
S5700 and S6720 Series Ethernet Switches

V200R012C00

Configuration Guide - WLAN-AC

Issue 04
Date 2018-08-17

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2018. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or
representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://e.huawei.com

Issue 04 (2018-08-17) Copyright © Huawei Technologies Co., Ltd. i



About This Document

Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the WLAN feature supported by the device.
This document describes how to configure the WLAN feature. The
S5720HI&S5730HI&S6720HI are referred to as Access Controllers (ACs) in this document
to facilitate WLAN AC function descriptions unless otherwise stated.
This document is intended for:
• Data configuration engineers
• Commissioning engineers
• Network monitoring engineers
• System maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol | Description
NOTICE | Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
NOTE | Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.


Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention | Description
Boldface | The keywords of a command line are in boldface.
Italic | Command arguments are in italics.
[ ] | Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... } | Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ] | Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }* | Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]* | Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n> | The parameter before the & sign can be repeated 1 to n times.
# | A line starting with the # sign is a comment.

Interface Numbering Conventions


Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.

To obtain better user experience, you are advised to set the number of columns displayed on
the command line editor to 132 or higher.

Security Conventions
• Password setting
  – To ensure device security, use ciphertext when configuring a password and change the password periodically.
  – The switch considers all passwords starting and ending with %^%#, %#%#, %@%@ or @%@% as ciphertext and attempts to decrypt them. If you configure a plaintext password that starts and ends with %^%#, %#%#, %@%@ or @%@%, the switch decrypts it and records it into the configuration file (plaintext passwords are not recorded for the sake of security). Therefore, do not set a password starting and ending with %^%#, %#%#, %@%@ or @%@%.


  – When you configure passwords in ciphertext, different features must use different ciphertext passwords. For example, the ciphertext password set for the AAA feature cannot be used for other features.
• Encryption algorithms
  The switch currently supports 3DES, AES, RSA, SHA1, SHA2, and MD5. 3DES, RSA, and AES are reversible, whereas SHA1, SHA2, and MD5 are irreversible. Using the encryption algorithms DES, 3DES, RSA (RSA-1024 or lower), MD5 (in digital signature scenarios and password encryption), or SHA1 (in digital signature scenarios) is a security risk. If protocols allow, use more secure encryption algorithms, such as AES, RSA (RSA-2048 or higher), SHA2, or HMAC-SHA2.
  An irreversible encryption algorithm must be used for the administrator password. SHA2 is recommended for this purpose.
• Personal data
  Some personal data (such as MAC or IP addresses of terminals) may be obtained or used during operation or fault location of your purchased products, services, or features, so you have an obligation to make privacy policies and take measures according to the applicable law of the country to protect personal data.
• Mirroring
  The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this document are mentioned only to describe the product's function of communication error or failure detection, and do not involve collection or processing of any personal information or communication data of users.

Disclaimer
This document is designed as a reference for you to configure your devices. Its contents,
including web pages, command line input and output, are based on laboratory conditions. It
provides instructions for general scenarios, but does not cover all use cases of all product
models. The examples given may differ from your use case due to differences in software
versions, models, and configuration files. When configuring your device, alter the
configuration depending on your use case.
The specifications provided in this document are tested in a lab environment (for example, a
certain type of card has been installed on the tested device or only one protocol is run on
the device). Results may differ from the listed specifications when you attempt to obtain the
maximum values with multiple functions enabled on the device.

Product Software Versions Matching NMS Versions


The product software versions matching NMS versions are as follows.

S1720, S2700, S5700, and S6720 Product Software Version | NMS
V200R012C00 | eSight V300R009C00; iManager U2000 V200R018C50


AP Version Support
The following table describes the mapping relationship between the product and AP software
versions.

S5720HI&S5730HI&S6720HI Software Version | AP Software Version
V200R012C00 | V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10

The central AP and RU must have the same version. For example, if the central AP version is
V200R006C20, the RU version must also be V200R006C20.


Contents

About This Document
1 WLAN Features Supported in This Version
2 General Precautions for WLAN
3 Wireless Network Deployment and Configuration Suggestions
3.1 Network Design Suggestion
3.2 WLAN Service Configuration Suggestion
3.3 Security Configuration Suggestion
3.4 Radio Configuration Suggestion
3.5 Deployment Suggestions for Different Network Scales
4 WLAN Service Configuration Procedure
4.1 Reference Relationships Between WLAN Profiles
4.2 WLAN Basic Service Configuration Procedure
4.3 AP Group and AP
4.4 Regulatory Domain Profile
4.5 Radio Profile
4.6 Air Scan Profile
4.7 RRM Profile
4.8 VAP Profile
4.9 SSID Profile
4.10 Authentication Profile
4.11 Security Profile
4.12 Traffic Profile
4.13 STA Blacklist Profile
4.14 STA Whitelist Profile
4.15 AP System Profile
4.16 AP Wired Port Profile
4.17 AP Wired Port Link Profile
4.18 WIDS Profile
4.19 WIDS Spoof SSID Profile
4.20 WIDS Whitelist Profile
4.21 Location Profile
4.22 BLE Profile


4.23 WDS Profile
4.24 WDS Whitelist Profile
4.25 Mesh Profile
4.26 Mesh Handover Profile
4.27 Mesh Whitelist Profile
4.28 IoT Profile
4.29 WMI Profile
4.30 AP Provisioning Profile
4.31 Common Operations of Profiles
5 WLAN Service Configuration
5.1 Overview of WLAN
5.2 Understanding WLAN
5.2.1 Concepts Related to WLAN
5.2.2 802.11 Standards
5.2.3 WLAN Architecture
5.2.4 AP Online Process
5.2.5 RU Online Process
5.2.6 STA Access
5.2.7 Data Forwarding Mode
5.2.8 Uninterrupted AP Operation After CAPWAP Link Disconnection
5.3 Application Scenarios for WLAN
5.3.1 WLAN Networking Application on Medium- and Large-sized Campus Networks
5.3.2 WLAN Networking Application on Small Campus Networks
5.3.3 WLAN Networking Application in Enterprise Branches
5.3.4 Typical Application of an Agile Distributed WLAN
5.3.5 Typical Application of Uninterrupted AP Operation After CAPWAP Link Disconnection
5.4 Summary of WLAN Configuration Tasks
5.5 Configuration Limitations for WLAN
5.6 Licensing Requirements and Limitations for WLAN
5.7 Default Settings for WLAN
5.8 Creating an AP Group
5.9 Configuring APs to Go Online
5.9.1 Configuring a DHCP Server
5.9.2 Configuring Network Interconnections
5.9.3 Configuring Country Codes
5.9.4 Configuring a Source Interface or Source Address
5.9.5 (Optional) Configuring a Network Element Name
5.9.6 (Optional) Configuring CAPWAP Tunnel Parameters
5.9.7 (Optional) Configuring Automatic Upgrade When APs Go Online
5.9.8 Adding APs
5.9.9 Checking Whether APs Can Go Online
5.10 Configuring the Central AP and RUs to Go Online


5.10.1 Setting the Working Mode for the Central AP's Wired Interface
5.11 Configuring STAs to Go Online
5.11.1 Configuring a Radio
5.11.1.1 Configuring Basic Radio Parameters
5.11.1.2 Creating a Radio Profile
5.11.1.3 (Optional) Configuring Smooth Channel Switching
5.11.1.4 (Optional) Adjusting Radio Parameters
5.11.1.5 Binding a Radio Profile
5.11.1.6 Verifying the Radio Configuration
5.11.2 Configuring a VAP
5.11.2.1 Creating a VAP Profile
5.11.2.2 Configuring a Data Forwarding Mode
5.11.2.3 Configuring Service VLANs
5.11.2.4 (Optional) Configuring the VAP Type
5.11.2.5 (Optional) Configuring the Scheduled VAP Auto-Off Function
5.11.2.6 (Optional) Configuring MU-MIMO
5.11.2.7 (Optional) Configuring the Device to Forcibly Disconnect STAs Without Traffic
5.11.2.8 (Optional) Adjusting VAP Parameters
5.11.2.9 Configuring a Security Profile
5.11.2.10 Configuring an SSID Profile
5.11.2.11 Binding VAP Profiles
5.11.2.12 Verifying the VAP, Security, and SSID Profile Configuration
5.11.3 (Optional) Configuring the STA Offline Delay Function
5.11.4 Checking the STA Online Result
5.12 Configuring STAs to Go Online (Agile Distributed WLAN)
5.13 Maintaining Basic WLAN Services
5.13.1 Checking Wireless Link Quality Between an AP and a STA
5.13.2 Checking Connectivity Between an AP and a Network Device
5.13.3 Checking AP Running Statistics
5.13.4 Checking AP Online Failure and Offline Records
5.13.5 Clearing AP Online Failure and Offline Records
5.13.6 Clearing the List of Unauthorized APs
5.13.7 Checking STA Running Statistics
5.13.8 Checking STA Online Failure and Offline Records
5.13.9 Clearing STA Online Failure and Offline Records
5.13.10 Enabling the Function of Recording Successful STA Associations in the Log
5.14 Configuration Examples for WLAN Services
5.14.1 Example for Configuring WLAN Services on a Small-Scale Network
5.14.2 Example for Configuring WLAN Services on a Medium-Scale Network
5.14.3 Example for Configuring WLAN Services on a Large-Scale Network
5.14.4 Example for Configuring Seamless Channel Switching
5.14.5 Example for Configuring an Agile Distributed WLAN


6 AP Management Configuration Guide
6.1 Licensing Requirements and Limitations for WLAN
6.2 Configuring AP Online Parameters (AP Provisioning View)
6.2.1 Configuring AP Online Parameters
6.2.2 Delivering Configurations
6.2.3 Clearing Configurations
6.3 Configuring AP Online Parameters (AP View)
6.3.1 Configuring AP Online Parameters
6.4 Managing APs
6.4.1 Modifying AP Names
6.4.2 Modifying the AP Group to Which APs Belong
6.4.3 Configuring the Default Domain Name Suffix for APs
6.4.4 Performing an In-Service Upgrade on APs
6.4.5 Configuring a Scheduled AP Upgrade Task
6.4.6 Switching the Working Mode of an AP
6.4.7 Resetting an AP
6.4.8 Restoring the Factory Settings of an AP
6.4.9 Deleting an AP
6.4.10 Configuring an AC to Report STA Traffic Statistics and Online Duration on APs
6.4.11 Setting the Longitude and Latitude of an AP
6.4.12 Verifying the AP Configuration
6.5 Managing Wired Login for APs
6.6 Managing Wireless Login for APs
6.7 Configuring Offline Management and Antenna Alignment VAPs
6.8 Configuring AP System Management
6.8.1 Configuring AP Indicators
6.8.2 Configuring the USB Function on an AP
6.8.3 Configuring the AP Channel Mode
6.8.4 Configuring a Management VLAN on an AP
6.8.5 Configuring the Rate Limit for Broadcast and Multicast Packets of APs
6.8.6 Configuring Terminal Attributes for the VTY User Interface
6.8.7 Configuring ACL-based Login Control for the VTY User Interface of APs
6.8.8 Configuring the Alarm Function on an AP
6.8.9 Configuring the Log Backup and Log Suppression Functions on an AP
6.8.10 Configuring LLDP on an AP
6.8.11 Configuring an AP to Report Information About Its LLDP Neighbors
6.8.12 Configuring Sampling Parameter on an AP
6.8.13 Configuring Service Holding upon CAPWAP Link Disconnection
6.8.14 Optimizing AP System Profile Parameters
6.8.15 Verifying the AP System Configuration
6.9 Managing an AP's Wired Interface
6.10 Managing the PoE Function of an AP

Issue 04 (2018-08-17) Copyright © Huawei Technologies Co., Ltd. ix


S5700 and S6720 Series Ethernet Switches
Configuration Guide - WLAN-AC Contents

6.10.1 Overview of PoE................................................................................................................................................... 259


6.10.2 Understanding PoE................................................................................................................................................ 260
6.10.3 Configuration Limitations for PoE........................................................................................................................ 269
6.10.4 Enabling the PoE Function.................................................................................................................................... 270
6.10.5 (Optional) Configuring the LLDP Power Capacity Negotiation...........................................................................270
6.10.6 Configuring PoE Power Management................................................................................................................... 271
6.10.7 Configuring the Device to Allow High Inrush Current During Power-On........................................................... 273
6.10.8 Configuring PoE Power-on and Power-off Management......................................................................................274
6.10.9 Applying Profiles...................................................................................................................................................275
6.10.10 Verifying the PoE Configuration......................................................................................................................... 277
6.11 Configuring APs to Report KPIs.............................................................................................................................. 277
6.12 Maintaining APs....................................................................................................................................................... 280
6.12.1 Checking Wireless Link Quality Between an AP and a STA................................................................................280
6.12.2 Checking Connectivity Between an AP and a Network Device............................................................................280
6.12.3 Checking AP Running Statistics............................................................................................................................281
6.12.4 Checking AP Neighbor Information......................................................................................................................281
6.13 Configuration Examples for AP Management......................................................................................................... 282
6.13.1 Example for Configuring Service Holding upon CAPWAP Link Disconnection.................................................282
6.14 Common Configuration Errors................................................................................................................................. 289
6.14.1 After the AP's Uplink Wired Interface Is Configured to Work in Endpoint Mode, the AP Cannot Go Online After
a Restart............................................................................................................................................................................ 289

7 Radio Resource Management..................................................................................................291


7.1 Overview of Radio Resource Management................................................................................................................291
7.2 Understanding Radio Resource Management............................................................................................................ 291
7.2.1 Radio Calibration.....................................................................................................................................................291
7.2.2 AP-based Load Balancing....................................................................................................................................... 299
7.2.3 Band Steering.......................................................................................................................................................... 302
7.2.4 Smart Roaming........................................................................................................................................................ 303
7.2.5 User CAC................................................................................................................................................................ 305
7.3 Summary of Radio Resource Management Configuration Tasks...............................................................................306
7.4 Licensing Requirements and Limitations for Radio Resource Management............................................................. 311
7.5 Default Settings for Radio Resource Management.................................................................................................... 315
7.6 Configuring Interference Detection............................................................................................................................315
7.7 Configuring Radio Calibration................................................................................................................................... 316
7.8 Configuring Load Balancing...................................................................................................................................... 322
7.8.1 Configuring Static Load Balancing......................................................................................................................... 322
7.8.2 Configuring Dynamic Load Balancing....................................................................................................................324
7.9 Configuring Band Steering......................................................................................................................................... 327
7.10 Configuring Smart Roaming.................................................................................................................................... 328
7.11 Configuring the Function of Quickly Disconnecting STAs......................................................................................331
7.12 Configuring User CAC............................................................................................................................................. 332
7.13 Configuring Dynamic EDCA Parameter Adjustment.............................................................................................. 334
7.14 Configuring the AMC Algorithm for a Radio.......................................................................................................... 335
7.15 Configuring Automatic Per Packet Power Adjustment............................................................................................ 337
7.16 Configuring the Smart Antenna Function................................................................................................................ 338
7.17 Configuring a CCA Threshold................................................................................................................................. 340
7.18 Maintaining Radio Resource Management.............................................................................................................. 341
7.18.1 Displaying Radio Calibration Statistics.................................................................................................................341
7.18.2 Clearing Radio Calibration Statistics.................................................................................................................... 341
7.18.3 Checking Roam-Incapable Records of STAs in Smart Roaming.......................................................................... 342
7.19 Configuration Examples for Radio Resource Management..................................................................................... 342
7.19.1 Example for Configuring Radio Calibration......................................................................................................... 342
7.19.2 Example for Configuring Static Load Balancing.................................................................................................. 353
7.19.3 Example for Configuring Dynamic Load Balancing.............................................................................................363
7.19.4 Example for Configuring Band Steering............................................................................................................... 375
7.19.5 Example for Configuring Smart Roaming.............................................................................................................384
7.19.6 Example for Configuring User Connection Access Control (CAC)..................................................................... 388
7.20 FAQ About Radio Resource Management............................................................................................................... 397
7.20.1 Where Are Interference Sources in WLAN and How Is the Interference Strength?.............................................397
7.20.2 What Are the Requirements for a Radio to Join a Load Balancing Group?..........................................................398
7.21 References for Radio Resource Management...........................................................................................................398

8 Spectrum Analysis.....................................................................................................................399
8.1 Overview of Spectrum Analysis.................................................................................................................................399
8.2 Understanding Spectrum Analysis............................................................................................................................. 399
8.3 Application Scenarios for Spectrum Analysis............................................................................................................403
8.4 Licensing Requirements and Limitations for Spectrum Analysis.............................................................................. 403
8.5 Default Settings for Spectrum Analysis..................................................................................................................... 405
8.6 Configuring Spectrum Analysis................................................................................................................................. 406
8.6.1 Configuring Spectrum Analysis on an AC.............................................................................................................. 408
8.6.2 Checking Spectrum Graphs..................................................................................................................................... 411
8.7 Maintaining Spectrum Analysis................................................................................................................................. 412
8.7.1 Checking Information About Non-Wi-Fi Devices on an AC.................................................................................. 412
8.7.2 Clearing Information About Non-Wi-Fi Devices on an AC....................................................................................412
8.8 Configuration Examples for Spectrum Analysis........................................................................................................ 413
8.8.1 Example for Configuring Spectrum Analysis......................................................................................................... 413

9 Roaming Configuration........................................................................................................... 424


9.1 Overview of Roaming................................................................................................................................................ 424
9.2 Understanding Roaming............................................................................................................................................. 426
9.2.1 Roaming Between APs in the Same Service VLAN............................................................................................... 426
9.2.2 Roaming Between APs in Different Service VLANs..............................................................................................427
9.2.3 Inter-AC Roaming................................................................................................................................................... 429
9.2.4 802.11r Fast Roaming..............................................................................................................................................430
9.2.5 Agile Distributed SFN Roaming............................................................................................................................. 432
9.3 Licensing Requirements and Limitations for Roaming..............................................................................................435

Issue 04 (2018-08-17) Copyright © Huawei Technologies Co., Ltd. xi


S5700 and S6720 Series Ethernet Switches
Configuration Guide - WLAN-AC Contents

9.4 Default Settings for Roaming..................................................................................................................................... 439


9.5 Configuring Roaming Between APs in the Same Service VLAN............................................................................. 439
9.5.1 Configuring Non-Fast Roaming Between APs in the Same Service VLAN.......................................................... 440
9.5.2 Configuring PMK Fast Roaming Between APs in the Same Service VLANs....................................................... 440
9.5.3 (Optional) Configuring 802.11r Fast Roaming........................................................................................................440
9.5.4 Verifying the Roaming Configuration..................................................................................................................... 441
9.6 Configuring Roaming Between APs in Different Service VLANs............................................................................ 441
9.6.1 Configuring Non-Fast Roaming Between APs in Different Service VLANs......................................................... 443
9.6.2 Configuring Fast Roaming Between APs in Different Service VLANs................................................................. 444
9.6.3 (Optional) Configuring 802.11r Fast Roaming........................................................................................................444
9.6.4 Verifying the Roaming Configuration..................................................................................................................... 445
9.7 Configuring Inter-AC Roaming..................................................................................................................................445
9.7.1 (Optional) Configuring DTLS Encryption of an Inter-AC Tunnel..........................................................................445
9.7.2 (Optional) Configuring Encryption for Sensitive Information Between ACs.........................................................446
9.7.3 Configuring a Mobility Group.................................................................................................................................447
9.7.4 (Optional) Configuring 802.11r Fast Roaming........................................................................................................447
9.7.5 Verifying the Inter-AC Roaming Configuration......................................................................................................448
9.8 Configuring Agile Distributed SFN Roaming............................................................................................................448
9.9 Configuration Examples for Roaming........................................................................................................................451
9.9.1 Example for Configuring Non-Fast Roaming Between APs in the Same Service VLAN......................................451
9.9.2 Example for Configuring Fast Roaming Between APs in the Same Service VLAN..............................................460
9.9.3 Example for Configuring Non-Fast Roaming Between APs in Different Service VLANs.................................... 471
9.9.4 Example for Configuring Fast Roaming Between APs in Different Service VLANs............................................ 480
9.9.5 Example for Configuring Inter-AC Layer 2 Roaming............................................................................................ 493
9.9.6 Example for Configuring Agile Distributed SFN Roaming.................................................................................... 503

10 WLAN QoS Configuration.................................................................................................... 515


10.1 Overview of WLAN QoS......................................................................................................................................... 515
10.2 Understanding WLAN QoS......................................................................................................................................515
10.2.1 WMM.................................................................................................................................................................... 515
10.2.2 Priority Mapping....................................................................................................................................................520
10.2.3 Traffic Policing...................................................................................................................................................... 522
10.2.4 Airtime Scheduling................................................................................................................................................526
10.2.5 ACL-based Packet Filtering.................................................................................................................................. 528
10.2.6 Priority Increase of Lync Packets.......................................................................................................................... 528
10.2.7 SVP Voice Traffic Optimization............................................................................................................................530
10.3 Application Scenarios for WLAN QoS.................................................................................................................... 530
10.4 Summary of WLAN QoS Configuration Tasks........................................................................................................531
10.5 Licensing Requirements and Limitations for WLAN QoS...................................................................................... 532
10.6 Default Settings for WLAN QoS..............................................................................................................................534
10.7 Configuring WLAN QoS..........................................................................................................................................535
10.7.1 Configuring WMM................................................................................................................................................535
10.7.2 Configuring Priority Mapping............................................................................................................................... 538
10.7.3 Configuring Traffic Policing................................................................................................................................. 542
10.7.4 Configuring Airtime Fair Scheduling....................................................................................................................546
10.7.5 Configuring ACL-based Packet Filtering..............................................................................................................547
10.7.6 Configuring ACL-based Priority Remarking........................................................................................................ 548
10.7.7 Configuring User Isolation on a VAP....................................................................................................................549
10.7.8 Configuring Priorities for Lync Packets................................................................................................................ 550
10.7.9 Configuring Multimedia Air Interface Optimization............................................................................................ 551
10.7.10 Configuring SVP Voice Traffic Optimization..................................................................................................... 553
10.8 Configuration Examples for WLAN QoS................................................................................................................ 553
10.8.1 Example for Configuring WMM and Priority Mapping....................................................................................... 553
10.8.2 Example for Configuring Traffic Policing.............................................................................................................564
10.8.3 Example for Configuring Airtime Fair Scheduling............................................................................................... 572
10.8.4 Example for Configuring ACL-based Packet Filtering......................................................................................... 580
10.8.5 Example for Configuring Priorities of Lync Packets.............................................................................................589
10.9 FAQ...........................................................................................................................................................................598
10.9.1 What Is the Relationship Between WMM and 802.11e?.......................................................................................598
10.9.2 How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?....................................................................................................................................598

11 WLAN Security Configuration............................................................................................. 601


11.1 Overview of WLAN Security................................................................................................................................... 601
11.2 Understanding WLAN Security................................................................................................................................601
11.2.1 Wireless Intrusion Detection..................................................................................................................................601
11.2.2 Wireless Intrusion Prevention................................................................................................................................604
11.2.3 Attack Detection.................................................................................................................................................... 605
11.2.4 Defense Against Brute Force Attacks Using Keys................................................................................................607
11.3 Application Scenarios for WLAN Security.............................................................................................................. 608
11.3.1 Rogue Device Detection and Containment............................................................................................................608
11.3.2 Attack Device Detection........................................................................................................................................608
11.4 Licensing Requirements and Limitations for WLAN Security................................................................................ 609
11.5 Default Settings for WLAN Security........................................................................................................................612
11.6 Configuring Device Detection and Containment......................................................................................................613
11.6.1 Creating a WIDS Profile........................................................................................................................................615
11.6.2 Configuring the Radio Working Mode.................................................................................................................. 615
11.6.3 (Optional) Setting Air Scan Parameters.................................................................................................................616
11.6.4 Configuring Device Detection............................................................................................................................... 617
11.6.5 (Optional) Configuring Fuzzy Matching Rules for Identifying Spoofing SSIDs..................................................619
11.6.6 (Optional) Configuring a WIDS Whitelist.............................................................................................................619
11.6.7 Configuring Device Containment..........................................................................................................................621
11.6.8 Applying the Configuration to an AP Group or a Specific AP............................................................................. 622
11.6.9 Verifying the Device Detection and Containment Configuration..........................................................................623
11.7 Configuring Attack Detection and a Dynamic Blacklist.......................................................................................... 624
11.7.1 Creating a WIDS Profile........................................................................................................................................626

Issue 04 (2018-08-17) Copyright © Huawei Technologies Co., Ltd. xiii


S5700 and S6720 Series Ethernet Switches
Configuration Guide - WLAN-AC Contents

11.7.2 Configuring the Radio Working Mode.................................................................................................................. 626


11.7.3 (Optional) Setting Air Scan Parameters.................................................................................................................627
11.7.4 Configuring WIDS Attack Detection and a Dynamic Blacklist............................................................................ 628
11.7.5 Applying the Configuration to an AP Group or a Specific AP............................................................................. 631
11.7.6 Verifying the Attack Detection and Dynamic Blacklist Configuration................................................................. 632
11.8 Configuring WLAN Security....................................................................................................................................632
11.8.1 Configuring Strict STA IP Address Learning Through DHCP............................................................................. 632
11.8.2 Configuring DAI....................................................................................................................................................633
11.8.3 Configuring Defense Against Bogus DHCP Server Attacks.................................................................................634
11.8.4 Configuring the IPSG Function............................................................................................................................. 634
11.8.5 Configuring Flood Attack Detection..................................................................................................................... 635
11.8.6 Applying the Configuration................................................................................................................................... 636
11.8.7 Verifying the WLAN Security Configuration........................................................................................................637
11.9 Maintaining WLAN Security....................................................................................................................................637
11.9.1 Verifying the Configuration of Device Detection and Containment..................................................................... 637
11.9.2 Verifying the Configuration of Attack Detection and Dynamic Blacklist.............................................................638
11.9.3 Checking Air Interface Environment Information About AP Radios................................................................... 638
11.9.4 Clearing WLAN Security Information.................................................................................................................. 639
11.10 Configuration Examples for WLAN Security........................................................................................................ 639
11.10.1 Example for Configuring WIDS and WIPS........................................................................................................ 639
11.10.2 Example for Configuring Attack Detection.........................................................................................................647
11.11 References for WLAN Security..............................................................................................................................656

12 Security Policy Configuration...............................................................................................657


12.1 Understanding WLAN Security Policies..................................................................................................................657
12.1.1 WEP.......................................................................................................................................................................657
12.1.2 WPA/WPA2........................................................................................................................................................... 658
12.1.3 WAPI..................................................................................................................................................................... 663
12.2 Application Scenarios for WLAN Security Policies................................................................................................ 668
12.3 Default Settings for WLAN Security Policies..........................................................................................................669
12.4 Configuring a WLAN Security Policy..................................................................................................................... 669
12.4.1 Creating a Security Profile.................................................................................................................................... 672
12.4.2 Configuring a Security Policy............................................................................................................................... 672
12.4.2.1 Configuring Open System Authentication......................................................................................................... 674
12.4.2.2 Configuring WEP............................................................................................................................................... 675
12.4.2.3 Configuring WPA/WPA2-PSK...........................................................................................................................676
12.4.2.4 Configuring WPA/WPA2-802.1X...................................................................................................................... 677
12.4.2.5 Configuring WAPI-PSK..................................................................................................................................... 678
12.4.2.6 Configuring WAPI-Certificate............................................................................................................................679
12.4.3 Applying the Security Policy Configuration to a VAP Profile.............................................................................. 681
12.4.4 Verifying the WLAN Security Policy Configuration............................................................................................ 682
12.5 Configuration Examples for WLAN Security Policies............................................................................................ 682
12.5.1 Example for Configuring a WEP Security Policy................................................................................................. 682
12.5.2 Example for Configuring a WPA2-PSK-AES Security Policy............................................................................. 689
12.5.3 Example for Configuring a WPA2-802.1X-AES Security Policy.........................................................................696
12.5.4 Example for Configuring a WAPI-PSK Security Policy....................................................................................... 708
12.5.5 Example for Configuring a WAPI-Certificate Security Policy..............................................................................715
12.5.6 Example for Configuring MAC Address Authentication (AAA in RADIUS Mode)........................................... 723
12.5.7 Example for Configuring MAC + 802.1X Authentication (AAA Mode: RADIUS)............................................ 732
12.5.8 Example for Configuring External Portal Authentication..................................................................................... 741
12.5.9 Example for Configuring Built-in Portal Authentication...................................................................................... 755

13 STA Blacklist and Whitelist Configuration....................................................................... 765


13.1 Understanding STA Blacklist and Whitelist.............................................................................................................765
13.2 Application Scenarios for STA Blacklist and Whitelist........................................................................................... 766
13.3 Default Settings for STA Blacklist and Whitelist.....................................................................................................768
13.4 Configuring STA Blacklist and Whitelist.................................................................................................................768
13.4.1 Configuring a STA Whitelist Profile..................................................................................................................... 768
13.4.2 Configuring a STA Blacklist Profile......................................................................................................................769
13.4.3 Applying the Configuration to a VAP Profile or an AP System Profile................................................................770
13.4.4 Verifying the STA Blacklist and Whitelist Configuration..................................................................................... 771
13.5 Configuration Examples for STA Blacklist and Whitelist....................................................................................... 771
13.5.1 Example for Configuring STA Blacklist and Whitelist......................................................................................... 771

14 WDS Configuration................................................................................................................ 780


14.1 Overview of WDS.................................................................................................................................................... 780
14.2 Understanding WDS.................................................................................................................................................780
14.3 Application Scenarios for WDS............................................................................................................................... 785
14.4 STP Scenarios Supported by a WDS Network.........................................................................................................786
14.5 Understanding WDS Profiles................................................................................................................................... 790
14.6 Licensing Requirements and Limitations for WDS................................................................................................. 790
14.7 Default Settings for WDS.........................................................................................................................................794
14.8 Configuring WDS.....................................................................................................................................................794
14.8.1 Adding an AP........................................................................................................................................................ 794
14.8.2 (Optional) Enabling the Backhaul Function on the 4.9 GHz Frequency Band..................................................... 797
14.8.3 Configuring WDS Radio Parameters.................................................................................................................... 799
14.8.4 Configuring Parameters for an AP's Wired Interface............................................................................................ 803
14.8.5 Configuring a Security Profile...............................................................................................................................805
14.8.6 (Optional) Configuring a WDS Whitelist..............................................................................................................805
14.8.7 Configuring a WDS Profile................................................................................................................................... 806
14.8.8 Verifying the WDS Configuration......................................................................................................................... 810
14.9 Maintaining WDS.....................................................................................................................................................810
14.9.1 Checking Information About WDS Links.............................................................................................................810
14.9.2 Configuring Antenna Alignment VAPs................................................................................................................. 810
14.10 Configuration Examples for WDS......................................................................................................................... 814
14.10.1 Example for Configuring the WLAN Service Using WDS Technology.............................................................814


15 Mesh Configuration................................................................................................................ 827


15.1 Overview of Mesh.................................................................................................................................................... 827
15.2 Understanding Mesh.................................................................................................................................................828
15.3 Application Scenarios for Mesh............................................................................................................................... 832
15.4 STP Scenarios Supported by a Mesh Network.........................................................................................................834
15.5 Understanding Mesh Profiles................................................................................................................................... 837
15.6 Licensing Requirements and Limitations for Mesh................................................................................................. 838
15.7 Mesh Interconnection Requirements........................................................................................................................ 841
15.8 Default Settings for Mesh.........................................................................................................................................844
15.9 Configuring the Mesh Function................................................................................................................................844
15.9.1 Adding APs............................................................................................................................................................845
15.9.2 (Optional) Enabling the Backhaul Function on the 4.9 GHz Frequency Band..................................................... 848
15.9.3 Configuring Mesh Radio Parameters.................................................................................................................... 850
15.9.4 Configuring Parameters for an AP's Wired Interface............................................................................................ 854
15.9.5 Configuring a Security Profile...............................................................................................................................856
15.9.6 Configuring a Mesh Whitelist............................................................................................................................... 856
15.9.7 Configuring a Mesh Role and Mesh Profile.......................................................................................................... 858
15.9.8 (Optional) Enabling FWA......................................................................................................................................862
15.9.9 Verifying the Mesh Configuration......................................................................................................................... 866
15.10 Maintaining Mesh Links.........................................................................................................................................866
15.10.1 Checking Information About Mesh Links...........................................................................................................866
15.10.2 Configuring Antenna Alignment VAPs............................................................................................................... 867
15.11 Configuration Examples for Mesh..........................................................................................................................870
15.11.1 Example for Configuring Mesh Services.............................................................................................................870
15.11.2 Example for Configuring Dual-MPP Mesh Services.......................................................................................... 878
15.12 References for Mesh............................................................................................................................................... 888

16 Vehicle-Ground Fast Link Handover Configuration....................................................... 889


16.1 Overview of Vehicle-Ground Fast Link Handover...................................................................................................889
16.2 Understanding Vehicle-Ground Fast Link Handover............................................................................................... 890
16.2.1 Network Models of Vehicle-Ground Fast Link Handover.................................................................................... 890
16.2.2 Signal Coverage Models of Vehicle-Ground Fast Link Handover........................................................................891
16.2.3 Implementation of Vehicle-Ground Fast Link Handover...................................................................................... 892
16.3 Application Scenarios for Vehicle-Ground Fast Link Handover..............................................................................899
16.4 Licensing Requirements and Limitations for Vehicle-Ground Fast Link Handover................................................900
16.5 Default Settings for Vehicle-Ground Fast Link Handover....................................................................................... 902
16.6 Summary of Vehicle-Ground Fast Link Handover Configuration Tasks................................................................. 903
16.7 Configuring Trackside APs...................................................................................................................................... 906
16.7.1 Adding APs............................................................................................................................................................906
16.7.2 Configuring Mesh Radio Parameters.................................................................................................................... 908
16.7.3 Configuring Parameters for an AP's Wired Interface............................................................................................ 910
16.7.4 Configuring a Security Profile...............................................................................................................................912
16.7.5 Configuring a Mesh Whitelist............................................................................................................................... 912
16.7.6 Configuring a Mesh Handover Profile.................................................................................................................. 913
16.7.7 Configuring a Mesh Role and Mesh Profile.......................................................................................................... 914
16.7.8 Guaranteeing Multicast Data Transmission...........................................................................................................918
16.7.9 Verifying the Trackside AP Configuration............................................................................................................ 920
16.8 Configuring a Vehicle-Mounted AP......................................................................................................................... 920
16.8.1 Configuring Mesh Radio Parameters.................................................................................................................... 920
16.8.2 Configuring a Security Profile...............................................................................................................................921
16.8.3 (Optional) Configuring a Mesh Whitelist..............................................................................................................921
16.8.4 Configuring Train-Ground Communication (For Vehicle-Mounted APs in V200R007 or Later)........................922
16.8.5 Configuring a Mesh Profile................................................................................................................................... 926
16.8.6 Configuring Proxied Ground Devices................................................................................................................... 929
16.8.7 Configuring Proxied Vehicle-Mounted Devices....................................................................................................930
16.8.8 Enabling IGMP Snooping on a Vehicle-Mounted AP...........................................................................................931
16.8.9 Verifying the Vehicle-Mounted AP Configuration................................................................................................ 931
16.9 Monitoring Vehicle-Ground Fast Link Handover.................................................................................................... 932
16.10 Configuration Examples for Vehicle-Ground Fast Link Handover........................................................................932
16.10.1 Example for Configuring Vehicle-Ground Fast Link Handover......................................................................... 932

17 Wi-Fi Tag Location Configuration....................................................................................... 946


17.1 Overview of Wi-Fi Tag Location..............................................................................................................................946
17.2 Understanding Wi-Fi Tag Location.......................................................................................................................... 946
17.3 Application Scenarios for Wi-Fi Tag Location.........................................................................................................949
17.4 Licensing Requirements and Limitations for WLAN Tag Location........................................................................ 949
17.5 Summary of Wi-Fi Tag Location Configuration Tasks............................................................................................ 953
17.6 Default Settings for Wi-Fi Tag Location.................................................................................................................. 953
17.7 Configuring Wi-Fi Tag Location.............................................................................................................................. 954
17.7.1 Configuring WLAN Location for AeroScout Tags............................................................................................... 954
17.7.2 Configuring WLAN Location for Ekahau Tags.................................................................................................... 959
17.8 Maintaining Wi-Fi Tag Location.............................................................................................................................. 964
17.8.1 Checking Information About Wi-Fi Tag Location................................................................................................ 964
17.8.2 Clearing Tag Information...................................................................................................................................... 964
17.9 Configuration Examples for Wi-Fi Tag Location.....................................................................................................965
17.9.1 Example for Configuring Basic WLAN Location Services Based on AeroScout Tags........................................965
17.9.2 Example for Configuring Basic WLAN Location Services Based on Ekahau Tags............................................. 973

18 Terminal Location Configuration........................................................................................ 982


18.1 Overview of Terminal Location................................................................................................................................982
18.2 Understanding Terminal Location............................................................................................................................ 982
18.2.1 Wi-Fi Terminal Location....................................................................................................................................... 982
18.2.2 AeroScout MU Location....................................................................................................................................... 985
18.3 Implementation of Terminal Location...................................................................................................................... 987
18.4 Licensing Requirements and Limitations for Terminal Location.............................................................................988
18.5 Summary of Terminal Location Configuration Tasks.............................................................................................. 991
18.6 Default Settings for Terminal Location.................................................................................................................... 991
18.7 Configuring Terminal Location................................................................................................................................ 992
18.7.1 Configuring WLAN Location for AeroScout MUs...............................................................................................992
18.7.2 Configuring Wi-Fi Terminal Location...................................................................................................................997
18.8 Configuration Examples for Terminal Location.....................................................................................................1003
18.8.1 Example for Configuring Basic WLAN Location Services Based on AeroScout MU.......................................1003
18.8.2 Example for Configuring Wi-Fi Terminal Location............................................................................................ 1011

19 Bluetooth Location Configuration..................................................................................... 1020


19.1 Overview of Bluetooth Location............................................................................................................................ 1020
19.2 Understanding Bluetooth Location.........................................................................................................................1021
19.2.1 Bluetooth Terminal Location...............................................................................................................................1021
19.2.2 Bluetooth Tag Location....................................................................................................................................... 1023
19.2.3 Bluetooth Data Transparent Transmission...........................................................................................................1025
19.3 Application Scenarios for Bluetooth Location....................................................................................................... 1027
19.3.1 Bluetooth Terminal Location...............................................................................................................................1027
19.3.2 Bluetooth Tag Location....................................................................................................................................... 1027
19.3.3 Bluetooth Data Transparent Transmission...........................................................................................................1028
19.4 Licensing Requirements and Limitations for Bluetooth Location......................................................................... 1029
19.5 Default Settings for Bluetooth Location.................................................................................................................1032
19.6 Configuring Bluetooth Location.............................................................................................................................1032
19.6.1 Configuring Bluetooth Terminal Location.......................................................................................................... 1032
19.6.2 Configuring Bluetooth Tag Location...................................................................................................................1037
19.6.3 Configuring Bluetooth Data Transparent Transmission...................................................................................... 1040
19.7 Maintaining Bluetooth Location.............................................................................................................................1044
19.7.1 Checking Information About BLE Devices Used for Bluetooth Location..........................................................1044
19.7.2 Deleting Information About BLE Devices Stored on the AC............................................................................. 1044
19.8 Configuration Examples for Bluetooth Location................................................................................................... 1044
19.8.1 Example for Configuring Bluetooth Location.....................................................................................................1044
19.9 References for Bluetooth Location.........................................................................................................................1051

20 Hotspot 2.0 Configuration Guide....................................................................................... 1052


20.1 Overview of Hotspot 2.0........................................................................................................................................ 1052
20.2 Understanding Hotspot 2.0..................................................................................................................................... 1053
20.3 Application Scenarios for Hotspot 2.0................................................................................................................... 1057
20.4 Licensing Requirements and Limitations for Hotspot 2.0......................................................................................1059
20.5 Configuring Hotspot 2.0......................................................................................................................................... 1060
20.5.1 Configuring WPA2-802.1X Authentication........................................................................................................ 1062
20.5.2 Configuring a Hotspot 2.0 Profile....................................................................................................................... 1062
20.5.3 Configuring ANQP Parameters........................................................................................................................... 1063
20.5.4 Applying a Hotspot 2.0 Profile to a VAP Profile.................................................................................................1067
20.5.5 Verifying the Hotspot 2.0 Configuration............................................................................................................. 1067
20.6 Configuration Examples for Hotspot 2.0................................................................................................................1068
20.6.1 Example for Configuring WLAN Hotspot 2.0 Services......................................................................................1069
20.7 References for Hotspot 2.0..................................................................................................................................... 1080


21 WLAN Traffic Optimization Configuration
21.1 Overview of WLAN Traffic Optimization
21.2 Licensing Requirements and Limitations for WLAN Traffic Optimization
21.3 Default Settings for WLAN Traffic Optimization
21.4 Configuring Traffic Limit
21.5 Configuring Multicast Optimization
21.5.1 Configuring IGMP Snooping
21.5.2 Configuring Multicast-to-Unicast Conversion
21.5.3 Configuring Multicast CAC
21.6 Maintaining WLAN Traffic Optimization
21.6.1 Displaying Multicast CAC Statistics
21.7 Configuration Examples for WLAN Traffic Optimization
21.7.1 Example for Configuring Multicast CAC Based on Multicast Bandwidth
21.7.2 Example for Configuring Multicast CAC Based on the Number of Multicast Group Memberships

22 Dual-Link Cold Backup Configuration
22.1 Overview of Dual-Link Cold Backup
22.2 Understanding Dual-Link Cold Backup
22.3 Application Scenarios for Dual-Link Cold Backup
22.3.1 Application of Dual-Link Cold Backup
22.4 Summary of Dual-Link Cold Backup Configuration Tasks
22.5 Licensing Requirements and Limitations for Dual-Link Cold Backup
22.6 Default Settings for Dual-Link Cold Backup
22.7 Configuring Dual-Link Cold Backup (Traditional Method)
22.8 Configuring Dual-Link Cold Backup (New Method)
22.9 (Optional) Configuring the Active/Standby Link Switchover Mode
22.10 Configuration Examples for Dual-Link Cold Backup
22.10.1 Example for Configuring Dual-link Cold Backup (AP-Specific Configuration Mode)
22.10.2 Example for Configuring Dual-Link Cold Backup Globally (Global Configuration Mode)

23 N+1 Backup Configuration
23.1 Overview of N+1 Backup
23.2 Understanding N+1 Backup
23.3 Application Scenarios for N+1 Backup
23.3.1 Typical Application Scenarios for N+1 Backup
23.4 Summary of N+1 Backup Configuration Tasks
23.5 Licensing Requirements and Limitations for N+1 Backup
23.6 Default Settings for N+1 Backup
23.7 Configuring N+1 Backup
23.7.1 Configuring Option 43 on the DHCP Server
23.7.2 Configuring AC Roles (Traditional Method 1)
23.7.3 Configuring AC Roles (Traditional Method 2)
23.7.4 Configuring AC Roles (New Method)
23.7.5 Configuring Revertive Switchover


23.7.6 (Optional) Configuring CAPWAP Heartbeat Detection
23.7.7 (Optional) Configuring the Active/Standby Link Switchover Mode
23.7.8 Enabling N+1 Backup
23.7.9 Verifying the N+1 Backup Configuration
23.8 Configuration Examples for N+1 Backup
23.8.1 Example for Configuring N+1 Backup (APs and ACs in different network segments)

24 Smart Retail IoT Solution - ESL
24.1 Overview of the Smart Retail IoT Solution - ESL
24.2 Understanding the Smart Retail IoT Solution - ESL
24.3 Implementation Precautions for the Smart Retail IoT Solution - ESL
24.4 Software and Hardware Installation for the Smart Retail IoT Solution - ESL
24.5 Configuration Guide for the Smart Retail IoT Solution - ESL
24.5.1 Configuring Network Interworking
24.5.2 Configuring APs to Go Online
24.5.3 Configuring the Wireless Coverage Service
24.5.4 Configuring Component Interworking
24.5.4.1 Configuring Interworking Between ESL Cards and APs
24.5.4.2 Registering ESLs
24.5.5 Associating ESL IDs with Commodity Codes
24.5.6 Configuring ESL Services
24.5.7 Example for Configuring the Smart Retail IoT Solution - ESL

25 Healthcare IoT Solution
25.1 Overview of the Healthcare IoT Solution
25.2 Understanding the Healthcare IoT Solution
25.2.1 Infant Abduction Prevention
25.2.2 Medical Asset Management
25.2.3 Infusion Management
25.3 Implementation Precautions for the Healthcare IoT Solution
25.4 Software and Hardware Installation for the Healthcare IoT Solution
25.5 Configuration Guide for the Healthcare IoT Solution
25.5.1 Configuring Network Interworking
25.5.2 Configuring APs to Go Online
25.5.3 Configuring the Wireless Coverage Service
25.5.4 Configuring Parameters for APs to Communicate with the Host Computer
25.5.5 Preventing Infant Abductions
25.5.6 Managing Medical Assets
25.5.7 Managing Infusion
25.5.8 Example for Configuring the Healthcare IoT Solution

26 Education IoT Solution - Student Health and Safety
26.1 Overview of the Education IoT Solution - Student Health and Safety
26.2 Understanding the Education IoT Solution - Student Health and Safety


26.3 Implementation Precautions for the Education IoT Solution - Student Health and Safety
26.4 Software and Hardware Installation for the Education IoT Solution - Student Health and Safety
26.5 Configuration Guide for the Education IoT Solution - Student Health and Safety
26.5.1 Configuring Network Interworking
26.5.2 Configuring APs to Go Online
26.5.3 Configuring the Wireless Coverage Service
26.5.4 Configuring APs to Communicate with the Host Computer
26.5.5 Example for Configuring the Education IoT Solution - Student Health and Safety

27 Enterprise IoT Solution - Energy Efficiency Management
27.1 Overview of the Enterprise IoT Solution - Energy Efficiency Management
27.2 Understanding the Enterprise IoT Solution - Energy Efficiency Management
27.3 Implementation Precautions for the Enterprise IoT Solution - Energy Efficiency Management
27.4 Software and Hardware Installation for the Enterprise IoT Solution - Energy Efficiency Management
27.5 Configuration Guide for the Enterprise IoT Solution - Energy Efficiency Management
27.5.1 Configuring Network Interworking
27.5.2 Configuring APs to Go Online
27.5.3 Configuring the Wireless Coverage Service
27.5.4 Configuring APs to Communicate with Host Computers
27.5.5 Configuring Energy Efficiency Management
27.5.6 Example for Configuring the Enterprise IoT Solution - Energy Efficiency Management

28 Enterprise IoT Solution - Smart Meeting Rooms
28.1 Overview of the Enterprise IoT Solution - Smart Meeting Rooms

29 Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide
29.1 Overview of the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide
29.2 Understanding the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide
29.3 Summary of Configuration Tasks for the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide
29.4 Implementation Precautions for the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide
29.5 Software and Hardware Installation for the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide
29.6 Configuration Guide for the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide
29.6.1 Configuring Network Interworking
29.6.2 Configuring APs to Go Online
29.6.3 Configuring the Wireless Coverage Service
29.6.4 Configuring Transparent Transmission of Bluetooth Data (With Tablet Kiosks Installed)
29.6.5 Configuring Transparent Transmission of Bluetooth Data (With No Tablet Kiosk Installed)
29.6.6 Associating BLE Labels with Commodities
29.6.7 Configuration Example for the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide
29.6.7.1 Example of Configuring the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide (With Tablet Kiosks Installed)
29.6.7.2 Example of Configuring the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide (With No Tablet Kiosk Installed)


30 Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis
30.1 Overview of the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis
30.2 Understanding the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis
30.3 Implementation Precautions for the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis
30.4 Software and Hardware Installation for the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis
30.5 Configuration Guide for the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis
30.5.1 Configuring Network Interworking
30.5.2 Configuring APs to Go Online
30.5.3 Configuring the Hotspot Service
30.5.4 Configuring Customer Flow Analysis
30.5.5 Configuring Servers
30.5.6 Example for Configuring the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis

31 Shopping Mall and Supermarket IoT Solution - Indoor Navigation
31.1 Overview of the Shopping Mall and Supermarket IoT Solution - Indoor Navigation
31.2 Understanding the Shopping Mall and Supermarket IoT Solution - Indoor Navigation
31.3 Implementation Precautions for the Shopping Mall and Supermarket IoT Solution - Indoor Navigation
31.4 Software and Hardware Installation for the Shopping Mall and Supermarket IoT Solution - Indoor Navigation
31.5 Configuration Guide for the Shopping Mall and Supermarket IoT Solution - Indoor Navigation
31.5.1 Configuring Network Interworking
31.5.2 Configuring APs to Go Online
31.5.3 Configuring the Wireless Coverage Service
31.5.4 Configuring the Bluetooth Terminal Location Function
31.5.5 Configuring a Location Server
31.5.6 Example for Configuring the Shopping Mall and Supermarket IoT Solution - Indoor Navigation

32 Shopping Mall and Supermarket Solution - Personnel and Asset Management
32.1 Overview of the Shopping Mall and Supermarket Solution - Personnel and Asset Management
32.2 Understanding the Shopping Mall and Supermarket Solution - Personnel and Asset Management
32.3 Implementation Precautions for the Shopping Mall and Supermarket Solution - Personnel and Asset Management
32.4 Software and Hardware Installation for the Shopping Mall and Supermarket Solution - Personnel and Asset Management
32.5 Configuration Guide for the Shopping Mall and Supermarket Solution - Personnel and Asset Management
32.5.1 Configuring Network Interworking
32.5.2 Configuring APs to Go Online
32.5.3 Configuring the Wireless Coverage Service
32.5.4 Configuring the Bluetooth Tag Location Function
32.5.5 Configuring a Location Server


32.5.6 Example for Configuring the Personnel and Asset Management IoT Solution


1 WLAN Features Supported in This Version

| Feature | S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E | S2720EI, S2750EI | S5700LI, S5700S-LI, S5710-X-LI | S5720LI, S5720S-LI | S5720SI, S5720I-SI, S5720S-SI, S5730SI, S5730S-EI | S5720EI, S5720HI, S5730HI | S6720LI, S6720S-LI | S6720SI, S6720S-SI | S6720EI, S6720S-EI, S6720HI |
|---|---|---|---|---|---|---|---|---|---|
| Basic WLAN services (AP online, STA online) | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |
| AP Management | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |
| Radio resource management | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |
| Spectrum Analysis | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |
| Roaming | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |
| WLAN QoS | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |
| WLAN security | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |
| WDS | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |
| Mesh | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |
| Vehicle-ground fast link handover | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |
| Tag Location | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |
| Terminal Location | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |
| Bluetooth Location | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |
| IoT AP | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |
| Air Interface Performance | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |
| Dual-link backup | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |
| N+1 backup | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |
| Hotspot 2.0 | Not supported | Not supported | Not supported | Not supported | Not supported | Only supported by the S5720HI and S5730HI | Not supported | Not supported | Only supported by the S6720HI |


2 General Precautions for WLAN

- Only the S5720HI, S5730HI, and S6720HI support the WLAN-AC service.
- Before performing the configurations in this chapter, set the NAC mode to unified (default). To check the current NAC mode, run the display authentication mode command.
- Mobility of wireless users varies depending on the scenario. For example, users move frequently in wireless city scenarios or at the start and end of a class, which has a high impact on device performance. To ensure wireless user experience, properly control the number of users. For the optimal deployment scale in major wireless scenarios, see the configuration guide in the campus solution documentation. For deployment precautions, see Deployment Notes.

Table 2-1 lists AC and AP versions applicable to WLAN examples. Table 2-2 lists AP
models supported by different versions.

Table 2-1 Applicable products and versions

| AC Version | AC Product Model | Matching AP Version |
|---|---|---|
| V200R012C00 | S5720HI, S5730HI, S6720HI, S7700, S9700 (see the note below the table) | V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10 |
| V200R011C10 | S5720HI, S7700, S9700 (see the note below the table) | V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10 |
| V200R011C00 | S5720HI | V200R007C20, V200R007C10, V200R006C20, V200R006C10 |
| V200R010C00 | S5720HI, S7700, S9700 (see the note below the table) | V200R007C10, V200R006C20, V200R006C10 |
| V200R009C00 | S5720HI, S7700, S9700 (see the note below the table) | V200R006C20, V200R006C10 |

NOTE (applies to the S7700 and S9700 entries in Table 2-1)
For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703 switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703 switches are not recommended.

NOTE

The central AP and RU must use the same version. For example, if the AD9430DN-24 version is
V200R006C20, the R240D version must also be V200R006C20.


Table 2-2 AP models supported by different versions

AP Version | AP Model
--- | ---
V200R009C00 | AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP2010DN, AP7030DE, AP9330DN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9431DN-24X, AD9430DN-24, AD9430DN-12, R230D, R240D, R450D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP1050DN-S, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP8050DN, AP8150DN, AP4051TN, AP6052DN, AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, AP8182DN, AP2051DN, AP2051DN-E, R251D, R251D-E
V200R008C10 | AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9431DN-24X, AD9430DN-24, AD9430DN-12, R230D, R240D, R450D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP1050DN-S, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP8050DN, AP8150DN, AP4051TN, AP6052DN, AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, AP8182DN
V200R008C00 | AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9431DN-24X, AD9430DN-24, AD9430DN-12, R230D, R240D, R450D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP1050DN-S, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP8050DN, AP8150DN
V200R007C20 | AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W, AP4050DN, AP4051DN, AP4151DN, AP8050DN, AP8150DN
V200R007C10 | AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, R250D, R250D-E, AP2050DN, AP2050DN-E, AP8130DN-W
V200R006C20 | AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN, AP9131DN, AP9132DN, AD9430DN-24, AD9430DN-12, R230D, R240D
V200R006C10 | AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110SN-GN, AP7110DN-AGN, AP5010SN-GN, AP5010DN-AGN, AP3010DN-AGN, AP6510DN-AGN-US, AP6610DN-AGN-US, AP5030DN, AP5130DN, AP7030DE, AP2010DN, AP8130DN, AP8030DN, AP9330DN, AP4030DN, AP4130DN, AP3030DN, AP2030DN

NOTE

WDS and Mesh are not supported by the AP6310SN-GN, AP7030DE, AP2010DN, AP2030DN, AP9330DN,
AD9431DN-24X, AD9430DN-24, AD9430DN-12, R230D, R240D, R450D, R250D, R250D-E, AP2050DN,
AP2050DN-E, AP2051DN, AP2051DN-E, R251D, and R251D-E.


3 Wireless Network Deployment and Configuration Suggestions

3.1 Network Design Suggestion

Enabling STP Edge Ports Connected to APs


To improve network stability and prevent network loops caused by incorrect connections, the
Spanning Tree Protocol (STP) is enabled on the device by default. When an STP-enabled port
on the device is connected to another device that does not support STP, the port is blocked for
30 seconds. It is recommended that switch ports connected to APs be configured as STP edge
ports, so that the APs can rapidly connect to the network.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] stp edged-port enable

Enabling LLDP on the PoE Ports Connected to APs


After the Link Layer Discovery Protocol (LLDP) is configured, the device can analyze
powered devices (PDs). When LLDP is disabled, the device can detect and classify PDs only
by analyzing the current and resistance between the device and PDs. Compared with current
and resistance analysis, the LLDP function provides more comprehensive and accurate
analysis.

Enable LLDP globally. After LLDP is enabled globally, the LLDP function is enabled on all
ports by default.
<HUAWEI> system-view
[HUAWEI] lldp enable

Configuring VLANs
In practice, the management VLAN and service VLAN must be configured for management
packets and service data packets.

● Management VLAN: transmits packets that are forwarded through CAPWAP tunnels,
including management packets and service data packets forwarded through CAPWAP
tunnels.


● Service VLAN: transmits service data packets.


NOTE

● It is recommended that you use different VLANs for the management VLAN and service VLAN.
● You are not advised to use VLAN 1 as the management VLAN or service VLAN.
● In tunnel forwarding mode, the management VLAN and service VLAN must be different. The network
between the AC and AP can only permit packets with management VLAN tags to pass through, and
cannot permit packets with service VLAN tags to pass through.
● When a downlink GE interface of an AD9431DN-24X works in middle mode, the interface allows
packets from all VLANs but no VLAN is created by default. VLANs are automatically created or deleted
based on the VLAN list on the connected RU.

The following describes the forwarding process of management and service data packets.
Here, VLAN m and VLAN m' represent management VLANs, while VLAN s and VLAN s'
represent service VLANs.
● When an AP connects to an AC through a Layer 2 network, VLAN m is the same as
VLAN m', and VLAN s is the same as VLAN s'.
● When an AP connects to an AC through a Layer 3 network, VLAN m is different from
VLAN m', and VLAN s is different from VLAN s'.
● Figure 3-1 shows the process of forwarding management packets through CAPWAP
tunnels.


Figure 3-1 Forwarding management packets through CAPWAP tunnels
[Figure: packet formats recovered from the diagram. At the AC: VLAN m' | 802.3 | UDP/IP | CAPWAP | Payload. At the switch: VLAN m | 802.3 | UDP/IP | CAPWAP | Payload. Untagged: 802.3 | UDP/IP | CAPWAP | Payload.]

In Figure 3-1:
– In the uplink direction (from the AP to the AC): When receiving management
packets, the AP encapsulates the packets in CAPWAP packets. The switch tags the
packets with VLAN m. The AC decapsulates the CAPWAP packets and removes
the tag VLAN m'.
– In the downlink direction (from the AC to the AP): When receiving downstream
management packets, the AC encapsulates the packets in CAPWAP packets and
tags them with VLAN m'. The switch removes VLAN m from the packets. The AP
decapsulates the CAPWAP packets.
● Figure 3-2 shows the process of directly forwarding service data packets.

Figure 3-2 Forwarding service data packet directly
[Figure: data packet formats recovered from the diagram, from the Internet down to the STA. Internet side: VLAN s' | 802.3 | Payload. Switch: VLAN s | 802.3 | Payload. AP: 802.11 | Payload. STA: Payload. Legend: VLAN s, VLAN s': service VLAN.]

In Figure 3-2, service data packets are not encapsulated in CAPWAP packets.
– In the uplink direction (from the STA to the Internet): When upstream service data
packets in 802.11 format are sent from the STA to the AP, the AP converts the
packets into 802.3 packets, tags the packets with VLAN s, and forwards the packets
to the destination.
– In the downlink direction (from the Internet to the STA): When downstream service
data packets in 802.3 format reach the AP (the packets are tagged with VLAN s' by
upstream devices), the AP converts the 802.3 packets into 802.11 packets and
forwards them to the STA.
● Figure 3-3 shows the process of forwarding service data packets through CAPWAP
tunnels.


Figure 3-3 Forwarding service data packets through CAPWAP tunnels
[Figure: data packet formats recovered from the diagram, from the Internet down to the STA. Internet side: VLAN s | 802.3 | Payload. AC: VLAN m' | 802.3 | UDP/IP | CAPWAP | VLAN s | 802.3 | Payload. Switch: VLAN m | 802.3 | UDP/IP | CAPWAP | VLAN s | 802.3 | Payload. Below the switch: 802.3 | UDP/IP | CAPWAP | VLAN s | 802.3 | Payload. AP: 802.11 | Payload. STA: Payload. Legend: VLAN m, VLAN m': management VLAN; VLAN s: service VLAN.]

In Figure 3-3, service data packets are encapsulated in CAPWAP packets and
transmitted through CAPWAP data tunnels.
– In the uplink direction (from the STA to the Internet): When upstream service data
packets in 802.11 format are sent from the STA to the AP, the AP converts the
packets into 802.3 packets, tags the packets with VLAN s, and encapsulates them in
CAPWAP packets. The upstream switch tags the packets with VLAN m. The AC
decapsulates the CAPWAP packets and removes the tag VLAN m' from the
packets.
– In the downlink direction (from the Internet to the STA): When downstream service
data packets reach the AC, the AC encapsulates the packets in CAPWAP packets,
allows the packets carrying VLAN s to pass through, and tags the packets with
VLAN m'. The switch removes VLAN m from the packets. The AP decapsulates
the CAPWAP packets, removes VLAN s, converts the 802.3 packets into 802.11
packets, and forwards them to the STA.
Management VLAN tag VLAN m is the outer tag of CAPWAP-encapsulated packets.
The intermediate devices between the AC and AP can only transparently transmit
packets carrying VLAN m and cannot be configured with VLAN s encapsulated in the
CAPWAP packets.

Enabling the STP TC Protection Function


The STP function is enabled on an AC by default. STP can prevent network loops caused by
incorrect connections or required by link backup.

When the STP topology changes, the device sends Topology Change (TC) packets to instruct
other devices to update their forwarding tables. If network flapping occurs, the devices will
receive a large number of TC packets in a short period of time, and update MAC address or
ARP entries frequently. As a result, the devices are heavily burdened, threatening network
stability.

The STP TC protection function is enabled by default. After enabling the TC protection
function, you can set the number of times a switching device processes TC packets within a
given time. If the number of TC packets received by the switching device within the given
time exceeds the specified threshold, the switching device processes TC packets only for the
specified number of times. For the TC packets exceeding the threshold, the switching device
processes them together after the timer expires. In this way, the switching device is prevented
from frequently deleting its MAC address and ARP entries, and therefore relieved from the
ensuing burdens.

# If you need to understand how the switching device processes TC packets, enable the TC
protection alarm function.
<HUAWEI> system-view
[HUAWEI] stp tc-protection

Disabling an AC from Responding to TC Packets and Enabling the MAC-ARP Association Function When the AC Functions As a Gateway
In normal cases, when STP detects network topology changes, the device sends TC packets to
instruct its ARP module to age out or delete ARP entries. In this case, the device needs to
learn ARP entries again to obtain the latest ARP entry information. However, if the network
topology changes frequently or network devices on the network have a large number of ARP
entries, ARP learning will increase the number of ARP packets. These ARP packets will
occupy excessive system resources and affect running of other services.

To prevent this situation, you can disable ARP tables from responding to TC packets. In this
way, ARP entries of network devices on the network are not aged out or deleted even if the
network topology changes. In addition, you can enable MAC address-triggered ARP entry
update to prevent user service interruption even if ARP entries are not updated in a timely
manner.

# Disable the device from aging out or deleting ARP entries upon network topology changes.
<HUAWEI> system-view
[HUAWEI] arp topology-change disable

# Enable MAC address-triggered ARP entry update.


<HUAWEI> system-view
[HUAWEI] mac-address update arp

Configuring Port Isolation on Ports Connected to APs


In wireless application scenarios, APs typically do not need to access each other at Layer 2 or
exchange broadcast packets. Therefore, you can configure port isolation on switch ports
connected to APs. This function improves user communication security and prevents invalid
broadcast packet data from being sent to the APs, ensuring the APs' forwarding performance
and user services. In addition, port isolation needs to be configured for Layer 2 network devices
connected to the AP gateway. For example, port isolation needs to be configured on the ports
of aggregation switches connected to APs on the same Layer 2 network.

# Configure port isolation on GE0/0/1.


<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-isolate enable group 1
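
The two per-port recommendations above (STP edge port and port isolation on ports connected to APs) can be checked across a saved configuration. The following is an added example, not code from this guide: the stanza layout of the configuration text, the sample itself, and the list of AP-facing ports are assumptions supplied by the operator.

```python
import re

# Constructed sample, laid out like a saved configuration (an assumption; the
# guide only shows the interactive commands). GE0/0/1 to GE0/0/3 are taken to
# be AP-facing ports and GE0/0/24 an uplink.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/0/1
 stp edged-port enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 stp edged-port enable
#
interface GigabitEthernet0/0/3
 port-isolate enable group 2
#
interface GigabitEthernet0/0/24
#
"""


def parse_interfaces(config_text):
    """Return {interface name: [commands]} for every 'interface' stanza."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        header = re.match(r"^interface\s+(\S+)\s*$", raw)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # '#' or any other top-level line closes the stanza
    return interfaces


def audit_ap_ports(config_text, ap_ports):
    """Return {port: [findings]} for the AP-facing ports named in ap_ports."""
    interfaces = parse_interfaces(config_text)
    findings = {port: [] for port in ap_ports}
    groups = {}
    for port in ap_ports:
        commands = interfaces.get(port)
        if commands is None:
            findings[port].append("interface not found in configuration")
            continue
        if "stp edged-port enable" not in commands:
            findings[port].append("missing 'stp edged-port enable'")
        for command in commands:
            match = re.fullmatch(r"port-isolate enable group (\d+)", command)
            if match:
                groups[port] = int(match.group(1))
        if port not in groups:
            findings[port].append("missing 'port-isolate enable group <id>'")
    # Isolation applies between members of one group, so AP ports spread over
    # several groups can still reach each other at Layer 2.
    if len(set(groups.values())) > 1:
        for port, group in groups.items():
            findings[port].append(
                f"in isolation group {group}; AP ports use several groups")
    return findings


if __name__ == "__main__":
    ap_ports = [f"GigabitEthernet0/0/{n}" for n in (1, 2, 3)]
    for port, issues in audit_ap_ports(SAMPLE_CONFIG, ap_ports).items():
        print(port, "OK" if not issues else "; ".join(issues))
```
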


User Isolation Is Recommended in Accounting Scenarios


In a traffic profile, user isolation prevents Layer 2 packets of all users from being forwarded
to each other. That is, the users cannot communicate with each other after user isolation is
enabled. This improves user communication security and enables the gateway to centrally
forward user traffic, facilitating user accounting and management.

# Configure traffic profile traffic1 and Layer 2 wireless user isolation in the profile.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] traffic-profile name traffic1
[HUAWEI-wlan-traffic-prof-traffic1] user-isolate l2
Warning: This action may cause service interruption. Continue?[Y/N]y

Enabling Optimized ARP Reply


When a stack functions as an access gateway, the stack can receive a large number of ARP
packets requesting the stack's interface MAC address. If all these ARP Request packets
are sent to the master switch, the CPU usage of the switch increases, and other services are
affected.

To address the preceding problem, enable optimized ARP reply, which improves the switch's
capability of defending against ARP flood attacks. After this function is enabled, the stack
performs the following operations:
● When receiving an ARP Request packet of which the destination IP address is the local
interface address, the switch where the interface is located directly returns an ARP Reply
packet.
● When a stack system receives an ARP Request packet of which the destination IP
address is not the local interface address and intra-VLAN proxy ARP is enabled on the
master switch, the switch where the interface is located checks whether the ARP Request
packet meets the proxy condition. If so, the switch returns an ARP Reply packet. If not,
the switch discards the packet.
NOTE
The optimized ARP reply function can be configured on a stand-alone fixed switch, but does not take
effect.

By default, the optimized ARP reply function is enabled. After a device receives an ARP
Request packet, the device checks whether an ARP entry corresponding to the source IP
address of the ARP Request packet exists.
● If the corresponding ARP entry exists, the stack performs optimized ARP reply to this
ARP Request packet.
● If the corresponding ARP entry does not exist, the stack does not perform optimized
ARP reply to this ARP Request packet.

Optimized ARP reply enabled globally or on a specified VLANIF does not take effect if any
of the following commands is executed:
● arp anti-attack gateway-duplicate enable: enables the ARP gateway anti-collision
function.
● arp ip-conflict-detect enable: enables IP address conflict detection.
● arp anti-attack check user-bind enable: enables dynamic ARP inspection.
● dhcp snooping arp security enable: enables egress ARP inspection.
● arp over-vpls enable: enables ARP proxy on the device located on a VPLS network.


● arp-proxy enable: configures the routed ARP proxy function.


After the optimized ARP reply function is enabled, the following functions become invalid:
● ARP rate limiting based on source MAC addresses (configured using the arp speed-limit
source-mac command)
● ARP rate limiting based on source IP addresses (configured using the arp speed-limit
source-ip command)
● Global ARP rate limiting, ARP rate limiting in VLANs, as well as ARP rate limiting on
interfaces (configured using the arp anti-attack rate-limit enable command)
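
The two lists above describe interactions that are easy to miss in review: some ARP security commands stop optimized ARP reply from taking effect, and optimized ARP reply in turn invalidates configured ARP rate limits. The following added example (not code from this guide) scans configuration text for both; the configuration layout and sample are constructed, and whether optimized ARP reply is enabled is passed in as a parameter because this section does not show the command that toggles it.

```python
# Commands that, per the guide, stop optimized ARP reply from taking effect.
BLOCKERS = {
    "arp anti-attack gateway-duplicate enable": "ARP gateway anti-collision",
    "arp ip-conflict-detect enable": "IP address conflict detection",
    "arp anti-attack check user-bind enable": "dynamic ARP inspection",
    "dhcp snooping arp security enable": "egress ARP inspection",
    "arp over-vpls enable": "ARP proxy on a VPLS network",
    "arp-proxy enable": "routed ARP proxy",
}

# ARP rate limits that, per the guide, become invalid once optimized ARP reply
# is enabled. Matched as prefixes because these commands may carry arguments.
OVERRIDDEN = (
    "arp speed-limit source-mac",
    "arp speed-limit source-ip",
    "arp anti-attack rate-limit enable",
)

# Constructed sample; the stanza layout is an assumption.
SAMPLE_CONFIG = """\
#
arp anti-attack rate-limit enable
#
interface Vlanif100
 arp-proxy enable
#
interface GigabitEthernet0/0/5
 arp anti-attack check user-bind enable
 arp anti-attack rate-limit enable
#
"""


def check_arp_interactions(config_text, optimized_reply_enabled=True):
    """Report commands that interact with optimized ARP reply.

    blocked_by          -> (view, command, feature) that stops optimized ARP
                           reply from taking effect
    rate_limits_invalid -> (view, command) rate limits the guide lists as
                           invalid while optimized ARP reply is enabled
    The guide does not say which rule wins when both apply, so both lists are
    reported and left for the operator to verify on the device.
    """
    result = {"blocked_by": [], "rate_limits_invalid": []}
    if not optimized_reply_enabled:
        return result
    context = "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            context = "global"
            continue
        top_level = not raw.startswith(" ")
        where = "global" if top_level else context
        if line in BLOCKERS:
            result["blocked_by"].append((where, line, BLOCKERS[line]))
        elif line.startswith(OVERRIDDEN):
            result["rate_limits_invalid"].append((where, line))
        elif top_level:
            context = line  # a view header such as 'interface Vlanif100'
    return result


if __name__ == "__main__":
    report = check_arp_interactions(SAMPLE_CONFIG)
    for where, command, feature in report["blocked_by"]:
        print(f"[{where}] '{command}' ({feature}): optimized ARP reply does not take effect")
    for where, command in report["rate_limits_invalid"]:
        print(f"[{where}] '{command}': listed as invalid while optimized ARP reply is enabled")
```
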

Reliability Configuration
ACs use iStack technology for networking, and access switches are connected to different
members in the iStack through Eth-Trunks. If one AC is faulty, the network can be restored
rapidly.


Figure 3-4 Reliability configuration
[Figure: labels recovered from the diagram: AC_1, AC_2.]

ARP Proxy Is Not Recommended When the AC Serves as a Gateway


The ARP proxy function increases the burden on the gateway, reducing the number of
wireless users supported by the AC. It is recommended that the ARP proxy function be
disabled when the AC serves as the gateway, unless otherwise required.

The AC Is Not Recommended as a DHCP Server


Wireless users roam, which causes DHCP lease renewal (leases are short). This places high
requirements on the performance of the DHCP server. When the AC serves as a DHCP
server, AC system performance is consumed, reducing the number of wireless users supported
by the AC. Therefore, it is not recommended that the AC serve as both the gateway and
DHCP server, unless otherwise required.

Properly Deploying eSight


If eSight is deployed, it periodically collects system data from the AC. In this case, you need
to deploy Performance Management (PM) and set the collection interval to 30 minutes or
longer.

PM is a technology used to collect and measure various system performance indicators. The
following uses the collection interval of 30 minutes as an example.
<HUAWEI> system-view
[HUAWEI] pm
[HUAWEI-pm] statistics-task task1
[HUAWEI-pm-statistics-task1] sample-interval 30

PM technology periodically collects system data and consumes system resources. If eSight is
not deployed, it is recommended that PM be disabled.

3.2 WLAN Service Configuration Suggestion

Configuring WPA2 + 802.1X Authentication


In commercial use environments, secure authentication and encryption modes are required.
WPA2-AES encryption is recommended. High-security 802.1X authentication together with
AES encryption is more suitable for closed enterprise networks.

# Configure WPA2 authentication (802.1X authentication and AES encryption).


<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa2 dot1x aes

If STAs of multiple types exist, you can configure different authentication and encryption
modes. Hybrid encryption is recommended.

# Configure WPA-WPA2 authentication (802.1X authentication and hybrid encryption).


<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa-wpa2 dot1x aes-tkip


Configuring the Retransmission Timeout Interval for RADIUS Request Packets


For a large-scale or busy network, configure the shortest retransmission timeout interval for
RADIUS request packets. When a long retransmission timeout interval is set, retransmission
occupies system resources. A short retransmission timeout interval can improve the AC's
packet processing capability.
The default retransmission timeout interval for wireless users is 5 seconds, which is suitable
for most wireless user authentication scenarios. When IP addresses of more than eight
authentication servers are configured in a RADIUS server template, or 802.1X authentication
is used, it is recommended that the retransmission timeout interval be set to 1 second to
improve network processing efficiency.
# Set the retransmission timeout interval of RADIUS request packets to 1 second.
<HUAWEI> system-view
[HUAWEI] radius-server template test1
[HUAWEI-radius-test1] radius-server timeout 1

Configuring the Timeout Interval for Sending 802.1X Authentication Requests


By default, the timeout interval for an AC to send 802.1X authentication requests is 30
seconds, and the maximum number of retransmission times is 2. In some scenarios, you can
adjust these values properly to optimize network deployment.
If one-time passwords (OTPs) are used (for example, the network maintenance department sends
access passwords to STAs through short messages), users must request a password, receive it,
and then enter it for authentication. This process may take more than 30 seconds. In this case,
set a longer timeout interval for sending 802.1X authentication requests.
If the network environment is poor (for example, wireless interference is severe) and many
packets are lost, you are advised to set a short timeout interval for sending 802.1X
authentication requests and a large number of retransmission times to improve network
convergence performance.
# Set the timeout interval for sending 802.1X authentication requests to 20 seconds, and the
maximum number of retransmission times to 4.
<HUAWEI> system-view
[HUAWEI] dot1x timer tx-period 20
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x retry 4

Reducing the Number of SSIDs


SSIDs identify different wireless networks. When you search for available wireless networks
on a STA, the displayed wireless network names are SSIDs.
It is recommended that a limited number of SSIDs be configured on an AC. A maximum of
16 SSIDs can be configured for each AP. Too many SSIDs occupy AC system resources.

Reducing the Association Aging Time of STAs


STAs in stadiums move frequently, and a large number of STAs associate with APs deployed
at stadium entrances in a short period of time. As a result, no new STA can associate with the
APs after the number of associated STAs reaches the upper limit.
Many STAs will leave the coverage area of the APs. Therefore, you are advised to set the
association aging time of STAs to 1 minute.


In wireless city scenarios, you are advised to reduce the association aging time of STAs. One
minute is recommended.
# Set the association aging time of STAs to 1 minute in the SSID profile ssid1.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ssid-profile name ssid1
[HUAWEI-wlan-ssid-prof-ssid1] association-timeout 1
Warning: This action may cause service interruption. Continue?[Y/N]y

STA Blacklist and Whitelist Are Not Recommended


On a WLAN, the blacklist or whitelist can be configured to filter access from STAs based on
specified rules. The blacklist or whitelist allows authorized STAs to connect to the WLAN
and rejects access from unauthorized STAs.
The STA blacklist and whitelist increase the burden on the AC and degrade AC performance.
Therefore, the blacklist and whitelist are not recommended, unless otherwise required.

802.11r Is Not Recommended


802.11r is an IEEE protocol that defines fast roaming. Before associating with target APs,
STAs complete handshakes for initial identity authentication. By default, 802.11r is disabled.
Only iOS 6 and later versions support 802.11r. STAs that do not support 802.11r cannot
associate with 802.11r-enabled WLANs. It is recommended that 802.11r be disabled when
multiple types of STAs exist on a WLAN.

AP Load Balancing Is Not Recommended


After AP load balancing is configured, APs in the load balancing group forward received
Probe packets to the AC. The AC then determines the APs from which STAs can access the
WLAN. Too many Probe packets may degrade AC performance. Therefore, it is
recommended that the AP load balancing function be disabled, unless otherwise required.

The Function of Recording Successful STA Associations in the Log Is Not Recommended
After the function of recording successful STA associations in the log is enabled, information
about successfully associated STAs is recorded in the log, so that the administrator can view
information about successful STA associations. Recording successful STA associations in the
log degrades AC performance, especially in scenarios with a large number of STAs.
Therefore, it is recommended that this function be disabled. This function is disabled by
default.
# Disable the function of recording successful STA associations in the log.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] undo report-sta-assoc enable

Reporting Information about STA Traffic and Online Duration on APs Is Not Recommended
You can enable an AC to report information about STA traffic and online duration on APs to
eSight. After this function is enabled, the AC collects and reports the information to eSight
through Syslog when STAs get offline or roam within the AC, which facilitates data query on
eSight.

Frequent information reporting degrades AC performance, especially in scenarios with a large
number of STAs. Therefore, it is recommended that this function be disabled no matter
whether eSight is deployed on a WLAN. This function is disabled by default.

# Disable the AC from reporting information about STA traffic and online duration on APs.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] undo report-sta-info enable

Enabling the Function of Disconnecting Weak-Signal STAs


This function is recommended in high-density stadium and higher education scenarios, but
not recommended in wireless city scenarios.

3.3 Security Configuration Suggestion

Network Security Suggestion


To protect network devices' CPU against attacks and ensure that users can use network
resources properly, user control traffic and data traffic need to be limited. It is recommended
that the traffic be limited on network edges, that is, on APs.

● Control traffic limiting: ARP, ND, and IGMP flood attack detection is enabled on an AP
by default. The rate thresholds for ARP, ND, and IGMP flood attack detection are 5 pps,
16 pps, and 4 pps, respectively. You are not advised to change the default values. When
service traffic is heavy on a network, the values can be increased properly. However, it is
recommended that the values be increased by no more than 100%.
# Set the rate threshold for ARP flood attack detection to 10 pps. (This function is
supported only by V200R010.)
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name profile1
[HUAWEI-wlan-vap-prof-profile1] anti-attack arp-flood sta-rate-threshold 10

● Data traffic limiting: The rate limit of upstream and downstream packets for each STA or
all STAs associated with a VAP is configured in a traffic profile on an AP.
# Set the rate limit of upstream packets to 1 Mbit/s for each STA associated with the
VAP that has the traffic profile p1.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] traffic-profile name p1
[HUAWEI-wlan-traffic-prof-p1] rate-limit client up 1024
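
The control-traffic guidance above (defaults of 5, 16, and 4 pps, raised by no more than 100%) can be checked per VAP profile. The following is an added example, not code from this guide: the configuration layout and sample are constructed, and the nd-flood and igmp-flood command forms are assumed by analogy with the arp-flood command shown above.

```python
import re

# Defaults stated in the guide; the ceiling is the default raised by 100%.
DEFAULT_PPS = {"arp": 5, "nd": 16, "igmp": 4}
CEILING_PPS = {proto: 2 * pps for proto, pps in DEFAULT_PPS.items()}

# Constructed sample; the indentation of the saved configuration is an assumption.
SAMPLE_CONFIG = """\
wlan
 vap-profile name profile1
  anti-attack arp-flood sta-rate-threshold 10
 vap-profile name guest
  anti-attack arp-flood sta-rate-threshold 50
  anti-attack igmp-flood sta-rate-threshold 2
 vap-profile name voice
"""

PROFILE_RE = re.compile(r"^\s*vap-profile name (\S+)\s*$")
# Only the arp-flood form appears in the guide; nd/igmp are assumed analogous.
THRESHOLD_RE = re.compile(
    r"^\s*anti-attack (arp|nd|igmp)-flood sta-rate-threshold (\d+)\s*$")
OTHER_VIEW_RE = re.compile(r"^\s*(#|\S+-profile name )")


def classify(proto, pps):
    """Place a threshold relative to the guide's default and ceiling."""
    if pps == DEFAULT_PPS[proto]:
        return "default"
    if pps < DEFAULT_PPS[proto]:
        return "lowered"              # changed from default, not advised
    if pps <= CEILING_PPS[proto]:
        return "raised-within-limit"  # tolerated when service traffic is heavy
    return "above-limit"              # more than 100% over the default


def audit_flood_thresholds(config_text):
    """Return {profile: {proto: (effective pps, status)}} for each VAP profile."""
    profiles, current = {}, None
    for line in config_text.splitlines():
        profile = PROFILE_RE.match(line)
        if profile:
            # Unset thresholds fall back to the defaults stated in the guide.
            current = profiles.setdefault(profile.group(1), dict(DEFAULT_PPS))
            continue
        threshold = THRESHOLD_RE.match(line)
        if threshold and current is not None:
            current[threshold.group(1)] = int(threshold.group(2))
        elif OTHER_VIEW_RE.match(line):
            current = None  # left the VAP profile view
    return {
        name: {proto: (pps, classify(proto, pps)) for proto, pps in values.items()}
        for name, values in profiles.items()
    }


def findings(config_text):
    """List (profile, proto, pps, status) for every non-default threshold."""
    report = audit_flood_thresholds(config_text)
    return sorted(
        (name, proto, pps, status)
        for name, protos in report.items()
        for proto, (pps, status) in protos.items()
        if status != "default"
    )


if __name__ == "__main__":
    for name, proto, pps, status in findings(SAMPLE_CONFIG):
        print(f"{name}: {proto}-flood threshold {pps} pps is {status} "
              f"(default {DEFAULT_PPS[proto]}, ceiling {CEILING_PPS[proto]})")
```
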

Different suggestions are provided for X series cards and non-X series cards of ACs.
● The user-level rate limiting function is recommended for X series cards and is enabled
by default. Supported packet types include ARP Request, ARP Reply, ND, DHCP
Request, DHCPv6 Request, and 802.1X. By default, the user-level rate limit is 10 pps.
You can adjust the rate limit for a specified STA.
# Set the rate limit threshold for the STA with MAC address 000a-000b-000c to 20 pps.
<HUAWEI> system-view
[HUAWEI] cpu-defend host-car mac-address 000a-000b-000c pps 20

● The attack source tracing function is recommended for non-X series cards and is enabled
by default. If the number of protocol packets of normal services exceeds the specified
checking threshold and an attack source punishment action is configured, the attack
source tracing function may affect these normal services. You can attempt to disable the
attack source tracing function or disable this function for corresponding protocols to
restore the services.
# Configure the device to discard packets from the identified source every 10 seconds.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend action deny timer 10

# Delete IGMP and TTL-expired packets from the list of traced packets.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] undo auto-defend protocol igmp ttl-expired

ICMP Fast Reply Is Recommended


Ping is a common method for checking network connectivity. However, a large number of
ICMP packets affect device performance, reducing the number of wireless users supported by
the AC. The ICMP fast reply function is enabled on a switch by default. Keep this function
enabled, unless otherwise required.

CAPWAP Tunnel Encryption Is Not Recommended


The parent and an AS transmit management packets through a Control and Provisioning of
Wireless Access Points (CAPWAP) tunnel. To ensure tunnel confidentiality and security, you
can use Datagram Transport Layer Security (DTLS) to encrypt packets transmitted in the
CAPWAP tunnel. DTLS encryption, however, degrades AC performance. It is recommended
that DTLS encryption be disabled in scenarios without high security requirements or special
customer requirements.

3.4 Radio Configuration Suggestion

WIDS Is Not Recommended


Wireless Intrusion Detection System (WIDS) enables monitoring APs to periodically detect
wireless signals. In this manner, the AC can obtain information about devices on the wireless
network and take measures to prevent access from unauthorized devices. Frequent monitoring
and data reporting, however, degrade AC performance. Therefore, it is recommended that
WIDS be disabled, unless otherwise required.

Scanning Channels of Unauthorized Devices


If the WIDS function is enabled, an AP scans all channels supported by the corresponding
country code by default. Frequent channel scanning degrades AC performance. It is
recommended that only calibration channels be scanned.
# Configure an air scan channel set that contains all calibration channels.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] air-scan-profile name huawei
[HUAWEI-wlan-air-scan-prof-huawei] scan-channel-set dca-channel

Configuring a Proper Interval for Reporting Information About Unauthorized Devices

If WIDS is enabled, a monitoring AP caches information about detected wireless devices until
the incremental reporting interval elapses. When the interval is reached, the monitoring AP
reports the information to the AC and then clears the reported information.
By default, an AP incrementally reports wireless device information to an AC at an interval of
300 seconds. You are not advised to change the default value. When a short interval is set,
suspicious devices can be rapidly detected. If the interval is too short, however, information
about unauthorized devices that appear only momentarily may be reported incorrectly. As a
result, the reported information may be incorrect, and information reporting occupies
unnecessary AC and AP resources.
# Set the interval at which an AP incrementally reports wireless device information to an AC
to 120 seconds.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] air-scan-profile name huawei
[HUAWEI-wlan-air-scan-prof-huawei] quit
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids device detect enable
[HUAWEI-wlan-group-radio-office/0] quit
[HUAWEI-wlan-ap-group-office] quit
[HUAWEI-wlan-view] wids-profile name office
[HUAWEI-wlan-wids-prof-office] device report-interval 120

Properly Configuring Radio Calibration


On a WLAN, operating status of APs is affected by the radio environment. In this case, you
can configure radio calibration. The radio calibration function can dynamically adjust
channels and power of APs managed by the same AC to ensure that the APs work at the
optimal performance.

Figure 3-5 Channels in the 2.4 GHz frequency band

Channel   Center frequency (GHz)
1         2.412
2         2.417
3         2.422
4         2.427
5         2.432
6         2.437
7         2.442
8         2.447
9         2.452
10        2.457
11        2.462
12        2.467
13        2.472
14        2.484

Frequent radio calibration degrades AC performance. Because radio signals are centralized in
high-density stadiums, radio calibration is triggered frequently to prevent signal overlapping
and interference. Therefore, it is recommended that radio calibration be disabled in high-
density stadiums, and manual or scheduled calibration be used.

Figure 3-6 Channel adjustment principle

[Figure: coverage areas of AP1 to AP4 before and after channel adjustment. AP1 stays on
Channel 1 and AP2 stays on Channel 6; AP3 and AP4 exchange Channel 6 and Channel 11.]
Note: A circle represents an AP's coverage area. Channel X indicates an AP's working channel.

# Set the radio calibration mode to manual.


<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] calibrate enable manual

# Set the radio calibration mode to schedule and set the time for scheduled radio calibration
to 20:30:00.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] calibrate enable schedule time 20:30:00

Properly Configuring Band Steering


Compared with the 2.4 GHz frequency band, the 5 GHz frequency band has fewer
interference sources and more available channels, and provides higher access capability.

Most STAs support both the 5 GHz and 2.4 GHz frequency bands, and usually associate with
the 2.4 GHz frequency band by default when connecting to the Internet through APs. To
associate STAs with the 5 GHz frequency band, you need to manually select the 5 GHz
frequency band. The band steering function addresses this issue.

After the band steering function is enabled for a specified SSID on the AC, the AP
preferentially associates the STAs connected to the SSID with the 5 GHz frequency band.
After the 5 GHz frequency band is fully loaded, the AP steers the STAs to the 2.4 GHz
frequency band.

If both radios of an AP use the same VAP profile, the band steering function takes effect on
both the radios as long as the function is enabled for an SSID on one radio of the AP. For
example, if the band steering function is enabled for the SSID huawei on the 2.4 GHz radio
but not on the 5 GHz radio, the AP preferentially steers STAs associated with the SSID to the
5 GHz radio.

The band steering function is enabled by default. Single-radio APs do not support the band
steering function.

Enabling Smart Roaming Based on Scenarios


On a traditional WLAN, when a STA is moving away from an AP, the STA's access rate
becomes lower, but the STA still associates with the AP instead of re-initiating a connection
with the AP or roaming to another AP. This degrades user experience. The smart roaming
function can address this issue. When detecting that the signal-to-noise ratio (SNR) or access
rate of a STA is lower than the specified threshold, the AP sends a Disassociation packet to
the STA so that the STA can reconnect to the AP or roam to another AP.
This function applies to high-density static scenarios, for example, lecture halls. This function
is not recommended in scenarios where STAs move frequently, such as wireless cities. If this
function is enabled, you are advised to retain the default roaming threshold.
If a high roaming threshold is configured, STAs may go offline frequently. If a low roaming
threshold is configured, STAs cannot roam to APs with better signals in a timely manner.
# Enable smart roaming. (in versions earlier than V200R011C10SPC600)
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rrm-profile name huawei
[HUAWEI-wlan-rrm-prof-huawei] smart-roam enable

# Enable smart roaming. (in V200R011C10SPC600 and later versions)


<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rrm-profile name huawei
[HUAWEI-wlan-rrm-prof-huawei] undo smart-roam disable

Dynamic EDCA Parameter Adjustment Is Recommended


A WLAN has only three non-overlapping channels on the 2.4 GHz frequency band. When
APs are densely deployed in high-density indoor scenarios of universities, multiple APs have
to work on the same channel. As a result, co-channel interference is caused and degrades
network performance.
The dynamic EDCA parameter adjustment function allows APs to adjust EDCA parameters
flexibly by detecting the number of STAs to reduce the possibility of collision, improve the
throughput, and enhance user experience.
# Enable dynamic EDCA parameter adjustment.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rrm-profile name huawei
[HUAWEI-wlan-rrm-prof-huawei] dynamic-edca enable

Enabling the Short GI


In high-density indoor scenarios of universities, you are advised to enable the short GI to
improve the transmission rate of 802.11n and 802.11ac packets.
# Set the GI mode to short.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] radio-2g-profile name default
[HUAWEI-wlan-radio-2g-prof-default] guard-interval-mode short

Setting the RTS-CTS Operation Mode in a Radio Profile


The Request To Send/Clear To Send (RTS/CTS) handshake protocol prevents data
transmission failures caused by channel conflicts. If STAs perform RTS/CTS handshakes
before sending data each time, RTS frames consume high channel bandwidth. In high-density
indoor scenarios of universities, you are advised to use the RTS/CTS mode.
# Set the RTS-CTS operation mode to rts-cts in a radio profile.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] radio-2g-profile name default
[HUAWEI-wlan-radio-2g-prof-default] rts-cts-mode rts-cts
[HUAWEI-wlan-radio-2g-prof-default] rts-cts-threshold 1400
[HUAWEI-wlan-radio-2g-prof-default] quit
[HUAWEI-wlan-view] radio-5g-profile name default
[HUAWEI-wlan-radio-5g-prof-default] rts-cts-mode rts-cts
[HUAWEI-wlan-radio-5g-prof-default] rts-cts-threshold 1400
[HUAWEI-wlan-radio-5g-prof-default] quit

Disconnecting Weak-Signal STAs


If the uplink signal strength of a STA received by an AP is low, the STA is far away from the
AP. If the STA continues to connect to the AP, a large number of packets are retransmitted and
air interface resources are wasted. To prevent the STA from reducing the throughput of the
entire AP, you are advised to force the STA to go offline so that the STA can associate with an
AP with better signal quality.
NOTE
If a high signal strength threshold is set, STAs may go offline easily. Set a proper threshold based on the
actual situation.

# Enable the function of disconnecting weak-signal STAs (V200R011C00 and earlier versions).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rrm-profile name default
[HUAWEI-wlan-rrm-prof-default] smart-roam enable
[HUAWEI-wlan-rrm-prof-default] smart-roam roam-threshold check-snr
[HUAWEI-wlan-rrm-prof-default] smart-roam quick-kickoff-threshold snr 20

# Enable the function of disconnecting weak-signal STAs (V200R011C10 and later versions).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rrm-profile name default
[HUAWEI-wlan-rrm-prof-default] undo smart-roam quick-kickoff-threshold disable
[HUAWEI-wlan-rrm-prof-default] smart-roam quick-kickoff-threshold check-snr
[HUAWEI-wlan-rrm-prof-default] smart-roam quick-kickoff-threshold snr 20

3.5 Deployment Suggestions for Different Network Scales


For details, see Huawei Campus Switches Native AC Sales Guide.

4 WLAN Service Configuration Procedure

4.1 Reference Relationships Between WLAN Profiles


Various profiles are designed based on different functions and features of WLAN networks to
help users configure and maintain functions of WLAN networks. These profiles are called
WLAN profiles. Figure 4-1 shows the referencing relationships between WLAN profiles. By
getting to know the referencing relationships, users can easily grasp the configuration
roadmap of WLAN profiles and complete their configurations.
As shown in Figure 4-1, the following profiles can be bound to the AP group and AP: radio
profile, VAP profile, Location profile, regulatory domain profile, AP system profile, WIDS
profile, AP wired port profile, WDS profile, and Mesh profile. Some of the listed profiles can
further reference other profiles, for example, the radio profile can reference an air scan profile
and an RRM profile.

Figure 4-1 Reference relationships between WLAN profiles

[Figure: tree of the profiles that can be referenced from an AP group or AP. Profiles shown:
regulatory domain profile*, radio profile*, air scan profile*, RRM profile*, VAP profile*,
SSID profile*, security profile*, traffic profile*, STA blacklist profile, STA whitelist profile,
authentication profile*, 802.1x access profile*, Portal access profile*, MAC access profile*,
authentication-free rule profile*, AP system profile*, WMI profile, AP wired port profile*,
AP wired port link profile*, WIDS profile*, WIDS spoof SSID profile, WIDS whitelist profile,
Location profile, BLE profile, WDS profile*, WDS whitelist profile, Mesh profile*,
Mesh handover profile*, and Mesh whitelist profile.]

NOTE

● The profiles marked with * can be configured as default profiles.
● AP provisioning profiles cannot be referenced by other profiles and are only used to deliver
configurations to specified APs or AP groups. Therefore, this figure does not show AP provisioning
profiles.
● An AP radio can directly reference some profiles, including the radio profile, VAP profile, WDS profile,
WDS whitelist profile, Mesh profile, and Mesh whitelist profile.
● The IoT profiles are directly referenced in the IoT card interface view and are not displayed.

WLAN profiles are designed to facilitate configuration and maintenance of WLAN functions.
When configuring WLAN service functions, users need to configure parameters in matching
WLAN profiles. After completing the configurations, they need to bind the profiles to upper-
level profiles, AP groups, or APs, and the configurations will be automatically delivered to
APs. After that, the configured functions automatically take effect on the APs.

NOTE

● If a WLAN profile is bound to an upper-level profile, this upper-level profile should be bound to an AP
group or AP.
● Configurations in an AP provisioning profile take effect only after they are manually delivered to APs.
Configurations in other WLAN profiles are automatically delivered to APs.

For example, to configure air interface scan parameters, you can configure the parameters in
an air scan profile and bind the air scan profile to a radio profile, which is then bound to an
AP group or AP, as shown in Figure 4-1. The configurations of air interface scan parameters
are automatically delivered to APs and take effect. If referencing relationships between
profiles are set in advance, parameter configurations in the air scan profile are automatically
delivered to APs.
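
The binding rule above (a profile's settings reach APs only when the profile is bound, directly or through upper-level profiles, to an AP group or AP) can be checked mechanically. The following Python check is an added example, not part of this guide or of Huawei software. The kind labels and the sample inventory are constructed, and the reference relationships are the ones named in the text of this chapter.

```python
from collections import deque

ROOT_KINDS = {"ap-group", "ap"}

# Reference relationships named in the text of this chapter. The kind labels
# are chosen for this example and are not device keywords.
ALLOWED = {
    "ap-group": {"radio", "vap", "location", "regulatory-domain", "ap-system",
                 "wids", "ap-wired-port", "wds", "mesh"},
    "radio": {"air-scan", "rrm"},
    "vap": {"ssid", "security", "traffic", "authentication"},
    "authentication": {"dot1x-access", "mac-access", "portal-access"},
    "wds": {"security"},
    "mesh": {"security"},
}
ALLOWED["ap"] = ALLOWED["ap-group"]

# Constructed inventory: (kind, name) pairs and (upper, lower) bindings.
PROFILES = [
    ("radio", "r2g"), ("air-scan", "huawei"), ("rrm", "huawei"),
    ("vap", "profile1"), ("ssid", "s1"), ("security", "sec1"),
    ("traffic", "p1"), ("radio", "lab"), ("rrm", "tuned"),
]
BINDINGS = [
    (("ap-group", "office"), ("radio", "r2g")),
    (("radio", "r2g"), ("air-scan", "huawei")),
    (("radio", "r2g"), ("rrm", "huawei")),
    (("ap-group", "office"), ("vap", "profile1")),
    (("vap", "profile1"), ("ssid", "s1")),
    (("vap", "profile1"), ("security", "sec1")),
    (("radio", "lab"), ("rrm", "tuned")),
]


def invalid_bindings(bindings):
    """Bindings whose upper/lower kinds are not a relationship listed above."""
    return [(upper, lower) for upper, lower in bindings
            if lower[0] not in ALLOWED.get(upper[0], set())]


def delivery_status(profiles, bindings):
    """Classify each profile as delivered, stranded, or unbound.

    delivered: reachable from an AP group or AP; the value is the chain.
    stranded:  referenced only by profiles that never reach an AP group or AP.
    unbound:   not referenced by anything.
    """
    bad = set(invalid_bindings(bindings))
    children, parents = {}, {}
    for upper, lower in bindings:
        if (upper, lower) in bad:
            continue
        children.setdefault(upper, []).append(lower)
        parents.setdefault(lower, []).append(upper)

    # Breadth-first walk from every AP group and AP, recording the chain.
    path, queue = {}, deque()
    for upper in children:
        if upper[0] in ROOT_KINDS:
            path[upper] = [upper]
            queue.append(upper)
    while queue:
        node = queue.popleft()
        for child in children.get(node, []):
            if child not in path:
                path[child] = path[node] + [child]
                queue.append(child)

    report = {}
    for profile in profiles:
        if profile in path:
            report[profile] = ("delivered", path[profile])
        elif profile in parents:
            report[profile] = ("stranded", sorted(parents[profile]))
        else:
            report[profile] = ("unbound", [])
    return report


if __name__ == "__main__":
    for profile, (status, detail) in delivery_status(PROFILES, BINDINGS).items():
        print(profile, status, detail)
```

In the sample, traffic profile p1 is reported as unbound, so any rate limit configured in it is not enforced on any AP.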

4.2 WLAN Basic Service Configuration Procedure


You can follow the procedure in Figure 4-2 to configure WLAN basic services.
The WLAN basic service configuration procedure includes the following steps:
1. Create an AP group.
2. Configure network interconnection.
3. Configure system parameters for the AC.
4. Configure the AC to deliver WLAN services to Fit APs.

Figure 4-2 WLAN basic service configuration flowchart

[Figure: flowchart with the following steps.
Create an AP group.
Configure network interconnection: configure the DHCP server; configure device connectivity.
Configure the AC to manage Fit APs, by configuring system parameters for the AC: configure a
country code (in a regulatory domain profile); configure the AC’s source interface; set the AP
authentication mode and configure APs to go online.
Configure the AC to deliver WLAN services to Fit APs: configure basic radio parameters (on
radios); create an SSID profile, a security profile, and a radio profile; create a VAP profile; bind
the profiles to an AP or AP group.]

4.3 AP Group and AP


To simplify the configuration of a large number of APs, you can add them to an AP group and
perform centralized configuration.

However, APs may have different configurations. These configurations cannot be uniformly
performed but can be directly performed on each AP.

Each AP must join exactly one AP group when going online. If an AP obtains both AP
group and specific configurations from an AC, the AP specific configurations are
preferentially used.
● If no configuration is available on the AP, the AP uses the configurations in the AP
group.
● If configurations are available on the AP, the AP uses the configurations preferentially.
However, if the configurations are incomplete, the AP obtains the configurations that do
not exist on itself from the AP group.
● Performance of APs in an AP group may vary according to the model. If the unified
configuration delivered to the AP group is not supported by an AP in the group, the
configuration does not take effect for this AP.

As shown in Figure 4-3, the AP with ID 1 does not find any configurations on itself;
therefore, the AP uses all WLAN configurations in the AP group a to which it belongs.

Figure 4-3 AP group

[Figure: AP group a contains regulatory domain profile a (country code CN), VAP profile a,
SSID profile a, AP system profile a, and other profiles. AP 1 belongs to AP group a. AP 1 does
not find any configurations on itself, so it uses all configurations in the AP group.]

As shown in Figure 4-4, the AP with ID 101 finds configurations on itself so the AP
preferentially uses the configurations. Since there is only regulatory domain profile
configuration on the AP, the AP acquires other configurations in AP group a to which it
belongs, for example, VAP profile, AP system profile, and other profiles shown in the
following figure.

Figure 4-4 AP group and AP

[Figure: AP group a contains regulatory domain profile a (country code CN), VAP profile a,
SSID profile a, AP system profile a, and other profiles. AP 101 belongs to AP group a and has
its own regulatory domain profile b (country code US).
1. The AP finds regulatory domain profile configuration on itself and preferentially uses the
configuration.
2. The configurations on the AP are incomplete. The AP acquires the other configurations in the
AP group.]
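
The precedence rules of this section, applied to the APs of Figure 4-3 and Figure 4-4, are worked through below. This Python code is an added example, not part of this guide or of Huawei software. The key names, AP 102, its unsupported setting, and the mesh profile m1 are constructed for illustration.

```python
# AP group a as drawn in Figure 4-3 and Figure 4-4. The mesh profile entry is
# constructed to illustrate a setting that one AP model cannot run.
GROUPS = {
    "a": {
        "regulatory-domain-profile": "a",
        "vap-profile": "a",
        "ssid-profile": "a",
        "ap-system-profile": "a",
        "mesh-profile": "m1",          # constructed
    },
}
# Country code carried by each regulatory domain profile (from the figures).
COUNTRY_CODES = {"a": "CN", "b": "US"}

# AP 1 and AP 101 follow the figures; AP 102 is constructed.
APS = {
    1: {"group": "a", "config": {}},
    101: {"group": "a", "config": {"regulatory-domain-profile": "b"}},
    102: {"group": "a", "config": {}, "unsupported": {"mesh-profile"}},
}


def effective_config(ap_config, group_config, unsupported=()):
    """Resolve the settings an AP runs, as {key: (value, source)}.

    1. Start from the AP group's settings.
    2. A group setting the AP model does not support does not take effect.
    3. Settings configured on the AP itself are used preferentially.
    """
    result = {}
    for key, value in group_config.items():
        if key in unsupported:
            result[key] = (None, "not-applied")
        else:
            result[key] = (value, "ap-group")
    for key, value in ap_config.items():
        result[key] = (value, "ap")
    return result


def audit_fleet(aps, groups, country_codes):
    """Per AP: effective settings, country code, and deviations from the group."""
    report = {}
    for ap_id, ap in aps.items():
        group = groups[ap["group"]]
        eff = effective_config(ap["config"], group, ap.get("unsupported", ()))
        reg_profile = eff.get("regulatory-domain-profile", (None, None))[0]
        report[ap_id] = {
            "effective": eff,
            "country": country_codes.get(reg_profile),
            # Settings where the AP's own value replaces a different group value.
            "overridden": sorted(
                key for key, (value, source) in eff.items()
                if source == "ap" and group.get(key) != value),
            # Group settings that silently do not take effect on this AP.
            "not_applied": sorted(
                key for key, (_, source) in eff.items()
                if source == "not-applied"),
        }
    return report


if __name__ == "__main__":
    for ap_id, entry in audit_fleet(APS, GROUPS, COUNTRY_CODES).items():
        print(ap_id, entry["country"], entry["overridden"], entry["not_applied"])
```

The overridden and not_applied lists are the two places where an AP's behavior differs from what the AP group configuration alone suggests, for example AP 101 operating under country code US inside a group configured for CN.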

4.4 Regulatory Domain Profile


A regulatory domain profile provides configurations of country code, calibration channel, and
calibration bandwidth for an AP.
● A country code identifies the country to which AP radios belong. Different countries
support different AP radio attributes, including the transmit power and supported
channels. Correct country code configuration ensures that radio attributes of APs comply
with laws and regulations of countries and regions to which the APs are delivered. For
details, see 5.9.3 Configuring Country Codes.
● A calibration channel set limits the dynamic AP channel adjustment range when the
radio calibration function is configured. Radar channels and the channels that are not
supported by STAs are avoided. For details, see 7 Radio Resource Management.
● The 5 GHz frequency band has richer spectrum resources. In addition to 20 MHz
channels, APs working on the 5 GHz frequency band support 40 MHz and 80 MHz
channels. Different calibration bandwidths support different calibration channels.
Larger-bandwidth channels mean higher transmission rates. However, at least three channels are
required in radio calibration to achieve the optimal calibration effect. When configuring
the calibration bandwidth, ensure that enough calibration channels are available for use.
For details, see 7 Radio Resource Management.

4.5 Radio Profile


Radio profiles are used to optimize radio parameters, and control the in-service channel
switching function. For details, see 5.11.1 Configuring a Radio.
Radio profiles are divided into 2G and 5G radio profiles. 2G and 5G radio profiles apply to
2.4 GHz and 5 GHz radios respectively. The differences between configurations of 2G and 5G
radio profiles are as follows:
● 2G radio profiles allow you to configure the 802.11bg basic rate set and supported rate
set.
● 5G radio profiles allow you to configure the 802.11a basic rate set and supported rate set,
and perform 802.11ac-related configurations.
Radio profiles can reference air scan profiles and RRM profiles.
● Air scan profiles are designed for radio calibration, spectrum analysis, location, and
WIDS data analysis. APs periodically scan radio signals in their surrounding
environment and report the collected information to ACs or servers.
● RRM profiles are designed to maintain optimal radio resource utilization. They enable
APs to check the surrounding radio environment, dynamically adjust working channels
and transmit power, and evenly distribute access users. This function helps adjust radio
coverage, reduce radio signal interference, and enable a wireless network to quickly
adapt to changes in the radio environment. With the radio resource management
function, the wireless network can provide high service quality for wireless users. For
details, see 7 Radio Resource Management.

4.6 Air Scan Profile

The air scan profile is used for radio calibration and Wireless Intrusion Detection System
(WIDS) data analysis. An AP periodically scans surrounding radio signals and reports the
collected information to an AC or server.
● Radio calibration
An authorized AP scans surrounding radio signals, collects information about
surrounding authorized APs, rogue APs, and non-Wi-Fi devices, and reports the
information to an AC.
For the detailed configuration, see 7.7 Configuring Radio Calibration.
● WIDS data analysis
A monitor AP scans channels to monitor information about neighboring wireless
devices, collects information about neighboring wireless devices by listening to WLAN
packets sent from neighboring wireless devices, and periodically reports collected
information to an AC. The AC then uses the information to determine rogue devices.
For the detailed configuration, see .
The air scan profile takes effect only after it is referenced by the radio profile.

4.7 RRM Profile


WLAN technology uses radio signals (such as 2.4 GHz or 5 GHz radio waves) as the
transmission medium. Radio waves attenuate when they are transmitted over the air,
degrading service quality for wireless users. Radio resource management enables a WLAN to
adapt to changes in the radio environment by dynamically adjusting radio resources. This
improves service quality for wireless users.
Radio resource management (RRM) enables APs to check the surrounding radio environment,
dynamically adjust channels and transmit power, and evenly distribute access users. This
function helps reduce radio signal interference, adjust radio coverage, and enable a wireless
network to quickly adapt to changes in the radio environment. With the RRM profile, the
wireless network can provide high service quality for wireless users and maintain an optimal
radio resource utilization. For the detailed configuration, see 7 Radio Resource
Management.
The RRM profile takes effect only after it is referenced by the radio profile.

4.8 VAP Profile


After parameters in a VAP profile are configured, and the VAP profile is bound to an AP
group or AP, virtual access points (VAPs) are created on APs. VAPs provide wireless access
services for STAs. You can configure parameters in the VAP profile to enable APs to provide
different wireless services.
A VAP profile can reference the following profiles:
● SSID profile: used to configure SSIDs of WLANs. In the profile, you can also disable
access of non-HT STAs and configure the association aging time of STAs and delivery
traffic indication message (DTIM) interval. For details, see 5.11.2.10 Configuring an
SSID Profile.
● Security profile: used to configure security policies of WLANs, including policies for
authentication and encryption of STAs. Security policies include open system
authentication, WEP, WPA/WPA2-PSK, WPA/WPA2-802.1X, WAPI-PSK, and
WAPI-certificate. For details, see 12 Security Policy Configuration.
● Traffic profile: used to configure priority mapping and traffic policing functions of
WLANs. After the WMM function is enabled on the STA and AP, the priority mapping
function allows you to configure methods for mapping upstream priorities of packets,
upstream tunnel priorities, and downstream priorities. The traffic policing function limits
packet sending rates of wireless STAs. For details, see 10.7.2 Configuring Priority
Mapping and 10.7.3 Configuring Traffic Policing.
● Authentication profile: used to manage network admission control (NAC)
configurations. You can bind access profiles (including the 802.1X access profile, MAC
access profile, and Portal access profile) to authentication profiles to determine
configurations of the access protocols. After the authentication profile configuration is
complete, bind it to an interface or VAP profile to authenticate and control access users.
For details, see NAC Configuration (Unified Mode).

4.9 SSID Profile


SSIDs identify different wireless networks. When you search for available wireless networks
on your laptop, the displayed wireless network names are SSIDs.
An SSID profile is used to configure the SSID name and other access parameters of a WLAN.
The following configurations are performed in an SSID profile:
● SSID hiding: When creating a WLAN, configure an AP to hide the SSID of the WLAN
to ensure security. Only the users who know the SSID can connect to the WLAN.
● Maximum number of STAs: More access users on a VAP indicate fewer network
resources that each user can occupy. To ensure Internet experience of users, you can
configure a proper maximum number of access users on a VAP according to actual
network situations.
● SSID hiding when the number of STAs reaches the maximum: When this function is
enabled and the number of access users on a WLAN reaches the maximum, the SSID of
the WLAN is hidden and new users cannot search for the SSID.
● Denying access of non-HT STAs: Non-HT STAs that support only 802.11a, 802.11b, and
802.11g protocols cannot access a wireless network. These terminals provide a rate far
lower than 802.11n and 802.11ac terminals. If the non-HT STAs access the wireless
network, data transmission rates of the 802.11n and 802.11ac terminals are decreased. To
ensure data transmission rates of the 802.11n and 802.11ac terminals, access of non-HT
STAs is denied.
● STA association timeout period: If an AP receives no data packet from an STA in a
continuous period of time, the STA goes offline after the association timeout period
expires.
● DTIM interval: The DTIM interval specifies how many Beacon frames are sent by an AP
before the Beacon frame that contains the DTIM. The Beacon frame carrying DTIM
wakes an STA in power-saving mode, and transmits the broadcast and multicast frames
saved on the AP to the STA.
For details about how to configure an SSID profile, see 5.11.2.10 Configuring an SSID
Profile.

4.10 Authentication Profile

NAC implements access control on users. To facilitate NAC function configuration, the
device uses authentication profiles to uniformly manage NAC configuration. You can
configure parameters in an authentication profile to provide different access control modes for
users. For example, you can configure the access profile bound to the authentication profile to
determine the authentication mode for the authentication profile. The device then uses the
authentication mode to authenticate users on the interface or VAP profile to which the
authentication profile is applied.
For the configuration, see Configuring an Authentication Profile.

4.11 Security Profile


You can configure WLAN security policies to authenticate identities of wireless terminals and
encrypt user packets, protecting the security of the WLAN and users. The supported WLAN
security policies include open system authentication, WEP, WPA/WPA2-PSK,
WPA/WPA2-802.1X, WAPI-PSK, and WAPI-certificate. You can configure one of them in a
security profile. Open system authentication and WPA/WPA2-802.1X need to be configured
together with NAC to manage user access.
To connect a STA to the WLAN, bind the security profile to a VAP profile. The STA can
connect to the WLAN through an SSID only after it completes identity authentication
according to the security policy configured in the VAP profile. For the detailed configuration,
see 12.4 Configuring a WLAN Security Policy.
For WDS services, bind the security profile to the WDS profile. To ensure WDS security, set
the security policy to WPA2+PSK+AES. For the detailed configuration, see 14.8.5
Configuring a Security Profile.
For Mesh services, bind the security profile to the Mesh profile. To ensure Mesh security, set
the security policy to WPA2+PSK+AES. For the detailed configuration, see 15.9.5
Configuring a Security Profile.

4.12 Traffic Profile


In a traffic profile, you can configure priority mapping on the wireless side, air interface
performance optimization, traffic policing, and ACL-based packet filtering. The
configurations in a traffic profile take effect only after it is bound to a VAP profile.
• Priority mapping
  Packets of different types have different priorities. For example, 802.11 packets sent by
  STAs carry user priorities or DSCP priorities, VLAN packets on wired networks carry
  802.1p priorities, and IP packets carry DSCP priorities. Priority mapping must be
  configured on network devices to retain the priorities of packets that traverse different
  networks.
  For details, see 10.7.2 Configuring Priority Mapping.
• Traffic policing
  To protect network resources and prevent network congestion, you can configure traffic
  policing to limit the rate of traffic entering a WLAN. In a traffic profile, you can
  configure rate limiting for upstream and downstream packets of all STAs or each STA on
  a VAP.
  For details, see 10.7.3 Configuring Traffic Policing.
• Traffic optimization
  On a WLAN, a large number of wireless packets need to be forwarded, which may easily
  cause network congestion and degrade network performance. WLAN traffic optimization
  measures, such as traffic limit and multicast optimization, can be taken to adjust network
  traffic in real time, significantly reducing the impact of burst data on the network and
  improving network performance.
  For details, see 21 WLAN Traffic Optimization Configuration.
• ACL-based packet filtering
  You can configure ACL-based packet filtering to enable a device to permit or deny
  packets matching ACL rules, thereby controlling network traffic.
  For details, see 10.7.5 Configuring ACL-based Packet Filtering.
• ACL-based packet priority re-marking
  You can configure ACL-based priority re-marking to re-mark the priorities of packets
  matching ACL rules and implement differentiated services for wireless packets.
  For details, see 10.7.6 Configuring ACL-based Priority Remarking.

4.13 STA Blacklist Profile


A STA blacklist profile contains MAC addresses of wireless terminals forbidden to connect to
the WLAN. To forbid some STAs to connect to the WLAN, configure a STA blacklist profile
and apply the STA blacklist profile to an AP system profile or a VAP profile.
The effective scope of the STA blacklist profile differs according to the profiles to which it is
applied.
• AP system profile: The STA blacklist profile takes effect based on the AP. APs using the
  AP system profile will use the STA blacklist profile. The STA blacklist profile takes
  effect on all STAs connected to the APs (all VAPs).
• VAP profile: The STA blacklist profile takes effect based on the VAP. If the STA
  blacklist profile is applied to an AP, the STA blacklist profile applies only to STAs
  connected to the corresponding VAPs.
For the detailed configuration, see 13.4.2 Configuring a STA Blacklist Profile in the
Configuration-User Access and Authentication Configuration Guide.

4.14 STA Whitelist Profile


A STA whitelist profile contains MAC addresses of STAs allowed to connect to the WLAN.
To allow only some STAs to connect to the WLAN, configure a STA whitelist profile and
apply the STA whitelist profile to an AP system profile or a VAP profile.
The effective scope of the STA whitelist profile differs according to the profiles to which it is
applied.
• AP system profile: The STA whitelist profile takes effect based on the AP. APs using the
  AP system profile will use the STA whitelist. The STA whitelist profile takes effect on
  all STAs connected to the APs (all VAPs).
• VAP profile: The STA whitelist profile takes effect based on the VAP. If the STA
  whitelist profile is applied to an AP, the STA whitelist profile applies only to STAs
  connected to the corresponding VAPs.
For the detailed configuration, see 13.4.1 Configuring a STA Whitelist Profile in the
Configuration-User Access and Authentication Configuration Guide.

4.15 AP System Profile


An AP system profile is used to configure AP system parameters and can reference STA
blacklist and whitelist profiles as well as spectrum analysis configuration. The following
configurations are performed in an AP system profile:

• Manage AP login modes.
  A user can log in to an AP through the console port, STelnet, SFTP, and Telnet in wired
  mode, or through Telnet in wireless mode. These login modes can be disabled in an AP
  system profile to ensure AP login security. For details, see 6.5 Managing Wired Login
  for APs and 6.6 Managing Wireless Login for APs.
• Configure the offline management VAP and antenna alignment VAP for an AP.
  When an AP goes offline unexpectedly, the AC cannot manage the AP. In this case, you
  can enable the management VAP and log in to the AP using Telnet or STelnet to
  troubleshoot the fault. This avoids complex operations.
  You can associate a mobile phone on which the WiFi Go APP is installed with the
  wireless network with SSID hw_manage_xxxx (xxxx is the last four bits of the AP
  MAC address) and use the phone to receive packets sent by the antenna alignment VAP.
  For details, see 14.9.2 Configuring Antenna Alignment VAPs.
• Configure a management VLAN for an AP.
  In practice, the PVID of an AP wired interface is usually set to the management VLAN
  ID. For details, see 5.5 Configuration Limitations for WLAN. When management
  packets from the AP or data packets forwarded in tunnel mode reach the access device
  through the CAPWAP tunnel, the access device tags the packets with the PVID.
  If the PVID of the access device has been used for other purposes (for example, as the
  default VLAN ID of wired users), the PVID cannot be configured as the management
  VLAN ID on the access device interface. In this case, configure CAPWAP packets sent
  from an AP wired interface to carry the management VLAN tag. The AP then adds the
  management VLAN ID to the CAPWAP packets sent to the AC. You only need to
  configure the access device to allow the packets carrying the management VLAN ID to
  pass.
  For details, see 6.8.4 Configuring a Management VLAN on an AP.
• Configure service holding upon CAPWAP link disconnection.
  To mitigate the impact of link disconnections on users in direct forwarding mode and
  improve service reliability, you can configure the function of service holding upon
  CAPWAP link disconnection. To allow new users to access APs after CAPWAP link
  disconnection, you can configure the function of user access upon CAPWAP link
  disconnection. After the disconnected CAPWAP link is restored, the AP forces all the
  STAs that went online during CAPWAP link disconnection to go offline. The AP then
  reassociates with these STAs and reports STA information through logs. For Portal or
  MAC address authentication STAs, after the broken CAPWAP link is restored, the AP
  forces all these STAs to go offline and reports STA information through logs.
  For details, see 6.8.13 Configuring Service Holding upon CAPWAP Link
  Disconnection.
• Configure PoE parameters for an AP.
  PoE parameters include PoE power, parameters that are configured to allow high inrush
  current during power-on, and PoE standard used by the AP. For details, see 6.10
  Managing the PoE Function of an AP.
• Configure AP indicators.
  Blinking indicators of indoor APs deployed in hospitals and hotels may affect people's
  nighttime rest. Therefore, you can turn off AP indicators after APs are installed and run
  properly.
• Configure the alarm function on an AP.
  – You can configure alarm thresholds on an AP to monitor the AP in real time. When
    the configured thresholds are exceeded, the AP generates alarms or logs to notify
    the AC of AP status.
  – If a STA cannot go online because of a security type mismatch, UAC, or the access
    user upper limit being exceeded, the STA will automatically re-connect to the AP.
    During this period, the AP sends a large number of STA association failure alarms
    to the AC, which degrades the system performance.
    To solve this problem, enable alarm suppression for the AP. The AP then does not report
    alarms repeatedly in the alarm suppression period, preventing alarm storms.
  For details, see 6.8.8 Configuring the Alarm Function on an AP.
• Configure the log backup and log suppression functions on an AP.
  – Logs record user operations and system running information. After logs are backed
    up to a server, network administrators can summarize and analyze AP logs to learn
    the operations performed on APs for fault location.
    The device supports automatic log backup. After automatic log backup is
    configured, logs generated by an AP are automatically sent to the log server.
  – If a STA keeps attempting to connect to an AP because of signal interference or
    instability, the AP sends a large number of duplicate login and logout logs to the AC
    in a short period, causing a huge waste of resources.
    To address this problem, enable log suppression. The AP sends only one log about a
    user to the AC within the log suppression period.
  For details, see 6.8.9 Configuring the Log Backup and Log Suppression Functions
  on an AP.
• Configure LLDP on an AP.
  The Link Layer Discovery Protocol (LLDP) helps the NMS obtain detailed Layer 2
  information, such as the network topology, device interface status, and management
  address.
  After LLDP is configured on an AP, the AP can send LLDP packets carrying local
  system status information to directly connected neighbors and parse LLDP packets
  received from neighbors.
  For details, see 6.8.10 Configuring LLDP on an AP.
• Configure the effective scope of a STA blacklist or whitelist.
  If a STA blacklist or whitelist is applied to an AP system profile, the STA blacklist or
  whitelist takes effect on all APs using the AP system profile. For details, see 13.4.3
  Applying the Configuration to a VAP Profile or an AP System Profile.
• Configure some parameters for spectrum analysis.
  The parameters include the IP address and port number of a spectrum server and aging
  time of information about non-Wi-Fi devices on an AC during spectrum analysis. For
  details, see 8.6.1 Configuring Spectrum Analysis on an AC.

4.16 AP Wired Port Profile


An AP wired port profile provides configurations of AP wired ports. AP wired port link
profiles can be bound to AP wired port profiles. AP wired port link profiles are used to
configure link-layer parameters of AP wired ports. For details, see 6.9 Managing an AP's
Wired Interface.

The following configurations are performed in an AP wired port profile:


• Add an AP's wired port to an Eth-Trunk.
• Configure STP, working mode, and DHCP trusted port on an AP's wired port.
• Configure STA address learning, IP source guard, and dynamic ARP probing on an AP's
  wired port.
• Specify the maximum broadcast, multicast, and unknown unicast traffic allowed by an
  AP's wired port.
• Associate STP with the error-triggered shutdown function on an AP's wired port.
• Configure IGMP Snooping for an AP's wired port.

4.17 AP Wired Port Link Profile


An AP wired port link profile provides link layer configurations on an AP's wired port.

The following configurations are performed in an AP wired port link profile:


• Enable or disable an AP's wired port.
  Enable an AP's wired port before using the port. Disable the AP's wired port when a user
  connected to the AP's wired port attacks the network. For details, see 6.9 Managing an
  AP's Wired Interface.
• Configure LLDP and the types of advertised TLVs on an AP's wired port.
  You can obtain the network topology of an AP through LLDP. For details, see 6.8.10
  Configuring LLDP on an AP.
• Configure PoE for an AP's wired port.
  Some APs can function as PSE devices to supply PoE power for PDs. Configure PoE for
  an AP's wired port, so that the AP can provide PDs with PoE power through this port.
  For details, see 6.10 Managing the PoE Function of an AP.
• Configure the alarm function for CRC errors on an AP's wired port.
  For details, see 6.9 Managing an AP's Wired Interface.

4.18 WIDS Profile


WIDS profiles provide mechanisms to protect WLAN networks. WIDS profiles are bound to
AP groups or APs so that they can take effect. For details, see 11.6 Configuring Device
Detection and Containment and 11.7 Configuring Attack Detection and a Dynamic
Blacklist.

A WIDS profile supports the following functions:


• WIDS device detection and countering
  – APs detect Wi-Fi devices within their coverage range and determine whether they
    are authorized.
  – You can configure a WIDS spoof SSID profile and a WIDS whitelist profile to
    identify spoofing SSIDs and add the trusted devices to the whitelist. After
    configuring these profiles, you bind them to the WIDS profile.
  – Countermeasures are taken on the detected rogue device so that rogue STAs cannot
    access the network or authorized STAs do not access rogue APs.
• WIDS attack detection and dynamic blacklist
  – APs detect Wi-Fi devices on a network that launch attacks, including flood attacks,
    weak IV attacks, spoofing attacks, and brute force PSK cracking attacks.
  – After the dynamic blacklist function is enabled, attacking devices are added to the
    dynamic blacklist and packets from these devices are discarded.

4.19 WIDS Spoof SSID Profile


WLAN services are available in public places, such as banks and airports. Users can connect
to the WLANs after associating with corresponding SSIDs. If a rogue AP is deployed and
provides spoofing SSIDs similar to authorized SSIDs, the users may be misled and connect to
the rogue AP, which brings security risks. To address this problem, configure a fuzzy
matching rule to identify spoofing SSIDs. The device compares a detected SSID with the
matching rule. If the SSID matches the rule, the SSID is considered a spoofing SSID. The AP
using the spoofing SSID is a rogue AP. After rogue AP containment is configured, the device
contains the rogue AP and disconnects users from the spoofing SSID.

For the detailed configuration, see 11.6.5 (Optional) Configuring Fuzzy Matching Rules
for Identifying Spoofing SSIDs.

4.20 WIDS Whitelist Profile


After the rogue device containment function is enabled, rogue APs can be detected and
contained. However, there may be APs of other vendors or on other networks working in the
existing signal coverage areas. If these APs are contained, their services will be affected. To
prevent this situation, you can configure the WIDS whitelist profile to add these APs to a
WIDS whitelist which includes an authorized MAC address list, OUI list, and SSID list.

For the detailed configuration, see 11.6.6 (Optional) Configuring a WIDS Whitelist in the
Configuration-WLAN Security Configuration Guide.
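
The decision flow described in 4.19 and 4.20 can be sketched as follows. This is an added example, not code from this guide or from the device: it assumes that fuzzy matching rules are written as regular expressions and that the WIDS whitelist is evaluated before the spoof rules, and every SSID, MAC address, and OUI in it is constructed.

```python
import re
from dataclasses import dataclass, field


def norm_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class WidsPolicy:
    managed_bssids: set                         # BSSIDs of APs managed by the AC
    spoof_rules: list                           # fuzzy rules (regex syntax is an assumption)
    wl_macs: set = field(default_factory=set)   # WIDS whitelist: MAC address list
    wl_ouis: set = field(default_factory=set)   # WIDS whitelist: OUI list
    wl_ssids: set = field(default_factory=set)  # WIDS whitelist: SSID list

    def __post_init__(self):
        self.managed_bssids = {norm_mac(m) for m in self.managed_bssids}
        self.wl_macs = {norm_mac(m) for m in self.wl_macs}
        self.wl_ouis = {re.sub(r"[^0-9a-fA-F]", "", o).lower() for o in self.wl_ouis}
        self._rules = [re.compile(r, re.IGNORECASE) for r in self.spoof_rules]

    def matches_spoof_rule(self, ssid: str) -> bool:
        return any(rule.search(ssid) for rule in self._rules)


def classify(policy: WidsPolicy, bssid: str, ssid: str) -> str:
    """Classify one detected AP. The evaluation order is an assumption."""
    mac = norm_mac(bssid)
    if mac in policy.managed_bssids:
        return "authorized"      # one of our own APs
    if mac in policy.wl_macs or mac[:6] in policy.wl_ouis or ssid in policy.wl_ssids:
        return "whitelisted"     # neighbor AP that must not be contained
    if policy.matches_spoof_rule(ssid):
        return "spoof-ssid"      # look-alike SSID on an unknown AP: rogue
    return "unclassified"


def whitelist_conflicts(policy: WidsPolicy) -> list:
    """Whitelist SSID entries that also match a spoof rule (audit check)."""
    return sorted(s for s in policy.wl_ssids if policy.matches_spoof_rule(s))


# Constructed policy: the authorized SSID is "BankWiFi".
POLICY = WidsPolicy(
    managed_bssids={"02:00:00:00:00:01"},
    spoof_rules=[r"b[a4]nk.?w[i1]-?f[i1]"],
    wl_macs={"02:00:00:aa:00:10"},
    wl_ouis={"02-AB-CD"},
    wl_ssids={"CoffeeShop", "Bank_WiFi_Lobby"},
)

# Constructed scan results: (BSSID, SSID) pairs reported by monitoring APs.
SCAN = [
    ("02:00:00:00:00:01", "BankWiFi"),
    ("02:00:00:99:00:02", "BankWiFi"),
    ("02:00:00:99:00:03", "B4nk-W1F1"),
    ("02:ab:cd:12:34:56", "NeighborNet"),
    ("02:00:00:99:00:04", "Bank_WiFi_Lobby"),
    ("02:00:00:99:00:05", "HomeNet"),
]


def report():
    return [(bssid, ssid, classify(POLICY, bssid, ssid)) for bssid, ssid in SCAN]


if __name__ == "__main__":
    for row in report():
        print(*row)
    print("whitelist entries matching a spoof rule:", whitelist_conflicts(POLICY))
```

Under the assumed evaluation order, a whitelist SSID entry that also matches a spoof rule exempts any AP advertising that SSID from containment, so `whitelist_conflicts` is worth running whenever either list changes.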

4.21 Location Profile


A location profile is used to enable the WLAN location function and configure location server
parameters and the mode used by APs to report location information. For details, see 17 Wi-Fi
Tag Location Configuration, 19 Bluetooth Location Configuration and 18 Terminal
Location Configuration.

4.22 BLE Profile


• Bluetooth terminal location technology uses Bluetooth Low Energy (BLE) devices and a
  location system to locate Bluetooth terminals through the iBeacon protocol. An AP with
  a built-in Bluetooth module collects information about BLE devices and sends the
  information to a server through an AC. The server sends data about maps and BLE
  device locations to a Bluetooth terminal through an app server. The Bluetooth terminal
  then works with the location app to calculate its own location. Alternatively, the AP
  collects information carried in Bluetooth terminal location packets and sends the
  information to the AC or location server for server-side location.
• Bluetooth tag location technology uses Bluetooth tags and a location system to locate
  Bluetooth tags through the BLE protocol. An AP with a built-in Bluetooth module
  collects information about Bluetooth tags and sends the information to a location server
  to locate the Bluetooth tags. The AP also monitors battery power of Bluetooth tags and
  checks whether Bluetooth tags are disconnected.
• Bluetooth data transparent transmission technology is used to enable an AP with a
  built-in Bluetooth module to collect data from Bluetooth clients (such as Bluetooth
  thermometers, blood pressure monitors, and heart rate monitors) and upload the data to a
  server.

For the detailed configuration, see 19.6 Configuring Bluetooth Location.

4.23 WDS Profile


A WDS profile contains major parameters required for configuring the WDS function. To
enable radios of an AP group or a specified AP to set up WDS links, a WDS profile must be
applied to the radios.

When configuring WDS services, use the WDS profile with the following profiles:
• Security profile: After a security profile is bound to a WDS profile, parameters in the
  security profile will be used for WDS link setup to ensure security of WDS links. The
  WPA2+PSK+AES security policy is recommended for a WDS security profile.
• WDS whitelist profile: A WDS whitelist profile contains MAC addresses of neighboring
  APs allowed to set up WDS links with an AP. After a WDS whitelist profile is applied to
  an AP radio, only APs with MAC addresses in the whitelist can access the AP, and other
  APs are denied. In the WDS, only APs with radios working in root mode and middle
  mode can have a whitelist configured. APs in leaf mode require no whitelist.
  NOTE
  • A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the
    local AP only after passing security authentication.
  • If no WDS whitelist profile is used, all neighboring APs can access the local AP.
• AP group radio or AP radio: You can configure major feature parameters for radios in an
  AP group or a specified AP radio, including the working channel and bandwidth,
  antenna gain, transmit power, and radio coverage distance. For example, when
  configuring the WDS function, configure the same channel for radios of WDS APs.
• Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can
  configure other radio parameters for WDS links through a radio profile.
By default, the system provides the WDS profile default. By default, the security profile
default-wds with the security policy WPA2+PSK+AES and the security key huawei_secwds
is referenced by a WDS profile regardless of whether the WDS profile is the default profile
provided by the system or a WDS profile created by users. If the default security profile
default-wds is used, you are advised to change the security key of the profile to ensure
security.

4.24 WDS Whitelist Profile


A WDS whitelist profile contains MAC addresses of neighboring APs allowed to set up WDS
links with an AP. After a WDS whitelist profile is applied to an AP radio, only APs with
MAC addresses in the whitelist can access the AP, and other APs are denied. In the WDS,
only APs with radios working in root mode and middle mode can have a whitelist configured.
APs in leaf mode require no whitelist.

NOTE

• A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the local
  AP only after passing security authentication.
• If no WDS whitelist profile is used, all neighboring APs can access the local AP.

4.25 Mesh Profile


A Mesh profile contains major parameters required for configuring the Mesh function. To
enable radios of an AP group or a specified AP to set up Mesh links, a Mesh profile must be
applied to the radios.
When configuring Mesh services, use the Mesh profile with the following profiles:
• Security profile: After a security profile is bound to a Mesh profile, parameters in the
  security profile will be used for Mesh link setup to ensure security of Mesh links. The
  WPA2+PSK+AES security policy is recommended for a Mesh security profile.
  NOTE
  The security policy can be set to open system authentication only for the Mesh network in rail
  transportation scenarios.
• Mesh whitelist profile: A Mesh whitelist profile contains MAC addresses of neighboring
  APs allowed to set up Mesh links with an AP. After a Mesh whitelist profile is applied to
  an AP radio, only APs with MAC addresses in the whitelist can access the AP, and other
  APs are denied. On common Mesh networks, a Mesh whitelist must be configured for a
  Mesh node.
  NOTE
  • A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the
    local AP only after passing security authentication.
  • On a Mesh network where ATs are deployed, after FWA is enabled in a Mesh profile, you do not
    need to configure a Mesh whitelist for a Mesh node. All ATs are allowed to access the Mesh node.
• AP group radio or AP radio: You can configure major feature parameters for radios in an
  AP group or a specified AP radio, including the working channel and bandwidth,
  antenna gain, transmit power, and radio coverage distance. For example, when
  configuring the Mesh function, configure the same channel for radios of Mesh APs.
• Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can
  configure other radio parameters for Mesh links through a radio profile.
• AP wired port profile: The AP wired port profile is used to configure AP wired port
  parameters and Mesh roles. When configuring Mesh services, you need to configure AP
  wired port parameters according to actual situations, enabling the Mesh network to
  transmit user services. For example, if direct forwarding is used on a Mesh network, you
  need to configure wired ports of Mesh APs to allow service VLANs to pass through.
• Mesh handover profile: After a Mesh handover profile is bound to a Mesh profile, the
  Mesh profile can provide the fast Mesh link handover function and apply to train-ground
  communication scenarios. A Mesh handover profile and the FWA mode of a Mesh
  profile are mutually exclusive. A Mesh handover profile cannot be referenced by the
  Mesh profile in which the FWA mode is enabled.

By default, the system provides the Mesh profile default. Both the default Mesh profile
default and a self-defined Mesh profile have the security profile default-mesh referenced by
default. In the security profile default-mesh, the security policy is set to WPA2+PSK+AES
and the security key to huawei_secmesh. If the default security profile default-mesh is used,
you are advised to change the security key of the profile to ensure security.

4.26 Mesh Handover Profile


After a Mesh handover profile is bound to a Mesh profile, the Mesh profile can provide the
fast Mesh link handover function and apply to train-ground communication scenarios. A
Mesh handover profile and the FWA mode of a Mesh profile are mutually exclusive. A Mesh
handover profile cannot be referenced by the Mesh profile in which the FWA mode is
enabled.

4.27 Mesh Whitelist Profile


A Mesh whitelist profile contains MAC addresses of neighboring APs
allowed to set up Mesh links with an AP. After a Mesh whitelist profile is applied to an AP
radio, only APs with MAC addresses in the whitelist can access the AP, and other APs are
denied. On common Mesh networks, a Mesh whitelist must be configured for a Mesh node.

NOTE

• A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the local
  AP only after passing security authentication.
• On a Mesh network where ATs are deployed, after FWA is enabled in a Mesh profile, you do not need to
  configure a Mesh whitelist for a Mesh node. All ATs are allowed to access the Mesh node.

4.28 IoT Profile


An IoT profile provides the following communication parameters between an AP and a host
computer:

• Domain name, IP address and port number of the host computer:
  Before the AP reports data to the host computer, configure the IP address, domain name,
  and port number for the host computer. If these parameters are not configured, serial port
  data reported by the AP will be discarded.
• Host computer trusted by the AP:
  Configure a trusted host computer so that only hosts with specified IP addresses can
  communicate with the AP and deliver configurations, protecting the AP against attacks.
  If no trusted host computer is configured, other hosts can also deliver IoT card
  configurations to the AP.
• Shared key:
  To enhance communication security, you can configure a shared key for encrypting
  communication data between the AP and host computers. The shared key must be the
  same on the AP and host computers.
• Local port number:
  The port number identifies an IoT card slot and is used for the AP to communicate with
  host computers.

For details, see 25.5.4 Configuring Parameters for APs to Communicate with the Host
Computer in the Configuration - Healthcare IoT Solution.

4.29 WMI Profile


Wi-Fi networks are open and shared, and work on free wireless frequency bands. Therefore,
co-channel interference may easily occur in wireless environments, causing Wi-Fi network
instability. These always-changing factors make post-event backtracking difficult. To improve
troubleshooting efficiency, configure APs to report key performance indicators (KPIs) to a
WLAN Maintaining Insight (WMI) server for possible fault cause analysis. In addition, data
statistics are centrally collected for observing device and network trends and identifying
potential device and network faults.

The server to which APs report information is called WMI server. You can set parameters for
APs to report KPI information to the WMI server in the WMI profile.

For details, see 6.11 Configuring APs to Report KPIs in the AP Management Configuration
Guide.

4.30 AP Provisioning Profile


To facilitate maintenance and management, an AP provisioning profile is designed so that you
can run commands on a Fit AP after logging in to the Fit AP. You can also configure
parameters in an AP provisioning profile and manually deliver configurations to specified
APs or AP groups. For details, see 6.2 Configuring AP Online Parameters (AP
Provisioning View) or 6.4.6 Switching the Working Mode of an AP.

Parameters in an AP provisioning profile are configured for an AP to go online, including:

• The AP name, group to which an AP belongs, mode of obtaining an IP address, static IP
  address, gateway address, and AC IP address list.
• The running mode of the AP. Set the running mode of the AP to switch
  between the Fat AP and cloud AP modes.

4.31 Common Operations of Profiles

Copying Profiles
To improve configuration efficiency, you can copy configurations in one profile to another
profile and then modify specific parameters.
For example, if you need to copy the configurations in VAP profile b to VAP profile a, you
only need to run the copy-from profile-name command in VAP profile a. The detailed
procedure is as follows:
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name a
[HUAWEI-wlan-vap-prof-a] copy-from b

NOTE

• You can perform this operation only between profiles of the same type. For example, you can copy the
  configurations in a VAP profile to another VAP profile, but not to a radio profile.
• If a profile is bound to another profile, you cannot perform this operation in this profile. For example, if
  VAP profile a is bound to an AP group, you cannot perform this operation in VAP profile a.

Viewing Reference Information About a Profile


After configuring a profile, you can run the display references profile-type name profile-name
command to view the profiles to which it is bound. profile-type indicates the name of a
profile type. You can run the display references ? command in any view to list all available
profile-type values and their descriptions. For example, you can run the display references
radio-2g-profile name default command to view the profiles to which 2G radio profile
default is bound.

5 WLAN Service Configuration

5.1 Overview of WLAN


Definition
A wireless local area network (WLAN) is a network that uses high-frequency (2.4 GHz or 5
GHz) signals such as radio waves, lasers, and infrared rays to replace the traditional media
used for transmission on a wired LAN. WLAN technology described in this document is
implemented based on 802.11 standards.

802.11 was originally a wireless LAN communications standard defined by the Institute of
Electrical and Electronics Engineers (IEEE) in 1997. The IEEE then made amendments to the
standard, forming the 802.11 family, including 802.11, 802.11a, 802.11b, 802.11e, 802.11g,
802.11i, 802.11n and 802.11ac.

Purpose
WLAN technology allows you to easily access a wireless network and move around within
the coverage of the wireless network. Wired LANs use wired cables or optical fibers as
transmission media, which are expensive and have fixed locations. As further emphasis was
placed on network mobility, wired LANs were unable to meet users' requirements. This led to
the development of WLAN, which has become the most cost-efficient and convenient
network access mode.

Benefits
• High network mobility: WLANs are easily connected, and are not limited by cable and
  port positions. This makes WLANs great for scenarios where users are often moving,
  such as office buildings, airport halls, resorts, hotels, stadiums, and cafes.
• Flexible network deployment: WLANs provide wireless network coverage in places
  where cables are difficult to deploy, such as subways and highways. WLANs reduce the
  number of required cables, offer low-cost, easy deployment, and have high scalability.

5.2 Understanding WLAN

5.2.1 Concepts Related to WLAN

• Station (STA): a terminal that supports 802.11 standards, for example, a PC that has a
  wireless network interface card (NIC) or a mobile phone that supports WLAN, as shown
  in Figure 5-1.

Figure 5-1 Centralized architecture
[Diagram not reproduced. Labeled elements: STA, Fit AP, AP, AC, CAPWAP, RU, central AP.]

● Access controller (AC): a device that controls and manages all of the access points (APs)
on a WLAN in the centralized architecture. For example, an AC can connect to an
authentication server to authenticate STAs, as shown in Figure 5-1.
● Access point (AP): a device that provides 802.11-compliant wireless access for STAs.
APs connect wired networks to wireless networks.
– Fit AP: an AP that provides wireless access for STAs in the Fit AP architecture. A
Fit AP provides only reliable, high-performance wireless connections and depends
on an AC to provide other functions, as shown in Figure 5-1.
– Central AP: an AP that takes over some of an AC's work in the agile distributed
architecture to perform central management and collaboration of remote units
(RUs), such as STA going online, configuration delivery, and STA roaming between
RUs.
– Remote unit (RU): a remote radio module for a central AP in the agile distributed
architecture. An RU receives and sends 802.11 packets through the air interface, as
shown in Figure 5-1.
● Radio signal: a high-frequency electromagnetic wave that has long-distance transmission
capabilities. Radio signals provide transmission media for 802.11-compliant WLANs.
Radio signals described in this document are electromagnetic waves in the 2.4 GHz or 5
GHz frequency band.
● Control And Provisioning of Wireless Access Points (CAPWAP): an encapsulation and
transmission mechanism defined in RFC 5415. CAPWAP implements communication
between APs and ACs, as shown in Figure 5-1.
● Virtual access point (VAP): a WLAN service entity on an AP. You can create different
VAPs on an AP to provide wireless access service for different user groups.
● Service set identifier (SSID): a unique identifier that identifies a wireless network. When
you search for available wireless networks on your laptop, SSIDs are displayed to
identify the available wireless networks.
SSIDs are classified into two types:

– Basic service set identifier (BSSID): the link-layer MAC address of a VAP on an
AP. Figure 5-2 shows the relationship between VAP and BSSID.

Figure 5-2 Relationship between VAP and BSSID

[Figure: one AP provides two VAPs.
VAP1: SSID: guest, BSSID: 0025.9e45.24a0. STA1: "I join the guest network".
VAP2: SSID: internal, BSSID: 0025.9e45.24a9. STA2: "I join the internal network".]

– Extended service set identifier (ESSID): a chosen identifier for one or a group of
wireless networks. For example, in Figure 5-2, SSID guest identifies one wireless
network, and SSID internal identifies another wireless network. A STA scans all
wireless networks and selects a wireless network based on the SSID. In general
terms, an SSID refers to an ESSID.
NOTE

Multiple APs can use one ESSID to provide roaming service for users; however, their
BSSIDs must be unique because the MAC address of each AP is unique.
● Basic service set (BSS): an area covered by an AP. STAs in a BSS can communicate
with each other.
● Extended service set (ESS): a group of BSSs that share the same SSID.
Figure 5-3 shows the relationship between SSID, BSSID, BSS, and ESS.

Figure 5-3 Relationship between SSID, BSSID, BSS, and ESS

[Figure: one ESS containing two BSSs.
AP1: BSS with BSSID 0025.9e45.24a0, SSID="huawei".
AP2: BSS with BSSID 0025.9e45.3100, SSID="huawei".]

5.2.2 802.11 Standards

Introduction to 802.11
Figure 5-4 illustrates the role of 802.11 standards within the IEEE 802 standard family,
involving the physical layer and data link layer.

Figure 5-4 Role of 802.11 standards within the IEEE 802 standard family

[Figure: 802.1 (used for network management) is shown alongside the layers below.
Data link layer: 802.2 (logical link control layer) above the 802.3 MAC, 802.5 MAC, and 802.11 MAC.
Physical layer: 802.3 PHY; 802.5 PHY; and for 802.11: 802.11 FHSS/DSSS PHY, 802.11a OFDM PHY,
802.11b DSSS PHY, 802.11g DSSS/OFDM PHY, 802.11n OFDM/MIMO PHY, 802.11ac OFDM/MIMO PHY,
802.11ac wave2 OFDM/MU-MIMO PHY.]

● Physical Layer
The different 802.11 standards use different physical layer technologies, including
frequency hopping spread spectrum (FHSS), direct sequence spread spectrum (DSSS),
orthogonal frequency division multiplexing (OFDM), and multiple-input multiple-output
(MIMO). These physical layer technologies support different frequency bands and
transmission rates, as detailed in Table 5-1.

Table 5-1 Comparisons between 802.11 standards

| 802.11 Standard | Physical Layer Technology | Frequency Band (GHz) | Transmission Rate (Mbit/s) | Compatibility with Other 802.11 Standards | Commercial Use |
|---|---|---|---|---|---|
| 802.11 | FHSS/DSSS | 2.4 | 1 and 2 | Incompatible | Released in 1997, supported by most products |
| 802.11b | DSSS | 2.4 | 1, 2, 5.5, and 11 | Incompatible | Released in 1999, supported by most products |
| 802.11a | OFDM | 5 | 6, 9, 12, 18, 24, 36, 48, and 54 | Incompatible | Released in 1999, rarely used |
| 802.11g | DSSS/OFDM | 2.4 | 6, 9, 12, 18, 24, 36, 48, and 54 | Compatible with 802.11b | Released in 2003, widely used |
| 802.11n | OFDM/MIMO | 2.4, 5 | A maximum of 600 Mbit/s, depending on the modulation and coding scheme (MCS) | Compatible with 802.11a, 802.11b, and 802.11g | Released in 2009, widely used |
| 802.11ac | OFDM/MIMO | 5 | A maximum of 1300 Mbit/s in theory, depending on the MCS, spatial flow quantity, channel bandwidth, and guard interval (GI) length | Compatible with 802.11a and 802.11n | Released in 2013, widely used |
| 802.11ac wave2 | OFDM/MU-MIMO | 5 | A maximum of 6.9 Gbit/s in theory, depending on the MCS, spatial flow quantity, channel bandwidth, and guard interval (GI) length | Compatible with 802.11a, 802.11n and 802.11ac | Released in 2016, occasionally used |

● Data Link Layer
On a wired LAN, 802.3 standards use carrier sense multiple access with collision
detection (CSMA/CD) to control the wired media access of different devices. CSMA/CD
requires all terminals to detect each other's packets. However, CSMA/CD does not work
for WLANs. WLANs provide only limited wireless signal coverage, so some terminals
may fail to detect each other's packets.
To overcome the problems encountered with CSMA/CD, 802.11 standards use carrier
sense multiple access with collision avoidance (CSMA/CA).
NOTE

For details about CSMA/CA, see 10.2.1 WMM.

802.11 MAC Frame Format


An 802.11 MAC frame consists of a MAC header, frame body, and frame check sequence
(FCS). The settings of attribute fields in the MAC header determine the frame type. Figure
5-5 shows the 802.11 MAC frame format.

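Figure 5-5 802.11 MAC frame format

Frame fields in order (the MAC header runs from Frame Control through QoS Control):

| Field | Length |
|---|---|
| Frame Control | 2 bytes |
| Duration/ID | 2 bytes |
| Address 1 | 6 bytes |
| Address 2 | 6 bytes |
| Address 3 | 6 bytes |
| Sequence Control | 2 bytes |
| Address 4 | 6 bytes |
| QoS Control | 2 bytes |
| Frame Body | 0 - 2312 bytes |
| FCS | 4 bytes |

Frame Control sub-fields in order:

| Sub-field | Length |
|---|---|
| Protocol Version | 2 bits |
| Type | 2 bits |
| Subtype | 4 bits |
| To DS | 1 bit |
| From DS | 1 bit |
| More Frag | 1 bit |
| Retry | 1 bit |
| Pwr Mgmt | 1 bit |
| More Data | 1 bit |
| Protected Frame | 1 bit |
| Order | 1 bit |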

An 802.11 MAC frame has a maximum length of 2348 bytes. The following describes the
purpose of each field in an 802.11 MAC frame.
● Frame Control field: includes the following sub-fields:
– Protocol Version: indicates the MAC version of the frame. Currently, only MAC
version 0 is supported.
– Type/Subtype: identifies the frame type, such as data, control, and management
frames.
■ Data frame: transmits data packets. Data frames include a special type of frame, the Null
frame. A Null frame has a zero-length frame body. A STA can send a Null
frame to notify an AP of changes in the power-saving state.
NOTE
802.11 supports the power-saving mode, allowing STAs to shut down antennas to save
power when no data is being transmitted.
■ Control frame: helps transmit data frames, releases and obtains channels, and
acknowledges received data. Some common control frames include:
○ Acknowledgement (ACK) frame: After receiving a data frame, the
receiving STA will send an ACK frame to the sending STA to confirm the
receipt.
○ Request to Send (RTS) and Clear to Send (CTS) frames: These frames
provide a mechanism to reduce collisions for APs with hidden STAs. A
STA sends an RTS frame before sending data frames. The STA that
receives the RTS frame responds with a CTS frame. This mechanism is
used to release a channel and enable a sending STA to obtain data
transmission media.
■ Management frame: manages WLANs. Functions include notifying network
information, adding or removing STAs, and managing radio. Some common
management frames include:
○ Beacon frame: is periodically sent by an AP to announce the WLAN
presence and provide WLAN parameters, such as the SSID, rate, and
authentication type.
○ Association Request/Response frame: A STA sends an Association
Request frame to an AP to request to join a WLAN. After receiving the
Association Request frame, the AP sends an Association Response frame
to the STA to accept or reject the association request.
○ Disassociation frame: is sent from a STA to terminate association with an
AP.
○ Authentication Request/Response frame: is used in link authentication
between a STA and an AP for identity authentication.
○ Deauthentication frame: is sent from a STA to terminate link
authentication with an AP.
○ Probe Request/Response frame: A STA or an AP sends a Probe Request
frame to detect available WLANs. After another STA or AP receives the
Probe Request frame, it needs to reply with a Probe Response frame that
carries all of the parameters specified in a Beacon frame.
– To DS and From DS: indicates whether a data frame is destined for a distribution
system (or an AP). If both fields are set to 1, the data frame is transmitted between
APs.
– More Frag: indicates whether a packet is divided into multiple fragments for
transmission.
– Retry: indicates whether to retransmit a frame. This field helps eliminate duplicate
frames.
– Pwr Mgmt: indicates the desired power management mode of a STA after the
completion of a frame exchange, such as Active or Sleep mode.
– More Data: indicates that an AP transmits buffered packets to a STA in power-
saving mode.
– Protected Frame: indicates whether a frame is encrypted.
– Order: indicates whether a frame is transmitted in order.
● Duration/ID field: provides the following functions according to its values.
– Indicates the duration for which a STA can occupy a channel. This field is used for
CSMA/CA.
– Identifies a MAC frame transmitted during Contention-Free Period (CFP). The
value of this field is fixed as 32768, indicating that a STA keeps occupying a
channel and other STAs cannot use the channel.
– Specifies the Association ID (AID) of a PS-Poll frame, which identifies the BSS to
which a STA belongs. A STA may work in active or sleep mode. When a STA
works in sleep mode, an AP buffers data frames destined for the STA. When the
STA transitions from the sleep mode to the active mode, the STA sends a PS-Poll
frame to request the buffered data frames. After receiving the PS-Poll frame, the AP
delivers the requested data frames to the STA based on the AID in the PS-Poll
frame.
● Address field: transmits information about MAC addresses. An 802.11 frame can have
up to four address fields. The four address fields vary according to the values of the To
DS/From DS sub-field in the Frame Control field. For example, the values of the four
address fields are different when a frame is sent from a STA to an AP and when a frame
is sent from an AP to a STA. Table 5-2 describes the scenarios and rules for filling in the
four address fields.

Table 5-2 Rules for filling in the four address fields

| To DS | From DS | Address 1 | Address 2 | Address 3 | Address 4 | Description |
|---|---|---|---|---|---|---|
| 0 | 0 | Destination address | Source address | BSSID | Unused | The frame is a management or control frame, for example, a Beacon frame sent by an AP. |
| 0 | 1 | Destination address | BSSID | Source address | Unused | AP1 sends the frame to STA1 as shown in (1) in Figure 5-6. |
| 1 | 0 | BSSID | Source address | Destination address | Unused | STA2 sends the frame to AP1 as shown in (2) in Figure 5-6. |
| 1 | 1 | BSSID of the destination AP | BSSID of the source AP | Destination address | Source address | AP1 sends the frame to AP2 as shown in (3) in Figure 5-6. |

Figure 5-6 WLAN networking

[Figure elements: Internet, AC, AP1, AP2, STA1, STA2, STA3, STA4. Labelled frames:
(1) To DS=0; From DS=1
(2) To DS=1; From DS=0
(3) To DS=1; From DS=1]

● Sequence Control field: is used to eliminate duplicate frames and reassemble fragments.
It includes two sub-fields:
– Fragment Number: is used to reassemble fragments.
– Sequence Number: is used to eliminate duplicate frames. When a device receives an
802.11 MAC frame, it discards the frame if the Sequence Number field value is the
same as a previous frame.
● QoS Control field: exists only in a data frame to implement 802.11e-compliant WLAN
QoS.
● Frame Body field: transmits payload from higher layers. It is also called the data field. In
802.11 standards, the transmitted payload is also called a MAC service data unit
(MSDU).
● Frame Check Sequence (FCS) field: checks the integrity of received frames. The FCS
field is similar to the cyclic redundancy check (CRC) field in an Ethernet packet.
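
The following added example (not Huawei code) parses the MAC header of a management or data frame using the Figure 5-5 layout and the Table 5-2 address rules, verifies the FCS as a CRC-32, and flags data frames whose body is sent without the Protected Frame bit. The sample frames are constructed, the function names are this example's own, and control frames and the HT Control field, which this section does not describe, are not handled.

```python
import struct
import zlib

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
SUBTYPES = {
    0: {0: "association-request", 1: "association-response", 4: "probe-request",
        5: "probe-response", 8: "beacon", 10: "disassociation",
        11: "authentication", 12: "deauthentication"},
    2: {0: "data", 4: "null", 8: "qos-data", 12: "qos-null"},
}
# Frame Control flag bits 8..15, in the order shown in Figure 5-5.
FLAGS = ("to_ds", "from_ds", "more_frag", "retry",
         "pwr_mgmt", "more_data", "protected_frame", "order")
# Table 5-2: role of Address 1..4 for each (To DS, From DS) combination.
ADDRESS_ROLES = {
    (0, 0): ("destination", "source", "bssid", None),
    (0, 1): ("destination", "bssid", "source", None),
    (1, 0): ("bssid", "source", "destination", None),
    (1, 1): ("bssid_of_destination_ap", "bssid_of_source_ap", "destination", "source"),
}


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Parse a management or data frame that ends with its 4-byte FCS."""
    if len(frame) < 28:
        raise ValueError("shorter than a 24-byte header plus FCS")
    body, fcs = frame[:-4], frame[-4:]
    fc, duration_id = struct.unpack_from("<HH", body, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype not in (0, 2):
        raise ValueError("control/reserved frames use a different header layout")
    flags = {name: (fc >> bit) & 1 for bit, name in enumerate(FLAGS, start=8)}
    four_addr = bool(flags["to_ds"] and flags["from_ds"])   # Address 4 present
    has_qos = ftype == 2 and bool(subtype & 0x8)            # QoS data subtypes only
    header_len = 24 + (6 if four_addr else 0) + (2 if has_qos else 0)
    if len(body) < header_len:
        raise ValueError("header is truncated")
    raw_addrs = [body[4:10], body[10:16], body[16:22]]
    if four_addr:
        raw_addrs.append(body[24:30])
    seq_ctl = struct.unpack_from("<H", body, 22)[0]
    qos = struct.unpack_from("<H", body, header_len - 2)[0] if has_qos else None
    payload = body[header_len:]
    roles = ADDRESS_ROLES[(flags["to_ds"], flags["from_ds"])]
    addresses = {r: fmt_mac(a) for r, a in zip(roles, raw_addrs) if r}
    # The FCS is a CRC-32 over header and body, sent least significant byte first.
    fcs_ok = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == fcs
    findings = []
    if not fcs_ok:
        findings.append("FCS mismatch")
    if ftype == 2 and payload and not flags["protected_frame"]:
        findings.append("unencrypted data frame body")
    return {
        "type": FRAME_TYPES[ftype],
        "subtype": SUBTYPES[ftype].get(subtype, f"subtype-{subtype}"),
        "flags": flags, "duration_id": duration_id, "addresses": addresses,
        "fragment_number": seq_ctl & 0xF, "sequence_number": seq_ctl >> 4,
        "qos_control": qos, "payload": payload,
        "fcs_ok": fcs_ok, "findings": findings,
    }


def build_frame(fc, addrs, payload=b"", seq=0, frag=0, qos=None):
    """Build a constructed sample frame; used only to feed the parser."""
    hdr = struct.pack("<HH", fc, 0) + b"".join(addrs[:3])
    hdr += struct.pack("<H", (seq << 4) | frag)
    if len(addrs) == 4:
        hdr += addrs[3]
    if qos is not None:
        hdr += struct.pack("<H", qos)
    body = hdr + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


# Constructed sample data. The BSSIDs reuse the values shown in Figure 5-3;
# the STA and gateway addresses are made up (locally administered).
AP1_BSSID = bytes.fromhex("00259e4524a0")
AP2_BSSID = bytes.fromhex("00259e453100")
STA = bytes.fromhex("020000000001")
GATEWAY = bytes.fromhex("020000000fff")
BROADCAST = b"\xff" * 6

BEACON = build_frame(0x0080, [BROADCAST, AP1_BSSID, AP1_BSSID], b"\x00" * 12)
UPLINK = build_frame(0x0108, [AP1_BSSID, STA, GATEWAY], b"constructed-cleartext", seq=7)
WDS = build_frame(0x4388, [AP2_BSSID, AP1_BSSID, GATEWAY, STA], b"\xaa" * 8,
                  seq=9, frag=1, qos=0)

if __name__ == "__main__":
    for name, raw in (("beacon", BEACON), ("uplink", UPLINK), ("ap-to-ap", WDS)):
        info = parse_frame(raw)
        print(name, info["type"], info["subtype"], info["addresses"], info["findings"])
```
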

5.2.3 WLAN Architecture


A WLAN has a wired side and a wireless side. On the wired side, an AP connects to the
Internet using Ethernet. On the wireless side, a STA communicates with an AP using 802.11
standards. The WLAN architecture on the wireless side is the centralized architecture.
The centralized architecture includes the Fit AP architecture and the agile distributed
architecture.

Fit AP Architecture
In Fit AP architecture, an AC manages and controls multiple APs (Fit APs) in a centralized
manner, as shown in Figure 5-7.

Figure 5-7 Fit AP architecture

[Figure elements: STAs, Fit APs, CAPWAP, AC, campus network, DNS server, DHCP server, NMS,
campus egress gateway, Internet]

In Fit AP architecture, APs work together with an AC to implement wireless access.


● The AC implements all security, control, and management functions. These functions
include mobile user management, identity authentication, VLAN assignment, radio
management, and data forwarding.
● Fit APs implement wireless radio access, including radio signal transmission and
detection response, data encryption and decryption, and data transmission
acknowledgment.
● The AC and APs communicate using Control and Provisioning of Wireless Access
Points (CAPWAP). They can be connected across a Layer 2 or Layer 3 network.

In centralized architecture, wireless access involves the following operations:


1. Fit APs establish CAPWAP tunnels with an AC. For details, see 5.2.4 AP Online
Process.
2. STAs associate with a Fit AP. For details, see 5.2.6 STA Access.

Agile Distributed Architecture


In agile distributed architecture, an AC manages and controls multiple central APs in a
centralized manner, and each central AP manages and controls RUs, as shown in Figure 5-8.
NOTE
A central AP cannot be cascaded with another central AP for extending the network.

Figure 5-8 Agile distributed architecture

[Figure elements: STAs, RUs, central APs, AC, campus network, DNS server, DHCP server, NMS,
campus egress gateway, Internet]

In agile distributed architecture, RUs, central APs, and ACs work together to implement
wireless access.
● The AC implements all security, control, and management functions. These functions
include mobile user management, identity authentication, VLAN assignment, radio
management, and data forwarding.
● RUs are connected to a central AP, and receive and send 802.11 packets through the air
interface. A central AP takes over some of an AC's work to perform central management
and collaboration of RUs, such as STA going online, configuration delivery, and STA
roaming between RUs.
● The AC and central APs, and central APs and RUs, communicate using CAPWAP.
For the AD9431DN-24X, in tunnel forwarding mode, RUs set up CAPWAP tunnels with
the AC. The AC and central APs are connected across a Layer 2 or Layer 3 network, and
central APs and RUs are connected across a Layer 2 network.

Wireless access includes the following steps:


1. Central AP going online: Central APs set up CAPWAP tunnels with an AC. For details,
see 5.2.4 AP Online Process.
2. RUs going online:
– When RUs are connected to an AD9430DN-12 or AD9430DN-24, they set up
CAPWAP tunnels with the central AP. For details, see 5.2.5 RU Online Process.
– When RUs are connected to an AD9431DN-24X: In tunnel forwarding mode, the
RUs set up CAPWAP tunnels with the AC; in direct forwarding mode, services are
forwarded directly at Layer 2, without the CAPWAP tunnel. For details, see 5.2.5
RU Online Process.
3. STA access: STAs associate with a central AP or RU. For details, see 5.2.6 STA Access.

5.2.4 AP Online Process

In centralized architecture, Fit APs need to go online before being managed and controlled by
an AC. AP login includes the following steps:
1. IP Address Allocation
2. CAPWAP Tunnel Establishment
3. AP Access Control
4. AP Software Upgrade
5. CAPWAP Tunnel Maintenance
6. AC Configuration Delivery

IP Address Allocation
An AP obtains an IP address through any of the following modes:
● Static mode: An IP address is manually configured for the AP.
● DHCP mode: The AP functions as a DHCP client and requests an IP address from a
DHCP server.

CAPWAP Tunnel Establishment


The AC manages and controls APs in a centralized manner through Control and Provisioning
of Wireless Access Points (CAPWAP) tunnels. CAPWAP tunnels provide the following
functions:
● Maintain the running status of APs and the AC.
● Help the AC manage APs and deliver configurations to APs.
● Transmit service data to the AC for centralized forwarding.
Figure 5-9 shows the process of establishing a CAPWAP tunnel.

Figure 5-9 CAPWAP tunnel establishment process

[Figure: message sequence between the AP and the AC: Discovery Request, Discovery Response, DTLS]

The process of establishing a CAPWAP tunnel is as follows:


1. An AP sends a Discovery Request packet to find an available AC. (Discovery Phase)
NOTE

In Discovery phase, the AC determines whether to permit access from an AP based on the Discovery
Request packet that the AP sends and will not respond to Discovery Request packets of APs not
permitted for access. The process is similar to Figure 5-10.
An AP can discover an AC in static or dynamic mode.
– Static mode
An AC IP address list is preconfigured on the AP. When the AP goes online, the AP
unicasts a Discovery Request packet to each AC whose IP address is specified in
the preconfigured AC IP address list. After receiving the Discovery Request packet,
the ACs send Discovery Response packets to the AP. The AP then selects an AC to
establish a CAPWAP tunnel according to the received Discovery Response packets.
– Dynamic mode
An AP can dynamically discover an AC in DHCP, DNS, or broadcast mode. Details
on each of the modes are as follows:
■ DHCP mode: An AP obtains the AC IP address through DHCP (by
configuring a DHCP response packet to carry Option 43 containing the AC IP
address list on the DHCP server), and sends a Discovery Request unicast
packet to the AC. The AC then sends a Discovery Response packet to the AP.
■ DNS mode: An AP obtains the AC domain name and DNS server IP address
through the DHCP service (by configuring a DHCP response packet to carry
Option 15 containing the AC domain name on the DHCP server), and sends a
request to the DNS server to obtain the IP address corresponding to the AC
domain name. After obtaining the AC IP address, the AP unicasts a Discovery
Request packet to the AC. The AC then sends a Discovery Response packet to
the AP.
After receiving the DHCP Response packet, the AP obtains the AC domain
name carried in Option 15. The AP then automatically adds the prefix
huawei-wlan-controller to the obtained domain name and sends it to the DNS
server to obtain the IP address corresponding to the AC domain name. For example,
after obtaining the AC domain name ac.test.com configured on the DHCP
server, the AP adds the prefix huawei-wlan-controller to ac.test.com and
sends huawei-wlan-controller.ac.test.com to the DNS server for
resolution. The IP address corresponding to
huawei-wlan-controller.ac.test.com must be configured on the DNS server.
■ Broadcast mode: An AP broadcasts a Discovery Request packet to
automatically discover an AC in the same network segment and then selects an
AC to establish a CAPWAP tunnel according to the Discovery Response
packets received from available ACs. The broadcast mode is used when the
following conditions are met:
○ No AC IP address list is configured on the AP.
○ The AP sends unicast Discovery Request packets 10 consecutive
times but does not receive any Discovery Response packet. Dual-Link
Cold Backup is not configured on the AP.
○ The AP sends unicast Discovery Request packets 10 consecutive
times but does not receive any Discovery Response packet. Dual-Link
Cold Backup is configured on the AP and the AP discovers an AC to
establish the active link.
NOTE
If an AP does not receive any Discovery Response packet after sending unicast Discovery
Request packets ten consecutive times, and Dual-Link Cold Backup is configured on
the AP, the AP does not broadcast a Discovery Request packet to discover an AC to
establish the standby link. Instead, the AP keeps sending unicast Discovery Request
packets.
2. The AP establishes CAPWAP tunnels with an AC.
CAPWAP tunnels include data tunnels and control tunnels.
– Data tunnel: transmits service data packets from the AP to the AC for centralized
forwarding.
– Control tunnel: transmits control packets between the AP and AC. You can also
enable Datagram Transport Layer Security (DTLS) encryption over the control
tunnel to ensure security of CAPWAP control packets. Subsequently, CAPWAP
control packets will be encrypted and decrypted using DTLS.
NOTE

For details about the setup of active and standby CAPWAP links, see 22.2 Understanding Dual-Link
Cold Backup.

AP Access Control
The AP sends a Join Request packet to an AC. The AC then determines whether to allow the
AP access and sends a Join Response packet to the AP. The Join Response packet carries the
AP software upgrade mode and AP version information.

Figure 5-10 shows a flowchart depicting the process for AP access control.

Figure 5-10 AP access control flowchart

[Flowchart:
1. Start. Is the MAC address or SN of the AP in the blacklist?
   Yes: Prohibit the AP from going online.
   No: Check the AP authentication mode.
2. Non-authentication: AP goes online.
3. MAC authentication: Is the AP with the specified MAC address added offline?
   Yes: AP goes online.
   No: Is the AP with the specified MAC address in the whitelist?
       Yes: AP goes online.
       No: Add the AP to list of unauthenticated APs.
4. SN authentication: Is the AP with the specified SN added offline?
   Yes: AP goes online.
   No: Is the AP with the specified SN in the whitelist?
       Yes: AP goes online.
       No: Add the AP to list of unauthenticated APs.
5. List of unauthenticated APs: Manually confirm the AP (entering the MAC or SN). AP goes online.]

AP Software Upgrade
The AP determines whether its system software version is the same as that specified on the
AC according to parameters in the received Join Response packet. If the two versions are
different, the AP updates its software version in AC, FTP, or SFTP mode.

After the software version is updated, the AP restarts and repeats steps 1 to 3.

CAPWAP Tunnel Maintenance


The AP and AC exchange Keepalive (UDP port 5247) packets to monitor the data tunnel
connectivity.

The AP and AC exchange Echo (UDP port 5246) packets to monitor the control tunnel
connectivity.

AC Configuration Delivery
The AC sends a Configuration Update Request packet to the AP, which then replies with a
Configuration Update Response packet. The AC then delivers service configuration to the AP.

5.2.5 RU Online Process


An agile distributed WLAN is composed of an AC, a central AP, and RUs. The AC centrally
manages the central AP and RUs. The central AP and its connected RUs must be reachable at
Layer 2. RUs are connected to a central AP, and receive and send 802.11 packets through the
air interface. A central AP takes over some of an AC's work to perform central management
and collaboration of RUs, such as STA going online, configuration delivery, and STA roaming
between RUs. The central AP and RUs need to go online before being managed and
controlled by the AC.
See 5.2.4 AP Online Process for the online process of the central AP.
The RU online process includes the following steps:
1. IP Address Allocation
2. CAPWAP Tunnel Establishment
3. CAPWAP Tunnel Maintenance
4. RU Access Control
5. RU Software Upgrade
6. AC Configuration Delivery

IP Address Allocation
An RU obtains an IP address in any of the following modes:
● Static mode: An IP address is manually configured for an RU. CAPWAP packets
between the central AP and RUs are forwarded at Layer 2 and are independent of IP
addresses on an agile distributed WLAN. Therefore, the configuration of a static IP
address does not affect the RU going online. Ensure that a route is reachable between the
IP address of the RU and the central AP source address. Otherwise, services involving IP
addresses may be affected, for example, Telnet.
● DHCP mode: An RU functions as a DHCP client and requests an IP address from a
DHCP server.

CAPWAP Tunnel Establishment


The AC manages and controls RUs in a centralized manner through Control and Provisioning
of Wireless Access Points (CAPWAP) tunnels. CAPWAP tunnels provide the following
functions:
● Maintain connectivity states between the AC and RUs.
● Help the AC to manage and deliver configurations to RUs.
● Transmit service data to the AC for centralized forwarding.
Management packets between the AC and RUs are transmitted through CAPWAP control
tunnels between them. A CAPWAP control tunnel between an RU and AC consists of the
CAPWAP control tunnel between the AC and central AP associated with the RU and that
between the RU and central AP.
● See 5.2.4 AP Online Process for the process of establishing a CAPWAP control tunnel
between the AC and central AP.
● See Figure 5-11 for the process of establishing a CAPWAP control tunnel between the
central AP and RU.

Figure 5-11 CAPWAP tunnel establishment between the central AP and RUs

[Figure: message sequence between the RU and the central AP: Discovery Request, Discovery Response, DTLS]

The process of establishing a CAPWAP tunnel is as follows:


1. An RU sends a Discovery Request packet to find a central AP. (Discovery Phase)
NOTE

In Discovery phase, the central AP determines whether to permit access from an RU based on the
Discovery Request packet that the RU sends and will not respond to Discovery Request packets of RUs
not permitted for access. The process is similar to Figure 5-12.
An RU can discover a central AP in either of the following two modes.
– When no IP address list of central APs is configured on an RU or an RU does not
receive any Discovery Response packet after sending unicast Discovery Request
packets ten consecutive times, the RU broadcasts Discovery Request packets to
automatically discover a central AP in the same network segment and then selects a
central AP to establish a CAPWAP tunnel according to the returned Discovery
Response packets.
– A static IP address list of central APs is preconfigured on an RU. When the RU
goes online, it sends a unicast Discovery Request packet to each central AP whose
IP address is specified in the IP address list. After receiving the Discovery Request
packet, the central APs return Discovery Response packets to the RU. The RU then
selects a central AP to establish a CAPWAP tunnel.
2. The RU establishes a CAPWAP tunnel with a central AP.
CAPWAP tunnels include data tunnels and control tunnels.
– Data tunnel: transmits service data from the RU to an AC for centralized
forwarding.
– Control tunnel: transmits control packets between the RU and central AP or
between the RU and AC. You can choose to enable datagram transport layer
security (DTLS) encryption over the control tunnel to ensure security of CAPWAP
control packets. Subsequently, all CAPWAP control packets will be encrypted and
decrypted through DTLS, ensuring integrity and privacy of the CAPWAP control
packets.

CAPWAP Tunnel Maintenance


For the AD9430DN-12 and AD9430DN-24, the RU and central AP exchange Keepalive
packets to detect the data tunnel connectivity. For the AD9431DN-24X, the RU and AC
exchange Keepalive packets to detect the data tunnel connectivity.
The RU and central AP exchange Echo packets to detect the control tunnel connectivity.

RU Access Control
When an RU requests to access the AC, the central AP sends an Authentication Request
packet to the AC. The AC then determines whether to allow the RU access and returns an
Authentication Response packet to the AP. The Authentication Response packet carries the
RU software upgrade mode and RU version.
Figure 5-12 shows a flowchart depicting the process for RU access control.

Figure 5-12 RU access control flowchart

[Flowchart:
1. Start. Is the MAC address or SN of the RU in the blacklist?
   Yes: Forbid the RU to go online.
   No: Check the RU authentication mode.
2. Non-authentication: RU goes online.
3. MAC authentication: Is the MAC address of the RU added offline?
   Yes: RU goes online.
   No: Is the MAC address of the RU in the whitelist?
       Yes: RU goes online.
       No: Add the RU to the list of unauthenticated RUs.
4. SN authentication: Is the SN of the RU added offline?
   Yes: RU goes online.
   No: Is the SN of the RU in the whitelist?
       Yes: RU goes online.
       No: Add the RU to the list of unauthenticated RUs.
5. List of unauthenticated RUs: Manually confirm the RU (enter the MAC address or SN). RU goes online.]
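
The decision order shared by Figure 5-10 (AP access control) and Figure 5-12 (RU access control) can be written as a small policy evaluator, which makes it easy to check what a given blacklist, whitelist, and authentication mode will admit. This is an added example, not Huawei's implementation: the class and function names, the sample MAC addresses and SNs, and the rule that a manual confirmation is remembered for later requests are assumptions of the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class AuthMode(Enum):
    NO_AUTH = "non-authentication"
    MAC_AUTH = "MAC authentication"
    SN_AUTH = "SN authentication"


class Decision(Enum):
    ONLINE = "goes online"
    PROHIBITED = "prohibited from going online"
    PENDING = "in the unauthenticated list, awaiting manual confirmation"


def norm_mac(mac):
    """Reduce 0025.9e45.24a0, 00:25:9E:45:24:A0 and 00-25-9e-45-24-a0 to one form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class AccessPolicy:
    auth_mode: AuthMode
    blacklist_macs: set = field(default_factory=set)
    blacklist_sns: set = field(default_factory=set)
    added_offline: set = field(default_factory=set)    # MACs or SNs, per auth mode
    whitelist: set = field(default_factory=set)        # MACs or SNs, per auth mode
    unauthenticated: set = field(default_factory=set)
    confirmed: set = field(default_factory=set)        # assumption: confirmations persist

    def __post_init__(self):
        # Store MAC addresses in one notation so that lookups cannot miss on format.
        self.blacklist_macs = {norm_mac(m) for m in self.blacklist_macs}
        if self.auth_mode is AuthMode.MAC_AUTH:
            self.added_offline = {norm_mac(m) for m in self.added_offline}
            self.whitelist = {norm_mac(m) for m in self.whitelist}

    def _key(self, identifier):
        return norm_mac(identifier) if self.auth_mode is AuthMode.MAC_AUTH else identifier

    def evaluate(self, mac, sn):
        """Apply the flowchart to one device that requests access."""
        # The blacklist is checked first, for every authentication mode.
        if norm_mac(mac) in self.blacklist_macs or sn in self.blacklist_sns:
            return Decision.PROHIBITED
        if self.auth_mode is AuthMode.NO_AUTH:
            return Decision.ONLINE
        key = self._key(mac if self.auth_mode is AuthMode.MAC_AUTH else sn)
        if key in self.added_offline or key in self.whitelist or key in self.confirmed:
            return Decision.ONLINE
        self.unauthenticated.add(key)
        return Decision.PENDING

    def confirm(self, identifier):
        """Manual confirmation of a device in the unauthenticated list."""
        key = self._key(identifier)
        if key not in self.unauthenticated:
            raise KeyError(f"{identifier!r} is not awaiting confirmation")
        self.unauthenticated.discard(key)
        self.confirmed.add(key)
        return Decision.ONLINE


def demo():
    """Constructed sample: MAC authentication with entries in mixed notations."""
    policy = AccessPolicy(
        AuthMode.MAC_AUTH,
        blacklist_macs={"0025.9e45.3100"},
        added_offline={"00:25:9E:45:24:A0"},
        whitelist={"00-25-9e-45-24-a9"},
    )
    requests = [("0025.9e45.3100", "SN-CONSTRUCTED-0001"),
                ("0025.9e45.24a0", "SN-CONSTRUCTED-0002"),
                ("0025.9e45.24a9", "SN-CONSTRUCTED-0003"),
                ("0200.0000.0001", "SN-CONSTRUCTED-0004")]
    return [policy.evaluate(mac, sn) for mac, sn in requests]


if __name__ == "__main__":
    for decision in demo():
        print(decision.value)
```
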

RU Software Upgrade
The RU determines whether its system software version is the same as that specified on the
AC according to parameters in the received Authentication Response packet.


• If so, the RU goes to the next stage.
• If not, the RU upgrades its version in the upgrade mode carried in the Authentication
Response packets. The upgrade mode includes the AC mode, FTP mode, and SFTP
mode.
After the software version is updated, the RU restarts and repeats the preceding steps.

AC Configuration Delivery
The AC sends a Configuration Update Request packet to the central AP, which then replies
with a Configuration Update Response packet. The AC then delivers service configurations of
RUs to the central AP, and the central AP delivers the service configurations to the RUs.

5.2.6 STA Access

STAs can access wireless networks after APs are logged in and CAPWAP tunnels are
established. STA access involves the following steps:
• Scanning
• Link authentication
• Association

STA access depends on the number of access users supported by the AC and a single AP.
• If the number of STAs associated with an AP reaches the maximum limit of the AP but
not the maximum limit of the AC, a new STA cannot connect to the current AP.
However, the STA can associate with another AP on the network.
• If the number of STAs associated with an AP reaches the maximum limit of the AC, a
new STA cannot access the WLAN even though the maximum limit of the AP is not
reached.
• If the number of STAs associated with an AP does not reach the maximum limit of the
AP or AC, a new STA can access the WLAN.

Scanning
The STA scanning stage is similar for Fit AP and agile distributed architectures. The only
difference is that STAs scan different objects: APs in Fit AP architecture and RUs in agile
distributed architecture.

A STA can actively or passively scan wireless networks.

Active Scanning

In active scanning, a STA periodically searches for nearby wireless networks. The STA can
send two types of Probe Request frames: probes containing an SSID and probes that do not
contain an SSID.
• Probes containing an SSID: The STA sends a Probe Request frame containing an SSID
in each channel to search for the AP with the same SSID. Only the AP with the same
SSID will respond to the STA. For example, in Figure 5-13, the STA sends a Probe
Request frame containing the SSID huawei to search for an AP with the SSID huawei.


Figure 5-13 Active scanning by sending a Probe Request frame containing an SSID

[Figure: the STA sends a Probe Request (SSID=huawei) frame; AP1 (SSID=huawei) returns a Probe
Response frame.]

This method applies to the scenario where a STA actively scans wireless networks to
access a specified wireless network.
• Probes that do not contain an SSID: The STA periodically broadcasts a Probe Request
frame that does not contain an SSID in the supported channels as shown in Figure 5-14.
The APs return Probe Response frames to notify the STA of the wireless services they
can provide.

Figure 5-14 Active scanning by sending a Probe Request frame containing no SSID

[Figure: the STA sends Probe Request (SSID=Null) frames toward AP1 and APn; a Probe Response
frame is returned.]

This method applies to the scenario where a STA actively scans wireless networks to
determine whether wireless services are available.
Passive Scanning
When passive scanning is enabled, a STA listens on the Beacon frames that an AP
periodically sends in each channel to obtain AP information, as shown in Figure 5-15. A
Beacon frame contains information including the SSID and supported rate.


Figure 5-15 Passive scanning process

[Figure: the AP sends Beacon frames to STA1 and STA2.]

To conserve power, enable the STA to passively scan wireless networks. In most cases, VoIP
terminals passively scan wireless networks.

Link Authentication
The link authentication stage is similar for Fit AP and agile distributed architectures. The only
difference is that different objects authenticate STAs: APs in Fit AP architecture and RUs in
agile distributed architecture.
To ensure wireless link security, an AP needs to authenticate STAs that attempt to access the
AP. IEEE 802.11 defines two authentication modes: open system authentication and shared
key authentication.
• Open system authentication requires no authentication. STAs that attempt to access the
AP are successfully authenticated as long as the AP supports this mode. An illustration
of the open system authentication procedure is shown in Figure 5-16.

Figure 5-16 Open system authentication

[Figure: the STA sends an Authentication Request to the AP; the AP returns an Authentication
Response.]

• Shared key authentication requires that the STA and AP have the same shared key
preconfigured. The AP checks whether the STA has the same shared key to determine
whether the STA can be authenticated. If the STA has the same shared key as the AP, the
STA is authenticated. Otherwise, STA authentication fails. Figure 5-17 shows the shared
key authentication process.


Figure 5-17 Shared key authentication

[Figure: message sequence between the STA and AP. 1: Authentication Request; 2: Authentication
Response (Challenge); 3: Authentication Response (EncryptedChallenge); 4: Authentication
Response (Success).]

The shared key authentication process consists of the following steps:


a. The STA sends an Authentication Request packet to the AP.
b. The AP generates a challenge and sends it to the STA.
c. The STA uses the preconfigured key to encrypt the challenge and sends it to the AP.
d. The AP uses the preconfigured key to decrypt the encrypted challenge and
compares the decrypted challenge with the challenge sent to the STA. If the two
challenges are the same, the STA is authenticated. Otherwise, STA authentication
fails.
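
Steps a to d above with both sides of the exchange, as an added example (not Huawei code). It uses RC4 keyed with IV plus shared key, the WEP construction on which IEEE 802.11 shared key authentication is built; the class names, the 128-byte challenge, the constructed key, and the omission of the WEP integrity check value are assumptions of this sketch.

```python
import hmac
import secrets

CHALLENGE_LEN = 128   # bytes of random challenge text (assumption of this sketch)
IV_LEN = 3            # WEP initialisation vector length in bytes


def rc4(key, data):
    """RC4 stream cipher; encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


class AccessPoint:
    def __init__(self, shared_key):
        self._key = shared_key
        self._pending = {}                    # STA MAC -> outstanding challenge

    def handle_auth_request(self, sta_mac):
        """Step b: generate a fresh challenge and remember it for this STA."""
        challenge = secrets.token_bytes(CHALLENGE_LEN)
        self._pending[sta_mac] = challenge
        return challenge

    def handle_encrypted_challenge(self, sta_mac, iv, ciphertext):
        """Step d: decrypt with the preconfigured key and compare."""
        challenge = self._pending.pop(sta_mac, None)   # each challenge is single-use
        if challenge is None or len(iv) != IV_LEN:
            return False
        decrypted = rc4(iv + self._key, ciphertext)
        return hmac.compare_digest(decrypted, challenge)   # constant-time compare


class Station:
    def __init__(self, mac, shared_key):
        self.mac = mac
        self._key = shared_key

    def encrypt_challenge(self, challenge):
        """Step c: encrypt the challenge with the preconfigured key."""
        iv = secrets.token_bytes(IV_LEN)
        return iv, rc4(iv + self._key, challenge)


def shared_key_authentication(sta, ap):
    """Run the four-message exchange; return (authenticated, transcript)."""
    transcript = ["1 STA->AP Authentication Request"]
    challenge = ap.handle_auth_request(sta.mac)
    transcript.append(f"2 AP->STA Authentication Response (Challenge, {len(challenge)} bytes)")
    iv, ciphertext = sta.encrypt_challenge(challenge)
    transcript.append(f"3 STA->AP Authentication Response (EncryptedChallenge, IV {iv.hex()})")
    ok = ap.handle_encrypted_challenge(sta.mac, iv, ciphertext)
    transcript.append(f"4 AP->STA Authentication Response ({'Success' if ok else 'Failure'})")
    return ok, transcript


KEY = b"constructed-k"   # constructed 13-byte key, for illustration only

if __name__ == "__main__":
    ap = AccessPoint(KEY)
    for sta in (Station("00e0-fc00-0a01", KEY), Station("00e0-fc00-0a02", b"wrong-key-000")):
        ok, transcript = shared_key_authentication(sta, ap)
        print("\n".join(transcript))
```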

Association
Client association is also known as link negotiation. After link authentication is complete, a
STA initiates link negotiation using Association packets, as shown in Figure 5-18 in Fit AP
architecture and Figure 5-19 and Figure 5-20 in agile distributed architecture.

Figure 5-18 STA association in Fit AP architecture

[Figure: message sequence among the STA, AP, and AC. 1: Association Request; 2: Association
Request; 3: Association Response; 4: Association Response.]

• STA association in Fit AP architecture consists of the following steps:


a. The STA sends an Association Request packet to the AP. The Association Request
packet carries the STA's parameters and the parameters that the STA selects
according to the service configuration, including the transmission rate, channel,
QoS capabilities, access authentication algorithm, and encryption algorithm.
b. The AP receives the Association Request packet, encapsulates the packet into a
CAPWAP packet, and sends the CAPWAP packet to the AC.
c. The AC determines whether to associate with the STA according to the received
Association Request packet and replies with an Association Response packet.
d. The AP decapsulates the received Association Response packet and sends it to the
STA.


Figure 5-19 STA association in agile distributed architecture (intra-central AP roaming)

[Figure: message sequence among the STA, RU, central AP, and AC. 1: Association Request;
2: Association Request; 3: Determine an intra-central AP roaming; 4: Process intra-central AP
roaming; 5: Association Response.]


Figure 5-20 STA association in agile distributed architecture (non-intra-central AP roaming)

[Figure: message sequence among the STA, RU, central AP, and AC. 1: Association Request;
2: Association Request; 3: Determine a non-intra-central AP roaming; 4: Association Request;
5: Association Response.]

• STA association in agile distributed architecture consists of the following steps:


a. The STA sends an Association Request packet to the RU. The Association Request
packet carries the STA's parameters and the parameters that the STA selects
according to the service configuration, including the transmission rate, channel,
QoS capabilities, access authentication algorithm, and encryption algorithm.
b. The RU receives the Association Request packet, encapsulates the packet into a
CAPWAP packet, and sends the CAPWAP packet to the central AP.
c. The central AP checks whether a local user entry matches.
– If so, intra-central AP roaming occurs. The central AP performs local roaming
and sends an Association Response packet to the RU.
– If not, roaming is not intra-central AP roaming. The central AP forwards the
Association Request packet to the AC. The AC then determines whether
access authentication is required and sends an Association Response packet to
the central AP.
NOTE

After association, the STA determines whether it needs to be authenticated according to the received
Association Response packet:
• If the STA does not need to be authenticated, the STA can access the wireless network.
• If the STA needs to be authenticated, the STA initiates user access authentication. After authentication,
the STA can access the wireless network. For details about user access authentication, see NAC
Configuration in S1720, S2700, S5700, and S6720 V200R012C00 Configuration Guide - User Access
and Authentication.

5.2.7 Data Forwarding Mode


Data on a WLAN involves control packets (management packets) and data packets. Control
packets are forwarded through CAPWAP control tunnels. Data packets are forwarded in
tunnel forwarding (centralized forwarding) or direct forwarding (local forwarding) mode
according to whether data packets are forwarded through CAPWAP data tunnels.

Tunnel Forwarding
In tunnel forwarding mode, APs encapsulate service data packets over a CAPWAP data tunnel
and send them to an AC, which then forwards these packets to an upper-layer network, as
shown in Figure 5-21.


Figure 5-21 Tunnel forwarding

[Figure: network diagram with the Internet, AC, LAN, AP, and STA, and a CAPWAP tunnel between
the AP and AC. Legend: data packet, control packet.]

Direct Forwarding
In direct forwarding mode, an AP directly forwards service data packets to an upper-layer
network without encapsulating them over a CAPWAP data tunnel, as shown in Figure 5-22.


Figure 5-22 Direct forwarding

[Figure: network diagram with the Internet, AC, LAN, AP, and STA, and a CAPWAP tunnel between
the AP and AC. Legend: data packet, control packet.]

Centralized Authentication in Direct Forwarding Mode


If direct forwarding is used, service data does not need to be forwarded by an AC. When user
access authentication (for example, 802.1X authentication) is required on a wireless user
access network and the access control point is deployed on an AC, user authentication packets
cannot be managed by the AC in a centralized manner. This makes it difficult to control users
in a uniform manner.
In direct forwarding mode, the AC supports centralized authentication by default. User
authentication packets can be forwarded over CAPWAP tunnels to the AC, while common
data packets do not need to be forwarded by the AC, as shown in Figure 5-23.


Figure 5-23 Centralized authentication in direct forwarding mode

[Figure: network diagram with the Internet, AC, LAN, AP, and STA, and a CAPWAP tunnel between
the AP and AC. Legend: common data packet, control packet, authentication packet.]

Comparison of tunnel forwarding and direct forwarding

Table 5-3 Comparison of tunnel forwarding and direct forwarding


| Data Forwarding Mode | Advantage | Disadvantage |
|---|---|---|
| Tunnel forwarding | An AC forwards data packets in a centralized manner, ensuring security and facilitating centralized management and control. New devices are easy to deploy and configure, with small changes to the current network. | Service data must be forwarded by an AC, reducing packet forwarding efficiency and burdening the AC. |
| Direct forwarding | Service data packets do not need to be forwarded by an AC, improving packet forwarding efficiency and reducing the burden on the AC. | Service data packets cannot be centrally managed or controlled. New device deployment causes large changes to the existing network. |


5.2.8 Uninterrupted AP Operation After CAPWAP Link Disconnection

In a scenario that uses direct forwarding and AC+Fit AP architecture, the AP and AC must
establish a CAPWAP tunnel for control packet forwarding before a STA connects to the
Internet through WLAN. When the CAPWAP tunnel is faulty, the AP cannot forward data
packets, online users on the AP are forcibly disconnected from the AP, and new users cannot
connect to the AP. These problems negatively affect user experience. To solve these problems,
enable the AP to hold services and grant new users access permission after the CAPWAP link
is disconnected.
• Service holding upon CAPWAP link disconnection
After the service holding function is enabled, the AP can still forward data packets when
the CAPWAP tunnel is faulty. This function ensures uninterrupted data service
transmission in direct forwarding mode, reducing loss for users and improving service
reliability.

Figure 5-24 Service holding upon CAPWAP link disconnection

[Figure: network diagram with the Internet, AC, switch, AP, and STA, and a CAPWAP tunnel between
the AP and AC. Legend: data packets, control packets.]

• User access permission after CAPWAP link disconnection


The service holding function takes effect only for online users but not for offline users.
Under normal circumstances, offline users are not allowed to go online when the
CAPWAP link is broken.
When the function that allows STA access after CAPWAP link disconnection is enabled,
the AP allows offline STAs to go online and access the network. After the broken
CAPWAP link is restored, the AP forces all the STAs that went online during CAPWAP
link disconnection to go offline. The AP then reassociates with these STAs and reports
STA information through logs. For Portal or MAC address authentication STAs, after the
broken CAPWAP link is restored, the AP forces all these STAs to go offline and reports
STA information through logs.
NOTE

This function allows all the users who enter the correct key to go online. The STA whitelist and
blacklist configured on the AC do not take effect after the CAPWAP link is broken.
When the function that allows user access after CAPWAP link disconnection is disabled,
STA association and key negotiation are performed between the AC and STA. After this
function is enabled, STA authentication, association, and key negotiation are performed
between the AP and STA. The different processes for association and authentication are
shown in Figure 5-25.

Figure 5-25 User access permission after CAPWAP link disconnection

[Figure: network diagram with the Internet, AC, LAN, AP, and STA, and a CAPWAP tunnel between
the AP and AC. Legend: ① Authentication packet exchange before user access permission after
CAPWAP link disconnection is disabled; ② Authentication packet exchange before user access
permission after CAPWAP link disconnection is enabled.]

On an agile distributed WLAN, the service holding or user access permission functions apply
only to scenarios where the CAPWAP link between the AC and central AP is disconnected
but not to scenarios where the CAPWAP link between the central AP and RU is disconnected.

5.3 Application Scenarios for WLAN


5.3.1 WLAN Networking Application on Medium- and Large-sized Campus Networks

Medium and large campus networks are deployed in headquarters of large and medium
enterprises, branches of large enterprises, colleges and universities, and airports. On a large
campus network, a large number of APs are often deployed.

Most of these campus networks use the centralized WLAN architecture (AC+Fit AP) to
facilitate network maintenance and enhance security. Based on the AC deployment mode, two
AC solutions are available: centralized AC solution and distributed AC solution.

Centralized AC Solution
The centralized AC solution deploys independent ACs to manage APs on the network.

Figure 5-26 shows the centralized AC solution on a medium or large campus network.

Figure 5-26 Centralized AC solution on a medium or large campus network

[Figure: network diagram. Elements shown: Internet, campus network, two campus egress gateways,
NMS, AC, two aggregation switches, two access switches, and APs.]


Distributed AC Solution
The distributed AC solution deploys multiple ACs in different areas to manage APs. This
mode integrates AC functions on an aggregation switch to manage all the APs connected to
the aggregation switch, without using an independent AC.

Figure 5-27 shows the distributed AC solution on a medium or large campus network.

Figure 5-27 Distributed AC solution on a medium or large campus network

[Figure: network diagram. Elements shown: Internet, campus network, two campus egress gateways,
NMS, two ACs, two switches, and APs.]

5.3.2 WLAN Networking Application on Small Campus Networks


Small-scale campus networks are deployed in small- and medium-scale enterprises. Their
WLAN deployment scale is smaller than that on a large-scale campus network but is greater
than that on a SOHO network.

To reduce costs, a small-scale campus network does not use dedicated NMS devices or
authentication servers, resulting in low reliability.

A small-scale campus network often uses the centralized AC solution, as shown in Figure 5-28.


Figure 5-28 Small-scale campus network WLAN solution

[Figure: network diagram. Elements shown: Internet, router (campus egress gateway), campus
network, AC, and AP.]

5.3.3 WLAN Networking Application in Enterprise Branches


The enterprise branch WLAN networking can be used when an enterprise deploys WLANs in
the headquarters and branches and the headquarters needs to manage WLANs in branches.
Large-scale and small-scale branch WLAN networkings are defined based on the AC
deployment mode, independent of the network size. Figure 5-29 and Figure 5-30 show the
large-scale and small-scale branch WLAN networkings.


Figure 5-29 Large-scale branch WLAN networking

[Figure: network diagram. Elements shown: AP, AC, access switch, branch network, branch egress
gateway, WAN, headquarters egress gateway, headquarters network, and NMS (manages WLANs in a
unified manner).]

Figure 5-30 Small-scale branch WLAN networking

[Figure: network diagram. Elements shown: AP, AC, access switch, branch network, branch egress
gateway, WAN, headquarters egress gateway, headquarters network, and NMS (manages WLANs in a
unified manner).]

5.3.4 Typical Application of an Agile Distributed WLAN


In scenarios with a high concentration of rooms, such as hotels, school dormitories, and
hospitals, walls or other indoor objects may cause severe signal attenuation. Common indoor
settled APs or distributed APs cannot meet the requirement of high-performance wireless
coverage at low costs; therefore, Huawei develops the agile distributed WLAN architecture.
An agile distributed WLAN is composed of the AC, central AP, and RU. The RU receives and
sends wireless packets. The central AP connects to the RUs through network cables.
Compared with feeder cables used by common APs to connect to antennas, the network
cables provide longer deployment distance, allowing RUs to be deployed further from the
central AP.
The central AP directly connects to and provides PoE power for RUs, as shown in Figure
5-31. You can also connect the central AP to RUs through a switch to increase the number of
the connected RUs. A Layer 2 reachable tree network must be deployed between the RUs and
central AP.


Figure 5-31 Agile distributed WLAN


[Figure: floor plan. Elements shown: rooms on both sides of a corridor, RUs, a staircase, an ELV
room, a PoE switch, the central AP, the network, the AC, and the network O&M center.]

5.3.5 Typical Application of Uninterrupted AP Operation After CAPWAP Link Disconnection

As shown in Figure 5-32, to reduce management and maintenance costs, some small- and
medium-sized enterprises deploy the AC at the headquarters to manage the APs and STAs in
branches. In direct forwarding mode, service holding upon CAPWAP link disconnection is
configured. After the CAPWAP link between the AP and AC is broken, online branch users
can access local network resources (such as the local servers), and new branch users can still
access the WLAN to obtain network resources.

Figure 5-32 Uninterrupted AP operation after CAPWAP link disconnection

[Figure: network diagram. Elements shown: Internet, AC, NMS, enterprise headquarters, WAN,
enterprise branch, AP, two online users, and a new online user.]

5.4 Summary of WLAN Configuration Tasks


After the AP group is created, and AP and STA online configurations are complete, APs can
go online and STAs can access the wireless network.
The basic WLAN service functions can be implemented only when all the following
configuration tasks are completed.


• Configure a common WLAN.
a. 5.8 Creating an AP Group: Create an AP group to reference WLAN profiles.
b. 5.9 Configuring APs to Go Online: Configure APs to go online.
c. 5.11 Configuring STAs to Go Online: Enable STAs to access the network.
• Configure an agile distributed WLAN.
a. 5.8 Creating an AP Group: Create an AP group to reference WLAN profiles.
b. 5.10 Configuring the Central AP and RUs to Go Online: Configure the central
APs and remote units (RUs) to go online.
c. 5.12 Configuring STAs to Go Online (Agile Distributed WLAN): Enable STAs
to access the network.

5.5 Configuration Limitations for WLAN


VLAN Deployment
Packets transmitted on a WLAN include management packets and service data packets.

• Management packets must be forwarded through Control And Provisioning of Wireless
Access Points (CAPWAP) tunnels.
• Service data packets can be forwarded directly or through CAPWAP tunnels.

In practice, the management VLAN and service VLAN must be configured for management
packets and service data packets.

• Management VLAN: transmits packets that are forwarded through CAPWAP tunnels,
including management packets and service data packets forwarded through CAPWAP
tunnels.
• Service VLAN: transmits service data packets.
NOTE

• It is recommended that you use different VLANs for the management VLAN and service VLAN.
• You are not advised to use VLAN 1 as the management VLAN or service VLAN.
• In tunnel forwarding mode, the management VLAN and service VLAN must be different. The network
between the AC and AP can only permit packets with management VLAN tags to pass through, and
cannot permit packets with service VLAN tags to pass through.
• When a downlink GE interface of an AD9431DN-24X works in middle mode, the interface allows
packets from all VLANs but no VLAN is created by default. VLANs are automatically created or deleted
based on the VLAN list on the connected RU.

The following describes the forwarding process of management and service data packets.
Here, VLAN m and VLAN m' represent management VLANs, while VLAN s and VLAN s'
represent service VLANs.
• When an AP connects to an AC through a Layer 2 network, VLAN m is the same as
VLAN m', and VLAN s is the same as VLAN s'.
• When an AP connects to an AC through a Layer 3 network, VLAN m is different from
VLAN m', and VLAN s is different from VLAN s'.

• Figure 5-33 shows the process of forwarding management packets through CAPWAP
tunnels.


Figure 5-33 Forwarding management packets through CAPWAP tunnels

[Figure: packet formats at each hop. At the AC: 802.3 | UDP/IP | CAPWAP | Payload. Between the AC
and the switch: VLAN m' | 802.3 | UDP/IP | CAPWAP | Payload. At the switch: VLAN m | 802.3 |
UDP/IP | CAPWAP | Payload.]

In Figure 5-33:
– In the uplink direction (from the AP to the AC): When receiving management
packets, the AP encapsulates the packets in CAPWAP packets. The switch tags the
packets with VLAN m. The AC decapsulates the CAPWAP packets and removes
the tag VLAN m'.
– In the downlink direction (from the AC to the AP): When receiving downstream
management packets, the AC encapsulates the packets in CAPWAP packets and
tags them with VLAN m'. The switch removes VLAN m from the packets. The AP
decapsulates the CAPWAP packets.
• Figure 5-34 shows the process of directly forwarding service data packets.

Figure 5-34 Forwarding service data packet directly

[Figure: packet formats at each hop. Toward the Internet: VLAN s' | 802.3 | Payload. At the
switch: VLAN s | 802.3 | Payload. Between the AP and STA: 802.11 | Payload. At the STA: Payload.
Legend: VLAN s, VLAN s': service VLAN; data packet.]

In Figure 5-34, service data packets are not encapsulated in CAPWAP packets.
– In the uplink direction (from the STA to the Internet): When upstream service data
packets in 802.11 format are sent from the STA to the AP, the AP converts the
packets into 802.3 packets, tags the packets with VLAN s, and forwards the packets
to the destination.
– In the downlink direction (from the Internet to the STA): When downstream service
data packets in 802.3 format reach the AP (the packets are tagged with VLAN s' by
upstream devices), the AP converts the 802.3 packets into 802.11 packets and
forwards them to the STA.
• Figure 5-35 shows the process of forwarding service data packets through CAPWAP
tunnels.


Figure 5-35 Forwarding service data packets through CAPWAP tunnels

[Figure: packet formats at each hop. Toward the Internet: VLAN s | 802.3 | Payload. At the AC:
VLAN m' | 802.3 | UDP/IP | CAPWAP | VLAN s | 802.3 | Payload. At the switch: VLAN m | 802.3 |
UDP/IP | CAPWAP | VLAN s | 802.3 | Payload. From the AP: 802.3 | UDP/IP | CAPWAP | VLAN s |
802.3 | Payload. Between the AP and STA: 802.11 | Payload. At the STA: Payload.
Legend: VLAN m, VLAN m': management VLAN; VLAN s: service VLAN; data packet.]

In Figure 5-35, service data packets are encapsulated in CAPWAP packets and
transmitted through CAPWAP data tunnels.
– In the uplink direction (from the STA to the Internet): When upstream service data
packets in 802.11 format are sent from the STA to the AP, the AP converts the
packets into 802.3 packets, tags the packets with VLAN s, and encapsulates them in
CAPWAP packets. The upstream switch tags the packets with VLAN m. The AC
decapsulates the CAPWAP packets and removes the tag VLAN m' from the
packets.
– In the downlink direction (from the Internet to the STA): When downstream service
data packets reach the AC, the AC encapsulates the packets in CAPWAP packets,
allows the packets carrying VLAN s to pass through, and tags the packets with
VLAN m'. The switch removes VLAN m from the packets. The AP decapsulates
the CAPWAP packets, removes VLAN s, converts the 802.3 packets into 802.11
packets, and forwards them to the STA.
Management VLAN tag VLAN m is the outer tag of CAPWAP-encapsulated packets.
The intermediate devices between the AC and AP can only transparently transmit
packets carrying VLAN m and cannot be configured with VLAN s encapsulated in the
CAPWAP packets.
In WLAN networking, management VLANs and service VLANs must be properly planned.
The following assumes that an AP connects to an AC through a Layer 2 network.
• In Figure 5-36, to implement direct forwarding, ensure that the AP can exchange
management VLAN packets with the AC and exchange service VLAN packets with
upstream devices.


Figure 5-36 VLAN deployment in direct forwarding mode

[Figure: network diagram with the Internet, SW2, AC, SW1, AP, and STA, and a CAPWAP tunnel
between the AP and AC; the links are labelled with VLAN 100 and VLAN 101.
Legend: management VLAN: VLAN 100; service VLAN: VLAN 101; management packet; data packet.]

• In Figure 5-37, to implement tunnel forwarding, ensure that the AP can exchange
management VLAN packets with the AC and the AC can exchange service VLAN
packets with upstream devices.


Figure 5-37 VLAN deployment in tunnel forwarding mode

[Figure: network diagram with the Internet, SW2, AC, SW1, AP, and STA, and a CAPWAP tunnel
between the AP and AC; the links are labelled with VLAN 100 and VLAN 101.
Legend: management VLAN: VLAN 100; service VLAN: VLAN 101; management packet; data packet.]
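
The VLAN planning rules of this section, expressed as a check over a planned topology; this is an added example, not Huawei tooling. The link names, the finding codes, and the reading that a link shared with the AC's service path (SW2-AC in Figure 5-37) may carry the service VLAN in tunnel mode are assumptions; the two sample plans are constructed from the VLAN 100/101 labels in Figures 5-36 and 5-37.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    allowed: frozenset        # VLAN IDs the link permits


@dataclass(frozen=True)
class VlanPlan:
    mode: str                 # "direct" or "tunnel"
    mgmt_vlan: int
    service_vlan: int
    capwap_path: tuple        # links between the AP and the AC
    service_path: tuple       # direct: AP to upstream; tunnel: AC to upstream


def link(name, *vlans):
    return Link(name, frozenset(vlans))


def check_vlan_plan(plan):
    """Return a list of (severity, code, message) findings; empty means the plan passes."""
    if plan.mode not in ("direct", "tunnel"):
        raise ValueError(f"unknown forwarding mode: {plan.mode!r}")
    findings = []
    for role, vid in (("management", plan.mgmt_vlan), ("service", plan.service_vlan)):
        if not 1 <= vid <= 4094:
            raise ValueError(f"invalid {role} VLAN ID: {vid}")
        if vid == 1:   # NOTE: VLAN 1 is not advised for either role
            findings.append(("warning", "VLAN1", f"VLAN 1 is used as the {role} VLAN"))
    same = plan.mgmt_vlan == plan.service_vlan
    if same:           # recommended to differ; mandatory in tunnel forwarding mode
        severity = "error" if plan.mode == "tunnel" else "warning"
        findings.append((severity, "SAME_VLAN",
                         "management VLAN and service VLAN are identical"))
    service_links = {l.name for l in plan.service_path}
    for l in plan.capwap_path:
        # The AP must be able to exchange management VLAN packets with the AC.
        if plan.mgmt_vlan not in l.allowed:
            findings.append(("error", "MGMT_BLOCKED",
                             f"{l.name} does not permit management VLAN {plan.mgmt_vlan}"))
        # Tunnel mode: the network between AC and AP must not pass service VLAN tags.
        if (plan.mode == "tunnel" and not same
                and plan.service_vlan in l.allowed and l.name not in service_links):
            findings.append(("error", "SERVICE_ON_TUNNEL_PATH",
                             f"{l.name} permits service VLAN {plan.service_vlan}"))
    for l in plan.service_path:
        # Direct: AP reaches upstream devices; tunnel: AC reaches upstream devices.
        if plan.service_vlan not in l.allowed:
            findings.append(("error", "SERVICE_BLOCKED",
                             f"{l.name} does not permit service VLAN {plan.service_vlan}"))
    return findings


# Constructed from Figure 5-36 (direct forwarding).
DIRECT_PLAN = VlanPlan(
    "direct", 100, 101,
    capwap_path=(link("AP-SW1", 100, 101), link("SW1-SW2", 100, 101), link("SW2-AC", 100)),
    service_path=(link("AP-SW1", 100, 101), link("SW1-SW2", 100, 101),
                  link("SW2-upstream", 101)),
)

# Constructed from Figure 5-37 (tunnel forwarding).
TUNNEL_PLAN = VlanPlan(
    "tunnel", 100, 101,
    capwap_path=(link("AP-SW1", 100), link("SW1-SW2", 100), link("SW2-AC", 100, 101)),
    service_path=(link("SW2-AC", 100, 101), link("SW2-upstream", 101)),
)

if __name__ == "__main__":
    for name, plan in (("direct", DIRECT_PLAN), ("tunnel", TUNNEL_PLAN)):
        print(name, check_vlan_plan(plan) or "no findings")
```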

APs Supported by the Device


• APs mentioned in this document are Huawei AP products.
• You can run the display ap-type { all | id type-id | type ap-type } command to check the
AP types supported by the device.

5.6 Licensing Requirements and Limitations for WLAN


Involved Network Elements
AP
• APs mentioned in this document are Huawei AP products. You are advised to use
Huawei APs to connect to the AC.
• You can run the display ap-type all command to check the default AP types supported
by the device.


• When central APs and RUs are used, ensure that their versions are the same. For
example, if the central AP version is V200R007C10, the RU version must be
V200R007C10.

Table 5-4 Mapping between switch versions and AP versions


| Product Software Version | AP Software Version |
|---|---|
| V200R012C00 | V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10 |
| V200R011C10 | V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10 |
| V200R011C00 | V200R007C20, V200R007C10, V200R006C20, V200R006C10 |
| V200R010C00 | V200R007C10, V200R006C20, V200R006C10 |
| V200R009C00 | V200R006C20, V200R006C10 |
| V200R008C00 | V200R005C30, V200R005C20, V200R005C10 |
| V200R007 | V200R005C20, V200R005C10 |
| V200R006 | V200R005C00 |

Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
● AP resource license-16AP for WLAN access controller
● AP resource license-64AP for WLAN access controller
● AP resource license-128AP for WLAN access controller
● AP resource license-512AP for WLAN access controller

For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.

Version Requirements

Table 5-5 Products and minimum version supporting the WLAN service

Series | Product Model | Minimum Version Required
-------|---------------|-------------------------
S1700 series switches | - | Not supported
S2700 series switches | - | Not supported
S3700 series switches | - | Not supported
S5700 series switches | S5720HI, S5730HI | S5720HI: V200R006; S5730HI: V200R012
S6700 series switches | S6720HI | V200R012

Feature Limitations
Packets transmitted on a WLAN include management packets and service data packets.
● It is recommended that you use different VLANs for the management VLAN and service
  VLAN.
● You are not advised to use VLAN 1 as the management VLAN or service VLAN.
● In tunnel forwarding mode, the management VLAN and service VLAN must be different.

In actual WLAN networking, management VLANs and service VLANs must be properly
planned. The following example assumes that an AP connects to an AC through a Layer 2
network.
● In direct forwarding mode, ensure that the AP can exchange management VLAN packets
  with the AC and exchange service VLAN packets with upstream devices.
● In tunnel forwarding mode, ensure that the AP can exchange management VLAN
  packets with the AC and the AC can exchange service VLAN packets with upstream
  devices.

Networking restrictions
● In tunnel forwarding mode, the AC and AP do not support IP packet fragmentation.
● In the AC + AP networking, to prevent loops, port flapping, or AP disconnection, do not
  use Smart Link, equal-cost routing, or port protection services.
● The AC cannot manage APs through VPNs. That is, the source interface cannot be added
  to a VPN.
● APs cannot connect to physical Layer 3 interfaces or subinterfaces on the AC.
● The AC can manage APs and STAs using IPv4 addresses but not IPv6 addresses.
● VXLAN is supported from V200R011C10. The VXLAN service cannot be configured
  on the CAPWAP source interface specified for the AC. Otherwise, the AC cannot
  manage APs, and APs fail to go online.

The AC and AP exchange CAPWAP packets to communicate with each other. To prevent
CAPWAP packet attacks from affecting normal device communication, you can configure
local attack defense on devices. To configure local attack defense, specify a trusted AP source
address in an ACL rule and then configure a whitelist in the attack defense policy or configure
user-defined flows to limit the rate of specified CAPWAP packets. For details, see Local
Attack Defense Configuration.

In wireless city scenarios, it is recommended that the STA aging time be reduced. The
recommended value is 1 minute.

5.7 Default Settings for WLAN


Table 5-6 Default settings for WLAN

Parameter | Default Setting
----------|----------------
Country code | CN (China)
AP authentication mode | mac-auth (MAC authentication)
Data forwarding mode | Direct forwarding
Channel switchover announcement | Enabled
Channel switchover announcement mode | continue-transmitting (In this mode, data transmission is continued on the current channel.)

5.8 Creating an AP Group


Context
On an AC + Fit AP network, one AC manages many APs. Usually, you need to perform the
same configurations on the APs. In this situation, you can add the APs to an AP group and
perform configurations uniformly in the AP group, which simplifies operations. All APs in
the group use the same configurations.

Each AP must join one, and only one, AP group. An AP group contains configurations shared
by all APs. Configurations specific to a single AP are set in the AP view.

By default, an AP automatically joins the AP group default. The AP group default cannot be
deleted, but you can modify configurations in the default AP group.


By default, an AP group has the following profiles bound: AP system profile default, 2G
radio profile default, 5G radio profile default, regulatory domain profile default, WIDS
profile default, and AP wired port profile default.

Pre-configuration Tasks
Before creating an AP group, perform the task of CLI Login Configuration.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run ap-group name group-name

An AP group is created, and the AP group view is displayed.

By default, the system provides the AP group default.

----End

Verifying the Configuration


● Run the display ap-group { all | name group-name } command to view AP group
  configurations.

Follow-up Procedure
After an AP group is created, you need to add APs to the AP group so that the APs can use
configurations in the group. For details, see 5.9.8 Adding APs.

5.9 Configuring APs to Go Online


Pre-configuration Tasks
To enable APs to discover an AC and go online on the AC after passing security
authentication, you need to configure network elements (NEs), interconnections between NEs,
and AC system parameters.

Before configuring APs to go online, perform the task of CLI Login Configuration.

Configuration Procedure
Perform the following steps in the listed order.

5.9.1 Configuring a DHCP Server

You can configure a DHCP server to assign IP addresses to APs and STAs.


A service DHCP address pool and a management DHCP address pool are used to assign IP
addresses to STAs and APs, respectively. The two types of DHCP address pools must be
configured separately.

Configuring a DHCP Server


To go online successfully, APs and STAs must obtain IP addresses. You can configure an AC
as a DHCP server or use an independent DHCP server to assign IP addresses to APs and
STAs.
● When an enterprise branch has no independent DHCP server, configure an AC as a
  DHCP server.
● An independent DHCP server applies to WLANs in medium- to large-sized campuses.

The configuration depends on which device functions as the DHCP server:

● For details about how to configure an AC as a DHCP server, see Configuring a DHCP
  Server in Configuration Guide - IP Service.
● For details about how to configure an independent DHCP server, see related product
  configuration manuals.

When the AC and APs are on the same network segment, the APs can discover the AC in
broadcast mode. You do not need to configure Option 43 or DNS. If either of the two methods
is configured to notify the APs of the AC's IP address, the APs will preferentially send unicast
Discovery Request packets to this IP address. If the APs do not receive any Discovery
Response packet after sending the unicast packets 10 consecutive times, the APs broadcast
packets on the local network segment to discover an AC.

If the AC and APs are on different network segments, you must configure Option 43 or DNS
to specify the AC's CAPWAP source IP address for the APs. Otherwise, the APs cannot
discover the AC and go online successfully.

Configuring Option 43
● If an AC functions as a DHCP server to assign IP addresses to APs, perform the
  following operations:
  a. Run the system-view command to enter the system view.
  b. Run the ip pool ip-pool-name command to create a global address pool and enter its
     view.
  c. Run any of the following commands to configure the option 43 field.
     ■ option 43 hex hex-string
     ■ option 43 sub-option 3 ascii ascii-string
     ■ option 43 sub-option 2 ip-address ip-address &<1-8>
     ■ option 43 sub-option 1 hex hex-string
     NOTE
     Run any of the following commands to configure the option 43 field. If multiple commands are
     executed on an AP in V200R006, only the last command takes effect. If multiple commands are
     executed on an AP in V200R007C10 or a later version, all the commands take effect.
     ● option 43 sub-option 3 ascii ascii-string
     ● option 43 sub-option 2 ip-address ip-address &<1-8>
     ● option 43 sub-option 1 hex hex-string
● If an independent DHCP server is used to assign IP addresses to APs, you must
  configure option 43. Otherwise, the APs cannot discover the AC and go online
  successfully. For details about the configuration, see related product configuration
  manuals.
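The Option 43 forms listed above all carry the AC address list that APs will contact, so the value offered on the management VLAN is worth verifying. The following added example (not from the Huawei guide) builds and decodes such payloads and reports advertised AC addresses that are not on a trusted list. It assumes the payload is a sequence of RFC 2132 type-length-value sub-options, that sub-options 1 and 2 hold packed IPv4 addresses, and that sub-option 3 holds a comma-separated ASCII list; the page names the sub-options but does not give their wire layout, and all function names and addresses are constructed for illustration.

```python
import ipaddress

# Sub-option numbers as named by the commands on this page.
SUB_HEX, SUB_IP_LIST, SUB_ASCII = 1, 2, 3


def build_option43_hex(ac_ips, sub_type=SUB_ASCII):
    """Return the hex string for one sub-option carrying the AC addresses.

    Assumed layout: <type:1 byte><length:1 byte><value>.
    """
    addrs = [ipaddress.IPv4Address(ip) for ip in ac_ips]
    if not addrs:
        raise ValueError("at least one AC address is required")
    if sub_type == SUB_ASCII:
        value = ",".join(str(a) for a in addrs).encode("ascii")
    elif sub_type in (SUB_HEX, SUB_IP_LIST):
        value = b"".join(a.packed for a in addrs)
    else:
        raise ValueError("unsupported sub-option %d" % sub_type)
    if len(value) > 255:
        raise ValueError("value does not fit in a one-byte length field")
    return (bytes([sub_type, len(value)]) + value).hex().upper()


def _decode_value(sub_type, value):
    """Decode one sub-option value into a list of dotted-quad strings."""
    if sub_type == SUB_ASCII:
        parts = value.decode("ascii").split(",")
        return [str(ipaddress.IPv4Address(p.strip())) for p in parts]
    if sub_type in (SUB_HEX, SUB_IP_LIST):
        if not value or len(value) % 4:
            raise ValueError("packed IPv4 list must be a multiple of 4 bytes")
        return [str(ipaddress.IPv4Address(value[i:i + 4]))
                for i in range(0, len(value), 4)]
    return []  # unknown sub-option: carries no AC address we understand


def parse_option43(hex_string):
    """Split an Option 43 payload into (sub_type, [addresses]) tuples."""
    data = bytes.fromhex(hex_string)
    result, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        sub_type, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d runs past end of payload" % sub_type)
        result.append((sub_type, _decode_value(sub_type, value)))
        i += 2 + length
    return result


def unexpected_acs(hex_string, trusted_acs):
    """AC addresses advertised in the payload that are not in trusted_acs."""
    trusted = {str(ipaddress.IPv4Address(ip)) for ip in trusted_acs}
    advertised = {ip for _, ips in parse_option43(hex_string) for ip in ips}
    return sorted(advertised - trusted)


if __name__ == "__main__":
    # Constructed payload: sub-option 2 with two AC addresses.
    offered = build_option43_hex(["10.23.100.1", "10.23.100.2"], SUB_IP_LIST)
    print(offered, parse_option43(offered))
    print("not trusted:", unexpected_acs(offered, ["10.23.100.1"]))
```

A non-empty result from unexpected_acs on a captured DHCP offer means APs on that segment are being pointed at an AC address that is not in the planned list.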

Configuring DNS
NOTE
In this mode, you need to configure the domain name and address of the AC on the DNS server.
● If an AC functions as a DHCP server to assign IP addresses to APs, perform the
  following operations:
  a. Run the system-view command to enter the system view.
  b. Run the ip pool ip-pool-name command to create a global address pool and enter its
     view.
  c. Run the gateway-list ip-address &<1-8> command to configure a gateway address
     for DHCP clients.
  d. Run the network ip-address [ mask { mask | mask-length } ] command to set a
     network segment of the global address pool.
  e. Run the dns-list ip-address &<1-8> command to configure a DNS server address
     for DHCP clients.
  f. Run the domain-name domain-name command to configure a domain name suffix for APs.
     After obtaining the suffix, the APs concatenate the suffix and
     huawei-wlan-controller into a fully qualified domain name (FQDN). The APs then use this
     FQDN to request the AC's IP address from the DNS server.
● If an independent DHCP server is used to assign IP addresses to APs, you must
  configure the domain name suffix for APs. Otherwise, the APs cannot discover the AC
  and go online successfully. For details about how to configure an independent DHCP
  server, see related product configuration manuals.

5.9.2 Configuring Network Interconnections

To enable APs and STAs to obtain IP addresses, APs to discover the AC and go online on the
AC, and STAs to access the network, configure interconnections between network devices.

The APs need to send service packets to STAs, and forward management packets and STAs'
service packets to the AC. When configuring network interconnections, configure the
management and service packets separately.

Configuring Management Packet Exchange


Management packets between the AC and APs are transmitted only on the network between
them. To ensure that the AC and APs exchange management packets properly, you need to
configure correct VLANs and routes.

NOTE

The PVIDs of network device interfaces directly connected to the APs must be set to management VLAN
IDs.


Configuring Service Packet Exchange


Service packets are transmitted between the STAs and upper-layer network. Configure service
packet exchange based on the forwarding mode to ensure proper transmission.
● Tunnel forwarding mode:
  – Configure the AC and APs to exchange management packets but not service
    packets. In tunnel forwarding mode, service packets are encapsulated in CAPWAP
    data tunnels and forwarded by the AC to the upper-layer network.
  – Configure the AC to exchange service packets with upper-layer network devices.
● Direct forwarding mode:
  Configure the APs to exchange service VLAN packets with the upper-layer network. In
  direct forwarding mode, service packets are not encapsulated in CAPWAP data tunnels.
  They can be forwarded directly or by the AC to the upper-layer network.
NOTE
If a VLAN pool is configured as service VLANs, configure the APs and upper-layer network to allow
packets from all VLANs in the VLAN pool to pass.

Configuring APs and STAs to Communicate with the DHCP Server


The APs and STAs must obtain IP addresses from the DHCP server; therefore, you need to
configure the APs and STAs to communicate with the DHCP server.

5.9.3 Configuring Country Codes

Context
A country code identifies the country to which AP radios belong. Different countries support
different AP radio attributes, including the transmit power and supported channels. Correct
country code configuration ensures that radio attributes of APs comply with laws and
regulations of countries and regions to which the APs are delivered.
The country code is configured in a regulatory domain profile. Two configuration scenarios
are available:
● If the APs managed by an AC are located in the same country or region, you only need
  to configure one country code.
● If the APs managed by an AC are located in different countries, you need to configure
  different country codes for the APs.
As shown in Figure 5-38, APs using regulatory domain profile 1 in country 1 and those using
regulatory domain profile 2 in country 2 are all managed and controlled by the same AC. In
this situation, you need to configure the country code of country 1 in regulatory domain
profile 1 and that of country 2 in regulatory domain profile 2.


Figure 5-38 Multiple country codes

[Figure: a headquarters in country 1 and a branch in country 2, connected through switches and the Internet, with a network management platform. The AC manages APs at both sites; APs in country 1 use AP regulatory domain profile 1 and APs in country 2 use AP regulatory domain profile 2.]

NOTE

● When configuring an AC for the first time, you must configure the correct country code. The
  country code must comply with local laws and regulations.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run regulatory-domain-profile name profile-name
A regulatory domain profile is created, and the regulatory domain profile view is displayed.
By default, the system provides the regulatory domain profile default.
Step 4 Run country-code country-code
A country code is configured.
By default, the country code CN is configured.
For details about country codes, see country-code.
Modifying the country code in a regulatory domain profile will restart APs using the profile.
Step 5 Run quit
Return to the WLAN view.
Step 6 Bind the regulatory domain profile to an AP group or AP.
● Binding the regulatory domain profile to an AP group
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the regulatory-domain-profile profile-name command to bind the regulatory
     domain profile to the AP group.
     By default, the regulatory domain profile default is bound to an AP group.
● Binding the regulatory domain profile to an AP
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the regulatory-domain-profile profile-name command to bind the regulatory
     domain profile to the AP.
     By default, no regulatory domain profile is bound to an AP.

----End

Verifying the Configuration


● Run the display regulatory-domain-profile { all | name profile-name } command to
  check the country code configured in a regulatory domain profile.
● Run the display references regulatory-domain-profile name profile-name command to
  check reference information about a regulatory domain profile.

5.9.4 Configuring a Source Interface or Source Address

Context
You need to specify at least one VLANIF interface or loopback interface. In this manner, APs
managed by an AC can learn the IP address of the specified interface to set up a CAPWAP
tunnel with the AC. This interface is called the source interface.
● VLANIF interface: applies to the scenario where the APs that associate with the AC
  belong to the same management VLAN.
● Loopback interface: applies to the scenario where the APs that associate with the AC
  belong to different management VLANs. When the APs belong to multiple management
  VLANs, the AC must have multiple VLANIF interfaces configured. If one of the
  VLANIF interfaces is specified as the source interface, none of the APs can go online
  when the source interface fails. A loopback interface remains Up after being created.
  When a loopback interface is used as the source interface and a VLANIF interface
  becomes faulty, only the AP that connects to the VLANIF interface cannot go online.

Procedure
● Configure an IPv4 source interface.
  – Specify a VLANIF interface.
    i. Run system-view
       The system view is displayed.
    ii. Run vlan vlan-id
       A VLAN is created, and the VLAN view is displayed.
       The created VLAN is a management VLAN.
    iii. Run quit
       Return to the system view.
    iv. Run interface vlanif vlan-id
       A VLANIF interface is created, and the VLANIF interface view is displayed.
    v. Run ip address ip-address { mask | mask-length }
       An IP address and a subnet mask are configured for the VLANIF interface.
    vi. Run quit
       Return to the system view.
    vii. Run the capwap source interface vlanif vlan-id command to specify a
       VLANIF interface as the source interface.
  – Specify a loopback interface.
    i. Run system-view
       The system view is displayed.
    ii. Run interface loopback loopback-number
       A loopback interface is created, and the loopback interface view is displayed.
    iii. Run ip address ip-address { mask | mask-length }
       An IP address and a subnet mask are configured for the loopback interface.
       The IP address of a loopback interface must use a 32-bit mask.
    iv. Run quit
       Return to the system view.
    v. Run the capwap source interface loopback loopback-number command to
       specify a loopback interface as the source interface.
----End

Verifying the Configuration


● Run the display capwap configuration command to check the source interface of an
  AC.

5.9.5 (Optional) Configuring a Network Element Name

Context
A network element is a physical device or service unit on the network topology. Each AC is a
network element.
You can configure network element names for ACs so that the ACs can be identified by an
NMS.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ac sysnetid ac-sysnetid


A network element name is configured for the AC.

By default, no NE name is configured for an AC.

----End

Verifying the Configuration


● Run the display ac global configuration command to check global configurations of an
  AC, including the AC's NE name.

5.9.6 (Optional) Configuring CAPWAP Tunnel Parameters

Context
After an AP is powered on and obtains an AC IP address, the AP begins to establish
CAPWAP tunnels with the AC. CAPWAP tunnels include control and data tunnels.

The AC sends management packets over the control tunnel to manage APs in a centralized
manner. Data packets of users are all forwarded to the AC for centralized processing through
the data tunnel. To improve link reliability and prevent CAPWAP control tunnels from being
terminated when the service traffic volume is high, configure a high priority for CAPWAP
management packets.

CAPWAP tunnels use Datagram Transport Layer Security (DTLS) encryption, sensitive
information encryption, integrity check, and heartbeat detection to ensure security.
● DTLS encryption: When an AP establishes CAPWAP tunnels with an AC, the AP
  determines whether to perform DTLS negotiation with the AC. The DTLS protocol can
  be used to encrypt packets exchanged between the AP and AC to ensure integrity and
  privacy of management packets. Currently, the device can only encrypt management
  packets using the pre-shared key (PSK).
● Sensitive information encryption: When sensitive information is transmitted between an
  AP and an AC, the information can be encrypted to ensure information security.
  Sensitive information includes the FTP user name, FTP password, AP login user name,
  AP login password, and service configuration key.
● Integrity check: When CAPWAP packets are transmitted between an AP and an AC,
  these packets may be forged or tampered with, or attackers may construct malformed
  packets to launch attacks. Integrity check can protect CAPWAP packets between the AP and AC.
● Heartbeat detection: The AP and AC periodically exchange Echo packets to determine
  whether the control tunnel is working properly and periodically exchange Keepalive
  packets to determine whether the data tunnel is working properly. If the AP or AC does
  not receive any response from the other after Echo or Keepalive packets are sent for the
  specified number of times, the AP and AC consider that the control or data tunnel is
  terminated. The tunnel needs to be re-established.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Configure CAPWAP tunnel parameters as required.


Table columns: Procedure, Command, Description.

Procedure: Configure the priority of CAPWAP management packets.
  Command: capwap control-link-priority { local | remote } priority-value
    By default, the priority of CAPWAP management packets is 7.
  Description: A larger priority value indicates a higher priority and link reliability.
    The default value 7 is recommended.
    NOTICE
    Configure priority 4 to 7 for CAPWAP management packets from an AC to an AP, preventing
    the CAPWAP management tunnel from being interrupted due to large traffic.

Procedure: Configure DTLS encryption.
  – Allow the AP to establish a DTLS session with the AC using the default PSK.
    Command: capwap dtls psk-mandatory-match enable
    By default, an AP is not allowed to establish a DTLS session with an AC using the default
    pre-shared key.
  – Configure the PSK used for DTLS encryption.
    Command: capwap dtls psk psk-value
    By default, the pre-shared key used for DTLS encryption is huawei_seccwp.
  – Enable DTLS encryption for control tunnels.
    Command: capwap dtls control-link encrypt
    By default, the function of encrypting the CAPWAP control tunnel using DTLS is disabled.
  Description: An AP can use a default or configured PSK to establish a DTLS session with an AC.
    If an AP is allowed to use the default PSK to establish a DTLS session with an AC, and a PSK
    is configured for DTLS encryption, the following situations occur:
    ● The AP uses the default PSK during login and uses the configured PSK for re-login
      after being restarted.
    ● When the AP and AC have different PSKs, the AP uses the default PSK to establish
      a DTLS session with the AC after three consecutive attempts to establish a DTLS session.
    It is recommended that you change the PSK in a timely manner to ensure device security.

Procedure: Encrypt sensitive information.
  – Configure a PSK for encrypting sensitive information.
    Command: capwap sensitive-info psk
    The default PSK used for sensitive information encryption is WLAN-KEYSTRING-AES256.
  Description: -

Procedure: Configure integrity check.
  – Enable integrity check of CAPWAP packets.
    Command: undo capwap message-integrity check disable
    By default, integrity check of CAPWAP packets is enabled.
  – Configure a PSK for checking integrity of CAPWAP packets.
    Command: capwap message-integrity psk
    The default PSK for checking integrity of CAPWAP packets is huawei_seccwp.
  Description: -

Procedure: Set the CAPWAP heartbeat detection.
  – Configure the heartbeat detection interval.
    Command: capwap echo interval interval-value
    By default, the CAPWAP heartbeat detection interval is 25s.
  – Configure the number of CAPWAP heartbeat detections.
    Command: capwap echo times times-value
    By default, a maximum number of six CAPWAP heartbeat detections can be performed.
    If dual-link backup is enabled, a maximum of three CAPWAP heartbeat detections can be
    performed.
  Description: After the CAPWAP heartbeat detection interval is configured, the interval for
    sending Echo packets is configured.
    After the number of CAPWAP heartbeat detections is configured, the number of times for
    sending Echo packets is configured.
    If no response is received after packets are sent for the specified number of times, the AP
    or AC considers the link between them is disconnected.
    If you set the CAPWAP heartbeat detection interval and the number of CAPWAP heartbeat
    detections smaller than the default values, the CAPWAP link reliability is degraded.
    Exercise caution when you set the values. The default values are recommended.
    If dual-link backup is enabled, the CAPWAP heartbeat detection interval is 25s and the
    number of CAPWAP heartbeat detections is 3. When the Wireless Distribution System (WDS)
    is required in dual-link backup configuration, the WDS link may be unstable and users may
    not access the network. You need to run this command to set the interval for CAPWAP
    heartbeat detection to 25 seconds and the number of CAPWAP heartbeat detections to 6.
    Radio traffic statistics packets are sent and received together with Echo packets.

Procedure: Configure the Echo packet process trace and diagnosis log record functions.
  Command: capwap echo-timeout trace logging
    By default, the Echo packet process trace and diagnosis log record functions are enabled
    upon AP Echo packet timeout.
  Description: -

----End

Verifying the Configuration


● Run the display capwap configuration command to check CAPWAP configurations.

5.9.7 (Optional) Configuring Automatic Upgrade When APs Go Online

Context
APs can be upgraded on an AC in the following modes:
● Automatic upgrade: used when APs are not online on an AC yet. Usually, automatic
  upgrade parameters are configured prior to AP access. When going online, APs upgrade
  automatically.
  For APs that are already online on the AC, you can trigger AP restart after configuring
  the automatic upgrade parameters, and the APs upgrade automatically during restart.
  Compared to the automatic upgrade, the in-service upgrade can reduce service
  interruption time.
● In-service upgrade: mainly used when APs are already online on the AC and carry
  WLAN services. For details about the in-service upgrade, see 6.4.4 Performing an
  In-Service Upgrade on APs.
● Scheduled upgrade: mainly used when APs are already online on the AC and carry
  WLAN services. A scheduled upgrade is recommended when the access traffic volume
  on the network is low.
In automatic upgrade mode, an AP checks whether its version is the same as that configured
on the AC, SFTP server, or FTP server during login. If the two versions are different, the AP
upgrades its version, restarts, and goes online again. If the two versions are the same, the AP
does not upgrade its version.
Table 5-7 lists the automatic upgrade modes supported by APs.


Table 5-7 AP automatic upgrade modes

Upgrade Mode | Function | Scenario
-------------|----------|---------
AC mode | An AP downloads the upgrade file from an AC. | This mode applies to the scenario where a small number of APs need to go online.
FTP mode | An AP downloads the upgrade file from an FTP server. | This mode applies to the scenario where high network security is not required in file transmission. In FTP mode, data is transmitted in plain text, bringing potential security risks.
SFTP mode | An AP downloads the upgrade file from an SFTP server. | This mode applies to the scenario demanding high network security. In SFTP mode, data is encrypted, ensuring data integrity and privacy.

NOTE

If multiple APs are upgraded simultaneously in AC mode, the upgrade takes a long time and many AC
resources are consumed. To reduce service interruption caused by AP upgrade, the FTP or SFTP mode is
recommended.
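The CAPWAP defaults listed in 5.9.6 (control-tunnel DTLS disabled, documented default PSKs) and the plain-text FTP upgrade mode in Table 5-7 can be checked together in a saved AC configuration. The following added example (not Huawei code) does that; it assumes the saved configuration shows each command in the form used on this page and stores PSK values as ciphertext, and both sample configurations are constructed.

```python
import re

# Constructed samples, not output from a real device. "<ciphertext>" stands in
# for however the device stores a configured PSK.
WEAK_CONFIG = """\
capwap source interface vlanif 100
capwap dtls psk <ciphertext>
capwap message-integrity check disable
capwap echo interval 10
wlan
 ap update mode ftp-mode
"""

HARDENED_CONFIG = """\
capwap source interface vlanif 100
capwap dtls psk <ciphertext>
capwap dtls control-link encrypt
capwap sensitive-info psk <ciphertext>
capwap message-integrity psk <ciphertext>
wlan
 ap update mode sftp-mode
"""

DEFAULT_ECHO_INTERVAL = 25  # seconds, default stated in 5.9.6


def _has(lines, command):
    """True if a line is exactly `command` or `command` plus arguments."""
    return any(ln == command or ln.startswith(command + " ") for ln in lines)


def _number(lines, command, default):
    """Integer argument of `command`, or the documented default if absent."""
    for ln in lines:
        m = re.fullmatch(re.escape(command) + r"\s+(\d+)", ln)
        if m:
            return int(m.group(1))
    return default


def audit_capwap(config_text, dual_link_backup=False):
    """Return (finding_id, explanation) pairs for weak CAPWAP settings."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    if not _has(lines, "capwap dtls control-link encrypt"):
        findings.append(("dtls-control-off",
                         "control tunnel is not DTLS-encrypted (default is disabled)"))
    elif not _has(lines, "capwap dtls psk"):
        findings.append(("dtls-default-psk",
                         "DTLS is enabled but still uses the documented default PSK"))

    if not _has(lines, "capwap sensitive-info psk"):
        findings.append(("sensitive-default-psk",
                         "sensitive information is encrypted with the default PSK"))

    if _has(lines, "capwap message-integrity check disable"):
        findings.append(("integrity-disabled",
                         "CAPWAP integrity check has been turned off"))
    elif not _has(lines, "capwap message-integrity psk"):
        findings.append(("integrity-default-psk",
                         "integrity check uses the documented default PSK"))

    if _number(lines, "capwap echo interval", DEFAULT_ECHO_INTERVAL) < DEFAULT_ECHO_INTERVAL:
        findings.append(("echo-interval-low",
                         "heartbeat interval below the default degrades link reliability"))

    min_times = 3 if dual_link_backup else 6  # defaults stated in 5.9.6
    if _number(lines, "capwap echo times", min_times) < min_times:
        findings.append(("echo-times-low",
                         "heartbeat count below the default degrades link reliability"))

    if _has(lines, "ap update mode ftp-mode"):
        findings.append(("ftp-upgrade",
                         "AP upgrade files and credentials travel in plain text"))
    return findings


def finding_ids(config_text, dual_link_backup=False):
    """Only the finding identifiers, in the order they were raised."""
    return [fid for fid, _ in audit_capwap(config_text, dual_link_backup)]


if __name__ == "__main__":
    for fid, why in audit_capwap(WEAK_CONFIG):
        print("%-22s %s" % (fid, why))
```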

Prerequisites
The AP version file has been uploaded to the AC, SFTP server, or FTP server.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run the following commands as required.
● AC mode
  Run ap update mode ac-mode
  The AP upgrade mode is set to AC mode.
  By default, the AP upgrade mode is AC mode.
● FTP mode
  a. Run ap update mode ftp-mode
     The AP upgrade mode is set to FTP mode.
     By default, the AP upgrade mode is AC mode.
  b. Run ap update ftp-server ip-address server-ip-address ftp-username ftp-username ftp-password cipher ftp-password
     Basic FTP information is configured.
     By default, no FTP server IP address is configured, the FTP server user name is
     anonymous, and the FTP server password is anonymous@huawei.com.
     It is recommended that you use an external FTP server to upgrade APs. If the AC
     functions as the FTP server, a maximum of five APs can be upgraded
     simultaneously. When the AC functions as an FTP server, the number of APs that
     can be upgraded simultaneously is reduced by the number of VTY users.
     The FTP server user name cannot contain the double quotation marks ("). Ensure
     that the FTP server user name and unencrypted password configured on the AC do
     not contain the preceding characters. Otherwise, FTP upgrade fails.
  c. Run ap update ftp-server max-connect-number max-connect-number
     The maximum number of APs to be upgraded simultaneously is configured.
     By default, a maximum of 50 APs can be upgraded simultaneously in FTP mode.
     An external FTP server can be used, which is recommended. The AC can also
     function as the FTP server.
     ■ When an external FTP server is used, the maximum number of APs that can be
       upgraded simultaneously is the configured max-connect-number.
     ■ If an AC is used as the FTP server, a maximum of five APs can be upgraded
       simultaneously even if the specified number is larger than five.
       When the AC functions as the FTP server, run the ap update ftp-server
       max-connect-number max-connect-number command to set the maximum number
       of APs that can be upgraded simultaneously. The value of max-connect-number
       is an integer ranging from 1 to 5. During the upgrade, a maximum of 1
       to 5 APs can be upgraded at a time until all APs are upgraded.
       If the configured number of APs to be upgraded simultaneously is larger than
       five, an error message will be displayed after the first five APs are upgraded.
       The remaining APs cannot be automatically upgraded. You have to repeat the
       command until all APs are upgraded.
       When the AC functions as an FTP server, the number of APs that can be upgraded
       simultaneously is reduced by the number of VTY users.
l SFTP mode
a. Run ap update mode sftp-mode
The AP upgrade mode is set to SFTP mode.
By default, the AP upgrade mode is AC mode.
b. Run ap update sftp-server ip-address server-ip-address sftp-username
sftp-username sftp-password cipher sftp-password
Basic SFTP information is configured.
By default, no SFTP server IP address is configured, the SFTP server user name is
anonymous, and the SFTP server password is anonymous@huawei.com.
It is recommended that you use an external SFTP server to upgrade APs. If the AC
functions as the SFTP server, a maximum of five APs can be upgraded
simultaneously. When the AC functions as an SFTP server, the number of APs that
can be upgraded simultaneously is reduced by the number of VTY users.
APs do not support the double quotation mark ("). Ensure that the SFTP server user name
and unencrypted password configured on the AC do not contain this character.
Otherwise, the SFTP upgrade fails.
c. Run ap update sftp-server max-connect-number max-connect-number
The maximum number of APs to be upgraded simultaneously is configured.
By default, a maximum of 50 APs can be upgraded simultaneously in SFTP mode.
An external SFTP server can be used, which is recommended. The AC can also
function as the SFTP server.
■ When an external SFTP server is used, the maximum number of APs that can be
upgraded simultaneously is the configured max-connect-number.
■ If an AC is used as the SFTP server, a maximum of five APs can be upgraded
simultaneously even if the specified number is larger than five.
When the AC functions as the SFTP server, run the ap update sftp-server
max-connect-number max-connect-number command to set the maximum
number of APs that can be upgraded simultaneously. The value of
max-connect-number is an integer ranging from 1 to 5. During the upgrade, a
maximum of 1 to 5 APs can be upgraded at a time until all APs are upgraded.
If max-connect-number is set larger than 5, an error message will be displayed
after the first five APs are upgraded. The remaining APs cannot be
automatically upgraded. You have to repeat the command until all APs are
upgraded.
When the AC functions as an SFTP server, the number of APs that can be upgraded
simultaneously is reduced by the number of VTY users.
Step 4 Run ap update update-filename filename ap-type type-id [ ap-group ap-group-name ]
An upgrade file is configured for APs of a specified type.

----End

Verifying the Configuration


• Run the display ap update configuration command to check AP upgrade
configurations.
• Run the display ap-type { all | id type-id | type ap-type } command to check the AP
type.
• Run the display ap version { all | { ap-group ap-group-name | version-name
version-name } * } command to check the AP version.

5.9.8 Adding APs

Context
You can add APs in any of the following modes:
• Importing APs offline: The APs' MAC addresses and serial numbers (SNs) are
configured on an AC before APs go online. The AC starts to set up connections with the
APs if the MAC addresses or SNs of the APs match the configured ones.
• Configuring the AC to automatically discover an AP: The AP authentication mode is set
to no authentication; alternatively, the AP authentication mode is set to MAC or SN
authentication and the AP whitelist is configured on the AC. When an AP in the whitelist
connects to the AC, the AC discovers the AP, and the AP goes online.
• Manually confirming APs added to the list of unauthorized APs: The AP authentication
mode is set to MAC or SN authentication, and the AP whitelist is configured on the AC.
When an AP out of the whitelist connects to the AC, the AC adds the AP to the list of
unauthorized APs. After the AP identity is confirmed, the AP can go online.

When you add an AP in any of the preceding modes, the AP cannot connect to the AC if the
MAC address of the AP is in the AP blacklist.

After you add an AP to an AC offline and configure AP parameters, for example, the AP group
that the AP joins by default, the AP can go online and work with the configured data.
When the AC is configured to automatically discover APs, an AP uses the default parameters
to work after going online.

Adding an AP offline is recommended when the MAC address or SN of the AP is already
known.

The AP blacklist and whitelist can be configured at the same time. However, the MAC
address of an AP cannot be added to the AP blacklist and whitelist at the same time.

If both the AP whitelist and the AP blacklist are configured, whether an AP is in the
blacklist is checked first.

The number of APs managed by an AC is restricted by the following factors:
• License resource items: The total number of common APs and central APs does not
exceed the maximum number of local license resource items on the AC. RUs do not
occupy license resources.
• Maximum number of APs managed by an AC: The total number of central APs,
common APs, and RUs does not exceed the maximum number of APs that the AC can
manage.

Procedure
• Add an AP offline.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the
AP to an AP blacklist.
By default, no AP is in an AP blacklist.
d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
The default AP authentication mode is MAC address authentication.
e. Run the ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac |
ap-sn ap-sn | ap-mac ap-mac ap-sn ap-sn } ] or ap-mac ap-mac [ type-id type-id |
ap-type ap-type ] [ ap-id ap-id ] [ ap-sn ap-sn ] command to import the AP offline and
enter the AP view.
f. Run the ap-name ap-name command to configure the AP name.
By default, no AP name is configured for an AP.
g. Run the ap-group group-name command to add the AP to an AP group.
By default, no AP group is configured.
• Configure the AC to automatically discover an AP.
NOTE
If no AP name or AP group is configured for an automatically discovered AP on the AC, the
configuration file of the AP name or AP group will not be generated in the AP view.
If an AP is deleted from the AC, the configuration in the AP view will be automatically deleted.
– Set the AP authentication mode to no authentication.
i. Run the system-view command to enter the system view.
ii. Run the wlan command to enter the WLAN view.
iii. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add
the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
iv. Run the ap auth-mode no-auth command to set the AP authentication mode
to no authentication.
The default AP authentication mode is MAC address authentication.
NOTE
The non-authentication mode brings security risks. You are advised to set the
authentication mode to MAC address authentication or SN authentication, which is
more secure.
– Set the AP authentication mode to MAC address or SN authentication.
i. Run the system-view command to enter the system view.
ii. Run the wlan command to enter the WLAN view.
iii. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add
the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
iv. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
The default AP authentication mode is MAC address authentication.
v. Configure the AP whitelist.
○ Run the ap whitelist mac ap-mac1 [ to ap-mac2 ] command to add the
AP with the specified MAC address to the whitelist if the AP
authentication mode is set to MAC address authentication.
By default, no MAC address is added to the AP whitelist.
○ Run the ap whitelist sn ap-sn1 [ to ap-sn2 ] command to add the AP with
the specified SN to the whitelist if the AP authentication mode is set to
SN authentication.
By default, no SN is added to the AP whitelist.
• Manually confirm the AP added to the list of unauthorized APs.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the
AP to an AP blacklist.
By default, no AP is in an AP blacklist.
d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
The default AP authentication mode is MAC address authentication.
e. Run the display ap unauthorized record command to check information about
unauthorized APs.
f. Run the ap-confirm { all | mac ap-mac | sn ap-sn } command to confirm the
unauthorized APs. After confirmation, the APs work in normal state.
----End

Verifying the Configuration


• Run the display ap global configuration command to check the AP authentication
mode.
• Run the display ap blacklist command to check the AP blacklist.
• Run the display ap whitelist { mac | sn } command to check the AP whitelist.
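
The admission order described in 5.9.8 (blacklist first, then the authentication mode, then the offline-imported entries or whitelist, then the list of unauthorized APs) can be followed in this simplified Python model. It is an added example, not Huawei's code: the class and function names, MAC addresses and SNs are constructed, and matching an AP against the identifier named by the active authentication mode is an assumption.

```python
"""Simplified model of the AP admission order described in section 5.9.8.
Added illustration, not Huawei's implementation; all names, MAC addresses
and SNs are constructed for this example."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def mac_to_int(mac: str) -> int:
    """Parse xxxx-xxxx-xxxx (or ':' / '.' separated) into a 48-bit integer."""
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


@dataclass
class MacList:
    """Entries of the form 'mac ap-mac1 [ to ap-mac2 ]' as inclusive ranges."""
    ranges: List[Tuple[int, int]] = field(default_factory=list)

    def add(self, first: str, last: Optional[str] = None) -> None:
        low = mac_to_int(first)
        high = mac_to_int(last) if last else low
        if high < low:
            raise ValueError("range end is below range start")
        self.ranges.append((low, high))

    def __contains__(self, mac: str) -> bool:
        value = mac_to_int(mac)
        return any(low <= value <= high for low, high in self.ranges)


@dataclass
class AcPolicy:
    auth_mode: str = "mac-auth"  # page default; also "sn-auth" or "no-auth"
    blacklist: MacList = field(default_factory=MacList)
    whitelist_mac: MacList = field(default_factory=MacList)
    whitelist_sn: Set[str] = field(default_factory=set)
    offline_mac: MacList = field(default_factory=MacList)  # imported offline
    offline_sn: Set[str] = field(default_factory=set)
    unauthorized: List[Tuple[str, str]] = field(default_factory=list)


def admit(policy: AcPolicy, mac: str, sn: str) -> str:
    """Return 'rejected', 'online' or 'unauthorized' for a connecting AP."""
    # The blacklist is checked first and applies to every way of adding APs.
    if mac in policy.blacklist:
        return "rejected"
    # no-auth: every AP that is not blacklisted is discovered and goes online.
    if policy.auth_mode == "no-auth":
        return "online"
    # Assumption: the identifier compared is the one named by the auth mode.
    if policy.auth_mode == "mac-auth":
        known = mac in policy.offline_mac or mac in policy.whitelist_mac
    elif policy.auth_mode == "sn-auth":
        known = sn in policy.offline_sn or sn in policy.whitelist_sn
    else:
        raise ValueError(f"unknown auth mode: {policy.auth_mode!r}")
    if known:
        return "online"
    # Neither imported nor whitelisted: held until an operator confirms it.
    if (mac, sn) not in policy.unauthorized:
        policy.unauthorized.append((mac, sn))
    return "unauthorized"


def confirm(policy: AcPolicy, mac: str) -> bool:
    """Model 'ap-confirm mac ap-mac' for one AP in the unauthorized list."""
    for entry in list(policy.unauthorized):
        if mac_to_int(entry[0]) == mac_to_int(mac):
            policy.unauthorized.remove(entry)
            policy.offline_mac.add(entry[0])
            policy.offline_sn.add(entry[1])
            return True
    return False


def unknown_ap_outcomes() -> Dict[str, str]:
    """The same unlisted AP under each auth mode, with all lists empty."""
    return {mode: admit(AcPolicy(auth_mode=mode), "00e0-fc99-0002", "SN-D")
            for mode in ("no-auth", "mac-auth", "sn-auth")}


def demo() -> List[str]:
    """Constructed scenario exercising each outcome under mac-auth."""
    policy = AcPolicy(auth_mode="mac-auth")
    policy.whitelist_mac.add("00e0-fc12-3401", "00e0-fc12-34ff")
    policy.offline_mac.add("00e0-fc56-0001")
    policy.blacklist.add("00e0-fc56-0001")  # imported offline, then blacklisted
    results = [
        admit(policy, "00e0-fc12-3410", "SN-A"),  # inside the whitelisted range
        admit(policy, "00e0-fc56-0001", "SN-B"),  # blacklist takes precedence
        admit(policy, "00e0-fc99-0001", "SN-C"),  # unknown AP
    ]
    confirm(policy, "00e0-fc99-0001")
    results.append(admit(policy, "00e0-fc99-0001", "SN-C"))  # after confirm
    return results
```

Calling demo() returns the outcome for each constructed AP in order, and unknown_ap_outcomes() shows that only no-auth lets an unlisted AP go online without operator confirmation.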

5.9.9 Checking Whether APs Can Go Online

Context
Before deploying APs onsite, complete network planning operations, for example, configure
the AC and involved NEs, and add APs on the AC. After APs are connected to the network
and powered on, they can automatically upgrade and go online. Users do not need to perform
other configurations on the APs onsite.
You can check whether the APs go online properly on the AC as planned. If the AP status
displays as normal, the APs have gone online properly.

Procedure
• Run the display ap all command to check whether APs go online on an AC.
The command output shows the AP state. For details, see Table 5-8.

Table 5-8 AP state list

AP State: commit-failed
Description: WLAN service configurations fail to be delivered to an AP after the AP goes online on an AC.
Possible Cause: After the AP goes online on the AC, WLAN service configurations are performed for the AP. If the link between the AP and AC is disconnected or the peer end has no response, the AP enters the commit-failed state.
Handling Suggestion: Check the network connection.

AP State: committing
Description: WLAN service configurations are being delivered to an AP after the AP goes online on an AC.
Possible Cause: After the AP goes online on the AC, WLAN service configurations are being delivered to the AP.
Handling Suggestion: This is a normal state, and no action is required.

AP State: config
Description: WLAN service configurations are being delivered to an AP when the AP is going online on an AC.
Possible Cause: After the AP establishes a link with the AC, WLAN service configurations are delivered to the AP. During this process, the AP is in config state.
Handling Suggestion: This is a normal state, and no action is required.

AP State: config-failed
Description: WLAN service configurations fail to be delivered to an AP when the AP is going online on an AC.
Possible Cause: After the AP establishes a link with the AC, WLAN service configurations are delivered to the AP. If the configuration delivery fails due to various reasons (such as link disconnection), the AP enters the config-failed state.
Handling Suggestion: Check the network connection.

AP State: download
Description: An AP is in upgrade state.
Possible Cause: When the AP is performing an upgrade, it enters the download state.
Handling Suggestion: When the AP upgrade is complete, check the AP state.

AP State: fault
Description: An AP fails to go online.
Possible Cause: The AP fails to go online, which is usually caused by the following:
• The AP fails to obtain an IP address or obtains an incorrect IP address.
• The network between the AP and AC is faulty.
• The AP fails to be authenticated.
• The number of APs on an AC has reached the maximum value.
• The AP is faulty.
Handling Suggestion: Handle the AP online failure. For details, see AP Online Failure in the Troubleshooting Insights.

AP State: idle
Description: It is the initialization state of an AP before it establishes a link with the AC for the first time.
Possible Cause: The AP has not established a CAPWAP link with the AC, the MAC address and SN of the AP that is added offline are different from the actual ones, or license resources are insufficient.
Handling Suggestion: Perform the following operations.
Check whether the AP is connected to the network. If the AP connection is normal, go to the next step.
Check whether the MAC address and SN of the AP that is added offline match the actual MAC address and SN of the AP. If not, perform the following operations:
1. Run the display ap all command to obtain AP information.
2. Run the undo ap { ap-name ap-name | ap-id ap-id | ap-mac ap-mac | ap-group group-name | all } command to delete the AP.
3. Run the ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | ap-sn ap-sn | ap-mac ap-mac ap-sn ap-sn } ] or ap-mac ap-mac [ type-id type-id | ap-type ap-type ] [ ap-id ap-id ] [ ap-sn ap-sn ] command to add correct AP information.
If the fault persists, expand the license capacity. Note that RUs managed by the AC do not occupy license resources of the AC.

AP State: name-conflicted
Description: The name of an AP conflicts with that of an existing AP.
Possible Cause: The name of an AP conflicts with the name of another AP that has been online on the same AC.
Handling Suggestion: Run the ap-rename ap-id ap-id new-name ap-new-name command to change the AP name.

AP State: normal
Description: An AP is working properly.
Possible Cause: An AP successfully goes online on an AC.
Handling Suggestion: This is a normal state, and no action is required.

AP State: standby
Description: The AP is in normal state on the standby AC.
Possible Cause: In the HSB, dual-link cold backup, or N+1 backup scenario, if the link between the active and standby ACs is established properly, the AP is in standby state on the standby AC and in normal state on the active AC.
Handling Suggestion: This is a normal state, and no action is required.

AP State: ver-mismatch
Description: The version of an AP does not match that of an AC on which the AP is to go online.
Possible Cause: The versions of the AP and the AC mismatch.
Handling Suggestion: Log in to Huawei technical support website and download the release notes. Based on the version mapping, upgrade the AP or AC to the matching version.
• Enterprise technical support website: http://support.huawei.com/enterprise
• Carrier technical support website: http://support.huawei.com

AP State: countryCode-mismatch
Description: The country code of an AP does not match that of the AC on which the AP is about to go online.
Possible Cause: The current version of the AP does not support the country code configured on the AC.
Handling Suggestion: The AP does not support the country code. Upgrade the AP or change the country code configured on the AC.

AP State: type-mismatch
Description: The AP type does not match that configured on the AC.
Possible Cause: The AP type configured on the AC does not match the actual AP type.
Handling Suggestion: Change the AP type configured on the AC.

AP State: unauth
Description: The AP is not authenticated.
Possible Cause: The AP fails to be authenticated.
Handling Suggestion: Run the ap-confirm command to confirm unauthenticated APs and allow them to go online.

----End

5.10 Configuring the Central AP and RUs to Go Online


Pre-configuration Tasks
Before configuring the central AP and RUs to go online, perform the task of CLI Login
Configuration.

Configuration Procedure
The procedure for configuring the central AP and RUs to go online is similar to that for
configuring the APs to go online. For details, see 5.9 Configuring APs to Go Online. The
differences are as follows:
• The RUs and central AP reside on the same Layer 2 network on an agile distributed
WLAN. The default PVID of the central AP's downlink interfaces is the management
VLAN ID and cannot be changed. That is, the central AP's downlink interfaces join the
management VLAN (mVLAN) by default and cannot be removed from the mVLAN, but
they can be added to other VLANs. The working mode of the interfaces must be set to
middle.
• RUs can go online only after the central AP reports RU information to the AC.
Therefore, the central AP must go online first.
• Each RU can only discover one central AP. After the central AP and RUs go online, the
AC delivers configurations to the central AP, and the central AP delivers configurations
to its connected RUs.

5.10.1 Setting the Working Mode for the Central AP's Wired
Interface

Context
When the central AP is connected to RUs, set the working mode of the central AP's downlink
interfaces to middle.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run the wired-port-profile name profile-name command to create an AP wired port profile
and enter the profile view.
By default, the system provides the AP wired port profile default.
Step 4 Run the mode middle command to set the working mode of the AP's wired interface to
middle.
By default:
• On a common AP: Its GE interfaces work in root mode, Ethernet interfaces in endpoint
mode, and Eth-Trunk interfaces in root mode.
• On a central AP: Its uplink GE interfaces work in root mode and downlink GE interfaces
in middle mode.
• On an R230D: Its Ethernet interface works in root mode.
• On an R240D: Its Ethernet interface works in endpoint mode and GE interface in root
mode.
• On an R250D, R250D-E, AP2050DN, AP2051DN, AP2051DN-E, R251D, R251D-E
and AP2050DN-E: Their uplink GE interfaces work in root mode and downlink GE
interfaces in endpoint mode.
• On an R450D: Its GE interface works in root mode.
After changing the working mode of the central AP's wired interfaces, restart the AP to make
the change effective.
Step 5 Run quit
Return to the WLAN view.
Step 6 Bind the AP wired port profile to the central AP.
1. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
view.
2. Run the wired-port-profile profile-name interface-type interface-number command to
bind the AP wired port profile to the AP.
By default, no AP wired port profile is bound to an AP.

----End

5.11 Configuring STAs to Go Online


Pre-configuration Tasks
Before configuring STAs to go online, perform the task of 5.9 Configuring APs to Go
Online.

Configuration Procedure
5.11.1 Configuring a Radio and 5.11.2 Configuring a VAP can be performed in any
sequence. 5.11.4 Checking the STA Online Result is performed after all configuration tasks
are complete.

5.11.1 Configuring a Radio

5.11.1.1 Configuring Basic Radio Parameters

Context
You need to configure different radio parameters for AP radios based on actual WLAN
environments, enabling the AP radios to work at the optimal performance.

• If working channels of adjacent APs have overlapping frequencies, signal interference
occurs and affects AP working status. To prevent signal interference, enable APs to work
in the optimal status, and improve the WLAN quality, configure any two adjacent APs to
work on non-overlapping channels.
Working channels of radios vary according to countries and regions. To conform to local
laws and regulations, you need to configure different working channels under different
country codes. You can run the display ap configurable channel { ap-name ap-name |
ap-id ap-id } command to check the channels supported by the specified AP.
The channels you configure must be supported by the terminals; otherwise, the terminals
cannot discover wireless signals. For example, when the country code is set to China, 5
GHz channels 36, 40, 44, 48, 52, 56, 60, and 64 can be configured. However, most
terminals do not support these channels currently. If these channels are configured, the
terminals cannot discover wireless signals. In this case, you can configure 5 GHz
channels 149, 153, 157, 161, and 165, which are supported by the terminals.
If an AP detects radar signals on a channel, the channel cannot be configured as the radio
channel of the AP for 30 minutes. However, the channel can be configured as the radio
channel of other APs not detecting radar signals on it.
It is laborious to manually configure working channels of radios, and difficult to
maintain and modify the configuration. To facilitate configuration and maintenance,
configure radio calibration to dynamically adjust working channels of radios. For details,
see 7.7 Configuring Radio Calibration.
• Configure the transmit power and antenna gain for radios according to actual network
environments so that the radios provide sufficient signal strength, improving signal
quality of WLANs.
• In actual application scenarios, two APs may be connected over dozens of meters to
dozens of kilometers. Due to different AP distances, the time to wait for ACK packets
from the peer AP varies. A proper acktimeout value can improve data transmission
efficiency between APs.
You can configure basic radio parameters in the AP group radio view and AP radio view. The
configuration in the AP group radio view takes effect on all specified AP radios in an AP
group and that in the AP radio view takes effect only on a specified AP radio. The
configuration in the AP radio view has a higher priority than that in the AP group radio view.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Enter the radio view.
• Enter the AP group radio view.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
• Enter the AP radio view.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the radio radio-id command to enter the radio view.

Step 4 Run channel { 20mhz | 40mhz-minus | 40mhz-plus | 80mhz | 160mhz } channel or channel
80+80mhz channel1 channel2.

The working bandwidth and channel are configured for a radio.

By default, the working bandwidth of a radio is 20 MHz, and no working channel is
configured for a radio.

To avoid signal interference, ensure that adjacent APs work in non-overlapping channels.

If an AP works in dual-5G mode, the channels of the two 5G radios must be separated by at
least one channel.

For example, a country supports 40 MHz 5G channels 36, 44, 52, and 60. When deploying 5G
radio channels, if one radio is deployed on channel 36, it is recommended that the other radio
be deployed on channel 52 or 60. Channel 44 is not recommended in this case.

The 80 MHz, 160 MHz, and 80+80 MHz working bandwidths are only supported in the 5G
radio view.

802.11ac APs support the 80 MHz configuration, whereas four-spatial-stream 802.11ac APs
allow for the 160 MHz or 80+80 MHz configuration.

Step 5 Run antenna-gain antenna-gain

The antenna gain is configured for the radio.

By default, no antenna gain is configured for AP radios.

The antenna gain is the ratio of the power density produced by an antenna to the power
density that would be obtained at the same point if the power accepted by the antenna were
radiated equally. It measures the capability of an antenna to receive and send signals in a
specified direction and is one of the most important parameters for selecting a BTS antenna.
Under the same conditions, the higher the antenna gain, the farther the wave travels.

The antenna gain of an AP radio configured using the command must be consistent with the
gain of the antenna connected to the AP.

The maximum antenna gain should comply with laws and regulations of the corresponding
country. For details, see the Country Code & Channel Compliance Table. You can obtain this
table at Huawei technical support website.

• Enterprise technical support website: http://support.huawei.com/enterprise
• Carrier technical support website: http://support.huawei.com

Step 6 Run eirp eirp

The transmit power is configured for the radio.

By default, the transmit power of a radio is 127 dBm. The transmit power that takes effect on
APs is related to the AP type, country code, channel, and channel bandwidth. It is the
maximum transmit power supported by the AP radio under the current configuration. Run the
display radio { ap-name ap-name | ap-id ap-id } command to check the maximum value.

You can configure the transmit power for a radio based on actual network environments,
enabling radios to provide the required signal strength and improving signal quality on
WLANs.

Step 7 Run coverage distance distance


The radio coverage distance parameter is specified.
By default, the radio coverage distance parameter is 3 (unit: 100 m) for all radios.
You can configure the radio coverage distance parameter based on distances between APs and
the APs automatically adjust the values of slottime, acktimeout, and ctstimeout based on the
configured distance parameter to improve data transmission efficiency.
Step 8 Run frequency { 2.4g | 5g }
The working frequency of radios is configured.
By default, radio 0 works on the 2.4 GHz frequency band, and radio 2 works on the 5 GHz
frequency band.
On APs supporting radio switching between the 2.4 GHz and 5 GHz frequency bands, some
radios support both bands. However, such radios can work on only one band at a time. You
can configure the working frequency band of the AP based on the frequency band of STAs.
If an AP works in dual-5G mode, the channels of the two 5G radios must be separated by at
least one channel.
For example, a country supports 40 MHz 5G channels 36, 44, 52, and 60. When deploying 5G
radio channels, if one radio is deployed on channel 36, it is recommended that the other radio
be deployed on channel 52 or 60. Channel 44 is not recommended in this case.
Step 9 (Optional) Run undo radio disable
The radio is enabled.
By default, all AP radios are enabled.
A radio can work only after you enable it.

----End

5.11.1.2 Creating a Radio Profile

Context
Basic radio parameters are directly configured on radio interfaces, while other radio
parameters are configured in a radio profile. The radio profile is classified into the 2G and 5G
radio profiles. The configurations in the 2G and 5G radio profiles take effect on 2.4 GHz and
5 GHz radios, respectively. The commands in the 2G radio profile are used to configure 2.4
GHz radio parameters while those in the 5G radio profile are used to configure 5 GHz radio
parameters. 5.11.1.4 (Optional) Adjusting Radio Parameters describes different commands
used for the 2G and 5G radio profiles. Unless otherwise specified, the other commands are
applicable to both the 2G and 5G radio profiles.
The 2.4 GHz radio supports the 802.11bgn radio mode, and the 5 GHz radio supports the
802.11an and 802.11ac radio modes. Currently, 802.11ac is supported only by the 5 GHz radio
of the AP2030DN, AP7030DE, AP9330DN, AP8130DN-W, AD9430DN-12 (including the
mapping RUs), AD9430DN-24 (including the mapping RUs), AD9431DN-24X (including
the mapping RUs), AP3010DN-V2, AP4030DN, AP4030TN, AP4130DN, AP5030DN,
AP5130DN, AP8030DN, AP8130DN, AP9131DN, AP9132DN, AP1050DN-S, AP2050DN,
AP2050DN-E, AP2051DN, AP2051DN-E, AP4050DN, AP4050DN-E, AP4050DN-HD,
AP4050DN-S, AP4051DN, AP4051TN, AP4151DN, AP6050DN, AP6052DN, AP6150DN,
AP7050DN-E, AP7050DE, AP7052DN, AP7052DE, AP7152DN, AP8050DN, AP8050DN-S,
AP8050TN-HD, AP8150DN, AP8082DN, and AP8182DN. When connecting to a wireless
network, STAs automatically negotiate the radio mode with their connected APs.
By default, the system provides the 2G radio profile default and 5G radio profile default, and
the two radio profiles are bound to all AP groups. Using the default radio profiles can
simplify user operations. However, in actual scenarios, you are advised to create different
radio profiles and configure parameters in the profiles according to service requirements.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
A 2G or 5G radio profile is created and the radio profile view is displayed.
By default, the system provides the 2G radio profile default and 5G radio profile default.

----End

5.11.1.3 (Optional) Configuring Smooth Channel Switching

Context
When a STA associated with an AP detects a channel switching on the AP, the STA needs to
reassociate with the AP on the new channel. During this process, services of the STA are
interrupted, degrading Internet experience of users. After smooth channel switching is
configured, when the AP channel needs to be switched, the AP requests STAs to switch the
channel after a fixed number of Beacon intervals so that the STAs and AP switch the channel
simultaneously. Smooth channel switching can prevent STA reassociations and ensure rapid
service recovery to improve Internet experience of users.
The channel switching announcement function must be supported by both the AP and STA.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
The 2G or 5G radio profile view is displayed.
Step 4 Run undo channel-switch announcement disable

The channel switch announcement function is enabled.


By default, an AP sends an announcement when the channel is switched.
Step 5 Run channel-switch mode continue-transmitting
The channel switch announcement mode is set to continue-transmitting.
By default, data transmission from STAs continues on the current channel when the channel is
switched.

----End

5.11.1.4 (Optional) Adjusting Radio Parameters

Context
You can adjust and optimize radio parameters to adapt to different network environments,
enabling APs to provide required radio capabilities and improving signal quality of WLANs.
After parameters in a radio profile are delivered to an AP, only the parameters supported by
the AP can take effect.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
The 2G or 5G radio profile view is displayed.
Step 4 Adjust radio parameters:
Procedure Command Description

Procedure: Configure the radio type
Command:
radio-type { dot11b | dot11g | dot11n }
By default, the radio type in a 2G radio profile is dot11n.
radio-type { dot11a | dot11ac | dot11n }
By default, the radio type in a 5G radio profile is dot11ac.
Description:
Usually, the default radio type is used and does not need to be modified. If the default radio
mode cannot meet requirements or a fault needs to be located, configure the radio type as
required.
• The radio-type { dot11b | dot11g | dot11n } command can only be configured in a 2G radio
  profile.
• The radio-type { dot11a | dot11ac | dot11n } command can only be configured in a 5G radio
  profile.


Procedure: Configure the radio rate
Command:
dot11a basic-rate { dot11a-rate-value &<1-8> | all }
By default, a basic rate set of the 802.11a protocol in a 5G radio profile includes rates
6 Mbps, 12 Mbps, and 24 Mbps.
dot11bg basic-rate { dot11bg-rate-value &<1-12> | all }
By default, the basic rate set of the 802.11bg protocol includes rates 1 Mbps and 2 Mbps in a
2G radio profile.
Description:
All rates specified in the basic rate set must be supported by both the AP and STA; otherwise,
the STA cannot associate with the AP.
• The dot11a basic-rate { dot11a-rate-value &<1-8> | all } command can only be configured in
  a 5G radio profile.
• The dot11bg basic-rate { dot11bg-rate-value &<1-12> | all } command can only be configured
  in a 2G radio profile.

Procedure: Configure the radio rate (continued)
Command:
dot11a supported-rate { dot11a-rate-value &<1-8> | all }
By default, the supported rate set of the 802.11a protocol in a 5G radio profile includes rates
6 Mbps, 9 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, and 54 Mbps.
dot11bg supported-rate { dot11bg-rate-value &<1-12> | all }
By default, the supported rate set of the 802.11bg protocol in a 2G radio profile includes rates
1 Mbps, 2 Mbps, 5.5 Mbps, 6 Mbps, 9 Mbps, 11 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps,
48 Mbps, and 54 Mbps.
Description:
The supported rate set contains rates supported by the AP, except the basic rates. The AP and
STA can transmit data at all rates specified by the supported rate set.
• The dot11a supported-rate { dot11a-rate-value &<1-8> | all } command can only be configured
  in a 5G radio profile.
• The dot11bg supported-rate { dot11bg-rate-value &<1-12> | all } command can only be
  configured in a 2G radio profile.

Procedure: Configure the radio rate (continued)
Command:
vht mcs-map nss nss-value max-mcs max-mcs-value
By default, the maximum MCS value of the 802.11ac radios is 9 in the 5G radio profile.
Description:
Rates of 802.11ac radios depend on the index value of Modulation and Coding Scheme (MCS). A
larger MCS value indicates a higher transmission rate.
The MCS value can only be configured in a 5G radio profile.


Procedure: Configure the radio multicast rate
Command:
multicast-rate multicast-rate
By default, the multicast rate of wireless packets is not configured in a radio profile. That
is, the multicast rate is set to auto-sensing.
Description:
The configured multicast rate must be in the basic rate set or supported rate set, and supported
by the STA; otherwise, the STA cannot receive multicast data.
The values of multicast-rate differ in 2G and 5G radio profiles. For details, see descriptions
of multicast-rate multicast-rate.

Procedure: Configure the interval at which an AP sends Beacon frames
Command:
beacon-interval beacon-interval
By default, the interval for sending Beacon frames is 100 TUs.
Description:
An AP broadcasts Beacon frames at intervals to notify STAs of an existing 802.11 network. After
receiving a Beacon frame, a STA can modify parameters used to connect to the 802.11 network.
A long interval for sending Beacon frames lengthens the dormancy time of STAs, while a short
interval for sending Beacon frames increases air interface costs. Therefore, you are advised to
set the interval for sending Beacon frames for an AP based on the VAP quantity. The following
intervals for sending Beacon frames are recommended for APs with different VAP quantities on a
single radio:
• No more than 4 VAPs: about 100 TUs
• 5 to 8 VAPs: about 200 TUs
• 9 to 12 VAPs: about 300 TUs
• 13 to 16 VAPs: about 400 TUs


Procedure: Configure an AP to support the short preamble
Command:
undo short-preamble disable
By default, a radio profile supports the short preamble.
Description:
The preamble is a section of bits in the header of a data frame. It synchronizes signals
transmitted between the sender and receiver and can be a short or long preamble.
• A short preamble ensures better network synchronization performance and is recommended.
• A long preamble is usually used for compatibility with earlier network adapters of clients.

Procedure: Configure the packet fragmentation threshold
Command:
fragmentation-threshold fragmentation-threshold
By default, the packet fragmentation threshold is 2346 bytes.
Description:
If an 802.11 MAC frame exceeds the packet fragmentation threshold, the frame needs to be
fragmented.
• When the packet fragmentation threshold is too small, packets are fragmented into smaller
  frames. These frames are transmitted at a high extra cost, resulting in low channel
  efficiency.
• When the packet fragmentation threshold is too large, long packets are not fragmented,
  increasing the transmission time and error probability. If an error occurs, packets are
  retransmitted. This wastes the channel bandwidth.


Procedure: Enable beamforming
Command:
beamforming enable
By default, Beamforming is disabled.
Description:
Beamforming can enhance signals at a particular angle (for target users), attenuate signals at
another angle (for non-target users or obstacles), and extend the radio coverage area.
If nodes on the WDS or Mesh network are fixed and distant from each other, enable Beamforming
to increase WDS or Mesh link SNR. Mobile nodes may cause low link SNR in WDS or Mesh
scenarios. To prevent this problem, disable Beamforming.

Procedure: Configure the RTS mechanism / Configure the RTS-CTS operation mode
Command:
rts-cts-mode { cts-to-self | disable | rts-cts }
By default, the RTS-CTS operation mode is rts-cts.
Description:
The RTS/CTS handshake mechanism prevents data transmission failures caused by channel
conflicts. If STAs perform RTS/CTS handshakes before sending data, RTS frames consume high
channel bandwidth. The default RTS-CTS operation mode is recommended.
• If the RTS/CTS handshake mechanism is not used, there may be hidden STAs. If base stations A
  and C simultaneously send information to base station B because base station C does not know
  that base station A is sending information to base station B, signal conflict occurs. As a
  result, signals fail to be sent to base station B.
• The RTS/CTS handshake mechanism reduces the transmission rate and even causes the network
  delay.


Procedure: Configure the RTS mechanism / Configure an RTS-CTS threshold in a radio profile
Command:
rts-cts-threshold rts-cts-threshold
The default RTS-CTS alarm threshold is 1400 bytes.
Description:
If STAs perform RTS/CTS handshakes before sending data, many RTS frames consume high channel
bandwidth. To prevent this problem, set the RTS threshold and maximum number of retransmission
attempts for long/short frames. The RTS threshold specifies the length of frames to be sent.
When the length of frames to be sent by a STA is smaller than the RTS threshold, no RTS/CTS
handshake is performed. The default RTS threshold is recommended.
This configuration is applicable only when the RTS-CTS operation mode is rts-cts.

Procedure: Configure 802.11n parameters / Enable the MAC Protocol Data Unit (MPDU) aggregation
function.
Command:
undo ht a-mpdu disable
By default, aggregation of MPDUs is enabled.

Procedure: Configure 802.11n parameters / Configure the maximum length of an A-MPDU
Command:
ht a-mpdu max-length-exponent max-length-exponent-index
By default, the index for the maximum length of an A-MPDU is 3. The maximum length of the
A-MPDU is 65535 bytes.

Description (applies to both 802.11n rows):
An 802.11 packet is sent as an MPDU, requiring channel competition and backoff and consuming
channel resources. The 802.11n MPDU aggregation function aggregates multiple MPDUs into an
aggregate MAC Protocol Data Unit (A-MPDU), so that N MPDUs can be transmitted through one
channel competition and backoff. This function saves the channel resources to be consumed for
sending N-1 MPDUs. The MPDU aggregation function improves channel efficiency and 802.11
network performance.
Before configuring the length of an A-MPDU, run the undo ht a-mpdu disable command to enable
the MPDU aggregation function.


Procedure: Configure 802.11ac parameters / Configure the maximum length of an A-MPDU
Command:
vht a-mpdu max-length-exponent max-length-exponent-index
By default, the index for the maximum length of an A-MPDU is 7. The maximum length of the
A-MPDU is 1048575 bytes.
Description:
An 802.11 packet is sent as an MPDU, requiring channel competition and backoff and consuming
channel resources. The 802.11ac MPDU aggregation function aggregates multiple MPDUs into an
aggregate MAC Protocol Data Unit (A-MPDU), so that multiple MPDUs can be transmitted through
one channel competition and backoff. This function saves the channel resources to be consumed
for sending multiple MPDUs. The MPDU aggregation function improves channel efficiency and
802.11 network performance.
The length of an A-MPDU can only be configured in a 5G radio profile.

Procedure: Configure 802.11ac parameters / Enable the function of sending 802.11ac packets in
A-MSDU mode
Command:
vht a-msdu enable
By default, the function of sending 802.11 frames in A-MSDU mode is disabled.
Description:
The function of sending 802.11 frames in A-MSDU mode can reduce MAC layer costs of the 802.11
packets and improve packet transmission efficiency especially when short MSDUs are aggregated.
The function can only be configured in a 5G radio profile.

Procedure: Configure 802.11ac parameters / Configure the maximum number of subframes that can
be aggregated into an A-MSDU
Command:
vht a-msdu max-frame-num max-frame-number
By default, a maximum of two subframes can be aggregated into an A-MSDU at one time.
Description:
A-MSDU technology aggregates multiple MSDUs into an MPDU to reduce the MAC layer cost of
802.11 packets.
Before configuring the maximum number of subframes that can be aggregated into an A-MSDU, run
the vht a-msdu enable command to enable the function of sending 802.11 packets in A-MSDU mode.
The configuration can only be performed in a 5G radio profile.


Procedure: Configure the guard interval (GI) mode
Command:
guard-interval-mode { short | normal }
By default, the GI mode is short.
Description:
The GI mode is classified into the short GI and normal GI. The normal GI is 800 ns, and the
short GI is 400 ns. The short GI is applicable to 802.11n and 802.11ac standards, which can
raise the transmission rate of 802.11n and 802.11ac packets.

Procedure: Enable the scheduled VAP auto-off function
Command:
auto-off service start-time start-time end-time end-time
By default, the scheduled VAP auto-off function is disabled.
Description:
In actual WLAN applications, the network administrator wants to disable WLAN services in a
specified period, ensuring security and reducing power consumption. You can disable the VAP as
scheduled.
This configuration is applicable to enterprises that want to disable WLAN services in a
specified period for security or at midnight when the user service traffic volume is low.
• The scheduled VAP auto-off function enabled in a radio profile takes effect only on the APs
  using the profile.
• The scheduled VAP auto-off function enabled in a VAP profile view takes effect only on the
  APs using the profile. For details on how to configure the scheduled VAP auto-off function in
  a VAP profile view, see 5.11.2.5 (Optional) Configuring the Scheduled VAP Auto-Off Function.


Procedure: Disable radios from sending packets at maximum power
Command:
utmost-power
By default, radios are enabled to send packets in adaptive mode.
Description:
This command is valid for all country codes. You can run the utmost-power enable command to
enable radios to send packets at the maximum power or run the utmost-power disable command to
enable radios to send packets at the power specified by the country code. After you run the
undo utmost-power command to restore the adaptive mode, radios send packets at the maximum
power if the country code is CN or at the power specified by other country codes.

Procedure: Enable self-adaptive polarization for agile antennas
Command:
agile-antenna-polarization enable
By default, self-adaptive polarization is disabled for agile antennas.
NOTE
Only the AP8130DN and AP8130DN-W support this function.
Description:
Self-adaptive polarization for agile antennas can reduce interference between transmit signals
of antennas, and increase the transmit power of antennas and the demodulation SNR of STAs.
When an AP8130DN or AP8130DN-W is deployed to provide wireless coverage, you can enable this
function when the following types of STA exist:
• STA with one transmit antenna and one receive antenna in 1x1 mode
• STA with two transmit antennas and two receive antennas in 2x2 mode
After this function is enabled, the AP uses two mutually orthogonal antennas to communicate
with STAs but not a third antenna.
Prerequisites
Dual-polarized antennas have been connected to radio ports A and B on the same frequency band.

----End


5.11.1.5 Binding a Radio Profile

Context
After the configuration in a radio profile is complete, you need to bind the radio profile to an
AP group, AP, AP radio, or AP group radio. After being delivered to APs, the configuration in
a radio profile can take effect on the APs.
After a radio profile is applied to an AP group or AP, the parameter settings in the profile take
effect on all radios of the AP group or AP. After a radio profile is applied in the AP group
radio or AP radio view, the parameter settings in the profile take effect on the specified AP
radio or radios in the AP group. The configuration under an AP and AP radio has a higher
priority than that under an AP group and AP group radio. The 2G and 5G radio profiles take
effect on 2G and 5G radios, respectively.

Procedure
• Bind a radio profile to an AP group.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Run the ap-group name group-name command to enter the AP group view.
  d. Run the radio-2g-profile profile-name { radio { radio-id | all } } or
     radio-5g-profile profile-name { radio { id | all } } command to bind the radio profile to
     the radio.
     By default, the 2G radio profile default and 5G radio profile default are bound to
     an AP group.
• Bind a radio profile to an AP.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  d. Run the radio-2g-profile profile-name { radio { radio-id | all } } or
     radio-5g-profile profile-name { radio { id | all } } command to bind the radio profile to
     the radio.
     By default, no 2G radio profile or 5G radio profile is bound to an AP.
• Apply a radio profile in the AP group radio view.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Run the ap-group name group-name command to enter the AP group view.
  d. Run the radio radio-id command to enter the radio view.
  e. Run the radio-2g-profile profile-name or radio-5g-profile profile-name command
     to bind the radio profile to the radio.
     By default, the 2G radio profile default and 5G radio profile default are bound to
     an AP group radio.
• Apply a radio profile in the AP radio view.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  d. Run the radio radio-id command to enter the radio view.
  e. Run the radio-2g-profile profile-name or radio-5g-profile profile-name command
     to bind the radio profile to the radio.
     By default, no 2G radio profile or 5G radio profile is bound to an AP radio.
----End

5.11.1.6 Verifying the Radio Configuration

Prerequisites
The radio profile configuration is complete.

Procedure
• Run the display radio-2g-profile { all | name profile-name } command to check
  configuration and reference information about a 2G radio profile.
• Run the display radio-5g-profile { all | name profile-name } command to check
  configuration and reference information about a 5G radio profile.
• Run the display references radio-2g-profile name profile-name command to check
  reference information about a 2G radio profile.
• Run the display references radio-5g-profile name profile-name command to check
  reference information about a 5G radio profile.
• Run the display ap configurable channel { ap-name ap-name | ap-id ap-id } [ radio-id
  radio-id ] command to check configurable channels supported by an AP.
• Run the display ap config-info { ap-name ap-name | ap-id ap-id } command to check
  the AP configuration.
----End

5.11.2 Configuring a VAP

5.11.2.1 Creating a VAP Profile

Context
After you create a VAP profile, configure parameters in the profile. After the profile is applied
in the AP group view, AP view, AP radio view, or AP group radio view, VAPs are generated
and can provide wireless access services for STAs. You can configure different parameters in
the VAP profile to enable APs to provide different wireless services.

Procedure
Step 1 Run system-view

The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
A VAP profile is created, and the VAP profile view is displayed.
By default, the system provides the VAP profile default.

----End

5.11.2.2 Configuring a Data Forwarding Mode

Context
Data on a WLAN involves control packets (management packets) and data packets. Control
packets are forwarded through CAPWAP control tunnels. Data packets are forwarded in
tunnel forwarding (centralized forwarding) or direct forwarding (local forwarding) mode
according to whether data packets are forwarded through CAPWAP data tunnels.
Table 5-9 compares tunnel forwarding and direct forwarding.

Table 5-9 Comparison of tunnel forwarding and direct forwarding


Data forwarding mode: Tunnel forwarding
Advantage: An AC forwards data packets in a centralized manner, ensuring security and
facilitating centralized management and control. New devices are easy to deploy and configure,
with small changes to the current network.
Disadvantage: Service data must be forwarded by an AC, reducing packet forwarding efficiency
and burdening the AC.

Data forwarding mode: Direct forwarding
Advantage: Service data packets do not need to be forwarded by an AC, improving packet
forwarding efficiency and reducing the burden on the AC.
Disadvantage: Service data packets cannot be centrally managed or controlled. New device
deployment causes large changes to the existing network.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.

Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Run forward-mode { direct-forward | tunnel }
A data forwarding mode is configured in a VAP profile.
By default, the forwarding mode is direct-forward in the VAP profile.

----End

5.11.2.3 Configuring Service VLANs

Context
Layer 2 data packets delivered from a VAP to an AP carry the service VLAN IDs.
Since WLANs provide flexible access modes, STAs may connect to the same WLAN at the
office entrance or stadium entrance, and then roam to different APs.
• If a single VLAN is configured as the service VLAN, IP address resources may become
  insufficient in areas where many STAs access the WLAN, and IP addresses in the other
  areas are wasted.
• After a VLAN pool is created, add multiple VLANs to the VLAN pool and configure the
  VLANs as service VLANs. In this way, an SSID can use multiple service VLANs to
  provide wireless access services. STAs are dynamically assigned to VLANs in the
  VLAN pool, which reduces the number of STAs in each VLAN and also the size of the
  broadcast domain. Additionally, IP addresses are evenly allocated, preventing IP address
  waste.
  VLAN assignment algorithms include even and hash.
  – When the VLAN assignment algorithm is set to even, service VLANs are assigned
    to STAs from the VLAN pool based on the order in which STAs go online. Address
    pools mapping the service VLANs evenly assign IP addresses to STAs. If a STA
    goes online many times, it obtains different IP addresses.
  – When the VLAN assignment algorithm is set to hash, VLANs are assigned to STAs
    from the VLAN pool based on the hash result of their MAC addresses. As long as
    the VLANs in the VLAN pool do not change, the STAs obtain fixed service
    VLANs. A STA is preferentially assigned the same IP address when going online at
    different times.
Note the following when adding service VLANs to the VLAN pool:
• After a VLAN pool is configured to provide service VLANs, VLANs in the VLAN pool
  cannot be deleted. To delete the VLAN pool, cancel the service VLAN configuration of
  the VLAN pool.
• In scenarios where a dual-stack address pool is configured, a STA successfully obtains
  an IP address if the VLAN pool has assigned an IPv4 or IPv6 address to it. In this case,
  the VLAN pool will not assign a new VLAN to the STA.

Procedure
Step 1 Run system-view
The system view is displayed.

Step 2 Configure a VLAN pool.
This step is required when VLANs in a VLAN pool are used as service VLANs.
1. Run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in a
batch.
2. Run the vlan pool pool-name command to create a VLAN pool and enter the VLAN
pool view.
By default, no VLAN pool is created on a device.
3. Run the vlan { start-vlan [ to end-vlan ] } &<1-10> command to add VLANs to the
VLAN pool.
By default, no VLAN is available in a VLAN pool.
4. (Optional) Run the assignment { even | hash } command to configure a VLAN
assignment algorithm in the VLAN pool.
By default, the VLAN assignment algorithm is hash in a VLAN pool.
The VLAN assignment algorithm configuration affects only newly connected STAs, but
not those that have been connected to the network.
5. Run the quit command to return to the system view.
Step 3 Run wlan
The WLAN view is displayed.
Step 4 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 5 Run service-vlan { vlan-id vlan-id | vlan-pool pool-name }
A service VLAN is configured for a VAP.
By default, VLAN 1 is the service VLAN of a VAP.

----End
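
The difference between the even and hash assignment algorithms described in the Context of this section can be seen in a small model. This is an added example, not Huawei code: round-robin for even and SHA-256 of the MAC address for hash are assumptions standing in for the device's undocumented internals, and the VLAN IDs and MAC addresses are constructed.

```python
import hashlib
from collections import Counter

# Constructed sample data: service VLANs in the pool and STA MAC addresses.
POOL_VLANS = [101, 102, 103]
SAMPLE_MACS = [f"00e0-fc12-34{i:02x}" for i in range(12)]


def _mac_bytes(mac):
    """Normalise xxxx-xxxx-xxxx or xx:xx:xx:xx:xx:xx notation to 6 raw bytes."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


class VlanPool:
    """Model of a VLAN pool with the two assignment algorithms named in the guide."""

    def __init__(self, vlans, algorithm="hash"):  # hash is the documented default
        if algorithm not in ("even", "hash"):
            raise ValueError("algorithm must be 'even' or 'hash'")
        if not vlans:
            raise ValueError("a VLAN pool needs at least one VLAN")
        self.vlans = list(vlans)
        self.algorithm = algorithm
        self._online_events = 0  # how many STAs have gone online so far

    def assign(self, mac):
        """Return the service VLAN handed to a STA that is going online."""
        key = _mac_bytes(mac)
        if self.algorithm == "even":
            # ASSUMPTION: "order in which STAs go online" is modelled as round-robin.
            index = self._online_events % len(self.vlans)
        else:
            # ASSUMPTION: SHA-256 stands in for the device's undocumented hash.
            index = int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % len(self.vlans)
        self._online_events += 1
        return self.vlans[index]


def simulate(algorithm, macs, vlans=POOL_VLANS):
    """Bring each MAC online once, in the given order; return {mac: vlan}."""
    pool = VlanPool(vlans, algorithm)
    return {mac: pool.assign(mac) for mac in macs}


def moved_stations(algorithm, macs, vlans=POOL_VLANS):
    """STAs whose VLAN changes when the same STAs come online in reverse order."""
    first = simulate(algorithm, macs, vlans)
    second = simulate(algorithm, list(reversed(macs)), vlans)
    return sorted(mac for mac in macs if first[mac] != second[mac])


def load(assignments):
    """STAs per VLAN, i.e. the size of each broadcast domain."""
    return dict(Counter(assignments.values()))


if __name__ == "__main__":
    for algo in ("even", "hash"):
        print(algo, "load per VLAN:", load(simulate(algo, SAMPLE_MACS)))
        print(algo, "STAs that changed VLAN after rejoining in another order:",
              len(moved_stations(algo, SAMPLE_MACS)))
```

With the constructed input, even places four STAs in each VLAN but moves eight of the twelve STAs to a different VLAN when they rejoin in reverse order, while hash moves none as long as the pool is unchanged.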

5.11.2.4 (Optional) Configuring the VAP Type

Context
Configure the VAP type based on the site requirements. Different VAP types are used
depending on scenarios as follows:
• If the type of a VAP is set to service, STAs connected to the VAP can only access
  network resources but not APs. Service VAPs are used in regular WLAN deployment
  scenarios.
• If the type of a VAP is set to ap-management, STAs connected to the VAP can only
  access APs but not network resources. AP management VAPs are used in STA access
  and AP management scenarios.
• If the type of a VAP is set to service-backup ap-offline, STAs can access the network
  through the backup service VAP after the AP goes offline. For example, on a
  headquarters-branch network, when APs at branches connect to the AC at the
  headquarters through a WAN, APs may go offline due to the WAN instability. You can
  configure a backup service VAP to allow new STAs to access the network if the AP goes
  offline.
• If the type of a VAP is set to service-backup auth-server-down, the VAP is
  automatically enabled to allow network access of associated STAs when the
  authentication server is not accessible. When the authentication server recovers, this
  VAP is not automatically disabled. You can manually disable it if needed. If the
  authentication server is accessible but rejects user access, this VAP is not automatically
  enabled. You can manually enable it if needed. To enable or disable this VAP, run the
  vap-service-backup auth-server-down command.

When configuring VAP types, pay attention to the following points:


• After the VAP type is configured in the VAP profile view, the VAPs generated by the
  VAP profile use the configured VAP type. The new VAP type will overwrite the old one.
• For an AP management VAP:
  – Portal, MAC address, and 802.1X authentication using an external server are not
    supported.
  – After the type of a VAP is set to ap-management, a STA can connect to the AP
    only when the IP address 169.254.2.x/24 (except 169.254.2.1; 169.254.2.100 is
    recommended) is configured for the STA.
  – The VAP profile in which the VAP type is set to ap-management can be applied
    only to one radio of an AP.
• For an AP-offline backup service VAP:
  – Only the open system, WEP, WPA+PSK, WPA2+PSK, and WPA-WPA2+PSK
    authentication modes are supported.
  – Service data can be forwarded only in direct mode.
  – When the number of configured AP-offline backup service VAPs reaches the
    maximum on the AP, if the offline management VAP function is enabled, the offline
    management VAP does not take effect when the AP goes offline.
• For an authentication-server-down backup service VAP:
  – Only the open system, WEP, WPA+PSK, WPA2+PSK, and WPA-WPA2+PSK
    authentication modes are supported.
  – This VAP type is exclusive with the AP management VAP and AP-offline backup
    service VAP.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run vap-profile name profile-name

The VAP profile view is displayed.

Step 4 Run type { ap-management | service | service-backup ap-offline }

The VAP type is configured.

By default, the type of a VAP is service.

----End
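
The VAP-type restrictions listed in the Context of this section can be checked before a profile is applied. The following is an added example, not Huawei code: the VapProfile model, its field names, the lower-case authentication-mode labels, and the sample profiles are hypothetical, and the exclusivity rule for the authentication-server-down VAP is not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Authentication modes the guide lists for both kinds of backup service VAP
# (labels are this example's own spelling of those modes).
BACKUP_AUTH_MODES = {"open", "wep", "wpa-psk", "wpa2-psk", "wpa-wpa2-psk"}


@dataclass
class VapProfile:
    """Hypothetical in-memory model of a VAP profile; field names are not CLI syntax."""
    name: str
    vap_type: str = "service"              # documented default type
    forward_mode: str = "direct-forward"   # documented default forwarding mode
    auth_mode: str = "open"
    external_server_auth: bool = False     # Portal, MAC or 802.1X via an external server
    bindings: list = field(default_factory=list)  # (ap_name, radio_id) pairs


def check_profile(profile):
    """Return the documented VAP-type constraints that this profile violates."""
    findings = []
    vap_type = profile.vap_type
    if vap_type == "ap-management":
        if profile.external_server_auth:
            findings.append("ap-management VAP: external-server Portal/MAC/802.1X "
                            "authentication is not supported")
        radios_per_ap = defaultdict(set)
        for ap_name, radio_id in profile.bindings:
            radios_per_ap[ap_name].add(radio_id)
        for ap_name, radios in sorted(radios_per_ap.items()):
            if len(radios) > 1:
                findings.append(f"ap-management VAP: bound to {len(radios)} radios of "
                                f"{ap_name}, only one radio per AP is allowed")
    elif vap_type in ("service-backup ap-offline", "service-backup auth-server-down"):
        if profile.auth_mode not in BACKUP_AUTH_MODES:
            findings.append(f"{vap_type} VAP: authentication mode {profile.auth_mode!r} "
                            "is not in the supported list")
        if vap_type == "service-backup ap-offline" and profile.forward_mode != "direct-forward":
            findings.append("service-backup ap-offline VAP: service data can be "
                            "forwarded only in direct mode")
    elif vap_type != "service":
        findings.append(f"unknown VAP type {vap_type!r}")
    return findings


def audit(profiles):
    """Map profile name -> findings, listing only profiles that have findings."""
    report = {}
    for profile in profiles:
        findings = check_profile(profile)
        if findings:
            report[profile.name] = findings
    return report


# Constructed sample deployment (profile and AP names are made up).
SAMPLE_PROFILES = [
    VapProfile("corp", forward_mode="tunnel", auth_mode="wpa2-dot1x",
               external_server_auth=True, bindings=[("ap-1", 0), ("ap-1", 1)]),
    VapProfile("mgmt", vap_type="ap-management", external_server_auth=True,
               bindings=[("ap-1", 0), ("ap-1", 1), ("ap-2", 0)]),
    VapProfile("branch-backup", vap_type="service-backup ap-offline",
               forward_mode="tunnel", auth_mode="wpa2-dot1x"),
    VapProfile("fallback", vap_type="service-backup auth-server-down",
               auth_mode="wpa2-psk"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PROFILES).items():
        for finding in findings:
            print(f"{name}: {finding}")
```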

5.11.2.5 (Optional) Configuring the Scheduled VAP Auto-Off Function

Context
In actual WLAN applications, the network administrator wants to disable WLAN services in a
specified period, ensuring security and reducing power consumption. You can disable the
VAP as scheduled.
This configuration is applicable to enterprises that want to disable WLAN services in a
specified period for security or at midnight when the user service traffic volume is low.
• The scheduled VAP auto-off function enabled in a VAP profile view takes effect only on
  the APs using the profile.
• The scheduled VAP auto-off function enabled in a radio profile takes effect only on the
  APs using the profile. For details on how to configure the scheduled VAP auto-off
  function in a radio profile view, see 5.11.1.4 (Optional) Adjusting Radio Parameters.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Run undo service-mode disable
The service mode of a VAP is enabled.
By default, the service mode of a VAP is enabled.
Enabling the service mode of a VAP is the prerequisite for normal VAP working.
Step 5 Run auto-off service start-time start-time end-time end-time
The scheduled VAP auto-off function is enabled and the time range when the VAP is disabled
is set.
By default, the scheduled VAP auto-off function is disabled.
----End

5.11.2.6 (Optional) Configuring MU-MIMO

Context
Carrier sense multiple access with collision avoidance (CSMA-CA) allows an air interface
channel to be occupied only by one STA, and other STAs cannot communicate with the AP.

After MU-MIMO is enabled, STAs supporting MU-MIMO can form an MU group to
simultaneously receive downlink data from the same air interface channel, improving channel
efficiency and overall downlink throughput.
In Figure 5-39, before MU-MIMO is enabled, when the AP is communicating with STA_1,
other STAs such as STA_2 cannot communicate with the AP. After MU-MIMO is enabled,
the AP can communicate with multiple STAs simultaneously, improving air interface
efficiency.

Figure 5-39 Communication before and after MU-MIMO is enabled

[Figure placeholder: two panels, "Before MU-MIMO is enabled" and "After MU-MIMO is enabled";
labels: AP, STA_1, STA_2, STA_3, STA_4, Backoff]

• Only the 802.11ac wave2 APs support MU-MIMO on 5 GHz radios.
• In WDS scenarios, ensure that the number of spatial streams on STA VAPs is smaller
  than that on AP VAPs. Otherwise, MU-MIMO cannot take effect. For example, if STA
  VAPs and AP VAPs are both configured with three spatial streams, an AP VAP can
  communicate with only one STA VAP even if MU-MIMO has been enabled.
• MU-MIMO is not supported on a Mesh network.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ssid-profile name profile-name
An SSID radio profile is created and the SSID profile view is displayed.
By default, the system provides the SSID profile default.
Step 4 Run undo mu-mimo disable
MU-MIMO is enabled.
By default, the MU-MIMO function is enabled.

Step 5 (Optional) Run mu-mimo optimize enable
MU-MIMO optimization is enabled.
In an environment with less interference, you can enable the MU-MIMO optimization
function to meet requirements for high downlink throughput of the AP.
Step 6 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 7 Run ssid-profile profile-name
The SSID profile is bound to a VAP profile.
By default, the SSID profile default is bound to a VAP profile.

----End

5.11.2.7 (Optional) Configuring the Device to Forcibly Disconnect STAs Without Traffic

Context
After the device is enabled to monitor user traffic and forcibly disconnect STAs without
traffic, a STA meeting all the following conditions is forcibly disconnected after reassociation
and going online:
• The STA does not send DHCP Request messages or receive ARP Reply packets within
  5s after going online.
• The IP address of the STA changes after roaming.
• The STA has only uplink traffic but no downlink traffic.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run undo sta-network-detect disable
The device is enabled to monitor user traffic and forcibly disconnect STAs without traffic.
By default, the device is enabled to monitor user traffic and forcibly disconnect STAs without
traffic.

----End

5.11.2.8 (Optional) Adjusting VAP Parameters

Context
You can flexibly adjust VAP parameters to adapt to different network requirements.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Adjust VAP parameters.
Procedure    Enable the service mode of a VAP
Command      undo service-mode disable
             By default, the service mode of a VAP is enabled.
Description  Enabling the service mode of a VAP is the prerequisite for normal VAP
             working.

Procedure    Configure an AP to insert the Option 82 field in DHCP packets sent from a
             STA: Enable an AP to insert the Option 82 field in DHCP packets sent from
             a STA
Command      dhcp option82 insert enable
             By default, the function of adding the Option 82 field to DHCP packets
             sent by STAs is disabled.

Procedure    Configure an AP to insert the Option 82 field in DHCP packets sent from a
             STA: Configure the format of the Option 82 field inserted in DHCP packets
             sent from a STA
Command      dhcp option82 { circuit-id | remote-id } format { ap-mac [ mac-format
             { normal | compact | hex } ] | ap-mac-ssid [ mac-format { normal |
             compact } ] | user-defined text | ap-name | ap-name-ssid }
             By default, the format of the Option 82 field inserted in DHCP packets
             sent by STAs is ap-mac.

Description  (applies to both Option 82 commands) A STA obtains an IP address through
             DHCP after going online. When the DHCP Request packet sent by the STA
             reaches an AP, the AP inserts the Option 82 field in the packet to send
             the AP's MAC address, SSID or name to the DHCP server. According to the
             Option 82 field, the DHCP server can determine the AP through which the
             STA goes online.

----End
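
The following is an added example, not part of the Huawei guide: a DHCP-server-side parser that recovers the AP identity from the Option 82 field described in the table above and rejects values that do not match the format configured on the AC. The sub-option codes (1 = circuit-id, 2 = remote-id) come from RFC 3046; the text layouts assumed for mac-format normal (xx-xx-xx-xx-xx-xx) and compact (xxxx-xxxx-xxxx), the raw 6-byte hex form, the ":" separator in ap-mac-ssid, and the sample bytes are assumptions constructed for illustration.

```python
"""Server-side parsing of DHCP Option 82 (RFC 3046) as inserted by an AP."""
import re

OPT_PAD, OPT_END, OPT_RELAY_AGENT_INFO = 0, 255, 82
SUBOPTION_NAMES = {1: "circuit-id", 2: "remote-id"}   # RFC 3046 sub-option codes

# Assumed text renderings of the AP MAC for "mac-format normal" and "compact".
MAC_TEXT = {
    "normal": re.compile(r"[0-9a-f]{2}(-[0-9a-f]{2}){5}", re.I),
    "compact": re.compile(r"[0-9a-f]{4}(-[0-9a-f]{4}){2}", re.I),
}


def read_tlv(buf, offset, what):
    """Return (code, value, next_offset) for one code/length/value item, bounds-checked."""
    if offset + 2 > len(buf):
        raise ValueError(f"{what}: truncated header at offset {offset}")
    code, length = buf[offset], buf[offset + 1]
    end = offset + 2 + length
    if end > len(buf):
        raise ValueError(f"{what}: item {code} declares {length} bytes past the end")
    return code, bytes(buf[offset + 2:end]), end


def find_option82(options):
    """Walk a DHCP options field and return the Option 82 payload, or None."""
    offset = 0
    while offset < len(options):
        if options[offset] == OPT_END:
            break
        if options[offset] == OPT_PAD:       # single byte, no length field
            offset += 1
            continue
        code, value, offset = read_tlv(options, offset, "DHCP options")
        if code == OPT_RELAY_AGENT_INFO:
            return value
    return None


def split_suboptions(payload):
    """Split an Option 82 payload into {sub-option name: raw value}."""
    subs, offset = {}, 0
    while offset < len(payload):
        code, value, offset = read_tlv(payload, offset, "Option 82")
        subs[SUBOPTION_NAMES.get(code, f"sub-option-{code}")] = value
    return subs


def decode_mac(value, mac_format):
    """Validate an AP MAC in the configured mac-format; return it as xx-xx-xx-xx-xx-xx."""
    if mac_format == "hex":                  # assumed: the six raw address bytes
        if len(value) != 6:
            raise ValueError("hex MAC must be exactly 6 bytes")
        raw = value
    else:
        text = value.decode("ascii")         # UnicodeDecodeError is a ValueError
        if not MAC_TEXT[mac_format].fullmatch(text):
            raise ValueError(f"{text!r} is not a {mac_format} MAC")
        raw = bytes.fromhex(text.replace("-", ""))
    return "-".join(f"{b:02x}" for b in raw)


def decode_value(value, fmt, mac_format):
    """Decode one sub-option according to the format configured on the AC."""
    if fmt == "ap-mac":
        return {"ap_mac": decode_mac(value, mac_format)}
    if fmt == "ap-mac-ssid":                 # assumed layout: <mac>:<ssid>
        mac, sep, ssid = value.partition(b":")
        if not sep or not ssid:
            raise ValueError("ap-mac-ssid value has no SSID part")
        return {"ap_mac": decode_mac(mac, mac_format), "ssid": ssid.decode("utf-8")}
    return {"text": value.decode("utf-8")}   # ap-name, ap-name-ssid, user-defined


def identify_ap(options, formats):
    """Return {sub-option: decoded identity} for a request, or {} without Option 82."""
    payload = find_option82(options)
    if payload is None:
        return {}
    return {name: decode_value(raw, *formats.get(name, ("user-defined", None)))
            for name, raw in split_suboptions(payload).items()}


def tlv(code, value):
    """Build one code/length/value item (used only to construct the sample)."""
    return bytes([code, len(value)]) + value


# Constructed sample: options of a DHCP Request after the AP inserted Option 82.
SAMPLE_OPTIONS = (
    tlv(53, b"\x03")                                         # message type: Request
    + tlv(82, tlv(1, b"00-11-22-aa-bb-cc:wlan-net")          # circuit-id, ap-mac-ssid
              + tlv(2, bytes.fromhex("001122aabbcc")))       # remote-id, ap-mac hex
    + b"\xff"
)
# Formats assumed to be configured with "dhcp option82 ... format" for this sample.
FORMATS = {"circuit-id": ("ap-mac-ssid", "normal"), "remote-id": ("ap-mac", "hex")}

if __name__ == "__main__":
    print(identify_ap(SAMPLE_OPTIONS, FORMATS))
```

A value that parses but does not match the configured format raises ValueError, so a server can log and drop requests whose Option 82 content was not produced by its own APs.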

5.11.2.9 Configuring a Security Profile

Context
As WLAN technology uses radio signals to transmit service data, service data can easily be
intercepted or tampered with by attackers when being transmitted on the open wireless channels.

Security is critical to WLANs. You can create a security profile to configure security policies,
which protect privacy of users and ensure data transmission security on WLANs.
A security profile provides four WLAN security policies: Wired Equivalent Privacy (WEP),
Wi-Fi Protected Access (WPA), WPA2, and WLAN Authentication and Privacy Infrastructure
(WAPI). Each security policy has a series of security mechanisms, including the link
authentication mechanism used to establish a wireless link, user authentication mechanism
used when users attempt to connect to a wireless network, and data encryption mechanism
used during data transmission.
If no security policy is configured during the creation of a security profile, the default
authentication mode (open system authentication) is used. When a user searches for a wireless
network, the user can connect to the wireless network without being authenticated.
The default security policy has low security. You are advised to configure a proper security
policy. For details on how to configure security policies, see Security Policy Configuration.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run security-profile name profile-name
A security profile is created, and the security profile view is displayed.
By default, security profiles default, default-wds, and default-mesh are available in the
system.
After a security profile is created, you need to configure a proper security policy according to
service requirements because the default security policy has security risks. For the detailed
configuration, see Security Policy Configuration.
Step 4 Run quit
Return to the WLAN view.
Step 5 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 6 Run security-profile profile-name
The security profile is bound to a VAP profile.
By default, the security profile default is bound to a VAP profile.
----End
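
The following is an added example, not part of the Huawei guide: an offline audit that walks a saved WLAN configuration and reports the policy each VAP profile actually ends up with, applying the two defaults stated above (a VAP profile without a binding uses security profile default, and a security profile without a policy uses open system authentication). The configuration layout, the `security open` keyword, the treatment of a profile absent from the text as unmodified, and the sample text are assumptions constructed for illustration; the tkip and wep forms follow the security command syntax given elsewhere in this guide.

```python
"""Audit a saved WLAN configuration for VAP profiles that resolve to a weak policy."""
import re

BLOCK = re.compile(r"^\s*([\w-]+-profile) name (\S+)\s*$")   # start of a profile view
BIND = re.compile(r"^\s*security-profile (\S+)\s*$")         # binding inside a VAP profile
POLICY = re.compile(r"^\s*security (\S.*)$")                 # policy inside a security profile

# Constructed sample in the style of a saved configuration (layout is an assumption).
SAMPLE_CONFIG = """\
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase <cipher-text> aes
 security-profile name guest-sec
 security-profile name legacy-sec
  security wpa-wpa2 psk pass-phrase <cipher-text> tkip
 security-profile name old-sec
  security wep share-key
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  ssid-profile wlan-ssid
  security-profile wlan-security
 vap-profile name guest-vap
  security-profile guest-sec
 vap-profile name legacy-vap
  security-profile legacy-sec
 vap-profile name lab-vap
"""


def parse_profiles(config_text):
    """Return ({security profile: policy tokens or None}, {VAP profile: binding or None})."""
    security, vaps, current = {}, {}, None
    for line in config_text.splitlines():
        block = BLOCK.match(line)
        if block:
            current = block.groups()
            if current[0] == "security-profile":
                security.setdefault(current[1], None)
            elif current[0] == "vap-profile":
                vaps.setdefault(current[1], None)
            continue
        if current is None:
            continue
        kind, name = current
        policy, bind = POLICY.match(line), BIND.match(line)
        if kind == "security-profile" and policy:
            security[name] = policy.group(1).split()
        elif kind == "vap-profile" and bind:
            vaps[name] = bind.group(1)
    return security, vaps


def classify(policy):
    """Map a security profile's policy tokens to a verdict."""
    if not policy or policy[0] == "open":
        return "open"        # no policy configured: open system authentication
    if policy[0] == "wep":
        return "wep"
    if policy[-1] == "tkip":
        return "tkip"
    return "ok"


def audit(config_text):
    """Return [(VAP profile, effective security profile, verdict)] in configuration order."""
    security, vaps = parse_profiles(config_text)
    findings = []
    for vap, bound in vaps.items():
        effective = bound or "default"   # unbound VAP profiles use security profile default
        # Assumption: a profile that does not appear in the text has no policy configured.
        findings.append((vap, effective, classify(security.get(effective))))
    return findings


def weak_bindings(config_text):
    """Only the VAP profiles whose effective policy is open, WEP or TKIP."""
    return [finding for finding in audit(config_text) if finding[2] != "ok"]


if __name__ == "__main__":
    for vap, profile, verdict in audit(SAMPLE_CONFIG):
        print(f"{vap:12} -> {profile:14} {verdict}")
```

In the sample, old-sec is weak but unbound, so it is not reported, while lab-vap is reported even though it never mentions a security profile.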

5.11.2.10 Configuring an SSID Profile

Context
SSIDs identify different wireless networks. When you search for available wireless networks
on your laptop, the displayed wireless network names are SSIDs. In an SSID profile, you can
define an SSID name and configure related parameters. After the SSID profile configuration
is complete, bind the SSID profile to a VAP profile.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run ssid-profile name profile-name

An SSID profile is created, and the SSID profile view is displayed.

By default, the system provides the SSID profile default.

Step 4 Run ssid ssid

An SSID name is configured.

By default, the SSID HUAWEI-WLAN is configured in an SSID profile.

The value is a string of 1 to 32 case-sensitive characters. It supports Chinese characters or
Chinese + English characters, without tab characters.

Step 5 (Optional) Run ssid-hide enable

SSID hiding in Beacon frames is enabled.

By default, SSID hiding in Beacon frames is disabled in an SSID profile.

When creating a WLAN, configure an AP to hide the SSID of the WLAN to ensure security.
Only the users who know the SSID can connect to the WLAN.

Step 6 (Optional) Run advertise-ap-name enable

Beacon frames are enabled to carry the AP name.

By default, Beacon frames do not carry the AP name.

Step 7 (Optional) Run max-sta-number max-sta-number

The maximum number of successfully associated STAs on a VAP is configured.

By default, a VAP allows for a maximum of 64 successfully associated STAs.

The more users access a VAP, the fewer network resources each user can occupy. To
ensure a good Internet experience for users, you can configure a proper maximum number of
access users on a VAP according to the actual network situation.

Step 8 (Optional) Run reach-max-sta hide-ssid disable

APs are disabled from automatically hiding SSIDs when the number of users reaches the
maximum.

By default, automatic SSID hiding is enabled when the number of users reaches the
maximum.

After automatic SSID hiding is enabled, SSIDs are automatically hidden when the number of
users connected to the WLAN reaches the maximum, and SSIDs are unavailable for new
users.
Step 9 (Optional) Run legacy-station [ only-dot11b ] disable
Access of non-HT STAs is denied.
By default, access of non-HT STAs is permitted.
Non-HT STAs support only 802.11a/b/g and provide a data transmission rate far lower than
the rate of 802.11n/ac STAs. If the non-HT STAs access the wireless network, the data
transmission rate of 802.11n/ac STAs will be reduced. To prevent the transmission rate of
802.11n/ac STAs from being affected, you can run the legacy-station [ only-dot11b ] disable
command to deny access of all or only 802.11b-compliant non-HT STAs.
After the legacy-station disable command is run, the access of non-HT STAs supporting only
802.11a/b/g fails to be denied if any of the following functions is configured on the non-HT
STAs:
• WMM function in a 2G or 5G radio profile disabled using the wmm disable command
• Pre-shared key authentication and TKIP encryption for WPA/WPA2 configured using the
  security { wpa | wpa2 | wpa-wpa2 } psk { pass-phrase | hex } key-value tkip
  command
• 802.1X authentication and TKIP encryption for WPA/WPA2 configured using the
  security { wpa | wpa2 | wpa-wpa2 } dot1x tkip command
• WEP shared key authentication mode configured using the security wep [ share-key ]
  command
• 802.11b/g radio type in the 2G radio profile configured using the radio-type { dot11b |
  dot11g } command
• 802.11a radio type in the 5G radio profile configured using the radio-type dot11a command
After the legacy-station only-dot11b disable command is run, the access of non-HT STAs
supporting only 802.11b is denied. If 802.11b radio type in the 2G radio profile has been
configured using the radio-type dot11b command, the access of non-HT STAs supporting
only 802.11b fails to be denied.
Step 10 (Optional) Run single-txchain enable
The single-antenna transmission mode is enabled.
By default, the single-antenna transmission mode is disabled.
Only 802.11ac Wave 2 APs support the single-antenna transmission mode.
Step 11 (Optional) Run association-timeout association-timeout
The association aging time of STAs is configured.
By default, the association aging time is 5 minutes.
After the association aging time of STAs is configured, if the AP receives no data packet from
a STA in a specified time, the STA goes offline after the association aging time expires.
Step 12 (Optional) Run dtim-interval dtim-interval
A DTIM interval is configured.
By default, the DTIM interval is 1.

The DTIM interval specifies how many Beacon frames are sent before the Beacon frame that
contains the DTIM. An AP sends a Beacon frame to wake a STA in power-saving mode,
indicating that the saved broadcast and multicast frames will be transmitted to the STA.
• A short DTIM interval helps transmit data in a timely manner, but the STA is woken
  frequently, causing high power consumption.
• A long DTIM interval lengthens the dormancy time of a STA and saves power, but
  degrades the transmission capability of the STA.
Step 13 (Optional) Run u-apsd enable
The U-APSD function is enabled.
By default, the U-APSD function is disabled.
If some STAs on the network do not support the U-APSD function, disable the U-APSD
function.
Step 14 (Optional) Run active-dull-client enable
The function of preventing terminals from entering energy-saving mode is enabled.
By default, the function of preventing terminals from entering energy-saving mode is
disabled.
For reasons specific to individual terminals, some terminals may not run services normally
after entering energy-saving mode. You can run the active-dull-client enable command to
enable the function of preventing terminals from entering energy-saving mode. After that, an
AP frequently sends null data frames to these terminals to prevent them from entering
energy-saving mode, ensuring normal services.
Step 15 (Optional) Run qbss-load enable
APs are enabled to notify STAs of their load.
By default, the function of notifying STAs of the AP load is disabled.
Step 16 Run quit
Return to the WLAN view.
Step 17 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 18 Run ssid-profile profile-name
The SSID profile is bound to a VAP profile.
By default, the SSID profile default is bound to a VAP profile.

----End

5.11.2.11 Binding VAP Profiles

Context
After the configuration in a VAP profile is complete, you need to bind the VAP profile to an
AP group, AP, AP radio, or AP group radio. After being delivered to APs, the configuration in
a VAP profile can take effect on the APs.

After a VAP profile is applied to an AP group or AP, the parameter settings in the profile take
effect on all radios of the AP group or AP. After a radio profile is applied in the AP group
radio or AP radio view, the parameter settings in the profile take effect on the specified AP
radio or radios in the AP group.

Procedure
• Bind a VAP profile to an AP group.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Run the ap-group name group-name command to enter the AP group view.
  d. Run the vap-profile profile-name wlan wlan-id { radio { radio-id | all } }
     command to bind the VAP profile to the radio.
     By default, no VAP profile is bound to a radio.
• Bind a VAP profile to an AP.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  d. Run the vap-profile profile-name wlan wlan-id { radio { radio-id | all } }
     command to bind the VAP profile to the radio.
     By default, no VAP profile is bound to a radio.
• Apply a VAP profile in the AP group radio view.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Run the ap-group name group-name command to enter the AP group view.
  d. Run the radio radio-id command to enter the radio view.
  e. Run the vap-profile profile-name wlan wlan-id command to bind the VAP profile
     to the radio.
     By default, no VAP profile is bound to a radio.
• Apply a VAP profile in the AP radio view.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  d. Run the radio radio-id command to enter the radio view.
  e. Run the vap-profile profile-name wlan wlan-id command to bind the VAP profile
     to the radio.
     By default, no VAP profile is bound to a radio.

----End

5.11.2.12 Verifying the VAP, Security, and SSID Profile Configuration

Prerequisites
The configuration of the VAP, security, and SSID profiles is complete.

Procedure
• Run the display vap { all | ssid ssid } or display vap { ap-group ap-group-name |
  { ap-name ap-name | ap-id ap-id } [ radio radio-id ] } [ ssid ssid ] command to check
  service VAP information.
• Run the display vap-profile { all | name profile-name } command to check
  configuration and reference information about a VAP profile.
• Run the display references vap-profile name profile-name command to check reference
  information about a VAP profile.
• Run the display security-profile { all | name profile-name } command to check
  configuration and reference information about a security profile.
• Run the display references security-profile name profile-name command to check
  reference information about a security profile.
• Run the display ssid-profile { all | name profile-name } command to check
  configuration and reference information about an SSID profile.
• Run the display references ssid-profile name profile-name command to check
  reference information about an SSID profile.
• Run the display vlan pool { name pool-name | all [ verbose ] } command to check
  configurations in a VLAN pool.
• Run the display references vlan pool pool-name command to check reference
  information about a VLAN pool.
• Run the display vap create-fail-record all command to check records about VAP
  creation failures.
• Run the display wlan config-errors command to check WLAN configuration errors.
----End

5.11.3 (Optional) Configuring the STA Offline Delay Function

Context
On a WLAN, some online STAs may go offline due to reasons such as screen lock. When
these STAs go online again, they are reauthenticated, increasing the load on the authentication
server. After the STA offline delay function is enabled, STAs can go offline and online again
in the aging time without being authenticated by the external or built-in authentication server.
This reduces the load on the authentication server and avoids multiple authentication
operations. This function takes effect for STAs only in Portal, MAC address, or MAC
address-prioritized Portal authentication mode.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run sta-offline-delay enable

The STA offline delay function is enabled.

By default, the STA offline delay function is disabled.

Step 4 Run sta-offline-delay max-number max-number

The maximum number of STAs that are allowed to delay going offline is set.

The default maximum number of STAs that are allowed to delay going offline is one fifth of
the maximum number of STAs supported by an AC.

Step 5 Run sta-offline-delay aging-time time

The aging time of the STA offline delay state is configured.

The default aging time for STA offline delay is 180 seconds.

Step 6 Run undo sta-offline-delay full-sta-reject enable

APs are enabled to force STAs in offline delay state to go offline and allow new STAs
to go online after the number of STAs reaches the maximum.

By default, an AP is enabled to force STAs in offline delay state to go offline and allow new
STAs to go online after the number of STAs reaches the maximum.

----End

Verifying the Configuration
• Run the display sta-offline-delay configuration command to view the configuration of
  the STA offline delay function.

5.11.4 Checking the STA Online Result

Context
After basic WLAN service configurations are complete, APs generate WLAN signals in their
coverage ranges. Users can use STAs, such as mobile phones and laptops with wireless
network adapters, to associate with WLANs of the configured SSIDs. After entering the user
names and passwords, users can associate with the WLANs. By checking the STA online
result, you can learn which STAs are connected to the WLAN.

Procedure
• Run the display station { ap-group ap-group-name | ap-name ap-name | ap-id ap-id |
  ssid ssid | sta-mac sta-mac-address | vlan vlan-id | all } command to check STA access
  information.

----End

5.12 Configuring STAs to Go Online (Agile Distributed WLAN)

Pre-configuration Tasks
Before configuring STAs to go online, perform the task of 5.10 Configuring the Central AP
and RUs to Go Online.

Procedure
The procedure for configuring STAs to go online on an agile distributed WLAN is the same
as that on a common WLAN. For details, see 5.11 Configuring STAs to Go Online.

On an agile distributed WLAN, the central AP does not have radios. The RUs act as radios of
the central AP. Therefore, the radio and VAP configurations need to be delivered to RUs, but
not the central AP.

5.13 Maintaining Basic WLAN Services

5.13.1 Checking Wireless Link Quality Between an AP and a STA

Context
On wireless networks, radio, as the transmission medium, is easily affected by interference
from the surroundings. The transmission quality of service data changes greatly depending on
the interference. Therefore, you must evaluate and check the transmission quality of wireless
links to ensure better service data transmission and efficient cooperation between densely
deployed wireless networks, and to reduce signal interference.

Use the RF ping function, which exchanges data packets between APs and STAs, to check the
transmission quality of wireless links. The link check result includes the signal strength, radio
interface rate, and packet sending delay, which together indicate the transmission
quality of wireless links.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run the rf-ping [ -m time | -c number ] * mac-address command to check wireless link
quality.

----End

5.13.2 Checking Connectivity Between an AP and a Network Device

Context
When a network fault occurs, use an AP to ping other network devices to check the
connectivity.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run the ap-ping { ap-name ap-name | ap-id ap-id } [ -c count | -s packetsize | -m time | -t
timeout ] * host command to ping a network device from an AP to check network connectivity
between them.

----End

5.13.3 Checking AP Running Statistics

Context
After AP online and management AP configurations are complete, run the following
commands in any view to check AP running statistics.

Procedure
• Run the display ap run-info { ap-name ap-name | ap-id ap-id } command to check AP
  running information.
• Run the display ap performance statistics { ap-name ap-name | ap-id ap-id }
  command to check AP performance statistics.
• Run the display radio { all | ap-group ap-group-name | ap-name ap-name | ap-id
  ap-id } command to check AP radio information.
• Run the display ap asyn-message err-info { all | ap-name ap-name | ap-id ap-id }
  command to check records about AP restart failures.
• Run the display ap uncontrol all command to check unauthorized APs.
• Run the display channel switch-record { all | ap-name ap-name radio radio-id | ap-id
  ap-id radio radio-id | reason reason } command to check channel switching records.
• Run the display ap traffic statistics wireless { ap-name ap-name | ap-id ap-id } radio
  radio-id [ ssid ssid ] command to check packet statistics on an AP radio.
• Run the display ap elabel { ap-name ap-name | ap-id ap-id } command to check AP
  electronic label information.
• Run the display ap service-config acl { ap-name ap-name | ap-id ap-id } command to
  check ACL configurations on an AP.
• Run the display ap port { all | ap-name ap-name | ap-id ap-id | ap-mac ap-mac }
  command to check the AP port status and traffic information.
• Run the display distribute-ap { all | ap-id ap-id | ap-mac ap-mac | ap-name ap-name |
  central-ap-id central-ap-id | central-ap-mac central-ap-mac | central-ap-name
  central-ap-name } command to check RU information.
• Run the display ap statistics command to check statistics on the types of APs added to
  an AC.

----End

5.13.4 Checking AP Online Failure and Offline Records

Context
You can check the AP online failure and offline records to locate the reasons why APs fail
to go online or go offline. This helps the maintenance personnel manage and maintain the
APs.

Procedure
• Run the display ap online-fail-record { all | mac mac-address } command to check AP
  online failure records.
• Run the display ap offline-record { all | mac mac-address } command to check AP
  offline records.

----End

5.13.5 Clearing AP Online Failure and Offline Records

Context
Before re-collecting AP online failure and offline records, you can clear AP online failure
records and offline records. This helps the maintenance personnel manage and maintain APs.
NOTE

The cleared records cannot be restored. Therefore, exercise caution when performing these operations.

Procedure
• Run the reset ap online-fail-record { all | mac mac-address } command to clear AP
  online failure records.
• Run the reset ap offline-record { all | mac mac-address } command to clear AP offline
  records.

----End

5.13.6 Clearing the List of Unauthorized APs

Context
You can clear the list of unauthorized APs to remove the entries of removed or unauthenticated
APs that have disconnected from an AC. This operation helps re-collect and confirm
unauthenticated APs.

NOTE

The cleared records cannot be restored. Therefore, exercise caution when performing these operations.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run reset ap unauthorized record

Clear the list of unauthorized APs.

----End

5.13.7 Checking STA Running Statistics

Context
After STAs successfully associate with an AP, you can run the following commands in any
view to monitor the STA running status.

Procedure
• Run the display station { ap-group ap-group-name | ap-name ap-name | ap-id ap-id |
  ssid ssid | sta-mac sta-mac-address | vlan vlan-id | all } command to check STA access
  information.
• Run the display station statistics [ sta-mac sta-mac-address | ap-name ap-name | ap-id
  ap-id ] command to check STA statistics.
• Run the display ap sta-signal strength { ap-name ap-name | ap-id ap-id } [ radio
  radio-id ] command to check the average signal strength of STAs on an AP.

----End

5.13.8 Checking STA Online Failure and Offline Records

Context
You can check STA online failure and offline records to locate online failure and offline
reasons. This helps the maintenance personnel rectify the fault, enabling STAs to connect to
the wireless network properly.

Procedure
• Run the display station online-fail-record { all | ap-name ap-name | ap-id ap-id |
  sta-mac sta-mac-address } command to check records about STA online failures.
• Run the display station offline-record { all | ap-name ap-name | ap-id ap-id | sta-mac
  sta-mac-address } command to check STA offline records.
----End

5.13.9 Clearing STA Online Failure and Offline Records

Context
Before re-collecting STA online failure and offline records, clear STA online failure records
and offline records. This helps the maintenance personnel manage and maintain STAs.
NOTE

The cleared records cannot be restored. Therefore, exercise caution when performing these operations.

Procedure
• Run the reset station online-fail-record { all | ap-name ap-name | ap-id ap-id |
  sta-mac sta-mac-address } command to clear STA online failure records.
• Run the reset station offline-record { all | ap-name ap-name | ap-id ap-id | sta-mac
  sta-mac-address } command to clear STA offline records.
----End

5.13.10 Enabling the Function of Recording Successful STA Associations in the Log

Context
After the function of recording successful STA associations in the log is enabled, successfully
associated STAs are recorded in the log, so that the administrator can view information about
successful STA associations.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run report-sta-assoc enable
The function of recording successful STA associations in the log is enabled.
By default, this function is disabled.

----End

5.14 Configuration Examples for WLAN Services

5.14.1 Example for Configuring WLAN Services on a Small-Scale Network

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 5-40, the AP is directly connected to the AC. An enterprise branch needs
to deploy WLAN services for mobile office so that branch users can access the enterprise
internal network from anywhere at any time.
The following requirements must be met:
• A WLAN named wlan-net is available.
• Branch users are assigned IP addresses on 10.23.101.0/24.

Figure 5-40 Networking diagram of configuring WLAN services on a small-scale network
[Figure: Internet, AC (GE0/0/2 in VLAN 101, GE0/0/1 in VLAN 100), SwitchA (GE0/0/2 and GE0/0/1 in VLAN 100), AP, and two STAs]

Management VLAN: VLAN 100
Service VLAN: VLAN 101

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure Layer 2 connections between the AP, AC, Switch, and upstream device.
2. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
AP.
3. Configure the AP to go online.
a. Create an AP group and add the AP to the group. The APs that require the same
configuration can be added to the group for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the AP.
c. Configure the AP authentication mode and import the AP offline so that the AP can
go online properly.
4. Configure WLAN service parameters for STAs to access the WLAN.

Table 5-10 Data planning

Item                           Data
DHCP server                    The AC functions as a DHCP server to assign IP addresses to the
                               STAs and AP.
IP address pool for the AP     10.23.100.2-10.23.100.254/24
IP address pool for STAs       10.23.101.2-10.23.101.254/24
AC's source interface address  VLANIF 100: 10.23.100.1/24
AP group                       • Name: ap-group1
                               • Referenced profiles: VAP profile wlan-vap and regulatory
                                 domain profile domain1
Regulatory domain profile      • Name: domain1
                               • Country code: CN
SSID profile                   • Name: wlan-ssid
                               • SSID name: wlan-net
Security profile               • Name: wlan-security
                               • Security policy: WPA2+PSK+AES
                               • Password: a1234567
VAP profile                    • Name: wlan-vap
                               • Forwarding mode: tunnel forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-ssid and security
                                 profile wlan-security

Configuration Notes
• For details about common WLAN configuration notes, see 2 General Precautions for
  WLAN. For more deployment and configuration suggestions, see 3 Wireless Network
  Deployment and Configuration Suggestions.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   10S         -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the AP radios.

NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Verify the configuration.


After the service configuration is complete, run the display vap ssid wlan-net command. If
Status in the command output is displayed as ON, the VAPs have been successfully created
on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
--------------------------------------------------------------------------------------
STA MAC          AP ID Ap name  Rf/WLAN  Band  Type  Rx/Tx      RSSI  VLAN  IP address
--------------------------------------------------------------------------------------
e019-1dc7-1e08   0     area_1   1/1      5G    11n   46/59      -68   101   10.23.101.254
--------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return

5.14.2 Example for Configuring WLAN Services on a Medium-Scale Network

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 5-41, an enterprise AC connects to the egress gateway Router of the
campus network and connects to the AP through access switch SwitchA.
The enterprise requires a WLAN with SSID wlan-net so that users can access the enterprise
internal network from anywhere at any time. The Router needs to function as a DHCP server
to assign IP addresses to users and manage users on the AC.
A large number of users connect to the WLAN. To reduce broadcast domains and ensure that
sufficient IP addresses are available, configure a VLAN pool to use VLANs in the VLAN
pool as service VLANs and configure interface address pools corresponding to the VLANs to
allocate addresses to STAs.

Figure 5-41 Networking diagram of configuring WLAN services on a medium-scale network

[Figure: Internet, Router, AC, Switch_A, APs area_1 and area_2, and their STAs, connected top to bottom.
Links: Router GE2/0/0 to AC GE0/0/2 (VLAN 200); AC GE0/0/1 to Switch_A GE0/0/2 (VLAN 100);
Switch_A GE0/0/1 and GE0/0/3 to the APs (VLAN 100).
Management VLAN: VLAN 100. Service VLAN: VLAN pool.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure connections between the AP, AC, and upstream device.
2. Configure the AC as a DHCP server to assign an IP address to the AP from an interface
IP address pool, configure the AC as a DHCP relay agent, and configure the Router
connected to the AC to assign IP addresses to STAs.
3. Configure a VLAN pool for service VLANs.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
5. Configure WLAN service parameters for STAs to access the WLAN.

Table 5-11 Data planning

Item                            Data
DHCP server                     The AC functions as a DHCP server to assign IP addresses to the APs, and the
                                Router functions as a DHCP server to assign IP addresses to the STAs.
IP address pool for the APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs        10.23.101.2-10.23.101.254/24
                                10.23.102.2-10.23.102.254/24
VLAN pool                       • Name: sta-pool
                                • VLAN 101 and VLAN 102 are added to the VLAN pool.
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        • Name: ap-group1
                                • Referenced profile: VAP profile wlan-vap and regulatory domain profile domain1
Regulatory domain profile       • Name: domain1
                                • Country code: CN
SSID profile                    • Name: wlan-ssid
                                • SSID name: wlan-net
Security profile                • Name: wlan-security
                                • Security policy: WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-vap
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLANs in the VLAN pool
                                • Referenced profile: SSID profile wlan-ssid and security profile wlan-security

Configuration Notes
• For details about common WLAN configuration notes, see 2 General Precautions for
  WLAN. For more deployment and configuration suggestions, see 3 Wireless Network
  Deployment and Configuration Suggestions.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
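Two of the notes above can be checked mechanically against saved configuration files: that no tunnel-mode VAP profile reuses the management VLAN as a service VLAN (directly or through a VLAN pool), and that AP-facing switch ports have port isolation enabled. The script below is an added example, not part of the original guide or a Huawei tool; the function names, the constructed sample strings, and the heuristic that a trunk port whose PVID is the management VLAN is AP-facing are assumptions made here.

```python
import re

# Definitions carry "name" (vap-profile name X); bare references (ssid-profile X) do not.
DEFINITION = re.compile(r"^(\S+-profile|ap-group) name (\S+)$")

def expand_vlans(spec):
    """Expand a VRP VLAN list such as "101 to 102 200" into {101, 102, 200}."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_ac(text):
    """Extract CAPWAP source VLAN, VLAN pools and VAP profiles; indentation is ignored."""
    cfg = {"mgmt_vlan": None, "pools": {}, "vaps": {}}
    ctx = None                                  # (kind, name) of the stanza being read
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "#" or line.startswith("ap-id "):
            ctx = None                          # stanza separator or start of an AP entry
        elif m := re.match(r"capwap source interface vlanif\s*(\d+)$", line, re.I):
            cfg["mgmt_vlan"] = int(m.group(1))
        elif m := re.match(r"vlan pool (\S+)$", line):
            ctx = ("pool", m.group(1))
            cfg["pools"][m.group(1)] = set()
        elif m := DEFINITION.match(line):
            ctx = (m.group(1), m.group(2))
            if ctx[0] == "vap-profile":
                cfg["vaps"][ctx[1]] = {"mode": None, "service": None}
        elif ctx and ctx[0] == "pool" and line.startswith("vlan "):
            cfg["pools"][ctx[1]] |= expand_vlans(line[5:])
        elif ctx and ctx[0] == "vap-profile" and line.startswith("forward-mode "):
            cfg["vaps"][ctx[1]]["mode"] = line.split()[1]
        elif ctx and ctx[0] == "vap-profile" and (
                m := re.match(r"service-vlan (vlan-id|vlan-pool) (\S+)$", line)):
            cfg["vaps"][ctx[1]]["service"] = m.groups()
    return cfg

def tunnel_vlan_overlaps(ac_text):
    """Return (vap_profile, vlan) pairs where a tunnel-mode VAP profile uses the
    management VLAN as a service VLAN, directly or through a VLAN pool."""
    cfg = parse_ac(ac_text)
    findings = []
    for name, vap in cfg["vaps"].items():
        if vap["mode"] != "tunnel" or not vap["service"]:
            continue
        kind, value = vap["service"]
        vlans = {int(value)} if kind == "vlan-id" else cfg["pools"].get(value, set())
        if cfg["mgmt_vlan"] in vlans:
            findings.append((name, cfg["mgmt_vlan"]))
    return findings

def ap_ports_without_isolation(switch_text, mgmt_vlan):
    """Return interfaces whose trunk PVID is the management VLAN but that lack
    'port-isolate enable'. Treating PVID == management VLAN as "AP-facing" is an
    assumption taken from how this page's examples configure AP ports."""
    ports, name = {}, None
    for line in (raw.strip() for raw in switch_text.splitlines()):
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            ports[name] = []
        elif line == "#":
            name = None
        elif name:
            ports[name].append(line)
    pvid = f"port trunk pvid vlan {mgmt_vlan}"
    return [p for p, cmds in ports.items() if pvid in cmds
            and not any(c.startswith("port-isolate enable") for c in cmds)]

# Constructed samples, trimmed from the configuration commands shown on this page.
AC_OK = """
vlan pool sta-pool
 vlan 101 to 102
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
  ssid-profile wlan-ssid
"""
# Constructed misconfiguration: the pool now also contains management VLAN 100.
AC_BAD = AC_OK.replace("vlan 101 to 102", "vlan 100 to 102")

SWITCH_PLAIN = """
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
"""
SWITCH_ISOLATED = SWITCH_PLAIN.replace("pvid vlan 100", "pvid vlan 100\n port-isolate enable group 1")

if __name__ == "__main__":
    print("tunnel overlaps:", tunnel_vlan_overlaps(AC_OK), tunnel_vlan_overlaps(AC_BAD))
    print("unisolated AP ports:", ap_ports_without_isolation(SWITCH_PLAIN, 100))
```

The parser strips leading whitespace, so it accepts both indented configuration files and copies whose indentation was lost in extraction.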

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure Switch_A and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 to GE0/0/3 on Switch_A to VLAN 100 (management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] port-isolate enable
[Switch_A-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects the AC to Switch_A to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


# Configure VLAN 101 (service VLAN), VLAN 102 (service VLAN) and VLANIF 102.
NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
[AC] vlan batch 101 102 200
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] quit
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.2 24
[AC-Vlanif200] quit

# Configure a default route on the AC.


[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.200.1

# Add GE0/0/2 that connects the AC to the Router to VLAN 200.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 10.23.200.1
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] dhcp select relay
[AC-Vlanif102] dhcp relay server-ip 10.23.200.1
[AC-Vlanif102] quit

# Configure the Router as a DHCP server to allocate IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta-ip-pool1
[Router-ip-pool-sta-ip-pool1] gateway-list 10.23.101.1
[Router-ip-pool-sta-ip-pool1] network 10.23.101.0 mask 24
[Router-ip-pool-sta-ip-pool1] quit
[Router] ip pool sta-ip-pool2
[Router-ip-pool-sta-ip-pool2] gateway-list 10.23.102.1
[Router-ip-pool-sta-ip-pool2] network 10.23.102.0 mask 24
[Router-ip-pool-sta-ip-pool2] quit
[Router] vlan batch 200
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.23.200.1 24
[Router-Vlanif200] dhcp select global
[Router-Vlanif200] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 200
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.200.2
[Router] ip route-static 10.23.102.0 24 10.23.200.2

Step 5 Configure a VLAN pool for service VLANs.

# Create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the VLAN
assignment algorithm to hash in the VLAN pool.

NOTE

This example uses the hash VLAN assignment algorithm, which is the default. If the default setting has
not been changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can add multiple VLANs
to a VLAN pool. As with VLAN 101 and VLAN 102, you need to create the corresponding VLANIF
interfaces and configure IP addresses and interface address pools for each VLAN you add.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 6 Configure the APs to go online.

# Create an AP group and add the APs to the AP group.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to AP group ap-group1. Assume that the
APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640. Configure names for the APs
based on the APs' deployment locations, so that you can know where the APs are deployed
from their names. For example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   5M:2S       -
1    60de-4474-9640 area_2 ap-group1 10.23.100.253 AP5030DN        nor   0   5M:4S       -
--------------------------------------------------------------------------------------------------
Total: 2

Step 7 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLANs, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 8 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 9 Verify the configuration.

After the service configuration is complete, run the display vap ssid wlan-net command. If
Status in the command output is displayed as ON, the VAPs have been successfully created
on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA2-PSK 0 wlan-net
1 area_2 0 1 60DE-4474-9640 ON WPA2-PSK 0 wlan-net
1 area_2 1 1 60DE-4474-9650 ON WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 4

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
--------------------------------------------------------------------------------------
STA MAC          AP ID Ap name  Rf/WLAN  Band  Type  Rx/Tx      RSSI  VLAN  IP address
--------------------------------------------------------------------------------------
e019-1dc7-1e08   0     area_1   1/1      5G    11n   38/64      -68   102   10.23.102.254
14cf-9202-13dc   1     area_2   0/1      2.4G  11n   3/34       -68   101   10.23.101.254
--------------------------------------------------------------------------------------
Total: 2 2.4G: 1 5G: 1

----End

Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
return

• Router configuration file


#
sysname Router
#
vlan batch 200
#
dhcp enable
#
ip pool sta-ip-pool1
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool sta-ip-pool2
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk

port trunk allow-pass vlan 200
#
ip route-static 10.23.101.0 255.255.255.0 10.23.200.2
ip route-static 10.23.102.0 255.255.255.0 10.23.200.2
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 102 200
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-pool sta-pool
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6

eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
#
return

5.14.3 Example for Configuring WLAN Services on a Large-Scale Network

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
On the large enterprise network shown in Figure 5-42, aggregation switch Switch_B connects
to access switch Switch_A and to the upstream Router. The enterprise needs to deploy a
WLAN, with as few changes to the current network structure as possible.
The enterprise requirements are as follows:
• A WLAN with the SSID guest is deployed in the lobby of the office building to provide
  wireless access services for visitors.
• A WLAN with the SSID employee is deployed in office areas to provide wireless access
  services for employees.


Figure 5-42 Networking diagram of configuring WLAN services on a large-scale network

[Figure not reproduced. Labels shown in the diagram:]
Internet
Router: GE2/0/0, VLANIF 201: 10.67.201.1/24
Switch_B: GE1/0/3, VLANIF 201: 10.67.201.2/24
          GE1/0/2, VLANIF 200: 10.45.200.2/24
          GE1/0/1
          VLANIF 100: 10.23.100.1/24
          VLANIF 101: 10.23.101.1/24
          VLANIF 102: 10.23.102.1/24
          VLANIF 103: 10.23.103.1/24
          VLANIF 104: 10.23.104.1/24
AC: GE0/0/1, VLAN 200: 10.45.200.1/24
Switch_A: GE0/0/1, GE0/0/2, GE0/0/3, GE0/0/4, GE0/0/5
Lobby: APs lobby_1 and lobby_2 with STAs; Management VLAN: 100; Service VLAN: sta-pool1
Office area: APs office2_1 and office2_2 with STAs; Management VLAN: 100; Service VLAN: sta-pool2

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Switch_A and Switch_B to implement Layer 2 interconnection and configure
Switch_B, Router, and AC to implement Layer 3 interconnection.
2. Configure the Router as a DHCP server to assign IP addresses from a global address
pool to STAs and APs.
3. Configure a VLAN pool for service VLANs.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.


b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline so that the APs
can go online properly.
5. Configure WLAN service parameters for STAs to access the WLAN.

Table 5-12 Data planning

Item                            Data

DHCP server                     Router functions as a DHCP server to allocate IP addresses to the
                                STAs and APs.

IP address pool for the APs     10.23.100.2-10.23.100.254/24

IP address pool for the STAs    • IP addresses for visitors:
                                  10.23.101.2-10.23.101.254/24
                                  10.23.102.2-10.23.102.254/24
                                • IP addresses for enterprise users:
                                  10.23.103.2-10.23.103.254/24
                                  10.23.104.2-10.23.104.254/24

VLAN pool                       • Name: sta-pool1
                                  Assigns IP addresses to visitors.
                                  VLAN 101 and VLAN 102 are added to the VLAN pool.
                                • Name: sta-pool2
                                  Assigns IP addresses to enterprise employees.
                                  VLAN 103 and VLAN 104 are added to the VLAN pool.

AC's source interface address   VLANIF 200: 10.45.200.1/24

AP group                        Name: guest
                                Referenced profile: VAP profile guest and regulatory domain
                                profile domain1

                                Name: employee
                                Referenced profile: VAP profile employee and regulatory domain
                                profile domain1

Regulatory domain profile       Name: domain1
                                Country code: CN

SSID profile                    Name: guest
                                SSID name: guest

                                Name: employee
                                SSID name: employee

Security profile                Name: guest
                                • Security policy: WPA2+PSK+AES
                                • Password: a1234567

                                Name: employee
                                • Security policy: WPA2+PSK+AES
                                • Password: b1234567

VAP profile                     Name: guest
                                • Forwarding mode: direct forwarding
                                • Service VLAN: sta-pool1
                                • Referenced profile: SSID profile guest and security profile
                                  guest

                                Name: employee
                                • Forwarding mode: direct forwarding
                                • Service VLAN: sta-pool2
                                • Referenced profile: SSID profile employee and security
                                  profile employee


NOTE

• For details about common WLAN configuration notes, see 2 General Precautions for WLAN. For
  more deployment and configuration suggestions, see 3 Wireless Network Deployment and
  Configuration Suggestions.
• In this example, Switch_A is a Huawei fixed switch, and Switch_B is a Huawei modular switch.
• When a VLAN pool is used to provide service VLANs on a large network, many VLANs are usually
  added to the VLAN pool, and interfaces of many devices need to be added to these VLANs. In this
  situation, quite a lot of broadcast domains are created if you configure the direct forwarding mode.
  To reduce the number of broadcast domains, set the data forwarding mode to direct forwarding.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In addition,
  wireless links are unstable. To ensure stable transmission of multicast packets, they are usually sent
  at low rates. If a large number of such multicast packets are sent from the network side, the air
  interfaces may be congested. You are advised to configure multicast packet suppression to reduce
  impact of a large number of low-rate multicast packets on the wireless network. Exercise caution
  when configuring the rate limit; otherwise, the multicast services may be affected.
    • In direct forwarding mode, you are advised to configure multicast packet suppression on
      switch interfaces connected to APs.
    • In tunnel forwarding mode, you are advised to configure multicast packet suppression in
      traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast Packet
  Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless
  Network?" in WLAN QoS Configuration of the Configuration Guide - WLAN-AC of the
  corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port isolation is
  not configured and direct forwarding is used, a large number of unnecessary broadcast packets may
  be generated in the VLAN, blocking the network and degrading user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. Only
  packets from the management VLAN are transmitted between the AC and APs. Packets from the
  service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure networking parameters.


# Configure access switch Switch_A. Add GE0/0/1 to GE0/0/5 to VLAN 100 (management
VLAN), GE0/0/1 and GE0/0/2 to VLAN 101 and VLAN 102 (service VLANs), and GE0/0/3
and GE0/0/4 to VLAN 103 and VLAN 104 (service VLANs).
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 104
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 102
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 102

[Switch_A-GigabitEthernet0/0/2] port-isolate enable
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 103 to 104
[Switch_A-GigabitEthernet0/0/3] port-isolate enable
[Switch_A-GigabitEthernet0/0/3] quit
[Switch_A] interface gigabitethernet 0/0/4
[Switch_A-GigabitEthernet0/0/4] port link-type trunk
[Switch_A-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 103 to 104
[Switch_A-GigabitEthernet0/0/4] port-isolate enable
[Switch_A-GigabitEthernet0/0/4] quit
[Switch_A] interface gigabitethernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 100 to 104
[Switch_A-GigabitEthernet0/0/5] quit

# Configure aggregation switch Switch_B. Add GE1/0/1 to VLANs 100 through 104,
GE1/0/2 to VLAN 200, and GE1/0/3 to VLAN 201.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 104 200 201
[Switch_B] interface gigabitethernet 1/0/1
[Switch_B-GigabitEthernet1/0/1] port link-type trunk
[Switch_B-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 to 104
[Switch_B-GigabitEthernet1/0/1] quit
[Switch_B] interface gigabitethernet 1/0/2
[Switch_B-GigabitEthernet1/0/2] port link-type trunk
[Switch_B-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[Switch_B-GigabitEthernet1/0/2] quit
[Switch_B] interface gigabitethernet 1/0/3
[Switch_B-GigabitEthernet1/0/3] port link-type trunk
[Switch_B-GigabitEthernet1/0/3] port trunk allow-pass vlan 201
[Switch_B-GigabitEthernet1/0/3] quit

# Create VLANIF interfaces VLANIF 100 to VLANIF 104, VLANIF 200, and VLANIF 201
on Switch_B and configure their IP addresses. VLANIF 100 works as the gateway of APs.
VLANIF 101 and VLANIF 102 work as the gateways of visitors while VLANIF 103 and
VLANIF 104 work as the gateways of enterprise employees. Switch_B uses VLANIF 200 to
communicate with the AC and VLANIF 201 to communicate with Router.
[Switch_B] interface vlanif 100
[Switch_B-Vlanif100] ip address 10.23.100.1 24
[Switch_B-Vlanif100] quit
[Switch_B] interface vlanif 101
[Switch_B-Vlanif101] ip address 10.23.101.1 24
[Switch_B-Vlanif101] quit
[Switch_B] interface vlanif 102
[Switch_B-Vlanif102] ip address 10.23.102.1 24
[Switch_B-Vlanif102] quit
[Switch_B] interface vlanif 103
[Switch_B-Vlanif103] ip address 10.23.103.1 24
[Switch_B-Vlanif103] quit
[Switch_B] interface vlanif 104
[Switch_B-Vlanif104] ip address 10.23.104.1 24
[Switch_B-Vlanif104] quit
[Switch_B] interface vlanif 200
[Switch_B-Vlanif200] ip address 10.45.200.2 24
[Switch_B-Vlanif200] quit
[Switch_B] interface vlanif 201
[Switch_B-Vlanif201] ip address 10.67.201.2 24
[Switch_B-Vlanif201] quit

# On the AC, add GE0/0/1 connected to Switch_B to VLAN 200.

<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 101 to 104 200
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.45.200.1 24
[AC-Vlanif200] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[AC-GigabitEthernet0/0/1] quit

# Add GE2/0/0 on Router to VLAN 201 and configure an IP address for VLANIF 201 so that
Router can communicate with Switch_B.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 201
[Router] interface vlanif 201
[Router-Vlanif201] ip address 10.67.201.1 24
[Router-Vlanif201] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 201
[Router-GigabitEthernet2/0/0] quit

# Configure routes from the Router to Switch_B.


[Router] ip route-static 10.23.100.0 24 10.67.201.2
[Router] ip route-static 10.23.101.0 24 10.67.201.2
[Router] ip route-static 10.23.102.0 24 10.67.201.2
[Router] ip route-static 10.23.103.0 24 10.67.201.2
[Router] ip route-static 10.23.104.0 24 10.67.201.2

# Configure a default route on Switch_B with the next hop set to the Router's VLANIF 201.
[Switch_B] ip route-static 0.0.0.0 0.0.0.0 10.67.201.1

# Configure a route on the AC with the next hop as Switch_B's VLANIF 200.
[AC] ip route-static 10.23.100.0 24 10.45.200.2

Step 3 Configure a DHCP server to allocate IP addresses to APs and STAs.


# Configure Switch_B as a DHCP relay agent.
[Switch_B] dhcp enable
[Switch_B] interface vlanif 100
[Switch_B-Vlanif100] dhcp select relay
[Switch_B-Vlanif100] dhcp relay server-ip 10.67.201.1
[Switch_B-Vlanif100] quit
[Switch_B] interface vlanif 101
[Switch_B-Vlanif101] dhcp select relay
[Switch_B-Vlanif101] dhcp relay server-ip 10.67.201.1
[Switch_B-Vlanif101] quit
[Switch_B] interface vlanif 102
[Switch_B-Vlanif102] dhcp select relay
[Switch_B-Vlanif102] dhcp relay server-ip 10.67.201.1
[Switch_B-Vlanif102] quit
[Switch_B] interface vlanif 103
[Switch_B-Vlanif103] dhcp select relay
[Switch_B-Vlanif103] dhcp relay server-ip 10.67.201.1
[Switch_B-Vlanif103] quit
[Switch_B] interface vlanif 104
[Switch_B-Vlanif104] dhcp select relay
[Switch_B-Vlanif104] dhcp relay server-ip 10.67.201.1
[Switch_B-Vlanif104] quit

# Configure the Router as a DHCP server to allocate IP addresses to APs and STAs. If the AP
and AC communicate through a Layer 3 network, configure Option 43 to notify the AP of the
AC's IP address.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[Router] dhcp enable
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] option 43 sub-option 3 ascii 10.45.200.1
[Router-ip-pool-ap] quit
[Router] ip pool sta1
[Router-ip-pool-sta1] network 10.23.101.0 mask 24
[Router-ip-pool-sta1] gateway-list 10.23.101.1
[Router-ip-pool-sta1] quit
[Router] ip pool sta2
[Router-ip-pool-sta2] network 10.23.102.0 mask 24
[Router-ip-pool-sta2] gateway-list 10.23.102.1
[Router-ip-pool-sta2] quit
[Router] ip pool sta3
[Router-ip-pool-sta3] network 10.23.103.0 mask 24
[Router-ip-pool-sta3] gateway-list 10.23.103.1
[Router-ip-pool-sta3] quit
[Router] ip pool sta4
[Router-ip-pool-sta4] network 10.23.104.0 mask 24
[Router-ip-pool-sta4] gateway-list 10.23.104.1
[Router-ip-pool-sta4] quit
[Router] interface vlanif 201
[Router-Vlanif201] dhcp select global
[Router-Vlanif201] quit
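
The option 43 sub-option 3 ascii 10.45.200.1 command above places the AC address in DHCP Option 43 as a sub-option TLV (code, length, value). The following added example, which is not part of the Huawei guide, builds that payload and checks an Option 43 value captured on the management VLAN against the planned AC address. The function names, the comma-separated form for several addresses, and the sample payloads are assumptions made for illustration.

```python
import ipaddress

AC_SUBOPTION = 3                 # sub-option number used in the option 43 command
APPROVED_ACS = {"10.45.200.1"}   # AC source interface address from Table 5-12


def encode_option43(ac_addresses):
    """Build the Option 43 payload: one TLV of (code, length, ASCII value)."""
    # Assumption: several AC addresses are joined with commas in one string.
    value = ",".join(str(ipaddress.IPv4Address(a)) for a in ac_addresses)
    data = value.encode("ascii")
    if not data or len(data) > 255:
        raise ValueError("value must fit the one-byte length field")
    return bytes([AC_SUBOPTION, len(data)]) + data


def parse_option43(payload):
    """Split an Option 43 payload into {sub-option code: raw value bytes}."""
    subopts, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated sub-option header at offset %d" % pos)
        code, length = payload[pos], payload[pos + 1]
        end = pos + 2 + length
        if end > len(payload):
            raise ValueError("sub-option %d overruns the payload" % code)
        subopts[code] = payload[pos + 2:end]
        pos = end
    return subopts


def check_offer(payload, approved=APPROVED_ACS):
    """Return findings for one captured Option 43 payload; [] means it matches the plan."""
    try:
        raw = parse_option43(payload).get(AC_SUBOPTION)
    except ValueError as exc:
        return ["malformed option 43: %s" % exc]
    if raw is None:
        return ["sub-option %d missing" % AC_SUBOPTION]
    findings = []
    for item in raw.decode("ascii", errors="replace").split(","):
        try:
            addr = str(ipaddress.IPv4Address(item.strip()))
        except ValueError:
            findings.append("unparseable AC address %r" % item)
            continue
        if addr not in approved:
            findings.append("unapproved AC address %s" % addr)
    return findings


if __name__ == "__main__":
    # Constructed payloads: the planned value, an unplanned AC, a truncated TLV.
    planned = encode_option43(["10.45.200.1"])
    samples = [planned, encode_option43(["10.45.200.9"]), b"\x03\x20short"]
    for sample in samples:
        print(sample.hex(), check_offer(sample) or "OK")
```
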

Step 4 Configure a VLAN pool for service VLANs.


# Create VLAN pools sta-pool1 and sta-pool2. Add VLAN 101 and VLAN 102 to VLAN
pool sta-pool1, and VLAN 103 and VLAN 104 to VLAN pool sta-pool2. Set the VLAN
assignment algorithm to hash for the two VLAN pools.

NOTE

This example uses the hash VLAN assignment algorithm, which is the default. If the default setting has
not been changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can add multiple VLANs
to a VLAN pool. For each additional VLAN, as for VLAN 101 and VLAN 102, you need to create the
corresponding VLANIF interface and configure its IP address on Switch_B, and configure interface address
pools on Router.
[AC] vlan pool sta-pool1
[AC-vlan-pool-sta-pool1] vlan 101 102
[AC-vlan-pool-sta-pool1] assignment hash
[AC-vlan-pool-sta-pool1] quit
[AC] vlan pool sta-pool2
[AC-vlan-pool-sta-pool2] vlan 103 104
[AC-vlan-pool-sta-pool2] assignment hash
[AC-vlan-pool-sta-pool2] quit

Step 5 Configure the APs to go online.


# Create AP groups guest and employee.
[AC] wlan
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] quit


# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 200

# Import the APs offline on the AC. Add APs deployed in the lobby to AP group guest and
APs in office areas to AP group employee. Name the APs after their deployment locations
so that each AP's location can be identified from its name. For example, if the AP with
MAC address 60de-4474-9640 is deployed in room 1 on the second floor of the office
building, name the AP office2-1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name lobby-1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC-wlan-ap-1] ap-name lobby-2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4474-9640
[AC-wlan-ap-2] ap-name office2-1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-2] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 60de-4474-9660
[AC-wlan-ap-3] ap-name office2-2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-3] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit

# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [4]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------------
0 60de-4474-9640 office2-1 employee 10.23.100.253 AP5030DN nor 0 2H:30M:1S -
1 60de-4474-9660 office2-2 employee 10.23.100.251 AP5030DN nor 0 2H:35M:2S -
2 60de-4476-e360 lobby-1 guest 10.23.100.254 AP5030DN nor 0 2H:29M:29S -
3 60de-4476-e380 lobby-2 guest 10.23.100.252 AP5030DN nor 0 2H:34M:11S -
----------------------------------------------------------------------------------------------------
Total: 4

Step 6 Configure WLAN service parameters.


# Create security profiles guest and employee and configure the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and passwords to a1234567 and b1234567,
respectively. In actual situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name guest
[AC-wlan-sec-prof-guest] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-guest] quit
[AC-wlan-view] security-profile name employee
[AC-wlan-sec-prof-employee] security wpa2 psk pass-phrase b1234567 aes
[AC-wlan-sec-prof-employee] quit

# Create SSID profiles guest and employee, and set the SSID names to guest and employee,
respectively.
[AC-wlan-view] ssid-profile name guest
[AC-wlan-ssid-prof-guest] ssid guest
[AC-wlan-ssid-prof-guest] quit
[AC-wlan-view] ssid-profile name employee
[AC-wlan-ssid-prof-employee] ssid employee
[AC-wlan-ssid-prof-employee] quit

# Create VAP profiles guest and employee, set the data forwarding mode and service
VLANs, and apply the security profiles and SSID profiles to the VAP profiles.
[AC-wlan-view] vap-profile name guest
[AC-wlan-vap-prof-guest] forward-mode direct-forward
[AC-wlan-vap-prof-guest] service-vlan vlan-pool sta-pool1
[AC-wlan-vap-prof-guest] security-profile guest
[AC-wlan-vap-prof-guest] ssid-profile guest
[AC-wlan-vap-prof-guest] quit
[AC-wlan-view] vap-profile name employee
[AC-wlan-vap-prof-employee] forward-mode direct-forward
[AC-wlan-vap-prof-employee] service-vlan vlan-pool sta-pool2
[AC-wlan-vap-prof-employee] security-profile employee

[AC-wlan-vap-prof-employee] ssid-profile employee
[AC-wlan-vap-prof-employee] quit

# Bind VAP profiles to the AP groups and apply the VAP profiles to radio 0 and radio 1 of the
APs.
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] vap-profile guest wlan 1 radio 0
[AC-wlan-ap-group-guest] vap-profile guest wlan 1 radio 1
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] vap-profile employee wlan 1 radio 0
[AC-wlan-ap-group-employee] vap-profile employee wlan 1 radio 1
[AC-wlan-ap-group-employee] quit

Step 7 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Verify the configuration.


After the service configuration is complete, run the display vap ssid guest and display vap
ssid employee commands. If Status in the command output is displayed as ON, the VAPs
have been successfully created on AP radios.
[AC-wlan-view] display vap ssid guest
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 lobby-1 0 1 60DE-4476-E360 ON WPA2-PSK 1 guest
0 lobby-1 1 1 60DE-4476-E370 ON WPA2-PSK 0 guest
1 lobby-2 0 1 60DE-4476-E380 ON WPA2-PSK 1 guest
1 lobby-2 1 1 60DE-4476-E390 ON WPA2-PSK 0 guest
-------------------------------------------------------------------------------
Total: 4
[AC-wlan-view] display vap ssid employee
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID SSID BSSID Status Auth type STA
--------------------------------------------------------------------------------

2 office2-1 0 1 employee 60DE-4474-9640 ON WPA2-PSK 0
2 office2-1 1 1 employee 60DE-4474-9650 ON WPA2-PSK 1
3 office2-2 0 1 employee 60DE-4474-9660 ON WPA2-PSK 0
3 office2-2 1 1 employee 60DE-4474-9670 ON WPA2-PSK 1
-------------------------------------------------------------------------------
Total: 4

Connect STAs to the WLANs with SSIDs guest and employee and enter the passwords
a1234567 and b1234567 respectively. Run the display station ssid guest and display station
ssid employee commands on the AC. The command output shows that the STAs are
connected to the WLANs guest and employee.
[AC-wlan-view] display station ssid guest
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------
581f-28fc-7ead 0 lobby-1 0/1 2.4G 11n 2/4 -53 101 10.23.101.254
------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
[AC-wlan-view] display station ssid employee
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------
e019-1dc7-1e08 2 office2-1 1/1 5G 11n 26/51 -61 102 10.23.103.254
------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End
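
The Switch_A port settings from Step 2 and the port isolation advice in the NOTE can be checked against a saved configuration. This added example, which is not part of the Huawei guide, parses a VRP-style configuration and reports trunk ports that pass VLANs that were never created or lie outside the plan, and AP-facing ports without port isolation. The sample configuration is constructed with three seeded faults, and treating a port whose PVID is VLAN 100 as AP-facing is an assumption taken from this example's layout.

```python
MGMT_VLAN = 100                        # management VLAN in this example
PLANNED_VLANS = set(range(100, 105))   # VLAN 100 plus service VLANs 101 to 104

# Constructed sample modelled on the Switch_A file, with three seeded faults:
# VLAN 104 not created, GE0/0/3 without port isolation, GE0/0/5 passing VLAN 105.
SAMPLE_CONFIG = """\
#
sysname Switch_A
#
vlan batch 100 to 103
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 102
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 103 to 104
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 100 to 105
#
return
"""


def expand_vlans(spec):
    """Expand a VLAN list such as '100 103 to 104' into a set of integers."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def parse_config(text):
    """Return (created VLANs, {interface name: settings}) from a config dump."""
    created, ports, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            current = None                      # '#' closes the current view
        elif line.startswith("vlan batch "):
            created |= expand_vlans(line[len("vlan batch "):])
        elif line.startswith("interface "):
            current = ports.setdefault(
                line.split(None, 1)[1],
                {"pvid": None, "allowed": set(), "isolated": False})
        elif current is not None:
            if line.startswith("port trunk pvid vlan "):
                current["pvid"] = int(line.rsplit(None, 1)[1])
            elif line.startswith("port trunk allow-pass vlan "):
                current["allowed"] |= expand_vlans(
                    line[len("port trunk allow-pass vlan "):])
            elif line.startswith("port-isolate enable"):
                current["isolated"] = True
    return created, ports


def audit(text, planned=PLANNED_VLANS, mgmt_vlan=MGMT_VLAN):
    """Return a list of (interface, issue, vlans) findings; [] means clean."""
    created, ports = parse_config(text)
    findings = []
    for name, port in sorted(ports.items()):
        missing = sorted(port["allowed"] - created)
        if missing:
            findings.append((name, "vlan-not-created", missing))
        extra = sorted(port["allowed"] - planned)
        if extra:
            findings.append((name, "vlan-outside-plan", extra))
        # Assumption: AP-facing ports are the ones whose PVID is the management VLAN.
        if port["pvid"] == mgmt_vlan and not port["isolated"]:
            findings.append((name, "no-port-isolation", []))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
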

Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 104
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 103 to 104
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 103 to 104

port-isolate enable group 1
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 100 to 104
#
return
• Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 104 200 201
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.67.201.1
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.67.201.1
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.67.201.1
#
interface Vlanif103
ip address 10.23.103.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.67.201.1
#
interface Vlanif104
ip address 10.23.104.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.67.201.1
#
interface Vlanif200
ip address 10.45.200.2 255.255.255.0
#
interface Vlanif201
ip address 10.67.201.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 104
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 201
#
ip route-static 0.0.0.0 0.0.0.0 10.67.201.1
#
return
• Router configuration file
#
sysname Router
#
vlan batch 201
#
dhcp enable

#
ip pool ap
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.45.200.1
#
ip pool sta1
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool sta2
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
#
ip pool sta3
gateway-list 10.23.103.1
network 10.23.103.0 mask 255.255.255.0
#
ip pool sta4
gateway-list 10.23.104.1
network 10.23.104.0 mask 255.255.255.0
#
interface Vlanif201
ip address 10.67.201.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 201
#
ip route-static 10.23.100.0 255.255.255.0 10.67.201.2
ip route-static 10.23.101.0 255.255.255.0 10.67.201.2
ip route-static 10.23.102.0 255.255.255.0 10.67.201.2
ip route-static 10.23.103.0 255.255.255.0 10.67.201.2
ip route-static 10.23.104.0 255.255.255.0 10.67.201.2
#
return
• AC configuration file
#
sysname AC
#
vlan batch 101 to 104 200
#
vlan pool sta-pool1
vlan 101 to 102
vlan pool sta-pool2
vlan 103 to 104
#
interface Vlanif200
ip address 10.45.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 101 to 104 200
#
ip route-static 10.23.100.0 255.255.255.0 10.45.200.2
#
capwap source interface vlanif200
#
wlan
security-profile name guest
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
security-profile name employee
security wpa2 psk pass-phrase %^%#H{1<-b]4~"*+Y:4-'/URy;$+,33UgQf)@9I(Yl]V%^%# aes
ssid-profile name guest
ssid guest
ssid-profile name employee

ssid employee
vap-profile name guest
service-vlan vlan-pool sta-pool1
ssid-profile guest
security-profile guest
vap-profile name employee
service-vlan vlan-pool sta-pool2
ssid-profile employee
security-profile employee
regulatory-domain-profile name domain1
ap-group name guest
regulatory-domain-profile domain1
radio 0
vap-profile guest wlan 1
radio 1
vap-profile guest wlan 1
ap-group name employee
regulatory-domain-profile domain1
radio 0
vap-profile employee wlan 1
radio 1
vap-profile employee wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name lobby-1
ap-group guest
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 1 type-id 35 ap-mac 60de-4476-e380 ap-sn 210235419610D2000066
ap-name lobby-2
ap-group guest
ap-id 2 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235554710CB000075
ap-name office2-1
ap-group employee
ap-id 3 type-id 35 ap-mac 60de-4474-9660 ap-sn 210235419610D2000097
ap-name office2-2
ap-group employee
#
return

5.14.4 Example for Configuring Seamless Channel Switching


Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.


Networking Requirements
An enterprise deploys WLAN area A to provide WLAN services. As shown in Figure 5-43,
AP1 and AP2 are directly connected to the switch, service data is directly forwarded in AC
bypass deployment mode, and the switch connects to the Internet through the egress route.
The enterprise requires that WLAN services not be interrupted even when the APs change
their working channels.


Figure 5-43 Networking diagram for configuring seamless channel switching
[Figure: network diagram showing the Intranet, Switch, AC, and AP1 and AP2 in areaA]

Configuration Roadmap
1. Configure basic WLAN services.
2. Configure seamless channel switching to improve WLAN service reliability so that
services are not interrupted even when APs change their working channels.

Table 5-13 Data plan

| Item | Data |
|---|---|
| DHCP server | Switch, which assigns IP addresses to STAs and APs |
| IP address pool for APs | 10.1.1.3-10.1.1.254/24 |
| IP address pool for STAs | 10.1.2.2-10.1.2.254/24 |
| Gateway address for APs | 10.1.1.1/24 |
| Gateway address for STAs | 10.1.2.1/24 |
| AC source interface | VLANIF100: 10.1.1.2/24 |
| AP group | Name: ap-group1; Referenced profile: 2G radio profile wlan-radio2g, VAP profile wlan-vap, and regulatory domain profile domain |
| Regulatory domain profile | Name: domain; Country code: CN |
| SSID profile | Name: wlan-ssid; SSID name: wlan-net |
| Security profile | Name: wlan-security; Security policy: WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-vap; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profile: SSID profile wlan-ssid and security profile wlan-security |
| 2G radio profile | Name: wlan-radio2g; Channel switch announcement: enabled; Channel switch announcement mode: continue-transmitting |

Configuration Notes
• For details about common WLAN configuration notes, see 2 General Precautions for
  WLAN. For more deployment and configuration suggestions, see 3 Wireless Network
  Deployment and Configuration Suggestions.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
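
The last two notes can be checked mechanically against saved configuration files. The following is an added example, not part of the original guide or any Huawei tooling: it flags AP-facing trunk ports without port isolation and tunnel-forwarding VAP profiles whose service VLAN equals the management VLAN. It assumes a port is AP-facing when its trunk PVID is the management VLAN (as in the examples in this guide); both sample configurations are constructed, and the profile lab-vap is hypothetical.

```python
import re

# A stanza starts at a line that opens a view. This also works on flattened
# listings (no indentation), which is how configuration files appear here.
VIEW_HEADER = re.compile(r"^(interface \S+|[\w-]+ name \S+|ap-id \d+.*|wlan)$")


def stanzas(config_text):
    """Yield (header, body_lines) for each view in a VRP-style configuration."""
    header, body = None, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#" or VIEW_HEADER.match(line):
            if header is not None:
                yield header, body
            header, body = (None if line == "#" else line), []
        elif header is not None:
            body.append(line)
    if header is not None:
        yield header, body


def ap_ports_without_isolation(switch_cfg, mgmt_vlan):
    """Return AP-facing trunk ports that lack 'port-isolate enable'.

    Assumption: a port is AP-facing when its trunk PVID is the management
    VLAN, which is how the examples in this guide configure AP ports."""
    missing = []
    for header, body in stanzas(switch_cfg):
        if not header.startswith("interface "):
            continue
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in body
        isolated = any(line.startswith("port-isolate enable") for line in body)
        if ap_facing and not isolated:
            missing.append(header.split()[1])
    return missing


def tunnel_vaps_on_mgmt_vlan(ac_cfg, mgmt_vlan):
    """Return tunnel-forwarding VAP profiles whose service VLAN is the
    management VLAN. A profile without a forward-mode line is treated as
    direct forwarding (assumed default)."""
    offenders = []
    for header, body in stanzas(ac_cfg):
        match = re.match(r"vap-profile name (\S+)$", header)
        if not match:
            continue
        tunnel = "forward-mode tunnel" in body
        service_vlans = [line.split()[-1] for line in body
                         if line.startswith("service-vlan vlan-id ")]
        if tunnel and str(mgmt_vlan) in service_vlans:
            offenders.append(match.group(1))
    return offenders


# Constructed sample: the Switch listing from this example with port isolation
# deliberately omitted on GigabitEthernet0/0/2.
SWITCH_CFG = """#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
"""

# Constructed sample: wlan-vap as planned in this example, plus a hypothetical
# lab-vap that tunnels traffic on the management VLAN.
AC_CFG = """#
capwap source interface vlanif100
#
wlan
vap-profile name wlan-vap
forward-mode direct-forward
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
vap-profile name lab-vap
forward-mode tunnel
service-vlan vlan-id 100
ssid-profile wlan-ssid
ap-group name ap-group1
radio 0
vap-profile wlan-vap wlan 1
#
return
"""

if __name__ == "__main__":
    print("AP ports missing port isolation:", ap_ports_without_isolation(SWITCH_CFG, 100))
    print("Tunnel VAPs on management VLAN:", tunnel_vaps_on_mgmt_vlan(AC_CFG, 100))
```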

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the switch and AC to enable the AC to communicate with the APs.
# Create VLAN100 (management VLAN) and VLAN101 (service VLAN) on the switch. Set
the link type of GE0/0/1 that connects the switch to AP1 and GE0/0/2 that connects the switch
to AP2 to trunk and PVID of the interfaces to 100, and configure the interfaces to allow
packets of VLAN100 and VLAN101 to pass. Set the link type of GE0/0/3 on the switch to
trunk, and configure the interface to allow packets of VLAN100 to pass.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2

[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] port-isolate enable
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects the AC to the switch to VLAN100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP function on the switch to allocate IP addresses to APs and STAs.
# Configure VLANIF100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.1.1.2
[Switch-Vlanif100] quit

# Configure VLANIF101 to use the interface address pool to allocate IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 4 Configure the APs to go online.


# Create an AP group and add the APs to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain
[AC-wlan-regulate-domain-domain] country-code cn
[AC-wlan-regulate-domain-domain] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.

[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.1.1.2 255.255.255.0
[AC-Vlanif100] quit
[AC] capwap source interface vlanif 100

# Import the APs offline on the AC and add AP1 and AP2 to the AP group ap-group1. In this
example, the MAC addresses of AP1 and AP2 are 60de-4476-e360 and dcd2-fc04-b500,
respectively. Configure names for the APs based on the APs' deployment locations, so that
you can know where the APs are located. For example, if AP1 with MAC address
60de-4476-e360 is deployed in area 1, name AP1 area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP          Type          State  STA  Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.1.1.253  AP6010DN-AGN  nor    0    10S     -
1   dcd2-fc04-b500  area_2  ap-group1  10.1.1.254  AP6010DN-AGN  nor    0    10S     -
--------------------------------------------------------------------------------------------------
Total: 2

Step 5 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the 2G radio profile wlan-radio2g and the 5G radio profile wlan-radio5g, and
configure the seamless channel switching function.

NOTE

The following example configures a 2G radio profile. The configuration of a 5G radio profile is similar.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] undo channel-switch announcement disable
[AC-wlan-radio-2g-prof-wlan-radio2g] channel-switch mode continue-transmitting
[AC-wlan-radio-2g-prof-wlan-radio2g] quit
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] undo channel-switch announcement disable
[AC-wlan-radio-5g-prof-wlan-radio5g] channel-switch mode continue-transmitting
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the 2G radio profile, 5G radio profile and VAP profile to the AP group and apply the
VAP profile to radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Verify the configuration.


The WLAN with SSID wlan-net is available for STAs connected to AP1 and AP2, and these
STAs can connect to the WLAN without authentication. When radio calibration for AP1 or
AP2 is implemented to change the channel of AP1 or AP2, service data forwarding for
wireless users in area A is not affected. You can run the display radio all command to check
working channels of all APs.
[AC-wlan-view] display radio all
CH/BW:Channel/Bandwidth
CE:Current EIRP (dBm)
ME:Max EIRP (dBm)
CU:Channel utilization
ST:Status
WM:Working Mode (normal/monitor/monitor dual-band-scan)
------------------------------------------------------------------------------------
AP ID  Name    RfID  Band  Type    ST  CH/BW    CE/ME  STA  CU   WM
------------------------------------------------------------------------------------
0      area_1  0     2.4G  bgn     on  11/20M   23/23  0    8%   normal
0      area_1  1     5G    an11ac  on  149/20M  23/23  0    7%   normal
1      area_2  0     2.4G  an11ac  on  1/20M    23/23  0    30%  normal
1      area_2  1     5G    an      on  149/20M  23/23  0    21%  normal
------------------------------------------------------------------------------------
Total:4

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.1.1.2
#
interface Vlanif101
ip address 10.1.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode direct-forward

service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain
radio-2g-profile name wlan-radio2g
ap-group name ap-group1
regulatory-domain-profile domain
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-vap wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 19 ap-mac dcd2-fc04-b500 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
#
return

5.14.5 Example for Configuring an Agile Distributed WLAN

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
A school plans to deploy a WLAN to cover its dormitory building. However, the dormitory
building has a high density of rooms, and WLAN signals are likely to attenuate severely when
passing through obstacles between rooms, such as walls.
As shown in Figure 5-44, the AC connects to a central AP through the switch, and the central
AP connects to and supplies PoE power for remote units (RUs). All RUs (one for each room)
and the central AP are uniformly managed by the AC to provide a high-quality WLAN.

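Figure 5-44 Agile distributed WLAN
[Figure: the Intranet connects to the AC; AC GE0/0/1 connects to Switch GE0/0/2; Switch GE0/0/1 connects to Central AP GE0/0/25; Central AP GE0/0/1 and GE0/0/2 connect to RUs ru_1 and ru_2, which serve the STAs in dormitory room 1 and dormitory room 2]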

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the central AP, RUs, Switch, AC, and upper-layer devices to communicate at
Layer 2.
2. Configure the AC as a DHCP server to assign IP addresses to the central AP, RUs, and
STAs.
3. Configure the central AP and RUs to go online.
a. Create an AP group and add the central AP and RUs that require the same
configuration to the group for unified configuration.
b. Configure AC system parameters, including the country code and source interface.
c. Configure the AP authentication mode and import the central AP and RUs offline
so that they can go online normally.
4. Configure WLAN service parameters for STAs to access the WLAN.

Table 5-14 Data planning

| Item | Data |
|---|---|
| DHCP server | The AC works as a DHCP server to assign IP addresses to the central AP, RUs, and STAs. |
| IP address pool for the central AP and RUs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for the STAs | 10.23.101.2-10.23.101.254/24 |
| IP address of the AC's source interface | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-vap and regulatory domain profile domain1 |
| Regulatory domain profile | Name: domain1; Country code: CN |
| SSID profile | Name: wlan-ssid; SSID name: wlan-net |
| Security profile | Name: wlan-security; Security policy: WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-vap; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-ssid and security profile wlan-security |

Configuration Notes
• For details about common WLAN configuration notes, see 2 General Precautions for
  WLAN. For more deployment and configuration suggestions, see 3 Wireless Network
  Deployment and Configuration Suggestions.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the AC and switch so that CAPWAP packets can be transmitted to the central AP
and RUs.

# Add GE0/0/1 that connects Switch to the AP to management VLAN 100 and add GE0/0/2
that connects Switch to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with upper-layer network devices.

# Configure the AC to communicate with upper-layer network devices according to your
network requirements (the configuration procedure is not provided here).

Step 4 Configure the AC as a DHCP server to assign IP addresses to the central AP, RUs, and STAs.

# Configure the AC as a DHCP server to allocate IP addresses to the central AP and RUs
from the IP address pool on VLANIF 100, and allocate IP addresses to STAs from the IP
address pool on VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the central AP and RUs to go online.


# Create an AP group to which the central AP and RUs with the same configuration can be
added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the central AP and RUs offline on the AC and add the central AP and RUs to the AP
group ap-group1. Assume that the central AP has the MAC address 68a8-2845-62fd and is
named central_AP, and two RUs have the MAC addresses fcb6-9897-c520 and
fcb6-9897-ca40, and are named rru_1 and rru_2.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 68a8-2845-62fd
[AC-wlan-ap-0] ap-name central_AP
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac fcb6-9897-c520
[AC-wlan-ap-1] ap-name rru_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac fcb6-9897-ca40
[AC-wlan-ap-2] ap-name rru_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit

# After the central AP and RUs are powered on, run the display ap all command to check
their states. If the State field displays nor, the central AP and RUs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------
ID   MAC            Name       Group     IP            Type        State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------
0    68a8-2845-62fd central_AP ap-group1 10.23.100.254 AD9430DN-24 nor   0   2M:25S -
1    fcb6-9897-c520 rru_1      ap-group1 10.23.100.253 R240D       nor   0   3M:5S  -
2    fcb6-9897-ca40 rru_2      ap-group1 10.23.100.252 R240D       nor   0   3M:14S -
--------------------------------------------------------------------------------------------
Total: 3

Step 6 Configure WLAN service parameters.

# Create the security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and the password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the RU radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the RU channel and
power in this example are for reference only. You need to configure the RU channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] calibrate auto-channel-select disable
[AC-wlan-radio-1/0] calibrate auto-txpower-select disable
[AC-wlan-radio-1/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/0] eirp 127
[AC-wlan-radio-1/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-1] radio 1
[AC-wlan-radio-1/1] calibrate auto-channel-select disable
[AC-wlan-radio-1/1] calibrate auto-txpower-select disable
[AC-wlan-radio-1/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/1] eirp 127
[AC-wlan-radio-1/1] quit
[AC-wlan-ap-1] quit

Step 8 Verify the configuration.


After the service configuration is complete, run the display vap ssid wlan-net command. If
Status in the command output displays as ON, the VAPs have been successfully created on
AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type STA SSID
--------------------------------------------------------------------------------
1     rru_1   0    1   FCB6-9897-C520 ON     WPA2-PSK  0   wlan-net
1     rru_1   1    1   FCB6-9897-C530 ON     WPA2-PSK  0   wlan-net
2     rru_2   0    1   FCB6-9897-CA40 ON     WPA2-PSK  0   wlan-net
2     rru_2   1    1   FCB6-9897-CA50 ON     WPA2-PSK  0   wlan-net
--------------------------------------------------------------------------------
Total: 4

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-----------------------------------------------------------------------------------------
STA MAC         AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-----------------------------------------------------------------------------------------
e019-1dc7-1e08  1     rru_1   1/1     5G   11n  46/59 -68  101  10.23.101.254
-----------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
- SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

- AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 52 ap-mac 68a8-2845-62fd ap-sn 2102350KGF10F8000012
  ap-name central_AP
  ap-group ap-group1
 ap-id 1 type-id 46 ap-mac fcb6-9897-c520 ap-sn 21500826402SF4900166
  ap-name rru_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
 ap-id 2 type-id 46 ap-mac fcb6-9897-ca40 ap-sn 21500826402SF4900207
  ap-name rru_2
  ap-group ap-group1
#
return
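
The following Python audit is an added example, not Huawei code. It reads the wlan section of a saved AC configuration (or a prompt-free command script) in the format shown above, lists the SSID, security policy and service VLAN that each AP-group radio carries, and flags settings to review. The sample input, its lab-security and guest-vap profiles and its ftp-mode line are constructed, and the function names are hypothetical.

```python
import re

# Pass-phrase printed in this guide's example; flag it wherever it is reused.
DOC_EXAMPLE_PSKS = {"a1234567"}
# Saved configurations wrap stored secrets in %^%# ... %^%#, as in the AC file above.
CIPHER_RE = re.compile(r"^%\^%#.*%\^%#$")
HEADER_RE = re.compile(r"^([\w-]+) name (\S+)$")
KINDS = {"security-profile": "security", "ssid-profile": "ssid",
         "vap-profile": "vap", "ap-group": "groups"}

# Constructed sample (placeholder ciphertext; lab-security, guest-vap and the
# ftp-mode line are hypothetical additions to the guide's profiles).
SAMPLE_CONFIG = """\
wlan
 ap update mode ftp-mode
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#CONSTRUCTED-CIPHERTEXT%^%# aes
 security-profile name lab-security
  security wpa2 psk pass-phrase a1234567 aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 ssid-profile name guest-ssid
  ssid guest-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 vap-profile name guest-vap
  service-vlan vlan-id 103
  ssid-profile guest-ssid
 ap-group name ap-group1
  radio 0
   vap-profile wlan-vap wlan 1
   vap-profile guest-vap wlan 2
  radio 1
   vap-profile wlan-vap wlan 1
"""

def parse_wlan(text):
    """Collect profiles, AP-group VAP bindings and the AP upgrade mode."""
    cfg = {"security": {}, "ssid": {}, "vap": {}, "groups": {}, "update-mode": None}
    kind = name = radio = None
    for raw in text.splitlines():
        line = raw.strip()
        words = line.split()
        header = HEADER_RE.match(line)
        if header or line == "#" or line.startswith("ap-id "):
            # A new section starts: track it only if it is one this audit reads.
            kind = KINDS.get(header.group(1)) if header else None
            name, radio = (header.group(2) if header else None), None
            if kind in ("security", "vap", "groups"):
                cfg[kind].setdefault(name, [] if kind == "groups" else {})
        elif words[:3] == ["ap", "update", "mode"] and len(words) == 4:
            cfg["update-mode"] = words[3]
        elif kind == "security" and words[:1] == ["security"]:
            psk = re.match(r"^security (\S+) psk pass-phrase (.+) (\S+)$", line)
            cfg[kind][name] = ({"policy": f"{psk.group(1)}-psk-{psk.group(3)}", "key": psk.group(2)}
                               if psk else {"policy": " ".join(words[1:]), "key": None})
        elif kind == "ssid" and words[:1] == ["ssid"] and len(words) > 1:
            cfg[kind][name] = line.split(None, 1)[1]
        elif kind == "vap" and len(words) == 2 and words[0] in ("ssid-profile", "security-profile"):
            cfg[kind][name][words[0]] = words[1]
        elif kind == "vap" and words[:2] == ["service-vlan", "vlan-id"] and len(words) == 3:
            cfg[kind][name]["service-vlan"] = words[2]
        elif kind == "groups" and words[:1] == ["radio"] and len(words) == 2:
            radio = words[1]
        elif kind == "groups" and words[:1] == ["vap-profile"] and len(words) >= 4:
            # File form nests the binding under "radio N"; the CLI form appends "radio N".
            on_radio = words[5] if words[4:5] == ["radio"] and len(words) == 6 else radio
            cfg[kind][name].append((on_radio, words[1], words[3]))
    return cfg

def audit(cfg):
    """Return (rows, findings): what each radio broadcasts, and what to review."""
    rows, findings = [], []
    if cfg["update-mode"] == "ftp-mode":
        findings.append("ap update mode ftp-mode: AP images and FTP credentials cross the network unencrypted")
    for sec_name, sec in sorted(cfg["security"].items()):
        key = sec.get("key")
        if key in DOC_EXAMPLE_PSKS:
            findings.append(f"security-profile {sec_name}: pass-phrase is the guide's example value")
        elif key is not None and not CIPHER_RE.match(key):
            findings.append(f"security-profile {sec_name}: pass-phrase stored in clear text")
    for group, bindings in sorted(cfg["groups"].items()):
        for radio, vap_name, wlan_id in bindings:
            vap = cfg["vap"].get(vap_name, {})
            ssid = cfg["ssid"].get(vap.get("ssid-profile"), "?")
            sec_name = vap.get("security-profile")
            policy = cfg["security"].get(sec_name, {}).get("policy", "unspecified")
            rows.append((group, radio, wlan_id, ssid, policy, vap.get("service-vlan", "?")))
            if sec_name is None:
                findings.append(f"vap-profile {vap_name} ({ssid}) on {group} radio {radio}: no explicit security-profile binding")
    return rows, findings

if __name__ == "__main__":
    rows, findings = audit(parse_wlan(SAMPLE_CONFIG))
    print(*rows, *findings, sep="\n")
```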


6 AP Management Configuration Guide

6.1 Licensing Requirements and Limitations for WLAN


Involved Network Elements
AP
- APs mentioned in this document are Huawei AP products. You are advised to use
  Huawei APs to connect to the AC.
- You can run the display ap-type all command to check the default AP types supported
  by the device.
- When central APs and RUs are used, ensure that their versions are the same. For
  example, if the central AP version is V200R007C10, the RU version must be
  V200R007C10.

Table 6-1 Mapping between switch versions and AP versions

Product Software Version   AP Software Version
V200R012C00                V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10,
                           V200R006C20, V200R006C10
V200R011C10                V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20,
                           V200R006C10
V200R011C00                V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00                V200R007C10, V200R006C20, V200R006C10
V200R009C00                V200R006C20, V200R006C10
V200R008C00                V200R005C30, V200R005C20, V200R005C10
V200R007                   V200R005C20, V200R005C10
V200R006                   V200R005C00

Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
- AP resource license-16AP for WLAN access controller
- AP resource license-64AP for WLAN access controller
- AP resource license-128AP for WLAN access controller
- AP resource license-512AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.

Version Requirements

Table 6-2 Products and minimum version supporting the WLAN service
Series                  Product Model      Minimum Version Required
S1700 series switches   -                  Not supported
S2700 series switches   -                  Not supported
S3700 series switches   -                  Not supported
S5700 series switches   S5720HI, S5730HI   S5720HI: V200R006
                                           S5730HI: V200R012
S6700 series switches   S6720HI            V200R012

6.2 Configuring AP Online Parameters (AP Provisioning View)
You can configure AP online parameters on an AC, including the AP name, group to which an
AP belongs, mode of obtaining an IP address, static IP address, gateway address, and AC IP
address list. You do not need to log in to APs one by one to configure these parameters.

You can configure AP online parameters in either of the following views:

- AP view
- AP provisioning view

You are advised to use the AP provisioning view to configure online parameters for a large
number of APs and the AP view to configure them for a single AP. This section describes
configuration in the AP provisioning view.

6.2.1 Configuring AP Online Parameters

Context
By default, no online parameter is configured in the AP provisioning view; that is, APs keep
their default online parameter configurations. You can run the display provision-ap
parameter-list command to view online parameter configurations in the AP provisioning
view.
After configurations are delivered to APs using the commit { ap-name ap-name |
ap-mac ap-mac-address | ap-id ap-id | ap-group ap-group-name | all } command, the
parameters displayed as - in the command output retain the default settings, and the other
parameters use the configured values.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run provision-ap

The AP provisioning view is displayed.


Step 4 Run ap-name ap-new-name

A name is configured for an AP.

By default, no AP name is configured.

NOTE

The new AP name cannot be the same as the existing AP name.

Step 5 Run ap-group ap-group

The AP group to which an AP belongs is modified.

By default, no AP group is configured.

Step 6 Run the address-mode { dhcp | static } command to configure the method used by an AP to
obtain an IPv4 address.

By default, the mode in which an AP obtains an IP address is not configured.

Step 7 (Optional) Run the ip-address ip-address { mask-length | mask } [ gateway gateway ]
command to configure a static IPv4 address and gateway for an AP.

By default, no static IPv4 address and gateway are configured for an AP.

NOTE

This step is performed only if APs obtain IP addresses in static mode.

Step 8 Run the ac-list ipv4-address &<1-4> command to configure an AC IPv4 address list for an
AP.

By default, no AC IPv4 address list is configured.

----End

Verifying the Configuration


- Run the display provision-ap parameter-list command to check parameter
  configurations in the AP provisioning view.

6.2.2 Delivering Configurations

Context
Configurations in the AP provisioning view are not automatically delivered to APs. You have
to manually deliver them to APs.

After the configuration is committed, the AP receives the configuration and compares the
configuration with its local configuration.
- If they are consistent, the AP does not process the received configuration.
- If they are different, the AP saves the committed configuration and automatically
  restarts, and the received configuration takes effect.


NOTE

If the name or static IP address of an AP is specified in the AP provisioning view, the configuration can be
delivered only to a single AP specified by its AP name or MAC address; it cannot be delivered to the APs in
an AP group.
If you commit configurations to a large number of APs simultaneously, some of the APs may fail to receive
the configurations. In this case, you are advised to commit the configurations again.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run provision-ap

The AP provisioning view is displayed.

Step 4 Run commit { ap-name ap-name | ap-mac ap-mac-address | ap-id ap-id |
ap-group ap-group-name | all }

The configurations are delivered to an AP, a group of APs, or all APs.

----End

6.2.3 Clearing Configurations

Context
Before re-configuring online parameters of APs in the AP provisioning view, clear existing
configurations. The cleared configurations cannot be restored. Exercise caution when you run
the following command.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run provision-ap

The AP provisioning view is displayed.

Step 4 Run clear configuration this

All configurations are cleared in the AP provisioning view.

----End


6.3 Configuring AP Online Parameters (AP View)


You can configure AP online parameters on an AC, including the AP name, group to which an
AP belongs, mode of obtaining an IP address, static IP address, gateway address, and AC IP
address list. You do not need to log in to APs one by one to configure these parameters.
You can configure AP online parameters in either of the following views:
- AP view
- AP provisioning view
You are advised to use the AP provisioning view to configure online parameters for a large
number of APs and the AP view to configure them for a single AP. This section describes
configuration in the AP view.

6.3.1 Configuring AP Online Parameters

Context
By default, no online parameters are configured on APs in the AP view. If AP online
parameters are configured in the AP view, run the display ap provision command to display
the configurations.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-id ap-id, ap-mac ap-mac, or ap-name ap-name
The AP view is displayed.
Step 4 Run ap-name ap-new-name
A name is configured for an AP.
By default, no AP name is configured for an AP.

NOTE

The new AP name cannot be the same as the existing AP name.

Step 5 Run ap-group ap-group


The AP group to which an AP belongs is modified.
By default, no AP group is configured.
Step 6 Run address-mode { dhcp | static }
The method used by an AP to obtain an IPv4 address is configured.
By default, the mode in which an AP obtains an IP address is not configured.


Step 7 (Optional) Run ip-address ip-address { mask-length | mask } [ gateway gateway ]

A static IPv4 address and gateway for an AP are configured.

By default, no static IPv4 address and gateway are configured for an AP.

NOTE

This step is performed only if APs obtain IP addresses in static mode.

Step 8 Run ac-list ipv4-address &<1-4>

An AC IPv4 address list for an AP is configured.

By default, no AC IPv4 address list is configured.

----End

Verifying the Configuration


- Run the display ap provision ap-id ap-id command to display the parameter
  configurations in the AP view.

6.4 Managing APs

6.4.1 Modifying AP Names

Context
When an AP name conflicts with another AP name or you need to change an AP name to a
more suitable name, you can modify the AP name.

You can also modify AP names in the AP provisioning view. For details, see 6.2.1
Configuring AP Online Parameters.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run ap-rename { ap-name name | ap-mac ap-mac-address | ap-id ap-id } new-name
ap-new-name

A new name is configured for an AP.

NOTE

The new AP name cannot be the same as the existing AP name.

----End


6.4.2 Modifying the AP Group to Which APs Belong

Context
If the current AP group is not applicable to an AP or the AP is added to an incorrect AP
group, you can modify configurations to add the AP to a new AP group.

NOTICE
Modifying the AP group results in AP restart and service interruption. Exercise caution when
performing this operation.

You can also modify AP groups in the AP provisioning view. For details, see 6.2.1
Configuring AP Online Parameters.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-regroup { ap-name ap-name | ap-id ap-id } new-group new-group-name
An AP is added to a new AP group.

NOTE

The AP group to which an AP is added must have been created using the ap-group name group-name
command.

----End

6.4.3 Configuring the Default Domain Name Suffix for APs


Context
Devices with the same system name may exist in different domains. In this case, you can
configure a fully qualified domain name (FQDN) for a device to uniquely identify it. The
FQDN of a device consists of the default domain name suffix and device name. You can
configure the default domain name suffix for a device.

Procedure
- Configure the default domain name suffix for an AP in the AP view.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  d. Run the ip domain-name domain-name command to configure the default domain
     name suffix.

     By default, no default domain name suffix is provided.

- Configure the default domain name suffix for APs in the AP group view.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Run the ap-group name group-name command to enter the AP group view.
  d. Run the ip domain-name domain-name command to configure the default domain
     name suffix.

     By default, no default domain name suffix is provided.

----End

6.4.4 Performing an In-Service Upgrade on APs

Context
To upgrade the functions or versions of an existing WLAN, perform an in-service upgrade on
APs on the WLAN.

In an in-service upgrade, an AP is already online. If the AP finds that its version is different
from the version of the AP upgrade file specified on the AC, the AP starts to upgrade its
version.

Unlike automatic upgrade, an in-service upgrade allows an AP to work properly without
affecting services. To minimize the impact of an AP upgrade, you are advised to configure
APs to download upgrade files in the daytime and reset the APs in batches at night. For
details about automatic upgrade, see 5.9.7 (Optional) Configuring Automatic Upgrade
When APs Go Online.

In an in-service upgrade, APs support the upgrade modes of single AP upgrade, upgrade
based on the AP type and upgrade based on the AP group.
- Upgrade of a single AP: allows you to upgrade a single AP to check whether the upgrade
  version can function properly. If the upgrade is successful, upgrade other APs in batches.
- AP upgrade based on the AP type: allows you to upgrade APs of the same type.
- AP upgrade based on the AP group: allows you to upgrade APs in the same AP group.

NOTE

- In an in-service upgrade, if APs fail to load the upgrade file and are reset, APs are upgraded
  automatically.
- Upgrading multiple APs in AC mode takes a long period of time. To reduce the service interruption
  time, you are advised to use the FTP or SFTP mode.

Prerequisites
The AP version file has been uploaded to the AC, SFTP server, or FTP server.


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run the following commands as required.


- AC mode
  Run ap update mode ac-mode
  The AP upgrade mode is set to AC mode.
  The default upgrade mode is ac-mode.
- FTP mode
  a. Run ap update mode ftp-mode
     The AP upgrade mode is set to FTP mode.
     The default upgrade mode is ac-mode.
  b. Run ap update ftp-server ip-address server-ip-address ftp-username ftp-username
     ftp-password cipher ftp-password
     Basic FTP information is configured.
     By default, no FTP server IP address is configured, the FTP server user name is
     anonymous, and the FTP server password is anonymous@huawei.com.
  c. Run ap update ftp-server max-connect-number max-connect-number
     The maximum number of APs to be upgraded simultaneously is configured.
     By default, a maximum of 50 APs can be upgraded simultaneously in FTP mode.
     NOTE

     An external FTP server can be used, which is recommended. The AC can also function as the FTP
     server.
     - When an external FTP server is used, the maximum number of APs that can be upgraded
       simultaneously is the configured max-connect-number.
     - If an AC is used as the FTP server, a maximum of five APs can be upgraded simultaneously
       even if the specified number is larger than five.
     When the AC functions as the FTP server, run the ap update ftp-server max-connect-number
     max-connect-number command to set the maximum number of APs that can be
     upgraded simultaneously. The value of max-connect-number is an integer ranging from 1 to
     5. During the upgrade, a maximum of 1 to 5 APs can be upgraded at a time until all APs are
     upgraded.
     If the configured number of APs to be upgraded simultaneously is larger than five, an error
     message will be displayed after the first five APs are upgraded. The remaining APs cannot
     be automatically upgraded. You have to repeat the command until all APs are upgraded.
     When the AC functions as an FTP server, the number of APs that can be upgraded
     simultaneously is reduced by the number of VTY users.
- SFTP mode
  a. Run ap update mode sftp-mode
     The AP upgrade mode is set to SFTP mode.
     The default upgrade mode is ac-mode.
  b. Run ap update sftp-server ip-address server-ip-address sftp-username sftp-username
     sftp-password cipher sftp-password
     Basic SFTP information is configured.
     By default, no SFTP server IP address is configured, the SFTP server user name is
     anonymous, and the SFTP server password is anonymous@huawei.com.
  c. Run ap update sftp-server max-connect-number max-connect-number
     The maximum number of APs to be upgraded simultaneously is configured.
     By default, a maximum of 50 APs can be upgraded simultaneously in SFTP mode.
     NOTE

     An external SFTP server can be used, which is recommended. The AC can also function as the SFTP
     server.
     - When an external SFTP server is used, the maximum number of APs that can be upgraded
       simultaneously is the configured max-connect-number.
     - If an AC is used as the SFTP server, a maximum of five APs can be upgraded
       simultaneously even if the specified number is larger than five.
     When the AC functions as the SFTP server, run the ap update sftp-server max-connect-number
     max-connect-number command to set the maximum number of APs that can be
     upgraded simultaneously. The value of max-connect-number is an integer ranging from 1 to
     5. During the upgrade, a maximum of 1 to 5 APs can be upgraded at a time until all APs are
     upgraded.
     If max-connect-number is set larger than 5, an error message will be displayed after the first
     five APs are upgraded. The remaining APs cannot be automatically upgraded. You have to
     repeat the command until all APs are upgraded.
     When the AC functions as an SFTP server, the number of APs that can be upgraded
     simultaneously is reduced by the number of VTY users.

Step 4 Configure in-service upgrade.


- Perform an in-service upgrade on a single AP.
  a. Run ap update load { ap-name ap-name | ap-mac ap-mac | ap-id ap-id }
     update-filename update-file-name
     The specified AP is upgraded.
  b. Run ap update reset { ap-name ap-name | ap-mac ap-mac | ap-id ap-id }
     The specified AP is reset for upgrade.
- Upgrade APs of the same AP type.
  a. Run ap update update-filename filename ap-type type-id [ ap-group ap-group-name ]
     The upgrade file name for APs of a type is specified.
  b. Run ap update multi-load ap-type type-id [ ap-group group-name | { ap-name
     ap-name | ap-id ap-id } &<1-10> ]
     APs are upgraded in batches based on the AP type.
  c. Run ap update multi-reset ap-type type-id [ ap-group group-name | { ap-name
     ap-name | ap-id ap-id } &<1-10> ]
     APs of the specified AP type are reset in batches.
- Upgrade APs in the specified AP group in batches.
  a. Run ap update update-filename filename ap-type type-id [ ap-group ap-group-name ]
     The upgrade file name for APs in an AP group is specified.
  b. Run ap update multi-load ap-group group-name [ { ap-name ap-name }
     &<1-10> | { ap-id ap-id } &<1-10> ]
     APs in the specified AP group are upgraded in batches.
  c. Run ap update multi-reset ap-group group-name [ { ap-name ap-name }
     &<1-10> | { ap-id ap-id } &<1-10> ]
     APs in the specified AP group are reset in batches.

----End

6.4.5 Configuring a Scheduled AP Upgrade Task

Context
You can configure a scheduled AP upgrade task to upgrade APs in a specified time period,
such as off-peak hours.
Similar to in-service upgrades, scheduled upgrades do not affect services. APs can properly
work during the upgrade file download. Different from in-service upgrades, scheduled
upgrade tasks can be pre-configured so that APs are upgraded at the specified time, without
the need to manually configure commands.

Prerequisites
The AP version file has been uploaded to the AC, SFTP server, or FTP server.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run the following commands as required.
- AC mode
  Run ap update mode ac-mode
  The AP upgrade mode is set to AC mode.
  The default upgrade mode is ac-mode.
- FTP mode
  a. Run ap update mode ftp-mode
     The AP upgrade mode is set to FTP mode.
     The default upgrade mode is ac-mode.
  b. Run ap update ftp-server ip-address server-ip-address ftp-username ftp-username
     ftp-password cipher ftp-password
     Basic FTP information is configured.
     By default, no FTP server IP address is configured, the FTP server user name is
     anonymous, and the FTP server password is anonymous@huawei.com.
  c. Run ap update ftp-server max-connect-number max-connect-number
     The maximum number of APs to be upgraded simultaneously is configured.
     By default, a maximum of 50 APs can be upgraded simultaneously in FTP mode.
     NOTE

     An external FTP server can be used, which is recommended. The AC can also function as the FTP
     server.
     - When an external FTP server is used, the maximum number of APs that can be upgraded
       simultaneously is the configured max-connect-number.
     - If an AC is used as the FTP server, a maximum of five APs can be upgraded simultaneously
       even if the specified number is larger than five.
     When the AC functions as the FTP server, run the ap update ftp-server max-connect-number
     max-connect-number command to set the maximum number of APs that can be
     upgraded simultaneously. The value of max-connect-number is an integer ranging from 1 to
     5. During the upgrade, a maximum of 1 to 5 APs can be upgraded at a time until all APs are
     upgraded.
     If the configured number of APs to be upgraded simultaneously is larger than five, an error
     message will be displayed after the first five APs are upgraded. The remaining APs cannot
     be automatically upgraded. You have to repeat the command until all APs are upgraded.
     When the AC functions as an FTP server, the number of APs that can be upgraded
     simultaneously is reduced by the number of VTY users.
- SFTP mode
  a. Run ap update mode sftp-mode
     The AP upgrade mode is set to SFTP mode.
     The default upgrade mode is ac-mode.
  b. Run ap update sftp-server ip-address server-ip-address sftp-username sftp-username
     sftp-password cipher sftp-password
     Basic SFTP information is configured.
     By default, no SFTP server IP address is configured, the SFTP server user name is
     anonymous, and the SFTP server password is anonymous@huawei.com.
  c. Run ap update sftp-server max-connect-number max-connect-number
     The maximum number of APs to be upgraded simultaneously is configured.
     By default, a maximum of 50 APs can be upgraded simultaneously in SFTP mode.
     NOTE

     An external SFTP server can be used, which is recommended. The AC can also function as the SFTP
     server.
     - When an external SFTP server is used, the maximum number of APs that can be upgraded
       simultaneously is the configured max-connect-number.
     - If an AC is used as the SFTP server, a maximum of five APs can be upgraded
       simultaneously even if the specified number is larger than five.
     When the AC functions as the SFTP server, run the ap update sftp-server max-connect-number
     max-connect-number command to set the maximum number of APs that can be
     upgraded simultaneously. The value of max-connect-number is an integer ranging from 1 to
     5. During the upgrade, a maximum of 1 to 5 APs can be upgraded at a time until all APs are
     upgraded.
     If max-connect-number is set larger than 5, an error message will be displayed after the first
     five APs are upgraded. The remaining APs cannot be automatically upgraded. You have to
     repeat the command until all APs are upgraded.
     When the AC functions as an SFTP server, the number of APs that can be upgraded
     simultaneously is reduced by the number of VTY users.


Step 4 Run ap update update-filename filename ap-type type-id [ ap-group ap-group-name ]


An upgrade file is configured for APs of a specified type.
Step 5 Configure a scheduled AP upgrade task.
Run the ap update schedule-task task-id task-id start-time start-time start-date stop-time
stop-time stop-date ap-type type-id [ ap-group group-name | { { ap-name ap-name }
&<1-10> } | { { ap-id ap-id } &<1-10> } ] or ap update schedule-task task-id task-id start-
time start-time start-date stop-time stop-time stop-date ap-group group-name command to
configure a scheduled AP upgrade task.

NOTE

• For scheduled AP upgrade tasks with the same start time, the task with a smaller task-id task-id is
executed preferentially.
• During the scheduled AP upgrade, if the time for task B is reached before task A is completed, task B
waits until task A is completed. Subsequent scheduled AP upgrade tasks wait in sequence until the
previous task is completed.
• When the time specified by stop-time stop-time stop-date is reached, ongoing upgrade tasks continue
until the upgrade is completed and those tasks waiting in queues stop.
• After APs in a scheduled upgrade task are all upgraded, the APs automatically restart. The APs that fail
the upgrade do not restart.
• After a scheduled AP upgrade task is configured, if the AP group or all APs are deleted, the task fails to
be executed, which is not recorded as upgrade failure information.
• If an AP is performing the automatic upgrade when you configure a scheduled AP upgrade task, the
upgrade continues until the upgrade is completed. APs that have not started the automatic upgrade will
not execute the automatic upgrade.

----End

6.4.6 Switching the Working Mode of an AP

Context
The working mode of an AP is configured on the AC and delivered to the AP. After a restart,
the AP will switch the working mode accordingly.
However, an AP cannot change its working mode through scheduled upgrade.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run the following commands as required.
• AC mode
Run ap update mode ac-mode
The AP upgrade mode is set to AC mode.
The default upgrade mode is ac-mode.


• FTP mode
a. Run ap update mode ftp-mode
The AP upgrade mode is set to FTP mode.
The default upgrade mode is ac-mode.
b. Run ap update ftp-server ip-address server-ip-address ftp-username ftp-username
ftp-password cipher ftp-password
Basic FTP information is configured.
By default, no FTP server IP address is configured, the FTP server user name is
anonymous, and the FTP server password is anonymous@huawei.com.
c. Run ap update ftp-server max-connect-number max-connect-number
The maximum number of APs to be upgraded simultaneously is configured.
By default, a maximum of 50 APs can be upgraded simultaneously in FTP mode.
NOTE

An external FTP server can be used, which is recommended. The AC can also function as the FTP
server.
■ When an external FTP server is used, the maximum number of APs that can be upgraded
simultaneously is the configured max-connect-number.
■ If an AC is used as the FTP server, a maximum of five APs can be upgraded simultaneously
even if the specified number is larger than five.
When the AC functions as the FTP server, run the ap update ftp-server max-connect-number
max-connect-number command to set the maximum number of APs that can be upgraded
simultaneously. The value of max-connect-number is an integer ranging from 1 to 5. During
the upgrade, a maximum of 1 to 5 APs can be upgraded at a time until all APs are upgraded.
If the configured number of APs to be upgraded simultaneously is larger than five, an error
message will be displayed after the first five APs are upgraded. The remaining APs cannot
be automatically upgraded. You have to repeat the command until all APs are upgraded.
When the AC functions as an FTP server, the number of APs that can be upgraded
simultaneously is reduced by the number of VTY users.
• SFTP mode
a. Run ap update mode sftp-mode
The AP upgrade mode is set to SFTP mode.
The default upgrade mode is ac-mode.
b. Run ap update sftp-server ip-address server-ip-address sftp-username sftp-username
sftp-password cipher sftp-password
Basic SFTP information is configured.
By default, no SFTP server IP address is configured, the SFTP server user name is
anonymous, and the SFTP server password is anonymous@huawei.com.
c. Run ap update sftp-server max-connect-number max-connect-number
The maximum number of APs to be upgraded simultaneously is configured.
By default, a maximum of 50 APs can be upgraded simultaneously in SFTP mode.


NOTE

An external SFTP server can be used, which is recommended. The AC can also function as the SFTP
server.
■ When an external SFTP server is used, the maximum number of APs that can be upgraded
simultaneously is the configured max-connect-number.
■ If an AC is used as the SFTP server, a maximum of five APs can be upgraded
simultaneously even if the specified number is larger than five.
When the AC functions as the SFTP server, run the ap update sftp-server max-connect-number
max-connect-number command to set the maximum number of APs that can be upgraded
simultaneously. The value of max-connect-number is an integer ranging from 1 to 5. During
the upgrade, a maximum of 1 to 5 APs can be upgraded at a time until all APs are upgraded.
If max-connect-number is set larger than 5, an error message will be displayed after the first
five APs are upgraded. The remaining APs cannot be automatically upgraded. You have to
repeat the command until all APs are upgraded.
When the AC functions as an SFTP server, the number of APs that can be upgraded
simultaneously is reduced by the number of VTY users.

Step 4 Configure upgrade.


Run the following commands as required.
• Perform an in-service upgrade on a single AP.
a. Run ap update load { ap-name ap-name | ap-mac ap-mac | ap-id ap-id } update-filename
update-file-name
The specified AP is upgraded.
• Upgrade APs of the same AP type.
a. Run ap update update-filename filename ap-type type-id [ ap-group ap-group-name ]
The upgrade file name for APs of a specified type is specified.
b. Run ap update multi-load ap-type type-id [ ap-group group-name | { ap-name
ap-name | ap-id ap-id } &<1-10> ]
APs are upgraded in batches based on the AP type.
• Upgrade APs in the specified AP group in batches.
a. Run ap update update-filename filename ap-type type-id [ ap-group ap-group-name ]
The upgrade file name for APs in an AP group is specified.
b. Run ap update multi-load ap-group group-name [ { ap-name ap-name }
&<1-10> | { ap-id ap-id } &<1-10> ]
APs in the specified AP group are upgraded in batches.
Step 5 Run provision-ap
The AP provisioning view is displayed.
Step 6 Run ap-mode { fat | cloud }
The AP working mode is configured.
By default, an AP works in Fit mode.
Step 7 Run commit { ap-name ap-name | ap-mac ap-mac-address | ap-id ap-id | ap-group ap-
group-name | all }


The configuration is committed, and the working mode of an AP or APs in an AP group is
switched.

----End

6.4.7 Resetting an AP

Context
If an AP cannot work properly after being upgraded, reset the AP. You can run the display ap
all command to check the AP State field to determine whether an AP is working properly. If
the State field displays name-conflicted, ver-mismatch, config, config-failed, committing,
or commit-failed, the AP is not working properly.

NOTICE
Exercise caution when resetting an AP because services on the AP will be interrupted.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group ap-group |
ap-type { type type-name | type-id type-id } }
APs are reset.

----End

6.4.8 Restoring the Factory Settings of an AP

Context
You can delete the current and historical user configurations and restore the factory settings of
APs.
When the configuration on an AP is incorrect or deleted, you can restore the factory settings
of the AP.

NOTICE
Restoring the factory settings of an AP will reset the AP and restore all the AP configurations
to factory settings.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap manufacturer-config { ap-name ap-name | ap-mac ap-mac | ap-id ap-id }
The factory settings of the specified AP are restored.

----End

6.4.9 Deleting an AP

Context
To disconnect an AP from the current AC or enable an AP to go online on another AC, you
can delete the AP from the current AC.

NOTICE
Deleting an AP will interrupt services of STAs connected to the AP. Exercise caution when
you delete an AP.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run undo ap { ap-name ap-name | ap-id ap-id | ap-mac ap-mac | ap-group group-name |
all }
An AP is deleted.

----End

6.4.10 Configuring an AC to Report STA Traffic Statistics and Online Duration on APs

Context
You can enable an AC to report information about STA traffic statistics and online duration on
APs to the eSight. After the function is enabled, the AC collects and reports the information to
the eSight when STAs go offline or roam within the AC, which facilitates data query on the
eSight.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run report-sta-info enable
An AC is enabled to report information about STA traffic statistics and online duration on
APs.
By default, an AC is disabled from reporting information about STA traffic statistics and
online duration on APs.

----End

6.4.11 Setting the Longitude and Latitude of an AP

Context
The longitude and latitude of an AP enable you to quickly view the AP location.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-id ap-id, or ap-mac ap-mac, or ap-name ap-name
The AP view is displayed.
Step 4 Run coordinate longitude { e | w } longitude-value latitude { s | n } latitude-value
The longitude and latitude of the AP are set.

----End

6.4.12 Verifying the AP Configuration

Procedure
• Run the display ap { all | ap-group ap-group } command to check AP information.
• Run the display ap update configuration command to check the AP upgrade
configuration.


• Run the display ap update status { all | downloading | failed | succeed | ap-name ap-name
| ap-id ap-id } command to check the AP upgrade progress.
• Run the display ap update schedule-task command to view information about
scheduled AP upgrade tasks.
• Run the display ap-type { all | id type-id | type ap-type } command to check
information about AP types.
• Run the display ap version { all | { ap-group ap-group-name | version-name version-name
} * } command to check information about AP versions.
• Run the display ap coordinate { all | ap-group ap-group-name } command to check
longitudes and latitudes of APs.
----End

6.5 Managing Wired Login for APs

Context
You can log in to an AP through the console port, STelnet, SFTP, or Telnet in wired mode.
When you do not need to log in to an AP, the login modes are disabled to ensure AP
security, which prevents unauthorized users from using these modes to log in. To log in to the AP,
enable one or more login modes.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap username username password cipher
The user name and password for AP login are configured.
By default, the user name is admin and the password is admin@huawei.com.
Step 4 (Optional) Configure AP login password policies.
1. Run the ap password policy command to enable the password policy function and enter
the AP password policy view.
By default, the AP login password policy function is disabled.
2. Run the password expire days command to set the password expiration time.
By default, the password validity period is 90 days.
3. Run the password alert before-expire days command to set the password expiration
prompt days.
By default, the number of password expiration prompt days is 30 days.
4. Run the password alert original command to enable the device to prompt users to
change initial passwords.


By default, the initial password change prompt function is enabled.


5. Run the password history record number number command to set the maximum
number of historical passwords recorded for each user.

By default, a maximum of five historical passwords are recorded for each user.
6. Run the quit command to return to the WLAN view.

Step 5 Run ap-system-profile name profile-name

An AP system profile is created, and the AP system profile view is displayed.

By default, the system provides the AP system profile default.

Step 6 Run undo stelnet server disable

The STelnet service function is enabled.

By default, the STelnet server function is enabled on an AP.

Step 7 (Optional) Run undo console disable

AP login through the console port is enabled.

By default, a user can log in to the AP through a console interface.

Step 8 (Optional) Run undo sftp server disable

The SFTP service function is enabled.

By default, the SFTP server function is enabled on an AP.

Step 9 (Optional) Run telnet enable

The Telnet service function is enabled.

By default, Telnet is disabled on an AP.

Step 10 Run quit

Return to the WLAN view.

Step 11 Bind an AP system profile to an AP group or AP.


• Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP group.
By default, the AP system profile default is bound to an AP group.
• Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP.
By default, no AP system profile is bound to an AP.

----End


Verifying the Configuration


• Run the display ap username [ ap-name ap-name | ap-id ap-id ] command to check the
user information for AP login.
• Run the display ap-system-profile { all | name profile-name } command to check
configuration and reference information about an AP system profile.
• Run the display references ap-system-profile name profile-name command to check
reference information about an AP system profile.

6.6 Managing Wireless Login for APs

Context
In addition to logging in through a wired interface, you can log in to an AP through Telnet
over WLANs. Currently, only the Telnet login mode is supported in wireless mode. To log in
to an AP through Telnet in wireless mode, set the VAP type to management AP, change the
STA's IP address to 169.254.2.x/24 (except 169.254.2.1; 169.254.2.100 is recommended), and
use Telnet to connect to the IP address of the AP.

NOTE

• If the type of a VAP is set to service, STAs connected to the VAP can only access network resources but
not APs. Service VAPs are used in regular WLAN deployment scenarios.
• If the type of a VAP is set to ap-management, STAs connected to the VAP can only access APs but not
network resources. AP management VAPs are used in STA access and AP management scenarios.
• If the type of a VAP is set to service-backup ap-offline, STAs can access the network through the
backup service VAP after the AP goes offline. For example, on a headquarters-branch network, when
APs at branches connect to the AC at the headquarters through a WAN, APs may go offline due to
WAN instability. You can configure a backup service VAP to allow new STAs to access the network if
the AP goes offline.
• If the type of a VAP is set to service-backup auth-server-down, the VAP is automatically enabled to
allow network access of associated STAs when the authentication server is not accessible. When the
authentication server recovers, this VAP is not automatically disabled. You can manually disable it if
needed. If the authentication server is accessible but rejects user access, this VAP is not automatically
enabled. You can manually enable it if needed. To enable or disable this VAP, run the
vap-service-backup auth-server-down command.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap username username password cipher
The user name and password for AP login are configured.
By default, the user name is admin and the password is admin@huawei.com.
Step 4 (Optional) Configure AP login password policies.
1. Run the ap password policy command to enable the password policy function and enter
the AP password policy view.


By default, the AP login password policy function is disabled.


2. Run the password expire days command to set the password expiration time.
By default, the password validity period is 90 days.
3. Run the password alert before-expire days command to set the password expiration
prompt days.
By default, the number of password expiration prompt days is 30 days.
4. Run the password alert original command to enable the device to prompt users to
change initial passwords.
By default, the initial password change prompt function is enabled.
5. Run the password history record number number command to set the maximum
number of historical passwords recorded for each user.
By default, a maximum of five historical passwords are recorded for each user.
6. Run the quit command to return to the WLAN view.
Step 5 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 6 Run telnet enable
The Telnet service function is enabled.
By default, Telnet is disabled on an AP.
Step 7 Run quit
Return to the WLAN view.
Step 8 Run vap-profile name profile-name
The VAP profile view is displayed.
By default, the system provides the VAP profile default.
Step 9 Run type ap-management
The VAP type is set to management AP.
By default, the type of a VAP is service.

NOTE

The VAP profile in which the VAP type is set to management AP can only be applied to one radio of an AP.

Step 10 Run quit


Return to the WLAN view.
Step 11 Bind an AP system profile and a VAP profile to an AP group or AP.
• Bind a VAP profile and an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP group.


By default, the AP system profile default is bound to an AP group.


c. Run the vap-profile profile-name wlan wlan-id radio { radio-id | all } command to
bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.
• Bind a VAP profile and an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP.
By default, no AP system profile is bound to an AP.
c. Run the vap-profile profile-name wlan wlan-id radio { radio-id | all } command to
bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.

----End

Verifying the Configuration


• Run the display ap username [ ap-name ap-name | ap-id ap-id ] command to check the
user information for AP login.
• Run the display ap-system-profile { all | name profile-name } command to check
configuration and reference information about an AP system profile.
• Run the display references ap-system-profile name profile-name command to check
reference information about an AP system profile.
• Run the display vap-profile { all | name profile-name } command to check
configuration and reference information about a VAP profile.
• Run the display references vap-profile name profile-name command to check reference
information about a VAP profile.

6.7 Configuring Offline Management and Antenna Alignment VAPs

Context
• APs are often installed in hidden places or at high positions. When an AP becomes
faulty, it is inconvenient to connect to the AP through a console port or network cable to
troubleshoot faults.
After the offline management VAP function is configured, if an AP goes offline
unexpectedly, maintenance personnel only need to set the IP address of a STA to
169.254.2.x/24 (except 169.254.2.1; 169.254.2.100 is recommended). After the STA
associates with the offline management VAP, maintenance personnel can connect the
STA to the AP in Telnet or STelnet mode to locate and rectify faults, removing the need to
connect to the AP through the console port or a network cable.
• During WDS/Mesh network deployment, you can configure antenna alignment VAPs for
WDS/Mesh nodes to facilitate antenna alignment between neighboring APs. During
onsite commissioning, you can use a mobile STA to access an antenna alignment VAP
and enable the WiFi Go app to obtain information such as RSSI of the peer AP radio.


Based on this information, you can easily complete antenna alignment. The SSID of the
generated antenna alignment VAP is hidden and will be automatically deleted 24 hours
after being created.

After the offline management VAP and antenna alignment VAP functions are configured, the
VAP generated when an AP goes offline is an offline management VAP. When the AP works
properly, the VAP generated in WDS/Mesh scenarios is an antenna alignment VAP.

Configure an offline management VAP and an antenna alignment VAP using either of the
following methods:
• Configure the default offline management VAP and antenna alignment VAP: After the
offline management VAP and antenna alignment VAP functions are enabled, the AP
automatically creates an offline management VAP when it goes offline unexpectedly.
When the AP works properly, the AP automatically creates an antenna alignment VAP in
WDS/Mesh scenarios. The default SSID and password of the antenna alignment VAP are
hw_manage_xxxx and hw_manage respectively. xxxx indicates the last four bits of the
AP's MAC address. For security purposes, you are advised to change the password of the
default SSID (hw_manage_xxxx) of the offline management VAP and antenna
alignment VAP.
• Create a new offline management VAP and a new antenna alignment VAP: Any
wireless user can use the default SSID and password to log in to an AP, leading to high
security risks. To improve security of the offline management VAP and antenna
alignment VAP, bind a security profile of a high security level to a VAP profile, set new
SSIDs and passwords, and configure the VAPs generated in the VAP profile as the
offline management VAP and antenna alignment VAP. In this case, the default offline
management VAP and antenna alignment VAP will not be created.

The procedure for configuring an offline management VAP is the same as that for configuring
an antenna alignment VAP.

Procedure
• Configure the default offline management VAP and antenna alignment VAP.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. Run the ap-system-profile name profile-name command to create an AP system
profile and enter the AP system profile view.

By default, the system provides the AP system profile default.


d. Run the undo temporary-management disable command to enable the offline
management VAP and antenna alignment VAP functions.

By default, offline management VAP and antenna alignment VAP functions are
enabled.
e. (Optional) Run the temporary-management psk command to change the password
for the default SSID (hw_manage_xxxx) of the offline management VAP and
antenna alignment VAP.

The default password of an offline management VAP or antenna alignment VAP is
hw_manage.
f. Run the quit command to return to the WLAN view.
g. Apply the AP system profile using any of the following methods:


■ Bind the AP system profile to an AP group.
1) Run the ap-group name group-name command to enter the AP group
view.
2) Run the ap-system-profile profile-name command to bind the AP system
profile to an AP group.
By default, the AP system profile default is bound to an AP group, but no
AP system profile is bound to an AP.
■ Bind the AP system profile to an AP.
1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
2) Run the ap-system-profile profile-name command to bind the AP system
profile to an AP.
By default, the AP system profile default is bound to an AP group, but no
AP system profile is bound to an AP.
• Create an offline management VAP and an antenna alignment VAP.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. Configure a security profile.
i. Run the security-profile name profile-name command to create a security
profile used by the offline management VAP and antenna alignment VAP and
enter the security profile view.
By default, security profiles default, default-wds, and default-mesh are
available in the system.
ii. Run the security { wpa | wpa2 | wpa-wpa2 } psk { pass-phrase | hex } key-
value { aes | tkip | aes-tkip } command to configure a security policy and a
key.
By default, the security policy is open system.
NOTE

The offline management VAP and antenna alignment VAP support only the WEP or WPA/WPA2
PSK authentication mode. You can run the security wep share-key and wep key
key-id { wep-40 | wep-104 | wep-128 } { pass-phrase | hex } key-value commands to
configure WEP authentication.
iii. Run the quit command to return to the WLAN view.
d. Configure an SSID profile.
i. Run the ssid-profile name profile-name command to create an SSID profile
and enter the SSID profile view.
By default, the system provides the SSID profile default.
ii. Run the ssid ssid command to configure an SSID name.
By default, the SSID HUAWEI-WLAN is configured in an SSID profile.
iii. Run the quit command to return to the WLAN view.
e. Configure a VAP profile, and bind it to the SSID profile and the security profile.
i. Run the vap-profile name profile-name command to create a VAP profile and
enter the VAP profile view.
By default, the system provides the VAP profile default.


ii. Run the temporary-management enable command to configure the VAPs as
an offline management VAP and an antenna alignment VAP.
By default, a VAP is a service VAP.
iii. Run the ssid-profile profile-name command to bind the SSID profile to the
VAP profile.
By default, the SSID profile default is bound to a VAP profile.
iv. Run the security-profile profile-name command to bind the security profile to
the VAP profile.
By default, the security profile default is bound to a VAP profile.
v. Run the quit command to return to the WLAN view.
f. Configure an AP system profile, and enable the offline management VAP and
antenna alignment VAP functions in the AP system profile.
i. Run the ap-system-profile name profile-name command to create an AP
system profile and enter the AP system profile view.
By default, the system provides the AP system profile default.
ii. Run the undo temporary-management disable command to enable the
offline management VAP and antenna alignment VAP functions.
By default, offline management VAP and antenna alignment VAP functions are
enabled.
iii. Run the quit command to return to the WLAN view.
g. Apply the VAP profile using any of the following methods:
NOTE

• VAPs 1 to 12 and VAP 15 are used for the offline management VAP and antenna alignment
VAP configuration. Before using these VAPs, ensure that they are not used by other WLAN
services.
• VAPs 13 and 14 are used for the WDS service. Before using these VAPs, ensure that they are
not used by other WLAN services.
• VAP 16 is used for the Mesh service. Before using this VAP, ensure that it is not used by other
WLAN services.
■ Bind the VAP profile to an AP group.
1) Run the ap-group name group-name command to enter the AP group
view.
2) Run the vap-profile profile-name wlan wlan-id radio { radio-id | all }
command to bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.
■ Bind the VAP profile to an AP.
1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
2) Run the vap-profile profile-name wlan wlan-id radio { radio-id | all }
command to bind the VAP profile to the radio.
By default, no VAP profile is bound to a radio.
■ Bind the VAP profile to radios of an AP group.
1) Run the ap-group name group-name command to enter the AP group
view.


2) Run the radio radio-id command to enter the radio view.


3) Run the vap-profile profile-name wlan wlan-id command to bind the
VAP profile to radios.
By default, no VAP profile is bound to a radio.
■ Bind the VAP profile to an AP radio.
1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
2) Run the radio radio-id command to enter the radio view.
3) Run the vap-profile profile-name wlan wlan-id command to bind the
VAP profile to radios.
By default, no VAP profile is bound to a radio.
h. Run the quit command until you return to the WLAN view.
i. Apply the AP system profile using any of the following methods:
■ Bind the AP system profile to an AP group.
  1) Run the ap-group name group-name command to enter the AP group
     view.
  2) Run the ap-system-profile profile-name command to bind the AP system
     profile to an AP group.
     By default, the AP system profile default is bound to an AP group, but no
     AP system profile is bound to an AP.
■ Bind the AP system profile to an AP.
  1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
     enter the AP view.
  2) Run the ap-system-profile profile-name command to bind the AP system
     profile to an AP.
     By default, the AP system profile default is bound to an AP group, but no
     AP system profile is bound to an AP.

----End

6.8 Configuring AP System Management

6.8.1 Configuring AP Indicators

Context
The states of AP indicators convey different information, which facilitates installation
and management. Configuring what the blinking of the Wireless indicator on APs reflects
lets installation personnel see the current signal strength or traffic status in real
time. However, blinking indicators on indoor APs deployed in hospitals and hotels may
disturb people's rest at night. You can therefore turn off AP indicators after the APs are
installed and running properly.


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run ap-system-profile name profile-name

An AP system profile is created, and the AP system profile view is displayed.

By default, the system provides the AP system profile default.

Step 4 Run led off [ time-range time-range-name ]

AP indicators are turned off, either at all times or only during the specified time range.

By default, AP indicators are allowed to turn on.

Step 5 Run quit

Return to the WLAN view.

Step 6 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name

A 2G or 5G radio profile is created and the radio profile view is displayed.

By default, the system provides the 2G radio profile default and 5G radio profile default.

Step 7 Run wifi-light { signal-strength | traffic }

The information reflected by the blinking frequency of the Wireless indicator on an AP is
configured.

By default:
• If the Mesh function is enabled on the AP, the blinking frequency of the Wireless LED
  reflects the weakest signal strength of all neighboring APs.
• If WDS is enabled on an AP, the blinking frequency of the Wireless LED reflects the
  strength of signals received from a WDS AP.
  – If the AP works in leaf mode, the blinking frequency of the Wireless LED reflects
    the strength of signals received from a middle AP.
  – If the AP works in middle mode, the blinking frequency of the Wireless LED
    reflects the strength of signals received from a root AP.
  – If the AP works in root mode, the blinking frequency of the Wireless LED reflects
    the weakest signal strength of middle APs.
• If the WDS and Mesh functions are disabled on an AP, the blinking frequency of the
  Wireless LED reflects the service traffic volume on the radio.

On a WDS network, you need to adjust AP locations and antenna directions to obtain strong
signals between WDS-capable APs. The blinking frequency of the Wireless LED shows the
signal strength.


NOTE

This command takes effect only when the AP has the WDS or Mesh function enabled. If the WDS and Mesh
functions are disabled on the AP, the Wireless LED always shows service traffic volume.
Only APs having Wireless LEDs support this command.

Step 8 Run quit

Return to the WLAN view.

Step 9 Bind an AP system profile and a radio profile to an AP group or AP.
• Binding an AP system profile and a radio profile to an AP group
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
     the AP group.
     By default, the AP system profile default is bound to an AP group.
  c. Run the radio-2g-profile profile-name { radio { radio-id | all } } or
     radio-5g-profile profile-name { radio { id | all } } command to bind the radio
     profile to the radio.
     By default, the 2G radio profile default is bound to the 2G radio, and the 5G radio
     profile default is bound to the 5G radio.
• Bind an AP system profile and a radio profile to an AP
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
     the AP.
     By default, no AP system profile is bound to an AP.
  c. Run the radio-2g-profile profile-name { radio { radio-id | all } } or
     radio-5g-profile profile-name { radio { id | all } } command to bind the radio
     profile to the radio.
     By default, the 2G radio profile default is bound to the 2G radio, and the 5G radio
     profile default is bound to the 5G radio.

----End

6.8.2 Configuring the USB Function on an AP

Context
When users need to save or transfer files using the USB interface provided on some APs, the
USB function can be enabled using the usb enable command. When the USB function is
enabled, the power consumption of the AP will increase, which may affect other functions.
You are advised to run the undo usb enable command to disable the USB function after using
it.

Procedure
Step 1 Run system-view
The system view is displayed.


Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run ap-system-profile name profile-name

An AP system profile is created, and the AP system profile view is displayed.

By default, the system provides the AP system profile default.

Step 4 Run usb enable

The USB function on the AP is enabled.

By default, the USB function on an AP is disabled.


NOTE

The USB function is supported only by the R250D-E, R251D-E, AP2051DN, AP2051DN-E, AP2050DN,
AP2050DN-E, AP4050DN-E, AP4051DN, AP4151DN, AP6052DN, AP7052DN, AP7152DN, AP7052DE,
AP6050DN, AP6150DN, AP7050DE, and AP7050DN-E.

Some AP functions may be affected after the USB function is enabled.


• The 2.4 GHz radio on the AP6150DN, AP6050DN, AP7050DE, and AP7050DN-E
  supports only dual spatial streams at most.
• The AP4050DN-E, AP2051DN-E, and R251D-E cannot provide PoE power supply.
• The USB function does not take effect when the AP2050DN, AP2050DN-E, R250D-E,
  AP2051DN, R251D-E, AP2051DN-E, AP4030TN, AP4050DN-E, AP4051DN,
  AP4151DN, AP4051TN, AP6050DN, AP6150DN, and AP7050DE use the IEEE
  802.3af PoE for power supply.

The affected AP functions are restored after the USB function is disabled.

Step 5 Run quit

Return to the WLAN view.

Step 6 Bind an AP system profile to an AP group or AP.


• Binding an AP system profile to an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
     the AP group.
     By default, the AP system profile default is bound to an AP group.
• Binding an AP system profile to an AP.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
     the AP.
     By default, no AP system profile is bound to an AP.

----End

6.8.3 Configuring the AP Channel Mode


Context
In scenarios where the boundary between indoor and outdoor areas is unclear, such as
subway and train platforms, it is recommended that outdoor APs be deployed. When a large
volume of data is transmitted, outdoor APs in outdoor channel mode do not have enough
channels to meet data transmission requirements. In this case, you can run the
channel-load-mode indoor command to set the channel mode of the APs to indoor mode, so
that data can be transmitted on more channels.

NOTE
This function is supported only by the AP8030DN, AP8130DN, AP8050DN, AP8050DN-S, AP8150DN,
AP8130DN-W, AP8050TN-HD, AP8082DN, and AP8182DN.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run regulatory-domain-profile name profile-name
A regulatory domain profile is created, and the regulatory domain profile view is displayed.
By default, the system provides the regulatory domain profile default.
Step 4 Run channel-load-mode indoor
The AP channel mode is set to indoor mode.
The default channel mode of an AP is outdoor mode.
Step 5 Run quit
Return to the WLAN view.
Step 6 Bind the regulatory domain profile to an AP group or AP.
• Binding the regulatory domain profile to an AP group
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the regulatory-domain-profile profile-name command to bind the regulatory
     domain profile to the AP group.
     By default, the regulatory domain profile default is bound to an AP group.
• Binding the regulatory domain profile to an AP
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the regulatory-domain-profile profile-name command to bind the regulatory
     domain profile to the AP.
     By default, no regulatory domain profile is bound to an AP.

----End

6.8.4 Configuring a Management VLAN on an AP


Context
In practice, the PVID of an AP wired interface is usually set to the management VLAN ID.
For details, see 5.5 Configuration Limitations for WLAN. When management packets from
the AP or data packets forwarded in tunnel mode reach the access device through the
CAPWAP tunnel, the access device tags the packets with the PVID.
If the PVID of the access device has been used for other purposes (for example, as the default
VLAN ID of wired users), the PVID cannot be configured as the management VLAN ID on
the access device interface. In this case, configure CAPWAP packets sent from an AP wired
interface to carry the management VLAN tag. The AP then adds the management VLAN ID
to the CAPWAP packets sent to the AC. You only need to configure the access device to
allow the packets carrying the management VLAN ID to pass.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run management-vlan vlan-id
CAPWAP packets sent from the AP wired interface are configured to carry a management
VLAN tag.
By default, CAPWAP packets sent from an AP wired interface do not carry a management
VLAN tag.

NOTE

On a Mesh network, ensure that CAPWAP packets sent from all APs carry the same management VLAN.
Otherwise, MPs cannot go online.
The configuration takes effect only after the AP is restarted.

Step 5 Run quit


Return to the WLAN view.
Step 6 Bind an AP system profile to an AP group or AP.
• Binding an AP system profile to an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
     the AP group.
     By default, the AP system profile default is bound to an AP group.
• Binding an AP system profile to an AP.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
     the AP.
     By default, no AP system profile is bound to an AP.

----End

6.8.5 Configuring the Rate Limit for Broadcast and Multicast Packets of APs

Context
A large number of broadcast or multicast packets on a device occupy many network
resources, affecting network services. To ensure normal running of network services, you can
limit the rate of broadcast and multicast packets on APs within a proper range.
The following table lists the methods for limiting the rate of broadcast and multicast packets.

Table 6-3 Method for limiting the rate of broadcast and multicast packets

| Granularity | Description | Configuration |
|---|---|---|
| AP-based | Limit the rate of downlink traffic on the AP's wired interface and CAPWAP tunnel. | 6.8.5 Configuring the Rate Limit for Broadcast and Multicast Packets of APs |
| STA-based | Limit the rate of uplink traffic on the air interface from STAs. | 11.8.5 Configuring Flood Attack Detection |

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run traffic-optimize broadcast-suppression { all | arp | igmp | nd | other } disable
Rate limit for broadcast and multicast packets is enabled.
By default, rate limit for broadcast and multicast packets is enabled on an AP.
Step 5 (Optional) Run traffic-optimize broadcast-suppression { arp | igmp | nd | other } rate-threshold threshold-value
The rate threshold is configured for broadcast and multicast packets on an AP.


The default rate threshold for ARP broadcast packets, ND broadcast packets, IGMP multicast
packets, and other types of broadcast packets is 256 pps.
After you run the traffic-optimize broadcast-suppression rate-threshold command to
configure a rate threshold for broadcast and multicast packets on an AP, the configured
threshold will override the default rate threshold. The actual rate of broadcast and multicast
packets will not exceed the configured rate threshold. If a large rate threshold is set, the
expected network protection effect is not achieved. If a small rate threshold is set, broadcast
and multicast packets may be lost. In most cases, use the default rate threshold unless
otherwise specified.
Step 6 Run quit
Return to the WLAN view.
Step 7 Bind an AP system profile to an AP group or AP.
• Binding an AP system profile to an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
     the AP group.
     By default, the AP system profile default is bound to an AP group.
• Binding an AP system profile to an AP.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
     the AP.
     By default, no AP system profile is bound to an AP.

----End

6.8.6 Configuring Terminal Attributes for the VTY User Interface

Context
You can configure terminal attributes for the VTY user interface, including the timeout
disconnection function and the number of lines on each terminal screen.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run user-interface vty ui-number idle-timeout minutes [ seconds ]


The timeout disconnection function is configured.


By default, the timeout period is 5 minutes.
Step 5 Run user-interface vty ui-number screen-length screen-length
The number of lines on each terminal screen is set.
By default, the number of lines to be displayed on a terminal screen is 24.
Step 6 Run quit
Return to the WLAN view.
Step 7 Bind an AP system profile to an AP group or AP.
• Binding an AP system profile to an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
     the AP group.
     By default, the AP system profile default is bound to an AP group.
• Binding an AP system profile to an AP.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
     the AP.
     By default, no AP system profile is bound to an AP.

----End

6.8.7 Configuring ACL-based Login Control for the VTY User Interface of APs

Context
You can use an ACL to restrict login permissions on the VTY user interface. Before
configuring restrictions on login permissions on the VTY user interface, run the acl command
in the system view to create an ACL and enter the ACL view, and run the rule command to
add rules to the ACL.


NOTE

• The user interface supports basic ACLs (2000-2999) and advanced ACLs (3000-3999).
• ACL rule:
  – When permit is used in the ACL rule:
    ■ If the ACL is applied in the inbound direction, other devices that match the ACL rule
      can access the local device.
    ■ If the ACL is applied in the outbound direction, the local device can access other devices
      that match the ACL rule.
  – When deny is used in the ACL rule:
    ■ If the ACL is applied in the inbound direction, other devices that match the ACL rule
      cannot access the local device.
    ■ If the ACL is applied in the outbound direction, the local device cannot access other
      devices that match the ACL rule.
  – When the ACL rule is configured but packets from other devices do not match the rule:
    ■ If the ACL is applied in the inbound direction, other devices cannot access the local
      device.
    ■ If the ACL is applied in the outbound direction, the local device cannot access other
      devices.
  – When the ACL contains no rule:
    ■ If the ACL is applied in the inbound direction, any other devices can access the local
      device.
    ■ If the ACL is applied in the outbound direction, the local device can access any other
      devices.
• For details on how to configure the ACL, see "ACL Configuration" in the S1720, S2700, S5700, and
  S6720 V200R012C00 Configuration Guide - Security.
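The four cases in the NOTE above can be checked before an ACL is bound to the VTY user interface. The following Python model is an added example, not code from this guide: the Rule type, the function names and all addresses are constructed, and it assumes rules are evaluated in ascending rule ID with the first match deciding, and that a rule identifies the other device by an address and wildcard mask.

```python
import ipaddress
from typing import Dict, NamedTuple, Optional, Sequence, Tuple


class Rule(NamedTuple):
    rule_id: int
    action: str     # "permit" or "deny"
    address: str    # address pattern, e.g. "10.1.100.0" (constructed value)
    wildcard: str   # wildcard mask, e.g. "0.0.0.255"; 0 bits must match


def rule_matches(rule: Rule, peer: str) -> bool:
    """True when peer agrees with the rule on every 0 bit of the wildcard."""
    base = int(ipaddress.IPv4Address(rule.address))
    wild = int(ipaddress.IPv4Address(rule.wildcard))
    addr = int(ipaddress.IPv4Address(peer))
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0


def vty_verdict(acl: Optional[Sequence[Rule]], peer: str) -> Tuple[bool, str]:
    """Decide access for the other device, following the NOTE's four cases.

    acl=None models a VTY interface with no ACL applied (the default).
    The same decision applies to inbound (peer logs in to the local device)
    and outbound (local device logs in to the peer).
    """
    if acl is None:
        return True, "no ACL applied: login rights are not restricted"
    if not acl:
        return True, "ACL contains no rule: any device is allowed"
    # Assumption: ascending rule ID, first matching rule decides.
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if rule_matches(rule, peer):
            return rule.action == "permit", f"rule {rule.rule_id} {rule.action}"
    return False, "rules configured but none matched: access refused"


def exposure(acl: Optional[Sequence[Rule]], peers: Sequence[str]) -> Dict[str, bool]:
    """Map each candidate peer address to whether the ACL lets it through."""
    return {peer: vty_verdict(acl, peer)[0] for peer in peers}


# Constructed ACLs illustrating two easy mistakes.
ADMIN_ONLY = [Rule(5, "permit", "10.1.100.0", "0.0.0.255")]
DENY_ONLY = [Rule(5, "deny", "198.51.100.0", "0.0.0.255")]  # locks out everyone
EMPTY_ACL: Sequence[Rule] = []                              # restricts no one

if __name__ == "__main__":
    peers = ["10.1.100.7", "198.51.100.9"]
    for name, acl in [("admin-only", ADMIN_ONLY), ("deny-only", DENY_ONLY),
                      ("empty", EMPTY_ACL), ("unbound", None)]:
        print(name, exposure(acl, peers))
```

A deny-only ACL refuses every device because unmatched packets are also refused, while an ACL created without rules restricts nothing.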

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run user-interface vty ui-number acl acl-number { inbound | outbound }
ACL restrictions on VTY login permissions are configured.
By default, login rights are not restricted.
• To restrict users at a specified address or address segment from logging in to the device,
  use the inbound parameter.
• To restrict users who have logged in to a device from logging in to other devices, use the
  outbound parameter.
Step 5 Run user-interface vty ui-number screen-length screen-length
The number of lines on each terminal screen is set.


By default, the number of lines to be displayed on a terminal screen is 24.

Step 6 Run quit

Return to the WLAN view.

Step 7 Bind an AP system profile to an AP group or AP.


• Binding an AP system profile to an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
     the AP group.
     By default, the AP system profile default is bound to an AP group.
• Binding an AP system profile to an AP.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
     the AP.
     By default, no AP system profile is bound to an AP.

----End

6.8.8 Configuring the Alarm Function on an AP

Context
• You can configure alarm thresholds on an AP to monitor the AP in real time. When the
  configured thresholds are exceeded, the AP generates alarms or logs to notify the AC of
  the AP status.
  The default alarm thresholds are recommended.
• If a STA cannot go online because of a security type mismatch, UAC, or because the upper
  limit of access users is exceeded, the STA automatically reconnects to the AP. During this
  period, the AP sends a large number of STA association failure alarms to the AC, which
  degrades the system performance.
  To solve this problem, enable alarm suppression for the AP. The AP then does not report
  alarms repeatedly in the alarm suppression period, preventing alarm storms.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run ap-system-profile name profile-name

An AP system profile is created, and the AP system profile view is displayed.

By default, the system provides the AP system profile default.


Step 4 Run cpu-usage threshold threshold

A CPU usage alarm threshold is configured for an AP.

By default, the CPU usage alarm threshold of APs is 90.

Step 5 Run memory-usage threshold threshold

A memory usage alarm threshold is configured for an AP.

By default, the memory usage alarm threshold on an AP is 80.

Step 6 Run high-temperature threshold threshold-value

A high temperature alarm threshold is configured for an AP.

Table 6-4 Default upper temperature alarm threshold for APs

| AP Model | Default Value (°C) |
|---|---|
| R230D/R240D | 40 |
| AD9431DN-24X/AD9430DN-24 | 71 |
| AP7110SN-GN | 76 |
| AP4050DN-HD | 79 |
| AP6510DN-AGN-US | 81 |
| AP8050DN/AP8050DN-S/AP8150DN/AP9330DN/AP7030DE | 83 |
| AP9131DN/AP9132DN/AP8130DN-W | 84 |
| AP6010SN-GN | 85 |
| AP8030DN/AP6050DN/AP6150DN | 86 |
| AP4030TN/AP5030DN/AP5130DN | 87 |
| AP8130DN/AP7050DE/AP7052DN/AP7152DN/AP6052DN/AP4051TN/AP6510DN-AGN | 88 |
| AP7050DN-E/AP7110DN-AGN | 89 |
| AP8082DN/AP8182DN/AP8050TN-HD/AD9430DN-12 | 91 |
| AP4050DN-E | 92 |
| AP6310SN-GN | 94 |
| AP7052DE/R251D/R251D-E | 95 |
| AP4050DN/AP1050DN-S/R450D | 96 |
| AP6610DN-AGN-US | 100 |
| R250D/R250D-E/AP6010DN-AGN | 102 |
| AP6610DN-AGN | 104 |

NOTE

The AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP2030DN, AP2051DN,
AP2051DN-E, AP2050DN, AP2050DN-E, AP430-E, AP4030DN, AP4050DN-S, AP4051DN, AP4151DN,
and AP4130DN do not support this command.

Step 7 Run low-temperature threshold threshold-value


A low temperature alarm threshold is configured for an AP.

Table 6-5 Default lower temperature alarm threshold for APs

| AP Model | Default Value (°C) |
|---|---|
| R230D/R240D | 0 |
| AD9430DN-24/AD9431DN-24X/R250D/R250D-E/R251D/R251D-E | -3 |
| AP5130DN/AP5030DN/AP6150DN/AP4050DN-HD/AP4050DN-E/AP4030TN/AP4050DN/AP1050DN-S/AP7052DN/AP7152DN/AP7052DE/AP6052DN/AP4051TN/AD9430DN-12/AP6050DN/AP7050DE/AP7050DN-E/R450D/AP6010DN-AGN/AP6010SN-GN/AP6310SN-GN/AP7110SN-GN/AP7110DN-AGN/AP9330DN | -13 |
| AP7030DE | -23 |
| AP8030DN/AP8050DN/AP8150DN/AP8050DN-S/AP8130DN/AP9131DN/AP9132DN/AP8082DN/AP8182DN/AP8050TN-HD/AP8130DN-W/AP6510DN-AGN/AP6510DN-AGN-US/AP6610DN-AGN/AP6610DN-AGN-US | -43 |

NOTE

The AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP2030DN, AP2051DN,
AP2051DN-E, AP2050DN, AP2050DN-E, AP430-E, AP4030DN, AP4050DN-S, AP4051DN, AP4151DN,
and AP4130DN do not support this command.

Step 8 Configure the alarm suppression function on an AP.


1. Run the alarm-restriction period period command to configure the alarm suppression
period on the AP.
The default alarm suppression period is 60 seconds on an AP.


2. Run the undo alarm-restriction disable command to enable the alarm suppression
function on an AP.
By default, alarm suppression is enabled for an AP.
Step 9 Run quit
Return to the WLAN view.
Step 10 Bind an AP system profile to an AP group or AP.
• Binding an AP system profile to an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
     the AP group.
     By default, the AP system profile default is bound to an AP group.
• Binding an AP system profile to an AP.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
     the AP.
     By default, no AP system profile is bound to an AP.

----End

6.8.9 Configuring the Log Backup and Log Suppression Functions on an AP

Context
• Logs record user operations and system running information. After logs are backed up to
  a server, network administrators can summarize and analyze AP logs to learn the
  operations performed on APs for fault location.
  The device supports automatic log backup. After automatic log backup is configured,
  logs generated by an AP are automatically sent to the log server.
• If a STA keeps attempting to connect to an AP because of signal interference or
  instability, the AP sends a large number of duplicate login and logout logs to the AC in a
  short period, causing a huge waste of resources.
  To address this problem, enable log suppression. The AP sends only one log about a user
  to the AC within the log suppression period.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run access-user syslog-restrain period period
The period of system log suppression is configured.
By default, the period of system log suppression is 300s.


Step 3 Run access-user syslog-restrain enable

The system log suppression function is enabled.

By default, system log suppression is enabled.

Step 4 Run wlan

The WLAN view is displayed.

Step 5 Run ap-system-profile name profile-name

An AP system profile is created, and the AP system profile view is displayed.

By default, the system provides the AP system profile default.

Step 6 Run log-record-level { alert | critical | debug | emergency | error | info | notice | warning }

The level of AP logs to be backed up is configured.

By default, the level of AP logs that need to be backed up is info.

Step 7 Run log-server ip-address server-ip-address

A log server IP address is configured, and log backup is enabled.

By default, the log server IP address is not configured in an AP system profile and log backup
is disabled on an AP.

Step 8 Run quit

Return to the WLAN view.

Step 9 Bind an AP system profile to an AP group or AP.


• Binding an AP system profile to an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
     the AP group.
     By default, the AP system profile default is bound to an AP group.
• Binding an AP system profile to an AP.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
     the AP.
     By default, no AP system profile is bound to an AP.

----End
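Sections 6.8.2 to 6.8.9 leave several management settings at defaults that matter for hardening: VTY login rights are unrestricted, log backup is off, and USB is advised to be disabled after use. The following Python audit is an added example, not part of this guide: the configuration excerpt, profile and group names, addresses and finding labels are constructed, the one-space-per-level indentation is an assumed layout, and the disable keyword of traffic-optimize broadcast-suppression is read as switching the rate limit off, by analogy with undo alarm-restriction disable.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed configuration excerpt; layout and names are assumptions.
SAMPLE_CONFIG = """\
wlan
 ap-system-profile name lobby
  usb enable
  traffic-optimize broadcast-suppression arp disable
  user-interface vty 0 acl 2001 outbound
 ap-system-profile name office
  user-interface vty 0 acl 2001 inbound
  log-server ip-address 192.0.2.10
 ap-group name lobby-aps
  ap-system-profile lobby
 ap-group name office-aps
  ap-system-profile office
 ap-group name warehouse-aps
"""


def parse_stanzas(text: str, keyword: str) -> Dict[str, List[str]]:
    """Return {name: [child lines]} for each '<keyword> name <name>' stanza."""
    header = re.compile(rf"{re.escape(keyword)} name (\S+)")
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    header_indent = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        match = header.fullmatch(line)
        if match:
            current, header_indent = match.group(1), indent
            stanzas[current] = []
        elif current is not None and indent > header_indent:
            stanzas[current].append(line)   # command nested under the header
        else:
            current = None                  # left the stanza
    return stanzas


def audit_profile(lines: List[str]) -> List[str]:
    """Findings for one AP system profile, using defaults stated in the guide."""
    findings = []
    if "usb enable" in lines:               # guide advises undo usb enable after use
        findings.append("usb-enabled")
    if not any(re.fullmatch(r"user-interface vty \d+ acl \d+ inbound", l) for l in lines):
        findings.append("vty-inbound-unrestricted")   # default: not restricted
    if not any(l.startswith("log-server ip-address ") for l in lines):
        findings.append("no-log-backup")              # default: backup disabled
    for l in lines:
        m = re.fullmatch(r"traffic-optimize broadcast-suppression (\w+) disable", l)
        if m:
            findings.append(f"rate-limit-disabled:{m.group(1)}")
    if "alarm-restriction disable" in lines:
        findings.append("alarm-suppression-disabled")
    return findings


def audit_groups(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map each AP group to (bound AP system profile, findings)."""
    profiles = parse_stanzas(text, "ap-system-profile")
    report = {}
    for group, lines in parse_stanzas(text, "ap-group").items():
        bound = "default"   # the profile 'default' is bound to AP groups by default
        for l in lines:
            m = re.fullmatch(r"ap-system-profile (\S+)", l)
            if m:
                bound = m.group(1)
        # A profile absent from the excerpt is audited as all-defaults.
        report[group] = (bound, audit_profile(profiles.get(bound, [])))
    return report


if __name__ == "__main__":
    for group, (profile, findings) in audit_groups(SAMPLE_CONFIG).items():
        print(f"{group}: profile={profile} findings={findings or 'none'}")
```

The warehouse-aps group has no explicit binding, so it is reported against the default profile, where VTY login is unrestricted and log backup is disabled.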

6.8.10 Configuring LLDP on an AP

Context
The Link Layer Discovery Protocol (LLDP) helps the NMS obtain detailed Layer 2
information, such as the network topology, device interface status, and management address.


After LLDP is configured on an AP, the AP can send LLDP packets carrying local system
status information to directly connected neighbors and parse LLDP packets received from
neighbors.
To enable an AP to discover neighbors, enable LLDP on the AP and access device to which
the AP directly connects.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap lldp enable
LLDP is enabled in the WLAN view.
By default, LLDP is enabled in the WLAN view.

NOTE

An AP can send and receive LLDP packets only after LLDP is enabled in both the WLAN view and the AP
wired port link profile view.

Step 4 (Optional) Configure LLDP in the AP wired port link profile view.
1. Run the port-link-profile name profile-name command to create an AP wired port link
profile and enter the AP wired port link profile view.
By default, the system provides the AP wired port link profile default.
2. Run the lldp enable command to enable LLDP on an AP wired port.
By default, LLDP is enabled on AP wired interfaces.

NOTE

An AP can send and receive LLDP packets only after LLDP is enabled in both the WLAN view and the
AP wired port link profile view.
3. Run the lldp tlv-enable basic-tlv { all | management-address | port-description |
system-capability | system-description | system-name } command to specify the types
of TLVs that can be advertised from an AP's wired port.
By default, an AP wired interface advertises all types of TLVs.
4. Run the quit command to return to the WLAN view.
5. Run the wired-port-profile name profile-name command to create an AP wired port
profile and enter the AP wired port profile view.
By default, the system provides the AP wired port profile default.
6. Run the port-link-profile profile-name command to bind the AP wired port link profile
to an AP wired port profile.
By default, the AP wired port link profile default is bound to an AP wired port profile.
7. Run the quit command to return to the WLAN view.
Step 5 Configure LLDP in the WLAN view.


1. Run the ap-system-profile name profile-name command to create an AP system profile


and enter the AP system profile view.

By default, the system provides the AP system profile default.


2. Run the lldp admin-status { rx | tx | txrx } command to configure the LLDP mode on
the AP.

By default, the LLDP operation mode of an AP is TxRx.


3. (Optional) Run lldp restart-delay delay-time

The delay in re-enabling LLDP on the AP is configured.

By default, the delay in re-enabling LLDP on an AP is 2 seconds.


4. (Optional) Run lldp message-transmission interval interval

The interval at which the AP sends LLDP packets to neighbors is configured.

The default LLDP packet transmission interval is 30 seconds.


5. (Optional) Run lldp message-transmission delay delay

The delay in sending LLDP packets to neighbors on the AP is configured.

The default LLDP packet transmission delay is 2 seconds.


6. (Optional) Run lldp message-transmission hold-multiplier hold

The hold time multiplier of AP information on neighbors is configured.

The default hold time multiplier is 4.


7. Run the quit command to return to the WLAN view.

Step 6 Bind the AP system profile and AP wired port profile to an AP group or AP.
l Binding the AP system profile and AP wired port profile to an AP group
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP group.
By default, the AP system profile default is bound to an AP group.
c. Run the wired-port-profile profile-name interface-type interface-number command
to bind the AP wired port profile to the AP group.
By default, the AP wired port profile default is bound to an AP group.
l Binding the AP system profile and AP wired port profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP.
By default, no AP system profile is bound to an AP.
c. Run the wired-port-profile profile-name interface-type interface-number command
to bind the AP wired port profile to the AP.
By default, no AP wired port profile is bound to an AP.

----End

6.8.11 Configuring an AP to Report Information About Its LLDP Neighbors

Context
After the AP discovers a neighbor, the AP sends neighbor information to the AC. The NMS
then obtains the AP's LLDP information from the AC to learn the network topology.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run lldp report enable
The AP is enabled to report information about its LLDP neighbors.
By default, an AP does not report information about its LLDP neighbors.
Step 5 (Optional) Run lldp report-interval interval-time
The interval at which the AP reports neighbor information to an AC is configured.
By default, an AP reports LLDP neighbor information to an AC at an interval of 30 seconds.
Step 6 Run quit
Return to the WLAN view.
Step 7 Bind an AP system profile to an AP group or AP.
l Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP group.
By default, the AP system profile default is bound to an AP group.
l Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP.
By default, no AP system profile is bound to an AP.

----End

6.8.12 Configuring Sampling Parameter on an AP

Context
Within each sampling interval, an AP collects desired statistics based on APs, radios, and
STAs (when the AP collects data based on STAs, it collects only data displayed by the
display command). Within each statistics collection interval, the AP computes the average of
sampled values and reports results to the AC. You can view all statistics collected by the AP
on the AC.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run ap-system-profile name profile-name

An AP system profile is created, and the AP system profile view is displayed.

By default, the system provides the AP system profile default.

Step 4 Run sample-time sample-time

The sampling interval is configured for an AP.

The default sampling interval of an AP is 30s.

Step 5 Run quit

Return to the WLAN view.

Step 6 Bind an AP system profile to an AP group or AP.


l Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP group.
By default, the AP system profile default is bound to an AP group.
l Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP.
By default, no AP system profile is bound to an AP.

----End

6.8.13 Configuring Service Holding upon CAPWAP Link Disconnection

Context
To mitigate the impact of link disconnections on users in direct forwarding mode and improve
service reliability, you can configure the function of service holding upon CAPWAP link
disconnection. To allow new users to access APs after CAPWAP link disconnection, you can
configure the function of user access upon CAPWAP link disconnection. After the
disconnected CAPWAP link is restored, the AP forces all the STAs that went online during
CAPWAP link disconnection to go offline. The AP then reassociates with these STAs and
reports STA information through logs. For Portal or MAC address authentication STAs, after
the broken CAPWAP link is restored, the AP forces all these STAs to go offline and reports
STA information through logs.

NOTE

l Service holding upon CAPWAP link disconnection is only applicable to the direct forwarding mode.
l User access upon CAPWAP link disconnection can be configured only when direct forwarding is used
and open system, Portal, MAC address, WEP, or WPA/WPA2-PSK authentication is used.
l WDS networks do not support service holding and user access upon CAPWAP link disconnection.
l The offline management VAP function and service holding upon CAPWAP link disconnection are
mutually exclusive. When the two functions are configured at the same time, the offline management
VAP function cannot take effect.
l When rogue device containment and service holding upon CAPWAP link disconnection are both
configured, service holding upon CAPWAP link disconnection does not take effect.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created, and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run keep-service enable
Service holding upon CAPWAP link disconnection is enabled. After that, the AP can still
provide data services when the CAPWAP link is disconnected.
By default, all services on the AP are interrupted after the CAPWAP link between the AP and
AC is disconnected.
Step 5 Run keep-service enable allow new-access [ no-auth ]
User access upon CAPWAP link disconnection is enabled. After that, the AP can still allow
new users to access when the CAPWAP link is disconnected.
By default, APs in the fault state do not allow new STAs to access.

Step 6 Run quit

Return to the WLAN view.

Step 7 Bind an AP system profile to an AP group or AP.


l Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP group.
By default, the AP system profile default is bound to an AP group.
l Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP.
By default, no AP system profile is bound to an AP.

----End

6.8.14 Optimizing AP System Profile Parameters

Context
This task configures an AP to respond directly to association requests of STAs, the MTU of
the Ethernet port in the AP system profile, and the Extensible Authentication Protocol (EAP)
packet conversion function.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run ap-system-profile name profile-name

An AP system profile is created, and the AP system profile view is displayed.

By default, the system provides the AP system profile default.

Step 4 Run mtu mtu-value

The MTU of the management VLANIF is configured in an AP system profile.

By default, the MTU value of the management VLANIF and CAPWAP on an AP is 1500
bytes.

The size of data packets is limited at the network layer. When a network layer device receives
an IP packet, it determines the outbound interface and obtains the MTU configured on the
interface. The device then compares the MTU with the IP packet length. If the IP packet is
longer than the MTU, the device fragments the IP packet. Each fragment is no larger than the
MTU.

NOTE

If the MTU value is smaller than the DHCP packet length, the AP may be disconnected. In this case, restart
the AP.

Step 5 Configure EAP packet conversion.


Different vendors use different methods to encapsulate EAP packets in broadcast, multicast,
or unicast packets.
In 802.1X authentication, when an AP sends EAPOL-Start and EAPOL-Response packets to
an AC, the method that the AP uses to encapsulate the two types of packets must be the same
as the method that the access device directly connected to the AC uses. Otherwise, the two
types of packets cannot be processed by the access device directly connected to the AP.
Consequently, the user cannot pass 802.1X authentication.
1. Run the eapol-start dest-address transform-condition { always | equal-bssid }
command to specify EAPOL-Start packets to be encapsulated.
By default, an AP encapsulates only the EAPOL-start packets with the destination MAC
addresses being the AP's BSSID.
2. Run the eapol-start dest-address transform-to { broadcast | multicast | mac mac-
address } command to configure the AP to encapsulate EAPOL-Start packets into
broadcast, multicast, or unicast packets.
By default, an AP encapsulates EAPOL-start packets into multicast packets.
3. Run the eapol-response dest-address transform-condition { always | equal-bssid }
command to specify EAPOL-Response packets to be encapsulated.
By default, an AP encapsulates only the EAPOL-response packets with the destination
MAC addresses being the AP's BSSID.
4. Run the eapol-response dest-address transform-to { broadcast | multicast | mac mac-
address | learning } command to configure the AP to encapsulate EAPOL-Response
packets into broadcast, multicast, or unicast packets.
By default, an AP encapsulates EAPOL-response packets into unicast packets and
actively learns the destination MAC address.
Step 6 Run quit
Return to the WLAN view.
Step 7 Bind an AP system profile to an AP group or AP.
l Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP group.
By default, the AP system profile default is bound to an AP group.
l Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.

b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP.
By default, no AP system profile is bound to an AP.

----End

6.8.15 Verifying the AP System Configuration

Procedure
l Run the display ap-system-profile { all | name profile-name } command to check
configuration and reference information about an AP system profile.
l Run the display references ap-system-profile name profile-name command to check
reference information about an AP system profile.
----End

6.9 Managing an AP's Wired Interface

Context
Managing an AP's wired interface includes configuring AP wired interface parameters and
link layer parameters.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run wired-port-profile name profile-name
An AP wired port profile is created, and the AP wired port profile view is displayed.
By default, the system provides the AP wired port profile default.
Step 4 Configure parameters for an AP's wired interface. Run the following commands as required.
l Run the eth-trunk trunk-id command to add an AP's wired interface to an Eth-Trunk.
By default, an AP interface is not added to any Eth-Trunk.
To improve the connection reliability and increase the bandwidth, you can run this
command to bind multiple interfaces into an Eth-Trunk.
NOTE

APs that have only one physical uplink network interface do not support this command.
The physical interface to be added to an Eth-Trunk cannot have other configurations. Before adding a
physical interface to an Eth-Trunk, clear all configurations on it except the interface status, descriptions,
LLDP function, and alarm function for CRC errors.
l Run the stp enable command to enable STP on an AP's wired interface.

By default, STP is disabled on an AP's wired interface.
STP on the AP's wired interfaces takes effect only when the AP forms a single loop with
wired devices. As shown in Figure 6-1, the AC, SwitchA, SwitchB, and AP form a loop.
To break the loop, configure STP on the AP's wired interfaces. After STP is configured,
the AP's wired interfaces are engaged in STP calculation of the loop and will be blocked
based on the calculation results.

Figure 6-1 STP networking
[Figure omitted: AC, SwitchA, and SwitchB connected in a loop]

NOTE

– The STP cost on Huawei switches (including ACs) complies with 802.1t, while the STP cost on
Huawei APs complies with 802.1d. When a Huawei AP is connected to a Huawei switch or an AC
and STP is enabled on the AP, run the stp pathcost-standard dot1d-1998 command in the system
view of the switch or AC to set the correct STP cost. Incorrect STP cost may block the link between
the AP and AC.
l Run the mode { root | endpoint | middle } command to configure a working mode for
an AP's wired interface.
By default,
– On a common AP: Its GE interfaces work in root mode, Ethernet interfaces in
endpoint mode, and Eth-Trunk interfaces in root mode.
– On a central AP: Its uplink GE interfaces work in root mode and downlink GE
interfaces in middle mode.
– On an R230D: Its Ethernet interface works in root mode.
– On an R240D: Its Ethernet interface works in endpoint mode and GE interface in
root mode.
– On an R250D, R250D-E, AP2050DN, AP2051DN, AP2051DN-E, R251D, R251D-
E and AP2050DN-E: Their uplink GE interfaces work in root mode and downlink
GE interfaces in endpoint mode.
– On an R450D: Its GE interface works in root mode.
When working as an uplink interface to connect to an AC, an AP's wired interface must
work in root mode. In root mode, the AP's wired interface automatically joins service
VLANs and user-specific VLANs (for example, VLANs assigned by the RADIUS
server).
When working as a downlink interface to connect to a wired terminal, the AP's wired
interface must work in endpoint mode. In endpoint mode, the AP's wired interface does
not join any VLAN by default.
NOTE

The AP's wired interface supports user isolation in endpoint mode, but not in root or middle mode.
l Run the dhcp trust port command to enable a DHCP trusted port on an AP's wired
interface.
By default, the DHCP trusted interface is disabled in the VAP profile view and enabled
on the AP's uplink interface in the AP wired port profile view.
This command takes effect only on the AP's uplink interface.
Before WLAN services are delivered to an AP, run the dhcp trust port command in the
AP wired port profile view. After the command is run, the AP receives the DHCP
OFFER, ACK, and NAK packets sent by the authorized DHCP server and forwards the
packets to STAs so that the STAs can obtain valid IP addresses and go online.
NOTE

If a bogus DHCP server is deployed at the user side, STAs may obtain incorrect IP addresses and
network configuration parameters and cannot communicate properly. After the dhcp trust port
command is executed in the VAP profile view, an AP discards the DHCP OFFER, ACK, and NAK
packets sent by the bogus DHCP server and reports to the AC about the IP address of the unauthorized
DHCP server. For details, see 11.8.3 Configuring Defense Against Bogus DHCP Server Attacks.
l Run the learn-client-address enable command to enable terminal address learning on
an AP's wired interface.

By default, terminal address learning is disabled on an AP's wired interface.
After terminal address learning is enabled on an AP's wired interface, if a wired terminal
connected to the AP wired interface successfully obtains an IP address, the AP
automatically reports the IP address of the terminal to the AC, helping to maintain the
ARP binding entries of wired terminals.
This configuration takes effect only on AP's wired interfaces working in endpoint mode.
l Run the ipsg enable command to enable IP source guard (IPSG) on an AP's wired
interface.
By default, IPSG is disabled on an AP's wired interface.
Attackers often use packets with the source IP addresses or MAC addresses of
authorized users to access or attack networks. As a result, authorized users cannot obtain
stable and secure network services. You can enable the IPSG function to prevent this
situation.
To make the configuration take effect, terminal address learning must be enabled on the
AP's wired interface using the learn-client-address enable command.
l Run the dai enable command to enable dynamic ARP inspection (DAI) on an AP's
wired interface.
By default, DAI is disabled on an AP's wired interface.
You can enable DAI using this command to prevent man-in-the-middle (MITM) attacks
and theft of authorized user information. When a device receives an ARP packet, it
compares the source IP address, source MAC address, interface number, and VLAN ID
of the ARP packet with DHCP snooping binding entries. If the ARP packet matches a
binding entry, the device allows the packet to pass through. If the ARP packet does not
match any binding entry, the device discards the packet.
To make the configuration take effect, terminal address learning must be enabled on the
AP's wired interface using the learn-client-address enable command.
l Run the traffic-optimize { broadcast-suppression | multicast-suppression | unicast-
suppression } packets packets-rate command to set the maximum volume of broadcast,
multicast, or unknown unicast traffic on an AP's wired interface.
By default, the volume of broadcast, multicast, or unknown unicast traffic is not
suppressed on an AP's wired interface.
When a large number of broadcast, multicast, and unknown unicast packets are
transmitted on a network, a lot of network resources are occupied, and services on the
network are affected. When the traffic volume of broadcast, multicast, and unknown
unicast packets reaches the maximum on an AP's wired interface, the system discards
excess packets to control the traffic volume in a proper range and prevent flooding
attacks.
l Run the stp auto-shutdown enable command to enable the STP-triggered port
shutdown function on an AP's wired interface.
By default, the STP-triggered port shutdown function is disabled on an AP's wired
interface.
After the STP-triggered port shutdown function is enabled, the AP automatically shuts
down the interface when STP detects a loop. The AP periodically recovers the
interface and re-executes STP detection. If the loop still exists on the interface, the AP
shuts down the interface again. If the loop is removed, the AP reports a clear alarm to the
network management system (NMS).
To make the configuration take effect, the stp enable command must be run first.

l Run the stp auto-shutdown recovery-time recovery-time command to set an
auto-recovery interval for an AP's wired interface on which the STP-triggered port
shutdown function is enabled.
By default, the auto-recovery interval is 600s.
After the STP-triggered port shutdown function is enabled, the AP automatically shuts
down the interface when STP detects a loop. The AP periodically recovers the
interface and re-executes STP detection. If the loop still exists on the interface, the AP
shuts down the interface again. If the loop is removed, the AP reports a clear alarm to the
network management system (NMS).
To make the configuration take effect, the stp auto-shutdown enable command must be
run first.
l Run the igmp-snooping enable command to enable IGMP snooping on an AP's wired
interface.
By default, IGMP snooping is disabled on an AP's wired port.
IGMP snooping is a basic Layer 2 multicast function that forwards and controls
multicast traffic at the data link layer. IGMP snooping runs on a Layer 2 device and
analyzes IGMP messages exchanged between a Layer 3 device and hosts to set up and
maintain a Layer 2 multicast forwarding table. The Layer 2 device forwards multicast
packets based on the Layer 2 multicast forwarding table.
l Run the vlan { tagged | untagged } { vlan-id1 [ to vlan-id2 ] } &<1-10> command to
configure the VLAN to which an AP's wired interface is added.
By default, an AP wired interface allows packets from all VLANs to pass. The wired
interface is added to VLAN 1 in untagged mode and to other VLANs in tagged mode.
An AP's wired interface directly connects to a host. Add the wired interface to a VLAN
or a group of VLANs in untagged mode using the untagged parameter. After the wired
interface is added to the VLAN, the interface removes VLAN tags of frames before
sending frames to the host.
When an AP's wired interface connects to a Layer 2 network, add the wired interface to a
VLAN or a group of VLANs in tagged or untagged mode based on the condition of peer
devices using the tagged or untagged parameter, respectively.
l Run the traffic-filter { inbound | outbound } ipv4 acl { acl-number | name acl-name }
command to configure ACL-based packet filtering on an AP's wired interface.
By default, ACL-based IPv4 packet filtering is not configured on an AP's wired
interface.
Before the traffic-filter command is run, an ACL rule must have been created.
– acl (system view)
– acl name
l Run the traffic-remark { inbound | outbound } ipv4 acl { acl-number | name acl-
name } { dot1p dot1p-value | dscp dscp-value } command to configure ACL-based
priority re-marking on an AP's wired interface.
By default, ACL-based priority re-marking is not configured on an AP's wired interface.
Before the traffic-remark command is run, an ACL rule must have been created.
– acl (system view)
– acl name
l Run the user-isolate { all | l2 } command to configure the user isolation function on an
AP wired port profile.

By default, user isolation is disabled on an AP's wired interface.
The user isolation function prevents users on the same wired interface from
communicating with each other. All user traffic on the wired interface is forwarded by
the gateway. Therefore, this function ensures communication security on wired interfaces
and allows uniform charging for users.
Precautions
Eth-Trunk member interfaces do not support the user isolation function.
l Run the vlan pvid vlan-id command to configure a PVID for an AP's wired interface.
By default, no PVID is configured for an AP wired interface.
When receiving an untagged packet from a peer device, the AP wired interface adds a
VLAN tag to the packet. After the PVID is configured on the wired interface, the
interface adds the PVID to all the received untagged packets.
Precautions
Eth-Trunk member interfaces do not support PVID setting.
The PVID can be configured in different modes for an AP's wired interface.
– If the AP's wired interface works in root mode and has been configured to transmit
packets carrying the management VLAN tag using the management-vlan vlan-id
command, the PVID for the AP's wired interface must be configured the same as
the management VLAN ID.
– If the AP's wired interface works in endpoint mode, the PVID can be configured
directly. The configuration takes effect after the system restarts.
– If the AP's wired interface works in middle mode, the PVID cannot be configured.

Step 5 Run quit

Return to the WLAN view.

Step 6 Configure link layer parameters for an AP's wired interface.


1. Run the port-link-profile name profile-name command to create an AP wired port link
profile and enter the profile view.

By default, the system provides the AP wired port link profile default.
2. Run the crc-alarm enable [ high-threshold high-threshold-value | low-threshold low-
threshold-value ]* command to configure the alarm function for CRC errors on an AP's
wired interface, and set the alarm threshold and clear alarm threshold.

By default, the alarm function for CRC errors is disabled on the AP wired interface. The
alarm threshold for CRC errors is 50 and the clear alarm threshold is 20.
3. Run the shutdown command to disable the AP's wired interface.

By default, an AP's wired interface is enabled.

If malicious users attack the network through an AP's wired interface, the
administrator can deliver the shutdown command on the AC to shut down the interface.

The shutdown command takes effect only on AP's wired interfaces working in endpoint
or middle mode but not on those working in root mode.
4. Run the quit command to return to the WLAN view.
5. Run the wired-port-profile name profile-name command to enter the AP wired port
profile view.

6. Run the port-link-profile profile-name command to bind the AP wired port link profile
to the AP wired port profile.
By default, the AP wired port link profile default is bound to an AP wired port profile.
7. Run the quit command to return to the WLAN view.
Step 7 Bind the AP wired port profile to an AP group or AP.
l Bind the AP wired port profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the wired-port-profile profile-name interface-type interface-number command
to bind the AP wired port profile to an AP group.
By default, the AP wired port profile default is bound to an AP group.
l Bind the AP wired port profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the wired-port-profile profile-name interface-type interface-number command
to bind the AP wired port profile to an AP.
By default, no AP wired port profile is bound to an AP.

----End

Verifying the Configuration


l Run the display wired-port-profile { all | name profile-name } command to check
configuration and reference information about an AP wired port profile.
l Run the display port-link-profile { all | name profile-name } command to check
configuration and reference information about an AP wired port link profile.
l Run the display references wired-port-profile name profile-name command to check
reference information about an AP wired port profile.
l Run the display references port-link-profile name profile-name command to check
reference information about an AP wired port link profile.
l Run the display mac-address mac-address [ verbose ] ap-all command to check MAC
address entries on all APs.
l Run the display mac-address { ap-id ap-id | ap-name ap-name } interface-type
interface-number command to check all dynamic MAC address entries on an AP's wired
interface.
l Run the display ap wired-port interface-type interface-number { ap-name ap-name |
ap-id ap-id } command to display configuration of an AP's wired interface.
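
The dependencies stated in this procedure (IPSG and DAI need terminal address learning, STP-triggered shutdown needs STP, user isolation and address learning apply only in endpoint mode, Eth-Trunk members support neither user isolation nor a PVID) can be checked offline before a profile is bound. The following Python script is an added example, not Huawei code: the indented configuration layout, the profile names, and the function names are assumptions, and the sample configuration is constructed.

```python
import re

# Constructed sample: commands from this section in an assumed indented
# layout. It is not output captured from a real AC.
SAMPLE_CONFIG = """\
wlan
 wired-port-profile name lobby-ports
  mode endpoint
  learn-client-address enable
  ipsg enable
  dai enable
  user-isolate l2
  traffic-optimize broadcast-suppression packets 100
 wired-port-profile name uplink
  mode root
  dai enable
  user-isolate all
  stp auto-shutdown enable
  stp auto-shutdown recovery-time 300
 wired-port-profile name cascade
  eth-trunk 1
  learn-client-address enable
  ipsg enable
  vlan pvid 20
"""

HEADER = re.compile(r"^(\s*)wired-port-profile name (\S+)\s*$")


def parse_profiles(text):
    """Return {profile name: [normalized command, ...]}."""
    profiles, current, base_indent = {}, None, 0
    for raw in text.splitlines():
        if raw.strip() in ("", "#"):
            continue
        header = HEADER.match(raw)
        if header:
            base_indent, current = len(header.group(1)), header.group(2)
            profiles[current] = []
        elif current is not None and len(raw) - len(raw.lstrip()) > base_indent:
            profiles[current].append(" ".join(raw.split()))
        else:
            current = None  # a shallower line ends the profile view
    return profiles


def audit_profile(cmds):
    """Return findings for one profile, using only rules stated in the guide."""
    def has(prefix):
        return any(c == prefix or c.startswith(prefix + " ") for c in cmds)

    mode = next((c.split()[1] for c in cmds if c.startswith("mode ")), None)
    findings = []

    # IPSG and DAI take effect only with terminal address learning enabled.
    for feature in ("ipsg enable", "dai enable"):
        if has(feature) and not has("learn-client-address enable"):
            findings.append(f"{feature}: requires learn-client-address enable")

    # STP-triggered shutdown depends on STP; the recovery timer on shutdown.
    if has("stp auto-shutdown enable") and not has("stp enable"):
        findings.append("stp auto-shutdown enable: requires stp enable")
    if has("stp auto-shutdown recovery-time") and not has("stp auto-shutdown enable"):
        findings.append("stp auto-shutdown recovery-time: requires stp auto-shutdown enable")

    # Address learning and user isolation apply only in endpoint mode. The
    # default mode depends on AP model and port type, so an unset mode is
    # reported instead of guessed.
    endpoint_only = [c for c in ("learn-client-address enable", "user-isolate") if has(c)]
    if endpoint_only and mode is None:
        findings.append("mode: not set explicitly, cannot confirm endpoint mode for "
                        + ", ".join(endpoint_only))
    elif mode in ("root", "middle"):
        findings += [f"{c}: effective only in endpoint mode, profile is {mode}"
                     for c in endpoint_only]

    # Eth-Trunk members support neither user isolation nor a PVID; middle
    # mode does not allow a PVID either.
    if has("eth-trunk"):
        findings += [f"{c}: not supported on Eth-Trunk member interfaces"
                     for c in ("user-isolate", "vlan pvid") if has(c)]
    if has("vlan pvid") and mode == "middle":
        findings.append("vlan pvid: cannot be configured in middle mode")
    return findings


def audit(text):
    """Audit every wired port profile found in the configuration text."""
    return {name: audit_profile(cmds) for name, cmds in parse_profiles(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

A profile with no findings can still be ineffective if it is bound to the wrong interface, so confirm the binding with the display commands listed above.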

6.10 Managing the PoE Function of an AP


6.10.1 Overview of PoE

Definition
Power over Ethernet (PoE) provides power through the Ethernet. It is also called Power over
LAN (PoL) or active Ethernet.

Purpose
As IP phones, network video monitoring, and wireless Ethernet networks are widely applied,
the need to supply power over the Ethernet has become urgent. In most situations, access
point devices need a DC power supply, but they are often installed outdoors or on ceilings
far from the ground, where a suitable power socket is hard to find. Even if a suitable power
socket is available, the network administrator finds it hard to install the DC converter
required by access point devices. On many large-scale LANs, administrators need to manage
multiple access point devices that require uniform power supply and management, which
makes power supply management difficult. The PoE function addresses this problem.

The PoE technology is used on the wired Ethernet and is most widely used on local LANs.
The PoE function transmits power together with data to terminals over cables or transmits
power without data over idle lines. This technology provides power on the 2.5GE Base-T,
1000Base-T, 100Base-TX, or 10Base-T Ethernet at a distance of up to 100 m. PoE can be
used to effectively provide centralized power for terminals such as IP phones, Access Points
(APs), chargers of portable devices, POS machines, cameras, and data collection devices.
Terminals are provided with power when they access the network. Therefore, indoor cabling
of power supply is not required.

PoE has the following advantages:

l Reliable: Multiple PDs are powered by one device, facilitating power backup.
l Easy to deploy: Network terminals can be powered over network cables, without a need
for external power sources.
l Standard: The PoE function complies with IEEE 802.3bt, IEEE 802.3af and 802.3at, and
all PoE devices use uniform power sources.

Benefits
• Saves the costs on the cabling of power supply and facilitates power module installation.
• Works with the Uninterruptible Power Supply (UPS) to provide backup power supply for
  IP cameras, video servers, and IP phones, and prevents power-off.

6.10.2 Understanding PoE

Components in a PoE System


A PoE system involves the following devices:
• Power-sourcing equipment (PSE): The PSE provides power for powered devices (PDs)
  on the Ethernet, and supports detection, analysis, and intelligent power management.
• PD: PDs are provided with power, such as wireless APs, portable device chargers, POS
  machines, and cameras. According to whether a PD conforms to an IEEE standard, PDs
  are classified into standard and non-standard PDs.
• PoE power supply: The PoE power supply provides power for the PoE system. The
  number of PDs connected to the PSE is limited by power of the PoE power supply.
  According to whether a PoE power supply is swappable, PoE power supplies are
  classified into built-in and external power supplies.


PoE Power Supply Standards


PoE power supply standards include IEEE 802.3bt, IEEE 802.3at, and IEEE 802.3af. PoE
technical specifications vary depending on the PoE power supply standard. For details, see
Table 6-8.
APs are classified as follows by the supported PoE power supply standard:
• 802.3bt AP: is also called UPoE AP, and supports IEEE 802.3bt and IEEE 802.3at.
  Functions supported by APs vary depending on the PoE power supply standard. For
  details, see Table 6-6.
• 802.3at AP: supports IEEE 802.3at and IEEE 802.3af. Functions supported by APs vary
  depending on the PoE power supply standard. For details, see Table 6-7.
• 802.3af AP: supports only IEEE 802.3af.

Function Comparison for APs in Different Power Supply Standards


802.3bt AP
802.3bt APs support IEEE 802.3bt and IEEE 802.3at. Table 6-6 compares the function
support by 802.3bt APs in different power supply standards.

Table 6-6 Function support by 802.3bt APs

AP Model: AP7050DN-E
  802.3bt Power Supply: The functions are not restricted when the AP is powered by 90 W
  802.3bt.
    • When the AP is powered by 90 W 802.3bt, the functions are not restricted, and the
      maximum power supported by PoE out is 45 W.
    • When the AP is powered by 60 W 802.3bt, PoE out is not supported.
  802.3at Power Supply: The USB function and PoE out are not supported.
    • The 2.4 GHz radio supports 2x2 MIMO, and the maximum transmit power of each
      spatial stream is adjusted to 20 dBm.
    • The 5 GHz radio supports 3x3 MIMO, and the maximum transmit power of each
      spatial stream is adjusted to 25 dBm.

AP Model: AP7052DN and AP7152DN
  802.3bt Power Supply: The functions are not restricted.
  802.3at Power Supply: The USB function is not supported. The radio power is managed in
  self-adaptive mode. The IoT card power is restricted within 0.5 W.
  When the AP is powered by 802.3at through an Ethernet port, only this Ethernet port is
  enabled while other ports are shut down. When two Ethernet ports are used to power the
  AP, the two ports are both enabled.

AP Model: AP6052DN
  802.3bt Power Supply: The functions are not restricted.
  802.3at Power Supply: The USB function and GE port are not supported. The radio power is
  managed in self-adaptive mode.

AP Model: AP7052DE
  802.3bt Power Supply: The functions are not restricted.
  802.3at Power Supply: The USB function is not supported. The radio power is managed in
  self-adaptive mode.
  When the AP is powered by 802.3at through an Ethernet port, only this Ethernet port is
  enabled while other ports are shut down. When two Ethernet ports are used to power the
  AP, the two ports are both enabled.

AP Model: AP8082DN and AP8182DN
  802.3bt Power Supply:
    • The functions are not restricted when the PoE_OUT port has no power output.
    • When the PoE_OUT port has power output, the 5GE/PoE_IN port and optical ports
      that go Up first can work. The radio power is reduced, and the 2.4 GHz and 5 GHz
      radios work in 3T4R mode.
      The 3T4R mode indicates that a radio transmits signals through three spatial
      streams and receives signals through four spatial streams.
  802.3at Power Supply: PoE out is not supported. The 5GE and optical ports can work only
  in Up state. The GE/POE_OUT port is shut down. The radio power is reduced. The 2.4G
  radio works in 2T4R mode.
  The 2T4R mode indicates that a radio transmits signals through two spatial streams and
  receives signals through four spatial streams.

The AP9430DN-12 supports only DC power supply through the matching power adapter.

802.3at AP

802.3at APs support IEEE 802.3at and IEEE 802.3af. Table 6-7 compares the function
support by 802.3at APs in different power supply standards.

Table 6-7 Function support by 802.3at APs

AP Model: AP4050DN-HD
  802.3at Power Supply:
    • When the PoE_OUT port has no power output, the maximum transmit power is
      adjusted to 19 dBm (2.4 GHz and 5 GHz radios).
    • When the PoE_OUT port has power output, the maximum transmit power is adjusted
      to 13 dBm (2.4 GHz radio) and 17 dBm (5 GHz radio).
  802.3af Power Supply: PoE out is not supported, and the maximum transmit power is
  adjusted to 13 dBm (2.4 GHz radio) and 17 dBm (5 GHz radio).

AP Model: R250D-E and AP2050DN-E
  802.3at Power Supply: The USB function and 10 W PoE out are supported.
  802.3af Power Supply: The USB function is disabled, and PoE out is not supported.

AP Model: AP2050DN, AP4051DN, and AP4151DN
  802.3at Power Supply: The functions are not restricted.
  802.3af Power Supply: The USB function is disabled.

AP Model: AP8050DN, AP8150DN, AP8030DN, AP8130DN, AP9131DN, and AP9132DN
  802.3at Power Supply: The functions are not restricted.
  802.3af Power Supply: All radios are disabled.

AP Model: AP4030TN
  802.3at Power Supply: The functions are not restricted.
  802.3af Power Supply: The USB function and all radios are disabled.

AP Model: AP4051TN
  802.3at Power Supply: The functions are not restricted.
  802.3af Power Supply: The USB function is not supported. All the three radios transmit
  signals through one spatial stream and receive signals through N spatial streams. N
  specifies the maximum number of spatial streams for receiving signals.

AP Model: AP4050DN-E
  802.3at Power Supply:
    • When the AP has no IoT card connected and does not use the USB port, the maximum
      PoE out power is 7 W.
    • When the AP has an IoT card connected and does not use the USB port, the maximum
      PoE out power is 5.5 W.
    • When the AP has two or more IoT cards connected or uses the USB port, PoE out is
      disabled.
  802.3af Power Supply: The USB function and all radios are disabled, and PoE out is not
  supported.

AP Model: AP6050DN, AP6150DN, and AP7050DE
  802.3at Power Supply:
    • When the AP has a USB device connected, the 2.4 GHz radio supports 2x2 MIMO.
    • When the AP has no USB device connected, the 2.4 GHz radio supports 4x4 MIMO.
  802.3af Power Supply: The USB function and all radios are disabled.

AP Model: AP8050TN-HD
  802.3at Power Supply: The functions are not restricted.
  802.3af Power Supply: All the three radios transmit signals through one spatial stream
  and receive signals through two spatial streams.

AP Model: R251D
  802.3at Power Supply: The functions are not restricted.
  802.3af Power Supply: The functions are not restricted.

AP Model: AP2051DN
  802.3at Power Supply: The functions are not restricted.
  802.3af Power Supply: The USB function is disabled.

AP Model: R251D-E, AP2051DN-E
  802.3at Power Supply: The PoE out and USB functions are mutually exclusive. The PoE out
  function is enabled by default.
  802.3af Power Supply: The USB function is disabled, and PoE out is not supported.

802.3af AP
802.3af APs support IEEE 802.3af, and their functions are not restricted.
All other APs support IEEE 802.3af except the 802.3bt and 802.3at APs listed in the
preceding table.

Working Process of PoE Power Supply


802.3bt AP
Figure 6-2 shows the PoE working process of an 802.3bt AP.


Figure 6-2 PoE working process of an 802.3bt AP

802.3at AP
Figure 6-3 shows the PoE working process of an 802.3at AP.


Figure 6-3 PoE working process of an 802.3at AP

802.3at APs that support hardware detection include the AP4050DN-HD, R250D-E,
AP2050DN, AP2050DN-E, AP4051DN, and AP4151DN.
802.3at APs that do not support hardware detection include the AP8030DN, AP8130DN,
AP9131DN, AP9132DN, AP4030TN, AP4050DN-E, AP6050DN, AP6150DN, AP7050DE,
AP4051TN, AP8050DN-HD, AP8050DN, and AP8150DN.
802.3af AP
APs always work in 802.3af power supply mode after being started.

PoE Power Management Mode


When the number of PDs connected to the PSE increases, the PoE power supply cannot provide
power for all PDs. Therefore, the PSE should manage the power supply. Power management is
classified into two modes: automatic and manual.
• Automatic mode: The PSE automatically powers on or powers off PDs based on power
  priorities. You can configure the power priority of each port as Critical, High, or Low
  based on the importance of the PD connected to each port. When providing power nearly
  at full capacity, the PSE provides power first for the PD connected to the port of Critical
  priority and then provides power for the PD connected to the port of High priority. If
  multiple PoE ports have the same priority, the system first supplies power to the PDs
  connected to the ports with smaller port numbers.
• Manual mode: You can manually power on or power off ports. In manual mode, the PSE
  provides power for a port without considering the priority. Powering on or powering off
  a single port does not affect the power supply status. When providing power nearly at
  full capacity, the PSE cannot continue to power on a new PD.

Power Supply Mode of PSEs


As defined in the IEEE standard, PSEs provide power for PDs and are classified into Midspan
(the PoE module is installed outside the device) and Endpoint (the PoE module is integrated
into the device) PSEs. Huawei's PoE modules are Endpoint PSEs. The Endpoint PSE is
compatible with 1000Base-T, 100Base-TX, and 10Base-T ports. The Endpoint PSE is more
widely used than the Midspan PSE.

Endpoint PSEs can work in Alternative A (line pair 1/2 and line pair 3/6) and Alternative B
(line pair 4/5 and line pair 7/8) power supply modes according to different copper line pairs.
• Alternative A mode: Power is transmitted over pairs of lines that transmit data.
  The PSE provides power for the PD over copper line pairs connected to pins 1 and 2 and
  pins 3 and 6. Pins 1 and 2 use the positive voltage and pins 3 and 6 use the negative
  voltage.
  10Base-T and 100Base-TX ports use copper line pairs connected to pins 1 and 2 and pins
  3 and 6 to transmit data, and 1000Base-T ports use four line pairs to transmit data. DC
  power and data frequency are independent. Therefore, the power and data can be
  transmitted in one pair of lines.
• Alternative B mode: Power is transmitted over idle pairs of lines.
  The PSE provides power for the PD over copper line pairs connected to pins 4 and 5 and
  pins 7 and 8. Pins 4 and 5 use the positive voltage and pins 7 and 8 use the negative
  voltage.

Generally, a standard PD supports the two modes, whereas the PSE only needs to support one
mode. Huawei PSE supports only Alternative A.

PoE Technical Specifications


PoE technical specifications vary depending on PoE technologies. You can select the required
PoE technology to power on PDs according to PD requirements.

Table 6-8 PoE technical specifications

Power supply technology    PoE                PoE+                 PoE++
Power supply distance      100 m              100 m                100 m
Power class                0-3                0-4                  0-8
Maximum current            350 mA             600 mA               1730 mA
PSE output voltage         44 V DC-57 V DC    50 V DC-57 V DC      50 V DC-57 V DC
PSE output power           ≤ 15400 mW         ≤ 30000 mW           ≤ 90000 mW
PD input voltage           36 V DC-57 V DC    42.5 V DC-57 V DC    42.5 V DC-57 V DC
Maximum PD power           12950 mW           25500 mW             81600 mW
Cable requirements         Unstructured       CAT-5e or better     CAT-5e or better
Power supply cable pairs   2                  2                    4

• PoE technology complies with IEEE 802.3af.
• PoE+ technology complies with IEEE 802.3at.
• PoE++ technology complies with IEEE 802.3bt.

6.10.3 Configuration Limitations for PoE

PoE features supported by devices include: power management, power-on and power-off in
multiple modes, non-standard PD compatibility, and power-on and power-off management.

Feature Limitations
• When the PoE power supply standard of an AP changes from 802.3af to 802.3at or from
  802.3at to 802.3bt, the AP will not restart. When the PoE power supply standard of an
  AP changes from 802.3bt to 802.3at or from 802.3at to 802.3af, the AP may restart.
• When an 802.3at AP that does not support hardware detection is connected to a switch
  whose power supply mode is 802.3af, the AP restarts repeatedly if the LLDP function is
  disabled on the switch.
• When an 802.3at AP that supports hardware detection is connected to a Cisco switch
  whose power supply mode is 802.3af, the AP restarts repeatedly if the LLDP function is
  disabled on the switch.
• The AP8050DN and AP8150DN cannot be connected to a switch whose power supply
  mode is 802.3af because the APs will restart repeatedly after their power consumption
  exceeds the power allowed by 802.3af. When the AP8050DN and AP8150DN are
  connected to a Cisco switch whose power supply mode is 802.3at, the APs will restart
  repeatedly after their power consumption exceeds the power allowed by 802.3at if the
  LLDP function is disabled on the switch.
• An 802.3bt AP cannot be connected to an 802.3af switch or a Cisco 802.3at switch.
• If the interval for sending LLDP packets is longer than 90 seconds, LLDP negotiation
  may time out, causing the device to incorrectly consider that the LLDP function is not
  supported or is disabled.
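
The limitations above can be checked against an AP inventory before deployment, so that restart loops are caught at planning time. The audit below is an added example, not Huawei code: the Link fields, finding codes, and sample inventory are hypothetical, and the model lists are copied from Table 6-6 and the hardware-detection lists in this section.

```python
from dataclasses import dataclass

# Model lists copied from Table 6-6 and the hardware-detection lists in this section.
BT_APS = {"AP7050DN-E", "AP7052DN", "AP7152DN", "AP6052DN", "AP7052DE",
          "AP8082DN", "AP8182DN"}
AT_HW_DETECT = {"AP4050DN-HD", "R250D-E", "AP2050DN", "AP2050DN-E",
                "AP4051DN", "AP4151DN"}
AT_NO_HW_DETECT = {"AP8030DN", "AP8130DN", "AP9131DN", "AP9132DN", "AP4030TN",
                   "AP4050DN-E", "AP6050DN", "AP6150DN", "AP7050DE", "AP4051TN",
                   "AP8050DN-HD", "AP8050DN", "AP8150DN"}
NO_AF_MODELS = {"AP8050DN", "AP8150DN"}   # cannot be connected to an 802.3af switch
LLDP_MAX_INTERVAL_S = 90                  # longer send intervals may time out

# Hypothetical finding codes used only by this example.
BT_UNSUPPORTED = "BT_AP_ON_AF_OR_CISCO_AT_SWITCH"
AF_UNSUPPORTED = "MODEL_NOT_ALLOWED_ON_AF_SWITCH"
RESTART_LOOP = "RESTART_LOOP_WHEN_LLDP_DISABLED"
LLDP_TIMEOUT = "LLDP_INTERVAL_OVER_90S"


@dataclass
class Link:
    """One AP uplink: the AP model and the PoE/LLDP state of the switch port."""
    ap_model: str
    switch_standard: str        # "802.3af", "802.3at" or "802.3bt"
    switch_is_cisco: bool
    switch_lldp_enabled: bool
    lldp_interval_s: int = 30   # constructed default for the sample data


def audit_link(link):
    """Return the finding codes that the Feature Limitations list implies for a link."""
    findings = []
    model, std = link.ap_model, link.switch_standard
    cisco, lldp = link.switch_is_cisco, link.switch_lldp_enabled

    # An 802.3bt AP cannot be connected to an 802.3af switch or a Cisco 802.3at switch.
    if model in BT_APS and (std == "802.3af" or (std == "802.3at" and cisco)):
        findings.append(BT_UNSUPPORTED)

    # 802.3at APs: the most specific rule wins, so a link is reported only once.
    if model in NO_AF_MODELS and std == "802.3af":
        findings.append(AF_UNSUPPORTED)
    elif model in NO_AF_MODELS and std == "802.3at" and cisco and not lldp:
        findings.append(RESTART_LOOP)
    elif model in AT_NO_HW_DETECT and std == "802.3af" and not lldp:
        findings.append(RESTART_LOOP)
    elif model in AT_HW_DETECT and std == "802.3af" and cisco and not lldp:
        findings.append(RESTART_LOOP)

    # LLDP negotiation may time out when packets are sent less often than every 90 s.
    if lldp and link.lldp_interval_s > LLDP_MAX_INTERVAL_S:
        findings.append(LLDP_TIMEOUT)
    return findings


def audit_inventory(inventory):
    """Map each AP name to its findings, leaving out APs with no findings."""
    report = {}
    for name, link in inventory.items():
        findings = audit_link(link)
        if findings:
            report[name] = findings
    return report


# Constructed sample inventory (names and port states are invented for illustration).
INVENTORY = {
    "lobby-ap": Link("AP6050DN", "802.3af", False, False),
    "lab-ap": Link("AP4051DN", "802.3af", False, False),
    "lab-ap-cisco": Link("AP4051DN", "802.3af", True, False),
    "hall-ap": Link("AP8050DN", "802.3af", False, True),
    "roof-ap": Link("AP8082DN", "802.3at", True, True, 120),
    "office-ap": Link("AP7052DN", "802.3bt", False, True),
}

if __name__ == "__main__":
    for ap_name, codes in audit_inventory(INVENTORY).items():
        print(ap_name, ", ".join(codes))
```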


PoE Functions Provided by the Device


• The device supports power supply capability negotiation using Link Layer Discovery
  Protocol (LLDP).
• PoE power supply is independent of the system power supply. You can configure the
  maximum power, the alarm threshold, and the percentage of reserved PoE power to the
  total PoE power.
• The device supports automatic, manual, and forcible power-on and power-off modes.
• The device can detect PDs that are compliant with 802.3af or 802.3at and provides
  power for these PDs.
• The device can be configured with the power-off time range to facilitate PD
  management.
• PoE OUT is supported only by the AP8082DN, AP8182DN, AP4050DN-E, AP4050DN-HD,
  AP7050DN-E, AP2050DN-E, AD9431DN-24X, AP2051DN-E, R251D-E,
  AD9430DN-24, and AD9430DN-12.

6.10.4 Enabling the PoE Function

Context
Before using an AP to provide power for PDs connected to its interfaces, ensure that the PoE
function is enabled on the interfaces.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run the port-link-profile name profile-name command to create an AP wired port link
profile and enter the profile view.
By default, the system provides the AP wired port link profile default.
Step 4 Run the undo poe disable command to enable the PoE function on the AP's interfaces.
By default, the PoE function is enabled on an AP's interface.

----End

6.10.5 (Optional) Configuring the LLDP Power Capacity Negotiation

Context
You can configure the TLV in LLDP so that the device can classify PDs through the LLDP
function enabled on the device. The device that is not configured with the LLDP function
detects and classifies PDs through analyzing current and resistance between the device and
PDs. Compared with current and resistance analysis, the LLDP function provides a more
comprehensive and accurate analysis.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap lldp enable
LLDP is enabled in the WLAN view.
By default, LLDP is enabled in the WLAN view.
Step 4 Run the port-link-profile name profile-name command to create an AP wired port link
profile and enter the AP wired port link profile view.
By default, the system provides the AP wired port link profile default.
Step 5 Run the lldp enable command to enable LLDP on an AP wired port.
By default, LLDP is enabled on AP wired interfaces.

NOTE

An AP can send and receive LLDP packets only after LLDP is enabled in both the WLAN view and the AP
wired port link profile view.

Step 6 Run lldp tlv-enable dot3-tlv power


LLDP is configured to advertise Power Via MDI TLV.
By default, LLDP is configured to advertise Power Via MDI TLV.
NOTE
After LLDP is configured to advertise the Power Via MDI TLV, the device can analyze the
interface type, whether the PSE supports MDI, the status of MDI power supply, whether the PSE
can control the line pairs, and the line pairs and power priority.

Step 7 Run lldp dot3-tlv power { 802.1ab | 802.3at }


The standard with which the 802.3 Power via MDI TLV sent by the interface complies is set.
By default, the 802.3 Power via MDI TLV advertised by a UPoE interface and a PoE interface
complies with 802.3bt and 802.3at, respectively.
Step 8 (Optional) Run lldp tlv-enable legacy-tlv four-pair-power
The AP wired port is configured to advertise Cisco's proprietary TLVs.
By default, an AP's wired interface advertises Cisco's proprietary TLVs.

----End

6.10.6 Configuring PoE Power Management


Context
You can configure the maximum power, percentage of the reserved PoE power to the total
PoE power, and PoE power alarm threshold. Setting power parameters based on requirement
of PDs connected to the AP helps you effectively use PoE power and ensures the AP stability.


Procedure
• Configure the maximum output power of the AP.

If the power that the network provides for the PoE device is unstable, for example, the
mains voltage fluctuates, the power that the PoE device provides for PDs is affected and
begins to fluctuate. As a result, PDs are not provided with sufficient power and some
PDs are powered off. You can configure the maximum output power of the AP to ensure
power stability for a PD.

a. Run the system-view command to enter the system view.


b. Run the wlan command to enter the WLAN view.
c. Run the ap-system-profile name profile-name command to create an AP system
profile and enter the profile view.

By default, the system provides the AP system profile default.


d. Run the poe max-power max-power command to set the maximum output power of
the AP.

By default, the maximum output power of the AP is the total power that the PoE
power supply provides for PDs.

This command takes effect only on the AP7052DN, AP7152DN, AP7050DN-E,
AP4050DN-E, AP4050DN-HD, AD9431DN-24X, AD9430DN-24, and
AD9430DN-12.
• Configure the reserved PoE power percentage.
The power of a PD keeps changing when the PD is running. Sometimes, the power
consumption increases sharply and the available power of the device cannot support the
burst increase of power. In this case, the device cuts off PDs on low-priority interfaces to
enable overload protection on PoE power. As a result, all PDs are powered off.
You can configure proper reserved power to solve the problem. When the power
consumption increases sharply, the reserved power can support the system running. Then
the device can immediately power off PDs on low-priority interfaces to ensure stable
running of other PDs.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. Run the ap-system-profile name profile-name command to create an AP system
profile and enter the profile view.

By default, the system provides the AP system profile default.


d. Run the poe power-reserved power-reserved command to configure the percentage
of the reserved PoE power against the total PoE power on the AP.

By default, the percentage of the reserved PoE power against the total PoE power
on an AP is 0%.
• Configure the alarm threshold of power consumption percentage.
When the power consumption increases sharply within a range, the reserved power can
satisfy the power requirement. However, if the power consumption exceeds the range,
some PDs are powered off. To solve this problem, configure the alarm threshold for the
power consumption percentage. When the power consumption exceeds the threshold, the
system generates an alarm so that administrators can take measures to reduce the power
consumption.

a. Run the system-view command to enter the system view.


b. Run the wlan command to enter the WLAN view.
c. Run the ap-system-profile name profile-name command to create an AP system
profile and enter the profile view.

By default, the system provides the AP system profile default.


d. Run the poe power-threshold threshold-value command to configure the alarm
threshold of PoE power consumption percentage.

By default, the alarm threshold is 100%.

----End
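
The following simplified model shows how the power priorities of automatic mode interact with the reserved power percentage and the alarm threshold configured above. It is an added example, not Huawei code: the greedy allocation, the subtraction of reserved power from the budget, the 60 W budget, and the port data are assumptions made for illustration.

```python
from dataclasses import dataclass

# Lower rank is served first: critical, then high, then low.
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


@dataclass
class PoePort:
    number: int
    priority: str     # "critical", "high" or "low"
    demand_mw: int    # power the connected PD draws, in mW


def plan_power(ports, total_mw, reserved_pct=0, threshold_pct=100):
    """Decide which ports are powered under a budget (assumed model, see lead-in).

    Ports are served by priority, then by smaller port number. Reserved power is
    kept out of the budget available to PDs. The alarm is raised when the power
    in use exceeds threshold_pct of the total PoE power.
    """
    if not 0 <= reserved_pct <= 100 or not 0 <= threshold_pct <= 100:
        raise ValueError("percentages must be between 0 and 100")
    usable_mw = total_mw * (100 - reserved_pct) // 100
    powered, denied, used_mw = [], [], 0
    order = sorted(ports, key=lambda p: (PRIORITY_RANK[p.priority], p.number))
    for port in order:
        if used_mw + port.demand_mw <= usable_mw:
            powered.append(port.number)
            used_mw += port.demand_mw
        else:
            denied.append(port.number)
    return {
        "usable_mw": usable_mw,
        "used_mw": used_mw,
        "powered": powered,
        "denied": denied,
        "alarm": used_mw * 100 > threshold_pct * total_mw,
    }


# Constructed sample: demands use the maximum PD power values from Table 6-8
# (12950 mW for PoE, 25500 mW for PoE+) plus one small 6000 mW device.
SAMPLE_PORTS = [
    PoePort(1, "low", 25500),
    PoePort(2, "critical", 12950),
    PoePort(3, "high", 25500),
    PoePort(4, "critical", 12950),
    PoePort(5, "low", 6000),
]

if __name__ == "__main__":
    for reserved in (0, 20):
        plan = plan_power(SAMPLE_PORTS, 60000, reserved, threshold_pct=90)
        print(f"reserved={reserved}%", plan)
```

With 20% reserved, the High-priority port 3 no longer fits while the small Low-priority port 5 still does, which is the kind of outcome worth checking before choosing a reserved percentage.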

6.10.7 Configuring the Device to Allow High Inrush Current During Power-On

Context
High inrush current is generated when a non-standard PD is powered on. In this case, the AP
cuts off the power of the PD to protect itself. If the AP is required to provide power to the PD,
the PSE must allow high inrush current.

NOTICE
If high inrush current is allowed, the self-protection function of the AP is disabled. This may
damage components of the PD.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run the ap-system-profile name profile-name command to create an AP system profile and
enter the profile view.

By default, the system provides the AP system profile default.

Step 4 Run the poe high-inrush enable command to configure the AP to allow high inrush current
during power-on.

By default, interfaces do not allow high inrush current during power-on.

This command takes effect only on the AP7052DN, AP7152DN, AP7050DN-E, AP4050DN-
E, AP4050DN-HD, AD9431DN-24X, AD9430DN-24, and AD9430DN-12.

----End


6.10.8 Configuring PoE Power-on and Power-off Management

Context
PoE power-on and power-off management includes the following functions:
• Setting the power priority of PoE interfaces
• Setting power-on and power-off time ranges
• Configuring compatibility with non-standard PDs
• Setting a PoE standard
• Configuring forcible PoE power supply

Procedure
• Set the power priority of PoE interfaces on the AP.
You can configure power priorities for PoE interfaces: critical, high, and low. When the
available power is insufficient, the AP provides power first for the PDs connected to
high-priority interfaces.

The priorities in descending order are critical, high, and low.

a. Run the system-view command to enter the system view.


b. Run the wlan command to enter the WLAN view.
c. Run the port-link-profile name profile-name command to create an AP wired port
link profile and enter the profile view.

By default, the system provides the AP wired port link profile default.
d. Run the poe priority { critical | high | low } command to set the power priority of
PoE interfaces on the AP.

By default, the power supply priority of an interface is low.

• Set the power-off time range of a PoE interface.
PDs connected to an interface do not work all the time. You can set the power-off time range
of a PoE interface so that it can automatically power off when it is idle to save energy.
a. Run the system-view command to enter the system view.
b. Run the time-range time-name { start-time to end-time { days } &<1-7> | from
time1 date1 [ to time2 date2 ] } command to define a power-off time range of PoE.
c. Run the wlan command to enter the WLAN view.
d. Run the port-link-profile name profile-name command to create an AP wired port
link profile and enter the profile view.

By default, the system provides the AP wired port link profile default.
• Configure the device to be compatible with non-standard PDs.
When a non-standard PD is connected to the AP, the AP cannot detect the proper
resistance and cannot identify the PD. When compatibility check is enabled, the AP can
detect and provide power for the PD that does not comply with the IEEE 802.3af or
IEEE 802.3at standard.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.

c. Run the port-link-profile name profile-name command to create an AP wired port
link profile and enter the profile view.

By default, the system provides the AP wired port link profile default.
d. Run the poe legacy enable command to enable PD compatibility check on the AP.

By default, an AP does not check compatibility of the connected PDs.


• Configure the PoE standard type.

The AP that supports IEEE 802.3at provides a maximum power of 30 W, and the AP that
supports IEEE 802.3af provides a maximum power of 15.4 W. The former AP provides
higher current than the latter AP when they power on PDs.

Some non-standard PDs cannot be powered on in high current. To power on these PDs,
configure the AP to provide power with low current in conformance to IEEE 802.3af.

a. Run the system-view command to enter the system view.


b. Run the wlan command to enter the WLAN view.
c. Run the ap-system-profile name profile-name command to create an AP system
profile and enter the profile view.

By default, the system provides the AP system profile default.


d. Run the poe af-inrush enable command to configure the AP to provide PoE power
in compliance with IEEE 802.3af.

By default, an AP provides PoE power in compliance with IEEE 802.3at.

This command takes effect only on the AP7052DN, AP7152DN, AP7050DN-E,
AP4050DN-E, AP4050DN-HD, AD9431DN-24X, AD9430DN-24, and
AD9430DN-12.

NOTE
After running the poe af-inrush enable command, remove the non-IEEE 802.3at PDs and
then install them so that the PDs can be powered on.
• Power on PDs on an interface forcibly.

After this function is configured, an interface forcibly powers on the connected PD even
if the PSE cannot identify the PD. Before powering on the interface, ensure that the
system power is sufficient.

a. Run the system-view command to enter the system view.


b. Run the wlan command to enter the WLAN view.
c. Run the port-link-profile name profile-name command to create an AP wired port
link profile and enter the profile view.

By default, the system provides the AP wired port link profile default.
d. Run the poe force-power command to enable PoE power supply on the AP's
interfaces.

By default, forcible PoE power supply is disabled on an interface.

----End

6.10.9 Applying Profiles


Context
After the configuration is complete, apply profiles to an AP group or AP so that the
configuration can be automatically delivered to specific APs and takes effect.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run wired-port-profile name profile-name

The AP wired port profile view is displayed.

Step 4 Run port-link-profile profile-name

The AP wired port link profile is bound to the AP wired port profile.

By default, the AP wired port link profile default is bound to an AP wired port profile.

Step 5 Run quit

Return to the WLAN view.

Step 6 Apply the AP wired port profile and AP system profile.


• Binding the AP wired port profile and AP system profile to an AP group
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP group.
By default, the AP system profile default is bound to an AP group.
c. Run the wired-port-profile profile-name interface-type interface-number command
to bind the AP wired port profile to the AP group.
By default, the AP wired port profile default is bound to an AP group.
• Binding the AP wired port profile and AP system profile to an AP
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP.
By default, no AP system profile is bound to an AP.
c. Run the wired-port-profile profile-name interface-type interface-number command
to bind the AP wired port profile to the AP.
By default, no AP wired port profile is bound to an AP.

----End


6.10.10 Verifying the PoE Configuration

Prerequisites
After the working mode of an AP's wired interface and the PoE function of a PSE have been
configured, run the following commands to check the configuration:

Procedure
• Run the display wired-port-profile { all | name profile-name } command to check
  configuration and reference information about an AP wired port profile.
• Run the display port-link-profile { all | name profile-name } command to check
  configuration and reference information about an AP wired port link profile.
• Run the display ap-system-profile { all | name profile-name } command to check
  configuration and reference information about an AP system profile.
• Run the display references wired-port-profile name profile-name command to check
  reference information about an AP wired port profile.
• Run the display references port-link-profile name profile-name command to check
  reference information about an AP wired port link profile.
• Run the display references ap-system-profile name profile-name command to check
  reference information about an AP system profile.

----End

6.11 Configuring APs to Report KPIs

Context
Wi-Fi networks are open and shared, and work on free wireless frequency bands. Therefore,
co-channel interference may easily occur in wireless environments, causing Wi-Fi network
instability. These always-changing factors make post-event backtracking difficult. To improve
troubleshooting efficiency, configure APs to report key performance indicators (KPIs) to a
WLAN Maintaining Insight (WMI) server for possible fault cause analysis. In addition, data
statistics are centrally collected for observing device and network trends and identifying
potential device and network faults.

APs can report the following KPI information to the server:


• Device monitoring data
• Radio monitoring data
• SSID monitoring data
• Interface monitoring data
• STA data
• STA location data
• Log data
• Security data


NOTE

Only WMI-supported APs can report KPIs to a WMI server.


The WMI function is supported by all APs except the AP2010DN, AP3010DN, AP5010SN, AP5010DN,
AP6010SN, AP6010DN, AP6310SN, AP6510DN, AP6610DN, AP7110SN, AP7110DN, AP2030DN,
AP7030DE, AP9330DN, AP9131DN, AP9132DN, AP4030DN, AP4130DN, AP5030DN, and AP5130DN.
Currently, only cloud APs can report STA location data, log data, and security data to the WMI server.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run wmi-server name profile-name

A WMI profile is created and the WMI profile view is displayed.

By default, no WMI profile is created.

Step 4 Run server ip-address ip-address port port

The destination IP address and port number are configured for APs to report KPI information.

By default, no destination IP address or port number is configured for APs to report KPI
information.

Step 5 (Optional) Run keepalive { interval interval | retry-interval retry-interval | retry-number retry-number } *

Connection parameters between APs and the WMI server are set.

By default, the heartbeat interval is 3 minutes, the reconnection interval is 5 minutes, and the
number of reconnection attempts is 0.

The value 0 indicates that the server and APs always attempt to reconnect to each other.

Step 6 (Optional) Run max-packet-size size

The maximum data length of KPI information sent by APs to a WMI server is specified.

By default, the maximum data length of KPI information sent by APs to a WMI server is 5
KB.

Step 7 (Optional) Run report-interval interval

The interval for APs to report KPI information to a WMI server is specified.

By default, APs report KPI information to a WMI server at an interval of 60 seconds.

Step 8 (Optional) Run at least one of the following commands to configure whether APs report
collected data to the WMI server and set the data collection interval:
• collect-item device-data { interval interval1 | disable }
• collect-item interface-data { interval interval2 | disable }
• collect-item location-data { interval interval3 | disable }
• collect-item log-data { interval interval4 | disable }
• collect-item radio-data { interval interval5 | disable }
• collect-item security-data { interval interval6 | disable }
• collect-item ssid-data { interval interval7 | disable }
• collect-item terminal-data { interval interval8 | disable }

By default, APs report all types of collected data to a WMI server. The data collection interval
varies depending on the data type, as listed in Table 1.

Step 9 Run quit

Return to the WLAN view.

Step 10 Run ap-system-profile name profile-name

An AP system profile is created, and the AP system profile view is displayed.

By default, the system provides the AP system profile default.

Step 11 Run wmi-server profile-name

The WMI profile is bound to the AP system profile.

By default, no WMI profile is bound to an AP system profile.

Step 12 Run quit

Return to the WLAN view.

Step 13 Bind an AP system profile to an AP group or AP.

• Binding an AP system profile to an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to the AP group.
     By default, the AP system profile default is bound to an AP group.
• Binding an AP system profile to an AP.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to the AP.
     By default, no AP system profile is bound to an AP.

----End

Verifying the Configuration


• Run the display wmi-server { all | name wmi-server-name } command to check configuration and reference information about a WMI profile.
• Run the display references wmi-server name wmi-server-name command to check reference information about a WMI profile.


6.12 Maintaining APs


6.12.1 Checking Wireless Link Quality Between an AP and a STA

Context
On wireless networks, radio is the transmission medium and is easily affected by
interference from the surroundings. The transmission quality of service data changes greatly
depending on the interference. Therefore, you must evaluate and check the transmission
quality of wireless links to ensure better service data transmission, efficient cooperation
between densely deployed wireless networks, and reduced signal interference.

Use the RF ping function to exchange data packets between APs and STAs and check the
transmission quality of wireless links. The link check result includes the signal strength, radio
interface rate, and packet sending delay, which together indicate the transmission quality of
wireless links.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run the rf-ping [ -m time | -c number ] * mac-address command to check wireless link
quality.

----End

6.12.2 Checking Connectivity Between an AP and a Network Device

Context
When a network fault occurs, use an AP to ping other network devices to check the
connectivity.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.


Step 3 Run the ap-ping { ap-name ap-name | ap-id ap-id } [ -c count | -s packetsize | -m time | -t
timeout ] * host command to ping a network device from an AP to check network connectivity
between them.

----End

6.12.3 Checking AP Running Statistics

Context
After the configurations for bringing APs online and managing APs are complete, run the
following commands in any view to check AP running statistics.

Procedure
• Run the display ap run-info { ap-name ap-name | ap-id ap-id } command to check AP running information.
• Run the display ap performance statistics { ap-name ap-name | ap-id ap-id } command to check AP performance statistics.
• Run the display radio { all | ap-group ap-group-name | ap-name ap-name | ap-id ap-id } command to check AP radio information.
• Run the display ap asyn-message err-info { all | ap-name ap-name | ap-id ap-id } command to check records about AP restart failures.
• Run the display ap uncontrol all command to check unauthorized APs.
• Run the display channel switch-record { all | ap-name ap-name radio radio-id | ap-id ap-id radio radio-id | reason reason } command to check channel switching records.
• Run the display ap traffic statistics wireless { ap-name ap-name | ap-id ap-id } radio radio-id [ ssid ssid ] command to check packet statistics on an AP radio.
• Run the display ap elabel { ap-name ap-name | ap-id ap-id } command to check AP electronic label information.
• Run the display ap service-config acl { ap-name ap-name | ap-id ap-id } command to check ACL configurations on an AP.
• Run the display ap port { all | ap-name ap-name | ap-id ap-id | ap-mac ap-mac } command to check the AP port status and traffic information.
• Run the display distribute-ap { all | ap-id ap-id | ap-mac ap-mac | ap-name ap-name | central-ap-id central-ap-id | central-ap-mac central-ap-mac | central-ap-name central-ap-name } command to check RU information.
• Run the display ap statistics command to check statistics on the types of APs added to an AC.
----End

6.12.4 Checking AP Neighbor Information

Context
You can view neighbor information on a specified AP radio to determine the AP location and
neighbor relationship, helping locate rogue APs and plan the WLAN.


Procedure
Step 1 Run the display ap lldp neighbor { { ap-name ap-name | ap-id ap-id } [ interface interface-
type interface-number ] | brief } command to check LLDP neighbor information on an AP.
Step 2 Run the display ap neighbor { ap-name ap-name | ap-id ap-id } [ radio radio ] command to
check information about neighbors of a radio.
Step 3 Run the display ap around-ssid-list { ap-name ap-name | ap-id ap-id } command to check
SSIDs of an AP's neighbors.

----End

6.13 Configuration Examples for AP Management

6.13.1 Example for Configuring Service Holding upon CAPWAP Link Disconnection

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
An enterprise deploys WLAN area A to provide WLAN services. As shown in Figure 6-4,
the AP is directly connected to the switch, service data is directly forwarded in AC bypass
deployment mode, and the switch connects to the Internet through the egress route. The
enterprise requires that data forwarding is not affected even when the AC is faulty to improve
data transmission reliability.


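Figure 6-4 Networking diagram for configuring service holding upon CAPWAP link disconnection

[Figure: STAs in Area A associate with the AP; the AP connects to GE0/0/1 of the switch, GE0/0/2 of the switch connects to GE0/0/1 of the AC, and the switch connects to the network. A CAPWAP tunnel runs between the AP and the AC. Legend: control packet, data packet.]
Management VLAN: VLAN 100
Service VLAN: VLAN 101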

Configuration Roadmap
1. Configure basic WLAN services.
2. Configure service holding upon CAPWAP link disconnection to improve data
transmission reliability so that data forwarding is not affected even when the AC is
faulty.

Table 6-9 Data plan

Item                        Data
--------------------------  --------------------------------------------------
DHCP server                 Switch, which assigns IP addresses to STAs and APs
IP address pool for APs     10.1.1.3-10.1.1.254/24
IP address pool for STAs    10.1.2.2-10.1.2.254/24
Gateway address for APs     10.1.1.1/24
Gateway address for STAs    10.1.2.1/24
AC source interface         VLANIF100: 10.1.1.2/24
AP group                    • Name: ap-group1
                            • Referenced profile: AP system profile wlan-system,
                              VAP profile wlan-vap, and regulatory domain
                              profile domain
Regulatory domain profile   • Name: domain
                            • Country code: CN
SSID profile                • Name: wlan-ssid
                            • SSID name: wlan-net
Security profile            • Name: wlan-security
                            • Security policy: WPA2+PSK+AES
                            • Password: a1234567
VAP profile                 • Name: wlan-vap
                            • Forwarding mode: direct forwarding
                            • Service VLAN: VLAN 101
                            • Referenced profile: SSID profile wlan-ssid and
                              security profile wlan-security
AP system profile           • Name: wlan-system
                            • Service holding upon CAPWAP link disconnection:
                              enabled

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the switch and AC to enable the AC to communicate with the APs.
# Create VLAN100 (management VLAN) and VLAN101 (service VLAN) on the switch. Set
the link type of GE0/0/1 that connects the switch to the APs to trunk and PVID of the
interface to 100, and configure the interface to allow packets of VLAN100 and VLAN101 to
pass. Set the link type of GE0/0/2 on the switch to trunk, and configure the interface to allow
packets of VLAN100 to pass.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to the switch to VLAN100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP function on the switch to allocate IP addresses to APs and STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool view.

# Configure VLANIF100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.1.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.1.1.2
[Switch-Vlanif100] quit


# Configure VLANIF101 to use the interface address pool to allocate IP addresses to STAs.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 4 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain
[AC-wlan-regulate-domain-domain] country-code cn
[AC-wlan-regulate-domain-domain] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.1.1.2 255.255.255.0
[AC-Vlanif100] quit
[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
----------------------------------------------------------------------------------
---
ID MAC Name Group IP Type State STA
Uptime


----------------------------------------------------------------------------------
---
0 60de-4476-e360 area_1 ap-group1 10.1.1.254 AP6010DN-AGN nor 0 10S
----------------------------------------------------------------------------------
---
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the AP system profile wlan-system and configure the service holding function.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] keep-service enable
[AC-wlan-ap-system-prof-wlan-system] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the AP system profile and VAP profile to the AP group and apply the VAP profile to
radio 0 and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Verify the configuration.


The WLAN with SSID wlan-net is available for STAs connected to the AP, and these STAs
can connect to the WLAN without authentication. If the AC is powered off, service data
forwarding for wireless users in area A is not affected.

----End

Configuration Files
• Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.1.1.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.1.1.2
#
interface Vlanif101
 ip address 10.1.2.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode direct-forward
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain
 ap-system-profile name wlan-system
  keep-service enable
 ap-group name ap-group1
  ap-system-profile wlan-system
  regulatory-domain-profile domain
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return
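
The checks from the Configuration Notes (port isolation on AP-facing switch ports, and different management and service VLANs in tunnel forwarding mode), together with the trunk VLANs set in Step 2, can be run against saved configuration files. The following Python script is an added example, not part of the Huawei guide; the sample configurations are constructed from this example's files, and GE0/0/3, guest-vap, and all function names are hypothetical.

```python
import re

# Constructed sample: the AP-facing port from this example's switch file, plus a
# hypothetical second AP port (GE0/0/3) added without isolation or VLAN 101.
SWITCH_CFG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
return
"""

# Constructed sample: VAP profiles as they appear under "wlan" in the AC file.
# "guest-vap" is hypothetical and reuses the management VLAN in tunnel mode.
AC_CFG = """\
wlan
 vap-profile name wlan-vap
  forward-mode direct-forward
  service-vlan vlan-id 101
 vap-profile name guest-vap
  forward-mode tunnel
  service-vlan vlan-id 100
#
return
"""


def parse_blocks(text, header_re):
    """Return {name: [child lines]} for every header line matching header_re.

    A block ends at '#', at a blank line, or at a line indented no deeper
    than its header.
    """
    blocks, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        match = re.match(header_re, line)
        if match:
            current, depth = match.group(1), indent
            blocks[current] = []
        elif current is not None:
            if line == "#" or not line or indent <= depth:
                current = None
            else:
                blocks[current].append(line)
    return blocks


def expand_vlans(spec):
    """Expand allow-pass syntax such as '100 to 101 200' into a set of ints."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(start)
            i += 1
    return vlans


def audit_switch(cfg, ap_ports, mgmt_vlan, service_vlans):
    """Check AP-facing ports for port isolation and the required trunk VLANs."""
    findings = []
    interfaces = parse_blocks(cfg, r"interface (\S+)")
    for port in ap_ports:
        lines = interfaces.get(port)
        if lines is None:
            findings.append(f"{port}: not found in configuration")
            continue
        if not any(l.startswith("port-isolate enable") for l in lines):
            findings.append(f"{port}: AP-facing port without port isolation")
        allowed = set()
        for l in lines:
            m = re.match(r"port trunk allow-pass vlan (.+)", l)
            if m:
                allowed |= expand_vlans(m.group(1))
        missing = ({mgmt_vlan} | set(service_vlans)) - allowed
        if missing:
            findings.append(f"{port}: trunk does not allow VLAN(s) {sorted(missing)}")
    return findings


def audit_vaps(cfg, mgmt_vlan):
    """Flag tunnel-forwarding VAP profiles whose service VLAN is the management VLAN."""
    findings = []
    for name, lines in parse_blocks(cfg, r"vap-profile name (\S+)").items():
        mode = next((l.split()[1] for l in lines if l.startswith("forward-mode ")), None)
        vlan = next((int(l.split()[-1]) for l in lines
                     if l.startswith("service-vlan vlan-id ")), None)
        if mode == "tunnel" and vlan == mgmt_vlan:
            findings.append(f"{name}: tunnel forwarding with service VLAN {vlan} "
                            "equal to the management VLAN")
    return findings


if __name__ == "__main__":
    ports = ["GigabitEthernet0/0/1", "GigabitEthernet0/0/3"]
    for finding in audit_switch(SWITCH_CFG, ports, 100, [101]) + audit_vaps(AC_CFG, 100):
        print(finding)
```

The list of AP-facing ports and the management VLAN are passed in by the caller because neither file states them explicitly.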


6.14 Common Configuration Errors


This section describes the common configuration errors and provides the troubleshooting
methods.

6.14.1 After the AP's Uplink Wired Interface Is Configured to Work in Endpoint Mode, the AP Cannot Go Online After a Restart

Fault Symptom
After the AP's uplink wired interface is configured to work in endpoint mode, the AP cannot
go online after a restart.

Procedure
1. Check whether the AP's uplink wired interface is configured to work in endpoint mode.
Error-prone configuration:
When working as an uplink interface to connect to an AC, an AP's wired interface must
work in root mode. In root mode, the AP's wired interface automatically joins service
VLANs and user-specific VLANs (for example, VLANs assigned by the RADIUS
server).
When working as a downlink interface to connect to a wired terminal, the AP's wired
interface must work in endpoint mode. In endpoint mode, the AP's wired interface does
not join any VLAN by default.
NOTE
This configuration takes effect only after the AP is restarted.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] wired-port-profile name wired
[HUAWEI-wlan-wired-port-wired] mode endpoint
Warning: If the AP goes online through a wired port, the incorrect port mode
configuration will cause the AP to go out of management.
This fault can be recovered only by modifying the configuration on the AP.
Continue? [Y/N]:y
[HUAWEI-wlan-wired-port-wired] return

Suggestion:
– Hold down the Default button to restore factory settings of the AP.
– Log in to the AP and perform the following operations:
  i. Configure a static ARP entry on the access switch.
     <Switch> system-view
     [Switch] arp static 169.254.1.1 a858-40dd-ef80 //The default IP address of the AP is 169.254.1.1. The MAC address of the AP is specified because devices on the network may have the same IP address.

  ii. Configure an IP address on the same network segment as that of the AP for the switch.
     [Switch] interface Vlanif1
     [Switch-Vlanif1] ip address 169.254.1.100 255.255.255.0
     [Switch-Vlanif1] quit

  iii. Configure the PVID for the port connecting the switch directly to the AP.
     [Switch] interface GigabitEthernet0/0/1
     [Switch-GigabitEthernet0/0/1] port trunk pvid vlan 1

  iv. Log in to the AP from the access switch through STelnet.

  v. Run the work-mode root command in the interface view of the AP to set the
     working mode of the interface to root. Alternatively, run the reset
     factory-configuration command in the user view to restore factory settings of the AP.
     <Huawei> system-view
     [Huawei] interface GigabitEthernet 0/0/0
     [Huawei-GigabitEthernet0/0/0] work-mode root

  vi. Restart the AP.
     <Huawei> reboot


7 Radio Resource Management

7.1 Overview of Radio Resource Management


Definition
WLAN technology uses radio signals (such as 2.4 GHz or 5 GHz radio waves) as a
transmission medium. Radio signals are attenuated during transmission in the air, degrading
service quality for wireless users. Radio resource management (RRM) enables APs to monitor
the surrounding radio environment and adapt to changes in the radio environment by
dynamically adjusting working channels and transmit power, reducing radio signal
interference, and evenly distributing access to users.

Purpose
RRM helps reduce radio signal interference, adjust radio coverage, and enable a wireless
network to quickly adapt to changes in the radio environment. With the RRM function, the
wireless network can provide high service quality for wireless users and maintain an optimal
radio resource utilization.

7.2 Understanding Radio Resource Management


7.2.1 Radio Calibration

Overview
On a WLAN, the operating status of APs is affected by the radio environment. For example,
adjacent APs using the same working channel interfere with each other, and a high-power AP
can interfere with adjacent APs if they work on overlapping channels. Radio calibration can
dynamically adjust channels and power of APs managed by the same AC to ensure that the
APs work in a way that optimizes performance.

Channel Adjustment
On a WLAN, adjacent APs must work on non-overlapping channels to avoid radio
interference. For example, the 2.4 GHz frequency band is divided into 14 overlapping 20
MHz channels, as shown in Figure 7-1.


NOTE

For channels supported in different countries, see the Country Code & Channel Compliance Table. You can
obtain this table at the Huawei technical support website.
• Enterprise technical support website: http://support.huawei.com/enterprise
• Carrier technical support website: http://support.huawei.com

Figure 7-1 Channels on the 2.4 GHz frequency band

Channel   Center frequency (GHz)
1         2.412
2         2.417
3         2.422
4         2.427
5         2.432
6         2.437
7         2.442
8         2.447
9         2.452
10        2.457
11        2.462
12        2.467
13        2.472
14        2.484

The 5 GHz frequency band has even richer spectrum resources. In addition to 20 MHz
channels, APs working on the 5 GHz frequency band support 40 MHz and 80 MHz channels,
as shown in Figure 7-2.

Figure 7-2 Channels

[Figure: IEEE channel numbers 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 149, 153, 157, 161, and 165, shown with their 20 MHz, 40 MHz, and 80 MHz channel groupings.]

• Two neighboring 20 MHz channels are bundled into a 40 MHz channel. One of the two
  20 MHz channels is the primary channel, and the other the auxiliary channel. The
  primary channel is used for transmission of the management and control packets, and the
  auxiliary channel for other packets, including the data packets.
• Two neighboring 40 MHz channels are bundled into an 80 MHz channel. In an 80 MHz
  channel, one 20 MHz channel is selected as the primary channel. The other 20 MHz
  channel making up the 40 MHz channel with the primary channel is called the auxiliary
  20 MHz channel. The 40 MHz channel not containing the primary channel is called the
  auxiliary 40 MHz channel.
Figure 7-3 shows an example of channel distribution before and after channel adjustment.
Before channel adjustment, both AP2 and AP4 use channel 6. After channel adjustment, AP4
uses channel 11 so that it does not interfere with AP2.
After channel adjustment, each AP is allocated an optimal channel to minimize or avoid
adjacent-channel or co-channel interference, ensuring reliable data transmission on the
network.
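
The channel rules above, as an added Python example that is not part of the Huawei guide: it derives the 2.4 GHz center frequencies of Figure 7-1, flags neighboring APs whose working channels overlap, and names the primary and auxiliary channels of a bonded 5 GHz channel. The neighbor list, the channel of AP3 after adjustment, and the fixed grouping of 5 GHz channels (standard 802.11 channelization) are assumptions not stated in the text.

```python
def center_mhz(channel):
    """Center frequency in MHz of a 2.4 GHz channel (the values of Figure 7-1)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def overlaps(a, b, width_mhz=20):
    """True if two 2.4 GHz channels of the given width share spectrum."""
    return abs(center_mhz(a) - center_mhz(b)) < width_mhz


def interfering_pairs(plan, neighbors):
    """Neighbor pairs whose working channels overlap (co- or adjacent-channel)."""
    return [(x, y) for x, y in neighbors if overlaps(plan[x], plan[y])]


# Channel plans in the style of Figure 7-3. NEIGHBORS (which coverage areas
# touch) and AP3's channel after adjustment are assumed for this example.
NEIGHBORS = [("AP1", "AP2"), ("AP1", "AP3"), ("AP2", "AP4"), ("AP3", "AP4")]
BEFORE = {"AP1": 1, "AP2": 6, "AP3": 11, "AP4": 6}
AFTER = {"AP1": 1, "AP2": 6, "AP3": 6, "AP4": 11}

# 5 GHz channel numbers listed in Figure 7-2.
CHANNELS_5G = [36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120,
               124, 128, 132, 136, 140, 149, 153, 157, 161, 165]
# First channel of each run of four 20 MHz channels that can form 80 MHz
# (standard 802.11 channelization, assumed here).
BLOCK_STARTS = [36, 52, 100, 116, 132, 149]


def bonding_roles(primary, width_mhz):
    """Name the 20 MHz channels of a bonded 40 or 80 MHz channel by role."""
    if primary not in CHANNELS_5G:
        raise ValueError(f"not a listed 5 GHz channel: {primary}")
    if width_mhz not in (40, 80):
        raise ValueError("width must be 40 or 80 MHz")
    start = max(s for s in BLOCK_STARTS if s <= primary)
    block = [start + 4 * i for i in range(4)]
    if primary not in block:
        raise ValueError(f"channel {primary} cannot be bonded")  # for example 165
    pair = block[:2] if block.index(primary) < 2 else block[2:]
    if not all(c in CHANNELS_5G for c in pair):
        raise ValueError(f"channel {primary} has no listed 40 MHz partner")
    roles = {"primary": primary,
             "auxiliary_20": pair[0] if pair[1] == primary else pair[1]}
    if width_mhz == 80:
        if not all(c in CHANNELS_5G for c in block):
            raise ValueError(f"channel {primary} is not part of a listed 80 MHz block")
        # The 40 MHz half that does not contain the primary channel.
        roles["auxiliary_40"] = [c for c in block if c not in pair]
    return roles


if __name__ == "__main__":
    print("before:", interfering_pairs(BEFORE, NEIGHBORS))
    print("after: ", interfering_pairs(AFTER, NEIGHBORS))
    print(bonding_roles(44, 80))
```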


Figure 7-3 Channel adjustment

[Figure: two panels, "Before channel adjustment" and "After channel adjustment", each showing AP1 to AP4 with their working channels (1, 6, and 11).]
Note: A circle represents an AP's coverage area. Channel X indicates an AP's working channel.

In addition to optimizing radio performance, channel adjustment can also be used for dynamic
frequency selection (DFS). In some regions, radar systems work in the 5 GHz frequency band,
which can interfere with radio signals of APs working in the 5 GHz frequency band. The DFS
function enables APs to automatically switch to other channels when they detect interference
on their current working channels.

Power Adjustment
An AP's transmit power determines its radio coverage area. APs with higher power have
larger coverage areas. A traditional method to control the radio power is to set the transmit
power to the maximum value to maximize the radio coverage area. However, a high transmit
power may cause interference with other wireless devices. Therefore, an optimal power is
required to balance the coverage area and signal quality.
The power adjustment function helps dynamically allocate proper power to APs according to
the real-time radio environment. Power adjustment works according to the following:
• When an AP is added to the network, the transmit power of neighboring APs decreases,
  as shown in Figure 7-4. The area of the circle around an AP represents the AP's
  coverage area after transmit power adjustment. When AP4 is added to the network, the
  transmit power of each AP decreases automatically.

Figure 7-4 Transmit power of APs decreases

[Figure: two panels showing the AC, the switch, and AP1 to AP3, then AP1 to AP4. When AP4 is added, power of each existing AP decreases. Legend: Channel 1, Channel 6, Channel 11.]

• When an AP goes offline or fails, power of neighboring APs increases, as shown in
Figure 7-5.


Figure 7-5 Transmit power of APs increases

[Figure: AP1, AP2, AP3 and AP4 connect to the AC through a switch. When AP4 goes offline or is
removed, power of other APs increases to ensure radio coverage.]

Redundant Radio Adjustment


As shown in Figure 7-6, a 2.4 GHz redundant radio (hereinafter referred to as redundant
radio) has co-channel interference with neighboring radios. The area covered by the redundant
radio is also within the coverage area of neighboring radios.

Figure 7-6 Redundancy radio diagram

Redundant radios on a WLAN not only generate co-channel interference but also waste
network capacity. Therefore, the following policies are available to process redundant radios:
• Switched to 5G: If many 5 GHz channel resources are available, a redundant radio is
switched to the 5 GHz mode, increasing the maximum capacity of 5 GHz radios.
• Switched to monitor: If no more 5 GHz channel resources are available, a redundant
radio is switched to the monitor mode and used for scanning services.
• Disabled: Disabling a redundant radio decreases co-channel interference but does not
affect coverage.

Manually identifying, switching, or disabling redundant radios will greatly increase network
maintenance costs. To resolve this issue, Dynamic Frequency Assignment (DFA) is adopted to
automatically identify, switch, or disable redundant radios, reducing 2.4 GHz co-channel
interference and increasing system capacity.

Implementation
Radio calibration requires the following components for implementation:
• AP: actively or passively collects radio environment information and sends the
information to the AC. The AC then delivers the calibration results.


• AC: maintains the AP neighbor topology based on radio environment information
received from the AP, uses calibration algorithms to allocate AP channels and transmit
power, and sends calibration results to APs.
ACs support global radio calibration and partial radio calibration:
• Global radio calibration:
Global radio calibration takes effect on all APs managed by an AC. The AC controls
channels and transmit power of all APs in the region to achieve best radio performance.
Generally, this calibration mode is used on a newly deployed WLAN or a WLAN with a
few services.
Figure 7-7 shows the global radio calibration process.

Figure 7-7 Implementation of global radio calibration


[Figure: message exchange between the AC and an AP. 1: Request AP to start neighbor probing.
2: Report probe results. 3: Allocate channels and power to AP based on algorithms.
4: Deliver calibration results to AP.]

The global radio calibration process is as follows:


a. After global radio calibration is enabled, the AC sends a notification to each AP,
requesting the AP to start neighbor probing.
b. The APs periodically implement neighbor probing and report neighbor information
to the AC.
c. After the AC receives probe results from all of the APs, it uses a global radio
calibration algorithm to allocate channels and power to the APs.
Global radio calibration algorithms include the Dynamic Channel Allocation (DCA)
algorithm, DFA algorithm, and Transmit Power Control (TPC) algorithm.
d. The AC delivers calibration results to the APs. After the AC implements global
radio calibration for the first time, it does not start the next global radio calibration
until it receives neighbor information from all APs. The AC continuously
implements global radio calibration in order to obtain optimal and accurate
calibration results.
Neighbor probe
Two neighbor probe modes are available.
– Active probe: The AP actively sends Probe Request frames to notify surrounding
APs of its existence. Active probe is used to establish neighbor relationships and
obtain the maximum interference signal strength.


The active probe process is as follows:


i. An AP periodically sends Probe Request frames destined for a specified
multicast address on different channels.
ii. After receiving the frames, surrounding APs learn that the AP is a neighbor
and collect information about the AP, in which the Received Signal Strength
Indicator (RSSI) is the key factor.
– Passive probe: The AP receives neighbor information to detect neighboring APs.
The passive probe is used to collect interference information from neighboring APs
and rogue APs.
Global calibration algorithm
The global calibration algorithm achieves global optimization through partial
optimizations. Global calibration is implemented through AP channel and power
adjustment. Instead of being coupled to each other, the algorithms for channel
adjustment (DCA) and power adjustment (TPC) are independent of each other.
– DCA algorithm
Global calibration divides all APs into several calibration groups based on the
relationships between the APs and allocates channels to each group. In each radio
calibration group, simple exhaustion and iteration algorithms are used to list all
possible AP-Channel combinations and choose the optimal combination.
– DFA algorithm
The DFA algorithm is used to automatically identify and adjust redundant radios.
DFA processes a redundant radio as follows:
i. After identifying a radio as a redundant radio, the DCA algorithm switches the
radio to the 5 GHz or monitor mode based on the channel, bandwidth, and
interference of other radios on the network.
ii. After the redundant radio is switched to the 5 GHz mode, it works on the
default 5 GHz channel. In this case, the DCA algorithm is used again to adjust
the radio channel.
iii. During this process, if a coverage hole is detected on 2.4 GHz radios, the 5
GHz radio is switched back to the 2.4 GHz mode.
iv. If the AC restarts, APs go online again with the previous configurations
including the channel, power, frequency band, and radio status. If an AP goes
online after a long period of time, the AC determines redundant radios and
allocates the band to radios again.
v. When the DFA function is disabled, the redundant radio configuration is
restored. For example, the radio in 5 GHz or monitor mode will be restored to
the 2.4 GHz mode.
– TPC algorithm: The TPC algorithm aims to choose the proper transmit power
which can meet coverage requirements, without causing large interference to
neighboring APs. The TPC algorithm works in the following ways:
i. The algorithm estimates the deployment density of APs based on the number
of AP neighbors, and determines the initial transmit power, lower and upper
interference thresholds.
The level of interference specified by the lower interference threshold is low,
and within the allowed range. In this case, two neighboring APs cannot detect
interference from each other and can send packets simultaneously.


The level of interference specified by the upper interference threshold is large.
In this case, two neighboring APs can easily detect the interference and must
compete to send packets through CSMA.
ii. The algorithm re-detects RSSIs of neighbors. If the interference caused by the
neighbor is smaller than the lower interference threshold, the algorithm
determines whether to raise transmit power according to their difference. If the
interference caused by the neighbor is greater than the upper interference
threshold, the algorithm determines whether to reduce transmit power
according to their difference.
• Partial radio calibration
Partial radio calibration aims to adjust working channels and power of some APs to
optimize the radio environment if it deteriorates in only some areas. Similar to the global
radio calibration, the partial radio calibration uses DCA and TPC algorithms. Partial
radio calibration is triggered in the following scenarios:
– An AP goes online: When detecting that an AP goes online, the AC allocates a
working channel and power to the new AP. To achieve the optimal performance, the
AC may re-allocate the working channels and transmit power of neighboring APs.
For example, to prevent interference between the new AP and its neighbors, the AC
will reduce the transmit power of the AP neighbors.
– An AP goes offline: When detecting that an AP goes offline, the AC executes the
calibration algorithm to increase the transmit power of neighboring APs to
eliminate coverage holes. An AP may be restarted unexpectedly or manually
restarted for temporary maintenance. In this situation, the AC does not start the
calibration algorithm immediately. Instead, the AC starts radio calibration only after
the neighbor information is updated.
– Interference from a rogue AP is detected: If a rogue AP is identified through
neighbor probes, interference information is collected and used for radio
calibration. If the interference value exceeds the threshold (-65 dBm by default), the
interference is considered serious, and partial radio calibration is triggered. The
device adjusts working channels of neighboring APs to avoid interference from the
rogue AP.
– The radio environment deteriorates: Radio environment deteriorates due to an
increase in lost packets and error codes caused by interference or weak signals. In
this scenario, partial radio calibration may be triggered if it can improve the radio
environment.
– Interference from non-Wi-Fi devices is detected: Non-Wi-Fi devices, including
microwave ovens and cordless phones, work on the same frequency as the APs, and
may cause interference. The spectrum analysis module identifies interference from
non-Wi-Fi devices. If the interference is serious or large interference occurs
multiple times in a specified period, the module triggers partial radio calibration and
adjusts AP channels and power to avoid interference.
– Partial radio calibration is manually triggered: You can trigger partial radio
calibration based on the AP or AP group.
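
The exhaustive DCA search inside one calibration group and the rogue AP trigger described
above, as an added example that is not part of the original guide and is not Huawei's
algorithm. The cost function (summed co-channel power in mW), the AP names, the RSSI values
and the report format are constructed assumptions; only the -65 dBm default comes from the text.

```python
from itertools import product

CHANNELS_2G = (1, 6, 11)     # the three non-overlapping 2.4 GHz channels
ROGUE_THRESHOLD_DBM = -65    # default rogue AP interference threshold from the text

# Constructed sample data: RSSI in dBm between managed APs of one calibration group.
APS = ["AP1", "AP2", "AP3", "AP4"]
NEIGHBOR_RSSI = {
    ("AP1", "AP2"): -60, ("AP1", "AP3"): -62, ("AP1", "AP4"): -80,
    ("AP2", "AP3"): -82, ("AP2", "AP4"): -58, ("AP3", "AP4"): -61,
}
# Constructed passive-probe reports about one rogue AP working on channel 6.
ROGUE_REPORTS = [
    {"heard_by": "AP1", "channel": 6, "rssi_dbm": -55},
    {"heard_by": "AP2", "channel": 6, "rssi_dbm": -63},
    {"heard_by": "AP3", "channel": 6, "rssi_dbm": -70},
]


def dbm_to_mw(dbm):
    """Convert dBm to milliwatts so that power from several sources can be summed."""
    return 10 ** (dbm / 10.0)


def serious_rogue_reports(reports, threshold_dbm=ROGUE_THRESHOLD_DBM):
    """Reports whose interference value exceeds the threshold."""
    return [r for r in reports if r["rssi_dbm"] > threshold_dbm]


def assignment_cost(assignment, neighbor_rssi, rogue_reports):
    """Assumed cost: power received from co-channel neighbors and co-channel rogue APs."""
    cost = 0.0
    for (ap_a, ap_b), rssi in neighbor_rssi.items():
        if assignment[ap_a] == assignment[ap_b]:
            cost += dbm_to_mw(rssi)
    for report in rogue_reports:
        if assignment[report["heard_by"]] == report["channel"]:
            cost += dbm_to_mw(report["rssi_dbm"])
    return cost


def exhaustive_dca(aps, neighbor_rssi, rogue_reports=(), channels=CHANNELS_2G):
    """List every AP-channel combination in the group and keep the cheapest one."""
    best, best_cost = None, float("inf")
    for combo in product(channels, repeat=len(aps)):
        assignment = dict(zip(aps, combo))
        cost = assignment_cost(assignment, neighbor_rssi, rogue_reports)
        if cost < best_cost:
            best, best_cost = assignment, cost
    return best, best_cost


def partial_calibration_for_rogue(aps, neighbor_rssi, rogue_reports):
    """Re-run DCA only when at least one rogue report is serious; otherwise do nothing."""
    if not serious_rogue_reports(rogue_reports):
        return None
    return exhaustive_dca(aps, neighbor_rssi, rogue_reports)[0]


if __name__ == "__main__":
    print("no rogue  :", exhaustive_dca(APS, NEIGHBOR_RSSI))
    print("with rogue:", partial_calibration_for_rogue(APS, NEIGHBOR_RSSI, ROGUE_REPORTS))
```

The search grows as (number of channels) to the power of (number of APs), which is why the
text applies it per calibration group rather than to all APs at once.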

7.2.2 AP-based Load Balancing

Overview
Load balancing can evenly distribute AP traffic loads to ensure high bandwidth for each STA.
The load balancing function applies to wireless networks with high user densities to ensure
access of STAs. Two load balancing technologies are available: AP-based load balancing and
radio-based load balancing.

In Figure 7-8, AP_1 and AP_2 associate with an AC. Four users (STA_1 to STA_4) associate
with AP_1, and one user (STA_5) associates with AP_2. If too many users connect to the
Internet through AP_1, AP_1 will be overloaded, whereas resources on AP_2 are not used.

After load balancing is configured on an AC, the AC uses a load balancing algorithm to
determine whether a new STA (STA_6 in Figure 7-8) can associate with an AP. The load
balancing algorithm prevents new STAs from associating with heavily-loaded APs to reduce
loads on these APs.
NOTE

Load balancing can be implemented among APs only when the APs are connected to the same AC and all
these APs can be discovered by a STA.
Currently, the load balancing function is implemented in the STA access phase. In scenarios with complex
user service types and unstable traffic, the expected load balancing effect cannot be achieved. In this case,
you are not advised to enable load balancing based on the channel usage.

Figure 7-8 WLAN load balancing

[Figure: AP_1 and AP_2 connect through a switch to the AC and the Internet. STA_1 to STA_4
associate with AP_1, STA_5 associates with AP_2, and STA_6 is a new STA.]

Implementation
Depending on whether a load balancing group needs to be manually created, load balancing is
classified as either static or dynamic load balancing:
• Static load balancing: APs providing the same services are manually added to a load
balancing group. Each AP periodically reports STA association information to the AC,
and the AC distributes user traffic among APs based on received STA association
information. When a STA sends an association request, the AP uses a load balancing
algorithm to determine whether to accept the association request. Static load balancing
can be implemented when the following conditions are met:
– APs in Figure 7-8 are single-band APs that support only one frequency band. If
dual-band APs are used, traffic is load balanced among APs working on the same
frequency band.
– Each load balancing group supports a maximum of 16 APs.
• Dynamic load balancing: A STA sends broadcast Probe Request frames to scan available
APs. The APs that receive the Probe Request frames all report the received STA
information to the AC. The AC adds these APs to a load balancing group and then uses a
load balancing algorithm to determine whether to permit access from the STA. Static
load balancing supports a limited number of group members, and all members must be
manually added to the group and work on the same frequency band. Dynamic load
balancing overcomes these limitations.
Depending on the load balancing algorithm used, load balancing is classified as either traffic-
based load balancing or session-based load balancing:
The AC calculates the load percentage of each radio in a load balancing group using the
formula:
Load percentage of a radio = (Number of associated STAs on the radio/Maximum number of
STAs allowed on the radio) x 100%
The AC compares the load percentages of all of the radios in the load balancing group and
obtains the smallest load percentage value. When a STA requests to associate with an AP
radio, the AC calculates the difference between the radio's load percentage and the smallest
load percentage value and compares the load difference with a specified threshold.
If the load difference is smaller than the threshold, the AC allows the STA to associate with
the radio. If not, the AC rejects the association request of the STA. If the STA continues
sending association requests to this AP, the AC allows the STA to associate with the AP when
the number of consecutive association attempts of the STA exceeds the maximum number of
rejection times configured on the AC.
NOTE

In the formula, the value of Maximum number of STAs allowed on the radio depends on AP types,
which can be obtained using the display ap-type { id type-id | type ap-type } command. Maximum
number of STAs allowed on the radio refers to the value of the field Maximum station number in the
command output.

The following example explains the implementation of static load balancing.


As shown in Figure 7-8, four STAs (STA_1 to STA_4) are online on AP_1, and only STA_5
is online on AP_2. Assume that AP_1 and AP_2 each allow a maximum of 10 users, the start
threshold for load balancing is set to 5, and the load difference threshold is set to 5%. Now,
STA_6 requests to associate with AP_1.
STA_6 is the sixth STA requesting to associate, and the number exceeds the start threshold;
therefore, the AC uses a load balancing algorithm to determine whether to allow STA_6 to
associate.
According to the load percentage calculation formula, the load percentage of AP_1's radio is
40% (4/10 x 100% = 40%), and the load percentage of AP_2's radio is 10% (1/10 x 100% =
10%). Therefore, the smallest load percentage value is 10%. When STA_6 associates with
AP_1, the load percentage of AP_1 will reach 50% (5/10 x 100% = 50%). The difference
between this load percentage and the smallest value is 40% (50% - 10% = 40%), larger than
the load difference threshold (5%). Therefore, the AC determines that traffic is not evenly
distributed between the two APs and prevents STA_6 from associating with AP_1.
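
The admission decision from the worked example above, as an added example that is not part of
the original guide and is not the AC's own code. It assumes that loads are evaluated as they
would be after the requested association (which is how the worked example reaches 50%), that
the start threshold is compared with the number of STAs in the group including the requester,
and a maximum of 3 rejections; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Radio:
    associated: int   # STAs currently associated with the radio
    max_stas: int     # "Maximum station number" for the AP type

    def load_pct(self, extra=0):
        """Load percentage = associated STAs / maximum STAs x 100%."""
        return 100.0 * (self.associated + extra) / self.max_stas


@dataclass
class LoadBalanceGroup:
    radios: dict              # radio name -> Radio
    start_threshold: int      # balancing starts once this STA count is exceeded
    gap_threshold_pct: float  # load difference threshold
    max_rejections: int       # maximum number of rejection times (assumed value)
    rejected: dict = field(default_factory=dict)  # (sta, radio) -> consecutive rejections

    def load_gap(self, radio_name):
        """Load of the requested radio after association minus the smallest group load."""
        loads = {name: radio.load_pct(extra=1 if name == radio_name else 0)
                 for name, radio in self.radios.items()}
        return loads[radio_name] - min(loads.values())

    def request(self, sta, radio_name):
        """Return (accepted, load gap in percent or None when balancing did not run)."""
        radio = self.radios[radio_name]
        if radio.associated >= radio.max_stas:
            return False, None   # capacity guard added here; not described in the text
        total_after = sum(r.associated for r in self.radios.values()) + 1
        if total_after <= self.start_threshold:
            return self._accept(sta, radio_name), None
        gap = self.load_gap(radio_name)
        if gap < self.gap_threshold_pct:
            return self._accept(sta, radio_name), gap
        attempts = self.rejected.get((sta, radio_name), 0) + 1
        if attempts > self.max_rejections:
            # The STA kept trying this radio: stop rejecting so that it is not locked out.
            return self._accept(sta, radio_name), gap
        self.rejected[(sta, radio_name)] = attempts
        return False, gap

    def _accept(self, sta, radio_name):
        self.radios[radio_name].associated += 1
        for key in [k for k in self.rejected if k[0] == sta]:
            del self.rejected[key]
        return True


def figure_7_8_group(max_rejections=3):
    """The state in Figure 7-8: 4 STAs on AP_1, 1 STA on AP_2, 10 STAs allowed on each."""
    return LoadBalanceGroup(
        radios={"AP_1": Radio(4, 10), "AP_2": Radio(1, 10)},
        start_threshold=5, gap_threshold_pct=5.0, max_rejections=max_rejections)


if __name__ == "__main__":
    group = figure_7_8_group()
    print("STA_6 -> AP_1:", group.request("STA_6", "AP_1"))   # rejected, gap 40%
    print("STA_6 -> AP_2:", group.request("STA_6", "AP_2"))   # accepted, gap 0%
```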

7.2.3 Band Steering

Overview
Most STAs support both 5 GHz and 2.4 GHz frequency bands but usually associate with the
2.4 GHz radio by default when connecting to the network. As a result, the 2.4 GHz frequency
band with fewer channels is congested, heavily-loaded, and has severe interference. The 5
GHz frequency band with more channels and less interference is not well used. When the 2.4
GHz frequency band has many users or severe interference, the 5 GHz frequency band can
provide better access service for wireless users. Users must manually select the 5 GHz radio
to connect to it.
The band steering function enables an AP to steer STAs to the 5 GHz radio first, which
reduces traffic load and interference on the 2.4 GHz radio and improves user experience.

NOTE

To implement band steering, an AP must have the same SSID and security policy on the 5 GHz and 2.4 GHz
radios.

Implementation
Figure 7-9 shows the implementation of band steering, involving two phases:

Figure 7-9 Band steering


[Figure: STA_1, an AP with a 5 GHz radio and a 2.4 GHz radio, a switch, the AC, and the
Internet]

1. 5G-prior access
Before the number of access STAs on an AP exceeds the start threshold for load
balancing between radios, the AP preferentially connects a new STA to the 5 GHz radio.
As shown in the figure, when the AP receives a Probe Request frame from the STA
(STA_1), it checks the radio that receives the frame. If the Probe Request frame is
received by the 5 GHz radio, the AP returns a Probe Response frame. The STA then
associates with the 5 GHz radio, and the AC records the supported frequency band of the
STA as the 5 GHz frequency band.
If the 2.4 GHz radio continuously receives Probe Request frames but the 5 GHz radio
does not receive any, the AP returns a Probe Response frame through the 2.4 GHz radio.
The STA then associates with the 2.4 GHz radio, and the AC records the supported
frequency band of the STA as the 2.4 GHz frequency band.


When STA_1 associates with the AP again, the AP first checks the frequency band
supported by the STA. If STA_1 supports only the 2.4 GHz frequency band, the AP
immediately permits the STA to access the 2.4 GHz radio.
2. Load balancing between radios
After the number of access STAs on an AP exceeds the start threshold for load balancing
between radios, the AP determines the radio to which the STA connects based on the
difference between the number of access STAs on the 2.4 GHz radio and that on the 5
GHz radio.

For example, if a STA requests to associate with the AP on the 2.4 GHz radio but the number
of access STAs on the AP has exceeded the start threshold for load balancing between radios,
the AP implements load balancing between the 2.4 GHz and 5 GHz radios according to the
value computed based on the formula: (Number of access STAs on the 5 GHz radio –
Number of access STAs on the 2.4 GHz radio)/Number of access STAs on the 5 GHz radio x
100%. If the value is greater than the load difference threshold, the AP preferentially
associates with the STA on the 2.4 GHz radio; otherwise, the AP preferentially associates
with the STA on the 5 GHz radio.
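
The two band steering phases above, as an added example that is not part of the original guide
and is not the AP's own code. The class name, the number of ignored probes that counts as
"continuously receives" (3 here), and the choice of 5 GHz when no STA is on the 5 GHz radio
(where the formula would divide by zero) are assumptions.

```python
class BandSteeringAP:
    def __init__(self, start_threshold, gap_threshold_pct, probes_before_fallback=3):
        self.start_threshold = start_threshold        # start threshold for load balancing
        self.gap_threshold_pct = gap_threshold_pct    # load difference threshold
        self.probes_before_fallback = probes_before_fallback   # assumed value
        self.count = {"5G": 0, "2.4G": 0}   # access STAs per radio
        self.recorded_band = {}             # sta -> band recorded as supported
        self.ignored = {}                   # sta -> probes ignored on the non-target band

    def target_band(self):
        """Band the AP currently steers new STAs to."""
        n5, n24 = self.count["5G"], self.count["2.4G"]
        if n5 + n24 <= self.start_threshold:
            return "5G"                     # phase 1: 5G-prior access
        if n5 == 0:
            return "5G"                     # formula undefined; 5 GHz radio is empty
        gap_pct = (n5 - n24) / n5 * 100.0   # phase 2: formula from the text
        return "2.4G" if gap_pct > self.gap_threshold_pct else "5G"

    def on_probe(self, sta, band):
        """Return True if the AP answers this Probe Request with a Probe Response."""
        if band == "2.4G" and self.recorded_band.get(sta) == "2.4G":
            return True                     # known 2.4 GHz STA is permitted immediately
        if band == self.target_band():
            self.ignored.pop(sta, None)
            return True
        # Probe arrived on the non-target band: stay silent until the STA has shown
        # that it keeps probing only there, then answer so that it can still connect.
        self.ignored[sta] = self.ignored.get(sta, 0) + 1
        return self.ignored[sta] >= self.probes_before_fallback

    def associate(self, sta, band):
        self.count[band] += 1
        self.recorded_band[sta] = band
        self.ignored.pop(sta, None)


if __name__ == "__main__":
    ap = BandSteeringAP(start_threshold=10, gap_threshold_pct=20)
    print([ap.on_probe("STA_2", "2.4G") for _ in range(3)])   # [False, False, True]
    ap.count = {"5G": 8, "2.4G": 4}
    print(ap.target_band())                                    # 2.4G (gap is 50%)
```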

7.2.4 Smart Roaming

Overview
Some terminals on networks have low roaming aggressiveness. As a result, they stick to the
initially connected APs regardless of whether they move far from the APs, and have weak
signals or low rates. The terminals fail to roam to neighboring APs with better signals. They
are called sticky terminals.

Sticky terminals may bring the following problems:


• Poor service experience: The terminals stick to weak-signal APs, causing a sharp
decrease in the wireless channel rate.
• Channel performance degradation: The terminals have poor signals or low rates, and
frequent packet loss and retransmissions occur. As a result, the terminals occupy the
wireless channels for a long time, which prevents terminals with good signals from using
the wireless channel for enough time.

Smart roaming addresses the problems. After smart roaming is configured, the system
actively steers the terminals to neighboring APs with better signals.

Benefits of smart roaming:


• Improved performance
– Common coverage scenarios: The smart roaming function allows terminals with
poor signals to roam to better APs. The service experience of the terminals and
overall wireless channel performance are therefore improved.
– High-density coverage scenarios: Terminals usually have good signals in the
scenarios but may not connect to the optimal APs. The smart roaming function
allows the terminals to associate with the optimal APs, which greatly improves the
wireless channel performance.
• Traffic load balancing
With smart roaming, each terminal associates with the nearest AP, enabling APs to load
balance traffic.


Implementation
Figure 7-10 shows the implementation of smart roaming.

Figure 7-10 Smart roaming


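[Figure: AP_1, AP_2 and AP_3 connect to the AC and cover Area1, Area2 and Area3. STA_1 is
shown below the APs. The numbers 1 to 5 mark the steps described below.]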

1. An AP collects terminal information, discovers neighboring APs, and periodically
reports the terminal and neighbor information to the AC.
Neighboring APs can be discovered in the following modes:
– The AP listens on Probe frames of terminals.
– The AP periodically switches working channels to scan terminals.
– If the Beacon report mechanism of the 802.11k protocol is used, terminals report
the detected neighboring APs.
The AC maintains a terminal neighbor table based on the information reported by APs.
The terminal neighbor table records the neighboring APs of each terminal and the
corresponding SNR.
2. When STA_1 associates with AP_1, AP_1 collects the SNR and rate of STA_1 in real
time and determines whether STA_1 is a sticky terminal. If STA_1 is a sticky terminal,
AP_1 reports the terminal to the AC.
AP_1 considers STA_1 a sticky terminal if the AP detects that the signal strength of
STA_1 remains lower than the threshold in a certain period.


In Figure 7-10, STA_1 moves from Area1 to Area2. AP_1 detects that the signal
strength of STA_1 is lower than the threshold in a specified period of time and considers
STA_1 a sticky STA.
3. After receiving the reported information, the AC selects the optimal neighboring AP of
STA_1 (AP_2) as the target AP to which STA_1 is to roam and delivers the target AP
information to AP_1.
The AC determines the target AP to which a sticky terminal is to roam as follows:
a. The AC checks the terminal neighbor table and selects neighboring APs whose
SNR exceeds that of the AP currently associated with the terminal based on the
specified threshold. The selected neighboring APs are candidate APs to which the
terminal is to roam.
b. Among all candidate APs, the AC selects the optimal AP based on the STA's SNR,
rate and load balancing information, and then triggers terminal roaming.
To prevent frequent terminal roaming due to terminal movements or signal fluctuations,
terminal roaming is triggered only when the terminal is detected as a sticky terminal
three consecutive times.
4. AP_1 forces STA_1 to roam to AP_2 based on the BSS transition mechanism defined in
the 802.11v protocol or the forced logout mode.
After roaming to AP_2, STA_1 is blacklisted on AP_1 to prevent it from connecting to
AP_1 again.
5. STA_1 roams to AP_2.

Due to individual differences, some terminals do not roam to APs with better signals but stick
to the initially associated APs even if they are disconnected forcibly. These terminals may not
initiate association requests if forced offline. The AC will record these terminals unable to
roam. When an "unable to roam" terminal is classified as a sticky terminal, the AP does not
trigger roaming of the terminal in a specified period to prevent service interruption.
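
The AC-side decision in steps 2 to 4 and the "unable to roam" handling, as an added example
that is not part of the original guide and is not the AC's own code. The class and method
names, the 10 dB SNR gap, the 300 s hold period, and the ranking of candidates by SNR and then
by lower load (rate is left out) are assumptions; the three consecutive sticky detections come
from the text.

```python
def ap_detects_sticky(snr_samples_db, threshold_db):
    """AP side: sticky if the signal stays below the threshold for the whole period."""
    return bool(snr_samples_db) and all(s < threshold_db for s in snr_samples_db)


class SmartRoamingAC:
    def __init__(self, snr_gap_db=10, reports_needed=3, unable_hold_s=300):
        self.snr_gap_db = snr_gap_db           # required SNR advantage of a candidate AP
        self.reports_needed = reports_needed   # "three consecutive times" in the text
        self.unable_hold_s = unable_hold_s     # assumed length of the "specified period"
        self.neighbor_table = {}   # sta -> {ap: snr_db}, the terminal neighbor table
        self.sticky_reports = {}   # sta -> consecutive sticky reports
        self.unable_until = {}     # sta -> time before which roaming is not triggered
        self.blacklist = set()     # (ap, sta) pairs

    def update_neighbor(self, sta, ap, snr_db):
        self.neighbor_table.setdefault(sta, {})[ap] = snr_db

    def candidates(self, sta, current_ap):
        """Neighboring APs whose SNR exceeds the current AP's SNR by the threshold."""
        table = self.neighbor_table.get(sta, {})
        if current_ap not in table:
            return []
        current = table[current_ap]
        return [ap for ap, snr in table.items()
                if ap != current_ap and snr - current >= self.snr_gap_db]

    def on_report(self, sta, current_ap, sticky, ap_load, now):
        """Process one periodic AP report; return the target AP or None."""
        if not sticky:
            self.sticky_reports[sta] = 0       # signal recovered: start counting again
            return None
        self.sticky_reports[sta] = self.sticky_reports.get(sta, 0) + 1
        if self.sticky_reports[sta] < self.reports_needed:
            return None                        # could be movement or signal fluctuation
        if now < self.unable_until.get(sta, 0):
            return None                        # recorded as unable to roam: do not force
        cands = self.candidates(sta, current_ap)
        if not cands:
            return None
        table = self.neighbor_table[sta]
        target = max(cands, key=lambda ap: (table[ap], -ap_load.get(ap, 0.0)))
        self.sticky_reports[sta] = 0
        return target

    def roam_completed(self, sta, old_ap):
        """After roaming, the STA is blacklisted on the AP it left."""
        self.blacklist.add((old_ap, sta))

    def roam_failed(self, sta, now):
        """The STA did not re-associate after being forced offline."""
        self.unable_until[sta] = now + self.unable_hold_s


if __name__ == "__main__":
    ac = SmartRoamingAC()
    for ap, snr in (("AP_1", 12), ("AP_2", 30), ("AP_3", 24)):   # constructed SNR values
        ac.update_neighbor("STA_1", ap, snr)
    load = {"AP_2": 0.6, "AP_3": 0.2}
    print([ac.on_report("STA_1", "AP_1", True, load, now=t) for t in (0, 10, 20)])
```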

7.2.5 User CAC


On WLANs where many users exist, such as in high density scenarios, users compete fiercely
to occupy channels as the number of online users increases. As a result, network quality
deteriorates. To ensure online users' network access, configure the user Calling Access
Control (CAC) function. User CAC allows an AP to control user access based on the
thresholds specified according to the radio channel usage, number of online users, or terminal
SNR, which enables high-quality network access services.

CAC uses two types of thresholds to control access of new users and roaming users
respectively. When a new user connects to the AP, the AP checks whether the current channel
usage or the number of online users reaches the threshold set for new users. If so, the AP
denies the new user access and hides its SSID to prevent new users from accessing WLAN
services provided by the radio. To ensure that online users of another AP can roam to the
current AP, some resources are reserved for roaming users.

However, too many users roaming to the AP deteriorates the experience of the AP's online
users. Therefore, a CAC threshold for roaming users is required. When a user roams to an AP,
the AP accepts them provided the number of users on the AP does not reach the CAC threshold
for roaming users.

CAC is implemented in the following modes:


• Based on channel usage:
This implementation mode uses a complex algorithm but is accurately implemented to
ensure service quality. It is recommended when service types and traffic volumes differ
greatly among users.
– When receiving a new access request, the AP calculates the channel usage on the
current radio and checks whether the channel usage reaches the threshold set for
new users. If so, the user is denied access. If not, the AP allows the user to go
online.
– If channel usage reaches the threshold after the new user goes online, the AP rejects
access requests from new users and hides its SSID. When a user roams to the AP, the
AP checks whether the current channel usage reaches the threshold set for roaming
users. If so, the AP denies the user access and sends an alarm.
– The AP periodically detects radio channel usage. Once channel usage falls below
the threshold set for new users, the AP sends a clear alarm and unhides the SSID,
allowing new users to go online.
• Based on the number of users:
This implementation mode is less accurate but uses a simple algorithm. It is
recommended when most users have the same type of services and similar service traffic
volumes.
– When receiving a new access request, the AP calculates the number of online users
on the current radio and checks whether the number reaches the threshold set for
new users. If so, the user is denied access. If not, the AP allows the user to go
online.
– If the number of online users reaches the threshold after the user goes online, the
AP rejects access requests from new users, sends an alarm, and hides its SSID. When
a user roams to the AP, the AP checks whether the channel usage reaches the
threshold set for roaming users. If so, the AP denies the user access and sends an
alarm.
– When the number of online users falls below the threshold set for new users, the AP
sends a clear alarm and unhides the SSID, allowing new users to go online.
• Based on the terminal SNR
SNR-based UAC controls access from weak-signal users, and is applicable to scenarios
where the WLAN has good signal coverage and weak signals only at the edge of WLAN
coverage areas.
When receiving a new access request, the AP checks whether the terminal SNR reaches
the threshold specified for new users. If so, the user is denied access. If not, the AP
allows the user to go online.
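
The two-threshold behaviour of CAC in the mode based on the number of users, as an added
example that is not part of the original guide and is not the AP's own code. It follows the
earlier statement that a roaming user is accepted while the number of users has not reached the
roaming threshold; the class name, the event strings and the threshold values are constructed.

```python
class UserCountCAC:
    """CAC state of one radio in the mode based on the number of online users."""

    def __init__(self, new_user_threshold, roam_threshold):
        if roam_threshold < new_user_threshold:
            raise ValueError("the roaming threshold must leave room reserved for roaming users")
        self.new_user_threshold = new_user_threshold
        self.roam_threshold = roam_threshold
        self.online = set()
        self.ssid_hidden = False
        self.events = []          # alarms and clear alarms, in order

    def request(self, sta, roaming=False):
        """Admit or deny one access request; roaming users get the higher threshold."""
        limit = self.roam_threshold if roaming else self.new_user_threshold
        if len(self.online) >= limit:
            if roaming:
                self.events.append("alarm: roaming user denied")
            return False
        self.online.add(sta)
        self._refresh()
        return True

    def leave(self, sta):
        self.online.discard(sta)
        self._refresh()

    def _refresh(self):
        """Hide the SSID when the new-user threshold is reached, unhide when below it."""
        reached = len(self.online) >= self.new_user_threshold
        if reached and not self.ssid_hidden:
            self.ssid_hidden = True
            self.events.append("alarm: new-user threshold reached, SSID hidden")
        elif not reached and self.ssid_hidden:
            self.ssid_hidden = False
            self.events.append("clear alarm: SSID unhidden")


def run_sample():
    """Constructed sequence: 3 new users, 1 denied new user, 3 roaming users, 3 departures."""
    cac = UserCountCAC(new_user_threshold=3, roam_threshold=5)
    results = [cac.request(f"STA_{i}") for i in (1, 2, 3)]
    results.append(cac.request("STA_9"))                      # new user, SSID already hidden
    results += [cac.request(f"STA_{i}", roaming=True) for i in (4, 5, 6)]
    for sta in ("STA_4", "STA_5", "STA_1"):
        cac.leave(sta)
    return results, cac


if __name__ == "__main__":
    results, cac = run_sample()
    print(results)
    print(cac.events)
```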

7.3 Summary of Radio Resource Management


Configuration Tasks
Table 7-1 describes the radio resource management configuration tasks.


Table 7-1 Radio resource management configuration tasks


Scenario Description Task

Configure interference Wireless channels of 7.6 Configuring Interference


detection WLANs are vulnerable to Detection
interference in surrounding
radio environments, and
the service quality is
therefore degraded. If
interference detection is
configured, a monitor AP
can know the radio
environment in real time
and report alarms to an AC
in a timely manner.
Interference detection
enables an AP to detect AP
co-channel interference,
AP adjacent-channel
interference, and STA
interference.
l AP co-channel
interference: Two APs
working on the same
frequency band
interfere with each
other. For example, on
a large-scale WLAN (a
university campus
network), different APs
often use the same
channel. When there
are overlapping areas
among these APs, co-
channel interference
exists, degrading
network performance.
l AP adjacent-channel
interference: Two APs
with different center
frequencies have
overlapping areas,
resulting in adjacent-
channel interference.
Therefore, if APs are
placed too close to each
other or they have
strong signals, more
noise will be produced,
degrading network
performance.

Issue 04 (2018-08-17) Copyright © Huawei Technologies Co., Ltd. 307


S5700 and S6720 Series Ethernet Switches
Configuration Guide - WLAN-AC 7 Radio Resource Management

Scenario Description Task

l STA interference: If
there are many STAs
that are managed by
other APs around an
AP, services of the
STAs managed by the
local AP may be
affected.

Issue 04 (2018-08-17) Copyright © Huawei Technologies Co., Ltd. 308


S5700 and S6720 Series Ethernet Switches
Configuration Guide - WLAN-AC 7 Radio Resource Management

Scenario Description Task

Configure radio calibration On a WLAN, operating 7.7 Configuring Radio


status of APs is affected by Calibration
the radio environment. For
example, a large-power AP
can interfere with adjacent
APs if they work on
overlapping channels. The
radio calibration function
can dynamically adjust
channels and power of APs
managed by the same AC
to ensure that the APs
work at the optimal
performance.
Depending on the scope of
radio calibration, two radio
calibration modes are
available:
l Global radio
calibration: The AC
dynamically allocates
channels and power to
all the APs in an AP
region. Generally, this
calibration mode is
used on a newly
deployed WLAN or a
WLAN where the radio
environment
deteriorates in most
areas.
l Partial radio
calibration: The AC
dynamically allocates
channels and power to
specified APs.
Generally, this
calibration mode is
used when new APs are
added to the network or
the radio environment
deteriorates in some
areas.

Issue 04 (2018-08-17) Copyright © Huawei Technologies Co., Ltd. 309


S5700 and S6720 Series Ethernet Switches
Configuration Guide - WLAN-AC 7 Radio Resource Management

Scenario Description Task

Scenario: Configure load balancing
Description: Load balancing can evenly distribute AP traffic loads to ensure high bandwidth
for each STA. The load balancing function applies to wireless networks with high user
densities to ensure proper access of STAs.
Task: 7.8 Configuring Load Balancing

Scenario: Configure band steering
Description: When an AP and STA support both 5 GHz and 2.4 GHz frequency bands, the AP can
steer the STA to the 5 GHz radio first.
Most STAs support both 5 GHz and 2.4 GHz frequency bands and usually associate with the
2.4 GHz radio by default when connecting to the Internet. To connect the STAs to the 5 GHz
radio, you need to manually select the 5 GHz radio. When the 2.4 GHz frequency band has
many users or severe interference, the 5 GHz frequency band can provide better access
service for wireless users. The band steering function enables APs to steer STAs to the
5 GHz radio first.
Task: 7.9 Configuring Band Steering


Scenario: Configure High Density Boost
Description: Dense AP deployment is an important measure to improve user experience in
scenarios with high-density users and a high volume of traffic, such as sports stadiums,
libraries, lecture halls, conference sites, and dormitories.
A WLAN has only three non-overlapping channels on the 2.4 GHz frequency band. When APs are
deployed densely, multiple APs have to work on the same channel, resulting in co-channel
interference. This interference degrades network performance. The High Density Boost
function enables an AP to adjust the antenna, power and signal receive threshold using
specific algorithms. This function reduces co-channel interference between APs and improves
users' Internet experience.
This function applies to high-density WLANs where APs are deployed densely, such as sports
stadiums, libraries, lecture halls, dormitories, and conference sites.
Task: 7.13 Configuring Dynamic EDCA Parameter Adjustment; 7.12 Configuring User CAC;
7.15 Configuring Automatic Per Packet Power Adjustment

7.4 Licensing Requirements and Limitations for Radio Resource Management
Involved Network Elements
AP
● APs mentioned in this document are Huawei AP products. You are advised to use
Huawei APs to connect to the AC.


● You can run the display ap-type all command to check the default AP types supported
by the device.
● When central APs and RUs are used, ensure that their versions are the same. For
example, if the central AP version is V200R007C10, the RU version must be
V200R007C10.

Table 7-2 Mapping between switch versions and AP versions

Product Software Version   AP Software Version
V200R012C00                V200R009C00, V200R008C10, V200R008C00, V200R007C20,
                           V200R007C10, V200R006C20, V200R006C10
V200R011C10                V200R008C10, V200R008C00, V200R007C20, V200R007C10,
                           V200R006C20, V200R006C10
V200R011C00                V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00                V200R007C10, V200R006C20, V200R006C10
V200R009C00                V200R006C20, V200R006C10
V200R008C00                V200R005C30, V200R005C20, V200R005C10
V200R007                   V200R005C20, V200R005C10
V200R006                   V200R005C00


Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
● AP resource license-16AP for WLAN access controller
● AP resource license-64AP for WLAN access controller
● AP resource license-128AP for WLAN access controller
● AP resource license-512AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.

Version Requirements

Table 7-3 Products and minimum version supporting the WLAN service

Series                  Product Model      Minimum Version Required
S1700 series switches   -                  Not supported
S2700 series switches   -                  Not supported
S3700 series switches   -                  Not supported
S5700 series switches   S5720HI, S5730HI   S5720HI: V200R006; S5730HI: V200R012
S6700 series switches   S6720HI            V200R012

Feature Limitations
Configuring Radio Calibration
● Radio calibration does not take effect on radios enabled with WDS or Mesh functions.
● When configuring 40 MHz or 80 MHz calibration bandwidth, check whether channels of
the corresponding bandwidth exist under the country code.
● To ensure a good calibration effect, you are advised to configure at least three calibration
channels.
● When configuring a radio calibration set, avoid using radar channels.
● In high-density scenarios, directional antennas are mostly used. It is recommended that
the radio calibration function be disabled. If this function is enabled, the radio calibration
effect is affected.
Configuring Load Balancing
The load balancing function applies to scenarios where there is a high degree of overlap
between APs' coverage ranges. If APs engaged in load balancing are far from each other, a
STA may connect to a distant AP, which affects wireless experience of users.


When the load difference between APs reaches the load difference threshold, some STAs may
access the network slowly because the APs will reject access requests of STAs according to
the load balancing algorithm. If a STA continues sending association requests to an AP, the
AP allows the STA to associate when the number of consecutive association attempts of the
STA exceeds the maximum number of rejection times.

In static load balancing mode, APs providing the same services are manually added to a load
balancing group. When a STA needs to access a WLAN, it sends an Association Request
packet to an AC through an AP. The AC determines whether to permit access from the STA
according to a load balancing algorithm. The implementation of static load balancing must
meet the following conditions.
● If dual-band APs are used, traffic is load balanced among APs working on the same
frequency band.
● Each load balancing group supports a maximum of 16 AP radios.

When the number of STAs is higher than 3000, the dynamic load balancing function is not
recommended. If this function is enabled, AC performance is affected.

Configuring Smart Roaming

The smart roaming function applies to high-density scenarios, for example, lecture halls. This
function is not recommended in scenarios where STAs move frequently. If the smart roaming
function is enabled in such a scenario, it is recommended that the default roaming threshold
value be used.

If a high roaming threshold is configured, STAs may go offline frequently. If a small roaming
threshold is configured, STAs cannot roam to APs with better signals in a timely manner.

Configuring Band Steering

● To allow an STA to preferentially associate with the 5 GHz radio and achieve a better
access effect, configure larger power for the 5 GHz radio than the 2.4 GHz radio.
● Single-radio devices do not support the band steering function.
● The AP2010DN does not support the band steering function.

Configuring Dynamic EDCA Parameter Adjustment

The AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, and AP6310SN-GN do not support this function.

Configuring Automatic Per Packet Power Adjustment

The AP7030DE and AP9330DN do not support this function.

Configuring the Smart Antenna Function

● Models supporting smart antennas: AP7030DE, AP7050DE, and AP7052DE.
● The smart antenna function cannot take effect if beamforming or MU-MIMO has been
configured.

Configuring APs to Disconnect Weak-Signal STAs

This function is recommended in high-density stadium and higher education scenarios, but
not recommended in wireless city scenarios.


7.5 Default Settings for Radio Resource Management


Table 7-4 Default settings for radio resource management

Parameter                               Default Setting
Automatic channel selection             Enabled
Automatic transmit power selection      Enabled
Radio calibration                       Enabled
Band steering                           Enabled
Interference detection                  Disabled
Smart roaming                           Disabled
Dynamic EDCA parameter adjustment       Disabled
Automatic per packet power adjustment   Disabled

7.6 Configuring Interference Detection


Background
After the interference detection function is configured, an AP sends an alarm to an AC when
one of the following interference values exceeds the alarm threshold:
● Co-channel interference: WLAN_1.3.6.1.4.1.2011.6.139.16.1.1.1.5 hwAPCoInterfDetectedTrap
● Adjacent-channel interference: WLAN_1.3.6.1.4.1.2011.6.139.16.1.1.1.7 hwNerborInterfDetectedTrap
● STA interference: WLAN_1.3.6.1.4.1.2011.6.139.16.1.1.1.9 hwStaInterfDetectedTrap

Pre-configuration Tasks
Before configuring interference detection, perform the task of Configuring Basic WLAN
Services.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name


The 2G or 5G radio profile view is displayed.


Step 4 Run interference detect-enable
The interference detection function is enabled.
By default, the interference detection function is disabled.
Step 5 (Optional) Configure interference detection thresholds.
● Run the interference co-channel threshold threshold-value command to configure the
  alarm threshold for co-channel interference.
  By default, the alarm threshold for co-channel interference is 50%.
● Run the interference adjacent-channel threshold threshold-value command to
  configure the alarm threshold for adjacent-channel interference.
  By default, the alarm threshold for adjacent-channel interference is 50%.
● Run the interference station threshold threshold-value command to configure the alarm
  threshold for STA interference.
  By default, the alarm threshold for STA interference is 32.
Step 6 Run quit
Return to the WLAN view.
Step 7 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.

----End

Verifying the Configuration


● Run the display radio-2g-profile name profile-name command to check the interference
detection configuration in a 2G radio profile.
● Run the display radio-5g-profile name profile-name command to check the interference
detection configuration in a 5G radio profile.

7.7 Configuring Radio Calibration


Context
The radio calibration function can dynamically adjust channels and transmit power of APs
managed by the same AC to ensure that the APs work at the optimal performance.
There are three radio calibration modes:
● Auto mode: The device periodically implements global radio calibration at regular
  intervals (the interval is specified by interval and the default interval is 1440 minutes,
  and the start time for radio calibration is 03:00:00).
  NOTE
  In auto mode, the device continuously detects neighbors and updates neighbor information. When
  a radio calibration interval is reached, global radio calibration is triggered. The auto mode applies
  to coverage hole compensation, coverage hole compensation reversal, and partial radio calibration.
● Manual mode: The device does not proactively perform radio calibration. You need to
  run the calibrate manual startup command to trigger global calibration.


● Schedule mode: The device triggers global radio calibration at a time specified by the
  parameter time.
The three modes cannot be configured simultaneously. You can choose any of the modes as
required. Schedule mode is recommended; specify it using the calibrate enable
schedule time time-value command. You can configure the device to perform radio
calibration in off-peak hours, for example, between 00:00 and 06:00.

Pre-configuration Tasks
Before configuring radio calibration, perform the task of 5 WLAN Service Configuration.

Configuration Notes
● Global radio calibration is implemented on all APs.
● Radio calibration does not take effect on radios enabled with WDS or Mesh functions.
● Radio calibration is not applicable to scenarios where APs cannot detect each other, for
example, APs use directional antennas, are far from each other, or have obstacles
between them.
● Radio calibration is not applicable to high-density, WDS/Mesh backhaul, rail
transportation, or external directional-antenna scenarios.
● Radios in monitoring mode do not participate in calibration.
● Some functions are dependent on channel scanning, for example, radio calibration, smart
roaming, and WIDS. After such a function is configured, a channel switchover during
the scanning increases the users' service data delay, which may affect wireless service
experience.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Configure automatic channel selection and automatic transmit power selection for APs.
Configuration based on the AP group
1. Run the ap-group name group-name command to enter the AP group view.
2. Run the radio radio-id command to enter the radio view.
3. Run the undo calibrate auto-channel-select disable command to enable automatic
channel selection.

By default, automatic channel selection is enabled.


4. Run the undo calibrate auto-txpower-select disable command to enable automatic
transmit power selection.

By default, automatic transmit power selection is enabled.


5. Run the quit command to return to the AP group view.
Configuration based on the AP


1. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
view.
2. Run the radio radio-id command to enter the radio view.
3. Run the undo calibrate auto-channel-select disable command to enable automatic
channel selection.
By default, automatic channel selection is enabled.
4. Run the undo calibrate auto-txpower-select disable command to enable automatic
transmit power selection.
By default, automatic transmit power selection is enabled.
5. Run the quit command to return to the AP view.
Step 4 Run the quit command to return to the WLAN view.
Step 5 Configure DFS smart selection, the noise floor threshold, and TPC for APs.
1. Run the rrm-profile name profile-name command to enter the RRM profile view.
2. (Optional) Run the dfs smart-selection disable command to disable the DFS smart
selection function.
By default, the DFS smart selection function is enabled.
3. (Optional) Run the dfs recover-delay delay-time command to set the delay in switching
back the DFS channel.
By default, the delay in switching back the DFS channel is 0 minutes. That is, the
channel is switched back to the manually planned channel when the legitimate aging
time (30 minutes) expires.
4. (Optional) Run the calibrate noise-floor-threshold threshold command to specify the
noise floor threshold for triggering radio calibration.
The default noise floor threshold for triggering radio calibration is -75 dBm.
5. (Optional) Run the calibrate tpc threshold threshold command to configure the TPC
coverage threshold.
The default TPC coverage threshold is –60 dBm.
6. (Optional) Run the calibrate max-tx-power power command to set the maximum
transmit power that can be adjusted through radio calibration.
By default, the maximum transmit power that can be adjusted through radio calibration is
127 dBm.
7. (Optional) Run the calibrate min-tx-power power command to set the minimum
transmit power that can be adjusted through radio calibration.
By default, the minimum transmit power that can be adjusted through radio calibration is
9 dBm.
8. (Optional) Run the calibrate error-rate-threshold error-rate-threshold command to set
the BER threshold.
By default, the BER threshold is 60%.
9. (Optional) Run the calibrate error-rate-check interval interval traffic-threshold
traffic-threshold command to set the interval and traffic threshold for checking the BER.
The default interval and traffic threshold for checking the BER are 1 minute and 1250
kbit/s, respectively.


10. Run the quit command to return to the WLAN view.


11. Run the radio-2g-profile name profile-name or radio-5g-profile name profile-name
command to enter the 2G or 5G radio profile view.
12. Run the rrm-profile profile-name command to bind the RRM profile to the 2G or 5G
radio profile.
13. Run the quit command to return to the WLAN view.

Step 6 Run calibrate enable { auto [ interval interval-value [ start-time start-time ] ] | manual |
schedule time time-value }

The radio calibration mode is configured.

By default, the radio calibration mode is auto, the radio calibration interval is 1440 minutes,
and the start time for radio calibration is 03:00:00.

Step 7 (Optional) Run calibrate policy { rogue-ap | load | non-wifi | noise-floor }

The radio calibration policy is created.

By default, no radio calibration policy is created. Radio calibration policies can be used
together. You can run the command multiple times to configure different radio calibration
policies according to service requirements.
NOTE
If the noise floor threshold for radio calibration is configured in the RRM profile, select noise-floor in the
radio calibration policy. Otherwise, the function cannot take effect.

Radio calibration policies are classified into:


NOTE

The noise floor, rogue AP and non-Wi-Fi policies take effect only in automatic radio calibration mode.
● Rogue AP policy: When rogue APs (APs not controlled by an AC) exist on a network, set the
radio calibration policy to rogue-ap. The device then immediately takes actions to avoid
interference. This policy may lead to frequent channel switchovers. You are advised to
use this policy under the instruction of technical support personnel.
● Load policy: When this radio calibration policy is used, the AP traffic load difference is
considered for channel allocation. The device allocates channels with less interference to
APs with heavier loads. The AP load changes over time. You are advised to use this
policy under the instruction of technical support personnel.
● Non-Wi-Fi policy: When non-Wi-Fi interference occurs on a network, the device
immediately takes actions to avoid interference.
● Noise floor policy: When the noise floor of APs is high due to special external
interference, service experience may deteriorate. With this radio calibration policy, the
device takes actions to avoid interference. When detecting that the noise floor of the
current channel exceeds the threshold three consecutive times, an AP notifies the AC
of the high noise floor. The AC then allocates another channel to the AP and does not
allocate the current channel to the AP for 30 minutes.

Step 8 (Optional) Run calibrate sensitivity { low | medium | high }

The radio calibration sensitivity is set for the device.

By default, the radio calibration sensitivity of the device is medium.

Step 9 (Optional) Configure the calibration bandwidth and calibration channel set.


1. Run the regulatory-domain-profile name profile-name command to enter the regulatory
domain profile view.
2. Run the dca-channel 5g bandwidth { 20mhz | 40mhz | 80mhz } command to configure
the calibration bandwidth.
By default, the global calibration bandwidth is 20 MHz. This command takes effect only
on the 5 GHz frequency band.
3. Run the dca-channel { 2.4g | 5g } channel-set channel-value command to configure a
calibration channel set.
By default, a calibration channel set contains channels 1, 6, and 11 on the 2.4G radio and
contains all channels supported by the corresponding country code on the 5G radio. If
the country code is China, the calibration channel set does not contain channels 36 to 64.
When configuring the calibration channels, users can specify channels as prompted.

NOTE

When configuring a calibration channel set, avoid using radar channels.


The channels you configure must be supported by the terminals; otherwise, the terminals cannot
discover wireless signals. For example, when the country code is set to China, 5 GHz channels 36,
40, 44, 48, 52, 56, 60, and 64 can be configured. However, most terminals do not support these
channels currently. If these channels are configured, the terminals cannot discover wireless signals.
In this case, you can configure 5 GHz channels 149, 153, 157, 161, and 165, which are supported
by the terminals.
Only the AP1050DN-S, AP2030DN, AP2050DN, AP2050DN-E, AP2051DN, AP2051DN-E,
AP8050DN, AP8050DN-S, AP8150DN, AP4050DN, AP4050DN-S, AP4051DN, AP4151DN,
AP4030DN, AP4130DN, AP5030DN, AP4030TN, AP4050DN-E, AP4050DN-HD, AP6050DN,
AP6150DN, AP7050DN-E, AP7050DE, AP5130DN, AP4051TN, AP6052DN, AP7030DE,
AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, AP8182DN, AP9330DN,
AP9131DN, AP9132DN, AD9430DN-24 central AP (including the mapping RUs),
AD9430DN-12 central AP (including the mapping RUs), AD9431DN-24X central AP (including
the mapping RUs), AP8030DN, AP8130DN-W, and AP8130DN support 80 MHz calibration
bandwidth.
When configuring 40 MHz or 80 MHz calibration bandwidth, check whether channels of the
corresponding bandwidth exist under the country code.
To ensure a good calibration effect, you are advised to configure at least three calibration channels.
To prevent signal interference, ensure that adjacent APs work in non-overlapping channels. The
2.4 GHz frequency band has overlapping channels. When configuring calibration channels, you
are advised to configure a non-overlapping calibration channel set containing channels 1, 6, and 11
or containing channels 1, 5, 9, and 13.
4. Run the quit command to return to the WLAN view.
Step 10 Configure the Dynamic Frequency Assignment (DFA) function.
1. (Optional) Run the calibrate flexible-radio manual-recognize command to manually
trigger redundant radio identification.
2. Run the calibrate flexible-radio { auto-switch | auto-off } command to enable the
global DFA function and configure the mode for processing a redundant radio.
By default, global DFA is disabled.
3. Enter the radio view.
– Enter the AP group radio view.
i. Run the ap-group name group-name command to enter the AP group view.
ii. Run the radio radio-id command to enter the radio view.
iii. (Optional) Run the calibrate flexible-radio disable command to disable the
DFA function of the specified radio.


By default, DFA is enabled.


iv. Run the quit command to return to the AP group view.
– Enter the AP radio view.
i. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter
the AP view.
ii. Run the radio radio-id command to enter the radio view.
iii. (Optional) Run the calibrate flexible-radio disable command to disable the
DFA function of the specified radio.
By default, DFA is enabled.
iv. Run the quit command to return to the AP view.
4. Run the quit command to return to the WLAN view.

Step 11 Configure the air scan function for radio calibration.


The configured air scan profile applies to the radio calibration, smart roaming, spectrum
analysis, WLAN location, and WIDS functions.
1. Run the air-scan-profile name profile-name command to create an air scan profile and
enter the air scan profile view.
2. Run the undo scan-disable command to enable the air scan function.

By default, the air scan function is enabled.


3. Run the scan-channel-set { country-channel | dca-channel | work-channel }
command to configure an air scan channel set.

By default, an air scan channel set contains all channels supported by the corresponding
country code of an AP.

If the radio working mode is set to monitor, the AP scans all channels supported by the
country code.
4. Run the scan-interval scan-time command to set the air scan interval.

By default, the air scan interval is 10000 ms.


5. Run the scan-period scan-time command to set the air scan period.
By default, the air scan period is 60 ms.
6. Run the quit command to return to the WLAN view.
7. Run the radio-2g-profile name profile-name or radio-5g-profile name profile-name
command to enter the 2G or 5G radio profile view.
8. Run the air-scan-profile profile-name command to bind the air scan profile to the 2G or
5G radio profile.
9. Run the quit command to return to the WLAN view.

Step 12 Bind the radio profile and regulatory domain profile to an AP group or AP. For the detailed
procedure of binding a radio profile, see 5.11.1.5 Binding a Radio Profile.
Binding the radio profile and regulatory domain profile to an AP group
1. Run the ap-group name group-name command to enter the AP group view.
2. Run the regulatory-domain-profile profile-name command to bind the regulatory
domain profile to the AP group.
Binding the radio profile and regulatory domain profile to an AP


1. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
view.
2. Run the regulatory-domain-profile profile-name command to bind the regulatory
domain profile to the AP.

----End

Verifying the Configuration


● Run the display wlan calibrate channel-set ap-group { name ap-group-name | all }
command to check the calibration channel and bandwidth that take effect.
● Run the display regulatory-domain-profile name profile-name command to check the
configured calibration channel set and calibration bandwidth.
● Run the display rrm-profile name profile-name command to check whether the
automatic channel selection and transmit power selection functions are enabled for APs.
● Run the display air-scan-profile name profile-name command to check the air scan
profile configuration.
● Run the display radio-2g-profile name profile-name command to check the RRM
profile and air scan profile bound to a 2G radio profile.
● Run the display radio-5g-profile name profile-name command to check the RRM
profile and air scan profile bound to a 5G radio profile.
● Run the display flexible-radio status command to check the status and switching result
of the redundant radio.
● Run the display flexible-radio switch-record command to check the switching record
of the redundant radio.

Follow-up Procedure
In any mode, you can run the calibrate manual startup command to trigger the calibration.
In manual mode, the device implements radio calibration only after the calibrate manual
startup command is executed.
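
The calibration channel set notes in this section (at least three calibration channels, no radar channels, non-overlapping 2.4 GHz channels, and 40 MHz or 80 MHz channels that exist under the country code) can be checked before a channel set is entered on the AC. The following Python check is an added example, not Huawei code: the function names are hypothetical, the radar (DFS) channel list is an assumption because the guide does not list radar channels, and the China channel lists are the ones quoted in the note in Step 9.

```python
# Added example: lint a planned dca-channel channel set against this section's notes.
# Function and constant names are hypothetical; this is not Huawei tooling.

MIN_CHANNELS = 3       # guide: configure at least three calibration channels
MIN_SPACING_24G = 4    # smallest spacing in the guide's sets 1/6/11 and 1/5/9/13

# Assumption (not from the guide): 5 GHz channels that commonly require radar
# detection (DFS). The real list depends on the country code.
DFS_5G = set(range(52, 65, 4)) | set(range(100, 145, 4))

# From the guide, country code China: configurable 5 GHz channels, and the
# subset that most terminals do not support.
CN_5G = {36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161, 165}
CN_5G_WEAK_TERMINAL_SUPPORT = {36, 40, 44, 48, 52, 56, 60, 64}

# First channel of each 80 MHz block in the 5 GHz channel plan.
BLOCK_STARTS_5G = (36, 52, 100, 116, 132, 149)


def bonded_group(channel, width_mhz):
    """Return the 20 MHz channels bonded with `channel` at 40 or 80 MHz, else None."""
    per_group = width_mhz // 20
    for start in BLOCK_STARTS_5G:
        block = [start + 4 * i for i in range(4)]
        if channel in block:
            first = block.index(channel) // per_group * per_group
            return block[first:first + per_group]
    return None  # for example channel 165, which is 20 MHz only


def lint_channel_set(band, channels, width_mhz=20, permitted=None, weak=()):
    """Return a list of findings for one planned calibration channel set.

    band      -- "2.4g" or "5g", as in the dca-channel command
    permitted -- 5 GHz channels allowed under the country code (caller supplies)
    weak      -- channels known to be poorly supported by terminals
    """
    chans = sorted(set(channels))
    findings = []
    if len(chans) < MIN_CHANNELS:
        findings.append("fewer than 3 calibration channels")

    if band == "2.4g":
        # Neighbouring entries closer than the guide's recommended sets overlap.
        for low, high in zip(chans, chans[1:]):
            if high - low < MIN_SPACING_24G:
                findings.append(f"2.4 GHz channels {low} and {high} overlap")
        return findings
    if band != "5g":
        raise ValueError("band must be '2.4g' or '5g'")

    radar = [c for c in chans if c in DFS_5G]
    if radar:
        findings.append(f"radar channels in set: {radar}")
    unsupported = [c for c in chans if c in weak]
    if unsupported:
        findings.append(f"channels most terminals do not support: {unsupported}")
    if width_mhz in (40, 80) and permitted is not None:
        for c in chans:
            group = bonded_group(c, width_mhz)
            if group is None or not set(group) <= set(permitted):
                findings.append(
                    f"channel {c} has no {width_mhz} MHz channel under the country code")
    return findings


if __name__ == "__main__":
    # Constructed plans: the guide's 2.4 GHz set, and a 5 GHz set at 40 MHz.
    print(lint_channel_set("2.4g", [1, 6, 11]))
    print(lint_channel_set("5g", [149, 153, 157, 161, 165], 40,
                           CN_5G, CN_5G_WEAK_TERMINAL_SUPPORT))
```

An empty list means the plan passes every rule the check knows about; it does not replace the display wlan calibrate channel-set check on the AC.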

7.8 Configuring Load Balancing


Pre-configuration Tasks
Before configuring load balancing, complete the following tasks:

● Perform the task of 5 WLAN Service Configuration.
● Associate APs engaged in load balancing with the same AC.

Configuration Procedure
You can configure static load balancing and dynamic load balancing as required:

7.8.1 Configuring Static Load Balancing


Context
The load balancing function applies to scenarios where there is a high degree of overlap
between APs' coverage ranges. If APs engaged in load balancing are far from each other, a
STA may connect to a distant AP, which affects wireless experience of users.

When the load difference between APs reaches the load difference threshold, some STAs may
access the network slowly because the APs will reject access requests of STAs according to
the load balancing algorithm. If a STA continues sending association requests to an AP, the
AP allows the STA to associate when the number of consecutive association attempts of the
STA exceeds the maximum number of rejection times.

In static load balancing mode, APs providing the same services are manually added to a load
balancing group. When a STA needs to access a WLAN, it sends an Association Request
packet to an AC through an AP. The AC determines whether to permit access from the STA
according to a load balancing algorithm. The implementation of static load balancing must
meet the following conditions.
● If dual-band APs are used, traffic is load balanced among APs working on the same
frequency band.
● Each load balancing group supports a maximum of 16 APs.
● Under the agile distributed network architecture composed of the central AP and RUs,
you only need to add radios of the RUs to a static load balancing group.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run sta-load-balance static-group name group-name

A static load balancing group is created and the static load balancing group view is displayed.

By default, no static load balancing group is available in the system.

Step 4 Run member { { ap-name ap-name | ap-id ap-id } [ radio radio-id ] }&<1-8>

An AP radio is added to the static load balancing group.

By default, no AP radio is added to a static load balancing group.

Step 5 (Optional) Configure the static load balancing mode and related parameters.
Configure static load balancing based on the channel usage or on the number of users.

Configure static load balancing based on the channel usage.

1. Run the mode channel-utilization command to configure static load balancing based on
the channel usage.

By default, static load balancing based on the number of users is used.


2. Run the channel-utilization start-threshold start-threshold command to set the start
threshold for static load balancing based on the channel usage.


By default, the start threshold for static load balancing based on the channel usage is
50%.
3. Run the channel-utilization gap-threshold gap-threshold command to set the channel
usage difference threshold for load balancing in a static load balancing group.
By default, the channel usage difference threshold for load balancing in a static load
balancing group is 20%.
Configure static load balancing based on the number of users.
1. Run the mode sta-number command to configure static load balancing based on the
number of users.
By default, static load balancing based on the number of users is used.
2. Run the sta-number start-threshold start-threshold-value command to set the start
threshold for static load balancing based on the number of users.
By default, the start threshold for load balancing in a static load balancing group is 10.
3. Run the sta-number gap-threshold { percentage percentage-value | number number-
value } command to set the load difference threshold for static load balancing based on
the number of users.
By default, the load difference threshold of a static load balancing group based on the
percentage of users is 20%.
Step 6 (Optional) Run deny-threshold deny-threshold
The maximum number of times an AP rejects association requests of a STA is configured for
the static load balancing group.
By default, the maximum number of times an AP rejects association requests of a STA is 3 for
a static load balancing group.

----End

Verifying the Configuration


• Run the display sta-load-balance static-group { all | name group-name } command to
check information about a static load balancing group.

7.8.2 Configuring Dynamic Load Balancing


Background
The load balancing function applies to scenarios where there is a high degree of overlap
between APs' coverage ranges. If APs engaged in load balancing are far from each other, a
STA may connect to a distant AP, which affects wireless experience of users.
When the load difference between APs reaches the load difference threshold, some STAs may
access the network slowly because the APs will reject access requests of STAs according to
the load balancing algorithm. If a STA continues sending association requests to an AP, the
AP allows the STA to associate when the number of consecutive association attempts of the
STA exceeds the maximum number of rejection times.
Static load balancing limits the maximum number of AP radios to 16 and allows only radios
on the same frequency band to join a load balancing group. Additionally, a static load
balancing group needs to be manually specified. Dynamic load balancing overcomes the
limitations of static load balancing.

In dynamic load balancing mode, a STA broadcasts Probe Request frames to scan available
APs. The APs that receive the Probe Request frames all report the STA information to the
AC. The AC adds these APs to a load balancing group and then uses a load balancing
algorithm to determine whether to permit access from the STA. If the RSSI threshold of
member devices in a dynamic load balancing group is set, an AP compares the RSSI of a STA
with the configured RSSI threshold after receiving the Probe Request packet sent by the STA.
If the STA's RSSI exceeds the configured RSSI threshold, the AP reports the STA information
to the AC, and the AP is added to the dynamic load balancing group. Otherwise, the AP
directly filters the STA information and does not report the information to the AC, and the AP
will not be added to the dynamic load balancing group.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run rrm-profile name profile-name
An RRM profile is created and the RRM profile view is displayed.
Step 4 Run sta-load-balance dynamic enable
Dynamic load balancing is enabled.
By default, the dynamic load balancing function is disabled.
Step 5 (Optional) Run sta-load-balance dynamic rssi-threshold rssi-threshold
An RSSI threshold is configured for member devices in the dynamic load balancing group.
By default, the RSSI threshold of member devices in a dynamic load balancing group is -70
dBm.
Step 6 (Optional) Configure the dynamic load balancing mode and related parameters.
Configure dynamic load balancing based on the number of users and channel usage.
Configure dynamic load balancing based on the channel usage.
1. Run the sta-load-balance mode channel-utilization command to configure dynamic
load balancing based on the channel usage.
By default, dynamic load balancing based on the number of users is used.
2. Run the sta-load-balance dynamic channel-utilization start-threshold start-threshold
command to set the start threshold for dynamic load balancing based on the channel
usage.
By default, the start threshold for dynamic load balancing based on the channel usage is
50%.
3. Run the sta-load-balance dynamic channel-utilization gap-threshold gap-threshold
command to set the channel usage difference threshold for load balancing in a dynamic
load balancing group.
By default, the channel utilization difference threshold for load balancing in a dynamic
load balancing group is 20%.

Configure dynamic load balancing based on the number of users.


1. Run the sta-load-balance mode sta-number command to configure dynamic load
balancing based on the number of users.

By default, dynamic load balancing based on the number of users is used.


2. Run the sta-load-balance dynamic sta-number start-threshold start-threshold-value
command to set the start threshold for dynamic load balancing based on the number of
users.
By default, the start threshold for load balancing in a dynamic load balancing group is
10.
3. Run the sta-load-balance dynamic sta-number gap-threshold command to set the
channel load difference threshold for load balancing in a dynamic load balancing group.

By default, the load difference threshold of a dynamic load balancing group based on the
percentage of users is 20%.

Step 7 (Optional) Run sta-load-balance dynamic deny-threshold deny-threshold

The maximum number of times an AP rejects association requests of a STA is configured for
dynamic load balancing.

By default, the maximum number of rejections is 3.

Step 8 Run quit

Return to the WLAN view.

Step 9 Bind the RRM profile to a radio profile.


1. Run the radio-2g-profile name profile-name or radio-5g-profile name profile-name
command to enter the 2G or 5G radio profile view.
2. Run the rrm-profile profile-name command to bind the RRM profile to the 2G or 5G
radio profile.
3. Run the quit command to return to the WLAN view.

Step 10 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.

----End

Verifying the Configuration


• Run the display rrm-profile name profile-name command to check settings of dynamic
load balancing parameters.
• Run the display radio-2g-profile name profile-name command to check the RRM
profile referenced by a 2G radio profile.
• Run the display radio-5g-profile name profile-name command to check the RRM
profile referenced by a 5G radio profile.
• Run the display station load-balance sta-mac mac-address command to check
information about the dynamic load balancing group of the specified STA.
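
The admission behaviour described in this section, modelled as an added example (not Huawei's implementation and not code from this guide): the RSSI filter builds the group, and the start, gap and deny thresholds decide each association request. The per-radio `capacity`, the percentage formula and the comparison against the least-loaded member are assumptions, because this section does not define how the load difference is calculated.

```python
"""Toy model of the dynamic load balancing admission decision (added example).

Assumptions (not defined in this section of the guide): load is users/capacity
in percent, and the gap is measured against the least-loaded group member.
"""
from dataclasses import dataclass, field


@dataclass
class Radio:
    name: str
    users: int      # STAs currently associated
    capacity: int   # assumed maximum STAs on the radio (hypothetical parameter)

    @property
    def load_pct(self) -> float:
        return 100.0 * self.users / self.capacity


@dataclass
class DynamicBalancer:
    # Defaults are the ones the guide lists for the sta-load-balance commands.
    rssi_threshold: int = -70     # dBm, sta-load-balance dynamic rssi-threshold
    start_threshold: int = 10     # users, ... sta-number start-threshold
    gap_threshold: float = 20.0   # percent, ... sta-number gap-threshold
    deny_threshold: int = 3       # rejections, ... deny-threshold
    denials: dict = field(default_factory=dict)  # (sta, radio) -> consecutive rejections

    def group(self, radios, probes):
        """Radios that report the STA: its RSSI exceeds the configured threshold."""
        return [radios[n] for n, rssi in probes.items() if rssi > self.rssi_threshold]

    def request(self, sta, target, radios, probes):
        """Decide one association request; returns (allowed, reason)."""
        members = self.group(radios, probes)
        ap, key = radios[target], (sta, target)
        if target not in [r.name for r in members]:
            return self._allow(key, ap, "target radio not in group")
        if ap.users < self.start_threshold:
            return self._allow(key, ap, "below start threshold")
        gap = ap.load_pct - min(r.load_pct for r in members)
        if gap < self.gap_threshold:
            return self._allow(key, ap, "gap below threshold")
        rejected = self.denials.get(key, 0)
        if rejected >= self.deny_threshold:
            # Consecutive attempts now exceed the maximum number of rejections.
            return self._allow(key, ap, "deny threshold exceeded")
        self.denials[key] = rejected + 1
        return False, f"rejected {rejected + 1}/{self.deny_threshold}"

    def _allow(self, key, ap, reason):
        self.denials.pop(key, None)
        ap.users += 1
        return True, reason


def demo():
    """Constructed scenario: one STA retries the busiest radio it can hear well."""
    radios = {
        "ap1": Radio("ap1", users=24, capacity=64),
        "ap2": Radio("ap2", users=8, capacity=64),
        "ap3": Radio("ap3", users=30, capacity=64),
    }
    probes = {"ap1": -55, "ap2": -62, "ap3": -81}  # constructed RSSI values, dBm
    balancer = DynamicBalancer()
    return [balancer.request("sta-a", "ap1", radios, probes) for _ in range(4)]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("allow" if allowed else "deny ", reason)
```

In this model, with the default thresholds, a STA that keeps retrying the same loaded radio is admitted on its fourth request, which is the bound the deny threshold places on how long balancing can hold a client off.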

7.9 Configuring Band Steering


Pre-configuration Tasks
The band steering function enables an AP to steer STAs to the 5 GHz radio first, which
reduces traffic load and interference on the 2.4 GHz radio and improves user experience.
Before configuring band steering, complete the following tasks:
• Perform the task of 5 WLAN Service Configuration.
• Use APs that support both 5 GHz and 2.4 GHz frequency bands and configure the same
SSID and security policy on the 5 GHz and 2.4 GHz radios.

Background
NOTE

To allow a STA to preferentially associate with the 5 GHz radio and achieve a better access effect,
configure higher power for the 5 GHz radio than for the 2.4 GHz radio.
Single-radio devices do not support the band steering function.
The AP2010DN does not support the band steering function.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
A VAP profile is created and the VAP profile view is displayed.
Step 4 Run undo band-steer disable
The band steering function is enabled.
By default, the band steering function is enabled.
Step 5 Run quit
Return to the WLAN view.
Step 6 (Optional) Configure band steering parameters.
1. Run the rrm-profile name profile-name command to create an RRM profile and enter
the RRM profile view.
2. Run the band-steer balance start-threshold start-threshold command to set the start
threshold for load balancing between radios.
By default, the start threshold for load balancing between radios is 100.
3. Run the band-steer balance gap-threshold gap-threshold command to set the load
difference threshold for load balancing between radios.

By default, the load difference threshold for load balancing between radios is 90%.
4. Run the band-steer snr-threshold snr-threshold command to configure a start SNR
threshold for triggering 5G-prior access.
The default start SNR threshold for triggering 5G-prior access is 20 dB.
5. Run the band-steer deny-threshold deny-threshold command to set the maximum
number of times an AP rejects association requests of a STA for band steering.

By default, the maximum number of rejections is 0.


6. Run the band-steer client-band-expire probe-counters command to set the aging
condition for terminal band information.
By default, band information of a terminal is aged out when an AP has consecutively
received Probe frames of the terminal more than 35 times from the same frequency
band.

Step 7 Run quit

Return to the WLAN view.

Step 8 Bind the RRM profile to a radio profile.

Only the band steering parameters configured in the 2G radio profile take effect in the system.

1. Run the radio-2g-profile name profile-name or radio-5g-profile name profile-name
command to enter the 2G or 5G radio profile view.
2. Run the rrm-profile profile-name command to bind the RRM profile to the 2G radio
profile. Binding the RRM profile to the 5G radio profile does not take effect.
3. Run the quit command to return to the WLAN view.

Step 9 Bind the radio profile and VAP profile to an AP group or a specific AP. See 5.11.1.5 Binding
a Radio Profile for the detailed procedure of binding a radio profile and 5.11.2.11 Binding
VAP Profiles for the detailed procedure of binding a VAP profile.

----End

Verifying the Configuration


• Run the display vap-profile name profile-name command to check the status of the
band steering function.
• Run the display rrm-profile name profile-name command to check settings of band
steering parameters.
• Run the display radio-2g-profile name profile-name command to check the RRM
profile referenced by a 2G radio profile.
• Run the display radio-5g-profile name profile-name command to check the RRM
profile referenced by a 5G radio profile.

7.10 Configuring Smart Roaming


Pre-configuration Tasks
Before configuring smart roaming, perform the task of 5 WLAN Service Configuration.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run rrm-profile name profile-name
The RRM profile view is displayed.
Step 4 Run undo smart-roam disable
Smart roaming is enabled.
By default, smart roaming is enabled.
Step 5 (Optional) Run undo smart-roam advanced-scan disable
The coordinated scanning function of smart roaming is enabled.
By default, the coordinated scanning function of smart roaming is enabled.

Step 6 (Optional) Run smart-roam roam-threshold { check-snr | check-rate } *


The trigger mode of smart roaming is configured.
By default, the trigger mode of smart roaming is check-snr.
Step 7 (Optional) Run smart-roam roam-threshold { snr snr-threshold | rate rate-threshold }
The smart roaming threshold is configured.
By default, the SNR threshold for smart roaming is 20 dB, and the rate threshold is 20%.
Step 8 (Optional) Run smart-roam snr-margin high-level-margin high-level-margin low-level-
margin low-level-margin
The SNR difference threshold that triggers terminal roaming is configured.
By default, the higher and lower SNR difference thresholds that trigger terminal roaming are
15 dB and 6 dB, respectively.
Step 9 (Optional) Run smart-roam quick-kickoff-snr check-interval check-interval
The terminal SNR check interval is configured.
By default, the terminal SNR check interval is 500 ms.
Step 10 (Optional) Run smart-roam quick-kickoff-snr p-n criteria observe-time observe-value
qualify-time qualify-value
The PN threshold for quickly disconnecting STAs is specified.
By default, the number of PN observation times is 6, and the number of observation times in
which the criteria are met is 4.
Step 11 (Optional) Run smart-roam unable-roam-client expire-time expire-time
The aging time of "unable to roam" records is configured for terminals.

By default, the aging time of "unable to roam" records is 120 minutes.

Step 12 (Optional) Run smart-roam quick-kickoff back-off-time back-off-time

The backoff time for quickly disconnecting STAs is set.

By default, the backoff time for quickly disconnecting STAs is 60 seconds.

Step 13 (Optional) Run sta-load-balance dynamic btm-fail-times btm-fail-times

The maximum number of attempts to steer STAs in BTM mode is set.

By default, the maximum number of attempts to migrate STAs in BTM mode is 5.

Step 14 (Optional) Run sta-load-balance dynamic deauth-fail-times deauth-fail-times

The maximum number of attempts to steer STAs in deauthentication mode is set.

By default, the maximum number of attempts to migrate STAs in deauthentication mode is 2.

Step 15 (Optional) Run sta-load-balance dynamic steer-restrict probe-threshold probe-threshold

The maximum number of times is set for non-target APs to suppress probing of STAs during
STA steering.

By default, the maximum number of times non-target APs suppress probing of STAs during
migration of the STAs is 5.

Step 16 (Optional) Run sta-load-balance dynamic steer-restrict auth-threshold auth-threshold

The maximum number of times is set for non-target APs to suppress authentication of STAs
during STA steering.

By default, the maximum number of times non-target APs suppress authentication of STAs
during migration of the STAs is 0.

Step 17 (Optional) Run sta-load-balance dynamic steer-restrict restrict-time restrict-time

The duration within which non-target APs suppress association of STAs during STA steering
is set.

By default, the duration within which non-target APs suppress association of STAs during
migration of the STAs is 5 seconds.

Step 18 Run quit

Return to the WLAN view.

Step 19 Bind the RRM profile to a radio profile.


1. Run the radio-2g-profile name profile-name or radio-5g-profile name profile-name
command to enter the 2G or 5G radio profile view.
2. Run the rrm-profile profile-name command to bind the RRM profile to the 2G or 5G
radio profile.
3. Run the quit command to return to the WLAN view.

Step 20 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.

----End

Verifying the Configuration


• Run the display rrm-profile name profile-name command to check settings of smart
roaming parameters.
• Run the display radio-2g-profile name profile-name command to check the RRM
profile referenced by a 2G radio profile.
• Run the display radio-5g-profile name profile-name command to check the RRM
profile referenced by a 5G radio profile.
• Run the display station neighbor sta-mac mac-address command to check the neighbor
list of a specified STA.
• Run the display station steer-history command to check historical steering information
about a specified STA.
• Run the display station steer-statistics command to check STA steering statistics.

7.11 Configuring the Function of Quickly Disconnecting STAs

Context
After the function of quickly disconnecting STAs is enabled, an AP disconnects STAs whose
SNR or access rate is lower than the specified threshold. The STAs then can connect to or
roam to another AP.

Pre-configuration Tasks
Before configuring this function, complete the following task:
• Configure basic WLAN services.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run rrm-profile name profile-name
The RRM profile view is displayed.
Step 4 Run undo smart-roam quick-kickoff-threshold disable
The function of quickly disconnecting STAs is enabled.
By default, the function of quickly disconnecting STAs is enabled.

Step 5 (Optional) Run smart-roam quick-kickoff-threshold { check-snr | check-rate } *


The mode for triggering the function of quickly disconnecting STAs is specified.
The default mode for triggering the function of quickly disconnecting STAs is check-snr.

Step 6 (Optional) Run smart-roam quick-kickoff-threshold { snr snr-threshold | rate rate-threshold }
The threshold for quickly disconnecting STAs is specified. The function of quickly
disconnecting STAs is configured to allow the STAs to connect to or roam to another AP with
stronger signals.
By default, the SNR-based threshold for quickly disconnecting STAs is 15 dB, and the rate-
based threshold is 20%.
Step 7 (Optional) Run smart-roam quick-kickoff-snr check-interval check-interval
The interval for checking the SNR to determine whether to quickly disconnect STAs is
specified.
The default interval for checking the SNR to determine whether to quickly disconnect STAs is
500 ms.
Step 8 (Optional) Run smart-roam quick-kickoff-snr p-n criteria observe-time observe-value
qualify-time qualify-value
The PN threshold for quickly disconnecting STAs is specified.
By default, the number of PN observation times is 6, and the number of observation times in
which the criteria are met is 4.
Step 9 Run quit
Return to the WLAN view.
Step 10 Bind the specified RRM profile to a radio profile.
1. Run the radio-2g-profile name profile-name or radio-5g-profile name profile-name
command to enter the 2G or 5G radio profile view.
2. Run the rrm-profile profile-name command to bind the RRM profile to the 2G or 5G
radio profile.
3. Run the quit command to return to the WLAN view.
Step 11 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.
----End

Verifying the Configuration


• Run the display rrm-profile name profile-name command to check the configuration
about the function of quickly disconnecting STAs.
• Run the display radio-2g-profile name profile-name command to check the RRM
profile bound to the 2G radio profile.
• Run the display radio-5g-profile name profile-name command to check the RRM
profile bound to the 5G radio profile.

7.12 Configuring User CAC


Context
On WLANs where many users exist, such as WLANs in high density scenarios, users
compete fiercely to occupy the channels as the number of online users increases. As a result,
network quality deteriorates. To ensure network access experience of online users, configure
the user CAC function. The user CAC function allows an AP to control user access based on
the thresholds specified according to the radio channel usage, number of online users, or
terminal SNR, which enables provisioning of high-quality network access services.

CAC is implemented in three modes:


• CAC based on channel usage uses a complex algorithm but is accurate, which
ensures service quality. This mode is recommended when service types and traffic
volumes differ greatly among users.
• CAC based on the number of users is less accurate but uses a simple algorithm. This
mode is recommended when most users have the same type of services and similar
service traffic volumes.
• SNR-based CAC controls access from weak-signal users. This mode is recommended
when the WLAN has good signal coverage and weak signals only at the edge of WLAN
coverage areas.

Pre-configuration Tasks
Before configuring user CAC, perform the task of 5 WLAN Service Configuration.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run rrm-profile name profile-name

The RRM profile view is displayed.

Step 4 Configure the CAC implementation mode and threshold, and enable CAC.
You can configure any of the preceding CAC implementation modes as required.

User CAC based on channel usage and user CAC based on the number of access users cannot
be configured simultaneously, but either of them can be configured together with user CAC
based on terminal SNR.

• CAC based on the number of users


a. Run the uac client-number enable command to enable CAC based on the number
of users.
b. Run the uac client-number threshold access access-threshold [ roam roam-
threshold ] command to configure the CAC threshold based on the number of users.
NOTE

By default, the user CAC access and roaming thresholds based on the number of users are both
64.
• CAC based on channel usage
a. Run the uac channel-utilization enable command to enable CAC based on channel
usage.

b. Run the uac channel-utilization threshold access access-threshold [ roam roam-threshold ]
command to configure the CAC threshold based on channel usage.
NOTE

By default, the user CAC access and roaming thresholds based on channel usage are both 80%.
• CAC based on terminal SNR
a. Run the uac client-snr enable command to enable CAC based on terminal SNR.
b. Run the uac client-snr threshold threshold command to configure the CAC
threshold based on terminal SNR.
NOTE

By default, the user CAC threshold based on terminal SNR is 20 dB.

Step 5 (Optional) Run uac reach-access-threshold hide-ssid

The AP is configured to automatically hide its SSID when the CAC threshold is reached.

By default, an AP does not hide its SSID when the CAC threshold is reached.

Step 6 Run quit

Return to the WLAN view.

Step 7 Bind the RRM profile to a radio profile.


1. Run the radio-2g-profile name profile-name or radio-5g-profile name profile-name
command to enter the 2G or 5G radio profile view.
2. Run the rrm-profile profile-name command to bind the RRM profile to the 2G or 5G
radio profile.
3. Run the quit command to return to the WLAN view.

Step 8 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.

----End

Verifying the Configuration


• Run the display rrm-profile name profile-name command to check settings of user
CAC parameters.
• Run the display radio-2g-profile name profile-name command to check the RRM
profile referenced by a 2G radio profile.
• Run the display radio-5g-profile name profile-name command to check the RRM
profile referenced by a 5G radio profile.
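
A pre-deployment check for two constraints this guide states: band steering parameters take effect only through the 2G radio profile (7.9), and user CAC based on the number of users cannot be combined with user CAC based on channel usage (Step 4 above). This is an added example, not Huawei tooling; the indentation-based layout of the configuration text and all profile names and values in it are constructed assumptions.

```python
"""Lint an exported WLAN configuration for two constraints stated in this guide.

Added example. The indented layout of SAMPLE is an assumption about how the
configuration is exported; the profile names and values are constructed.
"""
import re

SAMPLE = """\
wlan
 rrm-profile name rrm-cac
  uac client-number enable
  uac client-number threshold access 48 roam 56
  uac channel-utilization enable
  uac client-snr enable
 rrm-profile name rrm-steer
  band-steer snr-threshold 25
  band-steer deny-threshold 2
 rrm-profile name rrm-ok
  uac channel-utilization enable
  uac client-snr enable
  band-steer balance start-threshold 80
 radio-2g-profile name radio2g
  rrm-profile rrm-ok
 radio-5g-profile name radio5g
  rrm-profile rrm-steer
"""

HEADER = re.compile(r"^(rrm-profile|radio-2g-profile|radio-5g-profile) name (\S+)$")
BINDING = re.compile(r"^rrm-profile (\S+)$")


def parse(text):
    """Return {(kind, name): [commands]} for every profile view in the text."""
    profiles, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        header = HEADER.match(line)
        if header:
            current = profiles.setdefault((header.group(1), header.group(2)), [])
            depth = indent
        elif current is not None and indent > depth:
            current.append(line)
        else:
            current = None   # left the profile view
    return profiles


def lint(text):
    """Return [(rrm_profile, finding)] in configuration order."""
    profiles = parse(text)
    bound_2g = set()
    for (kind, _), cmds in profiles.items():
        if kind == "radio-2g-profile":
            bound_2g.update(m.group(1) for m in map(BINDING.match, cmds) if m)
    findings = []
    for (kind, name), cmds in profiles.items():
        if kind != "rrm-profile":
            continue
        # User CAC by user count and by channel usage are mutually exclusive;
        # either may be combined with SNR-based CAC.
        if {"uac client-number enable", "uac channel-utilization enable"} <= set(cmds):
            findings.append((name, "uac-modes-conflict"))
        # Band steering parameters only take effect through a 2G radio profile.
        if any(c.startswith("band-steer ") for c in cmds) and name not in bound_2g:
            findings.append((name, "band-steer-not-bound-to-2g"))
    return findings


if __name__ == "__main__":
    for profile, finding in lint(SAMPLE):
        print(f"{profile}: {finding}")
```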

7.13 Configuring Dynamic EDCA Parameter Adjustment


Context
You can configure dynamic EDCA parameter adjustment to reduce co-channel interference
when APs are densely deployed. Dynamic EDCA parameter adjustment allows APs to adjust
EDCA parameters flexibly based on the number of users to reduce the possibility of collision,
improve the throughput, and enhance user experience.

Pre-configuration Tasks
Before configuring dynamic EDCA parameter adjustment, perform the task of 5 WLAN
Service Configuration.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run rrm-profile name profile-name
An RRM profile is created and the RRM profile view is displayed.
Step 4 Run dynamic-edca enable
Dynamic EDCA parameter adjustment is enabled.
By default, dynamic EDCA parameter adjustment is disabled.
Step 5 Run quit
Return to the WLAN view.
Step 6 Bind the RRM profile to a radio profile.
1. Run the radio-2g-profile name profile-name or radio-5g-profile name profile-name
command to enter the 2G or 5G radio profile view.
2. Run the rrm-profile profile-name command to bind the RRM profile to the 2G or 5G
radio profile.
3. Run the quit command to return to the WLAN view.
Step 7 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.

----End

Verifying the Configuration


• Run the display rrm-profile name profile-name command to check settings of dynamic
EDCA parameter adjustment in an RRM profile.
• Run the display radio-2g-profile name profile-name command to check the RRM
profile referenced by a 2G radio profile.
• Run the display radio-5g-profile name profile-name command to check the RRM
profile referenced by a 5G radio profile.

7.14 Configuring the AMC Algorithm for a Radio


Context
Adaptive Modulation and Coding (AMC) Algorithm for a Radio

Radios need to adjust the AMC algorithm according to different scenarios to deliver the
optimal user experience. Three AMC algorithms are available:
• auto-balance: applicable to most wireless scenarios.
• high-stability: applicable to scenarios with continuous interference.
• high-throughput: applicable to scenarios with good wireless signals and non-continuous
interference.
AMC Optimization in High-Density Scenarios
In typical high-density scenarios, a large number of hidden nodes exist, which interfere with
communication between APs and STAs and affect product performance. The AMC
optimization function can reduce such interference and improve the AMC algorithm
performance.
• It is recommended that this function be enabled in high-density scenarios where
directional antennas are used.
• This function is not applicable to scenarios where STAs move fast between APs.

Pre-configuration Tasks
Before configuring the adaptive modulation and coding (AMC) algorithm, perform the task of
5 WLAN Service Configuration.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run rrm-profile name profile-name
An RRM profile is created, and the RRM profile view is displayed.
Step 4 Run amc-policy { auto-balance | high-stability | high-throughput }
An AMC algorithm is configured for the radio.
By default, a radio uses the AMC algorithm auto-balance.
NOTE
This takes effect only on APs in compliance with 802.11n.

Step 5 Run high-density amc-optimize enable


The AMC optimization function in high-density scenarios is enabled.
By default, the AMC optimization function is disabled in high-density scenarios.
• This takes effect only on APs in compliance with 802.11ac Wave 2.
• This function does not take effect in MU-MIMO mode.
Step 6 Run quit
Return to the WLAN view.

Step 7 Bind the RRM profile to a radio profile.


1. Run the radio-2g-profile name profile-name or radio-5g-profile name profile-name
command to enter the 2G or 5G radio profile view.
2. Run the rrm-profile profile-name command to bind the RRM profile to the 2G or 5G
radio profile.
3. Run the quit command to return to the WLAN view.

Step 8 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.

----End

Verifying the Configuration


• Run the display rrm-profile name profile-name command to check the AMC algorithm
configured for radios in the RRM profile.
• Run the display radio-2g-profile name profile-name command to check the RRM
profile bound to the 2G radio profile.
• Run the display radio-5g-profile name profile-name command to check the RRM
profile bound to the 5G radio profile.

7.15 Configuring Automatic Per Packet Power Adjustment


Context
You can configure automatic per packet power adjustment on WLANs to reduce AP power
consumption and interference to surrounding devices. This configuration applies to WLANs
with good signal coverage.

Pre-configuration Tasks
Before configuring automatic per packet power adjustment, perform the task of 5 WLAN
Service Configuration.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name

The 2G or 5G radio profile view is displayed.

Step 4 Run power auto-adjust enable

Automatic per packet power adjustment is enabled for APs.

By default, automatic per packet power adjustment is disabled for an AP.

Step 5 Run quit

Return to the WLAN view.

Step 6 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.

----End

Verifying the Configuration


• Run the display radio-2g-profile name profile-name command to check the automatic
per packet power adjustment configuration of an AP in a 2G radio profile.
• Run the display radio-5g-profile name profile-name command to check the automatic
per packet power adjustment configuration of an AP in a 5G radio profile.

7.16 Configuring the Smart Antenna Function


Pre-configuration Tasks
Before configuring the smart antenna function, perform the task of 5 WLAN Service
Configuration.

Context
After the smart antenna function is enabled, an AP can select a proper antenna array based on
STAs' locations, improving signal strength and user experience.

In the smart antenna algorithm, an AP uses different antenna combinations to send training
packets for antenna training. During smart antenna training, the transmit end (AP) sends
training packets to a receive end (STA). The receive end measures the PER and RSSI in the
received packets, and then sends the PER and RSSI to the transmit end. The transmit end
collects information about all antenna combinations and corresponding PERs and RSSIs to
determine the optimal antenna combination for the receiver.

• The AP2051DN, AP2051DN-E, R251D, R251D-E, AP7030DE, AP7050DE and
AP7052DE support the smart antenna function.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name

The 2G or 5G radio profile view is displayed.

Step 4 Run smart-antenna enable

The smart antenna function is enabled for APs.

By default, the smart antenna function is disabled for APs but enabled for the AP7052DE,
AP2051DN, AP2051DN-E, R251D and R251D-E.
Step 5 Configure smart antenna related parameters.
1. Run the smart-antenna valid-per-scope { high-per-threshold high-per-threshold | low-
per-threshold low-per-threshold } command to configure the upper and lower valid
PER thresholds in the smart antenna algorithm.
The default upper and lower valid PER thresholds are 80% and 20%, respectively.
The PER is a key basis for the smart antenna algorithm. After proper upper and lower
valid PER thresholds are configured, the smart antenna algorithm can select a proper
antenna combination to improve the coverage and anti-interference capability of a
WLAN in indoor coverage scenarios.
2. Run the smart-antenna throughput-triggered-training threshold threshold command
to configure a sudden performance change threshold that triggers antenna training.
The default sudden performance change threshold that triggers smart antenna training is
10%.
In a smart antenna system, the device monitors performance (throughput) of transmit
ends. If the detected throughput of a transmit end exceeds the sudden performance
change threshold specified using the smart-antenna throughput-triggered-training
command, a new round of antenna training is triggered.
– In a good air interface environment, set a high sudden performance change
threshold to prevent frequent antenna training from affecting user services.
– In a poor air interface environment, set a low sudden performance change threshold
to improve the WLAN's anti-interference capability.
3. Run the smart-antenna training-interval training-interval command to configure the
smart antenna training interval.
The default smart antenna training interval is auto, indicating that a smart antenna is
trained in self-adaptation mode.
Configure the smart antenna training interval based on actual situations.
– A short antenna training interval causes frequent antenna training and affects user
services.
– A long antenna training interval prevents the device from switching the antenna
combination in time to adapt to WLAN environment changes.
When the default smart antenna training interval is restored, that is, smart antennas are
trained in self-adaptation mode, the device adaptively calculates the antenna training
interval based on the number of concurrent STAs.
4. Run the smart-antenna training-mpdu-number training-mpdu-number command to
configure the number of MAC protocol data units (MPDUs) sent by an AP to a STA
during smart antenna training.
By default, 640 MPDUs are sent by an AP to a STA during smart antenna training.
If the traffic rate, bandwidth, and air interface rate of the STA are high, set a small value.
Otherwise, set a large value.
Step 6 Run quit
Return to the WLAN view.


Step 7 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.

----End

Verifying the Configuration


• Run the display radio-2g-profile name profile-name command to check the smart
antenna configuration of an AP in a 2G radio profile.
• Run the display radio-5g-profile name profile-name command to check the smart
antenna configuration of an AP in a 5G radio profile.

7.17 Configuring a CCA Threshold


Pre-configuration Tasks
Before configuring a CCA threshold, complete the following task:
• Configure basic WLAN services.

Context
The CCA mechanism enables a WLAN chip to determine whether the channel is idle before
transmitting signals to the air interface. If so, the chip transmits signals. If not, the chip waits
until the channel is idle.
The CCA threshold is used by a WLAN chip to determine whether the channel is idle. If the
noise on the channel exceeds the threshold, the chip considers the channel busy. Otherwise,
the chip considers the channel idle.
When deploying a WLAN, set a proper CCA threshold to reduce signal interference and
improve the channel reuse rate.
• If APs are densely deployed, a high CCA threshold is recommended to narrow down the
coverage and skip remote weak signals.
• If APs are sparsely deployed, a low CCA threshold is recommended to maximize the
effective coverage of signals.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
The 2G or 5G radio profile view is displayed.
Step 4 Run cca-threshold cca-threshold
A CCA threshold is configured.
By default, no CCA threshold is specified. APs use the default CCA threshold of the chip.


NOTE
This command takes effect only on the AD9430DN-12 (including matching RUs), AD9430DN-24 (including
matching RUs), AD9431DN-24X (including matching RUs), AP1050DN-S, AP2030DN, AP2050DN,
AP2050DN-S, AP2050DN-E, AP2051DN, AP2051DN-E, AP3030DN, AP4030DN, AP4130DN,
AP4030DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP4050DN, AP4050DN-S, AP4051DN,
AP4151DN, AP4051DN-S, AP4051TN, AP430-E, AP5030DN, AP5030DN-S, AP5130DN, AP6050DN,
AP6150DN, AP6052DN, AP7050DN-E, AP7050DE, AP7052DN, AP7152DN, AP7052DE, AP8030DN,
AP8130DN, AP8130DN-W, AP8050DN, AP8150DN, AP8050DN-S, AP8050TN-HD, AP8082DN,
AP8182DN, AP9131DN, AP9132DN, and AP9330DN.

Step 5 Run quit

Return to the WLAN view.

Step 6 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.

----End

Verifying the Configuration


• Run the display radio-2g-profile name profile-name command to check the CCA
threshold for APs in a 2G radio profile.
• Run the display radio-5g-profile name profile-name command to check the CCA
threshold for APs in a 5G radio profile.

7.18 Maintaining Radio Resource Management

7.18.1 Displaying Radio Calibration Statistics

Context
During radio calibration, run the following command to view radio calibration statistics.

Procedure
• Run the display wlan calibrate statistics { ap-name ap-name | ap-id ap-id } radio
radio-id command to check radio calibration statistics.

----End

7.18.2 Clearing Radio Calibration Statistics

Context
Before recollecting radio calibration statistics, run the following command to clear the
existing statistics.


NOTICE
The cleared radio calibration statistics cannot be restored. Exercise caution when you run the
command.

Procedure
Step 1 Run the reset wlan calibrate statistics { ap-name ap-name | ap-id ap-id } radio radio-id
command in the user view to clear radio calibration statistics.

----End

7.18.3 Checking Roam-Incapable Records of STAs in Smart Roaming

Context
After smart roaming is configured, you can check roam-incapable records of STAs.

Procedure
• Run the display station unsteerable command to check roam-incapable records of
STAs.
----End

7.19 Configuration Examples for Radio Resource Management

7.19.1 Example for Configuring Radio Calibration


Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 7-11, a large number of APs are deployed in an office building. The APs
connect to the AC through Switch_A to provide wireless services for users.


It will be a heavy workload to manually configure radio parameters (such as the channel) for
the APs one by one. The enterprise IT department requires that the AC automatically allocate
channels to the APs based on radio environments to simplify network deployment.

Figure 7-11 Networking diagram for configuring radio calibration

[Figure: Internet - Router (GE2/0/0, VLAN 200) - AC (GE0/0/2, VLAN 200; GE0/0/1, VLAN 100) -
Switch_A (GE0/0/2 to the AC; GE0/0/1 and GE0/0/3 to the APs area_1 and area_2, all VLAN 100) -
STAs attached to each AP. Management VLAN: VLAN 100. Service VLAN: VLAN pool.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the APs, AC, and upper-layer devices to communicate with each other.
2. Configure the AC as a DHCP server to assign IP addresses to the APs and STAs.
3. Configure a VLAN pool for service VLANs.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
5. Configure WLAN service parameters for STAs to access the WLAN.
6. Configure radio calibration so that the AC can automatically allocate the optimal
working channels to the APs.


Table 7-5 Data required for completing the configuration

Item                                      Data

DHCP server                               The AC functions as the DHCP server to assign IP
                                          addresses to the APs and STAs.

IP address pool for the APs               10.23.100.2-10.23.100.254/24

IP address pool for the STAs              10.23.101.2-10.23.101.254/24
                                          10.23.102.2-10.23.102.254/24

VLAN pool                                 • Name: sta-pool
                                          • VLANs in the VLAN pool: VLAN 101 and VLAN 102

IP address of the AC's source interface   VLANIF 100: 10.23.100.1/24

AP group                                  • Name: ap-group1
                                          • Referenced profiles: VAP profile wlan-vap, regulatory
                                            domain profile domain1, 5G radio profile radio5g, and
                                            2G radio profile radio2g

Regulatory domain profile                 • Name: domain1
                                          • Country code: CN

SSID profile                              • Name: wlan-ssid
                                          • SSID name: wlan-net

Security profile                          • Name: wlan-security
                                          • Security policy: WPA2+PSK+AES
                                          • Password: a1234567

VAP profile                               • Name: wlan-vap
                                          • Forwarding mode: tunnel forwarding
                                          • Service VLAN: VLANs in the VLAN pool
                                          • Referenced profiles: SSID profile wlan-ssid and
                                            security profile wlan-security

5G radio profile                          • Name: radio5g
                                          • Referenced profiles: RRM profile wlan-net and air scan
                                            profile wlan-airscan

2G radio profile                          • Name: radio2g
                                          • Referenced profiles: RRM profile wlan-net and air scan
                                            profile wlan-airscan

RRM profile                               Name: wlan-net

Air scan profile                          • Name: wlan-airscan
                                          • Air scan channel set: all channels supported by the
                                            corresponding country code of an AP
                                          • Air scan interval: 80000 ms
                                          • Air scan duration: 80 ms

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure Switch_A and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 to GE0/0/3 on Switch_A to VLAN 100 (management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] port-isolate enable
[Switch_A-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects the AC to Switch_A to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


# Configure VLAN 101 (service VLAN), VLAN 102 (service VLAN) and VLANIF 102.
NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
[AC] vlan batch 101 102 200
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] quit
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.2 24
[AC-Vlanif200] quit

# Configure a default route on the AC.


[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.200.1

# Add GE0/0/2 that connects the AC to the Router to VLAN 200.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 10.23.200.1
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] dhcp select relay
[AC-Vlanif102] dhcp relay server-ip 10.23.200.1
[AC-Vlanif102] quit

# Configure the Router as a DHCP server to allocate IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta-ip-pool1
[Router-ip-pool-sta-ip-pool1] gateway-list 10.23.101.1
[Router-ip-pool-sta-ip-pool1] network 10.23.101.0 mask 24
[Router-ip-pool-sta-ip-pool1] quit
[Router] ip pool sta-ip-pool2
[Router-ip-pool-sta-ip-pool2] gateway-list 10.23.102.1
[Router-ip-pool-sta-ip-pool2] network 10.23.102.0 mask 24
[Router-ip-pool-sta-ip-pool2] quit
[Router] vlan batch 200
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.23.200.1 24
[Router-Vlanif200] dhcp select global
[Router-Vlanif200] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 200
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.200.2
[Router] ip route-static 10.23.102.0 24 10.23.200.2

Step 5 Configure a VLAN pool for service VLANs.

# Create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the VLAN
assignment algorithm to hash in the VLAN pool.

NOTE

This example uses the hash VLAN assignment algorithm, which is the default. If the default setting
has not been changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can add multiple VLANs
to a VLAN pool. As with VLAN 101 and VLAN 102, you need to create the corresponding VLANIF
interfaces and configure IP addresses and interface address pools for each VLAN you add.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 6 Configure the APs to go online.

# Create an AP group and add the APs to the AP group.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit


# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to AP group ap-group1. Assume that the
APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640. Configure names for the APs
based on the APs' deployment locations, so that you can know where the APs are deployed
from their names. For example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   5M:2S  -
1    60de-4474-9640 area_2 ap-group1 10.23.100.253 AP5030DN nor   0   5M:4S  -
--------------------------------------------------------------------------------------------------
Total: 2

Step 7 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLANs, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 8 Configure radio calibration.

# Enable automatic channel selection and automatic transmit power selection. By default,
automatic channel selection and automatic transmit power selection are enabled.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/1] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

# Create the air scan profile wlan-airscan and configure the scan channel set, scan interval,
and scan duration. By default, an air scan channel set contains all channels supported by the
corresponding country code of an AP.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 80
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 80000
[AC-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile radio2g and bind the RRM profile wlan-net and air scan profile
wlan-airscan to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile wlan-net
[AC-wlan-radio-2g-prof-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-radio2g] quit

# Create the 5G radio profile radio5g and bind the RRM profile wlan-net and air scan profile
wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name radio5g
[AC-wlan-radio-5g-prof-radio5g] rrm-profile wlan-net
[AC-wlan-radio-5g-prof-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-radio5g] quit

# Bind the 5G radio profile radio5g and 2G radio profile radio2g to the AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

# Set the radio calibration mode to manual and trigger radio calibration. By default, the radio
calibration mode is manual.
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup

Step 9 Verify the configuration.


• Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567.
Run the display station ssid wlan-net command on the AC. The command output
shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
----------------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  0/1     2.4G 11n  65/38 -29  101  10.23.101.254
b878-2eb4-2689 1     area_2  0/1     2.4G 11n  78/43 -33  102  10.23.102.254
----------------------------------------------------------------------------------------
Total: 2 2.4G: 2 5G: 0
• Run the display radio all command on the AC to check radio calibration results.
[AC-wlan-view] display radio all
CH/BW:Channel/Bandwidth
CE:Current EIRP (dBm)
ME:Max EIRP (dBm)
CU:Channel utilization
ST:Status
----------------------------------------------------------------------
AP ID Name RfID Band Type Status CH/BW CE/ME STA CU
----------------------------------------------------------------------
1 area_2 0 2.4G bgn on 1/20M 28/28 1 10%
1 area_2 1 5G an on 149/20M 29/29 0 15%
0 area_1 0 2.4G bgn on 6/20M 28/28 1 15%
0 area_1 1 5G an on 153/20M 29/29 0 49%
----------------------------------------------------------------------
Total:4


• Radio calibration stops one hour after it is manually triggered. After that, you can
perform either of the following configurations (these steps are not included in the
configuration files):
– (Recommended) Set the radio calibration mode to scheduled. Configure the APs to
perform radio calibration in off-peak hours, for example, between 00:00 am and
06:00 am.
[AC-wlan-view] calibrate enable schedule time 03:00:00

– Manually fix the working channels of APs: disable automatic channel selection and
automatic transmit power selection in the RRM profile. Manually trigger radio
calibration when new APs are added to the network.
[AC-wlan-view] rrm-profile name wlan-net
[AC-wlan-rrm-prof-wlan-net] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-net] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-net] quit
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup

----End

Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
return

• Router configuration file
#
sysname Router
#
vlan batch 200
#
dhcp enable
#
ip pool sta-ip-pool1
 gateway-list 10.23.101.1
 network 10.23.101.0 mask 255.255.255.0
#
ip pool sta-ip-pool2
 gateway-list 10.23.102.1
 network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif200
 ip address 10.23.200.1 255.255.255.0
 dhcp select global
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 200
#
ip route-static 10.23.101.0 255.255.255.0 10.23.200.2
ip route-static 10.23.102.0 255.255.255.0 10.23.200.2
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 102 200
#
vlan pool sta-pool
 vlan 101 to 102
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.200.1
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.200.1
#
interface Vlanif200
 ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain1
 air-scan-profile name wlan-airscan
  scan-period 80
  scan-interval 80000
 rrm-profile name wlan-net
 radio-2g-profile name radio2g
  rrm-profile wlan-net
  air-scan-profile wlan-airscan
 radio-5g-profile name radio5g
  rrm-profile wlan-net
  air-scan-profile wlan-airscan
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   radio-2g-profile radio2g
   vap-profile wlan-vap wlan 1
  radio 1
   radio-5g-profile radio5g
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
 ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
  ap-name area_2
  ap-group ap-group1
#
return
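
Two rules from the Configuration Notes of this example (port isolation on the switch interfaces that face APs, and a management VLAN that is not also a service VLAN in tunnel forwarding mode) can be checked against saved configuration files. The Python script below is an added example, not part of the Huawei guide: the function names are hypothetical, the embedded text is an excerpt of the Switch_A and AC configuration files above with the device's one-space indentation, and treating a port whose PVID is the management VLAN as AP-facing is an assumption taken from this example's topology.

```python
import re

# Excerpts of this example's Switch_A and AC configuration files (device indentation).
SWITCH_A_CFG = """\
interface GigabitEthernet0/0/1
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
"""
AC_CFG = """\
vlan pool sta-pool
 vlan 101 to 102
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
"""


def stanzas(cfg):
    """Yield (header, indented child lines) for each top-level stanza."""
    header, body = None, []
    for raw in cfg.splitlines():
        if raw.strip() in ("", "#"):
            continue
        if raw.startswith(" "):
            body.append(raw)
            continue
        if header is not None:
            yield header, body
        header, body = raw.strip(), []
    if header is not None:
        yield header, body


def expand_vlans(spec):
    """Expand a VLAN list such as '100 to 102 200' into a set of IDs."""
    toks, vlans, i = spec.split(), set(), 0
    while i < len(toks):
        if i + 2 < len(toks) and toks[i + 1] == "to":
            vlans.update(range(int(toks[i]), int(toks[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(toks[i]))
            i += 1
    return vlans


def ap_ports_without_isolation(switch_cfg, mgmt_vlan):
    """AP-facing interfaces lacking 'port-isolate enable'. Assumption: a port
    faces an AP when its PVID is the management VLAN, as in this example."""
    missing = []
    for header, body in stanzas(switch_cfg):
        lines = [line.strip() for line in body]
        faces_ap = f"port trunk pvid vlan {mgmt_vlan}" in lines
        isolated = any(ln.startswith("port-isolate enable") for ln in lines)
        if header.startswith("interface ") and faces_ap and not isolated:
            missing.append(header.split()[1])
    return missing


def tunnel_vlan_conflicts(ac_cfg):
    """Tunnel-mode VAP profiles whose service VLANs include the management VLAN."""
    pools, profiles, mgmt = {}, {}, None
    for header, body in stanzas(ac_cfg):
        if m := re.fullmatch(r"vlan pool (\S+)", header):
            specs = [ln.strip()[5:] for ln in body if ln.strip().startswith("vlan ")]
            pools[m.group(1)] = set().union(*map(expand_vlans, specs))
        elif m := re.fullmatch(r"capwap source interface vlanif\s*(\d+)", header, re.I):
            mgmt = int(m.group(1))  # management VLAN = VLAN of the CAPWAP source VLANIF
        elif header == "wlan":
            current = None
            for ln in body:
                text = ln.strip()
                if len(ln) - len(ln.lstrip()) == 1:   # profile header inside wlan
                    m = re.fullmatch(r"vap-profile name (\S+)", text)
                    current = profiles.setdefault(m.group(1), {}) if m else None
                elif current is not None:             # setting of that VAP profile
                    key, _, value = text.partition(" ")
                    current[key] = value
    conflicts = []
    for name, p in profiles.items():
        kind, _, ref = p.get("service-vlan", "").partition(" ")
        vlans = pools.get(ref, set()) if kind == "vlan-pool" else (
            expand_vlans(ref) if kind == "vlan-id" else set())
        if p.get("forward-mode") == "tunnel" and mgmt in vlans:
            conflicts.append(name)
    return conflicts
```

Both functions return an empty list for the configuration files of this example; a non-empty result names the interface or VAP profile that departs from the Configuration Notes.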

7.19.2 Example for Configuring Static Load Balancing


Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is delivered to and takes
effect on the APs. WLAN profiles can reference one another; therefore, you need to know the
relationships among the profiles before configuring them. For details about the profile
relationships and their basic configuration procedure, see WLAN Service Configuration
Procedure.

Networking Requirements
As shown in Figure 7-12, the AC connects to the upper layer network and manages the APs
through the access and aggregation switches.
AP area_1 and AP area_2 are deployed in the same conference room. The customer requires
that data traffic be balanced on AP radios to prevent one AP radio from being heavily loaded.


Figure 7-12 Networking diagram for configuring static load balancing
[Figure: Internet - Router (GE2/0/0, VLAN 200) - AC (GE0/0/2, VLAN 200; GE0/0/1, VLAN 100) - Switch_A (GE0/0/2, VLAN 100; GE0/0/1 and GE0/0/3, VLAN 100) - AP area_1 and AP area_2, each serving STAs. Management VLAN: VLAN 100. Service VLAN: VLAN pool.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the APs, AC, and upper-layer devices to communicate with each other.
2. Configure the AC as a DHCP server to assign an IP address to the AP from an interface
IP address pool, configure the AC as a DHCP relay agent, and configure the Router
connected to the AC to assign IP addresses to STAs.
3. Configure a VLAN pool for service VLANs.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
5. Configure WLAN service parameters for STAs to access the WLAN.
6. Configure static load balancing to prevent one AP from being heavily loaded.


Table 7-6 Data required for completing the configuration

Item                                      Data
----------------------------------------  --------------------------------------------------
DHCP server                               The AC functions as a DHCP server to assign IP
                                          addresses to the APs, and the Router functions as a
                                          DHCP server to assign IP addresses to the STAs.
IP address pool for the APs               10.23.100.2-10.23.100.254/24
IP address pool for the STAs              10.23.101.2-10.23.101.254/24
                                          10.23.102.2-10.23.102.254/24
VLAN pool                                 • Name: sta-pool
                                          • VLANs in the VLAN pool: VLAN 101 and VLAN 102
IP address of the AC's source interface   VLANIF 100: 10.23.100.1/24
AP group                                  • Name: ap-group1
                                          • Referenced profiles: VAP profile wlan-vap and
                                            regulatory domain profile domain1
Regulatory domain profile                 • Name: domain1
                                          • Country code: CN
SSID profile                              • Name: wlan-ssid
                                          • SSID name: wlan-net
Security profile                          • Name: wlan-security
                                          • Security policy: WPA2+PSK+AES
                                          • Password: a1234567
VAP profile                               • Name: wlan-vap
                                          • Forwarding mode: tunnel forwarding
                                          • Service VLAN: VLANs in the VLAN pool
                                          • Referenced profiles: SSID profile wlan-ssid and
                                            security profile wlan-security
Static load balancing group               • Name: wlan-static
                                          • Start threshold for load balancing: 15
                                          • Load difference threshold for load balancing: 5%

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure Switch_A and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 to GE0/0/3 on Switch_A to VLAN 100 (management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] port-isolate enable
[Switch_A-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects the AC to Switch_A to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


# Configure VLAN 101 (service VLAN), VLAN 102 (service VLAN) and VLANIF 102.
NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
[AC] vlan batch 101 102 200
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] quit
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.2 24
[AC-Vlanif200] quit

# Configure a default route on the AC.


[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.200.1

# Add GE0/0/2 that connects the AC to the Router to VLAN 200.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 10.23.200.1
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] dhcp select relay
[AC-Vlanif102] dhcp relay server-ip 10.23.200.1
[AC-Vlanif102] quit

# Configure the Router as a DHCP server to allocate IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta-ip-pool1
[Router-ip-pool-sta-ip-pool1] gateway-list 10.23.101.1
[Router-ip-pool-sta-ip-pool1] network 10.23.101.0 mask 24
[Router-ip-pool-sta-ip-pool1] quit
[Router] ip pool sta-ip-pool2
[Router-ip-pool-sta-ip-pool2] gateway-list 10.23.102.1
[Router-ip-pool-sta-ip-pool2] network 10.23.102.0 mask 24
[Router-ip-pool-sta-ip-pool2] quit
[Router] vlan batch 200
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.23.200.1 24
[Router-Vlanif200] dhcp select global
[Router-Vlanif200] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 200
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.200.2
[Router] ip route-static 10.23.102.0 24 10.23.200.2

Step 5 Configure a VLAN pool for service VLANs.

# Create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the VLAN
assignment algorithm to hash in the VLAN pool.

NOTE

This example uses hash as the VLAN assignment algorithm, which is also the default. If the default
setting has not been changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can add multiple VLANs
to a VLAN pool. As with VLAN 101 and VLAN 102, you need to create the corresponding VLANIF
interfaces and configure IP addresses and interface address pools.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 6 Configure the APs to go online.

# Create an AP group and add the APs to the AP group.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100


# Import the APs offline on the AC and add the APs to AP group ap-group1. Assume that the
APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640. Configure names for the APs
based on the APs' deployment locations, so that you can know where the APs are deployed
from their names. For example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   5M:2S  -
1    60de-4474-9640 area_2 ap-group1 10.23.100.253 AP5030DN nor   0   5M:4S  -
--------------------------------------------------------------------------------------------------
Total: 2

Step 7 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.

[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLANs, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 8 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 9 Configure static load balancing.

# Create the static load balancing group and set the start threshold for static load balancing to
15 and load difference threshold to 5%.
[AC-wlan-view] sta-load-balance static-group name wlan-static
[AC-wlan-sta-lb-static-wlan-static] start-threshold 15
[AC-wlan-sta-lb-static-wlan-static] gap-threshold 5

# Add AP area_1 and AP area_2 to the static load balancing group.


[AC-wlan-sta-lb-static-wlan-static] member ap-name area_1
[AC-wlan-sta-lb-static-wlan-static] member ap-name area_2
[AC-wlan-sta-lb-static-wlan-static] quit


Step 10 Verify the configuration.


• Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567.
  Run the display station ssid wlan-net command on the AC. The command output
  shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
----------------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  0/1     2.4G 11n  65/38 -29  101  10.23.101.254
b878-2eb4-2689 1     area_2  0/1     2.4G 11n  78/43 -33  102  10.23.102.254
----------------------------------------------------------------------------------------
Total: 2 2.4G: 2 5G: 0

• Run the display sta-load-balance static-group name wlan-static command on the AC
  to check the static load balancing configuration.
[AC-wlan-view] display sta-load-balance static-group name wlan-static
------------------------------------------------------------
Group name : wlan-static
Load-balance status : balance
Start threshold : 15
Gap threshold(%) : 5
Deny threshold : 3
------------------------------------------------------------
RfID: Radio ID
CurEIRP: Current EIRP (dBm)
Act CH: Actual channel, Cfg CH: Config channel
------------------------------------------------------------
AP ID AP Name RfID Act CH/Cfg CH CurEIRP/MaxEIRP Client
------------------------------------------------------------
0 area_1 0 6/- 20/28 1
0 area_1 1 153/- 29/29 0
1 area_2 0 1/- 20/28 1
1 area_2 1 149/- 29/29 0
------------------------------------------------------------
Total: 4

• When a new STA requests to connect to AP area_1, the AC uses a static load balancing
  algorithm to redirect the STA to the AP with a light load based on the configured load
  balancing group.

----End

Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable group 1
#
return

• Router configuration file


#
sysname Router
#
vlan batch 200
#
dhcp enable
#
ip pool sta-ip-pool1
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool sta-ip-pool2
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 10.23.101.0 255.255.255.0 10.23.200.2
ip route-static 10.23.102.0 255.255.255.0 10.23.200.2
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 102 200
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.1
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-pool sta-pool
ssid-profile wlan-ssid
security-profile wlan-security
sta-load-balance static-group name wlan-static
start-threshold 15
gap-threshold 5
member ap-name area_1
member ap-name area_2
regulatory-domain-profile name domain1
rrm-profile wlan-net
radio-2g-profile name radio2g
rrm-profile wlan-net
radio-5g-profile name radio5g
rrm-profile wlan-net
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio2g
vap-profile wlan-vap wlan 1
radio 1
radio-5g-profile radio5g
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
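
Two of the Configuration Notes above (port isolation on the switch interfaces that face APs, and a management VLAN that is not also a service VLAN in tunnel forwarding mode) can be checked against saved configuration files, together with a check that no two imported APs share a MAC address. The Python script below is an added example, not part of the Huawei guide; the sample configurations are constructed and abridged from the files above, and the function names and the AP_PORTS set are assumptions of this example.

```python
import re

# Constructed samples, abridged from the configuration files of this example.
SWITCH_OK = """\
#
interface GigabitEthernet0/0/1
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
return
"""
AC_OK = """\
#
vlan pool sta-pool
 vlan 101 to 102
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
 ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
#
return
"""
# Constructed faulty variants: no isolation on GE0/0/3, VLAN 100 in pool, reused MAC.
SWITCH_BAD = SWITCH_OK.replace(" port-isolate enable group 1\n#\nreturn", "#\nreturn")
AC_BAD = (AC_OK.replace("vlan 101 to 102", "vlan 100 to 102")
          .replace("ap-mac 60de-4474-9640", "ap-mac 60de-4476-e360"))
AP_PORTS = {"GigabitEthernet0/0/1", "GigabitEthernet0/0/3"}  # assumed from the diagram


def sections(cfg):
    """Split a saved configuration into '#'-delimited lists of stripped lines."""
    blocks = re.split(r"(?m)^[ \t]*#[ \t]*$", cfg)
    return [[ln.strip() for ln in b.splitlines() if ln.strip()]
            for b in blocks if b.strip()]


def expand_vlans(spec):
    """Expand '101 to 102' or '101 102' into a set of VLAN IDs."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def unisolated_ap_ports(switch_cfg, ap_ports):
    """Return the AP-facing interfaces that lack 'port-isolate enable'."""
    return [sec[0].split()[1] for sec in sections(switch_cfg)
            if sec[0].startswith("interface ") and sec[0].split()[1] in ap_ports
            and not any(ln.startswith("port-isolate enable") for ln in sec[1:])]


def audit_ac(ac_cfg):
    """Return findings on management/service VLAN overlap and reused AP MACs."""
    pools, mgmt, wlan, findings = {}, None, [], []
    for sec in sections(ac_cfg):
        if m := re.fullmatch(r"vlan pool (\S+)", sec[0]):
            pools[m[1]] = expand_vlans(" ".join(ln[5:] for ln in sec[1:] if ln.startswith("vlan ")))
        elif m := re.fullmatch(r"capwap source interface vlanif\s*(\d+)", sec[0]):
            mgmt = int(m[1])
        elif sec[0] == "wlan":
            wlan = sec[1:]
    vap, profiles, seen = None, {}, {}
    for ln in wlan:
        if m := re.fullmatch(r"vap-profile name (\S+)", ln):
            vap = profiles.setdefault(m[1], {"tunnel": False, "vlans": set()})
        elif m := re.fullmatch(r"ap-id (\d+) .*\bap-mac (\S+).*", ln):
            vap = None
            if seen.setdefault(m[2], m[1]) != m[1]:
                findings.append(f"ap-id {m[1]} reuses MAC {m[2]} of ap-id {seen[m[2]]}")
        elif re.fullmatch(r".+ name \S+", ln):
            vap = None  # another profile or group begins
        elif vap is not None and ln == "forward-mode tunnel":
            vap["tunnel"] = True
        elif vap is not None and (m := re.fullmatch(r"service-vlan vlan-pool (\S+)", ln)):
            vap["vlans"] |= pools.get(m[1], set())
        elif vap is not None and (m := re.fullmatch(r"service-vlan vlan-id (\d+)", ln)):
            vap["vlans"].add(int(m[1]))
    for name, p in profiles.items():
        if p["tunnel"] and mgmt in p["vlans"]:
            findings.append(f"vap-profile {name}: management VLAN {mgmt} is also a service VLAN")
    return findings


if __name__ == "__main__":
    for finding in unisolated_ap_ports(SWITCH_BAD, AP_PORTS) + audit_ac(AC_BAD):
        print(finding)
```

The parser strips indentation before matching, so it also accepts configuration text whose leading spaces were lost when it was copied.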

7.19.3 Example for Configuring Dynamic Load Balancing

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 7-13, the AC connects to the upper layer network and manages the APs
through the access and aggregation switches.

When a large number of STAs access the Internet through the same AP, the AP is heavily
loaded, degrading user experience. The enterprise requires that data traffic be balanced on AP
radios to prevent one AP radio from being heavily loaded.

Figure 7-13 Networking diagram for configuring dynamic load balancing
[Figure: Internet - Router (GE2/0/0, VLAN 200) - AC (GE0/0/2, VLAN 200; GE0/0/1, VLAN 100) - Switch_A (GE0/0/2, VLAN 100; GE0/0/1 and GE0/0/3, VLAN 100) - AP area_1 and AP area_2, each serving STAs. Management VLAN: VLAN 100. Service VLAN: VLAN pool.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the APs, AC, and upper-layer devices to communicate with each other.
2. Configure the AC as a DHCP server to assign an IP address to the AP from an interface
IP address pool, configure the AC as a DHCP relay agent, and configure the Router
connected to the AC to assign IP addresses to STAs.
3. Configure a VLAN pool for service VLANs.
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
5. Configure WLAN service parameters for STAs to access the WLAN.
6. Configure dynamic load balancing to prevent one AP from being heavily loaded.

Table 7-7 Data required for completing the configuration

Item                                      Data
----------------------------------------  --------------------------------------------------
DHCP server                               The AC functions as a DHCP server to assign IP
                                          addresses to the APs, and the Router functions as a
                                          DHCP server to assign IP addresses to the STAs.
IP address pool for the APs               10.23.100.2-10.23.100.254/24
IP address pool for the STAs              10.23.101.2-10.23.101.254/24
                                          10.23.102.2-10.23.102.254/24
VLAN pool                                 • Name: sta-pool
                                          • VLANs in the VLAN pool: VLAN 101 and VLAN 102
IP address of the AC's source interface   VLANIF 100: 10.23.100.1/24
AP group                                  • Name: ap-group1
                                          • Referenced profiles: VAP profile wlan-vap,
                                            regulatory domain profile domain1, 5G radio
                                            profile radio5g, and 2G radio profile radio2g
Regulatory domain profile                 • Name: domain1
                                          • Country code: CN
SSID profile                              • Name: wlan-ssid
                                          • SSID name: wlan-net
Security profile                          • Name: wlan-security
                                          • Security policy: WPA2+PSK+AES
                                          • Password: a1234567
VAP profile                               • Name: wlan-vap
                                          • Forwarding mode: tunnel forwarding
                                          • Service VLAN: VLANs in the VLAN pool
                                          • Referenced profiles: SSID profile wlan-ssid and
                                            security profile wlan-security
5G radio profile                          • Name: radio5g
                                          • Referenced profile: RRM profile loadbalance-dynamic
2G radio profile                          • Name: radio2g
                                          • Referenced profile: RRM profile loadbalance-dynamic
RRM profile                               • Name: loadbalance-dynamic
                                          • Start threshold for dynamic load balancing: 15
                                          • Load difference threshold for dynamic load
                                            balancing: 25%

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode


NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure Switch_A and the AC so that the AP and AC can transmit CAPWAP packets.

# Add GE0/0/1 to GE0/0/3 on Switch_A to VLAN 100 (management VLAN).


<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] port-isolate enable
[Switch_A-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects the AC to Switch_A to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.

# Configure VLAN 101 (service VLAN), VLAN 102 (service VLAN) and VLANIF 102.
NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.
[AC] vlan batch 101 102 200
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] quit
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.2 24
[AC-Vlanif200] quit

# Configure a default route on the AC.


[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.200.1

# Add GE0/0/2 that connects the AC to the Router to VLAN 200.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[AC-GigabitEthernet0/0/2] quit


Step 4 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent and enable user entry detection on the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 10.23.200.1
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] dhcp select relay
[AC-Vlanif102] dhcp relay server-ip 10.23.200.1
[AC-Vlanif102] quit

# Configure the Router as a DHCP server to allocate IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta-ip-pool1
[Router-ip-pool-sta-ip-pool1] gateway-list 10.23.101.1
[Router-ip-pool-sta-ip-pool1] network 10.23.101.0 mask 24
[Router-ip-pool-sta-ip-pool1] quit
[Router] ip pool sta-ip-pool2
[Router-ip-pool-sta-ip-pool2] gateway-list 10.23.102.1
[Router-ip-pool-sta-ip-pool2] network 10.23.102.0 mask 24
[Router-ip-pool-sta-ip-pool2] quit
[Router] vlan batch 200
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.23.200.1 24
[Router-Vlanif200] dhcp select global
[Router-Vlanif200] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 200
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.200.2
[Router] ip route-static 10.23.102.0 24 10.23.200.2

Step 5 Configure a VLAN pool for service VLANs.


# Create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the VLAN
assignment algorithm to hash in the VLAN pool.

NOTE

This example uses hash as the VLAN assignment algorithm. The default VLAN assignment algorithm is hash.
If the default setting has not been changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can add multiple VLANs
to a VLAN pool. As with VLAN 101 and VLAN 102, you need to create the corresponding VLANIF
interfaces and configure IP addresses and interface address pools for each VLAN you add.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 6 Configure the APs to go online.


# Create an AP group and add the APs to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to AP group ap-group1. Assume that the
APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640. Configure names for the APs
based on the APs' deployment locations, so that you can know where the APs are deployed
from their names. For example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   5M:2S  -
1    60de-4474-9640 area_2 ap-group1 10.23.100.253 AP5030DN nor   0   5M:4S  -
--------------------------------------------------------------------------------------------------
Total: 2

Step 7 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLANs, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 8 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 9 Configure dynamic load balancing.


# Create the RRM profile loadbalance-dynamic, enable dynamic load balancing in the profile, and
set the start threshold for dynamic load balancing to 15 and the load difference threshold to 25%.
[AC-wlan-view] rrm-profile name loadbalance-dynamic
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic enable
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic start-threshold 15
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic gap-threshold 25
[AC-wlan-rrm-prof-loadbalance-dynamic] quit

# Create the 2G radio profile radio2g and bind the RRM profile loadbalance-dynamic to the
2G radio profile.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile loadbalance-dynamic
[AC-wlan-radio-2g-prof-radio2g] quit

# Create the 5G radio profile radio5g and bind the RRM profile loadbalance-dynamic to the
5G radio profile.
[AC-wlan-view] radio-5g-profile name radio5g
[AC-wlan-radio-5g-prof-radio5g] rrm-profile loadbalance-dynamic
[AC-wlan-radio-5g-prof-radio5g] quit

# Bind the 5G radio profile radio5g and 2G radio profile radio2g to the AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio5g
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g
[AC-wlan-ap-group-ap-group1] quit

Step 10 Verify the configuration.


• Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567.
  Run the display station ssid wlan-net command on the AC. The command output
  shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
----------------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  0/1     2.4G 11n  65/38 -29  101  10.23.101.254
b878-2eb4-2689 1     area_2  0/1     2.4G 11n  78/43 -33  102  10.23.102.254
----------------------------------------------------------------------------------------
Total: 2 2.4G: 2 5G: 0

• Run the display rrm-profile name loadbalance-dynamic command on the AC to check
  the dynamic load balancing configuration.
[AC-wlan-view] display rrm-profile name loadbalance-dynamic
------------------------------------------------------------
Auto channel select : enable
Auto transmit power select : enable
PER threshold for trigger channel/power select(%) : 60
Airtime fairness schedule : disable
Dynamic adjust EDCA parameter : disable
UAC check client's SNR : disable
UAC client's SNR threshold(dB) : 20
UAC check client number : disable
UAC client number access threshold : 64
UAC client number roam threshold : 64
UAC check channel utilization : disable
UAC channel utilization access threshold : 80
UAC channel utilization roam threshold : 80
UAC hide SSID : disable
Band steer deny threshold : 2
Band balance start threshold : 10
Band balance gap threshold(%) : 20
Client's band expire based on continuous probe counts : 35
Station load balance : enable
Station load balance start threshold : 15
Station load balance gap threshold(%) : 25
Station load balance deny threshold : 3
Smart-roam : disable
Smart-roam check SNR : enable
Smart-roam standing SNR threshold(dB) : 20
Smart-roam SNR quick-kickoff-threshold(dB) : 15
Smart-roam check rate : disable
AMC policy : auto-balance
Smart-roam rate threshold(%) : 20
Smart-roam rate quick-kickoff-threshold(%) : 20
Smart-roam high level SNR margin(dB) : 15
Smart-roam low level SNR margin(dB) : 6
Smart-roam SNR check interval(s) : 3
Smart-roam unable roam client expire time(m) : 120
------------------------------------------------------------

• Run the display station load-balance sta-mac e019-1dc7-1e08 command on the AC to
  check AP radios participating in dynamic load balancing.
[AC-wlan-view] display station load-balance sta-mac e019-1dc7-1e08
Station load balance status: balance
------------------------------------------------------------------------------
AP name Radio ID
------------------------------------------------------------------------------
area_1 1
area_1 0
area_2 1
area_2 0
------------------------------------------------------------------------------
Total: 2

• When a new STA requests to connect to AP area_1, the AC uses a dynamic load
  balancing algorithm to redirect the STA to the AP with a light load according to the
  information reported by APs.

----End

Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
return

• Router configuration file
#
sysname Router
#
vlan batch 200
#
dhcp enable
#
ip pool sta-ip-pool1
 gateway-list 10.23.101.1
 network 10.23.101.0 mask 255.255.255.0
#
ip pool sta-ip-pool2
 gateway-list 10.23.102.1
 network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif200
 ip address 10.23.200.1 255.255.255.0
 dhcp select global
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 200
#
ip route-static 10.23.101.0 255.255.255.0 10.23.200.2
ip route-static 10.23.102.0 255.255.255.0 10.23.200.2
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 102 200
#
vlan pool sta-pool
 vlan 101 to 102
#
dhcp enable
#
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.200.1
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.200.1
#
interface Vlanif200
 ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain1
 rrm-profile name loadbalance-dynamic
  sta-load-balance dynamic enable
  sta-load-balance dynamic start-threshold 15
  sta-load-balance dynamic gap-threshold 25
 radio-2g-profile name radio2g
  rrm-profile loadbalance-dynamic
 radio-5g-profile name radio5g
  rrm-profile loadbalance-dynamic
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   radio-2g-profile radio2g
   vap-profile wlan-vap wlan 1
  radio 1
   radio-5g-profile radio5g
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
 ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
  ap-name area_2
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return

7.19.4 Example for Configuring Band Steering


Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 7-14, 2.4 GHz and 5 GHz wireless networks are deployed in the
conference hall. An AP works on dual frequency bands and directly connects to an AC. STAs
connected to the AP support both 2.4 GHz and 5 GHz frequency bands.
To improve user experience and reduce burden on the 2.4 GHz frequency band, the customer
requires that STAs preferentially connect to the 5 GHz frequency band.

Figure 7-14 Networking diagram for configuring band steering

[Figure not reproduced. Labels in the diagram: Internet; AC (GE0/0/2, VLAN 101; GE0/0/1, VLAN 100);
SwitchA (GE0/0/2, VLAN 100; GE0/0/1, VLAN 100); AP; two STAs. Management VLAN: VLAN 100.
Service VLAN: VLAN 101.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, switch, and upper-layer devices to communicate at Layer 2.
2. Configure the AC as a DHCP server to assign IP addresses to the STAs and AP.
3. Configure the AP to go online.
a. Create an AP group for unified configuration. The APs that require the same
configuration can be added to the group.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the AP.
c. Configure the AP authentication mode and import the AP offline so that the AP can
go online properly.
4. Configure WLAN service parameters for STAs to access the WLAN.
5. Configure the band steering function and proper band steering parameters so that STAs
can preferentially access the 5 GHz frequency band.

Table 7-8 Data required for completing the configuration

Item                            Data
DHCP server                     The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP      10.23.100.2-10.23.100.254/24
IP address pool for the STAs    10.23.101.2-10.23.101.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        • Name: ap-group1
                                • Referenced profiles: VAP profile wlan-vap, regulatory domain profile
                                  domain1, and 2G radio profile radio2g
Regulatory domain profile       • Name: domain1
                                • Country code: CN
SSID profile                    • Name: wlan-ssid
                                • SSID name: wlan-net
Security profile                • Name: wlan-security
                                • Security policy: WPA2+PSK+AES
                                • Password: a1234567
VAP profile                     • Name: wlan-vap
                                • Forwarding mode: tunnel forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-ssid and security profile
                                  wlan-security
2G radio profile                • Name: radio2g
                                • Referenced profile: RRM profile band-steer
RRM profile                     Name: band-steer

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
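
The port isolation and management/service VLAN rules in the notes above can be checked mechanically against saved configuration files. The Python below is an added example, not part of the Huawei guide: the sample configurations are constructed and abridged, lab-vap and lab-pool are hypothetical names, and treating an interface whose PVID is the management VLAN as AP-facing is an assumption drawn from this guide's examples.

```python
import re

# Constructed, abridged samples modelled on this guide's configuration files.
# lab-vap and lab-pool are hypothetical and break the tunnel-forwarding rule.
AC_CFG = """\
vlan pool lab-pool
 vlan 99 to 100
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
 vap-profile name lab-vap
  forward-mode tunnel
  service-vlan vlan-pool lab-pool
"""
SWITCH_CFG = """\
interface GigabitEthernet0/0/1
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
"""

def sections(cfg):
    """Split a configuration into (header, indented child lines) blocks."""
    blocks = []
    for line in cfg.splitlines():
        if line.strip() in ("", "#"):
            continue  # blank lines and '#' only separate blocks
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks

def expand_vlans(spec):
    """Expand a VLAN list such as '101 to 102 200' into a set of VLAN IDs."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def management_vlan(ac_cfg):
    """The VLANIF used as CAPWAP source interface carries the management VLAN."""
    m = re.search(r"^capwap source interface vlanif\s*(\d+)", ac_cfg, re.I | re.M)
    return int(m.group(1)) if m else None

def vlan_pools(ac_cfg):
    """Map each 'vlan pool NAME' block to the set of VLAN IDs it contains."""
    pools = {}
    for header, body in sections(ac_cfg):
        if (m := re.fullmatch(r"vlan pool (\S+)", header)):
            members = [l.strip()[5:] for l in body if l.strip().startswith("vlan ")]
            pools[m.group(1)] = expand_vlans(" ".join(members))
    return pools

def vap_profiles(ac_cfg):
    """Collect forward mode and service VLANs of each VAP profile under 'wlan'."""
    profiles, pools, name = {}, vlan_pools(ac_cfg), None
    body = next((b for h, b in sections(ac_cfg) if h == "wlan"), [])
    for line in body:
        indent, text = len(line) - len(line.lstrip()), line.strip()
        if indent == 1:  # a new profile, AP group or AP entry starts here
            m = re.fullmatch(r"vap-profile name (\S+)", text)
            name = m.group(1) if m else None
            if name:
                profiles[name] = {"forward": None, "vlans": set()}
        elif name and (m := re.fullmatch(r"forward-mode (\S+)", text)):
            profiles[name]["forward"] = m.group(1)
        elif name and (m := re.fullmatch(r"service-vlan vlan-id (\d+)", text)):
            profiles[name]["vlans"] = {int(m.group(1))}
        elif name and (m := re.fullmatch(r"service-vlan vlan-pool (\S+)", text)):
            profiles[name]["vlans"] = set(pools.get(m.group(1), ()))
    return profiles

def audit_ac(ac_cfg):
    """Return (profile, vlan) for tunnel VAPs whose service VLAN is the management VLAN."""
    mgmt = management_vlan(ac_cfg)
    return [(n, mgmt) for n, p in vap_profiles(ac_cfg).items()
            if p["forward"] == "tunnel" and mgmt in p["vlans"]]

def audit_switch(sw_cfg, mgmt_vlan):
    """Return AP-facing interfaces (PVID = management VLAN) lacking port isolation."""
    findings = []
    for header, body in sections(sw_cfg):
        lines = [l.strip() for l in body]
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in lines
        if header.startswith("interface ") and ap_facing and not any(
                l.startswith("port-isolate enable") for l in lines):
            findings.append(header.split()[1])
    return findings
```

In the sample, GigabitEthernet0/0/1 mirrors the AP-facing interface as configured in Step 2 of this example, which has no port-isolate enable line, so audit_switch reports it; lab-vap is reported by audit_ac because its pool range 99 to 100 includes the management VLAN.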

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.

NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure the band steering function.


# Enable the band steering function in the VAP profile wlan-vap. By default, the band
steering function is enabled.
NOTE

When band steering is enabled on one radio of an AP, the function takes effect on the SSID of the AP. If
different VAP profiles are applied to two radios of the AP, you only need to enable the band steering function
in the VAP profile of one radio.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] undo band-steer disable
[AC-wlan-vap-prof-wlan-vap] quit

# Create the RRM profile band-steer and configure load balancing between radios in the
profile to prevent heavy load on a single radio. The start threshold for load balancing between
radios is 15, and the load difference threshold is 25%.
[AC-wlan-view] rrm-profile name band-steer
[AC-wlan-rrm-prof-band-steer] band-steer balance start-threshold 15
[AC-wlan-rrm-prof-band-steer] band-steer balance gap-threshold 25
[AC-wlan-rrm-prof-band-steer] quit

# Create the 2G radio profile radio2g and bind the RRM profile band-steer to the 2G radio
profile.
NOTE

If different RRM profiles are bound to the 2G and 5G radio profiles and configured with different band
steering parameters, parameters in the 2G radio profile preferentially take effect.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile band-steer
[AC-wlan-radio-2g-prof-radio2g] quit

# Bind the 2G radio profile radio2g to the AP group ap-group1.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g
[AC-wlan-ap-group-ap-group1] quit

Step 8 Verify the configuration.


• Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567.
  Run the display station ssid wlan-net command on the AC. The command output
  shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

• Run the display vap-profile name wlan-vap command on the AC. The command
  output shows that the band steering function is enabled in the VAP profile.
[AC-wlan-view] display vap-profile name wlan-vap
--------------------------------------------------------------------------------
Service enable : enable
Type : service
Forward mode : tunnel
mDNS centralized-control : disable
Offline management : disable
Service VLAN ID : 101
Service VLAN Pool : -
Auto off service switch : disable
Auto off starttime : -
Auto off endtime : -
STA access mode : disable
STA blacklist profile :
STA whitelist profile :
VLAN mobility group : 1
Band steer : enable
Learn client address : enable
Learn client DHCP strict : disable
Learn client DHCP blacklist : disable
IP source check : disable
ARP anti-attack check : disable
DHCP option82 insert : disable
DHCP option82 format : Insert AP-MAC
DHCP trust port : disable
SSID profile : wlan-ssid
Security profile : wlan-security
Traffic profile : default
Authentication profile :
--------------------------------------------------------------------------------

l Run the display rrm-profile name band-steer command on the AC to check the band
steering configuration.
[AC-wlan-view] display rrm-profile name band-steer
------------------------------------------------------------
Auto channel select : enable
Auto transmit power select : enable
PER threshold for trigger channel/power select(%) : 60
Airtime fairness schedule : disable
Dynamic adjust EDCA parameter : enable
UAC check client's SNR : disable
UAC client's SNR threshold(dB) : 20
UAC check client number : disable
UAC client number access threshold : 64
UAC client number roam threshold : 64
UAC check channel utilization : disable
UAC channel utilization access threshold : 80
UAC channel utilization roam threshold : 80
UAC hide SSID : disable
Band steer deny threshold : 2
Band balance start threshold : 15
Band balance gap threshold(%) : 25
Client's band expire based on continuous probe counts : 35
Station load balance : disable
Station load balance start threshold : 10
Station load balance gap threshold(%) : 20
Station load balance deny threshold : 6
Smart-roam : disable
Smart-roam check SNR : enable
Smart-roam standing SNR threshold(dB) : 20
Smart-roam SNR quick-kickoff-threshold(dB) : 15
Smart-roam check rate : disable
AMC policy : auto-balance
Smart-roam rate threshold(%) : 20
Smart-roam rate quick-kickoff-threshold(%) : 20
Smart-roam high level SNR margin(dB) : 15
Smart-roam low level SNR margin(dB) : 6
Smart-roam SNR check interval(s) : 3
Smart-roam unable roam client expire time(m) : 120
------------------------------------------------------------

l In the conference hall, most STAs connect to the 5 GHz frequency band, and users enjoy
good service experience.
----End

Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
rrm-profile name band-steer
band-steer balance start-threshold 15
band-steer balance gap-threshold 25
radio-2g-profile name radio2g
rrm-profile band-steer
ap whitelist mac 60de-4476-e360 auto
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio2g
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

7.19.5 Example for Configuring Smart Roaming


Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is delivered to and takes
effect on the APs. WLAN profiles can reference one another; therefore, you need to know the
relationships among the profiles before configuring them. For details about the profile
relationships and their basic configuration procedure, see WLAN Service Configuration
Procedure.

Networking Requirements
Usually, a large number of APs are deployed on the stadium stand. The APs in Figure 7-15
connect to the AC through Switch_A to provide wireless services for users.
To ensure optimal user experience, the IT Dept of the stadium requires that users associate
with the nearest APs when moving on the stadium stand.

Figure 7-15 Networking diagram for configuring smart roaming
[Figure: from top to bottom, Internet, Router, AC, Switch_A, APs area_1 and area_2, and STAs. Link labels: GE2/0/0 and GE0/0/2 (VLAN 200); GE0/0/1, GE0/0/2, and GE0/0/3 (VLAN 100). Management VLAN: VLAN 100. Service VLAN: VLAN pool.]

Data Planning

Table 7-9 AC data planning

Item              Data
RRM profile       l Name: wlan-rrm
                  l Smart roaming threshold type: SNR-based
                  l SNR threshold for smart roaming: 15
2G radio profile  l Name: wlan-radio2g
                  l Referenced profile: RRM profile wlan-rrm
5G radio profile  l Name: wlan-radio5g
                  l Referenced profile: RRM profile wlan-rrm

Configuration Roadmap
Configure smart roaming and proper smart roaming parameters to forcibly disconnect weak-
signal users (especially sticky terminals) so that the users can reconnect or roam to APs with
strong signals.

NOTE

Some terminals on live networks have low roaming aggressiveness. As a result, they stick to the initially
connected APs regardless of whether they move far from the APs, and have weak signals or low rates. The
terminals fail to roam to neighbor APs with better signals. They are called sticky terminals.

Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Check the basic configuration of the WLAN.

Check Item                                         Command                            Data
Check the AP group to which an AP belongs.         display ap all                     AP group: ap-group1
Check all profiles referenced by the AP group.     display ap-group name ap-group1    VAP profile: wlan-net
Check all profiles referenced by the VAP profile.  display vap-profile name wlan-net  SSID profile: wlan-net

Step 3 Configure smart roaming.


# Create the RRM profile wlan-rrm, enable smart roaming in the RRM profile, set the roaming
trigger mode to SNR-based, and set the roaming threshold to 15 dB.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] wlan
[AC-wlan-view] rrm-profile name wlan-rrm
[AC-wlan-rrm-prof-wlan-rrm] undo smart-roam disable
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold check-snr
[AC-wlan-rrm-prof-wlan-rrm] smart-roam roam-threshold snr 15
[AC-wlan-rrm-prof-wlan-rrm] quit

# Create the 2G radio profile wlan-radio2g and bind the RRM profile wlan-rrm to the 2G
radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile wlan-rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create the 5G radio profile wlan-radio5g and bind the RRM profile wlan-rrm to the 5G
radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio5g
[AC-wlan-radio-5g-prof-wlan-radio5g] rrm-profile wlan-rrm
[AC-wlan-radio-5g-prof-wlan-radio5g] quit

# Bind the 5G radio profile wlan-radio5g and 2G radio profile wlan-radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio5g radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
[AC-wlan-ap-group-ap-group1] quit

Step 4 Verify the configuration.


# Run the display rrm-profile name wlan-rrm command on the AC to check the smart
roaming configuration.
[AC-wlan-view] display rrm-profile name wlan-rrm
------------------------------------------------------------
...
Smart-roam : enable
Smart-roam check SNR : enable
Smart-roam standing SNR threshold(dB) : 15
Smart-roam SNR quick-kickoff-threshold(dB) : 0
Smart-roam check rate : disable
Smart-roam rate threshold(%) : 20
Smart-roam rate quick-kickoff-threshold(%) : 0
Smart-roam high level SNR margin(dB) : 15
Smart-roam low level SNR margin(dB) : 6
Smart-roam SNR check interval(s) : 3
Smart-roam unable roam client expire time(m) : 120
...
------------------------------------------------------------

# When a large number of users in the stadium access the WLAN, they can still enjoy good
Internet experience.

----End

Configuration Files
l AC configuration file
#
sysname AC
#
wlan
rrm-profile name wlan-rrm
smart-roam roam-threshold check-snr
smart-roam roam-threshold snr 15
radio-2g-profile name wlan-radio2g
rrm-profile wlan-rrm
radio-5g-profile name wlan-radio5g
rrm-profile wlan-rrm
ap-group name ap-group1
radio 0
radio-2g-profile wlan-radio2g
vap-profile wlan-net wlan 1
radio 1
radio-5g-profile wlan-radio5g
vap-profile wlan-net wlan 1
#
return
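
Because WLAN profiles reference one another by name, a saved AC configuration can be checked offline for bindings that point at profiles that were never created, and for profiles that were created but never bound. The following Python check is an added example, not part of Huawei's guide; the function name check_profile_references, the BUILTIN_NAMES assumption, and the sample configuration are constructed for illustration.

```python
import re

# Assumption: only the built-in profile named "default" exists without being created.
BUILTIN_NAMES = {"default"}

# "<kind>-profile name <x>" or "ap-group name <x>" creates an object;
# the same keyword followed directly by a name references an existing one.
_DEFINE = re.compile(r"^(\S+-profile|ap-group)\s+name\s+(\S+)")
_REFER = re.compile(r"^(\S+-profile|ap-group)\s+(\S+)")

# Constructed sample: the 2G radio profile is created as "radio2g"
# but the AP group binds "wlan-radio2g". The pass phrase is a placeholder.
SAMPLE_CONFIG = """\
#
sysname AC
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase EXAMPLE-PLACEHOLDER aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  ssid-profile wlan-ssid
  security-profile wlan-security
 rrm-profile name wlan-rrm
  smart-roam roam-threshold check-snr
  smart-roam roam-threshold snr 15
 radio-2g-profile name radio2g
  rrm-profile wlan-rrm
 radio-5g-profile name wlan-radio5g
  rrm-profile wlan-rrm
 ap-group name ap-group1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-vap wlan 1
  radio 1
   radio-5g-profile wlan-radio5g
   vap-profile wlan-vap wlan 1
 ap-id 0 ap-mac 60de-4476-e360
  ap-group ap-group1
#
return
"""


def check_profile_references(config_text):
    """Return {'undefined': [(line_no, kind, name)], 'unused': [(kind, name)]}."""
    defined, referenced, refs = set(), set(), []
    in_wlan = False
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line == "#":          # "#" closes the current configuration view
            in_wlan = False
        elif line == "wlan":     # only the WLAN view holds profile objects
            in_wlan = True
        elif in_wlan:
            m = _DEFINE.match(line)
            if m:
                defined.add(m.groups())
                continue
            m = _REFER.match(line)
            if m:
                refs.append((line_no,) + m.groups())
                referenced.add(m.groups())
    # A reference is undefined when no matching (kind, name) was created.
    undefined = [r for r in refs
                 if r[1:] not in defined and r[2] not in BUILTIN_NAMES]
    # A definition is unused when nothing in the WLAN view binds it.
    unused = sorted(defined - referenced)
    return {"undefined": undefined, "unused": unused}


if __name__ == "__main__":
    result = check_profile_references(SAMPLE_CONFIG)
    for line_no, kind, name in result["undefined"]:
        print(f"line {line_no}: {kind} {name} is referenced but never created")
    for kind, name in result["unused"]:
        print(f"{kind} {name} is created but never bound")
```

A configuration excerpt that omits some profile definitions will report those references as undefined, so run the check against the full saved configuration.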

Related Topics
l 5.14.2 Example for Configuring WLAN Services on a Medium-Scale Network

7.19.6 Example for Configuring User Connection Access Control (CAC)

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 7-16, a wireless network is deployed in the conference hall. The AC
connects to the upper-layer network.
To improve Internet experience of wireless users and prevent fierce competition for wireless
channels among too many access users, the customer requires that the number of access users
be controlled on each AP.

Figure 7-16 Networking diagram for configuring user CAC
[Figure: Internet - AC (GE0/0/2, VLAN 101; GE0/0/1, VLAN 100) - SwitchA (GE0/0/2 and GE0/0/1, VLAN 100) - AP - STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, switch, and upper-layer devices to communicate at Layer 2.
2. Configure the AC as a DHCP server to assign IP addresses to the APs and STAs.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
5. Configure user CAC and adjust CAC parameters to control the number of access users
on each AP.

Table 7-10 Data required for completing the configuration

Item                                     Data
DHCP server                              The AC functions as a DHCP server to assign IP addresses to the APs and STAs.
IP address pool for the APs              10.23.100.2-10.23.100.254/24
IP address pool for the STAs             10.23.101.2-10.23.101.254/24
IP address of the AC's source interface  VLANIF 100: 10.23.100.1/24
AP group                                 l Name: ap-group1
                                         l Referenced profiles: VAP profile wlan-vap, regulatory domain profile
                                           domain1, and 2G radio profile radio2g
Regulatory domain profile                l Name: domain1
                                         l Country code: CN
SSID profile                             l Name: wlan-ssid
                                         l SSID name: wlan-net
Security profile                         l Name: wlan-security
                                         l Security policy: WPA2+PSK+AES
                                         l Password: a1234567
VAP profile                              l Name: wlan-vap
                                         l Forwarding mode: tunnel forwarding
                                         l Service VLAN: VLAN 101
                                         l Referenced profiles: SSID profile wlan-ssid and security profile
                                           wlan-security
2G radio profile                         l Name: radio2g
                                         l Referenced profile: RRM profile user-cac
RRM profile                              l Name: user-cac
                                         l User CAC based on the number of users
                                           – CAC threshold for new STAs: 32
                                           – CAC threshold for roaming STAs: 32
                                         l RSSI threshold for rejecting access from weak-signal STAs: 25 dB

Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.

# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.

# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
---------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime  ExtraInfo
---------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    10S     -
---------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Configure user CAC.

# In the RRM profile user-cac, enable user CAC based on the number of users and set the
CAC thresholds for new STAs and roaming STAs to 32; enable the function of rejecting
access from weak-signal STAs and set the RSSI threshold to 25 dB; enable the APs to
automatically hide SSIDs when the user count reaches the CAC threshold.
[AC-wlan-view] rrm-profile name user-cac
[AC-wlan-rrm-prof-user-cac] uac client-number enable
[AC-wlan-rrm-prof-user-cac] uac client-number threshold access 32 roam 32
[AC-wlan-rrm-prof-user-cac] uac client-snr enable
[AC-wlan-rrm-prof-user-cac] uac client-snr threshold 25
[AC-wlan-rrm-prof-user-cac] uac reach-access-threshold hide-ssid
[AC-wlan-rrm-prof-user-cac] quit

# Create the 2G radio profile radio2g and bind the RRM profile user-cac to the 2G radio
profile.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile user-cac
[AC-wlan-radio-2g-prof-radio2g] quit

# Bind the 2G radio profile radio2g to the AP group ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g
[AC-wlan-ap-group-ap-group1] quit

Step 9 Verify the configuration.


l Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567.
Run the display station ssid wlan-net command on the AC. The command output
shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC         AP ID Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08  0     area_1   0/1      2.4G  11n   65/38  -29   101   10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

l Run the display rrm-profile name user-cac command on the AC to check the user
CAC configuration.
[AC-wlan-view] display rrm-profile name user-cac
------------------------------------------------------------
Auto channel select : enable
Auto transmit power select : enable
PER threshold for trigger channel/power select(%) : 60
Airtime fairness schedule : disable
Dynamic adjust EDCA parameter : enable
UAC check client's SNR : enable
UAC client's SNR threshold(dB) : 25
UAC check client number : enable
UAC client number access threshold : 32
UAC client number roam threshold : 32
UAC check channel utilization : disable
UAC channel utilization access threshold : 80
UAC channel utilization roam threshold : 80
UAC hide SSID : enable
Band steer deny threshold : 2
Band balance start threshold : 15
Band balance gap threshold(%) : 25
Client's band expire based on continuous probe counts : 35
Station load balance : disable
Station load balance start threshold : 10
Station load balance gap threshold(%) : 20
Station load balance deny threshold : 6
Smart-roam : disable
Smart-roam check SNR : enable
Smart-roam standing SNR threshold(dB) : 20
Smart-roam SNR quick-kickoff-threshold(dB) : 15
Smart-roam check rate : disable
AMC policy : auto-balance
Smart-roam rate threshold(%) : 20
Smart-roam rate quick-kickoff-threshold(%) : 20
Smart-roam high level SNR margin(dB) : 15
Smart-roam low level SNR margin(dB) : 6
Smart-roam SNR check interval(s) : 3
Smart-roam unable roam client expire time(m) : 120
------------------------------------------------------------

l When the number of users connected to an AP reaches 32 in the conference hall, new
users and roaming users cannot find the SSID wlan-net on their terminals.

----End
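
The verification steps for smart roaming (7.19.5) and user CAC (7.19.6) both compare display rrm-profile output with the planned values by eye; the same comparison can be scripted so that drift from the data plan is reported field by field. This Python check is an added example, not part of Huawei's guide: the function names and the sample output are constructed, and the plans use the field names shown in the display output on this page with the values from Table 7-9 and Table 7-10.

```python
import re

# Planned values from Table 7-9 (smart roaming) and Table 7-10 (user CAC).
# Keys are field names as printed by "display rrm-profile" in this guide.
SMART_ROAM_PLAN = {
    "Smart-roam": "enable",
    "Smart-roam check SNR": "enable",
    "Smart-roam standing SNR threshold(dB)": "15",
}
USER_CAC_PLAN = {
    "UAC check client number": "enable",
    "UAC client number access threshold": "32",
    "UAC client number roam threshold": "32",
    "UAC check client's SNR": "enable",
    "UAC client's SNR threshold(dB)": "25",
    "UAC hide SSID": "enable",
}

# One "Field name : value" pair per line; the padding before ":" varies.
_FIELD = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")

# Constructed sample output in which three CAC settings have drifted from the plan.
SAMPLE_OUTPUT = """\
[AC-wlan-view] display rrm-profile name user-cac
------------------------------------------------------------
UAC check client's SNR                          : enable
UAC client's SNR threshold(dB)                  : 20
UAC check client number                         : enable
UAC client number access threshold              : 32
UAC client number roam threshold                : 64
UAC hide SSID                                   : disable
Smart-roam                                      : disable
------------------------------------------------------------
"""


def _norm(key):
    """Collapse whitespace and case so padded output matches plan keys."""
    return " ".join(key.split()).lower()


def parse_display(output):
    """Parse 'display rrm-profile' text into {normalized field: value}."""
    fields = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-", "."}:
            continue  # skip separator rows and "..." elisions
        m = _FIELD.match(line)
        if m:         # prompt lines carry no ":" and are ignored
            fields[_norm(m.group("key"))] = m.group("value").strip()
    return fields


def audit(output, plan):
    """Return [(field, expected, actual)] for every planned field that differs.

    actual is None when the field is missing from the output.
    """
    fields = parse_display(output)
    deviations = []
    for key, expected in plan.items():
        actual = fields.get(_norm(key))
        if actual != expected:
            deviations.append((key, expected, actual))
    return deviations


if __name__ == "__main__":
    for field, expected, actual in audit(SAMPLE_OUTPUT, USER_CAC_PLAN):
        print(f"{field}: expected {expected}, found {actual}")
```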

Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

l Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
rrm-profile name user-cac
uac client-snr enable
uac client-snr threshold 25
uac client-number enable
uac client-number threshold access 32 roam 32
uac reach-access-threshold hide-ssid
radio-2g-profile name radio2g
rrm-profile user-cac
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio2g
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return

7.20 FAQ About Radio Resource Management


7.20.1 Where Are Interference Sources in WLAN and How Is the
Interference Strength?
Two frequency bands are available on WLANs: 2.4 GHz and 5 GHz.
The 2.4 GHz frequency band is the Industrial, Scientific, and Medical (ISM) open frequency
band. Interference sources in the 2.4 GHz frequency band include cordless phones, baby
monitors, microwave ovens, wireless cameras, Bluetooth devices, infrared sensors, and
fluorescent light ballasts.
The 5 GHz frequency band has fewer interference sources than the 2.4 GHz frequency band,
but more devices are beginning to use it, such as cordless phones, radars, wireless sensors,
and digital satellites.
In most cases, microwave ovens work in the range from 2.4 GHz to 2.5 GHz, which overlaps
the 2.4 GHz frequency band used by WLAN devices. In addition, the power of microwave
ovens ranges between 800 W and 2000 W, which is much higher than the transmit power of
APs and STAs. Even when interference shielding is in place, microwave ovens still cause
severe interference to WLAN devices. Microwave ovens greatly reduce the throughput of
WLAN devices that are within 8 meters of them.
The power of cordless phones is about 3 W, which is higher than the AP's transmit power.
According to test analysis of the interference caused by cordless phones on WLAN devices,
interference increases significantly when the distance between cordless phones and APs (or
STAs) is within 1 meter. When the distance is shorter than 0.5 meter, WLAN devices even go
offline and the cordless phone voice is not clear. Therefore, you are advised to deploy
cordless phones more than 2 meters away from APs or STAs.
The transmit power of wireless cameras ranges from 500 mW to 1000 mW. In indoor
scenarios, wireless cameras may affect the WLAN but cause less interference than
microwave ovens and cordless phones. Therefore, you are advised to deploy wireless cameras
far away from WLAN devices during WLAN planning.
Bluetooth devices use the frequency hopping spread spectrum (FHSS) technology and 1 MHz
channel bandwidth. If a Bluetooth device is sending data in a frequency range that overlaps
a WLAN channel being monitored by a WLAN device, the WLAN device selects a random
backoff period. During this period, the Bluetooth device hops to a non-overlapping channel,
allowing the WLAN device to send data. Therefore, Bluetooth devices cause little
interference to WLAN devices. This interference can be ignored during WLAN planning.

7.20.2 What Are the Requirements for a Radio to Join a Load
Balancing Group?
The capabilities of an AP are limited. If a hotspot area contains a large number of STAs,
multiple APs are deployed in the area to meet the requirements of the STAs. In this case,
some APs may be connected to many STAs whereas other APs are connected to only a few. Load
balancing solves this problem: AP radios in a hotspot area are added to a group, and when
load in the group is unbalanced, STAs are automatically associated with lightly loaded AP
radios rather than heavily loaded ones.
The requirements for a radio to join a load balancing group are as follows:
● A radio can join only one load balancing group.
● A new radio must be of the same type as the other radios in the load balancing group.
– Radios in a hotspot area must be of the same type. Otherwise, load balancing cannot
be achieved.
– The radio type of a load balancing group is determined by the type of the first radio
added.
● The channel of a new radio must be different from the channels of the other radios in the
load balancing group.
– If the channel of a new radio is the same as the channel of another radio in the load
balancing group, radio signal collision occurs. To minimize collisions, APs in a
hotspot area must be configured with different channels.
– To detect channel collision, check the configured channel and actual channel of the
radio.
● The load balancing group must still have capacity for more radios.
– In a load balancing group, radios must be configured with different channels and must
all be of the same type. In addition, radios of a given type support only a limited,
fixed set of channels. Therefore, the number of radios in a load balancing group is
limited.

7.21 References for Radio Resource Management


The following table lists the references for radio resource management.

Table 7-11 References for radio resource management


Document        Description
IEEE 802.11k    Standards for channel selection, roaming services, and transmit power control


8 Spectrum Analysis

8.1 Overview of Spectrum Analysis


Definition
In spectrum analysis, the WLAN device detects different types of interference sources on
wireless networks, and the spectrum analysis server analyzes the characteristics of the
collected wireless signals to identify and locate non-Wi-Fi devices, so that the impact of
interference on WLANs can be eliminated.

Purpose
802.11 wireless technology has been widely used on home networks, SOHOs, and enterprise
networks. Users can easily access the Internet over WLANs. The 802.11 wireless technology
uses public spectrum resources which are also used by Bluetooth devices, cordless phones,
and many other wireless devices. Therefore, severe wireless signal conflict and interference
occur on wireless networks, resulting in poor user experience.

Spectrum analysis allows WLAN devices to identify and display interference sources,
helping users locate them, eliminate the interference, and improve user experience.

8.2 Understanding Spectrum Analysis


Network Architecture
As shown in Figure 8-1, the network architecture of spectrum analysis contains the spectrum
sampling engine, spectrum analyzer, and interference visualization module.
● Spectrum sampling engine: collects the spectrum information on a wireless network and
sends it to a spectrum analyzer.
● Spectrum analyzer: analyzes spectrum data, identifies interference source types, and
sends the report on interference devices to the interference visualization module.
● Interference visualization module: displays interference source information in graphs,
including realtime spectrum graphs.


Figure 8-1 Spectrum analysis network architecture


(Figure labels: interference sources; spectrum sampling engine; spectrum server; interference
visualization module; network; AP; AC; eSight)

Principles
Spectrum analysis is implemented as follows:
1. The AP functions as the spectrum sampling engine to scan and sample the spectrum.
a. The AP periodically scans the wireless environment.
b. The AP obtains raw spectrum sample data from channel scanning. Each spectrum data
sample contains a group of subcarriers used for interference identification.
2. As a spectrum analyzer, the spectrum analysis module of the AP computes the sample
data based on a certain algorithm to identify the non-Wi-Fi devices.
A common algorithm includes pulse signal extraction, pulse signal combining, pulse
clustering, extraction of time signature, extraction of frequency characteristics, period
calculation, and duty cycle calculation.
After the AP computes the characteristics, it can compare one or more characteristics
with the interference source feature database to identify non-Wi-Fi devices.
Currently, the AC can identify baby monitors, Bluetooth devices, digital cordless phones
(at 2.4 GHz frequency band only), wireless audio transmitters, wireless game controllers,
and microwave ovens. Due to differences of individual devices, some of these non-Wi-Fi
devices may not be identified.
The AP records the identified devices into the non-Wi-Fi device list, which you can
query through command lines or on the web platform. If the type of an identified device
is not in the non-Wi-Fi device list, the AP reports an alarm. If the type of the identified
device is already in the list, the AP does not report an alarm. If the device ages, is
manually deleted, or is removed from the detected range, the AP reports a clear alarm.
3. The AP reports the data to the spectrum drawing server for interference visualization.
The AP can report the data to the spectrum drawing server directly or through the AC.
Currently, Huawei only supports the eSight as the spectrum drawing server.

Spectrum Graphs of Non-Wi-Fi Devices


The AP reports the spectrum data to the spectrum drawing server, which then displays the data
in graphs. From the spectrum graphs, users can learn the channels, interference strength, and
types of interference sources in the wireless environment.
The spectrum density shows the frequencies at which interference sources are distributed.
The signal strength is differentiated by colors. The following paragraphs describe spectrum
graphs of typical non-Wi-Fi devices. When analyzing the spectrum graphs, users can identify
the interference source types based on the spectrum characteristics.
Typical non-Wi-Fi devices are classified into frequency-hopping devices and fixed-frequency
devices.
● Frequency-hopping devices
The frequency of frequency-hopping devices changes over time. Typical frequency-hopping
devices include cordless phones, Bluetooth devices, and game controllers. A Bluetooth
device is used as an example here. Figure 8-2 shows its spectrum graph (the horizontal
axis indicates time whereas the vertical axis indicates frequency). Red squares indicate
signals of the Bluetooth device. The Bluetooth device works at the 2465 MHz frequency
point during the time interval [6, 9] and at the 2475 MHz frequency point during the time
interval [9, 12].

Figure 8-2 Spectrum of frequency-hopping devices

● Fixed-frequency devices
The frequency of fixed-frequency devices remains unchanged. Fixed-frequency devices
include microwave ovens, wireless cameras, and wireless video and audio transmitters.
In terms of occupied bandwidth, fixed-frequency devices are classified into broadband
and narrowband devices.
– Broadband devices: occupy a large bandwidth, such as microwave ovens, which
cover channels 11, 12, and 13. Figure 8-3 shows the realtime spectrum of a
microwave oven (the horizontal axis indicates time whereas the vertical axis
indicates frequency). In addition to its bandwidth characteristics, the microwave oven
also has obvious frequency scanning features, that is, the center frequency point
drifts up and down.


Figure 8-3 Spectrum of broadband devices

– Narrowband devices: occupy a small bandwidth, such as wireless cameras, wireless
video and audio transmitters, and baby monitors. Figure 8-4 shows the realtime
spectrum of a baby monitor (the horizontal axis indicates time whereas the vertical
axis indicates frequency).

Figure 8-4 Spectrum of narrowband devices
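
The features that separate these device classes (occupied bandwidth, movement of the center frequency, duty cycle, and period) can be computed from thresholded spectrum sweeps. The Python below is an added example, not the algorithm used by the AP or eSight: the thresholds, the sweep format (one dict of frequency in MHz to power in dBm per scan), and the three sample traces are constructed assumptions.

```python
from statistics import median

# Assumed thresholds for this illustration; they are not values from the guide.
THRESHOLD_DBM = -75    # a bin at or above this power counts as occupied
BROADBAND_MHZ = 20     # pulses at least this wide are treated as broadband
HOP_SPREAD_MHZ = 5     # a center frequency moving further than this is treated as hopping


def extract_pulses(sweeps):
    """Pulse extraction and combining: per sweep, merge adjacent occupied 1 MHz bins."""
    pulses = []
    for t, sweep in enumerate(sweeps):
        occupied = sorted(f for f, dbm in sweep.items() if dbm >= THRESHOLD_DBM)
        start = prev = None
        for f in occupied + [None]:            # the trailing None flushes the last run
            if start is not None and (f is None or f != prev + 1):
                pulses.append({"t": t, "center": (start + prev) / 2,
                               "bw": prev - start + 1})
                start = None
            if f is not None and start is None:
                start = f
            prev = f
    return pulses


def features(sweeps):
    """Frequency and time signature: bandwidth, center spread, duty cycle, period."""
    pulses = extract_pulses(sweeps)
    if not pulses:
        return None
    busy = sorted({p["t"] for p in pulses})
    centers = [p["center"] for p in pulses]
    starts = [t for t in busy if t - 1 not in busy]      # first sweep of each burst
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return {
        "bandwidth_mhz": median(p["bw"] for p in pulses),
        "center_spread_mhz": max(centers) - min(centers),
        "duty_cycle": len(busy) / len(sweeps),
        "period_sweeps": median(gaps) if gaps else None,
    }


def classify(sweeps):
    """Map the features to the device classes described in this section."""
    f = features(sweeps)
    if f is None:
        return "no signal above threshold"
    if f["bandwidth_mhz"] >= BROADBAND_MHZ:
        return "fixed-frequency broadband"     # e.g. microwave oven; center may drift
    if f["center_spread_mhz"] > HOP_SPREAD_MHZ:
        return "frequency-hopping"             # e.g. Bluetooth device
    return "fixed-frequency narrowband"        # e.g. baby monitor


# Constructed traces, 12 sweeps each. The Bluetooth trace follows the example in the
# text: 2465 MHz during [6, 9] and 2475 MHz during [9, 12].
BLUETOOTH = [{2465: -50} if 6 <= t < 9 else {2475: -52} if 9 <= t < 12 else {}
             for t in range(12)]
MICROWAVE = [{f: -40 for f in range(2450 + t % 3, 2481 + t % 3)} if t % 2 == 0 else {}
             for t in range(12)]
BABY_MONITOR = [{2440: -60, 2441: -58, 2442: -61} for _ in range(12)]

if __name__ == "__main__":
    for name, trace in [("bluetooth", BLUETOOTH), ("microwave", MICROWAVE),
                        ("baby monitor", BABY_MONITOR)]:
        print(name, classify(trace), features(trace))
```
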


8.3 Application Scenarios for Spectrum Analysis


On the 2.4 GHz WLAN shown in Figure 8-5, user access experience is still unsatisfactory
after radio calibration is performed. For example, packet loss occurs when users ping a
website address. In this case, users can use one or more APs to detect whether non-WLAN
interference exists around the WLAN.

Figure 8-5 Spectrum analysis networking

(Figure labels: digital cordless phone; STA; switch; AC (has spectrum analysis enabled);
NMS (interference visualization module); send sampled data to the AC)

8.4 Licensing Requirements and Limitations for Spectrum
Analysis

Involved Network Elements
AP
● APs mentioned in this document are Huawei AP products. You are advised to use
Huawei APs to connect to the AC.
● You can run the display ap-type all command to check the default AP types supported
by the device.
● When central APs and RUs are used, ensure that their versions are the same. For
example, if the central AP version is V200R007C10, the RU version must be
V200R007C10.


Table 8-1 Mapping between switch versions and AP versions

Product Software Version    AP Software Version
V200R012C00                 V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10                 V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00                 V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00                 V200R007C10, V200R006C20, V200R006C10
V200R009C00                 V200R006C20, V200R006C10
V200R008C00                 V200R005C30, V200R005C20, V200R005C10
V200R007                    V200R005C20, V200R005C10
V200R006                    V200R005C00

Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
● AP resource license-16AP for WLAN access controller
● AP resource license-64AP for WLAN access controller
● AP resource license-128AP for WLAN access controller
● AP resource license-512AP for WLAN access controller

For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.

Version Requirements

Table 8-2 Products and minimum version supporting the WLAN service

Series                   Product Model       Minimum Version Required
S1700 series switches    -                   Not supported
S2700 series switches    -                   Not supported
S3700 series switches    -                   Not supported
S5700 series switches    S5720HI, S5730HI    S5720HI: V200R006; S5730HI: V200R012
S6700 series switches    S6720HI             V200R012

Feature Limitations
Configuring Spectrum Analysis

● The AP3010DN-AGN and AP9330DN do not support this function.
● Spectrum analysis can be enabled only on one radio at one time.
● If WDS and Mesh services are configured on an AP radio, WIDS, spectrum analysis, or
WLAN location on the radio does not take effect.

8.5 Default Settings for Spectrum Analysis


Table 8-3 Default settings for spectrum analysis

Parameter                                    Default Setting
Spectrum profile                             None
Aging time of non-Wi-Fi devices on the AC    3 minutes
Spectrum data report                         Disabled


8.6 Configuring Spectrum Analysis


Context
You can configure spectrum analysis to detect non-Wi-Fi interference on WLANs. Based on
the identified interference type, interfering channel, and interference strength, you can locate
the interference source to eliminate interference.

NOTE

The AP3010DN-AGN, AP3010DN-V2, and AP9330DN do not support this function.


If WDS and Mesh services are configured on an AP radio, WIDS, spectrum analysis, or WLAN location
on the radio does not take effect.
Spectrum analysis can only help identify the interference source type but not the specific device.
Currently, the AC can identify baby monitors, Bluetooth devices, digital cordless phones (at 2.4 GHz
frequency band only), wireless audio transmitters, wireless game controllers, and microwave ovens. Due
to differences of individual devices, some of these non-Wi-Fi devices may not be identified.

Pre-configuration Tasks
Before configuring spectrum analysis, perform the task of 5 WLAN Service Configuration.

Table 8-4 Pre-configuration tasks


Task                                        Description
Create an AP group                          Each AP will be added and can be added to only one AP group. An AP group is typically used to provide the same configurations for multiple APs. By default, the system has an AP group default. To create an AP group, execute this task. For details, see 5.8 Creating an AP Group.
Configure an AP to go online:
  Configure a DHCP server                   To go online normally, APs and STAs must obtain IP addresses. You can configure an AC as a DHCP server or use an independent DHCP server to allocate IP addresses to APs and STAs. For details, see 5.9.1 Configuring a DHCP Server.
  Configure network interconnections        To enable APs and STAs to obtain IP addresses, APs to discover the AC and go online on the AC, and STAs to access the network, configure interconnections between network devices. For details, see 5.9.2 Configuring Network Interconnections.
  Configure country codes                   Correct country code configuration ensures that radio attributes of APs comply with laws and regulations of countries and regions to which the APs are delivered. For details, see 5.9.3 Configuring Country Codes. , radio parameters in compliance with local laws and regulations, such as the working channel and power
  Configure a source interface              Before an AP establishes a CAPWAP tunnel with an AC, a source interface or source address must be specified for the AC. For details, see 5.9.4 Configuring a Source Interface or Source Address.
  Add APs                                   You can add APs in any of the following modes:
                                            ● Importing APs offline
                                            ● Configuring AC to automatically discover an AP
                                            ● Manually confirming APs added to the list of unauthorized APs
                                            Adding an AP offline is recommended when the MAC address or SN of the AP is already learned. For details, see 5.9.8 Adding APs.


Configuration Procedure
Perform the following steps in the listed order.

8.6.1 Configuring Spectrum Analysis on an AC

Context
You can configure spectrum analysis on a WLAN with severe interference to determine
whether non-Wi-Fi interference exists on the WLAN.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run ap-system-profile name profile-name

An AP system profile is created, and the AP system profile view is displayed.

By default, the system provides the AP system profile default.

Step 4 Run spectrum-analysis server ip-address ip-address port port-number [ via-ac ac-port ac-port-number ]

The IP address and port number of a spectrum server are configured.

NOTE

● If the AP uploads the collected data directly to the spectrum server, you do not need to configure the
via-ac ac-port ac-port-number parameter.
● If the AP uploads the collected data to the spectrum server via the AC, configure the
via-ac ac-port ac-port-number parameter.
● If no spectrum server is available, to view the spectrum in the web system, specify a valid IP address and
port number for the spectrum server (the specified values do not take effect) and configure the
via-ac ac-port ac-port-number parameter.

Step 5 (Optional) Run spectrum-analysis non-wifi-device aging-time aging-time

The aging time of non-Wi-Fi devices on the AC during spectrum analysis is configured.

By default, the aging time of non-Wi-Fi devices on an AC during spectrum analysis is 3 minutes.

Step 6 Run quit

Return to the WLAN view.

Step 7 (Optional) Run spectrum-analysis source ip-address ip-address

The source IP address of packets sent by the AC to a spectrum server is configured.


By default, an AC uses the IP address of the outbound interface on the matched route as the
source IP address of packets sent to a spectrum server.

NOTE

● Ensure that the AC IP address manually configured on the spectrum server is the same as that configured
using the spectrum-analysis source command.
● The source IP address must exist on the AC; otherwise, the configuration does not take effect.
● The configured source IP address and the IP address of the spectrum server must be routable to each
other.

Step 8 Configure the air scan function.


The configured air scan profile applies to radio calibration, smart roaming, spectrum analysis,
terminal location, and WIDS. The channels to be scanned for spectrum analysis are fixed as
all channels supported by the corresponding country code of an AP and are irrelevant to the
configuration in an air scan profile.
In spectrum analysis scenarios, to obtain enough sampling data, it is recommended that the
scanning interval be set to no more than 10 seconds and the scanning duration to 100 ms.
1. Run the air-scan-profile name profile-name command to create an air scan profile and
enter the air scan profile view.
2. Run the undo scan-disable command to enable the air scan function.
By default, the air scan function is enabled.
3. Run the scan-interval scan-time command to configure an air scan interval.
By default, the air scan interval is 10000 ms.
4. Run the scan-period scan-time command to configure an air scan period.
By default, the air scan period is 60 ms.
5. Run the quit command to return to the WLAN view.
6. Enter the radio profile view.
By default, the system provides the 2G radio profile default and 5G radio profile
default.
– When the configured air scan channel set contains only 2.4 GHz channels, run the
radio-2g-profile name profile-name command to enter the 2G radio profile.
– When the configured air scan channel set contains only 5 GHz channels, run the
radio-5g-profile name profile-name command to enter the 5G radio profile.
– When the configured air scan channel set contains both 2.4 GHz and 5 GHz
channels, enter the 2G and 5G radio profiles.
NOTE

You can bind the created air scan profile to the current radio profile bound to the AP. To bind the air
scan profile to a new radio profile, bind the radio profile to the radio of an AP group or a specific AP
first. For details, see 5.11.1.5 Binding a Radio Profile.
7. Run the air-scan-profile profile-name command to bind the air scan profile to the 2G or
5G radio profile.
By default, the air scan profile default is bound to a radio profile.
8. Run the quit command to return to the WLAN view.
Step 9 Run vap-profile name profile-name


A VAP profile is created.

By default, the system provides the VAP profile default.

NOTE

When a VAP profile exists in the system, you can use the existing one or create a new one.

Step 10 Run quit

Return to the WLAN view.

Step 11 Bind the VAP profile to radios of an AP group or a specific AP as required to make the radios
properly work. For details, see 5.11.2.11 Binding VAP Profiles.

Step 12 Run quit

Return to the WLAN view.

Step 13 Bind the radio profile and spectrum profile to an AP group or AP. For the detailed procedure
of binding a radio profile, see 5.11.1.5 Binding a Radio Profile.
Binding the radio profile and spectrum profile to an AP group
1. Run the ap-group name group-name command to enter the AP group view.
2. Run the ap-system-profile profile-name command to bind the specified AP system
profile to the AP group.
Binding the radio profile and spectrum profile to an AP
1. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
view.
2. Run the ap-system-profile profile-name command to bind the specified AP system
profile to the AP.

Step 14 Enable spectrum analysis on an AP radio.


Enabling spectrum analysis on the specified radio in an AP group.
1. Run the ap-group name group-name command to enter the AP group view.
2. Run the radio radio-id command to enter the AP group radio view.
3. Run the spectrum-analysis enable command to enable spectrum analysis on the radio.
4. Run the quit command to return to the AP group view.
Enabling spectrum analysis on the specified AP radio.
1. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
view.
2. Run the radio radio-id command to enter the AP radio view.
3. Run the spectrum-analysis enable command to enable spectrum analysis on the AP
radio.
4. Run the quit command to return to the AP view.

Step 15 Run the quit command to return to the WLAN view.

Step 16 (Optional) Run spectrum-report { ap-name ap-name | ap-id ap-id } radio radio-id

The function of reporting spectrum analysis data is enabled on an AP radio. The spectrum
server uses the reported data to analyze spectrum and draw spectrum graphs.


By default, the function of reporting spectrum data is disabled on an AP radio.

----End

Verifying the Configuration


● Run the display spectrum-analysis server-reporter command to check the list of APs
reporting spectrum analysis data to a spectrum server.
● Run the display air-scan-profile name profile-name command to check the air scan
profile configuration.
● Run the display radio-2g-profile name profile-name command to check the air scan
profile bound to a 2G radio profile.
● Run the display radio-5g-profile name profile-name command to check the air scan
profile bound to a 5G radio profile.
● Run the display ap-group name ap-group-name command to check the 2G or 5G radio
profile bound to an AP group.
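
The limits stated in this chapter (a scan interval of no more than 10 seconds, a 100 ms scan duration, a source IP address that exists on the AC, and spectrum analysis on one radio at a time) can also be checked offline against a saved AC configuration. The Python below is an added example, not Huawei code: the sample configuration is constructed, its one-space-per-view indentation is an assumption, and the one-radio limit is read here as applying per AP group or AP.

```python
import re

# Constructed sample of a saved AC configuration (not taken from the guide). It uses
# only commands named in this chapter; one leading space per nested view is assumed.
SAMPLE_CONFIG = """\
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
wlan
 spectrum-analysis source ip-address 10.23.100.9
 air-scan-profile name wlan-airscan
  scan-period 60
  scan-interval 60000
 radio-2g-profile name radio2g
  air-scan-profile wlan-airscan
 ap-system-profile name spectrum01
  spectrum-analysis server ip-address 10.137.43.4 port 55555 via-ac ac-port 5001
 ap-group name ap-group1
  ap-system-profile spectrum01
  radio 0
   radio-2g-profile radio2g
   spectrum-analysis enable
  radio 1
   spectrum-analysis enable
#
return
"""


def parse(config):
    """Return (path, command) pairs; path is the tuple of enclosing view commands."""
    entries, stack = [], []
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd in ("#", "return"):
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        del stack[depth:]                      # leave the views that are now closed
        entries.append((tuple(stack), cmd))
        stack.append(cmd)
    return entries


def audit(config):
    """Check a configuration against the limits stated in this chapter."""
    findings, local_ips, sources, enabled = [], set(), [], {}
    for path, cmd in parse(config):
        view = path[-1] if path else ""
        if m := re.fullmatch(r"ip address (\S+) \S+", cmd):
            local_ips.add(m.group(1))
        elif m := re.fullmatch(r"spectrum-analysis source ip-address (\S+)", cmd):
            sources.append(m.group(1))
        elif m := re.fullmatch(r"scan-interval (\d+)", cmd):
            if int(m.group(1)) > 10000:
                findings.append(("SCAN_INTERVAL",
                                 f"{view}: {m.group(1)} ms exceeds 10 seconds"))
        elif m := re.fullmatch(r"scan-period (\d+)", cmd):
            if int(m.group(1)) != 100:
                findings.append(("SCAN_PERIOD",
                                 f"{view}: {m.group(1)} ms, 100 ms is recommended"))
        elif cmd == "spectrum-analysis enable" and len(path) >= 2:
            # path[-2] is the AP group or AP view, view is the radio view
            enabled.setdefault(path[-2], []).append(view)
    for ip in sources:
        if ip not in local_ips:
            findings.append(("SOURCE_IP", f"{ip} is not configured on the AC"))
    for scope, radios in enabled.items():
        if len(radios) > 1:
            findings.append(("MULTI_RADIO", f"{scope}: enabled on {', '.join(radios)}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:14} {detail}")
```
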

8.6.2 Checking Spectrum Graphs

Context
After spectrum analysis is enabled on the AC, you can view AP spectrum graphs on the eSight
(V300R003C20) to learn about interference around APs at deployment sites. This helps
identify and locate interference devices on the WLAN in a timely manner so that radio
calibration can be implemented on the WLAN.

NOTE
For dual-band APs, you can view the 2.4 GHz or 5 GHz spectrum graph.

Spectrum graphs include real-time FFT, depth, channel quality, channel quality trend, and
device percentage charts.

Procedure
Step 1 Choose Business > WLAN Management > Region Monitor from the main menu.

Step 2 Use either of the following methods to access the region object manager.

● In the monitoring mode, right-click a region in Resource on the left pane, and select
Region Object Manager.
● In the 360 topology view, click a region name in the region list at the bottom of the page to
display the object manager of the selected region.
NOTE

In the region object manager view, you can click to select other regions.

Step 3 Choose AP from the navigation tree of the Region Object Manager.

Step 4 In the AP list, click and select Spectrum Analysis in the Operation column.

Step 5 Click Index Configure, choose a spectrum graph type, and click Confirm to view the
spectrum graph of the selected AP.


----End

8.7 Maintaining Spectrum Analysis

8.7.1 Checking Information About Non-Wi-Fi Devices on an AC

Prerequisites
The task of 8.6 Configuring Spectrum Analysis has been performed.

Procedure
● Run the display wlan non-wifi-device { all | { ap-name ap-name | ap-id ap-id } radio
radio-id } command to check information about the detected non-Wi-Fi devices.
● Run the display wlan non-wifi-device history { all | { ap-name ap-name | ap-id ap-id }
radio radio-id } command to check information about non-Wi-Fi devices in the
historical list.
----End

8.7.2 Clearing Information About Non-Wi-Fi Devices on an AC

Context
Before recollecting information about non-Wi-Fi devices in a period on an AC, clear existing
information.

NOTICE
The cleared information cannot be restored. Exercise caution when you perform these
operations.

Procedure
● Run the reset wlan non-wifi-device { all | { ap-name ap-name | ap-id ap-id } radio
radio-id } command to clear information about non-Wi-Fi devices.
● Run the reset wlan non-wifi-device history { all | { ap-name ap-name | ap-id ap-id }
radio radio-id } command to clear information about non-Wi-Fi devices in the historical
list.
----End

8.8 Configuration Examples for Spectrum Analysis

8.8.1 Example for Configuring Spectrum Analysis


Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 8-6, an enterprise deploys basic WLAN services to enable mobile users
to connect to the enterprise network from anywhere at any time. The WLAN SSID is wlan-
net, and STAs automatically obtain IP addresses.
The enterprise is located in an open place, so the WLAN is susceptible to interference.
When discovering severe interference on the WLAN, the network administrator can use the
spectrum analysis function to detect whether non-Wi-Fi interference exists on the WLAN.


Figure 8-6 Networking diagram for configuring spectrum analysis

(Figure labels: Internet; AC with GE0/0/2 in VLAN 101 and GE0/0/1 in VLAN 100; SwitchA with
GE0/0/2 and GE0/0/1 in VLAN 100; AP; STAs)
Management VLAN: VLAN 100
Service VLAN: VLAN 101

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, switch, and upper-layer devices to communicate at Layer 2.
2. Configure the AC as a DHCP server to assign IP addresses to the APs and STAs.
3. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
5. Configure spectrum analysis so that the APs can detect non-Wi-Fi devices and send
alarms to the AC.


Table 8-5 Data required for completing the configuration


Item                                       Data
DHCP server                                The AC functions as a DHCP server to assign IP addresses to the APs and STAs.
IP address pool for the APs                10.23.100.2-10.23.100.254/24
IP address pool for the STAs               10.23.101.2-10.23.101.254/24
IP address of the AC's source interface    VLANIF 100: 10.23.100.1/24
AP group                                   ● Name: ap-group1
                                           ● Referenced profiles: VAP profile wlan-vap, regulatory domain profile domain1, 2G radio profile radio2g, 5G radio profile radio5g, and spectrum profile spectrum01
Regulatory domain profile                  ● Name: domain1
                                           ● Country code: CN
SSID profile                               ● Name: wlan-ssid
                                           ● SSID name: wlan-net
Security profile                           ● Name: wlan-security
                                           ● Security policy: WPA2+PSK+AES
                                           ● Password: a1234567
VAP profile                                ● Name: wlan-vap
                                           ● Forwarding mode: tunnel forwarding
                                           ● Service VLAN: VLAN 101
                                           ● Referenced profiles: SSID profile wlan-ssid and security profile wlan-security
2G radio profile                           ● Name: radio2g
                                           ● Referenced profile: air scan profile wlan-airscan
5G radio profile                           ● Name: radio5g
                                           ● Referenced profile: air scan profile wlan-airscan
Air scan profile                           ● Name: wlan-airscan
                                           ● Air scan interval: 80000 ms
                                           ● Air scan duration: 80 ms
Spectrum profile                           ● Name: spectrum01
                                           ● IP address of the spectrum server: 10.137.43.4
                                           ● Port number of the spectrum server: 55555
                                           ● Port number used by the AC to receive spectrum information (encapsulated in UDP packets) from APs when the AC is used to send data to the spectrum server: 5001
                                           ● Aging time of non-Wi-Fi devices on an AC during spectrum analysis: 5 minutes

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce the impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.

# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.

# Create an AP group and add the AP to the AP group.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AC-wlan-view] security-profile name wlan-security


[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure spectrum analysis.


[AC-wlan-view] ap-system-profile name spectrum01
[AC-wlan-ap-system-prof-spectrum01] spectrum-analysis server ip-address 10.137.43.4 port 55555 via-ac ac-port 5001
[AC-wlan-ap-system-prof-spectrum01] spectrum-analysis non-wifi-device aging-time 5
[AC-wlan-ap-system-prof-spectrum01] quit

# Create the air scan profile wlan-airscan and configure the scan interval and scan duration.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 80
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 80000
[AC-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile radio2g and bind the air scan profile wlan-airscan to the 2G
radio profile.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-radio2g] quit

# Create the 5G radio profile radio5g and bind the air scan profile wlan-airscan to the 5G
radio profile.
[AC-wlan-view] radio-5g-profile name radio5g
[AC-wlan-radio-5g-prof-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-radio5g] quit

# Bind the 5G radio profile radio5g and 2G radio profile radio2g to the AP group ap-
group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

# Bind the AP system profile spectrum01 to the AP group ap-group1 and enable spectrum
analysis in the AP group.

[AC-wlan-view] ap-group name ap-group1


[AC-wlan-ap-group-ap-group1] ap-system-profile spectrum01
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] spectrum-analysis enable
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] radio 1
[AC-wlan-group-radio-ap-group1/1] spectrum-analysis enable
[AC-wlan-group-radio-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

Step 8 Verify the configuration.


• Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567.
  Run the display station ssid wlan-net command on the AC. The command output
  shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0     area_1  1/1     5G   11n  46/59 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
• Run the display ap-system-profile name spectrum01 command on the AC to check
  spectrum analysis configuration.
[AC-wlan-view] display ap-system-profile name spectrum01
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : -
AP management VLAN : -
Keep service : disable
Keep service allow new access : disable
Temporary management switch : disable
Mesh role : mesh-node
STA access mode : disable
STA whitelist profile : -
STA blacklist profile : -
EAPOL start mode : multicast
EAPOL start transform : equal-bssid
EAPOL response mode : unicast learning
EAPOL response transform : equal-bssid
AP LLDP message transmission delay time(s): 2
AP LLDP message transmission hold multiplier: 4
AP LLDP message transmission interval time(s): 30
AP LLDP restart delay time(s) : 2
AP LLDP admin status : txrx
AP LLDP report interval time(s): 30
AP high temperature threshold(degree C): -
AP low temperature threshold(degree C): -
AP CPU usage threshold(%) : 90
AP memory usage threshold(%) : 80
Alarm restriction : enable
Alarm restriction period(s) : 60
Log server IP address : 0.0.0.0
Log record level : info
Ethernet port MTU(byte) : 1500
Telnet : disable
STelnet server : enable
SFTP server : enable
Console : enable
Antenna output mode : split
Led : on

Sample time(s) : 30
Dynamic blacklist aging time(s): 600
MPP active reselection : disable
AP report to : AC
Server IP : 10.137.43.4
Server port : 55555
AC port : 5001
Device aging-time(minute) : 5
PoE max power : 380000
PoE power reserved(%) : 0
PoE power threshold(%) : 100
PoE af inrush : disable
PoE high inrush : disable
------------------------------------------------------------------------------

• Run the display spectrum-analysis server-reporter command on the AC to check the
  APs that report spectrum packets to the spectrum server.
[AC-wlan-view] display spectrum-analysis server-reporter
------------------------------------------------------------
ID AP name Radio ID
------------------------------------------------------------
1 area_1 0
1 area_1 1
------------------------------------------------------------
Total: 2

• Run the display wlan non-wifi-device all command on the AC to check the detected
  non-Wi-Fi devices.
[AC-wlan-view] display wlan non-wifi-device all
----------------------------------------------------------------
Detect AP name : huawei
Detect AP radio ID : 1
Detect AP channel : 36
Non-Wi-Fi device type : 9
Non-Wi-Fi device name : Unknown fix freq device
Non-Wi-Fi device frequency type : Narrow bandwidth
Non-Wi-Fi device channel : 149,150
Non-Wi-Fi device RSSI : -62,-66
Non-Wi-Fi device detect time last : 2015-07-02/08:16:56
Non-Wi-Fi device center frequency(MHz) : 5749
Non-Wi-Fi device bandwidth(KHz) : 70
Non-Wi-Fi device duty(%) : 100
Non-Wi-Fi device interfere level : 3
----------------------------------------------------------------
Total: 1

• View AP spectrum on eSight to learn AP channel interference in deployment sites.
  a. Choose Business > WLAN Management > Region Monitor from the main menu.
  b. Use either of the following methods to access the region object manager.
     – In the monitoring mode, right-click a region in Resource on the left pane, and
       select Region Object Manager.
     – In the 360 topology view, click a region name in the region list at the bottom
       of the page to display the object manager of the selected region.
     NOTE
     In the region object manager view, you can click to select other regions.
  c. Choose AP from the navigation tree of the Region Object Manager.
  d. In the AP list, click and select Spectrum Analysis in the Operation column.
  e. Click Index Configure, choose a spectrum graph type, and click Confirm to view
     the spectrum graph of the selected AP.

f. The spectrum graphs show that the interference is mostly within the range of -80
dBm to -40 dBm and most serious on channel 11.

----End
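
The display wlan non-wifi-device all output from Step 8 can be parsed for monitoring. The following Python is an added example, not part of the Huawei guide; the record keys, the second sample record, and the duty and RSSI thresholds are assumptions.

```python
"""Parse `display wlan non-wifi-device all` output and flag strong interferers.

Added illustration, not Huawei code. Field labels are taken from the output
shown in Step 8; record keys and thresholds are assumptions to tune per site.
"""
import re

# Constructed sample: the first record repeats the output shown in Step 8,
# the second record is invented to exercise the filter.
SAMPLE_OUTPUT = """\
[AC-wlan-view] display wlan non-wifi-device all
----------------------------------------------------------------
Detect AP name : huawei
Detect AP radio ID : 1
Detect AP channel : 36
Non-Wi-Fi device type : 9
Non-Wi-Fi device name : Unknown fix freq device
Non-Wi-Fi device frequency type : Narrow bandwidth
Non-Wi-Fi device channel : 149,150
Non-Wi-Fi device RSSI : -62,-66
Non-Wi-Fi device detect time last : 2015-07-02/08:16:56
Non-Wi-Fi device center frequency(MHz) : 5749
Non-Wi-Fi device bandwidth(KHz) : 70
Non-Wi-Fi device duty(%) : 100
Non-Wi-Fi device interfere level : 3
----------------------------------------------------------------
Detect AP name : area_1
Detect AP radio ID : 0
Detect AP channel : 11
Non-Wi-Fi device type : 9
Non-Wi-Fi device name : Unknown fix freq device
Non-Wi-Fi device frequency type : Narrow bandwidth
Non-Wi-Fi device channel : 11
Non-Wi-Fi device RSSI : -88
Non-Wi-Fi device detect time last : 2015-07-02/08:17:10
Non-Wi-Fi device center frequency(MHz) : 2462
Non-Wi-Fi device bandwidth(KHz) : 70
Non-Wi-Fi device duty(%) : 5
Non-Wi-Fi device interfere level : 1
----------------------------------------------------------------
Total: 2
"""

SEPARATOR = re.compile(r"^-{5,}$")


def to_int(value):
    """Return an int, or None when the field holds a placeholder such as '-'."""
    try:
        return int(value)
    except ValueError:
        return None


def to_int_list(value):
    """Parse comma-separated integers such as '149,150' or '-62,-66'."""
    return [int(v) for v in value.split(",") if re.fullmatch(r"\s*-?\d+\s*", v)]


# Output label -> (record key, converter)
FIELDS = {
    "Detect AP name": ("ap_name", str),
    "Detect AP radio ID": ("radio_id", to_int),
    "Detect AP channel": ("ap_channel", to_int),
    "Non-Wi-Fi device type": ("device_type", to_int),
    "Non-Wi-Fi device name": ("device_name", str),
    "Non-Wi-Fi device frequency type": ("frequency_type", str),
    "Non-Wi-Fi device channel": ("channels", to_int_list),
    "Non-Wi-Fi device RSSI": ("rssi_dbm", to_int_list),
    "Non-Wi-Fi device detect time last": ("last_seen", str),
    "Non-Wi-Fi device center frequency(MHz)": ("center_mhz", to_int),
    "Non-Wi-Fi device bandwidth(KHz)": ("bandwidth_khz", to_int),
    "Non-Wi-Fi device duty(%)": ("duty_pct", to_int),
    "Non-Wi-Fi device interfere level": ("interfere_level", to_int),
}


def parse_non_wifi_devices(text):
    """Split the output into one dict per detected device."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if SEPARATOR.match(line) or line.startswith("Total:"):
            if current:
                records.append(current)
                current = {}
            continue
        # Split on the first colon only: timestamps contain further colons.
        label, sep, value = line.partition(":")
        field = FIELDS.get(label.strip())
        if not sep or field is None:
            continue  # CLI prompt, blank line, or an unknown label
        key, convert = field
        current[key] = convert(value.strip())
    if current:
        records.append(current)
    return records


def strong_interferers(records, min_duty_pct=50, min_rssi_dbm=-70):
    """Keep devices that transmit often (duty) and are heard loudly (RSSI)."""
    hits = []
    for rec in records:
        rssi, duty = rec.get("rssi_dbm") or [], rec.get("duty_pct")
        if rssi and duty is not None and duty >= min_duty_pct and max(rssi) >= min_rssi_dbm:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for dev in strong_interferers(parse_non_wifi_devices(SAMPLE_OUTPUT)):
        print(dev["ap_name"], dev["channels"], dev["center_mhz"], dev["last_seen"])
```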

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
air-scan-profile name wlan-airscan
scan-period 80
scan-interval 80000
radio-2g-profile name radio2g
air-scan-profile wlan-airscan
radio-5g-profile name radio5g
air-scan-profile wlan-airscan
ap-system-profile name spectrum01
spectrum-analysis server ip-address 10.137.43.4 port 55555 via-ac ac-port 5001
spectrum-analysis non-wifi-device aging-time 5
ap-group name ap-group1
ap-system-profile spectrum01
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio2g
vap-profile wlan-vap wlan 1
spectrum-analysis enable
radio 1
radio-5g-profile radio5g
vap-profile wlan-vap wlan 1
spectrum-analysis enable
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

9 Roaming Configuration

9.1 Overview of Roaming


Definition
WLAN roaming allows a STA to move from one AP to another AP in the same extended service
set (ESS) on a WLAN network without interrupting service transmission. In Figure 9-1, the
STA moves from AP_1 to AP_2.

Figure 9-1 WLAN roaming networking
[Figure: Internet - AC - AP_1 (SSID: Huawei, channel 1) and AP_2 (SSID: Huawei, channel 6); the STA roams from AP_1 to AP_2.]

WLAN roaming includes roaming between APs in the same service VLAN and roaming
between APs in different service VLANs:

• Roaming between APs in the same service VLAN: APs before and after STA roaming
  belong to the same service VLAN.
• Roaming between APs in different service VLANs: APs before and after STA roaming
  belong to different service VLANs. To prevent services of a user from being interrupted
  during WLAN roaming, ensure that the service VLAN of the user remains unchanged
  after the user roams between two APs.

Comparison of WLAN roaming modes

Table 9-1 Comparison of WLAN roaming modes

Roaming Mode       Whether the STA Support Is Required   Applied Security Policy
Common roaming     Not involved                          All security policies
PMK fast roaming   Yes                                   WPA2–802.1X
802.11r roaming    Yes                                   Open system authentication/WPA2–PSK/WPA2–802.1X

Roaming Mode       Description
Common roaming     It is applicable to all scenarios and allows for easy configuration. Services may be interrupted for a short period of time during roaming.
PMK fast roaming   It is applicable to a few scenarios. During roaming, users do not need to perform 802.1X authentication again and only need to perform key negotiation. The latency is low.
802.11r roaming    It is applicable to multiple scenarios. During roaming, users do not need to perform authentication or key negotiation. The latency is low.

Purpose
The biggest advantage of WLAN networks is that a STA can move within a WLAN network
regardless of physical media locations. WLAN roaming ensures that a STA moves within a
WLAN network without interrupting services. An ESS includes multiple APs. When a STA
moves from an AP to another AP, WLAN roaming ensures seamless transition of STA
services between APs.

WLAN roaming has the following advantages:

• Prevents packet loss or service interruption caused by long-term authentication.
  If a STA needs to be authenticated before accessing the Internet, the authentication
  process (for example, 802.1X authentication) may take a long period of time. Fast
  roaming prevents STA re-authentication, ensuring nonstop user service transmission.
• Ensures that users' IP addresses remain unchanged.
  Application protocol packets are transmitted using IP addresses and TCP/UDP
  connections. STAs' IP addresses must remain unchanged after WLAN roaming so that
  the TCP/UDP connections established for the STAs are not interrupted.

9.2 Understanding Roaming


9.2.1 Roaming Between APs in the Same Service VLAN
As shown in Figure 9-2, a STA moves between two APs that connect to the same AC and
belong to the same service VLAN, without service interruption.

Figure 9-2 Roaming between APs in the same service VLAN
[Figure: Internet - AC - AP_1 (VLAN 10, SSID: Huawei, channel 1) and AP_2 (VLAN 10, SSID: Huawei, channel 6); the STA roams from AP_1 to AP_2.]

Roaming between APs in the same service VLAN is classified into fast and non-fast roaming.

Non-Fast Roaming
Non-fast roaming technology is used when a STA uses a non-WPA2-802.1X security policy.
If a STA uses WPA2-802.1X but does not support fast roaming, the STA still needs to
complete 802.1X authentication before roaming between two APs.

NOTE

If a STA needs to roam between two APs, the APs must have the same SSID and security policy profile.
The names of security profiles can be different but configurations in the security profiles must be the
same.

In Figure 9-2, the STA accesses the Internet through AP_1 and needs to roam from AP_1 to
AP_2. The STA roaming process is as follows:
1. The STA sends a Probe Request frame on each channel. After receiving this, the APs
send Probe Response frames to the STA. After AP_2 receives the Probe Request frame
on channel 6, it sends a Probe Response frame to the STA on channel 6. When the STA
receives Probe Response frames, it selects an AP to associate with according to signal
strength and quality. In this scenario, assume that the STA selects AP_2 to associate
with, as shown in Figure 9-2.
2. The STA sends AP_2 a Re-authentication Request packet on channel 6. After AP_2
authenticates the STA, it sends a Re-authentication Response packet to the STA.
3. The STA sends a Re-association Request packet to AP_2, which then sends the packet to
the AC. The AC sends a Re-association Response packet, allowing the STA to re-
associate with AP_2.
4. The STA re-associates with AP_2 and then disassociates from AP_1. To do so, the STA
sends a Disassociation frame to AP_1 on channel 1.
– If the STA uses the WEP security policy, the STA roaming process is complete.
– If the STA uses the WPA/WPA2-PSK or WPA/WPA2-802.1X security policies, the
STA needs to perform access authentication and key negotiation again. For details
about key negotiation, see Key Negotiation in 12.1.2 WPA/WPA2.

Fast Roaming
When STAs use the WPA2-802.1X security policy and support fast roaming, they do not
need to perform 802.1X authentication again during roaming. They only need to perform key
negotiation. In this case, fast roaming reduces the roaming delay and improves WLAN
services.
Fast roaming is implemented using pairwise master key (PMK) caching. In Figure 9-2, the
fast roaming process is as follows:
1. The STA accesses the Internet through AP_1 for the first time. When the AC
authenticates the STA and a PMK is generated, the STA and AC save the PMK
information. Each PMK has a PMK-ID, which is calculated based on the PMK, SSID,
STA MAC address, and BSSID.
2. During roaming, the STA sends AP_2 a Re-association Request packet that carries the
PMK-ID.
3. After AP_2 receives this packet, it notifies the AC that the STA needs to roam from
AP_1 to AP_2.
4. The AC searches the PMK caching table for the PMK of the STA. It does so according to
the PMK-ID carried in the Re-association Request packet. If the AC finds a matching
PMK, the AC considers that 802.1X authentication has been performed on the STA and
uses the cached PMK for key negotiation.
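
The PMK caching lookup described in the steps above, as an added Python example that is not Huawei code. It uses the IEEE 802.11 PMKID definition (HMAC-SHA1-128 over "PMK Name", the BSSID, and the STA MAC address) and assumes the AC recomputes the PMKID for the new BSSID; the cache class, its lifetime, and all sample values are hypothetical.

```python
"""PMK caching lookup on the AC during fast roaming (added illustration).

PMKID = Truncate-128(HMAC-SHA1(PMK, "PMK Name" || AA || SPA)) per IEEE 802.11,
where AA is the BSSID of the AP and SPA is the STA MAC address.
"""
import hashlib
import hmac
import time

# Constructed sample values: a dummy PMK and locally administered BSSIDs.
SAMPLE_PMK = bytes(range(32))
SAMPLE_STA = "e019-1dc7-1e08"
BSSID_AP1 = "0200-0000-0001"
BSSID_AP2 = "0200-0000-0002"


def mac_bytes(mac):
    """Convert 'e019-1dc7-1e08' or 'e0:19:1d:c7:1e:08' to 6 raw bytes."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return raw


def pmkid(pmk, bssid, sta_mac):
    """Compute the 16-byte PMKID that binds a PMK to one BSSID and one STA."""
    data = b"PMK Name" + mac_bytes(bssid) + mac_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class PmkCache:
    """Hypothetical AC-side cache: one PMK per STA, each with a lifetime."""

    def __init__(self, lifetime_s=43200.0):  # assumed lifetime, tune per policy
        self.lifetime_s = lifetime_s
        self._entries = {}  # STA MAC bytes -> (pmk, expires_at)

    def store(self, sta_mac, pmk, now=None):
        """Save the PMK after a successful full 802.1X authentication."""
        now = time.monotonic() if now is None else now
        self._entries[mac_bytes(sta_mac)] = (pmk, now + self.lifetime_s)

    def lookup(self, sta_mac, new_bssid, offered_pmkid, now=None):
        """Return the cached PMK if the offered PMKID matches, else None."""
        now = time.monotonic() if now is None else now
        key = mac_bytes(sta_mac)
        entry = self._entries.get(key)
        if entry is None:
            return None
        pmk, expires_at = entry
        if now >= expires_at:
            del self._entries[key]  # expired keys must not be reused
            return None
        expected = pmkid(pmk, new_bssid, sta_mac)
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(expected, offered_pmkid):
            return pmk
        return None


def handle_reassociation(cache, sta_mac, new_bssid, offered_pmkid, now=None):
    """Decide whether the roaming STA can skip 802.1X authentication."""
    if cache.lookup(sta_mac, new_bssid, offered_pmkid, now) is not None:
        return "key-negotiation-only"
    return "full-802.1X"


if __name__ == "__main__":
    cache = PmkCache()
    cache.store(SAMPLE_STA, SAMPLE_PMK)  # first association through AP_1
    offered = pmkid(SAMPLE_PMK, BSSID_AP2, SAMPLE_STA)  # STA roams to AP_2
    print(handle_reassociation(cache, SAMPLE_STA, BSSID_AP2, offered))
```

A PMKID computed for AP_1's BSSID does not match at AP_2, and an expired or unknown entry falls back to full 802.1X authentication.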

9.2.2 Roaming Between APs in Different Service VLANs


To prevent broadcast storms, users on enterprise WLANs, like wired LANs, are assigned
different VLANs according to their floors and departments. If APs deployed on different
floors belong to different VLANs, a user's services are interrupted when they roam between
those APs. Inter-VLAN Layer 3 roaming prevents service interruption in this case, improving
WLAN services.
In roaming between APs in different service VLANs, APs belong to different service VLANs
before and after roaming. To prevent a user's services from being interrupted during WLAN
roaming, ensure that their service VLAN remains unchanged after they roam between two
APs.

Figure 9-3 Roaming between APs in different service VLANs
[Figure: Internet - AC - AP_1 (VLAN10, SSID: Huawei, channel 1) and AP_2 (VLAN20, SSID: Huawei, channel 6); the STA roams from AP_1 to AP_2.]

Roaming between APs in different service VLANs includes fast and non-fast roaming,
depending on whether the STA supports fast roaming. For details on the implementation of
fast and non-fast roaming, see 9.2.1 Roaming Between APs in the Same Service VLAN. In
Figure 9-3, when the STA roams from AP_1 to AP_2 in different VLANs, the process of
keeping the service VLAN of the STA unchanged is as follows:
1. When the STA accesses the Internet through AP_1 in VLAN 10, the AC determines that
the STA has done so for the first time. The AC then creates and saves STA service data,
including the service VLAN of the AP, AP name, radio, and VAP information.
2. The STA moves from AP_1 to AP_2 in VLAN 20 and re-associates with the AC through
AP_2. The AC determines that the STA is roaming based on user information, so it
updates the service database. It also updates the AP name, radio, and VAP information to
be consistent with AP_2 information, without changing the VLAN ID. The VLAN is still
the service VLAN to which AP_1 belongs.
3. The STA disassociates from AP_1. Although the STA resides on different subnets after
roaming between two APs, the AC still considers that the STA accesses the Internet from
the first VLAN (VLAN 10). This allows the STA to retain its IP address, ensuring
uninterrupted services.

9.2.3 Inter-AC Roaming

Network Architecture
Figure 9-4 shows the inter-AC roaming network architecture. AC_1 and AC_2 manage APs
on the WLAN. AP_1 associates with AC_1, and AP_2 associates with AC_2. A STA roams
on the WLAN. During roaming, the STA associates with different APs. The roaming process
is as follows:

The STA moves from the coverage area of AP_1 to AP_2. Since AP_1 and AP_2 associate
with AC_1 and AC_2, respectively, the STA implements inter-AC roaming. AP_1 and AC_1
are the STA's home AP (HAP) and home AC (HAC), and AP_2 and AC_2 are the STA's
foreign AP (FAP) and foreign AC (FAC). AC_1 and AC_2 must belong to the same
mobility group. The STA can only roam between ACs in the same mobility group. ACs in a
mobility group synchronize data of each other and forward packets over the inter-AC tunnel.

Figure 9-4 Network architecture

• HAC: AC in a mobility group with which a STA associates for the first time, for
  example, AC_1 in Figure 9-4
• HAP: AP in a mobility group with which a STA associates for the first time, for
  example, AP_1 in Figure 9-4
• FAC: AC to which a STA roams, for example, AC_2 in Figure 9-4
• FAP: AP to which a STA roams, for example, AP_3 in Figure 9-4

• Inter-AC roaming: A STA roams between different ACs. As shown in Figure 9-4, the
  STA roams between different ACs when roaming from AP_1 to AP_3.
• Mobility group: You can add ACs on a WLAN to different groups. STAs can roam
  between ACs in the same group. This group is called mobility group.
• Inter-AC tunnel: Inter-AC roaming requires that ACs in a mobility group synchronize
  STA and AP information with each other. To enable inter-AC roaming, the ACs set up a
  tunnel to synchronize data and forward packets. An inter-AC tunnel is also a CAPWAP
  tunnel. For example, AC_1 and AC_2 in Figure 9-4 set up a tunnel for data
  synchronization and packet forwarding.

Layer 2 Roaming
As shown in Figure 9-4, after Layer 2 roaming, the STA remains in the same subnet. The
FAP/FAC processes packets of the Layer 2 roaming STA in the same way as it processes
packets of a common online STA. The FAP/FAC forwards the packets on the local network
but does not send the packets back to the HAP/HAC over the inter-AC tunnel.

Before Roaming
1. The STA sends a service packet to the HAP.
2. After receiving the service packet, the HAP sends it to the HAC.
3. The HAC forwards the service packet to the upper-layer network.

After Roaming
1. The STA sends a service packet to the FAP.
2. After receiving the service packet, the FAP sends it to the FAC.
3. The FAC forwards the service packet to the upper-layer network.

9.2.4 802.11r Fast Roaming


The 802.11r protocol uses the Fast BSS Transition (FT) function to reduce the number of
information exchanges between users in the same mobile domain (MD) and does not require
802.1X authentication or key negotiation during STA roaming. Users are unaware of service
interruption and experience low-latency data services during roaming, so their online
experience is improved.
802.11r fast roaming supports the following two modes:
l Over-the-Air: STAs communicate directly with the FAP for FT authentication.
l Over-the-DS: STAs communicate with an AP for FT authentication through the HAP.
NOTE
Currently, Huawei ACs support only the Over-the-Air mode.

Intra-AC 802.11r Fast Roaming


Figure 9-5 shows the intra-AC 802.11r fast roaming process.

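Figure 9-5 Intra-AC 802.11r fast roaming

Message sequence between the STA, AP_1, and AP_2:
① The STA is associated with AP_1.
② STA → AP_2: FT Auth Request. AP_2 generates and installs the PTK.
③ AP_2 → STA: FT Auth Response. The STA generates and installs the PTK.
④ STA → AP_2: FT Reassociation Request.
⑤ AP_2 → STA: FT Reassociation Response.
⑥ The STA has roamed to AP_2.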

1. When a STA is connected to the Internet through AP_1 for the first time, the STA is
authenticated by the AC and a PMK is generated.
a. Based on the PMK, the AC generates PMK-R0 (calculated based on the SSID, MDID,
AC MAC address, and STA MAC address) and the PMK-R1 of each AP (calculated
based on the PMK-R0, AP MAC address, and STA MAC address), and delivers the
PMK-R1 to AP_1.
b. The STA and AC generate and install the pairwise transient key (PTK) and the
group temporal key (GTK) by performing the 4-way and 2-way handshakes.
NOTE
If open system authentication is used, no PMK is generated.
2. The STA initiates an 802.11 FT authentication request to AP_2 during roaming, and
delivers the PMK-R1 to AP_2.
3. After receiving the request, AP_2 generates and installs a PTK according to PMK-R1
and information contained in the request frame. At the same time, AP_2 starts the re-
association timer, and sends an 802.11 FT authentication response to the STA.
NOTE

If 802.1X authentication is used, the AP reports FT authentication information to the AC for processing
during FT authentication. If open system or PSK authentication is used, the AP does not report FT
authentication information.
4. After receiving the response, the STA generates and installs a PTK based on the
information contained in the response frame. The STA sends AP_2 a re-association
request.
5. After receiving the re-association request, AP_2 disables the re-association timer, and
then sends a re-association response to the STA.

NOTE
If a STA blacklist or whitelist is configured on the AC, the AP reports re-association responses to the
STA during FT re-association and then reports the STA's re-association request to the AC for
processing.
6. After the STA receives the response frame, the roaming is complete.
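
The key hierarchy in steps 1 to 4, as an added example (not code from this guide or from the device software): it derives PMK-R0, a per-AP PMK-R1, and the PTK with the HMAC-SHA256 KDF and the "FT-R0", "FT-R1", and "FT-PTK" labels of the IEEE 802.11 FT key hierarchy, and shows that AP_2 and the STA reach the same PTK without a new 802.1X exchange. Assumptions: the AC MAC address serves as the R0 key holder identifier (as step 1a states), the PTK is 384 bits (CCMP), and the PMK, MDID, MAC addresses, and nonces are constructed sample values.

```python
import hashlib
import hmac
import struct


def kdf(key: bytes, label: bytes, context: bytes, bits: int) -> bytes:
    """IEEE 802.11 KDF-Length: HMAC-SHA256 in counter mode.

    Each block is HMAC(key, counter || label || context || length), with the
    counter and the output length in bits as 16-bit little-endian integers.
    """
    out = b""
    for counter in range(1, (bits + 255) // 256 + 1):
        msg = struct.pack("<H", counter) + label + context + struct.pack("<H", bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: bits // 8]


def mac(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def derive_pmk_r0(pmk, ssid, mdid, ac_mac, sta_mac):
    # Inputs named in step 1a: SSID, MDID, AC MAC address, STA MAC address.
    ctx = bytes([len(ssid)]) + ssid + mdid + bytes([len(ac_mac)]) + ac_mac + sta_mac
    # KDF-384 output: first 32 bytes are PMK-R0, the rest salts the key name.
    return kdf(pmk, b"FT-R0", ctx, 384)[:32]


def derive_pmk_r1(pmk_r0, ap_mac, sta_mac):
    # One PMK-R1 per AP: bound to that AP's MAC address and to the STA.
    return kdf(pmk_r0, b"FT-R1", ap_mac + sta_mac, 256)


def derive_ptk(pmk_r1, snonce, anonce, bssid, sta_mac):
    # SNonce travels in the FT Auth Request, ANonce in the FT Auth Response.
    return kdf(pmk_r1, b"FT-PTK", snonce + anonce + bssid + sta_mac, 384)


def simulate_roam():
    """Walk through steps 1 to 4 with constructed values and return the keys."""
    pmk = hashlib.sha256(b"constructed PMK from initial authentication").digest()
    ssid, mdid = b"test", bytes.fromhex("a1b2")            # constructed MDID
    ac, sta = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:aa")
    aps = {"AP_1": mac("02:00:00:00:01:01"), "AP_2": mac("02:00:00:00:01:02")}

    # Step 1a (AC side): PMK-R0 once, then a PMK-R1 for each AP.
    pmk_r0 = derive_pmk_r0(pmk, ssid, mdid, ac, sta)
    pmk_r1 = {name: derive_pmk_r1(pmk_r0, addr, sta) for name, addr in aps.items()}

    # The STA holds the same PMK and derives the same hierarchy on its own.
    sta_r1_for_ap2 = derive_pmk_r1(derive_pmk_r0(pmk, ssid, mdid, ac, sta),
                                   aps["AP_2"], sta)

    # Steps 2 to 4: nonces are exchanged in the FT Auth frames (constructed here).
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    ptk_ap2 = derive_ptk(pmk_r1["AP_2"], snonce, anonce, aps["AP_2"], sta)
    ptk_sta = derive_ptk(sta_r1_for_ap2, snonce, anonce, aps["AP_2"], sta)
    return {"pmk_r0": pmk_r0, "pmk_r1": pmk_r1, "ptk_ap2": ptk_ap2, "ptk_sta": ptk_sta}


if __name__ == "__main__":
    keys = simulate_roam()
    print("PMK-R1 differs per AP:", keys["pmk_r1"]["AP_1"] != keys["pmk_r1"]["AP_2"])
    print("STA and AP_2 agree on PTK:", keys["ptk_ap2"] == keys["ptk_sta"])
```

Because each PMK-R1 is a one-way function of PMK-R0 and one AP's MAC address, an AP holds only a key scoped to itself, while PMK-R0 stays on the AC.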

9.2.5 Agile Distributed SFN Roaming

Overview
In healthcare scenarios, handheld healthcare terminals do not comply with the 802.11k,
802.11v, or 802.11r protocol. Therefore, their roaming aggressiveness is poor during
services such as ward rounds, infusion checks, and vital sign recording. This can easily
cause a high packet loss ratio and long delay. Users then have to log in to the application
software again or rescan the terminal code. The network access service is interrupted,
greatly affecting the working efficiency of doctors and nurses.
To address these issues, Huawei launches the agile distributed SFN roaming function. (SFN is
short for same-frequency network.) On an agile distributed WLAN network, all RUs
associated with a central AP are deployed on the same channel and communicate with STAs
using the public BSSID. Within the coverage of the SSID signal, freely moving STAs do not
perceive roaming, and services are not interrupted during the roaming.
Compared with traditional intra-central AP roaming, agile distributed SFN roaming
eliminates the impact of STA differences on the roaming effect. Additionally, this roaming
mode is smooth and fast, and significantly reduces the packet loss ratio, without the user
reassociation, authentication, and key negotiation processes.

Implementation
Figure 9-6 shows the implementation of agile distributed SFN roaming.

Figure 9-6 Implementation of agile distributed SFN roaming

Two phases are involved:

l STA access
a. All RUs broadcast Beacon frames to STAs using the public BSSID automatically
generated by the central AP based on the MAC address.
b. A STA sends a Probe Request frame. After receiving the Probe Request frame, all
RUs respond with a Probe Response frame using the public BSSID.
c. The STA sends an Auth Request frame. After receiving the Auth Request frame, all
RUs respond with an Auth Response frame using the public BSSID.
d. The STA sends an Assoc Request frame. After receiving the Assoc Request frame,
all RUs forward it to the central AP and notify the central AP of the STA's signal-
to-noise ratio (SNR).
e. The central AP selects an RU with the optimal SNR to respond to the STA with an
Assoc Response. Within a specified period, the central AP discards Assoc Request
frames reported by other RUs. Subsequently, only the selected RU communicates
with the STA.
f. The central AP reports the Assoc Request frame of the STA to the AC. Then the AC
adds STA information to the STA association table.
g. The central AP, RU, and STA perform unicast and multicast key negotiation.
l Roaming switchover
a. The HAP (RU with which the STA first associates) periodically reports the STA
RSSI to the central AP. The FAP (RU to which the STA roams) periodically reports
the RSSI of neighbors to the central AP.

b. The central AP selects the optimal RU as the FAP using the roaming decision
algorithm, and synchronizes STA information to the FAP. The central AP checks the
following switchover conditions in sequence. If any of the conditions is met, a
roaming switchover occurs. If multiple RUs meet the following three conditions,
the RU with the highest RSSI is selected for the roaming switchover.
i. The cumulative RSSI change value of the STA reaches the specified threshold.
ii. The number of times the RSSI of surrounding RUs is higher than that of the
local RU reaches the specified value.
iii. The RSSI gap between the local RU and surrounding RUs reaches the
specified value.

Packet Processing
The following assumes that service data packets are forwarded in direct mode. Figure 9-7
shows how intranet and extranet data packets for agile distributed SFN roaming are
processed. In tunnel forwarding mode, intranet and extranet data packets are forwarded
between the central AP and RUs in the same way as that in direct forwarding mode.

Figure 9-7 Processing agile distributed SFN roaming packets

Table 9-2 Directions of intranet data packets

Before Roaming
1. The STA sends service packets to RU_1.
2. After receiving the service packets, RU_1 forwards them to the central AP.
3. After receiving the service packets, the central AP forwards them to the upper-layer
network through the user gateway.

After Roaming
1. The STA sends service packets to RU_2.
2. After receiving the service packets, RU_2 forwards them to the central AP.
3. After receiving the service packets, the central AP forwards them to the upper-layer
network through the user gateway.

Table 9-3 Directions of extranet data packets

Before Roaming
1. The STA sends service packets to RU_1.
2. After receiving the service packets, RU_1 sends them to the central AP.
3. After receiving the service packets, the central AP forwards them to the upper-layer
network through the user gateway and egress route.

After Roaming
1. The STA sends service packets to RU_2.
2. After receiving the service packets, RU_2 sends them to the central AP.
3. After receiving the service packets, the central AP forwards them to the upper-layer
network through the user gateway and egress route.

9.3 Licensing Requirements and Limitations for Roaming


Involved Network Elements
AP
l APs mentioned in this document are Huawei AP products. You are advised to use
Huawei APs to connect to the AC.
l You can run the display ap-type all command to check the default AP types supported
by the device.
l When central APs and RUs are used, ensure that their versions are the same. For
example, if the central AP version is V200R007C10, the RU version must be
V200R007C10.

Table 9-4 Mapping between switch versions and AP versions

Product Software Version    AP Software Version
V200R012C00                 V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10                 V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00                 V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00                 V200R007C10, V200R006C20, V200R006C10
V200R009C00                 V200R006C20, V200R006C10
V200R008C00                 V200R005C30, V200R005C20, V200R005C10
V200R007                    V200R005C20, V200R005C10
V200R006                    V200R005C00

Client
l To implement the fast roaming feature, the client must support fast roaming technology.

Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
l AP resource license-16AP for WLAN access controller
l AP resource license-64AP for WLAN access controller
l AP resource license-128AP for WLAN access controller
l AP resource license-512AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.

Version Requirements

Table 9-5 Products and minimum version supporting roaming

Series                   Product Model       Minimum Version Required
S1700 series switches    -                   Not supported
S2700 series switches    -                   Not supported
S3700 series switches    -                   Not supported
S5700 series switches    S5720HI, S5730HI    S5720HI: V200R006; S5730HI: V200R012
S6700 series switches    S6720HI             V200R012

Feature Limitations
l The APs on which WLAN roaming is implemented must use the same SSID and security
profiles, and the security profiles must have the same configurations.
l In direct forwarding mode, if the ARP entry of a user is not aged out in time on the
access device connected to the AP after the user roams, services of the user will be
temporarily interrupted. You are advised to enable STA address learning on the AC.
After the function is enabled, the AP will send a gratuitous ARP packet to the access
device so that the access device can update ARP entries in a timely manner. This ensures
nonstop service transmission during user roaming.
You can use either of the following methods to enable STA address learning according to
the version of your product:
– Run the learn client ip-address enable command in the service set view.
l IEEE 802.11r supports open system, WPA2-PSK, and 802.1X authentication.
l The 802.11r fast roaming and Protected Management Frame (PMF) functions are
mutually exclusive. If the 802.11r fast roaming function has been configured, the PMF
function cannot be configured.
l STAs that are not compatible with 802.11r cannot associate with WLANs on which the
802.11r fast roaming function is enabled. To guarantee normal network services for users,
replace the earlier STA model with one that supports 802.11r, or create two VAPs
using the same SSID, one with 802.11r enabled and the other with it disabled, and retain
the other configurations.

l When 802.1X authentication is used for 802.11r, some STAs may get offline and online
again during reauthentication due to compatibility issues if 802.1X reauthentication is
enabled.
l Pay attention to the following precautions when configuring agile distributed SFN
roaming:
– Network planning precautions:
n Agile distributed SFN roaming is supported only by the AD9430DN-12
(including matching RUs) and AD9430DN-24 (including matching RUs). RUs
support agile distributed SFN roaming in the following combination modes:
○ Between the R230D and R240D (Note: Only the 2.4 GHz radio of the
R230D and R240D supports agile distributed SFN roaming. The 5
GHz radio does not support it.)
○ Among the R250D, R250D-E, R251D, R251D-E, and R450D
n For the central AP, after agile distributed SFN roaming is enabled, the total
number of agile distributed SFN roaming STAs on a single frequency band
(2.4 GHz or 5 GHz) of all RUs does not exceed 128, and that of STAs
associated with other VAPs on the same band does not exceed 128.
n After agile distributed SFN roaming is enabled, configure all RUs to work on
the same channel. When agile distributed SFN roaming is enabled on the 5
GHz frequency band, configure non-radar channels.
n RUs involved in roaming must be associated with the same central AP. Agile
distributed SFN roaming between central APs is not supported.
n Inter-RU roaming is Layer 2 roaming within a central AP. Agile distributed
SFN roaming is not performed on Layer 3.
– Configuration precautions:
n When agile distributed SFN roaming is enabled for both the 2.4 GHz and 5
GHz radios, it is recommended that different SSIDs be used. Otherwise, the
radio switchover may occur, affecting user experience.
n Agile distributed SFN roaming can be enabled only on one VAP of a radio. If
multiple VAPs are configured on a radio, it is recommended that the total VAP
rate limit on all VAPs with agile distributed SFN roaming disabled be set to 5
Mbit/s.
n Radios enabled with agile distributed SFN roaming do not support channel
scanning, channel calibration, or smart roaming.
n Agile distributed SFN roaming can be configured based only on AP groups but
not based on APs.
n RUs involved in agile distributed SFN roaming need to have the following
items configured the same:
○ SSID
○ VAP profile and VAP ID
○ Security policy. Agile distributed SFN roaming supports these encryption
modes: WPA+PSK, WPA2+PSK, WPA-WPA2+PSK, WPA+802.1X
(EAP authentication), WPA2+802.1X (EAP authentication), WPA-
WPA2+802.1X (EAP authentication), and Portal+PSK.
l Pay attention to the following points when configuring inter-AC roaming:
– Inter-AC roaming is supported only in distributed VXLAN gateway scenarios, and
only Layer 2 inter-AC roaming is supported.

– ACs in the same mobility group must run the same system software of the C
version. Otherwise, inter-AC roaming may fail.
– The mobility group name and IP address for establishing an inter-AC tunnel must
be configured on each AC in the mobility group. ACs must be added to the mobility
group.
– The IP addresses used for establishing an inter-AC tunnel between ACs in a
mobility group must be the CAPWAP source IP addresses of the ACs. When
multiple CAPWAP source IP addresses are configured, only one CAPWAP source IP
address can be used to establish an inter-AC tunnel.
– The mobility group name must be the same on each AC.
– A maximum of 16 ACs can be added to a mobility group, and one AC can be added
only to one mobility group.

9.4 Default Settings for Roaming


Table 9-6 Default settings for roaming

Parameter Default Setting

Inter-VLAN roaming on an AC Enabled

Inter-AC roaming Disabled

802.11r roaming Disabled

Agile distributed SFN roaming Disabled

9.5 Configuring Roaming Between APs in the Same Service VLAN

If neighboring APs have the same service VLAN, configure roaming between the APs in the
same service VLAN. After the configuration, services are not interrupted when a STA moves
from one AP to another AP in the same service VLAN.

Pre-configuration Tasks
Before configuring roaming between APs in the same service VLAN, complete the following
tasks:

l Perform the task of 5 WLAN Service Configuration.


l Perform the following operations for each AP involved in roaming:
– Associate the APs to the same AC.
– Configure the same security policy.
– Set the same SSID.
– Configure the same service VLAN.

Configuration Procedure
You can perform the following operations in any sequence based on the site requirements:

9.5.1 Configuring Non-Fast Roaming Between APs in the Same Service VLAN

Procedure
Step 1 Configure non-fast roaming.
Any of the following security policies can be configured for an AP:
l WEP open system authentication
l WEP shared key authentication
l WPA/WPA2-PSK
l WPA-802.1X
l WPA2-802.1X (PMK fast roaming is not supported by STAs.)
After basic service configurations are complete, the STAs can implement non-fast roaming.

----End

9.5.2 Configuring PMK Fast Roaming Between APs in the Same Service VLAN

Procedure
Step 1 Configure PMK fast roaming.
Before configuring PMK fast roaming, ensure that STAs support PMK fast roaming
technology and the security policy configured for each AP involved in roaming is
WPA2-802.1X. After basic service configurations are complete, the STAs can implement
PMK fast roaming.

----End

9.5.3 (Optional) Configuring 802.11r Fast Roaming


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ssid-profile name profile-name
The SSID profile view is displayed.
Step 4 Run dot11r enable [ reassociate-timeout time ]

802.11r fast roaming is enabled.

By default, 802.11r fast roaming is disabled on an AC.

After 802.11r fast roaming is enabled, the re-association timeout period is 1 second by
default.

Step 5 Run quit

Return to the WLAN view.

Step 6 Run vap-profile name profile-name

The VAP profile view is displayed.

Step 7 Run ssid-profile profile-name

The SSID profile is bound to a VAP profile.

By default, the SSID profile default is bound to a VAP profile.

----End

Verifying the Configuration


l Run the display ssid-profile { all | name profile-name } command to check information
about the 802.11r fast roaming function in the SSID profile.

9.5.4 Verifying the Roaming Configuration

Procedure
l Run the display station roam-track sta-mac mac-address command to check the
specified STA roaming track.
l Run the display station sta-mac mac-address command to check the access information
about the specified STA and check whether the AP connected to the STA changes.

----End

9.6 Configuring Roaming Between APs in Different Service VLANs

Pre-configuration Tasks
If neighboring APs have different service VLANs, configure roaming between the APs in
different service VLANs. After the configuration, services are not interrupted when a STA
moves from an AP to another AP in different service VLANs.

Before configuring roaming between APs in different service VLANs, complete the following
tasks:

l Perform the task of 5 WLAN Service Configuration.


l Perform the following operations for each AP involved in roaming:
– Associate the APs to the same AC.

– Configure the same security policy.
– Set the same SSID.
– Configure different service VLANs.

Context
The service VLANs of the APs before and after roaming are different. When roaming
between APs in different VLANs is implemented, the service VLAN of the STA must remain
the original one after the STA roams to another AP. Therefore, the VLAN configuration varies
depending on the forwarding mode. This topic uses a Layer 2 network between the APs and
AC as an example to describe different VLAN configurations.
l Direct forwarding mode
As shown in Figure 9-8, in direct forwarding mode, when a STA roams from AP_1 to
AP_2 and the data packets arrive at AP_2, AP_2 tags the packets with VLAN101 and
forwards them to the upper-level network. When a STA roams from AP_2 to AP_1 and
the data packets arrive at AP_1, AP_1 tags the packets with VLAN102 and forwards
them to the upper-level network.

Figure 9-8 Networking diagram of roaming between APs in different service VLANs in
direct forwarding mode

[Figure: A STA roams from AP_1 (service VLAN 101, SSID test, channel 1, connected to
Switch1) to AP_2 (service VLAN 102, SSID test, channel 6, connected to Switch2). Both
switches connect to the AC, which connects to the Internet.]

Data packet on the AP_1 path:
STA: 802.11 | Payload
AP1: VLAN101 | 802.3 | Payload
Switch1: VLAN101 | 802.3 | Payload
AC: VLAN101 | 802.3 | Payload

Data packet on the AP_2 path:
STA: 802.11 | Payload
AP2: VLAN101 | 802.3 | Payload
Switch2: VLAN101 | 802.3 | Payload
AC: VLAN101 | 802.3 | Payload

If the direct forwarding mode is used, configure the interfaces on Switch1 and Switch2
between the APs and AC and the AC interfaces (including the uplink and downlink
interfaces) to permit packets from VLAN101 and VLAN102 to pass through.
NOTE

If no switch exists between the APs and AC, configure the AC interfaces (including the uplink and
downlink interfaces) to permit packets from VLAN101 and VLAN102 to pass through.
l Tunnel forwarding mode

As shown in Figure 9-9, in tunnel forwarding mode, when a STA roams from AP_1 to
AP_2 and the data packets arrive at AP_2, AP_2 tags the packets with VLAN101,
encapsulates the packets in the CAPWAP tunnel, tags the packets with VLAN200, and
forwards them to the AC. When the packets arrive at the AC, the AC decapsulates the
CAPWAP packets, and forwards the packets to the upper-level network device. When a
STA roams from AP_2 to AP_1 and the data packets arrive at AP_1, AP_1 tags the
packets with VLAN102, encapsulates the packets in the CAPWAP tunnel, tags the
packets with VLAN100, and forwards them to the AC. When the packets arrive at the
AC, the AC decapsulates the CAPWAP packets, and forwards the packets to the upper-
level network device.

Figure 9-9 Networking diagram of roaming between APs in different service VLANs in
tunnel forwarding mode

[Figure: A STA roams from AP_1 (service VLAN 101, management VLAN 100, SSID test,
channel 1, connected to Switch1) to AP_2 (service VLAN 102, management VLAN 200,
SSID test, channel 6, connected to Switch2). Both switches connect to the AC, which
connects to the Internet.]

Data packet on the AP_1 path:
STA: 802.11 | Payload
AP1: VLAN100 | 802.3 | UDP/IP | CAPWAP | VLAN101 | 802.3 | Payload
Switch1: VLAN100 | 802.3 | UDP/IP | CAPWAP | VLAN101 | 802.3 | Payload
AC: VLAN101 | 802.3 | Payload

Data packet on the AP_2 path:
STA: 802.11 | Payload
AP2: VLAN200 | 802.3 | UDP/IP | CAPWAP | VLAN101 | 802.3 | Payload
Switch2: VLAN200 | 802.3 | UDP/IP | CAPWAP | VLAN101 | 802.3 | Payload
AC: VLAN101 | 802.3 | Payload

If the tunnel forwarding mode is used, configure the uplink interface on the AC to permit
packets from VLAN101 and VLAN102 to pass through.

Procedure
You can perform the following operations in any sequence based on the site requirements:

9.6.1 Configuring Non-Fast Roaming Between APs in Different Service VLANs

Procedure
Step 1 Configure non-fast roaming.

Any of the following security policies can be configured for an AP:

l WEP open system authentication
l WEP shared key authentication
l WPA/WPA2-PSK
l WPA-802.1X
l WPA2-802.1X (PMK fast roaming is not supported by STAs.)

After basic service configurations are complete, the STAs can implement non-fast roaming.

----End

9.6.2 Configuring Fast Roaming Between APs in Different Service VLANs

Procedure
Step 1 Configure fast roaming.
Before configuring PMK fast roaming, ensure that STAs support PMK fast roaming
technology and the security policy configured for each AP involved in roaming is
WPA2-802.1X. After basic service configurations are complete, the STAs can implement
PMK fast roaming.

----End

9.6.3 (Optional) Configuring 802.11r Fast Roaming

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run ssid-profile name profile-name

The SSID profile view is displayed.

Step 4 Run dot11r enable [ reassociate-timeout time ]

802.11r fast roaming is enabled.

By default, 802.11r fast roaming is disabled on an AC.

After 802.11r fast roaming is enabled, the re-association timeout period is 1 second by
default.

Step 5 Run quit

Return to the WLAN view.

Step 6 Run vap-profile name profile-name

The VAP profile view is displayed.

Step 7 Run ssid-profile profile-name


The SSID profile is bound to a VAP profile.
By default, the SSID profile default is bound to a VAP profile.

----End

Verifying the Configuration


l Run the display ssid-profile { all | name profile-name } command to check information
about the 802.11r fast roaming function in the SSID profile.

9.6.4 Verifying the Roaming Configuration


Procedure
l Run the display station roam-track sta-mac mac-address command to check the
specified STA roaming track.
l Run the display station sta-mac mac-address command to check the access information
about the specified STA and check whether the AP connected to the STA changes.
----End

9.7 Configuring Inter-AC Roaming


Multiple ACs are required on medium and large WLAN networks to meet the coverage
requirements. When a STA roams between different ACs, services are not interrupted.

Pre-configuration Tasks
Before configuring inter-AC roaming, complete the following tasks:
l Perform the task of 5 WLAN Service Configuration.
l Perform the following configurations on the APs:
– Associate the APs to different ACs.
– Configure the same security policy.
– Set the same SSID.
– If NAC is configured on ACs, ensure that all ACs engaged in roaming are
configured with the same authentication and authorization policies and deliver the
same authentication and authorization policies to all APs.

Configuration Procedure

9.7.1 (Optional) Configuring DTLS Encryption of an Inter-AC Tunnel

Context
ACs of a mobility group set up tunnels to synchronize data and transmit packets. After DTLS
encryption of an inter-AC tunnel is enabled, and the AC obtains the IP address of another AC
through the discovery mechanism, the ACs enter the DTLS negotiation stage, in which the
ACs use DTLS to set up a tunnel and encrypt UDP packets forwarded in the tunnel. This
improves packet transmission security.

It is recommended that you configure the same PSK on the ACs at both ends before enabling
DTLS encryption. In this way, the ACs have the same PSK. If you enable DTLS encryption
first, and the ACs have different PSKs, DTLS negotiation fails. As a result, the tunnel cannot
be set up between the two ACs.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run capwap dtls inter-controller psk psk-value

The default PSK for DTLS encryption of an inter-AC tunnel is huawei_seccwp.

Step 3 Run capwap dtls inter-controller control-link encrypt

DTLS encryption for an inter-AC control tunnel is enabled.

By default, DTLS encryption for an inter-AC control tunnel is disabled.

----End

9.7.2 (Optional) Configuring Encryption for Sensitive Information Between ACs

Context
In inter-AC roaming scenarios, ACs may need to exchange sensitive information such as the
user name and password. A PSK is required to protect data transmitted between the ACs.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run capwap inter-controller sensitive-info psk key-value

A PSK is configured for encrypting sensitive information between ACs.

By default, no PSK is configured for encrypting sensitive information between ACs.

----End

9.7.3 Configuring a Mobility Group


Context
On a WLAN, STAs can roam only between ACs in the same mobility group, not between any
two ACs. Perform the following operations on each AC to specify the IP address for setting
up links with other ACs, create a mobility group, and add member ACs to the mobility group.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run mobility-server local ip-address ipv4-address
A local IP address is configured for setting up links between ACs in a mobility group.
By default, no local IP address is configured for setting up links between ACs in a mobility
group.
Step 4 Run mobility-group name group-name
The mobility group view is displayed.
By default, no mobility group is created.
Step 5 Run member ip-address ipv4-address [ description description ]
A member AC is added to the mobility group.
By default, no member AC is added to a mobility group.
The IP address added in this step is the AC's source IP address.

----End
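
A pre-deployment check for the settings in 9.7.1 to 9.7.3, as an added example (not part of this guide or of the device software): it reads the commands planned for each AC, using only the command syntax shown above, and reports the conditions this chapter describes (DTLS left disabled, the documented default PSK left in place, different DTLS PSKs on the two ends, no sensitive-information PSK, a peer AC missing from the member list, differing mobility group names, more than 16 members). The finding names, the PSK values, the IP addresses, and the group name are constructed for illustration.

```python
DEFAULT_DTLS_PSK = "huawei_seccwp"   # default inter-AC DTLS PSK stated in 9.7.1
MAX_GROUP_MEMBERS = 16               # per-mobility-group AC limit stated in 9.3

# Constructed sample: the commands an operator plans to type on each AC.
# PSK values, IP addresses and the group name are placeholders, not real settings.
SAMPLE_PLANS = {
    "AC_1": """
        system-view
        capwap dtls inter-controller psk Constructed-Psk-01
        capwap dtls inter-controller control-link encrypt
        capwap inter-controller sensitive-info psk Constructed-Info-01
        wlan
        mobility-server local ip-address 192.0.2.1
        mobility-group name campus
        member ip-address 192.0.2.1
        member ip-address 192.0.2.2
    """,
    "AC_2": """
        system-view
        capwap dtls inter-controller control-link encrypt
        wlan
        mobility-server local ip-address 192.0.2.2
        mobility-group name campus
        member ip-address 192.0.2.1
        member ip-address 192.0.2.2
    """,
}


def parse_plan(text):
    """Extract the inter-AC roaming settings from a list of planned commands."""
    plan = {"dtls_psk": None, "dtls_encrypt": False, "info_psk": None,
            "local_ip": None, "group": None, "members": []}
    for line in text.splitlines():
        w = line.split()
        if w[:4] == ["capwap", "dtls", "inter-controller", "psk"] and len(w) == 5:
            plan["dtls_psk"] = w[4]
        elif w == ["capwap", "dtls", "inter-controller", "control-link", "encrypt"]:
            plan["dtls_encrypt"] = True
        elif w[:4] == ["capwap", "inter-controller", "sensitive-info", "psk"] and len(w) == 5:
            plan["info_psk"] = w[4]
        elif w[:3] == ["mobility-server", "local", "ip-address"] and len(w) == 4:
            plan["local_ip"] = w[3]
        elif w[:2] == ["mobility-group", "name"] and len(w) == 3:
            plan["group"] = w[2]
        elif w[:2] == ["member", "ip-address"] and len(w) >= 3:
            plan["members"].append(w[2])
    return plan


def audit(plans):
    """Return sorted (ac, finding) pairs; an empty list means no issue found."""
    parsed = {ac: parse_plan(text) for ac, text in plans.items()}
    findings = []
    for ac, p in parsed.items():
        if not p["dtls_encrypt"]:
            findings.append((ac, "DTLS_DISABLED"))          # disabled by default
        elif p["dtls_psk"] in (None, DEFAULT_DTLS_PSK):
            findings.append((ac, "DTLS_DEFAULT_PSK"))       # published default in use
        if p["info_psk"] is None:
            findings.append((ac, "NO_SENSITIVE_INFO_PSK"))  # none configured by default
        if p["local_ip"] is None:
            findings.append((ac, "NO_LOCAL_IP"))
        if len(p["members"]) > MAX_GROUP_MEMBERS:
            findings.append((ac, "TOO_MANY_MEMBERS"))
        for peer, q in parsed.items():
            if peer != ac and q["local_ip"] and q["local_ip"] not in p["members"]:
                findings.append((ac, "PEER_NOT_MEMBER:" + peer))
    # Cross-AC checks: DTLS negotiation fails if PSKs differ; group names must match.
    psks = {p["dtls_psk"] or DEFAULT_DTLS_PSK for p in parsed.values() if p["dtls_encrypt"]}
    if len(psks) > 1:
        findings.append(("*", "DTLS_PSK_MISMATCH"))
    if len({p["group"] for p in parsed.values()}) > 1:
        findings.append(("*", "GROUP_NAME_MISMATCH"))
    return sorted(findings)


if __name__ == "__main__":
    for ac, finding in audit(SAMPLE_PLANS):
        print(ac, finding)
```

In the sample, AC_2 enables DTLS without setting a PSK, so it keeps the default value while AC_1 uses a different one; per 9.7.1 the negotiation would fail and the tunnel would not come up.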

9.7.4 (Optional) Configuring 802.11r Fast Roaming


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ssid-profile name profile-name
The SSID profile view is displayed.
Step 4 Run dot11r enable [ reassociate-timeout time ]
802.11r fast roaming is enabled.

By default, 802.11r fast roaming is disabled on an AC.
After 802.11r fast roaming is enabled, the re-association timeout period is 1 second by
default.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 7 Run ssid-profile profile-name
The SSID profile is bound to a VAP profile.
By default, the SSID profile default is bound to a VAP profile.

----End

Verifying the Configuration


l Run the display ssid-profile { all | name profile-name } command to check information
about the 802.11r fast roaming function in the SSID profile.

9.7.5 Verifying the Inter-AC Roaming Configuration


Prerequisites
WLAN roaming configuration is complete.

Procedure
l Run the display mobility-group { name group-name | all } command to view
configurations of a mobility group.
----End

9.8 Configuring Agile Distributed SFN Roaming


Context
In agile distributed Wi-Fi networking, some scenarios, such as healthcare scenarios, require
high network connection stability. In this case, you can run the sfn-roam enable
command to enable agile distributed SFN roaming. All RUs are deployed to work on the same
channel and use the same BSSID for communicating with STAs. When the STAs move within
the signal coverage of the same SSID, they are not aware of roaming and services are not
interrupted.

Pre-configuration Tasks
Before configuring agile distributed SFN roaming, complete the following tasks:
● Configure the central AP and RUs to go online.
● Configure STAs to go online.
● Configure all RUs to work on the same channel. For details, see 5.11.1.1 Configuring
Basic Radio Parameters.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
By default, the system provides the VAP profile default.
Step 4 Run sfn-roam enable
Agile distributed SFN roaming is enabled.
By default, agile distributed SFN roaming is disabled.
Step 5 Bind the VAP profile to an AP group. For details, see 5.11.2.11 Binding VAP Profiles.
Step 6 Run quit
Return to the WLAN view.
Step 7 (Optional) Configure agile distributed SFN roaming parameters.
1. Run the rrm-profile name profile-name command to create an RRM profile and enter
the RRM profile view.
By default, the system provides the RRM profile default.
2. Configure agile distributed SFN roaming decision parameters.
– Run the sfn-roam roam-check check-interval check-interval-value command to
set the decision period for agile distributed SFN roaming.
The default decision period for agile distributed SFN roaming is 700 milliseconds.
– Run the sfn-roam report-interval report-interval-value command to set the
interval for RUs to report STA RSSIs.
By default, RUs report STA RSSIs to the central AP at an interval of 400
milliseconds.
– Run the sfn-roam roam-check sta-holding times sta-holding-times command to
set the number of STA holding times for agile distributed SFN roaming.
By default, the number of STA holding times for agile distributed SFN roaming is
3.
– Configure parameters that affect criteria for determining the cumulative RSSI
change value of STAs.
■ Run the sfn-roam roam-check rssi-accumulate threshold rssi-accumulate-value
command to set the cumulative RSSI change threshold for agile
distributed SFN roaming.
By default, the cumulative RSSI change threshold of agile distributed SFN
roaming STAs is 8 dB.
– Configure parameters that affect criteria for determining the RSSI gap.
■ Run the sfn-roam roam-check gap-rssi gap-rssi command to set the RSSI
gap for agile distributed SFN roaming RUs.
The default RSSI gap for agile distributed SFN roaming RUs is 6 dB.
– Configure parameters that affect criteria for determining the higher RSSI of agile
distributed roaming RUs than that of the local RU.
■ Run the sfn-roam roam-check better-times better-times command to set the
number of times the RSSI of agile distributed SFN roaming RUs is higher than
that of the local RU.
By default, the number of times the RSSI of agile distributed SFN roaming
RUs is higher than that of the local RU is 2.
■ Run the sfn-roam roam-check high-threshold high-threshold-value
command to set the upper RSSI threshold for agile distributed SFN roaming.
By default, the upper RSSI threshold for agile distributed SFN roaming is -55
dBm.
■ Run the sfn-roam roam-check low-threshold low-threshold-value command
to set the lower RSSI threshold for agile distributed SFN roaming.
By default, the lower RSSI threshold for agile distributed SFN roaming is -60
dBm.
3. Run the quit command to return to the WLAN view.
4. Enter the AP group radio view.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
5. Configure radio parameters related to agile distributed SFN roaming.
– Run the cts disable command to disable RUs from responding to STAs with CTS
packets.
By default, RUs are enabled to respond to STAs with CTS packets.
– Run the cts delay delay-time command to set a delay for RUs to respond to STAs
with CTS packets.
By default, RUs respond to STAs with CTS packets with no delay.
– Run the beacon disable command to disable RUs from sending Beacon frames.
By default, RUs are enabled to send Beacon frames.
6. Run the quit command to return to the AP group view.
7. Run the quit command to return to the WLAN view.
8. Run the radio-2g-profile name profile-name or radio-5g-profile name profile-name
command to enter the 2G or 5G radio profile view.
9. Run the rrm-profile profile-name command to bind the RRM profile to the 2G or 5G
radio profile.
10. Run the quit command to return to the WLAN view.
11. Bind the radio profile to an AP group. For details, see 5.11.1.5 Binding a Radio Profile.

----End

Verifying the Configuration


● Run the display vap-profile { all | name profile-name } command to check the agile
distributed SFN roaming state in the VAP profile.
● Run the display rrm-profile { all | name profile-name } command to check agile
distributed SFN roaming parameters in the RRM profile.

9.9 Configuration Examples for Roaming

9.9.1 Example for Configuring Non-Fast Roaming Between APs in the Same Service VLAN

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 9-10, a department in a campus network deploys two APs that are
managed and controlled by an AC. The AC dynamically assigns IP addresses to the APs and
STAs. All users in the department belong to the same VLAN, that is, AP1 and AP2 use the
same service VLAN. User data is forwarded through tunnels.
The department requires that services should not be interrupted when a STA moves from AP1
to AP2.

Figure 9-10 Networking diagram for configuring non-fast roaming between APs in the same
service VLAN
[Figure labels: Internet; AC (GE0/0/3, VLAN 101; GE0/0/1, VLAN 100); SwitchA (GE0/0/3,
GE0/0/1, and GE0/0/2, all VLAN 100); AP1: area_1; AP2: area_2]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
2. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
APs.
3. Configure basic WLAN services to enable the STAs to connect to the WLAN.

Table 9-7 Data planning

Item                            Data
DHCP server                     The AC functions as a DHCP server to assign IP addresses to the STAs and APs.
IP address pool for the APs     10.23.100.2-10.23.100.254/24
IP address pool for the STAs    10.23.101.2-10.23.101.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        ● Name: ap-group1
                                ● Referenced profile: VAP profile wlan-vap and regulatory domain profile domain1
Regulatory domain profile       ● Name: domain1
                                ● Country code: CN
SSID profile                    ● Name: wlan-ssid
                                ● SSID name: wlan-net
Security profile                ● Name: wlan-security
                                ● Security policy: WPA2+PSK+AES
                                ● Password: a1234567
VAP profile                     ● Name: wlan-vap
                                ● Forwarding mode: tunnel forwarding
                                ● Service VLAN: VLAN 101
                                ● Referenced profile: SSID profile wlan-ssid and security profile wlan-security

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the AC and Switch_A so that the APs and AC can transmit CAPWAP packets.
# Configure Switch_A: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management VLAN
100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] port-isolate enable
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects the AC to Switch_A to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


# Add AC uplink interface GE0/0/3 to VLAN 101.
[AC] vlan batch 101
[AC] interface gigabitethernet 0/0/3
[AC-GigabitEthernet0/0/3] port link-type trunk
[AC-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/3] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs.
# Configure a DHCP server to assign IP addresses to the APs from the IP address pool on
VLANIF 100 and assign IP addresses to STAs from the IP address pool on VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the APs to go online.


# Create an AP group and add the APs to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to AP group ap-group1. Assume that the
APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640. Configure names for the APs
based on the APs' deployment locations, so that you can know where the APs are deployed
from their names. For example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   5M:2S  -
1    60de-4474-9640 area_2 ap-group1 10.23.100.253 AP5030DN nor   0   5M:4S  -
--------------------------------------------------------------------------------------------------
Total: 2

Step 6 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.

[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Verify the configuration.

After the service configuration is complete, run the display vap ssid wlan-net command. If
Status in the command output is displayed as ON, the VAPs have been successfully created
on AP radios.
[AC-wlan-view] display vap ssid wlan-net
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA2-PSK 0 wlan-net
1 area_2 0 1 60DE-4474-9640 ON WPA2-PSK 0 wlan-net
1 area_2 1 1 60DE-4474-9650 ON WPA2-PSK 0 wlan-net

-------------------------------------------------------------------------------
Total: 4

In the coverage area of AP1, connect the STA to the wireless network with SSID wlan-net
and enter the password a1234567. After the STA successfully associates with the network,
run the display station ssid wlan-net command on the AC. The command output shows that
the STA with MAC address e019-1dc7-1e08 has associated with AP1.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 0     area_1  1/1     5G   11n  38/64 -68  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

When the STA moves from the coverage of AP1 to AP2, run the display station ssid wlan-net
command on the AC to check the STA access information. The STA is associated with
AP2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08 1     area_2  1/1     5G   11n  46/59 -58  101  10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

Run the display station roam-track sta-mac e019-1dc7-1e08 command on the AC to check
the STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:huawei
Rx/Tx:link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 0
60de-4476-e360 2015/02/07 17:48:30 -51/-48 46/13
L2 10.23.100.1 area_2 0
60de-4474-9640 2015/02/07 17:54:50 -58/- -/-
------------------------------------------------------------------------------
Number: 1

----End

Configuration Files
● Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
 ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
  ap-name area_2
  ap-group ap-group1
#
return
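
The Configuration Notes for this example require a service VLAN that differs from the management VLAN in tunnel forwarding mode, and port isolation on the switch interfaces connected to APs. The following Python check is an added example, not part of the Huawei guide: it applies both notes to saved configuration files in the format shown above. The function names are hypothetical, the sample configurations are constructed from this example's files, and treating trunk ports whose PVID is the management VLAN as AP-facing is an assumption.

```python
import re


def walk(config_text):
    """Yield (parent_commands, command) pairs; nesting follows leading spaces."""
    stack = []  # (indent, command) for each open parent view
    for raw in config_text.splitlines():
        command = raw.strip()
        if not command or command == "#":  # "#" only separates stanzas
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        yield tuple(cmd for _, cmd in stack), command
        stack.append((indent, command))


def management_vlan(ac_text):
    """Return the VLAN ID of the CAPWAP source VLANIF, or None if absent."""
    for parents, command in walk(ac_text):
        match = re.fullmatch(r"capwap source interface vlanif\s*(\d+)", command, re.I)
        if match and not parents:
            return int(match.group(1))
    return None


def check_tunnel_vlans(ac_text):
    """Flag VAP profiles that tunnel a service VLAN equal to the management VLAN."""
    mgmt = management_vlan(ac_text)
    profiles = {}
    for parents, command in walk(ac_text):
        owner = next((p.split()[-1] for p in parents
                      if p.startswith("vap-profile name ")), None)
        if owner is None:
            continue
        profile = profiles.setdefault(owner, {"tunnel": False, "vlan": None})
        if command == "forward-mode tunnel":  # assumption: no such line means not tunnel
            profile["tunnel"] = True
        match = re.fullmatch(r"service-vlan vlan-id (\d+)", command)
        if match:
            profile["vlan"] = int(match.group(1))
    return [f"vap-profile {name}: tunnel forwarding uses management VLAN {mgmt} as service VLAN"
            for name, p in sorted(profiles.items())
            if p["tunnel"] and mgmt is not None and p["vlan"] == mgmt]


def check_port_isolation(switch_text, mgmt_vlan):
    """Flag AP-facing trunk ports (assumed: PVID == management VLAN) without isolation."""
    ports = {}
    for parents, command in walk(switch_text):
        if len(parents) == 1 and parents[0].startswith("interface "):
            ports.setdefault(parents[0].split(None, 1)[1], []).append(command)
    findings = []
    for name, commands in ports.items():
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in commands
        isolated = any(c.startswith("port-isolate enable") for c in commands)
        if ap_facing and not isolated:
            findings.append(f"{name}: AP-facing trunk port has no port-isolate enable")
    return findings


# Constructed sample input, modelled on the configuration files of this example.
AP_PORT = (" port link-type trunk\n port trunk pvid vlan 100\n"
           " port trunk allow-pass vlan 100\n port-isolate enable group 1\n")
SWITCH_OK = ("#\nsysname Switch_A\n#\nvlan batch 100\n"
             "#\ninterface GigabitEthernet0/0/1\n" + AP_PORT +
             "#\ninterface GigabitEthernet0/0/2\n" + AP_PORT +
             "#\ninterface GigabitEthernet0/0/3\n"
             " port link-type trunk\n port trunk allow-pass vlan 100\n#\nreturn\n")
# Constructed faulty variant: port isolation removed from GE0/0/2 only.
SWITCH_BAD = SWITCH_OK.replace(
    " port-isolate enable group 1\n#\ninterface GigabitEthernet0/0/3",
    "#\ninterface GigabitEthernet0/0/3")

AC_OK = ("#\ncapwap source interface vlanif100\n#\nwlan\n"
         " vap-profile name wlan-vap\n"
         "  forward-mode tunnel\n"
         "  service-vlan vlan-id 101\n"
         "  ssid-profile wlan-ssid\n"
         "  security-profile wlan-security\n"
         " ap-group name ap-group1\n"
         "  radio 0\n"
         "   vap-profile wlan-vap wlan 1\n#\nreturn\n")
# Constructed faulty variant: service VLAN set to the management VLAN.
AC_BAD = AC_OK.replace("service-vlan vlan-id 101", "service-vlan vlan-id 100")

if __name__ == "__main__":
    for label, ac, sw in (("as documented", AC_OK, SWITCH_OK),
                          ("faulty variant", AC_BAD, SWITCH_BAD)):
        issues = check_tunnel_vlans(ac) + check_port_isolation(sw, management_vlan(ac))
        print(label, "->", issues or "no findings")
```
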

9.9.2 Example for Configuring Fast Roaming Between APs in the Same Service VLAN

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 9-11, a department in a campus network deploys two APs that are
managed and controlled by an AC. The AC dynamically assigns IP addresses to the APs and
STAs. All users in the department belong to the same VLAN, that is, AP1 and AP2 use the
same service VLAN. The security policy WPA2-802.1X is used. User data is forwarded
through tunnels.
The department requires that services should not be interrupted when a STA moves from AP1
to AP2.

Figure 9-11 Networking diagram for configuring fast roaming between APs in the same
service VLAN
[Figure labels: Internet; RADIUS server 10.23.103.1:1812; AC (GE0/0/3, VLAN 101; GE0/0/4,
VLAN 102; GE0/0/1, VLAN 100); Switch_A (GE0/0/3, GE0/0/1, and GE0/0/2, all VLAN 100);
AP1: area_1; AP2: area_2]


Configuration Roadmap
The configuration roadmap is as follows:
1. The security policy WPA2+802.1X+AES is used and access authentication is required,
which results in longer roaming switchover time. Configure fast roaming between APs in
the same service VLAN to ensure nonstop service transmission during roaming.
2. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
APs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.

Table 9-8 Data planning

Item                              Data
DHCP server                       The AC functions as a DHCP server to assign IP addresses to the STAs and APs.
IP address pool for the APs       10.23.100.2-10.23.100.254/24
IP address pool for the STAs      10.23.101.2-10.23.101.254/24
AC's source interface address     VLANIF100: 10.23.100.1/24
RADIUS authentication parameters  ● Name of a RADIUS server template: radius_huawei
                                  ● IP address: 10.23.103.1
                                  ● Authentication port number: 1812
                                  ● Shared key: huawei@123
                                  ● Authentication scheme: radius_huawei
User name and password of STAs    ● User name: test@huawei.com
                                  ● Password: 123456
802.1X access profile             ● User name: wlan-dot1x
                                  ● Authentication mode: EAP
Authentication profile            ● Name: wlan-authentication
                                  ● Referenced profile, authentication scheme, and template: 802.1X access
                                    profile wlan-dot1x, authentication scheme radius_huawei, and
                                    RADIUS server template radius_huawei
AP group                          ● Name: ap-group1
                                  ● Referenced profile: VAP profile wlan-vap and regulatory domain profile domain1
Regulatory domain profile         ● Name: domain1
                                  ● Country code: CN
SSID profile                      ● Name: wlan-ssid
                                  ● SSID name: wlan-net
Security profile                  ● Name: wlan-security
                                  ● Security policy: WPA2+802.1X+AES
VAP profile                       ● Name: wlan-vap
                                  ● Forwarding mode: tunnel forwarding
                                  ● Service VLAN: VLAN 101
                                  ● Referenced profile: SSID profile wlan-ssid and security profile wlan-security

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the AC and Switch_A so that the APs and AC can transmit CAPWAP packets.
# Configure Switch_A: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management VLAN
100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] port-isolate enable
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects the AC to Switch_A to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


# Add AC uplink interface GE0/0/3 to VLAN 101 and add GE0/0/4 of the AC connecting to
the RADIUS server to VLAN 102.
[AC] vlan batch 101 102
[AC] interface gigabitethernet 0/0/3
[AC-GigabitEthernet0/0/3] port link-type trunk
[AC-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/3] quit
[AC] interface gigabitethernet 0/0/4
[AC-GigabitEthernet0/0/4] port link-type trunk
[AC-GigabitEthernet0/0/4] port trunk pvid vlan 102
[AC-GigabitEthernet0/0/4] port trunk allow-pass vlan 102
[AC-GigabitEthernet0/0/4] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and APs, and configure
VLANIF 102 to allow the AC to communicate with the RADIUS server.
# Configure a DHCP server to assign IP addresses to the APs from the IP address pool on
VLANIF 100 and assign IP addresses to STAs from the IP address pool on VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

# Configure VLANIF 102.


[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.103.2 24
[AC-Vlanif102] quit

Step 5 Configure the APs to go online.


# Create an AP group and add the APs to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to AP group ap-group1. Assume that the
APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640. Configure names for the APs
based on the APs' deployment locations, so that you can know where the APs are deployed
from their names. For example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    5M:2S   -
1   60de-4474-9640  area_2  ap-group1  10.23.100.253  AP5030DN  nor    0    5M:4S   -
--------------------------------------------------------------------------------------------------
Total: 2

Step 6 Configure RADIUS authentication parameters.


NOTE
Configure the same shared key for the AC and RADIUS server.

# Create a RADIUS server template.


[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.23.103.1 1812
[AC-radius-radius_huawei] radius-server shared-key cipher huawei@123
[AC-radius-radius_huawei] quit

# Configure a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit

# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

NOTE

If the domain name huawei.com is configured, you need to add the domain name when entering the user
name.

# Test whether a STA can be authenticated using RADIUS authentication. A user name
test@huawei.com and password 123456 have been configured on the RADIUS server.
[AC] test-aaa test@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.

Step 7 Configure an 802.1X access profile to manage 802.1X access control parameters.

# Create the 802.1X access profile wlan-dot1x.


[AC] dot1x-access-profile name wlan-dot1x

# Set the authentication mode to EAP relay.


[AC-dot1x-access-profile-wlan-dot1x] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-dot1x] quit

Step 8 Configure an authentication profile named wlan-authentication, apply the 802.1X access
profile, and configure a forcible authentication domain.
[AC] authentication-profile name wlan-authentication
[AC-authen-profile-wlan-authentication] dot1x-access-profile wlan-dot1x
[AC-authen-profile-wlan-authentication] access-domain huawei.com dot1x force
[AC-authen-profile-wlan-authentication] quit

Step 9 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLANs, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] authentication-profile wlan-authentication
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 10 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 11 Verify the configuration.


After the configuration is complete, the STA can discover the WLAN with the SSID wlan-net
in the coverage area of AP1. Use 802.1X authentication on the STA and enter the user name
and password. If the authentication succeeds, the STA can connect to the Internet. Configure
the STA according to the configured authentication mode PEAP.
• Configuration on the Windows XP operating system:
a. On the Association tab page of the Wireless network properties dialog box, add
SSID wlan-net, set the authentication mode to WPA2, encryption mode to CCMP,
and encryption algorithm to AES.
b. On the Authentication tab page, set EAP type to PEAP and click Properties. In
the Protected EAP Properties dialog box, deselect Validate server certificate and
click Configure. In the displayed dialog box, deselect Automatically use my
Windows logon name and password and click OK.
• Configuration on the Windows 7 operating system:
a. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
b. Click Change connection settings. On the Wireless Network Properties page that
is displayed, select the Security tab page and click Settings. On the Protected EAP
Properties page, deselect Validate server certificate and click Configure. On the
dialog box that is displayed, deselect Automatically use my Windows logon name
and password and click OK.
c. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication mode, set
the identity authentication mode to User authentication, and click OK.
In the coverage area of AP1, connect the STA to the wireless network with SSID wlan-net
and enter the password 123456. After the STA successfully associates with the network, run
the display station ssid wlan-net command on the AC. The command output shows that the
STA with MAC address e019-1dc7-1e08 has associated with AP1.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   38/64  -68   101   10.23.101.254
---------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

When the STA moves from the coverage of AP1 to AP2, run the display station ssid wlan-net
command on the AC to check the STA access information. The STA is associated with
AP2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------------
e019-1dc7-1e08  1      area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
---------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

Run the display station roam-track sta-mac e019-1dc7-1e08 command on the AC to check
the STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:huawei
Rx/Tx:link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 0
60de-4476-e360 2015/02/07 17:48:30 -51/-48 46/13
L2 10.23.100.1 area_2 0
60de-4474-9640 2015/02/07 17:54:50 -58/- -/-
------------------------------------------------------------------------------
Number: 1

----End

Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name wlan-authentication
 dot1x-access-profile wlan-dot1x
 authentication-scheme radius_huawei
 radius-server radius_huawei
#
dot1x-access-profile name wlan-dot1x
#
dhcp enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
 radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.103.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 102
 port trunk allow-pass vlan 102
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 dot1x aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile wlan-authentication
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
 ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
  ap-name area_2
  ap-group ap-group1
#
return

9.9.3 Example for Configuring Non-Fast Roaming Between APs in Different Service VLANs

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 9-12, two APs are deployed in a campus network to provide WLAN
services for employees of two departments, and are managed and controlled by an AC. The
AC dynamically assigns IP addresses to the APs and STAs. The employees of the two
departments belong to different VLANs, that is, AP1 belongs to VLAN101 and AP2 belongs
to VLAN102. The default security policy (WEP open system authentication) is used. User
data is forwarded through tunnels.
The department requires that services should not be interrupted when a STA moves from AP1
to AP2.

Figure 9-12 Networking diagram for configuring non-fast roaming between APs in different
service VLANs

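[Figure: The AC connects to the Internet through GE0/0/3 (VLAN 101, VLAN 102) and to GE0/0/3 of
SwitchA through GE0/0/1 (VLAN 100). SwitchA connects to AP1 (area_1, channel 1) through GE0/0/1
and to AP2 (area_2, channel 6) through GE0/0/2, both in VLAN 100. AP1: management VLAN 100,
service VLAN 101. AP2: management VLAN 100, service VLAN 102. The STA roams from AP1 to AP2.]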

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
2. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
APs.
3. Configure basic WLAN services to enable the STAs to connect to the WLAN.

Table 9-9 Data planning

Item                           Data

DHCP server                    The AC functions as a DHCP server to assign IP addresses to the
                               STAs and APs.

IP address pool for the APs    10.23.100.2-10.23.100.254/24

IP address pool for the STAs   10.23.101.2-10.23.101.254/24
                               10.23.102.2-10.23.102.254/24

AC's source interface address  VLANIF100: 10.23.100.1/24

AP group                       • Name: ap-group1
                               • Referenced profile: VAP profile wlan-vap1 and regulatory domain
                                 profile domain1

                               • Name: ap-group2
                               • Referenced profile: VAP profile wlan-vap2 and regulatory domain
                                 profile domain1

Regulatory domain profile      • Name: domain1
                               • Country code: CN

SSID profile                   • Name: wlan-ssid
                               • SSID name: wlan-net

Security profile               • Name: wlan-security
                               • Security policy: WPA2+PSK+AES
                               • Password: a1234567

VAP profile                    • Name: wlan-vap1
                               • Forwarding mode: tunnel forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profile: SSID profile wlan-ssid and security profile
                                 wlan-security

                               • Name: wlan-vap2
                               • Forwarding mode: tunnel forwarding
                               • Service VLAN: VLAN 102
                               • Referenced profile: SSID profile wlan-ssid and security profile
                                 wlan-security

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
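
The last two notes can be checked mechanically against saved configuration files before deployment. The following Python script is an added example, not part of the Huawei guide: it parses configuration text in the format of this chapter's "Configuration Files" listings and reports tunnel-mode VAP profiles whose service VLAN equals the management VLAN, and AP-facing switch ports without port isolation. The function names, the constructed sample configurations, and the rule that a trunk port whose PVID is the management VLAN is AP-facing (as on Switch_A in these examples) are assumptions.

```python
import re

# Constructed samples in the format of this chapter's "Configuration Files" listings.
# wlan-vap-bad and the missing port-isolate line on GE0/0/2 are deliberate errors.
AC_CONFIG = """\
#
sysname AC
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-vap1
  forward-mode tunnel
  service-vlan vlan-id 101
  security-profile wlan-security
 vap-profile name wlan-vap2
  forward-mode tunnel
  service-vlan vlan-id 102
 vap-profile name wlan-vap-bad
  forward-mode tunnel
  service-vlan vlan-id 100
 ap-group name ap-group1
  radio 0
   vap-profile wlan-vap1 wlan 1
#
return
"""

SWITCH_CONFIG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
"""

# "<object> name <x>" or "ap-id <n>" opens a new object and ends the current profile.
_NEW_OBJECT = re.compile(r"(?:[\w-]+ name \S+|ap-id \d+)")


def management_vlan(ac_config):
    """Return the VLAN ID of the CAPWAP source interface (the management VLAN)."""
    m = re.search(r"^\s*capwap source interface vlanif\s*(\d+)", ac_config, re.M | re.I)
    return int(m.group(1)) if m else None


def vap_profiles(ac_config):
    """Map each VAP profile name to its forwarding mode and service VLAN."""
    profiles, current = {}, None
    for raw in ac_config.splitlines():
        line = raw.strip()  # tolerate listings that lost their indentation
        m = re.match(r"vap-profile name (\S+)", line)
        if m:
            current = profiles.setdefault(
                m.group(1), {"forward_mode": None, "service_vlan": None})
            continue
        if line == "#" or _NEW_OBJECT.match(line):
            current = None
            continue
        if current is None:
            continue
        if line.startswith("forward-mode "):
            current["forward_mode"] = line.split()[1]
        m = re.match(r"service-vlan vlan-id (\d+)", line)
        if m:
            current["service_vlan"] = int(m.group(1))
    return profiles


def tunnel_vlan_conflicts(ac_config):
    """Names of tunnel-mode VAP profiles whose service VLAN is the management VLAN."""
    mgmt = management_vlan(ac_config)
    if mgmt is None:
        return []
    return sorted(name for name, p in vap_profiles(ac_config).items()
                  if p["forward_mode"] == "tunnel" and p["service_vlan"] == mgmt)


def unisolated_ap_ports(switch_config, mgmt_vlan):
    """AP-facing ports (assumed: trunk PVID == management VLAN) without port isolation."""
    findings = []
    for section in re.split(r"^#\s*$", switch_config, flags=re.M):
        lines = [l.strip() for l in section.strip().splitlines()]
        if not lines or not lines[0].startswith("interface "):
            continue
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in lines
        isolated = any(l.startswith("port-isolate enable") for l in lines)
        if ap_facing and not isolated:
            findings.append(lines[0].split()[1])
    return findings


if __name__ == "__main__":
    print("VLAN conflicts:", tunnel_vlan_conflicts(AC_CONFIG))
    print("Unisolated AP ports:", unisolated_ap_ports(SWITCH_CONFIG, management_vlan(AC_CONFIG)))
```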

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the AC and Switch_A so that the APs and AC can transmit CAPWAP packets.

# Configure Switch_A: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management VLAN
100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] port-isolate enable
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects the AC to Switch_A to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Connect the AC to the upper-level network device.

# Add the AC uplink interface GE0/0/3 to VLAN101 and VLAN102.


[AC] vlan batch 101 102
[AC] interface gigabitethernet 0/0/3
[AC-GigabitEthernet0/0/3] port link-type trunk
[AC-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[AC-GigabitEthernet0/0/3] quit

Step 4 Configure the AC to function as a DHCP server to assign IP addresses to the STAs and APs.

# Configure the DHCP server based on the interface address pool. VLANIF100 provides IP
addresses for AP1 and AP2, VLANIF101 provides IP addresses for STAs connected to AP1,
and VLANIF102 provides IP addresses for STAs connected to AP2.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit

Step 5 Configure the AP to go online.

# Create an AP group and add the AP to the AP group.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import APs offline on the AC and add AP1 to AP group ap-group1 and AP2 to AP group
ap-group2. Assume that the APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640.
Configure names for the APs based on the APs' deployment locations, so that you can know
where the APs are deployed from their names. For example, name the AP area_1 if it is
deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
--------------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    5M:2S   -
1   60de-4474-9640  area_2  ap-group2  10.23.100.253  AP5030DN  nor    0    5M:4S   -
--------------------------------------------------------------------------------------------------
Total: 2

Step 6 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profiles wlan-vap1 and wlan-vap2, set the data forwarding mode and service
VLANs, and apply the security profile wlan-security and SSID profile wlan-ssid to the VAP
profiles.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap2] quit

# Bind VAP profile wlan-vap1 to AP group ap-group1, and VAP profile wlan-vap2 to AP
group ap-group2, and apply the VAP profiles to radio 0 and radio 1 of the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] quit

Step 7 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Verify the configuration.

After the service configuration is complete, run the display vap ssid wlan-net command. If
Status in the command output is displayed as ON, the VAPs have been successfully created
on AP radios.
[AC-wlan-view] display vap ssid wlan-net
Info: This operation may take a few seconds, please wait.
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA2-PSK 0 wlan-net
1 area_2 0 1 60DE-4474-9640 ON WPA2-PSK 0 wlan-net
1 area_2 1 1 60DE-4474-9650 ON WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 4

In the coverage area of AP1, connect the STA to the wireless network with SSID wlan-net
and enter the password a1234567. After the STA successfully associates with the network,
run the display station ssid wlan-net command on the AC. The command output shows that
the STA with MAC address e019-1dc7-1e08 has associated with AP1.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08   0      area_1   1/1      5G    11n   38/64  -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

When the STA moves from the coverage of AP1 to AP2, run the display station ssid wlan-net
command on the AC to check the STA access information. The STA is associated with AP2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08   1      area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

Run the display station roam-track sta-mac e019-1dc7-1e08 command on the AC to check
the STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:huawei
Rx/Tx:link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3           AC IP                AP name        Radio ID
BSSID           TIME                 In/Out RSSI    Out Rx/Tx
------------------------------------------------------------------------------
--              10.23.100.1          area_1         0
60de-4476-e360  2015/02/07 17:48:30  -51/-48        46/13
L2              10.23.100.1          area_2         0
60de-4474-9640  2015/02/07 17:54:50  -58/-          -/-
------------------------------------------------------------------------------
Number: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101 to 102
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap1
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 vap-profile name wlan-vap2
  forward-mode tunnel
  service-vlan vlan-id 102
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap1 wlan 1
  radio 1
   vap-profile wlan-vap1 wlan 1
 ap-group name ap-group2
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap2 wlan 1
  radio 1
   vap-profile wlan-vap2 wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
 ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235554710CB000078
  ap-name area_2
  ap-group ap-group2
#
return

9.9.4 Example for Configuring Fast Roaming Between APs in Different Service VLANs

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 9-13, two APs are deployed in a campus network to provide WLAN
services for employees of two departments, and are managed and controlled by an AC. The
AC dynamically assigns IP addresses to the APs and STAs. The employees of the two
departments belong to different VLANs, that is, AP1 belongs to VLAN101 and AP2 belongs
to VLAN102. The security policy WPA2+802.1X+AES is used. User data is forwarded
through tunnels.
The department requires that services should not be interrupted when a STA moves from AP1
to AP2.

Figure 9-13 Networking diagram for configuring fast roaming between APs in different
service VLANs

[Figure not reproduced. Labels in the diagram: the AC connects to the Internet through
GE0/0/3 (VLAN 101, VLAN 102), to the RADIUS server 10.23.103.1:1812 through GE0/0/4
(VLAN 103), and to GE0/0/3 of SwitchA through GE0/0/1 (VLAN 100). SwitchA connects to
the two APs (AP1, AP2) through GE0/0/1 and GE0/0/2 (VLAN 100).]

Configuration Roadmap
The configuration roadmap is as follows:
1. The security policy WPA2+802.1X+AES is used and access authentication is required,
which results in longer roaming switchover time. Configure fast roaming between APs in
the same service VLAN to ensure nonstop service transmission during roaming.
2. Configure parameters used for communication between the AC and APs to transmit
CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to the STAs and
APs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
5. Configure key negotiation between STAs and APs to shorten the roaming switchover
time.

Table 9-10 Data planning

Item                              Data

DHCP server                       The AC functions as a DHCP server to assign IP addresses to
                                  the STAs and APs.

IP address pool for the APs       10.23.100.2-10.23.100.254/24

IP address pool for the STAs      10.23.101.2-10.23.101.254/24
                                  10.23.102.2-10.23.102.254/24

AC's source interface address     VLANIF100: 10.23.100.1/24

RADIUS authentication parameters  • Name of a RADIUS server template: radius_huawei
                                  • IP address: 10.23.103.1
                                  • Authentication port number: 1812
                                  • Shared key: huawei@123
                                  • Authentication scheme: radius_huawei

User name and password of STAs    • User name: test@huawei.com
                                  • Password: 123456

802.1X access profile             • User name: wlan-dot1x
                                  • Authentication mode: EAP

Authentication profile            • Name: wlan-authentication
                                  • Referenced profile, authentication scheme, and template:
                                    802.1X access profile wlan-dot1x, authentication scheme
                                    radius_huawei, and RADIUS server template radius_huawei

AP group                          • Name: ap-group1
                                  • Referenced profile: VAP profile wlan-vap1 and regulatory
                                    domain profile domain1

                                  • Name: ap-group2
                                  • Referenced profile: VAP profile wlan-vap2 and regulatory
                                    domain profile domain1

Regulatory domain profile         • Name: domain1
                                  • Country code: CN

SSID profile                      • Name: wlan-ssid
                                  • SSID name: wlan-net

Security profile                  • Name: wlan-security
                                  • Security policy: WPA2+802.1X+AES

VAP profile                       • Name: wlan-vap1
                                  • Forwarding mode: tunnel forwarding
                                  • Service VLAN: VLAN 101
                                  • Referenced profile: SSID profile wlan-ssid, security
                                    profile wlan-security, and authentication profile
                                    wlan-authentication

                                  • Name: wlan-vap2
                                  • Forwarding mode: tunnel forwarding
                                  • Service VLAN: VLAN 102
                                  • Referenced profile: SSID profile wlan-ssid, security
                                    profile wlan-security, and authentication profile
                                    wlan-authentication

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the AC and Switch_A so that the APs and AC can transmit CAPWAP packets.
# Configure Switch_A: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to management VLAN
100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] port-isolate enable
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects the AC to Switch_A to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Connect the AC to the upper-level network device.


# Add the AC uplink interface GE0/0/3 to VLAN 101 and VLAN 102, and add GE0/0/4 of
the AC connecting to the RADIUS server to VLAN 103.
[AC] vlan batch 101 to 103
[AC] interface gigabitethernet 0/0/3
[AC-GigabitEthernet0/0/3] port link-type trunk
[AC-GigabitEthernet0/0/3] port trunk allow-pass vlan 101 102
[AC-GigabitEthernet0/0/3] quit
[AC] interface gigabitethernet 0/0/4
[AC-GigabitEthernet0/0/4] port link-type trunk
[AC-GigabitEthernet0/0/4] port trunk pvid vlan 103
[AC-GigabitEthernet0/0/4] port trunk allow-pass vlan 103
[AC-GigabitEthernet0/0/4] quit

Step 4 Configure the AC to function as a DHCP server to assign IP addresses to the STAs and APs,
and configure VLANIF 103 to allow the AC to communicate with the RADIUS server.
# Configure the DHCP server based on the interface address pool. VLANIF100 provides IP
addresses for AP1 and AP2, VLANIF101 provides IP addresses for STAs connected to AP1,
and VLANIF102 provides IP addresses for STAs connected to AP2.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit

# Configure VLANIF 103.


[AC] interface vlanif 103
[AC-Vlanif103] ip address 10.23.103.2 24
[AC-Vlanif103] quit

Step 5 Configure RADIUS authentication parameters.


NOTE
Configure the same shared key for the AC and RADIUS server.

# Create a RADIUS server template.


[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.23.103.1 1812
[AC-radius-radius_huawei] radius-server shared-key cipher huawei@123
[AC-radius-radius_huawei] quit

# Configure a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit

# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

NOTE

If the domain name huawei.com is configured, you need to add the domain name when entering the user
name.

# Test whether a STA can be authenticated using RADIUS authentication. A user name
test@huawei.com and password 123456 have been configured on the RADIUS server.
[AC] test-aaa test@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.

Step 6 Configure an 802.1X access profile to manage 802.1X access control parameters.
# Create the 802.1X access profile wlan-dot1x.
[AC] dot1x-access-profile name wlan-dot1x

# Set the authentication mode to EAP relay.


[AC-dot1x-access-profile-wlan-dot1x] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-dot1x] quit

Step 7 Configure an authentication profile named wlan-authentication, apply the 802.1X access
profile, and configure a forcible authentication domain.
[AC] authentication-profile name wlan-authentication
[AC-authen-profile-wlan-authentication] dot1x-access-profile wlan-dot1x
[AC-authen-profile-wlan-authentication] access-domain huawei.com dot1x force
[AC-authen-profile-wlan-authentication] quit

Step 8 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import APs offline on the AC and add AP1 to AP group ap-group1 and AP2 to AP group
ap-group2. Assume that the APs' MAC addresses are 60de-4476-e360 and 60de-4474-9640.
Configure names for the APs based on the APs' deployment locations, so that you can know
where the APs are deployed from their names. For example, name the AP area_1 if it is
deployed in Area 1.

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
------------------------------------------------------------------------------------------------
ID  MAC             Name    Group      IP             Type      State  STA  Uptime  ExtraInfo
------------------------------------------------------------------------------------------------
0   60de-4476-e360  area_1  ap-group1  10.23.100.254  AP5030DN  nor    0    5M:2S   -
1   60de-4474-9640  area_2  ap-group2  10.23.100.253  AP5030DN  nor    0    5M:4S   -
------------------------------------------------------------------------------------------------
Total: 2

Step 9 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profiles wlan-vap1 and wlan-vap2, set the data forwarding mode and service
VLANs, and apply the security profile wlan-security, SSID profile wlan-ssid, and
authentication profile wlan-authentication to the VAP profiles.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] authentication-profile wlan-authentication
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap2] authentication-profile wlan-authentication
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap2] quit

# Bind VAP profile wlan-vap1 to AP group ap-group1, and VAP profile wlan-vap2 to AP
group ap-group2, and apply the VAP profiles to radio 0 and radio 1 of the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] quit

Step 10 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 11 Verify the configuration.

After the configuration is complete, the STA can discover the WLAN with the SSID wlan-net
in the coverage area of AP1. Use 802.1X authentication on the STA and enter the user name
and password. If the authentication succeeds, the STA can connect to the Internet. Configure
the STA according to the configured authentication mode PEAP.
• Configuration on the Windows XP operating system:
a. On the Association tab page of the Wireless network properties dialog box, add
SSID wlan-net, set the authentication mode to WPA2, encryption mode to CCMP,
and encryption algorithm to AES.
b. On the Authentication tab page, set EAP type to PEAP and click Properties. In
the Protected EAP Properties dialog box, deselect Validate server certificate and
click Configure. In the displayed dialog box, deselect Automatically use my
Windows logon name and password and click OK.
• Configuration on the Windows 7 operating system:
a. Access the Manage wireless networks page, click Add, and select Manually
create a network profile. Add SSID wlan-net. Set the authentication mode to
WPA2-Enterprise, and encryption algorithm to AES. Click Next.
b. Click Change connection settings. On the Wireless Network Properties page that
is displayed, select the Security tab page and click Settings. On the Protected EAP
Properties page, deselect Validate server certificate and click Configure. On the
dialog box that is displayed, deselect Automatically use my Windows logon name
and password and click OK.
c. On the Wireless Network Properties page, click Advanced settings. On the
Advanced settings page that is displayed, select Specify authentication mode, set
the identity authentication mode to User authentication, and click OK.
In the coverage area of AP1, connect the STA to the wireless network with SSID wlan-net
and enter the password 123456. After the STA successfully associates with the network, run
the display station ssid wlan-net command on the AC. The command output shows that the
STA with MAC address e019-1dc7-1e08 has associated with AP1.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08   0      area_1   1/1      5G    11n   38/64  -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

When the STA moves from the coverage of AP1 to AP2, run the display station ssid wlan-net
command on the AC to check the STA access information. The STA is associated with AP2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08   1      area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

Run the display station roam-track sta-mac e019-1dc7-1e08 command on the AC to check
the STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:huawei
Rx/Tx:link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3           AC IP                AP name        Radio ID
BSSID           TIME                 In/Out RSSI    Out Rx/Tx
------------------------------------------------------------------------------
--              10.23.100.1          area_1         0
60de-4476-e360  2015/02/07 17:48:30  -51/-48        46/13
L2              10.23.100.1          area_2         0
60de-4474-9640  2015/02/07 17:54:50  -58/-          -/-
------------------------------------------------------------------------------
Number: 1

----End
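
The roaming check from the verification steps of both examples above (compare the display station output before and after the STA moves), written as a script. This is an added example, not part of the Huawei guide: the two sample outputs are constructed from the values shown above, and the function names, the verdict strings and the assumption that AP names contain no spaces belong to this example.

```python
import re
from typing import Dict, NamedTuple

# Constructed samples built from the `display station ssid wlan-net` output shown above.
# BEFORE has one line per STA; AFTER is wrapped the way a narrow terminal shows it.
BEFORE = """\
STA MAC          AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08   0      area_1   1/1      5G    11n   38/64  -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1
"""
AFTER = """\
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP
address
----------------------------------------------------------------------------------
------
e019-1dc7-1e08 1 area_2 1/1 5G 11n 46/59 -58 101
10.23.101.254
----------------------------------------------------------------------------------
------
Total: 1 2.4G: 0 5G: 1
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.IGNORECASE)
FIELDS = 10  # STA MAC, AP ID, AP name, Rf/WLAN, Band, Type, Rx/Tx, RSSI, VLAN, IP


class Station(NamedTuple):
    mac: str
    ap_id: int
    ap_name: str
    vlan: int
    ip: str


def _continues_row(tokens) -> bool:
    """True for a line that can continue a wrapped row: not blank, rule, new row or total."""
    if not tokens or set(tokens[0]) == {"-"}:
        return False
    return not MAC_RE.match(tokens[0]) and not tokens[0].startswith("Total")


def parse_stations(text: str) -> Dict[str, Station]:
    """Return the associated STAs keyed by lower-case MAC address."""
    lines = [ln.split() for ln in text.splitlines()]
    stations: Dict[str, Station] = {}
    i = 0
    while i < len(lines):
        row = lines[i]
        i += 1
        if not row or not MAC_RE.match(row[0]):
            continue  # legend, header, rule or total line
        # Re-join a row that the terminal wrapped onto the following line(s).
        while len(row) < FIELDS and i < len(lines) and _continues_row(lines[i]):
            row = row + lines[i]
            i += 1
        if len(row) != FIELDS:
            raise ValueError(f"unexpected station row: {' '.join(row)}")
        mac = row[0].lower()
        stations[mac] = Station(mac, int(row[1]), row[2], int(row[8]), row[9])
    return stations


def roam_verdict(before: str, after: str, sta_mac: str) -> str:
    """Classify what happened to one STA between two snapshots."""
    mac = sta_mac.lower()
    old = parse_stations(before).get(mac)
    new = parse_stations(after).get(mac)
    if old is None or new is None:
        return "not-associated"
    if new.ap_id == old.ap_id:
        return "no-roam"
    if (new.vlan, new.ip) == (old.vlan, old.ip):
        return "roamed-session-kept"  # new AP, same VLAN and IP address
    return "roamed-readdressed"       # new AP, but the VLAN or IP address changed


if __name__ == "__main__":
    print(roam_verdict(BEFORE, AFTER, "e019-1dc7-1e08"))
```

In the output shown above the STA keeps VLAN 101 and 10.23.101.254 after it moves to area_2, which is the roamed-session-kept case.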

Configuration Files
• SwitchA configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

l AC configuration file
#
sysname AC
#
vlan batch 100 to 103
#
authentication-profile name wlan-authentication
dot1x-access-profile wlan-dot1x
access-domain huawei.com dot1x force
#
dhcp enable
#
radius-server template radius_huawei
radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$
%^%#
radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102

Issue 04 (2018-08-17) Copyright © Huawei Technologies Co., Ltd. 491


S5700 and S6720 Series Ethernet Switches
Configuration Guide - WLAN-AC 9 Roaming Configuration

ip address 10.23.102.1 255.255.255.0


dhcp select interface
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 dot1x aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap1
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile wlan-authentication
vap-profile name wlan-vap2
forward-mode tunnel
service-vlan vlan-id 102
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile wlan-authentication
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap1 wlan 1
radio 1
vap-profile wlan-vap1 wlan 1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap2 wlan 1
radio 1
vap-profile wlan-vap2 wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-id 1 type-id 35 ap-mac 60de-4474-9640 ap-sn 210235554710CB000078
ap-name area_2
ap-group ap-group2
#
dot1x-access-profile name wlan-dot1x
#
return

9.9.5 Example for Configuring Inter-AC Layer 2 Roaming


Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
Enterprise users expect to access the Internet through a WLAN to meet the basic mobile
office requirements. They also require that services be uninterrupted when roaming within the
coverage area of the WLAN.
• AC networking mode: AC_1 and AC_2 in the same mobility group
• DHCP deployment mode: Configure AC_1 as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: tunnel forwarding

Figure 9-14 Networking for configuring inter-AC Layer 2 roaming

Configuration Roadmap
1. Configure network connectivity between APs, ACs, and other network devices.
2. Configure the APs to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure WLAN roaming on AC_1 and AC_2 to enable inter-AC Layer 2 roaming.

Table 9-11 Data planning

Item                              Data
--------------------------------  ------------------------------------------------------------
DHCP server                       AC_1 functions as a DHCP server to assign IP addresses to APs and STAs.

IP address pool for APs           10.23.100.3 to 10.23.100.254/24

IP address pool for STAs          10.23.101.3 to 10.23.101.254/24

AC's source interface IP address  Source interface: VLANIF 100
                                  • AC_1: 10.23.100.1/24
                                  • AC_2: 10.23.100.2/24

AP group                          • Name: ap-group1
                                  • Referenced profiles: VAP profile wlan-net and regulatory domain profile default

Regulatory domain profile         • Name: default
                                  • Country code: CN

SSID profile                      • Name: wlan-net
                                  • SSID name: wlan-net

Security profile                  • Name: wlan-net
                                  • Security policy: WPA-WPA2+PSK+AES
                                  • Password: a1234567

VAP profile                       • Name: wlan-net
                                  • Forwarding mode: tunnel forwarding
                                  • Service VLAN: VLAN 101
                                  • Referenced profiles: SSID profile wlan-net and security profile wlan-net

Roaming parameters                • AC_1
                                    – IP address for establishing an inter-AC tunnel in the mobility group: 10.23.100.1
                                    – Mobility group name: mobility
                                    – Mobility group members: AC_1 and AC_2
                                  • AC_2
                                    – IP address for establishing an inter-AC tunnel in the mobility group: 10.23.100.2
                                    – Mobility group name: mobility
                                    – Mobility group members: AC_1 and AC_2

Configuration Precautions
• Inter-AC roaming is supported only in distributed VXLAN gateway scenarios, and only
  Layer 2 inter-AC roaming is supported.
• ACs in the same mobility group must run system software of the same C version.
  Otherwise, inter-AC roaming may fail.
• The mobility group name and IP address for establishing an inter-AC tunnel must be
  configured on each AC in the mobility group. ACs must be added to the mobility group.
• The IP addresses used for establishing an inter-AC tunnel between ACs in a mobility
  group must be the CAPWAP source IP addresses of the ACs. When multiple CAPWAP
  source IP addresses are configured, only one CAPWAP source IP address can be used to
  establish an inter-AC tunnel.
• The mobility group name must be the same on each AC.
• A maximum of 16 ACs can be added to a mobility group, and one AC can be added only
  to one mobility group.

Procedure
Step 1 Set the NAC mode to unified on AC_1 and AC_2 so that STAs can connect to the WLAN.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the ACs.

Step 2 Configure the switches.


# Add GE0/0/1 and GE0/0/2 on Switch_1 to VLAN 100 (default VLAN of GE0/0/1).
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/2] quit

# Add GE0/0/1 and GE0/0/2 on Switch_2 to VLAN 100 (default VLAN of GE0/0/1).
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/2] quit

Step 3 Configure the ACs to communicate with other network devices.


# Add GE0/0/1 on AC_1 to VLAN 100, and GE0/0/2 to VLAN 100 and VLAN 101.
[HUAWEI] sysname AC_1
[AC_1] vlan batch 100 101
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface gigabitethernet 0/0/2
[AC_1-GigabitEthernet0/0/2] port link-type trunk
[AC_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[AC_1-GigabitEthernet0/0/2] quit
[AC_1] interface vlanif 100
[AC_1-Vlanif100] ip address 10.23.100.1 255.255.255.0
[AC_1-Vlanif100] quit
[AC_1] interface vlanif 101
[AC_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[AC_1-Vlanif101] quit

# Add GE0/0/1 on AC_2 to VLAN 100, and GE0/0/2 to VLAN 100 and VLAN 101.
[HUAWEI] sysname AC_2
[AC_2] vlan batch 100 101
[AC_2] interface gigabitethernet 0/0/1
[AC_2-GigabitEthernet0/0/1] port link-type trunk
[AC_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC_2-GigabitEthernet0/0/1] quit
[AC_2] interface gigabitethernet 0/0/2
[AC_2-GigabitEthernet0/0/2] port link-type trunk
[AC_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[AC_2-GigabitEthernet0/0/2] quit
[AC_2] interface vlanif 100
[AC_2-Vlanif100] ip address 10.23.100.2 255.255.255.0
[AC_2-Vlanif100] quit
[AC_2] interface vlanif 101
[AC_2-Vlanif101] ip address 10.23.101.2 255.255.255.0
[AC_2-Vlanif101] quit

Step 4 Configure a DHCP server to assign IP addresses to APs and STAs.


# Configure VLANIF 100 on AC_1 to assign IP addresses to APs and VLANIF 101 to assign
IP addresses to STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

[AC_1] dhcp enable
[AC_1] interface vlanif 100
[AC_1-Vlanif100] dhcp select interface
[AC_1-Vlanif100] dhcp server excluded-ip-address 10.23.100.2
[AC_1-Vlanif100] quit
[AC_1] interface vlanif 101
[AC_1-Vlanif101] dhcp select interface
[AC_1-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[AC_1-Vlanif101] quit

Step 5 Configure APs to go online on AC_1.


# Create an AP group to which APs with the same configuration are to be added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the country code for AC_1 in the profile, and
bind the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name default
[AC_1-wlan-regulate-domain-default] country-code cn
[AC_1-wlan-regulate-domain-default] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit

# Configure the source interface on AC_1.


[AC_1] capwap source interface vlanif 100

# Import an AP offline on AC_1 and add the AP to the AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you will know where the AP is deployed from its name. If the
AP with MAC address 60de-4476-e360 is in area 1, name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC_1-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
Extra information:
P  : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type      State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN  nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.

# Create security profile wlan-net and configure a security policy in the profile.
NOTE

The following example sets the security policy to WPA-WPA2+PSK+AES and password to a1234567. In
actual situations, configure the security policy based on service requirements.
[AC_1-wlan-view] security-profile name wlan-net
[AC_1-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and bind the
security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-net
[AC_1-wlan-vap-prof-wlan-net] forward-mode tunnel
[AC_1-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-net] quit

# Bind the VAP profile to the AP group, and apply configurations of VAP profile wlan-net to
radios 0 and 1 of the AP.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit

Step 7 Configure APs to go online on AC_2 and set WLAN service parameters.
Configure APs on AC_2 to go online and set WLAN service parameters according to the
configuration process on AC_1. For details about the configurations, see the configuration file
of AC_2. The following lists configuration differences between AC_1 and AC_2:
• An AP5030DN with MAC address dcd2-fc04-b500 is configured to go online on AC_2
  and the AP name is set to area_2.

Step 8 Configure WLAN roaming on AC_1.

# Configure IP addresses for establishing an inter-AC tunnel.
[AC_1-wlan-view] mobility-server local ip-address 10.23.100.1

# Create a mobility group, and add AC_1 and AC_2 to the mobility group.
[AC_1-wlan-view] mobility-group name mobility
[AC_1-mc-mg-mobility] member ip-address 10.23.100.1
[AC_1-mc-mg-mobility] member ip-address 10.23.100.2
[AC_1-mc-mg-mobility] quit

Step 9 Configure WLAN roaming on AC_2.

# Configure IP addresses for establishing an inter-AC tunnel.
[AC_2-wlan-view] mobility-server local ip-address 10.23.100.2

# Create a mobility group, and add AC_1 and AC_2 to the mobility group.
[AC_2-wlan-view] mobility-group name mobility
[AC_2-mc-mg-mobility] member ip-address 10.23.100.1
[AC_2-mc-mg-mobility] member ip-address 10.23.100.2
[AC_2-mc-mg-mobility] quit

Step 10 Verify the configuration.


# The ACs automatically deliver WLAN service configurations to the APs. After the
configuration is complete, run the display vap ssid wlan-net command on AC_1 and AC_2
to check VAP information. If Status in the command output displays ON, the VAPs have
been successfully created on AP radios.
[AC_1-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------------
AP ID AP name  RfID WID  BSSID          Status  Auth type     STA   SSID
--------------------------------------------------------------------------------------
0     area_1   0    1    60DE-4476-E360 ON      WPA/WPA2-PSK  0     wlan-net
0     area_1   1    1    60DE-4476-E370 ON      WPA/WPA2-PSK  0     wlan-net
--------------------------------------------------------------------------------------
Total: 2
[AC_2-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------------
AP ID AP name  RfID WID  BSSID          Status  Auth type     STA   SSID
--------------------------------------------------------------------------------------
1     area_2   0    1    DCD2-FC04-B500 ON      WPA/WPA2-PSK  0     wlan-net
1     area_2   1    1    DCD2-FC04-B510 ON      WPA/WPA2-PSK  0     wlan-net
--------------------------------------------------------------------------------------
Total: 2

# Run the display mobility-group name mobility command on AC_1 to check working
states of AC_1 and AC_2. If State displays normal, AC_1 and AC_2 work properly.
# In the coverage area of AP_1, connect a STA to the WLAN with SSID wlan-net and enter
the password a1234567. After the STA successfully associates with the WLAN, run the
display station ssid wlan-net command on AC_1 to check STA information. The command
output shows that the STA with MAC address e019-1dc7-1e08 is associated with AP_1.
[AC_1-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC         AP ID Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08  0     area_1   1/1      5G    11n   46/59  -57   101   10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# After the STA moves from the coverage area of AP_1 to that of AP_2, run the display
station assoc-info sta all command on AC_2 to check the STA's access information. The
command output shows that the STA is associated with AP_2.
[AC_2-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC         AP ID Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
------------------------------------------------------------------------------------
e019-1dc7-1e08  1     area_2   1/1      5G    11n   46/59  -58   101   10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

# Run the display station roam-track sta-mac e019-1dc7-1e08 command on AC_2 to check
the STA roaming track.
[AC_2-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 area_1 1
60de-4476-e360 2015/02/09 16:11:51 -57/-57 22/3
L2 10.23.100.2 area_2 1
dcd2-fc04-b500 2015/02/09 16:13:53 -58/- -/-
------------------------------------------------------------------------------
Number: 1

----End

Configuration Files
• Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• AC_1 configuration file
#
sysname AC_1
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.100.2
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
mobility-server local ip-address 10.23.100.1
mobility-group name mobility
member ip-address 10.23.100.1
member ip-address 10.23.100.2
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

• AC_2 configuration file
#
sysname AC_2
#
vlan batch 100 to 101
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
regulatory-domain-profile name default
dca-channel 5g channel-set 149,153,157,161
mobility-server local ip-address 10.23.100.2
mobility-group name mobility
member ip-address 10.23.100.1
member ip-address 10.23.100.2
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 1 type-id 35 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000078
ap-name area_2
ap-group ap-group1
#
return
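
The Configuration Precautions for this example can be checked mechanically against the AC configuration files before the ACs go into service. The following Python script is an added example, not part of the Huawei guide: it parses the roaming-relevant lines of each AC configuration and reports any drift from the precautions. The names sample_config, parse_ac and audit_mobility_group are hypothetical, the embedded configuration is constructed from the files above, and the SSID and service-VLAN comparison is an assumption taken from the data plan, where both ACs use SSID wlan-net and VLAN 101.

```python
import re

MAX_GROUP_MEMBERS = 16  # limit stated in the Configuration Precautions

# Constructed sample input: the roaming-relevant lines of the AC_1 and AC_2
# configuration files above (pass-phrase ciphertext and AP entries left out).
TEMPLATE = """\
sysname {name}
interface Vlanif100
 ip address {vlanif_ip} 255.255.255.0
#
capwap source interface vlanif100
wlan
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id {service_vlan}
 mobility-server local ip-address {tunnel_ip}
 mobility-group name {group}
  member ip-address 10.23.100.1
  member ip-address 10.23.100.2
"""


def sample_config(name, ip, tunnel_ip=None, group="mobility", service_vlan=101):
    """Render one constructed AC configuration (hypothetical helper)."""
    return TEMPLATE.format(name=name, vlanif_ip=ip, tunnel_ip=tunnel_ip or ip,
                           group=group, service_vlan=service_vlan)


# One value per key is kept; the page's ACs have a single SSID and service VLAN.
PATTERNS = {
    "name": r"sysname (\S+)",
    "capwap_if": r"capwap source interface (\S+)",
    "tunnel_ip": r"mobility-server local ip-address (\S+)",
    "group": r"mobility-group name (\S+)",
    "ssid": r"ssid (\S+)",
    "service_vlan": r"service-vlan vlan-id (\d+)",
}


def parse_ac(cfg):
    """Extract the settings the roaming precautions refer to from one AC config."""
    ac = {key: None for key in PATTERNS}
    ac.update(if_ip={}, members=[])
    current_if = None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line == "#":
            current_if = None  # "#" closes the current configuration view
        elif m := re.fullmatch(r"interface (\S+)", line):
            current_if = m[1].lower()
        elif (m := re.fullmatch(r"ip address (\S+) \S+", line)) and current_if:
            ac["if_ip"][current_if] = m[1]
        elif m := re.fullmatch(r"member ip-address (\S+)", line):
            ac["members"].append(m[1])
        else:
            for key, pattern in PATTERNS.items():
                if m := re.fullmatch(pattern, line):
                    ac[key] = m[1]
    return ac


def audit_mobility_group(configs):
    """Check the inter-AC roaming precautions; return a list of findings."""
    acs = [parse_ac(cfg) for cfg in configs]
    findings = []
    for ac in acs:
        if not ac["group"] or not ac["tunnel_ip"]:
            findings.append(f"{ac['name']}: mobility group name or tunnel IP missing")
            continue
        capwap_ip = ac["if_ip"].get((ac["capwap_if"] or "").lower())
        if ac["tunnel_ip"] != capwap_ip:
            findings.append(f"{ac['name']}: tunnel IP {ac['tunnel_ip']} is not the "
                            f"CAPWAP source IP {capwap_ip}")
        if len(ac["members"]) > MAX_GROUP_MEMBERS:
            findings.append(f"{ac['name']}: more than {MAX_GROUP_MEMBERS} members")
    # Every AC must list the tunnel IP of every AC (itself included) as a member.
    tunnel_ips = {ac["tunnel_ip"] for ac in acs if ac["tunnel_ip"]}
    for ac in acs:
        for ip in sorted(tunnel_ips - set(ac["members"])):
            findings.append(f"{ac['name']}: {ip} is not a member of its mobility group")
    # Settings that have to match on all ACs (SSID and VLAN: added assumption).
    for key, label in (("group", "mobility group name"), ("ssid", "SSID"),
                       ("service_vlan", "service VLAN")):
        values = sorted({str(ac[key]) for ac in acs})
        if len(values) > 1:
            findings.append(f"{label} differs between ACs: {', '.join(values)}")
    return findings


if __name__ == "__main__":
    ac_1 = sample_config("AC_1", "10.23.100.1")
    ac_2 = sample_config("AC_2", "10.23.100.2")
    print(audit_mobility_group([ac_1, ac_2]) or "all precautions hold")
    drifted = sample_config("AC_2", "10.23.100.2", tunnel_ip="10.23.101.2", group="mobilty")
    print("\n".join(audit_mobility_group([ac_1, drifted])))
```

An empty result means the mobility group name, tunnel IP addresses and member lists agree on all ACs; each finding names the AC whose configuration has drifted.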

9.9.6 Example for Configuring Agile Distributed SFN Roaming

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
A hospital wants to deploy an agile distributed WLAN to provide WLAN access to doctors
and nurses, meeting their basic office requirements. The administrator requires that
roaming within the coverage area be imperceptible to STAs and not interrupt services.

• AC networking mode: Layer 2 bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to the central AP and
    RUs.
  – SwitchA functions as a DHCP server to assign IP addresses to STAs.
• Service data forwarding mode: direct forwarding

Figure 9-15 Networking for configuring agile distributed SFN roaming

[Figure: topology showing the Internet, Router (GE1/0/0), SwitchA (GE0/0/1 to GE0/0/4), the AC (GE0/0/1), the information system, the central AP (GE0/0/25, GE0/0/1, GE0/0/2), RUs ru_1 and ru_2, and a STA roaming between the RUs.]

Configuration Roadmap
1. Configure the central AP, AC, RUs, and upper-layer devices to communicate at Layer 2.
2. Configure DHCP servers to assign IP addresses to the central AP, RUs, and STAs.
3. Configure the central AP and RUs to go online.
4. Configure WLAN service parameters for STAs to access the WLAN.
5. Configure agile distributed SFN roaming.

Table 9-12 AC data planning

Item                                        Data
------------------------------------------  --------------------------------------------------
DHCP server                                 • The AC functions as a DHCP server to assign IP addresses to the central AP and RUs.
                                            • SwitchA functions as a DHCP server to assign IP addresses to STAs.

IP address pool for the central AP and RUs  10.23.100.2-10.23.100.254/24

IP address pool for STAs                    10.23.101.3-10.23.101.254/24

AC's source interface address               VLANIF 100: 10.23.100.1/24

AP group                                    • Name: ap-group1
                                            • Referenced profiles: VAP profile wlan-net and regulatory domain profile default

Regulatory domain profile                   • Name: default
                                            • Country: China

SSID profile                                • Name: wlan-net
                                            • SSID name: wlan-net

Security profile                            • Name: wlan-net
                                            • Security policy: WPA-WPA2+PSK+AES
                                            • Password: a1234567

VAP profile                                 • Name: wlan-net
                                            • Forwarding mode: direct forwarding
                                            • Service VLAN: VLAN 101
                                            • Referenced profiles: SSID profile wlan-net and security profile wlan-net

Working channel of RUs                      • ru_1: channel 6
                                            • ru_2: channel 6

Agile distributed SFN roaming               Enabled

Configuration Notes
• Network planning precautions:
  – Agile distributed SFN roaming is supported only by the AD9430DN-12 (including
    matching RUs) and AD9430DN-24 (including matching RUs). RUs support agile
    distributed SFN roaming in the following combination modes:
    ▪ Between the R230D and R240D (Note: Only the 2.4 GHz radio of the R230D
      and R240D supports agile distributed SFN roaming; the 5 GHz radio does
      not.)
    ▪ Among the R250D, R250D-E, R251D, R251D-E and R450D
  – For the central AP, after agile distributed SFN roaming is enabled, the total number
    of agile distributed SFN roaming STAs on a single frequency band (2.4 GHz or 5
    GHz) of all RUs does not exceed 128, and that of STAs associated with other VAPs
    on the same band does not exceed 128.
  – After agile distributed SFN roaming is enabled, configure all RUs to work on the
    same channel. When agile distributed SFN roaming is enabled on the 5 GHz
    frequency band, configure non-radar channels.
  – RUs involved in roaming must be associated with the same central AP; agile
    distributed SFN roaming between central APs is not supported.
  – Inter-RU roaming is Layer 2 roaming within a central AP. Agile distributed SFN
    roaming is not performed on Layer 3.
• Configuration precautions:
  – When agile distributed SFN roaming is enabled for both the 2.4 GHz and 5 GHz
    radios, it is recommended that different SSIDs be used. Otherwise, the radio
    switchover may occur, affecting user experience.
  – Agile distributed SFN roaming can be enabled only on one VAP of a radio. If
    multiple VAPs are configured on a radio, it is recommended that the total VAP rate
    limit on all VAPs with agile distributed SFN roaming disabled be set to 5 Mbit/s.
  – Radios enabled with agile distributed SFN roaming do not support channel
    scanning, channel calibration, or smart roaming.
  – Agile distributed SFN roaming can be configured based only on AP groups but not
    based on APs.
  – RUs involved in agile distributed SFN roaming need to have the following items
    configured the same:
    ▪ SSID
    ▪ VAP profile and VAP ID
    ▪ Security policy. Agile distributed SFN roaming supports these encryption
      modes: WPA+PSK, WPA2+PSK, WPA-WPA2+PSK, WPA+802.1X (EAP
      authentication), WPA2+802.1X (EAP authentication), WPA-WPA2+802.1X
      (EAP authentication), and Portal+PSK.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the network devices.


# On SwitchA, add GE0/0/1 to VLAN 100 (management VLAN) and VLAN 101 (service
VLAN), set the default VLAN of GE0/0/1 to VLAN 100, add GE0/0/2 to VLAN 100, and
add GE0/0/3 and GE0/0/4 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/4] quit

# Configure an IP address for GE1/0/0 on Router.


<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.101.2 24
[Router-GigabitEthernet1/0/0] quit

Step 3 Configure the AC to communicate with the network devices.


# Add GE0/0/1 on the AC to VLAN 100.
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 4 Configure DHCP servers to assign IP addresses to the central AP, RUs, and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to the central AP and RUs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchA, configure VLANIF 101 to assign IP addresses to STAs, and configure a
default route whose next hop is the address of Router.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchA] dhcp enable
[SwitchA] interface vlanif 101
[SwitchA-Vlanif101] ip address 10.23.101.1 24
[SwitchA-Vlanif101] dhcp select interface
[SwitchA-Vlanif101] dhcp server excluded-ip-address 10.23.101.2
[SwitchA-Vlanif101] quit
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.23.101.2

Step 5 Configure a central AP and RUs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the central AP and RUs offline on the AC and add the central AP and RUs to AP
group ap-group1. Assume that the central AP's MAC address is 68a8-2845-62fd and the RUs'
MAC addresses are fcb6-9897-c520 and fcb6-9897-ca40. Name the central AP central_AP and
the RUs ru_1 and ru_2, respectively.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 68a8-2845-62fd
[AC-wlan-ap-0] ap-name central_AP
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac fcb6-9897-c520
[AC-wlan-ap-1] ap-name ru_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac fcb6-9897-ca40
[AC-wlan-ap-2] ap-name ru_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit

# After the central AP is powered on, run the display ap all command to check the AP state.
If the State field is displayed as nor, the RUs go online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
------------------------------------------------------------------------------------------------------
ID  MAC             Name        Group      IP             Type         State  STA  Uptime  ExtraInfo
------------------------------------------------------------------------------------------------------
0   68a8-2845-62fd  central_AP  ap-group1  10.23.100.254  AD9430DN-24  nor    0    2M:25S  -
1   fcb6-9897-c520  ru_1        ap-group1  10.23.100.253  R240D        nor    0    3M:5S   -
2   fcb6-9897-ca40  ru_2        ap-group1  10.23.100.252  R240D        nor    0    3M:14S  -
------------------------------------------------------------------------------------------------------
Total: 3

Step 6 Configure WLAN service parameters.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure the RU channel and power.


NOTE

The automatic channel and power calibration function is enabled for radios by default. When this function is
enabled, the manual calibration configuration does not take effect. The settings of the RU channel and power
in this example are for reference only. You need to configure the RU channel and power based on the actual
country code and network planning.

# Disable the automatic channel and power calibration function for radio 0 of the RUs, and
configure the channel and power for radio 0 of the RUs.
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] radio 0
[AC-wlan-radio-1/0] calibrate auto-channel-select disable
[AC-wlan-radio-1/0] calibrate auto-txpower-select disable
[AC-wlan-radio-1/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-1/0] eirp 127
[AC-wlan-radio-1/0] quit
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2
[AC-wlan-ap-2] radio 0
[AC-wlan-radio-2/0] calibrate auto-channel-select disable
[AC-wlan-radio-2/0] calibrate auto-txpower-select disable
[AC-wlan-radio-2/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-2/0] eirp 127
[AC-wlan-radio-2/0] quit
[AC-wlan-ap-2] quit

Step 8 Enable agile distributed SFN roaming.


[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] sfn-roam enable
Warning: This feature requires that radios work on the same channel. Enabling th
is feature will disable the channel calibration, channel scanning, and smart roa
ming functions on the AP and disconnect STAs connected to the VAP. Open, WEP, an
d WAPI encryption modes are not supported. The PSK + WPA2 mode is recommended. A
radio allows SFN to be enabled only for one VAP. Continue?[Y/N]:y
[AC-wlan-vap-prof-wlan-net] quit

Step 9 Configure parameters related to agile distributed SFN roaming.


# Retain the default settings for roaming decision parameters.
# Set radio parameters related to roaming based on the network planning result. The
configuration is not mentioned here.
Step 10 Verify the configuration.
# Run the display vap ssid wlan-net command. If Status in the command output is displayed
as ON, the VAPs have been successfully created on the RU radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
1 ru_1 0 1 68A8-2845-62E0 ON WPA/WPA2-PSK 0 wlan-net
2 ru_2 0 1 68A8-2845-62E0 ON WPA/WPA2-PSK 0 wlan-net
--------------------------------------------------------------------------------
Total: 2

# In the coverage area of ru_1, connect a STA to the WLAN with the SSID wlan-net and
enter the password a1234567 to associate with the WLAN. Run the display station ssid
wlan-net command on the AC. The command output shows that the STA has associated with
ru_1.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
--------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
--------------------------------------------------------------------------------------
e019-1dc7-1e08  1      ru_1     0/1      2.4G  11n   38/64  -68   101   10.23.101.254
--------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

# When the STA moves from the coverage area of ru_1 to that of ru_2, run the display
station ssid wlan-net command on the AC. The command output shows that the STA has
associated with ru_2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
--------------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
--------------------------------------------------------------------------------------
e019-1dc7-1e08  2      ru_2     0/1      2.4G  11n   38/64  -68   101   10.23.101.254
--------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

# Run the display station roam-track sta-mac e019-1dc7-1e08 command on the AC to
check the STA roaming track.
[AC-wlan-view] display station roam-track sta-mac e019-1dc7-1e08
Access SSID:wlan-net
Rx/Tx:link receive rate/link transmit rate(Mbps)
c:PMK Cache Roam r:802.11r Roam s:Same Frequency Network
--------------------------------------------------------------------------------------------------
L2/L3  AC IP        AP name  Radio ID  BSSID           TIME                 In/Out RSSI  Out Rx/Tx
--------------------------------------------------------------------------------------------------
--     10.23.100.1  ru_1     0         68a8-2845-62e0  2017/10/12 16:52:58  -51/-48      46/13
L2(s)  10.23.100.1  ru_2     1         68a8-2845-62e0  2016/10/12 16:55:45  -58/-        -/-
--------------------------------------------------------------------------------------------------
Number: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.101.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 101
#
ip route-static 0.0.0.0 0.0.0.0 10.23.101.2
#
return
• Router configuration file
#
sysname Router
#
interface GigabitEthernet1/0/0
 ip address 10.23.101.2 255.255.255.0
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  sfn-roam enable
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
 ap-id 0 type-id 52 ap-mac 68a8-2845-62fd ap-sn 2102350KGF10F8000012
  ap-name central_AP
  ap-group ap-group1
 ap-id 1 type-id 55 ap-mac fcb6-9897-c520 ap-sn 21500826402SF4900166
  ap-name ru_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
 ap-id 2 type-id 55 ap-mac fcb6-9897-ca40 ap-sn 21500826402SF4900207
  ap-name ru_2
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return

10 WLAN QoS Configuration

10.1 Overview of WLAN QoS


Definition
WLAN Quality of Service (QoS) provides wireless users with differentiated services to
satisfy their traffic requirements. WLAN QoS has the following functions:

1. High-efficiency use of wireless channels: The Wi-Fi multimedia (WMM) standard
enables high-priority users to preempt wireless channels.
2. Efficient bandwidth use: Priority mapping preferentially transmits the data of
high-priority users.
3. Network congestion prevention: Traffic policing limits users' transmission rate,
preventing network congestion.
4. Fairness in wireless channel usage: Airtime scheduling assigns users on the same radio
equal channel occupation time.
5. Differentiated service (DiffServ) for different types of packets: Packets of the same type
are identified by matching packet information with ACLs. The same QoS policy is
provided for packets of the same type to achieve DiffServ for different types of packets.

Purpose
Applications have differentiated network requirements. The traditional WLAN is typically
used to transmit data due to its low transmission rate. With the development of new WLAN
technologies, WLANs have been applied to media, financial, education, and enterprise
networks. In addition to data traffic, WLANs also transmit delay-sensitive multimedia data,
such as voice and video. By enforcing QoS policies on a WLAN, the network administrator
can properly plan and assign network resources based on service characteristics. The WLAN
then provides differentiated access services for applications, meeting customer requirements
and improving network use efficiency.

10.2 Understanding WLAN QoS


10.2.1 WMM

Background
It is vital to understand the 802.11 link layer transport mechanism before learning about
WMM.

The 802.11 MAC layer uses the coordination function to determine the data transmitting and
receiving methods used between STAs in a BSS. The 802.11 MAC layer consists of two
sub-layers:
• Distributed Coordination Function (DCF): uses the carrier sense multiple access with
collision avoidance (CSMA/CA) mechanism. STAs compete for channels to obtain the
authority to transmit data frames.
• Point Coordination Function (PCF): uses centralized control to authorize STAs to
transmit data frames in turn. This method prevents conflict.
NOTE

In the 802.11 protocol, DCF is mandatory, and PCF is optional.

Figure 10-1 shows how CSMA/CA is implemented.

Figure 10-1 CSMA/CA working mechanism
[Figure: timeline of STA A sending data to STA B. Labels: DIFS, idle channel, Frame (STA A); SIFS, ACK (STA B); NAV (busy channel), DIFS, CW, Wait, Frame (other STAs).]

1. Before sending data to STA B, STA A detects the channel status. When detecting an idle
channel, STA A sends a data frame after Distributed Inter-Frame Space (DIFS) times out
and waits for a response from STA B. The data frame contains NAV information. After
receiving the data frame, STA B updates the NAV information, indicating that the
channel is busy and that data transmission will be delayed.
NOTE

According to the 802.11 protocol, the receiver must return an ACK frame each time it receives a
data frame.
2. STA B receives the data frame, waits until Short Interframe Space (SIFS) times out, and
sends an ACK frame to STA A. After the ACK frame is transmitted, the channel
becomes idle. After the DIFS times out, the STAs use the exponential backoff algorithm
to compete for channels. The STA whose backoff counter is first reduced to 0
starts to send data frames.

Concepts

• InterFrame Space (IFS): According to the 802.11 protocol, after sending a data frame,
the STA must wait until the IFS times out to send the next data frame. The IFS length
depends on the data frame type. High-priority data frames are sent earlier than
low-priority data frames. There are three IFS types:
– Short IFS (SIFS): The time interval between a data frame and its ACK frame. SIFS
is used for high priority transmissions, such as ACK and CTS frame transmissions.
– PCF IFS (PIFS): PIFS length is SIFS plus slot time. PCF-enabled access points wait
for the duration of PIFS to occupy the wireless medium. If a STA accesses a
channel when the slot time starts, the other STAs in the BSS detect that the channel
is busy.
– DCF IFS (DIFS): DIFS length is PIFS plus slot time. Data frames and management
frames are transmitted at the DIFS interval.
• Contention window: backoff time. Backoff time is a multiple of slot time, and its length
depends on the physical layer technology. When multiple STAs need to transmit data but
detect that all channels are busy, the STAs use the backoff algorithm. The STAs wait for
a random number of slot times, and then transmit data. A STA detects channel status
during the slot time interval. When detecting an idle channel, the STA starts the backoff
timer. If all channels become busy, the STA freezes the remaining time in the backoff
timer. When a channel becomes idle, the STA waits until DIFS times out, and continues
the backoff timer. When the backoff timer is reduced to 0, the STA starts to send data
frames. Figure 10-2 shows the data frame transmission process.

Figure 10-2 Backoff algorithm diagram
[Figure: timelines for STA C, STA D, STA E, and STA F separated by DIFS intervals, with delay periods t1, t2, and t3. Legend: frames to be transmitted by a STA, passing backoff time, remaining backoff time.]

a. STA C is occupying a channel to send data frames. STA D, STA E, and STA F also
need to send data frames. They detect that the channel is busy and wait.
b. After STA C finishes data frame transmission, the other STAs wait until DIFS times
out. When DIFS times out, the STAs generate a random backoff time and start their
backoff timers. For example, the backoff time of STA D is t1, the backoff time of
STA E is t1+t3, and the backoff time of STA F is t1+t2.

c. When t1 times out, the backoff timer of STA D is reduced to 0. STA D starts to send
data frames.
d. STA E and STA F detect that the channel is busy, so they freeze their backoff timers
and wait. After STA D completes data transmission, STA E and STA F wait until
DIFS times out, and continue their backoff timers.
e. When t2 times out, the backoff timer of STA F is reduced to 0. STA F starts to send
data frames.
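The walk-through in steps a to e, replayed as an added example (not code from the original guide). Times are in slot units; the slot values chosen for t1, t2, t3, DIFS, and the frame duration are constructed, and the collision branch (contention window doubling on a tie) follows 802.11 exponential backoff rather than anything shown in Figure 10-2.

```python
import random

# Constructed slot counts for the page's scenario: STA D drew t1,
# STA E drew t1+t3, and STA F drew t1+t2 (with t2 < t3).
T1, T2, T3 = 3, 2, 4
PAGE_SCENARIO = {"STA D": T1, "STA E": T1 + T3, "STA F": T1 + T2}


def run_dcf(initial_backoff, difs=2, frame_time=10, cw_min=15, cw_max=1023, seed=0):
    """Replay DCF contention after the channel goes idle at time 0.

    initial_backoff maps each waiting STA to the backoff it drew, in slots.
    Returns a list of events (kind, who, time, frozen) where kind is "tx" or
    "collision" and frozen holds the remaining backoff of the STAs that lost
    this round and froze their timers.
    """
    if any(slots < 0 for slots in initial_backoff.values()):
        raise ValueError("backoff must be a non-negative number of slots")
    rng = random.Random(seed)          # only used to redraw after a collision
    remaining = dict(initial_backoff)
    cw = {sta: cw_min for sta in remaining}
    now = 0
    events = []
    while remaining:
        now += difs                    # every STA waits DIFS on an idle channel
        step = min(remaining.values())
        now += step                    # timers count down until the first hits 0
        for sta in remaining:
            remaining[sta] -= step
        expired = tuple(sorted(s for s, left in remaining.items() if left == 0))
        frozen = {s: left for s, left in remaining.items() if s not in expired}
        if len(expired) == 1:
            events.append(("tx", expired[0], now, frozen))
            del remaining[expired[0]]
        else:
            # Two timers expired in the same slot: both frames are lost, and each
            # STA doubles its contention window and draws a new backoff.
            events.append(("collision", expired, now, frozen))
            for sta in expired:
                cw[sta] = min(2 * cw[sta] + 1, cw_max)
                remaining[sta] = rng.randint(0, cw[sta])
        now += frame_time              # channel is busy; frozen timers do not move
    return events


if __name__ == "__main__":
    for event in run_dcf(PAGE_SCENARIO):
        print(event)
```
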

Principles
Channel competition is based on DCF. To all STAs, the DIFS is fixed and backoff time is
random. Therefore, all the STAs fairly compete for channels. WMM enhances the 802.11
protocol, changing the channel competition mode.
• EDCA parameters
WMM defines a set of Enhanced Distributed Channel Access (EDCA) parameters,
which distinguish high-priority packets and enable these packets to preempt channels.
WMM classifies data packets into four access categories (ACs). Table 10-1 shows the
mappings between ACs and 802.11 user preferences (UPs). A large UP value indicates a
high priority.

Table 10-1 Mappings between ACs and UPs

UP    AC
7     AC_VO (Voice)
5     AC_VI (Video)
3     AC_BE (Best Effort)
2     AC_BK (Background)

Each AC queue defines a set of EDCA parameters, which determines the capability of
occupying channels. These parameters ensure that high priority ACs have a higher
probability of preempting channels than low priority ones.
Table 10-2 describes the EDCA parameters.

Table 10-2 EDCA parameter description

Parameter: Arbitration Interframe Spacing Number (AIFSN)
Meaning: The DIFS has a fixed value. WMM provides different DIFS values for different ACs. A
large AIFSN value means that the STA must wait for a long time and has a low priority.

Parameter: Exponent form of CWmin (ECWmin) and exponent form of CWmax (ECWmax)
Meaning: ECWmin specifies the minimum backoff time, and ECWmax specifies the maximum
backoff time. Together, they determine the average backoff time. Large ECWmin and ECWmax
values mean a long average backoff time for the STA and a low STA priority.

Parameter: Transmission Opportunity Limit (TXOPLimit)
Meaning: After preempting a channel, the STA can occupy the channel within the period of
TXOPLimit. A large TXOPLimit value means that the STA can occupy the channel for a long
time. If the TXOPLimit value is 0, the STA can only send one data frame every time it
preempts a channel.

As shown in Figure 10-3, the AIFSN (AIFSN[6]) and the backoff time of voice packets
are shorter than those of Best Effort packets. When both voice packets and Best Effort
packets need to be sent, voice packets preempt the channel.

Figure 10-3 WMM working mechanism
[Figure: timelines for Voice and Best Effort queues, with intervals labeled AIFSN[0] and AIFSN[6]. Legend: frames to be transmitted by a STA, backoff time, remaining backoff time.]

• ACK policy
WMM defines two ACK policies: normal ACK and no ACK.
– Normal ACK: The receiver must return an ACK frame each time it receives a
unicast packet.
– No ACK: The receiver does not need to return ACK frames after receiving packets.
This mode is applicable to environments with high communication quality and little
interference.
NOTE

• The ACK policy is valid only for APs.
• If communication quality is poor, the no ACK policy may cause more packets to be lost.

10.2.2 Priority Mapping


Packets of different types have different priorities. For example, 802.11 packets sent by STAs
carry user priorities or DSCP priorities, VLAN packets on wired networks carry 802.1p
priorities, and IP packets carry DSCP priorities. Priority mapping must be configured on
network devices to retain the priorities of packets that traverse different networks.

Figure 10-4 Priority mapping diagram

As shown in Figure 10-4:


1. In the upstream direction, the AP performs priority mapping of 802.11 packets received
from STAs as follows:
a. Maps the user or DSCP priority of 802.11 packets to the DSCP or 802.1p priority of
tunnel packets.
b. Maps the user priority of 802.11 packets to the DSCP or 802.1p priority of 802.3
packets.
c. Maps the DSCP priority of 802.11 packets to the DSCP priority of 802.3 packets.
2. In the downstream direction: The AC forwards 802.3 packets received from the Internet
to the AP directly or through a tunnel. The AP maps the DSCP priority of the 802.3
packets to the user priority of 802.11 packets.

Precedence Field
As defined in RFC 791, the 8-bit ToS field in an IP packet header contains a 3-bit IP
precedence field, as shown in Figure 10-5.

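Figure 10-5 Precedence/DSCP field
[Figure: IP packet header fields (Version/Length, ToS (1 byte), Len, ID, Flags/offset, TTL, Proto, FCS, IP-SA, IP-DA, Data) with the ToS byte expanded into bits 0 to 7: Precedence, D, T, R, C. The IP Precedence and DSCP spans are marked under the bits.]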

Bits 0 to 2 constitute the Precedence field, representing precedence values 7, 6, 5, 4, 3, 2, 1
and 0 in descending order of priority.
Apart from the Precedence field, a ToS field also contains the following sub-fields:
• Bit D indicates the delay. The value 0 represents a normal delay and the value 1
represents a short delay.
• Bit T indicates the throughput. The value 0 represents normal throughput and the value 1
represents high throughput.
• Bit R indicates the reliability. The value 0 represents normal reliability and the value 1
represents high reliability.

DSCP Field
RFC 1349 initially defined the ToS field in IP packets and added bit C. Bit C indicates the
monetary cost. Later, the IETF DiffServ Working Group redefined bits 0 to 5 of a ToS field as
the DSCP field in RFC 2474. In RFC 2474, the field name is changed from ToS to
differentiated service (DS). Figure 10-5 shows the DSCP field in packets.
In the DS field, the first six bits (bits 0 to 5) are the DS Code Point (DSCP) and the last two
bits (bits 6 and 7) are reserved. The first three bits (bits 0 to 2) are the Class Selector Code
Point (CSCP), which represents the DSCP type. A DS node selects a Per-Hop Behavior
(PHB) based on the DSCP value.

802.1p Field
Layer 2 devices exchange Ethernet frames. As defined in IEEE 802.1Q, the PRI field (802.1p
field) in the Ethernet frame header identifies the Class of Service (CoS) requirement. Figure
10-6 shows the PRI field in Ethernet frames.

Figure 10-6 802.1p field in the VLAN frame header
[Figure: Ethernet frame layout (Destination address, Source address, 802.1Q Tag, Length/Type, Data, FCS) with the 802.1Q tag expanded into TPID (16 bits), PRI (3 bits), CFI (1 bit), and VLAN ID (12 bits).]

The 802.1Q header contains a 3-bit PRI field, representing eight service priorities 7, 6, 5, 4, 3,
2, 1 and 0 in descending order of priority.
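The three field layouts described above (Precedence and D/T/R/C bits, DSCP, and the 802.1Q PRI field), decoded from one frame as an added example that is not part of the original guide. The sample frame is constructed: placeholder MAC addresses, VLAN 101 and the 10.23.101.x addresses borrowed from the earlier configuration example, a zero IP checksum that is not validated, and DSCP 46 with PRI 5 chosen for illustration.

```python
import struct

TPID_8021Q = 0x8100      # TPID value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def parse_tci(tci):
    """Split the 16 bits after the TPID: PRI (3 bits), CFI (1 bit), VLAN ID (12 bits)."""
    return {"pri": tci >> 13, "cfi": (tci >> 12) & 0x1, "vlan_id": tci & 0x0FFF}


def parse_tos(tos):
    """Decode the 8-bit ToS/DS byte. Bit 0 in the page's numbering is the MSB."""
    return {
        "precedence": tos >> 5,          # bits 0-2
        "delay": (tos >> 4) & 1,         # bit D
        "throughput": (tos >> 3) & 1,    # bit T
        "reliability": (tos >> 2) & 1,   # bit R
        "cost": (tos >> 1) & 1,          # bit C
        "dscp": tos >> 2,                # bits 0-5 (RFC 2474 view of the same byte)
        "cscp": tos >> 5,                # first three DSCP bits
    }


def parse_frame(frame):
    """Return the 802.1p and IP priority fields of an Ethernet frame.

    "dot1q" is None for an untagged frame; "ip" is None for non-IPv4 payloads.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, tag = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        tag, offset = parse_tci(tci), 18
    result = {"dot1q": tag, "ip": None}
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < offset + 20:
            raise ValueError("truncated IPv4 header")
        if frame[offset] >> 4 != 4:
            raise ValueError("EtherType says IPv4 but the version field does not")
        result["ip"] = parse_tos(frame[offset + 1])
    return result


def build_sample(pri, vlan_id, dscp, tagged=True):
    """Build a constructed frame (header only, checksum left at 0) for the demo."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    if tagged:
        eth += struct.pack("!HH", TPID_8021Q, (pri << 13) | vlan_id)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                     bytes([10, 23, 101, 254]), bytes([10, 23, 101, 2]))
    return eth + ip


SAMPLE_FRAME = build_sample(pri=5, vlan_id=101, dscp=46)

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```

The Precedence value and the CSCP are the same three bits read under the older and newer definitions, which is why the two always agree in the output.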

10.2.3 Traffic Policing


To limit traffic within a specified range and protect network resources, traffic policing
discards excess traffic.
Traffic policing is implemented using the token bucket.
A token bucket has a specified capacity to store tokens. The system places tokens into a token
bucket at the configured rate. If the token bucket is full, excess tokens overflow and no token
is added.
When assessing traffic, a token bucket forwards packets based on the number of tokens in the
token bucket. The traffic rate is within the rate limit only if the token bucket holds enough
tokens to forward the packets.
The working mechanisms of token buckets include single bucket at a single rate, dual buckets
at a single rate, and dual buckets at dual rates.

Single Bucket at a Single Rate


If burst traffic is not allowed, one token bucket is used.

Figure 10-7 Single bucket at a single rate
[Figure: tokens enter a bucket of capacity CBS at the CIR. For a packet of size B, the check B ≤ Tc leads to Conform (YES) or Violate (NO).]

In Figure 10-7, the bucket is called bucket C. Tc indicates the number of tokens in the
bucket. A single bucket at a single rate uses the following parameters:
• Committed Information Rate (CIR): indicates the rate at which tokens are put into bucket
C, that is, the average traffic rate permitted by bucket C.
• Committed burst size (CBS): indicates the capacity of bucket C, that is, the maximum
volume of burst traffic allowed by bucket C each time.
The system places tokens into the bucket at the CIR. If Tc is smaller than the CBS, Tc
increases. If Tc is greater than or equal to the CBS, Tc remains unchanged.
B indicates the size of an arriving packet:
• If B is smaller than or equal to Tc, the packet is colored green, and Tc decreases by B.
• If B is greater than Tc, the packet is colored red, and Tc remains unchanged.

Dual Buckets at a Single Rate


Dual buckets at a single rate use A Single Rate Three Color Marker (srTCM) defined in RFC
2697 to assess traffic and mark packets in green, yellow, and red based on the assessment
result.

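Figure 10-8 Dual buckets at a single rate
[Figure: tokens enter bucket C (capacity CBS) at the CIR and overflow into bucket E (capacity EBS). For a packet of size B, the check B ≤ Tc leads to Conform (YES); otherwise the check B ≤ Te leads to Exceed (YES) or Violate (NO).]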

As shown in Figure 10-8, the two buckets are called bucket C and bucket E. Tc indicates the
number of tokens in bucket C, and Te indicates the number of tokens in bucket E. Dual
buckets at a single rate use the following parameters:
• CIR: indicates the rate at which tokens are put into bucket C, that is, the average traffic
rate permitted by bucket C.
• CBS: indicates the capacity of bucket C, that is, the maximum volume of burst traffic
allowed by bucket C each time.
• Excess burst size (EBS): indicates the capacity of bucket E, that is, the maximum volume of
excess burst traffic allowed by bucket E each time.
The system places tokens into the bucket at the CIR:
• If Tc is smaller than the CBS, Tc increases.
• If Tc is equal to the CBS and Te is smaller than the EBS, Te increases.
• If Tc is equal to the CBS and Te is equal to the EBS, Tc and Te do not increase.
B indicates the size of an arriving packet:
• If B is smaller than or equal to Tc, the packet is colored green, and Tc decreases by B.
• If B is larger than Tc and smaller than or equal to Te, the packet is colored yellow and Te
decreases by B.
• If B is larger than Te, the packet is colored red, and Tc and Te remain unchanged.

Dual Buckets at Dual Rates


Dual buckets at dual rates use A Two Rate Three Color Marker (trTCM) defined in RFC 2698
to assess traffic and mark packets in green, yellow, and red based on the assessment result.

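Figure 10-9 Dual buckets at dual rates
[Figure: tokens enter bucket P (capacity PBS) at the PIR and bucket C (capacity CBS) at the CIR. For a packet of size B, the check B > Tp leads to Violate (YES); otherwise the check B > Tc leads to Exceed (YES) or Conform (NO).]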

As shown in Figure 10-9, the two buckets are called bucket P and bucket C. Tp indicates the
number of tokens in bucket P, and Tc indicates the number of tokens in bucket C. Dual
buckets at dual rates use the following parameters:
• Peak information rate (PIR): indicates the rate at which tokens are put into bucket P, that
is, the maximum traffic rate permitted by bucket P. The PIR must be greater than the CIR.
• CIR: indicates the rate at which tokens are put into bucket C, that is, the average traffic
rate permitted by bucket C.
• Peak burst size (PBS): indicates the capacity of bucket P, that is, the maximum volume of
burst traffic allowed by bucket P each time.
• CBS: indicates the capacity of bucket C, that is, the maximum volume of burst traffic
allowed by bucket C each time.

The system places tokens into bucket P at the PIR and places tokens into bucket C at the CIR:
• If Tp is smaller than the PBS, Tp increases. If Tp is larger than or equal to the PBS, Tp
remains unchanged.
• If Tc is smaller than the CBS, Tc increases. If Tc is larger than or equal to the CBS, Tc
remains unchanged.

B indicates the size of an arriving packet:
• If B is larger than Tp, the packet is colored red.
• If B is larger than Tc and smaller than or equal to Tp, the packet is colored yellow and
Tp decreases by B.
• If B is smaller than or equal to Tc, the packet is colored green, and Tp and Tc decrease
by B.
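The three token bucket modes described in this section, run side by side over the same burst as an added example (not code from the original guide or from the device). Assumptions: tokens are counted in bytes, rates are in bytes per second, every bucket starts full, and the packet trace and parameter values are constructed.

```python
GREEN, YELLOW, RED = "green", "yellow", "red"
# Default handling stated in this section: green and yellow pass, red is discarded.
DEFAULT_ACTION = {GREEN: "pass", YELLOW: "pass", RED: "discard"}


def _added(rate, now, last):
    """Tokens generated at `rate` bytes/s between two packet arrivals."""
    if now < last:
        raise ValueError("packet timestamps must not go backwards")
    return rate * (now - last)


class SingleBucket:
    """Single bucket at a single rate: bucket C, filled at the CIR, capacity CBS."""

    def __init__(self, cir, cbs):
        self.cir, self.cbs = cir, cbs
        self.tc, self.last = cbs, 0            # assumption: bucket starts full

    def color(self, now, b):
        self.tc = min(self.cbs, self.tc + _added(self.cir, now, self.last))
        self.last = now
        if b <= self.tc:
            self.tc -= b
            return GREEN
        return RED                              # Tc stays unchanged


class SrTCM:
    """Dual buckets at a single rate: C fills first, the overflow fills E."""

    def __init__(self, cir, cbs, ebs):
        self.cir, self.cbs, self.ebs = cir, cbs, ebs
        self.tc, self.te, self.last = cbs, ebs, 0

    def color(self, now, b):
        tokens = _added(self.cir, now, self.last)
        self.last = now
        to_c = min(tokens, self.cbs - self.tc)
        self.tc += to_c
        self.te = min(self.ebs, self.te + tokens - to_c)
        if b <= self.tc:
            self.tc -= b
            return GREEN
        if b <= self.te:
            self.te -= b
            return YELLOW
        return RED                              # Tc and Te stay unchanged


class TrTCM:
    """Dual buckets at dual rates: P fills at the PIR, C fills at the CIR."""

    def __init__(self, pir, pbs, cir, cbs):
        if pir <= cir:
            raise ValueError("the PIR must be greater than the CIR")
        self.pir, self.pbs, self.cir, self.cbs = pir, pbs, cir, cbs
        self.tp, self.tc, self.last = pbs, cbs, 0

    def color(self, now, b):
        self.tp = min(self.pbs, self.tp + _added(self.pir, now, self.last))
        self.tc = min(self.cbs, self.tc + _added(self.cir, now, self.last))
        self.last = now
        if b > self.tp:
            return RED
        if b > self.tc:
            self.tp -= b
            return YELLOW
        self.tp -= b
        self.tc -= b
        return GREEN


def police(meter, packets, action=DEFAULT_ACTION):
    """Meter, mark, and act on each (arrival_time_s, size_bytes) packet."""
    results = []
    for now, size in packets:
        color = meter.color(now, size)
        results.append((size, color, action[color]))
    return results


# Constructed trace: a burst of four 1000-byte packets at t=0, two more at t=1 s.
PACKETS = [(0, 1000), (0, 1000), (0, 1000), (0, 1000), (1, 1000), (1, 1000)]

if __name__ == "__main__":
    for meter in (SingleBucket(1000, 1500), SrTCM(1000, 1500, 1500),
                  TrTCM(2000, 3000, 1000, 1500)):
        print(type(meter).__name__, [r[1] for r in police(meter, PACKETS)])
```

With the same CIR and CBS, the single bucket drops the whole excess of the burst, the second bucket of the single-rate marker lets one extra packet through as yellow, and the dual-rate marker admits yellow traffic up to what the PIR and PBS allow.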

Implementation of Traffic Policing

Figure 10-10 Traffic policing components
[Figure: a packet stream passes through the Meter, Marker, and Action components in turn; the Meter passes its result to the Marker.]

As shown in Figure 10-10, traffic policing involves the following components:

• Meter: measures the network traffic using the token bucket mechanism and sends the
  measurement result to the marker.
• Marker: colors packets green, yellow, or red based on the measurement result received
  from the meter.
• Action: performs actions based on packet coloring results received from the marker. The
  following actions are defined:
  – Pass: forwards packets that meet network requirements.
  – Remark + pass: changes the local priorities of packets and forwards them.
  – Discard: drops packets that do not meet network requirements.
  By default, green and yellow packets are forwarded, while red packets are discarded.

If the rate of a type of traffic exceeds the threshold, the device reduces the packet priority. It
then either forwards the packets or directly discards them, based on traffic policing
configuration. By default, the packets are discarded.
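
The meter, marker, and action stages described above can be exercised in a short simulation of dual buckets at dual rates. This is an added example, not code from this guide or from the device; the token unit (bytes), the buckets starting full, and the sample arrivals are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class DualRateMeter:
    """Dual buckets at dual rates, following the coloring rules in the text."""

    cir: int  # tokens per second put into bucket C (assumed unit: bytes/s)
    cbs: int  # capacity of bucket C (assumed unit: bytes)
    pir: int  # tokens per second put into bucket P
    pbs: int  # capacity of bucket P
    tc: float = field(init=False)
    tp: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        if self.pir <= self.cir:
            raise ValueError("the PIR must be greater than the CIR")
        # Assumption: both buckets start full; the guide does not state this.
        self.tc = float(self.cbs)
        self.tp = float(self.pbs)

    def _refill(self, now):
        """Add tokens for the elapsed time, never beyond the bucket capacity."""
        elapsed = now - self.last
        if elapsed < 0:
            raise ValueError("packet timestamps must not go backwards")
        self.tp = min(self.pbs, self.tp + self.pir * elapsed)
        self.tc = min(self.cbs, self.tc + self.cir * elapsed)
        self.last = now

    def color(self, now, size):
        """Meter and marker: return the color of a packet of `size` at time `now`."""
        self._refill(now)
        if size > self.tp:       # B > Tp: red, no tokens consumed
            return "red"
        if size > self.tc:       # Tc < B <= Tp: yellow, only Tp decreases
            self.tp -= size
            return "yellow"
        self.tp -= size          # B <= Tc: green, Tp and Tc both decrease
        self.tc -= size
        return "green"


# Default action from the text: green and yellow are forwarded, red is discarded.
DEFAULT_ACTION = {"green": "pass", "yellow": "pass", "red": "discard"}


def police(meter, arrivals, action=DEFAULT_ACTION):
    """Run (time_s, size) arrivals through meter, marker, and action."""
    results = []
    for now, size in arrivals:
        color = meter.color(now, size)
        results.append((now, size, color, action[color]))
    return results


# Constructed sample: a burst of four 1000-byte packets, then two later packets.
SAMPLE_ARRIVALS = [
    (0.0, 1000), (0.0, 1000), (0.0, 1000), (0.0, 1000),
    (0.5, 1000), (1.0, 1000),
]


def demo():
    meter = DualRateMeter(cir=1000, cbs=1500, pir=2000, pbs=3000)
    return police(meter, SAMPLE_ARRIVALS)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The burst shows all three colors: the first packet fits in bucket C, the next two only fit in bucket P, and the fourth finds bucket P empty and is discarded until the buckets refill.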

10.2.4 Airtime Scheduling

Overview
Airtime scheduling schedules channel resources based on the channel occupation time of
users connected to the same radio. Each user is assigned equal time to occupy the channel,
ensuring fairness in channel usage.

On a WLAN, the physical layer rates of users differ greatly because of the different radio
modes supported by the terminals or the radio environments where the terminals reside.
If users with lower physical layer rates occupy wireless channels for a long period, the user
experience of the entire WLAN is affected. When airtime scheduling is enabled, users on the
WLAN occupy the wireless channel equally. This improves the overall user experience when
high- and low-speed users are connected at the same time.

Principles
After airtime scheduling is enabled, the device does the following:
• Collects statistics on the time within which each user occupies a wireless channel to send
  packets on the same radio.
• Calculates the total time that each user occupies the wireless channel.
• Sequences the STAs in ascending order of channel occupation time.

Compared with traditional scheduling modes, airtime scheduling provides the following
additional functions:
• Inserts new users to specified positions according to their wireless channel occupation
  time. In traditional scheduling modes, new users are placed at the end of the user queue.
• Checks whether a user continues to send data after they finish sending the first queue of
  data. If yes, they are inserted into the queue according to their wireless channel
  occupation time. The device preferentially schedules channel resources for the user with
  the shortest channel occupation time. If the user does not continue to send data, the
  device directly schedules channel resources for the second user.

Figure 10-11 shows the airtime scheduling process.

Figure 10-11 Airtime scheduling process
[Diagram: channel occupation times of User1, User2, User3, and User4 in successive scheduling rounds, as described in the steps below.]

There are four users on a radio waiting to transmit data. They have occupied the channel for a
time of 3, 4, 6, and 7 respectively, and require a corresponding time of 2, 4, 6, and 7 for a
round of data transmission.
1. After airtime scheduling is enabled, the device collects the channel occupation time of
the four users. The channel occupation times of User1, User2, User3, and User4 become
3, 4, 6, and 7 respectively. User1 occupies the channel for the shortest time. Therefore,
the device allocates channel resources to User1 first.
2. It takes a time of 2 for User1 to finish a round of data transmission. The channel
occupation time of User1 increases to 5. The channel occupation times of User1, User2,
User3, and User4 become 5, 4, 6, and 7 respectively. User2 occupies the channel for the
shortest time. Therefore, the data of User2 is preferentially transmitted.
3. It takes a time of 4 for User2 to finish a round of data transmission. The channel
occupation time of User2 increases to 8. The channel occupation times of User1, User2,
User3, and User4 become 5, 8, 6, and 7 respectively. User1 occupies the channel for the
shortest time. Therefore, the device preferentially schedules channel resources for User1.
4. If User1 finishes all data transmissions, the device only collects the channel occupation
time of the remaining users. The channel occupation times of User2, User3, and User4
are 8, 6, and 7 respectively. User3 occupies the channel for the shortest time. Therefore,
the data of User3 is preferentially transmitted.
5. It takes a time of 6 for User3 to finish a round of data transmission. The channel
occupation time of User3 increases to 12. The channel occupation times of User2, User3, and
User4 become 8, 12, and 7 respectively. User4 occupies the channel for the shortest
time. Therefore, channel resources are preferentially scheduled for User4.
The device preferentially schedules channel resources for the user that occupies the channel
for the shortest time. In this way, each user is assigned equal time to occupy the channel,
ensuring fairness in channel usage.
To prevent the users that accessed the network first from being unable to occupy the wireless
channel to transmit data, the device periodically clears all users' wireless channel occupation
time. In this way, all access users have the same occupation weight.
After WMM is enabled on the device and terminals, user packets are scheduled based on
different types (service types include VI, VO, BE, and BK). For example, voice packets are
only scheduled with other voice packets, and video packets with other video packets.
NOTE
If the packets of multiple users are of different types, airtime scheduling does not take effect. For example, if
one user transmits voice packets and the other transmits video packets, airtime scheduling is not performed.
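
The walkthrough for Figure 10-11 can be reproduced with a small priority-queue model of airtime scheduling. This is an added example, not the device's implementation; the class and method names, the tie-break rule (the user queued earlier goes first), and the number of rounds each user still has to send are assumptions made for the illustration.

```python
import heapq
from itertools import count


class AirtimeScheduler:
    """Grant the channel to the queued user with the shortest occupation time."""

    def __init__(self):
        self._heap = []      # entries: (occupation_time, enqueue_seq, name)
        self._seq = count()  # assumed tie-break: the user queued earlier goes first
        self._users = {}     # name -> [occupation_time, round_time, rounds_left]

    def add_user(self, name, occupied, round_time, rounds_left):
        """Queue a user by occupation time, not at the tail of the queue."""
        if round_time <= 0 or rounds_left <= 0:
            raise ValueError("round_time and rounds_left must be positive")
        if name in self._users:
            raise ValueError(f"{name} is already queued")
        self._users[name] = [occupied, round_time, rounds_left]
        heapq.heappush(self._heap, (occupied, next(self._seq), name))

    def grant(self):
        """Run one round; return (name, occupation_time_after) or None if idle."""
        if not self._heap:
            return None
        _, _, name = heapq.heappop(self._heap)
        user = self._users[name]
        user[0] += user[1]   # the round adds to the user's occupation time
        user[2] -= 1
        occupied = user[0]
        if user[2] > 0:
            # More data to send: reinsert by the updated occupation time.
            heapq.heappush(self._heap, (occupied, next(self._seq), name))
        else:
            # All data sent: the user is no longer counted.
            del self._users[name]
        return name, occupied

    def clear_occupation(self):
        """Periodic reset so that all users have the same occupation weight."""
        for user in self._users.values():
            user[0] = 0
        self._heap = [(0, seq, name) for _, seq, name in self._heap]
        heapq.heapify(self._heap)

    def occupation(self):
        """Current occupation time of every user that still has data queued."""
        return {name: user[0] for name, user in self._users.items()}


def figure_walkthrough():
    """Replay the five steps from the text with the values it gives."""
    sched = AirtimeScheduler()
    # (name, occupation time so far, time needed per round) as given in the text.
    # rounds_left=2 is constructed so that User1 finishes after its second round.
    for name, occupied, round_time in [
        ("User1", 3, 2), ("User2", 4, 4), ("User3", 6, 6), ("User4", 7, 7),
    ]:
        sched.add_user(name, occupied, round_time, rounds_left=2)
    return [sched.grant() for _ in range(5)]


if __name__ == "__main__":
    for step, (name, occupied) in enumerate(figure_walkthrough(), start=1):
        print(f"grant {step}: {name} -> occupation time {occupied}")
```

A user added with a low occupation time is granted the channel ahead of users that have already accumulated airtime, which is the difference from tail-of-queue insertion noted in the text.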

10.2.5 ACL-based Packet Filtering


A device with an ACL-based simplified traffic policy can match packet characteristics with
ACLs, and provide the same QoS for packets that match ACL rules. This implements
differentiated services.
To control traffic entering a network, configure an ACL to match information such as the
source IP address, fragment flag, destination IP address, source port number, and source MAC
address. Then, configure an ACL-based simplified traffic policy so that the device can filter
packets that match ACL rules.
Compared with a traffic policy based on traffic classifiers, an ACL-based simplified traffic
policy is easy to configure because there is no need to independently configure a traffic
classifier, traffic behavior, or traffic policy. However, an ACL-based simplified traffic policy
defines fewer matching rules than a traffic policy based on traffic classifiers.

10.2.6 Priority Increase of Lync Packets


Microsoft Lync is a set of communication software that provides voice, video, desktop
sharing, and file transfer functions.
UDP is used for voice and video transmission, and desktop sharing, and port numbers are in
the range of 1025 to 65535. TCP is used for file transfer, and port numbers are in the range of
1025 to 65535.
Lync voice and video signaling negotiation is performed in encryption mode. Wireless
terminals use HTTPS and TCP destination port 443 to negotiate with the Lync server.
The Lync client and Lync server perform session negotiation in encryption mode, and network
devices cannot identify a Lync session. That is, when Lync packets are transmitted on a
network, network devices cannot determine that service flows originate from the Lync
application. As a result, the priority of these service flows cannot be ensured. Microsoft
provides a set of Application Programming Interfaces (APIs), which can be used by the Lync
SDN Manager (LSM for short) to notify the network controller of the Lync session content
through HTTP or HTTPS. The network controller can then identify Lync packets and
process them based on priorities.

On a network, a switch can replace the network controller to interwork with the LSM and
obtain information about Lync packets. The switch delivers a rule for increasing the priority
of Lync packets based on the Lync session. When Lync packets are forwarded on the network,
the priority is increased and QoS guarantee is achieved, thereby improving user experience.

Figure 10-12 Increasing the priority of Lync packets
[Networking diagram: SwitchA and SwitchB (network devices), access switches, the Lync server, LSM, LDL, APs, and Lync clients.]

In Figure 10-12, the entities and their functions are described as follows:

• Lync client: wireless terminal that has the Lync client software installed.
• Lync server: provides services including Lync voice, video, desktop sharing, and file
  transfer.
• Lync Dialog Listener (LDL): monitors signaling of Lync clients and sends information
  such as session setup and deletion to the LSM.
• LSM: collects session information from the LDL and sends information such as session
  setup and deletion to SwitchA and SwitchB.
• SwitchA and SwitchB: function as ACs and replace the network controller to
  monitor flow information of the LSM and deliver it to the local device.
• Access switch: provides the priority service.

When Lync clients communicate with each other, the procedure for increasing the priority of
Lync packets is as follows:

1. SwitchA and SwitchB establish HTTP or HTTPS sessions with the LSM.
2. The LDL detects signaling sent by Lync clients. After a Lync client sends a service
request to the server, the LDL detects session establishment.
3. The LDL notifies the LSM that the Lync session is set up.
4. The LSM notifies SwitchA and SwitchB that the Lync session is set up.
5. SwitchA and SwitchB obtain Lync flow information from the LSM. The information
includes the application type (voice, video, desktop sharing, or file transfer) of Lync
flows and 5-tuple information (source IP address, destination IP address, source port
number, destination port number, and protocol). Then SwitchA and SwitchB deliver
Lync session entries based on priorities of the Lync flows.

After the procedure, the priority of the service flow is increased when service flows
exchanged between Lync clients pass through SwitchA and SwitchB.

After Lync clients complete communication, the sessions between Lync clients and the Lync
server are deleted. The LDL detects that the Lync session is deleted and notifies the LSM,
and then the LSM notifies SwitchA and SwitchB that the Lync session is deleted. The
switches delete the corresponding Lync session entries.

10.2.7 SVP Voice Traffic Optimization

SpectraLink Voice is a voice protocol defined by Spectralink (a Wi-Fi phone company). To
ensure Spectralink voice transmission quality on WLANs, SpectraLink defines SpectraLink
Voice Priority (SVP) to describe the requirements of SpectraLink Voice on WLANs.

WLAN devices must meet the following requirements when transmitting SpectraLink Voice packets:
• SpectraLink Voice packets are always at the head of the sending queue, so that
  they can be sent preferentially.
• The air interface backoff time is 0.

Working Mechanism
After the SVP service is enabled, its working mechanism is as follows:
• When receiving packets, an air interface identifies Spectralink Voice packets and
  modifies the priority of the Spectralink Voice packets.
  In Spectralink Voice packets, the IP protocol number is 119. When receiving packets
  with the IP protocol number of 119, a WLAN device marks the packets as Spectralink
  Voice packets, and modifies the DSCP priority of the packets to 46 and 802.1p priority to
  6.
• When the air interface sends packets, the WLAN device schedules Spectralink Voice
  packets into the SVP-dedicated queue with the CWmin and CWmax of 0. The queue has
  the same default transmit opportunity (TXOP) limit and ACK policy as the Video
  Optimization (VO) queue.

10.3 Application Scenarios for WLAN QoS


As shown in Figure 10-13, network bandwidth is limited. The device needs to provide
differentiated services for different service types, for example, reducing the jitter and latency
of voice packets and guaranteeing bandwidth for key services.


Figure 10-13 WLAN QoS networking diagram
[Networking diagram: terminals running video conference, HTTP browsing, and voice chat services; AP1 and AP2; the AC; the Internet.]

• By using WMM, voice or video data can preempt wireless channels.
• By using priority mapping, high priority data is transmitted first.
• By using traffic policing, user rate is limited and network congestion is prevented.
• By using airtime scheduling, channel occupation time of each user is scheduled. In this
  way, users on the same radio are assigned equal time to occupy the channel, ensuring
  fairness in channel usage.
• By using ACL-based packet filtering, the wireless packets matching ACL rules are
  permitted or rejected to control network traffic.
• By using ACL-based priority remarking, the priorities of wireless packets matching ACL
  rules are remarked. The packets matching the same ACL rule are provided with the same
  QoS service, and thus differentiated services are provided.

10.4 Summary of WLAN QoS Configuration Tasks


After basic WLAN service configurations are complete, APs can go online and STAs can
access the wireless network. In addition to specific WLAN QoS policies, you can also
configure other WLAN QoS policies according to the reference sections provided in the
following table.

Table 10-3 WLAN QoS configuration tasks

| Task | Description | Reference Section |
| --- | --- | --- |
| Configure WMM | You can configure radio profiles and SSID profiles to provide different capabilities for different services on STAs or APs to compete for channels to determine the quality of services. | 10.7.1 Configuring WMM |
| Configure Priority Mapping | You can configure priority mapping to distinguish data priority and ensure that data of high-priority users is transmitted first. | 10.7.2 Configuring Priority Mapping |
| Configure Traffic Policing | You can configure traffic policing to limit the STA transmission rate or AP forwarding rate, which prevents network congestion. | 10.7.3 Configuring Traffic Policing |
| Configure Airtime Scheduling | You can configure airtime scheduling to assign users on the same radio with equal channel occupation time. | 10.7.4 Configuring Airtime Fair Scheduling |
| Configure ACL-based Packet Filtering | By configuring ACL-based packet filtering, the device permits or rejects packets matching ACL rules to control network traffic. | 10.7.5 Configuring ACL-based Packet Filtering |
| Configure ACL-based Priority Remarking | By configuring ACL-based priority remarking, the device remarks the priorities of wireless packets matching ACL rules to provide differentiated services. | 10.7.6 Configuring ACL-based Priority Remarking |
| Configure voice and video service traffic optimization | You can set WMM parameter settings and priorities of voice and video traffic to improve users' voice and video service experience. | For all voice and video traffic: 10.7.9 Configuring Multimedia Air Interface Optimization. For SVP traffic: 10.7.10 Configuring SVP Voice Traffic Optimization |

10.5 Licensing Requirements and Limitations for WLAN QoS

Involved Network Elements
AP
• APs mentioned in this document are Huawei AP products. You are advised to use
  Huawei APs to connect to the AC.
• You can run the display ap-type all command to check the default AP types supported
  by the device.
• When central APs and RUs are used, ensure that their versions are the same. For
  example, if the central AP version is V200R007C10, the RU version must be
  V200R007C10.


Table 10-4 Mapping between switch versions and AP versions

| Product Software Version | AP Software Version |
| --- | --- |
| V200R012C00 | V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10 |
| V200R011C10 | V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10 |
| V200R011C00 | V200R007C20, V200R007C10, V200R006C20, V200R006C10 |
| V200R010C00 | V200R007C10, V200R006C20, V200R006C10 |
| V200R009C00 | V200R006C20, V200R006C10 |
| V200R008C00 | V200R005C30, V200R005C20, V200R005C10 |
| V200R007 | V200R005C20, V200R005C10 |
| V200R006 | V200R005C00 |

Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
• AP resource license-16AP for WLAN access controller
• AP resource license-64AP for WLAN access controller
• AP resource license-128AP for WLAN access controller
• AP resource license-512AP for WLAN access controller

For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.

Version Requirements

Table 10-5 Products and minimum version supporting the WLAN service

| Series | Product Model | Minimum Version Required |
| --- | --- | --- |
| S1700 series switches | - | Not supported |
| S2700 series switches | - | Not supported |
| S3700 series switches | - | Not supported |
| S5700 series switches | S5720HI, S5730HI | S5720HI: V200R006; S5730HI: V200R012 |
| S6700 series switches | S6720HI | V200R012 |

Feature Limitations
Configuring WMM

By default, WMM is disabled on a terminal. To implement the WMM function, you must
enable WMM on terminals and devices concurrently.

Configuring Priority Mapping

The tunnel priority mapping is applicable to scenarios where data packets are transmitted in
tunnel forwarding mode.

Configuring Priorities for Lync Packets

The switch supports priority configuration for Lync packets since V200R010C00.

The switch can be interconnected to one server where Lync SDN Manager is installed. The
version of Lync SDN Manager must be 2.0.

10.6 Default Settings for WLAN QoS


Table 10-6 Default settings for WLAN QoS

| Parameter | Default Setting |
| --- | --- |
| WMM | Enabled |
| Whether STAs that do not support WMM are allowed to connect to a WMM-enabled AP | Yes |
| Priorities of AC queues | AC_VO (Voice) > AC_VI (Video) > AC_BE (Best Effort) > AC_BK (Background) |
| Traffic policing | Disabled |
| Mapping of the priority of 802.11 packets to the DSCP priority of tunnel packets when packets are sent from an AP to an AC | For the default mapping from the user priority of 802.11 packets to the DSCP priority of tunnel packets, see priority-map tunnel-upstream dot11e dscp. For the default mapping from the user priority of 802.11 packets to the 802.1p priority of tunnel packets, see priority-map tunnel-upstream dot11e dot1p. |
| Mapping from the user priority of 802.11 packets to the 802.3 packet priority when packets are sent from an AP to an AC. | The priority mapping from 802.11 packets to 802.3 packets is 802.11. |
| Mapping from the 802.3 packet priority to the 802.11 packet priority when packets are sent to an AP from upper-layer devices. | For the default mapping from the DSCP priority of 802.3 packets to the user priority of 802.11 packets, see priority-map downstream dscp. For the default mapping from the 802.1p priority of 802.3 packets to the user priority of 802.11 packets, see priority-map downstream dot1p. |
| Airtime scheduling | Disabled |
| ACL-based packet filtering | Not configured |
| ACL-based priority remarking | Not configured |
| Lync packet priority | No priority is configured for Lync packets. |
| Multimedia air interface optimization | Disabled |
| SVP traffic optimization | Disabled |

10.7 Configuring WLAN QoS

10.7.1 Configuring WMM


Context
Adjust WMM parameter settings as follows:

• Manual adjustment: You can manually adjust EDCA parameter settings and ACK
  policies for APs and STAs.
• Automatic adjustment: After multimedia air interface optimization is enabled, the system
  automatically adjusts EDCA parameter settings and ACK policies for APs and STAs.

For details about the configuration for automatic adjustment, see 10.7.9 Configuring
Multimedia Air Interface Optimization.

Pre-configuration Tasks
Before configuring WMM, perform the task of 5 WLAN Service Configuration.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name

The 2G or 5G radio profile view is displayed.

Step 4 Run undo wmm disable

WMM is enabled.

By default, WMM is enabled.

NOTE

802.11n and 802.11ac STAs must support WMM. If the WMM function is disabled on a radio, 802.11n and
802.11ac cannot work and STAs can access the network only in 802.11a/b/g mode.
If the WMM function is disabled, access by non-HT STAs cannot be denied.

Step 5 (Optional) Run wmm mandatory enable

STAs that do not support WMM are forbidden to connect to a WMM-enabled AP.

By default, STAs that do not support WMM are allowed to connect to a WMM-enabled AP.

On a WLAN, wireless channels are open and all STAs have an equal chance to occupy the
wireless channels. You can configure WMM to assign different priorities to packets and
enable high-priority packets to preferentially use wireless channel resources, meeting
differentiated service requirements. You can also prevent STAs that do not support WMM
from connecting to a WMM-enabled AP, which keeps those STAs from preempting
channels of WMM-capable STAs.

Step 6 Run wmm edca-ap { ac-vo | ac-vi | ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin
ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value | ack-policy { normal |
noack } } *

EDCA parameters and ACK policies are set for APs.

Table 10-7 lists the default EDCA parameter settings and ACK policies for APs.

Table 10-7 Default EDCA parameter settings and ACK policies for APs

| Packet Type | ECWmax | ECWmin | AIFSN | TXOPLimit | ACK Policy |
| --- | --- | --- | --- | --- | --- |
| AC_VO | 3 | 2 | 1 | 47 | normal |
| AC_VI | 4 | 3 | 1 | 94 | normal |
| AC_BE | 6 | 4 | 3 | 0 | normal |
| AC_BK | 10 | 4 | 7 | 0 | normal |

As shown in the table, queues of AC_VO, AC_VI, AC_BE, and AC_BK are in descending
order of priority.

NOTE
After the high-density function is enabled on an AP, the AP will optimize EDCA parameters of AC_BE
packets, for example, adjusting the contention window size. In this way, the probability of user collisions will
be reduced, and users can enjoy better service experience in high-density scenarios. If you configure EDCA
parameters in the WMM profile on the AP, the configuration does not take effect on AC_BE packets.

Step 7 Run quit

Return to the WLAN view.

Step 8 Run ssid-profile name profile-name

The SSID profile view is displayed.

Step 9 Run wmm edca-client { ac-vo | ac-vi | ac-be | ac-bk } { aifsn aifsn-value | ecw ecwmin
ecwmin-value ecwmax ecwmax-value | txoplimit txoplimit-value } *

EDCA parameters are set for STAs.

Table 10-8 lists the default EDCA parameter settings for STAs.

Table 10-8 Default EDCA parameter settings for STAs

| Packet Type | ECWmax | ECWmin | AIFSN | TXOPLimit |
| --- | --- | --- | --- | --- |
| AC_VO | 3 | 2 | 2 | 47 |
| AC_VI | 4 | 3 | 2 | 94 |
| AC_BE | 10 | 4 | 3 | 0 |
| AC_BK | 10 | 4 | 7 | 0 |

As shown in the table, queues of AC_VO, AC_VI, AC_BE, and AC_BK are in descending
order of priority.

----End

Verifying the Configuration
• Run the display radio-5g-profile name profile-name or display radio-2g-profile name
  profile-name command to check the WMM configuration in a radio profile.
• Run the display ssid-profile name profile-name command to check the WMM
  configuration in an SSID profile.

10.7.2 Configuring Priority Mapping

Pre-configuration Tasks
Before configuring priority mapping, perform the task of 5 WLAN Service Configuration.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run traffic-profile name profile-name
A traffic profile is created and the traffic profile view is displayed.
By default, the system provides the traffic profile default.
Step 4 Configure priority mapping as required.
• Configure priority mapping for packets sent to an AP from upper-layer devices.
  a. Run the priority-map downstream trust { dot1p | dscp } command to configure a
     trusted priority type used in mapping from 802.3 packets to 802.11 packets when
     packets are sent to an AP from upper-layer devices.
     By default, the DSCP priority is used in mapping from 802.3 packets to 802.11
     packets when packets are sent to an AP from upper-layer devices.
  b. Configure priority mapping.
     ▪ When the DSCP priority is specified as the trusted priority type, perform the
       following configuration:
       Run the priority-map downstream dscp { dscp-value1 [ to dscp-value2 ] }
       &<1-10> dot11e dot11e-value command to configure mapping from the DSCP
       priority of 802.3 packets to the user priority of 802.11 packets.
       Table 10-9 describes the default mapping from the DSCP priority of 802.3
       packets to the user priority of 802.11 packets.
Table 10-9 Default mapping from the DSCP priority of 802.3 packets to the user priority of 802.11 packets

| DSCP | UP |
| --- | --- |
| 0-7 | 0 |
| 8-15 | 1 |
| 16-23 | 2 |
| 24-31 | 3 |
| 32-39 | 4 |
| 40-47 | 5 |
| 48-55 | 6 |
| 56-63 | 7 |

     ▪ When the 802.1p priority is specified as the trusted priority type, perform the
       following configuration:
       Run the priority-map downstream dot1p { dot1p-value1 [ to dot1p-value2 ] }
       &<1-7> dot11e dot11e-value command to configure mapping from
       the 802.1p priority of 802.3 packets to the user priority of 802.11 packets when
       packets are sent to an AP from upper-layer devices.
       By default, 802.1p priority 0 of 802.3 packets maps to user priority 0 of 802.11
       packets, 802.1p priority 1 to user priority 1, and similarly, 802.1p priority 7 to
       user priority 7.
• Configure tunnel priority mapping when data packets are sent from APs to an AC.
  NOTE
  The tunnel priority mapping is applicable to scenarios where data packets are sent in tunnel forwarding
  mode.

  a. Run the priority-map tunnel-upstream trust { dot11e | dscp } command to
     configure a trusted priority type used in mapping from 802.11 packets to tunnel
     packets.
     By default, the 802.11e priority is used in mapping from 802.11 packets to tunnel
     packets when packets are sent to the AC from an AP.
  b. Configure tunnel priority mapping.
     ▪ When the 802.11 priority is specified as the trusted priority type, perform the
       following configuration:
       Run the priority-map tunnel-upstream dot11e { dot11e-value1 [ to dot11e-value2 ] }
       &<1-7> dscp dscp-value command to configure mapping from the
       user priority of 802.11 packets to the DSCP priority of tunnel packets.
       Table 10-10 describes the default mapping from the user priority of 802.11
       packets to the DSCP priority of tunnel packets.
       NOTE
       The CAPWAP header refers to the tunnel header.

Table 10-10 Default mapping from the user priority of 802.11 packets to the DSCP priority in the CAPWAP header

| User Priority of 802.11 Packets | DSCP Priority in the CAPWAP Header |
| --- | --- |
| 0 | 0 |
| 1 | 8 |
| 2 | 16 |
| 3 | 24 |
| 4 | 32 |
| 5 | 40 |
| 6 | 48 |
| 7 | 56 |

       Run the priority-map tunnel-upstream dot11e { dot11e-value1 [ to dot11e-value2 ] }
       &<1-7> dot1p dot1p-value command to configure mapping from
       the user priority of 802.11 packets to the 802.1p priority of tunnel packets
       when packets are sent to an AC from an AP.
       By default, user priority 0 of 802.11 packets maps to 802.1p priority 0 of
       tunnel packets, user priority 1 to 802.1p priority 1, and similarly, user priority
       7 to 802.1p priority 7.
     ▪ When the DSCP priority is specified as the trusted priority type, perform the
       following configuration:
       Run the priority-map tunnel-upstream dscp { dscp-value [ to dscp-value1 ] }
       &<1-10> tunnel-dscp dscp-value2 command to configure mapping
       from the DSCP priority of 802.11 packets to the DSCP priority of tunnel
       packets.
       By default, DSCP priority 1 of 802.11 packets maps to DSCP priority 1 of tunnel
       packets, DSCP priority 2 of 802.11 packets maps to DSCP priority 2 of tunnel
       packets, and so on. DSCP priority 63 of 802.11 packets maps to DSCP priority
       63 of tunnel packets.
       Run the priority-map tunnel-upstream dscp { dscp-value1 [ to dscp-value2 ] }
       &<1-10> dot1p dot1p-value command to configure mapping from
       the DSCP priority of 802.11 packets to the 802.1p priority of tunnel packets
       when packets are sent to an AC from an AP.
       Table 10-11 describes the default mapping from DSCP priorities of 802.11
       packets to 802.1p priorities of tunnel packets.
       NOTE
       The CAPWAP header refers to the tunnel header.

Table 10-11 Default mapping from DSCP priorities of 802.11 packets to 802.1p priorities in CAPWAP headers

| DSCP Priority of 802.11 Packets | 802.1p Priority in the CAPWAP Header |
| --- | --- |
| 0-7 | 0 |
| 8-15 | 1 |
| 16-23 | 2 |
| 24-31 | 3 |
| 32-39 | 4 |
| 40-47 | 5 |
| 48-55 | 6 |
| 56-63 | 7 |

• Configure packet priority mapping when packets are sent to an AC from an AP.
  Run the priority-map upstream trust { dot11e | dscp } command to configure mapping
  from the 802.11 packet priority to the 802.3 packet priority when packets are sent to an
  AC from an AP.
  By default, the 802.11e priority is mapped from 802.11 packets to 802.3 packets when
  packets are sent from an AP to upper-layer devices.
  Currently, the priority mappings are fixed and described in the following tables.

Table 10-12 Mapping between the DSCP and 802.1p priorities

| DSCP Priority of 802.11 Packets | 802.1p Priority of 802.3 Packets |
| --- | --- |
| 0-7 | 0 |
| 8-15 | 1 |
| 16-23 | 2 |
| 24-31 | 3 |
| 32-39 | 4 |
| 40-47 | 5 |
| 48-55 | 6 |
| 56-63 | 7 |

Table 10-13 Mapping from the user priority to the 802.1p and DSCP priorities

| User Priority of 802.11 Packets | DSCP Priority of 802.3 Packets | 802.1p Priority of 802.3 Packets |
| --- | --- | --- |
| 0 | 0 | 0 |
| 1 | 8 | 1 |
| 2 | 16 | 2 |
| 3 | 24 | 3 |
| 4 | 32 | 4 |
| 5 | 40 | 5 |
| 6 | 48 | 6 |
| 7 | 56 | 7 |

Step 5 Run quit
Return to the WLAN view.
Step 6 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 7 Run traffic-profile profile-name
The traffic profile is bound to the VAP profile.
By default, the traffic profile default is bound to a VAP profile.

----End

Verifying the Configuration


• Run the display traffic-profile { all | name profile-name } command to check the
priority mapping configuration in a traffic profile.

10.7.3 Configuring Traffic Policing


Context
To protect network resources and prevent network congestion, configure traffic policing to
limit the rate of traffic entering the WLAN.
Traffic policing on a WLAN can be configured in a traffic profile or user profile.


Monitored Object: SSID-based QoS CAR
Description: If the QoS CAR in an SSID profile is set to car-value, the total bandwidth of all
the STAs associating with all the VAPs with this SSID profile bound does not exceed car-value.
Command: qos car (SSID profile view)

Monitored Object: Rate limiting for a single VAP
Description: If the rate limit in a traffic profile is set to limit, the total bandwidth of all
the STAs associating with a single VAP with this SSID profile bound does not exceed limit.
Command: rate-limit vap { up | down } rate-value

Monitored Object: Rate limiting for a single STA
Description:
• Static rate limiting: If the rate limit in a traffic profile is set to limit, the bandwidth of
a single STA with a VAP with this SSID profile bound does not exceed limit.
• Dynamic rate limiting: After dynamic rate limiting is enabled, the device determines whether
to perform three-phase rate limiting for wireless users depending on whether the air interface
is congested. This improves network experience of wireless users.
For the implementation of dynamic rate limiting, see Implementation of Dynamic Rate Limiting.
If static rate limiting has been enabled, static rate limiting takes precedence over dynamic
rate limiting.
Command:
• Static rate limiting: rate-limit client { up | down } rate-value
• Dynamic rate limiting: rate-limit client dynamic disable and rate-limit client dynamic
rate-value

Dynamic rate limiting is implemented as follows:


The system calculates the channel usage periodically (every 2 seconds). If the lower limit in a
traffic profile is set to limit, the three-phase rate limits are limit (phase-1 rate limit),
limit/2 (phase-2 rate limit), and 2×limit (phase-3 rate limit).
The system checks whether the air interface is congested as follows:
• If the channel usage is higher than 80% for five consecutive periods (10 seconds), the air
interface is congested.
• If the channel usage is lower than 70% for 30 consecutive periods (1 minute), the
congestion of the air interface is eliminated.
The following figure illustrates the transitions between the three-phase rate limiting states.

Figure 10-14 Dynamic rate limiting
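
The congestion check described above, sketched in Python as an added example (it is not Huawei code and not part of the original guide). The class and function names and the usage samples are constructed; a sample in the 70% to 80% band is assumed to break both "consecutive" runs.

```python
from dataclasses import dataclass

PERIOD_SECONDS = 2        # channel usage is calculated every 2 seconds
CONGESTED_ABOVE = 80.0    # usage must be higher than 80% ...
CONGESTED_PERIODS = 5     # ... for five consecutive periods (10 seconds)
CLEARED_BELOW = 70.0      # usage must be lower than 70% ...
CLEARED_PERIODS = 30      # ... for 30 consecutive periods (1 minute)


def phase_rate_limits(limit):
    """Phase-1, phase-2 and phase-3 rate limits derived from the configured limit.

    Which phase applies at a given moment is defined by Figure 10-14, which is
    not reproduced in the text, so this example does not model it.
    """
    return (limit, limit / 2, 2 * limit)


@dataclass
class AirInterfaceMonitor:
    """Tracks the congested / not congested state of one air interface."""
    congested: bool = False
    high_run: int = 0   # consecutive periods with usage > 80%
    low_run: int = 0    # consecutive periods with usage < 70%

    def sample(self, usage_percent):
        """Feed one periodic channel-usage value; return the resulting state."""
        # Assumption: any sample that fails a condition resets that run to zero.
        self.high_run = self.high_run + 1 if usage_percent > CONGESTED_ABOVE else 0
        self.low_run = self.low_run + 1 if usage_percent < CLEARED_BELOW else 0
        if not self.congested and self.high_run >= CONGESTED_PERIODS:
            self.congested = True
        elif self.congested and self.low_run >= CLEARED_PERIODS:
            self.congested = False
        return self.congested


def transitions(samples):
    """Return [(elapsed_seconds, congested)] for every state change."""
    monitor = AirInterfaceMonitor()
    changes = []
    for index, usage in enumerate(samples, start=1):
        before = monitor.congested
        after = monitor.sample(usage)
        if after != before:
            changes.append((index * PERIOD_SECONDS, after))
    return changes


# Constructed usage trace (percent, one value per 2-second period):
# a burst interrupted after four periods, a full burst, then a recovery
# that is interrupted once before it lasts the required minute.
CONSTRUCTED_SAMPLES = [85] * 4 + [75] + [85] * 5 + [65] * 29 + [72] + [65] * 30

if __name__ == "__main__":
    for seconds, congested in transitions(CONSTRUCTED_SAMPLES):
        print(f"t={seconds:>3}s  congested={congested}")
    print("phase limits for limit=1000 kbit/s:", phase_rate_limits(1000))
```

The gap between the 80% and 70% thresholds and the different run lengths mean that a short burst does not trigger rate limiting and a brief lull does not lift it.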

Pre-configuration Tasks
Before configuring traffic policing, perform the task of 5 WLAN Service Configuration.

Procedure
• Configure traffic policing in a traffic profile.
a. Run system-view
The system view is displayed.
b. Run wlan
The WLAN view is displayed.
c. Run traffic-profile name profile-name
A traffic profile is created and the traffic profile view is displayed.
d. Run rate-limit { client | vap } { up | down } rate-value
The rate limit is configured for upstream and downstream traffic of all STAs or a
single STA on a VAP.
– By default, the rate limit for upstream and downstream traffic of all STAs on a
VAP is 4294967295 kbit/s.


– By default, the rate limit for upstream and downstream traffic of a single STA
on a VAP is 4294967295 kbit/s.
e. Run rate-limit client dynamic disable

Dynamic rate limiting is enabled for a single STA in a VAP.

By default, dynamic rate limiting is enabled for a single STA in a VAP.


f. Run rate-limit client dynamic rate-value

The dynamic rate limit threshold is set for a single STA in a VAP.

By default, the dynamic rate limit threshold of a single STA in a VAP is 16 Mbit/s.
g. Run quit

Exit from the traffic profile view.


h. Run vap-profile name profile-name

The VAP profile view is displayed.


i. Run traffic-profile profile-name

A traffic profile is bound to the VAP profile.

By default, the traffic profile default is bound to a VAP profile.


• Configure traffic policing in an SSID profile.
NOTE

QoS CAR parameters configured in an SSID profile are valid only when the service data
forwarding mode is set to tunnel forwarding.

a. Run system-view

The system view is displayed.


b. Run wlan

The WLAN view is displayed.


c. Run ssid-profile name profile-name

The SSID profile view is displayed.


d. Run qos car inbound cir cir-value [ cbs cbs-value [ pbs pbs-value ] | pir pir-value
[ cbs cbs-value pbs pbs-value ] ]

QoS CAR parameters are configured.

By default, no QoS CAR parameters are configured in an SSID profile.

----End

Verifying the Configuration


• Run the display traffic-profile { all | name profile-name } command to check the
configuration of the rate limit for upstream and downstream traffic of the STAs on the
VAP in the traffic profile.
• Run the display ssid-profile { all | name profile-name } command to check QoS CAR
parameter settings in the SSID profile.


10.7.4 Configuring Airtime Fair Scheduling

Context
Airtime fair scheduling computes wireless channel occupation time of users in the same VAP
and preferentially schedules users who occupy the channel for a relatively short time. In this
way, each user is assigned equal time to occupy the channel, ensuring fairness in channel
usage.

Pre-configuration Tasks
Before configuring airtime fair scheduling, perform the task of 5 WLAN Service
Configuration.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run rrm-profile name profile-name

An RRM profile is created and the RRM profile view is displayed.

Step 4 Run airtime-fair-schedule enable

Airtime fair scheduling is enabled on an AP radio.

By default, airtime fair scheduling is disabled on an AP radio.

Step 5 Run quit

Return to the WLAN view.

Step 6 Bind the RRM profile to a radio profile.


1. Run the radio-2g-profile name profile-name or radio-5g-profile name profile-name
command to enter the 2G or 5G radio profile view.
2. Run the rrm-profile profile-name command to bind the RRM profile to the 2G or 5G
radio profile.
3. Run the quit command to return to the WLAN view.

Step 7 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.

----End

Verifying the Configuration


• Run the display rrm-profile { all | name profile-name } command to check airtime fair
scheduling status in an RRM profile.


10.7.5 Configuring ACL-based Packet Filtering


Context
When ACL-based packet filtering is configured in a traffic profile, the device permits or
denies packets based on ACL rules, thereby controlling network traffic.

Pre-configuration Tasks
Before configuring ACL-based packet filtering, complete the following tasks:
• Perform the task of 5 WLAN Service Configuration.
• Create corresponding ACL rules.
The traffic-filter command can reference a numbered ACL that is not configured. You
can configure the referenced ACL after running this command.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run traffic-profile name profile-name
The traffic profile view is displayed.
By default, the system provides the traffic profile default.
Step 4 Run traffic-filter { inbound | outbound } ipv4 acl { acl-number | name acl-name }
The ACL-based packet filtering in the traffic profile is configured.
By default, ACL-based packet filtering is not configured in a traffic profile.
You can configure a maximum of eight ACL rules in the same direction. The ACL rules take
effect in the sequence in which they are configured. To change the current packet filtering
rules, delete all the related configurations and reconfigure the ACL-based packet filtering.
When multiple traffic-filter commands are configured for ACL-based packet filtering in the
same direction in the same traffic profile, packets are matched against the rules in the
sequence in which the commands are configured. If packets match a rule, the device executes
the specified policy and stops the matching process. Otherwise, the device continues to match
packets against the next rule. If no rule is matched, the packets are allowed to pass through.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 7 Run traffic-profile profile-name


The traffic profile is bound to the VAP profile.

By default, the traffic profile default is bound to a VAP profile.

----End
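
The matching order and the pass-through-on-no-match behaviour described in Step 4, modelled in Python as an added example (not Huawei code and not part of the original guide). The ACL numbers, addresses and rule contents are constructed, and each ACL rule is simplified to a source/destination match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAX_FILTERS_PER_DIRECTION = 8   # limit stated in Step 4


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source network, CIDR notation
    dst: str      # destination network, CIDR notation

    def matches(self, src_ip, dst_ip):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


@dataclass(frozen=True)
class Acl:
    number: int
    rules: tuple

    def first_match(self, src_ip, dst_ip):
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip):
                return rule
        return None


class FilterDirection:
    """One direction (inbound or outbound) of a traffic profile."""

    def __init__(self):
        self.filters = []   # kept in configuration order

    def traffic_filter(self, acl):
        if len(self.filters) >= MAX_FILTERS_PER_DIRECTION:
            raise ValueError("a maximum of eight ACLs per direction")
        self.filters.append(acl)

    def evaluate(self, src_ip, dst_ip):
        """Return (action, matching ACL number or None)."""
        for acl in self.filters:
            rule = acl.first_match(src_ip, dst_ip)
            if rule is not None:
                return rule.action, acl.number   # first match ends the search
        return "permit", None                    # nothing matched: packet passes


# Constructed sample addressing and ACLs.
STA_NET = "10.23.101.0/24"
MGMT_NET = "10.23.100.0/24"
GATEWAY = "10.23.101.1/32"
ANY = "0.0.0.0/0"

BLOCK_MGMT = Acl(3001, (Rule("deny", STA_NET, MGMT_NET),))
ALLOW_GATEWAY = Acl(3002, (Rule("permit", STA_NET, GATEWAY),))
DENY_REST = Acl(3003, (Rule("deny", ANY, ANY),))


def build(*acls):
    direction = FilterDirection()
    for acl in acls:
        direction.traffic_filter(acl)
    return direction


def open_profile():
    """Two specific ACLs only: unmatched traffic falls through and passes."""
    return build(BLOCK_MGMT, ALLOW_GATEWAY)


def closed_profile():
    """Same ACLs followed by a catch-all deny configured last."""
    return build(BLOCK_MGMT, ALLOW_GATEWAY, DENY_REST)


def shadowed_profile():
    """Catch-all configured too early: it shadows the later permit."""
    return build(BLOCK_MGMT, DENY_REST, ALLOW_GATEWAY)


if __name__ == "__main__":
    for name, profile in (("open", open_profile()), ("closed", closed_profile()),
                          ("shadowed", shadowed_profile())):
        for dst in ("10.23.100.1", "10.23.101.1", "192.0.2.10"):
            print(name, dst, profile.evaluate("10.23.101.50", dst))
```

Because the configured order is the evaluation order and rules can only be changed by deleting and reconfiguring them, a profile meant to allow only listed traffic needs its catch-all deny configured last.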

10.7.6 Configuring ACL-based Priority Remarking

Context
When ACL-based priority remarking is configured, the device remarks the priorities of wireless
packets matching ACL rules to provide differentiated services.

Pre-configuration Tasks
Before configuring ACL-based priority remarking, complete the following tasks:

• 5 WLAN Service Configuration
• Create ACL rules.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run traffic-profile name profile-name

A traffic profile is created and the traffic profile view is displayed.

By default, the system provides the traffic profile default.

Step 4 Run the traffic-remark { inbound | outbound } ipv4 acl { acl-number | name acl-name }
{ dot11e dot11e-value | dscp dscp-value } command to configure ACL-based priority remarking
in the traffic profile.

By default, ACL-based priority remarking is not configured in a traffic profile.

The traffic-remark command can reference a numbered ACL rule that is not configured. You
can configure the referenced ACL rule after running this command.

You can configure a maximum of eight ACL-based packet remarking rules in the same
direction. The ACL rules take effect in the sequence in which they are configured. To change
the current packet remarking rules, delete all the related configurations and reconfigure the
ACL-based packet remarking.

Step 5 Run quit

Return to the WLAN view.

Step 6 Run vap-profile name profile-name

The VAP profile view is displayed.


Step 7 Run traffic-profile profile-name


The traffic profile is bound to the VAP profile.
By default, the traffic profile default is bound to a VAP profile.

----End

10.7.7 Configuring User Isolation on a VAP

Context
In a traffic profile, user isolation prevents packets of users on a VAP from being forwarded to
each other. That is, users on a VAP cannot communicate with each other after user isolation is
enabled. This improves user communication security and enables the gateway to centrally
forward user traffic, facilitating user management.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run traffic-profile name profile-name
A traffic profile is created, and the traffic profile view is displayed.
By default, the system provides the traffic profile default.
Step 4 Run user-isolate l2
The user isolation function is enabled.
By default, user isolation is disabled in a traffic profile.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 7 Run traffic-profile profile-name
The traffic profile is bound to the VAP profile.
By default, the traffic profile default is bound to a VAP profile.

----End

Verifying the Configuration


• Run the display traffic-profile { all | name profile-name } command to check the user
isolation configuration in a traffic profile.


10.7.8 Configuring Priorities for Lync Packets


Context
Microsoft Lync is a set of communication software that provides voice, video, desktop
sharing, and file transfer functions. To guarantee QoS for Lync packets and improve
user experience, configure the switch to communicate with the Lync server and set the priority
of Lync packets.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run lync listener { http-port port-num | https-port port-num ssl-policy ssl-policy }
The switch is configured to communicate with the Lync server and the port number is
specified.
By default, the switch is not configured to communicate with the Lync server and the port
number is not specified.

NOTE

To avoid affecting communication with the Lync server, you are advised to use a port number that
is not in use. You can run the display ip socket register-port command to check used port numbers.

Step 3 (Optional) Run lync acl acl-number


The switch is configured to use an ACL to filter packets sent by the Lync server. This function
protects the switch against large numbers of packets sent by bogus Lync servers.

NOTE

To ensure that the packet filtering function takes effect in time, create a basic or advanced ACL and
configure rules before you run this command.

Step 4 Run ucc-profile name profile-name


A UCC profile is created and the UCC profile view is displayed.
By default, no UCC profile is created.
Step 5 Run the following commands as required.
• Run app-share remark { 8021p 8021p-value | dscp { dscp-value | dscp-name } |
local-precedence { local-precedence-value | local-precedence-name } }
The priority of Lync desktop sharing packets is set.
• Run file-transfer remark { 8021p 8021p-value | dscp { dscp-value | dscp-name } |
local-precedence { local-precedence-value | local-precedence-name } }
The priority of Lync file transfer packets is set.
By default, the priority of Lync file transfer packets is not set.
• Run video remark { 8021p 8021p-value | dscp { dscp-value | dscp-name } |
local-precedence { local-precedence-value | local-precedence-name } }
The priority of Lync video packets is set.
By default, the priority of Lync video packets is not set.


• Run voice remark { 8021p 8021p-value | dscp { dscp-value | dscp-name } |
local-precedence { local-precedence-value | local-precedence-name } }
The priority of Lync voice packets is set.
By default, the priority of Lync voice packets is not set.

Step 6 Run quit

Exit from the UCC profile view.

Step 7 Run wlan

The WLAN view is displayed.

Step 8 Run vap-profile name profile-name

A VAP profile is created and the VAP profile view is displayed.

By default, no VAP profile is created.

Step 9 Run ucc-profile profile-name

The UCC profile is bound to the VAP profile.

By default, no UCC profile is bound to a VAP profile.

----End

Verifying the Configuration


Run the display ucc-profile { all | name profile-name } command to check the UCC profile
configuration and application.

10.7.9 Configuring Multimedia Air Interface Optimization

Context
Adjust WMM parameter settings as follows:
• Manual adjustment: You can manually adjust EDCA parameter settings and ACK
policies for APs and STAs.
• Automatic adjustment: After multimedia air interface optimization is enabled, the system
automatically adjusts EDCA parameter settings and ACK policies for APs and STAs.

After multimedia air interface optimization is enabled, the system dynamically adjusts EDCA
parameter settings and ACK policies based on the number of different types of access users,
improving user experience on voice and video applications.

The number of voice or video users is identified based on the user packet density threshold
configured using the multimedia-air-optimize threshold command. If the number of voice
or video packets sent by a user through the internal statistics queue of a radio within the unit
time (1 second) exceeds the threshold, the user is considered a voice or video user.

The multimedia air interface optimization and dynamic EDCA parameter adjustment
functions are mutually exclusive.

After the multimedia-air-optimize enable command is executed, the wmm edca-ap and
wmm edca-client (SSID profile view) commands do not take effect.


For details about the configuration for manual EDCA parameter adjustment, see 10.7.1
Configuring WMM.

Pre-configuration Tasks
Before configuring multimedia air interface optimization, complete the following tasks:

• Configure basic WLAN services.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run rrm-profile name profile-name

A radio resource management (RRM) profile is created, and the RRM profile view is
displayed.

Step 4 Run multimedia-air-optimize enable

Multimedia air interface optimization is enabled.

By default, multimedia air interface optimization is disabled.

Step 5 (Optional) Run multimedia-air-optimize threshold { video video | voice voice } *

The user packet density threshold is set for multimedia air interface optimization.

By default, the video user packet density threshold is 100 per second, and the default voice
user packet density threshold is 30 per second.

Step 6 Run quit

Return to the WLAN view.

Step 7 Bind the RRM profile to a radio profile.


1. Run the radio-2g-profile name profile-name or radio-5g-profile name profile-name
command to enter the 2G or 5G radio profile view.
2. Run the rrm-profile profile-name command to bind the RRM profile to the 2G or 5G
radio profile.
3. Run the quit command to return to the WLAN view.

Step 8 Bind the radio profile to an AP group or a specific AP. For the detailed procedure, see 5.11.1.5
Binding a Radio Profile.

----End

Verifying the Configuration


• Run the display rrm-profile name profile-name command to check configuration of the
multimedia air interface optimization function.


10.7.10 Configuring SVP Voice Traffic Optimization

Pre-configuration Tasks
Before configuring Spectralink Voice Priority (SVP) voice traffic optimization, complete the
following task:

• Configuring Basic WLAN Services

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run traffic-profile name profile-name

A traffic profile is created and the traffic profile view is displayed.

By default, the system provides the traffic profile default.

Step 4 Run svp-voice enable

SVP voice traffic optimization is enabled.

By default, the SVP voice traffic optimization function is disabled.

Step 5 Run quit

Return to the WLAN view.

Step 6 Run vap-profile name profile-name

The VAP profile view is displayed.

Step 7 Run traffic-profile profile-name

The traffic profile is bound to a VAP profile.

By default, the traffic profile default is bound to a VAP profile.

----End

Verifying the Configuration


• Run the display traffic-profile { all | name profile-name } command to check the SVP
voice traffic optimization configuration in the traffic profile.

10.8 Configuration Examples for WLAN QoS

10.8.1 Example for Configuring WMM and Priority Mapping


Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 10-15, the AP is directly connected to the AC. An enterprise branch
needs to deploy basic WLAN services for mobile office so that branch users can access
internal network resources anywhere at any time.
Voice, video, and data services are transmitted within the coverage of the AP. Users expect
that video services are preferentially forwarded by the AP and AC and have the highest
priority to use wireless network resources.

Figure 10-15 Networking diagram for configuring priority mapping

[Figure: Internet -- (GE0/0/2, VLAN 101) AC (GE0/0/1, VLAN 100) -- (GE0/0/2, VLAN 100) SwitchA (GE0/0/1, VLAN 100) -- AP -- STAs]

Management VLAN: VLAN 100
Service VLAN: VLAN 101

Configuration Roadmap
The configuration roadmap is as follows:


1. Configure basic WLAN services so that users can connect to the wireless network.
2. Configure parameters used by the AP so that video services have higher priorities over
voice and data services and preferentially use the bandwidth.
3. Configure priority mapping in the traffic profile so that video services have higher
priorities over voice and data services and preferentially use the bandwidth.

Table 10-14 Data planning

Item                             Data
DHCP server                      The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP       10.23.100.2-10.23.100.254/24
IP address pool for STAs         10.23.101.2-10.23.101.254/24
AC's source interface address    VLANIF 100: 10.23.100.1/24
AP group                         • Name: ap-group1
                                 • Referenced profile: VAP profile wlan-vap, regulatory domain profile
                                   domain1 and 2G radio profile wlan-radio2g
Regulatory domain profile        • Name: domain1
                                 • Country code: CN
SSID profile                     • Name: wlan-ssid
                                 • SSID name: wlan-net
Security profile                 • Name: wlan-security
                                 • Security policy: WPA2+PSK+AES
                                 • Password: a1234567
VAP profile                      • Name: wlan-vap
                                 • Forwarding mode: tunnel forwarding
                                 • Service VLAN: VLAN 101
                                 • Referenced profile: SSID profile wlan-ssid, security profile
                                   wlan-security and traffic profile traffic
2G radio profile                 • Name: wlan-radio2g
                                 • Configuring WMM.
Traffic profile                  • Name: traffic
                                 • Configuring priority mapping.


Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1


[AC-GigabitEthernet0/0/1] port link-type trunk


[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.

# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.

# Create an AP group and add the AP to the AP group.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100


# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Configure the WMM function.


# Create the 2G radio profile wlan-radio2g and configure the WMM function to enable video
services to preferentially use network bandwidth.

NOTE
The following example configures a 2G radio profile. The configuration of the 5G radio profile is similar.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-vo ecw ecwmin 3 ecwmax 4 txoplimit 94
[AC-wlan-radio-2g-prof-wlan-radio2g] wmm edca-ap ac-vi ecw ecwmin 2 ecwmax 3 txoplimit 47
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Bind the 2G radio profile wlan-radio2g to the AP group ap-group1.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g
[AC-wlan-ap-group-ap-group1] quit

# In the SSID profile wlan-ssid, configure the WMM function to enable video services to
preferentially use network bandwidth.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] wmm edca-client ac-vo ecw ecwmin 3 ecwmax 4 txoplimit 94
[AC-wlan-ssid-prof-wlan-ssid] wmm edca-client ac-vi ecw ecwmin 2 ecwmax 3 txoplimit 47
[AC-wlan-ssid-prof-wlan-ssid] quit

Step 9 Configure priority mapping.


# Create the traffic profile traffic and configure priority mapping in the profile.

NOTE
By default, the user priority of voice packets is set to 6 or 7 on the terminal, and that of the video packets is
set to 4 or 5.
[AC-wlan-view] traffic-profile name traffic
[AC-wlan-traffic-prof-traffic] priority-map downstream trust dscp
[AC-wlan-traffic-prof-traffic] priority-map downstream dscp 48 to 55 dot11e 4
[AC-wlan-traffic-prof-traffic] priority-map downstream dscp 56 to 63 dot11e 5
[AC-wlan-traffic-prof-traffic] priority-map downstream dscp 32 to 39 dot11e 6
[AC-wlan-traffic-prof-traffic] priority-map downstream dscp 40 to 47 dot11e 7
[AC-wlan-traffic-prof-traffic] priority-map tunnel-upstream trust dot11e
[AC-wlan-traffic-prof-traffic] priority-map tunnel-upstream dot11e 6 dscp 32
[AC-wlan-traffic-prof-traffic] priority-map tunnel-upstream dot11e 7 dscp 40
[AC-wlan-traffic-prof-traffic] priority-map tunnel-upstream dot11e 4 dscp 48
[AC-wlan-traffic-prof-traffic] priority-map tunnel-upstream dot11e 5 dscp 56
[AC-wlan-traffic-prof-traffic] quit

# Bind the traffic profile traffic to the VAP profile wlan-vap.


[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] traffic-profile traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] quit

Step 10 Verify the configuration.


Run the display radio-2g-profile command on the AC to check the configuration of the 2G
radio profile.
[AC-wlan-view] display radio-2g-profile name wlan-radio2g
------------------------------------------------------------
Radio type : 802.11n
Power auto adjust : disable
Beacon interval(TUs) : 100
Beamforming switch : disable
Support short preamble : support
Fragmentation threshold(Byte) : 2346
Channel switch announcement : enable
Channel switch mode : continue
Guard interval mode : normal
HT A-MPDU switch : enable
HT A-MPDU length limit : 3
RTS-CTS-mode : cts-to-self
RTS-CTS-threshold : 2347
802.11bg basic rate : 1 2
802.11bg support rate : 1 2 5 6 9 11 12 18 24 36 48 54
Multicast rate 2.4G : auto adapt
Interference detect switch : disable
Co-channel frequency interference threshold(%) : 50
Adjacent-channel frequency interference threshold(%) : 50
Station interference threshold : 32
WMM switch : enable
Mandatory switch : disable
Auto-off start time : -
Auto-off end time : -
Wifi-light mode : signal-strength
Utmost power switch : enable
Rrm-profile : default
Air-scan-profile : default
Smart-antenna : disable
------------------------------------------------------------
AP EDCA parameters:
---------------------------------------------------
       ECWmax  ECWmin  AIFSN  TXOPLimit(32us)  Ack-Policy
AC_VO  4       3       1      94               normal
AC_VI  3       2       1      47               normal
AC_BE  6       4       3      0                normal
AC_BK  10      4       7      0                normal
---------------------------------------------------

Run the display ssid-profile command on the AC to check the configuration of the SSID
profile.
[AC-wlan-view] display ssid-profile name wlan-ssid
-------------------------------------------------------------------
Profile ID : 1
SSID : wlan-net
SSID hide : disable
Association timeout(min) : 5
Max STA number : 64
Reach max STA SSID hide : enable
Legacy station : enable
DTIM interval : 1
Beacon 2.4G rate(Mbps) : 1
Beacon 5G rate(Mbps) : 6
Deny-broadcast-probe : disable
Probe-response-retry num : 1
QOS CAR inbound CIR(kbit/s) : -
QOS CAR inbound PIR(kbit/s) : -
QOS CAR inbound CBS(byte) : -
QOS CAR inbound PBS(byte) : -
U-APSD : disable
Active dull client : disable
MU-MIMO : disable
-------------------------------------------------------------------
WMM EDCA client parameters:
-------------------------------------------------------------------
       ECWmax  ECWmin  AIFSN  TXOPLimit
AC_VO  4       3       2      94
AC_VI  3       2       2      47
AC_BE  10      4       3      0
AC_BK  10      4       7      0
-------------------------------------------------------------------

Run the display traffic-profile command on the AC to check the configuration of the traffic
profile.
[AC-wlan-view] display traffic-profile name traffic
----------------------------------------------------
Profile ID : 1
Priority map downstream trust : DSCP
User isolate mode : disable
Rate limit client up(Kbps) : 4294967295
Rate limit client down(Kbps) : 4294967295
Rate limit VAP up(Kbps) : 4294967295
Rate limit VAP down(Kbps) : 4294967295
IGMP snooping : disable
IGMP snooping report suppress : disable
IGMP snooping max bandwith(kbps) : -
IGMP snooping max user : -
Traffic optimize sta bridge forward : enable
Traffic optimize broadcast suppression(pps): -
Traffic optimize multicast suppression(pps): -
Traffic optimize unicast suppression(pps): -
Traffic optimize multicast to unicast: disable
Dynamic adaptive : enable
Traffic remark inbound IPv4 ACL : -
Traffic remark inbound IPv4 type : -
Traffic remark inbound IPv4 value : -
Traffic remark outbound IPv4 ACL: -
Traffic remark outbound IPv4 type : -
Traffic remark outbound IPv4 value: -
Priority map upstream trust : 8021e
CAPWAP priority upstream map mode: 802.11e map DSCP
0 map 0
1 map 8
2 map 16
3 map 24
6 map 32
7 map 40
4 map 48
5 map 56
CAPWAP priority upstream map mode: 802.11e map 802.1p
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
WMM priority downstream map mode: DSCP map 802.11e
0-7 map 0
8-15 map 1
16-23 map 2
24-31 map 3
48-55 map 4
56-63 map 5
32-39 map 6
40-47 map 7
WMM priority downstream map mode: 802.1p map 802.11e
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
---------------------------------------------------------------------------------------------
Traffic Type Direction AppliedRecord
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
----------------------------------------------------

----End
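
Added example (not part of the Huawei guide): a Python sketch that overlays the Step 9 priority-map commands on the default maps and checks that the upstream and downstream maps agree, which is what the display traffic-profile output above should confirm. The function names are hypothetical, the default maps are taken from the display output on this page, and the access-category table is the standard WMM assignment.

```python
import re

# Commands from Step 9 of the example, with prompts, as typed on the AC.
STEP9_COMMANDS = """
[AC-wlan-traffic-prof-traffic] priority-map downstream trust dscp
[AC-wlan-traffic-prof-traffic] priority-map downstream dscp 48 to 55 dot11e 4
[AC-wlan-traffic-prof-traffic] priority-map downstream dscp 56 to 63 dot11e 5
[AC-wlan-traffic-prof-traffic] priority-map downstream dscp 32 to 39 dot11e 6
[AC-wlan-traffic-prof-traffic] priority-map downstream dscp 40 to 47 dot11e 7
[AC-wlan-traffic-prof-traffic] priority-map tunnel-upstream trust dot11e
[AC-wlan-traffic-prof-traffic] priority-map tunnel-upstream dot11e 6 dscp 32
[AC-wlan-traffic-prof-traffic] priority-map tunnel-upstream dot11e 7 dscp 40
[AC-wlan-traffic-prof-traffic] priority-map tunnel-upstream dot11e 4 dscp 48
[AC-wlan-traffic-prof-traffic] priority-map tunnel-upstream dot11e 5 dscp 56
""".strip().splitlines()

PROMPT_RE = re.compile(r"^\[[^\]]+\]\s*")
# Assumption: the "to <last>" part is treated as optional by this sketch.
DOWN_RE = re.compile(r"priority-map downstream dscp (\d+)(?: to (\d+))? dot11e (\d+)$")
UP_RE = re.compile(r"priority-map tunnel-upstream dot11e (\d+) dscp (\d+)$")

# 802.11e user priority -> WMM access category (standard WMM assignment).
ACCESS_CATEGORY = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
                   4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}


def default_maps():
    """Maps listed by display traffic-profile when nothing is overridden."""
    down = {dscp: dscp // 8 for dscp in range(64)}   # DSCP -> 802.11e
    up = {prio: prio * 8 for prio in range(8)}        # 802.11e -> DSCP
    return down, up


def apply_commands(lines):
    """Overlay priority-map commands on the defaults; reject bad values."""
    down, up = default_maps()
    for raw in lines:
        line = PROMPT_RE.sub("", raw.strip())
        m = DOWN_RE.match(line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            prio = int(m.group(3))
            if not (0 <= first <= last <= 63 and 0 <= prio <= 7):
                raise ValueError(f"value out of range: {line}")
            for dscp in range(first, last + 1):
                down[dscp] = prio
            continue
        m = UP_RE.match(line)
        if m:
            prio, dscp = int(m.group(1)), int(m.group(2))
            if not (0 <= prio <= 7 and 0 <= dscp <= 63):
                raise ValueError(f"value out of range: {line}")
            up[prio] = dscp
    return down, up


def collapse(down):
    """Group the DSCP -> 802.11e map into (first, last, priority) runs."""
    runs = []
    for dscp in range(64):
        if runs and runs[-1][2] == down[dscp]:
            runs[-1] = (runs[-1][0], dscp, down[dscp])
        else:
            runs.append((dscp, dscp, down[dscp]))
    return runs


def round_trip_mismatches(down, up):
    """Priorities whose upstream DSCP maps back to another priority downstream."""
    return [(p, up[p], down[up[p]]) for p in range(8) if down[up[p]] != p]


if __name__ == "__main__":
    down, up = apply_commands(STEP9_COMMANDS)
    for first, last, prio in collapse(down):
        print(f"DSCP {first}-{last} -> 802.11e {prio} ({ACCESS_CATEGORY[prio]})")
    print("round-trip mismatches:", round_trip_mismatches(down, up))
    # Failure mode: only the downstream half of Step 9 is configured.
    down_only, up_default = apply_commands(STEP9_COMMANDS[:5])
    print("downstream only:", round_trip_mismatches(down_only, up_default))
```

With only the downstream commands applied, priorities 4 to 7 no longer round-trip, so voice and video traffic would be queued differently in the two directions.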

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 traffic-profile name traffic
  priority-map downstream dscp 48 to 55 dot11e 4
  priority-map downstream dscp 56 to 63 dot11e 5
  priority-map downstream dscp 32 to 39 dot11e 6
  priority-map downstream dscp 40 to 47 dot11e 7
  priority-map tunnel-upstream dot11e 6 dscp 32
  priority-map tunnel-upstream dot11e 7 dscp 40
  priority-map tunnel-upstream dot11e 4 dscp 48
  priority-map tunnel-upstream dot11e 5 dscp 56
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
  wmm edca-client ac-vi aifsn 2 ecw ecwmin 2 ecwmax 3 txoplimit 47
  wmm edca-client ac-vo aifsn 2 ecw ecwmin 3 ecwmax 4 txoplimit 94
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  traffic-profile traffic
 regulatory-domain-profile name domain1
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 radio-2g-profile name wlan-radio2g
  wmm edca-ap ac-vi aifsn 1 ecw ecwmin 2 ecwmax 3 txoplimit 47 ack-policy normal
  wmm edca-ap ac-vo aifsn 1 ecw ecwmin 3 ecwmax 4 txoplimit 94 ack-policy normal
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return

10.8.2 Example for Configuring Traffic Policing

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 10-16, the AP is directly connected to the AC. An enterprise branch
needs to deploy basic WLAN services for mobile office so that branch users can access
internal network resources anywhere at any time.
The enterprise network administrator needs to set the rate limit of upstream traffic on each
STA associated with the AP to 2 Mbit/s and the limit of total rates of upstream traffic on all
STAs associated with the VAP to 30 Mbit/s.


Figure 10-16 Networking diagram for configuring traffic policing
(Diagram: Internet - AC GE0/0/2 (VLAN 101); AC GE0/0/1 (VLAN 100) - SwitchA GE0/0/2 (VLAN 100); SwitchA GE0/0/1 (VLAN 100) - AP - STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services so that users can connect to the wireless network.
2. Set the rate for upstream packets in the traffic profile used by the AP to implement traffic
policing on upstream packets on a specified STA and on all STAs associated with the
VAP.

Table 10-15 Data planning

Item                           Data
-----------------------------  --------------------------------------------------
DHCP server                    The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP     10.23.100.2-10.23.100.254/24
IP address pool for STAs       10.23.101.2-10.23.101.254/24
AC's source interface address  VLANIF 100: 10.23.100.1/24
AP group                       ● Name: ap-group1
                               ● Referenced profile: VAP profile wlan-vap and regulatory domain profile domain1
Regulatory domain profile      ● Name: domain1
                               ● Country code: CN
SSID profile                   ● Name: wlan-ssid
                               ● SSID name: wlan-net
Security profile               ● Name: wlan-security
                               ● Security policy: WPA2+PSK+AES
                               ● Password: a1234567
VAP profile                    ● Name: wlan-vap
                               ● Forwarding mode: tunnel forwarding
                               ● Service VLAN: VLAN 101
                               ● Referenced profile: SSID profile wlan-ssid, security profile wlan-security and traffic profile traffic
Traffic profile                ● Name: traffic
                               ● Configuring traffic policing.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.

# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.

# Create an AP group and add the AP to the AP group.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit


# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Configure traffic policing.


# Create the traffic profile traffic and set traffic policing parameters in the profile.
[AC-wlan-view] traffic-profile name traffic
[AC-wlan-traffic-prof-traffic] rate-limit client up 2048
[AC-wlan-traffic-prof-traffic] rate-limit vap up 30720
[AC-wlan-traffic-prof-traffic] quit

# Bind the traffic profile traffic to the VAP profile wlan-vap.


[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] traffic-profile traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] quit

Step 9 Verify the configuration.


Run the display traffic-profile name traffic command on the AC to check the traffic profile
configuration. The command output shows that the uplink rate limit of a single STA is 2048
kbit/s (2 Mbit/s) and the total uplink rate limit of all STAs on a VAP is 30720 kbit/s (30
Mbit/s).
[AC-wlan-view] display traffic-profile name traffic
----------------------------------------------------
Profile ID : 1
Priority map downstream trust : DSCP
User isolate mode : disable
Rate limit client up(Kbps) : 2048
Rate limit client down(Kbps) : 4294967295
Rate limit VAP up(Kbps) : 30720
Rate limit VAP down(Kbps) : 4294967295
IGMP snooping : disable
IGMP snooping report suppress : disable
IGMP snooping max bandwith(kbps) : -
IGMP snooping max user : -
Traffic optimize sta bridge forward : enable
Traffic optimize broadcast suppression(pps): -
Traffic optimize multicast suppression(pps): -
Traffic optimize unicast suppression(pps): -
Traffic optimize multicast to unicast: disable
Dynamic adaptive : enable
Traffic remark inbound IPv4 ACL : -
Traffic remark inbound IPv4 type : -
Traffic remark inbound IPv4 value : -
Traffic remark outbound IPv4 ACL: -
Traffic remark outbound IPv4 type : -
Traffic remark outbound IPv4 value: -
Priority map upstream trust : 8021e
CAPWAP priority upstream map mode: 802.11e map DSCP
0 map 0
1 map 8
2 map 16
3 map 24
4 map 32
5 map 40
6 map 48
7 map 56
CAPWAP priority upstream map mode: 802.11e map 802.1p
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
WMM priority downstream map mode: DSCP map 802.11e
0-7 map 0
8-15 map 1
16-23 map 2
24-31 map 3
32-39 map 4
40-47 map 5
48-55 map 6
56-63 map 7
WMM priority downstream map mode: 802.1p map 802.11e
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
---------------------------------------------------------------------------------------------
Traffic Type Direction AppliedRecord
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
----------------------------------------------------

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 traffic-profile name traffic
  rate-limit client up 2048
  rate-limit vap up 30720
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  traffic-profile traffic
 regulatory-domain-profile name domain1
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return
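
Added example (not part of the Huawei guide): a Python audit of a saved AC configuration file against this example's requirements, namely the 2 Mbit/s per-STA and 30 Mbit/s per-VAP upstream ceilings and the configuration note that the service VLAN must differ from the management VLAN in tunnel forwarding mode. Function names and the second sample are constructed for illustration, and the CAPWAP source VLANIF is assumed to be the management VLAN, as in this example.

```python
import re

# Constructed sample: the WLAN part of the AC configuration file above.
# Assumption: one space of indentation per view level (the parser ignores it).
PAGE_CONFIG = """\
capwap source interface vlanif100
#
wlan
 traffic-profile name traffic
  rate-limit client up 2048
  rate-limit vap up 30720
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  traffic-profile traffic
 ap-group name ap-group1
  vap-profile wlan-vap wlan 1
"""

# Constructed counter-example; "guest" and "lab-vap" are hypothetical names.
DRIFTED_CONFIG = """\
capwap source interface vlanif100
#
wlan
 traffic-profile name guest
  rate-limit client up 8192
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 100
  traffic-profile guest
 vap-profile name lab-vap
  forward-mode tunnel
  service-vlan vlan-id 101
"""

# Ceilings from the networking requirements, in kbit/s: 2 Mbit/s and 30 Mbit/s.
POLICY = {("client", "up"): 2048, ("vap", "up"): 30720}

PROFILE_RE = re.compile(r"([\w-]+-profile) name (\S+)$")
RATE_RE = re.compile(r"rate-limit (client|vap) (up|down) (\d+)$")
CAPWAP_RE = re.compile(r"capwap source interface vlanif\s*(\d+)$", re.I)


def parse_ac_config(text):
    """Collect the CAPWAP source VLAN, traffic profiles and VAP profiles."""
    cfg = {"mgmt_vlan": None, "traffic": {}, "vap": {}}
    section = None  # (kind, name) of the profile whose lines are being read
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "#" or line.startswith(("ap-group name ", "ap-id ")):
            section = None
        elif CAPWAP_RE.match(line):
            cfg["mgmt_vlan"] = int(CAPWAP_RE.match(line).group(1))
        elif PROFILE_RE.match(line):
            section = PROFILE_RE.match(line).groups()
            if section[0] in ("traffic-profile", "vap-profile"):
                cfg[section[0].split("-")[0]].setdefault(section[1], {})
        elif section and section[0] == "traffic-profile" and RATE_RE.match(line):
            scope, direction, kbps = RATE_RE.match(line).groups()
            cfg["traffic"][section[1]][(scope, direction)] = int(kbps)
        elif section and section[0] == "vap-profile":
            vap, words = cfg["vap"][section[1]], line.split()
            if len(words) == 2 and words[0] == "forward-mode":
                vap["forward_mode"] = words[1]
            elif len(words) == 3 and words[:2] == ["service-vlan", "vlan-id"]:
                vap["service_vlan"] = int(words[2])
            elif len(words) == 2 and words[0] == "traffic-profile":
                vap["traffic_profile"] = words[1]
    return cfg


def audit(text, policy=POLICY):
    """Return findings; an empty list means the file meets the policy."""
    cfg, findings = parse_ac_config(text), []
    for name, vap in sorted(cfg["vap"].items()):
        profile = vap.get("traffic_profile")
        limits = cfg["traffic"].get(profile)
        if profile is None:
            findings.append(f"{name}: no traffic-profile bound")
        elif limits is None:
            findings.append(f"{name}: traffic-profile {profile} is not defined")
        else:
            for (scope, direction), ceiling in policy.items():
                kbps = limits.get((scope, direction))
                if kbps is None:
                    findings.append(f"{name}: {profile} has no rate-limit {scope} {direction}")
                elif kbps > ceiling:
                    findings.append(f"{name}: {profile} rate-limit {scope} {direction} "
                                    f"{kbps} exceeds {ceiling}")
        # Configuration note on this page: in tunnel forwarding mode the
        # management VLAN and the service VLAN cannot be the same.
        if (vap.get("forward_mode") == "tunnel" and cfg["mgmt_vlan"] is not None
                and vap.get("service_vlan") == cfg["mgmt_vlan"]):
            findings.append(f"{name}: service VLAN {vap['service_vlan']} is the management VLAN")
    return findings


if __name__ == "__main__":
    for label, text in (("page", PAGE_CONFIG), ("drifted", DRIFTED_CONFIG)):
        print(label, audit(text) or "OK")
```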

10.8.3 Example for Configuring Airtime Fair Scheduling

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 10-17, the AP is directly connected to the AC. An enterprise branch
needs to deploy basic WLAN services for mobile office so that branch users can access
internal network resources anywhere at any time.

The enterprise network administrator expects that users can be assigned equal bandwidth
occupation time so that the overall user experience can be improved.

Figure 10-17 Networking diagram for configuring airtime fair scheduling
(Diagram: Internet - AC GE0/0/2 (VLAN 101); AC GE0/0/1 (VLAN 100) - SwitchA GE0/0/2 (VLAN 100); SwitchA GE0/0/1 (VLAN 100) - AP - STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services so that users can connect to the wireless network.
2. Enable airtime fair scheduling to ensure that users on the same radio have equal
bandwidth occupation time to improve user experience.


Table 10-16 Data planning


Item                            Data
DHCP server                     The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP      10.23.100.2-10.23.100.254/24
IP address pool for STAs        10.23.101.2-10.23.101.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        ● Name: ap-group1
                                ● Referenced profile: VAP profile wlan-vap, regulatory domain profile domain1 and 2G radio profile wlan-radio2g
Regulatory domain profile       ● Name: domain1
                                ● Country code: CN
SSID profile                    ● Name: wlan-ssid
                                ● SSID name: wlan-net
Security profile                ● Name: wlan-security
                                ● Security policy: WPA2+PSK+AES
                                ● Password: a1234567
VAP profile                     ● Name: wlan-vap
                                ● Forwarding mode: tunnel forwarding
                                ● Service VLAN: VLAN 101
                                ● Referenced profile: SSID profile wlan-ssid, security profile wlan-security
2G radio profile                ● Name: wlan-radio2g
                                ● Configuring WMM.
RRM profile                     ● Name: rrm
                                ● Configuring airtime fair scheduling.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.


NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure airtime fair scheduling.


# Create the 2G radio profile wlan-radio2g.

NOTE
The following example configures a 2G radio profile. The configuration of the 5G radio profile is similar.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Bind the 2G radio profile wlan-radio2g to the AP group ap-group1.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g
[AC-wlan-ap-group-ap-group1] quit

# Create the RRM profile rrm and enable airtime fair scheduling.
[AC-wlan-view] rrm-profile name rrm
[AC-wlan-rrm-prof-rrm] airtime-fair-schedule enable
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-rrm-prof-rrm] quit

# Bind the RRM profile rrm to the 2G radio profile wlan-radio2g.


[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] rrm-profile rrm
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

Step 8 Set channels and power for the AP radios.


NOTE

The channel and power configuration for the AP radios in this example is for reference only. In actual
scenarios, configure channels and power for AP radios based on country codes of APs and network planning
results.

# Disable the automatic channel and power calibration functions.


Automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these two functions are disabled.
[AC-wlan-view] rrm-profile name rrm
[AC-wlan-rrm-prof-rrm] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-rrm] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-rrm] quit

# Set a channel and power for radio 0 of the AP.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] channel 20mhz 6
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Set a channel and power for radio 1 of the AP.


[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] channel 20mhz 149
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 9 Verify the configuration.


Run the display rrm-profile command on the AC to check the configuration of the RRM
profile. The command output shows that airtime fair scheduling has been enabled. Therefore,
users on the network can fairly use the network bandwidth.
[AC-wlan-view] display rrm-profile name rrm
------------------------------------------------------------
Auto channel select : disable
Auto transmit power select : disable
PER threshold for trigger channel/power select(%) : 60
Airtime fairness schedule : enable
Dynamic adjust EDCA parameter : disable
UAC check client's SNR : disable
UAC client's SNR threshold(dB) : 20
UAC check client number : disable
UAC client number access threshold : 64
UAC client number roam threshold : 64
UAC check channel utilization : disable
UAC channel utilization access threshold : 80
UAC channel utilization roam threshold : 80
UAC hide SSID : disable
Band steer deny threshold : 5
Band balance start threshold : 10
Band balance gap threshold(%) : 20
Client's band expire based on continuous probe counts : 35
Station load balance : disable
Station load balance start threshold : 10
Station load balance gap threshold(%) : 20
Station load balance deny threshold : 3
Smart-roam : disable
Smart-roam check SNR : enable
Smart-roam standing SNR threshold(dB) : 20
Smart-roam SNR quick-kickoff-threshold(dB) : 0
Smart-roam check rate : disable
AMC policy : auto-balance
Smart-roam rate threshold(%) : 20
Smart-roam rate quick-kickoff-threshold(%) : 0
Smart-roam high level SNR margin(dB) : 15
Smart-roam low level SNR margin(dB) : 6
Smart-roam SNR check interval(s) : 3
Smart-roam unable roam client expire time(m) : 120
------------------------------------------------------------

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain1
 rrm-profile name rrm
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
  airtime-fair-schedule enable
 radio-2g-profile name wlan-radio2g
  rrm-profile rrm
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return

10.8.4 Example for Configuring ACL-based Packet Filtering

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 10-18, the AP is directly connected to the AC. An enterprise branch
needs to deploy basic WLAN services for mobile office so that branch users can access
internal network resources anywhere at any time.
The enterprise network administrator expects that an ACL can be configured to prohibit
packets with the source IP address 10.23.100.10 and destination IP address 10.23.100.11.

Figure 10-18 Networking diagram for configuring ACL-based packet filtering

[Figure: the Internet connects to AC GE0/0/2 (VLAN 101); AC GE0/0/1 (VLAN 100) connects to SwitchA GE0/0/2 (VLAN 100); SwitchA GE0/0/1 (VLAN 100) connects to the AP, which serves the STAs.]
Management VLAN: VLAN 100
Service VLAN: VLAN 101

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services so that users can connect to the wireless network.
2. Configure an ACL to filter packets.


Table 10-17 Data planning

Item                            Data
DHCP server                     The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP      10.23.100.2-10.23.100.254/24
IP address pool for STAs        10.23.101.2-10.23.101.254/24
AC's source interface address   VLANIF 100: 10.23.100.1/24
AP group                        ● Name: ap-group1
                                ● Referenced profile: VAP profile wlan-vap and regulatory domain profile domain1
Regulatory domain profile       ● Name: domain1
                                ● Country code: CN
SSID profile                    ● Name: wlan-ssid
                                ● SSID name: wlan-net
Security profile                ● Name: wlan-security
                                ● Security policy: WPA2+PSK+AES
                                ● Password: a1234567
VAP profile                     ● Name: wlan-vap
                                ● Forwarding mode: tunnel forwarding
                                ● Service VLAN: VLAN 101
                                ● Referenced profile: SSID profile wlan-ssid, security profile wlan-security and traffic profile traffic
Traffic profile                 ● Name: traffic
                                ● Configuring ACL-based packet filtering.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.

[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).


[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Configure ACL-based packet filtering.

# Configure an advanced ACL that meets the requirements, and reference it in traffic profile traffic.


[AC-wlan-view] quit
[AC] acl 3001
[AC-acl-adv-3001] rule deny ip source 10.23.100.10 0 destination 10.23.100.11 0
[AC-acl-adv-3001] quit
[AC] wlan
[AC-wlan-view] traffic-profile name traffic
[AC-wlan-traffic-prof-traffic] traffic-filter inbound ipv4 acl 3001
[AC-wlan-traffic-prof-traffic] quit

# Bind the traffic profile traffic to the VAP profile wlan-vap.


[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] traffic-profile traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] quit

Step 9 Verify the configuration.

Run the display traffic-profile command on the AC to check applications of ACL-based
packet filtering. The command output shows that the ACL has been applied to the traffic
profile.
[AC-wlan-view] display traffic-profile name traffic
----------------------------------------------------
Profile ID : 1
Priority map downstream trust : DSCP
User isolate mode : disable
Rate limit client up(Kbps) : 4294967295
Rate limit client down(Kbps) : 4294967295
Rate limit VAP up(Kbps) : 4294967295
Rate limit VAP down(Kbps) : 4294967295
IGMP snooping : disable
IGMP snooping report suppress : disable
IGMP snooping max bandwith(kbps) : -
IGMP snooping max user : -
Traffic optimize sta bridge forward : enable
Traffic optimize broadcast suppression(pps): -
Traffic optimize multicast suppression(pps): -
Traffic optimize unicast suppression(pps): -
Traffic optimize multicast to unicast: disable
Dynamic adaptive : enable
Traffic remark inbound IPv4 ACL : -
Traffic remark inbound IPv4 type : -
Traffic remark inbound IPv4 value : -
Traffic remark outbound IPv4 ACL: -
Traffic remark outbound IPv4 type : -
Traffic remark outbound IPv4 value: -
Priority map upstream trust : 8021e
CAPWAP priority upstream map mode: 802.11e map DSCP
0 map 0
1 map 8
2 map 16
3 map 24
4 map 32
5 map 40
6 map 48
7 map 56
CAPWAP priority upstream map mode: 802.11e map 802.1p
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
WMM priority downstream map mode: DSCP map 802.11e
0-7 map 0
8-15 map 1
16-23 map 2
24-31 map 3
32-39 map 4
40-47 map 5
48-55 map 6
56-63 map 7
WMM priority downstream map mode: 802.1p map 802.11e
0 map 0
1 map 1
2 map 2
3 map 3
4 map 4
5 map 5
6 map 6
7 map 7
---------------------------------------------------------------------------------------------
Traffic Type     Direction   AppliedRecord
---------------------------------------------------------------------------------------------
traffic-filter   inbound     IPv4 ACL 3001
---------------------------------------------------------------------------------------------
----------------------------------------------------

----End
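
The following Python is an added example, not part of the Huawei guide or the device software. It models how the advanced ACL rule typed in Step 8 matches packets under address/wildcard semantics (a wildcard of 0 means an exact host match), so you can check which flows the rule covers before relying on it. The rule step of 5 (consistent with "rule 5" in the AC configuration file) and the forwarding of packets that match no rule are assumptions of this model; the sample packets are constructed.

```python
import ipaddress
import re

# Rule exactly as typed in Step 8 (no rule ID given).
ACL_3001 = ["rule deny ip source 10.23.100.10 0 destination 10.23.100.11 0"]

RULE_RE = re.compile(
    r"rule(?:\s+(?P<id>\d+))?\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+source\s+(?P<src>any|\S+\s+\S+))?"
    r"(?:\s+destination\s+(?P<dst>any|\S+\s+\S+))?\s*$"
)


def parse_field(spec):
    """Return (address, wildcard) as integers; a wildcard bit of 1 means 'ignore'."""
    if spec is None or spec == "any":
        return 0, 0xFFFFFFFF
    addr, wild = spec.split()
    if wild == "0":                      # shorthand for 0.0.0.0: exact host
        wild = "0.0.0.0"
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))


def build_acl(lines, step=5):
    """Parse rule lines; rules without an ID get the next multiple of `step`
    above the highest ID so far (assumed numbering behaviour)."""
    rules, max_id = [], 0
    for line in lines:
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rule_id = int(m["id"]) if m["id"] else (max_id // step + 1) * step
        max_id = max(max_id, rule_id)
        rules.append({"id": rule_id, "action": m["action"],
                      "src": parse_field(m["src"]), "dst": parse_field(m["dst"])})
    return sorted(rules, key=lambda r: r["id"])


def field_hit(packet_ip, field):
    """Compare only the bits that the wildcard does not mask out."""
    addr, wild = field
    care = ~wild & 0xFFFFFFFF
    return ((int(ipaddress.IPv4Address(packet_ip)) ^ addr) & care) == 0


def evaluate(acl, src, dst, no_match="permit"):
    """First matching rule (ascending ID) decides; `no_match` is the assumed
    treatment of packets that match no rule."""
    for rule in acl:
        if field_hit(src, rule["src"]) and field_hit(dst, rule["dst"]):
            return rule["action"], rule["id"]
    return no_match, None


# Constructed sample packets (source, destination).
SAMPLES = [
    ("10.23.100.10", "10.23.100.11"),  # the pair named in the requirement
    ("10.23.100.11", "10.23.100.10"),  # reverse direction of the same pair
    ("10.23.100.10", "10.23.100.12"),  # same source, neighbouring destination
    ("10.23.101.10", "10.23.100.11"),  # source from the STA pool in the data plan
]


def verdicts(acl, packets=SAMPLES):
    return [evaluate(acl, s, d) for s, d in packets]


if __name__ == "__main__":
    acl = build_acl(ACL_3001)
    for (s, d), (action, rid) in zip(SAMPLES, verdicts(acl)):
        print(f"{s} -> {d}: {action} (rule {rid})")
```

Only the first sample is denied: the rule is an exact host pair in one direction, so the reverse flow and any address outside that pair, including STA-pool addresses, are not matched by it.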

Configuration Files
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#

Issue 04 (2018-08-17) Copyright © Huawei Technologies Co., Ltd. 587


S5700 and S6720 Series Ethernet Switches
Configuration Guide - WLAN-AC 10 WLAN QoS Configuration

interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
acl number 3001
rule 5 deny ip source 10.23.100.10 0 destination 10.23.100.11 0
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
traffic-profile name traffic
traffic-filter inbound ipv4 acl 3001
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
traffic-profile traffic
security-profile wlan-security
regulatory-domain-profile name domain1
rrm-profile name default
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return

10.8.5 Example for Configuring Priorities of Lync Packets


Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
In Figure 10-19, to ensure that employees of an enterprise can access network resources of
departments, the enterprise needs to deploy WLAN services to implement mobile office. To
facilitate instant communication of employees, wireless terminals need to perform voice and
video communication, desktop sharing, and file transfer through Lync software.
The enterprise network administrator wants to increase priorities of Lync packets so that Lync
packets are processed preferentially during forwarding.

Figure 10-19 Networking for configuring priorities of Lync packets
[Figure not reproduced. Labels shown: AC, AC1, SwitchA, SwitchB, SwitchC, network devices, Lync server, LSM,
LDL, AP, AP1, Lync client 1 (STA), and Lync client 2 (STA). AC side: management VLAN 100, service VLAN 101.
AC1 side: management VLAN 200, service VLAN 201.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services so that users can connect to the wireless network.
2. Increase priorities of Lync packets so that Lync packets are processed preferentially
during forwarding.

Table 10-18 Data plan

Item                                       Data

DHCP server                                ● AC functions as a DHCP server to assign IP addresses to the STAs and AP.
                                           ● AC1 functions as a DHCP server to assign IP addresses to the STAs and AP1.

IP address pools for AP and AP1            ● AP: 10.23.100.2-10.23.100.254/24
                                           ● AP1: 10.23.200.2-10.23.200.254/24

IP address pools for STAs                  ● AC side: 10.23.101.2-10.23.101.254/24
                                           ● AC1 side: 10.23.201.2-10.23.201.254/24

Source interface addresses of AC and AC1   ● VLANIF100 on AC: 10.23.100.1/24
                                           ● VLANIF200 on AC1: 10.23.200.1/24

AP group                                   ● Name: ap-group1
                                           ● Referenced profile: VAP profile wlan-vap and regulatory domain profile domain1

Regulatory domain profile                  ● Name: domain1
                                           ● Country code: CN

SSID profile                               ● Name: wlan-ssid
                                           ● SSID name: wlan-net

Security profile                           ● Name: wlan-security
                                           ● Security policy: WPA2+PSK+AES
                                           ● Password: a1234567

VAP profile                                ● Name: wlan-vap
                                           ● Forwarding mode: tunnel forwarding
                                           ● Service VLAN of AC: VLAN 101
                                           ● Service VLAN of AC1: VLAN 201
                                           ● Referenced profile: SSID profile wlan-ssid, security profile wlan-security,
                                             and UCC profile lync-service

UCC profile                                ● Name: lync-service
                                           ● Priorities of different Lync packets

NOTE

According to the networking and data plan, the configuration of AC1 is similar to that of the AC and the
configuration of SwitchB is similar to that of SwitchA. The AC and SwitchA are used as an example.
The configurations of AC1 and SwitchB are not mentioned here.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


# Add AC uplink interface GE0/0/2 to service VLAN 101.
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

NOTE

Configure routes based on the actual networking to ensure that the AC can communicate with each
device on the network. The route configuration is not provided here.

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AC-wlan-view] security-profile name wlan-security


[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the AP radios.

NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Configure priorities of Lync packets.


# Enable the AC to communicate with the Lync server and specify the port number.
[AC-wlan-view] quit
[AC] lync listener http-port 2000

# Configure a UCC profile and configure priorities of Lync packets.


[AC] ucc-profile name lync-service
[AC-ucc-prof-lync-service] app-share remark 8021p 3
[AC-ucc-prof-lync-service] file-transfer remark 8021p 2
[AC-ucc-prof-lync-service] video remark 8021p 6
[AC-ucc-prof-lync-service] voice remark 8021p 5
[AC-ucc-prof-lync-service] quit

# Bind the UCC profile lync-service to the VAP profile wlan-vap.


[AC] wlan
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] ucc-profile lync-service
[AC-wlan-vap-prof-wlan-vap] quit

Step 9 Verify the configuration.


Run the display ucc-profile command on the AC to check priorities of Lync packets.
[AC-wlan-view] display ucc-profile name lync-service
--------------------------------------------------------------------------------
Lync app share 802.1p precedence : 3
Lync app share DSCP precedence : -
Lync app share local precedence : -
Lync file transfer 802.1p precedence : 2
Lync file transfer DSCP precedence : -
Lync file transfer local precedence : -
Lync video 802.1p precedence : 6
Lync video DSCP precedence : -
Lync video local precedence : -
Lync voice 802.1p precedence : 5
Lync voice DSCP precedence : -
Lync voice local precedence : -
--------------------------------------------------------------------------------

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
ucc-profile name lync-service
app-share remark 8021p 3
file-transfer remark 8021p 2
video remark 8021p 6
voice remark 8021p 5
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
lync listener http-port 2000
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#V,P<>[Alx9w#65(;}U1*:RPcYv`/L!$/Xk6Mv1f>%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
ucc-profile lync-service
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 ap-mac 60de-4476-e360
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 200
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 200
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
return
● AC1 configuration file
#
sysname AC1
#
vlan batch 200 to 201
#
dhcp enable
#
ucc-profile name lync-service
app-share remark 8021p 3
file-transfer remark 8021p 2
video remark 8021p 6
voice remark 8021p 5
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
dhcp select interface
#
interface Vlanif201
ip address 10.23.201.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 201
#
lync listener http-port 2000
#
capwap source interface vlanif200
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#ms[7Zm;\N"2e3w/`NzNHlj)u/NX[+F*]U1Pv.tuG%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 201
ssid-profile wlan-ssid
security-profile wlan-security
ucc-profile lync-service
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 ap-mac 60de-4476-e550
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
#
return

10.9 FAQ

10.9.1 What Is the Relationship Between WMM and 802.11e?

802.11e defines Quality of Service (QoS) for the wireless LAN, which provides the required
service quality for voice and multimedia applications and enhances network performance. Wi-
Fi Multimedia (WMM) defines four access categories, including voice, video, best effort, and
background to optimize network communication quality and ensure stable access of
corresponding applications to network resources. The WMM standard is a subset of IEEE
802.11e.

10.9.2 How Do I Configure Multicast Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets on the Wireless Network?
No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets, they
are usually sent at low rates. If a large number of such multicast packets are sent from the
network side, the air interfaces may be congested. You are advised to configure multicast
packet suppression to reduce impact of a large number of low-rate multicast packets on the
wireless network. Exercise caution when configuring the rate limit; otherwise, the multicast
services may be affected.

● In direct forwarding mode, you are advised to configure multicast packet suppression on
  switch interfaces connected to APs.
● In tunnel forwarding mode, you are advised to configure multicast packet suppression on
  WLAN-ESS interfaces of the AC in V200R8C00 and earlier versions and in traffic
  profiles of the AC in versions later than V200R008C00.

Example for Configuring Multicast Packet Suppression In Direct Forwarding Mode
1. Create the traffic classifier test and define a matching rule.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] traffic classifier test
[SwitchA-classifier-test] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //Match the destination MAC address of multicast packets.
[SwitchA-classifier-test] quit

2. Create the traffic behavior test, enable traffic statistics collection, and set the traffic rate
limit.
[SwitchA] traffic behavior test
[SwitchA-behavior-test] statistic enable
[SwitchA-behavior-test] car cir 100 //Set the rate limit to 100 kbit/s. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[SwitchA-behavior-test] quit

3. Create the traffic policy test and bind the traffic classifier and traffic behavior to the
traffic policy.
[SwitchA] traffic policy test
[SwitchA-trafficpolicy-test] classifier test behavior test
[SwitchA-trafficpolicy-test] quit

4. Apply the traffic policy to inbound or outbound directions of interfaces.


[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] traffic-policy test inbound
[SwitchA-GigabitEthernet0/0/1] traffic-policy test outbound
[SwitchA-GigabitEthernet0/0/1] quit

Example for Configuring Multicast Suppression in Tunnel Forwarding Mode


In V200R8C00 and earlier versions, the configuration procedure is as follows:
1. Create the traffic classifier test and define a matching rule.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] traffic classifier test
[AC-classifier-test] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //Match the destination MAC address of multicast packets.
[AC-classifier-test] quit

2. Create the traffic behavior test, enable traffic statistics collection, and set the traffic rate
limit.
[AC] traffic behavior test
[AC-behavior-test] statistic enable
[AC-behavior-test] car cir 100 //Set the rate limit to 100 kbit/s. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[AC-behavior-test] quit

3. Create the traffic policy test and bind the traffic classifier and traffic behavior to the
traffic policy.

[AC] traffic policy test
[AC-trafficpolicy-test] classifier test behavior test
[AC-trafficpolicy-test] quit

4. Apply the traffic policy to inbound or outbound directions of interfaces.


[AC] interface wlan-ess 1
[AC-Wlan-Ess1] traffic-policy test inbound
[AC-Wlan-Ess1] traffic-policy test outbound
[AC-Wlan-Ess1] quit

In versions later than V200R008C00, the configuration procedure is as follows:


1. Create the traffic profile test and set the maximum traffic volume of multicast packets in
the profile.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] wlan
[AC-wlan-view] traffic-profile name test
[AC-wlan-traffic-prof-test] traffic-optimize multicast-suppression packets 100 //Set the maximum traffic volume of multicast packets to 100 pps. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[AC-wlan-traffic-prof-test] quit

2. Bind the traffic profile to the VAP profile.


[AC-wlan-view] vap-profile name test
[AC-wlan-vap-prof-test] traffic-profile test
[AC-wlan-vap-prof-test] quit
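
The traffic classifier used in the direct forwarding example and in the V200R8C00 tunnel forwarding example matches on destination MAC 0100-5e00-0000 with mask ffff-ff00-0000. The following Python code is an added example, not part of the guide or of the device software, that shows which destination addresses such a rule rate-limits and which group traffic it leaves unpoliced. It assumes the usual masked-compare semantics (a frame matches when it equals the rule address on every bit set in the mask); the function names and the sample addresses are constructed for illustration.

```python
def parse_mac(text):
    """Parse 0100-5e00-0000 or 01:00:5e:00:00:00 into a 48-bit integer."""
    digits = "".join(ch for ch in text if ch not in "-:.")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return int(digits, 16)


def if_match(dst, rule_mac, rule_mask):
    """True when dst equals rule_mac on every bit set in rule_mask (assumed semantics)."""
    mask = parse_mac(rule_mask)
    return (parse_mac(dst) & mask) == (parse_mac(rule_mac) & mask)


def address_kind(dst):
    """Name the kind of destination address, independent of any classifier rule."""
    value = parse_mac(dst)
    if value == 0xFFFFFFFFFFFF:
        return "broadcast"
    if (value & 0xFFFFFF800000) == 0x01005E000000:   # 01-00-5e plus a zero bit
        return "IPv4 multicast"
    if (value >> 32) == 0x3333:                      # 33-33-xx-xx-xx-xx
        return "IPv6 multicast"
    if (value >> 40) & 0x01:                         # group bit of the first octet
        return "other group address"
    return "unicast"


# Rule taken from the classifier in the examples above.
RULE = ("0100-5e00-0000", "ffff-ff00-0000")

# Constructed destination addresses, one per case worth checking.
SAMPLES = [
    "0100-5e00-00fb",   # IPv4 multicast (224.0.0.251)
    "0100-5e7f-fffa",   # IPv4 multicast (239.255.255.250)
    "0100-5e80-0001",   # same 01-00-5e prefix, outside the IPv4 multicast range
    "3333-0000-00fb",   # IPv6 multicast
    "ffff-ffff-ffff",   # broadcast
    "60de-4476-e360",   # unicast
]


def coverage(samples, rule=RULE):
    """Return (address, kind, policed?) for each sample under the given rule."""
    return [(mac, address_kind(mac), if_match(mac, *rule)) for mac in samples]


if __name__ == "__main__":
    for mac, kind, policed in coverage(SAMPLES):
        print("%-16s %-20s %s" % (mac, kind, "rate-limited" if policed else "not matched"))
```

Under this rule, IPv6 multicast and broadcast frames are not matched, so they need their own classifier or suppression setting if they are also to be limited.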

11 WLAN Security Configuration

11.1 Overview of WLAN Security


Definition
WLAN security involves the following concepts:
● Perimeter security: An 802.11 network is subject to threats from unauthorized APs and
  users, ad-hoc networks, and denial of service (DoS) attacks. A wireless intrusion
  detection system (WIDS) can detect unauthorized users and APs. A wireless intrusion
  prevention system (WIPS) can protect an enterprise network against unauthorized access
  from wireless networks.
● User access security: Link authentication, access authentication, and data encryption are
  used to ensure validity and security of user access on wireless networks.
● Service security: This feature protects service data of authorized users from being
  intercepted by unauthorized users during transmission.

Purpose
WLAN technology uses radio signals to transmit service data, meaning that service data can
easily be intercepted or tampered with by attackers when being transmitted on the open wireless
channels. Ensuring WLAN security is crucial to building safe and effective wireless networks.
WLAN technology can provide the following mechanisms to guarantee data security for
wireless users:
● WIDS and WIPS mechanisms that detect and defend against intrusion from unauthorized
  users
● Security policies for wireless users, including link authentication, access authentication,
  and data encryption
● Security mechanisms for wireless services.

11.2 Understanding WLAN Security

11.2.1 Wireless Intrusion Detection

Monitor APs can be configured to prevent intrusion into the network. When configured, the
wireless intrusion detection system (WIDS) can detect unauthorized users and APs by
periodically listening to wireless signals. The AC obtains information about wireless devices and
can take countermeasures against unauthorized devices.
Before configuring WIDS on an AP, configure the working mode of the AP.
An AP can work in two modes:
● normal: indicates the normal mode.
  – If the air scan function is disabled on a radio, including WIDS, spectrum analysis,
    and terminal location, the radio is used to transmit common WLAN services.
  – If the air scan function is enabled on a radio, the radio transmits common WLAN
    services and also implements detection. Transmission of common WLAN services
    may be affected.
● monitor: indicates the monitor mode.
  In this mode, the radio can only transmit WLAN services scanned by the air interface but
  cannot transmit common WLAN services.
Intrusion detection consists of two phases: wireless device identification and rogue device
identification.
Monitor APs can be deployed on a network to prevent intrusions to the network. When
configured with the Wireless Intrusion Detection System (WIDS) function, monitor APs
periodically listen on wireless signals. The AC can obtain information about wireless devices
from the monitor APs and take measures to prevent access from rogue devices.
Before configuring rogue device detection on an AP, configure the AP working mode.
Rogue device detection involves two phases: wireless device detection and rogue device
identification.

Wireless Device Detection


The AP enabled with the WIDS function can determine the types of surrounding wireless
devices based on detected 802.11 frames. The wireless device detection process is as follows:
1. Configure the AP working mode and enable the WIDS function.
2. The AC delivers the configuration to the AP.
3. The AP listens on frames sent from neighboring wireless devices to collect information
about wireless devices. The AP determines frame types and device types according to the
received 802.11 MAC frames. For details about the 802.11 MAC frame format, see 5.2.2
802.11 Standards.

An AP can identify the following device types: AP, STA, wireless bridge, and ad-hoc
device.
– Wireless bridge: a device serving as a wireless communication bridge between two
or more networks.
– Ad-hoc device: a device on an ad-hoc network. An ad-hoc network is a temporary
wireless network composed of several devices with wireless network adapters, as
shown in Figure 11-1.

Figure 11-1 Ad-hoc network
[Figure: three STAs forming an ad-hoc network.]

An AP identifies device types in the following ways:

– When receiving a Probe Request, Association Request, or Reassociation Request
frame, the AP determines whether the sender is an ad-hoc device or STA based on
the network type specified in the Frame Body field of the 802.11 MAC frame.
  ▪ Ad-hoc: The network type is independent basic service set (IBSS).
  ▪ STA: The network type is basic service set (BSS).
– When receiving a Beacon, Probe Response, Association Response, or Reassociation
Response frame, the AP determines whether the sender is an ad-hoc device or AP
based on the network type specified in the Frame Body field of the 802.11 MAC
frame.
  ▪ Ad-hoc: The network type is IBSS.
  ▪ AP: The network type is BSS.
– The AP listens on all 802.11 data frames and checks the DiffServ (DS) field of the
data frames to determine whether the sender is an ad-hoc device, wireless bridge,
STA, or AP.
  ▪ Ad-hoc device: In the Frame Control field of the 802.11 MAC frame, both the
  To DS and From DS fields are 0.
  ▪ Wireless bridge: In the Frame Control field of the 802.11 MAC frame, both the
  To DS and From DS fields are 1.
  ▪ STA: In the Frame Control field of the 802.11 MAC frame, the To DS field is 1
  and the From DS field is 0.
  ▪ AP: In the Frame Control field of the 802.11 MAC frame, the To DS field is 0
  and the From DS field is 1.
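The classification rules above can be exercised offline with the following added example, which is not Huawei code. It assumes the "network type" is read from the ESS/IBSS bits of the Capability Information field; frames that do not carry that field, such as Probe Requests, are returned as undecided. All function names and sample frames are constructed for illustration.

```python
import struct

MGMT, DATA = 0, 2                      # 802.11 frame types
ASSOC_REQ, ASSOC_RESP, REASSOC_REQ, REASSOC_RESP = 0, 1, 2, 3
PROBE_REQ, PROBE_RESP, BEACON = 4, 5, 8
HDR_LEN = 24                           # FC(2) Dur(2) Addr1-3(18) SeqCtl(2)

# Offset of the 2-byte Capability Information field inside the frame body
# (assumption of this example: this field carries the "network type").
CAP_OFFSET = {
    ASSOC_REQ: 0, REASSOC_REQ: 0, ASSOC_RESP: 0, REASSOC_RESP: 0,
    PROBE_RESP: 10, BEACON: 10,        # after Timestamp(8) + Beacon Interval(2)
}
REQUEST_SUBTYPES = {ASSOC_REQ, REASSOC_REQ}

# (To DS, From DS) -> sender type for data frames, as listed in the text.
DS_BITS_TO_TYPE = {
    (0, 0): "ad-hoc",
    (1, 1): "wireless bridge",
    (1, 0): "STA",
    (0, 1): "AP",
}


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def classify_sender(frame):
    """Return (transmitter MAC, device type); type is None when undecided."""
    if len(frame) < HDR_LEN:
        raise ValueError("frame shorter than the 24-byte 802.11 header")
    ftype = (frame[0] >> 2) & 0x3
    subtype = (frame[0] >> 4) & 0xF
    to_ds = frame[1] & 0x01
    from_ds = (frame[1] >> 1) & 0x01
    sender = fmt_mac(frame[10:16])     # Address 2 is the transmitter

    if ftype == DATA:
        return sender, DS_BITS_TO_TYPE[(to_ds, from_ds)]

    if ftype == MGMT and subtype in CAP_OFFSET:
        offset = HDR_LEN + CAP_OFFSET[subtype]
        if len(frame) < offset + 2:
            raise ValueError("management frame body is truncated")
        (cap,) = struct.unpack_from("<H", frame, offset)
        ess, ibss = cap & 0x1, (cap >> 1) & 0x1
        if ibss and not ess:
            return sender, "ad-hoc"
        if ess and not ibss:
            return sender, "STA" if subtype in REQUEST_SUBTYPES else "AP"
    return sender, None                # control frames, Probe Requests, odd bits


def build_frame(ftype, subtype, to_ds, from_ds, addr2, body=b""):
    """Build a constructed test frame (addresses 1 and 3 are zeroed dummies)."""
    fc = bytes([(subtype << 4) | (ftype << 2), to_ds | (from_ds << 1)])
    return fc + bytes(2) + bytes(6) + addr2 + bytes(6) + bytes(2) + body


# Constructed sample frames, not captured traffic.
STA_MAC = bytes.fromhex("021122334455")
AP_MAC = bytes.fromhex("0266778899aa")
ESS_CAP = struct.pack("<H", 0x0001)
IBSS_CAP = struct.pack("<H", 0x0002)
SAMPLES = {
    "beacon, BSS": build_frame(MGMT, BEACON, 0, 0, AP_MAC, bytes(10) + ESS_CAP),
    "beacon, IBSS": build_frame(MGMT, BEACON, 0, 0, STA_MAC, bytes(10) + IBSS_CAP),
    "assoc request, BSS": build_frame(MGMT, ASSOC_REQ, 0, 0, STA_MAC, ESS_CAP + bytes(2)),
    "data, To DS": build_frame(DATA, 0, 1, 0, STA_MAC),
    "data, From DS": build_frame(DATA, 0, 0, 1, AP_MAC),
    "data, both set": build_frame(DATA, 0, 1, 1, AP_MAC),
    "data, neither set": build_frame(DATA, 0, 0, 0, STA_MAC),
    "probe request": build_frame(MGMT, PROBE_REQ, 0, 0, STA_MAC),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:20s} -> {classify_sender(frame)}")
```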


Rogue Device Identification


APs periodically report collected device information to an AC, and the AC identifies rogue or
interference devices according to the reported device information.
• Authorized AP: a local AP or an AP in the WIDS whitelist
• Authorized wireless bridge: a local wireless bridge or a wireless bridge in the WIDS
whitelist
• Authorized STA: a STA associated with an authorized AP
• Rogue AP: an AP that is not in the WIDS whitelist and has the same SSID as a local AP
or has a spoofing SSID
• Rogue wireless bridge: a wireless bridge that is not in the WIDS whitelist and has the
same SSID as a local wireless bridge or has a spoofing SSID
• Rogue STA: a STA associated with a rogue AP
• Rogue ad-hoc device: all ad-hoc devices detected
• Interference AP: an AP that is not an authorized AP or a rogue AP
• Interference wireless bridge: a wireless bridge that is not an authorized wireless bridge or
a rogue wireless bridge
• Interference STA: a STA associated with an interference AP

NOTE

An AC can implement countermeasures on rogue devices to prevent them from accessing the network. For
details about countermeasures, see 11.2.2 Wireless Intrusion Prevention.

11.2.2 Wireless Intrusion Prevention


An AC can prevent wireless intrusion from three types of unauthorized devices:
• Rogue or interference AP
After an AC identifies a rogue or interference AP, it sends information about the rogue or
interference AP to a monitor AP. The monitor AP uses the identity information about the
rogue or interference AP to broadcast a Deauthentication frame. After STAs that
associate with the rogue or interference AP receive the Deauthentication frame, they
disassociate from the rogue or interference AP. This countermeasure prevents STAs from
associating with rogue or interference APs.
NOTE

  – Deauthentication frames are used to terminate established wireless links. Either an AP or a STA can
  send a Deauthentication frame to terminate the current link.
  – Currently, an AC supports containment against rogue or interference APs that have the same or
  similar SSIDs as authorized APs managed by the AC and open-authentication APs.
• Unauthorized or interference STA
After an AC identifies an unauthorized or interference STA, it sends information about
the unauthorized or interference STA to a monitor AP. The monitor AP uses the identity
information about the unauthorized or interference STA to unicast a Deauthentication
frame. After the AP with which the unauthorized or interference STA associates receives
the Deauthentication frame, the AP disassociates from the unauthorized or interference
STA. This countermeasure prevents APs from associating with unauthorized or
interference STAs.
• Ad-hoc device


After an AC identifies an ad-hoc device, it sends information about the ad-hoc device to
a monitor AP. The monitor AP uses the ad-hoc device's identity information
(BSSID and MAC address of the device) to unicast a Deauthentication frame. After the
STAs that associate with the ad-hoc device receive the Deauthentication frame, the STAs
disassociate from the ad-hoc device. This countermeasure prevents STAs from
associating with ad-hoc devices.

11.2.3 Attack Detection


On small- and medium-scale WLANs, attack detection can be enabled to allow an AP to add
attackers to a dynamic blacklist and send alarms to the AC to alert administrators. When
enabled, attack detection can detect the following:
• Flooding attacks
• Weak initialization vector (IV) attacks
• Spoofing attacks

Flooding Attack Detection

Figure 11-2 Flooding attack (figure not reproduced; labels: AC, LAN, AP, STA, unauthorized STA, attack)

In Figure 11-2, the AP receives a large number of management packets or empty data packets
that have the same type and source MAC address within a short period. This is a flooding
attack. As a result, the system is busy processing these attack packets and cannot process
packets from authorized STAs.
Flooding attack detection allows an AP to monitor the traffic volume of each STA to prevent
flooding attacks. When the traffic of a STA exceeds the allowed threshold (for example, the
AP receives more than 100 packets from a STA within 1 second), the AP considers this STA
to be flooding packets and reports an alarm to the AC. If a dynamic blacklist is configured,
the AP adds the detected device to the dynamic blacklist and discards all of the packets from
the attack device until the dynamic blacklist expires.
An AP can detect flooding attacks of the following packets:


• Authentication Request
• Deauthentication
• Association Request
• Disassociation
• Reassociation Request
• Probe Request
• Action
• EAPOL Start
• EAPOL-Logoff
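The per-STA threshold and dynamic blacklist behaviour described above can be modelled as follows. This is an added example, not the AP's implementation: the class name, the verdict strings and the choice to reset a counter after an alarm are assumptions, the threshold is the 100 packets in 1 second given in the text, and the event timestamps are constructed.

```python
from collections import defaultdict, deque

# Frame types the text lists as subject to flooding detection.
FLOOD_TYPES = {
    "auth-req", "deauth", "assoc-req", "disassoc", "reassoc-req",
    "probe-req", "action", "eapol-start", "eapol-logoff",
}


class FloodDetector:
    """Counts frames per (source MAC, frame type) in a sliding time window."""

    def __init__(self, threshold=100, window_ms=1000, blacklist_ms=None):
        self.threshold = threshold          # more than this many frames alarms
        self.window_ms = window_ms
        self.blacklist_ms = blacklist_ms    # None: dynamic blacklist disabled
        self.seen = defaultdict(deque)      # (mac, type) -> recent timestamps
        self.blacklist = {}                 # mac -> expiry time in ms
        self.alarms = []                    # what would be reported to the AC

    def observe(self, ts_ms, src_mac, frame_type):
        """Return 'accept', 'alarm' or 'drop' for one received frame."""
        expiry = self.blacklist.get(src_mac)
        if expiry is not None:
            if ts_ms < expiry:
                return "drop"               # every frame of the device is discarded
            del self.blacklist[src_mac]     # dynamic blacklist entry expired
        if frame_type not in FLOOD_TYPES:
            return "accept"

        times = self.seen[(src_mac, frame_type)]
        while times and times[0] <= ts_ms - self.window_ms:
            times.popleft()                 # forget frames outside the window
        times.append(ts_ms)
        if len(times) <= self.threshold:
            return "accept"

        times.clear()                       # assumption: one alarm per burst
        self.alarms.append((ts_ms, src_mac, frame_type))
        if self.blacklist_ms is not None:
            self.blacklist[src_mac] = ts_ms + self.blacklist_ms
        return "alarm"


def replay(detector, events):
    """Feed (ts_ms, mac, frame_type) tuples and collect the verdicts."""
    return [detector.observe(*event) for event in events]


# Constructed traffic: one sender probing every 5 ms, one every 20 ms.
FAST = [(i * 5, "0211-2233-4455", "probe-req") for i in range(101)]
SLOW = [(i * 20, "0266-7788-99aa", "probe-req") for i in range(200)]

if __name__ == "__main__":
    det = FloodDetector(blacklist_ms=60_000)
    verdicts = replay(det, sorted(FAST + SLOW))
    print("alarms:", det.alarms)
    print("drops after alarm:", verdicts.count("drop"))
```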

Weak IV Detection

Figure 11-3 Weak IV (figure not reproduced; labels: AC, LAN, AP, STA, unauthorized STA; "Listen on account and password, and decrypt user information")

In Figure 11-3, when WEP encryption is used, a STA encrypts each packet it sends with a
3-byte IV and a fixed shared key, so that the same shared key produces a different encryption
result for each packet. If the STA uses a weak IV (the first byte of the IV ranges from 3 to 15
and the second byte is 255), attackers can easily decrypt the shared key and access network
resources because the IV of each packet is sent in plain text as part of the header.
Weak IV detection identifies the IV of each WEP packet to prevent attackers from decrypting
the shared key. When the AP detects a packet carrying a weak IV, the AP sends an alarm to
the AC so that users can use other security policies to prevent STAs from using the weak IV
for encryption.


Spoofing Attack Detection

Figure 11-4 Spoofing attack (figure not reproduced; labels: AC, LAN, attack AP, AP, STA; "Disassociation frame"; "Normal data communication is interrupted")

In Figure 11-4, an attacker (a rogue AP or malicious user) forges an authorized user's
information to send spoofing attack packets to STAs, which then fail to go online. This is a
spoofing attack, which is also called a man-in-the-middle attack. Spoofing attack packets
include broadcast Disassociation packets and Deauthentication packets.
After the spoofing attack detection function is enabled, an AP that receives either of the two
types of packets checks whether the source MAC address of the packet is its own MAC
address. If so, the WLAN is under a spoofing attack using Disassociation or Deauthentication
packets.
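The two per-frame checks described under Weak IV Detection and Spoofing Attack Detection can be written as one inspection routine. This is an added example, not Huawei code: the function names and alarm strings are assumptions, the frames are constructed, and the HT Control field is not handled. It also shows a detail the text leaves implicit: a protected frame is treated as WEP only when the ExtIV bit of the Key ID octet is clear, because TKIP and CCMP set that bit.

```python
MGMT, DATA = 0, 2            # 802.11 frame types
DISASSOC, DEAUTH = 10, 12    # management subtypes
PROTECTED = 0x40             # Protected Frame flag, second Frame Control byte
EXT_IV = 0x20                # Key ID octet bit set by TKIP/CCMP, clear for WEP


def data_header_len(frame):
    """MAC header length of a data frame (HT Control field not handled)."""
    length = 24
    if frame[1] & 0x01 and frame[1] & 0x02:
        length += 6          # Address 4, present when To DS and From DS are set
    if (frame[0] >> 4) & 0x8:
        length += 2          # QoS Control field of the QoS data subtypes
    return length


def is_weak_iv(iv):
    """Weak IV as defined in the text: first byte 3..15, second byte 255."""
    return 3 <= iv[0] <= 15 and iv[1] == 0xFF


def inspect_frame(frame, own_mac):
    """Return the list of alarms an AP with MAC own_mac raises for a frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte 802.11 header")
    ftype = (frame[0] >> 2) & 0x3
    subtype = (frame[0] >> 4) & 0xF
    alarms = []

    if ftype == MGMT and subtype in (DISASSOC, DEAUTH):
        # Address 2 is the source; the AP never receives its own frames,
        # so seeing its own MAC here means someone else forged it.
        if frame[10:16] == own_mac:
            kind = "disassociation" if subtype == DISASSOC else "deauthentication"
            alarms.append("spoofed-" + kind)
    elif ftype == DATA and frame[1] & PROTECTED:
        start = data_header_len(frame)
        if len(frame) < start + 4:
            raise ValueError("protected frame has no IV field")
        iv, key_octet = frame[start:start + 3], frame[start + 3]
        if not key_octet & EXT_IV and is_weak_iv(iv):
            alarms.append("weak-iv")
    return alarms


def build(ftype, subtype, flags, addr1, addr2, body=b""):
    """Build a constructed frame; Address 3 and Sequence Control are zeroed."""
    fc = bytes([(subtype << 4) | (ftype << 2), flags])
    return fc + bytes(2) + addr1 + addr2 + bytes(6) + bytes(2) + body


# Constructed samples, not captured traffic.
OWN = bytes.fromhex("0266778899aa")
STA = bytes.fromhex("021122334455")
BCAST = b"\xff" * 6
SPOOFED_DEAUTH = build(MGMT, DEAUTH, 0, BCAST, OWN, b"\x07\x00")
HONEST_DEAUTH = build(MGMT, DEAUTH, 0, OWN, STA, b"\x03\x00")
WEP_WEAK = build(DATA, 0, 0x41, OWN, STA, bytes([3, 255, 0x7A, 0x00]) + b"data")
WEP_STRONG = build(DATA, 0, 0x41, OWN, STA, bytes([16, 255, 0x7A, 0x00]) + b"data")
CCMP_FRAME = build(DATA, 0, 0x41, OWN, STA, bytes([5, 255, 0, 0x20]) + bytes(4) + b"data")
QOS_WEP_WEAK = build(DATA, 8, 0x41, OWN, STA, bytes(2) + bytes([15, 255, 1, 0x40]) + b"data")

if __name__ == "__main__":
    for name in ("SPOOFED_DEAUTH", "HONEST_DEAUTH", "WEP_WEAK",
                 "WEP_STRONG", "CCMP_FRAME", "QOS_WEP_WEAK"):
        print(f"{name:15s} -> {inspect_frame(globals()[name], OWN)}")
```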

11.2.4 Defense Against Brute Force Attacks Using Keys


During a brute force attack, the attacker searches for a password by trying to use all possible
password combinations. This method is also called the exhaustive attack method. For
example, a 4-digit password that contains only digits may have a maximum of 10,000
combinations. Therefore, the password can be decrypted after a maximum of 10,000 attempts.
In theory, the brute force method can decrypt any password. Attackers, however, are always
looking for ways to shorten the time required to decrypt the password. When a WLAN uses
WPA/WPA2-PSK, WAPI-PSK, or WEP-Shared-Key as the security policy, attackers can use
the brute force method to decrypt the password.
Defense against brute force key cracking protects WLANs by prolonging the time needed
to decrypt passwords. An AP checks whether the number of key negotiation attempts during
WPA/WPA2-PSK, WAPI-PSK, or WEP-Shared-Key authentication exceeds the configured
threshold. If the threshold is exceeded, the AP assumes that the user is using the brute force
method to decrypt the password and reports an alarm to the AC. If the dynamic blacklist
function is enabled, the AP adds the user to the dynamic blacklist and discards all the packets
of the user until the dynamic blacklist entry expires.


11.3 Application Scenarios for WLAN Security


11.3.1 Rogue Device Detection and Containment
In Figure 11-5, an employee connects to a rogue fat AP from the campus network or uses
simulation software to simulate a fat AP and deceive users into connecting to the
corresponding SSID. After WIDS and WIPS are configured, the AC identifies the rogue AP.
The monitor AP then uses the rogue AP's identity information to broadcast a Deauthentication
frame. After STAs associating with the rogue AP receive the Deauthentication frame, they
disassociate from the rogue AP. This countermeasure prevents STAs from associating with the
rogue AP.

Figure 11-5 Configuring WIDS and WIPS against devices (figure not reproduced; labels: Internet, AC, switch, monitor AP, authorized AP (SSID: huawei), rogue AP (SSID: huawei), STA; "STA goes online."; "STA dissociates from rogue AP.")

11.3.2 Attack Device Detection


In Figure 11-6, the campus wireless network uses the WPA2-PSK authentication mode.
Attackers use terminals to initiate flood attacks on the wireless network and attempt to use the
brute force method to decrypt the password. After detecting the attack device, the AC adds the
attack device to the dynamic blacklist and does not process any packet of the device to
prevent attacks.


Figure 11-6 Configuring WIDS and WIPS against attack devices (figure not reproduced; labels: Internet, AC, AP (WPA2-PSK), authorized STA, flood attack, PSK brute force attack; "AP refuses to receive any packet of the attack device.")

11.4 Licensing Requirements and Limitations for WLAN Security

Involved Network Elements
AP
• APs mentioned in this document are Huawei AP products. You are advised to use
Huawei APs to connect to the AC.
• You can run the display ap-type all command to check the default AP types supported
by the device.
• When central APs and RUs are used, ensure that their versions are the same. For
example, if the central AP version is V200R007C10, the RU version must be
V200R007C10.


Table 11-1 Mapping between switch versions and AP versions

| Product Software Version | AP Software Version |
|---|---|
| V200R012C00 | V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10 |
| V200R011C10 | V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10 |
| V200R011C00 | V200R007C20, V200R007C10, V200R006C20, V200R006C10 |
| V200R010C00 | V200R007C10, V200R006C20, V200R006C10 |
| V200R009C00 | V200R006C20, V200R006C10 |
| V200R008C00 | V200R005C30, V200R005C20, V200R005C10 |
| V200R007 | V200R005C20, V200R005C10 |
| V200R006 | V200R005C00 |

AAA server
• Huawei servers such as the Policy Center and Agile Controller or third-party AAA
servers perform authentication, accounting, and authorization on users.
Portal server
• Huawei servers such as the Policy Center and Agile Controller or third-party Portal
servers receive authentication requests from Portal clients, provide free Portal services
and a web authentication interface, and exchange authentication information of the


authentication clients with access devices. This component is required only in Portal
authentication mode.

Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
• AP resource license-16AP for WLAN access controller
• AP resource license-64AP for WLAN access controller
• AP resource license-128AP for WLAN access controller
• AP resource license-512AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.

Version Requirements

Table 11-2 Products and minimum version supporting WLAN security

| Series | Product Model | Minimum Version Required |
|---|---|---|
| S1700 series switches | - | Not supported |
| S2700 series switches | - | Not supported |
| S3700 series switches | - | Not supported |
| S5700 series switches | S5720HI, S5730HI | S5720HI: V200R006; S5730HI: V200R012 |
| S6700 series switches | S6720HI | V200R012 |

Feature Limitations
WIDS/WIPS
• APs that have WDS or Mesh services configured cannot work in monitor mode.
• If WIDS, spectrum analysis, background neighbor probing, or terminal location is
enabled on a radio, the radio cannot be used to establish a WDS bridge or Mesh link.
• V200R006C00, V200R007C00, and V200R008C00: When an AP working in hybrid
mode periodically scans channels, services may be interrupted for a short time. The AP
can only perform containment on the channel used by WLAN services. To perform
containment on all channels, you need to configure the AP to work in monitor mode.
However, the WLAN services are unavailable in this mode.
• V200R009C00, V200R010C00, V200R011C00, and V200R011C10: When an AP
working in normal mode periodically scans channels, services may be interrupted for a
short time. The AP working in normal mode can only perform containment on the
channel used by WLAN services. To perform containment on all channels, you need to


configure the AP to work in monitor mode. However, WLAN services are unavailable in
this mode.
• V200R011C00, V200R011C10, and V200R012C00: When an AP working in normal
mode periodically scans channels, services may be interrupted for a short time. The AP
can perform containment on all channels.
• V200R006C00, V200R007C00, and V200R008C00: The configured WIDS or WIPS
takes effect on an AP only after a service set is bound to the AP on the AC and the AC
delivers the configurations to the AP.
• If the number of STAs is larger than 3K, you are advised to disable the WIDS function.
This function affects the AC performance and reduces CPU performance by about 10%.
Security Policy
• The AP7030DE and AP9330DN do not support WAPI.

11.5 Default Settings for WLAN Security


Table 11-3 Default settings for WLAN security

| Category | Parameter | Default Setting |
|---|---|---|
| WIDS | WIDS profile | WIDS profile default, which has referenced the following profiles: No referenced WIDS confident profile; No referenced WIDS spoof SSID profile |
| | Device detection | Disabled |
| | WIDS spoof SSID profile | None |
| | WIDS whitelist profile | None |
| | Device containment | Disabled |
| | Device containment mode | None |
| | Attack detection | Disabled |
| | Dynamic blacklist | Disabled |


11.6 Configuring Device Detection and Containment


Pre-configuration Tasks

Table 11-4 Pre-configuration tasks

| Task | Subtask | Description |
|---|---|---|
| Create an AP group | | Each AP will be added and can be added to only one AP group. An AP group is typically used to provide the same configurations for multiple APs. By default, the system has an AP group default. To create an AP group, execute this task. For details, see 5.8 Creating an AP Group. |
| Configure an AP to go online | Configure a DHCP server | To go online normally, APs and STAs must obtain IP addresses. You can configure an AC as a DHCP server or use an independent DHCP server to allocate IP addresses to APs and STAs. For details, see 5.9.1 Configuring a DHCP Server. |
| | Configure network interconnections | To enable APs and STAs to obtain IP addresses, APs to discover the AC and go online on the AC, and STAs to access the network, configure interconnections between network devices. For details, see 5.9.2 Configuring Network Interconnections. |
| | Configure country codes | Correct country code configuration ensures that radio attributes of APs comply with laws and regulations of countries and regions to which the APs are delivered. For details, see 5.9.3 Configuring Country Codes. , radio parameters in compliance with local laws and regulations, such as the working channel and power |
| | Configure a source interface | Before an AP establishes a CAPWAP tunnel with an AC, a source interface or source address must be specified for the AC. For details, see 5.9.4 Configuring a Source Interface or Source Address. |
| | Add APs | You can add APs in any of the following modes: importing APs offline; configuring AC to automatically discover an AP; manually confirming APs added to the list of unauthorized APs. Adding an AP offline is recommended when the MAC address or SN of the AP is already learned. For details, see 5.9.8 Adding APs. |

Configuration Procedure
Perform the following steps in the listed order.


11.6.1 Creating a WIDS Profile

Context
In a WIDS profile, you can configure various WIDS and WIPS services. You can create
multiple WIDS profiles to carry different WIDS services and apply the profiles to different
APs as required.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run wids-profile name profile-name
A WIDS profile is created and the WIDS profile view is displayed.
By default, the system provides the WIDS profile default.

----End

11.6.2 Configuring the Radio Working Mode

Context
Before configuring rogue device detection and containment, you need to configure the radio
working mode to determine whether a radio only transmits common WLAN services or both
transmits common WLAN services and performs the monitoring function.
An AP can work in two modes:
• normal: indicates the normal mode.
  – If the air scan function is disabled on a radio, including WIDS, spectrum analysis,
  and terminal location, the radio is used to transmit common WLAN services.
  – If the air scan function is enabled on a radio, the radio transmits common WLAN
  services and also implements detection. Transmission of common WLAN services
  may be affected.
• monitor: indicates the monitor mode.
In this mode, the radio can only transmit WLAN services scanned by the air interface but
cannot transmit common WLAN services.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.


Step 3 Set the working mode for radios in an AP group or for a specified radio.

You can set the radio working mode in the AP radio view or AP group radio view. The
configuration in the AP group radio view takes effect on all AP radios in an AP group and
that in the AP radio view takes effect only on a specified AP radio. The configuration in the
AP radio view has a higher priority than that in the AP group radio view.

• Set the working mode for all radios in an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the radio radio-id command to enter the radio view.
  c. Run the work-mode { normal | monitor [ dual-band-scan enable ] } command to
  set the working mode for radios in an AP group.
  By default, radios in an AP group work in normal mode.
  d. Run the quit command to return to the AP group view.
• Set the working mode for a specified AP radio.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
  AP view.
  b. Run the radio radio-id command to enter the radio view.
  c. Run the work-mode { normal | monitor [ dual-band-scan enable ] } command to
  set the working mode for a specified AP radio.
  By default, an AP radio works in normal mode.
  d. Run the quit command to return to the AP view.

----End

11.6.3 (Optional) Setting Air Scan Parameters

Context
When the default air scan profile cannot meet user requirements, you can create a new one
and set air scan parameters as required, for example, air scan channel set, air scan period, and
air scan interval. The configured air scan profile applies to the radio calibration, smart
roaming, WLAN location, and WIDS functions.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run the air-scan-profile name profile-name command to create an air scan profile and enter
the air scan profile view.
By default, the system provides the air scan profile default.

Step 4 Run the undo scan-disable command to enable the air scan function.

By default, the air scan function is enabled.


Step 5 (Optional) Run the scan-channel-set { country-channel | dca-channel | work-channel }
command to configure an air scan channel set.
By default, an air scan channel set contains all channels supported by the corresponding
country code of an AP.
Step 6 (Optional) Run the scan-period scan-time command to set the air scan period.
By default, the air scan period is 60 ms.

NOTE

A longer air scan period indicates more collected data and a more accurate data analysis result. However, if
the air scan period is set too large, WLAN services are affected. You are advised to use the default value.

Step 7 (Optional) Run the scan-interval scan-time command to set the air scan interval.
By default, the air scan interval is 10000 ms.

NOTE

• The air scan interval also applies to radio calibration, smart roaming, WLAN location, and WIDS
functions.
• If the customer has high requirements on real-time data analysis, configure a small air scan interval using
the scan-interval command to improve the scan frequency; however, higher scan frequency indicates
much larger impact on the services.

Step 8 Run quit
Return to the WLAN view.
Step 9 Enter the radio profile view.
• When the configured air scan channel set contains only 2.4 GHz channels, run the
radio-2g-profile name profile-name command to enter the 2G radio profile.
• When the configured air scan channel set contains only 5 GHz channels, run the
radio-5g-profile name profile-name command to enter the 5G radio profile.
• When the configured air scan channel set contains both 2.4 GHz and 5 GHz channels,
enter the 2G and 5G radio profiles.
NOTE

You can bind the created air scan profile to the current radio profile bound to the AP. To bind the air scan
profile to a new radio profile, bind the radio profile to the radio of an AP group or a specific AP first. For
details, see 5.11.1.5 Binding a Radio Profile.

Step 10 Run the air-scan-profile profile-name command to apply the air scan profile.
By default, the air scan profile default is bound to a radio profile.
----End

11.6.4 Configuring Device Detection


Context
Rogue or interference devices on WLANs create security risks. To identify these devices, the
administrator can enable the device detection function so that the AP can periodically report
the detected device information to the AC, and the AC can identify rogue or interference
devices.
The AP periodically reports the detected wireless device information to the AC, including the
incremental and modified device information in detection intervals. Information may be lost


on WLAN networks, resulting in inconsistent device information on the AC and AP. To
address this problem, the AP periodically reports all the detected device information. Then the
AC and AP periodically synchronize wireless device information.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Enable device detection on radios in an AP group or on a specified AP radio.

You can enable device detection in the AP group radio view or AP radio view. The
configuration in the AP group radio view takes effect on all AP radios in an AP group and
that in the AP radio view takes effect only on a specified AP radio. The configuration in the
AP radio view has a higher priority than that in the AP group radio view.

• Enable device detection on radios in an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the radio radio-id command to enter the radio view.
  c. Run the wids device detect enable command to enable device detection.
  By default, device detection is disabled on radios in an AP group.
  d. Run the quit command to return to the AP group view.
• Enable device detection on an AP radio.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
  AP view.
  b. Run the radio radio-id command to enter the radio view.
  c. Run the wids device detect enable command to enable device detection.
  By default, device detection is disabled on an AP radio.
  d. Run the quit command to return to the AP view.

Step 4 (Optional) Set the intervals at which an AP reports the incremental detected wireless device
information.
1. Run the quit command to return to the WLAN view.
2. Run the wids-profile name profile-name command to enter the WIDS profile view.
3. Run the device report-interval interval command to set the interval at which an AP
reports the incremental detected wireless device information.

By default, an AP reports incremental wireless device information to an AC at an
interval of 300 seconds.

----End


11.6.5 (Optional) Configuring Fuzzy Matching Rules for Identifying Spoofing SSIDs

Context
WLAN services are available in public places, such as banks and airports. Users can connect
to the WLANs after associating with corresponding SSIDs. If a rogue AP is deployed and
provides spoofing SSIDs similar to authorized SSIDs, the users may be misled and connect to
the rogue AP, which brings security risks. To address this problem, configure a fuzzy
matching rule to identify spoofing SSIDs. The device compares a detected SSID with the
matching rule. If the SSID matches the rule, the SSID is considered a spoofing SSID. The AP
using the spoofing SSID is a rogue AP. After rogue AP containment is configured, the device
contains the rogue AP and disconnects users from the spoofing SSID.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run wids-spoof-profile name profile-name
A WIDS spoof SSID profile is created and the WIDS spoof SSID profile view is displayed.
By default, no WIDS spoof SSID profile exists in the system.
Step 4 Run spoof-ssid fuzzy-match regex regex-value
The fuzzy matching rule is configured for spoofing SSIDs.
By default, no fuzzy matching rule is configured for spoofing SSIDs.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run wids-profile name profile-name
The WIDS profile view is displayed.
Step 7 Run wids-spoof-profile profile-name
The WIDS spoof SSID profile is applied to the WIDS profile.
By default, no WIDS spoof SSID profile is bound to a WIDS profile.

----End

11.6.6 (Optional) Configuring a WIDS Whitelist


Context
After the rogue device containment function is enabled, rogue APs can be detected and
contained. However, there may be APs of other vendors or on other networks working in the


existing signal coverage areas. If these APs are contained, their services will be affected. To
prevent this situation, you can configure the WIDS whitelist profile to add these APs to a
WIDS whitelist which includes an authorized MAC address list, OUI list, and SSID list.
The device determines whether a detected AP is authorized as follows:
1. Check whether the AP's MAC address is in the authorized MAC address list.
– If so, the AP is an authorized AP.
– If not, go to step 2.
2. Check whether the AP's OUI and SSID are in the OUI and SSID lists.
– If only the SSID is configured, check whether the AP's SSID is in the authorized
SSID list.
  ▪ If so, the AP is an authorized AP.
  ▪ If not, the AP is an unauthorized AP.
– If only the OUI is configured, check whether the AP's OUI is in the authorized OUI
list.
  ▪ If so, the AP is an authorized AP.
  ▪ If not, the AP is an unauthorized AP.
– If both the OUI and SSID are configured, check whether the AP's OUI and SSID are
in the OUI and SSID lists.
  ▪ If so, the AP is an authorized AP.
  ▪ If only one or neither of them is in the list, the AP is an unauthorized AP.
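The whitelist decision procedure above, combined with the AP categories from Rogue Device Identification and the fuzzy spoofing-SSID rule from 11.6.5, can be traced with the following added example. It is not the AC's implementation: the class and function names are hypothetical, the MAC addresses, OUI and SSIDs other than "huawei" are constructed, and Python's re module stands in for the device's regex syntax, which may differ.

```python
import re
from dataclasses import dataclass, field


def mac_hex(mac):
    """Normalise 'xxxx-xxxx-xxxx' or 'xx:xx:..' to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class Whitelist:
    """Models a WIDS whitelist profile: MAC list, OUI list and SSID list."""
    macs: set = field(default_factory=set)
    ouis: set = field(default_factory=set)
    ssids: set = field(default_factory=set)

    def __post_init__(self):
        self.macs = {mac_hex(m) for m in self.macs}
        self.ouis = {re.sub(r"[^0-9A-Fa-f]", "", o).lower() for o in self.ouis}

    def permits(self, mac, ssid):
        digits = mac_hex(mac)
        if digits in self.macs:             # step 1: MAC list decides alone
            return True
        oui_ok = digits[:6] in self.ouis
        ssid_ok = ssid in self.ssids
        if self.ouis and self.ssids:        # both configured: both must match
            return oui_ok and ssid_ok
        if self.ssids:                      # only the SSID list is configured
            return ssid_ok
        if self.ouis:                       # only the OUI list is configured
            return oui_ok
        return False                        # nothing left to match against


def classify_ap(mac, ssid, local_aps, local_ssids, whitelist, spoof_regex=None):
    """Return 'authorized', 'rogue' or 'interference' for a detected AP."""
    if mac_hex(mac) in {mac_hex(m) for m in local_aps}:
        return "authorized"                 # a local AP managed by the AC
    if whitelist.permits(mac, ssid):
        return "authorized"
    if ssid in local_ssids:
        return "rogue"                      # same SSID as a local AP
    if spoof_regex and re.search(spoof_regex, ssid):
        return "rogue"                      # spoofing SSID per fuzzy rule
    return "interference"


# Constructed site data for illustration.
LOCAL_APS = {"0266-7788-99aa"}
LOCAL_SSIDS = {"huawei"}
NEIGHBOURS = Whitelist(macs={"02aa-bbcc-0001"}, ouis={"02aa-bb"},
                       ssids={"guest-cafe"})
SPOOF_RULE = r"^h[ua]{2}we[i1]$"            # look-alikes such as 'hauwei'


def classify(mac, ssid):
    return classify_ap(mac, ssid, LOCAL_APS, LOCAL_SSIDS, NEIGHBOURS, SPOOF_RULE)


if __name__ == "__main__":
    for mac, ssid in [("0266-7788-99aa", "huawei"), ("02aa-bbcc-0001", "huawei"),
                      ("02aa-bbcc-0002", "guest-cafe"), ("02aa-bbcc-0003", "huawei"),
                      ("0299-0000-0001", "hauwei"), ("0299-0000-0002", "coffee")]:
        print(mac, ssid, "->", classify(mac, ssid))
```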

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run wids-whitelist-profile name profile-name
A WIDS whitelist profile is created and the WIDS whitelist profile view is displayed.
By default, no WIDS whitelist profile exists in the system.
Step 4 Run permit-ap { mac-address mac-address | oui oui | ssid ssid }
A WIDS whitelist is configured.
By default, no WIDS whitelist is configured.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run wids-profile name profile-name
The WIDS profile view is displayed.
Step 7 Run wids-whitelist-profile profile-name
The WIDS whitelist profile is applied to the WIDS profile.


By default, no WIDS whitelist profile is bound to a WIDS profile.

----End

11.6.7 Configuring Device Containment

Context
After the AC identifies a rogue or interference device, you can configure the APs to contain
the rogue or interference device. After the containment mode is set, the APs periodically send
control frames to disconnect authorized users from the rogue or interference device or
disconnect unauthorized users.

Currently, the AC supports rogue or interference device containment against rogue or


interference APs using spoofing SSIDs and open-authentication rogue or interference APs.
The monitor AP uses the MAC address of a rogue or interference AP using a spoofing SSID
or an open-authentication rogue or interference AP to broadcast deauthentication frames to
counter the rogue or interference AP, preventing STAs from connecting to the rogue or
interference AP again. After the containment mode is set against rogue or interference STAs
or Adhoc devices, the monitor AP uses the MAC address of a rogue or interference device to
continuously send unicast deauthentication frames.

Rogue or interference devices can be contained automatically or manually. Specified rogue or
interference devices can be contained manually; other rogue or interference devices are
contained automatically.

You can run the wids manual-contain command in the WLAN view to manually contain a
specified rogue or interference device in a complicated environment.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Enable rogue or interference device containment on radios in an AP group or on a specified
AP radio.

You can enable rogue or interference device containment in the AP group radio view or AP
radio view. The configuration in the AP group radio view takes effect on all AP radios in an
AP group and that in the AP radio view takes effect only on a specified AP radio. The
configuration in the AP radio view has a higher priority than that in the AP group radio view.

- Enable rogue or interference device containment on radios in an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the radio radio-id command to enter the radio view.
  c. Run the wids contain enable command to enable rogue or interference device
     containment.
     By default, rogue or interference device containment is disabled on radios in an AP
     group.
  d. Run the quit command to return to the AP group view.
- Enable rogue or interference device containment on a specified AP radio.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the radio radio-id command to enter the radio view.
  c. Run the wids contain enable command to enable rogue or interference device
     containment.
     By default, rogue or interference device containment is disabled on an AP radio.
  d. Run the quit command to return to the AP view.

Step 4 Run quit

Return to the WLAN view.

Step 5 Run wids-profile name profile-name

The WIDS profile view is displayed.

Step 6 Run contain-mode { open-ap | spoof-ssid-ap | client [ protect sta-whitelist-profile profile-name ] | adhoc }

The rogue or interference device containment mode is configured for APs.

By default, no containment mode against rogue or interference devices is set.


----End

11.6.8 Applying the Configuration to an AP Group or a Specific AP

Context
WIDS services are implemented on APs, including WLAN device detection and containment,
attacking device detection, and dynamic blacklist; therefore, the WIDS profile carrying the
WIDS services must be applied to an AP group or a specific AP.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Bind the VAP profile to radios of an AP group or a specific AP.


NOTE
This step is optional when a radio works in monitor mode. When a radio works in monitor mode, the device
automatically checks whether the radio has a VAP bound. If not, the device automatically creates a VAP and
binds it to the radio to ensure normal scanning.

1. Run the vap-profile name profile-name command to create a VAP profile.
   By default, the system provides the VAP profile default.
   NOTE
   When a VAP profile exists in the system, you can use the existing one or create a new one.
2. Run the quit command to return to the WLAN view.
3. Bind the VAP profile to radios of an AP group or a specific AP as required to make the
   radios properly work. For details, see 5.11.2.11 Binding VAP Profiles.
4. Run the quit command to return to the WLAN view.

Step 4 Bind a WIDS profile to an AP group or a specific AP.

- Binding a WIDS profile to an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the wids-profile profile-name command to bind the WIDS profile to a radio in
     an AP group.
     By default, the WIDS profile default is bound to an AP group.
- Binding a WIDS profile to a specific AP.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the wids-profile profile-name command to bind the WIDS profile to a radio of
     a specific AP.
     By default, no WIDS profile is bound to a specific AP.

----End

11.6.9 Verifying the Device Detection and Containment Configuration

Context
After the WIDS configuration is complete, you can check profiles on the device, including
their configuration and profile reference information.

Procedure
- Run the display wids-profile { all | name profile-name } command to check information
  about the WIDS profile.
- Run the display wids-whitelist-profile { all | name profile-name } command to check
  information about the WIDS whitelist profile.
- Run the display wids-spoof-profile { all | name profile-name } command to check
  information about the WIDS spoof SSID profile.
- Run the display references wids-profile name profile-name command to check
  reference information about the WIDS profile.
- Run the display references wids-whitelist-profile name profile-name command to
  check reference information about the WIDS whitelist profile.
- Run the display references wids-spoof-profile name profile-name command to check
  reference information about the WIDS spoof SSID profile.
----End

11.7 Configuring Attack Detection and a Dynamic Blacklist

Pre-configuration Tasks

Table 11-5 Pre-configuration tasks


Task: Create an AP group
Description: Each AP is added to an AP group and can be added to only one AP group. An AP
group is typically used to provide the same configurations for multiple APs. By default,
the system has an AP group default. To create an AP group, execute this task. For
details, see 5.8 Creating an AP Group.

Task: Configure an AP to go online

  Subtask: Configure a DHCP server
  Description: To go online normally, APs and STAs must obtain IP addresses. You can
  configure an AC as a DHCP server or use an independent DHCP server to allocate IP
  addresses to APs and STAs. For details, see 5.9.1 Configuring a DHCP Server.

  Subtask: Configure network interconnections
  Description: To enable APs and STAs to obtain IP addresses, APs to discover the AC and go
  online on the AC, and STAs to access the network, configure interconnections between
  network devices. For details, see 5.9.2 Configuring Network Interconnections.

  Subtask: Configure country codes
  Description: Correct country code configuration ensures that radio attributes of APs
  comply with laws and regulations of countries and regions to which the APs are
  delivered. For details, see 5.9.3 Configuring Country Codes.
  , radio parameters in compliance with local laws and regulations, such as the
  working channel and power

  Subtask: Configure a source interface
  Description: Before an AP establishes a CAPWAP tunnel with an AC, a source interface or
  source address must be specified for the AC. For details, see 5.9.4 Configuring a Source
  Interface or Source Address.

  Subtask: Add APs
  Description: You can add APs in any of the following modes:
  - Importing APs offline
  - Configuring AC to automatically discover an AP
  - Manually confirming APs added to the list of unauthorized APs
  Adding an AP offline is recommended when the MAC address or SN of the AP is already
  learned. For details, see 5.9.8 Adding APs.

Configuration Procedure
Perform the following steps in the listed order.


11.7.1 Creating a WIDS Profile


Context
In a WIDS profile, you can configure various WIDS and WIPS services. You can create
multiple WIDS profiles to carry different WIDS services and apply the profiles to different
APs as required.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run wids-profile name profile-name
A WIDS profile is created and the WIDS profile view is displayed.
By default, the system provides the WIDS profile default.

----End

11.7.2 Configuring the Radio Working Mode


Context
Before configuring attack detection and dynamic blacklist, you need to configure the radio
working mode to determine whether a radio only transmits common WLAN services or both
transmits common WLAN services and performs the monitoring function.
An AP can work in two modes:
- normal: indicates the normal mode.
  – If the air scan function is disabled on a radio, including WIDS, spectrum analysis,
    and terminal location, the radio is used to transmit common WLAN services.
  – If the air scan function is enabled on a radio, the radio transmits common WLAN
    services and also implements detection. Transmission of common WLAN services
    may be affected.
- monitor: indicates the monitor mode.
  In this mode, the radio can only transmit WLAN services scanned by the air interface but
  cannot transmit common WLAN services. When an AP is configured to work in monitor
  mode, the dynamic blacklist function does not take effect.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.


Step 3 Set the working mode for radios in an AP group or for a specified radio.

You can set the radio working mode in the AP radio view or AP group radio view. The
configuration in the AP group radio view takes effect on all AP radios in an AP group and
that in the AP radio view takes effect only on a specified AP radio. The configuration in the
AP radio view has a higher priority than that in the AP group radio view.

- Set the working mode for all radios in an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the radio radio-id command to enter the radio view.
  c. Run the work-mode { normal | monitor [ dual-band-scan enable ] } command to
     set the working mode for radios in an AP group.
     By default, radios in an AP group work in normal mode.
  d. Run the quit command to return to the AP group view.
- Set the working mode for a specified AP radio.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the radio radio-id command to enter the radio view.
  c. Run the work-mode { normal | monitor [ dual-band-scan enable ] } command to
     set the working mode for a specified AP radio.
     By default, an AP radio works in normal mode.
  d. Run the quit command to return to the AP view.

----End

11.7.3 (Optional) Setting Air Scan Parameters

Context
When the default air scan profile cannot meet user requirements, you can create a new one
and set air scan parameters as required, for example, air scan channel set, air scan period, and
air scan interval. The configured air scan profile applies to the radio calibration, smart
roaming, WLAN location, and WIDS functions.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run the air-scan-profile name profile-name command to create an air scan profile and enter
the air scan profile view.
By default, the system provides the air scan profile default.

Step 4 Run the undo scan-disable command to enable the air scan function.

By default, the air scan function is enabled.

Step 5 (Optional) Run the scan-channel-set { country-channel | dca-channel | work-channel }
command to configure an air scan channel set.
By default, an air scan channel set contains all channels supported by the corresponding
country code of an AP.
Step 6 (Optional) Run the scan-period scan-time command to set the air scan period.
By default, the air scan period is 60 ms.

NOTE

A longer air scan period indicates more collected data and a more accurate data analysis result. However, if
the air scan period is set too large, WLAN services are affected. You are advised to use the default value.

Step 7 (Optional) Run the scan-interval scan-time command to set the air scan interval.
By default, the air scan interval is 10000 ms.

NOTE

- The air scan interval also applies to radio calibration, smart roaming, WLAN location, and WIDS
  functions.
- If the customer has high requirements on real-time data analysis, configure a small air scan interval using
  the scan-interval command to improve the scan frequency; however, higher scan frequency indicates
  much larger impact on the services.

Step 8 Run quit
Return to the WLAN view.
Step 9 Enter the radio profile view.
- When the configured air scan channel set contains only 2.4 GHz channels, run the
  radio-2g-profile name profile-name command to enter the 2G radio profile.
- When the configured air scan channel set contains only 5 GHz channels, run the
  radio-5g-profile name profile-name command to enter the 5G radio profile.
- When the configured air scan channel set contains both 2.4 GHz and 5 GHz channels,
  enter the 2G and 5G radio profiles.
NOTE

You can bind the created air scan profile to the current radio profile bound to the AP. To bind the air scan
profile to a new radio profile, bind the radio profile to the radio of an AP group or a specific AP first. For
details, see 5.11.1.5 Binding a Radio Profile.

Step 10 Run the air-scan-profile profile-name command to apply the air scan profile.
By default, the air scan profile default is bound to a radio profile.

----End

11.7.4 Configuring WIDS Attack Detection and a Dynamic Blacklist

Context
To identify attacks on a WLAN in a timely manner, you can configure attack detection. Attack
detection enables WLAN devices to detect attacks such as flood attacks, weak IV attacks,
spoofing attacks, and brute force WPA-PSK/WPA2-PSK/WAPI-PSK/WEP-SK key cracking
attacks, and to record information about the attacking devices. If the dynamic blacklist
function is enabled, the WLAN devices automatically add the attacking devices to a dynamic
blacklist and discard packets sent from the attacking devices.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Enable attack detection on radios in an AP group or on a specified AP radio.

You can enable attack detection in the AP group radio view or AP radio view. The
configuration in the AP group radio view takes effect on all AP radios in an AP group and
that in the AP radio view takes effect only on a specified AP radio. The configuration in the
AP radio view has a higher priority than that in the AP group radio view.

- Enable attack detection on radios in an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the radio radio-id command to enter the radio view.
  c. Run the wids attack detect enable { all | flood | weak-iv | spoof | wpa-psk |
     wpa2-psk | wapi-psk | wep-share-key } command to enable attack detection on radios in
     an AP group.
     By default, attack detection is disabled on radios in an AP group.
  d. Run the quit command to return to the AP group view.
- Enable attack detection on a specified AP radio.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the radio radio-id command to enter the radio view.
  c. Run the wids attack detect enable { all | flood | weak-iv | spoof | wpa-psk |
     wpa2-psk | wapi-psk | wep-share-key } command to enable attack detection on a
     specified AP radio.
     By default, attack detection is disabled on an AP radio.
  d. Run the quit command to return to the AP view.

Step 4 Run quit

Return to the WLAN view.

Step 5 Run wids-profile name profile-name

The WIDS profile view is displayed.

Step 6 Configure parameters according to the attack detection type set in Step 3.
- Flood attack detection
  a. Run the flood-detect interval interval command to set the flood attack detection
     interval.
     By default, the flood attack detection interval is 10 seconds.
  b. Run the flood-detect threshold threshold command to set the flood attack detection
     threshold.
     By default, the flood attack detection threshold is 500.
  c. Run the flood-detect quiet-time quiet-time-value command to set the quiet time for
     an AP to report the detected flood attacks to the AC.
     By default, the quiet time is 600 seconds for an AP to report the detected flood
     attacks to the AC.
- Weak IV attack detection
  a. Run the weak-iv-detect quiet-time quiet-time-value command to set the quiet time
     for an AP to report the detected weak IV attacks to the AC.
     By default, the quiet time is 600 seconds for an AP to report the detected weak IV
     attacks to the AC.
- Spoofing attack detection
  a. Run the spoof-detect quiet-time quiet-time-value command to set the quiet time for
     an AP to report the detected spoofing attacks to the AC.
     By default, the quiet time is 600 seconds for an AP to report the detected spoofing
     attacks to the AC.
- Detection of brute force key cracking attacks
  a. Run the brute-force-detect interval interval command to set the interval for
     detecting brute force key cracking attacks.
     By default, the interval for brute force key cracking detection is 60 seconds.
  b. Run the brute-force-detect threshold threshold command to set the maximum
     number of key negotiation failures allowed within the period of the detection of
     brute force key cracking attacks.
     By default, an AP allows a maximum of 20 key negotiation failures within a brute
     force key cracking attack detection period.
  c. Run the brute-force-detect quiet-time quiet-time-value command to set the quiet
     time for an AP to report the detected brute force key cracking attacks to the AC.
     By default, the quiet time for an AP to report brute force key attacks to an AC is
     600 seconds.

Step 7 Run dynamic-blacklist enable

The dynamic blacklist function is enabled.

By default, the dynamic blacklist function is disabled.

NOTE

- The dynamic blacklist is saved on APs. After the dynamic blacklist function is enabled, the detected
  attacking devices are added to the dynamic blacklist. Within the aging time of the dynamic blacklist, the
  device discards packets sent from the blacklisted devices. You can run the dynamic-blacklist aging-time
  command to set the aging time of the dynamic blacklist.
- When an AP is configured to work in monitor mode, the dynamic blacklist function does not take effect.

----End
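
How the brute-force-detect interval, threshold and quiet time interact with the dynamic blacklist can be seen by replaying a failure trace through a small model. This is an added example, not code from this guide or from the AP software. The replay function, the fixed detection windows, the per-STA quiet time and the aging_time value of 300 seconds are assumptions, and the trace is constructed.

```python
"""Replay key negotiation failures against brute-force-detect settings.

Simplified model written for this example; it is not the AP's implementation.
"""
from collections import defaultdict


def replay(failures, interval=60, threshold=20, quiet_time=600,
           dynamic_blacklist=True, aging_time=300):
    """Return (reports, dropped) for a time-sorted list of (seconds, sta_mac).

    interval, threshold and quiet_time default to the values quoted in Step 6.
    aging_time=300 is a constructed value; set it to the value configured with
    the dynamic-blacklist aging-time command.
    Assumptions: detection periods are fixed windows starting at t=0, and the
    quiet time suppresses repeat reports for the same STA MAC address.
    """
    counts = defaultdict(int)   # (window index, mac) -> failures in that window
    last_report = {}            # mac -> time of the last report sent to the AC
    blacklist_until = {}        # mac -> time the blacklist entry ages out
    reports, dropped = [], 0

    for ts, mac in failures:
        # Packets from a blacklisted STA are discarded until the entry ages out.
        if dynamic_blacklist and ts < blacklist_until.get(mac, 0):
            dropped += 1
            continue
        key = (ts // interval, mac)
        counts[key] += 1
        # threshold is the maximum number of failures allowed per period, so
        # the attack is detected on the first failure beyond it.
        if counts[key] == threshold + 1:
            if mac not in last_report or ts - last_report[mac] >= quiet_time:
                reports.append((ts, mac))
                last_report[mac] = ts
            if dynamic_blacklist:
                blacklist_until[mac] = ts + aging_time
    return reports, dropped


# Constructed trace: one STA failing key negotiation once per second for
# 15 minutes, and one user who mistypes the key three times.
ATTACKER = "00:11:22:33:44:55"
USER = "66:77:88:99:aa:bb"
TRACE = sorted([(t, ATTACKER) for t in range(900)] +
               [(10, USER), (200, USER), (400, USER)])

if __name__ == "__main__":
    for enabled in (False, True):
        reports, dropped = replay(TRACE, dynamic_blacklist=enabled)
        print(f"dynamic-blacklist={enabled}: reports={reports} dropped={dropped}")
```

In this model the AC receives two reports in 15 minutes either way; what the dynamic blacklist changes is how many of the attacker's attempts reach key negotiation at all.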

11.7.5 Applying the Configuration to an AP Group or a Specific AP

Context
WIDS services are implemented on APs, including WLAN device detection and containment,
attacking device detection, and dynamic blacklist; therefore, the WIDS profile carrying the
WIDS services must be applied to an AP group or a specific AP.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Bind the VAP profile to radios of an AP group or a specific AP.


NOTE
This step is optional when a radio works in monitor mode. When a radio works in monitor mode, the device
automatically checks whether the radio has a VAP bound. If not, the device automatically creates a VAP and
binds it to the radio to ensure normal scanning.

1. Run the vap-profile name profile-name command to create a VAP profile.
   By default, the system provides the VAP profile default.
   NOTE
   When a VAP profile exists in the system, you can use the existing one or create a new one.
2. Run the quit command to return to the WLAN view.
3. Bind the VAP profile to radios of an AP group or a specific AP as required to make the
   radios properly work. For details, see 5.11.2.11 Binding VAP Profiles.
4. Run the quit command to return to the WLAN view.

Step 4 Bind a WIDS profile to an AP group or a specific AP.

- Binding a WIDS profile to an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the wids-profile profile-name command to bind the WIDS profile to a radio in
     an AP group.
     By default, the WIDS profile default is bound to an AP group.
- Binding a WIDS profile to a specific AP.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the wids-profile profile-name command to bind the WIDS profile to a radio of
     a specific AP.
     By default, no WIDS profile is bound to a specific AP.

----End

11.7.6 Verifying the Attack Detection and Dynamic Blacklist Configuration

Context
After the WIDS configuration is complete, you can check WIDS profiles on the device,
including their configuration and profile reference information, the WIDS attacking device
list, and the dynamic blacklist.

Procedure
- Run the display wids-profile { all | name profile-name } command to check information
  about the WIDS profile.
- Run the display references wids-whitelist-profile name profile-name command to
  check reference information about the WIDS whitelist profile.
- Run the display ap-system-profile { all | name profile-name } command to check the
  configuration of the AP system profile.
----End

11.8 Configuring WLAN Security

Configuration Procedure
To improve VAP and WLAN security, you can enable strict STA IP address learning through
DHCP, dynamic ARP inspection (DAI), and IP source guard (IPSG), and disable the DHCP
and ND trusted port on an AP.
You can perform the following tasks in any sequence.

11.8.1 Configuring Strict STA IP Address Learning Through DHCP

Context
When a STA associates with an AP, the following situation occurs after strict STA IP address
learning through DHCP is enabled:
- If the STA obtains an IP address through DHCP, the AP will automatically report the IP
  address to the AC. The STA IP address can be used to maintain the mapping entries
  between STA IP addresses and MAC addresses.
- If the STA uses a static IP address, configure related parameters to control the
  association of the STA with the AP.

Procedure
Step 1 Run system-view
The system view is displayed.

Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Run undo learn-client-address ipv4 disable
STA address learning is enabled.
By default, STA address learning is enabled.
Step 5 Run the learn-client-address dhcp-strict [ blacklist enable ] command to enable strict STA
IP address learning through DHCP.
If the STA uses a static IP address:
- If blacklist enable is specified, the STA will be added to the dynamic blacklist of the AP
  and cannot associate with the AP before the blacklist entry ages.
- If blacklist enable is not specified, the STA can associate with the AP and the AP does
  not learn the STA IP address. In this case, enable IPSG to prevent communication
  through bogus IP addresses.

NOTE

- After strict STA IP address learning through DHCP is enabled, if the AC has learned the STA IP address
  through DHCP or statically, the STA using a bogus IP address will not be added to the blacklist. In this
  case, enable IPSG to prevent services from the bogus IP address from running.
- After strict STA IP address learning is enabled, it is recommended that you run the ip source check
  user-bind enable and arp anti-attack check user-bind enable commands to enable IP source guard and
  dynamic ARP inspection so that STAs cannot communicate with the network before obtaining an IP
  address through DHCP.

----End

11.8.2 Configuring DAI

Context
After dynamic ARP inspection (DAI) is enabled, an AP detects the ARP request and reply
packets transmitted on the VAPs, discards invalid and attack ARP packets, and sends an alarm
to the connected AC. DAI prevents unauthorized users from connecting to external networks
through the AP and protects authorized users from interference and ARP spoofing attacks. In
addition, DAI protects the AP's CPU from ARP attacks, which, if not prevented, will cause
unavailability of some functions on the AP or even make the AP break down.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.

Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Run arp anti-attack check user-bind enable
DAI is enabled.
By default, DAI is disabled.

----End

11.8.3 Configuring Defense Against Bogus DHCP Server Attacks

Context
If a bogus DHCP server is deployed at the user side, STAs may obtain incorrect IP addresses
and network configuration parameters, and cannot communicate properly. After the DHCP
trusted port is disabled on an AP, the AP considers that a bogus DHCP server is deployed at
the user side when receiving DHCP OFFER, ACK, and NAK packets. The AP discards the
packets and reports the IP address of the bogus DHCP server to the connected AC.
In most cases, you need to enable the DHCP trusted port in an AP wired port profile. When
receiving DHCP OFFER, ACK, and NAK packets sent by authorized DHCP servers, the AP
forwards the packets to STAs so that the STAs can obtain valid IP addresses and go online.
For the detailed configuration, see 6.9 Managing an AP's Wired Interface.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Run undo dhcp trust port
The DHCP trusted port is disabled on the AP.
By default, the DHCP trusted interface is disabled in the VAP profile view and enabled on the
AP's uplink interface in the AP wired port profile view.

----End

11.8.4 Configuring the IPSG Function

Context
To defend against IP address spoofing attacks, enable the IP source guard (IPSG) function to
check IP packets against a binding table. This function prevents unauthorized packets from
passing through an AP and ensures network security.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Run ip source check user-bind enable
The IPSG function is enabled on the AP.
By default, IP source guard is disabled on APs.

NOTE
After the IPSG function is enabled, run the undo learn-client-address ipv4 disable command to enable STA
address learning to make the IPSG function take effect.

----End

11.8.5 Configuring Flood Attack Detection

Context
A large number of broadcast or multicast packets on a device occupy many network
resources, affecting network services. To ensure normal running of network services, you can
limit the rate of broadcast and multicast packets on APs with a proper range.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 4 Configure flood attack detection.
- Configure broadcast flood attack detection.
  a. Run the undo anti-attack broadcast-flood disable command to enable flood
     attack detection.
     By default, the broadcast flood detection function is enabled.
  b. Run the anti-attack broadcast-flood sta-rate-threshold sta-rate-threshold
     command to set the rate threshold for broadcast flood attack detection.
     By default, the broadcast flood threshold is 10 pps.
  c. (Optional) Run the anti-attack broadcast-flood blacklist enable command to
     enable the broadcast flood blacklist function. The device then adds STAs that
     launch broadcast flood attacks to the blacklist.
     By default, the broadcast flood blacklist function is disabled.

----End

11.8.6 Applying the Configuration

Context
After WLAN network security is configured in a VAP profile, you need to bind the VAP
profile to an AP group, AP, AP radio, or AP group radio. After being delivered to APs, the
configuration in a VAP profile can take effect on the APs.

After a VAP profile is applied to an AP group or AP, the parameter settings in the profile take
effect on all radios of the AP group or AP. After a radio profile is applied in the AP group
radio or AP radio view, the parameter settings in the profile take effect on the specified AP
radio or radios in the AP group.

Procedure
- Bind a VAP profile to an AP group.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Run the ap-group name group-name command to enter the AP group view.
  d. Run the vap-profile profile-name wlan wlan-id { radio { radio-id | all } }
     command to bind the VAP profile to the radio.
     By default, no VAP profile is bound to a radio.
- Bind a VAP profile to an AP.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  d. Run the vap-profile profile-name wlan wlan-id { radio { radio-id | all } }
     command to bind the VAP profile to the radio.
     By default, no VAP profile is bound to a radio.
- Apply a VAP profile in the AP group radio view.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Run the ap-group name group-name command to enter the AP group view.
  d. Run the radio radio-id command to enter the radio view.
  e. Run the vap-profile profile-name wlan wlan-id command to bind the VAP profile
     to the radio.
     By default, no VAP profile is bound to a radio.
- Apply a VAP profile in the AP radio view.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  d. Run the radio radio-id command to enter the radio view.
  e. Run the vap-profile profile-name wlan wlan-id command to bind the VAP profile
     to the radio.
     By default, no VAP profile is bound to a radio.

----End

11.8.7 Verifying the WLAN Security Configuration

Prerequisites
WLAN network security has been configured in a VAP profile.

Procedure
• Run the display vap-profile { all | name profile-name } command to check
configuration and reference information about a VAP profile.

----End

11.9 Maintaining WLAN Security

11.9.1 Verifying the Configuration of Device Detection and Containment

Context
After configuring device detection and containment, you can check information about
detected WLAN devices, historical records of detected devices, and information about
contained devices.

Procedure
• Run the display wlan ids device-detected { all | [ interference | rogue ] ap | [ rogue ]
bridge | [ rogue ] client | adhoc | [ rogue ] ssid | mac-address mac-address |
monitor-ap { ap-name ap-name | ap-id ap-id } [ radio-id radio-id ] } command to check
information about the detected WLAN devices.
• Run the display wlan ids device-detected statistics command to display statistics on all
wireless devices detected on a WLAN.
• Run the display wlan ids rogue-history { all | ap | bridge | client | adhoc | ssid |
mac-address mac-address } command to check historical records of the detected devices.
• Run the display wlan ids contain { all | ap | adhoc | client | ssid |
mac-address mac-address | monitor-ap { ap-name ap-name | ap-id ap-id } [ radio-id radio-id ] }
command to check information about the contained devices.

----End

11.9.2 Verifying the Configuration of Attack Detection and Dynamic Blacklist

Context
After the WIDS configuration is complete, you can check the WIDS profiles on the device,
including their configuration and profile reference information, as well as the list of
attacking devices detected by WIDS and the dynamic blacklist.

Procedure
• Run the display wlan ids attack-detected { all | flood | spoof | wapi-psk | weak-iv |
wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address } command to check
information about the detected attacking devices.
• Run the display wlan ids attack-history { all | flood | spoof | wapi-psk | weak-iv |
wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address } command to check
historical records of the detected attacking devices.
• Run the display wlan ids attack-detected statistics command to check statistics on the
detected attacks.
• Run the { all | ap-id ap-id | ap-name ap-name | mac-address mac-address } command
to check attacking devices added to the dynamic blacklist.
• Run the display station dynamic-blacklist { ap-id ap-id | ap-name ap-name }
command to check the dynamic blacklist.

----End

11.9.3 Checking Air Interface Environment Information About AP Radios

Context
You can check air interface environment information about an AP radio to learn the radio's
air interface quality.

After the display ap radio-environment { ap-name ap-name | ap-id ap-id } [ radio
radio-id ] command is executed, radio scanning of the AP is automatically enabled, and the
AP starts to scan the air interface environment of the radio. When you run this command for
the first time, no scanning result is displayed. To view the air interface environment scanning
result, run this command again.

Procedure
• Run display ap radio-environment { ap-name ap-name | ap-id ap-id } [ radio radio-id ]

Air interface environment information about the AP radio is displayed.

----End

11.9.4 Clearing WLAN Security Information

Context
After the WLAN security configuration is complete, check the configuration results. If the
results are no longer needed or you need to re-collect them, clear the existing results.

Procedure
• Run the reset wlan ids attack-detected { all | flood | spoof | wapi-psk | weak-iv |
wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address } command to clear
information about the detected attacking devices.
• Run the reset wlan ids attack-detected statistics command to clear statistics on the
detected attacks.
• Run the reset wlan ids attack-history { all | flood | spoof | wapi-psk | weak-iv |
wep-share-key | wpa-psk | wpa2-psk | mac-address mac-address } command to clear
historical records of the detected attacking devices.
• Run the reset wlan ids device-detected { all | [ interference | rogue ] ap | [ rogue ]
bridge | [ rogue ] client | adhoc | ssid [ ssid ] | mac-address mac-address } command to
clear the detected WLAN device list.
• Run the { ap-id ap-id | ap-name ap-name | mac-address mac-address | all } command
to clear information in the dynamic blacklist.
• Run the reset wlan ids rogue-history { all | ap | bridge | client | adhoc | ssid [ ssid ] |
mac-address mac-address } command to clear historical records of the detected rogue
devices.

----End

11.10 Configuration Examples for WLAN Security

11.10.1 Example for Configuring WIDS and WIPS

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.


Networking Requirements
As shown in Figure 11-7, an enterprise branch deploys basic WLAN services and provides a
WLAN with the SSID wlan-net for employees to access enterprise network resources.
STAs automatically obtain IP addresses.

The branch is located in an open place, making the WLAN vulnerable to attacks. A rogue AP
(AP2) with the same SSID wlan-net is deployed on the WLAN and attempts to steal
enterprise business information by establishing connections with STAs. This rogue AP
threatens information security on the enterprise network. To prevent such attacks, deploy a
monitor AP (AP3) and configure the WIDS and WIPS functions so that the AC can detect AP2
(which is neither managed by the local AC nor in the authorized AP list) and prevent STAs
from associating with AP2.

Figure 11-7 Networking diagram for configuring WIDS and WIPS

[Figure: IP network, AC, SwitchA, authorized AP (AP1), rogue AP (AP2), monitor AP (AP3), STAs. SSID: wlan-net. Management VLAN: 100. Service VLAN: 101.]

Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure AP3 to work in monitor mode so that AP3 can detect and report information
about wireless devices to the AC.
3. Configure WIDS and WIPS so that the AC can contain the detected rogue APs (AP2 in
this example) and disconnect STAs from AP2.


NOTE

The following example configures WIDS and WIPS on the 2.4G radio of AP3. The configuration on the 5G
radio is similar.

Table 11-6 Data planning

Item                             Data
DHCP server                      The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP       10.23.100.2-10.23.100.254/24
IP address pool for STAs         10.23.101.2-10.23.101.254/24
AC's source interface address    VLANIF 100: 10.23.100.1/24
AP group                         • Name: ap-group1
                                 • Referenced profile: VAP profile wlan-vap1 and regulatory domain profile domain1

                                 • Name: ap-group2
                                 • Referenced profile: VAP profile wlan-vap2, regulatory domain profile domain1, and WIDS profile wlan-wids
                                 • Working mode of radio 0 in an AP group: monitor
                                 • Device detection and rogue device containment on radio 0 in an AP group: enabled.
Regulatory domain profile        • Name: domain1
                                 • Country code: CN
SSID profile                     • Name: wlan-ssid
                                 • SSID name: wlan-net
Security profile                 • Name: wlan-security
                                 • Security policy: WPA2-PSK-AES
                                 • Password: a1234567
VAP profile                      • Name: wlan-vap1
                                 • Forwarding mode: tunnel forwarding
                                 • Service VLAN: VLAN 101
                                 • Referenced profile: SSID profile wlan-ssid and security profile wlan-security

                                 • Name: wlan-vap2
                                 • Referenced profile: SSID profile wlan-ssid
WIDS profile                     • Name: wlan-wids
                                 • Rogue device containment mode for AP3: containing rogue APs

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 and GE0/0/3 that connect SwitchA to the APs to management VLAN 100 and
add GE0/0/2 that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.


# Create AP groups ap-group1 and ap-group2.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC and add AP1 and AP3 to ap-group1 and ap-group2,
respectively. Assume that AP1's MAC address is 60de-4476-e360 and AP3's MAC address is
dcd2-fc04-b500.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name AP1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc04-b500
[AC-wlan-ap-1] ap-name AP3
[AC-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 AP1 ap-group1 10.23.100.253 AP6010DN-AGN nor 0 10S
1 dcd2-fc04-b500 AP3 ap-group2 10.23.100.254 AP6010DN-AGN nor 0 15S
--------------------------------------------------------------------------------
Total: 2


Step 6 Configure WLAN service parameters.

# Create the security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap1, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] quit

# Create the VAP profile wlan-vap2, and apply the SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap2] quit

# Bind the VAP profile wlan-vap1 to the AP group ap-group1.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

# Bind the VAP profile wlan-vap2 to the AP group ap-group2.


[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 2 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 2 radio 1

Step 7 Configure radio 0 of AP3 to work in monitor mode.


[AC-wlan-ap-group-ap-group2] radio 0
[AC-wlan-group-radio-ap-group2/0] work-mode monitor
Warning: Modify the work mode may cause business interruption, continue?(y/n):y

Step 8 Configure WIDS and WIPS.

# Enable device detection and rogue device containment.


[AC-wlan-group-radio-ap-group2/0] wids device detect enable
[AC-wlan-group-radio-ap-group2/0] wids contain enable
[AC-wlan-group-radio-ap-group2/0] quit
[AC-wlan-ap-group-ap-group2] quit

# Create the WIDS profile wlan-wids and set the containment mode to containing rogue APs.
[AC-wlan-view] wids-profile name wlan-wids
[AC-wlan-wids-prof-wlan-wids] contain-mode spoof-ssid-ap
[AC-wlan-wids-prof-wlan-wids] quit

Step 9 Bind the WIDS profile wlan-wids to the AP group ap-group2.


[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] wids-profile wlan-wids
[AC-wlan-ap-group-ap-group2] quit


Step 10 Verify the configuration.


Run the display wlan ids contain ap command. The command output shows information
about the contained AP2.
[AC-wlan-view] display wlan ids contain ap
#Rf: Number of monitor radios that have contained the device
CH: Channel number
-------------------------------------------------------------------------------
MAC address CH Authentication Last detected time #Rf SSID
-------------------------------------------------------------------------------
000b-6b8f-fc6a 11 open 2014-11-20/16:16:57 1 wlan-net
-------------------------------------------------------------------------------
Total: 1, printed: 1

STAs attempt to connect to the network through AP2. Countermeasures are taken on AP2, so
traffic between STAs and AP2 is stopped and then STAs connect to AP1.
C:\Documents and Settings\huawei> ping 10.23.101.22

Pinging 10.23.101.22 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.23.101.22: bytes=32 time=1433ms TTL=255
Reply from 10.23.101.22: bytes=32 time=40ms TTL=255
Reply from 10.23.101.22: bytes=32 time=11ms TTL=255
Reply from 10.23.101.22: bytes=32 time=46ms TTL=255

----End
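
The verification in Step 10 can be scripted. The following Python is an added example, not part of the Huawei guide: it parses the display ap all and display wlan ids contain ap output shown above (embedded as captured text) and classifies each contained device. The function names, the verdict labels and the set of protected SSIDs are assumptions of this example.

```python
import re
from datetime import datetime

# Captures copied from the command output shown in this configuration example.
DISPLAY_AP_ALL = """\
Total AP information:
nor : normal [2]
--------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------
0 60de-4476-e360 AP1 ap-group1 10.23.100.253 AP6010DN-AGN nor 0 10S
1 dcd2-fc04-b500 AP3 ap-group2 10.23.100.254 AP6010DN-AGN nor 0 15S
--------------------------------------------------------------------------------
Total: 2
"""

DISPLAY_CONTAIN_AP = """\
#Rf: Number of monitor radios that have contained the device
CH: Channel number
-------------------------------------------------------------------------------
MAC address CH Authentication Last detected time #Rf SSID
-------------------------------------------------------------------------------
000b-6b8f-fc6a 11 open 2014-11-20/16:16:57 1 wlan-net
-------------------------------------------------------------------------------
Total: 1, printed: 1
"""

MAC = r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
# Columns: ID, MAC, name, group, IP, type, state, STA count, uptime
AP_ROW = re.compile(
    rf"^\s*\d+\s+({MAC})\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+(\S+)\s+\d+\s+\S+\s*$")
# Columns: MAC, channel, authentication, last detected time, #Rf, SSID
# (the SSID is last, may contain spaces, and may be empty)
CONTAIN_ROW = re.compile(
    rf"^\s*({MAC})\s+(\d+)\s+(\S+)\s+(\d{{4}}-\d\d-\d\d/\d\d:\d\d:\d\d)"
    rf"\s+(\d+)(?:\s+(.*\S))?\s*$")
TOTALS = re.compile(r"^\s*Total:\s*(\d+),\s*printed:\s*(\d+)")


def parse_managed_aps(text):
    """Map MAC -> {name, group, state} for every AP row of 'display ap all'."""
    aps = {}
    for line in text.splitlines():
        m = AP_ROW.match(line)
        if m:
            mac, name, group, state = m.groups()
            aps[mac.lower()] = {"name": name, "group": group, "state": state}
    return aps


def parse_contained(text):
    """Return (rows, total, printed) from 'display wlan ids contain ap'."""
    rows, total, printed = [], None, None
    for line in text.splitlines():
        m = CONTAIN_ROW.match(line)
        if m:
            mac, channel, auth, seen, radios, ssid = m.groups()
            rows.append({
                "mac": mac.lower(), "channel": int(channel), "auth": auth.lower(),
                "last_seen": datetime.strptime(seen, "%Y-%m-%d/%H:%M:%S"),
                "monitor_radios": int(radios), "ssid": ssid or "",
            })
            continue
        t = TOTALS.match(line)
        if t:
            total, printed = int(t.group(1)), int(t.group(2))
    return rows, total, printed


def capture_complete(rows, total, printed):
    """False when fewer rows were captured than the device reports."""
    return total is not None and total == printed == len(rows)


def triage(rows, managed, protected_ssids):
    """Classify each contained device as a (verdict, mac) tuple."""
    verdicts = []
    for row in rows:
        if row["mac"] in managed:
            # One of our own APs is being contained: review the AP lists.
            verdict = "managed-ap-contained"
        elif row["ssid"] in protected_ssids:
            # Unmanaged device advertising the enterprise SSID.
            verdict = "ssid-spoof-open" if row["auth"] == "open" else "ssid-spoof"
        else:
            verdict = "contained-other"
        verdicts.append((verdict, row["mac"]))
    return verdicts


if __name__ == "__main__":
    managed = parse_managed_aps(DISPLAY_AP_ALL)
    rows, total, printed = parse_contained(DISPLAY_CONTAIN_AP)
    print("capture complete:", capture_complete(rows, total, printed))
    for verdict, mac in triage(rows, managed, {"wlan-net"}):
        print(verdict, mac)
```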

Configuration Files
• Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
return

• Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap1
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 vap-profile name wlan-vap2
  ssid-profile wlan-ssid
 regulatory-domain-profile name domain1
 wids-profile name wlan-wids
  contain-mode spoof-ssid-ap
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap1 wlan 1
  radio 1
   vap-profile wlan-vap1 wlan 1
 ap-group name ap-group2
  regulatory-domain-profile domain1
  wids-profile wlan-wids
  radio 0
   vap-profile wlan-vap2 wlan 2
   work-mode monitor
   wids device detect enable
   wids contain enable
  radio 1
   vap-profile wlan-vap2 wlan 2
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name AP1
  ap-group ap-group1
 ap-id 1 type-id 28 ap-mac dcd2-fc04-b500 ap-sn 210235419610D2000097
  ap-name AP3
  ap-group ap-group2
#
return
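
A saved AC configuration file can be checked against the requirements of this example before it is relied on. The following Python is an added example, not part of the Huawei guide: it audits an abridged copy of the AC configuration file above, mirroring Steps 7 to 9 and the configuration note that the management VLAN and service VLAN cannot be the same in tunnel forwarding mode. The parser assumes the one-space-per-level indentation of VRP configuration files; the function names, finding texts and the broken variant are constructed for this example.

```python
import re
from collections import defaultdict

# Abridged from the AC configuration file of this example (lines that the
# checks do not read, including the cipher-text pass-phrase, are left out).
GOOD_CONFIG = """\
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-vap1
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 wids-profile name wlan-wids
  contain-mode spoof-ssid-ap
 ap-group name ap-group2
  regulatory-domain-profile domain1
  wids-profile wlan-wids
  radio 0
   vap-profile wlan-vap2 wlan 2
   work-mode monitor
   wids device detect enable
   wids contain enable
#
return
"""

# Constructed variant: service VLAN equals the management VLAN, containment is
# not enabled on the monitor radio, and the WIDS profile sets no contain mode.
BAD_CONFIG = (GOOD_CONFIG
              .replace("service-vlan vlan-id 101", "service-vlan vlan-id 100")
              .replace("   wids contain enable\n", "")
              .replace("  contain-mode spoof-ssid-ap\n", ""))


def parse_vrp(text):
    """Return [(parents, command)]; parents is the tuple of enclosing commands."""
    stack, out = [], []
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd in ("#", "return"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # Leave every view that is at the same depth or deeper than this line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        out.append((tuple(c for _, c in stack), cmd))
        stack.append((indent, cmd))
    return out


def audit(text):
    """Return a sorted list of findings for the WIDS/WIPS example."""
    children = defaultdict(list)
    for parents, cmd in parse_vrp(text):
        children[parents].append(cmd)

    # Management VLAN = VLANIF used as the CAPWAP source interface.
    mgmt_vlan = None
    for cmd in children[()]:
        m = re.fullmatch(r"capwap source interface vlanif\s*(\d+)", cmd, re.I)
        if m:
            mgmt_vlan = int(m.group(1))

    # WIDS profiles that define a containment mode (Step 8).
    armed = {p[-1].split()[-1] for p, kids in children.items()
             if len(p) == 2 and p[-1].startswith("wids-profile name ")
             and any(k.startswith("contain-mode ") for k in kids)}

    findings = []
    for parents, kids in list(children.items()):
        scope = parents[-1] if parents else ""
        if (len(parents) == 2 and scope.startswith("vap-profile name ")
                and "forward-mode tunnel" in kids):
            for k in kids:
                m = re.fullmatch(r"service-vlan vlan-id (\d+)", k)
                if m and int(m.group(1)) == mgmt_vlan:
                    findings.append(
                        f"{scope.split()[-1]}: tunnel forwarding uses service "
                        f"VLAN {mgmt_vlan}, which is also the management VLAN")
        if (len(parents) == 3 and scope.startswith("radio ")
                and "work-mode monitor" in kids):
            where = f"{parents[1].split()[-1]} radio {scope.split()[-1]}"
            for need in ("wids device detect enable", "wids contain enable"):
                if need not in kids:
                    findings.append(f"{where}: monitor mode without '{need}'")
            bound = [k.split()[-1] for k in children[parents[:2]]
                     if k.startswith("wids-profile ")]
            if not any(name in armed for name in bound):
                findings.append(f"{where}: no bound WIDS profile sets a contain-mode")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(cfg) or "no findings")
```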

11.10.2 Example for Configuring Attack Detection

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 11-8, the AC and AP are connected through access switch SwitchA. The
enterprise branch has deployed WLAN services for mobile office applications. To protect the
network against flood attacks and PSK cracking, configure the attack detection and dynamic
blacklist functions and add the attacking devices to the blacklist. Packets from the attacking
devices are discarded to ensure network stability and security.

Figure 11-8 Networking diagram for configuring attack detection

[Figure: Internet, AC, SwitchA, AP, STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Configuration Roadmap
1. Configure basic WLAN services to enable STAs to connect to the WLAN.
2. Configure detection of brute force key cracking attacks for WPA2-PSK authentication
and detection of flood attacks so that the device can detect information about the
attacking devices.
3. Configure the dynamic blacklist function and add devices that initiate attacks to the
dynamic blacklist so that packets from the devices are discarded during the configured
aging time.


NOTE

The following example configures attack detection on the 2.4G radio. The configuration on the 5G radio is
similar.

Table 11-7 Data planning

Item                             Data
DHCP server                      The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP       10.23.100.2-10.23.100.254/24
IP address pool for STAs         10.23.101.2-10.23.101.254/24
AC's source interface address    VLANIF 100: 10.23.100.1/24
AP group                         • Name: ap-group1
                                 • Referenced profile: VAP profile wlan-vap, regulatory domain profile domain1, and WIDS profile wlan-wids
                                 • Attack detection mode on radio 0 in an AP group: detection of brute force key cracking attacks for WPA2-PSK authentication and detection of flood attacks
Regulatory domain profile        • Name: domain1
                                 • Country code: CN
SSID profile                     • Name: wlan-ssid
                                 • SSID name: wlan-net
Security profile                 • Name: wlan-security
                                 • Security policy: WPA2-PSK-AES
                                 • Password: a1234567
VAP profile                      • Name: wlan-vap
                                 • Forwarding mode: tunnel forwarding
                                 • Service VLAN: VLAN 101
                                 • Referenced profile: SSID profile wlan-ssid and security profile wlan-security
WIDS profile                     • Name: wlan-wids
                                 • Interval for brute force PSK cracking attack detection: 70s
                                 • Quiet time for brute force PSK cracking attack detection: 700s
                                 • Maximum number of key negotiation failures allowed within a brute force PSK cracking attack detection period: 25
                                 • Flood attack detection interval: 70s
                                 • Quiet time for flood attack detection: 700s
                                 • Flood attack detection threshold: 350
                                 • Dynamic blacklist: enabled
AP system profile                • Name: wlan-system
                                 • Aging time of the dynamic blacklist: 200s

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode


NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.

# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type            State STA Uptime      ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN        nor   0   10S         -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure attack detection.


# Enable brute force attack detection for WPA2-PSK authentication and flood attack
detection.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] wids attack detect enable wpa2-psk
[AC-wlan-group-radio-ap-group1/0] wids attack detect enable flood
[AC-wlan-group-radio-ap-group1/0] quit
[AC-wlan-ap-group-ap-group1] quit

# Create the WIDS profile wlan-wids.


[AC-wlan-view] wids-profile name wlan-wids

# For WPA2-PSK authentication, set the brute force attack detection interval to 70 seconds,
the maximum number of key negotiation failures allowed within the detection period to 25,
and the quiet time to 700 seconds.
[AC-wlan-wids-prof-wlan-wids] brute-force-detect interval 70
[AC-wlan-wids-prof-wlan-wids] brute-force-detect threshold 25
[AC-wlan-wids-prof-wlan-wids] brute-force-detect quiet-time 700

# Set the flood attack detection interval to 70 seconds, the flood attack detection threshold to
350, and the quiet time to 700 seconds.
[AC-wlan-wids-prof-wlan-wids] flood-detect interval 70
[AC-wlan-wids-prof-wlan-wids] flood-detect threshold 350
[AC-wlan-wids-prof-wlan-wids] flood-detect quiet-time 700

# Enable the dynamic blacklist function.


[AC-wlan-wids-prof-wlan-wids] dynamic-blacklist enable
[AC-wlan-wids-prof-wlan-wids] quit

# Create the AP system profile wlan-system and set the aging time of dynamic blacklist to
200s.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] dynamic-blacklist aging-time 200
[AC-wlan-ap-system-prof-wlan-system] quit

Step 7 Configure WLAN service parameters.


# Create the security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap, WIDS profile wlan-wids, and AP system profile wlan-system
to the AP group.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] wids-profile wlan-wids
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system
[AC-wlan-ap-group-ap-group1] quit

Step 8 Verify the configuration.


After the configuration is complete, run the display wlan ids attack-detected all command to
check the detected attacking devices.
[AC-wlan-view] display wlan ids attack-detected all
#AP: Number of monitor APs that have detected the device
AT: Last detcted attack type
CH: Channel number
act: Action frame asr: Association request
aur: Authentication request daf: Deauthentication frame
dar: Disassociation request wiv: Weak IV detected
pbr: Probe request rar: Reassociation request
eaps: EAPOL start frame eapl: EAPOL logoff frame
saf: Spoofed disassociation frame
sdf: Spoofed deauthentication frame
otsf: Other types of spoofing frames
-------------------------------------------------------------------------------
MAC address AT CH RSSI(dBm) Last detected time #AP
-------------------------------------------------------------------------------
000b-c002-9c81 pbr 165 -87 2014-11-20/15:51:13 1
0024-2376-03e9 pbr 165 -84 2014-11-20/15:51:13 1
0046-4b74-691f act 165 -67 2014-11-20/15:51:13 1
-------------------------------------------------------------------------------
Total: 3, printed: 3

Run the display wlan dynamic-blacklist all command to check devices on the dynamic
blacklist.
[AC-wlan-view] display wlan dynamic-blacklist all
#AP: Number of monitor APs that have detected the device
act: Action frame asr: Association request
aur: Authentication request daf: Deauthentication frame
dar: Disassociation request eapl: EAPOL logoff frame
pbr: Probe request rar: Reassociation request
eaps: EAPOL start frame
-------------------------------------------------------------------------------
MAC address Last detected time Reason #AP
-------------------------------------------------------------------------------
000b-c002-9c81 2014-11-20/16:15:53 pbr 1
0024-2376-03e9 2014-11-20/16:15:53 pbr 1
0046-4b74-691f 2014-11-20/16:15:53 act 1
-------------------------------------------------------------------------------
Total: 3, printed: 3

----End
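
The two displays in Step 8 can be cross-checked by script rather than by eye. The following is an added example, not part of the Huawei guide: a Python parser for the row layouts shown above that joins the attack-detected list with the dynamic blacklist and reports detected devices that are missing from the blacklist. The function names are hypothetical, and the sample rows are copied from the output above.

```python
"""Cross-check `display wlan ids attack-detected all` against
`display wlan dynamic-blacklist all` (added example, not Huawei code)."""
import re
from collections import Counter
from datetime import datetime

# Rows copied from the Step 8 output above; the legend lines are omitted.
ATTACK_DETECTED = """\
MAC address AT CH RSSI(dBm) Last detected time #AP
-------------------------------------------------------------------------------
000b-c002-9c81 pbr 165 -87 2014-11-20/15:51:13 1
0024-2376-03e9 pbr 165 -84 2014-11-20/15:51:13 1
0046-4b74-691f act 165 -67 2014-11-20/15:51:13 1
-------------------------------------------------------------------------------
Total: 3, printed: 3
"""
DYNAMIC_BLACKLIST = """\
MAC address Last detected time Reason #AP
-------------------------------------------------------------------------------
000b-c002-9c81 2014-11-20/16:15:53 pbr 1
0024-2376-03e9 2014-11-20/16:15:53 pbr 1
0046-4b74-691f 2014-11-20/16:15:53 act 1
-------------------------------------------------------------------------------
Total: 3, printed: 3
"""

MAC = r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}"
TS = r"\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2}"
ATTACK_ROW = re.compile(rf"^({MAC})\s+(\w+)\s+(\d+)\s+(-?\d+)\s+({TS})\s+(\d+)$")
BLACKLIST_ROW = re.compile(rf"^({MAC})\s+({TS})\s+(\w+)\s+(\d+)$")
TOTAL_ROW = re.compile(r"^Total:\s*(\d+),\s*printed:\s*(\d+)$")


def parse_time(text):
    """Convert the device's YYYY-MM-DD/HH:MM:SS stamp to a datetime."""
    return datetime.strptime(text, "%Y-%m-%d/%H:%M:%S")


def parse_rows(text, row_re, build):
    """Return {mac: record}. Legend, header and separator lines match no row
    pattern and are skipped. Raise if fewer rows were parsed than Total reports,
    so truncated or paged output is never mistaken for a complete list."""
    rows, total = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        row = row_re.match(line)
        if row:
            rows[row.group(1).lower()] = build(row)
            continue
        summary = TOTAL_ROW.match(line)
        if summary:
            total = int(summary.group(1))
    if total is not None and total != len(rows):
        raise ValueError(f"parsed {len(rows)} rows, device reports Total: {total}")
    return rows


def parse_attack_detected(text):
    return parse_rows(text, ATTACK_ROW, lambda m: {
        "attack_type": m.group(2), "channel": int(m.group(3)),
        "rssi_dbm": int(m.group(4)), "last_seen": parse_time(m.group(5)),
        "monitor_aps": int(m.group(6))})


def parse_dynamic_blacklist(text):
    return parse_rows(text, BLACKLIST_ROW, lambda m: {
        "last_seen": parse_time(m.group(2)), "reason": m.group(3),
        "monitor_aps": int(m.group(4))})


def correlate(attack_text, blacklist_text):
    """Join both displays on MAC address and summarise the result."""
    detected = parse_attack_detected(attack_text)
    blacklisted = parse_dynamic_blacklist(blacklist_text)
    report = {
        "by_attack_type": dict(Counter(d["attack_type"] for d in detected.values())),
        "not_blacklisted": sorted(set(detected) - set(blacklisted)),
        "blacklisted": {},
    }
    for mac in sorted(set(detected) & set(blacklisted)):
        gap = blacklisted[mac]["last_seen"] - detected[mac]["last_seen"]
        report["blacklisted"][mac] = {
            "reason_matches": blacklisted[mac]["reason"] == detected[mac]["attack_type"],
            "seconds_between_last_seen": int(gap.total_seconds()),
        }
    return report


if __name__ == "__main__":
    import pprint
    pprint.pprint(correlate(ATTACK_DETECTED, DYNAMIC_BLACKLIST))
```

A non-empty `not_blacklisted` list means a device was detected but is absent from the blacklist display; an entry also disappears from the dynamic blacklist once the aging time (200s in this example) expires.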

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#4R-.UpLuaWW`dGKS3R':Hg.h4g.hh:ygc7*P$q("%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain1
 wids-profile name wlan-wids
  flood-detect interval 70
  flood-detect threshold 350
  flood-detect quiet-time 700
  brute-force-detect interval 70
  brute-force-detect threshold 25
  brute-force-detect quiet-time 700
  dynamic-blacklist enable
 ap-system-profile name wlan-system
  dynamic-blacklist aging-time 200
 ap-group name ap-group1
  ap-system-profile wlan-system
  regulatory-domain-profile domain1
  wids-profile wlan-wids
  radio 0
   vap-profile wlan-vap wlan 1
   wids attack detect enable flood
   wids attack detect enable wpa2-psk
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return

11.11 References for WLAN Security


The following table lists the reference for WLAN security.

Table 11-8 Reference for WLAN security


Document        Description

IEEE 802.11i    Medium Access Control (MAC) Security Enhancements


12 Security Policy Configuration

12.1 Understanding WLAN Security Policies


Four WLAN security policies are available: Wired Equivalent Privacy (WEP), Wi-Fi
Protected Access (WPA), WPA2, and WLAN Authentication and Privacy Infrastructure (WAPI).
Each security policy has a series of security mechanisms, including the link authentication
mechanism used to establish a wireless link, user authentication mechanism used when users
attempt to connect to a wireless network, and data encryption mechanism used during data
transmission.
Carriers can combine WLAN security policies with port authentication to enhance security of
wireless users. Port authentication methods include 802.1X authentication, MAC address
authentication, and Portal authentication. For details about the authentication methods, see
NAC Configuration (Unified Mode).

12.1.1 WEP
Wired Equivalent Privacy (WEP), defined in IEEE 802.11, is used to protect the data of
authorized users from tampering during transmission on a WLAN. WEP uses the RC4
algorithm to encrypt data using a 64-bit, 128-bit, or 152-bit encryption key. Each encryption
key contains a 24-bit initialization vector (IV) generated by the system, so the key
configured on the WLAN server and client is 40, 104, or 128 bits long. WEP uses a static
encryption key. That is, all STAs associating with the same SSID use the same key to connect
to the wireless network.
A WEP security policy defines a link authentication mechanism and a data encryption
mechanism.
Link authentication mechanisms include open system authentication and shared key
authentication. For details about link authentication, see "Link Authentication" in 5.2.6 STA
Access.
● If open system authentication is used, data is not encrypted during link authentication.
After a user goes online, service data can be encrypted by WEP or not, depending on the
configuration.
● If shared key authentication is used, the WLAN client and server complete key
negotiation during link authentication. After a user goes online, service data is encrypted
using the negotiated key.


12.1.2 WPA/WPA2

WEP shared key authentication uses the RC4 symmetric stream cipher to encrypt data. This
authentication method requires the same static key pre-configured on the server and client.
Both the encryption mechanism and encryption algorithm can bring security risks to the
network.

The Wi-Fi Alliance developed Wi-Fi Protected Access (WPA) to overcome the shortcomings
of WEP before more secure policies were provided in 802.11i. WPA still uses the RC4
algorithm, but it uses an 802.1X authentication framework, supports Extensible
Authentication Protocol-Protected Extensible Authentication Protocol (EAP-PEAP) and
EAP-Transport Layer Security (EAP-TLS) authentication, and defines the Temporal Key
Integrity Protocol (TKIP) encryption algorithm.

Later, 802.11i defined WPA2. WPA2 uses Counter Mode with CBC-MAC Protocol (CCMP),
a more secure encryption algorithm than those used in WPA.

Both WPA and WPA2 support 802.1X authentication and the TKIP/CCMP encryption
algorithms, ensuring better compatibility. The two protocols provide almost the same security
level and their difference lies in the protocol packet format.

The WPA/WPA2 security policy involves four steps:


1. Link authentication
2. Access authentication
3. Key negotiation
4. Data encryption

Link Authentication
Link authentication can be completed in open system authentication or shared key
authentication mode. WPA and WPA2 support only open system authentication. For details,
see "Link Authentication" in 5.2.6 STA Access.

Access Authentication
WPA and WPA2 have an enterprise edition and a personal edition.
● The WPA/WPA2 enterprise edition (WPA/WPA2-802.1X authentication) uses a
RADIUS server and the EAP protocol for authentication. Users provide authentication
information, including the user name and password, and are authenticated by an
authentication server (generally a RADIUS server).
Large-scale enterprise networks usually use the WPA/WPA2 enterprise edition.
NOTE

For details about 802.1X authentication, see Principles of 802.1X Authentication in the Configuration
Guide - User Access and Authentication Configuration Guide.
WPA/WPA2 implements 802.1X authentication using EAP-TLS and EAP-PEAP. Figure
12-1 and Figure 12-2 show the EAP-TLS 802.1X authentication and EAP-PEAP 802.1X
authentication processes.


Figure 12-1 EAP-TLS 802.1X authentication

[Figure: message sequence among the STA, AP, AC, and RADIUS server. Steps shown in order:
open system authentication; association; EAP start; EAP authentication request; EAP
authentication response; user identity authentication; AC certificate (public key); STA
certificate (universal key encrypted using public key); authentication succeeds, and a PMK is
generated. STA side: authenticate AC certificates and generate PMK by using public key to
encrypt universal key. RADIUS server side: authenticate STA certificates and generate PMK by
using private key to decrypt universal key.]


Figure 12-2 EAP-PEAP 802.1X authentication

[Figure: message sequence among the STA, AP, AC, and RADIUS server. Steps shown in order:
open system authentication; association; EAP start; EAP authentication request; EAP
authentication response; user identity authentication; PEAP authentication start; send
encryption algorithm list, TLS version, and session ID; AC certificate (public key); STA
certificate (universal key encrypted using public key); authentication succeeds, and a PMK is
generated. STA side: authenticate AC certificates and generate PMK by using public key to
encrypt universal key. RADIUS server side: authenticate STA certificates and generate PMK by
using private key to decrypt universal key.]

● WPA/WPA2 personal edition:
A dedicated authentication server is expensive and difficult to maintain for small- and
medium-scale enterprises and individual users. The WPA/WPA2 personal edition
provides a simplified authentication mode: pre-shared key authentication (WPA/WPA2-
PSK). This mode does not require a dedicated authentication server. Users only need to
set a pre-shared key (PSK) on each WLAN node (including WLAN server, wireless
router, and wireless network adapter).
A WLAN client can access the WLAN if its pre-shared key is the same as that
configured on the WLAN server. The PSK is not used for encryption; therefore, it does
not pose security risks like the 802.11 shared key authentication.

802.1X authentication can be used to authenticate wireless and wired users, whereas PSK
authentication is specific to wireless users.

PSK authentication requires that a STA and an AC be configured with the same PSK. The
STA and AC authenticate each other through key negotiation. During key negotiation, the
STA and AC use their PSKs to decrypt the message sent from each other. If the messages are
successfully decrypted, the STA and AC have the same PSK. If they use the same PSK, PSK
authentication is successful; otherwise, PSK authentication fails.


Key Negotiation
802.11i defines two key hierarchies: pairwise key hierarchy and group key hierarchy. The
pairwise key hierarchy protects unicast data exchanged between STAs and APs. The group
key hierarchy protects broadcast or multicast data exchanged between STAs and APs.
During key negotiation, a STA and an AC use the pairwise master key (PMK) to generate a
pairwise transient key (PTK) and a group temporal key (GTK). The PTK is used to encrypt
unicast packets, and the GTK is used to encrypt multicast and broadcast packets.
● In 802.1X authentication, a PMK is generated in the process shown in Figure 12-1.
● In PSK authentication, the method to generate a PMK varies according to the form of the
PSK, which is configured using a command:
– If the PSK is a hexadecimal numeral string, it is used as the PMK.
– If the PSK is a character string, the PMK is calculated using a hash algorithm based
on the PSK and service set identifier (SSID).
Key negotiation consists of unicast key negotiation and multicast key negotiation.
● Unicast key negotiation
Key negotiation is completed through a four-way handshake between a STA and an AC,
during which the STA and AC send EAPOL-Key frames to exchange information, as
shown in Figure 12-3.

Figure 12-3 Unicast key negotiation

[Figure: four-way handshake between the STA and the AC. The STA generates a random number
SNonce and the AC generates a random number ANonce.
① EAPOL-Key(ANonce); the STA generates the PTK.
② EAPOL-Key(SNonce, MIC, RSNE); the AC generates the PTK.
③ EAPOL-Key(Key RSC, ANonce, MIC, RSNE, GTK, IGTK); the STA installs the PTK.
④ EAPOL-Key(MIC); the AC installs the PTK.]

The unicast key negotiation process consists of the following steps:


a. The AC sends an EAPOL-Key frame with a random value (ANonce) to the STA.
b. The STA calculates the PTK using its own MAC address, the MAC address of
the AC, the PMK, ANonce, and SNonce, and sends an EAPOL-Key frame to the
AC. The EAPOL-Key frame carries the SNonce, robust security network (RSN)
information element, and message integrity code (MIC) of the EAPOL-Key frame.
The AC calculates the PTK using its own MAC address, the MAC address of the STA,
the PMK, ANonce, and SNonce, and validates the MIC to determine whether the STA's
PMK is the same as its own PMK.
c. The AC sends an EAPOL-Key frame to the STA to request the STA to install the
PTK. The EAPOL-Key frame carries the ANonce, RSN information element, MIC,
and encrypted GTK.
d. The STA sends an EAPOL-Key frame to the AC to notify the AC that the PTK has
been installed and will be used. The AC installs the PTK after receiving the
EAPOL-Key frame.
● Multicast key negotiation
Multicast key negotiation is completed through a two-way handshake. The two-way
handshake begins after the STA and AC generate and install a PTK through a four-way
handshake. Figure 12-4 shows the two-way handshake process.

Figure 12-4 Multicast key negotiation

[Figure: two-way handshake between the STA and the AC. The AC generates a random number
GNonce.
① EAPOL-Key(GNonce, Key RSC, MIC, GTK, IGTK)
② EAPOL-Key(GNonce, MIC)]

The multicast key negotiation process consists of the following steps:


a. The AC calculates the GTK, uses the unicast key to encrypt the GTK, and sends an
EAPOL-Key frame to the STA.
b. After the STA receives the EAPOL-Key frame, it validates the MIC, decrypts the
GTK, installs the GTK, and sends an EAPOL-Key ACK frame to the AC. After the
AC receives the EAPOL-Key ACK frame, it validates the MIC and installs the
GTK.
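
The PSK-to-PMK rule and the MIC check in the four-way handshake described above can be traced end to end. The following is an added example, not code from the Huawei guide: it uses the algorithms IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 for a character-string PSK, the HMAC-SHA1 PRF for the PTK, and HMAC-SHA1-128 for the MIC with CCMP) and shows the AC rejecting message 2 when the two sides hold different PSKs. Function names, MAC addresses, and the frame bytes are constructed for illustration and do not follow the real EAPOL-Key layout.

```python
"""WPA2-PSK key hierarchy: PSK -> PMK -> PTK -> EAPOL-Key MIC (added example)."""
import hashlib
import hmac
import os

# Constructed stand-in for the EAPOL-Key header that precedes the nonce.
HEADER = b"EAPOL-Key msg2 (constructed)"


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Character-string PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA/WPA2 passphrase is 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_from_hex(psk_hex: str) -> bytes:
    """Hexadecimal PSK (64 hex digits): used as the PMK without hashing."""
    pmk = bytes.fromhex(psk_hex)
    if len(pmk) != 32:
        raise ValueError("a hexadecimal PSK must be 64 hex digits (256 bits)")
    return pmk


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """IEEE 802.11 PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < n_bytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:n_bytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """384-bit PTK for CCMP from the PMK, both MAC addresses, and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """MIC used with CCMP: HMAC-SHA1 keyed with the KCK, truncated to 128 bits."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def ac_accepts_message_2(sta_pmk: bytes, ac_pmk: bytes, tamper: bool = False) -> bool:
    """Run messages 1 and 2 of the handshake; True if the AC validates the MIC."""
    aa = bytes.fromhex("020000000001")    # constructed authenticator MAC
    spa = bytes.fromhex("020000000002")   # constructed STA MAC
    anonce = os.urandom(32)               # message 1: sent by the AC

    # STA side: pick SNonce, derive the PTK, protect message 2 with the KCK.
    snonce = os.urandom(32)
    sta_kck = derive_ptk(sta_pmk, aa, spa, anonce, snonce)["kck"]
    frame = HEADER + snonce + bytes(16)   # MIC field zeroed while computing
    mic = eapol_mic(sta_kck, frame)

    if tamper:                            # flip one header bit in transit
        frame = bytes([frame[0] ^ 0x01]) + frame[1:]

    # AC side: read SNonce from the frame, derive its own PTK, recompute the MIC.
    rx_snonce = frame[len(HEADER):len(HEADER) + 32]
    ac_kck = derive_ptk(ac_pmk, aa, spa, anonce, rx_snonce)["kck"]
    return hmac.compare_digest(eapol_mic(ac_kck, frame), mic)


if __name__ == "__main__":
    ssid = "wlan-net"                      # SSID used in the guide's example
    ac = pmk_from_passphrase("a1234567", ssid)
    print("same PSK     :", ac_accepts_message_2(pmk_from_passphrase("a1234567", ssid), ac))
    print("different PSK:", ac_accepts_message_2(pmk_from_passphrase("a1234568", ssid), ac))
    print("tampered     :", ac_accepts_message_2(ac, ac, tamper=True))
```

Because the SSID is the PBKDF2 salt, the same passphrase yields a different PMK on every SSID, and the PSK itself never appears in any handshake frame.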

Data Encryption
WPA and WPA2 support the TKIP and CCMP encryption algorithms.

● TKIP
Unlike WEP, which uses a static shared key, TKIP uses a dynamic key negotiation and
management mechanism. Each user obtains an independent key through dynamic
negotiation. User keys are calculated using the PTK generated in key negotiation, the MAC
address of the sender, and the packet sequence number.
TKIP uses MICs to ensure the integrity of frames received on the receiver and validity of
data sent by the sender and receiver. This mechanism protects information integrity. A
MIC is calculated using the MIC key generated during key negotiation, the destination
MAC address, source MAC address, and data frame.
● CCMP
While WEP and TKIP use a stream cipher algorithm, CCMP uses an Advanced
Encryption Standard (AES) block cipher. The block cipher algorithm overcomes defects
of the RC4 algorithm and provides a higher level of security.

12.1.3 WAPI
WLAN Authentication and Privacy Infrastructure (WAPI) is a Chinese national standard for
WLANs, which was developed based on IEEE 802.11. WAPI provides higher security than
both WEP and WPA and consists of the following:
● WLAN Authentication Infrastructure (WAI): authenticates user identities and manages
keys.
● WLAN Privacy Infrastructure (WPI): protects data transmitted on WLANs and provides
the encryption, data verification, and anti-replay functions.
WAPI uses the elliptic curve cryptography (ECC) algorithm, which is based on public key
cryptography, and the block key algorithm, which is based on symmetric-key cryptography. The ECC
algorithm is used for digital certificate authentication and key negotiation between wireless
devices. The block key algorithm is used to encrypt and decrypt data transmitted between
wireless devices. The two algorithms implement identity authentication, link authentication,
access control, and user information encryption.
WAPI has the following features:
● Bidirectional identity authentication
Bidirectional identity authentication prevents access from unauthorized STAs and
protects a WLAN against attacks from unauthorized WLAN devices.
● Digital certificate as identity information
A WAPI system has an independent certificate server. STAs and WLAN devices use
digital certificates to prove their identities, improving network security. When a STA
requests to join or leave a network, the administrator only needs to issue a certificate to
the STA or revoke the certificate of the STA.
● Well-developed authentication protocol
WAPI uses digital certificates to identify STAs and wireless devices. During identity
authentication, the elliptic curve digital signature algorithm is used to verify a digital
certificate. In addition, the secure message hash algorithm is used to ensure message
integrity, which prevents attackers from tampering with or forging information transmitted
during identity authentication.
WAPI involves identity authentication and key negotiation, which begin after a STA
associates with an AC, as shown in Figure 12-5.


Figure 12-5 WAPI networking

[Figure: networking diagram showing the STA, AP, AC, ASU, and Internet.
① STA associates with AC; ② Identity authentication; ③ Key negotiation.]

Identity Authentication
WAPI provides two identity authentication modes: certificate-based mode (WAPI-CERT) and
pre-shared key-based mode (WAPI-PSK).
● WAPI-CERT: A STA and an AC authenticate each other's certificate. The certificates
must be loaded on the STA and AC and verified by an authentication service unit (ASU).
After certificate authentication is complete, the STA and AC use the temporal public key
and private key to generate a base key (BK) for key negotiation.
The WAPI-CERT mode is applicable to large-scale enterprise networks or carrier
networks that can deploy and maintain an expensive certificate system.
Figure 12-6 shows the WAPI certificate authentication process.

Figure 12-6 WAPI certificate authentication

[Figure: message sequence among the STA, AC, and ASU.
① Authentication activation; ② Access authentication request; ③ Certificate authentication
request; ④ Certificate authentication response; ⑤ Access authentication response.]

The WAPI certificate authentication process is as follows:


a. Authentication activation
When a STA requests to associate or re-associate with an AC, the AC checks
whether the user is a WAPI user. If the user is a WAPI user, the AC sends an
authentication activation packet to trigger the certificate authentication process.
b. Access authentication request
The STA sends an access authentication request carrying the STA's certificate and
the system time to the AC. The system time is the access authentication request
time.
c. Certificate authentication request
When the AC receives the access authentication request, it records the access
authentication request time and sends a certificate authentication request to the
ASU. The certificate authentication request carries the STA's certificate, access
authentication request time, the AC's certificate, and a signature generated using the
AC's private key and the preceding information.
d. Certificate authentication response
When the ASU receives the certificate authentication request, it authenticates the
AC's signature and certificate. If the AC's signature and certificate are invalid, the
authentication fails. If they are valid, the ASU authenticates the STA's certificate.
After the authentication is complete, the ASU constructs a certificate authentication
response with the STA's certificate authentication result, AC's certificate
authentication result, and a signature generated using the authentication results, and
sends the certificate authentication response to the AC.
e. Access authentication response
When the AC receives the certificate authentication response, it checks the
signature to obtain the STA's certificate authentication result, and controls access of
the STA based on the certificate authentication result. The AC then forwards the
certificate authentication response to the STA. The STA checks the signature
generated by the ASU to obtain the AC's certificate authentication result, and
determines whether to associate with the AC based on the result.
If the certificate authentication succeeds, the AC accepts the access request. If the
certificate authentication fails, the AC disassociates the STA from the network.
● WAPI-PSK: The STA and AC have the same PSK configured before authentication. The
PSK is converted into a BK during authentication.
The WAPI-PSK mode does not require an expensive certificate system, so it is applicable
to individual users or small-scale enterprise networks.

Key Negotiation
After the AC is authenticated by the ASU, the AC initiates key negotiation with the STA. Key
negotiation consists of two stages: unicast key negotiation and multicast key negotiation.
● Unicast key negotiation
The STA and AC obtain a unicast encryption key and unicast integrity key through
unicast key negotiation and use these keys to ensure the security of unicast data
exchanged between them.
During unicast key negotiation, the STA and AC use the KD-HMAC-SHA256 algorithm
to calculate a unicast session key (USK) based on the BK. In addition to the USK, the
STA and AC also negotiate the encryption key and identity key used to generate the
multicast key.


Figure 12-7 shows the unicast key negotiation process.

Figure 12-7 WAPI unicast key negotiation

[Figure: message sequence between the STA and the AC.
① Unicast key negotiation request; ② Unicast key negotiation response; ③ Unicast key
negotiation ACK. Obtain or deliver unicast key.]

The unicast key negotiation process is as follows:


a. Unicast key negotiation request
After a BK is generated, the AC sends a unicast key negotiation request packet to
the STA.
b. Unicast key negotiation response
After the STA receives the unicast key negotiation request packet, it performs the
following steps:
i. Checks whether this negotiation process is triggered to update the unicast key.
○ If so, the STA proceeds to step b.
○ If not, the STA proceeds to step c.
NOTE

WAPI allows the STA to directly send a unicast key negotiation response to the AC to
initiate a unicast key update.
ii. Checks whether the challenge of the AC is the same as the challenge that was
obtained in the last unicast key negotiation and saved locally. If the two challenges
are different, the STA drops the unicast key negotiation request packet.
iii. Generates a random challenge, and then uses the KD-HMAC-SHA256
algorithm to calculate a USK and the AC's challenge used for the next unicast
key negotiation based on the BK, the AC's challenge, and the STA's challenge.
iv. Uses the message authentication key and HMAC-SHA256 algorithm to
calculate a message authentication code, and sends it to the AC with a unicast
key negotiation response packet.
c. Unicast key negotiation ACK
After the AC receives the unicast key negotiation response packet, it performs the
following steps:
i. Checks whether the AC's challenge is correct. If the AC's challenge is
incorrect, the AC drops the unicast key negotiation response packet.
ii. Uses the KD-HMAC-SHA256 algorithm to calculate a USK and the AC's
challenge used for the next unicast key negotiation based on the BK, the AC's
challenge, and the STA's challenge. The AC then calculates the local message
authentication code using the message authentication key and HMAC-SHA256
algorithm, and compares the local message authentication code with that in the
received unicast key negotiation response packet. If the two message
authentication codes are different, the AC drops the unicast key negotiation
response packet.
iii. Checks the WAPI information element in the response packet if this is the first
unicast key negotiation after the BK is generated. If the network type is BSS,
the AC checks whether the WAPI information element in the response packet
is the same as that in the association request packet it received before. If they
are different, the AC sends a Deauthentication frame to disassociate the STA.
If the network type is IBSS (ad-hoc network), the AC checks whether the
unicast key algorithm supports the information element in the response packet.
If not, the AC sends a Deauthentication frame to disassociate the STA.
iv. Uses the message authentication key and HMAC-SHA256 algorithm to
calculate a message authentication code, and sends it to the STA with a unicast
key negotiation ACK packet.
● Multicast key negotiation
Multicast key negotiation is performed after unicast key negotiation is complete. The AC
advertises the multicast keys to the STA in this process.
The AC uses the multicast encryption key and multicast integrity key derived from the
multicast master key (MMK) to encrypt broadcast or multicast data it sends, and sends a
multicast key advertisement packet to the STA. The STA obtains the multicast
encryption key and multicast integrity key from the multicast key advertisement packet
to decrypt the broadcast or multicast data it receives.
Figure 12-8 shows the multicast key negotiation process.

Figure 12-8 WAPI multicast key negotiation
[Figure: message exchange between the STA and the AC: ① multicast key advertisement, ② multicast key response, after which the multicast key is obtained or delivered.]

The multicast key negotiation process is as follows:


a. Multicast key advertisement
The AC uses the random number algorithm to calculate an MMK, encrypts the
MMK using the negotiated unicast key, and sends an advertisement packet to notify
the STA of the MMK.
b. Multicast key response
After the STA receives the multicast key advertisement packet, it performs the
following steps:

i. Calculates the checksum using the message authentication key identified by
the unicast key identifier, and compares the checksum with the message
authentication code. If the checksum is different from the message
authentication code, the STA drops the multicast key advertisement packet.
ii. Checks whether the key advertisement identifier is increasing. If not, the STA
drops the multicast key advertisement packet.
iii. Decrypts the multicast key to obtain the 16-byte master key and uses the KD-
HMAC-SHA256 algorithm to extend it to 32 bytes. The first 16 bytes indicate
the encryption key, and the last 16 bytes indicate the integrity key.
iv. Saves the key advertisement identifier and sends a multicast key response
packet to the AC.
v. After the AC receives the multicast key response packet, it performs the
following steps:
1) Calculates the checksum using the message authentication key identified
by the unicast key identifier, and compares the checksum with the
message authentication code. If the checksum is different from the
message authentication code, the AC drops the multicast key response
packet.
2) Compares fields (such as key advertisement identifier) in the multicast
key response packet with corresponding fields in the multicast key
advertisement packet it has sent. If all the fields are the same, the
multicast key negotiation is successful. Otherwise, the AC drops the
multicast key response packet.
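
The STA-side checks in step b (MAC verification, increasing advertisement identifier, 16-to-32-byte key expansion) as an added Python example, not code from this guide or from Huawei. The chained-HMAC form of KD-HMAC-SHA256, the label string, the packet layout, the full 32-byte MAC, and the XOR keystream standing in for the real key-encryption cipher are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed KD input label; the guide does not give the string WAPI uses.
MSK_LABEL = b"constructed label: multicast key expansion"


def kd_hmac_sha256(key: bytes, text: bytes, length: int) -> bytes:
    """Chained HMAC-SHA256 expansion, assumed here as the shape of KD-HMAC-SHA256."""
    out, block = b"", text
    while len(out) < length:
        block = hmac.new(key, block, hashlib.sha256).digest()
        out += block
    return out[:length]


def wrap_key(kek: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for the real key-encryption cipher: XOR with an HMAC keystream.
    The operation is symmetric, so the same call wraps and unwraps."""
    stream = kd_hmac_sha256(kek, b"stand-in keystream" + iv, len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Advertisement:
    usk_id: int          # unicast key identifier selecting the MAC and wrap keys
    adv_id: int          # key advertisement identifier, must keep increasing
    iv: bytes
    wrapped_key: bytes   # encrypted 16-byte multicast master key
    mac: bytes = b""

    def body(self) -> bytes:
        # Constructed field layout covering everything the MAC protects.
        return (bytes([self.usk_id]) + self.adv_id.to_bytes(16, "big")
                + self.iv + self.wrapped_key)


def build_advertisement(mak, kek, usk_id, adv_id, iv, master_key) -> Advertisement:
    """AC side: wrap the master key and authenticate the packet."""
    adv = Advertisement(usk_id, adv_id, iv, wrap_key(kek, iv, master_key))
    adv.mac = hmac.new(mak, adv.body(), hashlib.sha256).digest()
    return adv


class Station:
    def __init__(self, unicast_keys):
        self.unicast_keys = unicast_keys   # {usk_id: (mak, kek)}
        self.last_adv_id = -1
        self.encryption_key = None
        self.integrity_key = None

    def handle_advertisement(self, adv: Advertisement) -> str:
        keys = self.unicast_keys.get(adv.usk_id)
        if keys is None:
            return "drop: unknown unicast key identifier"
        mak, kek = keys
        # Step i: recompute the MAC and compare in constant time.
        expected = hmac.new(mak, adv.body(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, adv.mac):
            return "drop: MAC mismatch"
        # Step ii: a replayed or stale advertisement does not increase the identifier.
        if adv.adv_id <= self.last_adv_id:
            return "drop: advertisement identifier not increasing"
        # Step iii: unwrap the 16-byte master key and extend it to 32 bytes.
        master_key = wrap_key(kek, adv.iv, adv.wrapped_key)
        if len(master_key) != 16:
            return "drop: unexpected key length"
        expanded = kd_hmac_sha256(master_key, MSK_LABEL, 32)
        self.encryption_key, self.integrity_key = expanded[:16], expanded[16:]
        # Step iv: remember the identifier only after every check has passed.
        self.last_adv_id = adv.adv_id
        return "accept"


def demo():
    # Constructed keys and values, for illustration only.
    mak, kek = bytes(range(16)), bytes(range(16, 32))
    master, iv = bytes(range(100, 116)), bytes(16)
    sta = Station({0: (mak, kek)})
    fresh = build_advertisement(mak, kek, 0, 1, iv, master)
    # Identifier changed after the MAC was computed.
    tampered = Advertisement(0, 2, iv, fresh.wrapped_key, fresh.mac)
    return [
        sta.handle_advertisement(fresh),      # first delivery
        sta.handle_advertisement(fresh),      # replay of the same packet
        sta.handle_advertisement(tampered),   # modified in transit
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the MAC is checked before the identifier, a forged packet cannot advance the saved identifier and lock out later legitimate advertisements.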

Key Update
WAPI features a dynamic key negotiation mechanism, but there may still be security risks if a
STA uses the same encryption key for a long time. To enhance security, WAPI provides a
time-based key update mechanism.
Time-based key update: The unicast and multicast keys of a STA have an aging time
(configured using a command). When the aging time of the current unicast or multicast key
expires, the STA and AC negotiate a new unicast or multicast key.

12.2 Application Scenarios for WLAN Security Policies


Commonly Used Security Policy for Households and SOHO Networks
Households and SOHO networks do not require high security. They usually use the WPA/
WPA2 personal edition and do not require an authentication server.

Commonly Used Security for Enterprise Networks


Enterprise networks require high security. They usually use the 802.1X-based WPA/WPA2
enterprise edition and deploy an authentication server.

Commonly Used Security Policy for Carrier Networks


Besides WEP, WPA/WPA2, and WAPI that are specific to wireless users, carriers can
combine WLAN security policies with port authentication to enhance security of wireless
users. Port authentication methods include 802.1X authentication, MAC address
authentication, and Portal authentication. For details about the authentication methods, see
NAC Configuration (Unified Mode).

As shown in Figure 12-9, a carrier WLAN network usually uses WEP (no authentication, no
encryption) and Portal authentication. When a STA attempts to connect to the wireless network,
the AC pushes the Portal authentication web page to the user. The user must enter the user
name and password on the displayed web page. If the user is successfully authenticated by the
RADIUS server, the user can connect to the Internet wirelessly.

Figure 12-9 WEP+Portal authentication
[Figure: network diagram with STA1, STA2, AP, AC, Internet, RADIUS server, and Portal server.]

12.3 Default Settings for WLAN Security Policies


Table 12-1 Default settings for WLAN security policies

| Parameter | Default Setting |
|---|---|
| WLAN security policy | WEP open system authentication: no authentication and no encryption |

12.4 Configuring a WLAN Security Policy


Pre-configuration Tasks
You can configure WLAN security policies to authenticate identities of wireless terminals and
encrypt user packets, protecting the security of the WLAN and users. The supported WLAN
security policies include open system authentication, WEP, WPA/WPA2-PSK, WPA/
WPA2-802.1X, WAPI-PSK, and WAPI-certificate. You can configure one of them in a
security profile. Open system authentication and WPA/WPA2-802.1X need to be configured
together with NAC to manage user access. For details about NAC, see NAC Configuration
(Unified Mode).

Before configuring a security policy, complete the tasks in 5 WLAN Service Configuration.


Configuration Procedure
WLAN security policies are configured using profiles. Figure 12-10 shows the configuration
flowchart.

Figure 12-10 WLAN security policy configuration
[Figure: flowchart of the WLAN security policy configuration. Recoverable labels: AP group, AP, VAP profile.]

The configuration procedure is as follows:

12.4.1 Creating a Security Profile

Context
WLAN security policies are configured in security profiles, and only one security policy can
be configured in a security profile. You can create multiple security profiles with different
security policies and apply the profiles to different VAPs as required.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run security-profile name profile-name

A security profile is created and the security profile view is displayed.

By default, security profiles default, default-wds, and default-mesh are available in the
system.

----End

12.4.2 Configuring a Security Policy

Context
The following table gives recommendations on configuring a WLAN security policy. For the
NAC configuration, see NAC Configuration (Unified Mode).

Table 12-2 Recommendations on configuring a WLAN security policy

| Security Policy | Parameter | Description |
|---|---|---|
| Open system authentication | Recommended Configuration Scenario | Public places with high user mobility, such as airports, stations, business centers, conference halls, and sports stadiums. Open system authentication is configured together with Portal authentication, based on which user authentication, accounting, and authorization are supported, and customized pages can be pushed. |
| Open system authentication | Description | It is not secure to use open system authentication independently. Any wireless terminals can access the network without authentication. You are advised to configure open system authentication together with Portal authentication or MAC address authentication. |
| Open system authentication | User Access Authentication Mode | External Portal authentication; MAC address authentication |
| WEP | Recommended Configuration Scenario | None |
| WEP | Description | The WEP security policy is not recommended due to its low security. |
| WEP | User Access Authentication Mode | None |
| WPA/WPA2-PSK | Recommended Configuration Scenario | Individual or home networks |
| WPA/WPA2-PSK | Description | The WPA/WPA2-PSK security policy has higher security than WEP. Additionally, no third-party server is required, and the cost is low. |
| WPA/WPA2-PSK | User Access Authentication Mode | None |
| WPA/WPA2-802.1X | Recommended Configuration Scenario | Scenarios with fixed users and requiring high security, and centralized management and authorization, such as mobile office, campus networks, and mobile administration |
| WPA/WPA2-802.1X | Description | The security policy provides high security and requires a third-party server. |
| WPA/WPA2-802.1X | User Access Authentication Mode | 802.1X authentication |
| WAPI-PSK | Recommended Configuration Scenario | None |
| WAPI-PSK | Description | WAPI-PSK has higher security than WEP and requires no third-party server. Only some terminals support the protocol. |
| WAPI-PSK | User Access Authentication Mode | None |
| WAPI-certificate | Recommended Configuration Scenario | None |
| WAPI-certificate | Description | The WAPI-certificate security policy has high security and requires a third-party server. Only some terminals support the protocol. |
| WAPI-certificate | User Access Authentication Mode | None |

Configuration Procedure
Choose one of the preceding security policies to configure.

12.4.2.1 Configuring Open System Authentication

Context
Open system authentication means no authentication and no encryption, and anyone can
connect to the network without authentication. To ensure network security, you are advised to
configure open system authentication together with Portal authentication or MAC address
authentication. For configuration of Portal authentication and MAC address authentication,
see NAC Configuration (Unified Mode).

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run security-profile name profile-name
The security profile view is displayed.
Step 4 Run security open
The security policy is set to open system authentication.
By default, the security policy is open system.

----End


12.4.2.2 Configuring WEP

Context
WEP uses a shared key to authenticate users and encrypt service packets. Because the shared key
is easy to decipher, the WEP security policy is not recommended due to its low security.
When configuring WEP, you are advised to enable detection of brute force key cracking
attacks. For details, see 11.7.4 Configuring WIDS Attack Detection and a Dynamic
Blacklist.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run security-profile name profile-name

The security profile view is displayed.

Step 4 Run security wep [ share-key ]

The security policy is set to WEP.

When the share-key parameter is present, WEP uses the configured shared key to
authenticate wireless terminals and encrypt service packets. If the parameter is not present,
WEP only encrypts the service packets. A shared key is configured on the wireless terminals
regardless of whether the parameter is present.

Each AP can have at most four key indexes configured. The key indexes used by different
VAPs cannot be the same. That is, at most four VAPs can be configured on an AP using the
security wep [ share-key ] command.

Step 5 Run wep key key-id { wep-40 | wep-104 | wep-128 } { pass-phrase | hex } key-value

The WEP shared key and key index are configured.

By default, WEP-40 is used, and the key is Admin.

Step 6 Run wep default-key key-id

The index of the shared key used by WEP is configured.

By default, key 0 is used for WEP authentication or encryption.

Four shared keys can be configured for WEP. Run this command to make the key with
the specified index take effect. The key index ID of the device starts from 0.

After an SSID of a WLAN is scanned, users cannot access the network by clicking or double-
clicking the SSID on some terminals due to default terminal settings. In this situation,
manually create a WLAN on the terminals, enter the SSID, identity authentication and
encryption modes, key, and key index configured on the device. After that, users can connect
to the WLAN through the terminals. The key index on some terminals starts from 1 and
ranges from 1 to 4. The key indexes configured on the terminal must map to those configured on
the device in ascending order. For example, if the key index 0 takes effect on the device,
the key index should be set to 1 on the terminal.

----End

12.4.2.3 Configuring WPA/WPA2-PSK

Context
Both WPA and WPA2 support PSK authentication and TKIP or AES encryption algorithm.
The WPA and WPA2 protocols provide almost the same security level and their difference lies
in the protocol packet format.
The WPA/WPA2-PSK security policy applies to individual, home, and SOHO networks that
do not require high security. The implementation of the security policy does not require an
authentication server. If a wireless terminal supports only WEP encryption, the terminal can
implement PSK+TKIP without hardware upgrading, whereas the terminal may need to
upgrade its hardware to implement PSK+AES.
Wireless terminals vary and support different authentication and encryption modes. To enable
terminals of various types to access the network and facilitate network management, you can
configure WPA and WPA2 simultaneously on the device. If the security policy is set to WPA-
WPA2, any terminal that supports WPA or WPA2 can be authenticated and access the
WLAN; if the encryption mode is set to TKIP-AES, any authenticated terminal that supports
TKIP or AES can implement service packet encryption.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run security-profile name profile-name
The security profile view is displayed.
Step 4 Run security { wpa | wpa2 | wpa-wpa2 } psk { pass-phrase | hex } key-value { aes | tkip |
aes-tkip }, or security wpa-wpa2 psk { pass-phrase | hex } key-value tkip aes
The security policy is set to WPA/WPA2-PSK.
Step 5 (Optional) Run wpa ptk-update enable
Periodic PTK update is enabled.
By default, periodic PTK update is disabled.

NOTE

When periodic PTK update is implemented, some terminals may go offline due to individual problems.

Step 6 (Optional) Run wpa ptk-update ptk-update-interval ptk-rekey-interval


The PTK update interval is configured.
By default, the interval for updating PTKs is 43200 seconds.


Step 7 (Optional) Run pmf { optional | mandatory }


The PMF function is configured.
By default, the PMF function is disabled for a VAP.
PMF requires the WPA2 authentication mode and the AES encryption mode.

----End

12.4.2.4 Configuring WPA/WPA2-802.1X

Context
Both WPA and WPA2 support 802.1X authentication and TKIP or AES encryption algorithm.
The WPA and WPA2 protocols provide almost the same security level and their difference lies
in the protocol packet format.
WPA/WPA2-802.1X applies to enterprise networks that require high security. An independent
authentication server needs to be deployed. If customers' devices support only WEP
encryption, the devices can implement 802.1X+TKIP without hardware upgrading, whereas
the devices may need to upgrade their hardware to implement 802.1X+AES.
Wireless terminals vary and support different authentication and encryption modes. To enable
terminals of various types to access the network and facilitate network management, you can
configure WPA and WPA2 simultaneously on the device. If the security policy is set to WPA-
WPA2, any terminal that supports WPA or WPA2 can be authenticated and access the
WLAN; if the encryption mode is set to TKIP-AES, any authenticated terminal that supports
TKIP or AES can implement service packet encryption.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run security-profile name profile-name
The security profile view is displayed.
Step 4 Run security { wpa | wpa2 | wpa-wpa2 } dot1x { aes | tkip | aes-tkip }, or
security wpa-wpa2 dot1x tkip aes
The security policy is set to WPA/WPA2-802.1X.
An authentication profile must be configured for 802.1X access authentication. For details,
see NAC Configuration (Unified Mode).
The authentication type in the security profile and authentication profile must both be set to
802.1X authentication. You can run the display wlan config-errors command to check
whether error messages are generated for authentication type mismatch between the security
profile and authentication profile.
Step 5 (Optional) Run wpa ptk-update enable


Periodic PTK update is enabled.

By default, periodic PTK update is disabled.

NOTE

When periodic PTK update is implemented, some terminals may go offline due to individual problems.

Step 6 (Optional) Run wpa ptk-update ptk-update-interval ptk-rekey-interval

The PTK update interval is configured.

By default, the interval for updating PTKs is 43200 seconds.

Step 7 (Optional) Run pmf { optional | mandatory }

The PMF function is configured.

By default, the PMF function is disabled for a VAP.

PMF requires the WPA2 authentication mode and the AES encryption mode.

----End

12.4.2.5 Configuring WAPI-PSK

Context
WAPI allows only robust security network association (RSNA), providing higher security
than WEP or WPA/WPA2.

WAPI-PSK applies to home networks or small-scale enterprise networks. No additional
certificate system is required.

WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a STA
uses the same encryption key for a long time. Both the unicast session key (USK) and
multicast session key (MSK) have a lifetime. The USK or MSK needs to be updated when its
lifetime ends. To enhance security, WAPI provides the time-based key update mechanism.

NOTE

The AP7050DE, AP7030DE and AP9330DN do not support WAPI.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run security-profile name profile-name

The security profile view is displayed.

Step 4 Run security wapi psk { pass-phrase | hex } key-value

The security policy is set to WAPI-PSK.


Step 5 (Optional) Run wapi { bk-threshold bk-threshold | bk-update-interval bk-update-interval }


The interval for updating a Base Key (BK) and the BK lifetime percentage are set.
The value obtained by multiplying the interval for updating a BK by the BK lifetime
percentage should be greater than or equal to 300 seconds. If the interval for updating a BK is
less than 300s, the BK may be updated before negotiation is complete due to low STA
performance. In this case, some STAs may be forced offline or cannot go online.
By default, the interval for updating a BK is 43200s, and the BK lifetime percentage is 70%.
Step 6 (Optional) Run wapi sa-timeout sa-time
The timeout period of a security association is set.
By default, the timeout period for an SA is 60s.
If a STA is not authenticated within the timeout period, no SA is established and the STA
cannot go online.
Step 7 (Optional) Run wapi { usk | msk } key-update { disable | time-based }
The WAPI USK or MSK update mode is set.
By default, USKs and MSKs are updated based on time.
Step 8 (Optional) Run wapi { usk-update-interval usk-interval | usk-retrans-count usk-count }
The interval for updating a USK, and number of retransmissions of USK negotiation packets
are set.
By default, the interval for updating a USK is 86400s; the number of retransmissions of USK
negotiation packets is 3.
Step 9 (Optional) Run wapi { msk-update-interval msk-interval | msk-retrans-count msk-count }
The interval for updating an MSK, and number of retransmissions of MSK negotiation
packets are set.
By default, the interval for updating an MSK is 86400s; the number of retransmissions of
MSK negotiation packets is 3.

----End

12.4.2.6 Configuring WAPI-Certificate

Context
WAPI allows only robust security network association (RSNA), providing higher security
than WEP or WPA/WPA2.
WAPI-certificate applies to large-scale enterprise networks or carrier networks that can deploy and
maintain an expensive certificate system.
WAPI uses X.509 V3 certificates encoded in Base64 binary mode and saved in PEM format.
The X.509 V3 certificate file has the name extension .cer. Before importing a certificate for
WAPI, ensure that the certificate file is saved in the root directory of the storage medium.
WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a STA
uses the same encryption key for a long time. Both the unicast session key (USK) and
multicast session key (MSK) have a lifetime. The USK or MSK needs to be updated when its
lifetime ends. To enhance security, WAPI provides the time-based key update mechanism.

NOTE

The AP7050DE, AP7030DE and AP9330DN do not support WAPI.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run security-profile name profile-name
The security profile view is displayed.
Step 4 Run security wapi certificate
The security policy is set to WAPI-certificate.
Step 5 Configure the certificate file and ASU server.
1. Run the wapi import certificate { ac | asu | issuer } format pkcs12 file-name
file-name password password or wapi import certificate { ac | asu | issuer } format pem
file-name file-name command to import the AC certificate file, certificate of the AC
certificate issuer, and ASU certificate file.
By default, the AC certificate file, certificate of the AC certificate issuer, and ASU
certificate file are not imported.
2. Run the wapi import private-key format pkcs12 file-name file-name password
password or wapi import private-key format pem file-name file-name command to
import the AC's private key file.
By default, no AC private key file is imported.
3. Run the wapi asu ip ip-address command to configure the ASU server's IP address.
By default, no IP address is specified for the ASU server.
4. (Optional) Run the wapi cert-retrans-count cert-count command to set the number of
retransmissions of certificate authentication packets.
By default, the number of retransmissions is 3.
Step 6 (Optional) Run the wapi source interface { vlanif vlan-id | loopback loopback-number }
command to configure a VLANIF interface or a loopback interface as the source interface for
the AC to communicate with the ASU server.
By default, no source interface is configured for an AC to communicate with an ASU server.
The IP address of the WAPI source interface on the AC must be on the same network segment
as the IP address of the ASU server. If no WAPI source interface is configured, the IP address
of the AC source interface is used as the source IP address for sending WAPI packets to the
WAPI server by default.
Step 7 (Optional) Run wapi { bk-threshold bk-threshold | bk-update-interval bk-update-interval }


The interval for updating a Base Key (BK) and the BK lifetime percentage are set.

The value obtained by multiplying the interval for updating a BK by the BK lifetime
percentage should be greater than or equal to 300 seconds. If the interval for updating a BK is
less than 300s, the BK may be updated before negotiation is complete due to low STA
performance. In this case, some STAs may be forced offline or cannot go online.

By default, the interval for updating a BK is 43200s, and the BK lifetime percentage is 70%.

Step 8 (Optional) Run wapi sa-timeout sa-time

The timeout period of a security association is set.

By default, the timeout period for an SA is 60s.

If a STA is not authenticated within the timeout period, no SA is established and the STA
cannot go online.

Step 9 (Optional) Run wapi { usk | msk } key-update { disable | time-based }

The WAPI USK or MSK update mode is set.

By default, USKs and MSKs are updated based on time.

Step 10 (Optional) Run wapi { usk-update-interval usk-interval | usk-retrans-count usk-count }

The interval for updating a USK, and number of retransmissions of USK negotiation packets
are set.

By default, the interval for updating a USK is 86400s; the number of retransmissions of USK
negotiation packets is 3.

Step 11 (Optional) Run wapi { msk-update-interval msk-interval | msk-retrans-count msk-count }

The interval for updating an MSK, and number of retransmissions of MSK negotiation
packets are set.

By default, the interval for updating an MSK is 86400s; the number of retransmissions of
MSK negotiation packets is 3.

----End

12.4.3 Applying the Security Policy Configuration to a VAP Profile

Context
After a WLAN security policy is configured in a security profile, bind the security profile to a
VAP profile. Each VAP profile contains one security profile. Wireless terminals can connect
to the WLAN through an SSID only after they complete identity authentication according to
the security policy configured in the VAP profile.

Procedure
Step 1 Run system-view

The system view is displayed.


Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run vap-profile name profile-name

The VAP profile view is displayed.

Step 4 Run security-profile profile-name

The security profile is bound to the VAP profile.

By default, the security profile default is bound to a VAP profile.

----End

12.4.4 Verifying the WLAN Security Policy Configuration

Context
After the WLAN security policy configuration is complete, check the security profiles on the
device, including their configuration and profile reference information, and content of the
certificate imported during WAPI-certificate authentication.

Procedure
● Run the display security-profile { all | name profile-name } command to check
information about a security profile.
● Run the display references security-profile name profile-name command to check
reference information about a security profile.
● Run the display wlan wapi certificate file-name file-name command to check the
content of the certificate imported during WAPI-certificate authentication.

----End
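
An offline check of the recommendations and constraints in 12.4.2, added here as an example and not part of this guide or of any Huawei tool. The sample configuration is constructed from the command syntax shown above; its indentation, plain-text keys, and the integer percentage used for bk-threshold are assumptions.

```python
import re

# Defaults stated in this guide.
DEFAULT_BK_INTERVAL = 43200    # seconds
DEFAULT_BK_THRESHOLD = 70      # percent of the BK lifetime
PROFILE_COMMANDS = {"security", "wep", "wpa", "pmf", "wapi"}

# Constructed sample configuration (layout and key values are assumptions).
SAMPLE_CONFIG = """\
wlan
 security-profile name guest
  security open
 security-profile name legacy
  security wep share-key
  wep key 0 wep-40 pass-phrase Admin
 security-profile name staff
  security wpa-wpa2 psk pass-phrase EXAMPLE-KEY aes-tkip
  pmf mandatory
 security-profile name wapi-lab
  security wapi psk pass-phrase EXAMPLE-KEY
  wapi bk-update-interval 400
  wapi bk-threshold 50
 security-profile name corp
  security wpa2 dot1x aes
  pmf optional
"""


def parse_profiles(text):
    """Group the commands found under each 'security-profile name X' line."""
    profiles, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        match = re.fullmatch(r"security-profile name (\S+)", raw.strip())
        if match:
            current = profiles.setdefault(match.group(1), [])
        elif current is not None and tokens[0] in PROFILE_COMMANDS:
            current.append(tokens)
        else:
            current = None          # left the security profile view
    return profiles


def _wapi_value(cmds, keyword, default):
    for cmd in cmds:
        if len(cmd) == 3 and cmd[:2] == ["wapi", keyword] and cmd[2].isdigit():
            return int(cmd[2])
    return default


def audit_profile(cmds):
    findings = []
    # With no 'security' command the profile keeps the default, open system.
    policy = next((c for c in cmds if c[0] == "security"), ["security", "open"])
    kind = policy[1] if len(policy) > 1 else "open"
    if kind == "open":
        findings.append("open system: pair with Portal or MAC address authentication")
    elif kind == "wep":
        findings.append("WEP: not recommended due to its low security")
        keys = [c for c in cmds if c[:2] == ["wep", "key"]]
        if not keys or any(c[-1] == "Admin" for c in keys):
            findings.append("WEP key left at the documented default (Admin)")
    elif kind == "wapi":
        interval = _wapi_value(cmds, "bk-update-interval", DEFAULT_BK_INTERVAL)
        threshold = _wapi_value(cmds, "bk-threshold", DEFAULT_BK_THRESHOLD)
        if interval * threshold < 300 * 100:
            findings.append(
                f"WAPI BK interval x lifetime percentage = "
                f"{interval * threshold // 100}s, below 300s")
    # PMF needs the WPA2 authentication mode with AES encryption.
    if any(c[0] == "pmf" for c in cmds) and not (kind == "wpa2" and policy[-1] == "aes"):
        findings.append("PMF configured but policy is not WPA2 with AES")
    return findings


def audit(text):
    return {name: audit_profile(cmds) for name, cmds in parse_profiles(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "->", findings or "no findings")
```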

12.5 Configuration Examples for WLAN Security Policies

12.5.1 Example for Configuring a WEP Security Policy

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.


Networking Requirements
As shown in Figure 12-11, the AC and AP are connected through access switch SwitchA. A
residential community provides a WLAN with the SSID wlan-net so that residents can access
the network anywhere at any time. STAs automatically obtain IP addresses.

Because the WLAN is open to users, there are potential security risks. Users do not require
high security, so a WEP security policy using shared key authentication and WEP encryption
can be configured.

Figure 12-11 Networking diagram for configuring a WEP security policy
[Figure: Internet, AC, SwitchA, AP, and two STAs. Interface labels: AC GE0/0/2 (VLAN 101), AC GE0/0/1 (VLAN 100), SwitchA GE0/0/2 (VLAN 100), SwitchA GE0/0/1 (VLAN 100).]

Management VLAN: VLAN 100
Service VLAN: VLAN 101

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN.
2. Configure a WEP security policy using shared key authentication and WEP-128
encryption in a security profile to ensure data security.

Table 12-3 Data planning

| Item | Data |
|---|---|
| DHCP server | The AC functions as a DHCP server to assign IP addresses to the STAs and AP. |
| IP address pool for the AP | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.2-10.23.101.254/24 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profile: VAP profile wlan-vap and regulatory domain profile domain1 |
| Regulatory domain profile | Name: domain1; Country code: CN |
| SSID profile | Name: wlan-ssid; SSID name: wlan-net |
| Security profile | Name: wlan-security; Security policy: WEP-128 encryption; Encryption key: a123456781234567 |
| VAP profile | Name: wlan-vap; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profile: SSID profile wlan-ssid and security profile wlan-security |

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.

# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.

# Create the security profile wlan-security and set the security policy to WEP.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wep share-key
Warning: If the wmm disable command, TKIP, WEP, or radio type of 802.11a/b/g is
configured, the function of denying access of legacy STAs cannot take effect.
[AC-wlan-sec-prof-wlan-security] wep key 0 wep-128 pass-phrase a123456781234567
[AC-wlan-sec-prof-wlan-security] wep default-key 0
[AC-wlan-sec-prof-wlan-security] quit

# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Verify the configuration.


The WLAN with SSID wlan-net is available for STAs connected to the AP.
If a STA has an incorrect shared key configured, the STA cannot access the WLAN.

NOTE

After the PC scans an SSID, if you double-click the SSID and enter the key, association may fail. You
need to add a WLAN on the PC.
• Configuration on the Windows XP operating system:
1. On the Association tab page of the Wireless network properties dialog box, add SSID wlan-net,
cancel the selection of The key is provided for me automatically, set the network
authentication mode to shared-key mode and encryption mode to WEP, and configure the
network key and corresponding key index.
• Configuration on the Windows 7 operating system:
1. Access the Manage wireless networks page, click Add, and select Manually create a
network profile. Add SSID wlan-net, set the encryption and authentication modes, and click
Next.
2. Click Change connection settings, click the Security tab, and set the key index on the
Security tab page.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wep share-key
wep key 0 wep-128 pass-phrase %^%#n}@bOmft:IG"|%Sq.Rs0GYm=Sc.iX4k<_b9mL^LT%^%#
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return

12.5.2 Example for Configuring a WPA2-PSK-AES Security Policy


Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
A residential community provides a WLAN with the SSID wlan-net so that residents can
access the network anywhere at any time. As shown in Figure 12-12, the AP deployed in a
resident's home is connected to the AC through access switch SwitchA. STAs automatically
obtain IP addresses.
Because the WLAN is open to users, there are potential security risks if no security policy is
configured on the WLAN. Users do not require high WLAN security, so no authentication
server is required. A WEP or WPA/WPA2 (pre-shared key) security policy can be configured.
STAs support WPA/WPA2, TKIP encryption, and AES encryption, so pre-shared key
authentication and AES encryption are used to secure data transmission. The WEP security
policy, which is easy to decipher, is not used.

Figure 12-12 Networking diagram for configuring a WPA2-PSK-AES security policy
[Figure: Internet - AC (GE0/0/2, VLAN 101); AC (GE0/0/1, VLAN 100) - SwitchA (GE0/0/2, VLAN 100); SwitchA (GE0/0/1, VLAN 100) - AP - STAs. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN.
2. Configure a WPA2 security policy using pre-shared key authentication and AES
encryption in a security profile to ensure data security.

Table 12-4 Data planning

Item | Data
DHCP server | The AC functions as a DHCP server to assign IP addresses to the STAs and AP.
IP address pool for the AP | 10.23.100.2-10.23.100.254/24
IP address pool for STAs | 10.23.101.2-10.23.101.254/24
AC's source interface address | VLANIF 100: 10.23.100.1/24
AP group | Name: ap-group1; Referenced profile: VAP profile wlan-vap and regulatory domain profile domain1
Regulatory domain profile | Name: domain1; Country code: CN
SSID profile | Name: wlan-ssid; SSID name: wlan-net
Security profile | Name: wlan-security; Security policy: WPA2-PSK-AES; Password: a1234567
VAP profile | Name: wlan-vap; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profile: SSID profile wlan-ssid and security profile wlan-security

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.

NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create the security profile wlan-security and set the security policy to WPA2-PSK-AES.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Verify the configuration.


• The WLAN with SSID wlan-net is available for STAs connected to the AP.
• The wireless PC obtains an IP address after it associates with the WLAN. The STA can
access the WLAN after the wireless user enters the password.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
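
One way to check saved AC configuration files for the point made in 12.5.2, that WEP is easy to decipher: the script below is an added example, not part of the Huawei guide. It parses the wlan section, resolves which security profile each VAP profile references, and reports the SSID and AP groups each policy serves. The sample configuration is constructed from the two AC configuration files above; the names sec-wep, sec-psk, ssid-legacy, vap-legacy and wlan-legacy are hypothetical, and the cipher strings are placeholders.

```python
import re

# Constructed sample: wlan sections modelled on the AC configuration files in
# 12.5.1 (WEP) and 12.5.2 (WPA2-PSK-AES), merged into one file. The names
# sec-wep, sec-psk, ssid-legacy, vap-legacy and wlan-legacy are hypothetical,
# and the cipher strings are placeholders.
SAMPLE_CONFIG = """\
wlan
 security-profile name sec-wep
  security wep share-key
  wep key 0 wep-128 pass-phrase %^%#PLACEHOLDER%^%#
 security-profile name sec-psk
  security wpa2 psk pass-phrase %^%#PLACEHOLDER%^%# aes
 ssid-profile name ssid-legacy
  ssid wlan-legacy
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name vap-legacy
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile ssid-legacy
  security-profile sec-wep
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile sec-psk
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile vap-legacy wlan 2
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
#
return
"""

AUDITED = re.compile(r"^(security-profile|ssid-profile|vap-profile|ap-group) name (\S+)$")
OTHER_BLOCK = re.compile(r"^([a-z0-9-]+-profile name \S+|ap-id \d+.*)$")


def parse_wlan(config_text):
    """Collect the lines of each audited block inside the wlan section.

    Lines are stripped first, so listings that lost their indentation
    (for example when copied out of a PDF) parse the same way.
    """
    blocks = {"security-profile": {}, "ssid-profile": {}, "vap-profile": {}, "ap-group": {}}
    in_wlan, current = False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "wlan":
            in_wlan = True
        elif line in ("#", "return"):
            in_wlan, current = False, None
        elif in_wlan:
            match = AUDITED.match(line)
            if match:
                current = blocks[match.group(1)].setdefault(match.group(2), [])
            elif OTHER_BLOCK.match(line):
                current = None  # block type this audit does not inspect
            elif current is not None:
                current.append(line)
    return blocks


def first_arg(lines, keyword):
    """Return the text after 'keyword ' on the first matching line, or None."""
    prefix = keyword + " "
    return next((l[len(prefix):] for l in lines if l.startswith(prefix)), None)


def classify(security_lines):
    """Map a security profile's lines to (policy, verdict) without echoing keys."""
    policy = first_arg(security_lines, "security")
    if policy is None:
        return "no explicit policy line", "review"
    if policy.startswith("wep"):
        return policy, "weak"  # the guide itself calls WEP easy to decipher
    if policy.startswith("wpa2 ") and policy.endswith(" aes"):
        return "wpa2 " + policy.split()[1] + " aes", "ok"
    return policy.split()[0], "review"


def audit(config_text):
    """Return one finding per VAP profile: SSID, policy, verdict, AP groups."""
    blocks = parse_wlan(config_text)
    findings = []
    for vap, lines in sorted(blocks["vap-profile"].items()):
        sec_name = first_arg(lines, "security-profile")
        ssid_profile = first_arg(lines, "ssid-profile")
        policy, verdict = classify(blocks["security-profile"].get(sec_name, []))
        groups = sorted(
            group for group, glines in blocks["ap-group"].items()
            if any(gl.split()[:2] == ["vap-profile", vap] for gl in glines)
        )
        findings.append({
            "vap": vap,
            "ssid": first_arg(blocks["ssid-profile"].get(ssid_profile, []), "ssid"),
            "security_profile": sec_name,
            "policy": policy,
            "verdict": verdict,
            "ap_groups": groups,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['verdict']:6} ssid={f['ssid']} vap={f['vap']} "
              f"policy={f['policy']} ap-groups={','.join(f['ap_groups'])}")
```
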

12.5.3 Example for Configuring a WPA2-802.1X-AES Security Policy

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 12-13, the enterprise's AC connects to the egress gateway (Router) and
RADIUS server, and connects to the AP through SwitchA. The WLAN with the SSID wlan-net
is available for employees to access network resources. The gateway also functions as a
DHCP server to provide IP addresses on the 10.23.101.0/24 network segment for STAs. The
AC controls and manages STAs.
Because the WLAN is open to users, there are potential security risks to enterprise
information if no security policy is configured for the WLAN. The enterprise requires high
information security, so a WPA2 security policy using 802.1X authentication and AES
encryption can be configured. The RADIUS server authenticates STA identities. The AC must
be configured to function as an EAP relay, so the AC supports 802.1X authentication.

Figure 12-13 Networking diagram for configuring 802.1X authentication
[Figure: labels shown in the diagram are DNS Server 8.8.8.8; IP Network; Router (Gateway), GE2/0/0; RADIUS Server 10.23.103.1:1812; AC with GE0/0/1, GE0/0/2 and GE0/0/3; SwitchA with GE0/0/1 and GE0/0/2; AP.]

Configuration Roadmap
1. Configure the AP, AC, and upper-layer devices to communicate with each other.
2. Configure the AC to assign an IP address to the AP and the Router to assign IP addresses
to STAs.
3. Configure RADIUS authentication parameters.
4. Configure an 802.1X access profile to manage 802.1X access control parameters.
5. Configure an authentication profile, apply the 802.1X access profile, and configure a
forcible authentication domain.
6. Configure the AP to go online.
7. Configure WLAN service parameters, set the security policy to WPA2-802.1X-AES, and
bind the security profile and authentication profile to the VAP profile to control access
from STAs.

NOTE

Ensure that the RADIUS server IP address, port number, and shared key are correct and consistent with
the RADIUS server. When the AC functions as an EAP relay, ensure that the RADIUS server supports
the EAP protocol. Otherwise, the RADIUS server cannot process 802.1X authentication requests.

Table 12-5 Data planning

Item | Data
Management VLAN | VLAN 100
Service VLAN | VLAN 101
Source interface on the AC | VLANIF 100: 10.23.100.1/24
SwitchA VLAN | VLAN 100
DHCP server | IP address that the AC assigns to the AP: 10.23.100.2-10.23.100.254/24; IP addresses that Router assigns to STAs: 10.23.101.2-10.23.101.254/24; IP address of DNS server: 8.8.8.8
Gateway for the AP | VLANIF 100: 10.23.100.1/24
Gateway for STAs | VLANIF 101: 10.23.101.1/24
RADIUS authentication parameters | Name of a RADIUS server template: radius_huawei; IP address: 10.23.103.1; Authentication port number: 1812; Shared key: huawei@123; Authentication scheme: radius_huawei; AAA domain: huawei.com
User name and password of STAs | User name: test@huawei.com; Password: 123456
802.1X access profile | Name: wlan-dot1x; Authentication mode: EAP
Authentication profile | Name: wlan-authentication; Referenced profile: 802.1X access profile wlan-dot1x; Forcible authentication domain: huawei.com
AP group | Name: ap-group1; Referenced profile: VAP profile wlan-vap and regulatory domain profile domain1
Regulatory domain profile | Name: domain1; Country code: CN
SSID profile | Name: wlan-ssid; SSID name: wlan-net
Security profile | Name: wlan-security; Security policy: WPA2-802.1X-AES
VAP profile | Name: wlan-vap; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profile: SSID profile wlan-ssid, security profile wlan-security, and authentication profile wlan-authentication

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


# Configure VLANIF 101 (service VLAN), VLANIF 102, and VLANIF 103.
[AC] vlan batch 101 102 103
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] interface vlanif 103
[AC-Vlanif103] ip address 10.23.103.2 24
[AC-Vlanif103] quit

# Add GE0/0/2 that connects the AC to the Router to VLAN 102.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet0/0/2] quit


# Add GE0/0/3 that connects the AC to the RADIUS server to VLAN 103.
[AC] interface gigabitethernet 0/0/3
[AC-GigabitEthernet0/0/3] port link-type trunk
[AC-GigabitEthernet0/0/3] port trunk pvid vlan 103
[AC-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[AC-GigabitEthernet0/0/3] quit

# On the AC, configure a static route.


[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.102.1

Step 4 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

# Configure the AC to assign an IP address to the AP from an interface address pool.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# Configure the AC as a DHCP relay agent, and specify the DHCP server IP address on the
DHCP relay agent.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 10.23.102.1
[AC-Vlanif101] quit

# Configure the Router as a DHCP server to assign IP addresses to STAs from a global
address pool. The egress gateway address of the DHCP client is 10.23.101.1, and the network
segment of the global address pool is 10.23.101.0/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] dns-list 8.8.8.8
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24
[Router-Vlanif102] dhcp select global
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.102.2

Step 5 Configure RADIUS authentication parameters.


NOTE
Configure the same shared key for the AC and RADIUS server.

# Create a RADIUS server template.


[AC] radius-server template radius_huawei


[AC-radius-radius_huawei] radius-server authentication 10.23.103.1 1812
[AC-radius-radius_huawei] radius-server shared-key cipher huawei@123
[AC-radius-radius_huawei] quit

# Configure a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit

# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

NOTE

If the domain name huawei.com is configured, you need to add the domain name when entering the user
name.

# Test whether a STA can be authenticated using RADIUS authentication. A user name
test@huawei.com and password 123456 have been configured on the RADIUS server.
[AC] test-aaa test@huawei.com 123456 radius-template radius_huawei
Info: Account test succeed.

Step 6 Configure an 802.1X access profile to manage 802.1X access control parameters.
# Create the 802.1X access profile wlan-dot1x.
[AC] dot1x-access-profile name wlan-dot1x

# Set the authentication mode to EAP relay.


[AC-dot1x-access-profile-wlan-dot1x] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-dot1x] quit

Step 7 Configure an authentication profile named wlan-authentication, apply the 802.1X access
profile, and configure a forcible authentication domain.
[AC] authentication-profile name wlan-authentication
[AC-authen-profile-wlan-authentication] dot1x-access-profile wlan-dot1x
[AC-authen-profile-wlan-authentication] access-domain huawei.com dot1x force
[AC-authen-profile-wlan-authentication] quit

Step 8 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type         State STA Uptime
--------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor   0   10S
--------------------------------------------------------------------------------
Total: 1

Step 9 Configure WLAN service parameters.


# Create the security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-security] quit

# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] authentication-profile wlan-authentication
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit


# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 10 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 11 Verify the configuration.


• The WLAN with SSID wlan-net is available for STAs connected to the AP.
• The wireless PC obtains an IP address after it associates with the WLAN.
• Use the 802.1X authentication client on a STA and enter the correct user name and
  password. The STA is authenticated and can access the WLAN. You must configure the
  client for PEAP authentication.
  – Configuration on the Windows XP operating system:
    i. On the Association tab page of the Wireless network properties dialog box,
       add SSID wlan-net, set the authentication mode to WPA2, and encryption
       algorithm to AES.
    ii. On the Authentication tab page, set EAP type to PEAP and click Properties.
       In the Protected EAP Properties dialog box, deselect Validate server
       certificate and click Configure. In the displayed dialog box, deselect
       Automatically use my Windows logon name and password and click OK.
  – Configuration on the Windows 7 operating system:
    i. Access the Manage wireless networks page, click Add, and select Manually
       create a network profile. Add SSID wlan-net. Set the authentication mode to
       WPA2-Enterprise, and encryption algorithm to AES. Click Next.
    ii. Click Change connection settings. On the Wireless Network Properties
       page that is displayed, select the Security tab page and click Settings. On the
       Protected EAP Properties page, deselect Validate server certificate and
       click Configure. On the dialog box that is displayed, deselect Automatically
       use my Windows logon name and password and click OK.
    iii. On the Wireless Network Properties page, click Advanced settings. On the
       Advanced settings page that is displayed, select Specify authentication
       mode, set the identity authentication mode to User authentication, and click
       OK.

----End
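
Step 5 requires the same shared key on the AC and the RADIUS server, and the AC relays EAP instead of terminating it. The following added example (not Huawei's code) builds the Access-Request an EAP relay sends, with the EAP packet carried in EAP-Message and signed with Message-Authenticator as RFC 3579 specifies, then runs the server-side check with a matching and a mismatched key. Function names and the fixed Request Authenticator are assumptions made for the illustration; the user name and key are the ones planned in Table 12-5.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1               # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79            # RFC 3579
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def eap_identity_response(identifier, identity):
    """EAP-Response/Identity as the STA sends it: Code=2, Type=1."""
    data = identity.encode()
    return struct.pack("!BBHB", 2, identifier, 5 + len(data), 1) + data


def build_access_request(secret, user, eap, identifier=1, authenticator=None):
    """Relay side: carry the EAP packet unchanged in EAP-Message attributes and
    sign the whole Access-Request with the shared key."""
    authenticator = authenticator or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user.encode())
    for i in range(0, len(eap), 253):           # long EAP packets are split
        attrs += attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while signing
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = bytearray(header + authenticator + attrs)
    # Message-Authenticator is the last attribute here, so it is the last 16 bytes.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def verify_access_request(secret, packet):
    """Server side: return "ok" or the reason the request is discarded.
    RFC 3579 makes Message-Authenticator mandatory with EAP-Message; this
    checker requires it on every request."""
    if len(packet) < 20:
        return "malformed"
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return "malformed"
    zeroed, received, pos = bytearray(packet), None, 20
    while pos < length:
        if pos + 2 > length:
            return "malformed"
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return "malformed"
        if a_type == ATTR_MESSAGE_AUTHENTICATOR:
            if a_len != 18:
                return "malformed"
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += a_len
    if received is None:
        return "missing-message-authenticator"
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if hmac.compare_digest(received, expected):
        return "ok"
    return "bad-message-authenticator"


def demo():
    """Constructed exchange: same request checked with two server-side keys."""
    eap = eap_identity_response(1, "test@huawei.com")
    request = build_access_request(b"huawei@123", "test@huawei.com", eap,
                                   authenticator=bytes(range(16)))
    return (verify_access_request(b"huawei@123", request),   # keys match
            verify_access_request(b"Huawei@123", request))   # one character differs


if __name__ == "__main__":
    print(demo())
```

RFC 3579 has the server silently discard a request whose Message-Authenticator does not verify, so a mismatched key shows up on the AC as an unresponsive RADIUS server rather than as a reject.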

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• Router configuration file
#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
 gateway-list 10.23.101.1
 network 10.23.101.0 mask 255.255.255.0
 dns-list 8.8.8.8
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select global
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 102
#
ip route-static 10.23.101.0 255.255.255.0 10.23.102.2
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 103
#
authentication-profile name wlan-authentication
 dot1x-access-profile wlan-dot1x
 access-domain huawei.com dot1x force
#
dhcp enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#*7d1;XNof/|Q0:DsP!,W51DIYPx}`AARBdJ'0B^$%^%#
 radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 domain huawei.com
  authentication-scheme radius_huawei
  radius-server radius_huawei
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.102.1
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface Vlanif103
 ip address 10.23.103.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 103
 port trunk allow-pass vlan 103
#
ip route-static 0.0.0.0 0.0.0.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 dot1x aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile wlan-authentication
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
dot1x-access-profile name wlan-dot1x
#
return
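
Steps 5 to 9 build a chain of references: the VAP profile points to a security profile and an authentication profile, which points to an 802.1X access profile and a forcible domain, which points to an authentication scheme and a RADIUS server template. The following added example (not Huawei tooling) parses a saved AC configuration and reports any broken link in that chain. The function names are hypothetical, the sample is a constructed excerpt of the AC configuration file with a placeholder for the ciphertext, and the parser assumes the device's one-space-per-level indentation is intact and that a profile without a dot1x authentication-method line uses EAP, as in the configuration file on this page.

```python
import re

# Constructed excerpt of the AC configuration file (ciphertext replaced by a
# placeholder), indented the way the device saves it.
SAMPLE_AC_CONFIG = """\
#
authentication-profile name wlan-authentication
 dot1x-access-profile wlan-dot1x
 access-domain huawei.com dot1x force
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#CIPHERTEXT-PLACEHOLDER%^%#
 radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 domain huawei.com
  authentication-scheme radius_huawei
  radius-server radius_huawei
#
wlan
 security-profile name wlan-security
  security wpa2 dot1x aes
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  security-profile wlan-security
  authentication-profile wlan-authentication
#
dot1x-access-profile name wlan-dot1x
#
return
"""


def parse(text):
    """Build nested dicts keyed by command line, one level per leading space."""
    tree, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            continue
        depth = min(len(raw) - len(raw.lstrip(" ")), len(stack))
        node = {}
        (tree if depth == 0 else stack[depth - 1])[line] = node
        stack[depth:] = [node]
    return tree


def first_arg(section, keyword):
    """First argument of the child line that starts with keyword, or None."""
    for line in section:
        words = line.split()
        if words[0] == keyword and len(words) > 1:
            return words[1]
    return None


def audit_dot1x_chain(text):
    """Follow VAP -> security/authentication profile -> domain -> RADIUS."""
    cfg = parse(text)
    wlan, aaa = cfg.get("wlan", {}), cfg.get("aaa", {})
    vaps = {k.split()[2]: v for k, v in wlan.items() if k.startswith("vap-profile name ")}
    if not vaps:
        return ["no VAP profile found (was the indentation lost?)"]
    findings = []
    for vap, body in vaps.items():
        sec = wlan.get("security-profile name %s" % first_arg(body, "security-profile"), {})
        if "security wpa2 dot1x aes" not in sec:
            findings.append(vap + ": security policy is not WPA2-802.1X-AES")
        auth = cfg.get("authentication-profile name %s" % first_arg(body, "authentication-profile"))
        if auth is None:
            findings.append(vap + ": no authentication profile bound")
            continue
        dot1x = cfg.get("dot1x-access-profile name %s" % first_arg(auth, "dot1x-access-profile"))
        if dot1x is None:
            findings.append(vap + ": 802.1X access profile is not defined")
        elif any(re.fullmatch(r"dot1x authentication-method (?!eap$)\S+", l) for l in dot1x):
            findings.append(vap + ": AC terminates EAP instead of relaying it")
        forced = [l.split()[1] for l in auth if re.fullmatch(r"access-domain \S+ dot1x force", l)]
        domain = aaa.get("domain " + forced[0]) if forced else None
        if domain is None:
            findings.append(vap + ": no forcible 802.1X domain defined under aaa")
            continue
        scheme = aaa.get("authentication-scheme %s" % first_arg(domain, "authentication-scheme"), {})
        if "authentication-mode radius" not in scheme:
            findings.append(vap + ": domain does not authenticate through RADIUS")
        tmpl = cfg.get("radius-server template %s" % first_arg(domain, "radius-server"), {})
        needed = ("radius-server authentication ", "radius-server shared-key ")
        if not all(any(l.startswith(n) for l in tmpl) for n in needed):
            findings.append(vap + ": RADIUS template lacks a server or shared key")
    return findings
```

An empty list from audit_dot1x_chain means every reference in the chain resolves; each string in a non-empty list names the VAP profile and the first link that fails.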

12.5.4 Example for Configuring a WAPI-PSK Security Policy


Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
A residential community provides a WLAN with the SSID wlan-net so that residents can
access the network anywhere at any time. As shown in Figure 12-14, the AP deployed in a
resident's home is connected to the AC through access switch SwitchA. STAs automatically
obtain IP addresses.
Because the WLAN is open to users, there are potential security risks to service data. Users
do not require high WLAN security, so no extra authentication system is required. STAs
support WAPI, so a WAPI security policy using pre-shared key authentication can be
configured. Unicast and broadcast keys are updated based on time to secure data transmission.


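Figure 12-14 Networking diagram for configuring a WAPI-PSK security policy

[Figure: STAs associate with the AP; the AP connects to GE0/0/1 of SwitchA (VLAN 100); GE0/0/2 of SwitchA (VLAN 100) connects to GE0/0/1 of the AC (VLAN 100); GE0/0/2 of the AC (VLAN 101) connects to the Internet. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]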

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN.
2. Create a security profile and set the security policy to WAPI-PSK to meet security
requirements of users.

Table 12-6 Data planning

Item                              Data
--------------------------------  ----------------------------------------------------
DHCP server                       The AC functions as a DHCP server to assign IP
                                  addresses to the STAs and AP.
IP address pool for the AP        10.23.100.2-10.23.100.254/24
IP address pool for STAs          10.23.101.2-10.23.101.254/24
AC's source interface address     VLANIF 100: 10.23.100.1/24
AP group                          • Name: ap-group1
                                  • Referenced profile: VAP profile wlan-vap and
                                    regulatory domain profile domain1
Regulatory domain profile         • Name: domain1
                                  • Country code: CN
SSID profile                      • Name: wlan-ssid
                                  • SSID name: wlan-net
Security profile                  • Name: wlan-security
                                  • Security policy: WAPI-PSK
                                  • Encryption key: 1234567@
VAP profile                       • Name: wlan-vap
                                  • Forwarding mode: tunnel forwarding
                                  • Service VLAN: VLAN 101
                                  • Referenced profile: SSID profile wlan-ssid and
                                    security profile wlan-security

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create the security profile wlan-security, set the security policy to WAPI-PSK, configure
time-based unicast and multicast key updates, and set the update interval to 20,000s.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wapi psk pass-phrase 1234567@
[AC-wlan-sec-prof-wlan-security] wapi usk key-update time-based
[AC-wlan-sec-prof-wlan-security] wapi msk key-update time-based
[AC-wlan-sec-prof-wlan-security] wapi usk-update-interval 20000
[AC-wlan-sec-prof-wlan-security] wapi msk-update-interval 20000
[AC-wlan-sec-prof-wlan-security] quit

# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.

[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Verify the configuration.


• The WLAN with SSID wlan-net is available for mobile phones connected to the AP.
• The mobile phone obtains an IP address after it associates with the WLAN. The mobile
  phone can access the WLAN after the wireless user enters the password.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wapi psk pass-phrase %^%#cWul9=qe~"#{UzRlWz["^Gzo<X/k8-21m37N4;n'%^%#
wapi usk-update-interval 20000
wapi msk-update-interval 20000
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return

12.5.5 Example for Configuring a WAPI-Certificate Security Policy

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 12-15, the enterprise's AC connects to the egress gateway (Router) and
ASU certificate server, and connects to the AP through SwitchA. The WLAN with the SSID
wlan-net is available for employees to access network resources. The gateway also functions
as a DHCP server to provide IP addresses on the 10.23.101.0/24 network segment for STAs.
The AC controls and manages STAs.

Because the WLAN is open to users, there are potential security risks to enterprise
information if no security policy is configured for the WLAN. To meet the enterprise's high
information security requirements and implement bidirectional authentication between the
WLAN clients and server, configure a WAPI security policy. Compared with WPA/WPA2, an
ASU certificate server and WAPI encryption provide higher security for WLAN networks.

Figure 12-15 Networking diagram for configuring a WAPI-certificate security policy

[Figure: IP network, Router (gateway), ASU certificate server (10.23.103.1), AC, SwitchA,
AP, and STAs. Management VLAN: 100. Service VLAN: 101.]

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN.
2. Configure a WAPI security policy using certificate authentication in a security profile
and import the obtained certificates to ensure data security.

Table 12-7 Data planning

Item                        Data
Management VLAN             VLAN 100
Service VLAN                VLAN 101
Source interface on the AC  VLANIF 100: 10.23.100.1/24
SwitchA VLAN                VLAN 100
DHCP server                 • IP address that the AC assigns to the AP:
                              10.23.100.2-10.23.100.254/24
                            • IP addresses that Router assigns to STAs:
                              10.23.101.2-10.23.101.254/24
Gateway for the AP          VLANIF 100: 10.23.100.1/24
Gateway for STAs            VLANIF 101: 10.23.101.1/24
AP group                    • Name: ap-group1
                            • Referenced profile: VAP profile wlan-vap and
                              regulatory domain profile domain1
Regulatory domain profile   • Name: domain1
                            • Country code: CN
SSID profile                • Name: wlan-ssid
                            • SSID name: wlan-net
Security profile            • Name: wlan-security
                            • Security policy: WAPI-certificate
VAP profile                 • Name: wlan-vap
                            • Forwarding mode: tunnel forwarding
                            • Service VLAN: VLAN 101
                            • Referenced profile: SSID profile wlan-ssid and
                              security profile wlan-security

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


# Configure VLANIF 101 (service VLAN), VLANIF 102, and VLANIF 103.
[AC] vlan batch 101 102 103
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit
[AC] interface vlanif 103
[AC-Vlanif103] ip address 10.23.103.2 24
[AC-Vlanif103] quit

# Add GE0/0/2 that connects the AC to the Router to VLAN 102.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet0/0/2] quit

# Add GE0/0/3 that connects the AC to the ASU server to VLAN 103.
[AC] interface gigabitethernet 0/0/3
[AC-GigabitEthernet0/0/3] port link-type trunk
[AC-GigabitEthernet0/0/3] port trunk pvid vlan 103
[AC-GigabitEthernet0/0/3] port trunk allow-pass vlan 103
[AC-GigabitEthernet0/0/3] quit

# On the AC, configure a static route.


[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.102.1

Step 4 Configure the AC to assign an IP address to the AP and the Router to assign IP addresses to
STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

# Configure the AC to assign an IP address to the AP from an interface address pool.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# Configure the AC as a DHCP relay agent, and specify the DHCP server IP address on the
DHCP relay agent.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 10.23.102.1
[AC-Vlanif101] quit

# Configure the Router as a DHCP server to assign IP addresses to STAs from a global
address pool. The egress gateway address of the DHCP client is 10.23.101.1, and the network
segment of the global address pool is 10.23.101.0/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24
[Router-Vlanif102] dhcp select global
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.102.2

Step 5 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type         State STA Uptime
--------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor   0   10S
--------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create the security profile wlan-security and set the security policy to WAPI-certificate.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wapi certificate
[AC-wlan-sec-prof-wlan-security] wapi asu ip 10.23.103.1
[AC-wlan-sec-prof-wlan-security] wapi import certificate ac format pem file-name flash:/ae.cer
[AC-wlan-sec-prof-wlan-security] wapi import certificate asu format pem file-name flash:/as.cer
[AC-wlan-sec-prof-wlan-security] wapi import certificate issuer format pem file-name flash:/as.cer
[AC-wlan-sec-prof-wlan-security] wapi import private-key format pem file-name flash:/ae.cer
[AC-wlan-sec-prof-wlan-security] quit

NOTE

• Before configuring WAPI-certificate authentication, upload the certificate file to the flash memory of the
  device.
• If the authentication system uses only two certificates, the issuer certificate is the same as the ASU
  certificate, with the same file name. If the authentication system uses three certificates, the issuer
  certificate and ASU certificate are different from each other and both must be imported.
• The certificates must be valid and correct.

# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1
of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Verify the configuration.


• The WLAN with SSID wlan-net is available for mobile phones connected to the AP.
• The mobile phone obtains an IP address after it associates with the WLAN. The mobile
  phone is automatically authenticated and can access the WLAN.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
port-isolate enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

• Router configuration file
#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.23.101.0 255.255.255.0 10.23.102.2
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 103
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.102.1
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface Vlanif103
ip address 10.23.103.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 103
port trunk allow-pass vlan 103
#
ip route-static 0.0.0.0 0.0.0.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wapi certificate
wapi asu ip 10.23.103.1
wapi import certificate ac format pem file-name flash:/ae.cer
wapi import certificate asu format pem file-name flash:/as.cer
wapi import certificate issuer format pem file-name flash:/as.cer
wapi import private-key format pem file-name flash:/ae.cer
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
ap-system-profile wlan-system
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
return
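
The requirements stated in the two WAPI examples above (every item a WAPI-certificate security profile must carry, the two- versus three-certificate rule from the NOTE, and the rule that the service VLAN differs from the management VLAN in tunnel forwarding mode) can be checked against a saved AC configuration. This Python script is an added example, not Huawei code: the function names, the keyword-based parsing, the constructed BAD_CONFIG and the clear-text pass-phrase check (inferred from the %^%#...%^%# form shown in the WAPI-PSK listing) are assumptions.

```python
import re

# Relevant lines of this page's WAPI-certificate "AC configuration file".
PAGE_CONFIG = """\
capwap source interface vlanif100
 security-profile name wlan-security
  security wapi certificate
  wapi asu ip 10.23.103.1
  wapi import certificate ac format pem file-name flash:/ae.cer
  wapi import certificate asu format pem file-name flash:/as.cer
  wapi import certificate issuer format pem file-name flash:/as.cer
  wapi import private-key format pem file-name flash:/ae.cer
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
"""

# Constructed sample with deliberate defects (not from the page).
BAD_CONFIG = """\
capwap source interface vlanif100
 security-profile name wlan-security
  security wapi certificate
  wapi asu ip 10.23.103.1
  wapi import certificate ac format pem file-name flash:/ae.cer
  wapi import certificate asu format pem file-name flash:/as.cer
 security-profile name psk-test
  security wapi psk pass-phrase 1234567@
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 100
"""

SECTION = re.compile(r"([a-z-]+-profile|ap-group) name (\S+)$")
KINDS = {"security-profile": "security", "vap-profile": "vap"}
IMPORT = re.compile(r"wapi import (?:certificate (ac|asu|issuer)|(private-key)) "
                    r"format \S+ file-name (\S+)$")
REQUIRED = ("asu-ip", "ac", "asu", "issuer", "private-key")


def parse(text):
    """Collect the management VLAN, security profiles and VAP profiles."""
    cfg = {"mgmt_vlan": None, "security": {}, "vap": {}}
    current = None  # profile dict being filled, or None outside a profile
    for line in map(str.strip, text.splitlines()):
        source = re.match(r"capwap source interface vlanif ?(\d+)$", line, re.I)
        section = SECTION.match(line)
        if source:
            cfg["mgmt_vlan"] = source.group(1)
        elif section:
            kind = KINDS.get(section.group(1))
            current = cfg[kind].setdefault(section.group(2), {}) if kind else None
        elif line in ("#", "return") or line.startswith("ap-id "):
            current = None
        elif current is not None:
            read_setting(current, line)
    return cfg


def read_setting(profile, line):
    """Store one profile line; lines this audit does not use are ignored."""
    imp = IMPORT.match(line)
    words = line.split()
    if imp:
        profile[imp.group(1) or imp.group(2)] = imp.group(3)
    elif line.startswith("wapi asu ip "):
        profile["asu-ip"] = words[-1]
    elif line.startswith("security wapi "):
        profile["policy"] = words[2]  # "certificate" or "psk"
        if "pass-phrase" in words[:-1]:
            profile["pass-phrase"] = words[words.index("pass-phrase") + 1]
    elif line.startswith(("forward-mode ", "service-vlan vlan-id ")):
        profile[words[0]] = words[-1]


def audit(text):
    """Return sorted (profile, finding) pairs for the checks described above."""
    cfg, findings = parse(text), []
    for name, prof in cfg["security"].items():
        if prof.get("policy") == "certificate":
            findings += [(name, f"missing {item}") for item in REQUIRED if item not in prof]
        # Assumption: a saved pass-phrase looks like the page's %^%#...%^%# value.
        elif not prof.get("pass-phrase", "%^%#").startswith("%^%#"):
            findings.append((name, "pass-phrase stored in clear text"))
    for name, prof in cfg["vap"].items():
        vlan = prof.get("service-vlan")
        if prof.get("forward-mode") == "tunnel" and vlan and vlan == cfg["mgmt_vlan"]:
            findings.append((name, "service VLAN equals management VLAN in tunnel mode"))
    return sorted(findings)


def certificate_mode(text, profile):
    """Two certificates when the issuer and ASU files match, otherwise three."""
    prof = parse(text)["security"][profile]
    if "issuer" not in prof or "asu" not in prof:
        return None
    return "two-certificate" if prof["issuer"] == prof["asu"] else "three-certificate"


if __name__ == "__main__":
    print(audit(PAGE_CONFIG), audit(BAD_CONFIG), sep="\n")
```

Because lines are matched by keyword rather than by indentation, the same checks work on a listing whose leading spaces were lost in copying.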

12.5.6 Example for Configuring MAC Address Authentication (AAA in RADIUS Mode)

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 12-16, an AC in an enterprise is connected to the AP through access
switch SwitchA. The enterprise deploys the WLAN wlan-net to provide wireless network
access for employees. The AC functions as the DHCP server to assign IP addresses on the
network segment 10.23.101.0/24 to wireless users.
Because the WLAN is open to users, there are potential security risks to enterprise
information if no access control is configured for the WLAN. To meet the enterprise's security
requirements, configure MAC address authentication to authenticate dumb terminals such as
wireless network printers and wireless phones that cannot have an authentication client
installed. MAC addresses of terminals are used as user information and sent to the RADIUS
server for authentication. When users connect to the WLAN, authentication is not required.

Figure 12-16 Networking diagram for configuring MAC address authentication

[Figure: Internet, RADIUS server (10.23.200.1:1812), AC, SwitchA, AP area_1, and STAs.
Management VLAN: VLAN 100. Service VLAN: VLAN 101.]

Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with upper-layer and
lower-layer devices and the AP can go online.
2. Configure RADIUS authentication parameters.
3. Configure a MAC access profile to manage MAC access control parameters.
4. Configure an authentication profile to manage NAC configuration.
5. Configure WLAN service parameters, and bind a security policy profile and an
authentication profile to a VAP profile to control access from STAs.

Table 12-8 Data plan

Item                                     Data
RADIUS authentication parameters         Name of the RADIUS authentication scheme: radius_huawei
                                         Name of the RADIUS server template: radius_huawei
                                         • IP address: 10.23.200.1
                                         • Authentication port number: 1812
                                         • Shared key: Huawei@123
                                         AAA domain: huawei.com
MAC access profile                       • Name: m1
                                         • User name and password for MAC address authentication:
                                           MAC addresses without hyphens (-)
Authentication profile                   • Name: p1
                                         • Bound profile: MAC access profile m1
                                         • Forcible authentication domain: huawei.com
DHCP server                              The AC functions as the DHCP server to assign IP addresses
                                         to the AP and STAs.
IP address pool for the AP               10.23.100.2 to 10.23.100.254/24
IP address pool for the STAs             10.23.101.2 to 10.23.101.254/24
IP address of the AC's source interface  VLANIF 100: 10.23.100.1/24
AP group                                 • Name: ap-group1
                                         • Bound profile: VAP profile wlan-vap and regulatory
                                           domain profile domain1
Regulatory domain profile                • Name: domain1
                                         • Country code: CN
SSID profile                             • Name: wlan-ssid
                                         • SSID name: wlan-net
Security profile                         • Name: wlan-security
                                         • Security policy: Open
VAP profile                              • Name: wlan-vap
                                         • Forwarding mode: tunnel forwarding
                                         • Service VLAN: VLAN 101
                                         • Bound profile: SSID profile wlan-ssid, security profile
                                           wlan-security, and authentication profile p1

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.

NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC to function as the DHCP server to assign IP addresses to the AP and STAs.
# Configure the AC as the DHCP server to assign an IP address to the AP from the IP address
pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool on VLANIF
101.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure a route from the AC to the RADIUS server (assume that the IP address of the
upper-layer device connected to the AC is 10.23.101.2).
[AC] ip route-static 10.23.200.1 255.255.255.0 10.23.101.2

Step 6 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to AP group ap-group1. Configure a
name for the AP based on the AP's deployment location, so that you can know where the AP
is deployed from its name. This example assumes that the AP's MAC address is
60de-4476-e360 and the AP is deployed in area 1. Name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 7 Configure a RADIUS server template and a RADIUS authentication scheme.


NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.

# Configure a RADIUS server template.


[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
[AC-radius-radius_huawei] radius-server shared-key cipher Huawei@123
[AC-radius-radius_huawei] quit

# Configure a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit

# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

Step 8 Configure the MAC access profile m1.


NOTE

In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for
MAC address authentication.
[AC] mac-access-profile name m1
[AC-mac-access-profile-m1] quit

Step 9 Configure the authentication profile p1.


[AC] authentication-profile name p1
[AC-authen-profile-p1] mac-access-profile m1
[AC-authen-profile-p1] access-domain huawei.com mac-authen force
[AC-authen-profile-p1] quit

Step 10 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile. By default,
the security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 11 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 12 Verify the configuration.


After dumb terminals associate with the WLAN, authentication is performed automatically.
Users can directly access the network after the authentication succeeds.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name p1
 mac-access-profile m1
 access-domain huawei.com mac-authen force
#
dhcp enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
 radius-server authentication 10.23.200.1 1812 weight 80
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 domain huawei.com
  authentication-scheme radius_huawei
  radius-server radius_huawei
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
mac-access-profile name m1
#
return

12.5.7 Example for Configuring MAC + 802.1X Authentication (AAA Mode: RADIUS)

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 12-16, an AC in an enterprise is connected to the AP through access
switch SwitchA. The enterprise deploys the WLAN wlan-net to provide wireless network
access for employees. The AC functions as the DHCP server to assign IP addresses on the
network segment 10.23.101.0/24 to wireless users.

As the WLAN is open to users, there are potential security risks to enterprise information if
no access control is configured for the WLAN. To provide network access only to specified
STAs, an enterprise needs to authenticate STAs and then users operating the STAs. The MAC
+ 802.1X authentication mode can meet this requirement by authenticating wireless users
through a RADIUS server.

Figure 12-17 Networking diagram for configuring MAC + 802.1X authentication


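[Figure: the AC connects upstream through GE0/0/2 (VLAN 101) to the Internet and the RADIUS
server (10.23.200.1:1812), and downstream through GE0/0/1 (VLAN 100) to GE0/0/2 of SwitchA;
SwitchA GE0/0/1 (VLAN 100) connects to the AP area_1, which serves the STAs.
Management VLAN: VLAN 100. Service VLAN: VLAN 101.]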

Configuration Roadmap
1. Configure basic WLAN services on the AC so that the AC can communicate with upper-
layer and lower-layer devices and the AP can go online.
2. Configure RADIUS authentication parameters.
3. Configure a MAC access profile to manage MAC access control parameters.
4. Configure an 802.1X access profile to manage 802.1X access control parameters.
5. Configure an authentication profile to manage NAC configuration.
6. Configure WLAN service parameters, and bind a security policy profile and an
authentication profile to a VAP profile to control access from STAs.

Table 12-9 Data plan


Item | Data
RADIUS authentication parameters | Name of the RADIUS authentication scheme: radius_huawei; Name of the RADIUS server template: radius_huawei (IP address: 10.23.200.1; Authentication port number: 1812; Shared key: Huawei@123); AAA domain: huawei.com
MAC access profile | Name: m1; User name and password for MAC address authentication: MAC addresses without hyphens (-)
802.1X access profile | Name: wlan-dot1x; Authentication mode: EAP
Authentication profile | Name: p1; Bound profile: MAC access profile m1 and 802.1X access profile wlan-dot1x; Forcible authentication domain: huawei.com
DHCP server | The AC functions as a DHCP server to assign IP addresses to the AP and STAs.
IP address pool for the AP | 10.23.100.2 to 10.23.100.254/24
IP address pool for STAs | 10.23.101.2 to 10.23.101.254/24
IP address of the AC's source interface | VLANIF 100: 10.23.100.1/24
AP group | Name: ap-group1; Bound profile: VAP profile wlan-vap and regulatory domain profile domain1
Regulatory domain profile | Name: domain1; Country code: CN
SSID profile | Name: wlan-ssid; SSID name: wlan-net
Security profile | Name: wlan-security; Security policy: WPA2+802.1X+AES
VAP profile | Name: wlan-vap; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Bound profile: SSID profile wlan-ssid, security profile wlan-security, and authentication profile p1

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode


NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC to function as the DHCP server to assign IP addresses to the AP and STAs.

# Configure the AC as the DHCP server to assign an IP address to the AP from the IP address
pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool on VLANIF
101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure a route from the AC to the RADIUS server (assume that the IP address of the
upper-layer device connected to the AC is 10.23.101.2).
[AC] ip route-static 10.23.200.1 255.255.255.0 10.23.101.2

Step 6 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to AP group ap-group1. Configure a
name for the AP based on the AP's deployment location, so that you can know where the AP
is deployed from its name. This example assumes that the AP's MAC address is
60de-4476-e360 and the AP is deployed in area 1. Name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 7 Configure a RADIUS server template and a RADIUS authentication scheme.


NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.

# Configure a RADIUS server template.


[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
[AC-radius-radius_huawei] radius-server shared-key cipher Huawei@123
[AC-radius-radius_huawei] quit

# Configure a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit

# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

Step 8 Configure the MAC access profile m1.


NOTE

In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for
MAC address authentication.
[AC] mac-access-profile name m1
[AC-mac-access-profile-m1] quit

Step 9 Configure an 802.1X access profile to manage 802.1X access control parameters.
# Create the 802.1X access profile wlan-dot1x.
[AC] dot1x-access-profile name wlan-dot1x

# Set the authentication mode to EAP relay.


[AC-dot1x-access-profile-wlan-dot1x] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-dot1x] quit

Step 10 Configure the authentication profile p1.


[AC] authentication-profile name p1
[AC-authen-profile-p1] dot1x-access-profile wlan-dot1x
[AC-authen-profile-p1] mac-access-profile m1
[AC-authen-profile-p1] access-domain huawei.com mac-authen force
[AC-authen-profile-p1] quit

Step 11 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.


[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 12 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 13 Verify the configuration.


The WLAN with the SSID wlan-net is available for STAs. STAs specified by the enterprise
can be successfully authenticated in MAC mode and then authenticated using 802.1X. STAs
that are not specified by the enterprise fail authentication.

----End
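Steps 7 and 8 of this procedure (and of the preceding MAC address authentication example) depend on two things matching on both sides: the shared key, and the hyphen-free MAC address used as user name and password. The following added example, which is not part of the Huawei guide, builds a minimal RADIUS Access-Request and checks it on the server side using the User-Password hiding of RFC 2865. It assumes the MAC credentials are sent as a PAP User-Password and in lowercase (the page states neither), and the STA MAC addresses are constructed.

```python
import hashlib
import os
import struct

SHARED_KEY = b"Huawei@123"  # sample key from the RADIUS server template on this page


def mac_username(mac: str) -> str:
    """Turn 00E0-FC12-3456 or 00:e0:fc:12:34:56 into the hyphen-free form.
    Lowercase output is an assumption; the page only says 'without hyphens'."""
    digits = "".join(ch for ch in mac if ch not in "-:.").lower()
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def make_accounts(allowed_macs):
    """Server-side account list: user name and password are both the MAC."""
    return {mac_username(m): mac_username(m) for m in allowed_macs}


def _mask(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _mask(secret, prev)))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; only yields the password if the secret matches."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, _mask(secret, prev)))
        prev = block
    return clear.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(sta_mac, secret, identifier=1, request_auth=None):
    """AC side: Access-Request (code 1) with User-Name (1) and User-Password (2)."""
    request_auth = request_auth or os.urandom(16)
    user = mac_username(sta_mac).encode()
    attrs = _attr(1, user) + _attr(2, hide_password(user, secret, request_auth))
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def server_decision(packet: bytes, secret: bytes, accounts: dict) -> str:
    """RADIUS server side: recover the password with the server's own key."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs, pos = packet[4:20], {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            break  # malformed attribute, stop parsing
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    user = attrs.get(1, b"").decode("ascii", "replace")
    password = reveal_password(attrs.get(2, b""), secret, request_auth)
    ok = user in accounts and password == accounts[user].encode()
    return "Access-Accept" if ok else "Access-Reject"


if __name__ == "__main__":
    accounts = make_accounts(["00E0-FC12-3456"])       # constructed STA MAC
    request = build_access_request("00e0-fc12-3456", SHARED_KEY)
    print(server_decision(request, SHARED_KEY, accounts))     # keys match
    print(server_decision(request, b"Huawei@124", accounts))  # key mismatch
```

A key mismatch and an unregistered MAC address both end in Access-Reject, so a failed MAC authentication alone does not tell you which of the two settings is wrong.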


Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name p1
 dot1x-access-profile wlan-dot1x
 mac-access-profile m1
 access-domain huawei.com mac-authen force
#
dhcp enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
 radius-server authentication 10.23.200.1 1812 weight 80
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 domain huawei.com
  authentication-scheme radius_huawei
  radius-server radius_huawei
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 dot1x aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
dot1x-access-profile name wlan-dot1x
#
mac-access-profile name m1
#
return
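
Because the profiles in this example reference one another by name, a saved AC configuration can be checked offline before it is deployed. The following added example, which is not Huawei code, parses a configuration in the layout shown above and reports undefined profile references, a tunnel-forwarding VAP whose service VLAN equals the management VLAN (see Configuration Notes), and a VAP whose security policy does not match its authentication profile. The sample configuration is constructed with three planted mistakes, and the parser assumes the device's one-space-per-level indentation is intact.

```python
import re

# Constructed sample in the layout of the AC configuration file above,
# with three mistakes planted for the checks to find.
SAMPLE_CONFIG = """\
#
authentication-profile name p1
 dot1x-access-profile wlan-dot1x
 mac-access-profile m1
 access-domain huawei.com mac-authen force
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 100
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 ap-group name ap-group1
  radio 0
   vap-profile wlan-vap wlan 1
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name m1
#
return
"""

KINDS = ("authentication-profile", "dot1x-access-profile", "mac-access-profile",
         "security-profile", "ssid-profile", "vap-profile", "ap-group")
HEADER = re.compile(r"(%s) name (\S+)$" % "|".join(KINDS))
# Profile kinds that a body line of each kind may point to.
REFERENCES = {
    "vap-profile": ("ssid-profile", "security-profile", "authentication-profile"),
    "authentication-profile": ("dot1x-access-profile", "mac-access-profile"),
    "ap-group": ("vap-profile",),
}


def parse(config):
    """Return ({(kind, name): [body lines]}, management VLAN of the CAPWAP source)."""
    profiles, body, depth, mgmt_vlan = {}, None, 0, None
    for raw in config.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip(" "))
        header = HEADER.match(line)
        if header:
            body, depth = profiles.setdefault(header.groups(), []), indent
        elif body is not None and indent > depth:
            body.append(line)          # deeper indentation: still inside the profile
        else:
            body = None
            source = re.match(r"capwap source interface vlanif\s*(\d+)$", line, re.I)
            if source:
                mgmt_vlan = int(source.group(1))
    return profiles, mgmt_vlan


def refs(body, keyword):
    """Names on body lines of the form '<keyword> <name> ...'."""
    return [p[1] for p in map(str.split, body) if len(p) > 1 and p[0] == keyword]


def audit(config):
    profiles, mgmt_vlan = parse(config)
    findings = []
    for (kind, name), body in profiles.items():
        for target in REFERENCES.get(kind, ()):
            for ref in refs(body, target):
                if (target, ref) not in profiles:
                    findings.append(f"{kind} {name}: undefined {target} {ref}")
    for (kind, name), body in profiles.items():
        if kind != "vap-profile":
            continue
        service = [int(l.split()[-1]) for l in body if l.startswith("service-vlan vlan-id")]
        if "forward-mode tunnel" in body and mgmt_vlan in service:
            findings.append(f"vap-profile {name}: service VLAN {mgmt_vlan} is also "
                            "the management VLAN in tunnel forwarding mode")
        policies = [l for s in refs(body, "security-profile")
                    for l in profiles.get(("security-profile", s), [])
                    if l.startswith("security ")]
        auth_bodies = [profiles.get(("authentication-profile", a), [])
                       for a in refs(body, "authentication-profile")]
        uses_dot1x = any(refs(b, "dot1x-access-profile") for b in auth_bodies)
        if uses_dot1x and not any("dot1x" in p.split() for p in policies):
            findings.append(f"vap-profile {name}: 802.1X access profile bound but "
                            "the security profile has no dot1x policy")
        elif not policies:
            findings.append(f"vap-profile {name}: no security policy set (open system "
                            "by default), frames are not encrypted over the air")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```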

12.5.8 Example for Configuring External Portal Authentication

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 12-18, there are a large number of STAs on an enterprise network. A
WLAN with the SSID guest is deployed in the lobby of the office building to provide
wireless access services for guests. A WLAN with the SSID employee is deployed in office
areas to provide wireless access services for employees.

To ensure network security, the enterprise needs to deploy an authentication system to
implement access control for all the wireless users who attempt to connect to the enterprise
network. Only authenticated users can connect to the enterprise network. Given the
mobility of the large number of STAs, the administrator decides to configure Portal
authentication on the AC at Layer 3 to control access.

Figure 12-18 Networking diagram for configuring External Portal authentication

[Figure: network diagram. Labels: Internet; Router (GE2/0/0, VLANIF 201: 10.67.201.1/24);
Servers (Portal, RADIUS and DNS); Switch_B (GE1/0/3, VLANIF 201: 10.67.201.2/24; GE1/0/2,
VLANIF 200: 10.45.200.2/24; GE1/0/1); AC (GE0/0/1, VLANIF 200: 10.45.200.1/24);
VLANIF 100: 10.23.100.1/24, VLANIF 101: 10.23.101.1/24, VLANIF 102: 10.23.102.1/24;
Switch_A (GE0/0/1 to GE0/0/5); APs lobby_1 and lobby_2 (Lobby) and office2_1 and office2_2
(Office area), each with STAs. In both areas: Management VLAN: 100; Service VLAN: VLAN pool.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic WLAN services so that the AC can communicate with upper-layer and
lower-layer devices and the AP can go online.
2. Configure RADIUS authentication parameters.
3. Configure a Portal server profile.
4. Configure a Portal access profile to manage access control parameters for Portal
authentication users.
5. Configure an authentication-free rule profile so that the AC allows packets to the DNS
server to pass through.
6. Configure an authentication profile to manage NAC configuration.
7. Configure WLAN service parameters for STAs to access the WLAN.

Table 12-10 Data plan


Item | Data
RADIUS authentication parameters | Name of the RADIUS authentication scheme: radius_huawei; Name of the RADIUS server template: radius_huawei (IP address: 172.16.1.1; Authentication port number: 1812; Shared key: Huawei@123); AAA domain: huawei.com
Portal server profile | Name: abc; IP address: 172.16.1.1; Destination port number in the packets that the AC sends to the Portal server: 50200; Portal shared key: Admin@123
Portal access profile | Name: portal1; Bound profile: Portal server profile abc
Authentication-free rule profile | Name: default_free_rule; Authentication-free resource: IP address of the DNS server (172.16.1.2)
Authentication profile | Name: p1; Bound profile: Portal access profile p1, and authentication-free rule profile default_free_rule; Forcible authentication domain: huawei.com
DHCP server | The router functions as the DHCP server to assign IP addresses to the STAs and APs.
IP address pool for the APs | 10.23.100.2 to 10.23.100.254/24
IP address pool for the STAs | 10.23.101.2 to 10.23.101.254/24; 10.23.102.2 to 10.23.102.254/24
VLAN pool | Name: sta-pool; VLANs added to the VLAN pool: VLAN 101 and VLAN 102
IP address of the AC's source interface | VLANIF100: 10.45.200.1/24
AP group | Name: guest; Bound profile: VAP profile guest and regulatory domain profile domain1. Name: employee; Bound profile: VAP profile employee and regulatory domain profile domain1
Regulatory domain profile | Name: domain1; Country code: CN
SSID profile | Name: guest; SSID name: guest. Name: employee; SSID name: employee
Security profile | Name: wlan-security; Security policy: Open
VAP profile | Name: guest; Forwarding mode: tunnel forwarding; Service VLAN: VLANs in the VLAN pool; Bound profile: SSID profile guest, security profile wlan-security, and authentication profile p1. Name: employee; Forwarding mode: tunnel forwarding; Service VLAN: VLANs in the VLAN pool; Bound profile: SSID profile employee, security profile wlan-security, and authentication profile p1

NOTE

• In this example, Switch_A is a Huawei modular switch, and Switch_B is a Huawei fixed switch.
• When a VLAN pool is used to provide service VLANs on a large network, many VLANs are usually
  added to the VLAN pool, and interfaces of many devices need to be added to these VLANs. In this
  situation, a lot of broadcast domains are created if you configure the direct forwarding mode. To
  reduce the number of broadcast domains, set the data forwarding mode to tunnel forwarding.
• Configurations of RADIUS server parameters and Portal server parameters must be the same as the
  configurations on the peer RADIUS server and Portal server. Configure the parameters as required.
• To ensure that the router and servers can communicate with each other, configure routes on the
  RADIUS server and Portal server to the router.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure networking parameters.


# Configure access switch Switch_A. Add GE0/0/1 to GE0/0/5 to VLAN 100 (management
VLAN). Interfaces GE0/0/1 to GE0/0/4 have the same configuration. GE0/0/1 is used as an
example here.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/5
[Switch_A-GigabitEthernet0/0/5] port link-type trunk
[Switch_A-GigabitEthernet0/0/5] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/5] quit

# Configure aggregation switch Switch_B. Add GE1/0/1 to VLAN 100, GE1/0/2 to VLANs
101, 102, and 200, and GE1/0/3 to VLAN 201.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101 102 200 201
[Switch_B] interface gigabitethernet 1/0/1
[Switch_B-GigabitEthernet1/0/1] port link-type trunk
[Switch_B-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet1/0/1] quit
[Switch_B] interface gigabitethernet 1/0/2
[Switch_B-GigabitEthernet1/0/2] port link-type trunk
[Switch_B-GigabitEthernet1/0/2] port trunk allow-pass vlan 101 102 200
[Switch_B-GigabitEthernet1/0/2] quit
[Switch_B] interface gigabitethernet 1/0/3
[Switch_B-GigabitEthernet1/0/3] port link-type trunk
[Switch_B-GigabitEthernet1/0/3] port trunk allow-pass vlan 201
[Switch_B-GigabitEthernet1/0/3] quit

# Create VLANIF interfaces VLANIF 100 to VLANIF 102, VLANIF 200, and VLANIF 201
on Switch_B and configure their IP addresses. VLANIF 100 works as the gateway of APs.
VLANIF 101 and VLANIF 102 are gateways of STAs. Switch_B uses VLANIF 200 to
communicate with the AC and VLANIF 201 to communicate with the router.
[Switch_B] interface vlanif 100
[Switch_B-Vlanif100] ip address 10.23.100.1 24
[Switch_B-Vlanif100] quit
[Switch_B] interface vlanif 101
[Switch_B-Vlanif101] ip address 10.23.101.1 24
[Switch_B-Vlanif101] quit
[Switch_B] interface vlanif 102
[Switch_B-Vlanif102] ip address 10.23.102.1 24
[Switch_B-Vlanif102] quit
[Switch_B] interface vlanif 200
[Switch_B-Vlanif200] ip address 10.45.200.2 24
[Switch_B-Vlanif200] quit
[Switch_B] interface vlanif 201
[Switch_B-Vlanif201] ip address 10.67.201.2 24
[Switch_B-Vlanif201] quit

# On the AC, add GE0/0/1 connected to Switch_B to VLAN 101, VLAN 102, and VLAN
200.
[HUAWEI] sysname AC
[AC] vlan batch 101 102 200
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.45.200.1 24
[AC-Vlanif200] quit
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 101 102 200
[AC-GigabitEthernet0/0/1] quit

# Add GE2/0/0 on the router to VLAN 201 and configure an IP address for VLANIF 201 so
that the router can communicate with Switch_B.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 201
[Router] interface vlanif 201
[Router-Vlanif201] ip address 10.67.201.1 24
[Router-Vlanif201] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 201
[Router-GigabitEthernet2/0/0] quit

# On the router, configure a route to Switch_B.


[Router] ip route-static 10.23.100.0 24 10.67.201.2
[Router] ip route-static 10.23.101.0 24 10.67.201.2
[Router] ip route-static 10.23.102.0 24 10.67.201.2

# Configure a default route on Switch_B with the outbound interface as the router's VLANIF
201.
[Switch_B] ip route-static 0.0.0.0 0.0.0.0 10.67.201.1

# Configure routes from the AC to APs with the next hop as Switch_B's VLANIF 200.
[AC] ip route-static 10.23.100.0 24 10.45.200.2

Step 3 Configure a DHCP server to assign IP addresses to APs and STAs.


# Configure Switch_B as a DHCP relay agent.
[Switch_B] dhcp enable
[Switch_B] interface vlanif 100
[Switch_B-Vlanif100] dhcp select relay
[Switch_B-Vlanif100] dhcp relay server-ip 10.67.201.1
[Switch_B-Vlanif100] quit
[Switch_B] interface vlanif 101
[Switch_B-Vlanif101] dhcp select relay
[Switch_B-Vlanif101] dhcp relay server-ip 10.67.201.1
[Switch_B-Vlanif101] quit
[Switch_B] interface vlanif 102
[Switch_B-Vlanif102] dhcp select relay
[Switch_B-Vlanif102] dhcp relay server-ip 10.67.201.1
[Switch_B-Vlanif102] quit

# Configure the router as a DHCP server to assign IP addresses to APs and STAs.
NOTE
In this example, the AP and AC are on different network segments. To notify the AP of the AC's IP address
so that the AP can go online at Layer 3, configure Option 43 in the address pool used by the AP.
[Router] dhcp enable
[Router] ip pool ap
[Router-ip-pool-ap] network 10.23.100.0 mask 24
[Router-ip-pool-ap] gateway-list 10.23.100.1
[Router-ip-pool-ap] option 43 sub-option 3 ascii 10.45.200.1
[Router-ip-pool-ap] quit
[Router] ip pool sta1
[Router-ip-pool-sta1] network 10.23.101.0 mask 24
[Router-ip-pool-sta1] gateway-list 10.23.101.1
[Router-ip-pool-sta1] dns-list 172.16.1.2
[Router-ip-pool-sta1] quit
[Router] ip pool sta2
[Router-ip-pool-sta2] network 10.23.102.0 mask 24
[Router-ip-pool-sta2] gateway-list 10.23.102.1
[Router-ip-pool-sta2] dns-list 172.16.1.2
[Router-ip-pool-sta2] quit
[Router] interface vlanif 201
[Router-Vlanif201] dhcp select global
[Router-Vlanif201] quit

Step 4 Configure a VLAN pool for service VLANs.


# Create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the VLAN
assignment algorithm to hash in the VLAN pool.
NOTE

This example sets the VLAN assignment algorithm to hash. Because hash is the default algorithm,
you do not need to run the assignment hash command if the default setting is retained.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can add multiple VLANs
to a VLAN pool. As with VLAN 101 and VLAN 102, for each VLAN added to the pool you need to create
the corresponding VLANIF interface and configure its IP address on Switch_B, and configure interface
address pools on the router.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 5 Configure the APs to go online.


# Create AP groups guest and employee.
[AC] wlan
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-employee] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 200

# Import the APs offline on the AC. Add APs deployed in the lobby to AP group guest and
APs in office areas to AP group employee. Configure names for the APs based on the APs'
deployment locations, so that you can know where the APs are deployed from their names.
For example, if the AP with MAC address 60de-4474-9640 is deployed in room 1 of the
second floor of the office building, name the AP office2-1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name lobby-1
[AC-wlan-ap-0] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC-wlan-ap-1] ap-name lobby-2
[AC-wlan-ap-1] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4474-9640
[AC-wlan-ap-2] ap-name office2-1
[AC-wlan-ap-2] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 60de-4474-9660
[AC-wlan-ap-3] ap-name office2-2
[AC-wlan-ap-3] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] quit

# After an AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [4]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------------------
ID   MAC            Name      Group    IP            Type     State STA Uptime      ExtraInfo
----------------------------------------------------------------------------------------------------
0    60de-4474-9640 office2-1 employee 10.23.100.253 AP5030DN nor   0   2H:30M:1S   -
1    60de-4474-9660 office2-2 employee 10.23.100.251 AP5030DN nor   0   2H:35M:2S   -
2    60de-4476-e360 lobby-1   guest    10.23.100.254 AP5030DN nor   0   2H:29M:29S  -
3    60de-4476-e380 lobby-2   guest    10.23.100.252 AP5030DN nor   0   2H:34M:11S  -
----------------------------------------------------------------------------------------------------
Total: 4

Step 6 Configure a RADIUS server template, and a RADIUS authentication scheme.


# Configure a RADIUS server template.
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 172.16.1.1 1812
[AC-radius-radius_huawei] radius-server shared-key cipher Huawei@123
[AC-radius-radius_huawei] quit

# Configure a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit

# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

Step 7 Configure a Portal server profile.


[AC] web-auth-server abc
[AC-web-auth-server-abc] server-ip 172.16.1.1
[AC-web-auth-server-abc] shared-key cipher Admin@123
[AC-web-auth-server-abc] port 50200
[AC-web-auth-server-abc] url https://172.16.1.1:8443/webauth
[AC-web-auth-server-abc] quit

Step 8 Configure the Portal access profile portal1.


[AC] portal-access-profile name portal1
[AC-portal-access-profile-portal1] web-auth-server abc layer3
[AC-portal-access-profile-portal1] quit

Step 9 Configure an authentication-free rule profile.


[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.2 mask 24
[AC-free-rule-default_free_rule] quit

Step 10 Configure the authentication profile p1.


[AC] authentication-profile name p1
[AC-authen-profile-p1] portal-access-profile portal1
[AC-authen-profile-p1] free-rule-template default_free_rule
[AC-authen-profile-p1] access-domain huawei.com portal force
[AC-authen-profile-p1] quit

Step 11 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile. By default,
the security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profiles guest and employee, and set the SSID names to guest and employee,
respectively.
[AC-wlan-view] ssid-profile name guest
[AC-wlan-ssid-prof-guest] ssid guest
[AC-wlan-ssid-prof-guest] quit
[AC-wlan-view] ssid-profile name employee
[AC-wlan-ssid-prof-employee] ssid employee
[AC-wlan-ssid-prof-employee] quit

# Create VAP profiles guest and employee, set the data forwarding mode and service
VLANs, and apply the security profiles and SSID profiles to the VAP profiles.
[AC-wlan-view] vap-profile name guest
[AC-wlan-vap-prof-guest] forward-mode tunnel
[AC-wlan-vap-prof-guest] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-guest] security-profile wlan-security
[AC-wlan-vap-prof-guest] ssid-profile guest
[AC-wlan-vap-prof-guest] authentication-profile p1
[AC-wlan-vap-prof-guest] quit
[AC-wlan-view] vap-profile name employee
[AC-wlan-vap-prof-employee] forward-mode tunnel
[AC-wlan-vap-prof-employee] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-employee] security-profile wlan-security
[AC-wlan-vap-prof-employee] ssid-profile employee
[AC-wlan-vap-prof-employee] authentication-profile p1
[AC-wlan-vap-prof-employee] quit

# Bind VAP profiles to the AP groups and apply the VAP profiles to radio 0 and radio 1 of the
APs.
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] vap-profile guest wlan 1 radio all
[AC-wlan-ap-group-guest] quit
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] vap-profile employee wlan 1 radio 0
[AC-wlan-ap-group-employee] vap-profile employee wlan 1 radio 1
[AC-wlan-ap-group-employee] quit

Step 12 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 13 Verify the configuration.


• After the configuration is complete, the WLAN with the SSID guest is available for
  STAs in the lobby and the WLAN with the SSID employee is available for STAs in
  office areas.
• The STAs obtain IP addresses when they successfully associate with the WLAN.
• When a user opens the browser and attempts to access the network, the user is
  automatically redirected to the authentication page provided by the external Portal server.
  After entering the correct user name and password on the page, the user can access the
  network.

----End

Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
• Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 102 200 201
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.67.201.1
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.67.201.1
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.67.201.1
#
interface Vlanif200
 ip address 10.45.200.2 255.255.255.0
#
interface Vlanif201
 ip address 10.67.201.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 101 to 102 200
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 201
#
ip route-static 0.0.0.0 0.0.0.0 10.67.201.1
#
return
• Router configuration file
#
sysname Router
#
vlan batch 201
#
dhcp enable
#
ip pool ap
 gateway-list 10.23.100.1
 network 10.23.100.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 10.45.200.1
#
ip pool sta1
 gateway-list 10.23.101.1
 network 10.23.101.0 mask 255.255.255.0
 dns-list 172.16.1.2
#
ip pool sta2
 gateway-list 10.23.102.1
 network 10.23.102.0 mask 255.255.255.0
 dns-list 172.16.1.2
#
interface Vlanif201
 ip address 10.67.201.1 255.255.255.0
 dhcp select global
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 201
#
ip route-static 10.23.100.0 255.255.255.0 10.67.201.2
ip route-static 10.23.101.0 255.255.255.0 10.67.201.2
ip route-static 10.23.102.0 255.255.255.0 10.67.201.2
#
return
• AC configuration file
#
sysname AC
#
vlan batch 101 to 102 200
#
authentication-profile name p1
 portal-access-profile portal1
 free-rule-template default_free_rule
 access-domain huawei.com portal force
#
vlan pool sta-pool
 vlan 101 to 102
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#Ug1l9V#SI(JTFp+*)J7<%CUQB(74-4vSIKO!x:NI%^%#
 radius-server authentication 172.16.1.1 1812 weight 80
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 172.16.1.2 mask 255.255.255.0
#
web-auth-server abc
 server-ip 172.16.1.1
 port 50200
 shared-key cipher %^%#4~ZXE3]6@BXu;2;aw}hA{rSb,@"L@T#e{%6G1AiD%^%#
 url https://172.16.1.1:8443/webauth
#
portal-access-profile name portal1
 web-auth-server abc layer3
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 domain huawei.com
  authentication-scheme radius_huawei
  radius-server radius_huawei
#
interface Vlanif200
 ip address 10.45.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 101 to 102 200
#
ip route-static 10.23.100.0 255.255.255.0 10.45.200.2
#
capwap source interface vlanif200
#
wlan
 security-profile name wlan-security
 ssid-profile name guest
  ssid guest
 ssid-profile name employee
  ssid employee
 vap-profile name guest
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
  ssid-profile guest
  security-profile wlan-security
  authentication-profile p1
 vap-profile name employee
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
  ssid-profile employee
  security-profile wlan-security
  authentication-profile p1
 regulatory-domain-profile name domain1
 ap-group name guest
  regulatory-domain-profile domain1
  radio 0
   vap-profile guest wlan 1
  radio 1
   vap-profile guest wlan 1
 ap-group name employee
  regulatory-domain-profile domain1
  radio 0
   vap-profile employee wlan 1
  radio 1
   vap-profile employee wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name lobby-1
  ap-group guest
 ap-id 1 type-id 19 ap-mac 60de-4476-e380 ap-sn 210235419610D2000066
  ap-name lobby-2
  ap-group guest
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
 ap-id 2 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235554710CB000075
  ap-name office2-1
  ap-group employee
 ap-id 3 type-id 19 ap-mac 60de-4474-9660 ap-sn 210235419610D2000097
  ap-name office2-2
  ap-group employee
#
return
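
Added example (not part of the Huawei guide): a Python check that parses an excerpt of the AC configuration file above and follows the chain VAP profile, security profile, authentication profile, free-rule template. It reports that the free rule written with mask 24 exempts all of 172.16.1.0/24 from authentication, while the data plan lists only the DNS server 172.16.1.2, and that the VAP relies on an open security profile. The function names, the planned-host list and the re-indented excerpt are constructed for illustration.

```python
import ipaddress

# Constructed sample: excerpt of this example's AC configuration file, re-indented.
AC_CONFIG = """\
authentication-profile name p1
 portal-access-profile portal1
 free-rule-template default_free_rule
 access-domain huawei.com portal force
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 172.16.1.2 mask 255.255.255.0
#
portal-access-profile name portal1
 web-auth-server abc layer3
#
wlan
 security-profile name wlan-security
 vap-profile name guest
  forward-mode tunnel
  ssid-profile guest
  security-profile wlan-security
  authentication-profile p1
#
return
"""


def parse_blocks(text):
    """Return [(header, [direct child lines])] based on the file's indentation."""
    blocks, stack = [], []                 # stack holds (indent, node) of open blocks
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):    # separators close every open block
            stack = []
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        node = (line, [])
        if stack:
            stack[-1][1][1].append(line)
        blocks.append(node)
        stack.append((indent, node))
    return blocks


def children(blocks, header):
    """Child lines of the first block with this header, or None if it is undefined."""
    return next((kids for head, kids in blocks if head == header), None)


def free_rule_networks(blocks, template):
    """Destination networks that a free-rule template exempts from authentication."""
    nets = []
    for rule in children(blocks, f"free-rule-template name {template}") or []:
        tok = rule.split()
        if tok[0] == "free-rule" and "ip" in tok and "mask" in tok:
            addr, mask = tok[tok.index("ip") + 1], tok[tok.index("mask") + 1]
            # strict=False because the rule gives a host address plus a mask
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def audit_vap(blocks, vap, planned_free_hosts):
    """Follow VAP profile -> security and authentication profiles -> free rules."""
    vap_kids = children(blocks, f"vap-profile name {vap}")
    if vap_kids is None:
        return [f"vap-profile {vap} is not defined"]
    refs = dict(kid.split(None, 1) for kid in vap_kids if " " in kid)
    findings = []

    sec = refs.get("security-profile")
    sec_kids = children(blocks, f"security-profile name {sec}") or []
    policy = [kid for kid in sec_kids if kid.startswith("security ")]
    if not policy or policy[0] == "security open":   # the page: default is open system
        findings.append(f"security-profile {sec}: open system, no link-layer encryption")

    auth = refs.get("authentication-profile")
    auth_kids = children(blocks, f"authentication-profile name {auth}")
    if auth_kids is None:
        return findings + [f"authentication-profile {auth} is not defined"]
    auth_refs = dict(kid.split(None, 1) for kid in auth_kids if " " in kid)

    portal = auth_refs.get("portal-access-profile")
    if children(blocks, f"portal-access-profile name {portal}") is None:
        findings.append(f"portal-access-profile {portal} is not defined")

    planned = [ipaddress.ip_address(host) for host in planned_free_hosts]
    for net in free_rule_networks(blocks, auth_refs.get("free-rule-template")):
        wanted = ", ".join(str(host) for host in planned if host in net) or "none"
        if net.num_addresses > sum(host in net for host in planned):
            findings.append(f"free-rule exempts {net} ({net.num_addresses} addresses), planned: {wanted}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_vap(parse_blocks(AC_CONFIG), "guest", ["172.16.1.2"])))
```

With the rule narrowed to mask 32, the free-rule finding disappears and only the open-system finding remains.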

12.5.9 Example for Configuring Built-in Portal Authentication

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 12-19, an AC in an enterprise is connected to the AP through access
switch SwitchA. The enterprise deploys the WLAN wlan-net to provide wireless network
access for employees. The AC functions as the DHCP server to assign IP addresses on the
network segment 10.23.101.0/24 to wireless users.
Because the WLAN is open to users, there are potential security risks to enterprise
information if no access control is configured for the WLAN. To meet the enterprise's security
requirements and save costs, configure built-in Portal authentication and use the RADIUS
server to authenticate identities of STAs.

Figure 12-19 Networking diagram for configuring built-in Portal authentication


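[Networking diagram: the AC connects upstream through GE0/0/2 (VLAN 101) toward the Internet,
the RADIUS server (10.23.200.1:1812) and the DNS server (10.23.200.2), and downstream through
GE0/0/1 (VLAN 100) to GE0/0/2 of SwitchA (VLAN 100). SwitchA connects through GE0/0/1
(VLAN 100) to the AP area_1, which serves the STAs.
IP address of the built-in Portal server: 10.1.1.1/24.
Management VLAN: VLAN 100. Service VLAN: VLAN 101.]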

Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with upper-layer and
lower-layer devices and the AP can go online.
2. Configure RADIUS authentication parameters.
3. Configure a Portal access profile for the built-in Portal server to manage Portal access
control parameters.
4. Configure an authentication-free rule profile so that the AC allows packets to the DNS
server to pass through.
5. Configure an authentication profile to manage NAC configuration.
6. Configure WLAN service parameters, and bind a security policy profile and an
authentication profile to a VAP profile to control access from STAs.

Table 12-11 Data plan

Item                                Data

RADIUS authentication parameters    Name of the RADIUS authentication scheme: radius_huawei
                                    Name of the RADIUS server template: radius_huawei
                                    • IP address: 10.23.200.1
                                    • Authentication port number: 1812
                                    • Shared key: Huawei@123
                                    AAA domain: huawei.com

Portal access profile               • Name: portal1
                                    • The built-in Portal server is used.
                                      – IP address of the built-in Portal server: 10.1.1.1/24
                                      – SSL policy: sslserver
                                      – TCP port number used by HTTPS: 400

Authentication-free rule profile    • Name: default_free_rule
                                    • Authentication-free resource: IP address of the DNS
                                      server (10.23.200.2)

Authentication profile              • Name: p1
                                    • Bound profile: Portal access profile portal1, and RADIUS
                                      authentication scheme radius_huawei
                                    • Forcible authentication domain: huawei.com

DHCP server                         The AC functions as the DHCP server to assign IP addresses
                                    to the AP and STAs.

IP address pool for the AP          10.23.100.2 to 10.23.100.254/24

IP address pool for the STAs        10.23.101.2 to 10.23.101.254/24

IP address of the AC's source       VLANIF 100: 10.23.100.1/24
interface

AP group                            • Name: ap-group1
                                    • Bound profile: VAP profile wlan-vap and regulatory domain
                                      profile domain1

Regulatory domain profile           • Name: domain1
                                    • Country code: CN

SSID profile                        • Name: wlan-ssid
                                    • SSID name: wlan-net

Security profile                    • Name: wlan-security
                                    • Security policy: Open

VAP profile                         • Name: wlan-vap
                                    • Forwarding mode: tunnel forwarding
                                    • Service VLAN: VLAN 101
                                    • Bound profile: SSID profile wlan-ssid, security profile
                                      wlan-security, and authentication profile p1

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC to function as the DHCP server to assign IP addresses to the AP and STAs.

# Configure the AC as the DHCP server to assign an IP address to the AP from the IP address
pool on VLANIF 100, and assign IP addresses to STAs from the IP address pool on VLANIF
101.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server dns-list 10.23.200.2
[AC-Vlanif101] quit

Step 5 Configure a route from the AC to the RADIUS server (Assume that the IP address of the
upper-layer device connected to the AC is 10.23.101.2).
[AC] ip route-static 10.23.200.1 255.255.255.0 10.23.101.2

Step 6 Configure the AP to go online.

# Create an AP group and add the AP to the AP group.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.

[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to AP group ap-group1. Configure a
name for the AP based on the AP's deployment location, so that you can know where the AP
is deployed from its name. This example assumes that the AP's MAC address is 60de-4476-
e360 and the AP is deployed in area 1. Name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-import ap-mac 60de-4476-e360 ap-group ap-group1 ap-name area_1
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 7 Configure a RADIUS server template, and a RADIUS authentication scheme.


NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.

# Configure a RADIUS server template.


[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
[AC-radius-radius_huawei] radius-server shared-key cipher Huawei@123
[AC-radius-radius_huawei] quit

# Configure a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit

# Create an AAA domain and configure the RADIUS server template and authentication
scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

Step 8 Configure the Portal access profile portal1.


# Configure SSL policy sslserver and load a digital certificate.
For details, see Configuring an SSL Policy and Loading a Digital Certificate.
# Enable the built-in Portal server function.
[AC] interface loopback 1
[AC-LoopBack1] ip address 10.1.1.1 24
[AC-LoopBack1] quit
[AC] portal local-server ip 10.1.1.1
[AC] portal local-server https ssl-policy sslserver port 400

# Create the Portal access profile portal1 and configure it to use the built-in Portal server.
[AC] portal-access-profile name portal1
[AC-portal-access-profile-portal1] portal local-server enable
[AC-portal-access-profile-portal1] quit

Step 9 Configure an authentication-free rule profile.


[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 10.23.200.2 mask 24
[AC-free-rule-default_free_rule] quit

Step 10 Configure the authentication profile p1.


[AC] authentication-profile name p1
[AC-authen-profile-p1] portal-access-profile portal1
[AC-authen-profile-p1] free-rule-template default_free_rule
[AC-authen-profile-p1] access-domain huawei.com portal force
[AC-authen-profile-p1] quit

Step 11 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile. By default,
the security policy is open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, configure the data forwarding mode and service VLANs, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 12 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 13 Verify the configuration.


• The WLAN with the SSID wlan-net is available for STAs after the configuration is
complete.
• The STAs obtain IP addresses when they successfully associate with the WLAN.
• When a user opens the browser and attempts to access the network, the user is
automatically redirected to the authentication page provided by the Portal server. After
entering the correct user name and password on the page, the user can access the
network.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
• AC configuration file
#
sysname AC
#
portal local-server ip 10.1.1.1
portal local-server https ssl-policy sslserver port 400
#
vlan batch 100 to 101
#
authentication-profile name p1
 portal-access-profile portal1
 free-rule-template default_free_rule
 access-domain huawei.com portal force
#
dhcp enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
 radius-server authentication 10.23.200.1 1812 weight 80
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0
#
portal-access-profile name portal1
 portal local-server enable
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 domain huawei.com
  authentication-scheme radius_huawei
  radius-server radius_huawei
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 10.23.200.2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
interface LoopBack1
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  authentication-profile p1
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return
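
The free rule configured in Step 9 uses mask 24, so it matches the whole 10.23.200.0/24 network, which also holds the RADIUS server at 10.23.200.1, while the data plan names only the DNS server (10.23.200.2) as the authentication-free resource. The following Python check is an added example, not part of the Huawei guide: it parses a constructed excerpt of the AC configuration file above, assumes a free rule matches every address in the network given by its IP address and mask, and uses hypothetical function names.

```python
import ipaddress
import re

# Constructed excerpt of the AC configuration file from this example.
AC_CONFIG = """\
radius-server template radius_huawei
 radius-server authentication 10.23.200.1 1812 weight 80
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 10.23.200.2
#
"""

# Only the rule form used on this page is parsed:
#   free-rule <id> destination ip <address> mask <length | dotted mask>
FREE_RULE = re.compile(
    r"^\s*free-rule\s+(\d+)\s+destination\s+ip\s+(\S+)\s+mask\s+(\S+)\s*$", re.M)
RADIUS_AUTH = re.compile(
    r"^\s*radius-server\s+authentication\s+(\d+(?:\.\d+){3})\b", re.M)
DNS_LIST = re.compile(r"^\s*dhcp\s+server\s+dns-list\s+(.+)$", re.M)


def parse_free_rules(config):
    """Return [(rule_id, IPv4Network)] for each destination-IP free rule."""
    rules = []
    for rule_id, addr, mask in FREE_RULE.findall(config):
        # strict=False masks off the host bits, e.g. 10.23.200.2/24 -> 10.23.200.0/24
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append((int(rule_id), net))
    return rules


def planned_dns_servers(config):
    """DNS servers handed to STAs by DHCP; the data plan exempts only these."""
    servers = []
    for line in DNS_LIST.findall(config):
        servers.extend(line.split())
    return servers


def audit_free_rules(config, intended_hosts=None):
    """Compare what each free rule matches with the hosts meant to be exempt."""
    if intended_hosts is None:
        intended_hosts = planned_dns_servers(config)
    intended = {ipaddress.ip_address(h) for h in intended_hosts}
    radius = {ipaddress.ip_address(a) for a in RADIUS_AUTH.findall(config)}
    findings = []
    for rule_id, net in parse_free_rules(config):
        wanted = sorted(h for h in intended if h in net)
        # Smallest set of IPv4 networks that still covers the intended hosts.
        minimal = ipaddress.collapse_addresses(
            ipaddress.ip_network(f"{h}/32") for h in wanted)
        findings.append({
            "rule": rule_id,
            "network": str(net),
            # Addresses reachable before authentication that were not planned.
            "unplanned_addresses": net.num_addresses - len(wanted),
            "radius_servers_covered": sorted(
                str(a) for a in radius if a in net and a not in intended),
            "minimal_networks": [str(n) for n in minimal],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_free_rules(AC_CONFIG):
        print(finding)
```
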

13 STA Blacklist and Whitelist Configuration

13.1 Understanding STA Blacklist and Whitelist


On a WLAN, a blacklist or whitelist can be configured to filter access from STAs based on
specified rules. The blacklist or whitelist allows authorized STAs to connect to the WLAN
and rejects access from unauthorized STAs.
• Whitelist
A whitelist contains MAC addresses of STAs that are allowed to connect to a WLAN.
After the whitelist function is enabled, only the STAs in the whitelist can connect to the
WLAN, and access from other STAs is rejected.
• Blacklist
A blacklist contains MAC addresses of STAs that are not allowed to connect to a
WLAN. After the blacklist function is enabled, STAs in the blacklist cannot connect to
the WLAN. Other STAs, however, can connect to the WLAN.
NOTE

If the STA whitelist or blacklist function is enabled but the whitelist or blacklist is empty, all STAs can
connect to the WLAN.

Figure 13-1 shows how STA blacklist and whitelist work.

Figure 13-1 STA blacklist and whitelist working process
[Flowchart: Start; check the STA access control mode (whitelist is enabled, blacklist is enabled, or whitelist and blacklist are disabled); is the whitelist empty?; is the packet source MAC address in the whitelist or in the blacklist?; allow user access or reject user access.]

13.2 Application Scenarios for STA Blacklist and Whitelist


STA Whitelist
As shown in Figure 13-2, visiting employees often bring their laptops into an AP's coverage
area on a campus network. If only STAs of a few local employees are allowed to connect to
the wireless network, the enterprise can configure the whitelist function on the AC and add
MAC addresses of these STAs to the whitelist. In this example, STA2 is added to the
whitelist. Then only STA2 can connect to the wireless network, and STAs not in the whitelist
(STA1, STA3, and STA4 in Figure 13-2) cannot connect to the wireless network through the
AP.

Figure 13-2 STA whitelist application
[Network diagram: STA1, STA2, STA3, and STA4 are in the coverage area of an AP, which connects through the AC to the Internet.]

STA Blacklist
As shown in Figure 13-3, many STAs of local employees exist in an AP's coverage area on a
campus network. Guests or visiting employees sometimes bring their laptops to this AP's
coverage area. If only STAs of guests or visiting employees are not allowed to connect to the
wireless network, the enterprise can configure the blacklist function on the AC and add MAC
addresses of these STAs to the blacklist. In this example, STA4 is added to the blacklist. Then
STA4 cannot connect to the wireless network through the AP, and other STAs (STA1, STA2,
and STA3 in Figure 13-3) can connect to the wireless network.

Figure 13-3 STA blacklist application
[Network diagram: STA1, STA2, STA3, and STA4 are in the coverage area of an AP, which connects through the AC to the Internet.]

13.3 Default Settings for STA Blacklist and Whitelist


Table 13-1 Default settings for STA blacklist and whitelist

Parameter                               Default Setting
STA blacklist and whitelist profiles    None

13.4 Configuring STA Blacklist and Whitelist


Pre-configuration Tasks
Before configuring STA blacklists and whitelists, perform the tasks in 5 WLAN Service
Configuration.

Procedure
STA blacklists and whitelists are configured using profiles. Figure 13-4 shows the
configuration flowchart.

Figure 13-4 STA blacklist and whitelist configuration flowchart
[Flowchart: STA whitelist and STA blacklist profiles are referenced by an AP system profile or a VAP profile, which is bound to an AP group or AP. In the same profile, either the STA whitelist profile or STA blacklist profile takes effect at one time.]

The configuration procedure is as follows:

13.4.1 Configuring a STA Whitelist Profile

Context
A STA whitelist profile contains MAC addresses of STAs allowed to connect to the WLAN.
To allow only some STAs to connect to the WLAN, configure a STA whitelist profile and
apply the STA whitelist profile to an AP system profile or a VAP profile.

The effective scope of the STA whitelist profile differs according to the profiles to which it is
applied.
• AP system profile: The STA whitelist profile takes effect based on the AP. APs using the
AP system profile will use the STA whitelist. The STA whitelist profile takes effect on
all STAs connected to the APs (all VAPs).
• VAP profile: The STA whitelist profile takes effect based on the VAP. If the STA
whitelist profile is applied to an AP, the STA whitelist profile applies only to STAs
connected to the corresponding VAPs.

If the STA blacklist or whitelist profiles are configured in both an AP system profile and a
VAP profile, a STA can connect to the WLAN only when it is permitted by both the
configuration in the AP system profile and VAP profile.

NOTE
If a STA whitelist profile is empty, no STA can connect to the WLAN to access network resources.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run sta-whitelist-profile name profile-name

A STA whitelist profile is created and the STA whitelist profile view is displayed.

By default, no STA whitelist profile is created.

Step 4 Add STAs to the whitelist using either or both of the following methods based on actual
situations:
• Run the sta-mac mac-address command to add the MAC address of a STA.
• Run the oui oui command to add the OUI of STAs.

MAC addresses and OUIs share specifications in the whitelist. A maximum of 3276 MAC
addresses or OUIs can be added to a STA whitelist.

By default, the MAC address or OUI of a STA is not added to the whitelist.

----End

13.4.2 Configuring a STA Blacklist Profile

Context
A STA blacklist profile contains MAC addresses of wireless terminals forbidden to connect to
the WLAN. To forbid some STAs to connect to the WLAN, configure a STA blacklist profile
and apply the STA blacklist profile to an AP system profile or a VAP profile.

The effective scope of the STA blacklist profile differs according to the profiles to which it is
applied.
• AP system profile: The STA blacklist profile takes effect based on the AP. APs using the
AP system profile will use the STA blacklist profile. The STA blacklist profile takes
effect on all STAs connected to the APs (all VAPs).
• VAP profile: The STA blacklist profile takes effect based on the VAP. If the STA
blacklist profile is applied to an AP, the STA blacklist profile applies only to STAs
connected to the corresponding VAPs.

If the STA blacklist or whitelist profiles are configured in both an AP system profile and a
VAP profile, a STA can connect to the WLAN only when it is permitted by both the
configuration in the AP system profile and VAP profile.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run sta-blacklist-profile name profile-name

A STA blacklist profile is created and the STA blacklist profile view is displayed.

By default, no STA blacklist profile is created.

Step 4 Run sta-mac mac-address

The MAC address of a STA is added.

A maximum of 3276 STA MAC addresses can be added to a STA blacklist profile.

By default, the MAC address of a STA is not added to the blacklist.

----End

13.4.3 Applying the Configuration to a VAP Profile or an AP System Profile

Context
You can configure multiple STA whitelist and blacklist profiles on the device and apply the
profiles to different VAP profiles or AP system profiles. In a VAP profile or AP system
profile, either the STA whitelist profile or STA blacklist profile takes effect at one time.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Apply the configuration to make it take effect.


• Applying the configuration to a VAP profile
a. Run the vap-profile name profile-name command to enter the VAP profile view.
b. Run the sta-access-mode { blacklist | whitelist } profile-name command to specify
whether the STA blacklist or STA whitelist profile takes effect.
By default, no STA blacklist or whitelist profile applies to a VAP profile.
• Applying the configuration to an AP system profile
a. Run the ap-system-profile name profile-name command to enter the AP system
profile view.
b. Run the sta-access-mode { blacklist | whitelist } profile-name command to specify
whether the STA blacklist or STA whitelist profile takes effect.
By default, no STA blacklist or whitelist profile is bound to an AP system profile.

----End
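
The combination rule described in 13.4.1 to 13.4.3 (one STA whitelist or blacklist per profile, and a STA must be permitted by both the VAP profile and the AP system profile) can be modelled as follows. This Python model is an added example, not Huawei code: class and function names are hypothetical, the OUI is assumed to be the first three bytes of the MAC address, the guest MAC address is constructed, and the treatment of an empty whitelist is passed in explicitly rather than assumed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

_SEPARATORS = re.compile(r"[-:.]")


def _hex_digits(text: str, length: int) -> str:
    """Strip separators and return exactly `length` lowercase hex digits."""
    digits = _SEPARATORS.sub("", text.strip()).lower()
    if not re.fullmatch(rf"[0-9a-f]{{{length}}}", digits):
        raise ValueError(f"expected {length} hex digits, got {text!r}")
    return digits


@dataclass
class StaListProfile:
    """Entries of one STA whitelist or blacklist profile."""
    macs: set = field(default_factory=set)  # sta-mac entries
    ouis: set = field(default_factory=set)  # oui entries (whitelist profiles)

    def add_mac(self, mac: str) -> "StaListProfile":
        self.macs.add(_hex_digits(mac, 12))
        return self

    def add_oui(self, oui: str) -> "StaListProfile":
        self.ouis.add(_hex_digits(oui, 6))
        return self

    def is_empty(self) -> bool:
        return not self.macs and not self.ouis

    def contains(self, mac: str) -> bool:
        # Assumption: an OUI entry matches the first three bytes of the MAC.
        return mac in self.macs or mac[:6] in self.ouis


@dataclass
class AccessMode:
    """Models `sta-access-mode { blacklist | whitelist } profile-name`."""
    mode: str
    profile: StaListProfile

    def __post_init__(self):
        if self.mode not in ("whitelist", "blacklist"):
            raise ValueError(f"unknown mode {self.mode!r}")


def profile_permits(access: Optional[AccessMode], mac: str,
                    empty_whitelist_allows_all: bool) -> bool:
    """Decision of a single VAP profile or AP system profile."""
    if access is None:            # no sta-access-mode configured in this profile
        return True
    if access.mode == "blacklist":
        return not access.profile.contains(mac)
    if access.profile.is_empty():  # caller states how the device treats this
        return empty_whitelist_allows_all
    return access.profile.contains(mac)


def sta_permitted(mac: str, vap: Optional[AccessMode],
                  ap_system: Optional[AccessMode], *,
                  empty_whitelist_allows_all: bool) -> bool:
    """A STA connects only if both profiles permit it."""
    m = _hex_digits(mac, 12)
    return (profile_permits(vap, m, empty_whitelist_allows_all)
            and profile_permits(ap_system, m, empty_whitelist_allows_all))


def evaluate(stas: dict, vap, ap_system, *, empty_whitelist_allows_all: bool) -> dict:
    return {name: sta_permitted(mac, vap, ap_system,
                                empty_whitelist_allows_all=empty_whitelist_allows_all)
            for name, mac in stas.items()}


# STA1 to STA4 use the MAC addresses of the example in 13.5.1; "guest" is constructed.
STAS = {"STA1": "0011-2233-4455", "STA2": "0011-2233-4466",
        "STA3": "0011-2233-4477", "STA4": "0011-2233-4488",
        "guest": "00e0-fc12-3456"}
VAP_WHITELIST = AccessMode(
    "whitelist", StaListProfile().add_mac(STAS["STA1"]).add_mac(STAS["STA2"]))
AP_BLACKLIST = AccessMode(
    "blacklist", StaListProfile().add_mac(STAS["STA3"]).add_mac(STAS["STA4"]))

if __name__ == "__main__":
    result = evaluate(STAS, VAP_WHITELIST, AP_BLACKLIST,
                      empty_whitelist_allows_all=False)
    for name, allowed in result.items():
        print(f"{name}: {'allow' if allowed else 'reject'}")
```
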

13.4.4 Verifying the STA Blacklist and Whitelist Configuration

Context
After the STA blacklist and whitelist configuration is complete, you can check STA whitelist
and blacklist profiles on the device, including their configuration and profile reference
information.

Procedure
• Run the display sta-whitelist-profile { all | name profile-name } command to check
information about the STA whitelist profile.
• Run the display sta-blacklist-profile { all | name profile-name } command to check
information about the STA blacklist profile.
• Run the display references sta-whitelist-profile name profile-name command to check
reference information about the STA whitelist profile.
• Run the display references sta-blacklist-profile name profile-name command to check
reference information about the STA blacklist profile.
----End

13.5 Configuration Examples for STA Blacklist and Whitelist

13.5.1 Example for Configuring STA Blacklist and Whitelist

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 13-5, the AC and AP are connected through access switch SwitchA. An
enterprise provides a WLAN with the SSID wlan-net for management personnel to access the
enterprise network. STAs automatically obtain IP addresses.

The WLAN with a small number of management personnel can use the STA whitelist. MAC
addresses of management personnel's wireless terminals can be added to a STA whitelist,
preventing other employees from accessing the WLAN.

The management personnel found that some unauthorized STAs are online. To prevent this
situation, management personnel can add MAC addresses of the STAs to a blacklist to prevent
these STAs from accessing the WLAN. STAs that are not in the blacklist can access the
WLAN.

Figure 13-5 Networking diagram for configuring the STA blacklist and whitelist
[Network diagram: the AP connects to GE0/0/1 (VLAN 100) of SwitchA; GE0/0/2 (VLAN 100) of SwitchA connects to GE0/0/1 (VLAN 100) of the AC; GE0/0/2 (VLAN 101) of the AC connects to the Internet. STA1: 0011-2233-4455, STA2: 0011-2233-4466, STA3: 0011-2233-4477, STA4: 0011-2233-4488.]
Management VLAN: 100
Service VLAN: 101

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN.
2. Configure a STA whitelist. Add MAC addresses of management personnel's wireless
terminals to the whitelist. To prevent configuration impacts on other VAPs, configure the
STA whitelist for a VAP, instead of an AP.
3. Configure a STA blacklist for an AP. Add MAC addresses of some STAs to the blacklist
to prevent the STAs from associating with the AP, ensuring WLAN network security.
NOTE

The STA whitelist and blacklist cannot be configured simultaneously for a VAP or an AP, that is, the STA
whitelist and blacklist cannot take effect at the same time in a VAP profile or an AP system profile.

Table 13-2 Data planning

Item
    Data

DHCP server
    The AC functions as a DHCP server to assign IP addresses to the STAs and AP.

IP address pool for the AP
    10.23.100.2-10.23.100.254/24

IP address pool for STAs
    10.23.101.2-10.23.101.254/24

AC's source interface address
    VLANIF 100: 10.23.100.1/24

STA whitelist profile
    • Name: sta-whitelist
    • STAs added to the STA whitelist: STA1 and STA2

STA blacklist profile
    • Name: sta-blacklist
    • STAs added to the STA blacklist: STA3 and STA4

AP system profile
    • Name: wlan-system
    • Referenced profile: STA blacklist profile sta-blacklist

AP group
    • Name: ap-group1
    • Referenced profile: VAP profile wlan-vap, AP system profile wlan-system, and regulatory domain profile domain1

Regulatory domain profile
    • Name: domain1
    • Country code: CN

SSID profile
    • Name: wlan-ssid
    • SSID name: wlan-net

Security profile
    • Name: wlan-security
    • Security policy: open system authentication

VAP profile
    • Name: wlan-vap
    • Forwarding mode: tunnel forwarding
    • Service VLAN: VLAN 101
    • Referenced profile: SSID profile wlan-ssid, security profile wlan-security, and STA whitelist profile sta-whitelist

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.

# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.

# Create an AP group and add the AP to the AP group.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit


# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [1]
Extra information:
P  : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure a STA whitelist in a VAP profile.


# Create the STA whitelist profile sta-whitelist and add MAC addresses of STA1 and STA2
to the whitelist.
[AC-wlan-view] sta-whitelist-profile name sta-whitelist
[AC-wlan-whitelist-prof-sta-whitelist] sta-mac 0011-2233-4455
[AC-wlan-whitelist-prof-sta-whitelist] sta-mac 0011-2233-4466
[AC-wlan-whitelist-prof-sta-whitelist] quit

# Create the VAP profile wlan-vap and bind the STA whitelist profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] sta-access-mode whitelist sta-whitelist
[AC-wlan-vap-prof-wlan-vap] quit

Step 7 Configure a global STA blacklist.


# Create the STA blacklist profile sta-blacklist and add MAC addresses of STA3 and STA4 to
the blacklist.
[AC-wlan-view] sta-blacklist-profile name sta-blacklist
[AC-wlan-blacklist-prof-sta-blacklist] sta-mac 0011-2233-4477
[AC-wlan-blacklist-prof-sta-blacklist] sta-mac 0011-2233-4488
[AC-wlan-blacklist-prof-sta-blacklist] quit

# Create the AP system profile wlan-system and bind the STA blacklist profile to the AP
system profile.
[AC-wlan-view] ap-system-profile name wlan-system
[AC-wlan-ap-system-prof-wlan-system] sta-access-mode blacklist sta-blacklist
[AC-wlan-ap-system-prof-wlan-system] quit

Step 8 Configure WLAN service parameters.


# Create the security profile wlan-security.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] quit

# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# In the VAP profile wlan-vap, set the data forwarding mode and service VLAN, and bind the
security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap and AP system profile wlan-system to the AP group.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] ap-system-profile wlan-system
[AC-wlan-ap-group-ap-group1] quit

Step 9 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.


[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 10 Verify the configuration.


The WLAN with SSID wlan-net is available for STAs connected to the AP.
STA1 and STA2 can connect to the WLAN. STA3 and STA4 cannot connect to the WLAN.

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 sta-blacklist-profile name sta-blacklist
  sta-mac 0011-2233-4477
  sta-mac 0011-2233-4488
 sta-whitelist-profile name sta-whitelist
  sta-mac 0011-2233-4455
  sta-mac 0011-2233-4466
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  sta-access-mode whitelist sta-whitelist
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain1
 ap-system-profile name wlan-system
  sta-access-mode blacklist sta-blacklist
 ap-group name ap-group1
  ap-system-profile wlan-system
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
  radio 1
   channel 20mhz 149
   eirp 127
   calibrate auto-channel-select disable
   calibrate auto-txpower-select disable
#
return
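
The following Python sketch is an added example, not part of the Huawei guide. It parses the STA list lines of the AC configuration file in this example, reports which STAs may associate and why, and flags list profiles that are defined but never bound to an AP group. The function names are illustrative, and the rule that a STA must be permitted by both the VAP-level list and the AP-level list is an assumption of the sketch.

```python
import re

LIST_KINDS = ("sta-whitelist-profile", "sta-blacklist-profile")

# Constructed input: the STA-filtering lines of the AC configuration file in this
# example, indented one space per view level as in a saved configuration.
SAMPLE_WLAN_CONFIG = """\
wlan
 sta-blacklist-profile name sta-blacklist
  sta-mac 0011-2233-4477
  sta-mac 0011-2233-4488
 sta-whitelist-profile name sta-whitelist
  sta-mac 0011-2233-4455
  sta-mac 0011-2233-4466
 vap-profile name wlan-vap
  sta-access-mode whitelist sta-whitelist
 ap-system-profile name wlan-system
  sta-access-mode blacklist sta-blacklist
 ap-group name ap-group1
  ap-system-profile wlan-system
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
"""


def normalize_mac(mac):
    """Accept H-H-H, colon or per-byte hyphen notation; return 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_wlan(config):
    """Collect the STA list profiles and the profiles and AP groups that bind them."""
    model = {"lists": {}, "vap": {}, "system": {}, "group": {}}
    section = None  # (command, name) of the profile or group view being read
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        if depth <= 1:
            named = depth == 1 and len(words) == 3 and words[1] == "name"
            section = (words[0], words[2]) if named else None
            if named and words[0] in LIST_KINDS:
                model["lists"][words[2]] = set()
            elif named and words[0] == "ap-group":
                model["group"][words[2]] = {"system": None, "vaps": set()}
            continue
        if section is None:
            continue
        kind, name = section
        if kind in LIST_KINDS and words[0] == "sta-mac":
            model["lists"][name].add(normalize_mac(words[1]))
        elif (kind in ("vap-profile", "ap-system-profile")
              and words[0] == "sta-access-mode" and len(words) == 3):
            level = "vap" if kind == "vap-profile" else "system"
            model[level][name] = (words[1], words[2])
        elif kind == "ap-group" and words[0] == "ap-system-profile":
            model["group"][name]["system"] = words[1]
        elif kind == "ap-group" and words[0] == "vap-profile":
            model["group"][name]["vaps"].add(words[1])
    return model


def evaluate(model, group, vap, mac):
    """Return (permitted, reasons). Assumption: the STA must pass the list bound to
    the VAP profile and the list bound to the group's AP system profile."""
    mac = normalize_mac(mac)
    system = model["group"][group]["system"]
    bindings = [(f"VAP profile {vap}", model["vap"].get(vap)),
                (f"AP system profile {system}", model["system"].get(system))]
    reasons = []
    for where, rule in bindings:
        if rule is None:
            continue  # no STA list is bound at this level
        mode, list_name = rule
        listed = mac in model["lists"].get(list_name, set())
        if mode == "whitelist" and not listed:
            reasons.append(f"not in whitelist {list_name} ({where})")
        elif mode == "blacklist" and listed:
            reasons.append(f"in blacklist {list_name} ({where})")
    return (not reasons, reasons)


def unused_lists(model):
    """List profiles that no profile bound to an AP group references; they filter nothing."""
    used = set()
    for grp in model["group"].values():
        rules = [model["vap"].get(v) for v in grp["vaps"]]
        rules.append(model["system"].get(grp["system"]))
        used.update(rule[1] for rule in rules if rule)
    return sorted(set(model["lists"]) - used)
```

Run against this example, STA3 and STA4 are denied twice (they are absent from the VAP whitelist and present in the global blacklist), and any MAC that is on neither list is also denied on wlan-vap, because the whitelist alone decides access on that VAP.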


14 WDS Configuration

14.1 Overview of WDS

Definition
A wireless distribution system (WDS) connects two or more wired or wireless LANs
wirelessly to establish a large network.

Purpose
On a traditional WLAN, APs exchange data with STAs using wireless channels and connect
to a wired network through uplinks. To expand the coverage area of a wireless network, APs
need to be connected by switches. This deployment involves high costs and takes a long time.
In some places, such as subways, tunnels, and docks, it is difficult to connect APs to the
Internet through wired links. WDS technology can connect APs wirelessly in these places,
which reduces network deployment costs, makes the network easy to expand, and allows
flexible networking.

14.2 Understanding WDS


WDS Concepts

Figure 14-1 WDS networking
[Figure: AC, switch, AP1 (root), AP2 (middle), AP3 (leaf), STAs, and a LAN with a PC; labels: VAP0, VAP12, VAP13, root wired interface, endpoint wired interface; legend: STA VAP, AP VAP, wireless virtual link]

• Service VAP: On a traditional WLAN, an AP is a physical entity that provides WLAN
services to STAs. A service virtual access point (VAP) is a logical entity that provides
access service for users. Multiple VAPs can be created on an AP to provide access
service for multiple user groups. In Figure 14-1, VAP0 created on AP3 is a service VAP.
• WDS VAP: On a WDS network, an AP is a functional entity that provides WDS service
for neighboring devices. WDS VAPs include AP and STA VAPs. The ID of STA VAPs is
fixed at 13, and that of AP VAPs is fixed at 12. AP VAPs provide connections for STA
VAPs. In Figure 14-1, VAP13 created on AP3 is a STA VAP, and VAP12 created on AP2
is an AP VAP.
• Wireless virtual link (WVL): a connection set up between a STA VAP and an AP VAP
on neighboring APs, as shown in Figure 14-1.
• AP working mode: Depending on its location on a WDS network, an AP can work in
root, middle, or leaf mode, as shown in Figure 14-1.
– Root: The AP directly connects to an AC through a wired link and uses an AP VAP
to set up wireless virtual links with a STA VAP.
– Middle: The AP uses a STA VAP to connect to an AP VAP on an upstream AP and
uses an AP VAP to connect to a STA VAP on a downstream AP.
– Leaf: The AP uses a STA VAP to connect to an AP VAP on an upstream AP.
• Working mode of an AP's wired interface: On a WDS network, depending on the
location of the AP, a wired interface works in root or endpoint mode.
– Root: The wired interface connects to an upstream wired network.
– Endpoint: The wired interface connects to a downstream user host or LAN.


NOTE

On a WDS network, one wired interface must work in root mode to connect to the wired network.

WDS Implementation
• AP online process
After WDS is enabled on an AP, the AP automatically creates WDS VAPs (AP VAP and
STA VAP). The AP uses the WDS VAPs to set up WVLs with other APs. The AP
connects to the AC through the WVL and obtains configurations from the AC.
• Service intercommunication
On a WDS network, service data is transmitted over the WVLs. After an AP goes online,
it needs to set up service links through WVLs. Figure 14-2 shows how a service link is
set up between AP2 and AP3 on the WDS network shown in Figure 14-1.

Figure 14-2 Setting up a service link
[Figure: message sequence between AP3 (STA VAP) and AP2 (AP VAP): Probe Request, Probe Response, Authentication Request, Authentication Response, Association Request, Association Response, Access authentication, Key negotiation]

a. Probe request
AP3 broadcasts a Probe Request frame carrying a WDS-Name field (similar to
SSID in WLAN service).
b. Probe response
AP2 receives the Probe Request frame and sends AP3 a Probe Response frame.
c. Authentication request
After AP3 receives the Probe Response frame, it sends AP2 an Authentication
Request frame.
d. Authentication response
After AP2 receives the Authentication Request frame, it determines whether to
allow access from AP3, depending on the WDS whitelist configuration:
▪ If the WDS whitelist is not enabled, AP2 allows access from AP3 and sends an
Authentication Response frame to notify AP3 that the authentication has
succeeded.
▪ If the WDS whitelist is enabled, AP2 checks whether the MAC address of AP3
is included in the WDS whitelist.
○ If the MAC address of AP3 is included in the WDS whitelist, AP2 allows
access from AP3 and sends an Authentication Response frame to notify
AP3 that the authentication has succeeded.
○ If the MAC address of AP3 is not included in the WDS whitelist, AP2
sends an Authentication Response frame with an error code, indicating
that the authentication has failed. The process ends and the service
wireless virtual link (WVL) cannot be set up.
e. Association request
After AP3 receives the Authentication Response frame indicating successful
authentication, it sends an Association Request frame to AP2.
f. Association response
After AP2 receives the Association Request frame, it sends an Association
Response frame to request AP3 to start the access authentication.
g. Access authentication
On a WDS network, the access authentication method for a STA VAP must be
WPA2-PSK. Therefore, AP3 and AP2 use a pre-configured shared key for
negotiation. If each AP can decrypt the messages sent by the other using the shared
key, both hold the same shared key and the access authentication is successful.
h. Key negotiation
AP3 and AP2 negotiate an encryption key to encrypt service packets.
NOTE

• After a service link is set up, APs periodically send link status messages to each other. If one AP does not
receive any such message from the other AP, it disconnects the service link and starts to set up a new one.
• If the AC delivers new WDS parameter settings to APs, the APs use them to set up service links.

WDS Network Architecture


A WDS network can be deployed in point-to-point or point-to-multipoint mode.
• Point-to-point deployment
As shown in Figure 14-3, AP1 sets up wireless virtual links with AP2 to provide
wireless access service for users.

Figure 14-3 Point-to-point WDS deployment
[Figure: AP1, AP2, switch, AC, Internet, STAs, and a LAN with PCs; legend: wireless virtual link]

• Point-to-multipoint deployment
As shown in Figure 14-4, AP1, AP2, and AP3 set up wireless virtual links with AP4.
Data from all STAs associating with AP1, AP2, and AP3 is forwarded by AP4.

Figure 14-4 Point-to-multipoint WDS deployment
[Figure: AP1, AP2, AP3, AP4, switch, AC, Internet, STAs, and LANs with PCs; legend: management wireless virtual link]

14.3 Application Scenarios for WDS


In WDS application scenarios, APs can be deployed in the hand-in-hand or back-to-back
mode.

Hand-in-Hand WDS Networking


As shown in Figure 14-5, AP1 is a single-band AP that works on the 2.4 GHz frequency band;
AP2 and AP3 are both dual-band APs. AP1 and AP2 use the 2.4 GHz radio to set up wireless
virtual links (WVLs), while AP2 and AP3 use the 5 GHz radio to set up WVLs. AP3 connects
STAs to the WLAN through the 2.4 GHz radio. On a hand-in-hand WDS network, AP1, AP2,
and AP3 use different radios to set up WVLs.

Figure 14-5 Hand-in-hand WDS networking applications
[Figure: AP3 (leaf), AP2 (root/leaf), AP1 (root), switch, AC, Internet, STAs, and PCs; link labels: 5G, 2.4G; legend: wireless virtual link]

NOTE

In the figure, the 2.4 GHz radio of AP2 functions as a leaf node for AP1, and the 5 GHz radio
of AP2 functions as a root node for AP3.
If APs that support dual 5G radios, such as the AP8130DN, are used as AP1 and AP2, you can set
radio 0 of the two APs to the 5G radio.

Back-to-Back WDS Networking


In outdoor scenarios, such as school campuses, plantations, and mountain areas, wired networks
are difficult to deploy. When networks to be connected are far from each other or blocked by
obstacles, APs can be cascaded as trunk bridges in back-to-back mode. This networking
ensures sufficient bandwidth on wireless links for long distance data transmission. Figure
14-6 shows the back-to-back WDS networking.

Figure 14-6 Back-to-back WDS networking
[Figure: Internet, AC, switch, PCs, AP1 (root), AP2 (leaf), AP3 (root), AP4 (leaf), AP5 (leaf), AP6 (leaf), and STAs; legend: wireless virtual link]

14.4 STP Scenarios Supported by a WDS Network

NOTE

• An AC can deliver STP configurations to the APs only when wired interfaces of the
preceding APs are not bound to an Eth-trunk interface.

A WDS network supports only transparent transmission of STP packets. An STP-enabled AP
does not forward STP packets to the wireless side. STP takes effect only on the AP's wired
side.

When deploying a WDS network, avoid network loops. In WDS networking, STP applies
only to scenarios where the WDS network forms a single loop with the wired network. Table
14-1 describes STP scenarios supported by a WDS network.


Table 14-1 STP scenarios supported by a WDS network

Scenario 1
[Figure: the AC (GE0/0/1), root, middle, and leaf nodes, and a switch, joined by wired links and wireless virtual links; annotation: "STP cannot be enabled on GE0/0/1 of the AC."]
Description: WDS links form a single loop with wired links. STP is enabled on non-AP network
elements (NEs) on the loop but not enabled on NEs connected to the WDS network that are not
involved in the loop. In this case, STP takes effect and breaks the loop.
As shown in the figure, the switch forms a single loop with WDS links. To break the loop,
enable STP on the switch and ensure that STP is not enabled on GE0/0/1 connecting the AC to
the root node.

Scenario 2
[Figure: the AC, SwitchA, SwitchB, and the root node on loop 1; annotation: "STP needs to be enabled on the root AP's wired port."]
Description: The WDS network connects to an AP with dual network ports. A loop exists on the
AP's wired-side interfaces and the wired-side interfaces are not bound to an Eth-trunk
interface. To prevent transparent forwarding of STA packets to the wireless side, enable STP
on the AP.
In the figure, the AC, SwitchA, SwitchB, and root node form a loop (loop 1), and SwitchC,
SwitchD, and the leaf node form a loop (loop 2). If STP packets are transparently transmitted
over WDS links, STP on loop 1 incorrectly includes SwitchC and SwitchD on loop 2 into its
calculation.
To prevent calculation errors, enable STP on the root node and leaf node so that STP packets
from loop 1 and loop 2 will not be transparently forwarded to the wireless side. The root node
implements STP calculation of loop 1 and blocks wired-side interfaces based on the calculation
results. The leaf

14.5 Understanding WDS Profiles


A WDS profile contains major parameters required for configuring the WDS function. To
enable radios of an AP group or a specified AP to set up Mesh links, a WDS profile must be
applied to the radios.

When configuring WDS services, use the WDS profile with the following profiles:
• Security profile: After a security profile is bound to a WDS profile, parameters in the
security profile will be used for WDS link setup to ensure security of WDS links. The
WPA2+PSK+AES security policy is recommended for a WDS security profile.
• WDS whitelist profile: A WDS whitelist profile contains MAC addresses of neighboring
APs allowed to set up WDS links with an AP. After a WDS whitelist profile is applied to
an AP radio, only APs with MAC addresses in the whitelist can access the AP, and other
APs are denied. In the WDS, only APs with radios working in root mode and middle
mode can have a whitelist configured. APs in leaf mode require no whitelist.
NOTE

– A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the
local AP only after passing security authentication.
– If no WDS whitelist profile is used, all neighboring APs can access the local AP.
• AP group radio or AP radio: You can configure major feature parameters for radios in an
AP group or a specified AP radio, including the working channel and bandwidth,
antenna gain, transmit power, and radio coverage distance. For example, when
configuring the WDS function, configure the same channel for radios of WDS APs.
• Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can
configure other radio parameters for WDS links through a radio profile.

By default, the system provides the WDS profile default. By default, the security profile
default-wds with the security policy WPA2+PSK+AES and the security key huawei_secwds
is referenced by a WDS profile regardless of whether the WDS profile is the default profile
provided by the system or a WDS profile created by users. If the default security profile
default-wds is used, you are advised to change the security key of the profile to ensure
security.

14.6 Licensing Requirements and Limitations for WDS


Involved Network Elements
AP
• APs mentioned in this document are Huawei AP products. You are advised to use
Huawei APs to connect to the AC.
• You can run the display ap-type all command to check the default AP types supported
by the device.
• When central APs and RUs are used, ensure that their versions are the same. For
example, if the central AP version is V200R007C10, the RU version must be
V200R007C10.


Table 14-2 Mapping between switch versions and AP versions

Product Software Version   AP Software Version
V200R012C00                V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10                V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00                V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00                V200R007C10, V200R006C20, V200R006C10
V200R009C00                V200R006C20, V200R006C10
V200R008C00                V200R005C30, V200R005C20, V200R005C10
V200R007                   V200R005C20, V200R005C10
V200R006                   V200R005C00

Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
• AP resource license-16AP for WLAN access controller
• AP resource license-64AP for WLAN access controller
• AP resource license-128AP for WLAN access controller
• AP resource license-512AP for WLAN access controller

For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.

Version Requirements

Table 14-3 Products and minimum version supporting WDS

Series                  Product Model      Minimum Version Required
S1700 series switches   -                  Not supported
S2700 series switches   -                  Not supported
S3700 series switches   -                  Not supported
S5700 series switches   S5720HI, S5730HI   S5720HI: V200R006; S5730HI: V200R012
S6700 series switches   S6720HI            V200R012

Feature Limitations
• The AD9431DN-24X central AP (including the mapping RUs), AD9430DN-24 central
AP (including the mapping RUs), AD9430DN-12 central AP (including the mapping
RUs), AP2010DN, AP2030DN, AP2050DN, AP2050DN-E, AP7030DE, AP9330DN,
AP2051DN, AP2051DN-E, and AP6310SN-GN do not support the WDS function.
• On a WDS or Mesh network, an 802.11ac AP cannot interoperate with non-802.11ac
APs regardless of the radio types used by the AP. Only 802.11ac APs can interoperate
with each other.
NOTE
Among all WDS- or Mesh-capable APs, the AP1050DN-S, AP4050DN, AP4051DN, AP4151DN,
AP8050DN, AP8150DN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP8130DN-W,
AP4030DN, AP4130DN, AP9131DN, AP9132DN, AP6050DN, AP6150DN, AP7050DE, AP7050DN-E,
AP4030TN, AP4050DN-E, AP4050DN-HD, AP4051TN, AP6052DN, AP7052DN, AP7152DN,
AP7052DE, AP8050TN-HD, AP8082DN, and AP8182DN are 802.11ac APs.
• If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency band and
used for WDS or Mesh services, the software version of the AP connected to the
AP8130DN must be V200R005C10 or a later version.
• When planning a WDS network, pay attention to the following:
– Only one root node exists on the WDS network.
– A middle node sets up WDS links only with the leaf node and root node. Middle
nodes do not set up WDS links between each other.
– Each WDS link allows a maximum of three hops (a 3-hop WDS link includes a root
node, a middle node, and a leaf node).


– Each node on the WDS link supports a maximum of six subnodes.


l This section provides only WDS configurations. After the WDS configuration is
complete, APs can connect to an AC through wireless bridges. To use WLAN services,
you still need to configure basic WLAN services. For details, see Example for
Configuring WLAN Services on a Small-Scale Network.
l When WDS is configured on dual-band APs, the root AP and leaf AP cannot use radio 0
or radio 1 simultaneously to establish a WDS link.
l Ensure that the root, middle, and leaf nodes are bound to the same bridge profile;
otherwise, WDS links cannot be set up or the existing WDS links get disconnected.
l When configuring the WDS function, ensure that WDS nodes use the same channel.
l The security profile used by WDS or Mesh links supports only the security policy
WPA2+PSK+CCMP.
l You are advised to configure different names for the profiles used to configure the WDS
function than the profiles used to configure the WLAN service. These profiles are the
WMM profile, radio profile, and security profile. This configuration facilitates
maintenance on wireless bridges and WLAN service.
l Avoid using radar channels to configure WDS links; otherwise, the following problems
may occur:
– Establishing WDS links on radar channels takes several minutes or several ten
minutes longer than establishing WDS links on non-radar channels.
– Radar signals cause disconnection of established WDS links.
l A WDS bridge profile supports a maximum of 256 VLANs.
l The WLAN Mesh function and WLAN WDS function are mutually exclusive. If the
WLAN WDS function has been configured, the WLAN Mesh function cannot be
configured.
l During WDS network planning, if dual-band APs function as WDS nodes, AP radios
bound to WDS bridge profiles cannot be configured to work in monitor mode; if single-
band APs function as WDS nodes, AP radios cannot work in monitor mode.
l If WIDS, spectrum analysis, background neighbor probing, or terminal location is
enabled on a radio, the radio cannot be used to establish a WDS bridge or Mesh link.
l Radio calibration does not take effect on radios enabled with WDS or Mesh functions.
l In V200R006, if you set the CAPWAP heartbeat interval or the number of heartbeat
packet transmissions to a small value using the capwap keep-alive interval interval-
value or capwap keep-alive times times-value command, WDS or Mesh links may fail
to be established. Therefore, you are advised to use the default values.
l In V200R007 and later versions, if you set the CAPWAP heartbeat interval or the
number of heartbeat packet transmissions to a small value using the capwap echo
interval interval-value or capwap echo times times-value command, WDS or Mesh
links may fail to be established. Therefore, you are advised to use the default values.
l In V200R006, if WDS or Mesh is enabled simultaneously with dual-link backup, the AC
sends CAPWAP heartbeat packets three times at an interval of 25 seconds by default.
This may cause unstable WDS or Mesh links and result in user access failures. You are
advised to run the capwap keep-alive times times-value command to set the number of
heartbeat packet transmissions to 6 or a larger value.
l In V200R007 and later versions, if WDS or Mesh is enabled simultaneously with dual-
link backup, the AC sends CAPWAP heartbeat packets three times at an interval of 25
seconds by default. This may cause unstable WDS or Mesh links and result in user
access failures. You are advised to run the capwap echo times times-value command to
set the number of heartbeat packet transmissions to 6 or a larger value.

14.7 Default Settings for WDS


Table 14-4 lists the default settings for WDS.

Table 14-4 Default settings for WDS


Parameter                                  Default Setting
Security profile bound to a WDS profile    default-wds
WDS mode of a WDS profile                  leaf
WDS name of a WDS profile                  HUAWEI-WLAN-WDS
Default WDS profile                        default
WDS whitelist profile                      None

14.8 Configuring WDS


Pre-configuration Tasks
Before configuring WDS, complete the following tasks:
l 5.8 Creating an AP Group
l 5.9.2 Configuring Network Interconnections
l 5.9.3 Configuring Country Codes
l 5.9.4 Configuring a Source Interface or Source Address

Configuration Procedure
Perform the following steps in the listed order.

14.8.1 Adding an AP

Context
You can add APs in any of the following modes:

l Importing APs offline: The APs' MAC addresses and serial numbers (SNs) are
configured on an AC before APs go online. The AC starts to set up connections with the
APs if the MAC addresses or SNs of the APs match the configured ones.
l Configuring the AC to automatically discover an AP: The AP authentication mode is set
to no authentication; alternatively, the AP authentication mode is set to MAC or SN
authentication and the AP whitelist is configured on the AC. When an AP in the whitelist
connects to the AC, the AC discovers the AP, and the AP goes online.

l Manually confirming APs added to the list of unauthorized APs: The AP authentication
mode is set to MAC or SN authentication, and the AP whitelist is configured on the AC.
When an AP out of the whitelist connects to the AC, the AC adds the AP to the list of
unauthorized APs. After the AP identity is confirmed, the AP can go online.

Depending on its location on a WDS network, an AP can work in root, middle, or leaf mode.
As shown in Figure 14-7, AP1 is a root node, AP2 is a middle node, and AP3 is a leaf node.
You can configure an AP's working mode based on actual situations.

Figure 14-7 WDS networking

[Figure: Internet, AC, Switch, AP1 (root), AP2 (middle), AP3 (leaf), STAs, LAN, and PC; legend: wireless virtual link]

Procedure
l Add an AP offline.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the
AP to an AP blacklist.

By default, no AP is in an AP blacklist.
d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.

The default AP authentication mode is MAC address authentication.


e. Run the ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | ap-sn
ap-sn | ap-mac ap-mac ap-sn ap-sn } ] or ap-mac ap-mac [ type-id type-id | ap-
type ap-type ] [ ap-id ap-id ] [ ap-sn ap-sn ] command to import the AP offline and
enter the AP view.
f. Run the ap-name ap-name command to configure the AP name.

By default, no AP name is configured for an AP.


g. Run the ap-group group-name command to add the AP to an AP group.

By default, no AP group is configured.

l Configure the AC to automatically discover an AP.


NOTE
If no AP name or AP group is configured for an automatically discovered AP on the AC, the
configuration file of the AP name or AP group will not be generated in the AP view.
If an AP is deleted from the AC, the configuration in the AP view will be automatically deleted.
– Set the AP authentication mode to no authentication.
i. Run the system-view command to enter the system view.
ii. Run the wlan command to enter the WLAN view.
iii. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add
the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
iv. Run the ap auth-mode no-auth command to set the AP authentication mode
to no authentication.
The default AP authentication mode is MAC address authentication.
NOTE

The non-authentication mode brings security risks. You are advised to set the
authentication mode to MAC address authentication or SN authentication, which is
more secure.
– Set the AP authentication mode to MAC address or SN authentication.
i. Run the system-view command to enter the system view.
ii. Run the wlan command to enter the WLAN view.
iii. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add
the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
iv. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
The default AP authentication mode is MAC address authentication.
v. Configure the AP whitelist.
○ Run the ap whitelist mac ap-mac1 [ to ap-mac2 ] command to add the
AP with the specified MAC address to the whitelist if the AP
authentication mode is set to MAC address authentication.
By default, no MAC address is added to the AP whitelist.
○ Run the ap whitelist sn ap-sn1 [ to ap-sn2 ] command to add the AP with
the specified SN to the whitelist if the AP authentication mode is set to
SN authentication.
By default, no SN is added to the AP whitelist.
l Manually confirm the AP added to the list of unauthorized APs.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the
AP to an AP blacklist.
By default, no AP is in an AP blacklist.
d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.

The default AP authentication mode is MAC address authentication.


e. Run the display ap unauthorized record command to check information about
unauthorized APs.
f. Run the ap-confirm { all | mac ap-mac | sn ap-sn } command to confirm the
unauthorized APs. After confirmation, the APs work in normal state.

----End

14.8.2 (Optional) Enabling the Backhaul Function on the 4.9 GHz Frequency Band

Context

WARNING
Before using the 4.9 GHz frequency band, ensure that you have obtained the 4.9 GHz license
from the local administrative department and use the band properly.

Only the AP8130DN-W supports the 4.9 GHz frequency band.

The 4.9 GHz frequency band is applicable to outdoor backhaul scenarios but not wireless
coverage services. It is mainly used by WDS and Mesh backhaul links. The 4.9 GHz
frequency band is out of the channel range reselected using DFS.

NOTE
The AP8130DN-W is sold only in regions outside China.

The following table lists channels and frequency distribution of the 4.9 GHz frequency band.

Channel No.    Parameters                Description
184            Frequency Band            4.9G
               Center Frequency (MHz)    4920
               Upper Frequency (MHz)     4910
               Lower Frequency (MHz)     4930
188            Frequency Band            4.9G
               Center Frequency (MHz)    4940
               Upper Frequency (MHz)     4930
               Lower Frequency (MHz)     4950
192            Frequency Band            4.9G
               Center Frequency (MHz)    4960
               Upper Frequency (MHz)     4950
               Lower Frequency (MHz)     4970
196            Frequency Band            4.9G
               Center Frequency (MHz)    4980
               Upper Frequency (MHz)     4970
               Lower Frequency (MHz)     4990
The 4.9 GHz frequency band supports channel bandwidths of 20 MHz and 40 MHz. Channels
184+188 or 192+196 can be bundled into a 40 MHz channel. Similar to the 5 GHz frequency
band, the 4.9 GHz frequency band complies with 802.11a/n/ac.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run regulatory-domain-profile name profile-name
The regulatory domain profile view is displayed.
By default, the system provides the regulatory domain profile default.
Step 4 Run wideband enable
The wideband function, that is, the 4.9 GHz frequency band, of the regulatory domain profile
is enabled.
By default, the wideband function of the regulatory domain profile is disabled.
After the wideband function of the regulatory domain profile is enabled, APs bound to this
profile are automatically reset.

You can configure channels and bandwidth of the 4.9 GHz frequency band only after the
wideband function of the regulatory domain profile is enabled.
Step 5 Run quit
Return to the WLAN view.
Step 6 Bind the regulatory domain profile to an AP group or AP.
l Binding the regulatory domain profile to an AP group
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the regulatory-domain-profile profile-name command to bind the regulatory
domain profile to the AP group.
By default, the regulatory domain profile default is bound to an AP group.
l Binding the regulatory domain profile to an AP
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the regulatory-domain-profile profile-name command to bind the regulatory
domain profile to the AP.
By default, no regulatory domain profile is bound to an AP.

----End

Verifying the Configuration


l Run the display regulatory-domain-profile { all | name profile-name } command to
check the status of the wideband function in the regulatory domain profile.
l Run the display references regulatory-domain-profile name profile-name command to
check reference information about the regulatory domain profile.

14.8.3 Configuring WDS Radio Parameters

Context
To ensure that WDS links can be set up successfully on a WDS network, you need to
configure radio parameters for WDS links according to actual service requirements.
l On a WDS network, radios of APs must work on the same channel.
l You need to configure the radio coverage distance parameter based on distances between
APs. The APs automatically adjust the values of slottime, acktimeout, and ctstimeout
based on the configured distance parameter to set up WDS links correctly.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Enter the radio view.

l Enter the AP group radio view.


a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
l Enter the AP radio view.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the radio radio-id command to enter the radio view.

Step 4 Run channel { 20mhz | 40mhz-minus | 40mhz-plus | 80mhz | 160mhz } channel or channel
80+80mhz channel1 channel2.

The working bandwidth and channel are configured for the radio.

By default, the working bandwidth of a radio is 20 MHz, and no working channel is
configured for a radio.

On a WDS network, radios of APs must work on the same channel.

The 80 MHz, 160 MHz, and 80+80 MHz working bandwidths are only supported in the 5G
radio view.

802.11ac APs support the 80 MHz configuration, whereas four-spatial-stream 802.11ac APs
allow for the 160 MHz or 80+80 MHz configuration.

The AD9431DN-24X (including the mapping RUs), AD9430DN-24 (including the mapping
RUs), AD9430DN-12 (including the mapping RUs), AP6310SN-GN, AP2010DN,
AP7030DE, AP9330DN, AP2030DN, AP2050DN, AP2050DN-E, AP2051DN, and
AP2051DN-E do not support the WDS function.

Working channels of radios vary according to countries and regions. To conform to local laws
and regulations, you need to configure different working channels under different country
codes. You can run the display ap configurable channel { ap-name ap-name | ap-id ap-id }
command to check the channels supported by the specified AP.

To use the 4.9 GHz frequency band to configure backhaul links, see Usage Guide of
wideband enable for channels and bandwidth of the 4.9 GHz frequency band. Only radios
working on the 5 GHz frequency band can use the 4.9 GHz frequency band. For example,
radio 1 of the AP8130DN-W can use the 4.9 GHz frequency band. Radio 0 of the
AP8130DN-W can also use the 4.9 GHz frequency band after it is configured to work on the
5 GHz frequency band using the frequency 5g command.

Step 5 Run coverage distance distance

The radio coverage distance parameter is specified.

By default, the radio coverage distance parameter is 3 (unit: 100 m) for all radios.

You can configure the radio coverage distance parameter based on distances between APs and
the APs automatically adjust the values of slottime, acktimeout, and ctstimeout based on the
configured distance parameter to improve data transmission efficiency.

Step 6 Run antenna-gain antenna-gain

The antenna gain is configured for the radio.

By default, no antenna gain is configured for AP radios.

The antenna gain is the ratio of the power density produced by an antenna to the power
density that would be obtained at the same point if the power accepted by the antenna were
radiated equally. It measures an antenna's capability to receive and send signals in a
specified direction and is one of the most important parameters for selecting a BTS antenna.
Under the same conditions, a higher antenna gain lets the wave travel farther.

The antenna gain of an AP radio configured using the command must be consistent with the
gain of the antenna connected to the AP.

The maximum antenna gain should comply with laws and regulations of the corresponding
country. For details, see the Country Code & Channel Compliance Table. You can obtain this
table from the Huawei technical support website:

l Enterprise technical support website: http://support.huawei.com/enterprise
l Carrier technical support website: http://support.huawei.com

Step 7 Run eirp eirp

The transmit power is configured for the radio.

By default, the transmit power of a radio is 127 dBm. The transmit power that takes effect on
APs is related to the AP type, country code, channel, and channel bandwidth. It is the
maximum transmit power supported by the AP radio under the current configuration. Run the
display radio { ap-name ap-name | ap-id ap-id } command to check the maximum value.

You can configure the transmit power for a radio based on actual network environments,
enabling radios to provide the required signal strength and improving signal quality on
WLANs.

Step 8 Run frequency 5g

Radio 0 is configured to work on the 5 GHz frequency band.

By default, radio 0 works on the 2.4 GHz frequency band, and radio 2 works on the 5 GHz
frequency band.

Among all WDS-capable APs, radio 0 of the AP8130DN and AP8130DN-W supports both
2.4G and 5G frequency bands but can only work on one frequency band at a time. After radio
0 of the AP8130DN and AP8130DN-W is configured to work on the 5G frequency band, the
AP8130DN and AP8130DN-W can work on dual 5G radios.

Step 9 Run quit

Return to the AP group view or AP view.

Step 10 Run quit

Return to the WLAN view.

Step 11 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name

The 2G or 5G radio profile view is displayed.

Step 12 Run wifi-light signal-strength

The blinking frequency of the Wireless indicator on the AP is configured to reflect the signal
strength.

By default,
l If the Mesh function is enabled on the AP, the blinking frequency of the Wireless LED
reflects the weakest signal strength of all neighboring APs.
l If WDS is enabled on an AP, the blinking frequency of the Wireless LED reflects the
strength of signals received from a WDS AP.
– If the AP works in leaf mode, the blinking frequency of the Wireless LED reflects
the strength of signals received from a middle AP.
– If the AP works in middle mode, the blinking frequency of the Wireless LED
reflects the strength of signals received from a root AP.
– If the AP works in root mode, the blinking frequency of the Wireless LED reflects
the weakest signal strength of middle APs.
l If the WDS and Mesh functions are disabled on an AP, the blinking frequency of the
Wireless LED reflects the service traffic volume on the radio.
During installation and commissioning of an AP that has the WDS or Mesh function enabled,
you need to adjust AP locations and antenna directions to obtain strong signals. If the blinking
frequency of the Wireless LED shows the signal strength, onsite installation personnel can
see the signal strength in real time. The wifi-light command allows you to specify the
parameter reflected by the blinking frequency of the Wireless LED. For example, you can
set the parameter to signal strength during installation and to service traffic volume after
installation.

NOTE

This command takes effect only when the AP has the WDS or Mesh function enabled. If the WDS and Mesh
functions are disabled on the AP, the Wireless LED always shows service traffic volume.

Step 13 (Optional) Configure the frame aggregation function and length of the aggregated frames.
The frame aggregation function can improve the channel resource usage efficiency and
overall WDS network performance.
l Configure the frame aggregation function for the 802.11n protocol.
a. Run the undo ht a-mpdu disable command to enable the frame aggregation
function for the 802.11n protocol.
By default, aggregation of MPDUs is enabled.
b. Run the ht a-mpdu max-length-exponent max-length-exponent-index command to
set the length of aggregated frames for the 802.11n protocol.
By default, the index for the maximum length of an A-MPDU is 3. The maximum
length of the A-MPDU is 65535 bytes.
l Configure the frame aggregation function for the 802.11ac protocol.
Run the vht a-mpdu max-length-exponent max-length-exponent-index command to set
the length of aggregated frames for the 802.11ac protocol.
By default, the index for the maximum length of an A-MPDU is 7. The maximum length
of the A-MPDU is 1048575 bytes.
NOTE

The length of an A-MPDU can only be configured in a 5G radio profile.


All frames on radios working in 802.11ac mode are A-MPDUs. Therefore, you do not need to
enable the frame aggregation function for the 802.11ac protocol.

Step 14 (Optional) Run beamforming enable


The beamforming function is enabled.

By default, beamforming is disabled.


Beamforming can enhance signals at a particular angle (for target users), attenuate signals at
another angle (for non-target users or obstacles), and extend the radio coverage area.
If nodes on the WDS or Mesh network are fixed and distant from each other, enable
beamforming to increase WDS or Mesh link SNR. Mobile nodes may cause low link SNR in
WDS or Mesh scenarios. To prevent this problem, disable beamforming.
For details on how to configure other radio parameters, see 5.11.1.4 (Optional) Adjusting
Radio Parameters of basic WLAN service configuration.

----End

Follow-up Procedure
In the AP group view or AP view, run the radio-2g-profile profile-name { radio { radio-id |
all } } or radio-5g-profile profile-name { radio { id | all } } command to bind the 2.4G or 5G
radio profile to the AP radio. Alternatively, you can run the radio-2g-profile profile-name or
radio-5g-profile profile-name command in the AP group radio view or AP radio view to bind
the 2.4G or 5G radio profile to the AP radio.

14.8.4 Configuring Parameters for an AP's Wired Interface


Context
You can configure the wired interface on a root AP to connect to the AC or configure the
wired interface on an AP to deploy a Layer 2 network or directly associate with STAs.
On WDS networks, an AP wired interface can work in the following modes:
l root mode: The wired interface that connects the root AP to the AC must work in root
mode.
l endpoint mode: When the wired interface of an AP works in endpoint mode, the AP's
wired interface can directly connect to a STA or be used to deploy Layer 2 networks.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run wired-port-profile name profile-name
An AP wired port profile is created and the AP wired port profile view is displayed.
By default, the system provides the AP wired port profile default.
Step 4 Set parameters for an AP wired interface.
l Configure a wired interface to work in root mode.
a. Run the mode root command to configure an AP's wired interface to work in root
mode.

By default,
n On a common AP: Its GE interfaces work in root mode, Ethernet interfaces in
endpoint mode, and Eth-Trunk interfaces in root mode.
n On a central AP: Its uplink GE interfaces work in root mode and downlink GE
interfaces in middle mode.
n On an R230D: Its Ethernet interface works in root mode.
n On an R240D: Its Ethernet interface works in endpoint mode and GE interface
in root mode.
n On an R250D, R250D-E, AP2050DN, AP2051DN, AP2051DN-E, R251D,
R251D-E and AP2050DN-E: Their uplink GE interfaces work in root mode
and downlink GE interfaces in endpoint mode.
n On an R450D: Its GE interface works in root mode.
l Configure a wired interface to work in endpoint mode.
a. Run the mode endpoint command to configure an AP's wired interface to work in
endpoint mode.
By default,
n On a common AP: Its GE interfaces work in root mode, Ethernet interfaces in
endpoint mode, and Eth-Trunk interfaces in root mode.
n On a central AP: Its uplink GE interfaces work in root mode and downlink GE
interfaces in middle mode.
n On an R230D: Its Ethernet interface works in root mode.
n On an R240D: Its Ethernet interface works in endpoint mode and GE interface
in root mode.
n On an R250D, R250D-E, AP2050DN, AP2051DN, AP2051DN-E, R251D,
R251D-E and AP2050DN-E: Their uplink GE interfaces work in root mode
and downlink GE interfaces in endpoint mode.
n On an R450D: Its GE interface works in root mode.
b. Run the vlan pvid vlan-id command to configure the PVID of an AP's wired
interface.
By default, no PVID is configured for an AP wired interface.
c. Run the vlan { tagged | untagged } { vlan-id1 [ to vlan-id2 ] } &<1-10> command
to add an AP's wired interface to VLANs.
By default, an AP wired interface allows packets from all VLANs to pass. The
wired interface is added to VLAN 1 in untagged mode and to other VLANs in
tagged mode.
NOTE

An AP wired interface can be added to a maximum of 256 VLANs.


d. Run the user-isolate { all | l2 } command to enable user isolation on an AP's wired
interface.
By default, user isolation is disabled on an AP's wired interface.

----End

Follow-up Procedure
Run the wired-port-profile profile-name interface-type interface-number command in the AP
group view or AP view to bind the specified AP wired port profile to the AP's wired interface.

14.8.5 Configuring a Security Profile

Context
You need to configure a security profile and a security policy for the WDS to ensure security.
The WPA2+PSK+AES security policy is recommended for a WDS security profile. For
details about WPA2, PSK, and AES, see 11 WLAN Security Configuration.

By default, the system provides the WDS profile default. By default, the security profile
default-wds with the security policy WPA2+PSK+AES and the security key huawei_secwds
is referenced by a WDS profile regardless of whether the WDS profile is the default profile
provided by the system or a WDS profile created by users. If the default security profile
default-wds is used, you are advised to change the security key of the profile to ensure
security.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run security-profile name profile-name

A security profile is created, and the security profile view is displayed.

By default, security profiles default, default-wds, and default-mesh are available in the
system.

Step 4 Run security wpa2 psk { pass-phrase | hex } key-value aes

A security policy is configured for the security profile.

----End

14.8.6 (Optional) Configuring a WDS Whitelist

Context
A WDS whitelist profile contains MAC addresses of neighboring APs allowed to set up WDS
links with an AP. After a WDS whitelist profile is applied to an AP radio, only APs with
MAC addresses in the whitelist can access the AP, and other APs are denied. In the WDS,
only APs with radios working in root mode and middle mode can have a whitelist configured.
APs in leaf mode require no whitelist.

NOTE

l WDS links can be set up only when neighboring APs with MAC addresses in the whitelist succeed
in authentication.
l If the AP uses no whitelist, all the neighboring APs can connect to the bridge.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run wds-whitelist-profile name whitelist-name
A WDS whitelist profile is created, and the WDS whitelist profile view is displayed.
By default, no WDS whitelist profile is available in the system.
Step 4 Run peer-ap mac mac-address
MAC addresses of neighboring APs that are allowed to connect to an AP are added to the
WDS whitelist profile.
By default, no MAC address of a neighboring AP is added to a WDS whitelist profile.
Step 5 Run quit
Return to the WLAN view.
Step 6 Enter the radio view.
l Enter the AP group radio view.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
l Enter the AP radio view.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the radio radio-id command to enter the radio view.
Step 7 Run wds-whitelist-profile whitelist-name
The WDS whitelist profile is bound to the AP radio.
By default, no WDS whitelist profile is bound to an AP radio.

----End
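
The following Python check is an added example, not part of the Huawei guide: it reads a saved WLAN configuration and reports three weaknesses described in 14.8.1, 14.8.5, and 14.8.6 (the no-auth AP authentication mode, a WDS profile left on the default-wds key, and a root or middle WDS radio with no whitelist bound). The configuration layout, the profile and group names, the MAC address, and the key in SAMPLE_CONFIG are constructed assumptions; only the command keywords come from this document.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "rule where detail")

DEFAULT_SEC_PROFILE = "default-wds"  # bound to every WDS profile unless changed
DEFAULT_WDS_KEY = "huawei_secwds"    # documented key of default-wds
DEFAULT_WDS_MODE = "leaf"            # documented default WDS mode

# Constructed sample, not captured from a device. Assumed layout: one command
# per line, indented one level per view, spelled as the commands on this page.
SAMPLE_CONFIG = """\
wlan
 ap auth-mode no-auth
 security-profile name wds-sec
  security wpa2 psk pass-phrase Constructed-Example-Key-1 aes
 wds-whitelist-profile name wl-root
  peer-ap mac 00e0-fc00-0002
 wds-profile name wds-root
  wds-mode root
  security-profile wds-sec
 wds-profile name wds-middle
  wds-mode middle
 wds-profile name wds-leaf
  security-profile wds-sec
 ap-group name bridge-root
  radio 1
   wds-profile wds-root
   wds-whitelist-profile wl-root
 ap-group name bridge-middle
  radio 1
   wds-profile wds-middle
 ap-group name bridge-leaf
  wds-profile wds-leaf radio 1
"""


def parse_views(text):
    """Yield (path, tokens); path is the tuple of enclosing view header lines."""
    stack = []  # (indent, line) of the views currently open
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        yield tuple(h for _, h in stack), line.split()
        stack.append((indent, line))


def audit(text):
    findings = []
    sec_policy = {}      # security profile -> tokens of its "security" line
    wds = {}             # WDS profile -> {"mode": ..., "sec": ...}
    bindings = []        # (scope, radio id, WDS profile)
    whitelisted = set()  # (scope, radio id) with a WDS whitelist profile bound
    for path, tok in parse_views(text):
        parent = path[-1].split() if path else []
        if tok[:3] == ["ap", "auth-mode", "no-auth"]:
            findings.append(Finding("AP-AUTH-NONE", "wlan",
                                    "APs go online without MAC or SN authentication"))
        elif tok[:2] == ["wds-profile", "name"] and len(tok) == 3:
            wds[tok[2]] = {"mode": DEFAULT_WDS_MODE, "sec": DEFAULT_SEC_PROFILE}
        elif parent[:2] == ["wds-profile", "name"] and len(tok) > 1:
            if tok[0] == "wds-mode":
                wds[parent[2]]["mode"] = tok[1]
            elif tok[0] == "security-profile":
                wds[parent[2]]["sec"] = tok[1]
        elif parent[:2] == ["security-profile", "name"] and tok[0] == "security":
            sec_policy[parent[2]] = tok
        elif parent[:1] == ["radio"] and len(path) > 1 and len(tok) > 1:
            scope = path[-2]  # AP group or AP view that holds this radio
            if tok[0] == "wds-profile":
                bindings.append((scope, parent[1], tok[1]))
            elif tok[0] == "wds-whitelist-profile":
                whitelisted.add((scope, parent[1]))
        elif tok[0] == "wds-profile" and len(tok) == 4 and tok[2] == "radio" and path:
            # AP group/AP view form. "radio all" never equals a per-radio whitelist
            # binding, so root/middle profiles bound this way are always reported.
            bindings.append((path[-1], tok[3], tok[1]))
    for scope, radio, name in bindings:
        prof = wds.get(name, {"mode": DEFAULT_WDS_MODE, "sec": DEFAULT_SEC_PROFILE})
        where = f"{scope} radio {radio}"
        policy = sec_policy.get(prof["sec"])
        # Assumption: default-wds with no "security" line still has the documented key.
        unchanged = prof["sec"] == DEFAULT_SEC_PROFILE and policy is None
        if unchanged or (policy and DEFAULT_WDS_KEY in policy):
            findings.append(Finding("WDS-DEFAULT-KEY", where,
                                    f"WDS profile {name} uses the documented default key"))
        if prof["mode"] in ("root", "middle") and (scope, radio) not in whitelisted:
            findings.append(Finding("WDS-NO-WHITELIST", where,
                                    "all neighboring APs can connect to the bridge"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.rule:17} {f.where}: {f.detail}")
```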

14.8.7 Configuring a WDS Profile


Context
A WDS profile contains major parameters required for configuring the WDS function. To
enable radios of an AP group or a specified AP to set up WDS links, a WDS profile must be
applied to the radios.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run wds-profile name profile-name
A WDS profile is created and the WDS profile view is displayed.
By default, the system provides the WDS profile default.
Step 4 Run wds-name name
A WDS name is set for the WDS profile. WDS nodes use a WDS name to identify
connections between them.
By default, the WDS name of a WDS profile is HUAWEI-WLAN-WDS.
Step 5 Run wds-mode { root | middle | leaf }
The WDS mode is configured in the WDS profile.
By default, the WDS mode in a WDS profile is leaf.
Step 6 Run security-profile profile-name
A security profile is bound to the WDS profile.
By default, the security profile default-wds is bound to a WDS profile.

NOTE

By default, the system provides the WDS profile default. By default, the security profile default-wds
with the security policy WPA2+PSK+AES and the security key huawei_secwds is referenced by a WDS
profile regardless of whether the WDS profile is the default profile provided by the system or a WDS
profile created by users. If the default security profile default-wds is used, you are advised to change the
security key of the profile to ensure security.

Step 7 Run vlan tagged { vlan-id1 [ to vlan-id2 ] } &<1-10>


A VLAN or a group of VLANs is added to the WDS profile in tagged mode.
By default, no VLAN is configured in a WDS profile.
When configuring WDS, perform this step to configure service VLANs in the WDS profile so
that packets from the service VLANs can be transmitted over WDS links.

NOTE

A maximum of 256 VLANs can be added to a WDS profile.

Step 8 (Optional) Improve channel usage efficiency.


1. Run the beacon-2g-rate beacon-2g-rate command to set the transmit rate of 2.4 GHz
Beacon frames.
By default, the transmit rate of 2.4 GHz Beacon frames is 1 Mbit/s.
2. Run the beacon-5g-rate beacon-5g-rate command to set the transmit rate of 5 GHz
Beacon frames.

By default, the transmit rate of 5 GHz Beacon frames is 6 Mbit/s.

Step 9 (Optional) Run mu-mimo enable

MU-MIMO is enabled.

By default, the MU-MIMO function is enabled.

APs support MU-MIMO starting from 802.11ac Wave 2. If WDS VAPs need to support MU-
MIMO, a WDS profile must be bound to 5 GHz radios of the AP.

In WDS scenarios, ensure that the number of spatial streams on STA VAPs is smaller than
that on AP VAPs. Otherwise, MU-MIMO cannot take effect. For example, if STA VAPs and
AP VAPs are both configured with three spatial streams, an AP VAP can communicate with
only one STA VAP even if MU-MIMO has been enabled.

Step 10 (Optional) Run dhcp trust port

A DHCP trusted port is configured in the WDS profile.

By default, no DHCP trusted port is configured in a WDS profile.

NOTE

After a DHCP trusted port is enabled in a WDS profile and the WDS profile is applied to an AP, the AP
receives the DHCP OFFER, ACK, and NAK packets sent by authorized DHCP servers and forwards the
packets to STAs so that the STAs can obtain valid IP addresses and go online.

Step 11 (Optional) Run priority-map trust { dot1p | dscp }

The priority mapping trusted by the WDS air interface is configured.

By default, the WDS air interface trusts the mapping from DSCP priorities to 802.11e user
priorities.

Step 12 (Optional) Run priority-map dscp { dscp-value1 [ to dscp-value2 ] } &<1-10> dot11e
dot11e-value

The mapping from DSCP priorities to 802.11e user priorities is configured for the WDS air
interface.

Table 14-5 describes the mapping from DSCP priorities to 802.11e user priorities by default.

Table 14-5 Mapping from DSCP priorities to 802.11e user priorities

DSCP Priority    802.11e User Priority
0-7              0
8-15             1
16-23            2
24-31            3
32-39            4
40-47            5
48-55            6
56-63            7

Step 13 Run quit

Return to the WLAN view.

Step 14 Apply the WDS profile. You can use any of the following methods according to actual
situations:
- Bind the WDS profile to an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the wds-profile profile-name radio { all | radio-id } command to bind the
     WDS profile to the AP group.
     By default, no WDS profile is bound to an AP group or AP.
  NOTE
  A WDS link uses the VAPs with the WLAN ID 13 and ID 14, which cannot be occupied by other
  WLAN services.
- Bind the WDS profile to an AP.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the wds-profile profile-name radio { all | radio-id } command to bind the
     WDS profile to the AP.
     By default, no WDS profile is bound to an AP group or AP.
  NOTE
  A WDS link uses the VAPs with the WLAN ID 13 and ID 14, which cannot be occupied by other
  WLAN services.
- Bind the WDS profile to AP group radios.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the radio radio-id command to enter the radio view.
  c. Run the wds-profile profile-name command to bind the WDS profile to AP group
     radios.
     By default, no WDS profile is bound to an AP radio.
  NOTE
  A WDS link uses the VAPs with the WLAN ID 13 and ID 14, which cannot be occupied by other
  WLAN services.
- Bind the WDS profile to an AP radio.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the radio radio-id command to enter the radio view.
  c. Run the wds-profile profile-name command to bind the WDS profile to the AP
     radio.
     By default, no WDS profile is bound to an AP radio.
  NOTE
  A WDS link uses the VAPs with the WLAN ID 13 and ID 14, which cannot be occupied by other
  WLAN services.

----End

14.8.8 Verifying the WDS Configuration

Prerequisites
The WDS configuration is complete.

Procedure
- Run the display references wds-profile name profile-name command to check
  reference information of a specified WDS profile.
- Run the display wds-profile { all | name profile-name } command to check information
  of a WDS profile.
- Run the display references wds-whitelist-profile name whitelist-name command to
  check reference information of a specified WDS whitelist profile.
- Run the display wds-whitelist-profile { all | name whitelist-name } command to check
  information of a WDS whitelist profile.
----End

14.9 Maintaining WDS

14.9.1 Checking Information About WDS Links

Procedure
- Run the display wds vap { ap-group ap-group-name | ap-id ap-id [ radio radio-id ] |
  ap-name ap-name [ radio radio-id ] } [ wds-name wds-name ] command to check
  information about WDS VAPs.
- Run the display wds vap { all | wds-name wds-name } command to check information
  about WDS VAPs of a specified WDS name or all WDS names.
- Run the display wlan wds link { all | ap-id ap-id [ radio radio-id ] | ap-name ap-name
  [ radio radio-id ] | wds-profile profile-name } command to check information about
  WDS links.
----End

14.9.2 Configuring Antenna Alignment VAPs

Context
During WDS network deployment, you can configure antenna alignment VAPs for WDS
nodes to facilitate antenna alignment between neighboring APs. When commissioning the
network onsite, connect a mobile terminal to an antenna alignment VAP and start the antenna
alignment program on the terminal to collect signal strength information of the peer AP radio.
The collected information makes antenna alignment easier.

You can log in to the Huawei technical support website and search for Probe Handset Unit to
download the Antenna Alignment program.

- Enterprise technical support website: http://support.huawei.com/enterprise
- Carrier technical support website: http://support.huawei.com

Procedure
- Configure the default antenna alignment VAP.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Run the ap-system-profile name profile-name command to create an AP system
     profile and enter the AP system profile view.
     By default, the system provides the AP system profile default.
  d. Run the undo temporary-management disable command to enable the antenna
     alignment VAP functions.
     By default, offline management VAP and antenna alignment VAP functions are
     enabled.
  e. (Optional) Run the temporary-management psk command to change the password
     for the default SSID (hw_manage_xxxx) of the antenna alignment VAP.
     The default password of an offline management VAP or antenna alignment VAP is
     hw_manage.
  f. Run the quit command to return to the WLAN view.
  g. Apply the AP system profile using any of the following methods:
     - Bind the AP system profile to an AP group.
       1) Run the ap-group name group-name command to enter the AP group
          view.
       2) Run the ap-system-profile profile-name command to bind the AP system
          profile to an AP group.
          By default, the AP system profile default is bound to an AP group, but no
          AP system profile is bound to an AP.
     - Bind the AP system profile to an AP.
       1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
          enter the AP view.
       2) Run the ap-system-profile profile-name command to bind the AP system
          profile to an AP.
          By default, the AP system profile default is bound to an AP group, but no
          AP system profile is bound to an AP.
- Create an antenna alignment VAP.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Configure a security profile.
     i. Run the security-profile name profile-name command to create a security
        profile used by the antenna alignment VAP and enter the security profile view.
        By default, security profiles default, default-wds, and default-mesh are
        available in the system.
     ii. Run the security { wpa | wpa2 | wpa-wpa2 } psk { pass-phrase | hex } key-value
         { aes | tkip | aes-tkip } command to configure a security policy and a
         key.
         By default, the security policy is open system.
         NOTE
         The antenna alignment VAP supports only the WEP or WPA/WPA2 PSK authentication
         mode. You can run the security wep share-key and wep key key-id { wep-40 | wep-104 |
         wep-128 } { pass-phrase | hex } key-value commands to configure WEP authentication.
     iii. Run the quit command to return to the WLAN view.
  d. Configure an SSID profile.
     i. Run the ssid-profile name profile-name command to create an SSID profile
        and enter the SSID profile view.
        By default, the system provides the SSID profile default.
     ii. Run the ssid ssid command to configure an SSID name.
         By default, the SSID HUAWEI-WLAN is configured in an SSID profile.
     iii. Run the quit command to return to the WLAN view.
  e. Configure a VAP profile, and bind it to the SSID profile and the security profile.
     i. Run the vap-profile name profile-name command to create a VAP profile and
        enter the VAP profile view.
        By default, the system provides the VAP profile default.
     ii. Run the temporary-management enable command to configure the VAP as
         an antenna alignment VAP.
         By default, a VAP is a service VAP.
     iii. Run the ssid-profile profile-name command to bind the SSID profile to the
          VAP profile.
          By default, the SSID profile default is bound to a VAP profile.
     iv. Run the security-profile profile-name command to bind the security profile to
         the VAP profile.
         By default, the security profile default is bound to a VAP profile.
     v. Run the quit command to return to the WLAN view.
  f. Configure an AP system profile, and enable the antenna alignment VAP functions in
     the AP system profile.
     i. Run the ap-system-profile name profile-name command to create an AP
        system profile and enter the AP system profile view.
        By default, the system provides the AP system profile default.
     ii. Run the undo temporary-management disable command to enable the
         antenna alignment VAP functions.
         By default, offline management VAP and antenna alignment VAP functions are
         enabled.
     iii. Run the quit command to return to the WLAN view.
  g. Apply the VAP profile using any of the following methods:
     NOTE
     - VAPs 1 to 12 and VAP 15 are used for the antenna alignment VAP configuration. Before
       using these VAPs, ensure that they are not used by other WLAN services.
     - VAPs 13 and 14 are used for the WDS service. Before using these VAPs, ensure that they are
       not used by other WLAN services.
     - VAP 16 is used for the Mesh service. Before using this VAP, ensure that it is not used by other
       WLAN services.

     - Bind the VAP profile to an AP group.
       1) Run the ap-group name group-name command to enter the AP group
          view.
       2) Run the vap-profile profile-name wlan wlan-id radio { radio-id | all }
          command to bind the VAP profile to the radio.
          By default, no VAP profile is bound to a radio.
     - Bind the VAP profile to an AP.
       1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
          enter the AP view.
       2) Run the vap-profile profile-name wlan wlan-id radio { radio-id | all }
          command to bind the VAP profile to the radio.
          By default, no VAP profile is bound to a radio.
     - Bind the VAP profile to radios of an AP group.
       1) Run the ap-group name group-name command to enter the AP group
          view.
       2) Run the radio radio-id command to enter the radio view.
       3) Run the vap-profile profile-name wlan wlan-id command to bind the
          VAP profile to radios.
          By default, no VAP profile is bound to a radio.
     - Bind the VAP profile to an AP radio.
       1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
          enter the AP view.
       2) Run the radio radio-id command to enter the radio view.
       3) Run the vap-profile profile-name wlan wlan-id command to bind the
          VAP profile to radios.
          By default, no VAP profile is bound to a radio.
  h. Run the quit command until you return to the WLAN view.
  i. Apply the AP system profile using any of the following methods:
     - Bind the AP system profile to an AP group.
       1) Run the ap-group name group-name command to enter the AP group
          view.
       2) Run the ap-system-profile profile-name command to bind the AP system
          profile to an AP group.
          By default, the AP system profile default is bound to an AP group, but no
          AP system profile is bound to an AP.
     - Bind the AP system profile to an AP.
       1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
          enter the AP view.
       2) Run the ap-system-profile profile-name command to bind the AP system
          profile to an AP.
          By default, the AP system profile default is bound to an AP group, but no
          AP system profile is bound to an AP.
----End

14.10 Configuration Examples for WDS

14.10.1 Example for Configuring the WLAN Service Using WDS Technology

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
An enterprise has three areas: Area A, Area B, and Area C. In the office environment, AP_1
in Area A can be connected to the AC through a network cable; AP_2 and AP_3 in Area B
can be connected through a cable but cannot be connected to the AC in wired mode; Area C is
near Area B but AP_4 in Area C cannot be connected to the AC through a network cable
either. The enterprise requires that APs be connected to each other in back-to-back WDS
mode and go online on the AC to provide network services for PCs in VLAN 101, as shown
in Figure 14-8:

Figure 14-8 Networking for configuring back-to-back WDS

[Figure: network diagram showing the AC, Switch_A, Switch_B, Switch_C, the network, AP_1 (root)
in Area A, AP_2 (leaf) and AP_3 (root) in Area B, AP_4 (leaf) in Area C, and a PC in VLAN 101.
The legend marks wireless virtual links.]

Configuration Roadmap
1. Configure WDS links in Area A and Area B so that AP_1 and AP_2 can go online on the
AC.
2. Configure Switch_C to enable AP_2 and AP_3 to communicate through the wired
network.
3. Configure WDS links in Area B and Area C so that AP_4 can go online on the AC.
NOTE

In this example, the access switches Switch_B and Switch_C and aggregation switch Switch_A are
Huawei products.

Table 14-6 AP data required for completing the configuration

AP      Type        MAC
AP_1    AP8130DN    60de-4474-9640
AP_2    AP8130DN    dcd2-fc04-b500
AP_3    AP8130DN    dcd2-fcf6-76a0
AP_4    AP8130DN    60de-4476-e360

Table 14-7 Data planning

Item                     Data
VLAN                     Management VLAN: VLAN 100
                         Service VLAN: VLAN 101
IP address of the AC's   VLANIF 100: 10.23.100.1/24
source interface
WDS profile              - wds-net1 (WDS profile used by AP_1): WDS mode root, referenced
                           WDS whitelist wds-list1, permitting access only from AP_2
                         - wds-net2 (WDS profile used by AP_3): WDS mode root, referenced
                           WDS whitelist wds-list2, permitting access only from AP_4
                         - wds-net3 (WDS profile used by AP_2 and AP_4): referencing no WDS
                           whitelist
WDS role                 - AP_1: root
                         - AP_2: leaf
                         - AP_3: root
                         - AP_4: leaf
WDS name                 wds-net
WDS whitelist            - wds-list1: contains the MAC address of AP_2 and is bound to AP_1.
                         - wds-list2: contains the MAC address of AP_4 and is bound to AP_3.
Radio used by WDS        Radio 1 (AP_1 and AP_2):
                         - Bandwidth: 40mhz-plus
                         - Channel: 157
                         - Radio coverage distance parameter: 4 (unit: 100 m)
                         Radio 1 (AP_3 and AP_4):
                         - Bandwidth: 40mhz-plus
                         - Channel: 149
                         - Radio coverage distance parameter: 4 (unit: 100 m)
Security profile         - Name: wds-sec
                         - Security policy: WPA2+PSK+AES
                         - Password type: PASS-PHRASE
                         - Password: a1234567
AP group                 - wds-root1: AP_1
                         - wds-root2: AP_3
                         - wds-leaf1: AP_2
                         - wds-leaf2: AP_4. The wired interface of AP_4 is connected to a PC, so a
                           wired port profile needs to be configured for AP_4. Therefore, AP_2 and
                           AP_4 are added to two separate AP groups.

Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
- Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the AC to communicate with AP_1, and configure AP_2 to communicate with AP_3.
# Configure the access switch Switch_B. Add GE0/0/1 of Switch_B to VLAN 100
(management VLAN) and set the PVID of the interface to VLAN 100. Configure GE0/0/1
and GE0/0/2 to allow packets from VLAN 100 and VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit

# Configure the aggregation switch Switch_A. Configure GE0/0/1 to allow packets from
VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from VLAN 100 to
pass through, and GE0/0/3 to allow packets from VLAN 101 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] quit

# Configure GE0/0/1 of the AC to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 to 101
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

# Configure the access switch Switch_C. Configure GE0/0/1 and GE0/0/2 to allow packets
from the service and management VLANs to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 to 101
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/1] quit
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/2] quit

Step 2 Configure Switch_A to assign IP addresses to PCs and the AC to assign IP addresses to APs.
# Configure Switch_A as a DHCP server to assign IP addresses to PCs from an interface
address pool.

NOTE

Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] quit

# Enable the DHCP function on the AC to allow it to assign IP addresses to APs from an
interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 3 Configure the AP groups, country code, and AC's source interface.
# Create AP group wds-root1 and AP group wds-root2 for root APs and AP group wds-leaf1
and AP group wds-leaf2 for leaf APs.
[AC] wlan
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-wds-leaf2] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Add AP_1 to AP group wds-root1, AP_3 to AP group wds-root2, AP_2 to AP group wds-leaf1,
and AP_4 to AP group wds-leaf2.

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group wds-root1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group wds-leaf1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fcf6-76a0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group wds-root2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 4 ap-mac 60de-4476-e360
[AC-wlan-ap-4] ap-name AP_4
[AC-wlan-ap-4] ap-group wds-leaf2
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-4] quit

Step 4 Configure WDS service parameters.


# Configure radio parameters for WDS nodes. This example uses radio 1 of the AP8130DN.
The parameter coverage distance indicates the radio coverage distance parameter. By default,
the radio coverage distance parameter is 3 (unit: 100 meters). In this example, the radio
coverage distance parameter is 4. You can configure the parameter according to actual
situations.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] radio 1
[AC-wlan-group-radio-wds-root1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-root1/1] coverage distance 4
[AC-wlan-group-radio-wds-root1/1] quit
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] radio 1
[AC-wlan-group-radio-wds-root2/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-root2/1] coverage distance 4
[AC-wlan-group-radio-wds-root2/1] quit
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] radio 1
[AC-wlan-group-radio-wds-leaf1/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-leaf1/1] coverage distance 4
[AC-wlan-group-radio-wds-leaf1/1] quit
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] radio 1
[AC-wlan-group-radio-wds-leaf2/1] channel 40mhz-plus 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-wds-leaf2/1] coverage distance 4
[AC-wlan-group-radio-wds-leaf2/1] quit
[AC-wlan-ap-group-wds-leaf2] quit

# Configure the security profile wds-sec used by WDS links. The wds-sec uses the security
policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name wds-sec
[AC-wlan-sec-prof-wds-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wds-sec] quit

# Configure the WDS whitelist. Configure the WDS whitelist wds-list1 bound to AP_1 to
permit access only from AP_2. Configure the WDS whitelist wds-list2 bound to AP_3 to
permit access only from AP_4.
[AC-wlan-view] wds-whitelist-profile name wds-list1
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac dcd2-fc04-b500
[AC-wlan-wds-whitelist-wds-list1] quit
[AC-wlan-view] wds-whitelist-profile name wds-list2
[AC-wlan-wds-whitelist-wds-list2] peer-ap mac 60de-4476-e360
[AC-wlan-wds-whitelist-wds-list2] quit

# Configure the WDS profile wds-net1. Set the WDS name to wds-net and WDS mode to
root. Apply the security profile wds-sec and allow packets from service VLAN 101 to pass
through in tagged mode.
[AC-wlan-view] wds-profile name wds-net1
[AC-wlan-wds-prof-wds-net1] wds-name wds-net
[AC-wlan-wds-prof-wds-net1] wds-mode root
[AC-wlan-wds-prof-wds-net1] security-profile wds-sec
[AC-wlan-wds-prof-wds-net1] vlan tagged 101
[AC-wlan-wds-prof-wds-net1] quit

# Configure the WDS profile wds-net2. Set the WDS name to wds-net and WDS mode to
root. Apply the security profile wds-sec and allow packets from service VLAN 101 to pass
through in tagged mode.
[AC-wlan-view] wds-profile name wds-net2
[AC-wlan-wds-prof-wds-net2] wds-name wds-net
[AC-wlan-wds-prof-wds-net2] wds-mode root
[AC-wlan-wds-prof-wds-net2] security-profile wds-sec
[AC-wlan-wds-prof-wds-net2] vlan tagged 101
[AC-wlan-wds-prof-wds-net2] quit

# Configure the WDS profile wds-net3. Set the WDS name to wds-net and WDS mode to
leaf. Bind the security profile wds-sec to the WDS profile, allowing packets from service
VLAN 101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-net3
[AC-wlan-wds-prof-wds-net3] wds-name wds-net
[AC-wlan-wds-prof-wds-net3] wds-mode leaf
[AC-wlan-wds-prof-wds-net3] security-profile wds-sec
[AC-wlan-wds-prof-wds-net3] vlan tagged 101
[AC-wlan-wds-prof-wds-net3] quit

# Bind the WDS whitelist wds-list1 to radio 1 in AP group wds-root1 to permit access only
from AP_2, and bind the WDS whitelist wds-list2 to radio 1 in AP group wds-root2 to permit
access only from AP_4.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] radio 1
[AC-wlan-group-radio-wds-root1/1] wds-whitelist-profile wds-list1
[AC-wlan-group-radio-wds-root1/1] quit
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] radio 1
[AC-wlan-group-radio-wds-root2/1] wds-whitelist-profile wds-list2
[AC-wlan-group-radio-wds-root2/1] quit
[AC-wlan-ap-group-wds-root2] quit

Step 5 Configure the wired port profile used by the wired interface of AP_4 and set the wired
interface mode to endpoint. In this example, the PVID of the wired interface is set to VLAN
101 and the wired interface is added to VLAN 101 in untagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] mode endpoint
Warning: If the AP goes online through a wired port, the incorrect port mode
configuration will cause the AP to go out of management
. This fault can be recovered only by modifying the configuration on the AP.
Continue? [Y/N]:y
[AC-wlan-wired-port-wired-port] vlan pvid 101
[AC-wlan-wired-port-wired-port] vlan untagged 101
[AC-wlan-wired-port-wired-port] quit

Step 6 Bind required profiles to the AP groups to make WDS services take effect.
# Configure the AP group wds-root1 and bind the WDS profile wds-net1 to the group.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] wds-profile wds-net1 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-root1] quit

# Configure the AP group wds-root2 and bind the WDS profile wds-net2 to the group.
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] wds-profile wds-net2 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-root2] quit

# Configure the AP group wds-leaf1 and bind the WDS profile wds-net3 to the group.
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] wds-profile wds-net3 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-leaf1] quit

# Configure the AP group wds-leaf2, and bind the WDS profile wds-net3 and wired port
profile wired-port to the group.

NOTE

After referencing the AP wired port profile in endpoint mode, configure the AP to go online on the AC and
obtain the configuration. Then restart the AP to make the configuration effective.
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] wds-profile wds-net3 radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-wds-leaf2] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-wds-leaf2] quit

Step 7 Check that the AP goes online and restart AP_4.


# After the configuration is complete, run the display ap all command to check whether WDS
nodes go online successfully. If State displays as nor, APs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [4]
Extra information:
P : insufficient power supply
---------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime   ExtraInfo
---------------------------------------------------------------------------------------------------
1    60de-4474-9640 AP_1   wds-root1 10.23.100.250 AP8130DN nor   0   20M:16S  -
4    60de-4476-e360 AP_4   wds-leaf2 10.23.100.251 AP8130DN nor   0   17S      -
2    dcd2-fc04-b500 AP_2   wds-leaf1 10.23.100.253 AP8130DN nor   0   3M:55S   -
3    dcd2-fcf6-76a0 AP_3   wds-root2 10.23.100.252 AP8130DN nor   0   2M:55S   -
---------------------------------------------------------------------------------------------------
Total: 4

Run the display wlan wds link all command to check information about the WDS links.
[AC-wlan-view] display wlan wds link all
Rf   : radio ID          Dis  : coverage distance(100m)
Ch   : channel           Per  : drop percent(%)
TSNR : total SNR(dB)     P-   : peer
WDS  : WDS mode          Re   : retry ratio(%)
RSSI : RSSI(dBm)         MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName P-APName Rf Dis Ch  WDS  P-Status RSSI MaxR Per Re TSNR SNR(Ch0~3:dB)
-------------------------------------------------------------------------------------------------
AP_1   AP_2     1  4   157 root normal   -44  -40  0   3  50   45/49/-/-
AP_2   AP_1     1  4   157 leaf normal   -38  -36  0   49 57   36/31/57/-
AP_3   AP_4     1  4   149 root normal   -11  -7   0   1  83   81/80/-/-
AP_4   AP_3     1  4   149 leaf normal   -4   -4   0   0  91   90/85/-/-
-------------------------------------------------------------------------------------------------
Total: 4

Verify that the AP goes online and restart AP_4 to make the working mode of the AP wired
port effective.
[AC-wlan-view] ap-reset ap-group wds-leaf2
Warning: Reset AP(s), continue?[Y/N]:y

Step 8 Verify the configuration.


After AP_4 goes online again, verify that wired users connected to AP_4 can access the
network.

----End

Configuration Files
l Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#

interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
l Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
l Switch_C configuration file
#
sysname Switch_C
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return
l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan

security-profile name wds-sec
security wpa2 psk pass-phrase %^%#n}5+DgC3wLB.hJ34j5;*QMv<8"9#{Bq@ghBI3L9K%^%# aes
wds-whitelist-profile name wds-list1
peer-ap mac dcd2-fc04-b500
wds-whitelist-profile name wds-list2
peer-ap mac 60de-4476-e360
wds-profile name wds-net1
security-profile wds-sec
vlan tagged 101
wds-name wds-net
wds-mode root
wds-profile name wds-net2
security-profile wds-sec
vlan tagged 101
wds-name wds-net
wds-mode root
wds-profile name wds-net3
security-profile wds-sec
vlan tagged 101
wds-name wds-net
regulatory-domain-profile name domain1
wired-port-profile name wired-port
mode endpoint
vlan pvid 101
vlan untagged 101
ap-group name wds-leaf1
regulatory-domain-profile domain1
radio 1
wds-profile wds-net3
channel 40mhz-plus 157
coverage distance 4
ap-group name wds-leaf2
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
wds-profile wds-net3
channel 40mhz-plus 149
coverage distance 4
ap-group name wds-root1
regulatory-domain-profile domain1
radio 1
wds-profile wds-net1
wds-whitelist-profile wds-list1
channel 40mhz-plus 157
coverage distance 4
ap-group name wds-root2
regulatory-domain-profile domain1
radio 1
wds-profile wds-net2
wds-whitelist-profile wds-list2
channel 40mhz-plus 149
coverage distance 4
ap-id 1 ap-mac 60de-4474-9640
ap-name AP_1
ap-group wds-root1
ap-id 2 ap-mac dcd2-fc04-b500
ap-name AP_2
ap-group wds-leaf1
ap-id 3 ap-mac dcd2-fcf6-76a0
ap-name AP_3
ap-group wds-root2
ap-id 4 ap-mac 60de-4476-e360
ap-name AP_4
ap-group wds-leaf2
#
return
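
The check below is an added example, not part of the Huawei guide or its tooling: a Python audit of a saved AC configuration in the layout of the AC configuration file above. The policy it enforces (every WDS profile bound to a WPA2-PSK-AES security profile, every root radio bound to a non-empty whitelist), the function names, and the embedded sample with its lab-open profile are assumptions made for illustration.

```python
import re

# Constructed sample in the layout of the AC configuration file above (not a
# real device export). Two defects are planted: wds-net3 uses an open-system
# security profile, and the root radio in ap-group wds-root2 binds no whitelist.
SAMPLE_CONFIG = """\
wlan
 security-profile name wds-sec
  security wpa2 psk pass-phrase %^%#CONSTRUCTED-CIPHERTEXT%^%# aes
 security-profile name lab-open
  security open
 wds-whitelist-profile name wds-list1
  peer-ap mac dcd2-fc04-b500
 wds-profile name wds-net1
  security-profile wds-sec
  wds-mode root
 wds-profile name wds-net3
  security-profile lab-open
 ap-group name wds-root1
  radio 1
   wds-profile wds-net1
   wds-whitelist-profile wds-list1
 ap-group name wds-root2
  radio 1
   wds-profile wds-net1
 ap-group name wds-leaf1
  radio 1
   wds-profile wds-net3
"""

SECTION_RE = re.compile(r"^([a-z0-9-]+-profile|ap-group) name (\S+)$")
WPA2_PSK_AES_RE = re.compile(r"^security wpa2 psk pass-phrase .+ aes$")
RADIO_RE = re.compile(r"^radio (\d+)$")


def parse_wlan_config(text):
    """Collect profile definitions and per-radio bindings from a saved config.

    Lines are compared after stripping indentation, so an indented device
    export and a flattened listing parse the same way.
    """
    cfg = {"security": {}, "whitelist": {}, "wds": {}, "radios": {}}
    kind = name = radio = None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            kind, name, radio = section.group(1), section.group(2), None
            if kind == "security-profile":
                cfg["security"][name] = False  # True once WPA2-PSK-AES is seen
            elif kind == "wds-whitelist-profile":
                cfg["whitelist"][name] = []
            elif kind == "wds-profile":
                # wds-net3 in the guide sets no wds-mode and serves the leaf
                # APs, so an absent wds-mode is treated as leaf here.
                cfg["wds"][name] = {"security": None, "mode": "leaf"}
        elif line.startswith("ap-id "):
            kind = name = radio = None  # per-AP section, not audited
        elif kind == "security-profile" and WPA2_PSK_AES_RE.match(line):
            cfg["security"][name] = True
        elif kind == "wds-whitelist-profile" and line.startswith("peer-ap mac "):
            cfg["whitelist"][name].append(line.split()[2])
        elif kind == "wds-profile" and line.startswith("security-profile "):
            cfg["wds"][name]["security"] = line.split()[1]
        elif kind == "wds-profile" and line.startswith("wds-mode "):
            cfg["wds"][name]["mode"] = line.split()[1]
        elif kind == "ap-group" and RADIO_RE.match(line):
            radio = cfg["radios"].setdefault((name, int(line.split()[1])), {})
        elif kind == "ap-group" and radio is not None:
            key, _, value = line.partition(" ")
            if key in ("wds-profile", "wds-whitelist-profile"):
                radio[key] = value
    return cfg


def audit_wds(cfg):
    """Return findings for the policy assumed in this example."""
    findings = []
    for prof, settings in sorted(cfg["wds"].items()):
        sec = settings["security"]
        if sec is None:
            findings.append(f"wds-profile {prof}: no security-profile bound")
        elif not cfg["security"].get(sec, False):
            findings.append(
                f"wds-profile {prof}: security-profile {sec} is not WPA2-PSK with AES")
    for (group, rid), bound in sorted(cfg["radios"].items()):
        prof = cfg["wds"].get(bound.get("wds-profile"))
        peers = cfg["whitelist"].get(bound.get("wds-whitelist-profile"), [])
        if prof and prof["mode"] == "root" and not peers:
            findings.append(
                f"ap-group {group} radio {rid}: root bridge has no peer whitelist")
    return findings


if __name__ == "__main__":
    for finding in audit_wds(parse_wlan_config(SAMPLE_CONFIG)):
        print(finding)
```
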


15 Mesh Configuration

15.1 Overview of Mesh

Definition
A wireless mesh network (WMN) is a communications network that consists of multiple
wirelessly connected APs in a mesh topology and connects to a wired network through a
portal node or two portal nodes.

Purpose
On a traditional WLAN, APs exchange data with STAs using wireless channels and connect
to a wired network through uplinks. If no wired network is available before a WLAN is
constructed, it takes much time and money to construct a wired network. If positions of some
APs on a WLAN are adjusted, the wired network must be adjusted accordingly, increasing the
difficulty in network adjustment. A traditional WLAN requires a long construction period and
has a high cost and poor flexibility, so it does not apply to emergency communication,
wireless MANs, or areas that lack adequate wired network infrastructure. The construction of a
WMN requires only APs to be installed, which greatly speeds up network construction.

A WMN allows APs to wirelessly connect to each other, solving the preceding problems. A
WMN has the following advantages:
l Fast deployment: Mesh nodes can be easily installed to construct a WMN in a short time,
much shorter than the construction period of a traditional WLAN.
l Dynamic coverage area expansion: As more mesh nodes are deployed on a WMN, the
WMN coverage area can be rapidly expanded.
l Robustness: A WMN is a peer network that will not be affected by the failure of a single
node. If a node fails, packets are forwarded to the destination node along the backup
path.
l Flexible networking: An AP can join or leave a WMN easily, allowing for flexible
networking.
l Various application scenarios: Besides traditional WLAN scenarios such as enterprise
networks, office networks, and campus networks, a WMN also applies to scenarios such
as large-scale warehouses, docks, MANs, metro lines, and emergency communications.

l Cost-effectiveness: Only MPPs need to connect to a wired network, which minimizes the
dependency of a WMN on wired devices and saves costs in wired device purchasing and
cable deployment.

Benefits
A WMN saves cables required between mesh nodes while providing path redundancy and
rerouting functions as a distributed network. Therefore,
l When a new AP is added to a WMN, the AP can automatically connect to the WMN and
determine the optimal multi-hop transmission path after being powered on.
l When an AP is removed from a WMN, the WMN can automatically discover the topology
change and adjust communication routes to obtain the optimal transmission path.

15.2 Understanding Mesh

Concepts

Figure 15-1 Networking diagram
[Figure: an AC and LAN, one MPP, MPs MP1 to MP4, and STAs STA1 to STA3; the legend distinguishes mesh links from user access links.]

A WMN includes the following devices:


l Mesh point (MP): a mesh-capable node that uses IEEE 802.11 MAC and physical layer
protocols for wireless communication. This node supports automatic topology discovery,
automatic route discovery, and data packet forwarding. MPs can provide both mesh
service and user access service.
l Mesh point portal (MPP): an MP that connects to a WMN or another type of network.
This node has the portal function and enables mesh nodes to communicate with external
networks.

l Neighboring MP: an MP that directly communicates with another MP or MPP. For
example, in Figure 15-1, MP2 is the neighbor of MP1.
l Candidate MP: a neighboring MP with which an MP prepares to establish a mesh link.
l Peer MP: a neighboring MP that has established a mesh connection with an MP.

Implementation
The establishment of a mesh link includes mesh neighbor discovery and mesh connection
management.

Mesh Neighbor Discovery

1. Discover a mesh neighbor.


Before constructing a WMN, an MP needs to discover neighboring MPs. On Mesh
networks, each MP obtains neighboring MP information through passive scanning.
– Passive scanning: To obtain neighboring MP information, an MP listens on each
channel for the Mesh Beacon frames sent by neighboring MPs. A Beacon frame
contains information including the Mesh ID.
2. Update the neighbor relationship table.
Each MP has a neighbor relationship table that contains information about four types of
neighboring nodes: common AP neighbors, nodes of other WMNs, candidate MPs, and
peer MPs.
– In passive scanning, if the MP finds that the Mesh ID in the Mesh Beacon frame is
the same as the local Mesh ID, the MP records the neighboring MP as a candidate
MP in the neighbor relationship table.

Mesh Connection Management

Mesh connection management involves two phases: mesh connection establishment and mesh
connection teardown. The two phases are implemented using three types of Mesh Action
frames: Mesh Peering Open, Mesh Peering Confirm, and Mesh Peering Close frames.

Figure 15-2 Mesh connection management process
[Figure: frame exchange between MP1 and MP2, in order: Mesh Peering Open, Mesh Peering Confirm, Mesh Peering Open, Mesh Peering Confirm, Security Negotiation & Data forwarding, Mesh Peering Close, Mesh Peering Close.]

1. Mesh connection establishment


An MP can initiate a mesh connection with a candidate MP. The two MPs are peers and
exchange Mesh Peering Open and Mesh Peering Confirm frames to establish a mesh
connection.
After the two MPs establish a mesh connection, they start the key negotiation phase. The
two MPs can forward mesh data only after key negotiation succeeds.
2. Mesh connection teardown
Either of the two MPs that establish a mesh connection can send a Mesh Peering Close
frame to the other MP to tear down the mesh connection. After receiving the Mesh
Peering Close frame, the other MP needs to respond with a Mesh Peering Close frame.

Mesh Routing
On a WMN, multiple mesh links are available between any source and destination, and the
transmission quality of these mesh links varies according to the surrounding environment.
Therefore, routing protocols are required on the WMN. The Hybrid Wireless Mesh Protocol
(HWMP) defined in the 802.11s standard can address routing issues.
The following route management frames are defined in HWMP:
l Root Announcement (RANN) frame: used to announce the presence of an MPP.
– An MPP periodically broadcasts a RANN frame.
– After an MP receives a RANN frame, the MP reduces the time to live (TTL) of the
frame by 1, updates the path metric, and broadcasts the frame. After an MP reads a
RANN frame, the MP checks whether the gateway specified in the RANN frame
exists in the local gateway list. If the gateway exists in the local gateway list, the
MP updates the gateway information in the gateway list according to the
information in the RANN frame. Otherwise, the MP adds gateway information to
the gateway list.
l Path Request (PREQ) and Path Reply (PREP) frames: In on-demand routing mode, the
source node broadcasts a PREQ frame to establish a route to the destination node. After
an MP receives the PREQ frame, the MP responds with a PREP frame.
A WMN supports two routing modes: on-demand routing and proactive routing.
l On-demand routing: The source node broadcasts a PREQ frame to establish a route to
the destination node. After receiving the PREQ frame, a transit node checks the frame. If
the PREQ frame contains a sequence number greater than or equal to the sequence
number of the previous frame but has a lower metric, the transit node creates and updates
the route to the source node. If the transit node has no route to the destination node, the
transit node continues forwarding the PREQ frame.
l Proactive routing: A root node periodically broadcasts a RANN frame. When a mesh
node receives a RANN frame and needs to create or update the route to the root node, the
mesh node unicasts a PREP frame to the root node and broadcasts the RANN frame.
Then, the root node creates a reverse path from the root node to the source node, and the
mesh node creates a forwarding path from the root node to the source node.
HWMP combines on-demand routing and proactive routing to ensure that data frames are
always transmitted on mesh links with the best transmission quality.
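
The following added example (not code from Huawei or from the 802.11s standard) simulates one on-demand PREQ flood using the acceptance rule exactly as worded above. The topology, the link metrics, and the function names are constructed, and transit nodes are assumed to hold no route to the destination, so they always forward.

```python
from collections import deque

# Constructed topology using node names from Figure 15-1. The numbers are
# illustrative link metrics (lower is better), not measured values.
LINKS = {
    ("MP3", "MP2"): 10,
    ("MP2", "MP1"): 10,
    ("MP3", "MP1"): 35,
    ("MP1", "MPP"): 10,
}


def accepts(route, seq, metric):
    """Acceptance rule as worded above: the sequence number must not be older
    than the stored one, and the metric must be lower."""
    if route is None:  # first PREQ seen from this source
        return True
    return seq >= route["seq"] and metric < route["metric"]


def flood_preq(links, source, dest, seq=1):
    """Broadcast one PREQ from source; return each node's route back to source."""
    neighbors = {}
    for (a, b), cost in links.items():
        neighbors.setdefault(a, {})[b] = cost
        neighbors.setdefault(b, {})[a] = cost
    # The source holds a zero-metric entry, so its own PREQ echoed back by a
    # neighbor can never look better and is dropped.
    routes = {source: {"seq": seq, "metric": 0, "next_hop": None}}
    pending = deque([(source, 0)])  # (rebroadcasting node, metric it advertises)
    while pending:
        sender, metric = pending.popleft()
        for node, cost in neighbors.get(sender, {}).items():
            candidate = metric + cost
            if not accepts(routes.get(node), seq, candidate):
                continue
            routes[node] = {"seq": seq, "metric": candidate, "next_hop": sender}
            if node != dest:  # the destination answers with a PREP instead
                pending.append((node, candidate))
    return routes


def prep_path(routes, source, dest):
    """Path the unicast PREP follows from dest back to source, listed source first."""
    if dest not in routes:
        return None
    path = [dest]
    while path[-1] != source:
        path.append(routes[path[-1]]["next_hop"])
    return path[::-1]


if __name__ == "__main__":
    table = flood_preq(LINKS, "MP3", "MPP")
    print(prep_path(table, "MP3", "MPP"), table["MPP"]["metric"])
```

MP1 first hears the PREQ over the direct MP3 link (metric 35) and later replaces that route when the copy relayed by MP2 arrives with metric 20; a replayed frame with an older sequence number is rejected even if it advertises a lower metric.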
Huawei develops and optimizes the proprietary mesh routing protocol based on the 802.11s
standard to implement route load balancing. The mesh routing protocol has the following
characteristics:

l Reduces the number of times frames are forwarded during the wireless link
establishment.
l Constructs the forwarding topology based on the path with only a few hops from the
source node to the destination node.

Zero Touch Configuration


On a WMN that uses the centralized WLAN architecture (AC+Fit AP), you only need to
perform a few AP management configurations on the AC without having to log in to APs.
APs can then connect to the AC. This function facilitates the deployment of a large number of
APs. Figure 15-3 shows how zero touch configuration is implemented.

Figure 15-3 Implementation of zero touch configuration
[Figure: sequence among MP1, MP2, the DHCP server, and the AC: 1. Establish a temporary mesh connection; 2. Obtain an IP address; 3. Discover the AC and obtain the AC configuration; 4. Tear down the mesh connection; 5. Use the new configuration to establish a formal, secure mesh link; 6. Establish a secure CAPWAP tunnel; 7. If all the faulty mesh links cannot be restored, go online again using the default mesh configuration.]

1. After MP1 is powered on, it exchanges Mesh Peering Open and Mesh Peering Confirm
frames with MP2, which has associated with the AC using information including the
default Mesh ID and pre-shared key. MP1 establishes a temporary insecure mesh
connection with MP2 and establishes a route to the MPP.
2. MP1 obtains an IP address and the IP address of the AC from the DHCP server through
the mesh connection.
3. MP1 discovers and associates with the AC through the mesh connection and establishes
a temporary CAPWAP tunnel to obtain the configuration from the AC.
4. After MP1 obtains the new configuration, it sends a Mesh Peering Close frame to tear
down the temporary insecure mesh connection.
5. MP1 exchanges Mesh Peering Open and Mesh Peering Confirm frames with MP2 using
the new mesh configuration for key negotiation. After MP1 and MP2 negotiate the key
for communication, the two MPs establish a formal secure mesh link.
6. MP1 re-establishes a secure CAPWAP tunnel with the AC using the new configuration.

7. When MP1 cannot establish a mesh link with MP2 within a long period of time, the
default configuration is restored. The whole process starts from step 1 until MP1
establishes a secure CAPWAP tunnel with the AC using the new configuration.

15.3 Application Scenarios for Mesh

Mesh Wireless Bridging


In Figure 15-4, AP1 to AP3 provide network access service for wired and wireless users. The
three APs, however, cannot access the Internet in wired mode because of geographical or
environmental restrictions. AP1 to AP3 can work with AP4 to build a WMN so that wireless
users can connect to the Internet.

Figure 15-4 Mesh wireless bridging
[Figure: AP1 to AP3 with attached STAs, AP4, an access switch, a switch, the AC, and the Internet; the legend distinguishes the 5 GHz mesh link from the 2.4 GHz access network.]

WMN with One MPP


In Figure 15-5, AP2 to AP5 provide network access service for wireless users, and AP1
provides wired access to the Internet. AP1 to AP5 are fully meshed to establish a secure, auto-
configured, and self-healing outdoor WMN, which facilitates fast and cost-effective WLAN
deployment in outdoor environments where cabling is difficult.

Figure 15-5 WMN with one MPP
[Figure: the Internet, AC, and switch above AP1; AP2 to AP5 and STA1 to STA4 below; the legend distinguishes mesh links from STA access.]

WMN with Multiple MPPs


In Figure 15-6, AP1 and AP11 provide wired access to the Internet. AP2 to AP5 provide
network access service for wired and wireless users in Area 1, and AP7 to AP10 provide
network access service for wired and wireless users in Area 2. AP6 resides in the overlapping
area between Area 1 and Area 2.
An MPP and MPs that establish mesh links with the MPP use the same wireless channels. If
network access service needs to be provided for different areas, multiple MPPs need to work
in different channels to prevent MPs from preempting wireless channels and improve
coverage performance. Each MP can select the MPP that is the fewest hops away as
the gateway to connect to the wired network.

Figure 15-6 WMN with multiple MPPs
[Figure: Area 1 with AP1 to AP5 and Area 2 with AP7 to AP11, AP6 between the two areas, plus the AC, switch, and Internet; the legend marks mesh links.]

15.4 STP Scenarios Supported by a Mesh Network


NOTE

l An AC can deliver STP configurations to the APs only when the wired interfaces of the
preceding APs are not bound to an Eth-trunk interface.

A Mesh network supports only transparent transmission of Spanning Tree Protocol (STP)
packets. An STP-enabled AP does not forward STP packets to the wireless side. STP takes
effect only on the AP's wired side.
When deploying a Mesh network, avoid network loops. In Mesh networking, STP applies
only to scenarios where the Mesh network forms a single loop with the wired network. Table
15-1 describes STP scenarios supported by a Mesh network.

Table 15-1 STP scenarios supported by a Mesh network

Scenario 1
[Figure: AC (GE0/0/1), MPP, MP1, MP2, MP3, and SwitchB; callout: "STP cannot be enabled on GE0/0/1 of the AC."]
Description: Mesh links form a single loop with wired links. STP is enabled on non-AP
network elements (NEs) on the loop but not enabled on NEs connected to the Mesh network
that are not involved in the loop. In this case, STP takes effect and breaks the loop.
As shown in the figure, the switch forms a single loop with Mesh links. To break the loop,
enable STP on the switch and ensure that STP is not enabled on GE0/0/1 connecting the AC
to the MPP.

Scenario 2
[Figure: AC, SwitchA, SwitchB, Loop 1, MPP, MP1, and MP2; callout: "STP needs to be enabled on the MPP’s wired port."]
Description: The Mesh network connects to an AP with dual network ports. A loop exists on
the AP's wired-side interfaces and the wired-side interfaces are not bound to an Eth-trunk
interface. To prevent transparent forwarding of STA packets to the wireless side, enable
STP on the AP.
In the figure, the AC, SwitchA, SwitchB, and MPP form a loop (loop 1), and SwitchC,
SwitchD, and MP3 form a loop (loop 2). If STP packets can be transparently transmitted
over Mesh links, STP on loop 1 incorrectly includes SwitchC and SwitchD on loop 2 into its
calculation.
To prevent calculation errors, enable STP on the MPP and MP3 so that STP packets from
loop 1 and loop 2 will not be transparently forwarded to the wireless side. The MPP
implements STP calculation of loop 1 and blocks wired-side interfaces based on the
calculation results. MP3 implements STP calculation of loop 2 and blocks wired-side
interfaces based on the calculation results.

NOTE
Mesh networks support Mesh link redundancy. To prevent loops, use Mesh routing to decide on the
forwarding path.

15.5 Understanding Mesh Profiles


A Mesh profile contains major parameters required for configuring the Mesh function. To
enable radios of an AP group or a specified AP to set up Mesh links, a Mesh profile must be
applied to the radios.

When configuring Mesh services, use the Mesh profile with the following profiles:
l Security profile: After a security profile is bound to a Mesh profile, parameters in the
security profile will be used for Mesh link setup to ensure security of Mesh links. The
WPA2+PSK+AES security policy is recommended for a Mesh security profile.
NOTE

The security policy can be set to open system authentication only for the Mesh network in rail
transportation scenarios.
l Mesh whitelist profile: A Mesh whitelist profile contains MAC addresses of neighboring
APs allowed to set up Mesh links with an AP. After a Mesh whitelist profile is applied to
an AP radio, only APs with MAC addresses in the whitelist can access the AP, and other
APs are denied. On common Mesh networks, a Mesh whitelist must be configured for a
Mesh node.
NOTE

l A neighboring AP with the MAC address in the whitelist can set up a wireless virtual link with the
local AP only after passing security authentication.
l On a Mesh network where ATs are deployed, after FWA is enabled in a Mesh profile, you do not
need to configure a Mesh whitelist for a Mesh node. All ATs are allowed to access the Mesh node.
l AP group radio or AP radio: You can configure major feature parameters for radios in an
AP group or a specified AP radio, including the working channel and bandwidth,
antenna gain, transmit power, and radio coverage distance. For example, when
configuring the Mesh function, configure the same channel for radios of Mesh APs.
l Radio profile: The radio profile is classified into the 2G and 5G radio profiles. You can
configure other radio parameters for Mesh links through a radio profile.
l AP wired port profile: The AP wired port profile is used to configure AP wired port
parameters and Mesh roles. When configuring Mesh services, you need to configure AP
wired port parameters according to actual situations, enabling the Mesh network to
transmit user services. For example, if direct forwarding is used on a Mesh network, you
need to configure wired ports of Mesh APs to allow service VLANs to pass through.
l Mesh handover profile: After a Mesh handover profile is bound to a Mesh profile, the
Mesh profile can provide the fast Mesh link handover function and apply to train-ground
communication scenarios. A Mesh handover profile and the FWA mode of a Mesh
profile are mutually exclusive. A Mesh handover profile cannot be referenced by the
Mesh profile in which the FWA mode is enabled.

By default, the system provides the Mesh profile default. Both the default Mesh profile
default and a self-defined Mesh profile have the security profile default-mesh referenced by
default. In the security profile default-mesh, the security policy is set to WPA2+PSK+AES
and the security key to huawei_secmesh. If the default security profile default-mesh is used,
you are advised to change the security key of the profile to ensure security.

15.6 Licensing Requirements and Limitations for Mesh


Involved Network Elements
AP
l APs mentioned in this document are Huawei AP products. You are advised to use
Huawei APs to connect to the AC.
l You can run the display ap-type all command to check the default AP types supported
by the device.
l When central APs and RUs are used, ensure that their versions are the same. For
example, if the central AP version is V200R007C10, the RU version must be
V200R007C10.

Table 15-2 Mapping between switch versions and AP versions

Product Software Version    AP Software Version
V200R012C00                 V200R009C00, V200R008C10, V200R008C00, V200R007C20,
                            V200R007C10, V200R006C20, V200R006C10
V200R011C10                 V200R008C10, V200R008C00, V200R007C20, V200R007C10,
                            V200R006C20, V200R006C10
V200R011C00                 V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00                 V200R007C10, V200R006C20, V200R006C10
V200R009C00                 V200R006C20, V200R006C10
V200R008C00                 V200R005C30, V200R005C20, V200R005C10
V200R007                    V200R005C20, V200R005C10
V200R006                    V200R005C00

Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
l AP resource license-16AP for WLAN access controller
l AP resource license-64AP for WLAN access controller
l AP resource license-128AP for WLAN access controller
l AP resource license-512AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.

Version Requirements

Table 15-3 Products and minimum version supporting Mesh

Series                  Product Model       Minimum Version Required
S1700 series switches   -                   Not supported
S2700 series switches   -                   Not supported
S3700 series switches   -                   Not supported
S5700 series switches   S5720HI, S5730HI    S5720HI: V200R006
                                            S5730HI: V200R012
S6700 series switches   S6720HI             V200R012

Feature Limitations
l The AD9431DN-24X central AP (including the mapping RUs), AD9430DN-24 central
AP (including the mapping RUs), AD9430DN-12 central AP (including the mapping
RUs), AP2010DN, AP2030DN, AP2050DN, AP2050DN-E, AP7030DE, AP9330DN,
AP2051DN, AP2051DN-E, and AP6310SN-GN do not support the Mesh function.

l On a WDS or Mesh network, an 802.11ac AP cannot interoperate with non-802.11ac
APs regardless of the radio types used by the AP. Only 802.11ac APs can interoperate
with each other.
NOTE
Among all WDS- or Mesh-capable APs, the AP1050DN-S, AP4050DN, AP4051DN, AP4151DN,
AP8050DN, AP8150DN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP8130DN-W,
AP4030DN, AP4130DN, AP9131DN, AP9132DN, AP6050DN, AP6150DN, AP7050DE, AP7050DN-
E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP4051TN, AP6052DN, AP7052DN, AP7152DN,
AP7052DE, AP8050TN-HD, AP8082DN, and AP8182DN are 802.11ac APs.
l If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency band and
used for WDS or Mesh services, the software version of the AP connected to the
AP8130DN must be V200R005C10 or a later version.
l This section provides only Mesh configurations. After the Mesh configuration is
complete, APs can connect to an AC through Mesh links. To use WLAN services, you
still need to configure basic WLAN services. For details, see Example for Configuring
WLAN Services on a Small-Scale Network.
l When Mesh is configured on dual-band APs, any two adjacent APs cannot use radio 0 or
radio 1 simultaneously to establish a Mesh link.
l When configuring the Mesh function, ensure that Mesh nodes use the same bandwidth
and channel.
l The security profile used by WDS or Mesh links supports only the security policy
WPA2+PSK+CCMP.
l You are advised to give the profiles used to configure the Mesh function names that
differ from those of the profiles used to configure the WLAN service. These profiles are the
WMM profile, radio profile, and security profile. This configuration facilitates
maintenance on the Mesh network and WLAN service.
l The WLAN Mesh function and WLAN WDS function are mutually exclusive. If the
WLAN WDS function has been configured, the WLAN Mesh function cannot be
configured.
l During Mesh network planning, if dual-band APs function as Mesh nodes, AP radios
bound to Mesh profiles cannot be configured to work in monitor mode; if single-band
APs function as Mesh nodes, AP radios cannot work in monitor mode.
l Avoid using radar channels to configure Mesh links; otherwise, the following problems
may occur:
– Establishing Mesh links on radar channels takes several minutes or tens of
minutes longer than establishing Mesh links on non-radar channels.
– Radar signals cause disconnection of established Mesh links.
l If WIDS, spectrum analysis, background neighbor probing, or terminal location is
enabled on a radio, the radio cannot be used to establish a WDS bridge or Mesh link.
l Radio calibration does not take effect on radios enabled with WDS or Mesh functions.
l In V200R006, if you set the CAPWAP heartbeat interval or the number of heartbeat
packet transmissions to a small value using the capwap keep-alive interval interval-
value or capwap keep-alive times times-value command, WDS or Mesh links may fail
to be established. Therefore, you are advised to use the default values.
l In V200R007 and later versions, if you set the CAPWAP heartbeat interval or the
number of heartbeat packet transmissions to a small value using the capwap echo
interval interval-value or capwap echo times times-value command, WDS or Mesh
links may fail to be established. Therefore, you are advised to use the default values.

l In V200R006, if WDS or Mesh is enabled simultaneously with dual-link backup, the AC
sends CAPWAP heartbeat packets three times at an interval of 25 seconds by default.
This may cause unstable WDS or Mesh links and result in user access failures. You are
advised to run the capwap keep-alive times times-value command to set the number of
heartbeat packet transmissions to 6 or a larger value.
l In V200R007 and later versions, if WDS or Mesh is enabled simultaneously with dual-
link backup, the AC sends CAPWAP heartbeat packets three times at an interval of 25
seconds by default. This may cause unstable WDS or Mesh links and result in user
access failures. You are advised to run the capwap echo times times-value command to
set the number of heartbeat packet transmissions to 6 or a larger value.
l If an MP connects to a wired network, ensure that the MP does not communicate with
MPPs at Layer 2 through the wired network; otherwise, the MP connects to MPPs
through both Mesh links and wired links, which causes a network loop.
l Starting from V200R007, the Mesh profile supports FWA and vehicle-ground fast link
handover, which are mutually exclusive.

15.7 Mesh Interconnection Requirements


On a Mesh network, radios of APs with 802.11ac chips can interconnect only with radios of
neighbors with 802.11ac chips, and radios of APs with 802.11n chips can interconnect only
with radios of neighbors with 802.11n chips. Table 15-4 lists types of radio chips used by AP
models.

Table 15-4 Chips used by AP radios


AP Model        Radio 0 and Radio 1                            Radio 2
--------------  ---------------------------------------------  ------------------
R450D           Mesh not supported                             N/A
R250D-E         Mesh not supported                             N/A
R250D           Mesh not supported                             N/A
R251D-E         Mesh not supported                             N/A
R251D           Mesh not supported                             N/A
R240D           Mesh not supported                             N/A
R230D           Mesh not supported                             N/A
AP9330DN        Mesh not supported                             N/A
AP9132DN        Radio 0: 802.11n; Radio 1: 802.11ac            N/A
AP9131DN        Radio 0: 802.11n; Radio 1: 802.11ac            N/A
AP9130DN        802.11ac                                       N/A
AP8150DN        802.11ac                                       N/A
AP8050TN-HD     802.11ac                                       Mesh not supported
AP8082DN        802.11ac                                       N/A
AP8182DN        802.11ac                                       N/A
AP8130DN-W      802.11ac                                       N/A
AP8130DN        802.11ac                                       N/A
AP8050DN-S      802.11ac                                       N/A
AP8050DN        802.11ac                                       N/A
AP8030DN        802.11ac                                       N/A
AP7110SN-GN     Radio 0: 802.11n; Radio 1: N/A                 N/A
AP7110DN-AGN    802.11n                                        N/A
AP7050DN-E      802.11ac                                       N/A
AP7050DE        802.11ac                                       N/A
AP7052DE        802.11ac                                       N/A
AP7052DN        802.11ac                                       N/A
AP7152DN        802.11ac                                       N/A
AP7030DE        Mesh not supported                             N/A
AP6610DN-AGN    802.11n                                        N/A
AP6510DN-AGN    802.11n                                        N/A
AP6310SN-GN     Radio 0: Mesh not supported; Radio 1: N/A      N/A
AP6150DN        802.11ac                                       N/A
AP6050DN        802.11ac                                       N/A
AP6052DN        802.11ac                                       N/A
AP6010SN-GN     Radio 0: 802.11n; Radio 1: N/A                 N/A
AP6010DN-AGN    802.11n                                        N/A
AP5130DN        Radio 0: 802.11n; Radio 1: 802.11ac            N/A
AP5030DN        Radio 0: 802.11n; Radio 1: 802.11ac            N/A
AP5010SN-GN     Radio 0: 802.11n; Radio 1: N/A                 N/A
AP5010DN-AGN    802.11n                                        N/A
AP4151DN        802.11ac                                       N/A
AP4130DN        Radio 0: 802.11n; Radio 1: 802.11ac            N/A
AP4051DN        802.11ac                                       N/A
AP4050DN-HD     802.11ac                                       N/A
AP4050DN-E      802.11ac                                       N/A
AP4050DN-S      802.11ac                                       N/A
AP4050DN        802.11ac                                       N/A
AP4051TN        Radio 0: 802.11n; Radio 1: 802.11ac            Mesh not supported
AP4030TN        Radio 0: 802.11n; Radio 1: 802.11ac            Mesh not supported
AP4030DN        Radio 0: 802.11n; Radio 1: 802.11ac            N/A
AP2050DN-E      Mesh not supported                             N/A
AP2050DN        Mesh not supported                             N/A
AP2051DN-E      Mesh not supported                             N/A
AP2051DN        Mesh not supported                             N/A
AP2030DN        Mesh not supported                             N/A
AP2010DN        Mesh not supported                             N/A
AP1050DN-S      802.11ac                                       N/A
AD9430DN-24     Mesh not supported                             N/A
AD9431DN-24X    Mesh not supported                             N/A
AD9430DN-12     Mesh not supported                             N/A

15.8 Default Settings for Mesh


Table 15-5 lists the default settings for Mesh.

Table 15-5 Default settings for Mesh

Parameter                                                        Default Setting
---------------------------------------------------------------  ----------------
Security profile bound to a Mesh profile                         default-mesh
Mesh ID of a Mesh profile                                        HUAWEI-WLAN-MESH
Mesh role                                                        mesh-node
Default Mesh profile                                             default
Mesh whitelist profile                                           None
Maximum number of Mesh links that can be established on an MP    8
    NOTE: A maximum of 32 Mesh links can be established on an MP after the FWA mode is enabled.
Minimum RSSI of a Mesh link                                      -75 dBm
    NOTE: The minimum RSSI of a Mesh link is fixed as -90 dBm after the FWA mode is enabled.
Interval at which an MP reports Mesh link information to an AC   30s

15.9 Configuring the Mesh Function

Pre-configuration Tasks
In AC+Fit AP networking, you can configure the Mesh function to easily deploy a WLAN in
complex environments. This configuration saves network deployment cost, facilitates network
expansion, and implements flexible networking.

Before configuring the Mesh function, complete the following tasks:


l 5.8 Creating an AP Group
l 5.9.2 Configuring Network Interconnections
l 5.9.3 Configuring Country Codes
l 5.9.4 Configuring a Source Interface or Source Address

Configuration Procedure
Perform the following steps in the listed order.

15.9.1 Adding APs


Context
You can add APs in any of the following modes:
l Importing APs offline: The APs' MAC addresses and serial numbers (SNs) are
configured on an AC before APs go online. The AC starts to set up connections with the
APs if the MAC addresses or SNs of the APs match the configured ones.
l Configuring the AC to automatically discover an AP: The AP authentication mode is set
to no authentication; alternatively, the AP authentication mode is set to MAC or SN
authentication and the AP whitelist is configured on the AC. When an AP in the whitelist
connects to the AC, the AC discovers the AP, and the AP goes online.
l Manually confirming APs added to the list of unauthorized APs: The AP authentication
mode is set to MAC or SN authentication, and the AP whitelist is configured on the AC.
When an AP out of the whitelist connects to the AC, the AC adds the AP to the list of
unauthorized APs. After the AP identity is confirmed, the AP can go online.
On a Mesh network, you can deploy an AP as an MPP or MP based on the location of the AP,
as shown in Figure 15-7. Select a proper method to add APs on an AC according to actual
situations.

Figure 15-7 Mesh networking diagram
[Figure labels: Internet, AC, Switch, MPP, MP1 to MP4, STA; legend: Mesh link]

l mesh-portal (MPP): an MP that connects to a WMN or another type of network. An
MPP connects Mesh nodes to external networks. Each WMN has at least one MPP.
NOTE
To ensure high throughput, you are advised not to configure access VAPs on an MPP.
l mesh-node (MP): a node that provides both mesh service and user access service. All
nodes except MPPs on a WMN are MPs.

Procedure
l Add an AP offline.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the
AP to an AP blacklist.

By default, no AP is in an AP blacklist.

d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
The default AP authentication mode is MAC address authentication.
e. Run the ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | ap-sn
ap-sn | ap-mac ap-mac ap-sn ap-sn } ] or ap-mac ap-mac [ type-id type-id | ap-
type ap-type ] [ ap-id ap-id ] [ ap-sn ap-sn ] command to import the AP offline and
enter the AP view.
f. Run the ap-name ap-name command to configure the AP name.
By default, no AP name is configured for an AP.
g. Run the ap-group group-name command to add the AP to an AP group.
By default, no AP group is configured.
l Configure the AC to automatically discover an AP.
NOTE
If no AP name or AP group is configured for an automatically discovered AP on the AC, the
configuration file of the AP name or AP group will not be generated in the AP view.
If an AP is deleted from the AC, the configuration in the AP view will be automatically deleted.
– Set the AP authentication mode to no authentication.
i. Run the system-view command to enter the system view.
ii. Run the wlan command to enter the WLAN view.
iii. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add
the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
iv. Run the ap auth-mode no-auth command to set the AP authentication mode
to no authentication.
The default AP authentication mode is MAC address authentication.
NOTE

The non-authentication mode brings security risks. You are advised to set the
authentication mode to MAC address authentication or SN authentication, which is
more secure.
– Set the AP authentication mode to MAC address or SN authentication.
i. Run the system-view command to enter the system view.
ii. Run the wlan command to enter the WLAN view.
iii. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add
the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
iv. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
The default AP authentication mode is MAC address authentication.
v. Configure the AP whitelist.
○ Run the ap whitelist mac ap-mac1 [ to ap-mac2 ] command to add the
AP with the specified MAC address to the whitelist if the AP
authentication mode is set to MAC address authentication.
By default, no MAC address is added to the AP whitelist.

○ Run the ap whitelist sn ap-sn1 [ to ap-sn2 ] command to add the AP with
the specified SN to the whitelist if the AP authentication mode is set to
SN authentication.
By default, no SN is added to the AP whitelist.
l Manually confirm the AP added to the list of unauthorized APs.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the
AP to an AP blacklist.

By default, no AP is in an AP blacklist.
d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.

The default AP authentication mode is MAC address authentication.


e. Run the display ap unauthorized record command to check information about
unauthorized APs.
f. Run the ap-confirm { all | mac ap-mac | sn ap-sn } command to confirm the
unauthorized APs. After confirmation, the APs work in normal state.

----End

15.9.2 (Optional) Enabling the Backhaul Function on the 4.9 GHz Frequency Band

Context

WARNING
Before using the 4.9 GHz frequency band, ensure that you have obtained the 4.9 GHz license
from the local administrative department and use the band properly.

Only the AP8130DN-W supports the 4.9 GHz frequency band.

The 4.9 GHz frequency band is applicable to outdoor backhaul scenarios but not wireless
coverage services. It is mainly used by WDS and Mesh backhaul links. The 4.9 GHz
frequency band is out of the channel range reselected using DFS.

NOTE
The AP8130DN-W is sold only in regions outside China.

The following table lists channels and frequency distribution of the 4.9 GHz frequency band.

Channel No.   Parameters                Description
-----------   ------------------------  -----------
184           Frequency Band            4.9G
              Center Frequency (MHz)    4920
              Upper Frequency (MHz)     4910
              Lower Frequency (MHz)     4930
188           Frequency Band            4.9G
              Center Frequency (MHz)    4940
              Upper Frequency (MHz)     4930
              Lower Frequency (MHz)     4950
192           Frequency Band            4.9G
              Center Frequency (MHz)    4960
              Upper Frequency (MHz)     4950
              Lower Frequency (MHz)     4970
196           Frequency Band            4.9G
              Center Frequency (MHz)    4980
              Upper Frequency (MHz)     4970
              Lower Frequency (MHz)     4990

The 4.9 GHz frequency band supports channel bandwidths of 20 MHz and 40 MHz. Channels
184+188 or 192+196 can be bundled into a 40 MHz channel. Similar to the 5 GHz frequency
band, the 4.9 GHz frequency band complies with 802.11a/n/ac.

Procedure
Step 1 Run system-view
The system view is displayed.

Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run regulatory-domain-profile name profile-name
The regulatory domain profile is displayed.
By default, the system provides the regulatory domain profile default.
Step 4 Run wideband enable
The wideband function, that is, the 4.9 GHz frequency band, of the regulatory domain profile
is enabled.
By default, the wideband function of the regulatory domain profile is disabled.
After the wideband function of the regulatory domain profile is enabled, APs bound to this
profile are automatically reset.
You can configure channels and bandwidth of the 4.9 GHz frequency band only after the
wideband function of the regulatory domain profile is enabled.
Step 5 Run quit
Return to the WLAN view.
Step 6 Bind the regulatory domain profile to an AP group or AP.
l Binding the regulatory domain profile to an AP group
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the regulatory-domain-profile profile-name command to bind the regulatory
domain profile to the AP group.
By default, the regulatory domain profile default is bound to an AP group.
l Binding the regulatory domain profile to an AP
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the regulatory-domain-profile profile-name command to bind the regulatory
domain profile to the AP.
By default, no regulatory domain profile is bound to an AP.

----End

Verifying the Configuration


l Run the display regulatory-domain-profile { all | name profile-name } command to
check the status of the wideband function in the regulatory domain profile.
l Run the display references regulatory-domain-profile name profile-name command to
check reference information about the regulatory domain profile.

15.9.3 Configuring Mesh Radio Parameters

Context
To ensure that Mesh links can be set up successfully on a Mesh network, you need to
configure radio parameters for Mesh links according to actual service requirements.

l On a Mesh link, radios of adjacent Mesh APs must work on the same channel.
l You need to configure the radio coverage distance parameter based on distances between
APs. The APs automatically adjust the values of slottime, acktimeout, and ctstimeout
based on the configured distance parameter to set up Mesh links correctly.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Enter the radio view.
l Enter the AP group radio view.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
l Enter the AP radio view.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the radio radio-id command to enter the radio view.
Step 4 Run channel { 20mhz | 40mhz-minus | 40mhz-plus | 80mhz | 160mhz } channel or channel
80+80mhz channel1 channel2.
The working bandwidth and channel are configured for the radio.
By default, the working bandwidth of a radio is 20 MHz, and no working channel is
configured for a radio.
On a Mesh link, radios of adjacent Mesh APs must work on the same channel.
The 80 MHz, 160 MHz, and 80+80 MHz working bandwidths are only supported in the 5G
radio view.
802.11ac APs support the 80 MHz configuration, whereas four-spatial-stream 802.11ac APs
allow for the 160 MHz or 80+80 MHz configuration.
The AD9431DN-24X (including the mapping RUs), AD9430DN-24 (including the mapping
RUs), AD9430DN-12 (including the mapping RUs), AP6310SN-GN, AP2010DN,
AP7030DE, AP9330DN, AP2030DN, AP2050DN, AP2050DN-E, AP2051DN, and
AP2051DN-E do not support the Mesh function.
Working channels of radios vary according to countries and regions. To conform to local laws
and regulations, you need to configure different working channels under different country
codes. You can run the display ap configurable channel { ap-name ap-name | ap-id ap-id }
command to check the channels supported by the specified AP.
To use the 4.9 GHz frequency band to configure backhaul links, see Usage Guide of
wideband enable for channels and bandwidth of the 4.9 GHz frequency band. Only radios
working on the 5 GHz frequency band can use the 4.9 GHz frequency band. For example,
radio 1 of the AP8130DN-W can use the 4.9 GHz frequency band. Radio 0 of the
AP8130DN-W can also use the 4.9 GHz frequency band after it is configured to work on the
5 GHz frequency band using the frequency 5g command.

Step 5 Run coverage distance distance
The radio coverage distance parameter is specified.
By default, the radio coverage distance parameter is 3 (unit: 100 m) for all radios.
You can configure the radio coverage distance parameter based on distances between APs and
the APs automatically adjust the values of slottime, acktimeout, and ctstimeout based on the
configured distance parameter to improve data transmission efficiency.
Step 6 Run antenna-gain antenna-gain
The antenna gain is configured for the radio.
By default, no antenna gain is configured for AP radios.
The antenna gain is the ratio of the power density produced by an antenna to the power
density that would be obtained at the same point if the power accepted by the antenna were
radiated equally in all directions. It measures the capability of an antenna to receive and
send signals in a specified direction and is one of the most important parameters for
selecting a BTS antenna. Under the same conditions, a higher antenna gain allows the wave
to travel farther.
The antenna gain of an AP radio configured using the command must be consistent with the
gain of the antenna connected to the AP.
The maximum antenna gain should comply with laws and regulations of the corresponding
country. For details, see the Country Code & Channel Compliance Table. You can obtain this
table at Huawei technical support website.
l Enterprise technical support website: http://support.huawei.com/enterprise
l Carrier technical support website: http://support.huawei.com
Step 7 Run eirp eirp
The transmit power is configured for the radio.
By default, the transmit power of a radio is 127 dBm. The transmit power that takes effect on
APs is related to the AP type, country code, channel, and channel bandwidth. It is the
maximum transmit power supported by the AP radio under the current configuration. Run the
display radio { ap-name ap-name | ap-id ap-id } command to check the maximum value.
You can configure the transmit power for a radio based on actual network environments,
enabling radios to provide the required signal strength and improving signal quality on
WLANs.
Step 8 Run frequency 5g
Radio 0 is configured to work on the 5 GHz frequency band.
By default, radio 0 works on the 2.4 GHz frequency band, and radio 2 works on the 5 GHz
frequency band.
Among Mesh-capable APs, radio 0 of the AP8130DN and AP8130DN-W supports the 2.4 GHz
and 5 GHz frequency bands but can work on only one frequency band at a time. If you
configure radio 0 of the AP8130DN and AP8130DN-W to work on the 5 GHz frequency band,
the AP8130DN and AP8130DN-W can then work in dual-5G mode.
Step 9 Run quit
Return to the AP group view or AP view.

Step 10 Run quit

Return to the WLAN view.

Step 11 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name

The 2G or 5G radio profile view is displayed.

Step 12 Run wifi-light signal-strength

The blinking frequency of the Wireless indicator on the AP is configured to reflect the signal
strength.

By default,
l If the Mesh function is enabled on the AP, the blinking frequency of the Wireless LED
reflects the weakest signal strength of all neighboring APs.
l If WDS is enabled on an AP, the blinking frequency of the Wireless LED reflects the
strength of signals received from a WDS AP.
– If the AP works in leaf mode, the blinking frequency of the Wireless LED reflects
the strength of signals received from a middle AP.
– If the AP works in middle mode, the blinking frequency of the Wireless LED
reflects the strength of signals received from a root AP.
– If the AP works in root mode, the blinking frequency of the Wireless LED reflects
the weakest signal strength of middle APs.
l If the WDS and Mesh functions are disabled on an AP, the blinking frequency of the
Wireless LED reflects the service traffic volume on the radio.

During installation and commissioning of an AP that has the WDS or Mesh function enabled,
you need to adjust AP locations and antenna directions to obtain strong signals. If the blinking
frequency of the Wireless LED shows the signal strength, onsite installation personnel can
see the signal strength in real time. The wifi-light command allows you to specify the
parameter reflected by the blinking frequency of the Wireless LED. For example, you can
set the parameter to signal strength during installation and to service traffic volume after
installation.

NOTE

This command takes effect only when the AP has the WDS or Mesh function enabled. If the WDS and Mesh
functions are disabled on the AP, the Wireless LED always shows service traffic volume.

Step 13 (Optional) Configure the frame aggregation function and length of the aggregated frames.

The frame aggregation function can improve the channel resource usage efficiency and
overall WDS network performance.
l Configure the frame aggregation function for the 802.11n protocol.
a. Run the undo ht a-mpdu disable command to enable the frame aggregation
function for the 802.11n protocol.
By default, aggregation of MPDUs is enabled.
b. Run the ht a-mpdu max-length-exponent max-length-exponent-index command to
set the length of aggregated frames for the 802.11n protocol.
By default, the index for the maximum length of an A-MPDU is 3. The maximum
length of the A-MPDU is 65535 bytes.
l Configure the frame aggregation function for the 802.11ac protocol.

Run the vht a-mpdu max-length-exponent max-length-exponent-index command to set
the length of aggregated frames for the 802.11ac protocol.
By default, the index for the maximum length of an A-MPDU is 7. The maximum length
of the A-MPDU is 1048575 bytes.
NOTE
The length of an A-MPDU can only be configured in a 5G radio profile.
All frames on radios working in 802.11ac mode are A-MPDUs. Therefore, you do not need to
enable the frame aggregation function for the 802.11ac protocol.

Step 14 (Optional) Run beamforming enable
The beamforming function is enabled.
By default, Beamforming is disabled.
Beamforming can enhance signals at a particular angle (for target users), attenuate signals at
another angle (for non-target users or obstacles), and extend the radio coverage area.
If nodes on the WDS or Mesh network are fixed and distant from each other, enable
beamforming to increase WDS or Mesh link SNR. Mobile nodes may cause low link SNR in
WDS or Mesh scenarios. To prevent this problem, disable beamforming.
For details on how to configure other radio parameters, see 5.11.1.4 (Optional) Adjusting
Radio Parameters of basic WLAN service configuration.

----End

Follow-up Procedure
In the AP group view or AP view, run the radio-2g-profile profile-name { radio { radio-id |
all } } or radio-5g-profile profile-name { radio { id | all } } command to bind the 2.4G or 5G
radio profile to the AP radio. Alternatively, you can run the radio-2g-profile profile-name or
radio-5g-profile profile-name command in the AP group radio view or AP radio view to bind
the 2.4G or 5G radio profile to the AP radio.

15.9.4 Configuring Parameters for an AP's Wired Interface

Context
You can configure the wired interface on an MPP to connect to the AC or configure the wired
interface on an AP to deploy a Layer 2 network or directly associate with STAs.
On Mesh networks, an AP wired interface can work in the following modes:
l root mode: The wired interface that connects the MPP to the AC must work in root
mode.
l endpoint mode: When the wired interface of an AP works in endpoint mode, the AP's
wired interface can directly connect to a STA or be used to deploy Layer 2 networks.

Procedure
Step 1 Run system-view
The system view is displayed.

Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run wired-port-profile name profile-name
An AP wired port profile is created and the AP wired port profile view is displayed.
By default, the system provides the AP wired port profile default.
Step 4 Run mode { root | endpoint }
A working mode is configured for the AP's wired interface.
By default,
l On a common AP: Its GE interfaces work in root mode, Ethernet interfaces in endpoint
mode, and Eth-Trunk interfaces in root mode.
l On a central AP: Its uplink GE interfaces work in root mode and downlink GE interfaces
in middle mode.
l On an R230D: Its Ethernet interface works in root mode.
l On an R240D: Its Ethernet interface works in endpoint mode and GE interface in root
mode.
l On an R250D, R250D-E, AP2050DN, AP2051DN, AP2051DN-E, R251D, R251D-E
and AP2050DN-E: Their uplink GE interfaces work in root mode and downlink GE
interfaces in endpoint mode.
l On an R450D: Its GE interface works in root mode.

NOTE

After changing the working mode of an AP's wired interface, run the ap-reset command to reset the AP
for the configuration to take effect.

Step 5 Run vlan { tagged | untagged } { vlan-id1 [ to vlan-id2 ] } &<1-10>
The VLAN to which the AP's wired interface is added is specified.
By default, an AP wired interface allows packets from all VLANs to pass. The wired interface
is added to VLAN 1 in untagged mode and to other VLANs in tagged mode.
When an AT connects to an MPP through a Mesh link, run the vlan { tagged | untagged }
{ vlan-id1 [ to vlan-id2 ] } &<1-10> command to add the AP's wired interface to the VLAN
used by the AT; otherwise, the AT cannot communicate with the AP. If the service VLAN of
the AP is the same as the VLAN used by the AT, you do not need to run the command
because the AP's wired interface automatically joins the VLAN after the AP receives the
service VLAN configuration from the AC.

NOTE

An AP wired interface can be added to a maximum of 256 VLANs.

Step 6 Run vlan pvid vlan-id
A PVID is configured for the AP's wired interface.
By default, no PVID is configured for an AP wired interface.
Step 7 Run user-isolate { all | l2 }
User isolation is enabled on the AP's wired interface.

By default, user isolation is disabled on an AP's wired interface.

----End

Follow-up Procedure
Run the wired-port-profile profile-name interface-type interface-number command in the AP
group view or AP view to bind the specified AP wired port profile to the AP's wired interface.

15.9.5 Configuring a Security Profile

Context
You need to configure a security profile and a security policy for the Mesh to ensure security.
The WPA2+PSK+AES security policy is recommended for a Mesh security profile. For
details about WPA2, PSK, and AES, see 11 WLAN Security Configuration.
NOTE

The security policy can be set to open system authentication only for the Mesh network in rail
transportation scenarios.

By default, the system provides the Mesh profile default. Both the default Mesh profile
default and a self-defined Mesh profile have the security profile default-mesh referenced by
default. In the security profile default-mesh, the security policy is set to WPA2+PSK+AES
and the security key to huawei_secmesh. If the default security profile default-mesh is used,
you are advised to change the security key of the profile to ensure security.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run security-profile name profile-name
A security profile is created, and the security profile view is displayed.
By default, security profiles default, default-wds, and default-mesh are available in the
system.
Step 4 Run security wpa2 psk { pass-phrase | hex } key-value aes
A security policy is configured for the security profile.

----End

15.9.6 Configuring a Mesh Whitelist

Context
A Mesh whitelist specifies the MAC addresses of neighboring APs that are allowed to
connect to an AP. After a Mesh whitelist is bound to a radio of an AP, only the neighboring
APs with the MAC addresses in the whitelist can connect to the AP, and other APs are denied
access.
If no Mesh whitelist is configured, APs may establish Mesh links with neighboring APs
randomly, wasting limited Mesh link resources. When the number of established Mesh links
reaches the maximum, the APs cannot establish more Mesh links with neighboring APs that
require Mesh links. In addition, because there may be rogue neighboring APs, potential
security risks exist if no Mesh whitelist is configured.

NOTE

In a scenario where ATs access a Mesh network, only ATs can connect to the MPP. You can allow all
neighboring ATs to access the MPP without configuring a Mesh whitelist. Alternatively, you can
configure a Mesh whitelist to allow only neighboring ATs whose MAC addresses are specified in the
Mesh whitelist to connect to the MPP. However, in other Mesh application scenarios, a Mesh profile
must have a Mesh whitelist profile bound, and the Mesh whitelist profile must have MAC addresses
configured.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run mesh-whitelist-profile name whitelist-name
A Mesh whitelist profile is created, and the Mesh whitelist profile view is displayed.
By default, no Mesh whitelist profile is available in the system.
Step 4 Run peer-ap mac mac-address
MAC addresses of neighboring APs that are allowed to connect to an AP are added to the
Mesh whitelist profile.
By default, no MAC address of a neighboring AP is added to a Mesh whitelist profile.
Step 5 Run quit
Return to the WLAN view.
Step 6 Enter the radio view.
● Enter the AP group radio view.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the radio radio-id command to enter the radio view.
● Enter the AP radio view.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the radio radio-id command to enter the radio view.
Step 7 Run mesh-whitelist-profile whitelist-name
The Mesh whitelist profile is bound to the AP radio.
By default, no Mesh whitelist profile is bound to an AP radio.


When the AT accesses the MPP through a Mesh link, the Mesh whitelist is optional. You can
determine whether to configure a Mesh whitelist to control AT access as required.

----End

15.9.7 Configuring a Mesh Role and Mesh Profile

Context
On a Mesh network shown in Figure 15-8, you need to deploy APs as MPPs or MPs based on
AP locations.

● mesh-portal (MPP): an MP that connects to a WMN or another type of network. An
  MPP connects Mesh nodes to external networks. Each WMN has at least one MPP.
  NOTE
  To ensure high throughput, you are advised not to configure access VAPs on an MPP.
● mesh-node (MP): a node that provides both mesh service and user access service. All
  nodes except MPPs on a WMN are MPs.

Figure 15-8 Mesh networking diagram
[Figure: Internet, AC, Switch, MPP, MP1 to MP4, and STAs; legend: Mesh link]


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
The AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run mesh-role { mesh-portal | mesh-node }
A Mesh role is configured.
By default, the Mesh role of an AP is mesh-node in the AP system profile.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run mesh-profile name profile-name
A Mesh profile is created, and the Mesh profile view is displayed.
By default, the system provides the Mesh profile default.
Step 7 Run mesh-id name
A Mesh ID is configured. Mesh nodes use a Mesh ID to identify connections between them.
By default, the Mesh ID of a Mesh profile is HUAWEI-WLAN-MESH.
Step 8 Run security-profile profile-name
A security profile is bound to the Mesh profile.
By default, the security profile default-mesh is bound to a Mesh profile.

NOTE

By default, the system provides the Mesh profile default. Both the default Mesh profile default and a
self-defined Mesh profile have the security profile default-mesh referenced by default. In the security
profile default-mesh, the security policy is set to WPA2+PSK+AES and the security key to
huawei_secmesh. If the default security profile default-mesh is used, you are advised to change the
security key of the profile to ensure security.

Step 9 (Optional) Improve channel usage efficiency.


1. Run the beacon-2g-rate beacon-2g-rate command to set the transmit rate of 2.4 GHz
Beacon frames.
By default, the transmit rate of 2.4 GHz Beacon frames is 1 Mbit/s.
2. Run the beacon-5g-rate beacon-5g-rate command to set the transmit rate of 5 GHz
Beacon frames.
By default, the transmit rate of 5 GHz Beacon frames is 6 Mbit/s.


Step 10 (Optional) Run max-link-number link-num

The maximum number of Mesh links allowed on an AP is configured.

By default, a maximum of eight mesh links can be established between APs. After you enable
FWA for a mesh profile using the fwa enable command, a maximum of 32 mesh links can be
established between APs by default.

Step 11 (Optional) Run link-rssi-threshold threshold-value

The RSSI threshold of a Mesh link is configured. When the minimum RSSI of all Mesh links
on the optimal route to the current MPP is lower than the RSSI threshold of a Mesh link, the
MP reselects Mesh links.

By default, the RSSI threshold of a mesh link is -75 dBm. After the FWA mode is enabled in
a Mesh profile, the RSSI threshold of a Mesh link is fixed as -90 dBm.

Step 12 (Optional) Run link-aging-time aging-time

The aging time of a Mesh link is specified.

The default aging time of a Mesh link is 60 seconds.

Step 13 (Optional) Run link-report-interval report-interval

The interval at which an MP reports Mesh link information to an AC is specified.

By default, an MP reports Mesh link information to the AC at an interval of 30 seconds.

Step 14 (Optional) Run dhcp trust port

A DHCP trusted port is enabled in the Mesh profile.

By default, a DHCP trusted port is enabled in a Mesh profile.

NOTE

After a DHCP trusted port is enabled in a Mesh profile and the Mesh profile is applied to an AP, the AP
receives the DHCP OFFER, ACK, and NAK packets sent by authorized DHCP servers and forwards the
packets to STAs so that the STAs can obtain valid IP addresses and go online.

Step 15 (Optional) Run priority-map trust { dot1p | dscp }

The priority mapping trusted by the Mesh air interface is configured.

By default, the Mesh air interface trusts the mapping from DSCP priorities to 802.11e user
priorities.

Step 16 (Optional) Run priority-map dscp { dscp-value1 [ to dscp-value2 ] } &<1-10> dot11e dot11e-value

The Mesh air interface is configured to trust the mapping from DSCP priorities to 802.11e
user priorities.

Table 15-6 describes the mapping from DSCP priorities to 802.11e user priorities by default.

Table 15-6 Mapping from DSCP priorities to 802.11e user priorities

DSCP Priority    802.11e User Priority
0-7              0
8-15             1
16-23            2
24-31            3
32-39            4
40-47            5
48-55            6
56-63            7

Step 17 Run quit

Return to the WLAN view.

Step 18 Run ap-system-profile name profile-name

An AP system profile is created, and the AP system profile view is displayed.

By default, the system provides the AP system profile default.

Step 19 (Optional) Run mpp-active-reselection enable

Active MPP reselection is enabled.

By default, active MPP reselection is disabled.

Step 20 Run quit

Return to the WLAN view.

Step 21 Apply the Mesh profile. You can use any of the following methods according to actual
situations:
● Bind the Mesh profile to an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the mesh-profile profile-name radio { all | radio-id } command to bind the
     Mesh profile to the AP group.
     By default, no Mesh profile is bound to an AP group or AP.
     NOTE
     A Mesh link uses the VAP with the WLAN ID 16, which cannot be occupied by other WLAN
     services.
● Bind the Mesh profile to an AP.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the mesh-profile profile-name radio { all | radio-id } command to bind the
     Mesh profile to the AP.
     By default, no Mesh profile is bound to an AP group or AP.
     NOTE
     A Mesh link uses the VAP with the WLAN ID 16, which cannot be occupied by other WLAN
     services.
● Bind the Mesh profile to AP group radios.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the radio radio-id command to enter the radio view.
  c. Run the mesh-profile profile-name command to bind the Mesh profile to AP group
     radios.
     By default, no Mesh profile is bound to an AP radio.
     NOTE
     A Mesh link uses the VAP with the WLAN ID 16, which cannot be occupied by other WLAN
     services.
● Bind the Mesh profile to an AP radio.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the radio radio-id command to enter the radio view.
  c. Run the mesh-profile profile-name command to bind the Mesh profile to the AP
     radio.
     By default, no Mesh profile is bound to an AP radio.
     NOTE
     A Mesh link uses the VAP with the WLAN ID 16, which cannot be occupied by other WLAN
     services.

----End

15.9.8 (Optional) Enabling FWA


Context
NOTE

You need to enable FWA only when ATs are connected to remote APs.

As shown in Figure 15-9, the outdoor AT needs to connect to the remote AP through a Mesh
link in wireless mode to provide network access for users connected to the outdoor AT. You
need to configure the Mesh service and enable FWA so that the AT can connect to the remote
AP.


Figure 15-9 Networking diagram of the AT application
[Figure: Internet, AC, Switch, AP, AT, Home gateway, STA, and PC; legend: Mesh link]

NOTE

Only the AP6510DN-AGN and AP6610DN-AGN can function as a remote AP to provide access to the AT.
An AT can connect only to one remote AP, and the remote AP must be an MPP.
This document provides the Mesh service configuration on the remote AP. For details about the Mesh service
configuration on the AT, see section AT Wireless Access Configuration in the Huawei Wireless Access
Terminal Configuration Guide.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run mesh-profile name profile-name
The Mesh profile view is displayed.
Step 4 Run fwa enable
FWA is enabled in the Mesh profile.
By default, FWA is disabled for a Mesh profile.

NOTE

FWA and vehicle-ground fast link handover are mutually exclusive in a Mesh profile.
After you enable FWA for a Mesh profile using the fwa enable command, the default value of link-num in the
max-link-number link-num command is 32, and the value ranges from 1 to 32.
After you enable FWA in a Mesh profile using the fwa enable command, the RSSI threshold of a Mesh link
is fixed as -90 dBm, and not changed by the link-rssi-threshold command.
After you enable FWA in a Mesh profile using the fwa enable command, you can complete Mesh service
configuration without the need to bind a Mesh whitelist profile to the Mesh profile.
After you enable FWA for a Mesh profile using the fwa enable command, the radio bound to the Mesh
profile allows access from only ATs. To prevent a Mesh service configuration failure, do not enable
FWA when ATs are not used.

Step 5 Run fwa wmm edca-mode { auto | manual }
The EDCA mode is configured.
By default, the automatic EDCA mode is used.
● The remote AP automatically adjusts EDCA parameters based on the number of ATs in
  automatic EDCA mode.
  NOTE
  In automatic EDCA mode, the EDCA parameters manually configured using the fwa wmm edca-client
  command do not take effect on the AP.
● In manual mode, you can run the fwa wmm edca-client command to configure EDCA
  parameters of the AT. The remote AP negotiates with the AT according to the configured
  parameters.
Table 15-7 lists the default EDCA parameter settings.

Table 15-7 Default EDCA parameter settings

Packet Type    Parameters    Description
AC_VO          ECWmax        3
               ECWmin        2
               AIFSN         2
               TXOPLimit     47
AC_VI          ECWmax        4
               ECWmin        3
               AIFSN         2
               TXOPLimit     94
AC_BE          ECWmax        10
               ECWmin        4
               AIFSN         3
               TXOPLimit     0
AC_BK          ECWmax        10
               ECWmin        4
               AIFSN         7
               TXOPLimit     0

You need to configure EDCA parameters according to actual scenarios. Table 15-8
shows the configuration of EDCA parameters in voice scenarios, and Table 15-9 shows
the configuration in voice and video hybrid scenarios.


Table 15-8 Recommended configuration of EDCA parameters in voice scenarios

Packet Type    Parameters    Description
AC_VO          ECWmax        4
               ECWmin        2
               AIFSN         2
               TXOPLimit     0
AC_VI          ECWmax        5
               ECWmin        3
               AIFSN         5
               TXOPLimit     0
AC_BE          ECWmax        10
               ECWmin        6
               AIFSN         5
               TXOPLimit     0
AC_BK          ECWmax        10
               ECWmin        8
               AIFSN         12
               TXOPLimit     0

Table 15-9 Recommended configuration of EDCA parameters in voice and video hybrid
scenarios

Packet Type    Parameters    Description
AC_VO          ECWmax        4
               ECWmin        2
               AIFSN         2
               TXOPLimit     0
AC_VI          ECWmax        5
               ECWmin        3
               AIFSN         5
               TXOPLimit     0
AC_BE          ECWmax        10
               ECWmin        6
               AIFSN         12
               TXOPLimit     0
AC_BK          ECWmax        10
               ECWmin        8
               AIFSN         12
               TXOPLimit     0

----End

15.9.9 Verifying the Mesh Configuration

Prerequisites
The Mesh configuration is complete.

Procedure
● Run the display references mesh-profile name profile-name command to check
  reference information of a specified Mesh profile.
● Run the display mesh-profile { all | name profile-name } command to check
  information about a Mesh profile.
● Run the display references mesh-whitelist-profile name whitelist-name command to
  check reference information of a specified Mesh whitelist profile.
● Run the display mesh-whitelist-profile { all | name whitelist-name } command to check
  information about a Mesh whitelist profile.

----End
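
The two security conditions from sections 15.9.6 and 15.9.7 (a populated Mesh whitelist bound to every Mesh radio unless FWA is enabled, and a key other than the default huawei_secmesh) can also be checked on a configuration script before it is applied. The following Python audit is an added example, not Huawei code: it covers bindings made in the AP group radio view, assumes the script is the complete Mesh configuration, and uses a constructed sample script whose key value and the names legacy, at-access, and empty-list are hypothetical.

```python
import re

DEFAULT_SEC_PROFILE = "default-mesh"  # guide: bound to Mesh profiles by default
DEFAULT_KEY = "huawei_secmesh"        # guide: key shipped in default-mesh
PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")  # "[AC-wlan-view] " etc.
VIEWS = {"security-profile": "sec", "mesh-profile": "mesh",
         "mesh-whitelist-profile": "wl", "ap-group": "scope"}

# Constructed sample script (not from a device); commands are those in this guide.
SAMPLE = """
security-profile name mesh-sec
 security wpa2 psk pass-phrase Example-Key-0001 aes
 quit
mesh-whitelist-profile name mesh-list
 peer-ap mac 60de-4476-e360
 quit
mesh-whitelist-profile name empty-list
 quit
mesh-profile name mesh-net
 security-profile mesh-sec
 quit
mesh-profile name legacy
 quit
mesh-profile name at-access
 fwa enable
 quit
ap-group name mesh-mpp
 radio 0
  mesh-profile at-access
  quit
 radio 1
  mesh-profile mesh-net
  mesh-whitelist-profile mesh-list
  quit
 quit
ap-group name mesh-mp
 radio 0
  mesh-profile mesh-net
  mesh-whitelist-profile empty-list
  quit
 radio 1
  mesh-profile legacy
  quit
 quit
"""

def parse(script):
    """Replay the script, tracking the current view; return profiles and radio bindings."""
    keys, mesh, wl, radios, stack = {}, {}, {}, {}, []
    for raw in script.splitlines():
        w = PROMPT.sub("", raw).split()
        if not w:
            continue
        view = stack[-1] if stack else ("system", "")
        if w[0] == "quit":
            del stack[-1:]  # leave the current view (no-op at top level)
        elif len(w) == 3 and w[1] == "name":  # "<object> name <x>" enters a view
            kind = VIEWS.get(w[0], "other")
            stack.append((kind, "ap-group " + w[2] if kind == "scope" else w[2]))
            if kind == "mesh":
                mesh.setdefault(w[2], {"sec": DEFAULT_SEC_PROFILE, "fwa": False})
            elif kind == "wl":
                wl.setdefault(w[2], set())
        elif w[0] == "radio" and len(w) == 2 and view[0] == "scope":
            stack.append(("radio", view[1] + " radio " + w[1]))
            radios.setdefault(stack[-1][1], {"mesh": None, "wl": None})
        elif view[0] == "sec" and w[:3] == ["security", "wpa2", "psk"] and len(w) >= 5:
            keys[view[1]] = w[4]  # key-value follows { pass-phrase | hex }
        elif view[0] == "mesh" and w[0] == "security-profile" and len(w) == 2:
            mesh[view[1]]["sec"] = w[1]
        elif view[0] == "mesh" and w == ["fwa", "enable"]:
            mesh[view[1]]["fwa"] = True
        elif view[0] == "wl" and w[:2] == ["peer-ap", "mac"] and len(w) == 3:
            wl[view[1]].add(w[2].lower())
        elif view[0] == "radio" and len(w) == 2 and w[0] in ("mesh-profile", "mesh-whitelist-profile"):
            radios[view[1]]["mesh" if w[0] == "mesh-profile" else "wl"] = w[1]
    return keys, mesh, wl, radios

def audit(script):
    """Return (radio, finding, object) tuples for radios that carry a Mesh profile."""
    keys, mesh, wl, radios = parse(script)
    findings = []
    for radio, bound in sorted(radios.items()):
        if bound["mesh"] is None:
            continue
        cfg = mesh.get(bound["mesh"], {"sec": DEFAULT_SEC_PROFILE, "fwa": False})
        # Assumption: default-mesh keeps its shipped key unless the script changes it.
        key = keys.get(cfg["sec"], DEFAULT_KEY if cfg["sec"] == DEFAULT_SEC_PROFILE else None)
        if key == DEFAULT_KEY:
            findings.append((radio, "DEFAULT_KEY", bound["mesh"]))
        if cfg["fwa"]:
            continue  # guide: no whitelist needs to be bound once FWA is enabled
        if bound["wl"] is None:
            findings.append((radio, "NO_WHITELIST", bound["mesh"]))
        elif not wl.get(bound["wl"]):
            findings.append((radio, "EMPTY_WHITELIST", bound["wl"]))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Lines copied from a CLI session work as input too, because the bracketed prompt is stripped before each command is interpreted.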

15.10 Maintaining Mesh Links

15.10.1 Checking Information About Mesh Links

Procedure
● Run the display mesh vap { ap-group ap-group-name | ap-id ap-id [ radio radio-id ] |
  ap-name ap-name [ radio radio-id ] } [ mesh-id mesh-id ] command to check
  information about Mesh VAPs.
● Run the display mesh vap { all | mesh-id mesh-id } command to check information
  about Mesh VAPs of a specified Mesh ID or all Mesh IDs.
● Run the display wlan mesh link { all | ap-id ap-id [ radio radio-id ] | ap-name ap-name
  [ radio radio-id ] | mesh-profile profile-name } command to check information
  about Mesh links.

----End

15.10.2 Configuring Antenna Alignment VAPs

Context
During Mesh network deployment, you can configure antenna alignment VAPs for Mesh
nodes to facilitate antenna alignment between neighboring APs. When commissioning the
network onsite, connect a mobile terminal to an antenna alignment VAP and start the antenna
alignment program on the terminal to collect signal strength information of the peer AP radio.
The collected information makes antenna alignment easier.

You can log in to the Huawei technical support website and search for Probe Handset Unit to
download the Antenna Alignment program.

● Enterprise technical support website: http://support.huawei.com/enterprise
● Carrier technical support website: http://support.huawei.com

Procedure
● Configure the default antenna alignment VAP.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Run the ap-system-profile name profile-name command to create an AP system
     profile and enter the AP system profile view.
     By default, the system provides the AP system profile default.
  d. Run the undo temporary-management disable command to enable the antenna
     alignment VAP functions.
     By default, offline management VAP and antenna alignment VAP functions are
     enabled.
  e. (Optional) Run the temporary-management psk command to change the password
     for the default SSID (hw_manage_xxxx) of the antenna alignment VAP.
     The default password of an offline management VAP or antenna alignment VAP is
     hw_manage.
  f. Run the quit command to return to the WLAN view.
  g. Apply the AP system profile using any of the following methods:
     ■ Bind the AP system profile to an AP group.
       1) Run the ap-group name group-name command to enter the AP group
          view.
       2) Run the ap-system-profile profile-name command to bind the AP system
          profile to an AP group.
          By default, the AP system profile default is bound to an AP group, but no
          AP system profile is bound to an AP.
     ■ Bind the AP system profile to an AP.
       1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
          enter the AP view.
       2) Run the ap-system-profile profile-name command to bind the AP system
          profile to an AP.
          By default, the AP system profile default is bound to an AP group, but no
          AP system profile is bound to an AP.
● Create an antenna alignment VAP.
  a. Run the system-view command to enter the system view.
  b. Run the wlan command to enter the WLAN view.
  c. Configure a security profile.
     i. Run the security-profile name profile-name command to create a security
        profile used by the antenna alignment VAP and enter the security profile view.
        By default, security profiles default, default-wds, and default-mesh are
        available in the system.
     ii. Run the security { wpa | wpa2 | wpa-wpa2 } psk { pass-phrase | hex } key-value
        { aes | tkip | aes-tkip } command to configure a security policy and a
        key.
        By default, the security policy is open system.
        NOTE
        The antenna alignment VAP supports only the WEP or WPA/WPA2 PSK authentication
        mode. You can run the security wep share-key and wep key key-id { wep-40 | wep-104 |
        wep-128 } { pass-phrase | hex } key-value commands to configure WEP authentication.
     iii. Run the quit command to return to the WLAN view.
  d. Configure an SSID profile.
     i. Run the ssid-profile name profile-name command to create an SSID profile
        and enter the SSID profile view.
        By default, the system provides the SSID profile default.
     ii. Run the ssid ssid command to configure an SSID name.
        By default, the SSID HUAWEI-WLAN is configured in an SSID profile.
     iii. Run the quit command to return to the WLAN view.
  e. Configure a VAP profile, and bind it to the SSID profile and the security profile.
     i. Run the vap-profile name profile-name command to create a VAP profile and
        enter the VAP profile view.
        By default, the system provides the VAP profile default.
     ii. Run the temporary-management enable command to configure the VAPs as
        an antenna alignment VAP.
        By default, a VAP is a service VAP.
     iii. Run the ssid-profile profile-name command to bind the SSID profile to the
        VAP profile.
        By default, the SSID profile default is bound to a VAP profile.
     iv. Run the security-profile profile-name command to bind the security profile to
        the VAP profile.
        By default, the security profile default is bound to a VAP profile.

     v. Run the quit command to return to the WLAN view.
  f. Configure an AP system profile, and enable the antenna alignment VAP functions in
     the AP system profile.
     i. Run the ap-system-profile name profile-name command to create an AP
        system profile and enter the AP system profile view.
        By default, the system provides the AP system profile default.
     ii. Run the undo temporary-management disable command to enable the
        antenna alignment VAP functions.
        By default, offline management VAP and antenna alignment VAP functions are
        enabled.
     iii. Run the quit command to return to the WLAN view.
  g. Apply the VAP profile using any of the following methods:
     NOTE
     ● VAPs 1 to 12 and VAP 15 are used for the antenna alignment VAP configuration. Before
       using these VAPs, ensure that they are not used by other WLAN services.
     ● VAPs 13 and 14 are used for the WDS service. Before using these VAPs, ensure that they are
       not used by other WLAN services.
     ● VAP 16 is used for the Mesh service. Before using this VAP, ensure that it is not used by other
       WLAN services.
     ■ Bind the VAP profile to an AP group.
       1) Run the ap-group name group-name command to enter the AP group
          view.
       2) Run the vap-profile profile-name wlan wlan-id radio { radio-id | all }
          command to bind the VAP profile to the radio.
          By default, no VAP profile is bound to a radio.
     ■ Bind the VAP profile to an AP.
       1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
          enter the AP view.
       2) Run the vap-profile profile-name wlan wlan-id radio { radio-id | all }
          command to bind the VAP profile to the radio.
          By default, no VAP profile is bound to a radio.
     ■ Bind the VAP profile to radios of an AP group.
       1) Run the ap-group name group-name command to enter the AP group
          view.
       2) Run the radio radio-id command to enter the radio view.
       3) Run the vap-profile profile-name wlan wlan-id command to bind the
          VAP profile to radios.
          By default, no VAP profile is bound to a radio.
     ■ Bind the VAP profile to an AP radio.
       1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
          enter the AP view.
       2) Run the radio radio-id command to enter the radio view.
       3) Run the vap-profile profile-name wlan wlan-id command to bind the
          VAP profile to radios.
          By default, no VAP profile is bound to a radio.
  h. Run the quit command until you return to the WLAN view.
  i. Apply the AP system profile using any of the following methods:
     ■ Bind the AP system profile to an AP group.
       1) Run the ap-group name group-name command to enter the AP group
          view.
       2) Run the ap-system-profile profile-name command to bind the AP system
          profile to an AP group.
          By default, the AP system profile default is bound to an AP group, but no
          AP system profile is bound to an AP.
     ■ Bind the AP system profile to an AP.
       1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
          enter the AP view.
       2) Run the ap-system-profile profile-name command to bind the AP system
          profile to an AP.
          By default, the AP system profile default is bound to an AP group, but no
          AP system profile is bound to an AP.

----End

15.11 Configuration Examples for Mesh

15.11.1 Example for Configuring Mesh Services

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
An enterprise has three areas: Area A, Area B, and Area C. Restricted by geographical
locations, the AP in Area A can be deployed in wired mode, but wired deployment of APs is
costly in Area B and Area C. The enterprise requires that APs be deployed in Area B and
Area C at low cost.

As shown in Figure 15-10, a Mesh network is deployed to connect AP_2 and AP_3 to AP_1
through Mesh links, which can reduce network construction cost.


Figure 15-10 Mesh networking diagram
[Figure: Network, AC, Switch_B, and Switch_A with interfaces GE0/0/1 and GE0/0/2; AP_1 (MPP) in Area A, AP_2 (MP) in Area B, and AP_3 (MP) in Area C; legend: Mesh link]

Configuration Roadmap
1. Configure network connectivity and enable the AP (MPP) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B and Area C to go online on the
AC through Mesh links.

NOTE

In this example, Switch_A (access switch) and Switch_B (aggregation switch) are Huawei products.

Table 15-10 AP data required for completing the configuration

AP      Type        MAC
AP_1    AP8130DN    60de-4474-9640
AP_2    AP8130DN    60de-4476-e360
AP_3    AP8130DN    dcd2-fcf6-76a0

Table 15-11 Data required for completing the configuration

Item                           Data
Management VLAN for APs        VLAN 100
DHCP server                    The AC functions as a DHCP server to allocate IP addresses to APs.
                               Address pool: 10.23.100.2-10.23.100.254/24
AC's source interface          VLANIF 100: 10.23.100.1/24
Mesh profile name              Name: mesh-net
Mesh role                      ● AP_1: Mesh-portal (MPP)
                               ● AP_2: Mesh-node (MP)
                               ● AP_3: Mesh-node (MP)
Mesh ID                        Name: mesh-net
Mesh whitelist                 Name: mesh-list
AP system profile              Name: mesh-sys
Radio used by Mesh services    Radio 1:
                               ● Bandwidth: 40mhz-plus
                               ● Channel: 157
                               ● Radio coverage distance parameter: 4 (unit: 100 m)
Security profile               ● Name: mesh-sec
                               ● Security policy: WPA2+PSK+AES
                               ● Password type: PASS-PHRASE
                               ● Password: a1234567
AP group                       ● mesh-mpp: AP_1
                               ● mesh-mp: AP_2 and AP_3

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the AC to communicate with AP_1.
# Configure access switch Switch_A. Add GE0/0/1 to VLAN 100 (management VLAN) and
set the PVID of the interface to VLAN 100. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit

# Configure aggregation switch Switch_B. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit

# Configure GE0/0/1 that connects the AC to the aggregation switch to allow packets from
VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 2 Configure the AC as a DHCP server to allocate IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 3 Configure the AP groups, country code, and AC's source interface.
# Create AP groups for MPPs and MPs respectively and add APs that require the same
configuration to the same group.


[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Add AP_1 to the AP group mesh-mpp and AP_2 and AP_3 to the AP group mesh-mp.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4476-e360
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fcf6-76a0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit

Step 4 Configure Mesh parameters.


# Configure radio parameters for Mesh nodes. Radio 1 of the AP8130DN is used as an
example. coverage distance indicates the radio coverage distance parameter, which is 3 (unit:
100 m) by default. This example sets the radio coverage distance parameter to 4. You can
configure the parameter according to your service needs.

[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit

# Set parameters for the APs' wired interfaces. This example assumes that the service VLAN
is VLAN 101. Wired interfaces of all Mesh nodes are therefore added to VLAN 101 in tagged
mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit

# Configure the security profile mesh-sec used by Mesh links. The Mesh network supports
only the security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name mesh-sec
[AC-wlan-sec-prof-mesh-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-mesh-sec] quit

# Configure a Mesh whitelist.
[AC-wlan-view] mesh-whitelist-profile name mesh-list
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac 60de-4474-9640
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac 60de-4476-e360
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac dcd2-fcf6-76a0
[AC-wlan-mesh-whitelist-mesh-list] quit

# Configure Mesh roles. Set the Mesh role of AP_1 to mesh-portal. AP_2 and AP_3 use the
default Mesh role mesh-node. Mesh roles are configured through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit

# Configure a Mesh profile. Set the Mesh network ID to mesh-net, aging time of Mesh links
to 30s, and bind the security profile and Mesh whitelist to the Mesh profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] link-aging-time 30
[AC-wlan-mesh-prof-mesh-net] security-profile mesh-sec
[AC-wlan-mesh-prof-mesh-net] quit

# Bind the Mesh whitelist profile to the AP radio.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile mesh-list
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] mesh-whitelist-profile mesh-list
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit

Step 5 Bind required profiles to the AP groups to make Mesh services take effect.

# Bind the AP wired port profile wired-port to AP groups mesh-mpp and mesh-mp to make
AP wired port parameters take effect on Mesh nodes. This example assumes that all APs
connect to Switch_A through GE0.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mp] quit

# Bind the AP system profile mesh-sys to the AP group mesh-mpp to make the MPP role
take effect on AP_1.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] quit

# Bind the Mesh profile mesh-net to AP groups mesh-mpp and mesh-mp to make the Mesh
services take effect.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mp] quit

Step 6 Verify the Mesh service configuration.


# After the configuration is complete, run the display ap all command to check whether Mesh
nodes go online successfully. If State displays as nor, APs have gone online successfully.
<AC> display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------------------
ID   MAC            Name Group    IP            Type     State STA Uptime  ExtraInfo
----------------------------------------------------------------------------------------------------
1    60de-4474-9640 AP_1 mesh-mpp 10.23.100.254 AP8130DN nor   0   13M:45S -
2    60de-4476-e360 AP_2 mesh-mp  10.23.100.251 AP8130DN nor   0   5M:22S  -
3    dcd2-fcf6-76a0 AP_3 mesh-mp  10.23.100.253 AP8130DN nor   0   4M:14S  -
----------------------------------------------------------------------------------------------------
Total: 3

# After Mesh services take effect, run the display wlan mesh link all command to check
Mesh link information.
<AC> display wlan mesh link all
Rf   : radio ID          Dis  : coverage distance(100m)
Ch   : channel           Per  : drop percent(%)
TSNR : total SNR(dB)     P-   : peer
Mesh : Mesh mode         Re   : retry ratio(%)
RSSI : RSSI(dBm)         MaxR : max RSSI(dBm)
----------------------------------------------------------------------------------------------------
APName P-APName P-APMAC        Rf Dis Ch  Mesh   P-Status RSSI MaxR Per Re TSNR SNR(Ch0~3:dB)
----------------------------------------------------------------------------------------------------
AP_1   AP_2     60de-4476-e360 1  4   157 portal normal   -30  -27  0   12 67   62/65/-/-
AP_1   AP_3     dcd2-fcf6-76a0 1  4   157 portal normal   -26  -24  0   12 71   67/68/-/-
AP_3   AP_2     60de-4476-e360 1  4   157 node   normal   -19  -3   0   5  77   66/76/-/-
AP_3   AP_1     60de-4474-9640 1  4   157 node   normal   -32  -4   0   26 64   55/63/-/-
AP_2   AP_1     60de-4474-9640 1  4   157 node   normal   -32  -4   0   12 64   62/61/-/-
AP_2   AP_3     dcd2-fcf6-76a0 1  4   157 node   normal   -14  -12  0   4  82   71/82/-/-
----------------------------------------------------------------------------------------------------
Total: 6

----End

Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name mesh-sec
  security wpa2 psk pass-phrase %^%#WXq~51G1^G;~|`C\G$v-`XoiIe4z$CNAM#@TeN^+%^%# aes
 mesh-whitelist-profile name mesh-list
  peer-ap mac 60de-4474-9640
  peer-ap mac 60de-4476-e360
  peer-ap mac dcd2-fcf6-76a0
 mesh-profile name mesh-net
  security-profile mesh-sec
  mesh-id mesh-net
  link-aging-time 30
 regulatory-domain-profile name domain1
 ap-system-profile name mesh-sys
  mesh-role mesh-portal
 wired-port-profile name wired-port
  vlan tagged 101
 ap-group name mesh-mp
  wired-port-profile wired-port gigabitethernet 0
  regulatory-domain-profile domain1
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile mesh-list
   channel 40mhz-plus 157
   coverage distance 4
 ap-group name mesh-mpp
  ap-system-profile mesh-sys
  wired-port-profile wired-port gigabitethernet 0
  regulatory-domain-profile domain1
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile mesh-list
   channel 40mhz-plus 157
   coverage distance 4
 ap-id 1 ap-mac 60de-4474-9640
  ap-name AP_1
  ap-group mesh-mpp
 ap-id 2 ap-mac 60de-4476-e360
  ap-name AP_2
  ap-group mesh-mp
 ap-id 3 ap-mac dcd2-fcf6-76a0
  ap-name AP_3
  ap-group mesh-mp
#
return

15.11.2 Example for Configuring Dual-MPP Mesh Services

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
An enterprise has two areas: Area A and Area B. Restricted by geographical locations, APs in
Area A can be deployed in wired mode, but wired deployment of APs is costly in Area B. The
enterprise requires that APs be deployed in Area B at low cost.
As shown in Figure 15-11, a dual-MPP Mesh network is deployed to connect AP_3 and
AP_4 in Area B to AP_1 and AP_2 through Mesh links, which improves network reliability
and load balances traffic.

Figure 15-11 Dual-MPP Mesh networking
[Figure: the Network, Switch_B, the AC, and Switch_A, with AP_1 and AP_2 (MPPs) in Area A and AP_3 and AP_4 (MPs) in Area B connected through Mesh links.]

Configuration Roadmap
1. Configure network connectivity and enable APs (MPPs) in Area A to go online on the
AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B to go online on the AC through
Mesh links.
NOTE

In this example, Switch_A (access switch) and Switch_B (aggregation switch) are Huawei products.

Table 15-12 AP data required for completing the configuration

AP      Type        MAC
AP_1    AP8130DN    60de-4474-9640
AP_2    AP8130DN    dcd2-fc04-b500
AP_3    AP8130DN    dcd2-fcf6-76a0
AP_4    AP8130DN    60de-4476-e360

Table 15-13 Data required for completing the configuration

Item                           Data
Management VLAN for APs        VLAN 100
DHCP server                    The AC functions as a DHCP server to allocate IP addresses to APs.
                               Address pool: 10.23.100.2-10.23.100.254/24
AC's source interface          VLANIF 100: 10.23.100.1/24
Mesh profile name              Name: mesh-net
Mesh role                      • AP_1: Mesh-portal (MPP)
                               • AP_2: Mesh-portal (MPP)
                               • AP_3: Mesh-node (MP)
                               • AP_4: Mesh-node (MP)
Mesh ID                        Name: mesh-net
Mesh whitelist                 Name: mesh-list
AP system profile              Name: mesh-sys
Radio used by Mesh services    Radio 1:
                               • Bandwidth: 40mhz-plus
                               • Channel: 157
                               • Radio coverage distance parameter: 4 (unit: 100 m)
Security profile               • Name: mesh-sec
                               • Security policy: WPA2+PSK+AES
                               • Password type: PASS-PHRASE
                               • Password: a1234567
AP group                       • mesh-mpp: AP_1 and AP_2
                               • mesh-mp: AP_3 and AP_4

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the AC to communicate with AP_1 and AP_2.
# Configure access switch Switch_A. Add GE0/0/1 and GE0/0/2 to VLAN 100 (management
VLAN) and set the PVID of the interfaces to VLAN 100. Configure GE0/0/1, GE0/0/2, and
GE0/0/3 to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] port-isolate enable
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] quit

# Configure aggregation switch Switch_B. Configure GE0/0/1 and GE0/0/2 to allow packets
from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] quit

# Configure GE0/0/1 that connects the AC to the aggregation switch to allow packets from
VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 2 Configure the AC as a DHCP server to allocate IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 3 Configure the AP groups, country code, and AC's source interface.
# Create AP groups for MPPs and MPs respectively and add APs that require the same
configuration to the same group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Add AP_1 and AP_2 to the AP group mesh-mpp and AP_3 and AP_4 to the AP group
mesh-mp.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP8130DN is used and has two radios: radio 0 and radio 1.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac dcd2-fcf6-76a0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 4 ap-mac 60de-4476-e360
[AC-wlan-ap-4] ap-name AP_4
[AC-wlan-ap-4] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-4] quit

Step 4 Configure Mesh parameters.

# Configure radio parameters for Mesh nodes. Radio 1 of the AP8130DN is used as an
example. coverage distance indicates the radio coverage distance parameter, which is 3 (unit:
100 m) by default. This example sets the radio coverage distance parameter to 4. You can
configure the parameter according to your service needs.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit

# Set parameters for the APs' wired interfaces. This example assumes that the service VLAN
is VLAN 101. Wired interfaces of all Mesh nodes are therefore added to VLAN 101 in tagged
mode.

[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit

# Configure the security profile mesh-sec used by Mesh links. The Mesh network supports
only the security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name mesh-sec
[AC-wlan-sec-prof-mesh-sec] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-mesh-sec] quit

# Configure a Mesh whitelist.
[AC-wlan-view] mesh-whitelist-profile name mesh-list
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac 60de-4474-9640
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac dcd2-fc04-b500
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac dcd2-fcf6-76a0
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac 60de-4476-e360
[AC-wlan-mesh-whitelist-mesh-list] quit

# Configure Mesh roles. Set Mesh roles of AP_1 and AP_2 to mesh-portal. AP_3 and AP_4
use the default Mesh role mesh-node. Mesh roles are configured through the AP system
profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit

# Configure a Mesh profile. Set the Mesh network ID to mesh-net, aging time of Mesh links
to 30s, and bind the security profile and Mesh whitelist to the Mesh profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] link-aging-time 30
[AC-wlan-mesh-prof-mesh-net] security-profile mesh-sec
[AC-wlan-mesh-prof-mesh-net] quit

# Bind the Mesh whitelist profile to the AP radio.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile mesh-list
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] mesh-whitelist-profile mesh-list
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit

Step 5 Bind required profiles to the AP groups to make Mesh services take effect.

# Bind the AP wired port profile wired-port to AP groups mesh-mpp and mesh-mp to make
AP wired port parameters take effect on Mesh nodes. This example assumes that all APs
connect to Switch_A through GE0.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mp] quit

# Bind the AP system profile mesh-sys to the AP group mesh-mpp to make the MPP role
take effect on AP_1 and AP_2.

[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] quit

# Bind the Mesh profile mesh-net to AP groups mesh-mpp and mesh-mp to make the Mesh
services take effect.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mp] quit

Step 6 Verify the Mesh service configuration.


# After the configuration is complete, run the display ap all command to check whether Mesh
nodes go online successfully. If State displays as nor, APs have gone online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [4]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name Group    IP            Type     State STA Uptime  ExtraInfo
--------------------------------------------------------------------------------------------------
1    60de-4474-9640 AP_1 mesh-mpp 10.23.100.254 AP8130DN nor   0   5M:44S  -
2    dcd2-fc04-b500 AP_2 mesh-mpp 10.23.100.253 AP8130DN nor   0   6M:15S  -
3    dcd2-fcf6-76a0 AP_3 mesh-mp  10.23.100.252 AP8130DN nor   0   1M:35S  -
4    60de-4476-e360 AP_4 mesh-mp  10.23.100.251 AP8130DN nor   0   3M:56S  -
--------------------------------------------------------------------------------------------------
Total: 4

# After dual-MPP Mesh services take effect, run the display wlan mesh link all command to
check Mesh link information.
[AC-wlan-view] display wlan mesh link all
Rf   : radio ID          Dis  : coverage distance(100m)
Ch   : channel           Per  : drop percent(%)
TSNR : total SNR(dB)     P-   : peer
Mesh : Mesh mode         Re   : retry ratio(%)
RSSI : RSSI(dBm)         MaxR : max RSSI(dBm)
----------------------------------------------------------------------------------------------------
APName P-APName P-APMAC        Rf Dis Ch  Mesh   P-Status RSSI MaxR Per Re TSNR SNR(Ch0~3:dB)
----------------------------------------------------------------------------------------------------
AP_1   AP_4     60de-4476-e360 1  4   157 portal normal   -28  -27  0   25 70   62/69/-/-
AP_1   AP_3     dcd2-fcf6-76a0 1  4   157 portal normal   -18  -2   0   0  78   73/77/-/-
AP_2   AP_4     60de-4476-e360 1  4   157 portal normal   -17  -16  0   52 80   57/49/80/-
AP_2   AP_3     dcd2-fcf6-76a0 1  4   157 portal normal   -24  -21  0   0  72   58/54/72/-
AP_4   AP_1     60de-4474-9640 1  4   157 node   normal   -29  -29  0   0  65   64/58/-/-
AP_4   AP_2     dcd2-fc04-b500 1  4   157 node   normal   -21  -19  0   10 76   76/64/-/-
AP_4   AP_3     dcd2-fcf6-76a0 1  4   157 node   normal   -7   -1   0   0  89   88/82/-/-
AP_3   AP_2     dcd2-fc04-b500 1  4   157 node   normal   -35  -32  0   35 61   51/60/-/-
AP_3   AP_1     60de-4474-9640 1  4   157 node   normal   -27  -23  0   0  70   68/66/-/-
AP_3   AP_4     60de-4476-e360 1  4   157 node   normal   -13  -11  0   23 83   80/81/-/-
----------------------------------------------------------------------------------------------------
Total: 10

# Run the display wlan mesh route all command to check Mesh routes on the Mesh network.
<AC> display wlan mesh route all
--------------------------------------------------------------------------
AP name/MAC/Mesh role/Radio Next-hop name/MAC/Mesh role/Radio
--------------------------------------------------------------------------
AP_4 /60de-4476-e360/MP /1 AP_2 /dcd2-fc04-b500/MPP/1
AP_3 /dcd2-fcf6-76a0/MP /1 AP_4 /60de-4476-e360/MP /1
--------------------------------------------------------------------------
Total: 2

# When the link between AP_2 and AC is faulty, AP_2 automatically changes to an MP and
goes online through Mesh links. Run the display wlan mesh route all command. The
command output shows that AP_2, AP_3, and AP_4 go online on AP_1.
<AC> display wlan mesh route all
--------------------------------------------------------------------------
AP name/MAC/Mesh role/Radio Next-hop name/MAC/Mesh role/Radio
--------------------------------------------------------------------------
AP_4 /60de-4476-e360/MP /1 AP_1 /60de-4474-9640/MPP/1
AP_2 /dcd2-fc04-b500/MP /1 AP_4 /60de-4476-e360/MP /1
AP_3 /dcd2-fcf6-76a0/MP /1 AP_1 /60de-4474-9640/MPP/1
--------------------------------------------------------------------------
Total: 3

----End

Configuration Files
• Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name mesh-sec
  security wpa2 psk pass-phrase %^%#WXq~51G1^G;~|`C\G$v-`XoiIe4z$CNAM#@TeN^+%^%# aes
 mesh-whitelist-profile name mesh-list
  peer-ap mac 60de-4474-9640
  peer-ap mac dcd2-fc04-b500
  peer-ap mac dcd2-fcf6-76a0
  peer-ap mac 60de-4476-e360
 mesh-profile name mesh-net
  security-profile mesh-sec
  mesh-id mesh-net
  link-aging-time 30
 regulatory-domain-profile name domain1
 ap-system-profile name mesh-sys
  mesh-role mesh-portal
 wired-port-profile name wired-port
  vlan tagged 101
 ap-group name mesh-mp
  wired-port-profile wired-port gigabitethernet 0
  regulatory-domain-profile domain1
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile mesh-list
   channel 40mhz-plus 157
   coverage distance 4
 ap-group name mesh-mpp
  ap-system-profile mesh-sys
  wired-port-profile wired-port gigabitethernet 0
  regulatory-domain-profile domain1
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile mesh-list
   channel 40mhz-plus 157
   coverage distance 4
 ap-id 1 ap-mac 60de-4474-9640
  ap-name AP_1
  ap-group mesh-mpp
 ap-id 2 ap-mac dcd2-fc04-b500
  ap-name AP_2
  ap-group mesh-mpp
 ap-id 3 ap-mac dcd2-fcf6-76a0
  ap-name AP_3
  ap-group mesh-mp
 ap-id 4 ap-mac 60de-4476-e360
  ap-name AP_4
  ap-group mesh-mp
#
return
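
In the AC configuration file above, Mesh link security rests on two bindings: the security profile referenced by the Mesh profile, and the Mesh whitelist bound to each Mesh radio. The Python audit below is an added example, not part of the Huawei guide: it reads the wlan section of a saved configuration and reports Mesh radios with no whitelist, Mesh profiles with no security profile, Mesh APs missing from the whitelist, and whitelist MACs that match no ap-id entry. The function names, the sample text, and the MAC 0000-5e00-5301 are assumptions made for the example.

```python
# Constructed sample modelled on the dual-MPP AC configuration file on this page.
# Deliberate differences: AP_4 (60de-4476-e360) is missing from the whitelist, and
# 0000-5e00-5301 (a documentation MAC, not from the page) matches no ap-id entry.
SAMPLE_CONFIG = """\
wlan
 security-profile name mesh-sec
 mesh-whitelist-profile name mesh-list
  peer-ap mac 60de-4474-9640
  peer-ap mac dcd2-fc04-b500
  peer-ap mac dcd2-fcf6-76a0
  peer-ap mac 0000-5e00-5301
 mesh-profile name mesh-net
  security-profile mesh-sec
 ap-group name mesh-mp
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile mesh-list
 ap-group name mesh-mpp
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile mesh-list
 ap-id 1 ap-mac 60de-4474-9640
  ap-name AP_1
  ap-group mesh-mpp
 ap-id 2 ap-mac dcd2-fc04-b500
  ap-name AP_2
  ap-group mesh-mpp
 ap-id 3 ap-mac dcd2-fcf6-76a0
  ap-name AP_3
  ap-group mesh-mp
 ap-id 4 ap-mac 60de-4476-e360
  ap-name AP_4
  ap-group mesh-mp
#
return
"""

SECTIONS = {"mesh-whitelist-profile": "whitelists", "mesh-profile": "mesh_profiles",
            "ap-group": "groups"}
RADIO_KEYS = {"mesh-profile": "mesh_profile", "mesh-whitelist-profile": "whitelist"}


def parse_wlan(text):
    """Collect whitelists, Mesh profiles, AP groups and APs by keyword, not indentation."""
    cfg = {"whitelists": {}, "mesh_profiles": {}, "groups": {}, "aps": {}}
    in_wlan, ctx, obj, radio = False, None, None, None
    for line in text.splitlines():
        w = line.split()
        if w == ["wlan"] or w[:1] == ["#"]:              # "#" closes a top-level section
            in_wlan, ctx, obj, radio = (w[0] == "wlan"), None, None, None
        elif not in_wlan or not w:
            continue
        elif len(w) == 3 and w[1] == "name":             # "<kind> name <x>" opens a profile
            ctx, radio, obj = w[0], None, None
            if ctx in SECTIONS:
                empty = set() if ctx == "mesh-whitelist-profile" else {}
                obj = cfg[SECTIONS[ctx]].setdefault(w[2], empty)
        elif len(w) == 4 and w[0] == "ap-id" and w[2] == "ap-mac":
            ctx, radio = "ap", None
            obj = cfg["aps"].setdefault(w[1], {"mac": w[3].lower(), "name": None, "group": None})
        elif ctx == "mesh-whitelist-profile" and len(w) == 3 and w[:2] == ["peer-ap", "mac"]:
            obj.add(w[2].lower())
        elif ctx == "mesh-profile" and len(w) == 2 and w[0] == "security-profile":
            obj["security"] = w[1]
        elif ctx == "ap-group" and len(w) == 2 and w[0] == "radio":
            radio = obj.setdefault(w[1], {"mesh_profile": None, "whitelist": None})
        elif ctx == "ap-group" and radio is not None and len(w) == 2 and w[0] in RADIO_KEYS:
            radio[RADIO_KEYS[w[0]]] = w[1]
        elif ctx == "ap" and len(w) == 2 and w[0] in ("ap-name", "ap-group"):
            obj["name" if w[0] == "ap-name" else "group"] = w[1]
    return cfg


def audit(cfg):
    """Return findings on whitelist coverage and Mesh security-profile bindings."""
    findings, mesh_groups, bound_lists, used_profiles = [], set(), set(), set()
    mesh_radios = [(g, rid, r) for g, radios in cfg["groups"].items()
                   for rid, r in radios.items() if r["mesh_profile"]]
    for gname, rid, r in mesh_radios:
        mesh_groups.add(gname)
        used_profiles.add(r["mesh_profile"])
        if r["whitelist"] in cfg["whitelists"]:
            bound_lists.add(r["whitelist"])
        else:
            findings.append(f"ap-group {gname} radio {rid}: no defined mesh-whitelist-profile bound")
    for pname in sorted(used_profiles):
        if not cfg["mesh_profiles"].get(pname, {}).get("security"):
            findings.append(f"mesh-profile {pname}: no security-profile bound")
    allowed = set().union(*(cfg["whitelists"][n] for n in bound_lists))
    managed = {ap["mac"] for ap in cfg["aps"].values()}
    for ap in cfg["aps"].values():
        if ap["group"] in mesh_groups and ap["mac"] not in allowed:
            findings.append(f"{ap['name']} ({ap['mac']}): Mesh AP missing from every bound whitelist")
    for lname in sorted(bound_lists):
        for mac in sorted(cfg["whitelists"][lname] - managed):
            findings.append(f"mesh-whitelist-profile {lname}: peer-ap {mac} matches no ap-id entry")
    return findings
```

Calling audit(parse_wlan(SAMPLE_CONFIG)) returns two findings, one for AP_4 and one for the unmatched whitelist entry. Because the parser matches keywords rather than indentation, a copy of the file that has lost its leading spaces gives the same result.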

15.12 References for Mesh


The following table lists the references for Mesh.

Table 15-14 References for Mesh

Document        Description
IEEE 802.11s    WLAN Mesh Standard

16 Vehicle-Ground Fast Link Handover Configuration

16.1 Overview of Vehicle-Ground Fast Link Handover

Definition
Huawei's vehicle-ground fast link solution uses WLAN Mesh technology to implement the
seamless handover of Mesh links, ensuring high-quality data communications between a
moving train and the ground network.

Purpose
The vehicle-ground communication subsystem is an integral part of the Passenger Information
System (PIS). It provides data channels for transmitting information services between fast
moving trains and the ground network. Vehicle-ground communications mainly rely on
wireless communication technologies, and WLAN technology is the most widely used due to
its easy deployment and cost effectiveness.

A WLAN-based vehicle-ground communication subsystem creates more economic benefits
for rail transit enterprises. Due to limited coverage of APs, a fast-moving train needs to
continuously switch from one AP to another, causing terminals to roam. WLAN roaming
usually takes 100 ms or longer, and data loss or delay that occurs in this period may result in
video freeze or garbled image. This would fail to meet the requirements of the vehicle-ground
communication subsystem.

Vehicle-ground fast link handover enables seamless Mesh link switching and provides
reliable, stable data links for high-speed terminals, allowing passengers to enjoy smooth
vehicle-mounted information services.

Benefits
Vehicle-ground fast link handover offers the following advantages:
• Low communication costs: Unlike other wireless communication technologies such as
  3G and LTE, WLAN Mesh technology applied in vehicle-ground fast link handover
  works on the Industrial, Scientific, Medical (ISM) spectrum. This can be used without
  the need to apply for a license. In addition, vehicle-ground fast link handover incurs no
  additional communication costs and can better integrate into the existing rail transit
  network, which facilitates rail transit service expansion.
• High reliability: Vehicle-ground fast link handover inherits link redundancy features
  from WLAN Mesh technology. In the forward direction of a train, a vehicle-mounted AP
  sets up Mesh links with multiple trackside APs. When the quality of the active link
  deteriorates, the vehicle-mounted AP chooses a better link as the active link to ensure
  quality of vehicle-ground communications.
• High-quality data transmission: Seamless Mesh link switching ensures smooth
  multimedia services. With larger bandwidth, WLAN technology provides faster data
  services than other wireless technologies.

16.2 Understanding Vehicle-Ground Fast Link Handover

16.2.1 Network Models of Vehicle-Ground Fast Link Handover


The vehicle-ground fast link handover network is a single-hop Layer 2 Mesh network
composed of the AC, trackside APs, and vehicle-mounted APs.
• The AC is deployed on the ground network to manage and control trackside APs.
• Trackside APs are Fit APs deployed along the track. They function as MPPs and
  communicate with the AC in wired mode at Layer 2.
• Vehicle-mounted APs are Fat APs deployed in the front and rear of a train. They
  function as MPs to set up Mesh links with trackside APs.

Depending on the use of vehicle-mounted APs, vehicle-ground fast link handover has three
network models:
• When a train is running, only the vehicle-mounted AP in the front works. After the train
  arrives at the destination, it switches the forward direction. The working
  vehicle-mounted AP changes accordingly.
• When a train is running, only the vehicle-mounted AP in the rear works. After the train
  arrives at the destination, it switches the forward direction. The working
  vehicle-mounted AP changes accordingly.
• When a train is running, both the vehicle-mounted APs in the front and rear work to load
  balance traffic. They work on different channels to communicate with trackside APs.

NOTE
The network model does not affect the implementation of vehicle-ground fast link handover. This section
describes implementation based on the first network model.

As shown in Figure 16-1, a vehicle-mounted AP sets up Mesh links with multiple
neighboring trackside APs in the forward direction of the train and chooses the best link as the
active link to transmit data. The rest of the links act as candidate links. As the train moves
forward, the quality of the active link deteriorates and the vehicle-mounted AP may detect a
better link. To ensure high-quality communication between the train and ground network, the
vehicle-mounted AP rapidly switches to the optimal candidate link.

Figure 16-1 Networking diagram of vehicle-ground fast link handovers
[Figure not reproduced. Labels: AC; Switch; five trackside APs; vehicle-mounted AP in the rear;
vehicle-mounted AP in the front; forward direction. Legend: active Mesh link, candidate Mesh link.]

16.2.2 Signal Coverage Models of Vehicle-Ground Fast Link Handover

A train has a fixed forward direction. Therefore, vehicle-ground APs all use directional
antennas to enhance signal strength and mitigate interference. In Figure 16-2, the antenna on
the working vehicle-mounted AP faces the forward direction of the train. Antennas on
trackside APs face the opposite direction, with a certain angle deviation. In this way, the
vehicle-mounted AP always moves within the optimal coverage area of the trackside APs.
NOTE

• If only the vehicle-mounted AP in the rear of the train works, the antennas of trackside APs should tilt in
  the forward direction of the train to achieve optimal signal coverage.
• If both the vehicle-mounted APs in the front and rear of the train work, use dual-band APs (such as
  dual-5G AP8130DNs) as trackside APs. To achieve optimal signal coverage, install two directional
  antennas on each trackside AP, with one antenna tilting in the forward direction of the train and the other
  in the opposite direction.

Wind resistance in rail tunnels may affect coverage of AP antennas. When a train passes
through a tunnel at high speed, a turbulent airflow is induced. Strong turbulent airflows may
cause angle offset of antennas. Wind-resistant Yagi antennas with small cross-sectional areas
can solve this problem. Huawei's vehicle-ground communication network uses external Yagi
antennas on trackside APs and external Yagi or panel antennas on vehicle-mounted APs.

Figure 16-2 Signal coverage in vehicle-ground communications
[Figure not reproduced. Labels: AC; Switch; trackside AP; vehicle-mounted AP in the rear;
vehicle-mounted AP in the front; forward direction; signal coverage of active MPP; signal coverage
of candidate MPP; overlapping coverage area.]

16.2.3 Implementation of Vehicle-Ground Fast Link Handover

Implementation of vehicle-ground fast link handover includes Mesh link setup and teardown,
fast link handover, and multicast data guarantee.

Mesh Link Setup and Teardown


To enable vehicle-ground communications, a vehicle-mounted AP sets up Mesh links with
neighboring trackside APs. If the Received Signal Strength Indicator (RSSI) of a trackside AP
is greater than or equal to N (N = Minimum RSSI threshold of a Mesh link - 5 dB) and the
number of Mesh links has not reached the maximum, the vehicle-mounted AP sets up a Mesh
link with the trackside AP according to the common Mesh link setup process. For details, see
Principle Description-Mesh Implementation in "Mesh Configuration."
The vehicle-mounted AP sets up Mesh links with multiple trackside APs and chooses one
qualified Mesh link as the active link to transmit data. Other links act as candidate links. As
the train moves forward, the vehicle-mounted AP chooses the candidate link of the best
quality as the active link to implement fast handover so that quality of vehicle-ground
communications is always at the optimal level.
If the RSSI of a Mesh link is smaller than N (N = Minimum RSSI threshold of a Mesh link - 5
dB) and the Mesh link is not the active link, the vehicle-mounted AP tears down the link so
that it can set up a better Mesh link with another trackside AP.

Vehicle-Ground Fast Link Handover


A vehicle-mounted AP chooses the active Mesh link using the basic or location-based
vehicle-ground fast link handover algorithm. The two algorithms determine whether to
perform a common handover or an emergency handover based on link conditions.

Basic handover algorithm

The basic handover algorithm does not consider trackside AP locations when deciding to
perform a common or an emergency handover.
• Common handover: As a train moves forward, a common link handover is triggered if
  the RSSI of a candidate link meets the following conditions:
  – The RSSI difference between the candidate link and current active link is greater
    than or equal to the RSSI threshold for a Mesh link handover.
  – The candidate link belongs to the candidate area.
    NOTE
    The RSSI range of a candidate area is from the minimum RSSI threshold to the maximum RSSI
    threshold of the Mesh link. Candidate links with RSSI values in this range belong to the candidate
    area.
  – The serving time of the current active link is longer than or equal to the link holding
    time.
    NOTE
    A holding time is specified for the active link to prevent frequent handovers. The serving time of
    the active link must be longer than or equal to the specified holding time; otherwise, the
    vehicle-mounted AP can only implement an emergency handover, not a common handover.
  If multiple candidate links meet common handover conditions, the candidate link with
  the highest RSSI is chosen as the active link.
  In Figure 16-3, the RSSI of AP_4 (in the candidate area) is -20 dBm. The RSSI
  difference between AP_4 (-20 dBm) and the active link (-80 dBm) is 60 dB, equal to the
  RSSI threshold for a Mesh link handover. In addition, the serving time of the current
  active link (20s) is longer than the link holding time (1s). All conditions for a common
  handover are met; therefore, the vehicle-mounted AP switches the active link to AP_4.

Figure 16-3 Common handover
[Figure not reproduced. Labels: AC; Switch; trackside AP_1 to AP_5 (RSSI labels shown: -90dBm,
-80dBm, -20dBm); vehicle-mounted AP; forward direction. Parameters: min RSSI threshold of the
active Mesh link: -80 dBm; max RSSI threshold of the active Mesh link: -17 dBm; RSSI threshold for
Mesh link handover: 60 dB; link holding time: 1s; serving time of the current active link: 20s.
Result: -20dBm-(-80dBm)>=60dB and 20s>1s, common handover: the active link is switched to AP_4.
Legend: active Mesh link, candidate Mesh link.]

• An emergency handover occurs in the following situations.
  – The RSSIs of candidate links have not satisfied the common handover conditions
    but the RSSI of the current active link is out of the RSSI range of the candidate area
    (falls below the minimum RSSI threshold of a Mesh link or exceeds the maximum
    RSSI threshold of a Mesh link).
  – The RSSI of the current active link is still within the allowed range, but the link rate
    has fallen below the minimum rate threshold or stayed in this low-speed state longer
    than the minimum rate holding time.
  When performing an emergency handover, the vehicle-mounted AP chooses the
  candidate link with the highest RSSI as the active link from the candidate area. If no
  candidate link meets the requirement and the current active link is still connected, the AP
  retains the current active link and does not perform an emergency handover.
  NOTE
  If the current active link is disconnected due to a trackside AP fault or when the train leaves the
  originating station, no active link is available. The vehicle-mounted AP then performs an emergency
  handover. The vehicle-mounted AP selects the candidate link of the best quality as the active link from
  the candidate area. If no candidate link in the candidate area meets the requirement, the
  vehicle-mounted AP selects the candidate link with the highest RSSI in another area as the active link.
  In Figure 16-4, the RSSI of trackside AP_3 decreases to -83 dBm, which is smaller than
  the minimum RSSI threshold (-80 dBm) of a Mesh link. An emergency handover is
  triggered, and the vehicle-mounted AP switches the active link to AP_4 with the highest
  RSSI in the candidate area.

Figure 16-4 Emergency handover
[Figure not reproduced. Labels: AC; Switch; trackside AP_1 to AP_5 (RSSI labels shown: -90dBm,
-80dBm, -20dBm, -30dBm); vehicle-mounted AP; forward direction. Parameters: min RSSI threshold of
active Mesh link: -80 dBm; max RSSI threshold of active Mesh link: -17 dBm; RSSI of the current
active link: -83 dBm. Result: -83dBm < -80dBm, emergency handover: the active link is switched to
AP_4. Legend: active Mesh link, candidate Mesh link.]

If the RSSIs of AP_4 and AP_5 are -12 dBm and -15 dBm respectively, out of the range
from -80 dBm to -17 dBm, no candidate link qualifies as an active Mesh link. In this
case, the vehicle-mounted AP retains its connection with AP_3. If AP_3 becomes faulty,
the current active link is disconnected. The vehicle-mounted AP then switches the active
link to AP_4 (-12 dBm).


NOTE

An emergency handover may occur when the radio environment is unstable or a trackside AP fails. To
prevent back and forth handovers between trackside APs (ping-pong handovers), you can configure
penalty parameters for an emergency handover. The penalty parameters include the penalty period and
penalty level. When an emergency handover occurs, the vehicle-mounted AP disconnects the active link
from a trackside AP. If the RSSI of the trackside AP falls within the RSSI range of the candidate area
before the penalty period expires, the vehicle-mounted AP deducts the penalty level from the RSSI of
the trackside AP before comparing it with the RSSIs of other links.
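
The basic handover rules above, as an added Python sketch (not Huawei code or the AP's
implementation). It replays the Figure 16-3 and Figure 16-4 cases. The names HandoverConfig,
decide and links_to_tear_down, the boolean rate_low input, and applying the penalty level to
both ranking and the handover-threshold comparison are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class HandoverConfig:
    min_rssi: int = -80       # minimum RSSI threshold of a Mesh link (dBm)
    max_rssi: int = -17       # maximum RSSI threshold of a Mesh link (dBm)
    handover_delta: int = 60  # RSSI threshold for a Mesh link handover (dB)
    hold_time: float = 1.0    # link holding time (s)
    penalty_level: int = 0    # dB deducted from an AP still in its penalty period

    def in_candidate_area(self, rssi: int) -> bool:
        return self.min_rssi <= rssi <= self.max_rssi

    @property
    def setup_floor(self) -> int:
        # N = minimum RSSI threshold of a Mesh link - 5 dB
        return self.min_rssi - 5


def links_to_tear_down(cfg: HandoverConfig, links: Dict[str, int],
                       active: Optional[str]) -> List[str]:
    """Non-active Mesh links whose RSSI is below N are torn down."""
    return sorted(ap for ap, rssi in links.items()
                  if ap != active and rssi < cfg.setup_floor)


def decide(cfg: HandoverConfig, links: Dict[str, int], active: Optional[str],
           serving_time: float, penalised: FrozenSet[str] = frozenset(),
           rate_low: bool = False) -> Tuple[str, Optional[str]]:
    """Return (action, AP) where action is common, emergency, retain or none.

    links maps each trackside AP with an established Mesh link to its RSSI.
    penalised holds APs whose penalty period has not expired (tracked by the
    caller); rate_low is the caller's verdict on the minimum-rate condition.
    """
    def effective(ap: str) -> int:
        return links[ap] - (cfg.penalty_level if ap in penalised else 0)

    candidates = [ap for ap in links if ap != active]
    in_area = [ap for ap in candidates if cfg.in_candidate_area(links[ap])]

    # No active link (trackside AP fault, or train leaving the originating
    # station): prefer the candidate area, else the best link anywhere.
    if active is None or active not in links:
        pool = in_area or candidates
        return ("emergency", max(pool, key=effective)) if pool else ("none", None)

    active_rssi = links[active]

    # Common handover: holding time served, candidate inside the candidate
    # area, and RSSI gain at least the handover threshold.
    if serving_time >= cfg.hold_time:
        eligible = [ap for ap in in_area
                    if effective(ap) - active_rssi >= cfg.handover_delta]
        if eligible:
            return ("common", max(eligible, key=effective))

    # Emergency handover: active link outside the candidate area, or its
    # rate too low. Without a qualifying candidate the active link is kept.
    if (not cfg.in_candidate_area(active_rssi) or rate_low) and in_area:
        return ("emergency", max(in_area, key=effective))
    return ("retain", active)


if __name__ == "__main__":
    cfg = HandoverConfig()
    # Figure 16-3 (the active AP's name is assumed; the page gives only -80 dBm).
    print(decide(cfg, {"AP_3": -80, "AP_4": -20}, "AP_3", serving_time=20))
    # Figure 16-4; serving_time below the holding time is a constructed value.
    print(decide(cfg, {"AP_3": -83, "AP_4": -20, "AP_5": -30}, "AP_3", 0.5))
    # AP_4 and AP_5 above the maximum threshold: keep AP_3 while it is connected.
    print(decide(cfg, {"AP_3": -83, "AP_4": -12, "AP_5": -15}, "AP_3", 20))
    # AP_3 has failed: fall back to the highest RSSI outside the candidate area.
    print(decide(cfg, {"AP_4": -12, "AP_5": -15}, None, 0))
```

The penalty case can be tried by passing penalised=frozenset({"AP_3"}) with a non-zero
penalty_level: a trackside AP that was just abandoned then loses the comparison to a slightly
weaker neighbour, which is what suppresses ping-pong handovers.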

Location-based enhanced handover algorithm


The location-based enhanced handover algorithm incorporates location information of
trackside APs into the basic handover algorithm to determine whether to perform a common
or emergency handover.
In vehicle-ground communication scenarios, signals of a trackside AP distant from a train
may be temporarily better than those of a trackside AP near the train due to radio environment
changes. If an active link handover occurs at this time, the active link may be incorrectly
switched to the distant trackside AP. To prevent incorrect handovers and improve
vehicle-ground communication quality, you can use the location-based enhanced link handover
algorithm. This algorithm requires that trackside APs be named in ascending or descending
order of sequence numbers.
Trackside APs should be named in head-name_sequence-number format. head-name
describes track line information and can be different for trackside APs on the same track. It is
recommended that you set the same head-name for APs on a track to differentiate tracks.
sequence-number of APs along a track must be in descending or ascending order. The
sequence numbers of trackside APs can be set with unequal steps. head-name and
sequence-number are separated using an underscore (_), for example, L1_001, L1_002, L1_005, L1_010.
The location-based enhanced link handover algorithm gives priority to trackside APs that are
near the train and meet handover requirements. In Figure 16-5, the vehicle-mounted AP
detects that the RSSIs of L1_003, L1_010, and L1_015 are -20 dBm, -40 dBm, and -30 dBm
respectively. All trackside APs meet RSSI requirements for a common handover. According
to the basic link handover algorithm, the vehicle-mounted AP will switch the active link to
L1_003 with the highest RSSI. If the location-based enhanced link handover algorithm is
used, the vehicle-mounted AP will switch the active link to the nearest trackside AP L1_010.

Figure 16-5 Link handover based on trackside AP locations
[Figure not reproduced. Labels: AC; Switch; trackside APs L1_001, L1_003, L1_005, L1_010, L1_015
(RSSI labels shown: -90dBm, -80dBm, -20dBm, -30dBm); vehicle-mounted AP; forward direction.
Parameters: min RSSI threshold of active Mesh link: -80 dBm; max RSSI threshold of active Mesh
link: -17 dBm; RSSI threshold for a Mesh link handover: 40 dB; link holding time: 1s; serving time
of the current active link: 20s. Result: link handover algorithm based on trackside AP locations:
the active link is switched to L1_010. Legend: active Mesh link, candidate Mesh link.]

Multicast Data Guarantee


Vehicle-mounted multimedia devices on moving trains deliver multimedia information
services to passengers in multicast mode. Reliable multicast data transmission ensures smooth
delivery of multimedia information services. All vehicle-mounted multimedia devices are
added to a multicast group. As the train moves ahead, the active link changes frequently. Only
the trackside AP and vehicle-mounted AP are aware of the link change. Other ground devices
such as switches connected to trackside APs cannot detect the change and fail to forward
multicast data. To resolve the problem, IGMP snooping is enabled on the vehicle-mounted AP
and ground devices to generate Layer 2 multicast forwarding entries. After switching the
active link to a new trackside AP, the vehicle-mounted AP sends a Report message to the
trackside AP. The trackside AP forwards the message to the ground device, which then
updates the multicast forwarding table accordingly. To prevent loss of multicast packets
during a link handover, the vehicle-mounted AP still receives multicast data from the old
trackside AP before the multicast flow is switched to the new trackside AP. After receiving
multicast data from the new trackside AP, the vehicle-mounted AP sends a Leave message to
the old trackside AP. The old trackside AP forwards the Leave message to the ground device,
which then stops sending multicast data to the old trackside AP. This mechanism ensures
seamless switching of multicast data.
In Figure 16-6, vehicle-mounted multimedia devices on the train join the same multicast
group. IGMP snooping is enabled on the ground switch and vehicle-mounted AP. Before a
link handover occurs, AP_1 receives data from GE0/0/1 of the switch and forwards the data to
the vehicle-mounted AP. Before switching the active link to AP_2, the vehicle-mounted AP
sends a Report message to AP_2, which then forwards the message to the switch. After
receiving the message, the switch updates the multicast forwarding table and sends multicast
data to AP_2 from GE0/0/2. When receiving multicast data from AP_2, the vehicle-mounted
AP sends a Leave message to AP_1, which then forwards the message to the switch. The
switch stops sending multicast data to AP_1. Multicast data is therefore seamlessly switched
from AP_1 to AP_2.

Figure 16-6 Multicast data switching
[Figure not reproduced. Labels: AC; Switch with ports GE0/0/1 (to trackside AP_1) and GE0/0/2
(to trackside AP_2); vehicle-mounted AP; forward direction; active link before a handover; active
link after a handover. Numbered flows:
1: Multicast data before a handover
2: Send a Report message.
3: Forward multicast data to the new trackside AP after the handover.
4: Send a Leave message.]
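
The Report-then-Leave sequence of Figure 16-6, as an added Python simulation (not Huawei code).
It compares the switch's Layer 2 multicast forwarding entry with and without IGMP signalling from
the vehicle-mounted AP. The one-packet-per-tick model, the relay delay of one tick and the name
run_handover are assumptions of this sketch.

```python
OLD_PORT, NEW_PORT = "GE0/0/1", "GE0/0/2"  # switch ports toward AP_1 and AP_2


def run_handover(send_igmp, ticks=8, handover_at=3, relay_delay=1):
    """Return the packets lost by the vehicle-mounted AP and the final entry."""
    members = {OLD_PORT}    # the switch's Layer 2 multicast forwarding entry
    listening = {OLD_PORT}  # trackside links the vehicle-mounted AP takes data from
    in_flight = []          # (arrival_tick, message, port) relayed by trackside APs
    lost, leave_sent = [], False

    for tick in range(ticks):
        # 1. IGMP messages relayed by the trackside APs reach the switch.
        for arrival, message, port in in_flight:
            if arrival == tick:
                if message == "report":
                    members.add(port)
                else:
                    members.discard(port)

        # 2. The active link moves from AP_1 to AP_2.
        if tick == handover_at:
            if send_igmp:
                # Report goes out through AP_2; AP_1 is kept for data meanwhile.
                listening.add(NEW_PORT)
                in_flight.append((tick + relay_delay, "report", NEW_PORT))
            else:
                # Only the two APs know about the change; the switch does not.
                listening = {NEW_PORT}

        # 3. The switch forwards one multicast packet to its member ports.
        delivered_via = members & listening
        if not delivered_via:
            lost.append(tick)

        # 4. First packet seen through AP_2: send the Leave through AP_1.
        if send_igmp and not leave_sent and NEW_PORT in delivered_via:
            listening.discard(OLD_PORT)
            in_flight.append((tick + relay_delay, "leave", OLD_PORT))
            leave_sent = True

    return {"lost": lost, "members": members}


if __name__ == "__main__":
    print("Report then Leave:", run_handover(send_igmp=True))
    print("No IGMP signalling:", run_handover(send_igmp=False))
```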


16.3 Application Scenarios for Vehicle-Ground Fast Link Handover

PIS used in urban rail transit delivers media news, sports events, advertisements, notices,
and train departure and arrival times to passengers. Nowadays, PIS is deployed by
more and more rail transit enterprises. As an integral part of the PIS, the vehicle-ground
communication subsystem enables moving trains to communicate with the ground network.
With Mesh-based vehicle-ground fast link handover technology, the vehicle-ground
communication subsystem offers high-quality data channels for vehicle-ground
communications. Capitalizing on convenient and cost-effective WLANs, the vehicle-ground
communication subsystem brings significant economic benefits to rail transit enterprises. As
shown in Figure 16-7, a rail transit enterprise deploys trackside APs along the track and
vehicle-mounted APs on the train. As the train moves forward, the working vehicle-mounted
AP keeps switching connections with trackside APs through vehicle-ground fast link
handovers to ensure reliable data communications.

Figure 16-7 Networking diagram of vehicle-ground fast link handovers
[Figure not reproduced. Labels: management center; ground network; AC; two switches; trackside
APs; vehicle-mounted AP (in the rear); vehicle-mounted AP (in the front); forward direction.
Legend: active Mesh link, candidate Mesh link.]

16.4 Licensing Requirements and Limitations for Vehicle-Ground Fast Link Handover

Involved Network Elements
AP
• APs mentioned in this document are Huawei AP products. You are advised to use
  Huawei APs to connect to the AC.
• You can run the display ap-type all command to check the default AP types supported
  by the device.

| Product Software Version | AP Software Version |
|---|---|
| V200R012C00 | V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10 |
| V200R011C10 | V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10 |
| V200R011C00 | V200R007C20, V200R007C10, V200R006C20, V200R006C10 |
| V200R010C00 | V200R007C10, V200R006C20, V200R006C10 |
| V200R009C00 | V200R006C20, V200R006C10 |
| V200R008C00 | V200R005C30, V200R005C20, V200R005C10 |
| V200R007 | V200R005C10, V200R005C20 |

Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
• AP resource license-16AP for WLAN access controller
• AP resource license-64AP for WLAN access controller
• AP resource license-128AP for WLAN access controller
• AP resource license-512AP for WLAN access controller

For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.

Version Requirements

Table 16-1 Products and minimum version supporting the WLAN service

| Series | Product Model | Minimum Version Required |
|---|---|---|
| S1700 series switches | - | Not supported |
| S2700 series switches | - | Not supported |
| S3700 series switches | - | Not supported |
| S5700 series switches | S5720HI, S5730HI | S5720HI: V200R007; S5730HI: V200R012 |
| S6700 series switches | S6720HI | V200R012 |

Feature Limitations
• The vehicle-ground fast link handover network is a single-hop Layer 2 Mesh network
  composed of the AC, trackside APs, and vehicle-mounted APs.
  – The AC is deployed on the ground network to manage and control trackside APs.
  – Trackside APs are Fit APs deployed along the track. They function as MPPs and
    communicate with the AC in wired mode at Layer 2.
  – Vehicle-mounted APs are Fat APs deployed in the front and rear of a train. They
    function as MPs to set up Mesh links with trackside APs.
• Each vehicle-mounted AP can only use one radio for vehicle-ground communications at
  one time.
• On a vehicle-ground fast link handover network, the AP9131DN (Fit AP) or AP9132DN
  (Fit AP) is usually used as the trackside AP and the AP9131DN (Fat AP) or AP9132DN
  (Fat AP) as the vehicle-mounted AP. If other AP models are used as the vehicle-mounted
  and trackside APs, they must comply with the same 802.11 standards, for example, both
  802.11ac APs or 802.11n APs.

16.5 Default Settings for Vehicle-Ground Fast Link Handover

Table 16-2 describes the default settings for vehicle-ground fast link handover.

Table 16-2 Default settings for vehicle-ground fast link handover

| Parameter | Default Setting |
|---|---|
| Vehicle-ground fast link handover | Disabled |
| Location-based enhanced link handover algorithm | Disabled |

16.6 Summary of Vehicle-Ground Fast Link Handover Configuration Tasks

A rail transportation system involves the following scenarios:
• Scenario 1: Each train travels on a fixed line.
• Scenario 2: A train may switch between traveling lines.

Both of the scenarios above require the configuration for vehicle-mounted and trackside APs.
The differences between the configurations are listed in Table 16-3.

Vehicle-mounted APs support the configuration for scenario 2 from V200R009.

Table 16-3 Vehicle-ground fast link handover configuration tasks

Configure vehicle-mounted APs.

| Task | Description | Configuration Difference Between Scenarios 1 and 2 |
|---|---|---|
| 16.8.1 Configuring Mesh Radio Parameters | Configure the same channel and bandwidth for both the vehicle-mounted and trackside APs. | In scenario 1, configure only one working channel for radios on a vehicle-mounted AP. In scenario 2, configure different working channels for radios on a vehicle-mounted AP, which map working channels of trackside APs on different lines. |
| 16.8.2 Configuring a Security Profile | Configure a security profile and a security policy to improve Mesh security. | In scenario 1, configure only one security profile for a vehicle-mounted AP. In scenario 2, configure multiple security profiles for a vehicle-mounted AP to map the Mesh networks where trackside APs on different lines reside. |
| 16.8.3 (Optional) Configuring a Mesh Whitelist | Add trackside APs to a Mesh whitelist so that the vehicle-mounted AP can set up Mesh links only with the trackside APs in the whitelist. If the Mesh whitelist is not configured, vehicle-mounted APs can set up Mesh links with all trackside APs. | The Mesh whitelist is not recommended in scenarios 1 and 2. If a Mesh whitelist is configured: in scenario 1, add all trackside APs on the line to the whitelist; in scenario 2, add all trackside APs on different lines to different whitelists. |
| 16.8.4 Configuring Train-Ground Communication (For Vehicle-Mounted APs in V200R007 or Later) | Configure the vehicle-ground communication mode based on site requirements. | No difference |
| 16.8.5 Configuring a Mesh Profile | Configure Mesh profile parameters to generate a Mesh VAP for setting up links with trackside APs. | In scenario 1, configure only one Mesh profile for a vehicle-mounted AP, set the Mesh ID, and bind the Mesh profile to the security profile. In scenario 2, configure multiple Mesh profiles for a vehicle-mounted AP, set different Mesh IDs, and bind the Mesh profiles to the security profiles. |
| 16.8.6 Configuring Proxied Ground Devices | Configure proxied ground devices. When a train turns around, data streams sent to the ground network are routed to the vehicle-mounted AP at the front, ensuring normal data transmission. | No difference |
| 16.8.7 Configuring Proxied Vehicle-Mounted Devices | Configure proxied vehicle-mounted devices. When a vehicle-mounted AP connects to a new trackside AP, devices on the ground network can forward data to the vehicle-mounted AP through the new trackside AP. | No difference |
| 16.8.8 Enabling IGMP Snooping on a Vehicle-Mounted AP | Configure uninterrupted multicast services. | No difference |

Configure trackside APs.

| Task | Description | Configuration Difference Between Scenarios 1 and 2 |
|---|---|---|
| 16.7.1 Adding APs | Add trackside APs to the AC for management. | No difference |
| 16.7.2 Configuring Mesh Radio Parameters | Configure radio parameters for trackside APs. | No difference |
| 16.7.3 Configuring Parameters for an AP's Wired Interface | Configure the wired port of trackside APs to work in root mode, and add the ports to VLANs. | No difference |
| 16.7.4 Configuring a Security Profile | Configure a security profile and a security policy to improve Mesh security. | No difference |
| 16.7.5 Configuring a Mesh Whitelist | Add vehicle-mounted APs to a Mesh whitelist so that the APs can communicate with trackside APs. | In scenario 1, add vehicle-mounted APs only on a train traveling on the current line to the Mesh whitelist for the current line. In scenario 2, add vehicle-mounted APs on trains traveling on multiple lines to the Mesh whitelist for the current line. |
| 16.7.6 Configuring a Mesh Handover Profile | Bind a Mesh profile to a Mesh handover profile to provide the fast link handover function. | No difference |
| 16.7.7 Configuring a Mesh Role and Mesh Profile | Configure trackside APs as MPPs and a vehicle-mounted AP as MPs, and set Mesh profile parameters. | No difference |
| 16.7.8 Guaranteeing Multicast Data Transmission | Configure uninterrupted multicast services. | No difference |

16.7 Configuring Trackside APs


Pre-configuration Tasks
Before configuring trackside APs, complete the following tasks:
• Create an AP group
• Configure network interconnections
• 5.9.3 Configuring Country Codes
• 5.9.4 Configuring a Source Interface or Source Address

Configuration Procedure
Perform the following steps in the listed order.

16.7.1 Adding APs

Context
You can add APs in any of the following modes:

• Importing APs offline: The APs' MAC addresses and serial numbers (SNs) are
  configured on an AC before APs go online. The AC starts to set up connections with the
  APs if the MAC addresses or SNs of the APs match the configured ones.
• Configuring the AC to automatically discover an AP: The AP authentication mode is set
  to no authentication; alternatively, the AP authentication mode is set to MAC or SN
  authentication and the AP whitelist is configured on the AC. When an AP in the whitelist
  connects to the AC, the AC discovers the AP, and the AP goes online.
• Manually confirming APs added to the list of unauthorized APs: The AP authentication
  mode is set to MAC or SN authentication, and the AP whitelist is configured on the AC.
  When an AP out of the whitelist connects to the AC, the AC adds the AP to the list of
  unauthorized APs. After the AP identity is confirmed, the AP can go online.

Procedure
l Add an AP offline.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the
AP to an AP blacklist.


By default, no AP is in an AP blacklist.
d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
The default AP authentication mode is MAC address authentication.
e. Run the ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | ap-sn
ap-sn | ap-mac ap-mac ap-sn ap-sn } ] or ap-mac ap-mac [ type-id type-id | ap-type ap-type ]
[ ap-id ap-id ] [ ap-sn ap-sn ] command to import the AP offline and
enter the AP view.
f. Run the ap-name ap-name command to configure the AP name.
By default, no AP name is configured for an AP.
g. Run the ap-group group-name command to add the AP to an AP group.
By default, no AP group is configured.
• Configure the AC to automatically discover an AP.
NOTE

If no AP name or AP group is configured for an automatically discovered AP on the AC, the
configuration file of the AP name or AP group will not be generated in the AP view.
If an AP is deleted from the AC, the configuration in the AP view will be automatically deleted.
– Set the AP authentication mode to no authentication.
i. Run the system-view command to enter the system view.
ii. Run the wlan command to enter the WLAN view.
iii. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add
the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
iv. Run the ap auth-mode no-auth command to set the AP authentication mode
to no authentication.
The default AP authentication mode is MAC address authentication.
NOTE

The non-authentication mode brings security risks. You are advised to set the
authentication mode to MAC address authentication or SN authentication, which is
more secure.
– Set the AP authentication mode to MAC address or SN authentication.
i. Run the system-view command to enter the system view.
ii. Run the wlan command to enter the WLAN view.
iii. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add
the AP to an AP blacklist.
By default, no AP is in an AP blacklist.
iv. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
The default AP authentication mode is MAC address authentication.
v. Configure the AP whitelist.
○ Run the ap whitelist mac ap-mac1 [ to ap-mac2 ] command to add the
AP with the specified MAC address to the whitelist if the AP
authentication mode is set to MAC address authentication.


By default, no MAC address is added to the AP whitelist.


○ Run the ap whitelist sn ap-sn1 [ to ap-sn2 ] command to add the AP with
the specified SN to the whitelist if the AP authentication mode is set to
SN authentication.
By default, no SN is added to the AP whitelist.
• Manually confirm the AP added to the list of unauthorized APs.
a. Run the system-view command to enter the system view.
b. Run the wlan command to enter the WLAN view.
c. (Optional) Run the ap blacklist mac ap-mac1 [ to ap-mac2 ] command to add the
AP to an AP blacklist.
By default, no AP is in an AP blacklist.
d. Run the ap auth-mode { mac-auth | sn-auth } command to set the AP
authentication mode to MAC address authentication or SN authentication.
The default AP authentication mode is MAC address authentication.
e. Run the display ap unauthorized record command to check information about
unauthorized APs.
f. Run the ap-confirm { all | mac ap-mac | sn ap-sn } command to confirm the
unauthorized APs. After confirmation, the APs work in normal state.
----End

16.7.2 Configuring Mesh Radio Parameters

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Enter the radio view.
• Enter the AP group radio view.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
• Enter the AP radio view.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the radio radio-id command to enter the radio view.
Step 4 Run channel { 20mhz | 40mhz-minus | 40mhz-plus | 80mhz | 160mhz } channel or channel
80+80mhz channel1 channel2.
The working bandwidth and channel are configured for the radio.
By default, the working bandwidth of a radio is 20 MHz, and no working channel is
configured for a radio.


Radios of different AP nodes on a Mesh link must be configured with the same channel and
bandwidth.
The 80 MHz, 160 MHz, and 80+80 MHz working bandwidths are only supported in the 5G
radio view.
802.11ac APs support the 80 MHz configuration, whereas four-spatial-stream 802.11ac APs
allow for the 160 MHz or 80+80 MHz configuration.
The AD9431DN-24X (including the mapping RUs), AD9430DN-24 (including the mapping
RUs), AD9430DN-12 (including the mapping RUs), AP6310SN-GN, AP2010DN,
AP7030DE, AP9330DN, AP2030DN, AP2050DN, AP2050DN-E, AP2051DN, and
AP2051DN-E do not support the Mesh function.
Working channels of radios vary according to countries and regions. To conform to local laws
and regulations, you need to configure different working channels under different country
codes. You can run the display ap configurable channel { ap-name ap-name | ap-id ap-id }
command to check the channels supported by the specified AP.
Step 5 Run coverage distance distance
The radio coverage distance parameter is specified.
By default, the radio coverage distance parameter is 3 (unit: 100 m) for all radios.
You can configure the radio coverage distance parameter based on the distances between APs.
The APs then automatically adjust the values of slottime, acktimeout, and ctstimeout based on
the configured distance parameter to improve data transmission efficiency.
Step 6 Run frequency 5g
Radio 0 is configured to work on the 5 GHz frequency band.
By default, radio 0 works on the 2.4 GHz frequency band, and radio 2 works on the 5 GHz
frequency band.
Among Mesh-capable APs, radio 0 of the AP8130DN and AP8130DN-W supports the 2.4 GHz
and 5 GHz frequency bands but can work on only one frequency band at a time. If you configure
radio 0 of the AP8130DN and AP8130DN-W to work on the 5 GHz frequency band, the
AP8130DN and AP8130DN-W can then work in dual-5G mode.
Step 7 Run quit
Return to the AP group view or AP view.
Step 8 Run quit
Return to the WLAN view.
Step 9 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
The 2G or 5G radio profile view is displayed.
Step 10 Run wifi-light signal-strength
The blinking frequency of the Wireless indicator on the AP is configured to reflect the signal
strength.
By default,
• If the Mesh function is enabled on the AP, the blinking frequency of the Wireless LED
reflects the weakest signal strength of all neighboring APs.
• If WDS is enabled on an AP, the blinking frequency of the Wireless LED reflects the
strength of signals received from a WDS AP.
– If the AP works in leaf mode, the blinking frequency of the Wireless LED reflects
the strength of signals received from a middle AP.
– If the AP works in middle mode, the blinking frequency of the Wireless LED
reflects the strength of signals received from a root AP.
– If the AP works in root mode, the blinking frequency of the Wireless LED reflects
the weakest signal strength of middle APs.
• If the WDS and Mesh functions are disabled on an AP, the blinking frequency of the
Wireless LED reflects the service traffic volume on the radio.
During installation and commissioning of an AP that has the WDS or Mesh function enabled,
you need to adjust AP locations and antenna directions to obtain strong signals. If the blinking
frequency of the Wireless LED shows the signal strength, onsite installation personnel can
know the signal strength in real time. The wifi-light command allows you to specify the
parameter reflected by the blinking frequency of the Wireless LED. For example, you can
set the parameter to signal strength during installation and to service traffic volume after
installation.

NOTE

This command takes effect only when the AP has the WDS or Mesh function enabled. If the WDS and Mesh
functions are disabled on the AP, the Wireless LED always shows service traffic volume.

----End

Follow-up Procedure
In the AP group view or AP view, run the radio-2g-profile profile-name { radio { radio-id |
all } } or radio-5g-profile profile-name { radio { id | all } } command to bind the 2.4G or 5G
radio profile to the AP radio. Alternatively, you can run the radio-2g-profile profile-name or
radio-5g-profile profile-name command in the AP group radio view or AP radio view to bind
the 2.4G or 5G radio profile to the AP radio.

16.7.3 Configuring Parameters for an AP's Wired Interface

Context
You can configure the wired interface on an MPP to connect to the AC or configure the wired
interface on an AP to deploy a Layer 2 network or directly associate with STAs.
On Mesh networks, an AP wired interface can work in the following modes:
• root mode: The wired interface that connects the MPP to the AC must work in root
mode.
• endpoint mode: When the wired interface of an AP works in endpoint mode, the AP's
wired interface can directly connect to a STA or be used to deploy Layer 2 networks.

Procedure
Step 1 Run system-view
The system view is displayed.


Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run wired-port-profile name profile-name

An AP wired port profile is created and the AP wired port profile view is displayed.

By default, the system provides the AP wired port profile default.

Step 4 Run mode root

The trackside AP's wired interface is configured to work in root mode.

By default,
• On a common AP: Its GE interfaces work in root mode, Ethernet interfaces in endpoint
mode, and Eth-Trunk interfaces in root mode.
• On a central AP: Its uplink GE interfaces work in root mode and downlink GE interfaces
in middle mode.
• On an R230D: Its Ethernet interface works in root mode.
• On an R240D: Its Ethernet interface works in endpoint mode and GE interface in root
mode.
• On an R250D, R250D-E, AP2050DN, AP2051DN, AP2051DN-E, R251D, R251D-E
and AP2050DN-E: Their uplink GE interfaces work in root mode and downlink GE
interfaces in endpoint mode.
• On an R450D: Its GE interface works in root mode.

NOTE

After changing the working mode of an AP's wired interface, run the ap-reset command to reset the AP
for the configuration to take effect.

Step 5 Run vlan { tagged | untagged } { vlan-id1 [ to vlan-id2 ] } &<1-10>

The VLAN to which the AP's wired interface is added is specified.

By default, an AP wired interface allows packets from all VLANs to pass. The wired interface
is added to VLAN 1 in untagged mode and to other VLANs in tagged mode.

NOTE

An AP wired interface can be added to a maximum of 256 VLANs.

Step 6 Run vlan pvid vlan-id

A PVID is configured for the AP's wired interface.

By default, no PVID is configured for an AP wired interface.

Step 7 Run user-isolate { all | l2 }

User isolation is enabled on the AP's wired interface.

By default, user isolation is disabled on an AP's wired interface.

----End


Follow-up Procedure
Run the wired-port-profile profile-name interface-type interface-number command in the AP
group view or AP view to bind the specified AP wired port profile to the AP's wired interface.

16.7.4 Configuring a Security Profile

Context
You need to configure a security profile and a security policy for the Mesh to ensure security.
The WPA2+PSK+AES security policy is recommended for a Mesh security profile. For
details about WPA2, PSK, and AES, see 11 WLAN Security Configuration.
NOTE

The security policy can be set to open system authentication only for the Mesh network in rail
transportation scenarios.

By default, the system provides the Mesh profile default. Both the default Mesh profile
default and a self-defined Mesh profile have the security profile default-mesh referenced by
default. In the security profile default-mesh, the security policy is set to WPA2+PSK+AES
and the security key to huawei_secmesh. If the default security profile default-mesh is used,
you are advised to change the security key of the profile to ensure security.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run security-profile name profile-name

A security profile is created, and the security profile view is displayed.

By default, security profiles default, default-wds, and default-mesh are available in the
system.

Step 4 Run security wpa2 psk { pass-phrase | hex } key-value aes

A security policy is configured for the security profile.

----End

16.7.5 Configuring a Mesh Whitelist

Context
To prevent a trackside AP from connecting to a vehicle-mounted AP on a different track,
add the MAC address of the vehicle-mounted AP along the local track to the Mesh whitelists
of all trackside APs.


Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run mesh-whitelist-profile name whitelist-name

A Mesh whitelist profile is created, and the Mesh whitelist profile view is displayed.

By default, no Mesh whitelist profile is available in the system.

Step 4 Run peer-ap mac mac-address

MAC addresses of neighboring APs that are allowed to connect to an AP are added to the
Mesh whitelist profile.

By default, no MAC address of a neighboring AP is added to a Mesh whitelist profile.

NOTE

When configuring vehicle-ground fast link handover, add MAC addresses of vehicle-mounted APs allowed to
connect to a trackside AP to a whitelist.

Step 5 Run quit

Return to the WLAN view.

Step 6 Enter the radio view.


• Enter the AP group radio view.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
• Enter the AP radio view.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the radio radio-id command to enter the radio view.

Step 7 Run mesh-whitelist-profile whitelist-name

The Mesh whitelist profile is bound to the AP radio.

By default, no Mesh whitelist profile is bound to an AP radio.

----End

16.7.6 Configuring a Mesh Handover Profile

Context
A Mesh profile must have a Mesh handover profile referenced to provide the fast link
handover function.


NOTE

A Mesh handover profile and the FWA mode of a Mesh profile are mutually exclusive and cannot be
configured together.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run mesh-handover-profile name profile-name
A Mesh handover profile is created, and the Mesh handover profile view is displayed.
By default, the system provides the Mesh handover profile default.
Step 4 Run location-based-algorithm enable
The location-based enhanced link handover algorithm is enabled.
By default, the location-based enhanced link handover algorithm is disabled.

NOTE

After the location-based enhanced link handover algorithm is enabled, the vehicle-mounted AP will switch
the active link to the nearest trackside AP that meets handover requirements.
In vehicle-ground communication scenarios, signals of a trackside AP distant from a train may be temporarily
better than those of the trackside AP near the train due to radio environment changes. If an active link
handover occurs at this time, the active link may be incorrectly switched to the distant trackside AP. To
prevent incorrect handovers and improve vehicle-ground communication quality, you can use the
location-based enhanced link handover algorithm. This algorithm requires that trackside APs be named in
ascending or descending order of sequence numbers.
Trackside APs should be named in head-name_sequence-number format. head-name describes track line
information and can be different for trackside APs on the same track. It is recommended that you set the same
head-name for APs on a track to differentiate tracks. sequence-number of APs along a track must be in
descending or ascending order. The sequence numbers of trackside APs can be set with unequal steps.
head-name and sequence-number are separated using an underscore (_), for example, L1_001, L1_002, L1_005,
L1_010.

----End
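
A pre-deployment check for the naming rule in the note above, added here as an example and not part of Huawei's documentation or tooling. It takes the trackside AP names in their physical order along one track; the function name, splitting on the last underscore, and treating a repeated sequence number as an error are assumptions, and the sample names other than the guide's L1_001 series are constructed.

```python
import re

# head-name_sequence-number: split on the LAST underscore (assumption), digits only after it.
NAME_RE = re.compile(r"^(?P<head>.+)_(?P<seq>\d+)$")


def check_track_names(names):
    """Validate AP names listed in physical order along one track.

    Returns a list of problem strings; an empty list means the names satisfy
    the format and ordering rule required by the location-based algorithm.
    """
    problems = []
    parsed = []          # (name, sequence number) for well-formed names
    heads = set()        # distinct head-names seen on this track

    for name in names:
        m = NAME_RE.match(name)
        if not m:
            problems.append(f"{name}: not in head-name_sequence-number format")
            continue
        heads.add(m["head"])
        parsed.append((name, int(m["seq"])))

    # Different head-names on one track are allowed but not recommended.
    if len(heads) > 1:
        problems.append("warning: mixed head-names " + ", ".join(sorted(heads)))

    # The first pair of differing numbers fixes the direction; every later
    # pair must move the same way. Unequal steps are fine.
    direction = 0
    for (prev_name, prev), (cur_name, cur) in zip(parsed, parsed[1:]):
        step = (cur > prev) - (cur < prev)
        if step == 0:
            problems.append(f"{cur_name}: repeats the sequence number of {prev_name}")
        elif direction == 0:
            direction = step
        elif step != direction:
            word = "ascending" if direction > 0 else "descending"
            problems.append(f"{cur_name}: breaks the {word} order after {prev_name}")
    return problems


if __name__ == "__main__":
    # Constructed sample: one malformed name and one out-of-order AP.
    for p in check_track_names(["L1_001", "L1_005", "L1_003", "L1-004", "L1_010"]):
        print(p)
```
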

16.7.7 Configuring a Mesh Role and Mesh Profile


Context
On a vehicle-ground fast link handover network shown in Figure 16-8, Mesh roles of the
vehicle-mounted AP and trackside AP are MP and MPP respectively.

Figure 16-8 Networking diagram of vehicle-ground fast link handovers
[Figure labels: AC; Switch; five trackside APs (MPP); vehicle-mounted AP in the rear (MP); vehicle-mounted AP in the front (MP)]

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
The AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run mesh-role mesh-portal
The Mesh role of the trackside AP is set to MPP.
By default, the Mesh role of an AP is mesh-node in the AP system profile.
Step 5 Run antenna-output { split | combine }
The output mode of 2.4G/5G antennas is specified.
By default, a 2.4G/5G antenna uses split output.
Only the AP9132DN and AP8182DN support this function.
Step 6 Run quit
Return to the WLAN view.
Step 7 Run mesh-profile name profile-name
A Mesh profile is created, and the Mesh profile view is displayed.
By default, the system provides the Mesh profile default.
Step 8 Run mesh-id name
A Mesh ID is configured. Mesh nodes use a Mesh ID to identify connections between them.
By default, the Mesh ID of a Mesh profile is HUAWEI-WLAN-MESH.
Step 9 Run security-profile profile-name
A security profile is bound to the Mesh profile.
By default, the security profile default-mesh is bound to a Mesh profile.

NOTE

By default, the system provides the Mesh profile default. Both the default Mesh profile default and a
self-defined Mesh profile have the security profile default-mesh referenced by default. In the security
profile default-mesh, the security policy is set to WPA2+PSK+AES and the security key to
huawei_secmesh. If the default security profile default-mesh is used, you are advised to change the
security key of the profile to ensure security.

Step 10 (Optional) Improve channel usage efficiency.


1. Run the beacon-2g-rate beacon-2g-rate command to set the transmit rate of 2.4 GHz
Beacon frames.
By default, the transmit rate of 2.4 GHz Beacon frames is 1 Mbit/s.
2. Run the beacon-5g-rate beacon-5g-rate command to set the transmit rate of 5 GHz
Beacon frames.
By default, the transmit rate of 5 GHz Beacon frames is 6 Mbit/s.
Step 11 (Optional) Run max-link-number link-num
The maximum number of Mesh links allowed on an AP is configured.
By default, a maximum of eight mesh links can be established between APs. After you enable
FWA for a mesh profile using the fwa enable command, a maximum of 32 mesh links can be
established between APs by default.
Step 12 (Optional) Run link-rssi-threshold threshold-value
The RSSI threshold of a Mesh link is configured. When the minimum RSSI of all Mesh links
on the optimal route to the current MPP is lower than the RSSI threshold of a Mesh link, the
MP reselects Mesh links.
By default, the RSSI threshold of a mesh link is -75 dBm. After the FWA mode is enabled in
a Mesh profile, the RSSI threshold of a Mesh link is fixed as -90 dBm.
Step 13 (Optional) Run link-report-interval report-interval
The interval at which an MP reports Mesh link information to an AC is specified.
By default, an MP reports Mesh link information to the AC at an interval of 30 seconds.
Step 14 (Optional) Run dhcp trust port
A DHCP trusted port is enabled in the Mesh profile.
By default, a DHCP trusted port is enabled in a Mesh profile.

NOTE

After a DHCP trusted port is enabled in a Mesh profile and the Mesh profile is applied to an AP, the AP
receives the DHCP OFFER, ACK, and NAK packets sent by authorized DHCP servers and forwards the
packets to STAs so that the STAs can obtain valid IP addresses and go online.

Step 15 Run quit


Return to the WLAN view.
Step 16 Apply the Mesh profile. You can use any of the following methods according to actual
situations:
• Bind the Mesh profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the mesh-profile profile-name radio { all | radio-id } command to bind the
Mesh profile to the AP group.
By default, no Mesh profile is bound to an AP group or AP.
NOTE
A Mesh link uses the VAP with the WLAN ID 16, which cannot be occupied by other WLAN
services.
• Bind the Mesh profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the mesh-profile profile-name radio { all | radio-id } command to bind the
Mesh profile to the AP.
By default, no Mesh profile is bound to an AP group or AP.
NOTE
A Mesh link uses the VAP with the WLAN ID 16, which cannot be occupied by other WLAN
services.
• Bind the Mesh profile to AP group radios.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
c. Run the mesh-profile profile-name command to bind the Mesh profile to AP group
radios.
By default, no Mesh profile is bound to an AP radio.
NOTE
A Mesh link uses the VAP with the WLAN ID 16, which cannot be occupied by other WLAN
services.
• Bind the Mesh profile to an AP radio.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the radio radio-id command to enter the radio view.
c. Run the mesh-profile profile-name command to bind the Mesh profile to the AP
radio.
By default, no Mesh profile is bound to an AP radio.
NOTE
A Mesh link uses the VAP with the WLAN ID 16, which cannot be occupied by other WLAN
services.

----End
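
The hardening points from 16.7.1 (AP authentication mode), 16.7.4 (the default-mesh key huawei_secmesh) and 16.7.5 (Mesh whitelist) expressed as a review check over a planned command script. This is an added example, not Huawei code or tooling. It assumes the input is the commands as an operator would type them on the AC (not display output) and follows only the AP group binding paths; the function name, finding codes, profile names, MAC addresses and pass-phrase are constructed.

```python
DEFAULT_SEC = "default-mesh"    # security profile every Mesh profile references by default
DEFAULT_KEY = "huawei_secmesh"  # documented default key of that profile


def lint_mesh_script(commands):
    """Walk AC commands in typed order and return a list of finding codes."""
    views = []                        # stack of (view kind, object name)
    auth_mode = "mac-auth"            # documented default AP authentication mode
    psk = {DEFAULT_SEC: DEFAULT_KEY}  # security profile -> key as typed
    mesh_sec = {}                     # Mesh profile -> bound security profile
    peers = {}                        # Mesh whitelist profile -> peer AP MACs
    applied, bound_wl = set(), set()  # profiles bound to AP groups or radios

    for line in commands:
        tok = line.split()
        if not tok:
            continue
        kind, name = views[-1] if views else (None, None)
        enters = len(tok) == 3 and tok[1] == "name"   # "<object> name <x>"
        if tok[0] == "quit":
            if views:
                views.pop()
        elif tok[0] in ("system-view", "wlan"):
            views.append((tok[0], None))
        elif tok[:2] == ["ap", "auth-mode"] and len(tok) == 3:
            auth_mode = tok[2]
        elif enters and tok[0] in ("security-profile", "mesh-profile",
                                   "mesh-whitelist-profile", "ap-group"):
            views.append((tok[0], tok[2]))
            if tok[0] == "mesh-profile":
                mesh_sec.setdefault(tok[2], DEFAULT_SEC)
            elif tok[0] == "mesh-whitelist-profile":
                peers.setdefault(tok[2], [])
        elif len(tok) == 2 and tok[0] == "radio" and kind == "ap-group":
            views.append(("radio", tok[1]))
        elif (tok[:3] == ["security", "wpa2", "psk"] and len(tok) == 6
              and kind == "security-profile"):
            psk[name] = tok[4]        # pass-phrase or hex key value
        elif len(tok) == 2 and tok[0] == "security-profile" and kind == "mesh-profile":
            mesh_sec[name] = tok[1]   # bind a security profile to the Mesh profile
        elif (tok[:2] == ["peer-ap", "mac"] and len(tok) == 3
              and kind == "mesh-whitelist-profile"):
            peers[name].append(tok[2])
        elif len(tok) >= 2 and tok[0] == "mesh-profile" and kind in ("ap-group", "radio"):
            applied.add(tok[1])
        elif len(tok) == 2 and tok[0] == "mesh-whitelist-profile" and kind == "radio":
            bound_wl.add(tok[1])

    findings = []
    if auth_mode == "no-auth":
        findings.append("AP-NOAUTH")                  # any AP may go online
    for mp in sorted(applied):
        if psk.get(mesh_sec.get(mp, DEFAULT_SEC)) == DEFAULT_KEY:
            findings.append(f"MESH-DEFAULT-KEY:{mp}")  # link protected by the published key
    if applied and not any(peers.get(w) for w in bound_wl):
        findings.append("MESH-NO-WHITELIST")          # no non-empty whitelist on any radio
    return findings


# Constructed script: weak settings taken from the defaults the guide describes.
WEAK = """
system-view
wlan
ap auth-mode no-auth
mesh-profile name track1
mesh-id track1-mesh
quit
ap-group name trackside
mesh-profile track1 radio all
""".strip().splitlines()

# Constructed script: the same deployment with the guide's recommendations applied.
HARDENED = """
system-view
wlan
ap auth-mode mac-auth
ap whitelist mac 00e0-fc00-0001
security-profile name track1-sec
security wpa2 psk pass-phrase Constructed-Key-2018 aes
quit
mesh-whitelist-profile name track1-wl
peer-ap mac 00e0-fc00-0101
quit
mesh-profile name track1
security-profile track1-sec
quit
ap-group name trackside
radio 1
mesh-profile track1
mesh-whitelist-profile track1-wl
""".strip().splitlines()

if __name__ == "__main__":
    print("weak:    ", lint_mesh_script(WEAK))
    print("hardened:", lint_mesh_script(HARDENED))
```
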

16.7.8 Guaranteeing Multicast Data Transmission

Context
Vehicle-mounted multimedia devices on moving trains deliver multimedia information
services to passengers in multicast mode. Reliable multicast data transmission ensures smooth
delivery of multimedia information services. All vehicle-mounted multimedia devices are
added to a multicast group. As the train moves ahead, the active link changes frequently. Only
the trackside AP and vehicle-mounted AP are aware of the link change. Other ground devices
such as switches connected to trackside APs cannot detect the change and fail to forward
multicast data. To resolve the problem, IGMP snooping is enabled on the vehicle-mounted AP
and ground devices to generate Layer 2 multicast forwarding entries. After switching the
active link to a new trackside AP, the vehicle-mounted AP sends a Report message to the
trackside AP. The trackside AP forwards the message to the ground device, which then
updates the multicast forwarding table accordingly. To prevent loss of multicast packets
during a link handover, the vehicle-mounted AP still receives multicast data from the old
trackside AP before the multicast flow is switched to the new trackside AP. After receiving
multicast data from the new trackside AP, the vehicle-mounted AP sends a Leave message to
the old trackside AP. The old trackside AP forwards the Leave message to the ground device,
which then stops sending multicast data to the old trackside AP. This mechanism ensures
seamless switching of multicast data.

NOTE

In vehicle-ground fast link handover scenarios, you need to configure multicast on all ground network
devices involved in multicast data forwarding according to actual network requirements. This section
assumes that the AC participates in Layer 2 multicast data forwarding and uses multicast configuration on the
AC as an example. To configure other network devices, see the corresponding configuration document.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run igmp-snooping enable

IGMP snooping is enabled globally.

Step 3 Run vlan vlan-id

The VLAN view is displayed.

Step 4 Run igmp-snooping enable

IGMP snooping is enabled in the VLAN.

Step 5 (Optional) Run igmp-snooping version version

The version of IGMP messages that IGMP snooping can process is specified.

By default, the device can process IGMPv1 and IGMPv2 messages but cannot process
IGMPv3 messages.

NOTE

If you set the version of IGMP messages that IGMP snooping can process to IGMPv3, the default Layer
2 multicast data forwarding mode cannot be changed on the device.

Step 6 (Optional) Run igmp-snooping prompt-leave [ group-policy acl-number ]

The fast leave function is enabled.

By default, the fast leave function is disabled.

If trackside APs are directly connected to the device (each device interface maps one
trackside AP), enabling fast leave improves the quality of multicast services during link
handovers. If the trackside APs are not directly connected to the device, you cannot configure
the fast leave function because this function may interrupt multicast services during link
handovers.

NOTE

For methods of configuring other Layer 2 multicast parameters, see IGMP Snooping Configuration in the
S1720, S2700, S5700, and S6720 V200R012C00 Configuration Guide - IP Multicast.

----End


16.7.9 Verifying the Trackside AP Configuration

Prerequisites
The Mesh configuration is complete.

Procedure
• Run the display references mesh-profile name profile-name command to check
reference information of a specified Mesh profile.
• Run the display mesh-profile { all | name profile-name } command to check
information about a Mesh profile.
• Run the display references mesh-whitelist-profile name whitelist-name command to
check reference information of a specified Mesh whitelist profile.
• Run the display mesh-whitelist-profile { all | name whitelist-name } command to check
information about a Mesh whitelist profile.
• Run the display references mesh-handover-profile name profile-name command to
check information about Mesh profiles by which a specified Mesh handover profile is
referenced.
• Run the display mesh-handover-profile { all | name profile-name } command to check
configuration and reference information about a Mesh handover profile.
----End

16.8 Configuring a Vehicle-Mounted AP


Context
A vehicle-mounted AP used on a vehicle-ground fast link handover network is a Fat AP. This
chapter describes only configuration steps of the vehicle-mounted AP. For more details, see
Vehicle-Ground Fast Link Handover Configuration Guide in Fat AP & Cloud AP Product
Documentation or Fat AP & Cloud AP V200R007C20 Product Documentation.

16.8.1 Configuring Mesh Radio Parameters

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface wlan-radio wlan-radio-number
The radio interface view is displayed.
Step 3 Run channel { 20mhz | 40mhz-minus | 40mhz-plus | 80mhz } channel [ index index ]
The working bandwidth and channel are configured for a radio.
By default, the working bandwidth of a radio is 20 MHz, and no working channel is
configured for a radio.


The vehicle-mounted and trackside APs must be configured with the same channel and
bandwidth.

----End

16.8.2 Configuring a Security Profile


Context
You need to configure a security profile and a security policy for the Mesh to ensure security.
The WPA2+PSK+AES security policy is recommended for a WDS security profile.
NOTE

The security policy can be set to open system authentication only for the Mesh network in rail
transportation scenarios.

By default, the system provides the Mesh profile default. Both the default Mesh profile
default and a self-defined Mesh profile have the security profile default-mesh referenced by
default. In the security profile default-mesh, the security policy is set to WPA2+PSK+AES
and the security key to huawei_secmesh. If the default security profile default-mesh is used,
you are advised to change the security key of the profile to ensure security.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run security-profile name profile-name
A security profile is created, and the security profile view is displayed.
By default, security profiles default and default-mesh are available in the system.
Step 4 Run security wpa2 psk { pass-phrase | hex } key-value aes
A security policy is configured for the security profile.

----End

16.8.3 (Optional) Configuring a Mesh Whitelist


Context
To prevent a vehicle-mounted AP from connecting to trackside APs on a different track,
add the MAC addresses of all trackside APs along the local track to the Mesh whitelist
of the vehicle-mounted AP.

Procedure
Step 1 Run system-view
The system view is displayed.


Step 2 Run wlan


The WLAN view is displayed.
Step 3 Run mesh-whitelist-profile name whitelist-name
A Mesh whitelist profile is created, and the Mesh whitelist profile view is displayed.
By default, no Mesh whitelist profile is available in the system.
Step 4 Run peer-ap mac mac-address
MAC addresses of neighboring APs that are allowed to connect to an AP are added to the
Mesh whitelist profile.
By default, no MAC address of a neighboring AP is added to a Mesh whitelist profile.

NOTE

When configuring vehicle-ground fast link handover, add MAC addresses of trackside APs allowed to
connect to a vehicle-mounted AP to a whitelist.

Step 5 Run quit
Return to the WLAN view.
Step 6 Run quit
Return to the system view.
Step 7 Run interface wlan-radio wlan-radio-number
The radio interface view is displayed.
Step 8 Run mesh-whitelist-profile whitelist-name [ index index ]
The Mesh whitelist profile is bound to the AP radio.
By default, no Mesh whitelist profile is bound to an AP radio.

----End

16.8.4 Configuring Train-Ground Communication (For Vehicle-Mounted APs in V200R007 or Later)


Context
Train-ground communication involves Mesh handover and client scenarios.
Mesh handover scenario: Deploy trackside APs along the railway line, which set up Mesh
links with vehicle-mounted APs using the same channel. The vehicle-mounted APs on a
moving train can perform link handovers, without the need to scan channels.
Mesh client scenario: Deploy trackside APs by segment (for example, only in stations) instead
of along the railway line. To meet throughput or coverage efficiency requirements, you need
to configure trackside APs to work in different channels. Vehicle-mounted APs scan channels
of neighboring APs to perform Mesh link handovers.

NOTE

Perform either of the following operations based on train-ground communication scenarios.

Procedure
● Configure the Mesh handover mode.
a. Run system-view

The system view is displayed.


b. Run wlan

The WLAN view is displayed.


c. Run mesh-handover-profile name profile-name

A Mesh handover profile is created, and the Mesh handover profile view is
displayed.

By default, the system provides the Mesh handover profile default.


d. Run location-based-algorithm enable [ moving-direction { backward | forward |
undetermined } ]

The location-based enhanced fast link handover algorithm is enabled, and the
moving direction of the vehicle-mounted AP is configured.

By default, the location-based enhanced fast link handover algorithm is disabled
and the moving direction of the vehicle-mounted AP is undetermined.

NOTE

After the location-based enhanced link handover algorithm is enabled, the vehicle-mounted AP
will switch the active link to the nearest trackside AP that meets handover requirements.

In vehicle-ground communication scenarios, signals of a trackside AP distant from a train may be
temporarily better than those of the trackside AP near the train due to radio environment changes.
If an active link handover occurs at this time, the active link may be incorrectly switched to the
distant trackside AP. To prevent incorrect handovers and improve vehicle-ground communication
quality, you can use the location-based enhanced link handover algorithm. This algorithm requires
that trackside APs be named in ascending or descending order of sequence numbers.

Trackside APs should be named in head-name_sequence-number format. head-name describes
track line information and can be different for trackside APs on the same track. It is recommended
that you set the same head-name for APs on a track to differentiate tracks. sequence-number of
APs along a track must be in descending or ascending order. The sequence numbers of trackside
APs can be set with unequal steps. head-name and sequence-number are separated by an
underscore (_), for example, L1_001, L1_002, L1_005, L1_010.
e. Run max-rssi-threshold value

The maximum RSSI threshold of a Mesh link is specified.

By default, the maximum RSSI threshold of a Mesh link is -20 dBm in a Mesh
handover profile.
f. Run min-rssi-threshold value

The minimum RSSI threshold of a Mesh link is specified.

By default, the minimum RSSI threshold of a Mesh link is -60 dBm in a Mesh
handover profile.
g. Run link-hold-period value

The holding time of a Mesh link is specified.

By default, the holding time of a Mesh link is 4,000 ms.

h. Run rssi-margin value
The RSSI threshold for a Mesh link handover is specified.
By default, the RSSI threshold for a Mesh link handover is 10 dB.
i. Run link-probe-interval value
The Mesh link probe interval is specified.
By default, the Mesh link probe interval is 100 ms in a Mesh handover profile.
j. Run p-n criteria observe-time observe-value qualify-time qualify-value
The P/N criterion for a handover is specified.
By default, the observing value in the P/N criterion is three detection times and the
qualified value is two detection times.
k. Run urgent-handover low-rate threshold rate-value period time
The minimum rate threshold for an emergency handover and the minimum rate
holding time are specified.
By default, the minimum rate threshold for an emergency handover is 10 Mbit/s and
the minimum rate holding time is 2,000 ms.
l. Run urgent-handover punishment period time rssi value
The penalty parameters for an emergency handover are configured.
By default, the penalty period for an emergency handover is 2,000 ms and the
penalty level is 10 dB.
m. Run quit
Return to the WLAN view.
n. Run mesh-profile name profile-name
A Mesh profile is created, and the Mesh profile view is displayed.
By default, the system provides the Mesh profile default.
o. Run mesh-handover-profile profile-name
A Mesh handover profile is bound to the Mesh profile.
By default, no Mesh handover profile is bound to a Mesh profile.
● Configure the Mesh client mode.
a. Run system-view
The system view is displayed.
b. Run wlan
The WLAN view is displayed.
c. Run mesh-profile name profile-name
A Mesh profile is created, and the Mesh profile view is displayed.
By default, the system provides the Mesh profile default.
d. Run client-mode enable
The Mesh client mode is enabled.

By default, the Mesh client mode is disabled.


e. Run quit

Return to the WLAN view.


f. Run air-scan-profile name profile-name

An air scan profile is created, and the air scan profile view is displayed.
g. (Optional) Run scan-channel-set { country-channel | dca-channel | work-channel }

An air scan channel is configured.

By default, an air scan channel set contains all channels supported by the
corresponding country code of an AP.
h. (Optional) Run scan-period scan-time

The air scan period is configured.

The default air scan period is 60 ms.

NOTE

A longer air scan period indicates more collected data and a more accurate data analysis result.
However, if the air scan period is set too large, WLAN services are affected. You are advised to
use the default value.
i. (Optional) Run scan-interval scan-time

The air scan interval is configured.

By default, the air scan interval is 10000 ms.

NOTE

● The air scan interval ranges from 300 ms to 1000 ms.
● The air scan interval also applies to radio calibration, smart roaming, WLAN location, and
WIDS functions.
● If the customer has high requirements on real-time data analysis, configure a small air scan
interval using the scan-interval command to improve the scan frequency; however, a higher
scan frequency has a much larger impact on the services.
j. Run quit

Return to the WLAN view.


k. Run radio-2g-profile name default or radio-5g-profile name default

The 2G or 5G radio profile view is displayed.


l. Run air-scan-profile profile-name

The air scan profile is bound to the radio profile.

By default, the air scan profile default is bound to a radio profile.

----End
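
An added example (not part of the guide): a Python pre-deployment check for the head-name_sequence-number rule that the location-based algorithm in step d depends on, which also emits the 16.8.3 whitelist commands for the APs of one track only. The track labels, the line2 entries and the treatment of equal sequence numbers as an error are assumptions; the line1 names and MACs are those of Table 16-4 in section 16.10.1.

```python
import re

NAME_RE = re.compile(r"^(?P<head>.+)_(?P<seq>\d+)$")


def split_name(ap_name):
    """Split head-name_sequence-number at the last underscore."""
    match = NAME_RE.match(ap_name)
    if not match:
        raise ValueError(f"{ap_name} is not in head-name_sequence-number format")
    return match.group("head"), int(match.group("seq"))


def to_huawei_mac(mac):
    """Normalise aa:bb:cc:dd:ee:ff style input to the xxxx-xxxx-xxxx form."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"{mac} is not a MAC address")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def check_track(aps):
    """aps: (name, mac) pairs in physical order along one track; return problems."""
    problems, heads, seqs = [], set(), []
    for ap_name, _ in aps:
        try:
            head, seq = split_name(ap_name)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        heads.add(head)
        seqs.append((ap_name, seq))
    if len(heads) > 1:  # allowed by the guide, but one head-name per track is recommended
        problems.append("mixed head-names: " + ", ".join(sorted(heads)))
    steps = [nxt[1] - cur[1] for cur, nxt in zip(seqs, seqs[1:])]
    # The first non-zero step fixes the direction the rest of the track must follow.
    direction = next((1 if step > 0 else -1 for step in steps if step), 1)
    order = "ascending" if direction > 0 else "descending"
    for (cur, _), (nxt, _), step in zip(seqs, seqs[1:], steps):
        if step * direction <= 0:  # assumption: equal numbers also break the order
            problems.append(f"{cur} -> {nxt} breaks {order} order")
    return problems


def whitelist_commands(tracks, local_track, profile):
    """Commands from 16.8.3 that whitelist only the APs of the local track."""
    local = [to_huawei_mac(mac) for _, mac in tracks[local_track]]
    other = {to_huawei_mac(mac) for track, aps in tracks.items()
             if track != local_track for _, mac in aps}
    shared = sorted(set(local) & other)
    if shared:  # the same MAC on two tracks would defeat the per-track whitelist
        raise ValueError("MAC listed on more than one track: " + ", ".join(shared))
    return [f"mesh-whitelist-profile name {profile}"] + [f"peer-ap mac {m}" for m in local]


# line1 uses the names and MACs of Table 16-4 (one MAC rewritten with colons to
# exercise normalisation); line2 and the track labels are constructed.
TRACKS = {
    "line1": [("L1_001", "0046-4b59-1d10"), ("L1_003", "0046-4b59-1d20"),
              ("L1_010", "00:46:4B:59:1D:30"), ("L1_150", "0046-4b59-1d40"),
              ("L1_160", "0046-4b59-1d50"), ("L1_170", "0046-4b59-1d60")],
    "line2": [("L2_001", "0046-4b59-3a10"), ("L2_005", "0046-4b59-3a20"),
              ("L2_004", "0046-4b59-3a30"), ("L2-007", "0046-4b59-3a40")],
}

if __name__ == "__main__":
    for track, aps in TRACKS.items():
        print(track, check_track(aps) or "naming OK")
    print("\n".join(whitelist_commands(TRACKS, "line1", "whitelist01")))
```

Run it against the AP inventory before the names are pushed to the trackside APs, and generate one whitelist per track from the same inventory so that both stay consistent.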

16.8.5 Configuring a Mesh Profile


Context
On a vehicle-ground fast link handover network shown in Figure 16-9, Mesh roles of the
vehicle-mounted AP and trackside AP are MP and MPP respectively.

Figure 16-9 Networking diagram of vehicle-ground fast link handovers
[Figure: an AC connects through a switch to five trackside APs (MPP); the vehicle-mounted APs
in the rear and in the front of the train are MPs.]

NOTE

After Mesh is enabled on a vehicle-mounted AP, the Mesh role of the AP is fixed as mesh-node (MP).

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run mesh-profile name profile-name
A Mesh profile is created, and the Mesh profile view is displayed.
By default, the system provides the Mesh profile default.
Step 4 Run mesh-id name
A Mesh ID is configured. Mesh nodes use a Mesh ID to identify connections between them.
By default, the Mesh ID of a Mesh profile is HUAWEI-WLAN-MESH.
Step 5 Run security-profile profile-name
A security profile is bound to the Mesh profile.
By default, the security profile default-mesh is bound to a Mesh profile.

NOTE

By default, the system provides the Mesh profile default. Both the default Mesh profile default and a
self-defined Mesh profile have the security profile default-mesh referenced by default. In the security
profile default-mesh, the security policy is set to WPA2+PSK+AES and the security key to
huawei_secmesh. If the default security profile default-mesh is used, you are advised to change the
security key of the profile to ensure security.

Step 6 Run mesh-handover-profile profile-name
A Mesh handover profile is bound to the Mesh profile.
By default, no Mesh handover profile is bound to a Mesh profile.
Step 7 (Optional) Run switch-probe-interval interval
The Mesh handover probe interval is specified.
The default Mesh handover probe interval is 60 seconds.
This configuration is required only when a train can switch between two lines.
Step 8 (Optional) Improve channel usage efficiency.
1. Run the beacon-2g-rate beacon-2g-rate command to set the transmit rate of 2.4 GHz
Beacon frames.
By default, the transmit rate of 2.4 GHz Beacon frames is 1 Mbit/s.
2. Run the beacon-5g-rate beacon-5g-rate command to set the transmit rate of 5 GHz
Beacon frames.

By default, the transmit rate of 5 GHz Beacon frames is 6 Mbit/s.


Step 9 (Optional) Run max-link-number link-num
The maximum number of Mesh links allowed on an AP is configured.
By default, a maximum of eight mesh links can be established between APs.
Step 10 (Optional) Run link-rssi-threshold threshold-value
The RSSI threshold of a Mesh link is configured. When the minimum RSSI of all Mesh links
on the optimal route to the current MPP is lower than the RSSI threshold of a Mesh link, the
MP reselects Mesh links.
By default, the RSSI threshold of a mesh link is -75 dBm. After the FWA mode is enabled in
a Mesh profile, the RSSI threshold of a Mesh link is fixed as -90 dBm.
Step 11 (Optional) Run link-report-interval report-interval
The interval at which an MP reports Mesh link information to an AC is specified.
By default, an MP reports Mesh link information to the AC at an interval of 30 seconds.
Step 12 (Optional) Run dhcp trust port
A DHCP trusted port is enabled in the Mesh profile.
By default, a DHCP trusted port is enabled in a Mesh profile.

NOTE

After a DHCP trusted port is enabled in a Mesh profile and the Mesh profile is applied to an AP, the AP
receives the DHCP OFFER, ACK, and NAK packets sent by authorized DHCP servers and forwards the
packets to STAs so that the STAs can obtain valid IP addresses and go online.

Step 13 Run quit
Return to the WLAN view.
Step 14 Run quit
Return to the system view.
Step 15 Run interface wlan-radio wlan-radio-number
The radio interface view is displayed.
Step 16 Run mesh-profile profile-name [ index index ]
The Mesh profile is bound to the AP radio.
By default, no Mesh profile is bound to an AP radio.

----End
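
An added example (not part of the guide): a Python check that walks a vehicle-mounted AP command script built from the commands in 16.8.2, 16.8.3 and 16.8.5 and reports every radio whose Mesh link would still rely on the default-mesh key, on a key printed in this guide, on open system authentication, or on no Mesh whitelist. The script format, the finding names, the radio numbers and the `security open` command (a VRP command that does not appear on this page) are assumptions of the example.

```python
import re

# Values printed in this guide; a key that appears in documentation is public.
DEFAULT_SEC_PROFILE = "default-mesh"
DOCUMENTED_KEYS = {"huawei_secmesh", "a1234567"}
PSK_RE = re.compile(r"^security wpa2 psk (?:pass-phrase|hex) (\S+) aes$")
# "<command> name <profile>" opens one of these views.
VIEWS = {"security-profile": "sec", "mesh-profile": "mesh",
         "mesh-whitelist-profile": "whitelist"}


def parse_script(text):
    """Follow the CLI views line by line; return (security, mesh, radio) settings."""
    # default-mesh exists before any command runs and carries the documented key.
    sec = {DEFAULT_SEC_PROFILE: {"policy": "wpa2-psk-aes", "key": "huawei_secmesh"}}
    mesh, radio = {}, {}
    kind = name = None  # the view that the next command runs in
    for words in filter(None, (raw.split() for raw in text.splitlines())):
        line = " ".join(words)
        if line == "quit":
            kind = name = None
        elif len(words) == 3 and words[1] == "name" and words[0] in VIEWS:
            kind, name = VIEWS[words[0]], words[2]
        elif len(words) == 3 and words[:2] == ["interface", "wlan-radio"]:
            kind, name = "radio", words[2]
            radio.setdefault(name, {"mesh": None, "whitelist": None})
        elif kind == "sec" and PSK_RE.match(line):
            sec[name] = {"policy": "wpa2-psk-aes", "key": PSK_RE.match(line).group(1)}
        elif kind == "sec" and line == "security open":  # VRP command, not on this page
            sec[name] = {"policy": "open", "key": None}
        elif kind == "mesh" and len(words) == 2 and words[0] == "security-profile":
            mesh[name] = words[1]
        elif kind == "radio" and len(words) >= 2 and words[0] == "mesh-profile":
            radio[name]["mesh"] = words[1]  # keeps the last binding if several are given
        elif kind == "radio" and len(words) >= 2 and words[0] == "mesh-whitelist-profile":
            radio[name]["whitelist"] = words[1]
    return sec, mesh, radio


def audit(text):
    """Return sorted (finding, subject) pairs for every radio that has a Mesh profile."""
    sec, mesh, radio = parse_script(text)
    findings = set()
    for radio_id, bound in radio.items():
        if bound["mesh"] is None:
            continue
        if bound["whitelist"] is None:
            findings.add(("NO_MESH_WHITELIST", "wlan-radio " + radio_id))
        # A Mesh profile that never binds a security profile keeps default-mesh.
        sec_name = mesh.get(bound["mesh"], DEFAULT_SEC_PROFILE)
        policy = sec.get(sec_name, {"policy": None, "key": None})
        if policy["policy"] is None:
            findings.add(("POLICY_NOT_IN_SCRIPT", sec_name))
        elif policy["policy"] == "open":
            findings.add(("OPEN_AUTHENTICATION", sec_name))
        elif policy["key"] in DOCUMENTED_KEYS:
            findings.add(("DOCUMENTED_KEY", sec_name))
    return sorted(findings)


# Constructed input, built from the commands in 16.8.2, 16.8.3 and 16.8.5.
WEAK_SCRIPT = """
system-view
wlan
security-profile name sp01
security wpa2 psk pass-phrase a1234567 aes
quit
mesh-profile name mesh-net
security-profile sp01
quit
quit
interface wlan-radio 0/0/0
mesh-profile mesh-net
quit
interface wlan-radio 0/0/1
mesh-profile default
mesh-whitelist-profile whitelist01
"""

# Constructed input; the key is a placeholder for a site-specific pass-phrase.
HARDENED_SCRIPT = """
system-view
wlan
security-profile name sp01
security wpa2 psk pass-phrase <site-specific-pass-phrase> aes
quit
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-1d10
quit
mesh-profile name mesh-net
security-profile sp01
quit
quit
interface wlan-radio 0/0/0
mesh-profile mesh-net
mesh-whitelist-profile whitelist01
"""
```

`audit(WEAK_SCRIPT)` reports the documented key on both sp01 and default-mesh plus the radio without a whitelist; `audit(HARDENED_SCRIPT)` returns an empty list.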

16.8.6 Configuring Proxied Ground Devices


Context
When a train switches the forward direction, the vehicle-mounted APs in the front and rear
change their working status. However, vehicle-mounted devices, such as the switch, cannot
detect the change and still forward data to the original working vehicle-mounted AP, causing a
data transmission failure. To prevent this situation, you can configure proxied ground devices
on a vehicle-mounted AP so that the working vehicle-mounted AP can instruct the vehicle-
mounted network devices to update MAC forwarding entries after the train switches the
forward direction. In this way, data traffic from the vehicle-mounted network can be
forwarded to the working vehicle-mounted AP.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run mesh-proxy trackside-equip mac-address mac-address vlan vlan-id

The proxied ground devices are added on the vehicle-mounted AP.

By default, no proxied ground device is added on the vehicle-mounted AP.

----End

16.8.7 Configuring Proxied Vehicle-Mounted Devices

Context
After the vehicle-mounted AP switches the active link to a new trackside AP, ground network
devices cannot detect the link handover and still forward data to the original trackside AP,
causing a data transmission failure. To prevent this situation, you can configure proxied
vehicle-mounted devices on the vehicle-mounted AP so that the vehicle-mounted AP can
instruct the ground network devices to update MAC forwarding entries on interfaces after the
active link is switched to a new trackside AP. In this way, data traffic from the ground
network can be forwarded to the trackside AP.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run mesh-proxy onboard-equip mac-address mac-address vlan vlan-id

The proxied vehicle-mounted devices are added on the vehicle-mounted AP.

By default, no proxied vehicle-mounted device is added on the vehicle-mounted AP.

----End

16.8.8 Enabling IGMP Snooping on a Vehicle-Mounted AP

Context
Vehicle-mounted multimedia devices on moving trains deliver multimedia information
services to passengers in multicast mode. Reliable multicast data transmission ensures smooth
delivery of multimedia information services. All vehicle-mounted multimedia devices are
added to a multicast group. As the train moves ahead, the active link changes frequently. Only
the trackside AP and vehicle-mounted AP are aware of the link change. Other ground devices
such as switches connected to trackside APs cannot detect the change and fail to forward
multicast data. To resolve the problem, IGMP snooping is enabled on the vehicle-mounted AP
and ground devices to generate Layer 2 multicast forwarding entries. After switching the
active link to a new trackside AP, the vehicle-mounted AP sends a Report message to the
trackside AP. The trackside AP forwards the message to the ground device, which then
updates the multicast forwarding table accordingly. To prevent loss of multicast packets
during a link handover, the vehicle-mounted AP still receives multicast data from the old
trackside AP before the multicast flow is switched to the new trackside AP. After receiving
multicast data from the new trackside AP, the vehicle-mounted AP sends a Leave message to
the old trackside AP. The old trackside AP forwards the Leave message to the ground device,
which then stops sending multicast data to the old trackside AP. This mechanism ensures
seamless switching of multicast data.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run igmp-snooping enable
IGMP snooping is enabled globally.

NOTE
After IGMP snooping is enabled globally, the device can process IGMPv1, IGMPv2, and IGMPv3 packets.

Step 3 Run vlan vlan-id
The VLAN view is displayed.
Step 4 Run igmp-snooping enable
IGMP snooping is enabled in the VLAN.

----End

16.8.9 Verifying the Vehicle-Mounted AP Configuration

Prerequisites
The vehicle-ground fast link handover configuration is complete.

Procedure
● Run the display references mesh-profile name profile-name command to check
reference information of a specified Mesh profile.

● Run the display mesh-profile { all | name profile-name } command to check
information about a Mesh profile.
● Run the display references mesh-whitelist-profile name whitelist-name command to
check reference information of a specified Mesh whitelist profile.
● Run the display mesh-whitelist-profile { all | name whitelist-name } command to check
information about a Mesh whitelist profile.
● Run the display references mesh-handover-profile name profile-name command to
check information about Mesh profiles by which a specified Mesh handover profile is
referenced.
● Run the display mesh-handover-profile { all | name profile-name } command to check
configuration and reference information about a Mesh handover profile.
● Run the display mesh-proxy-equip command to check devices that use the vehicle-mounted
AP as a proxy device.
----End

16.9 Monitoring Vehicle-Ground Fast Link Handover


Procedure
● Run the display mesh vap { ap-group ap-group-name | ap-id ap-id [ radio radio-id ] |
ap-name ap-name [ radio radio-id ] } [ mesh-id mesh-id ] command to check
information about Mesh VAPs.
● Run the display mesh vap { all | mesh-id mesh-id } command to check information
about Mesh VAPs of a specified Mesh ID or all Mesh IDs.
● Run the display wlan mesh link { all | ap-id ap-id [ radio radio-id ] | ap-name ap-name
[ radio radio-id ] | mesh-profile profile-name } command to check information
about Mesh links.
● Run the display mesh-neighbor-rssi [ ap-name ap-name radio radio-id | ap-id ap-id
radio radio-id ] [ max-neighbor-number max-number ] command to check RSSI
information collected by an AP.
----End

16.10 Configuration Examples for Vehicle-Ground Fast Link Handover

16.10.1 Example for Configuring Vehicle-Ground Fast Link Handover


Networking Requirements
A rail transportation enterprise needs to implement vehicle-ground communications through
WLAN technology to reduce network deployment costs and better serve passengers. By
leveraging the WLAN, the enterprise expects that multicast servers on the ground network
can deliver multimedia information services to passengers. As shown in Figure 16-10,
trackside APs are deployed along rail line 1 of the enterprise. The AC on the ground network
communicates with the trackside APs in wired mode at Layer 2. A vehicle-mounted AP is
deployed in the front and rear of a train. When the train is running, only the vehicle-mounted
AP in the front works. The vehicle-mounted AP in the rear is in the dormant state. After the
train arrives at the destination, it switches the forward direction. The working vehicle-
mounted AP changes accordingly. The vehicle-mounted AP sets up wireless links with the
trackside APs, allowing the multicast servers on the ground network to offer passengers
multimedia information services.

Figure 16-10 Networking diagram for configuring vehicle-ground fast link handover
[Figure: the Internet; Router (GE1/0/0, IP: 10.23.200.1/24); AC (GE1/0/1 to GE1/0/5; GE1/0/5,
VLANIF200: 10.23.200.2/24; management VLAN: VLANIF100, IP: 10.23.100.1/20; MAC: 707b-e8e9-d328);
multicast source (IP: 10.23.224.3, MAC: 286e-d488-b6ab); network management device
(IP: 10.23.224.2, MAC: 286e-d488-12cd); Switch_B and Switch_C (GE1/0/1, GE1/0/2); trackside APs
L1_001, L1_003, L1_010, L1_150, L1_160, and L1_170; vehicle-mounted APs in the rear and in the
front (GE0/0/1); vehicle-mounted terminal_1 (MAC: 286e-d488-d359) and vehicle-mounted
terminal_2 (MAC: 286e-d488-d270); the forward direction of the train; and a legend for active
and candidate Mesh links.]

Configuration Roadmap
1. Configure the ground network to enable Layer 2 communications between trackside APs
and the AC.

2. Configure multicast services on ground network devices to enable proper multicast data
forwarding on the ground network.
3. Configure vehicle-ground fast link handover on trackside and vehicle-mounted APs so
that the vehicle-mounted AP can set up Mesh connections with the trackside APs.
4. Configure the vehicle-mounted network to enable intra-network data communications.

NOTE

● This example uses Huawei AP9131DNs (Fit APs) as the trackside APs and AP9131DNs (Fat APs)
as the vehicle-mounted APs.
● Switches and routers used in this example are all Huawei products.

Table 16-4 AP data required for completing the configuration

AP                                  Model       MAC
Trackside AP (L1_001)               AP9131DN    0046-4b59-1d10
Trackside AP (L1_003)               AP9131DN    0046-4b59-1d20
Trackside AP (L1_010)               AP9131DN    0046-4b59-1d30
Trackside AP (L1_150)               AP9131DN    0046-4b59-1d40
Trackside AP (L1_160)               AP9131DN    0046-4b59-1d50
Trackside AP (L1_170)               AP9131DN    0046-4b59-1d60
……
Vehicle-mounted AP (in the front)   AP9131DN    0046-4b59-2e10
Vehicle-mounted AP (in the rear)    AP9131DN    0046-4b59-2e20
……

Table 16-5 Data required for completing the configuration

Item                                      Data

Management VLAN                           VLAN 100

Multicast service VLAN                    VLAN 101

Gateway address                           IP address of VLANIF 101 on AC: 10.23.224.1/24

DHCP server                               The AC functions as a DHCP server to allocate IP addresses
                                          to trackside APs and vehicle-mounted terminals.

IP address pool for APs                   10.23.100.2-10.23.100.254/24

IP address pool for vehicle-mounted       10.23.224.4-10.23.224.254/24
terminals

AC's source interface address             VLANIF 100: 10.23.100.1/24

AP group to which trackside APs           Name: mesh-mpp
belong

ID of trackside APs                       ● Trackside AP (L1_001): 1
                                          ● Trackside AP (L1_003): 2
                                          ● Trackside AP (L1_010): 3
                                          ● Trackside AP (L1_150): 101
                                          ● Trackside AP (L1_160): 102
                                          ● Trackside AP (L1_170): 103

Security profile                          ● Name: sp01
                                          ● Security policy: WPA2+PSK+AES
                                          ● Password type: PASS-PHRASE
                                          ● Authentication key: a1234567

Mesh profile                              Trackside APs:
                                          ● Name: mesh-net
                                          ● Identifier: mesh-net
                                          Vehicle-mounted APs:
                                          ● Name: mesh-net
                                          ● Identifier: mesh-net

Mesh handover profile                     Trackside APs:
                                          ● Name: hand-over
                                          Vehicle-mounted APs:
                                          ● Name: hand-over

Mesh whitelist on trackside APs           Name: whitelist01
                                          Add MAC addresses of all vehicle-mounted APs on trains
                                          running on the rail to the whitelist according to actual
                                          situations.

Mesh whitelist on vehicle-mounted APs     Name: whitelist01
                                          Add MAC addresses of all trackside APs along the rail line
                                          to the whitelist according to actual situations.

MAC address of the proxied ground         ● Gateway: 707b-e8e9-d328
device                                    ● Network management device: 286e-d488-12cd
                                          ● Multicast source: 286e-d488-b6ab

MAC address of the proxied                ● Vehicle-mounted terminal_1: 286e-d488-d359
vehicle-mounted device                    ● Vehicle-mounted terminal_2: 286e-d488-d270

Multicast group                           225.1.1.1-225.1.1.3

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.

● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
● Configure ground network devices.
a. Configure the AC. Create VLAN 100, VLAN 101, and VLAN 200 on the AC, add
interfaces GE0/0/1 to GE0/0/4 to VLAN 101, and configure these interfaces to
allow packets from VLAN 101 to pass through. Set PVIDs of GE0/0/3 and GE0/0/4
to VLAN 101. Add GE0/0/5 to VLAN 200, set its PVID to VLAN 200, and
configure GE0/0/5 to allow packets from VLAN 200 to pass through. Configure
GE0/0/1 and GE0/0/2 to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101 200
[AC] interface gigabitEthernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitEthernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/2] quit
[AC] interface gigabitEthernet 0/0/3
[AC-GigabitEthernet0/0/3] port link-type trunk
[AC-GigabitEthernet0/0/3] port trunk pvid vlan 101
[AC-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/3] quit
[AC] interface gigabitEthernet 0/0/4
[AC-GigabitEthernet0/0/4] port link-type trunk
[AC-GigabitEthernet0/0/4] port trunk pvid vlan 101
[AC-GigabitEthernet0/0/4] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/4] quit
[AC] interface gigabitEthernet 0/0/5
[AC-GigabitEthernet0/0/5] port link-type trunk
[AC-GigabitEthernet0/0/5] port trunk pvid vlan 200
[AC-GigabitEthernet0/0/5] port trunk allow-pass vlan 200
[AC-GigabitEthernet0/0/5] quit

b. On the AC, configure an IP address for VLANIF 101 and enable the DHCP server
function to allocate IP addresses for vehicle-mounted devices.
[AC] dhcp enable
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.224.1 20
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
[AC-Vlanif101] quit

c. On the AC, configure an IP address for VLANIF 100 and enable the DHCP server
function to allocate IP addresses to trackside APs.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 20
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

d. Configure an IP address for VLANIF 200 on AC and specify the IP address of
GE1/0/0 on the router as the next hop address of the default route so that packets
from the vehicle-ground communication network can be forwarded to the egress
router.
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.2 24
[AC-Vlanif200] quit
[AC] ip route-static 0.0.0.0 0 10.23.200.1

e. Configure an IP address for GE1/0/0 on the router and configure routes to the
internal network segment, with the next hop address 10.23.200.2.
<Huawei> system-view
[Huawei] sysname Router
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.23.200.1 24
[Router-GigabitEthernet1/0/0] quit
[Router] ip route-static 10.23.224.0 20 10.23.200.2
[Router] ip route-static 10.23.100.0 20 10.23.200.2

NOTE
You can configure routes to external networks and the NAT function on the egress router
according to service requirements to ensure normal communications between internal and
external networks.
f. Configure Switch_B and Switch_C to enable Layer 2 communications between
trackside APs and the ground network.

# On Switch_B, create VLAN 100 and VLAN 101, configure GE0/0/2 and GE0/0/1
to allow packets from VLAN 100 and VLAN 101 to pass through, and set the PVID
of GE0/0/1 to VLAN 100 (management VLAN for trackside APs).
NOTE
Configure other interfaces connected to trackside APs on Switch_B according to GE0/0/1: allow
packets from VLAN 100 and VLAN 101 to pass through and set their PVIDs to VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 101
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/2] quit
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_B-GigabitEthernet0/0/1] quit

# On Switch_C, create VLAN 100 and VLAN 101, and configure GE0/0/2 and
GE0/0/1 to allow packets from VLAN 100 and VLAN 101 to pass through, and set
the PVID of GE0/0/1 to VLAN 100.
NOTE
Configure other interfaces connected to trackside APs on Switch_C according to GE0/0/1: allow
packets from VLAN 100 and VLAN 101 to pass through and set their PVIDs to VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 101
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/2] quit
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch_C-GigabitEthernet0/0/1] quit

g. Enable Layer 2 multicast on AC, Switch_B, and Switch_C to allow them to
properly forward multicast data.

# Enable IGMP snooping globally on AC.


[AC] igmp-snooping enable


# Enable IGMP snooping in VLAN 101 on AC.


[AC] vlan 101
[AC-vlan101] igmp-snooping enable
[AC-vlan101] quit

# Configure multicast group filter policies on AC.


[AC] acl 2000
[AC-acl-basic-2000] rule permit source 225.1.1.1 0
[AC-acl-basic-2000] rule permit source 225.1.1.2 0
[AC-acl-basic-2000] rule permit source 225.1.1.3 0
[AC-acl-basic-2000] quit

# Apply the multicast group filter policies in VLAN 101 on AC.


[AC] vlan 101
[AC-vlan101] igmp-snooping group-policy 2000
[AC-vlan101] quit

NOTE
Complete multicast configuration on Switch_B and Switch_C according to the multicast
configuration procedure of AC.

# Configure the fast leave function on Switch_B and Switch_C.

NOTICE
If trackside APs are directly connected to the switches and Layer 2 multicast is
configured, enabling the fast leave function improves the quality of multicast
services. If the trackside APs are not directly connected to the switches or Layer 3
multicast is configured, you cannot configure the fast leave function because this
function may interrupt multicast services.

[Switch_B] vlan 101
[Switch_B-vlan101] igmp-snooping prompt-leave group-policy 2000
[Switch_C] vlan 101
[Switch_C-vlan101] igmp-snooping prompt-leave group-policy 2000

h. Configure the AP group, country code, and AC's source interface.


# Create the AP group mesh-mpp and add trackside APs that require the same
configuration to the group.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit

[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Add trackside APs to the AP group mesh-mpp.


NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 0046-4b59-1d10
[AC-wlan-ap-1] ap-name L1_001
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 0046-4b59-1d20
[AC-wlan-ap-2] ap-name L1_003
[AC-wlan-ap-2] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 0046-4b59-1d30
[AC-wlan-ap-3] ap-name L1_010
[AC-wlan-ap-3] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 101 ap-mac 0046-4b59-1d40
[AC-wlan-ap-101] ap-name L1_150
[AC-wlan-ap-101] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 0046-4b59-1d50
[AC-wlan-ap-102] ap-name L1_160
[AC-wlan-ap-102] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac 0046-4b59-1d60
[AC-wlan-ap-103] ap-name L1_170
[AC-wlan-ap-103] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit

i. Configure the trackside APs' uplink wired interfaces to allow packets from VLAN
101 to pass through.
# Configure the wired port profile wired-port and add the wired interfaces to
VLAN 101 in tagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit

# Bind the wired port profile wired-port to the AP group mesh-mpp.


[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit


j. Configure Mesh parameters.

# Create the Mesh whitelist whitelist01 and add MAC addresses of
vehicle-mounted APs to the Mesh whitelist.
[AC-wlan-view] mesh-whitelist name whitelist01
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e10
[AC-wlan-mesh-whitelist-whitelist01] peer-ap mac 0046-4b59-2e20
[AC-wlan-mesh-whitelist-whitelist01] quit

NOTE
Add MAC addresses of vehicle-mounted APs on other trains to the Mesh whitelist whitelist01
according to the preceding procedure.

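# Configure the security profile sp01 used by Mesh links. The Mesh network
supports only the security policy WPA2+PSK+AES. The pass-phrase a1234567 is an
example value; use a strong pass-phrase of your own in a deployment.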
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-sp01] quit

# Configure the Mesh role. Set the Mesh role of trackside APs to mesh-portal
through the AP system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit

# Configure the Mesh handover profile hand-over and enable the location-based
fast link handover algorithm.
[AC-wlan-view] mesh-handover-profile name hand-over
[AC-wlan-mesh-handover-hand-over] location-based-algorithm enable
[AC-wlan-mesh-handover-hand-over] quit

# Configure the Mesh profile. Set the ID of the Mesh network to mesh-net and
apply the security profile and Mesh handover profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net
[AC-wlan-mesh-prof-mesh-net] security-profile sp01
[AC-wlan-mesh-prof-mesh-net] mesh-handover-profile hand-over
[AC-wlan-mesh-prof-mesh-net] quit

k. Apply the Mesh parameters to radios of trackside APs.

# Configure the radio and channel used by trackside APs and apply the Mesh
whitelist, Mesh profile, and AP system profile.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile whitelist01
[AC-wlan-group-radio-mesh-mpp/1] mesh-profile mesh-net
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit

● Configure vehicle-mounted network devices.

NOTE
For the configurations for the vehicle-mounted APs on the vehicle head and tail, see Configuration
Guide - Vehicle-Ground Fast Link Handover in Fat AP & Cloud AP Product Documentation or Fat
AP & Cloud AP V200R007C20 Product Documentation.

● Verify the configuration.


# After vehicle-ground fast link handover configuration is complete, run the display
wlan mesh link all command on the AC to view Mesh connections between trackside
and vehicle-mounted APs.
<AC> display wlan mesh link all
Rf   : radio ID        Dis  : coverage distance(100m)
Ch   : channel         Per  : drop percent(%)
TSNR : total SNR(dB)   P-   : peer
Mesh : Mesh mode       Re   : retry ratio(%)
RSSI : RSSI(dBm)       MaxR : max RSSI(dBm)
----------------------------------------------------------------------------------------------------------
APName  P-APName  P-APMAC         Rf  Dis  Ch   Mesh    P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~3:dB)
----------------------------------------------------------------------------------------------------------
L1_001  AP        0046-4b59-2e10  1   3    157  portal  -         -51   -38   0    0   47    39/47/-/-
L1_003  AP        0046-4b59-2e10  1   3    157  portal  -         -59   -7    0    0   50    19/14/37/-
L1_010  AP        0046-4b59-2e10  1   3    157  portal  -         -45   -33   0    0   37    20/17/17/-
L1_150  AP        0046-4b59-2e10  1   3    157  portal  -         -54   -39   0    0   46    34/43/-/-
L1_160  AP        0046-4b59-2e10  1   3    157  portal  -         -52   -7    0    0   32    21/18/35/-
L1_170  AP        0046-4b59-2e10  1   3    157  portal  -         -42   -33   0    0   29    26/14/19/-
----------------------------------------------------------------------------------------------------------
Total: 6

# Run the display mesh-neighbor-rssi command on the AC to view RSSI information
of trackside APs.
[AC-wlan-view] display mesh-neighbor-rssi
AP name/MAC/Radio/Location-ID  Neighbor AP/MAC/Location-ID  RSSI  Update Time
------------------------------------------------------------------------------
L1_001/0046-4b59-1d10/1/1      -/00bc-da3f-e900/-           -44   18:08:21
L1_003/0046-4b59-1d20/1/3      -/00bc-da3f-e900/-           -50   18:08:20
L1_010/0046-4b59-1d30/1/10     -/00bc-da3f-e900/-           -28   18:08:21
L1_150/0046-4b59-1d40/1/150    -/0046-4b59-2e10/-           -43   18:08:20
L1_160/0046-4b59-1d50/1/160    -/0046-4b59-2e10/-           -47   18:08:21
L1_170/0046-4b59-1d60/1/170    -/0046-4b59-2e10/-           -38   18:08:21
------------------------------------------------------------------------------
Total: 6

----End

Configuration Files
● Ground network devices
– Router configuration file
#
sysname Router
#
interface GigabitEthernet1/0/0
ip address 10.23.200.1 255.255.255.0
#
ip route-static 10.23.100.0 255.255.240.0 10.23.200.2
ip route-static 10.23.224.0 255.255.240.0 10.23.200.2
#
return
– Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
– Switch_C configuration file
#
sysname Switch_C
#
vlan batch 100 to 101
#
igmp-snooping enable
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
igmp-snooping prompt-leave group-policy 2000
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
return
– AC configuration file
#
sysname AC
#
vlan batch 100 to 101 200
#
igmp-snooping enable
#
dhcp enable
#
acl number 2000
rule 5 permit source 225.1.1.1 0
rule 10 permit source 225.1.1.2 0
rule 15 permit source 225.1.1.3 0
#
vlan 101
igmp-snooping enable
igmp-snooping group-policy 2000
#
interface Vlanif100
ip address 10.23.100.1 255.255.240.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.224.1 255.255.240.0
dhcp select interface
dhcp server excluded-ip-address 10.23.224.2 10.23.224.3
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 101
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 200
port trunk allow-pass vlan 200
#
ip route-static 0.0.0.0 0.0.0.0 10.23.200.1
#
capwap source interface vlanif100
#
wlan
security-profile name sp01
security wpa2 psk pass-phrase %^%#g^Rs#om$z!uIXX;5P9W.#&g;"F4a6[$CJ$w2s]bhH%^%# aes
mesh-handover-profile name hand-over
location-based-algorithm enable
mesh-whitelist-profile name whitelist01
peer-ap mac 0046-4b59-2e10
peer-ap mac 0046-4b59-2e20
mesh-profile name mesh-net
mesh-handover-profile hand-over
security-profile sp01
mesh-id mesh-net
regulatory-domain-profile name domain1
ap-system-profile name mesh-sys
mesh-role mesh-portal
wired-port-profile name wired-port
vlan tagged 101
ap-group name mesh-mpp
ap-system-profile mesh-sys
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile whitelist01
channel 40mhz-plus 157
ap-id 1 ap-mac 0046-4b59-1d10
ap-name L1_001
ap-group mesh-mpp
ap-id 2 ap-mac 0046-4b59-1d20
ap-name L1_003
ap-group mesh-mpp
ap-id 3 ap-mac 0046-4b59-1d30
ap-name L1_010
ap-group mesh-mpp
ap-id 101 ap-mac 0046-4b59-1d40
ap-name L1_150
ap-group mesh-mpp
ap-id 102 ap-mac 0046-4b59-1d50
ap-name L1_160
ap-group mesh-mpp
ap-id 103 ap-mac 0046-4b59-1d60
ap-name L1_170
ap-group mesh-mpp
#
return

● Vehicle-mounted network devices


N/A
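
A consistency check for the binding chain built in steps j and k (security profile and Mesh handover profile into the Mesh profile, then Mesh profile and Mesh whitelist onto the AP group radio), added here as an example and not a Huawei tool. It reads text in the configuration-file format shown above; the sample input is constructed and contains three deliberate faults.

```python
import re

DEF_RE = re.compile(r"^(\S+-profile) name (\S+)")        # profile definition
REF_RE = re.compile(r"^(\S+-profile) (?!name\s)(\S+)")   # profile binding
ACL_RE = re.compile(r"^acl number (\d+)")
POLICY_RE = re.compile(r"^igmp-snooping (?:prompt-leave )?group-policy (\d+)")
RADIO_RE = re.compile(r"^radio \d+$")

# Constructed sample in the style of the AC configuration file above. Faults:
# group-policy 2001 has no ACL, "sp1" is a misspelled security profile, and
# radio 1 binds the Mesh profile without a Mesh whitelist.
SAMPLE = """\
acl number 2000
 rule 5 permit source 225.1.1.1 0
vlan 101
 igmp-snooping enable
 igmp-snooping group-policy 2001
wlan
 security-profile name sp01
 mesh-handover-profile name hand-over
 mesh-whitelist-profile name whitelist01
  peer-ap mac 0046-4b59-2e10
 mesh-profile name mesh-net
  mesh-handover-profile hand-over
  security-profile sp1
  mesh-id mesh-net
 ap-system-profile name mesh-sys
 ap-group name mesh-mpp
  ap-system-profile mesh-sys
  radio 1
   mesh-profile mesh-net
   channel 40mhz-plus 157
"""


def audit(config: str):
    """Return a list of findings for a configuration text (indentation is ignored)."""
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln and ln != "#"]
    defined = {m.groups() for m in map(DEF_RE.match, lines) if m}
    acls = {m.group(1) for m in map(ACL_RE.match, lines) if m}

    findings, group, radio, bound = [], None, None, set()
    for ln in lines + ["return"]:              # sentinel flushes the last radio
        starts_block = (RADIO_RE.match(ln) or DEF_RE.match(ln) or ln == "return"
                        or ln.startswith(("ap-group name ", "ap-id ")))
        if starts_block:
            # Leaving a radio view: the procedure binds both Mesh profile and whitelist.
            if radio and "mesh-profile" in bound and "mesh-whitelist-profile" not in bound:
                findings.append(f"ap-group {group} {radio}: mesh-profile bound "
                                "without a mesh-whitelist-profile")
            radio, bound = (ln if RADIO_RE.match(ln) else None), set()
            if ln.startswith("ap-group name "):
                group = ln.split()[2]
            continue
        ref = REF_RE.match(ln)
        if ref:
            if ref.groups() not in defined:
                findings.append(f"undefined {ref.group(1)} '{ref.group(2)}'")
            if radio:
                bound.add(ref.group(1))
        pol = POLICY_RE.match(ln)
        if pol and pol.group(1) not in acls:
            findings.append(f"group-policy references undefined acl {pol.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running the same function over the AC configuration file listed above should return no findings, because every binding there resolves and radio 1 carries both the Mesh profile and the Mesh whitelist.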


17 Wi-Fi Tag Location Configuration

17.1 Overview of Wi-Fi Tag Location


Definition
With Wi-Fi tag location technology, a location system can help physically locate Wi-Fi tags
through a WLAN. APs collect and send information about Wi-Fi tags to a location server,
which computes the physical locations of the tags. Then the location server transmits location
data to a third-party device to allow an administrator to check the tag locations on the map.

Purpose
After the Wi-Fi tag is deployed on targets such as assets and persons, Wi-Fi tag location
technology allows users to locate the Wi-Fi tag, helping users control key assets and ensure
security of persons.

17.2 Understanding Wi-Fi Tag Location


Concepts
As shown in Figure 17-1, the tag location system includes at least three APs, one or more
Wi-Fi tags, one or more ACs, a location server, and a location display terminal. Functions of
each component are as follows:
● Wi-Fi tag: is manufactured by tag vendors to generate signals. For example, AeroScout
manufactures Wi-Fi tags that are often placed on or pasted to the objects to be located. The
tag is a source device that needs to be located and can periodically send radio waves to
surrounding devices.
● AP: receives location information sent by a Wi-Fi tag and forwards the information to
the AC or directly sends it to a location server.
● AC: forwards the configuration instruction from the location server to APs. It can also
forward location information received from an AP to the location server.
● Location server: computes the Wi-Fi tag location using a location algorithm (for
example, three-point location) after receiving the location information, and provides the
computed data to user systems, including the system management software and image
software.

Figure 17-1 Typical networking for the Wi-Fi Tag location system
[Figure: networking diagram showing the Internet, location server, AC, switch, AP1, AP2, AP3, and an RFID tag]

Implementation

Figure 17-2 Working mechanism of the Wi-Fi Tag location system
[Figure: the RFID tag sends a tag message (wireless packets sent by tags) to the AP; the AP sends a tag report (tag information encapsulated by the AP, UDP encapsulation) through the switch and AC to the location server]

Figure 17-2 shows how wireless location is implemented.


1. The Wi-Fi tag sends a tag message.
The Wi-Fi tag only sends 802.11 frames periodically to provide location information and
does not need to connect to a WLAN.
To enable more APs to receive tag messages, the Wi-Fi tag sends a tag message on all
channels each time. A tag message usually contains the location information required by a
location server, and the frame format of the tag message varies depending on the
tag vendor. An AeroScout tag is used as an example here.
– The Address1 field indicates the destination address, which is a specified multicast
address. The AP identifies an 802.11 packet as a tag message through the multicast
address.
– The Address2 field indicates the source address, which is the MAC address of the
Wi-Fi tag. According to this field, the wireless location system collects information
about the same Wi-Fi tag that is received from different APs.
– The Address3 field indicates Wi-Fi tag information. The most important
information in this field is about the channel that transmits the tag message. The AP
determines whether the channel information in the received tag message matches its
working channel.
For details about the 802.11 MAC frame format, see 5.2.2 802.11 Standards.
2. The AP receives the tag message and forwards it to the location server.
a. When receiving a tag message frame, the AP records the location information such
as the received signal strength indicator (RSSI), timestamp, rate, and channel of the
frame. The RSSI is the most important information because the location server uses
it to determine the distance between a tag and an AP. To ensure that the RSSI is
accurate, the AP must filter out the tag messages received from adjacent channels.
For example, when working on channel 1, the AP may receive frames that a tag
sent on channel 2. The RSSI of these frames is low because the AP and the tag are
on different channels. As a result, the location server would incorrectly conclude
that the tag is far away from the AP.
b. The AP encapsulates all location information obtained from tag message frames
into a UDP packet (tag report) and sends the packet to the location server directly or
through the AC.
The required location information and report mode vary depending on the vendor's
location server. For example, the Ekahau Location Server requires that the location
information should contain content of the tag message frames and the AP should
report tag message frames immediately when receiving them; the AeroScout
Location Server does not need content of the tag message frames and allows the AP
to periodically report collected location information.
The destination IP address and port number of a tag report packet are configured on
the AC. If the destination address is set to the IP address of the location server, the
tag report packet is directly sent to the location server. If the destination address is
set to the AC IP address, the tag report packet is sent to the AC and forwarded by
the AC to the location server. This configuration is used when the AP cannot be
directly connected to the location server.
3. The location server computes the location information.
To accurately determine the tag location, the location server must receive location
information about a tag from at least three APs. After receiving the tag information, the
location server uses the built-in computing algorithm to compute the tag location
according to information including the RSSI, SNR, radio mode, the imported map, and
AP locations. Then, the location server sends the location information to the graphical
interface of the third-party device for presentation.
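
The three steps above as an added example (not Huawei's or a tag vendor's code): the AP keeps only frames whose Address1 is the tag multicast address and whose channel matches its working channel, packs a tag report, and the location server computes a three-point location once three APs have reported the same tag. The multicast address, the position of the channel byte in Address3, the report layout, and the path-loss parameters are constructed assumptions.

```python
import struct
from collections import defaultdict

# Constructed assumptions for this example (not a vendor frame or report format):
TAG_MCAST = bytes.fromhex("01aabb000000")  # placeholder tag multicast address
REPORT_FMT = "!6s6sbB"                     # AP MAC, tag MAC, RSSI (dBm), channel
RSSI_AT_1M, PATH_LOSS_EXP = -40.0, 2.0     # log-distance path-loss parameters


def build_tag_frame(tag_mac: bytes, channel: int) -> bytes:
    """Build a minimal 24-byte 802.11 MAC header used as sample input."""
    addr3 = bytes(5) + bytes([channel])    # assumed: channel in last byte of Address3
    return b"\x08\x00" + b"\x00\x00" + TAG_MCAST + tag_mac + addr3 + b"\x00\x00"


def ap_tag_report(ap_mac, working_channel, frame, rssi_dbm):
    """AP side: return the UDP payload of a tag report, or None to ignore the frame."""
    if len(frame) < 24:
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    if addr1 != TAG_MCAST:                 # Address1 is not the tag multicast address
        return None
    if addr3[5] != working_channel:        # sent on another channel: the low RSSI
        return None                        # would overstate the distance
    return struct.pack(REPORT_FMT, ap_mac, addr2, rssi_dbm, working_channel)


def rssi_to_distance(rssi_dbm: float) -> float:
    """Distance in metres from RSSI under the assumed path-loss model."""
    return 10 ** ((RSSI_AT_1M - rssi_dbm) / (10 * PATH_LOSS_EXP))


class LocationServer:
    def __init__(self, ap_positions):
        self.ap_positions = ap_positions   # AP MAC -> (x, y) in metres
        self.reports = defaultdict(dict)   # tag MAC (Address2) -> {AP MAC: RSSI}

    def receive(self, payload: bytes) -> None:
        ap_mac, tag_mac, rssi, _channel = struct.unpack(REPORT_FMT, payload)
        if ap_mac in self.ap_positions:    # only APs with a known position are usable
            self.reports[tag_mac][ap_mac] = rssi

    def locate(self, tag_mac: bytes):
        """Three-point location; None until three APs have reported the tag."""
        seen = self.reports.get(tag_mac, {})
        if len(seen) < 3:
            return None
        aps = sorted(seen, key=seen.get, reverse=True)[:3]   # three strongest
        (x1, y1), (x2, y2), (x3, y3) = (self.ap_positions[m] for m in aps)
        d1, d2, d3 = (rssi_to_distance(seen[m]) for m in aps)
        # Subtract circle 1 from circles 2 and 3 to get two linear equations.
        a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
        a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
        b1 = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
        b2 = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
        det = a11 * a22 - a12 * a21
        if abs(det) < 1e-9:
            raise ValueError("APs are collinear; position is ambiguous")
        return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - b1 * a21) / det)


def run_sample():
    """Constructed scenario: three APs on channel 2 and one AP on channel 1."""
    tag = bytes.fromhex("00aabbccdd01")
    positions = [(0, 0), (10, 0), (0, 10), (10, 10)]
    aps = {bytes([0, 0, 0, 0, 0, i]): pos for i, pos in enumerate(positions, start=1)}
    server = LocationServer(aps)
    frame = build_tag_frame(tag, channel=2)          # tag message sent on channel 2
    # (AP index, AP working channel, RSSI measured for this frame) - constructed
    heard = [(1, 2, -54), (2, 2, -58), (3, 2, -57), (4, 1, -85)]
    dropped = 0
    for idx, channel, rssi in heard:
        payload = ap_tag_report(bytes([0, 0, 0, 0, 0, idx]), channel, frame, rssi)
        if payload is None:
            dropped += 1
        else:
            server.receive(payload)
    return server.locate(tag), dropped


if __name__ == "__main__":
    print(run_sample())
```

In the sample the tag sits near (3, 4); the estimate differs slightly because the RSSI values are whole dBm, and the AP on channel 1 contributes nothing because its reading is filtered out.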


17.3 Application Scenarios for Wi-Fi Tag Location


Enterprise users in industries such as healthcare, oil, gas, and mining need to monitor and
locate key assets and ensure the security of persons. Users can deploy Wi-Fi tags on targets to
locate them, helping enterprises improve security and efficiency, as shown in Figure 17-3.

Figure 17-3 Typical networking for the Wi-Fi tag location system
[Figure: networking diagram showing the Internet, location server, AC, switch, AP1, AP2, AP3, and an RFID tag]

17.4 Licensing Requirements and Limitations for WLAN Tag Location
Involved Network Elements
AP
● APs mentioned in this document are Huawei AP products. You are advised to use
Huawei APs to connect to the AC.
● You can run the display ap-type all command to check the default AP types supported
by the device.
● When central APs and RUs are used, ensure that their versions are the same. For
example, if the central AP version is V200R007C10, the RU version must be
V200R007C10.

Table 17-1 Mapping between switch versions and AP versions

Product Software Version    AP Software Version
------------------------    ---------------------------------------------------
V200R012C00                 V200R009C00, V200R008C10, V200R008C00, V200R007C20,
                            V200R007C10, V200R006C20, V200R006C10
V200R011C10                 V200R008C10, V200R008C00, V200R007C20, V200R007C10,
                            V200R006C20, V200R006C10
V200R011C00                 V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00                 V200R007C10, V200R006C20, V200R006C10
V200R009C00                 V200R006C20, V200R006C10
V200R008C00                 V200R005C30, V200R005C20, V200R005C10
V200R007                    V200R005C20, V200R005C10
V200R006                    V200R005C00

Location server
● Computes the RFID tag location using a location algorithm (for example, three-point
positioning) after receiving the location information and provides the computed data to
user systems, including the system management software and image software.

Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
● AP resource license-16AP for WLAN access controller
● AP resource license-64AP for WLAN access controller
● AP resource license-128AP for WLAN access controller
● AP resource license-512AP for WLAN access controller

For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.

Version Requirements

Table 17-2 Products and minimum version supporting WLAN location

Series                   Product Model       Minimum Version Required
---------------------    ----------------    ------------------------
S1700 series switches    -                   Not supported
S2700 series switches    -                   Not supported
S3700 series switches    -                   Not supported
S5700 series switches    S5720HI, S5730HI    S5720HI: V200R006
                                             S5730HI: V200R012
S6700 series switches    S6720HI             V200R012

Feature Limitations
WLAN Location of AeroScout Tags and AeroScout MUs
● The AP9330DN does not support Tag location.
● The AP3010DN-AGN, AP6310SN-GN, and AP9330DN do not support AeroScout MU
location.
● When configuring the AC as the destination to which the AP reports location
information:
– Configure the port number used by the AC to communicate with the AeroScout
location server.
– Ensure that the port number configured on the AeroScout location server is the
same as that used by the AC to communicate with the AeroScout location server.
● When configuring the AeroScout location server as the destination to which the AP
reports location information, ensure that the port number used by the AP to report
location information is the same as that configured on the AeroScout location server.
● The port number used by the AP to report location information cannot be the same as
that used by the AC to communicate with the location server.
● If the location server runs the Linux system and has URPF enabled, the server must be
able to successfully ping the source IP address that the AC uses to send packets.
WLAN Location of Ekahau Tags
● The AP9330DN does not support Tag location.
● When configuring the AC as the destination to which the AP reports location
information:
– Configure the port number used by the AC to communicate with the Ekahau
location server and the IP address of the Ekahau location server on the AC.
– Ensure that the port number configured on the Ekahau location server is the same as
that used by the AC to communicate with the Ekahau location server.
● When configuring the Ekahau location server as the destination to which the AP reports
location information, ensure that the port number used by the AP to report location
information is the same as that configured on the Ekahau location server.
● The port number used by the AP to report location information cannot be the same as
that used by the AC to communicate with the location server.
● If the location server runs the Linux system and has URPF enabled, the server must be
able to successfully ping the source IP address that the AC uses to send packets.


17.5 Summary of Wi-Fi Tag Location Configuration Tasks


Table 17-3 WLAN tag location configuration tasks

Scenario: Wi-Fi tag location

Description:
A Wi-Fi tag is a signal generator manufactured by tag vendors to carry wireless
location system data. Wi-Fi tags are attached to objects to be located. The WLAN
and Location Server can locate the objects based on the tags.
The device can locate AeroScout and Ekahau Wi-Fi tags.
● On a WLAN network, APs can monitor information sent by AeroScout tags and
report the information to the AeroScout Location Server directly or through the
AC. The AeroScout Location Server then computes the tag location.
● On a WLAN network, APs can monitor information sent by Ekahau tags and
report the information to the Ekahau Location Server directly or through the
AC. The Ekahau Location Server then computes the tag location.

Task:
● If the AeroScout location server is used, refer to 17.7.1 Configuring WLAN
Location for AeroScout Tags for details.
● If the Ekahau location server is used, refer to 17.7.2 Configuring WLAN
Location for Ekahau Tags for details.

17.6 Default Settings for Wi-Fi Tag Location


Table 17-4 Default settings for AeroScout Tag location

Parameter                                                                       Default Setting
----------------------------------------------------------------------------    ---------------
Wi-Fi tag location for AeroScout tags                                           Disabled
Port number used by the AC to communicate with the AeroScout Location Server    Unspecified
Port number used by an AP to communicate with the AeroScout Location Server     Unspecified
Destination to which an AP reports tag information                              Unspecified
Packet aggregation interval for AeroScout Tag                                   6553.5 s
Destination to which an AP reports channel scan information                     Unspecified
Port number used by an AP to report channel scan information                    Unspecified

Table 17-5 Default settings for Ekahau Tag location

Parameter                                                                       Default Setting
----------------------------------------------------------------------------    ---------------
Wi-Fi tag location for Ekahau tags                                              Disabled
Port number used by the AC to communicate with the Ekahau Location Server       Unspecified
Port number used by an AP to communicate with the Ekahau Location Server        Unspecified
Destination to which an AP reports tag information                              Unspecified
Destination to which an AP reports channel scan information                     Unspecified
Port number used by an AP to report channel scan information                    Unspecified

17.7 Configuring Wi-Fi Tag Location


17.7.1 Configuring WLAN Location for AeroScout Tags
Pre-configuration Tasks
Before configuring the WLAN location function, perform the tasks listed in the following
table.

Table 17-6 Pre-configuration tasks

Task: Create an AP group
    Description: Each AP will be added and can be added to only one AP group. An AP
    group is typically used to provide the same configurations for multiple APs. By
    default, the system has an AP group default. To create an AP group, execute this
    task. For details, see 5.8 Creating an AP Group.

Task: Configure an AP to go online
  – Configure a DHCP server
    Description: To go online normally, APs and STAs must obtain IP addresses. You
    can configure an AC as a DHCP server or use an independent DHCP server to
    allocate IP addresses to APs and STAs. For details, see 5.9.1 Configuring a DHCP
    Server.
  – Configure network interconnections
    Description: To enable APs and STAs to obtain IP addresses, APs to discover the
    AC and go online on the AC, and STAs to access the network, configure
    interconnections between network devices. For details, see 5.9.2 Configuring
    Network Interconnections.
  – Configure country codes
    Description: Correct country code configuration ensures that radio attributes of
    APs comply with laws and regulations of countries and regions to which the APs
    are delivered. For details, see 5.9.3 Configuring Country Codes.
  – Configure a source interface
    Description: Before an AP establishes a CAPWAP tunnel with an AC, a source
    interface or source address must be specified for the AC. For details, see 5.9.4
    Configuring a Source Interface or Source Address.
  – Add APs
    Description: You can add APs in any of the following modes:
    ● Importing APs offline.
    ● Configuring AC to automatically discover an AP.
    ● Manually confirming APs added to the list of unauthorized APs.
    Adding an AP offline is recommended when the MAC address or SN of the AP is
    already learned. For details, see 5.9.8 Adding APs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run air-scan-profile name profile-name
An air scan profile is created and the air scan profile view is displayed.
By default, the system provides the air scan profile default.
Step 4 Run the undo scan-disable command to enable the air scan function.
By default, the air scan function is enabled.
Step 5 Run scan-channel-set { country-channel | dca-channel | work-channel }
An air scan channel set is configured.
By default, an air scan channel set contains all channels supported by the country code of an
AP.


Step 6 Run quit

Return to the WLAN view.

Step 7 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name

The radio profile view of the specified AP is displayed.

• By default, the system provides the 2G radio profile default.
• By default, the system provides the 5G radio profile default.

Step 8 Run air-scan-profile profile-name

The air scan profile is bound to the radio profile.

By default, the air scan profile default is bound to a radio profile.

Step 9 Run quit

Return to the WLAN view.

Step 10 Run vap-profile name profile-name

A VAP profile is created.

By default, the system provides the VAP profile default.

NOTE

When a VAP profile exists in the system, you can use the existing one or create a new one.

Step 11 Run quit

Return to the WLAN view.

Step 12 Bind the VAP profile to radios of an AP group or a specific AP as required to make the radios
properly work. For details, see 5.11.2.11 Binding VAP Profiles.

Step 13 Run quit

Return to the WLAN view.

Step 14 Run location-profile name profile-name

A location profile is created and the location profile view is displayed.

By default, no location profile is created.

Step 15 Run aeroscout tag-enable

WLAN location for AeroScout tags is enabled.

By default, WLAN location for AeroScout tags is disabled.

Step 16 Run aeroscout server port port-num [ via-ac ac-port ac-port-num ]

The destination to which and port number through which the AP reports the received
AeroScout tag information are configured.

By default, the destination to which and port number through which the AP reports tag
information are not configured.


On the AeroScout server, add the APs and configure their MAC addresses, port numbers, and IP
addresses. If an AC is used, also configure the AC IP address. The AeroScout location server
actively initiates a connection with the AC and APs.
Step 17 (Optional) Run source ip-address ip-address
The source IP address from which the AC sends packets to the AeroScout Location Server is
configured.
By default, the source IP address from which the AC sends packets to the AeroScout Location
Server is not configured.

NOTE

• The tags must send signals on the AP's working or scanning channels.
• You need to run this command only when location information is forwarded to the location server via an
AC.
• To configure the AC as the destination to which the AP reports tag information:
  – You must configure the number of the port through which the AC communicates with the
  AeroScout Location Server.
  – Ensure that the port number configured on the AeroScout Location Server is the same as the
  number of the port through which the AC communicates with the AeroScout Location Server.
• To configure the AeroScout Location Server as the destination to which the AP reports tag information,
ensure that the port number configured on the AeroScout Location Server is the same as the number of
the port through which the AP reports tag information.
• The port number through which the AP reports tag information cannot be the same as the number of the
port through which the AC communicates with the AeroScout Location Server.
• If the location server runs Linux and has URPF enabled, the server must be able to ping the source IP
address that the AC uses to send packets to the location server.

Step 18 (Optional) Run aeroscout compound-time time-value


The aggregation time of AeroScout tag packets is configured on the AC.
The default aggregation time of AeroScout tag packets is 6553.5s on the AC.

NOTE
The AeroScout Tag Server and AC can both send the setting of the tag packet aggregation time to the
AP; however, the shorter aggregation time takes effect on the AP. For example, if the aggregation time is
set to 3600 seconds on the AeroScout Tag Server and 4800 seconds on the AC, the aggregation time of
3600 seconds takes effect on the AP.

Step 19 Run quit


Return to the WLAN view.
Step 20 Enter the AP group view or AP view.
• Run the ap-group name group-name command to enter the AP group view.
• Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
view.
Step 21 Run radio-2g-profile profile-name { radio { radio-id | all } } or
radio-5g-profile profile-name { radio { radio-id | all } }
The radio profile is bound to the AP group or AP.
• By default, the 2G radio profile default is bound to an AP group, but no 2G radio profile
is bound to an AP.


• By default, the 5G radio profile default is bound to an AP group, but no 5G radio profile
is bound to an AP.
Step 22 Run location-profile profile-name radio { radio-id | all }
The location profile is bound to the specified radio on the AP.
By default, no location profile is bound to a radio.
Step 23 Run quit
Return to the WLAN view.
Step 24 (Optional) Run location source ip-address ip-address
The source IP address in packets sent by an AC to a location server is configured.
By default, the source IP address is not configured in packets sent by an AC to a location
server.

NOTE

In scenarios where the active and standby ACs are deployed, configure the source IP address on the standby
AC using the location source ip-address ip-address command. The source IP address configured on the
active AC using the source command cannot be synchronized to the standby AC. When source IP addresses
are configured on an AC using the location source and source commands at the same time, the source IP
address configured using the source command takes effect.

----End

Verifying the Configuration


Run the display location-profile name profile-name command to check location profile
configuration.
Run the display wlan location config-info aeroscout { ap-id ap-id | ap-name ap-name }
command to check LBS information of the AP that has successfully received tag information.
Run the display wlan location statistics aeroscout command to check the LBS statistics
about AeroScout tags and MUs.

NOTE

If APs are configured to report AeroScout tag and MU packets to the AeroScout location server directly but
not through an AC, the display wlan location statistics aeroscout command cannot display location
statistics, and all fields are displayed as "0".

17.7.2 Configuring WLAN Location for Ekahau Tags


Pre-configuration Tasks
Before configuring the Tag location function, perform the tasks listed in the following table.


Table 17-7 Pre-configuration tasks

Task | Description
Create an AP group | Each AP is added to an AP group and can be added to only one AP group. An AP group is typically used to provide the same configurations for multiple APs. By default, the system has an AP group default. To create an AP group, execute this task. For details, see 5.8 Creating an AP Group.
Configure an AP to go online: Configure a DHCP server | To go online normally, APs and STAs must obtain IP addresses. You can configure an AC as a DHCP server or use an independent DHCP server to allocate IP addresses to APs and STAs. For details, see 5.9.1 Configuring a DHCP Server.
Configure an AP to go online: Configure network interconnections | To enable APs and STAs to obtain IP addresses, APs to discover the AC and go online on the AC, and STAs to access the network, configure interconnections between network devices. For details, see 5.9.2 Configuring Network Interconnections.
Configure an AP to go online: Configure country codes | Correct country code configuration ensures that radio attributes of APs comply with laws and regulations of countries and regions to which the APs are delivered. For details, see 5.9.3 Configuring Country Codes.
Configure an AP to go online: Configure a source interface | Before an AP establishes a CAPWAP tunnel with an AC, a source interface or source address must be specified for the AC. For details, see 5.9.4 Configuring a Source Interface or Source Address.
Configure an AP to go online: Add APs | You can add APs in any of the following modes: importing APs offline; configuring the AC to automatically discover an AP; manually confirming APs added to the list of unauthorized APs. Adding an AP offline is recommended when the MAC address or SN of the AP is already learned. For details, see 5.9.8 Adding APs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run air-scan-profile name profile-name
An air scan profile is created and the air scan profile view is displayed.
By default, the system provides the air scan profile default.
Step 4 Run the undo scan-disable command to enable the air scan function.
By default, the air scan function is enabled.
Step 5 Run scan-channel-set { country-channel | dca-channel | work-channel }
An air scan channel set is configured.
By default, an air scan channel set contains all channels supported by the country code of an
AP.


Step 6 Run quit


Return to the WLAN view.
Step 7 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
The radio profile view of the specified AP is displayed.
• By default, the system provides the 2G radio profile default.
• By default, the system provides the 5G radio profile default.
Step 8 Run air-scan-profile profile-name
The air scan profile is bound to the radio profile.
By default, the air scan profile default is bound to a radio profile.
Step 9 Run quit
Return to the WLAN view.
Step 10 Run vap-profile name profile-name
A VAP profile is created.
By default, the system provides the VAP profile default.

NOTE

When a VAP profile exists in the system, you can use the existing one or create a new one.

Step 11 Run quit


Return to the WLAN view.
Step 12 Bind the VAP profile to radios of an AP group or a specific AP as required to make the radios
properly work. For details, see 5.11.2.11 Binding VAP Profiles.
Step 13 Run quit
Return to the WLAN view.
Step 14 Run location-profile name profile-name
A location profile is created and the location profile view is displayed.
By default, no location profile is created.
Step 15 Run ekahau tag-enable
WLAN location for Ekahau tags is enabled.
By default, WLAN location for Ekahau tags is disabled.
Step 16 Run ekahau server ip-address ip-address port port-num [ via-ac ac-port ac-port-num ]
The destination to which and port number through which the AP reports the received Ekahau
tag information are configured.
By default, the destination to which and port number through which the AP reports tag
information are not configured.
Step 17 (Optional) Run source ip-address ip-address


The source IP address from which the AC sends packets to the Ekahau Location Server is
configured.
By default, the source IP address from which the AC sends packets to the Ekahau Location
Server is not configured.

NOTE

• The tags must send signals on the AP's working or scanning channels.
• You need to run this command only when location information is forwarded to the location server via an
AC.
• To configure the AC as the destination to which the AP reports tag information:
  – You must configure the IP address of the Ekahau Location Server and port number for
  communicating with the Ekahau Location Server.
  – Ensure that the port number configured on the Ekahau Location Server is the same as the number of
  the port through which the AC communicates with the Ekahau Location Server.
• To configure the Ekahau Location Server as the destination to which the AP reports tag information,
ensure that the port number configured on the Ekahau Location Server is the same as the number of the
port through which the AP reports tag information.
• The port number through which the AP reports tag information cannot be the same as the number of the
port through which the AC communicates with the Ekahau Location Server.
• If the location server runs Linux and has URPF enabled, the server must be able to ping the source IP
address that the AC uses to send packets to the location server.

Step 18 Run quit


Return to the WLAN view.
Step 19 Enter the AP group view or AP view.
• Run the ap-group name group-name command to enter the AP group view.
• Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
view.
Step 20 Run radio-2g-profile profile-name { radio { radio-id | all } } or
radio-5g-profile profile-name { radio { radio-id | all } }
The radio profile is bound to the AP group or AP.
• By default, the 2G radio profile default is bound to an AP group, but no 2G radio profile
is bound to an AP.
• By default, the 5G radio profile default is bound to an AP group, but no 5G radio profile
is bound to an AP.
Step 21 Run location-profile profile-name radio { radio-id | all }
The location profile is bound to the specified radio on the AP.
By default, no location profile is bound to a radio.
Step 22 Run quit
Return to the WLAN view.
Step 23 (Optional) Run location source ip-address ip-address
The source IP address in packets sent by an AC to a location server is configured.
By default, the source IP address is not configured in packets sent by an AC to a location
server.


NOTE

In scenarios where the active and standby ACs are deployed, configure the source IP address on the standby
AC using the location source ip-address ip-address command. The source IP address configured on the
active AC using the source command cannot be synchronized to the standby AC. When source IP addresses
are configured on an AC using the location source and source commands at the same time, the source IP
address configured using the source command takes effect.

----End

Verifying the Configuration


Run the display location-profile name profile-name command to check location based
service (LBS) information about tag location.
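
The port and source-address rules in the NOTEs of 17.7.1 and 17.7.2 can be checked mechanically before a location profile is bound to radios. The following Python linter is an added example, not part of the Huawei guide or product; the finding codes, the profile names ekahau-clash and direct-report, the address 10.23.100.200, and the port 8552 are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Command syntax as given in Step 16 of 17.7.1 (AeroScout) and 17.7.2 (Ekahau).
AERO = re.compile(r"^aeroscout server port (\d+)(?: via-ac ac-port (\d+))?$")
EKAHAU = re.compile(
    r"^ekahau server ip-address (\S+) port (\d+)(?: via-ac ac-port (\d+))?$")
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")  # "[AC-wlan-view] " or "<HUAWEI> "

# Constructed transcript. Only wlan-location uses values from the guide's example.
SAMPLE = """\
[AC-wlan-view] location-profile name wlan-location
[AC-wlan-location-prof-wlan-location] aeroscout tag-enable
[AC-wlan-location-prof-wlan-location] aeroscout server port 1144 via-ac ac-port 10001
[AC-wlan-location-prof-wlan-location] source ip-address 10.23.100.1
[AC-wlan-location-prof-wlan-location] quit
[AC-wlan-view] location-profile name ekahau-clash
[AC-wlan-location-prof-ekahau-clash] ekahau tag-enable
[AC-wlan-location-prof-ekahau-clash] ekahau server ip-address 10.23.100.200 port 8552 via-ac ac-port 8552
[AC-wlan-location-prof-ekahau-clash] quit
[AC-wlan-view] location-profile name direct-report
[AC-wlan-location-prof-direct-report] aeroscout tag-enable
[AC-wlan-location-prof-direct-report] aeroscout server port 1144
[AC-wlan-location-prof-direct-report] source ip-address 10.23.100.1
[AC-wlan-location-prof-direct-report] quit
"""


@dataclass
class LocationProfile:
    name: str
    enabled: set = field(default_factory=set)      # vendors with tag-enable
    servers: dict = field(default_factory=dict)    # vendor -> (ap_port, ac_port or None)
    malformed: list = field(default_factory=list)  # server lines not in documented form
    source_ip: Optional[str] = None


def parse_profiles(text):
    """Collect profiles; one starts at 'location-profile name X' and ends at 'quit'."""
    profiles, current = [], None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        words = line.split()
        start = re.match(r"^location-profile name (\S+)$", line)
        if start:
            current = LocationProfile(start.group(1))
            profiles.append(current)
        elif current is None or not words:
            continue
        elif line == "quit":
            current = None
        elif line in ("aeroscout tag-enable", "ekahau tag-enable"):
            current.enabled.add(words[0])
        elif line.startswith(("aeroscout server", "ekahau server")):
            m = AERO.match(line) or EKAHAU.match(line)
            if m is None:
                current.malformed.append(line)
            else:
                ap, ac = m.groups()[-2:]
                current.servers[words[0]] = (int(ap), int(ac) if ac else None)
        elif line.startswith("source ip-address ") and len(words) == 3:
            current.source_ip = words[2]
    return profiles


def lint(profile):
    """Return (code, message) findings for the rules stated in the NOTEs."""
    out = [("BAD-SYNTAX", f"not in the documented form: {cmd!r}")
           for cmd in profile.malformed]
    for vendor in sorted(profile.enabled - set(profile.servers)):
        out.append(("NO-SERVER", f"{vendor} tag-enable is set but no report "
                                 "destination or port is configured"))
    for vendor, (ap_port, ac_port) in sorted(profile.servers.items()):
        if vendor not in profile.enabled:
            out.append(("NOT-ENABLED", f"{vendor} server is configured but "
                                       f"{vendor} tag-enable is missing"))
        if ac_port is not None and ap_port == ac_port:
            out.append(("PORT-CLASH", f"{vendor}: AP report port and AC port "
                                      f"are both {ap_port}; they must differ"))
    via_ac = any(ac is not None for _, ac in profile.servers.values())
    if profile.source_ip and not via_ac:
        out.append(("SOURCE-UNUSED", "source ip-address is needed only when "
                                     "reports are forwarded via the AC"))
    return out


def audit(text):
    """Map each profile name to the list of finding codes."""
    return {p.name: [code for code, _ in lint(p)] for p in parse_profiles(text)}


if __name__ == "__main__":
    for profile in parse_profiles(SAMPLE):
        for code, message in lint(profile):
            print(f"{profile.name}: {code}: {message}")
```

The linter checks only what is written in the profile; whether the port configured on the location server matches must still be confirmed on the server itself.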

17.8 Maintaining Wi-Fi Tag Location


17.8.1 Checking Information About Wi-Fi Tag Location

Context
After the AP that has WLAN location enabled successfully receives the configuration
information, it replies with a response packet. You can run the display command to check
information about LBS statistics and APs that have successfully received tag information.

Procedure
• Run the display wlan location config-info aeroscout { ap-id ap-id | ap-name ap-name }
command to check LBS information of the AP that has successfully received tag
information.
• Run the display wlan location statistics aeroscout command to check the LBS statistics
about AeroScout tags and MUs.
NOTE

If APs are configured to report AeroScout tag and MU packets to the AeroScout location server directly
but not through an AC, the display wlan location statistics aeroscout command cannot display
location statistics, and all fields are displayed as "0".
• Run the display wlan location device-info tag { all | ap-id ap-id | ap-name ap-name }
command to check tag location information on the AP.

----End

17.8.2 Clearing Tag Information

Procedure
• Run the reset wlan location device-info tag { all | ap-id ap-id | ap-name ap-name }
command to clear tag information received by all APs or specified APs on the AC.

----End


17.9 Configuration Examples for Wi-Fi Tag Location


17.9.1 Example for Configuring Basic WLAN Location Services Based on AeroScout Tags

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
In Figure 17-4, the AC connects to the APs through a switch in a small warehouse.

The administrator requires that the APs collect tag information and report the information to
the AeroScout location server to compute tag locations so that users can obtain the locations
of all goods bearing AeroScout tags through maps, tables, or reports.

Figure 17-4 Configuring basic WLAN location services

[Figure 17-4 shows the AeroScout location server, the AC (GE0/0/1, GE0/0/2), SwitchA (GE0/0/1 to GE0/0/4), the APs area_1, area_2, and area_3, and an AeroScout RFID tag.]

Data preparation

Item | Data
Management VLAN for APs | VLAN100
Service VLAN for STAs | VLAN101
DHCP server | The AC functions as the DHCP server for STAs and APs.
IP address pool for APs | 10.23.100.2-10.23.100.254/24
IP address pool for STAs | 10.23.101.2-10.23.101.254/24
AC's source interface | VLANIF100
AP group | Name: ap-group1; Referenced profile: regulatory domain profile domain1, VAP profile wlan-vap, 2G radio profile wlan-radio-2g, 5G radio profile wlan-radio-5g, and location profile wlan-location
Regulatory domain profile | Name: domain1; Country code: CN
SSID profile | Name: wlan-ssid; SSID name: wlan-net
Security profile | Name: wlan-security; Security policy: WPA2+PSK+AES; Password: a1234567
VAP profile | Name: wlan-vap; Forwarding mode: tunnel forwarding; Service VLAN: VLAN101; Referenced profile: SSID profile wlan-ssid and security profile wlan-security
Air scan profile | Name: wlan-air-scan; Probe channel set: channels supported by the country code
2G radio profile | Name: wlan-radio-2g; Referenced profile: air scan profile wlan-air-scan
5G radio profile | Name: wlan-radio-5g; Referenced profile: air scan profile wlan-air-scan
Location profile | Name: wlan-location; Source IP address of the sent packets: 10.23.100.1; Mode in which an AP reports tag information: via the AC; Port number used by an AP to report tag information: 1144; Port number of the AC: 10001

Configuration Roadmap
The configuration roadmap is as follows:
• Configure basic WLAN services so that users can connect to the internal network
through the WLAN.
• Configure WLAN tag location so that APs can receive configuration information from
the AeroScout location server and send the collected tag information to the AeroScout
location server.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
  suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
  suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure the AeroScout location server.

Complete location configurations on the AeroScout location server. For details, see the related
document of the AeroScout location server.

Step 2 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 3 Connect the AC and APs.

# Configure the access switch SwitchA. Add GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4 on
SwitchA to VLAN 100 (management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/4] quit

# Configure the AC. Add GE0/0/1 to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 4 Configure the AC to communicate with the AeroScout Positioning Server.

# Add GE0/0/2 that connects the AC and the AeroScout Positioning Server to VLAN 100.
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/2] quit

Step 5 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.


# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 6 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Configure a name
for the AP based on the AP's deployment location, so that you can know where the AP is
deployed from its name. For example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y


[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc9d-0bb0
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name area_3
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type         State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor   0   25S
1    dcd2-fc9d-0bb0 area_2 ap-group1 10.23.100.253 AP6010DN-AGN nor   0   20S
2    dcd2-fc04-b500 area_3 ap-group1 10.23.100.252 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 3

Step 7 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit


Step 8 Configure the WLAN air scan function.


# Create an air scan profile named wlan-air-scan and configure an air scan channel set.
[AC-wlan-view] air-scan-profile name wlan-air-scan
[AC-wlan-air-scan-prof-wlan-air-scan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-air-scan] quit

# Create a 2G radio profile named wlan-radio-2g and bind the air scan profile wlan-air-scan
to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit

# Create a 5G radio profile named wlan-radio-5g and bind the air scan profile wlan-air-scan
to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio-5g
[AC-wlan-radio-5g-prof-wlan-radio-5g] air-scan-profile wlan-air-scan
[AC-wlan-radio-5g-prof-wlan-radio-5g] quit

# Configure an AP group and bind the radio profile to the AP group.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio-2g radio 0
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio-5g radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 9 Configure the location function based on AeroScout Tags.

# Create a location profile named wlan-location. Enable the location function based on
AeroScout Tags. Configure the port number used to report the location information and the
source IP address used by the AC to send packets to the location server.
[AC-wlan-view] location-profile name wlan-location
[AC-wlan-location-prof-wlan-location] aeroscout tag-enable
[AC-wlan-location-prof-wlan-location] aeroscout server port 1144 via-ac ac-port 10001
[AC-wlan-location-prof-wlan-location] source ip-address 10.23.100.1
[AC-wlan-location-prof-wlan-location] quit

# Configure an AP group and bind the location profile to the AP group.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] location-profile wlan-location radio all
[AC-wlan-ap-group-ap-group1] quit

Step 10 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type STA SSID
------------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA2-PSK  1   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA2-PSK  0   wlan-net
1     area_2  0    1   DCD2-FC9D-0BB0 ON     WPA2-PSK  0   wlan-net
1     area_2  1    1   DCD2-FC9D-0BC0 ON     WPA2-PSK  0   wlan-net
2     area_3  0    1   DCD2-FC04-B500 ON     WPA2-PSK  0   wlan-net
2     area_3  1    1   DCD2-FC04-B510 ON     WPA2-PSK  0   wlan-net
------------------------------------------------------------------------------------
Total: 6

# When the location server has delivered the configuration information to the AP, run the
display wlan location device-info tag { ap-id ap-id | ap-name ap-name } command. The
command output shows the LBS information of the APs.

[AC-wlan-view] display wlan location device-info tag ap-name area_1


AP ID AP name Tag type Tag MAC Channel RSSI
------------------------------------------------------------------------------
0 area_1 AeroScout 1040-8002-6f80 11 -50
------------------------------------------------------------------------------
Total: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#_b"h2cpaO$9bZ-;`-_;CN5)k,_\UP3[!AJE6Vtg3%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
location-profile name wlan-location
aeroscout tag-enable
aeroscout server port 1144 via-ac ac-port 10001
source ip-address 10.23.100.1
regulatory-domain-profile name domain1
air-scan-profile name wlan-air-scan
radio-2g-profile name wlan-radio-2g
air-scan-profile wlan-air-scan
radio-5g-profile name wlan-radio-5g
air-scan-profile wlan-air-scan
ap-group name ap-group1
regulatory-domain-profile domain1
location-profile wlan-location radio all
radio 0
radio-2g-profile wlan-radio-2g
vap-profile wlan-vap wlan 1
radio 1
radio-5g-profile wlan-radio-5g
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235419610CB002287
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 19 ap-mac dcd2-fc9d-0bb0 ap-sn 210235555310CC000094
ap-name area_2
ap-group ap-group1
ap-id 2 type-id 19 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000042
ap-name area_3
ap-group ap-group1
#
return

17.9.2 Example for Configuring Basic WLAN Location Services Based on Ekahau Tags

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
In Figure 17-5, the AC connects to the APs through a switch in a small warehouse.
The administrator requires that the APs collect tag information and report the information to
the Ekahau location server to compute tag locations so that users can obtain the locations of
all goods with Ekahau Tags through maps, tables, or reports.

Figure 17-5 Configuring basic WLAN location services
[Figure: network diagram. Labels: Ekahau location server; AC (GE0/0/1, GE0/0/2); SwitchA
(GE0/0/1, GE0/0/2, GE0/0/3, GE0/0/4); APs area_1, area_2, and area_3; RFID; Ekahau tag.]

Data Preparation

Item                         Data
Management VLAN for APs      VLAN 100
Service VLAN for STAs        VLAN 101
DHCP server                  The AC functions as the DHCP server for STAs and APs.
IP address pool for APs      10.23.100.3-10.23.100.254/24
IP address pool for STAs     10.23.101.2-10.23.101.254/24
AC's source interface        VLANIF 100
AP group                     • Name: ap-group1
                             • Referenced profile: regulatory domain profile domain1, VAP
                               profile wlan-vap, 2G radio profile wlan-radio-2g, 5G radio
                               profile wlan-radio-5g, and location profile wlan-location
Regulatory domain profile    • Name: domain1
                             • Country code: CN
SSID profile                 • Name: wlan-ssid
                             • SSID name: wlan-net
Security profile             • Name: wlan-security
                             • Security policy: WPA2+PSK+AES
                             • Password: a1234567
VAP profile                  • Name: wlan-vap
                             • Forwarding mode: tunnel forwarding
                             • Service VLAN: VLAN101
                             • Referenced profile: SSID profile wlan-ssid and security
                               profile wlan-security
Air scan profile             • Name: wlan-air-scan
                             • Probe channel set: channels supported by the country code
2G radio profile             • Name: wlan-radio-2g
                             • Referenced profile: air scan profile wlan-air-scan
5G radio profile             • Name: wlan-radio-5g
                             • Referenced profile: air scan profile wlan-air-scan
Location profile             • Name: wlan-location
                             • Source IP address of the sent packets: 10.23.100.1
                             • Mode in which an AP reports tag information: via the AC
                             • Destination IP address/Port number used by the AP to report
                               tag information: 10.23.100.2/8569
                             • Port number of the AC: 10001

Configuration Roadmap
The configuration roadmap is as follows:

• Configure basic WLAN services so that users can connect to the internal network
  through the WLAN.
• Configure WLAN tag location so that APs can receive configuration information from
  the Ekahau location server and send the collected tag information to the Ekahau location
  server.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the Ekahau location server.
Complete location configurations on the Ekahau location server. For details, see the related
document of the Ekahau location server.
Step 2 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 3 Connect AC and AP.


# Configure the access switch SwitchA. Add GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4 on
SwitchA to VLAN 100 (management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/4] quit

# Configure the AC. Add GE0/0/1 to VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 4 Configure the connection between the AC and Ekahau Location Server.

# Add GE0/0/2 that connects the AC and the Ekahau Location Server to VLAN 100.
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/2] quit

Step 5 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.

# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 6 Configure the AP to go online.

# Create an AP group and add the AP to the AP group.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Configure a name
for the AP based on the AP's deployment location, so that you can know where the AP is
deployed from its name. For example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc9d-0bb0
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name area_3
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
-------------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type         State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor   0   25S
1  dcd2-fc9d-0bb0 area_2 ap-group1 10.23.100.253 AP6010DN-AGN nor   0   20S
2  dcd2-fc04-b500 area_3 ap-group1 10.23.100.252 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 3

Step 7 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and the password to a1234567. In
actual situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.

[AC-wlan-view] ssid-profile name wlan-ssid


[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 8 Configure the WLAN air scan function.

# Create an air scan profile named wlan-air-scan and configure an air scan channel set.
[AC-wlan-view] air-scan-profile name wlan-air-scan
[AC-wlan-air-scan-prof-wlan-air-scan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-air-scan] quit

# Create a 2G radio profile named wlan-radio-2g and bind the air scan profile wlan-air-scan
to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit

# Create a 5G radio profile named wlan-radio-5g and bind the air scan profile wlan-air-scan
to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio-5g
[AC-wlan-radio-5g-prof-wlan-radio-5g] air-scan-profile wlan-air-scan
[AC-wlan-radio-5g-prof-wlan-radio-5g] quit

# Configure an AP group and bind the radio profile to the AP group.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio-2g radio 0
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio-5g radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 9 Configure the Ekahau Tag location function.

# Create a location profile named wlan-location. Enable the location function based on
Ekahau Tags. Configure the IP address and port number to report the location information and
the source IP address used by the AC to send packets to the location server.
[AC-wlan-view] location-profile name wlan-location
[AC-wlan-location-prof-wlan-location] ekahau tag-enable
[AC-wlan-location-prof-wlan-location] ekahau server ip-address 10.23.100.2 port 8569 via-ac ac-port 10001
[AC-wlan-location-prof-wlan-location] source ip-address 10.23.100.1
[AC-wlan-location-prof-wlan-location] quit

# Configure an AP group and bind the location profile to the AP group.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] location-profile wlan-location radio all
[AC-wlan-ap-group-ap-group1] quit

Step 10 Verify the configuration.

The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type STA SSID
------------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA2-PSK  1   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA2-PSK  0   wlan-net
1     area_2  0    1   DCD2-FC9D-0BB0 ON     WPA2-PSK  0   wlan-net
1     area_2  1    1   DCD2-FC9D-0BC0 ON     WPA2-PSK  0   wlan-net
2     area_3  0    1   DCD2-FC04-B500 ON     WPA2-PSK  0   wlan-net
2     area_3  1    1   DCD2-FC04-B510 ON     WPA2-PSK  0   wlan-net
------------------------------------------------------------------------------------
Total: 6

# Run the display wlan location device-info tag { ap-id ap-id | ap-name ap-name }
command. The command output displays tag location information of APs.
[AC-wlan-view] display wlan location device-info tag ap-name area_1
AP ID AP name Tag type Tag MAC Channel RSSI
------------------------------------------------------------------------------
0 area_1 Ekahau 1040-8002-6420 11 -50
------------------------------------------------------------------------------
Total: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#

dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#_b"h2cpaO$9bZ-;`-_;CN5)k,_\UP3[!AJE6Vtg3%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
location-profile name wlan-location
ekahau tag-enable
ekahau server ip-address 10.23.100.2 port 8569 via-ac ac-port 10001
source ip-address 10.23.100.1
regulatory-domain-profile name domain1
air-scan-profile name wlan-air-scan
radio-2g-profile name wlan-radio-2g
air-scan-profile wlan-air-scan
radio-5g-profile name wlan-radio-5g
air-scan-profile wlan-air-scan
ap-group name ap-group1
regulatory-domain-profile domain1
location-profile wlan-location radio all
radio 0
radio-2g-profile wlan-radio-2g
vap-profile wlan-vap wlan 1
radio 1
radio-5g-profile wlan-radio-5g
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235419610CB002287
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 19 ap-mac dcd2-fc9d-0bb0 ap-sn 210235555310CC000094
ap-name area_2
ap-group ap-group1
ap-id 2 type-id 19 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000042
ap-name area_3
ap-group ap-group1
#
return
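
A check for the tunnel-forwarding rule in the Configuration Notes (the management VLAN and service VLAN cannot be the same), run against text in the format of the AC configuration file above. This is an added example, not Huawei code: the sample configuration is constructed with two deliberate mistakes, and the second check (the location profile's source address must be configured on an AC interface) is an assumed sanity check rather than a rule stated in this guide.

```python
import ipaddress
import re

# Constructed sample in the format of the AC configuration file. Two deliberate
# mistakes: service VLAN 100 equals the management VLAN, and the location
# profile's source address is not configured on any interface.
SAMPLE_AC_CONFIG = """\
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 100
  ssid-profile wlan-ssid
  security-profile wlan-security
 location-profile name wlan-location
  ekahau tag-enable
  ekahau server ip-address 10.23.100.2 port 8569 via-ac ac-port 10001
  source ip-address 10.23.200.1
#
return
"""

# The same text with both mistakes corrected to the values used in this guide.
FIXED_AC_CONFIG = (SAMPLE_AC_CONFIG
                   .replace("service-vlan vlan-id 100", "service-vlan vlan-id 101")
                   .replace("source ip-address 10.23.200.1", "source ip-address 10.23.100.1"))

SECTION_START = re.compile(
    r"^(interface|vap-profile name|location-profile name|security-profile name|"
    r"ssid-profile name|ap-group name)\s+(\S+)", re.IGNORECASE)


def parse_sections(text):
    """Group config lines under the most recent section-opening line.

    Sections are recognised by keyword, not indentation, so the parser also
    works on text whose leading spaces were lost in copy and paste.
    """
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        match = SECTION_START.match(line)
        if match:
            current = {"kind": match.group(1).lower(), "name": match.group(2), "lines": []}
            sections.append(current)
        elif current is not None:
            current["lines"].append(line)
        else:
            sections.append({"kind": "global", "name": "", "lines": [line]})
    return sections


def audit(text):
    """Return a list of (finding, profile name) tuples for the two checks."""
    sections = parse_sections(text)
    mgmt_vlan, local_ips, findings = None, set(), []
    for sec in sections:
        if sec["kind"] == "global":
            m = re.match(r"capwap source interface vlanif\s*(\d+)", sec["lines"][0], re.I)
            if m:
                mgmt_vlan = int(m.group(1))  # VLAN of the AC's CAPWAP source interface
        elif sec["kind"] == "interface":
            for line in sec["lines"]:
                m = re.match(r"ip address (\S+) \S+", line)
                if m:
                    local_ips.add(ipaddress.ip_address(m.group(1)))
    for sec in sections:
        if sec["kind"] == "vap-profile name" and "forward-mode tunnel" in sec["lines"]:
            for line in sec["lines"]:
                m = re.match(r"service-vlan vlan-id (\d+)", line)
                if m and mgmt_vlan is not None and int(m.group(1)) == mgmt_vlan:
                    findings.append(("vlan-overlap", sec["name"]))
        if sec["kind"] == "location-profile name":
            for line in sec["lines"]:
                m = re.match(r"source ip-address (\S+)", line)
                if m and ipaddress.ip_address(m.group(1)) not in local_ips:
                    findings.append(("source-ip-not-local", sec["name"]))
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_AC_CONFIG), ("fixed", FIXED_AC_CONFIG)):
        print(label, audit(cfg))
```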

18 Terminal Location Configuration

18.1 Overview of Terminal Location


Definition
Terminal location technology uses APs to collect strength information about radio signals in
the surrounding environment to locate Wi-Fi terminals and rogue APs. The APs report the
collected information to a location server. The location server computes locations of terminals
based on the APs' locations and the data received from the APs, and presents the computing
results to users through a display terminal.
Terminal location technology includes Wi-Fi terminal location and AeroScout MU location.

Purpose
Terminal location technology allows users to locate devices such as Wi-Fi terminals and
rogue APs, helping users manage the network and control key assets.

18.2 Understanding Terminal Location


18.2.1 Wi-Fi Terminal Location

Basic Concepts
As shown in Figure 18-1, the terminal location system includes at least three APs, one AC,
and one location server. Functions of each component are as follows:
• AP: The APs collect wireless signals. The APs periodically switch channels to collect
  strength information about terminal signals in the surrounding environment on each
  channel and report the collected information to the location server.
• AC: The AC delivers terminal location configurations to the APs. In addition, the AC
  also classifies and filters the information received from the APs based on the device type
  (such as authorized terminals and rogue APs).
• Location server: The location server functions as the location server and display terminal
  in the location system. The location server computes the signal transmission model
  according to locations of APs and obstacles, and calculates locations of terminals, rogue
  APs, or Wi-Fi interference sources based on the RSSI information collected by each AP.
  The display terminal draws maps and displays locations of the devices on the map.

Figure 18-1 Typical networking for the terminal location system
[Figure: network diagram. Labels: Internet, location server, AC, switch, AP1, AP2, AP3,
Wi-Fi terminals, rogue APs.]

Implementation Principles
Terminal location technology locates terminals as follows:
1. APs collect strength information about radio signals and forward the information to the
location server.
a. The APs periodically switch channels to collect frames sent from terminals in the
surrounding environment on each channel and record frame information including
RSSI information, timestamp, data rate, and channel information. RSSIs are
essential in determining whether a terminal is near or far from the APs.
b. The APs encapsulate the collected radio signal information into UDP packets and
report the data to the location server in the following two modes:
   – APs report collected data to the AC. Then, the AC reports the data to the
     location server.
     When the network between the APs and the location server is not reachable,
     the APs report data to the AC first. The AC then filters information about
     terminals and rogue APs before reporting the data to the location server.
   – The APs directly report the collected data to the location server.
     If the network between the APs and the location server is reachable, and the
     AC is not required to identify unauthorized APs, configure the APs to directly
     send data to the location server, which decreases CPU usage of the AC and
     reduces impacts of the location function on services.
2. The AC reports the information received from APs to the location server.
As shown in Figure 18-2, after receiving information from the APs, the AC processes
the information as follows:
a. Determine whether the data received from the APs is location data. If not, the data
is processed in other ways.
b. If the AC receives the location data, the AC processes the data in the following
way: if the data is about terminal locations, the AC reports the data directly to the
location server; if the data is about authorized AP locations, the AC discards the
data; if the data is about rogue AP locations, the AC reports the data to the location
server.

Figure 18-2 Processing location information
[Figure: flowchart. The AC receives data from APs. Does the AC receive the location data?
If no, the data goes to other processes. If yes: is the data about terminal location? If
yes, the AC reports the data to the positioning server. If no: is the data about rogue AP
location? If yes, the AC reports the data to the positioning server; if no, discard.]

3. The location server computes the location information.
The location process involves the offline phase and online phase.
a. Offline phase: The location server divides the whole network into multiple equal
area grids, computes the signal transmission model according to environment
features (indoor/outdoor and obstacle features), calculates the theoretical
differences among RSSIs of a STA in the grid to all APs based on the imported AP
location information, and stores the data into the database.
b. Online phase: At least three APs report terminal information to the location server
after receiving the terminal information. The location server compares the
information received from the APs with the information in the database to obtain
the location of the terminal.
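
The offline and online phases above, as an added Python example that is not Huawei's or any location server's own algorithm. It assumes a log-distance path-loss model as the signal transmission model, constructed AP coordinates and floor size, and a 1 m grid; matching on pairwise RSSI differences means the terminal's unknown transmit power cancels out.

```python
import itertools
import math

# Assumed AP coordinates in metres (constructed; the guide gives only AP names).
AP_POSITIONS = {"area_1": (0.0, 0.0), "area_2": (20.0, 0.0), "area_3": (10.0, 15.0)}
AREA = (20.0, 15.0)          # floor size in metres (constructed)
GRID_STEP = 1.0              # side of each equal-area grid cell, metres
PATH_LOSS_EXPONENT = 3.0     # assumed indoor value for the log-distance model
REF_LOSS_DB = 40.0           # assumed loss at the 1 m reference distance

# Constructed online-phase input: RSSI in dBm reported by each AP for one terminal MAC.
SAMPLE_REPORTS = {"area_1": -59, "area_2": -53, "area_3": -56}


def model_rssi(tx_power_dbm, terminal, ap):
    """Signal transmission model: RSSI an AP would measure for a terminal."""
    distance = max(math.dist(terminal, ap), 1.0)  # clamp inside the reference distance
    return tx_power_dbm - REF_LOSS_DB - 10 * PATH_LOSS_EXPONENT * math.log10(distance)


def rssi_differences(rssi_by_ap):
    """Pairwise RSSI differences between APs, keyed by the sorted AP-name pair."""
    return {(a, b): rssi_by_ap[a] - rssi_by_ap[b]
            for a, b in itertools.combinations(sorted(rssi_by_ap), 2)}


def build_database():
    """Offline phase: theoretical RSSI differences for the centre of every grid cell."""
    database = {}
    cells_x, cells_y = int(AREA[0] / GRID_STEP), int(AREA[1] / GRID_STEP)
    for ix in range(cells_x):
        for iy in range(cells_y):
            centre = ((ix + 0.5) * GRID_STEP, (iy + 0.5) * GRID_STEP)
            # Transmit power 0 dBm is arbitrary: it cancels in the differences.
            rssi = {name: model_rssi(0.0, centre, pos)
                    for name, pos in AP_POSITIONS.items()}
            database[centre] = rssi_differences(rssi)
    return database


def locate(database, reports):
    """Online phase: return the grid cell whose stored differences best match.

    Reports from APs that are not in AP_POSITIONS are ignored, and at least
    three known APs must have reported the terminal.
    """
    known = {ap: rssi for ap, rssi in reports.items() if ap in AP_POSITIONS}
    if len(known) < 3:
        raise ValueError("need reports from at least three APs")
    measured = rssi_differences(known)

    def squared_error(cell_differences):
        return sum((cell_differences[pair] - diff) ** 2
                   for pair, diff in measured.items())

    return min(database, key=lambda cell: squared_error(database[cell]))


if __name__ == "__main__":
    db = build_database()
    print("estimated cell centre:", locate(db, SAMPLE_REPORTS))
```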

18.2.2 AeroScout MU Location


Concepts
As shown in Figure 18-3, the AeroScout mobile unit (MU) location system includes at least
three APs, one or more ACs, and an AeroScout location server. Functions of each component
are as follows:
• AP: The APs collect wireless signals. The APs periodically switch channels to collect
  strength information about signals of MUs in the surrounding environment on each
  channel and report the collected information to the AC or location server.
• AC: The AC forwards the configuration instruction from the location server to APs. It
  can also forward location information received from an AP to the location server.
• Location server: The location server computes the MU location using a location
  algorithm (for example, three-point location) after receiving the location information and
  provides the computed data to user systems, including the system management software
  and image software.

Figure 18-3 Typical networking for the AeroScout MU location system
[Figure: network diagram. Labels: Internet, location server, AC, switch, AP1, AP2, AP3,
Wi-Fi terminals, rogue APs.]

Implementation

Figure 18-4 Working mechanism of the AeroScout MU location system
[Figure: message flow across MU, AP, Switch, AC, and Location server. Labels: MU Message,
MU Report, UDP encapsulation. Legend: wireless packets sent by tags; tag information
encapsulated by the AP.]

The protocol process of the AeroScout MU location system is similar to that of the AeroScout
tag location system. However, the two systems locate different devices. The AeroScout MU
location system locates mobile terminals while the AeroScout tag location system locates
tags.
Figure 18-4 shows the AeroScout MU location principle, which is similar to terminal
location.
1. After the AeroScout MU location function is enabled, APs receive MU messages and
forward them to the location server.
a. After receiving an MU Message frame, an AP records location information
contained in the frame such as the received signal strength indicator (RSSI), time
stamp, rate, and channel. The RSSI is the most important information because the
location server uses it to determine the distance between an MU and an AP.
b. The AP encapsulates all location information obtained from MU Message frames
into a UDP packet (MU Report) and sends the packet to the location server directly
or through the AC.
The destination IP address and port number of an MU Report packet are configured
on the AC.
– If the destination address is set to the IP address of the location server, the MU
Report packet is directly sent to the location server.
– If the destination address is set to the AC's IP address, the MU Report packet
is sent to the AC and forwarded by the AC to the location server. This
configuration is used when the AP cannot be directly connected to the location
server.
2. The location server computes the location information.
To accurately determine the MU location, the location server must receive location
information about an MU from at least three APs. After receiving the location
information, the location server computes the MU location according to information
including the RSSI, SNR, radio mode, the imported map, and AP locations. Then, the
location server sends the location information to the graphical interface of the third-party
device for presentation.
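
Why three APs: each RSSI reading gives only a distance, so a position on the floor plan needs at least three range circles from APs that are not on one line. The Python sketch below is an added example, not the AeroScout or Huawei algorithm; the log-distance path-loss model, its constants, and the AP coordinates are assumptions, and the sample reports are constructed.

```python
"""RSSI-based position estimate from three or more APs (added illustration).

Assumptions, not taken from the guide: a log-distance path-loss model with
REF_RSSI_DBM at 1 m and exponent PATH_LOSS_EXP, and AP coordinates in metres
on a flat floor plan. A production location server also weighs SNR, radio
mode and the imported map.
"""
import math

REF_RSSI_DBM = -40.0   # assumed RSSI measured 1 m from the transmitter
PATH_LOSS_EXP = 2.5    # assumed indoor path-loss exponent


def rssi_to_distance(rssi_dbm):
    """Invert RSSI = REF - 10 * n * log10(d) to get the range d in metres."""
    return 10 ** ((REF_RSSI_DBM - rssi_dbm) / (10 * PATH_LOSS_EXP))


def distance_to_rssi(distance_m):
    """Forward model, used here only to construct sample reports."""
    return REF_RSSI_DBM - 10 * PATH_LOSS_EXP * math.log10(distance_m)


def locate(reports):
    """Estimate (x, y) from [(ap_x, ap_y, rssi_dbm), ...], one entry per AP.

    Each report defines a circle around its AP. Subtracting the last circle
    from the others gives linear equations a*x + b*y = c, which are solved by
    least squares, so more than three APs simply add rows.
    """
    if len(reports) < 3:
        raise ValueError("at least three APs must report the terminal")
    xn, yn, rssi_n = reports[-1]
    dn = rssi_to_distance(rssi_n)
    s_aa = s_ab = s_bb = s_ac = s_bc = 0.0
    for x, y, rssi in reports[:-1]:
        d = rssi_to_distance(rssi)
        a = 2 * (xn - x)
        b = 2 * (yn - y)
        c = d * d - dn * dn - x * x - y * y + xn * xn + yn * yn
        s_aa += a * a
        s_ab += a * b
        s_bb += b * b
        s_ac += a * c
        s_bc += b * c
    det = s_aa * s_bb - s_ab * s_ab
    if abs(det) < 1e-9:
        # All APs on one line: the circles cannot separate the two mirror
        # positions, so no unique fix exists.
        raise ValueError("APs are collinear; position is ambiguous")
    return ((s_ac * s_bb - s_bc * s_ab) / det,
            (s_bc * s_aa - s_ac * s_ab) / det)


# Constructed sample: three APs on the corners of a 10 m square, terminal at (3, 4).
APS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
TRUE_POS = (3.0, 4.0)


def sample_reports(quantize=False):
    """Build one report per AP; quantize=True rounds RSSI to whole dBm."""
    out = []
    for ax, ay in APS:
        dist = math.hypot(ax - TRUE_POS[0], ay - TRUE_POS[1])
        rssi = distance_to_rssi(dist)
        out.append((ax, ay, float(round(rssi)) if quantize else rssi))
    return out


if __name__ == "__main__":
    print("exact RSSI   :", locate(sample_reports()))
    print("rounded RSSI :", locate(sample_reports(quantize=True)))
```

Rounding the RSSI to whole dBm already shifts the estimate by a few tenths of a metre in this sample, which is why the scan period and the number of reporting APs affect location accuracy.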

18.3 Implementation of Terminal Location


Network Troubleshooting
On a WLAN, the following faults may occur:
• Rogue APs exist on the WLAN.
• Interference sources exist, affecting the WLAN.
• Users cannot access the WLAN or encounter problems when using the WLAN.
To troubleshoot such faults, configure the terminal location function, as shown in Figure
18-5. This function can locate Wi-Fi terminals, rogue APs, and interference sources on the
WLAN, helping O&M personnel quickly locate and rectify the faults.

Figure 18-5 Typical networking for the terminal location system
[Figure: network diagram showing the Internet, location server, AC, switch, AP1, AP2, AP3, Wi-Fi terminals, and rogue APs]

Passenger Flow Analysis


In a shopping mall, the administrator needs to collect statistics about the stay durations of
passengers in different stores based on the passengers' locations. Such information can help
the administrator analyze shopping trends and passenger flows.
After the terminal location function is configured, the administrator can obtain MAC
addresses of Wi-Fi STAs in the shopping mall and stay durations of passengers. The
administrator can then upload obtained information to the location server, facilitating
passenger flow statistics collection and analysis.

18.4 Licensing Requirements and Limitations for Terminal Location

Involved Network Elements
AP
• APs mentioned in this document are Huawei AP products. You are advised to use
Huawei APs to connect to the AC.
• You can run the display ap-type all command to check the default AP types supported
by the device.
• When central APs and RUs are used, ensure that their versions are the same. For
example, if the central AP version is V200R007C10, the RU version must be
V200R007C10.

Table 18-1 Mapping between switch versions and AP versions

Product Software Version   AP Software Version
V200R012C00                V200R009C00, V200R008C10, V200R008C00, V200R007C20,
                           V200R007C10, V200R006C20, V200R006C10
V200R011C10                V200R008C10, V200R008C00, V200R007C20, V200R007C10,
                           V200R006C20, V200R006C10
V200R011C00                V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00                V200R007C10, V200R006C20, V200R006C10
V200R009C00                V200R006C20, V200R006C10
V200R008C00                V200R005C30, V200R005C20, V200R005C10
V200R007                   V200R005C20, V200R005C10
V200R006                   V200R005C00

eSight

• Functions as the location server and display terminal in the location system. The location
server computes the signal transmission model according to locations of APs and
obstacles, and calculates locations of terminals, rogue APs, or Wi-Fi interference sources
based on the RSSI information collected by each AP. The display terminal draws maps
and displays locations of the devices on the map.
• The Wi-Fi terminal location function is applicable to eSight in V300R005C00.

App server
• An app server obtains location results from a location server and pushes information to
Bluetooth terminals based on the location results.

Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
• AP resource license-16AP for WLAN access controller
• AP resource license-64AP for WLAN access controller
• AP resource license-128AP for WLAN access controller
• AP resource license-512AP for WLAN access controller

For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.

Version Requirements

Table 18-2 Products and minimum version supporting WLAN location

Series                  Product Model      Minimum Version Required
S1700 series switches   -                  Not supported
S2700 series switches   -                  Not supported
S3700 series switches   -                  Not supported
S5700 series switches   S5720HI, S5730HI   S5720HI: V200R006
                                           S5730HI: V200R012
S6700 series switches   S6720HI            V200R012

Feature Limitations
Wi-Fi Terminal Location
• The AP3010DN-AGN, AP6310SN-GN, and AP9330DN do not support Wi-Fi terminal
location.
• Locating a terminal requires at least three APs to scan signals on the WLAN.
• To use the terminal location function to locate unauthorized STAs, rogue APs and
bridges, and ad-hoc devices, you need to enable WIDS. To use the terminal location
function to locate authorized STAs, you do not need to enable WIDS.

18.5 Summary of Terminal Location Configuration Tasks


You can select the proper WLAN location mode according to actual scenarios and complete
corresponding configuration tasks, as shown in Table 18-3.

Table 18-3 Terminal location configuration tasks

Scenario: Wi-Fi device location.
Description: On a WLAN network, APs can periodically scan wireless terminals in the
surroundings and report the scan data to the Location Server, which then computes the data
and presents wireless terminal locations to users. Wireless terminals that can be located
include APs, STAs, wireless bridges, and Ad-hoc devices.
Task:
• If an AeroScout location server is used, refer to 18.7.1 Configuring WLAN Location for
AeroScout MUs for details.
• If another location server is used, refer to 18.7.2 Configuring Wi-Fi Terminal Location
for details.

18.6 Default Settings for Terminal Location


Table 18-4 Default settings for Wi-Fi terminal location

Parameter                                                      Default Setting
Terminal location                                              Disabled
Channel scan period                                            60 ms
Channel scan interval                                          60 s
Interval at which an AP reports channel scan information       20 s
Destination to which an AP reports channel scan information    Unspecified
Port number used by an AP to report channel scan information   Unspecified

Table 18-5 Default settings for AeroScout MU location

Parameter                                                                      Default Setting
Port number used by the AC to communicate with the AeroScout Location Server   Unspecified
Port number used by an AP to communicate with the AeroScout Location Server    Unspecified
WLAN location for AeroScout MUs                                                Disabled
Channel scan period                                                            60 ms
Channel scan interval                                                          60 s
Packet aggregation interval for AeroScout MU                                   6553.5 s
Destination to which an AP reports channel scan information                    Unspecified
Port number used by an AP to report channel scan information                   Unspecified

18.7 Configuring Terminal Location


18.7.1 Configuring WLAN Location for AeroScout MUs

Pre-configuration Tasks
Before configuring the WLAN location function, perform the tasks listed in the following
table.

Table 18-6 Pre-configuration tasks

Task: Create an AP group
Description: Each AP is added to an AP group and can be added to only one AP group. An AP
group is typically used to provide the same configurations for multiple APs. By default,
the system has an AP group default. To create an AP group, execute this task. For details,
see 5.8 Creating an AP Group.

Task: Configure an AP to go online

  Subtask: Configure a DHCP server
  Description: To go online normally, APs and STAs must obtain IP addresses. You can
  configure an AC as a DHCP server or use an independent DHCP server to allocate IP
  addresses to APs and STAs. For details, see 5.9.1 Configuring a DHCP Server.

  Subtask: Configure network interconnections
  Description: To enable APs and STAs to obtain IP addresses, APs to discover the AC and go
  online on the AC, and STAs to access the network, configure interconnections between
  network devices. For details, see 5.9.2 Configuring Network Interconnections.

  Subtask: Configure country codes
  Description: Correct country code configuration ensures that radio attributes of APs
  comply with laws and regulations of countries and regions to which the APs are delivered.
  For details, see 5.9.3 Configuring Country Codes.

  Subtask: Configure a source interface
  Description: Before an AP establishes a CAPWAP tunnel with an AC, a source interface or
  source address must be specified for the AC. For details, see 5.9.4 Configuring a Source
  Interface or Source Address.

  Subtask: Add APs
  Description: You can add APs in any of the following modes:
  • Importing APs offline.
  • Configuring AC to automatically discover an AP.
  • Manually confirming APs added to the list of unauthorized APs.
  Adding an AP offline is recommended when the MAC address or SN of the AP is already
  learned. For details, see 5.9.8 Adding APs.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run air-scan-profile name profile-name

An air scan profile is created and the air scan profile view is displayed.

By default, the system provides the air scan profile default.

Step 4 Run the undo scan-disable command to enable the air scan function.

By default, the air scan function is enabled.

Step 5 Run scan-channel-set { country-channel | dca-channel | work-channel }

An air scan channel set is configured.

By default, an air scan channel set contains all channels supported by the country code of an
AP.

Step 6 (Optional) Run scan-period scan-time

The period during which the AP scans channels is configured.

The default period during which an AP scans channels is 60 ms.

The channel scan period applies to radio calibration, smart roaming, WLAN location, and
WIDS functions.


A shorter channel scan period means fewer location packets that the device can obtain, which
affects the location accuracy. A longer channel scan period has a much larger impact on
services.

Step 7 (Optional) Run scan-interval scan-time

The interval at which the AP scans channels is configured.

By default, the air scan interval is 10000 ms.

The channel scan interval applies to radio calibration, smart roaming, WLAN location, and
WIDS functions.

NOTE

• If the customer has high requirements on real-time data analysis, configure a small air scan interval using
the scan-interval command to increase the scan frequency; however, a higher scan frequency has a
much larger impact on services.
• If the customer has high requirements on real-time locating services, deploy the APs on the same channel
to scan channels.

Step 8 Run quit

Return to the WLAN view.

Step 9 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name

The radio profile view of the specified AP is displayed.

• By default, the system provides the 2G radio profile default.
• By default, the system provides the 5G radio profile default.

Step 10 Run air-scan-profile profile-name

The air scan profile is bound to the radio profile.

By default, the air scan profile default is bound to a radio profile.

Step 11 Run quit

Return to the WLAN view.

Step 12 Run vap-profile name profile-name

A VAP profile is created.

By default, the system provides the VAP profile default.

NOTE

When a VAP profile exists in the system, you can use the existing one or create a new one.

Step 13 Run quit

Return to the WLAN view.

Step 14 Bind the VAP profile to radios of an AP group or a specific AP as required to make the radios
properly work. For details, see 5.11.2.11 Binding VAP Profiles.

Step 15 Run quit

Return to the WLAN view.


Step 16 Run location-profile name profile-name

A location profile is created and the location profile view is displayed.

By default, no location profile is created.

Step 17 Run aeroscout mu-enable

WLAN location for AeroScout MUs is enabled.

By default, WLAN location for AeroScout MUs is disabled.

Step 18 Run aeroscout server port port-num [ via-ac ac-port ac-port-num ]

The destination to which and port number through which the AP reports the received
AeroScout MU information are configured.

By default, the destination to which and port number through which the AP reports MU
information are not configured.

Step 19 (Optional) Run source ip-address ip-address

The source IP address from which the AC sends packets to the AeroScout Location Server is
configured.

By default, the source IP address from which the AC sends packets to the AeroScout Location
Server is not configured.

NOTE

• You need to run this command only when location information is forwarded to the location server via an
AC.
• To configure the AC as the destination to which the AP reports tag information:
– You must configure the number of the port through which the AC communicates with the
AeroScout Location Server.
– Ensure that the port number configured on the AeroScout Location Server is the same as the
number of the port through which the AC communicates with the AeroScout Location Server.
• To configure the AeroScout Location Server as the destination to which the AP reports MU information,
ensure that the port number configured on the AeroScout Location Server is the same as the number of
the port through which the AP reports MU information.
• The port number through which the AP reports MU information cannot be the same as the number of the
port through which the AC communicates with the AeroScout Location Server.
• If the location server uses the Linux system and has URPF enabled, the server must be able to ping the
source IP address that the AC uses to send packets to the location server.

Step 20 (Optional) Run aeroscout compound-time time-value

The aggregation time of AeroScout MU packets is configured on the AC.

The default aggregation time of AeroScout MU packets is 6553.5s on the AC.

NOTE
The AeroScout Location Server and AC can both send the setting of the MU packet aggregation time to
the AP; however, the shorter aggregation time takes effect on the AP. For example, if the aggregation
time is set to 3600 seconds on the AeroScout Location Server and 4800 seconds on the AC, the
aggregation time of 3600 seconds takes effect on the AP.

Step 21 Run quit

Return to the WLAN view.

Step 22 Enter the AP group view or AP view.

• Run the ap-group name group-name command to enter the AP group view.
• Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
view.

Step 23 Run radio-2g-profile profile-name { radio { radio-id | all } } or radio-5g-profile profile-name { radio { radio-id | all } }

The radio profile is bound to the AP group or AP.

• By default, the 2G radio profile default is bound to an AP group, but no 2G radio profile
is bound to an AP.
• By default, the 5G radio profile default is bound to an AP group, but no 5G radio profile
is bound to an AP.

Step 24 Run location-profile profile-name radio { radio-id | all }

The location profile is bound to the specified radio on the AP.

By default, no location profile is bound to a radio.

Step 25 Run quit

Return to the WLAN view.

Step 26 (Optional) Run location source ip-address ip-address

The source IP address in packets sent by an AC to a location server is configured.

By default, the source IP address is not configured in packets sent by an AC to a location
server.

NOTE

In scenarios where the active and standby ACs are deployed, configure the source IP address on the standby
AC using the location source ip-address ip-address command. The source IP address configured on the
active AC using the source command cannot be synchronized to the standby AC. When source IP addresses
are configured on an AC using the location source and source commands at the same time, the source IP
address configured using the source command takes effect.

----End

Verifying the Configuration


• Run the display location-profile name profile-name command to check the
configuration for AeroScout MU location.

18.7.2 Configuring Wi-Fi Terminal Location

Pre-configuration Tasks
Before configuring Wi-Fi terminal location, perform the tasks listed in the following table.

Table 18-7 Pre-configuration tasks

Task: Create an AP group
Description: Each AP is added to an AP group and can be added to only one AP group. An AP
group is typically used to provide the same configurations for multiple APs. By default,
the system has an AP group default. To create an AP group, execute this task. For details,
see 5.8 Creating an AP Group.

Task: Configure an AP to go online

  Subtask: Configure a DHCP server
  Description: To go online normally, APs and STAs must obtain IP addresses. You can
  configure an AC as a DHCP server or use an independent DHCP server to allocate IP
  addresses to APs and STAs. For details, see 5.9.1 Configuring a DHCP Server.

  Subtask: Configure network interconnections
  Description: To enable APs and STAs to obtain IP addresses, APs to discover the AC and go
  online on the AC, and STAs to access the network, configure interconnections between
  network devices. For details, see 5.9.2 Configuring Network Interconnections.

  Subtask: Configure country codes
  Description: Correct country code configuration ensures that radio attributes of APs
  comply with laws and regulations of countries and regions to which the APs are delivered.
  For details, see 5.9.3 Configuring Country Codes.

  Subtask: Configure a source interface
  Description: Before an AP establishes a CAPWAP tunnel with an AC, a source interface or
  source address must be specified for the AC. For details, see 5.9.4 Configuring a Source
  Interface or Source Address.

  Subtask: Add APs
  Description: You can add APs in any of the following modes:
  • Importing APs offline.
  • Configuring AC to automatically discover an AP.
  • Manually confirming APs added to the list of unauthorized APs.
  Adding an AP offline is recommended when the MAC address or SN of the AP is already
  learned. For details, see 5.9.8 Adding APs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Set the working mode for radios in an AP group or for a specified radio.
You can set the radio working mode in the AP radio view or AP group radio view. The
configuration in the AP group radio view takes effect on all AP radios in an AP group and
that in the AP radio view takes effect only on a specified AP radio. The configuration in the
AP radio view has a higher priority than that in the AP group radio view.
• Set the working mode for all radios in an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the radio radio-id command to enter the radio view.
c. Run the work-mode { normal | monitor [ dual-band-scan enable ] } command to
set the working mode for radios in an AP group.
By default, radios in an AP group work in normal mode.
d. Run the quit command to return to the AP group view.
• Set the working mode for a specified AP radio.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the radio radio-id command to enter the radio view.
c. Run the work-mode { normal | monitor [ dual-band-scan enable ] } command to
set the working mode for a specified AP radio.
By default, an AP radio works in normal mode.
d. Run the quit command to return to the AP view.
NOTE

An AP can work in two modes:
• normal: indicates the normal mode.
– If the air scan function is disabled on a radio, including WIDS, spectrum analysis, and terminal
location, the radio is used to transmit common WLAN services.
– If the air scan function is enabled on a radio, the radio transmits common WLAN services and
also implements detection. Transmission of common WLAN services may be affected.
• monitor: indicates the monitor mode.
In this mode, the radio can only transmit WLAN services scanned by the air interface but cannot
transmit common WLAN services.

Step 4 Run quit
Return to the WLAN view.
Step 5 Run air-scan-profile name profile-name
An air scan profile is created and the air scan profile view is displayed.
By default, the system provides the air scan profile default.
Step 6 Run the undo scan-disable command to enable the air scan function.
By default, the air scan function is enabled.
Step 7 Run scan-channel-set { country-channel | dca-channel | work-channel }
An air scan channel set is configured.
By default, an air scan channel set contains all channels supported by the country code of an
AP.
Step 8 (Optional) Run scan-period scan-time
The period during which the AP scans channels is configured.
The default period during which an AP scans channels is 60 ms.
The channel scan period applies to radio calibration, smart roaming, WLAN location, and
WIDS functions.
A shorter channel scan period means fewer location packets that the device can obtain, which
affects the location accuracy. A longer channel scan period has a much larger impact on
services.
Step 9 (Optional) Run scan-interval scan-time
The interval at which the AP scans channels is configured.

By default, the air scan interval is 10000 ms.


The channel scan interval applies to radio calibration, smart roaming, WLAN location, and
WIDS functions.

NOTE

• If the customer has high requirements on real-time data analysis, configure a small air scan interval using
the scan-interval command to increase the scan frequency; however, a higher scan frequency has a
much larger impact on services.
• If the customer has high requirements on real-time locating services, deploy the APs on the same channel
to scan channels.

Step 10 Run quit
Return to the WLAN view.
Step 11 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
The radio profile view of the specified AP is displayed.
• By default, the system provides the 2G radio profile default.
• By default, the system provides the 5G radio profile default.
Step 12 Run air-scan-profile profile-name
The air scan profile is bound to the radio profile.
By default, the air scan profile default is bound to a radio profile.
Step 13 Run quit
Return to the WLAN view.
Step 14 (Optional) Configure the WIDS function according to 11.6 Configuring Device Detection
and Containment and 11.7 Configuring Attack Detection and a Dynamic Blacklist.
To use the Wi-Fi terminal location function to locate unauthorized STAs, rogue APs and
bridges, and ad-hoc devices, you need to enable WIDS. To use the Wi-Fi terminal location
function to locate authorized STAs, you do not need to enable WIDS.
Step 15 Run vap-profile name profile-name
A VAP profile is created.
By default, the system provides the VAP profile default.

NOTE

When a VAP profile exists in the system, you can use the existing one or create a new one.

Step 16 Run quit
Return to the WLAN view.
Step 17 Bind the VAP profile to radios of an AP group or a specific AP as required to make the radios
properly work. For details, see 5.11.2.11 Binding VAP Profiles.
Step 18 Run quit
Return to the WLAN view.
Step 19 Run location-profile name profile-name

A location profile is created and the location profile view is displayed.
By default, no location profile is created.
Step 20 Run private mu-enable
Wi-Fi terminal location is enabled on the AP.
Locating a STA requires at least three APs to scan signals on the WLAN.
By default, Wi-Fi terminal location is disabled on an AP.
Step 21 (Optional) Run private report-frequency time
The interval at which the AP reports channel scan information is configured.
By default, an AP reports channel scan information every 20s (20000 ms).
Step 22 (Optional) Run private report-protocol { udp | http | https ssl-policy ssl-policy }
The protocol type used by APs to report information is configured.
By default, an AP uses UDP to report information.
Step 23 (Optional) Run private mu protocol-version { v3 | v5 }
The STA location protocol version is configured.
The default terminal location protocol version is v3.
Step 24 Run private server { ip-address ip-address | domain domain } port port-num [ via-ac ac-port ac-port-num ]
The destination IP address and port number are configured for the AP to report STA location
data.
By default, no destination IP address or port number is configured for the AP to report STA
location data.
Step 25 Run quit
Return to the WLAN view.
Step 26 Enter the AP group view or AP view.
• Run the ap-group name group-name command to enter the AP group view.
• Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
view.
Step 27 Run radio-2g-profile profile-name { radio { radio-id | all } } or radio-5g-profile profile-name { radio { radio-id | all } }
The radio profile is bound to the AP group or AP.
• By default, the 2G radio profile default is bound to an AP group, but no 2G radio profile
is bound to an AP.
• By default, the 5G radio profile default is bound to an AP group, but no 5G radio profile
is bound to an AP.
Step 28 Run location-profile profile-name radio { radio-id | all }
The location profile is bound to the specified radio on the AP.

By default, no location profile is bound to a radio.


----End

Verifying the Configuration


• Run the display location-profile name profile-name command to check Wi-Fi terminal
location configurations.

Follow-up Procedure
After Wi-Fi terminal location is configured on the AC, configure required WLAN location
parameters on the location server so that you can check Wi-Fi terminal location results on the
location server.
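
The rules stated in 18.7.1 and 18.7.2 (the AP report port must differ from the AC port, source ip-address applies only to via-ac forwarding, both location modes are disabled and have no destination by default, and reports use UDP unless https is selected) can be checked offline before a profile is applied. The Python script below is an added example, not Huawei tooling; it reads location-profile commands as typed, and the finding codes and sample values are constructed.

```python
"""Offline check of location-profile commands (added example, not Huawei tooling).

Command forms are those documented in 18.7.1 and 18.7.2. The finding codes
are hypothetical names, and all sample values are constructed.
"""
import re

RE_AERO_SERVER = re.compile(r"aeroscout server port (\d+)(?: via-ac ac-port (\d+))?")
RE_PRIV_SERVER = re.compile(
    r"private server (?:ip-address|domain) \S+ port (\d+)(?: via-ac ac-port (\d+))?")
RE_PRIV_PROTO = re.compile(r"private report-protocol (udp|http|https ssl-policy \S+)")
RE_SOURCE = re.compile(r"source ip-address \S+")

FINDINGS = {
    "AEROSCOUT_DISABLED": "server set but 'aeroscout mu-enable' missing (disabled by default)",
    "AEROSCOUT_NO_SERVER": "MU location enabled but no report destination configured",
    "AEROSCOUT_PORT_CLASH": "AP report port equals the AC-to-server port",
    "SOURCE_WITHOUT_VIA_AC": "'source ip-address' only applies when reports go via the AC",
    "PRIVATE_DISABLED": "server set but 'private mu-enable' missing (disabled by default)",
    "PRIVATE_NO_SERVER": "Wi-Fi terminal location enabled but no report destination",
    "PRIVATE_NO_TLS": "reports (STA MAC addresses, RSSI) are sent over UDP or HTTP, without TLS",
}


def _ports(match):
    """Return (report_port, ac_port_or_None) from a server-command match."""
    ac_port = match.group(2)
    return int(match.group(1)), int(ac_port) if ac_port else None


def parse_profile(lines):
    """Collect one location profile's settings; unset keys keep documented defaults."""
    cfg = {"aero_on": False, "aero_srv": None, "priv_on": False,
           "priv_srv": None, "priv_proto": "udp", "source": False}
    for raw in lines:
        line = " ".join(raw.split())          # normalise whitespace
        if line == "aeroscout mu-enable":
            cfg["aero_on"] = True
        elif line == "private mu-enable":
            cfg["priv_on"] = True
        elif RE_SOURCE.fullmatch(line):
            cfg["source"] = True
        else:
            for key, rx in (("aero_srv", RE_AERO_SERVER), ("priv_srv", RE_PRIV_SERVER)):
                m = rx.fullmatch(line)
                if m:
                    cfg[key] = _ports(m)
            m = RE_PRIV_PROTO.fullmatch(line)
            if m:
                cfg["priv_proto"] = m.group(1).split()[0]
    return cfg


def audit(lines):
    """Return the finding codes that apply, in a fixed order."""
    cfg = parse_profile(lines)
    aero, priv = cfg["aero_srv"], cfg["priv_srv"]
    via_ac = any(srv is not None and srv[1] is not None for srv in (aero, priv))
    checks = [
        ("AEROSCOUT_DISABLED", aero is not None and not cfg["aero_on"]),
        ("AEROSCOUT_NO_SERVER", cfg["aero_on"] and aero is None),
        ("AEROSCOUT_PORT_CLASH", aero is not None and aero[0] == aero[1]),
        ("SOURCE_WITHOUT_VIA_AC", cfg["source"] and not via_ac),
        ("PRIVATE_DISABLED", priv is not None and not cfg["priv_on"]),
        ("PRIVATE_NO_SERVER", cfg["priv_on"] and priv is None),
        ("PRIVATE_NO_TLS", cfg["priv_on"] and cfg["priv_proto"] != "https"),
    ]
    return [code for code, hit in checks if hit]


# Constructed sample profiles.
GOOD_AEROSCOUT = ["aeroscout mu-enable", "source ip-address 10.23.100.1",
                  "aeroscout server port 1144 via-ac ac-port 10001"]
BAD_AEROSCOUT = ["aeroscout server port 1144 via-ac ac-port 1144"]
DEFAULT_PRIVATE = ["private mu-enable",
                   "private server ip-address 192.0.2.10 port 10031"]
TLS_PRIVATE = DEFAULT_PRIVATE + ["private report-protocol https ssl-policy loc-policy"]

if __name__ == "__main__":
    samples = {"good-aeroscout": GOOD_AEROSCOUT, "bad-aeroscout": BAD_AEROSCOUT,
               "default-private": DEFAULT_PRIVATE, "tls-private": TLS_PRIVATE}
    for name, sample in samples.items():
        for code in audit(sample) or ["OK"]:
            print(f"{name}: {code} {FINDINGS.get(code, '')}".rstrip())
```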

18.8 Configuration Examples for Terminal Location


18.8.1 Example for Configuring Basic WLAN Location Services Based on AeroScout MU

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
In Figure 18-6, the AC connects to the APs through a switch in a small warehouse.
The administrator requires that the APs collect tag information and report the information to
the AeroScout location server to compute tag locations so that users can obtain mobile
terminal locations shown in maps, tables, or reports.

Figure 18-6 Configuring basic WLAN location services

[Figure: network diagram showing the AeroScout location server, AC, SwitchA, interface labels GE0/0/1 through GE0/0/4, areas area_1, area_2, and area_3, and an MU]

Data preparation

Item                         Data
Management VLAN for APs      VLAN100
Service VLAN for STAs        VLAN101
DHCP server                  The AC functions as the DHCP server for STAs and APs.
IP address pool for APs      10.23.100.2-10.23.100.254/24
IP address pool for STAs     10.23.101.2-10.23.101.254/24
AC's source interface        VLANIF100
AP group                     • Name: ap-group1
                             • Referenced profile: regulatory domain profile domain1, VAP profile
                               wlan-vap, 2G radio profile wlan-radio-2g, 5G radio profile
                               wlan-radio-5g, and location profile wlan-location
Regulatory domain profile    • Name: domain1
                             • Country code: CN
SSID profile                 • Name: wlan-ssid
                             • SSID name: wlan-net
Security profile             • Name: wlan-security
                             • Security policy: WPA2+PSK+AES
                             • Password: a1234567
VAP profile                  • Name: wlan-vap
                             • Forwarding mode: tunnel forwarding
                             • Service VLAN: VLAN101
                             • Referenced profile: SSID profile wlan-ssid and security profile
                               wlan-security
Air scan profile             • Name: wlan-air-scan
                             • Probe channel set: channels supported by the country code
2G radio profile             • Name: wlan-radio-2g
                             • Referenced profile: air scan profile wlan-air-scan
5G radio profile             • Name: wlan-radio-5g
                             • Referenced profile: air scan profile wlan-air-scan
Location profile             • Name: wlan-location
                             • Source IP address of the sent packets: 10.23.100.1
                             • Data report mode: via the AC
                             • Server port number: 1144
                             • Port number of the AC: 10001

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic WLAN services so that users can connect to the internal network
through the WLAN.
2. Configure WLAN MU location so that APs can receive configuration information from
the AeroScout Location Server and send the collected MU information to the AeroScout
Location Server.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Configure the AeroScout location server.

Complete location configurations on the AeroScout location server. For details, see the related
document of the AeroScout location server.

Step 2 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 3 Connect AC and AP.

# Configure the access switch SwitchA. Add GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4 on
SwitchA to VLAN 100 (management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/4] quit

# Configure the AC. Add GE0/0/1 to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 4 Configure the AC to communicate with the AeroScout Positioning Server.

# Add GE0/0/2 that connects the AC and the AeroScout Positioning Server to VLAN 100.
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/2] quit

Step 5 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.

# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 6 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Configure a name
for the AP based on the AP's deployment location, so that you can know where the AP is
deployed from its name. For example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc9d-0bb0
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name area_3
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type         State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor   0   25S
1    dcd2-fc9d-0bb0 area_2 ap-group1 10.23.100.253 AP6010DN-AGN nor   0   20S
2    dcd2-fc04-b500 area_3 ap-group1 10.23.100.252 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 3

Step 7 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 8 Configure the WLAN air scan function.


# Create an air scan profile named wlan-air-scan and configure an air scan channel set.
[AC-wlan-view] air-scan-profile name wlan-air-scan
[AC-wlan-air-scan-prof-wlan-air-scan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-air-scan] quit

# Create a 2G radio profile named wlan-radio-2g and bind the air scan profile wlan-air-scan
to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit

# Create a 5G radio profile named wlan-radio-5g and bind the air scan profile wlan-air-scan
to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio-5g
[AC-wlan-radio-5g-prof-wlan-radio-5g] air-scan-profile wlan-air-scan
[AC-wlan-radio-5g-prof-wlan-radio-5g] quit

# Configure an AP group and bind the radio profile to the AP group.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio-2g radio 0
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio-5g radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 9 Configure the AeroScout MU location function.


# Create a location profile named wlan-location. Enable the AeroScout MU location
function. Configure the target and port number to report location information and the source
IP address used by the AC to send packets to the location server.
[AC-wlan-view] location-profile name wlan-location
[AC-wlan-location-prof-wlan-location] aeroscout mu-enable
[AC-wlan-location-prof-wlan-location] aeroscout server port 1144 via-ac ac-port 10001
[AC-wlan-location-prof-wlan-location] source ip-address 10.23.100.1
[AC-wlan-location-prof-wlan-location] quit

# Configure an AP group and bind the location profile to the AP group.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] location-profile wlan-location radio all
[AC-wlan-ap-group-ap-group1] quit

Step 10 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type STA SSID
------------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA2-PSK  1   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA2-PSK  0   wlan-net
1     area_2  0    1   DCD2-FC9D-0BB0 ON     WPA2-PSK  0   wlan-net
1     area_2  1    1   DCD2-FC9D-0BC0 ON     WPA2-PSK  0   wlan-net
2     area_3  0    1   DCD2-FC04-B500 ON     WPA2-PSK  0   wlan-net
2     area_3  1    1   DCD2-FC04-B510 ON     WPA2-PSK  0   wlan-net
------------------------------------------------------------------------------------
Total: 6

# When the location server has delivered the configuration information to the AP, run the
display wlan location config-info aeroscout { ap-id ap-id | ap-name ap-name } command.
The command output shows the LBS information of the APs.
[AC-wlan-view] display wlan location config-info aeroscout ap-name area_1
----------------------------------------------------------------
AP ID : 0
AP name : area_1
AP MAC address : 60de-4476-e360
Response IP address : -
Response port : 1144
AP tag mode : start
AP MU mode : start
Dilution factor : 1
Dilution timeout(s) : 1
Tags multicast address : 0180-c200-000e
Compounded message timeout(0.1s) : 65535

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#_b"h2cpaO$9bZ-;`-_;CN5)k,_\UP3[!AJE6Vtg3%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 location-profile name wlan-location
  aeroscout mu-enable
  aeroscout server port 1144 via-ac ac-port 10001
  source ip-address 10.23.100.1
 regulatory-domain-profile name domain1
 air-scan-profile name wlan-air-scan
 radio-2g-profile name wlan-radio-2g
  air-scan-profile wlan-air-scan
 radio-5g-profile name wlan-radio-5g
  air-scan-profile wlan-air-scan
 ap-group name ap-group1
  regulatory-domain-profile domain1
  location-profile wlan-location radio all
  radio 0
   radio-2g-profile wlan-radio-2g
   vap-profile wlan-vap wlan 1
  radio 1
   radio-5g-profile wlan-radio-5g
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235419610CB002287
  ap-name area_1
  ap-group ap-group1
 ap-id 1 type-id 19 ap-mac dcd2-fc9d-0bb0 ap-sn 210235555310CC000094
  ap-name area_2
  ap-group ap-group1
 ap-id 2 type-id 19 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000042
  ap-name area_3
  ap-group ap-group1
#
return
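
The Configuration Notes require that, in tunnel forwarding mode, the management VLAN and service VLAN differ, and the profiles in the AC configuration file bind to one another by name. The following Python check is an added example, not part of the Huawei guide: it parses a trimmed, constructed copy of this AC configuration file and reports bindings to undefined profiles and a tunnel-mode service VLAN equal to the management VLAN. The function names, the one-space-per-level indentation, and taking the management VLAN from the capwap source interface are assumptions of this example.

```python
import re

# Constructed sample: this example's AC configuration file, trimmed (pass-phrase
# line and interfaces omitted). One-space indentation per view level is assumed.
SAMPLE_AC_CONFIG = """\
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 location-profile name wlan-location
  aeroscout mu-enable
  aeroscout server port 1144 via-ac ac-port 10001
 regulatory-domain-profile name domain1
 air-scan-profile name wlan-air-scan
 radio-2g-profile name wlan-radio-2g
  air-scan-profile wlan-air-scan
 radio-5g-profile name wlan-radio-5g
  air-scan-profile wlan-air-scan
 ap-group name ap-group1
  regulatory-domain-profile domain1
  location-profile wlan-location radio all
  radio 0
   radio-2g-profile wlan-radio-2g
   vap-profile wlan-vap wlan 1
  radio 1
   radio-5g-profile wlan-radio-5g
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235419610CB002287
  ap-name area_1
  ap-group ap-group1
#
return
"""


def parse_wlan_view(config):
    """Return (defined objects, bindings, VAP profile settings) from the wlan view."""
    defined, refs, vaps = set(), [], {}
    in_wlan, current = False, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        if depth == 0:                      # "#", "return", or a top-level view
            in_wlan = words == ["wlan"]
            current = None
            continue
        if not in_wlan:
            continue
        kind = words[0]
        if depth == 1:                      # object defined inside the wlan view
            named = len(words) >= 3 and words[1] == "name"
            current = (kind, words[2] if named else " ".join(words[1:2]))
            if named:
                defined.add(current)
            if named and kind == "vap-profile":
                vaps[current[1]] = {"forward-mode": None, "service-vlan": None}
            continue
        if current is None:                 # indented line with no parent object
            continue
        if len(words) >= 2 and (kind.endswith("-profile") or kind == "ap-group"):
            refs.append((current, (kind, words[1])))    # "<kind> <name>" binding
        elif current[0] == "vap-profile" and current[1] in vaps:
            if kind == "forward-mode" and len(words) >= 2:
                vaps[current[1]]["forward-mode"] = words[1]
            elif words[:2] == ["service-vlan", "vlan-id"] and len(words) >= 3:
                vaps[current[1]]["service-vlan"] = int(words[2])
    return defined, refs, vaps


def audit(config):
    """Return findings: dangling profile bindings and tunnel-mode VLAN overlap."""
    defined, refs, vaps = parse_wlan_view(config)
    findings = [f"{owner[0]} {owner[1]}: binds undefined {target[0]} {target[1]}"
                for owner, target in refs if target not in defined]
    # Assumption: the management VLAN is the VLANIF used as the CAPWAP source.
    m = re.search(r"^capwap source interface vlanif\s*(\d+)", config, re.I | re.M)
    mgmt = int(m.group(1)) if m else None
    for name, vap in vaps.items():
        if (vap["forward-mode"] == "tunnel" and mgmt is not None
                and vap["service-vlan"] == mgmt):
            findings.append(f"vap-profile {name}: tunnel forwarding but service VLAN "
                            f"{mgmt} equals the management VLAN")
    return findings


if __name__ == "__main__":
    print("as documented:", audit(SAMPLE_AC_CONFIG))
    # Constructed misconfiguration: service VLAN moved to 100, air scan profile deleted.
    broken = (SAMPLE_AC_CONFIG.replace("vlan-id 101", "vlan-id 100")
              .replace(" air-scan-profile name wlan-air-scan\n", ""))
    for finding in audit(broken):
        print("finding:", finding)
```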

18.8.2 Example for Configuring Wi-Fi Terminal Location

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
In Figure 18-7, the AC connects to the APs through a switch on an enterprise network.

The administrator requires that the APs collect Wi-Fi terminal information and report the
information to the location server to compute terminal locations so that users can obtain the
locations of the Wi-Fi terminals through maps, tables, or reports.

Figure 18-7 Configuring basic WLAN location services

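[Figure: network topology. The location server connects to the AC, the AC connects to SwitchA, and SwitchA connects to the APs area_1, area_2, and area_3, which serve the Wi-Fi terminal. The diagram labels interfaces GE0/0/1 through GE0/0/4.]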

Data preparation

Item                         Data
Management VLAN for APs      VLAN100
Service VLAN for STAs        VLAN101
DHCP server                  The AC functions as the DHCP server for STAs and APs.
IP address pool for APs      10.23.100.3-10.23.100.254/24
IP address pool for STAs     10.23.101.2-10.23.101.254/24
AC's source interface        VLANIF100
AP group                     • Name: ap-group1
                             • Referenced profile: regulatory domain profile domain1, VAP profile wlan-vap,
                               2G radio profile wlan-radio-2g, 5G radio profile wlan-radio-5g, and
                               location profile wlan-location
Regulatory domain profile    • Name: domain1
                             • Country code: CN
SSID profile                 • Name: wlan-ssid
                             • SSID name: wlan-net
Security profile             • Name: wlan-security
                             • Security policy: WPA2+PSK+AES
                             • Password: a1234567
VAP profile                  • Name: wlan-vap
                             • Forwarding mode: tunnel forwarding
                             • Service VLAN: VLAN101
                             • Referenced profile: SSID profile wlan-ssid and security profile wlan-security
Air scan profile             • Name: wlan-air-scan
                             • Probe channel set: channels supported by the country code
2G radio profile             • Name: wlan-radio-2g
                             • Referenced profile: air scan profile wlan-air-scan
5G radio profile             • Name: wlan-radio-5g
                             • Referenced profile: air scan profile wlan-air-scan
Location profile             • Name: wlan-location
                             • Data report mode: via the AC
                             • Destination IP address/Port number used by the AP to report channel scan
                               information: 10.23.100.2/32180
                             • Port number of the AC: 10001

Configuration Roadmap
The configuration roadmap is as follows:
• Configure basic WLAN services so that users can connect to the internal network
  through the WLAN.
• Configure terminal location so that APs can periodically scan channels to collect radio
  signals and report the collected information to the location server.

Procedure
Step 1 Configure the location server (details are not provided here).
Step 2 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 3 Connect AC and AP.


# Configure the access switch SwitchA. Add GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4 on
SwitchA to VLAN 100 (management VLAN).

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/4] quit

# Configure the AC. Add GE0/0/1 to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 4 Configure the AC to communicate with the location server.


# Add GE0/0/2 that connects the AC and the location server to VLAN 100.
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/2] quit

Step 5 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 6 Configure the AP to go online.

# Create an AP group and add the AP to the AP group.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Configure a name
for the AP based on the AP's deployment location, so that you can know where the AP is
deployed from its name. For example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac dcd2-fc9d-0bb0
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac dcd2-fc04-b500
[AC-wlan-ap-2] ap-name area_3
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
-------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type         State STA Uptime
-------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP6010DN-AGN nor   0   25S
1    dcd2-fc9d-0bb0 area_2 ap-group1 10.23.100.253 AP6010DN-AGN nor   0   20S
2    dcd2-fc04-b500 area_3 ap-group1 10.23.100.252 AP6010DN-AGN nor   0   10S
-------------------------------------------------------------------------------------
Total: 3

Step 7 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 8 Configure the WLAN air scan function.


# Create an air scan profile named wlan-air-scan and configure an air scan channel set.
[AC-wlan-view] air-scan-profile name wlan-air-scan
[AC-wlan-air-scan-prof-wlan-air-scan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-air-scan] quit

# Create a 2G radio profile named wlan-radio-2g and bind the air scan profile wlan-air-scan
to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit

# Create a 5G radio profile named wlan-radio-5g and bind the air scan profile wlan-air-scan
to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name wlan-radio-5g
[AC-wlan-radio-5g-prof-wlan-radio-5g] air-scan-profile wlan-air-scan
[AC-wlan-radio-5g-prof-wlan-radio-5g] quit

# Configure an AP group and bind the radio profile to the AP group.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio-2g radio 0
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio-5g radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 9 Configure the terminal location function.


# Create a location profile named wlan-location. Enable the terminal location function.
Configure the target and port number to report location information.
[AC-wlan-view] location-profile name wlan-location
[AC-wlan-location-prof-wlan-location] private mu-enable
[AC-wlan-location-prof-wlan-location] private server ip-address 10.23.100.2 port 32180 via-ac ac-port 10001
[AC-wlan-location-prof-wlan-location] quit

# Configure an AP group and bind the location profile to the AP group.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] location-profile wlan-location radio all
[AC-wlan-ap-group-ap-group1] quit

Step 10 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type STA SSID
------------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA2-PSK  1   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA2-PSK  0   wlan-net
1     area_2  0    1   DCD2-FC9D-0BB0 ON     WPA2-PSK  0   wlan-net
1     area_2  1    1   DCD2-FC9D-0BC0 ON     WPA2-PSK  0   wlan-net
2     area_3  0    1   DCD2-FC04-B500 ON     WPA2-PSK  0   wlan-net
2     area_3  1    1   DCD2-FC04-B510 ON     WPA2-PSK  0   wlan-net
------------------------------------------------------------------------------------
Total: 6

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#_b"h2cpaO$9bZ-;`-_;CN5)k,_\UP3[!AJE6Vtg3%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 location-profile name wlan-location
  private mu-enable
  private server ip-address 10.23.100.2 port 32180 via-ac ac-port 10001
 regulatory-domain-profile name domain1
 air-scan-profile name wlan-air-scan
 radio-2g-profile name wlan-radio-2g
  air-scan-profile wlan-air-scan
 radio-5g-profile name wlan-radio-5g
  air-scan-profile wlan-air-scan
 ap-group name ap-group1
  regulatory-domain-profile domain1
  location-profile wlan-location radio all
  radio 0
   radio-2g-profile wlan-radio-2g
   vap-profile wlan-vap wlan 1
  radio 1
   radio-5g-profile wlan-radio-5g
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235419610CB002287
  ap-name area_1
  ap-group ap-group1
 ap-id 1 type-id 19 ap-mac dcd2-fc9d-0bb0 ap-sn 210235555310CC000094
  ap-name area_2
  ap-group ap-group1
 ap-id 2 type-id 19 ap-mac dcd2-fc04-b500 ap-sn 210235554710CB000042
  ap-name area_3
  ap-group ap-group1
#
return


19 Bluetooth Location Configuration

19.1 Overview of Bluetooth Location


Definition
Bluetooth location is classified into Bluetooth terminal location, Bluetooth tag location, and
Bluetooth data transparent transmission.
● Bluetooth terminal location technology uses Bluetooth Low Energy (BLE) devices and a
location system to locate Bluetooth terminals through the iBeacon protocol. An AP with
a built-in Bluetooth module collects information about BLE devices and sends the
information to a server through an AC. The server sends data about maps and BLE
device locations to a Bluetooth terminal through an app server. The Bluetooth terminal
then works with the location app to calculate its own location. Alternatively, the AP
collects information carried in Bluetooth terminal location packets and sends the
information to the AC or location server for server-side location.
● Bluetooth tag location technology uses Bluetooth tags and a location system to locate
Bluetooth tags through the BLE protocol. An AP with a built-in Bluetooth module
collects information about Bluetooth tags and sends the information to a location server
to locate the Bluetooth tags. The AP also monitors battery power of Bluetooth tags and
checks whether Bluetooth tags are disconnected.
● Bluetooth data transparent transmission technology is used to enable an AP with a
built-in Bluetooth module to collect data from Bluetooth clients (such as Bluetooth
thermometers, blood pressure monitors, and heart rate monitors) and upload the data to a
server.

Purpose
● Bluetooth terminal location is used for self-location of users in shopping malls and
parking lots where BLE devices are deployed. APs scan BLE devices and upload
obtained information about the BLE devices to a location server through an AC. The
location server then returns location results to users. Store keepers can push promotional
information to users through the BLE devices.
● Bluetooth tag location is used to locate Bluetooth tags placed on target objects or
persons, so that users can easily locate and manage key assets or persons.
● Bluetooth data transparent transmission is configured to enable Bluetooth clients worn
by users to obtain their health data and send the data to a server. In this way, users' health
conditions can be easily monitored and analyzed.


19.2 Understanding Bluetooth Location

19.2.1 Bluetooth Terminal Location

Concepts
As shown in Figure 19-1, a Bluetooth terminal location system consists of multiple Bluetooth
terminals, BLE devices, APs with built-in Bluetooth modules, ACs, one location server, and
one app server.

Figure 19-1 Working mechanism of a Bluetooth terminal location system

Functions of each component are as follows:
● BLE device: a Bluetooth signal generator that periodically sends BLE broadcast
frames to surrounding devices. The frame content complies with the iBeacon protocol.
NOTE
Currently, only BLE devices from Xuntong Technology Co., Ltd are supported.
● AP: scans BLE broadcast frames sent by BLE devices, obtains BLE device information
such as UUIDs, RSSI calibration values, and power, reports the information to an AC,
and sends Bluetooth terminal location packets to an AC or a server.
● AC: delivers the Bluetooth location function configuration. It also sends Bluetooth
terminal location packets, and low power and fault alarm information, to a location
server.
● Location server: allows BLE base stations to be set and location maps to be made,
calculates Bluetooth terminal locations, and monitors the status of BLE base stations.
● App server: obtains map information and BLE device locations from the location server,
and sends the information to Bluetooth terminals.
● Bluetooth terminal: periodically sends iBeacon broadcast frames, receives signal strength
of BLE base stations and sensor data, and works with the mobile app to calculate
Bluetooth terminal locations using location algorithms.


Implementation
As shown in Figure 19-1, Bluetooth terminal location technology locates Bluetooth terminals
through the following steps:
1. An AP obtains information about BLE devices and Bluetooth terminals, such as UUIDs,
RSSI calibration values, and power.
– The AP's built-in Bluetooth module scans surrounding BLE devices and Bluetooth
terminals, and collects iBeacon broadcast frames sent by them. The iBeacon
broadcast frames carry device information such as UUIDs and RSSI calibration
values.
BLE devices and Bluetooth terminals periodically send iBeacon broadcast frames
without the need to access the WLAN. Figure 19-2 shows the format of an iBeacon
broadcast frame.

Figure 19-2 Format of an iBeacon broadcast frame


Length | 16 bytes | 2 bytes | 2 bytes | 1 byte
Field | UUID | Major | Minor | Reference RSSI

Fields of an iBeacon broadcast frame are described as follows:


■ UUID: universally unique identifier for identifying BLE devices or Bluetooth
terminals
■ Major: field customized by device vendors for identifying a major group
■ Minor: field customized by device vendors for identifying a minor group
■ Reference RSSI: RSSI calibration value measured 1 meter away from a BLE
device or Bluetooth terminal
– The AP sends power query requests to surrounding BLE devices or Bluetooth
terminals. After receiving the requests, the BLE devices or Bluetooth terminals send
scan response broadcast frames carrying power information on broadcast channels.
Figure 19-3 describes the format of a scan response broadcast frame.

Figure 19-3 Format of a scan response broadcast frame


Length | 1 byte | 1 byte | 7 bytes | 1 byte | 1 byte | 2 bytes | 1 byte
Field | Data Length | Local name | Data | Data Length | Service Data | Service UUID | Battery volume

Fields of a scan response broadcast frame are described as follows:


■ Data Length: length of the first part of data, including the length of Local
name and Data
■ Local name: iBeacon protocol data format, indicating that the subsequent data
is a device name
■ Data: device name customized by device vendors
■ Data Length: length of the last part of data, including the length of the Service
Data, Service UUID, and Battery volume fields
■ Service Data: iBeacon protocol data format, indicating that the subsequent data
is a UUID
■ Service UUID: universally unique identifier customized by device vendors for
identifying BLE devices or Bluetooth terminals
■ Battery volume: battery power level ranging from 0 to 100 in decimal notation
that maps battery power from 0% to 100%.
2. The AP reports obtained information about BLE devices, such as UUIDs, RSSI
calibration values, and power, to the AC, and sends Bluetooth terminal location packets
to the AC or location server.
In scenarios where no independent BLE devices are deployed, the Bluetooth broadcast
function of APs' built-in Bluetooth modules can be enabled, so that APs can function as
BLE devices to send BLE broadcast frames. The APs can then directly report the battery
power, UUIDs, and RSSI calibration values of their built-in Bluetooth modules to an AC
without scanning.
NOTE
Currently, only the AP4050DN-E supports the Bluetooth broadcast function.
3. The AC sends Bluetooth terminal location packets, and low power and fault alarm
information about BLE devices, to the location server.
4. On the location server, make floor plans and location map models, add BLE devices, set
their deployment locations, monitor their status, and calculate Bluetooth terminal
locations.
5. The app server obtains map information and BLE locations from the location server.
6. The app server sends map information and BLE device locations to Bluetooth terminals.
7. Install a location app on a Bluetooth terminal (such as a mobile phone), start the app, and
perform the following operations:
a. Collect information about scanned BLE devices and their signal strengths.
b. Collect information about sensors of the mobile phone, such as speed sensors and
gyroscopes.
c. Obtain map information from the location server.
d. Calculate and display BLE device locations on the Bluetooth terminal.
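
The frame layouts of Figure 19-2 and Figure 19-3, written as a parser that checks lengths and value ranges before the fields are used (an added example, not Huawei code). Big-endian Major and Minor, a signed Reference RSSI byte, a little-endian Service UUID, the log-distance model with a path-loss exponent of 2.0, and all sample bytes are assumptions made here.

```python
import struct
from dataclasses import dataclass
from uuid import UUID

IBEACON_LEN = 21        # 16 (UUID) + 2 (Major) + 2 (Minor) + 1 (Reference RSSI)
SCAN_RESPONSE_LEN = 14  # 1 + 1 + 7 + 1 + 1 + 2 + 1


@dataclass(frozen=True)
class IBeacon:
    uuid: UUID
    major: int
    minor: int
    reference_rssi: int   # dBm, calibration value measured 1 m from the sender


@dataclass(frozen=True)
class ScanResponse:
    name: str
    service_uuid: int
    battery: int          # percent, 0..100


def parse_ibeacon(fields: bytes) -> IBeacon:
    """Parse the UUID / Major / Minor / Reference RSSI fields of Figure 19-2."""
    if len(fields) != IBEACON_LEN:
        raise ValueError(f"iBeacon fields: expected {IBEACON_LEN} bytes, got {len(fields)}")
    # Assumption: Major and Minor are big-endian, Reference RSSI is a signed byte.
    raw_uuid, major, minor, ref_rssi = struct.unpack(">16sHHb", fields)
    return IBeacon(UUID(bytes=raw_uuid), major, minor, ref_rssi)


def parse_scan_response(frame: bytes) -> ScanResponse:
    """Parse the scan response layout of Figure 19-3 and reject inconsistent frames."""
    if len(frame) != SCAN_RESPONSE_LEN:
        raise ValueError(f"scan response: expected {SCAN_RESPONSE_LEN} bytes, got {len(frame)}")
    # Assumption: Service UUID is little-endian. The two type octets (Local name,
    # Service Data) are read but not enforced, because the guide gives no values.
    len1, _name_type, name, len2, _svc_type, svc_uuid, battery = struct.unpack(
        "<BB7sBBHB", frame)
    if len1 != 1 + 7:          # first Data Length covers Local name + Data
        raise ValueError(f"first Data Length is {len1}, expected 8")
    if len2 != 1 + 2 + 1:      # second covers Service Data + Service UUID + Battery volume
        raise ValueError(f"second Data Length is {len2}, expected 4")
    if battery > 100:
        raise ValueError(f"battery volume {battery} is outside 0..100")
    return ScanResponse(name.decode("ascii", errors="replace"), svc_uuid, battery)


def estimate_distance_m(reference_rssi: int, measured_rssi: int,
                        path_loss_exponent: float = 2.0) -> float:
    """Log-distance estimate from the 1 m calibration value (assumed model)."""
    if path_loss_exponent <= 0:
        raise ValueError("path_loss_exponent must be positive")
    return 10 ** ((reference_rssi - measured_rssi) / (10 * path_loss_exponent))


# Constructed sample input (not captured from a real device).
# Major 1, Minor 258, Reference RSSI -65 dBm (0xBF as a signed byte).
SAMPLE_IBEACON = bytes(range(16)) + bytes.fromhex("0001" "0102" "bf")
# Name "BLE-001", Service UUID 0x1234, battery 87%.
SAMPLE_SCAN_RESPONSE = bytes([8, 0x09]) + b"BLE-001" + bytes([4, 0x16, 0x34, 0x12, 87])

if __name__ == "__main__":
    beacon = parse_ibeacon(SAMPLE_IBEACON)
    print(beacon)
    print(parse_scan_response(SAMPLE_SCAN_RESPONSE))
    print(round(estimate_distance_m(beacon.reference_rssi, -85), 1), "m")
```

BLE broadcast frames are sent without the sender accessing the WLAN, so a receiver has no assurance about who produced them; the length and range checks keep malformed frames out of the location calculation.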

19.2.2 Bluetooth Tag Location


Basic Concepts
As shown in Figure 19-4, a Bluetooth tag location system is composed of multiple Bluetooth
tags, at least three APs with built-in Bluetooth modules, one or more ACs, one location
server, and one management system.


Figure 19-4 Bluetooth tag location system architecture

Functions of each component in a Bluetooth tag location system are as follows:
● Bluetooth tag: is manufactured by Bluetooth tag vendors and generates Bluetooth signals
based on the BLE protocol. Bluetooth tags periodically send BLE broadcast frames.
● AP: scans BLE broadcast frames sent by Bluetooth tags to obtain Bluetooth tag information
and reports the information to an AC or a location server. The information includes RSSI
calibration values, battery power, and Bluetooth tag disconnection alarms.
● AC: delivers the Bluetooth location function configuration, and reports Bluetooth tag
information and Bluetooth tag offline alarms to the location server.
● Location server: You can make a location map model on a location server. After APs
with built-in Bluetooth modules are added to a location server, the location server can
determine AP installation locations, compute Bluetooth tag locations, and monitor
Bluetooth tag status.
● Management system: obtains Bluetooth tag information from a location server, analyzes the
information, and manages assets and guests that carry Bluetooth tags.

Implementation
As shown in Figure 19-4, Bluetooth tag location technology is used to locate Bluetooth tags
by the following procedure:
1. The built-in Bluetooth module of an AP scans surrounding Bluetooth tags and collects BLE
broadcast frames sent by Bluetooth tags. A BLE broadcast frame contains Bluetooth tag
information including the RSSI calibration value, battery power, and Bluetooth tag
disconnection alarms.
Bluetooth tags periodically send BLE broadcast frames and do not need to access a WLAN.
Figure 19-5 shows the format of a BLE broadcast frame.

Figure 19-5 Format of a BLE broadcast frame


Length | 1 byte | 1 byte | 1 byte | 1 byte | 1 byte | 2 bytes | 1 byte | 1 byte | 1 byte | 1 byte | ≤ 20 bytes
Field | Data Length | BLE Flags | Flag Data | Data Length | Company Manufacture Data | Company ID | BLE Type | Battery volume | Current | Reference RSSI | Reserved


Fields of a BLE broadcast frame are described from left to right as follows:
– Data Length: total length of the BLE Flags and Flag Data fields
– BLE Flags: field defined by the BLE protocol. For details, see Chapter 18.1 of Part
C in Volume 3 of Bluetooth 4.0 Core Specification.
– Flag Data: field defined by the BLE protocol. For details, see Chapter 18.1 of Part
C in Volume 3 of Bluetooth 4.0 Core Specification.
– Data Length: total length of the Company Manufacture Data, Company ID, BLE
Type, Battery volume, Current, Reference RSSI, and Reserved fields.
– Company Manufacture Data: vendor information.
– Company ID: company ID applied for by Huawei from the Bluetooth Special Interest
Group (Bluetooth SIG).
– BLE Type: tag type. Currently, only 0x00 is supported, which indicates the
universal tag.
– Battery volume: battery power level ranging from 0 to 100 in decimal notation that
corresponds to battery power from 0% to 100%.
– Current: Bluetooth tag disconnection alarm. The value 0 indicates that a Bluetooth
tag is connected, while 1 indicates that a Bluetooth tag is disconnected. For devices
that do not support Bluetooth tag disconnection alarms, the field value is fixed at 0.
– Reference RSSI: RSSI calibration value, which is measured 1 meter away from a
Bluetooth tag. The distance between a Bluetooth tag and an AP is calculated based on
this field.
– Reserved: field defined by tag vendors. The field length is less than or equal to 20
bytes.
2. The AP reports the obtained information about Bluetooth tags to an AC.
3. The AC reports information about all Bluetooth tags and Bluetooth tag offline alarms to a
location server.
4. Make a floor plan and location map model on the location server. After APs with built-in
Bluetooth modules are added to the location server, the location server can determine AP
installation locations, compute Bluetooth tag locations, and monitor Bluetooth tag status.
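
The Bluetooth tag frame of Figure 19-5, parsed with the consistency checks that the field descriptions above imply, followed by the two tag conditions the text names: disconnection and low battery (an added example, not Huawei code). The field sizes are taken from the figure in order; the little-endian Company ID, the placeholder Company ID 0xFFFF, the alarm labels, the "below the threshold" comparison, and all sample bytes are assumptions made here.

```python
import struct
from dataclasses import dataclass

# The ten fixed-size fields of Figure 19-5 (11 bytes); Reserved follows them.
HEADER = struct.Struct("<BBBBBHBBBb")
MAX_RESERVED = 20                   # Reserved is at most 20 bytes
SUPPORTED_BLE_TYPE = 0x00           # only the universal tag type is supported
DEFAULT_LOW_POWER_THRESHOLD = 20    # percent, default low power alarm threshold


@dataclass(frozen=True)
class TagFrame:
    company_id: int
    battery: int          # percent, 0..100
    disconnected: bool    # Current field: 1 = disconnected, 0 = connected
    reference_rssi: int   # dBm, calibration value measured 1 m from the tag
    reserved: bytes


def parse_tag_frame(frame: bytes) -> TagFrame:
    """Parse a Bluetooth tag broadcast frame and reject inconsistent input."""
    if not HEADER.size <= len(frame) <= HEADER.size + MAX_RESERVED:
        raise ValueError(f"frame length {len(frame)} is outside 11..31 bytes")
    (flags_len, _ble_flags, _flag_data, mfr_len, _mfr_data, company_id,
     ble_type, battery, current, ref_rssi) = HEADER.unpack_from(frame)
    reserved = frame[HEADER.size:]
    # First Data Length = BLE Flags + Flag Data.
    if flags_len != 2:
        raise ValueError(f"first Data Length is {flags_len}, expected 2")
    # Second Data Length = seven fixed bytes (Company Manufacture Data through
    # Reference RSSI) plus however many Reserved bytes follow.
    if mfr_len != 7 + len(reserved):
        raise ValueError(f"second Data Length is {mfr_len}, frame carries {7 + len(reserved)}")
    if ble_type != SUPPORTED_BLE_TYPE:
        raise ValueError(f"unsupported BLE Type 0x{ble_type:02x}")
    if battery > 100:
        raise ValueError(f"battery volume {battery} is outside 0..100")
    if current not in (0, 1):
        raise ValueError(f"Current field is {current}, expected 0 or 1")
    return TagFrame(company_id, battery, current == 1, ref_rssi, reserved)


def tag_alarms(tag: TagFrame, low_power_threshold: int = DEFAULT_LOW_POWER_THRESHOLD) -> list:
    """Return the alarm labels (hypothetical names) that apply to one parsed tag."""
    alarms = []
    if tag.disconnected:
        alarms.append("disconnected")
    # Assumption: the low power condition is "battery below the threshold".
    if tag.battery < low_power_threshold:
        alarms.append("low-power")
    return alarms


# Constructed sample frames (not captured from real tags); Company ID 0xFFFF is a placeholder.
HEALTHY_TAG = bytes.fromhex("020106" "07ff" "ffff" "00" "5a" "00" "c5")           # 90%, connected
ALARMING_TAG = bytes.fromhex("020106" "09ff" "ffff" "00" "0f" "01" "c5" "aabb")   # 15%, disconnected

if __name__ == "__main__":
    for raw in (HEALTHY_TAG, ALARMING_TAG):
        tag = parse_tag_frame(raw)
        print(tag, tag_alarms(tag))
```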

19.2.3 Bluetooth Data Transparent Transmission


Basic Concepts
As shown in Figure 19-6, a Bluetooth data transparent transmission system consists of
multiple Bluetooth clients, one or more APs with built-in Bluetooth modules, one or more
ACs, and one server.


Figure 19-6 Mechanism of Bluetooth data transparent transmission

Functions of each component in a Bluetooth data transparent transmission system are as
follows:
● Bluetooth client: is manufactured by Bluetooth client vendors and generates Bluetooth
signals based on the BLE protocol. Bluetooth clients obtain users' health data (such as
the body temperature measured by Bluetooth thermometers) and periodically send BLE
broadcast frames containing users' health data.
● AP: scans BLE broadcast frames sent by Bluetooth clients. An AP only parses the header
of BLE broadcast frames but does not parse the data field in the frames. An AP obtains
MAC addresses and RSSIs of Bluetooth clients from the BLE broadcast frames, and
reports the information to an AC or a server.
● AC: delivers configurations and sends information in BLE broadcast frames to a server.
The information includes users' health data, MAC addresses and RSSIs of Bluetooth
clients, and Bluetooth client offline alarms.
● Server: parses and obtains users' health data carried in BLE broadcast frames for analysis
and management.

Implementation
As shown in Figure 19-6, Bluetooth data is transparently transmitted as follows:
1. The built-in Bluetooth module of an AP scans surrounding Bluetooth clients, and
collects BLE broadcast frames sent by the clients. BLE broadcast frames carry users'
health data, and MAC addresses and RSSIs of Bluetooth clients.
Bluetooth clients periodically send BLE broadcast frames and do not need to access a
WLAN.
2. The AP sends information obtained from Bluetooth clients to an AC or a server. The
information includes users' health data, and MAC addresses and RSSIs of Bluetooth
clients.
3. The AC sends information reported by APs to a server. The information includes users'
health data, MAC addresses and RSSIs of Bluetooth clients, and Bluetooth client offline
alarms.
4. The server parses and obtains users' health data carried in BLE broadcast frames for
analysis and management.


19.3 Application Scenarios for Bluetooth Location

19.3.1 Bluetooth Terminal Location


As shown in Figure 19-7, APs can be deployed in shopping malls and parking lots and
provide the Bluetooth location function through the built-in Bluetooth module while
providing the Wi-Fi access service.

Users can use mobile phones to scan BLE devices and upload information about scanned BLE
devices to the location server to implement location and navigation through apps.

Shop owners can deploy BLE devices to push commodity information and promotion
information through apps to users who have scanned broadcast frames sent by the BLE
devices.

Figure 19-7 Networking diagram for the Bluetooth location system (components shown: location server, app server, AC, AP, and BLE devices)

19.3.2 Bluetooth Tag Location


As shown in Figure 19-8, APs in schools, warehouses, hospitals, and enterprises provide
WLAN access service for users. Working with the location server, APs with built-in Bluetooth
modules also provide the Bluetooth Tag location function to locate key devices, assets, and
guests.


Figure 19-8 Typical networking for Bluetooth tag location (components shown: management system, location server, AC, three APs, and Bluetooth tags Tag1 and Tag2 sending Bluetooth signals)

19.3.3 Bluetooth Data Transparent Transmission


As shown in Figure 19-9, APs with built-in Bluetooth modules deployed in hospitals and
schools can provide the Bluetooth data transparent transmission function while providing
Wi-Fi access. Bluetooth clients (such as Bluetooth thermometers, blood pressure monitors, and
heart rate monitors) worn by users collect their health data. The data then can be analyzed for
health monitoring.


Figure 19-9 Networking diagram for Bluetooth data transparent transmission (components shown: server, AC, AP, and Bluetooth clients sending Bluetooth signals)

19.4 Licensing Requirements and Limitations for Bluetooth Location

Involved Network Elements
AP
● APs mentioned in this document are Huawei AP products. You are advised to use
Huawei APs to connect to the AC.
● You can run the display ap-type all command to check the default AP types supported
by the device.

Product Software Version | AP Software Version
V200R012C00 | V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10
V200R011C10 | V200R008C10, V200R008C00, V200R007C20, V200R007C10
V200R011C00 | V200R007C20, V200R007C10
V200R010C00 | V200R007C10
V200R009C00 | -

Bluetooth device
● Bluetooth devices generate Bluetooth signals based on the BLE or iBeacon protocol.
They include BLE devices, Bluetooth tags, and Bluetooth clients (such as Bluetooth
thermometers, blood pressure monitors, and heart rate monitors).
– BLE devices are manufactured by BLE device vendors and generate Bluetooth
signals based on the iBeacon protocol. BLE devices periodically send BLE
broadcast frames. Currently, only BLE devices from Lanke Xuntong Technology
are supported.
– Bluetooth tags are manufactured by Bluetooth tag vendors and generate Bluetooth
signals based on the BLE protocol. Bluetooth tags periodically send BLE broadcast
frames.
– Bluetooth clients are manufactured by Bluetooth client vendors and generate
Bluetooth signals based on the BLE protocol. Bluetooth clients periodically send
BLE broadcast frames.

eSight
● Functions as the location server and display terminal in the location system. The location
server computes the signal transmission model according to locations of APs and
obstacles, and calculates locations of terminals, rogue APs, or Wi-Fi interference sources
based on the RSSI information collected by each AP. The display terminal draws maps
and displays locations of the devices on the map.
● The Bluetooth location function is supported by eSight V300R006C00.

Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
● AP resource license-16AP for WLAN access controller
● AP resource license-64AP for WLAN access controller
● AP resource license-128AP for WLAN access controller
● AP resource license-512AP for WLAN access controller


For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.

Version Requirements

Table 19-1 Products and minimum version supporting the WLAN service

Series | Product Model | Minimum Version Required
S1700 series switches | - | Not supported
S2700 series switches | - | Not supported
S3700 series switches | - | Not supported
S5700 series switches | S5720HI, S5730HI | S5720HI: Bluetooth Terminal Location: V200R009; Bluetooth Tag Location and Bluetooth data transparent transmission: V200R011. S5730HI: V200R012
S6700 series switches | S6720HI | V200R012

Feature Limitations
Bluetooth Terminal Location
● Only the R250D-E, R251D-E, AP2050DN-E, AP2051DN-E, AP4050DN-E,
AP8050DN, AP8050DN-S, AP8150DN, AP4051TN, AP6052DN, AP7052DN,
AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, AP8182DN, and AP7050DE
support Bluetooth location, Bluetooth tag location and Bluetooth data transparent
transmission. Only the AP4050DN-E supports the Bluetooth broadcast function.
● Bluetooth terminals must support BLE 4.0 or later versions and can properly report
received RSSI information to the location server through apps.
● After the Bluetooth monitoring function is enabled, APs will obtain battery power
information about surrounding BLE devices at 02:00 of the AC system time, which is
off-peak hours of WLAN services. If the system time is different from the actual time,
obtaining battery power information may interrupt WLAN services. To prevent such an
issue, configure the system time correctly on the AC.
● After enabling the Bluetooth location function, you are advised to deploy APs in
channels 1, 6, and 11 on the 2.4 GHz frequency band.
Bluetooth Tag Location and Bluetooth data transparent transmission


● To implement Bluetooth tag location and Bluetooth data transparent transmission,
Bluetooth devices must support BLE 4.0 or later versions and can report RSSIs to a
location server through APs.
● After the Bluetooth tag location function is enabled, at least three APs need to collect
location information about a Bluetooth tag to be located and send the information to the
location server. The location server matches the RSSIs received by the APs with
information in the database, and obtains the location of the Bluetooth tag.
● After enabling the Bluetooth location function, you are advised to deploy APs in
channels 1, 6, and 11 on the 2.4 GHz frequency band.
● Enabling both the Bluetooth scanning and broadcast functions of an AP affects the
efficiency for the AP's Bluetooth module to scan surrounding BLE devices. When an AP
does not serve as a Bluetooth base station, it is recommended that the broadcast function
of the AP be disabled.

19.5 Default Settings for Bluetooth Location


Table 19-2 Default settings for Bluetooth location

Parameter | Default Setting
Bluetooth broadcast function | Disabled
Interval for sending BLE broadcast frames | 500 ms
Content of a BLE broadcast frame | The UUID, Major, and Minor fields in a BLE broadcast frame are null. The default RSSI calibration value is -65 dBm.
Transmit power of an AP's built-in Bluetooth module | 0 dBm
Bluetooth monitoring function | Disabled
Low power alarm threshold for BLE devices | 20%
Monitoring list of BLE devices | Unconfigured
Bluetooth tag location function | Disabled
Bluetooth data transparent transmission function | Disabled

19.6 Configuring Bluetooth Location


19.6.1 Configuring Bluetooth Terminal Location

Pre-configuration Tasks
Before configuring Bluetooth Terminal location, perform the tasks listed in the following
table.


Table 19-3 Pre-configuration tasks

Task | Description
Create an AP group | Each AP will be added and can be added to only one AP group. An AP group is typically used to provide the same configurations for multiple APs. By default, the system has an AP group default. To create an AP group, execute this task. For details, see 5.8 Creating an AP Group.
Configure an AP to go online: Configure a DHCP server | To go online normally, APs and STAs must obtain IP addresses. You can configure an AC as a DHCP server or use an independent DHCP server to allocate IP addresses to APs and STAs. For details, see 5.9.1 Configuring a DHCP Server.
Configure an AP to go online: Configure network interconnections | To enable APs and STAs to obtain IP addresses, APs to discover the AC and go online on the AC, and STAs to access the network, configure interconnections between network devices. For details, see 5.9.2 Configuring Network Interconnections.
Configure an AP to go online: Configure country codes | Correct country code configuration ensures that radio attributes of APs comply with laws and regulations of countries and regions to which the APs are delivered. For details, see 5.9.3 Configuring Country Codes.
Configure an AP to go online: Configure a source interface | Before an AP establishes a CAPWAP tunnel with an AC, a source interface or source address must be specified for the AC. For details, see 5.9.4 Configuring a Source Interface or Source Address.
Configure an AP to go online: Add APs | You can add APs in any of the following modes: importing APs offline; configuring the AC to automatically discover an AP; manually confirming APs added to the list of unauthorized APs. Adding an AP offline is recommended when the MAC address or SN of the AP is already learned. For details, see 5.9.8 Adding APs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ble-profile name profile-name
A BLE profile is created.
By default, no BLE profile is created.
Step 4 Run sniffer enable ibeacon-mode
By default, the Bluetooth function of an AP's built-in Bluetooth module is disabled.
Step 5 Configure the Bluetooth broadcast function for an AP's built-in Bluetooth module.
NOTE
● If an independent Bluetooth device is deployed on a WLAN, this step is optional.
● If no independent Bluetooth device is deployed on a WLAN, this step is mandatory.
● Only the AP4050DN-E supports the Bluetooth broadcast function.
1. Run broadcaster enable
The Bluetooth broadcast function of an AP's built-in Bluetooth module is enabled.
By default, the Bluetooth broadcast function of an AP's built-in Bluetooth module is
disabled.
2. Run tx-power tx-power-value
The transmit power is set for the built-in Bluetooth module of an AP.
By default, the transmit power of an AP's built-in Bluetooth module is 0 dBm.
3. Run broadcasting-content { uuid { uuid-character-string uuid-value | uuid-hex uuid-value } | major { major-character-string major-value | major-hex major-value | major-decimal major-value } | minor { minor-character-string minor-value | minor-hex minor-value | minor-decimal minor-value } | reference-rssi reference-rssi-value }*
The content of BLE broadcast frames sent by an AP's built-in Bluetooth module is
configured.
By default, the UUID, Major, and Minor fields in a BLE broadcast frame sent by an AP's
built-in Bluetooth module are null, and the RSSI calibration value is -65 dBm.
The RSSI calibration value in a BLE broadcast frame is set based on the actual
measurement result.
4. Run broadcasting-interval broadcasting-interval-value
The interval for an AP's built-in Bluetooth module to send BLE broadcast frames is set.
By default, the built-in Bluetooth module of an AP sends BLE broadcast frames at an
interval of 500 ms.
Step 6 Run quit
Return to the WLAN view.
Step 7 Enter the AP view or AP group view.
● Run the ap-group name group-name command to enter the AP group view.
● Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
view.
Step 8 (Optional) Run broadcasting-content uuid { uuid-character-string uuid-value | uuid-hex uuid-value }
The UUID of BLE broadcast frames sent by an AP's built-in Bluetooth module is configured.
By default, the UUID of the BLE broadcast frames sent by an AP's built-in Bluetooth module
is null.
Step 9 (Optional) Run ble-profile profile-name
A BLE profile is applied to an AP or AP group.
By default, no BLE profile is bound to an AP group or AP.


Step 10 Server-side location is enabled.

1. Run report enable

An AP is enabled to send Bluetooth terminal location packets.

By default, an AP is disabled from sending Bluetooth packets.

2. Run report-mode { immediate | periodic [ interval interval ] }

The mode in which Bluetooth terminal location packets are sent is configured.

By default, an AP sends Bluetooth packets at an interval of 10 seconds.

3. Run report-to-server ip-address ip-address port port-num [ via-ac ac-port ac-port-num ] or report-to-server domain domain port port-num

The destination IP address and port number to which an AP sends Bluetooth terminal
location packets are configured.

By default, no destination IP address or port number is configured for APs to report
Bluetooth packets.

Step 11 Run quit

Return to the WLAN view.

Step 12 (Optional) Run ble low-power-threshold low-power-threshold

The low power alarm threshold for BLE devices is set.

By default, the low power alarm threshold of BLE devices or Bluetooth tags is 20%.

Step 13 (Optional) Run ble monitoring-list mac mac-address1 [ to mac-address2 ]

A specified Bluetooth device is added to the monitoring list on the built-in Bluetooth module
of an AP.

By default, no Bluetooth devices are added to the monitoring list.

When no Bluetooth device is added to the monitoring list, all Bluetooth devices are
monitored. When any Bluetooth device is offline or has insufficient battery power, an alarm is
triggered on the AC accordingly. When Bluetooth devices are added to the monitoring list,
only the Bluetooth devices in the list are monitored. When a Bluetooth device in the
monitoring list is offline or has insufficient battery power, an alarm is triggered on the AC
accordingly.

----End

Verifying the Configuration


• Run the display ble-profile { all | name profile-name } command to check configuration
  and reference information about a BLE profile.
• Run the display references ble-profile name profile-name command to check reference
  information about a BLE profile.

Follow-up Procedure
After configuring Bluetooth location, you need to perform the following operations to check
location results on a location server.


• Configure Bluetooth location parameters on the location server.
• Configure eSight to communicate with an app server.
• Install a Bluetooth location app (usually provided by a location server vendor) on a
  Bluetooth terminal (such as a mobile phone). Enable Bluetooth, and enable Wi-Fi or
  mobile cellular networks, to ensure that the Bluetooth terminal can access a network and
  send information about scanned BLE devices to the location server.

19.6.2 Configuring Bluetooth Tag Location

Pre-configuration Tasks
Before configuring the Bluetooth tag location function, complete the following tasks:

Table 19-4 Pre-configuration tasks

Task: Create an AP group
Description: Each AP will be added and can be added to only one AP group. An AP group is
typically used to provide the same configurations for multiple APs. By default, the system
has an AP group default. To create an AP group, execute this task. For details, see 5.8
Creating an AP Group.

Task: Configure an AP to go online

  Configure a DHCP server
  Description: To go online normally, APs and STAs must obtain IP addresses. You can
  configure an AC as a DHCP server or use an independent DHCP server to allocate IP
  addresses to APs and STAs. For details, see 5.9.1 Configuring a DHCP Server.

  Configure network interconnections
  Description: To enable APs and STAs to obtain IP addresses, APs to discover the AC and go
  online on the AC, and STAs to access the network, configure interconnections between
  network devices. For details, see 5.9.2 Configuring Network Interconnections.

  Configure country codes
  Description: Correct country code configuration ensures that radio attributes of APs
  comply with laws and regulations of countries and regions to which the APs are delivered.
  For details, see 5.9.3 Configuring Country Codes.

  Configure a source interface
  Description: Before an AP establishes a CAPWAP tunnel with an AC, a source interface or
  source address must be specified for the AC. For details, see 5.9.4 Configuring a Source
  Interface or Source Address.

  Add APs
  Description: You can add APs in any of the following modes:
  • Importing APs offline.
  • Configuring AC to automatically discover an AP.
  • Manually confirming APs added to the list of unauthorized APs.
  Adding an AP offline is recommended when the MAC address or SN of the AP is already
  learned. For details, see 5.9.8 Adding APs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ble-profile name profile-name
A BLE profile is created.
By default, no BLE profile is created.


Step 4 Run sniffer enable tag-mode


The Bluetooth tag location function of an AP's built-in Bluetooth module is enabled.
By default, the Bluetooth function of an AP's built-in Bluetooth module is disabled.
Step 5 Run report enable
An AP is enabled to report Bluetooth packets.
By default, an AP is disabled from sending Bluetooth packets.
Step 6 (Optional) Run report-mode { immediate | periodic [ interval interval ] }
The mode in which an AP reports Bluetooth packets is configured.
By default, an AP sends Bluetooth packets at an interval of 10 seconds.
Step 7 Run report-to-server ip-address ip-address port port-num [ via-ac ac-port ac-port-num ] or
report-to-server domain domain port port-num
The destination server and port number for an AP to report Bluetooth packets are configured.
By default, no destination IP address or port number is configured for APs to report Bluetooth
packets.
Step 8 Run quit
Return to the WLAN view.
Step 9 The AP view or AP group view is displayed.
• Run the ap-group name group-name command to enter the AP group view.
• Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP view.
Step 10 Run ble-profile profile-name
A BLE profile is bound to an AP group or an AP.
By default, no BLE profile is bound to an AP group or AP.
Step 11 Run quit
Return to the WLAN view.
Step 12 (Optional) Run ble report interval interval-value
The interval at which an AP reports Bluetooth device information is set.
By default, an AP reports Bluetooth device information at an interval of 10 minutes.
Step 13 (Optional) Run ble low-power-threshold low-power-threshold
A low power alarm threshold is set for BLE devices or Bluetooth tags.
By default, the low power alarm threshold of BLE devices or Bluetooth tags is 20%.
Step 14 (Optional) Run ble monitoring-list mac mac-address1 [ to mac-address2 ]
Specified BLE devices or Bluetooth tags are added to the monitoring list of an AP's built-in
Bluetooth module.
By default, no Bluetooth devices are added to the monitoring list.


When no Bluetooth device is added to the monitoring list, all Bluetooth devices are
monitored. When any Bluetooth device is offline or has insufficient battery power, an alarm is
triggered on the AC accordingly. When Bluetooth devices are added to the monitoring list,
only the Bluetooth devices in the list are monitored. When a Bluetooth device in the
monitoring list is offline or has insufficient battery power, an alarm is triggered on the AC
accordingly.

----End

Verifying the Configuration


• Run the display ble-profile { all | name profile-name } command to check configuration
  and reference information about a BLE profile.
• Run the display wlan ble global configuration command to view global configurations
  of Bluetooth devices.
• Run the display references ble-profile name profile-name command to check reference
  information about a BLE profile.

Follow-up Procedure
After configuring the Bluetooth tag location function, configure related Bluetooth tag location
parameters on eSight so that you can view location results on eSight.

19.6.3 Configuring Bluetooth Data Transparent Transmission

Pre-configuration Tasks
Before configuring Bluetooth data transparent transmission, complete the following tasks:

Table 19-5 Pre-configuration tasks


Task: Create an AP group
Description: Each AP will be added and can be added to only one AP group. An AP group is
typically used to provide the same configurations for multiple APs. By default, the system
has an AP group default. To create an AP group, execute this task. For details, see 5.8
Creating an AP Group.

Task: Configure an AP to go online

  Configure a DHCP server
  Description: To go online normally, APs and STAs must obtain IP addresses. You can
  configure an AC as a DHCP server or use an independent DHCP server to allocate IP
  addresses to APs and STAs. For details, see 5.9.1 Configuring a DHCP Server.

  Configure network interconnections
  Description: To enable APs and STAs to obtain IP addresses, APs to discover the AC and go
  online on the AC, and STAs to access the network, configure interconnections between
  network devices. For details, see 5.9.2 Configuring Network Interconnections.

  Configure country codes
  Description: Correct country code configuration ensures that radio attributes of APs
  comply with laws and regulations of countries and regions to which the APs are delivered.
  For details, see 5.9.3 Configuring Country Codes.

  Configure a source interface
  Description: Before an AP establishes a CAPWAP tunnel with an AC, a source interface or
  source address must be specified for the AC. For details, see 5.9.4 Configuring a Source
  Interface or Source Address.

  Add APs
  Description: You can add APs in any of the following modes:
  • Importing APs offline.
  • Configuring AC to automatically discover an AP.
  • Manually confirming APs added to the list of unauthorized APs.
  Adding an AP offline is recommended when the MAC address or SN of the AP is already
  learned. For details, see 5.9.8 Adding APs.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run ble-profile name profile-name

A BLE profile is created.

By default, no BLE profile is created.

Step 4 Run sniffer enable transparent-mode

Bluetooth data transparent transmission is enabled on an AP's built-in Bluetooth module.

By default, the Bluetooth function of an AP's built-in Bluetooth module is disabled.

Step 5 Run report enable

An AP is enabled to send Bluetooth data packets for transparent transmission.

By default, an AP is disabled from sending Bluetooth packets.

Step 6 (Optional) Run report-mode { immediate | periodic [ interval interval ] }

The mode of sending Bluetooth data packets for transparent transmission is configured.

By default, an AP sends Bluetooth packets at an interval of 10 seconds.

Step 7 Run report-to-server ip-address ip-address port port-num [ via-ac ac-port ac-port-num ] or
report-to-server domain domain port port-num


The destination IP address and port number are configured for an AP to send Bluetooth data
packets for transparent transmission.

By default, no destination IP address or port number is configured for APs to report Bluetooth
packets.

Step 8 Run quit

Return to the WLAN view.

Step 9 The AP view or AP group view is displayed.


• Run the ap-group name group-name command to enter the AP group view.
• Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP view.

Step 10 Run ble-profile profile-name

A BLE profile is bound to the AP or AP group.

By default, no BLE profile is bound to an AP group or AP.

Step 11 Run quit

Return to the WLAN view.

Step 12 (Optional) Run ble report interval interval-value

The interval at which an AP reports Bluetooth device information is set.

By default, an AP reports Bluetooth device information at an interval of 10 minutes.

Step 13 (Optional) Run ble monitoring-list mac mac-address1 [ to mac-address2 ]

Specified Bluetooth clients are added to the monitoring list of an AP's built-in Bluetooth
module.

By default, no Bluetooth devices are added to the monitoring list.

When no Bluetooth device is added to the monitoring list, all Bluetooth devices are
monitored. When any Bluetooth device is offline or has insufficient battery power, an alarm is
triggered on the AC accordingly. When Bluetooth devices are added to the monitoring list,
only the Bluetooth devices in the list are monitored. When a Bluetooth device in the
monitoring list is offline or has insufficient battery power, an alarm is triggered on the AC
accordingly. Bluetooth clients do not support low power alarms.

----End

Verifying the Configuration


• Run the display ble-profile { all | name profile-name } command to check configuration
  and reference information about a BLE profile.
• Run the display wlan ble global configuration command to check global configurations
  of Bluetooth devices.
• Run the display references ble-profile name profile-name command to check reference
  information about a BLE profile.


Follow-up Procedure
After Bluetooth data transparent transmission is configured, servers need to collect data from
Bluetooth clients for effective Bluetooth data analysis.

19.7 Maintaining Bluetooth Location


19.7.1 Checking Information About BLE Devices Used for Bluetooth Location

Procedure
• Run the display wlan ble site-info { all | mac-address mac-address | host-ap { valid |
  host-ap-id ap-id | host-ap-name ap-name } } command to check information about
  BLE devices scanned and obtained by an AP's built-in Bluetooth module.
• Run the display wlan ble monitoring-list command to check BLE devices that have
  been added to the monitoring list.
----End

19.7.2 Deleting Information About BLE Devices Stored on the AC

Procedure
• Run the reset wlan ble site-info { all | mac-address mac-address } command to delete
  information about BLE devices stored on the AC.
----End

19.8 Configuration Examples for Bluetooth Location


19.8.1 Example for Configuring Bluetooth Location
Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 19-10, an AC is connected to an AP through a switch on the network of a
shopping mall.


The administrator expects to use the AP to scan BLE broadcast frames sent by BLE devices to
obtain information about the BLE devices, such as universally unique identifiers (UUIDs) and
received signal strength indicator (RSSI) calibration values, and report the information to the
location server. When Bluetooth terminals of customers scan BLE devices and report obtained
information about the BLE devices to the location server, the location server implements
location algorithms for providing navigation services and pushing commodity sales
information to customers through apps.

Figure 19-10 Networking diagram for configuring basic Bluetooth location services
[Figure: networking diagram labelled with the app server, location server, AC (GE0/0/1, GE0/0/2), SwitchA (GE0/0/1, GE0/0/2), AP area_1, three BLE devices, and a Bluetooth terminal; the legend marks Bluetooth signals]

Data Plan
Item                        Data
Management VLAN for APs     VLAN 100
Service VLAN for STAs       VLAN 101
DHCP server                 The AC functions as the DHCP server for STAs and APs.
IP address pool for APs     10.23.100.2-10.23.100.254/24
IP address pool for STAs    10.23.101.2-10.23.101.254/24
AC's source interface       VLANIF 100
AP group                    • Name: ap-group1
                            • Referenced profiles: regulatory domain profile domain1,
                              VAP profile wlan-vap, and BLE profile wlan-ble
Regulatory domain profile   • Name: domain1
                            • Country code: CN
SSID profile                • Name: wlan-ssid
                            • SSID name: wlan-net
Security profile            • Name: wlan-security
                            • Security policy: WPA2+PSK+AES
                            • Password: a1234567
VAP profile                 • Name: wlan-vap
                            • Forwarding mode: tunnel forwarding
                            • Service VLAN: VLAN 101
                            • Referenced profiles: SSID profile wlan-ssid and security
                              profile wlan-security
BLE profile                 • Name: wlan-ble
                            • Bluetooth monitoring function: enable

Configuration Roadmap
The configuration roadmap is as follows:

• Configure basic WLAN services so that users can access the WLAN of the shopping
  mall and send information about scanned BLE devices to the location server.
• Configure the Bluetooth location function so that the AP can scan BLE devices and send
  obtained information about the BLE devices to the location server.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.


Procedure
Step 1 Configure the location server.
Complete the location configuration on the location server. For details, see related documents
of the location server.
Step 2 Configure the switch and AC so that the AP and AC can exchange CAPWAP packets.
# Configure access switch SwitchA. Add GE0/0/1 and GE0/0/2 on SwitchA to management
VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Configure the AC. Add GE0/0/1 to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the location server.


# Add GE0/0/2 of the AC for connecting to the location server to VLANs 100 and 101.
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk pvid vlan 100
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.

# Create an AP group to which the APs with the same configuration are to be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC's country code in the profile, and
apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Configure the AP
name based on the AP's deployment location so that you can know where the AP is deployed
by its name. For example, if the AP with MAC address 60de-4476-e360 is deployed in area 1,
name the AP as area_1.
NOTE

By default, MAC address authentication is configured using the ap auth-mode command. If the default
settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y

# Power on the AP, and run the display ap all command to check the AP state. If the State
field is displayed as nor, the AP is online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC            Name   Group     IP            Type       State STA Uptime
-------------------------------------------------------------------------------------
0  60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4050DN-E nor   0   25S
-------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.


NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AC-wlan-view] security-profile name wlan-security


[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure the Bluetooth location function.

# Create BLE profile wlan-ble and enable the Bluetooth monitoring function.
[AC-wlan-view] ble-profile name wlan-ble
[AC-wlan-ble-prof-wlan-ble] sniffer enable ibeacon-mode
[AC-wlan-ble-prof-wlan-ble] quit

# Add BLE devices within the AP's coverage area to the monitoring list.
[AC-wlan-view] ble monitoring-list mac 1234-1234-1000 to 1234-1234-1002

# Apply the BLE profile to the AP group.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ble-profile wlan-ble
[AC-wlan-ap-group-ap-group1] quit

Step 8 Verify the configuration.

The WLAN service configuration is automatically delivered to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on the AP
radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type STA SSID
------------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA2-PSK  1   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA2-PSK  0   wlan-net
------------------------------------------------------------------------------------
Total: 2


# After the AP obtains information about BLE devices, run the display wlan ble site-info
{ all | mac-address mac-address } command to view the information about BLE devices.
[AC-wlan-view] display wlan ble site-info all
--------------------------------------------------------------------------------------------------------------------
Index MAC            Host AP ID Host AP name RSSI Power Type    DetachedFlag Aging-Timeout(m) Advertisement data
--------------------------------------------------------------------------------------------------------------------
1     1234-1234-1000 0          area_1       -80  80%   ibeacon N            57               41-42-43-44-45-46-30-31-32-33-34-35-36-37-38-39-4d-41-4d-49-bf
2     1234-1234-1001 0          area_1       -85  60%   ibeacon N            57               41-42-43-44-45-46-30-31-32-33-34-35-36-37-38-39-4d-41-4d-49-bf
3     1234-1234-1002 0          area_1       -83  60%   ibeacon N            57               41-42-43-44-45-46-30-31-32-33-34-35-36-37-38-39-4d-41-4d-49-bf
--------------------------------------------------------------------------------------------------------------------
Total: 3

After connecting to the WLAN of the shopping mall using a Bluetooth terminal with Bluetooth
enabled, a user can use a location app to download the shopping mall's map and report
information about scanned BLE devices to the location server. The location server
then implements location algorithms and sends the location of the Bluetooth terminal to the
user. At the same time, the app server pushes commodity sales information to the user based
on the location of the Bluetooth terminal.

----End
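
The following check is an added example, not part of the Huawei guide: it parses display wlan ble site-info output, decodes the Advertisement data column, and compares the scanned devices with the monitoring list. The 21-byte layout (UUID, Major, Minor, signed RSSI byte), the values of entry 4, the function names, and the "below threshold" comparison are assumptions; the bf byte in the sample above decodes to the documented default of -65 dBm.

```python
import re
from dataclasses import dataclass

# Advertisement data shown in the example output above.
PAGE_ADV = "41-42-43-44-45-46-30-31-32-33-34-35-36-37-38-39-4d-41-4d-49-bf"
# Constructed payload for a device that is NOT in the monitoring list.
UNLISTED_ADV = "-".join(["58"] * 16 + ["00", "01", "00", "02", "c5"])

# Sample "display wlan ble site-info all" output. Entries 1-3 carry the values
# from the example above; entry 4 is constructed for this illustration.
SITE_INFO = f"""\
Index MAC Host AP ID Host AP name RSSI Power Type DetachedFlag Aging-Timeout(m) Advertisement data
1 1234-1234-1000 0 area_1 -80 80% ibeacon N 57 {PAGE_ADV}
2 1234-1234-1001 0 area_1 -85 60% ibeacon N 57 {PAGE_ADV}
3 1234-1234-1002 0 area_1 -83 60% ibeacon N 57 {PAGE_ADV}
4 1234-1234-2000 0 area_1 -52 90% ibeacon N 57 {UNLISTED_ADV}
Total: 4
"""

@dataclass(frozen=True)
class Beacon:
    uuid: bytes     # 16-byte UUID
    major: int
    minor: int
    ref_rssi: int   # RSSI calibration value in dBm (signed byte)

def decode_advertisement(field: str) -> Beacon:
    """Decode the 'Advertisement data' column.
    Assumed layout (iBeacon field order): UUID(16) | Major(2) | Minor(2) | RSSI(1)."""
    raw = bytes.fromhex(field.replace("-", ""))
    if len(raw) != 21:
        raise ValueError(f"expected 21 bytes, got {len(raw)}")
    return Beacon(raw[:16],
                  int.from_bytes(raw[16:18], "big"),
                  int.from_bytes(raw[18:20], "big"),
                  int.from_bytes(raw[20:], "big", signed=True))

def parse_site_info(text: str) -> list[dict]:
    """Parse device entries. Token-based, so an entry wrapped over several
    lines parses the same as a single-line row (AP names must not contain spaces)."""
    tokens = []
    for line in text.splitlines():
        s = line.strip()
        if not s or set(s) == {"-"} or s.startswith(("Index", "DetachedFlag", "Total")):
            continue  # blank lines, separators, header and footer
        tokens.extend(s.split())
    if len(tokens) % 10:
        raise ValueError("incomplete device entry")
    rows = []
    for i in range(0, len(tokens), 10):
        _idx, mac, _ap_id, ap_name, rssi, power, kind, _flag, _aging, adv = tokens[i:i + 10]
        rows.append({"mac": mac.lower(), "ap": ap_name, "rssi": int(rssi),
                     "power": int(power.rstrip("%")), "type": kind,
                     "beacon": decode_advertisement(adv)})
    return rows

def expand_monitoring_list(command: str) -> list[str]:
    """Expand 'ble monitoring-list mac A [ to B ]' into individual MAC addresses,
    as the saved configuration file lists them."""
    m = re.fullmatch(r"ble monitoring-list mac (\S+)(?: to (\S+))?", command.strip())
    if not m:
        raise ValueError("not a monitoring-list command")
    first = int(m.group(1).replace("-", ""), 16)
    last = int((m.group(2) or m.group(1)).replace("-", ""), 16)
    if not 0 <= last - first < 4096:  # arbitrary safety cap for this example
        raise ValueError("invalid or oversized MAC range")
    macs = []
    for value in range(first, last + 1):
        h = f"{value:012x}"
        macs.append(f"{h[:4]}-{h[4:8]}-{h[8:]}")
    return macs

def review(rows, monitored, expected_uuid, low_power=20):
    """Return (mac, finding) tuples for an operator to follow up.
    low_power defaults to the documented 20% alarm threshold."""
    monitored = set(monitored)
    findings = []
    for r in rows:
        if monitored and r["mac"] not in monitored:
            findings.append((r["mac"], "not in monitoring list"))
        if r["beacon"].uuid != expected_uuid:
            findings.append((r["mac"], "unexpected UUID"))
        if r["power"] < low_power:  # assumption: alarm means strictly below
            findings.append((r["mac"], "battery below threshold"))
    seen = {r["mac"] for r in rows}
    findings += [(mac, "monitored device not seen") for mac in sorted(monitored - seen)]
    return findings

if __name__ == "__main__":
    listed = expand_monitoring_list(
        "ble monitoring-list mac 1234-1234-1000 to 1234-1234-1002")
    for mac, finding in review(parse_site_info(SITE_INFO), listed, b"ABCDEF0123456789"):
        print(mac, finding)
```

Because the AC only raises offline and low-power alarms for listed devices once the monitoring list is non-empty, a review like this is one way to notice beacons that are broadcasting in the coverage area but fall outside the list.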

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#_b"h2cpaO$9bZ-;`-_;CN5)k,_\UP3[!AJE6Vtg3%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain1
 ble-profile name wlan-ble
  sniffer enable ibeacon-mode
 ble monitoring-list mac 1234-1234-1000
 ble monitoring-list mac 1234-1234-1001
 ble monitoring-list mac 1234-1234-1002
 ap-group name ap-group1
  ble-profile wlan-ble
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 61 ap-mac 60de-4476-e360 ap-sn 210235419610CB002287
  ap-name area_1
  ap-group ap-group1
#
return

19.9 References for Bluetooth Location


The following table lists the references for Bluetooth Location.

Document: iBeacon
Description: iBeacon uses Bluetooth low energy proximity sensing to transmit a universally
unique identifier picked up by a compatible app or operating system. The identifier and
several bytes sent with it can be used to determine the device's physical location, track
customers, or trigger a location-based action on the device such as a check-in on social
media or a push notification.


20 Hotspot 2.0 Configuration Guide

20.1 Overview of Hotspot 2.0


Definition
Hotspot 2.0, a technical specification designed by the Wi-Fi Alliance (WFA), aims to provide
users with cellular-like mobile experience. Built on IEEE 802.11u standards, it achieves
automatic Wi-Fi identification and seamless handovers, enabling wireless terminals to roam
between networks without additional identity authentication.

Purpose
Today's WLANs face usability problems and security vulnerabilities:
• Users need to manually connect their terminals to the WLAN, including opening WLAN
  management UI on the wireless terminals, searching for SSIDs, selecting the SSID to
  connect, and configuring identity authentication parameters.
• After associating with the AP, the wireless terminal needs to be further authenticated to
  gain access to network services.
• Different WLANs provide inconsistent and limited security mechanisms.

Hotspot 2.0 solves the security and usability problems of WLANs. It provides users with
automatic and secure WLAN access. Wireless terminals can automatically discover Hotspot
2.0 networks, select and associate with the APs based on the network information provided by
APs, and finish identity authentication.

Benefits
Benefits to network service providers
• Data traffic can be transmitted on 2G/3G/4G networks or offloaded to Wi-Fi networks.
• Roaming access is supported.
• Users enjoy varied network access modes.

Benefits to terminal users


• Automatic and simple connection process
• Granted access to several WLANs with one group of account credentials


• Secure and reliable WPA2-802.1X authentication

20.2 Understanding Hotspot 2.0


Hotspot 2.0 Network Architecture
Based on the cellular network infrastructure, the operator deploys a Hotspot 2.0 network to
provide Wi-Fi access. Figure 20-1 shows the network architecture.

Figure 20-1 Hotspot 2.0 network architecture
[Figure: STA, AP, AC, Router, Network, AAA server, HLR, and BOSS. Labels: support Hotspot 2.0
and WPA2-802.1X client; support Hotspot 2.0; 802.1X relay; support 802.1X authentication.]

Table 20-1 Description of Hotspot 2.0 NEs

NE            Description

STA           Wireless terminals that support Hotspot 2.0 and WPA2-802.1X client. STAs
              function as the ANQP clients and can obtain Hotspot 2.0 network
              information through ANQP.

AP            Wireless access points that support Hotspot 2.0 and WPA2-802.1X access.
              The APs function as the ANQP servers and can send Hotspot 2.0 network
              information to STAs through ANQP.

AC            Wireless controller that manages and configures APs in batches, and
              supports 802.1X authentication.

AAA server    Authentication, authorization, and accounting server that supports 802.1X
              authentication and EAP-SIM/AKA/TLS/TTLS encryption. It can obtain
              authentication vectors and WLAN registration information from the HLR.

HLR           Home location register (HLR), a database that stores user information on
              mobile communication networks, including the user registration information,
              mobile station location information, MSISDNs, and IMSIs.

BOSS          The operation support platform provides end-to-end business flow support
              for the carrier to handle routine tasks such as customer service, rating,
              billing, settlement and dunning.

Concepts
Hotspot 2.0 is implemented based on IEEE 802.11u standards. IEEE 802.11u defines a
mechanism for terminals to obtain WLAN information. On home or roaming networks,
terminals can obtain WLAN information through Beacon or Probe frames or the generic
advertisement service (GAS). Based on the received WLAN information, the terminals
automatically select the optimal WLAN network to access, where the terminals will be
automatically authenticated.
WLAN information is transferred through GAS and ANQP.
• GAS: a mechanism defined by 802.11u through which the STA obtains network
  information by exchanging Request and Response packets with the network side.
• Access Network Query Protocol (ANQP): a network information query protocol
  encapsulated in GAS packets.
ANQP defines the network parameters that are used to identify networks, as shown in Table
20-2.

Table 20-2 ANQP network parameters

Parameter                                   Description

NAI Realm                                   Service provider information, including the realm
                                            name and authentication type.

3GPP Cellular PLMN                          Cellular network identifier composed of MNC and
                                            MCC.

Roaming Consortium List                     Operator Identifiers (OIs) of service providers having
                                            roaming relationships with each other. STAs can
                                            determine the authentication type based on the OI.

Domain Name                                 Domain name of the access network operator, which is
                                            the identifier of the operated Hotspot 2.0 network.

Venue Name                                  Venue name that specifies the location of the Hotspot
                                            2.0 network.

Venue Info                                  Venue information that specifies the type of the
                                            location where the Hotspot 2.0 network resides.

Operator Friendly Name                      Friendly operator name displayed on the user terminal.

IP Address Type Availability Information    Available IP address types, for example, IPv4, IPv6,
                                            and NAT.

WAN Metrics                                 Load on wired interface, including link status, and
                                            uplink and downlink rates and loads.

Connection Capability                       Connection capability, including allowed IP protocols
                                            and ports of the network.

Operating Class Indication                  Operating class indication, indicating the working
                                            channel of the APs providing the same SSID and at the
                                            same location.

Network Authentication Type Information     Information used for HTTP/HTTPS redirection and
                                            DNS redirection.

HESSID                                      Homogeneous Extended Service Set Identifier, which is
                                            globally unique and uses the BSSID of one AP to
                                            identify APs of the same service provider. HESSID
                                            helps STAs to determine whether network parameters
                                            need to be renewed and assists the STAs in network
                                            selection.

Access Network Type Field                   Access network type: whether the WLAN is a private
                                            network or public network, or whether it is chargeable
                                            or free.

Internet Available Field                    Whether the Hotspot 2.0 network provides Internet
                                            access.

BSS Load Information Element                AP load information, including STA quantity and
                                            channel usage.

Hotspot 2.0 Indication                      Hotspot 2.0 indication field, which indicates that the
                                            AP supports Hotspot 2.0 and whether the AP is
                                            allowed to forward downstream broadcast or multicast
                                            packets.

Network Discovery and Selection


Figure 20-2 shows the process of Hotspot 2.0 network discovery and selection, which involves
packet exchanges between the STA and AP. Step 1 and Step 2 are parallel. Based on different
STA and AP settings, a STA may perform an active or passive scan.


Figure 20-2 Hotspot 2.0 network discovery and selection
[Figure: message sequence between the STA and AP on the network of Figure 20-1.
 1 Passive scan: Beacon
 2 Active scan: Probe Request, Probe Response
 3 Obtain network information in roaming scenarios: GAS Initial request, GAS Initial response
 4 Association with AP: Association request, Association response
 5 Identity authentication: 802.1X EAP authentication]

Users are registered at their home service providers and configured with the USIM/SIM card,
certificate, user name and password, and organization identifier (OI) of the home service
provider. In scenarios where a STA accesses a roaming WLAN, the roaming WLAN must
have set up connections with the home network. Additionally, the roaming consortium and some
or all of the following information related to the home network must be configured on the
roaming WLAN: roaming consortium list, cellular network information, and NAI realm list.
1. STA passive scan or active scan
– STA passive scan
An AP sends a Beacon frame which contains information including the Hotspot 2.0
indication, BSS load, Internet connectivity flag, network type, and information of
service providers.
Upon receiving the Beacon frame, the STA checks whether the received Beacon
frame carries the Hotspot 2.0 indication. If so, the STA determines that the AP
supports Hotspot 2.0. The STA then parses the Roaming Consortium field included
in the received frame to obtain the OI of the WLAN service provider. In this way,
the STA determines whether it is allowed to access the WLAN. Before network
access, the STA can also learn the BSS load information and then select a lightly
loaded AP to access the WLAN.
– STA active scan
The STA sends to the home AP a Probe Request frame with access network type
information. After receiving the Probe Request frame, the AP checks whether the
network type contained in the frame matches the allowed network type configured
on the AP. If so, the AP responds with a Probe Response frame, which includes
Hotspot 2.0 indication, BSS load, Internet connectivity flag, network type, and
information of one to three service providers.
When receiving the Probe Response frame, the STA checks whether the received
frame carries the Hotspot 2.0 indication. If so, the STA determines that the AP
supports Hotspot 2.0. The STA then parses the Roaming Consortium field included
in the received frame to obtain the OI of the WLAN service provider. In this way,
the STA determines whether it is allowed to access the WLAN. Before network
access, the STA can also learn the BSS load information and then select a lightly
loaded AP to access the WLAN.
2. STA obtains network information in roaming scenarios
The STA sends a GAS Initial Request frame to obtain more WLAN information,
including a list of all available service providers, supported authentication types, hotspot
operators, IP addresses and ports, and traffic over the wired port. The AP replies with a GAS
Initial Response frame, which carries ANQP network parameters.
3. STA association with the AP
The STA selects a WLAN to access based on the obtained WLAN information (such as
the realm name and authentication type), preset NAI, and access credential. Upon
determining a target WLAN, the STA sends an Association Request frame to the AP. The
Association Request frame carries the Hotspot 2.0 indication which indicates that AES
encryption and 802.1X authentication are used. The AP replies with an Association
Response frame.
4. STA identity authentication
The STA sends an 802.1X authentication request, and the AC forwards it to the AAA
server. The STA also reports NAI information. Based on the route information carried in
the NAI field, the home AAA server connects to the authentication server of the home
service provider for authentication of the STA. After passing the authentication, the STA
can access the WLAN.
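
The scan-stage checks described above (Hotspot 2.0 indication, Roaming Consortium OI, BSS load) can be reproduced offline to verify what an AP advertises. The following Python code is an added example, not part of this guide or of Huawei software: it decodes the BSS Load, Interworking, Roaming Consortium, and Hotspot 2.0 Indication elements from constructed Beacon bodies and applies the selection logic. Element IDs and bit layouts follow IEEE 802.11u and the Wi-Fi Alliance Hotspot 2.0 specification; the function names, sample APs, OIs, and the require_dgaf_disabled policy are assumptions.

```python
import struct

WFA_OUI = bytes.fromhex("506f9a")    # Wi-Fi Alliance OUI that tags the Hotspot 2.0 Indication
HS20_TYPE = 0x10                     # vendor-specific type of the Hotspot 2.0 Indication
ID_BSS_LOAD, ID_INTERWORKING, ID_ROAMING_CONSORTIUM, ID_VENDOR = 11, 107, 111, 221
# IEEE 802.11u access network type codes, named after this guide's network-type keywords.
NETWORK_TYPES = {0: "private", 1: "private-guest", 2: "public-chargeable", 3: "public-free",
                 4: "personal-device", 5: "emergency-service", 14: "test", 15: "wildcard"}

def iter_elements(body):
    """Yield (element ID, payload) pairs; raise ValueError if an element is truncated."""
    pos = 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated element header")
        eid, length = body[pos], body[pos + 1]
        if pos + 2 + length > len(body):
            raise ValueError("element %d overruns the frame body" % eid)
        yield eid, body[pos + 2:pos + 2 + length]
        pos += 2 + length

def parse_roaming_consortium(payload):
    """Return the OIs in a Roaming Consortium element as hex strings (at most three fit)."""
    if len(payload) < 2:
        raise ValueError("Roaming Consortium element too short")
    len1, len2 = payload[1] & 0x0F, payload[1] >> 4
    len3 = len(payload) - 2 - len1 - len2        # OI #3 occupies whatever is left
    if len3 < 0:
        raise ValueError("OI lengths exceed the element")
    ois, pos = [], 2
    for n in (len1, len2, len3):
        if n:
            ois.append(payload[pos:pos + n].hex())
        pos += n
    return ois

def parse_advertisement(body):
    """Extract the fields a STA evaluates from the elements of a Beacon or Probe Response."""
    info = {"hs20": False, "dgaf_disabled": False, "ois": [], "network_type": None,
            "internet": False, "hessid": None, "stations": None, "utilization": None}
    for eid, data in iter_elements(body):
        if eid == ID_BSS_LOAD and len(data) >= 3:
            info["stations"], info["utilization"] = struct.unpack_from("<HB", data)
        elif eid == ID_INTERWORKING and data:
            info["network_type"] = NETWORK_TYPES.get(data[0] & 0x0F, "reserved")
            info["internet"] = bool(data[0] & 0x10)
            if len(data) in (7, 9):              # HESSID, when present, is the last 6 bytes
                info["hessid"] = data[-6:].hex("-", 2)
        elif eid == ID_ROAMING_CONSORTIUM:
            info["ois"] = parse_roaming_consortium(data)
        elif eid == ID_VENDOR and data[:4] == WFA_OUI + bytes([HS20_TYPE]):
            if len(data) < 5:
                raise ValueError("Hotspot 2.0 Indication lacks its configuration byte")
            info["hs20"] = True
            info["dgaf_disabled"] = bool(data[4] & 0x01)   # AP does not forward group traffic
    return info

def select_ap(candidates, home_ois, require_dgaf_disabled=False):
    """Return the name of the least-loaded Hotspot 2.0 AP advertising one of home_ois."""
    usable = []
    for name, body in candidates.items():
        try:
            info = parse_advertisement(body)
        except ValueError:
            continue                             # malformed advertisement: never select it
        if not info["hs20"] or not set(info["ois"]) & set(home_ois):
            continue
        if require_dgaf_disabled and not info["dgaf_disabled"]:
            continue                             # assumed local policy, not from the guide
        load = 255 if info["utilization"] is None else info["utilization"]
        usable.append((load, name))
    return min(usable)[1] if usable else None

# --- Constructed sample data (not captured from a real network) ---
def ie(eid, payload):
    return bytes([eid, len(payload)]) + payload

def advert(stations, utilization, ois, hs20_config):
    body = ie(ID_BSS_LOAD, struct.pack("<HBH", stations, utilization, 0))
    body += ie(ID_INTERWORKING, bytes([0x12]) + bytes.fromhex("02000000aa01"))
    lens = len(ois[0]) | (len(ois[1]) << 4 if len(ois) > 1 else 0)
    body += ie(ID_ROAMING_CONSORTIUM, bytes([0, lens]) + b"".join(ois))
    if hs20_config is not None:
        body += ie(ID_VENDOR, WFA_OUI + bytes([HS20_TYPE, hs20_config]))
    return body

HOME_OI, OTHER_OI = bytes.fromhex("112233"), bytes.fromhex("445566")
SAMPLE_APS = {
    "ap-busy": advert(30, 200, [HOME_OI], 0x11),
    "ap-idle": advert(4, 40, [OTHER_OI, HOME_OI], 0x11),
    "ap-group-traffic": advert(2, 10, [HOME_OI], 0x10),    # DGAF enabled
    "ap-foreign": advert(1, 5, [OTHER_OI], 0x11),
    "ap-legacy": advert(1, 5, [HOME_OI], None),            # no Hotspot 2.0 Indication
    "ap-truncated": advert(1, 1, [HOME_OI], 0x11)[:-3],    # last element cut short
}
```

Calling select_ap(SAMPLE_APS, ["112233"], require_dgaf_disabled=True) skips the legacy, foreign, truncated, and group-forwarding APs and returns the least-loaded remaining one.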

20.3 Application Scenarios for Hotspot 2.0


STA Access to the Home Network
A home network service provider (NSP) provides both WLAN access and core networks.


Figure 20-3 Home network access
[Figure: STA, AP, and AC on the access network; AAA server and BOSS on the core network;
home network operator.]

STA Access to the Roaming Network


A roaming NSP provides a WLAN access network on which the AAA server provides the
proxy authentication function. The roaming NSP is not the STA's home NSP. When a STA
connects to a roaming network, the AAA server on the roaming network sends the
authentication request of the STA to the AAA server on the STA's home network to
implement authentication on the STA.

Figure 20-4 Roaming network access
[Figure: STA, AP, AC, access network, core network, and AAA server of the roaming network
operator; core network, AAA server, and BOSS of the home network operator.]


STA Access to the Local Network


Entities other than the NSP, such as shopping malls, coffee shops, and museums, deploy WLAN
access networks to provide services for STAs.

Figure 20-5 Local network access
[Figure: STA, AP, and AC on the local network; IP network; AAA server and BOSS.]

20.4 Licensing Requirements and Limitations for Hotspot 2.0

Involved Network Elements
AP
• APs mentioned in this document are Huawei AP products. You are advised to use
  Huawei APs to connect to the AC.
• You can run the display ap-type all command to check the default AP types supported
  by the device.

Product Software Version    AP Software Version

V200R012C00                 V200R009C00
                            V200R008C10
                            V200R008C00
                            V200R007C20
                            V200R007C10

Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
• AP resource license-16AP for WLAN access controller
• AP resource license-64AP for WLAN access controller
• AP resource license-128AP for WLAN access controller
• AP resource license-512AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.

Version Requirements

Table 20-3 Products and minimum version supporting the WLAN service

Series                   Product Model       Minimum Version Required

S1700 series switches    -                   Not supported

S2700 series switches    -                   Not supported

S3700 series switches    -                   Not supported

S5700 series switches    S5720HI, S5730HI    V200R012

S6700 series switches    S6720HI             V200R012

Feature Limitations
• WPA2-802.1X authentication must be configured for Hotspot 2.0 services.
• In WPA2-802.1X authentication, an AP uses the same GTK to send broadcast packets to
  different STAs, which brings security risks. Therefore, the AP is forbidden to forward
  broadcast or multicast packets to STAs.
• To automatically select and access Hotspot 2.0 networks, wireless terminals must
  support Hotspot 2.0 and 802.1X client, and be configured with identity credentials, such
  as the SIM/USIM card acquired from the service provider; otherwise, users need to
  manually search for SSIDs of the desired networks and enter identity authentication
  information to access the networks.

20.5 Configuring Hotspot 2.0


Pre-configuration Tasks
Before configuring Hotspot 2.0, complete the following task:
• 5 WLAN Service Configuration

Configuration Procedure
Hotspot 2.0 is configured using profiles. Figure 20-6 shows the configuration flowchart.


Figure 20-6 Hotspot 2.0 configuration flowchart
[Flowchart elements: AP group, AP, VAP profile, Hotspot 2.0 profile, authentication profile,
security policy profile, traffic profile, NAI realm profile, operator domain profile, and
venue name profile. Callouts: configure 802.1X authentication; configure downstream
broadcast control on APs.]

The configuration procedure is as follows:

20.5.1 Configuring WPA2-802.1X Authentication

Context
Hotspot 2.0 requires use of the WPA2-802.1X security policy and AES encryption algorithm.
Therefore, you need to configure WPA2-802.1X authentication in the security profile and
authentication profile.
• See 12.4.2.4 Configuring WPA/WPA2-802.1X for the security profile configuration.
• See NAC Configuration (Unified Mode) for 802.1X authentication configuration, and
  Configuring an 802.1X Access Profile for access mode configuration.

20.5.2 Configuring a Hotspot 2.0 Profile

Context
Hotspot 2.0 networks are usually provided by network service providers who can set network
parameters in compliance with Hotspot 2.0 standards to identify the networks. Wireless
terminals can obtain network information and automatically select and access the desired
networks based on the preset identity credentials. The administrator needs to configure the
APs through Hotspot 2.0 profiles according to the parameters provided by the network service
providers so that the APs can provide Hotspot 2.0 network information to the wireless
terminals. After the Hotspot 2.0 profiles are applied to VAP profiles, the configuration takes
effect.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run hotspot2-profile name profile-name
A Hotspot 2.0 profile is created and the Hotspot 2.0 profile view is displayed.
By default, no Hotspot 2.0 profile is available.
Step 4 Run network-type { emergency-service | personal-device | private | private-guest |
public-chargeable | public-free | test | wildcard } [ internet-access ]
The Hotspot 2.0 network type and Internet access status are configured.
By default, the network type is set to wildcard, and Internet access is not supported.
Step 5 (Optional) Run hessid mac-address
HESSID of the Hotspot 2.0 network is configured.
By default, no HESSID is configured.
Step 6 (Optional) Run venue-type group-code venue-group type-code type-code-value
The venue type of the Hotspot 2.0 network is configured.
By default, no venue type information is configured for a Hotspot 2.0 network.
Step 7 (Optional) Run network-authen-type { acceptance [ redirect-url url ] | dns-redirection |
http-https-redirection redirect-url url | online-enroll }
The authentication type of the Hotspot 2.0 network is configured.
By default, no network authentication type is configured.
Step 8 (Optional) Run ipv4-address-avail { not-available | available | port-restricted [ single-nat |
double-nat ] | private { single-nat | double-nat } | unknown }
Available IPv4 address types of the Hotspot 2.0 network are configured.
By default, no available type of IPv4 addresses is configured.

----End

20.5.3 Configuring ANQP Parameters


Context
If a Hotspot 2.0 network parameter carries multiple data entries, you need to configure the
parameter using a profile. In the profile, you can configure the entries of the parameter and
then bind the profile to a Hotspot 2.0 profile.
Table 20-4 describes the configurable parameter profiles. Not all parameter profiles are
mandatory. You can configure profiles according to network settings to provide required
network information for STAs.

Table 20-4 Description of the parameter profiles

Parameter Profile                Description

Cellular network profile         Recommended
                                 You can configure Hotspot 2.0 services on cellular networks.
                                 When connecting to the networks, user terminals can obtain
                                 network information from APs, which helps them to select
                                 desired networks.

NAI realm profile                Recommended
                                 A NAI realm profile is used to configure the network access
                                 identifier (NAI) realm name, authentication mode, and
                                 authentication parameters for networks accessible to users.

Roaming consortium profile       Recommended
                                 If the user terminals need to roam among Hotspot 2.0 networks
                                 of different operators, configure a roaming consortium profile
                                 and add the organization identifiers (OIs) of the operators to
                                 the roaming consortium profile. In this way, after the user
                                 terminals connect to a network of an operator in the profile,
                                 they can roam to networks of the other operators while
                                 remaining online.

Connection capability profile    Optional
                                 You can configure Hotspot 2.0 services for networks. When user
                                 terminals connect to the networks, they can obtain network
                                 connection capability information from APs, including allowed
                                 protocols and ports, which helps them to select desired
                                 networks.

Operating class profile          Optional
                                 The operating class profile is used to configure the operating
                                 class indication of the AP on the Hotspot 2.0 network. When a
                                 STA accesses the network, it can obtain channel information
                                 used to access a Wi-Fi frequency from the AP so that the STA
                                 can set up a connection.

Operator domain profile          Recommended
                                 An operator domain profile is used to configure the domain name
                                 of the hotspot operator. STAs can obtain the domain name
                                 information through ANQP, which is used as a basis for network
                                 selection.

Operator name profile            Optional
                                 You can specify different friendly names for different
                                 languages so that users can select networks.

Venue name profile               Optional
                                 When configuring Hotspot 2.0 services, configure network
                                 parameters according to operator requirements. When connecting
                                 to networks, user terminals can obtain the network parameters
                                 to select desired networks. The venue name describes physical
                                 locations of a network and is an optional parameter.

Issue 04 (2018-08-17) Copyright © Huawei Technologies Co., Ltd. 1064


S5700 and S6720 Series Ethernet Switches
Configuration Guide - WLAN-AC 20 Hotspot 2.0 Configuration Guide

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Configure parameter profiles.
• Cellular network profile
  a. Run the cellular-network-profile name profile-name command to create a cellular
     network profile and enter the cellular network profile view.
     By default, no cellular network profile exists in the system.
  b. Run the plmn-id plmn-id command to set the PLMN ID.
     By default, no PLMN identifier is configured in the cellular network profile.
  c. Run the quit command to return to the WLAN view.
• NAI realm profile
  a. Run the nai-realm-profile name profile-name command to create an NAI realm
     profile and enter the NAI realm profile view.
     By default, no NAI realm profile is available in the system.
  b. Run the nai-realm realm-name realm-name [ eap-method-type eap-method-type
     [ eap-authen-id eap-authen-id eap-authen-para eap-authen-para ] ] command to
     configure an NAI realm.
     By default, no NAI realm is configured.
  c. Run the quit command to return to the WLAN view.
• Roaming consortium profile
  a. Run the roaming-consortium-profile name profile-name command to create a
     roaming consortium profile and enter the roaming consortium profile view.
     By default, no roaming consortium profile is created.
  b. Run the roaming-consortium-oi oi-value [ in-beacon ] command to set the
     roaming-consortium organization identifier (OI).
     By default, no roaming consortium identifier is configured for the Hotspot 2.0
     network.
  c. Run the quit command to return to the WLAN view.
• Connection capability profile
  a. Run the connection-capability-profile name profile-name command to create a
     connection capability profile and enter the connection capability profile view.
     By default, no connection capability profile exists in the system.
  b. Run the connection-capability { esp | icmp | tcp-ftp | tcp-http | tcp-pptp-vpn |
     tcp-ssh | tcp-tls-vpn | tcp-voip | udp-ike2-4500 | udp-ike2-500 | udp-voip } { on |
     off } command to set whether Hotspot 2.0 networks support common IP protocols
     and ports.
     By default, no supported protocol is specified in a connection capability profile.
  c. Run the quit command to return to the WLAN view.


• Operating class profile
  a. Run the operating-class-profile name profile-name command to create an
     operating class profile and enter the operating class profile view.
     By default, no operating class profile is configured in the system.
  b. Run the operating-class-indication operating-class-value command to configure
     the operating class identifier used by the AP.
     By default, no operating class indication is configured in the system.
  c. Run the quit command to return to the WLAN view.
• Operator domain profile
  a. Run the operator-domain-profile name profile-name command to create an
     operator domain profile and enter the operator domain profile view.
     By default, no network domain name profile is available in the system.
  b. Run the domain-name domain-name command to configure a domain name for a
     hotspot operator.
     By default, no domain name is configured for a hotspot operator.
  c. Run the quit command to return to the WLAN view.
• Operator name profile
  a. Run the operator-name-profile name profile-name command to create an operator
     name profile and enter the operator name profile view.
     By default, no network domain name profile is available in the system.
  b. Run the operator-friendly-name language-code language-code name name
     command to configure a friendly operator name.
     By default, no operator friendly name is configured in an operator name profile
     view.
  c. Run the quit command to return to the WLAN view.
• Venue name profile
  a. Run the venue-name-profile name profile-name command to create a venue name
     profile and enter the venue name profile view.
     By default, no venue name profile is created.
  b. Run the venue-name language-code language-code name venue-name command
     to configure the venue name.
     By default, no venue name is configured.
  c. Run the quit command to return to the WLAN view.

Step 4 Run the hotspot2-profile name profile-name command to enter the Hotspot 2.0 profile view.

Step 5 Bind the parameter profiles to the Hotspot 2.0 profile.


• Run the cellular-network-profile profile-name command to bind the cellular network
  profile to the Hotspot 2.0 profile.
• Run the nai-realm-profile profile-name command to bind the NAI realm profile to the
  Hotspot 2.0 profile.
• Run the roaming-consortium-profile profile-name command to bind the roaming
  consortium profile to the Hotspot 2.0 profile.
• Run the connection-capability-profile profile-name command to bind the connection
  capability profile to the Hotspot 2.0 profile.
• Run the operating-class-profile profile-name command to bind the operating class
  profile to the Hotspot 2.0 profile.
• Run the operator-domain-profile profile-name command to bind the operator domain
  profile to the Hotspot 2.0 profile.
• Run the operator-name-profile profile-name command to bind the operator name
  profile to the Hotspot 2.0 profile.
• Run the venue-name-profile profile-name command to bind the venue name profile to
  the Hotspot 2.0 profile.

----End
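
To confirm that the parameter profiles bound above are what an AP actually advertises, the ANQP elements in a captured GAS query response can be decoded and compared with the planned values. The following Python code is an added example, not part of this guide or of Huawei software: it decodes the Domain Name, 3GPP Cellular Network, NAI Realm, and IP Address Type Availability elements with bounds checking on every length field. ANQP Info IDs and field layouts follow IEEE 802.11u and 3GPP; the function names, the "MCC-MNC" rendering of a PLMN, and all sample values are assumptions, and the input is the ANQP query response body without the surrounding GAS frame header.

```python
import struct

ANQP_IP_ADDR_AVAIL, ANQP_NAI_REALM, ANQP_3GPP, ANQP_DOMAIN_NAME = 262, 263, 264, 268
EAP_METHODS = {13: "TLS", 18: "SIM", 21: "TTLS", 23: "AKA"}   # IANA EAP type numbers
# IPv4 availability codes 0..7, named after this guide's ipv4-address-avail keywords.
IPV4_AVAIL = ["not-available", "available", "port-restricted", "private single-nat",
              "private double-nat", "port-restricted single-nat",
              "port-restricted double-nat", "unknown"]

class Reader:
    """Bounds-checked cursor: a length field that overruns the buffer raises ValueError."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("field of %d bytes overruns the buffer" % n)
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u8(self):
        return self.take(1)[0]
    def u16(self):
        return struct.unpack("<H", self.take(2))[0]
    def more(self):
        return self.pos < len(self.data)

def decode_plmn(raw):
    """Decode a 3-byte BCD PLMN into 'MCC-MNC'; MNC digit 3 is 0xF for a 2-digit MNC."""
    digits = [raw[0] & 0xF, raw[0] >> 4, raw[1] & 0xF, raw[2] & 0xF, raw[2] >> 4, raw[1] >> 4]
    if digits[5] == 0xF:
        digits.pop()
    if any(d > 9 for d in digits):
        raise ValueError("non-decimal digit in PLMN")
    text = "".join(str(d) for d in digits)
    return text[:3] + "-" + text[3:]

def decode_3gpp(payload):
    """Return the PLMNs of a 3GPP Cellular Network element (GUD, UDHL, then IEs)."""
    r = Reader(payload)
    r.u8()                                        # GUD: format version
    ies, plmns = Reader(r.take(r.u8())), []       # UDHL bytes of information elements
    while ies.more():
        iei, value = ies.u8(), Reader(ies.take(ies.u8()))
        if iei == 0:                              # IEI 0: PLMN List
            plmns += [decode_plmn(value.take(3)) for _ in range(value.u8())]
    return plmns

def decode_nai_realms(payload):
    """Map each realm name to the EAP methods advertised for it."""
    r, realms = Reader(payload), {}
    for _ in range(r.u16()):                          # NAI Realm Count
        entry = Reader(r.take(r.u16()))               # one NAI Realm Data field
        entry.u8()                                    # realm encoding
        names = entry.take(entry.u8()).decode("utf-8", "replace").split(";")
        methods = []
        for _ in range(entry.u8()):                   # EAP Method Count
            method = Reader(entry.take(entry.u8()))   # length-prefixed EAP method tuple
            number = method.u8()
            methods.append(EAP_METHODS.get(number, str(number)))
        realms.update((name, methods) for name in names)
    return realms

def decode_anqp(query_response):
    """Decode the ANQP elements of a GAS query response, keyed by CLI-style names."""
    r, out = Reader(query_response), {}
    while r.more():
        info_id, value = r.u16(), r.take(r.u16())
        if info_id == ANQP_DOMAIN_NAME:
            names, d = [], Reader(value)
            while d.more():
                names.append(d.take(d.u8()).decode("ascii", "replace"))
            out["domain-name"] = names
        elif info_id == ANQP_3GPP:
            out["plmn-id"] = decode_3gpp(value)
        elif info_id == ANQP_NAI_REALM:
            out["nai-realm"] = decode_nai_realms(value)
        elif info_id == ANQP_IP_ADDR_AVAIL and value:
            code = value[0] >> 2                  # bits 2-7: IPv4; bits 0-1: IPv6
            out["ipv4-address-avail"] = IPV4_AVAIL[code] if code < 8 else "reserved"
    return out

def audit(query_response, planned):
    """Return the planned parameters whose advertised value is missing or different."""
    seen = decode_anqp(query_response)
    return sorted(key for key, want in planned.items() if seen.get(key) != want)

# --- Constructed sample data (not captured from a real network) ---
def anqp(info_id, value):
    return struct.pack("<HH", info_id, len(value)) + value

REALM = b"example.com"
REALM_DATA = bytes([0, len(REALM)]) + REALM + bytes([2, 2, 18, 0, 2, 23, 0])  # SIM, AKA
SAMPLE_RESPONSE = (
    anqp(ANQP_DOMAIN_NAME, bytes([len(REALM)]) + REALM)
    + anqp(ANQP_3GPP, bytes([0, 6, 0, 4, 1, 0x00, 0xF1, 0x10]))              # PLMN 001-01
    + anqp(ANQP_NAI_REALM, struct.pack("<HH", 1, len(REALM_DATA)) + REALM_DATA)
    + anqp(ANQP_IP_ADDR_AVAIL, bytes([3 << 2])))
PLANNED = {"domain-name": ["example.com"], "plmn-id": ["001-01"],
           "nai-realm": {"example.com": ["SIM", "AKA"]},
           "ipv4-address-avail": "private single-nat"}
```

audit(SAMPLE_RESPONSE, PLANNED) returns an empty list when the advertisement matches the plan; any parameter it lists points at a profile that is unbound or misconfigured.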

20.5.4 Applying a Hotspot 2.0 Profile to a VAP Profile

Context
After the Hotspot 2.0 profile configuration is complete, apply the Hotspot 2.0 profile to a VAP
profile. Each VAP profile contains one Hotspot 2.0 profile. Hotspot 2.0-capable wireless
terminals that have obtained identity credentials from the service providers can obtain
network information from the connected APs, and automatically select and access the desired
networks.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run vap-profile name profile-name

The VAP profile view is displayed.

Step 4 Run hotspot2-profile profile-name

The Hotspot 2.0 profile is applied to the VAP profile.

By default, no Hotspot 2.0 profile is bound to a VAP profile.

----End

20.5.5 Verifying the Hotspot 2.0 Configuration

Context
After the Hotspot 2.0 configuration is complete, you can check profiles on the device,
including their configuration and reference information.


Procedure
• Checking profiles and their configuration information
– Run the display hotspot2-profile { all | name profile-name } command to check
information about the Hotspot 2.0 profile.
– Run the display cellular-network-profile { all | name profile-name } command to
check information about the cellular network profile.
– Run the display connection-capability-profile { all | name profile-name }
command to check information about the connection capability profile.
– Run the display nai-realm-profile { all | name profile-name } command to check
information about the NAI realm profile.
– Run the display operating-class-profile { all | name profile-name } command to
check information about the operating class profile.
– Run the display operator-domain-profile { all | name profile-name } command to
check information about the operator domain profile.
– Run the display operator-name-profile { all | name profile-name } command to
check information about the operator name profile.
– Run the display roaming-consortium-profile { all | name profile-name }
command to check information about the roaming consortium profile.
– Run the display venue-name-profile { all | name profile-name } command to
check information about the venue name profile.
• Checking profile reference information
– Run the display references hotspot2-profile name profile-name command to
check reference information about the Hotspot 2.0 profile.
– Run the display references cellular-network-profile name profile-name command
to check reference information about the cellular network profile.
– Run the display references connection-capability-profile name profile-name
command to check reference information about the connection capability profile.
– Run the display references nai-realm-profile name profile-name command to
check reference information about the NAI realm profile.
– Run the display references operating-class-profile name profile-name command
to check reference information about the operating class profile.
– Run the display references operator-domain-profile name profile-name
command to check reference information about the operator domain profile.
– Run the display references operator-name-profile name profile-name command
to check reference information about the operator name profile.
– Run the display references roaming-consortium-profile name profile-name
command to check reference information about the roaming consortium profile.
– Run the display references venue-name-profile name profile-name command to
check reference information about the venue name profile.

----End

20.6 Configuration Examples for Hotspot 2.0


20.6.1 Example for Configuring WLAN Hotspot 2.0 Services

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Service Requirements
Enterprise users can access the network through WLANs, which is the basic requirement of
mobile office. Furthermore, users' services are not affected during roaming in the coverage
area. On a traditional WLAN, users need to manually select an SSID and set authentication
information to access the WLAN, causing poor user experience. To enhance user experience,
Hotspot 2.0 services are deployed using a subscriber identity module (SIM) card for
authentication. In this way, users can access the WLAN automatically without awareness.

Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode:
  – The AC functions as a DHCP server to assign IP addresses to APs.
  – The aggregation switch (Switch_B) functions as a DHCP server to assign IP
    addresses to STAs.
• Service data forwarding mode: direct forwarding


Figure 20-7 Networking for configuring WLAN Hotspot 2.0 services

[Figure: topology with STA, AP, SwitchA, SwitchB, AC, Router, and RADIUS server. Labels shown:
management VLAN 100; service VLAN 101; AC VLANIF100 10.23.100.1/24; Router GE1/0/0, VLANIF101
10.23.101.2/24; RADIUS server IP 10.23.102.1/24, port 1812.]

Data Planning

Table 20-5 Data planning on the AC

Item                            Data
Management VLAN for APs         VLAN 100
Service VLAN for STAs           VLAN 101
DHCP server                     The AC functions as a DHCP server to assign IP addresses to
                                APs and STAs.
                                The aggregation switch (Switch_B) functions as a DHCP server
                                to assign IP addresses to STAs. The default gateway address
                                of STAs is 10.23.101.2.
IP address pool for APs         10.23.100.2-10.23.100.254/24
IP address pool for STAs        10.23.101.3-10.23.101.254/24
AC's source interface address   VLANIF 100: 10.23.101.1/24
AP group                        • Name: ap-group1
                                • Country code: China
                                • Referenced profile: VAP profile wlan-net
SSID profile                    • Name: wlan-net
                                • SSID name: wlan-net
Security profile                • Name: wlan-net
                                • Security policy: WPA2-802.1X-AES
Authentication profile          • Name: wlan-net
                                • Access authentication mode: 802.1X
                                • AAA domain: huawei.com
Hotspot 2.0 profile             Hotspot 2.0 profile
                                • Name: wlan-net
                                • Network type: free public network
                                • Internet access: supported
                                • Venue type: coffee shop (venue group code 1 and venue
                                  type code 13)
                                • HESSID: 60de-4476-e360
                                • IP address availability: available
                                • Network authentication type: acceptance
                                • P2P cross connection: disabled
                                • Cellular network profile: wlan-net
                                  – 46000
                                • Roaming consortium profile: wlan-net
                                  – 50-6f-9a
                                • NAI realm profile: wlan-net
                                  – www.mobileA.com
                                • Network connection capability profile: wlan-net
                                  – HTTP service: enabled
                                • Operator domain profile: wlan-net
                                  – www.mobileA.com
                                • Operator name profile: wlan-net
                                  – eng, mobileA
                                • Venue name profile: wlan-net
                                  – eng, Coffee
                                • Operating class profile: wlan-net
                                  – 81
VAP profile                     • Name: wlan-net
                                • Forwarding mode: direct forwarding
                                • Service VLAN: VLAN 101
                                • Referenced profiles: SSID profile wlan-net, security
                                  profile wlan-net, authentication profile wlan-net, and
                                  Hotspot 2.0 profile wlan-net
RADIUS server                   • IP address: 10.23.102.1
                                • Port number: 1812
                                • Shared key: Huawei@123

Configuration Roadmap
1. Configure network interworking of the AC, APs, and other network devices.
2. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to the group
for unified configuration.
b. Configure AC system parameters, including the country code and source interface
used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to allow the APs
to go online.
3. Configure WLAN service parameters for STAs to access the WLAN.
4. Configure WPA2-802.1X authentication based on the operator's AAA server information.
5. Configure Hotspot 2.0 services based on the operator's network information.

Configuration Notes
• For details about common WLAN configuration notes, see 2 General Precautions for
  WLAN. For more deployment and configuration suggestions, see 3 Wireless Network
  Deployment and Configuration Suggestions.
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the network devices.


# Add GE0/0/1 and GE0/0/2 on SwitchA to VLAN 100 and VLAN 101. The default VLAN of
GE0/0/1 is VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 101
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 100 and VLAN 101, GE0/0/2 to
VLAN 100, and GE0/0/3 to VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 101
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] port link-type trunk
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[SwitchB-GigabitEthernet0/0/3] quit

# Add GE1/0/0 on Router to VLAN 101. Create VLANIF 101 and set its IP address to
10.23.101.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit

Step 3 Configure the AC to communicate with the network devices.


NOTE

If the AC and APs are directly connected, set the default VLAN of the interfaces connected to the APs to
management VLAN 100.

# Add GE0/0/1 on the AC to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 4 Configure the DHCP servers to assign IP addresses to APs and STAs.
# On the AC, configure VLANIF 100 to assign IP addresses to APs.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

# On SwitchB, configure VLANIF 101 to assign IP addresses to STAs and set the default
gateway address of STAs to 10.23.101.2.
NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 101
[SwitchB-Vlanif101] ip address 10.23.101.1 24
[SwitchB-Vlanif101] dhcp select interface
[SwitchB-Vlanif101] dhcp server gateway-list 10.23.101.2
[SwitchB-Vlanif101] quit

Step 5 Configure an AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa2 dot1x aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure the AP channel and power.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The settings of the AP channel and
power in this example are for reference only. You need to configure the AP channel and power based on the
actual country code and network planning.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Configure WPA2-802.1X.

# Configure a RADIUS server template.


[AC-wlan-view] quit
[AC] radius-server template wlan-radius
[AC-radius-wlan-radius] radius-server authentication 10.23.102.1 1812
[AC-radius-wlan-radius] radius-server shared-key cipher Huawei@123
[AC-radius-wlan-radius] radius-server retransmit 2
[AC-radius-wlan-radius] undo radius-server user-name domain-included
[AC-radius-wlan-radius] quit

# Configure an AAA authentication scheme and configure the device to use RADIUS
authentication preferentially.
[AC] aaa
[AC-aaa] authentication-scheme wlan-authen
[AC-aaa-authen-wlan-authen] authentication-mode radius local
[AC-aaa-authen-wlan-authen] quit
[AC-aaa] quit

# Create an AAA domain and configure the RADIUS server template and authentication
scheme for the domain.
[AC] aaa
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server wlan-radius
[AC-aaa-domain-huawei.com] authentication-scheme wlan-authen
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

# Configure an 802.1X access profile and configure EAP relay authentication for 802.1X
users.
[AC] dot1x-access-profile name wlan-net
[AC-dot1x-access-profile-wlan-net] dot1x authentication-method eap
[AC-dot1x-access-profile-wlan-net] quit

# Configure an authentication profile and bind the 802.1X access profile to the authentication
profile, and configure a forcible authentication domain for users.
[AC] authentication-profile name wlan-net
[AC-authentication-profile-wlan-net] dot1x-access-profile wlan-net
[AC-authentication-profile-wlan-net] access-domain huawei.com dot1x force
[AC-authentication-profile-wlan-net] quit

Step 9 Configure Hotspot 2.0 services.

# Configure Hotspot 2.0 profile wlan-net based on the operator's network parameters. Ensure
that the WPA2-802.1X authentication profile has been bound to the VAP profile.
[AC] wlan
[AC-wlan-view] cellular-network-profile name wlan-net
[AC-wlan-cellular-net-wlan-net] plmn-id 46000
[AC-wlan-cellular-net-wlan-net] quit
[AC-wlan-view] connection-capability-profile name wlan-net
[AC-wlan-co-cap-prof-wlan-net] connection-capability tcp-http on
[AC-wlan-co-cap-prof-wlan-net] quit
[AC-wlan-view] operator-name-profile name wlan-net
[AC-wlan-wlan-op-name-prof-wlan-net] operator-friendly-name language-code eng name mobileA
[AC-wlan-wlan-op-name-prof-wlan-net] quit
[AC-wlan-view] operating-class-profile name wlan-net
[AC-wlan-op-class-prof-wlan-net] operating-class-indication 81
[AC-wlan-op-class-prof-wlan-net] quit
[AC-wlan-view] operator-domain-profile name wlan-net
[AC-wlan-op-domain-prof-wlan-net] domain-name www.mobileA.com
[AC-wlan-op-domain-prof-wlan-net] quit
[AC-wlan-view] nai-realm-profile name wlan-net
[AC-wlan-nai-realm-prof-wlan-net] nai-realm realm-name www.mobileA.com
[AC-wlan-nai-realm-prof-wlan-net] quit
[AC-wlan-view] venue-name-profile name wlan-net
[AC-wlan-ve-na-prof-wlan-net] venue-name language-code eng name Coffee
[AC-wlan-ve-na-prof-wlan-net] quit
[AC-wlan-view] roaming-consortium-profile name wlan-net
[AC-wlan-ro-co-prof-wlan-net] roaming-consortium-oi 50-6f-9a in-beacon
[AC-wlan-ro-co-prof-wlan-net] quit
[AC-wlan-view] hotspot2-profile name wlan-net
[AC-wlan-hotspot2-prof-wlan-net] network-type public-free internet-access
[AC-wlan-hotspot2-prof-wlan-net] undo p2p-cross-connect disable
[AC-wlan-hotspot2-prof-wlan-net] venue-type group-code 1 type-code 13
[AC-wlan-hotspot2-prof-wlan-net] hessid 60de-4476-e360
[AC-wlan-hotspot2-prof-wlan-net] ipv4-address-avail available
[AC-wlan-hotspot2-prof-wlan-net] network-authen-type acceptance
[AC-wlan-hotspot2-prof-wlan-net] cellular-network-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] connection-capability-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] operator-name-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] operating-class-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] operator-domain-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] nai-realm-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] venue-name-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] roaming-consortium-profile wlan-net
[AC-wlan-hotspot2-prof-wlan-net] quit

Step 10 Apply the authentication profile and Hotspot 2.0 profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] hotspot2-profile wlan-net
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-net] quit

Step 11 Verify the configuration.


The AC automatically delivers WLAN service configuration to the AP. After the service
configuration is complete, run the display vap ssid wlan-net command. If Status in the
command output is displayed as ON, the VAPs have been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password a1234567. Run the
display station ssid wlan-net command on the AC. The command output shows that the
STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC         AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
---------------------------------------------------------------------------------
e019-1dc7-1e08  0      area_1   1/1      5G    11n   46/59  -68   101   10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
return

• SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
return
• Router configuration file
#
sysname Router
#
vlan batch 101
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101
#
return
• AC configuration file

#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name wlan-net
dot1x-access-profile wlan-net
access-domain huawei.com dot1x force
#
dhcp enable
#
radius-server template wlan-radius
radius-server shared-key cipher %^%#Qm'::9R&'!ybA{8_>U.,$+k!BxwPmY}YUA+Q$&@C%^%#
radius-server authentication 10.23.102.1 1812 weight 80
radius-server retransmit 2
undo radius-server user-name domain-included
#
aaa
authentication-scheme wlan-authen
authentication-mode radius local
domain huawei.com
authentication-scheme wlan-authen
radius-server wlan-radius
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-net
security wpa2 dot1x aes
ssid-profile name wlan-net
ssid wlan-net
roaming-consortium-profile name wlan-net
roaming-consortium-oi 50-6f-9a in-beacon
operating-class-profile name wlan-net
operating-class-indication 81
cellular-network-profile name wlan-net
plmn-id 46000
connection-capability-profile name wlan-net
connection-capability tcp-http on
operator-domain-profile name wlan-net
domain-name www.mobileA.com
operator-name-profile name wlan-net
operator-friendly-name language-code eng name mobileA
venue-name-profile name wlan-net
venue-name language-code eng name Coffee
nai-realm-profile name wlan-net
nai-realm realm-name www.mobileA.com
hotspot2-profile name wlan-net
hessid 60de-4476-e360
network-type public-free internet-access
venue-type group-code 1 type-code 13
ipv4-address-avail available
network-authen-type acceptance
cellular-network-profile wlan-net
connection-capability-profile wlan-net
operator-name-profile wlan-net
operator-domain-profile wlan-net
venue-name-profile wlan-net
nai-realm-profile wlan-net
operating-class-profile wlan-net
roaming-consortium-profile wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
authentication-profile wlan-net
hotspot2-profile wlan-net
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio 1
channel 20mhz 149
eirp 127
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
#
dot1x-access-profile name wlan-net
#
return
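
Step 9 requires the WPA2-802.1X authentication profile to be bound to the VAP profile, and the Hotspot 2.0 profile only works if every sub-profile it references exists. The following Python check of a saved AC configuration is an added example, not part of the Huawei guide or a Huawei tool; the function names and the broken variant are assumptions for illustration, and the sample is a shortened excerpt of the AC configuration file above.

```python
import re

# Constructed sample: excerpt of the AC configuration file from this example,
# unindented as printed on the page; lines the checks do not read are omitted.
GOOD_CONFIG = """\
authentication-profile name wlan-net
dot1x-access-profile wlan-net
access-domain huawei.com dot1x force
#
wlan
security-profile name wlan-net
security wpa2 dot1x aes
roaming-consortium-profile name wlan-net
roaming-consortium-oi 50-6f-9a in-beacon
cellular-network-profile name wlan-net
plmn-id 46000
operator-domain-profile name wlan-net
domain-name www.mobileA.com
nai-realm-profile name wlan-net
nai-realm realm-name www.mobileA.com
hotspot2-profile name wlan-net
cellular-network-profile wlan-net
operator-domain-profile wlan-net
nai-realm-profile wlan-net
roaming-consortium-profile wlan-net
vap-profile name wlan-net
service-vlan vlan-id 101
security-profile wlan-net
authentication-profile wlan-net
hotspot2-profile wlan-net
#
"""

# Constructed broken variant (hypothetical): open security, no authentication
# profile on the VAP, and the NAI realm profile definition removed.
BAD_CONFIG = (
    GOOD_CONFIG.replace("security wpa2 dot1x aes", "security open")
    .replace("\nauthentication-profile wlan-net\n", "\n")
    .replace("nai-realm-profile name wlan-net\nnai-realm realm-name www.mobileA.com\n", "")
)

# A definition line is "<kind> name <name>", e.g. "hotspot2-profile name wlan-net".
DEF_RE = re.compile(r"^(\S+) name (\S+)$")
# Sub-profiles that this guide binds to a Hotspot 2.0 profile.
HS2_SUBPROFILES = (
    "cellular-network-profile", "connection-capability-profile",
    "operator-name-profile", "operating-class-profile",
    "operator-domain-profile", "nai-realm-profile",
    "venue-name-profile", "roaming-consortium-profile",
)
VAP_REFS = ("hotspot2-profile", "security-profile", "authentication-profile")


def parse_profiles(config_text):
    """Map (kind, name) -> body lines; works with or without indentation."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        match = DEF_RE.match(line)
        if match:
            current = profiles.setdefault((match.group(1), match.group(2)), [])
        elif line in ("", "#", "return") or line.startswith("ap-id "):
            current = None  # end of the current section
        elif current is not None:
            current.append(line)
    return profiles


def refs(body, kind):
    """Names referenced in a body as '<kind> <name>'."""
    return [p[1] for p in (line.split() for line in body) if len(p) >= 2 and p[0] == kind]


def lint_hotspot2(config_text):
    """Return a list of findings; an empty list means every check passed."""
    profiles, findings = parse_profiles(config_text), []
    checked = {"hotspot2-profile": HS2_SUBPROFILES, "vap-profile": VAP_REFS}

    def bodies(body, kind):
        # Body lines of every defined profile of this kind referenced from body.
        return [l for n in refs(body, kind) for l in profiles.get((kind, n), [])]

    for (kind, name), body in profiles.items():
        for sub in checked.get(kind, ()):
            for ref in refs(body, sub):
                if (sub, ref) not in profiles:
                    findings.append(f"{kind} {name}: {sub} {ref} is referenced but not defined")
        if kind == "vap-profile" and refs(body, "hotspot2-profile"):
            if not any(l.split()[:1] == ["security"] and "dot1x" in l.split()
                       for l in bodies(body, "security-profile")):
                findings.append(f"vap-profile {name}: security profile is not an 802.1X policy")
            if not refs(bodies(body, "authentication-profile"), "dot1x-access-profile"):
                findings.append(f"vap-profile {name}: no authentication profile with 802.1X bound")
    return findings


if __name__ == "__main__":
    for finding in lint_hotspot2(BAD_CONFIG):
        print(finding)
```

Run it against the output of a saved configuration before binding the Hotspot 2.0 profile in Step 10; a VAP that advertises Hotspot 2.0 with an open or missing 802.1X policy is the misconfiguration it is meant to catch.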

20.7 References for Hotspot 2.0


The following table lists the references for Hotspot 2.0.

Table 20-6 References for Hotspot 2.0

Standard                Description
IEEE 802.11u            Defines secure connections between wireless networks of different
                        types and enables interconnections between Wi-Fi and cellular
                        networks. It allows Wi-Fi devices to obtain more information about
                        external networks, such as whether the network is chargeable.
Hotspot 2.0 Release 1   A technical specification designed by the Wi-Fi Alliance (WFA) and
                        Wireless Broadband Alliance. Building on IEEE 802.11u standards, it
                        enables wireless terminals to roam seamlessly between mobile and
                        Wi-Fi networks, without additional registration and identity
                        authentication.

21 WLAN Traffic Optimization Configuration

21.1 Overview of WLAN Traffic Optimization


On a WLAN, a large number of wireless packets need to be forwarded, which may easily
cause network congestion and degrade network performance. WLAN traffic optimization
measures, such as traffic limit and multicast optimization, can be taken to adjust network
traffic in real time, significantly reducing impact of burst data on the network and improving
network performance.

21.2 Licensing Requirements and Limitations for WLAN Traffic Optimization

Involved Network Elements
AP
• APs mentioned in this document are Huawei AP products. You are advised to use
  Huawei APs to connect to the AC.
• You can run the display ap-type all command to check the default AP types supported
  by the device.
• When central APs and RUs are used, ensure that their versions are the same. For
  example, if the central AP version is V200R007C10, the RU version must be
  V200R007C10.

Table 21-1 Mapping between switch versions and AP versions

Product Software Version   AP Software Version
V200R012C00                V200R009C00
                           V200R008C10
                           V200R008C00
                           V200R007C20
                           V200R007C10
                           V200R006C20
                           V200R006C10
V200R011C10                V200R008C10
                           V200R008C00
                           V200R007C20
                           V200R007C10
                           V200R006C20
                           V200R006C10
V200R011C00                V200R007C20
                           V200R007C10
                           V200R006C20
                           V200R006C10
V200R010C00                V200R007C10
                           V200R006C20
                           V200R006C10
V200R009C00                V200R006C20
                           V200R006C10
V200R008C00                V200R005C30
                           V200R005C20
                           V200R005C10
V200R007                   V200R005C20
                           V200R005C10
V200R006                   V200R005C00

Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
• AP resource license-16AP for WLAN access controller
• AP resource license-64AP for WLAN access controller
• AP resource license-128AP for WLAN access controller
• AP resource license-512AP for WLAN access controller
For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.

Version Requirements

Table 21-2 Products and minimum version supporting WLAN air interface performance

Series                  Product Model      Minimum Version Required
S1700 series switches   -                  Not supported
S2700 series switches   -                  Not supported
S3700 series switches   -                  Not supported
S5700 series switches   S5720HI, S5730HI   S5720HI: V200R006
                                           S5730HI: V200R012
S6700 series switches   S6720HI            V200R012

Feature Limitations
• Multicast-to-unicast conversion depends on the IGMP snooping function. Before
  configuring multicast-to-unicast conversion, enable IGMP snooping.
• Multicast CAC depends on the function of converting multicast packets into unicast
  packets, but cannot be configured together with the adaptive function of converting
  multicast packets into unicast packets.

21.3 Default Settings for WLAN Traffic Optimization

Table 21-3 Default settings for WLAN traffic optimization

Parameter                                                                     Default Setting
Traffic limit            Maximum volume of broadcast traffic allowed in a     None
                         traffic profile
                         Maximum volume of multicast traffic allowed in a     None
                         traffic profile
                         Maximum volume of unknown unicast traffic allowed    None
                         in a traffic profile
                         Function of forbidding air interfaces to forward     Disabled
                         packets to bridging STAs
Multicast optimization   IGMP snooping                                        Disabled
                         Function of converting multicast packets into        Disabled
                         unicast packets
                         Multicast CAC                                        Disabled

21.4 Configuring Traffic Limit

Context
Traffic limit configuration in a traffic profile can reduce unnecessary packet forwarding and
improve air interface performance.

Pre-configuration Tasks
Before configuring traffic limit, perform the task of 5 WLAN Service Configuration.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan


The WLAN view is displayed.
Step 3 Run traffic-profile name profile-name
A traffic profile is created, and the traffic profile view is displayed.
Step 4 Run the following commands as required:
• Configure the maximum volume of broadcast traffic allowed in the traffic profile.
  a. Run the traffic-optimize broadcast-suppression packets packets-rate command
     to configure the maximum volume of broadcast traffic allowed in the traffic profile.
     By default, broadcast packets are not suppressed in a traffic profile.
• Configure the maximum volume of multicast traffic allowed in the traffic profile.
  a. Run the traffic-optimize multicast-suppression packets packets-rate command to
     configure the maximum volume of multicast traffic allowed in the traffic profile.
     By default, multicast packets are not suppressed in a traffic profile.
• Configure the maximum volume of unknown unicast traffic allowed in the traffic profile.
  a. Run the traffic-optimize unicast-suppression packets packets-rate command to
     configure the maximum volume of unknown unicast traffic allowed in the traffic
     profile.
     By default, unknown unicast packets are not suppressed in a traffic profile.
• Forbid air interfaces to forward packets to bridging STAs.
  a. Run the traffic-optimize sta-bridge-forward disable command to forbid air
     interfaces to forward packets to bridging STAs.
     By default, an air interface is allowed to forward packets to bridging terminals.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 7 Run traffic-profile profile-name
The traffic profile is bound to the VAP profile.
By default, the traffic profile default is bound to a VAP profile.

----End

Verifying the Configuration


• Run the display traffic-profile { all | name profile-name } command to check the traffic
  limit configuration in a traffic profile.

21.5 Configuring Multicast Optimization

21.5.1 Configuring IGMP Snooping

Context
IGMP snooping is a basic Layer 2 multicast function that forwards and controls multicast
traffic at the data link layer. IGMP snooping runs on a Layer 2 device and analyzes IGMP
messages exchanged between a Layer 3 device and hosts to set up and maintain a Layer 2
multicast forwarding table. The Layer 2 device forwards multicast packets based on the Layer
2 multicast forwarding table.

Pre-configuration Tasks
Before configuring IGMP snooping, perform the task of 5 WLAN Service Configuration.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run traffic-profile name profile-name
A traffic profile is created, and the traffic profile view is displayed.
By default, the system provides the traffic profile default.
Step 4 Run igmp-snooping enable
IGMP snooping is enabled in the traffic profile.
By default, IGMP snooping is disabled in a traffic profile.
Step 5 (Optional) Run igmp-snooping report-suppress
Suppression of IGMP Report and Leave messages is enabled in the traffic profile.
By default, IGMP Report and Leave message suppression is disabled in a traffic profile.
Step 6 Run quit
Return to the WLAN view.
Step 7 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 8 Run traffic-profile profile-name
The traffic profile is bound to the VAP profile.
By default, the traffic profile default is bound to a VAP profile.

----End

Verifying the Configuration


• Run the display traffic-profile { all | name profile-name } command to check the IGMP
  snooping configuration in a traffic profile.

21.5.2 Configuring Multicast-to-Unicast Conversion

Context
You can enable the function of converting multicast packets to unicast packets in scenarios
that have high requirements on multicast stream transmission, such as a high-definition video
on-demand scenario.
After the function is enabled, an AP listens on Report and Leave packets to maintain
multicast-to-unicast entries. When sending multicast packets to the client, the AP converts the
multicast packets to unicast packets based on the multicast-to-unicast entries to improve
multicast stream transmission efficiency.
After adaptive multicast-to-unicast conversion is enabled, when the air interface performance
becomes a bottleneck during multicast-to-unicast conversion, an AP automatically switches
the multicast group containing the minimum number of STAs to the multicast mode. After the
air interface performance is improved and keeps being improved for a period of time, the AP
automatically switches the multicast group containing the maximum number of STAs to the
unicast mode. In this way, the air interface performance is automatically adjusted without
manual intervention, improving wireless user experience.

Pre-configuration Tasks
Before configuring multicast-to-unicast conversion, complete the following tasks:
• 5 WLAN Service Configuration
• Layer 2 multicast configuration

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run traffic-profile name profile-name
A traffic profile is created, and the traffic profile view is displayed.
By default, the system provides the traffic profile default.
Step 4 Run traffic-optimize multicast-unicast enable
Multicast-to-unicast conversion is enabled in the traffic profile.
By default, the function of converting multicast packets to unicast packets is disabled in a
traffic profile.
Step 5 (Optional) Run undo traffic-optimize multicast-unicast dynamic-adaptive disable
Adaptive multicast-to-unicast conversion is enabled.
By default, adaptive multicast-to-unicast conversion is enabled in a traffic profile.
Step 6 Run quit

Return to the WLAN view.


Step 7 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 8 Run traffic-profile profile-name
The traffic profile is bound to the VAP profile.
By default, the traffic profile default is bound to a VAP profile.

----End

Verifying the Configuration


• Run the display traffic-profile { all | name profile-name } command to check the
  multicast-to-unicast configuration in a traffic profile.

21.5.3 Configuring Multicast CAC

Context
Multicast Call Admission Control (CAC) is a function that controls access of multicast users
based on various rules to ensure multicast service availability. You can configure CAC based
on multicast bandwidth or the number of multicast group memberships. These two CAC
modes are independent of each other and can be used independently or together.
• CAC based on multicast bandwidth
  If the multicast bandwidth is insufficient, new users are prevented from joining multicast
  groups.
• CAC based on the number of multicast group memberships
  When the number of multicast group memberships reaches the maximum value, new
  users are prevented from joining multicast groups.

Pre-configuration Tasks
Before configuring multicast CAC, complete the following tasks:
• 5 WLAN Service Configuration
• Multicast-to-unicast configuration. For details, see 21.5.2 Configuring
  Multicast-to-Unicast Conversion.

Procedure
• Configure CAC based on multicast bandwidth.
  a. Run system-view
     The system view is displayed.
  b. Run wlan
     The WLAN view is displayed.
  c. Run traffic-profile name profile-name
     A traffic profile is created and the traffic profile view is displayed.
     By default, the system provides the traffic profile default.
  d. Run igmp-snooping max-bandwidth max-bandwidth
     The multicast bandwidth limit is configured for a VAP.
     By default, the maximum multicast bandwidth is not configured for a VAP.
  e. Run quit
     Return to the WLAN view.
  f. Run vap-profile name profile-name
     The VAP profile view is displayed.
  g. Run traffic-profile profile-name
     The traffic profile is bound to the VAP profile.
     By default, the traffic profile default is bound to a VAP profile.
  h. Run quit
     Return to the WLAN view.
  i. Run ap-system-profile name profile-name
     An AP system profile is created and the AP system profile view is displayed.
     By default, the system provides the AP system profile default.
  j. Run igmp-snooping group-bandwidth start-group-address start-group-address
     end-group-address end-group-address bandwidth bandwidth-value
     The global bandwidth limit is configured for an AP.
     By default, the bandwidth of global multicast groups is not configured on an AP.
     You can configure the bandwidth of multicast groups in an AP system profile
     according to the actual bandwidth of a multicast program. This configuration takes
     effect for the APs or AP groups to which this AP system profile is bound. When
     users request this multicast program, the AC collects statistics on the
     current multicast bandwidth of the VAP according to the bandwidth of global
     multicast groups configured for the AP, and compares the current bandwidth with
     the configured maximum bandwidth to determine whether to allow users to order
     this multicast program.
  k. Run quit
     Return to the WLAN view.
  l. Bind the AP system profile to an AP group or an AP.
     – Bind the AP system profile to an AP group.
       1) Run the ap-group name group-name command to enter the AP group
          view.
       2) Run the ap-system-profile profile-name command to bind the AP system
          profile to an AP group.
          By default, the AP system profile default is bound to an AP group, but no
          AP system profile is bound to an AP.
     – Bind the AP system profile to an AP.
       1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
          enter the AP view.
       2) Run the ap-system-profile profile-name command to bind the AP system
          profile to an AP.
          By default, the AP system profile default is bound to an AP group, but no
          AP system profile is bound to an AP.
• Configure CAC based on the number of multicast group memberships.
  a. Run system-view
     The system view is displayed.
  b. Run wlan
     The WLAN view is displayed.
  c. Run traffic-profile name profile-name
     A traffic profile is created and the traffic profile view is displayed.
     By default, the system provides the traffic profile default.
  d. Run igmp-snooping max-user max-user
     The maximum number of multicast group memberships is configured for a VAP.
     By default, the maximum number of multicast group memberships is not configured
     for a VAP.
  e. Run quit
     Return to the WLAN view.
  f. Run vap-profile name profile-name
     The VAP profile view is displayed.
  g. Run traffic-profile profile-name
     The traffic profile is bound to the VAP profile.
     By default, the traffic profile default is bound to a VAP profile.

----End

Verifying the Configuration


• Run the display traffic-profile { all | name profile-name } command to check the
  multicast CAC configuration in the traffic profile.
• Run the display ap-system-profile { all | name profile-name } command to check the
  global multicast bandwidth configuration on the AP in the AP system profile.

21.6 Maintaining WLAN Traffic Optimization

21.6.1 Displaying Multicast CAC Statistics

Context
After configuring multicast CAC, run the following command to check multicast CAC
statistics.

Procedure
• Run the display wlan igmp-snooping vap-cac { ap-id ap-id | ap-name ap-name }
  command to check the multicast CAC configuration and statistics on a VAP.
----End

21.7 Configuration Examples for WLAN Traffic Optimization

21.7.1 Example for Configuring Multicast CAC Based on Multicast Bandwidth

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Context
As shown in Figure 21-1, enterprise users can access the Internet through the WLAN to meet
the basic requirement of mobile office.
Video conference multicast sources are deployed on the WLAN to specially provide video
conference services. The multicast source IP address ranges from 225.1.1.1 to 225.1.1.5. The
administrator wants to configure multicast connection admission control (CAC) based on
multicast bandwidth to deny access of employees when the multicast bandwidth reaches the
upper limit, ensuring access quality of video conferences.

Figure 21-1 Networking for configuring multicast CAC based on multicast bandwidth

Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure the multicast-to-unicast function to convert multicast data packets to unicast
data packets, improving multicast data transmission efficiency.
3. Configure multicast CAC based on the multicast bandwidth to control access of
multicast users.

Table 21-4 Data planning

| Item | Data |
|---|---|
| DHCP server | The AC functions as a DHCP server to assign IP addresses to STAs and APs. |
| IP address pool for APs | 10.23.100.2-10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.2-10.23.101.254/24 |
| AC's source interface address | VLANIF 100: 10.23.100.1/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-vap, regulatory domain profile domain1, and AP system profile ap-system |
| Regulatory domain profile | Name: domain1; Country code: CN |
| SSID profile | Name: wlan-ssid; SSID name: wlan-net |
| Security profile | Name: wlan-security; Security policy: WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-vap; Forwarding mode: tunnel forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-ssid, security profile wlan-security, and traffic profile wlan-traffic |
| IP address segment of multicast groups | 225.1.1.1-225.1.1.5 |
| Traffic profile | Name: wlan-traffic; Maximum multicast bandwidth of a VAP: 40 Mbit/s (40,960 kbit/s) |
| AP system profile | Name: ap-system; Bandwidth of global multicast groups on an AP: 2 Mbit/s (2048 kbit/s) |

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1

[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.


[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.


# Create an AP group and add the AP to the AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn

[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Configure the multicast-to-unicast function.


# Create traffic profile wlan-traffic, and enable the Internet Group Management Protocol
(IGMP) snooping and multicast-to-unicast functions in the traffic profile.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] igmp-snooping enable
[AC-wlan-traffic-prof-wlan-traffic] traffic-optimize multicast-unicast enable

Step 9 Configure multicast CAC based on multicast bandwidth.


# Configure the maximum multicast bandwidth to 40960 kbit/s for a VAP.
[AC-wlan-traffic-prof-wlan-traffic] igmp-snooping max-bandwidth 40960
[AC-wlan-traffic-prof-wlan-traffic] quit

# Bind traffic profile wlan-traffic to VAP profile wlan-vap.


[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] quit

# Create AP system profile ap-system and configure the bandwidth to 2048 kbit/s for the IP
address segment of multicast groups ranging from 225.1.1.1 to 225.1.1.5.
[AC-wlan-view] ap-system-profile name ap-system
[AC-wlan-ap-system-prof-ap-system] igmp-snooping group-bandwidth start-group-address 225.1.1.1 end-group-address 225.1.1.5 bandwidth 2048
[AC-wlan-ap-system-prof-ap-system] quit

# Bind AP system profile ap-system to AP group ap-group1.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ap-system-profile ap-system
[AC-wlan-ap-group-ap-group1] quit

Step 10 Verify the configuration.


Run the display wlan igmp-snooping vap-cac command on the AC to check the multicast
CAC configuration and statistics on the VAP. When the difference between the CurBw and
MaxBw values is smaller than the configured bandwidth of a multicast group, new users
cannot join the multicast group.
[AC-wlan-view] display wlan igmp-snooping vap-cac ap-id 0
Info: This operation may take a few seconds, please wait.done.
Rf : Radio ID WID : WLAN ID
CurBw : Current bandwidth(kbps) MaxBw : Max bandwidth(kbps)
CurUser : Current user number MaxUser : Max user number
BwUtilization : Bandwidth utilization UserUtilization : User utilization
--------------------------------------------------------------------------------
Rf WID CurBw/MaxBw BwUtilization CurUser/MaxUser UserUtilization
--------------------------------------------------------------------------------
0 1 0/40960 0% 0/0 0%
1 1 0/40960 0% 0/0 0%
--------------------------------------------------------------------------------
Total: 2

----End
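The admission rule stated in Step 10, applied to parsed display wlan igmp-snooping vap-cac output so that VAPs close to their limit can be spotted before joins start failing. This is an added example, not Huawei code; it assumes a Max value of 0 means the limit is not configured (as in the 0/0 membership columns above) and that each admitted join adds one group's configured bandwidth to CurBw.

```python
import re

# Constructed sample in the column layout of the output shown above; the
# non-zero CurBw/CurUser values and WLAN ID 2 are invented for the example.
SAMPLE_OUTPUT = """\
Rf   WID  CurBw/MaxBw    BwUtilization  CurUser/MaxUser  UserUtilization
--------------------------------------------------------------------------------
0    1    0/40960        0%             0/0              0%
1    1    38912/40960    95%            19/0             0%
0    2    39936/40960    97%            5/20             25%
1    2    4096/40960     10%            20/20            100%
--------------------------------------------------------------------------------
Total: 4
"""

# Rf, WID, CurBw/MaxBw, BwUtilization, CurUser/MaxUser, UserUtilization
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)/(\d+)\s+\d+%\s+(\d+)/(\d+)\s+\d+%\s*$"
)
KEYS = ("rf", "wid", "cur_bw", "max_bw", "cur_user", "max_user")


def parse_vap_cac(text):
    """Return one dict per VAP row; legend, rule and Total lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(dict(zip(KEYS, map(int, m.groups()))))
    return rows


def admission(row, group_bw_kbps):
    """Decide whether one more join to a group of group_bw_kbps is admitted.

    Returns (admit, reason, joins_left). joins_left is None when neither
    limit is configured (assumption: Max == 0 means "not configured").
    """
    joins_left = None
    if row["max_bw"] > 0:
        headroom = row["max_bw"] - row["cur_bw"]
        # Rule from Step 10: refuse when MaxBw - CurBw < group bandwidth.
        if headroom < group_bw_kbps:
            return False, "bandwidth", 0
        joins_left = headroom // group_bw_kbps
    if row["max_user"] > 0:
        free = row["max_user"] - row["cur_user"]
        # Membership-based CAC: refuse once the maximum is reached.
        if free <= 0:
            return False, "memberships", 0
        joins_left = free if joins_left is None else min(joins_left, free)
    return True, "ok", joins_left


def report(text, group_bw_kbps):
    """Return (rf, wid, admit, reason, joins_left) for every VAP in text."""
    return [
        (r["rf"], r["wid"], *admission(r, group_bw_kbps))
        for r in parse_vap_cac(text)
    ]


if __name__ == "__main__":
    # 2048 kbit/s is the group bandwidth configured in this example.
    for rf, wid, admit, reason, left in report(SAMPLE_OUTPUT, 2048):
        state = "admit" if admit else "deny (" + reason + ")"
        print(f"radio {rf} wlan {wid}: {state}, joins left: {left}")
```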

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 traffic-profile name wlan-traffic
  igmp-snooping enable
  igmp-snooping max-bandwidth 40960
  traffic-optimize multicast-unicast enable
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  traffic-profile wlan-traffic
 regulatory-domain-profile name domain1
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-system-profile name ap-system
  igmp-snooping group-bandwidth start-group-address 225.1.1.1 end-group-address 225.1.1.5 bandwidth 2048
 ap-group name ap-group1
  ap-system-profile ap-system
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return
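An offline check of a saved AC configuration against the dependencies in 21.2 and the traffic-limit defaults in 21.3 and 21.4, reported per VAP profile so unprotected SSIDs stand out. This is an added example, not Huawei code; it assumes the saved file uses the same keywords as the commands in this chapter and omits settings left at their default, and the profiles video-traffic, guest-traffic, video-vap, guest-vap and lab-vap are hypothetical.

```python
import re

# Constructed sample in the layout of the AC configuration file above.
# Only wlan-traffic and wlan-vap come from the page; the rest is invented
# to trigger each check, including the suppression rate of 100.
SAMPLE_CONFIG = """\
#
wlan
 traffic-profile name wlan-traffic
  igmp-snooping enable
  igmp-snooping max-bandwidth 40960
  traffic-optimize multicast-unicast enable
 traffic-profile name video-traffic
  traffic-optimize multicast-unicast enable
  traffic-optimize multicast-suppression packets 100
 traffic-profile name guest-traffic
  igmp-snooping enable
  igmp-snooping max-user 20
 vap-profile name wlan-vap
  forward-mode tunnel
  traffic-profile wlan-traffic
 vap-profile name video-vap
  traffic-profile video-traffic
 vap-profile name guest-vap
  traffic-profile guest-traffic
 vap-profile name lab-vap
  forward-mode tunnel
#
return
"""

# "<kind>-profile name <n>" or "ap-group name <n>" opens a section.
SECTION = re.compile(r"^(\S+-profile|ap-group) name (\S+)$")
LIMITS = ("broadcast-suppression", "multicast-suppression", "unicast-suppression")
CAC = ("igmp-snooping max-bandwidth ", "igmp-snooping max-user ")


def parse_sections(config):
    """Return {(kind, name): [commands]}; works with or without indentation."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), [])
        elif line in ("#", "return", "wlan") or line.startswith("ap-id "):
            current = None
        elif current is not None:
            current.append(line)
    return sections


def check_traffic_profile(lines):
    """Return (dependency errors, traffic limits still at their default)."""
    snoop = "igmp-snooping enable" in lines
    m2u = "traffic-optimize multicast-unicast enable" in lines
    errors = []
    if m2u and not snoop:
        errors.append("multicast-to-unicast enabled without igmp-snooping enable")
    if any(l.startswith(CAC) for l in lines) and not m2u:
        errors.append("multicast CAC configured without multicast-to-unicast conversion")
    unset = [k for k in LIMITS
             if not any(l.startswith(f"traffic-optimize {k} packets ") for l in lines)]
    if "traffic-optimize sta-bridge-forward disable" not in lines:
        unset.append("sta-bridge-forward disable")
    return errors, unset


def audit(config):
    """Return {vap profile: (bound traffic profile, errors, unset limits)}."""
    sections = parse_sections(config)
    result = {}
    for (kind, name), lines in sections.items():
        if kind != "vap-profile":
            continue
        # No binding line means the built-in traffic profile "default".
        bound = next((l.split()[1] for l in lines
                      if l.startswith("traffic-profile ")), "default")
        profile = sections.get(("traffic-profile", bound))
        if profile is None and bound != "default":
            result[name] = (bound, ["traffic profile not defined in this file"], [])
            continue
        result[name] = (bound, *check_traffic_profile(profile or []))
    return result


if __name__ == "__main__":
    for vap, (bound, errors, unset) in audit(SAMPLE_CONFIG).items():
        print(f"{vap} -> {bound}: errors={errors} unset={unset}")
```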

21.7.2 Example for Configuring Multicast CAC Based on the Number of Multicast Group Memberships

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
As shown in Figure 21-2, enterprise users can access the Internet through the WLAN to meet
the basic requirement of mobile office.
Video conference multicast sources are deployed on the WLAN to specially provide video
conference services. The multicast source IP address ranges from 225.1.1.1 to 225.1.1.5. The
administrator wants to configure multicast connection admission control (CAC) based on the
number of multicast group memberships to deny access of employees when the number of
multicast group memberships reaches the upper limit, ensuring access quality of video
conferences.


Figure 21-2 Networking for configuring multicast CAC based on the number of multicast
group memberships


Configuration Roadmap
1. Configure basic WLAN services to ensure that users can access the WLAN.
2. Configure the multicast-to-unicast function to convert multicast data packets to unicast
data packets, improving multicast data transmission efficiency.
3. Configure multicast CAC based on the number of multicast group memberships to
control access of multicast users.

Table 21-5 Data planning

Item                           Data
DHCP server                    The AC functions as a DHCP server to assign IP addresses to STAs and APs.
IP address pool for APs        10.23.100.2-10.23.100.254/24
IP address pool for STAs       10.23.101.2-10.23.101.254/24
AC's source interface address  VLANIF 100: 10.23.100.1/24
AP group                       • Name: ap-group1
                               • Referenced profiles: VAP profile wlan-vap and regulatory domain
                                 profile domain1
Regulatory domain profile      • Name: domain1
                               • Country code: CN
SSID profile                   • Name: wlan-ssid
                               • SSID name: wlan-net
Security profile               • Name: wlan-security
                               • Security policy: WPA2+PSK+AES
                               • Password: a1234567
VAP profile                    • Name: wlan-vap
                               • Forwarding mode: tunnel forwarding
                               • Service VLAN: VLAN 101
                               • Referenced profiles: SSID profile wlan-ssid, security profile
                                 wlan-security, and traffic profile wlan-traffic
Traffic profile                • Name: wlan-traffic
                               • Maximum number of multicast group memberships on a VAP: 20


Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure SwitchA and the AC so that the AP and AC can transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP to management VLAN 100 and add GE0/0/2
that connects SwitchA to the AC to the same VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 that connects the AC to SwitchA to VLAN 100.
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC to communicate with the upstream device.


NOTE

Configure AC uplink interfaces to transparently transmit packets of service VLANs as required and
communicate with the upstream device.

# Add AC uplink interface GE0/0/2 to service VLAN 101.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet0/0/2] quit

Step 4 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.

# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.

# Create an AP group and add the AP to the AP group.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100


# Import the AP offline on the AC and add the AP to AP group ap-group1. Assume that the
AP's MAC address is 60de-4476-e360. Configure a name for the AP based on the AP's
deployment location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in Area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz
radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field is displayed as nor, the AP goes online normally.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC-wlan-ap-group-ap-group1] quit

Step 7 Set channels and power for the AP radios.


NOTE

Automatic channel and power calibration functions are enabled by default. The manual channel and power
configurations take effect only when these two functions are disabled. The channel and power configuration
for the AP radios in this example is for reference only. In actual scenarios, configure channels and power for
AP radios based on country codes of APs and network planning results.

# Disable automatic channel and power calibration functions of radio 0, and configure the
channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

# Disable automatic channel and power calibration functions of radio 1, and configure the
channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

Step 8 Configure the multicast-to-unicast function.


# Create traffic profile wlan-traffic, and enable the Internet Group Management Protocol
(IGMP) snooping and multicast-to-unicast functions in the traffic profile.
[AC-wlan-view] traffic-profile name wlan-traffic
[AC-wlan-traffic-prof-wlan-traffic] igmp-snooping enable
[AC-wlan-traffic-prof-wlan-traffic] traffic-optimize multicast-unicast enable

Step 9 Configure multicast CAC based on the number of multicast group memberships.
# Configure the maximum number of multicast group memberships to 20 for a VAP.
[AC-wlan-traffic-prof-wlan-traffic] igmp-snooping max-user 20
[AC-wlan-traffic-prof-wlan-traffic] quit

# Bind traffic profile wlan-traffic to VAP profile wlan-vap.


[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] traffic-profile wlan-traffic
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap] quit

Step 10 Verify the configuration.


Run the display wlan igmp-snooping vap-cac command on the AC to check the multicast
CAC configuration and statistics on the VAP. When the CurUser value is equal to the
MaxUser value, new users cannot join the multicast group.

[AC-wlan-view] display wlan igmp-snooping vap-cac ap-id 0
Info: This operation may take a few seconds, please wait.done.
Rf            : Radio ID                  WID             : WLAN ID
CurBw         : Current bandwidth(kbps)   MaxBw           : Max bandwidth(kbps)
CurUser       : Current user number       MaxUser         : Max user number
BwUtilization : Bandwidth utilization     UserUtilization : User utilization
--------------------------------------------------------------------------------
Rf   WID  CurBw/MaxBw  BwUtilization  CurUser/MaxUser  UserUtilization
--------------------------------------------------------------------------------
0    1    0/0          0%             0/20             0%
1    1    0/0          0%             0/20             0%
--------------------------------------------------------------------------------
Total: 2

----End
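
The check described in Step 10, as an added example (not part of the Huawei guide): a parser for the display wlan igmp-snooping vap-cac output that reports which VAPs have reached MaxUser and therefore reject new multicast joins. The sample output is constructed, the 80% warning threshold is an arbitrary choice, and treating MaxUser 0 as "no limit configured" is an assumption.

```python
import re

# Constructed output in the layout shown above; the CurUser counters are
# made-up values chosen to exercise each state.
SAMPLE_OUTPUT = """\
Info: This operation may take a few seconds, please wait.done.
Rf   WID  CurBw/MaxBw  BwUtilization  CurUser/MaxUser  UserUtilization
--------------------------------------------------------------------------------
0    1    0/0          0%             20/20            100%
1    1    0/0          0%             17/20            85%
--------------------------------------------------------------------------------
Total: 2
"""

# One data row: Rf, WID, CurBw/MaxBw, BwUtilization, CurUser/MaxUser, UserUtilization.
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)/(\d+)\s+(\d+)%\s+(\d+)/(\d+)\s+(\d+)%\s*$"
)


def parse_vap_cac(text):
    """Return one dict per VAP row; legend, header and separator lines are skipped."""
    vaps = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rf, wid, cur_bw, max_bw, _, cur_user, max_user, _ = map(int, m.groups())
            vaps.append({"radio": rf, "wlan": wid, "cur_bw": cur_bw,
                         "max_bw": max_bw, "cur_user": cur_user,
                         "max_user": max_user})
    return vaps


def membership_state(vap, warn_ratio=0.8):
    """Classify a VAP by how close CurUser is to MaxUser."""
    if vap["max_user"] == 0:
        return "no-limit"        # assumption: 0 means no membership limit is set
    if vap["cur_user"] >= vap["max_user"]:
        return "full"            # CurUser == MaxUser: new joins are denied
    if vap["cur_user"] >= warn_ratio * vap["max_user"]:
        return "near-limit"
    return "ok"


def report(text, warn_ratio=0.8):
    """Return (radio, wlan, state) for every VAP in the command output."""
    return [(v["radio"], v["wlan"], membership_state(v, warn_ratio))
            for v in parse_vap_cac(text)]


def totals_match(text):
    """True if the 'Total: N' footer equals the number of parsed rows.

    A mismatch means the capture was truncated or a row did not parse.
    """
    m = re.search(r"^Total:\s*(\d+)", text, re.MULTILINE)
    return m is not None and int(m.group(1)) == len(parse_vap_cac(text))


if __name__ == "__main__":
    for radio, wlan, state in report(SAMPLE_OUTPUT):
        print(f"radio {radio} wlan {wlan}: {state}")
    print("row count matches footer:", totals_match(SAMPLE_OUTPUT))
```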

Configuration Files
• SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
 traffic-profile name wlan-traffic
  igmp-snooping enable
  igmp-snooping max-user 20
  traffic-optimize multicast-unicast enable
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  traffic-profile wlan-traffic
 regulatory-domain-profile name domain1
 rrm-profile name default
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
  radio 0
   channel 20mhz 6
   eirp 127
  radio 1
   channel 20mhz 149
   eirp 127
#
return


22 Dual-Link Cold Backup Configuration

22.1 Overview of Dual-Link Cold Backup


Definition
Dual-link cold backup allows two ACs on an AC + Fit AP network to manage APs
simultaneously. The APs set up CAPWAP links with both ACs: one AC functions as the
active AC and provides services for the APs, while the other works as the standby AC.
When the active AC fails or the CAPWAP link between the active AC and an AP
becomes faulty, the standby AC replaces the active AC to manage APs and provide services.
To ensure that both ACs provide the same services, it is recommended that the same service
configurations be performed on the active and standby ACs.

Purpose
Usually, an AC controls and manages a large number of APs and STAs on an AC + Fit AP
network. Once the CAPWAP link between the AC and an AP is disconnected, the AC is unable
to provide services for STAs. Dual-link cold backup reduces the impact of a CAPWAP link
failure on the STAs, improving network reliability.

22.2 Understanding Dual-Link Cold Backup


In the AC + Fit AP networking, the AC manages and controls the WLAN services of users.
An AC may control hundreds of APs and tens of thousands of STAs. If the CAPWAP link
between the AC and AP becomes faulty, the services of all users connected to the AC are
interrupted. Therefore, the AC must be highly reliable.

As shown in Figure 22-1, an active AC and a standby AC are deployed on the WLAN. The
AP establishes tunnels with the two ACs (CAPWAP Tunnel Setup), and periodically
exchanges CAPWAP packets with ACs to monitor link status. The active AC controls access
from STAs. If the AP detects a fault on the link between the AP and the active AC, the AP requests
the standby AC to trigger an Active/Standby Switchover. The standby AC then becomes the
active AC to control access of STAs. After the original active AC is restored, the AP requests
the active and standby ACs to perform Revertive Switchover. The restored AC becomes the
active AC again.


Figure 22-1 Dual-link cold backup networking diagram
[Figure: an active AC and a standby AC connect through a switch to an AP that serves STAs. The AP has a CAPWAP primary tunnel to the active AC and a CAPWAP backup tunnel to the standby AC.]

Dual-Link CAPWAP Tunnel Setup


1. Setting up the first tunnel
The procedure for setting up the first tunnel is the same as the procedure for setting up a
CAPWAP tunnel, except that the active AC needs to be selected in the Discovery phase.
Only the Discovery phase is described in this section. For description of other phases,
see "CAPWAP Tunnel Establishment" in 5.2.4 AP Online Process.
a. After the dual-link cold backup function is enabled in the Discovery phase, the AP
sends a Discovery Request message in unicast or broadcast mode:
▪ If the IP addresses of active and standby ACs have been allocated in static,
DHCP, or DNS mode, the AP sends the Discovery Request message in unicast
mode to request connections with the ACs.
▪ If no IP addresses are allocated to ACs or there is no response to the unicast
packet, the AP sends another Discovery Request message in broadcast mode to
discover the ACs that can be associated with the AP.
b. In unicast or broadcast mode, ACs working properly will return Discovery
Response messages to the AP. The Discovery Response messages contain the IP
addresses of primary and backup ACs, dual-link backup flags, priorities, loads, and
IP addresses of the ACs.
c. After receiving the Discovery Response message, the AP selects an active AC
based on IP addresses of primary and backup ACs, AC priorities, loads, and IP
addresses, and sets up a CAPWAP primary tunnel with the active AC. The AP
selects the active AC in the following sequence:
i. Check primary ACs on the AP. If there is only one primary AC, the AP selects
it as the active AC. If there are multiple primary ACs, the AP selects the AC
with the lowest load as the active AC. If the loads are the same, the AP selects
the AC with the smallest IP address as the active AC.
Compare AC loads, that is, numbers of access APs and STAs. The AP selects
the AC with the lowest load as the active AC. The number of allowed APs is
compared ahead of the number of allowed STAs. When the numbers of
allowed APs are the same on ACs, the AP selects the AC that can connect
more STAs as the active AC.
NOTE

The number of allowed APs is calculated using the following formula: Number of allowed
APs = Maximum number of access APs - Number of online APs.
The number of allowed STAs is calculated using the following formula: Number of allowed
STAs = Maximum number of access STAs - Number of online STAs.
ii. If there is no primary AC, check backup ACs. If there is only one backup AC,
the AP selects this AC as the active AC. If there are multiple backup ACs, the
AP selects the AC with the lowest load as the active AC. If the loads are the
same, the AP selects the AC with the smallest IP address as the active AC.
iii. If there is no primary AC, compare AC priorities. The AP selects the AC with
the smaller priority value as the active AC.
iv. If the AC priorities are the same, the AP selects the AC with the lowest load as
the active AC.
v. When the loads are the same, compare the ACs' IP addresses, and select the
AC with the smaller IP address as the active AC.
2. Setting up the second tunnel with the other AC
To prevent repeated service configuration delivery, the AP starts to set up the second
tunnel only after the configuration of the first tunnel is complete.
a. The AP sends a Discovery Request message to the other AC in unicast mode.
b. The AC returns a Discovery Response message containing the IP addresses of
primary and backup ACs, dual-link backup flag, load, and priority to the AP.
c. The AP knows that the dual-link backup function is enabled after receiving the
Discovery Response message, and saves the priority of the AC.
NOTE

If the priority of this AC is higher than the priority of the other AC, the AP performs an active/
standby switchover only after the tunnel is set up.
d. The AP sends a Join Request message, notifying the AC that the configurations
have been delivered. After receiving the Join Request message, the AC sets up a
CAPWAP tunnel with the AP but does not deliver configurations to the AP.
e. After the second tunnel is set up, the AP selects the active and standby ACs again
based on the tunnel priorities.
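
The active AC selection order in steps i to v of the first-tunnel procedure above, written out as an added example (not Huawei's implementation) so the tie-breaks can be checked against sample values. The role field, the ac() helper and all addresses and counters are assumptions made for the example, and "lowest load" is read as "most allowed APs, then most allowed STAs" per the formulas in the NOTE.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class DiscoveryResponse:
    """Fields of one AC's Discovery Response that the selection uses."""
    ac_ip: str
    priority: int      # a smaller value indicates a higher priority
    max_aps: int
    online_aps: int
    max_stas: int
    online_stas: int
    role: str = ""     # hypothetical field: "primary", "backup" or "" (neither)


def load_key(r):
    """Sort key for 'lowest load': more allowed APs first, then more allowed STAs."""
    allowed_aps = r.max_aps - r.online_aps
    allowed_stas = r.max_stas - r.online_stas
    return (-allowed_aps, -allowed_stas)


LOAD = ("lowest load", load_key)
IP = ("smallest IP address", lambda r: IPv4Address(r.ac_ip))  # numeric, not string, order
PRIORITY = ("smallest priority value", lambda r: r.priority)


def narrow(candidates, stages):
    """Apply tie-break stages in order; stop at the first that leaves a single AC."""
    for name, key in stages:
        best = min(key(c) for c in candidates)
        candidates = [c for c in candidates if key(c) == best]
        if len(candidates) == 1:
            break
    return candidates[0], name


def select_active_ac(responses):
    """Return (chosen response, rule that decided) following steps i to v."""
    if not responses:
        raise ValueError("no Discovery Response received")
    for role in ("primary", "backup"):                       # steps i and ii
        group = [r for r in responses if r.role == role]
        if len(group) == 1:
            return group[0], f"only {role} AC"
        if group:
            chosen, rule = narrow(group, [LOAD, IP])
            return chosen, f"{rule} among {role} ACs"
    return narrow(list(responses), [PRIORITY, LOAD, IP])     # steps iii to v


def ac(ip, priority=0, online_aps=0, online_stas=0, role=""):
    """Build a constructed response; 16 APs / 2048 STAs are sample capacities."""
    return DiscoveryResponse(ip, priority, 16, online_aps, 2048, online_stas, role)


if __name__ == "__main__":
    cases = {
        "priority decides": [ac("10.23.100.1", priority=1), ac("10.23.100.2")],
        "load decides": [ac("10.23.100.1", online_aps=10), ac("10.23.100.2", online_aps=4)],
        "IP decides": [ac("10.23.100.10"), ac("10.23.100.2")],
        "primary overrides priority": [ac("10.23.100.9", priority=5, role="primary"),
                                       ac("10.23.100.2")],
    }
    for label, responses in cases.items():
        chosen, rule = select_active_ac(responses)
        print(f"{label}: {chosen.ac_ip} ({rule})")
```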

Active/Standby Switchover
After setting up tunnels with the active and standby ACs, the AP sends Echo messages to
monitor tunnel status. The Echo messages contain the active/standby status of the tunnels.
When the AP detects that the primary tunnel has failed, it sends an Echo Request message
with the active flag to the standby AC. After receiving the Echo Request message, the standby
AC becomes the active AC, and the AP transfers STA data to this AC.

Revertive Switchover
The AP periodically sends Discovery Request messages to check whether the original primary
tunnel recovers. If the original primary tunnel has recovered, the AP switches STA data back
to this tunnel after a delay because this tunnel has a higher priority than the other one. To
prevent frequent switchovers caused by network flapping, the AP requests ACs to perform
revertive switchover after 20 Echo intervals, and then sends STA data to the new active AC.

22.3 Application Scenarios for Dual-Link Cold Backup

22.3.1 Application of Dual-Link Cold Backup


1+1 Dual-Link Cold Backup
In the AC+FIT AP network architecture, the AC manages and controls WLAN services for
wireless users in a centralized manner. One AC usually controls hundreds of APs and over ten
thousand STAs. When a fault occurs on the AC or the link between the AC and AP fails, the
services of all users connected to the AC are interrupted. If dual-link cold backup is enabled,
the standby AC controls the WLAN services for wireless users when a fault occurs on the
active AC or the link between the active AC and AP fails. This reduces service interruption
time.
As shown in Figure 22-2, AC1 and AC2 provide dual links for STAs. AC1 is the active
device, serving AP1 and AP2. AC2 is the standby device. Each AP sets up a CAPWAP tunnel
with AC1 and AC2 respectively. When the APs detect that AC1 fails, the CAPWAP tunnels
between APs and AC2 become the active tunnels, and AC2 becomes the active AC. After
AC1 recovers, it becomes the active AC or still functions as the standby AC depending on the
configuration.

Figure 22-2 1+1 dual-link cold backup networking diagram
[Figure: AC1 and AC2 connect through a switch to AP1 and AP2, each serving STAs. Each AP has a CAPWAP primary tunnel and a CAPWAP backup tunnel to the two ACs.]


22.4 Summary of Dual-Link Cold Backup Configuration Tasks
Table 22-1 lists the dual-link cold backup configuration tasks.

Table 22-1 Dual-link cold backup configuration tasks

Scenario                    Description                  Task
Configure dual-link cold    The traditional              22.7 Configuring Dual-Link Cold Backup
backup in the traditional   configuration mode is        (Traditional Method)
mode.                       supported.                   22.9 (Optional) Configuring the
                                                         Active/Standby Link Switchover Mode
Configure dual-link cold    The new configuration        22.8 Configuring Dual-Link Cold Backup
backup in a new mode.       mode enables simpler         (New Method)
                            operations.                  22.9 (Optional) Configuring the
                                                         Active/Standby Link Switchover Mode

22.5 Licensing Requirements and Limitations for Dual-Link Cold Backup

Involved Network Elements
AP
• APs mentioned in this document are Huawei AP products. You are advised to use
  Huawei APs to connect to the AC.
• You can run the display ap-type all command to check the default AP types supported
  by the device.
• When central APs and RUs are used, ensure that their versions are the same. For
  example, if the central AP version is V200R007C10, the RU version must be
  V200R007C10.


Table 22-2 Mapping between switch versions and AP versions

Product Software Version   AP Software Version
V200R012C00                V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10,
                           V200R006C20, V200R006C10
V200R011C10                V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20,
                           V200R006C10
V200R011C00                V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00                V200R007C10, V200R006C20, V200R006C10
V200R009C00                V200R006C20, V200R006C10
V200R008C00                V200R005C30, V200R005C20, V200R005C10
V200R007                   V200R005C20, V200R005C10
V200R006                   V200R005C00

Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
• AP resource license-16AP for WLAN access controller
• AP resource license-64AP for WLAN access controller
• AP resource license-128AP for WLAN access controller
• AP resource license-512AP for WLAN access controller

For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.

Version Requirements

Table 22-3 Products and minimum version supporting dual-link backup

Series                  Product Model      Minimum Version Required
S1700 series switches   -                  Not supported
S2700 series switches   -                  Not supported
S3700 series switches   -                  Not supported
S5700 series switches   S5720HI, S5730HI   S5720HI: V200R006
                                           S5730HI: V200R012
S6700 series switches   S6720HI            V200R012

Feature Limitations
• WLAN service configurations (for example, WMM profile, radio profile, radio, traffic
  profile, security profile, and security policies) of the same AP must be consistent on the
  active and standby ACs; otherwise, the AP cannot work properly after an active/standby
  AC switchover.
• When an active/standby switchover is implemented between two ACs, STAs using open
  system authentication remain connected to APs while STAs using other authentication
  modes are disconnected and need to go online again.
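
A consistency check for the first limitation above, as an added example (not Huawei tooling): it compares the wlan view of two saved configurations and lists every setting present on only one AC, so that a switchover does not land APs on a different security, traffic or VAP profile. It assumes saved configurations indent one space per view level, skips ac protect lines because they differ between the two ACs by design, and masks %^%#...%^%# cipher strings on the assumption that they differ between devices; both sample configurations are constructed.

```python
import re

# Constructed excerpts in the layout of an AC configuration file. The
# protect-ac addresses, priorities and cipher strings are sample values.
ACTIVE_CFG = """\
#
wlan
 ac protect enable
 ac protect protect-ac 10.23.100.3
 ac protect priority 0
 traffic-profile name wlan-traffic
  igmp-snooping enable
  igmp-snooping max-user 20
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#AAAAconstructed%^%# aes
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  security-profile wlan-security
 ap-group name ap-group1
  radio 0
   vap-profile wlan-vap wlan 1
#
return
"""

STANDBY_CFG = """\
#
wlan
 ac protect enable
 ac protect protect-ac 10.23.100.1
 ac protect priority 1
 traffic-profile name wlan-traffic
  igmp-snooping enable
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#BBBBconstructed%^%# aes
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 102
  security-profile wlan-security
 ap-group name ap-group1
  radio 0
   vap-profile wlan-vap wlan 1
#
return
"""

# Cipher text is masked, so two different pass-phrases compare equal here;
# verify shared secrets separately.
CIPHER = re.compile(r"%\^%#.*?%\^%#")


def wlan_blocks(config_text):
    """Map each block in the wlan view to the set of settings under it.

    Nested settings are stored with their parent path, for example
    'radio 0 > vap-profile wlan-vap wlan 1'.
    """
    blocks, current, stack, in_wlan = {}, None, [], False
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = CIPHER.sub("<cipher>", raw.strip())
        if indent == 0:                      # "#", "wlan", "return", other views
            in_wlan, current = (line == "wlan"), None
        elif not in_wlan:
            continue
        elif indent == 1:
            if line.startswith("ac protect"):
                current = None               # per-AC setting, not compared
            else:
                current, stack = line, []
                blocks.setdefault(current, set())
        elif current is not None:
            stack = stack[:indent - 2] + [line]
            blocks[current].add(" > ".join(stack))
    return blocks


def compare_wlan_config(active_text, standby_text):
    """Return sorted (block, where, setting) tuples, one per mismatch."""
    active, standby = wlan_blocks(active_text), wlan_blocks(standby_text)
    findings = []
    for block in sorted(active.keys() | standby.keys()):
        if block not in standby:
            findings.append((block, "active only", "<whole block>"))
        elif block not in active:
            findings.append((block, "standby only", "<whole block>"))
        else:
            findings += [(block, "active only", s)
                         for s in sorted(active[block] - standby[block])]
            findings += [(block, "standby only", s)
                         for s in sorted(standby[block] - active[block])]
    return findings


if __name__ == "__main__":
    for block, where, setting in compare_wlan_config(ACTIVE_CFG, STANDBY_CFG):
        print(f"{block}: {where}: {setting}")
```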

22.6 Default Settings for Dual-Link Cold Backup


Table 22-4 Default settings for dual-link cold backup

Parameter                                         Default Setting
AC's global priority                              0
AC priority based on APs                          None
CAPWAP heartbeat interval                         25 seconds
Number of CAPWAP heartbeat packet transmissions   3
Revertive switching in dual-link backup mode      Enabled
Dual-link backup                                  Disabled

22.7 Configuring Dual-Link Cold Backup (Traditional Method)

Context
Dual-link cold backup can be configured using either of the following methods:
• Global configuration: The dual-link backup parameters are configured in the AC's
  WLAN view and delivered to all APs except the specified APs. You can use this method
  to batch enable dual-link backup.
• AP-specific configuration: The dual-link backup parameters are configured in the AC's
  AP system profile view and apply to all APs using the AP system profile. The
  AP-specific configuration takes precedence over global configuration on the AC.
The following configurations must be performed on both the active and standby ACs.

Pre-configuration Tasks
Before configuring dual-link cold backup, configure basic WLAN services on the active and
standby ACs. For details, see 5 WLAN Service Configuration. The WLAN service
configurations of the active and standby ACs must be consistent.

Procedure
• Global configuration
a. Run system-view
The system view is displayed.
b. (Optional) Run capwap echo { interval interval-value | times times-value } *
The CAPWAP heartbeat interval and number of CAPWAP heartbeat detections are
configured.
By default, the CAPWAP heartbeat detection interval is 25s and the number of
CAPWAP heartbeat detections is 6.
If dual-link backup is enabled, the default CAPWAP heartbeat detection
interval is 25s and the default number of CAPWAP heartbeat detections is 3.


NOTE

• To configure dual-link backup on a WDS or mesh network, set the CAPWAP heartbeat
  interval to 25 seconds and set the number of heartbeat packet transmissions to at least 6.
  If this configuration is not performed, the AC sends heartbeat packets 3 times at an
  interval of 25 seconds by default. This may cause unstable WDS or mesh link status and
  result in user access failures.
• If you set the CAPWAP heartbeat detection interval and the number of CAPWAP
  heartbeat detections smaller than the default values, the CAPWAP link reliability is
  degraded. Exercise caution when you set the values. The default values are
  recommended.
c. Run wlan
The WLAN view is displayed.
d. Run ac protect protect-ac ip-address
The IP address of the standby AC is configured.
By default, no standby AC IP address is configured in the WLAN view.
e. Run ac protect priority priority
The priority of the local AC is configured.
By default, the AC priority in the WLAN view is 0.

NOTE

l The priority of the standby AC must be lower than that of the active AC.
l A smaller value indicates a higher priority, so the standby AC is assigned the larger value.
f. Run undo ac protect restore disable
Revertive switching is enabled.
By default, global revertive switching is enabled.

NOTE

If global revertive switching is disabled on the original active AC, traffic of an AP cannot be
switched back to the original active AC when the link between the original active AC and
the AP restores.
g. (Optional) Run ac protect cold-backup kickoff-station
STAs using open system authentication are configured to disconnect from APs
when an active/standby AC switchover is implemented.
By default, STAs using open system authentication remain connected to APs when
an active/standby AC switchover is implemented.
h. (Optional) Run ac protect alarm-restrain enable
AP fault alarm suppression is enabled.
By default, AP fault alarm suppression is disabled.
i. Run ac protect enable
Dual-link backup is enabled.
By default, dual-link backup is disabled.
j. Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group
ap-group | ap-type { type type-name | type-id type-id } }
APs are restarted to make the dual-link backup configurations take effect.


NOTE

l If the dual-link backup function is disabled, running the ac protect enable command
restarts online APs. After the APs are restarted, the dual-link backup function takes
effect.
l If the dual-link backup function is enabled, running the ac protect enable command
does not restart online APs. You need to run the ap-reset { all | ap-name ap-name | ap-
mac ap-mac | ap-id ap-id | ap-group ap-group | ap-type { type type-name | type-id
type-id } } command to restart the APs and make the dual-link backup function take
effect. You can also manually restart the APs to make the dual-link backup function take
effect.
l If an AP goes online after dual-link backup is configured, you do not need to restart the
AP.
l AP-specific configuration
a. Run system-view
The system view is displayed.
b. (Optional) Run capwap echo { interval interval-value | times times-value } *
The CAPWAP heartbeat interval and number of CAPWAP heartbeat detections are
configured.
By default, the CAPWAP heartbeat detection interval is 25s and the number of
CAPWAP heartbeat detections is 6.
If dual-link backup is enabled, the default CAPWAP heartbeat detection interval
is 25s and the default number of CAPWAP heartbeat detections is 3.

NOTE

l To configure dual-link backup on a WDS or mesh network, set the CAPWAP heartbeat
interval to 25 seconds and set the number of heartbeat packet transmissions to at least 6.
If this configuration is not performed, the AC sends heartbeat packets 3 times at an
interval of 25 seconds by default. This may cause unstable WDS or mesh link status and
result in user access failures.
l If you set the CAPWAP heartbeat detection interval and the number of CAPWAP
heartbeat detections to values smaller than the defaults, CAPWAP link reliability
is degraded. Exercise caution when you set the values. The default values are
recommended.
c. Run wlan
The WLAN view is displayed.
d. Run ap-system-profile name profile-name
An AP system profile is created and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
e. Run protect-ac ip-address ip-address
The IP address of the standby AC is configured.
By default, no standby AC's IP address is configured in the AP system profile view.
f. Run priority priority-level
The priority of the local AC is configured.
By default, no AC priority is configured in the AP system profile view.


NOTE

l The priority of the standby AC must be lower than that of the active AC.
l If priorities have been configured for the two ACs to which an AP connects, the AC with
the higher priority becomes the active AC.
g. Run quit
Return to the WLAN view.
h. Run undo ac protect restore disable
Revertive switching is enabled.
By default, global revertive switching is enabled.

NOTE

If global revertive switching is disabled on the original active AC, traffic of an AP cannot be
switched back to the original active AC when the link between the original active AC and
the AP restores.
i. (Optional) Run ac protect cold-backup kickoff-station
STAs using open system authentication are configured to disconnect from APs
when an active/standby AC switchover is implemented.
By default, STAs using open system authentication remain connected to APs when
an active/standby AC switchover is implemented.
j. (Optional) Run ac protect alarm-restrain enable
AP fault alarm suppression is enabled.
By default, AP fault alarm suppression is disabled.
k. Run ac protect enable
Dual-link backup is enabled.
By default, dual-link backup is disabled.
l. Bind the AP system profile to an AP group or an AP.
n Binding an AP system profile to an AP group.
1) Run the ap-group name group-name command to enter the AP group
view.
2) Run the ap-system-profile profile-name command to bind the AP system
profile to the AP group.
By default, the AP system profile default is bound to an AP group.
n Binding an AP system profile to an AP.
1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
enter the AP view.
2) Run the ap-system-profile profile-name command to bind the AP system
profile to the AP.
By default, no AP system profile is bound to an AP.
m. Run quit
Return to the WLAN view.
n. Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group
ap-group | ap-type { type type-name | type-id type-id } }
APs are restarted to make the dual-link backup configurations take effect.


NOTE

l If the dual-link backup function is disabled, running the ac protect enable command
restarts online APs. After the APs are restarted, the dual-link backup function takes
effect.
l If the dual-link backup function is enabled, running the ac protect enable command
does not restart online APs. You need to run the ap-reset { all | ap-name ap-name | ap-
mac ap-mac | ap-id ap-id | ap-group ap-group | ap-type { type type-name | type-id
type-id } } command to restart the APs and make the dual-link backup function take
effect. You can also manually restart the APs to make the dual-link backup function take
effect.
l If an AP goes online after dual-link backup is configured, you do not need to restart the
AP.

----End

Verifying the Configuration


l Run the display ac protect command to check the dual-link backup status, active/
standby AC switch back status, as well as AC priority and the standby AC's IP address in
the WLAN view.
l Run the display ap-system-profile { all | name profile-name } command to check the
AC priority and the standby AC's IP address in the AP system profile view.

22.8 Configuring Dual-Link Cold Backup (New Method)

Context
Traditionally, dual-link cold backup is configured by specifying IP addresses of the active and
standby ACs on each other and configuring AC priorities. The active and standby ACs are
then determined based on the priority. To simplify configuration logic, the new configuration
method allows you to specify the same primary and backup ACs for APs on the active and
standby ACs. The active AC is specified as the primary AC, and the standby AC as the
backup AC.

The following configurations must be performed on both the active and standby ACs.

NOTE

You cannot configure dual-link cold backup in both the traditional and new methods. Otherwise, the dual-link
cold backup function cannot take effect.

Pre-configuration Tasks
Before configuring dual-link cold backup, configure basic WLAN services on the active and
standby ACs (for details, see 5 WLAN Service Configuration). The WLAN service
configurations of the active and standby ACs must be consistent.

Procedure
Step 1 Run system-view

The system view is displayed.


Step 2 (Optional) Run capwap echo { interval interval-value | times times-value } *
The CAPWAP heartbeat interval and number of CAPWAP heartbeat detections are
configured.
By default, the CAPWAP heartbeat detection interval is 25s and the number of CAPWAP
heartbeat detections is 6.
If dual-link backup is enabled, the default CAPWAP heartbeat detection interval is 25s
and the default number of CAPWAP heartbeat detections is 3.

NOTE

l To configure dual-link backup on a WDS or mesh network, set the CAPWAP heartbeat interval to 25
seconds and set the number of heartbeat packet transmissions to at least 6. If this configuration is not
performed, the AC sends heartbeat packets 3 times at an interval of 25 seconds by default. This may
cause unstable WDS or mesh link status and result in user access failures.
l If you set the CAPWAP heartbeat detection interval and the number of CAPWAP heartbeat
detections to values smaller than the defaults, CAPWAP link reliability is degraded. Exercise
caution when you set the values. The default values are recommended.

Step 3 Run wlan
The WLAN view is displayed.
Step 4 Run ap-system-profile name profile-name
An AP system profile is created and the AP system profile view is displayed.
Step 5 Run primary-access { ip-address ip-address | ipv6-address ipv6-address }
A primary AC IP address is configured.
By default, no primary AC IP address is configured.
Step 6 Run backup-access { ip-address ip-address | ipv6-address ipv6-address }
A backup AC IP address is configured.
By default, no backup AC IP address is configured.
Step 7 Run quit
Return to the WLAN view.
Step 8 Run undo ac protect restore disable
Revertive switching is enabled.
Step 9 (Optional) Run ac protect cold-backup kickoff-station
STAs using open system authentication are configured to disconnect from APs when an
active/standby AC switchover is implemented.
Step 10 (Optional) Run ac protect alarm-restrain enable
AP fault alarm suppression is enabled.
By default, AP fault alarm suppression is disabled.
Step 11 Run ac protect enable
Dual-link backup is enabled.
By default, dual-link backup is disabled.


Step 12 Bind the AP system profile to an AP group or an AP.
l Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP group.
By default, the AP system profile default is bound to an AP group.
l Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP.
By default, no AP system profile is bound to an AP.
Step 13 Run quit
Return to the WLAN view.
Step 14 Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group ap-group |
ap-type { type type-name | type-id type-id } }
APs are restarted to make the dual-link backup configurations take effect.

NOTE

l If the dual-link backup function is disabled, running the ac protect enable command restarts online
APs. After the APs are restarted, the dual-link backup function takes effect.
l If the dual-link backup function is enabled, running the ac protect enable command does not restart
online APs. You need to run the ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id |
ap-group ap-group | ap-type { type type-name | type-id type-id } } command to restart the APs and
make the dual-link backup function take effect. You can also manually restart the APs to make the
dual-link backup function take effect.
l If an AP goes online after dual-link backup is configured, you do not need to restart the AP.

----End

Verifying the Configuration


l Run the display ac protect command to check the dual-link backup status, active/
standby AC switch back status, as well as AC priority and the standby AC's IP address in
the WLAN view.
l Run the display ap-system-profile { all | name profile-name } command to check the
AC priority and the standby AC's IP address in the AP system profile view.
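
The rules stated in 22.7 and 22.8 (peer addresses, priority ordering, enabling on both ACs, not mixing the traditional and new methods) can be checked offline before APs are reset. The following Python check is an added example, not Huawei code: it parses commands as they are typed in the procedures above; the function names and sample command lists are constructed (addresses and priorities from Table 22-5), and a missing priority is assumed to be the WLAN-view default of 0.

```python
import ipaddress

TRADITIONAL = {"protect-ac", "priority"}      # commands from 22.7
NEW = {"primary-access", "backup-access"}     # commands from 22.8

def parse_commands(text):
    """Collect dual-link backup settings from commands typed on one AC (prompts stripped)."""
    cfg = {"enabled": False, "global": {}, "profiles": {}}
    profile = None                            # AP system profile view currently open
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[:2] == ["ap-system-profile", "name"]:
            profile = cfg["profiles"].setdefault(tok[2], {})
        elif tok[0] == "quit":
            profile = None
        elif tok == ["ac", "protect", "enable"]:
            cfg["enabled"] = True
        elif tok[:3] == ["ac", "protect", "protect-ac"]:
            cfg["global"]["protect-ac"] = ipaddress.ip_address(tok[-1])
        elif tok[:3] == ["ac", "protect", "priority"]:
            cfg["global"]["priority"] = int(tok[-1])
        elif profile is not None and tok[0] == "priority":
            profile["priority"] = int(tok[-1])
        elif profile is not None and tok[0] in ("protect-ac", "primary-access", "backup-access"):
            profile[tok[0]] = ipaddress.ip_address(tok[-1])
    return cfg

def effective(cfg, profile_name):
    """AP-specific (profile) settings take precedence over the global ones."""
    merged = dict(cfg["global"])
    merged.update(cfg["profiles"].get(profile_name, {}))
    return merged

def audit_pair(active, standby, profile_name, active_ip, standby_ip):
    """Return a list of findings for one active/standby AC pair (empty list = consistent)."""
    a_ip, s_ip = ipaddress.ip_address(active_ip), ipaddress.ip_address(standby_ip)
    findings, eff = [], {}
    for role, cfg in (("active", active), ("standby", standby)):
        eff[role] = settings = effective(cfg, profile_name)
        if not cfg["enabled"]:
            findings.append(f"{role}: 'ac protect enable' is missing")
        if TRADITIONAL & set(settings) and NEW & set(settings):
            findings.append(f"{role}: traditional and new methods are both configured")
    a, s = eff["active"], eff["standby"]
    if NEW & (set(a) | set(s)):
        # New method: both ACs must name the same primary and backup AC.
        for key, want in (("primary-access", a_ip), ("backup-access", s_ip)):
            for role, settings in eff.items():
                if settings.get(key) != want:
                    findings.append(f"{role}: {key} should be {want}")
    else:
        # Traditional method: each AC points at its peer; smaller value = higher priority.
        if a.get("protect-ac") != s_ip:
            findings.append("active: protect-ac should be the standby AC's address")
        if s.get("protect-ac") != a_ip:
            findings.append("standby: protect-ac should be the active AC's address")
        if a.get("priority", 0) >= s.get("priority", 0):
            findings.append("priority: standby value must be larger than the active value")
    return findings

# Constructed sample input, modelled on the AP-specific procedure and Table 22-5.
AC1_COMMANDS = """
wlan
ap-system-profile name ap-system1
priority 0
protect-ac ip-address 10.23.100.3
quit
undo ac protect restore disable
ac protect enable
"""
AC2_COMMANDS = AC1_COMMANDS.replace("priority 0", "priority 1").replace(
    "10.23.100.3", "10.23.100.2")
# Constructed misconfiguration: AC2 copied from AC1 without adjusting priority or peer.
AC2_MISCONFIGURED = AC1_COMMANDS

if __name__ == "__main__":
    ac1 = parse_commands(AC1_COMMANDS)
    for label, text in (("AC2 as planned", AC2_COMMANDS), ("AC2 copied", AC2_MISCONFIGURED)):
        result = audit_pair(ac1, parse_commands(text), "ap-system1",
                            "10.23.100.2", "10.23.100.3")
        print(label, "->", result or "consistent")
```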

22.9 (Optional) Configuring the Active/Standby Link Switchover Mode

Context
In dual-link cold backup or hot standby scenarios, an AP simultaneously sets up active and
standby links with active and standby ACs, respectively. If the active link is faulty, the AP
switches service traffic to the standby link and goes online on the standby AC. When the
active link recovers, the AP detects that this link has a higher priority than the other one and
triggers a revertive switchover. After 20 Echo intervals, the AP switches service traffic back
to the active AC.
l To enable an AP to preferentially switch service traffic to the active link, set the active/
standby link switchover mode to the priority mode.
l To allow an AP to use the more stable link, set the active/standby link switchover mode
to the network stabilization mode. When the condition for triggering an active/standby
link switchover is met, the AP switches service traffic to the link on the more stable
network. In this mode, whether an active/standby link switchover is performed depends
only on the stability of the links, not on their active and standby roles. You can run the
ac protect link-switch packet-loss { gap-threshold gap-threshold | start-threshold
start-threshold } command to configure the condition for triggering an active/standby
link switchover.
In dual-link cold backup and hot standby scenarios, the network stabilization of active and
standby links is determined based on the Echo packet loss rate. The active/standby link
switchover is performed when the following conditions are met:
1. APs collect statistics about the specified number of Echo packets forwarded through the
link in use at each interval and find that the calculated packet loss rate is higher than the
packet loss rate start threshold.
2. The packet loss rate of the link in use is higher than that of the other link, and the
difference between the two links' packet loss rates is higher than the packet loss rate
difference threshold.
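
The two switchover conditions above, evaluated once per statistics interval, as an added Python example that is not part of the Huawei guide. It assumes that loss on both links is measured over the same number of Echo packets and that a decision is taken at the end of each interval; the class and function names and the sample loss counts are constructed.

```python
from dataclasses import dataclass

@dataclass
class StabilizationPolicy:
    echo_probe_time: int = 20       # Echo packets per statistics interval (default)
    start_threshold: float = 20.0   # packet loss rate start threshold, percent (default)
    gap_threshold: float = 15.0     # packet loss rate difference threshold, percent (default)

def loss_rate(lost, sent):
    """Packet loss rate in percent for one statistics interval."""
    if sent <= 0 or not 0 <= lost <= sent:
        raise ValueError("lost must be between 0 and sent, and sent must be positive")
    return 100.0 * lost / sent

def should_switch(policy, lost_in_use, lost_other):
    """True only if both conditions hold: the in-use link exceeds the start
    threshold AND it is worse than the other link by more than the gap threshold."""
    in_use = loss_rate(lost_in_use, policy.echo_probe_time)
    other = loss_rate(lost_other, policy.echo_probe_time)
    return in_use > policy.start_threshold and (in_use - other) > policy.gap_threshold

def link_in_use_per_interval(policy, intervals, start="active"):
    """intervals: (lost_on_active_link, lost_on_standby_link) per statistics interval.
    Returns which link carries traffic after each interval. Link roles play no
    part in the decision, so there is no automatic revert to the active link."""
    in_use, history = start, []
    for lost_active, lost_standby in intervals:
        lost = {"active": lost_active, "standby": lost_standby}
        other = "standby" if in_use == "active" else "active"
        if should_switch(policy, lost[in_use], lost[other]):
            in_use = other
        history.append(in_use)
    return history

# Constructed sample: Echo packets lost out of 20 on (active link, standby link).
SAMPLE_LOSSES = [
    (3, 0),   # 15% on the link in use: below the start threshold, stay
    (5, 3),   # 25% vs 15%: above start threshold, but gap of 10 is too small, stay
    (8, 1),   # 40% vs 5%: both conditions met, switch to the standby link
    (0, 2),   # active link has recovered, standby at 10%: stay on standby
    (1, 9),   # standby at 45% vs 5%: both conditions met, switch back
]

if __name__ == "__main__":
    print(link_in_use_per_interval(StabilizationPolicy(), SAMPLE_LOSSES))
```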

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run ac protect link-switch mode { priority | network-stabilization }
The active/standby link switchover mode is configured.
By default, the active/standby link switchover mode is the priority mode.
Step 5 Run ac protect link-switch packet-loss echo-probe-time echo-probe-time
The number of Echo probe packets sent within a statistics collection interval is configured.
By default, the number of Echo packets sent within a statistics collection interval is 20.
This configuration is supported only when the active/standby link switchover mode is set to
the network stabilization mode using the ac protect link-switch mode network-stabilization
command.
Step 6 Run ac protect link-switch packet-loss { gap-threshold gap-threshold | start-threshold
start-threshold }

The packet loss rate start and difference thresholds for an active/standby link switchover are
configured.
By default, the packet loss rate start and difference thresholds for an active/standby link
switchover are 20% and 15%, respectively.
This configuration is supported only when the active/standby link switchover mode is set to
the network stabilization mode using the ac protect link-switch mode network-stabilization
command.
Step 7 Run quit
Return to the WLAN view.
Step 8 Bind the AP system profile to an AP group or an AP.
l Binding an AP system profile to an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP group.
By default, the AP system profile default is bound to an AP group.
l Binding an AP system profile to an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the ap-system-profile profile-name command to bind the AP system profile to
the AP.
By default, no AP system profile is bound to an AP.

----End

Verifying the Configuration


l Run the display ap-system-profile { all | name profile-name } command to check the
configurations related to the active/standby link switchover mode.

22.10 Configuration Examples for Dual-Link Cold Backup

22.10.1 Example for Configuring Dual-link Cold Backup (AP-Specific Configuration Mode)

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.


Networking Requirements
An enterprise deploys WLAN area A to provide WLAN services. As shown in Figure 22-3,
the AP in area A is directly connected to the switch, the enterprise deploys two ACs in bypass
mode, and the switch connects to the Internet through the egress route. The enterprise requires
that dual-link backup be used to improve data transmission reliability.

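Figure 22-3 Networking diagram for configuring dual-link cold backup

[Figure: in Area A, the STA associates with the AP, and the AP connects to the Switch; AC1
and AC2 connect to the Switch in bypass mode, and the Switch connects to the Internet.
Interface labels shown: GE0/0/1, GE0/0/2, GE0/0/3. Management VLAN: VLAN 100.
Service VLAN: VLAN 101.]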

Configuration Roadmap
1. Set up connections between AC1, AC2, and other network devices. Configure the
switch as a DHCP server to allocate IP addresses to APs and STAs.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2. Ensure
that service configurations on AC1 and AC2 are the same.
4. Configure dual-link backup on the active AC first and then on the standby AC. When
dual-link backup is enabled, all APs are restarted. After dual-link backup configurations
are complete, the standby AC replaces the active AC to manage APs if the CAPWAP
tunnel between the active AC and APs is disconnected.

Table 22-5 Data planning

Item                            Data
Management VLAN for the AP      VLAN 100
Service VLAN for the STA        VLAN 101
DHCP server                     Switch functions as the DHCP server for the AP and STA.
                                STA's gateway: 10.23.101.1/24
                                AP's gateway: 10.23.100.1/24
IP address pool for the AP      10.23.100.4-10.23.100.254/24
IP address pool for the STA     10.23.101.2-10.23.101.254/24
AC's source interface           VLANIF 100
Active AC                       AC1
                                Local priority: 0
Standby AC                      AC2
                                Local priority: 1
Management IP address of AC1    VLANIF 100: 10.23.100.2/24
Management IP address of AC2    VLANIF 100: 10.23.100.3/24
AP group                        Name: ap-group1
                                Country code: CN
                                Referenced profile: VAP profile wlan-vap
SSID profile                    Name: wlan-ssid
                                SSID name: wlan-net
Security profile                Name: wlan-security
                                Security policy: WPA2+PSK+AES
                                Password: a1234567
VAP profile                     Name: wlan-vap
                                Forwarding mode: direct forwarding
                                Service VLAN: VLAN 101
                                Referenced profiles: SSID profile wlan-ssid and security profile wlan-security

Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.
l Dual-link backup cannot back up DHCP information. When the AC functions as the
DHCP server to assign IP addresses to APs and STAs, APs and STAs need to re-obtain
IP addresses if the active AC is faulty. It is recommended that the switch function as the
DHCP server. If the AC must be used as the DHCP server, configure address pools
containing different IP addresses on the active and standby ACs to prevent IP address
conflicts.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the switch and AC to enable the AC to communicate with the APs.
# Create VLAN100 (management VLAN) and VLAN101 (service VLAN) on the switch. Set
the link type of GE0/0/1 that connects the switch to the APs to trunk and PVID of the
interface to 100, and configure the interface to allow packets of VLAN100 and VLAN101 to
pass. Set the link type of GE0/0/2 and GE0/0/3 on the switch to trunk, and configure the
interfaces to allow packets of VLAN100 to pass.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit

# Add GE0/0/1, which connects AC1 to the switch, to VLAN100.
<HUAWEI> system-view
[HUAWEI] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1] quit


# Add GE0/0/1, which connects AC2 to the switch, to VLAN100.
<HUAWEI> system-view
[HUAWEI] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP function on the switch to allocate IP addresses to APs and STAs.
# Configure VLANIF100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
[Switch-Vlanif100] quit

# Configure VLANIF101 to use the interface address pool to allocate IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 4 Configure basic WLAN services on AC1.


1. Configure the AP to go online.
# Create an AP group to which the APs with the same configuration can be added.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name domain1
[AC1-wlan-regulate-domain-domain1] country-code cn
[AC1-wlan-regulate-domain-domain1] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

# Configure the AC's source interface.
[AC1] interface vlanif 100
[AC1-Vlanif100] ip address 10.23.100.2 24
[AC1-Vlanif100] quit
[AC1] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group ap-group1. In this
example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based
on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the
AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.

[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If
the State field displays nor, the AP has gone online.
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   10S    -
--------------------------------------------------------------------------------------------------
Total: 1

2. Configure WLAN service parameters.

# Create the security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AC1-wlan-view] security-profile name wlan-security
[AC1-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-security] quit

# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-ssid
[AC1-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-vap
[AC1-wlan-vap-prof-wlan-vap] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC1-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC1-wlan-vap-prof-wlan-vap] quit


# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit

Step 5 Configure basic WLAN services on AC2.


# Configure basic parameters for AC2 according to the configurations of AC1. The
configuration of AC2 is similar to that of AC1 except the source interface address.
# Configure the source interface of AC2.
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.3 255.255.255.0
[AC2-Vlanif100] quit
[AC2] capwap source interface vlanif 100
[AC2] wlan

Step 6 Configure dual-link backup on AC1 and AC2.


# On AC1, configure the AC1 priority and AC2 IP address in the AP system profile view to
implement dual-link backup.
NOTE

● The AC priority configuration determines the active and standby ACs. One with higher priority functions
  as the active AC, and the other functions as the standby AC. A smaller value indicates a higher priority.
  When the AC priorities are the same, the AC with the maximum number of allowed APs is selected as the
  active AC. When the numbers of allowed APs are the same, the AC with the maximum number of
  allowed STAs is selected as the active AC. When the numbers of allowed APs and STAs are the same, the
  AC with a smaller IP address is selected as the active AC.
● In this example, dual-link backup is configured using the AP-specific configuration method. You can also
  use the global configuration method to configure dual-link backup in the WLAN view.
[AC1-wlan-view] ap-system-profile name ap-system1
[AC1-wlan-ap-system-prof-ap-system1] priority 0
Warning: This action will take effect after resetting AP.
[AC1-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.23.100.3
Warning: This action will take effect after resetting AP.
[AC1-wlan-ap-system-prof-ap-system1] quit

# Bind the AP system profile to the AP group view.


[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] ap-system-profile ap-system1
[AC1-wlan-ap-group-ap-group1] quit

# On AC1, enable dual-link backup and revertive switchover globally, and restart all APs to
make the dual-link backup function take effect.
NOTE

By default, dual-link backup is disabled, and running the ac protect enable command restarts all APs. After
the APs are restarted, the dual-link backup function takes effect.
If dual-link backup is enabled, running the ac protect enable command does not restart APs. You need to run
the ap-reset command on the active AC to restart all APs and make the dual-link backup function take effect.
[AC1-wlan-view] undo ac protect restore disable
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

# On AC2, configure the AC2 priority and AC1 IP address in the AP system profile view to
implement dual-link backup.
[AC2-wlan-view] ap-system-profile name ap-system1
[AC2-wlan-ap-system-prof-ap-system1] priority 1
Warning: This action will take effect after resetting AP.
[AC2-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.23.100.2
Warning: This action will take effect after resetting AP.
[AC2-wlan-ap-system-prof-ap-system1] quit

# Bind the AP system profile to the AP group view.


[AC2-wlan-view] ap-group name ap-group1
[AC2-wlan-ap-group-ap-group1] ap-system-profile ap-system1
[AC2-wlan-ap-group-ap-group1] quit

# Enable dual-link backup and revertive switching globally for AC2.


[AC2-wlan-view] undo ac protect restore disable
[AC2-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

Step 7 Verify the configuration.


Run the display ac protect and display ap-system-profile commands on the active and
standby ACs to check the dual-link information and priority on the two ACs.
[AC1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : -
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
[AC1-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : 0
Protect AC IP address : 10.23.100.3
...
[AC2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : -
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
[AC2-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : 1
Protect AC IP address : 10.23.100.2
...

# When the link between the AP and AC1 is faulty, AC2 takes the active role. This ensures
service stability.

----End

Configuration Files
● Switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
● AC1 configuration file
#
sysname AC1
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 ac protect enable
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain1
 ap-system-profile name ap-system1
  priority 0
  protect-ac ip-address 10.23.100.3
 ap-group name ap-group1
  ap-system-profile ap-system1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return
● AC2 configuration file
#
sysname AC2
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.23.100.3 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 ac protect enable
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain1
 ap-system-profile name ap-system1
  priority 1
  protect-ac ip-address 10.23.100.2
 ap-group name ap-group1
  ap-system-profile ap-system1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
#
return

22.10.2 Example for Configuring Dual-Link Cold Backup Globally (Global Configuration Mode)

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
An enterprise uses two APs to deploy WLAN area A to provide WLAN services. As shown in
Figure 22-4, AP1 and AP2 in area A are directly connected to the switch, the enterprise
deploys two ACs in bypass mode, and the switch connects to the Internet through the egress
route. The enterprise requires that dual-link backup be used to improve data transmission
reliability.

Figure 22-4 Networking diagram for configuring dual-link cold backup

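[Figure: STA1 and STA2 in Area A connect through AP1 and AP2 to the Switch; AC1 and AC2
connect to the Switch in bypass mode, and the Switch connects to the Internet. Interface
labels: GE0/0/1, GE0/0/2, GE0/0/3, GE0/0/4. Management VLAN: VLAN 100. Service VLAN: VLAN 101.]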

Configuration Roadmap
1. Set up connections between the AC1, AC2, and other network devices. Configure the
switch as a DHCP server to allocate IP addresses to APs and STAs.
2. Configure AC1 as the active AC and configure basic WLAN services on AC1.
3. Configure AC2 as the standby AC and configure basic WLAN services on AC2. Ensure
that service configurations on AC1 and AC2 are the same.
4. Configure dual-link backup on the active AC first and then on the standby AC. When
dual-link backup is enabled, all APs are restarted. After dual-link backup configurations
are complete, the standby AC replaces the active AC to manage APs if the CAPWAP
tunnel between the active AC and APs is disconnected.

Table 22-6 Data planning

Item                            Data

Management VLAN for APs         VLAN 100

Service VLAN for STAs           VLAN 101

DHCP server                     Switch functions as the DHCP server for the APs and STAs.
                                STAs' gateway: 10.23.101.1/24
                                APs' gateway: 10.23.100.1/24

IP address pool for APs         10.23.100.4-10.23.100.254/24

IP address pool for STAs        10.23.101.2-10.23.101.254/24

AC's source interface           VLANIF 100

Active AC                       AC1
                                Local priority: 0

Standby AC                      AC2
                                Local priority: 1

Management IP address of AC1    VLANIF 100: 10.23.100.2/24

Management IP address of AC2    VLANIF 100: 10.23.100.3/24

AP group                        ● Name: ap-group1
                                ● Country code: CN
                                ● Referenced profile: VAP profile wlan-vap

SSID profile                    ● Name: wlan-ssid
                                ● SSID name: wlan-net

Security profile                ● Name: wlan-security
                                ● Security policy: WPA2+PSK+AES
                                ● Password: a1234567

VAP profile                     ● Name: wlan-vap
                                ● Forwarding mode: direct forwarding
                                ● Service VLAN: VLAN 101
                                ● Referenced profiles: SSID profile wlan-ssid and
                                  security profile wlan-security

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.
● Dual-link backup cannot back up DHCP information. When the AC functions as the
  DHCP server to assign IP addresses to APs and STAs, APs and STAs need to re-obtain
  IP addresses if the active AC is faulty. It is recommended that the switch function as the
  DHCP server. If the AC must be used as the DHCP server, configure address pools
  containing different IP addresses on the active and standby ACs to prevent IP address
  conflicts.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the switch and AC to enable the AC to communicate with the APs.

# Create VLAN100 (management VLAN) and VLAN101 (service VLAN) on the switch. Set
the link type of GE0/0/1 and GE0/0/4 that connect the switch to the APs to trunk and PVID of
the interfaces to 100, and configure the interfaces to allow packets of VLAN100 and
VLAN101 to pass. Set the link type of gigabitethernet0/0/2 and gigabitethernet0/0/3 on the
switch to trunk, and configure the interfaces to allow packets of VLAN100 to pass.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/1] port-isolate enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] port-isolate enable
[Switch-GigabitEthernet0/0/4] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/3] quit

# Add GE0/0/1 that connects the AC1 to the switch to VLAN100.


<HUAWEI> system-view
[HUAWEI] sysname AC1
[AC1] vlan batch 100 101
[AC1] interface gigabitethernet 0/0/1
[AC1-GigabitEthernet0/0/1] port link-type trunk
[AC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC1-GigabitEthernet0/0/1] quit

# Add GE0/0/1 that connects the AC2 to the switch to VLAN100.


<HUAWEI> system-view
[HUAWEI] sysname AC2
[AC2] vlan batch 100 101
[AC2] interface gigabitethernet 0/0/1
[AC2-GigabitEthernet0/0/1] port link-type trunk
[AC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC2-GigabitEthernet0/0/1] quit

Step 3 Configure the DHCP function on the switch to allocate IP addresses to APs and STAs.
# Configure VLANIF100 to use the interface address pool to allocate IP addresses to APs.
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.23.100.1 255.255.255.0
[Switch-Vlanif100] dhcp select interface
[Switch-Vlanif100] dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
[Switch-Vlanif100] quit

# Configure VLANIF101 to use the interface address pool to allocate IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[Switch] interface vlanif 101
[Switch-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Switch-Vlanif101] dhcp select interface
[Switch-Vlanif101] quit

Step 4 Configure basic WLAN services on AC1.


1. Configure the APs to go online.
# Create an AP group to which the APs with the same configuration can be added.
[AC1] wlan
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC1-wlan-view] regulatory-domain-profile name domain1
[AC1-wlan-regulate-domain-domain1] country-code cn
[AC1-wlan-regulate-domain-domain1] quit
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-ap-group1] quit
[AC1-wlan-view] quit

# Configure the AC's source interface.


[AC1] interface Vlanif 100
[AC1-Vlanif100] ip address 10.23.100.2 255.255.255.0
[AC1-Vlanif100] quit
[AC1] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to the AP group ap-group1. In this
example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based
on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the
AP area_1; if the AP with MAC address 60de-4474-9640 is deployed in area 2, name the
AP area_2.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.

[AC1] wlan
[AC1-wlan-view] ap auth-mode mac-auth
[AC1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC1-wlan-ap-0] ap-name area_1
[AC1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0] quit
[AC1-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC1-wlan-ap-1] ap-name area_2
[AC1-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-1] quit

# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC1-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor   0   5M:2S  -
1    60de-4474-9640 area_2 ap-group1 10.23.100.253 AP5030DN nor   0   5M:4S  -
--------------------------------------------------------------------------------------------------
Total: 2

2. Configure WLAN service parameters.

# Create the security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.

[AC1-wlan-view] security-profile name wlan-security
[AC1-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-wlan-security] quit

# Create the SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC1-wlan-view] ssid-profile name wlan-ssid
[AC1-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC1-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC1-wlan-view] vap-profile name wlan-vap
[AC1-wlan-vap-prof-wlan-vap] forward-mode direct-forward
[AC1-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC1-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC1-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC1-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the APs.
[AC1-wlan-view] ap-group name ap-group1
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC1-wlan-ap-group-ap-group1] quit

Step 5 Configure basic WLAN services on AC2.


# Configure basic parameters for AC2 according to the configurations of AC1. The
configuration of AC2 is similar to that of AC1 except the source interface address.
# Configure the source interface of AC2.
[AC2] interface vlanif 100
[AC2-Vlanif100] ip address 10.23.100.3 255.255.255.0
[AC2-Vlanif100] quit
[AC2] capwap source interface vlanif 100
[AC2] wlan

Step 6 Configure dual-link backup on AC1 and AC2.


# Configure the AC1 priority and AC2 IP address on AC1. Enable dual-link backup and
revertive switchover globally, and restart all APs to make the dual-link backup function take
effect.
NOTE

By default, dual-link backup is disabled, and running the ac protect enable command restarts all APs. After
the APs are restarted, the dual-link backup function takes effect.
If dual-link backup is enabled, running the ac protect enable command does not restart APs. You need to run
the ap-reset command on the active AC to restart all APs and make the dual-link backup function take effect.
[AC1-wlan-view] ac protect protect-ac 10.23.100.3 priority 0
Warning: Operation successful. It will take effect after AP reset.
[AC1-wlan-view] undo ac protect restore disable
[AC1-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

# Configure the AC2 priority and AC1 IP address on AC2.


[AC2-wlan-view] ac protect protect-ac 10.23.100.2 priority 1
[AC2-wlan-view] undo ac protect restore disable
[AC2-wlan-view] ac protect enable
Warning: This operation maybe cause AP reset, continue?[Y/N]: y

Step 7 Verify the configuration.


Run the display ac protect command on the active and standby ACs to check the dual-link
information and priority on the two ACs.
[AC1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.3
Priority : 0
Protect restore : enable
...
------------------------------------------------------------
[AC2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : enable
Protect AC : 10.23.100.2
Priority : 1
Protect restore : enable
...
------------------------------------------------------------

# When the link between the AP and AC1 is faulty, AC2 takes the active role. This ensures
service stability.

----End

Configuration Files
● Configuration file of the switch
#
sysname Switch
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 10.23.100.2 10.23.100.3
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
return

● Configuration file of AC1
#
sysname AC1
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 ac protect enable protect-ac 10.23.100.3
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
 ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
  ap-name area_2
  ap-group ap-group1
#
return
● Configuration file of AC2
#
sysname AC2
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 10.23.100.3 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 ac protect enable protect-ac 10.23.100.2 priority 1
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
 ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
  ap-name area_2
  ap-group ap-group1
#
return
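
The roadmap for this example requires the same service configuration on AC1 and AC2, and each AC's protect-ac address has to be the other AC's CAPWAP source address. The Python check below is an added example, not part of the Huawei guide: it parses two configuration files in global configuration mode and reports mismatches. The sample files are constructed and abbreviated from the files above, the ciphertext is a placeholder, and two things are assumed: sub-commands are indented as in a saved device configuration, and an omitted priority means 0.

```python
import re

# Constructed sample: abbreviated from the AC1 configuration file of this example,
# with the PSK ciphertext replaced by a placeholder.
AC1_CFG = """\
#
sysname AC1
#
interface Vlanif100
 ip address 10.23.100.2 255.255.255.0
#
capwap source interface vlanif100
#
wlan
 ac protect enable protect-ac 10.23.100.3
 security-profile name wlan-security
  security wpa2 psk pass-phrase <ciphertext> aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
#
return
"""
# AC2 differs only in name, source address, protected peer and priority.
AC2_CFG = (AC1_CFG.replace("sysname AC1", "sysname AC2")
           .replace("ip address 10.23.100.2", "ip address 10.23.100.3")
           .replace("protect-ac 10.23.100.3", "protect-ac 10.23.100.2 priority 1"))


def parse_ac(cfg):
    """Pull the dual-link backup fields out of one AC configuration file."""
    name = re.search(r"^sysname (\S+)", cfg, re.M)
    src = re.search(r"^capwap source interface (\S+)", cfg, re.M)
    source_ip = None
    if src:
        # The CAPWAP source address is the IP of the named interface block.
        block = re.search(
            rf"^interface {re.escape(src.group(1))}[ \t]*\n((?:[ \t]+.*\n)*)",
            cfg, re.M | re.I)
        ip = re.search(r"ip address (\S+)", block.group(1)) if block else None
        source_ip = ip.group(1) if ip else None
    prot = re.search(
        r"^[ \t]*ac protect enable(?: protect-ac (\S+))?(?: priority (\d+))?",
        cfg, re.M)
    # Service lines: everything in the wlan view except the backup line itself.
    service, in_wlan = [], False
    for line in cfg.splitlines():
        if line.strip() == "wlan":
            in_wlan = True
        elif in_wlan and line.startswith("#"):
            break
        elif in_wlan and not line.strip().startswith("ac protect"):
            service.append(line.rstrip())
    return {
        "name": name.group(1) if name else "?",
        "source_ip": source_ip,
        "enabled": prot is not None,
        "peer": prot.group(1) if prot else None,
        # Assumption: an omitted priority means 0, as in the AC1 file.
        "priority": int(prot.group(2)) if prot and prot.group(2) else 0,
        "service": service,
    }


def audit_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse_ac(cfg_a), parse_ac(cfg_b)
    findings = []
    for ac in (a, b):
        if not ac["enabled"]:
            findings.append(f"{ac['name']}: ac protect enable is missing")
    for ac, other in ((a, b), (b, a)):
        if ac["peer"] != other["source_ip"]:
            findings.append(
                f"{ac['name']}: protect-ac {ac['peer']} is not the CAPWAP "
                f"source address of {other['name']} ({other['source_ip']})")
    if a["priority"] == b["priority"]:
        findings.append("equal priorities: the active AC is decided by load and IP address")
    if a["service"] != b["service"]:
        findings.append("WLAN service configuration differs between the two ACs")
    return findings


if __name__ == "__main__":
    for finding in audit_pair(AC1_CFG, AC2_CFG) or ["no findings"]:
        print(finding)
```

A difference in the security profile is the finding to act on first, because after a switchover the standby AC serves STAs with its own policy.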

23 N+1 Backup Configuration

23.1 Overview of N+1 Backup


Definition
N+1 backup uses one standby AC to provide backup services for multiple ACs on an AC +
Fit AP network. When the network runs properly, an AP sets up a CAPWAP link only with the
active AC. When the active AC fails or the CAPWAP link becomes faulty, the standby AC
replaces the active AC to manage APs. The standby AC establishes a CAPWAP link with the
AP to provide services.

Purpose
In public places where a large number of users exist in a large area, many APs are deployed
and managed by multiple ACs to provide free-of-charge WLAN access services. It is common
for some large enterprises to have branches in different areas. These enterprises deploy ACs in
each branch to manage APs, providing WLAN access and e-mail services. These services
require only low network reliability and allow for temporary service interruption.

In some cases, the existing network cannot provide reliable network services. If an AC fails,
services on the AC are interrupted. To improve network reliability, an additional AC is
required to provide backup services. The network administrator expects to use an AC as a
backup of all ACs to reduce costs.

In dual-link cold backup mode, each active AC has an independent standby AC. Unlike dual-
link cold backup, N+1 backup uses a standby AC to provide backup services for multiple
ACs, which reduces device purchase costs.

23.2 Understanding N+1 Backup


Many ACs are available on an N+1 backup network. An AP performs Active/Standby AC
Selection and selects the AC with the highest priority as the active AC to establish a
CAPWAP link. When the active AC or the CAPWAP link fails, an Active/Standby
Switchover is triggered, and the standby AC then becomes the active AC, which improves
WLAN reliability. After the original active AC or link recovers, a Revertive Switchover is
implemented to release resources on the standby AC. The standby AC becomes available
again and continues to offer backup services.

NOTE

The ACs of different models can work in N+1 backup mode, but the ACs must use the same software version.
A standby AC can serve multiple active ACs of different models.

Active/Standby AC Selection
The procedure for setting up a CAPWAP link in AC N+1 backup networking is similar to the
procedure for setting up a CAPWAP link in common scenarios, except that the AP needs to
select the AC with the highest priority as the active AC in Discovery phase. For details, see
CAPWAP Tunnel Establishment in 5.2.4 AP Online Process.

In Discovery phase, an AP sends a Discovery Request packet to find available ACs. After
receiving the packet, the AC returns a Discovery Response packet containing the IP addresses
of the primary and backup ACs, the N+1 backup flag, AC priorities, loads, and IP addresses. Based on
the information contained in the Discovery Response packet, the AP selects an active AC to
set up a CAPWAP link. The AP selects the active AC according to the following rules:
1. Check primary ACs on the AP. If there is only one primary AC, the AP selects it as the
active AC. If there are multiple primary ACs, the AP selects the AC with the lowest load
as the active AC. If the loads are the same, the AP selects the AC with the smallest IP
address as the active AC.
Compare AC loads, that is, numbers of access APs and STAs. The AP selects the AC
with the lowest load as the active AC. The number of allowed APs is compared ahead of
the number of allowed STAs. When the numbers of allowed APs are the same on ACs,
the AP selects the AC that can connect more STAs as the active AC.
NOTE

The number of allowed APs is calculated using the following formula: Number of allowed APs =
Maximum number of access APs - Number of online APs.
The number of allowed STAs is calculated following the formula: Number of allowed STAs =
Maximum number of access STAs - Number of online STAs.
2. If there is no primary AC, check backup ACs. If there is only one backup AC, the AP
selects this AC as the active AC. If there are multiple backup ACs, the AP selects the AC
with the lowest load as the active AC. If the loads are the same, the AP selects the AC
with the smallest IP address as the active AC.
3. If there is no backup AC, compare AC priorities and select the AC with a smaller
priority value as the active AC. A smaller priority value indicates a higher priority. For
details, see AC Priorities.
4. If the AC priorities are the same, the AP selects the AC with the lowest load as the active
AC.
5. Compare the ACs' IP addresses when the AC loads are the same, and select the AC with
the smallest IP address as the active AC.
NOTE
When planning an AC N+1 backup network, ensure that the active AC can be selected based on AC priorities
so that all APs can go online on the predefined active AC. Otherwise, the APs select the active AC based on
loads and IP addresses, and may not go online on the predefined active AC. Alternatively, ensure that a
specified primary AC or backup AC is selected as the active AC.

AC Priority

An AC has two types of priorities:


• Global priority: AC priority configured for all APs.
• Individual priority: AC priority configured for a single AP or APs in a specified AP group.

When receiving a Discovery Request packet from an AP, the AC checks whether an
individual priority has been specified for the AP. If not, the AC replies with a Discovery
Response packet carrying the global priority. If so, the AC replies with a Discovery Response
packet carrying the individual priority. It is recommended that the proper priorities be
configured on the active and standby ACs to control access of APs on the two ACs.

The following example illustrates the process of selecting an active AC. Assume that the APs
can discover all ACs in Figure 23-1.

Figure 23-1 Active AC selection
[Figure: Standby AC_3 (global priority 5) and active ACs AC_1 and AC_2 (global priority 6 each)
connect through a switch to AP_1 to AP_300 and AP_301 to AP_700. AC_1 has an individual priority
of 3 for AP_1, and AC_2 has an individual priority of 3 for AP_301. Legend: CAPWAP link between
AP and active AC.]

1. In the Discovery phase, AP_1 sends a Discovery Request packet to all ACs.
2. Each AC returns a Discovery Response packet containing its priority. Before making a
reply, the AC first checks whether an individual priority has been configured for the AP.
If so, the AC returns the individual priority. If not, the AC returns the global priority. As
shown in Figure 23-1, AC_1 receives a Discovery Request packet from AP_1. On
AC_1, an individual priority has been configured only for AP_1. Therefore, AC_1
returns individual priority 3 to AP_1. There is no individual priority for AP_1 on AC_2
and AC_3, so AC_2 returns global priority 6 and AC_3 returns global priority 5.
3. AP_1 compares AC priorities in the Discovery Response packets and selects AC_1,
which has the highest priority, as the active AC to send an association request.


If AC_1 or the CAPWAP link between AC_1 and AP_1 fails, and no standby AC is
designated, AP_1 sends new Discovery Request packets to obtain the priorities of the
remaining ACs. AC_2 returns global priority 6 and AC_3 returns global priority 5. AP_1
compares AC priorities and selects AC_3 with a higher priority as the standby AC to send an
association request.
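
The selection rules and the Figure 23-1 walk-through above, modelled as an added Python example (not Huawei code). Class and function names, IP addresses, and capacity figures are constructed for illustration; only the priorities come from Figure 23-1.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass
class DiscoveryResponse:
    """What one AC tells one AP (field names are this example's own)."""
    ac_name: str
    ip: IPv4Address
    priority: int          # smaller value = higher priority
    allowed_aps: int       # maximum access APs - online APs
    allowed_stas: int      # maximum access STAs - online STAs
    role: str = "none"     # "primary", "backup" or "none" for the asking AP


@dataclass
class AC:
    name: str
    ip: str
    global_priority: int
    max_aps: int
    online_aps: int
    max_stas: int
    online_stas: int
    individual_priority: Dict[str, int] = field(default_factory=dict)

    def respond(self, ap_name: str) -> DiscoveryResponse:
        # An individual priority configured for this AP replaces the global one.
        prio = self.individual_priority.get(ap_name, self.global_priority)
        return DiscoveryResponse(self.name, IPv4Address(self.ip), prio,
                                 self.max_aps - self.online_aps,
                                 self.max_stas - self.online_stas)


def _lowest_load_then_ip(cands: List[DiscoveryResponse]) -> DiscoveryResponse:
    # Lowest load = most allowed APs, then most allowed STAs. The final
    # tie-break is the numerically smallest IP (10.1.1.2 < 10.1.1.10).
    return min(cands, key=lambda r: (-r.allowed_aps, -r.allowed_stas, int(r.ip)))


def select_active_ac(responses: List[DiscoveryResponse]) -> Optional[DiscoveryResponse]:
    if not responses:
        return None
    for role in ("primary", "backup"):            # rules 1 and 2
        tagged = [r for r in responses if r.role == role]
        if tagged:
            return _lowest_load_then_ip(tagged)
    best = min(r.priority for r in responses)     # rule 3
    return _lowest_load_then_ip(                  # rules 4 and 5
        [r for r in responses if r.priority == best])


def discover(ap_name: str, acs: List[AC]) -> Optional[str]:
    """Name of the AC the AP would pick among the ACs that answered."""
    chosen = select_active_ac([ac.respond(ap_name) for ac in acs])
    return chosen.ac_name if chosen else None


# Priorities from Figure 23-1; IP addresses and capacities are constructed.
AC_1 = AC("AC_1", "10.1.1.1", 6, 500, 300, 5000, 1200, {"AP_1": 3})
AC_2 = AC("AC_2", "10.1.1.2", 6, 500, 400, 5000, 1500, {"AP_301": 3})
AC_3 = AC("AC_3", "10.1.1.10", 5, 500, 0, 5000, 0)

if __name__ == "__main__":
    everyone = [AC_1, AC_2, AC_3]
    print("AP_1 normal      ->", discover("AP_1", everyone))
    print("AP_1, AC_1 down  ->", discover("AP_1", [AC_2, AC_3]))
    print("AP_301 normal    ->", discover("AP_301", everyone))
    # AP_2 has no individual priority on any AC in this sample.
    print("AP_2 normal      ->", discover("AP_2", everyone))
```

AP_2 has no individual priority on any AC in the sample, so it selects AC_3 because global priority 5 beats 6. An AP reaches its intended active AC under this scheme only when that AC holds an individual priority for it.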

Active/Standby Switchover
Normally, an AP sets up a CAPWAP link only with the active AC and periodically exchanges
heartbeat packets with the active AC to monitor the link status. When the AP detects a
heartbeat packet transmission timeout, it considers the link disconnected and sets up a
CAPWAP link with the standby AC. The AP sets up a CAPWAP link with the standby AC in
the following situations:
• If the IP address of the standby AC is configured on the active AC, the AP sets up a
  CAPWAP link with the standby AC directly.
• If the IP address of the standby AC is not configured on the active AC, the AP
  broadcasts Discovery Request packets to discover ACs and selects the standby AC to
  establish a CAPWAP link.
After the CAPWAP link is established, the standby AC delivers configurations to the AP
again. To ensure that active and standby ACs deliver the same WLAN service configurations
to an AP, perform the same configurations on both ACs. In an active/standby switchover, the
AP selects the standby AC to set up a CAPWAP link and get online, and the standby AC
delivers configurations to the AP.
To ensure that the AP works properly after an active/standby switchover, the following
conditions must be met:
• The number of online APs supported by the standby AC cannot be smaller than the
  number of online APs on any of the active ACs.
  Assume that the standby AC supports 500 online APs. If an active AC that has 600
  online APs becomes faulty, only 500 APs can go online on the standby AC. The
  remaining APs are forced to go offline, and are unable to provide services for STAs.
• The total number of online APs on all active ACs cannot exceed the configurable
  number of APs on the standby AC.
  The configurable number of APs refers to the maximum number of APs supported by the
  AC. Assume that the configurable number of APs is 1000 on the standby AC. If there are
  300 online APs on AC_1 and 400 online APs on AC_2, a new active AC allows a
  maximum of 300 online APs. That is because the APs on all active ACs must be added
  on the standby AC and have their corresponding services configured on the standby AC.
  In this way, the standby AC can maintain original services for the APs of any faulty
  active AC.
If multiple ACs become faulty concurrently, not all APs managed by these ACs can go online
on the standby AC after the active/standby switchover. In Figure 23-2, there are 300 online
APs (from AP_1 to AP_300) on AC_1 and 400 online APs (AP_301 to AP_700) on AC_2.
AC_3 works as the standby AC and allows a maximum of 500 online APs.


Figure 23-2 Active/standby switchover
[Figure: Standby AC_3 and active ACs AC_1 and AC_2 connect through a switch to AP_1 to AP_300
and AP_301 to AP_700. Legend: CAPWAP link between AP and active AC; CAPWAP link between AP
and standby AC.]

• If AC_1 becomes faulty, 300 APs (AP_1 to AP_300) perform an active/standby
  switchover and get online on AC_3. After AC_1 recovers, the APs perform a Revertive
  Switchover to switch back to AC_1.
• After AC_1 recovers from the fault, AC_2 becomes faulty. 400 APs (AP_301 to
  AP_700) perform an active/standby switchover and get online on AC_3. After AC_2
  recovers, the APs perform a Revertive Switchover to switch back to AC_2.
• If AC_1 and AC_2 become faulty concurrently, the first 500 APs that associate with
  AC_3 can implement an active/standby switchover and get online on AC_3. The remaining
  APs cannot go online on AC_3 and services on these APs are interrupted.

NOTE

• The value of N in N+1 backup depends on the configurable number of APs on the standby AC and the
  number of APs managed by the N active ACs. The number of APs managed by the N active ACs cannot
  exceed the configurable number of APs on the standby AC.
  - The configurable number of APs refers to the maximum number of APs that can be added to the
    AC.
  - The number of APs managed by ACs refers to the actual number of online APs on the AC.
• The maximum number of online APs on the standby AC is determined by the license.
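
The two capacity conditions and the Figure 23-2 failure cases above, as an added Python planning check (not part of the Huawei guide). Function names are this example's own; the AP counts are the guide's (300 and 400 online APs, a 500-AP online limit on the standby AC, and 1000 configurable APs from the guide's separate configurable-capacity example).

```python
from itertools import combinations
from typing import Dict, Iterable, List, Tuple


def planning_findings(active_online: Dict[str, int],
                      standby_max_online: int,
                      standby_configurable: int) -> List[str]:
    """Check both switchover conditions; return one line per violation."""
    findings = []
    # Condition 1: the standby AC must be able to bring online every AP of
    # any single active AC.
    for name, online in sorted(active_online.items()):
        if online > standby_max_online:
            findings.append(
                f"{name}: {online} online APs > standby online limit "
                f"{standby_max_online}; {online - standby_max_online} stay offline")
    # Condition 2: every AP of every active AC must be addable on the standby AC.
    total = sum(active_online.values())
    if total > standby_configurable:
        findings.append(
            f"all active ACs: {total} online APs > {standby_configurable} "
            f"configurable APs on the standby AC")
    return findings


def headroom_for_new_active_ac(active_online: Dict[str, int],
                               standby_configurable: int) -> int:
    """Online APs a further active AC could still bring into the N+1 group."""
    return max(0, standby_configurable - sum(active_online.values()))


def stranded_after_failure(active_online: Dict[str, int],
                           standby_max_online: int,
                           failed: Iterable[str]) -> int:
    """APs left without an AC when the listed active ACs fail together."""
    displaced = sum(active_online[name] for name in failed)
    return max(0, displaced - standby_max_online)


def failure_matrix(active_online: Dict[str, int],
                   standby_max_online: int) -> Dict[Tuple[str, ...], int]:
    """Stranded-AP count for every combination of failed active ACs."""
    names = sorted(active_online)
    return {combo: stranded_after_failure(active_online, standby_max_online, combo)
            for k in range(1, len(names) + 1)
            for combo in combinations(names, k)}


# AP counts from the guide's example network.
ACTIVE = {"AC_1": 300, "AC_2": 400}

if __name__ == "__main__":
    for failed, stranded in failure_matrix(ACTIVE, 500).items():
        print(f"failed={'+'.join(failed):<10} stranded APs={stranded}")
    print("headroom for a new active AC:",
          headroom_for_new_active_ac(ACTIVE, 1000))
    print(planning_findings({"AC_1": 600}, 500, 1000))
```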


Revertive Switchover
After an AP sets up a CAPWAP link with the standby AC, the AP obtains the IP address of its
active AC from the standby AC and sends Primary Discovery Request packets at regular
intervals to detect the active AC status. After the active AC recovers, it returns a reply packet
to the AP. The packet carries the AC priority. When the AP receives the reply packet from the
active AC, the AP learns that the active AC has recovered and the active AC priority
contained in the packet is higher than the priority of the AC to which it is connected. If a
revertive switchover is enabled, a revertive switchover is triggered. To prevent frequent
switchovers caused by network flapping, the ACs perform a revertive switchover after a delay
time of 20 heartbeat intervals. As illustrated in Figure 23-3, the AP disconnects from the
current AC and sets up a new CAPWAP link with the active AC. At the same time, the AP
transfers STA data to the original active AC to release resources on the standby AC. The
standby AC then continues to provide backup services. During a revertive switchover, the AP
re-establishes a CAPWAP link with the active AC to get online, and the active AC delivers
configurations to the AP.
If a primary or backup AC is selected as the active AC, the active AC returns a reply packet to
the AP after it recovers. The AP then learns that the active AC has recovered from the reply
packet. If a revertive switchover is enabled, a revertive switchover is triggered.

Figure 23-3 Revertive switchover
[Figure: Standby AC_3 and active ACs AC_1 and AC_2 connect through a switch to AP_1 to AP_300
and AP_301 to AP_700. Legend: CAPWAP link between AP and active AC; CAPWAP link between AP
and standby AC.]


23.3 Application Scenarios for N+1 Backup

23.3.1 Typical Application Scenarios for N+1 Backup


APs and ACs in Different Network Segments
A large enterprise has branches in different areas. ACs are deployed in the branches to
manage APs and provide WLAN access and e-mail services. These WLAN services have low
network reliability requirements and tolerate temporary service interruption. In this
scenario, the enterprise can deploy a high performance AC at the headquarters as a standby
AC to provide backup services for active ACs in the branches. This reduces device purchase
costs.
As shown in Figure 23-4, ACs of the two branches are on different network segments. AC_1
in branch 1 and AC_2 in branch 2 work as the active ACs of AP_1 and AP_2 respectively.
AC_3 in the headquarters is a high performance AC and serves as the standby AC of AP_1
and AP_2. When the network runs properly, AP_1 and AP_2 set up CAPWAP links with
AC_1 and AC_2 respectively. When the CAPWAP link on AC_1 or AC_2 fails, AP_1 or
AP_2 sets up a CAPWAP link with AC_3. AC_3 replaces AC_1 or AC_2 to provide services
for AP_1 or AP_2.
Each AP can establish a CAPWAP link with only one AC at one time.


Figure 23-4 N+1 backup networking (APs and ACs in different network segments)
[Figure: Enterprise headquarters: standby AC_3 (30.1.1.1/24, global priority 5), DHCP server,
and Router_3, connected to the Internet. Enterprise branch 1: Router_1, active AC_1
(10.1.1.1/24, global priority 0), Switch_1, AP_1, and STA_1. Enterprise branch 2: Router_2,
active AC_2 (20.1.1.1/24, global priority 0), Switch_2, AP_2, and STA_2. Legend: CAPWAP link
between AP and active AC.]

APs and ACs in the Same Network Segment


The waiting hall of an airport accommodates a large number of users. Multiple ACs manage a
large number of APs that provide WLAN access services. These free-of-charge services
have low network reliability requirements and tolerate temporary service interruption. In
this situation, a high performance AC can be deployed as a standby AC to provide backup
services for other ACs. This reduces device purchase costs.
As shown in Figure 23-5, all ACs are in the same network segment. AC_1 and AC_2
function as the active ACs of AP_1 and AP_2 respectively. AC_3 is a high performance AC
and works as the standby AC of AP_1 and AP_2. When the network runs properly, AP_1 and
AP_2 set up CAPWAP links with AC_1 and AC_2 respectively. When the CAPWAP link
on AC_1 or AC_2 fails, AP_1 or AP_2 sets up a CAPWAP link with AC_3. AC_3 replaces
AC_1 or AC_2 to provide services for AP_1 or AP_2.
Each AP can establish a CAPWAP link with only one AC at one time.

Figure 23-5 N+1 backup networking (APs and ACs in the same network segment)
[Figure: AC_3 (10.1.1.10/24, global priority 5), AC_1 (10.1.1.1/24, global priority 6,
individual priority 3 for AP_1), and AC_2 (10.1.1.2/24, global priority 6, individual
priority 3 for AP_2) connect through a switch to AP_1 and AP_2, which serve STAs. Legend:
CAPWAP link between AP and standby AC.]

23.4 Summary of N+1 Backup Configuration Tasks


Table 23-1 lists the N+1 backup configuration tasks.


Table 23-1 N+1 backup configuration tasks

Scenario: APs and ACs are located on a Layer 3 network, and an AP can discover two ACs
through DHCP Option 43.

Description: An AP can discover a total of two ACs in dynamic or static mode. In this
scenario, use the new method or traditional method 1 for the configuration.
• Using the new configuration method, you can directly specify the active and standby
  ACs. The configuration logic is clear and simple. This method is recommended in new
  N+1 backup configuration scenarios.
• Using traditional method 1, you can determine the active and standby ACs based on the
  priority. The configuration logic is complex. This method is applicable to N+1 backup
  configuration involving earlier versions but not recommended in N+1 backup
  configuration scenarios.
  In this case, the AP needs to select the active and standby ACs. You only need to
  configure the priority for the active AC and standby ACs and set the priority of the
  active AC higher than that of the standby AC.

Method and Task:
New method
1. 23.7.1 Configuring Option 43 on the DHCP Server
2. 23.7.4 Configuring AC Roles (New Method)
3. 23.7.5 Configuring Revertive Switchover
4. 23.7.6 (Optional) Configuring CAPWAP Heartbeat Detection
5. 23.7.7 (Optional) Configuring the Active/Standby Link Switchover Mode
6. 23.7.8 Enabling N+1 Backup
Traditional method 1
1. 23.7.1 Configuring Option 43 on the DHCP Server
2. 23.7.2 Configuring AC Roles (Traditional Method 1)
3. 23.7.5 Configuring Revertive Switchover
4. 23.7.6 (Optional) Configuring CAPWAP Heartbeat Detection
5. 23.7.7 (Optional) Configuring the Active/Standby Link Switchover Mode
6. 23.7.8 Enabling N+1 Backup

Scenario: APs and ACs are located on a Layer 2 network, and an AP can discover more than
two ACs.

Description: An AP can discover more than two ACs in dynamic or static mode. In this
scenario, use the new method or traditional method 2 for the configuration.
• Using the new configuration method, you can directly specify the active and standby
  ACs. The configuration logic is clear and simple. This method is recommended in the
  new N+1 backup configuration scenarios.
• Using traditional method 2, you can determine the active and standby ACs based on the
  priority. The configuration logic is complex. This method is applicable to N+1 backup
  configuration involving earlier versions but not recommended in N+1 backup
  configuration scenarios.
  In this case, the AP needs to select the active and standby ACs. You need to configure
  both the global and individual priorities on all active ACs so that all APs can
  associate with the predefined active or standby AC.
  Ensure that the ACs' priorities meet the following requirements: active AC's
  individual priority > standby AC's global priority > active AC's global priority.

Method and Task:
New method
1. 23.7.4 Configuring AC Roles (New Method)
2. 23.7.5 Configuring Revertive Switchover
3. 23.7.6 (Optional) Configuring CAPWAP Heartbeat Detection
4. 23.7.7 (Optional) Configuring the Active/Standby Link Switchover Mode
5. 23.7.8 Enabling N+1 Backup
Traditional method 2
1. 23.7.3 Configuring AC Roles (Traditional Method 2)
2. 23.7.5 Configuring Revertive Switchover
3. 23.7.6 (Optional) Configuring CAPWAP Heartbeat Detection
4. 23.7.7 (Optional) Configuring the Active/Standby Link Switchover Mode
5. 23.7.8 Enabling N+1 Backup

23.5 Licensing Requirements and Limitations for N+1 Backup

Involved Network Elements
AP
• APs mentioned in this document are Huawei AP products. You are advised to use
  Huawei APs to connect to the AC.
• You can run the display ap-type all command to check the default AP types supported
  by the device.
• When central APs and RUs are used, ensure that their versions are the same. For
  example, if the central AP version is V200R007C10, the RU version must be
  V200R007C10.


Table 23-2 Mapping between switch versions and AP versions

Product Software Version    AP Software Version
V200R012C00                 V200R009C00, V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C10                 V200R008C10, V200R008C00, V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R011C00                 V200R007C20, V200R007C10, V200R006C20, V200R006C10
V200R010C00                 V200R007C10, V200R006C20, V200R006C10
V200R009C00                 V200R006C20, V200R006C10
V200R008C00                 V200R005C30, V200R005C20, V200R005C10
V200R007                    V200R005C20, V200R005C10
V200R006                    V200R005C00

Licensing Requirements
When the device is used as a WLAN AC, the number of online APs supported by the device
is controlled by licenses. The device supports a maximum of 16 online APs. To increase the
number of online APs supported by the device, apply for and purchase a license from the
agent.
• AP resource license-16AP for WLAN access controller
• AP resource license-64AP for WLAN access controller
• AP resource license-128AP for WLAN access controller
• AP resource license-512AP for WLAN access controller

For details about how to apply for a license, see Applying for Licenses in the S1720, S5700,
and S6720 Series Switches License Usage Guide.

Version Requirements

Table 23-3 Products and minimum version supporting N+1 backup

Series                   Product Model       Minimum Version Required
S1700 series switches    -                   Not supported
S2700 series switches    -                   Not supported
S3700 series switches    -                   Not supported
S5700 series switches    S5720HI, S5730HI    S5720HI: V200R006; S5730HI: V200R012
S6700 series switches    S6720HI             V200R012

Feature Limitations
• WLAN service configurations (for example, radio profile, radio, traffic profile, security
  profile, and security policies) of the same AP must be consistent on the active and
  standby ACs; otherwise, the AP cannot work properly after an active/standby AC
  switchover.
• All WLAN service configurations on the active AC must also be performed on the
  standby AC.
• N+1 backup cannot be configured concurrently with dual-link backup.
• If multiple source interfaces are specified on an AC to connect to different APs,
  AP-specific configuration must be used.

23.6 Default Settings for N+1 Backup


Table 23-4 Default settings for N+1 backup

Parameter                                          Default Setting
AC global priority                                 0
AC individual priority                             None
CAPWAP heartbeat detection interval                25s
Number of CAPWAP heartbeat packet transmissions    6
Revertive switchover                               Enabled
N+1 backup                                         Enabled

23.7 Configuring N+1 Backup


Context
N+1 backup allows multiple ACs to share one standby AC, which reduces AC purchase costs.
ACs of different models can work in N+1 backup mode as long as they are running the same
software version.

Pre-configuration Tasks
Before configuring N+1 backup, configure basic WLAN services on the active and standby
ACs (for details, see 5 WLAN Service Configuration). The WLAN service configurations of
the active and standby ACs must be consistent.

Configuration Procedure
The following configuration tasks can be performed in any sequence. 23.7.8 Enabling N+1
Backup is performed after all configuration tasks are complete.

23.7.1 Configuring Option 43 on the DHCP Server

Context
If an AP and the ACs are located in different network segments, the AP cannot discover the
ACs through broadcast after it obtains an IP address from the DHCP server. To address this
problem, configure Option 43 on the DHCP server to advertise AC IP addresses to the AP.
After Option 43 is configured, the AP unicasts Discovery Request packets to the IP addresses
carried in Option 43. If the IP addresses specified by Option 43 do not respond, the AP
broadcasts Discovery Request packets to request IP addresses of the ACs in the local network
segment. Option 43 should carry only the addresses of the AP's active and standby ACs,
not the IP addresses of unrelated active ACs; otherwise, the AP may not connect to
the correct AC.
Usually, an independent device is used as a DHCP server. Perform correct configurations on
the selected DHCP server. The following example uses a Huawei router as a DHCP server.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run dhcp enable
DHCP is enabled.
By default, DHCP is disabled.
Step 3 Run ip pool ip-pool-name
The global address pool view is displayed.
Step 4 Run option 43 sub-option 2 ip-address ip-address &<1-8>
The Option 43 field is set to the IP addresses of the active AC and standby AC.
----End

23.7.2 Configuring AC Roles (Traditional Method 1)

Context
N+1 backup uses one standby AC to back up multiple active ACs. An AP determines AC
roles based on AC priorities. It selects the AC with a higher priority as the active AC and the
AC with a lower priority as the standby AC. The AP sets up a connection with the AC of the
specified IP address.
An AP can discover only two ACs. Therefore, you only need to configure a global priority for
each AC, so that the AP can determine the active and standby ACs by comparing their global
priorities.

Procedure
• Configure the active AC.
  Perform the following configurations on the active AC:
  a. Run system-view
     The system view is displayed.
  b. Run wlan
     The WLAN view is displayed.
  c. Run ac protect protect-ac ip-address
     The standby AC's IP address is configured in the WLAN view.
     By default, no standby AC IP address is configured in the WLAN view.
  d. Run ac protect priority priority
     The global priority of the active AC is configured in the WLAN view.
     By default, the AC priority in the WLAN view is 0.
     NOTE
     The global priority of the standby AC must be lower than that of the active AC.
     A smaller priority value indicates a higher priority.
• Configure the standby AC.
  Perform the following configurations on the standby AC:
  a. Run system-view
     The system view is displayed.
  b. Run wlan
     The WLAN view is displayed.
  c. Run ac protect priority priority
     The global priority of the standby AC is configured.
     By default, the AC priority in the WLAN view is 0.
     NOTE
     The global priority of the standby AC must be lower than that of the active AC.
     A smaller priority value indicates a higher priority.
  d. Run ap-system-profile name profile-name
     An AP system profile is created and the AP system profile view is displayed.
     By default, the system provides the AP system profile default.
  e. Run protect-ac ip-address ip-address
     The active AC's IP address is configured in the AP system profile view.
     By default, no standby AC's IP address is configured in the AP system profile view.
     If multiple APs have the same active AC, configure the active AC's IP address for
     the APs on the standby AC in the AP system profile, and bind the AP system
     profile to an AP group.
  f. Run quit
     Return to the WLAN view.
  g. The AP system profile is bound to an AP group.
     - Binding an AP system profile to an AP group.
       1) Run the ap-group name group-name command to enter the AP group view.
       2) Run the ap-system-profile profile-name command to bind the AP system
          profile to the AP group.
          By default, the AP system profile default is bound to an AP group.
     - Binding an AP system profile to an AP.
       1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
          enter the AP view.
       2) Run the ap-system-profile profile-name command to bind the AP system
          profile to the AP.
          By default, no AP system profile is bound to an AP.

----End

23.7.3 Configuring AC Roles (Traditional Method 2)


Context
N+1 backup uses one standby AC to back up multiple active ACs. An AP determines AC
roles based on AC priorities. It selects the AC with a higher priority as the active AC and the
AC with a lower priority as the standby AC. The AP sets up a connection with the AC of the
specified IP address.

An AP may discover more than two ACs. In this case, if you only configure a global priority
for each AC, the AP selects the AC with the highest global priority as the active AC, and
therefore may select an incorrect active AC.

To ensure that the AP connects to the predefined active AC or standby AC, configure both the
global priority and individual priority on the active AC, and configure only the global priority
on the standby AC. Ensure that the ACs' priorities meet the following requirements: active
AC's individual priority > standby AC's global priority > active AC's global priority.

If a global priority and an individual priority are both configured for an AP on the AC, the AC
preferentially delivers the individual priority to the AP.

Procedure
• Configure the active AC.
  Perform the following configurations on the active AC:
  a. Run system-view
     The system view is displayed.
  b. Run wlan
     The WLAN view is displayed.
  c. Run ac protect protect-ac ip-address
     The standby AC's IP address is configured in the WLAN view.
     By default, no standby AC IP address is configured in the WLAN view.
  d. Run ac protect priority priority
     The global priority of the active AC is configured in the WLAN view.
     By default, the AC priority in the WLAN view is 0.
     NOTE
     Ensure that the ACs' priorities meet the following requirements: active AC's individual
     priority > standby AC's global priority > active AC's global priority.
     A smaller priority value indicates a higher priority.
  e. Run ap-system-profile name profile-name
     An AP system profile is created and the AP system profile view is displayed.
     By default, the system provides the AP system profile default.
  f. Run priority priority-level
     The individual priority of the AC is configured in the AP system profile.
     By default, no AC priority is configured in the AP system profile view.
     NOTE
     Ensure that the ACs' priorities meet the following requirements: active AC's individual
     priority > standby AC's global priority > active AC's global priority.
     After you configure the AC's individual priority in the AP system profile, bind the
     AP system profile to an AP group.
  g. Run quit
     Return to the WLAN view.
  h. The AP system profile is bound to an AP group.
     - Binding an AP system profile to an AP group.
       1) Run the ap-group name group-name command to enter the AP group view.
       2) Run the ap-system-profile profile-name command to bind the AP system
          profile to the AP group.
          By default, the AP system profile default is bound to an AP group.
     - Binding an AP system profile to an AP.
       1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
          enter the AP view.
       2) Run the ap-system-profile profile-name command to bind the AP system
          profile to the AP.
          By default, no AP system profile is bound to an AP.
• Configure the standby AC.
  Perform the following configurations on the standby AC:
  a. Run system-view
     The system view is displayed.
  b. Run wlan
     The WLAN view is displayed.
  c. Run ac protect priority priority
     The global priority of the standby AC is configured.
     By default, the AC priority in the WLAN view is 0.
     NOTE
     Ensure that the ACs' priorities meet the following requirements: active AC's individual
     priority > standby AC's global priority > active AC's global priority.
  d. Run ap-system-profile name profile-name
     An AP system profile is created and the AP system profile view is displayed.
     By default, the system provides the AP system profile default.
  e. Run protect-ac ip-address ip-address
     The active AC's IP address is configured in the AP system profile view.
     By default, no standby AC's IP address is configured in the AP system profile view.
     If multiple APs have the same active AC, configure the active AC's IP address for
     the APs on the standby AC in the AP system profile, and bind the AP system
     profile to an AP group.
  f. Run quit
     Return to the WLAN view.
  g. The AP system profile is bound to an AP group.
     - Binding an AP system profile to an AP group.
       1) Run the ap-group name group-name command to enter the AP group view.
       2) Run the ap-system-profile profile-name command to bind the AP system
          profile to the AP group.
          By default, the AP system profile default is bound to an AP group.
     - Binding an AP system profile to an AP.
       1) Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to
          enter the AP view.
       2) Run the ap-system-profile profile-name command to bind the AP system
          profile to the AP.
          By default, no AP system profile is bound to an AP.
----End

23.7.4 Configuring AC Roles (New Method)

Context
Traditionally, N+1 backup is configured by specifying IP addresses of the active and standby
ACs on each other and configuring AC priorities. The active and standby ACs are then
determined based on the priority. To simplify configuration logic, the new configuration
method allows you to specify the same primary and backup ACs for APs on the active and
standby ACs. The active AC is specified as the primary AC, and the standby AC as the
backup AC.
More than two ACs may exist on the N+1 backup network. Each AP has only one active AC
and one standby AC planned. You only need to create the same AP system profile on the
active and standby ACs, and specify active and standby ACs as the primary and backup ACs
respectively in the AP system profile.
You are advised to create different AP system profiles on different active ACs. Otherwise, the
standby AC cannot identify AP system profile configurations, causing incorrect
configurations.
The following configurations must be performed on both the active and standby ACs.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan

Issue 04 (2018-08-17) Copyright © Huawei Technologies Co., Ltd. 1162


S5700 and S6720 Series Ethernet Switches
Configuration Guide - WLAN-AC 23 N+1 Backup Configuration

The WLAN view is displayed.

Step 3 Run ap-system-profile name profile-name

An AP system profile is created and the AP system profile view is displayed.

Step 4 Run primary-access ip-address ip-address

A primary AC IP address is configured.

By default, no primary AC IP address is configured.

Step 5 Run backup-access ip-address ip-address

A backup AC IP address is configured.

By default, no backup AC IP address is configured.

Step 6 Run quit

Return to the WLAN view.

Step 7 Bind the AP system profile to an AP group or an AP.

• Binding an AP system profile to an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
  the AP group.
  By default, the AP system profile default is bound to an AP group.
• Binding an AP system profile to an AP.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
  AP view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
  the AP.
  By default, no AP system profile is bound to an AP.

Step 8 Run quit

Return to the WLAN view.

Step 9 Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group ap-group |
ap-type { type type-name | type-id type-id } }

APs are restarted to make the dual-link backup configurations take effect.

NOTE

• If the dual-link backup function is disabled, running the ac protect enable command restarts online
  APs. After the APs are restarted, the dual-link backup function takes effect.
• If the dual-link backup function is enabled, running the ac protect enable command does not restart
  online APs. You need to run the ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id |
  ap-group ap-group | ap-type { type type-name | type-id type-id } } command to restart the APs and
  make the dual-link backup function take effect. You can also manually restart the APs to make the
  dual-link backup function take effect.
• If an AP goes online after dual-link backup is configured, you do not need to restart the AP.

----End


23.7.5 Configuring Revertive Switchover

Context
After an active/standby AC switchover, the standby AC replaces the active AC and sets up a
CAPWAP link with the AP to provide services. The AP periodically sends Primary Discovery
Request packets to detect active AC status. If revertive switchover is enabled on the standby
AC, the AP triggers a revertive switchover when it detects that the active AC recovers. The
AP disconnects from the current AC and sets up a new CAPWAP link with the active AC.
Resources on the standby AC are released and the standby AC then continues to provide
backup services.

Revertive switchover needs to be enabled only on the standby AC.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run undo ac protect restore disable

Revertive switchover is enabled.

By default, global revertive switching is enabled.

NOTE
If revertive switchover is disabled on the standby AC, traffic of an AP cannot be switched back to the
original active AC even when the link between the original active AC and the AP restores.

----End

23.7.6 (Optional) Configuring CAPWAP Heartbeat Detection

Context
As defined by CAPWAP, an AP and AC periodically exchange packets to maintain
connectivity of the data channel and management channel. If the AP or the AC receives no
response from the other after sending CAPWAP heartbeat packets the specified number of
times, it considers the link between them disconnected.

Perform the following configurations on the active and standby ACs:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run capwap echo { interval interval-value | times times-value } *


The CAPWAP heartbeat detection interval and number of heartbeat packet transmissions are
configured.

By default, the CAPWAP heartbeat detection interval is 25s and the number of CAPWAP
heartbeat detections is 6.

If dual-link backup is enabled, the default CAPWAP heartbeat detection interval is 25s
and the default number of CAPWAP heartbeat detections is 3.

NOTE

If you set the CAPWAP heartbeat detection interval and the number of CAPWAP heartbeat detections smaller
than the default values, the CAPWAP link reliability is degraded. Exercise caution when you set the values.
The default values are recommended.

----End

23.7.7 (Optional) Configuring the Active/Standby Link Switchover Mode

Context
In N+1 backup scenarios, APs set up links only with the primary ACs. When a link between
an AP and a primary AC fails, the AP sets up a link with the backup AC and goes online on
the backup AC. When the primary AC is recovered, a revertive switchover is triggered. The
AP switches the link back to the primary AC after 20 echo intervals.
• To enable an AP to preferentially switch service traffic to the active link, set the
  active/standby link switchover mode to the priority mode.
• To allow an AP to use a link with high network stabilization, set the active/standby link
  switchover mode to the network stabilization mode. When the condition for triggering an
  active/standby link switchover is met, the AP preferentially switches service traffic to the
  link on a network with higher network stabilization. In this case, whether an
  active/standby link switchover is performed is only related to the network stabilization of
  links but not related to the active and standby roles of links. You can run the
  ac protect link-switch packet-loss { gap-threshold gap-threshold | start-threshold start-threshold }
  command to configure the condition for triggering an active/standby link switchover.

In N+1 backup scenarios, the network stabilization of the link between an AP and the current
AC is determined by the Echo packet loss rate, and that of the link between the AP and
another AC is determined by the Primary Discovery packet loss rate. The active/standby link
switchover is performed when the following conditions are met:
1. APs collect statistics about Echo or Primary Discovery packets and find that the
calculated packet loss rate is higher than the packet loss rate start threshold.
2. The packet loss rate of the link in use is higher than that of the other link, and the
difference between the two links' packet loss rates is higher than the packet loss rate
difference threshold.

Procedure
Step 1 Run system-view

The system view is displayed.


Step 2 Run wlan


The WLAN view is displayed.
Step 3 Run ap-system-profile name profile-name
An AP system profile is created and the AP system profile view is displayed.
By default, the system provides the AP system profile default.
Step 4 Run ac protect link-switch mode { priority | network-stabilization }
The active/standby link switchover mode is configured.
By default, the active/standby link switchover mode is the priority mode.
Step 5 Run ac protect link-switch packet-loss echo-probe-time echo-probe-time
The number of Echo probe packets sent within a statistics collection interval is configured.
By default, the number of Echo packets sent within a statistics collection interval is 20.
This configuration is supported only when the active/standby link switchover mode is set to
the network stabilization mode using the ac protect link-switch mode network-stabilization
command.
Step 6 Run ac protect link-switch packet-loss { gap-threshold gap-threshold | start-threshold
start-threshold }
The packet loss rate start and difference thresholds for an active/standby link switchover are
configured.
By default, the packet loss rate start and difference thresholds for an active/standby link
switchover are 20% and 15%, respectively.
This configuration is supported only when the active/standby link switchover mode is set to
the network stabilization mode using the ac protect link-switch mode network-stabilization
command.
Step 7 Run quit
Return to the WLAN view.
Step 8 Bind the AP system profile to the AP group.
• Binding an AP system profile to an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
  the AP group.
  By default, the AP system profile default is bound to an AP group.
• Binding an AP system profile to an AP.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
  AP view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile to
  the AP.
  By default, no AP system profile is bound to an AP.

----End


Verifying the Configuration


• Run the display ap-system-profile { all | name profile-name } command to check the
  configurations related to the active/standby link switchover mode.
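
The two switchover conditions of the network stabilization mode, modeled as an added Python example (not Huawei code and not part of the original guide). It assumes the start threshold is checked against the link in use; the names Window, should_switch and replay and the sample windows are constructed for illustration.

```python
"""Model of the AP's switchover decision in network stabilization mode."""
from dataclasses import dataclass

# Defaults quoted in this section.
PROBES_PER_WINDOW = 20   # echo-probe-time: probes per statistics collection interval
START_THRESHOLD = 20.0   # start-threshold, in percent
GAP_THRESHOLD = 15.0     # gap-threshold, in percent


@dataclass(frozen=True)
class Window:
    """Replies counted in one statistics collection interval (constructed data).

    The AP measures the link in use with Echo packets and the other link with
    Primary Discovery packets; the model only needs the reply count per AC.
    """
    primary_replies: int
    backup_replies: int
    probes: int = PROBES_PER_WINDOW


def loss_rate(replies, probes):
    """Packet loss rate in percent for one link in one window."""
    if probes <= 0 or not 0 <= replies <= probes:
        raise ValueError(f"invalid probe counts: {replies}/{probes}")
    return 100.0 * (probes - replies) / probes


def should_switch(in_use_loss, other_loss,
                  start=START_THRESHOLD, gap=GAP_THRESHOLD):
    """Apply the two conditions listed in the Context of this section.

    Assumption: the start threshold is evaluated on the link in use.
    Both comparisons are strict ("higher than").
    """
    if in_use_loss <= start:
        return False
    return in_use_loss > other_loss and (in_use_loss - other_loss) > gap


def replay(windows, in_use="primary",
           start=START_THRESHOLD, gap=GAP_THRESHOLD):
    """Return the AC in use after each window, starting on `in_use`."""
    if in_use not in ("primary", "backup"):
        raise ValueError("in_use must be 'primary' or 'backup'")
    history = []
    for w in windows:
        loss = {
            "primary": loss_rate(w.primary_replies, w.probes),
            "backup": loss_rate(w.backup_replies, w.probes),
        }
        other = "backup" if in_use == "primary" else "primary"
        # The roles of the links play no part in the decision, only loss rates.
        if should_switch(loss[in_use], loss[other], start, gap):
            in_use = other
        history.append(in_use)
    return history


# Constructed sample: five consecutive statistics windows of 20 probes each.
SAMPLE_WINDOWS = [
    Window(primary_replies=19, backup_replies=20),  # 5% loss: below start threshold
    Window(primary_replies=14, backup_replies=17),  # 30% vs 15%: gap is exactly 15, no switch
    Window(primary_replies=12, backup_replies=19),  # 40% vs 5%: switch to backup
    Window(primary_replies=20, backup_replies=19),  # primary recovered, backup healthy: stay
    Window(primary_replies=20, backup_replies=13),  # backup at 35% loss: switch to primary
]

if __name__ == "__main__":
    for index, link in enumerate(replay(SAMPLE_WINDOWS)):
        print(f"window {index}: AP uses the {link} AC")
```

The fourth window shows the difference from the priority mode: the primary AC has recovered, but the AP stays on the backup AC because the link in use is still below the start threshold.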

23.7.8 Enabling N+1 Backup

Context
After all N+1 backup configurations are complete, enable N+1 backup and then restart all
APs to make the function take effect.

N+1 backup needs to be enabled on all ACs.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run undo ac protect enable

N+1 backup is enabled.

By default, N+1 backup is enabled.

Step 4 (Optional) Run ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id | ap-group
ap-group | ap-type { type type-name | type-id type-id } }

All APs are restarted to make the N+1 backup function take effect.

NOTE

If N+1 backup is enabled, running the undo ac protect enable command does not restart online APs.
You need to run the ap-reset { all | ap-name ap-name | ap-mac ap-mac | ap-id ap-id |
ap-group ap-group | ap-type { type type-name | type-id type-id } } command to restart the APs and
make the N+1 backup function take effect. You can also manually restart the APs to make the N+1
backup function take effect.
If the N+1 backup function is disabled, running the undo ac protect enable command restarts online
APs. After the APs are restarted, the N+1 backup function starts to take effect.
If an AP goes online after N+1 backup is enabled, you do not need to restart the AP.

----End

23.7.9 Verifying the N+1 Backup Configuration

Procedure
• Run the display ac protect command to check the N+1 backup status, AC revertive
  switchover status, the AC's global priority, and the standby AC's IP address.
• Run the display ap-system-profile { all | name profile-name } command to check the
  AC's individual priority for a specific AP and the standby AC's IP address.
----End

23.8 Configuration Examples for N+1 Backup

23.8.1 Example for Configuring N+1 Backup (APs and ACs in different network segments)

Configuration Process
You need to configure and maintain WLAN features and functions in different profiles. These
WLAN profiles include regulatory domain profile, radio profile, VAP profile, AP system
profile, AP wired port profile, WIDS profile, WDS profile, and Mesh profile. When
configuring WLAN services, you need to set related parameters in the WLAN profiles and
bind the profiles to the AP group or APs. Then the configuration is automatically delivered to
and takes effect on the APs. WLAN profiles can reference one another; therefore, you need to
know the relationships among the profiles before configuring them. For details about the
profile relationships and their basic configuration procedure, see WLAN Service
Configuration Procedure.

Networking Requirements
A large enterprise has branches in different areas. ACs are deployed in the branches to
manage APs and provide WLAN access and e-mail services. These services have low
requirements on network reliability and tolerate temporary service interruption. To reduce
cost, one AC is required to serve as the backup of all ACs. In this scenario, the enterprise can
deploy a high-performance AC at the headquarters as a standby AC to provide backup services
for the active ACs in the branches.
In Figure 23-6, AC_1 in branch 1 and AC_2 in branch 2 are both active ACs, and
respectively provide services for AP_1 and AP_2. AC_3 in the headquarters serves as the
standby AC of AC_1 and AC_2. AC_1 connects to the Network through Router_1 and
connects to AP_1 through Router_1 and Switch_1; AC_2 connects to the Network through
Router_2 and connects to AP_2 through Router_2 and Switch_2; AC_3 connects to the
Network through Router_3. All ACs belong to different network segments. APs and ACs are
also located in different network segments. Router_3 functions as a DHCP server to allocate
IP addresses to APs and STAs. When the CAPWAP link on AC_1 or AC_2 fails, AC_3 is
expected to replace AC_1 or AC_2 to continue serving the APs.


Figure 23-6 Networking diagram for configuring N+1 backup

[Figure: Standby AC_3 (VLANIF 203: 10.23.203.1/24, global priority 5) at the enterprise
headquarters, connected to the Network through Router_3 (VLANIF 200: 10.23.200.1/24).
Branch 1: active AC_1 (VLANIF 201: 10.23.201.1/24, global priority 0), Router_1, Switch_1,
AP_1, and STA_1; management VLAN 99, service VLAN 101. Branch 2: active AC_2 (VLANIF 202:
10.23.202.1/24, global priority 0), Router_2, Switch_2, AP_2, and STA_2; management VLAN 100,
service VLAN 102.]

Configuration Roadmap
1. Set up connections between each AC and other network devices. Configure Router_3 as
a DHCP server to allocate IP addresses to APs and STAs.
2. Configure AC_1 and AC_2 as the active ACs of AP_1 and AP_2 respectively, and
configure basic WLAN services on AC_1 and AC_2.
3. Configure AC_3 as the standby AC and configure basic WLAN services on AC_3.
Ensure that service configurations on AC_3 are the same as those on AC_1 and AC_2.
4. Configure N+1 backup on the active ACs first and then on the standby AC. When N+1
backup is enabled, all APs are restarted.


Table 23-5 Data planning


Item                        Data

Management VLAN for APs     AC_1 (active AC): VLAN 99
                            AC_2 (active AC): VLAN 100

Service VLAN for STAs       AC_1 (active AC): VLAN 101
                            AC_2 (active AC): VLAN 102

DHCP server                 Router_3 functions as the DHCP server for the APs and STAs.
                            STAs' gateway:
                            • STA_1: 10.23.101.1/24
                            • STA_2: 10.23.102.1/24
                            APs' gateway:
                            • AP_1: 10.23.99.1/24
                            • AP_2: 10.23.100.1/24

IP address pool for APs     AP_1: 10.23.99.2 to 10.23.99.254/24
                            AP_2: 10.23.100.2 to 10.23.100.254/24

IP address pool for STAs    STA_1: 10.23.101.2 to 10.23.101.254/24
                            STA_2: 10.23.102.2 to 10.23.102.254/24

AP group                    AC_1:
                            • Name: ap-group1
                            • Country code: CN
                            AC_2:
                            • Name: ap-group2
                            • Country code: CN
                            AC_3 (standby AC):
                            • Name: ap-group1 and ap-group2
                            • Country code: CN

SSID profile                AC_1:
                            • Name: wlan-net
                            • SSID name: wlan-net
                            AC_2:
                            • Name: wlan-net1
                            • SSID name: wlan-net1
                            AC_3 (standby AC):
                            • Name: wlan-net and wlan-net1
                            • SSID name: wlan-net and wlan-net1

Security profile            • Name: wlan-security
                            • Security policy: WPA2+PSK+AES
                            • Password: a1234567

AP system profile           AC_3: ap-system1 and ap-system2

Source interface of AC_1    VLANIF 201: 10.23.201.1/24

Source interface of AC_2    VLANIF 202: 10.23.202.1/24

Source interface of AC_3    VLANIF 203: 10.23.203.1/24

AC's global priority        AC_1: 0
                            AC_2: 0
                            AC_3: 5

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode


NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the routers, switches, and ACs to ensure communications among them.
# On Router_1, create VLAN 99, VLAN 101, and VLAN 201. VLAN 99 is used as the
management VLAN and VLAN 101 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_1 to VLAN 99 and VLAN 101, and Eth2/0/1 connected to AC_1 to VLAN 201.
Configure the IP address 10.23.99.1/24 for VLANIF 99, 10.23.101.1/24 for VLANIF 101 and
10.23.201.2/24 for VLANIF 201.
<HUAWEI> system-view
[HUAWEI] sysname Router_1
[Router_1] vlan batch 99 101 201
[Router_1] interface ethernet 2/0/0
[Router_1-Ethernet2/0/0] port link-type trunk
[Router_1-Ethernet2/0/0] port trunk allow-pass vlan 99 101
[Router_1-Ethernet2/0/0] quit
[Router_1] interface ethernet 2/0/1
[Router_1-Ethernet2/0/1] port link-type trunk
[Router_1-Ethernet2/0/1] port trunk allow-pass vlan 201
[Router_1-Ethernet2/0/1] quit
[Router_1] interface vlanif 99
[Router_1-Vlanif99] ip address 10.23.99.1 255.255.255.0
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] ip address 10.23.101.1 255.255.255.0
[Router_1-Vlanif101] quit
[Router_1] interface vlanif 201
[Router_1-Vlanif201] ip address 10.23.201.2 255.255.255.0
[Router_1-Vlanif201] quit

# On Router_2, create VLAN 100, VLAN 102 and VLAN 202. VLAN 100 is used as the
management VLAN and VLAN 102 is used as the service VLAN. Add Eth2/0/0 connected to
Switch_2 to VLAN 100 and VLAN 102, and Eth2/0/1 connected to AC_2 to VLAN 202.
Configure the IP address 10.23.100.1/24 for VLANIF 100, 10.23.102.1/24 for VLANIF 102
and 10.23.202.2/24 for VLANIF 202. See Router_1 for the detailed configuration procedure.
# On Router_3, create VLAN 200, VLAN 203, and add Eth2/0/0 connected to the Network to
VLAN 200, and Eth2/0/1 connected to AC_3 to VLAN 203. Configure the IP address
10.23.200.1/24 for VLANIF 200. Configure the IP address 10.23.203.2/24 for VLANIF 203.
See Router_1 for the detailed configuration procedure.
# On AC_1, create VLAN 101, VLAN 201, and add GE0/0/1 connected to Router_1 to
VLAN 201. Configure the IP address 10.23.201.1/24 for VLANIF 201.
<HUAWEI> system-view
[HUAWEI] sysname AC_1
[AC_1] vlan batch 101 201
[AC_1] interface gigabitethernet 0/0/1
[AC_1-GigabitEthernet0/0/1] port link-type trunk
[AC_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 201
[AC_1-GigabitEthernet0/0/1] quit
[AC_1] interface vlanif 201
[AC_1-Vlanif201] ip address 10.23.201.1 255.255.255.0
[AC_1-Vlanif201] quit

# On AC_2, create VLAN 102, VLAN 202, and add GE0/0/1 connected to Router_2 to
VLAN 202. Configure the IP address 10.23.202.1/24 for VLANIF 202. See AC_1 for the
detailed configuration procedure.
# On AC_3, create VLAN 101, VLAN 102, and VLAN 203, and add GE0/0/1 connected to
Router_3 to VLAN 203. Configure the IP address 10.23.203.1/24 for VLANIF 203. See
AC_1 for the detailed configuration procedure.


# On Switch_1, create VLAN 99 and VLAN 101. Add GE0/0/2 connected to AC_1 and
GE0/0/1 connected to AP_1 to VLAN 99 and VLAN 101, and set the PVID of GE0/0/1 to
VLAN 99.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 99 101
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 99
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/1] port-isolate enable
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 99 101
[Switch_1-GigabitEthernet0/0/2] quit

# On Switch_2, create VLAN 100 and VLAN 102. Add GE0/0/2 connected to AC_2 and
GE0/0/1 connected to AP_2 to VLAN 100 and VLAN 102. See Switch_1 for the detailed
configuration procedure.

# Configure reachable routes between AC_1 and AC_3, AP_1 and AC_3, AC_2 and AC_3,
and between AP_2 and AC_3. Perform the configurations according to networking
requirements. The configuration procedure is not provided here.

# Configure the route between AC_1 and AP_1 with the next hop as Router_1's VLANIF 201.
[AC_1] ip route-static 10.23.99.0 24 10.23.201.2

# Configure the route between AC_2 and AP_2 with the next hop as Router_2's VLANIF 202.
[AC_2] ip route-static 10.23.100.0 24 10.23.202.2

Step 3 Configure a DHCP server to allocate IP addresses to APs and STAs.

# Configure Router_1 as a DHCP relay agent.


[Router_1] dhcp enable
[Router_1] interface vlanif 99
[Router_1-Vlanif99] dhcp select relay
[Router_1-Vlanif99] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif99] quit
[Router_1] interface vlanif 101
[Router_1-Vlanif101] dhcp select relay
[Router_1-Vlanif101] dhcp relay server-ip 10.23.200.1
[Router_1-Vlanif101] quit

# Configure Router_2 as a DHCP relay agent.


[Router_2] dhcp enable
[Router_2] interface vlanif 100
[Router_2-Vlanif100] dhcp select relay
[Router_2-Vlanif100] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif100] quit
[Router_2] interface vlanif 102
[Router_2-Vlanif102] dhcp select relay
[Router_2-Vlanif102] dhcp relay server-ip 10.23.200.1
[Router_2-Vlanif102] quit

# Configure Router_3 as the DHCP server to allocate IP addresses to APs and STAs, and
configure the Option 43 field to advertise the IP addresses of AC_1 and AC_3 to AP_1, and
to advertise the IP addresses of AC_2 and AC_3 to AP_2. Configure the DHCP server to
allocate IP addresses to AP_1 from the IP address pool ap_1_pool, to AP_2 from ap_2_pool, to
STA_1 from sta_1_pool, and to STA_2 from sta_2_pool.


NOTE

In this example, AP_1 and AP_2 cannot share an IP address pool; otherwise, AP_1 can discover AC_2 and
AP_2 can discover AC_1, which prevents the APs from connecting to the correct AC based on AC priority.
Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[Router_3] dhcp enable
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] gateway-list 10.23.99.1
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] gateway-list 10.23.100.1
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24
[Router_3-ip-pool-sta_1_pool] gateway-list 10.23.101.1
[Router_3-ip-pool-sta_1_pool] quit
[Router_3] ip pool sta_2_pool
[Router_3-ip-pool-sta_2_pool] network 10.23.102.0 mask 24
[Router_3-ip-pool-sta_2_pool] gateway-list 10.23.102.1
[Router_3-ip-pool-sta_2_pool] quit
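
The rule in the NOTE above (each AP pool advertises only its own active AC plus the standby AC) is easy to break when pools are merged later. The following added Python example, which is not part of the original guide, parses a Router_3 session and checks that rule; the function names and the shared-pool counter-example are constructed, and the AC addresses are those of this example's data plan.

```python
"""Check that every AP address pool advertises one active AC plus the standby AC."""
import ipaddress
import re

# AC source addresses from the data plan of this example.
ACTIVE_ACS = {"10.23.201.1": "AC_1", "10.23.202.1": "AC_2"}
STANDBY_AC = "10.23.203.1"

# Router_3 session from Step 3 (shortened). One address list is wrapped onto a
# second line to exercise the continuation handling.
PAGE_SESSION = """\
[Router_3] ip pool ap_1_pool
[Router_3-ip-pool-ap_1_pool] network 10.23.99.0 mask 24
[Router_3-ip-pool-ap_1_pool] option 43 sub-option 2 ip-address 10.23.201.1
10.23.203.1
[Router_3-ip-pool-ap_1_pool] quit
[Router_3] ip pool ap_2_pool
[Router_3-ip-pool-ap_2_pool] network 10.23.100.0 mask 24
[Router_3-ip-pool-ap_2_pool] option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_2_pool] quit
[Router_3] ip pool sta_1_pool
[Router_3-ip-pool-sta_1_pool] network 10.23.101.0 mask 24
[Router_3-ip-pool-sta_1_pool] quit
"""

# Constructed counter-example: one shared AP pool that lists every AC.
SHARED_POOL_SESSION = """\
[Router_3] ip pool ap_pool
[Router_3-ip-pool-ap_pool] network 10.23.96.0 mask 21
[Router_3-ip-pool-ap_pool] option 43 sub-option 2 ip-address 10.23.201.1 10.23.202.1 10.23.203.1
[Router_3-ip-pool-ap_pool] quit
"""

PROMPT = re.compile(r"^\[(?P<view>[^\]]+)\]\s*(?P<cmd>.*)$")
OPTION43 = re.compile(r"^option 43 sub-option 2 ip-address\s+(?P<addrs>.+)$")


def logical_lines(session):
    """Yield (view, command) pairs, gluing wrapped lines onto their command."""
    current = None
    for raw in session.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = PROMPT.match(line)
        if match:
            if current:
                yield tuple(current)
            current = [match["view"], match["cmd"]]
        elif current:
            # No prompt: continuation of the previous command.
            current[1] += " " + line
    if current:
        yield tuple(current)


def option43_by_pool(session):
    """Map each IP pool name to the AC addresses its Option 43 advertises."""
    pools = {}
    for view, cmd in logical_lines(session):
        _, sep, pool = view.partition("-ip-pool-")
        match = OPTION43.match(cmd)
        if sep and match:
            # ip_address() rejects malformed addresses with ValueError.
            pools[pool] = [str(ipaddress.ip_address(a))
                           for a in match["addrs"].split()]
    return pools


def audit(session, active_acs=ACTIVE_ACS, standby=STANDBY_AC):
    """Return findings for pools that break the one-active-plus-standby rule."""
    findings = []
    for pool, addrs in sorted(option43_by_pool(session).items()):
        actives = [a for a in addrs if a in active_acs]
        unknown = [a for a in addrs if a not in active_acs and a != standby]
        if len(actives) != 1:
            names = ", ".join(active_acs[a] for a in actives) or "none"
            findings.append(f"{pool}: advertises {len(actives)} active ACs "
                            f"({names}); expected exactly 1")
        if standby not in addrs:
            findings.append(f"{pool}: standby AC {standby} is not advertised")
        if unknown:
            findings.append(f"{pool}: unknown AC address(es) {', '.join(unknown)}")
    return findings


if __name__ == "__main__":
    for name, session in (("page", PAGE_SESSION), ("shared", SHARED_POOL_SESSION)):
        print(name, audit(session) or "OK")
```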

Step 4 Configure basic WLAN services on AC_1.


1. Configure the APs to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC_1] wlan
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_1-wlan-view] regulatory-domain-profile name domain1
[AC_1-wlan-regulate-domain-domain1] country-code cn
[AC_1-wlan-regulate-domain-domain1] quit
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_1-wlan-ap-group-ap-group1] quit
[AC_1-wlan-view] quit

# Configure the AC's source interface.


[AC_1] capwap source interface Vlanif 201

# Import the APs offline on the AC and add the APs to the AP group ap-group1. In this
example, the AP's MAC address is 60de-4476-e360. Configure a name for the AP based
on the AP's deployment location, so that you can know where the AP is located. For
example, if the AP with MAC address 60de-4476-e360 is deployed in area 1, name the
AP area_1.


NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.
[AC_1] wlan
[AC_1-wlan-view] ap auth-mode mac-auth
[AC_1-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_1-wlan-ap-0] ap-name area_1
[AC_1-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_1-wlan-ap-0] quit

# After the APs are powered on, run the display ap all command to check the AP state.
If the State field displays nor, the APs have gone online.
[AC_1-wlan-view] display ap all
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------
ID  MAC            Name   Group     IP           Type         State STA Uptime
--------------------------------------------------------------------------------
0   60de-4476-e360 area_1 ap-group1 10.23.99.254 AP6010DN-AGN nor   0   10S
--------------------------------------------------------------------------------
Total: 1

2. Configure WLAN service parameters.


# Create the security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_1-wlan-view] security-profile name wlan-security
[AC_1-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC_1-wlan-sec-prof-wlan-security] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC_1-wlan-view] ssid-profile name wlan-net
[AC_1-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_1-wlan-ssid-prof-wlan-net] quit

# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC_1-wlan-view] vap-profile name wlan-vap
[AC_1-wlan-vap-prof-wlan-vap] forward-mode direct-forward
[AC_1-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC_1-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC_1-wlan-vap-prof-wlan-vap] ssid-profile wlan-net
[AC_1-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profile to the AP group and apply the VAP profile wlan-vap to radio 0
and radio 1 of the APs.
[AC_1-wlan-view] ap-group name ap-group1
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC_1-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC_1-wlan-ap-group-ap-group1] quit


Step 5 Configure basic WLAN services on AC_2.

# Configure basic parameters for AC_2 according to the configurations of AC_1.

# Configure the source interface of AC_2.


[AC_2] capwap source interface vlanif 202

# Create the AP group ap-group2.


[AC_2] wlan
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] quit

# Import the APs offline on the AC and add the APs to the AP group ap-group2. In this
example, the AP's MAC address is 60de-4474-9640. Configure a name for the AP based on
the AP's deployment location, so that you can know where the AP is located. For example, if
the AP with MAC address 60de-4474-9640 is deployed in area 2, name the AP area_2.
[AC_2] wlan
[AC_2-wlan-view] ap auth-mode mac-auth
[AC_2-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_2-wlan-ap-1] ap-name area_2
[AC_2-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_2-wlan-ap-1] quit

# Create the security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_2-wlan-view] security-profile name wlan-security
[AC_2-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC_2-wlan-sec-prof-wlan-security] quit

# Create an SSID profile and set the SSID name to wlan-net1.


[AC_2-wlan-view] ssid-profile name wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_2-wlan-ssid-prof-wlan-net1] quit

# Create the VAP profile wlan-vap1, set the data forwarding mode and service VLAN, and
apply the security profile and SSID profile to the VAP profile.
[AC_2-wlan-view] vap-profile name wlan-vap1
[AC_2-wlan-vap-prof-wlan-vap1] forward-mode direct-forward
[AC_2-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 102
[AC_2-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC_2-wlan-vap-prof-wlan-vap1] ssid-profile wlan-net1
[AC_2-wlan-vap-prof-wlan-vap1] quit

# Bind the VAP profile to the AP group and apply the VAP profile wlan-vap1 to radio 0 and
radio 1 of the APs.
[AC_2-wlan-view] ap-group name ap-group2
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-vap1 wlan 1 radio 0
[AC_2-wlan-ap-group-ap-group2] vap-profile wlan-vap1 wlan 1 radio 1
[AC_2-wlan-ap-group-ap-group2] quit

# Set the other parameters in the same way as on AC_1.

Step 6 Configure basic WLAN services on AC_3.

1. Configure the APs to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC_3] wlan
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and
apply the profile to the AP group.
[AC_3-wlan-view] regulatory-domain-profile name domain1
[AC_3-wlan-regulate-domain-domain1] country-code cn
[AC_3-wlan-regulate-domain-domain1] quit
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group1] quit
[AC_3-wlan-view] ap-group name ap-group2
[AC_3-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna
gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC_3-wlan-ap-group-ap-group2] quit
[AC_3-wlan-view] quit

# Configure the AC's source interface.


[AC_3] capwap source interface Vlanif 203

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained,
you do not need to run the ap auth-mode mac-auth command.
[AC_3] wlan
[AC_3-wlan-view] ap auth-mode mac-auth
[AC_3-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC_3-wlan-ap-0] ap-name area_1
[AC_3-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it
will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-0] quit
[AC_3-wlan-view] ap-id 1 ap-mac 60de-4474-9640
[AC_3-wlan-ap-1] ap-name area_2
[AC_3-wlan-ap-1] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it
will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC_3-wlan-ap-1] quit

# Run the display ap all command on the AC to check the AP running status. The
command output shows that both area_1 and area_2 are in the fault state.
[AC_3-wlan-view] display ap all
Total AP information:
idle : idle [2]
------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
------------------------------------------------------------------------
0 60de-4476-e360 area_1 ap-group1 - - fault 0 -
1 60de-4474-9640 area_2 ap-group2 - - fault 0 -
------------------------------------------------------------------------
Total: 2

2. Configure WLAN service parameters.


# Create the security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC_3-wlan-view] security-profile name wlan-security
[AC_3-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase a1234567 aes
[AC_3-wlan-sec-prof-wlan-security] quit

# Create the SSID profile wlan-net and set the SSID name to wlan-net.
[AC_3-wlan-view] ssid-profile name wlan-net
[AC_3-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC_3-wlan-ssid-prof-wlan-net] quit

# Create the SSID profile wlan-net1 and set the SSID name to wlan-net1.
[AC_3-wlan-view] ssid-profile name wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] ssid wlan-net1
[AC_3-wlan-ssid-prof-wlan-net1] quit

# Create the AP system profile ap-system1 and configure the IP address of the standby
AC.
[AC_3-wlan-view] ap-system-profile name ap-system1
[AC_3-wlan-ap-system-prof-ap-system1] protect-ac ip-address 10.23.201.1
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system1] quit

# Create the AP system profile ap-system2 and configure the IP address of the standby
AC.
[AC_3-wlan-view] ap-system-profile name ap-system2
[AC_3-wlan-ap-system-prof-ap-system2] protect-ac ip-address 10.23.202.1
Warning: This action will take effect after resetting AP.
[AC_3-wlan-ap-system-prof-ap-system2] quit

# Create the VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-vap
[AC_3-wlan-vap-prof-wlan-vap] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC_3-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC_3-wlan-vap-prof-wlan-vap] ssid-profile wlan-net
[AC_3-wlan-vap-prof-wlan-vap] quit

# Create the VAP profile wlan-vap1, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC_3-wlan-view] vap-profile name wlan-vap1
[AC_3-wlan-vap-prof-wlan-vap1] forward-mode direct-forward
[AC_3-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 102
[AC_3-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC_3-wlan-vap-prof-wlan-vap1] ssid-profile wlan-net1
[AC_3-wlan-vap-prof-wlan-vap1] quit

# Bind the VAP profile and AP system profile to the AP group and apply the VAP profile
to radio 0 and radio 1 of the APs.
[AC_3-wlan-view] ap-group name ap-group1
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group1] ap-system-profile ap-system1
[AC_3-wlan-ap-group-ap-group1] quit

[AC_3-wlan-view] ap-group name ap-group2


[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-vap1 wlan 1 radio 0
[AC_3-wlan-ap-group-ap-group2] vap-profile wlan-vap1 wlan 1 radio 1
[AC_3-wlan-ap-group-ap-group2] ap-system-profile ap-system2
[AC_3-wlan-ap-group-ap-group2] quit

Step 7 Enable N+1 backup on AC_1, AC_2, and AC_3.


# On AC_1, configure the AC's global priority and IP address of AC_3.
NOTE
AC priorities determine the AC roles. The AC with a higher priority is the active AC, and the AC with a
lower priority is the standby AC. A smaller value indicates a higher priority. If the AC priorities are the same,
the AC that connects to more APs is the active AC. If the ACs connect to the same number of APs, the AC
that connects to more STAs is the active AC. If the ACs connect to the same number of STAs, the AC with a
smaller IP address is the active AC.
[AC_1-wlan-view] ac protect priority 0 protect-ac 10.23.203.1
Warning: Operation successful. It will take effect after AP reset.

# On AC_2, configure the AC's global priority and IP address of AC_3.


[AC_2-wlan-view] ac protect priority 0 protect-ac 10.23.203.1
Warning: Operation successful. It will take effect after AP reset.

# Configure the global priority of AC_3.


[AC_3-wlan-view] ac protect priority 5
Warning: Operation successful. It will take effect after AP reset.
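
The role decision described in the NOTE above, written out as an added example (not part of the original guide or of Huawei software). It applies the tie-break order exactly as the NOTE words it; the AP and STA counts are constructed sample values, and the class and function names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class ACState:
    name: str
    ip: IPv4Address
    priority: int   # value set with "ac protect priority"; a smaller value wins
    aps: int        # APs currently connected (constructed sample data)
    stas: int       # STAs currently connected (constructed sample data)


# Tie-break order as worded in the NOTE: (rule label, sort key, smaller key wins).
RULES = [
    ("priority", lambda ac: ac.priority),    # smaller value = higher priority
    ("AP count", lambda ac: -ac.aps),        # more APs wins
    ("STA count", lambda ac: -ac.stas),      # more STAs wins
    ("IP address", lambda ac: int(ac.ip)),   # smaller address wins
]


def elect_active(a, b):
    """Return (active, standby, deciding_rule) for two candidate ACs."""
    for label, key in RULES:
        ka, kb = key(a), key(b)
        if ka != kb:
            return (a, b, label) if ka < kb else (b, a, label)
    raise ValueError("identical candidates: the NOTE defines no further tie-break")


def roles_pinned_by_priority(a, b):
    """True when the roles come from configuration, not from current load.

    If two ACs share a priority, the active role follows AP/STA counts and can
    move as load changes, which an N+1 design with a fixed standby AC does not want.
    """
    return elect_active(a, b)[2] == "priority"


# AC_1 and AC_3 with the addresses and priorities configured in this example.
AC_1 = ACState("AC_1", IPv4Address("10.23.201.1"), priority=0, aps=1, stas=0)
AC_3 = ACState("AC_3", IPv4Address("10.23.203.1"), priority=5, aps=0, stas=0)

if __name__ == "__main__":
    active, standby, rule = elect_active(AC_1, AC_3)
    print(f"active={active.name} standby={standby.name} decided by {rule}")
```
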

# On AC_1, enable N+1 backup and restart all APs to make the function take effect.
NOTE
By default, N+1 backup is enabled. The system displays an Info message if you run the undo ac protect
enable command. You need to run the ap-reset all command to restart all APs. After the APs are restarted,
N+1 backup starts to take effect.
[AC_1-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_1-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# On AC_2, enable N+1 backup and restart all APs to make the function take effect.
[AC_2-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_2-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

# Enable revertive switchover and N+1 backup on AC_3.


NOTE
By default, global revertive switchover is enabled. The system displays an Info message if you run the undo
ac protect restore disable command.
[AC_3-wlan-view] undo ac protect restore disable
Info: Protect restore has already enabled.
[AC_3-wlan-view] undo ac protect enable
Info: Backup function has already disabled.
[AC_3-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

Step 8 Verify the configuration.


# Run the display ac protect command on AC_1 to check N+1 backup information.
[AC_1-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.203.1
Priority : 0
Protect restore : enable

...
------------------------------------------------------------

# Run the display ac protect command on AC_2 to check N+1 backup information.
[AC_2-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : 10.23.203.1
Priority : 0
Protect restore : enable
...
------------------------------------------------------------

# Run the display ac protect and display ap-system-profile commands on AC_3 to check
N+1 backup information.
[AC_3-wlan-view] display ac protect
------------------------------------------------------------
Protect state : disable
Protect AC : -
Priority : 5
Protect restore : enable
...
------------------------------------------------------------
[AC_3-wlan-view] display ap-system-profile name ap-system1
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.201.1
...
[AC_3-wlan-view] display ap-system-profile name ap-system2
------------------------------------------------------------------------------
AC priority : -
Protect AC IP address : 10.23.202.1
...

The WLAN with the SSID wlan-net or wlan-net1 is available for STAs connected to the
APs, and these STAs can connect to the WLAN and go online normally.
When the link between an AP and AC_1 or AC_2 fails, AC_3 takes over the active role,
which accelerates service recovery.

----End

Configuration Files
• Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 99 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 99
port trunk allow-pass vlan 99 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 99 101
#
return

• Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 100 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102
#
return
• AC_1 configuration file
#
sysname AC_1
#
vlan batch 101 201
#
interface Vlanif201
ip address 10.23.201.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
ip route-static 10.23.99.0 255.255.255.0 10.23.201.2
#
capwap source interface Vlanif201
#
wlan
ac protect protect-ac 10.23.203.1
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#hgEp#@>
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-vap
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return
• AC_2 configuration file
#
sysname AC_2
#
vlan batch 102 202
#
interface Vlanif202
ip address 10.23.202.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
ip route-static 10.23.101.0 255.255.255.0 10.23.202.2
#
capwap source interface vlanif202
#
wlan
ac protect protect-ac 10.23.203.1
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-vap1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap1 wlan 1
radio 1
vap-profile wlan-vap1 wlan 1
ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return
• AC_3 configuration file
#
sysname AC_3
#
vlan batch 101 to 102 203
#
interface Vlanif203
ip address 10.23.203.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 203
#
capwap source interface vlanif203
#
wlan
ac protect priority 5
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-net
ssid wlan-net
ssid-profile name wlan-net1
ssid wlan-net1
vap-profile name wlan-vap
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-security
vap-profile name wlan-vap1
service-vlan vlan-id 102
ssid-profile wlan-net1
security-profile wlan-security
regulatory-domain-profile name domain1
ap-system-profile name ap-system1
protect-ac ip-address 10.23.201.1
ap-system-profile name ap-system2
protect-ac ip-address 10.23.202.1
ap-group name ap-group1
ap-system-profile ap-system1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-group name ap-group2
ap-system-profile ap-system2
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap1 wlan 1
radio 1
vap-profile wlan-vap1 wlan 1
ap-id 0 type-id 19 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 19 ap-mac 60de-4474-9640 ap-sn 210235419610D2000097
ap-name area_2
ap-group ap-group2
#
return
• Router_1 configuration file
#
sysname Router_1
#
vlan batch 99 101 201
#
dhcp enable
#
interface Vlanif99
ip address 10.23.99.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif201
ip address 10.23.201.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 99 101
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
return
• Router_2 configuration file
#
sysname Router_2
#
vlan batch 100 102 202
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.200.1
#
interface Vlanif202
ip address 10.23.202.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 102
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 202
#
return
• Router_3 configuration file
#
sysname Router_3
#
vlan batch 200 203
#
dhcp enable
#
ip pool ap_1_pool
gateway-list 10.23.99.1
network 10.23.99.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.201.1 10.23.203.1
#
ip pool ap_2_pool
gateway-list 10.23.100.1
network 10.23.100.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.202.1 10.23.203.1
#
ip pool sta_1_pool
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool sta_2_pool
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif200
ip address 10.23.200.1 255.255.255.0
#
interface Vlanif203
ip address 10.23.203.2 255.255.255.0
#
interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 200
#
interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 203
#
return
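
A consistency check over the three AC configuration files above, as an added example (not part of the original guide and not a Huawei tool). It assumes flat configuration text as printed here and treats a missing ac protect priority as 0, because the AC_1 and AC_2 files omit the priority 0 set in Step 7; the function names are hypothetical.

```python
import re
from ipaddress import ip_address

# Constructed excerpts of the AC configuration files shown above
# (only the lines the check needs; passphrase and radio lines omitted).
CONFIGS = {
    "AC_1": """
interface Vlanif201
ip address 10.23.201.1 255.255.255.0
wlan
ac protect protect-ac 10.23.203.1
ap-id 0 type-id 19 ap-mac 60de-4476-e360
ap-group ap-group1
""",
    "AC_2": """
interface Vlanif202
ip address 10.23.202.1 255.255.255.0
wlan
ac protect protect-ac 10.23.203.1
ap-id 1 type-id 19 ap-mac 60de-4474-9640
ap-group ap-group2
""",
    "AC_3": """
interface Vlanif203
ip address 10.23.203.1 255.255.255.0
wlan
ac protect priority 5
ap-system-profile name ap-system1
protect-ac ip-address 10.23.201.1
ap-system-profile name ap-system2
protect-ac ip-address 10.23.202.1
ap-group name ap-group1
ap-system-profile ap-system1
ap-group name ap-group2
ap-system-profile ap-system2
ap-id 0 type-id 19 ap-mac 60de-4476-e360
ap-group ap-group1
ap-id 1 type-id 19 ap-mac 60de-4474-9640
ap-group ap-group2
""",
}


def parse_ac(text):
    """Collect the N+1-related settings from one flat AC configuration."""
    ac = {"ips": set(), "protect_ac": None, "priority": 0,
          "sys_profiles": {}, "group_profile": {}, "ap_group": {}}
    ctx = (None, None)  # (block kind, block name) the current line sits in
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"ip address (\S+) \S+", line):
            ac["ips"].add(ip_address(m[1]))
        elif m := re.fullmatch(r"ac protect(?: priority (\d+))?(?: protect-ac (\S+))?", line):
            ac["priority"] = int(m[1] or 0)  # assumption: omitted priority is 0
            ac["protect_ac"] = ip_address(m[2]) if m[2] else None
        elif m := re.fullmatch(r"ap-system-profile name (\S+)", line):
            ctx = ("sysprof", m[1])
        elif m := re.fullmatch(r"ap-group name (\S+)", line):
            ctx = ("group", m[1])
        elif m := re.search(r"^ap-id \d+ .*\bap-mac (\S+)", line):
            ctx = ("ap", m[1])
        elif (m := re.fullmatch(r"protect-ac ip-address (\S+)", line)) and ctx[0] == "sysprof":
            ac["sys_profiles"][ctx[1]] = ip_address(m[1])
        elif (m := re.fullmatch(r"ap-system-profile (\S+)", line)) and ctx[0] == "group":
            ac["group_profile"][ctx[1]] = m[1]
        elif (m := re.fullmatch(r"ap-group (\S+)", line)) and ctx[0] == "ap":
            ac["ap_group"][ctx[1]] = m[1]
    return ac


def audit_n_plus_1(configs, standby):
    """Return a list of findings; an empty list means the pairing is consistent."""
    acs = {name: parse_ac(text) for name, text in configs.items()}
    sb, findings = acs[standby], []
    for name, ac in acs.items():
        if name == standby:
            continue
        # The active AC must point at an address the standby AC really owns.
        if ac["protect_ac"] not in sb["ips"]:
            findings.append(f"{name}: protect-ac {ac['protect_ac']} is not an address of {standby}")
        # A smaller value is a higher priority, so the standby needs the larger value.
        if ac["priority"] >= sb["priority"]:
            findings.append(f"{name}: priority {ac['priority']} does not outrank {standby}")
        # Every AP of the active AC must exist on the standby, in a group whose
        # AP system profile points back at this active AC.
        for mac in ac["ap_group"]:
            group = sb["ap_group"].get(mac)
            if group is None:
                findings.append(f"{standby}: AP {mac} from {name} is not imported")
                continue
            back = sb["sys_profiles"].get(sb["group_profile"].get(group))
            if back not in ac["ips"]:
                findings.append(f"{standby}: AP {mac} in {group} has protect-ac {back}, not {name}")
    return findings


if __name__ == "__main__":
    print(audit_n_plus_1(CONFIGS, "AC_3") or "N+1 pairing is consistent")
```
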

24 Smart Retail IoT Solution - ESL

24.1 Overview of the Smart Retail IoT Solution - ESL

Scenario Overview
In shopping malls, supermarkets, and other retail scenarios, many stores use printed shelf
labels to mark commodity prices. This approach has the following disadvantages:
• Manual label maintenance has high costs and low efficiency.
• Manual label maintenance is prone to errors, which may lead to customer complaints.
To address these problems, Huawei offers the Smart Retail-Electronic Shelf Label (ESL)
Solution. In this solution, ESLs are used instead of printed labels, and ESL information is
maintained and updated in a background ESL management system.

Solution Benefits
This solution provides the following benefits:
• Reduces ESL maintenance and update costs, saves shelf label update costs, and increases
business profits.
• Implements automatic ESL management, and improves management and maintenance
efficiency.
• Minimizes the maintenance error rate and reduces customer complaints.
• Reuses a WLAN as an ESL network, reducing the ESL network deployment and
maintenance costs, and facilitating central network management by administrators.

Networking Architecture
As shown in Figure 24-1, the networking architecture of the ESL Solution consists of the
terminal, access, pipe, and service application layers.

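Figure 24-1 Networking architecture
(Figure not reproduced. Labels, from top to bottom: service application layer with the ESL
management system and ERP system; pipe layer with the AC, switch, and AP; access layer with
the ESL card; terminal layer with the ESL.)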
• Terminal layer
ESLs installed on shelves are deployed at this layer.
ESLs, typically made of electronic paper or liquid crystal displays (LCDs), display
commodity information. ESLs with built-in radio modules automatically obtain ESL
information over radios from the AP, and update information to be displayed.
• Access layer
ESL cards are deployed at this layer.
An ESL card is a type of Internet of Things (IoT) card used in the ESL Solution. ESL
cards are used to receive and cache ESL update tasks delivered by the ESL management
system.
• Pipe layer
Network devices such as APs, ACs, and switches are deployed at this layer.
The pipe layer only forwards packets from ESLs and ensures interworking between the
ESL cards and ESL management system, but does not parse or handle the packets. APs
at the bottom of the pipe layer provide slots for ESL cards.
• Service application layer
The Enterprise Resource Planning (ERP) system and ESL management system are
deployed at this layer.
The ERP system is business management software integrating physical resource
management (logistics), human resources management (HR flows), financial
resource management (financial flows), and information resource management
(information flows). In scenarios where ESLs are used, an ERP system is typically used
to manage commodity prices.
An ESL management system consists of an ESL server and a system platform, and is
interconnected with an ERP system to synchronize data from the ERP system and deliver
ESL update tasks to ESL cards. The ESL server manages ESL cards, ESLs, and ESL
update plans, and provides a graphical user interface (GUI).

Involved Products

Table 24-1 Involved products


| Device | Function | Vendor |
|---|---|---|
| AP | It provides slots for ESL cards. Currently, only the AP4050DN-E provides such slots. | Huawei |
| AC | It manages and delivers configurations to APs, and works together with the APs. | Huawei |
| ESL | It is installed on a shelf to display commodity information. | Century |
| Switch | It is used to build a networking structure and forward packet data on the network. | Huawei |
| ESL card | It exchanges packets with ESLs, receives and caches ESL update tasks delivered by an ESL server, and delivers the tasks to ESLs for update. | Century |
| ESL server | It is interconnected with an ERP system to manage ESL cards and ESLs. In this solution, the ESL server is provided by Century. | Century |
| Handheld scanner | It is used to scan commodity codes and ESL IDs. Commodity codes and ESL IDs are associated automatically after being scanned. In this solution, handheld scanners are provided by Century. | Century |
| ERP system | It is used to manage commodity prices. | Customer |

24.2 Understanding the Smart Retail IoT Solution - ESL


As shown in Figure 24-2, in the ESL solution, an ERP system is deployed at the headquarters
of a company, while ESLs, ESL cards, and ESL management systems are deployed at both the
headquarters and branch store. The ESL management systems at the headquarters and branch
store are connected to the ERP system. When commodity prices are adjusted in the ERP
system, price adjustment results are synchronized to the ESL management systems. The ESL
management systems adjust commodity prices based on the price adjustment results in the
ERP system and pre-configured price adjustment plan. In addition, the ESL management
systems display other information about commodities on ESLs, such as the validity period,
promotion description, and specifications.

Figure 24-2 Networking architecture
(Figure not reproduced. Labels: HQ, Branch store, ERP system, Router, AC, Switch, ESL
management system, AP, ESL card, ESL.)

The ESL solution is implemented in two phases.

Phase 1

In phase 1, ESL cards are initialized, ESLs are registered with the ESL management system,
and ESL IDs are associated with commodity codes.
The implementation mode of the ESL management system varies by vendor. The
following uses Century's ESL management system as an example.
1. The ESL management system is directly connected to ESL cards at Layer 2, and sends
broadcast requests. After receiving the broadcast requests, ESL cards reply with their
own IDs.
2. After the ESL management system receives the ESL card IDs, the administrator
configures IP addresses for the ESL cards on the GUI of the ESL management system.
3. The ESL management system then assigns the IP addresses to the ESL cards for
initialization.
4. ESLs proactively send registration requests to ESL cards. The ESL cards receive the
registration requests and forward them to the ESL management system.
5. After receiving the registration requests, the ESL management system allows the ESLs
to register.
After the ESLs are registered, the ESL management system learns the ESL IDs and the
IDs of the ESL cards that manage the ESLs. In this way, after the ESL IDs are associated
with commodity codes, the ESL management system can deliver ESL update tasks to
the correct ESLs.
6. Use a handheld scanner to scan ESL IDs and commodity codes for association, or
manually associate them in the ESL management system.
Phase 2
ESL information is updated in phase 2, as shown in Figure 24-3.

Figure 24-3 ESL working process
(Figure not reproduced. It uses the labels of Figure 24-2, annotated with steps 1 to 3.)

1. The ERP system at the headquarters is used to maintain and update commodity price
information. The ESL management system at the branch store sends data update requests
to the ERP system, and obtains updated commodity information such as the commodity
code and price.
2. After obtaining updated information, the ESL management system delivers ESL update
tasks to ESL cards as planned. ESL cards cache task data and wait for ESLs to initiate
ESL update requests.
3. To save energy and prolong the service life of batteries, ESLs' radio modules are
activated periodically. Within the activation period, ESLs proactively send requests to
ESL cards to query whether ESL update tasks are available. If so, the ESLs obtain data
and update information to be displayed. If not, the ESLs' radio modules stay in the
sleeping state until the next activation period.
In the current ESL solution, ESLs and ESL cards exchange packets with each other using
2.4 GHz radio frequency identification (RFID) technology.

The ESL management system uses 2.4 GHz RFID technology on the wireless side, which
leads to interference with 2.4 GHz Wi-Fi signals. However, the ESL update service and
common WLAN services do not affect each other because they usually do not run at the same
time in actual scenarios.
• In most cases, ESL information is updated in non-business hours to prevent ESL
information update from affecting normal business and avoid customer complaints.
• ESL information update during business hours rarely happens. Such a scenario may exist
only in small stores with only tens of ESLs and a small service data volume, such as
bakeries. ESL information update takes a short time, so the interference time is short.

24.3 Implementation Precautions for the Smart Retail IoT Solution - ESL

Software and Hardware Installation Precautions
• An ESL card can be inserted only into slots 1 and 2 of an AP4050DN-E, occupying two
slots simultaneously.
Service Planning Precautions
• Plan an independent VLAN for ESL data and separate this VLAN from the wireless
coverage service VLAN, facilitating management and maintenance.
• ESL cards can only be directly connected to the ESL server at Layer 2.
Network Planning Precautions
• ESLs are not applicable to commodities in storage cabinets or boxes that block wireless
radio signals, because ESL information update fails there.
Configuration Precautions
• When ESL information is updated, you are advised to disable the 2.4 GHz radio to avoid
reducing the ESL information update speed. ESL information is typically updated in
non-business hours of shopping malls. Therefore, you are advised to configure the
scheduled VAP auto-off function.
• ESL vendors have properly set the frequency points of the 2.4 GHz RFID radios used in the
ESL management system, and avoid the commonly used channels 1, 6, and 11 to minimize
interference between 2.4 GHz RFID signals and 2.4 GHz Wi-Fi signals.
Version Constraints
• ESLs only need to exchange packets with ESL cards, but not with APs. APs do not parse
packets from ESLs. Therefore, there is no direct constraint on the ESL and AP versions.

24.4 Software and Hardware Installation for the Smart Retail IoT Solution - ESL

Installing APs (Including ESL Cards)


For details on how to install APs, see the Hardware Installation and Maintenance Guide
(AP4050DN-E). Install ESL cards according to the user guide of the ESL cards.

Installing ESLs
Install ESLs according to related documents obtained from the ESL vendor. The detailed
operations are not described in this document.
After ESLs are installed, verify that the ESLs are intact and battery covers are secured. Read
the ESL user manual before using the ESLs.

Installing the ESL Management System


Install and configure the ESL management system according to related documents obtained
from the system vendor. The detailed operations are not described in this document.

24.5 Configuration Guide for the Smart Retail IoT Solution - ESL
Follow the configuration process described in Figure 24-4 to configure an ESL system in the
smart retail IoT solution.

Figure 24-4 Configuration process
(Flowchart not reproduced. Steps in order: Configure network connectivity. Configure APs to
go online. Configure the wireless coverage service. Configure interconnection of components.
Associate ESL IDs with commodity codes. Configure ESL services.)

Each step is described as follows:


1. Configure connectivity of devices on the ESL network to ensure data transmission on the
network.
2. Configure APs to go online. The AC can centrally manage APs only after they go online.
Configure connectivity between ESL cards and APs, and the wireless coverage service
on the AC, and then deliver the configurations to the APs.
3. Configure the wireless coverage service to use an existing WLAN as the ESL network,
reducing network deployment and maintenance costs, and facilitating centralized
network management for administrators.
4. Configure interconnection of ESLs, ESL cards, and APs. This can be configured only
after the APs go online.
5. Associate ESL IDs with commodity codes to enable ESLs to uniquely identify
commodities.
6. Configure ESL services including management and update of commodity prices.

24.5.1 Configuring Network Interworking


Configure network interworking of network elements (NEs) to ensure proper data
transmission.

Configuring Management Packet Exchange


Management packets between an AC and APs are transmitted only on the network between
them. To ensure that the AC and APs exchange management packets properly, configure
correct VLANs or routes.

Configuring Service Packet Exchange


Service packets are transmitted between STAs and the upper-layer network. Configure service
packet exchange to ensure proper transmission of service packets.

Configuring APs and STAs to Communicate with a DHCP Server


The APs and STAs must obtain IP addresses from a DHCP server; therefore, you need to
configure the APs and STAs to communicate with the DHCP server.

Configuring Interworking Between the ESL Cards and ESL Management System
Configure interworking of ESL cards, APs, and the ESL management system, so that the ESL
management system can connect to and exchange packets with ESL cards inserted into the
APs.
You can only configure Layer 2 interworking between the ESL cards and ESL management
system because the ESL management system can discover ESL cards only by sending Layer 2
network broadcast packets. For details on how to configure interworking between ESL cards
and APs, see 24.5.4.1 Configuring Interworking Between ESL Cards and APs. Configure
interworking between the ESL management system and APs based on the actual network
conditions.

Configuring Interworking Between the ESL Management System and ERP System
The ERP system is used to manage and update commodity prices, and synchronize updated
information to the ESL management system. You need to configure interworking between the
ESL management system and ERP system.

24.5.2 Configuring APs to Go Online

Context
After network interworking is configured, configure the APs to go online on the AC, so that
the AC can deliver configurations to the APs, such as configurations for interworking
between ESL cards and APs, and wireless service coverage configurations.

This document only describes basic go-online configurations of APs on the AC. For more
information, see 5.9 Configuring APs to Go Online.

Perform the following operations on the AC to configure an AP to go online.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run vlan batch vlan-id

A VLAN is created.

Step 3 Run interface vlanif vlan-id

A VLANIF interface is created, and the VLANIF interface view is displayed.

By default, no VLANIF interface is created.

Step 4 Run ip address ip-address { mask | mask-length }

An IP address and a subnet mask are configured for the VLANIF interface.

By default, no IP address is configured for a VLANIF interface.

Step 5 Run quit

Return to the system view.

Step 6 Run capwap source interface vlanif vlan-id

The VLANIF interface is configured as the source interface of the CAPWAP tunnel
established between the AP and AC.

By default, no source interface is configured for the CAPWAP tunnel established between the
AP and AC.

Step 7 Run wlan

The WLAN view is displayed.

Step 8 Run regulatory-domain-profile name profile-name

A regulatory domain profile is created and the regulatory domain profile view is displayed.

By default, the system provides the regulatory domain profile default.

Step 9 Run country-code country-code

The country code is configured.

By default, the country code CN is configured.

Step 10 Run quit

Return to the WLAN view.

Step 11 Run ap-group name group-name

An AP group is created, and the AP group view is displayed.

Step 12 Run regulatory-domain-profile profile-name


The regulatory domain profile is bound to the AP group.
By default, the regulatory domain profile default is bound to the AP group.
Step 13 Run quit
Return to the WLAN view.
Step 14 Run ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | ap-sn ap-sn |
ap-mac ap-mac ap-sn ap-sn } ] or ap-mac ap-mac [ type-id type-id | ap-type ap-type ] [ ap-id
ap-id ] [ ap-sn ap-sn ]
The AP is imported in offline mode, and the AP view is displayed.
Step 15 Run ap-name ap-name
The AP name is configured.
By default, no AP name is configured for an AP.
Step 16 Run ap-group group-name
The AP is added to the AP group.
By default, no AP group is configured.

----End

Verifying the Configuration


• Run the display ap all command to check whether the AP goes online on the AC.
• Run the display capwap configuration command to check the source interface or
  source IP address of the AC.
• Run the display regulatory-domain-profile { all | name profile-name } command to
  check the country code configured in the regulatory domain profile.
• Run the display references regulatory-domain-profile name profile-name command to
  check reference information about the regulatory domain profile.

24.5.3 Configuring the Wireless Coverage Service

Context
The WLAN network and ESL network can be multiplexed and integrated into one network.
This reduces network deployment and maintenance costs, and helps administrators centrally
manage the networks.
This document provides only basic wireless coverage service configurations. For more
information, see 5 WLAN Service Configuration.
Perform the following operations on the AC to configure wireless coverage services.

Procedure
Step 1 Run system-view
The system view is displayed.

Step 2 Run vlan batch vlan-id


A VLAN is created.
Step 3 Run wlan
The WLAN view is displayed.
Step 4 Run security-profile name profile-name
A security profile is created and the security profile view is displayed.
By default, security profiles default, default-wds, and default-mesh are available in the
system.
A newly created security profile uses the default security policy, which poses security risks.
You are advised to configure a security policy that matches actual service requirements. For
the detailed configuration, see 12.4 Configuring a WLAN Security Policy.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run ssid-profile name profile-name
An SSID profile is created and the SSID profile view is displayed.
By default, the system provides the SSID profile default.
Step 7 Run ssid ssid
An SSID name is configured.
By default, the SSID HUAWEI-WLAN is configured in an SSID profile.
Step 8 Run quit
Return to the WLAN view.
Step 9 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 10 Run security-profile profile-name
The security profile is bound to the VAP profile.
By default, the security profile default is bound to a VAP profile.
Step 11 Run forward-mode { direct-forward | tunnel | softgre profile-name }
The data forwarding mode is configured in the VAP profile.
By default, the forwarding mode is direct-forward in the VAP profile.
Step 12 Run service-vlan { vlan-id vlan-id | vlan-pool pool-name }
A service VLAN is configured for a VAP.
By default, VLAN 1 is the service VLAN of a VAP.
Step 13 Run ssid-profile profile-name
The SSID profile is bound to the VAP profile.

By default, the SSID profile default is bound to a VAP profile.


Step 14 Run quit
Return to the WLAN view.
Step 15 Run radio-2g-profile name profile-name
A 2G radio profile is created, and the 2G radio profile view is displayed.
By default, the system provides the 2G radio profile default.
Step 16 Run auto-off service start-time start-time end-time end-time
The scheduled VAP auto-off function is enabled.
By default, the scheduled VAP auto-off function is disabled.
When ESL information is updated, you are advised to disable the 2.4 GHz radio so that it
does not interfere with the 2.4 GHz signals of ESLs and slow down ESL information updates.
ESL information is typically updated in non-business hours of shopping malls. Therefore, it is
recommended that the scheduled VAP auto-off function be enabled during non-business hours
of shopping malls.
Step 17 Run quit
Return to the WLAN view.
Step 18 Run ap-group name group-name
An AP group is created, and the AP group view is displayed.
Step 19 Run vap-profile profile-name wlan wlan-id radio { radio-id | all } [ service-vlan { vlan-id
vlan-id | vlan-pool pool-name } ]
The VAP profile is bound to radios.
By default, no VAP profile is bound to a radio.
Step 20 Run radio-2g-profile profile-name { radio { radio-id | all } }
The 2G radio profile is bound to radios.
By default, the 2G radio profile default is bound to an AP group.

----End

Verifying the Configuration


• Run the display vap { all | ssid ssid } or display vap { ap-group ap-group-name | { ap-name
  ap-name | ap-id ap-id } [ radio radio-id ] } [ ssid ssid ] command to check service
  VAP information.
• Run the display vap-profile { all | name profile-name } command to check
  configuration and reference information about a VAP profile.
• Run the display references vap-profile name profile-name command to check reference
  information about the VAP profile.
• Run the display security-profile { all | name profile-name } command to check
  configuration and reference information about the security profile.
• Run the display references security-profile name profile-name command to check
  reference information about the security profile.

• Run the display ssid-profile { all | name profile-name } command to check
  configuration and reference information about the SSID profile.
• Run the display references ssid-profile name profile-name command to check
  reference information about the SSID profile.
• Run the display radio-2g-profile { all | name profile-name } command to check
  configuration and reference information about the 2G radio profile.
• Run the display references radio-2g-profile name profile-name command to check
  reference information about the 2G radio profile.

24.5.4 Configuring Component Interworking

24.5.4.1 Configuring Interworking Between ESL Cards and APs

Context
In smart retail scenarios where ESLs are used, the ESLs use 2.4 GHz RFID technology to
interwork with ESL cards, and the ESL cards interwork with APs through Ethernet interfaces.
ESLs exchange data with an ESL server through ESL cards, APs, and the upper-layer
network. Interworking between ESLs and ESL cards does not need to be configured on a
WLAN. Interworking between ESL cards and APs needs to be configured.
Perform the following configurations on an AC:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 (Optional) Set the connection type between IoT cards and APs to Ethernet.
Perform this configuration in either the AP system profile view or IoT card interface view.
The configuration has the highest priority in the IoT card interface view of an AP, a lower
priority in the IoT card interface view of an AP group, and the lowest priority in the AP
system profile view.
1. Run the ap-system-profile name profile-name command to create an AP system profile
and enter the AP system profile view.
By default, the system provides the AP system profile default.
2. Run the card connect-type ethernet command to set the connection type between IoT
cards and APs to Ethernet.
By default, IoT cards communicate with APs through serial interfaces.
3. Run the quit command to return to the WLAN view.
Step 4 Run wired-port-profile name profile-name
An AP wired port profile is created, and the AP wired port profile view is displayed.
By default, the system provides the AP wired port profile default.


Step 5 Run mode endpoint

The working mode of the AP wired interface is set to endpoint.

By default, the wired interface on the AP4050DN-E works in root mode.

Step 6 Run vlan pvid vlan-id

A PVID is configured for the AP wired interface.

By default, no PVID is configured for an AP wired interface.

Step 7 Run vlan untagged vlan-id

The AP wired interface is added to a VLAN in untagged mode.

By default, an AP wired interface allows packets from all VLANs to pass. The wired interface
is added to VLAN 1 in untagged mode and to other VLANs in tagged mode.

Step 8 Run quit

Return to the WLAN view.

Step 9 Bind the AP system profile and AP wired port profile.


• Bind the AP system profile and AP wired port profile to an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile.
     By default, the AP system profile default is bound to an AP group.
  c. Run the card card-number command to enter the IoT card view.
     An ESL card occupies slots 1 and 2 on an AP. Therefore, the value of card-number
     must be set to 1.
  d. Run the wired-port-profile profile-name command to bind the AP wired port
     profile.
     By default, no AP wired port profile is bound to an IoT card.
  e. (Optional) Run the card connect-type ethernet command to set the connection
     type between IoT cards and APs to Ethernet.
     By default, the system provides the AP system profile default.
• Bind the AP system profile and AP wired port profile to the AP.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the ap-system-profile profile-name command to bind the AP system profile.
     By default, no AP system profile is bound to the AP.
  c. Run the card card-number command to enter the IoT card view.
     An ESL card occupies slots 1 and 2 on an AP. Therefore, the value of card-number
     must be set to 1.
  d. Run the wired-port-profile profile-name command to bind the AP wired port
     profile.
     By default, no AP wired port profile is bound to an IoT card.
  e. (Optional) Run the card connect-type ethernet command to set the connection
     type between IoT cards and APs to Ethernet.

By default, the system provides the AP system profile default.

----End

Verifying the Configuration


• Run the display ap-system-profile { all | name profile-name } command to check the
  configuration of the AP system profile.
• Run the display wired-port-profile { all | name profile-name } command to check the
  configuration of the AP wired port profile.
• Run the display references ap-system-profile name profile-name command to check
  reference information about the AP system profile.
• Run the display references wired-port-profile name profile-name command to check
  reference information about the AP wired port profile.

24.5.4.2 Registering ESLs

Initializing ESL Cards


After the ESL management system connects to ESL cards through APs, the ESL cards need to
be initialized.
The ESL card initialization mode depends on the ESL management system. For example,
Century's ESL management system can automatically discover ESL cards by sending Layer 2
broadcast packets. The administrator needs to configure IP addresses for the ESL cards on the
GUI of the ESL management system for initialization.
Initialize ESL cards according to related documents obtained from the ESL management
system vendor. The detailed operations are not described in this document.

Registering ESLs
After ESL cards are initialized, registration requests sent by ESLs are forwarded by ESL cards
to the ESL management system. After the ESL management system receives the registration
requests, register the ESLs in the ESL management system.
Register ESLs according to related documents obtained from the ESL management system
vendor. The detailed operations are not described in this document.

Configuring Interworking Between the ESL Management System and ERP System
In scenarios where ESLs are used, the ERP system is used to manage and update commodity
prices, and synchronize updated information to the ESL management system. The ESL
management system then delivers updated information to ESL cards.
To ensure that updated information is synchronized properly, configure interworking between
the ESL management system and ERP system. Configure interworking between the ESL
management system and ERP system according to related documents obtained from the
system vendors. The detailed operations are not described in this document.

24.5.5 Associating ESL IDs with Commodity Codes


To adjust prices or lower prices for promotion, administrators handle commodities and
commodity codes on the ESL management system, but do not directly handle ESLs. The
customer's ERP system does not contain ESL information. Therefore, before using the ESL
management system, associate ESL IDs with commodity codes, so that commodity price
update tasks can be delivered to correct ESLs.
Administrators can manually associate ESL IDs with commodity codes in the ESL
management system. However, this method is not suitable for associating a large number of
ESL IDs with commodity codes. For example, when a shopping mall deploys the ESL
management system for the first time, all ESL IDs need to be associated with commodity
codes. In this case, it is recommended that handheld scanners be used to scan ESL IDs and
commodity codes for association. Associate ESL IDs with commodity codes according to
related documents obtained from the ESL vendor. The detailed operations are not described in
this document.

24.5.6 Configuring ESL Services


Obtain the operation guide from the ESL management system vendor and follow it to manage
ESLs, synchronize information from the ERP system, manage, update, add, and delete
commodity information, and bind and unbind ESLs. The detailed operations are not described
in this document.

24.5.7 Example for Configuring the Smart Retail IoT Solution - ESL

Service Requirements
A supermarket wants to deploy a network to expand IoT applications while providing the
wireless network access service to display and manage commodity prices using ESLs.

Networking Requirements
• AC networking mode: Layer 2 networking in bypass mode
• DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding


Figure 24-5 Networking diagram for configuring an ESL network

[Figure: network diagram. Elements shown: ERP system, router, ESL management system, AC,
switch, AP with ESL card, STA, and ESL. Interface labels: GE0/0/1, GE0/0/2, GE0/0/3, and GE0.]

Data Planning

Table 24-2 AC data planning

| Item | Data |
| --- | --- |
| Management VLAN | VLAN 100 |
| Service VLAN | VLAN 101 |
| Interworking VLAN of the ESL management system and ESLs | VLAN 102 |
| AC's source interface | VLANIF 100 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs. |
| IP address pool for APs | 10.23.100.2 to 10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.2 to 10.23.101.254/24 |
| AP group | Name: ap-group1. Referenced profiles: VAP profile wlan-net, regulatory domain profile domain1, radio profile wlan-radio2g, AP system profile ap-system, and AP wired port profiles wired1 and wired2 |
| Regulatory domain profile | Name: domain1. Country code: CN |
| SSID profile | Name: wlan-net. SSID name: wlan-net |
| Security profile | Name: wlan-net. Security policy: WPA-WPA2+PSK+AES. Password: a1234567 |
| VAP profile | Name: wlan-net. Forwarding mode: direct forwarding. Service VLAN: VLAN 101. Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| Radio profile | Name: wlan-radio2g. Time range during which the VAP is disabled as scheduled: 23:00 to 6:00 |
| AP system profile | Name: ap-system. Connection type between IoT cards and APs: Ethernet port |
| AP wired port profile | Name: wired1 – Working mode of the AP's wired interface: root – VLAN of the AP's wired interface: 102 (tagged). Name: wired2 – Working mode of the AP's wired interface: endpoint – VLAN of the AP's wired interface: 102 (untagged) – PVID of the AP's wired interface: 102 |

Configuration Roadmap
1. Configure network interworking of the AC, AP, and switch.
2. Configure the AP to go online.
3. Configure WLAN service parameters.
4. Configure interworking between the ERP system and ESL management system.
5. Configure interworking between the ESL management system and ESLs.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the switch and AC to enable the AP to communicate with the AC.
# Configure the access switch, and add GE0/0/1 and GE0/0/2 on the switch to VLAN 100
(management VLAN) and VLAN 101 (service VLAN).
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101

[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit

# Configure the AC, and add GE0/0/1 to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.

# Configure the AC as the DHCP server to allocate an IP address to the AP from the IP
address pool on VLANIF 100, and allocate IP addresses to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure the AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group ap-group1. Configure a
name for the AP based on the AP's deployment location, so that you can know where the AP
is located by its name. For example, if the AP with MAC address 60de-4476-e360 is deployed
in area 1, name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP status. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type       State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4050DN-E nor   0   25S    -
--------------------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create radio profile wlan-radio2g and configure the VAP to be disabled from 23:00 to 6:00.
[AC-wlan-view] radio-2g-profile name wlan-radio2g
[AC-wlan-radio-2g-prof-wlan-radio2g] auto-off service start-time 23:00:00 end-time 6:00:00
[AC-wlan-radio-2g-prof-wlan-radio2g] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward

[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101


[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP. Bind radio profile wlan-radio2g to the radios.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure interworking between the ERP system and ESL management system. The detailed
operations are not described here.
Step 7 Configure Layer 2 interworking between the ESL card and ESL management system.
# Add GE0/0/3 on the switch connected to the ESL management system to VLAN 102.
[Switch] vlan batch 102
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 102
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 102
[Switch-GigabitEthernet0/0/3] quit

# Add GE0/0/2 on the switch connected to the AP to VLAN 102.


[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[Switch-GigabitEthernet0/0/2] quit

# Add GE0 on the AP connected to the switch to VLAN 102.


[AC-wlan-view] quit
[AC] vlan batch 102
[AC] wlan
[AC-wlan-view] wired-port-profile name wired1
[AC-wlan-wired-port-wired1] mode root
Warning: If the AP goes online through a wired port, the incorrect port mode
configuration will cause the AP to go out of management.
This fault can be recovered only by modifying the configuration on the AP.
Continue? [Y/N]:y
[AC-wlan-wired-port-wired1] vlan tagged 102
[AC-wlan-wired-port-wired1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] wired-port-profile wired1 gigabitethernet 0
[AC-wlan-ap-group-ap-group1] quit

# Set the connection type between the AP and ESL card to ethernet, and add the interface on
the AP connected to the ESL card to VLAN 102.
[AC-wlan-view] ap-system-profile name ap-system
[AC-wlan-ap-system-prof-ap-system] card connect-type ethernet
[AC-wlan-ap-system-prof-ap-system] quit
[AC-wlan-view] wired-port-profile name wired2
[AC-wlan-wired-port-wired2] mode endpoint
Warning: If the AP goes online through a wired port, the incorrect port mode
configuration will cause the AP to go out of management.
This fault can be recovered only by modifying the configuration on the AP.
Continue? [Y/N]:y
[AC-wlan-wired-port-wired2] vlan pvid 102
[AC-wlan-wired-port-wired2] vlan untagged 102
[AC-wlan-wired-port-wired2] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ap-system-profile ap-system


[AC-wlan-ap-group-ap-group1] card 1
[AC-wlan-group-card-ap-group1/1] wired-port-profile wired2
[AC-wlan-group-card-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

# Restart the AP.


[AC-wlan-view] ap-reset all
Warning: Reset AP(s), continue?[Y/N]:y

Step 8 Initialize the ESL card, register ESLs, associate ESL IDs with commodity codes, and
configure ESL services. For detailed operations, see the operation guides provided by
vendors, which are not described here.
Step 9 Verify the configuration.
# The WLAN service configuration is automatically delivered to the AP after it is completed.
Run the display vap ssid wlan-net command. If Status in the command output is displayed
as ON, the VAP has been successfully created on the AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 1 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
--------------------------------------------------------------------------------
Total: 2

# Check the connection type between the AP and ESL card.


[AC-wlan-view] display ap-system-profile name ap-system
...
Card connect type : ethernet
...

# Check configuration information about the AP wired port profiles.


[AC-wlan-view] display wired-port-profile name wired1
...
Port work mode : root
Port Tagged VLAN : 102
Port untagged VLAN : 1
Port PVID VLAN : -
...
[AC-wlan-view] display wired-port-profile name wired2
...
Port work mode : endpoint
Port Tagged VLAN : -
Port untagged VLAN : 1 102
Port PVID VLAN : 102
...

----End

Configuration Files
• Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 102
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 102
 port trunk allow-pass vlan 102
#
return
• AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa2 psk pass-phrase %^%#>T-{@<QCU9HBYq2^UU6Xz6#)+LWx8GLx]uWo;t!M%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name domain1
 radio-2g-profile name wlan-radio2g
  auto-off service start-time 23:00:00 end-time 06:00:00
 ap-system-profile name ap-system
  card connect-type ethernet
 wired-port-profile name wired1
  mode root
  vlan tagged 102
 wired-port-profile name wired2
  mode endpoint
  vlan pvid 102
  vlan untagged 102
 ap-group name ap-group1
  ap-system-profile ap-system
  wired-port-profile wired1 gigabitethernet 0
  regulatory-domain-profile domain1
  radio 0
   radio-2g-profile wlan-radio2g
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
  card 1
   wired-port-profile wired2
 ap-id 0 ap-mac 60de-4476-e360
  ap-name area_1
  ap-group ap-group1
#
return


25 Healthcare IoT Solution

25.1 Overview of the Healthcare IoT Solution

Scenario Overview
In healthcare scenarios, hospitals want to use technological means to implement infusion
management and infant abduction prevention, avoiding major medical malpractice and security
accidents and improving hospitals' management capabilities and patient satisfaction.
Additionally, hospitals need to manage important medical assets. Manual asset management
and inventory are time-consuming and expensive, and make assets difficult to locate. Hospitals
also want to leverage technological means for asset location and management to reduce
management costs and complexity.
To meet the requirements in such scenarios, Huawei offers the Smart Healthcare - Healthcare
IoT Solution to add people and things to the Internet of Things (IoT), implementing infant
abduction prevention, infusion management, and medical asset management.

Solution Benefits
The Healthcare IoT Solution brings benefits to customers based on the following advantages:
• Uses technological means to prevent major medical malpractice and security accidents,
  improving hospitals' management capabilities and patient satisfaction.
• Uses technological means for asset location and management to monitor medical assets,
  prevent asset loss, and save labor costs.
• Reuses a WLAN as a healthcare IoT, reducing the healthcare IoT deployment and
  maintenance costs, and facilitating central network management by administrators.

Networking Architecture
As shown in Figure 25-1, the networking architecture of the Healthcare IoT Solution consists
of the terminal, access, pipe, and service application layers.


Figure 25-1 Networking architecture
[Figure: four layers from top to bottom. Service application layer: infusion management
system, infant protection system, and asset management system on the campus LAN. Pipe layer:
AC. Access layer: APs, RFID receiver 1, RFID receiver 2, and exit monitor. Terminal layer:
infusion alarm device, RFID tag, and infant security tag.]

• Terminal layer
  Infusion alarm devices, radio frequency identification (RFID) tags, and infant security
  tags are deployed at this layer and used for infusion management, asset management, and
  infant abduction prevention scenarios.
• Access layer
  RFID receivers and exit monitors are deployed at this layer. RFID receivers can be
  embedded in APs as built-in cards, such as RFID receiver 1 in the preceding figure. They
  can also be inserted into USB ports of APs as external USB modules or connected to
  APs through USB extension cables, such as RFID receiver 2 in the preceding figure.
• Pipe layer
  Network devices such as APs, ACs, and switches are deployed at this layer. The pipe
  layer is used only for forwarding packets of healthcare IoT devices.
• Service application layer
  Platform systems such as the infusion management system, infant protection system, and
  asset management system are deployed at this layer. These systems can be deployed on
  either the same server or different servers.


Involved Products

Table 25-1 Involved products

| Device | Function | Vendor |
|---|---|---|
| AP | It provides a slot or USB port for an RFID receiver. RFID receivers connect to a WLAN through APs. | Huawei. Only the R250D-E, R251D-E, AP4050DN-E, AP7052DN, AP7152DN, AP4030TN, AP2050DN, AP2050DN-E, AP6050DN, AP6150DN, AP7050DN-E, AP7050DE, AP4051DN, AP4151DN, AP4051TN, AP6052DN, AP7052DE, AP2051DN, and AP2051DN-E can be used. Among them, the AP4050DN-E, AP7052DN, and AP7152DN can connect to RFID receivers through card slots or USB ports, while the other APs can connect to RFID receivers only through USB ports. |
| AC | It manages and delivers configurations to APs, and works together with the APs. | Huawei |
| Switch | It is used to build a networking structure and forward packet data on the network. | Huawei |
| Infusion alarm device | It detects the infusion status of patients, and sends information to the host computer at the nurse workstation. When detecting infusion completion, the infusion alarm device stops infusing fluids while reporting an alarm. | Enjoyor |
| Handheld digital terminal | It is used to scan barcodes on fluid bags and patient wristbands, and send information to a host computer. The host computer associates patients with fluid bags. | Enjoyor |
| Barcode printer | It is used to print barcodes that are pasted on fluid bags or bottles for identification. | Enjoyor |
| Wireless calling unit | It is used by patients for calling nurses. | Enjoyor |
| Infant security tag | It is an electronic security tag used for exchanging data with exit monitors and RFID receivers, and sending information such as exit monitor IDs to RFID receivers. | Enjoyor |
| RFID receiver | It can be embedded in an AP as a built-in card, or connected to an AP through the USB port as an external USB module. | Enjoyor |
| Exit monitor | It is used for precisely locating infants to prevent infant abductions. | Enjoyor |
| Audible and visual alarm device | It sends audible and visual alarms if exit monitors detect alarm events in a geo-fence. | Enjoyor |
| Electronic wrist strap | It is a wrist strap that works with infant security tags and is harmless to infant skin. | Enjoyor |
| Infusion management system | It manages infusion processes efficiently to ensure infusion security. | Enjoyor |
| Infant protection system | It monitors and manages operation of the entire system. | Enjoyor |
| Asset management system | It monitors and manages operation of the entire system. | Enjoyor |

25.2 Understanding the Healthcare IoT Solution

25.2.1 Infant Abduction Prevention


To implement infant abduction prevention, infants wear security tags, and information about
the tags, infants, and mothers is bound in the back-end infant protection system. The infant
protection system identifies infant security tags through exit monitors in wards and records
infant locations in real time. Mothers can use a mobile app to confirm infant identities and
prevent infant abductions. When infant security tags approach exit monitors at entrances/exits
of geo-fences, audible and visual alarm devices are triggered to report alarms, preventing
infant abductions.
As shown in Figure 25-2, in infant abduction prevention scenarios, the APs in wards have
RFID receivers deployed. The RFID receivers are embedded in the APs as built-in cards, or
connected to the APs through USB ports as external USB modules. Exit monitors 1 and 2 are
deployed at entrances/exits of the wards. Exit monitor 3 and an audible and visual alarm
device are deployed at access control entrances/exits of the geo-fence. These exit monitors are
connected to an access switch through wired Ethernet links. Locations of exit monitors are
configured in the infant protection system.
Infant abduction prevention provides three sub-functions: mother-baby matching, infant
location, and geo-fencing.

Mother-Baby Matching
Figure 25-2 shows how mother-baby matching is implemented.


Figure 25-2 Networking diagram for mother-baby matching
[Figure: the infant protection system and the mobile app connect through the switch and AC
to the APs with RFID receivers in Ward 1 and Ward 2. Exit monitors 1 and 2 are at the ward
entrances/exits; exit monitor 3 and the audible and visual alarm device are at the geo-fence
entrance/exit. The numbers 1 to 6 in the figure mark the steps below.]

1. Security tags are put on for infants after they are born, and information about the infants,
security tags, and mothers is recorded in the infant protection system.
2. Exit monitors in wards where mothers are located use a 125 kHz radio module to
broadcast their own information such as IDs. Infant security tags receive the information
through 125 kHz radio modules.
3. Through 433 MHz radio modules, infant security tags send tag information and received
exit monitor information to RFID receivers. The RFID receivers receive the information
through 433 MHz radio modules.
4. The RFID receivers forward the information to the infant protection system through APs
and Ethernet links.
5. The infant protection system matches mother and infant information.
6. Mothers use the mobile app provided by the hospital to obtain mother-baby matching
results from the infant protection system, and view current infant information on the app.


Mothers can also use the barcode scanning function of the app to scan QR codes on
infant security tags to obtain more precise matching information.
If multiple mothers are in a ward, the exit monitor can only locate infants in the ward.
Mothers need to scan QR codes to confirm infant identities.

Infant Location
Figure 25-3 shows how infant location is implemented.

Figure 25-3 Networking diagram for infant location
[Figure: same topology as Figure 25-2 (infant protection system, mobile app, switch, AC, APs
with RFID receivers in Ward 1 and Ward 2, exit monitors 1 to 3, and the audible and visual
alarm device). The numbers 1 to 4 in the figure mark the steps below.]

1. When infants approach exit monitors at entrances/exits of the wards, 125 kHz radio
modules of infant security tags receive Beacon frames sent by the exit monitors.
2. Through 433 MHz radio modules, the infant security tags send information about exit
monitors such as IDs to RFID receivers.
3. The RFID receivers forward the information to the infant protection system through APs
and Ethernet links.


4. The infant protection system matches the received information about exit monitors such
as IDs with preset location information to locate infants and monitor infant locations in
real time.

Geo-Fencing
Figure 25-4 shows how geo-fencing is implemented for infant abduction prevention.

Figure 25-4 Networking diagram for geo-fencing
[Figure: same topology as Figure 25-2, with the infant security tag near exit monitor 3 and
the audible and visual alarm device at the geo-fence entrance/exit. The numbers 1 to 4 in
the figure mark the steps below.]

1. When infants approach exit monitor 3 at the entrance/exit of the geo-fence, 125 kHz
radio modules of infant security tags receive Beacon frames sent by the exit monitor.
2. Through 433 MHz radio modules, the infant security tags then send information about the
exit monitor such as the ID to the 433 MHz radio module of the exit monitor.
3. After receiving the information, the exit monitor immediately triggers the audible and
visual alarm device to report an alarm, and sends alarm information to the infant
protection system through a wired Ethernet link.


4. The infant protection system records the alarm information.

25.2.2 Medical Asset Management


The implementation of medical asset management is similar to that of infant abduction
prevention. The difference is that RFID tags are attached to assets. Both infant security tags
and RFID tags have 433 MHz and 125 kHz radio modules. Similar to the infant abduction
prevention system, the medical asset management system locates assets by identifying
locations of exit monitors.
1. RFID tags are attached to medical assets to uniquely identify them.
2. When assets approach exit monitors at entrances/exits, 125 kHz radio modules of RFID
tags receive Beacon frames sent by the exit monitors.
3. Through 433 MHz radio modules, the RFID tags send RFID tag IDs and received exit
monitor information to RFID receivers.
4. The RFID receivers then forward the received information to the medical asset
management system through APs and upstream Ethernet links.
5. The medical asset management system matches the received information such as exit
monitor IDs with the preset location information about the exit monitors, and then
identifies asset locations. This system enables regional location of assets and real-time
monitoring of asset locations.

25.2.3 Infusion Management


To achieve infusion management, infusion sensors report real-time infusion status to the
infusion management system. The infusion management system monitors the entire infusion
process, prevents medical malpractice, and facilitates timely fluid changes.
In infusion management scenarios, hospitals record information about patients, diagnosis,
beds, medicines, and infusion processes in databases. The infusion management system can
obtain related information from the databases. Figure 25-5 shows how infusion management
is implemented.

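Figure 25-5 Networking diagram for infusion management
[Figure: the patient wrist strap and infusion sensor communicate with the RFID receiver on
the AP over a 433 MHz RFID radio signal; the AP connects through the switch to the AC and
the infusion management system. The numbers 1 to 3 in the figure mark the steps below.]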


1. Before an infusion, a patient puts on a wrist strap, and a nurse uses a handheld digital
terminal to scan the barcode on the wrist strap. In this way, the infusion management
system can obtain infusion information about the patient from the database and associate
infusion information with patient information.
2. The infusion sensor sends infusion parameters to the RFID receiver through the 433
MHz radio module.
3. The RFID receiver then forwards the received information to the infusion management
system through the AP and upstream Ethernet link.
4. The infusion management system performs computing based on the infusion parameters
and infusion sensor parameters, and displays the infusion computing result. In this way,
the system can monitor the entire infusion process and report alarms if necessary.
The infusion management process is as follows:
1. Infusion registration: When patients need infusions, nurses use barcode printers to print
barcodes and paste them on fluid bags. Nurses use handheld digital terminals to scan
barcodes on patients' wrist straps and fluid bags, and associate infusion information with
patient information.
2. Process monitoring: Infusion alarm devices send information about the fluid dripping
speed to the infusion management system in real time. The infusion management system
displays the real-time infusion status.
3. Infusion alarm reporting: When the fluid dripping speed is too high or low, or infusion is
complete, audible alarms are generated on the LCD at nurse workstations.
4. Infusion termination: When infusion is complete and no fluid is left, infusion alarm
devices automatically block infusion tubes to prevent blood backflow.

25.3 Implementation Precautions for the Healthcare IoT Solution

Software and Hardware Installation Precautions
RFID receivers are embedded in the APs as built-in cards, or connected to the APs through
USB ports as external USB modules. An RFID receiver can connect to an R250D-E or
R251D-E only through a USB port, or to an AP4050DN-E, AP7052DN, or AP7152DN
through a slot or USB port.
Service Planning Precautions
In infant abduction prevention and infusion management scenarios, only Layer 2 and Layer 3
networking architectures are supported, and NAT traversal is not supported.
Configuration Precautions
When Enjoyor IoT cards are used, it is recommended that static IP addresses be configured
for APs. This is because IP addresses of IoT cards are added on Enjoyor servers and IoT cards
use AP IP addresses for communication. If AP IP addresses are dynamically allocated through
DHCP, AP IP addresses that dynamically change may be inconsistent with those added on
Enjoyor servers.


25.4 Software and Hardware Installation for the Healthcare IoT Solution

Installing APs (Including RFID Receivers)


For details on how to install APs, see the AP hardware installation and maintenance guide.

Installing Exit Monitors and Audible and Visual Alarm Devices


Install exit monitors and audible and visual alarm devices according to related documents
obtained from vendors. The detailed operations are not described in this document.

Installing Healthcare Management Systems


Healthcare management systems include the infusion management system, infant protection
system, and asset management system, and can be deployed on the same server or different
servers. Install the systems according to related documents obtained from vendors. The
detailed operations are not described in this document.

25.5 Configuration Guide for the Healthcare IoT Solution

25.5.1 Configuring Network Interworking

Configure network interworking of network elements (NEs) to ensure proper data
transmission.

Configuring Management Packet Exchange


Management packets between an AC and APs are transmitted only on the network between
them. To ensure that the AC and APs exchange management packets properly, configure
correct VLANs or routes.

Configuring Service Packet Exchange


Service packets are transmitted between STAs and the upper-layer network. Configure service
packet exchange to ensure proper transmission of service packets.

Configuring APs and STAs to Communicate with a DHCP Server


APs and STAs must obtain IP addresses from a DHCP server; therefore, you need to
configure the APs and STAs to communicate with the DHCP server.


Configuring Interworking Between RFID Receivers and the Infant Protection System/Infusion Management System/Asset Management System

• In infant abduction prevention scenarios, configure interworking between RFID
  receivers and the infant protection system.
• In infusion management scenarios, configure interworking between RFID receivers and
  the infusion management system.
• In asset management scenarios, configure interworking between RFID receivers and the
  asset management system.
Ensure that the RFID receivers can exchange packets with these systems.

25.5.2 Configuring APs to Go Online

Context
After network interworking is configured, configure the APs to go online on the AC, so that
the AC can deliver configurations to the APs, such as configurations for interworking
between RFID receivers and APs, and wireless service coverage configurations.
This document only describes basic go-online configurations of APs on the AC. For more
information, see 5.9 Configuring APs to Go Online.
Perform the following operations on the AC to configure an AP to go online.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run interface vlanif vlan-id
A VLANIF interface is created, and the VLANIF interface view is displayed.
By default, no VLANIF interface is created.
Step 4 Run ip address ip-address { mask | mask-length }
An IP address and a subnet mask are configured for the VLANIF interface.
By default, no IP address is configured for a VLANIF interface.
Step 5 Run quit
Return to the system view.
Step 6 Run capwap source interface vlanif vlan-id
The VLANIF interface is configured as the source interface of the CAPWAP tunnel
established between the AP and AC.
By default, no source interface is configured for the CAPWAP tunnel established between the
AP and AC.


Step 7 Run wlan

The WLAN view is displayed.

Step 8 Run regulatory-domain-profile name profile-name

A regulatory domain profile is created and the regulatory domain profile view is displayed.

By default, the system provides the regulatory domain profile default.

Step 9 Run country-code country-code

The country code is configured.

By default, the country code CN is configured.

Step 10 Run quit

Return to the WLAN view.

Step 11 Run ap-group name group-name

An AP group is created, and the AP group view is displayed.

Step 12 Run regulatory-domain-profile profile-name

The regulatory domain profile is bound to the AP group.

By default, the regulatory domain profile default is bound to the AP group.

Step 13 Run quit

Return to the WLAN view.

Step 14 Run ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | ap-sn ap-sn |
ap-mac ap-mac ap-sn ap-sn } ] or ap-mac ap-mac [ type-id type-id | ap-type ap-type ]
[ ap-id ap-id ] [ ap-sn ap-sn ]

The AP is imported in offline mode, and the AP view is displayed.

Step 15 Run ap-name ap-name

The AP name is configured.

By default, no AP name is configured for an AP.

Step 16 Run ap-group group-name

The AP is added to the AP group.

By default, no AP group is configured.

----End

Verifying the Configuration


• Run the display ap all command to check whether the AP goes online on the AC.
• Run the display capwap configuration command to check the source interface or
  source IP address of the AC.
• Run the display regulatory-domain-profile { all | name profile-name } command to
  check the country code configured in the regulatory domain profile.
• Run the display references regulatory-domain-profile name profile-name command to
  check reference information about the regulatory domain profile.

25.5.3 Configuring the Wireless Coverage Service

Context
The WLAN and healthcare IoT can be multiplexed and integrated into one network. This
reduces network deployment and maintenance costs, and helps administrators centrally
manage the networks.
This document provides only basic wireless coverage service configurations. For more
information, see 5 WLAN Service Configuration.
Perform the following configurations on an AC:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run wlan
The WLAN view is displayed.
Step 4 Run security-profile name profile-name
A security profile is created and the security profile view is displayed.
By default, security profiles default, default-wds, and default-mesh are available in the
system.
Using the default security policy of a newly created security profile poses security risks.
You are advised to configure a proper security policy according to actual service
requirements. For the detailed configuration, see 12.4 Configuring a WLAN Security Policy.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run ssid-profile name profile-name
An SSID profile is created, and the SSID profile view is displayed.
By default, the system provides the SSID profile default.
Step 7 Run ssid ssid
An SSID name is configured.
By default, the SSID HUAWEI-WLAN is configured in an SSID profile.
Step 8 Run quit
Return to the WLAN view.


Step 9 Run vap-profile name profile-name


The VAP profile view is displayed.
Step 10 Run security-profile profile-name
The security profile is bound to the VAP profile.
By default, the security profile default is bound to a VAP profile.
Step 11 Run forward-mode { direct-forward | tunnel | softgre profile-name }
The data forwarding mode is configured in the VAP profile.
By default, the forwarding mode is direct-forward in the VAP profile.
Step 12 Run service-vlan { vlan-id vlan-id | vlan-pool pool-name }
A service VLAN is configured for the VAP.
By default, VLAN 1 is the service VLAN of a VAP.
Step 13 Run ssid-profile profile-name
The SSID profile is bound to the VAP profile.
By default, the SSID profile default is bound to a VAP profile.
Step 14 Run quit
Return to the WLAN view.
Step 15 Run ap-group name group-name
An AP group is created, and the AP group view is displayed.
Step 16 Run vap-profile profile-name wlan wlan-id { radio { radio-id | all } }
The VAP profile is bound to radios.
By default, no VAP profile is bound to a radio.
Step 17 Run radio-2g-profile profile-name { radio { radio-id | all } }
A 2G radio profile is bound to radios.
By default, the 2G radio profile default is bound to an AP group.

----End

Verifying the Configuration


• Run the display vap { all | ssid ssid } or display vap { ap-group ap-group-name |
  { ap-name ap-name | ap-id ap-id } [ radio radio-id ] } [ ssid ssid ] command to check
  service VAP information.
• Run the display vap-profile { all | name profile-name } command to check
  configuration and reference information about the VAP profile.
• Run the display references vap-profile name profile-name command to check reference
  information about the VAP profile.
• Run the display security-profile { all | name profile-name } command to check
  configuration and reference information about the security profile.
• Run the display references security-profile name profile-name command to check
  reference information about the security profile.
• Run the display ssid-profile { all | name profile-name } command to check
  configuration and reference information about the SSID profile.
• Run the display references ssid-profile name profile-name command to check
  reference information about the SSID profile.
• Run the display radio-2g-profile { all | name profile-name } command to check
  configuration and reference information about the 2G radio profile.
• Run the display references radio-2g-profile name profile-name command to check
  reference information about the 2G radio profile.

25.5.4 Configuring Parameters for APs to Communicate with the Host Computer

Context
An AP communicates with a healthcare management host computer bidirectionally.
• Before the AP reports data to the host computer, configure the domain name, IP address,
  and port number for the host computer. If these parameters are not configured, serial port
  data reported by the AP will be discarded.
• Before the AP receives configurations delivered by the host computer to IoT cards,
  configure trusted hosts. In this way, only hosts with specified IP addresses can
  communicate with the AP and deliver configurations, protecting the AP against attacks.
  If no trusted host is configured, other hosts can also deliver IoT card configurations to
  the AP.
To enhance communication security, you can configure a shared key for encrypting
communication data between the AP and host computers. The shared key must be the same on
the AP and host computers.
IoT card slots are identified by the UDP port number, which is the mandatory parameter for
communication between the AP and host computer.
Perform the following configurations on an AC:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run iot-profile name profile-name
An IoT profile is created and the IoT profile view is displayed.
By default, no IoT profile is created.
Step 4 Run type common
The IoT card type is set to common.

The default type of an IoT card is common.

Step 5 Run management-server { domain domain-name | server-ip server-ip } server-port server-port-num

The IP address and port number of a host computer are configured.

By default, no host computer is configured.

Step 6 (Optional) Run config-agent permit ip-address ip-address { net-mask | mask-len }

The host computer trusted by the AP is configured.

By default, no trusted host computer is configured.

Step 7 (Optional) Run share-key key-value

A shared key is configured.

By default, no shared key is configured.

Step 8 Run quit

Return to the WLAN view.

Step 9 Apply configurations to an IoT card interface.


l Bind an IoT profile in the IoT card interface view of an AP group.
a. Run the ap-group name group-name command to enter the AP group view.
b. Run the card { card-number | usb } command to enter the IoT card interface view.
c. Run the iot-profile profile-name config-agent { udp-port udp-port | tcp-port tcp-port } command to bind an IoT profile and configure the local port number for the
IoT card interface when the AP functions as a server.
By default, no IoT profile is bound to an IoT card interface.
l Bind an IoT profile in the IoT card interface view of an AP.
a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
AP view.
b. Run the card { card-number | usb } command to enter the IoT card interface view.
c. Run the iot-profile profile-name config-agent { udp-port udp-port | tcp-port tcp-port } command to bind an IoT profile and configure the local port number for the
IoT card interface when the AP functions as a server.
By default, no IoT profile is bound to an IoT card interface.

----End

Verifying the Configuration


l Run the display iot-profile { name profile-name | all } command to check the IoT
profile configuration.
l Run the display references iot-profile name profile-name command to check reference
information about the IoT profile.

25.5.5 Preventing Infant Abductions

Security tags are put on infants after they are born, and information about the infants,
security tags, and mothers is recorded in the infant protection system.
Hospitals provide mothers with a mobile app, so that mothers can obtain information about
their babies from the infant protection system.
Mothers can perform operations according to related documents obtained from the infant
protection system vendor. The detailed operations are not described in this document.

25.5.6 Managing Medical Assets


RFID tags are attached to medical assets to uniquely identify them. In addition, asset
information is recorded in the medical asset management system.
Manage medical assets according to related documents obtained from the medical asset
management system vendor. The detailed operations are not described in this document.

25.5.7 Managing Infusion


When patients need infusions, nurses use barcode printers to print barcodes and paste them on
fluid bags. They use handheld digital terminals to scan barcodes on patients' wrist straps and
fluid bags, and associate fluid information with patient information.
The infusion management system monitors infusion conditions in real time. When the fluid
dripping speed is too fast or slow, or infusion is complete, audible alarms are generated on the
LCD at nurse workstations. After hearing the alarms, nurses can adjust the fluid dripping
speed or take other actions.
Manage infusions according to related documents obtained from the infusion management
system vendor. The detailed operations are not described in this document.

25.5.8 Example for Configuring the Healthcare IoT Solution

Service Requirements
A hospital wants to deploy a network that provides the wireless network access service and
also supports IoT applications for preventing infant abductions.

Networking Requirements
l AC networking mode: Layer 2 networking in bypass mode
l DHCP deployment mode: The AC functions as a DHCP server to assign IP addresses to
STAs.
l Service data forwarding mode: direct forwarding

Figure 25-6 Networking diagram for configuring the Healthcare IoT Solution
[Diagram not reproduced. Labels: Network; Infant protection system; Switch and AC with interfaces GE0/0/1 through GE0/0/4; Mobile app; Ward 1 and Ward 2, each with an AP and an RFID receiver; Infant security tag; Exit monitors 1, 2, and 3; Audible and visual alarm device; legend entry: Entrance/Exit.]

Data Planning

Table 25-2 AC data planning

Item | Data
Management VLAN | VLAN 100
Service VLAN | VLAN 101
AC's source interface | VLANIF 100
DHCP server | The AC functions as a DHCP server to assign IP addresses to STAs.
AP's IP address | Static IP address: 10.23.100.254
IP address pool for STAs | 10.23.101.2 to 10.23.101.254/24
AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net and regulatory domain profile domain1
Regulatory domain profile | Name: domain1; Country code: CN
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567
VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net
IoT profile | Name: wlan-iot; IP address of the host computer: 10.23.100.254; Port number of the host computer: 3000; Shared key: aabb0011@11

Configuration Roadmap
1. Configure network interworking of the AP, switch, AC, and host computer (on which the
infant protection system is deployed).
2. Configure the AC as a DHCP server to assign an IP address to the AP.
3. Configure the AP to go online and configure WLAN services.
4. Configure parameters for the AP to communicate with RFID cards.
5. Configure parameters for the AP to communicate with the host computer.
6. Add the AP's IP address to the host computer and configure the same shared key as that
on the AP.

Configuration Notes
l No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
l Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
l In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the switch and AC to enable the AP to communicate with the AC.
# Configure the access switch, and add GE0/0/1 through GE0/0/3 on the switch to VLAN 100
(management VLAN) and VLAN 101 (service VLAN).
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/3] quit

# Configure the AC, and add GE0/0/1 to VLAN 100 and VLAN 101.

<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 101
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure interworking between the AC and host computer.


# Add GE0/0/4 on the switch connected to the host computer to VLAN 100 and VLAN 101.
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/4] quit

Step 4 Configure the AC as a DHCP server to assign IP addresses to STAs.


# Configure the AC as a DHCP server to assign IP addresses to STAs from the IP address
pool on VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
l In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
l In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.


# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile, and apply
the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group ap-group1. Configure a
name for the AP based on the AP's deployment location, so that you can know where the AP
is located by name. For example, if the AP with MAC address 60de-4476-e360 is deployed in
area 1, name the AP area_1.

NOTE

The default AP authentication mode is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# Configure an IP address for the AP.


[AC-wlan-view] provision-ap
[AC-wlan-provision-ap] address-mode static
[AC-wlan-provision-ap] ip-address 10.23.100.254 24 gateway 10.23.100.1
[AC-wlan-provision-ap] ac-list 10.23.100.1
[AC-wlan-provision-ap] commit ap-name area_1
Warning: The incorrect configuration will cause the AP to go out of management.
This operation will deliver parameter setting and may cause reboot of AP(s). Continue?[Y/N]:y
[AC-wlan-provision-ap] quit

# After the AP is powered on, run the display ap all command to check the AP status. If the
State field in the command output displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type       State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4050DN-E nor   0   25S    -
----------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward

[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure communication parameters between the AP and the RFID card, and configure
communication parameters between the AP and the host computer.
# Create IoT profile wlan-iot, configure the IP address and port number of the host computer,
and configure security communication parameters.
[AC-wlan-view] iot-profile name wlan-iot
[AC-wlan-iot-prof-wlan-iot] type common
[AC-wlan-iot-prof-wlan-iot] management-server server-ip 10.23.100.254 server-port 3000
[AC-wlan-iot-prof-wlan-iot] config-agent permit ip-address 10.23.102.253 255.255.255.0
[AC-wlan-iot-prof-wlan-iot] share-key aabb0011@11
[AC-wlan-iot-prof-wlan-iot] quit

# Bind IoT profile wlan-iot to the IoT card interface.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] card 1
[AC-wlan-group-card-ap-group1/1] iot-profile wlan-iot config-agent udp-port 10000
[AC-wlan-group-card-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

Step 8 Add the AP's IP address to the host computer and configure the same shared key as that on the
AP.
Step 9 Configure exit monitors to connect to the network in wired mode and interwork with the
infant protection system. The detailed operations are not described here.
Step 10 Use the infant protection function according to operation methods of the infant protection
system. For details, see the operation guides provided by vendors.
Step 11 Verify the configuration.
The configuration is automatically delivered to the AP after it is completed. Run the display
vap ssid wlan-net command. If Status in the command output is displayed as ON, a VAP has
been successfully created on the AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 1 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
------------------------------------------------------------------------------------
Total: 2

# Check configuration information about the IoT profile.


[AC-wlan-view] display iot-profile name wlan-iot
--------------------------------------------------------------------------------
Type : common
Agent permit IP address : 10.23.102.253

Agent permit net-mask : 255.255.255.0
Management server IP address : 10.23.100.254
Management server port : 3000
ExtManagement server IP address : -
ExtManagement server port : -
Share key : ******
--------------------------------------------------------------------------------

----End

Configuration Files
l Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
return

l AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa2 psk pass-phrase %^%#cy>>Ce/KCZjbk%'(pjO'$d3L6xs\I(7R_~.ZfhCW%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name domain1
 iot-profile name wlan-iot
  config-agent permit ip-address 10.23.102.253 255.255.255.0
  management-server server-ip 10.23.100.254 server-port 3000
  share-key %^%#:}$U=mz%jCu.$K.XP>pC{(\_*]gOy5qZ)o*T}5SA%^%#
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
  card 1
   iot-profile wlan-iot config-agent udp-port 10000
 ap-id 0 ap-mac 60de-4476-e360
  ap-name area_1
  ap-group ap-group1
 provision-ap
  address-mode static
  ip-address 10.23.100.254 255.255.255.0 gateway 10.23.100.1
  ac-list 10.23.100.1
#
return
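
The trusted-host and shared-key settings described in 25.5.4 can be checked offline against a saved AC configuration file. The following is an added example, not part of the original guide or Huawei tooling: the function names and finding codes are hypothetical, the sample stanza is constructed from the configuration file above with the ciphertext replaced by a placeholder, and SERVER_OUTSIDE_PERMIT assumes that the host computer that receives AP data is also the host that delivers IoT card configurations.

```python
import ipaddress
import re

# Constructed sample: the wlan-iot stanza from the AC configuration file above
# (ciphertext replaced by a placeholder) plus a hypothetical profile, lab-iot,
# that has neither a trusted host nor a shared key.
SAMPLE_CONFIG = """\
wlan
 iot-profile name wlan-iot
  config-agent permit ip-address 10.23.102.253 255.255.255.0
  management-server server-ip 10.23.100.254 server-port 3000
  share-key %^%#PLACEHOLDER-CIPHERTEXT%^%#
 iot-profile name lab-iot
  management-server server-ip 10.23.100.200 server-port 3000
 ap-group name ap-group1
  card 1
   iot-profile wlan-iot config-agent udp-port 10000
"""

# Commands that belong to an IoT profile stanza according to 25.5.4.
SUBCOMMANDS = ("type ", "config-agent permit ", "management-server ", "share-key ")
PERMIT_RE = re.compile(r"config-agent permit ip-address (\S+) (\S+)")
SERVER_RE = re.compile(r"management-server (domain|server-ip) (\S+) server-port (\d+)")


def parse_iot_profiles(text):
    """Collect the settings of every 'iot-profile name <x>' stanza.

    Indentation is ignored, so flattened copies of a configuration file parse too.
    """
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        start = re.fullmatch(r"iot-profile name (\S+)", line)
        if start:
            current = profiles.setdefault(
                start.group(1), {"permit": [], "server": None, "share_key": False})
            continue
        if current is None or not line.startswith(SUBCOMMANDS):
            current = None  # any other command closes the stanza
            continue
        permit = PERMIT_RE.fullmatch(line)
        server = SERVER_RE.fullmatch(line)
        if permit:
            # Accepts a dotted mask or a mask length; host bits are masked off.
            current["permit"].append(ipaddress.ip_network(
                f"{permit.group(1)}/{permit.group(2)}", strict=False))
        elif server:
            current["server"] = (server.group(1), server.group(2), int(server.group(3)))
        elif line.startswith("share-key "):
            current["share_key"] = True
    return profiles


def audit(profiles):
    """Return {profile name: [(finding code, detail), ...]}."""
    report = {}
    for name, cfg in profiles.items():
        findings = []
        if not cfg["permit"]:
            findings.append(("NO_TRUSTED_HOST",
                             "no config-agent permit entry: any host can deliver "
                             "IoT card configurations to the AP"))
        if not cfg["share_key"]:
            findings.append(("NO_SHARED_KEY",
                             "no share-key: AP/host computer traffic is not "
                             "encrypted with a shared key"))
        for net in cfg["permit"]:
            if net.num_addresses > 1:
                findings.append(("BROAD_PERMIT",
                                 f"{net} trusts {net.num_addresses} addresses"))
        server = cfg["server"]
        if server and cfg["permit"] and server[0] == "server-ip":
            addr = ipaddress.ip_address(server[1])
            if not any(addr in net for net in cfg["permit"]):
                findings.append(("SERVER_OUTSIDE_PERMIT",
                                 f"management server {addr} is not covered by "
                                 "any trusted-host entry"))
        report[name] = findings
    return report


if __name__ == "__main__":
    for profile, findings in audit(parse_iot_profiles(SAMPLE_CONFIG)).items():
        for code, detail in findings:
            print(f"{profile}: {code}: {detail}")
```
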

26 Education IoT Solution - Student Health and Safety

26.1 Overview of the Education IoT Solution - Student Health and Safety

Scenario Overview
Students' health and safety are a constant concern for schools and parents, who need to be
able to monitor and query students' health and safety information.
To meet these requirements, Huawei offers the Student Health and Safety Internet of Things
(IoT) Solution. This solution allows schools and parents to monitor and query health and
safety information about students, including the time when they enter and leave schools.

Solution Benefits
This solution brings the following benefits:
l It supports monitoring of students' physical health data and information such as heart
rate, pace, and duration of sleep through student wristbands. Student wristbands can also
record the time when they enter and leave schools. Big Data statistics and analytics can
then be performed on the data, so that effective measures can be taken in time against
abnormal situations.
l A WLAN can be reused as the student health and safety IoT network to achieve network
integration, reduce network deployment and maintenance costs, and help administrators
manage the network.

Network Architecture
As shown in Figure 26-1, the network architecture consists of the terminal layer, access layer,
network layer, and application layer.

Figure 26-1 Network architecture
[Diagram not reproduced. Labels: Application layer: health and safety information server; Network layer: AC and switch; Access layer: APs with RFID cards; Terminal layer: student wristbands; legend entries: 433 MHz RFID radio signal, 2.4 GHz RFID radio signal.]


l Terminal layer
Student wristbands are deployed at this layer.
l Access layer
IoT APs and radio frequency identification (RFID) cards built in the IoT APs are
deployed at this layer.
l Network layer
Network devices such as ACs and switches are deployed at this layer.
l Application layer
A server is deployed at this layer for managing student health and safety information
("server" for short hereinafter).

Related Products

Table 26-1 Related products

Device | Function | Vendor
AP | Provides slots for RFID cards to connect to the WLAN. Only the AP4050DN-E, AP7052DN, and AP7152DN can be used. | Huawei
AC | Manages APs, delivers configurations to them, and works together with them. | Huawei
Switch | It is used to build a networking structure and forward packet data on the network. | Huawei
RFID card | Receives health data and information from student wristbands and reports the data to the server. | Telpo
Student wristband | Collects, records, and reports health and safety data and information about students, including the time when they enter and leave schools. | Telpo
Server | Parses and processes data and information reported from student wristbands, and sends the parsed data to a health platform. | Telpo

26.2 Understanding the Education IoT Solution - Student Health and Safety
The Student Health and Safety IoT Solution provides the following functions:
l Collects statistics on and monitors student health data and information such as the heart
rate, pace, and duration of sleep, and sends the data and information to the health and
safety information server. After being parsed by the server, the data and information is
sent to the health platform. The health platform analyzes the collected health data,
monitors students' health status, and provides health suggestions accordingly.

l Supports query for students' safety information. The time when students enter and leave
schools can be recorded, so that schools and parents can check whether students enter
and leave schools on schedule. The information is also saved as attendance data.
The following shows the implementation principle of this solution.

Student Health
Figure 26-2 shows how the student health management solution is implemented.

Figure 26-2 Networking for student health management
[Diagram not reproduced. Labels: Health and safety information server; AC; Switch; AP; RFID card; Student wristband.]


1. A student wristband collects and buffers health data of a student, such as the heart rate,
pace, and duration of sleep.
2. When the amount of data buffered in the wristband reaches a specified threshold, the
wristband sends the data to the RFID card in the AP through the 433 MHz radio module.
3. The RFID card buffers the received data. When the amount of data buffered in the RFID
card reaches a specified threshold, the RFID card packages the data and sends it to the
upper-layer server through the AP and upstream Ethernet links.
NOTE

The server provided by Telpo can communicate with the RFID card using TCP.
4. The server parses the received data and sends the parsed data to the health platform in
real time.

Student Safety
Figure 26-3 shows how the student safety management solution is implemented.

Figure 26-3 Networking for student safety management
[Diagram not reproduced. Labels: Health and safety information server; AC; Switch; AP outside the school; AP inside the school; Student wristbands.]

1. APs with built-in RFID cards are deployed inside and outside a school to cover areas
inside and outside the school, respectively.
A student wristband inside the school sends its ID to the RFID card of the AP inside the
school through the 2.4 GHz radio module. When the student wristband is outside the
school, it sends its ID to the RFID card of the AP outside the school.
When the student wristband sends its ID to the RFID card of the AP outside the school
first and then to that of the AP inside the school, the student is considered to be
entering the school. When the order is reversed, the student is considered to be leaving
the school.
2. After receiving wristband information, the RFID card sends the information to the upper-
layer server through the AP and upstream Ethernet links.
3. The server parses the wristband ID, RFID card ID, and information report time to obtain
the time when the student enters or leaves the school.
NOTE

The health and safety information server is configured as the host computer of the APs. The host computer in
the following sections refers to the health and safety information server.
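
The enter/leave decision described in the Student Safety steps can be expressed as a small state machine over the reports the server receives. The following is an added example, not code from the guide or from the server vendor: the card IDs, wristband IDs, zone mapping, and report tuples are constructed, and the function name is hypothetical.

```python
from datetime import datetime

# Hypothetical mapping of RFID card IDs to the coverage zone of the AP that
# hosts the card (the page deploys one set of APs inside and one outside).
CARD_ZONE = {"CARD-OUT-01": "outside", "CARD-IN-01": "inside"}

# Constructed reports: (wristband ID, RFID card ID, report time).
# They are deliberately out of order, as they might arrive over the network.
SAMPLE_REPORTS = [
    ("W001", "CARD-IN-01", "2018-09-03T07:59:05"),
    ("W001", "CARD-OUT-01", "2018-09-03T07:58:10"),
    ("W001", "CARD-OUT-01", "2018-09-03T07:58:40"),  # repeat from the same zone
    ("W002", "CARD-IN-01", "2018-09-03T08:10:00"),   # first sighting, no event
    ("W001", "CARD-IN-01", "2018-09-03T12:00:00"),
    ("W001", "CARD-OUT-01", "2018-09-03T16:30:20"),
    ("W002", "CARD-X", "2018-09-03T16:31:00"),       # card ID not in the mapping
    ("W002", "CARD-OUT-01", "2018-09-03T16:32:00"),
]


def infer_events(reports, card_zone):
    """Derive enter/leave events from wristband reports.

    Returns (events, skipped):
      events  - list of (wristband ID, "enter" | "leave", report time)
      skipped - reports whose card ID is unknown, kept for review rather than
                silently dropped or guessed at
    """
    events, skipped = [], []
    last_zone = {}  # wristband ID -> zone of the most recent known report
    ordered = sorted(reports, key=lambda r: datetime.fromisoformat(r[2]))
    for wristband, card, stamp in ordered:
        zone = card_zone.get(card)
        if zone is None:
            skipped.append((wristband, card, stamp))
            continue
        previous = last_zone.get(wristband)
        # Outside first and then inside means entering; the reverse means leaving.
        if previous == "outside" and zone == "inside":
            events.append((wristband, "enter", stamp))
        elif previous == "inside" and zone == "outside":
            events.append((wristband, "leave", stamp))
        last_zone[wristband] = zone
    return events, skipped


if __name__ == "__main__":
    found, unknown = infer_events(SAMPLE_REPORTS, CARD_ZONE)
    for wristband, kind, stamp in found:
        print(f"{stamp} {wristband} {kind}")
    print(f"{len(unknown)} report(s) from unknown RFID cards")
```
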

26.3 Implementation Precautions for the Education IoT Solution - Student Health and Safety
Network Planning Precautions
Telpo's RFID cards use the 2.4 GHz frequency band to communicate with student wristbands,
which may interfere with Wi-Fi radios. Therefore, the RFID cards must use external antennas
to send and receive signals.

When students' arrival time and departure time need to be recorded, the 2.4 GHz radio of APs
works at the same frequency as Telpo's RFID cards. Therefore, interference must be
considered during network planning.

26.4 Software and Hardware Installation for the Education IoT Solution - Student Health and Safety

Installing APs (Including RFID Cards)


For details on how to install APs and RFID cards, see the AP4050DN-E Hardware
Installation and Maintenance Guide or AP7052DN&AP7152DN Hardware Installation
and Maintenance Guide.

Installing a Server
To install a server for managing student health and safety information, contact the server
vendor to obtain related installation documents. The detailed operations are not described in
this document.

26.5 Configuration Guide for the Education IoT Solution - Student Health and Safety

26.5.1 Configuring Network Interworking

Configure network interworking of network elements (NEs) to ensure proper data
transmission.

Configuring Management Packet Exchange


Management packets between the AC and APs are transmitted only on the network between
them. To ensure that the AC and APs exchange management packets properly, you only need
to configure correct VLANs or routes.

Configuring Service Packet Exchange


Service packets are transmitted between STAs and the upper-layer network. Configure service
packet exchange to ensure proper transmission of service packets between STAs and the
upper-layer network.

Student wristbands also need to report service packets. Therefore, ensure that student
wristbands can exchange packets with the upper-layer server.

Configuring APs and STAs to Communicate with the DHCP Server


APs and STAs must obtain IP addresses from a DHCP server. Therefore, you need to
configure the APs and STAs to communicate with the DHCP server.

26.5.2 Configuring APs to Go Online

Context
After network interworking is configured, configure APs to go online on an AC so that the
AC can deliver configurations to the APs.
This document only describes basic go-online configurations of APs on the AC. For more
information, see 5.9 Configuring APs to Go Online.
Perform the following operations on the AC to configure an AP to go online.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run interface vlanif vlan-id
A VLANIF interface is created, and the VLANIF interface view is displayed.
By default, no VLANIF interface is created.
Step 4 Run ip address ip-address { mask | mask-length }
An IP address and a subnet mask are configured for the VLANIF interface.
By default, no IP address is configured for a VLANIF interface.
Step 5 Run quit
Return to the system view.
Step 6 Run capwap source interface vlanif vlan-id
The VLANIF interface is configured as the source interface of the CAPWAP tunnel
established between the AP and AC.
By default, no source interface is configured for the CAPWAP tunnel established between the
AP and AC.
Step 7 Run wlan
The WLAN view is displayed.
Step 8 Run regulatory-domain-profile name profile-name
A regulatory domain profile is created and the regulatory domain profile view is displayed.
By default, the system provides the regulatory domain profile default.
Step 9 Run country-code country-code
The country code is configured.
By default, the country code CN is configured.

Step 10 Run quit
Return to the WLAN view.
Step 11 Run ap-group name group-name
An AP group is created, and the AP group view is displayed.
Step 12 Run regulatory-domain-profile profile-name
The regulatory domain profile is bound to the AP group.
By default, the regulatory domain profile default is bound to the AP group.
Step 13 Run quit
Return to the WLAN view.
Step 14 Run ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | ap-sn ap-sn |
ap-mac ap-mac ap-sn ap-sn } ] or ap-mac ap-mac [ type-id type-id | ap-type ap-type ]
[ ap-id ap-id ] [ ap-sn ap-sn ]
The AP is imported in offline mode, and the AP view is displayed.
Step 15 Run ap-name ap-name
The AP name is configured.
By default, no AP name is configured for an AP.
Step 16 Run ap-group group-name
The AP is added to the AP group.
By default, no AP group is configured.

----End

Verifying the Configuration


• Run the display ap all command to check whether the AP goes online on the AC.
• Run the display capwap configuration command to check the source interface or
  source IP address of the AC.
• Run the display regulatory-domain-profile { all | name profile-name } command to
  check the country code configured in the regulatory domain profile.
• Run the display references regulatory-domain-profile name profile-name command to
  check reference information about the regulatory domain profile.

26.5.3 Configuring the Wireless Coverage Service

Context
A WLAN can be reused as the IoT network for student health and safety management,
reducing network deployment and maintenance costs and helping administrators to manage
the network.
This document provides only basic wireless coverage service configurations. For more
information, see 5 WLAN Service Configuration.


Perform the following operations on the AC to configure an AP to go online.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run vlan batch vlan-id

A VLAN is created.

Step 3 Run wlan

The WLAN view is displayed.

Step 4 Run security-profile name profile-name

A security profile is created and the security profile view is displayed.

By default, security profiles default, default-wds, and default-mesh are available in the
system.

After the security profile is created, using the default security policy has security risks. You
are advised to configure a proper security policy according to actual service requirements. For
the detailed configuration, see 12.4 Configuring a WLAN Security Policy.

Step 5 Run quit

Return to the WLAN view.

Step 6 Run ssid-profile name profile-name

An SSID profile is created and the SSID profile view is displayed.

By default, the system provides the SSID profile default.

Step 7 Run ssid ssid

An SSID name is configured.

By default, the SSID HUAWEI-WLAN is configured in an SSID profile.

Step 8 Run quit

Return to the WLAN view.

Step 9 Run vap-profile name profile-name

The VAP profile view is displayed.

Step 10 Run security-profile profile-name

The security profile is bound to the VAP profile.

By default, the security profile default is bound to a VAP profile.

Step 11 Run forward-mode { direct-forward | tunnel | softgre profile-name }

The data forwarding mode is configured in the VAP profile.

By default, the forwarding mode is direct-forward in the VAP profile.


Step 12 Run service-vlan { vlan-id vlan-id | vlan-pool pool-name }
A service VLAN is configured for a VAP.
By default, VLAN 1 is the service VLAN of a VAP.
Step 13 Run ssid-profile profile-name
The SSID profile is bound to the VAP profile.
By default, the SSID profile default is bound to a VAP profile.
Step 14 Run quit
Return to the WLAN view.
Step 15 Run ap-group name group-name
An AP group is created, and the AP group view is displayed.
Step 16 Run vap-profile profile-name wlan wlan-id radio { radio-id | all }
[ service-vlan { vlan-id vlan-id | vlan-pool pool-name } ]
The VAP profile is bound to radios.
By default, no VAP profile is bound to a radio.

----End

Verifying the Configuration


• Run the display vap { all | ssid ssid } or display vap { ap-group ap-group-name |
  { ap-name ap-name | ap-id ap-id } [ radio radio-id ] } [ ssid ssid ] command to check
  service VAP information.
• Run the display vap-profile { all | name profile-name } command to check
  configuration and reference information about a VAP profile.
• Run the display references vap-profile name profile-name command to check reference
  information about the VAP profile.
• Run the display security-profile { all | name profile-name } command to check
  configuration and reference information about the security profile.
• Run the display references security-profile name profile-name command to check
  reference information about the security profile.
• Run the display ssid-profile { all | name profile-name } command to check
  configuration and reference information about the SSID profile.
• Run the display references ssid-profile name profile-name command to check
  reference information about the SSID profile.

26.5.4 Configuring APs to Communicate with the Host Computer

Context
After receiving information reported by student wristbands, RFID cards send the information
to the host computer through APs and upstream Ethernet links. To enable the RFID cards to
connect to the correct host computer and establish links, configure communication parameters
between the APs and host computer.


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run iot-profile name profile-name
An IoT profile is created and the IoT profile view is displayed.
By default, no IoT profile is created.
Step 4 Run type common
The IoT card type is set to common.
The default type of an IoT card is common.
Step 5 Run management-server { domain domain-name | server-ip server-ip } server-port
server-port-num
The IP address and port number of a host computer are configured.
By default, no host computer is configured.
Step 6 (Optional) Run share-key key-value
A shared key is configured.
By default, no shared key is configured.
Step 7 Run quit
Return to the WLAN view.
Step 8 Apply configurations to an IoT card interface.
• Bind the IoT profile in the IoT card interface view of an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the card card-number command to enter the IoT card interface view.
  c. Run the iot-profile profile-name config-agent tcp-port tcp-port command to bind
     the IoT profile and configure the local port number mapping the IoT card interface.
     By default, no IoT profile is bound to an IoT card interface.
  NOTE

  Telpo's host computer can connect to APs using TCP.

• Bind the IoT profile in the IoT card interface view of an AP.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the card card-number command to enter the IoT card interface view.
  c. Run the iot-profile profile-name config-agent tcp-port tcp-port command to bind
     the IoT profile and configure the local port number mapping the IoT card interface.
     By default, no IoT profile is bound to an IoT card interface.


NOTE

Telpo's host computer can connect to APs using TCP.

----End

Verifying the Configuration


• Run the display iot-profile { name profile-name | all } command to check the IoT
  profile configuration.
• Run the display reference iot-profile name profile-name command to check reference
  information about the IoT profile.

26.5.5 Example for Configuring the Education IoT Solution - Student Health and Safety

Service Requirements
A school pays much attention to health and safety of its students, and desires to use technical
methods to monitor and query students' health and safety information.
To meet these requirements, Huawei provides the Student Health and Safety IoT Solution that
reuses the existing WLAN.

Networking Requirements
• AC networking mode: Layer 2 in bypass mode
• DHCP deployment mode: Configure an AC as the DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding


Figure 26-4 Networking for configuring the Student Health and Safety IoT Solution
[Figure not reproduced. Elements shown: Server; AC (GE0/0/1); Switch (GE0/0/1 to GE0/0/4);
an AP, an AP outside the school, and an AP inside the school, each with an RFID card;
student wristbands. Legend: 433 MHz RFID radio signal; 2.4 GHz RFID radio signal.]

Data Planning

Table 26-2 AC data planning

Item                         Data

Management VLAN              VLAN 100

Service VLAN                 VLAN 101

AC's source interface        VLANIF 100

DHCP server                  The AC functions as a DHCP server to assign IP addresses to
                             APs and STAs.

IP address pool for STAs     10.23.101.2 to 10.23.101.254/24

AP group                     • Name: ap-group1
                             • Referenced profiles: VAP profile wlan-net and regulatory
                               domain profile default

Regulatory domain profile    • Name: default
                             • Country code: CN

SSID profile                 • Name: wlan-net
                             • SSID name: wlan-net

Security profile             • Name: wlan-net
                             • Security policy: WPA-WPA2+PSK+AES
                             • Password: a1234567

VAP profile                  • Name: wlan-net
                             • Forwarding mode: direct forwarding
                             • Service VLAN: VLAN 101
                             • Referenced profiles: SSID profile wlan-net and security
                               profile wlan-net

IoT profile                  • Name: wlan-iot
                             • IP address of the host computer: 10.23.200.1
                             • Port number of the host computer: 3000
                             • Shared key: aabb0011@11

Configuration Roadmap
1. Configure network interworking of the APs, switch, AC, and host computer.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the APs to go online.
4. Configure WLAN services.
5. Configure communication parameters between the APs and host computer.
6. Add IP addresses of the APs to the host computer and configure the same shared key as
that on the APs.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the switch and AC to enable APs to communicate with the AC.
# Configure the access switch. Add GE0/0/1 on the switch to VLAN 100 (management
VLAN), and GE0/0/2 through GE0/0/4 to VLAN 100 and VLAN 101 (service VLANs).
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 to 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] quit

# Configure the AC. Add GE0/0/1 to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 to 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk


[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100


[AC-GigabitEthernet0/0/1] quit

Step 3 Configure network interworking between the APs and server.


Configure routes based on the actual networking situation to ensure network interworking
between the APs and host computer.
Step 4 Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
# Configure the DHCP server based on the address pool of a VLANIF interface.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the APs to go online.


# Create an AP group to which APs with the same configuration are to be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the country code for the AC in the profile, and
bind the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continu
e?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the source interface on the AC.


[AC] capwap source interface vlanif 100

# Import APs offline on the AC and add the APs to the AP group ap-group1. Configure an
AP name based on the AP's deployment location, so that you can know where the AP is
deployed from its name. For example, if an AP with MAC address 60de-4476-e360 is
deployed in a classroom, name the AP room_1. If the APs with MAC addresses
60de-4476-e460 and 60de-4476-e560 are deployed inside and outside the school door,
name the APs door_1 and door_2.
NOTE

The ap auth-mode command sets the AP authentication mode to MAC address authentication by default. If
the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.


[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name room_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e460
[AC-wlan-ap-1] ap-name door_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4476-e560
[AC-wlan-ap-2] ap-name door_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configuration
s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit

# After the APs are powered on, run the display ap all command to check the AP states. If
the State field displays nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------
------------
ID MAC Name Group IP Type State STA
Uptime ExtraInfo
----------------------------------------------------------------------------------
------------
0 60de-4476-e360 room_1 ap-group1 10.23.100.254 AP4050DN-E nor 0
51S -
1 60de-4476-e460 door_1 ap-group1 10.23.100.253 AP4050DN-E nor 0
45S -
2 60de-4476-e560 door_2 ap-group1 10.23.100.252 AP4050DN-E nor 0
25S -
----------------------------------------------------------------------------------
------------
Total: 3

Step 6 Configure WLAN services.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit


# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure communication parameters between the APs and host computer.
[AC-wlan-view] iot-profile name wlan-iot
[AC-wlan-iot-prof-wlan-iot] management-server server-ip 10.23.200.1 server-port 3000
[AC-wlan-iot-prof-wlan-iot] config-agent permit ip-address 10.23.102.253 255.255.255.0
[AC-wlan-iot-prof-wlan-iot] share-key aabb0011@11
[AC-wlan-iot-prof-wlan-iot] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] card 1
[AC-wlan-group-card-ap-group1/1] iot-profile wlan-iot config-agent tcp-port 10000
[AC-wlan-group-card-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

Step 8 Add IP addresses of the APs to the host computer and configure the same shared key as that
on the APs.
Step 9 Verify the configuration.
# The WLAN service configuration is automatically delivered to the APs. After completing
the configuration, run the display vap ssid wlan-net command. If the Status field displays
ON, the VAP has been successfully created on the AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 room_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 1 wlan-net
0 room_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
0 door_1 0 1 60DE-4476-E460 ON WPA/WPA2-PSK 1 wlan-net
0 door_1 1 1 60DE-4476-E470 ON WPA/WPA2-PSK 0 wlan-net
0 door_2 0 1 60DE-4476-E560 ON WPA/WPA2-PSK 1 wlan-net
0 door_2 1 1 60DE-4476-E570 ON WPA/WPA2-PSK 0 wlan-net
----------------------------------------------------------------------------------
--
Total: 6

# Check the IoT profile configuration.


[AC-wlan-view] display iot-profile name wlan-iot
--------------------------------------------------------------------------------
Type : common
Agent permit IP address : 10.23.102.253
Agent permit net-mask : 255.255.255.0
Management server IP address : 10.23.200.1
Management server port : 3000
ExtManagement server IP address : -
ExtManagement server port : -
Share key : ******
--------------------------------------------------------------------------------

----End


Configuration Files
• Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#CU9SYQg[.Vxx;xH%>nwFA.WJ6i/Fm~me>&W%`b/-%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 iot-profile name wlan-iot
  config-agent permit ip-address 10.23.102.253 255.255.255.0
  management-server server-ip 10.23.200.1 server-port 3000
  share-key %^%#vj*JIT.]q%6Q6[VqoHMJHs(5Oss3g3*%@r9Vy%aW%^%#
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
  card 1
   iot-profile wlan-iot config-agent tcp-port 10000
 ap-id 0 ap-mac 60de-4476-e360 ap-sn 210235419610D2000066
  ap-name room_1
  ap-group ap-group1
 ap-id 1 ap-mac 60de-4476-e460 ap-sn 210235419610D2000067
  ap-name door_1
  ap-group ap-group1
 ap-id 2 ap-mac 60de-4476-e560 ap-sn 210235419610D2000068
  ap-name door_2
  ap-group ap-group1
#
return
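
An added example, not part of the Huawei guide: a Python audit of a saved AC configuration for three points this chapter raises, namely a VAP profile left on the default security profile or default security policy, tunnel forwarding with the service VLAN equal to the management VLAN, and an IoT profile with no shared key. The sample configuration, the finding names, and the function names are constructed for illustration, and the code assumes the one-space-per-level indentation of a saved configuration file.

```python
import re

# Constructed sample, modelled on the AC configuration file of this example but
# deliberately weakened: VAP profile "guest" keeps the default security profile,
# security profile "empty" sets no policy, VAP profile "tunnel" reuses the
# management VLAN, and IoT profile "iot-nokey" has no shared key.
WEAK_CONFIG = """\
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#constructed-ciphertext%^%# aes
 security-profile name empty
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 vap-profile name guest
  service-vlan vlan-id 101
 vap-profile name nopolicy
  service-vlan vlan-id 101
  security-profile empty
 vap-profile name tunnel
  forward-mode tunnel
  service-vlan vlan-id 100
  security-profile wlan-net
 iot-profile name wlan-iot
  management-server server-ip 10.23.200.1 server-port 3000
  share-key %^%#constructed-ciphertext%^%#
 iot-profile name iot-nokey
  management-server server-ip 10.23.200.1 server-port 3000
#
return
"""

BLOCK = re.compile(r"^(security-profile|vap-profile|iot-profile) name (\S+)$")
CAPWAP = re.compile(r"^capwap source interface vlanif\s*(\d+)$", re.I)


def parse(text):
    """Return (management_vlan, {kind: {name: [sub-commands]}}) for the wlan view."""
    mgmt_vlan, blocks, current, in_wlan = None, {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip(" "))
        m = CAPWAP.match(line)
        if m:  # the CAPWAP source VLANIF identifies the management VLAN
            mgmt_vlan = int(m.group(1))
        if indent == 0:
            in_wlan, current = (line == "wlan"), None
        elif in_wlan and indent == 1:
            m = BLOCK.match(line)
            current = blocks.setdefault(m.group(1), {}).setdefault(m.group(2), []) if m else None
        elif in_wlan and current is not None:
            current.append(line)
    return mgmt_vlan, blocks


def arg(cmds, keyword):
    """Return the text after `keyword` in the first matching sub-command, else None."""
    for cmd in cmds:
        if cmd == keyword or cmd.startswith(keyword + " "):
            return cmd[len(keyword):].strip()
    return None


def audit(text):
    """Return a list of (finding, profile-name) tuples."""
    mgmt_vlan, blocks = parse(text)
    sec_profiles = blocks.get("security-profile", {})
    findings = []
    for name, cmds in blocks.get("vap-profile", {}).items():
        bound = arg(cmds, "security-profile")
        if bound is None:
            # No binding saved: the security profile "default" is in use.
            findings.append(("vap-default-security-profile", name))
        elif arg(sec_profiles.get(bound, []), "security") is None:
            # The bound profile sets no policy, so the default policy applies.
            findings.append(("security-profile-default-policy", name))
        # An absent service-vlan line means the default, VLAN 1.
        vlan = re.search(r"vlan-id (\d+)", arg(cmds, "service-vlan") or "vlan-id 1")
        if arg(cmds, "forward-mode") == "tunnel" and vlan and int(vlan.group(1)) == mgmt_vlan:
            findings.append(("tunnel-service-vlan-equals-management-vlan", name))
    for name, cmds in blocks.get("iot-profile", {}).items():
        if arg(cmds, "share-key") is None:
            findings.append(("iot-profile-without-share-key", name))
    return findings


if __name__ == "__main__":
    for finding, profile in audit(WEAK_CONFIG):
        print(f"{profile}: {finding}")
```
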


27 Enterprise IoT Solution - Energy Efficiency Management

27.1 Overview of the Enterprise IoT Solution - Energy Efficiency Management

Scenario Overview
Energy consumption costs enterprises a lot of money and is not environment-friendly.
Enterprises want to use automatic means to achieve environmental protection, save energy,
and reduce energy costs.
To meet these requirements, Huawei provides an energy efficiency management IoT solution
to implement centralized monitoring and intelligent control over electrical appliances such as
lighting devices and air conditioners in buildings. In this way, the enterprises can collect
statistics on the overall energy consumption of the buildings in real time for analysis, and take
effective measures to adjust energy usage to prevent energy waste and improve economic
benefits.

Solution Benefits
This solution brings the following benefits:
• Enterprises can use automatic means to achieve environmental protection, save energy,
  and reduce energy costs.
• A WLAN can be reused as an energy efficiency management IoT network to achieve
  network integration, reduce network deployment and maintenance costs, and help
  administrators centrally manage the network.

Network Architecture
As shown in Figure 27-1, the network architecture of the energy efficiency management IoT
solution consists of the terminal layer, access layer, network layer, and application layer.


Figure 27-1 Network architecture
[Figure not reproduced. Layers and elements shown: application layer (BEMS, EEM, EBT);
network layer (IoT gateway, switch, AC, APs); access layer (ZigBee cards); terminal layer
(intelligent switch, sensor).]

• Terminal layer
  Sensors and smart switches are deployed at this layer. Common sensors include
  temperature sensors, light sensors, infrared sensors, and airflow sensors.
• Access layer
  ZigBee cards are located at this layer.
• Network layer
  APs, IoT gateways, switches, and ACs are deployed at this layer.
• Application layer
  The Building Energy Management System (BEMS), Enterprise Energy Module (EEM),
  and EEM boost tools (EBT) are deployed at this layer.


Related Products

Table 27-1 Related products


Device: AP
Function: Provides slots for ZigBee cards to connect to the WLAN. An AP converts uplink
packets received from ZigBee cards through the serial port into Ethernet packets, and sends
the packets to an IoT gateway. An AP can also convert downlink data received from an IoT
gateway into serial port data and transparently transmit the data to the ZigBee cards.
Vendor: Huawei. Only the AP4050DN-E, AP7052DN, and AP7152DN can be used.

Device: AC
Function: Manages APs, delivers configurations to them, and works together with them.
Vendor: Huawei

Device: Switch
Function: It is used to build a networking structure and forward packet data on the network.
Vendor: Huawei

Device: BEMS
Function: Allows users to deliver energy efficiency management configurations, and
completes energy efficiency management and monitoring based on data reported by an IoT
gateway.
Vendor: Honeywell or iSoftStone

Device: EEM
Function: Converts energy efficiency management configurations to energy efficiency
management policies and sends the policies to an IoT gateway. EEM is a component of the
Agile Controller that needs to be deployed.
Vendor: Huawei

Device: Server
Function: Used to deploy the BEMS and corresponding database.
Vendor:
• Hardware: at least 12-core CPU, 16 GB memory, provided by Huawei
• Operating system: Windows Server 2008 R2 Enterprise 64-bit, prepared by customers
• Browser: Internet Explorer 8.0 or higher, prepared by customers

Device: IoT gateway
Function: Receives data from sensors and energy efficiency management policies delivered
by the EEM, matches energy efficiency management policies based on sensor data, and
delivers the policies to the sensors through ZigBee cards.
Vendor: Huawei. Only the AR169RW-P-M9, AR502EGRz-L, and AR502EGRz-Lc can be used.
A Niagara container needs to be installed on the IoT gateway.

Device: ZigBee card
Function: Communicates with sensors through ZigBee radios and connects to an AP through
the mini PCIe port.
Vendor: Huawei

Device: Sensor
Function: Collects surrounding environment data and sends the data to the IoT gateway.
Sensors are deployed in office areas.
Vendor: Fenjin

Device: Smart switch
Function: Performs energy efficiency management operations, such as turning on or off a
lamp.
Vendor: Huawei

27.2 Understanding the Enterprise IoT Solution - Energy Efficiency Management
Figure 27-2 shows implementation of the energy efficiency management IoT solution.


Figure 27-2 Network for the energy efficiency management IoT solution
[Figure not reproduced. Elements shown: BEMS, EEM, IoT gateway, switch, AC, APs, ZigBee
cards, and sensors, with numbered callouts 1 to 4.]

1. Configure energy efficiency management policies on the BEMS and deliver them to the
EEM.
2. The EEM converts the energy efficiency management configurations into energy
efficiency management policies and distributes the policies to the IoT gateway.
3. Sensors send sensed data to ZigBee cards using 2.4 GHz radio signals. The ZigBee cards
then report the data to the IoT gateway. The IoT gateway matches received data based on
energy efficiency management policies, and sends matched policies to the function
execution modules of sensors for energy efficiency management and control.
For example, if the IoT gateway receives data indicating high temperature from a
temperature sensor, it matches the data based on energy efficiency management policies.
A matched policy is found, indicating the air conditioner should be switched on and
adjusted to 26°C. The IoT gateway sends the policy to the sensor, and then the sensor
function module executes the received policy.
4. The IoT gateway sends the data reported by sensors to the BEMS. The BEMS centrally
monitors environment parameters.

Network Interworking Between APs and Host Computers


On the network for energy efficiency management shown in Figure 27-3, an AP needs to
establish TCP channels with two host computers.


Figure 27-3 Network interworking between APs and host computers
[Figure: BEMS, EEM, EBT, IoT gateway with Niagara container, switch, AC, APs with ZigBee cards, and sensors. Labels: 1, 2.]

● The first channel is established between an AP and the Niagara container loaded on the
  IoT gateway. You can configure information such as a whitelist, card authentication
  information, and encryption information.
● The second channel is an extended channel established between the AP and the EBT.
  The EBT control platform can detect ZigBee cards and sensors managed by the ZigBee
  cards. You can view the online status and versions of the ZigBee cards, as well as sensor
  information, and upgrade the ZigBee cards using the EBT.

27.3 Implementation Precautions for the Enterprise IoT Solution - Energy Efficiency Management

Software and Hardware Installation Precautions

Perform the following operations at the terminal layer when deploying this solution on the
live network:
● Replace mechanical switches with smart wall switches, dimmer switches, or
  single-controlled modules.
● Replace mechanical sockets with smart sockets.
● Install three-phase load switches to connect to and control air conditioners.
● Install brightness and motion sensors to sense human motions and monitor brightness
  indoors.
● Install temperature and humidity sensors to monitor the temperature and humidity
  indoors.

Network Planning Precautions


● ZigBee cards work on the 2.4 GHz frequency band. Therefore, during network planning
  and deployment, avoid using 2.4 GHz Wi-Fi channels. You can modify the band for
  ZigBee cards using the BEMS.
● Mesh networks can be established between sensors and ZigBee cards. One mesh network
  can have a maximum of 50 nodes and a maximum of four hops. The distance between
  neighboring mesh nodes cannot exceed 25 m. No configuration for the mesh networking
  is required on the AC.

Service Planning Precautions

● It is recommended that the APs connected to the same host computer be added to the
  same AP group.

27.4 Software and Hardware Installation for the Enterprise IoT Solution - Energy Efficiency Management

Installing APs (With ZigBee Cards)


For details on how to install APs, see the Hardware Installation and Maintenance Guide
(AP4050DN-E) or Hardware Installation and Maintenance Guide (AP7052DN&AP7152DN).
Install ZigBee cards by referring to the printed installation guide of the ZigBee cards.

Installing the BEMS


Contact the BEMS provider to obtain related installation documents. The detailed operations
are not described in this document.

Installing the EEM


Components such as the AgileConnect and City Connect need to be installed on the EEM. For
details on how to install the AgileConnect, see the AgileConnect installation guide at
http://support.huawei.com/enterpriseproduct/docTypeNewOffering?lang=en&pid=21488597.
Install the City Connect by referring to the installation guide provided by the vendor such as
iSoftStone.

Installing Niagara Containers


Install Niagara containers on ARs by referring to the installation guide in the Niagara
container software installation package.

Installing the EBT


Contact the EBT provider to obtain related installation documents. The detailed operations are
not described in this document.


Installing Sensors and Smart Switches


Contact vendors of the sensors and smart switches to obtain related installation documents.
The detailed operations are not described in this document.

27.5 Configuration Guide for the Enterprise IoT Solution - Energy Efficiency Management

27.5.1 Configuring Network Interworking


Configure network interworking of network elements (NEs) to ensure proper data
transmission.

Configuring Management Packet Exchange


Management packets between an AC and APs are transmitted only on the network between
them. To ensure that the AC and APs exchange management packets properly, configure
correct VLANs or routes.

Configuring Service Packet Exchange


Service packets are transmitted between STAs and the upper-layer network. Configure service
packet exchange to ensure proper transmission of service packets.

Configuring APs and STAs to Communicate with a DHCP Server


APs and STAs must obtain IP addresses from a DHCP server; therefore, you need to
configure the APs and STAs to communicate with the DHCP server.

Configuring APs to Communicate with the EBT and Niagara Container


An AP needs to establish the first channel with the Niagara container on the IoT gateway and
an extended channel with the EBT. Therefore, the AP must interwork with the Niagara
container and EBT.

Configuring Interworking Between the EMS, EEM, and IoT Gateway


The EMS, EEM, and IoT gateway need to exchange energy efficiency management policies
and data reported by sensors. Therefore, network connectivity between them must be ensured.

27.5.2 Configuring APs to Go Online

Context
After network interworking is configured, configure APs to go online on an AC so that the
AC can deliver configurations to the APs.
This document only describes basic go-online configurations of APs on the AC. For more
information, see 5.9 Configuring APs to Go Online.


Perform the following operations on the AC to configure an AP to go online.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run interface vlanif vlan-id
A VLANIF interface is created, and the VLANIF interface view is displayed.
By default, no VLANIF interface is created.
Step 4 Run ip address ip-address { mask | mask-length }
An IP address and a subnet mask are configured for the VLANIF interface.
By default, no IP address is configured for a VLANIF interface.
Step 5 Run quit
Return to the system view.
Step 6 Run capwap source interface vlanif vlan-id
The VLANIF interface is configured as the source interface of the CAPWAP tunnel
established between the AP and AC.
By default, no source interface is configured for the CAPWAP tunnel established between the
AP and AC.
Step 7 Run wlan
The WLAN view is displayed.
Step 8 Run regulatory-domain-profile name profile-name
A regulatory domain profile is created and the regulatory domain profile view is displayed.
By default, the system provides the regulatory domain profile default.
Step 9 Run country-code country-code
The country code is configured.
By default, the country code CN is configured.
Step 10 Run quit
Return to the WLAN view.
Step 11 Run ap-group name group-name
An AP group is created, and the AP group view is displayed.
Step 12 Run regulatory-domain-profile profile-name
The regulatory domain profile is bound to the AP group.


By default, the regulatory domain profile default is bound to the AP group.


Step 13 Run quit
Return to the WLAN view.
Step 14 Run ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | ap-sn ap-sn | ap-mac ap-mac ap-sn ap-sn } ] or ap-mac ap-mac [ type-id type-id | ap-type ap-type ] [ ap-id ap-id ] [ ap-sn ap-sn ]
The AP is imported in offline mode, and the AP view is displayed.
Step 15 Run ap-name ap-name
The AP name is configured.
By default, no AP name is configured for an AP.
Step 16 Run ap-group group-name
The AP is added to the AP group.
By default, no AP group is configured.

----End

Verifying the Configuration


● Run the display ap all command to check whether the AP goes online on the AC.
● Run the display capwap configuration command to check the source interface or
  source IP address of the AC.
● Run the display regulatory-domain-profile { all | name profile-name } command to
  check the country code configured in the regulatory domain profile.
● Run the display references regulatory-domain-profile name profile-name command to
  check reference information about the regulatory domain profile.

27.5.3 Configuring the Wireless Coverage Service

Context
A WLAN can be reused as an energy efficiency management IoT network, reducing network
deployment and maintenance costs and helping administrators centrally manage the network.
This document provides only basic wireless coverage service configurations. For more
information, see 5 WLAN Service Configuration.
Perform the following operations on the AC to configure an AP to go online.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.


Step 3 Run wlan


The WLAN view is displayed.
Step 4 Run security-profile name profile-name
A security profile is created and the security profile view is displayed.
By default, security profiles default, default-wds, and default-mesh are available in the
system.
Leaving a newly created security profile on the default security policy poses security
risks. You are advised to configure a proper security policy according to actual service
requirements. For the detailed configuration, see 12.4 Configuring a WLAN Security Policy.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run ssid-profile name profile-name
An SSID profile is created and the SSID profile view is displayed.
By default, the system provides the SSID profile default.
Step 7 Run ssid ssid
An SSID name is configured.
By default, the SSID HUAWEI-WLAN is configured in an SSID profile.
Step 8 Run quit
Return to the WLAN view.
Step 9 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 10 Run security-profile profile-name
The security profile is bound to the VAP profile.
By default, the security profile default is bound to a VAP profile.
Step 11 Run forward-mode { direct-forward | tunnel | softgre profile-name }
The data forwarding mode is configured in the VAP profile.
By default, the forwarding mode is direct-forward in the VAP profile.
Step 12 Run service-vlan { vlan-id vlan-id | vlan-pool pool-name }
A service VLAN is configured for a VAP.
By default, VLAN 1 is the service VLAN of a VAP.
Step 13 Run ssid-profile profile-name
The SSID profile is bound to the VAP profile.
By default, the SSID profile default is bound to a VAP profile.
Step 14 Run quit


Return to the WLAN view.


Step 15 Run ap-group name group-name
An AP group is created, and the AP group view is displayed.
Step 16 Run vap-profile profile-name wlan wlan-id radio { radio-id | all } [ service-vlan { vlan-id vlan-id | vlan-pool pool-name } ]
The VAP profile is bound to radios.
By default, no VAP profile is bound to a radio.

----End

Verifying the Configuration


● Run the display vap { all | ssid ssid } or display vap { ap-group ap-group-name | { ap-name ap-name | ap-id ap-id } [ radio radio-id ] } [ ssid ssid ] command to check service
  VAP information.
● Run the display vap-profile { all | name profile-name } command to check
  configuration and reference information about a VAP profile.
● Run the display references vap-profile name profile-name command to check reference
  information about the VAP profile.
● Run the display security-profile { all | name profile-name } command to check
  configuration and reference information about the security profile.
● Run the display references security-profile name profile-name command to check
  reference information about the security profile.
● Run the display ssid-profile { all | name profile-name } command to check
  configuration and reference information about the SSID profile.
● Run the display references ssid-profile name profile-name command to check
  reference information about the SSID profile.

27.5.4 Configuring APs to Communicate with Host Computers

Context
On the network for the energy efficiency management solution, an AP needs to establish TCP
channels with two host computers: Niagara container and EBT.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run iot-profile name profile-name
An IoT profile is created and the IoT profile view is displayed.
By default, no IoT profile is created.


Step 4 Run type common

The IoT card type is set to common.

The default type of an IoT card is common.

Step 5 Run management-server { domain domain-name | server-ip server-ip } server-port server-port-num

The first host computer is configured.

By default, no host computer is configured.

The Niagara container is the first host computer and its port number is fixed as 7002.

Step 6 Run management-server { domain domain-name | server-ip server-ip } server-port server-port-num ext-channel

The second host computer is configured.

By default, no host computer is configured.

The EBT is the second host computer and its port number is the same as that on the EBT
configuration page.

Step 7 (Optional) Run share-key key-value

A shared key is configured.

By default, no shared key is configured.

Step 8 Run quit

Return to the WLAN view.

Step 9 Apply configurations to an IoT card interface.


● Bind the IoT profile in the IoT card interface view of an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the card card-number command to enter the IoT card interface view.
  c. Run the iot-profile profile-name config-agent tcp-port tcp-port command to bind
     the IoT profile and configure the local port number mapped to the IoT card interface.
     By default, no IoT profile is bound to an IoT card interface.
  NOTE
  In the energy efficiency management solution, host computers can connect to APs using only
  TCP.
● Bind the IoT profile in the IoT card interface view of an AP.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the card card-number command to enter the IoT card interface view.
  c. Run the iot-profile profile-name config-agent tcp-port tcp-port command to bind
     the IoT profile and configure the local port number mapped to the IoT card interface.
     By default, no IoT profile is bound to an IoT card interface.
  NOTE
  In the energy efficiency management solution, host computers can connect to APs using only
  TCP.

----End

Verifying the Configuration


● Run the display iot-profile { name profile-name | all } command to check the IoT
  profile configuration.
● Run the display reference iot-profile name profile-name command to check reference
  information about the IoT profile.

27.5.5 Configuring Energy Efficiency Management

● Configure energy efficiency management on the BEMS and deliver the configurations to
  the EEM. The EEM converts the energy efficiency management configurations into
  energy efficiency management policies and distributes the policies to the IoT gateway.
● Configure information such as a whitelist, card authentication information, and
  encryption information on the Niagara container.
● View the online status and versions of the ZigBee cards, as well as sensor information on
  the EBT. You can also upgrade the ZigBee cards.
For details about how to install and commission the Niagara container, see the installation and
commissioning guide in the Niagara container software installation package. For other
operations, contact the Niagara container vendor to obtain related documents. The detailed
operations are not described in this document.

27.5.6 Example for Configuring the Enterprise IoT Solution - Energy Efficiency Management

Service Requirements
An enterprise needs to deploy wireless network office services. Because it attaches
importance to environmental protection and energy saving, it wants to use automatic methods
to save energy and reduce energy costs.

To meet these requirements, Huawei provides the energy efficiency management IoT solution
that reuses the existing WLAN.

Networking Requirements
● AC networking mode: Layer 2 in bypass mode
● DHCP deployment mode: Configure an AC as the DHCP server to assign IP addresses to
  APs and STAs.
● Service data forwarding mode: direct forwarding


Figure 27-4 Network for configuring energy efficiency management
[Figure: BEMS, EEM, EBT, AR with Niagara container, Switch, AC, AP with ZigBee card, and sensor. Interface labels: GE0/0/1, GE0/0/1, GE0/0/2.]

Data Planning

Table 27-2 Data planning

| Item | Data |
| --- | --- |
| Management VLAN | VLAN 100 |
| Service VLAN | VLAN 101 |
| AC's source interface | VLANIF 100 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs. |
| IP address pool for STAs | 10.23.101.2 to 10.23.101.254/24 |
| AP group | Name: ap-group1; referenced profiles: VAP profile wlan-net and regulatory domain profile default |
| Regulatory domain profile | Name: default; country code: CN |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; security policy: WPA-WPA2+PSK+AES; password: a1234567 |
| VAP profile | Name: wlan-net; forwarding mode: direct forwarding; service VLAN: VLAN 101; referenced profiles: SSID profile wlan-net and security profile wlan-net |
| IoT profile | Name: wlan-iot; IP address of the Niagara container (host computer): 10.23.200.1; port number of the Niagara container (host computer): 7002; IP address of the EBT (host computer): 10.23.201.1; port number of the EBT (host computer): 50023 |

Configuration Roadmap
1. Configure network interworking between the AR, EEM, and BEMS. Configure APs to
communicate with the AR, Niagara container on the AR, EBT, and AC.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the APs to go online.
4. Configure WLAN services.
5. Configure communication parameters between APs and host computers.
6. Configure APs' IP addresses on the host computers.

Configuration Notes
● No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
● Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure network interworking between the AR, EEM, and BEMS. Configure APs to
communicate with the AR, Niagara container on the AR, EBT, and AC.

Configure routes based on the actual networking to ensure network interworking.

Step 3 Configure the switch and AC to enable APs to communicate with the AC.

# Configure the access switch. Add GE0/0/1 on the switch to VLAN 100, and GE0/0/2 to
VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 to 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] quit

# Configure the AC. Add GE0/0/1 to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 to 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 4 Configure the AC as a DHCP server to assign IP addresses to APs and STAs.

# Configure the DHCP server based on the address pool of a VLANIF interface.


NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the APs to go online.


# Create an AP group to which APs with the same configuration are to be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the country code for the AC in the profile, and
bind the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the source interface on the AC.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group ap-group1. Configure an
AP name based on the AP's deployment location, so that you can know where the AP is
deployed from its name. If the AP with MAC address 60de-4476-e360 is in area 1, name the
AP area_1.
NOTE

The ap auth-mode command sets the AP authentication mode to MAC address authentication by default. If
the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the APs are powered on, run the display ap all command to check the AP states. If
the State field displays nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type       State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4050DN-E nor   0   51S    -
----------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN services.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure communication parameters between APs and host computers. Configure the
mapped IP address of the Niagara container as the IP address of the host computer on the first
channel, and the EBT IP address as the IP address of the host computer on the extended
channel.
[AC-wlan-view] iot-profile name wlan-iot
[AC-wlan-iot-prof-wlan-iot] management-server server-ip 10.23.200.1 server-port 7002
[AC-wlan-iot-prof-wlan-iot] management-server server-ip 10.23.201.1 server-port 50023 ext-channel
[AC-wlan-iot-prof-wlan-iot] share-key aabb0011@11
[AC-wlan-iot-prof-wlan-iot] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] card 1
[AC-wlan-group-card-ap-group1/1] iot-profile wlan-iot config-agent tcp-port 10000
[AC-wlan-group-card-ap-group1/1] quit
[AC-wlan-ap-group-ap-group1] quit

Step 8 Configure APs' IP addresses on the host computers and configure the same shared key as that
on the APs.


Step 9 Configure energy efficiency management policies on the BEMS and deliver them to the EEM.

Step 10 Verify the configuration.


# The WLAN service configuration is automatically delivered to the APs. After completing
the configuration, run the display vap ssid wlan-net command. If the Status field displays
ON, the VAP has been successfully created on the AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 room_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 1 wlan-net
0 room_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
--------------------------------------------------------------------------------
Total: 2

# Check the IoT profile configuration.


[AC-wlan-view] display iot-profile name wlan-iot
--------------------------------------------------------------------------------
Type : common
Agent permit IP address : -
Agent permit net-mask : -
Management server IP address : 10.23.200.1
Management server port : 7002
ExtManagement server IP address : 10.23.201.1
ExtManagement server port : 50023
Share key : ******
--------------------------------------------------------------------------------

# According to information detected by sensors, for example, the ambient temperature
exceeding the threshold and high brightness, the energy efficiency management system
automatically controls the on/off state and working modes of air conditioners and lamps.

----End

Configuration Files
● Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#f}9w={h.2N:H~6ZMbUtPIjkF#:)FI><iec,iA%G&%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 iot-profile name wlan-iot
  management-server server-ip 10.23.200.1 server-port 7002
  management-server server-ip 10.23.201.1 server-port 50023 ext-channel
  share-key %^%#$IL2@\MoU#9Y}z3a``5-)/xc&3.'GD#9T~2Edwl4%^%#
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
  card 1
   iot-profile wlan-iot config-agent tcp-port 10000
 ap-id 0 ap-mac 60de-4476-e360 ap-sn 210235419610D2000066
  ap-name area_1
  ap-group ap-group1
#
return

28 Enterprise IoT Solution - Smart Meeting Rooms

28.1 Overview of the Enterprise IoT Solution - Smart Meeting Rooms

Scenario Overview
In enterprises, meetings may be disturbed by people who come to check whether meeting
rooms are available.
To address this issue, Huawei provides a smart meeting room solution. An electronic display
is installed at the entrance of a meeting room to show whether the meeting room is in use.
This prevents irrelevant personnel from disturbing meetings and improves meeting efficiency.

Solution Benefits
This solution brings the following benefits:
l Meetings will not be disturbed and the meeting efficiency is improved.
l A WLAN can be reused as a smart meeting room IoT network to achieve network
integration, reducing network deployment and maintenance costs and helping
administrators centrally manage the network.

Network Architecture
As shown in Figure 28-1, the network architecture of the smart meeting room IoT solution
consists of the terminal layer, access layer, pipe layer, and application layer.

Figure 28-1 Network architecture
[Figure: electronic display (terminal layer); IoT card (access layer); AP, AC, and switch
(pipe layer); IoT management system and meeting room management system (application layer)]

l Terminal layer
Electronic displays are installed at the entrance of meeting rooms.
l Access layer
IoT cards are located at this layer.
l Pipe layer
Network devices such as APs, ACs, and switches are deployed at this layer.
l Application layer
The meeting room management system and IoT card management system are deployed
at this layer.

Related Products

Table 28-1 Related products

| Device | Function | Vendor |
|---|---|---|
| AP | Provides slots for IoT cards to access the WLAN. | Huawei. Only the AP4050DN-E can be used. |
| AC | Manages APs, delivers configurations to them, and works together with them. | Huawei |
| Switch | It is used to build a networking structure and forward packet data on the network. | Huawei |
| Electronic display | Displays availability of a meeting room. It is installed at the entrance of a meeting room. | Century |
| IoT card | Exchanges data with electronic displays and delivers information to them. | Century |
| IoT management system | Manages IoT cards and electronic displays. | Century |
| Meeting room management system | Manages meeting room reservations and usage, and delivers information to IoT cards. | Customer |

Implementation
The implementation and configuration methods of the smart meeting room IoT solution are
similar to those of the electronic shelf label (ESL) solution. The differences are as follows:
l The smart meeting room IoT solution uses electronic displays to show meeting room
information, while the ESL solution uses ESLs to display commodity prices and
information.
l In the smart meeting room IoT solution, the meeting room management system updates
and delivers information to electronic displays. In the ESL solution, the ERP system
updates and delivers information to ESLs.
For details about the implementation and configuration of the smart meeting room solution,
see 24 Smart Retail IoT Solution - ESL.

29 Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide

29.1 Overview of the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide

Scenario Overview
In traditional shopping malls, shop assistants introduce commodity information or
recommend promotional commodities to customers. This mode has the following
shortcomings:
l The labor cost is high.
l The shopping malls cannot perform Big Data analytics on customers' behavior of
selecting commodities to analyze popularity of commodities.
l Some customers want to select commodities freely, but do not need recommendations
from shop assistants. Shopping experience of customers may degrade if they are
followed by shop assistants.
l When there are a large number of customers, shop assistants may not be able to
introduce commodity information to each of them. As a result, shopping experience of
customers is not good.
In this case, Huawei provides a smart shopping guide solution. When customers pick up
commodities, tablet kiosks can display commodity information to the customers.

Solution Benefits
This solution brings the following benefits:
l The number of shop assistants and labor costs are reduced.
l The smart shopping guide system can perform Big Data analytics on customers' behavior
of picking up commodities and analyze popularity of commodities. The analysis result
will help shopping malls make accurate marketing strategies and increase profits.
l Customers will not be annoyed by merchandising of shop assistants.
l Customers can directly view commodity information displayed on tablet kiosks without
waiting for shop assistants to introduce commodities.

Network Architecture
As shown in Figure 29-1, the network architecture of the smart shopping guide solution
consists of the terminal layer, access layer, network layer, and application layer.

Figure 29-1 Network architecture
[Figure: tablet kiosk, BLE labels, and mobile app (terminal layer, linked by BLE signals);
APs (access layer); AC and switch (network layer); smart shopping guide server
(application layer)]

l Terminal layer
Tablet kiosks, Bluetooth Low Energy (BLE) labels bound to commodities, and mobile
phones with the smart shopping guide app installed are deployed at this layer.
BLE is a new ultra-low-power wireless transmission technology that enables devices to
work at extremely low operating and standby power consumption.
l Access layer
APs are deployed at this layer.
l Network layer
Network devices such as ACs and switches are deployed at this layer.
l Application layer
A smart shopping guide server is deployed at this layer.

Related Products

Table 29-1 Related products


| Device | Function | Vendor |
|---|---|---|
| AP | Provides wireless network coverage for customers or employees. When tablet kiosks are installed, an AP also provides wireless network coverage for them. When no tablet kiosk is installed, an AP receives BLE broadcast frames from BLE labels through its built-in Bluetooth module. | Huawei. When tablet kiosks are installed, indoor APs suitable for shopping malls and supermarkets can be used. When no tablet kiosk is installed, only the APs with built-in Bluetooth modules that are suitable for shopping malls and supermarkets can be used. |
| Agile Controller-DCN | Manages APs, delivers configurations to them, and works together with them. | Huawei |
| Switch | It is used to build a networking structure and forward packet data on the network. | Huawei |
| BLE label | Refers to a label with a gravity sensor. A BLE label is bound to a commodity to sense customers' actions of picking up the commodity. | Century |
| Tablet kiosk | Has the shopping guide app installed and displays commodity information. | Century. A tablet running the Android operating system has a built-in Bluetooth module and a built-in Wi-Fi module installed. It can be used as a kiosk. The Bluetooth module complies with BLE 4.0, while the Wi-Fi module supports 802.11n, a single spatial stream, and the 2.4 GHz frequency band. |
| Smart shopping guide server software | Provides commodity information to be displayed on tablet kiosks, and collects and analyzes Big Data statistics on the data sent by BLE labels. The analysis result is provided for shopping malls to make marketing strategies. | Century |
| Mobile app | Works together with the smart shopping guide server to bind BLE labels to commodities. | Century |
| Smart shopping guide server hardware | A server with the Intel Core i5-7400 CPU or higher, a memory of more than 4 GB, and an SSD hard disk is recommended. The Windows 7 or Windows 10 operating system is supported. | Customer or Century |

29.2 Understanding the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide

The smart shopping guide solution applies to the following sub-scenarios in shopping malls:
l When tablet kiosks are installed, the tablet kiosks display commodity information to
customers, and Big Data statistics can be collected on customers' actions of picking up
commodities. In this sub-scenario, BLE labels must be bound to commodities and tablet
kiosks must be installed on shelves.
l When no tablet kiosk is installed, Big Data statistics can be collected only on customers'
actions of picking up commodities. In this sub-scenario, BLE labels must be bound to
commodities.
The following describes how the smart shopping guide solution is implemented in these sub-
scenarios.

Tablet Kiosks Are Installed


Figure 29-2 shows a scenario with tablet kiosks installed. Tablet kiosks connect to APs
through Wi-Fi and to the smart shopping guide server through the Ethernet, and receive
information from BLE labels through Bluetooth.

Figure 29-2 Network when a tablet kiosk is installed
[Figure: BLE label, tablet kiosk, AP, switch, smart shopping guide server, and AC]

The solution is implemented as follows:

1. A BLE label is bound to a commodity. The mobile app is used to associate the BLE label
with the commodity and synchronize the association information to the smart shopping
guide server.
To associate a BLE label with a commodity, use the mobile phone camera to scan the
commodity barcode and the Bluetooth function of the mobile phone to receive BLE label
information.
2. When a customer picks up the commodity, the BLE label bound to the commodity
detects that the commodity is picked up by sensing the gravity change. The BLE label
then sends a BLE broadcast packet carrying the BLE label ID to the tablet kiosk.
3. After receiving the BLE broadcast packet, the tablet kiosk displays the commodity
information mapped to the BLE label ID if its camera sees a person in front. At the same
time, the tablet kiosk sends the BLE label information to the smart shopping guide server
through Wi-Fi.
– The BLE broadcast packet sent by the BLE label may be received by multiple tablet
kiosks. If the camera of a tablet kiosk sees a person in front of itself, the tablet kiosk
displays commodity information; otherwise, it does not display commodity
information.
– The tablet kiosk has an app installed locally, and the app must have the smart
shopping guide server information configured and can cache information. If the
tablet kiosk has cached the commodity information to be displayed and the smart
shopping guide server verifies that the commodity information will not be updated,
the commodity information is displayed. If no commodity information is cached on
the tablet kiosk or the shopping guide server verifies that the commodity
information needs to be updated, new commodity information will be downloaded
from the tablet kiosk and then displayed.
– If a customer picks up multiple commodities concurrently, the app of the tablet
kiosk will provide a display sequence for the customer to select a commodity whose
information is to be displayed. For example, if a customer picks up commodities A
and B concurrently and information about commodity A is currently displayed, the
customer can select commodity B. The tablet kiosk will then display information
about commodity B.
4. The smart shopping guide server performs Big Data analytics on the data sent by the
BLE label, and provides a visualized analysis result as reference for the shopping mall to
make timely and accurate marketing strategies.

No Tablet Kiosk Is Installed


As shown in Figure 29-3, when no tablet kiosk is installed, BLE labels connect to APs'
Bluetooth modules by sending BLE signals and to the smart shopping guide server through
the Ethernet.

Figure 29-3 Network when no tablet kiosk is installed
[Figure: BLE label, AP, switch, smart shopping guide server, and AC]

The solution is implemented as follows:

1. A BLE label is bound to a commodity. The mobile app is used to associate the BLE label
with the commodity and synchronize the association information to the smart shopping
guide server.
To associate a BLE label with a commodity, use the mobile phone camera to scan the
commodity barcode and the Bluetooth function of the mobile phone to receive BLE label
information.
2. When a customer picks up the commodity, the BLE label bound to the commodity
detects that the commodity is picked up by sensing the gravity change. The BLE label
then sends a BLE broadcast packet carrying the BLE label ID to the tablet kiosk.
3. The AP's Bluetooth module transmits BLE data transparently. After receiving a BLE
broadcast packet, the AP sends the packet to the smart shopping guide server based on
the IP address and port number of the host computer specified on the AP.
4. The smart shopping guide server performs Big Data analytics on the data sent by the
BLE label, and provides a visualized analysis result as reference for the shopping mall to
make timely and accurate marketing strategies.

NOTE

The smart shopping guide server functions as the host computer of APs. Therefore, the host computer in the
following sections refers to the smart shopping guide server.

29.3 Summary of Configuration Tasks for the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide

Table 29-2 Configuration tasks


| Scenario | Description | Task |
|---|---|---|
| Tablet kiosks are installed. | Tablet kiosks display commodity information to customers, and Big Data analytics can be performed on customers' actions of picking up commodities. | 29.6.1 Configuring Network Interworking: Enable network interworking of network elements (NEs) to ensure transmission of management and service packets on the network. |
| | | 29.6.2 Configuring APs to Go Online: Enable APs at the network access layer to go online on an AC. The AC will deliver configurations to the APs. |
| | | 29.6.3 Configuring the Wireless Coverage Service: Enable tablet kiosks to connect to APs in wireless mode and communicate with the smart shopping guide server. To provide wireless network services for customers or employees, configure other SSIDs. |
| | | 29.6.4 Configuring Transparent Transmission of Bluetooth Data (With Tablet Kiosks Installed): Enable BLE data sent by BLE labels to be transparently transmitted to the smart shopping guide server. |
| | | 29.6.6 Associating BLE Labels with Commodities: Enable a BLE label to uniquely identify a commodity. |
| No tablet kiosk is installed. | Big Data statistics can be collected only on customers' actions of picking up commodities. | 29.6.1 Configuring Network Interworking: Enable network interworking of network elements (NEs) to ensure transmission of management and service packets on the network. |
| | | 29.6.2 Configuring APs to Go Online: Enable APs at the network access layer to go online on an AC. The AC will deliver configurations to the APs. |
| | | (Optional) 29.6.3 Configuring the Wireless Coverage Service: Provide wireless network services to customers or employees. |
| | | 29.6.5 Configuring Transparent Transmission of Bluetooth Data (With No Tablet Kiosk Installed): Enable BLE data sent by BLE labels to be transparently transmitted to the smart shopping guide server. |
| | | 29.6.6 Associating BLE Labels with Commodities: Enable a BLE label to uniquely identify a commodity. |

29.4 Implementation Precautions for the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide

Network Planning Precautions
Perform network planning and deployment for tablet kiosks together with other Wi-Fi
terminals. Bandwidth of 1 Mbit/s is recommended for each tablet kiosk.
Century's tablet kiosks support the 802.11n protocol, 2.4 GHz frequency band, and a single
antenna.
When tablet kiosks are installed, indoor APs suitable for shopping malls and supermarkets
can be used. When no tablet kiosk is installed, only the APs with built-in Bluetooth modules
that are suitable for shopping malls and supermarkets can be used.

Service Planning Precautions
MAC address authentication is recommended for the SSID that provides wireless access for
tablet kiosks. Other authentication modes can also be configured, such as PSK authentication
or open system authentication.
Ensure that the SSID providing wireless access for tablet kiosks is different from the SSIDs
providing wireless access for customers/employees.

Configuration Precautions
APs are configured to report Bluetooth packets immediately or at an interval of less than 5
seconds. This is because when a commodity is picked up multiple times within 5 seconds, the
BLE label bound to it is considered to have been picked up only once.
IPv6 addresses are not supported.
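
The following Python check is an added example, not part of the Huawei guide or any Huawei tool. It audits the BLE profiles in an AC configuration against the precautions above, using the commands documented in 29.6.5. The profile names, addresses, port, AP identifiers, and the `allowed_servers` list are constructed for illustration, and the indented layout of a saved configuration is an assumption.

```python
import ipaddress
import re

DEFAULT_INTERVAL_S = 10  # guide: by default, APs send Bluetooth packets every 10 seconds
LIMIT_S = 5              # guide: report immediately or at an interval of less than 5 seconds
REQUIRED = ("sniffer enable transparent-mode", "report enable")  # both are off by default

# Constructed sample, not taken from a device. Commands follow the syntax in 29.6.5;
# the one-space-per-level indentation of a saved configuration is an assumption.
SAMPLE_CONFIG = """\
wlan
 ble-profile name shelf-immediate
  sniffer enable transparent-mode
  report enable
  report-mode immediate
  report-to-server ip-address 192.0.2.10 port 10001
 ble-profile name shelf-slow
  sniffer enable transparent-mode
  report enable
  report-mode periodic interval 10
  report-to-server ip-address 192.0.2.99 port 10001
 ble-profile name shelf-default
  sniffer enable transparent-mode
  report-to-server ip-address 192.0.2.10 port 10001
 ap-group name floor1
  ble-profile shelf-immediate
 ap-id 7 ap-mac 00e0-fc00-0007
  ble-profile shelf-slow
"""


def parse_wlan_blocks(config):
    """Return [(header, [nested lines])] for each block directly under 'wlan'."""
    blocks, in_wlan = [], False
    for raw in config.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip(" "))
        if not line:
            continue
        if indent == 0:
            in_wlan = line == "wlan"
        elif in_wlan and indent == 1:
            blocks.append((line, []))
        elif in_wlan and blocks:
            blocks[-1][1].append(line)
    return blocks


def report_interval(lines):
    """Seconds between reports: 0 for immediate mode, the default when unset."""
    for line in lines:
        m = re.fullmatch(r"report-mode (immediate|periodic)(?: interval (\d+))?", line)
        if m and m.group(1) == "immediate":
            return 0
        if m:  # assumption: 'periodic' without an interval keeps the default
            return int(m.group(2) or DEFAULT_INTERVAL_S)
    return DEFAULT_INTERVAL_S


def destination_findings(lines, allowed_servers):
    """Check the report-to-server target: present, IPv4, and an expected host."""
    pattern = r"report-to-server ip-address (\S+) port \d+(?: via-ac ac-port \d+)?"
    for line in lines:
        m = re.fullmatch(pattern, line)
        if m:
            host = m.group(1)
            try:
                ipaddress.IPv4Address(host)  # guide: IPv6 addresses are not supported
            except ValueError:
                return [f"destination {host} is not an IPv4 address"]
            if allowed_servers and host not in allowed_servers:
                return [f"destination {host} is not an expected host computer"]
            return []
    return ["no report-to-server destination configured"]


def audit_ble_profiles(config, allowed_servers=()):
    """Map each BLE profile name to its findings; an empty list means compliant."""
    profiles, bound = {}, set()
    for header, nested in parse_wlan_blocks(config):
        m = re.fullmatch(r"ble-profile name (\S+)", header)
        if m:
            profiles[m.group(1)] = nested
        elif header.startswith(("ap-group name ", "ap-id ")):
            bound.update(b.group(1) for line in nested
                         if (b := re.fullmatch(r"ble-profile (\S+)", line)))
    report = {}
    for name, lines in profiles.items():
        findings = [f"'{cmd}' is missing" for cmd in REQUIRED if cmd not in lines]
        interval = report_interval(lines)
        if interval >= LIMIT_S:
            findings.append(f"report interval {interval} s is not below {LIMIT_S} s")
        findings += destination_findings(lines, allowed_servers)
        if name not in bound:
            findings.append("profile is not bound to any AP group or AP")
        report[name] = findings
    return report


if __name__ == "__main__":
    print(audit_ble_profiles(SAMPLE_CONFIG, allowed_servers={"192.0.2.10"}))
```

A profile with no report-mode line is flagged because the 10-second default is above the 5-second limit, which is the case most easily missed in review.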

29.5 Software and Hardware Installation for the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide

Installing APs
For details on how to install APs, see the AP Hardware Installation and Maintenance Guide.

Installing a Smart Shopping Guide Server


Install the smart shopping guide server hardware and software, and install the smart shopping
guide app on a mobile phone. You can prepare the smart shopping guide server hardware by
yourself. Contact the vendor of the smart shopping guide server to obtain related installation
documents. The detailed operations are not described in this document.

Installing Tablet Kiosks


Contact the vendor of tablet kiosks to obtain related installation documents. The detailed
operations are not described in this document.

Installing BLE Labels


Contact the vendor of BLE labels to obtain related installation documents. The detailed
operations are not described in this document.

29.6 Configuration Guide for the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide

29.6.1 Configuring Network Interworking


Configure network interworking of network elements (NEs) to ensure proper data
transmission.

Configuring Management Packet Exchange


Management packets between the AC and APs are transmitted only on the network between
them. To ensure that the AC and APs exchange management packets properly, you only need
to configure correct VLANs or routes.

Configuring Service Packet Exchange


When tablet kiosks are installed, they connect to a WLAN as STAs and communicate with the
smart shopping guide server. Therefore, ensure that service data on the tablet kiosks can be
transmitted on the upper-layer network.

In addition, regardless of whether tablet kiosks are installed, WLAN services must be
configured to ensure service packet exchange if WLAN access for customers or employees is
needed.

Configuring APs and STAs to Communicate with the DHCP Server


APs and STAs must obtain IP addresses from a DHCP server. Therefore, you need to
configure the APs and STAs to communicate with the DHCP server.

29.6.2 Configuring APs to Go Online

Context
After network interworking is configured, configure APs to go online on an AC so that the
AC can deliver configurations to the APs.

This document only describes basic go-online configurations of APs on the AC. For more
information, see 5.9 Configuring APs to Go Online.

Perform the following operations on the AC to configure an AP to go online.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run vlan batch vlan-id

A VLAN is created.

Step 3 Run interface vlanif vlan-id

A VLANIF interface is created, and the VLANIF interface view is displayed.

By default, no VLANIF interface is created.

Step 4 Run ip address ip-address { mask | mask-length }

An IP address and a subnet mask are configured for the VLANIF interface.

By default, no IP address is configured for a VLANIF interface.

Step 5 Run quit

Return to the system view.

Step 6 Run capwap source interface vlanif vlan-id

The VLANIF interface is configured as the source interface of the CAPWAP tunnel
established between the AP and AC.

By default, no source interface is configured for the CAPWAP tunnel established between the
AP and AC.
Step 7 Run wlan
The WLAN view is displayed.
Step 8 Run regulatory-domain-profile name profile-name
A regulatory domain profile is created and the regulatory domain profile view is displayed.
By default, the system provides the regulatory domain profile default.
Step 9 Run country-code country-code
The country code is configured.
By default, the country code CN is configured.
Step 10 Run quit
Return to the WLAN view.
Step 11 Run ap-group name group-name
An AP group is created, and the AP group view is displayed.
Step 12 Run regulatory-domain-profile profile-name
The regulatory domain profile is bound to the AP group.
By default, the regulatory domain profile default is bound to the AP group.
Step 13 Run quit
Return to the WLAN view.
Step 14 Run ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | ap-sn ap-sn |
ap-mac ap-mac ap-sn ap-sn } ] or ap-mac ap-mac [ type-id type-id | ap-type ap-type ] [ ap-id
ap-id ] [ ap-sn ap-sn ]
The AP is imported in offline mode, and the AP view is displayed.
Step 15 Run ap-name ap-name
The AP name is configured.
By default, no AP name is configured for an AP.
Step 16 Run ap-group group-name
The AP is added to the AP group.
By default, no AP group is configured.

----End

Verifying the Configuration


l Run the display ap all command to check whether the AP goes online on the AC.
l Run the display capwap configuration command to check the source interface or
source IP address of the AC.
l Run the display regulatory-domain-profile { all | name profile-name } command to
check the country code configured in the regulatory domain profile.
l Run the display references regulatory-domain-profile name profile-name command to
check reference information about the regulatory domain profile.

29.6.3 Configuring the Wireless Coverage Service

Context
The smart shopping guide scenario is divided into sub-scenarios with tablet kiosks and
without tablet kiosks installed.
l When tablet kiosks are installed, they connect to APs through Wi-Fi and to the smart
shopping guide server through the Ethernet, and receive information from BLE labels
through Bluetooth. In this sub-scenario, configure the wireless coverage service to
allow the tablet kiosks to access APs.
l When no tablet kiosk is installed, BLE labels connect to APs' Bluetooth modules by
sending BLE signals and to the smart shopping guide server through the Ethernet. In
this sub-scenario, you do not need to configure the wireless coverage service for the
BLE labels.
If wireless network access is required for customers or employees in the preceding sub-
scenarios, configure other SSIDs to provide wireless service coverage.
This document provides only basic wireless coverage service configurations. For more
information, see 5 WLAN Service Configuration.
Perform the following operations on the AC to configure the wireless coverage service.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run wlan
The WLAN view is displayed.
Step 4 Run security-profile name profile-name
A security profile is created and the security profile view is displayed.
By default, security profiles default, default-wds, and default-mesh are available in the
system.
After the security profile is created, using the default security policy has security risks. You
are advised to configure a proper security policy according to actual service requirements. For
the detailed configuration, see 12.4 Configuring a WLAN Security Policy.
Step 5 Run quit
Return to the WLAN view.

Step 6 Run ssid-profile name profile-name

An SSID profile is created and the SSID profile view is displayed.

By default, the system provides the SSID profile default.

Step 7 Run ssid ssid

An SSID name is configured.

By default, the SSID HUAWEI-WLAN is configured in an SSID profile.

Step 8 Run quit

Return to the WLAN view.

Step 9 Run vap-profile name profile-name

The VAP profile view is displayed.

Step 10 Run security-profile profile-name

The security profile is bound to the VAP profile.

By default, the security profile default is bound to a VAP profile.

Step 11 Run forward-mode { direct-forward | tunnel | softgre profile-name }

The data forwarding mode is configured in the VAP profile.

By default, the forwarding mode is direct-forward in the VAP profile.

Step 12 Run service-vlan { vlan-id vlan-id | vlan-pool pool-name }

A service VLAN is configured for a VAP.

By default, VLAN 1 is the service VLAN of a VAP.

Step 13 Run ssid-profile profile-name

The SSID profile is bound to the VAP profile.

By default, the SSID profile default is bound to a VAP profile.

Step 14 Run quit

Return to the WLAN view.

Step 15 Run ap-group name group-name

An AP group is created, and the AP group view is displayed.

Step 16 Run vap-profile profile-name wlan wlan-id radio { radio-id | all } [ service-vlan { vlan-id
vlan-id | vlan-pool pool-name } ]

The VAP profile is bound to radios.

By default, no VAP profile is bound to a radio.

----End

Verifying the Configuration


l Run the display vap { all | ssid ssid } or display vap { ap-group ap-group-name | {
ap-name ap-name | ap-id ap-id } [ radio radio-id ] } [ ssid ssid ] command to check service
VAP information.
l Run the display vap-profile { all | name profile-name } command to check
configuration and reference information about a VAP profile.
l Run the display references vap-profile name profile-name command to check reference
information about the VAP profile.
l Run the display security-profile { all | name profile-name } command to check
configuration and reference information about the security profile.
l Run the display references security-profile name profile-name command to check
reference information about the security profile.
l Run the display ssid-profile { all | name profile-name } command to check
configuration and reference information about the SSID profile.
l Run the display references ssid-profile name profile-name command to check
reference information about the SSID profile.

29.6.4 Configuring Transparent Transmission of Bluetooth Data (With Tablet Kiosks Installed)

In the smart shopping guide sub-scenario with tablet kiosks installed, BLE labels send BLE
broadcast packets to the tablet kiosks through Bluetooth. The tablet kiosks send the BLE label
information in the packets or the video update requests to APs through Wi-Fi. The APs then
send the information to the host computer through the Ethernet.
l To ensure that the tablet kiosks can receive BLE broadcast packets from BLE labels,
enable the Bluetooth function.
l To ensure that the tablet kiosks can send information to the correct host computer or
receive data information from the host computer, configure the IP address of the host
computer in the app of the tablet kiosks. For details on how to configure other network
interworking parameters, see 29.6.1 Configuring Network Interworking.
After the IP address of the host computer is configured, the tablet kiosks can connect to
the wireless network that is independently deployed for them and communicate with the
host computer.
Contact the vendor of tablet kiosks to obtain related installation documents. The detailed
operations are not described in this document.

29.6.5 Configuring Transparent Transmission of Bluetooth Data (With No Tablet Kiosk Installed)

Context
In smart shopping guide sub-scenarios with no tablet kiosk installed, BLE broadcast packets
sent by BLE labels are received by built-in Bluetooth modules of APs and then sent to the
host computer through the Ethernet.
To ensure that APs can receive BLE broadcast packets sent by BLE labels and send the
packets to the host computer, enable the Bluetooth data transparent transmission function for
the APs, and configure the destination host computer and port number for the APs to report
Bluetooth data transparent transmission packets.

Perform the following operations on the AC to configure transparent transmission of
Bluetooth data.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Run ble-profile name profile-name

A BLE profile is created.

By default, no BLE profile is created.

Step 4 Run sniffer enable transparent-mode

The Bluetooth data transparent transmission function is configured for the built-in Bluetooth
modules of APs.

By default, the Bluetooth function of an AP's built-in Bluetooth module is disabled.

Step 5 Run report enable

The APs are enabled to report Bluetooth data transparent transmission packets.

By default, an AP is disabled from sending Bluetooth packets.

Step 6 Run report-mode { immediate | periodic [ interval interval ] }

The mode and interval for APs to send Bluetooth packets are configured.

By default, an AP sends Bluetooth packets at an interval of 10 seconds.

APs are configured to report Bluetooth packets immediately or at an interval of less than 5
seconds. This is because when a commodity is picked up multiple times within 5 seconds, the
BLE label bound to it is considered to have been picked up only once.

Step 7 Run report-to-server ip-address ip-address port port-num [ via-ac ac-port ac-port-num ]

The destination IP address and port number are configured for APs to report Bluetooth data
transparent transmission packets.

By default, no destination IP address or port number is configured for APs to report Bluetooth
packets.

Step 8 Run quit

Return to the WLAN view.

Step 9 Enter the AP view or AP group view.

- Run the ap-group name group-name command to enter the AP group view.
- Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
  view.

Step 10 Run ble-profile profile-name

The BLE profile is bound to an AP group or an AP.

By default, no BLE profile is bound to an AP group or AP.

----End

Verifying the Configuration


- Run the display ble-profile { all | name profile-name } command to check configuration
  and reference information about the BLE profile.
- Run the display wlan ble global configuration command to check the global
  configuration of BLE devices.
- Run the display references ble-profile name profile-name command to check reference
  information about the BLE profile.

29.6.6 Associating BLE Labels with Commodities


To uniquely identify a commodity, a BLE label must be associated with the commodity.
Install the mobile app provided by Century on a mobile phone. Use the mobile phone camera
to scan the barcode of a commodity and the mobile phone to receive BLE label information
through Bluetooth. In this way, the commodity barcode is bound to the BLE label. The mobile
app will synchronize the binding information to the smart shopping guide server.
Contact the mobile app provider to obtain related installation documents. The detailed
operations are not described in this document.

29.6.7 Configuration Example for the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide

29.6.7.1 Example of Configuring the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide (With Tablet Kiosks Installed)

Service Requirements
A shopping mall wants to reduce the number of shop assistants to reduce labor costs. It also
wants to perform Big Data analytics on customers' actions of picking up commodities to
understand popularity of commodities, make proper marketing strategies, and improve sales
profits. Additionally, the shopping mall wants to provide wireless network access for its
customers.
To meet these requirements, Huawei provides the smart shopping guide solution with tablet
kiosks installed.

Networking Requirements
- AC networking mode: Layer 2 in bypass mode
- DHCP deployment mode: Configure an AC as the DHCP server to assign IP addresses to
  APs and STAs.
- Service data forwarding mode: direct forwarding

Figure 29-4 Networking diagram for configuring the smart shopping guide solution

[Figure: network topology showing the BLE label, tablet kiosk, AP, switch (GE0/0/1, GE0/0/2), AC (GE0/0/1), STA, RADIUS server, and smart shopping guide server]

Data Planning

Table 29-3 AC data planning

| Item | Data |
|------|------|
| Management VLAN | VLAN 100 |
| Service VLAN for customers or employees | VLAN 101 |
| Service VLAN for tablet kiosks | VLAN 102 |
| AC's source interface | VLANIF 100 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs. |
| IP address pool for STAs | 10.23.101.2 to 10.23.101.254/24; 10.23.102.2 to 10.23.102.254/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profiles wlan-net and wlan-ble, and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: CN |
| SSID profile | For tablet kiosks: Name: wlan-ble; SSID name: wlan-ble. For customers or employees: Name: wlan-net; SSID name: wlan-net |
| Security profile | For tablet kiosks: Name: wlan-ble; Security policy: Open. For customers or employees: Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | For tablet kiosks: Name: wlan-ble; Forwarding mode: direct forwarding; Service VLAN: VLAN 102; Referenced profiles: SSID profile wlan-ble, security profile wlan-ble, and authentication profile wlan-ble. For customers or employees: Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| RADIUS authentication parameters | Name of the RADIUS server template: wlan-ble; IP address: 10.23.103.1; Authentication port number: 1812; Shared key: huawei@123; Authentication scheme: wlan-ble |
| MAC access profile | Name: wlan-ble |
| Authentication profile | Name: wlan-ble; Referenced profiles and authentication scheme: MAC access profile wlan-ble, RADIUS server template wlan-ble, and authentication profile wlan-ble |

Configuration Roadmap
1. Configure network interworking of the APs, switch, AC, and host computer.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the APs to go online.
4. Configure WLAN services to provide wireless access for tablet kiosks and wireless
network services for customers or employees.
5. Configure the Bluetooth data transparent transmission function.
6. Associate BLE labels with commodities.

Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  - In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  - In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
- Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode


NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the switch and AC to enable the AP to communicate with the AC.
# Configure the access switch. Add GE0/0/1 on the switch to VLAN 100 (management
VLAN), and GE0/0/2 to VLAN 100, VLAN 101, and VLAN 102 (service VLANs).
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 to 102
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 102
[Switch-GigabitEthernet0/0/2] quit

# Configure the AC. Add GE0/0/1 to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 to 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure the AP to communicate with the host computer and RADIUS server.
Configure routes based on the actual networking situation to ensure network interworking
between the AP and host computer.
Step 4 Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
# Configure the DHCP server based on the address pool of a VLANIF interface.

NOTE

Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit

Step 5 Configure the AP to go online.


# Create an AP group to which APs with the same configuration are to be added.


[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the country code for the AC in the profile, and
bind the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the source interface on the AC.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group ap-group1. Configure an
AP name based on the AP's deployment location, so that you can know where the AP is
deployed from its name. If the AP with MAC address 60de-4476-e360 is in area 1, name the
AP area_1.
NOTE

The ap auth-mode command sets the AP authentication mode to MAC address authentication by default. If
the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type       State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4050DN-E nor   0   25S    -
----------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters to provide wireless network services for customers or
employees.

# Create security profile wlan-net and set the security policy in the profile.


NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure WLAN service parameters to provide wireless access for tablet kiosks.
1. Configure RADIUS authentication parameters.

# Create a RADIUS server template.


[AC-wlan-view] quit
[AC] radius-server template wlan-ble
[AC-radius-wlan-ble] radius-server authentication 10.23.103.1 1812
[AC-radius-wlan-ble] radius-server shared-key cipher huawei@123
[AC-radius-wlan-ble] quit

# Configure a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme wlan-ble
[AC-aaa-authen-wlan-ble] authentication-mode radius
[AC-aaa-authen-wlan-ble] quit
[AC-aaa] quit

2. Configure a MAC access profile.


NOTE
In a MAC access profile, a MAC address without hyphens (-) is used as the user name and password for
MAC address authentication by default.

# Create MAC access profile wlan-ble.


[AC] mac-access-profile name wlan-ble
[AC-mac-access-profile-wlan-ble] quit

3. Create authentication profile wlan-ble, and bind the MAC access profile, authentication
scheme, and RADIUS server template to it.
[AC] authentication-profile name wlan-ble
[AC-authentication-profile-wlan-ble] mac-access-profile wlan-ble
[AC-authentication-profile-wlan-ble] authentication-scheme wlan-ble
[AC-authentication-profile-wlan-ble] radius-server wlan-ble
[AC-authentication-profile-wlan-ble] quit


4. Configure WLAN service parameters.


# Create security profile wlan-ble and configure a security policy in the profile. By
default, the security policy is open system authentication.
[AC] wlan
[AC-wlan-view] security-profile name wlan-ble
[AC-wlan-sec-prof-wlan-ble] quit

# Create SSID profile wlan-ble and set the SSID name to wlan-ble.
[AC-wlan-view] ssid-profile name wlan-ble
[AC-wlan-ssid-prof-wlan-ble] ssid wlan-ble
[AC-wlan-ssid-prof-wlan-ble] quit

# Create VAP profile wlan-ble, configure the direct data forwarding mode and service
VLANs, and bind the security profile, authentication profile, and SSID profile to the
VAP profile.
[AC-wlan-view] vap-profile name wlan-ble
[AC-wlan-vap-prof-wlan-ble] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-ble] service-vlan vlan-id 102
[AC-wlan-vap-prof-wlan-ble] security-profile wlan-ble
[AC-wlan-vap-prof-wlan-ble] authentication-profile wlan-ble
[AC-wlan-vap-prof-wlan-ble] ssid-profile wlan-ble
[AC-wlan-vap-prof-wlan-ble] quit

# Bind the VAP profile to the AP group, and apply configurations of VAP profile wlan-
ble to radio 0 of APs in the AP group.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-ble wlan 2 radio 0
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

Step 8 Configure third-party server interconnection parameters. For details, see the corresponding
product manual.
Step 9 Configure the Bluetooth data transparent transmission function.
Configure the IP address of the host computer in the app of the tablet kiosk. Enable the
Bluetooth function of the tablet kiosk to allow it to receive BLE broadcast packets from the
BLE label. The detailed operations are not provided here.
Step 10 Associate BLE labels with commodities.
Use the mobile app to scan a commodity barcode and receive BLE label information through
Bluetooth to associate the BLE label with the commodity. The detailed operations are not
provided here.
Step 11 Verify the configuration.
# The WLAN service configuration is automatically delivered to the AP. After completing the
configuration, run the display vap ssid wlan-ble and display vap ssid wlan-net commands.
If the Status field displays ON, the VAP has been successfully created on the AP radios.
[AC] display vap ssid wlan-ble
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type STA SSID
--------------------------------------------------------------------------------
0     area_1  0    2   60DE-4476-E361 ON     OPEN      1   wlan-ble
------------------------------------------------------------------------------------
Total: 1
[AC] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
--------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA/WPA2-PSK 1   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA/WPA2-PSK 0   wlan-net
------------------------------------------------------------------------------------
Total: 2

# When the commodity with the BLE label is picked up, information about the commodity is
displayed on the tablet kiosk.

----End

Configuration Files
- Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 102
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 102
#
return

- AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name wlan-ble
 mac-access-profile wlan-ble
 authentication-scheme wlan-ble
 radius-server wlan-ble
#
dhcp enable
#
radius-server template wlan-ble
 radius-server shared-key cipher %^%#sx$wASg6*AV+89@"5.H9}E>4LMJ:+/lj$dR2I3F3%^%#
 radius-server authentication 10.23.103.1 1812 weight 80
#
aaa
 authentication-scheme wlan-ble
  authentication-mode radius
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-ble
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#<nO>>G!1b8mt7n!OC"vR%2@4Y&E5yQ=QN{.:MP=B%^%# aes
 ssid-profile name wlan-ble
  ssid wlan-ble
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-ble
  service-vlan vlan-id 102
  ssid-profile wlan-ble
  security-profile wlan-ble
  authentication-profile wlan-ble
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
   vap-profile wlan-ble wlan 2
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 ap-mac 60de-4476-e360 ap-sn 210235419610D2000066
  ap-name area_1
  ap-group ap-group1
#
mac-access-profile name wlan-ble
#
return
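
As an added check that is not part of the Huawei guide, the following Python sketch reads an AC configuration file in the layout shown above and reports how each VAP profile is protected. It is relevant here because security profile wlan-ble has no security line and so keeps the default open system policy, leaving MAC address authentication as the only control on the kiosk SSID. The sample configuration is constructed from this example with the pass-phrase ciphertext replaced by a placeholder, and the HIGH/MEDIUM/LOW/INFO labels are this example's own assumptions, not Huawei terminology.

```python
import re

# Constructed sample: the relevant parts of the AC configuration file from this
# example, with the pass-phrase ciphertext replaced by a placeholder.
SAMPLE_AC_CONFIG = """\
#
authentication-profile name wlan-ble
 mac-access-profile wlan-ble
 authentication-scheme wlan-ble
 radius-server wlan-ble
#
wlan
 security-profile name wlan-ble
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase <ciphertext-placeholder> aes
 ssid-profile name wlan-ble
  ssid wlan-ble
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-ble
  service-vlan vlan-id 102
  ssid-profile wlan-ble
  security-profile wlan-ble
  authentication-profile wlan-ble
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
#
mac-access-profile name wlan-ble
#
return
"""

# "<kind> name <profile>" opens a profile definition; "<kind> <profile>" without
# the keyword "name" is a reference to a profile from inside another one.
PROFILE_START = re.compile(r"^(\S+) name (\S+)$")


def parse_ac_config(text):
    """Return (security, auth, vaps) dictionaries parsed from the configuration."""
    security = {}  # security profile -> its 'security ...' line, '' if none
    auth = {}      # authentication profile -> set of bound access-profile kinds
    vaps = {}      # VAP profile -> referenced security/auth profiles and VLAN
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()            # indentation is not relied on
        if not line:
            continue
        if line == "#":               # '#' closes the current top-level view
            kind = name = None
            continue
        start = PROFILE_START.match(line)
        if start:
            kind, name = start.groups()
            if kind == "security-profile":
                security[name] = ""
            elif kind == "authentication-profile":
                auth[name] = set()
            elif kind == "vap-profile":
                vaps[name] = {"security": None, "auth": None, "vlan": None}
            continue
        words = line.split()
        if kind == "security-profile" and words[0] == "security":
            security[name] = line
        elif kind == "authentication-profile" and words[0].endswith("-access-profile"):
            auth[name].add(words[0])
        elif kind == "vap-profile":
            if words[0] == "security-profile":
                vaps[name]["security"] = words[1]
            elif words[0] == "authentication-profile":
                vaps[name]["auth"] = words[1]
            elif words[:2] == ["service-vlan", "vlan-id"]:
                vaps[name]["vlan"] = int(words[2])
    return security, auth, vaps


def audit_vaps(text):
    """Return (vap, service_vlan, level, reason) for every VAP profile."""
    security, auth, vaps = parse_ac_config(text)
    findings = []
    for vap, ref in sorted(vaps.items()):
        # Assumption of this example: a VAP with no security-profile reference
        # is reported the same way as one whose profile has no 'security' line.
        policy = security.get(ref["security"], "")
        methods = sorted(auth.get(ref["auth"], ()))
        if policy:
            mode = policy.split()[1]
            shared = " with a shared pass-phrase" if "psk" in policy.split() else ""
            level, reason = "INFO", mode + shared
        elif not methods:
            level, reason = "HIGH", "open system, no access profile bound"
        elif methods == ["mac-access-profile"]:
            # The guide notes the MAC address serves as user name and password.
            level, reason = "MEDIUM", "open system, MAC address authentication only"
        else:
            level, reason = "LOW", "open system, access control by " + ", ".join(methods)
        findings.append((vap, ref["vlan"], level, reason))
    return findings


if __name__ == "__main__":
    for vap, vlan, level, reason in audit_vaps(SAMPLE_AC_CONFIG):
        print(f"{level:6} vap-profile {vap} (service VLAN {vlan}): {reason}")
```

The parser ignores indentation, so it also accepts a configuration file whose leading spaces were lost when it was copied out of a document.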

29.6.7.2 Example of Configuring the Shopping Mall and Supermarket IoT Solution - Smart Shopping Guide (With No Tablet Kiosk Installed)

Service Requirements
A shopping mall wants to perform Big Data analytics on customers' actions of picking up
commodities, so that it can understand popularity of commodities, make proper marketing
strategies, and improve sales profits. Additionally, the shopping mall wants to provide
wireless network access for its customers.
To meet these requirements, Huawei provides the smart shopping guide solution with no
tablet kiosk installed.

Networking Requirements
- AC networking mode: Layer 2 in bypass mode
- DHCP deployment mode: Configure an AC as the DHCP server to assign IP addresses to
  APs and STAs.
- Service data forwarding mode: direct forwarding

Figure 29-5 Networking diagram for configuring the smart shopping guide solution

[Figure: network topology showing the BLE label, AP, switch (GE0/0/1, GE0/0/2), AC (GE0/0/1), STA, and smart shopping guide server]

Data Planning

Table 29-4 AC data planning

| Item | Data |
|------|------|
| Management VLAN | VLAN 100 |
| Service VLAN | VLAN 101 |
| AC's source interface | VLANIF 100 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs. |
| IP address pool for APs | 10.23.100.2 to 10.23.100.254/24 |
| IP address pool for STAs | 10.23.101.2 to 10.23.101.254/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net, BLE profile wlan-ble, and regulatory domain profile default |
| Regulatory domain profile | Name: default; Country code: CN |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net |
| BLE profile | Name: wlan-ble; Bluetooth data transparent transmission: enabled; Bluetooth packet reporting mode and interval: reporting at an interval of 3 seconds; Data reporting mode: directly reported by APs; Server IP address/port number: 10.23.102.1/10001 |

Configuration Roadmap
1. Configure network interworking of the APs, switch, AC, and host computer.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the APs to go online.
4. Configure WLAN service parameters to provide wireless network services for customers
or employees.
5. Configure the Bluetooth data transparent transmission function.
6. Associate BLE labels with commodities.

Configuration Notes
- No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  - In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  - In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
- Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
- In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the switch and AC to enable the AP to communicate with the AC.
# Configure the access switch. Add GE0/0/1 on the switch to VLAN 100 (management
VLAN), and GE0/0/2 to VLAN 100 and VLAN 101 (service VLANs).
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[Switch-GigabitEthernet0/0/2] quit

# Configure the AC. Add GE0/0/1 to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 3 Configure network interworking between the AP and host computer.


Configure routes based on the actual networking situation to ensure network interworking
between the AP and host computer.
Step 4 Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
# Configure the DHCP server based on the address pool of a VLANIF interface.

NOTE

Configure the DNS server as required. The common methods are as follows:
- In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
- In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.

[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the AP to go online.


# Create an AP group to which APs with the same configuration are to be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the country code for the AC in the profile, and
bind the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the source interface on the AC.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group ap-group1. Configure an
AP name based on the AP's deployment location, so that you can know where the AP is
deployed from its name. If the AP with MAC address 60de-4476-e360 is in area 1, name the
AP area_1.
NOTE

The ap auth-mode command sets the AP authentication mode to MAC address authentication by default. If
the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# After the AP is powered on, run the display ap all command to check the AP state. If the
State field displays nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type       State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4050DN-E nor   0   25S    -
----------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure WLAN service parameters to provide wireless network services for customers or
employees.

# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure the Bluetooth data transparent transmission function.

# Create BLE profile wlan-ble. Enable the Bluetooth data transparent transmission function,
configure the destination IP address and port number to which Bluetooth data is transparently
transmitted, and configure the mode for the AP to transparently transmit Bluetooth data.
[AC-wlan-view] ble-profile name wlan-ble
[AC-wlan-ble-prof-wlan-ble] sniffer enable transparent-mode
[AC-wlan-ble-prof-wlan-ble] report enable
[AC-wlan-ble-prof-wlan-ble] report-to-server ip-address 10.23.102.1 port 10001
[AC-wlan-ble-prof-wlan-ble] report-mode periodic interval 3
[AC-wlan-ble-prof-wlan-ble] quit

# Add BLE clients within the AP's coverage area to the monitoring list.
[AC-wlan-view] ble monitoring-list mac 1234-1234-1000 to 1234-1234-1002

# Apply the BLE profile to the AP group.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ble-profile wlan-ble
[AC-wlan-ap-group-ap-group1] quit

Step 8 Associate BLE labels with commodities.


Use the mobile app to scan a commodity barcode and receive BLE label information through
Bluetooth to associate the BLE label with the commodity. The detailed operations are not
provided here.


Step 9 Verify the configuration.


# After the AP obtains Bluetooth client information, run the display wlan ble site-info all
command to check Bluetooth client information obtained by the AP.
[AC-wlan-view] display wlan ble site-info all
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Index MAC            Host AP ID Host AP name RSSI Power Type       DetachedFlag Aging-Timeout(m) Broadcast count Advertisement data
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0     1234-1234-1000 0          area_1       -30  50%   sensor-tag N            57               10              02-02-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-fa
1     1234-1234-1001 0          area_1       -31  51%   sensor-tag N            57               7               01-02-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-fa
2     1234-1234-1002 0          area_1       -33  55%   sensor-tag N            57               16              03-02-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-fa
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total: 3

# The WLAN service configuration is automatically delivered to the AP. After completing the
configuration, run the display vap ssid wlan-net command. If the Status field displays ON,
the VAP has been successfully created on the AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
------------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA/WPA2-PSK 1   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA/WPA2-PSK 0   wlan-net
------------------------------------------------------------------------------------
Total: 2

----End

Configuration Files
• Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
return


• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#;LgD%=-_`Sr(`u1]DT!Xg2/"/kXHs2/z>nGs-yI1%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ble-profile name wlan-ble
  sniffer enable transparent-mode
  report-mode periodic interval 3
  report-to-server ip-address 10.23.102.1 port 10001
  report enable
 ble monitoring-list mac 1234-1234-1000
 ble monitoring-list mac 1234-1234-1001
 ble monitoring-list mac 1234-1234-1002
 ap-group name ap-group1
  ble-profile wlan-ble
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 ap-mac 60de-4476-e360 ap-sn 210235419610D2000066
  ap-name area_1
  ap-group ap-group1
#
return


30 Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis

30.1 Overview of the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis

Scenario Overview
Under fierce competition and pressure from online consumption, profit growth at large shopping
malls and comprehensive complexes has slowed. They need to improve customers' shopping
experience and promote profit growth by providing personalized services.

Pushing customized advertisements to different customers not only responds quickly to
customers' needs, but also increases sales revenue for shops, a win-win for both
customers and shops. Currently, it is practical and cost-effective to push advertisements to
smart terminals such as mobile phones through Wi-Fi. In this case, fast and secure access to
Wi-Fi networks and accurate analysis of the behavior of individual customers must be ensured.

To meet these requirements, Huawei provides the hotspot service and customer flow analysis
solution. The hotspot service allows customers to access Wi-Fi networks easily and securely
through Portal authentication. Customer flow analysis allows shopping malls to obtain useful
information such as consumption habits and occupations of customers according to their
moving tracks. Then the shopping malls can push customized advertisements to customers
through Wi-Fi networks.

Solution Benefits
This solution brings the following benefits:
• Customers can access Wi-Fi networks easily and securely, and enjoy good Internet
  access experience.
• Shopping malls can accurately push customized advertisements to customers' mobile
  phones, promoting user consumption and increasing sales.
• A WLAN can be reused as an IoT network that provides the hotspot service and customer
  flow analysis to achieve network integration, reduce network deployment and maintenance
  costs, and help administrators centrally manage the network.

Network architecture
As shown in Figure 30-1, the network architecture consists of the terminal layer, access layer,
service layer, and application layer.

Figure 30-1 Network architecture

[Figure: application layer (customer flow analysis server); service layer (RADIUS server, Portal server, policy configuration device); access layer (switch, AC, APs); terminal layer (STA)]

• Terminal layer
  Smart terminals such as mobile phones are located at this layer.
• Access layer
  APs, switches, and ACs are deployed at this layer.
• Service layer
  A RADIUS server, a Portal server, and a policy configuration device are deployed at this
  layer.
• Application layer
  A customer flow analysis server is deployed at this layer.


Related Products

Table 30-1 Related products


Device                         Function                                          Vendor
-----------------------------  ------------------------------------------------  --------
AP                             Provides wireless network coverage for mobile     Huawei
                               phones.

AC                             Manages APs, delivers configurations to them,     Huawei
                               and works together with them.

Switch                         It is used to build a networking structure and    Huawei
                               forward packet data on the network.

RADIUS server                  Interacts with access devices to implement user   Cloud4Wi
                               authentication, authorization, and accounting.

Portal server                  Receives authentication requests from clients,    Cloud4Wi
                               provides free Portal services and
                               authentication pages, and exchanges client
                               authentication information with access devices.

Policy configuration device    Executes different policies for mobile phones,    Cloud4Wi
                               such as time limiting, rate limiting,
                               free-of-charge network access, or charged
                               network access.

Customer flow analysis server  Collects location and identity information        Cloud4Wi
                               about mobile phones, and implements
                               personalized management for customers.

NOTE

Connect switches to the Cloud4Wi server through eSight or Agile Controller-CloudCampus, instead of direct
connection.


30.2 Understanding the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis
The hotspot service and customer flow analysis solutions apply to the following sub-scenarios:
• Hotspot service: provides WLAN coverage through Portal authentication.
• Customer flow analysis: uses the location function to analyze moving tracks of
  customers in shopping malls, so that the shopping malls can obtain consumption habits
  and occupations of the customers, and push customized advertisements to the customers.

Hotspot Service
The hotspot service solution provides the Portal authentication access mode. Customers can
use social accounts, email addresses, and phone numbers for authentication. Advertisements
can be embedded into the authentication page.
HTTP or HTTPS is used for Portal authentication. For details about Portal authentication,
choose Configuration Guide > User Access and Authentication Configuration Guide >
NAC Configuration > Principles > Portal Authentication in the S1720, S2700, S5700, and
S6720 V200R012C00 Product Documentation.

Customer Flow Analysis


Figure 30-2 shows implementation of the customer flow analysis solution.


Figure 30-2 Network for the customer flow analysis solution

[Figure: a STA, three APs, the AC, a switch, and the customer flow analysis server; the numbers 1, 2, and 3 on the links correspond to the steps below]

1. APs collect STA information such as the MAC address, timestamp, and RSSI.
   – When a STA is not associated with the WLAN, APs near the STA receive Probe
     Request frames sent by the STA and obtain STA information such as the MAC
     address, timestamp, and RSSI from them.
   – When the STA is associated with the WLAN, surrounding APs obtain the data required
     for customer flow analysis from management frames and data frames sent by the
     STA.
2. The APs send the collected information to the AC.
3. The AC sends the received data directly to the customer flow analysis server without
   parsing the data.
4. The customer flow analysis server parses the STA's information such as the MAC
   address, timestamp, and RSSI. From the customer's moving tracks and other information
   such as the longest duration in a shop, the shopping mall can learn the customer's
   consumption habits and occupation. The results are displayed graphically to guide the
   shopping mall in pushing customized advertisements to customers.

30.3 Implementation Precautions for the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis
Service Planning Precautions
Network address translation (NAT) traversal is not supported between APs and an AC.


Scenario Constraints

STAs that support random MAC addresses cannot be located before they are associated with a
Wi-Fi network. A random MAC address is a random virtual MAC address used by a STA in
the scanning phase. It is not a real MAC address.

30.4 Software and Hardware Installation for the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis

Installing APs
For details on how to install APs, see the AP hardware installation and maintenance guide.

Installing Servers
Contact vendors of the RADIUS server, Portal server, policy configuration device, and
customer flow analysis server to obtain related installation documents. The detailed
operations are not described in this document.

30.5 Configuration Guide for the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis

30.5.1 Configuring Network Interworking

Configure network interworking of network elements (NEs) to ensure proper data transmission.

Configuring Management Packet Exchange


Management packets between an AC and APs are transmitted only on the network between
them. To ensure that the AC and APs exchange management packets properly, configure
correct VLANs or routes.

Configuring Service Packet Exchange


Service packets are transmitted between STAs and the upper-layer network. Configure service
packet exchange to ensure proper transmission of service packets.

Configuring APs and STAs to Communicate with a DHCP Server


APs and STAs must obtain IP addresses from a DHCP server; therefore, you need to
configure the APs and STAs to communicate with the DHCP server.


Configuring STAs to Communicate with Servers


Configure STAs to communicate with the RADIUS server, Portal server, and policy
configuration device.

Configuring the AC to Communicate with the Customer Flow Analysis Server


The AC needs to report STA information to the customer flow analysis server for analysis.
Therefore, ensure network interworking between the AC and the customer flow analysis
server.

30.5.2 Configuring APs to Go Online

Context
After network interworking is configured, configure APs to go online on an AC so that the
AC can deliver configurations to the APs.
This document only describes basic go-online configurations of APs on the AC. For more
information, see 5.9 Configuring APs to Go Online.
Perform the following operations on the AC to configure an AP to go online.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run interface vlanif vlan-id
A VLANIF interface is created, and the VLANIF interface view is displayed.
By default, no VLANIF interface is created.
Step 4 Run ip address ip-address { mask | mask-length }
An IP address and a subnet mask are configured for the VLANIF interface.
By default, no IP address is configured for a VLANIF interface.
Step 5 Run quit
Return to the system view.
Step 6 Run capwap source interface vlanif vlan-id
The VLANIF interface is configured as the source interface of the CAPWAP tunnel
established between the AP and AC.
By default, no source interface is configured for the CAPWAP tunnel established between the
AP and AC.
Step 7 Run wlan
The WLAN view is displayed.


Step 8 Run regulatory-domain-profile name profile-name
A regulatory domain profile is created and the regulatory domain profile view is displayed.
By default, the system provides the regulatory domain profile default.
Step 9 Run country-code country-code
The country code is configured.
By default, the country code CN is configured.
Step 10 Run quit
Return to the WLAN view.
Step 11 Run ap-group name group-name
An AP group is created, and the AP group view is displayed.
Step 12 Run regulatory-domain-profile profile-name
The regulatory domain profile is bound to the AP group.
By default, the regulatory domain profile default is bound to the AP group.
Step 13 Run quit
Return to the WLAN view.
Step 14 Run ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | ap-sn ap-sn | ap-mac ap-mac ap-sn ap-sn } ] or ap-mac ap-mac [ type-id type-id | ap-type ap-type ] [ ap-id ap-id ] [ ap-sn ap-sn ]
The AP is imported in offline mode, and the AP view is displayed.
Step 15 Run ap-name ap-name
The AP name is configured.
By default, no AP name is configured for an AP.
Step 16 Run ap-group group-name
The AP is added to the AP group.
By default, no AP group is configured.

----End

Verifying the Configuration


• Run the display ap all command to check whether the AP goes online on the AC.
• Run the display capwap configuration command to check the source interface or
  source IP address of the AC.
• Run the display regulatory-domain-profile { all | name profile-name } command to
  check the country code configured in the regulatory domain profile.
• Run the display references regulatory-domain-profile name profile-name command to
  check reference information about the regulatory domain profile.


30.5.3 Configuring the Hotspot Service

Context
The hotspot service provides WLAN coverage for STAs after they succeed in Portal
authentication. For details on how to configure Portal authentication, choose Configuration
Guide > User Access and Authentication Configuration > NAC Configuration >
Configuring an Access Profile > Configuring a Portal Access Profile (for an External
Portal Server-HTTP/HTTPS Protocol) and Configuration Guide > User Access and
Authentication Configuration > NAC Configuration > Configuring an Authentication
Profile in the S1720, S2700, S5700, and S6720 V200R012C00 Product Documentation.
This document provides only basic wireless coverage service configurations. For more
information, see 5 WLAN Service Configuration.
Perform the following operations on the AC to configure an AP to go online.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run wlan
The WLAN view is displayed.
Step 4 Run security-profile name profile-name
A security profile is created and the security profile view is displayed.
By default, security profiles default, default-wds, and default-mesh are available in the
system.
Step 5 Run security open
The security policy is set to open system authentication.
By default, the security policy is open system.
The security policy must be set to open system authentication for Portal authentication.
Step 6 Run quit
Return to the WLAN view.
Step 7 Run ssid-profile name profile-name
An SSID profile is created and the SSID profile view is displayed.
By default, the system provides the SSID profile default.
Step 8 Run ssid ssid
An SSID name is configured.
By default, the SSID HUAWEI-WLAN is configured in an SSID profile.


Step 9 Run quit
Return to the WLAN view.
Step 10 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 11 Run security-profile profile-name
The security profile is bound to the VAP profile.
By default, the security profile default is bound to a VAP profile.
Step 12 Run forward-mode { direct-forward | tunnel | softgre profile-name }
The data forwarding mode is configured in the VAP profile.
By default, the forwarding mode is direct-forward in the VAP profile.
Step 13 Run service-vlan { vlan-id vlan-id | vlan-pool pool-name }
A service VLAN is configured for a VAP.
By default, VLAN 1 is the service VLAN of a VAP.
Step 14 Run ssid-profile profile-name
The SSID profile is bound to the VAP profile.
By default, the SSID profile default is bound to a VAP profile.
Step 15 Run quit
Return to the WLAN view.
Step 16 Run ap-group name group-name
An AP group is created, and the AP group view is displayed.
Step 17 Run vap-profile profile-name wlan wlan-id radio { radio-id | all } [ service-vlan { vlan-id
vlan-id | vlan-pool pool-name } ]
The VAP profile is bound to radios.
By default, no VAP profile is bound to a radio.

----End

Verifying the Configuration


• Run the display vap { all | ssid ssid } or display vap { ap-group ap-group-name | { ap-name ap-name | ap-id ap-id } [ radio radio-id ] } [ ssid ssid ] command to check service
  VAP information.
• Run the display vap-profile { all | name profile-name } command to check
  configuration and reference information about a VAP profile.
• Run the display references vap-profile name profile-name command to check reference
  information about the VAP profile.
• Run the display security-profile { all | name profile-name } command to check
  configuration and reference information about the security profile.
• Run the display references security-profile name profile-name command to check
  reference information about the security profile.
• Run the display ssid-profile { all | name profile-name } command to check
  configuration and reference information about the SSID profile.
• Run the display references ssid-profile name profile-name command to check
  reference information about the SSID profile.

30.5.4 Configuring Customer Flow Analysis

Context
Customer flow analysis allows APs to obtain information about STAs (such as the MAC
address, time stamp, and RSSI) in a shopping mall through the WLAN terminal location
function. The APs then send the information to the customer flow analysis server for statistics
collection and analysis.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan

The WLAN view is displayed.

Step 3 Set the working mode for radios in an AP group or for a specified radio.

You can set the radio working mode in the AP radio view or AP group radio view. The
configuration in the AP group radio view takes effect on all AP radios in an AP group and
that in the AP radio view takes effect only on a specified AP radio. The configuration in the
AP radio view has a higher priority than that in the AP group radio view.

• Set the working mode for all radios in an AP group.
  a. Run the ap-group name group-name command to enter the AP group view.
  b. Run the radio radio-id command to enter the radio view.
  c. Run the work-mode { normal | monitor [ dual-band-scan enable ] } command to
     set the working mode for radios in an AP group.
     By default, radios in an AP group work in normal mode.
  d. Run the quit command to return to the AP group view.
• Set the working mode for a specified AP radio.
  a. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the
     AP view.
  b. Run the radio radio-id command to enter the radio view.
  c. Run the work-mode { normal | monitor [ dual-band-scan enable ] } command to
     set the working mode for a specified AP radio.
     By default, an AP radio works in normal mode.
  d. Run the quit command to return to the AP view.


NOTE

An AP can work in two modes:

• normal: indicates the normal mode.
  – If the air scan function is disabled on a radio, including WIDS, spectrum analysis, and terminal
    location, the radio is used to transmit common WLAN services.
  – If the air scan function is enabled on a radio, the radio transmits common WLAN services and
    also implements detection. Transmission of common WLAN services may be affected.
• monitor: indicates the monitor mode.
  In this mode, the radio can only transmit WLAN services scanned by the air interface but cannot
  transmit common WLAN services.

Step 4 Run quit


Return to the WLAN view.
Step 5 Run air-scan-profile name profile-name
An air scan profile is created and the air scan profile view is displayed.
By default, the system provides the air scan profile default.
Step 6 Run the undo scan-disable command to enable the air scan function.
By default, the air scan function is enabled.
Step 7 Run scan-channel-set { country-channel | dca-channel | work-channel }
An air scan channel set is configured.
By default, an air scan channel set contains all channels supported by the country code of an
AP.
Step 8 (Optional) Run scan-period scan-time
The period during which the AP scans channels is configured.
The default period during which an AP scans channels is 60 ms.
The channel scan period applies to radio calibration, smart roaming, WLAN location, and
WIDS functions.
A shorter channel scan period means fewer location packets that the device can obtain, which
affects the location accuracy. A longer channel scan period has a much larger impact on
services.
Step 9 (Optional) Run scan-interval scan-time
The interval at which the AP scans channels is configured.
By default, the air scan interval is 10000 ms.
The channel scan interval applies to radio calibration, smart roaming, WLAN location, and
WIDS functions.

NOTE

• If the customer has high requirements on real-time data analysis, configure a small air scan interval using
  the scan-interval command to increase the scan frequency; however, a higher scan frequency has a
  much larger impact on the services.
• If the customer has high requirements on real-time locating services, deploy the APs on the same channel
  to scan channels.


Step 10 Run quit


Return to the WLAN view.
Step 11 Run radio-2g-profile name profile-name or radio-5g-profile name profile-name
The radio profile view of the specified AP is displayed.
• By default, the system provides the 2G radio profile default.
• By default, the system provides the 5G radio profile default.
Step 12 Run air-scan-profile profile-name
The air scan profile is bound to the radio profile.
By default, the air scan profile default is bound to a radio profile.
Step 13 Run quit
Return to the WLAN view.
Step 14 (Optional) Configure the WIDS function according to 11.6 Configuring Device Detection
and Containment and 11.7 Configuring Attack Detection and a Dynamic Blacklist.
To use the Wi-Fi terminal location function to locate unauthorized STAs, rogue APs and
bridges, and ad-hoc devices, you need to enable WIDS. To use the Wi-Fi terminal location
function to locate authorized STAs, you do not need to enable WIDS.
Step 15 Run vap-profile name profile-name
A VAP profile is created.
By default, the system provides the VAP profile default.

NOTE

When a VAP profile exists in the system, you can use the existing one or create a new one.

Step 16 Run quit


Return to the WLAN view.
Step 17 Bind the VAP profile to radios of an AP group or a specific AP as required to make the radios
properly work. For details, see 5.11.2.11 Binding VAP Profiles.
Step 18 Run quit
Return to the WLAN view.
Step 19 Run location-profile name profile-name
A location profile is created and the location profile view is displayed.
By default, no location profile is created.
Step 20 Run private mu-enable
Wi-Fi terminal location is enabled on the AP.
Locating a STA requires at least three APs to scan signals on the WLAN.
By default, Wi-Fi terminal location is disabled on an AP.
Step 21 (Optional) Run private report-frequency time

The interval at which the AP reports channel scan information is configured.

By default, an AP reports channel scan information every 20s (20000 ms).

Step 22 (Optional) Run private report-protocol { udp | http | https ssl-policy ssl-policy }

The protocol type used by APs to report information is configured.

By default, an AP uses UDP to report information.

Step 23 (Optional) Run private mu protocol-version { v3 | v5 }

The STA location protocol version is configured.

The default terminal location protocol version is v3.

Step 24 Run private server { ip-address ip-address | domain domain } port port-num [ via-ac ac-port ac-port-num ]

The destination IP address and port number are configured for the AP to report STA location
data.

By default, no destination IP address or port number is configured for the AP to report STA
location data.

Step 25 Run quit

Return to the WLAN view.

Step 26 Enter the AP group view or AP view.


• Run the ap-group name group-name command to enter the AP group view.
• Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
view.

Step 27 Run radio-2g-profile profile-name { radio { radio-id | all } } or radio-5g-profile profile-name { radio { radio-id | all } }

The radio profile is bound to the AP group or AP.

• By default, the 2G radio profile default is bound to an AP group, but no 2G radio profile
is bound to an AP.
• By default, the 5G radio profile default is bound to an AP group, but no 5G radio profile
is bound to an AP.

Step 28 Run location-profile profile-name radio { radio-id | all }

The location profile is bound to the specified radio on the AP.

By default, no location profile is bound to a radio.

----End

Verifying the Configuration


• Run the display location-profile name profile-name command to check Wi-Fi terminal
location configurations.

30.5.5 Configuring Servers


To configure the customer flow analysis server, RADIUS server, Portal server, and policy
configuration device, contact server vendors to obtain related installation documents. The
detailed operations are not described in this document.

30.5.6 Example for Configuring the Shopping Mall and Supermarket IoT Solution - Hotspot Service and Customer Flow Analysis

Service Requirements
To improve sales and increase profits, a shopping mall wants to promote consumption by
pushing customized advertisements to customers.
To meet these requirements, Huawei provides the hotspot service and customer flow analysis
solution. This solution provides secure and easy Wi-Fi access for customers and improves
user experience. Additionally, the shopping mall can analyze data to find shops that customers
are interested in and then push customized advertisements to their mobile phones, promoting
consumption.

Networking Requirements
• AC networking mode: Layer 2 in bypass mode
• DHCP deployment mode: Configure an AC as the DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding


Figure 30-3 Network for configuring the hotspot service and customer flow analysis

(Figure: customer flow analysis server 10.23.201.1, RADIUS server 10.23.200.1, Portal server 10.23.200.2, DNS server 10.23.200.3, and policy configuration device 10.23.200.4; the switch connects to the AC through GE0/0/1 on both devices and to three APs through GE0/0/2, GE0/0/3, and GE0/0/4; STAs associate with the APs.)

Data Planning

Table 30-2 Data planning

| Item | Data |
|---|---|
| RADIUS authentication parameters | Name of the RADIUS authentication scheme: radius_huawei; Name of the RADIUS server template: radius_huawei; IP address: 10.23.200.1; Authentication port number: 1812; Shared key: Huawei@123 |
| SSL policy | Name: huawei; PKI domain: default |
| Portal server template | Name: abc; URL address: https://10.23.200.2:8445/portal |
| Portal access profile | Name: portal1; Bound template: Portal server template abc |
| Authentication profile | Name: p1; Bound profile and authentication scheme: Portal access profile portal1, |
| Management VLAN | VLAN 100 |
| Service VLAN | VLAN 101 |
| AC's source interface | VLANIF 100 |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs. |
| IP address pool for STAs | 10.23.101.2 to 10.23.101.254/24 |
| AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net, regulatory domain profile default, location profile wlan-location, and radio profiles wlan-radio-2g and wlan-radio-5g |
| Regulatory domain profile | Name: default; Country code: CN |
| SSID profile | Name: wlan-net; SSID name: wlan-net |
| Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567 |
| VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net, security profile wlan-net, and authentication profile p1 |
| Air scan profile | Name: wlan-air-scan; Probe channel set: channels supported by the country code |
| 2G radio profile | Name: wlan-radio-2g; Referenced profile: air scan profile wlan-air-scan |
| 5G radio profile | Name: wlan-radio-5g; Referenced profile: air scan profile wlan-air-scan |
| Location profile | Name: wlan-location; Wi-Fi terminal location: enabled; Mode in which terminal information is reported: through the AC; Destination IP address and port number for the AC to report terminal information to the server: 10.23.201.1/32180; Destination port number for APs to report terminal information to the AC: 10001 |
| Host computer | Customer flow analysis server; IP address: 10.23.201.1; Port number: 32180 |

Configuration Roadmap
1. Configure the AC to communicate with servers.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the APs to go online.
4. Configure Portal authentication.
5. Configure WLAN services.
6. Configure communication parameters between APs and the host computer.
7. Configure APs' IP addresses on the host computer.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.


• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the AC to communicate with servers.

Configure routes based on the actual networking to ensure network interworking between the
AC and servers.

Step 3 Configure the switch and AC to enable APs to communicate with the AC.

# Configure the access switch. Add GE0/0/1 on the switch to VLAN 100, and GE0/0/2
through GE0/0/4 to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 to 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] quit

# Configure the AC. Add GE0/0/1 to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 to 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 4 Configure the AC as a DHCP server to assign IP addresses to APs and STAs.

# Configure the DHCP server based on the address pool of a VLANIF interface.


NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the APs to go online.

# Create an AP group to which APs with the same configuration are to be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the country code for the AC in the profile, and
bind the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the source interface on the AC.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group ap-group1. Configure an
AP name based on the AP's deployment location, so that you can know where the AP is
deployed from its name. If the AP with MAC address 60de-4476-e360 is in area 1, name the
AP area_1. Add the APs to area_2 and area_3 in the same way.
NOTE

The ap auth-mode command sets the AP authentication mode to MAC address authentication by default. If
the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4476-e3a0
[AC-wlan-ap-2] ap-name area_3
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit

# After the APs are powered on, run the display ap all command to check the AP states. If
the State field displays nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type       State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4050DN-E nor   0   22S    -
1    60de-4476-e380 area_2 ap-group1 10.23.100.253 AP4050DN-E nor   0   51S    -
2    60de-4476-e3a0 area_3 ap-group1 10.23.100.252 AP4050DN-E nor   0   55S    -
----------------------------------------------------------------------------------------------
Total: 3
[AC-wlan-view] quit

Step 6 Configure a RADIUS server template and a RADIUS authentication scheme.


NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured correctly and are
the same as those on the RADIUS server.

# Configure a RADIUS server template.


[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
[AC-radius-radius_huawei] radius-server shared-key cipher Huawei@123
[AC-radius-radius_huawei] quit

# Configure a RADIUS authentication scheme.


[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit

# Create the authentication domain huawei.com, and bind the AAA authentication scheme
radius_huawei and RADIUS server template radius_huawei to the domain.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

# Check whether a user can pass RADIUS authentication. The test user test and password
Huawei123 have been configured on the RADIUS server.


[AC] test-aaa test Huawei123 radius-template radius_huawei


Info: Account test succeed.

Step 7 Configure Portal authentication.


# Enable the Portal interconnection function of the HTTPS protocol.
[AC] portal web-authen-server https ssl-policy https-pol

NOTE

The SSL policy configuration is not mentioned here. For details, see Web System Login Configuration
in the S1720, S2700, S5700, and S6720 V200R012C00 Configuration Guide - Basic Configuration.

# Configure the Portal server template abc.


[AC] web-auth-server abc
[AC-web-auth-server-abc] protocol http password-encrypt uam
[AC-web-auth-server-abc] http-method post cmd-key cmd1
[AC-web-auth-server-abc] url https://10.23.200.2:8445/portal
[AC-web-auth-server-abc] quit

# Configure the Portal access profile portal1.


[AC] portal-access-profile name portal1
[AC-portal-acces-profile-portal1] web-auth-server abc direct
[AC-portal-acces-profile-portal1] quit

# Configure the authentication profile p1, bind the Portal access profile portal1 to the
authentication profile, specify the domain huawei.com as the forcible authentication domain
in the authentication profile, set the user access mode to multi-authen, and set the maximum
number of access users to 100.
[AC] authentication-profile name p1
[AC-authen-profile-p1] portal-access-profile portal1
[AC-authen-profile-p1] access-domain huawei.com force
[AC-authen-profile-p1] authentication mode multi-authen max-user 100
[AC-authen-profile-p1] quit

Step 8 Configure WLAN services.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, configure the data forwarding mode and service VLAN, and
apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] authentication-profile p1
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0


[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1


[AC-wlan-ap-group-ap-group1] quit

Step 9 Configure the air scan function on the AC.

# Enter the air scan profile wlan-air-scan and configure an air scan channel set. By default,
an air scan channel set contains all channels supported by the corresponding country code of
an AP.
[AC-wlan-view] air-scan-profile name wlan-air-scan
[AC-wlan-air-scan-prof-wlan-air-scan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-air-scan] quit

# Enter the 2G radio profile wlan-radio-2g and bind it to the air scan profile.
[AC-wlan-view] radio-2g-profile name wlan-radio-2g
[AC-wlan-radio-2g-prof-wlan-radio-2g] air-scan-profile wlan-air-scan
[AC-wlan-radio-2g-prof-wlan-radio-2g] quit

# Enter the 5G radio profile wlan-radio-5g and bind it to the air scan profile.
[AC-wlan-view] radio-5g-profile name wlan-radio-5g
[AC-wlan-radio-5g-prof-wlan-radio-5g] air-scan-profile wlan-air-scan
[AC-wlan-radio-5g-prof-wlan-radio-5g] quit

# Enter the AP group ap-group1 and bind it to the radio profiles.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-2g-profile wlan-radio-2g radio 0
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] radio-5g-profile wlan-radio-5g radio 1
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

Step 10 Configure the Wi-Fi terminal location function.

# Create the location profile wlan-location, enable the Wi-Fi terminal location function, and
configure the destination IP address and port number for reporting location information.
[AC-wlan-view] location-profile name wlan-location
[AC-wlan-location-prof-wlan-location] private mu-enable
[AC-wlan-location-prof-wlan-location] private server ip-address 10.23.201.1 port
32180 via-ac ac-port 10001
[AC-wlan-location-prof-wlan-location] quit

# Enter the AP group ap-group1 and bind it to the location profile.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] location-profile wlan-location radio all
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-ap-group-ap-group1] quit

Step 11 Add IP addresses of the APs to the host computer and configure the same shared key as that
on the APs.

Step 12 Verify the configuration.

# The WLAN service configuration is automatically delivered to the APs. After completing
the configuration, run the display vap ssid wlan-net command. If the Status field displays
ON, the VAP has been successfully created on the AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA/WPA2-PSK 1 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA/WPA2-PSK 0 wlan-net
1 area_2 0 1 60DE-4476-E380 ON WPA/WPA2-PSK 1 wlan-net
1 area_2 1 1 60DE-4476-E390 ON WPA/WPA2-PSK 0 wlan-net
2 area_3 0 1 60DE-4476-E3a0 ON WPA/WPA2-PSK 1 wlan-net
2 area_3 1 1 60DE-4476-E3b0 ON WPA/WPA2-PSK 0 wlan-net
--------------------------------------------------------------------------------
Total: 6

# View the location profile configuration.


[AC-wlan-view] display location-profile name wlan-location
--------------------------------------------------------------------------------
...
private mu : enable
private server : 10.23.201.1
private server domain : -
private server port : 32180
private via-AC : enable
private via-AC port : 10001
private report-frequency(ms) : 20000
private report-protocol : udp
private ssl-policy name : -
private mu protocol-version : v3
--------------------------------------------------------------------------------

# STAs can discover the wireless network with SSID wlan-net and associate with it after
successful Portal authentication.

----End

Configuration Files
• Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name p1
 portal-access-profile portal1
 authentication mode multi-authen max-user 100
 access-domain huawei.com force
#
dhcp enable
#
radius-server template radius_huawei
 radius-server shared-key cipher %^%#Y+{_U['QgLX705'xUi3H-cXD0\iPHM~}c<8*IHl.%^%#
 radius-server authentication 10.23.200.1 1812 weight 80
#
web-auth-server abc
 port 50100
 url https://10.23.200.2:8445/portal
 protocol http password-encrypt uam
 http-method post cmd-key cmd1
#
portal-access-profile name portal1
 web-auth-server abc direct
#
aaa
 authentication-scheme radius_huawei
  authentication-mode radius
 domain huawei.com
  authentication-scheme radius_huawei
  radius-server radius_huawei
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
portal web-authen-server https ssl-policy https-pol
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#*T~tI'mg@M*b6+.;NNq)`i[97LZlK~X_nSVeOEBO%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
  authentication-profile p1
 location-profile name wlan-location
  private mu-enable
  private server ip-address 10.23.201.1 port 32180 via-ac ac-port 10001
 regulatory-domain-profile name default
 air-scan-profile name wlan-air-scan
 radio-2g-profile name wlan-radio-2g
  air-scan-profile wlan-air-scan
 radio-5g-profile name wlan-radio-5g
  air-scan-profile wlan-air-scan
 ap-group name ap-group1
  location-profile wlan-location radio all
  radio 0
   radio-2g-profile wlan-radio-2g
   vap-profile wlan-net wlan 1
  radio 1
   radio-5g-profile wlan-radio-5g
   vap-profile wlan-net wlan 1
 ap-id 0 ap-mac 60de-4476-e360 ap-sn 210235419610D2000066
  ap-name area_1
  ap-group ap-group1
 ap-id 1 ap-mac 60de-4476-e380 ap-sn 210235419610D2000067
  ap-name area_2
  ap-group ap-group1
 ap-id 2 ap-mac 60de-4476-e3a0 ap-sn 210235419610D2000068
  ap-name area_3
  ap-group ap-group1
#
return
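The Configuration Notes for this example recommend port isolation on switch interfaces connected to APs, and a location profile reports over UDP unless private report-protocol selects https with an SSL policy. The Python script below is an added example, not part of the Huawei guide: it parses saved configuration files and lists AP-facing ports without port isolation and bound location profiles without an SSL policy. Assumptions: the two sample configurations are constructed from the files above, the port-isolate enable command does not appear in this section, and a trunk whose PVID is the management VLAN (100) is treated as AP-facing.

```python
import re

# Defaults this section states for a location profile that sets no report protocol.
DEFAULTS = {"protocol": "udp", "ssl_policy": None}

# Constructed sample inputs, modelled on the configuration files of this example.
SWITCH_CFG = """\
#
interface GigabitEthernet0/0/1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
 port-isolate enable group 1
#
return
"""

AC_CFG = """\
#
wlan
 location-profile name wlan-location
  private mu-enable
  private server ip-address 10.23.201.1 port 32180 via-ac ac-port 10001
 location-profile name wlan-location-tls
  private mu-enable
  private report-protocol https ssl-policy huawei
  private server ip-address 10.23.201.1 port 32180
 ap-group name ap-group1
  location-profile wlan-location radio all
#
return
"""

def parse_tree(text):
    """Turn an indented configuration file into nested (line, children) nodes."""
    root = []
    stack = [(-1, root)]                      # (indent, children list at that level)
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:         # climb back to this line's parent
            stack.pop()
        node = (line, [])
        stack[-1][1].append(node)
        stack.append((indent, node[1]))
    return root

def unisolated_ap_ports(switch_cfg, mgmt_vlan=100):
    """Interfaces assumed AP-facing (PVID = management VLAN) without port isolation."""
    missing = []
    for line, body in parse_tree(switch_cfg):
        if not line.startswith("interface "):
            continue
        cmds = [cmd for cmd, _ in body]
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in cmds
        isolated = any(cmd.startswith("port-isolate enable") for cmd in cmds)
        if ap_facing and not isolated:
            missing.append(line.split(None, 1)[1])
    return missing

def location_profiles(ac_cfg):
    """Return {profile name: effective settings}, with stated defaults filled in."""
    profiles, bound = {}, set()
    for line, children in parse_tree(ac_cfg):
        if line != "wlan":
            continue
        for sub, body in children:
            name = re.fullmatch(r"location-profile name (\S+)", sub)
            if name:
                s = dict(DEFAULTS, enabled=False, server=None, via_ac=False)
                for cmd, _ in body:
                    if cmd == "private mu-enable":
                        s["enabled"] = True
                    elif (p := re.fullmatch(
                            r"private report-protocol (udp|http|https ssl-policy (\S+))", cmd)):
                        s["protocol"], s["ssl_policy"] = p.group(1).split()[0], p.group(2)
                    elif (p := re.match(
                            r"private server (?:ip-address|domain) (\S+) port (\d+)", cmd)):
                        s["server"] = f"{p.group(1)}:{p.group(2)}"
                        s["via_ac"] = " via-ac " in cmd
                profiles[name.group(1)] = s
            elif sub.startswith(("ap-group name ", "ap-id ")):
                for cmd, _ in body:           # bindings inside an AP group or AP view
                    b = re.match(r"location-profile (\S+) radio ", cmd)
                    if b:
                        bound.add(b.group(1))
    for name, s in profiles.items():
        s["bound"] = name in bound
    return profiles

def audit(switch_cfg, ac_cfg):
    """Collect findings for both checks as readable strings."""
    findings = [f"{port}: AP-facing port without port isolation"
                for port in unisolated_ap_ports(switch_cfg)]
    for name, s in location_profiles(ac_cfg).items():
        if s["enabled"] and s["bound"] and s["ssl_policy"] is None:
            findings.append(f"location-profile {name}: reports to {s['server']} "
                            f"over {s['protocol']} without an ssl-policy")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SWITCH_CFG, AC_CFG)))
```

The parser relies on the leading-space indentation of a saved configuration file, so feed it the file as exported from the device rather than text copied from a flattened document.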


31 Shopping Mall and Supermarket IoT Solution - Indoor Navigation

31.1 Overview of the Shopping Mall and Supermarket IoT Solution - Indoor Navigation

Scenario Overview
In large public places such as shopping malls with large areas and complicated environments,
it is difficult for customers to find shops or parked cars.
Huawei provides an intelligent indoor navigation solution that allows customers to quickly
find shops or parked cars following instructions of a mobile app.
This solution is applicable not only to shopping malls but also to airports, large exhibition
centers, and large libraries.

Solution Benefits
This solution brings the following benefits:
• Customers can quickly find shops or parked cars using a mobile app, improving
customer satisfaction with shopping malls and promoting customers' buying intention.
• A WLAN can be reused as an intelligent indoor navigation IoT network to achieve
network integration, reducing network deployment and maintenance costs and helping
administrators centrally manage the network.

Network Architecture
As shown in Figure 31-1, the network architecture of the intelligent indoor navigation IoT
solution consists of the terminal layer, access layer, network layer, and application layer.


Figure 31-1 Network architecture

(Figure: location server and app server at the application layer; switch and AC at the network layer; APs and BLE devices at the access layer; STA at the terminal layer, receiving Bluetooth signals.)

• Terminal layer
Smart terminals such as mobile phones and tablets are located at this layer.
• Access layer
APs are deployed at this layer.
• Network layer
ACs and switches are deployed at this layer.
• Application layer
The location server and app server are deployed at this layer.


Related Products

Table 31-1 Related products

| Device | Function | Vendor |
|---|---|---|
| AP | Provides wireless network coverage for mobile phones. Scans BLE broadcast frames to obtain BLE device information, and reports the information to an AC. An AP also functions as a BLE device to send BLE broadcast frames. Sends Bluetooth terminal location packets to the AC or location server. | Huawei. Only the AP4050DN-E can be used. |
| AC | Manages APs, delivers configurations to them, and works together with them. | Huawei |
| Switch | It is used to build a networking structure and forward packet data on the network. | Huawei |
| BLE device | Periodically sends BLE broadcast frames to provide Beacon signals for Bluetooth terminals such as mobile phones and tablets. Different from the built-in Bluetooth module of an AP, a BLE device is independently deployed. | Lanke Xuntong Technology |
| Mobile app | Collects BLE device information and RSSIs, collects map information from the location server, and computes and displays BLE device locations. The mobile app is installed on mobile phones or tablets. | EtoneSystem |
| App server | Obtains map information and BLE device location information from the location server, and sends the information to the mobile app. | EtoneSystem |
| Location server | Functions as a location server that has location map models and BLE device location information configured. | EtoneSystem |

31.2 Understanding the Shopping Mall and Supermarket IoT Solution - Indoor Navigation
Figure 31-2 shows implementation of the intelligent indoor navigation solution.

Figure 31-2 Network for the intelligent indoor navigation solution

(Figure: location server, app server, switch, AC, APs, BLE devices, and a STA receiving Bluetooth signals; the numbers 1 to 7 in the figure mark the steps described below.)

1. The built-in Bluetooth module of an AP scans for Bluetooth broadcast frames in the
surrounding environment to obtain the universal unique identifiers (UUIDs) and RSSI
calibration values of surrounding BLE devices and Bluetooth terminals (mobile phones
and tablets with the Bluetooth function enabled). The AP sends requests to the BLE
devices and Bluetooth terminals to obtain BLE power information.


2. The AP reports obtained information such as UUIDs, RSSI calibration values, and BLE
power of BLE devices to the AC, and reports Bluetooth terminal location packets to the
AC or location server.
The Bluetooth broadcast function needs to be enabled for the built-in Bluetooth module
of the AP, so that the AP can function as a BLE device to send BLE broadcast frames. In
this case, the AP can directly report the UUID, RSSI calibration value, and power of the
built-in Bluetooth module to the AC without the need of scanning.
3. The AC reports Bluetooth terminal location packets, as well as low power alarm and
fault alarm information about BLE devices to the location server.
4. On the location server, make floor plans and location map models, add BLE devices, set
their deployment locations, monitor their status, and compute Bluetooth terminal
locations.
5. The app server obtains map information and BLE device location information from the
location server.
6. The app server sends map information and BLE device locations to Bluetooth terminals.
Bluetooth terminals must be able to access the Internet through a WLAN or cellular
network, so the indoor navigation app installed on the Bluetooth terminals can
communicate with the app server.
7. Enable the indoor navigation app on a Bluetooth terminal and perform the following
steps:
a. Collect information about scanned BLE devices and their signal strengths.
b. Collect information about sensors of mobile phones, such as speed sensors and
gyroscopes.
c. Obtain map information from the location server.
d. The Bluetooth terminal computes the location information and uses the computing
results for applications such as indoor navigation, car seeking, and shop seeking to
provide users with the navigation and car or shop seeking services.

31.3 Implementation Precautions for the Shopping Mall and Supermarket IoT Solution - Indoor Navigation
Network Planning Precautions
In the intelligent indoor navigation IoT solution, the deployment density of BLE devices is
higher than that of common APs. To achieve the location precision of 1 m to 3 m, you are
advised to deploy BLE devices at an interval of 5 m to 7 m. Ensure that Bluetooth signals of
at least three BLE devices can be detected at any location. Figure 31-3 shows the
recommended and non-recommended modes for deploying BLE devices.

Figure 31-3 BLE device deployment mode

[Figure: recommended deployment mode and non-recommended deployment mode for BLE devices.]

Constraints
To use the indoor navigation IoT function, you need to enable the Bluetooth function of
terminals such as mobile phones and tablets and install the indoor navigation app.

31.4 Software and Hardware Installation for the Shopping Mall and Supermarket IoT Solution - Indoor Navigation

Installing APs
For details on how to install APs, see the AP hardware installation and maintenance guide.

Installing BLE Devices


Contact the vendor of BLE devices to obtain related installation documents. After the
installation is complete, configure parameters such as the interval for sending Beacon frames
and RSSI. The detailed operations are not described in this document.

Installing Servers
To install the location server and app server, contact the server vendors to obtain related
installation documents. The detailed operations are not described in this document.

31.5 Configuration Guide for the Shopping Mall and Supermarket IoT Solution - Indoor Navigation

31.5.1 Configuring Network Interworking

Configure network interworking of network elements (NEs) to ensure proper data transmission.

Configuring Management Packet Exchange


Management packets between an AC and APs are transmitted only on the network between
them. To ensure that the AC and APs exchange management packets properly, configure
correct VLANs or routes.

Configuring Service Packet Exchange


Service packets are transmitted between STAs and the upper-layer network. Configure service
packet exchange to ensure proper transmission of service packets.

Configuring APs and STAs to Communicate with a DHCP Server


APs and STAs must obtain IP addresses from a DHCP server; therefore, you need to
configure the APs and STAs to communicate with the DHCP server.

Configuring the AC to Communicate with the Location Server


Configure the AC to communicate with the location server, so that the AC can report
Bluetooth data and information to the location server.

Configuring the Location Server to Communicate with the App Server


Configure the location server to communicate with the app server, so that the app server can
obtain map information and BLE device location information from the location server.

31.5.2 Configuring APs to Go Online

Context
After network interworking is configured, configure APs to go online on an AC so that the
AC can deliver configurations to the APs.
This document only describes basic go-online configurations of APs on the AC. For more
information, see 5.9 Configuring APs to Go Online.
Perform the following operations on the AC to configure an AP to go online.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run interface vlanif vlan-id
A VLANIF interface is created, and the VLANIF interface view is displayed.
By default, no VLANIF interface is created.
Step 4 Run ip address ip-address { mask | mask-length }
An IP address and a subnet mask are configured for the VLANIF interface.
By default, no IP address is configured for a VLANIF interface.
Step 5 Run quit
Return to the system view.
Step 6 Run capwap source interface vlanif vlan-id
The VLANIF interface is configured as the source interface of the CAPWAP tunnel
established between the AP and AC.
By default, no source interface is configured for the CAPWAP tunnel established between the
AP and AC.
Step 7 Run wlan
The WLAN view is displayed.
Step 8 Run regulatory-domain-profile name profile-name
A regulatory domain profile is created and the regulatory domain profile view is displayed.
By default, the system provides the regulatory domain profile default.
Step 9 Run country-code country-code
The country code is configured.
By default, the country code CN is configured.

Step 10 Run quit
Return to the WLAN view.
Step 11 Run ap-group name group-name
An AP group is created, and the AP group view is displayed.
Step 12 Run regulatory-domain-profile profile-name
The regulatory domain profile is bound to the AP group.
By default, the regulatory domain profile default is bound to the AP group.
Step 13 Run quit
Return to the WLAN view.
Step 14 Run ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | ap-sn ap-sn |
ap-mac ap-mac ap-sn ap-sn } ] or ap-mac ap-mac [ type-id type-id | ap-type ap-type ] [ ap-id
ap-id ] [ ap-sn ap-sn ]
The AP is imported in offline mode, and the AP view is displayed.
Step 15 Run ap-name ap-name
The AP name is configured.
By default, no AP name is configured for an AP.
Step 16 Run ap-group group-name
The AP is added to the AP group.
By default, no AP group is configured.

----End

Verifying the Configuration


• Run the display ap all command to check whether the AP goes online on the AC.
• Run the display capwap configuration command to check the source interface or
  source IP address of the AC.
• Run the display regulatory-domain-profile { all | name profile-name } command to
  check the country code configured in the regulatory domain profile.
• Run the display references regulatory-domain-profile name profile-name command to
  check reference information about the regulatory domain profile.

31.5.3 Configuring the Wireless Coverage Service

Context
A WLAN can be reused as an indoor navigation IoT network, reducing network deployment
and maintenance costs and helping administrators centrally manage the network.
This document provides only basic wireless coverage service configurations. For more
information, see 5 WLAN Service Configuration.
Perform the following operations on the AC to configure an AP to go online.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run wlan
The WLAN view is displayed.
Step 4 Run security-profile name profile-name
A security profile is created and the security profile view is displayed.
By default, security profiles default, default-wds, and default-mesh are available in the
system.
Using the default security policy after the security profile is created poses security risks.
You are advised to configure a proper security policy according to actual service requirements.
For the detailed configuration, see 12.4 Configuring a WLAN Security Policy.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run ssid-profile name profile-name
An SSID profile is created and the SSID profile view is displayed.
By default, the system provides the SSID profile default.
Step 7 Run ssid ssid
An SSID name is configured.
By default, the SSID HUAWEI-WLAN is configured in an SSID profile.
Step 8 Run quit
Return to the WLAN view.
Step 9 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 10 Run security-profile profile-name
The security profile is bound to the VAP profile.
By default, the security profile default is bound to a VAP profile.
Step 11 Run forward-mode { direct-forward | tunnel | softgre profile-name }
The data forwarding mode is configured in the VAP profile.
By default, the forwarding mode is direct-forward in the VAP profile.
Step 12 Run service-vlan { vlan-id vlan-id | vlan-pool pool-name }
A service VLAN is configured for a VAP.

By default, VLAN 1 is the service VLAN of a VAP.

Step 13 Run ssid-profile profile-name

The SSID profile is bound to the VAP profile.

By default, the SSID profile default is bound to a VAP profile.

Step 14 Run quit

Return to the WLAN view.

Step 15 Run ap-group name group-name

An AP group is created, and the AP group view is displayed.

Step 16 Run vap-profile profile-name wlan wlan-id radio { radio-id | all } [ service-vlan { vlan-id
vlan-id | vlan-pool pool-name } ]

The VAP profile is bound to radios.

By default, no VAP profile is bound to a radio.

----End

Verifying the Configuration


• Run the display vap { all | ssid ssid } or display vap { ap-group ap-group-name |
  { ap-name ap-name | ap-id ap-id } [ radio radio-id ] } [ ssid ssid ] command to check
  service VAP information.
• Run the display vap-profile { all | name profile-name } command to check
  configuration and reference information about a VAP profile.
• Run the display references vap-profile name profile-name command to check reference
  information about the VAP profile.
• Run the display security-profile { all | name profile-name } command to check
  configuration and reference information about the security profile.
• Run the display references security-profile name profile-name command to check
  reference information about the security profile.
• Run the display ssid-profile { all | name profile-name } command to check
  configuration and reference information about the SSID profile.
• Run the display references ssid-profile name profile-name command to check
  reference information about the SSID profile.
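
The defaults named in this procedure (the default security policy of a new security profile, security profile default bound to a VAP profile, service VLAN 1) and the guide's rule that the management and service VLANs must differ in tunnel forwarding mode can be checked against a typed command list. The following Python check is an added example, not Huawei tooling; the sample session, the profiles guest-sec, guest and lobby, the 12-character pass-phrase floor, and treating the CAPWAP source VLANIF as the management VLAN are assumptions made for illustration.

```python
import re

PROMPT = re.compile(r"^\s*(?:<[^>]+>|\[[^\]]+\])\s*")  # "<HUAWEI> " or "[AC-wlan-view] "
MIN_PSK_LEN = 12                 # assumption: local policy floor, not a value from the guide
DOC_EXAMPLE_PSKS = {"a1234567"}  # pass-phrase printed in the guide's own example

# Constructed session. The commands are the ones used in this guide; the profiles
# guest-sec, guest and lobby are made up so that every check fires once.
SAMPLE = """\
[AC] capwap source interface vlanif 100
[AC] wlan
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit
[AC-wlan-view] security-profile name guest-sec
[AC-wlan-sec-prof-guest-sec] quit
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit
[AC-wlan-view] vap-profile name guest
[AC-wlan-vap-prof-guest] forward-mode tunnel
[AC-wlan-vap-prof-guest] service-vlan vlan-id 100
[AC-wlan-vap-prof-guest] security-profile guest-sec
[AC-wlan-vap-prof-guest] quit
[AC-wlan-view] vap-profile name lobby
[AC-wlan-vap-prof-lobby] quit
"""


def parse(text):
    """Return (mgmt_vlan, security_profiles, vap_profiles) from typed CLI lines."""
    mgmt_vlan, sec, vap = None, {}, {}
    view, cur = None, None  # kind of view we are in, and the profile being edited
    for raw in text.splitlines():
        words = PROMPT.sub("", raw).split()
        if not words:
            continue
        if words == ["quit"]:
            view, cur = None, None
        elif words[:4] == ["capwap", "source", "interface", "vlanif"] \
                and len(words) == 5 and words[4].isdigit():
            mgmt_vlan = int(words[4])  # assumption: management VLAN = source VLANIF
        elif len(words) == 3 and words[1] == "name":  # "<kind> name <profile>"
            view = words[0]
            if view == "security-profile":
                cur = sec.setdefault(words[2], {"policy": None, "psk": None})
            elif view == "vap-profile":
                # forwarding default per the guide; None means "never set explicitly"
                cur = vap.setdefault(
                    words[2], {"forward": "direct-forward", "vlan": None, "sec": None})
            else:
                cur = None  # ssid-profile, ap-group, ble-profile ... not audited here
        elif view == "security-profile" and words[0] == "security" and len(words) > 1:
            cur["policy"] = words[1]
            if "pass-phrase" in words[:-1]:
                cur["psk"] = words[words.index("pass-phrase") + 1]
        elif view == "vap-profile" and len(words) >= 2:
            if words[0] == "forward-mode":
                cur["forward"] = words[1]
            elif words[0] == "service-vlan" and len(words) == 3:
                is_id = words[1] == "vlan-id" and words[2].isdigit()
                cur["vlan"] = int(words[2]) if is_id else words[2]  # else: pool name
            elif words[0] == "security-profile" and len(words) == 2:
                cur["sec"] = words[1]
    return mgmt_vlan, sec, vap


def audit(text):
    """Return (target, issue) pairs; pass-phrases are never echoed back."""
    mgmt_vlan, sec, vap = parse(text)
    findings = []
    for name, p in sec.items():
        if p["policy"] is None:
            findings.append((f"security-profile {name}", "default-security-policy"))
        psk = p["psk"]
        if psk is not None and (len(psk) < MIN_PSK_LEN or psk in DOC_EXAMPLE_PSKS):
            findings.append((f"security-profile {name}", "weak-psk"))
    for name, p in vap.items():
        if p["sec"] in (None, "default"):
            findings.append((f"vap-profile {name}", "default-security-profile-bound"))
        if p["vlan"] is None:
            findings.append((f"vap-profile {name}", "service-vlan-defaults-to-1"))
        if p["forward"] == "tunnel" and mgmt_vlan is not None and p["vlan"] == mgmt_vlan:
            findings.append((f"vap-profile {name}", "tunnel-service-vlan-equals-mgmt-vlan"))
    return findings


if __name__ == "__main__":
    for target, issue in audit(SAMPLE):
        print(f"{target}: {issue}")
```
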

31.5.4 Configuring the Bluetooth Terminal Location Function

Context
Configure the Bluetooth location function for indoor navigation.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ble-profile name profile-name
A BLE profile is created.
By default, no BLE profile is created.
Step 4 Run sniffer enable ibeacon-mode
By default, the Bluetooth function of an AP's built-in Bluetooth module is disabled.
Step 5 Configure the Bluetooth broadcast function for an AP's built-in Bluetooth module.
NOTE

• If an independent Bluetooth device is deployed on a WLAN, this step is optional.
• If no independent Bluetooth device is deployed on a WLAN, this step is mandatory.
• Only the AP4050DN-E supports the Bluetooth broadcast function.
1. Run broadcaster enable
The Bluetooth broadcast function of an AP's built-in Bluetooth module is enabled.
By default, the Bluetooth broadcast function of an AP's built-in Bluetooth module is
disabled.
2. Run tx-power tx-power-value
The transmit power is set for the built-in Bluetooth module of an AP.
By default, the transmit power of an AP's built-in Bluetooth module is 0 dBm.
3. Run broadcasting-content { uuid { uuid-character-string uuid-value | uuid-hex uuid-value }
| major { major-character-string major-value | major-hex major-value | major-decimal
major-value } | minor { minor-character-string minor-value | minor-hex minor-value |
minor-decimal minor-value } | reference-rssi reference-rssi-value }*
The content of BLE broadcast frames sent by an AP's built-in Bluetooth module is
configured.
By default, the UUID, Major, and Minor fields in a BLE broadcast frame sent by an AP's
built-in Bluetooth module are null, and the RSSI calibration value is -65 dBm.
The RSSI calibration value in a BLE broadcast frame is set based on the actual
measurement result.
4. Run broadcasting-interval broadcasting-interval-value
The interval for an AP's built-in Bluetooth module to send BLE broadcast frames is set.
By default, the built-in Bluetooth module of an AP sends BLE broadcast frames at an
interval of 500 ms.
Step 6 Run quit
Return to the WLAN view.
Step 7 Enter the AP view or AP group view.
• Run the ap-group name group-name command to enter the AP group view.
• Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
  view.

Step 8 (Optional) Run broadcasting-content uuid { uuid-character-string uuid-value | uuid-hex
uuid-value }

The UUID of BLE broadcast frames sent by an AP's built-in Bluetooth module is configured.

By default, the UUID of the BLE broadcast frames sent by an AP's built-in Bluetooth module
is null.

Step 9 (Optional) Run ble-profile profile-name

A BLE profile is applied to an AP or AP group.

By default, no BLE profile is bound to an AP group or AP.

Step 10 Enable server-side location.

1. Run report enable

An AP is enabled to send Bluetooth terminal location packets.

By default, an AP is disabled from sending Bluetooth packets.

2. Run report-mode { immediate | periodic [ interval interval ] }

The mode in which Bluetooth terminal location packets are sent is configured.

By default, an AP sends Bluetooth packets at an interval of 10 seconds.

3. Run report-to-server ip-address ip-address port port-num [ via-ac ac-port ac-port-num ]
or report-to-server domain domain port port-num

The destination IP address and port number to which an AP sends Bluetooth terminal
location packets are configured.

By default, no destination IP address or port number is configured for APs to report
Bluetooth packets.

Step 11 Run quit

Return to the WLAN view.

Step 12 (Optional) Run ble low-power-threshold low-power-threshold

The low power alarm threshold for BLE devices is set.

By default, the low power alarm threshold of BLE devices or Bluetooth tags is 20%.

Step 13 (Optional) Run ble monitoring-list mac mac-address1 [ to mac-address2 ]

A specified Bluetooth device is added to the monitoring list on the built-in Bluetooth module
of an AP.

By default, no Bluetooth devices are added to the monitoring list.

When no Bluetooth device is added to the monitoring list, all Bluetooth devices are
monitored. When any Bluetooth device is offline or has insufficient battery power, an alarm is
triggered on the AC accordingly. When Bluetooth devices are added to the monitoring list,
only the Bluetooth devices in the list are monitored. When a Bluetooth device in the
monitoring list is offline or has insufficient battery power, an alarm is triggered on the AC
accordingly.

----End

Verifying the Configuration


• Run the display ble-profile { all | name profile-name } command to check configuration
  and reference information about a BLE profile.
• Run the display references ble-profile name profile-name command to check reference
  information about a BLE profile.
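
The broadcasting-content command above sets the UUID, Major, Minor, and RSSI calibration value carried in each BLE broadcast frame. The following Python parser is an added example, not part of the guide or of Huawei software; it assumes the AP's built-in module emits the standard iBeacon advertisement layout (as ibeacon-mode suggests), and the captured frame and expected values are constructed. It decodes a frame and reports which fields differ from the values you configured.

```python
import struct
import uuid
from dataclasses import dataclass

APPLE_COMPANY_ID = 0x004C   # company identifier used by iBeacon frames
IBEACON_TYPE = 0x02
IBEACON_LEN = 0x15          # 21 bytes: UUID(16) + Major(2) + Minor(2) + RSSI(1)
AD_TYPE_MANUFACTURER = 0xFF


@dataclass(frozen=True)
class IBeacon:
    uuid: uuid.UUID
    major: int
    minor: int
    reference_rssi: int     # RSSI calibration value in dBm (signed)


def iter_ad_structures(adv: bytes):
    """Yield (ad_type, data) for each length-prefixed AD structure."""
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0:                     # zero length marks padding
            break
        if i + 1 + length > len(adv):
            raise ValueError("truncated AD structure")
        yield adv[i + 1], adv[i + 2:i + 1 + length]
        i += 1 + length


def parse_ibeacon(adv: bytes):
    """Return an IBeacon, or None if the advertisement is not an iBeacon frame."""
    for ad_type, data in iter_ad_structures(adv):
        if ad_type != AD_TYPE_MANUFACTURER or len(data) < 4:
            continue
        company, btype, blen = struct.unpack_from("<HBB", data)  # company ID is little-endian
        if (company, btype, blen) != (APPLE_COMPANY_ID, IBEACON_TYPE, IBEACON_LEN):
            continue
        if len(data) != 4 + IBEACON_LEN:
            raise ValueError("iBeacon payload has wrong length")
        raw_uuid, major, minor, rssi = struct.unpack_from(">16sHHb", data, 4)
        return IBeacon(uuid.UUID(bytes=raw_uuid), major, minor, rssi)
    return None


def mismatches(beacon: IBeacon, expected: dict):
    """Return the names of fields whose value differs from the configured one."""
    return [name for name, want in expected.items() if getattr(beacon, name) != want]


# Constructed capture: flags AD structure, then one iBeacon manufacturer AD structure.
SAMPLE_ADV = bytes.fromhex(
    "020106"                              # flags
    "1aff4c000215"                        # len 26, type 0xFF, company 0x004C, 0x02, 0x15
    "12345678123412341234123456789abc"    # UUID (constructed)
    "0001"                                # Major = 1
    "0002"                                # Minor = 2
    "bf"                                  # RSSI calibration = -65 dBm (the guide's default)
)

# Values you would have configured with broadcasting-content (constructed here).
EXPECTED = {
    "uuid": uuid.UUID("12345678-1234-1234-1234-123456789abc"),
    "major": 1,
    "minor": 2,
    "reference_rssi": -65,
}

if __name__ == "__main__":
    beacon = parse_ibeacon(SAMPLE_ADV)
    print(beacon, mismatches(beacon, EXPECTED))
```
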

31.5.5 Configuring a Location Server


Configure Bluetooth terminal location parameters on the location server.
Install the indoor navigation app on a Bluetooth terminal, enable the Bluetooth function, and
enable the Wi-Fi or cellular network to ensure that the Bluetooth terminal can access the
network and send information about scanned BLE devices to the location server.

31.5.6 Example for Configuring the Shopping Mall and Supermarket IoT Solution - Indoor Navigation

Service Requirements
In a large shopping mall with a complex environment, it is difficult for customers to
find parked cars and shops. To help customers easily find shops or parked cars, improve
customer satisfaction, and promote customers' buying intention, the shopping mall expects to
provide navigation services.
To meet these requirements of the shopping mall, Huawei provides the indoor navigation
solution. This solution provides customers with easy and secure Wi-Fi network access and
improves customers' network experience. Additionally, an indoor navigation app is provided
for customers to find shops or parked cars, improving customer satisfaction.

Networking Requirements
• AC networking mode: Layer 2 in bypass mode
• DHCP deployment mode: Configure an AC as the DHCP server to assign IP addresses to
  APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 31-4 Network for configuring indoor navigation

[Figure: Location server, App server, Switch (GE0/0/1 to GE0/0/4), AC (GE0/0/1), three APs,
BLE devices, and an STA receiving Bluetooth signals.]

Data Planning

Table 31-2 Data planning


Item                       Data

Management VLAN            VLAN 100

Service VLAN               VLAN 101

AC's source interface      VLANIF 100

DHCP server                The AC functions as a DHCP server to assign IP addresses to APs and STAs.

IP address pool for STAs   10.23.101.2 to 10.23.101.254/24

AP group                   • Name: ap-group1
                           • Referenced profiles: VAP profile wlan-net, regulatory domain profile
                             default, and BLE profile wlan-ble

Regulatory domain profile  • Name: default
                           • Country code: CN

SSID profile               • Name: wlan-net
                           • SSID name: wlan-net

Security profile           • Name: wlan-net
                           • Security policy: WPA-WPA2+PSK+AES
                           • Password: a1234567

VAP profile                • Name: wlan-net
                           • Forwarding mode: direct forwarding
                           • Service VLAN: VLAN 101
                           • Referenced profiles: SSID profile wlan-net and security profile wlan-net

BLE profile                • Name: wlan-ble
                           • Bluetooth monitoring function of APs' built-in Bluetooth modules: enabled
                           • Bluetooth broadcast function of APs' built-in Bluetooth modules: enabled

Configuration Roadmap
1. Configure network interworking between the AC and location server, and between the
location server and app server.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the APs to go online.
4. Configure WLAN services.
5. Configure the Bluetooth terminal location function.
6. Configure the location server.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
  addition, wireless links are unstable. To ensure stable transmission of multicast packets,
  they are usually sent at low rates. If a large number of such multicast packets are sent
  from the network side, the air interfaces may be congested. You are advised to configure
  multicast packet suppression to reduce impact of a large number of low-rate multicast
  packets on the wireless network. Exercise caution when configuring the rate limit;
  otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
    suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
    suppression in traffic profiles of the AC.
  For details on how to configure traffic suppression, see "How Do I Configure Multicast
  Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
  on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
  WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
  isolation is not configured and direct forwarding is used, a large number of unnecessary
  broadcast packets may be generated in the VLAN, blocking the network and degrading
  user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
  same. Only packets from the management VLAN are transmitted between the AC and
  APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure network interworking between the AC and location server, and between the
location server and app server.
Configure routes based on the actual networking to ensure network interworking.
Step 3 Configure the switch and AC to enable APs to communicate with the AC.
# Configure the access switch. Add GE0/0/1 on the switch to VLAN 100, and GE0/0/2
through GE0/0/4 to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 to 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] quit

# Configure the AC. Add GE0/0/1 to VLAN 100.

<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 to 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 4 Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
# Configure the DHCP server based on the address pool of a VLANIF interface.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
  VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
  view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the APs to go online.


# Create an AP group to which APs with the same configuration are to be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the country code for the AC in the profile, and
bind the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the source interface on the AC.


[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to the AP group ap-group1. Configure an
AP name based on the AP's deployment location, so that you can know where the AP is
deployed from its name. If the AP with MAC address 60de-4476-e360 is in area 1, name the
AP area_1. Add the APs to area_2 and area_3 in the same way.
NOTE

The ap auth-mode command sets the AP authentication mode to MAC address authentication by default. If
the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP4050DN-E is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4476-e3a0
[AC-wlan-ap-2] ap-name area_3
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit

# After the APs are powered on, run the display ap all command to check the AP states. If
the State field displays nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type       State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP4050DN-E nor   0   22S    -
1    60de-4476-e380 area_2 ap-group1 10.23.100.253 AP4050DN-E nor   0   51S    -
2    60de-4476-e3a0 area_3 ap-group1 10.23.100.252 AP4050DN-E nor   0   55S    -
----------------------------------------------------------------------------------------------
Total: 3

Step 6 Configure WLAN services.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and password to a1234567. In actual
situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure the Bluetooth terminal location function.


# Create BLE profile wlan-ble and configure the Bluetooth location function.
[AC-wlan-view] ble-profile name wlan-ble
[AC-wlan-ble-prof-wlan-ble] sniffer enable ibeacon-mode
[AC-wlan-ble-prof-wlan-ble] broadcaster enable
[AC-wlan-ble-prof-wlan-ble] quit

# Add the BLE devices within the AP's coverage area to the monitoring list.
[AC-wlan-view] ble monitoring-list mac 1234-1234-1000 to 1234-1234-1002

# Apply the BLE profile to the AP group.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ble-profile wlan-ble
[AC-wlan-ap-group-ap-group1] quit

Step 8 Configure the location server.


Configure Bluetooth terminal location parameters on the location server.
Step 9 Verify the configuration.
# The WLAN service configuration is automatically delivered to the APs. After completing
the configuration, run the display vap ssid wlan-net command. If the Status field displays
ON, the VAP has been successfully created on the AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name  RfID WID  BSSID          Status  Auth type     STA  SSID
--------------------------------------------------------------------------------
0     area_1   0    1    60DE-4476-E360 ON      WPA/WPA2-PSK  1    wlan-net
0     area_1   1    1    60DE-4476-E370 ON      WPA/WPA2-PSK  0    wlan-net
1     area_2   0    1    60DE-4476-E380 ON      WPA/WPA2-PSK  1    wlan-net
1     area_2   1    1    60DE-4476-E390 ON      WPA/WPA2-PSK  0    wlan-net
2     area_3   0    1    60DE-4476-E3a0 ON      WPA/WPA2-PSK  1    wlan-net
2     area_3   1    1    60DE-4476-E3b0 ON      WPA/WPA2-PSK  0    wlan-net
--------------------------------------------------------------------------------
Total: 6

# Check Bluetooth tag information obtained by the APs.


[AC-wlan-view] display wlan ble site-info all
--------------------------------------------------------------------------------
Index MAC            Host AP ID Host AP name RSSI Power Type
      DetachedFlag Aging-Timeout(m) Broadcast count Advertisement data
--------------------------------------------------------------------------------
0     1234-1234-1000 0          area_1       -30  50%   ibeacon
      N            57               10              02-02-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-fa
1     1234-1234-1001 1          area_2       -31  51%   ibeacon
      N            57               10              01-02-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-fa
2     1234-1234-1002 2          area_3       -32  55%   ibeacon
      N            57               10              03-02-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-fa
--------------------------------------------------------------------------------
Total: 3

# A Bluetooth terminal can discover the wireless network with the SSID wlan-net, and can
associate with it after successful authentication. After opening the indoor navigation app and
obtaining location information from the app server, you can use the car seeking and shop
seeking functions.

----End

Configuration Files
• Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
return

• AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 to 101
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#.s:$0fYX$<HdNy8PVSOXjJ+o#IwB{Hd5toDo)`F$%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ble-profile name wlan-ble
  broadcaster enable
  sniffer enable ibeacon-mode
 ble monitoring-list mac 1234-1234-1000
 ble monitoring-list mac 1234-1234-1001
 ble monitoring-list mac 1234-1234-1002
 ap-group name ap-group1
  ble-profile wlan-ble
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 ap-mac 60de-4476-e360 ap-sn 210235419610D2000066
  ap-name area_1
  ap-group ap-group1
 ap-id 1 ap-mac 60de-4476-e380 ap-sn 210235419610D2000067
  ap-name area_2
  ap-group ap-group1
 ap-id 2 ap-mac 60de-4476-e3a0 ap-sn 210235419610D2000068
  ap-name area_3
  ap-group ap-group1
#
return


32 Shopping Mall and Supermarket Solution - Personnel and Asset Management

32.1 Overview of the Shopping Mall and Supermarket Solution - Personnel and Asset Management

Scenario Overview
In places such as shopping malls, employees and assets need to be located accurately so that
the shopping malls can identify their locations and movements, facilitating management.
To meet requirements in these scenarios, Huawei provides the personnel and asset
management IoT solution that uses Bluetooth tags to accurately locate personnel and assets.

Solution Benefits
This solution brings the following benefits:
• Location information about personnel and assets can be graphically displayed, and
moving tracks of personnel and assets and asset reports can be queried. This facilitates
unified personnel and asset management and control.
• A WLAN can be reused as a personnel and asset management IoT network to achieve
network integration, reduce network deployment and maintenance costs, and help
administrators centrally manage the network.

Network Architecture
As shown in Figure 32-1, the network architecture of the personnel and asset management
IoT solution consists of the terminal layer, access layer, network layer, and application layer.


Figure 32-1 Network architecture
[Figure: location server (application layer); switch and AC (network layer); APs (access layer); Bluetooth tags sending Bluetooth signals (terminal layer)]

• Terminal layer
  Bluetooth tags are deployed at this layer.
• Access layer
  APs are deployed at this layer.
• Network layer
  ACs and switches are deployed at this layer.
• Application layer
  The location server is deployed at this layer.


Related Products

Table 32-1 Related products

Device | Function | Vendor
AP | Provides wireless network coverage for mobile phones. An AP receives broadcast frames from Bluetooth tags through its built-in Bluetooth module. | Huawei. Only the AP4050DN-E, AP7050DE, AP4051TN, AP6052DN, AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, AP8182DN, R250D-E, AP2050DN-E, R251D-E, AP2051DN-E, AP8050DN or AP8150DN can be used.
AC | Manages APs, delivers configurations to them, and works together with them. | Huawei
Switch | It is used to build a networking structure and forward packet data on the network. | Huawei
Bluetooth tag | Periodically sends BLE broadcast frames for APs to locate personnel or assets. Bluetooth tags are bound to personnel or assets. | Minew
Location server | Functions as a location server. You can make maps and set BLE device location information on it. The location server collects Bluetooth tag data for location computing and storage, and performs personnel and asset management. It provides a cloud-based web user interface (UI) and an app UI for users to manage and maintain personnel and assets. | EtoneSystem


32.2 Understanding the Shopping Mall and Supermarket Solution - Personnel and Asset Management
Figure 32-2 shows the implementation of the personnel and asset management IoT solution.

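Figure 32-2 Network for the personnel and asset management IoT solution
[Figure: Bluetooth tags sending Bluetooth signals, three APs, the switch and AC, and the location server; the links are labeled 1 (Bluetooth tags to APs), 2 (APs to switch and AC), and 3 (toward the location server)]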

1. Bind Bluetooth tags to personnel and assets. Built-in Bluetooth modules of APs scan for
Bluetooth tags in the surrounding environment and collect BLE broadcast frames sent by
Bluetooth tags. A BLE broadcast frame carries Bluetooth tag information such as the
RSSI calibration value, battery level, and device disconnection alarms.
Bluetooth tags periodically send BLE broadcast frames but do not need to connect to the
WLAN.
NOTE

Use a scanning terminal to associate or manually record mappings between Bluetooth tags and
personnel/assets, and synchronize the mappings to the location server so that the location server can
identify the personnel or assets based on the Bluetooth tags.
2. The APs report Bluetooth tag information to the AC, such as the RSSI calibration value,
power, and Bluetooth tag disconnection alarms.


3. The AC then reports all the Bluetooth tag information and Bluetooth tag disconnection
alarms to the location server.
4. Make a floor plan on the location server, create a location map model, add APs with
built-in Bluetooth modules, and determine the AP installation locations. Compute
locations of Bluetooth tags, and provide graphical location information and moving
tracks of personnel and assets, and generate asset reports. In addition, you can monitor
working status of the Bluetooth tags.

32.3 Implementation Precautions for the Shopping Mall and Supermarket Solution - Personnel and Asset Management

Network Planning Precautions
Network address translation (NAT) traversal must be supported between the AC/APs and
location server.

32.4 Software and Hardware Installation for the Shopping Mall and Supermarket Solution - Personnel and Asset Management

Installing APs
For details on how to install APs, see the AP hardware installation and maintenance guide.

Installing a Location Server


To install the location server, contact the corresponding vendor to obtain related installation
documents. The detailed operations are not described in this document.

32.5 Configuration Guide for the Shopping Mall and Supermarket Solution - Personnel and Asset Management

32.5.1 Configuring Network Interworking


Configure network interworking of network elements (NEs) to ensure proper data
transmission.

Configuring Management Packet Exchange


Management packets between an AC and APs are transmitted only on the network between
them. To ensure that the AC and APs exchange management packets properly, configure
correct VLANs or routes.


Configuring Service Packet Exchange


Service packets are transmitted between STAs and the upper-layer network. Configure service
packet exchange to ensure proper transmission of service packets.

Configuring APs and STAs to Communicate with a DHCP Server


APs and STAs must obtain IP addresses from a DHCP server; therefore, you need to
configure the APs and STAs to communicate with the DHCP server.

Configuring the AC to Communicate with the Location Server


Configure the AC to communicate with the location server, so that the AC can report
Bluetooth packets to the location server.

32.5.2 Configuring APs to Go Online

Context
After network interworking is configured, configure APs to go online on an AC so that the
AC can deliver configurations to the APs.
This document only describes basic go-online configurations of APs on the AC. For more
information, see 5.9 Configuring APs to Go Online.
Perform the following operations on the AC to configure an AP to go online.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run interface vlanif vlan-id
A VLANIF interface is created, and the VLANIF interface view is displayed.
By default, no VLANIF interface is created.
Step 4 Run ip address ip-address { mask | mask-length }
An IP address and a subnet mask are configured for the VLANIF interface.
By default, no IP address is configured for a VLANIF interface.
Step 5 Run quit
Return to the system view.
Step 6 Run capwap source interface vlanif vlan-id
The VLANIF interface is configured as the source interface of the CAPWAP tunnel
established between the AP and AC.


By default, no source interface is configured for the CAPWAP tunnel established between the
AP and AC.
Step 7 Run wlan
The WLAN view is displayed.
Step 8 Run regulatory-domain-profile name profile-name
A regulatory domain profile is created and the regulatory domain profile view is displayed.
By default, the system provides the regulatory domain profile default.
Step 9 Run country-code country-code
The country code is configured.
By default, the country code CN is configured.
Step 10 Run quit
Return to the WLAN view.
Step 11 Run ap-group name group-name
An AP group is created, and the AP group view is displayed.
Step 12 Run regulatory-domain-profile profile-name
The regulatory domain profile is bound to the AP group.
By default, the regulatory domain profile default is bound to the AP group.
Step 13 Run quit
Return to the WLAN view.
Step 14 Run ap-id ap-id [ [ type-id type-id | ap-type ap-type ] { ap-mac ap-mac | ap-sn ap-sn | ap-mac ap-mac ap-sn ap-sn } ] or ap-mac ap-mac [ type-id type-id | ap-type ap-type ] [ ap-id ap-id ] [ ap-sn ap-sn ]
The AP is imported in offline mode, and the AP view is displayed.
Step 15 Run ap-name ap-name
The AP name is configured.
By default, no AP name is configured for an AP.
Step 16 Run ap-group group-name
The AP is added to the AP group.
By default, no AP group is configured.

----End

Verifying the Configuration


• Run the display ap all command to check whether the AP goes online on the AC.
• Run the display capwap configuration command to check the source interface or
source IP address of the AC.
• Run the display regulatory-domain-profile { all | name profile-name } command to
check the country code configured in the regulatory domain profile.
• Run the display references regulatory-domain-profile name profile-name command to
check reference information about the regulatory domain profile.

32.5.3 Configuring the Wireless Coverage Service

Context
A WLAN can be reused as a personnel and asset management IoT network, reducing network
deployment and maintenance costs and helping administrators centrally manage the network.
This document provides only basic wireless coverage service configurations. For more
information, see 5 WLAN Service Configuration.
Perform the following operations on the AC to configure an AP to go online.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run vlan batch vlan-id
A VLAN is created.
Step 3 Run wlan
The WLAN view is displayed.
Step 4 Run security-profile name profile-name
A security profile is created and the security profile view is displayed.
By default, security profiles default, default-wds, and default-mesh are available in the
system.
After the security profile is created, continuing to use the default security policy poses
security risks. You are advised to configure a proper security policy according to actual
service requirements. For the detailed configuration, see 12.4 Configuring a WLAN Security Policy.
Step 5 Run quit
Return to the WLAN view.
Step 6 Run ssid-profile name profile-name
An SSID profile is created and the SSID profile view is displayed.
By default, the system provides the SSID profile default.
Step 7 Run ssid ssid
An SSID name is configured.
By default, the SSID HUAWEI-WLAN is configured in an SSID profile.
Step 8 Run quit
Return to the WLAN view.
Step 9 Run vap-profile name profile-name
The VAP profile view is displayed.
Step 10 Run security-profile profile-name
The security profile is bound to the VAP profile.
By default, the security profile default is bound to a VAP profile.
Step 11 Run forward-mode { direct-forward | tunnel | softgre profile-name }
The data forwarding mode is configured in the VAP profile.
By default, the forwarding mode is direct-forward in the VAP profile.
Step 12 Run service-vlan { vlan-id vlan-id | vlan-pool pool-name }
A service VLAN is configured for a VAP.
By default, VLAN 1 is the service VLAN of a VAP.
Step 13 Run ssid-profile profile-name
The SSID profile is bound to the VAP profile.
By default, the SSID profile default is bound to a VAP profile.
Step 14 Run quit
Return to the WLAN view.
Step 15 Run ap-group name group-name
An AP group is created, and the AP group view is displayed.
Step 16 Run vap-profile profile-name wlan wlan-id radio { radio-id | all } [ service-vlan { vlan-id vlan-id | vlan-pool pool-name } ]
The VAP profile is bound to radios.
By default, no VAP profile is bound to a radio.

----End

Verifying the Configuration


• Run the display vap { all | ssid ssid } or display vap { ap-group ap-group-name | { ap-name ap-name | ap-id ap-id } [ radio radio-id ] } [ ssid ssid ] command to check service
VAP information.
• Run the display vap-profile { all | name profile-name } command to check
configuration and reference information about a VAP profile.
• Run the display references vap-profile name profile-name command to check reference
information about the VAP profile.
• Run the display security-profile { all | name profile-name } command to check
configuration and reference information about the security profile.
• Run the display references security-profile name profile-name command to check
reference information about the security profile.
• Run the display ssid-profile { all | name profile-name } command to check
configuration and reference information about the SSID profile.
• Run the display references ssid-profile name profile-name command to check
reference information about the SSID profile.
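The defaults listed in the procedure above (security profile default, SSID profile default, service VLAN 1) are easy to leave in place unnoticed, so the following added example, which is not part of the original guide or any Huawei tool, audits a saved AC configuration for VAP profiles bound to AP-group radios that still rely on them. It assumes that the saved configuration omits settings left at their defaults and indents nested views by one space per level; the profiles guest and lab in the sample are hypothetical.

```python
import re

# Constructed sample modeled on the AC configuration file in this guide. The
# profiles "guest" and "lab" are hypothetical and left at defaults on purpose.
SAMPLE_CONFIG = """\
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#CONSTRUCTED-CIPHERTEXT%^%# aes
 security-profile name lab
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 vap-profile name guest
  security-profile lab
 ap-group name ap-group1
  radio 0
   vap-profile wlan-net wlan 1
   vap-profile guest wlan 2
  radio 1
   vap-profile wlan-net wlan 1
#
return
"""

PROFILE_RE = re.compile(r"(\S+) name (\S+)")
BINDING_RE = re.compile(r"vap-profile (\S+) wlan \d+")


def parse_wlan_profiles(config_text):
    """Return {kind: {name: [attribute lines]}} for the 'wlan' section."""
    profiles, in_wlan, current = {}, False, None
    for raw in config_text.splitlines():
        if raw.startswith("#"):          # '#' closes every top-level section
            in_wlan, current = False, None
        elif raw.rstrip() == "wlan":
            in_wlan = True
        elif in_wlan:
            indent = len(raw) - len(raw.lstrip(" "))
            match = PROFILE_RE.fullmatch(raw.strip())
            if indent == 1:              # profile header or another one-level entry
                current = None
                if match:
                    kind, name = match.groups()
                    current = profiles.setdefault(kind, {}).setdefault(name, [])
            elif indent > 1 and current is not None:
                current.append(raw.strip())
    return profiles


def first_args(attrs, keyword):
    """Arguments of the first attribute line that starts with keyword, else None."""
    for line in attrs:
        parts = line.split()
        if parts[0] == keyword:
            return parts[1:]
    return None


def audit_vap_security(config_text):
    """Return (vap_profile, finding) pairs for VAP profiles bound in AP groups."""
    profiles = parse_wlan_profiles(config_text)
    vaps = profiles.get("vap-profile", {})
    security = profiles.get("security-profile", {})
    bound = set()
    for attrs in profiles.get("ap-group", {}).values():
        for line in attrs:
            match = BINDING_RE.match(line)
            if match:
                bound.add(match.group(1))
    findings = []
    for name in sorted(bound):
        attrs = vaps.get(name)
        if attrs is None:
            findings.append((name, "bound to a radio but not defined"))
            continue
        # Assumption: a missing line means the documented default is in effect.
        sec = (first_args(attrs, "security-profile") or ["default"])[0]
        if sec == "default":
            findings.append((name, "security profile 'default' is bound"))
        elif sec not in security:
            findings.append((name, f"security profile '{sec}' is not defined"))
        elif first_args(security[sec], "security") is None:
            findings.append((name, f"security profile '{sec}' has no security policy line"))
        if (first_args(attrs, "ssid-profile") or ["default"])[0] == "default":
            findings.append((name, "SSID profile 'default' is bound"))
        if first_args(attrs, "service-vlan") is None:
            findings.append((name, "service VLAN left at default VLAN 1"))
    return findings


if __name__ == "__main__":
    for vap, finding in audit_vap_security(SAMPLE_CONFIG):
        print(f"vap-profile {vap}: {finding}")
```

Only bindings made in AP group views are checked; bindings made directly in an AP view would need the same test applied to the ap-id entries.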

32.5.4 Configuring the Bluetooth Tag Location Function

Context
Enable the Bluetooth tag location function to locate personnel and assets.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run wlan
The WLAN view is displayed.
Step 3 Run ble-profile name profile-name
A BLE profile is created.
By default, no BLE profile is created.
Step 4 Run sniffer enable tag-mode
The Bluetooth tag location function is enabled for built-in Bluetooth modules of APs.
By default, the Bluetooth function of an AP's built-in Bluetooth module is disabled.
Step 5 Run report enable
An AP is enabled to report Bluetooth packets.
By default, an AP is disabled from sending Bluetooth packets.
Step 6 (Optional) Run report-mode { immediate | periodic [ interval interval ] }
The mode in which an AP reports Bluetooth packets is configured.
By default, an AP sends Bluetooth packets at an interval of 10 seconds.
Step 7 Run report-to-server ip-address ip-address port port-num [ via-ac ac-port ac-port-num ] or
report-to-server domain domain port port-num
The IP address or domain name and the port number of a destination server are configured
for APs to report Bluetooth tag location packets.
By default, no destination IP address or port number is configured for APs to report Bluetooth
packets.
Step 8 Run quit
Return to the WLAN view.
Step 9 Enter the AP group view or AP view.
• Run the ap-group name group-name command to enter the AP group view.
• Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP
view.
Step 10 Run ble-profile profile-name
A BLE profile is bound to an AP group or an AP.
By default, no BLE profile is bound to an AP group or AP.
Step 11 Run quit
Return to the WLAN view.
Step 12 (Optional) Run ble report interval interval-value
The interval at which an AP reports Bluetooth device information is set.
By default, an AP reports Bluetooth device information at an interval of 10 minutes.
Step 13 (Optional) Run ble low-power-threshold low-power-threshold
A low power alarm threshold is set for BLE devices or Bluetooth tags.
By default, the low power alarm threshold of BLE devices or Bluetooth tags is 20%.
Step 14 (Optional) Run ble monitoring-list mac mac-address1 [ to mac-address2 ]
Specified BLE devices or Bluetooth tags are added to the monitoring list of an AP's built-in
Bluetooth module.
By default, no Bluetooth devices are added to the monitoring list.
When no Bluetooth device is added to the monitoring list, all Bluetooth devices are
monitored. When any Bluetooth device is offline or has insufficient battery power, an alarm is
triggered on the AC accordingly. When Bluetooth devices are added to the monitoring list,
only the Bluetooth devices in the list are monitored. When a Bluetooth device in the
monitoring list is offline or has insufficient battery power, an alarm is triggered on the AC
accordingly.

----End

Verifying the Configuration


• Run the display ble-profile { all | name profile-name } command to check configuration
and reference information about a BLE profile.
• Run the display wlan ble global configuration command to view global configurations
of Bluetooth devices.
• Run the display references ble-profile name profile-name command to check reference
information about a BLE profile.
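Because only listed devices are monitored once the monitoring list is non-empty, it is worth comparing the list with what the APs actually hear. The following added example, which is not part of the original guide, parses output in the layout of the display wlan ble site-info all command shown earlier in this guide and reports tags that are heard but not listed, listed but not heard, and below the low power threshold. The sample output, the assumption that AP names contain no spaces, the strict "below threshold" comparison, and the 4096-address expansion guard are all assumptions of this example.

```python
import re

MAC_RE = re.compile(r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}")
LIST_RE = re.compile(r"\s*ble monitoring-list mac (\S+)(?: to (\S+))?\s*")
FIELDS = ("index", "mac", "ap_id", "ap_name", "rssi", "power", "type",
          "detached", "aging_min", "broadcasts", "adv_data")

# Constructed output in the wrapped layout of "display wlan ble site-info all".
SAMPLE_SITE_INFO = """\
--------------------------------------------------------------------------------
Index MAC            Host AP ID Host AP name RSSI Power Type
DetachedFlag Aging-Timeout(m) Broadcast count Advertisement data
--------------------------------------------------------------------------------
0     1234-1234-1000 0          area_1       -30  50%   ibeacon
N     57     10
02-02-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-fa
1     1234-1234-1001 1          area_2       -31  15%   ibeacon
N     57     10
01-02-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-fa
2     1234-1234-2000 2          area_3       -32  55%   ibeacon
N     57     10
03-02-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-fa
--------------------------------------------------------------------------------
Total: 3
"""
SAMPLE_COMMANDS = ["ble monitoring-list mac 1234-1234-1000 to 1234-1234-1002"]


def parse_site_info(text):
    """Join the wrapped lines of each record and return one dict per tag."""
    records, tokens = [], None
    for line in text.splitlines() + ["-"]:       # sentinel flushes the last record
        parts = line.split()
        if not parts:
            continue                              # blank lines may split a record
        starts = (len(parts) > 1 and parts[0].isdigit()
                  and MAC_RE.fullmatch(parts[1]) is not None)
        ends = set(parts[0]) == {"-"} or parts[0] == "Total:"
        if (starts or ends) and tokens is not None:
            if len(tokens) != len(FIELDS):
                raise ValueError(f"unexpected record layout: {tokens}")
            rec = dict(zip(FIELDS, tokens))
            rec["mac"] = rec["mac"].lower()
            rec["rssi"] = int(rec["rssi"])
            rec["power"] = int(rec["power"].rstrip("%"))
            records.append(rec)
            tokens = None
        if starts:
            tokens = list(parts)
        elif tokens is not None and not ends:
            tokens.extend(parts)
    return records


def mac_to_int(mac):
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a MAC address in xxxx-xxxx-xxxx form: {mac}")
    return int(mac.replace("-", ""), 16)


def expand_monitoring_list(commands, limit=4096):
    """Expand 'ble monitoring-list mac A [ to B ]' lines into a set of MACs."""
    macs = set()
    for line in commands:
        match = LIST_RE.fullmatch(line)
        if not match:
            continue
        first = mac_to_int(match.group(1))
        last = mac_to_int(match.group(2) or match.group(1))
        if not 0 <= last - first < limit:        # guard chosen for this example
            raise ValueError(f"refusing to expand range: {line.strip()}")
        for value in range(first, last + 1):
            digits = f"{value:012x}"
            macs.add("-".join(digits[i:i + 4] for i in (0, 4, 8)))
    return macs


def audit_tags(site_info, commands, low_power_threshold=20):
    """Compare the tags the APs report with the configured monitoring list."""
    seen = {rec["mac"]: rec for rec in parse_site_info(site_info)}
    listed = expand_monitoring_list(commands)
    monitored = listed or set(seen)   # empty list: every device is monitored
    return {
        "unlisted": sorted(set(seen) - monitored),    # heard, but never alarmed on
        "not_seen": sorted(monitored - set(seen)),    # listed, reported by no AP
        "low_power": sorted(mac for mac in monitored & set(seen)
                            if seen[mac]["power"] < low_power_threshold),
    }


if __name__ == "__main__":
    for category, macs in audit_tags(SAMPLE_SITE_INFO, SAMPLE_COMMANDS).items():
        print(category, macs)
```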

32.5.5 Configuring a Location Server


Configure Bluetooth tag location parameters on the location server.
Use a scanning terminal to associate Bluetooth tags with personnel and assets or manually
record mappings between Bluetooth tags and personnel/assets, and synchronize the mappings
to the location server.


Contact vendors to obtain related installation documents. The detailed operations are not
described in this document.

32.5.6 Example for Configuring the Personnel and Asset Management IoT Solution

Service Requirements
A shopping mall often suffers from asset losses or fails to find assets. To reduce property loss
and facilitate asset management, the shopping mall wants to monitor the locations and moving
tracks of assets.
To meet these requirements, Huawei offers the personnel and asset management IoT solution.

Networking Requirements
• AC networking mode: Layer 2 in bypass mode
• DHCP deployment mode: Configure an AC as the DHCP server to assign IP addresses to
APs and STAs.
• Service data forwarding mode: direct forwarding

Figure 32-3 Network for configuring the personnel and asset management IoT solution
[Figure: location server; Switch and AC linked through GE0/0/1 on each device; Switch GE0/0/2, GE0/0/3, and GE0/0/4 connected to three APs; Bluetooth tags sending Bluetooth signals to the APs]


Data Planning

Table 32-2 Data planning

Item | Data
Management VLAN | VLAN 100
Service VLAN | VLAN 101
AC's source interface | VLANIF 100
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for STAs | 10.23.101.2 to 10.23.101.254/24
AP group | Name: ap-group1; Referenced profiles: VAP profile wlan-net, regulatory domain profile default, and BLE profile wlan-ble
Regulatory domain profile | Name: default; Country code: CN
SSID profile | Name: wlan-net; SSID name: wlan-net
Security profile | Name: wlan-net; Security policy: WPA-WPA2+PSK+AES; Password: a1234567
VAP profile | Name: wlan-net; Forwarding mode: direct forwarding; Service VLAN: VLAN 101; Referenced profiles: SSID profile wlan-net and security profile wlan-net
BLE Profile | Name: wlan-ble; Reporting of Bluetooth tag packets: enabled; Domain name/Port number of the location server: testabc.com/10001

Configuration Roadmap
1. Configure the AC to communicate with the location server.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the APs to go online.
4. Configure WLAN services.
5. Configure the Bluetooth tag location function.
6. Configure the location server.

Configuration Notes
• No ACK mechanism is provided for multicast packet transmission on air interfaces. In
addition, wireless links are unstable. To ensure stable transmission of multicast packets,
they are usually sent at low rates. If a large number of such multicast packets are sent
from the network side, the air interfaces may be congested. You are advised to configure
multicast packet suppression to reduce impact of a large number of low-rate multicast
packets on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
  – In direct forwarding mode, you are advised to configure multicast packet
  suppression on switch interfaces connected to APs.
  – In tunnel forwarding mode, you are advised to configure multicast packet
  suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see "How Do I Configure Multicast
Packet Suppression to Reduce Impact of a Large Number of Low-Rate Multicast Packets
on the Wireless Network?" in WLAN QoS Configuration of the Configuration Guide -
WLAN-AC of the corresponding product version.
• Configure port isolation on the interfaces of the device directly connected to APs. If port
isolation is not configured and direct forwarding is used, a large number of unnecessary
broadcast packets may be generated in the VLAN, blocking the network and degrading
user experience.
• In tunnel forwarding mode, the management VLAN and service VLAN cannot be the
same. Only packets from the management VLAN are transmitted between the AC and
APs. Packets from the service VLAN are not allowed between the AC and APs.

Procedure
Step 1 Set the NAC mode to unified on the AC so that users can connect to the network properly.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

If the NAC mode is changed from traditional to unified, the unified mode takes effect after you save the
configuration and restart the device.

Step 2 Configure the AC to communicate with the location server.


Configure routes based on the actual networking to ensure network interworking between the
AC and location server.
Step 3 Configure the switch and AC to enable APs to communicate with the AC.
# Configure the access switch. Add GE0/0/1 on the switch to VLAN 100, and GE0/0/2
through GE0/0/4 to VLAN 100 and VLAN 101.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 to 101
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk pvid vlan 100
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 to 101
[Switch-GigabitEthernet0/0/4] quit

# Configure the AC. Add GE0/0/1 to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 to 101
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

Step 4 Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
# Configure the DHCP server based on the address pool of a VLANIF interface.

NOTE

Configure the DNS server as required. The common methods are as follows:
• In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8> command in the
VLANIF interface view.
• In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP address pool
view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 5 Configure the APs to go online.


# Create an AP group to which APs with the same configuration are to be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the country code for the AC in the profile, and
bind the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: Modifying the country code will clear channel, power and antenna gain
configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the source interface on the AC.


[AC] capwap source interface vlanif 100

# Import the APs offline on the AC and add the APs to the AP group ap-group1. Configure
an AP name based on the AP's deployment location, so that you can know where the AP is
deployed from its name. If the AP with MAC address 60de-4476-e360 is in area 1, name the
AP area_1. Name the APs in area 2 and area 3 area_2 and area_3 in the same way.
NOTE

The ap auth-mode command sets the AP authentication mode to MAC address authentication by default. If
the default settings are retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP7052DN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 60de-4476-e3a0
[AC-wlan-ap-2] ap-name area_3
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-2] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will
clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit

# After the APs are powered on, run the display ap all command to check the AP states. If
the State field displays nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [3]
Extra information:
P : insufficient power supply
----------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
----------------------------------------------------------------------------------------------
0    60de-4476-e360 area_1 ap-group1 10.23.100.254 AP7052DN nor   0   22S    -
1    60de-4476-e380 area_2 ap-group1 10.23.100.253 AP7052DN nor   0   51S    -
2    60de-4476-e3a0 area_3 ap-group1 10.23.100.252 AP7052DN nor   0   55S    -
----------------------------------------------------------------------------------------------
Total: 3


Step 6 Configure WLAN services.


# Create security profile wlan-net and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA-WPA2+PSK+AES and the password to a1234567.
In actual situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-net
[AC-wlan-sec-prof-wlan-net] security wpa-wpa2 psk pass-phrase a1234567 aes
[AC-wlan-sec-prof-wlan-net] quit

# Create SSID profile wlan-net and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-net
[AC-wlan-ssid-prof-wlan-net] ssid wlan-net
[AC-wlan-ssid-prof-wlan-net] quit

# Create VAP profile wlan-net, set the data forwarding mode and service VLAN, and apply
the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-net
[AC-wlan-vap-prof-wlan-net] forward-mode direct-forward
[AC-wlan-vap-prof-wlan-net] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-net] security-profile wlan-net
[AC-wlan-vap-prof-wlan-net] ssid-profile wlan-net
[AC-wlan-vap-prof-wlan-net] quit

# Bind VAP profile wlan-net to the AP group and apply the profile to radio 0 and radio 1 of
the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-net wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 7 Configure the Bluetooth tag location function.


# Create BLE profile wlan-ble and configure the Bluetooth tag location function.
[AC-wlan-view] ble-profile name wlan-ble
[AC-wlan-ble-prof-wlan-ble] sniffer enable tag-mode
[AC-wlan-ble-prof-wlan-ble] report enable
[AC-wlan-ble-prof-wlan-ble] report-to-server domain testabc.com port 10001
[AC-wlan-ble-prof-wlan-ble] quit

# Add all the Bluetooth tags within the AP coverage to the monitoring list.
[AC-wlan-view] ble monitoring-list mac 1234-1234-1000 to 1234-1234-1002

# Apply the BLE profile to the AP group.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] ble-profile wlan-ble
[AC-wlan-ap-group-ap-group1] quit

Step 8 Configure the location server.


Configure the location server based on its usage guide.

Step 9 Verify the configuration.

# The WLAN service configuration is automatically delivered to the APs. After completing
the configuration, run the display vap ssid wlan-net command. If the Status field displays
ON, the VAP has been successfully created on the AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
--------------------------------------------------------------------------------
0     area_1  0    1   60DE-4476-E360 ON     WPA/WPA2-PSK 1   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA/WPA2-PSK 0   wlan-net
1     area_2  0    1   60DE-4476-E380 ON     WPA/WPA2-PSK 1   wlan-net
1     area_2  1    1   60DE-4476-E390 ON     WPA/WPA2-PSK 0   wlan-net
2     area_3  0    1   60DE-4476-E3a0 ON     WPA/WPA2-PSK 1   wlan-net
2     area_3  1    1   60DE-4476-E3b0 ON     WPA/WPA2-PSK 0   wlan-net
--------------------------------------------------------------------------------
Total: 6

# Check Bluetooth tag information obtained by the APs.
[AC-wlan-view] display wlan ble site-info all
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Index MAC            Host AP ID Host AP name RSSI Power Type      DetachedFlag Aging-Timeout(m) Broadcast count Advertisement data
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0     1234-1234-1000 0          area_1       -30  50%   asset-tag N            57               10              02-02-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-fa
1     1234-1234-1001 1          area_2       -31  51%   asset-tag N            57               10              01-02-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-fa
2     1234-1234-1002 2          area_3       -32  55%   asset-tag N            57               10              03-02-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-fa
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total: 3

# STAs can discover the wireless network with SSID wlan-net and associate with it after
successful authentication.

----End
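
The Step 9 check on the display vap ssid wlan-net table can be scripted so that a radio whose VAP is missing, not ON, or up with a different authentication type than the security profile intends is reported rather than overlooked. The following Python sketch is an added example, not part of the Huawei guide; the function names are hypothetical, and the sample table is constructed from the output above with the two area_3 rows deliberately altered (the OFF and Open values are assumed placeholders).

```python
import re

# Constructed sample in the layout of "display vap ssid wlan-net". The two
# area_3 rows are altered on purpose (status OFF, auth type Open) so the
# check has something to report; they are not output from the guide.
VAP_OUTPUT = """\
AP ID AP name RfID WID BSSID          Status Auth type    STA SSID
0     area_1  0    1   60DE-4476-E360 ON     WPA/WPA2-PSK 1   wlan-net
0     area_1  1    1   60DE-4476-E370 ON     WPA/WPA2-PSK 0   wlan-net
1     area_2  0    1   60DE-4476-E380 ON     WPA/WPA2-PSK 1   wlan-net
1     area_2  1    1   60DE-4476-E390 ON     WPA/WPA2-PSK 0   wlan-net
2     area_3  0    1   60DE-4476-E3A0 OFF    WPA/WPA2-PSK 0   wlan-net
2     area_3  1    1   60DE-4476-E3B0 ON     Open         0   wlan-net
Total: 6
"""

# One table row; AP names are assumed to contain no spaces.
ROW = re.compile(
    r"^\s*(?P<ap_id>\d+)\s+(?P<ap_name>\S+)\s+(?P<radio>\d+)\s+(?P<wid>\d+)\s+"
    r"(?P<bssid>[0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2})\s+(?P<status>\S+)\s+"
    r"(?P<auth>.+?)\s+(?P<sta>\d+)\s+(?P<ssid>\S+)\s*$"
)

def parse_vaps(text):
    """Return one dict per VAP row; header, rule and Total lines do not match."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def audit_vaps(text, expected_aps, radios=(0, 1),
               auth="WPA/WPA2-PSK", ssid="wlan-net"):
    """Compare the table with the intended state and return a list of findings."""
    seen = {(r["ap_name"], int(r["radio"])): r
            for r in parse_vaps(text) if r["ssid"] == ssid}
    findings = []
    for ap in expected_aps:
        for radio in radios:
            row = seen.pop((ap, radio), None)
            if row is None:
                findings.append(f"{ap} radio {radio}: no VAP for {ssid}")
            elif row["status"] != "ON":
                findings.append(f"{ap} radio {radio}: status {row['status']}")
            elif row["auth"] != auth:
                findings.append(f"{ap} radio {radio}: auth type {row['auth']}")
    # Rows left over are VAPs on APs or radios outside the intended list.
    findings += [f"{ap} radio {radio}: unexpected VAP {row['bssid']}"
                 for (ap, radio), row in seen.items()]
    return findings

if __name__ == "__main__":
    for finding in audit_vaps(VAP_OUTPUT, ["area_1", "area_2", "area_3"]):
        print(finding)
```

An empty list means every expected AP radio carries the SSID with Status ON and the intended Auth type.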

Configuration Files
• Access switch configuration file
#
sysname Switch
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 to 101
#
return

• AC configuration file


#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-net
  security wpa-wpa2 psk pass-phrase %^%#)P{x4pF\iPP'Wm!wy%.IZyh!,_S(OXV/k>'KvG%%%^%# aes
 ssid-profile name wlan-net
  ssid wlan-net
 vap-profile name wlan-net
  service-vlan vlan-id 101
  ssid-profile wlan-net
  security-profile wlan-net
 regulatory-domain-profile name default
 ble-profile name wlan-ble
  sniffer enable tag-mode
  report-to-server domain testabc.com port 10001
  report enable
 ble monitoring-list mac 1234-1234-1000
 ble monitoring-list mac 1234-1234-1001
 ble monitoring-list mac 1234-1234-1002
 ap-group name ap-group1
  ble-profile wlan-ble
  radio 0
   vap-profile wlan-net wlan 1
  radio 1
   vap-profile wlan-net wlan 1
 ap-id 0 ap-mac 60de-4476-e360 ap-sn 210235419610D2000066
  ap-name area_1
  ap-group ap-group1
 ap-id 1 ap-mac 60de-4476-e380 ap-sn 210235419610D2000067
  ap-name area_2
  ap-group ap-group1
 ap-id 2 ap-mac 60de-4476-e3a0 ap-sn 210235419610D2000068
  ap-name area_3
  ap-group ap-group1
 provision-ap
#
return
