitting
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] undo channel-switch announcement disable
[AC-wlan-radio-5g-prof-wlan-radio5g] channel-switch mode continue-transmitting
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the 2G radio profile, 5G radio profile, and VAP profile to the AP group and apply the
VAP profile to radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Verify the configuration.


The WLAN with SSID huawei is available for STAs connected to AP1 and AP2, and these
STAs can connect to the WLAN. When radio calibration for AP1 or AP2 is implemented to
change the channel of AP1 or AP2, service data forwarding for wireless users in Area A is not
affected. Run the display radio all command to view the working channels of all APs.
[AC-wlan-view] display radio all
CH/BW:Channel/Bandwidth
CE:Current EIRP (dBm)
ME:Max EIRP (dBm)
CU:Channel utilization
ST:Status
------------------------------------------------------------------------
AP ID  Name    RfID  Band  Type    ST  CH/BW    CE/ME  STA  CU
------------------------------------------------------------------------
0      area_1  0     2.4G  bgn     on  11/20M   23/23  0    8%
0      area_1  1     5G    an11ac  on  149/20M  23/23  0    7%
1      area_2  0     2.4G  an11ac  on  1/20M    23/23  0    30%
1      area_2  1     5G    an      on  149/20M  23/23  0    21%
------------------------------------------------------------------------
Total:4

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.1.1.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.1.1.2
#
interface Vlanif101
 ip address 10.1.2.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 radio-2g-profile name wlan-radio2g
 radio-5g-profile name wlan-radio5g
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
 ap-id 1 type-id 35 ap-mac dcd2-fc04-b500 ap-sn 210235419610D2000097
  ap-name area_2
  ap-group ap-group1
#
return
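
The Configuration Notes (port isolation on AP-facing interfaces; management VLAN and service VLAN must differ in tunnel forwarding mode) and the security policy bound to each VAP profile can be checked against saved configuration files. The Python script below is an added example, not part of the Huawei document, and it runs on constructed sample configurations that contain deliberate deviations. Assumptions: an AP-facing port is a trunk whose PVID is the management VLAN (as in Step 1), a missing forward-mode line means direct forwarding, a security profile without a security line is open, and the profile name guest is hypothetical.

```python
import re

# Constructed samples modelled on the configuration files above. Deliberate
# deviations: GE0/0/2 lacks port-isolate, VAP profile wlan-net tunnels with
# service VLAN 100, and the hypothetical profile "guest" sets no security policy.
SWITCH_CFG = """\
interface GigabitEthernet0/0/1
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port trunk allow-pass vlan 100
#
"""

AC_CFG = """\
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#CONSTRUCTED%^%# aes
 security-profile name guest
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 100
  security-profile wlan-net
 vap-profile name guest
  service-vlan vlan-id 101
  security-profile guest
#
"""

# Lines that open a block; matching on text rather than indentation also
# accepts configuration files whose leading spaces were lost.
BLOCK_START = re.compile(r"interface \S+|\S+-profile name \S+|ap-group name \S+|ap-id \d+.*")
# Security policies worth reporting (the wording of the notes is this example's own).
NOTES = {"open": "is open", "wpa-wpa2": "also admits first-generation WPA"}


def parse_blocks(cfg):
    """Return {block header: [stripped lines of that block]}."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line in ("", "#", "return", "wlan"):
            current = None
        elif BLOCK_START.fullmatch(line):
            current = blocks.setdefault(line, [])
        elif current is not None:
            current.append(line)
    return blocks


def management_vlan(ac_cfg):
    """Take the management VLAN from the AC's CAPWAP source VLANIF."""
    m = re.search(r"^\s*capwap source interface vlanif\s*(\d+)\s*$", ac_cfg, re.I | re.M)
    return int(m.group(1)) if m else None


def audit_switch(switch_cfg, mgmt_vlan):
    """Flag AP-facing trunks (assumed: PVID = management VLAN) without port isolation."""
    findings = []
    for header, lines in parse_blocks(switch_cfg).items():
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in lines
        isolated = any(l.startswith("port-isolate enable") for l in lines)
        if header.startswith("interface ") and ap_facing and not isolated:
            findings.append((header.split()[1], "AP-facing port without port-isolate enable"))
    return findings


def audit_ac(ac_cfg):
    """Check each VAP profile's forwarding mode, service VLAN and security policy."""
    blocks, mgmt, findings = parse_blocks(ac_cfg), management_vlan(ac_cfg), []
    for header, lines in blocks.items():
        if not header.startswith("vap-profile name "):
            continue
        vap = header.split()[-1]
        opts = dict(l.split(None, 1) for l in lines if " " in l)
        mode = opts.get("forward-mode", "direct-forward")  # assumed default
        svc = opts.get("service-vlan", "").replace("vlan-id", "").strip()
        if mode == "tunnel" and svc == str(mgmt):
            findings.append((vap, f"tunnel forwarding with service VLAN = management VLAN {mgmt}"))
        sec = opts.get("security-profile")
        if sec:
            sec_lines = blocks.get(f"security-profile name {sec}", [])
            # Assumption: a profile without a "security" line is an open network.
            policy = next((l.split()[1] for l in sec_lines if l.startswith("security ")), "open")
            if policy in NOTES:
                findings.append((vap, f"security profile {sec} {NOTES[policy]}"))
    return findings


if __name__ == "__main__":
    print(audit_switch(SWITCH_CFG, management_vlan(AC_CFG)) + audit_ac(AC_CFG))
```

Because the parser keys on block headers rather than leading spaces, it accepts both indented configuration files and files whose indentation was stripped.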

4.16.5 Example for Configuring an AP to Go Online Using a Static IP Address

Service Requirements
Administrators need to configure static IP addresses for APs so that the APs can discover an
AC. When the APs are authenticated by the AC, the APs go online properly on the AC.

Networking Requirements
AC networking mode: Layer 2 networking (AP goes online using a static IP address.)

Figure 4-71 Networking for configuring an AP to go online using a static IP address

Data Planning

Table 4-76 AC data planning


Item                            Data
Management VLAN for APs         VLAN 100
AC's source interface address   10.23.100.1/24
AP's static IP address          10.23.100.100/24
AP group                        Name: ap-group1

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
d. Configure static IP addresses for the APs and enable the APs to go online.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch to VLAN 100. VLAN 100 is the default VLAN of
GE0/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100. Create VLANIF 100 and set its IP address to
10.23.100.1/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 3 Configure an AP to go online.


# Set the AP's static IP address to 10.23.100.100/24.
[AC] wlan
[AC-wlan-view] provision-ap
[AC-wlan-provision-ap] address-mode static
[AC-wlan-provision-ap] ip-address 10.23.100.100 24
[AC-wlan-provision-ap] quit

# Create an AP group to which the APs with the same configuration can be added.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC             Name    Group      IP             Type      State  STA  Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360  area_1  ap-group1  10.23.100.100  AP5030DN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 1

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 regulatory-domain-profile name default
 ap-group name ap-group1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
 provision-ap
  address-mode static
  ip-address 10.23.100.100 255.255.255.0
#
return

4.16.6 Example for Configuring the Soft GRE Service

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A wired network has been deployed in an area. To provide more convenient network
access services, administrators need to deploy a wireless network in this area. To facilitate the
unified management of wired and wireless users, administrators also need to use the existing
wired access gateway ME60 for authentication and accounting of wireless users.

Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
  – The ME60 functions as a DHCP server to assign IP addresses to STAs.
  – Switch functions as a DHCP server to assign IP addresses to APs.
• Service data forwarding mode: soft GRE forwarding

Figure 4-72 Networking for configuring the soft GRE service

Data Planning

Table 4-77 AC data planning

Item                                      Data
----------------------------------------  ----------------------------------------
Switch data planning
DHCP server                               Switch functions as a DHCP server to assign IP addresses to APs.
IP address pool for APs                   10.23.100.3-10.23.100.254/24

AC data planning
AC's source interface address             VLANIF 100: 10.23.100.1/24
AP group                                  • Name: ap-group1
                                          • Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile                 • Name: default
                                          • Country code: China
SSID profile                              • Name: wlan-net
                                          • SSID name: wlan-net
Security profile                          • Name: wlan-net
                                          • Security policy: open
Soft GRE profile                          • Name: wlan-soft
                                          • Destination address of the soft GRE tunnel: 10.23.200.1
VAP profile                               • Name: wlan-net
                                          • Forwarding mode: soft GRE forwarding
                                          • Service VLAN: VLAN 101
                                          • Referenced profiles: SSID profile wlan-net, security profile wlan-net, and soft GRE profile wlan-soft

ME60 data planning
DHCP server                               The ME60 functions as a DHCP server to assign IP addresses to STAs.
IP address pool for STAs                  10.23.101.2-10.23.101.254/24
VE interface for soft GRE                 Virtual-Ethernet2/0/0
Soft GRE group                            • Name: group1
                                          • Virtual-Ethernet2/0/0 is referenced.
Destination address of the soft GRE       • Name: Loopback 1
tunnel                                    • IP address: 10.23.200.1/24
                                          • The soft GRE group group1 is referenced.
RADIUS server parameters                  • Server group: radius1
                                          • Server IP address: 172.168.20.1
                                          • Authentication port number: 1812
                                          • Accounting port number: 1813
                                          • Shared key: 123456
                                          • RADIUS accounting scheme: radius
                                          • RADIUS authentication scheme: radius
                                          • Domain: aaadomain1

Configuration Roadmap
1. Configure network interworking of the APs, AC, Switch, and ME60.
2. Configure Switch and ME60 to function as DHCP servers to assign IP addresses to APs
and STAs, respectively.
3. Configure the ME60, soft GRE tunnel, and authentication and accounting functions.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
5. Configure WLAN service parameters.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
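
One way to check saved configurations against the port isolation and tunnel forwarding notes above (an added example, not Huawei tooling). The sample configurations, interface GE0/0/4 and the VAP profiles guest and office are constructed; treating a port whose PVID is the management VLAN as AP-facing, and direct forwarding as the mode when no forward-mode line is saved, are assumptions.

```python
import re

def parse_blocks(cfg):
    """Split a saved VRP configuration into blocks delimited by '#' lines."""
    blocks, cur = [], []
    for line in cfg.splitlines():
        if line.strip() == "#":
            if cur:
                blocks.append(cur)
            cur = []
        elif line.strip():
            cur.append(line.rstrip())
    if cur:
        blocks.append(cur)
    return blocks

def unisolated_ap_ports(switch_cfg, mgmt_vlan):
    """Return AP-facing interfaces that lack 'port-isolate enable'.

    Assumption: an interface is AP-facing when its PVID is the management VLAN.
    """
    findings = []
    for block in parse_blocks(switch_cfg):
        head, body = block[0].strip(), [l.strip() for l in block[1:]]
        if not head.startswith("interface "):
            continue
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in body
        isolated = any(l.startswith("port-isolate enable") for l in body)
        if ap_facing and not isolated:
            findings.append(head.split(None, 1)[1])
    return findings

def management_vlan(ac_cfg):
    """Read the management VLAN from 'capwap source interface vlanifN'."""
    m = re.search(r"^capwap source interface vlanif\s*(\d+)\s*$", ac_cfg, re.M | re.I)
    return int(m.group(1)) if m else None

def vap_profiles(ac_cfg):
    """Map each VAP profile name to its forwarding mode and service VLAN."""
    profiles, cur = {}, None
    for block in parse_blocks(ac_cfg):
        if block[0].strip() != "wlan":
            continue
        for line in block[1:]:
            indent, text = len(line) - len(line.lstrip()), line.strip()
            if indent == 1:  # a new object directly under the wlan view
                m = re.match(r"vap-profile name (\S+)$", text)
                cur = None
                if m:
                    # Assumption: no saved forward-mode line means direct forwarding.
                    cur = profiles.setdefault(m.group(1), {"mode": "direct-forward", "vlan": None})
            elif cur is not None:
                if text.startswith("forward-mode "):
                    cur["mode"] = text.split()[1]
                else:
                    m = re.match(r"service-vlan vlan-id (\d+)$", text)
                    if m:
                        cur["vlan"] = int(m.group(1))
    return profiles

def tunnel_vlan_conflicts(ac_cfg):
    """Return tunnel-forwarding VAP profiles whose service VLAN is the management VLAN."""
    mgmt = management_vlan(ac_cfg)
    if mgmt is None:
        return []
    return sorted(name for name, p in vap_profiles(ac_cfg).items()
                  if p["mode"] == "tunnel" and p["vlan"] == mgmt)

# Constructed Switch configuration: GE0/0/4 is an AP-facing port without isolation.
SWITCH_CFG = """\
#
sysname Switch
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
return
"""

# Constructed AC configuration: profile guest tunnels the management VLAN.
AC_CFG = """\
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-net
  forward-mode softgre wlan-soft
  service-vlan vlan-id 101
 vap-profile name guest
  forward-mode tunnel
  service-vlan vlan-id 100
 vap-profile name office
  forward-mode tunnel
  service-vlan vlan-id 101
#
return
"""

if __name__ == "__main__":
    print("AP-facing ports without isolation:", unisolated_ap_ports(SWITCH_CFG, 100))
    print("Tunnel profiles on the management VLAN:", tunnel_vlan_conflicts(AC_CFG))
```
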

Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1 to VLAN 100 and VLAN 101, GE0/0/2 to VLAN 100, and
GE0/0/3 to VLAN 199. Set the PVIDs of GE0/0/1 and GE0/0/3 to VLAN 100 and VLAN
199, respectively. Create VLANIF 199 and set its IP address to 10.23.199.2/24.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101 199
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 199
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 199
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface vlanif 199
[Switch-Vlanif199] ip address 10.23.199.2 24
[Switch-Vlanif199] quit

# On the ME60, set the IP address of GE2/0/0 to 10.23.199.1/24, and configure a route to
10.23.100.0/24.
<HUAWEI> system-view
[HUAWEI] sysname ME60
[ME60] interface gigabitethernet 2/0/0
[ME60-GigabitEthernet2/0/0] ip address 10.23.199.1 24
[ME60-GigabitEthernet2/0/0] quit
[ME60] ip route-static 10.23.100.0 24 10.23.199.2

Step 2 Configure the AC to communicate with the network devices.


# On the AC, add GE0/0/1 to VLAN 100 (management VLAN). Create VLANIF 100 and set
its IP address to 10.23.100.1/24.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# Configure Switch as a DHCP server to assign IP addresses to APs, and configure a route to
10.23.200.0/24.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.2 24
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.1
[Switch-Vlanif100] quit
[Switch] ip route-static 10.23.200.0 24 10.23.199.1

# Configure the ME60 as a DHCP server to assign IP addresses to STAs.


[ME60] dhcp enable
[ME60] ip pool sta-pool bas local
[ME60-ip-pool-sta-pool] gateway 10.23.101.1 24
[ME60-ip-pool-sta-pool] section 1 10.23.101.3 10.23.101.254
[ME60-ip-pool-sta-pool] option 43 ip 10.23.101.1
[ME60-ip-pool-sta-pool] quit

Step 4 Configure the soft GRE tunnel on the ME60.


# Create a VE interface to support soft GRE.
[ME60] interface virtual-ethernet 2/0/0
[ME60-Virtual-Ethernet2/0/0] soft-gre enable
[ME60-Virtual-Ethernet2/0/0] quit

# Create a soft GRE group.


[ME60] soft-gre group group1
[ME60-softgre-group-group1] master virtual-ethernet 2/0/0
[ME60-softgre-group-group1] quit

# Configure an IP address for the loopback interface and bind the soft GRE group to it.
[ME60] interface loopback 1
[ME60-LoopBack1] ip address 10.23.200.1 255.255.255.0
[ME60-LoopBack1] binding soft-gre group group1
[ME60-LoopBack1] quit

Step 5 Configure RADIUS authentication and accounting on the ME60.


# Configure a RADIUS server profile, an AAA authentication and accounting scheme, and
domain information.
[ME60] radius-server group radius1
[ME60-radius-radius1] radius-server authentication 172.168.20.1 1812
[ME60-radius-radius1] radius-server accounting 172.168.20.1 1813
[ME60-radius-radius1] radius-server shared-key 123456
[ME60-radius-radius1] quit
[ME60] aaa
[ME60-aaa] authentication-scheme radius
[ME60-aaa-authen-radius] authentication-mode radius
[ME60-aaa-authen-radius] quit
[ME60-aaa] accounting-scheme radius
[ME60-aaa-accounting-radius] accounting-mode radius
[ME60-aaa-accounting-radius] quit
[ME60-aaa] domain aaadomain1
[ME60-aaa-domain-aaadomain1] ip-pool sta-pool
[ME60-aaa-domain-aaadomain1] authentication-scheme radius
[ME60-aaa-domain-aaadomain1] accounting-scheme radius
[ME60-aaa-domain-aaadomain1] radius-server group radius1
[ME60-aaa-domain-aaadomain1] quit
[ME60-aaa] quit

Step 6 Configure the BAS interface on the ME60.


# Create a BAS interface and configure the BAS interface type and authentication mode.
Configure the user VLAN and service VLAN as the same VLAN.
[ME60] interface virtual-ethernet 2/0/0.1
[ME60-Virtual-Ethernet2/0/0.1] user-vlan 101
[ME60-Virtual-Ethernet2/0/0.1-vlan-101-101] bas
[ME60-Virtual-Ethernet2/0/0.1-bas] access-type layer2-subscriber default-domain authentication aaadomain1
[ME60-Virtual-Ethernet2/0/0.1-bas] authentication-method bind

Step 7 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 8 Configure WLAN service parameters.

# Create security profile wlan-net and use the default security policy in the profile.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create soft GRE profile wlan-soft and set the soft GRE profile parameters.
[AC-wlan-view] softgre-profile name wlan-soft
[AC-wlan-softgre-prof-wlan-soft] destination ip-address 10.23.200.1
[AC-wlan-softgre-prof-wlan-soft] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode softgre wlan-soft
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 9 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 10 Verify the configuration.

The AC automatically delivers WLAN service configuration to the AP. After the
configuration is complete, run the display vap ssid wlan-net command. If the Status field is
displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON open 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON open 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net. Run the display station ssid wlan-net
command on the AC. The command output shows that the STAs are connected to the WLAN
wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101 199
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.1
#
interface Vlanif199
ip address 10.23.199.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 199
port trunk allow-pass vlan 199
#
ip route-static 10.23.200.0 255.255.255.0 10.23.199.1
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
softgre-profile name wlan-soft
destination ip-address 10.23.200.1
vap-profile name wlan-net
forward-mode softgre wlan-soft
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return

• ME60 configuration file
#
sysname ME60
#
vlan batch 101
#
radius-server group radius1
radius-server authentication 172.168.20.1 1812 weight 0
radius-server accounting 172.168.20.1 1813 weight 0
radius-server shared-key 123456
#
ip pool sta-pool bas local
gateway 10.23.101.1 255.255.255.0
section 1 10.23.101.3 10.23.101.254
option 43 ip 10.23.101.1
#
aaa
authentication-scheme radius
#
accounting-scheme radius
#
domain aaadomain1
authentication-scheme radius
accounting-scheme radius
ip-pool sta-pool
radius-server group radius1
#
#
interface GigabitEthernet2/0/0
undo shutdown
ip address 10.23.199.1 255.255.255.0
#
interface Virtual-Ethernet2/0/0
soft-gre enable
#
interface Virtual-Ethernet2/0/0.1
user-vlan 101
bas
#
access-type layer2-subscriber default-domain authentication aaadomain1
authentication-method bind
#
#
interface LoopBack1
ip address 10.23.200.1 255.255.255.0
binding soft-gre group group1
#
soft-gre group group1
master Virtual-Ethernet2/0/0
#
ip route-static 10.23.100.0 255.255.255.0 10.23.199.2
#
return

4.16.7 Example for Configuring the WLAN BYOD Service


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
To improve work efficiency, enterprises allow employees to access the enterprise intranet
through the WLAN using their own STAs. Only the STAs of the huawei type are allowed to
access the enterprise intranet to ensure network security.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-73 Networking for configuring the WLAN BYOD service

Data Planning

Table 4-78 AC data planning

Item                                      Data
----------------------------------------  ----------------------------------------
Management VLAN for APs                   VLAN 100
Service VLAN for STAs                     VLAN 101
DHCP server                               The AC functions as a DHCP server to assign IP addresses to APs.
                                          SwitchB functions as a DHCP server to assign IP addresses to STAs. The
                                          default gateway address of STAs is 10.23.101.2.
IP address pool for APs                   10.23.100.2-10.23.100.254/24
IP address pool for STAs                  10.23.101.3-10.23.101.254/24
AC's source interface address             VLANIF 100: 10.23.100.1/24
AP group                                  • Name: ap-group1
                                          • Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile                 • Name: default
                                          • Country code: China
SSID profile                              • Name: wlan-net
                                          • SSID name: wlan-net
Security profile                          • Name: wlan-net
                                          • Security policy: open system authentication
VAP profile                               • Name: wlan-net
                                          • Forwarding mode: tunnel forwarding
                                          • Service VLAN: VLAN 101
                                          • Referenced profiles: SSID profile wlan-net and security profile wlan-net
Authentication scheme                     • Name: abc
                                          • Authentication mode: local
AAA domain                                • Name: huawei.com
                                          • Pushed URL: www.login.com
                                          • Referenced domain: authentication scheme abc
User                                      • User name: test
                                          • Password: admin@12345
                                          • User level: 3
                                          • Access type: 802.1x
                                          • STA type allowed to connect to the network: huawei
Terminal type identification profile      • Name: huawei
                                          • Terminal type: huawei
802.1x access profile                     • Name: wlan-dot1x
                                          • Authentication mode: CHAP
Authentication profile                    • Name: wlan-authentication
                                          • Referenced domain and profile: AAA domain huawei.com and 802.1x
                                            access profile wlan-dot1x

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure local authentication and authorization for 802.1x users.
3. Configure the URL push function so that the first web request from an authenticated user
is redirected to a specified web page.
4. Configure the terminal type identification function to allow only the STAs of the huawei
type to connect to the wireless network.
5. Configure an 802.1x access profile to manage 802.1x access control parameters.
6. Configure an authentication profile and bind the AAA domain and 802.1x access profile
to the authentication profile.
7. Bind the authentication profile to a VAP profile to control access from STAs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 101.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure local authentication and authorization for 802.1x users.

# Create an AAA scheme abc and set the authentication mode to local.
[AC-wlan-view] quit
[AC] aaa
[AC-aaa] authentication-scheme abc
[AC-aaa-authen-abc] authentication-mode local
[AC-aaa-authen-abc] quit

# Create the AAA domain huawei.com and apply the AAA authentication scheme abc to the
domain.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme abc
[AC-aaa-domain-huawei.com] quit

# Create a local user test, and set the user password to admin@12345, user level to 3, service
type to 8021x, and allowed terminal type to huawei.
[AC-aaa] local-user test password cipher admin@12345 privilege level 3
[AC-aaa] local-user test service-type 8021x
[AC-aaa] local-user test device-type huawei

Step 6 Configure the URL push function.

# Configure the URL push function to specify the web page that an authenticated user must
access when the user connects to the network for the first time. After this function is
configured, the AC can obtain the UA field from the HTTP Get packet sent by the terminal.

NOTE

Ensure that the user client has a reachable route to the DNS server on the network so that domain name
resolution can be implemented. Ensure that the user client has a reachable route to the network segment
of the IP address corresponding to the domain name www.login.com so that the URL push function can
be implemented.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] force-push url www.login.com
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

Step 7 Configure the terminal type identification function.

# Enable the terminal type awareness function.


[AC] device-sensor dhcp option 12 55 60

# Enable user agent (UA) parsing so that the AC can obtain the UA field from the HTTP Get
packet sent by the terminal and send it to the terminal type identification module.
[AC] http parse user-agent enable

# Create the terminal type identification profile huawei and configure identification rules 0 to
4 in the profile.

Rules 0 to 2 match the Option 12, Option 55, and Option 60 information in DHCP packets from
terminals. Rule 3 matches vendor OUI information. Rule 4 matches user agent (UA) information
in HTTP packets from terminals. If terminal information matches any of the rules, the terminal
type identifier huawei is set for the terminal.
[AC] device-profile profile-name huawei
[AC-device-profile-huawei] device-type huawei
[AC-device-profile-huawei] rule 0 dhcp-option 12 sub-match ascii android-9f09b5dc88a64c37
[AC-device-profile-huawei] rule 1 dhcp-option 55 sub-match ascii \001!\003\006\017\0343:;
[AC-device-profile-huawei] rule 2 dhcp-option 60 sub-match ascii dhcpcd-5.2.10
[AC-device-profile-huawei] rule 3 mac fcff-ffff-ffff mask 8
[AC-device-profile-huawei] rule 4 user-agent sub-match Mozille/5.0 (Linux; U; Android 4.1.2; zh-CN; ZTE U956 Build/JZ054K) AppleWebKit/534.31 (KHTNL, like Gecko) UCBrowser/8.8.3.276 U3/0.8.8 Moblie Sofari/534.31
[AC-device-profile-huawei] if-match rule 0 or rule 1 or rule 2 or rule 3 or rule 4
[AC-device-profile-huawei] enable
[AC-device-profile-huawei] quit
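
The rule logic of device profile huawei, evaluated offline against sample terminals, as an added example (it is not Huawei's implementation). It assumes that sub-match is a substring match, that mask 8 compares the first 8 bits of the MAC address, and that the backslash sequences in rule 1 are octal escapes; the function names and the three sample terminals are constructed.

```python
import re
from dataclasses import dataclass, field

# Rule values copied from device profile "huawei" on this page.
# Each entry: rule id -> (kind, selector, value).
RULES = {
    0: ("dhcp-option", 12, "android-9f09b5dc88a64c37"),
    1: ("dhcp-option", 55, r"\001!\003\006\017\0343:;"),
    2: ("dhcp-option", 60, "dhcpcd-5.2.10"),
    3: ("mac", "fcff-ffff-ffff", 8),  # selector = address, value = mask length
    4: ("user-agent", None,
        "Mozille/5.0 (Linux; U; Android 4.1.2; zh-CN; ZTE U956 Build/JZ054K) "
        "AppleWebKit/534.31 (KHTNL, like Gecko) UCBrowser/8.8.3.276 "
        "U3/0.8.8 Moblie Sofari/534.31"),
}
DEVICE_TYPE = "huawei"


def unescape_octal(text: str) -> bytes:
    r"""Decode \NNN octal escapes to raw bytes (assumed meaning of the CLI notation)."""
    decoded = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)
    return decoded.encode("latin-1")


def decode_option55(rule_text: str) -> list:
    """Option 55 is the DHCP parameter request list: one option code per byte."""
    return list(unescape_octal(rule_text))


def mac_to_int(mac: str) -> int:
    return int(re.sub(r"[^0-9a-fA-F]", "", mac), 16)


def mac_prefix_match(mac: str, rule_mac: str, mask_bits: int) -> bool:
    """Compare only the leading mask_bits of the two 48-bit addresses (assumption)."""
    shift = 48 - mask_bits
    return mac_to_int(mac) >> shift == mac_to_int(rule_mac) >> shift


@dataclass
class Terminal:
    mac: str
    dhcp_options: dict = field(default_factory=dict)  # option number -> raw bytes
    user_agent: str = ""


def matched_rules(t: Terminal) -> list:
    """Return the ids of all rules the terminal's attributes satisfy."""
    hits = []
    for rule_id, (kind, selector, value) in sorted(RULES.items()):
        if kind == "dhcp-option":
            ok = unescape_octal(value) in t.dhcp_options.get(selector, b"")
        elif kind == "mac":
            ok = mac_prefix_match(t.mac, selector, value)
        else:
            ok = bool(t.user_agent) and value in t.user_agent
        if ok:
            hits.append(rule_id)
    return hits


def device_type(t: Terminal):
    """if-match rule 0 or rule 1 or rule 2 or rule 3 or rule 4: any hit assigns the type."""
    return DEVICE_TYPE if matched_rules(t) else None


# Constructed sample terminals, not captured traffic.
SAMPLES = {
    "android_dhcpcd": Terminal(
        mac="0012-3456-789a",
        dhcp_options={12: b"android-9f09b5dc88a64c37",
                      55: bytes([1, 33, 3, 6, 15, 28, 51, 58, 59]),
                      60: b"dhcpcd-5.2.10"}),
    "fc_prefix_only": Terminal(
        mac="fc01-0203-0405",
        dhcp_options={12: b"printer-7", 55: bytes([1, 3, 6]), 60: b"udhcp 1.20"}),
    "windows_laptop": Terminal(
        mac="0011-2233-4455",
        dhcp_options={12: b"laptop-01", 55: bytes([1, 3, 6, 15, 31, 33]), 60: b"MSFT 5.0"},
        user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
}

if __name__ == "__main__":
    print("rule 1 requests DHCP options:", decode_option55(RULES[1][2]))
    for name, terminal in SAMPLES.items():
        print(f"{name}: rules {matched_rules(terminal)} -> type {device_type(terminal)}")
```

Because the profile joins the rules with or, the fc_prefix_only sample receives the type through rule 3 alone; check that this breadth is intended when reviewing a profile that gates authentication on device-type.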

Step 8 Configure an 802.1x access profile to manage 802.1x access control parameters.

# Create the 802.1x access profile wlan-dot1x.


[AC] dot1x-access-profile name wlan-dot1x

# Set the authentication mode for 802.1x users to CHAP.


[AC-dot1x-access-profile-wlan-dot1x] dot1x authentication-method chap
[AC-dot1x-access-profile-wlan-dot1x] quit

Step 9 Create the authentication profile wlan-authentication, set the default user domain, configure
authentication in the domain huawei.com for STAs, and bind the 802.1x access profile to the
authentication profile.
[AC] authentication-profile name wlan-authentication
[AC-authentication-profile-wlan-authentication] access-domain huawei.com dot1x
[AC-authentication-profile-wlan-authentication] dot1x-access-profile wlan-dot1x
[AC-authentication-profile-wlan-authentication] quit

Step 10 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy to open in the profile. By
default, the security policy is open.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs, and
bind the security profile, authentication profile, and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-authentication
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and bind the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 11 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 12 Verify the configuration.

The WLAN with the SSID wlan-net is available for STAs after the configuration is complete.


• If a STA of the Huawei type has client software that supports CHAP installed, the STA is
  authenticated and connects to the WLAN after the correct user name and password are entered.
• If a STA of a non-Huawei type has client software that supports CHAP installed, the STA
  cannot be authenticated even if the correct user name and password are entered.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-authentication
 dot1x-access-profile wlan-dot1x
 access-domain huawei.com dot1x
#
dot1x-access-profile name wlan-dot1x
 dot1x authentication-method chap
#
dhcp enable
#
aaa
 authentication-scheme abc
 domain huawei.com
  authentication-scheme abc
  force-push url www.login.com
 local-user test password cipher %^%#M-CoTf@-h8}}_tK[!rXHKH9p*BGV@3y,i]Fcjh9Q%^%#
 local-user test privilege level 3
 local-user test device-type huawei
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-authentication
 regulatory-domain-profile name default
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
device-profile profile-name huawei
 device-type huawei
 enable
 rule 0 dhcp-option 12 sub-match ascii android-9f09b5dc88a64c37
 rule 1 dhcp-option 55 sub-match ascii \001!\003\006\017\0343:;
 rule 2 dhcp-option 60 sub-match ascii dhcpcd-5.2.10
 rule 3 mac fcff-ffff-ffff mask 8
 rule 4 user-agent sub-match Mozille/5.0 (Linux; U; Android 4.1.2; zh-CN; ZTE U956 Build/JZ054K) AppleWebKit/534.31 (KHTNL, like Gecko) UCBrowser/8.8.3.276 U3/0.8.8 Moblie Sofari/534.31
 if-match rule 0 or rule 1 or rule 2 or rule 3 or rule 4
#
return

4.16.8 Example for Configuring the Bonjour Gateway


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
Departments 1 and 2 belong to VLAN 101 and VLAN 102 respectively, and each department
has a Bonjour-compliant printer. The enterprise requires that the Apple terminals discover
services provided by all printers in the enterprise using Bonjour.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding


Figure 4-74 Networking for configuring the Bonjour gateway

Data Planning

Table 4-79 AC data planning


Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101, VLAN 102

DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                SwitchB (aggregation switch) functions as a DHCP server to assign
                                IP addresses to STAs. The default gateway addresses for STAs in
                                Department 1 and 2 are 10.23.101.2 and 10.23.102.2, respectively.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for STAs        10.23.101.4-10.23.101.254/24
                                10.23.102.4-10.23.102.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net1, regulatory domain
                                  profile default, 2G radio profile wlan-radio2g, and 5G radio
                                  profile wlan-radio5g
                                • Name: ap-group2
                                • Referenced profiles: VAP profile wlan-net2, regulatory domain
                                  profile default, 2G radio profile wlan-radio2g, and 5G radio
                                  profile wlan-radio5g

Regulatory domain profile       • Name: default
                                • Country code: China
                                • Calibration channel set: calibration bandwidth and channels
                                  for 2.4 GHz and 5 GHz radios

SSID profile                    • Name: wlan-net1
                                • SSID name: wlan-net1

Security profile                • Name: wlan-net1
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567

VAP profile                     • Name: wlan-net1
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net1 and security
                                  profile wlan-net1
                                • Name: wlan-net2
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 102
                                • Referenced profiles: SSID profile wlan-net1 and security
                                  profile wlan-net1

Air scan profile                • Name: wlan-airscan
                                • Probe channel set: calibration channels
                                • Air scan interval: 60000 ms
                                • Air scan period: 60 ms

RRM profile                     • Name: wlan-rrm
                                • Automatic channel calibration: enabled
                                • Automatic power calibration: enabled

2G radio profile                • Name: wlan-radio2g
                                • Referenced profiles: air scan profile wlan-airscan and RRM
                                  profile wlan-rrm

5G radio profile                • Name: wlan-radio5g
                                • Referenced profiles: air scan profile wlan-airscan and RRM
                                  profile wlan-rrm

Parameters for the Bonjour      • VLAN 101:
gateway                           – Service discovery interval: 100
                                  – Source IP address for sending mDNS requests: IP address of
                                    VLANIF 101 on the AC (10.23.101.3/24)
                                • VLAN 102:
                                  – Service discovery interval: 100
                                  – Source IP address for sending mDNS requests: IP address of
                                    VLANIF 102 on the AC (10.23.102.3/24)

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure the Bonjour gateway on the AC to allow service discovery across VLANs.
NOTE

If mobile terminals with Apple iOS V6.0 or later dynamically obtain IP addresses using DHCP, run the
dns-list command in the global address pool view or the dhcp server dns-list command in the
interface address pool view to configure the DNS server IP address.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA (access switch) to VLAN 100. The
default VLAN of GE0/0/1 and GE0/0/3 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit


# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101 and VLAN 102.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit

# On the router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and
VLANIF 102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and VLANIF 102 to
10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100, VLAN 101 and VLAN 102.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC as a DHCP server to assign IP addresses to APs.


# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# Configure VLANIF 101 and VLANIF 102 on SwitchB to assign IP addresses to STAs, and
specify 10.23.101.2 and 10.23.102.2 as the default gateway addresses for STAs in Department
1 and 2, respectively.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server excluded-ip-address 10.23.101.3
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] dhcp server excluded-ip-address 10.23.102.3
[SwitchB-Vlanif102] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import APs offline on the AC and add authorized APs to AP group ap-group1 and monitor
APs to AP group ap-group2. Configure names for the APs based on the APs' deployment
location, so that you can know where the APs are located by name. For example, if the AP
with MAC address 60de-4476-e360 is deployed in area 1, name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit


# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [2]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.253 AP5030DN nor   0   10S
1    dcd2-fc04-b500 area_2 ap-group2 10.23.100.254 AP5030DN nor   0   15S
-------------------------------------------------------------------------------------
Total: 2

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net1 and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net1
[AC-wlan-sec-prof-wlan-net1] security wpa-wpa2 psk pass-phrase a1234567 aes
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-sec-prof-wlan-net1] quit

# Create SSID profile wlan-net1 and set the SSID name to wlan-net1.
[AC-wlan-view] ssid-profile name wlan-net1
[AC-wlan-ssid-prof-wlan-net1] ssid wlan-net1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net1] quit

# Create VAP profile wlan-net1, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net1
[AC-wlan-vap-prof-wlan-net1] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net1] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net1] security-profile wlan-net1
[AC-wlan-vap-prof-wlan-net1] ssid-profile wlan-net1
[AC-wlan-vap-prof-wlan-net1] quit

# Create VAP profile wlan-net2, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net2
[AC-wlan-vap-prof-wlan-net2] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net2] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-net2] security-profile wlan-net1
[AC-wlan-vap-prof-wlan-net2] ssid-profile wlan-net1
[AC-wlan-vap-prof-wlan-net2] quit

# Bind VAP profile wlan-net1 to AP group ap-group1.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

# Bind VAP profile wlan-net2 to AP group ap-group2.


[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-net2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-net2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] quit

Step 6 Set channels and power for the AP radios.


# Create the RRM profile wlan-rrm and enable automatic channel selection and automatic
transmit power selection in the RRM profile. By default, automatic channel selection and
automatic transmit power selection are enabled.
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] undo calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-rrm] undo calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-rrm] quit

# Configure a calibration channel set in the regulatory domain profile.


[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] dca-channel 2.4g channel-set 1,6,11
[AC-wlan-regulate-domain-default] dca-channel 5g bandwidth 20mhz
[AC-wlan-regulate-domain-default] dca-channel 5g channel-set 149,153,157,161
[AC-wlan-regulate-domain-default] quit

# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set dca-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 60
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 60000
[AC-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm and air scan
profile wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group2.
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] radio-5g-profile wlan-radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group2] quit

# Set the radio calibration mode to manual and trigger radio calibration.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup


# Radio calibration stops one hour after the radio calibration is manually triggered. Set the
radio calibration mode to scheduled. Configure the APs to perform radio calibration in off-
peak hours, for example, between 00:00 am and 06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00


Step 7 Configure the Bonjour gateway function on the AC.


# Enable the Bonjour gateway function.
[AC-wlan-view] quit
[AC] mdns gateway enable

# Set the service discovery interval. Configure the IP addresses of VLANIF 101 and VLANIF
102 as the source IP addresses for sending mDNS requests.
[AC] vlan 101
[AC-vlan101] mdns probe interval 100
[AC-vlan101] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.3 24
[AC-Vlanif101] quit
[AC] vlan 102
[AC-vlan102] mdns probe interval 100
[AC-vlan102] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.3 24
[AC-Vlanif102] quit

Step 8 Verify the configuration.


Printers and Apple terminals can detect the WLAN with SSID wlan-net.
You can find the print service in VLAN 101 and VLAN 102 on the Apple terminals.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
 dhcp server excluded-ip-address 10.23.101.3
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.102.2
 dhcp server excluded-ip-address 10.23.102.3
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
return

• AC configuration file
#
sysname AC
#
mdns gateway enable
#
vlan batch 100 to 102
#
dhcp enable
#
vlan 101
 mdns probe interval 100
#
vlan 102
 mdns probe interval 100
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.3 255.255.255.0
#
interface Vlanif102
 ip address 10.23.102.3 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 102
#
capwap source interface vlanif100
#
wlan
 calibrate enable schedule time 03:00:00
 security-profile name wlan-net1
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net1
  ssid wlan-net1
 vap-profile name wlan-net1
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net1
  security-profile wlan-net1
 vap-profile name wlan-net2
  forward-mode tunnel
  service-vlan vlan-id 102
  ssid-profile wlan-net1
  security-profile wlan-net1
 regulatory-domain-profile name default
  dca-channel 5g channel-set 149,153,157,161
 air-scan-profile name wlan-airscan
  scan-channel-set dca-channel
 rrm-profile name wlan-rrm
 radio-2g-profile name wlan-radio2g
  rrm-profile wlan-rrm
  air-scan-profile wlan-airscan
 radio-5g-profile name wlan-radio5g
  rrm-profile wlan-rrm
  air-scan-profile wlan-airscan
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net1 wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net1 wlan 1
 ap-group name ap-group2
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net2 wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-net2 wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
 ap-id 1 type-id 35 ap-mac dcd2-fc04-b500 ap-sn 210235419610D2000097
  ap-name area_2
  ap-group ap-group2
#
return
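
A consistency check for the addressing that Step 3 and Step 7 of this example depend on, as an added example (it is not part of the Huawei document or tooling): for every VLAN where the AC runs mDNS probing, the AC's VLANIF address must sit in the DHCP server's subnet, be excluded from the STA pool, and not collide with the gateway. The embedded stanzas are constructed from the SwitchB and AC configuration files above; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed inputs: the relevant stanzas of the SwitchB and AC configuration
# files shown on this page.
SWITCHB_CFG = """\
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
 dhcp server excluded-ip-address 10.23.101.3
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.102.2
 dhcp server excluded-ip-address 10.23.102.3
#
"""
AC_CFG = """\
mdns gateway enable
#
vlan 101
 mdns probe interval 100
#
vlan 102
 mdns probe interval 100
#
interface Vlanif101
 ip address 10.23.101.3 255.255.255.0
#
interface Vlanif102
 ip address 10.23.102.3 255.255.255.0
#
"""


def sections(cfg: str) -> dict:
    """Split a '#'-separated configuration into {header line: [body lines]}."""
    out, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
        elif current is None:
            current = out.setdefault(line, [])
        else:
            current.append(line)
    return out


def vlanif(secs: dict, vlan: str):
    """Return the VLANIF address of a VLAN as an ip_interface, or None."""
    for line in secs.get(f"interface Vlanif{vlan}", []):
        m = re.fullmatch(r"ip address (\S+) (\S+)", line)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None


def excluded_ranges(body: list) -> list:
    """(first, last) pairs from 'dhcp server excluded-ip-address start [end]'."""
    ranges = []
    for line in body:
        m = re.fullmatch(r"dhcp server excluded-ip-address (\S+)(?: (\S+))?", line)
        if m:
            first = ipaddress.ip_address(m.group(1))
            last = ipaddress.ip_address(m.group(2)) if m.group(2) else first
            ranges.append((first, last))
    return ranges


def gateways(body: list) -> list:
    out = []
    for line in body:
        if line.startswith("dhcp server gateway-list "):
            out += [ipaddress.ip_address(a) for a in line.split()[3:]]
    return out


def audit(ac_cfg: str, dhcp_cfg: str) -> list:
    """Return findings for each VLAN that has 'mdns probe interval' on the AC."""
    ac, srv = sections(ac_cfg), sections(dhcp_cfg)
    findings = []
    if "mdns gateway enable" not in ac:
        findings.append("AC: mdns gateway is not enabled")
    for header, body in ac.items():
        m = re.fullmatch(r"vlan (\d+)", header)
        if not m or not any(l.startswith("mdns probe interval") for l in body):
            continue
        vlan, src = m.group(1), vlanif(ac, m.group(1))
        if src is None:
            findings.append(f"VLAN {vlan}: AC has no VLANIF address for mDNS requests")
            continue
        pool_if = vlanif(srv, vlan)
        pool_body = srv.get(f"interface Vlanif{vlan}", [])
        if pool_if is None or src.ip not in pool_if.network:
            findings.append(f"VLAN {vlan}: {src.ip} is outside the DHCP server's subnet")
            continue
        if not any(lo <= src.ip <= hi for lo, hi in excluded_ranges(pool_body)):
            findings.append(f"VLAN {vlan}: {src.ip} is not excluded from the DHCP pool")
        if src.ip in gateways(pool_body) or src.ip == pool_if.ip:
            findings.append(f"VLAN {vlan}: {src.ip} collides with the gateway or DHCP server")
    return findings


if __name__ == "__main__":
    print(audit(AC_CFG, SWITCHB_CFG) or "no findings")
```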

4.16.9 Example for Configuring Bandwidth-based Multicast CAC

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.


The multicast source for video conferences is deployed on the enterprise network to provide
enterprise video conferencing services. The multicast source address ranges from 225.1.1.1 to
225.1.1.5. To restrict the access of employees when the multicast bandwidth reaches the
maximum, administrators need to configure bandwidth-based multicast CAC, ensuring the
conference access quality.

Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-75 Networking for configuring bandwidth-based multicast CAC

Data Planning

Table 4-80 AC data planning

Item                            Data
Management VLAN for APs         VLAN 100
Service VLAN for STAs           VLAN 101
DHCP server                     The AC functions as a DHCP server to assign IP
                                addresses to APs and STAs.
IP address pool for APs         10.23.100.2-10.23.100.254/24
IP address pool for STAs        10.23.101.2-10.23.101.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net,
                                  regulatory domain profile default, and traffic
                                  profile wlan-traffic
Regulatory domain profile       • Name: default
                                • Country code: China
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and
                                  security profile wlan-net
Traffic profile                 • Name: wlan-traffic
                                • Maximum multicast bandwidth for a VAP: 40 Mbit/s
AP system profile               • Name: wlan-system
                                • Multicast group address: 225.1.1.1-225.1.1.5
                                • Bandwidth of the multicast program: 2 Mbit/s

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure multicast-to-unicast conversion to convert multicast packets into unicast
packets to improve the efficiency of multicast data transmission.

3. Configure bandwidth-based multicast CAC to control the access of multicast users.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit


Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs and VLANIF 101 to assign IP addresses to STAs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).


[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Configure multicast-to-unicast conversion.


# Create traffic profile wlan-traffic. Configure IGMP snooping and multicast-to-unicast
conversion in the traffic profile.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] igmp-snooping enable
[AC-wlan-traffic-prof-wlan-traffic] traffic-optimize multicast-unicast enable

Step 8 Configure bandwidth-based multicast CAC.


# Configure 40960 kbit/s as the maximum multicast bandwidth for a VAP.
[AC-wlan-traffic-prof-wlan-traffic] igmp-snooping max-bandwidth 40960
[AC-wlan-traffic-prof-wlan-traffic] quit

# Create AP system profile wlan-system. Configure the multicast group address to range
from 225.1.1.1 to 225.1.1.5, and set the multicast group bandwidth to 2048 kbit/s.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] igmp-snooping group-bandwidth start-group-address 225.1.1.1 end-group-address 225.1.1.5 bandwidth 2048
[AC-wlan-ap-system-prof-wlan-system] quit

# Apply traffic profile wlan-traffic to VAP profile wlan-net.


[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit

# Apply AP system profile wlan-system to the AP group.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system
[AC-wlan-ap-group-ap-group1] quit

Step 9 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
--------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA/WPA2-PSK 0   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA/WPA2-PSK 0   wlan-net
--------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

Run the display wlan igmp-snooping vap-cac ap-id 0 command on the AC. When the
difference between the CurBw and MaxBw values is smaller than the configured bandwidth
of a multicast group, new users cannot join the multicast group.
[AC-wlan-view] display wlan igmp-snooping vap-cac ap-id 0
Info: This operation may take a few seconds, please wait.done.
Rf : Radio ID WID : WLAN ID
CurBw : Current bandwidth(kbps) MaxBw : Max bandwidth(kbps)
CurUser : Current user number MaxUser : Max user number
BwUtilization : Bandwidth utilization UserUtilization : User utilization
--------------------------------------------------------------------------------
Rf WID CurBw/MaxBw BwUtilization CurUser/MaxUser UserUtilization
--------------------------------------------------------------------------------
0 1 0/40960 0% 0/0 0%
1 1 0/40960 0% 0/0 0%
--------------------------------------------------------------------------------
Total: 2

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 traffic-profile name wlan-traffic
  igmp-snooping enable
  igmp-snooping max-bandwidth 40960
  traffic-optimize multicast-unicast enable
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  traffic-profile wlan-traffic
 regulatory-domain-profile name default
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-system-profile name wlan-system
  igmp-snooping group-bandwidth start-group-address 225.1.1.1 end-group-address 225.1.1.5 bandwidth 2048
 ap-group name ap-group1
  ap-system-profile wlan-system
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return

4.16.10 Example for Configuring CAC Based on the Number of Multicast Group Memberships

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The multicast source for video conferences is deployed on the enterprise network to provide
enterprise video conferencing services. The multicast source address ranges from 225.1.1.1 to
225.1.1.5. To restrict the access of employees when the number of multicast group
memberships reaches the maximum, administrators need to configure CAC based on the
number of multicast group memberships, ensuring the conference access quality.

Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-76 Networking for configuring CAC based on the number of multicast group
memberships


Data Planning

Table 4-81 AC data planning

Item                            Data
Management VLAN for APs         VLAN 100
Service VLAN for STAs           VLAN 101
DHCP server                     The AC functions as a DHCP server to assign IP
                                addresses to APs and STAs.
IP address pool for APs         10.23.100.2-10.23.100.254/24
IP address pool for STAs        10.23.101.2-10.23.101.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net,
                                  regulatory domain profile default, and traffic
                                  profile wlan-traffic
Regulatory domain profile       • Name: default
                                • Country code: China
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and
                                  security profile wlan-net
Traffic profile                 • Name: wlan-traffic
                                • Maximum number of multicast group memberships
                                  for a VAP: 20


Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure multicast-to-unicast conversion to convert multicast packets into unicast
packets to improve the efficiency of multicast data transmission.
3. Configure CAC based on the number of multicast group memberships to control the
access of multicast users.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs and VLANIF 101 to assign IP addresses to STAs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit


Step 6 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Configure multicast-to-unicast conversion.


# Create traffic profile wlan-traffic. Configure IGMP snooping and multicast-to-unicast
conversion in the traffic profile.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] igmp-snooping enable
[AC-wlan-traffic-prof-wlan-traffic] traffic-optimize multicast-unicast enable

Step 8 Configure CAC based on the number of multicast group memberships.


# Set the maximum number of multicast group memberships for a VAP to 20.
[AC-wlan-traffic-prof-wlan-traffic] igmp-snooping max-user 20
[AC-wlan-traffic-prof-wlan-traffic] quit

# Apply traffic profile wlan-traffic to VAP profile wlan-net.


[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit

Step 9 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
--------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA/WPA2-PSK 0   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA/WPA2-PSK 0   wlan-net
--------------------------------------------------------------------------------
Total: 2


Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
-------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

Run the display wlan igmp-snooping vap-cac ap-id 0 command on the AC. When the
CurUser value is equal to the MaxUser value, new users cannot join the multicast group.
[AC-wlan-view] display wlan igmp-snooping vap-cac ap-id 0
Info: This operation may take a few seconds, please wait.done.
Rf            : Radio ID                 WID             : WLAN ID
CurBw         : Current bandwidth(kbps)  MaxBw           : Max bandwidth(kbps)
CurUser       : Current user number      MaxUser         : Max user number
BwUtilization : Bandwidth utilization    UserUtilization : User utilization
--------------------------------------------------------------------------------
Rf   WID   CurBw/MaxBw   BwUtilization   CurUser/MaxUser   UserUtilization
--------------------------------------------------------------------------------
0    1     0/0           0%              0/20              0%
1    1     0/0           0%              0/20              0%
--------------------------------------------------------------------------------
Total: 2

----End
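
A monitoring check for the condition described above (CurUser reaching MaxUser), as an added example in Python that is not part of the original document: it parses display wlan igmp-snooping vap-cac output and classifies each radio/WLAN pair. The sample output, the 0.8 warning ratio and the treatment of a zero maximum as "no limit shown" are assumptions of this example.

```python
import re

# Constructed sample in the layout of the command output above; the user counts
# are invented so that one radio is at its limit and one is close to it.
SAMPLE_OUTPUT = """\
[AC-wlan-view] display wlan igmp-snooping vap-cac ap-id 0
Info: This operation may take a few seconds, please wait.done.
--------------------------------------------------------------------------------
Rf   WID   CurBw/MaxBw   BwUtilization   CurUser/MaxUser   UserUtilization
--------------------------------------------------------------------------------
0    1     0/0           0%              20/20             100%
1    1     0/0           0%              17/20             85%
--------------------------------------------------------------------------------
Total: 2
"""

# Columns: Rf, WID, CurBw/MaxBw, BwUtilization, CurUser/MaxUser, UserUtilization
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)/(\d+)\s+\d+%\s+(\d+)/(\d+)\s+\d+%\s*$")
TOTAL_RE = re.compile(r"^\s*Total:\s*(\d+)\s*$")


def parse_vap_cac(output):
    """Return one dict per table row; reject output whose Total line disagrees."""
    rows, total = [], None
    for line in output.splitlines():
        row = ROW_RE.match(line)
        if row:
            rf, wid, cur_bw, max_bw, cur_user, max_user = map(int, row.groups())
            rows.append({"rf": rf, "wid": wid, "cur_bw": cur_bw, "max_bw": max_bw,
                         "cur_user": cur_user, "max_user": max_user})
            continue
        footer = TOTAL_RE.match(line)
        if footer:
            total = int(footer.group(1))
    if total is not None and total != len(rows):
        # A truncated capture would otherwise hide a saturated VAP.
        raise ValueError(f"Total says {total} rows, parsed {len(rows)}")
    return rows


def membership_state(row, warn_ratio=0.8):
    """Classify the multicast group membership count of one VAP."""
    if row["max_user"] == 0:
        return "no-limit-shown"      # assumption: zero means no limit is displayed
    if row["cur_user"] >= row["max_user"]:
        return "full"                # new users cannot join the multicast group
    if row["cur_user"] >= warn_ratio * row["max_user"]:
        return "near-limit"
    return "ok"


def report(output, warn_ratio=0.8):
    """Map (radio ID, WLAN ID) to its membership state."""
    return {(r["rf"], r["wid"]): membership_state(r, warn_ratio)
            for r in parse_vap_cac(output)}


if __name__ == "__main__":
    for (rf, wid), state in report(SAMPLE_OUTPUT).items():
        print(f"radio {rf} wlan {wid}: {state}")
```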

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 traffic-profile name wlan-traffic
  igmp-snooping enable
  igmp-snooping max-user 20
  traffic-optimize multicast-unicast enable
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  traffic-profile wlan-traffic
 regulatory-domain-profile name default
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return

4.16.11 Example for Interconnecting an AC with a Network Management Server

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
The administrator of a network wants to deploy a network management server to easily
manage the network topology and devices in a visualized way, thus improving operation
experience and management efficiency.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 4-77 Networking for interconnecting an AC with a network management server

Data Planning

Table 4-82 AC data planning


Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101

DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                SwitchB functions as a DHCP server to assign IP addresses to
                                STAs. The default gateway address of STAs is 10.23.101.2.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net and regulatory
                                  domain profile default

Regulatory domain profile       • Name: default
                                • Country code: China

SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net

Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567

VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security
                                  profile wlan-net

IP address of the network       10.23.1.1
management server

SNMP version running on the     SNMP V2C
network management server

Name of the network             NetCenter
management server

Name of the host sending        trap
trap messages

MIB view                        public_view
                                private_view

Read-only community name        public123

Read-write community name       private123

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure SNMP.
– Set the SNMP version on the AC to SNMPv2c.
– Configure access rights so that the network management server can manage
network devices.

– Configure network management server information.


NOTE

The SNMP version running on the network management server must be consistent with that configured on
the AC.

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100.

<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# On the AC, configure VLANIF 100 to assign IP addresses to APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 4 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC             Name    Group      IP             Type      State  STA  Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Verify the online state of STAs.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID  AP name  RfID  WID  BSSID           Status  Auth type     STA  SSID
--------------------------------------------------------------------------------
0      area_1   0     1    60DE-4476-E360  ON      WPA/WPA2-PSK  0    wlan-net
0      area_1   1     1    60DE-4476-E370  ON      WPA/WPA2-PSK  0    wlan-net
--------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
-------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

Step 8 Configure SNMP.


# Configure the SNMP agent function, and set the SNMP version to v2c.
[AC-wlan-view] quit
[AC] snmp-agent
[AC] snmp-agent sys-info version v2c

# Create the MIB view public_view, exclude the private subtree, and include the internet
subtree.
[AC] snmp-agent mib-view public_view include internet
[AC] snmp-agent mib-view public_view exclude private

# Create the MIB view private_view and include the mgmt subtree.
[AC] snmp-agent mib-view private_view include mgmt

# Create the read-only community public123 and reference public_view in read-only mode.
Create the read-write community private123 and reference private_view in read-write mode.

[AC] snmp-agent community read public123 mib-view public_view
[AC] snmp-agent community write private123 mib-view private_view

NOTE

The read-only and read-write community names must be consistent with those configured on the network
management server.

# Configure the target host of trap messages. Set the transfer protocol to SNMPv2c, host name
in trap messages to trap, target host name to NetCenter, and target host IP address to
10.23.1.1.
[AC] snmp-agent target-host trap-paramsname NetCenter v2c securityname trap
[AC] snmp-agent target-host trap-hostname NetCenter address 10.23.1.1 udp-port 162 trap-paramsname NetCenter

Step 9 Verify the configuration.


# Run the following command to verify the configuration:
[AC] display snmp-agent target-host
Traphost list:
Target host name: NetCenter
Traphost address: 10.23.1.1
Traphost portnumber: 162
Target host parameter: NetCenter

Total number is 1

Parameter list trap target host:
Parameter name of the target host: NetCenter
Message mode of the target host: SNMPV2C
Trap version of the target host: v2c
Security name of the target host: %^%##E9e5qFq#7{N#(<FX;(;@-ZuXCzh(W.oc_%Yk}G6%^%#

Total number is 1

# If the online state of the AP is displayed on the network management server, the
configuration has taken effect.

----End
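
An offline audit of the snmp-agent statements that this procedure produces, as an added example in Python that is not part of the original document. It flags what a reviewer would check in an SNMPv2c setup (unencrypted version, read-write community, no acl on a community, a community that references an undefined MIB view); the sample configuration is constructed, with placeholder ciphertext and a deliberate view-name mismatch, and the finding codes are this example's own names.

```python
import re

# Constructed sample in the shape of the AC configuration file of this example.
# Ciphertext is replaced by placeholders, and the write community references
# private_view while only a view named "private" is defined (deliberate mismatch).
SAMPLE_CONFIG = """\
#
snmp-agent community read %^%#PLACEHOLDER-1%^%# mib-view public_view
snmp-agent community write %^%#PLACEHOLDER-2%^%# mib-view private_view
snmp-agent sys-info version v2c
snmp-agent target-host trap-hostname NetCenter address 10.23.1.1 udp-port 162 trap-paramsname NetCenter
snmp-agent target-host trap-paramsname NetCenter v2c securityname %^%#PLACEHOLDER-3%^%#
snmp-agent mib-view private include mgmt
snmp-agent mib-view public_view include internet
snmp-agent mib-view public_view exclude private
snmp-agent
#
"""

LINE_PATTERNS = {
    "version": re.compile(r"^snmp-agent sys-info version (?P<versions>.+)$"),
    "community": re.compile(
        r"^snmp-agent community (?P<mode>read|write) \S+(?P<opts>.*)$"),
    "view": re.compile(
        r"^snmp-agent mib-view (?P<view>\S+) (?P<action>include|exclude) (?P<subtree>\S+)$"),
    "trap": re.compile(
        r"^snmp-agent target-host trap-paramsname (?P<name>\S+) (?P<ver>v1|v2c|v3)\b"),
}


def _value_after(tokens, keyword):
    """Return the token following keyword, or None if it is absent or last."""
    if keyword in tokens and tokens.index(keyword) + 1 < len(tokens):
        return tokens[tokens.index(keyword) + 1]
    return None


def parse_snmp(config_text):
    """Collect the snmp-agent statements of one saved configuration."""
    parsed = {"versions": set(), "communities": [], "views": {}, "traps": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        for kind, pattern in LINE_PATTERNS.items():
            m = pattern.match(line)
            if not m:
                continue
            if kind == "version":
                parsed["versions"].update(m["versions"].split())
            elif kind == "community":
                opts = m["opts"].split()
                parsed["communities"].append({
                    "mode": m["mode"],
                    "view": _value_after(opts, "mib-view"),
                    "acl": _value_after(opts, "acl"),
                })
            elif kind == "view":
                parsed["views"].setdefault(m["view"], []).append(
                    (m["action"], m["subtree"]))
            else:
                parsed["traps"].append((m["name"], m["ver"]))
            break
    return parsed


def audit_snmp(config_text):
    """Return a list of (code, message) findings for the SNMP configuration."""
    cfg = parse_snmp(config_text)
    findings = []
    weak = sorted(cfg["versions"] & {"v1", "v2c", "all"})
    if weak:
        findings.append(("CLEARTEXT_VERSION",
                         f"agent accepts {', '.join(weak)}: community names "
                         "cross the network unencrypted"))
    for c in cfg["communities"]:
        label = f"{c['mode']} community (view {c['view']})"
        if c["mode"] == "write":
            findings.append(("WRITE_COMMUNITY",
                             f"{label} permits SET with only the community name as credential"))
        if c["acl"] is None:
            findings.append(("NO_ACL", f"{label} has no acl limiting source addresses"))
        if c["view"] and c["view"] not in cfg["views"]:
            findings.append(("UNDEFINED_VIEW",
                             f"{label} references a view that no mib-view statement defines"))
    for name, rules in cfg["views"].items():
        if ("include", "internet") in rules:
            findings.append(("BROAD_VIEW",
                             f"view {name} includes the internet subtree; review its excludes"))
    for name, ver in cfg["traps"]:
        if ver != "v3":
            findings.append(("CLEARTEXT_TRAP",
                             f"trap parameters {name} use {ver}: traps are sent unencrypted"))
    return findings


if __name__ == "__main__":
    for code, message in audit_snmp(SAMPLE_CONFIG):
        print(f"{code}: {message}")
```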

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
snmp-agent local-engineid 800007DB03DCD2FCF9B5CA
snmp-agent community read %^%#&c{~@`7"T1LM>_VKF}SQAB[B*cK_-!A)3ZW!l^=L4[|8Aa!NJNJOI<UdLWv,b8]NSoUFd2Vg\n)$\*wC%^%# mib-view public_view
snmp-agent community write %^%#@=;PMXwdY=FN;)XZvMWPS|<II8n%:R!FNAFnv{IKt4rR>6e.=<ZB["=N>yq;Hq.p:i<-E!-[1PS{i<'Q%^%# mib-view private_view
snmp-agent sys-info version v2c
snmp-agent target-host trap-hostname NetCenter address 10.23.1.1 udp-port 162 trap-paramsname NetCenter
snmp-agent target-host trap-paramsname NetCenter v2c securityname %^%##E9e5qFq#7{N#(<FX;(;@-ZuXCzh(W.oc_%Yk}G6%^%#
snmp-agent mib-view private_view include mgmt
snmp-agent mib-view public_view include internet
snmp-agent mib-view public_view exclude private
snmp-agent
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return

4.16.12 Example for Configuring Wireless Packet Obtaining


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
When devices carrying multiple services become faulty, maintenance personnel need to obtain
packets for accurate cause analysis.

Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: tunnel forwarding

Figure 4-78 Networking for configuring wireless packet obtaining

Data Planning

Table 4-83 AC data planning

Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101

DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs
                                and STAs.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for STAs        10.23.101.2-10.23.101.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net and regulatory
                                  domain profile default

Regulatory domain profile       • Name: default
                                • Country code: China

SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net

Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567

VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security
                                  profile wlan-net

Wireless packet obtaining       • SFTP server IP address: 10.23.10.1
configuration                   • SFTP user name: huawei
                                • SFTP password: huawei123

Configuration Roadmap

1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure global parameters for obtaining packets, including the maximum length,
saving mode, upload mode, and server.
3. Configure a packet filtering rule.
4. Enable the wireless packet obtaining function.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# On the AC, add GE0/0/1 to VLAN 100, and GE0/0/2 to VLAN 101.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# On the AC, configure VLANIF 100 to assign IP addresses to APs and VLANIF 101 to assign
IP addresses to STAs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC             Name    Group      IP             Type      State  STA  Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 7 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the
configuration is complete, run the display vap ssid wlan-net command. If the Status field is
displayed as ON, the VAPs have been successfully created on AP radios.
[AC] wlan
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
--------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA/WPA2-PSK 0   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA/WPA2-PSK 0   wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
14cf-9208-9abf 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

Step 8 Configure the wireless packet obtaining function.


# Set global parameters for the wireless packet obtaining function.
[AC-wlan-view] diagnose
[AC-diagnose] remote capture max-len 256
[AC-diagnose] remote capture save-mode local size 1024
[AC-diagnose] remote capture upload-mode sftp sftp-server 10.23.10.1 sftp-username huawei sftp-password huawei123

# Configure a packet filtering rule.
[AC-diagnose] remote capture filter-profile name filter
[AC-diagnose] filter-profile name filter protocol-filter all
[AC-diagnose] filter-profile name filter address-filter id 1 source-mac-address 1047-80b1-56a0

# Enable the wireless packet obtaining function.
[AC-diagnose] remote capture ap-name area_1 radio 0 start filter-profile name filter channel 1
[AC-diagnose] quit

Step 9 View obtained wireless packets.


Stop packet obtaining, upload the packet obtaining file to the SFTP server, and check the
obtained packets on the server.
[AC-wlan-view] diagnose
[AC-diagnose] remote capture ap-name area_1 radio 0 stop
[AC-diagnose] remote capture ap-name area_1 radio 0 get-packet

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
 ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return

4.17 Typical Configuration for Interconnection Between AC and Cisco ISE Server
4.17.1 Example for Configuring 802.1x Authentication (CLI)

Introduction to 802.1x Authentication


802.1x authentication is a method used for Network Admission Control (NAC). It controls
user access rights based on access ports to protect enterprise intranet security.

802.1x authentication is more secure than MAC address authentication and Portal
authentication; however, it requires 802.1x client software on every user terminal, which
reduces networking flexibility. In contrast, MAC address authentication does not need client
software, but the MAC addresses of user terminals must be registered on the authentication
server, which makes network configuration and management complex. Portal authentication
also needs no client software and allows flexible deployment, but it does not provide high
security. Therefore, 802.1x authentication suits network construction scenarios where users
are densely distributed and high information security is required.

When the AC is interconnected with the Cisco ISE, three authentication methods, that is,
Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.

For details about how to configure 802.1x authentication on the AC, see Configure 802.1x
authentication on the AC.

For details about how to configure the authentication on the Cisco ISE server, see Configure
the Cisco ISE.

Applicable Products and Versions

Table 4-84 Applicable products and versions

Product      Version
Huawei AC    V200R007C10 and later versions
Cisco ISE    2.0.0.306

Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.


Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
  to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1x+AES


Figure 4-79 Networking diagram for configuring 802.1x authentication
[Diagram not reproduced. Labelled elements: Internet, Router, SwitchB, AC, RADIUS server
(10.23.103.1:1812), SwitchA, AP, and two STAs. Management VLAN: VLAN 100. Service VLAN:
VLAN 101.]


Data Planning

Table 4-85 Data planning on the AC


Configuration Item             Data
Management VLAN                VLAN 100
Service VLAN                   VLAN 101
AC's source interface          VLANIF 100: 10.23.100.1/24
DHCP server                    The AC functions as the DHCP server to assign IP addresses to
                               APs, and SwitchB functions as the DHCP server to assign IP
                               addresses to STAs.
IP address pool for APs        10.23.100.2-10.23.100.254/24
IP address pool for the STAs   10.23.101.2-10.23.101.254/24
RADIUS authentication          • RADIUS server template name: wlan-net
parameters                     • IP address: 10.23.103.1
                               • Authentication port number: 1812
                               • Shared key: huawei@123
                               • Authentication scheme: wlan-net
802.1x access profile          • Name: wlan-net
                               • Authentication mode: EAP
Authentication profile         • Name: wlan-net
                               • Bound profile and authentication scheme: 802.1x access
                                 profile wlan-net, RADIUS server template wlan-net, and
                                 RADIUS authentication scheme wlan-net
AP group                       • Name: ap-group1
                               • Bound profile: VAP profile wlan-net and regulatory domain
                                 profile default
Regulatory domain profile      • Name: default
                               • Country code: China
SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net
Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+802.1x+AES
VAP profile                    • Name: wlan-net
                               • Forwarding mode: direct forwarding
                               • Service VLAN: VLAN 101
                               • Bound profiles: SSID profile wlan-net, security profile
                                 wlan-net, and authentication profile wlan-net

Table 4-86 Data planning on the Cisco ISE

Configuration Item        Data
Department                R&D
Account                   Account: huawei
                          Password: huawei123
Device profile            Huawei
Device name               AC6605
Device's IP address       10.23.102.2/32
RADIUS shared key         huawei@123
Authentication protocol   • MS-CHAPv2
                          • PEAP
                          • CHAP (only for the test-aaa test)

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure WLAN service parameters.
5. Configure 802.1x authentication on the AC.
6. Configure the Cisco ISE server.

Configuration Notes
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• The AC and server must have the same RADIUS shared key.


Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next hop
is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1


# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs, respectively.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
--------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.


1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.
[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure an 802.1x access profile to manage 802.1x access control parameters.


# Create the 802.1x access profile wlan-net.
[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.


[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.


# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure the Cisco ISE.


1. Log in to the Cisco ISE server.
# Enter the access address of the Cisco ISE server in the address box, in the format
https://Cisco ISE IP, where Cisco ISE IP is the IP address of the Cisco ISE server.
# On the displayed page, enter the user name and password to log in to the Cisco ISE
server.


2. Create a department and an account.


# Choose Administration > Identity Management > Groups > User Identity Groups.
In the pane on the right side, click Add and create a department named R&D. Then,
click Submit.

# Choose Administration > Identity Management > Identities > Users. In the pane on
the right side, click Add to create the account with the user name of huawei and
password of huawei123. Add the account to department R&D. Then, click Submit.

3. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the left side, click Add and create a device profile named Huawei. Then, click
Submit.


# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.

4. Configure the authentication protocol.


# Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.
Select Default Network Access and click Edit.


# Select Allow CHAP, Allow MS-CHAPv2, and Allow PEAP. For other parameters,
use the default settings. Click Save.
NOTE

By default, the Cisco ISE disables the CHAP authentication protocol. You need to select the CHAP
authentication protocol on the server so that the CHAP protocol can be used to carry out the test-aaa test
on the AC.

Step 7 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.

Step 8 Verify the configuration.


• The WLAN with SSID wlan-net is available for STAs connected to the AP.
• The wireless PC obtains an IP address after it associates with the WLAN.
• Use the 802.1x authentication client on a STA and enter the correct user name and
  password. The STA is authenticated and can access the WLAN. You must configure the
  client for PEAP authentication.
  – Configuration on the Windows XP operating system:
    i. On the Association tab page of the Wireless network properties dialog box,
       add SSID wlan-net, set the authentication mode to WPA2, and encryption
       algorithm to AES.
    ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
        In the Protected EAP Properties dialog box, deselect Validate server
        certificate and click Configure. In the displayed dialog box, deselect
        Automatically use my Windows logon name and password and click OK.
  – Configuration on the Windows 7 operating system:
    i. Access the Manage wireless networks page, click Add, and select Manually
       create a network profile. Add SSID wlan-net. Set the authentication mode to
       WPA2-Enterprise, and encryption algorithm to AES. Click Next.
    ii. Click Change connection settings. On the Wireless Network Properties
        page that is displayed, select the Security tab page and click Settings. In the
        Protected EAP Properties dialog box, deselect Validate server certificate
        and click Configure. In the displayed dialog box, deselect Automatically use
        my Windows logon name and password and click OK.
    iii. Click OK. On the Wireless Network Properties page, click Advanced
         settings. On the Advanced settings page that is displayed, select Specify
         authentication mode, set the identity authentication mode to User
         authentication, and click OK.
• After wireless users connect to the network, run the display access-user access-type
  dot1x command on the AC to view users in 802.1x authentication mode. The user
  huawei has gone online successfully.
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
UserID Username IP address    MAC            Status
------------------------------------------------------------------------------
460    huawei   10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
 ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
 ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 103
 port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 104
 port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return

• Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
 ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name wlan-net
 dot1x-access-profile wlan-net
 authentication-scheme wlan-net
 radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
 radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
 radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
 authentication-scheme wlan-net
  authentication-mode radius
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 dot1x aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
 regulatory-domain-profile name default
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
dot1x-access-profile name wlan-net
#
return
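
The profile chain built in Step 5 (VAP profile, then security profile and authentication profile, then 802.1x access profile, RADIUS server template, and authentication scheme) can be checked offline against a saved AC configuration file. The following Python check is an added example, not Huawei code; it assumes one space of indentation per nesting level, treats a security profile with no security line as open system, and uses a placeholder in place of the ciphered shared key.

```python
import re
from collections import defaultdict

# Constructed sample: the AC configuration file above, cut down to the lines this
# check reads and indented one space per level. The shared key is a placeholder.
SAMPLE = """\
authentication-profile name wlan-net
 dot1x-access-profile wlan-net
 authentication-scheme wlan-net
 radius-server wlan-net
radius-server template wlan-net
 radius-server shared-key cipher CIPHERTEXT-PLACEHOLDER
 radius-server authentication 10.23.103.1 1812 weight 80
aaa
 authentication-scheme wlan-net
  authentication-mode radius
wlan
 security-profile name wlan-net
  security wpa-wpa2 dot1x aes
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
dot1x-access-profile name wlan-net
"""


def parse(config):
    """Map each block's path (tuple of header lines) to its direct child lines."""
    blocks, stack = defaultdict(list), []
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        del stack[depth:]                 # climb back to this line's parent
        blocks[tuple(stack)].append(line)
        stack.append(line)
        blocks[tuple(stack)]              # register the block even if it stays empty
    return blocks


def block(blocks, parent, kind, name):
    """Child lines of '<kind> name <name>' or '<kind> <name>' under parent, or None."""
    for header in (f"{kind} name {name}", f"{kind} {name}"):
        if parent + (header,) in blocks:
            return blocks[parent + (header,)]
    return None


def ref(lines, keyword):
    """Argument text of the first child line that starts with keyword, or None."""
    for line in lines or []:
        if line.startswith(keyword + " "):
            return line[len(keyword) + 1:]
    return None


def audit(config):
    """Return ({VAP profile: access mode}, [findings]) for VAP profiles bound to AP groups."""
    b, modes, findings = parse(config), {}, []
    bound = set()
    for path, lines in list(b.items()):
        if len(path) >= 2 and path[1].startswith("ap-group name "):
            bound.update(m.group(1) for m in
                         (re.match(r"vap-profile (\S+) wlan \d+", l) for l in lines) if m)
    for vap_name in sorted(bound):
        vap = block(b, ("wlan",), "vap-profile", vap_name)
        if vap is None:
            findings.append(f"{vap_name}: bound to an AP group but not defined")
            continue
        sec = block(b, ("wlan",), "security-profile", ref(vap, "security-profile"))
        # Assumption: a security profile with no 'security' line is open system.
        policy = (ref(sec, "security") or "open").split()
        modes[vap_name] = mode = ("802.1x" if "dot1x" in policy
                                  else "psk" if "psk" in policy else "open")
        if mode != "802.1x":
            continue                      # this check covers the 802.1x chain only
        auth_name = ref(vap, "authentication-profile")
        auth = block(b, (), "authentication-profile", auth_name)
        if auth is None:
            findings.append(f"{vap_name}: dot1x policy but no authentication profile")
            continue
        tmpl = block(b, (), "radius-server template", ref(auth, "radius-server"))
        scheme = block(b, ("aaa",), "authentication-scheme", ref(auth, "authentication-scheme"))
        if block(b, (), "dot1x-access-profile", ref(auth, "dot1x-access-profile")) is None:
            findings.append(f"{vap_name}: {auth_name} has no 802.1x access profile")
        if not (ref(tmpl, "radius-server authentication") and ref(tmpl, "radius-server shared-key")):
            findings.append(f"{vap_name}: RADIUS template missing, or lacks server or shared key")
        if "radius" not in (ref(scheme, "authentication-mode") or "").split():
            findings.append(f"{vap_name}: authentication scheme does not use RADIUS")
    return modes, findings


if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty findings list means every VAP profile that uses the dot1x security policy resolves to a defined 802.1x access profile, RADIUS template, and RADIUS authentication scheme.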

4.17.2 Example for Configuring MAC Address Authentication (CLI)
Introduction to MAC Address Authentication
MAC address authentication is a method used for Network Admission Control (NAC). It
controls user access rights based on access ports and user MAC addresses to protect the
security of enterprise networks.
MAC address authentication does not need client software, but the MAC addresses of user
terminals must be registered on the authentication server, which makes network configuration
and management complex. In contrast, 802.1x authentication needs client software, which
reduces networking flexibility, but it is more secure. Portal authentication also needs no
client software and allows flexible deployment, but it does not provide high security.
MAC address authentication is applicable to dumb terminals such as printers and fax
machines.
For details about how to configure MAC address authentication on the AC, see Configure
MAC address authentication on the AC.
For details about how to configure MAC address authentication on the Cisco ISE server, see
Configure the Cisco ISE.

Applicable Products and Versions

Table 4-87 Applicable products and versions


Product      Version
Huawei AC    V200R007C10 and later versions
Cisco ISE    2.0.0.306

Service Requirements
MAC address authentication is used to authenticate dumb terminals such as wireless network
printers and wireless phones that cannot have an authentication client installed.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
  to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• Authentication mode: open system authentication


Figure 4-80 Networking diagram for configuring MAC address authentication

[Figure: networking diagram showing Internet, Router, SwitchB, AC, RADIUS server
(10.23.103.1:1812), SwitchA, AP, and STAs. Management VLAN: VLAN 100. Service VLAN:
VLAN 101.]


Data Planning

Table 4-88 Data planning on the AC

Configuration Item              Data
Management VLAN                 VLAN 100
Service VLAN                    VLAN 101
AC's source interface           VLANIF 100: 10.23.100.1/24
DHCP server                     The AC functions as the DHCP server to assign IP
                                addresses to APs, and SwitchB functions as the DHCP
                                server to assign IP addresses to STAs.
IP address pool for APs         10.23.100.2-10.23.100.254/24
IP address pool for the STAs    10.23.101.2-10.23.101.254/24
RADIUS authentication           • RADIUS server template name: wlan-net
parameters                      • IP address: 10.23.103.1
                                • Authentication port number: 1812
                                • Shared key: huawei@123
                                • Authentication scheme: wlan-net
MAC access profile              Name: wlan-net
Authentication profile          • Name: wlan-net
                                • Bound profile and authentication scheme: MAC
                                  access profile wlan-net, RADIUS server template
                                  wlan-net, and authentication scheme wlan-net
AP group                        • Name: ap-group1
                                • Bound profile: VAP profile wlan-net and
                                  regulatory domain profile default
Regulatory domain profile       • Name: default
                                • Country code: CN
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: open system authentication
VAP profile                     • Name: wlan-net
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLAN 101
                                • Bound profiles: SSID profile wlan-net, security
                                  profile wlan-net, and authentication profile
                                  wlan-net

Table 4-89 Data planning on the Cisco ISE

Configuration Item        Data
Terminals                 MAC addresses (use the actual MAC addresses of devices)
Account                   Account: huawei
                          Password: huawei123
Device profile            Huawei
Device name               AC6605
Device's IP address       10.23.102.2/32
RADIUS shared key         huawei@123
Authentication protocol   • MS-CHAPv2
                          • PEAP
                          • CHAP (only for the test-aaa test)

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure basic WLAN services.
5. Configure MAC address authentication on the AC.
6. Configure the Cisco ISE server.

Configuration Notes
• Configure port isolation on the interfaces of the device directly connected to APs. If
  port isolation is not configured and direct forwarding is used, a large number of
  unnecessary broadcast packets may be generated in the VLAN, blocking the network and
  degrading user experience.
• The AC and server must have the same RADIUS shared key.


Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1


# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA
Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure MAC address authentication on the AC.


1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.
[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] radius-attribute set Service-Type 10 auth-type mac
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure a MAC access profile.


NOTE
In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for
MAC address authentication.

# Create the MAC access profile wlan-net.


[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the MAC access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.


# Create the security profile wlan-net and set the security policy in the profile. By
default, the security policy is open system authentication.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure the Cisco ISE.


1. Log in to the Cisco ISE server.
# Enter the access address of the Cisco ISE server in the address box, which is in the
format of https://Cisco ISE IP. Cisco ISE IP is the IP address of the Cisco ISE server.
# On the displayed page, enter the user name and password to log in to the Cisco ISE
server.


2. Add STAs.
# Choose Administration > Identity Management > Identities > EndPoints. In the
pane on the right side, click Add. On the page that is displayed, set MAC Address and
click Save.

3. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the left side, click Add and create a device profile named Huawei. Then, click
Submit.

# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.


4. Configure the authentication protocol.


# Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.
Select Default Network Access and click Edit.

# Select Allow CHAP, Allow MS-CHAPv2, and Allow PEAP. For other parameters,
use the default settings. Click Save.
NOTE

By default, the Cisco ISE disables the CHAP authentication protocol. You need to select the CHAP
authentication protocol on the server so that the CHAP protocol can be used to carry out the test-aaa test
on the AC.


Step 7 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.

Step 8 Verify the configuration.


• After dumb terminals associate with the WLAN, authentication is performed
  automatically. After the terminals pass authentication, they can access the network.
• After dumb terminals associate with the WLAN, run the display access-user
  access-type mac-authen command on the AC. The command output shows that user huawei
  using the mac-authen authentication mode has successfully gone online.
[AC] display access-user access-type mac-authen
------------------------------------------------------------------------------
UserID Username IP address MAC
Status
------------------------------------------------------------------------------
460 huawei 10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End
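
The account test in Step 7 and the shared-key requirement in the configuration notes, as an added Python example (not Huawei or Cisco code): it builds the CHAP Access-Request defined in RFC 2865 for the account huawei, lets a simulated server answer, and shows that the AC side accepts the reply only when both sides hold the same shared key. The function names, the packet identifier, and the fixed authenticator and challenge bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60   # RFC 2865 attribute types


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Assemble a RADIUS packet: 20-byte header followed by the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def chap_value(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: CHAP ident + MD5(ident | password | challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def chap_matches(received: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server side: recompute the CHAP value from the stored password."""
    expected = chap_value(received[0], stored_password, challenge)
    return hmac.compare_digest(received, expected)


def sign_reply(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator =
    MD5(Code | ID | Length | Request Authenticator | Attributes | shared key)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    digest = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + digest + attrs


def reply_is_authentic(reply: bytes, request: bytes, secret: bytes) -> bool:
    """AC side: accept a reply only if it was signed with the AC's shared key."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    (length,) = struct.unpack("!H", reply[2:4])
    if length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)


def run_test(password: bytes, ac_secret: bytes, server_secret: bytes,
             stored_password: bytes = b"huawei123"):
    """Simulate one account test; returns (reply code, reply accepted by the AC)."""
    # Constructed values: a real device draws both at random for every request.
    request_auth = bytes(range(16))
    challenge = bytes(range(16, 32))
    chap = chap_value(1, password, challenge)
    request = packet(ACCESS_REQUEST, 42, request_auth,
                     attr(USER_NAME, b"huawei")
                     + attr(CHAP_PASSWORD, chap)
                     + attr(CHAP_CHALLENGE, challenge))
    # The password itself never crosses the wire, only the MD5 over the challenge.
    ok = chap_matches(chap, challenge, stored_password)
    reply = sign_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, b"", server_secret)
    return reply[0], reply_is_authentic(reply, request, ac_secret)


if __name__ == "__main__":
    print(run_test(b"huawei123", b"huawei@123", b"huawei@123"))  # matching keys
    print(run_test(b"huawei123", b"huawei@123", b"huawei@124"))  # key mismatch
```

With mismatched keys the server still answers, but the AC side cannot verify the Response Authenticator, so the reply is not accepted even though the account password was correct.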

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return
• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
 ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
 ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 103
 port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 104
 port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
• Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
 ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name wlan-net
 mac-access-profile wlan-net
 authentication-scheme wlan-net
 radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
 radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
 radius-server authentication 10.23.103.1 1812 weight 80
 radius-attribute set Service-Type 10 auth-type mac
#
aaa
 authentication-scheme wlan-net
  authentication-mode radius
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
mac-access-profile name wlan-net
#
return

4.17.3 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (CLI)
Introduction to User Authorization
In user authorization, the device controls network access rights based on the user role during
each phase of user authentication. After an 802.1x user is successfully authenticated on a
RADIUS server, the server sends authorization information to the access device of the user.
When the Cisco Identity Services Engine (ISE) functions as a RADIUS server, it can deliver
multiple authorization parameters. The following example uses ACL numbers and dynamic
VLANs to control user authorization.
• Authorization based on ACL numbers
  If ACL number delivery is configured on the RADIUS server, authorization information
  sent to the access device includes the ACL number. The access device matches ACL
  rules based on the delivered ACL number to control user rights.
  The RADIUS attribute used for ACL number delivery is (011) Filter-Id.
  The ACL numbers supported by the AC range from 3000 to 3031.
• Authorization based on dynamic VLANs
  If dynamic VLAN delivery is configured on the RADIUS server, authorization
  information sent to the access device includes the VLAN attribute. After the access
  device receives the authorization information, it changes the VLAN of the user to the
  delivered VLAN. The delivered VLAN does not change or affect the interface
  configuration. The priority of the delivered VLAN, however, is higher than that of the
  user-configured VLAN. That is, the delivered VLAN takes effect after the authentication
  succeeds and the user-configured VLAN takes effect after the user goes offline.
  The following RADIUS attributes are used for dynamic VLAN delivery:
  – (064) Tunnel-Type (It must be set to VLAN or 13.)
  – (065) Tunnel-Medium-Type (It must be set to 802 or 6.)
  – (081) Tunnel-Private-Group-ID (It can be a VLAN ID or VLAN name.)
  To ensure that the RADIUS server delivers VLAN information correctly, all three
  RADIUS attributes must be used. In addition, the Tunnel-Type and Tunnel-Medium-Type
  attributes must be set to the specified values.
When the AC is interconnected with the Cisco ISE, three authentication methods, that is,
Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.
For details about how to configure user authorization based on ACL numbers on the AC, see
user authorization configuration on the AC.
For details about how to configure user authorization based on ACL numbers on the Cisco
ISE server, see Cisco ISE configuration.
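
The delivery rules in this introduction as an added Python check (not part of the Huawei document or of Cisco ISE): it parses the attribute area of an Access-Accept and reports every rule from this section that the reply breaks. The function names and the sample attribute bytes are constructed for illustration, and the tag-byte handling follows RFC 2868.

```python
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
TUNNEL_TYPE_VLAN = 13            # "VLAN" in Tunnel-Type
TUNNEL_MEDIUM_802 = 6            # "802" in Tunnel-Medium-Type
ACL_MIN, ACL_MAX = 3000, 3031    # ACL numbers this section says the AC supports
NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute (used only to construct the sample data below)."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(data: bytes) -> dict:
    """Split a RADIUS attribute area into {type: [value, ...]}, rejecting bad lengths."""
    found, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"attribute {attr_type} has invalid length {length}")
        found.setdefault(attr_type, []).append(data[pos + 2:pos + length])
        pos += length
    return found


def tagged_int(value: bytes) -> int:
    """RFC 2868 integer attribute: one tag byte, then a 3-byte value."""
    if len(value) != 4:
        raise ValueError("value must be 4 bytes (tag + 3-byte integer)")
    return int.from_bytes(value[1:], "big")


def tagged_text(value: bytes) -> str:
    """RFC 2868 string attribute: a leading byte up to 0x1F is treated as a tag."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("utf-8", "replace")


def check_authorization(data: bytes) -> dict:
    """Return the delivered ACL and VLAN plus every broken rule from this section."""
    attrs = parse_attributes(data)
    result = {"acl": None, "vlan": None, "problems": []}
    problems = result["problems"]

    for raw in attrs.get(FILTER_ID, []):
        text = raw.decode("ascii", "replace")
        if text.isdigit() and ACL_MIN <= int(text) <= ACL_MAX:
            result["acl"] = int(text)
        else:
            problems.append(f"Filter-Id {text!r} is not an ACL number in {ACL_MIN}-{ACL_MAX}")

    tunnel_types = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if not any(t in attrs for t in tunnel_types):
        return result                      # no dynamic VLAN was delivered
    before = len(problems)
    missing = [NAMES[t] for t in tunnel_types if t not in attrs]
    if missing:
        problems.append("dynamic VLAN needs all three attributes, missing: " + ", ".join(missing))
    for t, required in ((TUNNEL_TYPE, TUNNEL_TYPE_VLAN), (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)):
        for raw in attrs.get(t, []):
            try:
                value = tagged_int(raw)
            except ValueError as exc:
                problems.append(f"{NAMES[t]}: {exc}")
                continue
            if value != required:
                problems.append(f"{NAMES[t]} is {value}, must be {required}")
    vlans = [tagged_text(raw) for raw in attrs.get(TUNNEL_PRIVATE_GROUP_ID, [])]
    if any(not v for v in vlans):
        problems.append("Tunnel-Private-Group-ID is empty")
    if vlans and len(problems) == before:
        result["vlan"] = vlans[0]          # VLAN ID or VLAN name
    return result


# Constructed sample replies (attribute area only), using ACL 3002 and VLAN 20.
GOOD = (attr(FILTER_ID, b"3002") + attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
        + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
        + attr(TUNNEL_PRIVATE_GROUP_ID, b"20"))
NO_MEDIUM = (attr(FILTER_ID, b"3100") + attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
             + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01lab"))
WRONG_TYPE = (attr(TUNNEL_TYPE, b"\x00\x00\x00\x01")
              + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
              + attr(TUNNEL_PRIVATE_GROUP_ID, b"20"))

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("NO_MEDIUM", NO_MEDIUM), ("WRONG_TYPE", WRONG_TYPE)):
        print(name, check_authorization(sample))
```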


Applicable Products and Versions

Table 4-90 Applicable products and versions

Product       Version
Huawei AC     V200R007C10 and later versions
Cisco ISE     2.0.0.306

Service Requirements
Network access rights are controlled based on user roles when users access the WLAN
through 802.1x authentication.
A large number of employees use wireless terminals to access an enterprise network. To
ensure network security, the administrator needs to control network access rights of terminals.
After successful authentication, terminals can access the service server (with IP address
10.23.105.1) and devices in the laboratory (with VLAN ID 20 and IP address segment
10.23.20.2-10.23.20.100).

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to allocate IP addresses to APs.
  – SwitchB functions as a DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1x+AES


Figure 4-81 Networking for configuring user authorization based on ACL numbers or
dynamic VLANs

Data Planning

Table 4-91 Data planning on the AC

Configuration Item              Data
Management VLAN                 VLAN 100
Service VLAN                    VLAN 101
AC's source interface           VLANIF 100: 10.23.100.1/24
DHCP server                     • The AC functions as a DHCP server to allocate IP
                                  addresses to APs.
                                • SwitchB functions as a DHCP server to assign IP
                                  addresses to STAs.
IP address pool for APs         10.23.100.2-10.23.100.254/24
IP address pool for the STAs    10.23.101.2-10.23.101.254/24
                                10.23.20.101-10.23.20.254/24
RADIUS authentication           • RADIUS server template name: wlan-net
parameters                      • IP address: 10.23.103.1
                                • Authentication port number: 1812
                                • Shared key: huawei@123
                                • Authentication scheme: wlan-net
Resources accessible to users   • Access rights to the laboratory are granted using
after authentication              a dynamic VLAN. The VLAN ID is 20.
                                • Access rights to the service server are granted
                                  using an ACL number. The ACL number is 3002.
802.1x access profile           • Name: wlan-net
                                • Authentication mode: EAP
Authentication profile          • Name: wlan-net
                                • Bound profile and authentication scheme: 802.1x
                                  access profile wlan-net, RADIUS server template
                                  wlan-net, and authentication scheme wlan-net
AP group                        • Name: ap-group1
                                • Bound profile: VAP profile wlan-net and
                                  regulatory domain profile default
Regulatory domain profile       • Name: default
                                • Country code: CN
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+802.1x+AES
VAP profile                     • Name: wlan-net
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLAN 101
                                • Bound profiles: SSID profile wlan-net, security
                                  profile wlan-net, and authentication profile
                                  wlan-net


Table 4-92 Data planning on the Cisco ISE

Configuration Item        Data
Department                R&D
Account                   • Account: huawei
                          • Password: huawei123
Device profile            Huawei
Device name               AC6605
Device's IP address       10.23.102.2/32
RADIUS shared key         huawei@123
Authentication protocol   • MS-CHAPv2
                          • PEAP
                          • CHAP (only for the test-aaa test)
Authorization ACL         3002
Dynamic VLAN              VLAN20

Configuration Roadmap
1. Configure network interworking.
2. Configure basic WLAN services.
3. Configure the parameters for interconnecting the AC and RADIUS server and network
access rights after successful authentication.
4. Configure the Cisco ISE server.
– Add users.
– Add the AC.
– Configure the password authentication protocol.
– Configure authentication policies.
– Configure authorization policies.

Configuration Notes
• Configure port isolation on the interfaces of the device directly connected to APs. If
  port isolation is not configured and direct forwarding is used, a large number of
  unnecessary broadcast packets may be generated in the VLAN, blocking the network and
  degrading user experience.
• The AC and server must have the same RADIUS shared key.
• If a terminal obtains an IP address using DHCP, you need to manually trigger the DHCP
  process to request an IP address after VLAN-based authorization is successful or the
  authorization VLAN changes.


Procedure
Step 1 Configure network interworking.

# Add GE0/0/1 and GE0/0/3 on SwitchA (access switch) to VLAN 20, VLAN 100, and VLAN
101, and GE0/0/2 to VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 20 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 20, VLAN 100, and VLAN 101,
GE0/0/2 to VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, GE0/0/4 to VLAN 104, and
GE0/0/5 to VLAN 105.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 20 100 to 105
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface gigabitethernet 0/0/5
[SwitchB-GigabitEthernet0/0/5] port link-type trunk
[SwitchB-GigabitEthernet0/0/5] port trunk pvid vlan 105
[SwitchB-GigabitEthernet0/0/5] port trunk allow-pass vlan 105
[SwitchB-GigabitEthernet0/0/5] quit

# Create VLANIF 102, VLANIF 103, VLANIF 104, and VLANIF 105 on SwitchB and
configure a default route whose next hop is the address of Router.
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] interface vlanif 105
[SwitchB-Vlanif105] ip address 10.23.105.2 24
[SwitchB-Vlanif105] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# On the AC, add GE0/0/1 connected to SwitchB to VLAN 100 and VLAN 102, create
VLANIF 102, and configure the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

# On SwitchB, configure the VLANIF 20 to assign IP addresses to authorized STAs. The IP
address segment 10.23.20.2-10.23.20.100 cannot be assigned to STAs.
[SwitchB] interface vlanif 20
[SwitchB-Vlanif20] ip address 10.23.20.1 24
[SwitchB-Vlanif20] dhcp select interface
[SwitchB-Vlanif20] dhcp server excluded-ip-address 10.23.20.2 10.23.20.100
[SwitchB-Vlanif20] quit

Step 3 Configure APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default

Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA
Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y

[AC-wlan-radio-0/0] eirp 127


[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.


1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.
[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure an 802.1x access profile to manage 802.1x access control parameters.


# Create the 802.1x access profile wlan-net.
[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.


[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.


# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward

[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101


[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure the authorization parameter ACL 3002 for users who pass authentication.
[AC] acl 3002
[AC-acl-adv-3002] rule 1 permit ip destination 10.23.105.1 0
[AC-acl-adv-3002] rule 2 deny ip destination any
[AC-acl-adv-3002] quit

Step 7 Configure the Cisco ISE server.


1. Log in to the Cisco ISE server.
# Enter the access address of the Cisco ISE server in the address box, which is in the
format of https://Cisco ISE IP. Cisco ISE IP is the IP address of the Cisco ISE server.
# On the displayed page, enter the user name and password to log in to the Cisco ISE
server.
2. Create a department and an account.
# Choose Administration > Identity Management > Groups > User Identity Groups.
In the pane on the right side, click Add and create a department named R&D. Then,
click Submit.

# Choose Administration > Identity Management > Identities > Users. In the pane on
the right side, click Add to create the account with the user name of huawei and
password of huawei123. Add the account to department R&D. Then, click Submit.

3. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the left side, click Add and create a device profile named Huawei. Then, click
Submit.

# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.

4. Configure the authentication protocol.


# Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.
Select Default Network Access and click Edit.

# Select Allow CHAP, Allow MS-CHAPv2, and Allow PEAP. For other parameters,
use the default settings. Click Save.
NOTE

By default, the Cisco ISE disables the CHAP authentication protocol. You need to select the CHAP
authentication protocol on the server so that the CHAP protocol can be used to carry out the test-aaa test
on the AC.

5. Configure the ACL and dynamic VLAN for authorization.

# Choose Policy > Policy Elements > Results > Authorization > Authorization
Profiles. In the pane on the right side, click Add. Enter the name, set the delivery
attribute to Radius:Filter-ID, and enter the ACL number 3002.

# Click Submit to complete the configuration and return to the Authorization Profiles
page.

# In the pane on the right side, click Add, enter the name, and configure the following
delivery attributes.

– Radius:Tunnel-Type: VLAN
– Radius:Tunnel-Medium-Type: 802
– Radius:Tunnel-Private-Group-ID: 20

# Click Submit to complete the configuration.


6. Add an authorization rule.

# Choose Policy > Authorization. In the pane on the right side, click the triangle next to
Edit. Choose Insert New Rule Above to add a new authorization rule named
ACL_VLAN. Set the authorized user group to R&D and select PermitAccess,
ACL_3002, and VLAN_20 under Permissions.

# Click Done on the right side. Then click Save to complete the authorization rule
configuration.

Step 8 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.

Step 9 Verify the configuration.


• An employee can access the service server and laboratory after passing authentication.
• After the authentication succeeds, run the display access-user command on the AC. The
command output shows online employees.
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
UserID Username IP address MAC
Status
------------------------------------------------------------------------------
460 huawei 10.23.20.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End
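
The authorization profiles configured in Step 7 reach the AC as attributes of a RADIUS Access-Accept, which the AC can trust only if the Response Authenticator verifies under the shared key. The following Python code is an added example, not Huawei or Cisco code: it encodes the page's Filter-ID 3002 and VLAN 20 attributes per RFC 2865, RFC 2868 and RFC 3580, verifies the authenticator, and extracts the authorization. The function names, the identifier and the Request Authenticator are constructed, and EAP-Message and Message-Authenticator handling is omitted.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types (RFC 2865, RFC 2868).
ACCESS_ACCEPT = 2
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
# Values used for VLAN assignment (RFC 3580).
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(attr_type, value, tag=0):
    """Tunnel-Type and Tunnel-Medium-Type: one tag octet, then a 24-bit value."""
    return attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def build_access_accept(ident, request_auth, secret, attrs):
    """Server side: authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs


def packet_length(packet):
    """Validate and return the Length field; octets beyond it are padding."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not fit the packet")
    return length


def verify_response(packet, request_auth, secret):
    """Client (AC) side: recompute the authenticator with the local shared key."""
    try:
        length = packet_length(packet)
    except ValueError:
        return False
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:length] + secret
    ).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Return [(type, value), ...]; raise ValueError on malformed lengths."""
    length, pos, out = packet_length(packet), 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        out.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


def authorization(packet):
    """Extract the ACL number and VLAN ID carried in an Access-Accept."""
    acl = vlan = tunnel_type = medium = None
    for attr_type, value in parse_attributes(packet):
        if attr_type == FILTER_ID:
            acl = value.decode("ascii")
        elif attr_type == TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first octet of 0x00-0x1F is a tag; anything above is data.
            text = value[1:] if value[0] <= 0x1F else value
            vlan = int(text.decode("ascii"))
    # The VLAN applies only when type and medium say "VLAN over IEEE 802".
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        vlan = None
    return {"acl": acl, "vlan": vlan}


# Constructed sample: the shared key and authorization values are the ones on
# this page; the identifier (7) and the Request Authenticator are made up.
SHARED_KEY = b"huawei@123"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_access_accept(
    7, REQUEST_AUTH, SHARED_KEY,
    attr(FILTER_ID, b"3002")
    + tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
    + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
    + attr(TUNNEL_PRIVATE_GROUP_ID, b"20"),
)

if __name__ == "__main__":
    print("same key:", verify_response(SAMPLE_ACCEPT, REQUEST_AUTH, SHARED_KEY))
    print("authorization:", authorization(SAMPLE_ACCEPT))
```

A packet whose attributes were changed in transit, or one checked with a different shared key, fails `verify_response`, so its authorization values must not be applied.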

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 20 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 20 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 20 100 to 101
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 20 100 to 105
#
dhcp enable
#
interface Vlanif20
 ip address 10.23.20.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.20.2 10.23.20.100
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
 ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
 ip address 10.23.104.1 255.255.255.0
#
interface Vlanif105
 ip address 10.23.105.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 20 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 103
 port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 104
 port trunk allow-pass vlan 104
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk pvid vlan 105
 port trunk allow-pass vlan 105
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
• Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
 ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
 dot1x-access-profile wlan-net
 authentication-scheme wlan-net
 radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
 radius-server shared-key cipher %^%#r2}aCaYC_5+]c@/eolcB+CNMD=m\g2HmQ1/!crRU%^%#
 radius-server authentication 10.23.103.1 1812 weight 80
#
acl number 3002
 rule 1 permit ip destination 10.23.105.1 0
 rule 2 deny ip
#
aaa
 authentication-scheme wlan-net
  authentication-mode radius
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 dot1x aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
dot1x-access-profile name wlan-net
#
return

4.17.4 Example for Configuring User Authorization Based on User Groups (CLI)

Introduction to User Authorization Based on User Groups


In user authorization, the device controls network access rights based on the user role during
each phase of user authentication.

A user group consists of users (terminals) with the same attributes such as the role and rights.
For example, you can divide users on a campus network into the R&D group, finance group,
marketing group, and guest group based on the enterprise department structure, and grant
different security policies to different departments.

When the AC is interconnected with the Cisco ISE, three authentication methods, that is
Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.

For details about how to configure user authorization based on user groups on the AC, see
Configure a user group.
For details about how to configure user authorization based on user groups on the Cisco ISE
server, see Configure the Cisco ISE.

Applicable Products and Versions

Table 4-93 Applicable products and versions

Product | Version
Huawei AC | V200R007C10 and later versions
Cisco ISE | 2.0.0.306

Service Requirements
Different user groups are created to assign network access rights to different users when they
access the WLAN through 802.1x authentication. Furthermore, users' services are not affected
during roaming in the coverage area.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC and SwitchB function as DHCP servers to assign IP
addresses to APs and STAs, respectively.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1X+AES

Figure 4-82 Networking for configuring user authorization based on user groups

[Figure: network diagram showing the Internet, Router, RADIUS server (10.23.103.1:1812), AC, SwitchB, SwitchA, AP, and STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Data Plan

Table 4-94 Data planning on the AC

Configuration Item | Data
Management VLAN | VLAN 100
Service VLAN | VLAN 101
AC's source interface | VLANIF 100: 10.23.100.1/24
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs, and SwitchB functions as a DHCP server to assign IP addresses to STAs.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for the STAs | 10.23.101.2-10.23.101.254/24
RADIUS authentication parameters | RADIUS server template name: wlan-net; IP address: 10.23.103.1; Authentication port number: 1812; Shared key: huawei@123; Authentication scheme: wlan-net
802.1x access profile | Name: wlan-net; Authentication mode: EAP
Authentication profile | Name: wlan-net; Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net
AP group | Name: ap-group1; Bound profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: China
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+802.1X+AES
VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net
User group | Name: group1; Bound ACL number: 3001; User group right: Only members in the user group can access network resources on 10.23.200.0/24.

Table 4-95 Data planning on the Cisco ISE

Configuration Item | Data
Department | R&D
Account | Account: huawei; Password: huawei123
Device profile | Huawei
Device name | AC6605
Device's IP address | 10.23.102.2/32
RADIUS shared key | huawei@123
Authentication protocol | MS-CHAPv2; PEAP; CHAP (only for the test-aaa test)
User group | group1

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1x authentication and user authorization on the AC.
5. Configure the Cisco ISE server.

Configuration Notes
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• The AC and server must have the same RADIUS shared key.

Procedure
Step 1 Configure network interworking.

# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1

[AC-GigabitEthernet0/0/1] port link-type trunk


[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.

# On the AC, configure the VLANIF 100 to assign IP addresses to APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA
Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.


1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.

[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure an 802.1x access profile to manage 802.1x access control parameters.

# Create the 802.1x access profile wlan-net.


[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.


[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.

# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure a user group.


# Configure the user group group1 that can access the post-authentication domain. Enable
users in group1 to access network resources on the network segment 10.23.200.0/24.

NOTE

Configure the RADIUS server to authorize the user group group1 to authenticated employees.
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip destination 10.23.200.0 0.0.0.255
[AC-acl-adv-3001] rule 2 deny ip destination any
[AC-acl-adv-3001] quit
[AC] user-group group1
[AC-user-group-group1] acl-id 3001
[AC-user-group-group1] quit

Step 7 Configure the Cisco ISE.


1. Log in to the Cisco ISE server.
# Enter the access address of the Cisco ISE server in the address box, which is in the
format of https://Cisco ISE IP. Cisco ISE IP is the IP address of the Cisco ISE server.
# On the displayed page, enter the user name and password to log in to the Cisco ISE
server.
2. Create a department and an account.
# Choose Administration > Identity Management > Groups > User Identity Groups.
In the pane on the right side, click Add and create a department named R&D. Then,
click Submit.

# Choose Administration > Identity Management > Identities > Users. In the pane on
the right side, click Add to create the account with the user name of huawei and
password of huawei123. Add the account to department R&D. Then, click Submit.

3. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the left side, click Add and create a device profile named Huawei. Then, click
Submit.

# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.

4. Configure the authentication protocol.


# Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.
Select Default Network Access and click Edit.

# Select Allow CHAP, Allow MS-CHAPv2, and Allow PEAP. For other parameters,
use the default settings. Click Save.
NOTE

By default, the Cisco ISE disables the CHAP authentication protocol. You need to select the CHAP
authentication protocol on the server so that the CHAP protocol can be used to carry out the test-aaa test
on the AC.

5. Configure an authorized user group.


# Choose Policy > Policy Elements > Results > Authorization > Authorization
Profiles. In the pane on the right side, click Add. Configure Name, Access Type, and
Advanced Attributes Settings. Then, click Submit.

# Choose Policy > Authorization. Click next to Edit and choose Insert New Rule
Above from the menu to add a new authorization policy.

# In the new authorization policy, configure Rule Name, Conditions, and Permissions.
Click Done and then Save.

Step 8 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.

Step 9 Verify the configuration.


• The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
• The STAs obtain IP addresses when they successfully associate with the WLAN.
• A user can use the 802.1x authentication client on an STA for authentication. After
entering the correct user name and password, the user is successfully authenticated and
can access resources on the network segment 10.23.200.0/24. You need to configure the
802.1x authentication client based on the configured authentication mode PEAP. With
Validate server certificate deselected, as in the following steps, the STA does not
verify the identity of the authentication server during PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.

ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. Click OK. On the Wireless Network Properties page, click Advanced
settings. On the Advanced settings page that is displayed, select Specify
authentication mode, set the identity authentication mode to User
authentication, and click OK.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103

#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
• Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
acl number 3001
rule 1 permit ip destination 10.23.200.0 0.0.0.255
rule 2 deny ip
#
user-group group1
acl-id 3001
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net

vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
dot1x-access-profile name wlan-net
#
return

4.17.5 Example for Configuring External Portal Authentication


External Portal Authentication Overview
Portal authentication, also called web authentication, is a method used for Network
Admission Control (NAC). To access the Internet, the user must pass authentication on the
Portal. Portal authentication supports Portal 2.0, Hypertext Transfer Protocol (HTTP), and
Hypertext Transfer Protocol Secure (HTTPS). When a Huawei AC is interconnected with a
Cisco ISE, Portal authentication is implemented based on HTTP or HTTPS. The
configurations for the two authentication methods are similar. The following uses HTTPS
as an example.
For the configuration for external Portal authentication on the AC, see Step 4.
For the configuration on the Cisco ISE server, see Step 5.

Applicable Products and Versions

Table 4-96 Applicable products and versions

Product                             Version
Product                             V200R007C20
Cisco ISE                           2.0.0.306

Service Requirements
To improve WLAN security, an enterprise uses external Portal authentication over
HTTP or HTTPS to control user access.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• Authentication mode: external Portal authentication
• Security policy: open system authentication

Figure 4-83 Networking diagram for configuring external Portal authentication

Data Planning

Table 4-97 Data planning on the AC

Configuration Item                  Data
Management VLAN                     VLAN 100
Service VLAN                        VLAN 101
DHCP server                         The AC functions as the DHCP server to assign IP
                                    addresses to APs, and SwitchB functions as the DHCP
                                    server to assign IP addresses to STAs.
IP address pool for APs             10.23.100.2 to 10.23.100.254/24
IP address pool for the STAs        10.23.101.2 to 10.23.101.254/24
IP address of the AC's source       VLANIF 100: 10.23.100.1/24
interface
AP group                            • Name: ap-group1
                                    • Bound profiles: VAP profile wlan-net and
                                      regulatory domain profile default
AP group                            • Name: default
                                    • Country code: China
SSID profile                        • Name: wlan-net
                                    • SSID name: wlan-net
Security profile                    • Name: wlan-net
                                    • Security policy: open system authentication
Portal authentication parameters    Portal authentication scheme name: wlan-net
                                    Portal server template name: wlan-net
                                    • IP address: 10.23.103.1
                                    • Bound profile: URL template test
                                    • Portal authentication protocol: HTTP
                                    • User name and password that can be submitted by
                                      users in GET mode during Portal authentication
Portal access profile               • Name: wlan-net
                                    • Bound profile: Portal server template wlan-net
URL template                        • Name: test
                                    • URL address: https://10.23.103.1:8443/portal/PortalSetup.action#portal=0ce17ad0-6d90-11e5-978e-005056bf2f0a
                                    • URL symbol: The start character # is replaced
                                      with ?.
Authentication profile              • Name: wlan-net
                                    • Bound profiles and authentication scheme: portal
                                      access profile wlan-net, free-rule template default,
                                      and RADIUS authentication scheme wlan-net
VAP profile                         • Name: wlan-net
                                    • Forwarding mode: direct forwarding
                                    • Service VLAN: VLAN 101
                                    • Bound profiles: SSID profile wlan-net, security
                                      profile wlan-net, and authentication profile wlan-net

Table 4-98 Data planning on the Cisco ISE

Configuration Item                  Data
Department                          Huawei
Account                             Account: huawei
                                    Password: huawei123
Device name                         AC6605
Device's IP address                 10.23.102.2/32
RADIUS shared key                   huawei@123
Authentication protocol             • PAP
                                    • CHAP (only for the test-aaa test)

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure WLAN service parameters.
5. Configure Portal authentication on the AC.
6. Configure the Cisco ISE server.

Configuration Notes
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.

• The AC and server must have the same RADIUS shared key.

Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102

[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.

# On the AC, configure the VLANIF 100 to assign IP addresses to APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

# Configure a static route to 10.0.0.1 (the address assigned to LoopBack0 on the AC in
Step 4), with the AC (10.23.102.2) as the next hop.


[SwitchB] ip route-static 10.0.0.1 32 10.23.102.2

Step 3 Configure APs to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
--------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure external Portal authentication on the AC.


1. Configure RADIUS authentication parameters.
# Configure a RADIUS server template.
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create an AAA scheme and set the authentication method to RADIUS.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure a Portal server profile.


NOTE

Ensure that the Portal server IP address and URL are configured correctly and are the same as those on
the Portal server.
The ISE Portal URL is in the format of
https://10.23.103.1:8443/portal/PortalSetup.action#portal=0ce17ad0-6d90-11e5-978e-005056bf2f0a
and can be obtained through Step 5.5.
[AC] http secure-server ssl-policy default_policy
[AC] http secure-server enable
[AC] portal https-redirect enable
[AC] portal web-authen-server https ssl-policy default_policy port 8443 //Parse the HTTPS authentication request from users and send authentication information to the server.
[AC] interface loopback 0
[AC-LoopBack0] ip address 10.0.0.1 32
[AC-LoopBack0] quit

[AC] url-template name test
[AC-url-template-test] url https://10.23.103.1:8443/portal/PortalSetup.action#portal=0ce17ad0-6d90-11e5-978e-005056bf2f0a
[AC-url-template-test] parameter start-mark #
[AC-url-template-test] url-parameter login-url switch_url https://10.0.0.1:8443/login
[AC-url-template-test] quit
[AC] free-rule-template name default
[AC-free-rule-default] free-rule 0 destination ip 10.0.0.1 mask 255.255.255.255
[AC-free-rule-default] quit
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] url-template test
[AC-web-auth-server-wlan-net] protocol http
[AC-web-auth-server-wlan-net] source-ip 10.23.100.1
[AC-web-auth-server-wlan-net] http get-method enable //Parse the HTTP authentication request from users and send authentication information to the server.
[AC-web-auth-server-wlan-net] quit

3. Configure the Portal access profile wlan-net and configure Layer 3 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net layer3
[AC-portal-access-profile-wlan-net] quit

4. Create the authentication profile wlan-net.


[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] portal-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] free-rule-template default
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

5. Configure WLAN service parameters.


# Create the security profile wlan-net and retain the default security policy (open system
authentication).
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 5 Configure the Cisco ISE.


1. Log in to the Cisco ISE server.
# Enter the access address of the Cisco ISE server in the address box, which is in the
format of https://Cisco ISE IP. Cisco ISE IP is the IP address of the Cisco ISE server.
# On the displayed page, enter the user name and password to log in to the Cisco ISE
server.
2. Add the AC so that the Cisco ISE can interwork with the AC.
# Choose Administration > Network Resources > Network Device Profiles. In the
pane on the left side, click Add and create a device profile named Huawei. Set
Supported Protocols to RADIUS. Then, click Submit.

# Choose Administration > Network Resources > Network Devices. In the pane on
the right side, click Add. Set the device name to AC6605, IP address to 10.23.102.2/32,
and RADIUS shared key to huawei@123. Then, click Submit.

3. Configure the authentication protocol.


# Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols.
Select Default Network Access and click Edit.

# Select Allow CHAP. For other parameters, use the default settings. Click Save.

4. Add a user.
# Choose Administration > Identity Management > Identities > Users. In the pane on
the right side, click Add to create the account with the user name of huawei and
password of huawei123. Then, click Submit.

5. Obtain the URL of the ISE Portal.


# Choose Guest Access > Configure > Guest Portals. On the Guest Portals page,
select Self-Registered Guest Portal(default) and click Edit.

# On the Portals Settings and Customization page, click Portal test URL and copy the
link from the address bar.

Step 6 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.

Step 7 Verify the configuration.


• The WLAN with SSID wlan-net is available for STAs connected to the AP.
• The wireless STA obtains an IP address after it associates with the WLAN.
• When a user opens the browser on the STA, the user is redirected to the Portal
authentication page. After the user enters the correct user name and password and is
successfully authenticated, the user can access the Internet.
• After authentication succeeds, run the display access-user access-type command on the
AC. The command output shows online users.
[AC] display access-user access-type portal
------------------------------------------------------------------------------
UserID Username        IP address       MAC             Status
------------------------------------------------------------------------------
460    huawei          10.23.101.254    8000-6e74-e78a  Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

ip route-static 10.0.0.1 255.255.255.255 10.23.102.2
#
return
• Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
• AC configuration file
#
sysname AC
#
http secure-server ssl-policy default_policy
http server enable
#
portal https-redirect enable
#
vlan batch 100 102
#
authentication-profile name wlan-net
portal-access-profile wlan-net
free-rule-template default
authentication-scheme wlan-net
radius-server wlan-net
#
portal web-authen-server https ssl-policy default_policy
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
free-rule-template name default
free-rule 0 destination ip 10.0.0.1 mask 255.255.255.255
#
url-template name test
url https://10.23.103.1:8443/portal/PortalSetup.action#portal=0ce17ad0-6d90-11e5-978e-005056bf2f0a
parameter start-mark #
url-parameter login-url switch_url https://10.0.0.1:8443/login
#
web-auth-server wlan-net
server-ip 10.23.103.1
url-template test
source-ip 10.23.100.1
protocol http
http get-method enable
#
portal-access-profile name wlan-net
web-auth-server wlan-net layer3
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0

#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface LoopBack0
ip address 10.0.0.1 255.255.255.255
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 ap-mac 60de-4476-e360
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

4.18 Typical Configuration for Interconnection Between AC and Aruba ClearPass Server

4.18.1 Example for Configuring 802.1x Authentication (CLI)

Introduction to 802.1x Authentication


802.1x authentication is a method used for Network Admission Control (NAC). It controls
user access rights based on access ports to protect enterprise intranet security.

802.1x authentication is more secure than MAC address authentication and Portal
authentication; however, it requires 802.1x client software on every user terminal, which
reduces networking flexibility. In contrast, MAC address authentication does not need client
software, but the MAC addresses of user terminals must be registered on the authentication
server, which makes network configuration and management complex. Portal authentication
also does not need client software and allows flexible deployment, but it does not provide
high security. Therefore, 802.1x authentication is applicable to network construction
scenarios where users are densely distributed and high information security is required.

When the AC is interconnected with the Aruba ClearPass, three authentication methods, that
is, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.


For details about how to configure 802.1x authentication on the AC, see Configure 802.1x
authentication on the AC.
For details about how to configure the authentication on the Aruba ClearPass server, see
Configure the Aruba ClearPass.

Applicable Products and Versions

Table 4-99 Applicable products and versions


Product Version

Huawei AC V200R007C10 and later versions

Aruba ClearPass Policy Manager 6.5.0.71095

Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
  to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1x+AES


Figure 4-84 Networking diagram for configuring 802.1x authentication
[Figure: Internet, Router, SwitchB, AC, RADIUS server (10.23.103.1:1812), SwitchA, AP, and STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]


Data Planning

Table 4-100 Data planning on the AC

Configuration Item             Data
Management VLAN                VLAN 100
Service VLAN                   VLAN 101
AC's source interface          VLANIF 100: 10.23.100.1/24
DHCP server                    The AC functions as the DHCP server to assign IP
                               addresses to APs, and SwitchB functions as the DHCP
                               server to assign IP addresses to STAs.
IP address pool for APs        10.23.100.2-10.23.100.254/24
IP address pool for the STAs   10.23.101.2-10.23.101.254/24
RADIUS authentication          • RADIUS server template name: wlan-net
parameters                     • IP address: 10.23.103.1
                               • Authentication port number: 1812
                               • Shared key: huawei@123
                               • Authentication scheme: wlan-net
802.1x access profile          • Name: wlan-net
                               • Authentication mode: EAP
Authentication profile         • Name: wlan-net
                               • Bound profile and authentication scheme: 802.1x
                                 access profile wlan-net, RADIUS server template
                                 wlan-net, and RADIUS authentication scheme
                                 wlan-net
AP group                       • Name: ap-group1
                               • Bound profile: VAP profile wlan-net and
                                 regulatory domain profile default
Regulatory domain profile      • Name: default
                               • Country code: China
SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net
Security profile               • Name: wlan-net
                               • Security policy: WPA-WPA2+802.1x+AES
VAP profile                    • Name: wlan-net
                               • Forwarding mode: direct forwarding
                               • Service VLAN: VLAN 101
                               • Bound profiles: SSID profile wlan-net, security
                                 profile wlan-net, and authentication profile
                                 wlan-net

Table 4-101 Data planning on the Aruba ClearPass

Configuration Item    Data
Account               Account: huawei
                      Password: huawei123
Device name           AC6605
Device's IP address   10.23.102.2/32
RADIUS shared key     huawei@123
Service               • Name: Radius
                      • Type: 802.1X Wireless – Identity Only
                      • Authentication method:
                        – EAP MSCHAPv2
                        – EAP PEAP
                      • Authentication source: Local User Repository[Local SQL DB]

                      • Name: TEST-AAA
                      • Type: 802.1X Wireless – Identity Only
                      • Authentication method: PAP (only for the test-aaa test)
                      • Authentication source: Local User Repository[Local SQL DB]

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure WLAN service parameters.
5. Configure 802.1x authentication on the AC.
6. Configure the Aruba ClearPass server.


Configuration Notes
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• The AC and server must have the same RADIUS shared key.

Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.


<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.


NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.


1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.


[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure an 802.1x access profile to manage 802.1x access control parameters.

# Create the 802.1x access profile wlan-net.


[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.


[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.

# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit


Step 6 Configure the Aruba ClearPass.


1. Log in to the Aruba ClearPass server.
# Enter the access address of the Aruba ClearPass server in the address box, which is in
the format of https://Aruba ClearPass IP. Aruba ClearPass IP is the IP address of the
Aruba ClearPass server.
# Choose ClearPass Policy Manager.
# On the displayed page, enter the user name and password to log in to the Aruba
ClearPass server.
2. Create a local account.
# Choose Configuration > Identity > Local Users. In the pane on the right side, click
Add to create the account with the user name of huawei and password of huawei123.
Select Enable User and choose Role. Then, click Add.

3. Add the AC so that the Aruba ClearPass can interwork with the AC.
# Choose Configuration > Network > Devices. In the pane on the right side, click Add.
Configure Name, IP or Subnet Address, RADIUS Shared Secret, and Vendor Name.
Then, click Add.

4. Configure the service Radius.


# Choose Configuration > Services. In the pane on the right side, click Add.
# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
Radius.


# On the Authentication tab, add EAP PEAP and EAP MSCHAPv2 to Authentication Methods and
[Local User Repository][Local SQL DB] to Authentication Sources. Then, click Save.

# On other tabs, use default settings.


5. Configure the service TEST-AAA.
NOTE

The service TEST-AAA must be added to the server so that the test-aaa test can be carried out on the
AC.
Aruba ClearPass Policy Manager 6.5.0 cannot save CHAP passwords locally. Therefore, only the PAP
protocol can be used to carry out the test-aaa test on the AC to test whether users can pass RADIUS
authentication.

# Choose Configuration > Services. In the pane on the right side, click Add.

# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
TEST-AAA and change NAS-Port-Type in the Service Rule pane to Ethernet(15).

# On the Authentication tab, add PAP to Authentication Methods and [Local User
Repository][Local SQL DB] to Authentication Sources. Then, click Save.


# On other tabs, use default settings.


Step 7 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net pap
Info: Account test succeed.

Step 8 Verify the configuration.


• The WLAN with SSID wlan-net is available for STAs connected to the AP.
• The wireless PC obtains an IP address after it associates with the WLAN.
• Use the 802.1x authentication client on a STA and enter the correct user name and
  password. The STA is authenticated and can access the WLAN. You must configure the
  client for PEAP authentication.
  – Configuration on the Windows XP operating system:
    i. On the Association tab page of the Wireless network properties dialog box,
       add SSID wlan-net, set the authentication mode to WPA2, and encryption
       algorithm to AES.
    ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
        In the Protected EAP Properties dialog box, deselect Validate server
        certificate and click Configure. In the displayed dialog box, deselect
        Automatically use my Windows logon name and password and click OK.
  – Configuration on the Windows 7 operating system:
    i. Access the Manage wireless networks page, click Add, and select Manually
       create a network profile. Add SSID wlan-net. Set the authentication mode to
       WPA2-Enterprise, and encryption algorithm to AES. Click Next.
    ii. Click Change connection settings. On the Wireless Network Properties
        page that is displayed, select the Security tab page and click Settings. In the
        Protected EAP Properties dialog box, deselect Validate server certificate
        and click Configure. In the displayed dialog box, deselect Automatically use
        my Windows logon name and password and click OK.
    iii. Click OK. On the Wireless Network Properties page, click Advanced
         settings. On the Advanced settings page that is displayed, select Specify
         authentication mode, set the identity authentication mode to User
         authentication, and click OK.
• After wireless users connect to the network, run the display access-user access-type
  dot1x command on the AC to view users in 802.1x authentication mode. The user
  huawei has gone online successfully.
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
460 huawei 10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#


ip route-static 0.0.0.0 0.0.0.0 10.23.104.2


#
return
• Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$
%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1


vap-profile wlan-net wlan 1


ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
dot1x-access-profile name wlan-net
#
return
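
A consistency check for the profile bindings in the AC configuration file above, as an added example that is not part of Huawei's documentation or tooling. It parses a configuration dump and reports bindings that do not resolve, an authentication scheme that is not RADIUS, and a VAP profile whose 802.1x access profile is paired with a security policy without dot1x. The names parse, audit, REFERENCES and AC_CONFIG are hypothetical, and the sample is a constructed excerpt with the ciphertext replaced by a placeholder.

```python
import re

# Constructed sample: authentication-related views of the AC configuration file
# above, indented as in a device dump; the ciphertext is a placeholder.
AC_CONFIG = """\
#
authentication-profile name wlan-net
 dot1x-access-profile wlan-net
 authentication-scheme wlan-net
 radius-server wlan-net
#
radius-server template wlan-net
 radius-server shared-key cipher PLACEHOLDER-CIPHERTEXT
 radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
 authentication-scheme wlan-net
  authentication-mode radius
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 dot1x aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
#
dot1x-access-profile name wlan-net
#
"""

# Child commands that name another object: view kind -> {command: kind of target}.
REFERENCES = {
    "authentication-profile": {"dot1x-access-profile": "dot1x-access-profile",
                               "authentication-scheme": "authentication-scheme",
                               "radius-server": "radius-server template"},
    "vap-profile": {"ssid-profile": "ssid-profile",
                    "security-profile": "security-profile",
                    "authentication-profile": "authentication-profile"},
}


def parse(config):
    """Return {(kind, name): [child lines]} for every named object in the dump."""
    objects, current, in_aaa = {}, None, False
    for line in (raw.strip() for raw in config.splitlines()):
        if line in ("#", "aaa"):          # '#' closes a view, 'aaa' opens the AAA view
            current, in_aaa = None, line == "aaa"
            continue
        named = re.fullmatch(r"(\S+) name (\S+)", line)
        template = re.fullmatch(r"radius-server template (\S+)", line)
        scheme = re.fullmatch(r"authentication-scheme (\S+)", line) if in_aaa else None
        if named:
            current = named.groups()
        elif template:
            current = ("radius-server template", template.group(1))
        elif scheme:
            current = ("authentication-scheme", scheme.group(1))
        else:
            if line and current is not None:
                objects[current].append(line)   # ordinary child command
            continue
        objects.setdefault(current, [])
    return objects


def audit(config):
    """Return findings; an empty list means the bindings match the data plan."""
    objects, findings = parse(config), []
    for (kind, name), body in objects.items():
        refs = {}
        for words in (line.split() for line in body):
            target = REFERENCES.get(kind, {}).get(words[0])
            if target and len(words) > 1:
                refs[target] = words[1]
                if (target, words[1]) not in objects:
                    findings.append(f"{kind} {name}: {words[0]} {words[1]} is not defined")
        if kind == "authentication-profile":
            scheme = objects.get(("authentication-scheme", refs.get("authentication-scheme")))
            if scheme is not None and "authentication-mode radius" not in scheme:
                findings.append(f"{kind} {name}: authentication scheme is not RADIUS")
            server = objects.get(("radius-server template", refs.get("radius-server template")))
            for needed in ("radius-server authentication", "radius-server shared-key"):
                if server is not None and not any(l.startswith(needed) for l in server):
                    findings.append(f"{kind} {name}: RADIUS template lacks {needed}")
        if kind == "vap-profile":
            auth = objects.get(("authentication-profile", refs.get("authentication-profile")), [])
            sec = objects.get(("security-profile", refs.get("security-profile")), [])
            policy = next((l for l in sec if l.startswith("security ")), "not configured")
            uses_dot1x = any(l.startswith("dot1x-access-profile ") for l in auth)
            if uses_dot1x and "dot1x" not in policy.split():
                findings.append(f"{kind} {name}: 802.1x is bound but security policy is '{policy}'")
    return findings


if __name__ == "__main__":
    for finding in audit(AC_CONFIG) or ["no findings"]:
        print(finding)
```

Because the parser keys on the view-opening commands rather than on indentation, it also accepts a dump whose leading spaces were lost in copying.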

4.18.2 Example for Configuring MAC Address Authentication (CLI)

Introduction to MAC Address Authentication


MAC address authentication is a method used for Network Admission Control (NAC). It
controls user access rights based on access ports and user MAC addresses to protect security
for enterprise networks.

MAC address authentication does not need client software, but the MAC addresses of user
terminals must be registered on the authentication server, which makes network
configuration and management complex. In contrast, 802.1x authentication needs client
software, which reduces networking flexibility, but it is more secure. Portal
authentication also does not need client software and allows flexible deployment, but it
does not provide high security.

MAC address authentication is applicable to dumb terminals such as printers and fax
machines.

For details about how to configure MAC address authentication on the AC, see Configure
MAC address authentication on the AC.

For details about how to configure MAC address authentication on the Aruba ClearPass
server, see Configure the Aruba ClearPass.

Applicable Products and Versions

Table 4-102 Applicable products and versions

Product Version

Huawei AC V200R007C10 and later versions

Aruba ClearPass Policy Manager 6.5.0.71095

Service Requirements
MAC address authentication is used to authenticate dumb terminals such as wireless network
printers and wireless phones that cannot have an authentication client installed.


Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
  to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• Authentication mode: open system authentication


Figure 4-85 Networking diagram for configuring MAC address authentication
[Figure: Internet, Router, SwitchB, AC, RADIUS server (10.23.103.1:1812), SwitchA, AP, and STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]


Data Planning

Table 4-103 Data planning on the AC

Configuration Item             Data
Management VLAN                VLAN 100
Service VLAN                   VLAN 101
AC's source interface          VLANIF 100: 10.23.100.1/24
DHCP server                    The AC functions as the DHCP server to assign IP
                               addresses to APs, and SwitchB functions as the DHCP
                               server to assign IP addresses to STAs.
IP address pool for APs        10.23.100.2-10.23.100.254/24
IP address pool for the STAs   10.23.101.2-10.23.101.254/24
RADIUS authentication          • RADIUS server template name: wlan-net
parameters                     • IP address: 10.23.103.1
                               • Authentication port number: 1812
                               • Shared key: huawei@123
                               • Authentication scheme: wlan-net
MAC access profile             Name: wlan-net
Authentication profile         • Name: wlan-net
                               • Bound profile and authentication scheme: MAC
                                 access profile wlan-net, RADIUS server template
                                 wlan-net, and authentication scheme wlan-net
AP group                       • Name: ap-group1
                               • Bound profile: VAP profile wlan-net and
                                 regulatory domain profile default
Regulatory domain profile      • Name: default
                               • Country code: CN
SSID profile                   • Name: wlan-net
                               • SSID name: wlan-net
Security profile               • Name: wlan-net
                               • Security policy: open system authentication
VAP profile                    • Name: wlan-net
                               • Forwarding mode: direct forwarding
                               • Service VLAN: VLAN 101
                               • Bound profiles: SSID profile wlan-net, security
                                 profile wlan-net, and authentication profile
                                 wlan-net

Table 4-104 Data planning on the Aruba ClearPass

Configuration Item    Data
Terminals             MAC addresses (use the actual MAC addresses of devices)
Device name           AC6605
Device's IP address   10.23.102.2/32
RADIUS shared key     huawei@123
Service               • Name: Radius
                      • Type: MAC authentication
                      • Authentication method: MAC AUTH
                      • Authentication source: [Endpoints Repository][Local SQL DB]

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure MAC address authentication on the AC.
5. Configure the Aruba ClearPass server.

Configuration Notes
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• The AC and server must have the same RADIUS shared key.
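
Why the shared key in the note above (and in the same note in 4.18.1) has to match on both sides, as an added example that is not part of Huawei's or Aruba's documentation: with PAP, which the test-aaa check in 4.18.1 uses, the User-Password attribute is masked with MD5 over the shared key and the Request Authenticator (RFC 2865), and the reply is verified with the same key. The function names, the fixed Request Authenticator and the mismatched key Huawei@123 are constructed for illustration, and the server is modelled as a single password comparison.

```python
import hashlib
import hmac
import struct


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: mask User-Password in 16-octet blocks."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev                     # each block keys the mask of the next one
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; only correct when the same secret is used."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(prev, mask))
    return clear.rstrip(b"\x00")


def response_authenticator(code, ident, attributes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def server_check(hidden, request_auth, server_secret, stored_password):
    """Server side: unmask with the server's key, compare, and sign the reply."""
    recovered = reveal_password(hidden, server_secret, request_auth)
    code = 2 if hmac.compare_digest(recovered, stored_password) else 3  # Accept / Reject
    return code, response_authenticator(code, 1, b"", request_auth, server_secret)


def nas_accepts_reply(code, reply_auth, request_auth, nas_secret):
    """NAS (AC) side: the reply is trusted only if its authenticator verifies."""
    expected = response_authenticator(code, 1, b"", request_auth, nas_secret)
    return hmac.compare_digest(expected, reply_auth)


def run(nas_secret: bytes, server_secret: bytes):
    """Return (reply code, whether the NAS accepts the reply) for one PAP exchange."""
    request_auth = bytes(range(16))        # constructed; a real NAS uses 16 random octets
    hidden = hide_password(b"huawei123", nas_secret, request_auth)
    code, reply_auth = server_check(hidden, request_auth, server_secret, b"huawei123")
    return code, nas_accepts_reply(code, reply_auth, request_auth, nas_secret)


if __name__ == "__main__":
    print("matching keys:  ", run(b"huawei@123", b"huawei@123"))
    print("mismatched keys:", run(b"huawei@123", b"Huawei@123"))
```

With mismatched keys the correct password still fails, and the AC cannot validate the reply either, so a failed test-aaa does not by itself show that the account is wrong.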

Procedure
Step 1 Configure network interworking.


# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA
Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure MAC address authentication on the AC.


1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.
[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] radius-attribute set Service-Type 10 auth-type mac
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure a MAC access profile.


NOTE
In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for
MAC address authentication.

# Create the MAC access profile wlan-net.


[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the MAC access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.


# Create the security profile wlan-net and set the security policy in the profile. By
default, the security policy is open system authentication.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure the Aruba ClearPass.


1. Log in to the Aruba ClearPass server.
# Enter the access address of the Aruba ClearPass server in the address box, which is in
the format of https://Aruba ClearPass IP. Aruba ClearPass IP is the IP address of the
Aruba ClearPass server.
# Choose ClearPass Policy Manager.
# On the displayed page, enter the user name and password to log in to the Aruba
ClearPass server.

2. Add STAs.
# Choose Configuration > Identity > Endpoints. In the pane on the right side, click
Add. In the Add Endpoint dialog box, set MAC Address and click Add.

3. Add the AC so that the Aruba ClearPass can interwork with the AC.
# Choose Configuration > Network > Devices. In the pane on the right side, click Add.
Configure Name, IP or Subnet Address, RADIUS Shared Secret, and Vendor Name.
Then, click Add.

4. Configure the service Radius.


# Choose Configuration > Services. In the pane on the right side, click Add.
# On the Service tab, set Type to MAC Authentication and Name to Radius.

# On the Authentication tab, add [MAC AUTH] to Authentication Methods and
[Endpoints Repository][Local SQL DB] to Authentication Sources. Then, click Save.

# On other tabs, use default settings.


Step 7 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net
Info: Account test succeed.

Step 8 Verify the configuration.


• After dumb terminals associate with the WLAN, authentication is performed
automatically. After the terminals pass authentication, they can access the network.
• After dumb terminals associate with the WLAN, run the display access-user access-type
mac-authen command on the AC. The command output shows that user huawei
using the mac-authen authentication mode has successfully gone online.
[AC] display access-user access-type mac-authen
------------------------------------------------------------------------------
UserID Username IP address MAC
Status
------------------------------------------------------------------------------
460 huawei 10.23.101.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
 ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
 ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 103
 port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 104
 port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return

• Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
 ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name wlan-net
 mac-access-profile wlan-net
 authentication-scheme wlan-net
 radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
 radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
 radius-server authentication 10.23.103.1 1812 weight 80
 radius-attribute set Service-Type 10 auth-type mac
#
aaa
 authentication-scheme wlan-net
  authentication-mode radius
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
mac-access-profile name wlan-net
#
return
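
The Configuration Notes require port isolation on the interfaces directly connected to APs. The following Python check is an added example, not part of the Huawei document: it parses a switch configuration file and flags AP-facing trunk ports that lack port-isolate enable. The function names are hypothetical, and it assumes an AP-facing port is the one whose PVID is the management VLAN (VLAN 100), as on GE0/0/1 of SwitchA.

```python
import re

# Constructed sample: the SwitchA configuration file from this example.
SWITCH_A = """\
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
return
"""
# Constructed variant with port isolation removed from the AP-facing port.
SWITCH_A_NO_ISOLATION = SWITCH_A.replace(" port-isolate enable group 1\n", "")


def expand_vlans(spec):
    """Expand allow-pass syntax such as '100 to 101 103' into a set of VLAN IDs."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_interfaces(config):
    """Return {interface: {'pvid', 'allowed', 'isolated'}} from a configuration file."""
    ports, current = {}, None
    for line in config.splitlines():
        text = line.strip()  # tolerate files whose indentation was lost
        if text.startswith("interface "):
            current = ports.setdefault(
                text.split(None, 1)[1],
                {"pvid": None, "allowed": set(), "isolated": False})
        elif text in ("#", "return"):
            current = None
        elif current is not None:
            match = re.fullmatch(r"port trunk pvid vlan (\d+)", text)
            if match:
                current["pvid"] = int(match.group(1))
            match = re.fullmatch(r"port trunk allow-pass vlan ([\d to]+)", text)
            if match:
                current["allowed"] |= expand_vlans(match.group(1))
            if text.startswith("port-isolate enable"):
                current["isolated"] = True
    return ports


def audit(config, mgmt_vlan=100):
    """Flag AP-facing trunks without port isolation or with an unusable PVID."""
    findings = []
    for name, port in parse_interfaces(config).items():
        if port["pvid"] is not None and port["pvid"] not in port["allowed"]:
            findings.append(f"{name}: PVID {port['pvid']} is not in the allow-pass list")
        # Assumption: PVID equal to the management VLAN marks an AP-facing port.
        if port["pvid"] == mgmt_vlan and not port["isolated"]:
            findings.append(f"{name}: AP-facing port without port-isolate enable")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as documented", SWITCH_A),
                       ("isolation removed", SWITCH_A_NO_ISOLATION)):
        print(label, audit(cfg))
```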

4.18.3 Example for Configuring User Authorization Based on ACL Numbers or Dynamic VLANs (CLI)

Introduction to User Authorization


In user authorization, the device controls network access rights based on the user role during
each phase of user authentication. After an 802.1x user is successfully authenticated on a
RADIUS server, the server sends authorization information to the access device of the user.
When the Aruba ClearPass functions as a RADIUS server, it can deliver multiple
authorization parameters. The following example uses ACL numbers and dynamic VLANs to
control user authorization.
• Authorization based on ACL numbers
If ACL number delivery is configured on the RADIUS server, authorization information
sent to the access device includes the ACL number. The access device matches ACL
rules based on the delivered ACL number to control user rights.
The RADIUS attribute used for ACL number delivery is (011) Filter-Id.
The ACL numbers supported by the AC range from 3000 to 3031.
• Authorization based on dynamic VLANs
If dynamic VLAN delivery is configured on the RADIUS server, authorization
information sent to the access device includes the VLAN attribute. After the access
device receives the authorization information, it changes the VLAN of the user to the
delivered VLAN. The delivered VLAN does not change or affect the interface
configuration. The priority of the delivered VLAN, however, is higher than that of the
user-configured VLAN. That is, the delivered VLAN takes effect after the authentication
succeeds and the user-configured VLAN takes effect after the user goes offline.
The following RADIUS attributes are used for dynamic VLAN delivery:
– (064) Tunnel-Type (It must be set to VLAN or 13.)
– (065) Tunnel-Medium-Type (It must be set to 802 or 6.)
– (081) Tunnel-Private-Group-ID (It can be a VLAN ID or VLAN name.)
To ensure that the RADIUS server delivers VLAN information correctly, all three
RADIUS attributes must be used. In addition, the Tunnel-Type and Tunnel-Medium-Type
attributes must be set to the specified values.
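
The following Python code is an added example, not part of the Huawei document: it parses the attributes of a RADIUS Access-Accept (RFC 2865 and RFC 2868 layout) and checks them against the rules above, which helps when a user is authenticated but receives no ACL or VLAN. The function names, the packet builder and the sample packets are constructed for illustration, and the check assumes that Filter-Id carries only a decimal ACL number, as in this example.

```python
import struct

FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
ACL_NUMBERS = range(3000, 3032)  # 3000 to 3031, the range stated for the AC
VLAN, IEEE_802 = 13, 6           # required Tunnel-Type / Tunnel-Medium-Type values


def parse_attributes(packet):
    """Return {attribute type: [raw values]} from a RADIUS packet (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute {a_type}")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def tagged_int(value):
    """Tunnel-Type and Tunnel-Medium-Type: one tag octet, then a 3-octet integer."""
    return int.from_bytes(value[1:], "big") if len(value) == 4 else None


def tagged_text(value):
    """Tunnel-Private-Group-ID: a first octet of 0x1F or less is handled as a tag."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii", errors="replace")


def check_authorization(packet):
    """Return (acl, vlan, problems) for the authorization carried in the packet."""
    attrs = parse_attributes(packet)
    acl, vlan, problems = None, None, []
    if FILTER_ID in attrs:
        text = attrs[FILTER_ID][0].decode("ascii", errors="replace")
        if text.isdigit() and int(text) in ACL_NUMBERS:
            acl = int(text)
        else:
            problems.append(f"Filter-Id {text!r} is not an ACL number from 3000 to 3031")
    if any(t in attrs for t in TUNNEL_ATTRS):
        before = len(problems)
        missing = [t for t in TUNNEL_ATTRS if t not in attrs]
        if missing:
            problems.append(f"dynamic VLAN needs attributes 64, 65 and 81; missing {missing}")
        if TUNNEL_TYPE in attrs and tagged_int(attrs[TUNNEL_TYPE][0]) != VLAN:
            problems.append("Tunnel-Type is not VLAN (13)")
        if (TUNNEL_MEDIUM_TYPE in attrs
                and tagged_int(attrs[TUNNEL_MEDIUM_TYPE][0]) != IEEE_802):
            problems.append("Tunnel-Medium-Type is not 802 (6)")
        group = tagged_text(attrs.get(TUNNEL_PRIVATE_GROUP_ID, [b""])[0])
        if TUNNEL_PRIVATE_GROUP_ID in attrs and not group:
            problems.append("Tunnel-Private-Group-ID is empty")
        if len(problems) == before:
            vlan = group  # usable only when all three attributes are valid
    return acl, vlan, problems


def build_accept(attributes):
    """Build a constructed Access-Accept (code 2) with a zeroed authenticator."""
    body = b"".join(bytes([attr, len(value) + 2]) + value for attr, value in attributes)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body


# Constructed samples: ACL 3002 and VLAN 20 from this example, then two faulty replies.
GOOD = build_accept([(11, b"3002"), (64, bytes([0, 0, 0, 13])),
                     (65, bytes([0, 0, 0, 6])), (81, b"20")])
BAD = build_accept([(11, b"3100"), (64, bytes([0, 0, 0, 13])), (81, b"\x0120")])
WRONG_MEDIUM = build_accept([(64, bytes([0, 0, 0, 13])),
                             (65, bytes([0, 0, 0, 1])), (81, b"20")])

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("BAD", BAD), ("WRONG_MEDIUM", WRONG_MEDIUM)):
        print(name, check_authorization(pkt))
```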

When the AC is interconnected with the Aruba ClearPass, three authentication methods, that
is, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.

For details about how to configure user authorization based on ACL numbers on the AC, see
user authorization configuration on the AC.

For details about how to configure user authorization based on ACL numbers on the Aruba
ClearPass server, see Aruba ClearPass configuration.

Applicable Products and Versions

Table 4-105 Applicable products and versions

Product Version

Huawei AC V200R007C10 and later versions

Aruba ClearPass Policy Manager 6.5.0.71095

Service Requirements
Network access rights are controlled based on user roles when users access the WLAN
through 802.1x authentication.

A large number of employees use wireless terminals to access an enterprise network. To
ensure network security, the administrator needs to control network access rights of terminals.
After successful authentication, terminals can access the service server (with IP address
10.23.105.1) and devices in the laboratory (with VLAN ID 20 and IP address segment
10.23.20.2-10.23.20.100).

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to allocate IP addresses to APs.
– SwitchB functions as a DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1x+AES

Figure 4-86 Networking for configuring user authorization based on ACL numbers or
dynamic VLANs

Data Planning

Table 4-106 Data planning on the AC

Configuration Item                  Data
----------------------------------  --------------------------------------------------
Management VLAN                     VLAN 100

Service VLAN                        VLAN 101

AC's source interface               VLANIF 100: 10.23.100.1/24

DHCP server                         • The AC functions as a DHCP server to allocate IP
                                      addresses to APs.
                                    • SwitchB functions as a DHCP server to assign IP
                                      addresses to STAs.

IP address pool for APs             10.23.100.2-10.23.100.254/24

IP address pool for the STAs        10.23.101.2-10.23.101.254/24
                                    10.23.20.101-10.23.20.254/24

RADIUS authentication parameters    • RADIUS server template name: wlan-net
                                    • IP address: 10.23.103.1
                                    • Authentication port number: 1812
                                    • Shared key: huawei@123
                                    • Authentication scheme: wlan-net

Resources accessible to users       • Access rights to the laboratory are granted using
after authentication                  a dynamic VLAN. The VLAN ID is 20.
                                    • Access rights to the service server are granted
                                      using an ACL number. The ACL number is 3002.

802.1x access profile               • Name: wlan-net
                                    • Authentication mode: EAP

Authentication profile              • Name: wlan-net
                                    • Bound profile and authentication scheme: 802.1x
                                      access profile wlan-net, RADIUS server template
                                      wlan-net, and authentication scheme wlan-net

AP group                            • Name: ap-group1
                                    • Bound profile: VAP profile wlan-net and
                                      regulatory domain profile default

Regulatory domain profile           • Name: default
                                    • Country code: CN

SSID profile                        • Name: wlan-net
                                    • SSID name: wlan-net

Security profile                    • Name: wlan-net
                                    • Security policy: WPA-WPA2+802.1x+AES

VAP profile                         • Name: wlan-net
                                    • Forwarding mode: direct forwarding
                                    • Service VLAN: VLAN 101
                                    • Bound profiles: SSID profile wlan-net, security
                                      profile wlan-net, and authentication profile
                                      wlan-net

Table 4-107 Data planning on the Aruba ClearPass

Configuration Item                  Data
----------------------------------  --------------------------------------------------
Account                             • Account: huawei
                                    • Password: huawei123

Device name                         AC6605

Device's IP address                 10.23.102.2/32

RADIUS shared key                   huawei@123

Service                             • Name: Radius
                                    • Type: 802.1x Wireless - Identity Only
                                    • Authentication method:
                                      – MS-CHAPv2
                                      – PEAP
                                    • Authentication source: Local User
                                      Repository[Local SQL DB]

                                    • Name: TEST-AAA
                                    • Type: 802.1x Wireless - Identity Only
                                    • Authentication method: PAP (only for the
                                      test-aaa test)
                                    • Authentication source: Local User
                                      Repository[Local SQL DB]

Authorization ACL                   3002

Dynamic VLAN                        VLAN 20

Configuration Roadmap
1. Configure network interworking.
2. Configure basic WLAN services.
3. Configure the parameters for interconnecting the AC and RADIUS server and network
access rights after successful authentication.
4. Configure the Aruba ClearPass server.
– Add users.
– Add the AC.
– Configure configuration files.
– Configure policies.
– Configure services.

Configuration Notes
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• The AC and server must have the same RADIUS shared key.
• If a terminal obtains an IP address using DHCP, you need to manually trigger the DHCP
process to request an IP address after VLAN-based authorization is successful or the
authorization VLAN changes.

Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/3 on SwitchA (access switch) to VLAN 20, VLAN 100, and VLAN
101, and GE0/0/2 to VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 20 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 100 101
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 20, VLAN 100, and VLAN 101,
GE0/0/2 to VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, GE0/0/4 to VLAN 104, and
GE0/0/5 to VLAN 105.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 20 100 to 105
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface gigabitethernet 0/0/5
[SwitchB-GigabitEthernet0/0/5] port link-type trunk
[SwitchB-GigabitEthernet0/0/5] port trunk pvid vlan 105
[SwitchB-GigabitEthernet0/0/5] port trunk allow-pass vlan 105
[SwitchB-GigabitEthernet0/0/5] quit

# Create VLANIF 102, VLANIF 103, VLANIF 104, and VLANIF 105 on SwitchB and
configure a default route whose next hop is the address of Router.
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] interface vlanif 105
[SwitchB-Vlanif105] ip address 10.23.105.2 24
[SwitchB-Vlanif105] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# On the AC, add GE0/0/1 connected to SwitchB to VLAN 100 and VLAN 102, create
VLANIF 102, and configure the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

# On SwitchB, configure the VLANIF 20 to assign IP addresses to authorized STAs. The IP
address segment 10.23.20.2-10.23.20.100 cannot be assigned to STAs.
[SwitchB] interface vlanif 20
[SwitchB-Vlanif20] ip address 10.23.20.1 24
[SwitchB-Vlanif20] dhcp select interface
[SwitchB-Vlanif20] dhcp server excluded-ip-address 10.23.20.2 10.23.20.100
[SwitchB-Vlanif20] quit

Step 3 Configure APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA
Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.

Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.


1. Configure RADIUS authentication parameters.

# Create a RADIUS server template.


[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure an 802.1x access profile to manage 802.1x access control parameters.

# Create the 802.1x access profile wlan-net.


[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.


[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap


[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.


# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 6 Configure the authorization parameter ACL 3002 for users who pass authentication.
[AC] acl 3002
[AC-acl-adv-3002] rule 1 permit ip destination 10.23.105.1 0
[AC-acl-adv-3002] rule 2 deny ip destination any
[AC-acl-adv-3002] quit

Step 7 Configure the Aruba ClearPass server.


1. Log in to the Aruba ClearPass server.
# Enter the access address of the Aruba ClearPass server in the address box, which is in
the format of https://Aruba ClearPass IP. Aruba ClearPass IP is the IP address of the
Aruba ClearPass server.
# Choose ClearPass Policy Manager.
# On the displayed page, enter the user name and password to log in to the Aruba
ClearPass server.
2. Create a local account.


# Choose Configuration > Identity > Local Users. In the pane on the right side, click
Add to create the account with the user name of huawei and password of huawei123.
Select Enable User and choose Role. Then, click Add.

3. Add the AC so that the Aruba ClearPass can interwork with the AC.

# Choose Configuration > Network > Devices. In the pane on the right side, click Add.
Configure Name, IP or Subnet Address, RADIUS Shared Secret, and Vendor Name.
Then, click Add.

4. Configure the service Radius.

# Choose Configuration > Services. In the pane on the right side, click Add.

# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
Radius, and select Authorization.

# On the Authentication tab, add [EAP PEAP] and [EAP MSCHAPv2] to Authentication Methods
and [Local User Repository][Local SQL DB] to Authentication Sources.


# On the Authorization tab, add [Local User Repository][Local SQL DB] to Authentication Source.

# On other tabs, use default settings. Click Save.


5. Configure the service TEST-AAA.
NOTE

The service TEST-AAA must be added to the server so that the test-aaa test can be carried out on the
AC.
Aruba ClearPass Policy Manager 6.5.0 cannot save CHAP passwords locally. Therefore, only the PAP
protocol can be used to carry out the test-aaa test on the AC to test whether users can pass RADIUS
authentication.

# Choose Configuration > Services. In the pane on the right side, click Add.
# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
TEST-AAA and change NAS-Port-Type in the Service Rule pane to Ethernet(15).

# On the Authentication tab, add PAP to Authentication Methods and [Local User
Repository][Local SQL DB] to Authentication Sources. Then, click Save.


# On other tabs, use default settings.


6. Configure the ACL and dynamic VLAN for authorization.
# Choose Configuration > Enforcement > Profiles. In the pane on the right side, click
Add.
# On the Profile tab, set Template to RADIUS Based Enforcement, and enter
ACLVLAN in the Name field.
# On the Attributes tab, configure attributes and values. Then, click Save.

# For parameters on other tabs, use the default settings.


# Choose Configuration > Enforcement > Policies. In the pane on the right side, click
Add.
# On the Enforcement tab, enter ACLVLAN in the Name field, set Enforcement Type
to RADIUS and Default Profile to Allow Access Profile.

# On the Rules tab, click Add Rule. On the Rules Editor tab, set Type to
Authentication, Name to Username, Operator to EQUALS, Value to huawei, and
Profile Names to [RADIUS]ACLVLAN. This configuration is used to deliver the
authorization ACL and dynamic VLAN to user huawei. Then, click Save.


# On the Rules tab, click Add Rule. On the Rules Editor tab, set Type to
Authentication, Name to Username, Operator to NOT_EQUALS, Value to huawei,
and Profile Names to [RADIUS][Allow Access Profile]. This configuration is used to
allow users to pass authentication without authorization operations. Then, click Save.

# Click Save to complete the configuration.


7. Bind authorization policies.
# Choose Configuration > Services. In the pane on the right side, click service name
Radius to open the Edit tab. Select the Enforcement tab, set Enforcement Policy to
ACLVLAN, and then click Save.

Step 8 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net pap
Info: Account test succeed.

Step 9 Verify the configuration.


• An employee can access the service server and laboratory after passing authentication.
• After the authentication succeeds, run the display access-user command on the AC. The
command output shows online employees.
[AC] display access-user access-type dot1x
------------------------------------------------------------------------------
UserID Username IP address MAC Status
------------------------------------------------------------------------------
460 huawei 10.23.20.254 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 20 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 20 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 20 100 to 101
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 20 100 to 105
#
dhcp enable
#
interface Vlanif20
 ip address 10.23.20.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.20.2 10.23.20.100
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
 ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
 ip address 10.23.104.1 255.255.255.0
#
interface Vlanif105
 ip address 10.23.105.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 20 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 103
 port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 104
 port trunk allow-pass vlan 104
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk pvid vlan 105
 port trunk allow-pass vlan 105
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
• Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
 ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
 dot1x-access-profile wlan-net
 authentication-scheme wlan-net
 radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
 radius-server shared-key cipher %^%#r2}aCaYC_5+]c@/eolcB+CNMD=m\g2HmQ1/!crRU%^%#
 radius-server authentication 10.23.103.1 1812 weight 80
#
acl number 3002
 rule 1 permit ip destination 10.23.105.1 0
 rule 2 deny ip
#
aaa
 authentication-scheme wlan-net
  authentication-mode radius
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 dot1x aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
dot1x-access-profile name wlan-net
#
return

4.18.4 Example for Configuring User Authorization Based on User Groups (CLI)
Introduction to User Authorization Based on User Groups
In user authorization, the device controls network access rights based on the user role during
each phase of user authentication.
A user group consists of users (terminals) with the same attributes such as the role and rights.
For example, you can divide users on a campus network into the R&D group, finance group,
marketing group, and guest group based on the enterprise department structure, and grant
different security policies to different departments.
When the AC is interconnected with the Aruba ClearPass, three authentication methods, that
is, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol
(CHAP), and Extensible Authentication Protocol (EAP), can be used in 802.1x authentication.
The configurations for the three authentication methods are similar. The following uses EAP
as an example.
For details about how to configure user authorization based on user groups on the AC, see
Configure a user group.
For details about how to configure user authorization based on user groups on the Aruba
ClearPass server, see Configure the Aruba ClearPass.


Applicable Products and Versions

Table 4-108 Applicable products and versions


| Product | Version |
| --- | --- |
| Huawei AC | V200R007C10 and later versions |
| Aruba ClearPass Policy Manager | 6.5.0.71095 |

Service Requirements
Different user groups are created to assign network access rights to different users when they
access the WLAN through 802.1x authentication. Furthermore, users' services are not affected
during roaming in the coverage area.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC and SwitchB function as DHCP servers to assign IP
addresses to APs and STAs, respectively.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1X+AES


Figure 4-87 Networking for configuring user authorization based on user groups

[Network diagram: Internet, Router, SwitchB, AC, RADIUS server (10.23.103.1:1812), SwitchA, AP,
and STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]


Data Plan

Table 4-109 Data planning on the AC


| Configuration Item | Data |
| --- | --- |
| Management VLAN | VLAN 100 |
| Service VLAN | VLAN 101 |
| AC's source interface | VLANIF 100: 10.23.100.1/24 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs, and SwitchB functions as a DHCP server to assign IP addresses to STAs. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for the STAs | 10.23.101.2-10.23.101.254/24 |
| RADIUS authentication parameters | RADIUS server template name: wlan-net; IP address: 10.23.103.1; Authentication port number: 1812; Shared key: huawei@123; Authentication scheme: wlan-net |
| 802.1x access profile | Name: wlan-net; Authentication mode: EAP |
| Authentication profile | Name: wlan-net; Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net |
| AP group | Name: ap-group1; Bound profile: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+802.1X+AES |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net |
| User group | Name: group1; Bound ACL number: 3001; User group right: Only members in the user group can access network resources on 10.23.200.0/24. |

Table 4-110 Data planning on the Aruba ClearPass


| Configuration Item | Data |
| --- | --- |
| Department | R&D |
| Account | Account: huawei; Password: huawei123 |
| Device profile | Huawei |
| Device name | AC6605 |
| Device's IP address | 10.23.102.2/32 |
| RADIUS shared key | huawei@123 |
| Authentication protocol | MS-CHAPv2; PEAP; CHAP (only for the test-aaa test) |
| User group | User-group |

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure 802.1x authentication and user authorization on the AC.
5. Configure the Aruba ClearPass server.

Configuration Notes
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• The AC and server must have the same RADIUS shared key.

Procedure
Step 1 Configure network interworking.

# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1


[AC-GigabitEthernet0/0/1] port link-type trunk


[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.

# On the AC, configure the VLANIF 100 to assign IP addresses to APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure APs to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.


NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure the AP channel and power.


NOTE

The settings of the AP channel and power in this example are for reference only. You need to configure the
AP channel and power based on the actual country code and network planning.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name default
[AC-wlan-rrm-prof-default] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-default] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-default] quit

# Configure the channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Configure the channel and power for radio 1.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 5 Configure 802.1x authentication on the AC.


1. Configure RADIUS authentication parameters.
# Create a RADIUS server template.


[AC-wlan-view] quit
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure an 802.1x access profile to manage 802.1x access control parameters.

# Create the 802.1x access profile wlan-net.


[AC] dot1x-access-profile name wlan-net

# Configure EAP relay authentication.


[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

3. Create the authentication profile wlan-net and bind it to the 802.1x access profile,
authentication scheme, and RADIUS server template.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

4. Configure WLAN service parameters.

# Create the security profile wlan-net and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit


Step 6 Configure a user group.


# Configure the user group group1 that can access the post-authentication domain. Enable
users in group1 to access network resources on the network segment 10.23.200.0/24.

NOTE

Configure the RADIUS server to authorize the user group group1 to authenticated employees.
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip destination 10.23.200.0 0.0.0.255
[AC-acl-adv-3001] rule 2 deny ip destination any
[AC-acl-adv-3001] quit
[AC] user-group group1
[AC-user-group-group1] acl-id 3001
[AC-user-group-group1] quit
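
The effect of the two authorization ACLs on this page (ACL 3002 in the previous example and ACL 3001 bound to group1 here) can be checked offline. The following is an added example, not Huawei code: it assumes the default match order (rules evaluated by ascending rule ID, first match wins), parses only the rule forms that appear on this page, and uses constructed test destinations.

```python
"""Added example: first-match evaluation of the authorization ACLs shown on this page."""
import ipaddress
import re

# Rules copied from the page: ACL 3002 (authorization ACL) and ACL 3001 (user group group1).
ACL_TEXT = {
    3002: """
rule 1 permit ip destination 10.23.105.1 0
rule 2 deny ip destination any
""",
    3001: """
rule 1 permit ip destination 10.23.200.0 0.0.0.255
rule 2 deny ip destination any
""",
}

RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+destination\s+(?P<addr>\S+)(?:\s+(?P<wild>\S+))?)?\s*$"
)


def parse_acl(text):
    """Return rules as (rule_id, action, address_int, wildcard_int), sorted by rule ID."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        addr, wild = m["addr"], m["wild"]
        if addr is None or addr == "any":
            # No destination clause, or "any": every address bit is ignored.
            addr_i, wild_i = 0, 0xFFFFFFFF
        else:
            addr_i = int(ipaddress.IPv4Address(addr))
            # A bare 0 is the host wildcard: all 32 bits must match.
            wild_i = 0 if wild in (None, "0") else int(ipaddress.IPv4Address(wild))
        rules.append((int(m["id"]), m["action"], addr_i, wild_i))
    return sorted(rules)


def evaluate(rules, dst):
    """First matching rule wins; returns (action, rule_id) or ("no-match", None)."""
    dst_i = int(ipaddress.IPv4Address(dst))
    for rule_id, action, addr_i, wild_i in rules:
        care = ~wild_i & 0xFFFFFFFF  # wildcard bit 0 = must match, 1 = ignored
        if (dst_i & care) == (addr_i & care):
            return action, rule_id
    return "no-match", None


def check(acl_number, destinations):
    """Evaluate each destination against one of the page's ACLs."""
    rules = parse_acl(ACL_TEXT[acl_number])
    return {dst: evaluate(rules, dst) for dst in destinations}


if __name__ == "__main__":
    # Constructed destinations: one inside each permitted range, the rest outside it.
    samples = (
        (3002, ["10.23.105.1", "10.23.105.2", "10.23.103.1"]),
        (3001, ["10.23.200.7", "10.23.201.7", "10.23.103.1"]),
    )
    for acl, dsts in samples:
        for dst, (action, rule_id) in check(acl, dsts).items():
            print(f"ACL {acl}: {dst:<13} -> {action} (rule {rule_id})")
```

The run shows that ACL 3002 opens exactly one host while ACL 3001 opens the whole 10.23.200.0/24 segment, and that every other destination falls through to rule 2.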

Step 7 Configure the Aruba ClearPass.


1. Log in to the Aruba ClearPass server.
# Enter the access address of the Aruba ClearPass server in the address box, which is in
the format of https://Aruba ClearPass IP. Aruba ClearPass IP is the IP address of the
Aruba ClearPass server.
# Choose ClearPass Policy Manager.
# On the displayed page, enter the user name and password to log in to the Aruba
ClearPass server.
2. Create a local account.
# Choose Configuration > Identity > Local Users. In the pane on the right side, click
Add to create the account with the user name of huawei and password of huawei123.
Select Enable User and choose Role. Then, click Add.

3. Add the AC so that the Aruba ClearPass can interwork with the AC.
# Choose Configuration > Network > Devices. In the pane on the right side, click Add.
Configure Name, IP or Subnet Address, RADIUS Shared Secret, and Vendor Name.
Then, click Add.


4. Configure the service Radius.

# Choose Configuration > Services. In the pane on the right side, click Add.

# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
Radius, and select Authorization.

# On the Authentication tab, add [EAP PEAP] and [EAP MSCHAPv2] to Authentication Methods
and [Local User Repository][Local SQL DB] to Authentication Sources.

# On the Authorization tab, add [Local User Repository][Local SQL DB] to Authentication Source.

# On other tabs, use default settings. Click Save.


5. Configure the service TEST-AAA.


NOTE

The service TEST-AAA must be added to the server so that the test-aaa test can be carried out on the
AC.
Aruba ClearPass Policy Manager 6.5.0 cannot save CHAP passwords locally. Therefore, only the PAP
protocol can be used to carry out the test-aaa test on the AC to test whether users can pass RADIUS
authentication.

# Choose Configuration > Services. In the pane on the right side, click Add.
# On the Service tab, set Type to 802.1X Wireless – Identity Only and Name to
TEST-AAA and change NAS-Port-Type in the Service Rule pane to Ethernet(15).

# On the Authentication tab, add PAP to Authentication Methods and [Local User
Repository][Local SQL DB] to Authentication Sources. Then, click Save.

# On other tabs, use default settings.


6. Configure an authorized user group.
# Choose Configuration > Enforcement > Profiles. In the pane on the right side, click
Add. On the Profile tab, set Template to RADIUS Based Enforcement and Name to
User-group.


# On the Attributes tab, set Type to Radius:IETF and Filter-ID to group1. Then, click
Save.

# Choose Configuration > Enforcement > Policies. In the pane on the right side, click
Add. Set Name to User-group, Enforcement Type to RADIUS, and Default Profile to
[Allow Access Profile].

# On the Rules tab, click Add Rule. On the displayed Rules Editor tab, set Type to
Authentication, Name to Username, Operator to EQUALS, Value to huawei, and
Profile Names to [RADIUS] User-group. This configuration is used to deliver rights
configured for User-group to user huawei. Click Save.

# Use the same method to add a new rule. Set Type to Authentication, Name to
Username, Operator to NOT_EQUALS, Value to huawei, Profile Names to
[RADIUS] [Allow Access Profile]. This configuration is used to allow users to pass
authentication without authorization operations. Click Save.


# Click Save in the lower right corner.


7. Bind authorization policies.

# Choose Configuration > Services. Click service Radius to open the edit tab. Select
the Enforcement tab, and then set Enforcement Policy to User-group. Click Save.

Step 8 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa huawei huawei123 radius-template wlan-net pap
Info: Account test succeed.

Step 9 Verify the configuration.


l The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
l The STAs obtain IP addresses when they successfully associate with the WLAN.
l A user can use the 802.1x authentication client on an STA for authentication. After
entering the correct user name and password, the user is successfully authenticated and
can access resources on the network segment 10.23.200.0/24. You need to configure the
802.1x authentication client based on the configured authentication mode PEAP.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.


ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. Click OK. On the Wireless Network Properties page, click Advanced
settings. On the Advanced settings page that is displayed, select Specify
authentication mode, set the identity authentication mode to User
authentication, and click OK.

----End

Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

l SwitchB configuration file


#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103


#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
#
return
l Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 102
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
acl number 3001
rule 1 permit ip destination 10.23.200.0 0.0.0.255
rule 2 deny ip
#
user-group group1
acl-id 3001
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa-wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net


vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
dot1x-access-profile name wlan-net
#
return
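
The authorization path configured above, modelled in Python as an added example (not part of the original guide or of either vendor's software): the ClearPass enforcement rules choose a profile by user name, the profile's Filter-Id names the AC user group group1, and that group's ACL 3001 decides which destinations are reachable. First-match rule order, the unrestricted treatment of users without a Filter-Id, and the user name guest1 are assumptions of this model.

```python
import ipaddress

# ClearPass enforcement policy "User-group" as configured in step 6.
# Rules are tried in order and the first match wins (assumed for this model).
ENFORCEMENT_RULES = [
    ("EQUALS", "huawei", "User-group"),
    ("NOT_EQUALS", "huawei", "Allow Access Profile"),
]
DEFAULT_PROFILE = "Allow Access Profile"
# RADIUS attributes each enforcement profile adds to the Access-Accept.
PROFILES = {
    "User-group": {"Filter-Id": "group1"},
    "Allow Access Profile": {},
}

# Excerpt of the AC configuration file shown above.
AC_CONFIG = """\
acl number 3001
 rule 1 permit ip destination 10.23.200.0 0.0.0.255
 rule 2 deny ip
#
user-group group1
 acl-id 3001
#
"""


def authorize(username):
    """Return the attributes the enforcement policy delivers for a user name."""
    for operator, value, profile in ENFORCEMENT_RULES:
        matched = (username == value) if operator == "EQUALS" else (username != value)
        if matched:
            return dict(PROFILES[profile])
    return dict(PROFILES[DEFAULT_PROFILE])


def parse_rule(line):
    """Parse 'rule <id> permit|deny ip [destination <addr> <wildcard>]'."""
    tok = line.split()
    dest = None
    if "destination" in tok:
        i = tok.index("destination")
        dest = (int(ipaddress.IPv4Address(tok[i + 1])),
                int(ipaddress.IPv4Address(tok[i + 2])))
    return int(tok[1]), tok[2], dest


def parse_ac_config(text):
    """Collect ACL rules and user-group -> ACL bindings from a config excerpt."""
    acls, groups = {}, {}
    kind = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("acl number "):
            kind, key = "acl", int(line.split()[2])
            acls[key] = []
        elif line.startswith("user-group "):
            kind, key = "group", line.split()[1]
        elif line == "#":
            kind = key = None
        elif kind == "acl" and line.startswith("rule "):
            acls[key].append(parse_rule(line))
        elif kind == "group" and line.startswith("acl-id "):
            groups[key] = int(line.split()[1])
    return acls, groups


def acl_permits(rules, dst_ip):
    """Evaluate rules by ascending rule ID; the first match decides."""
    dst = int(ipaddress.IPv4Address(dst_ip))
    for _rule_id, action, dest in sorted(rules, key=lambda r: r[0]):
        # A wildcard bit of 1 means "ignore this bit" when comparing.
        if dest is None or ((dst ^ dest[0]) & ~dest[1] & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False  # no rule matched: treated as deny in this model (assumption)


def is_permitted(username, dst_ip, ac_config=AC_CONFIG):
    """Follow user name -> Filter-Id -> user group -> ACL for one destination."""
    acls, groups = parse_ac_config(ac_config)
    group = authorize(username).get("Filter-Id")
    if group is None:
        return True  # no user group delivered, so no group ACL applies
    if group not in groups or groups[group] not in acls:
        raise LookupError(f"Filter-Id {group!r} has no usable user-group on the AC")
    return acl_permits(acls[groups[group]], dst_ip)


if __name__ == "__main__":
    for user, dst in [("huawei", "10.23.200.7"), ("huawei", "10.23.104.2"),
                      ("guest1", "10.23.104.2")]:
        print(user, dst, "permit" if is_permitted(user, dst) else "deny")
```

A Filter-Id that names a user group missing on the AC raises LookupError, which is the mismatch to look for when user huawei authenticates but is not restricted as planned.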

4.18.5 Example for Configuring External Portal Authentication


External Portal Authentication Overview
Portal authentication is a method used for Network Admission Control (NAC) and is also
called web authentication. To access the Internet, the user must pass authentication on the
Portal. Portal authentication supports Portal 2.0, Hypertext Transfer Protocol (HTTP), and
Hypertext Transfer Protocol Secure (HTTPS). When a Huawei AC is interconnected with an
Aruba ClearPass server, Portal authentication is implemented based on HTTP or HTTPS.
The configurations for the two authentication methods are similar. The following uses
HTTPS as an example.
For the configuration for external Portal authentication on the AC, see Step 4.
For the configuration on the Aruba ClearPass server, see Step 5.

Applicable Products and Versions

Table 4-111 Applicable products and versions


Product            Version
Product            V200R007C20
Aruba ClearPass    6.5.0.31375


Service Requirements
To improve WLAN security, an enterprise uses external Portal authentication over
HTTP or HTTPS to control user access.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l Authentication mode: external Portal authentication
l Security policy: open system authentication

Figure 4-88 Networking diagram for configuring external Portal authentication


Data Planning

Table 4-112 Data planning on the AC


Configuration Item
  Data

Management VLAN
  VLAN 100

Service VLAN
  VLAN 101

DHCP server
  The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB
  functions as the DHCP server to assign IP addresses to STAs.

IP address pool for APs
  10.23.100.2 to 10.23.100.254/24

IP address pool for the STAs
  10.23.101.2 to 10.23.101.254/24

IP address of the AC's source interface
  VLANIF 100: 10.23.100.1/24

AP group
  l Name: ap-group1
  l Bound profiles: VAP profile wlan-net and regulatory domain profile default

AP group
  l Name: default
  l Country code: China

SSID profile
  l Name: wlan-net
  l SSID name: wlan-net

Security profile
  l Name: wlan-net
  l Security policy: open system authentication

Portal authentication parameters
  Portal authentication scheme name: wlan-net
  Portal server template name: wlan-net
  l IP address: 10.23.103.1
  l Portal authentication protocol: HTTP
  l URL address: https://10.23.103.1/guest/huawei.php

Portal access profile
  l Name: wlan-net
  l Bound profile: Portal server template wlan-net

Authentication profile
  l Name: wlan-net
  l Bound profiles and authentication scheme: portal access profile wlan-net,
    free-rule template default, and RADIUS authentication scheme wlan-net

VAP profile
  l Name: wlan-net
  l Forwarding mode: direct forwarding
  l Service VLAN: VLAN 101
  l Bound profiles: SSID profile wlan-net, security profile wlan-net, and
    authentication profile wlan-net

Table 4-113 Data planning on the Aruba ClearPass


Configuration Item
  Data

Department
  Huawei

Account
  Account: test@huawei.com
  Password: 470541 (manually set or randomly generated by the Aruba ClearPass
  server)

Device name
  AC6605

Device's IP address
  10.23.102.2/32

RADIUS shared key
  huawei@123

Authentication protocol
  l PAP
  l CHAP

Configuration Roadmap
1. Configure network interworking.
2. Configure the AC and SwitchB to assign IP addresses to APs and STAs, respectively.
3. Configure APs to go online.
4. Configure WLAN service parameters.
5. Configure Portal authentication on the AC.
6. Configure the Aruba ClearPass server.

Configuration Notes
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l The AC and server must have the same RADIUS shared key.


Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
the static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 101 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1


# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.

# On the AC, configure the VLANIF 100 to assign IP addresses to APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

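# On SwitchB, configure a static route to 10.0.0.1, the AC's LoopBack0 address configured in
Step 4, with the AC (10.23.102.2) as the next hop.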


[SwitchB] ip route-static 10.0.0.1 32 10.23.102.2

Step 3 Configure APs to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and bind
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline to the AC and add the APs to the AP group ap-group1. Configure
names for the APs based on the AP locations, so that you can know where the APs are
located. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 and radio 1 operate
on the 2.4 GHz and 5 GHz bands respectively.


[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S
--------------------------------------------------------------------------------
Total: 1

Step 4 Configure external Portal authentication on the AC.


1. Configure RADIUS authentication parameters.
# Configure a RADIUS server template.
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] quit

# Create an AAA scheme and set the authentication method to RADIUS.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit

2. Configure a Portal server profile.


NOTE

Ensure that the Portal server IP address and URL are configured correctly and are the same as those on
the Portal server.
The ClearPass Portal URL is in the format https://10.23.103.1/guest/huawei.php?_browser=1 and can be
obtained in Step 5.2.
[AC] http secure-server ssl-policy default_policy
[AC] http secure-server enable
[AC] portal https-redirect enable
[AC] portal web-authen-server https ssl-policy default_policy port 8443 //Parse the HTTPS authentication request from users and send authentication information to the server.
[AC] interface loopback 0
[AC-LoopBack0] ip address 10.0.0.1 32
[AC-LoopBack0] quit
[AC] free-rule-template name default
[AC-free-rule-default] free-rule 0 destination ip 10.0.0.1 mask 255.255.255.255
[AC-free-rule-default] quit
[AC-free-rule-default] quit
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] url https://10.23.103.1/guest/huawei.php
[AC-web-auth-server-wlan-net] source-ip 10.23.100.1
[AC-web-auth-server-wlan-net] protocol http
[AC-web-auth-server-wlan-net] quit


3. Configure the Portal access profile wlan-net and configure Layer 3 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net layer3
[AC-portal-access-profile-wlan-net] quit

4. Create the authentication profile wlan-net.


[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] portal-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] free-rule-template default
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

5. Configure WLAN service parameters.

# Create the security profile wlan-net and retain the default security policy (open system
authentication).
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-net, configure the direct data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile wlan-net to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 5 Configure the Aruba ClearPass server.


1. Log in to the Aruba ClearPass server.

# Enter the access address of the Aruba ClearPass server in the address box, which is in
the format of https://Aruba ClearPass IP. Aruba ClearPass IP is the IP address of the
Aruba ClearPass server.

# Click ClearPass Guest.

# On the displayed page, enter the user name and password to log in to the Aruba
ClearPass server.
2. Configure the authentication page.

# Choose Configuration > Pages > Web Logins. Click Create a new web login page
in the right pane.


# Set parameters as follows:


– Name: huawei
– Page Name: huawei
– Vendor Settings: Custom Settings
– Submit URL: https://10.0.0.1:8443/login, the same as the authentication address
configured on the AC
– Username Field: username
– Password Field: password
Retain the default settings for other parameters.

# Click Save Changes.

# Click Test mapping huawei. Record the URL of the displayed page, for example,
https://10.23.103.1/guest/huawei.php?_browser=1.

3. Add guest accounts.

# Choose Guest > Create Account. Set Guest's Name to test@huawei.com, Company
Name to huawei, and Email Address to test@huawei.com. Record the generated
password and select Terms of Use.


# Click Create.
4. Add the AC so that the Aruba ClearPass server can interwork with the AC.
# On the ClearPass home page, click ClearPass Policy Manager. On the page that is
displayed, enter the user name and password.
# Choose Configuration > Network > Devices. Click Add on the page. In the Add
Device dialog box that is displayed, set parameters as follows:
– Name: AC6605
– IP or Subnet Address: 10.23.102.2
– RADIUS Shared Secret and Verify: huawei@123
– Vendor Name: Huawei
Click Add.

5. Add the guest access service.


# Choose Configuration > Start Here. Click Guest Access - Web Login in the right
pane.


# On the General tab page, set Name Prefix to huawei.

# On the Service Rule tab page, set Page name to huawei.

# Click Add Service.


6. Configure the RADIUS service.

# Choose Configuration > Services. Click Add in the right pane.

# On the Authentication tab page, add authentication methods [CHAP] and [PAP], and
authentication sources [Guest User Repository][Local SQL DB] and [Local User
Repository][Local SQL DB].

# On other tabs, use default settings. Click Save.

Step 6 On the AC, check whether users can pass RADIUS authentication.
[AC] test-aaa test@huawei.com 470541 radius-template wlan-net
Info: Account test succeed.

Step 7 Verify the configuration.


l The WLAN with SSID wlan-net is available for STAs connected to the AP.
l The wireless STA obtains an IP address after it associates with the WLAN.
l When a user opens the browser on the STA, the user is redirected to the Portal
authentication page. After the user enters the correct user name and password and is
successfully authenticated, the user can access the Internet.
l After authentication succeeds, run the display access-user access-type command on the
AC. The command output shows online users.
[AC] display access-user access-type portal
------------------------------------------------------------------------------
UserID  Username  IP address     MAC             Status
------------------------------------------------------------------------------
460     huawei    10.23.101.254  8000-6e74-e78a  Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

l SwitchB configuration file


#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
ip route-static 10.0.0.1 255.255.255.255 10.23.102.2
#
return


l Router configuration file


#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return

l AC configuration file
#
sysname AC
#
http secure-server ssl-policy default_policy
http server enable
#
portal https-redirect enable
#
vlan batch 100 102
#
authentication-profile name wlan-net
portal-access-profile wlan-net
free-rule-template default
authentication-scheme wlan-net
radius-server wlan-net
#
portal web-authen-server https ssl-policy default_policy
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
free-rule-template name default
free-rule 0 destination ip 10.0.0.1 mask 255.255.255.255
#
web-auth-server wlan-net
server-ip 10.23.103.1
url https://10.23.103.1/guest/huawei.php
source-ip 10.23.100.1
protocol http
#
portal-access-profile name wlan-net
web-auth-server wlan-net layer3
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface LoopBack0
ip address 10.0.0.1 255.255.255.255
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#


capwap source interface vlanif100


#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 ap-mac 60de-4476-e360
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
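
A consistency check for the values this example spreads across three devices, added here as an illustration and not taken from the original guide: the ClearPass Submit URL, the AC's Portal listener, LoopBack0 address and free rule, and SwitchB's static route must all agree or the login form cannot reach the AC. The function names and the treatment of SwitchB as the STAs' gateway are assumptions; the configuration lines are those from Step 2, Step 4 and Step 5 above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Lines taken from Step 4 (AC), Step 2 (SwitchB) and Step 5.2 (ClearPass).
AC_CONFIG = """\
portal web-authen-server https ssl-policy default_policy port 8443
interface LoopBack0
 ip address 10.0.0.1 255.255.255.255
free-rule-template name default
 free-rule 0 destination ip 10.0.0.1 mask 255.255.255.255
web-auth-server wlan-net
 server-ip 10.23.103.1
 url https://10.23.103.1/guest/huawei.php
"""
SWITCHB_ROUTES = """\
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
ip route-static 10.0.0.1 255.255.255.255 10.23.102.2
"""
CLEARPASS = {
    "submit_url": "https://10.0.0.1:8443/login",
    "page_url": "https://10.23.103.1/guest/huawei.php?_browser=1",
}
AC_NEXT_HOP = "10.23.102.2"  # AC VLANIF 102 address, as seen from SwitchB


def _first(pattern, text):
    """Return the capture groups of the first match, or None."""
    m = re.search(pattern, text, re.M)
    return m.groups() if m else None


def check_portal(ac_cfg, switchb_routes, clearpass, ac_next_hop=AC_NEXT_HOP):
    """Return a list of mismatches between AC, SwitchB and ClearPass settings."""
    findings = []
    submit = urlsplit(clearpass["submit_url"])
    host = ipaddress.ip_address(submit.hostname)

    # 1. Scheme and port of the Submit URL must match the AC's Portal listener.
    listener = _first(r"^portal web-authen-server (https?)\b.*\bport (\d+)", ac_cfg)
    if listener is None:
        findings.append("AC: no 'portal web-authen-server ... port N' line")
    elif (submit.scheme, submit.port) != (listener[0], int(listener[1])):
        findings.append(f"Submit URL {submit.scheme}:{submit.port} != AC listener "
                        f"{listener[0]}:{listener[1]}")

    # 2. The Submit URL host must be an address configured on the AC.
    local = {ipaddress.ip_address(a)
             for a in re.findall(r"^[ \t]*ip address (\S+) \S+", ac_cfg, re.M)}
    if host not in local:
        findings.append(f"Submit URL host {host} is not an AC interface address")

    # 3. A free rule must let unauthenticated STAs reach that address.
    free = [ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in re.findall(
        r"^[ \t]*free-rule \d+ destination ip (\S+) mask (\S+)", ac_cfg, re.M)]
    if not any(host in net for net in free):
        findings.append(f"no free-rule permits {host} before authentication")

    # 4. On SwitchB the longest-prefix route to the host must point at the AC;
    #    the default route alone would send the login POST to the Router.
    routes = [(ipaddress.ip_network(f"{d}/{m}", strict=False), nh)
              for d, m, nh in re.findall(
                  r"^ip route-static (\S+) (\S+) (\S+)", switchb_routes, re.M)]
    best = max((r for r in routes if host in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    if best is None or best[1] != ac_next_hop:
        via = best[1] if best else "nowhere"
        findings.append(f"SwitchB routes {host} via {via}, not the AC {ac_next_hop}")

    # 5. The redirect URL and server-ip on the AC must match the ClearPass page
    #    (the query string is ignored, as in the NOTE in Step 4).
    page = urlsplit(clearpass["page_url"])
    url = _first(r"^[ \t]*url (\S+)", ac_cfg)
    server_ip = _first(r"^[ \t]*server-ip (\S+)", ac_cfg)
    if url is None or tuple(urlsplit(url[0])[:3]) != tuple(page[:3]):
        findings.append("web-auth-server url differs from the ClearPass page URL")
    if server_ip is None or server_ip[0] != page.hostname:
        findings.append("web-auth-server server-ip differs from the page URL host")
    return findings


if __name__ == "__main__":
    print(check_portal(AC_CONFIG, SWITCHB_ROUTES, CLEARPASS) or "consistent")
```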

4.18.6 Example for Configuring MAC Address-Prioritized Portal Authentication (CLI)

Overview
MAC address-prioritized Portal authentication is one of the solutions that enable network
access of mobile terminals.
MAC address authentication is triggered when a terminal associates with an AP or traffic is
sent to an AC from an unauthorized terminal. If authentication fails, an authentication page is
displayed. After the user enters the user name and password and is successfully authenticated,
the authentication server records the MAC address of the user and binds it to the
authentication account. When the terminal associates with the AP the next time, MAC address
authentication is triggered and succeeds. The AC does not push the URL of the authentication
page to the user. The server saves a MAC address for the validity period for MAC address-
prioritized Portal authentication. A terminal can pass MAC address authentication only when
authentication is initiated within the validity period. After the validity period, the server
deletes the MAC address and unbinds the MAC address from the authentication account.
Therefore, after the validity period, MAC address authentication fails and the authentication
page is displayed.
For the configuration of MAC address-prioritized authentication on the AC, see Step 4.
For the configuration on the Aruba ClearPass server, see Step 5.
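
The flow described above, as an added Python model that is not part of the original guide: the server keeps a MAC-to-account binding for the validity period, and the AC tries MAC authentication before pushing the authentication page. The 8-hour validity period, the non-renewing binding, and the class and function names are assumptions; the account and MAC address are sample values reused from the previous example.

```python
import hmac
from dataclasses import dataclass, field

HOUR = 3600


@dataclass
class PortalServer:
    """Authentication-server side of MAC address-prioritized Portal authentication."""
    accounts: dict                                  # account -> password
    validity: int                                   # seconds a MAC binding is kept
    bindings: dict = field(default_factory=dict)    # mac -> (account, expires_at)

    def mac_auth(self, mac, now):
        """Return the bound account if the MAC is known and still valid."""
        entry = self.bindings.get(mac)
        if entry is not None and now < entry[1]:
            return entry[0]
        # Validity period over (or MAC never seen): delete and unbind.
        self.bindings.pop(mac, None)
        return None

    def portal_login(self, mac, account, password, now):
        """Check Portal credentials; on success bind the MAC to the account."""
        stored = self.accounts.get(account)
        if stored is None or not hmac.compare_digest(stored.encode(),
                                                     password.encode()):
            return False
        # From here until expires_at the MAC address alone is accepted, so the
        # validity period bounds how long credentials are not asked for again.
        self.bindings[mac] = (account, now + self.validity)
        return True


def associate(server, mac, now, credentials=None):
    """One association as the AC handles it. Returns (result, account)."""
    account = server.mac_auth(mac, now)          # MAC authentication comes first
    if account is not None:
        return ("mac-auth-success", account)     # no authentication page is pushed
    if credentials is None:
        return ("portal-page-pushed", None)      # user has not logged in yet
    user, password = credentials
    if server.portal_login(mac, user, password, now):
        return ("portal-success", user)
    return ("portal-failed", None)


def run_timeline(server, events):
    """Replay (mac, time[, credentials]) events and collect the outcomes."""
    return [associate(server, *event) for event in events]


def demo():
    """Constructed timeline: first login, a return visit, then expiry."""
    server = PortalServer({"test@huawei.com": "470541"}, validity=8 * HOUR)
    mac = "8000-6e74-e78a"
    events = [
        (mac, 0),                                         # first association
        (mac, 60, ("test@huawei.com", "wrong")),          # bad password
        (mac, 120, ("test@huawei.com", "470541")),        # correct login
        (mac, 4 * HOUR),                                  # back within validity
        (mac, 120 + 8 * HOUR),                            # validity period over
    ]
    return run_timeline(server, events), server


if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```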

Applicable Products and Versions

Table 4-114 Applicable products and versions


Product Version

Huawei AC V200R007C20

Aruba ClearPass 6.5.0.31375


Service Requirements
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
l Service data forwarding mode: direct forwarding
l Authentication mode: MAC address-prioritized Portal authentication
l Security policy: open system authentication


Figure 4-89 Networking for MAC address-prioritized Portal authentication


Data Planning

Table 4-115 Data planning on the AC


Configuration Item                        Data
Management VLAN                           VLAN 100
Service VLAN                              VLAN 101
DHCP server                               The AC functions as the DHCP server to assign IP addresses to APs, and
                                          SwitchB functions as the DHCP server to assign IP addresses to STAs.
IP address pool for APs                   10.23.100.2 to 10.23.100.254/24
IP address pool for the STAs              10.23.101.2 to 10.23.101.254/24
IP address of the AC's source interface   VLANIF 100: 10.23.100.1/24
AP group                                  - Name: ap-group1
                                          - Bound profiles: VAP profile wlan-net and regulatory domain profile
                                            default
AP group                                  - Name: default
                                          - Country code: China
SSID profile                              - Name: wlan-net
                                          - SSID name: wlan-net
Security profile                          - Name: wlan-net
                                          - Security policy: open system authentication
RADIUS authentication parameters          Name of the RADIUS authentication scheme: wlan-net
                                          RADIUS server template name: wlan-net
                                          - IP address: 10.23.103.1
                                          - Authentication port number: 1812
                                          - Shared key: huawei@123
Portal server template                    - Name: wlan-net
                                          - IP address: 10.23.103.1
                                          - URL: https://10.23.103.1/guest/huawei.php?_browser=1


Portal access profile                     - Name: wlan-net
                                          - Bound profile: Portal server template wlan-net
MAC access profile                        - Name: wlan-net
                                          - User name: MAC address
Authentication profile                    - Name: wlan-net
                                          - Bound profile and authentication scheme: Portal access profile wlan-net,
                                            RADIUS server template wlan-net, RADIUS authentication scheme
                                            wlan-net, and MAC access profile wlan-net
VAP profile                               - Name: wlan-net
                                          - Forwarding mode: direct forwarding
                                          - Service VLAN: VLAN 101
                                          - Bound profiles: SSID profile wlan-net, security profile wlan-net, and
                                            authentication profile wlan-net

Table 4-116 Data planning on the Aruba ClearPass

Configuration Item                        Data
Access device information                 - Device name: AC6605
                                          - NAS IP address: 10.23.102.2
                                          - Aruba ClearPass server IP address: 10.23.103.1
                                          - NAS type: Huawei AC
                                          - DM port: 3799
                                          - RADIUS shared key: huawei@123
Access user                               - Account: test@huawei.com
                                          - Password: 470541

Configuration Roadmap
1. Configure network interworking of the AC, AP, and other network devices.
2. Configure the AP to go online.
3. Configure MAC address-prioritized Portal authentication parameters on the AC.
a. Configure the RADIUS server parameters.
b. Configure a Portal access profile for the external Portal server to manage Portal
access control parameters.


c. Configure a MAC access profile to manage MAC access control parameters.


d. Configure an authentication profile to manage Portal authentication configurations.
4. Configure WLAN service parameters.
5. Configure the Aruba ClearPass server.

Configuration Notes
- Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
- The AC and server must have the same RADIUS shared key.

Procedure
Step 1 Configure network interworking.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route whose next
hop is the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24


[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Add GE0/0/1 on the AC to VLAN 100 and VLAN 102. Create VLANIF 102 and configure
a static route to the RADIUS server.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102
[AC-GigabitEthernet0/0/1] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] ip route-static 10.23.103.0 24 10.23.102.1

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure the AC and SwitchB to function as DHCP servers to assign IP addresses to APs
and STAs respectively.
# On the AC, configure the VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure the VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

# Configure a static route to 10.0.0.1.


[SwitchB] ip route-static 10.0.0.1 32 10.23.102.2

Step 3 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit


# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 4 Configure MAC address-prioritized Portal authentication on the AC.


1. Configure a RADIUS server template and a RADIUS authentication scheme.
NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly
on the AC and are the same as those on the RADIUS server.

# Configure a RADIUS server template and configure the encapsulation format of the
MAC address in the calling-station-id (Type 31) attribute of RADIUS packets.
[AC] radius-server template wlan-net
[AC-radius-wlan-net] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-net] radius-server shared-key cipher huawei@123
[AC-radius-wlan-net] calling-station-id mac-format unformatted
[AC-radius-wlan-net] quit

# Create an authentication scheme and set the authentication method to RADIUS.


[AC] aaa
[AC-aaa] authentication-scheme wlan-net
[AC-aaa-authen-wlan-net] authentication-mode radius
[AC-aaa-authen-wlan-net] quit
[AC-aaa] quit


2. Configure a Portal server profile.


NOTE

Ensure that the Portal server IP address and URL are configured correctly and are the same as those on
the Portal server.
The ClearPass Portal URL is in the format https://10.23.103.1/guest/huawei.php?_browser=1 and can be
obtained in Step 5.2.
[AC] http secure-server ssl-policy default_policy
[AC] http secure-server enable
[AC] portal https-redirect enable
[AC] portal web-authen-server https ssl-policy default_policy port 8443 //Parse the HTTPS authentication request from users and send authentication information to the server.
[AC] interface loopback 0
[AC-LoopBack0] ip address 10.0.0.1 32
[AC-LoopBack0] quit
[AC] free-rule-template name default
[AC-free-rule-default] free-rule 0 destination ip 10.0.0.1 mask 255.255.255.255
[AC-free-rule-default] quit
[AC] web-auth-server wlan-net
[AC-web-auth-server-wlan-net] server-ip 10.23.103.1
[AC-web-auth-server-wlan-net] url https://10.23.103.1/guest/huawei.php
[AC-web-auth-server-wlan-net] source-ip 10.23.100.1
[AC-web-auth-server-wlan-net] protocol http
[AC-web-auth-server-wlan-net] quit

3. Configure the Portal access profile wlan-net and configure Layer 2 Portal authentication.
[AC] portal-access-profile name wlan-net
[AC-portal-access-profile-wlan-net] web-auth-server wlan-net direct
[AC-portal-access-profile-wlan-net] quit

4. Configure the MAC access profile wlan-net.


[AC] mac-access-profile name wlan-net
[AC-mac-access-profile-wlan-net] quit

5. Configure the authentication profile wlan-net.


[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] portal-access-profile wlan-net
[AC-authentication-profile-wlan-net] mac-access-profile wlan-net
[AC-authentication-profile-wlan-net] authentication-scheme wlan-net
[AC-authentication-profile-wlan-net] free-rule-template default
[AC-authentication-profile-wlan-net] radius-server wlan-net
[AC-authentication-profile-wlan-net] quit

6. Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile. By default,
the security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, configure the data forwarding mode and service VLANs,
and apply the security profile, SSID profile, and authentication profile to the VAP
profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward


[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101


[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 5 Configure the Aruba ClearPass server.


1. Log in to the Aruba ClearPass server.
# Enter the access address of the Aruba ClearPass server in the address box, which is in
the format of https://Aruba ClearPass IP. Aruba ClearPass IP is the IP address of the
Aruba ClearPass server.
# Click ClearPass Guest.
# On the displayed page, enter the user name and password to log in to the Aruba
ClearPass server.
2. Configure the authentication page.
# Choose Configuration > Pages > Web Logins. Click Create a new web login page
in the right pane.
# Set parameters as follows:
– Name: huawei
– Page Name: huawei
– Vendor Settings: Custom Settings
– Submit URL: https://10.0.0.1:8443/login, the same as the authentication address
configured on the AC
– Username Field: username
– Password Field: password
Retain the default settings for other parameters.


# Click Save Changes.


# Click Test mapping huawei. Record the URL of the displayed page, for example,
https://10.23.103.1/guest/huawei.php?_browser=1.

3. Add guest accounts.


# Choose Guest > Create Account. Set Guest's Name to test@huawei.com, Company
Name to huawei, and Email Address to test@huawei.com. Record the generated
password and select Terms of Use.


# Click Create.
4. Add the AC so that the Aruba ClearPass server can interwork with the AC.
# On the ClearPass home page, click ClearPass Policy Manager. On the page that is
displayed, enter the user name and password.
# Choose Configuration > Network > Devices. Click Add on the page. In the Add
Device dialog box that is displayed, set parameters as follows:
– Name: AC6605
– IP or Subnet Address: 10.23.102.2
– RADIUS Shared Secret and Verify: huawei@123
– Vendor Name: Huawei
Click Add.

5. Add the guest authentication with MAC caching service.


# Choose Configuration > Start Here. Click Guest Authentication with MAC
caching in the right pane.


# On the General tab page, set Name Prefix to huawei.

# On the Wireless Network Settings tab page, set Wireless SSID to wlan-net and
Select Wireless Controller to the added AC6605.

# Use the default settings on the MAC Caching Settings and Posture Settings tab
pages.
# On the Access Restrictions tab page, set Captive Portal Access to huawei,
Maximum number of devices allowed per user to 1, and Guest Access to Guest.

# Click Add Service.


6. Configure the service sequence.
# Choose Configuration > Services. Click Reorder in the lower right corner. Move the
huawei MAC Authentication and huawei User Authentication with MAC Caching
services before Radius.


# Click Save.
Step 6 Verify the configuration.
- The WLAN with the SSID wlan-net is available for STAs after the configuration is
  complete.
- The STAs obtain IP addresses when they successfully associate with the WLAN.
- When a user opens the browser and attempts to access the network, the user is
  automatically redirected to the authentication page provided by the Portal server. After
  entering the correct user name and password on the page, the user can access the
  network.
- The MAC address validity period is 24 hours. When the user attempts to connect to the
  WLAN 24 hours after the account is generated, the authentication page is displayed.
- After authentication succeeds, run the display access-user access-type command on the
  AC. The command output shows the online user.
[AC] display access-user access-type mac-authen
------------------------------------------------------------------------------
UserID Username IP address    MAC            Status
------------------------------------------------------------------------------
739    huawei   10.23.101.250 8000-6e74-e78a Success
------------------------------------------------------------------------------
Total: 1, printed: 1

----End

Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1


port link-type trunk


port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
- SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 104
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 104
port trunk allow-pass vlan 104
#
ip route-static 0.0.0.0 0.0.0.0 10.23.104.2
ip route-static 10.0.0.1 255.255.255.255 10.23.102.2
#
return
- Router configuration file
#
sysname Router
#
interface GigabitEthernet0/0/1
ip address 10.23.104.2 255.255.255.0
#
ip route-static 10.23.101.0 255.255.255.0 10.23.104.1
#
return
- AC configuration file
#
sysname AC
#


http secure-server ssl-policy default_policy


http server enable
#
portal https-redirect enable
#
vlan batch 100 102
#
authentication-profile name wlan-net
mac-access-profile wlan-net
free-rule-template default
portal-access-profile wlan-net
authentication-scheme wlan-net
radius-server wlan-net
#
portal web-authen-server https ssl-policy default_policy
#
dhcp enable
#
radius-server template wlan-net
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.103.1 1812 weight 80
calling-station-id mac-format unformatted
#
free-rule-template name default
free-rule 0 destination ip 10.0.0.1 mask 255.255.255.255
#
web-auth-server wlan-net
server-ip 10.23.103.1
url https://10.23.103.1/guest/huawei.php
source-ip 10.23.100.1
protocol http
#
portal-access-profile name wlan-net
web-auth-server wlan-net direct
#
aaa
authentication-scheme wlan-net
authentication-mode radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface LoopBack0
ip address 10.0.0.1 255.255.255.255
#
ip route-static 10.23.103.0 255.255.255.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1


radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
mac-access-profile name wlan-net
mac-authen username macaddress format with-hyphen
#
return
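
Several values in Step 4 and Step 5 must agree across the AC and the ClearPass server: the Submit URL, the loopback address and its free rule, the web-authen-server port, and the RADIUS and Portal server addresses. The following Python check is an added example, not part of the Huawei document; the function names and the CLEARPASS dictionary layout are assumptions, and the sample configuration is constructed from the AC configuration file above with the port taken from the Step 4 command.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the lines the checks need, taken from the AC
# configuration file on this page, with "port 8443" as typed in Step 4.
AC_CONFIG = """\
portal web-authen-server https ssl-policy default_policy port 8443
#
radius-server template wlan-net
 radius-server authentication 10.23.103.1 1812 weight 80
#
free-rule-template name default
 free-rule 0 destination ip 10.0.0.1 mask 255.255.255.255
#
web-auth-server wlan-net
 server-ip 10.23.103.1
 url https://10.23.103.1/guest/huawei.php
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface LoopBack0
 ip address 10.0.0.1 255.255.255.255
"""

# ClearPass-side values from Table 4-116 and Step 5 (the dictionary layout is
# an assumption of this example).
CLEARPASS = {
    "server_ip": "10.23.103.1",
    "radius_port": 1812,
    "nas_ip": "10.23.102.2",
    "submit_url": "https://10.0.0.1:8443/login",
}


def _first(pattern, text):
    match = re.search(pattern, text, re.M)
    return match.group(1) if match else None


def parse_ac(config):
    """Pull out only the values that must agree with the ClearPass side."""
    port = _first(r"^portal web-authen-server https ssl-policy \S+ port (\d+)", config)
    return {
        "interface_ips": set(re.findall(r"^\s*ip address (\S+) \S+", config, re.M)),
        "free_nets": [
            ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            for ip, mask in re.findall(
                r"^\s*free-rule \d+ destination ip (\S+) mask (\S+)", config, re.M)
        ],
        "radius": set(re.findall(
            r"^\s*radius-server authentication (\S+) (\d+)", config, re.M)),
        "portal_port": int(port) if port else None,
        "portal_server_ip": _first(r"^\s*server-ip (\S+)", config),
        "portal_url": _first(r"^\s*url (\S+)", config),
    }


def check_portal_consistency(config, clearpass):
    """Return a list of mismatches; an empty list means both sides agree."""
    ac = parse_ac(config)
    findings = []
    submit = urlsplit(clearpass["submit_url"])
    submit_ip = ipaddress.ip_address(submit.hostname)
    # Open system authentication gives no link-layer encryption, so HTTPS is
    # what protects the credentials the STA posts to the AC.
    if submit.scheme != "https":
        findings.append("submit URL is not HTTPS")
    if str(submit_ip) not in ac["interface_ips"]:
        findings.append(f"submit URL host {submit_ip} is not an AC address")
    if not any(submit_ip in net for net in ac["free_nets"]):
        findings.append(f"no free-rule lets unauthenticated STAs reach {submit_ip}")
    if ac["portal_port"] is None:
        findings.append("portal web-authen-server port not stated in the config")
    elif ac["portal_port"] != submit.port:
        findings.append("submit URL port differs from portal web-authen-server port")
    if (clearpass["server_ip"], str(clearpass["radius_port"])) not in ac["radius"]:
        findings.append("RADIUS template does not point at the ClearPass server")
    if clearpass["nas_ip"] not in ac["interface_ips"]:
        findings.append("NAS IP registered on ClearPass is not an AC address")
    redirect = urlsplit(ac["portal_url"] or "")
    if redirect.scheme != "https" or not (
            redirect.hostname == ac["portal_server_ip"] == clearpass["server_ip"]):
        findings.append("portal URL, server-ip and ClearPass address disagree")
    return findings
```

An empty list for the values on this page confirms that the Submit URL, loopback address, free rule, and server addresses line up; the saved configuration file above omits the port, so a check run against it reports that the port cannot be compared.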

4.19 Typical Configuration for Interconnection Between AC and Huawei Agile Controller-Campus Server
4.19.1 Example for Configuring Wireless 802.1X Authentication
This section describes how to configure wireless 802.1X authentication for mobile terminals
to access networks.

Involved Products and Versions


Product Type              Product Name              Version
Agile Controller-Campus   Agile Controller-Campus   V100R002C10
WLAN AC                   AC6605                    V200R006C20
Access switch             S2750EI                   V200R008C00
Aggregation switch        S5720HI                   V200R008C00

Networking Requirements
A company maintains user accounts and organizations on the AD server, and wants to provide
wireless access for mobile office in its campus. Wireless 802.1X authentication can be used to
ensure security.
Authenticated users can access Internet resources.


Figure 4-90 Networking diagram

Data Plan

Table 4-117 Wireless VLAN plan


VLAN ID   Function
10        mVLAN for wireless access
100       Service VLAN for wireless access

Table 4-118 Wireless network data plan


Item                         Data                           Description

Access switch S2750EI        GE 0/0/2                       The uplink and downlink interfaces allow packets
                             VLAN 10                        only from the mVLAN to pass through. The service
                             GE 0/0/3                       VLAN is encapsulated in the packets tagged with
                             VLAN 10                        the mVLAN ID.

Aggregation switch S5720HI   GE 0/0/1                       This downlink interface allows packets only from
                             VLAN 10                        the mVLAN to pass through. The service VLAN is
                                                            encapsulated in the packets tagged with the
                                                            mVLAN ID.

                             GE 0/0/2                       This uplink interface allows packets only from
                             VLAN 100                       the service VLAN to pass through.

                             GE 0/0/3                       The AC communicates with the uplink device
                             VLAN 10 and VLAN 100           through the service VLAN and with the downlink
                                                            device through the mVLAN.

AC6605                       GE 0/0/1                       The AC communicates with the uplink device
                             VLAN 10 and VLAN 100           through the service VLAN and with the downlink
                             VLANIF 10: 10.10.10.254/24     device through the mVLAN.
                                                            Gateway for APs.

Core router                  GE 1/0/1                       Gateway for end users.
                             172.16.21.254/24

Server                       - Agile Controller-Campus:     -
                               192.168.11.10
                             - AD server: 192.168.11.100


Table 4-119 802.1X service data plan


Item                         Data                               Description

RADIUS                       - RADIUS server: Agile             The access control device and Agile Controller-
                               Controller-Campus server         Campus function as the RADIUS client and server
                             - Authentication key: Admin@123    respectively. The authentication, authorization,
                             - Accounting key: Admin@123        and accounting keys and the accounting interval
                             - Real-time accounting             must be the same on the access control device
                               interval: 15 minutes             and Agile Controller-Campus.
                             - Authentication port: 1812        The Agile Controller-Campus functioning as the
                             - Accounting port: 1813            RADIUS server uses ports 1812 and 1813 for
                                                                authentication and accounting respectively.

Pre-authentication domain    Agile Controller-Campus server     -

Post-authentication domain   Internet                           -

Configuration Roadmap
To ensure unified user traffic control on the AC, it is recommended that tunnel forwarding be
used to forward packets between the AC and APs.

1. Configure VLANs, IP addresses, and routes on the access switch, aggregation switch,
and AC to ensure network connectivity.
2. Set RADIUS interconnection parameters and wireless access service parameters on the
AC to implement wireless 802.1X authentication.
3. Add the AC on the Agile Controller-Campus, and configure authentication and
authorization.
NOTE

In this example, AD accounts have been synchronized to the basic configuration on the Agile Controller-
Campus.
In this example, the gateway for end users is deployed on the core router. If the gateway for end users is
deployed on the AC, you only need to configure dhcp select interface in the service VLAN on the AC.
This example provides only configurations of the AC, aggregation switch, and access switch.

Procedure
Step 1 [Device] Configure IP addresses, VLANs, and routes to implement network connectivity.
1. Configure the access switch.


<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan 10
[S2700-vlan10] quit
[S2700] interface gigabitethernet 0/0/3
[S2700-GigabitEthernet0/0/3] port link-type trunk
[S2700-GigabitEthernet0/0/3] port trunk pvid vlan 10
[S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/3] quit
[S2700] interface gigabitethernet 0/0/2
[S2700-GigabitEthernet0/0/2] port link-type trunk
[S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/2] quit

2. Configure the aggregation switch.


<HUAWEI> system-view
[HUAWEI] sysname S5700
[S5700] vlan batch 10 100
[S5700] interface gigabitethernet 0/0/1
[S5700-GigabitEthernet0/0/1] port link-type trunk
[S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[S5700-GigabitEthernet0/0/1] quit
[S5700] interface gigabitethernet 0/0/2
[S5700-GigabitEthernet0/0/2] port link-type trunk
[S5700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[S5700-GigabitEthernet0/0/2] quit
[S5700] interface gigabitethernet 0/0/3
[S5700-GigabitEthernet0/0/3] port link-type trunk
[S5700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 100
[S5700-GigabitEthernet0/0/3] quit

3. Configure the AC.


# Configure the AC's interface to allow packets from the service VLAN and mVLAN to
pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 10 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100
[AC-GigabitEthernet0/0/1] quit

# Configure VLANIF 10 as the gateway for APs to dynamically assign IP addresses to
the APs. If the AC is used as the gateway for end users, configure the gateway IP address
and enable DHCP on the AC's interface in the service VLAN.
[AC] dhcp enable
[AC] interface vlanif 10
[AC-Vlanif10] ip address 10.10.10.254 24
[AC-Vlanif10] dhcp select interface
[AC-Vlanif10] quit

# Configure the default route with the core router as the next hop.
[AC] ip route-static 0.0.0.0 0 172.16.21.254

Step 2 [Device] Configure AP online parameters to enable APs to go online automatically after
connecting to a network.
NOTE

If a Layer 3 network is deployed between the AP and AC, you need to configure the Option 43 field on the
DHCP server to carry the AC's IP address in advertisement packets, allowing the AP to discover the AC.
1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP address
for the AC.


# Create an AP group to which APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulatory-domain-prof-domain1] country-code cn
[AC-wlan-regulatory-domain-prof-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 10 //Configure an mVLAN interface.

# Import the AP offline on the AC and add the AP to the AP group ap-group1. This example
assumes that the MAC address of the AP is 60de-4476-e360. Configure a name for the AP
based on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the AP
area_1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP           Type         State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.10.10.122 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 3 [Device] Configure 802.1X authentication parameters to enable 802.1X authentication.


The following figure shows the process of configuring wireless 802.1X authentication.

1. Configure a RADIUS server template, an authentication scheme, and an accounting
scheme.
[AC] radius-server template radius_template
[AC-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server shared-key cipher Admin@123
[AC-radius-radius_template] radius-server user-name original //Configure the AC to send the user names entered by users to the RADIUS server.
[AC-radius-radius_template] quit
[AC] radius-server authorization 192.168.11.10 shared-key cipher Admin@123
[AC] aaa
[AC-aaa] authentication-scheme auth_scheme //Authentication scheme
[AC-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication scheme to RADIUS.
[AC-aaa-authen-auth_scheme] quit
[AC-aaa] accounting-scheme acco_scheme //Accounting scheme
[AC-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting scheme to RADIUS.
[AC-aaa-accounting-acco_scheme] accounting realtime 15
[AC-aaa-accounting-acco_scheme] quit
[AC-aaa] quit

NOTE

The accounting realtime command sets the real-time accounting interval. A short real-time
accounting interval requires high performance of the device and RADIUS server. Set a real-time
accounting interval based on the user quantity.

Table 4-120 Accounting interval

User Quantity    Real-Time Accounting Interval
1 to 99          3 minutes
100 to 499       6 minutes
500 to 999       12 minutes
≥ 1000           ≥ 15 minutes

2. Configure an access profile.


NOTE

An access profile defines the 802.1X authentication protocol and packet processing parameters. By
default, EAP authentication is used.
[AC] dot1x-access-profile name acc_dot1x
[AC-dot1x-access-profile-acc_dot1x] quit

3. Configure an authentication profile.

Specify the user access mode in the authentication profile through the access profile.
Bind the RADIUS authentication scheme, accounting scheme, and server template to the
authentication profile so that RADIUS authentication is used.
[AC] authentication-profile name auth_dot1x
[AC-authentication-profile-auth_dot1x] dot1x-access-profile acc_dot1x
[AC-authentication-profile-auth_dot1x] authentication-scheme auth_scheme
[AC-authentication-profile-auth_dot1x] accounting-scheme acco_scheme
[AC-authentication-profile-auth_dot1x] radius-server radius_template
[AC-authentication-profile-auth_dot1x] quit

4. Set wireless 802.1X authentication parameters.

# Create the security profile security_dot1x and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name security_dot1x
[AC-wlan-sec-prof-security_dot1x] security wpa2 dot1x aes
[AC-wlan-sec-prof-security_dot1x] quit

# Create the SSID profile wlan-ssid and set the SSID name to dot1x_access.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid dot1x_access
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, configure the service data forwarding mode and
service VLAN, and apply the security, SSID, and authentication profiles to the VAP
profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 100
[AC-wlan-vap-prof-wlan-vap] security-profile security_dot1x
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile auth_dot1x
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap to the AP group ap-group1, and apply the VAP profile
to radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 4 [Device] Configure resources that authenticated users can access.


The Agile Controller-Campus can authorize authenticated users using static ACL, dynamic
ACL, or VLAN. In this example, a static ACL is used.
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip
[AC-acl-adv-3001] quit

Step 5 [Device] Configure the escape function, so services are not affected when the Agile
Controller-Campus becomes faulty.
[AC] user-group server_down
[AC-user-group-server_down] acl-id 3001 //Specify resources end users can access after the escape function is enabled.
[AC-user-group-server_down] quit
[AC] authentication-profile name auth_dot1x
[AC-authentication-profile-auth_dot1x] authentication event authen-server-down action authorize user-group server_down
[AC-authentication-profile-auth_dot1x] quit

Step 6 [Agile Controller-Campus] Add the SC server to the AD domain. (AD domain accounts are
used for authentication.)
If 802.1X authentication using the MSCHAPv2 protocol is performed on AD domain
accounts, add the SC server to the AD domain.
By default, the AnyOffice and the built-in 802.1X client of the operating system use the
MSCHAPv2 protocol.
Step 7 [Agile Controller-Campus] Add an access control device and connect it to the Agile
Controller-Campus through RADIUS.
Choose Resource > Device > Device Management, and add the AC.

Agile Controller-Campus Parameters        Command
Authentication/Accounting key             radius-server shared-key cipher Admin@123
Authorization key                         radius-server authorization 192.168.11.10 shared-key cipher Admin@123
Real-time accounting interval (minute)    accounting realtime 15

Step 8 [Agile Controller-Campus] Configure authentication and authorization rules. End users match
the rules based on specified conditions.
1. Choose Policy > Permission Control > Authentication & Authorization >
Authentication Rule, and modify the default authentication rule or create an
authentication rule.

Add the AD server to Data Source. By default, an authentication rule takes effect only
on the local data source. If the AD server is not added as a data source, AD accounts will
fail to be authenticated.

2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and add an authorization ACL.
The ACL number must be the same as that configured on the authentication control
device.

3. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and bind the authorization result to specify resources accessible to
users after successful authentication.

----End

Verification
1. Use a mobile phone to associate with the SSID dot1x_access, and enter an AD domain
user name and password.
2. Obtain an IP address on the 172.16.21.0/24 network segment after successful
authentication, and access Internet resources using this IP address.
3. Run the display access-user and display access-user user-id user-id commands on the
AC to view detailed online user information.
4. Choose Resource > User > RADIUS Log on the Agile Controller-Campus to view
RADIUS logs.

4.19.2 Example for Configuring Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless Users
This example illustrates how to configure Portal authentication on a wireless network to
ensure that only authenticated wireless terminals can connect to the network.

Involved Products and Versions


Product Type               Product Name               Version
Agile Controller-Campus    Agile Controller-Campus    V100R002C10
WLAN AC                    AC6605                     V200R006C20
Access switch              S2750EI                    V200R008C00
Aggregation switch         S5720HI                    V200R008C00

Networking Requirements
A company has about 1000 employees and needs to deploy an authentication system to
implement access control for all the wireless users who attempt to connect to the enterprise
network. Only authenticated users can connect to the enterprise network.
The company has the following requirements:
• The authentication operations must be simple. The authentication system only performs
access authorization and does not require any client software on user terminals.
• A unified identity authentication mechanism is used to authenticate all terminals
attempting to connect to the campus network and deny access from unauthorized
terminals.
• Employees can connect only to public servers (such as the DHCP and DNS servers) of
the company before authentication, and can connect to both the intranet and Internet after
being authenticated.
• If authenticated employees move out of the wireless coverage area and move in again
within a certain period (60 minutes for example), they can connect to the wireless
network directly, without entering their user names and passwords again. This ensures a
good network access experience of employees.
• Guests can connect only to public servers (such as the DHCP and DNS servers) of the
company before authentication, and can connect only to the Internet after being
authenticated.
• Different authentication pages are pushed to employees and guests.

Figure 4-91 Networking of Portal authentication for wireless users

Requirement Analysis
• The company has no specific requirement on terminal security check and requires simple
operations, without a need to install authentication clients on wireless terminals.
Considering the networking and requirements of the company, Portal authentication can
be used on the campus network.
• Tunnel forwarding is recommended for packets exchanged between the AC and APs,
because this mode can ensure that all traffic of wireless users will pass through the
AC for unified control.
• To implement interworking on the network, configure VLANs according to the
following plan:
– Add employees to VLAN 100 and guests to VLAN 101 to isolate employees from
guests.
– Use VLAN 10 as the mVLAN of the APs.
– Add GE0/0/1, GE0/0/2, and GE0/0/3 of the access switch S2750EI to VLAN 10 so
that these interfaces can transparently transmit packets of APs' mVLAN.
– On the aggregation switch S5700HI, add GE0/0/1 to mVLAN 10, GE0/0/3 to
mVLAN 10 and service VLANs 100 and 101, and GE0/0/2 to service VLANs 100 and
101. In this way, these interfaces can transparently transmit packets of the
corresponding VLANs as required.
– Add GE0/0/1 of the AC to mVLAN 10 and service VLANs 100 and 101 so that the
AC can transparently transmit packets of these VLANs.
• Employees and guests are all authenticated on the web pages pushed by the Portal server.
You need to configure different ACL rules to control access rights of employees and
guests.
• Different SSIDs need to be configured for employees and guests so that different
authentication pages can be pushed to them based on their SSIDs.
• Enable MAC address-prioritized Portal authentication to allow employees to connect to the
wireless network without entering user names and passwords when they move in and out
of the wireless coverage area repeatedly within a period (60 minutes for example).
MAC address-prioritized Portal authentication is a function provided by an AC. When
the Portal server needs to authenticate a user, the AC first sends the user terminal's MAC
address to the Portal server for identity authentication. If the authentication fails, the
Portal server pushes the Portal authentication page to the terminal. The user then enters
the account and password for authentication. The RADIUS server caches a terminal's
MAC address and associated SSID during the first authentication for the
terminal. If the terminal is disconnected and then connected to the network within the
MAC address validity period, the RADIUS server searches for the SSID and MAC
address of the terminal in the cache to authenticate the terminal.
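
The decision flow described above, as an added Python example (not code from Huawei or the Agile Controller-Campus). The class names, the in-memory cache, the terminal MAC address, the SSID names and the account are constructed for illustration; the example assumes the validity period runs from the last successful user name and password authentication.

```python
import hmac
from dataclasses import dataclass, field

VALIDITY_SECONDS = 60 * 60  # "60 minutes for example" in the requirements


@dataclass
class MacCache:
    """Stand-in for the RADIUS server's cache: (MAC, SSID) -> time the entry expires."""
    validity: int = VALIDITY_SECONDS
    entries: dict = field(default_factory=dict)

    def remember(self, mac, ssid, now):
        self.entries[(mac.lower(), ssid)] = now + self.validity

    def is_valid(self, mac, ssid, now):
        key = (mac.lower(), ssid)
        expiry = self.entries.get(key)
        if expiry is not None and now >= expiry:
            del self.entries[key]  # validity period over, forget the terminal
            return False
        return expiry is not None


class PortalAuth:
    """Hypothetical model of the AC and server decision, not a protocol implementation."""

    def __init__(self, accounts, cache=None):
        self.accounts = accounts  # constructed user -> password table
        self.cache = cache if cache is not None else MacCache()

    def associate(self, mac, ssid, now):
        """The AC sends the terminal's MAC address first; a cache hit needs no Portal page."""
        return "online" if self.cache.is_valid(mac, ssid, now) else "portal-page"

    def submit(self, mac, ssid, user, password, now):
        """The user fills in the pushed Portal page; success caches the (MAC, SSID) pair."""
        expected = self.accounts.get(user)
        ok = expected is not None and hmac.compare_digest(expected.encode(), password.encode())
        if ok:
            self.cache.remember(mac, ssid, now)
        return "online" if ok else "rejected"


def run_scenario():
    """Walk one terminal through the cases the text describes; times are in seconds."""
    auth = PortalAuth({"employee1": "Example#Pass1"})  # constructed account
    mac, ssid = "0A1B-2C3D-4E5F", "employee"           # constructed terminal MAC and SSID
    return [
        auth.associate(mac, ssid, now=0),                              # first visit
        auth.submit(mac, ssid, "employee1", "wrong", now=5),           # bad password
        auth.submit(mac, ssid, "employee1", "Example#Pass1", now=10),  # cached from here
        auth.associate(mac.lower(), ssid, now=30 * 60),                # back within 60 minutes
        auth.associate(mac, "guest", now=31 * 60),                     # other SSID: not cached
        auth.associate(mac, ssid, now=10 + VALIDITY_SECONDS),          # validity period over
    ]


if __name__ == "__main__":
    print(run_scenario())
```

Within the validity period the cached MAC address and SSID are the only values checked, so the length of that period is an access-policy setting as much as a convenience setting.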

VLAN Plan

Table 4-121 Wireless VLAN plan

VLAN ID    Function
10         mVLAN for wireless access
100        Service VLAN for employees
101        Service VLAN for guests

Network Data Plan

Table 4-122 Wireless network data plan

Item                        Data                                      Description

Access switch S2750EI       GE0/0/1                                   Connected to the AP in the guest area.
                            VLAN 10

                            GE0/0/2                                   Connected to the S5720HI.
                            VLAN 10

                            GE0/0/3                                   Connected to the AP in the employee area.
                            VLAN 10

Aggregation switch          GE0/0/1                                   Connected to the access switch.
S5720HI                     VLAN 10

                            GE0/0/2                                   Uplink interface that is connected to the core router
                            VLAN 100 and VLAN 101                     and allows packets only from the service VLAN to pass
                                                                      through.

                            GE0/0/3                                   Connected to the AC. The AC communicates with the uplink
                            VLAN 10, VLAN 100, and VLAN 101           device through the service VLAN and with the downlink
                                                                      device through the mVLAN.

AC6605                      GE0/0/1                                   The AC communicates with the uplink device through the
                            VLAN 10, VLAN 100, and VLAN 101           service VLAN and with the downlink device through the
                                                                      mVLAN.

                            VLANIF 10: 10.10.10.254/24                Gateway for APs.

Core router                 GE1/0/1                                   The sub-interface GE1/0/1.1 functions as the gateway for
                            172.16.21.254/24                          employees.
                            Sub-interface number: GE1/0/1.1           The sub-interface GE1/0/1.2 functions as the gateway for
                            Sub-interface IP address: 172.20.0.1/16   guests.
                            Sub-interface number: GE1/0/1.2
                            Sub-interface IP address: 172.21.0.1/16

Server                      • DNS server: 192.168.11.1                -
                            • Agile Controller-Campus: 192.168.11.10
                            • AD server: 192.168.11.100
                            • DHCP server: 192.168.11.2
                              – Employee: IP address pool
                                (172.20.0.0/16); DNS server
                                (192.168.11.1)
                              – Guest: IP address pool
                                (172.21.0.0/16); DNS server
                                (192.168.11.1)
                            • Service system: 192.168.11.200

Service Data Plan

Table 4-123 Portal service data plan


Item                        Data                                          Description

RADIUS                      • RADIUS server: Agile Controller-Campus      The access control device and Agile Controller-Campus
                              server                                      function as the RADIUS client and server respectively.
                            • RADIUS client: AC                           The authentication, authorization, and accounting keys
                            • Authentication key: Admin@123               and the accounting interval must be the same on the
                            • Accounting key: Admin@123                   access control device and Agile Controller-Campus.
                            • Real-time accounting interval: 15 minutes   The Agile Controller-Campus functioning as the RADIUS
                            • Authentication port: 1812                   server uses ports 1812 and 1813 for authentication and
                            • Accounting port: 1813                       accounting respectively.

Portal                      • Portal server: Agile Controller-Campus      When Portal pages are pushed using a domain name, the
                              server with domain name                     Agile Controller-Campus server's domain name is
                              access.example.com                          required.
                            • Portal key: Admin@123                       The Agile Controller-Campus functioning as the Portal
                            • Portal server port: 50200                   server uses port 50200 as the Portal server port.
                            • Port of the authentication control          When a Huawei switch or AC functions as the
                              device for associating with the Portal      authentication control device to provide Portal
                              server: 2000                                authentication, the switch or AC uses port 2000 by
                                                                          default to associate with the Portal server.

Pre-authentication domain   DNS server, Agile Controller-Campus, AD       -
                            server, and DHCP server

Post-authentication domain  Service system and Internet                   -
for employees

Post-authentication domain  Internet                                      -
for guests

Configuration Roadmap
1. Configure the access switch, aggregation switch, and AC to implement interworking on
the network.
2. On the AC, configure a RADIUS server template, configure authentication, accounting,
and authorization schemes in the template, and specify the IP address of the Portal
server. In this way, the AC can communicate with the RADIUS server and Portal server
to perform MAC address-prioritized Portal authentication for employees.
3. Add the AC to the Service Manager and configure parameters for the AC to ensure that
the Agile Controller-Campus can manage the AC.
4. Configure authentication and authorization rules to grant different network access rights
to the authenticated employees and guests.
5. Customize different authentication pages for employees and guests, and configure Portal
page push rules to ensure that different web pages are pushed to employees and guests.

Prerequisites
You have configured a sub-interface, assigned an IP address to the sub-interface, and enabled
DHCP relay on the core router to enable terminals to automatically obtain IP addresses from
the DHCP server on a different network segment.

Procedure
Step 1 [Device] Configure the access switch to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan 10
[S2700-vlan10] quit
[S2700] interface gigabitethernet 0/0/3
[S2700-GigabitEthernet0/0/3] port link-type trunk
[S2700-GigabitEthernet0/0/3] port trunk pvid vlan 10
[S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/3] quit
[S2700] interface gigabitethernet 0/0/1
[S2700-GigabitEthernet0/0/1] port link-type trunk
[S2700-GigabitEthernet0/0/1] port trunk pvid vlan 10
[S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/1] quit
[S2700] interface gigabitethernet 0/0/2
[S2700-GigabitEthernet0/0/2] port link-type trunk
[S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/2] quit

Step 2 [Device] Configure the aggregation switch to ensure network connectivity.


<HUAWEI> system-view
[HUAWEI] sysname S5700
[S5700] vlan batch 10 100 101
[S5700] interface gigabitethernet 0/0/1
[S5700-GigabitEthernet0/0/1] port link-type trunk
[S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[S5700-GigabitEthernet0/0/1] quit
[S5700] interface gigabitethernet 0/0/2
[S5700-GigabitEthernet0/0/2] port link-type trunk
[S5700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[S5700-GigabitEthernet0/0/2] quit
[S5700] interface gigabitethernet 0/0/3
[S5700-GigabitEthernet0/0/3] port link-type trunk
[S5700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 100 101
[S5700-GigabitEthernet0/0/3] quit

Step 3 [Device] Configure the AC to ensure network connectivity.

# Add GE0/0/1 connected to the aggregation switch to mVLAN 10 and service VLANs 100
and 101.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 10 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100 101
[AC-GigabitEthernet0/0/1] quit

# Configure the AC to assign IP addresses to APs from an interface address pool.
[AC] dhcp enable
[AC] interface vlanif 10
[AC-Vlanif10] ip address 10.10.10.254 24
[AC-Vlanif10] dhcp select interface
[AC-Vlanif10] quit

# Configure a default route that the AC uses to communicate with the server. Packets are
forwarded to the core router by default.
[AC] ip route-static 0.0.0.0 0 172.16.21.254

Step 4 [Device] Configure the AP to go online.

NOTE

If a Layer 3 network is deployed between the AP and AC, you need to configure the Option 43 field on the
DHCP server to carry the AC's IP address in advertisement packets, allowing the AP to discover the AC.
1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP address
for the AC.

# Create an AP group to which APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name employee //Configure an AP group for employees.
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] ap-group name guest //Configure an AP group for guests.
[AC-wlan-ap-group-guest] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulatory-domain-prof-domain1] country-code cn
[AC-wlan-regulatory-domain-prof-domain1] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 10

# Import the AP offline on the AC and add the AP to the AP group. This example assumes
that the AP type is AP6010DN-AGN, the MAC address of AP_0 serving the employee area is
60de-4476-e360, and the MAC address of AP_1 serving the guest area is 60de-4476-e380.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name ap_0
[AC-wlan-ap-0] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC-wlan-ap-1] ap-name ap_1
[AC-wlan-ap-1] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC] display ap all
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP           Type         State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 ap_0   employee  10.10.10.252 AP6010DN-AGN nor   0   10S
1    60de-4476-e380 ap_1   guest     10.10.10.253 AP6010DN-AGN nor   0   20S
-------------------------------------------------------------------------------------
Total: 2

Step 5 [Device] Configure interconnection parameters for the AC and RADIUS server as well as the
AC and Portal server, so that the AC can associate with the RADIUS and Portal servers.

Figure 4-92 Configuration flow for Portal authentication service

# Configure a RADIUS server template, and configure authentication, accounting, and
authorization schemes in the template.
[AC] radius-server template radius_template
[AC-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server shared-key cipher Admin@123
[AC-radius-radius_template] radius-server user-name original //Configure the AC to send the user names entered by users to the RADIUS server.
[AC-radius-radius_template] quit
[AC] radius-server authorization 192.168.11.10 shared-key cipher Admin@123
[AC] aaa
[AC-aaa] authentication-scheme auth_scheme //Authentication scheme
[AC-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication scheme to RADIUS.
[AC-aaa-authen-auth_scheme] quit
[AC-aaa] accounting-scheme acco_scheme //Accounting scheme
[AC-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting scheme to RADIUS.
[AC-aaa-accounting-acco_scheme] accounting realtime 15
[AC-aaa-accounting-acco_scheme] quit
[AC-aaa] quit

NOTE

The accounting realtime command sets the real-time accounting interval. A short real-time accounting
interval requires high performance of the device and RADIUS server. Set a real-time accounting interval
based on the user quantity.

Table 4-124 Accounting interval


User Quantity    Real-Time Accounting Interval
1 to 99          3 minutes
100 to 499       6 minutes
500 to 999       12 minutes
≥ 1000           ≥ 15 minutes

# Check whether a user can use a RADIUS template for authentication. (User name test and
password Admin_123 have been configured on the RADIUS server.)
[AC] test-aaa test Admin_123 radius-template radius_template pap
Info: Account test succeed.

# Configure the Portal server.


1. Configure the URL of the Portal authentication page. When a user attempts to access a
website before authentication, the AC redirects the website to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast
page pushing. Before configuring the URL using a domain name, you must first
configure the mapping between the domain name and IP address of the Agile Controller-
Campus server on the DNS server.
[AC] url-template name huawei
[AC-url-template-huawei] url http://access.example.com:8080/portal //access.example.com is the host name of the Portal server.

2. Configure parameters carried in the URL, which must be the same as those on the
authentication server.
[AC-url-template-huawei] url-parameter ssid ssid redirect-url url //Specify the names of the parameters included in the URL. The parameter names must be the same as those on the authentication server.
//The first ssid indicates that the URL contains the SSID field, and the second ssid indicates the parameter name.
//For example, after ssid ssid is configured, the URL redirected to the user contains ssid=guest, where ssid indicates the parameter name, and guest indicates the SSID with which the user associates.
//The second ssid represents the transmitted parameter name only and cannot be replaced with the actual user SSID.
//When the AC uses url as the parameter name, the URL must be entered on the Portal server to specify to which URL users' access requests will be redirected.
[AC-url-template-huawei] quit
3. Specify the port number used to process Portal protocol packets. The default port number
is 2000. If you change the port number on the AC, set the same port number when you
add this AC to the Agile Controller-Campus.
[AC] web-auth-server listening-port 2000
4. Configure a Portal server template, including configuring the IP address and port number
of the Portal server.
Set the destination port number in the packets sent to the Portal server to 50200. The
Portal server accepts packets with destination port 50200, but the AC uses port 50100 to
send packets to the Portal server by default. Therefore, you must change the port number
to 50200 on the AC so that the AC can communicate with the Portal server.
[AC] web-auth-server portal_huawei
[AC-web-auth-server-portal_huawei] server-ip 192.168.11.10 //IP address for the Portal server.
[AC-web-auth-server-portal_huawei] source-ip 10.10.10.254 //The IP address that the AC uses to communicate with the Portal server.
[AC-web-auth-server-portal_huawei] port 50200 //Set the destination port number in the packets sent to the Portal server to 50200.
5. Configure the shared key used to communicate with the Portal server, which must be the
same as that on the Portal server. In addition, enable the AC to transmit encrypted URL
parameters to the Portal server.
[AC-web-auth-server-portal_huawei] shared-key cipher Admin@123 //Configure the shared key used to communicate with the Portal server, which must be the same as that on the Portal server.
[AC-web-auth-server-portal_huawei] url-template huawei //Bind the URL template to the Portal server profile.
6. Enable the Portal server detection function.
After the Portal server detection function is enabled in the Portal server template, the
device detects all Portal servers configured in the Portal server template. If the number of
times that the device fails to detect a Portal server exceeds the upper limit, the status of
the Portal server is changed from Up to Down. If the number of Portal servers in Up state
is less than or equal to the minimum number (specified by the critical-num parameter),
the device performs the corresponding operation to allow the administrator to obtain the
real-time Portal server status. The detection interval cannot be shorter than 15s, and the
recommended value is 100s. The AC only supports Portal server detection but not Portal
escape.
[AC-web-auth-server-portal_huawei] server-detect interval 100 max-times 5 critical-num 0 action log
7. (Optional) Enable user information synchronization.
The user-sync command enables user information synchronization so that user
information on the device and Portal server is synchronized at intervals to ensure user
information consistency. Without synchronization, user information on the device and on
the Portal server may be inconsistent and accounting may be inaccurate. The user
information synchronization interval must be greater than 300s. (The Agile
Controller-Campus responds to probe packets of a switch or AC at an interval of 5
minutes.) If the synchronization interval is shorter than 300s, users may go offline after
passing authentication. You are advised to set the user information synchronization
interval to 500s, that is, set interval to 100 and max-times to 5.

[AC-web-auth-server-portal_huawei] user-sync interval 100 max-times 5


[AC-web-auth-server-portal_huawei] quit

# Enable the Portal authentication quiet period function. With this function enabled, the AC
drops packets of an authentication user during the quiet period if the user fails Portal
authentication for the specified number of times in 60 seconds. This function protects the AC
from overloading caused by frequent authentication.
[AC] portal quiet-period
[AC] portal quiet-times 5 //Set the maximum number of authentication failures in 60 seconds before a Portal authentication is set to quiet state.
[AC] portal timer quiet-period 240 //Set the quiet period to 240 seconds.

# Create a Portal access profile, and bind the Portal server template to it.
In this example, different Portal survival solutions need to be configured for employees and
guests respectively. Therefore, configure two Portal access profiles.
[AC] portal-access-profile name acc_portal_employee //Create a Portal access profile for employees.
[AC-portal-access-profile-acc_portal_employee] web-auth-server portal_huawei direct //Configure the Portal server template used by the Portal access profile. If the network between end users and the AC is a Layer 2 network, configure the direct mode; if the network is a Layer 3 network, configure the layer3 mode.
[AC-portal-access-profile-acc_portal_employee] quit
[AC] portal-access-profile name acc_portal_guest //Create a Portal access profile for guests.
[AC-portal-access-profile-acc_portal_guest] web-auth-server portal_huawei direct
[AC-portal-access-profile-acc_portal_guest] quit

# Create a MAC access profile so that MAC address-prioritized Portal authentication is
performed on employees.
[AC] mac-access-profile name acc_mac
[AC-mac-access-profile-acc_mac] quit

# Configure pre-authentication and post-authentication access rules for employees and guests.
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255 //Configure a Portal authentication-free rule to allow users to connect to the DNS server before authentication.
[AC-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.100 mask 255.255.255.255 //Configure a Portal authentication-free rule to allow users to connect to the AD server before authentication.
[AC-free-rule-default_free_rule] free-rule 3 destination ip 192.168.11.2 mask 255.255.255.255 //Configure a Portal authentication-free rule to allow users to connect to the DHCP server before authentication.
[AC-free-rule-default_free_rule] quit
[AC] acl 3001 //Configure the post-authentication domain for employees, including the intranet and Internet.
[AC-acl-adv-3001] rule 5 permit ip
[AC-acl-adv-3001] quit
[AC] acl 3002 //Configure the post-authentication domain for guests, including the Internet.
[AC-acl-adv-3002] rule 5 deny ip destination 192.168.11.200 0 //192.168.11.200 is the service system IP address and cannot be accessed by guests. The value after the address in an ACL rule is a wildcard mask, so 0 matches this single host.
[AC-acl-adv-3002] rule 10 permit ip
[AC-acl-adv-3002] quit

# Configure different authentication profiles for employees and guests respectively because
MAC address-prioritized Portal authentication needs to be enabled for employees.
[AC] authentication-profile name auth_portal_employee
[AC-authentication-profile-auth_portal_employee] mac-access-profile acc_mac //Enable MAC address-prioritized authentication for employees.
[AC-authentication-profile-auth_portal_employee] portal-access-profile acc_portal_employee
[AC-authentication-profile-auth_portal_employee] authentication-scheme auth_scheme
[AC-authentication-profile-auth_portal_employee] accounting-scheme acco_scheme
[AC-authentication-profile-auth_portal_employee] radius-server radius_template
[AC-authentication-profile-auth_portal_employee] free-rule-template default_free_rule
[AC-authentication-profile-auth_portal_employee] quit
[AC] authentication-profile name auth_portal_guest
[AC-authentication-profile-auth_portal_guest] portal-access-profile acc_portal_guest
[AC-authentication-profile-auth_portal_guest] authentication-scheme auth_scheme
[AC-authentication-profile-auth_portal_guest] accounting-scheme acco_scheme
[AC-authentication-profile-auth_portal_guest] radius-server radius_template
[AC-authentication-profile-auth_portal_guest] free-rule-template default_free_rule
[AC-authentication-profile-auth_portal_guest] quit

# Enable terminal type awareness to allow the ACs to send the option fields containing the
terminal type in DHCP packets to the authentication server. In this way, the authentication
server can push the correct Portal authentication pages to users based on their terminal types.
[AC] dhcp snooping enable
[AC] device-sensor dhcp option 12 55 60

# Configure Portal survival. Configure the device to grant network access rights of a user
group to users when the Portal server is Down so that the users can access the post-
authentication domain. In addition, configure the device to re-authenticate users when the
Portal server goes Up.
[AC] user-group group1
[AC-user-group-group1] acl 3001 //Employees' post-authentication domain corresponding to group1.
[AC-user-group-group1] quit
[AC] portal-access-profile name acc_portal_employee
[AC-portal-access-profile-acc_portal_employee] authentication event portal-server-down action authorize user-group group1 //Configure the network access permission of employees when the Portal server is Down.
[AC-portal-access-profile-acc_portal_employee] authentication event portal-server-up action re-authen //Enable the device to re-authenticate users when the Portal server state changes from Down to Up.
[AC-portal-access-profile-acc_portal_employee] quit
[AC] user-group group2
[AC-user-group-group2] acl 3002 //Guests' post-authentication domain corresponding to group2.
[AC-user-group-group2] quit
[AC] portal-access-profile name acc_portal_guest
[AC-portal-access-profile-acc_portal_guest] authentication event portal-server-down action authorize user-group group2 //Configure the network access permission of guests when the Portal server is Down.
[AC-portal-access-profile-acc_portal_guest] authentication event portal-server-up action re-authen
[AC-portal-access-profile-acc_portal_guest] quit

Step 6 [Device] Set WLAN service parameters.


# Create the security profile security_portal and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name security_portal
[AC-wlan-sec-prof-security_portal] quit

# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to
employee and guest respectively.
[AC-wlan-view] ssid-profile name wlan-ssid-employee
[AC-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid-employee] quit
[AC-wlan-view] ssid-profile name wlan-ssid-guest
[AC-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid-guest] quit


# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data
forwarding mode and service VLANs, and apply the security, SSID, and authentication
profiles to the VAP profiles.
[AC-wlan-view] vap-profile name wlan-vap-employee
[AC-wlan-vap-prof-wlan-vap-employee] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 100
[AC-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal_employee //Bind the authentication profile of employees.
[AC-wlan-vap-prof-wlan-vap-employee] quit
[AC-wlan-view] vap-profile name wlan-vap-guest
[AC-wlan-vap-prof-wlan-vap-guest] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal_guest //Bind the authentication profile of guests.
[AC-wlan-vap-prof-wlan-vap-guest] quit

# Bind the VAP profile to the AP groups and apply the VAP profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 0
[AC-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 1
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] vap-profile wlan-vap-guest wlan 1 radio 0
[AC-wlan-ap-group-guest] vap-profile wlan-vap-guest wlan 1 radio 1
[AC-wlan-ap-group-guest] quit

Step 7 [Agile Controller-Campus] Add the AC to the Service Manager to enable the Agile
Controller-Campus to manage the AC.
1. Choose Resource > Device > Device Management.
2. Click Add.
3. Configure parameters for the AC.


Parameter | Value | Description
----------|-------|------------
Name | AC | -
IP address | 10.10.10.254 | The AC1 interface with this IP address must be able to communicate with the Agile Controller-Campus.
Authentication key | Admin@123 | It must be the same as the shared key of the RADIUS authentication server configured on the AC.
Accounting key | Admin@123 | It must be the same as the shared key of the RADIUS accounting server configured on the AC.
Real-time accounting interval (minute) | 15 | It must be the same as the real-time accounting interval configured on the AC.
Port | 2000 | This is the port that the AC uses to communicate with the Portal server. Retain the default value.
Portal key | Admin@123 | It must be the same as the Portal key configured on the AC.
Access terminal IP list | 172.20.0.0/16; 172.21.0.0/16 | You need to add the IP addresses of all the terminals that go online through Portal authentication to the access terminal IP list. After the Portal server receives the account and password submitted by an end user, it searches for an access control device based on the terminal's IP address and allows the terminal to go online from the target access control device. If the IP address pool of the access control device does not include the terminal IP address, the Portal server cannot find an access control device to grant network access permission to the terminal, causing the terminal login failure.
Enable heartbeat between access device and Portal server | Select | The Portal server can send heartbeat packets to the access device only when Enable heartbeat between access device and Portal server is selected and the Portal server's IP address has been added to Portal server IP list. The access device then periodically detects heartbeat packets of the Portal server to determine the Portal server status and synchronize user information from the Portal server. The server-detect and user-sync commands must have been configured in the Portal server view on the access device.
Portal server IP list | 192.168.11.10 | See the previous row.

4. Click OK.
Step 8 [Agile Controller-Campus] Add SSIDs on the Agile Controller-Campus, so that the Agile
Controller-Campus can authorize users through the SSIDs.
1. Choose Policy > Permission Control > Policy Element > SSID.
2. Click Add and add SSIDs for employees and guests.
The SSIDs must be the same as those configured on the AC.


Step 9 [Agile Controller-Campus] Configure authentication and authorization.


1. Choose Policy > Permission Control > Authentication & Authorization >
Authentication Rule, and modify the default authentication rule or create an
authentication rule.
Add the AD server to Data Source. By default, an authentication rule takes effect only
on the local data source. If the AD server is not added as a data source, AD accounts will
fail to be authenticated.


2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and add authorization ACLs for employees and guests.
The ACL numbers must be the same as those configured on the authentication control
device.


3. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and bind the authorization result to specify resources accessible to
employees and guests after successful authentication.


4. Modify the default authorization rule by changing the authorization result to Deny
Access.
Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click on the right of Default Authorization Rule. Change
the value of Authorization Result to Deny Access.


Step 10 [Agile Controller-Campus] Customize a Portal authentication page for employees.


1. Choose Policy > Permission Control > Page Customization > Page Customization.
2. Click .
3. Configure basic information about the authentication page.

Parameter | Value | Description
----------|-------|------------
Customize page name | Authentication page for employee | -
Page Title | Web | This web title will be displayed on the authentication page.
Self Register | Deselected | -

4. Select an authentication page template for employee authentication at the bottom of the
page, and click Next.


5. Click Next, select an authentication page template for employee authentication, and
select English from the Choose the language template drop-down list box.

6. Click Next.
Employees do not need to log in using mobile phones and can therefore skip this step.
7. Click Next. Set Authentication Page, Authentication Success Page, and User Notice
Page.

8. After completing the configuration, click Publish.


Step 11 [Agile Controller-Campus] Customize a Portal authentication page for guests.
1. Choose Policy > Permission Control > Page Customization > Page Customization.
2. Click .
3. Configure basic information about the page.


Parameter | Value | Description
----------|-------|------------
Customize page name | Authentication page for guest | -
Page title | Web | This web title will be displayed on the authentication page.
Self Register | Selected | -
Guest account policy | Self-registration_approval free_valid for 8 hours | -

4. Click Next, select an authentication page template for guest authentication, and select
English from the Choose the language template drop-down list box.


5. Click Next. Set Authentication Page, Authentication Success Page, User Notice
Page, Registration Page, and Registration Success Page.

6. Click Next to set the PC authentication pages.


7. After completing the configuration, click Publish.


Step 12 [Agile Controller-Campus] Configure Portal page push rules to ensure that different
authentication pages are pushed to employees and guests.
1. Choose Policy > Permission Control > Page Customization > Portal Page Push Rule.
2. Click Add.
3. Configure a Portal page push rule for employees and click OK.


Parameter | Value | Description
----------|-------|------------
Name | push rule for employee | -
User-defined parameters | ssid=employee | For details about User-defined parameters, see 4.19.12.3 Defining a Redirection Rule for the Portal Page.
Pushed page | Select the authentication page configured in Step 10. | The Service Manager automatically saves each page in an independent folder.
First page to push | Authentication | -
URL | Retain the default value. | -
Page displayed after successful authentication | Continue to visit the original page | The original page before authentication is automatically displayed after authentication succeeds.

4. Configure push rules for guests in a similar way and click OK.


5. Click OK.
Step 13 [Agile Controller-Campus] Enable MAC address-prioritized Portal authentication on the
Agile Controller-Campus.
1. Choose System > Terminal Configuration > Global Parameters.
2. On the MAC Address-prioritized Portal Authentication tab page, enable MAC
Address-prioritized Portal Authentication and set Mac Address-Prioritized Portal
Authentication to 60 minutes.


3. Click OK.

----End

Verification
If a terminal uses Internet Explorer 8 for Portal authentication, the following configuration
must be completed for the browser. Otherwise, the Portal authentication page cannot be
displayed.
1. Choose Tools > Internet Options.
2. Select options related to Use TLS on the Advanced tab.


3. Click OK.


Item: Employee authentication
Expected Result:
- Employee can only access the Agile Controller-Campus server, DNS server, AD server and
  DHCP server before authentication.
- When the employee connects to the Wi-Fi hotspot employee using a computer and attempts
  to visit the Internet or service system, the employee authentication page is pushed to the
  user. After the employee enters the correct user name and password, the authentication
  succeeds and the requested web page is displayed automatically.
- After employees are successfully authenticated, they can access the Internet and service
  system.
- After the authentication succeeds, run the display access-user command on the AC. The
  command output shows that the employee account is online.
- On the Service Manager, choose Resource > User > Online User Management, and the
  employee account is displayed on the list of online users.
- On the Service Manager, choose Resource > User > RADIUS Log, and you can see the
  RADIUS authentication log for the employee account.

Item: Guest authentication
Expected Result:
- Guest can only access the Agile Controller-Campus server, DNS server, and DHCP server
  before authentication.
- When the guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to
  visit the Internet, the Mobile Phone authentication page is pushed to the mobile phone.
  After the guest enters the correct user name and password, the authentication succeeds
  and the requested web page is displayed automatically.
- When the guest connects to the Wi-Fi hotspot guest using a laptop or tablet, the PC/Pad
  authentication page is pushed to the laptop or tablet. After the guest enters the correct
  user name and password, the authentication succeeds and the requested web page is
  displayed automatically.
- After guests are successfully authenticated using the accounts registered by their mobile
  numbers, they can access the Internet but not the service system.
- After the authentication succeeds, run the display access-user command on the AC. The
  command output shows that the guest account is online.
- On the Service Manager, choose Resource > User > Online User Management, and the
  guest account is displayed on the list of online users.
- On the Service Manager, choose Resource > User > RADIUS Log, and you can see the
  RADIUS authentication log for the guest account.

Summary and Suggestions


- The authentication key, accounting key, and Portal key must be kept consistent on the
  AC and Agile Controller-Campus. The accounting interval set on the Agile Controller-Campus
  must also be the same as that on the AC.
- Authorization rules or Portal page push rules are matched in descending order of priority
  (ascending order of rule numbers). If the authorization condition or Portal push condition
  of a user matches a rule, the Agile Controller-Campus does not check the subsequent
  rules. Therefore, it is recommended that you set higher priorities for the rules defining
  more precise conditions and set lower priorities for the rules defining fuzzy conditions.
- The RADIUS accounting function is configured on the AC to enable the Agile
  Controller-Campus to obtain online user information by exchanging accounting packets
  with the AC. The Agile Controller-Campus does not support the real accounting
  function. If accounting is required, use a third-party accounting server.
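
An added example, not part of the Huawei document or any Huawei tool: a Python check that applies the limits stated in this example (server-detect interval of at least 15s, user-sync interval multiplied by max-times greater than 300s) and resolves which ACL each Portal access profile hands out while the Portal server is Down. The sample text reuses this example's commands; grouping them under unindented view headers, the web-auth-server portal_huawei header line, host wildcard 0 in ACL 3002, and evaluation of ACL rules in ascending rule-ID order are assumptions of the sketch.

```python
import re

# Constructed input: this example's commands with line wraps removed, grouped
# under the command that opens each view (layout assumed for this sketch).
SAMPLE_CONFIG = """\
web-auth-server portal_huawei
 server-detect interval 100 max-times 5 critical-num 0 action log
 user-sync interval 100 max-times 5
acl 3001
 rule 5 permit ip
acl 3002
 rule 5 deny ip destination 192.168.11.200 0
 rule 10 permit ip
user-group group1
 acl 3001
user-group group2
 acl 3002
portal-access-profile name acc_portal_employee
 web-auth-server portal_huawei direct
 authentication event portal-server-down action authorize user-group group1
 authentication event portal-server-up action re-authen
portal-access-profile name acc_portal_guest
 web-auth-server portal_huawei direct
 authentication event portal-server-down action authorize user-group group2
 authentication event portal-server-up action re-authen
"""

TIMER = re.compile(r"(server-detect|user-sync) interval (\d+) max-times (\d+)")
SURVIVAL = re.compile(r"authentication event portal-server-down action authorize user-group (\S+)")
REAUTH = "authentication event portal-server-up action re-authen"


def parse_sections(text):
    """Group indented commands under the unindented line that opens their view."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections.setdefault(current, [])  # a view may be entered more than once
        elif current is not None:
            sections[current].append(line.strip())
    return sections


def check_timers(sections):
    """Apply the two timer limits stated in the text to every Portal server template."""
    findings = []
    for header, cmds in sections.items():
        if not header.startswith("web-auth-server "):
            continue
        name = header.split()[1]
        for m in filter(None, map(TIMER.match, cmds)):
            kind, interval, times = m.group(1), int(m.group(2)), int(m.group(3))
            if kind == "server-detect" and interval < 15:
                findings.append(f"{name}: server-detect interval {interval}s is shorter than 15s")
            if kind == "user-sync" and interval * times <= 300:
                findings.append(f"{name}: user-sync period {interval * times}s is not greater than 300s")
    return findings


def survival_access(sections):
    """Resolve profile -> user group -> ACL rules granted while the Portal server is Down."""
    acls = {h.split()[1]: c for h, c in sections.items() if h.startswith("acl ")}
    groups = {h.split()[1]: cmd.split()[1] for h, c in sections.items()
              if h.startswith("user-group ") for cmd in c if cmd.startswith("acl ")}
    access = {}
    for header, cmds in sections.items():
        if not header.startswith("portal-access-profile name "):
            continue
        for m in filter(None, map(SURVIVAL.match, cmds)):
            acl = groups.get(m.group(1))
            # Assumption: rules are evaluated in ascending rule-ID order.
            rules = sorted((r for r in acls.get(acl, []) if r.startswith("rule ")),
                           key=lambda r: int(r.split()[1]))
            access[header.split()[2]] = {"group": m.group(1), "acl": acl,
                                         "rules": rules, "reauth": REAUTH in cmds}
    return access


def survival_findings(sections):
    """Report what a Portal server outage hands out and whether it is reclaimed afterwards."""
    findings = []
    for profile, a in survival_access(sections).items():
        if not a["rules"]:
            findings.append(f"{profile}: user group {a['group']} resolves to no ACL rules")
        elif a["rules"][0].split()[2:] == ["permit", "ip"]:
            findings.append(f"{profile}: Portal-down users get ACL {a['acl']}, first rule is an unrestricted permit")
        if not a["reauth"]:
            findings.append(f"{profile}: no re-authentication when the Portal server comes back Up")
    return findings


if __name__ == "__main__":
    parsed = parse_sections(SAMPLE_CONFIG)
    print("\n".join(check_timers(parsed) + survival_findings(parsed)))
```

On the sample, check_timers returns nothing and survival_findings lists acc_portal_employee, which is the access the Portal survival step configures on purpose; listing it makes visible that this access is granted without a Portal login while the server is Down.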

4.19.3 Example for Configuring Wireless MAC Address Authentication
This section describes how to configure wireless MAC address authentication for dumb
terminals such as IP phones, printers, and cameras to access networks in wireless mode.

Involved Products and Versions


Product Type | Product Name | Version
-------------|--------------|--------
Agile Controller-Campus | Agile Controller-Campus | V100R002C10
WLAN AC | AC6605 | V200R006C20
Access switch | S2750EI | V200R008C00
Aggregation switch | S5720HI | V200R008C00

Networking Requirements
As shown in Figure 4-93, dumb terminals such as printers and IP phones in the confidential
service office of a company associate with the AP through the mac_access SSID, and connect
to the intranet through the access switch S2750EI, aggregation switch S5720HI, and core
router. If unauthorized terminals access the intranet, the business system of the company may
be attacked or key information may leak. The administrator requests to control network access
permission of users on the AC to ensure intranet security. In addition, the AC functions as a
DHCP server to assign IP addresses on the 10.10.10.0/24 network segment to APs, and
centrally manages all users.
To ensure unified user traffic control on the AC, it is recommended that tunnel forwarding be
used to forward packets between the AC and APs.
AnyOffice cannot be installed on dumb terminals such as printers and IP phones in the
confidential service office. Therefore, wireless MAC address authentication can be used so
that the AC can send MAC addresses of the terminals as user information to the RADIUS
server for authentication.


Figure 4-93 Networking of MAC address authentication

Data Plan

Table 4-125 Wireless VLAN plan


VLAN ID | Function
--------|---------
10 | mVLAN for wireless access
100 | Service VLAN for wireless access


Table 4-126 Wireless network data plan


Item | Data | Description
-----|------|------------
Access switch S2750EI | GE0/0/2: VLAN 10; GE0/0/3: VLAN 10 | The uplink and downlink interfaces allow packets only from the mVLAN to pass through. The service VLAN is encapsulated in the packets tagged with the mVLAN ID.
Aggregation switch S5720HI | GE0/0/1: VLAN 10 | This downlink interface allows packets only from the mVLAN to pass through. The service VLAN is encapsulated in the packets tagged with the mVLAN ID.
Aggregation switch S5720HI | GE0/0/2: VLAN 100 | This uplink interface allows packets only from the service VLAN to pass through.
Aggregation switch S5720HI | GE0/0/3: VLAN 10 and VLAN 100 | The AC communicates with the uplink device through the service VLAN and with the downlink device through the mVLAN.
AC6605 | GE0/0/1: VLAN 10 and VLAN 100 | The AC communicates with the uplink device through the service VLAN and with the downlink device through the mVLAN.
AC6605 | VLANIF 10: 10.10.10.254/24 | Gateway for APs.
Core router | GE1/0/1: 172.16.21.254/24 | Gateway for dumb terminals
Server | DNS server: 192.168.11.1; Agile Controller-Campus: 192.168.11.10 | -


Table 4-127 Service data plan for wireless MAC address authentication
Item | Data | Description
-----|------|------------
RADIUS | RADIUS server: Agile Controller-Campus server; Authentication key: Admin@123; Accounting key: Admin@123; Real-time accounting interval: 15 minutes; Authentication port: 1812; Accounting port: 1813 | The access control device and Agile Controller-Campus function as the RADIUS client and server respectively. The authentication, authorization, and accounting keys and the accounting interval must be the same on the access control device and Agile Controller-Campus. The Agile Controller-Campus functioning as the RADIUS server uses ports 1812 and 1813 for authentication and accounting respectively.
Pre-authentication domain | DNS server and Agile Controller-Campus | -
Post-authentication domain | Internet | -

Configuration Roadmap
1. Configure VLANs, IP addresses, and routes on the access switch, aggregation switch,
and AC to ensure network connectivity.
2. Set RADIUS interconnection parameters and MAC address authentication parameters on
the AC to implement wireless MAC address authentication.
3. Add the AC on the Agile Controller-Campus, and configure authentication and
authorization.
NOTE

In this example, the gateway for dumb terminals is deployed on the core router. If the gateway for dumb
terminals is deployed on the AC, you only need to configure dhcp select interface in the service VLAN on
the AC.
This example provides only configurations of the AC, aggregation switch, and access switch.

Procedure
Step 1 [Device] Configure IP addresses, VLANs, and routes to implement network connectivity.
1. Configure the access switch.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan 10
[S2700-vlan10] quit
[S2700] interface gigabitethernet 0/0/3
[S2700-GigabitEthernet0/0/3] port link-type trunk


[S2700-GigabitEthernet0/0/3] port trunk pvid vlan 10


[S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/3] quit
[S2700] interface gigabitethernet 0/0/2
[S2700-GigabitEthernet0/0/2] port link-type trunk
[S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[S2700-GigabitEthernet0/0/2] quit

2. Configure the aggregation switch.


<HUAWEI> system-view
[HUAWEI] sysname S5700
[S5700] vlan batch 10 100
[S5700] interface gigabitethernet 0/0/1
[S5700-GigabitEthernet0/0/1] port link-type trunk
[S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[S5700-GigabitEthernet0/0/1] quit
[S5700] interface gigabitethernet 0/0/2
[S5700-GigabitEthernet0/0/2] port link-type trunk
[S5700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[S5700-GigabitEthernet0/0/2] quit
[S5700] interface gigabitethernet 0/0/3
[S5700-GigabitEthernet0/0/3] port link-type trunk
[S5700-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 100
[S5700-GigabitEthernet0/0/3] quit

3. Configure the AC.


# Configure the AC's interface to allow packets from the service VLAN and mVLAN to
pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 10 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100
[AC-GigabitEthernet0/0/1] quit

# Configure VLANIF 10 as the gateway for APs to dynamically assign IP addresses to
the APs. If the AC is used as the gateway for dumb terminals, configure the gateway IP
address and enable DHCP on the AC's interface in the service VLAN.
[AC] dhcp enable
[AC] interface vlanif 10
[AC-Vlanif10] ip address 10.10.10.254 24
[AC-Vlanif10] dhcp select interface
[AC-Vlanif10] quit

# Configure the default route with the core router as the next hop.
[AC] ip route-static 0.0.0.0 0 172.16.21.254

Step 2 [Device] Configure AP online parameters to enable APs to go online automatically after
connecting to a network.
NOTE

If a Layer 3 network is deployed between the AP and AC, you need to configure the Option 43 field on the
DHCP server to carry the AC's IP address in advertisement packets, allowing the AP to discover the AC.
1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP address
for the AC.

# Create an AP group to which APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit


# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulatory-domain-prof-domain1] country-code cn
[AC-wlan-regulatory-domain-prof-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 10 //Configure an mVLAN interface.

# Import the AP offline on the AC and add the AP to the AP group ap-group1. This example
assumes that the MAC address of the AP is 60de-4476-e360. Configure a name for the AP
based on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the AP
area_1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC] display ap all
Total AP information:
nor  : normal          [1]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP           Type         State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.10.10.122 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

Step 3 [Device] Configure MAC address authentication parameters to enable MAC address
authentication for dumb terminals.
The following figure shows the process of configuring wireless MAC address authentication.


1. Configure a RADIUS server template, an authentication scheme, and an accounting
scheme.
[AC] radius-server template radius_template
[AC-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server shared-key cipher Admin@123
[AC-radius-radius_template] radius-server user-name original //Configure the AC to send the user names entered by users to the RADIUS server.
[AC-radius-radius_template] quit
[AC] radius-server authorization 192.168.11.10 shared-key cipher Admin@123
[AC] aaa
[AC-aaa] authentication-scheme auth_scheme //Authentication scheme
[AC-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication scheme to RADIUS.
[AC-aaa-authen-auth_scheme] quit
[AC-aaa] accounting-scheme acco_scheme //Accounting scheme
[AC-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting scheme to RADIUS.
[AC-aaa-accounting-acco_scheme] accounting realtime 15
[AC-aaa-accounting-acco_scheme] quit
[AC-aaa] quit

NOTE

The accounting realtime command sets the real-time accounting interval. A short real-time
accounting interval requires high performance of the device and RADIUS server. Set a real-time
accounting interval based on the user quantity.

Table 4-128 Accounting interval

User Quantity    Real-Time Accounting Interval
1 to 99          3 minutes
100 to 499       6 minutes
500 to 999       12 minutes
≥ 1000           ≥ 15 minutes

2. Configure an access profile.


NOTE
In a MAC access profile, a MAC address without hyphens (-) is used as the user name and
password for MAC address authentication.
[AC] mac-access-profile name mac
[AC-mac-access-profile-mac] quit

3. Configure an authentication profile.

Specify the user access mode in the authentication profile through the access profile.
Bind the RADIUS authentication scheme, accounting scheme, and server template to the
authentication profile so that RADIUS authentication is used.
[AC] authentication-profile name mac
[AC-authentication-profile-mac] mac-access-profile mac
[AC-authentication-profile-mac] authentication-scheme auth_scheme
[AC-authentication-profile-mac] accounting-scheme acco_scheme
[AC-authentication-profile-mac] radius-server radius_template
[AC-authentication-profile-mac] quit

4. Set wireless MAC authentication parameters.

# Create the security profile security-mac and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name security-mac
[AC-wlan-sec-prof-security-mac] quit

# Create the SSID profile wlan-ssid and set the SSID name to mac_access.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid mac_access
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, configure the service data forwarding mode and
service VLAN, and apply the security, SSID, and authentication profiles to the VAP
profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 100
[AC-wlan-vap-prof-wlan-vap] security-profile security-mac
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile mac
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap to the AP group ap-group1, and apply the VAP profile
to radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 4 [Agile Controller-Campus] Add an access control device and connect it to the Agile
Controller-Campus through RADIUS.


Choose Resource > Device > Device Management, and add the AC.

Agile Controller-Campus Parameters        Command
Authentication/Accounting key             radius-server shared-key cipher Admin@123
Authorization key                         radius-server authorization 192.168.11.10 shared-key cipher Admin@123
Real-time accounting interval (minute)    accounting realtime 15

Step 5 [Agile Controller-Campus] Configure authentication and authorization rules. End users match
the rules based on specified conditions.
1. Add authentication rules.


# Choose Policy > Permission Control > Authentication and Authorization >
Authentication Rule.
# Click Add.
# Set the parameters of authentication rules.
– Service Type: MAC Bypass Authentication Service

# Click OK.
2. Add the devices that require MAC authentication.
# Choose Resource > Terminal > Terminal List.
# Select the first node in the Device Group list and click Add in the right-side window
to create a device group for MAC authentication, such as device group MAC.
# Select MAC in the Device Group list. On the Device List tab page in the right-side
window, click Add and enter the MAC address of the device, such as
00-11-22-33-44-55.


# Click OK.
# Repeat the preceding steps to add all devices that require MAC authentication to
device group MAC. The Agile Controller-Campus supports batch import of device MAC
addresses. For details, see Example in 4.19.12.5 Configuring MAC Address
Authentication.
3. Add authorization rules.
# Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule.
# Click Add.
# Set the parameters of authorization rules.
– Service Type: MAC Bypass Authentication Service
– Terminal Group: MAC
– Authorization Result: Permit Access


# Click OK.
# Repeat the preceding operations to create authorization rules. If MAC authentication is
not performed for the device that attempts to access the network, the device is not
allowed to access the network.


----End

Result
• After the configuration is complete, run the display mac-authen command on the AC to
view the MAC address authentication configuration.
• After a dumb terminal associates with the WLAN with the SSID mac_access, the AC
automatically obtains the dumb terminal's MAC address as the user name and password
for authentication. After successful authentication, the dumb terminal can access the
Internet.
• After the dumb terminal goes online, run the display access-user access-type
mac-authen command on the AC to view information about the online MAC address
authentication user.
• Choose Resource > User > RADIUS Log on the Agile Controller-Campus to view
RADIUS logs.
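
A MAC address is written three ways in this procedure: 60de-4476-e360 on the AC, 00-11-22-33-44-55 in the Terminal List, and without hyphens as the RADIUS user name. The Python script below is an added example, not part of the Huawei procedure: it normalizes those notations and reconciles a terminal list against RADIUS log records. The terminal list, the log records and their (user name, result) layout, and all function names are constructed for illustration.

```python
import re
from collections import Counter


def mac_username(mac: str) -> str:
    """Reduce a MAC address in any common notation to 12 hex digits, the
    hyphen-less form used as user name and password in MAC authentication.
    Lowercasing is this example's choice so that comparisons ignore case."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def is_locally_administered(username: str) -> bool:
    """True if the locally-administered bit (0x02 of the first octet) is set,
    meaning the address is not a vendor-assigned (burned-in) one."""
    return bool(int(username[:2], 16) & 0x02)


# Constructed terminal list, deliberately mixing notations.
TERMINAL_LIST = ["00-11-22-33-44-55", "0011-2233-4466", "a6:5e:60:11:22:33"]

# Constructed RADIUS log records: (user name, result).
RADIUS_LOG = [
    ("001122334455", "accept"),
    ("001122334466", "accept"),
    ("0011223344AA", "reject"),
    ("0011223344aa", "reject"),
    ("3c970e112233", "accept"),
]


def review(terminals, log):
    """Compare what the RADIUS server saw with what the terminal list allows."""
    allowed = {mac_username(m) for m in terminals}
    seen = [(mac_username(user), result) for user, result in log]
    return {
        # Accepted although not listed: the authorization rule is probably
        # not restricted to the terminal group.
        "accepted_unlisted": sorted(
            {u for u, r in seen if r == "accept" and u not in allowed}),
        # Rejected attempts, counted per unknown address.
        "rejected_unlisted": dict(
            Counter(u for u, r in seen if r == "reject" and u not in allowed)),
        # Listed terminals that never authenticated: candidates for removal.
        "never_seen": sorted(allowed - {u for u, _ in seen}),
        # Listed addresses that are locally administered: confirm each one.
        "locally_administered": sorted(
            u for u in allowed if is_locally_administered(u)),
    }


if __name__ == "__main__":
    for key, value in review(TERMINAL_LIST, RADIUS_LOG).items():
        print(f"{key}: {value}")
```

Because the MAC address is both the user name and the password, the terminal list is the only control deciding which addresses are admitted, so entries in accepted_unlisted deserve attention first.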

4.19.4 Example for Configuring Wireless Network Access Using a Terminal Running the Android, iOS, or Windows OS
Before accessing a network in wireless mode using a terminal running the Android, iOS, or
Windows OS, you need to associate the terminal with the initialization SSID to download the
network configuration tool or configuration file. After the terminal automatically completes
network configuration, the user can access the network through 802.1X.

Involved Products and Versions

Item                           Product                             Version
AP                             AP6010DN-AGN                        V200R006C20
AC                             AC6605                              V200R006C20
Portal server, RADIUS server   Agile Controller-Campus             V100R002C10
Windows CA server              Windows Server 2008 R2 Enterprise   Windows Server 2008 R2 Enterprise

Networking Requirements
To ensure network access security, an enterprise requests users to pass 802.1X certificate
authentication before they access the network. To access the network through 802.1X
certificate authentication, users need to complete complex configurations on terminals.
The Boarding deployment scheme simplifies operations and enables user terminals to
automatically complete configurations. As shown in Figure 4-94, the Boarding deployment
scheme provides two SSIDs. One is used for initializing the network and uses Portal
authentication. The other one is used for service access and uses 802.1X authentication.
When accessing a network, a user needs to associate with the initialization SSID first to
download the network configuration tool or configuration file. After the configuration is
automatically completed on the terminal, the user is automatically associated with the service
access SSID to access the network through 802.1X.

Figure 4-94 Networking diagram
[Diagram not reproduced. Labeled elements: AP, AC, router, patch server, Portal server,
RADIUS server, and CA server; AC interface GE 0/0/1 in VLAN 100 and GE 0/0/2 in
VLANs 100, 101, and 102; Portal and 802.1X access.]


Data Planning

Table 4-129 Network data planning

Item                                Data
AC                                  Interface number: GE 0/0/1
                                    VLAN: 100
                                    IP address of VLANIF 100: 192.168.3.2/24
                                    Interface number: GE 0/0/2
                                    VLANs: 100, 101, and 102
                                    IP address of VLANIF 101: 10.20.210.254/24
                                    IP address of VLANIF 102: 10.20.211.254/24
Router                              IP address of the interface connected to the AC: 192.168.3.254/24
Agile Controller-Campus (Portal     192.168.1.210
server and RADIUS server)
Windows CA server                   192.168.1.211

Table 4-130 Service data planning

Item                                Data
VLAN                                VLAN 100: Management VLAN
                                    VLAN 101: Portal service VLAN
                                    VLAN 102: 802.1X service VLAN
DHCP                                The AC functions as the DHCP server to allocate IP addresses
                                    for APs and terminals from the following address pools:
                                    • IP address pool for APs: 192.168.3.0/24
                                    • Portal service IP address pool for terminals: 10.20.210.0/24
                                    • 802.1X service IP address pool for terminals: 10.20.211.0/24
Pre-authentication domain           Patch server: 192.168.1.200
Post-authentication domain          192.168.2.0/24
Authentication and accounting key,  Admin@123
authorization key, and Portal key
Accounting interval (minutes)       15


Configuration Roadmap
1. Configure network interworking and enable APs to go online on the AC.
2. Configure a RADIUS server template and 802.1X authentication on the AC.
3. Configure Portal authentication on the AC.
4. Configure post-authentication domain resources on the AC for users to access after
passing authentication.
5. Configure the Boarding on the Agile Controller-Campus.
6. Configure authentication and authorization on the Agile Controller-Campus.

Procedure
Step 1 Optional: Deploy the Windows CA server.

For details, see 4.19.12.6 Deploying a CA Certificate Server.

Step 2 [Device] Configure network interworking and enable APs to go online.


1. In this example, tunnel forwarding is used between the AC and APs. Configure the
downlink interface on the AC to allow packets from the management VLAN to pass
through.
<AC6605> system-view
[AC6605] sysname AC
[AC] vlan batch 100 to 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

2. Configure the uplink interface on the AC to allow packets from VLAN 100, VLAN 101,
and VLAN 102 to pass through so that the AC can communicate with upper-layer
network devices.
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[AC-GigabitEthernet0/0/2] quit

3. Configure IP addresses for VLANIF interfaces, and configure the AC to function as the
DHCP server to allocate IP addresses for APs, Portal services, and 802.1X services.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.3.2 255.255.255.0
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.20.210.254 255.255.255.0
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.20.211.254 255.255.255.0
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit

4. Configure the default route, with the next hop pointing to the IP address of the router
interface.
[AC] ip route-static 0.0.0.0 0.0.0.0 192.168.3.254


5. Configure the APs to go online.


NOTE

If a Layer 3 network is deployed between the AP and AC, you need to configure the Option 43 field on
the DHCP server to carry the AC's IP address in advertisement packets, allowing the AP to discover the
AC.
1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP
address for the AC.

# Create the AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulatory-domain-prof-domain1] country-code cn
[AC-wlan-regulatory-domain-prof-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC. Add APs to AP group ap-group1. Configure names
for the APs based on the APs' deployment locations, so that you can know where the
APs are deployed from their names. For example, if the AP with MAC address
60de-4474-9640 is deployed in area 1, name the AP area_1.

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation maybe cause AP reset, Whether to continue? [Y/N]y
[AC-wlan-ap-0] quit

# After an AP is powered on, run the display ap all command to check the AP state. If
the State field displays nor, the AP has gone online.

[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
---------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type         State STA Uptime
---------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 192.168.3.200 AP6010DN-AGN nor   0   5M:2S
---------------------------------------------------------------------------------------
Total: 1

6. Define post-authentication resources in an ACL with the same number as that specified
in the authorization result on the Agile Controller-Campus.
[AC] acl 3001
[AC-acl-adv-3001] rule 1 permit ip destination 192.168.2.0 24 //Post-authentication domain resources
[AC-acl-adv-3001] rule 2 deny ip
[AC-acl-adv-3001] quit

Step 3 [Device] Configure a RADIUS server template and 802.1X authentication.


1. Configure a RADIUS server template, as well as authentication and accounting schemes.
[AC] radius-server template radius_huawei //RADIUS server template
[AC-radius-radius_huawei] radius-server authentication 192.168.1.210 1812 source ip-address 192.168.3.2
[AC-radius-radius_huawei] radius-server accounting 192.168.1.210 1813 source ip-address 192.168.3.2
[AC-radius-radius_huawei] radius-server shared-key cipher Admin@123
[AC-radius-radius_huawei] quit
[AC] radius-server authorization 192.168.1.210 shared-key cipher Admin@123
[AC] aaa
[AC-aaa] authentication-scheme auth_scheme //RADIUS authentication scheme
[AC-aaa-authen-auth_scheme] authentication-mode radius
[AC-aaa-authen-auth_scheme] quit
[AC-aaa] accounting-scheme acc_scheme //RADIUS accounting scheme
[AC-aaa-accounting-acc_scheme] accounting-mode radius
[AC-aaa-accounting-acc_scheme] accounting realtime 15
[AC-aaa-accounting-acc_scheme] quit
[AC-aaa] quit

2. Configure the 802.1X access profile dot1x_access.


NOTE

By default, an 802.1X access profile uses the EAP authentication mode. The authentication protocol
must be the same as that configured in the authentication rule on the Agile Controller-Campus.
[AC] dot1x-access-profile name dot1x_access
[AC-dot1x-access-profile-dot1x_access] quit

3. Configure the authentication profile dot1x_auth, and import the authentication scheme,
accounting scheme, and RADIUS server template.
[AC] authentication-profile name dot1x_auth
[AC-authentication-profile-dot1x_auth] dot1x-access-profile dot1x_access
[AC-authentication-profile-dot1x_auth] authentication-scheme auth_scheme
[AC-authentication-profile-dot1x_auth] accounting-scheme acc_scheme
[AC-authentication-profile-dot1x_auth] radius-server radius_huawei
[AC-authentication-profile-dot1x_auth] quit

4. Configure WLAN service parameters.


# Create security profile dot1x-security and set the security policy in the profile. A
security policy must be configured for 802.1X authentication. The default open system
authentication is not allowed.
[AC] wlan
[AC-wlan-view] security-profile name dot1x-security
[AC-wlan-sec-prof-dot1x-security] security wpa2 dot1x aes
[AC-wlan-sec-prof-dot1x-security] quit

# Create the SSID profile dot1x-ssid, and set the SSID name to 802.1X.

[AC-wlan-view] ssid-profile name dot1x-ssid
[AC-wlan-ssid-prof-dot1x-ssid] ssid 802.1X
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-dot1x-ssid] quit

# Create the VAP profile dot1x-vap, configure the data forwarding mode and service
VLANs, and apply the security profile, SSID profile, and authentication profile to the
VAP profile.
[AC-wlan-view] vap-profile name dot1x-vap
[AC-wlan-vap-prof-dot1x-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-dot1x-vap] service-vlan vlan-id 102
[AC-wlan-vap-prof-dot1x-vap] security-profile dot1x-security
[AC-wlan-vap-prof-dot1x-vap] ssid-profile dot1x-ssid
[AC-wlan-vap-prof-dot1x-vap] authentication-profile dot1x_auth
[AC-wlan-vap-prof-dot1x-vap] quit

# Bind the VAP profile dot1x-vap to an AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile dot1x-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 4 [Device] Configure Portal authentication.


1. Configure a URL template to specify the URL of the pushed page and user terminal's
MAC address.
NOTE

If terminals running the iOS system need to be registered or claimed missing, the
url-parameter user-mac usermac command must be configured. This command is not required
in other cases. Terminals running the iOS system do not initiate Portal authentication when
downloading configuration files, so they are redirected to the Portal pushed page, but cannot
send terminals' MAC addresses through Portal login packets.
[AC] url-template name url_temp
[AC-url-template-url_temp] url http://192.168.1.210:8080/portal
[AC-url-template-url_temp] url-parameter user-mac usermac
[AC-url-template-url_temp] quit

2. Configure a Portal server profile and specify information about the Portal server.
[AC] web-auth-server portal_server
[AC-web-auth-server-portal_server] server-ip 192.168.1.210
[AC-web-auth-server-portal_server] source-ip 192.168.3.2
[AC-web-auth-server-portal_server] port 50200
[AC-web-auth-server-portal_server] shared-key cipher Admin@123
[AC-web-auth-server-portal_server] url-template url_temp
[AC-web-auth-server-portal_server] quit

3. Configure the Portal access profile portal_access.


[AC] portal-access-profile name portal_access
[AC-portal-access-profile-portal_access] web-auth-server portal_server direct
[AC-portal-access-profile-portal_access] quit

4. Configure an authentication-free rule profile. Add the resources (patch server) that users
can access before authentication to the profile.
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 192.168.1.200 mask 32
[AC-free-rule-default_free_rule] quit

5. Configure the authentication profile portal_auth.


[AC] authentication-profile name portal_auth
[AC-authentication-profile-portal_auth] portal-access-profile portal_access
[AC-authentication-profile-portal_auth] free-rule-template default_free_rule
[AC-authentication-profile-portal_auth] authentication-scheme auth_scheme
[AC-authentication-profile-portal_auth] accounting-scheme acc_scheme
[AC-authentication-profile-portal_auth] radius-server radius_huawei
[AC-authentication-profile-portal_auth] quit

6. Configure WLAN service parameters.


# Create security profile portal-security and set the security policy in the profile. By
default, the security policy is open system. Use the default security policy for Portal
authentication.
[AC] wlan
[AC-wlan-view] security-profile name portal-security
[AC-wlan-sec-prof-portal-security] quit

# Create the SSID profile portal-ssid, and set the SSID name to Portal.
[AC-wlan-view] ssid-profile name portal-ssid
[AC-wlan-ssid-prof-portal-ssid] ssid Portal
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-portal-ssid] quit

# Create the VAP profile portal-vap, configure the data forwarding mode and service
VLANs, and apply the security profile, SSID profile, and authentication profile to the
VAP profile.
[AC-wlan-view] vap-profile name portal-vap
[AC-wlan-vap-prof-portal-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-portal-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-portal-vap] security-profile portal-security
[AC-wlan-vap-prof-portal-vap] ssid-profile portal-ssid
[AC-wlan-vap-prof-portal-vap] authentication-profile portal_auth
[AC-wlan-vap-prof-portal-vap] quit

# Bind the VAP profile to an AP group and apply the VAP profile to radio 0 and radio 1
of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile portal-vap wlan 2 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 5 [Agile Controller-Campus] Configure the Boarding to enable the automatic configuration for
802.1X on user terminals.
Choose Policy > Permission Control > Boarding Management > Quick Start to perform
configurations according to the wizard.
1. Configure the network access policy and specify 802.1X access parameters.


The 802.1X network access parameters are the same as those on the AC. The commands
used to configure key parameters on the AC are as follows:
– Security mode: security wpa2 dot1x aes
– Encryption mode: security wpa2 dot1x aes
– SSID: ssid 802.1X
2. Upload a CA certificate for verification when a user certificate is used for authentication
and when the Agile Controller-Campus applies for a user certificate from the Windows
CA server.


3. Configure the SCEP certificate server to apply for user certificates from the Windows
CA server.

4. Optional: Configure OCSP to check the revocation status of user certificates online. The
revoked user certificates cannot be used. You are advised to use OCSP. If OCSP is not
configured, you can choose System > External Authentication > Certificate
Management to configure CRL synchronization or manually upload a CRL to check the
certificate revocation status.

5. Customize a Portal page.


The Agile Controller-Campus provides the default Portal page. The administrator can
modify the default Portal page or add a Portal page.

If the version of the network configuration tool needs to be updated, choose Policy >
Permission Control > Page Customization > Page Customization Material to
upload the latest version.

– Android: A Portal authentication page needs to be customized, containing the
download link of the network configuration tool (in the format of *.apk).
– iOS: A Portal authentication page needs to be customized so that users can enter the
account and password for authentication on the page. An authentication success
page needs to be customized to provide the download link of the network
configuration file (in the format of *.mobileconfig).
– Windows: A Portal authentication page needs to be customized, containing the
download link of the network configuration tool (in the format of *.exe).
6. Configure Portal page push policies. Different Portal pages are pushed to terminals
running different OSs to provide proper network configuration tools or configuration
files.

Configure Portal page push policies for terminals running the Android OS, iOS, and
Windows OS. Set the following parameters and use the default settings for other
parameters.

– Android
  ▪ Name: Android
  ▪ Push different pages based on terminal OS: Android
  ▪ Pushed page: Android_en
– iOS
  ▪ Name: iOS
  ▪ Push different pages based on terminal OS: iOS
  ▪ Pushed page: iOS_en
– Windows
  ▪ Name: Windows
  ▪ Push different pages based on terminal OS: Windows PC
  ▪ Pushed page: Windows_en
Step 6 [Agile Controller-Campus] Add an access control device and connect it to the Agile
Controller-Campus through RADIUS.
Choose Resource > Device > Device Management to add an AC.


The commands used to configure parameters on the AC are as follows:

• Authentication/Accounting key: radius-server shared-key cipher Admin@123
• Authorization key: radius-server authorization 192.168.1.210 shared-key cipher
Admin@123
• Real-time accounting interval: accounting realtime 15
• Portal key: shared-key cipher Admin@123

Step 7 [Agile Controller-Campus] Configure authentication and authorization. After completing
802.1X network configurations, users can obtain permission based on the configured
authentication and authorization rules.
1. Optional: Configure an authentication rule.

This example uses the default authentication rule that contains all authentication
protocols.

If a non-local data source is used for synchronization, such as the AD/LDAP server,
modify the default authentication rule or create an authentication rule.
2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result to configure authorization using an ACL.

The ACL number 3001 set in the ACL Number/AAA User Group area is the same as
that configured on the AC.

3. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule to configure an authorization rule.

Set Authorization Result to Post-authentication domain configured in the preceding
step. Use the default settings for other parameters.

----End
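
Both AC procedures in this part of the guide (MAC address authentication and Boarding) build a chain of named objects: schemes and a RADIUS template are bound to an authentication profile, which is bound to a VAP profile, which is bound to an AP group. The Python script below is an added example, not Huawei tooling: it replays a command transcript and reports bindings that name an object never created, and profiles left without a binding the procedures above always configure. The transcript is constructed with two deliberate slips; the function names, the required-binding list, and the assumption that the sysname contains no hyphen are this example's own.

```python
import re

# Views in which "<kind> name <NAME>" creates an object of that kind.
SYSTEM_KINDS = {"authentication-profile", "dot1x-access-profile", "mac-access-profile",
                "portal-access-profile", "free-rule-template"}
WLAN_KINDS = {"security-profile", "ssid-profile", "vap-profile", "ap-group"}
AAA_KINDS = {"authentication-scheme", "accounting-scheme"}
# Inside an object of the key's kind, these commands bind another object by name.
REFS = {
    "authentication-profile": (SYSTEM_KINDS - {"authentication-profile"})
                              | AAA_KINDS | {"radius-server"},
    "vap-profile": {"security-profile", "ssid-profile", "authentication-profile"},
    "ap-group": {"vap-profile"},
}
# Bindings this example insists on, following the pattern used on this page.
REQUIRED = {"authentication-profile": ("authentication-scheme", "accounting-scheme",
                                       "radius-server"),
            "vap-profile": ("ssid-profile", "authentication-profile")}
PROMPT = re.compile(r"^\s*(\[[^\]]+\]|<[^>]+>)\s*(.*)$")

# Constructed transcript with two deliberate slips (lines 11 and 19).
SAMPLE = """\
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme auth_scheme
[AC-aaa-authen-auth_scheme] quit
[AC-aaa] accounting-scheme acc_scheme
[AC-aaa-accounting-acc_scheme] quit
[AC-aaa] quit
[AC] authentication-profile name portal_auth
[AC-authentication-profile-portal_auth] authentication-scheme auth_scheme
[AC-authentication-profile-portal_auth] authentication-scheme acc_scheme
[AC-authentication-profile-portal_auth] radius-server radius_huawei
[AC-authentication-profile-portal_auth] quit
[AC] wlan
[AC-wlan-view] ssid-profile name portal-ssid
[AC-wlan-ssid-prof-portal-ssid] ssid Portal
[AC-wlan-ssid-prof-portal-ssid] quit
[AC-wlan-view] vap-profile name portal-vap
[AC-wlan-vap-prof-portal-vap] ssid-profile Portal
[AC-wlan-vap-prof-portal-vap] authentication-profile portal_auth
[AC-wlan-vap-prof-portal-vap] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile portal-vap wlan 2 radio all
[AC-wlan-ap-group-ap-group1] quit
"""

def definition(view, t):
    """Return (kind, name) if token list t creates an object in this view."""
    if view == "system":
        if t[:2] == ["radius-server", "template"] and len(t) == 3:
            return ("radius-server", t[2])
        kinds = SYSTEM_KINDS
    elif view == "aaa":
        return (t[0], t[1]) if t[0] in AAA_KINDS and len(t) == 2 else None
    elif view == "wlan":
        kinds = WLAN_KINDS
    else:
        return None
    return (t[0], t[2]) if t[0] in kinds and len(t) == 3 and t[1] == "name" else None

def parse(text):
    """Walk the transcript with a view stack; collect definitions and bindings."""
    defs, refs, stack = set(), [], ["system"]
    for n, raw in enumerate(text.splitlines(), 1):
        m = PROMPT.match(raw)
        t = m.group(2).split("//")[0].split() if m else []
        if not t:
            continue                      # device output, blank line, bare prompt
        if "-" not in m.group(1):         # "[AC]" or "<AC>": back in the top view
            stack = ["system"]            # (assumes the sysname has no hyphen)
        view = stack[-1]
        found = definition(view, t)
        if t == ["quit"]:
            if len(stack) > 1:
                stack.pop()
        elif view == "system" and t in (["aaa"], ["wlan"]):
            stack.append(t[0])
        elif found:
            defs.add(found)
            stack.append(found)
        elif isinstance(view, tuple) and len(t) > 1 and t[0] in REFS.get(view[0], ()):
            refs.append((view, t[0], t[1], n))
    return defs, refs

def lint(text):
    """Report dangling bindings and profiles that lack a required binding."""
    defs, refs = parse(text)
    out = [f"line {n}: {o[0]} {o[1]} references undefined {k} '{name}'"
           for o, k, name, n in refs if (k, name) not in defs]
    for kind, name in sorted(defs):
        bound = {k for o, k, nm, _ in refs if o == (kind, name) and (k, nm) in defs}
        out += [f"{kind} {name} has no valid {need}"
                for need in REQUIRED.get(kind, ()) if need not in bound]
    return out

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

A VAP profile reported without a valid authentication profile is the finding to treat first, since that SSID would be served without the access control the procedure intends.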

Verification
• Terminals running the Android OS
a. After a terminal associates with the Portal wireless network, the terminal can
access the patch server specified in the free-rule command. If the terminal accesses
other websites, the terminal is redirected to the Portal authentication page for
Android terminals.
b. Download the network configuration tool (in the format of *.apk) on the Portal
authentication page and install the tool.
c. Enter the account and password on the network configuration tool and click Config.
The configuration for 802.1X certificate authentication will be automatically
completed. The terminal is automatically connected to the 802.1X wireless network
and you can access post-authentication domain resources.
• Terminals running the iOS
a. Connect the terminal to the Portal wireless network and access a web page. You are
redirected to the Portal authentication page configured for terminals running the
iOS.
b. Enter the account and password on the Portal authentication page for identity
authentication.
c. After the identity authentication succeeds, the Portal authentication success page is
automatically displayed. Download the configuration file in the format of
*.mobileconfig.
d. After the configuration file is installed, the system automatically completes
configuration for 802.1X certificate authentication. After manually connecting the
terminal to the 802.1X wireless network, you can access post-authentication domain
resources.
• Terminals running the Windows OS
a. Connect the terminal to the Portal wireless network and access a web page. You are
redirected to the Portal authentication page configured for terminals running the
Windows OS.
b. Download the network configuration tool (in the format of *.exe) on the Portal
authentication page and install the tool.
c. Enter the account and password on the network configuration tool and click Config.
The configuration for 802.1X certificate authentication will be automatically
completed. The terminal is automatically connected to the 802.1X wireless network
and you can access post-authentication domain resources.

4.19.5 Example for Configuring Guests to Obtain Passwords Through Mobile Phones to Pass Authentication Quickly
Guests can obtain passwords through mobile phones to connect to networks quickly.

Involved Products and Versions

| Product Type | Product Name | Version |
|---|---|---|
| RADIUS Server, Portal Server | Agile Controller-Campus | V100R002C10 |

Networking Requirements
An enterprise has deployed an authentication system to implement access control for all the
wireless users who attempt to connect to the enterprise network. Only authenticated users can
connect to the enterprise network. Enterprise employees connect to the network through
personal computers (PCs) and guests connect to the network through mobile phones. The
administrator has created local accounts for the employees so that they can use the local
accounts to pass authentication. For guest accounts, the system should satisfy the following
demands:
• All guests must associate with the Wi-Fi network whose SSID is guest to connect to the
Internet. Other SSIDs are not allowed.
• All guests can use their mobile phone number to obtain passwords to access the network.
After guests send their requests to obtain passwords, passwords are sent to the guests
through SMS messages.
• After the authentication succeeds, the web page requested by the guest before the
authentication is displayed automatically.

Data Plan

Table 4-131 Data plan


| Item | Data | Description |
|---|---|---|
| SM + SC (RADIUS server + Portal server) | IP address: 172.18.1.1 | - |
| SMS server | Message Sending Method: SMSGW; Enable distributed SC: no; Serial Port ID: COM1; Country Code: 86; Baud Rate: 115200; Test Number: 13412345678 | - |
| Number of the ACL for guests' post-authentication domain | 3002 | - |
| SSID of the network to which guests associate | guest | Configure this parameter on the AC. For details, see step 4 in 4.19.2 Example for Configuring Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless Users. |

Configuration Roadmap
1. Configure the SMS server so that the system can send SMS messages properly.
2. Configure guest account policies. This example uses the default policy "self-
registration_obtaining passwords through mobile phones_8-hour validity period".
3. Customize the authentication page. The authentication page is automatically displayed if
an unauthenticated guest accesses the network.
4. Configure a Portal page push rule to push the customized authentication page to guests.
5. Add guest authorization results and authorization rules to assign access rights to guests
after they are successfully authenticated.

Prerequisites
Portal authentication configurations have been completed on the AC/switch and the Agile
Controller-Campus. For details, see configuration examples about Portal.

Procedure
Step 1 Enter https://172.18.1.1:8443 in the address box of a web browser to log in to the Service
Manager.

Step 2 Configure the SMS server so that the system can send SMS messages properly.
1. Choose System > Server Configuration > SMS Server Configuration.
2. Set parameters of the SMS server.


NOTE

If the SMS modem is used, no more than three guests can register per minute. If the number of
guests that need to register in a minute exceeds three, use the SMS gateway.
3. Click Test. The Test Succeeded message is displayed and the phone with the configured
mobile phone number receives a test SMS message.
4. Click Save.

Step 3 Configure guest account policies. Choose Policy > Permission Control > Guest
Management > Guest Account Policy.
This example uses the default policy "Self-registration_password through phones_valid for 8
hours". If the default policy cannot satisfy requirements, you can modify it or create a new
policy. Set the parameters marked in red rectangles according to the following figure.

Step 4 Customize the authentication page. The authentication page is automatically displayed if an
unauthenticated guest accesses the network.
1. Choose Policy > Permission Control > Page Customization > Page Customization.
2. Click .
3. Configure basic information about the authentication page.
You must select Self Register and set Guest Account Policy to the policy created in
Step 3.


4. Click Next. Set the page template and language template.


The page template is set to System-Mobile Quick Authentication Template and the
language template is set to English.

5. Click Next to customize the page pushed to a phone.


The guest uses the phone to obtain a password to complete registration. Therefore, no
registration and registration success pages are required. You only need to customize the
authentication, authentication success, and user notice pages. You can change logos as
required.

6. Click Next to customize the page pushed to a PC.

7. Click Publish.
If Delivery succeeded is displayed, page customization succeeds.
Step 5 Configure a Portal page push rule to push the customized authentication page to guests.
1. Choose Policy > Permission Control > Page Customization > Portal Page Push Rule.


2. Click Add to add the Portal page push rule.

| Parameter | Value | Description |
|---|---|---|
| Name | Push rule for phone registration | - |
| User-defined parameters | ssid=guest | ssid=guest indicates that the AC pushes the specified page as long as unauthorized guests select the SSID guest. For details about User-defined parameters, see 4.19.12.3 Defining a Redirection Rule for the Portal Page. The AC needs to send the user-defined URL parameter to the Portal server through the URL parameter template, so that the Portal server can correctly match the pushed condition. In this example, the AC sends the user-defined URL parameter ssid to the Portal server, so that it can correctly match the pushed condition. |
| Pushed page | Select the page customized in Step 4 | - |
| Page displayed after successful authentication | Continue to visit the original page | The value of the redirect-url field specified on the AC must be url. For details, see 4.19.12.8 How Do I Continue to Access the Original Page After Successful Portal Authentication?. |

3. Click OK.
Step 6 Add SSIDs to the Agile Controller-Campus for SSID-based user authorization.
1. Choose Policy > Permission Control > Policy Element > SSID.
2. Click Add, and add a guest SSID.
The case-sensitive SSID name must be the same as that configured on the AC.


Step 7 Add an authorization result and rule to allow guests to connect to the Internet after they are
successfully authenticated.
1. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result and specify resources that guests can access after being
authenticated and authorized.

| Parameter | Value | Description |
|---|---|---|
| Name | Authorization Result for guest | - |
| Service Type | Access Service | - |
| ACL Number/AAA User Group | 3002 | ACL number must be the same as the number of the ACL configured for guests on the AC. |

2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and specify the authorization conditions for guests.

| Parameter | Value | Description |
|---|---|---|
| Name | Authorization Rule for guest | - |
| Service Type | Access User | - |
| User Group | Guest | The value must be the same as that of User Group specified when you configure a guest account policy. |
| SSID | guest | The SSID must be the same as that configured for guests on the AC. |
| Authorization Result | Authorization Result for guest | - |

----End

Verification
1. A guest uses a mobile phone to connect to a Wi-Fi network. The guest selects the hotspot
guest to connect to the Internet. The authentication page is pushed to the guest.
2. The guest enters his or her mobile phone number and clicks Get Password.
The authentication password is sent to the guest's mobile phone.
3. The guest enters the mobile phone number and password and clicks Login. The web
page requested by the guest before the authentication is displayed automatically.
4. On the Service Manager, choose Resource > User > Online User Management. The
online information about the account is displayed.
5. On the Service Manager, choose Resource > User > RADIUS Log. The RADIUS
authentication logs of the account are displayed.

4.19.6 Example for Configuring Guest Access Using Social Media Accounts (GooglePlus, Facebook, or Twitter Accounts)
The Service Manager can interconnect with the Google, Facebook, and Twitter authentication
servers so that end users can use their social media accounts and passwords to complete
authentication on the Service Manager. Authenticated users then can connect to the network.

Involved Products and Versions


| Product Type | Product Name | Version |
|---|---|---|
| RADIUS Server, Portal Server | Agile Controller-Campus | V100R002C10 |

Networking Requirements
An enterprise has deployed an authentication system to implement access control for all the
wireless users who attempt to connect to the enterprise network. Only authenticated users can
connect to the enterprise network. Enterprise employees connect to the network through PCs
and guests connect to the network through mobile phones. The administrator has created local
accounts for the employees so that they can use the local accounts to pass authentication. For
guest accounts, the administrator needs to configure the Service Manager to enable guests to
complete authentication using GooglePlus, Facebook or Twitter accounts.

Data Plan

Table 4-132 Data Plan


| Item | Data | Description |
|---|---|---|
| SM + SC (RADIUS server + Portal server) | Domain name: controller.sz | - |
| Number of the ACL for guests' post-authentication domain | 3002 | - |
| SSID of the network to which guests associate | guest | Configure this parameter on the AC. For details, see step 4 in 4.19.2 Example for Configuring Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless Users. |

Configuration Roadmap
1. Configure the Agile Controller-Campus to interconnect with the Google, Facebook, and
Twitter authentication servers.
2. Customize authentication pages. The authentication page is automatically displayed if an
unauthenticated guest attempts to connect to the network.
3. Customize the portal page push rule to push the customized authentication page to
guests.
4. Configure social media as external authentication sources and add authorization results
and authorization rules to grant different access rights to guests after they are
successfully authenticated.

Prerequisites
1. Portal authentication configurations have been completed on the AC/switch and the
Agile Controller-Campus. For details, see configuration examples about Portal. Pay
attention to the following points during the configuration:
a. When configuring the Portal server's URL in the URL template, set a URL in the
domain name format.
[AC] url-template name huawei
[AC-url-template-huawei] url http://Portal server's domain name:8080/portal
[AC-url-template-huawei] quit


b. A free rule has been configured on the AC/switch to permit social media website
addresses. This ensures that guests' terminals can access the social media
authentication page before passing authentication.
– Access to authentication-free resources is permitted by the domain name on
the AC/switch. You need to permit guests to access the following domain
names before passing authentication.
○ Google server: www.googleapis.com and apis.google.com
○ Facebook server: connect.facebook.net
○ Twitter server: api.twitter.com, abs.twimg.com, mobile.twitter.com and
twitter.com
– If the AC/switch cannot permit access to authentication-free resources by the
domain name, run the nslookup complete host name command in the CLI to
view the IP address matching the host name, and then permit the destination
server by the IP address.
c. If the enterprise uses its own DNS server and an access control device is used as the
DHCP server, you must configure the DNS server address on the VLANIF interface
of the access control device that communicates with terminals.
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.0.1 255.255.255.0
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server dns-list 172.18.1.2 //Configure the DNS server address. 172.18.1.2 is only used as an example.
[AC-Vlanif101] quit

2. The social media server and the Agile Controller-Campus server can reach each other.

Procedure
Step 1 Configure the interconnection with the Google authentication server.
1. Apply for a googlePlus account.
To enable end users to use googlePlus accounts for guest identity authentication,
enterprises must request their own googlePlus accounts from Google to obtain the
authorization information from Google.
a. Open the Web browser.
b. Enter https://accounts.google.com/SignUp?service=oz&continue=https://plus.google.com/?hl=en-us&gpsrc=gplp0&hl=en-us in the address box.
c. Register an account.
2. Create the googlePlus application.
a. Enter https://console.developers.google.com/project in the address box. On the
page that is displayed, log in using a Google account, and click Create Project.

b. Enter a project name and click Create.


c. Click Use Google APIs.

d. In the Social APIs area, click Google+ API.

e. Click Enable API.


f. Click Go to Credentials.

g. Set the Credentials type and click What credentials do I need?.

h. Fill in required information, and click Create client ID.


| Parameter | Value |
|---|---|
| Name | Web client 1 |
| Authorized JavaScript origins | https://Service Controller-Domain Name:8445 or http://Service Controller-Domain Name:8080. When you customize pages on the Agile Controller-Campus, the protocol for page pushing must be consistent with the input here. If you enter https://Service Controller-domain name:8445 here, select Push pages using HTTPS. If you enter http://Service Controller-domain name:8080 here, deselect Push pages using HTTPS. NOTE: HTTP is an insecure protocol; therefore, HTTPS is recommended. |
| Authorized redirect URIs | https://Service Controller-Domain Name:8445/portal or http://Service Controller-Domain Name:8080/portal. When you customize pages on the Agile Controller-Campus, the protocol for page pushing must be consistent with the input here. If you enter https://Service Controller-domain name:8445 here, select Push pages using HTTPS. If you enter http://Service Controller-domain name:8080 here, deselect Push pages using HTTPS. If multiple Portal servers are deployed, press Enter to separate their URIs. |
i. Set Email address and Product name shown to users, and click Continue.

j. Click Done.


k. On the Credentials page, click New credentials, and select API key.

l. Select Browser key.

m. Set the API key name, and click Create. The created API key is displayed.

n. Write down the client ID and API key.


Step 2 Configure the interconnection with the Facebook authentication server.


1. Apply for a Facebook account.
To enable end users to use Facebook accounts for guest identity authentication,
enterprises must request their own Facebook accounts from Facebook to obtain the
authorization information from Facebook.
a. Open the Web browser.
b. Enter https://en-us.facebook.com/ in the address box.
c. Register an account.
2. Create a Facebook application.
a. Enter https://developers.facebook.com/ in the address box. On the page that is
displayed, log in using a Facebook account, and choose My Apps > Add a New
App.
Click Register in the upper right corner of the page upon initial login to register as
a developer. After that, you can create apps.

b. Choose Facebook Canvas.

c. Enter a project name, and click Create New Facebook App ID.


d. Set Contact Email, set Category to Utilities, and click Create App ID.

e. Click Skip Quick Start to skip the quick start wizard and access the application
configuration page.
f. Click Add Product in the navigation tree, then click Get Started under Facebook
Login.


g. Configure Valid OAuth redirect URIs and Deauthorize Callback URL.

| Parameter | Value |
|---|---|
| Valid OAuth redirect URIs | https://Service Controller-IP or Domain Name:8445 or http://Service Controller-IP or Domain Name:8080. If a Google account is used for authentication, configure this parameter in the domain name format. When you customize pages on the Agile Controller-Campus, the protocol for page pushing must be consistent with the input here. If you enter https://Service Controller-domain name:8445 here, select Push pages using HTTPS. If you enter http://Service Controller-domain name:8080 here, deselect Push pages using HTTPS. NOTE: HTTP is an insecure protocol; therefore, HTTPS is recommended. If multiple Portal servers are deployed, enter multiple URIs. |
| Deauthorize Callback URL | https://Service Controller-IP or Domain Name:8445. If a Google account is used for authentication, configure this parameter in the domain name format. If multiple Portal servers are deployed, enter multiple URLs and separate them with spaces. |


NOTE

Ensure that the address formats of Deauthorize Callback URL and Valid OAuth redirect
URIs are the same. The domain name format is recommended. If one field is set to the IP
address format while the other is set to the domain name format, a configuration error may
occur. If the IP address format is used, you are advised to use the network segment
192.168.x.x but not the segments 10.x.x.x or 172.x.x.x. Otherwise, the configuration may
fail.
h. Click Save changes.
i. Choose Settings > Basic, and save the App ID and App Secret of the corresponding
application. You need to set the two parameters when you perform the related configuration
on the Agile Controller-Campus.

j. Click App Review, and set Make My Project public to Yes.

Step 3 Configure the interconnection with the Twitter authentication server.


1. Apply for a Twitter account.
To enable end users to use Twitter accounts for guest identity authentication, enterprises
must request their own Twitter accounts from Twitter to obtain the authorization
information from Twitter.
a. Open the Web browser.
b. Enter https://twitter.com/ in the address box.
c. Register an account.
2. Create a Twitter application.
a. Enter https://apps.twitter.com/ in the address box. On the page that is displayed,
log in using a Twitter account, and click Create New App.


b. Enter application information.

| Parameter | Value |
|---|---|
| Name | authtest10001 |
| Description | authtest10001 |
| Website | https://Service Controller-IP or Domain Name:8445 or http://Service Controller-IP or Domain Name:8080. If a Google account is used for authentication, configure this parameter in the domain name format. When you customize pages on the Agile Controller-Campus, the protocol for page pushing must be consistent with the input here. If you enter https://Service Controller-domain name:8445 here, select Push pages using HTTPS. If you enter http://Service Controller-domain name:8080 here, deselect Push pages using HTTPS. NOTE: HTTP is an insecure protocol; therefore, HTTPS is recommended. |
| Callback URL | https://Service Controller-IP or Domain Name:8445 or http://Service Controller-IP or Domain Name:8080. If a Google account is used for authentication, configure this parameter in the domain name format. When you customize pages on the Agile Controller-Campus, the protocol for page pushing must be consistent with the input here. If you enter https://Service Controller-domain name:8445 here, select Push pages using HTTPS. If you enter http://Service Controller-domain name:8080 here, deselect Push pages using HTTPS. NOTE: HTTP is an insecure protocol; therefore, HTTPS is recommended. |

c. Click Create your Twitter application.

d. Click Settings, select Allow this application to be used to Sign in with Twitter,
and click Update Settings.


e. Click Keys and Access Tokens.

f. Save the API Key and API Secret.


Step 4 On the Service Manager, configure the association parameters on Google, Facebook, and
Twitter authentication servers.
1. Choose System > External Authentication > Third-Party Applications.
Select Facebook, Google, and Twitter.

| Parameter | Value |
|---|---|
| Facebook | |
| App ID | ***************** |
| App secret | ***************** |
| Google | |
| Client ID | ***************** |
| API key | ***************** |
| Twitter | |
| API key | ***************** |
| API secret | ***************** |
| User group | ROOT\Guest |
| Role | guest |

Step 5 Customize the authentication page.


1. Choose Policy > Permission Control > Page Customization > Page Customization
and click .
2. Set parameters on the page.
If guests are allowed to complete authentication through both their social media accounts
and self-registration, select Self Register. For details about how to configure guests to
connect to networks through self-registration, see 4.19.5 Example for Configuring
Guests to Obtain Passwords Through Mobile Phones to Pass Authentication Quickly.
Click Advanced setting and select or deselect Push pages using HTTPS based on the
configuration on the social media server.
– If the configuration on the social media server is https://Service Controller-IP or
Domain Name:8445, select Push pages using HTTPS.
– If the configuration on the social media server is http://Service Controller-IP or
Domain Name:8080, deselect Push pages using HTTPS.

3. Click Next and select the page template and language template.


4. Click Next and customize Authentication Page, Authentication Success Page, and
User Notice Page.

5. Click Publish.

Step 6 Configure portal page push rules.


1. Choose Policy > Permission Control > Page Customization > Portal Page Push Rule
and click Add.

| Parameter | Value | Description |
|---|---|---|
| Name | Guest page pushing policy | - |
| User-defined parameters | ssid=guest | ssid=guest indicates that the AC pushes the specified page as long as unauthorized guests select the SSID guest. For details about User-defined parameters, see 4.19.12.3 Defining a Redirection Rule for the Portal Page. The AC needs to send the user-defined URL parameter to the Portal server through the URL parameter template, so that the Portal server can correctly match the pushed condition. In this example, the AC sends the user-defined URL parameter ssid to the Portal server, so that it can correctly match the pushed condition. |
| Pushed page | Select a page customized in Step 5. | - |
| Page displayed after successful authentication | Continue to access the original page. | Configure URL parameters on the AC. For details, see 4.19.12.8 How Do I Continue to Access the Original Page After Successful Portal Authentication?. |

2. Click OK.
Step 7 Add SSIDs to the Agile Controller-Campus for SSID-based user authorization.
1. Choose Policy > Permission Control > Policy Element > SSID.
2. Click Add, and add a guest SSID.
The case-sensitive SSID name must be the same as that configured on the AC.


Step 8 Configure social media as external authentication sources.


1. Choose Policy > Permission Control > Authentication & Authorization >
Authentication Rule and click Add.

| Parameter | Value |
|---|---|
| Name | Social Media |
| Customize Condition | Social Media Account |
| Data Source | Third-Party Applications Data Source |
| Please select the allowed authentication protocol | Select all protocols. |

2. Click OK.

Step 9 Configure authorization results and rules.


1. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result. Click Add.

| Parameter | Value |
|---|---|
| Name | Social Media |
| ACL Number/AAA User Group | 3002 (It has been configured on the switch. The ACL determines the network resources that the user can access after successful authentication.) |


2. Click OK.
3. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule. Click Add.

| Parameter | Value |
|---|---|
| Name | Authorization rules of social media |
| Customize Condition | Social Media Account |
| Authorization Result | Social media |

4. Click OK.
----End
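
The URL rules that Steps 1 to 5 spread across the Google, Facebook, and Twitter tables (scheme and port pairing, consistency with Push pages using HTTPS, domain name format, matching address formats) can be checked in one pass before the values are entered. The following Python script is an added example, not part of this guide or of the Agile Controller-Campus software; the plan dictionary layout, the function names, and both sample plans are assumptions made for illustration, and controller.sz is the domain name from the data plan.

```python
import ipaddress
from urllib.parse import urlsplit

# Scheme/port pairs the guide gives for the Service Controller (Portal server).
ALLOWED = {"https": 8445, "http": 8080}


def is_ip(host):
    """True when the host part is an IP literal rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_url(label, url, push_https, need_domain, path=None, https_only=False):
    """Return findings for one URL; push_https=None skips the page-push check."""
    parts = urlsplit(url)
    host, scheme = parts.hostname or "", parts.scheme
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if scheme not in ALLOWED or port != ALLOWED[scheme]:
        return [f"{label}: expected https on port 8445 or http on port 8080: {url}"]
    findings = []
    if https_only and scheme != "https":
        findings.append(f"{label}: the guide lists only https on port 8445 here")
    if push_https is not None and (scheme == "https") != push_https:
        state = "selected" if push_https else "deselected"
        findings.append(f"{label}: {scheme} URL but Push pages using HTTPS is {state}")
    if scheme == "http":
        findings.append(f"{label}: HTTP is insecure, HTTPS is recommended")
    if is_ip(host):
        if need_domain:
            findings.append(f"{label}: domain name format required, got {host}")
        elif not host.startswith("192.168."):
            findings.append(f"{label}: {host} is outside the advised 192.168.x.x range")
    if path is not None and parts.path.rstrip("/") != path:
        findings.append(f"{label}: path must be '{path}'")
    return findings


def check_plan(plan):
    """Check every provider URL in a deployment plan against the guide's rules."""
    push = plan["push_pages_using_https"]
    google, fb, tw = plan.get("google"), plan.get("facebook"), plan.get("twitter")
    need_domain = google is not None  # with Google in use, domain format everywhere
    findings = []
    if google:
        for url in google["js_origins"]:
            findings += check_url("google/js_origin", url, push, True, path="")
        for url in google["redirect_uris"]:
            findings += check_url("google/redirect_uri", url, push, True, path="/portal")
    if fb:
        for url in fb["redirect_uris"]:
            findings += check_url("facebook/redirect_uri", url, push, need_domain)
        for url in fb["deauthorize_urls"]:
            findings += check_url("facebook/deauthorize", url, None, need_domain,
                                  https_only=True)
        kinds = {is_ip(urlsplit(u).hostname or "")
                 for u in fb["redirect_uris"] + fb["deauthorize_urls"]}
        if len(kinds) > 1:
            findings.append("facebook: redirect URIs and Deauthorize Callback URL "
                            "mix IP and domain formats")
    if tw:
        for key in ("website", "callback_url"):
            findings += check_url(f"twitter/{key}", tw[key], push, need_domain)
    return findings


# Constructed sample plan that follows every rule.
GOOD_PLAN = {
    "push_pages_using_https": True,
    "google": {"js_origins": ["https://controller.sz:8445"],
               "redirect_uris": ["https://controller.sz:8445/portal"]},
    "facebook": {"redirect_uris": ["https://controller.sz:8445"],
                 "deauthorize_urls": ["https://controller.sz:8445"]},
    "twitter": {"website": "https://controller.sz:8445",
                "callback_url": "https://controller.sz:8445"},
}
# Constructed sample plan with an HTTP origin, an IP address, and a wrong port.
BAD_PLAN = {
    "push_pages_using_https": True,
    "google": {"js_origins": ["http://controller.sz:8080"],
               "redirect_uris": ["https://controller.sz:8445/portal"]},
    "facebook": {"redirect_uris": ["https://172.18.1.1:8445"],
                 "deauthorize_urls": ["https://controller.sz:8445"]},
    "twitter": {"website": "https://controller.sz:8443",
                "callback_url": "https://controller.sz:8445"},
}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan) or "no findings")
```
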

Verification
1. A guest connects to the Wi-Fi hotspot guest using a mobile phone. The guest
authentication page is pushed to the mobile phone.
2. On the authentication page, the guest presses the icon matching the guest's account type
and the web browser opens the corresponding website.
3. The guest enters the user name and password and presses Authentication. After
successful authentication, the user can visit the Internet.


4. On the Service Manager, choose Resource > User > Online User Management. The
online information about the account is displayed.
5. On the Service Manager, choose Resource > User > RADIUS Log. The RADIUS
authentication logs of the account are displayed.

4.19.7 Example for Configuring Guests Connect to Networks by Scanning Public QR Codes
After guests connect to a Wi-Fi network using their mobile phones, they can scan QR codes
posted in public areas for authentication to easily access a network.

Involved Products and Versions

Product Type | Product Name | Version
RADIUS Server; Portal Server | Agile Controller-Campus | V100R002C10

Networking Requirements
An enterprise has deployed an identity authentication system to implement access control for
all the wireless users who attempt to connect to the enterprise network. Only authenticated
users can connect to the enterprise network. To allow guests to access the network in the
enterprise exhibition hall, system administrators can post a public QR code in public areas in
the exhibition hall, so that guests can access the network by scanning the public QR code.

Data Plan

Table 4-133 Data plan


Item | Data | Description
SM + SC (RADIUS server + Portal server) | IP address: 172.18.1.1 | -
Number of the ACL for guests' post-authentication domain | 3002 | -
SSID of the network to which guests associate with | guest | Configure this parameter on the AC. For details, see step 4 in 4.19.2 Example for Configuring Portal Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless Users.


Configuration Roadmap
1. Enable public QR code authentication.
2. Configure a guest account policy for creating public QR codes.
3. Create and export a public QR code. Print and post it in public areas where guests can
scan it to connect to the network.
4. Customize authentication and authentication success pages. After guests pass
authentication by scanning the public QR code, the authentication success page is
automatically displayed.
5. Customize a Portal page push rule to push the customized authentication page to guests.
6. Add guest authorization results and authorization rules to assign access permission to
guests after they are authenticated.

Prerequisites
Portal authentication has been configured on the AC/switch and the Agile Controller-Campus.
For details, see configuration examples about Portal.
NOTE

When you configure URL parameters in the URL template, a value must be set for redirect-url;
otherwise, the Agile Controller-Campus fails to interconnect with the AC/switch. The recommended
value is url.
[AC] url-template name huawei
[AC-url-template-huawei] url-parameter redirect-url url
[AC-url-template-huawei] url http://172.18.1.1:8080/portal
[AC-url-template-huawei] quit

Procedure
Step 1 Enter https://172.18.1.1:8443 in the address box of a web browser to log in to the Service
Manager.
Step 2 Enable public QR code authentication.
You can use the Guest Management navigation to complete this step and the subsequent steps.
Choose Policy > Permission Control > Guest Management > Quick Start, set Guest
Account Management Mode to Public QR Code, and click Navigation. Complete the
configuration by following the navigation. The following example illustrates how to use the
GUI menus to open the configuration page and complete the configuration.
1. Choose Policy > Permission Control > Guest Management > Parameter Setting.
2. Click the Set Public QR Code Parameters tab.
3. Enable Public QR Code and set public QR code parameters.


Parameter | Value | Description
Public QR Code | Enable | -
URL prefix in the link | http://192.168.1.1 | Use an IP address but not a domain name to specify the URL prefix. The URL prefix is only used to trigger Portal authentication. The IP address of a post-authentication domain can be used as the URL prefix. In other words, an IP address that guests cannot access before authentication can be used as the URL prefix.
URL encryption key | Admin@123 | -
Confirm URL encryption key | Admin@123 | -

4. Click OK.
Step 3 Configure a guest account policy for creating public QR codes.
1. Choose Policy > Permission Control > Guest Management > Guest Account Policy.
2. Click Add.
3. Configure a guest account policy.

Parameter | Value | Description
Name | Public QR Code | -
Creation type | Single | Only a single public QR code can be created each time. Public QR codes cannot be created in batches.
Generation policy | Public QR Code | -
Effective time | Takes effect immediately after being created | -
Account Fields | Click Edit, select the Location field, and deselect the other fields. | Attribute fields of a public QR code account are displayed. When creating a public QR code, enter information about the attribute fields that are selected here. In this example, the Location field is selected.

4. Click OK.
Step 4 Create a public QR code.
1. Choose Policy > Permission Control > Guest Management > Guest Account
Management.
2. Click Add to create a public QR code.
Set Account policy to the guest account policy configured in Step 3.

3. Click Save and generate a QR code.


Select the enterprise logo image in the Update Barcode Logo area, and click Upload to
add the logo to the public QR code.


4. Click Export Barcode to export the public QR code to a local directory. Print and post it
in public areas.
Step 5 Customize authentication and authentication success pages.
After a guest connects to a Wi-Fi network and scans the public QR code, the authentication
page is automatically displayed to authenticate the guest.
1. Choose Policy > Permission Control > Page Customization > Page Customization.
2. Click .
3. Configure basic information about the authentication page.


Parameter | Value | Description
Customize page name | Public QR Code | -
Page title | Web | This web title will be displayed on the authentication page.
Enable Self-register | Deselect it. | -
Push pages using HTTPS | Deselect it. | If you want to allow guests to use WeChat to scan the public QR code for authentication, you need to purchase a server certificate issued by a CA to replace the default server certificate. For details, see 4.19.12.7 Server Certificate Importing Tool. Otherwise, deselect Push pages using HTTPS to ensure that guests can use WeChat to scan the public QR code.

4. Click Next and set the page template and language template.


5. Click Next to customize authentication and authentication success pages.


6. Click Publish to complete the page customization.


Step 6 Configure a Portal page push rule to push the customized authentication page to guests.
1. Choose Policy > Permission Control > Page Customization > Portal Page Push Rule.
2. Click Add to set the Portal page push rule.

Parameter | Value | Description
Name | Push rule for public QR code authentication | -
Customized parameters | ssid=guest | ssid=guest indicates that the AC pushes the specified page so long as unauthorized guests select the SSID guest. For details about User-defined parameters, see 4.19.12.3 Defining a Redirection Rule for the Portal Page. The AC needs to send the user-defined URL parameter to the Portal server through the URL parameter template, so that the Portal server can correctly match the pushed condition. In this example, the AC sends the user-defined URL parameter ssid to the Portal server, so that it can correctly match the pushed condition.
Account type | Public QR Code | -
Pushed page | Select a page customized in Step 5. | -

3. Click OK.
Step 7 Add SSIDs to the Agile Controller-Campus for SSID-based user authorization.
1. Choose Policy > Permission Control > Policy Element > SSID.
2. Click Add, and add a guest SSID.
The SSID name is case-sensitive and must be the same as that configured on the AC.


Step 8 Add an authorization result and rule to allow guests to connect to the Internet after they are
successfully authenticated.
1. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result and specify resources that guests can access after being
authenticated and authorized.


Parameter | Value | Description
Name | Authorization Result for guest | -
Service Type | Access Service | -
ACL Number/AAA User Group | 3002 | ACL number must be the same as the number of the ACL configured for guests on the AC.

2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and specify the authorization conditions for guests.

Parameter | Value | Description
Name | Authorization Rule for guest | -
Service Type | Access User | -
User Group | Guest | The value must be the same as that of User Group specified when you configure a guest account policy.
SSID | guest | The SSID must be the same as that configured for guests on the AC.
Authorization Result | Authorization Result for guest | -

----End

Verification
1. A guest uses a mobile phone to connect to the Wi-Fi hotspot guest.
Before scanning the public QR code, the guest needs to connect to the Wi-Fi hotspot for
public QR code authentication. Scanning a public QR code only triggers authentication
and authorization. It is recommended that the following information be added on the
upper side of the public QR codes posted in public areas: Connect to the Wi-Fi network
before scanning the public QR code for authentication.
2. The guest scans the public QR code posted in public areas.
NOTE

The customized public QR code authentication page is pushed only after the guest scans the public
QR code. If a guest does not scan the public QR code after connecting to the Wi-Fi network, the
guest is authenticated based on the Portal authentication process. The system matches Portal page
push rules by priority and pushes the matched authentication page but not the public QR code
authentication page to the guest.
3. The terminal automatically initiates an authentication request after the guest successfully
scans the public QR code.


If a blank page is displayed after the guest scans the public QR code using WeChat, the
possible causes are as follows:
– During customization of the authentication page, the administrator selects Push
pages using HTTPS but does not buy a trusted server certificate.
Guests can use another scanning tool to scan the public QR code for authentication.
Alternatively, the administrator re-customizes the public QR code authentication
page. During the customization, the administrator needs to deselect Push pages
using HTTPS and specify the new customized authentication page in the Portal
page push rule.
– If the guest has passed public QR code authentication and scans it again, a blank
page is displayed.
Choose Resource > User > Online User Management to check whether the
terminal is online using the public QR code account.
4. After the authentication succeeds, the authentication success page is displayed.


If the authentication fails, choose Resource > User > RADIUS Log to check RADIUS
authentication logs. Check causes of the authentication failure and whether the
authentication rule and authorization rule are correctly configured.
5. After the authentication succeeds, the guest can access the Internet.
6. On the Service Manager, choose Resource > User > Online User Management. The
online information about the public QR code account is displayed.
7. On the Service Manager, choose Resource > User > RADIUS Log. The RADIUS
authentication logs of the public QR code account are displayed.
NOTE

The same account (public QR code account) is displayed on the Service Manager for all guests
who scan the same public QR code for authentication.

Summary and Suggestions


Authorization rules or Portal page push rules are matched in descending order of priority
(ascending order of rule numbers). If the authorization condition or Portal push condition of a
user matches a rule, the system does not check the subsequent rules. Therefore, it is
recommended that you set higher priorities for the rules defining more precise conditions and
set lower priorities for the rules defining fuzzy conditions.
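
The first-match behaviour described above can be checked offline before rules are entered in the Service Manager. The following Python sketch is an added example, not part of the original document or of the Agile Controller-Campus software; the catch-all rule, the condition keys and the session attributes are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    number: int        # smaller rule number = higher priority
    name: str
    conditions: dict   # attribute -> required value; an absent attribute means "any"
    result: str


def match(rules, session):
    """Return the first rule, in ascending rule number, whose conditions all hold."""
    for rule in sorted(rules, key=lambda r: r.number):
        if all(session.get(k) == v for k, v in rule.conditions.items()):
            return rule
    return None


def shadowed(rules):
    """Return (earlier, later) name pairs where the later rule can never match.

    A later rule is unreachable when an earlier rule's conditions are a subset
    of its own: every session that satisfies the later, more precise rule has
    already been taken by the earlier, fuzzier one.
    """
    ordered = sorted(rules, key=lambda r: r.number)
    pairs = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.conditions.items() <= later.conditions.items():
                pairs.append((earlier.name, later.name))
                break
    return pairs


# Conditions of the guest rule follow the authorization rule table in this
# example; the catch-all rule and its result name are constructed.
GUEST_CONDITIONS = {"service_type": "Access User", "user_group": "Guest", "ssid": "guest"}
CATCH_ALL_CONDITIONS = {"service_type": "Access User"}

FUZZY_FIRST = [
    Rule(1, "Catch-all for access users", CATCH_ALL_CONDITIONS, "Catch-all result"),
    Rule(2, "Authorization Rule for guest", GUEST_CONDITIONS, "Authorization Result for guest"),
]
PRECISE_FIRST = [
    Rule(1, "Authorization Rule for guest", GUEST_CONDITIONS, "Authorization Result for guest"),
    Rule(2, "Catch-all for access users", CATCH_ALL_CONDITIONS, "Catch-all result"),
]

# Constructed session: a guest who associated with the SSID guest.
GUEST_SESSION = {"service_type": "Access User", "user_group": "Guest", "ssid": "guest"}

if __name__ == "__main__":
    for label, rules in (("fuzzy first", FUZZY_FIRST), ("precise first", PRECISE_FIRST)):
        print(label, "->", match(rules, GUEST_SESSION).result, "| shadowed:", shadowed(rules))
```

With the fuzzy rule numbered first, the guest never receives Authorization Result for guest (ACL 3002); swapping the rule numbers restores the intended result and leaves no unreachable rule.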


4.19.8 Example for Configuring 802.1X Authentication for Wireless Users in a VRRP HSB Environment
The two-node cluster environment includes the AC (VRRP) and RADIUS server two-node clusters. Deploying two-node clusters on WLANs improves network reliability.

Involved Products and Versions


Product Type | Product Name | Version
Agile Controller-Campus | Agile Controller-Campus | V100R002C10
WLAN AC | AC6605 | V200R006C20
Access switch | S2750EI | V200R008C00
Aggregation switch | S5720HI | V200R008C00
Core switch | S7700 | V200R008C00

Networking Requirements
To meet service requirements, a company needs to deploy an identity authentication system to
implement access control for all employees who attempt to connect to the enterprise network
in wireless mode. Only authenticated users can connect to the enterprise network.
The company has the following requirements:
- The network must be reliable because all employees need to connect to the wireless network for work and Internet access.
- A unified identity authentication mechanism is used to authenticate all terminals accessing the enterprise network and deny access to the enterprise network and Internet from unauthorized terminals.


Figure 4-95 Networking diagram

Requirement Analysis
Based on user requirements, networking design is performed as follows:
- Reliability
  – AC1 and AC2 are connected to S7700A and S7700B in bypass mode, respectively. A VRRP group is configured between AC1 and AC2, and HSB is used to determine the active and standby ACs.
  – A VRRP group is configured between S7700A and S7700B to improve reliability.
  – Eth-Trunks are used to connect aggregation switches and access switches, ACs and core switches, and ACs.
  – The Agile Controller-Campus is deployed in 1+2 (one SM + two SCs) mode to ensure reliability of the authentication server.
- Internetworking
  The aggregation switch is configured as a DHCP server to assign IP addresses to APs. Core switches serve as DHCP servers to assign IP addresses to employees and guests.


VLAN Plan

Table 4-134 VLAN plan

VLAN ID | Function
100 | mVLAN for APs
101 | Service VLAN for employees
103 | Egress VLAN for core switches
104 | VLAN for communication between ACs

Network Data Plan

Table 4-135 Network data plan

Item | No. | Interface Number | Eth-Trunk | VLAN | IP address | Description
Access switch S2750EI | (1) | GE0/0/1 | - | 100 and 101 | - | Connected to the AP in the employee area
Access switch S2750EI | (2) | GE0/0/4 | - | 100 and 101 | - | Connected to the AP in the guest area
Access switch S2750EI | (3) | GE0/0/2 and GE0/0/3 | Eth-Trunk1 | 100 and 101 | - | Connected to the aggregation switch S5720HI
Aggregation switch S5720HI | (4) | GE0/0/1 and GE0/0/2 | Eth-Trunk1 | 100 and 101 | VLANIF 100: 172.18.10.4/16 | Connected to the access switch S2750EI; gateway for APs
Aggregation switch S5720HI | (5) | GE0/0/3 and GE0/0/4 | Eth-Trunk2 | 100 and 101 | - | Connected to the core switch S7700A
Aggregation switch S5720HI | (6) | GE0/0/5 and GE0/0/6 | Eth-Trunk3 | 100 and 101 | - | Connected to the core switch S7700B
S7700A (Active) | (7) | GE1/0/1 and GE1/0/2 | Eth-Trunk1 | 100 and 101 | VLANIF 101: 172.19.10.2/24 | Connected to the aggregation switch S5720HI
S7700A (Active) | (8) | GE1/0/3 and GE1/0/4 | Eth-Trunk2 | 100 and 101 | VLANIF 100: 172.18.10.5/24 | Connected to AC1
S7700A (Active) | (9) | GE1/0/5 | - | 103 | VLANIF 103: 172.22.20.1/24 | Connected to the egress router
S7700B (Standby) | (10) | GE1/0/1 and GE1/0/2 | Eth-Trunk1 | 100 and 101 | VLANIF 101: 172.19.10.3/24 | Connected to the aggregation switch S5720HI
S7700B (Standby) | (11) | GE1/0/3 and GE1/0/4 | Eth-Trunk2 | 100 and 101 | VLANIF 100: 172.18.10.6/24 | Connected to AC2
S7700B (Standby) | (12) | GE1/0/5 | - | 103 | VLANIF 103: 172.23.20.1/24 | Connected to the egress router
AC1 (Active) | (13) | GE0/0/1 and GE0/0/2 | Eth-Trunk1 | 100 | VLANIF 100: 172.18.10.2/24 | Connected to the core switch S7700A
AC1 (Active) | (14) | GE0/0/3 and GE0/0/4 | Eth-Trunk2 | 104 | VLANIF 104: 10.10.11.1/24 | Connected to AC2
AC2 (Standby) | (15) | GE0/0/1 and GE0/0/2 | Eth-Trunk1 | 100 | VLANIF 100: 172.18.10.3/24 | Connected to the core switch S7700B
AC2 (Standby) | (16) | GE0/0/3 and GE0/0/4 | Eth-Trunk2 | 104 | VLANIF 104: 10.10.11.2/24 | Connected to AC1
Virtual addresses of ACs | - | - | - | - | 172.18.10.1/24 | Connected to the Agile Controller-Campus
Virtual addresses of S7700s | - | - | - | - | 172.19.10.1/24 | Gateway for employees
Server: SM + SC | | | | | 172.22.10.2 | -
Server: SC | | | | | 172.22.10.3 | -
DNS server | | | | | 172.22.10.4 | -
Internal server | | | | | 172.22.10.5 | -

Service Data Plan

Table 4-136 Service data plan


Item | Data | Description
AC | Number of the ACL for employees' post-authentication domain: 3001. SSID of the employee area: employee | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
AC | RADIUS authentication server: Primary IP address: 172.22.10.2; Secondary IP address: 172.22.10.3; Port number: 1812; Shared key: Admin@123 | The Service Controller of the Agile Controller-Campus provides RADIUS server function; therefore, IP addresses of the authentication server, accounting server, and authorization server are all the IP address of the Service Controller.
AC | RADIUS accounting server: Primary IP address: 172.22.10.2; Secondary IP address: 172.22.10.3; Port number: 1813; Shared key: Admin@123; Accounting interval: 15 minutes | Configure a RADIUS accounting server to obtain user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server.
AC | RADIUS authorization server: Primary IP address: 172.22.10.2; Secondary IP address: 172.22.10.3; Shared key: Admin@123 | Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as those of the authentication server and accounting server.
Agile Controller-Campus | IP address: 172.18.10.1 | -
Agile Controller-Campus | Authentication port: 1812 | -
Agile Controller-Campus | Accounting port: 1813 | -
Agile Controller-Campus | RADIUS shared key: Admin@123 | It must be the same as the RADIUS shared key configured on the AC.
Agile Controller-Campus | Account: tony; Password: Admin@123 | -
Post-authentication domain for employees | Internal servers and Internet | -

Prerequisites
You have connected core router interfaces at 172.22.20.2/24 and 172.23.20.2/24 to S7700A
and S7700B, respectively.

Configuration Roadmap
NOTE

The active and standby nodes do not synchronize VRRP HSB configurations. Therefore, all operations must
be performed on both the active and standby nodes.

1. Configure the access switch, aggregation switch, core switches, and ACs to ensure
network connectivity and reliability.


2. Configure VRRP and HSB on core switches.


3. Configure VRRP and HSB on ACs.
4. Configure a RADIUS server template, authentication, accounting, and authorization
schemes in the template, and wireless 802.1X authentication on each AC.
5. Add ACs on the SM and set parameters to ensure that the Agile Controller-Campus can
communicate properly with the ACs.
6. Add an authorization result and an authorization rule to grant permission to employees
after they are successfully authenticated.

Procedure
Step 1 [Device] Configure the access switch S2750EI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan batch 100 101 //Create VLAN 100 and VLAN 101 in a batch.
[S2700] interface gigabitethernet 0/0/1 //Enter the view of the interface connected to an AP.
[S2700-GigabitEthernet0/0/1] port link-type trunk //Change the link type of gigabitethernet0/0/1 to trunk.
[S2700-GigabitEthernet0/0/1] port trunk pvid vlan 100 //Set the default VLAN of gigabitethernet0/0/1 to VLAN 100.
[S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 //Add gigabitethernet0/0/1 to VLAN 100 and VLAN 101.
[S2700-GigabitEthernet0/0/1] quit
[S2700] interface gigabitethernet 0/0/4 //Enter the view of the interface connected to another AP.
[S2700-GigabitEthernet0/0/4] port link-type trunk //Change the link type of gigabitethernet0/0/4 to trunk.
[S2700-GigabitEthernet0/0/4] port trunk pvid vlan 100 //Set the default VLAN of gigabitethernet0/0/4 to VLAN 100.
[S2700-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101 //Add gigabitethernet0/0/4 to VLAN 100 and VLAN 101.
[S2700-GigabitEthernet0/0/4] quit

# Create Eth-Trunk 1, and add GE0/0/2 and GE0/0/3 to Eth-Trunk 1.


[S2700] interface eth-trunk 1 //Create Eth-Trunk 1.
[S2700-Eth-Trunk1] quit
[S2700] interface gigabitethernet 0/0/2 //Add gigabitethernet0/0/2 to Eth-Trunk 1.
[S2700-GigabitEthernet0/0/2] eth-trunk 1
[S2700-GigabitEthernet0/0/2] quit
[S2700] interface gigabitethernet 0/0/3 //Add gigabitethernet0/0/3 to Eth-Trunk 1.
[S2700-GigabitEthernet0/0/3] eth-trunk 1
[S2700-GigabitEthernet0/0/3] quit

# Add Eth-Trunk 1 to VLANs.


[S2700] interface eth-trunk 1 //Enter the view of the interface connected to the aggregation switch.
[S2700-Eth-Trunk1] port link-type trunk //Change the link type of Eth-Trunk 1 to trunk.
[S2700-Eth-Trunk1] port trunk allow-pass vlan 100 101 //Add Eth-Trunk 1 to VLAN 100 and VLAN 101.
[S2700-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S2700-Eth-Trunk1] quit
[S2700] quit
<S2700> save //Save the configuration.

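A configuration session such as the one in Step 1 can be audited against the VLAN plan before it is applied to a device. The following Python sketch is an added example, not part of the original document; it replays the Step 1 commands (comments stripped) and reports trunk interfaces that still permit VLAN 1 or carry VLANs outside the plan, assuming that a VRP trunk port permits VLAN 1 until it is explicitly removed.

```python
import re

PROMPT = re.compile(r"^\[(?P<view>[^\]]+)\]\s*(?P<cmd>.*)$")

# Assumption: a VRP trunk port permits VLAN 1 until "undo port trunk
# allow-pass vlan 1" is entered in its view.
DEFAULT_TRUNK_VLANS = {1}

# Step 1 commands from this example, comments stripped.
STEP1 = """\
[S2700] vlan batch 100 101
[S2700] interface gigabitethernet 0/0/1
[S2700-GigabitEthernet0/0/1] port link-type trunk
[S2700-GigabitEthernet0/0/1] port trunk pvid vlan 100
[S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[S2700-GigabitEthernet0/0/1] quit
[S2700] interface gigabitethernet 0/0/4
[S2700-GigabitEthernet0/0/4] port link-type trunk
[S2700-GigabitEthernet0/0/4] port trunk pvid vlan 100
[S2700-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[S2700-GigabitEthernet0/0/4] quit
[S2700] interface eth-trunk 1
[S2700-Eth-Trunk1] quit
[S2700] interface gigabitethernet 0/0/2
[S2700-GigabitEthernet0/0/2] eth-trunk 1
[S2700-GigabitEthernet0/0/2] quit
[S2700] interface gigabitethernet 0/0/3
[S2700-GigabitEthernet0/0/3] eth-trunk 1
[S2700-GigabitEthernet0/0/3] quit
[S2700] interface eth-trunk 1
[S2700-Eth-Trunk1] port link-type trunk
[S2700-Eth-Trunk1] port trunk allow-pass vlan 100 101
[S2700-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S2700-Eth-Trunk1] quit
"""


def expand(tokens):
    """Turn ['100', '101'], ['100', 'to', '103'] or ['all'] into a set of VLAN IDs."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_trunks(transcript):
    """Map each trunk interface in the session to the set of VLANs it permits."""
    ports = {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m or "-" not in m["view"]:
            continue  # system view or a line without a prompt
        iface = m["view"].split("-", 1)[1]          # "S2700-Eth-Trunk1" -> "Eth-Trunk1"
        cmd = m["cmd"].split("//", 1)[0].split()    # drop a trailing //comment
        port = ports.setdefault(iface, {"trunk": False, "allowed": set()})
        if cmd[:2] == ["port", "link-type"]:
            port["trunk"] = cmd[2:] == ["trunk"]
            if port["trunk"]:
                port["allowed"] |= DEFAULT_TRUNK_VLANS
        elif cmd[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            port["allowed"] |= expand(cmd[4:])
        elif cmd[:5] == ["undo", "port", "trunk", "allow-pass", "vlan"]:
            port["allowed"] -= expand(cmd[5:])
    return {name: p["allowed"] for name, p in ports.items() if p["trunk"]}


def audit(transcript, planned):
    """Return (interface, finding) pairs for trunks that deviate from the VLAN plan."""
    findings = []
    for iface, allowed in sorted(parse_trunks(transcript).items()):
        if 1 in allowed and 1 not in planned:
            findings.append((iface, "VLAN 1 still permitted"))
        extra = allowed - planned - {1}
        if extra:
            findings.append((iface, f"unplanned VLANs {sorted(extra)}"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(STEP1, planned={100, 101}):
        print(f"{iface}: {finding}")
```

Run against Step 1, the audit passes Eth-Trunk 1 and reports the two AP-facing interfaces, where the session does not remove VLAN 1 from the allowed list.
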
Step 2 [Device] Configure the aggregation switch S5720HI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S5720HI
[S5720HI] dhcp enable //Enable the DHCP service.


[S5720HI] vlan batch 100 101 //Create VLAN 100 and VLAN 101 in a batch.
[S5720HI] interface vlanif 100 //Enter the view of VLANIF 100.
[S5720HI-Vlanif100] ip address 172.18.10.4 24 //Configure an IP address for VLANIF 100 as the APs' gateway.
[S5720HI-Vlanif100] dhcp select interface
[S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.1 172.18.10.3 //Exclude IP addresses in use from the DHCP address pool.
[S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.5 172.18.10.6
[S5720HI-Vlanif100] quit

# Create Eth-Trunk 1, and add GE0/0/1 and GE0/0/2 to Eth-Trunk 1.


[S5720HI] interface eth-trunk 1
[S5720HI-Eth-Trunk1] quit
[S5720HI] interface gigabitethernet 0/0/1
[S5720HI-GigabitEthernet0/0/1] eth-trunk 1
[S5720HI-GigabitEthernet0/0/1] quit
[S5720HI] interface gigabitethernet 0/0/2
[S5720HI-GigabitEthernet0/0/2] eth-trunk 1
[S5720HI-GigabitEthernet0/0/2] quit

# Add Eth-Trunk 1 to VLANs.


[S5720HI] interface eth-trunk 1 //Enter the view of the interface connected to the access switch S2700.
[S5720HI-Eth-Trunk1] port link-type trunk
[S5720HI-Eth-Trunk1] port trunk allow-pass vlan 100 101
[S5720HI-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S5720HI-Eth-Trunk1] quit

# Create Eth-Trunk 2, and add GE0/0/3 and GE0/0/4 to Eth-Trunk 2.


[S5720HI] interface eth-trunk 2
[S5720HI-Eth-Trunk2] quit
[S5720HI] interface gigabitethernet 0/0/3
[S5720HI-GigabitEthernet0/0/3] eth-trunk 2
[S5720HI-GigabitEthernet0/0/3] quit
[S5720HI] interface gigabitethernet 0/0/4
[S5720HI-GigabitEthernet0/0/4] eth-trunk 2
[S5720HI-GigabitEthernet0/0/4] quit

# Add Eth-Trunk 2 to VLANs.


[S5720HI] interface eth-trunk 2 //Enter the view of the interface connected to the core switch S7700A.
[S5720HI-Eth-Trunk2] port link-type trunk
[S5720HI-Eth-Trunk2] port trunk allow-pass vlan 100 101
[S5720HI-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S5720HI-Eth-Trunk2] quit

# Create Eth-Trunk 3, and add GE0/0/5 and GE0/0/6 to Eth-Trunk 3.


[S5720HI] interface eth-trunk 3
[S5720HI-Eth-Trunk3] quit
[S5720HI] interface gigabitethernet 0/0/5
[S5720HI-GigabitEthernet0/0/5] eth-trunk 3
[S5720HI-GigabitEthernet0/0/5] quit
[S5720HI] interface gigabitethernet 0/0/6
[S5720HI-GigabitEthernet0/0/6] eth-trunk 3
[S5720HI-GigabitEthernet0/0/6] quit

# Add Eth-Trunk 3 to VLANs.


[S5720HI] interface eth-trunk 3 //Enter the view of the interface connected to the core switch S7700B.
[S5720HI-Eth-Trunk3] port link-type trunk
[S5720HI-Eth-Trunk3] port trunk allow-pass vlan 100 101
[S5720HI-Eth-Trunk3] undo port trunk allow-pass vlan 1
[S5720HI-Eth-Trunk3] quit
[S5720HI] quit
<S5720HI> save //Save the configuration.


Step 3 [Device] Configure the core switch S7700A to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700A
[S7700A] vlan batch 100 101 103 //Create VLAN 100, VLAN 101, and VLAN 103 in a batch.

# Create Eth-Trunk 1, and add GE1/0/1 and GE1/0/2 to Eth-Trunk 1.


[S7700A] interface eth-trunk 1
[S7700A-Eth-Trunk1] quit
[S7700A] interface gigabitethernet 1/0/1
[S7700A-GigabitEthernet1/0/1] eth-trunk 1
[S7700A-GigabitEthernet1/0/1] quit
[S7700A] interface gigabitethernet 1/0/2
[S7700A-GigabitEthernet1/0/2] eth-trunk 1
[S7700A-GigabitEthernet1/0/2] quit

# Add Eth-Trunk 1 to VLANs.


[S7700A] interface eth-trunk 1 //Enter the view of the interface connected to the aggregation switch S5720HI.
[S7700A-Eth-Trunk1] port link-type trunk
[S7700A-Eth-Trunk1] port trunk allow-pass vlan 100 101
[S7700A-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S7700A-Eth-Trunk1] quit
[S7700A] dhcp enable
[S7700A] interface vlanif 101 //Enter the view of VLANIF 101.
[S7700A-Vlanif101] ip address 172.19.10.2 24 //Configure an IP address for VLANIF 101 for communicating with VLANIF 101 on S7700B.
[S7700A-Vlanif101] dhcp select interface //Configure DHCP for VLANIF 101 so that the IP address of VLANIF 101 can be configured as the gateway for employees.
[S7700A-Vlanif101] dhcp server dns-list 172.22.10.4 //Configure the DNS server address.
[S7700A-Vlanif101] dhcp server excluded-ip-address 172.19.10.1 //Exclude IP addresses in use from the DHCP address pool.
[S7700A-Vlanif101] dhcp server excluded-ip-address 172.19.10.3
[S7700A-Vlanif101] quit

# Create Eth-Trunk 2, and add GE1/0/3 and GE1/0/4 to Eth-Trunk 2.


[S7700A] interface eth-trunk 2
[S7700A-Eth-Trunk2] quit
[S7700A] interface gigabitethernet 1/0/3
[S7700A-GigabitEthernet1/0/3] eth-trunk 2
[S7700A-GigabitEthernet1/0/3] quit
[S7700A] interface gigabitethernet 1/0/4
[S7700A-GigabitEthernet1/0/4] eth-trunk 2
[S7700A-GigabitEthernet1/0/4] quit

# Add Eth-Trunk 2 to VLANs.


[S7700A] interface eth-trunk 2 //Enter the view of the interface connected to AC1.
[S7700A-Eth-Trunk2] port link-type trunk
[S7700A-Eth-Trunk2] port trunk allow-pass vlan 100 101
[S7700A-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S7700A-Eth-Trunk2] quit
[S7700A] interface vlanif 100 //Enter the view of VLANIF 100.
[S7700A-Vlanif100] ip address 172.18.10.5 24 //Configure an IP address for VLANIF 100 for communicating with AC1.
[S7700A-Vlanif100] quit

# Configure an IP address for the interface connecting to the egress router.


[S7700A] interface gigabitethernet 1/0/5 //Enter the view of the interface connected to the egress router.
[S7700A-GigabitEthernet1/0/5] port link-type trunk
[S7700A-GigabitEthernet1/0/5] port trunk pvid vlan 103
[S7700A-GigabitEthernet1/0/5] port trunk allow-pass vlan 103


[S7700A-GigabitEthernet1/0/5] quit
[S7700A] interface vlanif 103
[S7700A-Vlanif103] ip address 172.22.20.1 24
[S7700A-Vlanif103] quit
[S7700A] ip route-static 0.0.0.0 0 172.22.20.2
[S7700A] quit
<S7700A> save //Save the configuration.

Step 4 [Device] Configure the core switch S7700B to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700B
[S7700B] vlan batch 100 101 103 //Create VLAN 100, VLAN 101, and VLAN 103 in a batch.

# Create Eth-Trunk 1, and add GE1/0/1 and GE1/0/2 to Eth-Trunk 1.


[S7700B] interface eth-trunk 1
[S7700B-Eth-Trunk1] quit
[S7700B] interface gigabitethernet 1/0/1
[S7700B-GigabitEthernet1/0/1] eth-trunk 1
[S7700B-GigabitEthernet1/0/1] quit
[S7700B] interface gigabitethernet 1/0/2
[S7700B-GigabitEthernet1/0/2] eth-trunk 1
[S7700B-GigabitEthernet1/0/2] quit

# Add Eth-Trunk 1 to VLANs.


[S7700B] interface eth-trunk 1 //Enter the view of the interface connected to
the aggregation switch S5720HI.
[S7700B-Eth-Trunk1] port link-type trunk
[S7700B-Eth-Trunk1] port trunk allow-pass vlan 100 101
[S7700B-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S7700B-Eth-Trunk1] quit
[S7700B] dhcp enable
[S7700B] interface vlanif 101 //Enter the view of VLANIF 101.
[S7700B-Vlanif101] ip address 172.19.10.3 24 //Configure an IP address for
VLANIF 101 for communicating with VLANIF 101 on S7700A.
[S7700B-Vlanif101] dhcp select interface //Configure DHCP for VLANIF 101 so that
the IP address of VLANIF 101 can be configured as the gateway for employees.
[S7700B-Vlanif101] dhcp server dns-list 172.22.10.4 //Configure the DNS server
address.
[S7700B-Vlanif101] dhcp server excluded-ip-address 172.19.10.1 172.19.10.2 //
Exclude IP addresses in use from the DHCP address pool.
[S7700B-Vlanif101] quit

# Create Eth-Trunk 2, and add GE1/0/3 and GE1/0/4 to Eth-Trunk 2.


[S7700B] interface eth-trunk 2
[S7700B-Eth-Trunk2] quit
[S7700B] interface gigabitethernet 1/0/3
[S7700B-GigabitEthernet1/0/3] eth-trunk 2
[S7700B-GigabitEthernet1/0/3] quit
[S7700B] interface gigabitethernet 1/0/4
[S7700B-GigabitEthernet1/0/4] eth-trunk 2
[S7700B-GigabitEthernet1/0/4] quit

# Add Eth-Trunk 2 to VLANs.


[S7700B] interface eth-trunk 2 //Enter the view of the interface connected to
AC2.
[S7700B-Eth-Trunk2] port link-type trunk
[S7700B-Eth-Trunk2] port trunk allow-pass vlan 100 101
[S7700B-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S7700B-Eth-Trunk2] quit
[S7700B] interface vlanif 100 //Enter the view of VLANIF 100.
[S7700B-Vlanif100] ip address 172.18.10.6 24 //Configure an IP address for
VLANIF 100 for communicating with AC2.
[S7700B-Vlanif100] quit

# Configure an IP address for the interface connecting to the egress router.

[S7700B] interface gigabitethernet 1/0/5 //Enter the view of the interface
connected to the egress router.
[S7700B-GigabitEthernet1/0/5] port link-type trunk
[S7700B-GigabitEthernet1/0/5] port trunk pvid vlan 103
[S7700B-GigabitEthernet1/0/5] port trunk allow-pass vlan 103
[S7700B-GigabitEthernet1/0/5] quit
[S7700B] interface vlanif 103
[S7700B-Vlanif103] ip address 172.23.20.1 24
[S7700B-Vlanif103] quit
[S7700B] ip route-static 0.0.0.0 0 172.23.20.2
[S7700B] quit
<S7700B> save

Step 5 [Device] Configure VRRP groups on core switches (S7700s).


# On VLANIF 101 of S7700A, create VRRP group 1, set the priority of S7700A in the VRRP
group to 120 and preemption delay to 20s, and configure the virtual IP address of VRRP
group 1 as the employee gateway address.
<S7700A> system-view
[S7700A] interface vlanif 101
[S7700A-Vlanif101] vrrp vrid 1 virtual-ip 172.19.10.1
[S7700A-Vlanif101] vrrp vrid 1 priority 120
[S7700A-Vlanif101] vrrp vrid 1 preempt-mode timer delay 20
[S7700A-Vlanif101] quit

# On VLANIF 101 of S7700B, create VRRP group 1 and set the priority of S7700B in the
VRRP group to 100.
<S7700B> system-view
[S7700B] interface vlanif 101
[S7700B-Vlanif101] vrrp vrid 1 virtual-ip 172.19.10.1
[S7700B-Vlanif101] quit

Step 6 [Device] Configure the ACs to ensure network connectivity.


# On AC1, configure network connectivity, create Eth-Trunk 1 and Eth-Trunk 2, and add Eth-
Trunk 1 to VLAN 100 and Eth-Trunk 2 to VLAN 104. Add GE0/0/1 and GE0/0/2 connecting
AC1 to S7700A to Eth-Trunk 1, and GE0/0/3 and GE0/0/4 connecting AC1 to AC2 to Eth-
Trunk 2.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101 104
[AC1] interface eth-trunk 1
[AC1-Eth-Trunk1] port link-type trunk
[AC1-Eth-Trunk1] port trunk allow-pass vlan 100
[AC1-Eth-Trunk1] trunkport GigabitEthernet 0/0/1 0/0/2 //Add GE0/0/1 and
GE0/0/2 connected to the core switch S7700A to Eth-Trunk 1.
[AC1-Eth-Trunk1] quit
[AC1] interface eth-trunk 2
[AC1-Eth-Trunk2] port link-type trunk
[AC1-Eth-Trunk2] port trunk allow-pass vlan 104
[AC1-Eth-Trunk2] trunkport GigabitEthernet 0/0/3 0/0/4 //Add GE0/0/3 and GE0/0/4
connected to AC2 to Eth-Trunk 2.
[AC1-Eth-Trunk2] quit

# Configure an IP address for AC1 to communicate with other NEs.


[AC1] interface vlanif 104
[AC1-Vlanif104] ip address 10.10.11.1 24 //Configure an IP address for VLANIF
104 for communicating with AC2 and transmitting backup data.
[AC1-Vlanif104] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 172.18.10.2 24
[AC1-Vlanif100] quit

# Configure a default route for AC1 so that packets are forwarded to core switches by default.

[AC1] ip route-static 0.0.0.0 0 172.18.10.5

# On AC2, configure network connectivity, create Eth-Trunk 1 and Eth-Trunk 2, and add Eth-
Trunk 1 to VLAN 100 and Eth-Trunk 2 to VLAN 104. Add GE0/0/1 and GE0/0/2 connecting
AC2 to S7700B to Eth-Trunk 1, and GE0/0/3 and GE0/0/4 connecting AC2 to AC1 to Eth-
Trunk 2.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101 104
[AC2] interface eth-trunk 1
[AC2-Eth-Trunk1] port link-type trunk
[AC2-Eth-Trunk1] port trunk allow-pass vlan 100
[AC2-Eth-Trunk1] trunkport GigabitEthernet 0/0/1 0/0/2 //Add GE0/0/1 and GE0/0/2
connected to the core switch S7700B to Eth-Trunk 1.
[AC2-Eth-Trunk1] quit
[AC2] interface eth-trunk 2
[AC2-Eth-Trunk2] port link-type trunk
[AC2-Eth-Trunk2] port trunk allow-pass vlan 104
[AC2-Eth-Trunk2] trunkport GigabitEthernet 0/0/3 0/0/4 //Add GE0/0/3 and GE0/0/4
connected to AC1 to Eth-Trunk 2.
[AC2-Eth-Trunk2] quit

# Configure an IP address for AC2 to communicate with other NEs.


[AC2] interface vlanif 104
[AC2-Vlanif104] ip address 10.10.11.2 24 //Configure an IP address for VLANIF
104 for communicating with AC1 and transmitting backup data.
[AC2-Vlanif104] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 172.18.10.3 24
[AC2-Vlanif100] quit

# Configure a default route for AC2 so that packets are forwarded to core switches by default.
[AC2] ip route-static 0.0.0.0 0 172.18.10.6

Step 7 [Device] Configure VRRP on AC1 to implement AC HSB.

# Set the recovery delay of a VRRP group to 30 seconds.


[AC1] vrrp recover-delay 30

# Create a management VRRP group on AC1. Set the priority of AC1 in the VRRP group to
120 and preemption delay to 1200s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 172.18.10.1 //Configure a virtual IP
address for the management VRRP group.
[AC1-Vlanif100] vrrp vrid 1 priority 120 //Set the priority of AC1 in the VRRP
group.
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1200 //Set the preemption
delay for AC1 in the VRRP group.
[AC1-Vlanif100] admin-vrrp vrid 1 //Configure vrid 1 as the mVRRP group.
[AC1-Vlanif100] quit

# Create HSB service 0 on AC1. Configure the IP addresses and port numbers for the active
and standby channels. Set the retransmission time and interval of HSB service 0.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.10.11.1 peer-ip 10.10.11.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit

# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management VRRP
group.

[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.


[AC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.


[AC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.


[AC1] hsb-service-type dhcp hsb-group 0

# Enable HSB.
[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit

Step 8 [Device] Configure VRRP on AC2 to implement AC HSB.


# Set the recovery delay of a VRRP group to 30 seconds.
[AC2] vrrp recover-delay 30

# Create a management VRRP group on AC2.


[AC2] interface vlanif 100
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 172.18.10.1 //Configure a virtual IP
address for the management VRRP group.
[AC2-Vlanif100] admin-vrrp vrid 1 //Configure vrid 1 as the mVRRP backup group.
[AC2-Vlanif100] quit

# Create HSB service 0 on AC2. Configure the IP addresses and port numbers for the active
and standby channels. Set the retransmission time and interval of HSB service 0.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.10.11.2 peer-ip 10.10.11.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit

# Create HSB group 0 on AC2 and bind it to HSB service 0 and the management VRRP
group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.


[AC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.


[AC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.


[AC2] hsb-service-type dhcp hsb-group 0

Step 9 [Device] Enable HSB on AC2.


# Enable HSB.

[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit

Step 10 [Device] Verify the VRRP configuration.


# After the configurations are complete, run the display vrrp command on AC1 and AC2.
The State field of AC1 is displayed as Master and that of AC2 is displayed as Backup.
[AC1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 172.18.10.1
Master IP : 172.18.10.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 01:25:55 UTC+08:00
Last change time : 2005-07-31 02:48:22 UTC+08:00

[AC2] display vrrp


Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 172.18.10.1
Master IP : 172.18.10.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 02:11:07 UTC+08:00
Last change time : 2005-07-31 03:40:45 UTC+08:00

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status.
The value of the Service State field is Connected, indicating that the active and standby HSB
channels have been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.1
Peer IP Address : 10.10.11.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.2
Peer IP Address : 10.10.11.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
----------------------------------------------------------

# Run the display hsb-group 0 command on AC1 and AC2 to check the HSB group status.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Type : AC6605
Peer Group Software Version : V200R006C20
Group Backup Modules : Access-user
AP
DHCP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Type : AC6605
Peer Group Software Version : V200R006C20
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------
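
The Step 10 checks can be scripted and cross-checked between the two ACs. The Python below is an added example, not part of the Huawei guide: it parses constructed, abridged samples in the format of the display vrrp, display hsb-service 0 and display hsb-group 0 output shown above; the function names are hypothetical, and the rule that the HSB group is Active on the VRRP Master is taken from the sample output.

```python
import re

# Constructed samples, abridged from the Step 10 output format.
VRRP = """Vlanif100 | Virtual Router 1
State : {state}
Virtual IP : 172.18.10.1
Master IP : 172.18.10.2
Preempt : YES Delay Time : {delay} s
Config type : admin-vrrp
"""
SERVICE = """Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : {local}
Peer IP Address : {peer}
Service State : {state}
----------------------------------------------------------
"""
GROUP = """Hot Standby Group Information:
----------------------------------------------------------
Group Vrrp Status : {vrrp}
Group Status : {status}
Group Backup Modules : {modules}
----------------------------------------------------------
"""
AC1 = {
    "vrrp": VRRP.format(state="Master", delay=1200),
    "service": SERVICE.format(local="10.10.11.1", peer="10.10.11.2", state="Connected"),
    "group": GROUP.format(vrrp="Master", status="Active", modules="Access-user\nAP\nDHCP"),
}
AC2 = {
    "vrrp": VRRP.format(state="Backup", delay=0),
    "service": SERVICE.format(local="10.10.11.2", peer="10.10.11.1", state="Connected"),
    "group": GROUP.format(vrrp="Backup", status="Inactive", modules="Access-user\nDHCP\nAP"),
}


def parse_display(text):
    """Parse 'Key : value' output into {key: [values]}; lines without a colon extend the previous key."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or "|" in line:
            continue  # blank line, separator, or the "Vlanif100 | Virtual Router 1" title
        m = re.match(r"([^:]+?)\s*:\s*(.*)$", line)
        if m:
            last, value = m.group(1), m.group(2)
            two = re.match(r"(\S+)\s+Delay Time\s*:\s*(\d+)\s*s$", value)
            if two:  # "Preempt : YES Delay Time : 1200 s" carries two fields
                value, fields["Delay Time"] = two.group(1), [two.group(2)]
            fields[last] = [value] if value else []
        elif last:
            fields[last].append(line)  # e.g. the second and third backup module
    return fields


def field(parsed, key):
    """First value of a field, or an empty string when the field is absent."""
    return (parsed.get(key) or [""])[0]


def check_hsb_pair(ac1, ac2):
    """ac1/ac2: dicts holding the raw 'vrrp', 'service' and 'group' output of each AC."""
    acs = [{name: parse_display(text) for name, text in ac.items()} for ac in (ac1, ac2)]
    problems = []
    states = [field(ac["vrrp"], "State") for ac in acs]
    if sorted(states) != ["Backup", "Master"]:
        problems.append("VRRP states %s: expected one Master and one Backup" % states)
    for key in ("Virtual IP", "Master IP"):
        if field(acs[0]["vrrp"], key) != field(acs[1]["vrrp"], key):
            problems.append("%s differs between the ACs" % key)
    for i, (me, peer) in enumerate(((acs[0], acs[1]), (acs[1], acs[0])), start=1):
        if field(me["service"], "Service State") != "Connected":
            problems.append("AC%d: HSB channel is not Connected" % i)
        if field(me["service"], "Local IP Address") != field(peer["service"], "Peer IP Address"):
            problems.append("AC%d: local HSB address is not the peer address set on the other AC" % i)
        want = "Active" if field(me["vrrp"], "State") == "Master" else "Inactive"
        if field(me["group"], "Group Status") != want:
            problems.append("AC%d: HSB group status does not follow the VRRP state" % i)
    # The module order differs between the two ACs in the guide's output, so compare as sets.
    modules = [set(ac["group"].get("Group Backup Modules", [])) for ac in acs]
    if modules[0] != modules[1]:
        problems.append("the ACs back up different modules")
    return problems


if __name__ == "__main__":
    print(check_hsb_pair(AC1, AC2) or "HSB pair is consistent")
```
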

Step 11 [Device] On the ACs, configure a RADIUS server template, and configure authentication,
accounting, and authorization schemes in the template. In this way, the ACs can communicate
with the RADIUS server.
# On AC1, configure a RADIUS server template, and configure authentication, accounting,
and authorization schemes in the template.
[AC1] radius-server template radius_template
[AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80
//Configure a primary RADIUS authentication server with a higher weight than that of the
secondary authentication server.
//Set the authentication port to 1812 and the source IP address used to communicate with
the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40
//Configure a secondary RADIUS authentication server with a lower weight than that of the
primary authentication server.
//Set the authentication port to 1812 and the source IP address used to communicate with
the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80
//Configure a primary RADIUS accounting server with a higher weight than that of the
secondary accounting server to obtain user login and logout information.
//Set the accounting port to 1813 and the source IP address used to communicate with the
RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.3 1813 source ip-address 172.18.10.1 weight 40
//Configure a secondary RADIUS accounting server with a lower weight than that of the
primary accounting server to obtain user login and logout information.
//Set the accounting port to 1813 and the source IP address used to communicate with the
RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server shared-key cipher Admin@123 //
Configure a shared key for the RADIUS server.
[AC1-radius-radius_template] radius-server user-name original //Configure the AC
to send the user names entered by users to the RADIUS server.
[AC1-radius-radius_template] quit
[AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123 //
Configure a RADIUS authorization server so that the RADIUS server can deliver
authorization rules to the AC.
Set the shared key to Admin@123, which must be the same as that of the
authentication and accounting server.
[AC1] radius-server authorization 172.22.10.3 shared-key cipher Admin@123 //
Configure a RADIUS authorization server so that the RADIUS server can deliver
authorization rules to the AC.
//Set the shared key to Admin@123, which must be the same as that of the
authentication and accounting server.
//The access control device can process CoA/DM Request packets initiated by the
Agile Controller-Campus only after the authorization servers are configured.
//Authentication servers and authorization servers must have a one-to-one
mapping, that is, the number of authentication servers and authorization servers
must be the same.
//If not, the Agile Controller-Campus will fail to kick some users offline.
[AC1] aaa
[AC1-aaa] authentication-scheme auth_scheme
[AC1-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication
scheme to RADIUS.
[AC1-aaa-authen-auth_scheme] quit
[AC1-aaa] accounting-scheme acco_scheme
[AC1-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting
scheme to RADIUS.
//The RADIUS accounting scheme must be used so that the RADIUS server can
maintain account state information such as login/logout information and force
users to go offline.
[AC1-aaa-accounting-acco_scheme] accounting realtime 15 //Set the real-time
accounting interval to 15 minutes.
[AC1-aaa-accounting-acco_scheme] quit
[AC1-aaa] quit

NOTE

The accounting realtime command sets the real-time accounting interval. A short real-time accounting
interval requires high performance of the device and RADIUS server. Set a real-time accounting interval
based on the user quantity.

Table 4-137 Accounting interval


User Quantity    Real-Time Accounting Interval
1 to 99          3 minutes
100 to 499       6 minutes
500 to 999       12 minutes
≥ 1000           ≥ 15 minutes

# On AC2, configure a RADIUS server template, and configure authentication, accounting,
and authorization schemes in the template. The RADIUS authentication configuration of AC2
is the same as that of AC1 and is not provided here.
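
The consistency rules stated in Step 11 and Table 4-137 can be checked mechanically before the commands are applied to AC1 and AC2. The Python below is an added example, not part of the Huawei guide; it assumes the input is the command script as typed (prompts and // comments allowed, one command per line), and the function names and finding codes are hypothetical.

```python
import re

PROMPT = re.compile(r"^\s*[\[<][^\]>]+[\]>]\s*")  # "[AC1-aaa] " or "<AC1> "
COMMENT = re.compile(r"\s*//.*$")                 # trailing //comment
# Table 4-137: (largest user quantity in the band, interval in minutes)
ACCT_TABLE = [(99, 3), (499, 6), (999, 12), (float("inf"), 15)]
GUIDE_SAMPLE_KEY = "Admin@123"  # key value printed in this guide's examples

# Constructed sample: the AC1 commands from Steps 7 and 11, one command per line.
AC1_SCRIPT = """\
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 172.18.10.1 //management VRRP group
[AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80
[AC1-radius-radius_template] radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40
[AC1-radius-radius_template] radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80
[AC1-radius-radius_template] radius-server accounting 172.22.10.3 1813 source ip-address 172.18.10.1 weight 40
[AC1-radius-radius_template] radius-server shared-key cipher Admin@123
[AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123
[AC1] radius-server authorization 172.22.10.3 shared-key cipher Admin@123
[AC1-aaa-accounting-acco_scheme] accounting realtime 15 //minutes
"""


def commands(script):
    """Strip prompts and // comments, returning the bare command lines."""
    out = []
    for line in script.splitlines():
        line = COMMENT.sub("", PROMPT.sub("", line)).strip()
        if line:
            out.append(line)
    return out


def recommended_interval(user_count):
    """Real-time accounting interval (minutes) from Table 4-137."""
    for upper, minutes in ACCT_TABLE:
        if user_count <= upper:
            return minutes


def lint_radius(script, user_count):
    """Return a list of (code, detail) findings for the RADIUS/AAA commands."""
    servers, authz, vips = [], {}, set()   # servers: (kind, server ip, source ip)
    template_key = interval = None
    for cmd in commands(script):
        m = re.match(r"radius-server (authentication|accounting) (\S+) \d+ source ip-address (\S+)", cmd)
        if m:
            servers.append(m.groups())
            continue
        m = re.match(r"radius-server authorization (\S+) shared-key cipher (\S+)", cmd)
        if m:
            authz[m.group(1)] = m.group(2)
            continue
        m = re.match(r"radius-server shared-key cipher (\S+)", cmd)
        if m:
            template_key = m.group(1)
            continue
        m = re.match(r"vrrp vrid \d+ virtual-ip (\S+)", cmd)
        if m:
            vips.add(m.group(1))
            continue
        m = re.match(r"accounting realtime (\d+)", cmd)
        if m:
            interval = int(m.group(1))

    findings = []
    auth = {ip for kind, ip, _ in servers if kind == "authentication"}
    if auth != set(authz):  # Step 11: one-to-one mapping, otherwise CoA/DM kick-off fails
        findings.append(("AUTHZ_MISMATCH", sorted(auth ^ set(authz))))
    bad_keys = sorted(ip for ip, key in authz.items() if key != template_key)
    if bad_keys:            # Step 11: authorization key must equal the template key
        findings.append(("KEY_MISMATCH", bad_keys))
    off_vip = sorted({ip for _, ip, src in servers if vips and src not in vips})
    if off_vip:             # the controller knows the AC pair by its VRRP virtual IP
        findings.append(("SOURCE_NOT_VIP", off_vip))
    if interval is not None and interval < recommended_interval(user_count):
        findings.append(("ACCT_INTERVAL_SHORT", interval))
    if GUIDE_SAMPLE_KEY in {template_key, *authz.values()}:
        findings.append(("SAMPLE_KEY", "shared key is the value printed in the guide"))
    return findings


if __name__ == "__main__":
    for code, detail in lint_radius(AC1_SCRIPT, user_count=2000):
        print(code, detail)
```
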
Step 12 [Device] Configure APs to go online on AC1 and AC2. The following uses AC1 as an
example.

# Create an AP group to which APs with the same configuration can be added.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name domain1
[AC1-wlan-regulatory-domain-prof-domain1] country-code cn
[AC1-wlan-regulatory-domain-prof-domain1] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

# Configure the AC's source interface.


[AC1] capwap source ip-address 172.18.10.1

# Import the AP offline on the AC and add the AP to the AP group ap-group1.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name ap_0
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC1-wlan-ap-1] ap-name ap_1
[AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC1-wlan-ap-1] quit
[AC1-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC1] display ap all
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------------------
ID   MAC             Name  Group     IP             Type          State  STA  Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360  ap_0  ap_group  172.18.10.254  AP6010DN-AGN  nor    0    10S
1    60de-4476-e380  ap_1  ap_group  172.18.10.253  AP6010DN-AGN  nor    0    20S
-------------------------------------------------------------------------------------
Total: 2

Step 13 [Device] Configure wireless 802.1X authentication on AC1. The 802.1X authentication
configuration of AC2 is the same as that of AC1 and is not provided here.

The following figure shows the process of configuring wireless 802.1X authentication.

1. Configure an access profile.


NOTE

An access profile defines the 802.1X authentication protocol and packet processing parameters. By
default, EAP authentication is used.
[AC1] dot1x-access-profile name acc_dot1x
[AC1-dot1x-access-profile-acc_dot1x] quit
2. Configure an authentication profile.
Specify the user access mode in the authentication profile through the access profile.
Bind the RADIUS authentication scheme, accounting scheme, and server template to the
authentication profile so that RADIUS authentication is used.
[AC1] authentication-profile name auth_dot1x
[AC1-authentication-profile-auth_dot1x] dot1x-access-profile acc_dot1x
[AC1-authentication-profile-auth_dot1x] authentication-scheme auth_scheme
[AC1-authentication-profile-auth_dot1x] accounting-scheme acco_scheme
[AC1-authentication-profile-auth_dot1x] radius-server radius_template
[AC1-authentication-profile-auth_dot1x] quit
3. Set wireless 802.1X authentication parameters.
# Create the security profile security_dot1x and set the security policy in the profile.
[AC1] wlan
[AC1-wlan-view] security-profile name security_dot1x
[AC1-wlan-sec-prof-security_dot1x] security wpa2 dot1x aes
[AC1-wlan-sec-prof-security_dot1x] quit

# Create the SSID profile wlan-ssid and set the SSID name to employee.
[AC1-wlan-view] ssid-profile name wlan-ssid
[AC1-wlan-ssid-prof-wlan-ssid] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, configure the service data forwarding mode and
service VLAN, and apply the security, SSID, and authentication profiles to the VAP
profile.
[AC1-wlan-view] vap-profile name wlan-vap
[AC1-wlan-vap-prof-wlan-vap] forward-mode direct-forward //Configure direct forwarding
[AC1-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap] security-profile security_dot1x
[AC1-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC1-wlan-vap-prof-wlan-vap] authentication-profile auth_dot1x
[AC1-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap to the AP group ap-group1, and apply the VAP profile
to radio 0 and radio 1 of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

Step 14 [Device] Configure resources accessible to users after successful authentication on AC1 and
AC2. In this example, all resources are configured as accessible after successful
authentication.
[AC1] acl 3001
[AC1-acl-adv-3001] rule 1 permit ip
[AC1-acl-adv-3001] quit

Step 15 [Agile Controller-Campus] Add the AC to the Service Manager to enable the Agile
Controller-Campus to manage the AC.
1. Choose Resource > Device > Device Management.
2. Click Add.
3. Configure parameters for the AC.

Parameter                                Value        Description
Name                                     AC           -
IP address                               172.18.10.1  Virtual IP address of the AC.
Authentication key                       Admin@123    It must be the same as the shared key of the RADIUS authentication server configured on the AC.
Accounting key                           Admin@123    It must be the same as the shared key of the RADIUS accounting server configured on the AC.
Real-time accounting interval (minute)   15           It must be the same as the real-time accounting interval configured on the AC.

4. Click OK.
Step 16 Configure authentication and authorization.
1. Optional: Choose Policy > Permission Control > Authentication & Authorization >
Authentication Rule, and modify the default authentication rule or create an
authentication rule.
By default, an authentication rule takes effect only on the local data source. If a third-
party data source such as AD data source is used, modify the default authentication rule
or create an authentication rule, and select the authentication data source correctly.
2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and add an authorization ACL.
The ACL number must be the same as that configured on the authentication control
device.

3. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and bind the authorization result to specify resources accessible to
users after successful authentication.

----End

Verification

Item                     Expected Result
Employee authentication  - Use a mobile phone to associate with the SSID employee, and enter an AD domain user name and password.
                         - After successful authentication, you can access Internet resources successfully.
                         - Run the display access-user and display access-user user-id user-id commands on AC1 to view detailed online user information.
                         - Choose Resource > User > RADIUS Log on the Agile Controller-Campus to view RADIUS logs.
AC1 power-off            Services are automatically switched to AC2, without affecting employee authentication. The process is not detected by user terminals.
SC power-off             After the network cable of a Service Controller is disconnected, employees are re-authenticated and go online. Their access rights are normal.

Summary and Suggestions


- The authentication key and accounting key must be kept consistent on the ACs and Agile
  Controller-Campus.
- Authorization rules are matched in descending order of priority (ascending order of rule
  numbers). If the authorization condition of a user matches a rule, the Agile Controller-
  Campus does not check the subsequent rules. Therefore, it is recommended that you set
  higher priorities for the rules defining more precise conditions and set lower priorities for
  the rules defining fuzzy conditions.
- The RADIUS accounting function is configured on the ACs to enable the Agile
  Controller-Campus to obtain online user information by exchanging accounting packets
  with the AC. The Agile Controller-Campus does not support the real accounting
  function. If accounting is required, use a third-party accounting server.

4.19.9 Example for Configuring Portal Authentication for Wireless Users in a VRRP HSB Environment

This example illustrates how to configure Portal authentication on a hot standby (HSB)
wireless network. VRRP-enabled ACs, RADIUS servers, and Portal servers on the network
are deployed in HSB mode, improving network reliability.

Involved Products and Versions

Product Type             Product Name             Version
Agile Controller-Campus  Agile Controller-Campus  V100R002C10
WLAN AC                  AC6605                   V200R006C20
Access switch            S2750EI                  V200R008C00
Aggregation switch       S5720HI                  V200R008C00
Core switch              S7700                    V200R008C00

Networking Requirements
A company has about 2000 employees and needs to deploy an authentication system to
implement access control for all the wireless users who attempt to connect to the enterprise
network. Only authenticated users can connect to the enterprise network.

The company has the following requirements:


- The authentication operations must be simple. The authentication system only performs
  access authorization and does not require any client software on user terminals.
- A unified identity authentication mechanism is used to authenticate all terminals
  attempting to connect to the campus network and deny access from unauthorized
  terminals.
- Employees and guests access the campus network using different SSIDs.
- Employees can connect only to the DNS server and Agile Controller-Campus of the
  company before authentication, and can connect to both the intranet and Internet after
  being authenticated.
- Guests can connect only to the DNS server and Agile Controller-Campus of the
  company before authentication, and can connect only to the Internet after being
  authenticated.
- Two ACs, two core switches, and two Agile Controller-Campus servers are deployed in
  HSB mode to improve network reliability.

Figure 4-96 Networking of Portal authentication for wireless users in HSB mode

Requirement Analysis
The company has no specific requirement on terminal security check and requires simple
operations, without a need to install authentication clients on wireless terminals. Considering
the networking and requirements of the company, Portal authentication can be used on the
campus network.

Based on user requirements, networking design is performed as follows:


- Reliability
  - AC1 and AC2 are connected to S7700A and S7700B in bypass mode, respectively.
    A VRRP group is configured between AC1 and AC2, and HSB is used to determine
    the active and standby ACs.
  - A VRRP group is configured between S7700A and S7700B to improve reliability.
  - Eth-Trunks are used to connect aggregation switches and access switches, ACs and
    core switches, and ACs.
  - The Agile Controller-Campus is deployed in 1+2 (one SM + two SCs) mode to
    ensure reliability of the authentication server.
- Internetworking
  - The aggregation switch is configured as a DHCP server to assign IP addresses to
    APs. Core switches serve as DHCP servers to assign IP addresses to employees and
    guests.
- Data traffic forwarding mode
  Data packets of employees and guests are forwarded in local and tunnel modes,
  respectively. Authentication packets of employees and guests are both forwarded in
  tunnel mode.
- Services
  - Employees and guests are all authenticated on the web pages pushed by the Portal
    server. You need to configure different ACL rules on the ACs to control access
    rights of employees and guests.
  - Different SSIDs need to be configured for employees and guests so that different
    authentication pages can be pushed to them based on their SSIDs.

VLAN Plan

Table 4-138 VLAN plan

VLAN ID  Function
100      mVLAN for APs
101      Service VLAN for employees
102      Service VLAN for guests
103      Egress VLAN for core switches
104      VLAN for communication between ACs

Network Data Plan

Table 4-139 Network data plan

Item                        No.   Interface Number     Eth-Trunk   VLAN               IP address                  Description
Access switch S2750EI       (1)   GE0/0/1              -           100 and 101        -                           Connected to the AP in the employee area
                            (2)   GE0/0/4              -           100 and 101        -                           Connected to the AP in the guest area
                            (3)   GE0/0/2 and GE0/0/3  Eth-Trunk1  100 and 101        -                           Connected to the aggregation switch S5720HI
Aggregation switch S5720HI  (4)   GE0/0/1 and GE0/0/2  Eth-Trunk1  100 and 101        VLANIF 100: 172.18.10.4/24  Connected to the access switch S2750EI
                                                                                      Gateway for APs
                            (5)   GE0/0/3 and GE0/0/4  Eth-Trunk2  100 and 101        -                           Connected to the core switch S7700A
                            (6)   GE0/0/5 and GE0/0/6  Eth-Trunk3  100 and 101        -                           Connected to the core switch S7700B
S7700A (Active)             (7)   GE1/0/1 and GE1/0/2  Eth-Trunk1  100 and 101        VLANIF 101: 172.19.10.2/24  Connected to the aggregation switch S5720HI
                            (8)   GE1/0/3 and GE1/0/4  Eth-Trunk2  100, 101, and 102  VLANIF 100: 172.18.10.5/24  Connected to AC1
                                                                                      VLANIF 102: 172.20.10.2/24
                            (9)   GE1/0/5              -           103                VLANIF 103: 172.22.20.1/24  Connected to the egress router
S7700B (Standby)            (10)  GE1/0/1 and GE1/0/2  Eth-Trunk1  100 and 101        VLANIF 101: 172.19.10.3/24  Connected to the aggregation switch S5720HI
                            (11)  GE1/0/3 and GE1/0/4  Eth-Trunk2  100, 101, and 102  VLANIF 100: 172.18.10.6/24  Connected to AC2
                                                                                      VLANIF 102: 172.20.10.3/24
                            (12)  GE1/0/5              -           103                VLANIF 103: 172.23.20.1/24  Connected to the egress router
AC1 (Active)                (13)  GE0/0/1 and GE0/0/2  Eth-Trunk1  100                VLANIF 100: 172.18.10.2/24  Connected to the core switch S7700A
                            (14)  GE0/0/3 and GE0/0/4  Eth-Trunk2  104                VLANIF 104: 10.10.11.1/24   Connected to AC2
AC2 (Standby)               (15)  GE0/0/1 and GE0/0/2  Eth-Trunk1  100                VLANIF 100: 172.18.10.3/24  Connected to the core switch S7700B
                            (16)  GE0/0/3 and GE0/0/4  Eth-Trunk2  104                VLANIF 104: 10.10.11.2/24   Connected to AC1
Virtual addresses of ACs    -     -                    -           -                  172.18.10.1/24              Connected to the Agile Controller-Campus

Virtual - - - - 172.19.10.1/ Gateway for


address 24 employees
1 of
S7700s

Issue 03 (2017-10-31) Huawei Proprietary and Confidential 1075


Copyright © Huawei Technologies Co., Ltd.
Typical Configuration Examples 4 Typical Configuration Examples (CLI)

Item N Interface Eth-Trunk VLAN IP address Descriptio


o. Number n

Virtual - - - - 172.20.10.1/ Gateway for


address 24 guests
2 of
S7700s

Se SM + SC (RADIUS server 1 + Portal server 1) 172.22.10.2 -


rv
er SC (RADIUS server 2 + Portal server 2) 172.22.10.3 -

DNS server 172.22.10.4 -

Internal server 172.22.10.5 -

Service Data Plan

Table 4-140 Service data plan


Item | Data | Description
AC | Number of the ACL for employees' post-authentication domain: 3001; SSID of the employee area: employee | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
AC | Number of the ACL for guests' post-authentication domain: 3002; SSID of the guest area: guest | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
AC | RADIUS authentication server: Primary IP address: 172.22.10.2; Secondary IP address: 172.22.10.3; Port number: 1812; Shared key: Admin@123 | ● The Service Controller of the Agile Controller-Campus provides RADIUS server and Portal server functions; therefore, IP addresses of the authentication server, accounting server, authorization server, and Portal server are all the IP address of the Service Controller. ● Configure a RADIUS accounting server to obtain user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server. ● Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as those of the authentication server and accounting server.
AC | RADIUS accounting server: Primary IP address: 172.22.10.2; Secondary IP address: 172.22.10.3; Port number: 1813; Shared key: Admin@123; Accounting interval: 15 minutes |
AC | RADIUS authorization server: Primary IP address: 172.22.10.2; Secondary IP address: 172.22.10.3; Shared key: Admin@123 |
AC | Portal server: Primary IP address: 172.22.10.2; Secondary IP address: 172.22.10.3; Port number that the AC uses to listen on Portal protocol packets: 2000; Destination port number in the packets that the AC sends to the Portal server: 50200; Shared key: Admin@123; Encryption key for the URL parameters that the AC sends to the Portal server: Admin@123 |
Agile Controller-Campus | Host name1: access1.example.com; Host name2: access2.example.com | Users can use the domain name to access the Portal server.
Agile Controller-Campus | Authentication port: 1812 | -
Agile Controller-Campus | Accounting port: 1813 | -
Agile Controller-Campus | RADIUS shared key: Admin@123 | It must be the same as the RADIUS shared key configured on the AC.
Agile Controller-Campus | Port number of the Portal server: 50200 | -
Agile Controller-Campus | Portal key: Admin@123 | It must be the same as the Portal key configured on the AC.
Agile Controller-Campus | Department: Employee (Account: tony; Password: Admin@123); Department: Guest (Account: susan; Password: Admin@123) | Department Employee, employee account tony, and guest account susan have been created on the Agile Controller-Campus.
Pre-authentication domain | SM + SC1 (RADIUS server + Portal server), SC2 (RADIUS server + Portal server), and DNS server | -
Post-authentication domain for employees | Internal servers and Internet | -
Post-authentication domain for guests | Internet | -

Prerequisites
You have connected core router interfaces at 172.22.20.2/24 and 172.23.20.2/24 to S7700A
and S7700B, respectively.

Configuration Roadmap
1. Configure the access switches, aggregation switch, core switches, and ACs to implement
interworking on the network.
2. On the ACs, configure a RADIUS server template, configure authentication, accounting,
and authorization schemes in the template, and specify the IP addresses of Portal servers.
In this way, the ACs can communicate with RADIUS servers and Portal servers.
3. Add ACs to the Service Manager and configure parameters for the ACs to ensure that the
Agile Controller-Campus can manage the ACs.
4. Add authorization results and rules to grant different access rights to employees and
guests after they are successfully authenticated.

Procedure
Step 1 [Device] Configure the access switch S2750EI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan batch 100 101 //Create VLAN 100 and VLAN 101 in a batch.
[S2700] interface gigabitethernet 0/0/1 //Enter the view of the interface
connected to an AP.
[S2700-GigabitEthernet0/0/1] port link-type trunk //Change the link type of
gigabitethernet0/0/1 to trunk.
[S2700-GigabitEthernet0/0/1] port trunk pvid vlan 100 //Set the default VLAN of
gigabitethernet0/0/1 to VLAN 100.
[S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 //Add
gigabitethernet0/0/1 to VLAN 100 and VLAN 101.
[S2700-GigabitEthernet0/0/1] quit
[S2700] interface gigabitethernet 0/0/4 //Enter the view of the interface
connected to another AP.
[S2700-GigabitEthernet0/0/4] port link-type trunk //Change the link type of
gigabitethernet0/0/4 to trunk.
[S2700-GigabitEthernet0/0/4] port trunk pvid vlan 100 //Set the default VLAN of
gigabitethernet0/0/4 to VLAN 100.
[S2700-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101 //Add
gigabitethernet0/0/4 to VLAN 100 and VLAN 101.
[S2700-GigabitEthernet0/0/4] quit

# Create Eth-Trunk 1, and add GE0/0/2 and GE0/0/3 to Eth-Trunk 1.


[S2700] interface eth-trunk 1 //Create Eth-Trunk 1.
[S2700-Eth-Trunk1] quit
[S2700] interface gigabitethernet 0/0/2 //Add gigabitethernet0/0/2 to Eth-Trunk
1.
[S2700-GigabitEthernet0/0/2] eth-trunk 1
[S2700-GigabitEthernet0/0/2] quit
[S2700] interface gigabitethernet 0/0/3 //Add gigabitethernet0/0/3 to Eth-Trunk
1.
[S2700-GigabitEthernet0/0/3] eth-trunk 1
[S2700-GigabitEthernet0/0/3] quit

# Add Eth-Trunk 1 to VLANs.


[S2700] interface eth-trunk 1 //Enter the view of the interface connected to the
aggregation switch.
[S2700-Eth-Trunk1] port link-type trunk //Change the link type of Eth-Trunk 1 to
trunk.
[S2700-Eth-Trunk1] port trunk allow-pass vlan 100 101 //Add Eth-Trunk 1 to VLAN
100 and VLAN 101.
[S2700-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S2700-Eth-Trunk1] quit
[S2700] quit
<S2700> save //Save the configuration.

Step 2 [Device] Configure the aggregation switch S5720HI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S5720HI
[S5720HI] dhcp enable //Enable the DHCP service.
[S5720HI] vlan batch 100 101 //Create VLAN 100 and VLAN 101 in a batch.
[S5720HI] interface vlanif 100 //Enter the view of VLANIF 100.
[S5720HI-Vlanif100] ip address 172.18.10.4 24 //Configure an IP address for
VLANIF 100 as the APs' gateway.
[S5720HI-Vlanif100] dhcp select interface
[S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.1 172.18.10.3 //
Exclude IP addresses in use from the DHCP address pool.
[S5720HI-Vlanif100] dhcp server excluded-ip-address 172.18.10.5 172.18.10.6
[S5720HI-Vlanif100] quit

# Create Eth-Trunk 1, and add GE0/0/1 and GE0/0/2 to Eth-Trunk 1.


[S5720HI] interface eth-trunk 1
[S5720HI-Eth-Trunk1] quit
[S5720HI] interface gigabitethernet 0/0/1
[S5720HI-GigabitEthernet0/0/1] eth-trunk 1
[S5720HI-GigabitEthernet0/0/1] quit
[S5720HI] interface gigabitethernet 0/0/2
[S5720HI-GigabitEthernet0/0/2] eth-trunk 1
[S5720HI-GigabitEthernet0/0/2] quit

# Add Eth-Trunk 1 to VLANs.

[S5720HI] interface eth-trunk 1 //Enter the view of the interface connected to
the access switch S2700.
[S5720HI-Eth-Trunk1] port link-type trunk
[S5720HI-Eth-Trunk1] port trunk allow-pass vlan 100 101
[S5720HI-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S5720HI-Eth-Trunk1] quit

# Create Eth-Trunk 2, and add GE0/0/3 and GE0/0/4 to Eth-Trunk 2.


[S5720HI] interface eth-trunk 2
[S5720HI-Eth-Trunk2] quit
[S5720HI] interface gigabitethernet 0/0/3
[S5720HI-GigabitEthernet0/0/3] eth-trunk 2
[S5720HI-GigabitEthernet0/0/3] quit
[S5720HI] interface gigabitethernet 0/0/4
[S5720HI-GigabitEthernet0/0/4] eth-trunk 2
[S5720HI-GigabitEthernet0/0/4] quit

# Add Eth-Trunk 2 to VLANs.


[S5720HI] interface eth-trunk 2 //Enter the view of the interface connected to
the core switch S7700A.
[S5720HI-Eth-Trunk2] port link-type trunk
[S5720HI-Eth-Trunk2] port trunk allow-pass vlan 100 101
[S5720HI-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S5720HI-Eth-Trunk2] quit

# Create Eth-Trunk 3, and add GE0/0/5 and GE0/0/6 to Eth-Trunk 3.


[S5720HI] interface eth-trunk 3
[S5720HI-Eth-Trunk3] quit
[S5720HI] interface gigabitethernet 0/0/5
[S5720HI-GigabitEthernet0/0/5] eth-trunk 3
[S5720HI-GigabitEthernet0/0/5] quit
[S5720HI] interface gigabitethernet 0/0/6
[S5720HI-GigabitEthernet0/0/6] eth-trunk 3
[S5720HI-GigabitEthernet0/0/6] quit

# Add Eth-Trunk 3 to VLANs.


[S5720HI] interface eth-trunk 3 //Enter the view of the interface connected to
the core switch S7700B.
[S5720HI-Eth-Trunk3] port link-type trunk
[S5720HI-Eth-Trunk3] port trunk allow-pass vlan 100 101
[S5720HI-Eth-Trunk3] undo port trunk allow-pass vlan 1
[S5720HI-Eth-Trunk3] quit
[S5720HI] quit
<S5720HI> save //Save the configuration.

Step 3 [Device] Configure the core switch S7700A to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700A
[S7700A] vlan batch 100 to 103 //Create VLAN 100, VLAN 101, VLAN 102, and VLAN
103 in a batch.

# Create Eth-Trunk 1, and add GE1/0/1 and GE1/0/2 to Eth-Trunk 1.


[S7700A] interface eth-trunk 1
[S7700A-Eth-Trunk1] quit
[S7700A] interface gigabitethernet 1/0/1
[S7700A-GigabitEthernet1/0/1] eth-trunk 1
[S7700A-GigabitEthernet1/0/1] quit
[S7700A] interface gigabitethernet 1/0/2
[S7700A-GigabitEthernet1/0/2] eth-trunk 1
[S7700A-GigabitEthernet1/0/2] quit

# Add Eth-Trunk 1 to VLANs.


[S7700A] interface eth-trunk 1 //Enter the view of the interface connected to
the aggregation switch S5720HI.
[S7700A-Eth-Trunk1] port link-type trunk
[S7700A-Eth-Trunk1] port trunk allow-pass vlan 100 101
[S7700A-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S7700A-Eth-Trunk1] quit
[S7700A] dhcp enable
[S7700A] interface vlanif 101 //Enter the view of VLANIF 101.
[S7700A-Vlanif101] ip address 172.19.10.2 24 //Configure an IP address for
VLANIF 101 for communicating with VLANIF 101 on S7700B.
[S7700A-Vlanif101] dhcp select interface //Configure DHCP for VLANIF 101 so that
the IP address of VLANIF 101 can be configured as the gateway for employees.
[S7700A-Vlanif101] dhcp server dns-list 172.22.10.4 //Configure the DNS server
address.
[S7700A-Vlanif101] dhcp server excluded-ip-address 172.19.10.1 //Exclude IP
addresses in use from the DHCP address pool.
[S7700A-Vlanif101] dhcp server excluded-ip-address 172.19.10.3
[S7700A-Vlanif101] quit

# Create Eth-Trunk 2, and add GE1/0/3 and GE1/0/4 to Eth-Trunk 2.


[S7700A] interface eth-trunk 2
[S7700A-Eth-Trunk2] quit
[S7700A] interface gigabitethernet 1/0/3
[S7700A-GigabitEthernet1/0/3] eth-trunk 2
[S7700A-GigabitEthernet1/0/3] quit
[S7700A] interface gigabitethernet 1/0/4
[S7700A-GigabitEthernet1/0/4] eth-trunk 2
[S7700A-GigabitEthernet1/0/4] quit

# Add Eth-Trunk 2 to VLANs.


[S7700A] interface eth-trunk 2 //Enter the view of the interface connected to
AC1.
[S7700A-Eth-Trunk2] port link-type trunk
[S7700A-Eth-Trunk2] port trunk allow-pass vlan 100 101 102
[S7700A-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S7700A-Eth-Trunk2] quit
[S7700A] interface vlanif 100 //Enter the view of VLANIF 100.
[S7700A-Vlanif100] ip address 172.18.10.5 24 //Configure an IP address for
VLANIF 100 for communicating with AC1.
[S7700A-Vlanif100] quit
[S7700A] interface vlanif 102 //Enter the view of VLANIF 102.
[S7700A-Vlanif102] ip address 172.20.10.2 24 //Configure an IP address for
VLANIF 102 for communicating with VLANIF 102 on S7700B.
[S7700A-Vlanif102] dhcp select interface //Configure DHCP for VLANIF 102 so that
the IP address of VLANIF 102 can be configured as the gateway for guests.
[S7700A-Vlanif102] dhcp server dns-list 172.22.10.4
[S7700A-Vlanif102] dhcp server excluded-ip-address 172.20.10.1
[S7700A-Vlanif102] dhcp server excluded-ip-address 172.20.10.3
[S7700A-Vlanif102] quit

# Configure an IP address for the interface connecting to the egress router.


[S7700A] interface gigabitethernet 1/0/5 //Enter the view of the interface
connected to the egress router.
[S7700A-GigabitEthernet1/0/5] port link-type trunk
[S7700A-GigabitEthernet1/0/5] port trunk pvid vlan 103
[S7700A-GigabitEthernet1/0/5] port trunk allow-pass vlan 103
[S7700A-GigabitEthernet1/0/5] quit
[S7700A] interface vlanif 103
[S7700A-Vlanif103] ip address 172.22.20.1 24
[S7700A-Vlanif103] quit
[S7700A] ip route-static 0.0.0.0 0 172.22.20.2
[S7700A] quit
<S7700A> save //Save the configuration.

Step 4 [Device] Configure the core switch S7700B to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700B
[S7700B] vlan batch 100 to 103 //Create VLAN 100, VLAN 101, VLAN 102, and VLAN
103 in a batch.

# Create Eth-Trunk 1, and add GE1/0/1 and GE1/0/2 to Eth-Trunk 1.


[S7700B] interface eth-trunk 1
[S7700B-Eth-Trunk1] quit
[S7700B] interface gigabitethernet 1/0/1
[S7700B-GigabitEthernet1/0/1] eth-trunk 1
[S7700B-GigabitEthernet1/0/1] quit
[S7700B] interface gigabitethernet 1/0/2
[S7700B-GigabitEthernet1/0/2] eth-trunk 1
[S7700B-GigabitEthernet1/0/2] quit

# Add Eth-Trunk 1 to VLANs.


[S7700B] interface eth-trunk 1 //Enter the view of the interface connected to
the aggregation switch S5720HI.
[S7700B-Eth-Trunk1] port link-type trunk
[S7700B-Eth-Trunk1] port trunk allow-pass vlan 100 101
[S7700B-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S7700B-Eth-Trunk1] quit
[S7700B] dhcp enable
[S7700B] interface vlanif 101 //Enter the view of VLANIF 101.
[S7700B-Vlanif101] ip address 172.19.10.3 24 //Configure an IP address for VLANIF
101 for communicating with VLANIF 101 on S7700A.
[S7700B-Vlanif101] dhcp select interface //Configure DHCP for VLANIF 101 so that
the IP address of VLANIF 101 can be configured as the gateway for employees.
[S7700B-Vlanif101] dhcp server dns-list 172.22.10.4 //Configure the DNS server
address.
[S7700B-Vlanif101] dhcp server excluded-ip-address 172.19.10.1 172.19.10.2 //
Exclude IP addresses in use from the DHCP address pool.
[S7700B-Vlanif101] quit

# Create Eth-Trunk 2, and add GE1/0/3 and GE1/0/4 to Eth-Trunk 2.


[S7700B] interface eth-trunk 2
[S7700B-Eth-Trunk2] quit
[S7700B] interface gigabitethernet 1/0/3
[S7700B-GigabitEthernet1/0/3] eth-trunk 2
[S7700B-GigabitEthernet1/0/3] quit
[S7700B] interface gigabitethernet 1/0/4
[S7700B-GigabitEthernet1/0/4] eth-trunk 2
[S7700B-GigabitEthernet1/0/4] quit

# Add Eth-Trunk 2 to VLANs.


[S7700B] interface eth-trunk 2 //Enter the view of the interface connected to
AC2.
[S7700B-Eth-Trunk2] port link-type trunk
[S7700B-Eth-Trunk2] port trunk allow-pass vlan 100 101 102
[S7700B-Eth-Trunk2] undo port trunk allow-pass vlan 1
[S7700B-Eth-Trunk2] quit
[S7700B] interface vlanif 100 //Enter the view of VLANIF 100.
[S7700B-Vlanif100] ip address 172.18.10.6 24 //Configure an IP address for
VLANIF 100 for communicating with AC2.
[S7700B-Vlanif100] quit
[S7700B] interface vlanif 102 //Enter the view of VLANIF 102.
[S7700B-Vlanif102] ip address 172.20.10.3 24 //Configure an IP address for VLANIF
102 for communicating with VLANIF 102 on S7700A.
[S7700B-Vlanif102] dhcp select interface //Configure DHCP for VLANIF 102 so that
the IP address of VLANIF 102 can be configured as the gateway for guests.
[S7700B-Vlanif102] dhcp server dns-list 172.22.10.4
[S7700B-Vlanif102] dhcp server excluded-ip-address 172.20.10.1 172.20.10.2
[S7700B-Vlanif102] quit

# Configure an IP address for the interface connecting to the egress router.


[S7700B] interface gigabitethernet 1/0/5 //Enter the view of the interface
connected to the egress router.
[S7700B-GigabitEthernet1/0/5] port link-type trunk
[S7700B-GigabitEthernet1/0/5] port trunk pvid vlan 103
[S7700B-GigabitEthernet1/0/5] port trunk allow-pass vlan 103
[S7700B-GigabitEthernet1/0/5] quit
[S7700B] interface vlanif 103
[S7700B-Vlanif103] ip address 172.23.20.1 24
[S7700B-Vlanif103] quit
[S7700B] ip route-static 0.0.0.0 0 172.23.20.2
[S7700B] quit
<S7700B> save //Save the configuration.

Step 5 [Device] Configure VRRP groups on core switches (S7700s).


# On VLANIF 101 of S7700A, create VRRP group 1, set the priority of S7700A in the VRRP
group to 120 and preemption delay to 20s, and configure the virtual IP address of VRRP
group 1 as the employee gateway address.
<S7700A> system-view
[S7700A] interface vlanif 101
[S7700A-Vlanif101] vrrp vrid 1 virtual-ip 172.19.10.1
[S7700A-Vlanif101] vrrp vrid 1 priority 120
[S7700A-Vlanif101] vrrp vrid 1 preempt-mode timer delay 20
[S7700A-Vlanif101] quit

# On VLANIF 102 of S7700A, create VRRP group 2, set the priority of S7700A in the VRRP
group to 120 and preemption delay to 20s, and configure the virtual IP address of VRRP
group 2 as the guest gateway address.
[S7700A] interface vlanif 102
[S7700A-Vlanif102] vrrp vrid 2 virtual-ip 172.20.10.1
[S7700A-Vlanif102] vrrp vrid 2 priority 120
[S7700A-Vlanif102] vrrp vrid 2 preempt-mode timer delay 20
[S7700A-Vlanif102] quit
[S7700A] quit
<S7700A> save //Save the configuration.

# On VLANIF 101 of S7700B, create VRRP group 1 and set the priority of S7700B in the
VRRP group to 100.
<S7700B> system-view
[S7700B] interface vlanif 101
[S7700B-Vlanif101] vrrp vrid 1 virtual-ip 172.19.10.1
[S7700B-Vlanif101] quit

# On VLANIF 102 of S7700B, create VRRP group 2 and set the priority of S7700B in the
VRRP group to 100.
[S7700B] interface vlanif 102
[S7700B-Vlanif102] vrrp vrid 2 virtual-ip 172.20.10.1
[S7700B-Vlanif102] quit
[S7700B] quit
<S7700B> save //Save the configuration.

Step 6 [Device] Configure the ACs to ensure network connectivity.


# On AC1, configure network connectivity, create Eth-Trunk 1 and Eth-Trunk 2, and add Eth-
Trunk 1 to VLAN 100 and Eth-Trunk 2 to VLAN 104. Add GE0/0/1 and GE0/0/2 connecting
AC1 to S7700A to Eth-Trunk 1, and GE0/0/3 and GE0/0/4 connecting AC1 to AC2 to Eth-
Trunk 2.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101 102 104
[AC1] interface eth-trunk 1
[AC1-Eth-Trunk1] port link-type trunk
[AC1-Eth-Trunk1] port trunk allow-pass vlan 100
[AC1-Eth-Trunk1] trunkport GigabitEthernet 0/0/1 0/0/2 //Add GE0/0/1 and GE0/0/2
connected to the core switch S7700A to Eth-Trunk 1.
[AC1-Eth-Trunk1] quit
[AC1] interface eth-trunk 2
[AC1-Eth-Trunk2] port link-type trunk
[AC1-Eth-Trunk2] port trunk allow-pass vlan 104
[AC1-Eth-Trunk2] trunkport GigabitEthernet 0/0/3 0/0/4 //Add GE0/0/3 and GE0/0/4
connected to AC2 to Eth-Trunk 2.
[AC1-Eth-Trunk2] quit

# Configure an IP address for AC1 to communicate with other NEs.


[AC1] interface vlanif 104
[AC1-Vlanif104] ip address 10.10.11.1 24 //Configure an IP address for VLANIF 104
for communicating with AC2 and transmitting backup data.
[AC1-Vlanif104] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 172.18.10.2 24
[AC1-Vlanif100] quit

# Configure a default route for AC1 so that packets are forwarded to core switches by default.
[AC1] ip route-static 0.0.0.0 0 172.18.10.5

# On AC2, configure network connectivity, create Eth-Trunk 1 and Eth-Trunk 2, and add Eth-
Trunk 1 to VLAN 100 and Eth-Trunk 2 to VLAN 104. Add GE0/0/1 and GE0/0/2 connecting
AC2 to S7700B to Eth-Trunk 1, and GE0/0/3 and GE0/0/4 connecting AC2 to AC1 to Eth-
Trunk 2.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101 102 104
[AC2] interface eth-trunk 1
[AC2-Eth-Trunk1] port link-type trunk
[AC2-Eth-Trunk1] port trunk allow-pass vlan 100
[AC2-Eth-Trunk1] trunkport GigabitEthernet 0/0/1 0/0/2 //Add GE0/0/1 and GE0/0/2
connected to the core switch S7700B to Eth-Trunk 1.
[AC2-Eth-Trunk1] quit
[AC2] interface eth-trunk 2
[AC2-Eth-Trunk2] port link-type trunk
[AC2-Eth-Trunk2] port trunk allow-pass vlan 104
[AC2-Eth-Trunk2] trunkport GigabitEthernet 0/0/3 0/0/4 //Add GE0/0/3 and GE0/0/4
connected to AC1 to Eth-Trunk 2.
[AC2-Eth-Trunk2] quit

# Configure an IP address for AC2 to communicate with other NEs.


[AC2] interface vlanif 104
[AC2-Vlanif104] ip address 10.10.11.2 24 //Configure an IP address for VLANIF 104
for communicating with AC1 and transmitting backup data.
[AC2-Vlanif104] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 172.18.10.3 24
[AC2-Vlanif100] quit

# Configure a default route for AC2 so that packets are forwarded to core switches by default.
[AC2] ip route-static 0.0.0.0 0 172.18.10.6

Step 7 [Device] Configure the AP to go online.


# Create an AP group to which APs with the same configuration can be added.
[AC1] wlan
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name domain1
[AC1-wlan-regulatory-domain-prof-domain1] country-code cn
[AC1-wlan-regulatory-domain-prof-domain1] quit
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap_group] quit
[AC1-wlan-view] quit

# Configure the AC's source interface.


[AC1] capwap source ip-address 172.18.10.1

# Import the AP offline on the AC and add the AP to the AP group. This example assumes
that the AP type is AP6010DN-AGN, and the MAC addresses of AP_0 and AP_1 are
60de-4476-e360 and 60de-4476-e380 respectively.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name ap_0
[AC1-wlan-ap-0] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC1-wlan-ap-1] ap-name ap_1
[AC1-wlan-ap-1] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC1-wlan-ap-1] quit
[AC1-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC1] display ap all
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------------------
ID   MAC            Name Group    IP            Type         State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 ap_0 ap_group 172.18.10.254 AP6010DN-AGN nor   0   20S
1    60de-4476-e380 ap_1 ap_group 172.18.10.253 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 2

The configuration procedure for AC2 is the same as that for AC1, and details are not provided
here.
Step 8 [Device] Configure interconnection parameters for the AC and RADIUS server as well as the
AC and Portal server, so that the AC can associate with the RADIUS and Portal servers.
# On AC1, configure a RADIUS server template, and configure authentication, accounting,
and authorization schemes in the template.
[AC1] radius-server template radius_template
[AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80
//Configure a primary RADIUS authentication server with a higher weight than that
of the secondary authentication server.
//Set the authentication port to 1812 and the source IP address to communicate with
the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40
//Configure a secondary RADIUS authentication server with a lower weight than that
of the primary authentication server.
//Set the authentication port to 1812 and the source IP address to communicate with
the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80
//Configure a primary RADIUS accounting server with a higher weight than that of
the secondary accounting server to obtain user login and logout information.
//Set the accounting port to 1813 and the source IP address to communicate with the
RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.3 1813 source ip-address 172.18.10.1 weight 40
//Configure a secondary RADIUS accounting server with a lower weight than that of
the primary accounting server to obtain user login and logout information.
//Set the accounting port to 1813 and the source IP address to communicate with the
RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server shared-key cipher Admin@123 //
Configure a shared key for the RADIUS server.
[AC1-radius-radius_template] radius-server user-name original //Configure the AC
to send the user names entered by users to the RADIUS server.
[AC1-radius-radius_template] quit
[AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123 //
Configure a RADIUS authorization server so that the RADIUS server can deliver
authorization rules to the AC.
Set the shared key to Admin@123, which must be the same as that of the
authentication and accounting server.
[AC1] radius-server authorization 172.22.10.3 shared-key cipher Admin@123 //
Configure a RADIUS authorization server so that the RADIUS server can deliver
authorization rules to the AC.
//Set the shared key to Admin@123, which must be the same as that of the
authentication and accounting server.
//The access control device can process CoA/DM Request packets initiated by the
Agile Controller-Campus only after the authorization servers are configured.
//Authentication servers and authorization servers must have a one-to-one
mapping, that is, the number of authentication servers and authorization servers
must be the same.
//If not, the Agile Controller-Campus will fail to kick some users offline.
[AC1] aaa
[AC1-aaa] authentication-scheme auth_scheme
[AC1-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication
scheme to RADIUS.
[AC1-aaa-authen-auth_scheme] quit
[AC1-aaa] accounting-scheme acco_scheme
[AC1-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting
scheme to RADIUS.
//The RADIUS accounting scheme must be used so that the RADIUS server can
maintain account state information such as login/logout information and force
users to go offline.
[AC1-aaa-accounting-acco_scheme] accounting realtime 15 //Set the real-time
accounting interval to 15 minutes.
[AC1-aaa-accounting-acco_scheme] quit
[AC1-aaa] quit
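
The comments in this step require one authorization server per authentication server and the RADIUS accounting mode, otherwise the Agile Controller-Campus cannot force some users offline. The following Python check is an added example, not Huawei code: it reads a saved configuration or a pasted CLI transcript and reports violations of those rules. The finding codes, both sample texts and the placeholder shared key are constructed for illustration, and the accounting-server pairing check is an assumption derived from the service data plan.

```python
import re

PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")   # [AC1-aaa] or <AC1>
COMMENT = re.compile(r"(?:^|\s)//.*$")                   # trailing // remark
SERVER = re.compile(r"^radius-server (authentication|accounting) (\S+) (\d+)")
AUTHZ = re.compile(r"^radius-server authorization (\S+)")
ACCT_MODE = re.compile(r"^accounting-mode (\S+)")

# Constructed sample: the AC1 commands of this step as a saved configuration
# (remarks removed, shared key replaced by a placeholder).
GOOD_CONFIG = """\
radius-server template radius_template
 radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80
 radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40
 radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80
 radius-server accounting 172.22.10.3 1813 source ip-address 172.18.10.1 weight 40
radius-server authorization 172.22.10.2 shared-key cipher <placeholder-key>
radius-server authorization 172.22.10.3 shared-key cipher <placeholder-key>
aaa
 accounting-scheme acco_scheme
  accounting-mode radius
  accounting realtime 15
"""

# Constructed sample: a pasted transcript in which the secondary server has no
# authorization or accounting entry and accounting is switched off.
BAD_TRANSCRIPT = """\
[AC1] radius-server template radius_template
[AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80 //primary
[AC1-radius-radius_template] radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40
[AC1-radius-radius_template] radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80
[AC1-radius-radius_template] quit
[AC1] radius-server authorization 172.22.10.2 shared-key cipher <placeholder-key>
[AC1] aaa
[AC1-aaa] accounting-scheme acco_scheme
[AC1-aaa-accounting-acco_scheme] accounting-mode none
"""


def commands(text):
    """Yield bare commands; prompts and // remarks are stripped.

    Wrapped remark continuation lines survive as pseudo-commands, which is
    harmless because they match none of the patterns used by audit().
    """
    for raw in text.splitlines():
        line = COMMENT.sub("", PROMPT.sub("", raw)).strip()
        if line:
            yield line


def audit(text):
    """Return a list of (finding_code, detail) tuples; empty means consistent."""
    servers = {"authentication": set(), "accounting": set()}
    authz, modes = set(), []
    for cmd in commands(text):
        if (m := SERVER.match(cmd)):
            servers[m.group(1)].add(m.group(2))
        elif (m := AUTHZ.match(cmd)):
            authz.add(m.group(1))
        elif (m := ACCT_MODE.match(cmd)):
            modes.append(m.group(1))

    auth = servers["authentication"]
    findings = []
    # One-to-one mapping: CoA/DM requests are only processed from servers
    # that are also configured as authorization servers.
    findings += [("authz-missing", ip) for ip in sorted(auth - authz)]
    findings += [("authz-orphan", ip) for ip in sorted(authz - auth)]
    # Assumption from the data plan: each authentication server also accounts.
    findings += [("acct-missing", ip)
                 for ip in sorted(auth - servers["accounting"])]
    # RADIUS accounting is needed to track login/logout and force users offline.
    if not modes:
        findings.append(("acct-mode", "not configured"))
    findings += [("acct-mode", mode) for mode in modes if mode != "radius"]
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_TRANSCRIPT)):
        print(name, audit(text) or "consistent")
```
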

NOTE

The accounting realtime command sets the real-time accounting interval. A short real-time accounting
interval requires high performance of the device and RADIUS server. Set a real-time accounting interval
based on the user quantity.

Table 4-141 Accounting interval


User Quantity | Real-Time Accounting Interval
1 to 99 | 3 minutes
100 to 499 | 6 minutes
500 to 999 | 12 minutes
≥ 1000 | ≥ 15 minutes

# Check whether a user can use a RADIUS template for authentication. (User name test and
password Admin_123 have been configured on the RADIUS server.)
[AC1] test-aaa test Admin_123 radius-template radius_template pap
Info: Account test succeed.

# Configure Portal authentication for AC1.


1. Configure the URL of the primary Portal authentication page. When a user attempts to
access a website before authentication, the AC redirects the website to the primary Portal
server.
You are advised to configure the URL using a domain name to ensure secure and fast
page pushing. Before configuring the URL using a domain name, you must first
configure the mapping between the domain name and IP address of the Agile Controller-
Campus server on the DNS server.
[AC1] url-template name huawei1
[AC1-url-template-huawei1] url http://access1.example.com:8080/portal //
access1.example.com is the host name of the primary Portal server.

2. Configure parameters carried in the URL, which must be the same as those on the
authentication server.
[AC1-url-template-huawei1] url-parameter ssid ssid redirect-url url //
Specify the names of the parameters included in the URL. The parameter names
must be the same as those on the authentication server.
//The first ssid indicates that the URL contains the SSID field, and the
second ssid indicates the parameter name.
//For example, after ssid ssid is configured, the URL redirected to the user
contains ssid=guest, where ssid indicates the parameter name, and guest
indicates the SSID with which the user associates.
//The second ssid represents the transmitted parameter name only and cannot
be replaced with the actual user SSID.
//When the AC uses URL as the parameter name, the URL must be entered on the
Portal server to specify to which URL users' access request will be
redirected.
[AC1-url-template-huawei1] quit

3. Configure the URL of the secondary Portal authentication page. When the primary Portal
server is unavailable, the AC redirects the website that a user attempts to access to the
secondary Portal server.
[AC1] url-template name huawei2
[AC1-url-template-huawei2] url http://access2.example.com:8080/portal //
access2.example.com is the host name of the secondary Portal server.
[AC1-url-template-huawei2] url-parameter ssid ssid redirect-url url
[AC1-url-template-huawei2] quit

4. Specify the port number used to process Portal protocol packets. The default port number
is 2000. If you change the port number on the AC, set the same port number when you
add this AC to the Agile Controller-Campus.
[AC1] web-auth-server listening-port 2000

5. Configure a primary Portal server template, including configuring the IP address and
port number of the primary Portal server.
Set the destination port number in the packets sent to the Portal server to 50200. The
Portal server accepts packets with destination port 50200, but the AC uses port 50100 to
send packets to the Portal server by default. Therefore, you must change the port number
to 50200 on the AC so that the AC can communicate with the Portal server.
[AC1] web-auth-server portal_huawei1
[AC1-web-auth-server-portal_huawei1] server-ip 172.22.10.2 //Configure an IP
address for the primary Portal server.
[AC1-web-auth-server-portal_huawei1] source-ip 172.18.10.1 //Configure an IP
address for the device to communicate with the Portal server.
[AC1-web-auth-server-portal_huawei1] port 50200 //Set the destination port
number in the packets sent to the Portal server to 50200.

6. Configure the shared key used to communicate with the Portal server, which must be the
same as that on the Portal server. In addition, enable the AC to transmit encrypted URL
parameters to the Portal server.
[AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123 //Configure
the shared key used to communicate with the Portal server, which must be the
same as that on the Portal server.
[AC1-web-auth-server-portal_huawei1] url-template huawei1 //Bind the URL
template to the Portal server profile.

7. Enable the Portal server detection function.


After the Portal server detection function is enabled in the Portal server template, the
device detects all Portal servers configured in the Portal server template. If the number of
times that the device fails to detect a Portal server exceeds the upper limit, the status of
the Portal server is changed from Up to Down. If the number of Portal servers in Up state
is less than or equal to the minimum number (specified by the critical-num parameter),
the device performs the corresponding operation to allow the administrator to obtain the
real-time Portal server status. The detection interval cannot be shorter than 15s, and the
recommended value is 100s. The AC only supports Portal server detection but not Portal
escape.
[AC1-web-auth-server-portal_huawei1] server-detect interval 100 max-times 5 critical-num 0 action log

8. (Optional) Enable user information synchronization.


The user-sync command enables user information synchronization so that user
information on the device and Portal server is synchronized at intervals to ensure user
information consistency. Without synchronization, user information on the device and on
the Portal server may be inconsistent and accounting may be inaccurate. The user
information synchronization interval must be greater than 300s. (The Agile
Controller-Campus responds to probe packets of a switch or AC at an interval of 5
minutes.) If the synchronization interval is shorter than 300s, users may go offline
after passing authentication. You are advised to set the user information
synchronization interval to 500s, that is, set interval to 100 and max-times to 5.
[AC1-web-auth-server-portal_huawei1] user-sync interval 100 max-times 5
[AC1-web-auth-server-portal_huawei1] quit

9. Configure a secondary Portal server template, including configuring the IP address, port
number, and shared key of the secondary Portal server.
[AC1] web-auth-server portal_huawei2
[AC1-web-auth-server-portal_huawei2] server-ip 172.22.10.3 //Configure an IP
address for the secondary Portal server.
[AC1-web-auth-server-portal_huawei2] source-ip 172.18.10.1
[AC1-web-auth-server-portal_huawei2] port 50200
[AC1-web-auth-server-portal_huawei2] shared-key cipher Admin@123
[AC1-web-auth-server-portal_huawei2] url-template huawei2
[AC1-web-auth-server-portal_huawei2] server-detect interval 100 max-times 5 critical-num 0 action log
[AC1-web-auth-server-portal_huawei2] user-sync interval 100 max-times 5 //(Optional)
[AC1-web-auth-server-portal_huawei2] quit

# Enable the Portal authentication quiet period function. With this function enabled, the AC
drops packets of an authentication user during the quiet period if the user fails Portal
authentication for the specified number of times in 60 seconds. This function protects the AC
from overloading caused by frequent authentication.
[AC1] portal quiet-period
[AC1] portal quiet-times 5 //Set the maximum number of authentication failures
in 60 seconds before a Portal authentication is set to quiet state.
[AC1] portal timer quiet-period 240 //Set the quiet period to 240 seconds.

# Create a Portal access profile, and bind the Portal server template to it.
[AC1] portal-access-profile name acc_portal //Create a Portal access profile.
[AC1-portal-access-profile-acc_portal] web-auth-server portal_huawei1 portal_huawei2 direct //
Configure the primary and secondary Portal server templates used by the Portal
access profile. If the network between end users and the AC is a Layer 2 network,
configure the direct mode; if the network is a Layer 3 network, configure the
layer3 mode.
[AC1-portal-access-profile-acc_portal] quit

# Configure pre-authentication and post-authentication access rules for employees and guests.
[AC1] free-rule-template name default_free_rule
[AC1-free-rule-default_free_rule] free-rule 1 destination ip 172.22.10.4 mask 255.255.255.255 //
Configure a Portal authentication-free rule to allow users to connect to the DNS
server before authentication.
[AC1-free-rule-default_free_rule] quit
[AC1] acl 3001 //Configure the post-authentication domain for employees,
including the intranet and Internet.
[AC1-acl-adv-3001] rule 5 permit ip
[AC1-acl-adv-3001] quit
[AC1] acl 3002 //Configure the post-authentication domain for guests, including
the Internet.
[AC1-acl-adv-3002] rule 5 deny ip destination 172.22.10.5 0 //172.22.10.5 is
the company's server resource and cannot be accessed by guests.
[AC1-acl-adv-3002] rule 10 permit ip
[AC1-acl-adv-3002] quit

# Configure an authentication profile.
[AC1] authentication-profile name auth_portal
[AC1-authentication-profile-auth_portal] portal-access-profile acc_portal
[AC1-authentication-profile-auth_portal] authentication-scheme auth_scheme
[AC1-authentication-profile-auth_portal] accounting-scheme acco_scheme
[AC1-authentication-profile-auth_portal] radius-server radius_template
[AC1-authentication-profile-auth_portal] free-rule-template default_free_rule
[AC1-authentication-profile-auth_portal] quit

# Enable terminal type awareness to allow the ACs to send the option fields containing the
terminal type in DHCP packets to the authentication server. In this way, the authentication
server can push the correct Portal authentication pages to users based on their terminal types.
[AC1] dhcp snooping enable
[AC1] device-sensor dhcp option 12 55 60

# On AC2, configure a RADIUS server template, and configure authentication, accounting,
and authorization schemes in the template. The configuration procedure for AC2 is the same
as that for AC1, and details are not provided here.

Step 9 [Device] Set WLAN service parameters on AC.
# Create the security profile security_portal and set the security policy in the profile.
[AC1] wlan
[AC1-wlan-view] security-profile name security_portal
[AC1-wlan-sec-prof-security_portal] quit

# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to
employee and guest respectively.
[AC1-wlan-view] ssid-profile name wlan-ssid-employee
[AC1-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-employee] quit
[AC1-wlan-view] ssid-profile name wlan-ssid-guest
[AC1-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-guest] quit

# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data
forwarding mode and service VLANs, and apply the security, SSID, and authentication
profiles to the VAP profiles.
[AC1-wlan-view] vap-profile name wlan-vap-employee
[AC1-wlan-vap-prof-wlan-vap-employee] forward-mode direct-forward //Configure
direct forwarding for employees.
[AC1-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC1-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal //Bind
the authentication profile.
[AC1-wlan-vap-prof-wlan-vap-employee] quit
[AC1-wlan-view] vap-profile name wlan-vap-guest
[AC1-wlan-vap-prof-wlan-vap-guest] forward-mode tunnel //Configure tunnel
forwarding for guests.
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 102
[AC1-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC1-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal
[AC1-wlan-vap-prof-wlan-vap-guest] quit

# Bind the VAP profile to the AP groups and apply the VAP profile to radio 0 and radio 1 of
the AP.
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 0 //
Configure the 2.4 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 1 //
Configure the 5 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 0 //
Configure the 2.4 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 1 //
Configure the 5 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] quit

The configuration procedure for AC2 is the same as that for AC1, and details are not provided
here.

Step 10 [Device] Configure VRRP on AC1 to implement AC HSB.

# Set the recovery delay of a VRRP group to 30 seconds.
[AC1] vrrp recover-delay 30

# Create a management VRRP group on AC1. Set the priority of AC1 in the VRRP group to
120 and preemption delay to 1200s.
[AC1] interface vlanif 100
[AC1-Vlanif100] vrrp vrid 1 virtual-ip 172.18.10.1 //Configure a virtual IP
address for the management VRRP group.
[AC1-Vlanif100] vrrp vrid 1 priority 120 //Set the priority of AC1 in the VRRP
group.
[AC1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 1200 //Set the preemption
delay for AC1 in the VRRP group.
[AC1-Vlanif100] admin-vrrp vrid 1 //Configure vrid 1 as the mVRRP group.
[AC1-Vlanif100] quit

# Create HSB service 0 on AC1. Configure the IP addresses and port numbers for the active
and standby channels. Set the retransmission time and interval of HSB service 0.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.10.11.1 peer-ip 10.10.11.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit

# Create HSB group 0 on AC1, and bind it to HSB service 0 and the management VRRP
group.
[AC1] hsb-group 0
[AC1-hsb-group-0] bind-service 0
[AC1-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC1-hsb-group-0] quit

# Bind the NAC service to the HSB group.
[AC1] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.
[AC1] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.
[AC1] hsb-service-type dhcp hsb-group 0

# Enable HSB.
[AC1] hsb-group 0
[AC1-hsb-group-0] hsb enable
[AC1-hsb-group-0] quit

Step 11 [Device] Configure VRRP on AC2 to implement AC HSB.

# Set the recovery delay of a VRRP group to 30 seconds.
[AC2] vrrp recover-delay 30

# Create a management VRRP group on AC2.
[AC2] interface vlanif 100
[AC2-Vlanif100] vrrp vrid 1 virtual-ip 172.18.10.1 //Configure a virtual IP
address for the management VRRP group.
[AC2-Vlanif100] admin-vrrp vrid 1 //Configure vrid 1 as the mVRRP backup group.
[AC2-Vlanif100] quit

# Create HSB service 0 on AC2. Configure the IP addresses and port numbers for the active
and standby channels. Set the retransmission time and interval of HSB service 0.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.10.11.2 peer-ip 10.10.11.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit

# Create HSB group 0 on AC2 and bind it to HSB service 0 and the management VRRP
group.
[AC2] hsb-group 0
[AC2-hsb-group-0] bind-service 0
[AC2-hsb-group-0] track vrrp vrid 1 interface vlanif 100
[AC2-hsb-group-0] quit

# Bind the NAC service to the HSB group.
[AC2] hsb-service-type access-user hsb-group 0

# Bind the WLAN service to the HSB group.
[AC2] hsb-service-type ap hsb-group 0

# Bind the DHCP service to the HSB group.
[AC2] hsb-service-type dhcp hsb-group 0

# Enable HSB.
[AC2] hsb-group 0
[AC2-hsb-group-0] hsb enable
[AC2-hsb-group-0] quit

Step 12 [Device] Verify the VRRP configuration.

# After the configurations are complete, run the display vrrp command on AC1 and AC2.
The State field of AC1 is displayed as Master and that of AC2 is displayed as Backup.
[AC1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 172.18.10.1
Master IP : 172.18.10.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 1200 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 01:25:55 UTC+08:00
Last change time : 2005-07-31 02:48:22 UTC+08:00

[AC2] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 172.18.10.1
Master IP : 172.18.10.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : admin-vrrp
Backup-forward : disabled
Create time : 2005-07-31 02:11:07 UTC+08:00
Last change time : 2005-07-31 03:40:45 UTC+08:00

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status.
The value of the Service State field is Connected, indicating that the active and standby HSB
channels have been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.1
Peer IP Address : 10.10.11.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.2
Peer IP Address : 10.10.11.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
----------------------------------------------------------

# Run the display hsb-group 0 command on AC1 and AC2 to check the HSB group status.
[AC1] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Master
Group Status : Active
Group Backup Process : Realtime
Peer Group Device Type : AC6605
Peer Group Software Version : V200R006C20
Group Backup Modules : Access-user
AP
DHCP
----------------------------------------------------------
[AC2] display hsb-group 0
Hot Standby Group Information:
----------------------------------------------------------
HSB-group ID : 0
Vrrp Group ID : 1
Vrrp Interface : Vlanif100
Service Index : 0
Group Vrrp Status : Backup
Group Status : Inactive
Group Backup Process : Realtime
Peer Group Device Type : AC6605
Peer Group Software Version : V200R006C20
Group Backup Modules : Access-user
DHCP
AP
----------------------------------------------------------

Step 13 [Agile Controller-Campus] Add the AC to the Service Manager to enable the Agile
Controller-Campus to manage the AC.
1. Choose Resource > Device > Device Management.
2. Click Add.
3. Configure parameters for the AC.

| Parameter | Value | Description |
|---|---|---|
| Name | AC | - |
| IP address | 172.18.10.1 | The AC interface with this IP address must be able to communicate with the Service Controller. |
| Enable RADIUS | Select | - |
| Authentication/Accounting key | Admin@123 | [AC1-radius-radius_template] radius-server shared-key cipher Admin@123 |
| Authorization key | Admin@123 | [AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123 |
| Real-time accounting interval (minute) | 15 | [AC1-aaa-accounting-acco_scheme] accounting realtime 15 |
| Enable Portal | Select | - |
| Port | 2000 | This is the port that the AC uses to communicate with the Portal server. Retain the default value. |
| Portal key | Admin@123 | [AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123 |
| Access terminal IP list | 172.20.0.0/24;172.21.0.0/24 | You need to add the IP addresses of all the terminals that go online through Portal authentication to the access terminal IP list. After the Portal server receives the account and password submitted by an end user, it searches for an access control device based on the terminal's IP address and allows the terminal to go online from the target access control device. If the IP address pool of the access control device does not include the terminal IP address, the Portal server cannot find an access control device to grant network access permission to the terminal, causing the terminal login failure. |
| Enable heartbeat between access device and Portal server | Selected | When detecting that the primary Portal server is unavailable, the access device automatically connects to the secondary Portal server. The Portal server can send heartbeat packets to the access device only when Enable heartbeat between access device and Portal server is selected and the Portal server's IP address has been added to Portal server IP list. The access device then periodically detects heartbeat packets of the Portal server to determine the Portal server status and synchronize user information from the Portal server. The server-detect and user-sync commands must have been configured in the Portal server view on the access device. |
| Portal server IP list | 172.22.10.2;172.22.10.3 | - |

4. Click OK.

Step 14 [Agile Controller-Campus] Add SSIDs on the Agile Controller-Campus, so that the Agile
Controller-Campus can authorize users through the SSIDs.
1. Choose Policy > Permission Control > Policy Element > SSID.
2. Click Add and add SSIDs for employees and guests.
The SSIDs must be the same as those configured on the AC.

Step 15 [Agile Controller-Campus] Configure authorization results and rules to grant different access
rights to employees and guests after they are successfully authenticated.
1. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and add authorization ACLs for employees and guests.
The ACL numbers must be the same as those configured on the authentication control
device.
2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and bind the authorization result to specify resources accessible to
employees and guests after successful authentication.
3. Modify the default authorization rule by changing the authorization result to Deny
Access.
Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click on the right of Default Authorization Rule. Change
the value of Authorization Result to Deny Access.

----End
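
The limits stated in the steps above can be checked before the commands are entered on the devices: destination port 50200 in each Portal server template, a server-detect interval of at least 15s, a user-sync period (interval multiplied by max-times) greater than 300s, and HSB channel addresses that mirror each other on AC1 and AC2. The following Python script is an added example, not part of the Huawei document; the indented script layout, the sample text and all function names are assumptions made for the example.

```python
# Added example, not Huawei code. The layout (unindented header, indented
# sub-commands) and all function names are assumptions.

# Constructed sample built from the AC1 commands in this section.
AC1 = """\
interface vlanif 100
 vrrp vrid 1 virtual-ip 172.18.10.1
web-auth-server portal_huawei1
 server-ip 172.22.10.2
 source-ip 172.18.10.1
 port 50200
 server-detect interval 100 max-times 5 critical-num 0 action log
 user-sync interval 100 max-times 5
web-auth-server portal_huawei2
 server-ip 172.22.10.3
 source-ip 172.18.10.1
 port 50200
 server-detect interval 100 max-times 5 critical-num 0 action log
 user-sync interval 100 max-times 5
hsb-service 0
 service-ip-port local-ip 10.10.11.1 peer-ip 10.10.11.2 local-data-port 10241 peer-data-port 10241
"""
# AC2: same Portal templates and virtual IP, HSB addresses swapped.
AC2 = AC1.replace("local-ip 10.10.11.1 peer-ip 10.10.11.2",
                  "local-ip 10.10.11.2 peer-ip 10.10.11.1")


def parse_sections(text):
    """Map each unindented header line to the indented lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def find(cmds, prefix):
    """First sub-command that starts with prefix, or None."""
    return next((c for c in cmds if c.startswith(prefix)), None)


def value(cmd, key):
    """Token that follows key in a command line, or None."""
    toks = cmd.split()
    return toks[toks.index(key) + 1] if key in toks[:-1] else None


def lint_portal(sections):
    """Check every Portal server template against the limits in the text."""
    out = []
    for name, cmds in sections.items():
        if not name.startswith("web-auth-server ") or "listening-port" in name:
            continue
        port = find(cmds, "port ")
        if port is None or value(port, "port") != "50200":
            out.append(f"{name}: destination port must be 50200")
        detect = find(cmds, "server-detect ")
        if detect is None:
            out.append(f"{name}: server-detect is not configured")
        elif int(value(detect, "interval") or 0) < 15:
            out.append(f"{name}: server-detect interval is shorter than 15s")
        sync = find(cmds, "user-sync ")  # optional command
        if sync is not None:
            period = (int(value(sync, "interval") or 0)
                      * int(value(sync, "max-times") or 0))
            if period <= 300:
                out.append(f"{name}: user-sync period {period}s is not greater than 300s")
    return out


def lint_pair(text_a, text_b):
    """Lint both ACs, then compare the HSB channel and the VRRP virtual IP."""
    a, b = parse_sections(text_a), parse_sections(text_b)
    out = [f"AC1 {m}" for m in lint_portal(a)] + [f"AC2 {m}" for m in lint_portal(b)]
    ha = find(a.get("hsb-service 0", []), "service-ip-port ")
    hb = find(b.get("hsb-service 0", []), "service-ip-port ")
    if ha is None or hb is None:
        out.append("hsb-service 0: service-ip-port is missing on one AC")
    else:
        for mine, theirs in (("local-ip", "peer-ip"), ("peer-ip", "local-ip"),
                             ("local-data-port", "peer-data-port"),
                             ("peer-data-port", "local-data-port")):
            if value(ha, mine) != value(hb, theirs):
                out.append(f"hsb-service 0: AC1 {mine} does not match AC2 {theirs}")
    va = find(a.get("interface vlanif 100", []), "vrrp vrid 1 virtual-ip ")
    vb = find(b.get("interface vlanif 100", []), "vrrp vrid 1 virtual-ip ")
    if va is None or va != vb:
        out.append("vlanif 100: VRRP virtual IP differs between the ACs")
    return out


if __name__ == "__main__":
    print(lint_pair(AC1, AC2) or "no findings")
    short_sync = AC2.replace("user-sync interval 100", "user-sync interval 50")
    for message in lint_pair(AC1, short_sync):
        print(message)
```

The script is meant for command scripts as typed; a saved configuration stores shared keys as ciphertext and may lay out sections differently.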

Verification
If a terminal uses Internet Explorer 8 for Portal authentication, the following configuration
must be completed for the browser. Otherwise, the Portal authentication page cannot be
displayed.
1. Choose Tools > Internet Options.
2. Select options related to Use TLS on the Advanced tab.
3. Click OK.

| Item | Expected Result |
|---|---|
| Employee authentication | User account tony (employee account) can only access the Agile Controller-Campus server and DNS server before authentication. |
| | When the employee connects to the Wi-Fi hotspot employee using a computer and attempts to visit the Internet, the default authentication page is pushed to the user. After the employee enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically. |
| | After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user tony is online. |
| | On the Service Manager, choose Resource > User > Online User Management. The user tony is displayed in the list of online users. |
| | On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user tony. |
| Guest authentication | User account susan (guest account) can only access the Agile Controller-Campus server and DNS server before authentication. |
| | When the guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to visit the Internet, the guest authentication page is pushed to the user. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically. |
| | User account susan cannot access internal servers of the company. |
| | After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user susan is online. |
| | On the Service Manager, choose Resource > User > Online User Management. The user susan is displayed in the list of online users. |
| | On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user susan. |
| AC1 power-off | Services are automatically switched to AC2, without affecting employee and guest authentication. The process is not detected by user terminals. |
| SC power-off | After the network cable of a Service Controller is disconnected, employees and guests are re-authenticated and go online. Their access rights are normal. |
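
The expected result that guest account susan cannot access internal servers depends on ACL 3002 configured on AC1. The following Python script is an added example, not part of the Huawei document; it evaluates ACLs 3001 and 3002 in ascending rule-ID order (assumed here to be the match order in use) with wildcard matching, and the function names and the Internet address 203.0.113.10 are constructed for the example.

```python
import ipaddress

# Rules copied from the AC1 configuration in this section.
ACL_3001 = ["rule 5 permit ip"]
ACL_3002 = ["rule 5 deny ip destination 172.22.10.5 0", "rule 10 permit ip"]
# Constructed variant with the rule IDs exchanged, to show why order matters.
MISORDERED = ["rule 5 permit ip", "rule 10 deny ip destination 172.22.10.5 0"]


def parse_rule(line):
    """Parse 'rule <id> permit|deny ip [destination <address> <wildcard>]'."""
    tok = line.split()
    rule = {"id": int(tok[1]), "action": tok[2], "dst": None}
    if "destination" in tok:
        i = tok.index("destination")
        address = int(ipaddress.IPv4Address(tok[i + 1]))
        # A wildcard of 0 stands for 0.0.0.0: every bit must match (one host).
        raw = tok[i + 2]
        wildcard = int(ipaddress.IPv4Address(raw)) if "." in raw else int(raw)
        rule["dst"] = (address, wildcard)
    return rule


def evaluate(acl_lines, dst_ip):
    """Return (action, rule id) of the first rule that matches dst_ip."""
    dst = int(ipaddress.IPv4Address(dst_ip))
    for rule in sorted(map(parse_rule, acl_lines), key=lambda r: r["id"]):
        if rule["dst"] is None:          # 'permit ip' / 'deny ip' match any packet
            return rule["action"], rule["id"]
        address, wildcard = rule["dst"]
        care = ~wildcard & 0xFFFFFFFF    # wildcard bits set to 1 are ignored
        if (dst & care) == (address & care):
            return rule["action"], rule["id"]
    return None, None                    # no rule matched


def guest_report():
    """Evaluate ACL 3002 for servers from the data plan and one Internet host."""
    targets = {
        "company server": "172.22.10.5",
        "DNS server": "172.22.10.4",
        "Internet host (constructed)": "203.0.113.10",
    }
    return {name: evaluate(ACL_3002, ip) for name, ip in targets.items()}


if __name__ == "__main__":
    for name, result in guest_report().items():
        print(f"guest -> {name}: {result}")
    # Every destination other than 172.22.10.5 falls through to rule 10.
    print("employee -> company server:", evaluate(ACL_3001, "172.22.10.5"))
    # With the IDs exchanged, the permit rule matches first and the deny is never reached.
    print("misordered -> company server:", evaluate(MISORDERED, "172.22.10.5"))
```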

Summary and Suggestions
- The authentication key, accounting key, and Portal key must be kept consistent on the
ACs and Agile Controller-Campus. The accounting interval set on the Agile
Controller-Campus must also be the same as that on the ACs.
- Authorization rules or Portal page push rules are matched in descending order of priority
(ascending order of rule numbers). If the authorization condition or Portal push condition
of a user matches a rule, the Agile Controller-Campus does not check the subsequent
rules. Therefore, it is recommended that you set higher priorities for the rules defining
more precise conditions and set lower priorities for the rules defining fuzzy conditions.
- The RADIUS accounting function is configured on the ACs to enable the Agile
Controller-Campus to obtain online user information by exchanging accounting packets
with the AC. The Agile Controller-Campus does not support the real accounting
function. If accounting is required, use a third-party accounting server.

4.19.10 Example for Configuring Portal Authentication for Wireless Users in an AC Dual-Link Backup Environment
This example illustrates how to configure AC dual-link backup to improve network reliability.

Involved Products and Versions


| Product Type | Product Name | Version |
|---|---|---|
| Agile Controller-Campus | Agile Controller-Campus | V100R002C10 |
| WLAN AC | AC6605 | V200R006C20 |
| Access switch | S2750EI | V200R008C00 |
| Aggregation switch | S5720HI | V200R008C00 |
| Core switch | S7700 | V200R008C00 |

Networking Requirements
A company needs to deploy an authentication system to implement access control for
employees who attempt to connect to the enterprise network. Only authenticated users can
connect to the enterprise network.
The company has the following requirements:
- All employees do office work and visit the Internet through the wireless network and
require a reliable network.
- A unified identity authentication mechanism is used to authenticate all terminals
attempting to connect to the campus network and deny access from unauthorized
terminals.
- Employees can connect only to the DNS server and Agile Controller-Campus of the
company before authentication, and can connect to both the intranet and Internet after
being authenticated.
- Guests can access the DNS server and Agile Controller-Campus of the company before
authentication, and can access the Internet after they are successfully authenticated.

Figure 4-97 Networking of Portal authentication for wireless users in an AC dual-link backup
environment

Requirement Analysis
Considering the networking and requirements of the company, Portal authentication based on
the Agile Controller-Campus can be used on the campus network. You need to configure
different ACL rules on the ACs to control access rights of employees.
Based on user requirements, the networking shown in Figure 4-97 is used, and networking
analysis is performed as follows:
- ACs are deployed in dual-link backup mode. HSB links are used to connect AC1 and
AC2 to determine the active and standby ACs, ensuring reliability of WLAN services.
- User data traffic is forwarded in direct mode, ensuring AC performance upon a large
amount of user data and ensuring network reliability.

VLAN Plan

Table 4-142 VLAN plan


| VLAN ID | Function |
|---|---|
| 100 | mVLAN for the AP |
| 101 | Service VLAN for employees |
| 102 | Service VLAN for guests |
| 103 | VLAN for communication between the aggregation and core switches |
| 104 | VLAN for communication between the core switch and servers |
| 105 | Backup VLAN of ACs |

Network Data Plan

Table 4-143 Network data plan


| Item | No. | Interface Number | VLAN | IP address | Description |
|---|---|---|---|---|---|
| Access switch S2750EI | (1) | GE0/0/1 | 100, 101 | - | Connected to the AP |
| | (2) | GE0/0/2 | 100, 101, 102 | - | Connected to the aggregation switch S5720HI |
| | (3) | GE0/0/3 | 100, 102 | - | Connected to APs |
| Aggregation switch S5720HI | (4) | GE0/0/1 | 100, 101, 102 | VLANIF 100: 172.18.10.3/16; VLANIF 101: 172.19.10.1/16; VLANIF 102: 172.20.10.1/16 | Connected to the access switch S2750EI. VLANIF 100 as the AP's gateway. VLANIF 101 as the gateway for employees. VLANIF 102 as the gateway for guests. |
| | (5) | GE0/0/2 | 100, 105 | - | Connected to AC1 |
| | (6) | GE0/0/3 | 100, 105 | - | Connected to AC2 |
| | (7) | GE0/0/4 | 103 | VLANIF 103: 172.21.10.1/24 | Connected to the core switch S7700 |
| AC1 | (8) | GE0/0/1 | 100, 105 | VLANIF 100: 172.18.10.1/24; VLANIF 105: 10.10.11.1/24 | Connected to the aggregation switch S5720HI |
| AC2 | (9) | GE0/0/1 | 100, 105 | VLANIF 100: 172.18.10.2/24; VLANIF 105: 10.10.11.2/24 | Connected to the aggregation switch S5720HI |
| Core switch S7700 | (10) | GE1/0/1 | 103 | 172.21.10.2/24 | Connected to the S5720HI |
| | (11) | GE1/0/2 | 104 | 172.22.10.1 | Gateway for servers |
| Server | SM + SC1 (RADIUS server + Portal server) | | | 172.22.10.2 | - |
| | SC2 (RADIUS server + Portal server) | | | 172.22.10.3 | - |
| | DNS server | | | 172.22.10.4 | - |
| | Company server | | | 172.22.10.5 | - |

Service Data Plan

Table 4-144 Service data plan


| Item | Data | Description |
|---|---|---|
| AC | Number of the ACL for employees' post-authentication domain: 3001. SSID of the employee area: employee | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus. |
| AC | Number of the ACL for guests' post-authentication domain: 3002. SSID: guest | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus. |
| AC | RADIUS authentication server: primary IP address 172.22.10.2; secondary IP address 172.22.10.3; port number 1812; shared key Admin@123 | The Service Controller of the Agile Controller-Campus provides RADIUS server and Portal server functions; therefore, IP addresses of the authentication server, accounting server, authorization server, and Portal server are all the IP address of the Service Controller. |
| AC | RADIUS accounting server: primary IP address 172.22.10.2; secondary IP address 172.22.10.3; port number 1813; shared key Admin@123; accounting interval 15 minutes | Configure a RADIUS accounting server to obtain user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server. |
| AC | RADIUS authorization server: primary IP address 172.22.10.2; secondary IP address 172.22.10.3; shared key Admin@123 | Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as those of the authentication server and accounting server. |
| AC | Portal server: primary IP address 172.22.10.2; secondary IP address 172.22.10.3; port number that the AC uses to listen on Portal protocol packets 2000; destination port number in the packets that the AC sends to the Portal server 50200; shared key Admin@123; encryption key for the URL parameters that the AC sends to the Portal server Admin@123 | - |
| Agile Controller-Campus | Authentication port: 1812 | - |
| Agile Controller-Campus | Accounting port: 1813 | - |
| Agile Controller-Campus | RADIUS shared key: Admin@123 | It must be the same as the RADIUS shared key configured on the AC. |
| Agile Controller-Campus | Port number of the Portal server: 50200 | - |
| Agile Controller-Campus | Portal key: Admin@123 | It must be the same as the Portal key configured on the AC. |
| Agile Controller-Campus | Department: Employee (account: tony; password: Admin@123). Department: Guest (account: susan; password: Admin@123) | Department Employee, employee account tony, and guest account susan have been created on the Agile Controller-Campus. |
| Pre-authentication domain | SM + SC1 (RADIUS server + Portal server), SC2 (RADIUS server + Portal server), and DNS server | - |
| Post-authentication domain for employees | Internal servers and Internet | - |
| Post-authentication domain for guests | Internet | - |

Configuration Roadmap
1. Configure the access switch, aggregation switch, and ACs to ensure network
connectivity.
2. On the ACs, configure a RADIUS server template, configure authentication, accounting,
and authorization schemes in the template, and specify the IP address of the Portal
server. In this way, the ACs can communicate with the RADIUS server and Portal server.
3. Configure dual-link backup for ACs to ensure reliability of WLAN services.
4. Add ACs to the Service Manager and configure parameters for the ACs to ensure that the
Agile Controller-Campus can manage the ACs.
5. Add authorization results and rules to grant different access rights to employees after
they are successfully authenticated.


Procedure
Step 1 [Device] Configure the access switch S2750EI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan batch 100 101 102 //Create VLAN 100, VLAN 101 and VLAN 102 in a batch.
[S2700] interface gigabitethernet 0/0/1 //Enter the view of the interface connected to the AP.
[S2700-GigabitEthernet0/0/1] port link-type trunk //Change the link type of gigabitethernet0/0/1 to trunk.
[S2700-GigabitEthernet0/0/1] port trunk pvid vlan 100 //Set the default VLAN of gigabitethernet0/0/1 to VLAN 100.
[S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102 //Add gigabitethernet0/0/1 to VLAN 100, VLAN 101 and VLAN 102.
[S2700-GigabitEthernet0/0/1] quit
[S2700] interface gigabitethernet 0/0/2 //Enter the view of the interface connected to the aggregation switch.
[S2700-GigabitEthernet0/0/2] port link-type trunk //Change the link type of gigabitethernet0/0/2 to trunk.
[S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102 //Add gigabitethernet0/0/2 to VLAN 100, VLAN 101 and VLAN 102.
[S2700-GigabitEthernet0/0/2] quit
[S2700] interface gigabitethernet 0/0/3 //Enter the view of the interface connected to AP1.
[S2700-GigabitEthernet0/0/3] port link-type trunk //Change the link type of gigabitethernet0/0/3 to trunk.
[S2700-GigabitEthernet0/0/3] port trunk pvid vlan 100 //Set the default VLAN of gigabitethernet0/0/3 to VLAN 100.
[S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101 102 //Add gigabitethernet0/0/3 to VLAN 100, VLAN 101 and VLAN 102.
[S2700-GigabitEthernet0/0/3] quit
[S2700] quit
<S2700> save //Save the configuration.

Step 2 [Device] Configure the aggregation switch S5720HI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S5700
[S5700] vlan batch 100 101 102 105 //Create VLAN 100, VLAN 101, VLAN 102 and VLAN 105 in a batch.
[S5700] interface vlanif 100 //Enter the view of VLANIF 100.
[S5700-Vlanif100] ip address 172.18.10.3 16 //Configure an IP address for VLANIF 100 as the AP's gateway.
[S5700-Vlanif100] dhcp select interface
[S5700-Vlanif100] dhcp server excluded-ip-address 172.18.10.1 172.18.10.2 //Exclude IP addresses in use from the DHCP address pool.
[S5700-Vlanif100] quit
[S5700] interface vlanif 101 //Enter the view of VLANIF 101.
[S5700-Vlanif101] ip address 172.19.10.1 16 //Configure an IP address for VLANIF 101 as the gateway for employees.
[S5700-Vlanif101] dhcp select interface
[S5700-Vlanif101] dhcp server dns-list 172.22.10.4 //Configure the DNS server address.
[S5700-Vlanif101] quit
[S5700] interface vlanif 102 //Enter the view of VLANIF 102.
[S5700-Vlanif102] ip address 172.20.10.1 16 //Configure an IP address for VLANIF 102 as the gateway for guests.
[S5700-Vlanif102] dhcp select interface
[S5700-Vlanif102] dhcp server dns-list 172.22.10.4 //Configure the DNS server address.
[S5700-Vlanif102] quit
[S5700] interface gigabitethernet 0/0/1 //Enter the view of the interface connected to the access switch.
[S5700-GigabitEthernet0/0/1] port link-type trunk //Change the link type of gigabitethernet0/0/1 to trunk.
[S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102 //Add gigabitethernet0/0/1 to VLAN 100, VLAN 101 and VLAN 102.
[S5700-GigabitEthernet0/0/1] quit
[S5700] interface gigabitethernet 0/0/2 //Enter the view of the interface connected to AC1.
[S5700-GigabitEthernet0/0/2] port link-type trunk //Change the link type of gigabitethernet0/0/2 to trunk.
[S5700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 105 //Add gigabitethernet0/0/2 to VLAN 100 and VLAN 105.
[S5700-GigabitEthernet0/0/2] quit
[S5700] interface gigabitethernet 0/0/3 //Enter the view of the interface connected to AC2.
[S5700-GigabitEthernet0/0/3] port link-type trunk //Change the link type of gigabitethernet0/0/3 to trunk.
[S5700-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 105 //Add gigabitethernet0/0/3 to VLAN 100 and VLAN 105.
[S5700-GigabitEthernet0/0/3] quit
[S5700] ip route-static 172.22.10.0 255.255.255.0 172.21.10.2 //Configure a static route to the server zone through the core switch.
[S5700] quit
<S5700> save //Save the configuration.

Step 3 [Device] Configure the core switch S7700 to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700
[S7700] vlan batch 103 104 //Create VLAN 103 and VLAN 104 in a batch.
[S7700] interface gigabitethernet 1/0/1 //Enter the view of the interface connected to the aggregation switch.
[S7700-GigabitEthernet1/0/1] port link-type trunk
[S7700-GigabitEthernet1/0/1] port trunk allow-pass vlan 103
[S7700-GigabitEthernet1/0/1] quit
[S7700] interface vlanif 103
[S7700-Vlanif103] ip address 172.21.10.2 255.255.255.0
[S7700-Vlanif103] quit
[S7700] interface gigabitethernet 1/0/2 //Enter the view of the interface connected to the server zone.
[S7700-GigabitEthernet1/0/2] port link-type access
[S7700-GigabitEthernet1/0/2] port default vlan 104 //Configure VLAN 104 as the default VLAN for the gigabitethernet1/0/2 interface.
[S7700-GigabitEthernet1/0/2] quit
[S7700] interface vlanif 104
[S7700-Vlanif104] ip address 172.22.10.1 255.255.255.0 //Configure a gateway IP address for the server zone.
[S7700-Vlanif104] quit
[S7700] ip route-static 172.19.0.0 255.255.0.0 172.21.10.1 //Configure a static route to the employees' network segment (VLANIF 101, 172.19.10.1/16).
[S7700] ip route-static 172.20.0.0 255.255.0.0 172.21.10.1 //Configure a static route to the guests' network segment (VLANIF 102, 172.20.10.1/16).
[S7700] quit
<S7700> save //Save the configuration.

Step 4 [Device] Configure the ACs to ensure network connectivity.


# On AC1, ensure network connectivity, and add GE0/0/1 connecting to the S5720HI to
VLAN 100 and VLAN 105.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 105
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 105
[AC1-GigabitEthernet0/0/1] quit

# Configure an IP address for AC1 to communicate with other NEs.


[AC1] interface vlanif 105
[AC1-Vlanif105] ip address 10.10.11.1 24 //Configure an IP address for VLANIF 105 for communicating with AC2 and transmitting backup data.
[AC1-Vlanif105] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 172.18.10.1 24 //Configure an IP address for VLANIF 100 for communicating with servers and managing the AP.
[AC1-Vlanif100] quit


# Configure a default route for AC1 so that packets are forwarded to the routing gateway by
default.
[AC1] ip route-static 0.0.0.0 0 172.18.10.3

# On AC2, ensure network connectivity, and add GE0/0/1 connecting to the S5720HI to
VLAN 100 and VLAN 105.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 105
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 105
[AC2-GigabitEthernet0/0/1] quit

# Configure an IP address for AC2 to communicate with other NEs.


[AC2] interface vlanif 105
[AC2-Vlanif105] ip address 10.10.11.2 24 //Configure an IP address for VLANIF 105 for communicating with AC1 and transmitting backup data.
[AC2-Vlanif105] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 172.18.10.2 24 //Configure an IP address for VLANIF 100 for communicating with servers and managing the AP.
[AC2-Vlanif100] quit

# Configure a default route for AC2 so that packets are forwarded to the routing gateway by
default.
[AC2] ip route-static 0.0.0.0 0 172.18.10.3

Step 5 [Device] Configure the AP to go online.


# Create an AP group to which APs with the same configuration can be added.
[AC1] wlan
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name domain1
[AC1-wlan-regulatory-domain-prof-domain1] country-code cn
[AC1-wlan-regulatory-domain-prof-domain1] quit
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap_group] quit
[AC1-wlan-view] quit

# Configure the AC's source interface.


[AC1] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group. This example assumes
that the AP type is AP6010DN-AGN, and the MAC addresses of AP_0 and AP_1 are
60de-4476-e360 and 60de-4476-e380 respectively.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name ap_0
[AC1-wlan-ap-0] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will, clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC1-wlan-ap-1] ap-name ap_1
[AC1-wlan-ap-1] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will, clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-1] quit
[AC1-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC1] display ap all
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------------------
ID   MAC            Name Group    IP            Type         State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 ap_0 ap_group 172.18.10.254 AP6010DN-AGN nor   0   20S
1    60de-4476-e380 ap_1 ap_group 172.18.10.253 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 2

The configuration of AC2 is the same as that of AC1 and is not provided here.
Step 6 [Device] Configure interconnection parameters for the AC and RADIUS server as well as the
AC and Portal server, so that the AC can associate with the RADIUS and Portal servers.
# On AC1, configure a RADIUS server template, and configure authentication, accounting,
and authorization schemes in the template.
[AC1] radius-server template radius_template
[AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80
//Configure a primary RADIUS authentication server with a higher weight than that of the secondary authentication server.
//Set the authentication port to 1812 and the source IP address to communicate with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40
//Configure a secondary RADIUS authentication server with a lower weight than that of the primary authentication server.
//Set the authentication port to 1812 and the source IP address to communicate with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80
//Configure a primary RADIUS accounting server with a higher weight than that of the secondary accounting server to obtain user login and logout information.
//Set the accounting port to 1813 and the source IP address to communicate with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.3 1813 source ip-address 172.18.10.1 weight 40
//Configure a secondary RADIUS accounting server with a lower weight than that of the primary accounting server to obtain user login and logout information.
//Set the accounting port to 1813 and the source IP address to communicate with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server shared-key cipher Admin@123 //Configure a shared key for the RADIUS server.
[AC1-radius-radius_template] radius-server user-name original //Configure the AC to send the user names entered by users to the RADIUS server.
[AC1-radius-radius_template] quit
[AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123
//Configure a RADIUS authorization server so that the RADIUS server can deliver authorization rules to the AC.
//Set the shared key to Admin@123, which must be the same as that of the authentication and accounting server.
[AC1] radius-server authorization 172.22.10.3 shared-key cipher Admin@123
//Configure a RADIUS authorization server so that the RADIUS server can deliver authorization rules to the AC.
//Set the shared key to Admin@123, which must be the same as that of the authentication and accounting server.
//The access control device can process CoA/DM Request packets initiated by the Agile Controller-Campus only after the authorization servers are configured.
//Authentication servers and authorization servers must have a one-to-one mapping, that is, the number of authentication servers and authorization servers must be the same.
//If not, the Agile Controller-Campus will fail to kick some users offline.
[AC1] aaa
[AC1-aaa] authentication-scheme auth_scheme
[AC1-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication scheme to RADIUS.
[AC1-aaa-authen-auth_scheme] quit
[AC1-aaa] accounting-scheme acco_scheme
[AC1-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting scheme to RADIUS.
//The RADIUS accounting scheme must be used so that the RADIUS server can maintain account state information such as login/logout information and force users to go offline.
[AC1-aaa-accounting-acco_scheme] accounting realtime 15 //Set the real-time accounting interval to 15 minutes.
[AC1-aaa-accounting-acco_scheme] quit
[AC1-aaa] quit

NOTE

The accounting realtime command sets the real-time accounting interval. A short real-time accounting
interval requires high performance of the device and RADIUS server. Set a real-time accounting interval
based on the user quantity.

Table 4-145 Accounting interval

| User Quantity | Real-Time Accounting Interval |
|---|---|
| 1 to 99 | 3 minutes |
| 100 to 499 | 6 minutes |
| 500 to 999 | 12 minutes |
| ≥ 1000 | ≥ 15 minutes |

# Check whether a user can use a RADIUS template for authentication. (User name test and
password Admin_123 have been configured on the RADIUS server.)
[AC1] test-aaa test Admin_123 radius-template radius_template pap
Info: Account test succeed.
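
The RADIUS comments above state two consistency rules: authentication and authorization servers must map one-to-one, and the authorization shared key must equal the template's key. The following check is an added example, not part of the Huawei guide; it audits the commands as typed (a saved configuration stores cipher keys encrypted, so the key comparison only works on the provisioning script), and the function names and the faulty variant are constructed for illustration.

```python
import re

DOC_SAMPLE_KEY = "Admin@123"  # shared key printed in this guide's data plan

# Constructed input: the AC1 RADIUS commands from this step, prompts removed.
TEMPLATE = """\
radius-server template radius_template
 radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80
 radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40
 radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80
 radius-server accounting 172.22.10.3 1813 source ip-address 172.18.10.1 weight 40
 radius-server shared-key cipher Admin@123
"""
AC1_AS_DOCUMENTED = TEMPLATE + (
    "radius-server authorization 172.22.10.2 shared-key cipher Admin@123\n"
    "radius-server authorization 172.22.10.3 shared-key cipher Admin@123\n"
)
# Constructed faulty variant: second authorization server forgotten and the
# key of the first one mistyped.
AC1_FAULTY = TEMPLATE + (
    "radius-server authorization 172.22.10.2 shared-key cipher Admin@124\n"
)

AUTH_RE = re.compile(r"radius-server authentication (\S+) (\d+)\b")
ACCT_RE = re.compile(r"radius-server accounting (\S+) (\d+)\b")
KEY_RE = re.compile(r"radius-server shared-key cipher (\S+)$")
AUTHZ_RE = re.compile(r"radius-server authorization (\S+) shared-key cipher (\S+)$")


def parse(text):
    """Collect RADIUS servers and keys from typed commands."""
    cfg = {"auth": {}, "acct": {}, "key": None, "authz": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := AUTH_RE.match(line):
            cfg["auth"][m[1]] = int(m[2])
        elif m := ACCT_RE.match(line):
            cfg["acct"][m[1]] = int(m[2])
        elif m := KEY_RE.match(line):
            cfg["key"] = m[1]
        elif m := AUTHZ_RE.match(line):
            cfg["authz"][m[1]] = m[2]
    return cfg


def audit(text):
    """Return a list of (finding, detail) tuples; empty means consistent."""
    cfg = parse(text)
    findings = []
    # One-to-one mapping: a missing authorization server means CoA/DM requests
    # from that server are not processed, so some users cannot be kicked offline.
    for ip in sorted(set(cfg["auth"]) - set(cfg["authz"])):
        findings.append(("AUTHZ_MISSING", ip))
    for ip in sorted(set(cfg["authz"]) - set(cfg["auth"])):
        findings.append(("AUTHZ_EXTRA", ip))
    # The authorization key must equal the authentication/accounting key.
    for ip, key in sorted(cfg["authz"].items()):
        if key != cfg["key"]:
            findings.append(("KEY_MISMATCH", ip))
    # The key printed in public documentation is not a secret; flag it so it
    # is replaced with a site-specific value before deployment.
    if DOC_SAMPLE_KEY in {cfg["key"], *cfg["authz"].values()}:
        findings.append(("SAMPLE_KEY", DOC_SAMPLE_KEY))
    return findings


if __name__ == "__main__":
    for name, text in (("as documented", AC1_AS_DOCUMENTED), ("faulty", AC1_FAULTY)):
        print(name, audit(text))
```
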

# On AC2, configure a RADIUS server template, and configure authentication, accounting,
and authorization schemes in the template. The RADIUS authentication configuration of AC2
is the same as that of AC1 and is not provided here. However, when setting the source IP
address for AC2 in the RADIUS server template, set the source IP address of AC2 to
172.18.10.1.

# Configure Portal authentication for AC1.


1. Configure the URL of the primary Portal authentication page. When a user attempts to
access a website before authentication, the AC redirects the website to the primary Portal
server.
You are advised to configure the URL using a domain name to ensure secure and fast
page pushing. Before configuring the URL using a domain name, you must first
configure the mapping between the domain name and IP address of the Agile Controller-
Campus server on the DNS server.
[AC1] url-template name huawei1
[AC1-url-template-huawei1] url http://access1.example.com:8080/portal //access1.example.com is the host name of the primary Portal server.

2. Configure parameters carried in the URL, which must be the same as those on the
authentication server.
[AC1-url-template-huawei1] url-parameter ssid ssid redirect-url url
//Specify the names of the parameters included in the URL. The parameter names must be the same as those on the authentication server.
//The first ssid indicates that the URL contains the SSID field, and the second ssid indicates the parameter name.
//For example, after ssid ssid is configured, the URL redirected to the user contains ssid=guest, where ssid indicates the parameter name, and guest indicates the SSID with which the user associates.
//The second ssid represents the transmitted parameter name only and cannot be replaced with the actual user SSID.
//When the AC uses url as the parameter name, url must be entered on the Portal server to specify to which URL users' access requests will be redirected.
[AC1-url-template-huawei1] quit

3. Configure the URL of the secondary Portal authentication page. When the primary Portal
server is unavailable, the AC redirects the website that a user attempts to access to the
secondary Portal server.
[AC1] url-template name huawei2
[AC1-url-template-huawei2] url http://access2.example.com:8080/portal //access2.example.com is the host name of the secondary Portal server.
[AC1-url-template-huawei2] url-parameter ssid ssid redirect-url url
[AC1-url-template-huawei2] quit

4. Specify the port number used to process Portal protocol packets. The default port number
is 2000. If you change the port number on the AC, set the same port number when you
add this AC to the Agile Controller-Campus.
[AC1] web-auth-server listening-port 2000

5. Configure a primary Portal server template, including configuring the IP address and
port number of the primary Portal server.
Set the destination port number in the packets sent to the Portal server to 50200. The
Portal server accepts packets with destination port 50200, but the AC uses port 50100 to
send packets to the Portal server by default. Therefore, you must change the port number
to 50200 on the AC so that the AC can communicate with the Portal server.
[AC1] web-auth-server portal_huawei1
[AC1-web-auth-server-portal_huawei1] server-ip 172.22.10.2 //Configure an IP address for the primary Portal server.
[AC1-web-auth-server-portal_huawei1] source-ip 172.18.10.1 //Configure an IP address for the device to communicate with the Portal server.
[AC1-web-auth-server-portal_huawei1] port 50200 //Set the destination port number in the packets sent to the Portal server to 50200.

6. Configure the shared key used to communicate with the Portal server, which must be the
same as that on the Portal server. In addition, enable the AC to transmit encrypted URL
parameters to the Portal server.
[AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123 //Configure the shared key used to communicate with the Portal server, which must be the same as that on the Portal server.
[AC1-web-auth-server-portal_huawei1] url-template huawei1 //Bind the URL template to the Portal server profile.

7. Enable the Portal server detection function.


After the Portal server detection function is enabled in the Portal server template, the
device detects all Portal servers configured in the Portal server template. If the number of
times that the device fails to detect a Portal server exceeds the upper limit, the status of
the Portal server is changed from Up to Down. If the number of Portal servers in Up state
is less than or equal to the minimum number (specified by the critical-num parameter),
the device performs the corresponding operation to allow the administrator to obtain the
real-time Portal server status. The detection interval cannot be shorter than 15s, and the
recommended value is 100s. The AC only supports Portal server detection but not Portal
escape.
[AC1-web-auth-server-portal_huawei1] server-detect interval 100 max-times 5 critical-num 0 action log

8. (Optional) Enable user information synchronization.


The user-sync command enables user information synchronization so that user
information on the device and Portal server is synchronized at intervals to ensure user
information consistency. Without synchronization, user information on the device and on
the Portal server may be inconsistent and accounting may be inaccurate. The user
information synchronization interval must be greater than 300s. (The Agile Controller-Campus
responds to probe packets of a switch or AC at an interval of 5 minutes.) If the
synchronization interval is shorter than 300s, users may go offline after passing
authentication. You are advised to set the user information synchronization interval to
500s, that is, set interval to 100 and max-times to 5.
[AC1-web-auth-server-portal_huawei1] user-sync interval 100 max-times 5
[AC1-web-auth-server-portal_huawei1] quit

9. Configure a secondary Portal server template, including configuring the IP address, port
number, and shared key of the secondary Portal server.
[AC1] web-auth-server portal_huawei2
[AC1-web-auth-server-portal_huawei2] server-ip 172.22.10.3 //Configure an IP
address for the secondary Portal server.
[AC1-web-auth-server-portal_huawei2] source-ip 172.18.10.1
[AC1-web-auth-server-portal_huawei2] port 50200
[AC1-web-auth-server-portal_huawei2] shared-key cipher Admin@123
[AC1-web-auth-server-portal_huawei2] url-template huawei2
[AC1-web-auth-server-portal_huawei2] server-detect interval 100 max-times 5 critical-num 0 action log
[AC1-web-auth-server-portal_huawei2] user-sync interval 100 max-times 5 //(Optional) Enable user information synchronization.
[AC1-web-auth-server-portal_huawei2] quit

# Enable the Portal authentication quiet period function. With this function enabled, the AC
drops packets of an authentication user during the quiet period if the user fails Portal
authentication for the specified number of times in 60 seconds. This function protects the AC
from overloading caused by frequent authentication.
[AC1] portal quiet-period
[AC1] portal quiet-times 5 //Set the maximum number of authentication failures in 60 seconds before a Portal authentication user is set to quiet state.
[AC1] portal timer quiet-period 240 //Set the quiet period to 240 seconds.

# Create a Portal access profile, and bind the Portal server template to it.
[AC1] portal-access-profile name acc_portal //Create a Portal access profile.
[AC1-portal-access-profile-acc_portal] web-auth-server portal_huawei1 portal_huawei2 direct
//Configure the primary and secondary Portal server templates used by the Portal access profile.
//If the network between end users and the AC is a Layer 2 network, configure the direct mode; if the network is a Layer 3 network, configure the layer3 mode.
[AC1-portal-access-profile-acc_portal] quit

# Configure pre-authentication and post-authentication access rules for users.
[AC1] free-rule-template name default_free_rule
[AC1-free-rule-default_free_rule] free-rule 1 destination ip 172.22.10.4 mask 255.255.255.255 //Configure a Portal authentication-free rule to allow users to connect to the DNS server before authentication.
[AC1-free-rule-default_free_rule] quit
[AC1] acl 3001 //Configure the post-authentication domain for employees, including the intranet and Internet.
[AC1-acl-adv-3001] rule 5 permit ip
[AC1-acl-adv-3001] quit
[AC1] acl 3002 //Configure the post-authentication domain for guests, including the Internet.
[AC1-acl-adv-3002] rule 5 deny ip destination 172.22.10.5 0 //172.22.10.5 is the company's server resource and cannot be accessed by guests.
[AC1-acl-adv-3002] rule 10 permit ip
[AC1-acl-adv-3002] quit
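
ACL 3002 above denies one host and then permits all other IP traffic, so it is worth checking which addresses from the network data plan a guest can still reach after authentication. The following evaluator is an added example, not part of the Huawei guide; it assumes rules are matched in ascending rule-ID order with the first match winning and that a wildcard bit of 1 means "ignore this bit". ACL_3002_TIGHT, the function names and the 203.0.113.10 Internet address are constructed for comparison.

```python
import ipaddress
import re

# ACL 3002 exactly as configured above (guests' post-authentication domain).
ACL_3002 = """
rule 5 deny ip destination 172.22.10.5 0
rule 10 permit ip
"""

# Constructed alternative for comparison (an assumption, not from the guide):
# allow DNS, deny the private ranges the data plan draws its addresses from
# (172.16.0.0/12 and 10.0.0.0/8), then permit the rest. Anything else guests
# still need inside those ranges must be permitted before rule 5.
ACL_3002_TIGHT = """
rule 3 permit ip destination 172.22.10.4 0
rule 5 deny ip destination 172.16.0.0 0.15.255.255
rule 6 deny ip destination 10.0.0.0 0.255.255.255
rule 10 permit ip
"""

# Destinations from the network data plan, plus one constructed Internet host.
PLAN = {
    "SM + SC1 (RADIUS/Portal)": "172.22.10.2",
    "SC2 (RADIUS/Portal)": "172.22.10.3",
    "DNS server": "172.22.10.4",
    "Company server": "172.22.10.5",
    "AC1 VLANIF 100": "172.18.10.1",
    "AC1 VLANIF 105 (HSB)": "10.10.11.1",
    "Employee gateway": "172.19.10.1",
    "Internet host (constructed)": "203.0.113.10",
}

RULE_RE = re.compile(
    r"rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+destination\s+(?P<addr>\S+)\s+(?P<wild>\S+))?\s*$"
)


def parse_acl(text):
    """Return rules as (rule_id, action, address, wildcard), sorted by rule ID."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule: {line!r}")
        if m["addr"] is None:
            addr, wild = 0, 0xFFFFFFFF  # no destination clause: any address
        else:
            addr = int(ipaddress.IPv4Address(m["addr"]))
            # A wildcard written as "0" means an exact host match.
            wild = 0 if m["wild"] == "0" else int(ipaddress.IPv4Address(m["wild"]))
        rules.append((int(m["id"]), m["action"], addr, wild))
    return sorted(rules)


def evaluate(rules, destination):
    """Return (rule_id, action) of the first matching rule, or None."""
    dst = int(ipaddress.IPv4Address(destination))
    for rule_id, action, addr, wild in rules:
        care = ~wild & 0xFFFFFFFF  # bits that must match
        if dst & care == addr & care:
            return rule_id, action
    return None


def audit(acl_text, plan=PLAN):
    """Map each planned destination to the action the ACL takes for it."""
    rules = parse_acl(acl_text)
    result = {}
    for name, ip in plan.items():
        hit = evaluate(rules, ip)
        result[name] = hit[1] if hit else "no-match"
    return result


if __name__ == "__main__":
    for title, acl in (("ACL 3002", ACL_3002), ("tightened", ACL_3002_TIGHT)):
        print(title)
        for name, action in audit(acl).items():
            print(f"  {action:7} {name}")
```

With ACL 3002 as configured, only the company server is denied; the RADIUS/Portal servers, the AC management address and the employee gateway all fall through to rule 10.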

# Configure an authentication profile.


[AC1] authentication-profile name auth_portal
[AC1-authentication-profile-auth_portal] portal-access-profile acc_portal
[AC1-authentication-profile-auth_portal] authentication-scheme auth_scheme
[AC1-authentication-profile-auth_portal] accounting-scheme acco_scheme
[AC1-authentication-profile-auth_portal] radius-server radius_template
[AC1-authentication-profile-auth_portal] free-rule-template default_free_rule
[AC1-authentication-profile-auth_portal] quit

# Enable terminal type awareness to allow the ACs to send the option fields containing the
terminal type in DHCP packets to the authentication server. In this way, the authentication
server can push the correct Portal authentication pages to users based on their terminal types.
[AC1] dhcp snooping enable
[AC1] device-sensor dhcp option 12 55 60

# The Portal authentication configuration of AC2 is the same as that of AC1 and is not
provided here. However, when setting the source IP address for AC2 in the Portal server
template, set the source IP address of AC2 to 172.18.10.1.
Step 7 [Device] Set WLAN service parameters on the ACs.
# Create the security profile security_portal and set the security policy in the profile.
[AC1] wlan
[AC1-wlan-view] security-profile name security_portal
[AC1-wlan-sec-prof-security_portal] quit

# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to
employee and guest respectively.
[AC1-wlan-view] ssid-profile name wlan-ssid-employee
[AC1-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-employee] quit
[AC1-wlan-view] ssid-profile name wlan-ssid-guest
[AC1-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-guest] quit

# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data
forwarding mode and service VLANs, and apply the security, SSID, and authentication
profiles to the VAP profiles.
[AC1-wlan-view] vap-profile name wlan-vap-employee
[AC1-wlan-vap-prof-wlan-vap-employee] forward-mode direct-forward //Configure direct forwarding for employees.
[AC1-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC1-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal //Bind the authentication profile.
[AC1-wlan-vap-prof-wlan-vap-employee] quit
[AC1-wlan-view] vap-profile name wlan-vap-guest
[AC1-wlan-vap-prof-wlan-vap-guest] forward-mode direct-forward //Configure direct forwarding for guests.
[AC1-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 102
[AC1-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC1-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal
[AC1-wlan-vap-prof-wlan-vap-guest] quit

# Bind the VAP profile to the AP groups and apply the VAP profile to radio 0 and radio 1 of
the AP.
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 0 //Configure the 2.4 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 1 //Configure the 5 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 0 //Configure the 2.4 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 1 //Configure the 5 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] quit

# The WLAN service parameters configuration of AC2 is the same as that of AC1 and is not
provided here.
Step 8 [Device] Configure dual-link backup on AC1 to implement HSB.
# Configure the IP address of AC2 and the AC1 priority to implement dual-link backup.
[AC1] wlan
[AC1-wlan-view] wlan ac protect enable
Warning: This operation maybe cause ap reset or client down, continue?[Y/N]:y
[AC1-wlan-view] wlan ac protect protect-ac 172.18.10.2 priority 2
Warning: Operation successful. It will take effect after AP reset.

# Restart the AP on AC1 and deliver the dual-link backup configuration to the AP.
[AC1-wlan-view] ap-reset all
Warning: Reset AP (s), continue?[Y/N]:y
[AC1-wlan-view] quit

# Create HSB service 0 on AC1. Configure the IP addresses and port numbers for the active
and standby channels. Set the retransmission time and interval of HSB service 0.
[AC1] hsb-service 0
[AC1-hsb-service-0] service-ip-port local-ip 10.10.11.1 peer-ip 10.10.11.2 local-data-port 10241 peer-data-port 10241
[AC1-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC1-hsb-service-0] quit

# Bind the NAC service to the HSB service.


[AC1] hsb-service-type access-user hsb-service 0

# Bind the WLAN service to the HSB service.


[AC1] hsb-service-type ap hsb-service 0

Step 9 [Device] Configure dual-link backup on AC2 to implement HSB.


# Configure the IP address of AC1 and the AC2 priority to implement dual-link backup.

[AC2] wlan
[AC2-wlan-view] wlan ac protect enable
Warning: This operation maybe cause ap reset or client down, continue?[Y/N]:y
[AC2-wlan-view] wlan ac protect protect-ac 172.18.10.1 priority 5
Warning: Operation successful. It will take effect after AP reset.
[AC2-wlan-view] quit

# Create HSB service 0 on AC2. Configure the IP addresses and port numbers for the active
and standby channels. Set the retransmission time and interval of HSB service 0.
[AC2] hsb-service 0
[AC2-hsb-service-0] service-ip-port local-ip 10.10.11.2 peer-ip 10.10.11.1 local-data-port 10241 peer-data-port 10241
[AC2-hsb-service-0] service-keep-alive detect retransmit 3 interval 6
[AC2-hsb-service-0] quit

# Bind the NAC service to the HSB service.


[AC2] hsb-service-type access-user hsb-service 0

# Bind the WLAN service to the HSB service.


[AC2] hsb-service-type ap hsb-service 0

Step 10 [Device] Verify the dual-link configuration.


# After the configurations are complete, run the display ac protect command on AC1 and
AC2 to view dual-link backup information.
[AC1] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 172.18.10.2
Priority : 2
Protect restore : enable
Coldbackup kickoff station: disable
------------------------------------------------------------
[AC2] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 172.18.10.1
Priority : 5
Protect restore : enable
Coldbackup kickoff station: disable
------------------------------------------------------------

# Run the display hsb-service 0 command on AC1 and AC2 to check the HSB service status.
The value of the Service State field is Connected, indicating that the active and standby HSB
channels have been established.
[AC1] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.1
Peer IP Address : 10.10.11.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
----------------------------------------------------------
[AC2] display hsb-service 0
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.2
Peer IP Address : 10.10.11.1
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
----------------------------------------------------------
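The verification in Step 10 can be scripted so that both ACs are checked against each other rather than read by eye. The following is an added example, not part of the Huawei guide: it parses the `display ac protect` and `display hsb-service 0` output shown above (embedded here as captured text) and reports any field where the two sides disagree. The function names and the `source_ip` key are assumptions of this sketch.

```python
"""Cross-check dual-link backup and HSB state from two ACs' display output."""


def parse_fields(text):
    """Turn 'Key : Value' lines of display output into a dict."""
    fields = {}
    for line in text.splitlines():
        if set(line.strip()) <= {"-"}:      # blank line or separator rule
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_pair(ac_a, ac_b):
    """Return a list of findings; an empty list means both sides agree.

    Each argument is a dict with the keys name, source_ip (the address the
    peer names in 'wlan ac protect protect-ac'), protect and hsb (captured text).
    """
    findings = []
    for me, peer in ((ac_a, ac_b), (ac_b, ac_a)):
        prot, hsb = parse_fields(me["protect"]), parse_fields(me["hsb"])
        peer_hsb = parse_fields(peer["hsb"])
        name = me["name"]
        if prot.get("Protect state") != "enable":
            findings.append(f"{name}: dual-link backup is not enabled")
        if prot.get("Protect AC") != peer["source_ip"]:
            findings.append(f"{name}: Protect AC is {prot.get('Protect AC')}, "
                            f"expected {peer['source_ip']}")
        if hsb.get("Service State") != "Connected":
            findings.append(f"{name}: HSB Service State is {hsb.get('Service State')}")
        if hsb.get("Peer IP Address") != peer_hsb.get("Local IP Address"):
            findings.append(f"{name}: HSB peer IP does not match the local IP on {peer['name']}")
        if hsb.get("Destination Port") != peer_hsb.get("Source Port"):
            findings.append(f"{name}: HSB destination port does not match "
                            f"the source port on {peer['name']}")
    # Keep-alive parameters that differ between the two ends are reported for review.
    hsb_a, hsb_b = parse_fields(ac_a["hsb"]), parse_fields(ac_b["hsb"])
    for key in ("Keep Alive Times", "Keep Alive Interval"):
        if hsb_a.get(key) != hsb_b.get(key):
            findings.append(f"{key} differs: {hsb_a.get(key)} vs {hsb_b.get(key)}")
    return findings


# Captured text copied from the Step 10 output above.
AC1 = {
    "name": "AC1",
    "source_ip": "172.18.10.1",
    "protect": """\
------------------------------------------------------------
Protect state : enable
Protect AC : 172.18.10.2
Priority : 2
Protect restore : enable
Coldbackup kickoff station: disable
------------------------------------------------------------
""",
    "hsb": """\
Hot Standby Service Information:
----------------------------------------------------------
Local IP Address : 10.10.11.1
Peer IP Address : 10.10.11.2
Source Port : 10241
Destination Port : 10241
Keep Alive Times : 2
Keep Alive Interval : 1
Service State : Connected
Service Batch Modules :
----------------------------------------------------------
""",
}
AC2 = {
    "name": "AC2",
    "source_ip": "172.18.10.2",
    "protect": AC1["protect"].replace("172.18.10.2", "172.18.10.1")
                             .replace("Priority : 2", "Priority : 5"),
    "hsb": AC1["hsb"].replace("Local IP Address : 10.10.11.1", "Local IP Address : 10.10.11.2")
                     .replace("Peer IP Address : 10.10.11.2", "Peer IP Address : 10.10.11.1"),
}

if __name__ == "__main__":
    for finding in audit_pair(AC1, AC2) or ["dual-link backup and HSB are consistent"]:
        print(finding)
```

A non-empty result before a planned failover test means user state would not be backed up to the standby AC, so authenticated users could be forced to log in again after a switchover.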

Step 11 [Agile Controller-Campus] Add the AC to the Service Manager to enable the Agile
Controller-Campus to manage the AC.
1. Choose Resource > Device > Device Management.
2. Click Add.
3. Configure parameters for the AC.

| Parameter | Value | Description |
|---|---|---|
| Name | AC | - |
| IP address | 172.18.10.1 | The AC1 interface with this IP address must be able to communicate with the Service Controller. |
| Enable RADIUS | Select | - |
| Standby device IP address | 172.18.10.2 | The AC2 interface with this IP address must be able to communicate with the Service Controller. |
| Authentication/Accounting key | Admin@123 | [AC1-radius-radius_template] radius-server shared-key cipher Admin@123 |
| Authorization key | Admin@123 | [AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123 |
| Real-time accounting interval (minute) | 15 | [AC1-aaa-accounting-acco_scheme] accounting realtime 15 |
| Enable Portal | Selected | - |
| Port | 2000 | This is the port that the AC uses to communicate with the Portal server. Retain the default value. |
| Portal key | Admin@123 | [AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123 |
| Access terminal IP list | 172.19.10.1/16;172.20.10.1/16 | You need to add the IP addresses of all the terminals that go online through Portal authentication to the access terminal IP list. After the Portal server receives the account and password submitted by an end user, it searches for an access control device based on the terminal's IP address and allows the terminal to go online from the target access control device. If the IP address pool of the access control device does not include the terminal IP address, the Portal server cannot find an access control device to grant network access permission to the terminal, causing the terminal login failure. |
| Enable heartbeat between access device and Portal server | Select | The Portal server can send heartbeat packets to the access device only when Enable heartbeat between access device and Portal server is selected and the Portal server's IP address has been added to Portal server IP list. The access device then periodically detects heartbeat packets of the Portal server to determine the Portal server status and synchronize user information from the Portal server. The server-detect and user-sync commands must have been configured in the Portal server view on the access device. |
| Portal server IP list | 172.22.10.2;172.22.10.3 | See the description of Enable heartbeat between access device and Portal server. |

4. Click OK.

Step 12 [Agile Controller-Campus] Add SSIDs on the Agile Controller-Campus, so that the Agile
Controller-Campus can authorize users through the SSIDs.
1. Choose Policy > Permission Control > Policy Element > SSID.

2. Click Add and add SSIDs for employees and guests.


The SSIDs must be the same as those configured on the AC.

Step 13 [Agile Controller-Campus] Configure authorization results and rules to grant different access
rights to employees and guests after they are successfully authenticated.
1. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and add authorization ACLs for employees and guests.
The ACL numbers must be the same as those configured on the authentication control
device.

2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and bind the authorization result to specify resources accessible to
employees and guests after successful authentication.

3. Modify the default authorization rule by changing the authorization result to Deny
Access.
Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click on the right of Default Authorization Rule. Change
the value of Authorization Result to Deny Access.

----End

Verification
If a terminal uses Internet Explorer 8 for Portal authentication, the following configuration
must be completed for the browser. Otherwise, the Portal authentication page cannot be
displayed.
1. Choose Tools > Internet Options.
2. Select options related to Use TLS on the Advanced tab.

3. Click OK.

Item: Employee authentication
Expected result:
- User account tony (employee account) can only access the Agile Controller-Campus server and DNS server before authentication.
- When the employee connects to the Wi-Fi hotspot employee using a computer and attempts to visit the Internet, the employee authentication page is pushed to the user. After the employee enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
- After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user tony is online.
- On the Service Manager, choose Resource > User > Online User Management. The user tony is displayed in the list of online users.
- On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user tony.

Item: Guest authentication
Expected result:
- User account susan (guest account) can only access the Agile Controller-Campus server and DNS server before authentication.
- When the guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to visit the Internet, the guest authentication page is pushed to the user. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
- User account susan cannot access internal servers of the company.
- After the authentication succeeds, run the display access-user command on the AC. The command output shows that the user susan is online.
- On the Service Manager, choose Resource > User > Online User Management. The user susan is displayed in the list of online users.
- On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS authentication log for the user susan.

Item: AC1 power-off
Expected result: Services are automatically switched to AC2, without affecting employee authentication. The process is not detected by user terminals.

Summary and Suggestions


- The authentication key, accounting key, and Portal key must be kept consistent on the ACs and Agile Controller-Campus. The accounting interval set on the Agile Controller-Campus must also be the same as that on the ACs.
- Authorization rules are matched in descending order of priority (ascending order of rule numbers). If the authorization condition of a user matches a rule, the Agile Controller-Campus does not check the subsequent rules. Therefore, it is recommended that you set higher priorities for the rules defining more precise conditions and set lower priorities for the rules defining fuzzy conditions.
- The RADIUS accounting function is configured on the ACs to enable the Agile Controller-Campus to obtain online user information by exchanging accounting packets with the AC. The Agile Controller-Campus does not support the real accounting function. If accounting is required, use a third-party accounting server.
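The rule-ordering advice above has a direct access-control consequence: a fuzzy rule placed ahead of a precise one silently decides the result for every user the precise rule was written for. The following added example (not Agile Controller-Campus code) models first-match evaluation with the default rule set to Deny Access and flags rules that can never fire. The attribute names (`auth_mode`, `ssid`, `department`), the rule names and the `Rule` class are assumptions of this sketch; the accounts and ACL numbers 3001 and 3002 follow the examples on this page.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    number: int                 # lower number = higher priority, as stated above
    name: str                   # hypothetical rule name
    result: str                 # authorization result bound to the rule
    conditions: dict = field(default_factory=dict)  # attribute -> required value


# Step 13 changes the default rule's result to Deny Access.
DEFAULT_RULE = Rule(10**6, "Default Authorization Rule", "Deny Access")


def authorize(rules, user):
    """Return the first rule, in ascending number order, whose conditions all hold."""
    for rule in sorted(rules, key=lambda r: r.number):
        if all(user.get(attr) == want for attr, want in rule.conditions.items()):
            return rule
    return DEFAULT_RULE


def shadowed(rules):
    """Return (rule, earlier_rule) pairs where rule can never be reached.

    If every condition of an earlier rule also appears in a later rule, the
    earlier rule matches every user the later one would, so the later rule
    is dead and the earlier rule's result applies instead.
    """
    ordered = sorted(rules, key=lambda r: r.number)
    hits = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.conditions.items() <= later.conditions.items():
                hits.append((later.name, earlier.name))
                break
    return hits


# Constructed users; the third one matches no precise rule.
TONY = {"account": "tony", "auth_mode": "portal", "ssid": "employee", "department": "Employee"}
SUSAN = {"account": "susan", "auth_mode": "portal", "ssid": "guest", "department": "Guest"}
STRANGER = {"account": "visitor1", "auth_mode": "portal", "ssid": "guest", "department": "Contractor"}

GUEST = {"auth_mode": "portal", "ssid": "guest", "department": "Guest"}
EMPLOYEE = {"auth_mode": "portal", "ssid": "employee", "department": "Employee"}

# Misordered: the fuzzy rule has the highest priority and grants the employee ACL.
MISORDERED = [
    Rule(1, "portal_users", "ACL 3001", {"auth_mode": "portal"}),
    Rule(2, "guest_ssid", "ACL 3002", GUEST),
]

# Corrected: only precise rules; everything else falls through to Deny Access.
CORRECTED = [
    Rule(1, "guest_ssid", "ACL 3002", GUEST),
    Rule(2, "employee_ssid", "ACL 3001", EMPLOYEE),
]

if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, "shadowed rules:", shadowed(rules))
        for user in (TONY, SUSAN, STRANGER):
            print("  ", user["account"], "->", authorize(rules, user).result)
```

With the misordered set, the guest account receives the employee ACL and the guest rule is reported as shadowed; with the corrected set, each account gets its own ACL and the unmatched user is denied.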

4.19.11 Example for Configuring Portal Authentication for Wireless Users in an AC N+1 Environment
This example illustrates how to configure Portal authentication on an AC N+1 network. The
RADIUS server and Portal server are both deployed in a two-node cluster, improving network
access reliability.

Involved Products and Versions


| Product Type | Product Name | Version |
|---|---|---|
| Agile Controller-Campus | Agile Controller-Campus | V100R002C10 |
| WLAN AC | AC6605 | V200R006C20 |
| Access switch | S2750EI | V200R008C00 |
| Aggregation switch | S5720HI | V200R008C00 |
| Core switch | S7700 | V200R008C00 |

Networking Requirements
A company has about 5000 employees and needs to deploy an authentication system to
implement access control for all the wireless users who attempt to connect to the enterprise
network. Only authenticated users can connect to the enterprise network.
The company has the following requirements:
- A unified identity authentication mechanism is used to authenticate all terminals attempting to connect to the campus network and deny access from unauthorized terminals.
- Employees and guests access the campus network using different SSIDs.
- Employees use laptops to access the network, and guests use mobile terminals to access the network.
- Employees can connect only to the DNS server, DHCP server, and Agile Controller-Campus of the company before authentication, and can connect to both the intranet and Internet after being authenticated.
- Guests can connect only to the DNS server, DHCP server, and Agile Controller-Campus of the company before authentication, and can connect only to the Internet after being authenticated.
- There are three ACs on the network. Two ACs are deployed as the active ACs, and one as the standby AC to improve network reliability.

Figure 4-98 Networking of Portal authentication for wireless users in N+1 mode

Requirement Analysis
- Given the company's networking and requirements, and because there is no specific requirement for terminal security checks, Portal authentication can be used on the campus network to authenticate employees and guests, with authentication points deployed on the ACs.
- It is recommended that authentication packets be forwarded in tunnel mode and user data packets be forwarded in local mode to reduce the burden on the ACs.

VLAN Plan

Table 4-146 VLAN plan


| VLAN ID | Function |
|---|---|
| 100 | mVLAN for APs |
| 101 | Service VLAN for employees |
| 102 | Service VLAN for guests |
| 103 | VLAN for connecting the core switch to the server domain |

Network Data Plan

Table 4-147 Network data plan


| Item | No. | Interface Number | VLAN | IP address | Description |
|---|---|---|---|---|---|
| Access switch S2750EI | (1) | GE0/0/1 | 100, 101, and 102 | - | Connected to the AP in the guest area |
| Access switch S2750EI | (2) | GE0/0/2 | 100, 101, and 102 | - | Connected to the AP in the guest area |
| Access switch S2750EI | (3) | GE0/0/3 | 100, 101, and 102 | - | Connected to the aggregation switch S5720HI |
| Aggregation switch S5720HI | (4) | GE0/0/1 | 100, 101, and 102 | - | Connected to the access switch S2750EI |
| Aggregation switch S5720HI | (5) | GE0/0/2 | 100, 101, and 102 | - | Connected to the core switch S7700 |
| Aggregation switch S5720HI | (6) | GE0/0/3 | 100 | - | Connected to AC1 |
| Aggregation switch S5720HI | (7) | GE0/0/4 | 100 | - | Connected to AC2 |
| Aggregation switch S5720HI | (8) | GE0/0/5 | 100 | - | Connected to AC3 |
| AC1 | (9) | GE0/0/1 | 100 | VLANIF 100: 172.18.10.1 | Connected to the S5720HI |
| AC2 | (10) | GE0/0/1 | 100 | VLANIF 100: 172.18.10.2 | Connected to the S5720HI |
| AC3 | (11) | GE0/0/1 | 100 | VLANIF 100: 172.18.10.3 | Connected to the S5720HI |
| S7700 | (12) | GE1/0/1 | 100, 101, and 102 | VLANIF 100: 172.18.10.4; VLANIF 101: 172.20.10.1; VLANIF 102: 172.19.10.1 | Connected to the S5720HI. VLANIF 100 for communicating with ACs and as the gateway for APs; VLANIF 101 as the gateway for employees; VLANIF 102 as the gateway for guests |
| S7700 | (13) | GE1/0/2 | 103 | VLANIF 103: 172.22.10.1 | Connected to the server domain |

| Server | IP address | Description |
|---|---|---|
| SM + SC1 (RADIUS server + Portal server) | 172.22.10.2 | - |
| SC2 (RADIUS server + Portal server) | 172.22.10.3 | - |
| DNS server | 172.22.10.4 | - |
| DHCP server | 172.22.10.6 | IP address pool: IP address range for APs: 172.18.10.0/24; IP address range for employees: 172.20.0.0/16; IP address range for guests: 172.19.0.0/16 |
| Internal server | 172.22.10.5 | - |

Service Data Plan

Table 4-148 Service data plan


| Item | Data | Description |
|---|---|---|
| AC | Number of the ACL for employees' post-authentication domain: 3001. SSID of the employee area: employee | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus. |
| AC | Number of the ACL for guests' post-authentication domain: 3002. SSID of the guest area: guest | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus. |
| AC | RADIUS authentication server: primary IP address 172.22.10.2; secondary IP address 172.22.10.3; port number 1812; shared key Admin@123. RADIUS accounting server: primary IP address 172.22.10.2; secondary IP address 172.22.10.3; port number 1813; shared key Admin@123; accounting interval 15 minutes. RADIUS authorization server: primary IP address 172.22.10.2; secondary IP address 172.22.10.3; shared key Admin@123. Portal server: primary IP address 172.22.10.2; secondary IP address 172.22.10.3; port number that the AC uses to listen on Portal protocol packets 2000; destination port number in the packets that the AC sends to the Portal server 50200; shared key Admin@123; encryption key for the URL parameters that the AC sends to the Portal server Admin@123 | The Service Controller of the Agile Controller-Campus provides RADIUS server and Portal server functions; therefore, IP addresses of the authentication server, accounting server, authorization server, and Portal server are all the IP address of the Service Controller. Configure a RADIUS accounting server to obtain user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server. Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as those of the authentication server and accounting server. |
| Agile Controller-Campus | Host name1: access1.example.com. Host name2: access2.example.com | Users can use the domain name to access the Portal server. |
| Agile Controller-Campus | IP address of the active device 1: 172.18.10.1. IP address of the active device 2: 172.18.10.2. IP address of the standby device: 172.18.10.3 | - |
| Agile Controller-Campus | Authentication port: 1812 | - |
| Agile Controller-Campus | Accounting port: 1813 | - |
| Agile Controller-Campus | RADIUS shared key: Admin@123 | It must be the same as the RADIUS shared key configured on the AC. |
| Agile Controller-Campus | Port number of the Portal server: 50200 | - |
| Agile Controller-Campus | Portal key: Admin@123 | It must be the same as the Portal key configured on the AC. |
| Agile Controller-Campus | Department: Employee; account: tony; password: Admin@123. Department: Guest; account: susan; password: Admin@123 | Department Employee, employee account tony, and guest account susan have been created on the Agile Controller-Campus. |
| Pre-authentication domain | SM + SC1 (RADIUS server + Portal server), SC2 (RADIUS server + Portal server), and DNS server | - |
| Post-authentication domain for employees | Internal servers and Internet | - |
| Post-authentication domain for guests | Internet | - |

Configuration Roadmap
1. Configure the access switch, aggregation switch, and core switch to ensure network
connectivity.
2. On the ACs, configure a RADIUS server template, configure authentication, accounting,
and authorization schemes in the template, and specify the IP addresses of Portal servers.
In this way, the ACs can communicate with RADIUS servers and Portal servers.
3. Configure reliability services and basic WLAN services for the ACs.
4. Add ACs to the Service Manager and configure parameters for the ACs to ensure that the
Agile Controller-Campus can manage the ACs.
5. Add authorization results and rules to grant different access rights to employees and
guests after they are successfully authenticated.

Procedure
Step 1 [Device] Configure the access switch S2750EI to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S2700
[S2700] vlan batch 100 101 102 //Create VLAN 100, VLAN 101, and VLAN 102 in a batch.
[S2700] interface gigabitethernet 0/0/1 //Enter the view of the interface connected to an AP.
[S2700-GigabitEthernet0/0/1] port link-type trunk //Change the link type of gigabitethernet0/0/1 to trunk.
[S2700-GigabitEthernet0/0/1] port trunk pvid vlan 100 //Set the default VLAN of gigabitethernet0/0/1 to VLAN 100.
[S2700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102 //Add gigabitethernet0/0/1 to VLAN 100, VLAN 101, and VLAN 102.
[S2700-GigabitEthernet0/0/1] port-isolate enable //Configure port isolation to prevent unwanted broadcast packets in a VLAN and Layer 2 communication between WLAN users connected to different APs.
[S2700-GigabitEthernet0/0/1] quit
[S2700] interface gigabitethernet 0/0/2 //Enter the view of the interface connected to another AP.
[S2700-GigabitEthernet0/0/2] port link-type trunk
[S2700-GigabitEthernet0/0/2] port trunk pvid vlan 100
[S2700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[S2700-GigabitEthernet0/0/2] port-isolate enable
[S2700-GigabitEthernet0/0/2] quit
[S2700] interface gigabitethernet 0/0/3 //Enter the view of the interface connected to the aggregation switch S5700.
[S2700-GigabitEthernet0/0/3] port link-type trunk
[S2700-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101 102
[S2700-GigabitEthernet0/0/3] quit
[S2700] quit
<S2700> save //Save the configuration.

Step 2 [Device] Configure the aggregation switch S5700 to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S5700
[S5700] vlan batch 100 101 102 //Create VLAN 100, VLAN 101, and VLAN 102 in a batch.
[S5700] interface gigabitethernet 0/0/1 //Enter the view of the interface connected to the access switch S2700.
[S5700-GigabitEthernet0/0/1] port link-type trunk
[S5700-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[S5700-GigabitEthernet0/0/1] quit
[S5700] interface gigabitethernet 0/0/2 //Enter the view of the interface connected to the core switch S7700.
[S5700-GigabitEthernet0/0/2] port link-type trunk
[S5700-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[S5700-GigabitEthernet0/0/2] quit
[S5700] interface gigabitethernet 0/0/3 //Enter the view of the interface connected to AC1.
[S5700-GigabitEthernet0/0/3] port link-type trunk
[S5700-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[S5700-GigabitEthernet0/0/3] quit
[S5700] interface gigabitethernet 0/0/4 //Enter the view of the interface connected to AC2.
[S5700-GigabitEthernet0/0/4] port link-type trunk
[S5700-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[S5700-GigabitEthernet0/0/4] quit
[S5700] interface gigabitethernet 0/0/5 //Enter the view of the interface connected to AC3.
[S5700-GigabitEthernet0/0/5] port link-type trunk
[S5700-GigabitEthernet0/0/5] port trunk allow-pass vlan 100
[S5700-GigabitEthernet0/0/5] quit
[S5700] quit
<S5700> save //Save the configuration.

Step 3 [Device] Configure the core switch S7700 to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname S7700
[S7700] dhcp enable //Enable the DHCP service.
[S7700] vlan batch 100 to 103 //Create VLAN 100, VLAN 101, VLAN 102, and VLAN 103 in a batch.
[S7700] interface gigabitethernet 1/0/1 //Enter the view of the interface connected to the aggregation switch S5700.
[S7700-GigabitEthernet1/0/1] port link-type trunk
[S7700-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 101 102
[S7700-GigabitEthernet1/0/1] quit
[S7700] interface vlanif 100
[S7700-Vlanif100] ip address 172.18.10.4 24
[S7700-Vlanif100] dhcp select relay //Enable the DHCP relay agent.
[S7700-Vlanif100] dhcp relay server-ip 172.22.10.6 //Configure the DHCP server connected to the DHCP relay agent.
[S7700-Vlanif100] quit
[S7700] interface vlanif 101
[S7700-Vlanif101] ip address 172.20.10.1 24
[S7700-Vlanif101] dhcp select relay
[S7700-Vlanif101] dhcp relay server-ip 172.22.10.6
[S7700-Vlanif101] quit
[S7700] interface vlanif 102
[S7700-Vlanif102] ip address 172.19.10.1 24
[S7700-Vlanif102] dhcp select relay
[S7700-Vlanif102] dhcp relay server-ip 172.22.10.6
[S7700-Vlanif102] quit
[S7700] interface gigabitethernet 1/0/2 //Enter the view of the interface connected to the server domain.
[S7700-GigabitEthernet1/0/2] port link-type trunk
[S7700-GigabitEthernet1/0/2] port trunk allow-pass vlan 103
[S7700-GigabitEthernet1/0/2] quit
[S7700] interface vlanif 103
[S7700-Vlanif103] ip address 172.22.10.1 24
[S7700-Vlanif103] quit
[S7700] quit
<S7700> save //Save the configuration.

Step 4 [Device] Configure the ACs to ensure network connectivity.


# Configure network connectivity, connect GE0/0/1 on AC1 to the S5700, and add GE0/0/1 to
mVLAN 100 and service VLANs 101 and 102.
<AC6605> system-view
[AC6605] sysname AC1
[AC1] vlan batch 100 101 102
[AC1] interface gigabitethernet 0/0/1 //Enter the view of the interface connected to the aggregation switch S5700.
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC1-GigabitEthernet0/0/1] quit
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 172.18.10.1 24 //Configure a source IP address for AC1.
[AC1-Vlanif100] quit
[AC1] ip route-static 0.0.0.0 0 172.18.10.4 //Configure a default route between AC1 and the server zone so that packets are forwarded to the core switch by default.

# Configure network connectivity, connect GE0/0/1 on AC2 to the S5700, and add GE0/0/1 to
mVLAN 100 and service VLANs 101 and 102.
<AC6605> system-view
[AC6605] sysname AC2
[AC2] vlan batch 100 101 102
[AC2] interface gigabitethernet 0/0/1 //Enter the view of the interface connected to the aggregation switch S5700.
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC2-GigabitEthernet0/0/1] quit
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 172.18.10.2 24 //Configure a source IP address for AC2.
[AC2-Vlanif100] quit
[AC2] ip route-static 0.0.0.0 0 172.18.10.4 //Configure a default route between AC2 and the server zone so that packets are forwarded to the core switch by default.

# Configure network connectivity, connect GE0/0/1 on AC3 to the S5700, and add GE0/0/1 to
mVLAN 100 and service VLANs 101 and 102. Configure AC3 as the standby AC of AC1
and AC2.
<AC6605> system-view
[AC6605] sysname AC3
[AC3] vlan batch 100 101 102
[AC3] interface gigabitethernet 0/0/1 //Enter the view of the interface connected to the aggregation switch S5700.
[AC3-GigabitEthernet0/0/1] port link-type trunk
[AC3-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101 102
[AC3-GigabitEthernet0/0/1] quit
[AC3] interface vlanif 100
[AC3-Vlanif100] ip address 172.18.10.3 24 //Configure a source IP address for AC3.
[AC3-Vlanif100] quit
[AC3] ip route-static 0.0.0.0 0 172.18.10.4 //Configure a default route between AC3 and the server zone so that packets are forwarded to the core switch by default.

Step 5 [Device] Configure the AP to go online.


On AC1, configure the AP to go online.
# Create an AP group to which APs with the same configuration can be added.
[AC1] wlan
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name domain1
[AC1-wlan-regulatory-domain-prof-domain1] country-code cn
[AC1-wlan-regulatory-domain-prof-domain1] quit
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap_group] quit
[AC1-wlan-view] quit

# Configure the AC's source interface.


[AC1] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group. This example assumes
that the AP type is AP6010DN-AGN and the MAC address of the AP is 60de-4476-e360.
[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name ap_0
[AC1-wlan-ap-0] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online properly.
[AC1] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC            Name Group    IP            Type         State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 ap_0 ap_group 172.18.10.254 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 1

On AC2, configure the AP to go online.

NOTE

The configuration process on AC2 is the same as that on AC1. The detailed process is as follows:
1. Create the AP group ap_group on AC2 and add APs managed by AC2 to this AP group.
2. Create a regulatory domain profile on AC2, configure the AC country code in the profile, and apply the
profile to the AP group.
3. Specify the IP address of VLANIF 100 on AC2 as the source address.
4. Add an AP with the type AP6010DN-AGN and MAC address 60de-4476-e380 to AC2 offline, and add
the AP to ap_group.

On AC3, configure the AP to go online.


# Create an AP group to which APs with the same configuration can be added.
[AC3] wlan
[AC3-wlan-view] ap-group name ap_group
[AC3-wlan-ap-group-ap_group] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC3-wlan-view] regulatory-domain-profile name domain1
[AC3-wlan-regulatory-domain-prof-domain1] country-code cn
[AC3-wlan-regulatory-domain-prof-domain1] quit
[AC3-wlan-view] ap-group name ap_group
[AC3-wlan-ap-group-ap_group] regulatory-domain-profile domain1
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC3-wlan-ap-group-ap_group] quit
[AC3-wlan-view] quit

# Configure the AC's source interface.


[AC3] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group. This example assumes
that the AP type is AP6010DN-AGN, and the MAC addresses of AP_0 and AP_1 are
60de-4476-e360 and 60de-4476-e380 respectively.
[AC3] wlan
[AC3-wlan-view] ap auth-mode mac-auth
[AC3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC3-wlan-ap-0] ap-name ap_0
[AC3-wlan-ap-0] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC3-wlan-ap-0] quit
[AC3-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC3-wlan-ap-1] ap-name ap_1
[AC3-wlan-ap-1] ap-group ap_group
Warning: This operation may cause AP reset. If the country code changes, it will,
clear channel, power and antenna gain configurations of the radio, Whether to
continue? [Y/N]:y
[AC3-wlan-ap-1] quit
[AC3-wlan-view] quit

Step 6 [Device] Configure interconnection parameters for the AC and RADIUS server as well as the
AC and Portal server, so that the AC can associate with the RADIUS and Portal servers.
# On AC1, configure a RADIUS server template, and configure authentication, accounting,
and authorization schemes in the template.
[AC1] radius-server template radius_template
[AC1-radius-radius_template] radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80
//Configure a primary RADIUS authentication server with a higher weight than
that of the secondary authentication server.
//Set the authentication port to 1812 and the source IP address to communicate
with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40
//Configure a secondary RADIUS authentication server with a lower weight than
that of the primary authentication server.
//Set the authentication port to 1812 and the source IP address to communicate
with the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80
//Configure a primary RADIUS accounting server with a higher weight than that
of the secondary accounting server to obtain user login and logout information.
//Set the accounting port to 1813 and the source IP address to communicate with
the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server accounting 172.22.10.3 1813 source ip-address 172.18.10.1 weight 40
//Configure a secondary RADIUS accounting server with a lower weight than that
of the primary accounting server to obtain user login and logout information.
//Set the accounting port to 1813 and the source IP address to communicate with
the RADIUS server to 172.18.10.1.
[AC1-radius-radius_template] radius-server shared-key cipher Admin@123 //
Configure a shared key for the RADIUS server.
[AC1-radius-radius_template] radius-server user-name original //Configure the AC
to send the user names entered by users to the RADIUS server.
[AC1-radius-radius_template] quit
[AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123 //
Configure a RADIUS authorization server so that the RADIUS server can deliver
authorization rules to the AC.
Set the shared key to Admin@123, which must be the same as that of the
authentication and accounting server.
[AC1] radius-server authorization 172.22.10.3 shared-key cipher Admin@123 //
Configure a RADIUS authorization server so that the RADIUS server can deliver
authorization rules to the AC.
//Set the shared key to Admin@123, which must be the same as that of the
authentication and accounting server.
//The access control device can process CoA/DM Request packets initiated by the
Agile Controller-Campus only after the authorization servers are configured.
//Authentication servers and authorization servers must have a one-to-one
mapping, that is, the number of authentication servers and authorization servers
must be the same.
//If not, the Agile Controller-Campus will fail to kick some users offline.
[AC1] aaa
[AC1-aaa] authentication-scheme auth_scheme
[AC1-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication
scheme to RADIUS.
[AC1-aaa-authen-auth_scheme] quit
[AC1-aaa] accounting-scheme acco_scheme
[AC1-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting
scheme to RADIUS.
//The RADIUS accounting scheme must be used so that the RADIUS server can
maintain account state information such as login/logout information and force
users to go offline.
[AC1-aaa-accounting-acco_scheme] accounting realtime 15 //Set the real-time
accounting interval to 15 minutes.
[AC1-aaa-accounting-acco_scheme] quit
[AC1-aaa] quit

NOTE

The accounting realtime command sets the real-time accounting interval. A short real-time accounting
interval requires high performance of the device and RADIUS server. Set a real-time accounting interval
based on the user quantity.

Table 4-149 Accounting interval

User Quantity    Real-Time Accounting Interval
1 to 99          3 minutes
100 to 499       6 minutes
500 to 999       12 minutes
≥ 1000           ≥ 15 minutes

# Check whether a user can use a RADIUS template for authentication. (User name test and
password Admin_123 have been configured on the RADIUS server.)
[AC1] test-aaa test Admin_123 radius-template radius_template pap
Info: Account test succeed.

# Configure the Portal server.


1. Configure the URL of the primary Portal authentication page. When a user attempts to
access a website before authentication, the AC redirects the website to the primary Portal
server.
You are advised to configure the URL using a domain name to ensure secure and fast
page pushing. Before configuring the URL using a domain name, you must first
configure the mapping between the domain name and IP address of the Agile Controller-
Campus server on the DNS server.
[AC1] url-template name huawei1
[AC1-url-template-huawei1] url http://access1.example.com:8080/portal //
access1.example.com is the host name of the primary Portal server.

2. Configure parameters carried in the URL, which must be the same as those on the
authentication server.
[AC1-url-template-huawei1] url-parameter ssid ssid redirect-url url //
Specify the names of the parameters included in the URL. The parameter names
must be the same as those on the authentication server.
//The first ssid indicates that the URL contains the SSID field, and the
second ssid indicates the parameter name.
//For example, after ssid ssid is configured, the URL redirected to the user
contains ssid=guest, where ssid indicates the parameter name, and guest
indicates the SSID with which the user associates.
//The second ssid represents the transmitted parameter name only and cannot
be replaced with the actual user SSID.
//When the AC uses url as the parameter name, the URL must be entered on the
Portal server to specify to which URL users' access requests will be
redirected.
[AC1-url-template-huawei1] quit

3. Configure the URL of the secondary Portal authentication page. When the primary Portal
server is unavailable, the AC redirects the website that a user attempts to access to the
secondary Portal server.
[AC1] url-template name huawei2
[AC1-url-template-huawei2] url http://access2.example.com:8080/portal //
access2.example.com is the host name of the secondary Portal server.
[AC1-url-template-huawei2] url-parameter ssid ssid redirect-url url
[AC1-url-template-huawei2] quit

4. Specify the port number used to process Portal protocol packets. The default port number
is 2000. If you change the port number on the AC, set the same port number when you
add this AC to the Agile Controller-Campus.
[AC1] web-auth-server listening-port 2000

5. Configure a primary Portal server template, including configuring the IP address and
port number of the primary Portal server.
Set the destination port number in the packets sent to the Portal server to 50200. The
Portal server accepts packets with destination port 50200, but the AC uses port 50100 to
send packets to the Portal server by default. Therefore, you must change the port number
to 50200 on the AC so that the AC can communicate with the Portal server.
[AC1] web-auth-server portal_huawei1
[AC1-web-auth-server-portal_huawei1] server-ip 172.22.10.2 //Configure an IP
address for the primary Portal server.
[AC1-web-auth-server-portal_huawei1] source-ip 172.18.10.1 //Configure an IP
address for the device to communicate with the Portal server.
[AC1-web-auth-server-portal_huawei1] port 50200 //Set the destination port
number in the packets sent to the Portal server to 50200.

6. Configure the shared key used to communicate with the Portal server, which must be the
same as that on the Portal server. In addition, enable the AC to transmit encrypted URL
parameters to the Portal server.
[AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123 //Configure
the shared key used to communicate with the Portal server, which must be the
same as that on the Portal server.
[AC1-web-auth-server-portal_huawei1] url-template huawei1 //Bind the URL
template to the Portal server profile.

7. Enable the Portal server detection function.


After the Portal server detection function is enabled in the Portal server template, the
device detects all Portal servers configured in the Portal server template. If the number of
times that the device fails to detect a Portal server exceeds the upper limit, the status of
the Portal server is changed from Up to Down. If the number of Portal servers in Up state
is less than or equal to the minimum number (specified by the critical-num parameter),
the device performs the corresponding operation to allow the administrator to obtain the
real-time Portal server status. The detection interval cannot be shorter than 15s, and the
recommended value is 100s. The AC only supports Portal server detection but not Portal
escape.
[AC1-web-auth-server-portal_huawei1] server-detect interval 100 max-times 5
critical-num 0 action log

8. (Optional) Enable user information synchronization.


The user-sync command enables user information synchronization so that user
information on the device and Portal server is synchronized at intervals to ensure user
information consistency. Without synchronization, user information on the device and
on the Portal server may be inconsistent and accounting may be inaccurate. The user
information synchronization interval must be greater than 300s. (The Agile
Controller-Campus responds to probe packets of a switch or AC at an interval of
5 minutes.) If the synchronization interval is shorter than 300s, users may go offline
after passing authentication. You are advised to set the user information
synchronization interval to 500s, that is, set interval to 100 and max-times to 5.
[AC1-web-auth-server-portal_huawei1] user-sync interval 100 max-times 5
[AC1-web-auth-server-portal_huawei1] quit

9. Configure a secondary Portal server template, including configuring the IP address, port
number, and shared key of the secondary Portal server.
[AC1] web-auth-server portal_huawei2
[AC1-web-auth-server-portal_huawei2] server-ip 172.22.10.3 //Configure an IP
address for the secondary Portal server.
[AC1-web-auth-server-portal_huawei2] source-ip 172.18.10.1
[AC1-web-auth-server-portal_huawei2] port 50200
[AC1-web-auth-server-portal_huawei2] shared-key cipher Admin@123
[AC1-web-auth-server-portal_huawei2] url-template huawei2
[AC1-web-auth-server-portal_huawei2] server-detect interval 100 max-times 5 critical-num 0 action log
(Optional) [AC1-web-auth-server-portal_huawei2] user-sync interval 100 max-times 5
[AC1-web-auth-server-portal_huawei2] quit
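
The constraints stated in this step (equal numbers of authentication and authorization servers, matching RADIUS shared keys, a server-detect interval of at least 15s, a user-sync period above 300s, and the Table 4-149 accounting intervals) can be checked before the commands are entered on a device. The following Python script is an added example, not part of the Huawei guide; it assumes the commands are supplied one per line in plaintext as typed (a saved configuration shows cipher keys as ciphertext, so the key comparison would not apply), and the function names, finding codes and the extra check for the guide's sample key Admin@123 are this example's own.

```python
import re

DOC_SAMPLE_KEYS = {"Admin@123"}   # key printed in the guide, so publicly known
# Table 4-149 as (minimum user quantity, recommended interval in minutes).
ACCOUNTING_TABLE = [(1000, 15), (500, 12), (100, 6), (1, 3)]

# One regex per command of interest, matched from the start of the command.
PATTERNS = {
    "auth":       r"radius-server authentication (\S+) (\d+)",
    "authz":      r"radius-server authorization (\S+) shared-key cipher (\S+)",
    "radius_key": r"radius-server shared-key cipher (\S+)",
    "portal_key": r"shared-key cipher (\S+)",
    "realtime":   r"accounting realtime (\d+)",
    "detect":     r"server-detect interval (\d+) max-times (\d+)",
    "sync":       r"user-sync interval (\d+) max-times (\d+)",
}

# Constructed sample: AC1 commands from this step, one per line, comments removed.
SAMPLE_AC1 = """\
radius-server template radius_template
 radius-server authentication 172.22.10.2 1812 source ip-address 172.18.10.1 weight 80
 radius-server authentication 172.22.10.3 1812 source ip-address 172.18.10.1 weight 40
 radius-server accounting 172.22.10.2 1813 source ip-address 172.18.10.1 weight 80
 radius-server accounting 172.22.10.3 1813 source ip-address 172.18.10.1 weight 40
 radius-server shared-key cipher Admin@123
radius-server authorization 172.22.10.2 shared-key cipher Admin@123
radius-server authorization 172.22.10.3 shared-key cipher Admin@123
accounting-scheme acco_scheme
 accounting realtime 15
web-auth-server portal_huawei1
 server-ip 172.22.10.2
 shared-key cipher Admin@123
 server-detect interval 100 max-times 5 critical-num 0 action log
 user-sync interval 100 max-times 5
"""


def parse(script):
    """Collect the commands of interest; a leading "[AC1-...]" prompt is optional."""
    found = {name: [] for name in PATTERNS}
    for raw in script.splitlines():
        line = re.sub(r"^\[[^\]]+\]\s*", "", raw.strip())
        for name, pattern in PATTERNS.items():
            match = re.match(pattern, line)
            if match:
                found[name].append(match.groups())
                break
    return found


def recommended_interval(users):
    """Recommended real-time accounting interval (minutes) from Table 4-149."""
    for floor, minutes in ACCOUNTING_TABLE:
        if users >= floor:
            return minutes
    return 0


def audit(script, users):
    """Return (code, detail) findings for the constraints stated in this step."""
    cfg, findings = parse(script), []
    # Authentication and authorization servers must map one-to-one.
    if len(cfg["auth"]) != len(cfg["authz"]):
        findings.append(("authz-count",
                         f"{len(cfg['auth'])} authentication vs "
                         f"{len(cfg['authz'])} authorization servers"))
    # The authorization key must equal the authentication/accounting key.
    radius_keys = {key for (key,) in cfg["radius_key"]}
    for ip, key in cfg["authz"]:
        if radius_keys and key not in radius_keys:
            findings.append(("authz-key-mismatch", ip))
    # Portal server detection interval cannot be shorter than 15s.
    for interval, _times in cfg["detect"]:
        if int(interval) < 15:
            findings.append(("detect-interval", f"{interval}s < 15s"))
    # interval x max-times is the synchronization period; it must exceed 300s.
    for interval, times in cfg["sync"]:
        period = int(interval) * int(times)
        if period <= 300:
            findings.append(("user-sync-short", f"{period}s <= 300s"))
    # A real-time accounting interval shorter than Table 4-149 loads the servers.
    for (minutes,) in cfg["realtime"]:
        wanted = recommended_interval(users)
        if int(minutes) < wanted:
            findings.append(("accounting-interval",
                             f"{minutes} min < {wanted} min for {users} users"))
    # Added hardening check: a key copied from the guide is not a secret.
    keys = radius_keys | {k for _ip, k in cfg["authz"]} | {k for (k,) in cfg["portal_key"]}
    if keys & DOC_SAMPLE_KEYS:
        findings.append(("doc-sample-key", "replace the key printed in the guide"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_AC1, users=1200):
        print(f"{code}: {detail}")
```

Run against the commands exactly as printed in this step, the only finding is the sample key; the structural constraints are all satisfied.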

# Enable the Portal authentication quiet period function. With this function enabled, the AC
drops packets of an authentication user during the quiet period if the user fails Portal
authentication for the specified number of times in 60 seconds. This function protects the AC
from overloading caused by frequent authentication.
[AC1] portal quiet-period
[AC1] portal quiet-times 5 //Set the maximum number of authentication failures
in 60 seconds before a Portal authentication is set to quiet state.
[AC1] portal timer quiet-period 240 //Set the quiet period to 240 seconds.

# Create a Portal access profile, and bind the Portal server template to it.
[AC1] portal-access-profile name acc_portal //Create a Portal access profile.
[AC1-portal-access-profile-acc_portal] web-auth-server portal_huawei1
portal_huawei2 direct //Configure the primary and secondary Portal server
templates used by the Portal access profile. If the network between end users and
the AC is a Layer 2 network, configure the direct mode; if the network is a Layer
3 network, configure the layer3 mode.
[AC1-portal-access-profile-acc_portal] quit

# Configure pre-authentication and post-authentication access rules for employees and guests.
[AC1] free-rule-template name default_free_rule
[AC1-free-rule-default_free_rule] free-rule 1 destination ip 172.22.10.4 mask
255.255.255.255 //Configure a Portal authentication-free rule to allow users to
connect to the DNS server before authentication.
[AC1-free-rule-default_free_rule] free-rule 2 destination ip 172.22.10.6 mask
255.255.255.255 //Configure a Portal authentication-free rule to allow users to
connect to the DNS server before authentication.
[AC1-free-rule-default_free_rule] quit
[AC1] acl 3001 //Configure the post-authentication domain for employees,
including the intranet and Internet.
[AC1-acl-adv-3001] rule 5 permit ip
[AC1-acl-adv-3001] quit
[AC1] acl 3002 //Configure the post-authentication domain for guests, including
the Internet.
[AC1-acl-adv-3002] rule 5 deny ip destination 172.22.10.5 0 //172.22.10.5 is
the company's server resource and cannot be accessed by guests.
[AC1-acl-adv-3002] rule 10 permit ip
[AC1-acl-adv-3002] quit
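
The guest ACL above depends on rule order: rule 5 must be checked before rule 10 for the deny to have any effect. The following Python sketch is an added example, not part of the Huawei guide; it assumes the default configuration-order matching (ascending rule ID, first match decides), supports only the `rule <id> permit|deny ip [destination <address> <wildcard>]` form used in this step, and uses 203.0.113.10 as a constructed Internet address.

```python
import ipaddress

MASK = 0xFFFFFFFF

# ACLs as configured in this step, plus a constructed reordering of ACL 3002.
ACL_3001 = ["rule 5 permit ip"]
ACL_3002 = ["rule 5 deny ip destination 172.22.10.5 0", "rule 10 permit ip"]
REORDERED = ["rule 5 permit ip", "rule 10 deny ip destination 172.22.10.5 0"]


def parse_rule(line):
    """Parse one rule line; a trailing // comment is ignored."""
    tok = line.split("//")[0].split()
    if len(tok) < 4 or tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule: {line!r}")
    dst = None
    if "destination" in tok:
        i = tok.index("destination")
        addr = int(ipaddress.IPv4Address(tok[i + 1]))
        wc = tok[i + 2]
        # "0" is the host shorthand used on the page; otherwise a dotted wildcard.
        wildcard = int(ipaddress.IPv4Address(wc)) if "." in wc else int(wc)
        dst = (addr, wildcard)
    return {"id": int(tok[1]), "action": tok[2], "dst": dst}


def matches(rule, dst_ip):
    """A rule without a destination matches everything; wildcard bits are ignored."""
    if rule["dst"] is None:
        return True
    addr, wildcard = rule["dst"]
    return ((int(ipaddress.IPv4Address(dst_ip)) ^ addr) & ~wildcard & MASK) == 0


def evaluate(lines, dst_ip):
    """Return the action of the first matching rule, or None if no rule matches."""
    for rule in sorted(map(parse_rule, lines), key=lambda r: r["id"]):
        if matches(rule, dst_ip):
            return rule["action"]
    return None


def covers(earlier, later):
    """True if every destination matched by `later` is already matched by `earlier`."""
    if earlier["dst"] is None:
        return True
    if later["dst"] is None:
        return False
    (e_addr, e_wc), (l_addr, l_wc) = earlier["dst"], later["dst"]
    return (l_wc & ~e_wc & MASK) == 0 and ((e_addr ^ l_addr) & ~e_wc & MASK) == 0


def shadowed(lines):
    """IDs of rules that can never match because an earlier rule covers them."""
    rules = sorted(map(parse_rule, lines), key=lambda r: r["id"])
    return [r["id"] for i, r in enumerate(rules)
            if any(covers(e, r) for e in rules[:i])]


if __name__ == "__main__":
    for name, acl in (("3002", ACL_3002), ("3002 reordered", REORDERED)):
        print(name, evaluate(acl, "172.22.10.5"), "shadowed:", shadowed(acl))
```

With the rules reordered, the deny for 172.22.10.5 is reported as shadowed and guests reach the server, which is why the deny rule carries the lower rule ID in ACL 3002.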

# Configure an authentication profile.


[AC1] authentication-profile name auth_portal
[AC1-authentication-profile-auth_portal] portal-access-profile acc_portal
[AC1-authentication-profile-auth_portal] authentication-scheme auth_scheme
[AC1-authentication-profile-auth_portal] accounting-scheme acco_scheme
[AC1-authentication-profile-auth_portal] radius-server radius_template
[AC1-authentication-profile-auth_portal] free-rule-template default_free_rule
[AC1-authentication-profile-auth_portal] quit

# Enable terminal type awareness to allow the ACs to send the option fields containing the
terminal type in DHCP packets to the authentication server. In this way, the authentication
server can push the correct Portal authentication pages to users based on their terminal types.
[AC1] dhcp snooping enable
[AC1] device-sensor dhcp option 12 55 60

The configurations of AC2 and AC3 are the same as that of AC1 and are not described here.
When configuring the authentication server, specify the IP address of VLANIF 100 on a
device as the source address.
Step 7 [Device] Set WLAN service parameters.

Set WLAN service parameters on AC1.

# Create the security profile security_portal and set the security policy in the profile.
[AC1] wlan
[AC1-wlan-view] security-profile name security_portal
[AC1-wlan-sec-prof-security_portal] quit

# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to
employee and guest respectively.
[AC1-wlan-view] ssid-profile name wlan-ssid-employee
[AC1-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-employee] quit
[AC1-wlan-view] ssid-profile name wlan-ssid-guest
[AC1-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC1-wlan-ssid-prof-wlan-ssid-guest] quit

# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data
forwarding mode and service VLANs, and apply the security, SSID, and authentication
profiles to the VAP profiles.
[AC1-wlan-view] vap-profile name wlan-vap-employee
[AC1-wlan-vap-prof-wlan-vap-employee] forward-mode direct-forward //Configure
direct forwarding for employees.
[AC1-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC1-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal //Bind
the authentication profile.
[AC1-wlan-vap-prof-wlan-vap-employee] quit
[AC1-wlan-view] vap-profile name wlan-vap-guest
[AC1-wlan-vap-prof-wlan-vap-guest] forward-mode direct-forward //Configure
direct forwarding for guests.
[AC1-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 102
[AC1-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC1-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC1-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal
[AC1-wlan-vap-prof-wlan-vap-guest] quit

# Bind the VAP profile to the AP groups and apply the VAP profile to radio 0 and radio 1 of
the AP.
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 0 //
Configure the 2.4 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 1 //
Configure the 5 GHz frequency band of the AP to provide services for employees.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 0 //
Configure the 2.4 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 1 //
Configure the 5 GHz frequency band of the AP to provide services for guests.
[AC1-wlan-ap-group-ap_group] quit

Set WLAN service parameters on AC2, which are the same as those on AC1.

Set WLAN service parameters on AC3.

The WLAN service configurations on the standby AC must contain all the configurations on
the active ACs. In this example, the active ACs have the same WLAN service configurations,
so the configurations on AC3 must be the same as those on AC1 or AC2.

# Create the security profile security_portal and set the security policy in the profile.
[AC3] wlan
[AC3-wlan-view] security-profile name security_portal
[AC3-wlan-sec-prof-security_portal] quit

# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the SSID names to
employee and guest respectively.
[AC3-wlan-view] ssid-profile name wlan-ssid-employee
[AC3-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC3-wlan-ssid-prof-wlan-ssid-employee] quit
[AC3-wlan-view] ssid-profile name wlan-ssid-guest
[AC3-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC3-wlan-ssid-prof-wlan-ssid-guest] quit

# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure the service data
forwarding mode and service VLANs, and apply the security, SSID, and authentication
profiles to the VAP profiles.
[AC3-wlan-view] vap-profile name wlan-vap-employee
[AC3-wlan-vap-prof-wlan-vap-employee] forward-mode direct-forward //Configure
direct forwarding for employees.
[AC3-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 101
[AC3-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC3-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC3-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal //Bind
the authentication profile.
[AC3-wlan-vap-prof-wlan-vap-employee] quit
[AC3-wlan-view] vap-profile name wlan-vap-guest
[AC3-wlan-vap-prof-wlan-vap-guest] forward-mode direct-forward //Configure
direct forwarding for guests.
[AC3-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 102
[AC3-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC3-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC3-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal
[AC3-wlan-vap-prof-wlan-vap-guest] quit

# Bind the VAP profile to the AP groups and apply the VAP profile to radio 0 and radio 1 of
the AP.
[AC3-wlan-view] ap-group name ap_group
[AC3-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 0 //
Configure the 2.4 GHz frequency band of the AP to provide services for employees.
[AC3-wlan-ap-group-ap_group] vap-profile wlan-vap-employee wlan 1 radio 1 //
Configure the 5 GHz frequency band of the AP to provide services for employees.
[AC3-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 0 //
Configure the 2.4 GHz frequency band of the AP to provide services for guests.
[AC3-wlan-ap-group-ap_group] vap-profile wlan-vap-guest wlan 2 radio 1 //
Configure the 5 GHz frequency band of the AP to provide services for guests.
[AC3-wlan-ap-group-ap_group] quit

Step 8 [Device] Enable N+1 backup on AC1, AC2, and AC3.


# On AC1, configure the global and individual priorities of the active AC1 and configure an
IP address for the standby AC3 so that the ACs work in N+1 backup mode.
NOTE
AC priorities determine the AC roles. The AC with a higher priority is the active AC, and the AC with a
lower priority is the standby AC. A smaller value indicates a higher priority. If the AC priorities are the same,
the AC that connects to more APs is the active AC. If the ACs can connect to the same number of APs, the
AC that connects to more STAs is the active AC. If the ACs can connect to the same number of STAs, the AC
with a smaller IP address is the active AC.
[AC1] wlan
[AC1-wlan-view] ac protect protect-ac 172.18.10.3 //Configure an IP address for
the standby AC.
Warning: Operation successful. It will take effect after AP reset.
[AC1-wlan-view] ac protect priority 6 //Configure the global priority of the
active AC1.
Warning: Operation successful. It will take effect after AP reset.
[AC1-wlan-view] ap-system-profile name ap-system1 //Create an AP system profile
and enter this profile view.
[AC1-wlan-ap-system-prof-ap-system1] priority 3 //Configure the individual
priority of the active AC1.
Warning: This action will take effect after resetting AP.
[AC1-wlan-ap-system-prof-ap-system1] quit
[AC1-wlan-view] ap-group name ap_group
[AC1-wlan-ap-group-ap_group] ap-system-profile ap-system1 //Bind the AP system
profile to the AP group.
[AC1-wlan-ap-group-ap_group] quit

# On AC2, configure the global and individual priorities of the active AC2 and configure an
IP address for the standby AC3 so that the ACs work in N+1 backup mode.
[AC2] wlan
[AC2-wlan-view] ac protect protect-ac 172.18.10.3 //Configure an IP address for
the standby AC.
Warning: Operation successful. It will take effect after AP reset.
[AC2-wlan-view] ac protect priority 6 //Configure the global priority of the
active AC2.
Warning: Operation successful. It will take effect after AP reset.
[AC2-wlan-view] ap-system-profile name ap-system1 //Create an AP system profile
and enter this profile view.
[AC2-wlan-ap-system-prof-ap-system1] priority 3 //Configure the individual
priority of the active AC2.
Warning: This action will take effect after resetting AP.
[AC2-wlan-ap-system-prof-ap-system1] quit
[AC2-wlan-view] ap-group name ap_group
[AC2-wlan-ap-group-ap_group] ap-system-profile ap-system1 //Bind the AP system
profile to the AP group.
[AC2-wlan-ap-group-ap_group] quit

# On AC3, configure IP addresses for active ACs and configure the global priority of the
standby AC3 so that the ACs work in N+1 backup mode.
[AC3] wlan
[AC3-wlan-view] ac protect priority 5
Warning: Operation successful. It will take effect after AP reset.
[AC3-wlan-view] ap-system-profile name ap-system1 //Create an AP system profile
and enter this profile view.
[AC3-wlan-ap-system-prof-ap-system1] protect-ac ip-address 172.18.10.1
Warning: This action will take effect after resetting AP.
[AC3-wlan-ap-system-prof-ap-system1] quit
[AC3-wlan-view] ap-system-profile name ap-system2 //Create an AP system profile
and enter this profile view.
[AC3-wlan-ap-system-prof-ap-system2] protect-ac ip-address 172.18.10.2
Warning: This action will take effect after resetting AP.
[AC3-wlan-ap-system-prof-ap-system2] quit
[AC3-wlan-view] ap-id 0
[AC3-wlan-ap-0] ap-system-profile ap-system1
[AC3-wlan-ap-0] quit
[AC3-wlan-view] ap-id 1
[AC3-wlan-ap-1] ap-system-profile ap-system2
[AC3-wlan-ap-1] quit

# On AC1, enable N+1 backup and restart all APs to make the function take effect.
NOTE
By default, N+1 backup is enabled. To restart all APs, run the ap-reset all command on AC1 and AC2. After
the APs are restarted, N+1 backup starts to take effect.
[AC1-wlan-view] undo ac protect enable //Enable the N+1 backup function.
[AC1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# On AC2, enable N+1 backup and restart all APs to make the function take effect.
[AC2-wlan-view] undo ac protect enable
[AC2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# Enable revertive switchover and N+1 backup on AC3.


[AC3-wlan-view] undo ac protect restore disable //Enable the global revertive
switching function.
[AC3-wlan-view] undo ac protect enable
[AC3-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

Step 9 [Agile Controller-Campus] Add AC1 to the Service Manager to enable the Agile Controller-
Campus to manage the AC.
1. Choose Resource > Device > Device Management.
2. Click Add.
3. Configure parameters for AC1.


Parameter                   Value                          Description

Name                        AC1                            -

IP address                  172.18.10.1                    The AC1 interface with this IP address must be able to
                                                           communicate with the Service Controller.

Standby device IP address   172.18.10.3                    It is used for AC3 to communicate with the Agile
                                                           Controller-Campus.

Authentication/Accounting   Admin@123                      [AC1-radius-radius_template] radius-server shared-key cipher Admin@123
key

Authorization key           Admin@123                      [AC1] radius-server authorization 172.22.10.2 shared-key cipher Admin@123

Real-time accounting        15                             [AC1-aaa-accounting-acco_scheme] accounting realtime 15
interval (minute)

Port                        2000                           This is the port that the AC uses to communicate with the
                                                           Portal server. Retain the default value.

Portal key                  Admin@123                      [AC1-web-auth-server-portal_huawei1] shared-key cipher Admin@123

Access terminal IP list     172.19.10.1/16;172.20.10.1/16  You need to add the IP addresses of all the terminals that
                                                           go online through Portal authentication to the access
                                                           terminal IP list. After the Portal server receives the
                                                           account and password submitted by an end user, it searches
                                                           for an access control device based on the terminal's IP
                                                           address and allows the terminal to go online from the
                                                           target access control device. If the IP address pool of the
                                                           access control device does not include the terminal IP
                                                           address, the Portal server cannot find an access control
                                                           device to grant network access permission to the terminal,
                                                           causing the terminal login failure.

Enable heartbeat between    Selected                       When a Portal server is unavailable, services can be switched
access device and Portal                                   to the standby Portal server.
server                                                     The Portal server can send heartbeat packets to the access
Portal server IP list       172.22.10.2;172.22.10.3        device only when Enable heartbeat between access device and
                                                           Portal server is selected and the Portal server's IP address
                                                           has been added to Portal server IP list. The access device
                                                           then periodically detects heartbeat packets of the Portal
                                                           server to determine the Portal server status and synchronize
                                                           user information from the Portal server. The server-detect
                                                           and user-sync commands must have been configured in the
                                                           Portal server view on the access device.

4. Click OK.
5. Click Add again and set parameters of AC2.

Step 10 [Agile Controller-Campus] Add SSIDs on the Agile Controller-Campus, so that the Agile
Controller-Campus can authorize users through the SSIDs.
1. Choose Policy > Permission Control > Policy Element > SSID.
2. Click Add and add SSIDs for employees and guests.
The SSIDs must be the same as those configured on the AC.


Step 11 [Agile Controller-Campus] Configure authorization results and rules to grant different access
rights to employees and guests after they are successfully authenticated.
1. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result, and add authorization ACLs for employees and guests.
The ACL numbers must be the same as those configured on the authentication control
device.


2. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule, and bind the authorization result to specify resources accessible to
employees and guests after successful authentication.


3. Modify the default authorization rule by changing the authorization result to Deny
Access.
Choose Policy > Permission Control > Authentication and Authorization >
Authorization Rule and click on the right of Default Authorization Rule. Change
the value of Authorization Result to Deny Access.


----End

Verification
If a terminal uses Internet Explorer 8 for Portal authentication, the following configuration
must be completed for the browser. Otherwise, the Portal authentication page cannot be
displayed.
1. Choose Tools > Internet Options.
2. Select options related to Use TLS on the Advanced tab.


3. Click OK.


Item | Expected Result

Employee authentication
- User account tony (employee account) can only access the Agile Controller-Campus server and
  DNS server before authentication.
- When the employee connects to the Wi-Fi hotspot employee using a computer and attempts to
  visit the Internet, the default authentication page is pushed to the user. After the
  employee enters the correct user name and password, the authentication succeeds and the
  requested web page is displayed automatically.
- After the authentication succeeds, run the display access-user command on the AC. The
  command output shows that the user tony is online.
- On the Service Manager, choose Resource > User > Online User Management. The user tony is
  displayed in the list of online users.
- On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS
  authentication log for the user tony.

Guest authentication
- User account susan (guest account) can only access the Agile Controller-Campus server and
  DNS server before authentication.
- When the guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to
  visit the Internet, the guest authentication page is pushed to the user. After the guest
  enters the correct user name and password, the authentication succeeds and the requested
  web page is displayed automatically.
- User account susan cannot access internal servers of the company.
- After the authentication succeeds, run the display access-user command on the AC. The
  command output shows that the user susan is online.
- On the Service Manager, choose Resource > User > Online User Management. The user susan is
  displayed in the list of online users.
- On the Service Manager, choose Resource > User > RADIUS Log. You can see the RADIUS
  authentication log for the user susan.

AC1 and AC2 power-off
Services are automatically switched to AC3, and employees and guests are offline. Employees
and guests are re-authenticated and go online, and their access rights are normal.

SC power-off
After the network cable of a Service Controller, employees and guests are re-authenticated
and go online. Their access rights are normal.

Summary and Suggestions


- The authentication key, accounting key, and Portal key must be kept consistent on the AC
  and Agile Controller-Campus. The accounting interval set on the Agile Controller-Campus
  must also be the same as that on the AC.
- Authorization rules or Portal page push rules are matched in descending order of priority
  (ascending order of rule numbers). If the authorization condition or Portal push condition
  of a user matches a rule, the Agile Controller-Campus does not check the subsequent rules.
  Therefore, it is recommended that you set higher priorities for the rules defining more
  precise conditions and set lower priorities for the rules defining fuzzy conditions.


- The RADIUS accounting function is configured on the AC to enable the Agile
  Controller-Campus to obtain online user information by exchanging accounting packets with
  the AC. The Agile Controller-Campus does not support the real accounting function. If
  accounting is required, use a third-party accounting server.

4.19.12 Appendix

4.19.12.1 Common Page Customization Operations Using the Editor


This section describes common page customization operations using the editor, for example,
replacing pictures, buttons, and controls, and deleting controls.

- Replace the Background Image
- Replace the Logo
- Add Dynamic Pictures
- Change Static Pictures
- Modify the Button Background
- Delete Picture, Text Box, Button, and Other Controls
- Change the Authentication Mode
- Add Links to User Notice Page, Page Switching, Forget Password and Registration Page
- Add Common Buttons
- Add Common Fields
- Modify the Interval for Quickly Obtaining the Password Through Mobile Phone
- Set Mandatory Fields

Replace the Background Image

Click to select the background image.


To ensure smooth display of a customized page, large-sized pictures are not recommended for
the background image. You are advised to use small pictures and lay them out in tile mode.


Replace the Logo


Click the logo, and then click Replace.

Add Dynamic Pictures

Click to select pictures and enter hyperlinks of the pictures.


Dynamic pictures consist of a group of pictures and corresponding hyperlinks. The pictures
can be switched at a specified interval. You can use dynamic pictures to provide characteristic
advertisements.

Change Static Pictures


Click the picture you want to change, and then click Replace or .
Check the sizes of the original pictures you want to change. Ensure that the sizes of the new
pictures to be uploaded are the same as those of the pictures to be replaced.


Modify the Button Background


Click the button you want to change, and click Button Image.
Texts on buttons cannot be modified directly. Use the picture editor to enter texts on the
button's background image, convert the texts to be part of the image, and then replace the
background image.


Delete Picture, Text Box, Button, and Other Controls


Click the control you want to delete, and press Delete.


Change the Authentication Mode

Select the authentication mode you want from the drop-down list box on the
menu bar. Before adding a new authentication mode, press Delete to delete all controls used
in the original authentication mode.
- Account password authentication
  Includes the Account and Password fields and Log In buttons.
- Passcode authentication
  Includes the Passcode field and Log In buttons.
- Quick mobile phone authentication
  Includes the Phone number and Password fields as well as Get Password and Log In buttons.
- Mobile phone verification code authentication
  Includes the Account, Password and Verification code fields, and Get Verification Code and
  Log In buttons.
  NOTE
  - The validity period of a verification code is 10 minutes. When the validity period
    expires, users need to obtain a new verification code.
  - Click Get Verification Code and then Set Button Background and Verification Code
    Delivery Interval to set the countdown period for receiving a verification code through
    a short message and the text on the button.
  - End users receive verification codes through their mobile phones when this
    authentication mode is used. Therefore, end users' mobile phone numbers must be
    configured; otherwise, they cannot receive verification codes.
- One-key authentication
  Includes the Email field and Log In button.
- Uniform authentication
  Indicates account/password authentication, passcode authentication, and social media
  authentication.


Add Links to User Notice Page, Page Switching, Forget Password and Registration Page

Select links you want to add from the drop-down list box on the menu bar.
Links to the target pages are available by default. You can add the links directly without any
special settings.
The following figure shows the link setting effect for the user notice page. Click Readme to
switch to the user notice page.


Add Common Buttons

Select buttons you want to add from the drop-down list box on the menu bar.

The following figure shows the effect of adding the AutoLogin button.
NOTE

- End users need to enable browser cookies after the Remember password or Auto login button
  is added; otherwise, the button does not take effect. Enabling browser cookies may cause
  potential risks. Exercise caution when you perform this operation.
- The AutoLogin button does not take effect on the automatically displayed Portal
  authentication page on iPhone, because the displayed web page on iPhone cannot save cookie
  information. The built-in Safari browser of iPhone can save cookie information.


Add Common Fields


Generally, you need to add specific fields, such as verification code and phone number, when
customizing a registration page. Select the field you want to add from the drop-down list box
on the menu bar.


NOTE

The verification code field is not provided in the default authentication page template. You are
advised to add the field to improve login and authentication security. At the position where a
verification code is to be added, select Verification code from the Field drop-down list box.

Modify the Interval for Quickly Obtaining the Password Through Mobile Phone
Click Get Password on the quick authentication page, and then click Set Button
Background and Short Message Sending Interval. Set the parameters accordingly in the
displayed dialog box.


Set Mandatory Fields


Click the field, and select Not Empty.


4.19.12.2 Customizing Pages


This section describes how to customize the registration page, authentication page,
authentication success page, and user notice page for guests.

Context
To ensure that a page has an elegant appearance and high security, an administrator must be
capable of page editing and image processing.

Based on the screen size, terminal devices are classified into mobile phones and computers.
Because mobile phones have small screens, a compact and simple style, small pictures, and
short texts are recommended when you customize a page for mobile phones. Because computers
have large screens and can carry more information than mobile phones, you can use large
pictures and relatively long texts during page customization. You need to customize pages for
both mobile phones and computers if an enterprise allows guests to access the network using
mobile phones and computers (laptops and tablet computers).

Page customization supports multiple languages, including simplified Chinese, English,
traditional Chinese, German, Spanish, French, and Portuguese by default. If the default
language templates do not meet your needs, you can add language templates. For details, see
4.19.12.4 Example: Adding Language Templates.

The Service Manager provides pre-defined page templates that are frequently used. You can
choose Policy > Permission Control > Page Customization > Authentication &
Registration Template to locate the templates. Administrators can select their desired page
style or modify the style of the templates.

The registration page, authentication page, authentication success page, and user notice page
make up a set of guest pages.

Procedure
Step 1 Choose Policy > Permission Control > Page Customization > Page Customization.

Step 2 Click in the operation area on the right.

Step 3 Set parameters for the customized page and click Next.

Step 4 Select your desired page template and preview the effect. Select a language template and click
Next.

Step 5 Customize pages for mobile phones and PCs.


For details, see 4.19.12.1 Common Page Customization Operations Using the Editor.

Step 6 Click Preview, Test and Publish.

A customization page can be used by guests only after the page is released. The save to draft
function only saves a customization page on the Service Manager.

After you click Publish, the system automatically saves the customization page.

----End


4.19.12.3 Defining a Redirection Rule for the Portal Page


After customizing authentication and registration pages for guests, the administrator defines a
redirection rule for the Portal page to ensure that the guests can access the corresponding
authentication and registration page.

Prerequisites
The authentication or registration page has been customized. For details, see 4.19.12.2
Customizing Pages.

Context
If guests use different authentication and registration pages, configure a unified Portal page
http://server-ip:8080/portal or http://agilecontroller.huawei.com:8080/portal for all users.
The Agile Controller-Campus automatically redirects the Portal page to the authentication or
registration page based on the defined redirection rule.

The URL that uses the domain name is recommended because it is safer and faster. However, you
need to configure the mapping between the domain name agilecontroller.huawei.com and the
server IP address on the DNS server in advance.

The Agile Controller-Campus supports redirection based on the following authentication
information:
- IP address of the terminal to be authenticated.
- Information about the access device to be authenticated, for example, MAC address or SSID.
  This information is obtained from the HTTP parameter in the user authentication data.
  The redirection rule needs to be associated with the access device. For details, see Table
  4-150.
- Terminal's operating system type for authentication.
- Account type for authentication.
  You need to configure the authentication-free function for WeChat accounts and select the
  corresponding option for public QR codes.

The redirection rules are prioritized. The rule with the highest priority is preferentially
matched with the user authentication data. If all configured rules are mismatched, the default
rule is used.

Procedure
Step 1 Choose Policy > Permission Control > Page Customization > Portal Page Push Rule.

Step 2 Click Add.

Step 3 Set push rule related parameters.

Table 4-150 Set push rule related parameters

Parameter | Description

Name | Indicates the name of a Portal page push rule.

Push conditions | Specifies the condition for pushing Portal pages, including the time,
terminal's IP address segment, self-defined parameter, terminal's operating system type, and
account type.
Self-defined parameters must be the same as those parameters carried in the URL configured on
the AC by running the url-parameter command. The command format on the AC is as follows:
url-parameter { ac-ip ac-ip-value | ac-mac ac-mac-value | ap-ip ap-ip-value | ap-mac
ap-mac-value | ssid ssid-value | sysname sysname-value | user-ipaddress user-ipaddress-value |
user-mac user-mac-value | redirect-url redirect-url-value } *
- ac-ip ac-ip-value: specifies the AC IP address carried in the URL. If required, set
  ac-ip-value to ac-ip.
- ac-mac ac-mac-value: specifies the AC MAC address carried in the URL and sets the
  parameter name.
- ap-ip ap-ip-value: specifies the AP IP address carried in the URL and sets the parameter
  name.
- ap-mac ap-mac-value: specifies the AP MAC address carried in the URL. If required, set
  ap-mac-value to apmac.
- ssid ssid-value: specifies the SSID that users associate with carried in the URL. If
  required, set ssid-value to ssid.
- sysname sysname-value: specifies the device system name carried in the URL and sets the
  parameter name.
- user-ipaddress user-ipaddress-value: specifies the user IP address carried in the URL. If
  required, set user-ipaddress-value to userip.
- user-mac user-mac-value: specifies the user MAC address carried in the URL. If required,
  set user-mac-value to usermac.
- redirect-url redirect-url-value: specifies the original URL that a user accesses carried
  in the URL. If required, set redirect-url-value to url.
For example, if the url-parameter ssid ssid command is configured on the AC, you must set
ssid-value to ssid. If users connect to the network through the SSID example, you must set
Customized parameters to ssid=example.
NOTE
- For WeChat authentication and public QR code authentication, you must set a value for
  redirect-url.
- For WeChat authentication-free, you need to set values for redirect-url and user-mac.
- In scenarios where guests follow WeChat public account to access Wi-Fi, ssid,
  redirect-url, and user-mac are mandatory.
- When configuring URL parameters in the URL template view on the AC, do not run the
  parameter { start-mark parameter-value | assignment-mark parameter-value | isolate-mark
  parameter-value } * command to modify symbols in the URL. If you modify the symbols in the
  URL, URL resolution on the Agile Controller-Campus may fail, leading to an interconnection
  failure.

Push page | Select a page customized in 4.19.12.2 Customizing Pages.

First page to push | Specifies the page to be pushed to a guest for the first time.

URL | Use the default value.

Page displayed after successful authentication
- No redirect: The authentication success page is displayed after the authentication
  succeeds.
- Redirect to the specified address: A specified page is displayed after the authentication
  succeeds. Set the URL to be switched to in Address.
- Continue to visit the original page: The original page that the user requests is displayed
  after the authentication succeeds. You need to configure the url-parameter redirect-url url
  command in the URL template on the AC or switch. For details, see 4.19.12.8 How Do I
  Continue to Access the Original Page After Successful Portal Authentication?.

Description | -

Step 4 Click OK.

----End

Example
Configure three redirection rules for the Portal page.

Redirection Rule | Redirected to | Priority (Smaller Value, Higher Priority)
Terminal device type: Android mobile phone | Authentication page A | 1
Self-defined parameter: network | Authentication page B | 2
Terminal's IP address segment: 10.10.10.10-10.10.10.50 | Authentication page C | 3
Default rule | Default page | N

A guest uses a laptop to connect to the wireless network named network. The laptop's IP
address is 10.10.10.20. The guest accesses http://server-ip:8080/portal or
http://agilecontroller.huawei.com:8080/portal and then is redirected to authentication page B
for authentication.
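
The first-match evaluation described in this section, worked through for the three example rules. This is an added example, not Agile Controller-Campus code. The rule layout, the explicit terminal_os argument, the reading of the self-defined parameter as ssid=network, and the sample URL values are assumptions; the parameter names ssid, userip, usermac and url are the ones Table 4-150 suggests for the url-parameter command. It goes one step beyond the example by also flagging rules that an earlier, broader rule makes unreachable.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Rules from the example table. The dict layout and the reading of the
# self-defined parameter as ssid=network are assumptions for this sketch.
RULES = [
    {"priority": 1, "page": "Authentication page A", "os": "Android"},
    {"priority": 2, "page": "Authentication page B", "params": {"ssid": "network"}},
    {"priority": 3, "page": "Authentication page C",
     "ip_range": ("10.10.10.10", "10.10.10.50")},
]
DEFAULT_PAGE = "Default page"

# Constructed redirect URL, as an AC configured with
# "url-parameter ssid ssid user-ipaddress userip user-mac usermac redirect-url url"
# would build it. The MAC address and the original URL are sample values.
LAPTOP_URL = ("http://agilecontroller.huawei.com:8080/portal"
              "?ssid=network&userip=10.10.10.20&usermac=00e0-fc12-3456"
              "&url=http%3A%2F%2Fexample.com%2F")


def parse_request(url, terminal_os):
    """Collect the values a push rule can match on from the redirect URL."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    return {"os": terminal_os, "params": params, "ip": params.get("userip")}


def _in_range(ip_text, ip_range):
    try:
        ip = ipaddress.ip_address(ip_text)
        low, high = (ipaddress.ip_address(a) for a in ip_range)
        return low <= ip <= high
    except (TypeError, ValueError):
        return False  # a missing or malformed address never matches


def rule_matches(rule, req):
    """A rule matches only when every condition it defines is satisfied."""
    if "os" in rule and rule["os"] != req["os"]:
        return False
    if any(req["params"].get(k) != v for k, v in rule.get("params", {}).items()):
        return False
    if "ip_range" in rule and not _in_range(req["ip"], rule["ip_range"]):
        return False
    return True


def select_page(rules, req):
    """Return the page of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule, req):
            return rule["page"]
    return DEFAULT_PAGE


def shadows(earlier, later):
    """True when every request that matches `later` also matches `earlier`."""
    if "os" in earlier and earlier["os"] != later.get("os"):
        return False
    later_params = later.get("params", {})
    if any(later_params.get(k) != v for k, v in earlier.get("params", {}).items()):
        return False
    if "ip_range" in earlier:
        if "ip_range" not in later:
            return False
        e_low, e_high = (ipaddress.ip_address(a) for a in earlier["ip_range"])
        l_low, l_high = (ipaddress.ip_address(a) for a in later["ip_range"])
        if not (e_low <= l_low and l_high <= e_high):
            return False
    return True


def find_shadowed(rules):
    """List (earlier, later) priority pairs where the later rule can never fire."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    return [(a["priority"], b["priority"])
            for i, a in enumerate(ordered) for b in ordered[i + 1:] if shadows(a, b)]


if __name__ == "__main__":
    print(select_page(RULES, parse_request(LAPTOP_URL, "Windows")))
    print(find_shadowed(RULES))
```

The laptop matches rule 2 before rule 3 is ever consulted, even though its IP address is inside the rule 3 segment. Running find_shadowed over a rule set before publishing it catches a precise rule placed behind a fuzzy one.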


4.19.12.4 Example: Adding Language Templates


Language templates are used to specify languages of GUI elements such as page titles,
buttons, and expressions on pages such as the self-service page, authentication page,
registration page, authentication success page, registration success page, and user notice page.
By default, the Agile Controller-Campus provides the following language templates: Chinese,
English, traditional Chinese, German, French, Spanish and Portuguese. You can add language
templates if the default language templates cannot satisfy your demands.

Procedure
Step 1 Choose Policy > Permission Control > Page Customization > Language Template to
create a language template for basic self-service information.

Step 2 Choose Policy > Permission Control > Page Customization > Page Customization to
customize the page containing this language template.


When you customize an authentication success page, the page must contain the Self-help
Service button.

Step 3 Choose Policy > Permission Control > Page Customization > Portal Page Push Rule to
create a Portal page push rule and choose the page customized in the preceding step as the
page to be pushed.


Step 4 Enter http://IP address of the Portal authentication server:8080/portal in the address box of
a web browser to visit the self-service page and check whether the GUI elements are
displayed in the language configured in the language template.

----End

4.19.12.5 Configuring MAC Address Authentication


This section describes operations and precautions for configuring MAC address
authentication.


Scenario Description
MAC address authentication controls terminal network access permission based on the device
interface and terminal MAC address. When a terminal connects to the network, the access
control device automatically detects the terminal MAC address and sends the MAC address as
the account and password to the RADIUS server for identity authentication. The RADIUS
server instructs the access control device to grant network access permission to the end user
only after the user identity is verified on the RADIUS server. MAC address authentication
applies to scenarios where dumb terminals such as printers and IP phones cannot be
authenticated using user names and passwords or scenarios where only terminal MAC
addresses but not user names and passwords need to be verified due to special requirements.
These terminals cannot trigger identity authentication and need to wait until the access control
device sends authentication requests to the RADIUS server to connect to the network.
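
What the exchange described above carries, as an added example (not Huawei or Agile Controller-Campus code): the access control device builds a RADIUS Access-Request in which the MAC address is both User-Name and User-Password, and the server checks it with its own copy of the shared key and its terminal list. The 12-hex-digit account format, the sample MAC address and the function names are assumptions; the password hiding follows RFC 2865.

```python
import hashlib
import os
import re
import struct

ACCESS_REQUEST = 1                      # RADIUS packet code (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

SHARED_KEY = b"Admin@123"               # sample key used in this document
TERMINAL_LIST = ["00e0-fc12-3456"]      # constructed terminal list entry


def normalize_mac(mac):
    """Reduce common MAC notations to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def _mask(secret, previous):
    return hashlib.md5(secret + previous).digest()


def pap_hide(password, secret, authenticator):
    """Hide User-Password as RFC 2865 section 5.2 describes."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, previous = b"", authenticator
    for i in range(0, len(padded), 16):
        previous = bytes(p ^ m for p, m in zip(padded[i:i + 16], _mask(secret, previous)))
        hidden += previous
    return hidden


def pap_reveal(hidden, secret, authenticator):
    """Server side: undo pap_hide with the server's copy of the key."""
    clear, previous = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, _mask(secret, previous)))
        previous = block
    return clear.rstrip(b"\x00")


def _attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_mac_auth_request(mac, secret, identifier=1, authenticator=None):
    """Access control device side: the MAC is both account and password."""
    authenticator = authenticator or os.urandom(16)
    account = normalize_mac(mac).encode()
    attrs = (_attribute(ATTR_USER_NAME, account)
             + _attribute(ATTR_USER_PASSWORD, pap_hide(account, secret, authenticator)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def server_accepts(packet, secret, terminal_list):
    """RADIUS server side: parse the request, then check key and terminal list."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    account = attrs.get(ATTR_USER_NAME, b"")
    password = pap_reveal(attrs.get(ATTR_USER_PASSWORD, b""), secret, authenticator)
    listed = {normalize_mac(m).encode() for m in terminal_list}
    # A mismatched key yields a garbage password; an unlisted MAC is not in the set.
    return password == account and account in listed


if __name__ == "__main__":
    request = build_mac_auth_request("00:E0:FC:12:34:56", SHARED_KEY)
    print(server_accepts(request, SHARED_KEY, TERMINAL_LIST))
```

The server-side result depends only on the shared key and the terminal list, so a key that differs between the device and the server fails every terminal, listed or not.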

Task Overview

Procedure
Step 1 Configure the access control device.
- Function
  In MAC address authentication, the access control device sends authentication requests to
  the RADIUS server. Therefore, configurations related to RADIUS authentication must be
  performed on the access control device.
- Entrance
  Log in to the CLI of the access control device through the console port or using SSH.
- Key configuration description
  See configuration examples for MAC address authentication.

Step 2 Add the access control device on the Agile Controller-Campus.
- Function
  The Agile Controller-Campus can work with the access control device only after the device
  is added to the Agile Controller-Campus and interconnection parameters on the Agile
  Controller-Campus and device are the same.
- Entrance
  Choose Resource > Device > Device Management.
- Key configuration description
  - Authentication/Accounting key: The value is the same as the value configured using the
    radius-server shared-key command in the RADIUS template.
  - Authorization key: The value is the same as the value configured using the radius-server
    authorization 172.18.1.1 shared-key cipher Admin@123 command in the system view.
  - Real-time accounting interval: The value is the same as the value configured using the
    accounting realtime command in the accounting template.

Step 3 Add terminals to be authenticated using MAC address authentication.
- Function
  In MAC address authentication, the identity of a terminal is verified using the terminal
  MAC address. The terminal can be authenticated only after it is manually added to the
  terminal list.
- Entrance
  a. Choose Resource > Terminal > Terminal List.
  b. In the Device Group list, choose the first node and click Add on the right to add a
     device group to be authenticated using MAC address authentication.
  c. In the Device Group list, click the created device group and add terminals to be
     authenticated using MAC address authentication on the right.
     - Add terminals one by one.
       Click the Device List tab to add the terminals one by one.
     - Add terminals in a batch.
       Click the Device Group List tab and click Import to add the terminals in a batch.
- Key configuration description


Parameter | Description

Terminal Type
- Unknown type: default value, indicating temporarily unidentified devices. The Agile
  Controller-Campus needs to continue to identify such devices.
- Fixed terminal: wired access devices, such as desktop computers.
- Mobile terminal: wireless access devices, such as tablets.
- Dumb terminal: devices that provide fewer functions than PCs, do not have processors or
  disks, and need to connect to hosts to process services, such as printers and VoIP phones.

Statically Assigned Policy
- Enable: The Agile Controller-Campus identifies devices using only the policies set in
  Matched Policy. If you know the device types, you can statically assign policies to
  enhance the device identification ratio and accuracy.
- Disable: The Agile Controller-Campus automatically selects policies to identify devices.
  Disable is the default value and applies when you do not know the device types.
  The Agile Controller-Campus matches the collected device information with the rules in
  the rule database. If the device matches a rule, the Agile Controller-Campus queries all
  identification policies that contain this rule and evaluates a score for each policy based
  on the device information. The highest score is the identification result.

Matched Policy | You need to set a name for the policy when Statically Assigned Policy is
enabled. Resource > Terminal > Identification Policy displays all policy names.

User-Defined Device Group
- Enable: The Agile Controller-Campus adds devices to device groups. If you know the device
  types, you can set the User-Defined Device Group parameter to accurately add devices to
  groups.
- Disable: The Agile Controller-Campus automatically identifies device types and adds the
  devices to groups. Disable is the default value and applies when you do not know the
  device types.

Device Group | You need to set a name for the group when User-Defined Device Group is
enabled. Resource > Terminal > Terminal List displays all group names.

Step 4 Configure an authentication rule.
- Function
  In MAC address authentication, users do not need to enter their user names and passwords
  for authentication. The service type used in MAC address authentication differs from that
  used in common authentication modes. Therefore, the default authentication rule cannot be
  used and an authentication rule needs to be configured separately.
- Entrance
  Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule.
- Key configuration description
  Choose MAC Bypass Authentication Service for Service Type.

Step 5 Configure an authorization rule.
- Function
  The Agile Controller-Campus grants network access permission to terminals using an
  authorization rule. The default authorization rule does not apply to MAC address
  authentication and an authorization rule needs to be configured separately.
- Entrance
  Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule.
- Key configuration description
  - When adding an authorization rule, choose MAC Bypass Authentication Service for Service
    Type.
  - According to the rule priority, the Agile Controller-Campus matches terminal access
    information with authorization conditions of the authorization rule. When access
    information about a terminal matches all authorization conditions of an authorization
    rule, the Agile Controller-Campus grants permission defined by the authorization result
    of the authorization rule to the terminal.

Step 6 A terminal accesses the network.
After a terminal connects to the network, authentication is performed automatically. After
passing the authentication, the terminal can access resources in the post-authentication
domain.
After the terminal is authenticated successfully:
- Run the display access-user command on the device. Online information about the terminal
  MAC address is displayed.
- On the Service Manager, choose Resource > User > Online User Management. Online
  information about the terminal is displayed.
- On the Service Manager, choose Resource > User > RADIUS Log. The RADIUS authentication
  logs of the terminal are displayed.
If the terminal fails to be authenticated, create a common account on the Agile
Controller-Campus, log in to the device, and run the test-aaa user-name user-password
radius-template template-name pap command to test whether the account can pass RADIUS
authentication.
- If the system displays the message "Info: Account test succeed", indicating that the
  account can pass RADIUS authentication, the fault occurs in the access authentication
  phase. Check the network connection between the terminal and the access control device.
- If the system displays the message "Error: Account test time out", indicating that the
  account cannot pass RADIUS authentication, the fault occurs in the RADIUS authentication
  phase. Check whether interconnection parameter configurations of the RADIUS server on the
  Agile Controller-Campus are consistent with those on the access control device.

The test-aaa command can only test whether users can pass RADIUS authentication and the
interaction process of RADIUS accounting is not involved. Therefore, after running the
test-aaa command, you can view RADIUS logs but cannot view user online information on the
Agile Controller-Campus.

----End

Example
The following example describes how to import MAC address authentication terminals in a
batch.
• How to Fill in the Excel File When You Do Not Know Device Details
When you do not know the device details, fill in only the MAC address and device group
and enter Device Group List in Unknown Device List.

• How to Fill in the Excel File When You Know Device Details
When you know the device details, you can manually configure an identification policy
to enhance the identification ratio and accuracy. The Agile Controller-Campus identifies
the device based on the configured identification policy.
In this case, specify Endpoint MAC, set Statically Assigned Policy to Enable, enter
the name of the identification policy in Matched Policy, and enter Device Group List in
Unknown Device List. The Agile Controller-Campus automatically adds the device to a
device group.

• How to Fill in the Excel File When You Manually Add the Device to a Specified Device
Group
By default, the Agile Controller-Campus classifies devices into groups based on the
device types. You can also manually add a device to a specified device group.
In this case, specify Endpoint MAC, set User-Defined Device Group to Enable, and
enter the name of a specific device group in Device Group List.

• How to Fill in the Excel File When You Need to Mark the Device Access Location
You can use the IP address and connected interface of a device to rapidly locate the
device when a fault occurs.
In this case, specify Endpoint MAC, Access Device IP Address, and Access Device
Port and enter Device Group List in Unknown Device List.

4.19.12.6 Deploying a CA Certificate Server


To use 802.1X certificate authentication, a CA certificate server must be deployed in advance.

A Windows CA certificate server supports only Windows Server 2008 Enterprise or Windows
Server 2008 R2 Enterprise.


You are advised to check the CA certificate server deployment according to the following
flowchart.

Flowchart steps, in order:
Check the working status of the CA component
Check extended fields CDP and AIA
Check network registration service and HTTPS mode
Check the client authentication field in the SCEP template
Check the registry settings
Check the permission on SCEP and OCSP templates
Check the issue of the SCEP and OCSP templates
Check the ocsp_test status

1. Open a browser and enter http://Server-IP/certsrv, where Server-IP indicates the IP
address of the CA certificate server.
If the following page is displayed after login using the AD domain account
administrator and its password, the CA server functions properly. Otherwise, delete and
then add the CA component again.

2. On Server Manager, right-click the root certificate. In the displayed dialog box, click
the Extensions tab and check extended fields CDP and AIA.
– CDP: Include in the CDP extension of issued certificates must be selected for
LDAP and HTTP.
– AIA: The two options in the red box must be selected for the OCSP URL.

3. Open a browser and enter https://Server-IP/certsrv/mscep_admin, where Server-IP
indicates the IP address of the CA certificate server.
If the following page is displayed after login using the AD domain account
administrator and its password, the SCEP and HTTPS settings are correct.


If the page is displayed in HTTP mode but cannot be displayed in HTTPS mode, check
whether HTTPS is bound to the certificate, and whether the correct root certificate is
selected. For SSL certificate, select the certificate whose name is the same as the full
computer name.

If the page cannot be displayed in HTTP mode, check whether Network Device
Enrollment Service is installed.

4. The SCEP template must contain the Client Authentication field. Otherwise, end users
may fail the authentication. If the SCEP template does not contain the Client
Authentication field, correct the settings based on the video instruction.

5. In the registry, set the SCEP template name and disable EnforcePassword.
Find entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP,
and set their values to the SCEP template name.
Registry modification takes effect only after the operating system is restarted.

Set EnforcePassword to 0.

6. Check the permission settings in the SCEP and OCSP templates. If the settings are
incorrect, correct them based on the video instruction.


7. Check whether the SCEP and OCSP templates are issued. If SCEP and OCSP templates
are not in the list, issue the templates based on the video instruction.

8. Choose Start > Administrative Tools > Online Responder Management to check
whether OCSP is in working state. If not, delete ocsp_test and create it again based on
the video instruction.


4.19.12.7 Server Certificate Importing Tool


The server certificate importing tool is used to replace the default authentication certificate of
the Tomcat server and portal server. The Tomcat server or portal server certificate is used for
establishing a reliable communication channel between the Tomcat server and Web browser.
To enable the server to support Internet Explorer 6 on the Windows XP operating system,
SHA1 is used for certificate signature by default. If browser versions later than
Internet Explorer 6 are used, SHA256 is recommended because it is more secure.

Prerequisites
The Service Manager and Service Controller have been installed.

Context
• If the Service Manager and Service Controller are installed on the same hardware server,
both Tomcat server certificate and Portal server certificate are replaced after you run the
server certificate importing tool.
• If the Service Manager and Service Controller are installed on different hardware
servers, run the server certificate importing tool on the server where the Service Manager
is installed to replace the Tomcat server certificate, and run the tool on the server where
the Service Controller is installed to replace the Portal server certificate.

Procedure
Step 1 Log in to the server where the Service Manager or Service Controller is installed.
• Windows
Log in to the server using an administrator account.
• Linux
Log in to the server using a root account.

Step 2 Start the server certificate importing tool.

• Windows
Access the installation directory of the Agile Controller-Campus, which is D:\Agile
Controller by default. Change the installation directory according to the actual situation.
Double-click Upload Certificate.bat to start the certificate importing tool.
• Linux
a. Run the chmod 755 /opt/**.jks command to add read and write permissions to
certificate files, so that the certificate importing tool can normally obtain certificate
files. In this command, /opt specifies the directory for saving a certificate file and
**.jks specifies the certificate name. You need to replace them with the actual
directory and file name respectively.
b. Run the su - controller command to switch to the controller user.
c. Run the cd /opt/AgileController command to access the installation directory of the
Agile Controller-Campus. /opt/AgileController is the default installation directory
of the Agile Controller-Campus. Change the installation directory according to the
actual situation.
d. Run the ll command to check whether the Upload Certificate.sh file exists in the
installation directory of the Agile Controller-Campus.
If so, continue to perform the following steps. If not, check whether the installation
directory of the Agile Controller-Campus is correct.
e. Run the sh Upload Certificate.sh command to start the certificate importing tool.

Step 3 Click Browse. Select the path for storing the certificate and enter the Certificate Password.

Step 4 Click Upload to replace the default server certificate.

Step 5 Restart the Service Manager and Service Controller services after successful upload to make
new certificates take effect.


NOTE

After a Portal server certificate is uploaded, you can only access the Portal server by the domain name
using the HTTPS protocol, and the domain name must be the same as that used during server certificate
application.

----End

4.19.12.8 How Do I Continue to Access the Original Page After Successful Portal Authentication?

Question
How do I continue to access the original page after successful Portal authentication?

Answer
When forcible switching is disabled, the web browser switches an authenticated end user to
the URL requested before the authentication. The AC sends the URL to the Portal server,
which parses the URL to obtain the specific URL. For example, an end user wants to access
http://bbs.example.com. After you specify the URL address parameter (url) on the AC, the
Portal server receives http://Portal server IP address:8080/portal?url=http://bbs.example.com,
and the web browser pushes http://bbs.example.com to the authenticated end user.
To access the original page after successful Portal authentication, you need to perform the
following configurations on both the AC and Agile Controller-Campus.
• Configuration on the AC
When configuring the Portal server on the AC, configure the AC to send the URL that
the user accesses as the parameter to the Portal server.
<AC> system-view
[AC] url-template name myurl
[AC-url-template-myurl] url http://192.168.1.203:8080/portal
[AC-url-template-myurl] url-parameter redirect-url url
#The Portal server obtains the URL to be switched to based on the url parameter. The AC must send the URL that the user accesses as the parameter to the Portal server. Do not change the parameter name url.
[AC-url-template-myurl] quit
[AC] web-auth-server portal
[AC-web-auth-server-portal] server-ip 10.1.1.1
[AC-web-auth-server-portal] port 50200
[AC-web-auth-server-portal] shared-key simple Admin@123
[AC-web-auth-server-portal] url-template myurl
[AC-web-auth-server-portal] quit
[AC] interface vlanif 30
[AC-Vlanif30] web-auth-server portal direct

• Configuration on the Agile Controller-Campus V100R002C00
When configuring the Portal page push rule on the Agile Controller-Campus, set Page
displayed after successful authentication to Continue to visit the original page.

• Configuration on the Agile Controller-Campus V100R001C00
When configuring the Portal page push rule on the Agile Controller-Campus,
choose Policy > Permission Control > Page Customization > Page Customization,
and set URL Field Name to url.

----End
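
The following added example (not code from Huawei or the Agile Controller-Campus) shows how a Portal server could extract and check the url parameter described in this answer before returning the user to the original page. The function names and validation rules are assumptions, and the request URLs are constructed from the addresses used on this page.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Assumption: only web pages are valid "original pages" to return to.
ALLOWED_SCHEMES = {"http", "https"}

# Portal URL from the url-template on this page (constructed sample input).
PORTAL_BASE = "http://192.168.1.203:8080/portal"


def build_portal_url(original_url, encode=True):
    """Build the redirect URL that carries the user's original URL in "url".

    Hypothetical helper: whether the access device percent-encodes the value
    is an assumption, so both variants can be produced for comparison.
    """
    value = quote(original_url, safe="") if encode else original_url
    return f"{PORTAL_BASE}?url={value}"


def original_url_from_request(portal_request_url):
    """Return the original URL carried in "url", or None if it is unusable."""
    query = urlsplit(portal_request_url).query
    values = parse_qs(query, keep_blank_values=True).get("url", [])
    if len(values) != 1:          # missing or repeated parameter
        return None
    try:
        target = urlsplit(values[0])
        host = target.hostname
    except ValueError:            # malformed authority, e.g. bad IPv6 literal
        return None
    if target.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return None
    if target.username is not None or target.password is not None:
        return None               # userinfo hides the real destination host
    return values[0]


def demo():
    """Run the checks on constructed requests and return the results."""
    simple = "http://bbs.example.com"
    with_query = "http://bbs.example.com/thread?id=7&page=2"
    return {
        "simple": original_url_from_request(
            build_portal_url(simple, encode=False)),
        "encoded_query": original_url_from_request(
            build_portal_url(with_query)),
        # An unencoded "&" ends the url value early: page=2 becomes a separate
        # parameter of the Portal request and the original URL is truncated.
        "raw_query": original_url_from_request(
            build_portal_url(with_query, encode=False)),
        "bad_scheme": original_url_from_request(
            build_portal_url("ftp://bbs.example.com/")),
        "userinfo": original_url_from_request(
            build_portal_url("http://bbs.example.com@other.example.net/")),
        "missing": original_url_from_request(PORTAL_BASE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} -> {result}")
```

The raw_query case shows why the original URL should be percent-encoded when it is placed in the url parameter: without encoding, everything after the first & is lost.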

4.19.12.9 What Should I Do Before Connecting a GPRS Modem to the Agile Controller-Campus?

Question
What Should I Do Before Connecting a GPRS Modem to the Agile Controller-Campus?

Answer
1. Ensure that the GPRS modem driver is compatible with the operating system (Microsoft
Windows Server 2008, Microsoft Windows Server 2012 or SUSE Linux 11 SP3) of the
server to be connected.
2. Obtain the baud rate (data transmission rate) of the GPRS modem.
NOTE

Refer to the Product Documentation of the GPRS modem or consult the GPRS modem's technical
support engineer.

3. Use the serial cable or USB cable to connect the GPRS modem to the server.
NOTE

• If the GPRS modem provides a console port, use the serial cable to connect the GPRS
modem to the server with the Service Manager installed.
• If the GPRS modem provides a USB to serial converter, use the USB cable to connect the
GPRS modem to the server with the Service Manager installed and install the USB driver for
the GPRS modem on the server.
4. Configure the baud rate (data transmission rate) of the server to be connected to ensure
that the rate is the same as that of the SMS modem.
– Windows
i. Choose Start > Administrative Tools > Computer Management.
ii. On the Computer Management page, choose System Tools > Device
Manager.
iii. In Ports (COM&LPT), right-click Communications Port (COM1) or
Communications Port (COM2) according to the console port of the SMS
modem and choose Properties.

iv. Click the Port Settings tab and check the baud rate. If the default baud rate
differs from that of the GPRS modem, change the baud rate based on the
GPRS modem's baud rate.


– Linux
In the Linux operating system, the console port identifier is ttyS*. Generally, ttyS0
matches the console port COM1 and ttyS1 matches the console port COM2 in the
Windows operating system. Perform the operation based on the console port to
which the GPRS modem connects.
When configuring a communication port on the Agile Controller-Campus, ensure
that the port is in the /dev/ttyS0 format.
i. Log in to the Linux operating system using the root account.
ii. Run the ls -lrt /dev/ttyS* command and view the console port to which the
GPRS modem connects.
Determine the console port to which the GPRS modem connects based on the
time when the GPRS modem is connected to the server port.

iii. Run the stty -a -F /dev/ttyS0 command and view the baud rate of the console
port.


The port ttyS0 is used as an example. You need to replace it with the actual
port connected to the GPRS modem.

If the baud rate is different from that of the GPRS modem, change the baud rate
based on that of the GPRS modem.
i. Run the stty -F console port speed baud rate command to change the baud
rate of the console port.
For example, you can run the stty -F /dev/ttyS0 speed 115200 command to
change the baud rate of the console port ttyS0 to 115200.
stty -F /dev/ttyS0 speed 115200 //Change the baud rate of the
console port ttyS0 to 115200.
9600 //Display the baud rate before the change.

ii. Run the stty -F /dev/ttyS0 command to check whether the baud rate has been
changed.

4.20 Comprehensive Case


4.20.1 Example for Configuring Unified Access for Wired and Wireless Users

Service Requirements
In practice, both wired and wireless users need to access one network. For example, the PCs
and printers of a company connect to the network in wired mode, and laptops and mobile
phones connect wirelessly. After unified access for wired and wireless users is configured on
a network, users of both types can access the network and be managed in a unified manner.
A hospital needs to deploy both a wired and a wireless network. To simplify management and
maintenance, the administrator requires that wired and wireless users be centrally managed on
the AC, non-authentication and Portal authentication be configured for the wired and wireless
users respectively, and wireless users roam under the same AC.

Networking Requirements
As shown in Figure 4-99, the AC connects to the egress gateway Router in the uplink
direction. In the downlink direction, the AC connects to and manages APs through S5700-1
and S5700-2 access switches. The S5700-1 and S5700-2 are deployed on the first and second
floors, respectively. An AP2010DN is deployed in each room to provide both wired and
wireless access. The AP5030DN is deployed in the corridor to provide wireless network
coverage. The S5700-1 and S5700-2 are PoE switches directly providing power to connected
APs.

The AC functions as a DHCP server to assign IP addresses to APs, STAs, and PCs.

Figure 4-99 Networking for unified wired and wireless access

Data Planning

Table 4-151 Network data planning

| Item | Interface | VLAN | Description |
|---|---|---|---|
| AC | GE1/0/1 | 100, 201 | Connected to the S5700-1 |
| | GE1/0/2 | 100, 202 | Connected to the S5700-2 |
| | GE1/0/3 | 200 | Connected to the Agile Controller |
| | GE1/0/4 | 300 | Connected to the egress gateway |
| S5700-1 | GE0/0/1 | 100, 201 | Connected to the AC |
| | GE0/0/2 | 100, 201 | Connected to AP101 |
| | GE0/0/3 | 100, 201 | Connected to AP102 |
| | GE0/0/4 | 100, 201 | Connected to AP103 |
| S5700-2 | GE0/0/1 | 100, 202 | Connected to the AC |
| | GE0/0/2 | 100, 202 | Connected to AP201 |
| | GE0/0/3 | 100, 202 | Connected to AP202 |
| | GE0/0/4 | 100, 202 | Connected to AP203 |
| AP101 and AP102 | Eth0/0/0, Eth0/0/1, GE0/0/0 | 201 | GE0/0/0 connects to the S5700-1. Eth0/0/0 and Eth0/0/1 connect to wired users. AP101 and AP102 are AP2010DNs and are deployed in rooms on the first floor to provide wired and wireless access. |
| AP103 | - | - | AP103 is an AP5030DN and is deployed in the corridor on the first floor to provide wireless access. |
| AP201 and AP202 | Eth0/0/0, Eth0/0/1, GE0/0/0 | 202 | GE0/0/0 connects to the S5700-2. Eth0/0/0 and Eth0/0/1 connect to wired users. AP201 and AP202 are AP2010DNs and are deployed in rooms on the second floor to provide wired and wireless access. |
| AP203 | - | - | AP203 is an AP5030DN and is deployed in the corridor on the second floor to provide wireless access. |


Table 4-152 Service data planning

| Item | Data | Description |
|---|---|---|
| AC's source interface address | 10.23.100.1/24 | - |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-vap1, regulatory domain profile domain1, and radio profiles radio-2g and radio-5g | - |
| | Name: ap-group2; Referenced profiles: VAP profile wlan-vap2, regulatory domain profile domain1, and radio profiles radio-2g and radio-5g | |
| Portal access profile | Name: portal1; Referenced profile: Portal server profile portal1 | - |
| Authentication profile | Name: portal1; Referenced profile: Portal access profile portal1 | - |
| Regulatory domain profile | Name: domain1; Country code: CN | - |
| AP wired port profile | Name: wired1, wired2, wired3, or wired4 | - |
| RRM profile | Name: rrm1 | - |
| Radio profile | Name: radio-2g or radio-5g; Referenced profile: RRM profile rrm1 | - |
| Security profile | Name: wlan-security; Security and authentication policy: OPEN | - |
| SSID profile | Name: wlan-ssid; SSID: hospital-wlan | - |
| Traffic profile | Name: traffic1 | - |
| VAP profile | Name: wlan-vap1; SSID: hospital-wlan; Data forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profiles: security profile wlan-security, SSID profile wlan-ssid, authentication profile portal1, and traffic profile traffic1 | Provides WLAN network coverage for the first floor of the building. |
| | Name: wlan-vap2; SSID: hospital-wlan; Data forwarding mode: tunnel forwarding; Service VLAN: VLAN 102; Referenced profiles: security profile wlan-security, SSID profile wlan-ssid, authentication profile portal1, and traffic profile traffic1 | Provides WLAN network coverage for the second floor of the building. |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs, STAs, and PCs. | - |
| AP gateway and IP address pool range | VLANIF 100: 10.23.100.1/24; 10.23.100.2-10.23.100.254/24 | - |
| Gateway and IP address pool range of the wireless users | VLANIF 101: 10.23.101.1/24; 10.23.101.2-10.23.101.254/24 | - |
| | VLANIF 102: 10.23.102.1/24; 10.23.102.2-10.23.102.254/24 | - |
| Gateway and IP address pool range of the wired users | VLANIF 201: 10.23.201.1/24; 10.23.201.2-10.23.201.254/24 | - |
| | VLANIF 202: 10.23.202.1/24; 10.23.202.2-10.23.202.254/24 | - |
| Server parameters | Authentication server: IP address: 10.23.200.1; Port number: 1812; RADIUS shared key: Admin@123 | The Service Controller (SC) of the Agile Controller provides RADIUS server and Portal server functions; therefore, the IP address of the SC is used for the authentication server, accounting server, authorization server, and Portal server. |
| | Accounting server: IP address: 10.23.200.1; Port number: 1813; RADIUS shared key: Admin@123 | Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server. |
| | Authorization server: IP address: 10.23.200.1; RADIUS shared key: Admin@123 | Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as that of the authentication server and accounting server. |
| | Portal server: IP address: 10.23.200.1; Port number that the AC uses to listen on Portal protocol packets: 2000; Destination port number in the packets that the AC sends to the Portal server: 50100; Portal shared key: Admin@123; Encryption key for the URL parameters that the AC sends to the Portal server: Admin@123 | |


Table 4-153 Radio channel data planning

| Item | Data | Description |
|---|---|---|
| AP101 | Radio 0: channel 1 and power level 10 | Use the WLAN Planner to plan AP installation locations, and the working channel and power of the AP radio. Set the channel mode and power mode to fixed, and configure the channel and power for each AP. |
| AP102 | Radio 0: channel 6 and power level 10 | |
| AP103 | Radio 0: channel 11 and power level 10; Radio 1: channel 153 and power level 10 | |
| AP201 | Radio 0: channel 1 and power level 10 | |
| AP202 | Radio 0: channel 6 and power level 10 | |
| AP203 | Radio 0: channel 11 and power level 10; Radio 1: channel 157 and power level 10 | |

Configuration Roadmap
1. Configure network interworking of the AC, APs, S5700-1, S5700-2, and other network
devices.
2. Configure the AC as a DHCP server to assign IP addresses to APs, wired users, and
wireless users.
3. Configure a RADIUS server template, configure authentication, accounting, and
authorization in the template, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP management, and
WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can access the
Internet.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
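
The notes on port isolation and on keeping the management VLAN separate from the service VLAN can be checked mechanically. The added example below (not Huawei tooling) audits a CLI transcript written in the prompt style this document uses; the transcript is constructed, GigabitEthernet0/0/4 in it deliberately lacks port isolation, and treating a PVID equal to the management VLAN as the mark of an AP-facing port is an assumption.

```python
import re

MGMT_VLAN = 100  # management VLAN from the data plan on this page

# Constructed transcript in the prompt style of the S5700-1 configuration.
# GigabitEthernet0/0/4 deliberately lacks "port-isolate enable".
SAMPLE_TRANSCRIPT = """\
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 100 201
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100 //Set a PVID for the
interface directly connected to the AP.
[S5700-1-GigabitEthernet0/0/2] port-isolate enable
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/4
[S5700-1-GigabitEthernet0/0/4] port link-type trunk
[S5700-1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/4] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/4] quit
"""

# VAP profiles as planned in the service data table on this page.
VAP_PLAN = [
    {"name": "wlan-vap1", "forward_mode": "tunnel", "service_vlan": 101},
    {"name": "wlan-vap2", "forward_mode": "tunnel", "service_vlan": 102},
]

PROMPT = re.compile(r"^\[(?P<view>[^\]]+)\]\s*(?P<cmd>.*)$")
IFACE_VIEW = re.compile(r"-(GigabitEthernet\d+/\d+/\d+)$")


def parse_interfaces(transcript):
    """Return {interface name: [commands entered in that interface view]}."""
    interfaces = {}
    for raw in transcript.splitlines():
        # Drop trailing "//" annotations (interface commands contain no URLs).
        line = raw.split("//", 1)[0].strip()
        match = PROMPT.match(line)
        if not match:
            continue  # wrapped annotation text or blank line, not a command
        view = IFACE_VIEW.search(match.group("view"))
        if view and match.group("cmd") != "quit":
            interfaces.setdefault(view.group(1), []).append(match.group("cmd"))
    return interfaces


def audit_switch(transcript, mgmt_vlan):
    """Flag AP-facing trunk ports that do not enable port isolation."""
    findings = []
    for name, cmds in sorted(parse_interfaces(transcript).items()):
        # Assumption: a PVID equal to the management VLAN marks an AP port.
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in cmds
        isolated = any(c.startswith("port-isolate enable") for c in cmds)
        if ap_facing and not isolated:
            findings.append(
                f"{name}: AP-facing trunk port without port-isolate enable")
    return findings


def audit_vap_plan(vaps, mgmt_vlan):
    """Flag tunnel-forwarding VAPs whose service VLAN is the management VLAN."""
    return [
        f"{vap['name']}: service VLAN {vap['service_vlan']} equals the "
        "management VLAN in tunnel forwarding mode"
        for vap in vaps
        if vap["forward_mode"] == "tunnel" and vap["service_vlan"] == mgmt_vlan
    ]


if __name__ == "__main__":
    for finding in audit_switch(SAMPLE_TRANSCRIPT, MGMT_VLAN):
        print(finding)
    for finding in audit_vap_plan(VAP_PLAN, MGMT_VLAN):
        print(finding)
```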

Procedure
Step 1 Configure network devices to communicate with each other.
# Add GE0/0/1 to GE0/0/4 of the S5700-1 to VLAN 100 (management VLAN) and VLAN
201 (VLAN for wired service packets), and add GE0/0/1 to GE0/0/4 of the S5700-2 to VLAN
100 and VLAN 202 (VLAN for wireless service packets). Set PVIDs for interfaces directly
connected to APs. You are advised to configure port isolation on these interfaces to reduce
unnecessary broadcast traffic. The S5700-1 is used as an example here. The configuration on
the S5700-2 is similar. For details, see the configuration file of the S5700-2.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 100 201
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100 //Set a PVID for the interface directly connected to the AP.
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit
[S5700-1] interface gigabitethernet 0/0/4
[S5700-1-GigabitEthernet0/0/4] port link-type trunk
[S5700-1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/4] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/4] port-isolate enable
[S5700-1-GigabitEthernet0/0/4] quit

# On the AC, add GE1/0/1 (connected to the S5700-1) to VLAN 100 and VLAN 201,
GE1/0/2 (connected to the S5700-2) to VLAN 100 and VLAN 202, GE1/0/4 (connected to
the upper-layer network) to VLAN 300, and GE1/0/3 (connected to the Agile Controller) to
VLAN 200.
[AC6605] sysname AC
[AC] vlan batch 100 200 201 202 300
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 201
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 202
[AC-GigabitEthernet1/0/2] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 300
[AC-GigabitEthernet1/0/4] quit

# Configure VLANIF 200 for communication between the AC and Agile Controller.
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.2 24 //Configure an IP address for communication between the AC and Agile Controller.
[AC-Vlanif200] quit

Step 2 Configure the AC as a DHCP server to assign IP addresses to PCs, APs, and STAs.
# Configure the AC to assign IP addresses to PCs, APs, and STAs from an interface address
pool.
[AC] dhcp enable
[AC] vlan batch 101 102
[AC] interface vlanif 100 //Configure an interface address pool to assign IP addresses to APs.
[AC-Vlanif100] description manage_ap
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101 //Configure an interface address pool to assign IP
addresses to STAs on the first floor.
[AC-Vlanif101] description manage_floor1_sta
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102 //Configure an interface address pool to assign IP
addresses to STAs on the second floor.
[AC-Vlanif102] description manage_floor2_sta
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
[AC] interface vlanif 201 //Configure an interface address pool to assign IP
addresses to PCs on the first floor.
[AC-Vlanif201] description manage_floor1_pc
[AC-Vlanif201] ip address 10.23.201.1 24
[AC-Vlanif201] dhcp select interface
[AC-Vlanif201] quit
[AC] interface vlanif 202 //Configure an interface address pool to assign IP
addresses to PCs on the second floor.
[AC-Vlanif202] description manage_floor2_pc
[AC-Vlanif202] ip address 10.23.202.1 24
[AC-Vlanif202] dhcp select interface
[AC-Vlanif202] quit

Step 3 Configure a RADIUS server template, configure authentication, accounting, and authorization
in the template, and configure Portal authentication.
# Configure a RADIUS server template on the AC, and configure authentication, accounting,
and authorization in the template.
[AC] radius-server template radius1 //Create the RADIUS server template radius1
[AC-radius-radius1] radius-server authentication 10.23.200.1 1812 source ip-address
10.23.200.2 weight 80 //Configure the RADIUS authentication server and
authentication port 1812. The AC uses the IP address 10.23.200.2 to communicate
with the RADIUS server.
[AC-radius-radius1] radius-server accounting 10.23.200.1 1813 source ip-address
10.23.200.2 weight 80 //Configure the RADIUS accounting server to collect user
login and logout information and set the accounting port number to 1813. The AC
uses the IP address 10.23.200.2 to communicate with the RADIUS server.
[AC-radius-radius1] radius-server shared-key cipher Admin@123 //Configure the
shared key for the RADIUS server.
[AC-radius-radius1] undo radius-server user-name domain-included //The user
name that the device sends to the RADIUS server does not carry the domain name.
Configure the command when the RADIUS server does not accept the user name with
the domain name.
[AC-radius-radius1] quit
[AC] radius-server authorization 10.23.200.1 shared-key cipher Admin@123 //
Configure an IP address for the RADIUS authorization server, set the shared key
to Admin@123, same as the authentication and accounting keys. Configure the
authorization server so that the RADIUS server can deliver authorization rules to
the AC.
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme
radius1.
[AC-aaa-authen-radius1] authentication-mode radius //If the Agile Controller
functions as the RADIUS server, the authentication mode must be set to RADIUS.
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1 //Create the accounting scheme radius1.
[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to
RADIUS. To facilitate account status information maintenance on the RADIUS
server, including the login and logout information, and forced logout
information, the accounting mode must be set to radius.
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1 //Create the domain portal1.
[AC-aaa-domain-portal1] authentication-scheme radius1 //Bind the authentication
scheme radius1.
[AC-aaa-domain-portal1] accounting-scheme radius1 //Bind the accounting scheme
radius1.
[AC-aaa-domain-portal1] radius-server radius1 //Bind the RADIUS server template
radius1.
[AC-aaa-domain-portal1] quit
[AC-aaa] quit

# Configure the Portal server.


[AC] web-auth-server portal1 //Create the Portal server template portal1.
[AC-web-auth-server-portal1] server-ip 10.23.200.1 //Configure an IP address for
the Portal server.
[AC-web-auth-server-portal1] port 50100 //Set the destination port number used
by the device to send packets to the Portal server to 50100 (default setting).
[AC-web-auth-server-portal1] shared-key cipher Admin@123 //Configure the shared
key for message exchange between the AC and Portal server.
[AC-web-auth-server-portal1] url http://10.23.200.1:8080/portal //Configure the
URL for a Portal server.
[AC-web-auth-server-portal1] quit

# Enable Portal authentication for wireless users, and configure non-authentication for wired
users.
[AC] portal-access-profile name portal1
[AC-portal-acces-profile-portal1] web-auth-server portal1 direct //Bind the
Portal server template portal1 and specify Layer 2 authentication as the Portal
authentication mode.
[AC-portal-acces-profile-portal1] quit
[AC] authentication-profile name portal1
[AC-authen-profile-portal1] portal-access-profile portal1
[AC-authen-profile-portal1] access-domain portal1 force //Configure the forcible
user domain portal1.
[AC-authen-profile-portal1] quit

Step 4 Configure APs to go online.
# Create AP groups.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn //Configure the AC country
code. Radio features of APs managed by the AC must conform to local laws and
regulations. The default country code is CN.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC.


[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 101 ap-mac 60de-4476-e320
[AC-wlan-ap-101] ap-name ap-101
[AC-wlan-ap-101] ap-group ap-group1 //Add APs on the first floor to ap-group1.
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 60de-4476-e340
[AC-wlan-ap-102] ap-name ap-102
[AC-wlan-ap-102] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac dcd2-fc04-b520
[AC-wlan-ap-103] ap-name ap-103
[AC-wlan-ap-103] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 201 ap-mac 60de-4476-e360
[AC-wlan-ap-201] ap-name ap-201
[AC-wlan-ap-201] ap-group ap-group2 //Add APs on the second floor to ap-group2.
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202 ap-mac 60de-4476-e380
[AC-wlan-ap-202] ap-name ap-202
[AC-wlan-ap-202] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-202] quit
[AC-wlan-view] ap-id 203 ap-mac dcd2-fc04-b540
[AC-wlan-ap-203] ap-name ap-203
[AC-wlan-ap-203] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-203] quit

# Power on the APs and run the display ap all command to check the AP state. If the State
field is nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [6]
--------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type         State STA Uptime
--------------------------------------------------------------------------------
101  60de-4476-e320 ap-101 ap-group1 10.23.101.254 AP6010DN-AGN nor   0   10S
102  60de-4476-e340 ap-102 ap-group1 10.23.101.253 AP6010DN-AGN nor   0   15S
103  dcd2-fc04-b520 ap-103 ap-group1 10.23.101.252 AP6010DN-AGN nor   0   23S
201  60de-4476-e360 ap-201 ap-group2 10.23.102.254 AP6010DN-AGN nor   0   45S
202  60de-4476-e380 ap-202 ap-group2 10.23.102.253 AP6010DN-AGN nor   0   49S
203  dcd2-fc04-b540 ap-203 ap-group2 10.23.102.252 AP6010DN-AGN nor   0   55S
--------------------------------------------------------------------------------
Total: 6

# Configure an AP2010DN's uplink interface GE0/0/0 and downlink interfaces Eth0/0/0 and
Eth0/0/1 to allow wired service packets to pass.
[AC-wlan-view] wired-port-profile name wired1
[AC-wlan-wired-port-wired1] vlan pvid 201 //The downlink interface of the
AP2010DN is used to connect wired terminals, such as the PCs. Set a PVID for the
interface. VLAN 201 is used to transmit wired service packets of the first floor.
[AC-wlan-wired-port-wired1] vlan untagged 201 //The downlink interface of the
AP2010DN is used to connect wired terminals. Add the interface to VLAN 201 in
untagged mode.
[AC-wlan-wired-port-wired1] quit
[AC-wlan-view] wired-port-profile name wired2
[AC-wlan-wired-port-wired2] vlan tagged 201 //The uplink interface of the
AP2010DN is used to connect to the upper-layer devices. Add the interface to VLAN
201 in tagged mode.
[AC-wlan-wired-port-wired2] quit
[AC-wlan-view] wired-port-profile name wired3
[AC-wlan-wired-port-wired3] vlan pvid 202 //The downlink interface of the
AP2010DN is used to connect wired terminals, such as the PCs. Set a PVID for the
interface. VLAN 202 is used to transmit wired service packets of the second floor.
[AC-wlan-wired-port-wired3] vlan untagged 202
[AC-wlan-wired-port-wired3] quit
[AC-wlan-view] wired-port-profile name wired4
[AC-wlan-wired-port-wired4] vlan tagged 202
[AC-wlan-wired-port-wired4] quit
[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-101] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-102] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 201
[AC-wlan-ap-201] wired-port-profile wired3 ethernet 0
[AC-wlan-ap-201] wired-port-profile wired3 ethernet 1
[AC-wlan-ap-201] wired-port-profile wired4 gigabitethernet 0
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202
[AC-wlan-ap-202] wired-port-profile wired3 ethernet 0
[AC-wlan-ap-202] wired-port-profile wired3 ethernet 1
[AC-wlan-ap-202] wired-port-profile wired4 gigabitethernet 0
[AC-wlan-ap-202] quit

Step 5 Configure WLAN service parameters.


# Create RRM profile rrm1.
[AC-wlan-view] rrm-profile name rrm1
[AC-wlan-rrm-prof-rrm1] calibrate auto-channel-select disable //Set the channel
selection mode of the radio to fixed.
[AC-wlan-rrm-prof-rrm1] calibrate auto-txpower-select disable //Set the transmit
power mode of the radio to fixed.
[AC-wlan-rrm-prof-rrm1] quit

# Create radio profiles radio-2g and radio-5g and bind rrm1 to the radio profiles.
[AC-wlan-view] radio-2g-profile name radio-2g
[AC-wlan-radio-2g-prof-radio-2g] rrm-profile rrm1
[AC-wlan-radio-2g-prof-radio-2g] quit
[AC-wlan-view] radio-5g-profile name radio-5g
[AC-wlan-radio-5g-prof-radio-5g] rrm-profile rrm1
[AC-wlan-radio-5g-prof-radio-5g] quit

# Create security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security //Portal authentication has
been enabled on the interface. Set the security policy to OPEN (default setting),
that is, no authentication and no encryption.
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to hospital-wlan.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid hospital-wlan //Set the SSID to hospital-wlan.
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create traffic profile traffic1 and configure Layer 2 user isolation.


[AC-wlan-view] traffic-profile name traffic1
[AC-wlan-traffic-prof-traffic1] user-isolate l2
Warning: This action may cause service interruption. Continue?[Y/N]y

# Create VAP profiles wlan-vap1 and wlan-vap2, configure the data forwarding mode and
service VLANs, and apply the security profile, SSID profile, and authentication profile to the
VAP profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel //Set the service forwarding
mode to tunnel.
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101 //Set the VLAN ID to 101.
The default VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap1] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode tunnel //Set the service forwarding
mode to tunnel.
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap2] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap2] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap2] quit

# Bind the VAP profile and radio profile to the AP group.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio-2g radio all
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio-5g radio all
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] radio-2g-profile radio-2g radio all
[AC-wlan-ap-group-ap-group2] radio-5g-profile radio-5g radio all
[AC-wlan-ap-group-ap-group2] quit

Step 6 Configure the AP channel and power.


[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] radio 0
[AC-wlan-radio-101/0] channel 20mhz 1 //Configure the channel based on the
planning result of the WLAN Planner.
[AC-wlan-radio-101/0] eirp 10 //Configure the power based on the planning result
of the WLAN Planner.
[AC-wlan-radio-101/0] quit
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] radio 0
[AC-wlan-radio-102/0] channel 20mhz 6
[AC-wlan-radio-102/0] eirp 10
[AC-wlan-radio-102/0] quit
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103
[AC-wlan-ap-103] radio 0
[AC-wlan-radio-103/0] channel 20mhz 11
[AC-wlan-radio-103/0] eirp 10
[AC-wlan-radio-103/0] quit
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 103
[AC-wlan-ap-103] radio 1 //The AP5030 supports two radios. This step configures
radio 1.
[AC-wlan-radio-103/1] channel 20mhz 153
[AC-wlan-radio-103/1] eirp 10
[AC-wlan-radio-103/1] quit
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 201
[AC-wlan-ap-201] radio 0
[AC-wlan-radio-201/0] channel 20mhz 1
[AC-wlan-radio-201/0] eirp 10
[AC-wlan-radio-201/0] quit
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202
[AC-wlan-ap-202] radio 0
[AC-wlan-radio-202/0] channel 20mhz 6
[AC-wlan-radio-202/0] eirp 10
[AC-wlan-radio-202/0] quit
[AC-wlan-ap-202] quit
[AC-wlan-view] ap-id 203
[AC-wlan-ap-203] radio 0
[AC-wlan-radio-203/0] channel 20mhz 11
[AC-wlan-radio-203/0] eirp 10
[AC-wlan-radio-203/0] quit
[AC-wlan-ap-203] quit
[AC-wlan-view] ap-id 203
[AC-wlan-ap-203] radio 1
[AC-wlan-radio-203/1] channel 20mhz 157
[AC-wlan-radio-203/1] eirp 10
[AC-wlan-radio-203/1] quit
[AC-wlan-ap-203] quit

Step 7 Verify the configuration.


# After the configuration is complete, run the display vap all command. The command output
shows that VAPs have been created.
[AC-wlan-view] display vap all
WID : WLAN ID
----------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
----------------------------------------------------------------------------------
101 ap-101 0 1 60DE-4476-E320 ON OPEN 0 hospital-wlan
102 ap-102 0 1 60DE-4476-E340 ON OPEN 0 hospital-wlan
103 ap-103 0 1 DCD2-FC04-B520 ON OPEN 0 hospital-wlan
103 ap-103 1 1 DCD2-FC04-B530 ON OPEN 0 hospital-wlan
201 ap-201 0 1 60DE-4476-E360 ON OPEN 0 hospital-wlan
202 ap-202 0 1 60DE-4476-E380 ON OPEN 0 hospital-wlan
203 ap-203 0 1 DCD2-FC04-B540 ON OPEN 0 hospital-wlan
203 ap-203 1 1 DCD2-FC04-B550 ON OPEN 0 hospital-wlan
---------------------------------------------------------------------------------
Total: 8

# Connect STAs to the WLAN with SSID hospital-wlan. After you enter the password, the
STAs can access the wireless network. Run the display station all command on the AC. The
command output shows that the STAs are connected to the WLAN hospital-wlan.
[AC-wlan-view] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address    SSID
-------------------------------------------------------------------------------------------
14cf-9208-9abf 0     ap-101  0/1     2.4G 11n  3/8   -70  10   10.23.101.254 hospital-wlan
-------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

# STAs and PCs obtain IP addresses and connect to the network properly.

----End

Configuration Files
- S5700-1 configuration file
#
sysname S5700-1
#
vlan batch 100 201
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
return
- S5700-2 configuration file
#
sysname S5700-2
#
vlan batch 100 202
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
return
- AC configuration file
#
sysname AC
#
vlan batch 100 to 102 200 to 202 300
#
authentication-profile name portal1
portal-access-profile portal1
access-domain portal1
access-domain portal1 force
#
dhcp enable
#
radius-server template radius1
radius-server shared-key cipher %^%#ZGx{:~QFtUUhhG!`ba-PTj=H1p_J<1/%ZAXuB5)0%^%#
radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80
radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80
undo radius-server user-name domain-included
radius-server authorization 10.23.200.1 shared-key cipher %^%#w]=@OYp:T9"u@{I2RD4U5QJi2{u]$M{]DND|;=s"%^%#
#
web-auth-server portal1
server-ip 10.23.200.1
port 50100
shared-key cipher %^%#yJ0=%9W@FVMN/=HIR9EN@1abUN6>a(Bn@MHR7Bl4%^%#
url http://10.23.200.1:8080/portal
#
portal-access-profile name portal1
web-auth-server portal1 direct
#
aaa
authentication-scheme radius1
authentication-mode radius
accounting-scheme radius1
accounting-mode radius
domain portal1
authentication-scheme radius1
accounting-scheme radius1
radius-server radius1
#
interface Vlanif100
description manage_ap
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
description manage_floor1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
description manage_floor2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface Vlanif201
description manage_floor1_pc
ip address 10.23.201.1 255.255.255.0
dhcp select interface
#
interface Vlanif202
description manage_floor2_pc
ip address 10.23.202.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 300
#
capwap source interface vlanif100
#
wlan
traffic-profile name traffic1
user-isolate l2
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid hospital-wlan
vap-profile name wlan-vap1
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
authentication-profile portal1
vap-profile name wlan-vap2
forward-mode tunnel
service-vlan vlan-id 102
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
authentication-profile portal1
regulatory-domain-profile name domain1
rrm-profile name rrm1
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio-2g-profile name radio-2g
rrm-profile rrm1
radio-5g-profile name radio-5g
rrm-profile rrm1
wired-port-profile name wired1
vlan pvid 201
vlan untagged 201
wired-port-profile name wired2
vlan tagged 201
wired-port-profile name wired3
vlan pvid 202
vlan untagged 202
wired-port-profile name wired4
vlan tagged 202
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
radio 1
radio-5g-profile radio-5g
radio 2
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
radio 1
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
radio 2
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
ap-id 101 type-id 19 ap-mac 60de-4476-e320 ap-sn 210235419610CB002378
ap-name ap-101
ap-group ap-group1
wired-port-profile wired1 ethernet 0
wired-port-profile wired1 ethernet 1
wired-port-profile wired2 gigabitethernet 0
radio 0
channel 20mhz 1
eirp 10
ap-id 102 type-id 19 ap-mac 60de-4476-e340 ap-sn 210235419610CB002204
ap-name ap-102
ap-group ap-group1
wired-port-profile wired1 ethernet 0
wired-port-profile wired1 ethernet 1
wired-port-profile wired2 gigabitethernet 0
radio 0
channel 20mhz 6
eirp 10
ap-id 103 type-id 19 ap-mac dcd2-fc04-b520 ap-sn 210235419610CB002561
ap-name ap-103
ap-group ap-group1
radio 0
channel 20mhz 11
eirp 10
radio 1
channel 20mhz 153
eirp 10
ap-id 201 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235419610CB002287
ap-name ap-201
ap-group ap-group2
wired-port-profile wired3 ethernet 0
wired-port-profile wired3 ethernet 1
wired-port-profile wired4 gigabitethernet 0
radio 0
channel 20mhz 1
eirp 10
ap-id 202 type-id 19 ap-mac 60de-4476-e380 ap-sn 210235419610CB002984
ap-name ap-202
ap-group ap-group2
wired-port-profile wired3 ethernet 0
wired-port-profile wired3 ethernet 1
wired-port-profile wired4 gigabitethernet 0
radio 0
channel 20mhz 6
eirp 10
ap-id 203 type-id 19 ap-mac dcd2-fc04-b540 ap-sn 210235419610CB002632
ap-name ap-203
ap-group ap-group2
radio 0
channel 20mhz 11
eirp 10
radio 1
channel 20mhz 157
eirp 10
#
return
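
The following is an added example, not part of Huawei's document or code: a Python check that reads configuration text like the files above and reports open security profiles, a Portal URL served over HTTP, VAP profiles without Layer 2 user isolation, and AP-facing trunks without port isolation. The function names, the one-space sub-command indentation, the PVID heuristic for AP-facing ports, and port GigabitEthernet0/0/5 are assumptions made for the example.

```python
"""Audit VRP configuration text for the isolation and WLAN access settings used above."""

# Constructed input: excerpts of the S5700-1 and AC configuration files above, with the
# one-space indentation assumed for sub-commands. GE0/0/5 is constructed (no isolation).
SWITCH_CFG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk pvid vlan 100
#
"""

AC_CFG = """\
#
web-auth-server portal1
 url http://10.23.200.1:8080/portal
#
wlan
 traffic-profile name traffic1
  user-isolate l2
 security-profile name wlan-security
 vap-profile name wlan-vap1
  security-profile wlan-security
  traffic-profile traffic1
#
"""


def parse_blocks(text):
    """Map every configuration line to the sub-commands indented beneath it."""
    blocks, stack = {}, []  # stack holds (indent, header) of the open blocks
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):  # '#' closes the current top-level block
            stack = []
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if stack:
            blocks[stack[-1][1]].append(line)
        blocks.setdefault(line, [])
        stack.append((indent, line))
    return blocks


def bound_profile(children, keyword):
    """Return NAME from a '<keyword> NAME' binding line, or None if absent."""
    for child in children:
        parts = child.split()
        if len(parts) == 2 and parts[0] == keyword:
            return parts[1]
    return None


def audit(config):
    """Return the list of findings for one device's configuration text."""
    blocks, findings = parse_blocks(config), []
    for header, children in blocks.items():
        words = header.split()
        if header.startswith("vap-profile name "):
            vap = words[2]
            sec = bound_profile(children, "security-profile")
            policy = blocks.get(f"security-profile name {sec}", [])
            if sec is None:
                findings.append(f"{vap}: no security-profile binding found")
            # Assumption: any non-open policy appears as a 'security ...' line.
            elif not any(c.startswith("security ") for c in policy):
                findings.append(f"{vap}: security profile {sec} is open (no encryption)")
            traffic = bound_profile(children, "traffic-profile")
            if "user-isolate l2" not in blocks.get(f"traffic-profile name {traffic}", []):
                findings.append(f"{vap}: no Layer 2 user isolation")
        elif words[0] == "web-auth-server":
            for child in children:
                if child.startswith("url http://"):
                    findings.append(f"{words[1]}: Portal URL is plain HTTP ({child.split()[1]})")
        elif words[0] == "interface":
            # Assumption: a trunk with a PVID is an AP-facing port, as on the S5700s here.
            has_pvid = any(c.startswith("port trunk pvid vlan") for c in children)
            isolated = any(c.startswith("port-isolate enable") for c in children)
            if has_pvid and not isolated:
                findings.append(f"{words[1]}: AP-facing trunk without port isolation")
    return findings


if __name__ == "__main__":
    for device, cfg in (("S5700-1", SWITCH_CFG), ("AC", AC_CFG)):
        for finding in audit(cfg):
            print(f"[{device}] {finding}")
```

Run it against each device's saved configuration separately, because interface names repeat across devices.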

4.20.2 Higher Education Campus Network Deployment Case (S12700 Used as the Gateway and Authentication Point)

4.20.2.1 Application Scenario and Service Requirements

Application Scenario
This solution uses the core switch as the gateway and authentication point and applies to
education campus networks with fewer than 10,000 access users. It meets customers'
requirements for unified management and configuration of access switches.

Service Requirements
Campus network construction must take into account the number of users at colleges and
universities. Users can access the network only after being authenticated. To ensure
network security, users in different roles must be assigned different network access
rights.

Education campus networks must meet the following requirements:

- Access
  Provide both wired and wireless access.
- Security
  Assign different network access rights to students, teachers, and other roles.
- Authentication and Accounting
  Use PPPoE, Portal, or 802.1X authentication for wired users, and use Portal or 802.1X
  authentication for wireless users. There are accounting requirements.
- O&M
  Provide unified management of wired and wireless networks.

4.20.2.2 Solution Design

Networking Diagram
The core switch S12700 is configured as the authentication point and gateway for users on the
entire school campus backbone network. The S12700 has the X1E card installed, supports
native AC, and carries wireless services on the entire network.

Network Design
Two S12700s constitute a Cluster Switch System (CSS) that is used as the core of a campus
network, providing high network reliability and scalability.

The S7700 is used as the aggregation switch in each office building and connects to access
switches of each floor. The S5700 is used as the access switch.

The core switch S12700 is configured with native AC to manage APs on the entire network
and transmits wireless services to implement wired and wireless convergence.

The S12700 is used as the gateway for both wired and wireless users on the entire network,
and forwards packets of users based on routes. The S12700 also functions as the
authentication point to authenticate wired and wireless users.

Involved NEs and Software Versions

Product                  Software Version
S12700                   V200R009C00
S7700                    V200R009C00
S5700                    V200R009C00
Agile Controller-Campus  V100R002C10
USG6600                  V500R001C00
AP                       V200R006C20

4.20.2.3 Configuration Roadmap and Data Plan

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the aggregation switch.
2. Configure the access switch.
3. Use two S12700s to set up a CSS.
4. Configure interfaces and VLANs on the core switch S12700.
5. Configure Dynamic Host Configuration Protocol (DHCP) on the core switch, and
configure the core switch as a DHCP server to allocate IP addresses to users.
6. Configure the WLAN service on the core switch S12700.
7. Configure wired and wireless authentication and accounting services on the core switch
S12700. Portal authentication is used as an example here.
8. Configure Extensible Messaging and Presence Protocol (XMPP) parameters on the core
switch for interworking with the Agile Controller, and enable free mobility.
9. Configure interfaces and IP addresses on the firewall.
10. Configure zones and security policies on the firewall.
11. Configure Huawei Redundancy Protocol (HRP) on the firewall.
12. Configure intelligent route selection on the firewall.
13. Configure a NAT address pool and a NAT policy on the firewall.
14. Perform agile network configurations on the firewall.
15. Log in to the Agile Controller to add user groups and user accounts.
16. Configure Remote Authentication Dial In User Service (RADIUS), Portal, and XMPP
parameters, and add a core switch and a firewall on the Agile Controller.
17. Configure and deploy security groups and inter-group policies on the Agile Controller.
18. Configure and deploy QoS policies on the Agile Controller.
19. Add a RADIUS relay agent and define customization conditions on the Agile Controller.
20. Define authentication rules on the Agile Controller and enable the RADIUS relay agent.
21. Configure authorization results and rules on the Agile Controller.
22. Add network devices on the Srun.
23. Add RADIUS attributes based on customization conditions of the Agile Controller on
the Srun.
24. Configure management of accounting and control policies on the Srun.
25. Configure user group management and create users on the Srun.

Data Plan

Table 4-154 Basic service data plan of the core switch

Item                                               VLAN ID    Network Segment
Network segment connected to the uplink interface  VLAN 10    192.168.10.0/24
mVLAN for APs                                      VLAN 20    192.168.20.0/24
Service VLAN of wireless users                     VLAN 30    172.16.30.0/24
Service VLAN of wired users                        VLAN 40    172.16.40.0/24
Network segment connected to the Agile Controller  VLAN 1000  168.88.77.157/17

Table 4-155 Authentication service data plan of the core switch

| Item | Data |
|---|---|
| RADIUS server template | Authentication server IP address: 168.88.77.10; Authentication server port number: 1812; Accounting server IP address: 168.88.77.10; Accounting server port number: 1813; RADIUS server shared key: Admin@123; Accounting interval: 15 minutes |
| Portal server | URL: http://168.88.77.10:8080/portal; IP address: 168.88.77.10; Port number: 50100; Shared key: Admin@123 |
| XMPP password | Admin@123 |
| Pre-authentication domain | DNS server IP address: 168.88.77.140 |
| Post-authentication domain | User1 matches the free mobility inter-group policy and is allowed to access Server1 and Server2. User2 matches the free mobility inter-group policy and is allowed to access Server1 but is not allowed to access Server2. User1 and user2 cannot access each other. |

Table 4-156 Service data plan of the Agile Controller

| Item | Data |
|---|---|
| IP address of the core switch | 168.88.77.157 |
| RADIUS authentication key | Admin@123 |
| RADIUS accounting key | Admin@123 |
| Portal parameters | Settings on the two core switches: Port number: 2000; Portal key: Admin@123; IP address segment of access terminals: 172.16.0.0/16 |
| Security group | group1; group2 |
| Resource group | server1: 21.0.0.100; server2: 22.0.0.100 |

Table 4-157 Data plan of the egress solution and USG6600 HRP

| Device | Interface Number | Member Interface | VLANIF | IP Address | Remote Device | Remote Interface Number |
|---|---|---|---|---|---|---|
| FW1 | GE1/0/1 | - | - | 201.0.0.1/24 | Public IP address 1 assigned by ISP1 to an enterprise | - |
| FW1 | GE1/0/2 | - | - | 202.0.0.2/24 | Public IP address 2 assigned by ISP2 to an enterprise | - |
| FW1 | GE1/0/5 | - | - | 10.10.0.1/24 | FW2 | GE1/0/5 |
| FW1 | Eth-Trunk 30 | GE1/0/3 and GE1/0/4 | - | 192.168.10.1/24 | S12700 CSS2 | Eth-Trunk 30 |
| FW2 | GE1/0/1 | - | - | 201.0.0.2/24 | Public IP address 3 assigned by ISP1 to an enterprise | - |
| FW2 | GE1/0/2 | - | - | 202.0.0.1/24 | Public IP address 4 assigned by ISP2 to an enterprise | - |
| FW2 | GE1/0/5 | - | - | 10.10.0.2/24 | FW1 | GE1/0/5 |
| FW2 | Eth-Trunk 40 | GE1/0/3 and GE1/0/4 | - | 192.168.10.2/24 | S12700 CSS2 | Eth-Trunk 40 |
| S12700 CSS2 | Eth-Trunk 30 | GE1/2/0/0 and GE2/2/0/0 | VLANIF 10 | 192.168.10.3/24 | FW1 | Eth-Trunk 30 |
| S12700 CSS2 | Eth-Trunk 40 | GE1/2/0/1 and GE2/2/0/1 | VLANIF 10 | 192.168.10.3/24 | FW2 | Eth-Trunk 40 |
| S12700 CSS2 | Eth-Trunk 20 | XGE1/1/0/0 and XGE2/1/0/0 | - | - | S7700-A | Eth-Trunk 20 |
| S12700 CSS2 | Eth-Trunk 10 | XGE1/1/0/1 and XGE2/1/0/1 | - | - | S7700-B | Eth-Trunk 20 |
| S7700-A | Eth-Trunk 20 | XGE2/0/1 and XGE2/0/2 | - | - | S12700 CSS2 | Eth-Trunk 20 |
| S7700-B | Eth-Trunk 10 | XGE2/0/1 and XGE2/0/2 | - | - | S12700 CSS2 | Eth-Trunk 10 |

4.20.2.4 Configuration Notes


Free Mobility Configuration Notes:

- The Agile Controller-Campus can support the free mobility function only after a license
  is loaded.
- To implement free mobility, authentication points for intranet users must be deployed on
  agile switches. It is recommended that S12700 and S7700 with X1E/X2S/X2E/X2H
  cards, and S5720-HI switches be used.
- Policy enforcement points for free mobility are deployed on agile switches, Next-
  Generation Firewalls (NGFWs), or Secure Sockets Layer virtual private network (SVN).
- If there is a requirement for user-to-user access control, Layer 2 isolation must be
  deployed on access switches to divert all traffic to authentication point switches. User
  isolation for wireless service needs to be configured in the VAP profile.
- If 802.1X authentication needs to be deployed on switches and firewalls function as
  policy enforcement points for free mobility, real-time accounting must be configured
  on the switches. The switches report IP addresses to the Agile Controller-Campus by
  sending accounting packets, so that firewalls can query them.
- When 802.1X authentication is used for wired users, the authentication points can be
  core switches or aggregation switches. If the authentication points are core switches,
  EAP packet transparent transmission must be configured on access switches and
  aggregation switches. Similarly, if the authentication points are aggregation switches,
  EAP packet transparent transmission must be configured on access switches.
- When a firewall functions as a policy enforcement point, the intranet user network
  segment needs to be specified on the Agile Controller-Campus for the firewall to query
  the security group to which an IP address belongs. When user access traffic reaches the
  firewall, the firewall sends the user IP address to the Agile Controller-Campus to query
  its security group. The firewall will initiate inquiries only when the IP addresses are
  within the intranet segment.
- When a firewall functions as a policy enforcement point, to prevent the security group
  queries sent from the firewall to the Agile Controller-Campus from being discarded, it is
  recommended that the Agile Controller-Campus deliver global configurations to the
  firewall and forward RADIUS packets to the Agile Controller-Campus.
- Only firewalls support the free mobility QoS policy.
- To implement free mobility, only firewalls support the application-based access
  permission control, bandwidth rate limit, and priority scheduling.

4.20.2.5 Configuration Procedure

4.20.2.5.1 Configuring the Aggregation Switch S7700-A in Office Building A


# Create a service VLAN for wired users and configure the VLAN allowed by an interface.
The configuration of the aggregation switch S7700 in office building B is similar to that in
office building A, and is not mentioned here.
# Create a VLAN.
<HUAWEI> system-view
[HUAWEI] sysname S7700-A
[S7700-A] vlan batch 40

# Create an Eth-Trunk connected to the core switch.


[S7700-A] interface eth-trunk 20
[S7700-A-Eth-Trunk20] description connect to S127
[S7700-A-Eth-Trunk20] port link-type trunk
[S7700-A-Eth-Trunk20] port trunk allow-pass vlan 40
[S7700-A-Eth-Trunk20] quit

# Create an Eth-Trunk connected to the core switch and add uplink interfaces to the Eth-
Trunk.
[S7700-A] interface xgigabitethernet 2/0/1
[S7700-A-XGigabitEthernet2/0/1] eth-trunk 20
[S7700-A-XGigabitEthernet2/0/1] quit
[S7700-A] interface xgigabitethernet 2/0/2
[S7700-A-XGigabitEthernet2/0/2] eth-trunk 20
[S7700-A-XGigabitEthernet2/0/2] quit

# Create VLAN 40 connected to the access switch and add downlink interfaces to VLAN 40.
[S7700-A] interface gigabitethernet 1/0/1
[S7700-A-GigabitEthernet1/0/1] port link-type trunk
[S7700-A-GigabitEthernet1/0/1] port trunk allow-pass vlan 40
[S7700-A-GigabitEthernet1/0/1] port-isolate enable
[S7700-A-GigabitEthernet1/0/1] quit

4.20.2.5.2 Configuring the Access Switch S5700-A in Office Building A


# Create a service VLAN for wired users and configure the VLAN allowed by an interface.
The configuration of the access switch S5700-B in office building B is similar to that of the
access switch in office building A, and is not mentioned here. The difference is that the
downlink interface of S5700-B is a trunk interface.
# Create a VLAN.
<HUAWEI> system-view
[HUAWEI] sysname S5700-A
[S5700-A] vlan batch 40

# Configure an uplink interface connected to the aggregation switch.


[S5700-A] interface gigabitethernet 0/0/2
[S5700-A-GigabitEthernet0/0/2] port link-type trunk
[S5700-A-GigabitEthernet0/0/2] port trunk allow-pass vlan 40
[S5700-A-GigabitEthernet0/0/2] quit

# Configure a downlink interface connected to a user PC.


[S5700-A] interface gigabitethernet 0/0/1
[S5700-A-GigabitEthernet0/0/1] port link-type access
[S5700-A-GigabitEthernet0/0/1] port default vlan 40
[S5700-A-GigabitEthernet0/0/1] port-isolate enable
[S5700-A-GigabitEthernet0/0/1] quit

4.20.2.5.3 Configuring the Core Switch S12700


Step 1 Use two S12700s to set up a CSS.
# Install CSS cards on S12700-1 and S12708-2, and connect cluster cables.
For details on CSS setup, see CSS of S Switches.
# Configure the CSS connection mode, CSS ID, and CSS priority.
<S12700-1> system-view
[S12700-1] set css mode css-card
[S12700-1] set css id 1
Warning: Modifying the CSS chassis ID will cause interface configuration loss.
Continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait....
Info: CSS configuration has been changed, and the new configuration will take
effect after a reboot and CSS has been enabled.
[S12700-1] set css priority 100 //On S12708-1, set the CSS ID and CSS priority to 1 and 100, respectively.
<S12700-2> system-view
[S12700-2] set css mode css-card
[S12700-2] set css id 2
Warning: Modifying the CSS chassis ID will cause interface configuration loss.
Continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait....
Info: CSS configuration has been changed, and the new configuration will take
effect after a reboot and CSS has been enabled.
[S12700-2] set css priority 10 //On S12708-2, set the CSS ID and CSS priority to 2 and 10, respectively.

# Check the CSS configuration. After the configuration is complete, run the display css
status saved command to check whether the configuration is correct.
[S12700-1] display css status saved //Check the CSS configuration on S12708-1.
Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master Force
------------------------------------------------------------------------------
1            1          Off          CSS card   100        Off

[S12708-2] display css status saved //Check the CSS configuration on S12708-2.
Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master Force
------------------------------------------------------------------------------
1            2          Off          CSS card   10         Off

# Enable the CSS function.
[S12700-1] css enable //Enable the CSS function on S12708-1 and restart BRAS02.
Warning: The CSS configuration will take effect only after the system is
rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
[S12708-2] css enable //Enable the CSS function on S12708-2 and restart BRAS01.
Warning: The CSS configuration will take effect only after the system is
rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Check whether a CSS is set up successfully. Log in to the CSS from the console port of any
MPU and run the display device command to check the CSS status. If the card status of two
member switches is displayed in the command output, the CSS is set up successfully.

Step 2 Configure multi-active detection (MAD) in direct mode on cluster interfaces.


1. Configure MAD in direct mode on GE1/1/1/7.
<CSS> system-view
[CSS] interface gigabitethernet 1/1/1/7
[CSS-GigabitEthernet1/1/1/7] mad detect mode direct
Warning: This command will block the port, and no other configuration running
on this port is recommended. Continue?[Y/N]:y
[CSS-GigabitEthernet1/1/1/7] quit

2. Configure MAD in direct mode on GE2/1/1/7.


[CSS] interface gigabitethernet 2/1/1/7
[CSS-GigabitEthernet2/1/1/7] mad detect mode direct
Warning: This command will block the port, and no other configuration running
on this port is recommended. Continue?[Y/N]:y
[CSS-GigabitEthernet2/1/1/7] quit

3. Check detailed MAD configuration of the CSS.


[CSS] display mad verbose
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
 GigabitEthernet1/1/1/7
 GigabitEthernet2/1/1/7
Mad relay detect interfaces configured:
Excluded ports(configurable):
Excluded ports(can not be configured):
 XGigabitEthernet1/6/0/0
 XGigabitEthernet2/6/0/0

Step 3 Configure basic network parameters.


# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname CORE-SWITCH
[CORE-SWITCH] vlan batch 10 20 30 40 1000

# Enable DHCP globally.


[CORE-SWITCH] dhcp enable

# Create a wireless management interface VLANIF 20, and assign addresses to APs from the
interface address pool.
[CORE-SWITCH] interface vlanif 20
[CORE-SWITCH-Vlanif20] ip address 192.168.20.1 255.255.255.0
[CORE-SWITCH-Vlanif20] dhcp select interface
[CORE-SWITCH-Vlanif20] quit

# Create a wireless service interface VLANIF 30, and assign addresses to STAs from the
interface address pool.
[CORE-SWITCH] interface vlanif 30
[CORE-SWITCH-Vlanif30] ip address 172.16.30.1 255.255.255.0
[CORE-SWITCH-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN ARP proxy; otherwise, wireless users cannot communicate through the AC. Determine the configuration according to the actual situation.
[CORE-SWITCH-Vlanif30] dhcp select interface
[CORE-SWITCH-Vlanif30] dhcp server dns-list 168.88.77.140 //Configure the DNS server address for terminals.
[CORE-SWITCH-Vlanif30] quit

# Create a wired service interface VLANIF 40, and assign addresses to terminals from the
interface address pool.
[CORE-SWITCH] interface vlanif 40
[CORE-SWITCH-Vlanif40] ip address 172.16.40.1 255.255.255.0
[CORE-SWITCH-Vlanif40] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN ARP proxy; otherwise, wired users cannot communicate through the AC. Determine the configuration according to the actual situation.
[CORE-SWITCH-Vlanif40] dhcp select interface
[CORE-SWITCH-Vlanif40] dhcp server dns-list 168.88.77.140 //Configure the DNS server address for terminals.
[CORE-SWITCH-Vlanif40] quit

# Create VLANIF 1000 connected to the server.


[CORE-SWITCH] interface vlanif 1000
[CORE-SWITCH-Vlanif1000] ip address 168.88.77.157 255.255.128.0
[CORE-SWITCH-Vlanif1000] quit

# Create Eth-Trunk 20 connected to both the core switch and the aggregation switch S7700-A
in office building A, and add interfaces to the Eth-Trunk. The interconnection configuration
between the core switch and the aggregation switch in office building B is similar to that in
office building A, and is not mentioned here. (The service VLAN corresponding to office
building B is VLAN 20.)
[CORE-SWITCH] interface eth-trunk 20
[CORE-SWITCH-Eth-Trunk20] description con to S7700-A
[CORE-SWITCH-Eth-Trunk20] port link-type trunk
[CORE-SWITCH-Eth-Trunk20] port trunk allow-pass vlan 40
[CORE-SWITCH-Eth-Trunk20] quit
[CORE-SWITCH] interface xgigabitethernet 1/1/0/0
[CORE-SWITCH-XGigabitEthernet1/1/0/0] eth-trunk 20
[CORE-SWITCH-XGigabitEthernet1/1/0/0] quit
[CORE-SWITCH] interface xgigabitethernet 2/1/0/0
[CORE-SWITCH-XGigabitEthernet2/1/0/0] eth-trunk 20
[CORE-SWITCH-XGigabitEthernet2/1/0/0] quit

# Add an interface connected to the Agile Controller to VLAN 1000.


[CORE-SWITCH] interface gigabitethernet 1/3/0/0
[CORE-SWITCH-GigabitEthernet1/3/0/0] port link-type access
[CORE-SWITCH-GigabitEthernet1/3/0/0] port default vlan 1000
[CORE-SWITCH-GigabitEthernet1/3/0/0] quit

Step 4 Configure authentication parameters.


# Set the NAC mode to unified.
[CORE-SWITCH] authentication unified-mode

# Configure a RADIUS server template.


[CORE-SWITCH] radius-server template test01
[CORE-SWITCH-radius-test01] radius-server authentication 168.88.77.10 1812 source ip-address 168.88.77.157 //Configure the IP address of the primary RADIUS authentication server, and set the authentication port number to 1812.
[CORE-SWITCH-radius-test01] radius-server accounting 168.88.77.10 1813 source ip-address 168.88.77.157 //Configure the IP address of the primary accounting server, and set the accounting port number to 1813.
[CORE-SWITCH-radius-test01] radius-server shared-key cipher Admin@123 //The shared key must be the same as that configured on the Agile Controller.
[CORE-SWITCH-radius-test01] quit
[CORE-SWITCH] radius-server authorization 168.88.77.10 shared-key cipher Admin@123

# Configure an authentication scheme named test01 and set the authentication mode to
RADIUS.
[CORE-SWITCH] aaa
[CORE-SWITCH-aaa] authentication-scheme test01
[CORE-SWITCH-aaa-authen-test01] authentication-mode radius
[CORE-SWITCH-aaa-authen-test01] quit

# Configure an accounting scheme named test01 and set the accounting mode to RADIUS.
[CORE-SWITCH-aaa] accounting-scheme test01
[CORE-SWITCH-aaa-accounting-test01] accounting-mode radius
[CORE-SWITCH-aaa-accounting-test01] accounting realtime 15 //Set the accounting interval to 15 minutes.
[CORE-SWITCH-aaa-accounting-test01] quit

# Create an authentication domain named huawei, and bind the authentication scheme,
accounting scheme, and RADIUS server template to the domain.
[CORE-SWITCH-aaa] domain huawei
[CORE-SWITCH-aaa-domain-huawei] authentication-scheme test01
[CORE-SWITCH-aaa-domain-huawei] accounting-scheme test01
[CORE-SWITCH-aaa-domain-huawei] radius-server test01
[CORE-SWITCH-aaa-domain-huawei] quit
[CORE-SWITCH-aaa] quit

# Configure the Portal authentication server and create a Portal access profile named portal1.
[CORE-SWITCH] web-auth-server test01
[CORE-SWITCH-web-auth-server-test01] server-ip 168.88.77.10 //Configure the IP address of the Portal authentication server.
[CORE-SWITCH-web-auth-server-test01] source-ip 168.88.77.157
[CORE-SWITCH-web-auth-server-test01] port 50100 //Configure the port number of the Portal authentication server.
[CORE-SWITCH-web-auth-server-test01] shared-key cipher Admin@123 //Configure the shared key for communication between the Portal authentication server and switch. The shared key must be the same as that of the Agile Controller.
[CORE-SWITCH-web-auth-server-test01] url http://168.88.77.10:8080/portal //Configure the URL of the web page.
[CORE-SWITCH-web-auth-server-test01] quit
[CORE-SWITCH] portal-access-profile name portal1
[CORE-SWITCH-portal-acces-profile-portal1] web-auth-server test01 direct
[CORE-SWITCH-portal-acces-profile-portal1] quit

# Configure an authentication-free rule named default_free_rule to permit packets from the
DNS server so that the Portal authentication page can be redirected.
[CORE-SWITCH] free-rule-template name default_free_rule
[CORE-SWITCH-free-rule-default_free_rule] free-rule 1 destination ip 168.88.77.140 mask 32 source any
[CORE-SWITCH-free-rule-default_free_rule] quit

# Configure an authentication profile named p1.


[CORE-SWITCH] authentication-profile name p1
[CORE-SWITCH-authen-profile-p1] portal-access-profile portal1
[CORE-SWITCH-authen-profile-p1] free-rule-template default_free_rule
[CORE-SWITCH-authen-profile-p1] access-domain huawei portal force
[CORE-SWITCH-authen-profile-p1] quit

Step 5 Configure the wired user interface and enable Portal authentication on the interface.
[CORE-SWITCH] interface vlanif 40
[CORE-SWITCH-Vlanif40] authentication-profile p1
[CORE-SWITCH-Vlanif40] quit

Step 6 Configure XMPP parameters for interworking with the Agile Controller, and enable free
mobility.
[CORE-SWITCH] group-policy controller 168.88.77.10 password Admin@123 src-ip 168.88.77.157

Step 7 Configure WLAN services.

# Create an AP group and add APs with the same configuration to the AP group.
[CORE-SWITCH] wlan
[CORE-SWITCH-wlan-view] ap-group name ap-group1
[CORE-SWITCH-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC's country code in the profile, and
apply the profile to the AP group.
[CORE-SWITCH-wlan-view] regulatory-domain-profile name domain1
[CORE-SWITCH-wlan-regulate-domain-domain1] country-code CN
[CORE-SWITCH-wlan-regulate-domain-domain1] quit
[CORE-SWITCH-wlan-view] ap-group name ap-group1
[CORE-SWITCH-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[CORE-SWITCH-wlan-ap-group-ap-group1] quit
[CORE-SWITCH-wlan-view] quit

# Configure the source interface of the AC.

[CORE-SWITCH] capwap source interface vlanif 20

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
MAC address of the AP is ac85-3d95-d800.
[CORE-SWITCH] wlan
[CORE-SWITCH-wlan-view] ap auth-mode mac-auth
[CORE-SWITCH-wlan-view] ap-id 0 ap-mac ac85-3d95-d800
[CORE-SWITCH-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, whether to
continue? [Y/N]:y
[CORE-SWITCH-wlan-ap-0] quit

# After powering on the AP, run the display ap all command on the AC to check the AP
running status. The command output shows that the AP status is normal.
[CORE-SWITCH-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------------------------
ID   MAC            Name           Group     IP             Type         State STA Uptime
-------------------------------------------------------------------------------------------------------
0    ac85-3d95-d800 ac85-3d95-d800 ap-group1 192.168.20.250 AP6010DN-AGN nor   0   2M:16S
-------------------------------------------------------------------------------------------------------
Total: 1

# Configure WLAN service parameters.


[CORE-SWITCH-wlan-view] ssid-profile name portal
[CORE-SWITCH-wlan-ssid-prof-portal] ssid portal_test
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-SWITCH-wlan-ssid-prof-portal] quit
[CORE-SWITCH-wlan-view] vap-profile name wlan-vap
[CORE-SWITCH-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-SWITCH-wlan-vap-prof-wlan-vap] service-vlan vlan-id 30
[CORE-SWITCH-wlan-vap-prof-wlan-vap] ssid-profile portal
[CORE-SWITCH-wlan-vap-prof-wlan-vap] authentication-profile p1
Warning: This action may cause service interruption. Continue?[Y/N]y
[CORE-SWITCH-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile to the AP group.


[CORE-SWITCH-wlan-view] ap-group name ap-group1
[CORE-SWITCH-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[CORE-SWITCH-wlan-ap-group-ap-group1] quit

# Commit the configuration.


[CORE-SWITCH-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

# After the configuration, run the display vap ssid portal_test command. If the Status field
displays ON, the VAP has been successfully created on the AP radio.
[CORE-SWITCH-wlan-view] display vap ssid portal_test
WID : WLAN ID
------------------------------------------------------------------------------------
AP ID AP name        RfID WID BSSID          Status Auth type STA SSID
------------------------------------------------------------------------------------
0     ac85-3d95-d800 0    1   AC85-3D95-D800 ON     Open      0   portal_test
0     ac85-3d95-d800 1    1   AC85-3D95-D810 ON     Open      0   portal_test
------------------------------------------------------------------------------------
Total: 2

Step 8 Create an Eth-Trunk between the core switch S12700 and the USG6600.

# Configure a VLANIF interface connecting the core switch to the USG6600.


[CORE-SWITCH] interface vlanif 10
[CORE-SWITCH-Vlanif10] ip address 192.168.10.3 24
[CORE-SWITCH-Vlanif10] quit

# On the S12700, create Eth-Trunk 30 and Eth-Trunk 40 connected to FW1 and FW2
respectively, and add member interfaces to Eth-Trunk 30 and Eth-Trunk 40.
[CORE-SWITCH] interface eth-trunk 30 //Create Eth-Trunk30 connected to FW1.
[CORE-SWITCH-Eth-Trunk30] port link-type access
[CORE-SWITCH-Eth-Trunk30] port default vlan 10
[CORE-SWITCH-Eth-Trunk30] quit
[CORE-SWITCH] interface gigabitethernet 1/2/0/0
[CORE-SWITCH-GigabitEthernet1/2/0/0] eth-trunk 30
[CORE-SWITCH-GigabitEthernet1/2/0/0] quit
[CORE-SWITCH] interface gigabitethernet 2/2/0/0
[CORE-SWITCH-GigabitEthernet2/2/0/0] eth-trunk 30
[CORE-SWITCH-GigabitEthernet2/2/0/0] quit
[CORE-SWITCH] interface eth-trunk 40 //Create Eth-Trunk 40 connected to FW2.
[CORE-SWITCH-Eth-Trunk40] port link-type access
[CORE-SWITCH-Eth-Trunk40] port default vlan 10
[CORE-SWITCH-Eth-Trunk40] quit
[CORE-SWITCH] interface gigabitethernet 1/2/0/1
[CORE-SWITCH-GigabitEthernet1/2/0/1] eth-trunk 40
[CORE-SWITCH-GigabitEthernet1/2/0/1] quit
[CORE-SWITCH] interface gigabitethernet 2/2/0/1
[CORE-SWITCH-GigabitEthernet2/2/0/1] eth-trunk 40
[CORE-SWITCH-GigabitEthernet2/2/0/1] quit

Step 9 Configure routes.

# Configure a routing protocol based on site requirements. OSPF is used here.

# Configure a loopback interface.


[CORE-SWITCH] interface loopback 0
[CORE-SWITCH-LoopBack0] ip address 3.3.3.3 32 //The IP address is used as the router ID.
[CORE-SWITCH-LoopBack0] quit

# Configure OSPF to advertise routes.


[CORE-SWITCH] ospf 1 router-id 3.3.3.3
[CORE-SWITCH-ospf-1] area 0.0.0.0
[CORE-SWITCH-ospf-1-area-0.0.0.0] network 192.168.10.0 0.0.0.255 //Configure the core switch to advertise the network segment connected to the USG6600.
[CORE-SWITCH-ospf-1-area-0.0.0.0] network 172.16.30.0 0.0.0.255 //Configure the core switch to advertise the network segment of wireless users.
[CORE-SWITCH-ospf-1-area-0.0.0.0] network 172.16.40.0 0.0.0.255 //Configure the core switch to advertise the network segment of wired users.
[CORE-SWITCH-ospf-1-area-0.0.0.0] network 168.88.0.0 0.0.127.255 //Configure the core switch to advertise the address segment of the Agile Controller to interconnect with the firewall.
[CORE-SWITCH-ospf-1-area-0.0.0.0] quit
[CORE-SWITCH-ospf-1] quit

----End
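
The following is an added example, not part of Huawei's guide: a small Python linter for prompt-prefixed transcripts like those in 4.20.2.5.2 and 4.20.2.5.3, intended for reviewing a configuration script before it is applied. It reports access ports on an access switch that lack port-isolate enable (the Layer 2 isolation the configuration notes call for), secrets shared between the RADIUS, Portal, and XMPP channels, and Portal URLs that use plain HTTP. The sample transcript is constructed; GigabitEthernet0/0/3 and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of this section's transcripts. GigabitEthernet0/0/3
# is a hypothetical extra user port added to show a missing port-isolate setting.
SAMPLE = """\
[S5700-A] interface gigabitethernet 0/0/1
[S5700-A-GigabitEthernet0/0/1] port link-type access
[S5700-A-GigabitEthernet0/0/1] port default vlan 40
[S5700-A-GigabitEthernet0/0/1] port-isolate enable
[S5700-A-GigabitEthernet0/0/1] quit
[S5700-A] interface gigabitethernet 0/0/3
[S5700-A-GigabitEthernet0/0/3] port link-type access
[S5700-A-GigabitEthernet0/0/3] port default vlan 40
[S5700-A-GigabitEthernet0/0/3] quit
[CORE-SWITCH-radius-test01] radius-server shared-key cipher Admin@123 //The
shared key must be the same as that configured on the Agile Controller.
[CORE-SWITCH] radius-server authorization 168.88.77.10 shared-key cipher Admin@123
[CORE-SWITCH-web-auth-server-test01] shared-key cipher Admin@123
[CORE-SWITCH-web-auth-server-test01] url http://168.88.77.10:8080/portal //
Configure the URL of the web page.
[CORE-SWITCH] group-policy controller 168.88.77.10 password Admin@123 src-ip 168.88.77.157
"""

PROMPT = re.compile(r"^[\[<]([^\]>]+)[\]>]\s*(.*)$")
SECRET = re.compile(r"\b(?:shared-key cipher|password)\s+(\S+)")


def parse(transcript):
    """Return (view, command) pairs from prompt-prefixed lines.

    Lines without a prompt (wrapped comments, warnings, command output) are
    skipped. A trailing comment is cut only at whitespace followed by '//',
    so the '//' inside 'http://' survives.
    """
    pairs = []
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        cmd = re.sub(r"\s+//.*$", "", m.group(2)).strip()
        if cmd:
            pairs.append((m.group(1), cmd))
    return pairs


def secret_role(view, cmd):
    """Name the channel a secret protects, from the view and the command keyword."""
    if cmd.startswith("group-policy controller"):
        return "xmpp"
    if "web-auth-server" in view:
        return "portal"
    if cmd.startswith("radius-server"):
        return "radius"
    return "other"


def reused_secrets(pairs):
    """Map each secret used by more than one channel to the channels sharing it."""
    roles = defaultdict(set)
    for view, cmd in pairs:
        m = SECRET.search(cmd)
        if m:
            roles[m.group(1)].add(secret_role(view, cmd))
    return {s: sorted(r) for s, r in roles.items() if len(r) > 1}


def unisolated_access_ports(pairs, device):
    """List interface views on `device` set to access mode without port isolation."""
    views = defaultdict(set)
    for view, cmd in pairs:
        if view.startswith(device + "-"):
            views[view].add(cmd)
    return sorted(v for v, cmds in views.items()
                  if "port link-type access" in cmds
                  and "port-isolate enable" not in cmds)


def cleartext_portal_urls(pairs):
    """Return Portal redirect URLs configured with plain HTTP."""
    return [cmd.split()[1] for view, cmd in pairs
            if "web-auth-server" in view and cmd.startswith("url http://")]


if __name__ == "__main__":
    pairs = parse(SAMPLE)
    print("access ports without port-isolate:", unisolated_access_ports(pairs, "S5700-A"))
    print("secrets shared across channels:", reused_secrets(pairs))
    print("cleartext Portal URLs:", cleartext_portal_urls(pairs))
```

Run the port check only against access switches: on the core switch, access-mode Eth-Trunks toward the firewalls are not user ports and would be reported as well.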

4.20.2.5.4 Configuring the Egress Firewall USG6600


Step 1 Configure interfaces.

# Configure interfaces on FW1.


[USG6600] sysname FW1
[FW1] interface gigabitethernet 1/0/1
[FW1-GigabitEthernet1/0/1] ip address 201.0.0.1 24 //Configure an IP address for the interface connected to ISP1.
[FW1-GigabitEthernet1/0/1] gateway 201.0.0.254
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface gigabitethernet 1/0/2
[FW1-GigabitEthernet1/0/2] ip address 202.0.0.2 24 //Configure an IP address for the interface connected to ISP2.
[FW1-GigabitEthernet1/0/2] gateway 202.0.0.254
[FW1-GigabitEthernet1/0/2] quit
[FW1] interface gigabitethernet 1/0/5
[FW1-GigabitEthernet1/0/5] ip address 10.10.0.1 24 //Configure an IP address for the heartbeat line where HRP is used.
[FW1-GigabitEthernet1/0/5] quit
[FW1] interface eth-trunk 30
[FW1-Eth-Trunk30] ip address 192.168.10.1 24 //Configure an IP address for the Eth-Trunk connected to the CSS.
[FW1-Eth-Trunk30] quit
[FW1] interface loopback 0
[FW1-LoopBack0] ip address 1.1.1.1 32 //The IP address is used as the router ID.
[FW1-LoopBack0] quit

# Configure interfaces on FW2.


[USG6600] sysname FW2
[FW2] interface gigabitethernet 1/0/1
[FW2-GigabitEthernet1/0/1] ip address 201.0.0.2 24 //Configure an IP address for the interface connected to ISP1.
[FW2-GigabitEthernet1/0/1] gateway 201.0.0.254
[FW2-GigabitEthernet1/0/1] quit
[FW2] interface gigabitethernet 1/0/2
[FW2-GigabitEthernet1/0/2] ip address 202.0.0.1 24 //Configure an IP address for the interface connected to ISP2.
[FW2-GigabitEthernet1/0/2] gateway 202.0.0.254
[FW2-GigabitEthernet1/0/2] quit
[FW2] interface gigabitethernet 1/0/5
[FW2-GigabitEthernet1/0/5] ip address 10.10.0.2 24 //Configure an IP address for the heartbeat line where HRP is used.
[FW2-GigabitEthernet1/0/5] quit
[FW2] interface eth-trunk 40
[FW2-Eth-Trunk40] ip address 192.168.10.2 24 //Configure an IP address for the Eth-Trunk connected to the CSS.
[FW2-Eth-Trunk40] quit
[FW2] interface loopback 0
[FW2-LoopBack0] ip address 2.2.2.2 32 //The IP address is used as the router ID.
[FW2-LoopBack0] quit

Step 2 Add interfaces through which the firewall connects to the core switch S12700 to the Eth-
Trunk.

# Add interconnected interfaces to the Eth-Trunk on FW1.


[FW1] interface gigabitethernet 1/0/3
[FW1-GigabitEthernet1/0/3] eth-trunk 30
[FW1-GigabitEthernet1/0/3] quit
[FW1] interface gigabitethernet 1/0/4
[FW1-GigabitEthernet1/0/4] eth-trunk 30
[FW1-GigabitEthernet1/0/4] quit

# Add interconnected interfaces to the Eth-Trunk on FW2.

[FW2] interface gigabitethernet 1/0/3
[FW2-GigabitEthernet1/0/3] eth-trunk 40
[FW2-GigabitEthernet1/0/3] quit
[FW2] interface gigabitethernet 1/0/4
[FW2-GigabitEthernet1/0/4] eth-trunk 40
[FW2-GigabitEthernet1/0/4] quit

Step 3 Configure security zones where interfaces belong.


# Add interfaces to security zones.
[FW1] firewall zone trust //Add interfaces connected to the intranet to zones.
[FW1-zone-trust] add interface eth-trunk 30
[FW1-zone-trust] quit
[FW1] firewall zone dmz //Add the interface connected to the heartbeat line of two network devices to the DMZ.
[FW1-zone-dmz] add interface gigabitethernet 1/0/5
[FW1-zone-dmz] quit
[FW1] firewall zone name isp1 //Add the interface connected to ISP1 to the ISP1 zone.
[FW1-zone-isp1] set priority 10
[FW1-zone-isp1] add interface gigabitethernet 1/0/1
[FW1-zone-isp1] quit
[FW1] firewall zone name isp2 //Add the interface connected to ISP2 to the ISP2 zone.
[FW1-zone-isp2] set priority 20
[FW1-zone-isp2] add interface gigabitethernet 1/0/2
[FW1-zone-isp2] quit
[FW2] firewall zone trust //Add the interface connected to the intranet to a zone.
[FW2-zone-trust] add interface eth-trunk 40
[FW2-zone-trust] quit
[FW2] firewall zone dmz //Add the interface connected to the heartbeat line of two network devices to the DMZ.
[FW2-zone-dmz] add interface gigabitethernet 1/0/5
[FW2-zone-dmz] quit
[FW2] firewall zone name isp1 //Add the interface connected to ISP1 to the ISP1 zone.
[FW2-zone-isp1] set priority 10
[FW2-zone-isp1] add interface gigabitethernet 1/0/1
[FW2-zone-isp1] quit
[FW2] firewall zone name isp2 //Add the interface connected to ISP2 to the ISP2 zone.
[FW2-zone-isp2] set priority 20
[FW2-zone-isp2] add interface gigabitethernet 1/0/2
[FW2-zone-isp2] quit

Step 4 Configure routes.


# Configure the firewall to advertise the network segment of the downlink interface.
[FW1] ospf 1 router-id 1.1.1.1
[FW1-ospf-1] import-route static
[FW1-ospf-1] area 0.0.0.0
[FW1-ospf-1-area-0.0.0.0] network 192.168.10.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0] quit
[FW1-ospf-1] quit
[FW2] ospf 1 router-id 2.2.2.2
[FW2-ospf-1] import-route static
[FW2-ospf-1] area 0.0.0.0
[FW2-ospf-1-area-0.0.0.0] network 192.168.10.0 0.0.0.255
[FW2-ospf-1-area-0.0.0.0] quit
[FW2-ospf-1] quit

# Configure default routes to the ISP server. In this example, static routes are used.
[FW1] ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
[FW1] ip route-static 22.0.0.0 255.255.255.0 202.0.0.254
[FW2] ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
[FW2] ip route-static 22.0.0.0 255.255.255.0 202.0.0.254

Step 5 Configure intelligent route selection.

# Enable the health check function, and configure health check for links of ISP1 and ISP2.
Assume that the destination server's IP address of ISP1 is 21.0.0.100 and the destination
server's IP address of ISP2 is 22.0.0.100.
[FW1] healthcheck enable
[FW1] healthcheck name isp1_health
[FW1-healthcheck-isp1_health] destination 21.0.0.100 interface GigabitEthernet 1/0/1 protocol tcp-simple destination-port 1001
[FW1-healthcheck-isp1_health] quit
[FW1] healthcheck name isp2_health
[FW1-healthcheck-isp2_health] destination 22.0.0.100 interface GigabitEthernet 1/0/2 protocol tcp-simple destination-port 1002
[FW1-healthcheck-isp2_health] quit
[FW2] healthcheck enable
[FW2] healthcheck name isp1_health
[FW2-healthcheck-isp1_health] destination 21.0.0.100 interface GigabitEthernet 1/0/1 protocol tcp-simple destination-port 1003
[FW2-healthcheck-isp1_health] quit
[FW2] healthcheck name isp2_health
[FW2-healthcheck-isp2_health] destination 22.0.0.100 interface GigabitEthernet 1/0/2 protocol tcp-simple destination-port 1004
[FW2-healthcheck-isp2_health] quit

# Set the link bandwidth and overload protection threshold for the interfaces, and apply the
health checks for the ISP1 and ISP2 links to the corresponding interfaces. (Assume that the
bandwidth and the overload protection threshold of ISP1 are 100 Mbit/s and 95% respectively,
and those of ISP2 are 50 Mbit/s and 90% respectively.)
[FW1] interface gigabitethernet 1/0/1
[FW1-GigabitEthernet1/0/1] bandwidth ingress 100000 threshold 95
[FW1-GigabitEthernet1/0/1] bandwidth egress 100000 threshold 95
[FW1-GigabitEthernet1/0/1] healthcheck isp1_health
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface gigabitethernet 1/0/2
[FW1-GigabitEthernet1/0/2] bandwidth ingress 50000 threshold 90
[FW1-GigabitEthernet1/0/2] bandwidth egress 50000 threshold 90
[FW1-GigabitEthernet1/0/2] healthcheck isp2_health
[FW1-GigabitEthernet1/0/2] quit
[FW2] interface gigabitethernet 1/0/1
[FW2-GigabitEthernet1/0/1] bandwidth ingress 100000 threshold 95
[FW2-GigabitEthernet1/0/1] bandwidth egress 100000 threshold 95
[FW2-GigabitEthernet1/0/1] healthcheck isp1_health
[FW2-GigabitEthernet1/0/1] quit
[FW2] interface gigabitethernet 1/0/2
[FW2-GigabitEthernet1/0/2] bandwidth ingress 50000 threshold 90
[FW2-GigabitEthernet1/0/2] bandwidth egress 50000 threshold 90
[FW2-GigabitEthernet1/0/2] healthcheck isp2_health
[FW2-GigabitEthernet1/0/2] quit

# Configure a global route selection policy and set the working mode of intelligent route
selection to link bandwidth-based load balancing.
[FW1] multi-interface
[FW1-multi-inter] mode proportion-of-bandwidth
[FW1-multi-inter] add interface gigabitethernet 1/0/1
[FW1-multi-inter] add interface gigabitethernet 1/0/2
[FW1-multi-inter] quit
[FW2] multi-interface
[FW2-multi-inter] mode proportion-of-bandwidth
[FW2-multi-inter] add interface gigabitethernet 1/0/1
[FW2-multi-inter] add interface gigabitethernet 1/0/2
[FW2-multi-inter] quit

Step 6 Configure HRP and load balancing.

# Configure quick session backup, specify the heartbeat interface, and enable HRP on FW1
and FW2.
[FW1] hrp track interface eth-trunk 30
[FW1] hrp interface gigabitethernet 1/0/5 remote 10.10.0.2
[FW1] hrp mirror session enable
[FW1] hrp enable
[FW2] hrp track interface eth-trunk 40
[FW2] hrp interface gigabitethernet 1/0/5 remote 10.10.0.1
[FW2] hrp mirror session enable
[FW2] hrp enable
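
The heartbeat pairing configured in this step can be checked offline: on each firewall, the remote address of the hrp interface command must be the peer's heartbeat interface address, not the local one. The Python script below is an added example and not part of the Huawei document; the configuration excerpts are constructed in the style of this page's configuration script, and the function names are hypothetical.

```python
import ipaddress

# Constructed excerpts in the style of this page's FW1/FW2 configuration script.
FW1_CFG = """\
sysname FW1
hrp enable
hrp interface GigabitEthernet1/0/5 remote 10.10.0.2
hrp mirror session enable
hrp track interface Eth-Trunk30
#
interface GigabitEthernet1/0/5
 undo shutdown
 ip address 10.10.0.1 255.255.255.0
#
return
"""
FW2_CFG = """\
sysname FW2
hrp enable
hrp interface GigabitEthernet1/0/5 remote 10.10.0.1
hrp mirror session enable
hrp track interface Eth-Trunk40
#
interface GigabitEthernet1/0/5
 undo shutdown
 ip address 10.10.0.2 255.255.255.0
#
return
"""
# Constructed faulty variant: FW2's peer address points at FW2 itself.
FW2_SELF_PEER = FW2_CFG.replace("remote 10.10.0.1", "remote 10.10.0.2")


def parse_hrp(cfg):
    """Extract the HRP-relevant settings from one device's configuration text."""
    dev = {"name": None, "enabled": False, "mirror": False,
           "hb_if": None, "remote": None, "addrs": {}}
    current_if = None
    for raw in cfg.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            current_if = None
        elif words[0] == "sysname":
            dev["name"] = words[1]
        elif words == ["hrp", "enable"]:
            dev["enabled"] = True
        elif words == ["hrp", "mirror", "session", "enable"]:
            dev["mirror"] = True
        elif words[:2] == ["hrp", "interface"] and "remote" in words:
            idx = words.index("remote")
            # Accept both "GigabitEthernet1/0/5" and "gigabitethernet 1/0/5".
            dev["hb_if"] = "".join(words[2:idx]).lower()
            dev["remote"] = ipaddress.ip_address(words[idx + 1])
        elif words[0] == "interface":
            current_if = "".join(words[1:]).lower()
        elif words[:2] == ["ip", "address"] and current_if:
            dev["addrs"][current_if] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
    return dev


def check_side(local, peer):
    """Return findings for one direction of the heartbeat pairing."""
    name, findings = local["name"], []
    if not local["enabled"]:
        findings.append(f"{name}: hrp enable is missing")
    own = local["addrs"].get(local["hb_if"])
    if own is None or local["remote"] is None:
        findings.append(f"{name}: heartbeat interface has no address or no remote peer")
        return findings
    theirs = peer["addrs"].get(peer["hb_if"])
    if local["remote"] == own.ip:
        findings.append(f"{name}: remote {local['remote']} is its own heartbeat address")
    elif local["remote"] not in own.network:
        findings.append(f"{name}: remote {local['remote']} is outside {own.network}")
    elif theirs is not None and local["remote"] != theirs.ip:
        findings.append(f"{name}: remote {local['remote']} is not "
                        f"{peer['name']}'s heartbeat address {theirs.ip}")
    return findings


def check_pair(cfg_a, cfg_b):
    """Check both directions and the session-mirroring setting of an HRP pair."""
    a, b = parse_hrp(cfg_a), parse_hrp(cfg_b)
    findings = check_side(a, b) + check_side(b, a)
    if a["mirror"] != b["mirror"]:
        findings.append("hrp mirror session enable differs between the two devices")
    return findings


if __name__ == "__main__":
    print(check_pair(FW1_CFG, FW2_CFG))
    print(check_pair(FW1_CFG, FW2_SELF_PEER))
```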

Step 7 Configure a security policy.


# Set the action of the default security policy to permit.
HRP_M[FW1] security-policy
HRP_M[FW1-policy-security] default action permit
Warning:Setting the default packet filtering to permit poses security risks. You
are advised to configure the security policy based on the actual data flows. Are
you sure you want to continue?[Y/N]y
HRP_M[FW1-policy-security] quit

Step 8 Connect the USG6600 to the Agile Controller.


# Configure a RADIUS server template on FW1. FW2 will automatically synchronize the
configuration of FW1.
HRP_M[FW1] radius-server template test01
HRP_M[FW1-radius-test01] radius-server shared-key cipher Admin@123
HRP_M[FW1-radius-test01] radius-server authentication 168.88.77.10 1812
HRP_M[FW1-radius-test01] radius-server accounting 168.88.77.10 1813
HRP_M[FW1-radius-test01] quit

# Perform agile network configurations on FW1. FW2 will automatically synchronize the
configuration of FW1.
HRP_M[FW1] agile-network
HRP_M[FW1-agile-network] radius-server test01
HRP_M[FW1-agile-network] server ip 168.88.77.10
HRP_M[FW1-agile-network] local ip 192.168.10.1
HRP_M[FW1-agile-network] password Admin@123
HRP_M[FW1-agile-network] agile-network enable
HRP_M[FW1-agile-network] xmpp connect
HRP_M[FW1-agile-network] quit

Step 9 Configure a NAT policy.


# Create address pools named addressgroup1 (201.0.0.10 to 201.0.0.12) and addressgroup2
(202.0.0.10 to 202.0.0.12) on FW1. The address pool configured on FW1 will be
automatically synchronized to FW2.
HRP_M[FW1] nat address-group addressgroup1
HRP_M[FW1-nat-address-group-addressgroup1] section 0 201.0.0.10 201.0.0.12
HRP_M[FW1-nat-address-group-addressgroup1] mode pat
HRP_M[FW1-nat-address-group-addressgroup1] route enable
HRP_M[FW1-nat-address-group-addressgroup1] quit
HRP_M[FW1] nat address-group addressgroup2
HRP_M[FW1-nat-address-group-addressgroup2] section 1 202.0.0.10 202.0.0.12
HRP_M[FW1-nat-address-group-addressgroup2] mode pat
HRP_M[FW1-nat-address-group-addressgroup2] route enable
HRP_M[FW1-nat-address-group-addressgroup2] quit

# Configure source NAT policies to allow intranet users to access the Internet by using public
IP addresses translated using NAT.
HRP_M[FW1] nat-policy
HRP_M[FW1-policy-nat] rule name policy_nat1
HRP_M[FW1-policy-nat-policy_nat1] source-zone trust
HRP_M[FW1-policy-nat-policy_nat1] source-address range 172.16.30.1 172.16.30.254
HRP_M[FW1-policy-nat-policy_nat1] source-address range 172.16.40.1 172.16.40.254
HRP_M[FW1-policy-nat-policy_nat1] destination-zone isp1
HRP_M[FW1-policy-nat-policy_nat1] action nat address-group addressgroup1
HRP_M[FW1-policy-nat-policy_nat1] quit
HRP_M[FW1-policy-nat] rule name policy_nat2
HRP_M[FW1-policy-nat-policy_nat2] source-zone trust
HRP_M[FW1-policy-nat-policy_nat2] source-address range 172.16.30.1 172.16.30.254
HRP_M[FW1-policy-nat-policy_nat2] source-address range 172.16.40.1 172.16.40.254
HRP_M[FW1-policy-nat-policy_nat2] destination-zone isp2
HRP_M[FW1-policy-nat-policy_nat2] action nat address-group addressgroup2
HRP_M[FW1-policy-nat-policy_nat2] quit
HRP_M[FW1-policy-nat] quit

# Contact the ISP administrator to configure routes whose destination addresses are the
addresses in addressgroup1 and addressgroup2 and whose next hop is the corresponding
interface address of the USG6600.

----End

4.20.2.5.5 Configuring the Agile Controller


Step 1 Log in to the Agile Controller.
# Open Internet Explorer, enter the Agile Controller access address in the address bar, and
press Enter.
The following table describes addresses for accessing the Agile Controller.

Access Format | Description
https://Agile Controller-IP:8443 | Agile Controller-IP specifies the IP address of the Agile Controller.
IP address of the Agile Controller | If port 80 is enabled during installation, you can access the Agile Controller by simply entering its IP address without the port number. The Agile Controller URL will automatically change to https://Agile Controller-IP:8443.

# Enter the administrator user name and password.


If you log in to the Agile Controller for the first time, use the super administrator user name
and password. Change the password immediately after logging in; otherwise, the Agile
Controller cannot be used.
Step 2 Add the S12700.
# Choose Resource > Device > Device Management.
# Click Add to add the S12700.
Configure the IP address for the S12700 that communicates with the Agile Controller. Enable
RADIUS and Portal authentication, set the RADIUS authentication and accounting keys to
Admin@123, and set the real-time accounting interval to 15 minutes. Set the port number to
2000, Portal key to Admin@123, and access terminal IP address list to be within the
allocation scope of terminal IP addresses (a route for packets to be returned to the terminal IP
address should be added to the Agile Controller server, and its configuration is not mentioned
here).

# Click the XMPP tab and set XMPP interconnection parameters.

# Click Synchronize to synchronize device data. After data synchronization, the indicator of
the communication status turns green.

Step 3 Add the USG6600.


# Choose Resource > Device > Device Management and click Add to add the USG6600.
Configure the IP address of the USG6600 that communicates with the Agile Controller.
Enable RADIUS authentication, set the RADIUS authentication and accounting keys to
Admin@123, and set the real-time accounting interval to 15 minutes.

# Click the XMPP tab and set XMPP interconnection parameters.

# Click Synchronize to synchronize device data. After data synchronization, the indicator of
the communication status turns green.

Step 4 Create a device group named test and add two USG6600s to this group.
# Choose Resource > Device > Device Management, and then choose Device Group > Free
Mobility > Custom on the left side of the page to create a customized group named test.

# Click Add, select the S12700 and USG6600, and add them to the customized group.

Step 5 Configure two dynamic security groups group1 and group2, and two static security
groups server1 and server2.
# Choose Policy > Permission Control > Security Group > Dynamic Security Group
Management.
# Click Add and create group1 and group2.

# Choose Policy > Permission Control > Security Group > Static Security Group
Management.

# Click Add and create server1 and server2.

Step 6 Configure access control policies.

# Choose Policy > Free Mobility > Policy Configuration > Permission Control and click
Add.

# The policy matrix is as follows.

After the configuration is complete, group1 can access server1 and server2, group2 can only
access server1, and group1 and group2 cannot access each other.

# Click Global Deployment to deploy access control policies on the entire network.

Step 7 Deploy security groups.


# Choose Policy > Permission Control > Security Group > Dynamic Security Group
Management.
# Click Global Deployment to deploy security groups on the entire network.

Step 8 Add the internal network configuration on the Agile Controller.


# Choose Policy > Permission Control > Security Group > Intranet Configuration to add
a network segment of the internal network, and click Save. When the system asks you whether
to deploy it immediately, select Yes. The internal network segment is delivered to the firewall.

# After the network segment of the internal network is deployed successfully, run the display
agile-network intranet-address command to check the internal network segment that is
delivered to the USG6600.
HRP_M[FW1] display agile-network intranet-address
Intranet Address 172.16.30.0-172.16.30.255
172.16.40.0-172.16.40.255

Step 9 Deploy a QoS policy based on customer requirements.

# Choose Policy > Free Mobility > Policy Configuration > QoS Policy to configure a QoS
policy.

Click next to the VIP security group and select group1.

# Click Add in Device List, select FW1 and FW2, and click OK.

# Click Deploy to deploy the QoS policy. After the QoS policy is deployed successfully, you
can view the deployment result on the USG6600. group1 is deployed as the VIP security
group.
HRP_M[FW1] display agile-network security-group all
Total Security Group: 3.

-------------------------------------------------------------------------------
GroupID GroupName VIP priority

-------------------------------------------------------------------------------
0 unknown no 0
1 group1 yes 5
2 group2 no 0

Step 10 Add an authentication user on the Agile Controller.

# Choose Resource > User Management, click Add to add users teacher and student, and
configure passwords.

Step 11 Configure the RADIUS relay agent on the Agile Controller to obtain packets sent from
devices and forward the packets to the RADIUS server.
# Choose System > External Authentication > RADIUS Proxy.
# Click Add.
# Set parameters and click OK.

The following table describes RADIUS relay parameters.

Parameter | Description

Communication parameters
IP address of the primary RADIUS server, IP address of the secondary RADIUS server | IP addresses of the primary and secondary RADIUS servers (Srun)
Shared key | When packets are exchanged between the Agile Controller-Campus and the RADIUS server, the RADIUS server uses this key to authenticate the identity of the Agile Controller-Campus.
Authentication port, Accounting port | The configured shared key must be the same as that on the RADIUS server.
Timeout interval, Retransmission count | The Agile Controller-Campus sends request packets to the RADIUS server. If no response packets are received within the timeout interval, the Agile Controller-Campus retransmits request packets. If the retransmission count is reached, the Agile Controller-Campus considers that the RADIUS server is unavailable. The timeout interval and retransmission count of the Agile Controller-Campus are the same as those of the RADIUS server.

Other settings
Forwarding accounting packets to the external RADIUS server | This function needs to be configured when accounting is performed for access users. The RADIUS accounting server needs to be configured.
Forwarding authorization results to the external RADIUS server | This function enables the Agile Controller-Campus to forward authorization results delivered from the RADIUS server to network devices. This function is configured when the RADIUS server and network devices support the same RADIUS attributes, that is, the network devices can parse authorization results delivered by the RADIUS server.
Using packet attributes returned by the RADIUS server as the authorization condition | This function is configured when the RADIUS server and network devices support different RADIUS attributes, that is, the network devices cannot parse the authorization results delivered by the RADIUS server.
Delay in an attempt to connect to the primary RADIUS server when the primary RADIUS server fails | When the Agile Controller-Campus detects that the primary RADIUS server does not work properly, services are switched to the secondary RADIUS server. After the delay, the Agile Controller-Campus attempts to send authentication packets to the primary RADIUS server again.

Step 12 Add authorization results on the Agile Controller.


# Choose Policy > Permission Control > Authentication & Authorization >
Authorization Result, and click Add to create an authorization result.

Table 4-158 Information about authorization results


Authorization Result | Parameter | Value | Description
group1 | Name | group1 | -
group1 | Service type | Access service | -
group1 | Security group | group1 | -
group2 | Name | group2 | -
group2 | Service type | Access service | -
group2 | Security group | group2 | -

# Click OK.

----End

4.20.2.6 Verification
Step 1 After the security group and the inter-group policy are successfully deployed, you can run the
following commands on the core switch to view deployment information.
# Run the display ucl-group all command on the core switch to view deployment
information of the security group.
[CORE-SWITCH] display ucl-group all
ID UCL group name

--------------------------------------------------------------------------------
1 group1
2 group2

--------------------------------------------------------------------------------
Total : 2

# Run the display acl all command on the core switch to view the access control policy.
[CORE-SWITCH] display acl all
Total nonempty ACL number is 2
Ucl-group ACL Auto_PGM_U1 9998, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group1 destination 21.0.0.100 0 (match-
counter 0)
rule 2 permit ip source ucl-group name group1 destination 22.0.0.100 0 (match-
counter 0)
rule 3 deny ip source ucl-group name group1 destination ucl-group name group2
(match-counter 0)
Ucl-group ACL Auto_PGM_U2 9999, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group2 destination 21.0.0.100 0 (match-
counter 0)
rule 2 deny ip source ucl-group name group2 destination ucl-group name group1
(match-counter 0)
rule 3 deny ip source ucl-group name group2 destination 22.0.0.100 0 (match-
counter 0)
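
The display acl all output above can be compared mechanically with the policy matrix intended in the access control policy step (group1 reaches server1 and server2, group2 reaches only server1, and the two groups cannot reach each other). The Python script below is an added example and not part of the Huawei document; it assumes that server1 and server2 are the hosts 21.0.0.100 and 22.0.0.100 referenced by the rules, and its function names are hypothetical.

```python
import re

# Constructed input: the `display acl all` output from this verification step,
# kept with the terminal's line wraps inside "(match-counter 0)".
SAMPLE_OUTPUT = """\
Total nonempty ACL number is 2
Ucl-group ACL Auto_PGM_U1 9998, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group1 destination 21.0.0.100 0 (match-
counter 0)
rule 2 permit ip source ucl-group name group1 destination 22.0.0.100 0 (match-
counter 0)
rule 3 deny ip source ucl-group name group1 destination ucl-group name group2
(match-counter 0)
Ucl-group ACL Auto_PGM_U2 9999, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group2 destination 21.0.0.100 0 (match-
counter 0)
rule 2 deny ip source ucl-group name group2 destination ucl-group name group1
(match-counter 0)
rule 3 deny ip source ucl-group name group2 destination 22.0.0.100 0 (match-
counter 0)
"""

# Assumption: the static security groups map to the hosts used in the rules.
STATIC_GROUPS = {"21.0.0.100": "server1", "22.0.0.100": "server2"}

# Intended matrix, taken from the access control policy step.
INTENDED = {
    ("group1", "server1"): "permit",
    ("group1", "server2"): "permit",
    ("group1", "group2"): "deny",
    ("group2", "server1"): "permit",
    ("group2", "server2"): "deny",
    ("group2", "group1"): "deny",
}

LINE_START = re.compile(r"^(rule \d+ |Ucl-group ACL |Acl's step |Total )")
# A destination of "<ip> 0" is a host match (wildcard mask 0).
RULE = re.compile(
    r"rule (?P<id>\d+) (?P<action>permit|deny) ip "
    r"source ucl-group name (?P<src>\S+) destination "
    r"(?:ucl-group name (?P<dgroup>[^\s(]+)|(?P<dip>\d+(?:\.\d+){3}) 0)(?=\s|$)"
)


def unwrap(text):
    """Rejoin lines the terminal wrapped, so every rule is one logical line."""
    logical = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LINE_START.match(line) or not logical:
            logical.append(line)
        elif logical[-1].endswith("-"):
            logical[-1] += line          # wrap fell inside a token ("match-" + "counter")
        else:
            logical[-1] += " " + line    # wrap fell between tokens
    return logical


def effective_matrix(text):
    """Map (source group, destination) to the action of the first matching rule."""
    matrix = {}
    for line in unwrap(text):
        m = RULE.match(line)
        if not m:
            continue
        dst = m["dgroup"] or STATIC_GROUPS.get(m["dip"], m["dip"])
        matrix.setdefault((m["src"], dst), m["action"])
    return matrix


def policy_drift(text, intended=INTENDED):
    """List every pair whose deployed action differs from the intended matrix."""
    actual = effective_matrix(text)
    findings = []
    for pair, want in sorted(intended.items()):
        got = actual.get(pair, "no rule")
        if got != want:
            findings.append(f"{pair[0]} -> {pair[1]}: intended {want}, device has {got}")
    for pair, got in sorted(actual.items()):
        if pair not in intended and got == "permit":
            findings.append(f"{pair[0]} -> {pair[1]}: unplanned permit")
    return findings


if __name__ == "__main__":
    print(policy_drift(SAMPLE_OUTPUT) or "deployed ACLs match the intended matrix")
```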

Step 2 After the security group and the security policy are successfully deployed, you can run the
following commands on the USG6600 to check deployment information.

# Run the display agile-network security-group all command on the USG6600 to check the
security group configuration.
HRP_M[FW1] display agile-network security-group all
Total Security Group: 3.

-------------------------------------------------------------------------------
GroupID GroupName VIP priority

-------------------------------------------------------------------------------
0 unknown no 0
2 group2 no 0
1 group1 yes 5

# Run the display security-policy rule all command on the USG6600 to check the security
policy configuration.
HRP_M[FW1] display security-policy all
Total:7
RULE ID RULE NAME STATE ACTION HITTED
-------------------------------------------------------------------------------
0 default enable deny 128877
5 Auto_PGM_U2_1 enable permit 0
6 Auto_PGM_U2_2 enable deny 0
7 Auto_PGM_U2_3 enable deny 0
8 Auto_PGM_U1_1 enable permit 0
9 Auto_PGM_U1_2 enable permit 0
10 Auto_PGM_U1_3 enable deny 0
-------------------------------------------------------------------------------

# Run the display security-policy rule command on the USG6600 to check the security
policy configuration.
HRP_M[FW1] display security-policy rule name Auto_PGM_U2_1
(0 times matched)
rule name Auto_PGM_U2_1
destination-address 21.0.0.100 0.0.0.0
source-group 2
action permit

Step 3 After configuring HRP, run the display hrp state command to check the HRP status.
HRP_M[FW1] display hrp state
Role: active, peer: active
Running priority: 44998, peer: 44998
Core state: normal, peer: normal
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 4 minutes
Last state change information: 2016-06-23 19:16:46 HRP core state changed,
old_state = abnormal(standby), new_state = normal, local_priority = 44998,
peer_priority = 44998.

HRP_S[FW2] display hrp state
Role: active, peer: active
Running priority: 44998, peer: 44998
Core state: normal, peer: normal
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 4 minutes
Last state change information: 2016-07-28 20:43:16 HRP link changes to up.

Step 4 When FW1 fails, for example, a tracked interface goes Down, the role of FW2 becomes
active.
HRP_M[FW2] display hrp state
Role: active, peer: standby (should be "active-active")
Running priority: 44998, peer: 44994
Core state: abnormal(active), peer: abnormal(standby)
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 0 minutes
Last state change information: 2016-06-23 19:24:21 HRP core state changed,
old_state = normal, new_state = abnormal(active), local_priority = 44998,
peer_priority = 44996.

----End

4.20.2.7 Configuration Script


S5700-A
#
sysname S5700-A
#
vlan batch 40
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 40
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
return

S5700-B
#
sysname S5700-B
#
vlan batch 20
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 20
port trunk allow-pass vlan 20
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
return

S7700-A
#
sysname S7700-A
#
vlan batch 40
#
interface Eth-Trunk20
description connect to S127
port link-type trunk
port trunk allow-pass vlan 40
#
interface XGigabitEthernet2/0/1
eth-trunk 20
#
interface XGigabitEthernet2/0/2
eth-trunk 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 40
port-isolate enable group 1
#
return

S7700-B
#
sysname S7700-B
#
vlan batch 20
#
interface Eth-Trunk10
description connect to S127
port link-type trunk
port trunk allow-pass vlan 20
#
interface XGigabitEthernet2/0/1
eth-trunk 10
#
interface XGigabitEthernet2/0/2
eth-trunk 10
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20
port-isolate enable group 1
#
return

S12700 CSS
#
sysname CORE-SWITCH
#
vlan batch 10 20 30 40 1000
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template default_free_rule
access-domain huawei portal force
#
group-policy controller 168.88.77.10 password %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%# src-ip 168.88.77.157
#
dhcp enable
#
radius-server template test01
radius-server shared-key cipher %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%#
radius-server authentication 168.88.77.10 1812 source ip-address 168.88.77.157 weight 80
radius-server accounting 168.88.77.10 1813 source ip-address 168.88.77.157 weight 80
radius-server authorization 168.88.77.10 shared-key cipher %^%#_7zY2\gzd5na,V-SB"P4L;(+(pVDlL(,Wf$|<a=&%^%#
#
free-rule-template name default_free_rule
free-rule 1 destination ip 168.88.77.140 mask 255.255.255.255 source any
#
web-auth-server test01
server-ip 168.88.77.10
port 50100
shared-key cipher %^%#_7zY2\gzd5na,V-SB"P4L;(+(pVDlL(,Wf$|<a=&%^%#
url http://168.88.77.10:8080/portal
source-ip 168.88.77.157
#
portal-access-profile name portal1
web-auth-server test01 direct
#
aaa
authentication-scheme test01
authentication-mode radius
accounting-scheme test01
accounting-mode radius
accounting realtime 15
domain huawei
authentication-scheme test01
accounting-scheme test01
radius-server test01
#
interface Vlanif10
ip address 192.168.10.3 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 168.88.77.140
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
authentication-profile p1
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 168.88.77.140
#
interface Vlanif1000
ip address 168.88.77.157 255.255.128.0
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 20
#
interface Eth-Trunk20
description con to S7700-A
port link-type trunk
port trunk allow-pass vlan 40
#
interface Eth-Trunk30
port link-type access
port default vlan 10
#
interface Eth-Trunk40
port link-type access
port default vlan 10
#
interface XGigabitEthernet 1/1/0/0
eth-trunk 20
#
interface XGigabitEthernet 1/1/0/1
eth-trunk 10
#
interface GigabitEthernet1/1/1/7
mad detect mode direct
#
interface GigabitEthernet 1/2/0/0
eth-trunk 30
#
interface GigabitEthernet 1/2/0/1
eth-trunk 40
#
interface GigabitEthernet 1/3/0/0
port link-type access
port default vlan 1000
#
interface XGigabitEthernet 2/1/0/0
eth-trunk 20
#
interface XGigabitEthernet 2/1/0/1
eth-trunk 10
#
interface GigabitEthernet2/1/1/7
mad detect mode direct
#
interface GigabitEthernet 2/2/0/0
eth-trunk 30
#
interface GigabitEthernet 2/2/0/1
eth-trunk 40
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 168.88.0.0 0.0.127.255
network 172.16.30.0 0.0.0.255
network 172.16.40.0 0.0.0.255
network 192.168.10.0 0.0.0.255
#
capwap source interface vlanif20
#
wlan
ssid-profile name portal
ssid portal_test
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile portal
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
radio 2
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac ac85-3d95-d800 ap-sn 2102354483W0DC000733
ap-group ap-group1
#
return

FW1 FW2
# #
sysname FW1 sysname FW2
# #
hrp enable hrp enable
hrp interface GigabitEthernet1/0/5 hrp interface GigabitEthernet1/0/5
remote 10.10.0.2 remote 10.10.0.1
hrp mirror session enable hrp mirror session enable
hrp track interface Eth-Trunk30 hrp track interface Eth-Trunk40
# #
healthcheck enable healthcheck enable
healthcheck name isp1_health healthcheck name isp1_health
destination 21.0.0.100 interface destination 21.0.0.100 interface
GigabitEthernet1/0/1 protocol tcp- GigabitEthernet1/0/1 protocol tcp-
simple destination-port 1001 simple destination-port 1003
healthcheck name isp2_health healthcheck name isp2_health
destination 22.0.0.100 interface destination 22.0.0.100 interface
GigabitEthernet1/0/2 protocol tcp- GigabitEthernet1/0/2 protocol tcp-
simple destination-port 1002 simple destination-port 1004
# #
radius-server template test01 radius-server template test01
radius-server shared-key cipher %^ radius-server shared-key cipher %^
%#[k>:K48o,,LpDo,|-GmSlC$p/ %#[k>:K48o,,LpDo,|-GmSlC$p/
vLsQ.nTSwS^C3I0%^%# vLsQ.nTSwS^C3I0%^%#
radius-server authentication radius-server authentication
168.88.77.10 1812 weight 80 168.88.77.10 1812 weight 80
radius-server accounting 168.88.77.10 radius-server accounting 168.88.77.10
1813 weight 80 1813 weight 80
undo radius-server user-name domain- undo radius-server user-name domain-
included included
radius-server group-filter class radius-server group-filter class
# #
interface Eth-Trunk30 interface Eth-Trunk30
ip address 192.168.10.1 255.255.255.0 #
# interface Eth-Trunk40
interface Eth-Trunk40 ip address 192.168.10.2 255.255.255.0
# #
interface GigabitEthernet1/0/1 interface GigabitEthernet1/0/1
undo shutdown undo shutdown
ip address 201.0.0.1 255.255.255.0 ip address 201.0.0.2 255.255.255.0
healthcheck isp1_health healthcheck isp1_health
gateway 201.0.0.254 gateway 201.0.0.254
bandwidth ingress 100000 threshold 95 bandwidth ingress 100000 threshold 95
bandwidth egress 100000 threshold 95 bandwidth egress 100000 threshold 95
# #
interface GigabitEthernet1/0/2 interface GigabitEthernet1/0/2
undo shutdown undo shutdown
ip address 202.0.0.2 255.255.255.0 ip address 202.0.0.1 255.255.255.0
healthcheck isp2_health healthcheck isp2_health
gateway 202.0.0.254 gateway 202.0.0.254
bandwidth ingress 50000 threshold 90 bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90 bandwidth egress 50000 threshold 90
# #
interface GigabitEthernet1/0/3 interface GigabitEthernet1/0/3
undo shutdown undo shutdown
eth-trunk 30 eth-trunk 40
# #
interface GigabitEthernet1/0/4 interface GigabitEthernet1/0/4
undo shutdown undo shutdown
eth-trunk 30 eth-trunk 40
# #
interface GigabitEthernet1/0/5 interface GigabitEthernet1/0/5
undo shutdown undo shutdown
ip address 10.10.0.1 255.255.255.0 ip address 10.10.0.2 255.255.255.0
# #
interface LoopBack0 interface LoopBack0
ip address 1.1.1.1 255.255.255.255 ip address 2.2.2.2 255.255.255.255

Issue 03 (2017-10-31) Huawei Proprietary and Confidential 1254


Copyright © Huawei Technologies Co., Ltd.
Typical Configuration Examples 4 Typical Configuration Examples (CLI)

FW1 FW2
# #
firewall zone trust firewall zone trust
add interface GigabitEthernet0/0/0 add interface GigabitEthernet0/0/0
add interface Eth-Trunk30 add interface Eth-Trunk30
add interface Eth-Trunk40 add interface Eth-Trunk40
# #
firewall zone dmz firewall zone dmz
set priority 50 set priority 50
add interface GigabitEthernet1/0/5 add interface GigabitEthernet1/0/5
# #
firewall zone name isp1 id 4 firewall zone name isp1 id 4
set priority 10 set priority 10
add interface GigabitEthernet1/0/1 add interface GigabitEthernet1/0/1
# #
firewall zone name isp2 id 5 firewall zone name isp2 id 5
set priority 20 set priority 20
add interface GigabitEthernet1/0/2 add interface GigabitEthernet1/0/2
# #
ospf 1 router-id 1.1.1.1 ospf 1 router-id 2.2.2.2
import-route static import-route static
area 0.0.0.0 area 0.0.0.0
network 192.168.10.0 0.0.0.255 network 192.168.10.0 0.0.0.255
# #
ip route-static 21.0.0.0 255.255.255.0 ip route-static 21.0.0.0 255.255.255.0
201.0.0.254 201.0.0.254
ip route-static 22.0.0.0 255.255.255.0 ip route-static 22.0.0.0 255.255.255.0
202.0.0.254 202.0.0.254
# #
nat address-group addressgroup1 0 nat address-group addressgroup1 0
mode pat mode pat
route enable route enable
section 0 201.0.0.10 201.0.0.12 section 0 201.0.0.10 201.0.0.12
# #
nat address-group addressgroup2 1 nat address-group addressgroup2 1
mode pat mode pat
route enable route enable
section 0 202.0.0.10 202.0.0.12 section 0 202.0.0.10 202.0.0.12
# #
multi-interface multi-interface
mode proportion-of-bandwidth mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1 add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2 add interface GigabitEthernet1/0/2
# #
agile-network agile-network
agile-network enable agile-network enable
radius-server test01 radius-server test01
server ip 168.88.77.10 server ip 168.88.77.10
local ip 192.168.10.1 local ip 192.168.10.2
password %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%# password %^%#[k>:K48o,,LpDo,|-GmSlC$p/vLsQ.nTSwS^C3I0%^%#
xmpp connect xmpp connect
# #
security-policy security-policy
default action permit default action permit
# #
nat-policy nat-policy
rule name policy_nat1 rule name policy_nat1
source-zone trust source-zone trust
destination-zone isp1 destination-zone isp1
source-address range 172.16.30.1 172.16.30.254 source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254 source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup1 action nat address-group addressgroup1
rule name policy_nat2 rule name policy_nat2

source-zone trust source-zone trust
destination-zone isp2 destination-zone isp2
source-address range 172.16.30.1 172.16.30.254 source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254 source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup2 action nat address-group addressgroup2
# #
return return

4.20.3 Higher Education Campus Network Deployment Case (Branch Switch Used as the Gateway and Authentication Point)

4.20.3.1 Application Scenario and Service Requirements

Application Scenario
This solution uses the aggregation switch as the gateway and authentication point and applies
to higher education campus networks with more than 15,000 access users, meeting customers'
requirements of unified management and configuration for access switches.

Service Requirements
The number of users of a school campus must be considered for school campus network
construction. Users on a school campus can access the campus network only after being
authenticated. To ensure network security, users of different roles must be assigned
different network access rights.
The education industry networks must meet the following requirements.
- Access
  Provide both wired and wireless access.
- Security
  Assign different network rights to students, teachers, and other roles.
- Authentication
  Use PPPoE, Portal, or 802.1X authentication for wired users, and use Portal or 802.1X
  authentication for wireless users.
- O&M
  Uniformly manage wired and wireless networks.

4.20.3.2 Solution Design

Networking Diagram
The aggregation switch S12700 or S7700 is configured as the authentication point and
gateway on the entire school campus backbone network. The S12700 and S7700 have the
X1E card installed, support native AC, and carry wireless services on the entire network.


Network Design
- Two S12700s constitute a Cluster Switch System (CSS) that is used as the core of a
  campus network, providing high network reliability and scalability.
- The S12700 and S7700 are used as aggregation switches in each office building and
  connect to access switches of each floor. The S5700 is used as the access switch.
- The aggregation switch S12700 and S7700 are configured with native AC to manage
  APs on the entire network and transmit wireless services to implement wired and
  wireless convergence.
- The aggregation switch S12700 and S7700 are used as the gateway for both wired and
  wireless users on the entire network, and forward packets of users based on routes. The
  S12700 and S7700 also function as the authentication point to authenticate wired and
  wireless users.

Involved NEs and Software Versions

Product                               Software Version
------------------------------------  ----------------
S12700 equipped with the X1E card     V200R009C00
S7700 equipped with the X1E card      V200R009C00
S5700                                 V200R009C00
Agile Controller-Campus               V100R002C10
USG6600                               V500R001C00
NGFW module                           V500R001C00
AP                                    V200R006C20

4.20.3.3 Configuration Roadmap and Data Plan

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the access switch.
2. Use two S12700s to set up a CSS.
3. Configure the core switch connected to the NGFW module and USG6600.
4. Establish a connection between the NGFW card and the Agile Controller.
5. Configure interfaces and VLANs on the aggregation switch S12700.
6. Configure the aggregation switch as a DHCP server to allocate IP addresses to users.
7. Configure wireless services on the aggregation switch S12700 and configure wired
services on the S7700.
8. Configure wired and wireless authentication and accounting services on the aggregation
switch S12700 or S7700. Portal authentication is used as an example here.
9. Configure Extensible Messaging and Presence Protocol (XMPP) parameters on the
aggregation switch for interworking with the Agile Controller, and enable free mobility.
10. Configure interfaces and IP addresses on the firewall.
11. Configure zones and security policies on the firewall.
12. Configure HRP on the firewall.
13. Perform agile network configurations on the firewall.
14. Log in to the Agile Controller to add user groups and user accounts.
15. Configure Remote Authentication Dial In User Service (RADIUS), Portal, and XMPP
parameters, and add an aggregation switch and a firewall (including the NGFW module)
on the Agile Controller.
16. Configure and deploy security groups and inter-group policies on the Agile Controller.
17. Configure and deploy QoS policies on the Agile Controller.
18. Configure and deploy service chains on the Agile Controller.
19. Add a RADIUS relay agent and define customization conditions on the Agile Controller.
20. Define authentication rules on the Agile Controller and enable the RADIUS relay agent.
21. Configure authorization results and rules on the Agile Controller.
22. Add network devices on the Srun.
23. Add RADIUS attributes based on customization conditions of the Agile Controller on
the Srun.
24. Configure management of accounting and control policies on the Srun.
25. Configure user group management and create users on the Srun.

Data Plan

Table 4-159 Basic service data plan of the core switch

Item                                                              VLAN ID    Network Segment
----------------------------------------------------------------  ---------  ----------------
Network segment connected to the NGFW card                        VLAN 9     192.168.9.2/24
Network segment connected to the uplink interface on the USG6600  VLAN 10    192.168.10.3/24
Network segment connected to the downlink interface on the S12700 VLAN 11    192.168.11.2/24
Network segment connected to the downlink interface on the S7700  VLAN 12    192.168.12.2/24
Network segment connected to the Agile Controller                 VLAN 1000  168.88.77.157/17
LoopBack 1                                                        -          3.3.3.3/32


Table 4-160 Basic service data plan of the NGFW module

Item                                           VLAN ID  Network Segment
---------------------------------------------  -------  ----------------
Network segment connected to the core switch   VLAN 9   192.168.9.1/24
Remote addresses for service chains            -        172.30.100.1/32
                                                        172.30.101.1/32
LoopBack 1                                     -        4.4.4.4/32

Table 4-161 Basic service data plan of the aggregation switch S12700

Item                                                                        VLAN ID  Network Segment
--------------------------------------------------------------------------  -------  ----------------
Network segment connected to the uplink interface on the core switch S12700 VLAN 11  192.168.11.1/24
mVLAN for APs                                                               VLAN 20  192.168.20.1/24
Service VLAN of wireless users                                              VLAN 30  172.16.30.1/24
Tunnel addresses of service chains                                          -        172.30.100.2/32
                                                                                     172.30.101.2/32
LoopBack 1                                                                  -        1.1.1.1/32

Table 4-162 Basic service data plan of the aggregation switch S7700

Item                                                                        VLAN ID  Network Segment
--------------------------------------------------------------------------  -------  ----------------
Network segment connected to the uplink interface on the core switch S12700 VLAN 12  192.168.12.1/24
Service VLAN of wired users                                                 VLAN 40  172.16.40.1/24
Tunnel addresses of service chains                                          -        172.30.100.3
                                                                                     172.30.101.3
LoopBack 1                                                                  -        2.2.2.2/32


Table 4-163 Basic service data plan of the aggregation switch S12700 or S7700

Item                        Data
--------------------------  ------------------------------------------------------------
RADIUS server template      - Authentication server IP address: 168.88.77.10
                            - Authentication server port number: 1812
                            - Accounting server IP address: 168.88.77.10
                            - Accounting server port number: 1813
                            - RADIUS server shared key: Admin@123
                            - Accounting interval: 15 minutes
Portal server               - URL: http://168.88.77.10:8080/portal
                            - IP address: 168.88.77.10
                            - Port number: 50100
                            - Shared key: Admin@123
XMPP password               Admin@123
Pre-authentication domain   DNS server IP address: 168.88.77.140
Post-authentication domain  - User1 matches the free mobility intra-group policy and is
                              allowed to access Server1 and Server2.
                            - User2 matches the free mobility intra-group policy and is
                              allowed to access Server1 but is not allowed to access
                              Server2.
                            - User1 and user2 cannot access each other.

Table 4-164 Service data plan of the Agile Controller

Item                                         Data
-------------------------------------------  --------------------------------------------------------
IP address of the aggregation switch S12700  1.1.1.1
IP address of the aggregation switch S7700   2.2.2.2
IP address of the NGFW card                  4.4.4.4
IP address of FW1                            5.5.5.5
IP address of FW2                            6.6.6.6
RADIUS authentication key                    Admin@123
RADIUS accounting key                        Admin@123
Portal parameters                            Settings on the two core switches:
                                             - Port number: 2000
                                             - Portal key: Admin@123
                                             - IP address segment of access terminals: 172.16.0.0/16
Security group                               - group1
                                             - group2
Resource group                               - server1: 21.0.0.100
                                             - server2: 22.0.0.100

Item               Parameter                                     Data
-----------------  --------------------------------------------  ------------------------------------------
Device management  IP address of the core switch                 168.88.77.157
                   RADIUS key                                    Admin@123
                   Portal key                                    Admin@123
                   Portal redirection page                       index_2.html
Portal             Authentication address of AAA                 168.88.77.9
                   Authentication port of AAA                    1812
                   Accounting address of AAA                     168.88.77.9
                   Accounting port (authentication port of AAA)  1813
                   NAS IP                                        168.88.77.10/1.1.1.1/2.2.2.2
                   Portal key                                    Admin@123
                   DM port                                       3799
RADIUS attribute   Name                                          group1 and group2
                   Attribute name                                Filter-ID
                   Vendor-ID                                     0
                   Vendor-name                                   -
                   Attribute ID                                  11
                   Type                                          Integer
                   Delivery condition                            Delivery without any condition
                   Format                                        %d
                   Fixed value                                   25 and 26
                   Dictionary                                    dictionary.rfc2865
                   NAS type                                      Huawei, H3C, Srun gateways
Accounting policy  Name                                          account_policy
Control policy     Name                                          group1_control and group2_control
Accounting group   Name                                          group1_accounting bound to the accounting
                                                                 policy account_policy and the control
                                                                 policy group1_control
                   Name                                          group2_accounting bound to the accounting
                                                                 policy account_policy and the control
                                                                 policy group2_control
User group         Name                                          group1 and group2
User               User name/password                            user1/Huawei123 bound to the user group
                                                                 group1 and the accounting group
                                                                 group1_accounting
                                                                 user2/Huawei123 bound to the user group
                                                                 group2 and the accounting group
                                                                 group2_accounting

Table 4-165 Data plan of the egress solution and USG6600 HRP

Device                     Interface Number  Member Interface        VLANIF     IP Address       Remote Device              Remote Interface Number
-------------------------  ----------------  ----------------------  ---------  ---------------  -------------------------  -----------------------
FW1                        GE1/0/1           -                       -          201.0.0.1/24     Public IP address1 assigned by ISP1 to an enterprise
                           GE1/0/2           -                       -          202.0.0.2/24     Public IP address2 assigned by ISP2 to an enterprise
                           GE1/0/5           -                       -          10.10.0.1/24     FW2                        GE1/0/5
                           Eth-Trunk 1       GE1/0/3, GE1/0/4        -          192.168.10.1/24  S12700 CSS2                Eth-Trunk 3
FW2                        GE1/0/1           -                       -          201.0.0.2/24     Public IP address3 assigned by ISP1 to an enterprise
                           GE1/0/2           -                       -          202.0.0.1/24     Public IP address4 assigned by ISP2 to an enterprise
                           GE1/0/5           -                       -          10.10.0.2/24     FW1                        GE1/0/5
                           Eth-Trunk 1       GE1/0/3, GE1/0/4        -          192.168.10.2/24  S12700 CSS2                Eth-Trunk 4
S12700 CSS2                Eth-Trunk 3       GE1/2/0/0, GE2/2/0/0    VLANIF 10  192.168.10.3/24  FW1                        Eth-Trunk 1
                           Eth-Trunk 4       GE1/2/0/1, GE2/2/0/1    VLANIF 10  192.168.10.3/24  FW2                        Eth-Trunk 1
                           Eth-Trunk0        XGE1/4/0/0, XGE1/4/0/1  -          -                NGFW module                Eth-Trunk 0
                           Eth-Trunk 1       XGE1/3/1/0, XGE2/3/1/0  -          -                Aggregation switch S12700  Eth-Trunk 1
                           Eth-Trunk 2       XGE1/3/1/1, XGE2/3/1/2  -          -                Aggregation switch S7700   Eth-Trunk 1
NGFW module                Eth-Trunk 0       GE1/0/0, GE1/0/1        -          -                S12700 CSS2                Eth-Trunk 0
Aggregation switch S12700  Eth-Trunk 1       XGE2/1/0, XGE2/1/1      -          -                S12700 CSS2                Eth-Trunk 1
                           GE1/1/0           -                       -          -                S5700-A                    GE0/0/25
Aggregation switch S7700   Eth-Trunk 1       XGE2/1/0, XGE2/1/1      -          -                S12700 CSS2                Eth-Trunk 2
                           GE2/0/1           -                       -          -                S5700-B                    GE0/0/25

4.20.3.4 Configuration Notes


Free Mobility Configuration Notes:

- The Agile Controller-Campus can support the free mobility function only after a license
  is loaded.
- To implement free mobility, authentication points for intranet users must be deployed on
  agile switches. It is recommended that S12700 and S7700 with X1E/X2S/X2E/X2H
  cards, and S5720-HI switches be used.
- Policy enforcement points for free mobility are deployed on agile switches, Next-
  Generation Firewalls (NGFWs), or Secure Sockets Layer virtual private network (SVN).
- If there is a requirement for user-to-user access control, Layer 2 isolation must be
  deployed on access switches to divert all traffic to authentication point switches. User
  isolation for wireless service needs to be configured in the VAP profile.
- If 802.1X authentication needs to be deployed on switches and firewalls function as
  policy enforcement points for free mobility, it is required to configure real-time
  accounting on switches. The switches report IP addresses to the Agile Controller-
  Campus for firewalls to query by sending accounting packets.
- When 802.1X authentication is used for wired users, the authentication points can be
  core switches or aggregation switches. If the authentication points are core switches,
  EAP packet transparent transmission must be configured on access switches and
  aggregation switches. Similarly, if the authentication points are aggregation switches,
  EAP packet transparent transmission must be configured on access switches.
- When a firewall functions as a policy enforcement point, the intranet user network
  segment needs to be specified on the Agile Controller-Campus for the firewall to query
  the security group to which an IP address belongs. When user access traffic reaches the
  firewall, the firewall sends the user IP address to the Agile Controller-Campus to query
  its security group. The firewall will initiate inquiries only when the IP addresses are
  within the intranet segment.
- When a firewall functions as a policy enforcement point, to prevent the security group
  queries sent from the firewall to the Agile Controller-Campus from being discarded, it is
  recommended that the Agile Controller-Campus deliver global configurations to the
  firewall and forward RADIUS packets to the Agile Controller-Campus.
- Only firewalls support the free mobility QoS policy.
- To implement free mobility, only firewalls support the application-based access
  permission control, bandwidth rate limit, and priority scheduling.

4.20.3.5 Configuration Procedure

4.20.3.5.1 Configuring the Access Switch S5700-A in Office Building A

Step 1 Create a service VLAN for wireless users and configure the VLAN allowed by an interface.
The configuration of the access switch S5700 in office building B is similar to that in office
building A, and is not mentioned here.
# Create a VLAN.
<S5700-A> system-view
[S5700-A] vlan batch 20

# Configure an uplink interface connected to the aggregation switch.
[S5700-A] interface gigabitethernet 0/0/25
[S5700-A-GigabitEthernet0/0/25] port link-type trunk
[S5700-A-GigabitEthernet0/0/25] port trunk allow-pass vlan 20
[S5700-A-GigabitEthernet0/0/25] quit

# Configure a downlink interface connected to APs.
[S5700-A] interface gigabitethernet 0/0/1
[S5700-A-GigabitEthernet0/0/1] port link-type trunk
[S5700-A-GigabitEthernet0/0/1] port trunk allow-pass vlan 20
[S5700-A-GigabitEthernet0/0/1] port trunk pvid vlan 20
[S5700-A-GigabitEthernet0/0/1] port-isolate enable
[S5700-A-GigabitEthernet0/0/1] quit

----End

4.20.3.5.2 Configuring Core Switches

Step 1 Use two S12700s to set up a CSS.
# Install CSS cards on S12700-1 and S12708-2, and connect cluster cables.
For details on CSS setup, see CSS of S Switches.
# Configure the CSS connection mode, CSS ID, and CSS priority.
<S12700-1> system-view
[S12700-1] set css mode css-card
[S12700-1] set css id 1
Warning: Modifying the CSS chassis ID will cause interface configuration loss.
Continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait....
Info: CSS configuration has been changed, and the new configuration will take
effect after a reboot and CSS has been enabled.
[S12700-1] set css priority 100 //On S12708-1, set the CSS ID and CSS priority to 1 and 100, respectively.
<S12700-2> system-view
[S12700-2] set css mode css-card
[S12700-2] set css id 2
Warning: Modifying the CSS chassis ID will cause interface configuration loss.
Continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait....
Info: CSS configuration has been changed, and the new configuration will take
effect after a reboot and CSS has been enabled.
[S12700-2] set css priority 10 //On S12708-2, set the CSS ID and CSS priority to 2 and 10, respectively.

# Check the CSS configuration. After the configuration is complete, run the display css
status saved command to check whether the configuration is correct.
[S12700-1] display css status saved //Check the CSS configuration on S12708-1.
Current Id Saved Id CSS Enable CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 1 Off CSS card 100 Off

[S12700-2] display css status saved //Check the CSS configuration on S12708-2.
Current Id Saved Id CSS Enable CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 2 Off CSS card 10 Off

# Enable the CSS function.
[S12700-1] css enable //Enable the CSS function on S12708-1 and restart BRAS02.
Warning: The CSS configuration will take effect only after the system is
rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
[S12700-2] css enable //Enable the CSS function on S12708-2 and restart BRAS01.
Warning: The CSS configuration will take effect only after the system is
rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Check whether a CSS is set up successfully. Log in to the CSS from the console port of any
MPU and run the display device command to check the CSS status. If the card status of two
member switches is displayed in the command output, the CSS is set up successfully.
Step 2 Configure multi-active detection (MAD) in direct mode on cluster interfaces.
1. Configure MAD in direct mode on GE1/1/1/7.
<CSS> system-view
[CSS] interface gigabitethernet 1/1/1/7
[CSS-GigabitEthernet1/1/1/7] mad detect mode direct
Warning: This command will block the port, and no other configuration running
on this port is recommended. Continue?[Y/N]:y
[CSS-GigabitEthernet1/1/1/7] quit

2. Configure MAD in direct mode on GE2/1/1/7.
[CSS] interface gigabitethernet 2/1/1/7
[CSS-GigabitEthernet2/1/1/7] mad detect mode direct
Warning: This command will block the port, and no other configuration running
on this port is recommended. Continue?[Y/N]:y
[CSS-GigabitEthernet2/1/1/7] quit

3. Check detailed MAD configuration of the CSS.
[CSS] display mad verbose
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
  GigabitEthernet1/1/1/7
  GigabitEthernet2/1/1/7
Mad relay detect interfaces configured:
Excluded ports(configurable):
Excluded ports(can not be configured):
  XGigabitEthernet1/6/0/0
  XGigabitEthernet2/6/0/0

Step 3 Configure basic network parameters.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname core-switch
[core-switch] vlan batch 9 10 11 12 1000

# Create a loopback interface, and specify the IP address of this interface as the OSPF router
ID.
[core-switch] interface loopback 1
[core-switch-LoopBack1] ip address 3.3.3.3 255.255.255.255
[core-switch-LoopBack1] quit

# Configure IP addresses for interconnected interfaces.
[core-switch] interface vlanif 9 //This interface is connected to the NGFW module.
[core-switch-Vlanif9] ip address 192.168.9.2 255.255.255.0
[core-switch-Vlanif9] quit
[core-switch] interface vlanif 10 //The uplink interface connects to the USG6600.
[core-switch-Vlanif10] ip address 192.168.10.3 255.255.255.0
[core-switch-Vlanif10] quit
[core-switch] interface vlanif 11 //The downlink interface connects to the aggregation switch S12700.
[core-switch-Vlanif11] ip address 192.168.11.2 255.255.255.0
[core-switch-Vlanif11] quit
[core-switch] interface vlanif 12 //The downlink interface connects to the aggregation switch S7700.
[core-switch-Vlanif12] ip address 192.168.12.2 255.255.255.0
[core-switch-Vlanif12] quit
[core-switch] interface vlanif 1000 //The interface connects to the Agile Controller.
[core-switch-Vlanif1000] ip address 168.88.77.157 255.255.128.0
[core-switch-Vlanif1000] quit

# Add interfaces to VLANs.
[core-switch] interface eth-trunk 0 //Create Eth-Trunk 0 connected to the NGFW module.
[core-switch-Eth-Trunk0] port link-type trunk
[core-switch-Eth-Trunk0] undo port trunk allow-pass vlan 1
[core-switch-Eth-Trunk0] port trunk allow-pass vlan 9
[core-switch-Eth-Trunk0] stp disable //Disable STP on Eth-Trunk 0 connected to the firewall.
[core-switch-Eth-Trunk0] quit
[core-switch] interface xgigabitethernet 1/4/0/0
[core-switch-XGigabitEthernet1/4/0/0] eth-trunk 0
[core-switch-XGigabitEthernet1/4/0/0] quit
[core-switch] interface xgigabitethernet 1/4/0/1
[core-switch-XGigabitEthernet1/4/0/1] eth-trunk 0
[core-switch-XGigabitEthernet1/4/0/1] quit
[core-switch] interface eth-trunk 1 //Create Eth-Trunk 1 connected to the aggregation switch S12700.
[core-switch-Eth-Trunk1] port link-type trunk
[core-switch-Eth-Trunk1] port trunk allow-pass vlan 11
[core-switch-Eth-Trunk1] quit
[core-switch] interface xgigabitethernet 1/3/1/0
[core-switch-XGigabitEthernet1/3/1/0] eth-trunk 1
[core-switch-XGigabitEthernet1/3/1/0] quit
[core-switch] interface xgigabitethernet 2/3/1/0
[core-switch-XGigabitEthernet2/3/1/0] eth-trunk 1
[core-switch-XGigabitEthernet2/3/1/0] quit
[core-switch] interface eth-trunk 2 //Create Eth-Trunk 2 connected to the aggregation switch S7700.
[core-switch-Eth-Trunk2] port link-type trunk
[core-switch-Eth-Trunk2] port trunk allow-pass vlan 12
[core-switch-Eth-Trunk2] quit
[core-switch] interface xgigabitethernet 1/3/1/1
[core-switch-XGigabitEthernet1/3/1/1] eth-trunk 2
[core-switch-XGigabitEthernet1/3/1/1] quit
[core-switch] interface xgigabitethernet 2/3/1/1
[core-switch-XGigabitEthernet2/3/1/1] eth-trunk 2
[core-switch-XGigabitEthernet2/3/1/1] quit
[core-switch] interface eth-trunk 3 //Create Eth-Trunk 3 connected to FW1.
[core-switch-Eth-Trunk3] port link-type access
[core-switch-Eth-Trunk3] port default vlan 10
[core-switch-Eth-Trunk3] quit
[core-switch] interface gigabitethernet 1/2/0/0
[core-switch-GigabitEthernet1/2/0/0] eth-trunk 3
[core-switch-GigabitEthernet1/2/0/0] quit
[core-switch] interface gigabitethernet 2/2/0/0
[core-switch-GigabitEthernet2/2/0/0] eth-trunk 3
[core-switch-GigabitEthernet2/2/0/0] quit
[core-switch] interface eth-trunk 4 //Create Eth-Trunk 4 connected to FW2.
[core-switch-Eth-Trunk4] port link-type access
[core-switch-Eth-Trunk4] port default vlan 10
[core-switch-Eth-Trunk4] quit
[core-switch] interface gigabitethernet 1/2/0/1
[core-switch-GigabitEthernet1/2/0/1] eth-trunk 4
[core-switch-GigabitEthernet1/2/0/1] quit
[core-switch] interface gigabitethernet 2/2/0/1
[core-switch-GigabitEthernet2/2/0/1] eth-trunk 4
[core-switch-GigabitEthernet2/2/0/1] quit
[core-switch] interface gigabitethernet 1/2/0/20
[core-switch-GigabitEthernet1/2/0/20] port link-type access
[core-switch-GigabitEthernet1/2/0/20] port default vlan 1000
[core-switch-GigabitEthernet1/2/0/20] quit

Step 4 Configure the NGFW module.
# Configure interworking between the NGFW module and the core switch.
[NGFW Module] vlan batch 9
[NGFW Module] interface vlanif 9
[NGFW Module-Vlanif9] ip address 192.168.9.1 255.255.255.0
[NGFW Module-Vlanif9] quit
[NGFW Module] interface eth-trunk 0
[NGFW Module-Eth-Trunk0] quit
[NGFW Module] interface gigabitethernet 1/0/0
[NGFW Module-GigabitEthernet1/0/0] eth-trunk 0
[NGFW Module-GigabitEthernet1/0/0] quit
[NGFW Module] interface gigabitethernet 1/0/1
[NGFW Module-GigabitEthernet1/0/1] eth-trunk 0
[NGFW Module-GigabitEthernet1/0/1] quit
[NGFW Module] interface eth-trunk 0
[NGFW Module-Eth-Trunk0] portswitch
[NGFW Module-Eth-Trunk0] port link-type trunk
[NGFW Module-Eth-Trunk0] port trunk allow-pass vlan 9
[NGFW Module-Eth-Trunk0] undo port trunk allow-pass vlan 1
[NGFW Module-Eth-Trunk0] quit

# Configure loopback interfaces' addresses.
[NGFW Module] interface loopback 1 //The interface is used to interwork with the Agile Controller.
[NGFW Module-LoopBack1] ip address 4.4.4.4 255.255.255.255
[NGFW Module-LoopBack1] quit
[NGFW Module] interface loopback 100 //The interface is used for service orchestration.
[NGFW Module-LoopBack100] ip address 172.30.100.1 255.255.255.255
[NGFW Module-LoopBack100] quit
[NGFW Module] interface loopback 101 //The interface is used for service orchestration.
[NGFW Module-LoopBack101] ip address 172.30.101.1 255.255.255.255
[NGFW Module-LoopBack101] quit

# Configure a security zone.
[NGFW Module] firewall zone trust
[NGFW Module-zone-trust] add interface eth-trunk 0
[NGFW Module-zone-trust] add interface vlanif 9
[NGFW Module-zone-trust] quit

# Configure a security policy.
[NGFW Module] security-policy
[NGFW Module-policy-security] default action permit
[NGFW Module-policy-security] quit

# Configure agile services on the NGFW module.
[NGFW Module] radius-server template test01
[NGFW Module-radius-test01] radius-server shared-key cipher Admin@123
[NGFW Module-radius-test01] radius-server authentication 168.88.77.10 1812 source LoopBack 0
[NGFW Module-radius-test01] radius-server accounting 168.88.77.10 1813 source LoopBack 0
[NGFW Module-radius-test01] quit
[NGFW Module] agile-network
[NGFW Module-agile-network] radius-server test01
[NGFW Module-agile-network] server ip 168.88.77.10
[NGFW Module-agile-network] local ip 4.4.4.4
[NGFW Module-agile-network] password Admin@123
[NGFW Module-agile-network] agile-network enable
[NGFW Module-agile-network] xmpp connect
[NGFW Module-agile-network] quit

# Configure a route on the NGFW module.
[NGFW Module] ip route-static 0.0.0.0 0.0.0.0 192.168.9.2

Step 5 Configure routes on the core switch.
# Configure a routing protocol based on site requirements. OSPF and static routing protocols
are used here.
[core-switch] ip ip-prefix test01 index 1 permit 172.16.30.0 24 //The route is advertised to the firewall only.
[core-switch] ip ip-prefix test01 index 2 permit 172.16.40.0 24
[core-switch] ospf 1 router-id 3.3.3.3
[core-switch-ospf-1] filter-policy ip-prefix test01 export static //Configure the core switch to advertise static routes to network segments of wired and wireless users.
[core-switch-ospf-1] import-route static
[core-switch-ospf-1] area 0.0.0.0
[core-switch-ospf-1-area-0.0.0.0] network 192.168.10.0 0.0.0.255 //Configure the core switch to advertise the network segment connected to the USG6600.
[core-switch-ospf-1-area-0.0.0.0] network 168.88.0.0 0.0.127.255 //Configure the core switch to advertise the address segment of the Agile Controller.
[core-switch-ospf-1-area-0.0.0.0] quit
[core-switch-ospf-1] quit
[core-switch] ip route-static 1.1.1.1 255.255.255.255 192.168.11.1
[core-switch] ip route-static 2.2.2.2 255.255.255.255 192.168.12.1
[core-switch] ip route-static 4.4.4.4 255.255.255.255 192.168.9.1
[core-switch] ip route-static 172.16.30.0 255.255.255.0 192.168.11.1
[core-switch] ip route-static 172.16.40.0 255.255.255.0 192.168.12.1
[core-switch] ip route-static 172.30.100.1 255.255.255.255 192.168.9.1
[core-switch] ip route-static 172.30.100.2 255.255.255.255 192.168.11.1
[core-switch] ip route-static 172.30.100.3 255.255.255.255 192.168.12.1
[core-switch] ip route-static 172.30.101.1 255.255.255.255 192.168.9.1
[core-switch] ip route-static 172.30.101.2 255.255.255.255 192.168.11.1
[core-switch] ip route-static 172.30.101.3 255.255.255.255 192.168.12.1

----End
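
The following Python script is an added example, not part of the Huawei guide. It reads a captured CLI session in the prompt format used in this procedure and flags three things the steps above leave in place: `default action permit` under `security-policy`, secrets equal to the sample values printed in the data plan, and trunk interfaces where the `undo port trunk allow-pass vlan 1` step applied to Eth-Trunk 0 is not repeated. The function names, finding labels, and sample session are constructed for illustration.

```python
import re

# Matches a VRP-style prompt line such as "[core-switch-Eth-Trunk1] cmd" or "<HUAWEI> cmd".
PROMPT = re.compile(r"^\s*[\[<](?P<prompt>[^\]>]+)[\]>]\s*(?P<cmd>.*)$")
# Sample secrets printed in this guide's data plan; a production device should not carry them.
SAMPLE_SECRETS = {"Admin@123", "Huawei123"}
SECRET_CMD = re.compile(r"^(radius-server shared-key cipher|password)\s+(\S+)$")


def parse_session(text):
    """Return (prompt, opener, command) tuples.

    'opener' is the command that first produced this prompt (for example
    "security-policy" for "[FW-policy-security]"); it is "" for the top-level view.
    Lines without a prompt (wrapped comments, device output) are skipped.
    """
    entries, openers = [], {}
    prev_prompt, prev_cmd = None, ""
    for raw in text.splitlines():
        m = PROMPT.match(raw)
        if not m:
            continue
        prompt = m["prompt"]
        cmd = re.split(r"\s+//", m["cmd"], maxsplit=1)[0].strip()  # drop trailing //comment
        if (prev_prompt is not None and prompt != prev_prompt
                and prompt not in openers and prev_cmd and prev_cmd != "quit"):
            openers[prompt] = prev_cmd
        if cmd:
            entries.append((prompt, openers.get(prompt, ""), cmd))
        prev_prompt, prev_cmd = prompt, cmd
    return entries


def audit(text):
    """Return a list of (finding, prompt, detail) tuples; secrets are redacted in detail."""
    findings, interfaces = [], {}
    for prompt, opener, cmd in parse_session(text):
        # Firewall forwards everything that no explicit rule matches.
        if opener == "security-policy" and cmd == "default action permit":
            findings.append(("default-permit", prompt, cmd))
        # Shared key or XMPP password copied from the documentation.
        m = SECRET_CMD.match(cmd)
        if m and m.group(2) in SAMPLE_SECRETS:
            findings.append(("sample-secret", prompt, m.group(1) + " <redacted>"))
        # Track per-interface trunk state for the VLAN 1 consistency check.
        if opener.lower().startswith("interface"):
            state = interfaces.setdefault(
                prompt, {"opener": opener, "trunk": False, "vlan1_removed": False})
            if cmd == "port link-type trunk":
                state["trunk"] = True
            elif cmd == "undo port trunk allow-pass vlan 1":
                state["vlan1_removed"] = True
    for prompt, state in interfaces.items():
        if state["trunk"] and not state["vlan1_removed"]:
            findings.append(("trunk-carries-vlan1", prompt, state["opener"]))
    return findings


# Constructed sample: a few lines in the style of the steps above.
SAMPLE_SESSION = """\
[NGFW Module] interface eth-trunk 0
[NGFW Module-Eth-Trunk0] portswitch
[NGFW Module-Eth-Trunk0] port link-type trunk
[NGFW Module-Eth-Trunk0] port trunk allow-pass vlan 9
[NGFW Module-Eth-Trunk0] undo port trunk allow-pass vlan 1
[NGFW Module-Eth-Trunk0] quit
[NGFW Module] security-policy
[NGFW Module-policy-security] default action permit
[NGFW Module-policy-security] quit
[NGFW Module] radius-server template test01
[NGFW Module-radius-test01] radius-server shared-key cipher Admin@123
[NGFW Module-radius-test01] quit
[core-switch] interface eth-trunk 1 //Create Eth-Trunk 1 connected to the
aggregation switch S12700.
[core-switch-Eth-Trunk1] port link-type trunk
[core-switch-Eth-Trunk1] port trunk allow-pass vlan 11
[core-switch-Eth-Trunk1] quit
"""

if __name__ == "__main__":
    for finding, prompt, detail in audit(SAMPLE_SESSION):
        print(f"{finding:22} {prompt:30} {detail}")
```
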

4.20.3.5.3 Configuring the Aggregation Switch S12700 in Office Building A


The configuration of the S7700 is similar to that of the aggregation switch, and is not
mentioned here.

Step 1 Configure basic network parameters.


# Create VLANs.
<HAUWEI> system-view
[HUAWEI] sysname S12700
[S12700] vlan batch 11 20 30

# Enable DHCP globally.


[S12700] dhcp enable

# Create loopback interfaces.


[S12700] interface loopback 1 //The interface is used to interwork with
the Agile Controller.
[S12700-LoopBack1] ip address 1.1.1.1 255.255.255.255
[S12700-LoopBack1] quit
[S12700] interface loopback 100 //The interface is used for service
orchestration.
[S12700-LoopBack100] ip address 172.30.100.2 255.255.255.255
[S12700-LoopBack100] quit
[S12700] interface loopback 101 //The interface is used for service
orchestration.
[S12700-LoopBack101] ip address 172.30.101.2 255.255.255.255
[S12700-LoopBack101] quit

# Create VLANIF 11 connected to the core switch.


[S12700] interface vlanif 11
[S12700-Vlanif11] ip address 192.168.11.1 255.255.255.0
[S12700-Vlanif11] quit

# Create a wireless management interface VLANIF 20, and assign IP addresses to APs from
the interface address pool.
[S12700] interface vlanif 20
[S12700-Vlanif20] ip address 192.168.20.1 255.255.255.0
[S12700-Vlanif20] dhcp select interface
[S12700-Vlanif20] quit

# Create a wireless service interface VLANIF 30, and assign IP addresses to STAs from the
interface address pool.
[S12700] interface vlanif 30
[S12700-Vlanif30] ip address 172.16.30.1 255.255.255.0
[S12700-Vlanif30] arp-proxy inner-sub-vlan-proxy enable //Enable intra-VLAN ARP proxy; otherwise, wireless users cannot communicate through the AC. Determine the configuration according to the actual situation.
[S12700-Vlanif30] dhcp select interface
[S12700-Vlanif30] dhcp server dns-list 168.88.77.140 //Configure the DNS server address for terminals.
[S12700-Vlanif30] quit

# Add uplink and downlink interfaces to the corresponding VLANs.


[S12700] interface eth-trunk 1 //The interface is connected to the core switch.
[S12700-Eth-Trunk1] port link-type trunk
[S12700-Eth-Trunk1] port trunk allow-pass vlan 11
[S12700-Eth-Trunk1] quit
[S12700] interface xgigabitethernet 2/1/0
[S12700-XGigabitEthernet2/1/0] eth-trunk 1
[S12700-XGigabitEthernet2/1/0] quit
[S12700] interface xgigabitethernet 2/1/1
[S12700-XGigabitEthernet2/1/1] eth-trunk 1
[S12700-XGigabitEthernet2/1/1] quit
[S12700] interface gigabitethernet 1/1/0 //The interface is connected to S5700-A.
[S12700-XGigabitEthernet1/1/0] port link-type trunk
[S12700-XGigabitEthernet1/1/0] port trunk allow-pass vlan 20
[S12700-XGigabitEthernet1/1/0] quit

Step 2 Configure routes.


# Configure a routing protocol based on site requirements. Static routes are used in this
example.
[S12700] ip route-static 0.0.0.0 0.0.0.0 192.168.11.2

Step 3 Configure authentication parameters.


# Set the NAC mode to unified.
[S12700] authentication unified-mode

# Configure a RADIUS server template.


[S12700] radius-server template test01
[S12700-radius-test01] radius-server authentication 168.88.77.10 1812 source ip-address 1.1.1.1 //Configure the IP address of the primary RADIUS authentication server, and set the authentication port number to 1812.
[S12700-radius-test01] radius-server accounting 168.88.77.10 1813 source ip-address 1.1.1.1 //Configure the IP address of the primary accounting server, and set the accounting port number to 1813.
[S12700-radius-test01] radius-server shared-key cipher Admin@123 //The shared key must be the same as that configured on the Agile Controller.
[S12700-radius-test01] quit

# Configure the RADIUS authorization server.


[S12700] radius-server authorization 168.88.77.10 shared-key cipher Admin@123

# Configure an authentication scheme test01 and set the authentication mode to RADIUS.
[S12700] aaa
[S12700-aaa] authentication-scheme test01
[S12700-aaa-authen-test01] authentication-mode radius
[S12700-aaa-authen-test01] quit

# Configure an accounting scheme named test01 and set the accounting mode to RADIUS.
[S12700-aaa] accounting-scheme test01
[S12700-aaa-accounting-test01] accounting-mode radius
[S12700-aaa-accounting-test01] accounting realtime 15 //Set the accounting interval to 15 minutes.
[S12700-aaa-accounting-test01] quit

# Create an authentication domain named huawei and bind the authentication scheme,
accounting scheme, and RADIUS server template to the domain.
[S12700-aaa] domain huawei
[S12700-aaa-domain-huawei] authentication-scheme test01
[S12700-aaa-domain-huawei] accounting-scheme test01
[S12700-aaa-domain-huawei] radius-server test01
[S12700-aaa-domain-huawei] quit

# Configure the Portal authentication server and create a Portal access profile named portal1.


[S12700] web-auth-server test01
[S12700-web-auth-server-test01] server-ip 168.88.77.10 //Configure the IP address of the Portal authentication server.
[S12700-web-auth-server-test01] source-ip 1.1.1.1
[S12700-web-auth-server-test01] port 50100 //Configure the port number of the Portal authentication server.
[S12700-web-auth-server-test01] shared-key cipher Admin@123 //Configure the shared key for communication between the Portal authentication server and switch. The shared key must be the same as that of the Agile Controller.
[S12700-web-auth-server-test01] url http://168.88.77.10:8080/portal //Configure the URL of the web page.
[S12700-web-auth-server-test01] quit
[S12700] portal-access-profile name portal1
[S12700-portal-acces-profile-portal1] web-auth-server test01 direct
[S12700-portal-acces-profile-portal1] quit

# Configure an authentication-free rule to permit packets from the DNS server so that the
Portal authentication page can be redirected.
[S12700] free-rule-template name default_free_rule
[S12700-free-rule-default_free_rule] free-rule 1 destination ip 168.88.77.140 mask 32 source any
[S12700-free-rule-default_free_rule] quit

# Configure an authentication profile named p1.


[S12700] authentication-profile name p1
[S12700-authen-profile-p1] portal-access-profile portal1
[S12700-authen-profile-p1] free-rule-template default_free_rule
[S12700-authen-profile-p1] access-domain huawei portal force
[S12700-authen-profile-p1] quit

Step 4 Configure XMPP parameters for interworking with the Agile Controller, and enable free
mobility.
[S12700] group-policy controller 168.88.77.10 password Admin@123 src-ip 1.1.1.1

Step 5 Configure WLAN services.


# Create an AP group and add APs with the same configuration to the AP group.
[S12700] wlan
[S12700-wlan-view] ap-group name ap-group1
[S12700-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC's country code in the profile, and
apply the profile to the AP group.
[S12700-wlan-view] regulatory-domain-profile name domain1
[S12700-wlan-regulate-domain-domain1] country-code CN
[S12700-wlan-regulate-domain-domain1] quit
[S12700-wlan-view] ap-group name ap-group1
[S12700-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[S12700-wlan-ap-group-ap-group1] quit
[S12700-wlan-view] quit

# Configure the source interface of the AC.


[S12700] capwap source interface vlanif 20

# Import the AP offline on the AC and add the AP to the AP group ap-group1. Assume that
the MAC address of the AP is ac85-3d95-d800.
[S12700] wlan
[S12700-wlan-view] ap auth-mode mac-auth
[S12700-wlan-view] ap-id 0 ap-mac ac85-3d95-d800
[S12700-wlan-ap-0] ap-group ap-group1


Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, whether to
continue? [Y/N]:y
[S12700-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP status. If the
State field displays nor, the AP has gone online.
[S12700-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------------------------
ID   MAC            Name           Group     IP             Type         State STA Uptime
-------------------------------------------------------------------------------------------------------
0    ac85-3d95-d800 ac85-3d95-d800 ap-group1 192.168.20.250 AP6010DN-AGN nor   0   2M:16S
-------------------------------------------------------------------------------------------------------
Total: 1

# Configure WLAN service parameters.


[S12700-wlan-view] ssid-profile name portal
[S12700-wlan-ssid-prof-portal] ssid portal_test
Warning: This action may cause service interruption. Continue?[Y/N]y
[S12700-wlan-ssid-prof-portal] quit
[S12700-wlan-view] vap-profile name wlan-vap
[S12700-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[S12700-wlan-vap-prof-wlan-vap] service-vlan vlan-id 30
[S12700-wlan-vap-prof-wlan-vap] ssid-profile portal
[S12700-wlan-vap-prof-wlan-vap] authentication-profile p1
Warning: This action may cause service interruption. Continue?[Y/N]y
[S12700-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile to the AP group.


[S12700-wlan-view] ap-group name ap-group1
[S12700-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[S12700-wlan-ap-group-ap-group1] quit

# Commit the configuration.


[S12700-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
[S12700-wlan-view] quit

# After the configuration, run the display vap ssid portal_test command. If the Status field
displays ON, the VAP has been successfully created on the AP radio.
[S12700] display vap ssid portal_test
WID : WLAN ID
------------------------------------------------------------------------------------
AP ID AP name        RfID WID BSSID          Status Auth type STA SSID
------------------------------------------------------------------------------------
0     ac85-3d95-d800 0    1   AC85-3D95-D800 ON     Open      0   portal_test
0     ac85-3d95-d800 1    1   AC85-3D95-D810 ON     Open      0   portal_test
------------------------------------------------------------------------------------
Total: 2

----End


4.20.3.5.4 Configuring the Firewalls


The configuration of FW2 is similar to that of FW1, and is not mentioned here. In addition,
after configuring HRP, some configurations will be automatically synchronized to FW2.

Step 1 Configure interfaces.


# Configure interfaces on FW1.
[USG6600] sysname FW1
[FW1] interface gigabitethernet 1/0/1
[FW1-GigabitEthernet1/0/1] ip address 201.0.0.1 24 //Configure an IP address for the interface connected to ISP1.
[FW1-GigabitEthernet1/0/1] gateway 201.0.0.254
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface gigabitethernet 1/0/2
[FW1-GigabitEthernet1/0/2] ip address 202.0.0.2 24 //Configure an IP address for the interface connected to ISP2.
[FW1-GigabitEthernet1/0/2] gateway 202.0.0.254
[FW1-GigabitEthernet1/0/2] quit
[FW1] interface gigabitethernet 1/0/5
[FW1-GigabitEthernet1/0/5] ip address 10.10.0.1 24 //Configure an IP address for the heartbeat line where HRP is used.
[FW1-GigabitEthernet1/0/5] quit
[FW1] interface eth-trunk 1
[FW1-Eth-Trunk1] ip address 192.168.10.1 24 //Configure an IP address for the Eth-Trunk connected to the CSS.
[FW1-Eth-Trunk1] quit
[FW1] interface loopback 0
[FW1-LoopBack0] ip address 5.5.5.5 32 //The IP address is used as the router ID.
[FW1-LoopBack0] quit

Step 2 Add interfaces through which the firewall connects to the core switch S12700 to the
Eth-Trunk.
# Add interconnected interfaces to the Eth-Trunk on FW1.
[FW1] interface gigabitethernet 1/0/3
[FW1-GigabitEthernet1/0/3] eth-trunk 1
[FW1-GigabitEthernet1/0/3] quit
[FW1] interface gigabitethernet 1/0/4
[FW1-GigabitEthernet1/0/4] eth-trunk 1
[FW1-GigabitEthernet1/0/4] quit

Step 3 Configure security zones where interfaces belong.


# Add interfaces to security zones.
[FW1] firewall zone trust //Add the interface connected to the intranet to the trust zone.
[FW1-zone-trust] add interface eth-trunk 1
[FW1-zone-trust] quit
[FW1] firewall zone dmz //Add the interface connected to the heartbeat line of two network devices to the DMZ.
[FW1-zone-dmz] add interface gigabitethernet 1/0/5
[FW1-zone-dmz] quit
[FW1] firewall zone name isp1 //Add the interface connected to ISP1 to the ISP1 zone.
[FW1-zone-isp1] set priority 10
[FW1-zone-isp1] add interface gigabitethernet 1/0/1
[FW1-zone-isp1] quit
[FW1] firewall zone name isp2 //Add the interface connected to ISP2 to the ISP2 zone.
[FW1-zone-isp2] set priority 20
[FW1-zone-isp2] add interface gigabitethernet 1/0/2
[FW1-zone-isp2] quit

Step 4 Configure intelligent route selection.


# Enable the health check function, and configure health check for links of ISP1 and ISP2.
Assume that the destination server's IP address of ISP1 is 21.0.0.100 and the destination
server's IP address of ISP2 is 22.0.0.100.
[FW1] healthcheck enable
[FW1] healthcheck name isp1_health
[FW1-healthcheck-isp1_health] destination 21.0.0.100 interface gigabitethernet 1/0/1 protocol tcp-simple destination-port 1001
[FW1-healthcheck-isp1_health] quit
[FW1] healthcheck name isp2_health
[FW1-healthcheck-isp2_health] destination 22.0.0.100 interface gigabitethernet 1/0/2 protocol tcp-simple destination-port 1002
[FW1-healthcheck-isp2_health] quit

# Set the link bandwidth and overload protection threshold for interfaces. (Assume that the
bandwidth and the overload protection threshold of ISP1 are 100 Mbit/s and 95%
respectively, and those of ISP2 are 50 Mbit/s and 90% respectively). Configure health check
for links of ISP1 and ISP2 respectively.
[FW1] interface gigabitethernet 1/0/1
[FW1-GigabitEthernet1/0/1] bandwidth ingress 100000 threshold 95
[FW1-GigabitEthernet1/0/1] bandwidth egress 100000 threshold 95
[FW1-GigabitEthernet1/0/1] healthcheck isp1_health
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface gigabitethernet 1/0/2
[FW1-GigabitEthernet1/0/2] bandwidth ingress 50000 threshold 90
[FW1-GigabitEthernet1/0/2] bandwidth egress 50000 threshold 90
[FW1-GigabitEthernet1/0/2] healthcheck isp2_health
[FW1-GigabitEthernet1/0/2] quit

# Configure a global route selection policy, and set the working mode of intelligent route
selection to link bandwidth-based load balancing.
[FW1] multi-interface
[FW1-multi-inter] mode proportion-of-bandwidth
[FW1-multi-inter] add interface gigabitethernet1/0/1
[FW1-multi-inter] add interface gigabitethernet1/0/2
[FW1-multi-inter] quit

Step 5 Configure a security policy.

# Set the action of the default security policy to permit.


[FW1] security-policy
[FW1-policy-security] default action permit
[FW1-policy-security] quit

Step 6 Configure HRP and load balancing.

# Configure quick session backup, specify the heartbeat interface, and enable HRP.
[FW1] hrp track interface eth-trunk 1
[FW1] hrp interface gigabitethernet1/0/5 remote 10.10.0.2
[FW1] hrp mirror session enable
[FW1] hrp enable

Step 7 Connect the USG6600 to the Agile Controller.

# Configure a RADIUS server template.


HRP_M[FW1] radius-server template test01
HRP_M[FW1-radius-test01] radius-server shared-key cipher Admin@123
HRP_M[FW1-radius-test01] radius-server authentication 168.88.77.10 1812 source loopback 0
HRP_M[FW1-radius-test01] radius-server accounting 168.88.77.10 1813 source loopback 0
HRP_M[FW1-radius-test01] quit


# Perform agile network configurations.


HRP_M[FW1] agile-network
HRP_M[FW1-agile-network] radius-server test01
HRP_M[FW1-agile-network] server ip 168.88.77.10
HRP_M[FW1-agile-network] local ip 5.5.5.5
HRP_M[FW1-agile-network] password Admin@123
HRP_M[FW1-agile-network] agile-network enable
HRP_M[FW1-agile-network] xmpp connect
HRP_M[FW1-agile-network] quit

Step 8 Configure a NAT policy.


# Create address pools named addressgroup1 (201.0.0.10 to 201.0.0.12) and addressgroup2
(202.0.0.10 to 202.0.0.12).
HRP_M[FW1] nat address-group addressgroup1
HRP_M[FW1-address-group-addressgroup1] section 0 201.0.0.10 201.0.0.12
HRP_M[FW1-address-group-addressgroup1] mode pat
HRP_M[FW1-address-group-addressgroup1] route enable
HRP_M[FW1-address-group-addressgroup1] quit
HRP_M[FW1] nat address-group addressgroup2
HRP_M[FW1-address-group-addressgroup2] section 1 202.0.0.10 202.0.0.12
HRP_M[FW1-address-group-addressgroup2] mode pat
HRP_M[FW1-address-group-addressgroup2] route enable
HRP_M[FW1-address-group-addressgroup2] quit

# Configure source NAT policies to allow intranet users to access the Internet by using public
IP addresses translated using NAT.
HRP_M[FW1] nat-policy
HRP_M[FW1-policy-nat] rule name policy_nat1
HRP_M[FW1-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[FW1-policy-nat-rule-policy_nat1] source-address range 172.16.30.1 172.16.30.254
HRP_M[FW1-policy-nat-rule-policy_nat1] source-address range 172.16.40.1 172.16.40.254
HRP_M[FW1-policy-nat-rule-policy_nat1] destination-zone isp1
HRP_M[FW1-policy-nat-rule-policy_nat1] action nat address-group addressgroup1
HRP_M[FW1-policy-nat-rule-policy_nat1] quit
HRP_M[FW1-policy-nat] rule name policy_nat2
HRP_M[FW1-policy-nat-rule-policy_nat2] source-address range 172.16.30.1 172.16.30.254
HRP_M[FW1-policy-nat-rule-policy_nat2] source-address range 172.16.40.1 172.16.40.254
HRP_M[FW1-policy-nat-rule-policy_nat2] source-zone trust
HRP_M[FW1-policy-nat-rule-policy_nat2] destination-zone isp2
HRP_M[FW1-policy-nat-rule-policy_nat2] action nat address-group addressgroup2
HRP_M[FW1-policy-nat-rule-policy_nat2] quit
HRP_M[FW1-policy-nat] quit

# Contact the ISP administrator to configure routes whose destination addresses are the
addresses in addressgroup1 and addressgroup2 and whose next hop is the corresponding
interface address of the USG6600.

Step 9 Configure routes based on site requirements.
# Advertise OSPF routes.
HRP_M[FW1] ospf 1 router-id 5.5.5.5
HRP_M[FW1-ospf-1] import-route static
HRP_M[FW1-ospf-1] area 0.0.0.0
HRP_M[FW1-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
HRP_M[FW1-ospf-1-area-0.0.0.0] network 192.168.10.0 0.0.0.255
HRP_M[FW1-ospf-1-area-0.0.0.0] quit
HRP_M[FW1-ospf-1] quit

# Configure default routes to the ISP server. In this example, static routes are used.

HRP_M[FW1] ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
HRP_M[FW1] ip route-static 22.0.0.0 255.255.255.0 202.0.0.254

----End
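
An added example (not part of the Huawei document): a small audit of the S12700 and FW1 commands configured in the two procedures above. It reports the settings a reviewer would check before reusing this example in production: one secret shared by RADIUS, Portal and XMPP, the Portal URL served over HTTP, and the firewall default security policy set to permit. The function names, finding labels and the embedded transcript are constructed for illustration.

```python
import re

# Constructed sample: command lines copied from the S12700 and FW1 steps of
# this example, prompts included so the device and view can be recovered.
SAMPLE = """\
[S12700-radius-test01] radius-server shared-key cipher Admin@123
[S12700] radius-server authorization 168.88.77.10 shared-key cipher Admin@123
[S12700-web-auth-server-test01] shared-key cipher Admin@123
[S12700-web-auth-server-test01] url http://168.88.77.10:8080/portal
[S12700] group-policy controller 168.88.77.10 password Admin@123 src-ip 1.1.1.1
[FW1-policy-security] default action permit
HRP_M[FW1-radius-test01] radius-server shared-key cipher Admin@123
HRP_M[FW1-agile-network] password Admin@123
"""

# "[S12700-radius-test01] cmd", "<HUAWEI> cmd" or "HRP_M[FW1-agile-network] cmd"
PROMPT = re.compile(r"^(?:HRP_[MS])?[\[<]([^\]>]+)[\]>]\s*(.*)$")
SECRET = re.compile(r"\b(?:shared-key\s+cipher|password)\s+(\S+)")


def parse(transcript):
    """Yield (device, view, command) per prompt line, without // comments.

    Assumption: the sysname contains no hyphen (true for S12700 and FW1), so
    the text after the first hyphen in the prompt is the current view.
    """
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        device, _, view = m.group(1).partition("-")
        # Comments start with whitespace + "//"; "http://" has no space before it.
        command = re.split(r"\s+//", m.group(2), maxsplit=1)[0].strip()
        if command:
            yield device, view or "system", command


def purpose(view, command):
    """Map a secret-bearing command to the protocol it protects."""
    if view.startswith("radius-") or command.startswith("radius-server "):
        return "radius"
    if view.startswith("web-auth-server-"):
        return "portal"
    if view == "agile-network" or command.startswith("group-policy controller"):
        return "xmpp"
    return "other"


def audit(transcript):
    """Return sorted (finding, device, detail) tuples; secrets are never echoed."""
    findings = []
    uses = {}  # secret -> set of (device, purpose)
    for device, view, command in parse(transcript):
        m = SECRET.search(command)
        if m:
            uses.setdefault(m.group(1), set()).add((device, purpose(view, command)))
        if view == "policy-security" and command == "default action permit":
            findings.append(("default-permit", device, command))
        if view.startswith("web-auth-server-") and command.startswith("url http://"):
            findings.append(("portal-http", device, command))
    for where in uses.values():
        purposes = sorted({p for _, p in where})
        if len(purposes) > 1:  # one secret protecting several protocols
            devices = sorted({d for d, _ in where})
            findings.append(("secret-reuse", ",".join(devices), "/".join(purposes)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```
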

4.20.3.5.5 Configuring the Agile Controller


Step 1 Log in to the Agile Controller.
1. Open Internet Explorer, enter the Agile Controller access address in the address bar,
and press Enter. The following table describes addresses for accessing the Agile
Controller.

Access Format                        Description
https://AgileController-IP:8443      AgileController-IP specifies the IP address of the Agile
                                     Controller.
IP address of the Agile Controller   If port 80 is enabled during installation, you can access the
                                     Agile Controller by simply entering its IP address without
                                     the port number. The Agile Controller address will
                                     automatically change to https://AgileController-IP:8443.

2. Enter the administrator user name and password. If you log in to the Agile Controller for
the first time, use the super administrator user name and password. Change the password
immediately after logging in; otherwise, the Agile Controller cannot be used.
Step 2 Add the aggregation switch S12700.
1. Choose Resource > Device > Device Management and add the aggregation switch
S12700 to the authentication point device. Configure the IP address for the S12700 that
communicates with the Agile Controller. Enable RADIUS and Portal authentication, set
the RADIUS authentication and accounting keys to Admin@123, and set the real-time
accounting interval to 15 minutes. Set the Portal port to 2000, Portal key to Admin@123,
and access terminal IP address list to be within the allocation scope of terminal IP
addresses (a route for packets to be returned to the terminal IP address should be added
to the Agile Controller server, and its configuration is not mentioned here).


2. Click the XMPP tab and set XMPP interconnection parameters.

3. Click OK.
4. Click Synchronize to synchronize device data. After data synchronization, the indicator
of the communication status turns green.

Step 3 Add the firewall USG6600 and the NGFW module.


1. Choose Resource > Device > Device Management and add the USG6600 and the
NGFW module. Configure the IP address of the USG6600 that communicates with the
Agile Controller. Enable RADIUS authentication, set the RADIUS authentication and
accounting keys to Admin@123, and set the real-time accounting interval to 15 minutes.
The configurations of FW2 and the NGFW module are similar to that of FW1, and are
not mentioned here.


2. Click the XMPP tab and set XMPP interconnection parameters.


3. Click OK.
4. Click Synchronize to synchronize device data. After data synchronization, the indicator
of the communication status turns green.

Step 4 Configure two dynamic security groups named group1 and group2, and two resource groups
named server1 and server2.
1. Choose Policy > Permission Control > Security Group > Dynamic Security Group
Management. Click Add and create group1 and group2.

2. Choose Policy > Permission Control > Security Group > Static Security Group
Management. Click Add and create server1 and server2.

Step 5 Configure access control policies.


1. Choose Policy > Free Mobility > Policy Configuration > Permission Control, and
click Add to add access rights.


2. The policy matrix is as follows.


After the configuration is complete, group1 can access server1 and server2, and group2 can
access only server1. group1 and group2 cannot access each other.

3. Select the new policy and click Global Deployment to deploy the network policy on the
agile device.

Step 6 Deploy security groups.


Choose Policy > Permission Control > Security Group > Dynamic Security Group
Management. Click Global Deployment to deploy security groups on the entire network.

Step 7 Configure a network segment of the internal network.


1. Choose Policy > Permission Control > Security Group > Intranet Configuration to
add a network segment of the internal network, and click Save. When the system asks you
whether to deploy it immediately, select Yes. The internal network segment is delivered
to the firewall.
NOTE

The firewall uses the network segment of the internal network to query the security group based
on users' IP addresses. When user access traffic reaches the firewall, the firewall queries the
Agile Controller-Campus for the security group to which the users belong. Only IP addresses in
the network segment of the internal network can trigger such a query.

2. After the network segment of the internal network is deployed successfully, run the
display agile-network intranet-address command to check the internal network
segment that is delivered by the NGFW module.
[NGFW] display agile-network intranet-address
Intranet Address 172.16.30.0-172.16.30.255
172.16.40.0-172.16.40.255

Step 8 Deploy a QoS policy.

1. Choose Policy > Free Mobility > Policy Configuration > QoS Policy. Click
next to the VIP security group configuration and select group1.


2. Click Add in Device List, select FW1 and FW2, and click OK.

3. Click Deploy to deploy the QoS policy. After the QoS policy is deployed successfully,
you can view the deployment result on the USG6600. group1 is deployed as the VIP
security group.
HRP_M[FW1] display agile-network security-group all
Total Security Group: 3.
-------------------------------------------------------------------------------
GroupID   GroupName   VIP   priority
-------------------------------------------------------------------------------
0         unknown     no    0
1         group1      yes   5
2         group2      no    0

Step 9 Configure a service chain.


1. You can direct the traffic of cross-branch communication between users from the core
switch to the NGFW module by configuring a service chain. Free mobility is enabled on
the NGFW module to control the traffic of cross-branch communication and to unify
access policies on the entire school campus network.
2. Choose Policy > Service Chain > IP Address Pool, and click Add to add an IP address
pool (IP address of the GRE tunnel interface).

3. Choose Policy > Service Chain > Service Chain Resources.


Drag AggregationS127 and NGFW next to Orchestration Device to the orchestration
device and firewall nodes on the right, and select the IP address pool that is added in the
previous step from IP Pool on the left. Click Save and select Deploy.


4. After the service chain is successfully deployed, run the display interface tunnel
command on the aggregation switch or on the NGFW module to check the GRE tunnel
status.
[S12700] display interface Tunnel
Tunnel16382 current state : UP
Description:Controller_MSV_from_172.30.100.1
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 172.30.10.5/30
Encapsulation is TUNNEL, loopback not set
Tunnel source 172.30.100.2 (LoopBack100), destination 172.30.100.1
Tunnel protocol/transport GRE/IP, key disabled
keepalive enable period 1 retry-times 3
Checksumming of packets disabled
Current system time: 2016-07-30 15:58:22+08:00
Input bandwidth utilization : --
Output bandwidth utilization : --
Tunnel16383 current state : UP
Description:Controller_MSV_to_172.30.101.1
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 172.30.10.1/30
Encapsulation is TUNNEL, loopback not set
Tunnel source 172.30.101.2 (LoopBack101), destination 172.30.101.1
Tunnel protocol/transport GRE/IP, key disabled
keepalive enable period 1 retry-times 3
Checksumming of packets disabled
Current system time: 2016-07-30 15:58:22+08:00
Input bandwidth utilization : --
Output bandwidth utilization : --

5. Choose Policy > Service Chain > Service Flow Definition. Click Add to add a service
flow, and set the definition mode to ACL to add intercommunication traffic between
office building A and office building B.


6. Choose Policy > Service Chain > Service Chain Orchestration.


Drag AggregationS127 and OfficeBulidingA2B on the left to the orchestration device
and the service flow on the right respectively. Drag the bottom NGFW module to the
firewall above the orchestration device, set Chain Exception Handling
Mode to Forward, and click Save. The procedure for adding AggregationS77 is similar
to that for adding AggregationS127 (set the S7700 service to OfficeBulidingB2A), and
is not mentioned here.


7. After deployment, run the display current-configuration | include traffic-redirect
command on AggregationS127 and AggregationS77 to view the redirection policy
delivered by the service chain, and run the display acl name command to view the ACL
rule delivered by the service chain.
[S12700] display current-configuration | include traffic-redirect
traffic-redirect inbound acl name MSV_ACL_20160730144446_D8F7 interface Tunnel16383
[S12700] display acl name MSV_ACL_20160730144446_D8F7
Advanced ACL MSV_ACL_20160730144446_D8F7 3998, 1 rule
Acl's step is 5
rule 5 permit ip source 172.16.30.0 0.0.0.255 destination 172.16.40.0 0.0.0.255
[S7700] display current-configuration | include traffic-redirect
traffic-redirect inbound acl name MSV_ACL_20160730144519_5F0E interface Tunnel16383
[S7700] display acl name MSV_ACL_20160730144519_5F0E
Advanced ACL MSV_ACL_20160730144519_5F0E 3999, 1 rule
Acl's step is 5
rule 5 permit ip source 172.16.40.0 0.0.0.255 destination 172.16.30.0 0.0.0.255

Step 10 Add authorization results.


1. Choose Policy > Permission Control > Authentication & Authorization >
Authorization Result, and click Add to create an authorization result.


2. Configure basic information about the authorization result and click OK.
Authorization Result   Parameter        Value
group1                 Name             group1
                       Service type     Access service
                       Security group   group1
group2                 Name             group2
                       Service type     Access service
                       Security group   group2

----End

4.20.3.6 Verification
Step 1 After configuring HRP, you can run the display hrp state command to check the HRP status.


HRP_M[FW1] display hrp state


Role: active, peer: active
Running priority: 44998, peer: 44998
Core state: normal, peer: normal
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 0 minutes
Last state change information: 2016-07-30 15:04:36 HRP core state changed, old_state = abnormal(active), new_state = normal, local_priority = 44998, peer_priority = 44998.
HRP_S[FW2] display hrp state
Role: active, peer: active
Running priority: 44998, peer: 44998
Core state: normal, peer: normal
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 0 minutes
Last state change information: 2016-07-30 15:04:37 HRP core state changed, old_state = abnormal(standby), new_state = normal, local_priority = 44998, peer_priority = 44998.

Step 2 When FW1 fails, for example, a tracked interface goes Down, the role of FW2 becomes
active.
HRP_M[FW2] display hrp state
Role: active, peer: standby (should be "active-active")
Running priority: 44998, peer: 44994
Core state: abnormal(active), peer: abnormal(standby)
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 0 minutes
Last state change information: 2016-07-30 15:05:17 HRP core state changed, old_state = normal, new_state = abnormal(active), local_priority = 44998, peer_priority = 44996.

Step 3 After the security group and the inter-group policy are successfully deployed, you can run the
following commands on the aggregation switch to check deployment information.
# Run the display ucl-group all command to check the security group configuration.
[S12700] display ucl-group all
ID UCL group name

--------------------------------------------------------------------------------

1 group1
2 group2

--------------------------------------------------------------------------------

Total : 2

# Run the display acl all command to check the access control policy configuration.
[S12700] display acl all
Total nonempty ACL number is 3
Advanced ACL MSV_ACL_20160730144446_D8F7 3998, 1 rule
Acl's step is 5
rule 5 permit ip source 172.16.30.0 0.0.0.255 destination 172.16.40.0 0.0.0.255
Advanced ACL Auto_PGM_OPEN_POLICY 3999, 0 rule
Acl's step is 5
Ucl-group ACL Auto_PGM_U2 9997, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group2 destination 21.0.0.100 0
rule 2 deny ip source ucl-group name group2 destination 22.0.0.100 0
rule 3 deny ip source ucl-group name group2 destination ucl-group name group1
Ucl-group ACL Auto_PGM_U1 9998, 3 rules
Acl's step is 5
rule 1 permit ip source ucl-group name group1 destination 21.0.0.100 0
rule 2 deny ip source ucl-group name group1 destination 22.0.0.100 0
rule 3 deny ip source ucl-group name group1 destination ucl-group name group2
Ucl-group ACL Auto_PGM_PREFER_POLICY 9999, 0 rule
Acl's step is 5

Step 4 After the security group and the security policy are successfully deployed, you can run the
following commands on the USG6600 and the NGFW module to check deployment
information.

# Run the display security-policy all command to check the security policy configuration.
HRP_M[FW1] display security-policy all
Total:9
RULE ID  RULE NAME        STATE   ACTION  HITTED
-------------------------------------------------------------------------------
0        default          enable  permit  88
1        Auto_PGM_U1_1    enable  permit  0
2        Auto_PGM_U1_2    enable  deny    0
3        Auto_PGM_U1_3    enable  permit  0
4        Auto_PGM_U1_4    enable  permit  13
5        Auto_PGM_U2_1    enable  permit  0
6        Auto_PGM_U2_2    enable  deny    5
7        Auto_PGM_U2_3    enable  deny    0
8        Auto_PGM_U2_4    enable  permit  0
-------------------------------------------------------------------------------

Step 5 A wireless user is authenticated on a terminal using the user name and password that are
defined on the Srun. After the user is successfully authenticated, check the user table on the
switch. The wireless user successfully matches a security group.

# Check online information of the wireless user named user1.


[S12700] display access-user user-id 16016
Basic:
User ID : 16016
User name : user1
Domain-name : huawei
User MAC : 0c96-bfe1-a39d
User IP address : 172.16.30.254
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss0
User vlan event : Success
QinQVlan/UserVlan : 0/30
User access time : 2016/07/30 16:05:34
User accounting session ID : S1270000000000000030acfc860003e90
Option82 information : -
User access type : WEB
AP name : ac85-3d95-d800
Radio ID : 0
AP MAC : ac85-3d95-d800
SSID : portal_test
Online time : 22(s)
Work group ID : default
User forward slot : 3
Web-server IP address : 192.168.254.254
Dynamic group index(Effective) : 1
Dynamic group name(Effective) : group1

AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

# Check online information of the wireless user named user2.


[S12700] display access-user user-id 16017
Basic:
User ID : 16017
User name : user2
Domain-name : huawei
User MAC : 0c96-bfe1-a2c2
User IP address : 172.16.30.253
User vpn-instance : -
User IPv6 address : -
User access Interface : Wlan-Dbss0
User vlan event : Success
QinQVlan/UserVlan : 0/30
User access time : 2016/07/30 16:07:36
User accounting session ID : S1270000000000000030d57a870003e91
Option82 information : -
User access type : WEB
AP name : ac85-3d95-d800
Radio ID : 0
AP MAC : ac85-3d95-d800
SSID : portal_test
Online time : 10(s)
Work group ID : default
User forward slot : 3
Web-server IP address : 192.168.254.254
Dynamic group index(Effective) : 2
Dynamic group name(Effective) : group2
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

Step 6 A wired user is authenticated on a terminal using the user name and password that are defined
on the Srun. After the user is successfully authenticated, check the user table on the switch.
The wired user successfully matches a security group.

# Check online information of the wired user named user1.


[S7700] display access-user user-id 16016
Basic:
User ID : 16016
User name : user1
Domain-name : huawei
User MAC : 3cd9-2b5d-d9dc
User IP address : 172.16.40.253
User vpn-instance : -
User IPv6 address : -
User access Interface : GigabitEthernet2/0/0
User vlan event : Success
QinQVlan/UserVlan : 0/40
User access time : 2016/07/30 18:25:10 DST
User accounting session ID : S770002000000000040009d610003e90
Option82 information : -
User access type : WEB
Terminal Device Type : Data Terminal
Web-server IP address : 192.168.254.254
Dynamic group index(Effective) : 1
Dynamic group name(Effective) : group1
AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

# Check online information of the wired user named user2.


[S7700] display access-user user-id 16021
Basic:
User ID : 16021
User name : user2
Domain-name : huawei
User MAC : 28f1-0e02-8647
User IP address : 172.16.40.254
User vpn-instance : -
User IPv6 address : -
User access Interface : GigabitEthernet2/0/0
User vlan event : Success
QinQVlan/UserVlan : 0/40
User access time : 2016/07/30 18:28:41 DST
User accounting session ID : S7700020000000000402f119b0003e95
Option82 information : -
User access type : WEB
Terminal Device Type : Data Terminal
Web-server IP address : 192.168.254.254
Dynamic group index(Effective) : 2
Dynamic group name(Effective) : group2

AAA:
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS

Step 7 After the user goes online, the user packet can trigger the NGFW module to obtain a correct
security group from the Agile Controller.
[NGFW Module] display agile-network user
Total user: 4, show user: 4.

-------------------------------------------------------------------------------

IP-address Create-time Rate(input,output) Security-group

-------------------------------------------------------------------------------
172.16.30.253 2016/07/30 16:36:17 0 0 2-group2
172.16.40.254 2016/07/30 16:36:17 0 0 2-group2
172.16.30.254 2016/07/30 16:37:27 0 0 1-group1
172.16.40.253 2016/07/30 16:37:27 0 0 1-group1

Step 8 Verify traffic for cross-branch communication.


# The user user1 of office building A can communicate with the user user1 of office building
B.
C:\Users\Administrator>ping 172.16.40.253

Pinging 172.16.40.253 with 32 bytes of data:


Replay from 172.16.40.253: bytes=32 time=108ms TTL=254
Replay from 172.16.40.253: bytes=32 time=5ms TTL=254
Replay from 172.16.40.253: bytes=32 time=54ms TTL=254
Replay from 172.16.40.253: bytes=32 time=4ms TTL=254

Ping statistics for 172.16.40.253:


Packets: Sent = 4, Received = 4, Lost = 0 (0% Loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 108ms, Average = 42ms

# The user user1 of office building A cannot communicate with the user user2 of office
building B.
C:\Users\Administrator>ping 172.16.40.254

Pinging 172.16.40.254 with 32 bytes of data:


Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.40.254:


Packets: Sent = 4, Received = 0, Lost = 4 (100% Loss),

----End
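The following added example (not part of the Huawei document) replays the UCL-group ACL rules from Step 3 against the IP-to-group bindings from Step 7 to predict the Step 8 ping results. It assumes first-match evaluation and that traffic matching no rule is permitted, which is consistent with the user1-to-user1 result above; the function names are hypothetical.

```python
import ipaddress
import re

# UCL-group ACL rules copied from the "display acl all" output in Step 3
# (lines that wrapped in the original are joined).
ACL_OUTPUT = """\
Ucl-group ACL Auto_PGM_U2 9997, 3 rules
rule 1 permit ip source ucl-group name group2 destination 21.0.0.100 0
rule 2 deny ip source ucl-group name group2 destination 22.0.0.100 0
rule 3 deny ip source ucl-group name group2 destination ucl-group name group1
Ucl-group ACL Auto_PGM_U1 9998, 3 rules
rule 1 permit ip source ucl-group name group1 destination 21.0.0.100 0
rule 2 deny ip source ucl-group name group1 destination 22.0.0.100 0
rule 3 deny ip source ucl-group name group1 destination ucl-group name group2
"""

# IP-to-group bindings copied from "display agile-network user" in Step 7.
USER_TABLE = """\
172.16.30.253 2016/07/30 16:36:17 0 0 2-group2
172.16.40.254 2016/07/30 16:36:17 0 0 2-group2
172.16.30.254 2016/07/30 16:37:27 0 0 1-group1
172.16.40.253 2016/07/30 16:37:27 0 0 1-group1
"""

RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) ip source ucl-group name (\S+) destination "
    r"(?:ucl-group name (\S+)|(\S+) (\S+))$"
)


def parse_users(text):
    """Return {ip: group_name} from the agile-network user table."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 6 and "-" in fields[5]:
            users[fields[0]] = fields[5].split("-", 1)[1]
    return users


def parse_rules(text):
    """Return the rules in display order, each tagged with its ACL name."""
    rules, acl = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Ucl-group ACL"):
            acl = line.split()[2]
            continue
        m = RULE_RE.match(line)
        if m and acl:
            rule_id, action, src, dst_group, dst_ip, wildcard = m.groups()
            rules.append({"acl": acl, "id": int(rule_id), "action": action,
                          "src": src, "dst_group": dst_group,
                          "dst_ip": dst_ip, "wildcard": wildcard})
    return rules


def wildcard_match(ip, base, wildcard):
    """Wildcard masks mark "don't care" bits with 1; a bare 0 means one host."""
    mask = int(ipaddress.IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    diff = int(ipaddress.IPv4Address(ip)) ^ int(ipaddress.IPv4Address(base))
    return (diff & ~mask & 0xFFFFFFFF) == 0


def verdict(src_ip, dst_ip, users, rules, default="permit"):
    """First matching rule wins; unmatched traffic gets `default` (assumption)."""
    src_group, dst_group = users.get(src_ip), users.get(dst_ip)
    for r in rules:
        if r["src"] != src_group:
            continue
        if r["dst_group"] is not None:
            hit = r["dst_group"] == dst_group
        else:
            hit = wildcard_match(dst_ip, r["dst_ip"], r["wildcard"])
        if hit:
            return r["action"], f'{r["acl"]} rule {r["id"]}'
    return default, "no rule matched"


if __name__ == "__main__":
    users, rules = parse_users(USER_TABLE), parse_rules(ACL_OUTPUT)
    # The two pings from Step 8, both sent by user1 in office building A.
    for dst in ("172.16.40.253", "172.16.40.254"):
        print("172.16.30.254 ->", dst, verdict("172.16.30.254", dst, users, rules))
```

Comparing these predictions with the real ping results and with the HITTED counters from Step 4 is a quick way to spot a group binding or rule that was not deployed as intended.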

4.20.3.7 Configuration Script


S5700-A

#
sysname S5700-A
#
vlan batch 20
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 20
port trunk allow-pass vlan 20
port-isolate enable group 1
#
interface GigabitEthernet0/0/25
port link-type trunk
port trunk allow-pass vlan 20
#

S5700-B

#
sysname S5700-B
#
vlan batch 40
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 40
port-isolate enable group 1
#
interface GigabitEthernet0/0/25
port link-type trunk
port trunk allow-pass vlan 40
#

Aggregation Switch S12700


#
sysname S12700
#
vlan batch 11 20 30
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template default_free_rule
access-domain huawei portal force
#
group-policy controller 168.88.77.10 password %^%#duP\H"`mKM6&m`@&N4#82$i0+@:0^$4f6]PNy_BL%^%# src-ip 1.1.1.1
#
dhcp enable
#
radius-server template test01
radius-server shared-key cipher %^%#'r14>>_+3*MZfB=3VWbRp#\;3WF!x$6)cg.s!E#S%^%#
radius-server authentication 168.88.77.10 1812 source ip-address 1.1.1.1 weight 80
radius-server accounting 168.88.77.10 1813 source ip-address 1.1.1.1 weight 80
radius-server authorization 168.88.77.10 shared-key cipher %^%#0_E"8;nWP6N`*\/kIycN;[$'/
#
free-rule-template name default_free_rule
free-rule 1 destination ip 168.88.77.140 mask 255.255.255.255 source any
#
web-auth-server test01
server-ip 168.88.77.10
port 50100
shared-key cipher %^%#)$Q5/GX+[-D+Dz(s_;OLPRvd$J=xa3>(|d#8.y,L%^%#
url http://168.88.77.10:8080/portal
source-ip 1.1.1.1
#
portal-access-profile name portal1
web-auth-server test01 direct
#
aaa
authentication-scheme test01
authentication-mode radius
accounting-scheme test01
accounting-mode radius
accounting realtime 15
domain huawei
authentication-scheme test01
accounting-scheme test01
radius-server test01
#
interface Vlanif11
ip address 192.168.11.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 172.16.30.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
dhcp server dns-list 168.88.77.140
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 11
#
interface GigabitEthernet1/1/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface XGigabitEthernet2/1/0
eth-trunk 1
#
interface XGigabitEthernet2/1/1
eth-trunk 1
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
interface LoopBack100
ip address 172.30.100.2 255.255.255.255
#
interface LoopBack101
ip address 172.30.101.2 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 192.168.11.2
#
capwap source interface vlanif20
#
wlan
ssid-profile name portal
ssid portal_test
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 30
ssid-profile portal
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
radio 2
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac ac85-3d95-d800 ap-sn 2102354483W0DC000733
ap-group ap-group1
#
return

Aggregation Switch S7700


#
sysname S7700
#
vlan batch 12 40
#
authentication-profile name p1
portal-access-profile portal1
free-rule-template default_free_rule
authentication mode multi-authen max-user 100
access-domain huawei portal force
#
group-policy controller 168.88.77.10 password %^%#2<1iP`j5kB]U#X>FGJM;na:J-}>E]X2QYJ#E]X[F%^%# src-ip 2.2.2.2
#
dhcp enable
#
radius-server template test01
radius-server shared-key cipher %^%#0Kc.C&eT<P91FzB4MP*ZSQaa$c8v_6,^N>6IAu&H%^%#
radius-server authentication 168.88.77.10 1812 source ip-address 2.2.2.2 weight 80
radius-server accounting 168.88.77.10 1813 source ip-address 2.2.2.2 weight 80
radius-server authorization 168.88.77.10 shared-key cipher %^%#PEIT<a/3w+D+}M:q.^rQ}Amd#j=(n!p}!(G[O)wR%^%#
#
free-rule-template name default_free_rule
free-rule 1 destination ip 168.88.77.140 mask 255.255.255.255 source any
#
web-auth-server test01
server-ip 168.88.77.10
port 50100
url http://168.88.77.10:8080/portal
source-ip 2.2.2.2
#
portal-access-profile name portal1
web-auth-server test01 direct
#
aaa
authentication-scheme test01
authentication-mode radius
accounting-scheme test01
accounting-mode radius
accounting realtime 15
domain huawei
authentication-scheme test01
accounting-scheme test01
radius-server test01
#
interface Vlanif12
ip address 192.168.12.1 255.255.255.0
#
interface Vlanif40
ip address 172.16.40.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 12
#
interface XGigabitEthernet2/1/0
eth-trunk 1
#
interface XGigabitEthernet2/1/1
eth-trunk 1
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 40
authentication-profile p1
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface LoopBack100
ip address 172.30.100.3 255.255.255.255
#
interface LoopBack101
ip address 172.30.101.3 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 192.168.12.2
#
return

Core S12700 CSS


#
sysname core-switch
#
vlan batch 9 to 12 1000
#
interface Vlanif9
ip address 192.168.9.2 255.255.255.0
#
interface Vlanif10
ip address 192.168.10.3 255.255.255.0
#
interface Vlanif11
ip address 192.168.11.2 255.255.255.0
#
interface Vlanif12
ip address 192.168.12.2 255.255.255.0
#
interface Vlanif1000
ip address 168.88.77.157 255.255.128.0
#
interface Eth-Trunk0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 9
stp disable
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 11
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 12
#
interface Eth-Trunk3
port link-type access
port default vlan 10
#
interface Eth-Trunk4
port link-type access
port default vlan 10
#
interface GigabitEthernet1/1/1/7
mad detect mode direct
#
interface GigabitEthernet1/2/0/0
eth-trunk 3
#
interface GigabitEthernet1/2/0/1
eth-trunk 4
#
interface GigabitEthernet1/2/0/20
port link-type access
port default vlan 1000
#
interface XGigabitEthernet1/3/1/0
eth-trunk 1
#
interface GigabitEthernet2/2/0/0
eth-trunk 3
#
interface GigabitEthernet2/2/0/1
eth-trunk 4
#
interface GigabitEthernet2/1/1/7
mad detect mode direct
#
interface XGigabitEthernet2/3/1/0
eth-trunk 1
#

interface GigabitEthernet1/3/1/1
eth-trunk 2
#
interface GigabitEthernet2/3/1/1
eth-trunk 2
#
interface XGigabitEthernet1/4/0/0
eth-trunk 0
#
interface XGigabitEthernet1/4/0/1
eth-trunk 0
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1 router-id 3.3.3.3
filter-policy ip-prefix test01 export static
import-route static
area 0.0.0.0
network 168.88.0.0 0.0.127.255
network 192.168.10.0 0.0.0.255
#
ip ip-prefix test01 index 1 permit 172.16.30.0 24
ip ip-prefix test01 index 2 permit 172.16.40.0 24
#
ip route-static 1.1.1.1 255.255.255.255 192.168.11.1
ip route-static 2.2.2.2 255.255.255.255 192.168.12.1
ip route-static 4.4.4.4 255.255.255.255 192.168.9.1
ip route-static 172.16.30.0 255.255.255.0 192.168.11.1
ip route-static 172.16.40.0 255.255.255.0 192.168.12.1
ip route-static 172.30.100.1 255.255.255.255 192.168.9.1
ip route-static 172.30.100.2 255.255.255.255 192.168.11.1
ip route-static 172.30.100.3 255.255.255.255 192.168.12.1
ip route-static 172.30.101.1 255.255.255.255 192.168.9.1
ip route-static 172.30.101.2 255.255.255.255 192.168.11.1
ip route-static 172.30.101.3 255.255.255.255 192.168.12.1
#

NGFW Module
#
sysname NGFW Module
#
vlan batch 9
#
radius-server template test01
radius-server shared-key cipher %@%@eJb}7fm's=:^`p5QuT<77K&]%@%@
radius-server authentication 168.88.77.10 1812 source ip-address 4.4.4.4 weight 80
radius-server accounting 168.88.77.10 1813 source ip-address 4.4.4.4 weight 80
undo radius-server user-name domain-included
radius-server group-filter class
#
interface Vlanif9
ip address 192.168.9.1 255.255.255.0
#
interface Eth-Trunk0
portswitch
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 9
#
interface GigabitEthernet1/0/0
undo shutdown
eth-trunk 0
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 0
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
interface LoopBack100
ip address 172.30.100.1 255.255.255.255
#
interface LoopBack101
ip address 172.30.101.1 255.255.255.255
#
firewall zone trust
set priority 85
add interface Eth-Trunk0
add interface GigabitEthernet0/0/0
add interface Vlanif9
#
ip route-static 0.0.0.0 0.0.0.0 192.168.9.2
#
agile-network
agile-network enable
radius-server test01
server ip 168.88.77.10
local ip 4.4.4.4
password %$%$0}:jXH3"FLn__tY:4q^0Nof]%$%$
xmpp connect
#
security-policy
default action permit
#

FW1

#
sysname FW1
#
hrp enable
hrp interface GigabitEthernet1/0/5 remote 10.10.0.2
hrp mirror session enable
hrp track interface Eth-Trunk1
#
healthcheck enable
healthcheck name isp1_health
destination 21.0.0.100 interface GigabitEthernet1/0/1 protocol tcp-simple destination-port 1001
healthcheck name isp2_health
destination 22.0.0.100 interface GigabitEthernet1/0/2 protocol tcp-simple destination-port 1002
#
radius-server template test01
radius-server shared-key cipher %@%@YeBxR{:_6A7/`xDG-3u7#BCr%@%@
radius-server authentication 168.88.77.10 1812 source LoopBack 0 weight 80
radius-server accounting 168.88.77.10 1813 source LoopBack 0 weight 80
undo radius-server user-name domain-included
radius-server group-filter class
#
interface Eth-Trunk1
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 201.0.0.1 255.255.255.0
healthcheck isp1_health
gateway 201.0.0.254
bandwidth ingress 100000 threshold 95
bandwidth egress 100000 threshold 95
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 202.0.0.2 255.255.255.0
healthcheck isp2_health
gateway 202.0.0.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
#
interface GigabitEthernet1/0/3
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/4
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/5
undo shutdown
ip address 10.10.0.1 255.255.255.0
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface Eth-Trunk1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/5
#
firewall zone name isp1 id 4
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
set priority 20
add interface GigabitEthernet1/0/2
#
ospf 1 router-id 5.5.5.5
import-route static
area 0.0.0.0
network 5.5.5.5 0.0.0.0
network 192.168.10.0 0.0.0.255
#
ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
ip route-static 22.0.0.0 255.255.255.0 202.0.0.254
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 201.0.0.10 201.0.0.12
#
nat address-group addressgroup2 1
mode pat
route enable
section 1 202.20.1.1 202.20.1.5
#
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
agile-network
agile-network enable
radius-server test01
server ip 168.88.77.10
local ip 5.5.5.5
password %$%$"YrVNBu2P~I{BlL0'$8UE680%$%$
xmpp connect
#
security-policy
default action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone isp1
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup1
rule name policy_nat2
source-zone trust
destination-zone isp2
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup2
#
return

FW2

#
sysname FW2
#
hrp enable
hrp interface GigabitEthernet1/0/5 remote 10.10.0.1
hrp mirror session enable
hrp track interface Eth-Trunk1
#
healthcheck enable
healthcheck name isp1_health
destination 21.0.0.100 interface GigabitEthernet1/0/1 protocol tcp-simple destination-port 1003
healthcheck name isp2_health
destination 22.0.0.100 interface GigabitEthernet1/0/2 protocol tcp-simple destination-port 1004
#
radius-server template test01
radius-server shared-key cipher %@%@YeBxR{:_6A7/`xDG-3u7#BCr%@%@
radius-server authentication 168.88.77.10 1812 source LoopBack 0 weight 80
radius-server accounting 168.88.77.10 1813 source LoopBack 0 weight 80
undo radius-server user-name domain-included
radius-server group-filter class
#
interface Eth-Trunk1
ip address 192.168.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 201.0.0.2 255.255.255.0
healthcheck isp1_health
gateway 201.0.0.254
bandwidth ingress 100000 threshold 95
bandwidth egress 100000 threshold 95
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 202.0.0.1 255.255.255.0
healthcheck isp2_health
gateway 202.0.0.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
#
interface GigabitEthernet1/0/3
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/4
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/5
undo shutdown
ip address 10.10.0.2 255.255.255.0
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface Eth-Trunk1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/5
#
firewall zone name isp1 id 4
set priority 10
add interface GigabitEthernet1/0/1
#
firewall zone name isp2 id 5
set priority 20
add interface GigabitEthernet1/0/2
#
ospf 1 router-id 6.6.6.6
import-route static
area 0.0.0.0
network 6.6.6.6 0.0.0.0
network 192.168.10.0 0.0.0.255
#
ip route-static 21.0.0.0 255.255.255.0 201.0.0.254
ip route-static 22.0.0.0 255.255.255.0 202.0.0.254
#
nat address-group addressgroup1 0
mode pat
route enable
section 0 201.0.0.10 201.0.0.12
#
nat address-group addressgroup2 1
mode pat
route enable
section 1 202.20.1.1 202.20.1.5
#
multi-interface
mode proportion-of-bandwidth
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
agile-network
agile-network enable
radius-server test01
server ip 168.88.77.10
local ip 6.6.6.6
password %$%$_i#0Mg|T-XkLhMY&VI&WGh$_%$%$
xmpp connect
#
security-policy
default action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone isp1
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup1
rule name policy_nat2
source-zone trust
destination-zone isp2
source-address range 172.16.30.1 172.16.30.254
source-address range 172.16.40.1 172.16.40.254
action nat address-group addressgroup2
#
return

5 Typical Configuration Examples (Web)

About This Chapter

5.1 WLAN Common Service Configuration Examples


5.2 WLAN Basic Networking Configuration Examples (FAT AP)
5.3 PPPoE Configuration Examples (Fat AP)
5.4 PPPoE Configuration Examples (Fat Central AP)
5.5 WLAN Basic Networking Configuration Examples
5.6 AP's Wired Interface Configuration Examples
5.7 Authentication Configuration Examples
5.8 Reliability Configuration Examples
5.9 Roaming Configuration Examples
5.10 Agile Distributed Networking Configuration Examples
5.11 High-Density Configuration Examples
5.12 Example for Configuring Vehicle-Ground Communication
5.13 Radio Resource Management Configuration Examples
5.14 Spectrum Analysis Configuration Examples
5.15 WLAN Security Configuration Examples
5.16 WLAN QoS Configuration Examples
5.17 WLAN Enhanced Services Configuration Examples
5.18 Typical Configuration for Interconnection Between AC and Cisco ISE Server
5.19 Typical Configuration for Interconnection Between AC and Aruba ClearPass Server

5.1 WLAN Common Service Configuration Examples


5.1.1 Example for Configuring Internal Personnel to Access the WLAN (802.1x Authentication)

Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1x+AES

Figure 5-1 Networking diagram for configuring 802.1x authentication
[Diagram: Internet, Router, SwitchB, AC, RADIUS server (10.23.103.1:1812), SwitchA, AP, and STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Data Planning

Table 5-1 Data planning on the AC

Configuration Item                  Data

Management VLAN                     VLAN 100

Service VLAN                        VLAN 101

AC's source interface               VLANIF 100: 10.23.100.1/24

DHCP server                         The AC functions as the DHCP server to assign IP
                                    addresses to APs, and SwitchB functions as the DHCP
                                    server to assign IP addresses to STAs.

IP address pool for APs             10.23.100.2-10.23.100.254/24

IP address pool for the STAs        10.23.101.2-10.23.101.254/24

RADIUS authentication parameters    • RADIUS server template name: wlan-net
                                    • IP address: 10.23.103.1
                                    • Authentication port number: 1812
                                    • Shared key: huawei@123
                                    • Authentication scheme: wlan-net

802.1x access profile               • Name: wlan-net
                                    • Authentication mode: EAP

Authentication profile              • Name: wlan-net
                                    • Bound profile and authentication scheme: 802.1x
                                      access profile wlan-net, RADIUS server template
                                      wlan-net, and RADIUS authentication scheme
                                      wlan-net

AP group                            • Name: ap-group1
                                    • Bound profile: VAP profile wlan-net and
                                      regulatory domain profile default

Regulatory domain profile           • Name: default
                                    • Country code: China

SSID profile                        • Name: wlan-net
                                    • SSID name: wlan-net

Security profile                    • Name: wlan-net
                                    • Security policy: WPA-WPA2+802.1x+AES

VAP profile                         • Name: wlan-net
                                    • Forwarding mode: direct forwarding
                                    • Service VLAN: VLAN 101
                                    • Bound profiles: SSID profile wlan-net, security
                                      profile wlan-net, and authentication profile
                                      wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure AC system parameters.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When configuring the
security policy, select 802.1X and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure third-party server interconnection parameters.
NOTE

The AC and server must have the same RADIUS shared key.
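
Why the two shared keys must match, as an added example (not part of the Huawei document): RADIUS authenticates each packet with a keyed digest, so a peer holding a different key discards the packet silently and authentication times out. The code uses the planned key huawei@123 from Table 5-1; the user name, EAP payload, and function names are constructed for illustration, and the Access-Accept is assumed to carry no attributes.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # attribute types


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, user, eap_payload):
    """Access-Request as the AC sends it when relaying an 802.1x EAP message."""
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(EAP_MESSAGE, eap_payload)
    # RFC 3579: HMAC-MD5 over the whole packet with this field zeroed first.
    placeholder = attr(MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_auth
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def server_accepts_request(packet, secret):
    """Server-side check: recompute Message-Authenticator with the server's key."""
    zeroed, received, pos = bytearray(packet), None, 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += attr_len
    if received is None:
        return False  # EAP requests without the attribute are dropped
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def build_access_accept(request, secret):
    """Attribute-less Access-Accept bound to the request (RFC 2865)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)
    response_auth = hashlib.md5(header + request[4:20] + secret).digest()
    return header + response_auth


def ac_accepts_response(response, request, secret):
    """AC-side check: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:] + secret
    ).digest()
    return hmac.compare_digest(response[4:20], expected)


def exchange(ac_secret, server_secret):
    """Run one request/response round and return (server_ok, ac_ok)."""
    # Constructed EAP-Response/Identity for a user named "user1".
    eap_identity = b"\x02\x01\x00\x0a\x01user1"
    request = build_access_request(1, ac_secret, b"user1", eap_identity)
    server_ok = server_accepts_request(request, server_secret)
    response = build_access_accept(request, server_secret)
    ac_ok = ac_accepts_response(response, request, ac_secret)
    return server_ok, ac_ok


if __name__ == "__main__":
    print("matching keys:  ", exchange(b"huawei@123", b"huawei@123"))
    print("mismatched keys:", exchange(b"huawei@123", b"Huawei@123"))
```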

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce the impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
  suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
  suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure ports.

# Select GigabitEthernet0/0/1. Expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 102.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnection.

# Under Interface Configuration, click Create. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON, and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.

# Click OK.
# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.103.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.102.1.

# Click OK.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.


# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure WLAN services.


1. # Click Create. The Basic Information page is displayed.
2. # Set the SSID name, forwarding mode, and service VLAN ID.

3. # Click Next. The Security Authentication page is displayed.


4. # Set Security settings to 802.1x authentication, and configure parameters of the
external RADIUS server.

5. # Click Next. The Access Control page is displayed.


6. # Set Binding the AP group to ap-group1.
7. # Click Finish.

Step 6 Set the AP channel and power.


1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.

# Disable automatic channel and power calibration.


# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Configure third-party server interconnection parameters.
• For interconnection with the Cisco ISE, see "Example for Configuring Wireless 802.1X
Authentication" in the Typical Configuration Examples-WLAN and the Cisco ISE Server
Interoperation Configuration Examples.
• For interconnection with the Aruba ClearPass, see "Example for Configuring Wireless
802.1X Authentication" in the Typical Configuration Examples-WLAN and the Aruba
ClearPass Server Interoperation Configuration Examples.
• For interconnection with the Agile Controller-Campus, see "Example for Configuring
Wireless 802.1X Authentication" in the Agile Controller-Campus Typical Configuration
Examples.
• For interconnection with other third-party servers, see the corresponding product manual.
Step 8 Verify the configuration.
• The WLAN with SSID wlan-net is available for STAs connected to the AP.
• The wireless PC obtains an IP address after it associates with the WLAN.
• Use the 802.1x authentication client on a STA and enter the correct user name and
password. The STA is authenticated and can access the WLAN. You must configure the
client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication
mode, set the identity authentication mode to User authentication, and click
OK.

----End

5.1.2 Example for Configuring Guests to Access the WLAN (MAC Address-prioritized Portal Authentication)

Service Requirements
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: MAC address-prioritized Portal authentication
• Security policy: open

Figure 5-2 Networking for configuring MAC address-prioritized Portal authentication

Data Planning

Table 5-2 AC data planning


Item | Data
Management VLAN for APs | VLAN100
Service VLAN for STAs | VLAN101
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway address of STAs is 10.23.101.2.
IP address pool for APs | 10.23.100.2–10.23.100.254/24
IP address pool for STAs | 10.23.101.3–10.23.101.254/24
AC's source interface address | VLANIF100: 10.23.100.1/24
AP group | Name: ap-group1; Referenced profile: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: China
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: open
RADIUS authentication parameters | Name of the RADIUS authentication scheme: wlan-net; Name of the RADIUS accounting scheme: wlan-net; Name of the RADIUS server template: wlan-net; IP address: 10.23.102.1; Authentication port number: 1812; Shared key: Huawei123
Portal server template | Name: wlan-net; IP address: 10.23.103.1; Destination port number in the packets that the AC sends to the Portal server: 50200; Portal shared key: Huawei123
Portal access profile | Name: wlan-net; Referenced profile: Portal server template wlan-net
MAC access profile | Name: wlan-net
Authentication-free rule profile | Name: default_free_rule; Authentication-free resource: IP address of the DNS server (8.8.8.8)
Authentication Profile | Name: wlan-net; Referenced profile: Portal access profile wlan-net, MAC access profile wlan-net, RADIUS server template wlan-net, authentication-free rule profile default_free_rule and authentication scheme wlan-net
VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profile: SSID profile wlan-net, security profile wlan-net and Authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and MAC address-prioritized Portal authentication on the AC
using the WLAN configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Complete service verification.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
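
The notes above on port isolation and on keeping the management and service VLANs apart can be checked mechanically against a switch CLI transcript. The following Python script is an added example, not Huawei's code; the transcript is constructed in the style of this page's SwitchA configuration, and treating every port whose PVID equals the AP management VLAN as AP-facing is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Matches VRP prompts such as "[SwitchA-GigabitEthernet0/0/1] port-isolate enable".
# Assumes the sysname itself contains no hyphen.
PROMPT = re.compile(r"^\[(?P<host>[^\]\-]+)(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>.+)$")

@dataclass
class Port:
    name: str
    pvid: Optional[int] = None            # set by "port trunk pvid vlan N"
    allowed: set = field(default_factory=set)
    isolated: bool = False

def expand_vlans(tokens):
    """Expand '100 101', '100 to 104' and 'all' into a set of VLAN IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            vlans.update(range(1, 4095))
            i += 1
        elif i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def parse_ports(transcript):
    """Collect per-interface trunk settings from a CLI transcript."""
    ports = {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m or not (m["view"] or "").startswith("GigabitEthernet"):
            continue
        port = ports.setdefault(m["view"], Port(m["view"]))
        words = m["cmd"].split()
        if words[:4] == ["port", "trunk", "pvid", "vlan"] and len(words) > 4:
            port.pvid = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            port.allowed |= expand_vlans(words[4:])
        elif words == ["port-isolate", "enable"]:
            port.isolated = True
    return ports

def audit(transcript, mgmt_vlan, service_vlan, forwarding_mode):
    """Return (location, finding) pairs for the checks in the Configuration Notes."""
    findings = []
    tunnel = forwarding_mode == "tunnel"
    if tunnel and mgmt_vlan == service_vlan:
        findings.append(("global", "management and service VLAN are the same "
                                   "in tunnel forwarding mode"))
    for port in parse_ports(transcript).values():
        if port.pvid != mgmt_vlan:        # assumption: AP-facing ports use the mgmt VLAN as PVID
            continue
        if not port.isolated:
            findings.append((port.name, "AP-facing port without port-isolate enable"))
        if tunnel and service_vlan != mgmt_vlan and service_vlan in port.allowed:
            findings.append((port.name, f"service VLAN {service_vlan} allowed on "
                                        "AP-facing trunk in tunnel forwarding mode"))
    return findings

# Constructed transcript: GE0/0/1 follows the page, GE0/0/3 is deliberately misconfigured.
SAMPLE = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 101
[SwitchA-GigabitEthernet0/0/3] quit
"""

if __name__ == "__main__":
    for where, what in audit(SAMPLE, mgmt_vlan=100, service_vlan=101, forwarding_mode="tunnel"):
        print(f"{where}: {what}")
```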

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit


Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON and DHCP
type to Interface address pool.


# Click OK. An address pool for VLANIF 100 is configured.


# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Configure the default route and set its next hop address to 10.23.101.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Portal (applicable to enterprise networks) and select MAC
address-prioritized. Under External Portal Server Configuration, set the server name, IP
address, shared-key, port number, and server URL. Under External RADIUS Server
Configuration, set the server name, authentication server IP address, and shared key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Configure network resources accessible to authentication-free users.


1. Choose Configuration > AP Config > AP Group.
2. In the AP group list, click ap-group1. Choose VAP Configuration > wlan-net >
Authentication Profile > Authentication-free Rule Profile. The Authentication-free
Rule Profile page is displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Select Authentication-free Rule in Control mode.


5. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule
ID to 1 and the authentication-free resource to the IP address of the DNS server.

6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

3. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.


4. When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.
5. Assume that the MAC address validity period configured on the server is 60 minutes. If a
user is disconnected from the wireless network for 5 minutes and reconnects to the
network, the user can directly access the network. If a user is disconnected from the
wireless network for 65 minutes and reconnects to the network, the user will be
redirected to the Portal authentication page.

----End
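
The access decisions verified in Step 7 can be modelled in a few lines. The following Python model is an added example, not Huawei's implementation: it assumes the server's 60-minute MAC validity timer starts at the successful Portal login and that the user disconnects right after logging in, treats all non-exempt traffic as HTTP that gets redirected, and uses constructed credentials and a constructed MAC address.

```python
import hmac
from dataclasses import dataclass, field

MAC_VALIDITY_MIN = 60          # validity period used in the verification step on the page
FREE_RESOURCES = {"8.8.8.8"}   # authentication-free resource from the page (DNS server)

@dataclass
class AuthServer:
    """Stand-in for the RADIUS/Portal server; remembers MACs that passed Portal login."""
    users: dict                                      # constructed: user name -> password
    mac_cache: dict = field(default_factory=dict)    # MAC -> minute at which the entry expires

    def mac_auth(self, mac, now):
        expiry = self.mac_cache.get(mac)
        if expiry is None or now >= expiry:
            self.mac_cache.pop(mac, None)            # expired entries are forgotten
            return False
        return True                                  # within the window the MAC alone decides

    def portal_login(self, mac, user, password, now):
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(stored, password):
            return False
        self.mac_cache[mac] = now + MAC_VALIDITY_MIN
        return True

class AccessController:
    """AC side: try MAC authentication first, fall back to Portal redirection."""
    def __init__(self, server):
        self.server = server
        self.authenticated = set()

    def associate(self, mac, now):
        if self.server.mac_auth(mac, now):
            self.authenticated.add(mac)
            return "access-granted"
        self.authenticated.discard(mac)
        return "pre-auth"

    def forward(self, mac, dst_ip):
        if mac in self.authenticated or dst_ip in FREE_RESOURCES:
            return "forward"                         # authenticated, or authentication-free rule
        return "redirect-to-portal"

    def portal_submit(self, mac, user, password, now):
        if self.server.portal_login(mac, user, password, now):
            self.authenticated.add(mac)
            return True
        return False

    def disconnect(self, mac):
        self.authenticated.discard(mac)

def reconnect_after(offline_min):
    """Log in through the Portal at minute 0, disconnect, reconnect after offline_min minutes."""
    ac = AccessController(AuthServer(users={"guest": "constructed-pass"}))
    mac = "0011-2233-4455"                           # constructed STA MAC address
    ac.associate(mac, 0)
    ac.portal_submit(mac, "guest", "constructed-pass", 0)
    ac.disconnect(mac)
    return ac.associate(mac, offline_min)

if __name__ == "__main__":
    for minutes in (5, 65):
        print(minutes, reconnect_after(minutes))
```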

5.1.3 Example for Configuring High-Density WLAN Services


Service Requirements
The WLAN of a stadium needs to provide access for a large number of users; therefore, APs
are placed in close proximity, causing severe interference. The IT department of the stadium
requires that the interference be eliminated to maximize Internet experience for users.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 5-3 Networking diagram for configuring a high-density WLAN

Data Planning

Table 5-3 Data planning


Item | Data
Management VLAN for APs | VLAN 10 and VLAN 100
Service VLAN for STAs | VLAN pool. Name: sta-pool; VLANs in the VLAN pool: VLAN 101 and VLAN 102
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. The aggregation switch (SwitchB) functions as a DHCP server to assign IP addresses to STAs.
IP address pool for APs | 10.23.10.2-10.23.10.254/24
IP address pool for STAs | 10.23.101.3-10.23.101.254/24; 10.23.102.3-10.23.102.254/24
AC's source interface address | VLANIF 100: 10.23.100.1/24
AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net, regulatory domain profile default, 2G radio profile default, and 5G radio profile wlan-radio5g
Regulatory domain profile | Name: default; Country code: China
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567
VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLANs in the VLAN pool; Referenced profiles: SSID profile wlan-net, security profile wlan-net, and traffic profile wlan-traffic
RRM profile | Name: wlan-rrm; Automatic channel calibration: disabled; Automatic power calibration: disabled; Airtime fair scheduling: enable; Smart roaming: enable
2G radio profile | Name: wlan-radio2g; Referenced profile: RRM profile wlan-rrm
5G radio profile | Name: wlan-radio5g; Referenced profile: RRM profile wlan-rrm
Traffic profile | Name: wlan-traffic

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Adjust WLAN high-density parameters.
You are advised to adjust WLAN high-density parameters according to Table 5-4.

Table 5-4 Adjustment recommendations


Adjustment Item | Purpose | Recommendation
Configure 5G-prior access | To reduce the burden on the 2.4 GHz radio by preferentially connecting 5G-capable STAs to the 5 GHz radio when a large number of 2.4 GHz STAs exist on the network. | Enable band steering. By default, band steering is enabled.
Remove the limit on the number of access users | To make an AP offer wireless services to more users. | Increase the maximum number of access users to 128 for an SSID profile.
Reduce the user association aging time | To prevent users who frequently disconnect from the wireless network. | Set the association aging time to 1 minute.
User isolation | To prevent mobile terminals from exchanging a large number of ARP packets. | Enable user isolation on the AC.
Limit user rates | To prevent advantaged STAs from occupying too many rate sources and deteriorating service experience of disadvantaged STAs. | Limit the downstream rate of each STA to 2000 kbit/s in a VAP. Adjust the upstream rate according to actual situations. In this example, the upstream rate is set to 1000 kbit/s.
Adjust AP channel and power | To reduce interference between APs. | Channel: Prevent adjacent APs from working on overlapping channels. It is recommended that you configure channels 1, 9, 5, and 13 in a high-density WLAN environment. Power: Minimize AP power while ensuring that the RSSI is greater than -65 dBm at the edge of the AP's coverage area.
Configure smart roaming | To prevent weak-signal STAs from degrading user experience. | Enable smart roaming and set the SNR threshold to 15 dB.
Enable airtime fair scheduling | To ensure that wireless channel resources can be equally allocated to users. | Enable airtime fair scheduling.
Set the RTS-CTS threshold | To prevent hidden STAs. | Set the RTS-CTS operation mode to rts-cts and the RTS threshold to 1400 bytes.
Adjust the interval at which Beacon frames are sent | To improve the overall data traffic of APs. | Set the interval for sending Beacon frames to 160 ms.
Set the guard interval (GI) mode to short GI | To reduce extra overhead and improve AP transmission efficiency. | Set the GI mode to short GI.
Configure the basic rate set | To improve the overall AP throughput. | Delete low rates from the basic rate set.
Configure the multicast rate | To improve air interface efficiency. | Use the default values. By default, the multicast transmit rate of wireless packets is 11 Mbit/s for the 2.4 GHz radio and 6 Mbit/s for the 5 GHz radio.
Configure the short preamble for a radio | To improve the network synchronization performance. | Configure the short preamble. If some legacy NICs exist on the network, disable the short preamble function.
Adjust EDCA parameters | To improve user experience. | Set the EDCA parameters of AC_BE packets as follows. AP: ecwmin: 5, ecwmax: 6, aifsn: 3. Client: ecwmin: 7, ecwmax: 10, aifsn: 3.

7. Deliver the WLAN services to the APs and verify the configuration.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLANs 10, 101, and 102. The default VLAN of
GE0/0/1 and GE0/0/3 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs.

# Configure DHCP relay on SwitchB.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.

# Click OK.
# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.


# Configure the global IP address pool huawei.


– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1
NOTE

Configure the DNS server address as required.

# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.


# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.


# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.

# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.


# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Adjust WLAN high-density parameters.
1. Adjust VAP profile parameters.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click in front of VAP Configuration.


# Click the VAP profile wlan-net. On the VAP profile configuration page that is
displayed, enable band steering.

# Click Apply. In the dialog box that is displayed, click OK.


2. Adjust SSID profile parameters.


# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click in front of VAP Configuration.


Under it, click in front of wlan-net. Click SSID Profile. The SSID Profile page is
displayed.
# The SSID profile configuration page is displayed. Set the maximum number of users to
128 and association aging time to 1 minute. Configure EDCA parameters for AC_BE
packets of STAs as follows: AIFSN: 3; ECWmin: 7; ECWmax: 10

# Click Apply. In the dialog box that is displayed, click OK.


3. Create a traffic profile and adjust traffic profile parameters.
# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Click in front of VAP Configuration.


Under it, click in front of wlan-net. Click Traffic Profile. The Traffic Profile page
is displayed.
# Click Create. The Create Traffic Profile page is displayed.
# Enter the profile name wlan-traffic in Profile name and click OK. The new traffic
profile configuration page is displayed.
# Set the user isolation mode to All isolation, and the upstream and downstream rate
limits to 1000 kbit/s and 2000 kbit/s for STAs, respectively.


# Click Apply. In the dialog box that is displayed, click OK.


4. Set the AP channel and power.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles in Radio Management are
displayed.
# Click Radio 0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 1 and transmit power to 127 dBm. The configuration of Radio1 is
similar to the configuration of Radio 0, and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


5. Configure the AP to work in dual-5G mode. This step is only for APs that support
switching between 2.4G and 5G radios.
# Choose Configuration > AP Config > AP Group > AP Group.


# In the AP group list, click the AP group ap-group1 and click next to Radio
Management. The profiles in Radio Management are displayed.
# Click Radio 0. The Radio 0 Settings(2.4G) page is displayed. Enable the dual-5G
mode. In the dialog box that is displayed, click OK.

# Click Apply. In the dialog box that is displayed, click OK.


6. Create the 2G radio profile and adjust 2G radio profile parameters. Skip this step if the
AP has been configured to work in dual-5G mode. Go to the next step to create the 5G
radio profile and bind the 5G radio profile to radio 0.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Perform the following configurations:
– Set the RTS-CTS mode to rts-cts and the RTS-CTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Enable the short preamble function.
– Set the GI mode to short.
– Set the 802.11bg basic rate to 6, 9, 12, 18, 24, 36, 48, or 54, in Mbit/s.
– Set the multicast rate to 11 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.


# Click Apply. In the dialog box that is displayed, click OK.


7. Create a 5G radio profile and adjust 5G radio profile parameters.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Choose Radio Management > Radio 1 > 5G
Radio Profile. The 5G Radio Profile page is displayed.

# Click Create. On the Create 5G Radio Profile page that is displayed, enter the profile
name wlan-radio5g and click OK. The 5G radio profile configuration page is displayed.

# Perform the following configurations:


– Set the RTS-CTS mode to rts-cts and the RTS-CTS threshold to 1400 bytes.
– Set the interval for sending Beacon frames to 160 TUs.
– Set the GI mode to short.
– Set the multicast rate to 6 Mbit/s.
– Set EDCA parameters for AC_BE packets on APs: AIFSN to 3, ECWmin to 5, and
ECWmax to 6.

# Click Apply. In the dialog box that is displayed, click OK.


8. Create the RRM profile and adjust RRM profile parameters.


# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile. Click in front of 2G Radio Profile. Profiles in the 2G radio profile
are displayed.
# Click RRM Profile. The RRM Profile page is displayed.
# Click Create. The Create RRM Profile page is displayed.
# Enter the profile name wlan-rrm in Profile name and click OK. The new RRM
profile configuration page is displayed.
# Disable automatic channel and power calibration functions; enable airtime fair
scheduling; enable smart roaming; configure the SNR-based roaming trigger mode; and
set the SNR threshold to 15 dB.
# Click Apply. In the dialog box that is displayed, click OK.
# In the AP group list, click ap-group1. Choose Radio Management > Radio 1 > 5G
Radio Profile. Click in front of 5G Radio Profile. Profiles in the 5G radio profile
are displayed.
# Click RRM Profile. The RRM Profile page is displayed.
# In the RRM profile, select wlan-rrm and click Apply. In the dialog box that is
displayed, click OK.
Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.


4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
5. When a large number of users connect to the network in the stadium, the users still have
good Internet experience.

----End

5.1.4 Example for Configuring WLAN Backhaul


Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Considering the high costs of wired AP deployment, enterprises need to set up
wireless distribution system (WDS) links for wireless backhaul to provide service coverage,
ensuring that enterprise users can access the WLAN.

Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (Switch_A) functions as a DHCP server to assign IP
addresses to STAs.
• Wireless backhaul mode: hand-in-hand WDS
• Backhaul radio: 5 GHz
• Service data forwarding mode: direct forwarding

Figure 5-4 Networking diagram for configuring hand-in-hand WDS services

Data Planning

Table 5-5 AP data planning

AP      Type        MAC Address

AP_1    AP8130DN    60de-4474-9640
AP_2    AP8130DN    dcd2-fc04-b500
AP_3    AP8130DN    dcd2-fc96-e4c0

Table 5-6 AC data planning

Item: Data

Management VLAN for APs: VLAN 100

Service VLAN for STAs: VLAN 101

DHCP server: The AC functions as a DHCP server to assign IP addresses to APs. Switch_A
functions as a DHCP server to assign IP addresses to STAs.

IP address pool for APs: 10.23.100.2-10.23.100.254/24

IP address pool for STAs: 10.23.101.3-10.23.101.254/24

AC's source interface address: VLANIF 100

WDS mode:
• Radio 1 on AP_1: root
• Radio 1 on AP_2: leaf
• Radio 0 on AP_2: root
• Radio 1 on AP_3: leaf

Regulatory domain profile:
• Name: default
• Country code: CN

SSID profile:
• Name: wlan-net
• SSID name: wlan-net

Wireless service security profile:
• Name: wlan-net
• Security policy: WPA-WPA2+PSK+AES
• Password: a1234567

VAP profile:
• Name: wlan-net
• Forwarding mode: direct forwarding
• Service VLAN: VLAN 101
• Referenced profiles: SSID profile wlan-net and security profile wlan-net

WDS link security profile:
• Name: wds-security
• Security policy: WPA2+PSK+AES
• Password type: PASS-PHRASE
• Password: a1234567

WDS whitelist profile:
• Name: wds-list1
• AP MAC address: MAC address of AP_2 (leaf)

• Name: wds-list2
• AP MAC address: MAC address of AP_3 (leaf)

WDS profile:
• Name: wds-root
• WDS name: wlan-wds
• WDS working mode: root
• Tagged VLAN: VLAN 101
• Referenced profile: security profile wds-security

• Name: wds-leaf
• WDS name: wlan-wds
• WDS working mode: leaf
• Tagged VLAN: VLAN 101
• Referenced profile: security profile wds-security

AP group:
• Name: ap-group1
• Root APs, such as AP_1, are added to the group.
• Referenced profiles: WDS profile wds-root, VAP profile wlan-net, and regulatory domain
profile default

• Name: ap-group2
• Root and leaf APs, such as AP_2, are added to the group.
• Referenced profiles: WDS profiles wds-root and wds-leaf, VAP profile wlan-net, and
regulatory domain profile default

• Name: ap-group3
• Leaf APs, such as AP_3, are added to the group.
• Referenced profiles: WDS profile wds-leaf, VAP profile wlan-net, and regulatory domain
profile default

Configuration Roadmap
1. Configure root node AP_1 to go online on the AC.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.


2. Configure WDS services so that APs in and Area C can go online through WDS wireless
virtual links.
3. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• Select proper antennas by following the WDS network planning and design, and use the
antenna calibration tool for calibration.
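
The port-isolation note above, and the trunk settings used on SwitchA in the previous example and on Switch_B in this one, can be checked against a pasted CLI session. The following Python audit is an added example, not Huawei's code; it assumes an AP-facing port is a trunk whose PVID is the AP management VLAN, and the GE0/0/3 lines in the sample session are constructed.

```python
import re

# VRP prompt: "<HUAWEI> cmd" (user view) or "[Switch_B-GigabitEthernet0/0/1] cmd".
PROMPT = re.compile(r"^[\[<][^\]>]+[\]>]\s*(.*)$")
ALLOW = "port trunk allow-pass vlan "


def expand_vlans(spec):
    """Expand '10 101 102', '100 to 101' or 'all' into a set of VLAN IDs."""
    tokens = spec.lower().split()
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        first = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(first, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(first)
            i += 1
    return vlans


def parse_ports(transcript):
    """Collect per-interface trunk settings from a pasted CLI session."""
    ports, current = {}, None
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        cmd = m.group(1).strip().lower()
        if cmd.startswith("interface "):
            name = cmd.split(None, 1)[1].replace(" ", "")
            # VLAN 1 is the default PVID until "port trunk pvid vlan" changes it.
            current = ports.setdefault(
                name, {"trunk": False, "pvid": 1, "allowed": set(), "isolated": False})
        elif cmd == "quit":
            current = None  # back to the system view
        elif current is None:
            continue
        elif cmd == "port link-type trunk":
            current["trunk"] = True
        elif cmd.startswith("port trunk pvid vlan "):
            current["pvid"] = int(cmd.split()[-1])
        elif cmd.startswith(ALLOW):
            current["allowed"] |= expand_vlans(cmd[len(ALLOW):])
        elif cmd == "port-isolate enable":
            current["isolated"] = True
    return ports


def audit(transcript, mgmt_vlan, planned_vlans):
    """Return sorted (interface, finding) pairs for the two checks below."""
    findings = []
    for name, port in parse_ports(transcript).items():
        if not port["trunk"]:
            continue
        # Assumption: PVID == AP management VLAN marks a port that connects to an AP.
        if port["pvid"] == mgmt_vlan and not port["isolated"]:
            findings.append((name, "ap-port-without-port-isolate"))
        extra = port["allowed"] - set(planned_vlans)
        if extra:
            detail = (",".join(map(str, sorted(extra))) if len(extra) <= 8
                      else "%d VLAN IDs" % len(extra))
            findings.append((name, "unplanned-vlans: " + detail))
    return sorted(findings)


# Switch_B session from Step 1 of this example, plus a constructed GE0/0/3
# that is AP-facing, lacks port isolation and passes an unplanned VLAN.
SAMPLE_SESSION = """\
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/3
[Switch_B-GigabitEthernet0/0/3] port link-type trunk
[Switch_B-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 102
[Switch_B-GigabitEthernet0/0/3] quit
"""

if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_SESSION, 100, {100, 101}):
        print(interface, finding)
```

For the previous example, call audit() with management VLAN 10 and planned VLANs 10, 101, and 102.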

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit

# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the DHCP server to assign IP addresses to STAs.


# Configure Switch_A as a DHCP server to assign IP addresses to STAs from the interface
address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server gateway-list 10.23.101.2
[Switch_A-Vlanif101] quit

Step 3 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.


4. Configure the source address for the AC.


# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure the AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click and download
the AP template file to your local PC.

# Fill in the AP template file with AP information according to the following example.

NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP file, select the AP template file, and click Import.
# Click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.


Step 5 Configure wireless services.


1. Click Create. The Basic Information page is displayed.
2. Set the SSID name, forwarding mode, and service VLAN ID.

3. Click Next. The Security Authentication page is displayed.


4. Configure the key authentication mode, AES algorithm, and key.

5. Click Next. The Access Control page is displayed.


6. Set Binding the AP group to ap-group1.
7. Click Finish. Bind the AP group ap-group3 in the same way.
Step 6 Configure AP_1.
1. Create WDS profile wds-root and configure the WDS working mode and tagged VLAN.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.
# Click Create. On the Create WDS Profile page that is displayed, enter the profile
name wds-root, set Radio to 1, and click OK.
# Choose WDS > WDS Profile > wds-root. The WDS Profile page is displayed.
# Set WDS network bridge name, WDS working mode, and Tagged VLAN.


NOTE

In a WDS profile, Tagged VLAN needs to be configured according to actual situations. If traffic from a
different service VLAN needs to be transmitted over the WDS link, set Tagged VLAN to the service
VLAN.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create security profile wds-security and configure the security policy.

# Choose WDS > WDS Profile > wds-root > Security Profile. The Security Profile
page is displayed.

# Click Create. On the Create Security Profile page that is displayed, enter the profile
name wds-security and click OK. The security profile configuration page is displayed.

# Set the key.

# Click Apply. In the dialog box that is displayed, click OK.


3. Create WDS whitelist profile wds-list1 and add the MAC address of the leaf AP to the
WDS whitelist.

# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.

# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list1, set Radio to 1, and click OK. The WDS Whitelist Profile List
page is displayed.

# Choose WDS > WDS Whitelist Profile > wds-list1. The WDS Whitelist Profile page
is displayed.

# Click Add to configure the WDS whitelist.


# Click OK.
4. Configure WDS service parameters for the root node. Set the channel parameters of
Radio1 to 40+ MHz and 157. Set the bridge distance to 4.

# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.

# Click the AP ID 1. The AP customized settings page is displayed.

# Choose Radio Management > Radio1. The Radio 1 Settings(5G) page is displayed.

# Set the channel parameters to 40+ MHz and 157. Set the bridge distance to 4. Disable
automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Configure AP_3.


1. Create WDS profile wds-leaf and configure the WDS working mode and tagged VLAN.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group3. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.

# Click Create. On the Create WDS Profile page that is displayed, enter the profile
name wds-leaf, set Radio to 1 and Copy parameters from other profiles to wds-root,
and click OK.

# Choose WDS > WDS Profile > wds-leaf. The WDS Profile page is displayed.

# Set WDS working mode to Leaf, retain the default settings of other parameters, and
click Apply. In the dialog box that is displayed, click OK.


2. Configure WDS service parameters for the leaf node. Set parameters for Radio1. Set
Channel to 40+ MHz and 149, and WDS/Mesh bridge distance(0.1km) to 4. Disable
automatic channel and power calibration.
Configure WDS service parameters by referring to the configuration procedure on the
root node.

Step 8 Configure AP_2.


1. Reference WDS profile wds-leaf to radio 1 and wds-root to radio 0.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group2. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.

# Click Add. On the Add WDS Profile page that is displayed, enter the profile name
wds-leaf, set Radio to 1, and click OK.

# Click Add. On the Add WDS Profile page that is displayed, enter the profile name
wds-root, set Radio to 0, and click OK.
2. Create WDS whitelist profile wds-list2 and add the MAC address of the leaf AP to the
WDS whitelist.

# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.

# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list2, set Radio to 0, and click OK. The WDS Whitelist Profile List
page is displayed.

# Choose WDS > WDS Whitelist Profile > wds-list2. The WDS Whitelist Profile page
is displayed.

# Click Add to configure the WDS whitelist.

# Click OK.
3. Configure WDS service parameters. Configure Radio0 to switch to the 5 GHz frequency
band. Set the channel parameters of Radio0 to 40+ MHz and 149. Set the coverage
distance to 4. Set the channel parameters of Radio1 to 40+ MHz and 157. Set the bridge
distance to 4.

# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.

# Click the AP ID 2. The AP customized settings page is displayed.

# Choose Radio Management > Radio1. The Radio 0 Settings(2.4G) page is displayed.

# Set Radio0 to switch to the 5 GHz frequency band. Set the channel parameters of
Radio0 to 40+ MHz and 149. Set the bridge distance to 4. Disable automatic channel
and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.


# Set the channel parameters of Radio1 to 40+ MHz and 157. Set the coverage distance
to 4. The configuration is the same as that for Radio0, and is not mentioned here.
Step 9 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Group > AP Group.


# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.
# Disable automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.


# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1
(20-MHz channel 149) on the Radio 1 Settings page is similar to the configuration of
radio 0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


Step 10 Verify the configuration.
1. Choose Monitoring > AP. In AP List, check whether the AP state is normal. If so, the
APs have gone online on the AC through WDS links.
2. Choose Monitoring > Mesh&WDS > WDS Network Bridge Information and check
WDS information. After the WDS links are successfully established, you can view
detailed information about the WDS links on the page.

3. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
4. The WLAN with the SSID wlan-net is available.
5. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

6. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

5.1.5 Example for Configuring Rail Transportation WLAN Services

Service Requirements
To reduce network deployment costs and better serve passengers, a rail transportation
enterprise wants to use WLAN technology to implement vehicle-ground communications and
expects that multicast servers on the ground network can deliver multimedia information
services to passengers.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh-based vehicle-ground fast link handover
• Backhaul radio: 5 GHz radio

Figure 5-5 Networking for configuring vehicle-ground fast link handover

Data Planning

Table 5-7 AP information

AP                                 Type      MAC Address
Trackside AP (L1_001)              AP9132DN  0046-4b59-1d10
Trackside AP (L1_003)              AP9132DN  0046-4b59-1d20
Trackside AP (L1_010)              AP9132DN  0046-4b59-1d30
Trackside AP (L1_150)              AP9132DN  0046-4b59-1d40
Trackside AP (L1_160)              AP9132DN  0046-4b59-1d50
Trackside AP (L1_170)              AP9132DN  0046-4b59-1d60
......
Vehicle-mounted AP (in the front)  AP9132DN  0046-4b59-2e10
Vehicle-mounted AP (in the rear)   AP9132DN  0046-4b59-2e20
.......

Table 5-8 Data planning

Item                                               Data
Management VLAN                                    VLAN 100
Multicast service VLAN                             VLAN 101
Service VLAN for STAs                              VLAN 200
DHCP server                                        • Configure the AC as a DHCP server to assign IP addresses to trackside APs.
                                                   • Configure Switch_A as a DHCP server to assign IP addresses to vehicle-mounted terminals.
AC's source interface address                      VLANIF 100: 10.23.100.1/24
Gateway address                                    IP address of VLANIF 101 on Switch_A: 10.23.224.1/24
IP address pool for trackside APs                  10.23.100.2-10.23.100.254/24
IP address pool for vehicle-mounted terminals      10.23.224.4-10.23.224.254/24
AP group to which trackside APs belong             Name: mesh-mpp
IDs of trackside APs                               • Trackside AP (L1_001): 1
                                                   • Trackside AP (L1_003): 2
                                                   • Trackside AP (L1_010): 3
                                                   • Trackside AP (L1_150): 101
                                                   • Trackside AP (L1_160): 102
                                                   • Trackside AP (L1_170): 103
AP wired port profile                              • Name: wired-port
Security profile                                   • Name: sp01
                                                   • Security policy: WPA2+PSK+AES
                                                   • Password type: PASS-PHRASE
                                                   • Authentication key: a1234567
Mesh profile                                       Trackside APs:
                                                   • Name: mesh-net
                                                   • Identifier: mesh-net
                                                   Vehicle-mounted APs:
                                                   • Name: mesh-net
                                                   • Identifier: mesh-net
Mesh handover profile                              Trackside APs:
                                                   • Name: hand-over
                                                   Vehicle-mounted APs:
                                                   • Name: hand-over
Mesh whitelist on trackside APs                    Name: whitelist01
                                                   Add MAC addresses of all vehicle-mounted APs on trains running on the rail to the
                                                   whitelist according to actual situations.
Mesh whitelist on vehicle-mounted APs              Name: whitelist01
                                                   Add MAC addresses of all trackside APs along the rail line to the whitelist
                                                   according to actual situations.
MAC address of the proxied ground device           • Gateway: 707b-e8e9-d328
                                                   • Network management device: 286e-d488-12cd
                                                   • Multicast source: 286e-d488-b6ab
MAC address of the proxied vehicle-mounted device  • Vehicle-mounted terminal_1: 286e-d488-d359
                                                   • Vehicle-mounted terminal_2: 286e-d488-d270
Multicast group                                    225.1.1.1-225.1.1.3
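
The two whitelist01 rows of Table 5-8 require each side to list every peer AP. The following check is an added example, not part of the Huawei document: it compares a whitelist with the Table 5-7 inventory. The sample whitelist export is constructed, and the function names are this example's own.

```python
import re

# AP inventory from Table 5-7 on this page (xxxx-xxxx-xxxx notation).
TRACKSIDE = {
    "L1_001": "0046-4b59-1d10", "L1_003": "0046-4b59-1d20",
    "L1_010": "0046-4b59-1d30", "L1_150": "0046-4b59-1d40",
    "L1_160": "0046-4b59-1d50", "L1_170": "0046-4b59-1d60",
}
VEHICLE = {"front": "0046-4b59-2e10", "rear": "0046-4b59-2e20"}

# Constructed sample: a whitelist01 listing from a vehicle-mounted AP with a
# colon-formatted entry, a duplicate, a typo (letter O), an address that is
# not in the inventory, and L1_170 left out.
SAMPLE_VEHICLE_WHITELIST = [
    "00:46:4B:59:1D:10", "0046-4b59-1d20", "0046-4b59-1d30", "0046-4b59-1d40",
    "0046-4b59-1d50", "0046-4b59-1d20", "0046-4b59-1d6O", "0046-4b59-9999",
]


def normalize(mac):
    """Return a MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"{mac}: not a 48-bit MAC address")
    if int(digits[:2], 16) & 1:
        # The I/G bit marks a group address, which can never identify one AP.
        raise ValueError(f"{mac}: group (multicast/broadcast) address")
    return digits


def huawei(digits):
    """Format 12 hex digits in the xxxx-xxxx-xxxx notation used on this page."""
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def check_whitelist(entries, peers):
    """Compare one side's whitelist with the peer APs it has to admit."""
    wanted = {normalize(mac): name for name, mac in peers.items()}
    report = {"missing": [], "unknown": [], "duplicate": [], "invalid": []}
    seen = set()
    for raw in entries:
        try:
            mac = normalize(raw)
        except ValueError as err:
            report["invalid"].append(str(err))
            continue
        if mac in seen:
            report["duplicate"].append(huawei(mac))
        elif mac not in wanted:
            report["unknown"].append(huawei(mac))  # stale or unapproved entry
        seen.add(mac)
    # A peer that is absent from the list cannot set up a Mesh link with this AP.
    report["missing"] = sorted(n for m, n in wanted.items() if m not in seen)
    return report


if __name__ == "__main__":
    print("trackside:", check_whitelist(list(VEHICLE.values()), VEHICLE))
    print("vehicle:  ", check_whitelist(SAMPLE_VEHICLE_WHITELIST, TRACKSIDE))
```

A whitelist match only says that a peer presents a listed MAC address; the Mesh link is still authenticated by the key in security profile sp01.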

Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.
2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted AP can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications.
NOTE

• This example uses Huawei AP9132DNs in Fit AP mode as the trackside APs and AP9132DNs in
  Fat AP mode as the vehicle-mounted APs.
• Switches and routers used in this example are all Huawei products.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure switches.

1. Configure Switch_A. Create VLAN 100, VLAN 101 and VLAN 200, add interfaces
GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to allow packets from
VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4 to VLAN 101. Add
GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and configure GE0/0/5 to allow
packets from VLAN 200 to pass through. Configure GE0/0/1, GE0/0/2, and GE0/0/6 to
allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit

2. On Switch_A, configure an IP address for VLANIF 101 and enable the DHCP server
function to assign IP addresses for vehicle-mounted terminals.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.224.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[Switch_A-Vlanif101] quit

3. Configure an IP address for VLANIF 200 on Switch_A and specify the IP address of
GE1/0/0 on the router as the next hop address of the default route so that packets from
the vehicle-ground communication network can be forwarded to the egress router.
[Switch_A] interface vlanif 200
[Switch_A-Vlanif200] ip address 10.23.200.2 24
[Switch_A-Vlanif200] quit
[Switch_A] ip route-static 0.0.0.0 0 10.23.200.1

4. Configure an IP address for GE1/0/0 on Router and configure routes to the internal
network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 24 10.23.200.2
[Router] ip route-static 10.23.100.0 24 10.23.200.2

NOTE
You can configure routes to external networks and the NAT function on the egress router according to
service requirements to ensure normal communications between internal and external networks.
5. Configure Switch_B and Switch_C to enable Layer 2 communications between trackside
APs and the ground network.

# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1 to
allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID of
GE0/0/1 to VLAN 100 (management VLAN for trackside APs).

# Configure other interfaces connected to trackside APs on Switch_B according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set their
PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] quit

# On Switch_C, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1 to
allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID of
GE0/0/1 to VLAN 100.

# Configure other interfaces connected to trackside APs on Switch_C according to
GE0/0/1: allow packets from VLAN 100 and VLAN 101 to pass through and set their
PVIDs to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/1] quit

6. Enable Layer 2 multicast on Switch_A, Switch_B, and Switch_C to allow them to
properly forward multicast data.

# Enable IGMP snooping globally on Switch_A.
[Switch_A] igmp-snooping enable

# Enable IGMP snooping in VLAN 101 on Switch_A.
[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping enable
[Switch_A-vlan101] quit

# Configure multicast group filter policies on Switch_A.
[Switch_A] acl 2000
[Switch_A-acl-basic-2000] rule permit source 225.1.1.1 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.2 0
[Switch_A-acl-basic-2000] rule permit source 225.1.1.3 0
[Switch_A-acl-basic-2000] quit

# Apply the multicast group filter policies in VLAN 101 on Switch_A.
[Switch_A] vlan 101
[Switch_A-vlan101] igmp-snooping group-policy 2000
[Switch_A-vlan101] quit
[Switch_A] quit

# Complete multicast configuration on Switch_B and Switch_C according to the
multicast configuration procedure of Switch_A.

# Configure the fast leave function on Switch_B and Switch_C.

NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast services. If
the trackside APs are not directly connected to the switches or Layer 3 multicast is
configured, you cannot configure the fast leave function because this function may
interrupt multicast services.

[Switch_B] vlan 101
[Switch_B-vlan101] igmp-snooping prompt-leave group-policy 2000
[Switch_C] vlan 101
[Switch_C-vlan101] igmp-snooping prompt-leave group-policy 2000

Step 2 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.

4. Configure the source address for the AC.


# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 3 Configure trackside APs.
1. Choose Configuration > Config Wizard > Mesh.
2. Create the AP group mesh-mpp for the MPPs.
# In AP Group List, click Create. The Create AP Group page is displayed.
# Set the AP group name to mesh-mpp and click OK.
3. Configure Mesh parameters for the MPPs.
# In AP Group List, select the AP group mesh-mpp.
# Click the Service Settings tab and configure Mesh parameters.
– Set the Mesh role to Mesh-portal.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1 to
40+MHz and channel to 157.
– In Security Settings, set the password type to PASS-PHRASE, and enter and
confirm the password a1234567.

– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 0046-4b59-2e10 and 0046-4b59-2e20 are added. Click
OK. The MAC addresses are added to the Mesh whitelist.

Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist
whitelist01 according to the preceding procedure.
# After configuring Mesh parameters, click Apply.
4. Add MPPs.
# In AP Group List, select the AP group mesh-mpp.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Manually add and manually add APs.
# In this example, APs with MAC addresses 0046-4b59-1d10, 0046-4b59-1d20,
0046-4b59-1d30, 0046-4b59-1d40, 0046-4b59-1d50, and 0046-4b59-1d60 are added.
Set AP ID to 1, 2, 3, 101, 102, and 103 for the APs respectively. Set the AP names to
L1_001, L1_003, L1_010, L1_150, L1_160, and L1_170, respectively. Click OK. The
APs are added as MPPs.

5. Configure a Mesh profile.


# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click the AP group mesh-mpp. Choose Mesh > Mesh Profile.
The Mesh Profile List page is displayed.
# Click Create. The Create Mesh Profile page is displayed. Set Profile name to
mesh-net.
# Click OK.
6. Configure a Mesh handover profile.
# Choose Mesh > Mesh Profile > mesh-net > Mesh Handover Profile. The Mesh
Handover Profile page is displayed.
# Click Create. The Create Mesh Handover Profile page is displayed. Set Profile
name to hand-over and click OK. The Mesh profile configuration page is displayed.
# Set Position-based handover algorithm to ON.

# Click Apply. In the dialog box that is displayed, click OK.


7. Configure the AP's wired port profile.
# Choose AP > AP Wired Port Settings. Click GE0. The GE0 profile management
page is displayed.

# Click Create. The Create AP Wired Port Profile page is displayed. Set Profile name
to wired-port and click OK. The configuration page of the wired port profile is
displayed.
# Set Port mode to Endpoint, add the wired port to VLAN 101 in tagged mode, and set
the Port PVID to 101.

# Click Apply. In the dialog box that is displayed, click OK.


Step 4 Configure a vehicle-mounted AP.
NOTE
This example provides the detailed configuration procedure of the vehicle-mounted AP in the front of the
train. The configuration procedure of the vehicle-mounted AP in the rear is similar to that of the
vehicle-mounted AP in the front.
1. Create VLAN 101 on the vehicle-mounted APs, configure GE0/0/1 to allow packets
from VLAN 101 to pass through, and set the PVID of GE0/0/1 to VLAN 101.
# Choose Configuration > Interface > VLAN. On the VLAN tab, click Create. On the
Create VLAN page that is displayed, set VLAN ID to 101.

# Click OK.
# Choose Configuration > Interface > ETH Interface and click GigabitEthernet0/0/1.
The Modify Interface Settings page is displayed.
# Set Default VLAN to VLAN 101. Add GigabitEthernet0/0/1 to VLAN 101 in tagged
mode.

# Click OK.
2. Configure a Mesh profile.
# Choose Configuration > WLAN Service > WLAN Config. Click Radio1.
# Choose Mesh > Mesh Profile. The Mesh Profile page is displayed.
# Click Create. The Create Mesh Profile page is displayed.
# Set Profile name to mesh-net and click OK. The Mesh Profile page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
3. Configure a security profile.
# Choose Mesh > Mesh Profile > Security Profile. The Security Profile page is
displayed.

# Click Create. The Create Security Profile page is displayed.

# Set Profile name to sp01 and click OK. The Security Profile page is displayed.

# Set Security Mode to WPA2-PSK-AES, Password type to PASS-PHRASE, and
Password to a1234567.

# Click Apply. In the dialog box that is displayed, click OK.


4. Configure a Mesh handover profile.

# Choose Mesh > Mesh Profile > Mesh Handover Profile. The Mesh Handover
Profile page is displayed.

# Click Create and create the Mesh handover profile hand-over. Click OK. The Mesh
profile configuration page is displayed.

# Set Position-based handover algorithm to ON and Moving direction to forward.
Click Apply. In the dialog box that is displayed, click OK.

5. Configure a Mesh whitelist profile.

# Choose Mesh > Mesh Whitelist Profile. The Mesh Whitelist Profile page is
displayed.

# Click Create and create the Mesh whitelist whitelist01. Click OK.

# Click Create. The Create MAC Address page is displayed. Choose Manually add
and add members to the MAC address whitelist. In this example, MAC addresses
0046-4b59-1d10, 0046-4b59-1d20, 0046-4b59-1d30, 0046-4b59-1d40,
0046-4b59-1d50, and 0046-4b59-1d60 are added.

# Click OK and Apply. In the dialog box that is displayed, click OK.
Step 5 Add proxied devices on the vehicle-mounted AP.
# Add proxied ground devices. Add the MAC addresses of Switch_A, the network management
device, and the multicast source on the vehicle-mounted AP.
# Choose Configuration > Proxied Device > Proxied Device > Proxied Ground Device.
Click Create and add MAC addresses of proxied ground devices. In this example, MAC
addresses 707b-e8e9-d328, 286e-d488-12cd, and 286e-d488-b6ab are added. Click OK.

# Add proxied vehicle-mounted devices. Add the MAC addresses of the vehicle-mounted devices
on the vehicle-mounted AP.
# Choose Configuration > Proxied Device > Proxied Device > Proxied Vehicle-mounted
Device. Click Create and add MAC addresses of proxied vehicle-mounted devices. In this
example, MAC addresses 286e-d488-d359 and 286e-d488-d270 are added. Click OK.

Step 6 Configure IGMP snooping on the vehicle-mounted AP.

# Choose Configuration > IGMP-Snooping > IGMP-Snooping. Set IGMP-Snooping to
ON in Global Setting.

# In the VLAN List area, set IGMP-Snooping Status of VLAN 101 to Enable.

Step 7 Verify the configuration.


1. On the AC, choose Monitoring > Mesh&WDS > Mesh Link Information to view
Mesh link information. If Mesh links are set up successfully, information about Mesh
links is displayed.

2. Verify the configuration on the vehicle-mounted AP.

# Choose Maintenance > Train To Ground COMM > Mesh Link Information to
view Mesh link information. Displayed information is the same as that checked on the
AC.

# Choose Maintenance > Train To Ground COMM > Vehicle-mounted AP Field
Strength to view field strength of the vehicle-mounted AP.

# Choose Maintenance > Train To Ground COMM > Vehicle-mounted AP Roaming
Trace to view the roaming trace of the vehicle-mounted AP.

----End
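
Step 1 states which VLANs each Switch_A port should carry; management VLAN 100 belongs only on GE0/0/1, GE0/0/2, and GE0/0/6. The following audit is an added example, not part of the Huawei document: it parses the Switch_A session from Step 1 and reports any port that differs from that plan. The PLAN table and the function names are this example's own, and the parser assumes that repeated allow-pass commands add to a port's VLAN list.

```python
import re

# Switch_A session from Step 1 of this example (prompts and commands as on the page).
SWITCH_A = """\
[Switch_A] vlan batch 100 101 200
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitEthernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 101
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitEthernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk pvid vlan 200
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[Switch_A-GigabitEthernet0/0/5] quit
[Switch_A] interface gigabitEthernet 0/0/6
[Switch_A-GigabitEthernet0/0/6] port link-type trunk
[Switch_A-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/6] quit
"""

# Intended state per port, read from the Step 1 text: (PVID or None, allowed VLANs).
PLAN = {
    "GE0/0/1": (None, {100, 101}), "GE0/0/2": (None, {100, 101}),
    "GE0/0/3": (101, {101}), "GE0/0/4": (101, {101}),
    "GE0/0/5": (200, {200}), "GE0/0/6": (None, {100}),
}

def parse_vlans(tokens):
    """Expand a VRP VLAN list: ['100', '101'], ['10', 'to', '12'] or ['all']."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        first = last = int(tokens[i])
        if tokens[i + 1:i + 2] == ["to"]:
            last, i = int(tokens[i + 2]), i + 2
        vlans.update(range(first, last + 1))
        i += 1
    return vlans

def parse_session(text):
    """Return {port: {'link', 'pvid', 'allow'}} from a pasted VRP CLI session."""
    ports, cur = {}, None
    for line in text.splitlines():
        # Strip the "[host-view]" or "<host>" prompt, keep the command words.
        words = re.sub(r"^\s*[\[<][^\]>]*[\]>]", "", line).lower().split()
        if words[:1] == ["interface"]:
            name = "".join(words[1:])
            is_ge = name.startswith("gigabitethernet")
            cur = name.replace("gigabitethernet", "GE") if is_ge else None
            if cur:
                ports.setdefault(cur, {"link": None, "pvid": None, "allow": set()})
        elif words[:1] == ["quit"]:
            cur = None
        elif cur and words[:2] == ["port", "link-type"]:
            ports[cur]["link"] = words[2]
        elif cur and words[:4] == ["port", "trunk", "pvid", "vlan"]:
            ports[cur]["pvid"] = int(words[4])
        elif cur and words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            ports[cur]["allow"] |= parse_vlans(words[4:])  # assumed additive
    return ports

def audit(ports, plan):
    """List every difference between the configured trunks and the plan."""
    findings = []
    for name in sorted(set(ports) | set(plan)):
        if name not in plan or name not in ports:
            findings.append(f"{name}: {'not in plan' if name in ports else 'not configured'}")
            continue
        (pvid, allowed), got = plan[name], ports[name]
        extra, missing = got["allow"] - allowed, allowed - got["allow"]
        if got["link"] != "trunk":
            findings.append(f"{name}: link-type {got['link']}, expected trunk")
        if extra:
            findings.append(f"{name}: carries unplanned VLANs {sorted(extra)}")
        if missing:
            findings.append(f"{name}: missing VLANs {sorted(missing)}")
        if got["pvid"] != pvid:
            findings.append(f"{name}: PVID {got['pvid']}, expected {pvid}")
    return findings

if __name__ == "__main__":
    print(audit(parse_session(SWITCH_A), PLAN) or "Switch_A matches the plan")
```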

5.1.6 Example for Configuring Agile Distributed Wi-Fi Services

Service Requirements
Students in dormitories need to access the Internet through WLANs.

Walls between numerous rooms in the dormitory building cause serious wireless signal
attenuation, degrading signal quality. To resolve this issue, an agile distributed WLAN is
used, with a remote unit (RU) deployed in each dormitory. RUs are connected to a central AP,
and all RUs and central APs are centrally managed by the AC, delivering high-quality WLAN
coverage for each dormitory.

Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  central APs, RUs, and STAs.
• Service data forwarding mode: tunnel forwarding

Figure 5-6 Networking for configuring an agile distributed WLAN

Data Planning

Table 5-9 AC data planning

Item                                    Data
DHCP server                             The AC functions as a DHCP server to assign IP addresses to central APs, RUs, and STAs.
IP address pool for central APs and RUs 10.23.100.2-10.23.100.254/24
IP address pool for STAs                10.23.101.2-10.23.101.254/24
AC's source interface address           VLANIF 100: 10.23.100.1/24
AP group                                • Name: ap-group1
                                        • Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile               • Name: default
                                        • Country code: China
SSID profile                            • Name: wlan-net
                                        • SSID name: wlan-net
Security profile                        • Name: wlan-net
                                        • Security policy: WPA-WPA2+PSK+AES
                                        • Password: a1234567
VAP profile                             • Name: wlan-net
                                        • Forwarding mode: direct forwarding
                                        • Service VLAN: VLAN 101
                                        • Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap

1. Configure the AC, RUs, central APs, and network devices to communicate at Layer 2.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the central APs and RUs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.

5. Deliver the WLAN services to the central APs and RUs, and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Set Interface type of GigabitEthernet0/0/2 to Trunk and add the interface to VLAN
101 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.

# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for the AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 3 Configure a central AP and RUs to go online.


1. Configure a central AP and RUs to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– MAC address of the central AP: 68a8-2845-62fd
– AP SN: 210235419610CB002287
– AP name: central_AP
– AP group: ap-group1
NOTE

– If AP authentication mode is set to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If AP authentication mode is set to SN authentication, the AP's SN is mandatory and the AP's
MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 4 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 5 Configure the RU channel and power.


1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.

# Disable automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.


# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


Step 6 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

5.1.7 Example for Configuring Rogue Device Detection and Containment

Service Requirements
An enterprise branch needs to deploy WLAN services for mobile office so that branch users
can access the enterprise network from anywhere at any time. Furthermore, users' services are
not affected during roaming in the coverage area.
The branch is located in an open place, making the WLAN vulnerable to attacks. For
example, an attacker deploys a rogue AP (area_2) with SSID wlan-net on the WLAN to
establish connections with STAs and intercept enterprise information, posing a great threat to
the enterprise network. To prevent such attacks, the detection and containment function can be
configured for authorized APs. The AC can then detect rogue AP area_2 (neither
managed by the AC nor in the authorized AP list) and contain it, preventing STAs from
associating with the rogue AP.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding

Figure 5-7 Networking for configuring rogue device detection and containment

Data Planning

Table 5-10 AC data planning

Item                            Data
Management VLAN for APs         VLAN 100
Service VLAN for STAs           VLAN 101
DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                SwitchB functions as a DHCP server to assign IP addresses to STAs.
                                The default gateway address of STAs is 10.23.101.2.
IP address pool for APs         10.23.100.2-10.23.100.254/24
IP address pool for STAs        10.23.101.3-10.23.101.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net, regulatory domain
                                  profile default, and WIDS profile wlan-wids
                                • Working mode of the AP radio: normal
                                • Rogue device detection and containment: enabled
Regulatory domain profile       • Name: default
                                • Country code: China
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security
                                  profile wlan-net
WIDS profile                    • Name: wlan-wids
                                • Rogue device containment mode: containment against rogue APs
                                  using spoofing SSIDs

Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure rogue device detection and containment so that APs can detect wireless device
information and report it to the AC. In addition, APs can contain detected rogue devices,
enabling STAs to disassociate from them.

NOTE

In this example, the authorized APs work in normal mode and have the detection function enabled. In
addition to transmitting WLAN service data, AP radios need to perform the monitoring function. Therefore,
temporary service interruption may occur when the radios periodically scan channels. In this example, the
APs can only contain rogue devices on the channel used by WLAN services. To achieve containment on all
channels, configure the APs to work in monitor mode. However, WLAN services are unavailable in this
mode.
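
The rules stated in this example (a rogue AP is neither managed by the AC nor in the authorized AP list, containment targets rogue APs that spoof the SSID, and normal-mode radios contain only on the service channels) can be modelled offline when reviewing a detection list. The Python below is an added example, not Huawei code or part of the original document. It is a simplified model: the Observation fields, the verdict names, the AP name area_3, the SSIDs other than wlan-net, every MAC address other than 60de-4476-e360, and the assumption that a managed AP's BSSID equals its AP MAC are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Values from this page's data plan and manual radio settings.
PROTECTED_SSIDS = {"wlan-net"}   # SSID that a spoofing rogue AP copies
SERVICE_CHANNELS = {6, 149}      # radio 0 and radio 1 service channels


def norm_mac(mac: str) -> str:
    """Normalize 60de-4476-e360 or 60:DE:44:76:E3:60 to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Observation:
    bssid: str        # BSSID heard over the air
    ssid: str
    channel: int
    detected_by: str  # authorized AP that reported the device


def classify(obs, managed, authorized, radio_mode="normal"):
    """Verdict for one observation; managed/authorized are sets of normalized MACs."""
    bssid = norm_mac(obs.bssid)
    if bssid in managed:
        return "managed"
    if bssid in authorized:
        return "authorized"
    # From here on: neither managed by the AC nor in the authorized AP list.
    if obs.ssid not in PROTECTED_SSIDS:
        return "unauthorized-other-ssid"   # not a target of spoof-SSID containment
    if radio_mode == "monitor" or obs.channel in SERVICE_CHANNELS:
        return "rogue-spoof-ssid-containable"
    return "rogue-spoof-ssid-off-channel"  # a normal-mode radio cannot contain it


def triage(observations, managed, authorized, radio_mode="normal"):
    """Group reports per (BSSID, channel) and record which APs detected each device."""
    managed = {norm_mac(m) for m in managed}
    authorized = {norm_mac(m) for m in authorized}
    findings = {}
    for obs in observations:
        key = (norm_mac(obs.bssid), obs.channel)
        entry = findings.setdefault(key, {
            "ssid": obs.ssid,
            "verdict": classify(obs, managed, authorized, radio_mode),
            "detected_by": set(),
        })
        entry["detected_by"].add(obs.detected_by)
    return findings


# Constructed sample data. Only 60de-4476-e360 (area_1) comes from the page;
# every other MAC, the AP name area_3 and the non-wlan-net SSIDs are made up.
MANAGED = ["60de-4476-e360", "0200-0000-00a3"]
AUTHORIZED = ["02:00:00:00:00:B1"]
SAMPLE = [
    Observation("60:DE:44:76:E3:60", "wlan-net", 6, "area_3"),   # area_1 itself
    Observation("0200-0000-00a2", "wlan-net", 6, "area_1"),      # spoofing AP
    Observation("02:00:00:00:00:a2", "wlan-net", 6, "area_3"),   # same AP, other format
    Observation("0200-0000-00c4", "wlan-net", 11, "area_1"),     # spoofing, off channel
    Observation("0200-0000-00b1", "cafe-guest", 1, "area_1"),    # authorized neighbour
    Observation("0200-0000-00d5", "printer-setup", 6, "area_1"), # unknown, other SSID
]

if __name__ == "__main__":
    for (bssid, channel), f in sorted(triage(SAMPLE, MANAGED, AUTHORIZED).items()):
        print(bssid, channel, f["ssid"], f["verdict"], sorted(f["detected_by"]))
```

The off-channel verdict is the case the NOTE above warns about: the device is detected, but containing it would need a radio in monitor mode.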

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.

4. Configure the source address for the AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Group > AP Group.


# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.
# Disable automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Configure rogue device detection and containment.
1. Configure radio 0 of AP group ap-group1 to work in normal mode, and enable rogue
device detection and containment.
# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.

# Click AP group ap-group1. The AP group configuration page is displayed.


# Choose Radio Management > Radio 0. The Radio 0 Settings(2.4G) page is
displayed.
# Configure radio 0 to work in normal mode, and enable rogue device detection and
containment.

# Click Apply. In the Info dialog box that is displayed, click OK.
# Configure radio 1 to work in normal mode, and enable rogue device detection and
containment in the same way.
2. Create WIDS profile wlan-wids and configure the containment mode against rogue APs
using spoofing SSIDs.

# Click in front of WIDS. Under it, click WIDS Profile. The WIDS Profile page is
displayed.
# Click Create. On the Create WIDS Profile page that is displayed, enter the profile
name wlan-wids and click OK. The WIDS profile configuration page is displayed.
# Configure the containment mode against rogue APs using spoofing SSIDs.

# Click Apply. In the Info dialog box that is displayed, click OK.

Step 8 Verify the configuration.

Choose Monitoring > WIDS. In the Device Detection area, view the detection result.

• Click a number in the detection result list. The detected device information is displayed
in Device Detection Information.
• Select a device in the detected device list and click View Discovered APs. Information
about the APs that detect the device is displayed.
• In the list of APs that detect the device, select an AP and click View Whitelist to view
the whitelist of the AP.

----End

5.2 WLAN Basic Networking Configuration Examples (FAT AP)

5.2.1 Example for Configuring Fat AP Layer 2 Networking

Networking Requirements
As shown in Figure 5-8, a Fat AP is connected to the Internet in wired mode and connects to
STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime.

The requirements are as follows:


• A WLAN named wlan-net is available.
• Router functions as a DHCP server to assign IP addresses to STAs.

Figure 5-8 Networking diagram for configuring basic Layer 2 WLAN services
[Diagram: STAs connect wirelessly to the FAT AP (service VLAN 101, 10.23.101.2/24). GE0/0/0 on the FAT AP connects in VLAN 101 to GE1/0/0 (10.23.101.1/24) on Router, which connects to the Internet.]

Data planning
Item                            Data
Service VLAN for STAs           VLAN 101
DHCP server                     Router functions as a DHCP server to assign IP addresses to STAs.
IP address pool for STAs        10.23.101.3 to 10.23.101.254/24
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security
                                  profile wlan-net

Configuration Roadmap
1. Configure Router as a DHCP server to assign IP addresses to STAs.
2. Configure basic WLAN services using the WLAN configuration wizard.
3. Configure the AP channel and transmit power.
4. Associate STAs to the WLAN to verify services.

Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce
Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network? in
the FAT AP Product Documentation.

Procedure
Step 1 Configure Router as a DHCP server to assign IP addresses to STAs.
# Configure Router as a DHCP server to assign IP addresses to STAs from the IP address pool
on GE1/0/0.
[Router] dhcp enable
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.101.1 24
[Router-GigabitEthernet1/0/0] dhcp select interface
[Router-GigabitEthernet1/0/0] dhcp server excluded-ip-address 10.23.101.2
[Router-GigabitEthernet1/0/0] quit

Step 2 Configure basic WLAN services.


1. Choose Wizard > Config Wizard. The Configure Wi-Fi Signals page is displayed.
2. Configure Wi-Fi signals.

# Click Create. The Basic Information page is displayed.

# Configure basic information about an SSID.

# Click Next. The IP and Rate page is displayed.

# Set IP address parameters.

# Click Finish.
3. Configure Internet connection parameters.

# Click Next. The Configure Internet Connection page is displayed.

# Add an interface to VLAN 101 in tagged mode.

NOTE

If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.

# Click Finish.
Step 3 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > WLAN Service > WLAN Config.


# In the WLAN Config navigation tree, choose Radio0 > Radio Management > Radio
Profile.

# Click before Radio Profile. Other profiles bound to the radio profile are displayed.
# Click RRM Profile. On the default RRM profile page that is displayed, disable
automatic channel calibration and automatic power calibration.

# Click Apply. In the dialog box that is displayed, click OK. Disable automatic channel
calibration and automatic power calibration for radio 1 in a similar way. The
configuration is not mentioned here.
2. Manually configure the AP channel and power.

# Choose Configuration > WLAN Service > WLAN Config > Radio0. The Radio0
page is displayed.

# Click Radio Management. The Radio 0 Setting(2.4G) page is displayed.

# Set the AP channel to 20-MHz channel 6 and the transmit power to 127 dBm. The
configuration of radio 1 (20-MHz channel 149) on the Radio 1 Settings page is similar
to the configuration of Radio 0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.

Step 4 Configure the VLANIF interface.

1. Choose Configuration > Interface > VLAN > VLAN. The VLAN page is displayed.
2. Select VLAN 101. On the Modify VLAN page, set the IP address of VLANIF 101 to
10.23.101.2/24.

3. Click OK.
Step 5 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. STAs can associate with the WLAN and obtain IP addresses on the network segment
10.23.101.x/24.

3. Choose Monitoring > Terminal Manage > STA Management. In User, you can see
that STAs go online properly and obtain IP addresses.

----End

5.2.2 Example for Configuring Fat AP Layer 3 Networking

Networking Requirements
As shown in Figure 5-9, a Fat AP is connected to the Internet in wired mode and connected to
STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime.
The requirements are as follows:
• A WLAN named wlan-net is available.
• Enterprise employees are assigned IP addresses on the network segment 10.23.101.0/24.

Figure 5-9 Networking diagram for configuring basic Layer 3 WLAN services
[Diagram: STAs (service VLAN 101) connect wirelessly to the FAT AP. GE0/0/0 on the FAT AP (VLAN 200, 10.23.200.1/24) connects to GE1/0/0 (VLAN 200, 10.23.200.2/24) on Router, which connects to the Internet.]

Data planning
Item                            Data
Service VLAN for STAs           VLAN 101
DHCP server                     The AP functions as a DHCP server to assign IP addresses to STAs.
IP address pool for STAs        10.23.101.2 to 10.23.101.254/24
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-net
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security
                                  profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Router to communicate with the AP.
2. Configure basic WLAN services using the WLAN configuration wizard.
3. Configure the AP channel and transmit power.
4. Associate STAs to the WLAN to verify services.

Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce
Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network? in
the FAT AP Product Documentation.

Procedure
Step 1 Configure the network devices.
# Add GE1/0/0 on Router to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 200
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.23.200.2 24
[Router-Vlanif200] quit

Step 2 Configure basic WLAN services.


1. Choose Wizard > Config Wizard. The Configure Wi-Fi Signals page is displayed.
2. Configure Wi-Fi signals.
# Click Create. The Basic Information page is displayed.
# Configure basic information about an SSID.


# Click Next. The IP and Rate page is displayed.


# Set IP address parameters.

# Click Finish.
3. Configure Internet connections.
# Click Next. The Configure Internet Connection page is displayed.
# Add an interface to VLAN 200 in tagged mode.
NOTE

If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.


# Click Finish.
Step 3 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > WLAN Service > WLAN Config.


# In the WLAN Config navigation tree, choose Radio0 > Radio Management > Radio
Profile.

# Click before Radio Profile. Other profiles bound to the radio profile are displayed.
# Click RRM Profile. On the default RRM profile page that is displayed, disable
automatic channel calibration and automatic power calibration.


# Click Apply. In the dialog box that is displayed, click OK. Disable automatic channel
calibration and automatic power calibration for radio 1 in a similar way. The
configuration is not mentioned here.
2. Manually configure the AP channel and power.

# Choose Configuration > WLAN Service > WLAN Config > Radio0. The Radio0
page is displayed.

# Click Radio Management. The Radio 0 Setting(2.4G) page is displayed.

# Set the AP channel to 20-MHz channel 6 and the transmit power to 127 dBm. The
configuration of radio 1 (20-MHz channel 149) on the Radio 1 Settings page is similar
to the configuration of Radio 0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.

Step 4 Configure Layer 3 network connectivity.


1. Create a VLANIF interface.

# Choose Configuration > Interface > VLAN > VLAN. The VLAN page is displayed.

# Click Create. Create VLANIF 200, and set the IP address of VLANIF 200 to
10.23.200.1/24.

# Click OK.
2. Configure a default route.

# Choose Configuration > IP Service > Route. The Route page is displayed.

# Click Create in Static Route Configuration Table and create a static route.


# Click OK.
Step 5 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24 and its
gateway address is 10.23.101.1.

3. Choose Monitoring > Terminal Manage > STA Management. In User, you can see
that STAs go online properly and obtain IP addresses.

----End

5.2.3 Example for Configuring Users on the Fat AP to Access the Public Network Through NAT

Networking Requirements
As shown in Figure 5-10, a Fat AP is connected to the Internet in wired mode and connected
to STAs in wireless mode. An enterprise branch needs to deploy basic WLAN services for
mobile office so that enterprise employees can access the enterprise internal network
anywhere, anytime. The administrator wants enterprise employees to access the public
network using public IP addresses.

The requirements are as follows:


• A WLAN named wlan-net is available.
• Enterprise employees are assigned IP addresses on 10.23.101.0/24. These IP addresses
are translated to the IP address of the Fat AP outbound interface using Easy-IP for
employees to access the public network.

Figure 5-10 Networking diagram for configuring STAs to access the public network through
NAT
[Diagram labels: STAs in service VLAN 101; FAT AP uplink GE0/0/0 in VLAN 200 with 202.169.10.1/24; Internet side 202.169.10.2/24]

Data planning
Item | Data
--- | ---
Service VLAN for STAs | VLAN 101
DHCP server | The AP functions as a DHCP server to assign IP addresses to STAs.
IP address pool for STAs | 10.23.101.2 to 10.23.101.254/24
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567
VAP profile | Name: wlan-net; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net
NAT Outbound | The private IP address segment 10.23.101.0/24 is mapped to the public IP address 202.169.10.1.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services using the WLAN configuration wizard.
2. Configure the AP channel and transmit power.
3. Configure NAT so that users can access the public network using public IP addresses.
4. Associate STAs to the WLAN to verify services.

Configuration Notes
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression on switch interfaces connected to APs to reduce impact of a large number
of low-rate multicast packets on the wireless network. Exercise caution when configuring the
rate limit; otherwise, the multicast services may be affected. For details on how to configure
traffic suppression, see How Do I Configure Multicast Packet Suppression to Reduce
Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network? in
the FAT AP Product Documentation.

Procedure
Step 1 Configure basic WLAN services.
1. Choose Wizard > Config Wizard. The Configure Wi-Fi Signals page is displayed.
2. Configure Wi-Fi signals.
# Click Create. The Basic Information page is displayed.
# Configure basic information about an SSID.


# Click Next. The IP and Rate page is displayed.


# Set IP address parameters.

# Click Finish.
3. Configure Internet connections.
# Click Next. The Configure Internet Connection page is displayed.
# Add an interface to VLAN 200 in tagged mode.
NOTE

If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.


# Click Finish.
Step 2 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > WLAN Service > WLAN Config.


# In the WLAN Config navigation tree, choose Radio0 > Radio Management > Radio
Profile.

# Click before Radio Profile. Other profiles bound to the radio profile are displayed.
# Click RRM Profile. On the default RRM profile page that is displayed, disable
automatic channel calibration and automatic power calibration.


# Click Apply. In the dialog box that is displayed, click OK. Disable automatic channel
calibration and automatic power calibration for radio 1 in a similar way. The
configuration is not mentioned here.
2. Manually configure the AP channel and power.

# Choose Configuration > WLAN Service > WLAN Config > Radio0. The Radio0
page is displayed.

# Click Radio Management. The Radio 0 Setting(2.4G) page is displayed.

# Set the AP channel to 20-MHz channel 6 and the transmit power to 127 dBm. The
configuration of radio 1 (20-MHz channel 149) on the Radio 1 Settings page is similar
to the configuration of Radio 0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.

Step 3 Configure Layer 3 network connectivity.


1. Create a VLANIF interface.

# Choose Configuration > Interface > VLAN > VLAN. The VLAN page is displayed.

# Click Create. Create VLANIF 200, and set the IP address of VLANIF 200 to
202.169.10.1/24.

# Click OK.
2. Configure a default route.

# Choose Configuration > IP Service > Route. The Route page is displayed.

# Click Create in Static Route Configuration Table and create a static route.


# Click OK.

Step 4 Configure an ACL.


1. Choose Configuration > Security > ACL. The Basic ACL Settings page is displayed.
2. Click Create. On the Create Basic ACL page that is displayed, set ACL parameters.

3. Click OK.
4. In the new ACL, click Add Rule. On the Add Rule page, set ACL parameters.

5. Click OK.

Step 5 Configure NAT.


1. Choose Configuration > IP Service > NAT. The NAT page is displayed.
2. Click Create in NAT Mapping and create a NAT mapping.

3. Click OK.

Step 6 Verify the configuration.


1. The WLAN with the SSID wlan-net is available.


2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24 and its
gateway address is 10.23.101.1.

3. Choose Monitoring > Terminal Manage > STA Management. In User, you can see
that STAs go online properly and obtain IP addresses.
4. STAs can access the public network successfully.

----End
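
The ACL and NAT mapping in Steps 4 and 5 above are shown only as web pages, so the following added example (not part of the Huawei document) models what the data plan asks for: a basic ACL selecting source 10.23.101.0/24, and Easy-IP translation of the selected flows to the outbound interface address 202.169.10.1. The wildcard form of the rule, the port range, the sample flows and all class and function names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Values from the data plan on this page.
STA_SUBNET = "10.23.101.0"
STA_WILDCARD = "0.0.0.255"    # wildcard form of /24 (assumed rule layout)
OUTBOUND_IP = "202.169.10.1"  # VLANIF 200 address that Easy-IP translates to


def wildcard_match(addr, base, wildcard):
    """Basic-ACL source match: every bit that is 0 in the wildcard must be equal."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class BasicAcl:
    rules: list  # ordered (action, base, wildcard) tuples; first match wins

    def permits(self, src):
        for action, base, wildcard in self.rules:
            if wildcard_match(src, base, wildcard):
                return action == "permit"
        return False  # no rule matched: the flow is not selected for translation


@dataclass
class EasyIpNat:
    """Port address translation onto the single outbound interface address."""
    acl: BasicAcl
    public_ip: str = OUTBOUND_IP
    next_port: int = 10240  # constructed start of the translated port range
    sessions: dict = field(default_factory=dict)

    def translate(self, src_ip, src_port):
        """Return (public_ip, public_port), or None if the ACL does not select the flow."""
        if not self.acl.permits(src_ip):
            return None
        key = (src_ip, src_port)
        if key not in self.sessions:
            self.sessions[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.sessions[key]

    def reverse(self, public_port):
        """Map return traffic to its private endpoint; None means no session exists."""
        for private, (_, port) in self.sessions.items():
            if port == public_port:
                return private
        return None


def demo():
    """Run constructed sample flows through the planned ACL and NAT mapping."""
    nat = EasyIpNat(BasicAcl([("permit", STA_SUBNET, STA_WILDCARD)]))
    flows = [
        ("10.23.101.20", 51000),  # STA inside the planned pool
        ("10.23.101.21", 51000),  # second STA, same source port
        ("10.23.200.5", 40000),   # constructed host outside the STA subnet
    ]
    return [nat.translate(ip, port) for ip, port in flows], nat


def too_wide_wildcard_selects(addr):
    """Check whether a mistyped wildcard of 0.0.255.255 would select addr."""
    return wildcard_match(addr, STA_SUBNET, "0.0.255.255")


if __name__ == "__main__":
    results, nat = demo()
    for r in results:
        print(r)
    print("return traffic on 10241 ->", nat.reverse(10241))
    print("0.0.255.255 would select 10.23.200.5:", too_wide_wildcard_selects("10.23.200.5"))
```

Comparing the last line of output with the third flow shows why the wildcard in the ACL rule is worth checking after the wizard finishes: one wrong octet widens the set of hosts that are translated to the public address.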

5.3 PPPoE Configuration Examples (Fat AP)


5.3.1 Example for Configuring the Device as a PPPoE Client

Networking Requirements
As shown in Figure 5-11, the device functioning as the PPPoE client connects to the PPPoE
server using GE0/0/0.

Users want the hosts to share an account. If the account is authenticated successfully on the
PPPoE server, a PPPoE session is established. Service requirements are as follows:

• The device establishes a PPPoE session with the PPPoE server using PPP authentication.
• The device automatically attempts to create a dial-up connection again at intervals after
the disconnection.


Figure 5-11 Networking diagram of the device functioning as the PPPoE client

Data Planning

Table 5-11 AC data planning


Item | Data
--- | ---
Uplink port | GE0/0/0
IP address allocation mode | PPPoE dialup
User name/Password | user1@system/huawei123
VLAN to which the PPPoE session is bound | VLAN 100
NAT | Enabled

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the PPPoE server.
2. Configure the PPPoE client. Use the configuration wizard to configure the PPPoE dialup
function and enable NAT to translate private IP addresses to public IP addresses.

Procedure
Step 1 Configure the PPPoE server.
# Configure the authentication mode, IP address allocation mode, and IP address or IP address
pool for PPPoE clients. For details about the configuration procedure, see the documentation
of the PPPoE server.


Step 2 Configure the PPPoE client.


1. Choose Wizard > Config Wizard. The Config Wizard page is displayed.
2. Click Next.
3. On the 2.Configure Internet Connection page, configure PPPoE dialup.
NOTE

If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.

4. Click Finish. In the dialog box that is displayed, click OK.


Step 3 Verify the configuration.
After the configuration is complete, a PPPoE dialup interface is automatically generated,
through which hosts on the LAN can connect to the Internet using dialup. When wireless
users attempt to connect to the public network, private IP addresses are translated into public
IP addresses for communication.

----End


5.3.2 Example for Connecting LAN to the Internet Using the ADSL Modem
Networking Requirements
As shown in Figure 5-12, AP connects to ADSL modem using GE0/0/0, and Router connects
to the DSLAM using ATM1/0/0.
The private IP addresses of hosts in the LAN are 192.168.10.0/24. Users want hosts in the
LAN to access Router using AP and to access the external network. The user name is user1,
and the password is huawei123.

Figure 5-12 Networking diagram for connecting a LAN to the Internet using an ADSL
modem

Data Planning

Table 5-12 AC data planning


Item | Data
--- | ---
Uplink port | GE0/0/0
IP address allocation mode | PPPoE dialup
User name/Password | user1@system/huawei123
VLAN to which the PPPoE session is bound | VLAN 100
NAT | Enabled

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the PPPoE client. Use the configuration wizard to configure the PPPoE dialup
function and enable NAT to translate private IP addresses to public IP addresses.
2. Configure Router as the PPPoE server to provide RADIUS authentication and
accounting functions.

Procedure
Step 1 Configure the PPPoE server.
# Configure the global IP address pool pool1.
<AC6605> system-view
[AC6605] sysname Router
[Router] ip pool pool1
[Router-ip-pool-pool1] network 100.100.10.0 mask 255.255.255.0
[Router-ip-pool-pool1] gateway-list 100.100.10.1
[Router-ip-pool-pool1] quit

# Configure a PPPoE user.


[Router] aaa
[Router-aaa] local-user user1 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, i
ncluding lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[Router-aaa] local-user user1 service-type ppp
[Router-aaa] quit

# Configure RADIUS authentication.


1. Configure a RADIUS server template.
[Router] radius-server template shiva
[Router-radius-shiva] radius-server authentication 129.6.6.66 1812
[Router-radius-shiva] radius-server accounting 129.6.6.66 1813
[Router-radius-shiva] radius-server shared-key cipher hello@123
[Router-radius-shiva] quit

2. Configure authentication and accounting schemes.


[Router] aaa
[Router-aaa] authentication-scheme 1
[Router-aaa-authen-1] authentication-mode radius
[Router-aaa-authen-1] quit
[Router-aaa] accounting-scheme 1
[Router-aaa-accounting-1] accounting-mode radius
[Router-aaa-accounting-1] quit

3. Configure the domain named system and apply authentication scheme 1, accounting
scheme 1, and RADIUS server template shiva to the domain.
[Router-aaa] domain system
[Router-aaa-domain-system] authentication-scheme 1
[Router-aaa-domain-system] accounting-scheme 1
[Router-aaa-domain-system] radius-server shiva
[Router-aaa-domain-system] quit
[Router-aaa] quit

# Create and configure a VT.


[Router] interface virtual-template 1
[Router-Virtual-Template1] ppp authentication-mode chap domain system
[Router-Virtual-Template1] ip address 100.100.10.1 255.255.255.0
[Router-Virtual-Template1] remote address pool pool1
[Router-Virtual-Template1] quit

# Enable the PPPoE server function on the virtual Ethernet interface.


[Router] interface virtual-ethernet 0/0/1
[Router-Virtual-Ethernet0/0/1] pppoe-server bind virtual-template 1
[Router-Virtual-Ethernet0/0/1] quit

# Configure the ATM interface.


[Router] interface atm 1/0/0
[Router-Atm1/0/0] pvc 0/32
[Router-atm-pvc-Atm1/0/0-0/32] map bridge virtual-ethernet 0/0/1
[Router-atm-pvc-Atm1/0/0-0/32] quit

Step 2 Configure the PPPoE client.


1. Choose Wizard > Config Wizard. The Config Wizard page is displayed.
2. Click Next.
3. On the 2.Configure Internet Connection page, configure PPPoE dialup.
NOTE

If you log in to the web platform using a PC whose Ethernet interface is being modified, do not delete
the existing VLAN configuration on the interface to ensure that the PC can communicate with Fat APs.
As shown in the following figure, GigabitEthernet0/0/0 is added to VLAN 1 by default and STAs
communicate with the AP through this interface. You can use the default IP address of the AP to log in
to the web platform. If you need to use the default IP address to log in to the web platform, do not
delete VLAN 1.


4. Click Finish. In the dialog box that is displayed, click OK.

Step 3 Verify the configuration.

After the configuration is complete, a PPPoE dialup interface is automatically generated,
through which hosts on the LAN can connect to the Internet using dialup. When wireless
users attempt to connect to the public network, private IP addresses are translated into public
IP addresses for communication.

----End
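
The virtual template in Step 1 above authenticates PPPoE clients with CHAP (ppp authentication-mode chap domain system). The following added example, which is not part of the Huawei document, walks through the RFC 1994 challenge/response computation with both sides' messages, using the planned account user1@system/huawei123. The class and function names are constructed for illustration, and the check is modelled locally rather than relayed to the RADIUS server.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 4.1: MD5 over the Identifier octet, the secret, the Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticating side (the PPPoE server in this example)."""

    def __init__(self, secrets):
        self.secrets = secrets  # user name -> shared password (bytes)
        self.pending = {}       # identifier -> outstanding Challenge Value
        self.next_id = 1

    def challenge(self):
        """Issue a fresh, unpredictable challenge under a new identifier."""
        ident = self.next_id
        self.next_id = self.next_id % 255 + 1
        value = os.urandom(16)
        self.pending[ident] = value
        return ident, value

    def verify(self, name, ident, response):
        """Check a Response packet; each challenge is accepted at most once."""
        value = self.pending.pop(ident, None)
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Dialing side (the Fat AP acting as PPPoE client)."""

    def __init__(self, name, password):
        self.name = name
        self.password = password

    def respond(self, ident, challenge):
        # Only the name and the 16-byte hash are sent; the password is not.
        return self.name, chap_response(ident, self.password, challenge)


def demo():
    """Run one good login, a replay, a wrong password and a stale response."""
    server = ChapAuthenticator({"user1@system": b"huawei123"})
    good = ChapPeer("user1@system", b"huawei123")
    bad = ChapPeer("user1@system", b"huawei124")  # constructed wrong password

    ident, value = server.challenge()
    name, resp = good.respond(ident, value)
    first = server.verify(name, ident, resp)
    replay = server.verify(name, ident, resp)     # same packet sent again

    ident2, value2 = server.challenge()
    stale = server.verify(name, ident2, resp)     # old hash against new challenge

    ident3, value3 = server.challenge()
    bad_name, bad_resp = bad.respond(ident3, value3)
    wrong = server.verify(bad_name, ident3, bad_resp)

    return {"first": first, "replay": replay, "stale": stale, "wrong_password": wrong}


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15s} accepted={accepted}")
```

Because the authenticating side recomputes the hash from the stored password, every host sharing the account depends on that one secret, and the fresh challenge per attempt is what makes a captured Response useless for a later login.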

5.4 PPPoE Configuration Examples (Fat Central AP)


5.4.1 Example for Configuring the Device as a PPPoE Client

Networking Requirements
As shown in Figure 5-13, the device functioning as the PPPoE client connects to the PPPoE
server using GE0/0/0.

Users want the hosts to share an account. If the account is authenticated successfully on the
PPPoE server, a PPPoE session is established. Service requirements are as follows:

• The device establishes a PPPoE session with the PPPoE server using PPP authentication.
• The device automatically attempts to create a dial-up connection again at intervals after
the disconnection.


Figure 5-13 Networking diagram of the device functioning as the PPPoE client

Data Planning

Table 5-13 AC data planning

Item | Data
--- | ---
Uplink port | GE0/0/0
IP address allocation mode | PPPoE dialup
User name/Password | user1@system/huawei123
VLAN to which the PPPoE session is bound | VLAN 100
NAT | Enabled

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the PPPoE server.
2. Configure the PPPoE client. Use the configuration wizard to configure the PPPoE dialup
function on the AP and enable NAT to translate private IP addresses to public IP
addresses.

Procedure
Step 1 Configure the PPPoE server.


# Configure the authentication mode, IP address allocation mode, and IP address or IP address
pool for PPPoE clients. For details about the configuration procedure, see the documentation
of the PPPoE server.
Step 2 Configure the PPPoE client.
1. Create VLAN 100 and add GE0/0/0 to VLAN 100.
# Choose Configuration > Central AP Config > VLAN > VLAN. The VLAN page is
displayed.
# Click Create. On the Create VLAN page that is displayed, set VLAN ID to 100.

Select GigabitEthernet0/0/0 in Available Interface List and click . In the
Modify Link Type dialog box that is displayed, set Link type to Trunk and Mode to
Tagged.

# Click OK.
2. Add GE0/0/0 to the default VLAN 100.
# Choose Configuration > Central AP Config > Interface > Interface Attribute. The
Interface Attribute page is displayed.
# Click GigabitEthernet0/0/0. On the Modify Interface Settings page that is displayed,
set Default VLAN to 100.


# Click OK.
3. Create VLANIF 100 and configure the PPPoE client.

# Choose Configuration > Central AP Config > VLAN > VLANIF. The VLANIF
page is displayed.

# Click Create. On the Create VLANIF page that is displayed, set VLAN ID to 100,
Connection type to Broadband dialup, User name to user1@system, Password to
huawei123, and Enable NAT to ON.

# Click OK.

Step 3 Verify the configuration.

After the configuration is complete, a PPPoE dialup interface is automatically generated,
through which hosts on the LAN can connect to the Internet using dialup. When wireless
users attempt to connect to the public network, private IP addresses are translated into public
IP addresses for communication.

----End

5.4.2 Example for Connecting LAN to the Internet Using the ADSL Modem

Networking Requirements
As shown in Figure 5-14, AP connects to ADSL modem using GE0/0/0, and Router connects
to the DSLAM using ATM1/0/0.

The private IP addresses of hosts in the LAN are 192.168.10.0/24. Users want hosts in the
LAN to access Router using AP and to access the external network. The user name is user1,
and the password is huawei123.


Figure 5-14 Networking diagram for connecting a LAN to the Internet using an ADSL
modem

Data Planning

Table 5-14 AC data planning


Item | Data
--- | ---
Uplink port | GE0/0/0
IP address allocation mode | PPPoE dialup
User name/Password | user1@system/huawei123
VLAN to which the PPPoE session is bound | VLAN 100
NAT | Enabled

Configuration Roadmap
The configuration roadmap is as follows:


1. Configure the PPPoE client. Use the configuration wizard to configure the PPPoE dialup
function on the AP and enable NAT to translate private IP addresses to public IP
addresses.
2. Configure Router as the PPPoE server to provide RADIUS authentication and
accounting functions.

Procedure
Step 1 Configure the PPPoE server.
# Configure the global IP address pool pool1.
<AC6605> system-view
[AC6605] sysname Router
[Router] ip pool pool1
[Router-ip-pool-pool1] network 100.100.10.0 mask 255.255.255.0
[Router-ip-pool-pool1] gateway-list 100.100.10.1
[Router-ip-pool-pool1] quit

# Configure a PPPoE user.


[Router] aaa
[Router-aaa] local-user user1 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, i
ncluding lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[Router-aaa] local-user user1 service-type ppp
[Router-aaa] quit

# Configure RADIUS authentication.


1. Configure a RADIUS server template.
[Router] radius-server template shiva
[Router-radius-shiva] radius-server authentication 129.6.6.66 1812
[Router-radius-shiva] radius-server accounting 129.6.6.66 1813
[Router-radius-shiva] radius-server shared-key cipher hello@123
[Router-radius-shiva] quit

2. Configure authentication and accounting schemes.


[Router] aaa
[Router-aaa] authentication-scheme 1
[Router-aaa-authen-1] authentication-mode radius
[Router-aaa-authen-1] quit
[Router-aaa] accounting-scheme 1
[Router-aaa-accounting-1] accounting-mode radius
[Router-aaa-accounting-1] quit

3. Configure the domain named system and apply authentication scheme 1, accounting
scheme 1, and RADIUS server template shiva to the domain.
[Router-aaa] domain system
[Router-aaa-domain-system] authentication-scheme 1
[Router-aaa-domain-system] accounting-scheme 1
[Router-aaa-domain-system] radius-server shiva
[Router-aaa-domain-system] quit
[Router-aaa] quit

# Create and configure a VT.


[Router] interface virtual-template 1
[Router-Virtual-Template1] ppp authentication-mode chap domain system
[Router-Virtual-Template1] ip address 100.100.10.1 255.255.255.0
[Router-Virtual-Template1] remote address pool pool1
[Router-Virtual-Template1] quit


# Enable the PPPoE server function on the virtual Ethernet interface.


[Router] interface virtual-ethernet 0/0/1
[Router-Virtual-Ethernet0/0/1] pppoe-server bind virtual-template 1
[Router-Virtual-Ethernet0/0/1] quit

# Configure the ATM interface.


[Router] interface atm 1/0/0
[Router-Atm1/0/0] pvc 0/32
[Router-atm-pvc-Atm1/0/0-0/32] map bridge virtual-ethernet 0/0/1
[Router-atm-pvc-Atm1/0/0-0/32] quit

Step 2 Configure the PPPoE client.


1. Create VLAN 100 and add GE0/0/0 to VLAN 100.

# Choose Configuration > Central AP Config > VLAN > VLAN. The VLAN page is
displayed.

# Click Create. On the Create VLAN page that is displayed, set VLAN ID to 100.

Select GigabitEthernet0/0/0 in Available Interface List and click . In the
Modify Link Type dialog box that is displayed, set Link type to Trunk and Mode to
Tagged.

# Click OK.
2. Add GE0/0/0 to the default VLAN 100.

# Choose Configuration > Central AP Config > Interface > Interface Attribute. The
Interface Attribute page is displayed.

# Click GigabitEthernet0/0/0. On the Modify Interface Settings page that is displayed,
set Default VLAN to 100.

# Click OK.
3. Create VLANIF 100 and configure the PPPoE client.
# Choose Configuration > Central AP Config > VLAN > VLANIF. The VLANIF
page is displayed.
# Click Create. On the Create VLANIF page that is displayed, set VLAN ID to 100,
Connection type to Broadband dialup, User name to user1@system, Password to
huawei123, and Enable NAT to ON.

# Click OK.
Step 3 Verify the configuration.
After the configuration is complete, a PPPoE dialup interface is automatically generated,
through which hosts on the LAN can connect to the Internet using dialup. When wireless
users attempt to connect to the public network, private IP addresses are translated into public
IP addresses for communication.

----End

5.5 WLAN Basic Networking Configuration Examples


5.5.1 Example for Configuring Layer 2 Direct Forwarding in Inline Mode
Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.


Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 5-15 Networking for configuring Layer 2 direct forwarding in inline mode

Data Planning

Table 5-15 AC data planning

Item | Data
--- | ---
Management VLAN for APs | VLAN 100
Service VLAN for STAs | VLAN 101
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for STAs | 10.23.101.3-10.23.101.254/24
AC's source interface address | VLANIF 100: 10.23.100.1/24
AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: China
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567
VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
  suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
  suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100 and VLAN 101. The default
VLAN of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.


# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Set Interface type of GigabitEthernet0/0/2 to Trunk and add the interface to VLAN
101 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.


# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 3 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.


# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 4 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 5 Set the AP channel and power.


1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.

# Disable automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.


# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


Step 6 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.


4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

5.5.2 Example for Configuring Layer 2 Tunnel Forwarding in Inline Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirements
• AC networking mode: Layer 2 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: tunnel forwarding


Figure 5-16 Networking for configuring Layer 2 tunnel forwarding in inline mode

Data Planning

Table 5-16 AC data planning

Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101

DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs and STAs.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net and regulatory domain profile default

Regulatory domain profile       • Name: default
                                • Country code: China

SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net

Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567

VAP profile                     • Name: wlan-net
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on the access switch to VLAN 100. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Set Interface type of GigabitEthernet0/0/2 to Trunk and add the interface to VLAN
101 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.
NOTE
Configure the DNS server address as required.


# Click OK. Set the IP address of VLANIF 101 to 10.23.101.1/24 and configure the
interface address pool on VLANIF 101 in the same way.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 3 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.


# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 4 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 5 Set the AP channel and power.


1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Group > AP Group.


# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.

# Disable automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


Step 6 Verify the configuration.


1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End
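
The port-isolation and VLAN rules in the Configuration Notes can be checked mechanically against the Step 1 switch sessions of 5.5.1 and 5.5.2. The Python check below is an added example, not part of the Huawei document; the function names, the rule that an AP-facing port is one whose PVID equals the management VLAN, and the last sample session are assumptions made here.

```python
import re

# A session line such as "[Switch-GigabitEthernet0/0/1] port-isolate enable":
# device name, optional interface view, then the command typed in that view.
PROMPT = re.compile(r"^\[(?P<host>[^\]-]+)(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>.*)$")

def expand_vlans(tokens):
    """Expand the argument of 'port trunk allow-pass vlan', e.g. ['100', 'to', '110']."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i] == "all":
            return set(range(1, 4095))
        low = high = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            high = int(tokens[i + 2])
            i += 2
        vlans.update(range(low, high + 1))
        i += 1
    return vlans

def parse_ports(transcript):
    """Collect PVID, allowed VLANs and port-isolation state per GigabitEthernet view."""
    ports = {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m or not (m.group("view") or "").startswith("GigabitEthernet"):
            continue
        port = ports.setdefault(
            m.group("view"), {"pvid": None, "allowed": set(), "isolated": False})
        cmd = m.group("cmd").split()
        if cmd[:4] == ["port", "trunk", "pvid", "vlan"] and len(cmd) == 5:
            port["pvid"] = int(cmd[4])
        elif cmd[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            port["allowed"] |= expand_vlans(cmd[4:])
        elif cmd == ["port-isolate", "enable"]:
            port["isolated"] = True
    return ports

def audit(transcript, mgmt_vlan, service_vlan, forwarding):
    """Return findings for AP-facing ports; forwarding is 'direct' or 'tunnel'."""
    if forwarding == "tunnel" and mgmt_vlan == service_vlan:
        return ["management VLAN and service VLAN must differ in tunnel forwarding mode"]
    findings = []
    for name, port in sorted(parse_ports(transcript).items()):
        # Assumption: a port whose PVID is the management VLAN connects to an AP.
        if port["pvid"] != mgmt_vlan:
            continue
        if not port["isolated"]:
            findings.append(f"{name}: AP-facing port without port-isolate enable")
        if mgmt_vlan not in port["allowed"]:
            findings.append(f"{name}: management VLAN {mgmt_vlan} not allowed on the trunk")
        if forwarding == "direct" and service_vlan not in port["allowed"]:
            findings.append(f"{name}: direct forwarding needs service VLAN {service_vlan}")
        if forwarding == "tunnel" and service_vlan in port["allowed"]:
            findings.append(f"{name}: service VLAN {service_vlan} carried towards the AP "
                            "although only the management VLAN is needed in tunnel mode")
    return findings

# Switch session from Step 1 of 5.5.1 (direct forwarding).
DIRECT_SWITCH = """\
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
"""

# Switch session from Step 1 of 5.5.2 (tunnel forwarding).
TUNNEL_SWITCH = """\
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
"""

# Constructed session (not from the document): no port isolation, VLAN range too wide.
CONSTRUCTED_BAD = """\
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 110
"""

if __name__ == "__main__":
    for label, text, mode in [("5.5.1", DIRECT_SWITCH, "direct"),
                              ("5.5.2", TUNNEL_SWITCH, "tunnel"),
                              ("constructed", CONSTRUCTED_BAD, "tunnel")]:
        print(label, audit(text, 100, 101, mode) or "no findings")
```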

5.5.3 Example for Configuring Layer 2 Direct Forwarding in Bypass Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.


Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 5-17 Networking for configuring Layer 2 direct forwarding in bypass mode

Data Planning

Table 5-17 AC data planning


Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101

DHCP server                     The AC functions as a DHCP server to assign IP addresses to APs.
                                SwitchB functions as a DHCP server to assign IP addresses to STAs. The
                                default gateway address of STAs is 10.23.101.2.

IP address pool for APs         10.23.100.2-10.23.100.254/24

IP address pool for STAs        10.23.101.3-10.23.101.254/24

AC's source interface address   VLANIF 100: 10.23.100.1/24

AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-net and regulatory domain profile default

Regulatory domain profile       • Name: default
                                • Country code: China

SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net

Security profile                • Name: wlan-net
                                • Security policy: WPA-WPA2+PSK+AES
                                • Password: a1234567

VAP profile                     • Name: wlan-net
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net and security profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.


Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit


# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.


# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Group > AP Group.


# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.
# Disable automatic channel and power calibration.


# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click the icon next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Verify the configuration.


1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.


2. The WLAN with the SSID wlan-net is available.


3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search icon. You can see that the STA goes online
successfully and obtains an IP address.

----End

5.5.4 Example for Configuring Layer 2 Tunnel Forwarding in Bypass Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: tunnel forwarding

Figure 5-18 Networking for configuring Layer 2 tunnel forwarding in bypass mode

Data Planning

Table 5-18 AC data planning

| Item | Data |
| --- | --- |
| Management VLAN for APs | VLAN 100 |
| Service VLAN for STAs | VLAN 101 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway address of STAs is 10.23.101.2. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net, regulatory domain profile default, 2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g |
| Regulatory domain profile | Name: default; Country code: CN; Calibration channel set: calibration bandwidth and channels for 2.4 GHz and 5 GHz radios |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| Air scan profile | Name: wlan-airscan; Probe channel set: calibration channels; Air scan interval: 60000 ms; Air scan period: 60 ms |
| RRM profile | Name: wlan-rrm; Automatic channel calibration: enabled; Automatic power calibration: enabled |
| 2G radio profile | Name: wlan-radio2g; Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm |
| 5G radio profile | Name: wlan-radio5g; Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm |


Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC.
5. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click the icon next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.


# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks), select the AES mode,
and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Enable radio calibration to allow APs to automatically select the optimal channels and power.
1. Create radio profiles.
NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile. The 2G Radio Profile page is displayed.


# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
2. Create an RRM profile, and configure automatic channel and power calibration.

# Click the icon next to 2G Radio Profile, and select RRM Profile. The RRM Profile page
is displayed. Click Create. On the Create RRM Profile page that is displayed, enter the
profile name wlan-rrm and click OK. The RRM profile configuration page is displayed.
# Enable automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.


3. Create an air scan profile and configure the probe channel set, scan interval, and scan
duration.
# Select Air Scan Profile. The Air Scan Profile page is displayed. Click Create. On the
Create Air Scan Profile page that is displayed, enter the profile name wlan-airscan and
click OK. The air scan profile configuration page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and scan duration.

# Click Apply. In the dialog box that is displayed, click OK.


4. Enable radio calibration.
# Choose Configuration > AC Config > Basic Config > Radio Calibration. The
Radio Calibration page is displayed.


# Set Calibration mode to Manual and click Immediate Calibration. In the dialog box
that is displayed, click OK.

# Choose Monitoring > Radio. In Radio List, check the channel and power of the
radio. In this example, three APs have gone online on the AC, and the list shows that AP
channels have been automatically assigned through the radio calibration function.

# Radio calibration stops 1 hour after the radio calibration is manually triggered.
# Choose Configuration > AC Config > Basic Config > Radio Calibration. The
Radio Calibration page is displayed. On the Radio Calibration page, set Calibration
mode to Scheduled and set the start time to 3:00 am.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.


4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click the search icon. You can see that the STA goes online
successfully and obtains an IP address.
----End

5.5.5 Example for Configuring Layer 3 Direct Forwarding in Inline Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as service VLANs to prevent IP address insufficiency or
waste. Furthermore, this measure can reduce the number of users in each VLAN and the size
of the broadcast domain.

Networking Requirements
• AC networking mode: Layer 3 networking in inline mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (SwitchB) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 5-19 Networking for configuring Layer 3 direct forwarding in inline mode

Data Planning

Table 5-19 AC data planning

| Item | Data |
| --- | --- |
| Management VLAN for APs | VLAN 10 and VLAN 100 |
| Service VLAN for STAs | VLAN pool; Name: sta-pool; VLANs in the VLAN pool: VLAN 101 and VLAN 102 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway IP addresses of STAs are 10.23.101.2 and 10.23.102.2. |
| IP address pool for APs | 10.23.10.2-10.23.10.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24; 10.23.102.3-10.23.102.254/24 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net, 2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g |
| Regulatory domain profile | Name: default; Country code: China; Calibration channel set: calibration bandwidth and channels for 2.4 GHz and 5 GHz radios |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLANs in the VLAN pool; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| Air scan profile | Name: wlan-airscan; Probe channel set: calibration channels; Air scan interval: 60000 ms; Air scan period: 60 ms |
| RRM profile | Name: wlan-rrm; Automatic channel calibration: enabled; Automatic power calibration: enabled |
| 2G radio profile | Name: wlan-radio2g; Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm |
| 5G radio profile | Name: wlan-radio5g; Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm |


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
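
The port isolation and VLAN rules in these notes can be checked against the switch port that faces the AP. The following Python code is an added example, not part of the Huawei document: it parses SwitchA's GE0/0/1 commands as printed in 5.5.4 (tunnel forwarding) and in Step 1 of this example (direct forwarding) and reports missing port isolation and VLANs the forwarding mode does not call for. The function names and the CONSTRUCTED_BAD session are assumptions made for illustration.

```python
import re

# SwitchA's AP-facing GE0/0/1 as printed in 5.5.4 (tunnel forwarding).
L2_TUNNEL_SWITCHA = """\
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
"""
# The same port in 5.5.5 (direct forwarding, service VLANs 101 and 102).
L3_DIRECT_SWITCHA = """\
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
"""
# Constructed negative case (not from the page): tunnel forwarding, but the
# service VLAN is allowed on the AP-facing trunk and port isolation is missing.
CONSTRUCTED_BAD = """\
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[SwitchA-GigabitEthernet0/0/1] quit
"""

PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")  # "[SwitchA-...]" or "<HUAWEI>"


def norm_if(name):
    """Map 'gigabitethernet 0/0/1' and 'GigabitEthernet0/0/1' to the same key."""
    return name.replace(" ", "").lower()


def expand_vlans(tokens):
    """Expand a VRP VLAN list such as ['10', '101', 'to', '103'] or ['all']."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_session(text):
    """Return {interface: {'pvid', 'allow', 'isolate'}} from a pasted CLI session."""
    ports, current = {}, None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw).split()
        if not words:
            continue
        if words[0] == "interface":
            current = norm_if("".join(words[1:]))
            ports.setdefault(current, {"pvid": None, "allow": set(), "isolate": False})
        elif words[0] == "quit" or current is None:
            current = None  # left the interface view, or a system-view command
        elif words[:4] == ["port", "trunk", "pvid", "vlan"] and len(words) == 5:
            ports[current]["pvid"] = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            ports[current]["allow"] |= expand_vlans(words[4:])
        elif words == ["port-isolate", "enable"]:
            ports[current]["isolate"] = True
    return ports


def audit_ap_port(ports, ap_port, mode, mgmt_vlan, service_vlans):
    """Check one AP-facing port; mode is 'direct' or 'tunnel'. Returns findings."""
    service, findings = set(service_vlans), []
    if mode == "tunnel" and mgmt_vlan in service:
        findings.append("tunnel mode: management VLAN and service VLAN must differ")
    port = ports.get(norm_if(ap_port))
    if port is None:
        return findings + [f"{ap_port}: interface not configured"]
    if port["pvid"] != mgmt_vlan:
        findings.append(f"{ap_port}: default VLAN is not management VLAN {mgmt_vlan}")
    if not port["isolate"]:
        findings.append(f"{ap_port}: port isolation is not enabled")
    # Direct forwarding needs the service VLANs on this trunk; in tunnel mode
    # only the management VLAN is needed between the AP and the AC.
    expected = {mgmt_vlan} | (service if mode == "direct" else set())
    missing, extra = expected - port["allow"], port["allow"] - expected
    if missing:
        findings.append(f"{ap_port}: required VLANs not allowed: {sorted(missing)}")
    if extra:
        findings.append(f"{ap_port}: {len(extra)} unneeded VLAN(s), e.g. {sorted(extra)[:5]}")
    return findings


if __name__ == "__main__":
    parsed = parse_session(CONSTRUCTED_BAD)
    print(audit_ap_port(parsed, "GigabitEthernet0/0/1", "tunnel", 100, {101}))
```
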

Procedure
Step 1 Configure the switches and router.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit


# Add GE0/0/1 on SwitchB to VLAN 10, VLAN 101, and VLAN 102, and GE0/0/2 to VLAN
100, VLAN 101, and VLAN 102. Create VLANIF 100 and set its IP address to
10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure a DHCP server to allocate IP addresses to STAs.


# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.


# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLANs 100 through 102.

# Click Apply. In the dialog box that is displayed, click OK.


# Deselect GigabitEthernet0/0/1 and then select GigabitEthernet0/0/2. Add
GigabitEthernet0/0/2 to VLAN 101 and VLAN 102 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.


# Click OK.

# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.

# Configure the global IP address pool huawei.


– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1
NOTE

Configure the DNS server address as required.

# Click OK.

# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.

# Set Destination IP to 10.23.10.0, Subnet Mask to 24 (255.255.255.0), and Next hop
address to 10.23.100.2.


# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.


# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click the icon next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.

# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.


# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Enable radio calibration to allow APs to automatically select the optimal channels and power.
1. Create radio profiles.
NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile. The 2G Radio Profile page is displayed.

# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create an RRM profile, and configure automatic channel and power calibration.


# Click the icon next to 2G Radio Profile, and select RRM Profile. The RRM Profile page
is displayed. Click Create. On the Create RRM Profile page that is displayed, enter the
profile name wlan-rrm and click OK. The RRM profile configuration page is displayed.
# Enable automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.


3. Create an air scan profile and configure the probe channel set, scan interval, and scan
duration.
# Select Air Scan Profile. The Air Scan Profile page is displayed. Click Create. On the
Create Air Scan Profile page that is displayed, enter the profile name wlan-airscan and
click OK. The air scan profile configuration page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and scan duration.

# Click Apply. In the dialog box that is displayed, click OK.


4. Enable radio calibration.
# Choose Configuration > AC Config > Basic Config > Radio Calibration. The
Radio Calibration page is displayed.
# Set Calibration mode to Manual and click Immediate Calibration. In the dialog box
that is displayed, click OK.


# Choose Monitoring > Radio. In Radio List, check the channel and power of the
radio. In this example, three APs have gone online on the AC, and the list shows that AP
channels have been automatically assigned through the radio calibration function.

# Radio calibration stops 1 hour after the radio calibration is manually triggered.
# Choose Configuration > AC Config > Basic Config > Radio Calibration. The
Radio Calibration page is displayed. On the Radio Calibration page, set Calibration
mode to Scheduled and set the start time to 3:00 am.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.


4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

5.5.6 Example for Configuring Layer 3 Tunnel Forwarding in Inline Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as service VLANs to prevent IP address insufficiency or
waste. Furthermore, this measure can reduce the number of users in each VLAN and the size
of the broadcast domain.

Networking Requirements
• AC networking mode: Layer 3 networking in inline mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: tunnel forwarding


Figure 5-20 Networking for configuring Layer 3 tunnel forwarding in inline mode

Data Planning

Table 5-20 AC data planning

| Item | Data |
|---|---|
| Management VLANs for APs | VLAN 10 and VLAN 100 |
| Service VLAN for STAs | VLAN pool; Name: sta-pool; VLANs in the VLAN pool: VLAN 101 and VLAN 102 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs. |
| IP address pool for APs | 10.23.10.2-10.23.10.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24; 10.23.102.3-10.23.102.254/24 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net, 2G radio profile wlan-radio2g, and 5G radio profile wlan-radio5g |
| Regulatory domain profile | Name: default; Country code: China; Calibration channel set: calibration bandwidth and channels for 2.4 GHz and 5 GHz radios |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLANs in the VLAN pool; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| Air scan profile | Name: wlan-airscan; Probe channel set: calibration channels; Air scan interval: 60000 ms; Air scan period: 60 ms |
| RRM profile | Name: wlan-rrm; Automatic channel calibration: enabled; Automatic power calibration: enabled |
| 2G radio profile | Name: wlan-radio2g; Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm |
| 5G radio profile | Name: wlan-radio5g; Referenced profiles: air scan profile wlan-airscan and RRM profile wlan-rrm |

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default VLAN of
GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, and GE0/0/2 to VLAN 100.
Create VLANIF 100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure DHCP relay.

# Configure DHCP relay on SwitchB.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

Step 3 Configure AC system parameters.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100.


# Click Apply.
# Deselect GigabitEthernet0/0/1 and then select GigabitEthernet0/0/2. Add
GigabitEthernet0/0/2 to VLAN 101 and VLAN 102 in the same way.
# Click Next. The Network Interconnection Configuration page is displayed.
3. Configuring network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.

# Click OK.
# Set the IP address of VLANIF 101 to 10.23.101.1/24 and that of VLANIF 102 to
10.23.102.1/24, DHCP status to ON, and DHCP type to Interface address pool.
# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.
# Configure the global IP address pool huawei.


– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1
NOTE

Configure the DNS server address as required.

# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.

# Click OK.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.


# Click Next. The Group APs page is displayed.


# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.

# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.


# Click Next. The Access Control page is displayed.


# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Enable radio calibration to allow APs to automatically select the optimal channels and power.
1. Create radio profiles.
NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.

# Choose Configuration > AP Config > AP Group > AP Group.


# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile. The 2G Radio Profile page is displayed.
# Click Create. On the Create 2G Radio Profile page that is displayed, enter the profile
name wlan-radio2g and click OK. The 2G radio profile configuration page is displayed.
# Click Apply. In the dialog box that is displayed, click OK.
2. Create an RRM profile, and configure automatic channel and power calibration.

# Click next to 2G Radio Profile, and select RRM Profile. The RRM Profile page
is displayed. Click Create. On the Create RRM Profile page that is displayed, enter the
profile name wlan-rrm and click OK. The RRM profile configuration page is displayed.
# Enable automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.


3. Create an air scan profile and configure the probe channel set, scan interval, and scan
duration.
# Select Air Scan Profile. The Air Scan Profile page is displayed. Click Create. On the
Create Air Scan Profile page that is displayed, enter the profile name wlan-airscan and
click OK. The air scan profile configuration page is displayed.
# Enable scanning, and configure the probe channel set, scan interval, and scan duration.


# Click Apply. In the dialog box that is displayed, click OK.


4. Enable radio calibration.

# Choose Configuration > AC Config > Basic Config > Radio Calibration. The
Radio Calibration page is displayed.

# Set Calibration mode to Manual and click Immediate Calibration. In the dialog box
that is displayed, click OK.

# Choose Monitoring > Radio. In Radio List, check the channel and power of the
radio. In this example, three APs have gone online on the AC, and the list shows that AP
channels have been automatically assigned through the radio calibration function.

# Radio calibration stops 1 hour after the radio calibration is manually triggered.

# Choose Configuration > AC Config > Basic Config > Radio Calibration. The
Radio Calibration page is displayed. On the Radio Calibration page, set Calibration
mode to Scheduled and set the start time to 3:00 am.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Verify the configuration.


1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

5.5.7 Example for Configuring Layer 3 Direct Forwarding in Bypass Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. A VLAN pool is configured as service VLANs to prevent IP address insufficiency or
waste. Furthermore, this measure can reduce the number of users in each VLAN and the size
of the broadcast domain.


Networking Requirements
• AC networking mode: Layer 3 networking in bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 5-21 Networking for configuring Layer 3 direct forwarding in bypass mode

Data Planning

Table 5-21 AC data planning

| Item | Data |
|---|---|
| Management VLANs for APs | VLAN 10 and VLAN 100 |
| Service VLAN for STAs | VLAN pool; Name: sta-pool; VLANs in the VLAN pool: VLAN 101 and VLAN 102 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. The aggregation switch functions as a DHCP server for STAs. The default gateway IP addresses of STAs are 10.23.101.2 and 10.23.102.2. |
| IP address pool for APs | 10.23.10.2-10.23.10.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24; 10.23.102.3-10.23.102.254/24 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLANs in the VLAN pool; Referenced profiles: SSID profile wlan-net and security profile wlan-net |

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.


Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 10, VLAN 101, and VLAN 102. The
default VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 101 102
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101 102
[SwitchA-GigabitEthernet0/0/2] quit

# On SwitchB (aggregation switch), add GE0/0/1 to VLAN 10, VLAN 101, and VLAN 102,
GE0/0/2 to VLAN 100, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF 100 and
set its IP address to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101 102
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs.

# Configure DHCP relay on SwitchB.


[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configuring network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.

# Click OK.
# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.


# Configure the global IP address pool huawei.
– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1
NOTE

Configure the DNS server address as required.

# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.


# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.


# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.

# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Set the AP channel and power.


1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.

# Disable automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.


# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.


4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End
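
The Configuration Notes of 5.5.6 and 5.5.7 translate into checks on the AP-facing port of the access switch. The following Python code is an added example, not part of the original guide: it parses the SwitchA command sequences shown in those two examples and audits the trunk against the data plan for each forwarding mode. The function names, the choice of GE0/0/1 as the AP-facing port (inferred from its PVID and port isolation settings), and the check for unplanned VLANs are assumptions of this example.

```python
import re

# SwitchA commands as shown in 5.5.6 (tunnel forwarding) of this document.
SWITCHA_TUNNEL = """\
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit
"""
# 5.5.7 (direct forwarding) differs only in the VLAN lists: 10 101 102.
SWITCHA_DIRECT = (SWITCHA_TUNNEL
                  .replace("vlan batch 10", "vlan batch 10 101 102")
                  .replace("allow-pass vlan 10", "allow-pass vlan 10 101 102"))

# Strips the CLI prompt, e.g. "[SwitchA-GigabitEthernet0/0/1]" or "<HUAWEI>".
PROMPT = re.compile(r"^[\[<][^\]>]+[\]>]\s*(.*)$")


def expand_vlans(tokens):
    """Expand a VLAN list such as ['10', '101', 'to', '102'] or ['all']."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        first = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(first, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(first)
            i += 1
    return vlans


def parse_ports(transcript):
    """Return {interface: {'pvid', 'allowed', 'isolated'}} from a CLI transcript."""
    ports, current = {}, None
    for line in transcript.splitlines():
        match = PROMPT.match(line.strip())
        if not match:
            continue
        cmd = match.group(1).lower().split()
        if cmd[:1] == ["interface"] and len(cmd) > 1:
            current = " ".join(cmd[1:])
            ports[current] = {"pvid": None, "allowed": set(), "isolated": False}
        elif cmd == ["quit"]:
            current = None
        elif current is None:
            continue
        elif cmd[:4] == ["port", "trunk", "pvid", "vlan"]:
            ports[current]["pvid"] = int(cmd[4])
        elif cmd[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            ports[current]["allowed"] |= expand_vlans(cmd[4:])
        elif cmd == ["port-isolate", "enable"]:
            ports[current]["isolated"] = True
    return ports


def audit_ap_port(ports, ap_port, mode, mgmt_vlan, service_vlans):
    """Check one AP-facing trunk against the data plan; return a list of findings."""
    port = ports.get(ap_port)
    if port is None:
        return [f"{ap_port}: no configuration found"]
    findings = []
    allowed, service = port["allowed"], set(service_vlans)
    if port["pvid"] != mgmt_vlan or mgmt_vlan not in allowed:
        findings.append(f"{ap_port}: management VLAN {mgmt_vlan} must be the PVID and allowed")
    if mode == "tunnel":
        # Configuration Notes: service VLAN packets are not allowed between AC and APs.
        if mgmt_vlan in service:
            findings.append(f"{ap_port}: management VLAN {mgmt_vlan} is also a service VLAN")
        if allowed & service:
            findings.append(f"{ap_port}: service VLANs {sorted(allowed & service)} allowed in tunnel mode")
    elif service - allowed:
        findings.append(f"{ap_port}: service VLANs {sorted(service - allowed)} missing in direct mode")
    # Added hardening check (assumption, not a rule stated in the guide).
    extra = allowed - service - {mgmt_vlan}
    if extra:
        findings.append(f"{ap_port}: {len(extra)} unplanned VLAN(s) allowed")
    if not port["isolated"]:
        findings.append(f"{ap_port}: port isolation not enabled")
    return findings


if __name__ == "__main__":
    for name, text, mode in (("5.5.6", SWITCHA_TUNNEL, "tunnel"),
                             ("5.5.7", SWITCHA_DIRECT, "direct")):
        result = audit_ap_port(parse_ports(text), "gigabitethernet 0/0/1", mode, 10, {101, 102})
        print(name, mode, result or "OK")
```

Running the audit with the wrong mode for a transcript shows the drift the notes warn about: the 5.5.7 trunk checked as tunnel forwarding reports the service VLANs as exposed on the AP-facing port.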

5.5.8 Example for Configuring Layer 3 Tunnel Forwarding in Bypass Mode

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

Networking Requirements
• AC networking mode: Layer 3 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding


Figure 5-22 Networking for configuring Layer 3 tunnel forwarding in bypass mode

Data Planning

Table 5-22 AC data planning

| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 10 and VLAN 100 |
| Service VLAN for STAs | VLAN pool |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway IP addresses of STAs are 10.23.101.2 and 10.23.102.2. |
| IP address pool for APs | 10.23.10.2-10.23.10.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24; 10.23.102.3-10.23.102.254/24 |
| VLAN pool | Name: sta-pool; VLANs in the VLAN pool: VLAN 101 and VLAN 102 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLANs in the VLAN pool; Referenced profiles: SSID profile wlan-net and security profile wlan-net |

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure a VLAN pool for service VLANs.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default VLAN of
GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit
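
The port isolation and tunnel forwarding notes above can be checked mechanically against a switch session like this one. The following Python audit is an added example, not part of the Huawei document; it assumes that a trunk port whose PVID is the management VLAN faces an AP, and GE0/0/3 in the sample is a constructed port added to show a failing case.

```python
import re

# Constructed input: the SwitchA session from Step 1, plus one hypothetical
# AP-facing port (GE0/0/3) that lacks port isolation and passes a service VLAN.
SWITCHA_SESSION = """\
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101
[SwitchA-GigabitEthernet0/0/3] quit
"""

# "[Host-View] command"; the host name is assumed to contain no hyphen.
PROMPT = re.compile(r"^\[(?P<host>[^\]-]+)(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>.*)$")


def group_by_view(session):
    """Map each CLI view (e.g. 'GigabitEthernet0/0/1') to the commands typed in it."""
    views = {}
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        if m and m.group("view"):
            views.setdefault(m.group("view"), []).append(m.group("cmd").strip())
    return views


def expand_vlans(spec):
    """Expand a VLAN list such as '100 101', '100 to 102' or 'all' into a set."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit_ap_ports(session, mgmt_vlan, service_vlans, tunnel_forwarding):
    """Return (interface, finding) pairs for AP-facing ports that break the notes."""
    findings = []
    if tunnel_forwarding and mgmt_vlan in service_vlans:
        findings.append(("global", "management VLAN is also a service VLAN"))
    for view, cmds in group_by_view(session).items():
        pvid, allowed = None, set()
        for cmd in cmds:
            m = re.fullmatch(r"port trunk pvid vlan (\d+)", cmd)
            if m:
                pvid = int(m.group(1))
            m = re.fullmatch(r"port trunk allow-pass vlan (.+)", cmd)
            if m:
                allowed |= expand_vlans(m.group(1))
        if pvid != mgmt_vlan:
            continue  # assumption: only ports whose PVID is the management VLAN face APs
        if "port-isolate enable" not in cmds:
            findings.append((view, "missing 'port-isolate enable'"))
        leaked = sorted(allowed & set(service_vlans))
        if tunnel_forwarding and leaked:
            findings.append(
                (view, f"service VLAN(s) {leaked} allowed in tunnel forwarding mode"))
    return findings


if __name__ == "__main__":
    for port, problem in audit_ap_ports(SWITCHA_SESSION, 10, {101, 102}, True):
        print(f"{port}: {problem}")
```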

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, GE0/0/2 to VLAN 100,
VLAN 101, and VLAN 102, and GE0/0/3 to VLAN 101 and VLAN 102. Create VLANIF
100 and set the IP address of VLANIF 100 to 10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100 101 102
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and VLANIF
102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP address of VLANIF
102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# On SwitchB, configure VLANIF 101 and VLANIF 102 to assign IP addresses to STAs and
set the default gateways.
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] dhcp select interface
[SwitchB-Vlanif102] dhcp server gateway-list 10.23.102.2
[SwitchB-Vlanif102] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLANs 100 through 102.


# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Global address pool.

# Click OK.

# Under Global Address Pool, click Create. The Create Global Address Pool page is
displayed.

# Configure the global IP address pool huawei.


– IP address pool subnet: 10.23.10.0
– Option 43: ASCII, IP address of 10.23.100.1
– Gateway IP address: 10.23.10.1


NOTE

Configure the DNS server address as required.

# Click OK.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.10.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.100.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.


4. Configure the source address for the AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.


# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Set the SSID name, forwarding mode, and service VLAN. Set Service VLAN to VLAN
Pool. Click Create next to VLAN Pool. The Create VLAN Pool page is displayed.

# Set VLAN pool name to sta-pool and VLAN assignment mode to Hash. Add VLANs 101
and 102.
# Click OK. In the dialog box that is displayed, click OK.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Key (applicable to personnel networks) and set the key.


# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Set the AP channel and power.


1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.

# Disable automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.


# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.


4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
----End

5.5.9 Example for Configuring NAT Traversal Between the AC and APs

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.
APs are located in an enterprise branch, while the AC is located at the headquarters.
Administrators require unified AP management by the AC. Therefore, NAT traversal is
configured between the AC and APs to save the enterprise's public IP addresses.

Networking Requirements
• AC networking mode: NAT traversal between the AC at the headquarters and APs in the
branch
• DHCP deployment mode: Router_1 functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 5-23 Networking for configuring NAT traversal between the AC and APs


Data Planning

Table 5-23 AC data planning

| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 200 |
| Service VLAN for STAs | VLAN 101 |
| DHCP server | Router_1 functions as a DHCP server to assign IP addresses to APs and STAs. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.2-10.23.101.254/24 |
| AC's source interface address | VLANIF 200: 10.23.200.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| NAT Outbound | Router_1: translates the private IP addresses in the network segment 10.23.100.0/24 to the public IP addresses in the network segment 2.2.2.1. |
| Static NAT | Router_2: translates the private IP addresses in the network segment 10.23.200.1 to the public IP addresses in the network segment 3.3.3.3. |


Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure NAT for address translation.
3. Select Config Wizard to configure system parameters for the AC.
4. Select Config Wizard to configure the APs to go online on the AC.
5. Select Config Wizard to configure WLAN services on the AC.
6. Deliver the WLAN services to the APs and verify the configuration.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# On Switch, add GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 100 and VLAN 101. VLAN 100
is the default VLAN of GE0/0/1 and GE0/0/2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/3] quit

# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
2.2.2.2/24, set the IP address of GE0/0/1 to 2.2.2.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 2.2.2.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit

# Configure a default route with the next hop address 2.2.2.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 2.2.2.2

# On Router_2, add GE1/0/0 to VLAN 200. If the peer end of GE0/0/1 is at 3.3.3.2/24, set the
IP address of GE0/0/1 to 3.3.3.1/24. Create VLANIF 200 and set its IP address to
10.23.200.2/24.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface GigabitEthernet1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 3.3.3.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit

# Configure a default route with the next hop address 3.3.3.2 on Router_2.
[Router_2] ip route-static 0.0.0.0 0.0.0.0 3.3.3.2

Step 2 Configure a DHCP server to assign IP addresses to APs and STAs.


# Configure Router_1 as a DHCP server to assign IP addresses to APs and STAs. The AC's
source interface address is translated into the public IP address 3.3.3.3 after NAT mapping.
[Router_1] dhcp enable
[Router_1] interface vlanif 100
[Router_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Router_1-Vlanif100] dhcp select global
[Router_1-Vlanif100] quit
[Router_1] ip pool ap
[Router_1-ip-pool-ap] gateway-list 10.23.100.1
[Router_1-ip-pool-ap] network 10.23.100.0 mask 24
[Router_1-ip-pool-ap] option 43 sub-option 3 ascii 3.3.3.3
[Router_1-ip-pool-ap] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] dhcp select interface
[Router_1-Vlanif101] quit

Step 3 Configure NAT.


# Configure outbound NAT on Router_1.
[Router_1] acl 2000
[Router_1-acl-basic-2000] rule 5 permit source 10.23.100.0 0.0.0.255
[Router_1-acl-basic-2000] rule 10 permit source 10.23.101.0 0.0.0.255
[Router_1-acl-basic-2000] quit
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] nat outbound 2000
[Router_1-GigabitEthernet0/0/1] quit


# Configure static NAT on Router_2.


[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] nat static global 3.3.3.3 inside 10.23.200.1
[Router_2-GigabitEthernet0/0/1] quit
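
With NAT traversal, the address handed to APs in Option 43 has to be the AC's public address from the static NAT entry on Router_2, not its private source address. The following Python check is an added example, not part of the Huawei document: it compares the two sessions above and shows the sub-option 3 value as a type-length-value field; the comma-separated AC list and all function names are assumptions.

```python
import ipaddress
import re

# Constructed input: the Router_1 and Router_2 lines from Steps 2 and 3.
ROUTER_1 = """\
[Router_1] ip pool ap
[Router_1-ip-pool-ap] gateway-list 10.23.100.1
[Router_1-ip-pool-ap] network 10.23.100.0 mask 24
[Router_1-ip-pool-ap] option 43 sub-option 3 ascii 3.3.3.3
[Router_1-ip-pool-ap] quit
"""
ROUTER_2 = """\
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] nat static global 3.3.3.3 inside 10.23.200.1
[Router_2-GigabitEthernet0/0/1] quit
"""

OPTION43 = re.compile(r"option 43 sub-option 3 ascii (\S+)")
STATIC_NAT = re.compile(r"nat static global (\S+) inside (\S+)")


def advertised_acs(dhcp_session):
    """AC addresses that the DHCP pool hands to APs in Option 43 sub-option 3."""
    acs = []
    for value in OPTION43.findall(dhcp_session):
        # Assumption: several ACs may be listed, separated by commas.
        acs += [str(ipaddress.ip_address(a)) for a in value.split(",")]
    return acs


def static_nat(nat_session):
    """Map each inside (private) address to its global (public) address."""
    return {inside: glob for glob, inside in STATIC_NAT.findall(nat_session)}


def encode_suboption(code, text):
    """Build one sub-option as type, length, ASCII value."""
    value = text.encode("ascii")
    if not 0 <= code <= 255 or len(value) > 255:
        raise ValueError("sub-option code or value does not fit in one byte")
    return bytes([code, len(value)]) + value


def decode_suboptions(payload):
    """Split an Option 43 payload into (code, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length runs past the end of the option")
        out.append((code, value))
        i += 2 + length
    return out


def check_ac_discovery(dhcp_session, nat_session, ac_source_ip):
    """Return findings where Option 43 does not point at the AC's NAT address."""
    expected = static_nat(nat_session).get(ac_source_ip, ac_source_ip)
    acs = advertised_acs(dhcp_session)
    if not acs:
        return ["no 'option 43 sub-option 3' found: the pool gives APs no AC address"]
    return [f"Option 43 advertises {a}, but APs must use {expected}"
            for a in acs if a != expected]


if __name__ == "__main__":
    print(check_ac_discovery(ROUTER_1, ROUTER_2, "10.23.200.1") or "Option 43 matches NAT")
    print(encode_suboption(3, "3.3.3.3").hex())
```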

Step 4 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 200 (management VLAN).

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 200 to 10.23.200.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.


NOTE
Configure the DNS server address as required.

# Click OK. An address pool for VLANIF 200 is configured.

# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.

# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop address to
10.23.200.2.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for the AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif200.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 5 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.


2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 6 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 7 Set the AP channel and power.


1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.

# Disable automatic channel and power calibration.


# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.

# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.

# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.

# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.

Step 8 Verify the configuration.


1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.


2. The WLAN with the SSID wlan-net is available.


3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

5.5.10 Example for Configuring VPN Traversal Between the AC and APs

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area.

APs are located in an enterprise branch, while the AC is located at the headquarters.
Administrators require unified AP management by the AC and protection on traffic
exchanged between the branch and headquarters. Therefore, an IPSec tunnel is established
between the branch and headquarters to protect traffic.


Networking Requirements
• AC networking mode: IPSec tunnel between the AC at the headquarters and APs in the
branch.
• DHCP deployment mode: Router_1 functions as a DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 5-24 Networking for configuring VPN traversal between the AC and APs

Data Planning

Table 5-24 AC data planning


| Item | Data |
|---|---|
| WLAN service data planning on the AC | |
| Management VLAN for APs | VLAN 200 |
| Service VLAN for STAs | VLAN 101 |
| DHCP server | Router_1 functions as a DHCP server to assign IP addresses to APs and STAs. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.2-10.23.101.254/24 |
| AC's source interface address | VLANIF 200: 10.23.200.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| IPSec data planning on Router_2 | |
| IKE parameters | IKE version: IKEv1; Negotiation mode: main; Peer IP address: 202.138.162.1; Authentication mode: pre-shared key authentication; Pre-shared key: huawei@1234; Authentication algorithm: SHA2-256; Encryption algorithm: AES-128; DH group number: group14 |
| IPSec parameters | Security protocol: ESP; ESP negotiation mode: main; ESP authentication algorithm: SHA2-256; ESP encryption algorithm: AES-128; Encapsulation mode: tunnel |
| IPSec policy | Connection name: map1; Interface name: gigabitethernet 0/0/1; Networking mode: branch site; Connection number: 10; ACL number: 3101 |

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure IPSec parameters to set up an IPSec tunnel.
   a. Configure an IP address and a static route on each interface to implement
      communication between both ends.
   b. Configure ACLs and define the data flows to be protected by the IPSec tunnel.
   c. Configure an IPSec proposal to define the traffic protection method.
   d. Configure IKE peers and define the attributes used for IKE negotiation.
   e. Configure an IPSec policy, and apply the ACL, IPSec proposal, and IKE peers to
      the IPSec policy to define the data flows to be protected and protection method.
   f. Apply the IPSec policy to the interface so that the interface can protect traffic.
3. Configure the APs to go online.
   a. Create an AP group and add APs that require the same configuration to the group
      for unified configuration.
   b. Configure AC system parameters, including the country code and source interface
      used by the AC to communicate with the APs.
   c. Configure the AP authentication mode and import the APs offline to allow the APs
      to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.

# On Switch, add GE0/0/1 and GE0/0/2 to VLAN 100 and VLAN 101. VLAN 100 is the
default VLAN of GE0/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit

# On Router_1, add GE1/0/0 to VLAN 100 and VLAN 101. If the peer end of GE0/0/1 is at
202.138.162.2/24, set the IP address of GE0/0/1 to 202.138.162.1/24.
<Huawei> system-view
[Huawei] sysname Router_1
[Router_1] vlan batch 100 101
[Router_1] interface gigabitethernet 1/0/0
[Router_1-GigabitEthernet1/0/0] port link-type trunk
[Router_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 101
[Router_1-GigabitEthernet1/0/0] quit
[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] ip address 202.138.162.1 255.255.255.0
[Router_1-GigabitEthernet0/0/1] quit

# Configure a default route with the next hop address 202.138.162.2 on Router_1.
[Router_1] ip route-static 0.0.0.0 0.0.0.0 202.138.162.2

# On Router_2, add GE1/0/0 to VLAN 200. Create VLANIF 200 and set its IP address to
10.23.200.2/24. If the peer end of GE0/0/1 is at 202.138.163.2/24, set the IP address of
GE0/0/1 to 202.138.163.1/24.
<Huawei> system-view
[Huawei] sysname Router_2
[Router_2] vlan batch 200
[Router_2] interface gigabitethernet 1/0/0
[Router_2-GigabitEthernet1/0/0] port link-type trunk
[Router_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 200
[Router_2-GigabitEthernet1/0/0] quit
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ip address 202.138.163.1 255.255.255.0
[Router_2-GigabitEthernet0/0/1] quit
[Router_2] interface vlanif 200
[Router_2-Vlanif200] ip address 10.23.200.2 24
[Router_2-Vlanif200] quit

# Configure a static route from Router_2 to APs with the next hop address 202.138.162.2 on
Router_2.

[Router_2] ip route-static 10.23.100.0 255.255.255.0 202.138.163.2
[Router_2] ip route-static 202.138.162.0 255.255.255.0 202.138.163.2

Step 2 Configure a DHCP server to assign IP addresses to APs and STAs.


# Configure Router_1 as a DHCP server to assign IP addresses to APs and STAs.
[Router_1] dhcp enable
[Router_1] interface vlanif 100
[Router_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Router_1-Vlanif100] dhcp select global
[Router_1-Vlanif100] quit
[Router_1] ip pool ap
[Router_1-ip-pool-ap] gateway-list 10.23.100.1
[Router_1-ip-pool-ap] network 10.23.100.0 mask 24
[Router_1-ip-pool-ap] option 43 sub-option 3 ascii 10.23.200.1
[Router_1-ip-pool-ap] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] dhcp select interface
[Router_1-Vlanif101] quit

Step 3 Configure ACLs and define the data flows to be protected by the IPSec tunnel.
# On Router_2, configure an ACL to protect the data flows from the AC (IP address
10.23.200.0/24) at the headquarters to the APs (IP address 10.23.100.0/24) in the branch.
[Router_2] acl number 3101
[Router_2-acl-adv-3101] rule permit ip source 10.23.200.0 0.0.0.255 destination 10.23.100.0 0.0.0.255
[Router_2-acl-adv-3101] quit

# On Router_1, configure an ACL to protect the data flows from the APs (IP address
10.23.100.0/24) in the branch to the AC (IP address 10.23.200.0/24) at the headquarters.
[Router_1] acl number 3101
[Router_1-acl-adv-3101] rule permit ip source 10.23.100.0 0.0.0.255 destination 10.23.200.0 0.0.0.255
[Router_1-acl-adv-3101] quit

Step 4 Configure IPSec.


1. Create an IPSec proposal on Router_2 and Router_1.
# Create an IPSec proposal on Router_2.
[Router_2] ipsec proposal tran1
[Router_2-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[Router_2-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[Router_2-ipsec-proposal-tran1] quit

# Create an IPSec proposal on Router_1.


[Router_1] ipsec proposal tran1
[Router_1-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[Router_1-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[Router_1-ipsec-proposal-tran1] quit

2. Create IKE peers on Router_2 and Router_1.


# Create an IKE proposal on Router_2.
[Router_2] ike proposal 5
[Router_2-ike-proposal-5] authentication-algorithm sha2-256
[Router_2-ike-proposal-5] encryption-algorithm aes-128
[Router_2-ike-proposal-5] dh group14
[Router_2-ike-proposal-5] quit

# Configure an IKE peer on Router_2, and configure the pre-shared key and peer ID
based on the default settings.
[Router_2] ike peer spub
[Router_2-ike-peer-spub] undo version 2
[Router_2-ike-peer-spub] ike-proposal 5
[Router_2-ike-peer-spub] pre-shared-key cipher huawei@1234
[Router_2-ike-peer-spub] remote-address 202.138.162.1
[Router_2-ike-peer-spub] quit

# Create an IKE proposal on Router_1.


[Router_1] ike proposal 5
[Router_1-ike-proposal-5] authentication-algorithm sha2-256
[Router_1-ike-proposal-5] encryption-algorithm aes-128
[Router_1-ike-proposal-5] dh group14
[Router_1-ike-proposal-5] quit

# Configure an IKE peer on Router_1, and configure the pre-shared key and peer ID
based on the default settings.
[Router_1] ike peer spua
[Router_1-ike-peer-spua] undo version 2
[Router_1-ike-peer-spua] ike-proposal 5
[Router_1-ike-peer-spua] pre-shared-key cipher huawei@1234
[Router_1-ike-peer-spua] remote-address 202.138.163.1
[Router_1-ike-peer-spua] quit

3. Create IPSec policies on Router_2 and Router_1.


# Configure an IPSec policy in IKE negotiation mode on Router_2.
[Router_2] ipsec policy map1 10 isakmp
[Router_2-ipsec-policy-isakmp-map1-10] ike-peer spub
[Router_2-ipsec-policy-isakmp-map1-10] proposal tran1
[Router_2-ipsec-policy-isakmp-map1-10] security acl 3101
[Router_2-ipsec-policy-isakmp-map1-10] quit

# Configure an IPSec policy in IKE negotiation mode on Router_1.


[Router_1] ipsec policy use1 10 isakmp
[Router_1-ipsec-policy-isakmp-use1-10] ike-peer spua
[Router_1-ipsec-policy-isakmp-use1-10] proposal tran1
[Router_1-ipsec-policy-isakmp-use1-10] security acl 3101
[Router_1-ipsec-policy-isakmp-use1-10] quit

4. Apply the IPSec policies to the interfaces of Router_2 and Router_1, so that the
interfaces can protect traffic.
# Apply the IPSec policy to the interface of Router_2.
[Router_2] interface gigabitethernet 0/0/1
[Router_2-GigabitEthernet0/0/1] ipsec policy map1
[Router_2-GigabitEthernet0/0/1] quit

# Apply the IPSec policy to the interface of Router_1.


[Router_1] interface gigabitethernet 0/0/1
[Router_1-GigabitEthernet0/0/1] ipsec policy use1
[Router_1-GigabitEthernet0/0/1] quit

Step 5 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.

2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 200 (management VLAN).

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 200 to 10.23.200.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.

# Click OK. An address pool for VLANIF 200 is configured.

# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.

# Set Destination IP to 0.0.0.0, Subnet Mask to 0(0.0.0.0), and Next hop address to
10.23.200.2.

# Click OK.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif200.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 6 Configure an AP to go online.


1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 7 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Key (applicable to personnel networks) and set the key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 8 Set the AP channel and power.


1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.

# Disable automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.

2. Manually configure the AP channel and power.


# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


Step 9 Verify the configuration.
1. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
2. The WLAN with the SSID wlan-net is available.
3. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.1.

4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End
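
The IPSec tunnel from Steps 3 and 4 depends on both routers agreeing: matching IKE and IPSec proposals, the same pre-shared key, each remote-address pointing at the other router's tunnel interface, and ACLs that are mirror images. The Python check below is an added example, not part of the Huawei document; it parses the commands shown above and lists any mismatch. The function names and TEMPLATE are hypothetical, and the parser handles only the command forms that appear on this page.

```python
import re

LINE = re.compile(r"^[ \t]*\[([^\]\n]+)\][ \t]*(.+?)[ \t]*$", re.M)  # "[prompt] command"
RULE = re.compile(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)")


def parse_views(host, transcript):
    """Group commands under the system-view command that opened their view."""
    views, current = {}, None
    for prompt, cmd in LINE.findall(transcript):
        cmd = " ".join(cmd.split())
        if prompt == host:                            # typed in the system view
            current = cmd
            views.setdefault(cmd, [])                 # revisited views accumulate
        elif cmd != "quit" and current:
            views[current].append(cmd)
    return views


def kv(body):
    """['dh group14'] -> {'dh': 'group14'}; the last word is the value."""
    return {" ".join(c.split()[:-1]): c.split()[-1] for c in body}


def resolve(host, transcript):
    """Follow interface -> IPSec policy -> IKE peer, proposals and ACL."""
    views = parse_views(host, transcript)
    for head, body in views.items():
        applied = [c.split()[-1] for c in body if c.startswith("ipsec policy ")]
        if head.startswith("interface ") and applied:
            addr = [c.split()[2] for c in body if c.startswith("ip address ")]
            break
    else:
        raise ValueError(f"{host}: no interface has an IPSec policy applied")
    policy = next((kv(b) for h, b in views.items()
                   if h.startswith(f"ipsec policy {applied[0]} ")), {})
    peer = kv(views.get("ike peer " + policy.get("ike-peer", ""), []))
    acl = views.get("acl number " + policy.get("security acl", ""), [])
    return {
        "local_ip": addr[0] if addr else None,
        "peer": peer,
        "ike": kv(views.get("ike proposal " + peer.get("ike-proposal", ""), [])),
        "esp": kv(views.get("ipsec proposal " + policy.get("proposal", ""), [])),
        "flows": {m.groups() for m in map(RULE.fullmatch, acl) if m},
    }


def check_tunnel(a, b):
    """Return mismatches between two resolved tunnel ends ([] = consistent)."""
    out = []
    for label, key in (("IKE proposal", "ike"), ("IPSec proposal", "esp")):
        if not a[key] or a[key] != b[key]:
            out.append(f"{label} missing or different")
    if a["peer"].get("pre-shared-key cipher") != b["peer"].get("pre-shared-key cipher"):
        out.append("pre-shared keys differ")          # the key itself is never echoed
    if ("undo version" in a["peer"]) != ("undo version" in b["peer"]):
        out.append("only one end disables IKEv2")
    for x, y in ((a, b), (b, a)):
        if x["peer"].get("remote-address") != y["local_ip"]:
            out.append(f"remote-address {x['peer'].get('remote-address')} != "
                       f"peer interface {y['local_ip']}")
    if not a["flows"] or a["flows"] != {(d, dw, s, sw) for s, sw, d, dw in b["flows"]}:
        out.append("ACL flows are not mirror images")
    return out


# The page's Step 1, 3 and 4 commands with per-router values as fields ("quit" lines omitted).
TEMPLATE = """
[{h}] interface gigabitethernet 0/0/1
[{h}-GigabitEthernet0/0/1] ip address {local} 255.255.255.0
[{h}] acl number 3101
[{h}-acl-adv-3101] rule permit ip source {src} 0.0.0.255 destination {dst} 0.0.0.255
[{h}] ipsec proposal tran1
[{h}-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[{h}-ipsec-proposal-tran1] esp encryption-algorithm aes-128
[{h}] ike proposal 5
[{h}-ike-proposal-5] authentication-algorithm sha2-256
[{h}-ike-proposal-5] encryption-algorithm aes-128
[{h}-ike-proposal-5] dh group14
[{h}] ike peer {peer}
[{h}-ike-peer-{peer}] undo version 2
[{h}-ike-peer-{peer}] ike-proposal 5
[{h}-ike-peer-{peer}] pre-shared-key cipher huawei@1234
[{h}-ike-peer-{peer}] remote-address {remote}
[{h}] ipsec policy {pol} 10 isakmp
[{h}-ipsec-policy-isakmp-{pol}-10] ike-peer {peer}
[{h}-ipsec-policy-isakmp-{pol}-10] proposal tran1
[{h}-ipsec-policy-isakmp-{pol}-10] security acl 3101
[{h}] interface gigabitethernet 0/0/1
[{h}-GigabitEthernet0/0/1] ipsec policy {pol}
"""
ROUTER_2 = TEMPLATE.format(h="Router_2", peer="spub", pol="map1", local="202.138.163.1",
                           remote="202.138.162.1", src="10.23.200.0", dst="10.23.100.0")
ROUTER_1 = TEMPLATE.format(h="Router_1", peer="spua", pol="use1", local="202.138.162.1",
                           remote="202.138.163.1", src="10.23.100.0", dst="10.23.200.0")

if __name__ == "__main__":
    print(check_tunnel(resolve("Router_2", ROUTER_2), resolve("Router_1", ROUTER_1)))
```

An empty list means the two ends agree; running the same check against saved output from both routers before applying the policy catches a copied, unswapped ACL or a mistyped remote-address early.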

5.5.11 Example for Configuring Hand-in-Hand WDS Services

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Considering the high costs of wired AP deployment, enterprises need to set up
wireless distribution system (WDS) links for wireless backhaul to provide service coverage,
ensuring that enterprise users can access the WLAN.

Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (Switch_A) functions as a DHCP server to assign IP
    addresses to STAs.
• Wireless backhaul mode: hand-in-hand WDS
• Backhaul radio: 5 GHz
• Service data forwarding mode: direct forwarding

Figure 5-25 Networking diagram for configuring hand-in-hand WDS services

Data Planning

Table 5-25 AP data planning

| AP | Type | MAC Address |
|---|---|---|
| AP_1 | AP8130DN | 60de-4474-9640 |
| AP_2 | AP8130DN | dcd2-fc04-b500 |
| AP_3 | AP8130DN | dcd2-fc96-e4c0 |

Table 5-26 AC data planning

| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 100 |
| Service VLAN for STAs | VLAN 101 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. Switch_A functions as a DHCP server to assign IP addresses to STAs. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24 |
| AC's source interface address | VLANIF 100 |
| WDS mode | Radio 1 on AP_1: root; Radio 1 on AP_2: leaf; Radio 0 on AP_2: root; Radio 1 on AP_3: leaf |
| Regulatory domain profile | Name: default; Country code: CN |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Wireless service security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| WDS link security profile | Name: wds-security; Security policy: WPA2+PSK+AES; Password type: PASS-PHRASE; Password: a1234567 |
| WDS whitelist profile | Name: wds-list1; AP MAC address: MAC address of AP_2 (leaf) |
| WDS whitelist profile | Name: wds-list2; AP MAC address: MAC address of AP_3 (leaf) |
| WDS profile | Name: wds-root; WDS name: wlan-wds; WDS working mode: root; Tagged VLAN: VLAN 101; Referenced profile: security profile wds-security |
| WDS profile | Name: wds-leaf; WDS name: wlan-wds; WDS working mode: leaf; Tagged VLAN: VLAN 101; Referenced profile: security profile wds-security |
| AP group | Name: ap-group1; Root APs, such as AP_1, are added to the group; Referenced profiles: WDS profile wds-root, VAP profile wlan-net, and regulatory domain profile default |
| AP group | Name: ap-group2; Root and leaf APs, such as AP_2, are added to the group; Referenced profiles: WDS profiles wds-root and wds-leaf, VAP profile wlan-net, and regulatory domain profile default |
| AP group | Name: ap-group3; Leaf APs, such as AP_3, are added to the group; Referenced profiles: WDS profile wds-leaf, VAP profile wlan-net, and regulatory domain profile default |

Configuration Roadmap
1. Configure root node AP_1 to go online on the AC.
   a. Create an AP group and add APs that require the same configuration to the group
      for unified configuration.
   b. Configure AC system parameters, including the country code and source interface
      used by the AC to communicate with the APs.
   c. Configure the AP authentication mode and import the APs offline to allow the APs
      to go online.
2. Configure WDS services so that APs in and Area C can go online through WDS wireless
   virtual links.
3. Configure WLAN service parameters for STAs to access the WLAN.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
• Select proper antennas by following the WDS network planning and design, and use the
  antenna calibration tool for calibration.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit

# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure the DHCP server to assign IP addresses to STAs.


# Configure Switch_A as a DHCP server to assign IP addresses to STAs from the interface
address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server gateway-list 10.23.101.2
[Switch_A-Vlanif101] quit

Step 3 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.

4. Configure the source address for AC.


# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure the AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click and download
the AP template file to your local PC.

# Fill in the AP template file with AP information according to the following example.

NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP file, select the AP template file, and click Import.
# Click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure wireless services.


1. Click Create. The Basic Information page is displayed.
2. Set the SSID name, forwarding mode, and service VLAN ID.

3. Click Next. The Security Authentication page is displayed.


4. Configure the key authentication mode, AES algorithm, and key.

5. Click Next. The Access Control page is displayed.


6. Set Binding the AP group to ap-group1.
7. Click Finish. Bind the AP group ap-group3 in the same way.
Step 6 Configure AP_1.
1. Create WDS profile wds-root and configure the WDS working mode and tagged VLAN.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click ap-group1. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.
# Click Create. On the Create WDS Profile page that is displayed, enter the profile
name wds-root, set Radio to 1, and click OK.
# Choose WDS > WDS Profile > wds-root. The WDS Profile page is displayed.
# Set WDS network bridge name, WDS working mode, and Tagged VLAN.

NOTE

In a WDS profile, Tagged VLAN needs to be configured according to actual situations. If traffic from a
different service VLAN needs to be transmitted over the WDS link, set Tagged VLAN to the service
VLAN.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create security profile wds-security and configure the security policy.

# Choose WDS > WDS Profile > wds-root > Security Profile. The Security Profile
page is displayed.

# Click Create. On the Create Security Profile page that is displayed, enter the profile
name wds-security and click OK. The security profile configuration page is displayed.

# Set the key.

# Click Apply. In the dialog box that is displayed, click OK.


3. Create WDS whitelist profile wds-list1 and add the MAC address of the leaf AP to the
WDS whitelist.

# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.

# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list1, set Radio to 1, and click OK. The WDS Whitelist Profile List
page is displayed.

# Choose WDS > WDS Whitelist Profile > wds-list1. The WDS Whitelist Profile page
is displayed.

# Click Add to configure the WDS whitelist.

# Click OK.
4. Configure WDS service parameters for the root node. Set the channel parameters of
Radio1 to 40+ MHz and 157. Set the bridge distance to 4.

# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.

# Click the AP ID 1. The AP customized settings page is displayed.

# Choose Radio Management > Radio1. The Radio 1 Settings(5G) page is displayed.

# Set the channel parameters to 40+ MHz and 157. Set the bridge distance to 4. Disable
automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.

Step 7 Configure AP_3.


1. Create WDS profile wds-leaf and configure the WDS working mode and tagged VLAN.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group3. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.

# Click Create. On the Create WDS Profile page that is displayed, enter the profile
name wds-leaf, set Radio to 1 and Copy parameters from other profiles to wds-root,
and click OK.

# Choose WDS > WDS Profile > wds-leaf. The WDS Profile page is displayed.

# Set WDS working mode to Leaf, retain the default settings of other parameters, and
click Apply. In the dialog box that is displayed, click OK.


2. Configure WDS service parameters for the leaf node. Set parameters for Radio1. Set
Channel to 40+ MHz and 149, and WDS/Mesh bridge distance(0.1km) to 4. Disable
automatic channel and power calibration.
Configure WDS service parameters by referring to the configuration procedure on the
root node.

Step 8 Configure AP_2.


1. Reference WDS profile wds-leaf to radio 1 and wds-root to radio 0.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group2. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.

# Click Add. On the Add WDS Profile page that is displayed, enter the profile name
wds-leaf, set Radio to 1, and click OK.

# Click Add. On the Add WDS Profile page that is displayed, enter the profile name
wds-root, set Radio to 0, and click OK.
2. Create WDS whitelist profile wds-list2 and add the MAC address of the leaf AP to the
WDS whitelist.

# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.

# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list2, set Radio to 0, and click OK. The WDS Whitelist Profile List
page is displayed.

# Choose WDS > WDS Whitelist Profile > wds-list2. The WDS Whitelist Profile page
is displayed.

# Click Add to configure the WDS whitelist.

# Click OK.
3. Configure WDS service parameters. Configure Radio0 to switch to the 5 GHz frequency
band. Set the channel parameters of Radio0 to 40+ MHz and 149. Set the coverage
distance to 4. Set the channel parameters of Radio1 to 40+ MHz and 157. Set the bridge
distance to 4.

# Choose Configuration > AP Config > AP Config > AP Info. The AP Info page is
displayed.

# Click the AP ID 2. The AP customized settings page is displayed.


# Choose Radio Management > Radio1. The Radio 0 Settings(2.4G) page is displayed.

# Set Radio0 to switch to the 5 GHz frequency band. Set the channel parameters of
Radio0 to 40+ MHz and 149. Set the bridge distance to 4. Disable automatic channel
and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.


# Set the channel parameters of Radio1 to 40+ MHz and 157. Set the coverage distance
to 4. The configuration is the same as that for Radio0, and is not mentioned here.
Step 9 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Group > AP Group.


# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.
# Disable automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.


# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


Step 10 Verify the configuration.
1. Choose Monitoring > AP. In AP List, check whether the AP state is normal. If so, the
APs have gone online on the AC through WDS links.
2. Choose Monitoring > Mesh&WDS > WDS Network Bridge Information and check
WDS information. After the WDS links are successfully established, you can view
detailed information about the WDS links on the page.

3. Choose Monitoring > SSID > VAP. In VAP List, check VAP status. You can see that
the status of the VAP in wlan-net is normal.
4. The WLAN with the SSID wlan-net is available.
5. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.


6. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End

5.5.12 Example for Configuring Back-to-Back WDS

Service Requirements
On some enterprise networks, wired network deployment is restricted by construction
conditions. When obstacles exist between two networks or the distance between them is long,
APs cannot all be connected to the AC in wired mode. Back-to-back wireless distribution
system (WDS) technology can cascade APs in wired mode as trunk bridges. This networking
ensures sufficient bandwidth on wireless links for long distance data transmission.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (Switch_A) functions as a DHCP server to assign IP
    addresses to STAs.
• Wireless backhaul mode: WDS back-to-back
• Backhaul radio: 5 GHz radio

Figure 5-26 Networking for configuring back-to-back WDS

Data Planning

Table 5-27 AP data planning

AP Name   Type       MAC Address
AP_1      AP8130DN   dcd2-fcf6-76a0
AP_2      AP8130DN   60de-4474-9640
AP_3      AP8130DN   dcd2-fc04-b500
AP_4      AP8130DN   60de-4476-e360


Table 5-28 AC data planning

Item                        Data

Management VLAN for APs     VLAN 100

Service VLAN for STAs       VLAN 101

DHCP server                 The AC functions as a DHCP server to assign IP addresses to
                            APs, and Switch_A functions as a DHCP server to assign IP
                            addresses to STAs.

IP address pool for APs     10.23.100.2-10.23.100.254/24

IP address pool for STAs    10.23.101.3-10.23.101.254/24

IP address of the AC's      VLANIF 100: 10.23.100.1/24
source interface

WDS profile                 • wds-net1 (WDS profile used by AP_1): WDS mode root,
                              referenced WDS whitelist wds-list1, permitting access only
                              from AP_2
                            • wds-net2 (WDS profile used by AP_3): WDS mode root,
                              referenced WDS whitelist wds-list2, permitting access only
                              from AP_4
                            • wds-net3 (WDS profile used by AP_2 and AP_4):
                              referencing no WDS whitelist

WDS role                    • AP_1: root
                            • AP_2: leaf
                            • AP_3: root
                            • AP_4: leaf

WDS name                    wds-net

WDS whitelist               • wds-list1: contains MAC address of AP_2 and is bound to
                              AP_1
                            • wds-list2: contains MAC address of AP_4 and is bound to
                              AP_3

Radio used by WDS           Radio 1 (AP_1 and AP_2):
                            • Bandwidth: 40 MHz-plus
                            • Channel: 157
                            • WDS/Mesh bridge distance: 4 (unit: 100 m)
                            Radio 1 (AP_3 and AP_4):
                            • Bandwidth: 40 MHz-plus
                            • Channel: 149
                            • WDS/Mesh bridge distance: 4 (unit: 100 m)

Security profile            • Name: wds-sec
                            • Security policy: WPA2+PSK+AES
                            • Password type: PASS-PHRASE
                            • Password: a1234567

AP group                    • wds-root1: AP_1
                            • wds-root2: AP_3
                            • wds-leaf1: AP_2
                            • wds-leaf2: AP_4. If a wired interface of AP_4 is connected
                              to a Layer 2 network, a wired port profile needs to be
                              configured for AP_4. Therefore, AP_2 and AP_4 are added
                              to two separate AP groups.

Configuration Roadmap
1. Configure WDS links in Area A and Area B so that AP_1 and AP_2 can go online on the
AC.
2. Configure Switch_C to enable AP_2 and AP_3 to communicate through the wired
network.
3. Configure WDS links in Area B and Area C so that AP_4 can go online on the AC.
4. Configure wired interfaces on AP_4 to enable wired users connected to AP_4 to access
the network.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100 and VLAN 101. The default VLAN
of GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit

# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit

# Configure the access switch Switch_C. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 and VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 to 101
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/1] quit
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/2] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
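
The Configuration Notes ask for port isolation on interfaces facing APs, and Step 1 limits each trunk to VLAN 100 and VLAN 101. The following check is an added example, not part of the Huawei guide: it parses a saved CLI transcript and reports AP-facing ports that drift from that plan. Treating GE0/0/1 on Switch_B as the AP-facing port is an assumption (the figure is not reproduced here), and the function names are hypothetical.

```python
import re

# VRP prompt line: "[host] command" or "[host-view] command".
# Assumes the sysname contains no hyphen, as is the case on this page.
PROMPT = re.compile(r"^\[(?P<host>[^\]-]+)(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>.+)$")
ALLOW_PASS = "port trunk allow-pass vlan "

# Switch_B commands copied from Step 1 of this example.
SWITCH_B_PAGE = """\
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit
"""

# Constructed sample: the same port with isolation missing and every VLAN allowed.
SWITCH_B_DRIFTED = """\
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan all
[Switch_B-GigabitEthernet0/0/1] quit
"""


def parse_vlans(spec):
    """Expand '100 to 101', '10 20' or 'all' into a set of VLAN IDs."""
    tokens = spec.split()
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_transcript(text):
    """Return {interface view: settings}. Only explicitly configured values
    are tracked; device defaults are not modelled."""
    ports = {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m or not (m["view"] or "").startswith("GigabitEthernet"):
            continue
        port = ports.setdefault(
            m["view"],
            {"link_type": None, "pvid": None, "allowed": set(), "isolated": False},
        )
        cmd = m["cmd"].strip()
        if cmd.startswith("port link-type "):
            port["link_type"] = cmd.split()[-1]
        elif cmd.startswith("port trunk pvid vlan "):
            port["pvid"] = int(cmd.split()[-1])
        elif cmd.startswith(ALLOW_PASS):
            port["allowed"] |= parse_vlans(cmd[len(ALLOW_PASS):])
        elif cmd == "port-isolate enable":
            port["isolated"] = True
    return ports


def audit_ap_ports(ports, ap_facing, mgmt_vlan, planned_vlans):
    """Check AP-facing ports against the plan and return a list of findings."""
    findings = []
    for name in ap_facing:
        port = ports.get(name)
        if port is None:
            findings.append(f"{name}: no configuration found")
            continue
        if not port["isolated"]:
            findings.append(f"{name}: port-isolate enable is missing")
        if port["pvid"] != mgmt_vlan:
            shown = port["pvid"] if port["pvid"] is not None else "not set"
            findings.append(f"{name}: PVID {shown}, expected management VLAN {mgmt_vlan}")
        extra = port["allowed"] - planned_vlans
        if extra:
            findings.append(f"{name}: {len(extra)} unplanned VLAN(s) allowed on the trunk")
        missing = planned_vlans - port["allowed"]
        if missing:
            findings.append(f"{name}: planned VLAN(s) {sorted(missing)} not allowed")
    return findings


if __name__ == "__main__":
    for label, text in (("page", SWITCH_B_PAGE), ("drifted", SWITCH_B_DRIFTED)):
        result = audit_ap_ports(parse_transcript(text), ["GigabitEthernet0/0/1"], 100, {100, 101})
        print(label, result or "OK")
```
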


Step 2 Configure the DHCP server to assign IP addresses to STAs.


# Configure Switch_A as a DHCP server to assign IP addresses to STAs from the interface
address pool.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] dhcp server gateway-list 10.23.101.2
[Switch_A-Vlanif101] quit

Step 3 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.

# Click OK. An address pool for VLANIF 100 is configured.

# Click Next.

# Click Next. The AC Source Address page is displayed.


4. Configure the source address for AC.

# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.

Step 4 Configure an AP to go online.


1. Configure the AP to go online.


# Click Batch Import. The Batch Import page is displayed. Click and download
the AP template file to your local PC.

# Fill in the AP template file with AP information according to the following example.

NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory but the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory but the AP's
MAC address is optional.
You are advised to import the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP file, select the AP template file, and click Import.
# Click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Finish.
Step 5 Configure the root node AP_1.
1. Configure the WDS profile wds-net1 for the root node AP_1.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, click wds-root1. Choose WDS > WDS Profile. The WDS
Profile List page is displayed.
# Click Create. On the Create WDS Profile page that is displayed, enter the profile
name wds-net1 and click OK.
# Choose WDS > WDS Profile > wds-net1. The WDS Profile page is displayed.
# Set WDS network bridge name, WDS working mode, and Tagged VLAN.


NOTE

In a WDS profile, Tagged VLAN needs to be configured according to actual situations. If traffic from a
different service VLAN needs to be transmitted over the WDS link, set Tagged VLAN to the service
VLAN.

# Click Apply. In the dialog box that is displayed, click OK.


2. Create security profile wds-sec and configure the security policy.

# Choose WDS > WDS Profile > wds-net1 > Security Profile. The Security Profile
page is displayed.

# Click Create. On the Create Security Profile page that is displayed, enter the profile
name wds-sec and click OK. The security profile configuration page is displayed.

# Set the key.

# Click Apply. In the dialog box that is displayed, click OK.


3. Configure the WDS whitelist profile wds-list1 for AP_1 to permit access only from
AP_2 over the WDS link.

# Choose WDS > WDS Whitelist Profile. The WDS Whitelist Profile List page is
displayed.

# Click Create. On the Create WDS Whitelist Profile page that is displayed, enter the
profile name wds-list1 and click OK. The WDS Whitelist Profile List page is
displayed.

# Choose WDS > WDS Whitelist Profile > wds-list1. The WDS Whitelist Profile page
is displayed.

# Click Add to add the MAC address of AP_2 60de-4474-9640 to the profile.


# Click OK.
4. Configure WDS service parameters.

# Choose Radio Management > Radio1. The Radio 1 Settings(5G) page is displayed.

# Set the channel parameters to 40+ MHz and 157. Set the bridge distance to 4.
NOTE

On a WDS network, radios used to create WDS links must work on the same channel.

# Click Apply. In the dialog box that is displayed, click OK.

Step 6 Configure the root node AP_3.


1. Configure the WDS profile wds-net2 in the AP group wds-root2. The configuration is
similar to that for the WDS profile wds-net1 in the AP group wds-root1.
If the WDS profile wds-net2 is the same as the WDS profile wds-net1, you do not need
to create the WDS profile wds-net2. AP_3 and AP_1 can share the WDS profile wds-
net1.
2. Bind the security profile wds-sec to the AP group wds-root2.

# Enter the Security Profile page under the AP group wds-root2. The configuration is
similar to that under the AP group wds-root1.

# Set Security Profile to wds-sec and click Apply. In the dialog box that is displayed,
click OK.
3. Configure the WDS whitelist profile wds-list2 for AP_3 to permit access only from
AP_4 over the WDS link.
# Add the MAC address of AP_4 60de-4476-e360 to wds-list2. The configuration is
similar to that for the WDS whitelist profile wds-list1 under the AP group wds-root1.
4. Configure WDS service parameters.

# Configure service parameters in the AP group wds-root2. The configuration is similar
to that in the AP group wds-root1. Set the channel parameters to 40+ MHz and 149. Set
the bridge distance to 4.


Step 7 Configure the leaf node AP_2.


1. Configure the WDS profile wds-net3 in the AP group wds-leaf1. The configuration is
similar to that for the WDS profile wds-net1 in the AP group wds-root1.
In the WDS profile wds-net3, set WDS working mode to Leaf.
2. Bind the security profile wds-sec to the AP group wds-leaf1. The configuration is
similar to that for binding the security profile to the AP group wds-root2.
3. Configure WDS service parameters.
# Configure service parameters in the AP group wds-root2. The configuration is similar
to that in the AP group wds-root1. Set the channel parameters to 40+ MHz and 157. Set
the bridge distance to 4.
Step 8 Configure the leaf node AP_4.
1. Configure the WDS profile wds-net3 in the AP group wds-leaf2.
# Enter the WDS Profile List page under the AP group wds-leaf2. The configuration is
similar to that under the AP group wds-root1.
# Click Add. On the page that is displayed, set WDS profile name to wds-net3 and
click OK. In the dialog box that is displayed, click OK.
2. Bind the security profile wds-sec to the AP group wds-leaf2. The configuration is
similar to that for binding the security profile to the AP group wds-root2.
3. Configure WDS service parameters.
# Configure service parameters in the AP group wds-root2. The configuration is similar
to that in the AP group wds-root1. Set the channel parameters to 40+ MHz and 149. Set
the bridge distance to 4.
4. Configure the AP's wired port profile.
# Choose AP > AP Wired Port Settings. Click GE0. The GE0 profile management
page is displayed.
# Click Create. The Create AP Wired Port Profile page is displayed. Set Profile name
to wired-port and click OK. The configuration page of the wired port profile is
displayed.
# Set Port mode to Endpoint, add the wired port to VLAN 101 in tagged mode, and set
the Port PVID to 101. This example assumes that the downlink network of AP_4's
wired port GE0 transmits service traffic of VLAN 101.


# Click OK.
Step 9 Verify the configuration.
1. Choose Configuration > AP Config > AP Config. The AP list page is displayed. If
the AP status is normal, the APs have gone online on the AC through WDS links.
2. Choose Monitoring > Mesh&WDS > WDS Network Bridge Information and check
WDS information. After the WDS links are successfully established, you can view
detailed information about the WDS links on the page.

----End
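
The data plan in Table 5-28 relies on three things holding together: each root's WDS whitelist contains only its planned leaf, both radios of a WDS link use the same channel, and all nodes share the WPA2 passphrase. The following check is an added example, not part of the Huawei guide: it validates a plan transcribed from Table 5-27 and Table 5-28 and then a constructed plan with mistakes. The dictionary layout and function names are hypothetical; the 8 to 63 character limit is the WPA2 passphrase rule.

```python
import re
from copy import deepcopy

DOC_SAMPLE_PSK = "a1234567"  # passphrase printed in the guide's data plan

# Transcribed from Table 5-27 and Table 5-28; the dict layout is hypothetical.
PAGE_PLAN = {
    "psk": "a1234567",
    "aps": {
        "AP_1": {"mac": "dcd2-fcf6-76a0", "role": "root", "channel": 157},
        "AP_2": {"mac": "60de-4474-9640", "role": "leaf", "channel": 157},
        "AP_3": {"mac": "dcd2-fc04-b500", "role": "root", "channel": 149},
        "AP_4": {"mac": "60de-4476-e360", "role": "leaf", "channel": 149},
    },
    # whitelist profile -> root AP it is bound to and the peer MACs it holds
    "whitelists": {
        "wds-list1": {"bound_to": "AP_1", "macs": ["60de-4474-9640"]},
        "wds-list2": {"bound_to": "AP_3", "macs": ["60de-4476-e360"]},
    },
    "links": [("AP_1", "AP_2"), ("AP_3", "AP_4")],  # (root, leaf)
}


def normalize_mac(text):
    """Return a MAC in the guide's hhhh-hhhh-hhhh form, or raise ValueError."""
    digits = re.sub(r"[-:.]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def drifted_plan():
    """Constructed sample: wrong whitelist entry, wrong leaf channel, new passphrase."""
    plan = deepcopy(PAGE_PLAN)
    plan["whitelists"]["wds-list2"]["macs"] = ["60:de:44:74:96:40"]  # AP_2, not AP_4
    plan["aps"]["AP_4"]["channel"] = 157
    plan["psk"] = "constructed-Passphrase-for-this-example"
    return plan


def validate_plan(plan):
    """Return findings for whitelist, channel, role and passphrase problems."""
    findings = []
    aps = plan["aps"]
    mac_of = {name: normalize_mac(ap["mac"]) for name, ap in aps.items()}
    bound = {
        wl["bound_to"]: (name, {normalize_mac(m) for m in wl["macs"]})
        for name, wl in plan["whitelists"].items()
    }
    for root, leaf in plan["links"]:
        if aps[root]["role"] != "root" or aps[leaf]["role"] != "leaf":
            findings.append(f"{root}->{leaf}: roles must be root and leaf")
        if aps[root]["channel"] != aps[leaf]["channel"]:
            findings.append(
                f"{root}->{leaf}: channel mismatch "
                f"({aps[root]['channel']} vs {aps[leaf]['channel']})"
            )
        if root not in bound:
            findings.append(f"{root}: no WDS whitelist bound, peers are not restricted by MAC")
            continue
        wl_name, macs = bound[root]
        if mac_of[leaf] not in macs:
            findings.append(f"{wl_name}: planned leaf {leaf} ({mac_of[leaf]}) is missing")
        planned = {mac_of[lf] for rt, lf in plan["links"] if rt == root}
        for extra in sorted(macs - planned):
            findings.append(f"{wl_name}: {extra} is not a planned peer of {root}")

    psk = plan["psk"]
    if not 8 <= len(psk) <= 63 or not all(32 <= ord(c) <= 126 for c in psk):
        findings.append("psk: WPA2 passphrase must be 8 to 63 printable ASCII characters")
    elif psk == DOC_SAMPLE_PSK:
        findings.append("psk: passphrase is the sample value printed in the guide")
    return findings


if __name__ == "__main__":
    for label, plan in (("page plan", PAGE_PLAN), ("drifted plan", drifted_plan())):
        print(label)
        for finding in validate_plan(plan) or ["OK"]:
            print("  ", finding)
```

Run against the plan as printed, the only finding is that the passphrase is the guide's published sample, which a deployment should replace with its own value.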


5.5.13 Example for Configuring Common Mesh Services

Service Requirements
An enterprise needs to establish Mesh wireless backhaul links in different areas to expand
wireless coverage and reduce wired deployment costs.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul mode: Mesh portal-node
• Backhaul radio: 5 GHz radio

Figure 5-27 Networking for configuring mesh services

Data Planning

Table 5-29 AP data planning

AP        Type       MAC Address
area_1    AP8130DN   60de-4476-e360
area_2    AP8130DN   dcd2-fc04-b500
area_3    AP8130DN   60de-4474-9640

Table 5-30 AC data planning

Item                        Data

Management VLAN for APs     VLAN 100

DHCP server                 The AC functions as a DHCP server to assign IP addresses to
                            APs.

IP address pool for APs     10.23.100.2-10.23.100.254/24

AC's source interface       VLANIF 100: 10.23.100.1/24

Mesh profile name           Name: mesh-net

Mesh role                   • area_1: Mesh-portal (MPP)
                            • area_2: Mesh-node (MP)
                            • area_3: Mesh-node (MP)

Mesh ID                     Name: mesh-net

Radio used by Mesh          Radio 1:
services                    • Bandwidth: 40 MHz-plus
                            • Channel: 157
                            • WDS/Mesh bridge distance: 4 (unit: 100 m)

Security profile            • Security policy: WPA2+PSK+AES
                            • Password type: PASS-PHRASE
                            • Password: a1234567

AP group                    • ap-group1: area_1
                            • ap-group2: area_2 and area_3

Configuration Roadmap
1. Configure network connectivity and enable the AP (MPP) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B and Area C to go online on the
AC through Mesh links.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
  Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
• On a Mesh network, radios of APs with 802.11ac chips can interconnect only with radios
  of neighbors with 802.11ac chips, and radios of APs with 802.11n chips can interconnect
  only with radios of neighbors with 802.11n chips. Table 5-31 lists types of chips used by
  AP models.

Table 5-31 Chips used by AP radios

AP Model        Radio 0              Radio 1              Radio 2
R250D-E         Mesh not supported   Mesh not supported   N/A
R250D           Mesh not supported   Mesh not supported   N/A
R240D           Mesh not supported   Mesh not supported   N/A
R230D           Mesh not supported   Mesh not supported   N/A
AP9330DN        Mesh not supported   Mesh not supported   N/A
AP9132DN        802.11n              802.11ac             N/A
AP9131DN        802.11n              802.11ac             N/A
AP9130DN        802.11ac             802.11ac             N/A
AP8150DN        802.11ac             802.11ac             N/A
AP8130DN-W      802.11ac             802.11ac             N/A
AP8130DN        802.11ac             802.11ac             N/A
AP8050DN-S      802.11ac             802.11ac             N/A
AP8050DN        802.11ac             802.11ac             N/A
AP8030DN        802.11ac             802.11ac             N/A
AP7110SN-GN     802.11n              N/A                  N/A
AP7110DN-AGN    802.11n              802.11n              N/A
AP7050DN-E      802.11ac             802.11ac             N/A
AP7050DE        802.11ac             802.11ac             N/A
AP7030DE        Mesh not supported   Mesh not supported   N/A
AP6610DN-AGN    802.11n              802.11n              N/A
AP6510DN-AGN    802.11n              802.11n              N/A
AP6310SN-GN     Mesh not supported   N/A                  N/A
AP6150DN        802.11ac             802.11ac             N/A
AP6050DN        802.11ac             802.11ac             N/A
AP6010SN-GN     802.11n              N/A                  N/A
AP6010DN-AGN    802.11n              802.11n              N/A
AP5130DN        802.11n              802.11ac             N/A
AP5030DN        802.11n              802.11ac             N/A
AP5010SN-GN     802.11n              N/A                  N/A
AP5010DN-AGN    802.11n              802.11n              N/A
AP4151DN        802.11ac             802.11ac             N/A
AP4130DN        802.11n              802.11ac             N/A
AP4051DN        802.11ac             802.11ac             N/A
AP4050DN-HD     802.11ac             802.11ac             N/A
AP4050DN-E      802.11ac             802.11ac             N/A
AP4050DN-S      802.11ac             802.11ac             N/A
AP4050DN        802.11ac             802.11ac             N/A
AP4030TN        802.11n              802.11ac             Mesh not supported
AP4030DN        802.11n              802.11ac             N/A
AP2050DN-E      Mesh not supported   Mesh not supported   N/A
AP2050DN        Mesh not supported   Mesh not supported   N/A
AP2030DN        Mesh not supported   Mesh not supported   N/A
AP2010DN        Mesh not supported   Mesh not supported   N/A
AD9430DN-24     Mesh not supported   Mesh not supported   N/A
AD9430DN-12     Mesh not supported   Mesh not supported   N/A

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on Switch_B to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on Switch_A to VLAN 100, and GE0/0/2 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit

Step 2 Configure AC system parameters.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.


# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.


4. Configure the source address for the AC.


# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 3 Configure MPPs.
1. Choose Configuration > Config Wizard > Mesh.
2. Create the AP group ap-group1 for the MPP.
# In AP Group List, click Create. The Create AP Group page is displayed.
# Enter the AP group name ap-group1 and click OK.
3. Configure Mesh parameters for the MPP.
# In AP Group List, select the AP group ap-group1.
# Click the Service Settings tab and configure Mesh parameters.
– Set the Mesh role to Mesh-portal.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1 to
40+MHz, channel to 157, and WDS/Mesh bridge distance to 4.
– In Security Settings, set the password type to PASS-PHRASE, and enter and
confirm the password a1234567.


– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4476-e360, 60de-4474-9640, and dcd2-fc04-b500
are added to the Mesh whitelist.

# Click Apply. In the dialog box that is displayed, click OK.


4. Add MPPs.
# In AP Group List, select the AP group ap-group1.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Manually add and manually add MPPs.

# Click OK.
Step 4 Configure the MP.
1. Choose Configuration > Config Wizard > Mesh.
2. Create the AP group ap-group2 for the MP.
# In AP Group List, click Create. The Create AP Group page is displayed.
# Enter the AP group name ap-group2 and click OK.


3. Configure Mesh parameters for the MP.


# In AP Group List, select the AP group ap-group2.
# Click the Service Settings tab and configure Mesh parameters.
– Set the Mesh role to Mesh-node.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1 to
40+MHz, channel to 157, and WDS/Mesh bridge distance to 4.
– In Security Settings, set the password type to PASS-PHRASE, and enter and
confirm the password a1234567.

– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4476-e360, 60de-4474-9640, and dcd2-fc04-b500
are added to the Mesh whitelist.


# Click Apply. In the dialog box that is displayed, click OK.


4. Add MPs.
# In AP Group List, select the AP group ap-group2.
# On the AP List tab page, click Add. The Add AP page is displayed.
# Set Mode to Manually add and manually add MPs.

# Click OK.
Step 5 Verify the configuration.
1. Choose Configuration > Config Wizard > Mesh. In AP Group List, select ap-group1
and ap-group2 to check whether the AP status is normal. If so, the APs have gone
online on the AC through Mesh links.
2. Choose Monitoring > Mesh&WDS > Mesh Link Information to check Mesh link
information. After the Mesh links are successfully established, you can view detailed
information about the Mesh links on the page.


----End

5.5.14 Example for Configuring Dual-MPP Mesh Services


Service Requirements
If an enterprise needs to provide wireless network access services for different areas, multiple
Mesh Portal Points (MPPs) can be configured to work on different channels. This can reduce
MP contention for wireless channels, thus improving coverage performance.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• Wireless backhaul node: dual Mesh portal-node
• Backhaul radio: 5 GHz radio

Figure 5-28 Networking for configuring dual-MPP Mesh services


Data Planning

Table 5-32 AP data planning


AP Name    Type        MAC Address
AP_1       AP8130DN    60de-4474-9640
AP_2       AP8130DN    dcd2-fc04-b500
AP_3       AP8130DN    dcd2-fc96-e4c0
AP_4       AP8130DN    1047-80ac-cc60

Table 5-33 AC data planning


Item                              Data
Management VLAN for APs           VLAN 100
DHCP server                       The AC functions as a DHCP server to assign IP addresses to APs.
IP address pool for APs           10.23.100.2-10.23.100.254/24
AC's source interface             VLANIF 100: 10.23.100.1/24
Mesh profile                      • Name: mesh-net
Mesh role                         • AP_1: Mesh-portal (MPP)
                                  • AP_2: Mesh-portal (MPP)
                                  • AP_3: Mesh-node (MP)
                                  • AP_4: Mesh-node (MP)
Mesh ID                           Name: mesh-net
Regulatory domain profile         • Name: default
                                  • Country code: CN
Radio used by Mesh services       Radio 1:
                                  • Bandwidth: 40 MHz-plus
                                  • Channel: 157
                                  • WDS/Mesh bridge distance: 4 (unit: 100 m)
Security profile                  • Security policy: WPA2+PSK+AES
                                  • Password type: PASS-PHRASE
                                  • Password: a1234567
AP group                          • mesh-mpp: AP_1 and AP_2
                                  • mesh-mp: AP_3 and AP_4


Configuration Roadmap
1. Configure network connectivity and enable APs (MPPs) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B to go online on the AC through
Mesh links.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
• During the configuration of a Mesh network with multiple MPPs, to enable MPs to set
up wireless links with multiple MPPs simultaneously, configure the MPPs to work on the
same channel.
• On a Mesh network, radios of APs with 802.11ac chips can interconnect only with radios
of neighbors with 802.11ac chips, and radios of APs with 802.11n chips can interconnect
only with radios of neighbors with 802.11n chips. Table 5-34 lists types of chips used by
AP models.

Table 5-34 Chips used by AP radios

AP Model        Radio 0               Radio 1               Radio 2
R250D-E         Mesh not supported    Mesh not supported    N/A
R250D           Mesh not supported    Mesh not supported    N/A
R240D           Mesh not supported    Mesh not supported    N/A
R230D           Mesh not supported    Mesh not supported    N/A
AP9330DN        Mesh not supported    Mesh not supported    N/A
AP9132DN        802.11n               802.11ac              N/A
AP9131DN        802.11n               802.11ac              N/A
AP9130DN        802.11ac              802.11ac              N/A
AP8150DN        802.11ac              802.11ac              N/A
AP8130DN-W      802.11ac              802.11ac              N/A
AP8130DN        802.11ac              802.11ac              N/A
AP8050DN-S      802.11ac              802.11ac              N/A
AP8050DN        802.11ac              802.11ac              N/A
AP8030DN        802.11ac              802.11ac              N/A
AP7110SN-GN     802.11n               N/A                   N/A
AP7110DN-AGN    802.11n               802.11n               N/A
AP7050DN-E      802.11ac              802.11ac              N/A
AP7050DE        802.11ac              802.11ac              N/A
AP7030DE        Mesh not supported    Mesh not supported    N/A
AP6610DN-AGN    802.11n               802.11n               N/A
AP6510DN-AGN    802.11n               802.11n               N/A
AP6310SN-GN     Mesh not supported    N/A                   N/A
AP6150DN        802.11ac              802.11ac              N/A
AP6050DN        802.11ac              802.11ac              N/A
AP6010SN-GN     802.11n               N/A                   N/A
AP6010DN-AGN    802.11n               802.11n               N/A
AP5130DN        802.11n               802.11ac              N/A
AP5030DN        802.11n               802.11ac              N/A
AP5010SN-GN     802.11n               N/A                   N/A
AP5010DN-AGN    802.11n               802.11n               N/A
AP4151DN        802.11ac              802.11ac              N/A
AP4130DN        802.11n               802.11ac              N/A
AP4051DN        802.11ac              802.11ac              N/A
AP4050DN-HD     802.11ac              802.11ac              N/A
AP4050DN-E      802.11ac              802.11ac              N/A
AP4050DN-S      802.11ac              802.11ac              N/A
AP4050DN        802.11ac              802.11ac              N/A
AP4030TN        802.11n               802.11ac              Mesh not supported
AP4030DN        802.11n               802.11ac              N/A
AP2050DN-E      Mesh not supported    Mesh not supported    N/A
AP2050DN        Mesh not supported    Mesh not supported    N/A
AP2030DN        Mesh not supported    Mesh not supported    N/A
AP2010DN        Mesh not supported    Mesh not supported    N/A
AD9430DN-24     Mesh not supported    Mesh not supported    N/A
AD9430DN-12     Mesh not supported    Mesh not supported    N/A

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on Switch_A to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit

# Add GE0/0/1, GE0/0/2, and GE0/0/3 on Switch_B to VLAN 100. The default VLAN of
GE0/0/1 and GE0/0/2 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] port-isolate enable
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/3
[Switch_B-GigabitEthernet0/0/3] port link-type trunk
[Switch_B-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/3] quit


Step 2 Configure AC system parameters.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.

# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnections.

# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.

# Set the IP address of VLANIF 100 to 10.23.100.1/24. Set DHCP status to ON and
DHCP type to Interface address pool.


NOTE
Configure the DNS server address as required.

# Click OK. An address pool for VLANIF 100 is configured.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 3 Configure MPPs.
1. Choose Configuration > Config Wizard > Mesh.
2. Create the AP group mesh-mpp for the MPPs.
# In AP Group List, click Create. The Create AP Group page is displayed.
# Set the AP group name to mesh-mpp and click OK.
3. Configure Mesh parameters for the MPPs.
# In AP Group List, select the AP group mesh-mpp.
# Click the Service Settings tab and configure Mesh parameters.


– Set the Mesh role to Mesh-portal.


– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1 to
40+MHz, channel to 157, and WDS/Mesh bridge distance to 4.
– In Security Settings, set the password type to PASS-PHRASE, and enter and
confirm the password a1234567.

– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4474-9640, dcd2-fc04-b500, dcd2-fc96-e4c0, and
1047-80ac-cc60 are added. Click OK.


# After configuring Mesh parameters, click Apply. In the dialog box that is displayed,
click OK.
4. Add MPPs.

# In AP Group List, select the AP group mesh-mpp.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Manually add and manually add MPPs.

# In this example, APs with MAC addresses 60de-4474-9640 and dcd2-fc04-b500 are
added. Set AP ID to 1 and 2 for the APs respectively. Click OK. The APs are added as
MPPs.


Step 4 Configure MPs.


1. Choose Configuration > Config Wizard > Mesh.
2. Create the AP group mesh-mp for the MPs.
# In AP Group List, click Create. The Create AP Group page is displayed.
# Set the AP group name to mesh-mp and click OK.
3. Configure Mesh parameters for the MPs.
# In AP Group List, select the AP group mesh-mp.
# Click the Service Settings tab and configure Mesh parameters.
– Set the Mesh role to Mesh-node.
– Set the Mesh ID to mesh-net.
– Select Radio 1 as the radio used by Mesh links. Set the bandwidth of radio 1 to
40+MHz, channel to 157, and WDS/Mesh bridge distance to 4.
– In Security Settings, set the password type to PASS-PHRASE, and enter and
confirm the password a1234567.

– Click Edit in the Mesh whitelist area to add MAC addresses of Mesh nodes. In this
example, MAC addresses 60de-4474-9640, dcd2-fc04-b500, dcd2-fc96-e4c0, and
1047-80ac-cc60 are added. Click OK.


# After configuring Mesh parameters, click Apply. In the dialog box that is displayed,
click OK.
4. Add MPs.

# In AP Group List, select the AP group mesh-mp.

# On the AP List tab page, click Add. The Add AP page is displayed.

# Set Mode to Manually add and manually add MPs.

# In this example, APs with MAC addresses dcd2-fc96-e4c0 and 1047-80ac-cc60 are
added. Set AP ID to 3 and 4 for the APs respectively. Click OK. The APs are added as
MPs.


Step 5 Verify the configuration.


1. Choose Configuration > Config Wizard > Mesh. In AP Group List, select mesh-mpp
and mesh-mp to check whether the status of APs in the AP list is normal. If the AP
status is normal, the APs have gone online on the AC through Mesh links.
2. Choose Monitoring > Mesh&WDS > Mesh Link Information and check information
about Mesh links. After the WDS links are successfully established, you can view details
about the WDS links on the following page.

----End
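
Added example (not part of the Huawei guide): the Python sketch below cross-checks the data plan of this dual-MPP example before it is entered on the web platform. It verifies that the Mesh whitelist matches the planned APs, that the Mesh radios share one chip type (Table 5-34), that the MPPs share a channel, and that the passphrase is not the sample value printed above. The function names and the layout of PLAN are assumptions made for this example; the 8 to 63 character limit is the WPA2 passphrase length, not a value taken from this guide.

```python
import re

# Radio chip types for a few models, copied from Table 5-34 (None = Mesh not supported).
RADIO_CHIPS = {
    "AP8130DN": {0: "802.11ac", 1: "802.11ac"},
    "AP5030DN": {0: "802.11n", 1: "802.11ac"},
    "AP6010DN-AGN": {0: "802.11n", 1: "802.11n"},
    "AP2030DN": {0: None, 1: None},
}

# Table 5-32 and Table 5-33 typed in as data; the dictionary layout is an assumption.
PLAN = [
    {"name": "AP_1", "model": "AP8130DN", "mac": "60de-4474-9640", "role": "Mesh-portal", "channel": 157},
    {"name": "AP_2", "model": "AP8130DN", "mac": "dcd2-fc04-b500", "role": "Mesh-portal", "channel": 157},
    {"name": "AP_3", "model": "AP8130DN", "mac": "dcd2-fc96-e4c0", "role": "Mesh-node", "channel": 157},
    {"name": "AP_4", "model": "AP8130DN", "mac": "1047-80ac-cc60", "role": "Mesh-node", "channel": 157},
]
WHITELIST = ["60de-4474-9640", "dcd2-fc04-b500", "dcd2-fc96-e4c0", "1047-80ac-cc60"]
SAMPLE_PASSWORDS = {"a1234567"}  # passphrase printed in this guide


def norm_mac(mac):
    """Normalize aa:bb:.., aa-bb-.. or aabb.ccdd.eeff to the xxxx-xxxx-xxxx form used here."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def validate_mesh_plan(aps, whitelist, passphrase, mesh_radio=1):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []

    # 1. Whitelist must contain exactly the planned Mesh nodes.
    planned = {norm_mac(ap["mac"]): ap["name"] for ap in aps}
    listed = {norm_mac(m) for m in whitelist}
    for mac in sorted(set(planned) - listed):
        findings.append(f"whitelist: {planned[mac]} ({mac}) is planned but not whitelisted")
    for mac in sorted(listed - set(planned)):
        findings.append(f"whitelist: {mac} is whitelisted but not in the AP plan")

    # 2. 802.11ac radios interconnect only with 802.11ac radios, 802.11n only with 802.11n.
    chips = {}
    for ap in aps:
        radios = RADIO_CHIPS.get(ap["model"])
        if radios is None:
            findings.append(f"radio: {ap['name']} model {ap['model']} is not in the chip table")
        elif radios.get(mesh_radio) is None:
            findings.append(f"radio: {ap['name']} ({ap['model']}) has no Mesh support on radio {mesh_radio}")
        else:
            chips.setdefault(radios[mesh_radio], []).append(ap["name"])
    if len(chips) > 1:
        detail = "; ".join(f"{chip}: {', '.join(names)}" for chip, names in sorted(chips.items()))
        findings.append(f"radio: mixed chip types cannot interconnect ({detail})")

    # 3. MPs can link to several MPPs at once only if the MPPs share a channel.
    mpp_channels = {ap["channel"] for ap in aps if ap["role"] == "Mesh-portal"}
    if len(mpp_channels) > 1:
        findings.append(f"channel: MPPs use different channels {sorted(mpp_channels)}")

    # 4. Pre-shared key hygiene.
    if not 8 <= len(passphrase) <= 63:
        findings.append("psk: WPA2 passphrase must be 8 to 63 characters")
    if passphrase in SAMPLE_PASSWORDS:
        findings.append("psk: passphrase is the sample value printed in the guide")
    return findings


if __name__ == "__main__":
    for finding in validate_mesh_plan(PLAN, WHITELIST, "a1234567"):
        print(finding)
```

Run against the plan exactly as printed, the only finding is the sample passphrase; a stale whitelist entry left over from an earlier deployment or an AP model swap shows up as a whitelist or radio finding.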

5.6 AP's Wired Interface Configuration Examples


5.6.1 Example for Configuring an Eth-Trunk on an AP's Wired Uplink Interfaces
Service Requirements
The administrator wants to configure an Eth-Trunk on an AP's wired uplink interfaces to
ensure uplink reliability.

Networking Requirements
• AC networking mode: Layer 2 inline mode
• Service data forwarding mode: tunnel forwarding

Figure 5-29 Networking for configuring an Eth-Trunk on an AP's wired uplink interfaces


Data Planning

Table 5-35 AC data planning


Item                              Data
Management VLAN for APs           VLAN 100
AP wired port profile             • Name: wired-port1
                                  • Eth-Trunk: Eth-Trunk0
AP group                          • Name: ap-group1
                                  • Referenced profile: AP wired port profile wired-port1

Configuration Roadmap
1. Configure an Eth-Trunk on a switch.
2. Configure an Eth-Trunk for an AP on the AC.
3. Restart the AP.
4. Connect the switch and AP physically.

Configuration Notes
• This example is applicable to an AP with two or more wired uplink interfaces.
• This example assumes that the AP has gone online and describes how to configure an
Eth-Trunk on the wired uplink interfaces of the AP. Before physical connections,
configure the Eth-Trunk. Otherwise, a loop will occur on the network, causing the AP to
go offline.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Check AP information.


Check Item               Operation on the Web Platform             Data
Check the AP's group.    Choose Monitoring > AP > AP Statistics    AP group name: ap-group1
                         Collection. Check the AP's group in       AP name: AP1
                         AP List.

Step 2 Configure an Eth-Trunk on the switch.

# Create Eth-Trunk1, and add GE0/0/1 and GE0/0/2 to Eth-Trunk1.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface eth-trunk 1
[Switch-Eth-Trunk1] description Connect to AP1
[Switch-Eth-Trunk1] port link-type trunk
[Switch-Eth-Trunk1] port trunk pvid vlan 100
[Switch-Eth-Trunk1] port trunk allow-pass vlan 100
[Switch-Eth-Trunk1] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk1] port-isolate enable
[Switch-Eth-Trunk1] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] eth-trunk 1
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] eth-trunk 1
[Switch-GigabitEthernet0/0/2] quit

Step 3 Configure an Eth-Trunk for the AP on the AC.


1. Create Eth-Trunk0.

# Choose Configuration > AC Config > Interface > Eth-Trunk. The Eth-Trunk page
is displayed.

# In Eth-Trunk Interface List, click Create. The Create Eth-Trunk page is displayed.

# Create Eth-Trunk0 and configure the interface description.

# Click OK.
2. Create VLAN 100 and add Eth-Trunk0 to it.

# Choose Configuration > AC Config > VLAN > VLAN. The VLAN page is
displayed.

# Click Create. The Create VLAN page is displayed.

# Create VLAN 100. In Available Interface List, select Eth-Trunk0 and click

. On the Modify Link Type page, set Link type to Trunk and click OK.


# Click OK.
3. Create wired port profile wired-port1, and add GE0 and GE1 on the AP to Eth-Trunk0.
# Choose Configuration > AP Config > AP Group > AP Group.
# In the AP group list, select AP group ap-group1. Choose AP > AP Wired Port
Settings. The AP Wired Port Configuration List page is displayed.
# Select GE0. The GE0 configuration page is displayed.
# Click Create and create AP wired port profile wired-port1. Click OK to return to the
GE0 configuration page.
# Set Enable Eth-Trunk to ON.

# Click OK. In the dialog box that is displayed, click OK.


# Bind AP wired port profile wired-port1 to GE1 in the same way, and set Enable Eth-Trunk
to ON for GE1.
Step 4 Restart the AP.
NOTE

The configuration on the AP's wired interfaces takes effect only after the AP is restarted.

# Choose Maintenance > AP Maintenance > AP Restart.


# Select AP1 and click Restart. In the dialog box that is displayed, click OK to restart the AP.
Step 5 Connect the switch and AP physically.

----End
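
Added example (not part of the Huawei guide): a Python sketch that parses a switch CLI transcript like the one in Step 2 and checks the AP-facing Eth-Trunk against what this example configures: trunk link type, default VLAN equal to the management VLAN, VLAN 1 removed, port isolation enabled, and at least two member links. The function names and the second, weakened transcript are constructed for illustration, and the check assumes that a trunk permits VLAN 1 until it is explicitly removed.

```python
import re

PROMPT = re.compile(r"^(?:\[[^\]]+\]|<[^>]+>)\s*(.*)$")  # "[Switch-Eth-Trunk1] cmd", "<HUAWEI> cmd"
IFACE = re.compile(r"^interface\s+([a-z-]+)\s*([\d/]+)$")
ALLOW = "port trunk allow-pass vlan "
DENY = "undo port trunk allow-pass vlan "

# Step 2 transcript of this example, verbatim.
PAGE_TRANSCRIPT = """\
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100
[Switch] interface eth-trunk 1
[Switch-Eth-Trunk1] description Connect to AP1
[Switch-Eth-Trunk1] port link-type trunk
[Switch-Eth-Trunk1] port trunk pvid vlan 100
[Switch-Eth-Trunk1] port trunk allow-pass vlan 100
[Switch-Eth-Trunk1] undo port trunk allow-pass vlan 1
[Switch-Eth-Trunk1] port-isolate enable
[Switch-Eth-Trunk1] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] eth-trunk 1
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] eth-trunk 1
[Switch-GigabitEthernet0/0/2] quit
"""

# Constructed variant: PVID, VLAN 1 removal and port isolation omitted, one member link.
WEAK_TRANSCRIPT = """\
[Switch] interface eth-trunk 1
[Switch-Eth-Trunk1] port link-type trunk
[Switch-Eth-Trunk1] port trunk allow-pass vlan 100
[Switch-Eth-Trunk1] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] eth-trunk 1
[Switch-GigabitEthernet0/0/1] quit
"""

def parse_transcript(text):
    """Group the commands of a CLI transcript by the interface view they were typed in."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or not m.group(1):
            continue
        cmd = " ".join(m.group(1).lower().split())
        im = IFACE.match(cmd)
        if im:
            current = im.group(1) + im.group(2)  # e.g. "eth-trunk1"
            ifaces.setdefault(current, [])
        elif cmd == "quit":
            current = None
        elif current is not None:
            ifaces[current].append(cmd)
    return ifaces

def parse_vlans(spec):
    """'100 101', '10 to 12' or 'all' -> set of VLAN IDs."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_ap_port(transcript, port, mgmt_vlan):
    """Return findings for one AP-facing port; an empty list means all checks passed."""
    ifaces = parse_transcript(transcript)
    key = port.lower().replace(" ", "")
    if key not in ifaces:
        return [f"{port}: no configuration found"]
    cmds, findings = ifaces[key], []
    vlans = {1}  # assumption: a trunk permits VLAN 1 until it is removed
    for cmd in cmds:  # apply allow/undo in the order they were typed
        if cmd.startswith(ALLOW):
            vlans |= parse_vlans(cmd[len(ALLOW):])
        elif cmd.startswith(DENY):
            vlans -= parse_vlans(cmd[len(DENY):])
    if "port link-type trunk" not in cmds:
        findings.append("link type is not trunk")
    if f"port trunk pvid vlan {mgmt_vlan}" not in cmds:
        findings.append(f"default VLAN (PVID) is not management VLAN {mgmt_vlan}")
    if mgmt_vlan not in vlans:
        findings.append(f"management VLAN {mgmt_vlan} is not permitted")
    if 1 in vlans and mgmt_vlan != 1:
        findings.append("VLAN 1 is still permitted")
    if "port-isolate enable" not in cmds:
        findings.append("port isolation is not enabled")
    if key.startswith("eth-trunk"):
        members = [n for n, c in ifaces.items() if "eth-trunk " + key[9:] in c]
        if len(members) < 2:
            findings.append(f"only {len(members)} member link(s)")
    return findings
```

The transcript from Step 2 passes every check; the constructed variant is reported for the missing PVID, the retained VLAN 1, the missing port isolation and the single member link.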

5.7 Authentication Configuration Examples


5.7.1 Example for Configuring External Portal Authentication
Service Requirements
To improve WLAN security, an enterprise uses the external Portal authentication mode to
control user access.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: External Portal authentication
• Security policy: open


Figure 5-30 Networking for configuring external Portal authentication

Data Planning

Table 5-36 AC data planning


Item                              Data
Management VLAN for APs           VLAN100
Service VLAN for STAs             VLAN101
DHCP server                       The AC functions as a DHCP server to assign IP addresses to APs.
                                  SwitchB functions as a DHCP server to assign IP addresses to STAs. The
                                  default gateway address of STAs is 10.23.101.2.
IP address pool for APs           10.23.100.2-10.23.100.254/24
IP address pool for STAs          10.23.101.3-10.23.101.254/24
AC's source interface address     VLANIF100: 10.23.100.1/24
AP group                          • Name: ap-group1
                                  • Referenced profile: VAP profile wlan-net and regulatory domain profile
                                    default
Regulatory domain profile         • Name: default
                                  • Country code: China
SSID profile                      • Name: wlan-net
                                  • SSID name: wlan-net
Security profile                  • Name: wlan-net
                                  • Security policy: open
RADIUS authentication             Name of the RADIUS authentication scheme: wlan-net
parameters                        Name of the RADIUS accounting scheme: wlan-net
                                  Name of the RADIUS server template: wlan-net
                                  • IP address: 10.23.102.1
                                  • Authentication port number: 1812
                                  • Shared key: Huawei123
Portal server template            • Name: wlan-net
                                  • IP address: 10.23.103.1
                                  • Destination port number in the packets that the AC sends to the Portal
                                    server: 50200
                                  • Portal shared key: Huawei123
Portal access profile             • Name: wlan-net
                                  • Referenced profile: Portal server template wlan-net
Authentication-free rule          • Name: default_free_rule
profile                           • Authentication-free resource: IP address of the DNS server (8.8.8.8)
Authentication Profile            • Name: wlan-net
                                  • Referenced profile: Portal access profile wlan-net, RADIUS Server
                                    profile wlan-net, authentication-free rule profile default_free_rule and
                                    authentication scheme wlan-net
VAP profile                       • Name: wlan-net
                                  • Forwarding mode: tunnel forwarding
                                  • Service VLAN: VLAN 101
                                  • Referenced profile: SSID profile wlan-net, security profile wlan-net and
                                    Authentication profile wlan-net

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and external Portal authentication on the AC using the
WLAN configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Configure third-party server interconnection parameters.
7. Complete service verification.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.


# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON and DHCP
type to Interface address pool.


# Click OK. An address pool for VLANIF 100 is configured.


# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Configure the default route and set its next hop address to 10.23.101.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Portal (applicable to enterprise networks) and deselect MAC
address-prioritized. Under External Portal Server Configuration, set the server name, IP
address, shared key, port number, and server URL. Under External RADIUS Server
Configuration, set the server name, port number, authentication server IP address, and shared
key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Configure network resources accessible to authentication-free users.


1. Choose Configuration > AP Config > AP Group.
2. In the AP group list, click ap-group1. Choose VAP Configuration > wlan-net >
Authentication Profile > Authentication-free Rule Profile. The Authentication-free
Rule Profile page is displayed.
3. Set Authentication-free Rule Profile to default_free_rule.


4. Select Authentication-free Rule in Control mode.


5. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule
ID to 1 and the authentication-free resource to the IP address of the DNS server.

6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Configure third-party server interconnection parameters.
For interconnection with the Agile Controller-Campus, see "Example for Configuring Portal
Authentication (Including MAC Address-Prioritized Portal Authentication) for Wireless
Users" in the Agile Controller-Campus Typical Configuration Examples.
For interconnection with other third-party servers, see the corresponding product manual.
Step 8 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.


3. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.
4. When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.

----End

5.7.2 Example for Configuring Built-in Portal Authentication for Local Users

Service Requirements
To improve WLAN security, an enterprise uses the Portal authentication mode. To reduce
costs, the enterprise deploys an AC as the Portal server and uses the local authentication mode
so that authentication is performed on the AC.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: built-in Portal authentication
• Security policy: open

Figure 5-31 Networking for configuring built-in Portal authentication for local users

Data Planning

Table 5-37 AC data planning


| Item | Data |
|---|---|
| Management VLAN for APs | VLAN 100 |
| Service VLAN for STAs | VLAN 101 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway address of STAs is 10.23.101.2. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.3-10.23.101.254/24 |
| AC's source interface | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: open |
| Local user | User name: guest; Password: guest@123 |
| Authentication scheme | Name: wlan-net; Authentication scheme: local |
| Portal access profile | Name: wlan-net; The built-in Portal server is used (Server IP: 10.23.101.1; SSL policy: default_policy; Port number: 20000) |
| Authentication-free rule profile | Name: default_free_rule; Authentication-free resource: IP address of the DNS server (8.8.8.8) |
| Authentication Profile | Name: wlan-net; Referenced profiles: Portal access profile wlan-net, authentication-free rule profile default_free_rule, and authentication scheme wlan-net |
| VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net, security profile wlan-net, and Authentication profile wlan-net |


Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and built-in Portal authentication on the AC using the WLAN
configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Complete service verification.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.


<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.
# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON and DHCP
type to Interface address pool.

# Click OK. An address pool for VLANIF 100 is configured.


# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.


# Configure the default route and set its next hop address to 10.23.101.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.


# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.

# On the page that displays the template import result, click OK.

# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Portal (applicable to enterprise networks) and Portal server to
Built-in Portal server. Under Built-in Portal Server Configuration, configure the server IP
address and port number.


# Click Manage next to Local user. The Local User page is displayed.
# Click Create. The Create Local User page is displayed.
# Set Creation mode to Manually add and configure the local user name and password.

# Click OK.
# On the Create Local User page, select the new user and click OK.
# Click Next. The Access Control page is displayed.
# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Configure network resources accessible to authentication-free users.
1. Choose Configuration > AP Config > AP Group.
2. In the AP group list, click ap-group1. Choose VAP Configuration > wlan-net >
Authentication Profile > Authentication-free Rule Profile. The Authentication-free
Rule Profile page is displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Select Authentication-free Rule in Control mode.
5. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule
ID to 1 and the authentication-free resource to the IP address of the DNS server.


6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

3. When a user browses a web page, the browser automatically redirects the user to the
Portal authentication page. After entering the correct user name and password, the user
passes the authentication and can access the web page.


4. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.

----End
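
The Configuration Notes and the Step 1 switch commands above can be checked mechanically. The following Python script is an added example, not part of the Huawei document: it parses a session transcript in the prompt format shown in Step 1 and reports AP-facing ports that lack port-isolate enable, use a PVID other than the management VLAN, or explicitly permit the service VLAN toward the APs in tunnel forwarding mode. The function names and the drifted transcript are constructed for illustration, and handling of "to" ranges and "all" in allow-pass goes beyond the commands shown on this page.

```python
import re

# Prompt format used in Step 1: "[Device-Interface] command".
# Device names containing a hyphen are not handled by this sketch.
PROMPT = re.compile(r"^\[[^\]-]+-(?P<ifname>[^\]]+)\]\s+(?P<cmd>.+?)\s*$")

# SwitchA interface lines as given in Step 1.
SWITCH_A_STEP1 = """\
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
"""

# Constructed drift: isolation dropped and the service VLAN added toward the AP.
SWITCH_A_DRIFTED = """\
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[SwitchA-GigabitEthernet0/0/1] quit
"""


def parse_vlans(tokens):
    """Expand allow-pass arguments: single IDs, 'A to B' ranges, or 'all'."""
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_interfaces(transcript):
    """Collect per-interface settings from interface-view prompt lines."""
    ports = {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # system-view lines such as "[SwitchA] vlan batch 100"
        # "allow" holds only VLANs explicitly permitted in the transcript.
        port = ports.setdefault(
            m["ifname"], {"pvid": 1, "allow": set(), "isolate": False})
        words = m["cmd"].split()
        if words[:4] == ["port", "trunk", "pvid", "vlan"]:
            port["pvid"] = int(words[4])
        elif words[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            port["allow"] |= parse_vlans(words[4:])
        elif words == ["port-isolate", "enable"]:
            port["isolate"] = True
    return ports


def audit(transcript, ap_ports, mgmt_vlan, service_vlan):
    """Return findings for AP-facing ports in tunnel forwarding mode."""
    findings = []
    if mgmt_vlan == service_vlan:
        findings.append("management VLAN and service VLAN must differ")
    ports = parse_interfaces(transcript)
    for name in ap_ports:
        port = ports.get(name)
        if port is None:
            findings.append(f"{name}: no interface configuration found")
            continue
        if not port["isolate"]:
            findings.append(f"{name}: port-isolate enable missing")
        if port["pvid"] != mgmt_vlan:
            findings.append(f"{name}: PVID {port['pvid']} is not the management VLAN")
        if service_vlan in port["allow"]:
            findings.append(f"{name}: service VLAN {service_vlan} permitted toward APs")
        extra = port["allow"] - {mgmt_vlan, service_vlan}
        if extra:
            findings.append(f"{name}: {len(extra)} unplanned VLAN(s) permitted")
    return findings


if __name__ == "__main__":
    for label, text in (("Step 1", SWITCH_A_STEP1), ("drifted", SWITCH_A_DRIFTED)):
        print(label, audit(text, ["GigabitEthernet0/0/1"], 100, 101) or "OK")
```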

5.7.3 Example for Configuring MAC Address-prioritized Portal Authentication

Service Requirements
To improve WLAN security, an enterprise uses the MAC address-prioritized Portal
authentication mode to control user access.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.
• Service data forwarding mode: tunnel forwarding
• Authentication mode: MAC address-prioritized Portal authentication
• Security policy: open


Figure 5-32 Networking for configuring MAC address-prioritized Portal authentication

Data Planning

Table 5-38 AC data planning


| Item | Data |
|---|---|
| Management VLAN for APs | VLAN100 |
| Service VLAN for STAs | VLAN101 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway address of STAs is 10.23.101.2. |
| IP address pool for APs | 10.23.100.2–10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.3–10.23.101.254/24 |
| AC's source interface address | VLANIF100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profile: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: open |
| RADIUS authentication parameters | Name of the RADIUS authentication scheme: wlan-net; Name of the RADIUS accounting scheme: wlan-net; Name of the RADIUS server template: wlan-net (IP address: 10.23.102.1; Authentication port number: 1812; Shared key: Huawei123) |
| Portal server template | Name: wlan-net; IP address: 10.23.103.1; Destination port number in the packets that the AC sends to the Portal server: 50200; Portal shared key: Huawei123 |
| Portal access profile | Name: wlan-net; Referenced profile: Portal server template wlan-net |
| MAC access profile | Name: wlan-net |
| Authentication-free rule profile | Name: default_free_rule; Authentication-free resource: IP address of the DNS server (8.8.8.8) |
| Authentication Profile | Name: wlan-net; Referenced profile: Portal access profile wlan-net, MAC access profile wlan-net, RADIUS server template wlan-net, authentication-free rule profile default_free_rule and authentication scheme wlan-net |
| VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profile: SSID profile wlan-net, security profile wlan-net and Authentication profile wlan-net |

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Configure WLAN services and MAC address-prioritized Portal authentication on the AC
using the WLAN configuration wizard.
5. Configure authentication-free rules for an AP group.
6. Complete service verification.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 2 Configure a DHCP server to assign IP addresses to STAs and specify the gateway for the
STAs.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] dhcp server dns-list 8.8.8.8
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.
# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.


# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure interfaces.
# Select GigabitEthernet0/0/1 and expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 101
(service VLAN).
NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs
to management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.


# Click Next. The Network Interconnection Configuration page is displayed.
3. Configure network interconnections.
# Click Create under Interface Configuration. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON and DHCP
type to Interface address pool.


# Click OK. An address pool for VLANIF 100 is configured.


# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Configure the default route and set its next hop address to 10.23.101.2.

# Click OK.
# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for the AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.


# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.
# Click Next. The Group APs page is displayed.
# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.


# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure WLAN services.

# Click Create. The Basic Information page is displayed.

# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.

# Set Security settings to Portal (applicable to enterprise networks) and select MAC
address-prioritized. Under External Portal Server Configuration, set the server name, IP
address, shared key, port number, and server URL. Under External RADIUS Server
Configuration, set the server name, authentication server IP address, and shared key.

# Click Next. The Access Control page is displayed.

# Set Binding the AP group to ap-group1.

# Click Finish.

Step 6 Configure network resources accessible to authentication-free users.


1. Choose Configuration > AP Config > AP Group.
2. In the AP group list, click ap-group1. Choose VAP Configuration > wlan-net >
Authentication Profile > Authentication-free Rule Profile. The Authentication-free
Rule Profile page is displayed.
3. Set Authentication-free Rule Profile to default_free_rule.
4. Select Authentication-free Rule in Control mode.


5. Click Create. On the Create Authentication-free Rule page that is displayed, set Rule
ID to 1 and the authentication-free resource to the IP address of the DNS server.

6. Click OK.
7. Select the authentication-free rule with the ID 1 and click Apply. In the dialog box that
is displayed, click OK.
Step 7 Verify the configuration.
1. The WLAN with the SSID wlan-net is available.
2. The STA can associate with the WLAN and obtain an IP address 10.23.101.x/24, and its
gateway address is 10.23.101.2.

3. Choose Monitoring > User > User Statistics. In User List, set the search criteria to
SSID, enter wlan-net, and click . You can see that the STA goes online successfully
and obtains an IP address.


4. When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.
5. Assume that the MAC address validity period configured on the server is 60 minutes. If a
user is disconnected from the wireless network for 5 minutes and reconnects to the
network, the user can directly access the network. If a user is disconnected from the
wireless network for 65 minutes and reconnects to the network, the user will be
redirected to the Portal authentication page.

----End

5.7.4 Example for Configuring 802.1X Authentication


Service Requirements
When users attempt to access the WLAN, they can use 802.1x clients for authentication. After
entering the correct user names and passwords, users can connect to the Internet. Furthermore,
users' services are not affected during roaming in the coverage area.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• WLAN authentication mode: WPA-WPA2+802.1x+AES


Figure 5-33 Networking diagram for configuring 802.1x authentication

[Networking diagram: Internet, Router, SwitchB, AC, RADIUS server (10.23.103.1:1812),
SwitchA, AP, and two STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]


Data Planning

Table 5-39 Data planning on the AC


| Configuration Item | Data |
|---|---|
| Management VLAN | VLAN 100 |
| Service VLAN | VLAN 101 |
| AC's source interface | VLANIF 100: 10.23.100.1/24 |
| DHCP server | The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for the STAs | 10.23.101.2-10.23.101.254/24 |
| RADIUS authentication parameters | RADIUS server template name: wlan-net; IP address: 10.23.103.1; Authentication port number: 1812; Shared key: huawei@123; Authentication scheme: wlan-net |
| 802.1x access profile | Name: wlan-net; Authentication mode: EAP |
| Authentication profile | Name: wlan-net; Bound profile and authentication scheme: 802.1x access profile wlan-net, RADIUS server template wlan-net, and RADIUS authentication scheme wlan-net |
| AP group | Name: ap-group1; Bound profile: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: China |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+802.1x+AES |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net |

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure AC system parameters.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When configuring the
security policy, select 802.1X and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure third-party server interconnection parameters.
NOTE

The AC and server must have the same RADIUS shared key.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable


[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure ports.

# Select GigabitEthernet0/0/1. Expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 102.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnection.


# Under Interface Configuration, click Create. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON, and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.

# Click OK.
# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.103.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.102.1.

# Click OK.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click the icon next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.


# Click Next. The Group APs page is displayed.

# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.

Step 5 Configure WLAN services.
1. Click Create. The Basic Information page is displayed.
2. Set the SSID name, forwarding mode, and service VLAN ID.
3. Click Next. The Security Authentication page is displayed.
4. Set Security settings to 802.1x authentication, and configure parameters of the
external RADIUS server.
5. Click Next. The Access Control page is displayed.
6. Set Binding the AP group to ap-group1.
7. Click Finish.

Step 6 Set the AP channel and power.


1. Disable the automatic channel and power calibration functions.
NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Group > AP Group.

# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.

# Disable automatic channel and power calibration.


# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click the icon next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.

# Click Apply. In the dialog box that is displayed, click OK.


Step 7 Configure third-party server interconnection parameters.
• For interconnection with the Cisco ISE, see "Example for Configuring Wireless 802.1X
Authentication" in the Typical Configuration Examples-WLAN and the Cisco ISE Server
Interoperation Configuration Examples.
• For interconnection with the Aruba ClearPass, see "Example for Configuring Wireless
802.1X Authentication" in the Typical Configuration Examples-WLAN and the Aruba
ClearPass Server Interoperation Configuration Examples.
• For interconnection with the Agile Controller-Campus, see "Example for Configuring
Wireless 802.1X Authentication" in the Agile Controller-Campus Typical Configuration
Examples.
• For interconnection with other third-party servers, see the corresponding product manual.
Step 8 Verify the configuration.
• The WLAN with SSID wlan-net is available for STAs connected to the AP.
• The wireless PC obtains an IP address after it associates with the WLAN.
• Use the 802.1x authentication client on a STA and enter the correct user name and
password. The STA is authenticated and can access the WLAN. You must configure the
client for PEAP authentication.
– Configuration on the Windows XP operating system:
i. On the Association tab page of the Wireless network properties dialog box,
add SSID wlan-net, set the authentication mode to WPA2, and encryption
algorithm to AES.
ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
In the Protected EAP Properties dialog box, deselect Validate server
certificate and click Configure. In the displayed dialog box, deselect
Automatically use my Windows logon name and password and click OK.
– Configuration on the Windows 7 operating system:
i. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
ii. Click Change connection settings. On the Wireless Network Properties
page that is displayed, select the Security tab page and click Settings. In the
Protected EAP Properties dialog box, deselect Validate server certificate
and click Configure. In the displayed dialog box, deselect Automatically use
my Windows logon name and password and click OK.
iii. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication
mode, set the identity authentication mode to User authentication, and click
OK.

----End

5.7.5 Example for Configuring MAC Address Authentication


Service Requirements
MAC address authentication is used to authenticate dumb terminals such as wireless network
printers and wireless phones that cannot have an authentication client installed.

Networking Requirements
• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode: The AC functions as the DHCP server to assign IP addresses
to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding
• Authentication mode: open system authentication

Figure 5-34 Networking diagram for configuring MAC address authentication

[Networking diagram: Internet, Router, SwitchB, AC, RADIUS server (10.23.103.1:1812),
SwitchA, AP, and two STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]


Data Planning

Table 5-40 Data planning on the AC


| Configuration Item | Data |
|---|---|
| Management VLAN | VLAN 100 |
| Service VLAN | VLAN 101 |
| AC's source interface | VLANIF 100: 10.23.100.1/24 |
| DHCP server | The AC functions as the DHCP server to assign IP addresses to APs, and SwitchB functions as the DHCP server to assign IP addresses to STAs. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for the STAs | 10.23.101.2-10.23.101.254/24 |
| RADIUS authentication parameters | RADIUS server template name: wlan-net; IP address: 10.23.103.1; Authentication port number: 1812; Shared key: huawei@123; Authentication scheme: wlan-net |
| MAC access profile | Name: wlan-net |
| Authentication profile | Name: wlan-net; Bound profile and authentication scheme: MAC access profile wlan-net, RADIUS server template wlan-net, and authentication scheme wlan-net |
| AP group | Name: ap-group1; Bound profile: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: CN |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: open system authentication |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Bound profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile wlan-net |

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Select Config Wizard to configure AC system parameters.
3. Select Config Wizard to configure the APs to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When configuring the
security policy, select MAC and RADIUS authentication, and set the RADIUS server
parameters.
5. Configure third-party server interconnection parameters.
NOTE

The AC and server must have the same RADIUS shared key.
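
Why the shared keys must match, as an added example (not part of the Huawei document): the Python code below builds a RADIUS Access-Request the way a NAS such as the AC protects it under RFC 2865 and RFC 3579, then checks it on the server side with a matching and a mismatched key. The same NOTE appears in the 802.1X example and in this MAC address authentication example, and the code applies to both; the function names, the STA MAC address, the use of the MAC address as both user name and password, and the PAP-style User-Password attribute are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def _attr(attr_type, value):
    """Encode one attribute as type, length, value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _keystream_xor(data, secret, request_auth, decrypt):
    """RFC 2865 section 5.2 User-Password hiding, 16 bytes at a time."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        block = bytes(c ^ k for c, k in zip(chunk, key))
        out += block
        prev = chunk if decrypt else block  # always chain on the ciphertext block
    return out


def build_access_request(user, password, secret, identifier=1, request_auth=None):
    """NAS (AC) side: hide the password, then sign the whole packet."""
    request_auth = request_auth or os.urandom(16)
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    attrs = _attr(USER_NAME, user)
    attrs += _attr(USER_PASSWORD, _keystream_xor(padded, secret, request_auth, False))
    attrs += _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zeroed while signing
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()  # RFC 3579 section 3.2
    return packet[:-16] + mac  # Message-Authenticator is the last attribute


def server_check(packet, secret):
    """Server side: return (message_authenticator_ok, recovered_password)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    request_auth, zeroed = packet[4:20], bytearray(packet)
    received, password, offset = None, None, 20
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("truncated attribute")
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            raise ValueError("bad attribute length")
        value = packet[offset + 2:offset + attr_len]
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            received = value
            zeroed[offset + 2:offset + 18] = b"\x00" * 16
        elif attr_type == USER_PASSWORD:
            password = _keystream_xor(value, secret, request_auth, True).rstrip(b"\x00")
        offset += attr_len
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    ok = received is not None and hmac.compare_digest(received, expected)
    return ok, password


def demo():
    """Constructed sample: one request checked with a matching and a wrong key."""
    sta_mac = b"001122334455"   # constructed STA MAC address, not from the page
    ac_key = b"huawei@123"      # shared key from the data planning table
    request = build_access_request(sta_mac, sta_mac, ac_key,
                                   request_auth=bytes(range(16)))
    return {
        "same key": server_check(request, ac_key),
        "different key": server_check(request, b"huawei@124"),
    }


if __name__ == "__main__":
    for label, (ok, password) in demo().items():
        print(f"{label}: Message-Authenticator valid={ok}, password={password!r}")
```

RFC 3579 requires a server to silently discard a request whose Message-Authenticator does not verify, so a key mismatch typically appears on the NAS as an authentication timeout rather than as an Access-Reject.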

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100 and VLAN 102, GE0/0/3 to VLAN 103, and GE0/0/4 to VLAN 104. Create
VLANIF 102, VLANIF 103, and VLANIF 104, and configure a default route with the next
hop of the address of Router.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 to 104
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk pvid vlan 103
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[SwitchB-GigabitEthernet0/0/3] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk pvid vlan 104
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 104
[SwitchB-GigabitEthernet0/0/4] quit
[SwitchB] interface vlanif 102
[SwitchB-Vlanif102] ip address 10.23.102.1 24
[SwitchB-Vlanif102] quit
[SwitchB] interface vlanif 103
[SwitchB-Vlanif103] ip address 10.23.103.2 24
[SwitchB-Vlanif103] quit
[SwitchB] interface vlanif 104
[SwitchB-Vlanif104] ip address 10.23.104.1 24
[SwitchB-Vlanif104] quit
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.23.104.2

# Configure the IP address of GE0/0/1 on Router and a static route to the network segment for
STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 10.23.104.2 24
[Router-GigabitEthernet0/0/1] quit
[Router] ip route-static 10.23.101.0 24 10.23.104.1

Step 2 Configure a DHCP server to assign IP addresses to STAs.


# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs.


[SwitchB] dhcp enable


[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] quit

Step 3 Configure system parameters for the AC.


1. Perform basic AC configurations.

# Choose Configuration > Config Wizard > AC. The Basic AC Configuration page is
displayed.

# Set Country/Region based on actual situations. For example, set Country/Region to
China. Set System time to Manual and Date and time to PC Time.

# Click Next. The Port Configuration page is displayed.


2. Configure ports.

# Select GigabitEthernet0/0/1. Expand Batch Modify. Set Interface type to Trunk
and add GigabitEthernet0/0/1 to VLAN 100 (management VLAN) and VLAN 102.
NOTE

If the AC and AP are directly connected, set the default VLAN of the interface connected to the AP to
management VLAN 100.

# Click Apply. In the dialog box that is displayed, click OK.

# Click Next. The Network Interconnection Configuration page is displayed.


3. Configure network interconnection.


# Under Interface Configuration, click Create. The Create Interface Configuration
page is displayed.
# Set the IP address of VLANIF 100 to 10.23.100.1/24, DHCP status to ON, and
DHCP type to Interface address pool.

NOTE
Configure the DNS server address as required.

# Click OK.
# Set the IP address of VLANIF 102 to 10.23.102.2/24 in the same way.
# Under Static Route Table, click Create. The Create Static Route Table page is
displayed.
# Set Destination IP to 10.23.103.0, Subnet Mask to 24(255.255.255.0), and Next hop
address to 10.23.102.1.

# Click OK.


# Click Next.
# Click Next. The AC Source Address page is displayed.
4. Configure the source address for AC.
# Set AC source address to VLANIF. Click the browse button and select Vlanif100.

# Click Next. The Confirm Settings page is displayed.


5. Confirm the configuration.
# Confirm the configuration and click Continue With AP Online.
Step 4 Configure an AP to go online.
1. Configure an AP to go online.

# Click Batch Import. The Batch Import page is displayed. Click to download an
AP template file to your local computer.

# Fill in the AP template file with AP information according to the following example.
To add multiple APs, fill in the file with information of the APs.
– AP MAC: 60de-4476-e360
– AP SN: 210235419610CB002287
– AP Name: area_1
– AP Group: ap-group1
NOTE

– If you set AP authentication mode to MAC address authentication, the AP's MAC address is
mandatory and the AP's SN is optional.
– If you set AP authentication mode to SN authentication, the AP's SN is mandatory and the
AP's MAC address is optional.
You are advised to export the radio ID, AP channel, frequency bandwidth, and power planned on
WLAN Planner to a .csv file, and then enter them in the AP template file. Set the longitude and latitude
as required.

# Click the icon next to Import AP File, select the AP template file, and click Import.
# On the page that displays the template import result, click OK.


# Click Next. The Group APs page is displayed.


# AP group information has been added in the AP template file. Click Next. The
Confirm Configurations page is displayed.
2. Confirm the configuration.
# Confirm the configuration and click Continue With Wireless Service Configuration.
Step 5 Configure WLAN services.
# Click Create. The Basic Information page is displayed.
# Configure the SSID name, forwarding mode, and service VLAN ID.

# Click Next. The Security Authentication page is displayed.


# Set Security settings to Open (applicable to personal networks).
# Click Next. The Access Control page is displayed.
# Set Binding the AP group to ap-group1.
# Click Finish.
Step 6 Configure the RADIUS server.
# Choose Configuration > Security > AAA > RADIUS.
# Under RADIUS Server Profile, click Create. In the Create RADIUS Server Profile
dialog box that is displayed, configure the RADIUS server parameters.

# Click OK.
Step 7 Configure MAC address authentication.
1. Create the authentication profile wlan-net.
# Choose Configuration > AP Config > AP Group. The AP Group page is displayed.
# Click AP group ap-group1. The AP group configuration page is displayed.


# Choose VAP Configuration > wlan-net > Authentication Profile. The
Authentication Profile page is displayed.
# Click Create. On the Create Authentication Profile page that is displayed, enter the
profile name wlan-net and click OK. The authentication profile configuration page is
displayed.
# Click Apply.
2. Configure the MAC access profile wlan-net.

# Click the icon in front of Authentication Profile. Under it, click MAC Authentication
Profile. The MAC Authentication Profile page is displayed.
# Click Create. On the Create MAC Authentication Profile page that is displayed,
enter the profile name wlan-net and click OK. On the MAC authentication profile
configuration page that is displayed, configure the user name format for MAC address
authentication.

# Click Apply.
3. Configure the RADIUS authentication scheme wlan-net.

# Click the icon in front of Authentication Profile. Under it, click Authentication Scheme.
The Authentication Scheme page is displayed.
# Click Create. On the Create Authentication Scheme page that is displayed, enter the
profile name wlan-net and click OK. The authentication scheme configuration page is
displayed. Set First authentication to RADIUS authentication.

# Click Apply.
4. Bind the RADIUS profile wlan-net.

# Click the icon in front of Authentication Profile. Under it, click RADIUS Profile. The
RADIUS Profile page is displayed.
# Select the RADIUS profile wlan-net and click Apply.
Step 8 Set the AP channel and power.
1. Disable the automatic channel and power calibration functions.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and
power configurations take effect only when these two functions are disabled.

# Choose Configuration > AP Config > AP Group > AP Group.


# In the AP group list, click ap-group1. Choose Radio Management > Radio 0 > 2G
Radio Profile > RRM Profile. The RRM Profile page is displayed.
# Disable automatic channel and power calibration.

# Click Apply. In the dialog box that is displayed, click OK.


2. Manually configure the AP channel and power.
# Choose Configuration > AP Config > AP Config > AP Info. The AP List page is
displayed.
# Click the ID of the AP whose channel and power need to be configured. The AP
customized settings page is displayed.

# Click next to Radio Management. The profiles under Radio Management are
displayed.
# Click Radio0. The Radio 0 Settings(2.4G) page is displayed. Set the AP channel to
20-MHz channel 6 and the transmit power to 127 dBm. The configuration of radio 1 (20-
MHz channel 149) on the Radio 1 Settings page is similar to the configuration of radio
0 and is not mentioned here.


# Click Apply. In the dialog box that is displayed, click OK.

Step 9 Configure third-party server interconnection parameters.


l For interconnection with the Cisco ISE, see "Example for Configuring MAC Address
Authentication" in the Typical Configuration Examples-WLAN and the Cisco ISE Server
Interoperation Configuration Examples.
l For interconnection with the Aruba ClearPass, see "Example for Configuring MAC
Address Authentication" in the Typical Configuration Examples-WLAN and the Aruba
ClearPass Server Interoperation Configuration Examples.
l For interconnection with the Agile Controller-Campus, see "Example for Configuring
Wireless AC Address Authentication" in the Agile Controller-Campus Typical
Configuration Examples.
l For interconnection with other third-party servers, see the corresponding product manual.

Step 10 Verify the configuration.


l After dumb terminals associate with the WLAN, authentication is performed
automatically. After the terminals pass authentication, they can access the network.

----End

5.7.6 Example for Configuring MAC Authentication for Local Users

Service Requirements
Dumb terminals (such as printers) in the physical access control department cannot have an
authentication client installed. To meet the enterprise's security requirements, configure MAC
address authentication on the AC and use the local authentication mode to authenticate
identities of dumb terminals.

Networking Requirements
l AC networking mode: Layer 2 bypass mode
l DHCP deployment mode:
– The AC functions as a DHCP server to assign IP addresses to APs.
– The aggregation switch (SwitchB) functions as a DHCP server to assign IP
addresses to STAs.


l Service data forwarding mode: tunnel forwarding
l Authentication mode: MAC authentication
l Security policy: open

Figure 5-35 Networking for configuring MAC authentication for local users

Data Planning

Table 5-41 AC data planning


Item | Data
Management VLAN for APs | VLAN 100
Service VLAN for STAs | VLAN 101
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs. SwitchB functions as a DHCP server to assign IP addresses to STAs. The default gateway address of STAs is 10.23.101.2.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for STAs | 10.23.101.3-10.23.101.254/24
AC's source interface | VLANIF 100: 10.23.100.1/24
AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile default
Regulatory domain profile | Name: default; Country code: CN
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: open
Local authentication parameters | Name of the local authentication scheme: wlan-net; User name and password of the local user: 0011-2233-4455 and guest@123, respectively, which must be consistent with those in the MAC access profile; Access type of the local user: MAC
MAC access profile | Name: wlan-net; User name and password for MAC address authentication: A MAC address is used as the user name and the password is guest@123, which must be consistent with those in the local authentication parameters
Authentication profile | Name: wlan-net; Referenced profiles: MAC access profile wlan-net and authentication scheme wlan-net
VAP profile | Name: wlan-net; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net, security profile wlan-net and Authentication profile wlan-net

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, and other network devices.


2. Select Config Wizard to configure system parameters for the AC.
3. Select Config Wizard to configure the AP to go online on the AC.
4. Select Config Wizard to configure WLAN services on the AC. When configuring a
security policy, select MAC address authentication and local authentication. When
adding a local user, ensure that the user name is the same as the MAC address of the
user, and the password is the same as that configured in the MAC access profile.
Configure the planned password in the MAC access profile.
5. Complete service verification.
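
Step 4 of the roadmap requires each local user name to equal the terminal's MAC address in the planned form (0011-2233-4455) and the password to equal the one in the MAC access profile. The following added example (not part of the original document and not Huawei code) audits a list of local users against a terminal inventory before the entries are made on the AC. The function names, the inventory and the user entries are constructed, and lower-case hexadecimal letters in the user name are an assumption.

```python
import re

PROFILE_PASSWORD = "guest@123"   # password planned in the MAC access profile

def _hex(value):
    """Lower-case hex digits only, so different notations compare equal."""
    return re.sub(r"[^0-9a-f]", "", value.lower())

def mac_user_name(mac):
    """Render a MAC in the planned user-name form, e.g. 0011-2233-4455.
    Lower-case hex letters are an assumption; the planned sample has none."""
    digits = _hex(mac)
    if len(digits) != 12 or not re.fullmatch(r"[0-9A-Fa-f:.\- ]+", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))

def audit_local_users(inventory, local_users, profile_password=PROFILE_PASSWORD):
    """Return (item, problem) pairs for terminals that would fail MAC
    authentication and for local users that match no known terminal."""
    findings = []
    expected = {mac_user_name(mac): mac for mac in inventory}
    for name, mac in expected.items():
        user = local_users.get(name)
        if user is None:
            # A user stored in another notation never matches the planned name.
            alias = [u for u in local_users if _hex(u) == _hex(name)]
            findings.append((mac, f"stored as {alias[0]!r}, expected {name!r}"
                             if alias else f"no local user {name!r}"))
            continue
        if user["password"] != profile_password:
            findings.append((mac, "password differs from MAC access profile"))
        if user["access_type"] != "MAC":
            findings.append((mac, f"access type {user['access_type']!r}, expected 'MAC'"))
    known = {_hex(name) for name in expected}
    for name in local_users:
        if _hex(name) not in known:
            findings.append((name, "no matching terminal in inventory"))
    return findings

# Constructed sample data: terminal inventory and local users planned for the AC.
INVENTORY = ["00:11:22:33:44:55", "0011.2233.44AA", "00-11-22-33-44-66"]
LOCAL_USERS = {
    "0011-2233-4455": {"password": "guest@123", "access_type": "MAC"},
    "00-11-22-33-44-aa": {"password": "guest@123", "access_type": "MAC"},
    "0011-2233-4466": {"password": "guest123", "access_type": "MAC"},
    "0011-2233-4477": {"password": "guest@123", "access_type": "MAC"},
}

if __name__ == "__main__":
    for item, problem in audit_local_users(INVENTORY, LOCAL_USERS):
        print(f"{item}: {problem}")
```

The last finding type is the one to review regularly: a local user with no terminal behind it is an identity that any device presenting that MAC address could use.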

Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see 4.15.1.1 Multicast Packet
Suppression Is Not Configured, Causing Slow Network Access of STAs.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
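
The port isolation and VLAN separation notes above can be checked against a saved command transcript before deployment. This added example (not part of the original document and not Huawei code) parses interface-view prompts of the kind used in this document's switch configuration steps. The transcript is constructed, GigabitEthernet0/0/3 is a hypothetical second port, and treating the listed ports as AP-facing is an assumption.

```python
import re

# Matches interface-view prompts such as "[SwitchA-GigabitEthernet0/0/1] quit".
PROMPT = re.compile(r"^\[[^\]-]+-(?P<ifname>[^\]]+)\]\s*(?P<cmd>.+)$")

def parse_transcript(text):
    """Collect the commands typed in each interface view, keyed by interface name."""
    interfaces = {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m and m.group("cmd") != "quit":
            interfaces.setdefault(m.group("ifname"), []).append(m.group("cmd"))
    return interfaces

def check_plan(mgmt_vlan, service_vlan, forwarding, interfaces, ap_ports):
    """Return findings for the VLAN separation and port isolation notes."""
    findings = []
    if forwarding == "tunnel" and mgmt_vlan == service_vlan:
        findings.append("management VLAN and service VLAN are the same")
    for port in ap_ports:
        cmds = interfaces.get(port, [])
        if "port-isolate enable" not in cmds:
            findings.append(f"{port}: port isolation not enabled")
        allowed = set()
        for cmd in cmds:
            if cmd.startswith("port trunk allow-pass vlan "):
                # Individual VLAN IDs only; ranges ("100 to 110") are not expanded.
                allowed |= {int(v) for v in cmd.split()[4:] if v.isdigit()}
        extra = sorted(allowed - {mgmt_vlan})
        if forwarding == "tunnel" and extra:
            findings.append(f"{port}: carries VLAN {extra} besides management VLAN {mgmt_vlan}")
    return findings

# Constructed transcript: 0/0/1 follows the planned settings, 0/0/3 does not.
TRANSCRIPT = """
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/3] quit
"""

if __name__ == "__main__":
    ports = ["GigabitEthernet0/0/1", "GigabitEthernet0/0/3"]
    for finding in check_plan(100, 101, "tunnel", parse_transcript(TRANSCRIPT), ports):
        print(finding)
```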

Procedure
Step 1 Configure the network devices.

# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100. The default VLAN of GE0/0/1 is
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on SwitchB (aggregation switch) to VLAN 100, and GE0/0/2
and GE0/0/3 to VLAN 101.


<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB
